@oathmesh/sdk 1.0.2
- package/README.md +238 -0
- package/dist/index.d.ts +37 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +47 -0
- package/dist/index.js.map +1 -0
- package/dist/middleware.d.ts +39 -0
- package/dist/middleware.d.ts.map +1 -0
- package/dist/middleware.js +58 -0
- package/dist/middleware.js.map +1 -0
- package/dist/next.d.ts +117 -0
- package/dist/next.d.ts.map +1 -0
- package/dist/next.js +183 -0
- package/dist/next.js.map +1 -0
- package/dist/types.d.ts +174 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +98 -0
- package/dist/types.js.map +1 -0
- package/dist/verify.d.ts +31 -0
- package/dist/verify.d.ts.map +1 -0
- package/dist/verify.js +176 -0
- package/dist/verify.js.map +1 -0
- package/package.json +81 -0
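--- a/package/dist/next.js
+++ b/package/dist/next.js
@@ -0,0 +1,183 @@
+"use strict";
+/**
+* OathMesh Next.js adapters.
+*
+* Provides verification for:
+* - App Router Route Handlers (GET, POST, etc.)
+* - Pages Router API Routes
+* - Next.js Edge Middleware
+*
+* All adapters use the same core verifier — no framework-specific crypto.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withOathMesh = withOathMesh;
+exports.withOathMeshApi = withOathMeshApi;
+exports.createEdgeVerifier = createEdgeVerifier;
+const types_1 = require("./types");
+const verify_1 = require("./verify");
+// ─── App Router (Route Handlers) ────────────────────────────────────────────
+/**
+* Verify an OathMesh token inside a Next.js App Router Route Handler.
+*
+* Returns the verified caller context or throws an OathMeshError.
+* Use with `NextRequest` in route handlers.
+*
+* @example
+* ```typescript
+* // app/api/inventory/route.ts
+* import { NextRequest, NextResponse } from 'next/server';
+* import { withOathMesh } from '@oathmesh/sdk/next';
+*
+* const oathmesh = withOathMesh({
+* audience: 'https://inventory.internal',
+* trustedIssuers: ['https://issuer.oathmesh.dev'],
+* });
+*
+* export async function GET(request: NextRequest) {
+* const { caller, error } = await oathmesh(request);
+* if (error) return error;
+*
+* return NextResponse.json({
+* subject: caller.principal.subject,
+* action: caller.action,
+* });
+* }
+* ```
+*/
+function withOathMesh(config) {
+return async (request) => {
+const token = (0, verify_1.extractToken)(request.headers.get('authorization'));
+const headers = Object.fromEntries(request.headers.entries());
+if (!token) {
+const err = new types_1.OathMeshError('claim_missing:token', 'missing or invalid Authorization header', "provide a token in the format 'Authorization: OathMesh <token>'");
+await config.onDenied?.(err, headers);
+return {
+caller: null,
+error: Response.json(err.toJSON(), { status: 401 }),
+};
+}
+try {
+const caller = await (0, verify_1.verifyOathToken)(token, config);
+await config.onVerified?.(caller, headers);
+return { caller, error: null };
+}
+catch (e) {
+const err = e instanceof types_1.OathMeshError
+? e
+: new types_1.OathMeshError('verification_failed', e.message, 'check token format');
+await config.onDenied?.(err, headers);
+return {
+caller: null,
+error: Response.json(err.toJSON(), { status: 401 }),
+};
+}
+};
+}
+/**
+* Wrap a Next.js Pages Router API handler with OathMesh verification.
+*
+* The verified caller context is injected into `req.oathmeshContext`.
+*
+* @example
+* ```typescript
+* // pages/api/inventory.ts
+* import { withOathMeshApi } from '@oathmesh/sdk/next';
+*
+* export default withOathMeshApi(
+* {
+* audience: 'https://inventory.internal',
+* trustedIssuers: ['https://issuer.oathmesh.dev'],
+* },
+* (req, res) => {
+* const caller = (req as any).oathmeshContext;
+* res.json({ subject: caller.principal.subject });
+* }
+* );
+* ```
+*/
+function withOathMeshApi(config, handler) {
+return async (req, res) => {
+const authHeader = Array.isArray(req.headers.authorization)
+? req.headers.authorization[0]
+: req.headers.authorization;
+const token = (0, verify_1.extractToken)(authHeader);
+const headers = req.headers;
+if (!token) {
+const err = new types_1.OathMeshError('claim_missing:token', 'missing or invalid Authorization header', "provide a token in the format 'Authorization: OathMesh <token>'");
+await config.onDenied?.(err, headers);
+res.status(401).json(err.toJSON());
+return;
+}
+try {
+const caller = await (0, verify_1.verifyOathToken)(token, config);
+req.oathmeshContext = caller;
+await config.onVerified?.(caller, headers);
+await handler(req, res);
+}
+catch (e) {
+const err = e instanceof types_1.OathMeshError
+? e
+: new types_1.OathMeshError('verification_failed', e.message, 'check token format');
+await config.onDenied?.(err, headers);
+res.status(401).json(err.toJSON());
+}
+};
+}
+// ─── Edge Middleware ────────────────────────────────────────────────────────
+/**
+* Create a Next.js Edge Middleware verifier.
+*
+* Returns a function you call inside your `middleware.ts`. If verification
+* fails it returns a `Response` you should return immediately. If it passes,
+* it returns `null` and you should call `NextResponse.next()`.
+*
+* @example
+* ```typescript
+* // middleware.ts (project root)
+* import { NextRequest, NextResponse } from 'next/server';
+* import { createEdgeVerifier } from '@oathmesh/sdk/next';
+*
+* const verify = createEdgeVerifier({
+* audience: 'https://inventory.internal',
+* trustedIssuers: ['https://issuer.oathmesh.dev'],
+* });
+*
+* export async function middleware(request: NextRequest) {
+* const denied = await verify(request);
+* if (denied) return denied;
+*
+* // Verification passed — forward with injected headers
+* return NextResponse.next();
+* }
+*
+* export const config = {
+* matcher: '/api/:path*',
+* };
+* ```
+*/
+function createEdgeVerifier(config) {
+return async (request) => {
+const token = (0, verify_1.extractToken)(request.headers.get('authorization'));
+const headers = Object.fromEntries(request.headers.entries());
+if (!token) {
+const err = new types_1.OathMeshError('claim_missing:token', 'missing or invalid Authorization header', "provide a token in the format 'Authorization: OathMesh <token>'");
+await config.onDenied?.(err, headers);
+return Response.json(err.toJSON(), { status: 401 });
+}
+try {
+const caller = await (0, verify_1.verifyOathToken)(token, config);
+await config.onVerified?.(caller, headers);
+// Verification passed — middleware.ts should call NextResponse.next()
+// with injected X-OathMesh-* headers if desired
+return null;
+}
+catch (e) {
+const err = e instanceof types_1.OathMeshError
+? e
+: new types_1.OathMeshError('verification_failed', e.message, 'check token format');
+await config.onDenied?.(err, headers);
+return Response.json(err.toJSON(), { status: 401 });
+}
+};
+}
+//# sourceMappingURL=next.js.map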
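Review bot: In `withOathMeshApi` the `await handler(req, res)` call sits inside the same `try` as `verifyOathToken`, so any exception thrown by the application handler is caught, wrapped as `verification_failed`, reported through `onDenied`, and answered with a 401 whose body carries the handler's own `e.message`. That records server faults as authentication denials in logs and metrics, can expose internal error text to the caller, and may try to write a second response after the handler has already started one. The same `e.message` pass-through for non-`OathMeshError` exceptions appears in `withOathMesh` and `createEdgeVerifier`; returning a fixed message such as `'token verification failed'` and keeping the detail for `onDenied` would avoid it. This file is compiled output (its source map names `../src/next.ts`), so the change belongs in the source; the sketch below is written against the emitted code.

```javascript
// … unchanged: header extraction and the missing-token branch …
let caller;
try {
    caller = await (0, verify_1.verifyOathToken)(token, config);
    req.oathmeshContext = caller;
    await config.onVerified?.(caller, headers);
}
catch (e) {
    // … unchanged: wrap e as OathMeshError, call onDenied, send the 401 …
    return;
}
// Handler errors now propagate to Next.js instead of being reported as a 401.
await handler(req, res);
```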
package/dist/next.js.map
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"next.js","sourceRoot":"","sources":["../src/next.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAmCH,oCAsCC;AA2CD,0CAmCC;AAmCD,gDA6BC;AArND,mCAAiH;AACjH,qCAAyD;AAEzD,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,SAAgB,YAAY,CAAC,MAAsB;IACjD,OAAO,KAAK,EACV,OAAgB,EAIhB,EAAE;QACF,MAAM,KAAK,GAAG,IAAA,qBAAY,EAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC;QACjE,MAAM,OAAO,GAAG,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;QAE9D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,IAAI,qBAAa,CAC3B,qBAAqB,EACrB,yCAAyC,EACzC,iEAAiE,CAClE,CAAC;YACF,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YACtC,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;aACpD,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAe,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YACpD,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC3C,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACjC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,qBAAa;gBACpC,CAAC,CAAC,CAAC;gBACH,CAAC,CAAC,IAAI,qBAAa,CAAC,qBAAqB,EAAG,CAAW,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC;YACzF,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YACtC,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;aACpD,CAAC;QACJ,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAqBD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAgB,eAAe,CAC7B,MAAsB,EACtB,OAAuB;IAEvB,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACxB,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YACzD,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;YAC9B,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAC9B,MAAM,KAAK,GAAG,IAAA,qBAAY,EAAC,UAAU,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,GAAG,CAAC,OAA6C,CAAC;QAElE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,IAAI,qBAAa,CAC3B,qBAAqB,EACrB,yCAAyC,EACzC,iEAAiE,CAClE,CAAC;YACF,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YACtC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MA
AM,EAAE,CAAC,CAAC;YACnC,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAe,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YACnD,GAAW,CAAC,eAAe,GAAG,MAAM,CAAC;YACtC,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC3C,MAAM,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,qBAAa;gBACpC,CAAC,CAAC,CAAC;gBACH,CAAC,CAAC,IAAI,qBAAa,CAAC,qBAAqB,EAAG,CAAW,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC;YACzF,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YACtC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,SAAgB,kBAAkB,CAAC,MAAsB;IACvD,OAAO,KAAK,EAAE,OAAgB,EAA4B,EAAE;QAC1D,MAAM,KAAK,GAAG,IAAA,qBAAY,EAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC;QACjE,MAAM,OAAO,GAAG,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;QAE9D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,IAAI,qBAAa,CAC3B,qBAAqB,EACrB,yCAAyC,EACzC,iEAAiE,CAClE,CAAC;YACF,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YACtC,OAAO,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAe,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YACpD,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC3C,sEAAsE;YACtE,gDAAgD;YAChD,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,qBAAa;gBACpC,CAAC,CAAC,CAAC;gBACH,CAAC,CAAC,IAAI,qBAAa,CAAC,qBAAqB,EAAG,CAAW,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC;YACzF,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YACtC,OAAO,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}
|
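--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -0,0 +1,174 @@
+/**
+* OathMesh SDK Types
+*
+* These types mirror the Go VerifiedCallerContext from internal/core/context.go.
+*/
+/** Authenticated identity of the caller. */
+export interface Principal {
+/** Canonical issuer URL (e.g., "https://issuer.oathmesh.dev") */
+issuer: string;
+/** Subject URI — always a scheme: svc://, agent://, job://, tool://, user:// */
+subject: string;
+}
+/** Source provenance — where the call originated. */
+export interface Source {
+type: string;
+repo?: string;
+workflow?: string;
+runId?: string;
+sha?: string;
+}
+/** The verified identity after successful token verification. */
+export interface VerifiedCallerContext {
+principal: Principal;
+action: string;
+tokenId: string;
+environment: string;
+scope?: string[];
+reason?: string;
+source?: Source;
+}
+/** Machine-readable error code from the OathMesh error taxonomy. */
+export type ErrorCode = 'claim_missing:token' | 'claim_missing:iss' | 'claim_missing:sub' | 'claim_missing:aud' | 'claim_missing:act' | 'claim_missing:jti' | 'signature_invalid' | 'issuer_untrusted' | 'token_expired' | 'audience_mismatch' | 'algorithm_not_allowed' | 'replay_detected' | 'policy_denied' | 'binding_mismatch' | 'binding_required' | 'verification_failed';
+/** Structured error returned on verification failure. */
+export declare class OathMeshError extends Error {
+readonly code: ErrorCode;
+readonly fix?: string;
+constructor(code: ErrorCode, message: string, fix?: string);
+/** Serialize to the standard OathMesh error JSON shape. */
+toJSON(): {
+error: ErrorCode;
+message: string;
+fix: string | undefined;
+};
+}
+/** Configuration for the OathMesh verifier. */
+export interface VerifierConfig {
+/** The audience URL this receiver expects (exact match, no globs). */
+audience: string;
+/** Trusted issuer URLs (explicit allowlist — no wildcards, no auto-discovery). */
+trustedIssuers: string[];
+/**
+* Enforces that tokens MUST include an rqh claim.
+* When true, tokens without rqh are rejected with error "binding_required".
+* Recommended for all write/mutate endpoints to prevent tampering.
+* Default: false (for backward compatibility).
+*/
+requireRequestBinding?: boolean;
+/**
+* Replay cache for preventing token reuse.
+* If provided, tokens with duplicate jti within TTL are rejected.
+* Use InMemoryReplayCache for development, or implement Redis-based cache for production.
+* Default: undefined (no replay checking).
+*/
+replayCache?: ReplayCache;
+/**
+* Policy evaluator for authorization decisions.
+* If provided, token verification includes policy evaluation.
+* Use JsonPolicyEvaluator with a JSON policy document.
+* Default: undefined (no policy enforcement).
+*/
+policyEvaluator?: PolicyEvaluator;
+/**
+* Called on every denied request. Use for logging, metrics, or alerting.
+* Runs after the error response is determined but before it is sent.
+*/
+onDenied?: (err: OathMeshError, headers: Record<string, string | undefined>) => void | Promise<void>;
+/**
+* Called on every successful verification. Use for logging or metrics.
+*/
+onVerified?: (ctx: VerifiedCallerContext, headers: Record<string, string | undefined>) => void | Promise<void>;
+}
+/** The JSON body shape returned on verification failure. */
+export interface OathMeshErrorBody {
+error: ErrorCode;
+message: string;
+fix?: string;
+request_id?: string;
+}
+/**
+* Replay cache interface for preventing token reuse attacks.
+* Implementations can be in-memory (for single-instance) or Redis (for multi-instance).
+*/
+export interface ReplayCache {
+/**
+* Check if a token JTI has been seen before.
+* Returns true if the token has been replayed (already used).
+* Returns false if this is the first time seeing this JTI.
+*/
+check(jti: string): boolean | Promise<boolean>;
+/**
+* Record a token JTI as seen.
+* Should be called after successful verification.
+*/
+add(jti: string): void | Promise<void>;
+}
+/**
+* In-memory replay cache implementation for development/single-instance.
+* Uses a Map with TTL to automatically expire old entries.
+*/
+export declare class InMemoryReplayCache implements ReplayCache {
+private cache;
+private defaultTTL;
+constructor(defaultTTL?: number);
+check(jti: string): boolean;
+add(jti: string): void;
+}
+/**
+* Policy input for evaluation.
+*/
+export interface PolicyInput {
+iss: string;
+sub: string;
+aud: string;
+act: string;
+scope?: string[];
+env?: string;
+}
+/**
+* Policy decision result.
+*/
+export interface PolicyDecision {
+outcome: 'allow' | 'deny';
+ruleName?: string;
+denyReason?: string;
+}
+/**
+* Policy evaluator interface.
+* Implementations evaluate token claims against policy rules.
+*/
+export interface PolicyEvaluator {
+evaluate(input: PolicyInput): PolicyDecision | Promise<PolicyDecision>;
+}
+/**
+* JSON policy rule format.
+*/
+export interface JsonPolicyRule {
+match?: {
+sub?: string;
+aud?: string;
+act?: string;
+scope?: string[];
+env?: string;
+};
+allow: boolean;
+ruleName?: string;
+denyReason?: string;
+}
+/**
+* JSON policy document format.
+*/
+export interface JsonPolicyDocument {
+rules: JsonPolicyRule[];
+}
+/**
+* JSON policy evaluator that loads and evaluates simple JSON policies.
+*/
+export declare class JsonPolicyEvaluator implements PolicyEvaluator {
+private policy;
+constructor(policy: JsonPolicyDocument);
+evaluate(input: PolicyInput): PolicyDecision;
+private matchesRule;
+private matchPattern;
+}
+//# sourceMappingURL=types.d.ts.map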
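Review bot: `ReplayCache` splits replay detection into `check(jti)` and `add(jti)`, which no implementation can make atomic: two concurrent requests carrying the same `jti` can both see `check` return false before either `add` runs, and with the Redis-backed cache the comment recommends for production that window spans instances. A single method that records and reports in one step (for example a `checkAndAdd(jti)` backed by a set-if-absent operation) would close it; at minimum the interface comment should state the limitation. Separately, the `onDenied` and `onVerified` comments suggest logging, yet the adapters in `next.js` pass the full request header map, so I would add `Note: headers includes the raw Authorization value and any cookies; redact before logging.` to both. How `verify.js` orders the two cache calls is not visible on this page.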
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,4CAA4C;AAC5C,MAAM,WAAW,SAAS;IACxB,iEAAiE;IACjE,MAAM,EAAE,MAAM,CAAC;IACf,gFAAgF;IAChF,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,qDAAqD;AACrD,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,iEAAiE;AACjE,MAAM,WAAW,qBAAqB;IACpC,SAAS,EAAE,SAAS,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,oEAAoE;AACpE,MAAM,MAAM,SAAS,GACjB,qBAAqB,GACrB,mBAAmB,GACnB,mBAAmB,GACnB,mBAAmB,GACnB,mBAAmB,GACnB,mBAAmB,GACnB,mBAAmB,GACnB,kBAAkB,GAClB,eAAe,GACf,mBAAmB,GACnB,uBAAuB,GACvB,iBAAiB,GACjB,eAAe,GACf,kBAAkB,GAClB,kBAAkB,GAClB,qBAAqB,CAAC;AAE1B,yDAAyD;AACzD,qBAAa,aAAc,SAAQ,KAAK;IACtC,SAAgB,IAAI,EAAE,SAAS,CAAC;IAChC,SAAgB,GAAG,CAAC,EAAE,MAAM,CAAC;gBAEjB,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM;IAO1D,2DAA2D;IAC3D,MAAM;;;;;CAOP;AAED,+CAA+C;AAC/C,MAAM,WAAW,cAAc;IAC7B,sEAAsE;IACtE,QAAQ,EAAE,MAAM,CAAC;IACjB,kFAAkF;IAClF,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;OAKG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC;;;;;OAKG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B;;;;;OAKG;IACH,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrG;;OAEG;IACH,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,qBAAqB,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAChH;AAED,4DAA4D;AAC5D,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,SAAS,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/C;;;OAGG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC
,IAAI,CAAC,CAAC;CACxC;AAED;;;GAGG;AACH,qBAAa,mBAAoB,YAAW,WAAW;IACrD,OAAO,CAAC,KAAK,CAAkC;IAC/C,OAAO,CAAC,UAAU,CAAS;gBAEf,UAAU,GAAE,MAAY;IAIpC,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAY3B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;CAGvB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,KAAK,EAAE,WAAW,GAAG,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;CACxE;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,KAAK,CAAC,EAAE;QACN,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;QACjB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;IACF,KAAK,EAAE,OAAO,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,cAAc,EAAE,CAAC;CACzB;AAED;;GAEG;AACH,qBAAa,mBAAoB,YAAW,eAAe;IACzD,OAAO,CAAC,MAAM,CAAqB;gBAEvB,MAAM,EAAE,kBAAkB;IAItC,QAAQ,CAAC,KAAK,EAAE,WAAW,GAAG,cAAc;IAiB5C,OAAO,CAAC,WAAW;IAYnB,OAAO,CAAC,YAAY;CAOrB"}
|
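--- a/package/dist/types.js
+++ b/package/dist/types.js
@@ -0,0 +1,98 @@
+"use strict";
+/**
+* OathMesh SDK Types
+*
+* These types mirror the Go VerifiedCallerContext from internal/core/context.go.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JsonPolicyEvaluator = exports.InMemoryReplayCache = exports.OathMeshError = void 0;
+/** Structured error returned on verification failure. */
+class OathMeshError extends Error {
+constructor(code, message, fix) {
+super(message);
+this.name = 'OathMeshError';
+this.code = code;
+this.fix = fix;
+}
+/** Serialize to the standard OathMesh error JSON shape. */
+toJSON() {
+return {
+error: this.code,
+message: this.message,
+fix: this.fix,
+};
+}
+}
+exports.OathMeshError = OathMeshError;
+/**
+* In-memory replay cache implementation for development/single-instance.
+* Uses a Map with TTL to automatically expire old entries.
+*/
+class InMemoryReplayCache {
+constructor(defaultTTL = 300) {
+this.cache = new Map();
+this.defaultTTL = defaultTTL;
+}
+check(jti) {
+const expiresAt = this.cache.get(jti);
+if (expiresAt === undefined) {
+return false;
+}
+if (Date.now() > expiresAt) {
+this.cache.delete(jti);
+return false;
+}
+return true;
+}
+add(jti) {
+this.cache.set(jti, Date.now() + this.defaultTTL * 1000);
+}
+}
+exports.InMemoryReplayCache = InMemoryReplayCache;
+/**
+* JSON policy evaluator that loads and evaluates simple JSON policies.
+*/
+class JsonPolicyEvaluator {
+constructor(policy) {
+this.policy = policy;
+}
+evaluate(input) {
+for (const rule of this.policy.rules) {
+if (this.matchesRule(input, rule)) {
+return {
+outcome: rule.allow ? 'allow' : 'deny',
+ruleName: rule.ruleName,
+denyReason: rule.denyReason,
+};
+}
+}
+// Default deny if no rules match
+return {
+outcome: 'deny',
+denyReason: 'no matching policy rule',
+};
+}
+matchesRule(input, rule) {
+if (!rule.match)
+return false;
+const match = rule.match;
+if (match.sub && !this.matchPattern(input.sub, match.sub))
+return false;
+if (match.aud && !this.matchPattern(input.aud, match.aud))
+return false;
+if (match.act && !this.matchPattern(input.act, match.act))
+return false;
+if (match.env && input.env !== match.env)
+return false;
+return true;
+}
+matchPattern(value, pattern) {
+if (pattern.includes('*')) {
+const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
+return regex.test(value);
+}
+return value === pattern;
+}
+}
+exports.JsonPolicyEvaluator = JsonPolicyEvaluator;
+//# sourceMappingURL=types.js.map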
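Review bot: `matchesRule` never reads `match.scope`, although `JsonPolicyRule` declares it, so an allow rule written with a scope restriction matches tokens of any scope. In `matchPattern` only `*` is translated before the pattern is handed to `RegExp`, so the `.` in a wildcard URL pattern matches any character and a pattern containing `(` or `[` throws instead of evaluating; both make allow rules broader or more fragile than the policy author wrote. Escaping metacharacters before expanding `*` and adding a scope check addresses both; whether a rule should require all or any of its listed scopes is not stated on the page, so the sketch below assumes all. `InMemoryReplayCache` also deletes an entry only when the same `jti` is checked again after expiry, so the map grows with every distinct token; sweeping expired entries in `add` would bound it.

```javascript
matchesRule(input, rule) {
    // … unchanged: missing-match guard and the sub/aud/act/env checks …
    // A rule that lists scopes matches only when the token carries all of them.
    if (match.scope && !match.scope.every((s) => (input.scope ?? []).includes(s)))
        return false;
    return true;
}
matchPattern(value, pattern) {
    if (pattern.includes('*')) {
        // Escape regex metacharacters so that only '*' acts as a wildcard.
        const escaped = pattern
            .replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
            .replace(/\\\*/g, '.*');
        return new RegExp('^' + escaped + '$').test(value);
    }
    return value === pattern;
}
```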
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAiDH,yDAAyD;AACzD,MAAa,aAAc,SAAQ,KAAK;IAItC,YAAY,IAAe,EAAE,OAAe,EAAE,GAAY;QACxD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;QAC5B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACjB,CAAC;IAED,2DAA2D;IAC3D,MAAM;QACJ,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,IAAI;YAChB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,CAAC;IACJ,CAAC;CACF;AAnBD,sCAmBC;AAkED;;;GAGG;AACH,MAAa,mBAAmB;IAI9B,YAAY,aAAqB,GAAG;QAH5B,UAAK,GAAwB,IAAI,GAAG,EAAE,CAAC;QAI7C,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,GAAW;QACf,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,EAAE,CAAC;YAC3B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,GAAW;QACb,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IAC3D,CAAC;CACF;AAvBD,kDAuBC;AAsDD;;GAEG;AACH,MAAa,mBAAmB;IAG9B,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,QAAQ,CAAC,KAAkB;QACzB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACrC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC;gBAClC,OAAO;oBACL,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;oBACtC,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;iBAC5B,CAAC;YACJ,CAAC;QACH,CAAC;QACD,iCAAiC;QACjC,OAAO;YACL,OAAO,EAAE,MAAM;YACf,UAAU,EAAE,yBAAyB;SACtC,CAAC;IACJ,CAAC;IAEO,WAAW,CAAC,KAAkB,EAAE,IAAoB;QAC1D,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QAEzB,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QACxE,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QACxE,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,
IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QACxE,IAAI,KAAK,CAAC,GAAG,IAAI,KAAK,CAAC,GAAG,KAAK,KAAK,CAAC,GAAG;YAAE,OAAO,KAAK,CAAC;QAEvD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,YAAY,CAAC,KAAa,EAAE,OAAe;QACjD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC;YACnE,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3B,CAAC;QACD,OAAO,KAAK,KAAK,OAAO,CAAC;IAC3B,CAAC;CACF;AA3CD,kDA2CC"}
|
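--- a/package/dist/verify.d.ts
+++ b/package/dist/verify.d.ts
@@ -0,0 +1,31 @@
+/**
+* Core OathMesh token verification — framework-agnostic.
+*
+* This module contains the pure verification logic shared by all framework
+* adapters (Express, Next.js App Router, Next.js Pages Router, Edge Middleware).
+* It has no dependency on any HTTP framework.
+*/
+import { type VerifierConfig, type VerifiedCallerContext } from './types';
+/**
+* Extract the raw token string from an Authorization header value.
+*
+* Accepts:
+* - `OathMesh <token>` (canonical)
+* - `Bearer <token>` (compatibility — only when the token contains om+jwt typ)
+*
+* @returns The raw token string, or null if the header is missing/invalid.
+*/
+export declare function extractToken(authHeader: string | null | undefined): string | null;
+/**
+* Verify an OathMesh token string and return the verified caller context.
+*
+* This is the core verification function. Framework adapters call this
+* and handle HTTP responses themselves.
+*
+* @param token - Raw token string (without "OathMesh " prefix)
+* @param config - Verifier configuration
+* @returns Verified caller context on success
+* @throws OathMeshError on any verification failure
+*/
+export declare function verifyOathToken(token: string, config: VerifierConfig): Promise<VerifiedCallerContext>;
+//# sourceMappingURL=verify.d.ts.map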
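Review bot: `verifyOathToken(token, config)` receives nothing about the HTTP request, and `VerifierConfig` has no request fields either, so from this declaration the `rqh` request-binding claim can be required but it is unclear what it is compared against. If `binding_mismatch` is meant to catch a token presented with a different method, path or body, the signature needs a request descriptor, or the doc comment should say that callers must perform that comparison themselves. I would also extend the `extractToken` comment to say how the `Bearer` compatibility path decides a token has the `om+jwt` typ, since the token header is unauthenticated at that point. `verify.js` is not part of this page, so both points are inferred from the declarations and the adapters' call sites.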
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAiB,KAAK,cAAc,EAAE,KAAK,qBAAqB,EAAoB,MAAM,SAAS,CAAC;AAoB3G;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAKjF;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,qBAAqB,CAAC,CAgIhC"}
|