@markwharton/pwa-core 1.2.0 → 1.3.0

package/dist/server/auth/index.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateApiKey = exports.validateApiKey = exports.hashApiKey = exports.extractApiKey = exports.generateLongLivedToken = exports.generateToken = exports.validateToken = exports.extractToken = exports.getJwtSecret = exports.initAuth = void 0;
+var token_1 = require("./token");
+Object.defineProperty(exports, "initAuth", { enumerable: true, get: function () { return token_1.initAuth; } });
+Object.defineProperty(exports, "getJwtSecret", { enumerable: true, get: function () { return token_1.getJwtSecret; } });
+Object.defineProperty(exports, "extractToken", { enumerable: true, get: function () { return token_1.extractToken; } });
+Object.defineProperty(exports, "validateToken", { enumerable: true, get: function () { return token_1.validateToken; } });
+Object.defineProperty(exports, "generateToken", { enumerable: true, get: function () { return token_1.generateToken; } });
+Object.defineProperty(exports, "generateLongLivedToken", { enumerable: true, get: function () { return token_1.generateLongLivedToken; } });
+var apiKey_1 = require("./apiKey");
+Object.defineProperty(exports, "extractApiKey", { enumerable: true, get: function () { return apiKey_1.extractApiKey; } });
+Object.defineProperty(exports, "hashApiKey", { enumerable: true, get: function () { return apiKey_1.hashApiKey; } });
+Object.defineProperty(exports, "validateApiKey", { enumerable: true, get: function () { return apiKey_1.validateApiKey; } });
+Object.defineProperty(exports, "generateApiKey", { enumerable: true, get: function () { return apiKey_1.generateApiKey; } });

package/dist/server/auth/token.d.ts

@@ -0,0 +1,56 @@
+import { Result } from '../../types';
+/**
+ * Initializes the JWT authentication system. Call once at application startup.
+ * @param secret - The JWT secret key (from environment variable)
+ * @param minLength - Minimum required secret length (default: 32)
+ * @throws Error if secret is missing or too short
+ * @example
+ * initAuth(process.env.JWT_SECRET);
+ */
+export declare function initAuth(secret: string | undefined, minLength?: number): void;
+/**
+ * Gets the configured JWT secret.
+ * @returns The JWT secret string
+ * @throws Error if initAuth() has not been called
+ */
+export declare function getJwtSecret(): string;
+/**
+ * Extracts the Bearer token from an Authorization header.
+ * @param authHeader - The Authorization header value
+ * @returns The token string, or null if not a valid Bearer token
+ * @example
+ * const token = extractToken(request.headers.get('Authorization'));
+ */
+export declare function extractToken(authHeader: string | null): string | null;
+/**
+ * Validates and decodes a JWT token.
+ * @typeParam T - The expected payload type (extends object)
+ * @param token - The JWT token string to validate
+ * @returns Result with decoded payload on success, or error message on failure
+ * @example
+ * const result = validateToken<UserPayload>(token);
+ * if (result.ok) {
+ *   console.log(result.data.username);
+ * }
+ */
+export declare function validateToken<T extends object>(token: string): Result<T>;
+/**
+ * Generates a signed JWT token with the given payload.
+ * @typeParam T - The payload type (extends object)
+ * @param payload - The data to encode in the token
+ * @param expiresIn - Token expiration time (default: '7d')
+ * @returns The signed JWT token string
+ * @example
+ * const token = generateToken({ userId: '123', role: 'admin' }, '1h');
+ */
+export declare function generateToken<T extends object>(payload: T, expiresIn?: string): string;
+/**
+ * Generates a long-lived JWT token for machine/API access.
+ * @typeParam T - The payload type (extends object)
+ * @param payload - The data to encode in the token
+ * @param expiresInDays - Token expiration in days (default: 3650 ≈ 10 years)
+ * @returns The signed JWT token string
+ * @example
+ * const apiToken = generateLongLivedToken({ machineId: 'server-1' });
+ */
+export declare function generateLongLivedToken<T extends object>(payload: T, expiresInDays?: number): string;

package/dist/server/auth/token.js

@@ -0,0 +1,104 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initAuth = initAuth;
+exports.getJwtSecret = getJwtSecret;
+exports.extractToken = extractToken;
+exports.validateToken = validateToken;
+exports.generateToken = generateToken;
+exports.generateLongLivedToken = generateLongLivedToken;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const types_1 = require("../../types");
+/**
+ * JWT token utilities - works with any payload structure
+ * Use BaseJwtPayload or extend it for type safety
+ */
+let jwtSecret = null;
+/**
+ * Initializes the JWT authentication system. Call once at application startup.
+ * @param secret - The JWT secret key (from environment variable)
+ * @param minLength - Minimum required secret length (default: 32)
+ * @throws Error if secret is missing or too short
+ * @example
+ * initAuth(process.env.JWT_SECRET);
+ */
+function initAuth(secret, minLength = 32) {
+    if (!secret || secret.length < minLength) {
+        throw new Error(`JWT_SECRET must be at least ${minLength} characters`);
+    }
+    jwtSecret = secret;
+}
+/**
+ * Gets the configured JWT secret.
+ * @returns The JWT secret string
+ * @throws Error if initAuth() has not been called
+ */
+function getJwtSecret() {
+    if (!jwtSecret) {
+        throw new Error('Auth not initialized. Call initAuth() first.');
+    }
+    return jwtSecret;
+}
+/**
+ * Extracts the Bearer token from an Authorization header.
+ * @param authHeader - The Authorization header value
+ * @returns The token string, or null if not a valid Bearer token
+ * @example
+ * const token = extractToken(request.headers.get('Authorization'));
+ */
+function extractToken(authHeader) {
+    if (!authHeader?.startsWith('Bearer ')) {
+        return null;
+    }
+    return authHeader.slice(7);
+}
+/**
+ * Validates and decodes a JWT token.
+ * @typeParam T - The expected payload type (extends object)
+ * @param token - The JWT token string to validate
+ * @returns Result with decoded payload on success, or error message on failure
+ * @example
+ * const result = validateToken<UserPayload>(token);
+ * if (result.ok) {
+ *   console.log(result.data.username);
+ * }
+ */
+function validateToken(token) {
+    try {
+        const payload = jsonwebtoken_1.default.verify(token, getJwtSecret());
+        if (typeof payload === 'object' && payload !== null) {
+            return (0, types_1.ok)(payload);
+        }
+        return (0, types_1.err)('Invalid token payload');
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : 'Token validation failed';
+        return (0, types_1.err)(message);
+    }
+}
+/**
+ * Generates a signed JWT token with the given payload.
+ * @typeParam T - The payload type (extends object)
+ * @param payload - The data to encode in the token
+ * @param expiresIn - Token expiration time (default: '7d')
+ * @returns The signed JWT token string
+ * @example
+ * const token = generateToken({ userId: '123', role: 'admin' }, '1h');
+ */
+function generateToken(payload, expiresIn = '7d') {
+    return jsonwebtoken_1.default.sign(payload, getJwtSecret(), { expiresIn });
+}
+/**
+ * Generates a long-lived JWT token for machine/API access.
+ * @typeParam T - The payload type (extends object)
+ * @param payload - The data to encode in the token
+ * @param expiresInDays - Token expiration in days (default: 3650 ≈ 10 years)
+ * @returns The signed JWT token string
+ * @example
+ * const apiToken = generateLongLivedToken({ machineId: 'server-1' });
+ */
+function generateLongLivedToken(payload, expiresInDays = 3650) {
+    return jsonwebtoken_1.default.sign(payload, getJwtSecret(), { expiresIn: `${expiresInDays}d` });
+}

package/dist/server/http/index.d.ts

@@ -0,0 +1 @@
+export { badRequestResponse, unauthorizedResponse, forbiddenResponse, notFoundResponse, conflictResponse, handleFunctionError, isNotFoundError, isConflictError } from './responses';

package/dist/server/http/index.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isConflictError = exports.isNotFoundError = exports.handleFunctionError = exports.conflictResponse = exports.notFoundResponse = exports.forbiddenResponse = exports.unauthorizedResponse = exports.badRequestResponse = void 0;
+var responses_1 = require("./responses");
+Object.defineProperty(exports, "badRequestResponse", { enumerable: true, get: function () { return responses_1.badRequestResponse; } });
+Object.defineProperty(exports, "unauthorizedResponse", { enumerable: true, get: function () { return responses_1.unauthorizedResponse; } });
+Object.defineProperty(exports, "forbiddenResponse", { enumerable: true, get: function () { return responses_1.forbiddenResponse; } });
+Object.defineProperty(exports, "notFoundResponse", { enumerable: true, get: function () { return responses_1.notFoundResponse; } });
+Object.defineProperty(exports, "conflictResponse", { enumerable: true, get: function () { return responses_1.conflictResponse; } });
+Object.defineProperty(exports, "handleFunctionError", { enumerable: true, get: function () { return responses_1.handleFunctionError; } });
+Object.defineProperty(exports, "isNotFoundError", { enumerable: true, get: function () { return responses_1.isNotFoundError; } });
+Object.defineProperty(exports, "isConflictError", { enumerable: true, get: function () { return responses_1.isConflictError; } });

package/dist/server/http/responses.d.ts

@@ -0,0 +1,82 @@
+import { HttpResponseInit, InvocationContext } from '@azure/functions';
+/**
+ * Creates a 400 Bad Request response.
+ * @param message - The error message to return
+ * @returns Azure Functions HttpResponseInit object
+ * @example
+ * if (!body.email) return badRequestResponse('Email is required');
+ */
+export declare function badRequestResponse(message: string): HttpResponseInit;
+/**
+ * Creates a 401 Unauthorized response.
+ * @param message - The error message (default: 'Unauthorized')
+ * @returns Azure Functions HttpResponseInit object
+ * @example
+ * if (!token) return unauthorizedResponse();
+ */
+export declare function unauthorizedResponse(message?: string): HttpResponseInit;
+/**
+ * Creates a 403 Forbidden response.
+ * @param message - The error message (default: 'Forbidden')
+ * @returns Azure Functions HttpResponseInit object
+ * @example
+ * if (!isAdmin(payload)) return forbiddenResponse('Admin access required');
+ */
+export declare function forbiddenResponse(message?: string): HttpResponseInit;
+/**
+ * Creates a 404 Not Found response.
+ * @param resource - The name of the resource that wasn't found
+ * @returns Azure Functions HttpResponseInit object
+ * @example
+ * if (!user) return notFoundResponse('User');
+ * // Returns: { error: 'User not found' }
+ */
+export declare function notFoundResponse(resource: string): HttpResponseInit;
+/**
+ * Creates a 409 Conflict response.
+ * @param message - The conflict error message
+ * @returns Azure Functions HttpResponseInit object
+ * @example
+ * if (existingUser) return conflictResponse('Email already registered');
+ */
+export declare function conflictResponse(message: string): HttpResponseInit;
+/**
+ * Handles unexpected errors safely by logging details and returning a generic message.
+ * Use in catch blocks to avoid exposing internal error details to clients.
+ * @param error - The caught error
+ * @param context - Azure Functions InvocationContext for logging
+ * @returns Azure Functions HttpResponseInit with 500 status
+ * @example
+ * try {
+ *   await riskyOperation();
+ * } catch (error) {
+ *   return handleFunctionError(error, context);
+ * }
+ */
+export declare function handleFunctionError(error: unknown, context: InvocationContext): HttpResponseInit;
+/**
+ * Checks if an error is an Azure Table Storage "not found" error.
+ * @param error - The caught error
+ * @returns True if error has statusCode 404
+ * @example
+ * try {
+ *   await tableClient.getEntity(pk, rk);
+ * } catch (error) {
+ *   if (isNotFoundError(error)) return notFoundResponse('Entity');
+ *   throw error;
+ * }
+ */
+export declare function isNotFoundError(error: unknown): boolean;
+/**
+ * Checks if an error is an Azure Table Storage "conflict" error.
+ * @param error - The caught error
+ * @returns True if error has statusCode 409
+ * @example
+ * try {
+ *   await tableClient.createEntity(entity);
+ * } catch (error) {
+ *   if (isConflictError(error)) return conflictResponse('Entity already exists');
+ *   throw error;
+ * }
+ */
+export declare function isConflictError(error: unknown): boolean;

package/dist/server/http/responses.js

@@ -0,0 +1,132 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.badRequestResponse = badRequestResponse;
+exports.unauthorizedResponse = unauthorizedResponse;
+exports.forbiddenResponse = forbiddenResponse;
+exports.notFoundResponse = notFoundResponse;
+exports.conflictResponse = conflictResponse;
+exports.handleFunctionError = handleFunctionError;
+exports.isNotFoundError = isNotFoundError;
+exports.isConflictError = isConflictError;
+const status_1 = require("../../shared/http/status");
+/**
+ * Creates a 400 Bad Request response.
+ * @param message - The error message to return
+ * @returns Azure Functions HttpResponseInit object
+ * @example
+ * if (!body.email) return badRequestResponse('Email is required');
+ */
+function badRequestResponse(message) {
+    return {
+        status: status_1.HTTP_STATUS.BAD_REQUEST,
+        jsonBody: { error: message }
+    };
+}
+/**
+ * Creates a 401 Unauthorized response.
+ * @param message - The error message (default: 'Unauthorized')
+ * @returns Azure Functions HttpResponseInit object
+ * @example
+ * if (!token) return unauthorizedResponse();
+ */
+function unauthorizedResponse(message = 'Unauthorized') {
+    return {
+        status: status_1.HTTP_STATUS.UNAUTHORIZED,
+        jsonBody: { error: message }
+    };
+}
+/**
+ * Creates a 403 Forbidden response.
+ * @param message - The error message (default: 'Forbidden')
+ * @returns Azure Functions HttpResponseInit object
+ * @example
+ * if (!isAdmin(payload)) return forbiddenResponse('Admin access required');
+ */
+function forbiddenResponse(message = 'Forbidden') {
+    return {
+        status: status_1.HTTP_STATUS.FORBIDDEN,
+        jsonBody: { error: message }
+    };
+}
+/**
+ * Creates a 404 Not Found response.
+ * @param resource - The name of the resource that wasn't found
+ * @returns Azure Functions HttpResponseInit object
+ * @example
+ * if (!user) return notFoundResponse('User');
+ * // Returns: { error: 'User not found' }
+ */
+function notFoundResponse(resource) {
+    return {
+        status: status_1.HTTP_STATUS.NOT_FOUND,
+        jsonBody: { error: `${resource} not found` }
+    };
+}
+/**
+ * Creates a 409 Conflict response.
+ * @param message - The conflict error message
+ * @returns Azure Functions HttpResponseInit object
+ * @example
+ * if (existingUser) return conflictResponse('Email already registered');
+ */
+function conflictResponse(message) {
+    return {
+        status: status_1.HTTP_STATUS.CONFLICT,
+        jsonBody: { error: message }
+    };
+}
+/**
+ * Handles unexpected errors safely by logging details and returning a generic message.
+ * Use in catch blocks to avoid exposing internal error details to clients.
+ * @param error - The caught error
+ * @param context - Azure Functions InvocationContext for logging
+ * @returns Azure Functions HttpResponseInit with 500 status
+ * @example
+ * try {
+ *   await riskyOperation();
+ * } catch (error) {
+ *   return handleFunctionError(error, context);
+ * }
+ */
+function handleFunctionError(error, context) {
+    const message = error instanceof Error ? error.message : 'Unknown error';
+    context.error(`Function error: ${message}`);
+    return {
+        status: status_1.HTTP_STATUS.INTERNAL_ERROR,
+        jsonBody: { error: 'Internal server error' }
+    };
+}
+/**
+ * Checks if an error is an Azure Table Storage "not found" error.
+ * @param error - The caught error
+ * @returns True if error has statusCode 404
+ * @example
+ * try {
+ *   await tableClient.getEntity(pk, rk);
+ * } catch (error) {
+ *   if (isNotFoundError(error)) return notFoundResponse('Entity');
+ *   throw error;
+ * }
+ */
+function isNotFoundError(error) {
+    return (error instanceof Error &&
+        'statusCode' in error &&
+        error.statusCode === 404);
+}
+/**
+ * Checks if an error is an Azure Table Storage "conflict" error.
+ * @param error - The caught error
+ * @returns True if error has statusCode 409
+ * @example
+ * try {
+ *   await tableClient.createEntity(entity);
+ * } catch (error) {
+ *   if (isConflictError(error)) return conflictResponse('Entity already exists');
+ *   throw error;
+ * }
+ */
+function isConflictError(error) {
+    return (error instanceof Error &&
+        'statusCode' in error &&
+        error.statusCode === 409);
+}

package/dist/server/index.d.ts

@@ -0,0 +1,3 @@
+export { initAuth, getJwtSecret, extractToken, validateToken, generateToken, generateLongLivedToken, extractApiKey, hashApiKey, validateApiKey, generateApiKey } from './auth';
+export { badRequestResponse, unauthorizedResponse, forbiddenResponse, notFoundResponse, conflictResponse, handleFunctionError, isNotFoundError, isConflictError } from './http';
+export { initStorage, initStorageFromEnv, useManagedIdentity, getTableClient, clearTableClientCache, generateRowKey } from './storage';

package/dist/server/index.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateRowKey = exports.clearTableClientCache = exports.getTableClient = exports.useManagedIdentity = exports.initStorageFromEnv = exports.initStorage = exports.isConflictError = exports.isNotFoundError = exports.handleFunctionError = exports.conflictResponse = exports.notFoundResponse = exports.forbiddenResponse = exports.unauthorizedResponse = exports.badRequestResponse = exports.generateApiKey = exports.validateApiKey = exports.hashApiKey = exports.extractApiKey = exports.generateLongLivedToken = exports.generateToken = exports.validateToken = exports.extractToken = exports.getJwtSecret = exports.initAuth = void 0;
+// Auth
+var auth_1 = require("./auth");
+Object.defineProperty(exports, "initAuth", { enumerable: true, get: function () { return auth_1.initAuth; } });
+Object.defineProperty(exports, "getJwtSecret", { enumerable: true, get: function () { return auth_1.getJwtSecret; } });
+Object.defineProperty(exports, "extractToken", { enumerable: true, get: function () { return auth_1.extractToken; } });
+Object.defineProperty(exports, "validateToken", { enumerable: true, get: function () { return auth_1.validateToken; } });
+Object.defineProperty(exports, "generateToken", { enumerable: true, get: function () { return auth_1.generateToken; } });
+Object.defineProperty(exports, "generateLongLivedToken", { enumerable: true, get: function () { return auth_1.generateLongLivedToken; } });
+Object.defineProperty(exports, "extractApiKey", { enumerable: true, get: function () { return auth_1.extractApiKey; } });
+Object.defineProperty(exports, "hashApiKey", { enumerable: true, get: function () { return auth_1.hashApiKey; } });
+Object.defineProperty(exports, "validateApiKey", { enumerable: true, get: function () { return auth_1.validateApiKey; } });
+Object.defineProperty(exports, "generateApiKey", { enumerable: true, get: function () { return auth_1.generateApiKey; } });
+// HTTP
+var http_1 = require("./http");
+Object.defineProperty(exports, "badRequestResponse", { enumerable: true, get: function () { return http_1.badRequestResponse; } });
+Object.defineProperty(exports, "unauthorizedResponse", { enumerable: true, get: function () { return http_1.unauthorizedResponse; } });
+Object.defineProperty(exports, "forbiddenResponse", { enumerable: true, get: function () { return http_1.forbiddenResponse; } });
+Object.defineProperty(exports, "notFoundResponse", { enumerable: true, get: function () { return http_1.notFoundResponse; } });
+Object.defineProperty(exports, "conflictResponse", { enumerable: true, get: function () { return http_1.conflictResponse; } });
+Object.defineProperty(exports, "handleFunctionError", { enumerable: true, get: function () { return http_1.handleFunctionError; } });
+Object.defineProperty(exports, "isNotFoundError", { enumerable: true, get: function () { return http_1.isNotFoundError; } });
+Object.defineProperty(exports, "isConflictError", { enumerable: true, get: function () { return http_1.isConflictError; } });
+// Storage
+var storage_1 = require("./storage");
+Object.defineProperty(exports, "initStorage", { enumerable: true, get: function () { return storage_1.initStorage; } });
+Object.defineProperty(exports, "initStorageFromEnv", { enumerable: true, get: function () { return storage_1.initStorageFromEnv; } });
+Object.defineProperty(exports, "useManagedIdentity", { enumerable: true, get: function () { return storage_1.useManagedIdentity; } });
+Object.defineProperty(exports, "getTableClient", { enumerable: true, get: function () { return storage_1.getTableClient; } });
+Object.defineProperty(exports, "clearTableClientCache", { enumerable: true, get: function () { return storage_1.clearTableClientCache; } });
+Object.defineProperty(exports, "generateRowKey", { enumerable: true, get: function () { return storage_1.generateRowKey; } });

package/dist/server/storage/client.d.ts

@@ -0,0 +1,48 @@
+import { TableClient } from '@azure/data-tables';
+/**
+ * Initializes Azure Table Storage configuration. Call once at application startup.
+ * @param config - Storage configuration options
+ * @param config.accountName - Azure Storage account name (for managed identity)
+ * @param config.connectionString - Connection string (for local development)
+ * @example
+ * // Production (Azure with managed identity)
+ * initStorage({ accountName: 'mystorageaccount' });
+ *
+ * // Local development (Azurite)
+ * initStorage({ connectionString: 'UseDevelopmentStorage=true' });
+ */
+export declare function initStorage(config: {
+    accountName?: string;
+    connectionString?: string;
+}): void;
+/**
+ * Initializes storage from environment variables.
+ * Reads STORAGE_ACCOUNT_NAME and AzureWebJobsStorage.
+ * @example
+ * initStorageFromEnv(); // Uses process.env automatically
+ */
+export declare function initStorageFromEnv(): void;
+/**
+ * Checks if using Azure managed identity vs local connection string.
+ * @returns True if using managed identity (production), false for connection string (local)
+ */
+export declare function useManagedIdentity(): boolean;
+/**
+ * Gets a TableClient for the specified table, creating the table if needed.
+ * Clients are cached for reuse across requests.
+ * @param tableName - The Azure Table Storage table name
+ * @returns A configured TableClient instance
+ * @throws Error if storage is not configured
+ * @example
+ * const client = await getTableClient('users');
+ * await client.createEntity({ partitionKey: 'pk', rowKey: 'rk', name: 'John' });
+ */
+export declare function getTableClient(tableName: string): Promise<TableClient>;
+/**
+ * Clears the TableClient cache. Primarily useful for testing.
+ * @example
+ * afterEach(() => {
+ *   clearTableClientCache();
+ * });
+ */
+export declare function clearTableClientCache(): void;

package/dist/server/storage/client.js

@@ -0,0 +1,107 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initStorage = initStorage;
+exports.initStorageFromEnv = initStorageFromEnv;
+exports.useManagedIdentity = useManagedIdentity;
+exports.getTableClient = getTableClient;
+exports.clearTableClientCache = clearTableClientCache;
+const data_tables_1 = require("@azure/data-tables");
+const identity_1 = require("@azure/identity");
+/**
+ * Azure Table Storage client factory with managed identity support
+ */
+// Cache table clients to avoid repeated connections
+const tableClients = new Map();
+// Configuration
+let storageAccountName;
+let connectionString;
+/**
+ * Initializes Azure Table Storage configuration. Call once at application startup.
+ * @param config - Storage configuration options
+ * @param config.accountName - Azure Storage account name (for managed identity)
+ * @param config.connectionString - Connection string (for local development)
+ * @example
+ * // Production (Azure with managed identity)
+ * initStorage({ accountName: 'mystorageaccount' });
+ *
+ * // Local development (Azurite)
+ * initStorage({ connectionString: 'UseDevelopmentStorage=true' });
+ */
+function initStorage(config) {
+    storageAccountName = config.accountName;
+    connectionString = config.connectionString;
+}
+/**
+ * Initializes storage from environment variables.
+ * Reads STORAGE_ACCOUNT_NAME and AzureWebJobsStorage.
+ * @example
+ * initStorageFromEnv(); // Uses process.env automatically
+ */
+function initStorageFromEnv() {
+    initStorage({
+        accountName: process.env.STORAGE_ACCOUNT_NAME,
+        connectionString: process.env.AzureWebJobsStorage
+    });
+}
+/**
+ * Checks if using Azure managed identity vs local connection string.
+ * @returns True if using managed identity (production), false for connection string (local)
+ */
+function useManagedIdentity() {
+    return !!storageAccountName && !connectionString?.includes('UseDevelopmentStorage');
+}
+/**
+ * Gets a TableClient for the specified table, creating the table if needed.
+ * Clients are cached for reuse across requests.
+ * @param tableName - The Azure Table Storage table name
+ * @returns A configured TableClient instance
+ * @throws Error if storage is not configured
+ * @example
+ * const client = await getTableClient('users');
+ * await client.createEntity({ partitionKey: 'pk', rowKey: 'rk', name: 'John' });
+ */
+async function getTableClient(tableName) {
+    // Return cached client if available
+    const cached = tableClients.get(tableName);
+    if (cached) {
+        return cached;
+    }
+    let client;
+    if (useManagedIdentity()) {
+        // Azure: Use managed identity
+        const credential = new identity_1.DefaultAzureCredential();
+        const endpoint = `https://${storageAccountName}.table.core.windows.net`;
+        client = new data_tables_1.TableClient(endpoint, tableName, credential);
+    }
+    else if (connectionString) {
+        // Local/Azurite: Use connection string
+        client = data_tables_1.TableClient.fromConnectionString(connectionString, tableName);
+    }
+    else {
+        throw new Error('Storage not configured. Set STORAGE_ACCOUNT_NAME or AzureWebJobsStorage.');
+    }
+    // Create table if it doesn't exist
+    try {
+        await client.createTable();
+    }
+    catch (error) {
+        // Ignore "table already exists" errors (409 Conflict)
+        const tableError = error;
+        if (tableError.statusCode !== 409) {
+            throw error;
+        }
+    }
+    // Cache and return
+    tableClients.set(tableName, client);
+    return client;
+}
+/**
+ * Clears the TableClient cache. Primarily useful for testing.
+ * @example
+ * afterEach(() => {
+ *   clearTableClientCache();
+ * });
+ */
+function clearTableClientCache() {
+    tableClients.clear();
+}

package/dist/server/storage/index.d.ts

@@ -0,0 +1,2 @@
+export { initStorage, initStorageFromEnv, useManagedIdentity, getTableClient, clearTableClientCache } from './client';
+export { generateRowKey } from './keys';

package/dist/server/storage/index.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateRowKey = exports.clearTableClientCache = exports.getTableClient = exports.useManagedIdentity = exports.initStorageFromEnv = exports.initStorage = void 0;
+var client_1 = require("./client");
+Object.defineProperty(exports, "initStorage", { enumerable: true, get: function () { return client_1.initStorage; } });
+Object.defineProperty(exports, "initStorageFromEnv", { enumerable: true, get: function () { return client_1.initStorageFromEnv; } });
+Object.defineProperty(exports, "useManagedIdentity", { enumerable: true, get: function () { return client_1.useManagedIdentity; } });
+Object.defineProperty(exports, "getTableClient", { enumerable: true, get: function () { return client_1.getTableClient; } });
+Object.defineProperty(exports, "clearTableClientCache", { enumerable: true, get: function () { return client_1.clearTableClientCache; } });
+var keys_1 = require("./keys");
+Object.defineProperty(exports, "generateRowKey", { enumerable: true, get: function () { return keys_1.generateRowKey; } });

package/dist/server/storage/keys.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Generate a unique row key from an identifier string
+ * Uses SHA-256 hash for consistent, URL-safe keys
+ *
+ * @param identifier - The string to hash (e.g., subscription endpoint, user ID)
+ * @returns A 32-character hex string suitable for Azure Table Storage row keys
+ */
+export declare function generateRowKey(identifier: string): string;

package/dist/server/storage/keys.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateRowKey = generateRowKey;
+const crypto_1 = require("crypto");
+/**
+ * Generate a unique row key from an identifier string
+ * Uses SHA-256 hash for consistent, URL-safe keys
+ *
+ * @param identifier - The string to hash (e.g., subscription endpoint, user ID)
+ * @returns A 32-character hex string suitable for Azure Table Storage row keys
+ */
+function generateRowKey(identifier) {
+    return (0, crypto_1.createHash)('sha256').update(identifier).digest('hex').substring(0, 32);
+}

package/dist/shared/auth/index.d.ts

@@ -0,0 +1,2 @@
+export type { BaseJwtPayload, UserTokenPayload, UsernameTokenPayload, RoleTokenPayload } from './types';
+export { hasUsername, hasRole, isAdmin } from './types';

package/dist/shared/auth/index.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isAdmin = exports.hasRole = exports.hasUsername = void 0;
+var types_1 = require("./types");
+Object.defineProperty(exports, "hasUsername", { enumerable: true, get: function () { return types_1.hasUsername; } });
+Object.defineProperty(exports, "hasRole", { enumerable: true, get: function () { return types_1.hasRole; } });
+Object.defineProperty(exports, "isAdmin", { enumerable: true, get: function () { return types_1.isAdmin; } });