@hybrd/xmtp 1.3.0 → 1.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.turbo/turbo-build.log +10 -10
- package/.turbo/turbo-typecheck.log +1 -1
- package/dist/index.cjs +10 -10
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +10 -10
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
- package/src/lib/jwt.ts +15 -15
package/package.json
CHANGED
package/src/lib/jwt.ts
CHANGED
|
@@ -64,40 +64,40 @@ export function getValidatedPayload(c: Context): XMTPToolsPayload | null {
|
|
|
64
64
|
}
|
|
65
65
|
|
|
66
66
|
/**
|
|
67
|
-
* JWT secret
|
|
68
|
-
*
|
|
67
|
+
* Gets the JWT secret for token signing, with lazy initialization
|
|
68
|
+
* Uses XMTP_ENCRYPTION_KEY environment variable for consistency
|
|
69
69
|
* Only falls back to development secret in development/test environments
|
|
70
70
|
*/
|
|
71
|
-
|
|
72
|
-
const secret = process.env.
|
|
71
|
+
function getJwtSecret(): string {
|
|
72
|
+
const secret = process.env.XMTP_ENCRYPTION_KEY
|
|
73
73
|
const nodeEnv = process.env.NODE_ENV || "development"
|
|
74
74
|
|
|
75
75
|
// In production, require a real JWT secret
|
|
76
76
|
if (nodeEnv === "production" && !secret) {
|
|
77
77
|
throw new Error(
|
|
78
|
-
"
|
|
78
|
+
"XMTP_ENCRYPTION_KEY environment variable is required in production. " +
|
|
79
79
|
"Generate a secure random secret for JWT token signing."
|
|
80
80
|
)
|
|
81
81
|
}
|
|
82
82
|
|
|
83
|
-
// In development/test, allow fallback but warn
|
|
83
|
+
// In development/test, allow fallback but warn only when actually used
|
|
84
84
|
if (!secret) {
|
|
85
85
|
console.warn(
|
|
86
86
|
"⚠️ [SECURITY] Using fallback JWT secret for development. " +
|
|
87
|
-
"Set
|
|
87
|
+
"Set XMTP_ENCRYPTION_KEY environment variable for production."
|
|
88
88
|
)
|
|
89
89
|
return "fallback-secret-for-dev-only"
|
|
90
90
|
}
|
|
91
91
|
|
|
92
92
|
return secret
|
|
93
|
-
}
|
|
93
|
+
}
|
|
94
94
|
|
|
95
95
|
/**
|
|
96
|
-
* API key
|
|
96
|
+
* Gets the API key for authentication, with lazy initialization
|
|
97
97
|
* Requires XMTP_API_KEY environment variable in production
|
|
98
98
|
* Only falls back to development key in development/test environments
|
|
99
99
|
*/
|
|
100
|
-
|
|
100
|
+
function getApiKey(): string {
|
|
101
101
|
const apiKey = process.env.XMTP_API_KEY
|
|
102
102
|
const nodeEnv = process.env.NODE_ENV || "development"
|
|
103
103
|
|
|
@@ -109,7 +109,7 @@ const API_KEY = (() => {
|
|
|
109
109
|
)
|
|
110
110
|
}
|
|
111
111
|
|
|
112
|
-
// In development/test, allow fallback but warn
|
|
112
|
+
// In development/test, allow fallback but warn only when actually used
|
|
113
113
|
if (!apiKey) {
|
|
114
114
|
console.warn(
|
|
115
115
|
"⚠️ [SECURITY] Using fallback API key for development. " +
|
|
@@ -119,7 +119,7 @@ const API_KEY = (() => {
|
|
|
119
119
|
}
|
|
120
120
|
|
|
121
121
|
return apiKey
|
|
122
|
-
}
|
|
122
|
+
}
|
|
123
123
|
|
|
124
124
|
/**
|
|
125
125
|
* JWT token expiry time in seconds (5 minutes)
|
|
@@ -155,7 +155,7 @@ export function generateXMTPToolsToken(
|
|
|
155
155
|
expires: now + JWT_EXPIRY
|
|
156
156
|
}
|
|
157
157
|
|
|
158
|
-
return jwt.sign(fullPayload,
|
|
158
|
+
return jwt.sign(fullPayload, getJwtSecret(), {
|
|
159
159
|
expiresIn: JWT_EXPIRY
|
|
160
160
|
})
|
|
161
161
|
}
|
|
@@ -185,7 +185,7 @@ export function generateXMTPToolsToken(
|
|
|
185
185
|
*/
|
|
186
186
|
export function validateXMTPToolsToken(token: string): XMTPToolsPayload | null {
|
|
187
187
|
// First try API key authentication
|
|
188
|
-
if (token ===
|
|
188
|
+
if (token === getApiKey()) {
|
|
189
189
|
console.log("🔑 [Auth] Using API key authentication")
|
|
190
190
|
// Return a valid payload for API key auth
|
|
191
191
|
const now = Math.floor(Date.now() / 1000)
|
|
@@ -199,7 +199,7 @@ export function validateXMTPToolsToken(token: string): XMTPToolsPayload | null {
|
|
|
199
199
|
|
|
200
200
|
// Then try JWT token authentication
|
|
201
201
|
try {
|
|
202
|
-
const decoded = jwt.verify(token,
|
|
202
|
+
const decoded = jwt.verify(token, getJwtSecret()) as XMTPToolsPayload
|
|
203
203
|
console.log("🔑 [Auth] Using JWT token authentication")
|
|
204
204
|
|
|
205
205
|
// Additional expiry check
|