@naylence/runtime 0.3.5-test.910 → 0.3.5-test.911
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/browser/index.cjs +1847 -1054
- package/dist/browser/index.mjs +1842 -1049
- package/dist/cjs/naylence/fame/factory-manifest.js +2 -0
- package/dist/cjs/naylence/fame/http/oauth2-token-router.js +751 -88
- package/dist/cjs/naylence/fame/node/admission/admission-profile-factory.js +61 -0
- package/dist/cjs/naylence/fame/security/auth/oauth2-pkce-token-provider-factory.js +171 -0
- package/dist/cjs/naylence/fame/security/auth/oauth2-pkce-token-provider.js +560 -0
- package/dist/cjs/naylence/fame/telemetry/open-telemetry-trace-emitter-factory.js +19 -2
- package/dist/cjs/naylence/fame/telemetry/open-telemetry-trace-emitter.js +19 -9
- package/dist/cjs/naylence/fame/util/register-runtime-factories.js +6 -0
- package/dist/cjs/version.js +2 -2
- package/dist/esm/naylence/fame/factory-manifest.js +2 -0
- package/dist/esm/naylence/fame/http/oauth2-token-router.js +751 -88
- package/dist/esm/naylence/fame/node/admission/admission-profile-factory.js +61 -0
- package/dist/esm/naylence/fame/security/auth/oauth2-pkce-token-provider-factory.js +134 -0
- package/dist/esm/naylence/fame/security/auth/oauth2-pkce-token-provider.js +555 -0
- package/dist/esm/naylence/fame/telemetry/open-telemetry-trace-emitter-factory.js +19 -2
- package/dist/esm/naylence/fame/telemetry/open-telemetry-trace-emitter.js +19 -9
- package/dist/esm/naylence/fame/util/register-runtime-factories.js +6 -0
- package/dist/esm/version.js +2 -2
- package/dist/node/index.cjs +1843 -1050
- package/dist/node/index.mjs +1842 -1049
- package/dist/node/node.cjs +2658 -1202
- package/dist/node/node.mjs +2657 -1201
- package/dist/types/naylence/fame/factory-manifest.d.ts +1 -1
- package/dist/types/naylence/fame/http/oauth2-token-router.d.ts +73 -17
- package/dist/types/naylence/fame/security/auth/oauth2-pkce-token-provider-factory.d.ts +27 -0
- package/dist/types/naylence/fame/security/auth/oauth2-pkce-token-provider.d.ts +42 -0
- package/dist/types/naylence/fame/telemetry/open-telemetry-trace-emitter.d.ts +4 -0
- package/dist/types/version.d.ts +1 -1
- package/package.json +3 -1
|
@@ -11,6 +11,12 @@ const ENV_VAR_JWT_AUDIENCE = 'FAME_JWT_AUDIENCE';
|
|
|
11
11
|
const ENV_VAR_ADMISSION_TOKEN_URL = 'FAME_ADMISSION_TOKEN_URL';
|
|
12
12
|
const ENV_VAR_ADMISSION_CLIENT_ID = 'FAME_ADMISSION_CLIENT_ID';
|
|
13
13
|
const ENV_VAR_ADMISSION_CLIENT_SECRET = 'FAME_ADMISSION_CLIENT_SECRET';
|
|
14
|
+
const ENV_VAR_ADMISSION_AUTHORIZE_URL = 'FAME_ADMISSION_AUTHORIZE_URL';
|
|
15
|
+
const ENV_VAR_ADMISSION_REDIRECT_URL = 'FAME_ADMISSION_REDIRECT_URL';
|
|
16
|
+
const ENV_VAR_ADMISSION_LOGIN_HINT_PARAM = 'FAME_ADMISSION_LOGIN_HINT_PARAM';
|
|
17
|
+
const ENV_VAR_ADMISSION_CODE_CHALLENGE_METHOD = 'FAME_ADMISSION_CODE_CHALLENGE_METHOD';
|
|
18
|
+
const ENV_VAR_ADMISSION_CODE_VERIFIER_LENGTH = 'FAME_ADMISSION_CODE_VERIFIER_LENGTH';
|
|
19
|
+
const ENV_VAR_ADMISSION_CLOCK_SKEW_SECONDS = 'FAME_ADMISSION_CLOCK_SKEW_SECONDS';
|
|
14
20
|
const ENV_VAR_DIRECT_ADMISSION_URL = 'FAME_DIRECT_ADMISSION_URL';
|
|
15
21
|
const ENV_VAR_DIRECT_INPAGE_CHANNEL = 'FAME_DIRECT_INPAGE_CHANNEL';
|
|
16
22
|
const ENV_VAR_ADMISSION_SERVICE_URL = 'FAME_ADMISSION_SERVICE_URL';
|
|
@@ -19,10 +25,12 @@ const PROFILE_NAME_WELCOME = 'welcome';
|
|
|
19
25
|
const PROFILE_NAME_DIRECT = 'direct';
|
|
20
26
|
const PROFILE_NAME_DIRECT_HTTP = 'direct-http';
|
|
21
27
|
const PROFILE_NAME_DIRECT_INPAGE = 'direct-inpage';
|
|
28
|
+
const PROFILE_NAME_DIRECT_PKCE = 'direct-pkce';
|
|
22
29
|
const PROFILE_NAME_OPEN = 'open';
|
|
23
30
|
const PROFILE_NAME_NOOP = 'noop';
|
|
24
31
|
const PROFILE_NAME_NONE = 'none';
|
|
25
32
|
const PROFILE_NAME_DIRECT_INPAGE_ALIAS = 'direct_inpage';
|
|
33
|
+
const PROFILE_NAME_DIRECT_PKCE_ALIAS = 'direct_pkce';
|
|
26
34
|
function createOAuthTokenProviderConfig() {
|
|
27
35
|
const tokenUrl = factory_1.Expressions.env(ENV_VAR_ADMISSION_TOKEN_URL);
|
|
28
36
|
const clientId = factory_1.Expressions.env(ENV_VAR_ADMISSION_CLIENT_ID);
|
|
@@ -40,6 +48,38 @@ function createOAuthTokenProviderConfig() {
|
|
|
40
48
|
audience,
|
|
41
49
|
};
|
|
42
50
|
}
|
|
51
|
+
function createOAuthPkceTokenProviderConfig() {
|
|
52
|
+
const authorizeUrl = factory_1.Expressions.env(ENV_VAR_ADMISSION_AUTHORIZE_URL);
|
|
53
|
+
const tokenUrl = factory_1.Expressions.env(ENV_VAR_ADMISSION_TOKEN_URL);
|
|
54
|
+
const redirectUri = factory_1.Expressions.env(ENV_VAR_ADMISSION_REDIRECT_URL);
|
|
55
|
+
const clientId = factory_1.Expressions.env(ENV_VAR_ADMISSION_CLIENT_ID);
|
|
56
|
+
const loginHintParam = factory_1.Expressions.env(ENV_VAR_ADMISSION_LOGIN_HINT_PARAM, 'login_hint');
|
|
57
|
+
const audience = factory_1.Expressions.env(ENV_VAR_JWT_AUDIENCE);
|
|
58
|
+
const codeChallengeMethod = factory_1.Expressions.env(ENV_VAR_ADMISSION_CODE_CHALLENGE_METHOD, 'S256');
|
|
59
|
+
const codeVerifierLength = factory_1.Expressions.env(ENV_VAR_ADMISSION_CODE_VERIFIER_LENGTH, '64');
|
|
60
|
+
const clockSkewSeconds = factory_1.Expressions.env(ENV_VAR_ADMISSION_CLOCK_SKEW_SECONDS, '30');
|
|
61
|
+
return {
|
|
62
|
+
type: 'OAuth2PkceTokenProvider',
|
|
63
|
+
authorizeUrl,
|
|
64
|
+
authorize_url: authorizeUrl,
|
|
65
|
+
tokenUrl,
|
|
66
|
+
token_url: tokenUrl,
|
|
67
|
+
redirectUri,
|
|
68
|
+
redirect_uri: redirectUri,
|
|
69
|
+
clientId,
|
|
70
|
+
client_id: clientId,
|
|
71
|
+
loginHintParam,
|
|
72
|
+
login_hint_param: loginHintParam,
|
|
73
|
+
scopes: ['node.connect'],
|
|
74
|
+
audience,
|
|
75
|
+
codeChallengeMethod,
|
|
76
|
+
code_challenge_method: codeChallengeMethod,
|
|
77
|
+
codeVerifierLength,
|
|
78
|
+
code_verifier_length: codeVerifierLength,
|
|
79
|
+
clockSkewSeconds,
|
|
80
|
+
clock_skew_seconds: clockSkewSeconds,
|
|
81
|
+
};
|
|
82
|
+
}
|
|
43
83
|
const welcomeIsRoot = factory_1.Expressions.env(ENV_VAR_IS_ROOT, 'false');
|
|
44
84
|
const welcomeTokenProvider = createOAuthTokenProviderConfig();
|
|
45
85
|
const WELCOME_SERVICE_PROFILE = {
|
|
@@ -74,6 +114,25 @@ const DIRECT_PROFILE = {
|
|
|
74
114
|
connection_grants: directGrants,
|
|
75
115
|
connectionGrants: directGrants,
|
|
76
116
|
};
|
|
117
|
+
const directPkceTokenProvider = createOAuthPkceTokenProviderConfig();
|
|
118
|
+
const directPkceGrant = {
|
|
119
|
+
type: 'WebSocketConnectionGrant',
|
|
120
|
+
purpose: grant_js_1.GRANT_PURPOSE_NODE_ATTACH,
|
|
121
|
+
url: factory_1.Expressions.env(ENV_VAR_DIRECT_ADMISSION_URL),
|
|
122
|
+
auth: {
|
|
123
|
+
type: 'WebSocketSubprotocolAuth',
|
|
124
|
+
token_provider: directPkceTokenProvider,
|
|
125
|
+
tokenProvider: directPkceTokenProvider,
|
|
126
|
+
},
|
|
127
|
+
ttl: 0,
|
|
128
|
+
durable: false,
|
|
129
|
+
};
|
|
130
|
+
const directPkceGrants = [directPkceGrant];
|
|
131
|
+
const DIRECT_PKCE_PROFILE = {
|
|
132
|
+
type: 'DirectAdmissionClient',
|
|
133
|
+
connection_grants: directPkceGrants,
|
|
134
|
+
connectionGrants: directPkceGrants,
|
|
135
|
+
};
|
|
77
136
|
const directHttpTokenProvider = createOAuthTokenProviderConfig();
|
|
78
137
|
const directHttpGrant = {
|
|
79
138
|
type: 'HttpConnectionGrant',
|
|
@@ -142,6 +201,8 @@ const NOOP_PROFILE = {
|
|
|
142
201
|
const PROFILE_MAP = {
|
|
143
202
|
[PROFILE_NAME_WELCOME]: WELCOME_SERVICE_PROFILE,
|
|
144
203
|
[PROFILE_NAME_DIRECT]: DIRECT_PROFILE,
|
|
204
|
+
[PROFILE_NAME_DIRECT_PKCE]: DIRECT_PKCE_PROFILE,
|
|
205
|
+
[PROFILE_NAME_DIRECT_PKCE_ALIAS]: DIRECT_PKCE_PROFILE,
|
|
145
206
|
[PROFILE_NAME_DIRECT_HTTP]: DIRECT_HTTP_PROFILE,
|
|
146
207
|
[PROFILE_NAME_DIRECT_INPAGE]: DIRECT_INPAGE_PROFILE,
|
|
147
208
|
[PROFILE_NAME_DIRECT_INPAGE_ALIAS]: DIRECT_INPAGE_PROFILE,
|
|
@@ -0,0 +1,171 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
19
|
+
var ownKeys = function(o) {
|
|
20
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
21
|
+
var ar = [];
|
|
22
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
23
|
+
return ar;
|
|
24
|
+
};
|
|
25
|
+
return ownKeys(o);
|
|
26
|
+
};
|
|
27
|
+
return function (mod) {
|
|
28
|
+
if (mod && mod.__esModule) return mod;
|
|
29
|
+
var result = {};
|
|
30
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
31
|
+
__setModuleDefault(result, mod);
|
|
32
|
+
return result;
|
|
33
|
+
};
|
|
34
|
+
})();
|
|
35
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
36
|
+
exports.OAuth2PkceTokenProviderFactory = exports.FACTORY_META = void 0;
|
|
37
|
+
const credential_provider_factory_js_1 = require("../credential/credential-provider-factory.js");
|
|
38
|
+
const secret_source_js_1 = require("../credential/secret-source.js");
|
|
39
|
+
const lazy_import_js_1 = require("../../util/lazy-import.js");
|
|
40
|
+
const token_provider_factory_js_1 = require("./token-provider-factory.js");
|
|
41
|
+
let oauth2PkceTokenProviderModulePromise = null;
|
|
42
|
+
async function getOAuth2PkceTokenProviderModule() {
|
|
43
|
+
if (!oauth2PkceTokenProviderModulePromise) {
|
|
44
|
+
oauth2PkceTokenProviderModulePromise = (0, lazy_import_js_1.safeImport)(() => Promise.resolve().then(() => __importStar(require('./oauth2-pkce-token-provider.js'))), 'oauth2-pkce-token-provider');
|
|
45
|
+
}
|
|
46
|
+
return oauth2PkceTokenProviderModulePromise;
|
|
47
|
+
}
|
|
48
|
+
function ensureNonEmptyString(value, field) {
|
|
49
|
+
if (typeof value !== 'string' || value.trim().length === 0) {
|
|
50
|
+
throw new Error(`OAuth2PkceTokenProvider ${field} must be a non-empty string`);
|
|
51
|
+
}
|
|
52
|
+
return value.trim();
|
|
53
|
+
}
|
|
54
|
+
function normalizeScopes(value) {
|
|
55
|
+
if (Array.isArray(value)) {
|
|
56
|
+
const scopes = value
|
|
57
|
+
.map((scope) => (typeof scope === 'string' ? scope.trim() : ''))
|
|
58
|
+
.filter((scope) => scope.length > 0);
|
|
59
|
+
return scopes;
|
|
60
|
+
}
|
|
61
|
+
if (typeof value === 'string' && value.trim().length > 0) {
|
|
62
|
+
return value
|
|
63
|
+
.split(/[\s,]+/u)
|
|
64
|
+
.map((scope) => scope.trim())
|
|
65
|
+
.filter((scope) => scope.length > 0);
|
|
66
|
+
}
|
|
67
|
+
return [];
|
|
68
|
+
}
|
|
69
|
+
function normalizeConfig(config) {
|
|
70
|
+
if (!config) {
|
|
71
|
+
throw new Error('OAuth2PkceTokenProvider requires configuration');
|
|
72
|
+
}
|
|
73
|
+
const candidate = config;
|
|
74
|
+
const authorizeUrl = ensureNonEmptyString(candidate.authorizeUrl ?? candidate.authorize_url, 'authorizeUrl');
|
|
75
|
+
const tokenUrl = ensureNonEmptyString(candidate.tokenUrl ?? candidate.token_url, 'tokenUrl');
|
|
76
|
+
const redirectUri = ensureNonEmptyString(candidate.redirectUri ?? candidate.redirect_uri, 'redirectUri');
|
|
77
|
+
const clientId = ensureNonEmptyString(candidate.clientId ?? candidate.client_id, 'clientId');
|
|
78
|
+
const usernameSource = (candidate.username ??
|
|
79
|
+
candidate.username_source);
|
|
80
|
+
const clientSecretSource = (candidate.clientSecret ??
|
|
81
|
+
candidate.client_secret);
|
|
82
|
+
const scopes = normalizeScopes(candidate.scopes ?? candidate.scope);
|
|
83
|
+
const normalized = {
|
|
84
|
+
authorizeUrl,
|
|
85
|
+
tokenUrl,
|
|
86
|
+
redirectUri,
|
|
87
|
+
clientId,
|
|
88
|
+
scopes,
|
|
89
|
+
};
|
|
90
|
+
if (usernameSource) {
|
|
91
|
+
normalized.usernameConfig = (0, secret_source_js_1.normalizeSecretSource)(usernameSource);
|
|
92
|
+
}
|
|
93
|
+
if (clientSecretSource) {
|
|
94
|
+
normalized.clientSecretConfig = (0, secret_source_js_1.normalizeSecretSource)(clientSecretSource);
|
|
95
|
+
}
|
|
96
|
+
const audienceCandidate = candidate.audience ?? candidate.aud;
|
|
97
|
+
if (typeof audienceCandidate === 'string' && audienceCandidate.trim().length > 0) {
|
|
98
|
+
normalized.audience = audienceCandidate.trim();
|
|
99
|
+
}
|
|
100
|
+
const codeChallengeMethod = candidate.codeChallengeMethod ?? candidate.code_challenge_method;
|
|
101
|
+
if (typeof codeChallengeMethod === 'string' && codeChallengeMethod.trim().length > 0) {
|
|
102
|
+
normalized.codeChallengeMethod = codeChallengeMethod.trim();
|
|
103
|
+
}
|
|
104
|
+
const codeVerifierLength = candidate.codeVerifierLength ?? candidate.code_verifier_length;
|
|
105
|
+
if (typeof codeVerifierLength === 'number' && Number.isFinite(codeVerifierLength)) {
|
|
106
|
+
normalized.codeVerifierLength = codeVerifierLength;
|
|
107
|
+
}
|
|
108
|
+
const clockSkewSeconds = candidate.clockSkewSeconds ?? candidate.clock_skew_seconds;
|
|
109
|
+
if (typeof clockSkewSeconds === 'number' && Number.isFinite(clockSkewSeconds)) {
|
|
110
|
+
normalized.clockSkewSeconds = clockSkewSeconds;
|
|
111
|
+
}
|
|
112
|
+
const loginHintParam = candidate.loginHintParam ?? candidate.login_hint_param;
|
|
113
|
+
if (typeof loginHintParam === 'string' && loginHintParam.trim().length > 0) {
|
|
114
|
+
normalized.loginHintParam = loginHintParam.trim();
|
|
115
|
+
}
|
|
116
|
+
return normalized;
|
|
117
|
+
}
|
|
118
|
+
exports.FACTORY_META = {
|
|
119
|
+
base: token_provider_factory_js_1.TOKEN_PROVIDER_FACTORY_BASE_TYPE,
|
|
120
|
+
key: 'OAuth2PkceTokenProvider',
|
|
121
|
+
};
|
|
122
|
+
class OAuth2PkceTokenProviderFactory extends token_provider_factory_js_1.TokenProviderFactory {
|
|
123
|
+
constructor() {
|
|
124
|
+
super(...arguments);
|
|
125
|
+
this.type = 'OAuth2PkceTokenProvider';
|
|
126
|
+
}
|
|
127
|
+
async create(config) {
|
|
128
|
+
const normalized = normalizeConfig(config);
|
|
129
|
+
const [usernameProvider, clientSecretProvider] = await Promise.all([
|
|
130
|
+
normalized.usernameConfig
|
|
131
|
+
? credential_provider_factory_js_1.CredentialProviderFactory.createCredentialProvider(normalized.usernameConfig)
|
|
132
|
+
: Promise.resolve(undefined),
|
|
133
|
+
normalized.clientSecretConfig
|
|
134
|
+
? credential_provider_factory_js_1.CredentialProviderFactory.createCredentialProvider(normalized.clientSecretConfig)
|
|
135
|
+
: Promise.resolve(undefined),
|
|
136
|
+
]);
|
|
137
|
+
const options = {
|
|
138
|
+
authorizeUrl: normalized.authorizeUrl,
|
|
139
|
+
tokenUrl: normalized.tokenUrl,
|
|
140
|
+
redirectUri: normalized.redirectUri,
|
|
141
|
+
clientId: normalized.clientId,
|
|
142
|
+
scopes: normalized.scopes,
|
|
143
|
+
};
|
|
144
|
+
if (usernameProvider) {
|
|
145
|
+
options.usernameProvider = usernameProvider;
|
|
146
|
+
}
|
|
147
|
+
if (clientSecretProvider) {
|
|
148
|
+
options.clientSecretProvider = clientSecretProvider;
|
|
149
|
+
}
|
|
150
|
+
if (normalized.audience) {
|
|
151
|
+
options.audience = normalized.audience;
|
|
152
|
+
}
|
|
153
|
+
if (normalized.codeChallengeMethod) {
|
|
154
|
+
options.codeChallengeMethod = normalized.codeChallengeMethod
|
|
155
|
+
.toUpperCase();
|
|
156
|
+
}
|
|
157
|
+
if (normalized.codeVerifierLength) {
|
|
158
|
+
options.codeVerifierLength = normalized.codeVerifierLength;
|
|
159
|
+
}
|
|
160
|
+
if (normalized.clockSkewSeconds) {
|
|
161
|
+
options.clockSkewSeconds = normalized.clockSkewSeconds;
|
|
162
|
+
}
|
|
163
|
+
if (normalized.loginHintParam) {
|
|
164
|
+
options.loginHintParam = normalized.loginHintParam;
|
|
165
|
+
}
|
|
166
|
+
const { OAuth2PkceTokenProvider } = await getOAuth2PkceTokenProviderModule();
|
|
167
|
+
return new OAuth2PkceTokenProvider(options);
|
|
168
|
+
}
|
|
169
|
+
}
|
|
170
|
+
exports.OAuth2PkceTokenProviderFactory = OAuth2PkceTokenProviderFactory;
|
|
171
|
+
exports.default = OAuth2PkceTokenProviderFactory;
|