@memberjunction/server 5.44.0 → 5.45.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/agentSessions/ReturningVisitorRecap.d.ts +39 -0
- package/dist/agentSessions/ReturningVisitorRecap.d.ts.map +1 -0
- package/dist/agentSessions/ReturningVisitorRecap.js +198 -0
- package/dist/agentSessions/ReturningVisitorRecap.js.map +1 -0
- package/dist/agentSessions/SessionJanitor.d.ts +13 -0
- package/dist/agentSessions/SessionJanitor.d.ts.map +1 -1
- package/dist/agentSessions/SessionJanitor.js +65 -7
- package/dist/agentSessions/SessionJanitor.js.map +1 -1
- package/dist/agentSessions/SessionManager.d.ts.map +1 -1
- package/dist/agentSessions/SessionManager.js +37 -0
- package/dist/agentSessions/SessionManager.js.map +1 -1
- package/dist/auth/magicLink/MagicLinkRouter.d.ts +10 -0
- package/dist/auth/magicLink/MagicLinkRouter.d.ts.map +1 -1
- package/dist/auth/magicLink/MagicLinkRouter.js +16 -0
- package/dist/auth/magicLink/MagicLinkRouter.js.map +1 -1
- package/dist/auth/magicLink/MagicLinkService.d.ts +7 -0
- package/dist/auth/magicLink/MagicLinkService.d.ts.map +1 -1
- package/dist/auth/magicLink/MagicLinkService.js +13 -3
- package/dist/auth/magicLink/MagicLinkService.js.map +1 -1
- package/dist/auth/magicLink/index.d.ts +1 -1
- package/dist/auth/magicLink/index.d.ts.map +1 -1
- package/dist/auth/magicLink/index.js +1 -1
- package/dist/auth/magicLink/index.js.map +1 -1
- package/dist/auth/magicLink/magicLinkCore.d.ts +38 -1
- package/dist/auth/magicLink/magicLinkCore.d.ts.map +1 -1
- package/dist/auth/magicLink/magicLinkCore.js +42 -19
- package/dist/auth/magicLink/magicLinkCore.js.map +1 -1
- package/dist/auth/magicLink/types.d.ts +26 -0
- package/dist/auth/magicLink/types.d.ts.map +1 -1
- package/dist/config.d.ts +1883 -144
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +160 -36
- package/dist/config.js.map +1 -1
- package/dist/context.d.ts.map +1 -1
- package/dist/context.js +45 -2
- package/dist/context.js.map +1 -1
- package/dist/generated/generated.d.ts +522 -0
- package/dist/generated/generated.d.ts.map +1 -1
- package/dist/generated/generated.js +2860 -0
- package/dist/generated/generated.js.map +1 -1
- package/dist/generic/ResolverBase.d.ts +13 -0
- package/dist/generic/ResolverBase.d.ts.map +1 -1
- package/dist/generic/ResolverBase.js +22 -0
- package/dist/generic/ResolverBase.js.map +1 -1
- package/dist/generic/RunViewResolver.d.ts.map +1 -1
- package/dist/generic/RunViewResolver.js +4 -0
- package/dist/generic/RunViewResolver.js.map +1 -1
- package/dist/index.d.ts +0 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +101 -3
- package/dist/index.js.map +1 -1
- package/dist/integration/CustomColumnPromoter.d.ts.map +1 -1
- package/dist/integration/CustomColumnPromoter.js +6 -0
- package/dist/integration/CustomColumnPromoter.js.map +1 -1
- package/dist/realtimeWidget/WidgetRouter.d.ts +26 -0
- package/dist/realtimeWidget/WidgetRouter.d.ts.map +1 -0
- package/dist/realtimeWidget/WidgetRouter.js +182 -0
- package/dist/realtimeWidget/WidgetRouter.js.map +1 -0
- package/dist/realtimeWidget/WidgetSessionService.d.ts +265 -0
- package/dist/realtimeWidget/WidgetSessionService.d.ts.map +1 -0
- package/dist/realtimeWidget/WidgetSessionService.js +477 -0
- package/dist/realtimeWidget/WidgetSessionService.js.map +1 -0
- package/dist/realtimeWidget/host-identity.d.ts +40 -0
- package/dist/realtimeWidget/host-identity.d.ts.map +1 -0
- package/dist/realtimeWidget/host-identity.js +58 -0
- package/dist/realtimeWidget/host-identity.js.map +1 -0
- package/dist/realtimeWidget/index.d.ts +10 -0
- package/dist/realtimeWidget/index.d.ts.map +1 -0
- package/dist/realtimeWidget/index.js +9 -0
- package/dist/realtimeWidget/index.js.map +1 -0
- package/dist/realtimeWidget/visitorIdentity.d.ts +76 -0
- package/dist/realtimeWidget/visitorIdentity.d.ts.map +1 -0
- package/dist/realtimeWidget/visitorIdentity.js +202 -0
- package/dist/realtimeWidget/visitorIdentity.js.map +1 -0
- package/dist/realtimeWidget/widgetCore.d.ts +106 -0
- package/dist/realtimeWidget/widgetCore.d.ts.map +1 -0
- package/dist/realtimeWidget/widgetCore.js +173 -0
- package/dist/realtimeWidget/widgetCore.js.map +1 -0
- package/dist/realtimeWidget/widgetGuestElevation.d.ts +51 -0
- package/dist/realtimeWidget/widgetGuestElevation.d.ts.map +1 -0
- package/dist/realtimeWidget/widgetGuestElevation.js +79 -0
- package/dist/realtimeWidget/widgetGuestElevation.js.map +1 -0
- package/dist/resolvers/ComponentRegistryResolver.d.ts +7 -0
- package/dist/resolvers/ComponentRegistryResolver.d.ts.map +1 -1
- package/dist/resolvers/ComponentRegistryResolver.js +31 -8
- package/dist/resolvers/ComponentRegistryResolver.js.map +1 -1
- package/dist/resolvers/EntityPermissionResolver.d.ts.map +1 -1
- package/dist/resolvers/EntityPermissionResolver.js +1 -2
- package/dist/resolvers/EntityPermissionResolver.js.map +1 -1
- package/dist/resolvers/QuerySystemUserResolver.d.ts +9 -6
- package/dist/resolvers/QuerySystemUserResolver.d.ts.map +1 -1
- package/dist/resolvers/QuerySystemUserResolver.js +15 -13
- package/dist/resolvers/QuerySystemUserResolver.js.map +1 -1
- package/dist/resolvers/RealtimeClientSessionResolver.d.ts +10 -0
- package/dist/resolvers/RealtimeClientSessionResolver.d.ts.map +1 -1
- package/dist/resolvers/RealtimeClientSessionResolver.js +47 -3
- package/dist/resolvers/RealtimeClientSessionResolver.js.map +1 -1
- package/dist/resolvers/RingCentralTelephonyResolver.d.ts +27 -0
- package/dist/resolvers/RingCentralTelephonyResolver.d.ts.map +1 -0
- package/dist/resolvers/RingCentralTelephonyResolver.js +87 -0
- package/dist/resolvers/RingCentralTelephonyResolver.js.map +1 -0
- package/dist/resolvers/RunAIAgentResolver.d.ts +9 -0
- package/dist/resolvers/RunAIAgentResolver.d.ts.map +1 -1
- package/dist/resolvers/RunAIAgentResolver.js +20 -4
- package/dist/resolvers/RunAIAgentResolver.js.map +1 -1
- package/dist/resolvers/SearchKnowledgeResolver.d.ts.map +1 -1
- package/dist/resolvers/SearchKnowledgeResolver.js +2 -0
- package/dist/resolvers/SearchKnowledgeResolver.js.map +1 -1
- package/dist/resolvers/TeamsMeetingsResolver.d.ts +28 -0
- package/dist/resolvers/TeamsMeetingsResolver.d.ts.map +1 -0
- package/dist/resolvers/TeamsMeetingsResolver.js +91 -0
- package/dist/resolvers/TeamsMeetingsResolver.js.map +1 -0
- package/dist/resolvers/TelephonyResolver.d.ts +26 -0
- package/dist/resolvers/TelephonyResolver.d.ts.map +1 -0
- package/dist/resolvers/TelephonyResolver.js +86 -0
- package/dist/resolvers/TelephonyResolver.js.map +1 -0
- package/dist/resolvers/TestQuerySQLResolver.d.ts +1 -1
- package/dist/resolvers/TestQuerySQLResolver.d.ts.map +1 -1
- package/dist/resolvers/TestQuerySQLResolver.js +2 -3
- package/dist/resolvers/TestQuerySQLResolver.js.map +1 -1
- package/dist/resolvers/VonageTelephonyResolver.d.ts +26 -0
- package/dist/resolvers/VonageTelephonyResolver.d.ts.map +1 -0
- package/dist/resolvers/VonageTelephonyResolver.js +86 -0
- package/dist/resolvers/VonageTelephonyResolver.js.map +1 -0
- package/dist/rest/MediaStreamHandler.js +4 -1
- package/dist/rest/MediaStreamHandler.js.map +1 -1
- package/dist/telephony/RingCentralTelephonyService.d.ts +115 -0
- package/dist/telephony/RingCentralTelephonyService.d.ts.map +1 -0
- package/dist/telephony/RingCentralTelephonyService.js +262 -0
- package/dist/telephony/RingCentralTelephonyService.js.map +1 -0
- package/dist/telephony/TeamsMeetingsRouter.d.ts +40 -0
- package/dist/telephony/TeamsMeetingsRouter.d.ts.map +1 -0
- package/dist/telephony/TeamsMeetingsRouter.js +96 -0
- package/dist/telephony/TeamsMeetingsRouter.js.map +1 -0
- package/dist/telephony/TeamsMeetingsService.d.ts +113 -0
- package/dist/telephony/TeamsMeetingsService.d.ts.map +1 -0
- package/dist/telephony/TeamsMeetingsService.js +196 -0
- package/dist/telephony/TeamsMeetingsService.js.map +1 -0
- package/dist/telephony/TwilioTelephonyRouter.d.ts +36 -0
- package/dist/telephony/TwilioTelephonyRouter.d.ts.map +1 -0
- package/dist/telephony/TwilioTelephonyRouter.js +143 -0
- package/dist/telephony/TwilioTelephonyRouter.js.map +1 -0
- package/dist/telephony/TwilioTelephonyService.d.ts +95 -0
- package/dist/telephony/TwilioTelephonyService.d.ts.map +1 -0
- package/dist/telephony/TwilioTelephonyService.js +193 -0
- package/dist/telephony/TwilioTelephonyService.js.map +1 -0
- package/dist/telephony/VonageTelephonyRouter.d.ts +41 -0
- package/dist/telephony/VonageTelephonyRouter.d.ts.map +1 -0
- package/dist/telephony/VonageTelephonyRouter.js +201 -0
- package/dist/telephony/VonageTelephonyRouter.js.map +1 -0
- package/dist/telephony/VonageTelephonyService.d.ts +90 -0
- package/dist/telephony/VonageTelephonyService.d.ts.map +1 -0
- package/dist/telephony/VonageTelephonyService.js +191 -0
- package/dist/telephony/VonageTelephonyService.js.map +1 -0
- package/dist/telephony/calendar-scheduler.d.ts +67 -0
- package/dist/telephony/calendar-scheduler.d.ts.map +1 -0
- package/dist/telephony/calendar-scheduler.js +133 -0
- package/dist/telephony/calendar-scheduler.js.map +1 -0
- package/dist/telephony/index.d.ts +29 -0
- package/dist/telephony/index.d.ts.map +1 -0
- package/dist/telephony/index.js +38 -0
- package/dist/telephony/index.js.map +1 -0
- package/dist/telephony/media-upgrade-router.d.ts +33 -0
- package/dist/telephony/media-upgrade-router.d.ts.map +1 -0
- package/dist/telephony/media-upgrade-router.js +56 -0
- package/dist/telephony/media-upgrade-router.js.map +1 -0
- package/dist/telephony/ringcentral-runtime.d.ts +14 -0
- package/dist/telephony/ringcentral-runtime.d.ts.map +1 -0
- package/dist/telephony/ringcentral-runtime.js +18 -0
- package/dist/telephony/ringcentral-runtime.js.map +1 -0
- package/dist/telephony/teams-meetings-runtime.d.ts +16 -0
- package/dist/telephony/teams-meetings-runtime.d.ts.map +1 -0
- package/dist/telephony/teams-meetings-runtime.js +20 -0
- package/dist/telephony/teams-meetings-runtime.js.map +1 -0
- package/dist/telephony/teamsAcsMediaRegistry.d.ts +69 -0
- package/dist/telephony/teamsAcsMediaRegistry.d.ts.map +1 -0
- package/dist/telephony/teamsAcsMediaRegistry.js +118 -0
- package/dist/telephony/teamsAcsMediaRegistry.js.map +1 -0
- package/dist/telephony/telephony-runtime.d.ts +14 -0
- package/dist/telephony/telephony-runtime.d.ts.map +1 -0
- package/dist/telephony/telephony-runtime.js +18 -0
- package/dist/telephony/telephony-runtime.js.map +1 -0
- package/dist/telephony/twilioMediaRegistry.d.ts +60 -0
- package/dist/telephony/twilioMediaRegistry.d.ts.map +1 -0
- package/dist/telephony/twilioMediaRegistry.js +106 -0
- package/dist/telephony/twilioMediaRegistry.js.map +1 -0
- package/dist/telephony/vonage-runtime.d.ts +14 -0
- package/dist/telephony/vonage-runtime.d.ts.map +1 -0
- package/dist/telephony/vonage-runtime.js +18 -0
- package/dist/telephony/vonage-runtime.js.map +1 -0
- package/dist/telephony/vonageMediaRegistry.d.ts +78 -0
- package/dist/telephony/vonageMediaRegistry.d.ts.map +1 -0
- package/dist/telephony/vonageMediaRegistry.js +158 -0
- package/dist/telephony/vonageMediaRegistry.js.map +1 -0
- package/package.json +88 -83
- package/src/__tests__/RunAIAgentResolver.streaming.test.ts +128 -0
- package/src/__tests__/magicLink.test.ts +53 -3
- package/src/__tests__/search-knowledge-tags.test.ts +9 -9
- package/src/__tests__/teams-meetings-service.test.ts +65 -0
- package/src/__tests__/teamsAcsMediaRegistry.test.ts +82 -0
- package/src/__tests__/twilio-telephony-service.test.ts +23 -0
- package/src/__tests__/twilioMediaRegistry.test.ts +103 -0
- package/src/__tests__/vonageMediaRegistry.test.ts +180 -0
- package/src/__tests__/widget.test.ts +204 -0
- package/src/__tests__/widgetGuestElevation.test.ts +57 -0
- package/src/__tests__/widgetHostIdentity.test.ts +117 -0
- package/src/agentSessions/ReturningVisitorRecap.ts +242 -0
- package/src/agentSessions/SessionJanitor.ts +66 -6
- package/src/agentSessions/SessionManager.ts +38 -0
- package/src/auth/magicLink/MagicLinkRouter.ts +17 -0
- package/src/auth/magicLink/MagicLinkService.ts +13 -3
- package/src/auth/magicLink/index.ts +1 -0
- package/src/auth/magicLink/magicLinkCore.ts +48 -20
- package/src/auth/magicLink/types.ts +26 -0
- package/src/config.ts +172 -38
- package/src/context.ts +50 -3
- package/src/generated/generated.ts +1991 -1
- package/src/generic/ResolverBase.ts +28 -0
- package/src/generic/RunViewResolver.ts +4 -0
- package/src/index.ts +109 -3
- package/src/integration/CustomColumnPromoter.ts +6 -0
- package/src/realtimeWidget/WidgetRouter.ts +204 -0
- package/src/realtimeWidget/WidgetSessionService.ts +714 -0
- package/src/realtimeWidget/host-identity.ts +84 -0
- package/src/realtimeWidget/index.ts +15 -0
- package/src/realtimeWidget/visitorIdentity.ts +258 -0
- package/src/realtimeWidget/widgetCore.ts +231 -0
- package/src/realtimeWidget/widgetGuestElevation.ts +115 -0
- package/src/resolvers/ComponentRegistryResolver.ts +36 -10
- package/src/resolvers/EntityPermissionResolver.ts +1 -2
- package/src/resolvers/QuerySystemUserResolver.ts +14 -10
- package/src/resolvers/RealtimeClientSessionResolver.ts +59 -2
- package/src/resolvers/RingCentralTelephonyResolver.ts +64 -0
- package/src/resolvers/RunAIAgentResolver.ts +32 -8
- package/src/resolvers/SearchKnowledgeResolver.ts +2 -0
- package/src/resolvers/TeamsMeetingsResolver.ts +68 -0
- package/src/resolvers/TelephonyResolver.ts +63 -0
- package/src/resolvers/TestQuerySQLResolver.ts +2 -3
- package/src/resolvers/VonageTelephonyResolver.ts +63 -0
- package/src/rest/MediaStreamHandler.ts +4 -1
- package/src/telephony/RingCentralTelephonyService.ts +342 -0
- package/src/telephony/TeamsMeetingsRouter.ts +124 -0
- package/src/telephony/TeamsMeetingsService.ts +268 -0
- package/src/telephony/TwilioTelephonyRouter.ts +184 -0
- package/src/telephony/TwilioTelephonyService.ts +261 -0
- package/src/telephony/VonageTelephonyRouter.ts +239 -0
- package/src/telephony/VonageTelephonyService.ts +259 -0
- package/src/telephony/calendar-scheduler.ts +176 -0
- package/src/telephony/index.ts +43 -0
- package/src/telephony/media-upgrade-router.ts +62 -0
- package/src/telephony/ringcentral-runtime.ts +22 -0
- package/src/telephony/teams-meetings-runtime.ts +24 -0
- package/src/telephony/teamsAcsMediaRegistry.ts +152 -0
- package/src/telephony/telephony-runtime.ts +22 -0
- package/src/telephony/twilioMediaRegistry.ts +137 -0
- package/src/telephony/vonage-runtime.ts +22 -0
- package/src/telephony/vonageMediaRegistry.ts +200 -0
- package/dist/agents/skip-agent.d.ts +0 -111
- package/dist/agents/skip-agent.d.ts.map +0 -1
- package/dist/agents/skip-agent.js +0 -1487
- package/dist/agents/skip-agent.js.map +0 -1
- package/dist/agents/skip-sdk.d.ts +0 -261
- package/dist/agents/skip-sdk.d.ts.map +0 -1
- package/dist/agents/skip-sdk.js +0 -909
- package/dist/agents/skip-sdk.js.map +0 -1
- package/src/agents/skip-agent.ts +0 -1594
- package/src/agents/skip-sdk.ts +0 -1210
|
@@ -0,0 +1,477 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Imperative shell for public web widget guest sessions: resolves a
|
|
3
|
+
* widget instance by its public key, enforces the origin allowlist + status, and
|
|
4
|
+
* mints a short-lived anonymous guest session JWT by reusing the magic-link RS256
|
|
5
|
+
* key + `anonymous-embed` synthesis. The pure logic lives in `widgetCore.ts`.
|
|
6
|
+
*
|
|
7
|
+
* Design (per public-web-widget.md W1 + open-Q #1): DIRECT-MINT for anonymous
|
|
8
|
+
* guests — no MagicLinkInvite row is created (those model single-use invites; a
|
|
9
|
+
* widget guest is ephemeral). Forensics ride the opaque per-session id (`mj_sid`)
|
|
10
|
+
* carried in the token, plus best-effort structured audit logging. The minted
|
|
11
|
+
* token is validated by the SAME `magic-link` auth provider (same issuer/audience/
|
|
12
|
+
* JWKS) and synthesized into a constrained guest principal by `buildMagicLinkSessionUser`.
|
|
13
|
+
*
|
|
14
|
+
* @module @memberjunction/server/widget
|
|
15
|
+
*/
|
|
16
|
+
import { Metadata, RunView, LogError, LogStatus } from '@memberjunction/core';
|
|
17
|
+
import { UUIDsEqual } from '@memberjunction/global';
|
|
18
|
+
import { UserCache } from '@memberjunction/sqlserver-dataprovider';
|
|
19
|
+
import { MagicLinkKeyManager } from '../auth/magicLink/MagicLinkKeys.js';
|
|
20
|
+
import { generateSessionId } from '../auth/magicLink/magicLinkCore.js';
|
|
21
|
+
import { MagicLinkService } from '../auth/magicLink/MagicLinkService.js';
|
|
22
|
+
import { configInfo } from '../config.js';
|
|
23
|
+
import { buildWidgetGuestClaims, evaluateWidgetMint, parseEnabledChannels } from './widgetCore.js';
|
|
24
|
+
import { verifyHostAssertion } from './host-identity.js';
|
|
25
|
+
import { writeReturningVisitorRecap } from '../agentSessions/ReturningVisitorRecap.js';
|
|
26
|
+
import { resolveIdentityByEmail, mergeVisitorIdentity, forgetVisitor } from './visitorIdentity.js';
|
|
27
|
+
const WIDGET_ENTITY = 'MJ: Conversation Widget Instances';
|
|
28
|
+
const CONVERSATIONS_ENTITY = 'MJ: Conversations';
|
|
29
|
+
/** Shape of the durable visitor anchor key (opaque base64url, same alphabet as generateSessionId). */
|
|
30
|
+
const VISITOR_KEY_PATTERN = /^[A-Za-z0-9_-]{16,128}$/;
|
|
31
|
+
/** Minimal email sanity check (presence + single `@` with a dotted domain) — not full RFC validation. */
|
|
32
|
+
function isLikelyEmail(email) {
|
|
33
|
+
return /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email);
|
|
34
|
+
}
|
|
35
|
+
/**
|
|
36
|
+
* Mints constrained, short-lived guest sessions for the public web widget.
|
|
37
|
+
* Stateless; constructed once at server startup alongside the magic-link service.
|
|
38
|
+
*/
|
|
39
|
+
export class WidgetSessionService {
|
|
40
|
+
constructor(publicUrl, config) {
|
|
41
|
+
this.publicUrl = publicUrl;
|
|
42
|
+
this.config = config;
|
|
43
|
+
/** Short-TTL cache of resolved per-instance rate limits, so the limiter doesn't hit the DB per request. */
|
|
44
|
+
this.rateLimitCache = new Map();
|
|
45
|
+
}
|
|
46
|
+
/**
|
|
47
|
+
* Resolves the widget instance, enforces guardrails, and mints a guest JWT.
|
|
48
|
+
* Never throws for business failures — returns `{ success: false, errorCode }`.
|
|
49
|
+
*/
|
|
50
|
+
async MintGuestSession(input) {
|
|
51
|
+
try {
|
|
52
|
+
const contextUser = this.resolveLookupUser();
|
|
53
|
+
if (!contextUser) {
|
|
54
|
+
LogError('[Widget] No lookup context user available; server not configured.');
|
|
55
|
+
return { success: false, errorCode: 'server_error', error: 'Server not configured for widget sessions.' };
|
|
56
|
+
}
|
|
57
|
+
const widget = await this.loadWidgetByKey(input.widgetKey, contextUser);
|
|
58
|
+
if (!widget) {
|
|
59
|
+
return this.audited({ success: false, errorCode: 'not_found', error: 'Unknown widget key.' }, input, undefined);
|
|
60
|
+
}
|
|
61
|
+
const eligibility = evaluateWidgetMint({ Status: widget.Status, AllowedOrigins: widget.AllowedOrigins, Modality: widget.Modality }, input.origin);
|
|
62
|
+
if (!eligibility.ok) {
|
|
63
|
+
return this.audited({ success: false, errorCode: eligibility.errorCode, error: 'Widget mint rejected.' }, input, widget);
|
|
64
|
+
}
|
|
65
|
+
const guestRoleName = this.resolveGuestRoleName(widget.GuestRoleID);
|
|
66
|
+
if (!guestRoleName) {
|
|
67
|
+
LogError(`[Widget] Guest role ${widget.GuestRoleID} for widget ${widget.ID} not found in metadata.`);
|
|
68
|
+
return this.audited({ success: false, errorCode: 'server_error', error: 'Guest role not resolvable.' }, input, widget);
|
|
69
|
+
}
|
|
70
|
+
// D1 host-identity strategy: a HostIdentity widget MUST present a valid host assertion.
|
|
71
|
+
let hostIdentity;
|
|
72
|
+
if (widget.AuthStrategy === 'HostIdentity') {
|
|
73
|
+
const verified = this.verifyHost(widget, input.hostAssertion);
|
|
74
|
+
if (!verified) {
|
|
75
|
+
return this.audited({ success: false, errorCode: 'host_assertion_invalid', error: 'Host identity assertion invalid.' }, input, widget);
|
|
76
|
+
}
|
|
77
|
+
hostIdentity = verified;
|
|
78
|
+
}
|
|
79
|
+
// Returning-visitor anchor (RV1): resolve/mint the durable VisitorKey and chain to the prior
|
|
80
|
+
// conversation — only when this widget opts in. Never blocks the mint (best-effort on lookup failure).
|
|
81
|
+
const returningVisitor = await this.resolveReturningVisitor(widget, input.visitorKey, contextUser);
|
|
82
|
+
// RV2 (text path): the text widget runs client-side and has no server "session closed" event, so
|
|
83
|
+
// we recap the visitor's PRIOR conversation lazily, at the moment they return — which is exactly
|
|
84
|
+
// when the recap is needed for RV3 to inject it into this new session. Idempotent (skips when a
|
|
85
|
+
// recap already exists) and best-effort (never blocks or fails the mint).
|
|
86
|
+
await this.recapPriorConversationIfNeeded(widget, returningVisitor, contextUser);
|
|
87
|
+
// RV4 (host-identity path): when a host asserts a resolvable identity, promote the visitor's prior
|
|
88
|
+
// anonymous trail to that record and surface the pair so the client stamps the new conversation.
|
|
89
|
+
const resolvedIdentity = await this.resolveHostIdentityIfApplicable(widget, hostIdentity, returningVisitor, contextUser);
|
|
90
|
+
return this.audited(this.mintToken(widget, guestRoleName, hostIdentity, returningVisitor, resolvedIdentity), input, widget);
|
|
91
|
+
}
|
|
92
|
+
catch (e) {
|
|
93
|
+
LogError(e);
|
|
94
|
+
return { success: false, errorCode: 'server_error', error: e instanceof Error ? e.message : String(e) };
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
/**
|
|
98
|
+
* Refreshes a live guest session. The widget always holds its public key, so a
|
|
99
|
+
* refresh is a fresh mint by the same key + origin — short-TTL tokens with no
|
|
100
|
+
* refresh-token machinery (mirrors magic-link's no-refresh-token stance).
|
|
101
|
+
*/
|
|
102
|
+
async RefreshGuestSession(input) {
|
|
103
|
+
return this.MintGuestSession(input);
|
|
104
|
+
}
|
|
105
|
+
static { this.RATE_LIMIT_CACHE_TTL_MS = 60_000; }
|
|
106
|
+
/**
|
|
107
|
+
* Resolves the per-instance `RateLimitPerMinute` for a widget key (W6 hardening), falling back to the
|
|
108
|
+
* deployment-wide `defaultRateLimitPerMinute` for an unknown/invalid key (so an enumeration probe is
|
|
109
|
+
* still bounded by the coarse default). Cached for a short TTL so the dynamic limiter — which runs on
|
|
110
|
+
* EVERY mint request — does not issue a DB read per request. Never throws.
|
|
111
|
+
*/
|
|
112
|
+
async ResolvePerInstanceRateLimit(widgetKey) {
|
|
113
|
+
const key = (widgetKey ?? '').trim();
|
|
114
|
+
const fallback = this.config.defaultRateLimitPerMinute;
|
|
115
|
+
if (!key) {
|
|
116
|
+
return fallback;
|
|
117
|
+
}
|
|
118
|
+
const cached = this.rateLimitCache.get(key);
|
|
119
|
+
const now = Date.now();
|
|
120
|
+
if (cached && cached.expiresAtMs > now) {
|
|
121
|
+
return cached.limit;
|
|
122
|
+
}
|
|
123
|
+
let limit = fallback;
|
|
124
|
+
try {
|
|
125
|
+
const contextUser = this.resolveLookupUser();
|
|
126
|
+
if (contextUser) {
|
|
127
|
+
const widget = await this.loadWidgetByKey(key, contextUser);
|
|
128
|
+
if (widget && widget.RateLimitPerMinute > 0) {
|
|
129
|
+
limit = widget.RateLimitPerMinute;
|
|
130
|
+
}
|
|
131
|
+
}
|
|
132
|
+
}
|
|
133
|
+
catch (e) {
|
|
134
|
+
LogError(e);
|
|
135
|
+
}
|
|
136
|
+
this.rateLimitCache.set(key, { limit, expiresAtMs: now + WidgetSessionService.RATE_LIMIT_CACHE_TTL_MS });
|
|
137
|
+
return limit;
|
|
138
|
+
}
|
|
139
|
+
/**
|
|
140
|
+
* W5 magic-link upgrade — "Verify it's you". For a widget whose AuthStrategy is `MagicLinkUpgrade`,
|
|
141
|
+
* a guest supplies their email and we issue a single-use **email-mode** magic-link invite scoped to
|
|
142
|
+
* the widget's Application (under the server principal — `CreateInvite` is Owner-gated). The visitor
|
|
143
|
+
* clicks the emailed link → the existing public `POST /magic-link/redeem` mints a VERIFIED session
|
|
144
|
+
* JWT → the widget swaps it in via `transport.UpdateToken`, preserving the live conversationId.
|
|
145
|
+
*
|
|
146
|
+
* This converges on the SAME `AuthProviderFactory` + `buildMagicLinkSessionUser` path as the guest
|
|
147
|
+
* mint (D1), so the verified session is just a more-privileged principal on the one pathway. Never
|
|
148
|
+
* throws for business failures — returns a structured result.
|
|
149
|
+
*/
|
|
150
|
+
async RequestUpgrade(input) {
|
|
151
|
+
try {
|
|
152
|
+
const email = (input.email ?? '').trim();
|
|
153
|
+
if (!isLikelyEmail(email)) {
|
|
154
|
+
return { success: false, errorCode: 'invalid_email', error: 'A valid email is required.' };
|
|
155
|
+
}
|
|
156
|
+
const contextUser = this.resolveLookupUser();
|
|
157
|
+
if (!contextUser) {
|
|
158
|
+
return { success: false, errorCode: 'server_error', error: 'Server not configured for widget sessions.' };
|
|
159
|
+
}
|
|
160
|
+
const widget = await this.loadWidgetByKey(input.widgetKey, contextUser);
|
|
161
|
+
if (!widget) {
|
|
162
|
+
return { success: false, errorCode: 'not_found', error: 'Unknown widget key.' };
|
|
163
|
+
}
|
|
164
|
+
const eligibility = evaluateWidgetMint({ Status: widget.Status, AllowedOrigins: widget.AllowedOrigins, Modality: widget.Modality }, input.origin);
|
|
165
|
+
if (!eligibility.ok) {
|
|
166
|
+
return { success: false, errorCode: eligibility.errorCode, error: 'Widget upgrade rejected.' };
|
|
167
|
+
}
|
|
168
|
+
if (widget.AuthStrategy !== 'MagicLinkUpgrade') {
|
|
169
|
+
return { success: false, errorCode: 'upgrade_not_enabled', error: 'This widget does not offer magic-link upgrade.' };
|
|
170
|
+
}
|
|
171
|
+
const magicLinkConfig = configInfo.magicLink;
|
|
172
|
+
if (!magicLinkConfig) {
|
|
173
|
+
LogError('[Widget] Upgrade requested but magicLink config is absent.');
|
|
174
|
+
return { success: false, errorCode: 'server_error', error: 'Identity verification is not configured.' };
|
|
175
|
+
}
|
|
176
|
+
const service = new MagicLinkService(this.publicUrl, magicLinkConfig);
|
|
177
|
+
const result = await service.CreateInvite({ email, applicationId: widget.ApplicationID }, contextUser);
|
|
178
|
+
if (!result.success) {
|
|
179
|
+
LogError(`[Widget] Upgrade invite failed for widget ${widget.ID}: ${result.error ?? result.errorCode ?? 'unknown'}`);
|
|
180
|
+
return { success: false, errorCode: 'server_error', error: 'Could not start identity verification.' };
|
|
181
|
+
}
|
|
182
|
+
// Deliberately do NOT echo the raw token/redemption URL to the public caller — the verified link
|
|
183
|
+
// is delivered out-of-band by email so a widget-key holder cannot mint verified sessions at will.
|
|
184
|
+
return { success: true, emailSent: result.emailSent ?? false };
|
|
185
|
+
}
|
|
186
|
+
catch (e) {
|
|
187
|
+
LogError(e);
|
|
188
|
+
return { success: false, errorCode: 'server_error', error: e instanceof Error ? e.message : String(e) };
|
|
189
|
+
}
|
|
190
|
+
}
|
|
191
|
+
/**
|
|
192
|
+
* Verifies a host-identity assertion for a HostIdentity widget against the host's
|
|
193
|
+
* registered public key (config interim store, keyed by widget PublicKey). Fails closed
|
|
194
|
+
* when the key is absent or the assertion is missing/invalid.
|
|
195
|
+
*/
|
|
196
|
+
verifyHost(widget, assertion) {
|
|
197
|
+
// Prefer the per-instance HostPublicKey column (Phase 3 — no config-resident keys); fall back to the
|
|
198
|
+
// interim config map (keyed by PublicKey) for deployments that haven't migrated their key yet.
|
|
199
|
+
const hostKey = widget.HostPublicKey ?? this.config.hostPublicKeys?.[widget.PublicKey];
|
|
200
|
+
const result = verifyHostAssertion(assertion, hostKey, widget.PublicKey);
|
|
201
|
+
if (result.ok && result.identity) {
|
|
202
|
+
return result.identity;
|
|
203
|
+
}
|
|
204
|
+
LogError(`[Widget] Host assertion rejected for widget ${widget.ID}: ${result.errorCode ?? 'unknown'}`);
|
|
205
|
+
return null;
|
|
206
|
+
}
|
|
207
|
+
/** Builds + signs the guest JWT for an eligible widget instance. */
|
|
208
|
+
mintToken(widget, guestRoleName, hostIdentity, returningVisitor, resolvedIdentity) {
|
|
209
|
+
const nowSeconds = Math.floor(Date.now() / 1000);
|
|
210
|
+
const ttlMinutes = widget.SessionTTLMinutes || this.config.defaultSessionTtlMinutes;
|
|
211
|
+
// Generated once and returned to the client: the widget stamps Conversation.ExternalID with
|
|
212
|
+
// this id so the Widget Guest RLS filters ({{ScopeResourceID}}) isolate this guest's rows.
|
|
213
|
+
const sessionId = generateSessionId();
|
|
214
|
+
const claims = buildWidgetGuestClaims({
|
|
215
|
+
issuer: this.publicUrl,
|
|
216
|
+
audience: this.config.audience,
|
|
217
|
+
widgetId: widget.ID,
|
|
218
|
+
sessionId,
|
|
219
|
+
anonymousEmail: this.config.anonymousEmail,
|
|
220
|
+
applicationId: widget.ApplicationID,
|
|
221
|
+
guestRoleName,
|
|
222
|
+
nowSeconds,
|
|
223
|
+
ttlSeconds: ttlMinutes * 60,
|
|
224
|
+
hostIdentity,
|
|
225
|
+
// RV1/RV2/RV4: carry the returning-visitor anchor + resolved identity as claims so the voice path
|
|
226
|
+
// (server-created conversation) stamps the same fields the text path stamps client-side.
|
|
227
|
+
returningVisitor: returningVisitor
|
|
228
|
+
? {
|
|
229
|
+
visitorKey: returningVisitor.visitorKey,
|
|
230
|
+
lastConversationId: returningVisitor.lastConversationId,
|
|
231
|
+
linkedEntityId: resolvedIdentity?.entityId,
|
|
232
|
+
linkedRecordId: resolvedIdentity?.recordId,
|
|
233
|
+
}
|
|
234
|
+
: undefined,
|
|
235
|
+
});
|
|
236
|
+
const token = MagicLinkKeyManager.Instance.Sign(claims);
|
|
237
|
+
return {
|
|
238
|
+
success: true,
|
|
239
|
+
token,
|
|
240
|
+
expiresAt: new Date(claims.exp * 1000).toISOString(),
|
|
241
|
+
widgetId: widget.ID,
|
|
242
|
+
applicationId: widget.ApplicationID,
|
|
243
|
+
pinnedAgentId: widget.PinnedAgentID,
|
|
244
|
+
modality: widget.Modality,
|
|
245
|
+
sessionId,
|
|
246
|
+
// Phase 2: which interactive channels this widget may attach during a voice session. Read from the
|
|
247
|
+
// per-instance EnabledChannels column (added by the Widget_Public_Hardening migration + CodeGen).
|
|
248
|
+
enabledChannels: parseEnabledChannels(widget.EnabledChannels),
|
|
249
|
+
voiceMaxSessionMinutes: widget.VoiceMaxSessionMinutes ?? undefined,
|
|
250
|
+
rememberReturningVisitors: !!returningVisitor,
|
|
251
|
+
visitorKey: returningVisitor?.visitorKey,
|
|
252
|
+
lastConversationId: returningVisitor?.lastConversationId,
|
|
253
|
+
linkedEntityId: resolvedIdentity?.entityId,
|
|
254
|
+
linkedRecordId: resolvedIdentity?.recordId,
|
|
255
|
+
};
|
|
256
|
+
}
|
|
257
|
+
/**
|
|
258
|
+
* RV4 (host-identity path): when a `HostIdentity` widget asserts a resolvable identity AND remembering
|
|
259
|
+
* is on, resolve the asserted email to a polymorphic record and merge the visitor's prior anonymous
|
|
260
|
+
* trail onto it. Returns the resolved pair (so the client stamps the new conversation), or undefined
|
|
261
|
+
* when not applicable or no record matched. Best-effort — never blocks the mint.
|
|
262
|
+
*/
|
|
263
|
+
async resolveHostIdentityIfApplicable(widget, hostIdentity, returningVisitor, contextUser) {
|
|
264
|
+
if (!widget.RememberReturningVisitors || !hostIdentity?.email || !returningVisitor?.visitorKey) {
|
|
265
|
+
return undefined;
|
|
266
|
+
}
|
|
267
|
+
const identity = await resolveIdentityByEmail(hostIdentity.email, contextUser, Metadata.Provider, this.config.identityResolution); // global-provider-ok: server-side mint under the single default provider
|
|
268
|
+
if (!identity) {
|
|
269
|
+
return undefined;
|
|
270
|
+
}
|
|
271
|
+
await mergeVisitorIdentity({
|
|
272
|
+
visitorKey: returningVisitor.visitorKey,
|
|
273
|
+
applicationId: widget.ApplicationID,
|
|
274
|
+
identity,
|
|
275
|
+
contextUser,
|
|
276
|
+
provider: Metadata.Provider, // global-provider-ok: server-side mint under the single default provider
|
|
277
|
+
});
|
|
278
|
+
return identity;
|
|
279
|
+
}
|
|
280
|
+
/**
|
|
281
|
+
* RV4 (magic-link upgrade path): after a visitor verifies their identity, promote their anonymous
|
|
282
|
+
* trail to the verified record. Called from the AUTHENTICATED route with the verified session's email,
|
|
283
|
+
* so the resolved record is the deployment-configured target for that email (default: the MJ User).
|
|
284
|
+
* Validates the widget + origin + opt-in + key, then resolves and merges. Never throws.
|
|
285
|
+
*/
|
|
286
|
+
async ResolveVisitorIdentity(input) {
|
|
287
|
+
try {
|
|
288
|
+
const gate = await this.gateVisitorPrivacyRequest(input.widgetKey, input.visitorKey, input.origin);
|
|
289
|
+
if (!gate.ok) {
|
|
290
|
+
return { success: false, errorCode: gate.errorCode, error: gate.error };
|
|
291
|
+
}
|
|
292
|
+
const identity = await resolveIdentityByEmail(input.verifiedEmail, gate.contextUser, Metadata.Provider, this.config.identityResolution); // global-provider-ok: server-side mint under the single default provider
|
|
293
|
+
if (!identity) {
|
|
294
|
+
// Verified, but no record matches the email under the configured target — nothing to merge.
|
|
295
|
+
return { success: true, mergedConversations: 0 };
|
|
296
|
+
}
|
|
297
|
+
const mergedConversations = await mergeVisitorIdentity({
|
|
298
|
+
visitorKey: input.visitorKey,
|
|
299
|
+
applicationId: gate.widget.ApplicationID,
|
|
300
|
+
identity,
|
|
301
|
+
contextUser: gate.contextUser,
|
|
302
|
+
provider: Metadata.Provider, // global-provider-ok: server-side mint under the single default provider
|
|
303
|
+
});
|
|
304
|
+
return { success: true, resolved: identity, mergedConversations };
|
|
305
|
+
}
|
|
306
|
+
catch (e) {
|
|
307
|
+
LogError(e);
|
|
308
|
+
return { success: false, errorCode: 'server_error', error: e instanceof Error ? e.message : String(e) };
|
|
309
|
+
}
|
|
310
|
+
}
|
|
311
|
+
/**
|
|
312
|
+
* RV5 "forget me": archives the visitor's auto-generated memory and clears the VisitorKey linkage for
|
|
313
|
+
* this anchor in the widget's application. Public (the visitor proves possession of the durable key,
|
|
314
|
+
* not an identity). Validates the widget + origin + opt-in + key, then delegates to {@link forgetVisitor}.
|
|
315
|
+
*/
|
|
316
|
+
async ForgetVisitor(input) {
|
|
317
|
+
try {
|
|
318
|
+
const gate = await this.gateVisitorPrivacyRequest(input.widgetKey, input.visitorKey, input.origin);
|
|
319
|
+
if (!gate.ok) {
|
|
320
|
+
return { success: false, errorCode: gate.errorCode, error: gate.error };
|
|
321
|
+
}
|
|
322
|
+
const { notesArchived, conversationsCleared } = await forgetVisitor({
|
|
323
|
+
visitorKey: input.visitorKey,
|
|
324
|
+
applicationId: gate.widget.ApplicationID,
|
|
325
|
+
contextUser: gate.contextUser,
|
|
326
|
+
provider: Metadata.Provider, // global-provider-ok: server-side mint under the single default provider
|
|
327
|
+
});
|
|
328
|
+
return { success: true, notesArchived, conversationsCleared };
|
|
329
|
+
}
|
|
330
|
+
catch (e) {
|
|
331
|
+
LogError(e);
|
|
332
|
+
return { success: false, errorCode: 'server_error', error: e instanceof Error ? e.message : String(e) };
|
|
333
|
+
}
|
|
334
|
+
}
|
|
335
|
+
/**
|
|
336
|
+
* Shared guard for the RV4/RV5 visitor-privacy endpoints: resolves the lookup user, loads + validates
|
|
337
|
+
* the widget (status/origin), requires returning-visitor memory to be ON, and validates the presented
|
|
338
|
+
* VisitorKey shape. Returns the resolved widget + context user on success, or a structured failure.
|
|
339
|
+
*/
|
|
340
|
+
async gateVisitorPrivacyRequest(widgetKey, visitorKey, origin) {
|
|
341
|
+
const contextUser = this.resolveLookupUser();
|
|
342
|
+
if (!contextUser) {
|
|
343
|
+
return { ok: false, errorCode: 'server_error', error: 'Server not configured for widget sessions.' };
|
|
344
|
+
}
|
|
345
|
+
const widget = await this.loadWidgetByKey(widgetKey, contextUser);
|
|
346
|
+
if (!widget) {
|
|
347
|
+
return { ok: false, errorCode: 'not_found', error: 'Unknown widget key.' };
|
|
348
|
+
}
|
|
349
|
+
const eligibility = evaluateWidgetMint({ Status: widget.Status, AllowedOrigins: widget.AllowedOrigins, Modality: widget.Modality }, origin);
|
|
350
|
+
if (!eligibility.ok) {
|
|
351
|
+
return { ok: false, errorCode: eligibility.errorCode ?? 'server_error', error: 'Widget request rejected.' };
|
|
352
|
+
}
|
|
353
|
+
if (!widget.RememberReturningVisitors) {
|
|
354
|
+
return { ok: false, errorCode: 'upgrade_not_enabled', error: 'Returning-visitor memory is not enabled for this widget.' };
|
|
355
|
+
}
|
|
356
|
+
if (!VISITOR_KEY_PATTERN.test((visitorKey ?? '').trim())) {
|
|
357
|
+
return { ok: false, errorCode: 'not_found', error: 'A valid visitorKey is required.' };
|
|
358
|
+
}
|
|
359
|
+
return { ok: true, widget, contextUser };
|
|
360
|
+
}
|
|
361
|
+
/**
|
|
362
|
+
* Resolves the returning-visitor anchor for a mint (RV1). Returns undefined when the widget does NOT
|
|
363
|
+
* opt in (RememberReturningVisitors off) — the default, fully-off path: no cookie, no chaining.
|
|
364
|
+
* When on: validates the presented key (else mints a fresh one) and, for a returning key, finds the
|
|
365
|
+
* visitor's most-recent prior conversation in this widget's application to chain from. Best-effort:
|
|
366
|
+
* a lookup failure degrades to "no prior conversation" rather than blocking the session.
|
|
367
|
+
*/
|
|
368
|
+
async resolveReturningVisitor(widget, presentedKey, contextUser) {
|
|
369
|
+
if (!widget.RememberReturningVisitors) {
|
|
370
|
+
return undefined;
|
|
371
|
+
}
|
|
372
|
+
const presented = (presentedKey ?? '').trim();
|
|
373
|
+
const isReturning = VISITOR_KEY_PATTERN.test(presented);
|
|
374
|
+
const visitorKey = isReturning ? presented : generateSessionId();
|
|
375
|
+
const lastConversationId = isReturning
|
|
376
|
+
? await this.findPreviousConversationByVisitorKey(visitorKey, widget.ApplicationID, contextUser)
|
|
377
|
+
: undefined;
|
|
378
|
+
return { visitorKey, lastConversationId };
|
|
379
|
+
}
|
|
380
|
+
/**
|
|
381
|
+
* Recaps the visitor's prior conversation when they return (RV2, text path). No-op unless this is a
|
|
382
|
+
* returning visit (a resolved `lastConversationId`). Delegates to the shared, idempotent,
|
|
383
|
+
* best-effort {@link writeReturningVisitorRecap}, attributing the recap to the widget's pinned agent
|
|
384
|
+
* and stamping the widget's `VisitorMemoryRetentionDays` as the note's expiry. Awaited so the recap
|
|
385
|
+
* note exists before the new session's memory injection (RV3) runs; the recap's own idempotency
|
|
386
|
+
* bounds the LLM cost to the first return after each prior conversation.
|
|
387
|
+
*/
|
|
388
|
+
async recapPriorConversationIfNeeded(widget, returningVisitor, contextUser) {
|
|
389
|
+
const priorConversationId = returningVisitor?.lastConversationId;
|
|
390
|
+
if (!priorConversationId) {
|
|
391
|
+
return;
|
|
392
|
+
}
|
|
393
|
+
// global-provider-ok: server-side mint under the single default provider (same rationale as resolveGuestRoleName).
|
|
394
|
+
await writeReturningVisitorRecap(priorConversationId, widget.PinnedAgentID, contextUser, Metadata.Provider, // global-provider-ok: server-side mint under the single default provider
|
|
395
|
+
widget.VisitorMemoryRetentionDays);
|
|
396
|
+
}
|
|
397
|
+
/**
|
|
398
|
+
* Finds the visitor's most-recent prior conversation for a VisitorKey, scoped to the widget's
|
|
399
|
+
* application so a key can never resolve a conversation from a different deployment. Returns the
|
|
400
|
+
* id or undefined (first visit, or read failure — never throws).
|
|
401
|
+
*/
|
|
402
|
+
async findPreviousConversationByVisitorKey(visitorKey, applicationId, contextUser) {
|
|
403
|
+
const rv = new RunView();
|
|
404
|
+
const result = await rv.RunView({
|
|
405
|
+
EntityName: CONVERSATIONS_ENTITY,
|
|
406
|
+
// visitorKey is validated base64url ([A-Za-z0-9_-]) so the literal is injection-safe; applicationId
|
|
407
|
+
// is a server-trusted UUID. Scope to the application to prevent cross-widget anchor reuse.
|
|
408
|
+
ExtraFilter: `VisitorKey = '${visitorKey}' AND ApplicationID = '${applicationId.replace(/'/g, "''")}'`,
|
|
409
|
+
OrderBy: '__mj_CreatedAt DESC',
|
|
410
|
+
MaxRows: 1,
|
|
411
|
+
Fields: ['ID'],
|
|
412
|
+
ResultType: 'simple',
|
|
413
|
+
}, contextUser);
|
|
414
|
+
if (!result.Success) {
|
|
415
|
+
LogError(`[Widget] Returning-visitor lookup failed: ${result.ErrorMessage}`);
|
|
416
|
+
return undefined;
|
|
417
|
+
}
|
|
418
|
+
return result.Results?.[0]?.ID ?? undefined;
|
|
419
|
+
}
|
|
420
|
+
/** Loads a single widget instance by its public key (read-only, simple result). */
|
|
421
|
+
async loadWidgetByKey(widgetKey, contextUser) {
|
|
422
|
+
const key = (widgetKey ?? '').trim();
|
|
423
|
+
if (!key) {
|
|
424
|
+
return null;
|
|
425
|
+
}
|
|
426
|
+
const rv = new RunView();
|
|
427
|
+
const result = await rv.RunView({
|
|
428
|
+
EntityName: WIDGET_ENTITY,
|
|
429
|
+
ExtraFilter: `PublicKey = '${key.replace(/'/g, "''")}'`,
|
|
430
|
+
MaxRows: 1,
|
|
431
|
+
ResultType: 'entity_object',
|
|
432
|
+
}, contextUser);
|
|
433
|
+
if (!result.Success) {
|
|
434
|
+
LogError(`[Widget] Failed to load widget by key: ${result.ErrorMessage}`);
|
|
435
|
+
return null;
|
|
436
|
+
}
|
|
437
|
+
return result.Results?.[0] ?? null;
|
|
438
|
+
}
|
|
439
|
+
/** Resolves the guest role's NAME from its id (claims carry the name, not the id). */
|
|
440
|
+
resolveGuestRoleName(guestRoleId) {
|
|
441
|
+
const md = Metadata.Provider; // global-provider-ok: pre-auth server-side mint under the single default provider
|
|
442
|
+
const role = md?.Roles.find((r) => UUIDsEqual(r.ID, guestRoleId));
|
|
443
|
+
return role?.Name ?? null;
|
|
444
|
+
}
|
|
445
|
+
/** Resolves the server-side context user used to READ widget config (not the guest principal). */
|
|
446
|
+
resolveLookupUser() {
|
|
447
|
+
const candidate = this.config.contextUserForLookup;
|
|
448
|
+
if (candidate) {
|
|
449
|
+
const byName = UserCache.Instance.UserByName(candidate);
|
|
450
|
+
if (byName) {
|
|
451
|
+
return byName;
|
|
452
|
+
}
|
|
453
|
+
LogError(`[Widget] Configured lookup user '${candidate}' not found; falling back to system/Owner.`);
|
|
454
|
+
}
|
|
455
|
+
return (UserCache.Instance.GetSystemUser() ??
|
|
456
|
+
UserCache.Users.find((u) => u.IsActive && u.Type?.trim().toLowerCase() === 'owner') ??
|
|
457
|
+
null);
|
|
458
|
+
}
|
|
459
|
+
/**
|
|
460
|
+
* Best-effort structured audit of a mint attempt. Never alters the result — losing
|
|
461
|
+
* an audit line must not change whether a visitor got (or was denied) a session.
|
|
462
|
+
* (A dedicated `MJ: Widget Session` audit entity is a follow-on; for now this is a
|
|
463
|
+
* structured log line carrying the same forensics as the magic-link redemption row.)
|
|
464
|
+
*/
|
|
465
|
+
audited(result, input, widget) {
|
|
466
|
+
try {
|
|
467
|
+
LogStatus(`[Widget][audit] mint outcome=${result.success ? 'success' : result.errorCode} ` +
|
|
468
|
+
`widget=${widget?.ID ?? 'unknown'} origin=${input.audit?.origin ?? input.origin ?? '-'} ` +
|
|
469
|
+
`ip=${input.audit?.ipAddress ?? '-'}`);
|
|
470
|
+
}
|
|
471
|
+
catch {
|
|
472
|
+
/* audit is best-effort */
|
|
473
|
+
}
|
|
474
|
+
return result;
|
|
475
|
+
}
|
|
476
|
+
}
|
|
477
|
+
//# sourceMappingURL=WidgetSessionService.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"WidgetSessionService.js","sourceRoot":"","sources":["../../src/realtimeWidget/WidgetSessionService.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAY,QAAQ,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACxF,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAEpD,OAAO,EAAE,SAAS,EAAE,MAAM,wCAAwC,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uCAAuC,CAAC;AACzE,OAAO,EAAE,UAAU,EAAqB,MAAM,cAAc,CAAC;AAC7D,OAAO,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,oBAAoB,EAA4B,MAAM,iBAAiB,CAAC;AAC7H,OAAO,EAAE,mBAAmB,EAA6B,MAAM,oBAAoB,CAAC;AACpF,OAAO,EAAE,0BAA0B,EAAE,MAAM,2CAA2C,CAAC;AACvF,OAAO,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,aAAa,EAAgC,MAAM,sBAAsB,CAAC;AAEjI,MAAM,aAAa,GAAG,mCAAmC,CAAC;AAC1D,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AAEjD,sGAAsG;AACtG,MAAM,mBAAmB,GAAG,yBAAyB,CAAC;AAsKtD,yGAAyG;AACzG,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,4BAA4B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,oBAAoB;IAC/B,YACmB,SAAiB,EACjB,MAAoB;QADpB,cAAS,GAAT,SAAS,CAAQ;QACjB,WAAM,GAAN,MAAM,CAAc;QA0EvC,2GAA2G;QAC1F,mBAAc,GAAG,IAAI,GAAG,EAAkD,CAAC;IA1EzF,CAAC;IAEJ;;;OAGG;IACI,KAAK,CAAC,gBAAgB,CAAC,KAA4B;QACxD,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC7C,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,QAAQ,CAAC,mEAAmE,CAAC,CAAC;gBAC9E,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,4CAA4C,EAAE,CAAC;YAC5G,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACxE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,IAAI,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,KAAK,EAAE,qBAAqB,EAAE,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;YAClH,CAAC;YAED,MAAM,WAAW,GAAG,kBAAkB,CACpC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,EAAE,MAAM,CAAC,cAAc,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,EAC3F,KAAK,CAAC,MAAM,CACb,CAAC;YACF,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;gBACpB,OAAO,IAAI,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,CAAC,SAAS,EAAE,KAAK,EAAE,uBAAuB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YAC3H,CAAC;YAED,MAAM,aAAa,GAAG,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YACpE,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,QAAQ,CAAC,uBAAuB,MAAM,CAAC,WAAW,eAAe,MAAM,CAAC,EAAE,yBAAyB,CAAC,CAAC;gBACrG,OAAO,IAAI,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,4BAA4B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACzH,CAAC;YAED,wFAAwF;YACxF,IAAI,YAA8C,CAAC;YACnD,IAAI,MAAM,CAAC,YAAY,KAAK,cAAc,EAAE,CAAC;gBAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;gBAC9D,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,OAAO,IAAI,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,wBAAwB,EAAE,KAAK,EAAE,kCAAkC,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;gBACzI,CAAC;gBACD,YAAY,GAAG,QAAQ,CAAC;YAC1B,CAAC;YAED,6FAA6F;YAC7F,uGAAuG;YACvG,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,EAAE,KAAK,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;YAEnG,iGAAiG;YACjG,iGAAiG;YACjG,gGAAgG;YAChG,0EAA0E;YAC1E,MAAM,IAAI,CAAC,8BAA8B,CAAC,MAAM,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC;YAEjF,mGAAmG;YACnG,iGAAiG;YACjG,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,+BAA+B,CAAC,MAAM,EAAE,YAAY,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC;YAEzH,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC9H,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,QAAQ,CAAC,CAAC,CAAC,CAAC;YACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1G,CAAC;IACH,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,mBAAmB,CAAC,KAA4B;QAC3D,OAAO,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC;aAIuB,4BAAuB,GAAG,MAAM,AAAT,CAAU;IAEzD;;;;;OAKG;IACI,KAAK,CAAC,2BAA2B,CAAC,SAAiB;QACxD,MAAM,GAAG,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,yBAAyB,CAAC;QACvD,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,QAAQ,CAAC;QAClB,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,MAAM,IAAI,MAAM,CAAC,WAAW,GAAG,GAAG,EAAE,CAAC;YACvC,OAAO,MAAM,CAAC,KAAK,CAAC;QACtB,CAAC;QACD,IAAI,KAAK,GAAG,QAAQ,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC7C,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;gBAC5D,IAAI,MAAM,IAAI,MAAM,CAAC,kBAAkB,GAAG,CAAC,EAAE,CAAC;oBAC5C,KAAK,GAAG,MAAM,CAAC,kBAAkB,CAAC;gBACpC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,QAAQ,CAAC,CAAC,CAAC,CAAC;QACd,CAAC;QACD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,GAAG,oBAAoB,CAAC,uBAAuB,EAAE,CAAC,CAAC;QACzG,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;;;;;;OAUG;IACI,KAAK,CAAC,cAAc,CAAC,KAA+B;QACzD,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACzC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC1B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;YAC7F,CAAC;YACD,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC7C,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,4CAA4C,EAAE,CAAC;YAC5G,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACxE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;YAClF,CAAC;YACD,MAAM,WAAW,GAAG,kBAAkB,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,EAAE,MAAM,CAAC,cAAc,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;YAClJ,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;gBACpB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,CAAC,SAAS,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC;YACjG,CAAC;YACD,IAAI,MAAM,CAAC,YAAY,KAAK,kBAAkB,EAAE,CAAC;gBAC/C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,qBAAqB,EAAE,KAAK,EAAE,gDAAgD,EAAE,CAAC;YACvH,CAAC;YACD,MAAM,eAAe,GAAG,UAAU,CAAC,SAAS,CAAC;YAC7C,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,QAAQ,CAAC,4DAA4D,CAAC,CAAC;gBACvE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,0CAA0C,EAAE,CAAC;YAC1G,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;YACtE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,EAAE,WAAW,CAAC,CAAC;YACvG,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,QAAQ,CAAC,6CAA6C,MAAM,CAAC,EAAE,KAAK,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,SAAS,IAAI,SAAS,EAAE,CAAC,CAAC;gBACrH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;YACxG,CAAC;YACD,iGAAiG;YACjG,kGAAkG;YAClG,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK,EAAE,CAAC;QACjE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,QAAQ,CAAC,CAAC,CAAC,CAAC;YACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1G,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,UAAU,CAAC,MAA0C,EAAE,SAA6B;QAC1F,qGAAqG;QACrG,+FAA+F;QAC/F,MAAM,OAAO,GAAG,MAAM,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACvF,MAAM,MAAM,GAAG,mBAAmB,CAAC,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QACzE,IAAI,MAAM,CAAC,EAAE,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACjC,OAAO,MAAM,CAAC,QAAQ,CAAC;QACzB,CAAC;QACD,QAAQ,CAAC,+CAA+C,MAAM,CAAC,EAAE,KAAK,MAAM,CAAC,SAAS,IAAI,SAAS,EAAE,CAAC,CAAC;QACvG,OAAO,IAAI,CAAC;IACd,CAAC;IAED,oEAAoE;IAC5D,SAAS,CACf,MAA0C,EAC1C,aAAqB,EACrB,YAAmC,EACnC,gBAA6C,EAC7C,gBAA0C;QAE1C,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QACjD,MAAM,UAAU,GAAG,MAAM,CAAC,iBAAiB,IAAI,IAAI,CAAC,MAAM,CAAC,wBAAwB,CAAC;QACpF,4FAA4F;QAC5F,2FAA2F;QAC3F,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,sBAAsB,CAAC;YACpC,MAAM,EAAE,IAAI,CAAC,SAAS;YACtB,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,SAAS;YACT,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc;YAC1C,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,aAAa;YACb,UAAU;YACV,UAAU,EAAE,UAAU,GAAG,EAAE;YAC3B,YAAY;YACZ,kGAAkG;YAClG,yFAAyF;YACzF,gBAAgB,EAAE,gBAAgB;gBAChC,CAAC,CAAC;oBACE,UAAU,EAAE,gBAAgB,CAAC,UAAU;oBACvC,kBAAkB,EAAE,gBAAgB,CAAC,kBAAkB;oBACvD,cAAc,EAAE,gBAAgB,EAAE,QAAQ;oBAC1C,cAAc,EAAE,gBAAgB,EAAE,QAAQ;iBAC3C;gBACH,CAAC,CAAC,SAAS;SACd,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,mBAAmB,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACxD,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK;YACL,SAAS,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;YACpD,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS;YACT,mGAAmG;YACnG,kGAAkG;YAClG,eAAe,EAAE,oBAAoB,CAAC,MAAM,CAAC,eAAe,CAAC;YAC7D,sBAAsB,EAAE,MAAM,CAAC,sBAAsB,IAAI,SAAS;YAClE,yBAAyB,EAAE,CAAC,CAAC,gBAAgB;YAC7C,UAAU,EAAE,gBAAgB,EAAE,UAAU;YACxC,kBAAkB,EAAE,gBAAgB,EAAE,kBAAkB;YACxD,cAAc,EAAE,gBAAgB,EAAE,QAAQ;YAC1C,cAAc,EAAE,gBAAgB,EAAE,QAAQ;SAC3C,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,+BAA+B,CAC3C,MAA0C,EAC1C,YAA8C,EAC9C,gBAAwD,EACxD,WAAqB;QAErB,IAAI,CAAC,MAAM,CAAC,yBAAyB,IAAI,CAAC,YAAY,EAAE,KAAK,IAAI,CAAC,gBAAgB,EAAE,UAAU,EAAE,CAAC;YAC/F,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,sBAAsB,CAAC,YAAY,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC,yEAAyE;QAC5M,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,MAAM,oBAAoB,CAAC;YACzB,UAAU,EAAE,gBAAgB,CAAC,UAAU;YACvC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,QAAQ;YACR,WAAW;YACX,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,yEAAyE;SACvG,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,sBAAsB,CAAC,KAAkC;QACpE,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;YACnG,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;YAC1E,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,aAAa,EAAE,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC,yEAAyE;YAClN,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,4FAA4F;gBAC5F,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,CAAC,EAAE,CAAC;YACnD,CAAC;YACD,MAAM,mBAAmB,GAAG,MAAM,oBAAoB,CAAC;gBACrD,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;gBACxC,QAAQ;gBACR,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,yEAAyE;aACvG,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,mBAAmB,EAAE,CAAC;QACpE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,QAAQ,CAAC,CAAC,CAAC,CAAC;YACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1G,CAAC;IACH,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,aAAa,CAAC,KAAyB;QAClD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;YACnG,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;YAC1E,CAAC;YACD,MAAM,EAAE,aAAa,EAAE,oBAAoB,EAAE,GAAG,MAAM,aAAa,CAAC;gBAClE,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;gBACxC,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,yEAAyE;aACvG,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,oBAAoB,EAAE,CAAC;QAChE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,QAAQ,CAAC,CAAC,CAAC,CAAC;YACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1G,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,yBAAyB,CACrC,SAAiB,EACjB,UAAkB,EAClB,MAA0B;QAE1B,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC7C,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,KAAK,EAAE,4CAA4C,EAAE,CAAC;QACvG,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAClE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC7E,CAAC;QACD,MAAM,WAAW,GAAG,kBAAkB,CACpC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,EAAE,MAAM,CAAC,cAAc,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,EAC3F,MAAM,CACP,CAAC;QACF,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;YACpB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,CAAC,SAAS,IAAI,cAAc,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC;QAC9G,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,yBAAyB,EAAE,CAAC;YACtC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,qBAAqB,EAAE,KAAK,EAAE,0DAA0D,EAAE,CAAC;QAC5H,CAAC;QACD,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YACzD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;QACzF,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC3C,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,uBAAuB,CACnC,MAA0C,EAC1C,YAAgC,EAChC,WAAqB;QAErB,IAAI,CAAC,MAAM,CAAC,yBAAyB,EAAE,CAAC;YACtC,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,MAAM,SAAS,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9C,MAAM,WAAW,GAAG,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxD,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,iBAAiB,EAAE,CAAC;QACjE,MAAM,kBAAkB,GAAG,WAAW;YACpC,CAAC,CAAC,MAAM,IAAI,CAAC,oCAAoC,CAAC,UAAU,EAAE,MAAM,CAAC,aAAa,EAAE,WAAW,CAAC;YAChG,CAAC,CAAC,SAAS,CAAC;QACd,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,CAAC;IAC5C,CAAC;IAED;;;;;;;OAOG;IACK,KAAK,CAAC,8BAA8B,CAC1C,MAA0C,EAC1C,gBAAwD,EACxD,WAAqB;QAErB,MAAM,mBAAmB,GAAG,gBAAgB,EAAE,kBAAkB,CAAC;QACjE,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,OAAO;QACT,CAAC;QACD,mHAAmH;QACnH,MAAM,0BAA0B,CAC9B,mBAAmB,EACnB,MAAM,CAAC,aAAa,EACpB,WAAW,EACX,QAAQ,CAAC,QAAQ,EAAE,yEAAyE;QAC5F,MAAM,CAAC,0BAA0B,CAClC,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,oCAAoC,CAChD,UAAkB,EAClB,aAAqB,EACrB,WAAqB;QAErB,MAAM,EAAE,GAAG,IAAI,OAAO,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,OAAO,CAC7B;YACE,UAAU,EAAE,oBAAoB;YAChC,oGAAoG;YACpG,2FAA2F;YAC3F,WAAW,EAAE,iBAAiB,UAAU,0BAA0B,aAAa,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG;YACtG,OAAO,EAAE,qBAAqB;YAC9B,OAAO,EAAE,CAAC;YACV,MAAM,EAAE,CAAC,IAAI,CAAC;YACd,UAAU,EAAE,QAAQ;SACrB,EACD,WAAW,CACZ,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,QAAQ,CAAC,6CAA6C,MAAM,CAAC,YAAY,EAAE,CAAC,CAAC;YAC7E,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,SAAS,CAAC;IAC9C,CAAC;IAED,mFAAmF;IAC3E,KAAK,CAAC,eAAe,CAAC,SAAiB,EAAE,WAAqB;QACpE,MAAM,GAAG,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACrC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,EAAE,GAAG,IAAI,OAAO,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,OAAO,CAC7B;YACE,UAAU,EAAE,aAAa;YACzB,WAAW,EAAE,gBAAgB,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG;YACvD,OAAO,EAAE,CAAC;YACV,UAAU,EAAE,eAAe;SAC5B,EACD,WAAW,CACZ,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,QAAQ,CAAC,0CAA0C,MAAM,CAAC,YAAY,EAAE,CAAC,CAAC;YAC1E,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IACrC,CAAC;IAED,sFAAsF;IAC9E,oBAAoB,CAAC,WAAmB;QAC9C,MAAM,EAAE,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,kFAAkF;QAChH,MAAM,IAAI,GAAG,EAAE,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC,CAAC;QAClE,OAAO,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC;IAC5B,CAAC;IAED,kGAAkG;IAC1F,iBAAiB;QACvB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC;QACnD,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;YACxD,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,MAAM,CAAC;YAChB,CAAC;YACD,QAAQ,CAAC,oCAAoC,SAAS,4CAA4C,CAAC,CAAC;QACtG,CAAC;QACD,OAAO,CACL,SAAS,CAAC,QAAQ,CAAC,aAAa,EAAE;YAClC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC;YACnF,IAAI,CACL,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACK,OAAO,CAAC,MAA8B,EAAE,KAA4B,EAAE,MAAiD;QAC7H,IAAI,CAAC;YACH,SAAS,CACP,gCAAgC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,GAAG;gBAChF,UAAU,MAAM,EAAE,EAAE,IAAI,SAAS,WAAW,KAAK,CAAC,KAAK,EAAE,MAAM,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG,GAAG;gBACzF,MAAM,KAAK,CAAC,KAAK,EAAE,SAAS,IAAI,GAAG,EAAE,CACtC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,0BAA0B;QAC5B,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC"}
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Host-passed identity (D1 strategy `host-identity`). When a widget is
|
|
3
|
+
* embedded in an already-authenticated host portal, the host signs a short-lived
|
|
4
|
+
* assertion (its own RS256 key) describing the visitor; the widget posts it to
|
|
5
|
+
* `POST /widget/session`, which verifies it against the host's registered public key
|
|
6
|
+
* and folds the host-provided identity into the minted guest claims. The minted token
|
|
7
|
+
* is still validated by the same `magic-link` AuthProviderFactory path + synthesized by
|
|
8
|
+
* `buildMagicLinkSessionUser` — host-identity is a MINT-TIME strategy, not a second
|
|
9
|
+
* session-validation provider (it converges on the one pathway, per D1).
|
|
10
|
+
*
|
|
11
|
+
* Pure + unit-testable: verification takes the PEM as an argument.
|
|
12
|
+
*
|
|
13
|
+
* @module @memberjunction/server/widget
|
|
14
|
+
*/
|
|
15
|
+
import type jwt from 'jsonwebtoken';
|
|
16
|
+
import { type HostAssertionError } from '@memberjunction/auth-providers';
|
|
17
|
+
export type { HostAssertionError };
|
|
18
|
+
/** The visitor identity a host asserts. Standard OIDC-ish claims so synthesis is uniform. */
|
|
19
|
+
export interface HostAssertedIdentity {
|
|
20
|
+
email: string;
|
|
21
|
+
firstName?: string;
|
|
22
|
+
lastName?: string;
|
|
23
|
+
/** The host's opaque user id for this visitor (audit correlation; not an MJ user id). */
|
|
24
|
+
hostUserId?: string;
|
|
25
|
+
}
|
|
26
|
+
/** Result of verifying a host assertion. `identity` is present iff `ok` is true. */
|
|
27
|
+
export interface HostAssertionResult {
|
|
28
|
+
ok: boolean;
|
|
29
|
+
identity?: HostAssertedIdentity;
|
|
30
|
+
errorCode?: HostAssertionError;
|
|
31
|
+
}
|
|
32
|
+
/**
|
|
33
|
+
* Verifies a host-signed RS256 assertion against the host's registered public key (PEM) and extracts the
|
|
34
|
+
* asserted visitor identity. Thin adapter over {@link HostIdentityProvider.VerifyHostAssertion} (the single
|
|
35
|
+
* implementation, registered in the AuthProviderFactory) preserving this module's result shape. Never throws.
|
|
36
|
+
*/
|
|
37
|
+
export declare function verifyHostAssertion(assertion: string | undefined, hostPublicKeyPem: string | undefined, expectedAudience: string): HostAssertionResult;
|
|
38
|
+
/** Pulls the visitor identity from a verified host-assertion payload (delegates to the provider). */
|
|
39
|
+
export declare function extractHostIdentity(payload: jwt.JwtPayload): HostAssertedIdentity;
|
|
40
|
+
//# sourceMappingURL=host-identity.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"host-identity.d.ts","sourceRoot":"","sources":["../../src/realtimeWidget/host-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,GAAG,MAAM,cAAc,CAAC;AACpC,OAAO,EAAwB,KAAK,kBAAkB,EAAE,MAAM,gCAAgC,CAAC;AAE/F,YAAY,EAAE,kBAAkB,EAAE,CAAC;AAEnC,6FAA6F;AAC7F,MAAM,WAAW,oBAAoB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yFAAyF;IACzF,UAAU,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,oFAAoF;AACpF,MAAM,WAAW,mBAAmB;IAChC,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,CAAC,EAAE,oBAAoB,CAAC;IAChC,SAAS,CAAC,EAAE,kBAAkB,CAAC;CAClC;AAeD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAC/B,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,gBAAgB,EAAE,MAAM,GAAG,SAAS,EACpC,gBAAgB,EAAE,MAAM,GACzB,mBAAmB,CAcrB;AAED,qGAAqG;AACrG,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,GAAG,CAAC,UAAU,GAAG,oBAAoB,CAQjF"}
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Host-passed identity (D1 strategy `host-identity`). When a widget is
|
|
3
|
+
* embedded in an already-authenticated host portal, the host signs a short-lived
|
|
4
|
+
* assertion (its own RS256 key) describing the visitor; the widget posts it to
|
|
5
|
+
* `POST /widget/session`, which verifies it against the host's registered public key
|
|
6
|
+
* and folds the host-provided identity into the minted guest claims. The minted token
|
|
7
|
+
* is still validated by the same `magic-link` AuthProviderFactory path + synthesized by
|
|
8
|
+
* `buildMagicLinkSessionUser` — host-identity is a MINT-TIME strategy, not a second
|
|
9
|
+
* session-validation provider (it converges on the one pathway, per D1).
|
|
10
|
+
*
|
|
11
|
+
* Pure + unit-testable: verification takes the PEM as an argument.
|
|
12
|
+
*
|
|
13
|
+
* @module @memberjunction/server/widget
|
|
14
|
+
*/
|
|
15
|
+
import { HostIdentityProvider } from '@memberjunction/auth-providers';
|
|
16
|
+
/**
|
|
17
|
+
* The single shared {@link HostIdentityProvider} instance the mint path verifies through. The base
|
|
18
|
+
* `BaseAuthProvider` constructor builds a (never-contacted) JWKS client; host-identity verifies against
|
|
19
|
+
* static per-widget PEM keys, so we pass a placeholder `jwksUri`. Built once — verification is stateless.
|
|
20
|
+
*/
|
|
21
|
+
const hostIdentityProvider = new HostIdentityProvider({
|
|
22
|
+
name: 'host-identity',
|
|
23
|
+
type: 'host-identity',
|
|
24
|
+
issuer: 'host-identity',
|
|
25
|
+
audience: 'host-identity',
|
|
26
|
+
jwksUri: 'https://host-identity.local/unused',
|
|
27
|
+
});
|
|
28
|
+
/**
|
|
29
|
+
* Verifies a host-signed RS256 assertion against the host's registered public key (PEM) and extracts the
|
|
30
|
+
* asserted visitor identity. Thin adapter over {@link HostIdentityProvider.VerifyHostAssertion} (the single
|
|
31
|
+
* implementation, registered in the AuthProviderFactory) preserving this module's result shape. Never throws.
|
|
32
|
+
*/
|
|
33
|
+
export function verifyHostAssertion(assertion, hostPublicKeyPem, expectedAudience) {
|
|
34
|
+
const result = hostIdentityProvider.VerifyHostAssertion(assertion, hostPublicKeyPem, expectedAudience);
|
|
35
|
+
if (!result.ok || !result.userInfo?.email) {
|
|
36
|
+
return { ok: false, errorCode: result.errorCode };
|
|
37
|
+
}
|
|
38
|
+
return {
|
|
39
|
+
ok: true,
|
|
40
|
+
identity: {
|
|
41
|
+
email: result.userInfo.email,
|
|
42
|
+
firstName: result.userInfo.firstName,
|
|
43
|
+
lastName: result.userInfo.lastName,
|
|
44
|
+
hostUserId: result.hostUserId,
|
|
45
|
+
},
|
|
46
|
+
};
|
|
47
|
+
}
|
|
48
|
+
/** Pulls the visitor identity from a verified host-assertion payload (delegates to the provider). */
|
|
49
|
+
export function extractHostIdentity(payload) {
|
|
50
|
+
const info = hostIdentityProvider.extractUserInfo(payload);
|
|
51
|
+
return {
|
|
52
|
+
email: info.email ?? '',
|
|
53
|
+
firstName: info.firstName,
|
|
54
|
+
lastName: info.lastName,
|
|
55
|
+
hostUserId: typeof payload.sub === 'string' ? payload.sub : undefined,
|
|
56
|
+
};
|
|
57
|
+
}
|
|
58
|
+
//# sourceMappingURL=host-identity.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"host-identity.js","sourceRoot":"","sources":["../../src/realtimeWidget/host-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EAAE,oBAAoB,EAA2B,MAAM,gCAAgC,CAAC;AAoB/F;;;;GAIG;AACH,MAAM,oBAAoB,GAAG,IAAI,oBAAoB,CAAC;IAClD,IAAI,EAAE,eAAe;IACrB,IAAI,EAAE,eAAe;IACrB,MAAM,EAAE,eAAe;IACvB,QAAQ,EAAE,eAAe;IACzB,OAAO,EAAE,oCAAoC;CAChD,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAC/B,SAA6B,EAC7B,gBAAoC,EACpC,gBAAwB;IAExB,MAAM,MAAM,GAAG,oBAAoB,CAAC,mBAAmB,CAAC,SAAS,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,CAAC;IACvG,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC;QACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC;IACtD,CAAC;IACD,OAAO;QACH,EAAE,EAAE,IAAI;QACR,QAAQ,EAAE;YACN,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK;YAC5B,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,SAAS;YACpC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ;YAClC,UAAU,EAAE,MAAM,CAAC,UAAU;SAChC;KACJ,CAAC;AACN,CAAC;AAED,qGAAqG;AACrG,MAAM,UAAU,mBAAmB,CAAC,OAAuB;IACvD,MAAM,IAAI,GAAG,oBAAoB,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;IAC3D,OAAO;QACH,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE;QACvB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,UAAU,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;KACxE,CAAC;AACN,CAAC"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Public web widget guest-session module barrel.
|
|
3
|
+
* @module @memberjunction/server/widget
|
|
4
|
+
*/
|
|
5
|
+
export * from './widgetCore.js';
|
|
6
|
+
export { verifyHostAssertion, extractHostIdentity, type HostAssertedIdentity, type HostAssertionResult, type HostAssertionError, } from './host-identity.js';
|
|
7
|
+
export { WidgetSessionService } from './WidgetSessionService.js';
|
|
8
|
+
export type { MintGuestSessionInput, MintGuestSessionResult, WidgetMintAuditContext } from './WidgetSessionService.js';
|
|
9
|
+
export { createWidgetHandler, WIDGET_MOUNT_PATH } from './WidgetRouter.js';
|
|
10
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/realtimeWidget/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,cAAc,iBAAiB,CAAC;AAChC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,KAAK,oBAAoB,EACzB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,GACxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,YAAY,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AACvH,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Public web widget guest-session module barrel.
|
|
3
|
+
* @module @memberjunction/server/widget
|
|
4
|
+
*/
|
|
5
|
+
export * from './widgetCore.js';
|
|
6
|
+
export { verifyHostAssertion, extractHostIdentity, } from './host-identity.js';
|
|
7
|
+
export { WidgetSessionService } from './WidgetSessionService.js';
|
|
8
|
+
export { createWidgetHandler, WIDGET_MOUNT_PATH } from './WidgetRouter.js';
|
|
9
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/realtimeWidget/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,cAAc,iBAAiB,CAAC;AAChC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,GAIpB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAEjE,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC"}
|