@kya-os/mcp-i-cloudflare 1.9.6 → 1.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter.d.ts.map +1 -1
- package/dist/adapter.js +47 -16
- package/dist/adapter.js.map +1 -1
- package/dist/agent.d.ts +9 -0
- package/dist/agent.d.ts.map +1 -1
- package/dist/agent.js +203 -53
- package/dist/agent.js.map +1 -1
- package/dist/app.d.ts.map +1 -1
- package/dist/app.js +86 -3
- package/dist/app.js.map +1 -1
- package/dist/config.d.ts +54 -0
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +58 -0
- package/dist/config.js.map +1 -1
- package/dist/constants/storage-keys.d.ts +6 -0
- package/dist/constants/storage-keys.d.ts.map +1 -1
- package/dist/constants/storage-keys.js +6 -0
- package/dist/constants/storage-keys.js.map +1 -1
- package/dist/delegation-http/anchor-do.d.ts +84 -0
- package/dist/delegation-http/anchor-do.d.ts.map +1 -0
- package/dist/delegation-http/anchor-do.js +253 -0
- package/dist/delegation-http/anchor-do.js.map +1 -0
- package/dist/delegation-http/anchor-routing.d.ts +20 -0
- package/dist/delegation-http/anchor-routing.d.ts.map +1 -0
- package/dist/delegation-http/anchor-routing.js +27 -0
- package/dist/delegation-http/anchor-routing.js.map +1 -0
- package/dist/delegation-http/bearer-retry.d.ts +54 -0
- package/dist/delegation-http/bearer-retry.d.ts.map +1 -0
- package/dist/delegation-http/bearer-retry.js +195 -0
- package/dist/delegation-http/bearer-retry.js.map +1 -0
- package/dist/delegation-http/challenge-middleware.d.ts +28 -0
- package/dist/delegation-http/challenge-middleware.d.ts.map +1 -0
- package/dist/delegation-http/challenge-middleware.js +190 -0
- package/dist/delegation-http/challenge-middleware.js.map +1 -0
- package/dist/delegation-http/challenge.d.ts +86 -0
- package/dist/delegation-http/challenge.d.ts.map +1 -0
- package/dist/delegation-http/challenge.js +173 -0
- package/dist/delegation-http/challenge.js.map +1 -0
- package/dist/delegation-http/consent-anchor-bridge.d.ts +35 -0
- package/dist/delegation-http/consent-anchor-bridge.d.ts.map +1 -0
- package/dist/delegation-http/consent-anchor-bridge.js +355 -0
- package/dist/delegation-http/consent-anchor-bridge.js.map +1 -0
- package/dist/delegation-http/constants.d.ts +51 -0
- package/dist/delegation-http/constants.d.ts.map +1 -0
- package/dist/delegation-http/constants.js +60 -0
- package/dist/delegation-http/constants.js.map +1 -0
- package/dist/delegation-http/hash.d.ts +21 -0
- package/dist/delegation-http/hash.d.ts.map +1 -0
- package/dist/delegation-http/hash.js +92 -0
- package/dist/delegation-http/hash.js.map +1 -0
- package/dist/delegation-http/pickup-routes.d.ts +42 -0
- package/dist/delegation-http/pickup-routes.d.ts.map +1 -0
- package/dist/delegation-http/pickup-routes.js +79 -0
- package/dist/delegation-http/pickup-routes.js.map +1 -0
- package/dist/delegation-http/register.d.ts +19 -0
- package/dist/delegation-http/register.d.ts.map +1 -0
- package/dist/delegation-http/register.js +72 -0
- package/dist/delegation-http/register.js.map +1 -0
- package/dist/delegation-http/sid.d.ts +20 -0
- package/dist/delegation-http/sid.d.ts.map +1 -0
- package/dist/delegation-http/sid.js +32 -0
- package/dist/delegation-http/sid.js.map +1 -0
- package/dist/delegation-http/types.d.ts +64 -0
- package/dist/delegation-http/types.d.ts.map +1 -0
- package/dist/delegation-http/types.js +11 -0
- package/dist/delegation-http/types.js.map +1 -0
- package/dist/helpers/env-mapper.d.ts.map +1 -1
- package/dist/helpers/env-mapper.js +24 -0
- package/dist/helpers/env-mapper.js.map +1 -1
- package/dist/index.d.ts +5 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +10 -2
- package/dist/index.js.map +1 -1
- package/dist/providers/crypto.d.ts +1 -1
- package/dist/providers/crypto.d.ts.map +1 -1
- package/dist/providers/crypto.js +1 -1
- package/dist/providers/crypto.js.map +1 -1
- package/dist/providers/kv-identity.d.ts +2 -2
- package/dist/providers/kv-identity.d.ts.map +1 -1
- package/dist/providers/kv-identity.js +1 -1
- package/dist/providers/kv-identity.js.map +1 -1
- package/dist/providers/storage.d.ts +1 -1
- package/dist/providers/storage.d.ts.map +1 -1
- package/dist/providers/storage.js +1 -1
- package/dist/providers/storage.js.map +1 -1
- package/dist/runtime/audit-logger.d.ts +1 -1
- package/dist/runtime/audit-logger.d.ts.map +1 -1
- package/dist/runtime/oauth-handler.d.ts.map +1 -1
- package/dist/runtime/oauth-handler.js +31 -3
- package/dist/runtime/oauth-handler.js.map +1 -1
- package/dist/runtime/oidc/authorize-url.d.ts +19 -0
- package/dist/runtime/oidc/authorize-url.d.ts.map +1 -0
- package/dist/runtime/oidc/authorize-url.js +94 -0
- package/dist/runtime/oidc/authorize-url.js.map +1 -0
- package/dist/runtime/oidc/token-exchange.d.ts +62 -0
- package/dist/runtime/oidc/token-exchange.d.ts.map +1 -0
- package/dist/runtime/oidc/token-exchange.js +75 -0
- package/dist/runtime/oidc/token-exchange.js.map +1 -0
- package/dist/runtime.d.ts +1 -1
- package/dist/runtime.d.ts.map +1 -1
- package/dist/services/consent-audit.service.d.ts +1 -1
- package/dist/services/consent-audit.service.d.ts.map +1 -1
- package/dist/services/consent-audit.service.js.map +1 -1
- package/dist/services/consent.service.d.ts +2 -2
- package/dist/services/consent.service.d.ts.map +1 -1
- package/dist/services/consent.service.js +48 -59
- package/dist/services/consent.service.js.map +1 -1
- package/dist/services/delegation.service.d.ts +9 -0
- package/dist/services/delegation.service.d.ts.map +1 -1
- package/dist/services/delegation.service.js +21 -7
- package/dist/services/delegation.service.js.map +1 -1
- package/dist/services/oauth-security.service.d.ts.map +1 -1
- package/dist/services/oauth-security.service.js +6 -10
- package/dist/services/oauth-security.service.js.map +1 -1
- package/dist/services/provider-loader.service.js +1 -1
- package/dist/services/provider-loader.service.js.map +1 -1
- package/dist/types.d.ts +5 -1
- package/dist/types.d.ts.map +1 -1
- package/dist/utils/known-clients.d.ts.map +1 -1
- package/dist/utils/known-clients.js +19 -10
- package/dist/utils/known-clients.js.map +1 -1
- package/package.json +3 -1
|
@@ -0,0 +1,355 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* draft-kya-http-02 delegation layer — consent → pickup bridge.
|
|
3
|
+
*
|
|
4
|
+
* The worker is its own Tier-2 authorization host: the §8.1 challenge points the
|
|
5
|
+
* caller's user at `consent_uri = /consent?sid=kya-…`, served here. This module is
|
|
6
|
+
* the route-order interception that `register.ts` wires BEFORE the legacy `/consent`
|
|
7
|
+
* routes; it only ever handles requests whose query carries an anchor sid (the
|
|
8
|
+
* `next()` fall-through for everything else lives in `register.ts`), so the legacy
|
|
9
|
+
* consent service is untouched.
|
|
10
|
+
*
|
|
11
|
+
* - `GET /consent?sid=kya-…` reads the anchor via `INTERNAL_PICKUP_INFO`. An unknown
|
|
12
|
+
* sid → 404 page; an expired sid → a "link expired" page; otherwise a minimal
|
|
13
|
+
* approve form (the consent-only scope list + a CSRF-protected POST).
|
|
14
|
+
* - `POST /consent/approve?sid=kya-…` mints a delegation VC-JWT using the SAME
|
|
15
|
+
* `@kya-os/mcp` primitives `consent.service.ts` uses (`wrapDelegationAsVC` →
|
|
16
|
+
* `createUnsignedVCJWT` → sign → `completeVCJWT`) — calling them directly here, NOT
|
|
17
|
+
* editing the service — then parks it on the anchor via `INTERNAL_PICKUP_APPROVE`.
|
|
18
|
+
* If the anchor is gone (DO 410/404) the approval FAILS with an error page and
|
|
19
|
+
* mints nothing reachable: consent on an EXPIRED anchor MUST fail.
|
|
20
|
+
*
|
|
21
|
+
* @module @kya-os/mcp-i-cloudflare/delegation-http/consent-anchor-bridge
|
|
22
|
+
*/
|
|
23
|
+
import { wrapDelegationAsVC, createUnsignedVCJWT, completeVCJWT, base64urlEncodeFromBytes, generateDidKeyFromBase64, didKeyFragment, } from "@kya-os/mcp";
|
|
24
|
+
import { WebCryptoProvider } from "../providers/crypto";
|
|
25
|
+
import { escapeHtml } from "../services/consent-templates/base/escape";
|
|
26
|
+
import { getAnchorStub } from "./anchor-routing";
|
|
27
|
+
import { INTERNAL_PICKUP_INFO, INTERNAL_PICKUP_APPROVE } from "./constants";
|
|
28
|
+
/** Internal origin for durable-object stub fetches — the DO routes by pathname only. */
|
|
29
|
+
const DO_INTERNAL_ORIGIN = "https://do.internal";
|
|
30
|
+
/**
|
|
31
|
+
* POST a JSON body to one of the anchor's `/_internal/pickup/*` routes. Returns the
|
|
32
|
+
* durable-object response so callers can branch on its status.
|
|
33
|
+
*/
|
|
34
|
+
async function callAnchor(env, sid, internalPath, body) {
|
|
35
|
+
const stub = getAnchorStub(env, sid);
|
|
36
|
+
const response = await stub.fetch(new URL(internalPath, DO_INTERNAL_ORIGIN).toString(), {
|
|
37
|
+
method: "POST",
|
|
38
|
+
headers: { "Content-Type": "application/json" },
|
|
39
|
+
body: JSON.stringify(body),
|
|
40
|
+
});
|
|
41
|
+
return response;
|
|
42
|
+
}
|
|
43
|
+
/** An HTML response with the mandated `Cache-Control: no-store`. */
|
|
44
|
+
function htmlResponse(html, status) {
|
|
45
|
+
return new Response(html, {
|
|
46
|
+
status,
|
|
47
|
+
headers: {
|
|
48
|
+
"Content-Type": "text/html; charset=utf-8",
|
|
49
|
+
"Cache-Control": "no-store",
|
|
50
|
+
},
|
|
51
|
+
});
|
|
52
|
+
}
|
|
53
|
+
/** Minimal self-contained HTML page shell (no external bundle dependency). */
|
|
54
|
+
function page(title, bodyInner) {
|
|
55
|
+
return `<!DOCTYPE html>
|
|
56
|
+
<html lang="en">
|
|
57
|
+
<head>
|
|
58
|
+
<meta charset="UTF-8">
|
|
59
|
+
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
60
|
+
<title>${escapeHtml(title)}</title>
|
|
61
|
+
</head>
|
|
62
|
+
<body>
|
|
63
|
+
${bodyInner}
|
|
64
|
+
</body>
|
|
65
|
+
</html>`;
|
|
66
|
+
}
|
|
67
|
+
/** "Link expired" page for an anchor past its TTL. */
|
|
68
|
+
function expiredPage() {
|
|
69
|
+
return htmlResponse(page("Authorization link expired", `<main class="kya-consent-expired">
|
|
70
|
+
<h1>Authorization link expired</h1>
|
|
71
|
+
<p>This authorization request is no longer valid. Please start over to request a new one.</p>
|
|
72
|
+
</main>`), 410);
|
|
73
|
+
}
|
|
74
|
+
/** 404 page for an unknown anchor sid. */
|
|
75
|
+
function notFoundPage() {
|
|
76
|
+
return htmlResponse(page("Authorization request not found", `<main class="kya-consent-notfound">
|
|
77
|
+
<h1>Authorization request not found</h1>
|
|
78
|
+
<p>We could not find this authorization request. It may have already completed or been cancelled.</p>
|
|
79
|
+
</main>`), 404);
|
|
80
|
+
}
|
|
81
|
+
/** Generic approval-failed page (e.g. the anchor expired between GET and POST). */
|
|
82
|
+
function approvalFailedPage(message, status = 410) {
|
|
83
|
+
return htmlResponse(page("Authorization failed", `<main class="kya-consent-failed">
|
|
84
|
+
<h1>Authorization failed</h1>
|
|
85
|
+
<p>${escapeHtml(message)}</p>
|
|
86
|
+
</main>`), status);
|
|
87
|
+
}
|
|
88
|
+
/** Success page after a delegation is parked on the anchor. */
|
|
89
|
+
function successPage() {
|
|
90
|
+
return htmlResponse(page("Authorization complete", `<main class="kya-consent-success">
|
|
91
|
+
<h1>Authorization complete</h1>
|
|
92
|
+
<p>You have authorized the request. You can close this window and return to the application.</p>
|
|
93
|
+
</main>`), 200);
|
|
94
|
+
}
|
|
95
|
+
/**
|
|
96
|
+
* Render the minimal anchor approve form. Reuses the consent-only scope-list shape
|
|
97
|
+
* (escaped scope items) and posts to `/consent/approve?sid=…` with a CSRF token.
|
|
98
|
+
*/
|
|
99
|
+
function approveFormPage(sid, info, csrfToken) {
|
|
100
|
+
const scopeItems = info.requiredScopes.length > 0
|
|
101
|
+
? info.requiredScopes
|
|
102
|
+
.map((s) => `<li class="kya-scope-item">${escapeHtml(s)}</li>`)
|
|
103
|
+
.join("")
|
|
104
|
+
: `<li class="kya-scope-item">No specific permissions required.</li>`;
|
|
105
|
+
return page("Permission Request", `<main class="kya-consent">
|
|
106
|
+
<h1>Authorize delegation</h1>
|
|
107
|
+
<p class="kya-permissions-header">This request needs the following permissions:</p>
|
|
108
|
+
<ul class="kya-permissions-list">${scopeItems}</ul>
|
|
109
|
+
<form method="POST" action="/consent/approve?sid=${encodeURIComponent(sid)}">
|
|
110
|
+
<input type="hidden" name="sid" value="${escapeHtml(sid)}">
|
|
111
|
+
<input type="hidden" name="csrf_token" value="${escapeHtml(csrfToken)}">
|
|
112
|
+
<button type="submit" class="kya-consent-allow">Allow</button>
|
|
113
|
+
</form>
|
|
114
|
+
</main>`);
|
|
115
|
+
}
|
|
116
|
+
// ── CSRF (mirrors consent.service's HMAC token format, bound to the anchor sid) ──
|
|
117
|
+
/** Base64url-encode bytes without padding. */
|
|
118
|
+
function base64UrlEncodeBytes(bytes) {
|
|
119
|
+
return btoa(String.fromCharCode(...bytes))
|
|
120
|
+
.replace(/\+/g, "-")
|
|
121
|
+
.replace(/\//g, "_")
|
|
122
|
+
.replace(/=/g, "");
|
|
123
|
+
}
|
|
124
|
+
/** Base64url-encode a UTF-8 string without padding. */
|
|
125
|
+
function base64UrlEncodeString(value) {
|
|
126
|
+
return base64UrlEncodeBytes(new TextEncoder().encode(value));
|
|
127
|
+
}
|
|
128
|
+
/** Base64url-decode to a UTF-8 string (re-adding the stripped `=` padding for atob). */
|
|
129
|
+
function base64UrlDecodeString(value) {
|
|
130
|
+
const b64 = value.replace(/-/g, "+").replace(/_/g, "/");
|
|
131
|
+
return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
|
|
132
|
+
}
|
|
133
|
+
/**
|
|
134
|
+
* Compute the domain-separated CSRF HMAC (`csrf:<secret>` key material), matching
|
|
135
|
+
* `consent.service.ts` so the two never collide on the same secret.
|
|
136
|
+
*/
|
|
137
|
+
async function computeCsrfHmac(secret, data) {
|
|
138
|
+
const encoder = new TextEncoder();
|
|
139
|
+
const key = await crypto.subtle.importKey("raw", encoder.encode(`csrf:${secret}`), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
|
|
140
|
+
return crypto.subtle.sign("HMAC", key, encoder.encode(data));
|
|
141
|
+
}
|
|
142
|
+
/** Constant-time string comparison to avoid CSRF token timing oracles. */
|
|
143
|
+
function constantTimeEqual(a, b) {
|
|
144
|
+
if (a.length !== b.length)
|
|
145
|
+
return false;
|
|
146
|
+
let diff = 0;
|
|
147
|
+
for (let i = 0; i < a.length; i++) {
|
|
148
|
+
diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
|
|
149
|
+
}
|
|
150
|
+
return diff === 0;
|
|
151
|
+
}
|
|
152
|
+
/**
|
|
153
|
+
* Mint a CSRF token bound to the anchor `sid`: `${hmacB64}.${payloadB64}` over
|
|
154
|
+
* `{ sid, exp }`. Returns a non-validating random token when no secret is configured
|
|
155
|
+
* (graceful degradation — the form still renders).
|
|
156
|
+
*/
|
|
157
|
+
async function mintCsrfToken(env, sid) {
|
|
158
|
+
const secret = env.OAUTH_ENCRYPTION_SECRET;
|
|
159
|
+
if (!secret) {
|
|
160
|
+
return base64UrlEncodeBytes(crypto.getRandomValues(new Uint8Array(32)));
|
|
161
|
+
}
|
|
162
|
+
const exp = Math.floor(Date.now() / 1000) + 600;
|
|
163
|
+
const payloadB64 = base64UrlEncodeString(JSON.stringify({ sid, exp }));
|
|
164
|
+
const hmacB64 = base64UrlEncodeBytes(new Uint8Array(await computeCsrfHmac(secret, payloadB64)));
|
|
165
|
+
return `${hmacB64}.${payloadB64}`;
|
|
166
|
+
}
|
|
167
|
+
/** Validate a CSRF token against the anchor `sid` (HMAC + `sid` binding + expiry). */
|
|
168
|
+
async function validateCsrfToken(env, sid, token) {
|
|
169
|
+
if (!token)
|
|
170
|
+
return false;
|
|
171
|
+
const secret = env.OAUTH_ENCRYPTION_SECRET;
|
|
172
|
+
if (!secret) {
|
|
173
|
+
// Fail CLOSED: with no secret we cannot validate the double-submit token, so an
|
|
174
|
+
// anchor consent-approve POST on this state-changing endpoint must be rejected.
|
|
175
|
+
// (Inheriting consent.service's legacy "graceful degradation to no-CSRF" is not
|
|
176
|
+
// acceptable on this new surface.) Set OAUTH_ENCRYPTION_SECRET, or use
|
|
177
|
+
// MCPI_TEST_CONSENT in an explicit development environment for local testing.
|
|
178
|
+
console.warn(`[kya-http] OAUTH_ENCRYPTION_SECRET unset; rejecting anchor consent approval (sid=${sid})`);
|
|
179
|
+
return false;
|
|
180
|
+
}
|
|
181
|
+
const dot = token.indexOf(".");
|
|
182
|
+
if (dot === -1)
|
|
183
|
+
return false;
|
|
184
|
+
const hmacB64 = token.substring(0, dot);
|
|
185
|
+
const payloadB64 = token.substring(dot + 1);
|
|
186
|
+
try {
|
|
187
|
+
const payload = JSON.parse(base64UrlDecodeString(payloadB64));
|
|
188
|
+
if (payload.sid !== sid)
|
|
189
|
+
return false;
|
|
190
|
+
if (typeof payload.exp === "number" &&
|
|
191
|
+
payload.exp < Math.floor(Date.now() / 1000)) {
|
|
192
|
+
return false;
|
|
193
|
+
}
|
|
194
|
+
const expectedB64 = base64UrlEncodeBytes(new Uint8Array(await computeCsrfHmac(secret, payloadB64)));
|
|
195
|
+
return constantTimeEqual(hmacB64, expectedB64);
|
|
196
|
+
}
|
|
197
|
+
catch {
|
|
198
|
+
return false;
|
|
199
|
+
}
|
|
200
|
+
}
|
|
201
|
+
/**
|
|
202
|
+
* Whether CSRF is relaxed for local/miniflare testing. Requires BOTH
|
|
203
|
+
* `MCPI_TEST_CONSENT === "true"` AND an explicit development environment (W3): the
|
|
204
|
+
* flag alone must NEVER disable CSRF on a production/default deployment.
|
|
205
|
+
*/
|
|
206
|
+
function isTestConsentMode(env) {
|
|
207
|
+
// `MCPI_TEST_CONSENT` / `ENVIRONMENT` are deploy-time vars not declared on the
|
|
208
|
+
// strict CloudflareEnv interface (mirrors config.ts reading `MCPI_HTTP_CHALLENGE`).
|
|
209
|
+
const bag = env;
|
|
210
|
+
if (String(bag.MCPI_TEST_CONSENT) !== "true")
|
|
211
|
+
return false;
|
|
212
|
+
// Fail closed: only an explicit development environment may relax CSRF. Production,
|
|
213
|
+
// staging, unset, and empty all keep CSRF enforced.
|
|
214
|
+
const environment = String(bag.ENVIRONMENT ?? bag.MCPI_ENV ?? "").toLowerCase();
|
|
215
|
+
return environment === "development";
|
|
216
|
+
}
|
|
217
|
+
// ── VC-JWT minting (same primitive chain as consent.service.issueDelegationVC) ──
|
|
218
|
+
/**
|
|
219
|
+
* Mint a delegation VC-JWT for an approved anchor. Generates an ephemeral did:key
|
|
220
|
+
* holder, wraps a delegation record as a VC, and signs it — exactly the primitive
|
|
221
|
+
* chain `consent.service.ts` uses, called here directly (the service is a hot file
|
|
222
|
+
* and is never edited).
|
|
223
|
+
*/
|
|
224
|
+
async function mintDelegationVcJwt(env, sid, info, expiresInS) {
|
|
225
|
+
const cryptoProvider = new WebCryptoProvider();
|
|
226
|
+
const rawKeyPair = await cryptoProvider.generateKeyPair();
|
|
227
|
+
const userDid = generateDidKeyFromBase64(rawKeyPair.publicKey);
|
|
228
|
+
const keyId = `${userDid}#${didKeyFragment(userDid)}`;
|
|
229
|
+
// Subject (the agent the delegation is granted to). The anchor does not carry the
|
|
230
|
+
// agent DID, so fall back to the worker's configured agent DID when present; the
|
|
231
|
+
// holder did is the issuer either way.
|
|
232
|
+
const agentDid = env.MCP_IDENTITY_AGENT_DID || userDid;
|
|
233
|
+
const nowS = Math.floor(Date.now() / 1000);
|
|
234
|
+
const delegation = {
|
|
235
|
+
id: `urn:uuid:${sid}`,
|
|
236
|
+
issuerDid: userDid,
|
|
237
|
+
subjectDid: agentDid,
|
|
238
|
+
vcId: `urn:uuid:${sid}`,
|
|
239
|
+
constraints: {
|
|
240
|
+
scopes: info.requiredScopes,
|
|
241
|
+
notBefore: nowS,
|
|
242
|
+
notAfter: nowS + expiresInS,
|
|
243
|
+
},
|
|
244
|
+
signature: "",
|
|
245
|
+
status: "active",
|
|
246
|
+
createdAt: nowS,
|
|
247
|
+
};
|
|
248
|
+
const unsignedVC = wrapDelegationAsVC(delegation, {
|
|
249
|
+
id: `urn:uuid:${sid}`,
|
|
250
|
+
issuanceDate: new Date().toISOString(),
|
|
251
|
+
});
|
|
252
|
+
const vcWithIssuer = { ...unsignedVC, issuer: userDid };
|
|
253
|
+
const { signingInput } = createUnsignedVCJWT(vcWithIssuer, { keyId });
|
|
254
|
+
const signatureBytes = await cryptoProvider.sign(new TextEncoder().encode(signingInput), rawKeyPair.privateKey);
|
|
255
|
+
const signature = base64urlEncodeFromBytes(signatureBytes);
|
|
256
|
+
return completeVCJWT(signingInput, signature);
|
|
257
|
+
}
|
|
258
|
+
// ── Public handlers ──────────────────────────────────────────────────────────
|
|
259
|
+
/**
|
|
260
|
+
* Render the anchor consent surface for `GET /consent?sid=kya-…`.
|
|
261
|
+
*/
|
|
262
|
+
export async function handleAnchorConsentGet(c, sid, env, _cfg) {
|
|
263
|
+
const infoResponse = await callAnchor(env, sid, INTERNAL_PICKUP_INFO, {
|
|
264
|
+
sid,
|
|
265
|
+
});
|
|
266
|
+
if (infoResponse.status === 404)
|
|
267
|
+
return notFoundPage();
|
|
268
|
+
if (infoResponse.status === 410)
|
|
269
|
+
return expiredPage();
|
|
270
|
+
if (!infoResponse.ok) {
|
|
271
|
+
return approvalFailedPage("This authorization request could not be loaded. Please start over.", 502);
|
|
272
|
+
}
|
|
273
|
+
const info = (await infoResponse.json());
|
|
274
|
+
const csrfToken = await mintCsrfToken(env, sid);
|
|
275
|
+
return htmlResponse(approveFormPage(sid, info, csrfToken), 200);
|
|
276
|
+
}
|
|
277
|
+
/**
|
|
278
|
+
* Handle anchor approval for `POST /consent/approve?sid=kya-…`. Mints a VC-JWT and
|
|
279
|
+
* parks it on the anchor; an expired/unknown anchor makes the approval FAIL.
|
|
280
|
+
*/
|
|
281
|
+
export async function handleAnchorConsentApprove(c, sid, env, cfg) {
|
|
282
|
+
// CSRF, unless test mode relaxes it for miniflare POSTs.
|
|
283
|
+
if (!isTestConsentMode(env)) {
|
|
284
|
+
const csrfToken = await readCsrfTokenFromBody(c);
|
|
285
|
+
const valid = await validateCsrfToken(env, sid, csrfToken);
|
|
286
|
+
if (!valid) {
|
|
287
|
+
return htmlResponse(page("Authorization failed", `<main class="kya-consent-failed"><h1>Authorization failed</h1><p>Invalid or missing security token. Please reload and try again.</p></main>`), 403);
|
|
288
|
+
}
|
|
289
|
+
}
|
|
290
|
+
// Read the anchor first: if it is already gone, fail BEFORE minting anything.
|
|
291
|
+
const infoResponse = await callAnchor(env, sid, INTERNAL_PICKUP_INFO, {
|
|
292
|
+
sid,
|
|
293
|
+
});
|
|
294
|
+
if (infoResponse.status === 404)
|
|
295
|
+
return notFoundPage();
|
|
296
|
+
if (infoResponse.status === 410) {
|
|
297
|
+
return approvalFailedPage("This authorization request has expired. Nothing was authorized.");
|
|
298
|
+
}
|
|
299
|
+
if (!infoResponse.ok) {
|
|
300
|
+
return approvalFailedPage("This authorization request could not be loaded. Please start over.", 502);
|
|
301
|
+
}
|
|
302
|
+
const info = (await infoResponse.json());
|
|
303
|
+
let vcJwt;
|
|
304
|
+
try {
|
|
305
|
+
vcJwt = await mintDelegationVcJwt(env, sid, info, cfg.delegationExpiresInS);
|
|
306
|
+
}
|
|
307
|
+
catch (error) {
|
|
308
|
+
// A mint failure (keygen/sign) must surface as a styled no-store error page, not
|
|
309
|
+
// an unhandled throw that escapes to a bare 500 — and must park nothing (we fail
|
|
310
|
+
// before the INTERNAL_PICKUP_APPROVE call below).
|
|
311
|
+
console.warn(`[kya-http] delegation mint failed (sid=${sid}):`, error instanceof Error ? error.message : String(error));
|
|
312
|
+
return approvalFailedPage("We could not complete the authorization. Please start over.", 500);
|
|
313
|
+
}
|
|
314
|
+
const approveResponse = await callAnchor(env, sid, INTERNAL_PICKUP_APPROVE, {
|
|
315
|
+
sid,
|
|
316
|
+
vcJwt,
|
|
317
|
+
expiresInS: cfg.delegationExpiresInS,
|
|
318
|
+
});
|
|
319
|
+
// Consent on an EXPIRED (410) or unknown (404) anchor MUST fail and mint nothing
|
|
320
|
+
// reachable — the minted JWT is never returned to the caller in that case.
|
|
321
|
+
if (approveResponse.status === 410) {
|
|
322
|
+
return approvalFailedPage("This authorization request expired before it could be completed. Nothing was authorized.");
|
|
323
|
+
}
|
|
324
|
+
if (approveResponse.status === 404)
|
|
325
|
+
return notFoundPage();
|
|
326
|
+
if (!approveResponse.ok) {
|
|
327
|
+
return approvalFailedPage("We could not complete the authorization. Please start over.", 502);
|
|
328
|
+
}
|
|
329
|
+
return successPage();
|
|
330
|
+
}
|
|
331
|
+
/**
|
|
332
|
+
* Read the `csrf_token` form field from the POST body via the underlying native
|
|
333
|
+
* Request (`c.req.raw`). The sid travels in the query, so consuming the body here
|
|
334
|
+
* never interferes with route-order interception. Returns undefined on parse failure.
|
|
335
|
+
*/
|
|
336
|
+
async function readCsrfTokenFromBody(c) {
|
|
337
|
+
const raw = c.req?.raw;
|
|
338
|
+
if (!raw)
|
|
339
|
+
return undefined;
|
|
340
|
+
try {
|
|
341
|
+
const contentType = raw.headers.get("Content-Type") || "";
|
|
342
|
+
if (contentType.includes("application/json")) {
|
|
343
|
+
const body = (await raw.clone().json());
|
|
344
|
+
const token = body?.csrf_token;
|
|
345
|
+
return typeof token === "string" ? token : undefined;
|
|
346
|
+
}
|
|
347
|
+
const form = await raw.clone().formData();
|
|
348
|
+
const token = form.get("csrf_token");
|
|
349
|
+
return typeof token === "string" ? token : undefined;
|
|
350
|
+
}
|
|
351
|
+
catch {
|
|
352
|
+
return undefined;
|
|
353
|
+
}
|
|
354
|
+
}
|
|
355
|
+
//# sourceMappingURL=consent-anchor-bridge.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"consent-anchor-bridge.js","sourceRoot":"","sources":["../../src/delegation-http/consent-anchor-bridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,aAAa,EACb,wBAAwB,EACxB,wBAAwB,EACxB,cAAc,GAEf,MAAM,aAAa,CAAC;AAIrB,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,2CAA2C,CAAC;AACvE,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AAE5E,wFAAwF;AACxF,MAAM,kBAAkB,GAAG,qBAAqB,CAAC;AAqBjD;;;GAGG;AACH,KAAK,UAAU,UAAU,CACvB,GAAkB,EAClB,GAAW,EACX,YAAoB,EACpB,IAAa;IAEb,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAC/B,IAAI,GAAG,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC,QAAQ,EAAE,EACpD;QACE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CACF,CAAC;IACF,OAAO,QAA0C,CAAC;AACpD,CAAC;AAED,oEAAoE;AACpE,SAAS,YAAY,CAAC,IAAY,EAAE,MAAc;IAChD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;QACxB,MAAM;QACN,OAAO,EAAE;YACP,cAAc,EAAE,0BAA0B;YAC1C,eAAe,EAAE,UAAU;SAC5B;KACF,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,SAAS,IAAI,CAAC,KAAa,EAAE,SAAiB;IAC5C,OAAO;;;;;SAKA,UAAU,CAAC,KAAK,CAAC;;;EAGxB,SAAS;;QAEH,CAAC;AACT,CAAC;AAED,sDAAsD;AACtD,SAAS,WAAW;IAClB,OAAO,YAAY,CACjB,IAAI,CACF,4BAA4B,EAC5B;;;QAGE,CACH,EACD,GAAG,CACJ,CAAC;AACJ,CAAC;AAED,0CAA0C;AAC1C,SAAS,YAAY;IACnB,OAAO,YAAY,CACjB,IAAI,CACF,iCAAiC,EACjC;;;QAGE,CACH,EACD,GAAG,CACJ,CAAC;AACJ,CAAC;AAED,mFAAmF;AACnF,SAAS,kBAAkB,CAAC,OAAe,EAAE,MAAM,GAAG,GAAG;IACvD,OAAO,YAAY,CACjB,IAAI,CACF,sBAAsB,EACtB;;KAED,UAAU,CAAC,OAAO,CAAC;QAChB,CACH,EACD,MAAM,CACP,CAAC;AACJ,CAAC;AAED,+DAA+D;AAC/D,SAAS,WAAW;IAClB,OAAO,YAAY,CACjB,IAAI,CACF,wBAAwB,EACxB;;;QAGE,CACH,EACD,GAAG,CACJ,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CACtB,GAAW,EACX,IAAgB,EAChB,SAAiB;IAEjB,MAAM,UAAU,GACd,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;QAC5B,CAAC,CAAC,IAAI,CAAC,cAAc;aAChB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,8BAA8B,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC;aAC9D,IAAI,CAAC,EAAE,CAAC;QACb,CAAC,CAAC,mEAAmE,CAAC;IAE1E,OAAO,IAAI,CACT,oBAAoB,EACpB;;;mCAG+B,UAAU;mDACM,kBAAkB,CAAC,GAAG,CAAC;yCACjC,UAAU,CAAC,GAAG,CAAC;gDACR,UAAU,CAAC,SAAS,CAAC;;;QAG7D,CACL,CAAC;AACJ,CAAC;AAED,oFAAoF;AAEpF,8CAA8C;AAC9C,SAAS,oBAAoB,CAAC,KAAiB;IAC7C,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC;SACvC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACvB,CAAC;AAED,uDAAuD;AACvD,SAAS,qBAAqB,CAAC,KAAa;IAC1C,OAAO,oBAAoB,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,wFAAwF;AACxF,SAAS,qBAAqB,CAAC,KAAa;IAC1C,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACxD,OAAO,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,eAAe,CAC5B,MAAc,EACd,IAAY;IAEZ,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,QAAQ,MAAM,EAAE,CAAC,EAChC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IACF,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,0EAA0E;AAC1E,SAAS,iBAAiB,CAAC,CAAS,EAAE,CAAS;IAC7C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,aAAa,CAAC,GAAkB,EAAE,GAAW;IAC1D,MAAM,MAAM,GAAG,GAAG,CAAC,uBAAuB,CAAC;IAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,oBAAoB,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC1E,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC;IAChD,MAAM,UAAU,GAAG,qBAAqB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IACvE,MAAM,OAAO,GAAG,oBAAoB,CAClC,IAAI,UAAU,CAAC,MAAM,eAAe,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAC1D,CAAC;IACF,OAAO,GAAG,OAAO,IAAI,UAAU,EAAE,CAAC;AACpC,CAAC;AAED,sFAAsF;AACtF,KAAK,UAAU,iBAAiB,CAC9B,GAAkB,EAClB,GAAW,EACX,KAAyB;IAEzB,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,MAAM,GAAG,GAAG,CAAC,uBAAuB,CAAC;IAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,gFAAgF;QAChF,gFAAgF;QAChF,gFAAgF;QAChF,uEAAuE;QACvE,8EAA8E;QAC9E,OAAO,CAAC,IAAI,CACV,oFAAoF,GAAG,GAAG,CAC3F,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,GAAG,KAAK,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7B,MAAM,OAAO,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,KAAK,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAG3D,CAAC;QACF,IAAI,OAAO,CAAC,GAAG,KAAK,GAAG;YAAE,OAAO,KAAK,CAAC;QACtC,IACE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;YAC/B,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAC3C,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,WAAW,GAAG,oBAAoB,CACtC,IAAI,UAAU,CAAC,MAAM,eAAe,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAC1D,CAAC;QACF,OAAO,iBAAiB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,GAAkB;IAC3C,+EAA+E;IAC/E,oFAAoF;IACpF,MAAM,GAAG,GAAG,GAAyC,CAAC;IACtD,IAAI,MAAM,CAAC,GAAG,CAAC,iBAAiB,CAAC,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IAC3D,oFAAoF;IACpF,oDAAoD;IACpD,MAAM,WAAW,GAAG,MAAM,CACxB,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,CACtC,CAAC,WAAW,EAAE,CAAC;IAChB,OAAO,WAAW,KAAK,aAAa,CAAC;AACvC,CAAC;AAED,mFAAmF;AAEnF;;;;;GAKG;AACH,KAAK,UAAU,mBAAmB,CAChC,GAAkB,EAClB,GAAW,EACX,IAAgB,EAChB,UAAkB;IAElB,MAAM,cAAc,GAAG,IAAI,iBAAiB,EAAE,CAAC;IAC/C,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,eAAe,EAAE,CAAC;IAC1D,MAAM,OAAO,GAAG,wBAAwB,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IAC/D,MAAM,KAAK,GAAG,GAAG,OAAO,IAAI,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;IAEtD,kFAAkF;IAClF,iFAAiF;IACjF,uCAAuC;IACvC,MAAM,QAAQ,GAAG,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC;IAEvD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAqB;QACnC,EAAE,EAAE,YAAY,GAAG,EAAE;QACrB,SAAS,EAAE,OAAO;QAClB,UAAU,EAAE,QAAQ;QACpB,IAAI,EAAE,YAAY,GAAG,EAAE;QACvB,WAAW,EAAE;YACX,MAAM,EAAE,IAAI,CAAC,cAAc;YAC3B,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,IAAI,GAAG,UAAU;SAC5B;QACD,SAAS,EAAE,EAAE;QACb,MAAM,EAAE,QAAQ;QAChB,SAAS,EAAE,IAAI;KAChB,CAAC;IAEF,MAAM,UAAU,GAAG,kBAAkB,CAAC,UAAU,EAAE;QAChD,EAAE,EAAE,YAAY,GAAG,EAAE;QACrB,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACvC,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,EAAE,GAAG,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAExD,MAAM,EAAE,YAAY,EAAE,GAAG,mBAAmB,CAC1C,YAAuC,EACvC,EAAE,KAAK,EAAE,CACV,CAAC;IACF,MAAM,cAAc,GAAG,MAAM,cAAc,CAAC,IAAI,CAC9C,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EACtC,UAAU,CAAC,UAAU,CACtB,CAAC;IACF,MAAM,SAAS,GAAG,wBAAwB,CAAC,cAAc,CAAC,CAAC;IAE3D,OAAO,aAAa,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;AAChD,CAAC;AAED,gFAAgF;AAEhF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,CAAc,EACd,GAAW,EACX,GAAkB,EAClB,IAAmC;IAEnC,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,oBAAoB,EAAE;QACpE,GAAG;KACJ,CAAC,CAAC;IAEH,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,YAAY,EAAE,CAAC;IACvD,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,WAAW,EAAE,CAAC;IACtD,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;QACrB,OAAO,kBAAkB,CACvB,oEAAoE,EACpE,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,YAAY,CAAC,IAAI,EAAE,CAAe,CAAC;IACvD,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAChD,OAAO,YAAY,CAAC,eAAe,CAAC,GAAG,EAAE,IAAI,EAAE,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,CAAc,EACd,GAAW,EACX,GAAkB,EAClB,GAAkC;IAElC,yDAAyD;IACzD,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,SAAS,GAAG,MAAM,qBAAqB,CAAC,CAAC,CAAC,CAAC;QACjD,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;QAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,YAAY,CACjB,IAAI,CACF,sBAAsB,EACtB,6IAA6I,CAC9I,EACD,GAAG,CACJ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,8EAA8E;IAC9E,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,oBAAoB,EAAE;QACpE,GAAG;KACJ,CAAC,CAAC;IACH,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,YAAY,EAAE,CAAC;IACvD,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAChC,OAAO,kBAAkB,CACvB,iEAAiE,CAClE,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;QACrB,OAAO,kBAAkB,CACvB,oEAAoE,EACpE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,YAAY,CAAC,IAAI,EAAE,CAAe,CAAC;IAEvD,IAAI,KAAa,CAAC;IAClB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,mBAAmB,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAC9E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,iFAAiF;QACjF,iFAAiF;QACjF,kDAAkD;QAClD,OAAO,CAAC,IAAI,CACV,0CAA0C,GAAG,IAAI,EACjD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CACvD,CAAC;QACF,OAAO,kBAAkB,CACvB,6DAA6D,EAC7D,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,uBAAuB,EAAE;QAC1E,GAAG;QACH,KAAK;QACL,UAAU,EAAE,GAAG,CAAC,oBAAoB;KACrC,CAAC,CAAC;IAEH,iFAAiF;IACjF,2EAA2E;IAC3E,IAAI,eAAe,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACnC,OAAO,kBAAkB,CACvB,0FAA0F,CAC3F,CAAC;IACJ,CAAC;IACD,IAAI,eAAe,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,YAAY,EAAE,CAAC;IAC1D,IAAI,CAAC,eAAe,CAAC,EAAE,EAAE,CAAC;QACxB,OAAO,kBAAkB,CACvB,6DAA6D,EAC7D,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,OAAO,WAAW,EAAE,CAAC;AACvB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,qBAAqB,CAClC,CAAc;IAEd,MAAM,GAAG,GAAI,CAA4C,CAAC,GAAG,EAAE,GAAG,CAAC;IACnE,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAC1D,IAAI,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,CAA4B,CAAC;YACnE,MAAM,KAAK,GAAG,IAAI,EAAE,UAAU,CAAC;YAC/B,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QACvD,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACrC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* draft-kya-http-02 delegation layer — frozen constants.
|
|
3
|
+
*
|
|
4
|
+
* Wire contract source of truth: the vendored golden fixtures under
|
|
5
|
+
* `src/__tests__/fixtures/kya-http/`. These values are byte-significant for §8.1
|
|
6
|
+
* challenges, §8.2 worker-served pickup, and the §9 error registry. Do not edit
|
|
7
|
+
* without re-vendoring the fixtures from checkpoint.
|
|
8
|
+
*
|
|
9
|
+
* @module @kya-os/mcp-i-cloudflare/delegation-http/constants
|
|
10
|
+
*/
|
|
11
|
+
/** Worker-served pickup endpoint (§8.2). Hono route pattern with a `:sid` param. */
|
|
12
|
+
export declare const PICKUP_ROUTE = "/api/delegation/pickup/:sid";
|
|
13
|
+
/**
|
|
14
|
+
* Consent surface. The legacy consent service owns this path; the kya-http bridge
|
|
15
|
+
* only intercepts requests carrying an anchor sid (`?sid=kya-…`) and otherwise
|
|
16
|
+
* falls through with `next()`.
|
|
17
|
+
*/
|
|
18
|
+
export declare const CONSENT_ROUTE = "/consent";
|
|
19
|
+
/** Raw pickup-token header for token-path holders (hashed before storage). */
|
|
20
|
+
export declare const PICKUP_TOKEN_HEADER = "X-KYA-Pickup-Token";
|
|
21
|
+
/** Fallback delegation header used when `Authorization` is occupied by an OAuth bearer. */
|
|
22
|
+
export declare const FALLBACK_DELEGATION_HEADER = "KYA-Delegation";
|
|
23
|
+
/**
|
|
24
|
+
* Param order for the `WWW-Authenticate: Delegation` challenge (§8.1), byte-exact.
|
|
25
|
+
* Mirrors `challenge.delegation.full.json` → `conformance.param_order`.
|
|
26
|
+
*/
|
|
27
|
+
export declare const CHALLENGE_PARAM_ORDER: readonly ["realm", "sid", "consent_uri", "pickup_uri", "scope", "min_assurance", "interval", "kind"];
|
|
28
|
+
/**
|
|
29
|
+
* The `kyaos/*` error registry (§9). Every value MUST be present in the vendored
|
|
30
|
+
* `error-codes.json` (asserted by the contract test). Emitters MUST use these exact
|
|
31
|
+
* strings.
|
|
32
|
+
*/
|
|
33
|
+
export declare const KYAOS_ERRORS: {
|
|
34
|
+
readonly authorizationRequired: "kyaos/authorization-required";
|
|
35
|
+
readonly pickupPinned: "kyaos/pickup-pinned";
|
|
36
|
+
readonly invalidSession: "kyaos/invalid-session";
|
|
37
|
+
readonly pickupExpired: "kyaos/pickup-expired";
|
|
38
|
+
readonly expired: "kyaos/expired";
|
|
39
|
+
readonly chainBroken: "kyaos/chain-broken";
|
|
40
|
+
readonly scopeInsufficient: "kyaos/scope-insufficient";
|
|
41
|
+
};
|
|
42
|
+
/**
|
|
43
|
+
* Internal DO route paths for the pickup-anchor durable object. Dispatched at the
|
|
44
|
+
* top of `MCPICloudflareAgent.fetch` (see `agent.ts`) and proxied to via
|
|
45
|
+
* `getAnchorStub(env, sid)`.
|
|
46
|
+
*/
|
|
47
|
+
export declare const INTERNAL_PICKUP_CREATE = "/_internal/pickup/create";
|
|
48
|
+
export declare const INTERNAL_PICKUP_POLL = "/_internal/pickup/poll";
|
|
49
|
+
export declare const INTERNAL_PICKUP_APPROVE = "/_internal/pickup/approve";
|
|
50
|
+
export declare const INTERNAL_PICKUP_INFO = "/_internal/pickup/info";
|
|
51
|
+
//# sourceMappingURL=constants.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/delegation-http/constants.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,oFAAoF;AACpF,eAAO,MAAM,YAAY,gCAAgC,CAAC;AAE1D;;;;GAIG;AACH,eAAO,MAAM,aAAa,aAAa,CAAC;AAExC,8EAA8E;AAC9E,eAAO,MAAM,mBAAmB,uBAAuB,CAAC;AAExD,2FAA2F;AAC3F,eAAO,MAAM,0BAA0B,mBAAmB,CAAC;AAE3D;;;GAGG;AACH,eAAO,MAAM,qBAAqB,sGASxB,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,YAAY;;;;;;;;CAQf,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,6BAA6B,CAAC;AACjE,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAC7D,eAAO,MAAM,uBAAuB,8BAA8B,CAAC;AACnE,eAAO,MAAM,oBAAoB,2BAA2B,CAAC"}
|
|
@@ -0,0 +1,60 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* draft-kya-http-02 delegation layer — frozen constants.
|
|
3
|
+
*
|
|
4
|
+
* Wire contract source of truth: the vendored golden fixtures under
|
|
5
|
+
* `src/__tests__/fixtures/kya-http/`. These values are byte-significant for §8.1
|
|
6
|
+
* challenges, §8.2 worker-served pickup, and the §9 error registry. Do not edit
|
|
7
|
+
* without re-vendoring the fixtures from checkpoint.
|
|
8
|
+
*
|
|
9
|
+
* @module @kya-os/mcp-i-cloudflare/delegation-http/constants
|
|
10
|
+
*/
|
|
11
|
+
/** Worker-served pickup endpoint (§8.2). Hono route pattern with a `:sid` param. */
|
|
12
|
+
export const PICKUP_ROUTE = "/api/delegation/pickup/:sid";
|
|
13
|
+
/**
|
|
14
|
+
* Consent surface. The legacy consent service owns this path; the kya-http bridge
|
|
15
|
+
* only intercepts requests carrying an anchor sid (`?sid=kya-…`) and otherwise
|
|
16
|
+
* falls through with `next()`.
|
|
17
|
+
*/
|
|
18
|
+
export const CONSENT_ROUTE = "/consent";
|
|
19
|
+
/** Raw pickup-token header for token-path holders (hashed before storage). */
|
|
20
|
+
export const PICKUP_TOKEN_HEADER = "X-KYA-Pickup-Token";
|
|
21
|
+
/** Fallback delegation header used when `Authorization` is occupied by an OAuth bearer. */
|
|
22
|
+
export const FALLBACK_DELEGATION_HEADER = "KYA-Delegation";
|
|
23
|
+
/**
|
|
24
|
+
* Param order for the `WWW-Authenticate: Delegation` challenge (§8.1), byte-exact.
|
|
25
|
+
* Mirrors `challenge.delegation.full.json` → `conformance.param_order`.
|
|
26
|
+
*/
|
|
27
|
+
export const CHALLENGE_PARAM_ORDER = [
|
|
28
|
+
"realm",
|
|
29
|
+
"sid",
|
|
30
|
+
"consent_uri",
|
|
31
|
+
"pickup_uri",
|
|
32
|
+
"scope",
|
|
33
|
+
"min_assurance",
|
|
34
|
+
"interval",
|
|
35
|
+
"kind",
|
|
36
|
+
];
|
|
37
|
+
/**
|
|
38
|
+
* The `kyaos/*` error registry (§9). Every value MUST be present in the vendored
|
|
39
|
+
* `error-codes.json` (asserted by the contract test). Emitters MUST use these exact
|
|
40
|
+
* strings.
|
|
41
|
+
*/
|
|
42
|
+
export const KYAOS_ERRORS = {
|
|
43
|
+
authorizationRequired: "kyaos/authorization-required",
|
|
44
|
+
pickupPinned: "kyaos/pickup-pinned",
|
|
45
|
+
invalidSession: "kyaos/invalid-session",
|
|
46
|
+
pickupExpired: "kyaos/pickup-expired",
|
|
47
|
+
expired: "kyaos/expired",
|
|
48
|
+
chainBroken: "kyaos/chain-broken",
|
|
49
|
+
scopeInsufficient: "kyaos/scope-insufficient",
|
|
50
|
+
};
|
|
51
|
+
/**
|
|
52
|
+
* Internal DO route paths for the pickup-anchor durable object. Dispatched at the
|
|
53
|
+
* top of `MCPICloudflareAgent.fetch` (see `agent.ts`) and proxied to via
|
|
54
|
+
* `getAnchorStub(env, sid)`.
|
|
55
|
+
*/
|
|
56
|
+
export const INTERNAL_PICKUP_CREATE = "/_internal/pickup/create";
|
|
57
|
+
export const INTERNAL_PICKUP_POLL = "/_internal/pickup/poll";
|
|
58
|
+
export const INTERNAL_PICKUP_APPROVE = "/_internal/pickup/approve";
|
|
59
|
+
export const INTERNAL_PICKUP_INFO = "/_internal/pickup/info";
|
|
60
|
+
//# sourceMappingURL=constants.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/delegation-http/constants.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,oFAAoF;AACpF,MAAM,CAAC,MAAM,YAAY,GAAG,6BAA6B,CAAC;AAE1D;;;;GAIG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,UAAU,CAAC;AAExC,8EAA8E;AAC9E,MAAM,CAAC,MAAM,mBAAmB,GAAG,oBAAoB,CAAC;AAExD,2FAA2F;AAC3F,MAAM,CAAC,MAAM,0BAA0B,GAAG,gBAAgB,CAAC;AAE3D;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,OAAO;IACP,KAAK;IACL,aAAa;IACb,YAAY;IACZ,OAAO;IACP,eAAe;IACf,UAAU;IACV,MAAM;CACE,CAAC;AAEX;;;;GAIG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,qBAAqB,EAAE,8BAA8B;IACrD,YAAY,EAAE,qBAAqB;IACnC,cAAc,EAAE,uBAAuB;IACvC,aAAa,EAAE,sBAAsB;IACrC,OAAO,EAAE,eAAe;IACxB,WAAW,EAAE,oBAAoB;IACjC,iBAAiB,EAAE,0BAA0B;CACrC,CAAC;AAEX;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,0BAA0B,CAAC;AACjE,MAAM,CAAC,MAAM,oBAAoB,GAAG,wBAAwB,CAAC;AAC7D,MAAM,CAAC,MAAM,uBAAuB,GAAG,2BAA2B,CAAC;AACnE,MAAM,CAAC,MAAM,oBAAoB,GAAG,wBAAwB,CAAC"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* draft-kya-http-02 delegation layer — synchronous SHA-256.
|
|
3
|
+
*
|
|
4
|
+
* The §13 pickup-anchor reducers are pure and synchronous (frozen contract:
|
|
5
|
+
* `reducePoll(...)` returns a plain object, not a `Promise`), yet they must hash the
|
|
6
|
+
* holder secret so that only its digest — never the raw token/keyid — is ever stored
|
|
7
|
+
* or compared. The Workers runtime exposes SHA-256 only through the *async*
|
|
8
|
+
* `crypto.subtle` API, so a synchronous, dependency-free implementation is required
|
|
9
|
+
* to keep the reducers pure. This is a verbatim FIPS 180-4 SHA-256 over the UTF-8
|
|
10
|
+
* bytes of the input; it is asserted against the canonical vectors and against
|
|
11
|
+
* `crypto.subtle.digest` in `anchor-reducer.test.ts`.
|
|
12
|
+
*
|
|
13
|
+
* @module @kya-os/mcp-i-cloudflare/delegation-http/hash
|
|
14
|
+
*/
|
|
15
|
+
/**
|
|
16
|
+
* Compute the lowercase hex SHA-256 digest of a string's UTF-8 bytes.
|
|
17
|
+
*
|
|
18
|
+
* Synchronous and pure — safe to call inside the anchor reducers.
|
|
19
|
+
*/
|
|
20
|
+
export declare function sha256Hex(input: string): string;
|
|
21
|
+
//# sourceMappingURL=hash.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/delegation-http/hash.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAsBH;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CA2E/C"}
|
|
@@ -0,0 +1,92 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* draft-kya-http-02 delegation layer — synchronous SHA-256.
|
|
3
|
+
*
|
|
4
|
+
* The §13 pickup-anchor reducers are pure and synchronous (frozen contract:
|
|
5
|
+
* `reducePoll(...)` returns a plain object, not a `Promise`), yet they must hash the
|
|
6
|
+
* holder secret so that only its digest — never the raw token/keyid — is ever stored
|
|
7
|
+
* or compared. The Workers runtime exposes SHA-256 only through the *async*
|
|
8
|
+
* `crypto.subtle` API, so a synchronous, dependency-free implementation is required
|
|
9
|
+
* to keep the reducers pure. This is a verbatim FIPS 180-4 SHA-256 over the UTF-8
|
|
10
|
+
* bytes of the input; it is asserted against the canonical vectors and against
|
|
11
|
+
* `crypto.subtle.digest` in `anchor-reducer.test.ts`.
|
|
12
|
+
*
|
|
13
|
+
* @module @kya-os/mcp-i-cloudflare/delegation-http/hash
|
|
14
|
+
*/
|
|
15
|
+
/** FIPS 180-4 §4.2.2 round constants (first 32 bits of the cube roots of the first 64 primes). */
|
|
16
|
+
const K = new Uint32Array([
|
|
17
|
+
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
|
|
18
|
+
0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
|
|
19
|
+
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
|
|
20
|
+
0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
|
|
21
|
+
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
|
|
22
|
+
0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
|
|
23
|
+
0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
|
|
24
|
+
0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
|
|
25
|
+
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
|
|
26
|
+
0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
|
|
27
|
+
0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
|
|
28
|
+
]);
|
|
29
|
+
/** Right-rotate a 32-bit word (`>>> 0` because the left shift can set the sign bit). */
|
|
30
|
+
function ror(x, n) {
|
|
31
|
+
return ((x >>> n) | (x << (32 - n))) >>> 0;
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* Compute the lowercase hex SHA-256 digest of a string's UTF-8 bytes.
|
|
35
|
+
*
|
|
36
|
+
* Synchronous and pure — safe to call inside the anchor reducers.
|
|
37
|
+
*/
|
|
38
|
+
export function sha256Hex(input) {
|
|
39
|
+
const bytes = new TextEncoder().encode(input);
|
|
40
|
+
const bitLen = bytes.length * 8;
|
|
41
|
+
// Pad: 0x80, then zeros to 56 mod 64, then the 64-bit big-endian bit length.
|
|
42
|
+
const withPad = ((bytes.length + 8) >> 6) + 1; // number of 64-byte blocks
|
|
43
|
+
const padded = new Uint8Array(withPad * 64);
|
|
44
|
+
padded.set(bytes);
|
|
45
|
+
padded[bytes.length] = 0x80;
|
|
46
|
+
// Bit length as 64-bit big-endian (high word is 0 for any realistic input).
|
|
47
|
+
const dv = new DataView(padded.buffer);
|
|
48
|
+
dv.setUint32(padded.length - 8, Math.floor(bitLen / 0x100000000));
|
|
49
|
+
dv.setUint32(padded.length - 4, bitLen >>> 0);
|
|
50
|
+
// FIPS 180-4 §5.3.3 initial hash value.
|
|
51
|
+
let h0 = 0x6a09e667, h1 = 0xbb67ae85, h2 = 0x3c6ef372, h3 = 0xa54ff53a, h4 = 0x510e527f, h5 = 0x9b05688c, h6 = 0x1f83d9ab, h7 = 0x5be0cd19;
|
|
52
|
+
const w = new Uint32Array(64);
|
|
53
|
+
for (let block = 0; block < padded.length; block += 64) {
|
|
54
|
+
for (let t = 0; t < 16; t++) {
|
|
55
|
+
w[t] = dv.getUint32(block + t * 4);
|
|
56
|
+
}
|
|
57
|
+
for (let t = 16; t < 64; t++) {
|
|
58
|
+
const s0 = ror(w[t - 15], 7) ^ ror(w[t - 15], 18) ^ (w[t - 15] >>> 3);
|
|
59
|
+
const s1 = ror(w[t - 2], 17) ^ ror(w[t - 2], 19) ^ (w[t - 2] >>> 10);
|
|
60
|
+
w[t] = (w[t - 16] + s0 + w[t - 7] + s1) >>> 0;
|
|
61
|
+
}
|
|
62
|
+
let a = h0, b = h1, c = h2, d = h3, e = h4, f = h5, g = h6, h = h7;
|
|
63
|
+
for (let t = 0; t < 64; t++) {
|
|
64
|
+
const S1 = ror(e, 6) ^ ror(e, 11) ^ ror(e, 25);
|
|
65
|
+
const ch = (e & f) ^ (~e & g);
|
|
66
|
+
const t1 = (h + S1 + ch + K[t] + w[t]) >>> 0;
|
|
67
|
+
const S0 = ror(a, 2) ^ ror(a, 13) ^ ror(a, 22);
|
|
68
|
+
const maj = (a & b) ^ (a & c) ^ (b & c);
|
|
69
|
+
const t2 = (S0 + maj) >>> 0;
|
|
70
|
+
h = g;
|
|
71
|
+
g = f;
|
|
72
|
+
f = e;
|
|
73
|
+
e = (d + t1) >>> 0;
|
|
74
|
+
d = c;
|
|
75
|
+
c = b;
|
|
76
|
+
b = a;
|
|
77
|
+
a = (t1 + t2) >>> 0;
|
|
78
|
+
}
|
|
79
|
+
h0 = (h0 + a) >>> 0;
|
|
80
|
+
h1 = (h1 + b) >>> 0;
|
|
81
|
+
h2 = (h2 + c) >>> 0;
|
|
82
|
+
h3 = (h3 + d) >>> 0;
|
|
83
|
+
h4 = (h4 + e) >>> 0;
|
|
84
|
+
h5 = (h5 + f) >>> 0;
|
|
85
|
+
h6 = (h6 + g) >>> 0;
|
|
86
|
+
h7 = (h7 + h) >>> 0;
|
|
87
|
+
}
|
|
88
|
+
return [h0, h1, h2, h3, h4, h5, h6, h7]
|
|
89
|
+
.map((x) => x.toString(16).padStart(8, "0"))
|
|
90
|
+
.join("");
|
|
91
|
+
}
|
|
92
|
+
//# sourceMappingURL=hash.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/delegation-http/hash.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,kGAAkG;AAClG,MAAM,CAAC,GAAG,IAAI,WAAW,CAAC;IACxB,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IACtE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;CAC/C,CAAC,CAAC;AAEH,wFAAwF;AACxF,SAAS,GAAG,CAAC,CAAS,EAAE,CAAS;IAC/B,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;AAC7C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IAEhC,6EAA6E;IAC7E,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,2BAA2B;IAC1E,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,OAAO,GAAG,EAAE,CAAC,CAAC;IAC5C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAClB,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;IAC5B,4EAA4E;IAC5E,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACvC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC;IAClE,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,MAAM,KAAK,CAAC,CAAC,CAAC;IAE9C,wCAAwC;IACxC,IAAI,EAAE,GAAG,UAAU,EACjB,EAAE,GAAG,UAAU,EACf,EAAE,GAAG,UAAU,EACf,EAAE,GAAG,UAAU,EACf,EAAE,GAAG,UAAU,EACf,EAAE,GAAG,UAAU,EACf,EAAE,GAAG,UAAU,EACf,EAAE,GAAG,UAAU,CAAC;IAElB,MAAM,CAAC,GAAG,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC;IAE9B,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,IAAI,EAAE,EAAE,CAAC;QACvD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;QACrC,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7B,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;YACtE,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;YACrE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;QAChD,CAAC;QAED,IAAI,CAAC,GAAG,EAAE,EACR,CAAC,GAAG,EAAE,EACN,CAAC,GAAG,EAAE,EACN,CAAC,GAAG,EAAE,EACN,CAAC,GAAG,EAAE,EACN,CAAC,GAAG,EAAE,EACN,CAAC,GAAG,EAAE,EACN,CAAC,GAAG,EAAE,CAAC;QAET,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC/C,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9B,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC/C,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACxC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;YAC5B,CAAC,GAAG,CAAC,CAAC;YACN,CAAC,GAAG,CAAC,CAAC;YACN,CAAC,GAAG,CAAC,CAAC;YACN,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;YACnB,CAAC,GAAG,CAAC,CAAC;YACN,CAAC,GAAG,CAAC,CAAC;YACN,CAAC,GAAG,CAAC,CAAC;YACN,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;QAED,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;IAED,OAAO,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;SACpC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC"}
|