@juspay/neurolink 9.31.2 → 9.32.0

package/dist/lib/auth/providers/clerk.js

@@ -0,0 +1,318 @@
+// src/lib/auth/providers/clerk.ts
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+import { AuthError } from "../errors.js";
+import { logger } from "../../utils/logger.js";
+import { createProxyFetch } from "../../proxy/proxyFetch.js";
+import * as jose from "jose";
+/**
+ * Clerk Authentication Provider
+ *
+ * Supports Clerk's session-based and JWT authentication.
+ * Can validate both JWT tokens and session tokens via Clerk API.
+ *
+ * Features:
+ * - JWT validation using Clerk's JWKS
+ * - Session token validation via Clerk API
+ * - User profile fetching
+ * - Organization support for multi-tenant apps
+ *
+ * @example
+ * ```typescript
+ * const clerk = new ClerkProvider({
+ *   type: "clerk",
+ *   publishableKey: "pk_test_...",
+ *   secretKey: "sk_test_..."
+ * });
+ *
+ * const result = await clerk.authenticateToken(sessionToken);
+ * if (result.valid) {
+ *   console.log("Authenticated user:", result.user);
+ * }
+ * ```
+ */
+export class ClerkProvider extends BaseAuthProvider {
+    type = "clerk";
+    secretKey;
+    jwtKey;
+    publishableKey;
+    jwks = null;
+    localKey = null;
+    constructor(config) {
+        super(config);
+        if (!config.secretKey) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Clerk secretKey is required", { details: { missingFields: ["secretKey"] } });
+        }
+        this.secretKey = config.secretKey;
+        this.jwtKey = config.jwtKey;
+        this.publishableKey = config.publishableKey;
+    }
+    /**
+     * Initialize Clerk JWKS
+     */
+    async initialize() {
+        // Clerk JWKS endpoint (v1 API)
+        const jwksUrl = new URL("https://api.clerk.com/v1/jwks");
+        this.jwks = jose.createRemoteJWKSet(jwksUrl);
+        logger.debug("Clerk provider initialized");
+    }
+    /**
+     * Validate Clerk session token or JWT
+     */
+    async authenticateToken(token, _context) {
+        // First try JWT validation (tokens with dots)
+        if (token.includes(".") && token.split(".").length === 3) {
+            return this.validateJWT(token);
+        }
+        // Otherwise treat as session token
+        return this.validateSessionToken(token);
+    }
+    /**
+     * Validate JWT using local jwtKey (if configured) or JWKS
+     */
+    async validateJWT(token) {
+        try {
+            let payload;
+            if (this.jwtKey) {
+                // Use locally provided JWT key for verification
+                if (!this.localKey) {
+                    this.localKey = new TextEncoder().encode(this.jwtKey);
+                }
+                ({ payload } = await jose.jwtVerify(token, this.localKey));
+            }
+            else {
+                // Fall back to Clerk JWKS endpoint
+                if (!this.jwks) {
+                    await this.initialize();
+                }
+                if (!this.jwks) {
+                    return {
+                        valid: false,
+                        error: "Clerk JWKS not initialized",
+                    };
+                }
+                ({ payload } = await jose.jwtVerify(token, this.jwks));
+            }
+            // Validate azp (authorized party) claim if publishableKey is configured
+            if (this.publishableKey && payload.azp) {
+                if (payload.azp !== this.publishableKey) {
+                    return {
+                        valid: false,
+                        error: `Invalid authorized party: ${payload.azp}. Expected: ${this.publishableKey}`,
+                    };
+                }
+            }
+            const user = {
+                id: payload.sub,
+                email: payload.email,
+                name: payload.name,
+                picture: payload.picture,
+                emailVerified: payload.email_verified,
+                roles: payload["https://clerk.dev/roles"] || [],
+                permissions: payload["https://clerk.dev/permissions"] || [],
+                organizationId: payload.org_id,
+                metadata: {
+                    azp: payload.azp,
+                    sid: payload.sid,
+                },
+            };
+            return {
+                valid: true,
+                payload: payload,
+                user,
+                expiresAt: payload.exp ? new Date(payload.exp * 1000) : undefined,
+                tokenType: "jwt",
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Validate session token via Clerk API
+     */
+    async validateSessionToken(token) {
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch("https://api.clerk.com/v1/sessions/verify", {
+                method: "POST",
+                headers: {
+                    Authorization: `Bearer ${this.secretKey}`,
+                    "Content-Type": "application/json",
+                },
+                body: JSON.stringify({ token }),
+            });
+            if (!response.ok) {
+                const error = (await response.json());
+                return {
+                    valid: false,
+                    error: error.errors?.[0]?.message || "Session validation failed",
+                };
+            }
+            const session = (await response.json());
+            const userData = session.user;
+            const emailAddresses = userData?.email_addresses;
+            const user = {
+                id: session.user_id,
+                email: emailAddresses?.[0]?.email_address,
+                name: userData?.first_name
+                    ? `${userData.first_name} ${userData.last_name || ""}`.trim()
+                    : undefined,
+                picture: userData?.image_url,
+                roles: userData?.public_metadata
+                    ?.roles || [],
+                permissions: userData?.public_metadata
+                    ?.permissions || [],
+                organizationId: session.active_organization_id,
+            };
+            return {
+                valid: true,
+                payload: session,
+                user,
+                expiresAt: session.expire_at
+                    ? new Date(session.expire_at)
+                    : undefined,
+                tokenType: "session",
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Get user by ID from Clerk API
+     */
+    async getUser(userId) {
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`https://api.clerk.com/v1/users/${userId}`, {
+                headers: {
+                    Authorization: `Bearer ${this.secretKey}`,
+                },
+            });
+            if (!response.ok) {
+                if (response.status === 404) {
+                    return null;
+                }
+                throw AuthError.create("PROVIDER_ERROR", `Clerk API returned ${response.status}`, { details: { statusCode: response.status } });
+            }
+            const data = (await response.json());
+            const emailAddresses = data.email_addresses;
+            return {
+                id: data.id,
+                email: emailAddresses?.[0]?.email_address,
+                name: data.first_name
+                    ? `${data.first_name} ${data.last_name || ""}`.trim()
+                    : undefined,
+                picture: data.image_url,
+                emailVerified: emailAddresses?.[0]?.verification?.status === "verified",
+                roles: data.public_metadata
+                    ?.roles || [],
+                permissions: data.public_metadata
+                    ?.permissions || [],
+                createdAt: data.created_at
+                    ? new Date(data.created_at)
+                    : undefined,
+                lastLoginAt: data.last_sign_in_at
+                    ? new Date(data.last_sign_in_at)
+                    : undefined,
+                metadata: data.private_metadata,
+            };
+        }
+        catch (error) {
+            logger.error("Failed to fetch Clerk user:", error);
+            if (error &&
+                typeof error === "object" &&
+                "code" in error &&
+                typeof error.code === "string") {
+                throw error;
+            }
+            return null;
+        }
+    }
+    /**
+     * Get user by email from Clerk API
+     */
+    async getUserByEmail(email) {
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`https://api.clerk.com/v1/users?email_address=${encodeURIComponent(email)}`, {
+                headers: {
+                    Authorization: `Bearer ${this.secretKey}`,
+                },
+            });
+            if (!response.ok) {
+                throw AuthError.create("PROVIDER_ERROR", `Clerk API returned ${response.status}`, { details: { statusCode: response.status } });
+            }
+            const users = (await response.json());
+            if (users.length === 0) {
+                return null;
+            }
+            const data = users[0];
+            const emailAddresses = data.email_addresses;
+            return {
+                id: data.id,
+                email: emailAddresses?.[0]?.email_address,
+                name: data.first_name
+                    ? `${data.first_name} ${data.last_name || ""}`.trim()
+                    : undefined,
+                picture: data.image_url,
+                emailVerified: emailAddresses?.[0]?.verification?.status === "verified",
+                roles: data.public_metadata
+                    ?.roles || [],
+                permissions: data.public_metadata
+                    ?.permissions || [],
+                createdAt: data.created_at
+                    ? new Date(data.created_at)
+                    : undefined,
+                lastLoginAt: data.last_sign_in_at
+                    ? new Date(data.last_sign_in_at)
+                    : undefined,
+                metadata: data.private_metadata,
+            };
+        }
+        catch (error) {
+            logger.error("Failed to fetch Clerk user by email:", error);
+            if (error &&
+                typeof error === "object" &&
+                "code" in error &&
+                typeof error.code === "string") {
+                throw error;
+            }
+            return null;
+        }
+    }
+    /**
+     * Health check
+     */
+    async healthCheck() {
+        try {
+            const proxyFetch = createProxyFetch();
+            // Use a lightweight endpoint to check connectivity
+            const response = await proxyFetch("https://api.clerk.com/v1/organizations?limit=1", {
+                headers: {
+                    Authorization: `Bearer ${this.secretKey}`,
+                },
+            });
+            return {
+                healthy: response.ok,
+                providerConnected: response.ok,
+                sessionStorageHealthy: true,
+            };
+        }
+        catch (error) {
+            return {
+                healthy: false,
+                providerConnected: false,
+                sessionStorageHealthy: true,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+}
+//# sourceMappingURL=clerk.js.map

package/dist/lib/auth/providers/custom.d.ts

@@ -0,0 +1,64 @@
+import type { AuthProviderConfig, CustomAuthConfig, AuthUser, AuthSession, TokenValidationResult, AuthRequestContext, AuthHealthCheck } from "../../types/authTypes.js";
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+/**
+ * Custom Authentication Provider
+ *
+ * Allows users to provide their own authentication logic through callback functions.
+ * Useful for integrating with custom auth systems or implementing unique auth flows.
+ *
+ * Features:
+ * - Custom token validation via callback
+ * - Custom user fetching (optional)
+ * - Custom session creation (optional, delegates to base when not provided)
+ * - Session management (inherited from BaseAuthProvider)
+ *
+ * @example
+ * ```typescript
+ * const custom = new CustomAuthProvider({
+ *   type: "custom",
+ *   validateToken: async (token, context) => {
+ *     // Your custom token validation logic
+ *     const decoded = await myAuthService.verify(token);
+ *     return {
+ *       valid: !!decoded,
+ *       user: decoded ? {
+ *         id: decoded.sub,
+ *         email: decoded.email,
+ *         roles: decoded.roles || [],
+ *         permissions: decoded.permissions || [],
+ *       } : undefined,
+ *     };
+ *   },
+ *   getUser: async (userId) => {
+ *     // Your custom user fetching logic
+ *     return myUserService.getById(userId);
+ *   },
+ * });
+ *
+ * const result = await custom.authenticateToken(token);
+ * ```
+ */
+export declare class CustomAuthProvider extends BaseAuthProvider {
+    readonly type: "custom";
+    private validateTokenFn;
+    private getUserFn?;
+    private createSessionFn?;
+    constructor(config: AuthProviderConfig & CustomAuthConfig);
+    /**
+     * Validate token using custom function
+     */
+    authenticateToken(token: string, context?: AuthRequestContext): Promise<TokenValidationResult>;
+    /**
+     * Create a new session.
+     * Uses custom function if provided, otherwise delegates to BaseAuthProvider.
+     */
+    createSession(user: AuthUser, context?: AuthRequestContext): Promise<AuthSession>;
+    /**
+     * Get user by ID using custom function
+     */
+    getUser(userId: string): Promise<AuthUser | null>;
+    /**
+     * Health check - always healthy for custom provider
+     */
+    healthCheck(): Promise<AuthHealthCheck>;
+}

package/dist/lib/auth/providers/custom.js

@@ -0,0 +1,113 @@
+// src/lib/auth/providers/custom.ts
+import { logger } from "../../utils/logger.js";
+import { AuthError } from "../errors.js";
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+/**
+ * Custom Authentication Provider
+ *
+ * Allows users to provide their own authentication logic through callback functions.
+ * Useful for integrating with custom auth systems or implementing unique auth flows.
+ *
+ * Features:
+ * - Custom token validation via callback
+ * - Custom user fetching (optional)
+ * - Custom session creation (optional, delegates to base when not provided)
+ * - Session management (inherited from BaseAuthProvider)
+ *
+ * @example
+ * ```typescript
+ * const custom = new CustomAuthProvider({
+ *   type: "custom",
+ *   validateToken: async (token, context) => {
+ *     // Your custom token validation logic
+ *     const decoded = await myAuthService.verify(token);
+ *     return {
+ *       valid: !!decoded,
+ *       user: decoded ? {
+ *         id: decoded.sub,
+ *         email: decoded.email,
+ *         roles: decoded.roles || [],
+ *         permissions: decoded.permissions || [],
+ *       } : undefined,
+ *     };
+ *   },
+ *   getUser: async (userId) => {
+ *     // Your custom user fetching logic
+ *     return myUserService.getById(userId);
+ *   },
+ * });
+ *
+ * const result = await custom.authenticateToken(token);
+ * ```
+ */
+export class CustomAuthProvider extends BaseAuthProvider {
+    type = "custom";
+    validateTokenFn;
+    getUserFn;
+    createSessionFn;
+    constructor(config) {
+        super(config);
+        if (!config.validateToken) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Custom validateToken function is required", { details: { provider: "custom", missingFields: ["validateToken"] } });
+        }
+        this.validateTokenFn = config.validateToken;
+        this.getUserFn = config.getUser;
+        this.createSessionFn = config.createSession;
+    }
+    /**
+     * Validate token using custom function
+     */
+    async authenticateToken(token, context) {
+        try {
+            return await this.validateTokenFn(token, context);
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Create a new session.
+     * Uses custom function if provided, otherwise delegates to BaseAuthProvider.
+     */
+    async createSession(user, context) {
+        if (this.createSessionFn) {
+            const session = await this.createSessionFn(user, context);
+            await this.sessionStorage.save(session);
+            this.emit("auth:login", session.user);
+            return session;
+        }
+        // Delegate to base class session creation
+        return super.createSession(user, context);
+    }
+    /**
+     * Get user by ID using custom function
+     */
+    async getUser(userId) {
+        if (this.getUserFn) {
+            try {
+                return await this.getUserFn(userId);
+            }
+            catch (error) {
+                logger.error("Custom getUser failed:", error);
+                return null;
+            }
+        }
+        // No custom user fetching, return null
+        logger.warn("Custom getUser function not provided");
+        return null;
+    }
+    /**
+     * Health check - always healthy for custom provider
+     */
+    async healthCheck() {
+        return {
+            healthy: true,
+            providerConnected: true,
+            sessionStorageHealthy: true,
+        };
+    }
+}
+//# sourceMappingURL=custom.js.map

package/dist/lib/auth/providers/firebase.d.ts

@@ -0,0 +1,63 @@
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+import type { AuthProviderConfig, FirebaseConfig, AuthUser, TokenValidationResult, AuthRequestContext, AuthHealthCheck, AuthProviderType } from "../../types/authTypes.js";
+/**
+ * Firebase Authentication Provider
+ *
+ * Supports Firebase ID token validation using Google's public keys.
+ * Can validate tokens locally or via Firebase REST API.
+ *
+ * Features:
+ * - JWT validation using Google's public keys
+ * - Token verification via Firebase REST API
+ * - Custom claims extraction for roles/permissions
+ *
+ * @example
+ * ```typescript
+ * const firebase = new FirebaseAuthProvider({
+ *   type: "firebase",
+ *   projectId: "your-project-id"
+ * });
+ *
+ * const result = await firebase.authenticateToken(idToken);
+ * if (result.valid) {
+ *   console.log("Authenticated user:", result.user);
+ * }
+ * ```
+ */
+export declare class FirebaseAuthProvider extends BaseAuthProvider {
+    readonly type: AuthProviderType;
+    private projectId;
+    private apiKey?;
+    private serviceAccount?;
+    private jwks;
+    constructor(config: AuthProviderConfig & FirebaseConfig);
+    /**
+     * Initialize JWKS for Firebase token verification
+     */
+    initialize(): Promise<void>;
+    /**
+     * Validate Firebase ID token
+     */
+    authenticateToken(token: string, _context?: AuthRequestContext): Promise<TokenValidationResult>;
+    /**
+     * Validate token via Firebase REST API
+     */
+    private validateViaApi;
+    /**
+     * Convert JWT payload to AuthUser
+     */
+    private payloadToUser;
+    /**
+     * Convert Firebase user data to AuthUser
+     */
+    private firebaseUserToAuthUser;
+    /**
+     * Get user by ID via Firebase REST API
+     * Requires API key
+     */
+    getUser(_userId: string): Promise<AuthUser | null>;
+    /**
+     * Health check
+     */
+    healthCheck(): Promise<AuthHealthCheck>;
+}