@juspay/neurolink 9.31.2 → 9.32.0

package/dist/lib/auth/providers/oauth2.js

@@ -0,0 +1,304 @@
+// src/lib/auth/providers/oauth2.ts
+import * as jose from "jose";
+import { createProxyFetch } from "../../proxy/proxyFetch.js";
+import { logger } from "../../utils/logger.js";
+import { AuthError } from "../errors.js";
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+/**
+ * Generic OAuth2/OIDC Provider
+ *
+ * Supports any OAuth2-compliant identity provider with configurable endpoints.
+ * Works with both JWKS-based JWT validation and token introspection.
+ *
+ * Features:
+ * - JWT validation with JWKS (if jwksUrl provided)
+ * - Token introspection endpoint support
+ * - User info endpoint integration
+ * - PKCE support
+ *
+ * @example
+ * ```typescript
+ * const oauth2 = new OAuth2Provider({
+ *   type: "oauth2",
+ *   authorizationUrl: "https://idp.example.com/oauth/authorize",
+ *   tokenUrl: "https://idp.example.com/oauth/token",
+ *   userInfoUrl: "https://idp.example.com/userinfo",
+ *   jwksUrl: "https://idp.example.com/.well-known/jwks.json",
+ *   clientId: "your-client-id",
+ *   clientSecret: "your-client-secret",
+ * });
+ *
+ * const result = await oauth2.authenticateToken(accessToken);
+ * ```
+ */
+export class OAuth2Provider extends BaseAuthProvider {
+    type = "oauth2";
+    authorizationUrl;
+    tokenUrl;
+    userInfoUrl;
+    jwksUrl;
+    clientId;
+    clientSecret;
+    scopes;
+    redirectUrl;
+    usePKCE;
+    jwks = null;
+    constructor(config) {
+        super(config);
+        if (!config.authorizationUrl) {
+            throw AuthError.create("CONFIGURATION_ERROR", "OAuth2 authorizationUrl is required");
+        }
+        if (!config.tokenUrl) {
+            throw AuthError.create("CONFIGURATION_ERROR", "OAuth2 tokenUrl is required");
+        }
+        if (!config.clientId) {
+            throw AuthError.create("CONFIGURATION_ERROR", "OAuth2 clientId is required");
+        }
+        this.authorizationUrl = config.authorizationUrl;
+        this.tokenUrl = config.tokenUrl;
+        this.userInfoUrl = config.userInfoUrl;
+        this.jwksUrl = config.jwksUrl;
+        this.clientId = config.clientId;
+        this.clientSecret = config.clientSecret;
+        this.scopes = config.scopes ?? ["openid", "profile", "email"];
+        this.redirectUrl = config.redirectUrl;
+        this.usePKCE = config.usePKCE ?? false;
+    }
+    /**
+     * Initialize JWKS for JWT verification (if jwksUrl is provided)
+     */
+    async initialize() {
+        if (this.jwksUrl) {
+            try {
+                const jwksUrl = new URL(this.jwksUrl);
+                this.jwks = jose.createRemoteJWKSet(jwksUrl);
+                logger.debug(`OAuth2 provider initialized with JWKS: ${this.jwksUrl}`);
+            }
+            catch (error) {
+                throw AuthError.create("PROVIDER_INIT_FAILED", "Failed to initialize OAuth2 JWKS", {
+                    cause: error instanceof Error ? error : new Error(String(error)),
+                });
+            }
+        }
+    }
+    /**
+     * Validate OAuth2 access token
+     *
+     * Uses JWKS validation if available, otherwise falls back to userinfo endpoint
+     */
+    async authenticateToken(token, _context) {
+        // Try JWKS validation first if available
+        if (this.jwksUrl) {
+            // Lazy-init JWKS on first use if initialize() was not called
+            if (!this.jwks) {
+                await this.initialize();
+            }
+            if (!this.jwks) {
+                return {
+                    valid: false,
+                    error: "JWKS not available after initialization",
+                };
+            }
+            try {
+                const { payload } = await jose.jwtVerify(token, this.jwks);
+                // Validate issuer against the authorization server origin
+                if (payload.iss) {
+                    const expectedIssuerOrigin = new URL(this.authorizationUrl).origin;
+                    if (!payload.iss.startsWith(expectedIssuerOrigin)) {
+                        return {
+                            valid: false,
+                            error: `Invalid issuer: ${payload.iss}. Expected origin: ${expectedIssuerOrigin}`,
+                        };
+                    }
+                }
+                // Validate audience against the configured clientId
+                if (payload.aud) {
+                    const audiences = Array.isArray(payload.aud)
+                        ? payload.aud
+                        : [payload.aud];
+                    if (!audiences.includes(this.clientId)) {
+                        return {
+                            valid: false,
+                            error: `Invalid audience: ${audiences.join(", ")}. Expected: ${this.clientId}`,
+                        };
+                    }
+                }
+                if (!payload.sub) {
+                    return {
+                        valid: false,
+                        error: "JWT is missing required 'sub' claim: cannot identify user",
+                    };
+                }
+                const user = {
+                    id: payload.sub,
+                    email: payload.email,
+                    name: payload.name,
+                    picture: payload.picture,
+                    roles: payload.roles ?? [],
+                    permissions: payload.permissions ?? [],
+                    metadata: payload,
+                };
+                return {
+                    valid: true,
+                    payload: payload,
+                    user,
+                    expiresAt: payload.exp ? new Date(payload.exp * 1000) : undefined,
+                    tokenType: "jwt",
+                };
+            }
+            catch {
+                logger.debug("JWKS validation failed, trying userinfo endpoint");
+            }
+        }
+        // Fall back to userinfo endpoint if available
+        if (this.userInfoUrl) {
+            return this.validateViaUserInfo(token);
+        }
+        return {
+            valid: false,
+            error: "No validation method available (provide jwksUrl or userInfoUrl)",
+        };
+    }
+    /**
+     * Validate token via userinfo endpoint
+     */
+    async validateViaUserInfo(token) {
+        try {
+            const proxyFetch = createProxyFetch();
+            if (!this.userInfoUrl) {
+                return {
+                    valid: false,
+                    error: "UserInfo URL not configured",
+                };
+            }
+            const response = await proxyFetch(this.userInfoUrl, {
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                },
+                signal: AbortSignal.timeout(5000),
+            });
+            if (!response.ok) {
+                return {
+                    valid: false,
+                    error: `UserInfo endpoint returned ${response.status}`,
+                };
+            }
+            const data = (await response.json());
+            const userId = data.sub ?? data.id;
+            if (!userId) {
+                return {
+                    valid: false,
+                    error: "UserInfo response is missing 'sub' and 'id': cannot identify user",
+                };
+            }
+            const user = {
+                id: userId,
+                email: data.email,
+                name: data.name,
+                picture: data.picture,
+                emailVerified: data.email_verified,
+                roles: data.roles ?? [],
+                permissions: data.permissions ?? [],
+                metadata: data,
+            };
+            return {
+                valid: true,
+                payload: data,
+                user,
+                tokenType: "oauth",
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            logger.warn("OAuth2 userinfo validation failed:", message);
+            return {
+                valid: false,
+                error: message,
+            };
+        }
+    }
+    /**
+     * Get authorization URL for OAuth2 flow
+     */
+    getAuthorizationUrl(state, codeChallenge) {
+        const params = new URLSearchParams({
+            response_type: "code",
+            client_id: this.clientId,
+            scope: this.scopes.join(" "),
+            state,
+        });
+        if (this.redirectUrl) {
+            params.set("redirect_uri", this.redirectUrl);
+        }
+        if (this.usePKCE && codeChallenge) {
+            params.set("code_challenge", codeChallenge);
+            params.set("code_challenge_method", "S256");
+        }
+        return `${this.authorizationUrl}?${params.toString()}`;
+    }
+    /**
+     * Exchange authorization code for tokens
+     */
+    async exchangeCode(code, codeVerifier) {
+        const proxyFetch = createProxyFetch();
+        const body = new URLSearchParams({
+            grant_type: "authorization_code",
+            client_id: this.clientId,
+            code,
+        });
+        if (this.clientSecret) {
+            body.set("client_secret", this.clientSecret);
+        }
+        if (this.redirectUrl) {
+            body.set("redirect_uri", this.redirectUrl);
+        }
+        if (this.usePKCE && codeVerifier) {
+            body.set("code_verifier", codeVerifier);
+        }
+        const response = await proxyFetch(this.tokenUrl, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+            },
+            body: body.toString(),
+            signal: AbortSignal.timeout(5000),
+        });
+        if (!response.ok) {
+            throw AuthError.create("PROVIDER_ERROR", `Token exchange failed: ${response.status}`);
+        }
+        const data = (await response.json());
+        return {
+            accessToken: data.access_token,
+            refreshToken: data.refresh_token,
+            idToken: data.id_token,
+        };
+    }
+    /**
+     * Health check
+     */
+    async healthCheck() {
+        try {
+            // Try to fetch JWKS or authorization endpoint to check connectivity
+            const proxyFetch = createProxyFetch();
+            const checkUrl = this.jwksUrl ?? this.authorizationUrl;
+            const response = await proxyFetch(checkUrl, { method: "HEAD" });
+            return {
+                healthy: response.ok || response.status === 405, // 405 is ok for HEAD
+                providerConnected: true,
+                sessionStorageHealthy: true,
+                error: response.ok || response.status === 405
+                    ? undefined
+                    : `HTTP ${response.status}`,
+            };
+        }
+        catch (error) {
+            return {
+                healthy: false,
+                providerConnected: false,
+                sessionStorageHealthy: true,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+}
+//# sourceMappingURL=oauth2.js.map

package/dist/lib/auth/providers/supabase.d.ts

@@ -0,0 +1,63 @@
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+import type { AuthProviderConfig, SupabaseConfig, AuthUser, TokenValidationResult, AuthRequestContext, AuthHealthCheck, AuthProviderType } from "../../types/authTypes.js";
+/**
+ * Supabase Authentication Provider
+ *
+ * Supports Supabase JWT validation and user management.
+ * Can validate tokens locally with JWT secret or via Supabase API.
+ *
+ * Features:
+ * - Local JWT validation with JWT secret
+ * - API-based token validation
+ * - User profile fetching (requires service role key)
+ * - Role extraction from app_metadata
+ *
+ * @example
+ * ```typescript
+ * const supabase = new SupabaseAuthProvider({
+ *   type: "supabase",
+ *   url: "https://your-project.supabase.co",
+ *   anonKey: "your-anon-key",
+ *   jwtSecret: "your-jwt-secret" // Optional for local validation
+ * });
+ *
+ * const result = await supabase.authenticateToken(accessToken);
+ * if (result.valid) {
+ *   console.log("Authenticated user:", result.user);
+ * }
+ * ```
+ */
+export declare class SupabaseAuthProvider extends BaseAuthProvider {
+    readonly type: AuthProviderType;
+    private supabaseUrl;
+    private anonKey;
+    private serviceRoleKey?;
+    private jwtSecret?;
+    constructor(config: AuthProviderConfig & SupabaseConfig);
+    /**
+     * Validate Supabase JWT
+     */
+    authenticateToken(token: string, _context?: AuthRequestContext): Promise<TokenValidationResult>;
+    /**
+     * Convert JWT payload to AuthUser
+     */
+    private payloadToUser;
+    /**
+     * Convert Supabase user to AuthUser
+     */
+    private supabaseUserToAuthUser;
+    /**
+     * Get user by ID via Supabase Admin API
+     * Requires service role key
+     */
+    getUser(userId: string): Promise<AuthUser | null>;
+    /**
+     * Get user by email via Supabase Admin API
+     * Requires service role key
+     */
+    getUserByEmail(email: string): Promise<AuthUser | null>;
+    /**
+     * Health check
+     */
+    healthCheck(): Promise<AuthHealthCheck>;
+}

package/dist/lib/auth/providers/supabase.js

@@ -0,0 +1,260 @@
+// src/lib/auth/providers/supabase.ts
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+import { AuthError } from "../errors.js";
+import { logger } from "../../utils/logger.js";
+import { createProxyFetch } from "../../proxy/proxyFetch.js";
+import * as jose from "jose";
+/**
+ * Supabase Authentication Provider
+ *
+ * Supports Supabase JWT validation and user management.
+ * Can validate tokens locally with JWT secret or via Supabase API.
+ *
+ * Features:
+ * - Local JWT validation with JWT secret
+ * - API-based token validation
+ * - User profile fetching (requires service role key)
+ * - Role extraction from app_metadata
+ *
+ * @example
+ * ```typescript
+ * const supabase = new SupabaseAuthProvider({
+ *   type: "supabase",
+ *   url: "https://your-project.supabase.co",
+ *   anonKey: "your-anon-key",
+ *   jwtSecret: "your-jwt-secret" // Optional for local validation
+ * });
+ *
+ * const result = await supabase.authenticateToken(accessToken);
+ * if (result.valid) {
+ *   console.log("Authenticated user:", result.user);
+ * }
+ * ```
+ */
+export class SupabaseAuthProvider extends BaseAuthProvider {
+    type = "supabase";
+    supabaseUrl;
+    anonKey;
+    serviceRoleKey;
+    jwtSecret;
+    constructor(config) {
+        super(config);
+        if (!config.url) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Supabase URL is required", { details: { missingFields: ["url"] } });
+        }
+        if (!config.anonKey) {
+            throw AuthError.create("CONFIGURATION_ERROR", "Supabase anon key is required", { details: { missingFields: ["anonKey"] } });
+        }
+        this.supabaseUrl = config.url.replace(/\/$/, ""); // Remove trailing slash
+        this.anonKey = config.anonKey;
+        this.serviceRoleKey = config.serviceRoleKey;
+        this.jwtSecret = config.jwtSecret;
+    }
+    /**
+     * Validate Supabase JWT
+     */
+    async authenticateToken(token, _context) {
+        try {
+            // If JWT secret is provided, verify locally
+            if (this.jwtSecret) {
+                const secret = new TextEncoder().encode(this.jwtSecret);
+                const { payload } = await jose.jwtVerify(token, secret);
+                // Reject tokens without a sub claim (anon/service_role JWTs)
+                if (!payload.sub) {
+                    return {
+                        valid: false,
+                        error: "Token missing sub claim: cannot authenticate without a user identity",
+                    };
+                }
+                // Only accept tokens with "authenticated" role
+                const role = payload.role;
+                if (role && role !== "authenticated") {
+                    return {
+                        valid: false,
+                        error: `Invalid token role: ${role}. Only "authenticated" role is accepted`,
+                    };
+                }
+                const user = this.payloadToUser(payload);
+                return {
+                    valid: true,
+                    payload: payload,
+                    user,
+                    expiresAt: payload.exp ? new Date(payload.exp * 1000) : undefined,
+                    tokenType: "jwt",
+                };
+            }
+            // Otherwise, validate via Supabase API
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`${this.supabaseUrl}/auth/v1/user`, {
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                    apikey: this.anonKey,
+                },
+            });
+            if (!response.ok) {
+                return {
+                    valid: false,
+                    error: `Token validation failed: HTTP ${response.status}`,
+                };
+            }
+            const userData = (await response.json());
+            const user = this.supabaseUserToAuthUser(userData);
+            return {
+                valid: true,
+                payload: userData,
+                user,
+                tokenType: "jwt",
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Convert JWT payload to AuthUser
+     */
+    payloadToUser(payload) {
+        const appMetadata = payload.app_metadata;
+        const userMetadata = payload.user_metadata;
+        // Use payload.role (Supabase standard claim) for the roles array
+        const role = payload.role;
+        return {
+            id: payload.sub,
+            email: payload.email,
+            name: userMetadata?.full_name || userMetadata?.name,
+            picture: userMetadata?.avatar_url,
+            emailVerified: payload.email_confirmed || false,
+            roles: role ? [role] : appMetadata?.roles || [],
+            permissions: appMetadata?.permissions || [],
+            metadata: userMetadata,
+        };
+    }
+    /**
+     * Convert Supabase user to AuthUser
+     */
+    supabaseUserToAuthUser(userData) {
+        const appMetadata = userData.app_metadata;
+        const userMetadata = userData.user_metadata;
+        return {
+            id: userData.id,
+            email: userData.email,
+            name: userMetadata?.full_name || userMetadata?.name,
+            picture: userMetadata?.avatar_url,
+            emailVerified: !!userData.email_confirmed_at,
+            roles: appMetadata?.roles || [],
+            permissions: appMetadata?.permissions || [],
+            createdAt: userData.created_at
+                ? new Date(userData.created_at)
+                : undefined,
+            lastLoginAt: userData.last_sign_in_at
+                ? new Date(userData.last_sign_in_at)
+                : undefined,
+            metadata: userMetadata,
+        };
+    }
+    /**
+     * Get user by ID via Supabase Admin API
+     * Requires service role key
+     */
+    async getUser(userId) {
+        if (!this.serviceRoleKey) {
+            logger.warn("Service role key required for user lookup");
+            return null;
+        }
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`${this.supabaseUrl}/auth/v1/admin/users/${userId}`, {
+                headers: {
+                    Authorization: `Bearer ${this.serviceRoleKey}`,
+                    apikey: this.anonKey,
+                },
+            });
+            if (!response.ok) {
+                if (response.status === 404) {
+                    return null;
+                }
+                throw AuthError.create("PROVIDER_ERROR", `Supabase API returned ${response.status}`, { details: { statusCode: response.status } });
+            }
+            const userData = (await response.json());
+            return this.supabaseUserToAuthUser(userData);
+        }
+        catch (error) {
+            logger.error("Failed to fetch Supabase user:", error);
+            if (error &&
+                typeof error === "object" &&
+                "code" in error &&
+                typeof error.code === "string") {
+                throw error;
+            }
+            return null;
+        }
+    }
+    /**
+     * Get user by email via Supabase Admin API
+     * Requires service role key
+     */
+    async getUserByEmail(email) {
+        if (!this.serviceRoleKey) {
+            logger.warn("Service role key required for user lookup by email");
+            return null;
+        }
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`${this.supabaseUrl}/auth/v1/admin/users?email=${encodeURIComponent(email)}`, {
+                headers: {
+                    Authorization: `Bearer ${this.serviceRoleKey}`,
+                    apikey: this.anonKey,
+                },
+            });
+            if (!response.ok) {
+                throw AuthError.create("PROVIDER_ERROR", `Supabase API returned ${response.status}`, { details: { statusCode: response.status } });
+            }
+            const result = (await response.json());
+            const users = result.users || [];
+            if (users.length === 0) {
+                return null;
+            }
+            return this.supabaseUserToAuthUser(users[0]);
+        }
+        catch (error) {
+            logger.error("Failed to fetch Supabase user by email:", error);
+            if (error &&
+                typeof error === "object" &&
+                "code" in error &&
+                typeof error.code === "string") {
+                throw error;
+            }
+            return null;
+        }
+    }
+    /**
+     * Health check
+     */
+    async healthCheck() {
+        try {
+            const proxyFetch = createProxyFetch();
+            const response = await proxyFetch(`${this.supabaseUrl}/auth/v1/health`, {
+                headers: {
+                    apikey: this.anonKey,
+                },
+            });
+            return {
+                healthy: response.ok,
+                providerConnected: response.ok,
+                sessionStorageHealthy: true,
+            };
+        }
+        catch (error) {
+            return {
+                healthy: false,
+                providerConnected: false,
+                sessionStorageHealthy: true,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+}
+//# sourceMappingURL=supabase.js.map

package/dist/lib/auth/providers/workos.d.ts

@@ -0,0 +1,61 @@
+import type { AuthProviderConfig, WorkOSConfig, AuthUser, TokenValidationResult, AuthRequestContext, AuthHealthCheck } from "../../types/authTypes.js";
+import { BaseAuthProvider } from "./BaseAuthProvider.js";
+/**
+ * WorkOS Authentication Provider
+ *
+ * Supports WorkOS for enterprise SSO and user management.
+ * Validates JWTs issued by WorkOS and fetches user information.
+ *
+ * Features:
+ * - JWT validation using WorkOS JWKS
+ * - SSO token validation
+ * - Enterprise directory integration
+ * - Organization support for multi-tenant apps
+ * - Session management (inherited from BaseAuthProvider)
+ *
+ * @example
+ * ```typescript
+ * const workos = new WorkOSProvider({
+ *   type: "workos",
+ *   apiKey: "sk_...",
+ *   clientId: "client_..."
+ * });
+ *
+ * const result = await workos.authenticateToken(accessToken);
+ * if (result.valid) {
+ *   console.log("Authenticated user:", result.user);
+ * }
+ * ```
+ */
+export declare class WorkOSProvider extends BaseAuthProvider {
+    readonly type: "workos";
+    private apiKey;
+    private clientId;
+    private organizationId?;
+    private jwks;
+    constructor(config: AuthProviderConfig & WorkOSConfig);
+    /**
+     * Initialize JWKS for WorkOS token verification
+     */
+    initialize(): Promise<void>;
+    /**
+     * Validate WorkOS access token
+     */
+    authenticateToken(token: string, _context?: AuthRequestContext): Promise<TokenValidationResult>;
+    /**
+     * Validate session via WorkOS API
+     */
+    private validateSessionViaAPI;
+    /**
+     * Get user by ID via WorkOS API
+     */
+    getUser(userId: string): Promise<AuthUser | null>;
+    /**
+     * Get user by email via WorkOS API
+     */
+    getUserByEmail(email: string): Promise<AuthUser | null>;
+    /**
+     * Health check
+     */
+    healthCheck(): Promise<AuthHealthCheck>;
+}