@keycardai/oauth 0.2.0 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +91 -4
- package/dist/cjs/credentials.d.ts +22 -0
- package/dist/cjs/credentials.d.ts.map +1 -0
- package/dist/cjs/credentials.js +3 -0
- package/dist/cjs/credentials.js.map +1 -0
- package/dist/cjs/errors.d.ts +23 -0
- package/dist/cjs/errors.d.ts.map +1 -1
- package/dist/cjs/errors.js +42 -1
- package/dist/cjs/errors.js.map +1 -1
- package/dist/cjs/index.d.ts +7 -3
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js +10 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/jwt/substituteUser.d.ts +15 -0
- package/dist/cjs/jwt/substituteUser.d.ts.map +1 -0
- package/dist/cjs/jwt/substituteUser.js +29 -0
- package/dist/cjs/jwt/substituteUser.js.map +1 -0
- package/dist/cjs/jwt/verifier.d.ts +22 -1
- package/dist/cjs/jwt/verifier.d.ts.map +1 -1
- package/dist/cjs/jwt/verifier.js +101 -9
- package/dist/cjs/jwt/verifier.js.map +1 -1
- package/dist/cjs/keyring.d.ts +6 -0
- package/dist/cjs/keyring.d.ts.map +1 -1
- package/dist/cjs/keyring.js +11 -0
- package/dist/cjs/keyring.js.map +1 -1
- package/dist/cjs/server/accessContext.d.ts +26 -0
- package/dist/cjs/server/accessContext.d.ts.map +1 -0
- package/dist/cjs/server/accessContext.js +105 -0
- package/dist/cjs/server/accessContext.js.map +1 -0
- package/dist/cjs/server/accessToken.d.ts +8 -0
- package/dist/cjs/server/accessToken.d.ts.map +1 -0
- package/dist/cjs/server/accessToken.js +3 -0
- package/dist/cjs/server/accessToken.js.map +1 -0
- package/dist/cjs/server/clientSecret.d.ts +14 -0
- package/dist/cjs/server/clientSecret.d.ts.map +1 -0
- package/dist/cjs/server/clientSecret.js +76 -0
- package/dist/cjs/server/clientSecret.js.map +1 -0
- package/dist/cjs/server/index.d.ts +8 -0
- package/dist/cjs/server/index.d.ts.map +1 -0
- package/dist/cjs/server/index.js +10 -0
- package/dist/cjs/server/index.js.map +1 -0
- package/dist/cjs/server/tokenVerifier.d.ts +49 -0
- package/dist/cjs/server/tokenVerifier.d.ts.map +1 -0
- package/dist/cjs/server/tokenVerifier.js +118 -0
- package/dist/cjs/server/tokenVerifier.js.map +1 -0
- package/dist/cjs/tokenExchange.d.ts +27 -1
- package/dist/cjs/tokenExchange.d.ts.map +1 -1
- package/dist/cjs/tokenExchange.js +44 -6
- package/dist/cjs/tokenExchange.js.map +1 -1
- package/dist/esm/credentials.d.ts +22 -0
- package/dist/esm/credentials.d.ts.map +1 -0
- package/dist/esm/credentials.js +2 -0
- package/dist/esm/credentials.js.map +1 -0
- package/dist/esm/errors.d.ts +23 -0
- package/dist/esm/errors.d.ts.map +1 -1
- package/dist/esm/errors.js +39 -0
- package/dist/esm/errors.js.map +1 -1
- package/dist/esm/index.d.ts +7 -3
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js +4 -2
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/jwt/substituteUser.d.ts +15 -0
- package/dist/esm/jwt/substituteUser.d.ts.map +1 -0
- package/dist/esm/jwt/substituteUser.js +26 -0
- package/dist/esm/jwt/substituteUser.js.map +1 -0
- package/dist/esm/jwt/verifier.d.ts +22 -1
- package/dist/esm/jwt/verifier.d.ts.map +1 -1
- package/dist/esm/jwt/verifier.js +101 -9
- package/dist/esm/jwt/verifier.js.map +1 -1
- package/dist/esm/keyring.d.ts +6 -0
- package/dist/esm/keyring.d.ts.map +1 -1
- package/dist/esm/keyring.js +11 -0
- package/dist/esm/keyring.js.map +1 -1
- package/dist/esm/server/accessContext.d.ts +26 -0
- package/dist/esm/server/accessContext.d.ts.map +1 -0
- package/dist/esm/server/accessContext.js +101 -0
- package/dist/esm/server/accessContext.js.map +1 -0
- package/dist/esm/server/accessToken.d.ts +8 -0
- package/dist/esm/server/accessToken.d.ts.map +1 -0
- package/dist/esm/server/accessToken.js +2 -0
- package/dist/esm/server/accessToken.js.map +1 -0
- package/dist/esm/server/clientSecret.d.ts +14 -0
- package/dist/esm/server/clientSecret.d.ts.map +1 -0
- package/dist/esm/server/clientSecret.js +72 -0
- package/dist/esm/server/clientSecret.js.map +1 -0
- package/dist/esm/server/index.d.ts +8 -0
- package/dist/esm/server/index.d.ts.map +1 -0
- package/dist/esm/server/index.js +4 -0
- package/dist/esm/server/index.js.map +1 -0
- package/dist/esm/server/tokenVerifier.d.ts +49 -0
- package/dist/esm/server/tokenVerifier.d.ts.map +1 -0
- package/dist/esm/server/tokenVerifier.js +114 -0
- package/dist/esm/server/tokenVerifier.js.map +1 -0
- package/dist/esm/tokenExchange.d.ts +27 -1
- package/dist/esm/tokenExchange.d.ts.map +1 -1
- package/dist/esm/tokenExchange.js +43 -5
- package/dist/esm/tokenExchange.js.map +1 -1
- package/package.json +37 -2
package/dist/cjs/keyring.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,6BAAwB;AACxB,iDAAkE;AAyBlE,MAAM,SAAS,GAAG,OAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAa,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;CAsHF;
|
|
1
|
+
{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,6BAAwB;AACxB,iDAAkE;AAyBlE,MAAM,SAAS,GAAG,OAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAa,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACH,KAAK;QACH,uBAAA,IAAI,kCAAU,CAAC,KAAK,EAAE,CAAC;QACvB,uBAAA,IAAI,qCAAa,CAAC,KAAK,EAAE,CAAC;QAC1B,uBAAA,IAAI,wCAAgB,CAAC,KAAK,EAAE,CAAC;QAC7B,uBAAA,IAAI,2CAAmB,CAAC,KAAK,EAAE,CAAC;IAClC,CAAC;CAsHF;AApKD,4CAoKC;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
import type { TokenResponse } from "../tokenExchange.js";
|
|
2
|
+
import { type ErrorDetail } from "../errors.js";
|
|
3
|
+
export type { ErrorDetail } from "../errors.js";
|
|
4
|
+
export type AccessContextStatus = "success" | "partial_error" | "error";
|
|
5
|
+
export declare class AccessContext {
|
|
6
|
+
#private;
|
|
7
|
+
constructor(accessTokens?: Record<string, TokenResponse>);
|
|
8
|
+
setToken(resource: string, token: TokenResponse): void;
|
|
9
|
+
setBulkTokens(tokens: Record<string, TokenResponse>): void;
|
|
10
|
+
setResourceError(resource: string, error: ErrorDetail): void;
|
|
11
|
+
setError(error: ErrorDetail): void;
|
|
12
|
+
access(resource: string): TokenResponse;
|
|
13
|
+
hasError(): boolean;
|
|
14
|
+
hasResourceError(resource: string): boolean;
|
|
15
|
+
hasErrors(): boolean;
|
|
16
|
+
getError(): ErrorDetail | null;
|
|
17
|
+
getResourceError(resource: string): ErrorDetail | null;
|
|
18
|
+
getErrors(): {
|
|
19
|
+
resources: Record<string, ErrorDetail>;
|
|
20
|
+
error: ErrorDetail | null;
|
|
21
|
+
};
|
|
22
|
+
getStatus(): AccessContextStatus;
|
|
23
|
+
getSuccessfulResources(): string[];
|
|
24
|
+
getFailedResources(): string[];
|
|
25
|
+
}
|
|
26
|
+
//# sourceMappingURL=accessContext.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"accessContext.d.ts","sourceRoot":"","sources":["../../../src/server/accessContext.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAuB,KAAK,WAAW,EAAE,MAAM,cAAc,CAAC;AAErE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,MAAM,mBAAmB,GAAG,SAAS,GAAG,eAAe,GAAG,OAAO,CAAC;AAExE,qBAAa,aAAa;;gBAKZ,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC;IAMxD,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,GAAG,IAAI;IAKtD,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,GAAG,IAAI;IAM1D,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,IAAI;IAK5D,QAAQ,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI;IAIlC,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa;IA2BvC,QAAQ,IAAI,OAAO;IAInB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAI3C,SAAS,IAAI,OAAO;IAIpB,QAAQ,IAAI,WAAW,GAAG,IAAI;IAI9B,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI;IAItD,SAAS,IAAI;QAAE,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAAC,KAAK,EAAE,WAAW,GAAG,IAAI,CAAA;KAAE;IAOlF,SAAS,IAAI,mBAAmB;IAMhC,sBAAsB,IAAI,MAAM,EAAE;IAIlC,kBAAkB,IAAI,MAAM,EAAE;CAG/B"}
|
|
@@ -0,0 +1,105 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
|
|
3
|
+
if (kind === "m") throw new TypeError("Private method is not writable");
|
|
4
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
|
|
5
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
|
|
6
|
+
return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
|
|
7
|
+
};
|
|
8
|
+
var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
|
|
9
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
|
|
10
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
|
|
11
|
+
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
|
|
12
|
+
};
|
|
13
|
+
var _AccessContext_accessTokens, _AccessContext_resourceErrors, _AccessContext_error;
|
|
14
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
|
+
exports.AccessContext = void 0;
|
|
16
|
+
const errors_js_1 = require("../errors.js");
|
|
17
|
+
class AccessContext {
|
|
18
|
+
constructor(accessTokens) {
|
|
19
|
+
_AccessContext_accessTokens.set(this, void 0);
|
|
20
|
+
_AccessContext_resourceErrors.set(this, void 0);
|
|
21
|
+
_AccessContext_error.set(this, void 0);
|
|
22
|
+
__classPrivateFieldSet(this, _AccessContext_accessTokens, new Map(accessTokens ? Object.entries(accessTokens) : []), "f");
|
|
23
|
+
__classPrivateFieldSet(this, _AccessContext_resourceErrors, new Map(), "f");
|
|
24
|
+
__classPrivateFieldSet(this, _AccessContext_error, null, "f");
|
|
25
|
+
}
|
|
26
|
+
setToken(resource, token) {
|
|
27
|
+
__classPrivateFieldGet(this, _AccessContext_accessTokens, "f").set(resource, token);
|
|
28
|
+
__classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").delete(resource);
|
|
29
|
+
}
|
|
30
|
+
setBulkTokens(tokens) {
|
|
31
|
+
for (const [resource, token] of Object.entries(tokens)) {
|
|
32
|
+
__classPrivateFieldGet(this, _AccessContext_accessTokens, "f").set(resource, token);
|
|
33
|
+
}
|
|
34
|
+
}
|
|
35
|
+
setResourceError(resource, error) {
|
|
36
|
+
__classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").set(resource, error);
|
|
37
|
+
__classPrivateFieldGet(this, _AccessContext_accessTokens, "f").delete(resource);
|
|
38
|
+
}
|
|
39
|
+
setError(error) {
|
|
40
|
+
__classPrivateFieldSet(this, _AccessContext_error, error, "f");
|
|
41
|
+
}
|
|
42
|
+
access(resource) {
|
|
43
|
+
if (__classPrivateFieldGet(this, _AccessContext_error, "f")) {
|
|
44
|
+
throw new errors_js_1.ResourceAccessError(undefined, {
|
|
45
|
+
resource,
|
|
46
|
+
errorType: "global_error",
|
|
47
|
+
errorDetails: __classPrivateFieldGet(this, _AccessContext_error, "f"),
|
|
48
|
+
});
|
|
49
|
+
}
|
|
50
|
+
const resourceError = __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").get(resource);
|
|
51
|
+
if (resourceError) {
|
|
52
|
+
throw new errors_js_1.ResourceAccessError(undefined, {
|
|
53
|
+
resource,
|
|
54
|
+
errorType: "resource_error",
|
|
55
|
+
errorDetails: resourceError,
|
|
56
|
+
});
|
|
57
|
+
}
|
|
58
|
+
const token = __classPrivateFieldGet(this, _AccessContext_accessTokens, "f").get(resource);
|
|
59
|
+
if (!token) {
|
|
60
|
+
throw new errors_js_1.ResourceAccessError(undefined, {
|
|
61
|
+
resource,
|
|
62
|
+
errorType: "missing_token",
|
|
63
|
+
availableResources: [...__classPrivateFieldGet(this, _AccessContext_accessTokens, "f").keys()],
|
|
64
|
+
});
|
|
65
|
+
}
|
|
66
|
+
return token;
|
|
67
|
+
}
|
|
68
|
+
hasError() {
|
|
69
|
+
return __classPrivateFieldGet(this, _AccessContext_error, "f") !== null;
|
|
70
|
+
}
|
|
71
|
+
hasResourceError(resource) {
|
|
72
|
+
return __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").has(resource);
|
|
73
|
+
}
|
|
74
|
+
hasErrors() {
|
|
75
|
+
return this.hasError() || __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").size > 0;
|
|
76
|
+
}
|
|
77
|
+
getError() {
|
|
78
|
+
return __classPrivateFieldGet(this, _AccessContext_error, "f");
|
|
79
|
+
}
|
|
80
|
+
getResourceError(resource) {
|
|
81
|
+
return __classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").get(resource) ?? null;
|
|
82
|
+
}
|
|
83
|
+
getErrors() {
|
|
84
|
+
return {
|
|
85
|
+
resources: Object.fromEntries(__classPrivateFieldGet(this, _AccessContext_resourceErrors, "f")),
|
|
86
|
+
error: __classPrivateFieldGet(this, _AccessContext_error, "f"),
|
|
87
|
+
};
|
|
88
|
+
}
|
|
89
|
+
getStatus() {
|
|
90
|
+
if (__classPrivateFieldGet(this, _AccessContext_error, "f"))
|
|
91
|
+
return "error";
|
|
92
|
+
if (__classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").size > 0)
|
|
93
|
+
return "partial_error";
|
|
94
|
+
return "success";
|
|
95
|
+
}
|
|
96
|
+
getSuccessfulResources() {
|
|
97
|
+
return Array.from(__classPrivateFieldGet(this, _AccessContext_accessTokens, "f").keys());
|
|
98
|
+
}
|
|
99
|
+
getFailedResources() {
|
|
100
|
+
return Array.from(__classPrivateFieldGet(this, _AccessContext_resourceErrors, "f").keys());
|
|
101
|
+
}
|
|
102
|
+
}
|
|
103
|
+
exports.AccessContext = AccessContext;
|
|
104
|
+
_AccessContext_accessTokens = new WeakMap(), _AccessContext_resourceErrors = new WeakMap(), _AccessContext_error = new WeakMap();
|
|
105
|
+
//# sourceMappingURL=accessContext.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"accessContext.js","sourceRoot":"","sources":["../../../src/server/accessContext.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AACA,4CAAqE;AAMrE,MAAa,aAAa;IAKxB,YAAY,YAA4C;QAJxD,8CAA0C;QAC1C,gDAA0C;QAC1C,uCAA2B;QAGzB,uBAAA,IAAI,+BAAiB,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,MAAA,CAAC;QAC/E,uBAAA,IAAI,iCAAmB,IAAI,GAAG,EAAE,MAAA,CAAC;QACjC,uBAAA,IAAI,wBAAU,IAAI,MAAA,CAAC;IACrB,CAAC;IAED,QAAQ,CAAC,QAAgB,EAAE,KAAoB;QAC7C,uBAAA,IAAI,mCAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACxC,uBAAA,IAAI,qCAAgB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC;IAED,aAAa,CAAC,MAAqC;QACjD,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACvD,uBAAA,IAAI,mCAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,gBAAgB,CAAC,QAAgB,EAAE,KAAkB;QACnD,uBAAA,IAAI,qCAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC1C,uBAAA,IAAI,mCAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAED,QAAQ,CAAC,KAAkB;QACzB,uBAAA,IAAI,wBAAU,KAAK,MAAA,CAAC;IACtB,CAAC;IAED,MAAM,CAAC,QAAgB;QACrB,IAAI,uBAAA,IAAI,4BAAO,EAAE,CAAC;YAChB,MAAM,IAAI,+BAAmB,CAAC,SAAS,EAAE;gBACvC,QAAQ;gBACR,SAAS,EAAE,cAAc;gBACzB,YAAY,EAAE,uBAAA,IAAI,4BAAO;aAC1B,CAAC,CAAC;QACL,CAAC;QACD,MAAM,aAAa,GAAG,uBAAA,IAAI,qCAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzD,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,IAAI,+BAAmB,CAAC,SAAS,EAAE;gBACvC,QAAQ;gBACR,SAAS,EAAE,gBAAgB;gBAC3B,YAAY,EAAE,aAAa;aAC5B,CAAC,CAAC;QACL,CAAC;QACD,MAAM,KAAK,GAAG,uBAAA,IAAI,mCAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,+BAAmB,CAAC,SAAS,EAAE;gBACvC,QAAQ;gBACR,SAAS,EAAE,eAAe;gBAC1B,kBAAkB,EAAE,CAAC,GAAG,uBAAA,IAAI,mCAAc,CAAC,IAAI,EAAE,CAAC;aACnD,CAAC,CAAC;QACL,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,QAAQ;QACN,OAAO,uBAAA,IAAI,4BAAO,KAAK,IAAI,CAAC;IAC9B,CAAC;IAED,gBAAgB,CAAC,QAAgB;QAC/B,OAAO,uBAAA,IAAI,qCAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,QAAQ,EAAE,IAAI,uBAAA,IAAI,qCAAgB,CAAC,IAAI,GAAG,CAAC,CAAC;IAC1D,CAAC;IAED,QAAQ;QACN,OAAO,uBAAA,IAAI,4BAAO,CAAC;IACrB,CAAC;IAED,gBAAgB,CAAC,QAAgB;QAC/B,OAAO,uBAAA,IAAI,qCAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;IACpD,CAAC;IAED,SAAS;QACP,OAAO;YACL,SAAS,EAAE,MAAM,CAAC,WAAW,CAAC,uBAAA,IAAI,qCAAgB,CAAC;YACnD,KAAK,EAAE,uBAAA,IAAI,4BAAO;SACnB,CAAC;IACJ,CAAC;IAED,SAAS;QACP,IAAI,uBAAA,IAAI,4BAAO;YAAE,OAAO,OAAO,CAAC;QAChC,IAAI,uBAAA,IAAI,qCAAgB,CAAC,IAAI,GAAG,CAAC;YAAE,OAAO,eAAe,CAAC;QAC1D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,sBAAsB;QACpB,OAAO,KAAK,CAAC,IAAI,CAAC,uBAAA,IAAI,mCAAc,CAAC,IAAI,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,kBAAkB;QAChB,OAAO,KAAK,CAAC,IAAI,CAAC,uBAAA,IAAI,qCAAgB,CAAC,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;CACF;AAlGD,sCAkGC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"accessToken.d.ts","sourceRoot":"","sources":["../../../src/server/accessToken.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"accessToken.js","sourceRoot":"","sources":["../../../src/server/accessToken.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
import type { ApplicationCredential } from "../credentials.js";
|
|
2
|
+
import type { TokenExchangeRequest } from "../tokenExchange.js";
|
|
3
|
+
export type ClientSecretCredentials = [clientId: string, clientSecret: string] | Record<string, [clientId: string, clientSecret: string]>;
|
|
4
|
+
export declare class ClientSecret implements ApplicationCredential {
|
|
5
|
+
#private;
|
|
6
|
+
constructor(clientId: string, clientSecret: string);
|
|
7
|
+
constructor(credentials: ClientSecretCredentials);
|
|
8
|
+
getAuth(zoneId?: string): {
|
|
9
|
+
clientId: string;
|
|
10
|
+
clientSecret: string;
|
|
11
|
+
} | null;
|
|
12
|
+
prepareTokenExchangeRequest(subjectToken: string, resource: string): Promise<TokenExchangeRequest>;
|
|
13
|
+
}
|
|
14
|
+
//# sourceMappingURL=clientSecret.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"clientSecret.d.ts","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAKhE,MAAM,MAAM,uBAAuB,GAC/B,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,GACxC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;AAE7D,qBAAa,YAAa,YAAW,qBAAqB;;gBAI5C,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM;gBACtC,WAAW,EAAE,uBAAuB;IA2ChD,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAYrE,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC;CAOjC"}
|
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
|
|
3
|
+
if (kind === "m") throw new TypeError("Private method is not writable");
|
|
4
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
|
|
5
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
|
|
6
|
+
return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
|
|
7
|
+
};
|
|
8
|
+
var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
|
|
9
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
|
|
10
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
|
|
11
|
+
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
|
|
12
|
+
};
|
|
13
|
+
var _ClientSecret_zoneCredentials, _ClientSecret_isMultiZone;
|
|
14
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
|
+
exports.ClientSecret = void 0;
|
|
16
|
+
const ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
|
|
17
|
+
const DEFAULT_ZONE = "__default__";
|
|
18
|
+
class ClientSecret {
|
|
19
|
+
constructor(arg1, arg2) {
|
|
20
|
+
_ClientSecret_zoneCredentials.set(this, void 0);
|
|
21
|
+
_ClientSecret_isMultiZone.set(this, void 0);
|
|
22
|
+
__classPrivateFieldSet(this, _ClientSecret_zoneCredentials, new Map(), "f");
|
|
23
|
+
if (typeof arg1 === "string") {
|
|
24
|
+
if (typeof arg2 !== "string") {
|
|
25
|
+
throw new TypeError("ClientSecret: client_secret is required when client_id is provided as a string");
|
|
26
|
+
}
|
|
27
|
+
__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(DEFAULT_ZONE, [arg1, arg2]);
|
|
28
|
+
__classPrivateFieldSet(this, _ClientSecret_isMultiZone, false, "f");
|
|
29
|
+
return;
|
|
30
|
+
}
|
|
31
|
+
if (Array.isArray(arg1)) {
|
|
32
|
+
const [clientId, clientSecret] = arg1;
|
|
33
|
+
if (typeof clientId !== "string" || typeof clientSecret !== "string") {
|
|
34
|
+
throw new TypeError("ClientSecret: tuple must be [clientId, clientSecret]");
|
|
35
|
+
}
|
|
36
|
+
__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(DEFAULT_ZONE, [clientId, clientSecret]);
|
|
37
|
+
__classPrivateFieldSet(this, _ClientSecret_isMultiZone, false, "f");
|
|
38
|
+
return;
|
|
39
|
+
}
|
|
40
|
+
if (arg1 && typeof arg1 === "object") {
|
|
41
|
+
for (const [zoneId, tuple] of Object.entries(arg1)) {
|
|
42
|
+
if (!Array.isArray(tuple) || typeof tuple[0] !== "string" || typeof tuple[1] !== "string") {
|
|
43
|
+
throw new TypeError(`ClientSecret: zone "${zoneId}" must map to [clientId, clientSecret]`);
|
|
44
|
+
}
|
|
45
|
+
__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(zoneId, [tuple[0], tuple[1]]);
|
|
46
|
+
}
|
|
47
|
+
if (__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").size === 0) {
|
|
48
|
+
throw new TypeError("ClientSecret: zone-keyed credentials must contain at least one zone");
|
|
49
|
+
}
|
|
50
|
+
__classPrivateFieldSet(this, _ClientSecret_isMultiZone, true, "f");
|
|
51
|
+
return;
|
|
52
|
+
}
|
|
53
|
+
throw new TypeError("ClientSecret: unsupported credentials shape");
|
|
54
|
+
}
|
|
55
|
+
getAuth(zoneId) {
|
|
56
|
+
if (!__classPrivateFieldGet(this, _ClientSecret_isMultiZone, "f")) {
|
|
57
|
+
const tuple = __classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").get(DEFAULT_ZONE);
|
|
58
|
+
return tuple ? { clientId: tuple[0], clientSecret: tuple[1] } : null;
|
|
59
|
+
}
|
|
60
|
+
if (!zoneId) {
|
|
61
|
+
return null;
|
|
62
|
+
}
|
|
63
|
+
const tuple = __classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").get(zoneId);
|
|
64
|
+
return tuple ? { clientId: tuple[0], clientSecret: tuple[1] } : null;
|
|
65
|
+
}
|
|
66
|
+
async prepareTokenExchangeRequest(subjectToken, resource) {
|
|
67
|
+
return {
|
|
68
|
+
subjectToken,
|
|
69
|
+
resource,
|
|
70
|
+
subjectTokenType: ACCESS_TOKEN_TYPE,
|
|
71
|
+
};
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
exports.ClientSecret = ClientSecret;
|
|
75
|
+
_ClientSecret_zoneCredentials = new WeakMap(), _ClientSecret_isMultiZone = new WeakMap();
|
|
76
|
+
//# sourceMappingURL=clientSecret.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"clientSecret.js","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAGA,MAAM,iBAAiB,GAAG,+CAA+C,CAAC;AAC1E,MAAM,YAAY,GAAG,aAAa,CAAC;AAMnC,MAAa,YAAY;IAMvB,YACE,IAAsC,EACtC,IAAa;QAPf,gDAAgD;QAChD,4CAAsB;QAQpB,uBAAA,IAAI,iCAAoB,IAAI,GAAG,EAAE,MAAA,CAAC;QAElC,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,MAAM,IAAI,SAAS,CAAC,gFAAgF,CAAC,CAAC;YACxG,CAAC;YACD,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;YACtD,uBAAA,IAAI,6BAAgB,KAAK,MAAA,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,QAAQ,EAAE,YAAY,CAAC,GAAG,IAAI,CAAC;YACtC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;gBACrE,MAAM,IAAI,SAAS,CAAC,sDAAsD,CAAC,CAAC;YAC9E,CAAC;YACD,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;YAClE,uBAAA,IAAI,6BAAgB,KAAK,MAAA,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrC,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;oBAC1F,MAAM,IAAI,SAAS,CAAC,uBAAuB,MAAM,wCAAwC,CAAC,CAAC;gBAC7F,CAAC;gBACD,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1D,CAAC;YACD,IAAI,uBAAA,IAAI,qCAAiB,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,SAAS,CAAC,qEAAqE,CAAC,CAAC;YAC7F,CAAC;YACD,uBAAA,IAAI,6BAAgB,IAAI,MAAA,CAAC;YACzB,OAAO;QACT,CAAC;QAED,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,CAAC,MAAe;QACrB,IAAI,CAAC,uBAAA,IAAI,iCAAa,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACtD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACvE,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,GAAG,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACvE,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB;QAEhB,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,iBAAiB;SACpC,CAAC;IACJ,CAAC;CACF;AAtED,oCAsEC"}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
export { AccessContext } from "./accessContext.js";
|
|
2
|
+
export type { ErrorDetail, AccessContextStatus } from "./accessContext.js";
|
|
3
|
+
export type { AccessToken } from "./accessToken.js";
|
|
4
|
+
export { TokenVerifier } from "./tokenVerifier.js";
|
|
5
|
+
export type { TokenVerifierOptions } from "./tokenVerifier.js";
|
|
6
|
+
export { ClientSecret } from "./clientSecret.js";
|
|
7
|
+
export type { ClientSecretCredentials } from "./clientSecret.js";
|
|
8
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC3E,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,YAAY,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.ClientSecret = exports.TokenVerifier = exports.AccessContext = void 0;
|
|
4
|
+
var accessContext_js_1 = require("./accessContext.js");
|
|
5
|
+
Object.defineProperty(exports, "AccessContext", { enumerable: true, get: function () { return accessContext_js_1.AccessContext; } });
|
|
6
|
+
var tokenVerifier_js_1 = require("./tokenVerifier.js");
|
|
7
|
+
Object.defineProperty(exports, "TokenVerifier", { enumerable: true, get: function () { return tokenVerifier_js_1.TokenVerifier; } });
|
|
8
|
+
var clientSecret_js_1 = require("./clientSecret.js");
|
|
9
|
+
Object.defineProperty(exports, "ClientSecret", { enumerable: true, get: function () { return clientSecret_js_1.ClientSecret; } });
|
|
10
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":";;;AAAA,uDAAmD;AAA1C,iHAAA,aAAa,OAAA;AAGtB,uDAAmD;AAA1C,iHAAA,aAAa,OAAA;AAEtB,qDAAiD;AAAxC,+GAAA,YAAY,OAAA"}
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
import { type OAuthKeyring } from "../keyring.js";
|
|
2
|
+
import type { AccessToken } from "./accessToken.js";
|
|
3
|
+
export interface TokenVerifierOptions {
|
|
4
|
+
/**
|
|
5
|
+
* Issuer URL for the Keycard zone, e.g. "https://zone-id.keycard.cloud" for
|
|
6
|
+
* single-zone deployments. With `enableMultiZone: true`, this is the base
|
|
7
|
+
* URL whose host gets prefixed with the per-request zoneId.
|
|
8
|
+
*/
|
|
9
|
+
issuer: string;
|
|
10
|
+
/**
|
|
11
|
+
* Required scopes. When set, every value must be present in the token's
|
|
12
|
+
* `scope` claim or verification returns null.
|
|
13
|
+
*/
|
|
14
|
+
requiredScopes?: readonly string[];
|
|
15
|
+
/**
|
|
16
|
+
* Allowed signing algorithms. Defaults to ["RS256"].
|
|
17
|
+
*/
|
|
18
|
+
allowedAlgorithms?: readonly string[];
|
|
19
|
+
/**
|
|
20
|
+
* When true, callers can supply a per-request zoneId via verifyTokenForZone.
|
|
21
|
+
* Each zone gets its own issuer URL and audience.
|
|
22
|
+
*/
|
|
23
|
+
enableMultiZone?: boolean;
|
|
24
|
+
/**
|
|
25
|
+
* Audience to validate against. A single string applies to every zone.
|
|
26
|
+
* A `Record<zoneId, audience>` selects the audience per zone; if a request
|
|
27
|
+
* arrives for a zoneId with no entry in the dict, verification fails closed
|
|
28
|
+
* (returns null) rather than silently dropping audience validation.
|
|
29
|
+
*/
|
|
30
|
+
audience?: string | Record<string, string>;
|
|
31
|
+
/**
|
|
32
|
+
* Custom keyring (e.g. for testing or shared caches). When omitted,
|
|
33
|
+
* a fresh JWKSOAuthKeyring is constructed.
|
|
34
|
+
*/
|
|
35
|
+
keyring?: OAuthKeyring;
|
|
36
|
+
}
|
|
37
|
+
export declare class TokenVerifier {
|
|
38
|
+
#private;
|
|
39
|
+
constructor(options: TokenVerifierOptions);
|
|
40
|
+
verifyToken(token: string): Promise<AccessToken | null>;
|
|
41
|
+
verifyTokenForZone(token: string, zoneId: string): Promise<AccessToken | null>;
|
|
42
|
+
/**
|
|
43
|
+
* Flushes JWKS keys and discovery results from the underlying keyring.
|
|
44
|
+
* Use after a global key rotation. No-op if the injected keyring does
|
|
45
|
+
* not expose a `clear()` method.
|
|
46
|
+
*/
|
|
47
|
+
clearCache(): void;
|
|
48
|
+
}
|
|
49
|
+
//# sourceMappingURL=tokenVerifier.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tokenVerifier.d.ts","sourceRoot":"","sources":["../../../src/server/tokenVerifier.ts"],"names":[],"mappings":"AACA,OAAO,EAAoB,KAAK,YAAY,EAAE,MAAM,eAAe,CAAC;AAEpE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAIpD,MAAM,WAAW,oBAAoB;IACnC;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC;;OAEG;IACH,iBAAiB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACtC;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3C;;;OAGG;IACH,OAAO,CAAC,EAAE,YAAY,CAAC;CACxB;AAED,qBAAa,aAAa;;gBAQZ,OAAO,EAAE,oBAAoB;IAYnC,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAIvD,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAOpF;;;;OAIG;IACH,UAAU,IAAI,IAAI;CA8CnB"}
|
|
@@ -0,0 +1,118 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
|
|
3
|
+
if (kind === "m") throw new TypeError("Private method is not writable");
|
|
4
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
|
|
5
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
|
|
6
|
+
return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
|
|
7
|
+
};
|
|
8
|
+
var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
|
|
9
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
|
|
10
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
|
|
11
|
+
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
|
|
12
|
+
};
|
|
13
|
+
var _TokenVerifier_instances, _TokenVerifier_issuer, _TokenVerifier_requiredScopes, _TokenVerifier_allowedAlgorithms, _TokenVerifier_enableMultiZone, _TokenVerifier_audience, _TokenVerifier_keyring, _TokenVerifier_verify, _TokenVerifier_scopesSatisfied;
|
|
14
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
|
+
exports.TokenVerifier = void 0;
|
|
16
|
+
const verifier_js_1 = require("../jwt/verifier.js");
|
|
17
|
+
const keyring_js_1 = require("../keyring.js");
|
|
18
|
+
const DEFAULT_ALLOWED_ALGORITHMS = ["RS256"];
|
|
19
|
+
class TokenVerifier {
|
|
20
|
+
constructor(options) {
|
|
21
|
+
_TokenVerifier_instances.add(this);
|
|
22
|
+
_TokenVerifier_issuer.set(this, void 0);
|
|
23
|
+
_TokenVerifier_requiredScopes.set(this, void 0);
|
|
24
|
+
_TokenVerifier_allowedAlgorithms.set(this, void 0);
|
|
25
|
+
_TokenVerifier_enableMultiZone.set(this, void 0);
|
|
26
|
+
_TokenVerifier_audience.set(this, void 0);
|
|
27
|
+
_TokenVerifier_keyring.set(this, void 0);
|
|
28
|
+
if (!options.issuer) {
|
|
29
|
+
throw new Error("TokenVerifier: issuer is required");
|
|
30
|
+
}
|
|
31
|
+
__classPrivateFieldSet(this, _TokenVerifier_issuer, options.issuer, "f");
|
|
32
|
+
__classPrivateFieldSet(this, _TokenVerifier_requiredScopes, options.requiredScopes ?? [], "f");
|
|
33
|
+
__classPrivateFieldSet(this, _TokenVerifier_allowedAlgorithms, options.allowedAlgorithms ?? DEFAULT_ALLOWED_ALGORITHMS, "f");
|
|
34
|
+
__classPrivateFieldSet(this, _TokenVerifier_enableMultiZone, options.enableMultiZone ?? false, "f");
|
|
35
|
+
__classPrivateFieldSet(this, _TokenVerifier_audience, options.audience, "f");
|
|
36
|
+
__classPrivateFieldSet(this, _TokenVerifier_keyring, options.keyring ?? new keyring_js_1.JWKSOAuthKeyring(), "f");
|
|
37
|
+
}
|
|
38
|
+
async verifyToken(token) {
|
|
39
|
+
return __classPrivateFieldGet(this, _TokenVerifier_instances, "m", _TokenVerifier_verify).call(this, token, undefined);
|
|
40
|
+
}
|
|
41
|
+
async verifyTokenForZone(token, zoneId) {
|
|
42
|
+
if (!zoneId) {
|
|
43
|
+
return null;
|
|
44
|
+
}
|
|
45
|
+
return __classPrivateFieldGet(this, _TokenVerifier_instances, "m", _TokenVerifier_verify).call(this, token, zoneId);
|
|
46
|
+
}
|
|
47
|
+
/**
|
|
48
|
+
* Flushes JWKS keys and discovery results from the underlying keyring.
|
|
49
|
+
* Use after a global key rotation. No-op if the injected keyring does
|
|
50
|
+
* not expose a `clear()` method.
|
|
51
|
+
*/
|
|
52
|
+
clearCache() {
|
|
53
|
+
const keyring = __classPrivateFieldGet(this, _TokenVerifier_keyring, "f");
|
|
54
|
+
keyring.clear?.();
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
exports.TokenVerifier = TokenVerifier;
|
|
58
|
+
_TokenVerifier_issuer = new WeakMap(), _TokenVerifier_requiredScopes = new WeakMap(), _TokenVerifier_allowedAlgorithms = new WeakMap(), _TokenVerifier_enableMultiZone = new WeakMap(), _TokenVerifier_audience = new WeakMap(), _TokenVerifier_keyring = new WeakMap(), _TokenVerifier_instances = new WeakSet(), _TokenVerifier_verify = async function _TokenVerifier_verify(token, zoneId) {
|
|
59
|
+
let audience;
|
|
60
|
+
if (typeof __classPrivateFieldGet(this, _TokenVerifier_audience, "f") === "string") {
|
|
61
|
+
audience = __classPrivateFieldGet(this, _TokenVerifier_audience, "f");
|
|
62
|
+
}
|
|
63
|
+
else if (__classPrivateFieldGet(this, _TokenVerifier_audience, "f") !== undefined) {
|
|
64
|
+
if (!zoneId || !Object.prototype.hasOwnProperty.call(__classPrivateFieldGet(this, _TokenVerifier_audience, "f"), zoneId)) {
|
|
65
|
+
return null;
|
|
66
|
+
}
|
|
67
|
+
audience = __classPrivateFieldGet(this, _TokenVerifier_audience, "f")[zoneId];
|
|
68
|
+
}
|
|
69
|
+
const issuer = __classPrivateFieldGet(this, _TokenVerifier_enableMultiZone, "f") && zoneId
|
|
70
|
+
? buildZoneScopedIssuer(__classPrivateFieldGet(this, _TokenVerifier_issuer, "f"), zoneId)
|
|
71
|
+
: __classPrivateFieldGet(this, _TokenVerifier_issuer, "f");
|
|
72
|
+
try {
|
|
73
|
+
const verifier = new verifier_js_1.JWTVerifier(__classPrivateFieldGet(this, _TokenVerifier_keyring, "f"), {
|
|
74
|
+
issuers: [issuer],
|
|
75
|
+
audiences: audience,
|
|
76
|
+
algorithms: __classPrivateFieldGet(this, _TokenVerifier_allowedAlgorithms, "f"),
|
|
77
|
+
});
|
|
78
|
+
const claims = await verifier.verify(token);
|
|
79
|
+
if (!__classPrivateFieldGet(this, _TokenVerifier_instances, "m", _TokenVerifier_scopesSatisfied).call(this, claims)) {
|
|
80
|
+
return null;
|
|
81
|
+
}
|
|
82
|
+
return toAccessToken(token, claims);
|
|
83
|
+
}
|
|
84
|
+
catch {
|
|
85
|
+
return null;
|
|
86
|
+
}
|
|
87
|
+
}, _TokenVerifier_scopesSatisfied = function _TokenVerifier_scopesSatisfied(claims) {
|
|
88
|
+
if (__classPrivateFieldGet(this, _TokenVerifier_requiredScopes, "f").length === 0) {
|
|
89
|
+
return true;
|
|
90
|
+
}
|
|
91
|
+
if (typeof claims.scope !== "string") {
|
|
92
|
+
return false;
|
|
93
|
+
}
|
|
94
|
+
const tokenScopes = new Set(claims.scope.split(" ").filter(Boolean));
|
|
95
|
+
return __classPrivateFieldGet(this, _TokenVerifier_requiredScopes, "f").every((s) => tokenScopes.has(s));
|
|
96
|
+
};
|
|
97
|
+
function toAccessToken(token, claims) {
|
|
98
|
+
const scopes = typeof claims.scope === "string"
|
|
99
|
+
? claims.scope.split(" ").filter(Boolean)
|
|
100
|
+
: [];
|
|
101
|
+
const resourceClaim = claims["resource"];
|
|
102
|
+
const resource = typeof resourceClaim === "string" ? resourceClaim : undefined;
|
|
103
|
+
const expiresAt = typeof claims.exp === "number" ? claims.exp : undefined;
|
|
104
|
+
// JWTVerifier validates client_id is present and a non-empty string before
|
|
105
|
+
// returning, so this assertion is load-bearing only at the type boundary.
|
|
106
|
+
return {
|
|
107
|
+
token,
|
|
108
|
+
clientId: claims.client_id,
|
|
109
|
+
scopes,
|
|
110
|
+
expiresAt,
|
|
111
|
+
resource,
|
|
112
|
+
};
|
|
113
|
+
}
|
|
114
|
+
function buildZoneScopedIssuer(baseIssuer, zoneId) {
|
|
115
|
+
const url = new URL(baseIssuer);
|
|
116
|
+
return `${url.protocol}//${zoneId}.${url.host}`;
|
|
117
|
+
}
|
|
118
|
+
//# sourceMappingURL=tokenVerifier.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tokenVerifier.js","sourceRoot":"","sources":["../../../src/server/tokenVerifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,oDAAiD;AACjD,8CAAoE;AAIpE,MAAM,0BAA0B,GAAG,CAAC,OAAO,CAAU,CAAC;AAqCtD,MAAa,aAAa;IAQxB,YAAY,OAA6B;;QAPzC,wCAAgB;QAChB,gDAAmC;QACnC,mDAAsC;QACtC,iDAA0B;QAC1B,0CAA4C;QAC5C,yCAAuB;QAGrB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,uBAAA,IAAI,yBAAW,OAAO,CAAC,MAAM,MAAA,CAAC;QAC9B,uBAAA,IAAI,iCAAmB,OAAO,CAAC,cAAc,IAAI,EAAE,MAAA,CAAC;QACpD,uBAAA,IAAI,oCAAsB,OAAO,CAAC,iBAAiB,IAAI,0BAA0B,MAAA,CAAC;QAClF,uBAAA,IAAI,kCAAoB,OAAO,CAAC,eAAe,IAAI,KAAK,MAAA,CAAC;QACzD,uBAAA,IAAI,2BAAa,OAAO,CAAC,QAAQ,MAAA,CAAC;QAClC,uBAAA,IAAI,0BAAY,OAAO,CAAC,OAAO,IAAI,IAAI,6BAAgB,EAAE,MAAA,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,OAAO,uBAAA,IAAI,uDAAQ,MAAZ,IAAI,EAAS,KAAK,EAAE,SAAS,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAa,EAAE,MAAc;QACpD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,uBAAA,IAAI,uDAAQ,MAAZ,IAAI,EAAS,KAAK,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IAED;;;;OAIG;IACH,UAAU;QACR,MAAM,OAAO,GAAG,uBAAA,IAAI,8BAAmC,CAAC;QACxD,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IACpB,CAAC;CA2CF;AAlFD,sCAkFC;2UAzCC,KAAK,gCAAS,KAAa,EAAE,MAA0B;IACrD,IAAI,QAA4B,CAAC;IACjC,IAAI,OAAO,uBAAA,IAAI,+BAAU,KAAK,QAAQ,EAAE,CAAC;QACvC,QAAQ,GAAG,uBAAA,IAAI,+BAAU,CAAC;IAC5B,CAAC;SAAM,IAAI,uBAAA,IAAI,+BAAU,KAAK,SAAS,EAAE,CAAC;QACxC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,uBAAA,IAAI,+BAAU,EAAE,MAAM,CAAC,EAAE,CAAC;YAC7E,OAAO,IAAI,CAAC;QACd,CAAC;QACD,QAAQ,GAAG,uBAAA,IAAI,+BAAU,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,MAAM,GAAG,uBAAA,IAAI,sCAAiB,IAAI,MAAM;QAC5C,CAAC,CAAC,qBAAqB,CAAC,uBAAA,IAAI,6BAAQ,EAAE,MAAM,CAAC;QAC7C,CAAC,CAAC,uBAAA,IAAI,6BAAQ,CAAC;IAEjB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,yBAAW,CAAC,uBAAA,IAAI,8BAAS,EAAE;YAC9C,OAAO,EAAE,CAAC,MAAM,CAAC;YACjB,SAAS,EAAE,QAAQ;YACnB,UAAU,EAAE,uBAAA,IAAI,wCAAmB;SACpC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,CAAC,uBAAA,IAAI,gEAAiB,MAArB,IAAI,EAAkB,MAAM,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,2EAEgB,MAAiB;IAChC,IAAI,uBAAA,IAAI,qCAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IACrE,OAAO,uBAAA,IAAI,qCAAgB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/D,CAAC;AAGH,SAAS,aAAa,CAAC,KAAa,EAAE,MAAiB;IACrD,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ;QAC7C,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;QACzC,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,OAAO,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/E,MAAM,SAAS,GAAG,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAC1E,2EAA2E;IAC3E,0EAA0E;IAC1E,OAAO;QACL,KAAK;QACL,QAAQ,EAAE,MAAM,CAAC,SAAmB;QACpC,MAAM;QACN,SAAS;QACT,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,UAAkB,EAAE,MAAc;IAC/D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IAChC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;AAClD,CAAC"}
|
|
@@ -1,3 +1,13 @@
|
|
|
1
|
+
import type { ApplicationCredential } from "./credentials.js";
|
|
2
|
+
export declare const TokenType: {
|
|
3
|
+
readonly ACCESS_TOKEN: "urn:ietf:params:oauth:token-type:access_token";
|
|
4
|
+
/**
|
|
5
|
+
* Vendor URN for substitute-user (impersonation) subject tokens.
|
|
6
|
+
* Recognized by the Keycard authorization server; not registered with IANA.
|
|
7
|
+
*/
|
|
8
|
+
readonly SUBSTITUTE_USER: "urn:keycard:params:oauth:token-type:substitute-user";
|
|
9
|
+
};
|
|
10
|
+
export type TokenType = (typeof TokenType)[keyof typeof TokenType];
|
|
1
11
|
export interface TokenExchangeRequest {
|
|
2
12
|
grantType?: string;
|
|
3
13
|
resource?: string;
|
|
@@ -22,10 +32,26 @@ export interface TokenResponse {
|
|
|
22
32
|
export interface TokenExchangeClientOptions {
|
|
23
33
|
clientId?: string;
|
|
24
34
|
clientSecret?: string;
|
|
35
|
+
/**
|
|
36
|
+
* Application credential provider. When set, takes precedence over
|
|
37
|
+
* static `clientId`/`clientSecret` and resolves the per-request
|
|
38
|
+
* Authorization header from the credential's `getAuth(zoneId)`.
|
|
39
|
+
*/
|
|
40
|
+
credential?: ApplicationCredential;
|
|
41
|
+
}
|
|
42
|
+
export interface ExchangeOptions {
|
|
43
|
+
zoneId?: string;
|
|
44
|
+
}
|
|
45
|
+
export interface ImpersonateRequest {
|
|
46
|
+
userIdentifier: string;
|
|
47
|
+
resource: string;
|
|
48
|
+
scope?: string;
|
|
49
|
+
zoneId?: string;
|
|
25
50
|
}
|
|
26
51
|
export declare class TokenExchangeClient {
|
|
27
52
|
#private;
|
|
28
53
|
constructor(issuerUrl: string, options?: TokenExchangeClientOptions);
|
|
29
|
-
exchangeToken(request: TokenExchangeRequest): Promise<TokenResponse>;
|
|
54
|
+
exchangeToken(request: TokenExchangeRequest, options?: ExchangeOptions): Promise<TokenResponse>;
|
|
55
|
+
impersonate(req: ImpersonateRequest): Promise<TokenResponse>;
|
|
30
56
|
}
|
|
31
57
|
//# sourceMappingURL=tokenExchange.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAO9D,eAAO,MAAM,SAAS;;IAEpB;;;OAGG;;CAEK,CAAC;AACX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,SAAS,CAAC,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAEnE,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAkDD,qBAAa,mBAAmB;;gBAQlB,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;IAO7D,aAAa,CACjB,OAAO,EAAE,oBAAoB,EAC7B,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,aAAa,CAAC;IA8CnB,WAAW,CAAC,GAAG,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;CAkDnE"}
|