@naylence/runtime 0.3.5-test.911 → 0.3.5-test.914

package/dist/cjs/naylence/fame/config/extended-fame-config.js

@@ -57,6 +57,61 @@ const CONFIG_SEARCH_PATHS = [
 ];
 const fsModuleSpecifier = String.fromCharCode(102) + String.fromCharCode(115);
 let cachedFsModule = null;
+// Capture this module's URL without triggering TypeScript's import.meta restriction on CJS builds
+const currentModuleUrl = (() => {
+    try {
+        return (0, eval)('import.meta.url');
+    }
+    catch {
+        return undefined;
+    }
+})();
+let cachedNodeRequire = typeof require === 'function' ? require : null;
+function fileUrlToPath(url) {
+    try {
+        const parsed = new URL(url);
+        if (parsed.protocol !== 'file:') {
+            return null;
+        }
+        let pathname = parsed.pathname;
+        if (typeof process !== 'undefined' &&
+            process.platform === 'win32' &&
+            pathname.startsWith('/')) {
+            pathname = pathname.slice(1);
+        }
+        return decodeURIComponent(pathname);
+    }
+    catch {
+        return null;
+    }
+}
+function getNodeRequire() {
+    if (cachedNodeRequire) {
+        return cachedNodeRequire;
+    }
+    if (!logging_types_js_1.isNode) {
+        return null;
+    }
+    const processBinding = process.binding;
+    if (typeof processBinding !== 'function') {
+        return null;
+    }
+    try {
+        const moduleWrap = processBinding('module_wrap');
+        if (typeof moduleWrap?.createRequire !== 'function') {
+            return null;
+        }
+        const modulePathFromUrl = currentModuleUrl
+            ? fileUrlToPath(currentModuleUrl)
+            : null;
+        const requireSource = modulePathFromUrl ?? `${process.cwd()}/.naylence-require-shim.js`;
+        cachedNodeRequire = moduleWrap.createRequire(requireSource);
+        return cachedNodeRequire;
+    }
+    catch {
+        return null;
+    }
+}
 function getFsModule() {
     if (cachedFsModule) {
         return cachedFsModule;
@@ -64,9 +119,10 @@ function getFsModule() {
     if (!logging_types_js_1.isNode) {
         throw new Error('File system access is not available in this environment');
     }
-    if (typeof require === 'function') {
+    const nodeRequire = typeof require === 'function' ? require : getNodeRequire();
+    if (nodeRequire) {
         try {
-            cachedFsModule = require(fsModuleSpecifier);
+            cachedFsModule = nodeRequire(fsModuleSpecifier);
             return cachedFsModule;
         }
         catch (error) {

package/dist/cjs/naylence/fame/http/jwks-api-router.js

@@ -1,14 +1,12 @@
 "use strict";
 /**
- * JWKS (JSON Web Key Set) API router for Express
+ * JWKS (JSON Web Key Set) API plugin for Fastify
  *
  * Provides /.well-known/jwks.json endpoint for public key discovery
  * Used by OAuth2/JWT token verification
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createJwksRouter = createJwksRouter;
-const tslib_1 = require("tslib");
-const express_1 = tslib_1.__importDefault(require("express"));
 const logging_js_1 = require("../util/logging.js");
 const logger = (0, logging_js_1.getLogger)('naylence.fame.http.jwks_api_router');
 const DEFAULT_PREFIX = '';
@@ -88,23 +86,22 @@ function filterKeysByType(jwksData, allowedTypes) {
     return { ...jwksData, keys: filteredKeys };
 }
 /**
- * Create an Express router that exposes JWKS at /.well-known/jwks.json
+ * Create a Fastify plugin that exposes JWKS at /.well-known/jwks.json
  *
  * @param options - Router configuration options
- * @returns Express router with JWKS endpoint
+ * @returns Fastify plugin with JWKS endpoint
  *
  * @example
  * ```typescript
- * import express from 'express';
+ * import Fastify from 'fastify';
  * import { createJwksRouter } from '@naylence/runtime';
  *
- * const app = express();
+ * const app = Fastify();
  * const cryptoProvider = new MyCryptoProvider();
- * app.use(createJwksRouter({ cryptoProvider }));
+ * app.register(createJwksRouter({ cryptoProvider }));
  * ```
  */
 function createJwksRouter(options = {}) {
-    const router = express_1.default.Router();
     const { getJwksJson, cryptoProvider, prefix = DEFAULT_PREFIX, keyTypes, } = normalizeCreateJwksRouterOptions(options);
     // Get JWKS data
     let jwks;
@@ -127,14 +124,15 @@ function createJwksRouter(options = {}) {
         key_types: allowedKeyTypes,
         total_keys: jwks.keys.length,
     });
-    // JWKS endpoint
-    router.get(`${prefix}/.well-known/jwks.json`, (_req, res) => {
-        const filteredJwks = filterKeysByType(jwks, allowedKeyTypes);
-        logger.debug('jwks_served', {
-            total_keys: jwks.keys.length,
-            filtered_keys: filteredJwks.keys.length,
+    const plugin = async (instance) => {
+        instance.get(`${prefix}/.well-known/jwks.json`, async (_request, reply) => {
+            const filteredJwks = filterKeysByType(jwks, allowedKeyTypes);
+            logger.debug('jwks_served', {
+                total_keys: jwks.keys.length,
+                filtered_keys: filteredJwks.keys.length,
+            });
+            reply.send(filteredJwks);
         });
-        res.json(filteredJwks);
-    });
-    return router;
+    };
+    return plugin;
 }

package/dist/cjs/naylence/fame/http/oauth2-server.js

@@ -26,7 +26,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.createApp = createApp;
 exports.main = main;
 const tslib_1 = require("tslib");
-const express_1 = tslib_1.__importDefault(require("express"));
+const fastify_1 = tslib_1.__importDefault(require("fastify"));
 const oauth2_token_router_js_1 = require("./oauth2-token-router.js");
 const jwks_api_router_js_1 = require("./jwks-api-router.js");
 const openid_configuration_router_js_1 = require("./openid-configuration-router.js");
@@ -58,23 +58,18 @@ async function getCryptoProvider() {
     return DefaultCryptoProvider.create();
 }
 /**
- * Create and configure the OAuth2 Express application
+ * Create and configure the OAuth2 Fastify application
  */
 async function createApp() {
-    const app = (0, express_1.default)();
-    // Middleware
-    app.use(express_1.default.json());
-    app.use(express_1.default.urlencoded({ extended: true }));
+    const app = (0, fastify_1.default)({ logger: false });
     // Get crypto provider
     const cryptoProvider = await getCryptoProvider();
     // Add routers
-    app.use((0, oauth2_token_router_js_1.createOAuth2TokenRouter)({ cryptoProvider }));
-    app.use((0, jwks_api_router_js_1.createJwksRouter)({ cryptoProvider }));
-    app.use((0, openid_configuration_router_js_1.createOpenIDConfigurationRouter)());
+    app.register((0, oauth2_token_router_js_1.createOAuth2TokenRouter)({ cryptoProvider }));
+    app.register((0, jwks_api_router_js_1.createJwksRouter)({ cryptoProvider }));
+    app.register((0, openid_configuration_router_js_1.createOpenIDConfigurationRouter)());
     // Health check endpoint
-    app.get('/health', (_req, res) => {
-        res.json({ status: 'ok' });
-    });
+    app.get('/health', async () => ({ status: 'ok' }));
     return app;
 }
 /**
@@ -102,25 +97,27 @@ async function main() {
     });
     const app = await createApp();
     // Start server
-    app.listen(port, host, () => {
-        logger.info('oauth2_server_started', {
-            host,
-            port,
-            endpoints: {
-                token: '/oauth/token',
-                jwks: '/.well-known/jwks.json',
-                openid_config: '/.well-known/openid-configuration',
-                health: '/health',
-            },
-        });
+    await app.listen({ port, host });
+    logger.info('oauth2_server_started', {
+        host,
+        port,
+        endpoints: {
+            token: '/oauth/token',
+            jwks: '/.well-known/jwks.json',
+            openid_config: '/.well-known/openid-configuration',
+            health: '/health',
+        },
     });
+    const shutdown = (signal) => {
+        logger.info('oauth2_server_shutting_down', { signal });
+        app
+            .close()
+            .catch((error) => logger.error('oauth2_server_shutdown_error', {
+            error: error instanceof Error ? error.message : String(error),
+        }))
+            .finally(() => process.exit(0));
+    };
     // Graceful shutdown
-    process.on('SIGINT', () => {
-        logger.info('oauth2_server_shutting_down', { signal: 'SIGINT' });
-        process.exit(0);
-    });
-    process.on('SIGTERM', () => {
-        logger.info('oauth2_server_shutting_down', { signal: 'SIGTERM' });
-        process.exit(0);
-    });
+    process.on('SIGINT', () => shutdown('SIGINT'));
+    process.on('SIGTERM', () => shutdown('SIGTERM'));
 }

package/dist/cjs/naylence/fame/http/oauth2-token-router.js

@@ -1,6 +1,6 @@
 "use strict";
 /**
- * OAuth2 client credentials and authorization code (PKCE) grant router for Express
+ * OAuth2 client credentials and authorization code (PKCE) grant router for Fastify
  *
  * Provides /oauth/token and /oauth/authorize endpoints for local development and testing.
  * Implements OAuth2 client credentials grant with JWT token issuance and
@@ -9,11 +9,156 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createOAuth2TokenRouter = createOAuth2TokenRouter;
 const tslib_1 = require("tslib");
-const express_1 = tslib_1.__importDefault(require("express"));
+const formbody_1 = tslib_1.__importDefault(require("@fastify/formbody"));
 const node_crypto_1 = require("node:crypto");
 const jwt_token_issuer_js_1 = require("../security/auth/jwt-token-issuer.js");
 const logging_js_1 = require("../util/logging.js");
 const logger = (0, logging_js_1.getLogger)('naylence.fame.http.oauth2_token_router');
+class RouterCompat {
+    constructor() {
+        this.routes = [];
+    }
+    get(path, handler) {
+        this.routes.push({ method: 'GET', path, handler });
+    }
+    post(path, handler) {
+        this.routes.push({ method: 'POST', path, handler });
+    }
+    toPlugin() {
+        return async (fastify) => {
+            await fastify.register(formbody_1.default);
+            for (const route of this.routes) {
+                fastify.route({
+                    method: route.method,
+                    url: route.path,
+                    handler: async (request, reply) => {
+                        const compatRequest = toCompatRequest(request);
+                        const compatResponse = new FastifyResponseAdapter(reply);
+                        await route.handler(compatRequest, compatResponse);
+                    },
+                });
+            }
+        };
+    }
+}
+class FastifyResponseAdapter {
+    constructor(reply) {
+        this.reply = reply;
+    }
+    status(code) {
+        this.reply.status(code);
+        return this;
+    }
+    set(field, value) {
+        if (field.toLowerCase() === 'set-cookie') {
+            this.appendHeader(field, value);
+        }
+        else {
+            this.reply.header(field, value);
+        }
+        return this;
+    }
+    type(contentType) {
+        const normalized = contentType === 'html'
+            ? 'text/html'
+            : contentType === 'json'
+                ? 'application/json'
+                : contentType;
+        this.reply.type(normalized);
+        return this;
+    }
+    json(payload) {
+        this.reply.send(payload);
+    }
+    send(payload) {
+        this.reply.send(payload);
+    }
+    redirect(statusOrUrl, maybeUrl) {
+        if (typeof statusOrUrl === 'number') {
+            if (maybeUrl === undefined) {
+                throw new Error('redirect url is required when status code is provided');
+            }
+            this.reply.status(statusOrUrl);
+            this.reply.header('Location', maybeUrl);
+            this.reply.send();
+        }
+        else {
+            this.reply.redirect(statusOrUrl);
+        }
+    }
+    cookie(name, value, options) {
+        const serialized = serializeCookie(name, value, options);
+        this.appendHeader('Set-Cookie', serialized);
+    }
+    appendHeader(name, value) {
+        const existing = this.reply.getHeader(name);
+        if (Array.isArray(existing)) {
+            this.reply.header(name, [...existing, value]);
+        }
+        else if (typeof existing === 'string') {
+            this.reply.header(name, [existing, value]);
+        }
+        else if (existing === undefined) {
+            this.reply.header(name, value);
+        }
+        else {
+            this.reply.header(name, [String(existing), value]);
+        }
+    }
+}
+function toCompatRequest(request) {
+    const headers = {};
+    for (const [key, value] of Object.entries(request.headers)) {
+        if (typeof value === 'string') {
+            headers[key.toLowerCase()] = value;
+        }
+        else if (Array.isArray(value)) {
+            headers[key.toLowerCase()] = value.join(', ');
+        }
+        else if (value !== undefined && value !== null) {
+            headers[key.toLowerCase()] = String(value);
+        }
+        else {
+            headers[key.toLowerCase()] = undefined;
+        }
+    }
+    return {
+        body: request.body,
+        headers,
+        method: request.method,
+        originalUrl: request.raw.url ?? request.url,
+        query: request.query ?? {},
+    };
+}
+function serializeCookie(name, value, options) {
+    const segments = [
+        `${encodeURIComponent(name)}=${encodeURIComponent(value)}`,
+    ];
+    if (options.maxAge !== undefined) {
+        const maxAgeMs = options.maxAge;
+        const maxAgeSeconds = Math.floor(maxAgeMs / 1000);
+        segments.push(`Max-Age=${maxAgeSeconds}`);
+        const expires = new Date(Date.now() + maxAgeMs).toUTCString();
+        segments.push(`Expires=${expires}`);
+    }
+    segments.push(`Path=${options.path ?? '/'}`);
+    if (options.httpOnly) {
+        segments.push('HttpOnly');
+    }
+    if (options.secure) {
+        segments.push('Secure');
+    }
+    if (options.sameSite) {
+        const normalized = options.sameSite.toLowerCase();
+        const formatted = normalized === 'strict'
+            ? 'Strict'
+            : normalized === 'none'
+                ? 'None'
+                : 'Lax';
+        segments.push(`SameSite=${formatted}`);
+    }
+    return segments.join('; ');
+}
 const DEFAULT_PREFIX = '/oauth';
 const ENV_VAR_CLIENT_ID = 'FAME_JWT_CLIENT_ID';
 const ENV_VAR_CLIENT_SECRET = 'FAME_JWT_CLIENT_SECRET';
@@ -435,11 +580,11 @@ function respondInvalidClient(res) {
     });
 }
 /**
- * Create an Express router that implements OAuth2 token and authorization endpoints
+ * Create a Fastify plugin that implements OAuth2 token and authorization endpoints
  * with support for client credentials and authorization code (PKCE) grants.
  *
  * @param options - Router configuration options
- * @returns Express router with OAuth2 token and authorization endpoints
+ * @returns Fastify plugin with OAuth2 token and authorization endpoints
  *
  * Environment Variables:
  *   FAME_JWT_CLIENT_ID: OAuth2 client identifier
@@ -453,7 +598,7 @@ function respondInvalidClient(res) {
  *   FAME_OAUTH_CODE_TTL_SEC: Authorization code TTL in seconds (optional, default: 300)
  */
 function createOAuth2TokenRouter(options) {
-    const router = express_1.default.Router();
+    const router = new RouterCompat();
     const { cryptoProvider, prefix = DEFAULT_PREFIX, issuer, audience, tokenTtlSec, allowedScopes: configAllowedScopes, algorithm: configAlgorithm, enablePkce: configEnablePkce, allowPublicClients: configAllowPublicClients, authorizationCodeTtlSec: configAuthorizationCodeTtlSec, enableDevLogin: configEnableDevLogin, devLoginUsername: configDevLoginUsername, devLoginPassword: configDevLoginPassword, devLoginSessionTtlSec: configDevLoginSessionTtlSec, devLoginCookieName: configDevLoginCookieName, devLoginSecureCookie: configDevLoginSecureCookie, devLoginTitle: configDevLoginTitle, } = normalizeCreateOAuth2TokenRouterOptions(options);
     if (!cryptoProvider) {
         throw new Error('cryptoProvider is required to create OAuth2 token router');
@@ -752,7 +897,7 @@ function createOAuth2TokenRouter(options) {
     };
     router.post(`${prefix}/logout`, logoutHandler);
     router.get(`${prefix}/logout`, logoutHandler);
-    router.post(`${prefix}/token`, async (req, res, next) => {
+    router.post(`${prefix}/token`, async (req, res) => {
         try {
             cleanupAuthorizationCodes(authorizationCodes, Date.now());
             const { grant_type, client_id, client_secret, scope, audience: reqAudience, code, redirect_uri, code_verifier, } = req.body ?? {};
@@ -937,7 +1082,7 @@ function createOAuth2TokenRouter(options) {
         }
         catch (error) {
             logger.error('oauth2_token_error', { error: error.message });
-            next(error);
+            throw error;
         }
     });
     async function issueTokenResponse(params) {
@@ -970,5 +1115,5 @@ function createOAuth2TokenRouter(options) {
         }
         return response;
     }
-    return router;
+    return router.toPlugin();
 }

package/dist/cjs/naylence/fame/http/openid-configuration-router.js

@@ -1,13 +1,11 @@
 "use strict";
 /**
- * OpenID Connect Discovery configuration router for Express
+ * OpenID Connect Discovery configuration plugin for Fastify
  *
  * Provides /.well-known/openid-configuration endpoint for OAuth2/OIDC client auto-discovery
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createOpenIDConfigurationRouter = createOpenIDConfigurationRouter;
-const tslib_1 = require("tslib");
-const express_1 = tslib_1.__importDefault(require("express"));
 const logging_js_1 = require("../util/logging.js");
 const logger = (0, logging_js_1.getLogger)('naylence.fame.http.openid_configuration_router');
 const DEFAULT_PREFIX = '';
@@ -81,10 +79,10 @@ function getAllowedScopes(configScopes) {
     return configScopes ?? ['node.connect'];
 }
 /**
- * Create an Express router that implements OpenID Connect Discovery
+ * Create a Fastify plugin that implements OpenID Connect Discovery
  *
  * @param options - Router configuration options
- * @returns Express router with OpenID configuration endpoint
+ * @returns Fastify plugin with OpenID configuration endpoint
  *
  * Environment Variables:
  *   FAME_JWT_ISSUER: JWT issuer claim (optional)
@@ -93,17 +91,16 @@ function getAllowedScopes(configScopes) {
  *
  * @example
  * ```typescript
- * import express from 'express';
+ * import Fastify from 'fastify';
  * import { createOpenIDConfigurationRouter } from '@naylence/runtime';
  *
- * const app = express();
- * app.use(createOpenIDConfigurationRouter({
+ * const app = Fastify();
+ * app.register(createOpenIDConfigurationRouter({
  *   issuer: 'https://auth.example.com',
  * }));
  * ```
  */
 function createOpenIDConfigurationRouter(options = {}) {
-    const router = express_1.default.Router();
     const { prefix = DEFAULT_PREFIX, issuer, baseUrl, tokenEndpointPath = '/oauth/token', jwksEndpointPath = '/.well-known/jwks.json', allowedScopes: configAllowedScopes, algorithm: configAlgorithm, } = normalizeOpenIDConfigurationRouterOptions(options);
     // Resolve configuration with environment variable priority
     const defaultIssuer = process.env[ENV_VAR_JWT_ISSUER] ?? issuer ?? 'https://auth.fame.fabric';
@@ -119,27 +116,28 @@ function createOpenIDConfigurationRouter(options = {}) {
         algorithm,
         allowedScopes,
     });
-    // OpenID Connect Discovery endpoint
-    router.get(`${prefix}/.well-known/openid-configuration`, (_req, res) => {
-        // Construct absolute URLs for endpoints
-        const tokenEndpoint = `${defaultBaseUrl.replace(/\/$/, '')}${tokenEndpointPath}`;
-        const jwksUri = `${defaultBaseUrl.replace(/\/$/, '')}${jwksEndpointPath}`;
-        const config = {
-            issuer: defaultIssuer,
-            token_endpoint: tokenEndpoint,
-            jwks_uri: jwksUri,
-            scopes_supported: allowedScopes,
-            response_types_supported: ['token'],
-            grant_types_supported: ['client_credentials'],
-            token_endpoint_auth_methods_supported: [
-                'client_secret_basic',
-                'client_secret_post',
-            ],
-            subject_types_supported: ['public'],
-            id_token_signing_alg_values_supported: [algorithm],
-        };
-        logger.debug('openid_config_served', { config });
-        res.json(config);
-    });
-    return router;
+    const plugin = async (instance) => {
+        instance.get(`${prefix}/.well-known/openid-configuration`, async (_request, reply) => {
+            // Construct absolute URLs for endpoints
+            const tokenEndpoint = `${defaultBaseUrl.replace(/\/$/, '')}${tokenEndpointPath}`;
+            const jwksUri = `${defaultBaseUrl.replace(/\/$/, '')}${jwksEndpointPath}`;
+            const config = {
+                issuer: defaultIssuer,
+                token_endpoint: tokenEndpoint,
+                jwks_uri: jwksUri,
+                scopes_supported: allowedScopes,
+                response_types_supported: ['token'],
+                grant_types_supported: ['client_credentials'],
+                token_endpoint_auth_methods_supported: [
+                    'client_secret_basic',
+                    'client_secret_post',
+                ],
+                subject_types_supported: ['public'],
+                id_token_signing_alg_values_supported: [algorithm],
+            };
+            logger.debug('openid_config_served', { config });
+            reply.send(config);
+        });
+    };
+    return plugin;
 }

package/dist/cjs/naylence/fame/node/admission/admission-profile-factory.js

@@ -22,6 +22,8 @@ const ENV_VAR_DIRECT_INPAGE_CHANNEL = 'FAME_DIRECT_INPAGE_CHANNEL';
 const ENV_VAR_ADMISSION_SERVICE_URL = 'FAME_ADMISSION_SERVICE_URL';
 const DEFAULT_INPAGE_CHANNEL = 'naylence-fabric';
 const PROFILE_NAME_WELCOME = 'welcome';
+const PROFILE_NAME_WELCOME_PKCE = 'welcome-pkce';
+const PROFILE_NAME_WELCOME_PKCE_ALIAS = 'welcome_pkce';
 const PROFILE_NAME_DIRECT = 'direct';
 const PROFILE_NAME_DIRECT_HTTP = 'direct-http';
 const PROFILE_NAME_DIRECT_INPAGE = 'direct-inpage';
@@ -82,6 +84,7 @@ function createOAuthPkceTokenProviderConfig() {
 }
 const welcomeIsRoot = factory_1.Expressions.env(ENV_VAR_IS_ROOT, 'false');
 const welcomeTokenProvider = createOAuthTokenProviderConfig();
+const welcomePkceTokenProvider = createOAuthPkceTokenProviderConfig();
 const WELCOME_SERVICE_PROFILE = {
     type: 'WelcomeServiceClient',
     is_root: welcomeIsRoot,
@@ -95,6 +98,19 @@ const WELCOME_SERVICE_PROFILE = {
         tokenProvider: welcomeTokenProvider,
     },
 };
+const WELCOME_SERVICE_PKCE_PROFILE = {
+    type: 'WelcomeServiceClient',
+    is_root: welcomeIsRoot,
+    isRoot: welcomeIsRoot,
+    url: factory_1.Expressions.env(ENV_VAR_ADMISSION_SERVICE_URL),
+    supported_transports: ['websocket'],
+    supportedTransports: ['websocket'],
+    auth: {
+        type: 'BearerTokenHeaderAuth',
+        token_provider: welcomePkceTokenProvider,
+        tokenProvider: welcomePkceTokenProvider,
+    },
+};
 const directGrantTokenProvider = createOAuthTokenProviderConfig();
 const directGrant = {
     type: 'WebSocketConnectionGrant',
@@ -200,6 +216,8 @@ const NOOP_PROFILE = {
 };
 const PROFILE_MAP = {
     [PROFILE_NAME_WELCOME]: WELCOME_SERVICE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE]: WELCOME_SERVICE_PKCE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE_ALIAS]: WELCOME_SERVICE_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT]: DIRECT_PROFILE,
     [PROFILE_NAME_DIRECT_PKCE]: DIRECT_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT_PKCE_ALIAS]: DIRECT_PKCE_PROFILE,