@juspay/neurolink 9.31.1 → 9.32.0

package/dist/client/auth/providers/clerk.js

@@ -0,0 +1,317 @@
+// src/lib/auth/providers/clerk.ts
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+import { AuthError } from "../errors.js";
+import { logger } from "../../utils/logger.js";
+import { createProxyFetch } from "../../proxy/proxyFetch.js";
+import * as jose from "jose";
+/**
+ * Clerk Authentication Provider
+ *
+ * Supports Clerk's session-based and JWT authentication.
+ * Can validate both JWT tokens and session tokens via Clerk API.
+ *
+ * Features:
+ * - JWT validation using Clerk's JWKS
+ * - Session token validation via Clerk API
+ * - User profile fetching
+ * - Organization support for multi-tenant apps
+ *
+ * @example
+ * ```typescript
+ * const clerk = new ClerkProvider({
+ *   type: "clerk",
+ *   publishableKey: "pk_test_...",
+ *   secretKey: "sk_test_..."
+ * });
+ *
+ * const result = await clerk.authenticateToken(sessionToken);
+ * if (result.valid) {
+ *   console.log("Authenticated user:", result.user);
+ * }
+ * ```
+ */
+export class ClerkProvider extends BaseAuthProvider {
+    type = "clerk";
+    secretKey;
+    jwtKey;
+    publishableKey;
+    jwks = null;
+    localKey = null;
+    constructor(config) {
+        super(config);
+        if (!config.secretKey) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Clerk secretKey is required", { details: { missingFields: ["secretKey"] } });
+        }
+        this.secretKey = config.secretKey;
+        this.jwtKey = config.jwtKey;
+        this.publishableKey = config.publishableKey;
+    }
+    /**
+     * Initialize Clerk JWKS
+     */
+    async initialize() {
+        // Clerk JWKS endpoint (v1 API)
+        const jwksUrl = new URL("https://api.clerk.com/v1/jwks");
+        this.jwks = jose.createRemoteJWKSet(jwksUrl);
+        logger.debug("Clerk provider initialized");
+    }
+    /**
+     * Validate Clerk session token or JWT
+     */
+    async authenticateToken(token, _context) {
+        // First try JWT validation (tokens with dots)
+        if (token.includes(".") && token.split(".").length === 3) {
+            return this.validateJWT(token);
+        }
+        // Otherwise treat as session token
+        return this.validateSessionToken(token);
+    }
+    /**
+     * Validate JWT using local jwtKey (if configured) or JWKS
+     */
+    async validateJWT(token) {
+        try {
+            let payload;
+            if (this.jwtKey) {
+                // Use locally provided JWT key for verification
+                if (!this.localKey) {
+                    this.localKey = new TextEncoder().encode(this.jwtKey);
+                }
+                ({ payload } = await jose.jwtVerify(token, this.localKey));
+            }
+            else {
+                // Fall back to Clerk JWKS endpoint
+                if (!this.jwks) {
+                    await this.initialize();
+                }
+                if (!this.jwks) {
+                    return {
+                        valid: false,
+                        error: "Clerk JWKS not initialized",
+                    };
+                }
+                ({ payload } = await jose.jwtVerify(token, this.jwks));
+            }
+            // Validate azp (authorized party) claim if publishableKey is configured
+            if (this.publishableKey && payload.azp) {
+                if (payload.azp !== this.publishableKey) {
+                    return {
+                        valid: false,
+                        error: `Invalid authorized party: ${payload.azp}. Expected: ${this.publishableKey}`,
+                    };
+                }
+            }
+            const user = {
+                id: payload.sub,
+                email: payload.email,
+                name: payload.name,
+                picture: payload.picture,
+                emailVerified: payload.email_verified,
+                roles: payload["https://clerk.dev/roles"] || [],
+                permissions: payload["https://clerk.dev/permissions"] || [],
+                organizationId: payload.org_id,
+                metadata: {
+                    azp: payload.azp,
+                    sid: payload.sid,
+                },
+            };
+            return {
+                valid: true,
+                payload: payload,
+                user,
+                expiresAt: payload.exp ? new Date(payload.exp * 1000) : undefined,
+                tokenType: "jwt",
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Validate session token via Clerk API
+     */
+    async validateSessionToken(token) {
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch("https://api.clerk.com/v1/sessions/verify", {
+                method: "POST",
+                headers: {
+                    Authorization: `Bearer ${this.secretKey}`,
+                    "Content-Type": "application/json",
+                },
+                body: JSON.stringify({ token }),
+            });
+            if (!response.ok) {
+                const error = (await response.json());
+                return {
+                    valid: false,
+                    error: error.errors?.[0]?.message || "Session validation failed",
+                };
+            }
+            const session = (await response.json());
+            const userData = session.user;
+            const emailAddresses = userData?.email_addresses;
+            const user = {
+                id: session.user_id,
+                email: emailAddresses?.[0]?.email_address,
+                name: userData?.first_name
+                    ? `${userData.first_name} ${userData.last_name || ""}`.trim()
+                    : undefined,
+                picture: userData?.image_url,
+                roles: userData?.public_metadata
+                    ?.roles || [],
+                permissions: userData?.public_metadata
+                    ?.permissions || [],
+                organizationId: session.active_organization_id,
+            };
+            return {
+                valid: true,
+                payload: session,
+                user,
+                expiresAt: session.expire_at
+                    ? new Date(session.expire_at)
+                    : undefined,
+                tokenType: "session",
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Get user by ID from Clerk API
+     */
+    async getUser(userId) {
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`https://api.clerk.com/v1/users/${userId}`, {
+                headers: {
+                    Authorization: `Bearer ${this.secretKey}`,
+                },
+            });
+            if (!response.ok) {
+                if (response.status === 404) {
+                    return null;
+                }
+                throw AuthError.create("PROVIDER_ERROR", `Clerk API returned ${response.status}`, { details: { statusCode: response.status } });
+            }
+            const data = (await response.json());
+            const emailAddresses = data.email_addresses;
+            return {
+                id: data.id,
+                email: emailAddresses?.[0]?.email_address,
+                name: data.first_name
+                    ? `${data.first_name} ${data.last_name || ""}`.trim()
+                    : undefined,
+                picture: data.image_url,
+                emailVerified: emailAddresses?.[0]?.verification?.status === "verified",
+                roles: data.public_metadata
+                    ?.roles || [],
+                permissions: data.public_metadata
+                    ?.permissions || [],
+                createdAt: data.created_at
+                    ? new Date(data.created_at)
+                    : undefined,
+                lastLoginAt: data.last_sign_in_at
+                    ? new Date(data.last_sign_in_at)
+                    : undefined,
+                metadata: data.private_metadata,
+            };
+        }
+        catch (error) {
+            logger.error("Failed to fetch Clerk user:", error);
+            if (error &&
+                typeof error === "object" &&
+                "code" in error &&
+                typeof error.code === "string") {
+                throw error;
+            }
+            return null;
+        }
+    }
+    /**
+     * Get user by email from Clerk API
+     */
+    async getUserByEmail(email) {
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`https://api.clerk.com/v1/users?email_address=${encodeURIComponent(email)}`, {
+                headers: {
+                    Authorization: `Bearer ${this.secretKey}`,
+                },
+            });
+            if (!response.ok) {
+                throw AuthError.create("PROVIDER_ERROR", `Clerk API returned ${response.status}`, { details: { statusCode: response.status } });
+            }
+            const users = (await response.json());
+            if (users.length === 0) {
+                return null;
+            }
+            const data = users[0];
+            const emailAddresses = data.email_addresses;
+            return {
+                id: data.id,
+                email: emailAddresses?.[0]?.email_address,
+                name: data.first_name
+                    ? `${data.first_name} ${data.last_name || ""}`.trim()
+                    : undefined,
+                picture: data.image_url,
+                emailVerified: emailAddresses?.[0]?.verification?.status === "verified",
+                roles: data.public_metadata
+                    ?.roles || [],
+                permissions: data.public_metadata
+                    ?.permissions || [],
+                createdAt: data.created_at
+                    ? new Date(data.created_at)
+                    : undefined,
+                lastLoginAt: data.last_sign_in_at
+                    ? new Date(data.last_sign_in_at)
+                    : undefined,
+                metadata: data.private_metadata,
+            };
+        }
+        catch (error) {
+            logger.error("Failed to fetch Clerk user by email:", error);
+            if (error &&
+                typeof error === "object" &&
+                "code" in error &&
+                typeof error.code === "string") {
+                throw error;
+            }
+            return null;
+        }
+    }
+    /**
+     * Health check
+     */
+    async healthCheck() {
+        try {
+            const proxyFetch = createProxyFetch();
+            // Use a lightweight endpoint to check connectivity
+            const response = await proxyFetch("https://api.clerk.com/v1/organizations?limit=1", {
+                headers: {
+                    Authorization: `Bearer ${this.secretKey}`,
+                },
+            });
+            return {
+                healthy: response.ok,
+                providerConnected: response.ok,
+                sessionStorageHealthy: true,
+            };
+        }
+        catch (error) {
+            return {
+                healthy: false,
+                providerConnected: false,
+                sessionStorageHealthy: true,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+}

package/dist/client/auth/providers/custom.js

@@ -0,0 +1,112 @@
+// src/lib/auth/providers/custom.ts
+import { logger } from "../../utils/logger.js";
+import { AuthError } from "../errors.js";
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+/**
+ * Custom Authentication Provider
+ *
+ * Allows users to provide their own authentication logic through callback functions.
+ * Useful for integrating with custom auth systems or implementing unique auth flows.
+ *
+ * Features:
+ * - Custom token validation via callback
+ * - Custom user fetching (optional)
+ * - Custom session creation (optional, delegates to base when not provided)
+ * - Session management (inherited from BaseAuthProvider)
+ *
+ * @example
+ * ```typescript
+ * const custom = new CustomAuthProvider({
+ *   type: "custom",
+ *   validateToken: async (token, context) => {
+ *     // Your custom token validation logic
+ *     const decoded = await myAuthService.verify(token);
+ *     return {
+ *       valid: !!decoded,
+ *       user: decoded ? {
+ *         id: decoded.sub,
+ *         email: decoded.email,
+ *         roles: decoded.roles || [],
+ *         permissions: decoded.permissions || [],
+ *       } : undefined,
+ *     };
+ *   },
+ *   getUser: async (userId) => {
+ *     // Your custom user fetching logic
+ *     return myUserService.getById(userId);
+ *   },
+ * });
+ *
+ * const result = await custom.authenticateToken(token);
+ * ```
+ */
+export class CustomAuthProvider extends BaseAuthProvider {
+    type = "custom";
+    validateTokenFn;
+    getUserFn;
+    createSessionFn;
+    constructor(config) {
+        super(config);
+        if (!config.validateToken) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Custom validateToken function is required", { details: { provider: "custom", missingFields: ["validateToken"] } });
+        }
+        this.validateTokenFn = config.validateToken;
+        this.getUserFn = config.getUser;
+        this.createSessionFn = config.createSession;
+    }
+    /**
+     * Validate token using custom function
+     */
+    async authenticateToken(token, context) {
+        try {
+            return await this.validateTokenFn(token, context);
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Create a new session.
+     * Uses custom function if provided, otherwise delegates to BaseAuthProvider.
+     */
+    async createSession(user, context) {
+        if (this.createSessionFn) {
+            const session = await this.createSessionFn(user, context);
+            await this.sessionStorage.save(session);
+            this.emit("auth:login", session.user);
+            return session;
+        }
+        // Delegate to base class session creation
+        return super.createSession(user, context);
+    }
+    /**
+     * Get user by ID using custom function
+     */
+    async getUser(userId) {
+        if (this.getUserFn) {
+            try {
+                return await this.getUserFn(userId);
+            }
+            catch (error) {
+                logger.error("Custom getUser failed:", error);
+                return null;
+            }
+        }
+        // No custom user fetching, return null
+        logger.warn("Custom getUser function not provided");
+        return null;
+    }
+    /**
+     * Health check - always healthy for custom provider
+     */
+    async healthCheck() {
+        return {
+            healthy: true,
+            providerConnected: true,
+            sessionStorageHealthy: true,
+        };
+    }
+}

package/dist/client/auth/providers/firebase.js

@@ -0,0 +1,226 @@
+// src/lib/auth/providers/firebase.ts
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+import { AuthError } from "../errors.js";
+import { logger } from "../../utils/logger.js";
+import { createProxyFetch } from "../../proxy/proxyFetch.js";
+import * as jose from "jose";
+/**
+ * Firebase Authentication Provider
+ *
+ * Supports Firebase ID token validation using Google's public keys.
+ * Can validate tokens locally or via Firebase REST API.
+ *
+ * Features:
+ * - JWT validation using Google's public keys
+ * - Token verification via Firebase REST API
+ * - Custom claims extraction for roles/permissions
+ *
+ * @example
+ * ```typescript
+ * const firebase = new FirebaseAuthProvider({
+ *   type: "firebase",
+ *   projectId: "your-project-id"
+ * });
+ *
+ * const result = await firebase.authenticateToken(idToken);
+ * if (result.valid) {
+ *   console.log("Authenticated user:", result.user);
+ * }
+ * ```
+ */
+export class FirebaseAuthProvider extends BaseAuthProvider {
+    type = "firebase";
+    projectId;
+    apiKey;
+    serviceAccount;
+    jwks = null;
+    constructor(config) {
+        super(config);
+        if (!config.projectId) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Firebase projectId is required", { details: { missingFields: ["projectId"] } });
+        }
+        this.projectId = config.projectId;
+        this.apiKey = config.apiKey;
+        this.serviceAccount = config.serviceAccount;
+    }
+    /**
+     * Initialize JWKS for Firebase token verification
+     */
+    async initialize() {
+        // Firebase uses Google's secure token service public keys
+        const jwksUrl = new URL("https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com");
+        this.jwks = jose.createRemoteJWKSet(jwksUrl);
+        logger.debug(`Firebase provider initialized for project: ${this.projectId}`);
+    }
+    /**
+     * Validate Firebase ID token
+     */
+    async authenticateToken(token, _context) {
+        if (!this.jwks) {
+            await this.initialize();
+        }
+        try {
+            // Verify the token using Google's public keys
+            const { payload } = await jose.jwtVerify(token, this.jwks, {
+                issuer: `https://securetoken.google.com/${this.projectId}`,
+                audience: this.projectId,
+            });
+            // Extract user info from Firebase token claims
+            const user = this.payloadToUser(payload);
+            return {
+                valid: true,
+                payload: payload,
+                user,
+                expiresAt: payload.exp ? new Date(payload.exp * 1000) : undefined,
+                tokenType: "jwt",
+            };
+        }
+        catch (error) {
+            // If local validation fails and API key is available, try REST API
+            if (this.apiKey) {
+                return this.validateViaApi(token);
+            }
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Validate token via Firebase REST API
+     */
+    async validateViaApi(token) {
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=${this.apiKey}`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                },
+                body: JSON.stringify({ idToken: token }),
+                signal: AbortSignal.timeout(5000),
+            });
+            if (!response.ok) {
+                const error = (await response.json());
+                return {
+                    valid: false,
+                    error: error.error?.message || `Firebase API returned ${response.status}`,
+                };
+            }
+            const data = (await response.json());
+            const users = data.users || [];
+            if (users.length === 0) {
+                return {
+                    valid: false,
+                    error: "User not found",
+                };
+            }
+            const userData = users[0];
+            const user = this.firebaseUserToAuthUser(userData);
+            return {
+                valid: true,
+                payload: userData,
+                user,
+                tokenType: "jwt",
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Convert JWT payload to AuthUser
+     */
+    payloadToUser(payload) {
+        // Extract custom claims
+        const customClaims = payload;
+        return {
+            id: payload.sub,
+            email: payload.email,
+            name: payload.name,
+            picture: payload.picture,
+            emailVerified: payload.email_verified,
+            roles: customClaims.roles || [],
+            permissions: customClaims.permissions || [],
+            metadata: {
+                firebase: {
+                    sign_in_provider: payload.firebase?.sign_in_provider ||
+                        "unknown",
+                    identities: payload.firebase?.identities,
+                },
+            },
+        };
+    }
+    /**
+     * Convert Firebase user data to AuthUser
+     */
+    firebaseUserToAuthUser(userData) {
+        let customAttributes = {};
+        if (userData.customAttributes) {
+            try {
+                customAttributes = JSON.parse(userData.customAttributes);
+            }
+            catch {
+                logger.warn("Failed to parse Firebase customAttributes, treating as empty");
+            }
+        }
+        return {
+            id: userData.localId,
+            email: userData.email,
+            name: userData.displayName,
+            picture: userData.photoUrl,
+            emailVerified: userData.emailVerified,
+            roles: customAttributes.roles || [],
+            permissions: customAttributes.permissions || [],
+            createdAt: userData.createdAt
+                ? new Date(parseInt(userData.createdAt))
+                : undefined,
+            lastLoginAt: userData.lastLoginAt
+                ? new Date(parseInt(userData.lastLoginAt))
+                : undefined,
+            metadata: {
+                providerUserInfo: userData.providerUserInfo,
+            },
+        };
+    }
+    /**
+     * Get user by ID via Firebase REST API
+     * Requires API key
+     */
+    async getUser(_userId) {
+        if (!this.apiKey) {
+            logger.warn("Firebase API key required for user lookup");
+            return null;
+        }
+        // Firebase REST API doesn't support direct user lookup by UID
+        // This would require Admin SDK or custom backend
+        logger.warn("Direct user lookup by ID requires Firebase Admin SDK which is not supported in browser/edge environments");
+        return null;
+    }
+    /**
+     * Health check
+     */
+    async healthCheck() {
+        try {
+            // Check if we can fetch the JWKS
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch("https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com", { signal: AbortSignal.timeout(5000) });
+            return {
+                healthy: response.ok,
+                providerConnected: response.ok,
+                sessionStorageHealthy: true,
+            };
+        }
+        catch (error) {
+            return {
+                healthy: false,
+                providerConnected: false,
+                sessionStorageHealthy: true,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+}