@keycardai/oauth 0.3.0 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +84 -2
- package/dist/cjs/credentials.d.ts +5 -1
- package/dist/cjs/credentials.d.ts.map +1 -1
- package/dist/cjs/errors.d.ts +23 -0
- package/dist/cjs/errors.d.ts.map +1 -1
- package/dist/cjs/errors.js +42 -1
- package/dist/cjs/errors.js.map +1 -1
- package/dist/cjs/index.d.ts +6 -3
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js +10 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/jwt/substituteUser.d.ts +15 -0
- package/dist/cjs/jwt/substituteUser.d.ts.map +1 -0
- package/dist/cjs/jwt/substituteUser.js +29 -0
- package/dist/cjs/jwt/substituteUser.js.map +1 -0
- package/dist/cjs/keyring.d.ts +6 -0
- package/dist/cjs/keyring.d.ts.map +1 -1
- package/dist/cjs/keyring.js +11 -0
- package/dist/cjs/keyring.js.map +1 -1
- package/dist/cjs/server/accessContext.d.ts +26 -0
- package/dist/cjs/server/accessContext.d.ts.map +1 -0
- package/dist/cjs/server/accessContext.js +105 -0
- package/dist/cjs/server/accessContext.js.map +1 -0
- package/dist/cjs/server/accessToken.d.ts +8 -0
- package/dist/cjs/server/accessToken.d.ts.map +1 -0
- package/dist/cjs/server/accessToken.js +3 -0
- package/dist/cjs/server/accessToken.js.map +1 -0
- package/dist/cjs/server/clientSecret.d.ts +14 -0
- package/dist/cjs/server/clientSecret.d.ts.map +1 -0
- package/dist/cjs/server/clientSecret.js +76 -0
- package/dist/cjs/server/clientSecret.js.map +1 -0
- package/dist/cjs/server/index.d.ts +8 -0
- package/dist/cjs/server/index.d.ts.map +1 -0
- package/dist/cjs/server/index.js +10 -0
- package/dist/cjs/server/index.js.map +1 -0
- package/dist/cjs/server/tokenVerifier.d.ts +49 -0
- package/dist/cjs/server/tokenVerifier.d.ts.map +1 -0
- package/dist/cjs/server/tokenVerifier.js +118 -0
- package/dist/cjs/server/tokenVerifier.js.map +1 -0
- package/dist/cjs/tokenExchange.d.ts +27 -1
- package/dist/cjs/tokenExchange.d.ts.map +1 -1
- package/dist/cjs/tokenExchange.js +44 -6
- package/dist/cjs/tokenExchange.js.map +1 -1
- package/dist/esm/credentials.d.ts +5 -1
- package/dist/esm/credentials.d.ts.map +1 -1
- package/dist/esm/errors.d.ts +23 -0
- package/dist/esm/errors.d.ts.map +1 -1
- package/dist/esm/errors.js +39 -0
- package/dist/esm/errors.js.map +1 -1
- package/dist/esm/index.d.ts +6 -3
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js +4 -2
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/jwt/substituteUser.d.ts +15 -0
- package/dist/esm/jwt/substituteUser.d.ts.map +1 -0
- package/dist/esm/jwt/substituteUser.js +26 -0
- package/dist/esm/jwt/substituteUser.js.map +1 -0
- package/dist/esm/keyring.d.ts +6 -0
- package/dist/esm/keyring.d.ts.map +1 -1
- package/dist/esm/keyring.js +11 -0
- package/dist/esm/keyring.js.map +1 -1
- package/dist/esm/server/accessContext.d.ts +26 -0
- package/dist/esm/server/accessContext.d.ts.map +1 -0
- package/dist/esm/server/accessContext.js +101 -0
- package/dist/esm/server/accessContext.js.map +1 -0
- package/dist/esm/server/accessToken.d.ts +8 -0
- package/dist/esm/server/accessToken.d.ts.map +1 -0
- package/dist/esm/server/accessToken.js +2 -0
- package/dist/esm/server/accessToken.js.map +1 -0
- package/dist/esm/server/clientSecret.d.ts +14 -0
- package/dist/esm/server/clientSecret.d.ts.map +1 -0
- package/dist/esm/server/clientSecret.js +72 -0
- package/dist/esm/server/clientSecret.js.map +1 -0
- package/dist/esm/server/index.d.ts +8 -0
- package/dist/esm/server/index.d.ts.map +1 -0
- package/dist/esm/server/index.js +4 -0
- package/dist/esm/server/index.js.map +1 -0
- package/dist/esm/server/tokenVerifier.d.ts +49 -0
- package/dist/esm/server/tokenVerifier.d.ts.map +1 -0
- package/dist/esm/server/tokenVerifier.js +114 -0
- package/dist/esm/server/tokenVerifier.js.map +1 -0
- package/dist/esm/tokenExchange.d.ts +27 -1
- package/dist/esm/tokenExchange.d.ts.map +1 -1
- package/dist/esm/tokenExchange.js +43 -5
- package/dist/esm/tokenExchange.js.map +1 -1
- package/package.json +38 -2
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
|
|
3
|
+
if (kind === "m") throw new TypeError("Private method is not writable");
|
|
4
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
|
|
5
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
|
|
6
|
+
return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
|
|
7
|
+
};
|
|
8
|
+
var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
|
|
9
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
|
|
10
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
|
|
11
|
+
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
|
|
12
|
+
};
|
|
13
|
+
var _ClientSecret_zoneCredentials, _ClientSecret_isMultiZone;
|
|
14
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
|
+
exports.ClientSecret = void 0;
|
|
16
|
+
const ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
|
|
17
|
+
const DEFAULT_ZONE = "__default__";
|
|
18
|
+
class ClientSecret {
|
|
19
|
+
constructor(arg1, arg2) {
|
|
20
|
+
_ClientSecret_zoneCredentials.set(this, void 0);
|
|
21
|
+
_ClientSecret_isMultiZone.set(this, void 0);
|
|
22
|
+
__classPrivateFieldSet(this, _ClientSecret_zoneCredentials, new Map(), "f");
|
|
23
|
+
if (typeof arg1 === "string") {
|
|
24
|
+
if (typeof arg2 !== "string") {
|
|
25
|
+
throw new TypeError("ClientSecret: client_secret is required when client_id is provided as a string");
|
|
26
|
+
}
|
|
27
|
+
__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(DEFAULT_ZONE, [arg1, arg2]);
|
|
28
|
+
__classPrivateFieldSet(this, _ClientSecret_isMultiZone, false, "f");
|
|
29
|
+
return;
|
|
30
|
+
}
|
|
31
|
+
if (Array.isArray(arg1)) {
|
|
32
|
+
const [clientId, clientSecret] = arg1;
|
|
33
|
+
if (typeof clientId !== "string" || typeof clientSecret !== "string") {
|
|
34
|
+
throw new TypeError("ClientSecret: tuple must be [clientId, clientSecret]");
|
|
35
|
+
}
|
|
36
|
+
__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(DEFAULT_ZONE, [clientId, clientSecret]);
|
|
37
|
+
__classPrivateFieldSet(this, _ClientSecret_isMultiZone, false, "f");
|
|
38
|
+
return;
|
|
39
|
+
}
|
|
40
|
+
if (arg1 && typeof arg1 === "object") {
|
|
41
|
+
for (const [zoneId, tuple] of Object.entries(arg1)) {
|
|
42
|
+
if (!Array.isArray(tuple) || typeof tuple[0] !== "string" || typeof tuple[1] !== "string") {
|
|
43
|
+
throw new TypeError(`ClientSecret: zone "${zoneId}" must map to [clientId, clientSecret]`);
|
|
44
|
+
}
|
|
45
|
+
__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(zoneId, [tuple[0], tuple[1]]);
|
|
46
|
+
}
|
|
47
|
+
if (__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").size === 0) {
|
|
48
|
+
throw new TypeError("ClientSecret: zone-keyed credentials must contain at least one zone");
|
|
49
|
+
}
|
|
50
|
+
__classPrivateFieldSet(this, _ClientSecret_isMultiZone, true, "f");
|
|
51
|
+
return;
|
|
52
|
+
}
|
|
53
|
+
throw new TypeError("ClientSecret: unsupported credentials shape");
|
|
54
|
+
}
|
|
55
|
+
getAuth(zoneId) {
|
|
56
|
+
if (!__classPrivateFieldGet(this, _ClientSecret_isMultiZone, "f")) {
|
|
57
|
+
const tuple = __classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").get(DEFAULT_ZONE);
|
|
58
|
+
return tuple ? { clientId: tuple[0], clientSecret: tuple[1] } : null;
|
|
59
|
+
}
|
|
60
|
+
if (!zoneId) {
|
|
61
|
+
return null;
|
|
62
|
+
}
|
|
63
|
+
const tuple = __classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").get(zoneId);
|
|
64
|
+
return tuple ? { clientId: tuple[0], clientSecret: tuple[1] } : null;
|
|
65
|
+
}
|
|
66
|
+
async prepareTokenExchangeRequest(subjectToken, resource) {
|
|
67
|
+
return {
|
|
68
|
+
subjectToken,
|
|
69
|
+
resource,
|
|
70
|
+
subjectTokenType: ACCESS_TOKEN_TYPE,
|
|
71
|
+
};
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
exports.ClientSecret = ClientSecret;
|
|
75
|
+
_ClientSecret_zoneCredentials = new WeakMap(), _ClientSecret_isMultiZone = new WeakMap();
|
|
76
|
+
//# sourceMappingURL=clientSecret.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"clientSecret.js","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAGA,MAAM,iBAAiB,GAAG,+CAA+C,CAAC;AAC1E,MAAM,YAAY,GAAG,aAAa,CAAC;AAMnC,MAAa,YAAY;IAMvB,YACE,IAAsC,EACtC,IAAa;QAPf,gDAAgD;QAChD,4CAAsB;QAQpB,uBAAA,IAAI,iCAAoB,IAAI,GAAG,EAAE,MAAA,CAAC;QAElC,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,MAAM,IAAI,SAAS,CAAC,gFAAgF,CAAC,CAAC;YACxG,CAAC;YACD,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;YACtD,uBAAA,IAAI,6BAAgB,KAAK,MAAA,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,QAAQ,EAAE,YAAY,CAAC,GAAG,IAAI,CAAC;YACtC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;gBACrE,MAAM,IAAI,SAAS,CAAC,sDAAsD,CAAC,CAAC;YAC9E,CAAC;YACD,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;YAClE,uBAAA,IAAI,6BAAgB,KAAK,MAAA,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrC,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;oBAC1F,MAAM,IAAI,SAAS,CAAC,uBAAuB,MAAM,wCAAwC,CAAC,CAAC;gBAC7F,CAAC;gBACD,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1D,CAAC;YACD,IAAI,uBAAA,IAAI,qCAAiB,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,SAAS,CAAC,qEAAqE,CAAC,CAAC;YAC7F,CAAC;YACD,uBAAA,IAAI,6BAAgB,IAAI,MAAA,CAAC;YACzB,OAAO;QACT,CAAC;QAED,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,CAAC,MAAe;QACrB,IAAI,CAAC,uBAAA,IAAI,iCAAa,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACtD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACvE,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,GAAG,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACvE,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB;QAEhB,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,iBAAiB;SACpC,CAAC;IACJ,CAAC;CACF;AAtED,oCAsEC"}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
export { AccessContext } from "./accessContext.js";
|
|
2
|
+
export type { ErrorDetail, AccessContextStatus } from "./accessContext.js";
|
|
3
|
+
export type { AccessToken } from "./accessToken.js";
|
|
4
|
+
export { TokenVerifier } from "./tokenVerifier.js";
|
|
5
|
+
export type { TokenVerifierOptions } from "./tokenVerifier.js";
|
|
6
|
+
export { ClientSecret } from "./clientSecret.js";
|
|
7
|
+
export type { ClientSecretCredentials } from "./clientSecret.js";
|
|
8
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC3E,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,YAAY,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.ClientSecret = exports.TokenVerifier = exports.AccessContext = void 0;
|
|
4
|
+
var accessContext_js_1 = require("./accessContext.js");
|
|
5
|
+
Object.defineProperty(exports, "AccessContext", { enumerable: true, get: function () { return accessContext_js_1.AccessContext; } });
|
|
6
|
+
var tokenVerifier_js_1 = require("./tokenVerifier.js");
|
|
7
|
+
Object.defineProperty(exports, "TokenVerifier", { enumerable: true, get: function () { return tokenVerifier_js_1.TokenVerifier; } });
|
|
8
|
+
var clientSecret_js_1 = require("./clientSecret.js");
|
|
9
|
+
Object.defineProperty(exports, "ClientSecret", { enumerable: true, get: function () { return clientSecret_js_1.ClientSecret; } });
|
|
10
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":";;;AAAA,uDAAmD;AAA1C,iHAAA,aAAa,OAAA;AAGtB,uDAAmD;AAA1C,iHAAA,aAAa,OAAA;AAEtB,qDAAiD;AAAxC,+GAAA,YAAY,OAAA"}
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
import { type OAuthKeyring } from "../keyring.js";
|
|
2
|
+
import type { AccessToken } from "./accessToken.js";
|
|
3
|
+
export interface TokenVerifierOptions {
|
|
4
|
+
/**
|
|
5
|
+
* Issuer URL for the Keycard zone, e.g. "https://zone-id.keycard.cloud" for
|
|
6
|
+
* single-zone deployments. With `enableMultiZone: true`, this is the base
|
|
7
|
+
* URL whose host gets prefixed with the per-request zoneId.
|
|
8
|
+
*/
|
|
9
|
+
issuer: string;
|
|
10
|
+
/**
|
|
11
|
+
* Required scopes. When set, every value must be present in the token's
|
|
12
|
+
* `scope` claim or verification returns null.
|
|
13
|
+
*/
|
|
14
|
+
requiredScopes?: readonly string[];
|
|
15
|
+
/**
|
|
16
|
+
* Allowed signing algorithms. Defaults to ["RS256"].
|
|
17
|
+
*/
|
|
18
|
+
allowedAlgorithms?: readonly string[];
|
|
19
|
+
/**
|
|
20
|
+
* When true, callers can supply a per-request zoneId via verifyTokenForZone.
|
|
21
|
+
* Each zone gets its own issuer URL and audience.
|
|
22
|
+
*/
|
|
23
|
+
enableMultiZone?: boolean;
|
|
24
|
+
/**
|
|
25
|
+
* Audience to validate against. A single string applies to every zone.
|
|
26
|
+
* A `Record<zoneId, audience>` selects the audience per zone; if a request
|
|
27
|
+
* arrives for a zoneId with no entry in the dict, verification fails closed
|
|
28
|
+
* (returns null) rather than silently dropping audience validation.
|
|
29
|
+
*/
|
|
30
|
+
audience?: string | Record<string, string>;
|
|
31
|
+
/**
|
|
32
|
+
* Custom keyring (e.g. for testing or shared caches). When omitted,
|
|
33
|
+
* a fresh JWKSOAuthKeyring is constructed.
|
|
34
|
+
*/
|
|
35
|
+
keyring?: OAuthKeyring;
|
|
36
|
+
}
|
|
37
|
+
export declare class TokenVerifier {
|
|
38
|
+
#private;
|
|
39
|
+
constructor(options: TokenVerifierOptions);
|
|
40
|
+
verifyToken(token: string): Promise<AccessToken | null>;
|
|
41
|
+
verifyTokenForZone(token: string, zoneId: string): Promise<AccessToken | null>;
|
|
42
|
+
/**
|
|
43
|
+
* Flushes JWKS keys and discovery results from the underlying keyring.
|
|
44
|
+
* Use after a global key rotation. No-op if the injected keyring does
|
|
45
|
+
* not expose a `clear()` method.
|
|
46
|
+
*/
|
|
47
|
+
clearCache(): void;
|
|
48
|
+
}
|
|
49
|
+
//# sourceMappingURL=tokenVerifier.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tokenVerifier.d.ts","sourceRoot":"","sources":["../../../src/server/tokenVerifier.ts"],"names":[],"mappings":"AACA,OAAO,EAAoB,KAAK,YAAY,EAAE,MAAM,eAAe,CAAC;AAEpE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAIpD,MAAM,WAAW,oBAAoB;IACnC;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC;;OAEG;IACH,iBAAiB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACtC;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3C;;;OAGG;IACH,OAAO,CAAC,EAAE,YAAY,CAAC;CACxB;AAED,qBAAa,aAAa;;gBAQZ,OAAO,EAAE,oBAAoB;IAYnC,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAIvD,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAOpF;;;;OAIG;IACH,UAAU,IAAI,IAAI;CA8CnB"}
|
|
@@ -0,0 +1,118 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
|
|
3
|
+
if (kind === "m") throw new TypeError("Private method is not writable");
|
|
4
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
|
|
5
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
|
|
6
|
+
return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
|
|
7
|
+
};
|
|
8
|
+
var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
|
|
9
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
|
|
10
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
|
|
11
|
+
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
|
|
12
|
+
};
|
|
13
|
+
var _TokenVerifier_instances, _TokenVerifier_issuer, _TokenVerifier_requiredScopes, _TokenVerifier_allowedAlgorithms, _TokenVerifier_enableMultiZone, _TokenVerifier_audience, _TokenVerifier_keyring, _TokenVerifier_verify, _TokenVerifier_scopesSatisfied;
|
|
14
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
|
+
exports.TokenVerifier = void 0;
|
|
16
|
+
const verifier_js_1 = require("../jwt/verifier.js");
|
|
17
|
+
const keyring_js_1 = require("../keyring.js");
|
|
18
|
+
const DEFAULT_ALLOWED_ALGORITHMS = ["RS256"];
|
|
19
|
+
class TokenVerifier {
|
|
20
|
+
constructor(options) {
|
|
21
|
+
_TokenVerifier_instances.add(this);
|
|
22
|
+
_TokenVerifier_issuer.set(this, void 0);
|
|
23
|
+
_TokenVerifier_requiredScopes.set(this, void 0);
|
|
24
|
+
_TokenVerifier_allowedAlgorithms.set(this, void 0);
|
|
25
|
+
_TokenVerifier_enableMultiZone.set(this, void 0);
|
|
26
|
+
_TokenVerifier_audience.set(this, void 0);
|
|
27
|
+
_TokenVerifier_keyring.set(this, void 0);
|
|
28
|
+
if (!options.issuer) {
|
|
29
|
+
throw new Error("TokenVerifier: issuer is required");
|
|
30
|
+
}
|
|
31
|
+
__classPrivateFieldSet(this, _TokenVerifier_issuer, options.issuer, "f");
|
|
32
|
+
__classPrivateFieldSet(this, _TokenVerifier_requiredScopes, options.requiredScopes ?? [], "f");
|
|
33
|
+
__classPrivateFieldSet(this, _TokenVerifier_allowedAlgorithms, options.allowedAlgorithms ?? DEFAULT_ALLOWED_ALGORITHMS, "f");
|
|
34
|
+
__classPrivateFieldSet(this, _TokenVerifier_enableMultiZone, options.enableMultiZone ?? false, "f");
|
|
35
|
+
__classPrivateFieldSet(this, _TokenVerifier_audience, options.audience, "f");
|
|
36
|
+
__classPrivateFieldSet(this, _TokenVerifier_keyring, options.keyring ?? new keyring_js_1.JWKSOAuthKeyring(), "f");
|
|
37
|
+
}
|
|
38
|
+
async verifyToken(token) {
|
|
39
|
+
return __classPrivateFieldGet(this, _TokenVerifier_instances, "m", _TokenVerifier_verify).call(this, token, undefined);
|
|
40
|
+
}
|
|
41
|
+
async verifyTokenForZone(token, zoneId) {
|
|
42
|
+
if (!zoneId) {
|
|
43
|
+
return null;
|
|
44
|
+
}
|
|
45
|
+
return __classPrivateFieldGet(this, _TokenVerifier_instances, "m", _TokenVerifier_verify).call(this, token, zoneId);
|
|
46
|
+
}
|
|
47
|
+
/**
|
|
48
|
+
* Flushes JWKS keys and discovery results from the underlying keyring.
|
|
49
|
+
* Use after a global key rotation. No-op if the injected keyring does
|
|
50
|
+
* not expose a `clear()` method.
|
|
51
|
+
*/
|
|
52
|
+
clearCache() {
|
|
53
|
+
const keyring = __classPrivateFieldGet(this, _TokenVerifier_keyring, "f");
|
|
54
|
+
keyring.clear?.();
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
exports.TokenVerifier = TokenVerifier;
|
|
58
|
+
_TokenVerifier_issuer = new WeakMap(), _TokenVerifier_requiredScopes = new WeakMap(), _TokenVerifier_allowedAlgorithms = new WeakMap(), _TokenVerifier_enableMultiZone = new WeakMap(), _TokenVerifier_audience = new WeakMap(), _TokenVerifier_keyring = new WeakMap(), _TokenVerifier_instances = new WeakSet(), _TokenVerifier_verify = async function _TokenVerifier_verify(token, zoneId) {
|
|
59
|
+
let audience;
|
|
60
|
+
if (typeof __classPrivateFieldGet(this, _TokenVerifier_audience, "f") === "string") {
|
|
61
|
+
audience = __classPrivateFieldGet(this, _TokenVerifier_audience, "f");
|
|
62
|
+
}
|
|
63
|
+
else if (__classPrivateFieldGet(this, _TokenVerifier_audience, "f") !== undefined) {
|
|
64
|
+
if (!zoneId || !Object.prototype.hasOwnProperty.call(__classPrivateFieldGet(this, _TokenVerifier_audience, "f"), zoneId)) {
|
|
65
|
+
return null;
|
|
66
|
+
}
|
|
67
|
+
audience = __classPrivateFieldGet(this, _TokenVerifier_audience, "f")[zoneId];
|
|
68
|
+
}
|
|
69
|
+
const issuer = __classPrivateFieldGet(this, _TokenVerifier_enableMultiZone, "f") && zoneId
|
|
70
|
+
? buildZoneScopedIssuer(__classPrivateFieldGet(this, _TokenVerifier_issuer, "f"), zoneId)
|
|
71
|
+
: __classPrivateFieldGet(this, _TokenVerifier_issuer, "f");
|
|
72
|
+
try {
|
|
73
|
+
const verifier = new verifier_js_1.JWTVerifier(__classPrivateFieldGet(this, _TokenVerifier_keyring, "f"), {
|
|
74
|
+
issuers: [issuer],
|
|
75
|
+
audiences: audience,
|
|
76
|
+
algorithms: __classPrivateFieldGet(this, _TokenVerifier_allowedAlgorithms, "f"),
|
|
77
|
+
});
|
|
78
|
+
const claims = await verifier.verify(token);
|
|
79
|
+
if (!__classPrivateFieldGet(this, _TokenVerifier_instances, "m", _TokenVerifier_scopesSatisfied).call(this, claims)) {
|
|
80
|
+
return null;
|
|
81
|
+
}
|
|
82
|
+
return toAccessToken(token, claims);
|
|
83
|
+
}
|
|
84
|
+
catch {
|
|
85
|
+
return null;
|
|
86
|
+
}
|
|
87
|
+
}, _TokenVerifier_scopesSatisfied = function _TokenVerifier_scopesSatisfied(claims) {
|
|
88
|
+
if (__classPrivateFieldGet(this, _TokenVerifier_requiredScopes, "f").length === 0) {
|
|
89
|
+
return true;
|
|
90
|
+
}
|
|
91
|
+
if (typeof claims.scope !== "string") {
|
|
92
|
+
return false;
|
|
93
|
+
}
|
|
94
|
+
const tokenScopes = new Set(claims.scope.split(" ").filter(Boolean));
|
|
95
|
+
return __classPrivateFieldGet(this, _TokenVerifier_requiredScopes, "f").every((s) => tokenScopes.has(s));
|
|
96
|
+
};
|
|
97
|
+
function toAccessToken(token, claims) {
|
|
98
|
+
const scopes = typeof claims.scope === "string"
|
|
99
|
+
? claims.scope.split(" ").filter(Boolean)
|
|
100
|
+
: [];
|
|
101
|
+
const resourceClaim = claims["resource"];
|
|
102
|
+
const resource = typeof resourceClaim === "string" ? resourceClaim : undefined;
|
|
103
|
+
const expiresAt = typeof claims.exp === "number" ? claims.exp : undefined;
|
|
104
|
+
// JWTVerifier validates client_id is present and a non-empty string before
|
|
105
|
+
// returning, so this assertion is load-bearing only at the type boundary.
|
|
106
|
+
return {
|
|
107
|
+
token,
|
|
108
|
+
clientId: claims.client_id,
|
|
109
|
+
scopes,
|
|
110
|
+
expiresAt,
|
|
111
|
+
resource,
|
|
112
|
+
};
|
|
113
|
+
}
|
|
114
|
+
function buildZoneScopedIssuer(baseIssuer, zoneId) {
|
|
115
|
+
const url = new URL(baseIssuer);
|
|
116
|
+
return `${url.protocol}//${zoneId}.${url.host}`;
|
|
117
|
+
}
|
|
118
|
+
//# sourceMappingURL=tokenVerifier.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tokenVerifier.js","sourceRoot":"","sources":["../../../src/server/tokenVerifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,oDAAiD;AACjD,8CAAoE;AAIpE,MAAM,0BAA0B,GAAG,CAAC,OAAO,CAAU,CAAC;AAqCtD,MAAa,aAAa;IAQxB,YAAY,OAA6B;;QAPzC,wCAAgB;QAChB,gDAAmC;QACnC,mDAAsC;QACtC,iDAA0B;QAC1B,0CAA4C;QAC5C,yCAAuB;QAGrB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,uBAAA,IAAI,yBAAW,OAAO,CAAC,MAAM,MAAA,CAAC;QAC9B,uBAAA,IAAI,iCAAmB,OAAO,CAAC,cAAc,IAAI,EAAE,MAAA,CAAC;QACpD,uBAAA,IAAI,oCAAsB,OAAO,CAAC,iBAAiB,IAAI,0BAA0B,MAAA,CAAC;QAClF,uBAAA,IAAI,kCAAoB,OAAO,CAAC,eAAe,IAAI,KAAK,MAAA,CAAC;QACzD,uBAAA,IAAI,2BAAa,OAAO,CAAC,QAAQ,MAAA,CAAC;QAClC,uBAAA,IAAI,0BAAY,OAAO,CAAC,OAAO,IAAI,IAAI,6BAAgB,EAAE,MAAA,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,OAAO,uBAAA,IAAI,uDAAQ,MAAZ,IAAI,EAAS,KAAK,EAAE,SAAS,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAa,EAAE,MAAc;QACpD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,uBAAA,IAAI,uDAAQ,MAAZ,IAAI,EAAS,KAAK,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IAED;;;;OAIG;IACH,UAAU;QACR,MAAM,OAAO,GAAG,uBAAA,IAAI,8BAAmC,CAAC;QACxD,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IACpB,CAAC;CA2CF;AAlFD,sCAkFC;2UAzCC,KAAK,gCAAS,KAAa,EAAE,MAA0B;IACrD,IAAI,QAA4B,CAAC;IACjC,IAAI,OAAO,uBAAA,IAAI,+BAAU,KAAK,QAAQ,EAAE,CAAC;QACvC,QAAQ,GAAG,uBAAA,IAAI,+BAAU,CAAC;IAC5B,CAAC;SAAM,IAAI,uBAAA,IAAI,+BAAU,KAAK,SAAS,EAAE,CAAC;QACxC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,uBAAA,IAAI,+BAAU,EAAE,MAAM,CAAC,EAAE,CAAC;YAC7E,OAAO,IAAI,CAAC;QACd,CAAC;QACD,QAAQ,GAAG,uBAAA,IAAI,+BAAU,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,MAAM,GAAG,uBAAA,IAAI,sCAAiB,IAAI,MAAM;QAC5C,CAAC,CAAC,qBAAqB,CAAC,uBAAA,IAAI,6BAAQ,EAAE,MAAM,CAAC;QAC7C,CAAC,CAAC,uBAAA,IAAI,6BAAQ,CAAC;IAEjB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,yBAAW,CAAC,uBAAA,IAAI,8BAAS,EAAE;YAC9C,OAAO,EAAE,CAAC,MAAM,CAAC;YACjB,SAAS,EAAE,QAAQ;YACnB,UAAU,EAAE,uBAAA,IAAI,wCAAmB;SACpC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,CAAC,uBAAA,IAAI,gEAAiB,MAArB,IAAI,EAAkB,MAAM,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,2EAEgB,MAAiB;IAChC,IAAI,uBAAA,IAAI,qCAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IACrE,OAAO,uBAAA,IAAI,qCAAgB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/D,CAAC;AAGH,SAAS,aAAa,CAAC,KAAa,EAAE,MAAiB;IACrD,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ;QAC7C,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;QACzC,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,OAAO,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/E,MAAM,SAAS,GAAG,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAC1E,2EAA2E;IAC3E,0EAA0E;IAC1E,OAAO;QACL,KAAK;QACL,QAAQ,EAAE,MAAM,CAAC,SAAmB;QACpC,MAAM;QACN,SAAS;QACT,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,UAAkB,EAAE,MAAc;IAC/D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IAChC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;AAClD,CAAC"}
|
|
@@ -1,3 +1,13 @@
|
|
|
1
|
+
import type { ApplicationCredential } from "./credentials.js";
|
|
2
|
+
export declare const TokenType: {
|
|
3
|
+
readonly ACCESS_TOKEN: "urn:ietf:params:oauth:token-type:access_token";
|
|
4
|
+
/**
|
|
5
|
+
* Vendor URN for substitute-user (impersonation) subject tokens.
|
|
6
|
+
* Recognized by the Keycard authorization server; not registered with IANA.
|
|
7
|
+
*/
|
|
8
|
+
readonly SUBSTITUTE_USER: "urn:keycard:params:oauth:token-type:substitute-user";
|
|
9
|
+
};
|
|
10
|
+
export type TokenType = (typeof TokenType)[keyof typeof TokenType];
|
|
1
11
|
export interface TokenExchangeRequest {
|
|
2
12
|
grantType?: string;
|
|
3
13
|
resource?: string;
|
|
@@ -22,10 +32,26 @@ export interface TokenResponse {
|
|
|
22
32
|
export interface TokenExchangeClientOptions {
|
|
23
33
|
clientId?: string;
|
|
24
34
|
clientSecret?: string;
|
|
35
|
+
/**
|
|
36
|
+
* Application credential provider. When set, takes precedence over
|
|
37
|
+
* static `clientId`/`clientSecret` and resolves the per-request
|
|
38
|
+
* Authorization header from the credential's `getAuth(zoneId)`.
|
|
39
|
+
*/
|
|
40
|
+
credential?: ApplicationCredential;
|
|
41
|
+
}
|
|
42
|
+
export interface ExchangeOptions {
|
|
43
|
+
zoneId?: string;
|
|
44
|
+
}
|
|
45
|
+
export interface ImpersonateRequest {
|
|
46
|
+
userIdentifier: string;
|
|
47
|
+
resource: string;
|
|
48
|
+
scope?: string;
|
|
49
|
+
zoneId?: string;
|
|
25
50
|
}
|
|
26
51
|
export declare class TokenExchangeClient {
|
|
27
52
|
#private;
|
|
28
53
|
constructor(issuerUrl: string, options?: TokenExchangeClientOptions);
|
|
29
|
-
exchangeToken(request: TokenExchangeRequest): Promise<TokenResponse>;
|
|
54
|
+
exchangeToken(request: TokenExchangeRequest, options?: ExchangeOptions): Promise<TokenResponse>;
|
|
55
|
+
impersonate(req: ImpersonateRequest): Promise<TokenResponse>;
|
|
30
56
|
}
|
|
31
57
|
//# sourceMappingURL=tokenExchange.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAO9D,eAAO,MAAM,SAAS;;IAEpB;;;OAGG;;CAEK,CAAC;AACX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,SAAS,CAAC,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAEnE,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAkDD,qBAAa,mBAAmB;;gBAQlB,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;IAO7D,aAAa,CACjB,OAAO,EAAE,oBAAoB,EAC7B,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,aAAa,CAAC;IA8CnB,WAAW,CAAC,GAAG,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;CAkDnE"}
|
|
@@ -10,11 +10,23 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
|
|
|
10
10
|
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
|
|
11
11
|
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
|
|
12
12
|
};
|
|
13
|
-
var _TokenExchangeClient_instances, _TokenExchangeClient_issuerUrl, _TokenExchangeClient_clientId, _TokenExchangeClient_clientSecret, _TokenExchangeClient_tokenEndpoint, _TokenExchangeClient_discoveryPromise, _TokenExchangeClient_getTokenEndpoint;
|
|
13
|
+
var _TokenExchangeClient_instances, _TokenExchangeClient_issuerUrl, _TokenExchangeClient_clientId, _TokenExchangeClient_clientSecret, _TokenExchangeClient_credential, _TokenExchangeClient_tokenEndpoint, _TokenExchangeClient_discoveryPromise, _TokenExchangeClient_resolveBasicAuth, _TokenExchangeClient_getTokenEndpoint;
|
|
14
14
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
|
-
exports.TokenExchangeClient = void 0;
|
|
15
|
+
exports.TokenExchangeClient = exports.TokenType = void 0;
|
|
16
16
|
const discovery_js_1 = require("./discovery.js");
|
|
17
17
|
const errors_js_1 = require("./errors.js");
|
|
18
|
+
const substituteUser_js_1 = require("./jwt/substituteUser.js");
|
|
19
|
+
// =============================================================================
|
|
20
|
+
// Token Exchange Types (RFC 8693)
|
|
21
|
+
// =============================================================================
|
|
22
|
+
exports.TokenType = {
|
|
23
|
+
ACCESS_TOKEN: "urn:ietf:params:oauth:token-type:access_token",
|
|
24
|
+
/**
|
|
25
|
+
* Vendor URN for substitute-user (impersonation) subject tokens.
|
|
26
|
+
* Recognized by the Keycard authorization server; not registered with IANA.
|
|
27
|
+
*/
|
|
28
|
+
SUBSTITUTE_USER: "urn:keycard:params:oauth:token-type:substitute-user",
|
|
29
|
+
};
|
|
18
30
|
// =============================================================================
|
|
19
31
|
// Wire format helpers (camelCase <-> snake_case at the boundary)
|
|
20
32
|
// =============================================================================
|
|
@@ -70,20 +82,23 @@ class TokenExchangeClient {
|
|
|
70
82
|
_TokenExchangeClient_issuerUrl.set(this, void 0);
|
|
71
83
|
_TokenExchangeClient_clientId.set(this, void 0);
|
|
72
84
|
_TokenExchangeClient_clientSecret.set(this, void 0);
|
|
85
|
+
_TokenExchangeClient_credential.set(this, void 0);
|
|
73
86
|
_TokenExchangeClient_tokenEndpoint.set(this, void 0);
|
|
74
87
|
_TokenExchangeClient_discoveryPromise.set(this, void 0);
|
|
75
88
|
__classPrivateFieldSet(this, _TokenExchangeClient_issuerUrl, issuerUrl, "f");
|
|
76
89
|
__classPrivateFieldSet(this, _TokenExchangeClient_clientId, options?.clientId, "f");
|
|
77
90
|
__classPrivateFieldSet(this, _TokenExchangeClient_clientSecret, options?.clientSecret, "f");
|
|
91
|
+
__classPrivateFieldSet(this, _TokenExchangeClient_credential, options?.credential, "f");
|
|
78
92
|
}
|
|
79
|
-
async exchangeToken(request) {
|
|
93
|
+
async exchangeToken(request, options) {
|
|
80
94
|
const tokenEndpoint = await __classPrivateFieldGet(this, _TokenExchangeClient_instances, "m", _TokenExchangeClient_getTokenEndpoint).call(this);
|
|
81
95
|
const body = serializeRequest(request);
|
|
82
96
|
const headers = {
|
|
83
97
|
"Content-Type": "application/x-www-form-urlencoded",
|
|
84
98
|
};
|
|
85
|
-
|
|
86
|
-
|
|
99
|
+
const basicAuth = __classPrivateFieldGet(this, _TokenExchangeClient_instances, "m", _TokenExchangeClient_resolveBasicAuth).call(this, options?.zoneId);
|
|
100
|
+
if (basicAuth) {
|
|
101
|
+
const credentials = btoa(`${basicAuth.clientId}:${basicAuth.clientSecret}`);
|
|
87
102
|
headers["Authorization"] = `Basic ${credentials}`;
|
|
88
103
|
}
|
|
89
104
|
const response = await fetch(tokenEndpoint, {
|
|
@@ -115,9 +130,32 @@ class TokenExchangeClient {
|
|
|
115
130
|
const json = await response.json();
|
|
116
131
|
return deserializeResponse(json);
|
|
117
132
|
}
|
|
133
|
+
async impersonate(req) {
|
|
134
|
+
if (!req.userIdentifier) {
|
|
135
|
+
throw new Error("impersonate: userIdentifier is required");
|
|
136
|
+
}
|
|
137
|
+
if (!req.resource) {
|
|
138
|
+
throw new Error("impersonate: resource is required");
|
|
139
|
+
}
|
|
140
|
+
const subjectToken = (0, substituteUser_js_1.buildSubstituteUserToken)(req.userIdentifier);
|
|
141
|
+
return this.exchangeToken({
|
|
142
|
+
subjectToken,
|
|
143
|
+
subjectTokenType: exports.TokenType.SUBSTITUTE_USER,
|
|
144
|
+
resource: req.resource,
|
|
145
|
+
scope: req.scope,
|
|
146
|
+
}, { zoneId: req.zoneId });
|
|
147
|
+
}
|
|
118
148
|
}
|
|
119
149
|
exports.TokenExchangeClient = TokenExchangeClient;
|
|
120
|
-
_TokenExchangeClient_issuerUrl = new WeakMap(), _TokenExchangeClient_clientId = new WeakMap(), _TokenExchangeClient_clientSecret = new WeakMap(), _TokenExchangeClient_tokenEndpoint = new WeakMap(), _TokenExchangeClient_discoveryPromise = new WeakMap(), _TokenExchangeClient_instances = new WeakSet(),
|
|
150
|
+
_TokenExchangeClient_issuerUrl = new WeakMap(), _TokenExchangeClient_clientId = new WeakMap(), _TokenExchangeClient_clientSecret = new WeakMap(), _TokenExchangeClient_credential = new WeakMap(), _TokenExchangeClient_tokenEndpoint = new WeakMap(), _TokenExchangeClient_discoveryPromise = new WeakMap(), _TokenExchangeClient_instances = new WeakSet(), _TokenExchangeClient_resolveBasicAuth = function _TokenExchangeClient_resolveBasicAuth(zoneId) {
|
|
151
|
+
if (__classPrivateFieldGet(this, _TokenExchangeClient_credential, "f")) {
|
|
152
|
+
return __classPrivateFieldGet(this, _TokenExchangeClient_credential, "f").getAuth(zoneId);
|
|
153
|
+
}
|
|
154
|
+
if (__classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f") && __classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f")) {
|
|
155
|
+
return { clientId: __classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f"), clientSecret: __classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f") };
|
|
156
|
+
}
|
|
157
|
+
return null;
|
|
158
|
+
}, _TokenExchangeClient_getTokenEndpoint = async function _TokenExchangeClient_getTokenEndpoint() {
|
|
121
159
|
if (__classPrivateFieldGet(this, _TokenExchangeClient_tokenEndpoint, "f")) {
|
|
122
160
|
return __classPrivateFieldGet(this, _TokenExchangeClient_tokenEndpoint, "f");
|
|
123
161
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,iDAAkE;AAClE,2CAAyC;
|
|
1
|
+
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,iDAAkE;AAClE,2CAAyC;AAEzC,+DAAmE;AAEnE,gFAAgF;AAChF,kCAAkC;AAClC,gFAAgF;AAEnE,QAAA,SAAS,GAAG;IACvB,YAAY,EAAE,+CAA+C;IAC7D;;;OAGG;IACH,eAAe,EAAE,qDAAqD;CAC9D,CAAC;AAgDX,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAa,mBAAmB;IAQ9B,YAAY,SAAiB,EAAE,OAAoC;;QAPnE,iDAAmB;QACnB,gDAAmB;QACnB,oDAAuB;QACvB,kDAAoC;QACpC,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,kCAAc,SAAS,MAAA,CAAC;QAC5B,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;QAC3C,uBAAA,IAAI,mCAAe,OAAO,EAAE,UAAU,MAAA,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,OAA6B,EAC7B,OAAyB;QAEzB,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,MAAM,SAAS,GAAG,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,EAAmB,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;YAC5E,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,sBAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,sBAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,4CAA4C;YAC9C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,GAAG,CAClD,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAuB;QACvC,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,YAAY,GAAG,IAAA,4CAAwB,EAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC,aAAa,CACvB;YACE,YAAY;YACZ,gBAAgB,EAAE,iBAAS,CAAC,eAAe;YAC3C,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,KAAK,EAAE,GAAG,CAAC,KAAK;SACjB,EACD,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CACvB,CAAC;IACJ,CAAC;CAiCF;AAlHD,kDAkHC;qbA9BG,MAA0B;IAE1B,IAAI,uBAAA,IAAI,uCAAY,EAAE,CAAC;QACrB,OAAO,uBAAA,IAAI,uCAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;QACzC,OAAO,EAAE,QAAQ,EAAE,uBAAA,IAAI,qCAAU,EAAE,YAAY,EAAE,uBAAA,IAAI,yCAAc,EAAE,CAAC;IACxE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,0CAED,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,uBAAA,IAAI,sCAAW,CAAC,CAAC;YACzE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,sCAAW,uCAAuC,CAAC,CAAC;YACnG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}
|
|
@@ -4,15 +4,19 @@ import type { TokenExchangeRequest } from "./tokenExchange.js";
|
|
|
4
4
|
*
|
|
5
5
|
* Implementations live in downstream packages (@keycardai/mcp, @keycardai/cloudflare)
|
|
6
6
|
* because they depend on platform-specific APIs (Node.js fs, Cloudflare Workers, etc.).
|
|
7
|
+
*
|
|
8
|
+
* The optional `zoneId` parameter routes per-zone credentials in multi-zone deployments.
|
|
9
|
+
* Implementations that ignore the zone (single-zone) are accepted by the interface.
|
|
7
10
|
*/
|
|
8
11
|
export interface ApplicationCredential {
|
|
9
|
-
getAuth(): {
|
|
12
|
+
getAuth(zoneId?: string): {
|
|
10
13
|
clientId: string;
|
|
11
14
|
clientSecret: string;
|
|
12
15
|
} | null;
|
|
13
16
|
prepareTokenExchangeRequest(subjectToken: string, resource: string, options?: {
|
|
14
17
|
tokenEndpoint?: string;
|
|
15
18
|
authInfo?: Record<string, string>;
|
|
19
|
+
zoneId?: string;
|
|
16
20
|
}): Promise<TokenExchangeRequest>;
|
|
17
21
|
}
|
|
18
22
|
//# sourceMappingURL=credentials.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE/D
|
|
1
|
+
{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE/D;;;;;;;;GAQG;AACH,MAAM,WAAW,qBAAqB;IACpC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC5E,2BAA2B,CACzB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GACvF,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAClC"}
|
package/dist/esm/errors.d.ts
CHANGED
|
@@ -16,4 +16,27 @@ export declare class InvalidTokenError extends OAuthError {
|
|
|
16
16
|
export declare class InsufficientScopeError extends OAuthError {
|
|
17
17
|
constructor(message: string, errorUri?: string);
|
|
18
18
|
}
|
|
19
|
+
export type ErrorDetail = {
|
|
20
|
+
message: string;
|
|
21
|
+
code?: string;
|
|
22
|
+
description?: string;
|
|
23
|
+
rawError?: string;
|
|
24
|
+
};
|
|
25
|
+
export type ResourceAccessErrorType = "global_error" | "resource_error" | "missing_token";
|
|
26
|
+
export interface ResourceAccessErrorOptions {
|
|
27
|
+
resource?: string;
|
|
28
|
+
errorType?: ResourceAccessErrorType;
|
|
29
|
+
availableResources?: readonly string[];
|
|
30
|
+
errorDetails?: ErrorDetail | null;
|
|
31
|
+
}
|
|
32
|
+
export declare class ResourceAccessError extends Error {
|
|
33
|
+
readonly resource?: string;
|
|
34
|
+
readonly errorType?: ResourceAccessErrorType;
|
|
35
|
+
readonly availableResources?: readonly string[];
|
|
36
|
+
readonly errorDetails: ErrorDetail | null;
|
|
37
|
+
constructor(message?: string, options?: ResourceAccessErrorOptions);
|
|
38
|
+
}
|
|
39
|
+
export declare class AuthProviderConfigurationError extends Error {
|
|
40
|
+
constructor(message?: string);
|
|
41
|
+
}
|
|
19
42
|
//# sourceMappingURL=errors.d.ts.map
|
package/dist/esm/errors.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAU,SAAQ,KAAK;gBAEhC,OAAO,EAAE,MAAM;CAIlB;AAED,qBAAa,eAAgB,SAAQ,SAAS;CAC7C;AAED,qBAAa,iBAAkB,SAAQ,SAAS;CAC/C;AAED,qBAAa,UAAW,SAAQ,KAAK;aAEjB,SAAS,EAAE,MAAM;aAEjB,QAAQ,CAAC,EAAE,MAAM;gBAFjB,SAAS,EAAE,MAAM,EACjC,OAAO,EAAE,MAAM,EACC,QAAQ,CAAC,EAAE,MAAM,YAAA;CAIpC;AAED,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED,qBAAa,sBAAuB,SAAQ,UAAU;gBACxC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C"}
|
|
1
|
+
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAU,SAAQ,KAAK;gBAEhC,OAAO,EAAE,MAAM;CAIlB;AAED,qBAAa,eAAgB,SAAQ,SAAS;CAC7C;AAED,qBAAa,iBAAkB,SAAQ,SAAS;CAC/C;AAED,qBAAa,UAAW,SAAQ,KAAK;aAEjB,SAAS,EAAE,MAAM;aAEjB,QAAQ,CAAC,EAAE,MAAM;gBAFjB,SAAS,EAAE,MAAM,EACjC,OAAO,EAAE,MAAM,EACC,QAAQ,CAAC,EAAE,MAAM,YAAA;CAIpC;AAED,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED,qBAAa,sBAAuB,SAAQ,UAAU;gBACxC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAC/B,cAAc,GACd,gBAAgB,GAChB,eAAe,CAAC;AAEpB,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,uBAAuB,CAAC;IACpC,kBAAkB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,YAAY,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACnC;AAED,qBAAa,mBAAoB,SAAQ,KAAK;IAC5C,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,CAAC,EAAE,uBAAuB,CAAC;IAC7C,QAAQ,CAAC,kBAAkB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAChD,QAAQ,CAAC,YAAY,EAAE,WAAW,GAAG,IAAI,CAAC;gBAE9B,OAAO,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;CAQnE;AA4BD,qBAAa,8BAA+B,SAAQ,KAAK;gBAC3C,OAAO,CAAC,EAAE,MAAM;CAI7B"}
|
package/dist/esm/errors.js
CHANGED
|
@@ -24,4 +24,43 @@ export class InsufficientScopeError extends OAuthError {
|
|
|
24
24
|
super("insufficient_scope", message, errorUri);
|
|
25
25
|
}
|
|
26
26
|
}
|
|
27
|
+
export class ResourceAccessError extends Error {
|
|
28
|
+
constructor(message, options) {
|
|
29
|
+
super(message ?? buildResourceAccessMessage(options));
|
|
30
|
+
this.name = "ResourceAccessError";
|
|
31
|
+
this.resource = options?.resource;
|
|
32
|
+
this.errorType = options?.errorType;
|
|
33
|
+
this.availableResources = options?.availableResources;
|
|
34
|
+
this.errorDetails = options?.errorDetails ?? null;
|
|
35
|
+
}
|
|
36
|
+
}
|
|
37
|
+
function buildResourceAccessMessage(options) {
|
|
38
|
+
if (!options?.errorType) {
|
|
39
|
+
return "Resource access denied or token not available";
|
|
40
|
+
}
|
|
41
|
+
const { resource, errorType, availableResources, errorDetails } = options;
|
|
42
|
+
const label = resource ? `'${resource}'` : "resource";
|
|
43
|
+
switch (errorType) {
|
|
44
|
+
case "global_error": {
|
|
45
|
+
const inner = errorDetails?.message ?? "Unknown global error";
|
|
46
|
+
return `Cannot access resource ${label}: global authentication error. ${inner}`;
|
|
47
|
+
}
|
|
48
|
+
case "resource_error": {
|
|
49
|
+
const inner = errorDetails?.message ?? "Unknown resource error";
|
|
50
|
+
return `Cannot access resource ${label}: ${inner}`;
|
|
51
|
+
}
|
|
52
|
+
case "missing_token": {
|
|
53
|
+
const list = availableResources && availableResources.length > 0
|
|
54
|
+
? ` Available: ${availableResources.join(", ")}.`
|
|
55
|
+
: "";
|
|
56
|
+
return `No access token available for resource ${label}.${list}`;
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
}
|
|
60
|
+
export class AuthProviderConfigurationError extends Error {
|
|
61
|
+
constructor(message) {
|
|
62
|
+
super(message ?? "AuthProvider configuration is invalid");
|
|
63
|
+
this.name = "AuthProviderConfigurationError";
|
|
64
|
+
}
|
|
65
|
+
}
|
|
27
66
|
//# sourceMappingURL=errors.js.map
|
package/dist/esm/errors.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClC,YACE,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAED,MAAM,OAAO,eAAgB,SAAQ,SAAS;CAC7C;AAED,MAAM,OAAO,iBAAkB,SAAQ,SAAS;CAC/C;AAED,MAAM,OAAO,UAAW,SAAQ,KAAK;IACnC,YACkB,SAAiB,EACjC,OAAe,EACC,QAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,cAAS,GAAT,SAAS,CAAQ;QAEjB,aAAQ,GAAR,QAAQ,CAAS;IAGnC,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;CACF;AAED,MAAM,OAAO,sBAAuB,SAAQ,UAAU;IACpD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;CACF"}
|
|
1
|
+
{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClC,YACE,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAED,MAAM,OAAO,eAAgB,SAAQ,SAAS;CAC7C;AAED,MAAM,OAAO,iBAAkB,SAAQ,SAAS;CAC/C;AAED,MAAM,OAAO,UAAW,SAAQ,KAAK;IACnC,YACkB,SAAiB,EACjC,OAAe,EACC,QAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,cAAS,GAAT,SAAS,CAAQ;QAEjB,aAAQ,GAAR,QAAQ,CAAS;IAGnC,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;CACF;AAED,MAAM,OAAO,sBAAuB,SAAQ,UAAU;IACpD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;CACF;AAqBD,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAM5C,YAAY,OAAgB,EAAE,OAAoC;QAChE,KAAK,CAAC,OAAO,IAAI,0BAA0B,CAAC,OAAO,CAAC,CAAC,CAAC;QACtD,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,CAAC;QAClC,IAAI,CAAC,SAAS,GAAG,OAAO,EAAE,SAAS,CAAC;QACpC,IAAI,CAAC,kBAAkB,GAAG,OAAO,EAAE,kBAAkB,CAAC;QACtD,IAAI,CAAC,YAAY,GAAG,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC;IACpD,CAAC;CACF;AAED,SAAS,0BAA0B,CAAC,OAAoC;IACtE,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,CAAC;QACxB,OAAO,+CAA+C,CAAC;IACzD,CAAC;IACD,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,kBAAkB,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC;IAC1E,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC;IAEtD,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,KAAK,GAAG,YAAY,EAAE,OAAO,IAAI,sBAAsB,CAAC;YAC9D,OAAO,0BAA0B,KAAK,kCAAkC,KAAK,EAAE,CAAC;QAClF,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,MAAM,KAAK,GAAG,YAAY,EAAE,OAAO,IAAI,wBAAwB,CAAC;YAChE,OAAO,0BAA0B,KAAK,KAAK,KAAK,EAAE,CAAC;QACrD,CAAC;QACD,KAAK,eAAe,CAAC,CAAC,CAAC;YACrB,MAAM,IAAI,GACR,kBAAkB,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC;gBACjD,CAAC,CAAC,eAAe,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;gBACjD,CAAC,CAAC,EAAE,CAAC;YACT,OAAO,0CAA0C,KAAK,IAAI,IAAI,EAAE,CAAC;QACnE,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,OAAO,8BAA+B,SAAQ,KAAK;IACvD,YAAY,OAAgB;QAC1B,KAAK,CAAC,OAAO,IAAI,uCAAuC,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,GAAG,gCAAgC,CAAC;IAC/C,CAAC;CACF"}
|
package/dist/esm/index.d.ts
CHANGED
|
@@ -3,11 +3,14 @@ export { JWKSOAuthKeyring } from "./keyring.js";
|
|
|
3
3
|
export { default as base64url } from "./base64url.js";
|
|
4
4
|
export { fetchAuthorizationServerMetadata } from "./discovery.js";
|
|
5
5
|
export type { OAuthAuthorizationServerMetadata } from "./discovery.js";
|
|
6
|
-
export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError } from "./errors.js";
|
|
6
|
+
export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError, ResourceAccessError, AuthProviderConfigurationError, } from "./errors.js";
|
|
7
7
|
export { JWTSigner } from "./jwt/signer.js";
|
|
8
8
|
export type { JWTClaims } from "./jwt/signer.js";
|
|
9
9
|
export { JWTVerifier } from "./jwt/verifier.js";
|
|
10
|
-
export {
|
|
11
|
-
export
|
|
10
|
+
export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
|
|
11
|
+
export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
|
|
12
|
+
export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions, ExchangeOptions, ImpersonateRequest, } from "./tokenExchange.js";
|
|
12
13
|
export type { ApplicationCredential } from "./credentials.js";
|
|
14
|
+
export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
|
|
15
|
+
export type { ErrorDetail, AccessContextStatus, AccessToken, TokenVerifierOptions, ClientSecretCredentials, } from "./server/index.js";
|
|
13
16
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/esm/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC"}
|
package/dist/esm/index.js
CHANGED
|
@@ -1,8 +1,10 @@
|
|
|
1
1
|
export { JWKSOAuthKeyring } from "./keyring.js";
|
|
2
2
|
export { default as base64url } from "./base64url.js";
|
|
3
3
|
export { fetchAuthorizationServerMetadata } from "./discovery.js";
|
|
4
|
-
export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError } from "./errors.js";
|
|
4
|
+
export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError, ResourceAccessError, AuthProviderConfigurationError, } from "./errors.js";
|
|
5
5
|
export { JWTSigner } from "./jwt/signer.js";
|
|
6
6
|
export { JWTVerifier } from "./jwt/verifier.js";
|
|
7
|
-
export {
|
|
7
|
+
export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
|
|
8
|
+
export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
|
|
9
|
+
export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
|
|
8
10
|
//# sourceMappingURL=index.js.map
|