@juspay/neurolink 9.31.2 → 9.32.0

package/dist/lib/auth/providers/firebase.js

@@ -0,0 +1,227 @@
+// src/lib/auth/providers/firebase.ts
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+import { AuthError } from "../errors.js";
+import { logger } from "../../utils/logger.js";
+import { createProxyFetch } from "../../proxy/proxyFetch.js";
+import * as jose from "jose";
+/**
+ * Firebase Authentication Provider
+ *
+ * Supports Firebase ID token validation using Google's public keys.
+ * Can validate tokens locally or via Firebase REST API.
+ *
+ * Features:
+ * - JWT validation using Google's public keys
+ * - Token verification via Firebase REST API
+ * - Custom claims extraction for roles/permissions
+ *
+ * @example
+ * ```typescript
+ * const firebase = new FirebaseAuthProvider({
+ *   type: "firebase",
+ *   projectId: "your-project-id"
+ * });
+ *
+ * const result = await firebase.authenticateToken(idToken);
+ * if (result.valid) {
+ *   console.log("Authenticated user:", result.user);
+ * }
+ * ```
+ */
+export class FirebaseAuthProvider extends BaseAuthProvider {
+    type = "firebase";
+    projectId;
+    apiKey;
+    serviceAccount;
+    jwks = null;
+    constructor(config) {
+        super(config);
+        if (!config.projectId) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Firebase projectId is required", { details: { missingFields: ["projectId"] } });
+        }
+        this.projectId = config.projectId;
+        this.apiKey = config.apiKey;
+        this.serviceAccount = config.serviceAccount;
+    }
+    /**
+     * Initialize JWKS for Firebase token verification
+     */
+    async initialize() {
+        // Firebase uses Google's secure token service public keys
+        const jwksUrl = new URL("https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com");
+        this.jwks = jose.createRemoteJWKSet(jwksUrl);
+        logger.debug(`Firebase provider initialized for project: ${this.projectId}`);
+    }
+    /**
+     * Validate Firebase ID token
+     */
+    async authenticateToken(token, _context) {
+        if (!this.jwks) {
+            await this.initialize();
+        }
+        try {
+            // Verify the token using Google's public keys
+            const { payload } = await jose.jwtVerify(token, this.jwks, {
+                issuer: `https://securetoken.google.com/${this.projectId}`,
+                audience: this.projectId,
+            });
+            // Extract user info from Firebase token claims
+            const user = this.payloadToUser(payload);
+            return {
+                valid: true,
+                payload: payload,
+                user,
+                expiresAt: payload.exp ? new Date(payload.exp * 1000) : undefined,
+                tokenType: "jwt",
+            };
+        }
+        catch (error) {
+            // If local validation fails and API key is available, try REST API
+            if (this.apiKey) {
+                return this.validateViaApi(token);
+            }
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Validate token via Firebase REST API
+     */
+    async validateViaApi(token) {
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=${this.apiKey}`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                },
+                body: JSON.stringify({ idToken: token }),
+                signal: AbortSignal.timeout(5000),
+            });
+            if (!response.ok) {
+                const error = (await response.json());
+                return {
+                    valid: false,
+                    error: error.error?.message || `Firebase API returned ${response.status}`,
+                };
+            }
+            const data = (await response.json());
+            const users = data.users || [];
+            if (users.length === 0) {
+                return {
+                    valid: false,
+                    error: "User not found",
+                };
+            }
+            const userData = users[0];
+            const user = this.firebaseUserToAuthUser(userData);
+            return {
+                valid: true,
+                payload: userData,
+                user,
+                tokenType: "jwt",
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Convert JWT payload to AuthUser
+     */
+    payloadToUser(payload) {
+        // Extract custom claims
+        const customClaims = payload;
+        return {
+            id: payload.sub,
+            email: payload.email,
+            name: payload.name,
+            picture: payload.picture,
+            emailVerified: payload.email_verified,
+            roles: customClaims.roles || [],
+            permissions: customClaims.permissions || [],
+            metadata: {
+                firebase: {
+                    sign_in_provider: payload.firebase?.sign_in_provider ||
+                        "unknown",
+                    identities: payload.firebase?.identities,
+                },
+            },
+        };
+    }
+    /**
+     * Convert Firebase user data to AuthUser
+     */
+    firebaseUserToAuthUser(userData) {
+        let customAttributes = {};
+        if (userData.customAttributes) {
+            try {
+                customAttributes = JSON.parse(userData.customAttributes);
+            }
+            catch {
+                logger.warn("Failed to parse Firebase customAttributes, treating as empty");
+            }
+        }
+        return {
+            id: userData.localId,
+            email: userData.email,
+            name: userData.displayName,
+            picture: userData.photoUrl,
+            emailVerified: userData.emailVerified,
+            roles: customAttributes.roles || [],
+            permissions: customAttributes.permissions || [],
+            createdAt: userData.createdAt
+                ? new Date(parseInt(userData.createdAt))
+                : undefined,
+            lastLoginAt: userData.lastLoginAt
+                ? new Date(parseInt(userData.lastLoginAt))
+                : undefined,
+            metadata: {
+                providerUserInfo: userData.providerUserInfo,
+            },
+        };
+    }
+    /**
+     * Get user by ID via Firebase REST API
+     * Requires API key
+     */
+    async getUser(_userId) {
+        if (!this.apiKey) {
+            logger.warn("Firebase API key required for user lookup");
+            return null;
+        }
+        // Firebase REST API doesn't support direct user lookup by UID
+        // This would require Admin SDK or custom backend
+        logger.warn("Direct user lookup by ID requires Firebase Admin SDK which is not supported in browser/edge environments");
+        return null;
+    }
+    /**
+     * Health check
+     */
+    async healthCheck() {
+        try {
+            // Check if we can fetch the JWKS
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch("https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com", { signal: AbortSignal.timeout(5000) });
+            return {
+                healthy: response.ok,
+                providerConnected: response.ok,
+                sessionStorageHealthy: true,
+            };
+        }
+        catch (error) {
+            return {
+                healthy: false,
+                providerConnected: false,
+                sessionStorageHealthy: true,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+}
+//# sourceMappingURL=firebase.js.map

package/dist/lib/auth/providers/jwt.d.ts

@@ -0,0 +1,68 @@
+import type { AuthHealthCheck, AuthProviderConfig, AuthRequestContext, JWTConfig, TokenValidationResult } from "../../types/authTypes.js";
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+/**
+ * Generic JWT Provider
+ *
+ * Supports validation of JWT tokens using either symmetric secrets (HS256/384/512)
+ * or asymmetric keys (RS256/384/512, ES256/384/512).
+ *
+ * Features:
+ * - Symmetric secret validation (HMAC)
+ * - Asymmetric key validation (RSA, ECDSA)
+ * - Configurable algorithms
+ * - Issuer and audience validation
+ * - Token signing (symmetric keys only)
+ * - Session management (inherited from BaseAuthProvider)
+ *
+ * @example
+ * ```typescript
+ * // Symmetric key (HMAC)
+ * const jwtProvider = new JWTProvider({
+ *   type: "jwt",
+ *   secret: "your-256-bit-secret",
+ *   algorithms: ["HS256"],
+ *   issuer: "your-app",
+ *   audience: "your-api",
+ * });
+ *
+ * // Asymmetric key (RSA/ECDSA)
+ * const jwtProvider = new JWTProvider({
+ *   type: "jwt",
+ *   publicKey: "-----BEGIN PUBLIC KEY-----...",
+ *   algorithms: ["RS256"],
+ *   issuer: "your-app",
+ * });
+ *
+ * const result = await jwtProvider.authenticateToken(token);
+ * ```
+ */
+export declare class JWTProvider extends BaseAuthProvider {
+    readonly type: "jwt";
+    private secret?;
+    private publicKey?;
+    private algorithms;
+    private issuer?;
+    private audience?;
+    private keyObject;
+    constructor(config: AuthProviderConfig & JWTConfig);
+    /**
+     * Initialize the key for verification
+     */
+    initialize(): Promise<void>;
+    /**
+     * Validate JWT token
+     */
+    authenticateToken(token: string, _context?: AuthRequestContext): Promise<TokenValidationResult>;
+    /**
+     * Create a signed JWT token
+     *
+     * Useful for issuing tokens from this provider.
+     */
+    signToken(payload: Record<string, unknown>, options?: {
+        expiresIn?: string;
+    }): Promise<string>;
+    /**
+     * Health check
+     */
+    healthCheck(): Promise<AuthHealthCheck>;
+}

package/dist/lib/auth/providers/jwt.js

@@ -0,0 +1,213 @@
+// src/lib/auth/providers/jwt.ts
+import * as jose from "jose";
+import { logger } from "../../utils/logger.js";
+import { AuthError } from "../errors.js";
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+/**
+ * Generic JWT Provider
+ *
+ * Supports validation of JWT tokens using either symmetric secrets (HS256/384/512)
+ * or asymmetric keys (RS256/384/512, ES256/384/512).
+ *
+ * Features:
+ * - Symmetric secret validation (HMAC)
+ * - Asymmetric key validation (RSA, ECDSA)
+ * - Configurable algorithms
+ * - Issuer and audience validation
+ * - Token signing (symmetric keys only)
+ * - Session management (inherited from BaseAuthProvider)
+ *
+ * @example
+ * ```typescript
+ * // Symmetric key (HMAC)
+ * const jwtProvider = new JWTProvider({
+ *   type: "jwt",
+ *   secret: "your-256-bit-secret",
+ *   algorithms: ["HS256"],
+ *   issuer: "your-app",
+ *   audience: "your-api",
+ * });
+ *
+ * // Asymmetric key (RSA/ECDSA)
+ * const jwtProvider = new JWTProvider({
+ *   type: "jwt",
+ *   publicKey: "-----BEGIN PUBLIC KEY-----...",
+ *   algorithms: ["RS256"],
+ *   issuer: "your-app",
+ * });
+ *
+ * const result = await jwtProvider.authenticateToken(token);
+ * ```
+ */
+export class JWTProvider extends BaseAuthProvider {
+    type = "jwt";
+    secret;
+    publicKey;
+    algorithms;
+    issuer;
+    audience;
+    keyObject = null;
+    constructor(config) {
+        super(config);
+        if (!config.secret && !config.publicKey) {
+            throw AuthError.create("CONFIGURATION_ERROR", "JWT requires either secret (for HMAC) or publicKey (for RSA/ECDSA)", {
+                details: { provider: "jwt", missingFields: ["secret", "publicKey"] },
+            });
+        }
+        this.secret = config.secret;
+        this.publicKey = config.publicKey;
+        this.algorithms =
+            config.algorithms ?? (config.secret ? ["HS256"] : ["RS256"]);
+        this.issuer = config.issuer;
+        this.audience = config.audience;
+    }
+    /**
+     * Initialize the key for verification
+     */
+    async initialize() {
+        try {
+            if (this.secret) {
+                // Symmetric key (HMAC)
+                this.keyObject = new TextEncoder().encode(this.secret);
+                logger.debug("JWT provider initialized with symmetric secret");
+            }
+            else if (this.publicKey) {
+                // Asymmetric key (RSA/ECDSA)
+                this.keyObject = await jose.importSPKI(this.publicKey, this.algorithms[0]);
+                logger.debug("JWT provider initialized with asymmetric public key");
+            }
+        }
+        catch (error) {
+            throw AuthError.create("PROVIDER_INIT_FAILED", `Failed to initialize JWT key: ${error instanceof Error ? error.message : String(error)}`, {
+                details: { provider: "jwt" },
+                cause: error instanceof Error ? error : undefined,
+            });
+        }
+    }
+    /**
+     * Validate JWT token
+     */
+    async authenticateToken(token, _context) {
+        if (!this.keyObject) {
+            await this.initialize();
+        }
+        try {
+            const verifyOptions = {};
+            if (this.algorithms.length > 0) {
+                verifyOptions.algorithms = this
+                    .algorithms;
+            }
+            if (this.issuer) {
+                verifyOptions.issuer = this.issuer;
+            }
+            if (this.audience) {
+                verifyOptions.audience = this.audience;
+            }
+            const { payload } = await jose.jwtVerify(token, this.keyObject, verifyOptions);
+            // Reject tokens without a non-empty sub claim
+            if (!payload.sub) {
+                return {
+                    valid: false,
+                    error: "JWT is missing required 'sub' claim: cannot identify user",
+                };
+            }
+            // Extract user from standard JWT claims
+            const user = {
+                id: payload.sub,
+                email: payload.email,
+                name: payload.name,
+                picture: payload.picture,
+                emailVerified: payload.email_verified,
+                roles: payload.roles ?? [],
+                permissions: payload.permissions ??
+                    payload.scope?.split(" ") ??
+                    [],
+                metadata: {
+                    iss: payload.iss,
+                    aud: payload.aud,
+                    jti: payload.jti,
+                },
+            };
+            return {
+                valid: true,
+                payload: payload,
+                user,
+                expiresAt: payload.exp ? new Date(payload.exp * 1000) : undefined,
+                tokenType: "jwt",
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            logger.warn("JWT validation failed:", message);
+            // Provide specific error messages
+            let errorDetail = message;
+            if (message.includes("JWTExpired")) {
+                errorDetail = "Token has expired";
+            }
+            else if (message.includes("signature")) {
+                errorDetail = "Invalid token signature";
+            }
+            else if (message.includes("audience")) {
+                errorDetail = "Invalid token audience";
+            }
+            else if (message.includes("issuer")) {
+                errorDetail = "Invalid token issuer";
+            }
+            return {
+                valid: false,
+                error: errorDetail,
+            };
+        }
+    }
+    /**
+     * Create a signed JWT token
+     *
+     * Useful for issuing tokens from this provider.
+     */
+    async signToken(payload, options) {
+        if (!this.secret) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Token signing requires a secret (symmetric key)", { details: { provider: "jwt" } });
+        }
+        if (!this.keyObject) {
+            await this.initialize();
+        }
+        const jwt = new jose.SignJWT(payload)
+            .setProtectedHeader({ alg: this.algorithms[0] })
+            .setIssuedAt();
+        if (this.issuer) {
+            jwt.setIssuer(this.issuer);
+        }
+        if (this.audience) {
+            jwt.setAudience(this.audience);
+        }
+        if (options?.expiresIn) {
+            jwt.setExpirationTime(options.expiresIn);
+        }
+        return jwt.sign(this.keyObject);
+    }
+    /**
+     * Health check
+     */
+    async healthCheck() {
+        try {
+            // Verify the key is properly initialized
+            if (!this.keyObject) {
+                await this.initialize();
+            }
+            return {
+                healthy: this.keyObject !== null,
+                providerConnected: true,
+                sessionStorageHealthy: true,
+            };
+        }
+        catch (error) {
+            return {
+                healthy: false,
+                providerConnected: false,
+                sessionStorageHealthy: true,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+}
+//# sourceMappingURL=jwt.js.map

package/dist/lib/auth/providers/oauth2.d.ts

@@ -0,0 +1,73 @@
+import type { AuthHealthCheck, AuthProviderConfig, AuthRequestContext, OAuth2Config, TokenValidationResult } from "../../types/authTypes.js";
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+/**
+ * Generic OAuth2/OIDC Provider
+ *
+ * Supports any OAuth2-compliant identity provider with configurable endpoints.
+ * Works with both JWKS-based JWT validation and token introspection.
+ *
+ * Features:
+ * - JWT validation with JWKS (if jwksUrl provided)
+ * - Token introspection endpoint support
+ * - User info endpoint integration
+ * - PKCE support
+ *
+ * @example
+ * ```typescript
+ * const oauth2 = new OAuth2Provider({
+ *   type: "oauth2",
+ *   authorizationUrl: "https://idp.example.com/oauth/authorize",
+ *   tokenUrl: "https://idp.example.com/oauth/token",
+ *   userInfoUrl: "https://idp.example.com/userinfo",
+ *   jwksUrl: "https://idp.example.com/.well-known/jwks.json",
+ *   clientId: "your-client-id",
+ *   clientSecret: "your-client-secret",
+ * });
+ *
+ * const result = await oauth2.authenticateToken(accessToken);
+ * ```
+ */
+export declare class OAuth2Provider extends BaseAuthProvider {
+    readonly type: "oauth2";
+    private authorizationUrl;
+    private tokenUrl;
+    private userInfoUrl?;
+    private jwksUrl?;
+    private clientId;
+    private clientSecret?;
+    private scopes;
+    private redirectUrl?;
+    private usePKCE;
+    private jwks;
+    constructor(config: AuthProviderConfig & OAuth2Config);
+    /**
+     * Initialize JWKS for JWT verification (if jwksUrl is provided)
+     */
+    initialize(): Promise<void>;
+    /**
+     * Validate OAuth2 access token
+     *
+     * Uses JWKS validation if available, otherwise falls back to userinfo endpoint
+     */
+    authenticateToken(token: string, _context?: AuthRequestContext): Promise<TokenValidationResult>;
+    /**
+     * Validate token via userinfo endpoint
+     */
+    private validateViaUserInfo;
+    /**
+     * Get authorization URL for OAuth2 flow
+     */
+    getAuthorizationUrl(state: string, codeChallenge?: string): string;
+    /**
+     * Exchange authorization code for tokens
+     */
+    exchangeCode(code: string, codeVerifier?: string): Promise<{
+        accessToken: string;
+        refreshToken?: string;
+        idToken?: string;
+    }>;
+    /**
+     * Health check
+     */
+    healthCheck(): Promise<AuthHealthCheck>;
+}