@naylence/runtime 0.3.5-test.910 → 0.3.5-test.911
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/browser/index.cjs +1847 -1054
- package/dist/browser/index.mjs +1842 -1049
- package/dist/cjs/naylence/fame/factory-manifest.js +2 -0
- package/dist/cjs/naylence/fame/http/oauth2-token-router.js +751 -88
- package/dist/cjs/naylence/fame/node/admission/admission-profile-factory.js +61 -0
- package/dist/cjs/naylence/fame/security/auth/oauth2-pkce-token-provider-factory.js +171 -0
- package/dist/cjs/naylence/fame/security/auth/oauth2-pkce-token-provider.js +560 -0
- package/dist/cjs/naylence/fame/telemetry/open-telemetry-trace-emitter-factory.js +19 -2
- package/dist/cjs/naylence/fame/telemetry/open-telemetry-trace-emitter.js +19 -9
- package/dist/cjs/naylence/fame/util/register-runtime-factories.js +6 -0
- package/dist/cjs/version.js +2 -2
- package/dist/esm/naylence/fame/factory-manifest.js +2 -0
- package/dist/esm/naylence/fame/http/oauth2-token-router.js +751 -88
- package/dist/esm/naylence/fame/node/admission/admission-profile-factory.js +61 -0
- package/dist/esm/naylence/fame/security/auth/oauth2-pkce-token-provider-factory.js +134 -0
- package/dist/esm/naylence/fame/security/auth/oauth2-pkce-token-provider.js +555 -0
- package/dist/esm/naylence/fame/telemetry/open-telemetry-trace-emitter-factory.js +19 -2
- package/dist/esm/naylence/fame/telemetry/open-telemetry-trace-emitter.js +19 -9
- package/dist/esm/naylence/fame/util/register-runtime-factories.js +6 -0
- package/dist/esm/version.js +2 -2
- package/dist/node/index.cjs +1843 -1050
- package/dist/node/index.mjs +1842 -1049
- package/dist/node/node.cjs +2658 -1202
- package/dist/node/node.mjs +2657 -1201
- package/dist/types/naylence/fame/factory-manifest.d.ts +1 -1
- package/dist/types/naylence/fame/http/oauth2-token-router.d.ts +73 -17
- package/dist/types/naylence/fame/security/auth/oauth2-pkce-token-provider-factory.d.ts +27 -0
- package/dist/types/naylence/fame/security/auth/oauth2-pkce-token-provider.d.ts +42 -0
- package/dist/types/naylence/fame/telemetry/open-telemetry-trace-emitter.d.ts +4 -0
- package/dist/types/version.d.ts +1 -1
- package/package.json +3 -1
|
@@ -8,6 +8,12 @@ const ENV_VAR_JWT_AUDIENCE = 'FAME_JWT_AUDIENCE';
|
|
|
8
8
|
const ENV_VAR_ADMISSION_TOKEN_URL = 'FAME_ADMISSION_TOKEN_URL';
|
|
9
9
|
const ENV_VAR_ADMISSION_CLIENT_ID = 'FAME_ADMISSION_CLIENT_ID';
|
|
10
10
|
const ENV_VAR_ADMISSION_CLIENT_SECRET = 'FAME_ADMISSION_CLIENT_SECRET';
|
|
11
|
+
const ENV_VAR_ADMISSION_AUTHORIZE_URL = 'FAME_ADMISSION_AUTHORIZE_URL';
|
|
12
|
+
const ENV_VAR_ADMISSION_REDIRECT_URL = 'FAME_ADMISSION_REDIRECT_URL';
|
|
13
|
+
const ENV_VAR_ADMISSION_LOGIN_HINT_PARAM = 'FAME_ADMISSION_LOGIN_HINT_PARAM';
|
|
14
|
+
const ENV_VAR_ADMISSION_CODE_CHALLENGE_METHOD = 'FAME_ADMISSION_CODE_CHALLENGE_METHOD';
|
|
15
|
+
const ENV_VAR_ADMISSION_CODE_VERIFIER_LENGTH = 'FAME_ADMISSION_CODE_VERIFIER_LENGTH';
|
|
16
|
+
const ENV_VAR_ADMISSION_CLOCK_SKEW_SECONDS = 'FAME_ADMISSION_CLOCK_SKEW_SECONDS';
|
|
11
17
|
const ENV_VAR_DIRECT_ADMISSION_URL = 'FAME_DIRECT_ADMISSION_URL';
|
|
12
18
|
const ENV_VAR_DIRECT_INPAGE_CHANNEL = 'FAME_DIRECT_INPAGE_CHANNEL';
|
|
13
19
|
const ENV_VAR_ADMISSION_SERVICE_URL = 'FAME_ADMISSION_SERVICE_URL';
|
|
@@ -16,10 +22,12 @@ const PROFILE_NAME_WELCOME = 'welcome';
|
|
|
16
22
|
const PROFILE_NAME_DIRECT = 'direct';
|
|
17
23
|
const PROFILE_NAME_DIRECT_HTTP = 'direct-http';
|
|
18
24
|
const PROFILE_NAME_DIRECT_INPAGE = 'direct-inpage';
|
|
25
|
+
const PROFILE_NAME_DIRECT_PKCE = 'direct-pkce';
|
|
19
26
|
const PROFILE_NAME_OPEN = 'open';
|
|
20
27
|
const PROFILE_NAME_NOOP = 'noop';
|
|
21
28
|
const PROFILE_NAME_NONE = 'none';
|
|
22
29
|
const PROFILE_NAME_DIRECT_INPAGE_ALIAS = 'direct_inpage';
|
|
30
|
+
const PROFILE_NAME_DIRECT_PKCE_ALIAS = 'direct_pkce';
|
|
23
31
|
function createOAuthTokenProviderConfig() {
|
|
24
32
|
const tokenUrl = Expressions.env(ENV_VAR_ADMISSION_TOKEN_URL);
|
|
25
33
|
const clientId = Expressions.env(ENV_VAR_ADMISSION_CLIENT_ID);
|
|
@@ -37,6 +45,38 @@ function createOAuthTokenProviderConfig() {
|
|
|
37
45
|
audience,
|
|
38
46
|
};
|
|
39
47
|
}
|
|
48
|
+
function createOAuthPkceTokenProviderConfig() {
|
|
49
|
+
const authorizeUrl = Expressions.env(ENV_VAR_ADMISSION_AUTHORIZE_URL);
|
|
50
|
+
const tokenUrl = Expressions.env(ENV_VAR_ADMISSION_TOKEN_URL);
|
|
51
|
+
const redirectUri = Expressions.env(ENV_VAR_ADMISSION_REDIRECT_URL);
|
|
52
|
+
const clientId = Expressions.env(ENV_VAR_ADMISSION_CLIENT_ID);
|
|
53
|
+
const loginHintParam = Expressions.env(ENV_VAR_ADMISSION_LOGIN_HINT_PARAM, 'login_hint');
|
|
54
|
+
const audience = Expressions.env(ENV_VAR_JWT_AUDIENCE);
|
|
55
|
+
const codeChallengeMethod = Expressions.env(ENV_VAR_ADMISSION_CODE_CHALLENGE_METHOD, 'S256');
|
|
56
|
+
const codeVerifierLength = Expressions.env(ENV_VAR_ADMISSION_CODE_VERIFIER_LENGTH, '64');
|
|
57
|
+
const clockSkewSeconds = Expressions.env(ENV_VAR_ADMISSION_CLOCK_SKEW_SECONDS, '30');
|
|
58
|
+
return {
|
|
59
|
+
type: 'OAuth2PkceTokenProvider',
|
|
60
|
+
authorizeUrl,
|
|
61
|
+
authorize_url: authorizeUrl,
|
|
62
|
+
tokenUrl,
|
|
63
|
+
token_url: tokenUrl,
|
|
64
|
+
redirectUri,
|
|
65
|
+
redirect_uri: redirectUri,
|
|
66
|
+
clientId,
|
|
67
|
+
client_id: clientId,
|
|
68
|
+
loginHintParam,
|
|
69
|
+
login_hint_param: loginHintParam,
|
|
70
|
+
scopes: ['node.connect'],
|
|
71
|
+
audience,
|
|
72
|
+
codeChallengeMethod,
|
|
73
|
+
code_challenge_method: codeChallengeMethod,
|
|
74
|
+
codeVerifierLength,
|
|
75
|
+
code_verifier_length: codeVerifierLength,
|
|
76
|
+
clockSkewSeconds,
|
|
77
|
+
clock_skew_seconds: clockSkewSeconds,
|
|
78
|
+
};
|
|
79
|
+
}
|
|
40
80
|
const welcomeIsRoot = Expressions.env(ENV_VAR_IS_ROOT, 'false');
|
|
41
81
|
const welcomeTokenProvider = createOAuthTokenProviderConfig();
|
|
42
82
|
const WELCOME_SERVICE_PROFILE = {
|
|
@@ -71,6 +111,25 @@ const DIRECT_PROFILE = {
|
|
|
71
111
|
connection_grants: directGrants,
|
|
72
112
|
connectionGrants: directGrants,
|
|
73
113
|
};
|
|
114
|
+
const directPkceTokenProvider = createOAuthPkceTokenProviderConfig();
|
|
115
|
+
const directPkceGrant = {
|
|
116
|
+
type: 'WebSocketConnectionGrant',
|
|
117
|
+
purpose: GRANT_PURPOSE_NODE_ATTACH,
|
|
118
|
+
url: Expressions.env(ENV_VAR_DIRECT_ADMISSION_URL),
|
|
119
|
+
auth: {
|
|
120
|
+
type: 'WebSocketSubprotocolAuth',
|
|
121
|
+
token_provider: directPkceTokenProvider,
|
|
122
|
+
tokenProvider: directPkceTokenProvider,
|
|
123
|
+
},
|
|
124
|
+
ttl: 0,
|
|
125
|
+
durable: false,
|
|
126
|
+
};
|
|
127
|
+
const directPkceGrants = [directPkceGrant];
|
|
128
|
+
const DIRECT_PKCE_PROFILE = {
|
|
129
|
+
type: 'DirectAdmissionClient',
|
|
130
|
+
connection_grants: directPkceGrants,
|
|
131
|
+
connectionGrants: directPkceGrants,
|
|
132
|
+
};
|
|
74
133
|
const directHttpTokenProvider = createOAuthTokenProviderConfig();
|
|
75
134
|
const directHttpGrant = {
|
|
76
135
|
type: 'HttpConnectionGrant',
|
|
@@ -139,6 +198,8 @@ const NOOP_PROFILE = {
|
|
|
139
198
|
const PROFILE_MAP = {
|
|
140
199
|
[PROFILE_NAME_WELCOME]: WELCOME_SERVICE_PROFILE,
|
|
141
200
|
[PROFILE_NAME_DIRECT]: DIRECT_PROFILE,
|
|
201
|
+
[PROFILE_NAME_DIRECT_PKCE]: DIRECT_PKCE_PROFILE,
|
|
202
|
+
[PROFILE_NAME_DIRECT_PKCE_ALIAS]: DIRECT_PKCE_PROFILE,
|
|
142
203
|
[PROFILE_NAME_DIRECT_HTTP]: DIRECT_HTTP_PROFILE,
|
|
143
204
|
[PROFILE_NAME_DIRECT_INPAGE]: DIRECT_INPAGE_PROFILE,
|
|
144
205
|
[PROFILE_NAME_DIRECT_INPAGE_ALIAS]: DIRECT_INPAGE_PROFILE,
|
|
@@ -0,0 +1,134 @@
|
|
|
1
|
+
import { CredentialProviderFactory, } from '../credential/credential-provider-factory.js';
|
|
2
|
+
import { normalizeSecretSource, } from '../credential/secret-source.js';
|
|
3
|
+
import { safeImport } from '../../util/lazy-import.js';
|
|
4
|
+
import { TOKEN_PROVIDER_FACTORY_BASE_TYPE, TokenProviderFactory, } from './token-provider-factory.js';
|
|
5
|
+
let oauth2PkceTokenProviderModulePromise = null;
|
|
6
|
+
async function getOAuth2PkceTokenProviderModule() {
|
|
7
|
+
if (!oauth2PkceTokenProviderModulePromise) {
|
|
8
|
+
oauth2PkceTokenProviderModulePromise = safeImport(() => import('./oauth2-pkce-token-provider.js'), 'oauth2-pkce-token-provider');
|
|
9
|
+
}
|
|
10
|
+
return oauth2PkceTokenProviderModulePromise;
|
|
11
|
+
}
|
|
12
|
+
function ensureNonEmptyString(value, field) {
|
|
13
|
+
if (typeof value !== 'string' || value.trim().length === 0) {
|
|
14
|
+
throw new Error(`OAuth2PkceTokenProvider ${field} must be a non-empty string`);
|
|
15
|
+
}
|
|
16
|
+
return value.trim();
|
|
17
|
+
}
|
|
18
|
+
function normalizeScopes(value) {
|
|
19
|
+
if (Array.isArray(value)) {
|
|
20
|
+
const scopes = value
|
|
21
|
+
.map((scope) => (typeof scope === 'string' ? scope.trim() : ''))
|
|
22
|
+
.filter((scope) => scope.length > 0);
|
|
23
|
+
return scopes;
|
|
24
|
+
}
|
|
25
|
+
if (typeof value === 'string' && value.trim().length > 0) {
|
|
26
|
+
return value
|
|
27
|
+
.split(/[\s,]+/u)
|
|
28
|
+
.map((scope) => scope.trim())
|
|
29
|
+
.filter((scope) => scope.length > 0);
|
|
30
|
+
}
|
|
31
|
+
return [];
|
|
32
|
+
}
|
|
33
|
+
function normalizeConfig(config) {
|
|
34
|
+
if (!config) {
|
|
35
|
+
throw new Error('OAuth2PkceTokenProvider requires configuration');
|
|
36
|
+
}
|
|
37
|
+
const candidate = config;
|
|
38
|
+
const authorizeUrl = ensureNonEmptyString(candidate.authorizeUrl ?? candidate.authorize_url, 'authorizeUrl');
|
|
39
|
+
const tokenUrl = ensureNonEmptyString(candidate.tokenUrl ?? candidate.token_url, 'tokenUrl');
|
|
40
|
+
const redirectUri = ensureNonEmptyString(candidate.redirectUri ?? candidate.redirect_uri, 'redirectUri');
|
|
41
|
+
const clientId = ensureNonEmptyString(candidate.clientId ?? candidate.client_id, 'clientId');
|
|
42
|
+
const usernameSource = (candidate.username ??
|
|
43
|
+
candidate.username_source);
|
|
44
|
+
const clientSecretSource = (candidate.clientSecret ??
|
|
45
|
+
candidate.client_secret);
|
|
46
|
+
const scopes = normalizeScopes(candidate.scopes ?? candidate.scope);
|
|
47
|
+
const normalized = {
|
|
48
|
+
authorizeUrl,
|
|
49
|
+
tokenUrl,
|
|
50
|
+
redirectUri,
|
|
51
|
+
clientId,
|
|
52
|
+
scopes,
|
|
53
|
+
};
|
|
54
|
+
if (usernameSource) {
|
|
55
|
+
normalized.usernameConfig = normalizeSecretSource(usernameSource);
|
|
56
|
+
}
|
|
57
|
+
if (clientSecretSource) {
|
|
58
|
+
normalized.clientSecretConfig = normalizeSecretSource(clientSecretSource);
|
|
59
|
+
}
|
|
60
|
+
const audienceCandidate = candidate.audience ?? candidate.aud;
|
|
61
|
+
if (typeof audienceCandidate === 'string' && audienceCandidate.trim().length > 0) {
|
|
62
|
+
normalized.audience = audienceCandidate.trim();
|
|
63
|
+
}
|
|
64
|
+
const codeChallengeMethod = candidate.codeChallengeMethod ?? candidate.code_challenge_method;
|
|
65
|
+
if (typeof codeChallengeMethod === 'string' && codeChallengeMethod.trim().length > 0) {
|
|
66
|
+
normalized.codeChallengeMethod = codeChallengeMethod.trim();
|
|
67
|
+
}
|
|
68
|
+
const codeVerifierLength = candidate.codeVerifierLength ?? candidate.code_verifier_length;
|
|
69
|
+
if (typeof codeVerifierLength === 'number' && Number.isFinite(codeVerifierLength)) {
|
|
70
|
+
normalized.codeVerifierLength = codeVerifierLength;
|
|
71
|
+
}
|
|
72
|
+
const clockSkewSeconds = candidate.clockSkewSeconds ?? candidate.clock_skew_seconds;
|
|
73
|
+
if (typeof clockSkewSeconds === 'number' && Number.isFinite(clockSkewSeconds)) {
|
|
74
|
+
normalized.clockSkewSeconds = clockSkewSeconds;
|
|
75
|
+
}
|
|
76
|
+
const loginHintParam = candidate.loginHintParam ?? candidate.login_hint_param;
|
|
77
|
+
if (typeof loginHintParam === 'string' && loginHintParam.trim().length > 0) {
|
|
78
|
+
normalized.loginHintParam = loginHintParam.trim();
|
|
79
|
+
}
|
|
80
|
+
return normalized;
|
|
81
|
+
}
|
|
82
|
+
export const FACTORY_META = {
|
|
83
|
+
base: TOKEN_PROVIDER_FACTORY_BASE_TYPE,
|
|
84
|
+
key: 'OAuth2PkceTokenProvider',
|
|
85
|
+
};
|
|
86
|
+
export class OAuth2PkceTokenProviderFactory extends TokenProviderFactory {
|
|
87
|
+
constructor() {
|
|
88
|
+
super(...arguments);
|
|
89
|
+
this.type = 'OAuth2PkceTokenProvider';
|
|
90
|
+
}
|
|
91
|
+
async create(config) {
|
|
92
|
+
const normalized = normalizeConfig(config);
|
|
93
|
+
const [usernameProvider, clientSecretProvider] = await Promise.all([
|
|
94
|
+
normalized.usernameConfig
|
|
95
|
+
? CredentialProviderFactory.createCredentialProvider(normalized.usernameConfig)
|
|
96
|
+
: Promise.resolve(undefined),
|
|
97
|
+
normalized.clientSecretConfig
|
|
98
|
+
? CredentialProviderFactory.createCredentialProvider(normalized.clientSecretConfig)
|
|
99
|
+
: Promise.resolve(undefined),
|
|
100
|
+
]);
|
|
101
|
+
const options = {
|
|
102
|
+
authorizeUrl: normalized.authorizeUrl,
|
|
103
|
+
tokenUrl: normalized.tokenUrl,
|
|
104
|
+
redirectUri: normalized.redirectUri,
|
|
105
|
+
clientId: normalized.clientId,
|
|
106
|
+
scopes: normalized.scopes,
|
|
107
|
+
};
|
|
108
|
+
if (usernameProvider) {
|
|
109
|
+
options.usernameProvider = usernameProvider;
|
|
110
|
+
}
|
|
111
|
+
if (clientSecretProvider) {
|
|
112
|
+
options.clientSecretProvider = clientSecretProvider;
|
|
113
|
+
}
|
|
114
|
+
if (normalized.audience) {
|
|
115
|
+
options.audience = normalized.audience;
|
|
116
|
+
}
|
|
117
|
+
if (normalized.codeChallengeMethod) {
|
|
118
|
+
options.codeChallengeMethod = normalized.codeChallengeMethod
|
|
119
|
+
.toUpperCase();
|
|
120
|
+
}
|
|
121
|
+
if (normalized.codeVerifierLength) {
|
|
122
|
+
options.codeVerifierLength = normalized.codeVerifierLength;
|
|
123
|
+
}
|
|
124
|
+
if (normalized.clockSkewSeconds) {
|
|
125
|
+
options.clockSkewSeconds = normalized.clockSkewSeconds;
|
|
126
|
+
}
|
|
127
|
+
if (normalized.loginHintParam) {
|
|
128
|
+
options.loginHintParam = normalized.loginHintParam;
|
|
129
|
+
}
|
|
130
|
+
const { OAuth2PkceTokenProvider } = await getOAuth2PkceTokenProviderModule();
|
|
131
|
+
return new OAuth2PkceTokenProvider(options);
|
|
132
|
+
}
|
|
133
|
+
}
|
|
134
|
+
export default OAuth2PkceTokenProviderFactory;
|