@ogcio/api-auth 4.29.0

package/__tests__/index.test.ts

@@ -0,0 +1,89 @@
+import { expect, test } from "vitest";
+import {
+  type ScopeMap,
+  getMapFromScope,
+  validatePermission,
+} from "../src/utils.js";
+
+const mapFromScopeTestCases: {
+  description: string;
+  scope: string;
+  expected: ScopeMap;
+}[] = [
+  {
+    description: "getMapFromScope: Single scope",
+    scope: "payments:payment:create",
+    expected: new Map([
+      ["payments", new Map([["payment", new Map([["create", true]])]])],
+    ]),
+  },
+  {
+    description: "getMapFromScope: Single scope with wildcard",
+    scope: "payments:payment:*",
+    expected: new Map([["payments", new Map([["payment", true]])]]),
+  },
+  {
+    description: "getMapFromScope: Multiple scopes",
+    scope: "payments:payment:create payments:transaction:read",
+    expected: new Map([
+      [
+        "payments",
+        new Map([
+          ["payment", new Map([["create", true]])],
+          ["transaction", new Map([["read", true]])],
+        ]),
+      ],
+    ]),
+  },
+  {
+    description: "getMapFromScope: Multiple scopes with resource wildcard",
+    scope: "payments:payment:create payments:* payments:transaction:read",
+    expected: new Map([["payments", true]]),
+  },
+  {
+    description: "getMapFromScope: Multiple scopes with action wildcard",
+    scope:
+      "payments:payment:create payments:transaction:* payments:transaction:read",
+    expected: new Map([
+      [
+        "payments",
+        new Map([
+          // biome-ignore lint/suspicious/noExplicitAny: <explanation>
+          ["payment", new Map([["create", true]]) as any],
+          ["transaction", true],
+        ]),
+      ],
+    ]),
+  },
+];
+
+for (const { description, scope, expected } of mapFromScopeTestCases) {
+  test(description, () => {
+    const result = getMapFromScope(scope);
+    expect(result).toStrictEqual(expected);
+  });
+}
+
+test("validatePermission: passes with wildcard scope", () => {
+  const scope = "payments:payment:create payments:* payments:transaction:read";
+  const permission = "payments:transaction:read";
+
+  const result = validatePermission(permission, getMapFromScope(scope));
+  expect(result).toBe(true);
+});
+
+test("validatePermission: does not pass", () => {
+  const scope = "payments:payment:create payments:transaction:read";
+  const permission = "payments:transaction:create";
+
+  const result = validatePermission(permission, getMapFromScope(scope));
+  expect(result).toBe(false);
+});
+
+test("validatePermission: passes with exact match", () => {
+  const scope = "payments:payment:create payments:transaction:read";
+  const permission = "payments:transaction:read";
+
+  const result = validatePermission(permission, getMapFromScope(scope));
+  expect(result).toBe(true);
+});

package/dist/index.d.ts

@@ -0,0 +1,29 @@
+import type { FastifyInstance } from "fastify";
+type ExtractedUserData = {
+    userId: string;
+    organizationId?: string;
+    isM2MApplication: boolean;
+    accessToken: string;
+};
+declare module "fastify" {
+    interface FastifyRequest {
+        userData?: ExtractedUserData;
+    }
+}
+export declare const ensureUserCanAccessUser: (loggedUserData: ExtractedUserData | undefined, requestedUserId: string) => ExtractedUserData;
+export declare const checkPermissions: (authHeader: string, config: {
+    jwkEndpoint: string;
+    oidcEndpoint: string;
+}, requiredPermissions: string[], matchConfig?: {
+    method: string;
+}) => Promise<ExtractedUserData>;
+export type CheckPermissionsPluginOpts = {
+    jwkEndpoint: string;
+    oidcEndpoint: string;
+};
+export declare const checkPermissionsPlugin: (app: FastifyInstance, opts: CheckPermissionsPluginOpts) => Promise<void>;
+declare const _default: (app: FastifyInstance, opts: CheckPermissionsPluginOpts) => Promise<void>;
+export default _default;
+export * from "./logto-client/index.js";
+export * from "./jwtService.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAgC,MAAM,SAAS,CAAC;AAK7E,KAAK,iBAAiB,GAAG;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAIF,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,cAAc;QACtB,QAAQ,CAAC,EAAE,iBAAiB,CAAC;KAC9B;CACF;AA2BD,eAAO,MAAM,uBAAuB,mBAClB,iBAAiB,GAAG,SAAS,mBAC5B,MAAM,KACtB,iBAUF,CAAC;AAEF,eAAO,MAAM,gBAAgB,eACf,MAAM,UACV;IACN,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB,uBACoB,MAAM,EAAE;;MAE5B,OAAO,CAAC,iBAAiB,CAmC3B,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,eAAO,MAAM,sBAAsB,QAC5B,eAAe,QACd,0BAA0B,kBA2BjC,CAAC;8BA5BK,eAAe,QACd,0BAA0B;AA6BlC,wBAEG;AAEH,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC"}

package/dist/index.js

@@ -0,0 +1,71 @@
+import { httpErrors } from "@fastify/sensible";
+import { getErrorMessage } from "@ogcio/shared-errors";
+import fp from "fastify-plugin";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import { getMapFromScope, validatePermission } from "./utils.js";
+const extractBearerToken = (authHeader) => {
+    const [type, token] = authHeader.split(" ");
+    if (type !== "Bearer") {
+        throw httpErrors.unauthorized("Invalid Authorization header type, 'Bearer' expected");
+    }
+    return token;
+};
+const decodeLogtoToken = async (token, config) => {
+    // Reference: https://docs.logto.io/docs/recipes/protect-your-api/node/
+    const jwks = createRemoteJWKSet(new URL(config.jwkEndpoint));
+    const { payload } = await jwtVerify(token, jwks, {
+        issuer: config.oidcEndpoint,
+    });
+    return payload;
+};
+export const ensureUserCanAccessUser = (loggedUserData, requestedUserId) => {
+    if (loggedUserData && requestedUserId === loggedUserData.userId) {
+        return loggedUserData;
+    }
+    if (loggedUserData?.organizationId) {
+        return loggedUserData;
+    }
+    throw httpErrors.forbidden("You can't access this user's data");
+};
+export const checkPermissions = async (authHeader, config, requiredPermissions, matchConfig = { method: "OR" }) => {
+    const token = extractBearerToken(authHeader);
+    const payload = await decodeLogtoToken(token, config);
+    const { scope, sub, aud, client_id: clientId, } = payload;
+    const scopesMap = getMapFromScope(scope);
+    const grantAccess = matchConfig.method === "AND"
+        ? requiredPermissions.every((p) => validatePermission(p, scopesMap))
+        : requiredPermissions.some((p) => validatePermission(p, scopesMap));
+    if (!grantAccess) {
+        throw httpErrors.forbidden();
+    }
+    const organizationId = aud.includes("urn:logto:organization:")
+        ? aud.split("urn:logto:organization:")[1]
+        : undefined;
+    return {
+        userId: sub,
+        organizationId: organizationId,
+        accessToken: token,
+        isM2MApplication: sub === clientId,
+    };
+};
+export const checkPermissionsPlugin = async (app, opts) => {
+    app.decorate("checkPermissions", async (req, _rep, permissions, matchConfig) => {
+        const authHeader = req.headers.authorization;
+        if (!authHeader) {
+            throw httpErrors.unauthorized();
+        }
+        try {
+            const userData = await checkPermissions(authHeader, opts, permissions, matchConfig);
+            req.userData = userData;
+        }
+        catch (e) {
+            throw httpErrors.createError(403, getErrorMessage(e), { parent: e });
+        }
+    });
+};
+export default fp(checkPermissionsPlugin, {
+    name: "apiAuthPlugin",
+});
+export * from "./logto-client/index.js";
+export * from "./jwtService.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAChC,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAiBjE,MAAM,kBAAkB,GAAG,CAAC,UAAkB,EAAE,EAAE;IAChD,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,MAAM,UAAU,CAAC,YAAY,CAC3B,sDAAsD,CACvD,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEF,MAAM,gBAAgB,GAAG,KAAK,EAC5B,KAAa,EACb,MAGC,EACD,EAAE;IACF,uEAAuE;IACvE,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;IAC7D,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;QAC/C,MAAM,EAAE,MAAM,CAAC,YAAY;KAC5B,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,uBAAuB,GAAG,CACrC,cAA6C,EAC7C,eAAuB,EACJ,EAAE;IACrB,IAAI,cAAc,IAAI,eAAe,KAAK,cAAc,CAAC,MAAM,EAAE,CAAC;QAChE,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,IAAI,cAAc,EAAE,cAAc,EAAE,CAAC;QACnC,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,MAAM,UAAU,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC;AAClE,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,EACnC,UAAkB,EAClB,MAGC,EACD,mBAA6B,EAC7B,WAAW,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EACF,EAAE;IAC9B,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,EACJ,KAAK,EACL,GAAG,EACH,GAAG,EACH,SAAS,EAAE,QAAQ,GACpB,GAAG,OAKH,CAAC;IACF,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IAEzC,MAAM,WAAW,GACf,WAAW,CAAC,MAAM,KAAK,KAAK;QAC1B,CAAC,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QACpE,CAAC,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;IAExE,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,UAAU,CAAC,SAAS,EAAE,CAAC;IAC/B,CAAC;IAED,MAAM,cAAc,GAAG,GAAG,CAAC,QAAQ,CAAC,yBAAyB,CAAC;QAC5D,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC,CAAC,SAAS,CAAC;IAEd,OAAO;QACL,MAAM,EAAE,GAAG;QACX,cAAc,EAAE,cAAc;QAC9B,WAAW,EAAE,KAAK;QAClB,gBAAgB,EAAE,GAAG,KAAK,QAAQ;KACnC,CAAC;AACJ,CAAC,CAAC;AAOF,MAAM,CAAC,MAAM,sBAAsB,GAAG,KAAK,EACzC,GAAoB,EACpB,IAAgC,EAChC,EAAE;IACF,GAAG,CAAC,QAAQ,CACV,kBAAkB,EAClB,KAAK,EACH,GAAmB,EACnB,IAAkB,EAClB,WAAqB,EACrB,WAAyB,EACzB,EAAE;QACF,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,UAAU,CAAC,YAAY,EAAE,CAAC;QAClC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CACrC,UAAU,EACV,IAAI,EACJ,WAAW,EACX,WAAW,CACZ,CAAC;YACF,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,UAAU,CAAC,WAAW,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC,CAAC;AAEF,eAAe,EAAE,CAAC,sBAAsB,EAAE;IACxC,IAAI,EAAE,eAAe;CACtB,CAAC,CAAC;AAEH,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC"}

package/dist/jwtService.d.ts

@@ -0,0 +1,36 @@
+import { type KMSClientConfig } from "@aws-sdk/client-kms";
+import { type JWK, type JWTPayload } from "jose";
+interface JWTOptions {
+    expirationTime?: string;
+    audience?: string;
+    issuer?: string;
+}
+/**
+ * Creates and signs a JWT using the provided payload and private key.
+ * @param payload - The JWT payload as an object.
+ * @param keyId - The key id or alias in KMS
+ * @param options - Optional parameters for customizing the JWT creation (e.g., expiration, audience, issuer).
+ */
+declare function createSignedJWT(payload: Record<string, unknown>, keyId: string, options: JWTOptions, kmsConfig: KMSClientConfig): Promise<string>;
+interface VerifyJWTOptions {
+    jwksUrl: string;
+    audience?: string;
+    issuer?: string;
+}
+/**
+ * Verifies the given JWT using the JWKS provided by the remote JWKS URL.
+ * @param token - The JWT token to verify.
+ * @param options - Object containing JWKS URL, expected audience, issuer, and algorithm.
+ */
+declare function verifyJWT(token: string, options: VerifyJWTOptions): Promise<JWTPayload>;
+/**
+ * Retrieves a public key from KMS and returns the JWKS (JSON Web Key Set) for the public key.
+ * @param keyId - The key id or alias in KMS.
+ */
+declare function getJWKS(keyId: string, kmsConfig: KMSClientConfig): Promise<{
+    keys: JWK[];
+}>;
+declare function getIssuerFromJWT(token: string): string | undefined;
+declare function unsecureVerifyJWT(token: string): JWTPayload;
+export { createSignedJWT, verifyJWT, getJWKS, getIssuerFromJWT, unsecureVerifyJWT, };
+//# sourceMappingURL=jwtService.d.ts.map

package/dist/jwtService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwtService.d.ts","sourceRoot":"","sources":["../src/jwtService.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,eAAe,EAErB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,KAAK,GAAG,EACR,KAAK,UAAU,EAOhB,MAAM,MAAM,CAAC;AAed,UAAU,UAAU;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,iBAAe,eAAe,CAC5B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,eAAe,mBAkC3B;AASD,UAAU,gBAAgB;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;GAIG;AACH,iBAAe,SAAS,CACtB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,gBAAgB,GACxB,OAAO,CAAC,UAAU,CAAC,CAsBrB;AAED;;;GAGG;AACH,iBAAe,OAAO,CACpB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,eAAe,GACzB,OAAO,CAAC;IAAE,IAAI,EAAE,GAAG,EAAE,CAAA;CAAE,CAAC,CAa1B;AAGD,iBAAS,gBAAgB,CAAC,KAAK,EAAE,MAAM,sBAEtC;AAED,iBAAS,iBAAiB,CAAC,KAAK,EAAE,MAAM,cAEvC;AAED,OAAO,EACL,eAAe,EACf,SAAS,EACT,OAAO,EACP,gBAAgB,EAChB,iBAAiB,GAClB,CAAC"}

package/dist/jwtService.js

@@ -0,0 +1,96 @@
+import { GetPublicKeyCommand, KMSClient, SignCommand, } from "@aws-sdk/client-kms";
+import { createRemoteJWKSet, decodeJwt, exportJWK, importSPKI, jwtVerify, } from "jose";
+const getKmsClient = (() => {
+    let kmsClient = null;
+    return function getKmsClient(kmsConfig) {
+        if (kmsClient)
+            return kmsClient;
+        kmsClient = new KMSClient(kmsConfig);
+        return kmsClient;
+    };
+})();
+const defaultAlgorithm = "RS256";
+/**
+ * Creates and signs a JWT using the provided payload and private key.
+ * @param payload - The JWT payload as an object.
+ * @param keyId - The key id or alias in KMS
+ * @param options - Optional parameters for customizing the JWT creation (e.g., expiration, audience, issuer).
+ */
+async function createSignedJWT(payload, keyId, options, kmsConfig) {
+    const { audience: aud, issuer: iss } = options;
+    const header = {
+        alg: defaultAlgorithm,
+        typ: "JWT",
+    };
+    // we need to create the jwt manually and sign it directly on KMS - private keys cannot be retrieved
+    const payloadString = JSON.stringify({ ...payload, aud, iss });
+    const encodedHeader = Buffer.from(JSON.stringify(header)).toString("base64url");
+    const encodedPayload = Buffer.from(payloadString).toString("base64url");
+    const messageToSign = `${encodedHeader}.${encodedPayload}`;
+    const input = {
+        KeyId: keyId,
+        Message: Buffer.from(messageToSign),
+        MessageType: "RAW",
+        SigningAlgorithm: "RSASSA_PKCS1_V1_5_SHA_256",
+    };
+    const command = new SignCommand(input);
+    const signResponse = await getKmsClient(kmsConfig).send(command);
+    if (!signResponse.Signature) {
+        throw new Error("KMS did not return a signature. Signing failed.");
+    }
+    const signature = Buffer.from(signResponse.Signature).toString("base64url");
+    return `${messageToSign}.${signature}`;
+}
+/**
+ * Returns the JWKS (JSON Web Key Set) for the public key.
+ */
+async function getJWKSRoute(publicKey) {
+    return { keys: [publicKey] };
+}
+/**
+ * Verifies the given JWT using the JWKS provided by the remote JWKS URL.
+ * @param token - The JWT token to verify.
+ * @param options - Object containing JWKS URL, expected audience, issuer, and algorithm.
+ */
+async function verifyJWT(token, options) {
+    const { jwksUrl, audience, issuer } = options;
+    // Create the remote JWK set from the given URL
+    const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+    // Define verification options
+    const verifyOptions = {
+        algorithms: [defaultAlgorithm],
+        audience, // Check if token is for the expected audience
+        issuer, // Check if token was issued by the expected issuer
+    };
+    // Verify the JWT using the remote JWKS
+    const { payload } = await jwtVerify(token, JWKS, verifyOptions);
+    // Check if the token has expired by verifying the `exp` claim
+    if (payload.exp && payload.exp * 1000 < Date.now()) {
+        throw new Error("Token has expired");
+    }
+    return payload;
+}
+/**
+ * Retrieves a public key from KMS and returns the JWKS (JSON Web Key Set) for the public key.
+ * @param keyId - The key id or alias in KMS.
+ */
+async function getJWKS(keyId, kmsConfig) {
+    const command = new GetPublicKeyCommand({ KeyId: keyId });
+    const { PublicKey } = await getKmsClient(kmsConfig).send(command);
+    if (!PublicKey)
+        throw new Error("KMS did not return a public key. Retrieval failed.");
+    // convert Uint8Array to JWK
+    const spki = `-----BEGIN PUBLIC KEY-----\n${Buffer.from(PublicKey).toString("base64")}\n-----END PUBLIC KEY-----`;
+    const keyObject = await importSPKI(spki, "RS256");
+    const jwk = await exportJWK(keyObject);
+    return getJWKSRoute(jwk);
+}
+// Function to decode JWT without validation
+function getIssuerFromJWT(token) {
+    return decodeJwt(token).iss;
+}
+function unsecureVerifyJWT(token) {
+    return decodeJwt(token);
+}
+export { createSignedJWT, verifyJWT, getJWKS, getIssuerFromJWT, unsecureVerifyJWT, };
+//# sourceMappingURL=jwtService.js.map

package/dist/jwtService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwtService.js","sourceRoot":"","sources":["../src/jwtService.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,EACnB,SAAS,EAET,WAAW,GACZ,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAIL,kBAAkB,EAClB,SAAS,EACT,SAAS,EACT,UAAU,EACV,SAAS,GACV,MAAM,MAAM,CAAC;AAEd,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE;IACzB,IAAI,SAAS,GAAqB,IAAI,CAAC;IAEvC,OAAO,SAAS,YAAY,CAAC,SAA0B;QACrD,IAAI,SAAS;YAAE,OAAO,SAAS,CAAC;QAEhC,SAAS,GAAG,IAAI,SAAS,CAAC,SAAS,CAAC,CAAC;QACrC,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;AACJ,CAAC,CAAC,EAAE,CAAC;AAEL,MAAM,gBAAgB,GAAG,OAAO,CAAC;AAQjC;;;;;GAKG;AACH,KAAK,UAAU,eAAe,CAC5B,OAAgC,EAChC,KAAa,EACb,OAAmB,EACnB,SAA0B;IAE1B,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAE/C,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,gBAAgB;QACrB,GAAG,EAAE,KAAK;KACX,CAAC;IAEF,oGAAoG;IACpG,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;IAE/D,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAChE,WAAW,CACZ,CAAC;IACF,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAExE,MAAM,aAAa,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;IAE3D,MAAM,KAAK,GAAG;QACZ,KAAK,EAAE,KAAK;QACZ,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC;QACnC,WAAW,EAAE,KAAc;QAC3B,gBAAgB,EAAE,2BAAoC;KACvD,CAAC;IACF,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,KAAK,CAAC,CAAC;IACvC,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAEjE,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAE5E,OAAO,GAAG,aAAa,IAAI,SAAS,EAAE,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,YAAY,CAAC,SAAc;IACxC,OAAO,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC;AAC/B,CAAC;AAQD;;;;GAIG;AACH,KAAK,UAAU,SAAS,CACtB,KAAa,EACb,OAAyB;IAEzB,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IAE9C,+CAA+C;IAC/C,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;IAElD,8BAA8B;IAC9B,MAAM,aAAa,GAAqB;QACtC,UAAU,EAAE,CAAC,gBAAgB,CAAC;QAC9B,QAAQ,EAAE,8CAA8C;QACxD,MAAM,EAAE,mDAAmD;KAC5D,CAAC;IAEF,uCAAuC;IACvC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;IAEhE,8DAA8D;IAC9D,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,OAAO,CACpB,KAAa,EACb,SAA0B;IAE1B,MAAM,OAAO,GAAG,IAAI,mBAAmB,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1D,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAElE,IAAI,CAAC,SAAS;QACZ,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IAExE,4BAA4B;IAC5B,MAAM,IAAI,GAAG,+BAA+B,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,4BAA4B,CAAC;IAClH,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IAEvC,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED,4CAA4C;AAC5C,SAAS,gBAAgB,CAAC,KAAa;IACrC,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC;AAC9B,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAa;IACtC,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC;AAC1B,CAAC;AAED,OAAO,EACL,eAAe,EACf,SAAS,EACT,OAAO,EACP,gBAAgB,EAChB,iBAAiB,GAClB,CAAC"}

package/dist/logto-client/index.d.ts

@@ -0,0 +1,16 @@
+interface GetTokenBaseParams {
+    logtoOidcEndpoint: string;
+    applicationId: string;
+    applicationSecret: string;
+    scopes: string[];
+}
+export interface GetOrganizationTokenParams extends GetTokenBaseParams {
+    organizationId: string;
+}
+export interface GetAccessTokenParams extends GetTokenBaseParams {
+    resource: string;
+}
+export declare const getOrganizationToken: (params: GetOrganizationTokenParams) => Promise<string>;
+export declare const getAccessToken: (params: GetAccessTokenParams) => Promise<string>;
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/logto-client/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/logto-client/index.ts"],"names":[],"mappings":"AAGA,UAAU,kBAAkB;IAC1B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AACD,MAAM,WAAW,0BAA2B,SAAQ,kBAAkB;IACpE,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,oBAAqB,SAAQ,kBAAkB;IAC9D,QAAQ,EAAE,MAAM,CAAC;CAClB;AASD,eAAO,MAAM,oBAAoB,WACvB,0BAA0B,KACjC,OAAO,CAAC,MAAM,CAYhB,CAAC;AAEF,eAAO,MAAM,cAAc,WACjB,oBAAoB,KAC3B,OAAO,CAAC,MAAM,CAOhB,CAAC"}

package/dist/logto-client/index.js

@@ -0,0 +1,46 @@
+import { httpErrors } from "@fastify/sensible";
+import { UserScope } from "./user-scope.js";
+export const getOrganizationToken = async (params) => {
+    const tokenResponse = await fetchToken({
+        ...params,
+        scopes: [
+            ...params.scopes,
+            UserScope.OrganizationRoles,
+            UserScope.Organizations,
+        ],
+        specificBodyFields: { organization_id: params.organizationId },
+    });
+    //TODO store here
+    return tokenResponse.access_token;
+};
+export const getAccessToken = async (params) => {
+    const tokenResponse = await fetchToken({
+        ...params,
+        specificBodyFields: { resource: params.resource },
+    });
+    //TODO store here
+    return tokenResponse.access_token;
+};
+const fetchToken = async (params) => {
+    const body = {
+        ...params.specificBodyFields,
+        scope: params.scopes.join(" "),
+        grant_type: "client_credentials",
+    };
+    const logtoOidcEndpoint = params.logtoOidcEndpoint.endsWith("/")
+        ? params.logtoOidcEndpoint
+        : `${params.logtoOidcEndpoint}/`;
+    const response = await fetch(`${logtoOidcEndpoint}token`, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            Authorization: `Basic ${Buffer.from(`${params.applicationId}:${params.applicationSecret}`).toString("base64")}`,
+        },
+        body: new URLSearchParams(body).toString(),
+    });
+    if (response.status !== 200) {
+        throw httpErrors.unauthorized(JSON.stringify(await response.json()));
+    }
+    return response.json();
+};
+//# sourceMappingURL=index.js.map

package/dist/logto-client/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/logto-client/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAuB5C,MAAM,CAAC,MAAM,oBAAoB,GAAG,KAAK,EACvC,MAAkC,EACjB,EAAE;IACnB,MAAM,aAAa,GAAG,MAAM,UAAU,CAAC;QACrC,GAAG,MAAM;QACT,MAAM,EAAE;YACN,GAAG,MAAM,CAAC,MAAM;YAChB,SAAS,CAAC,iBAAiB;YAC3B,SAAS,CAAC,aAAa;SACxB;QACD,kBAAkB,EAAE,EAAE,eAAe,EAAE,MAAM,CAAC,cAAc,EAAE;KAC/D,CAAC,CAAC;IACH,iBAAiB;IACjB,OAAO,aAAa,CAAC,YAAY,CAAC;AACpC,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,cAAc,GAAG,KAAK,EACjC,MAA4B,EACX,EAAE;IACnB,MAAM,aAAa,GAAG,MAAM,UAAU,CAAC;QACrC,GAAG,MAAM;QACT,kBAAkB,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE;KAClD,CAAC,CAAC;IACH,iBAAiB;IACjB,OAAO,aAAa,CAAC,YAAY,CAAC;AACpC,CAAC,CAAC;AAEF,MAAM,UAAU,GAAG,KAAK,EAAE,MAMzB,EAA8B,EAAE;IAC/B,MAAM,IAAI,GAAG;QACX,GAAG,MAAM,CAAC,kBAAkB;QAC5B,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QAC9B,UAAU,EAAE,oBAAoB;KACjC,CAAC;IACF,MAAM,iBAAiB,GAAG,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,GAAG,CAAC;QAC9D,CAAC,CAAC,MAAM,CAAC,iBAAiB;QAC1B,CAAC,CAAC,GAAG,MAAM,CAAC,iBAAiB,GAAG,CAAC;IACnC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,iBAAiB,OAAO,EAAE;QACxD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;YACnD,aAAa,EAAE,SAAS,MAAM,CAAC,IAAI,CACjC,GAAG,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,iBAAiB,EAAE,CACtD,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE;SACvB;QACD,IAAI,EAAE,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE;KAC3C,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,MAAM,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACvE,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAgC,CAAC;AACvD,CAAC,CAAC"}

package/dist/logto-client/user-scope.d.ts

@@ -0,0 +1,11 @@
+export declare enum UserScope {
+    Profile = "profile",
+    Email = "email",
+    Phone = "phone",
+    CustomData = "custom_data",
+    Identities = "identities",
+    Roles = "roles",
+    Organizations = "urn:logto:scope:organizations",
+    OrganizationRoles = "urn:logto:scope:organization_roles"
+}
+//# sourceMappingURL=user-scope.d.ts.map

package/dist/logto-client/user-scope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-scope.d.ts","sourceRoot":"","sources":["../../src/logto-client/user-scope.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,OAAO,MAAM,SAAS;IAC3B,OAAO,YAAY;IACnB,KAAK,UAAU;IACf,KAAK,UAAU;IACf,UAAU,gBAAgB;IAC1B,UAAU,eAAe;IACzB,KAAK,UAAU;IACf,aAAa,kCAAkC;IAC/C,iBAAiB,uCAAuC;CACzD"}

package/dist/logto-client/user-scope.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=user-scope.js.map

package/dist/logto-client/user-scope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-scope.js","sourceRoot":"","sources":["../../src/logto-client/user-scope.ts"],"names":[],"mappings":""}

package/dist/utils.d.ts

@@ -0,0 +1,4 @@
+export type ScopeMap = Map<string, ScopeMap | boolean>;
+export declare const getMapFromScope: (scope?: string) => Map<any, any>;
+export declare const validatePermission: (permission: string, scope: ScopeMap) => boolean | undefined;
+//# sourceMappingURL=utils.d.ts.map

package/dist/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,CAAC;AAEvD,eAAO,MAAM,eAAe,WAAY,MAAM,kBAiC7C,CAAC;AAEF,eAAO,MAAM,kBAAkB,eAAgB,MAAM,SAAS,QAAQ,wBAgBrE,CAAC"}

package/dist/utils.js

@@ -0,0 +1,45 @@
+export const getMapFromScope = (scope) => {
+    if (!scope || scope.length === 0) {
+        return new Map();
+    }
+    const scopes = scope.split(" ");
+    return scopes.reduce((acc, scope) => {
+        const subScope = scope.split(":");
+        let current = acc;
+        for (let i = 0; i < subScope.length; i++) {
+            const part = subScope[i];
+            if (current === true)
+                break;
+            if (current instanceof Map) {
+                if (subScope[i + 1] === "*") {
+                    current.set(part, true);
+                    break;
+                }
+                if (i === subScope.length - 1) {
+                    current.set(part, true);
+                }
+                else if (!current.get(part)) {
+                    current.set(part, new Map());
+                }
+                current = current.get(part);
+            }
+        }
+        return acc;
+    }, new Map());
+};
+export const validatePermission = (permission, scope) => {
+    const parts = permission.split(":");
+    let current = scope;
+    for (let i = 0; i <= parts.length; i++) {
+        const part = parts[i];
+        if (current === true)
+            return true;
+        if (current instanceof Map) {
+            current = current.get(part);
+        }
+        else {
+            return false;
+        }
+    }
+};
+//# sourceMappingURL=utils.js.map

package/dist/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,KAAc,EAAE,EAAE;IAChD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO,IAAI,GAAG,EAAE,CAAC;IACnB,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,OAAO,MAAM,CAAC,MAAM,CAAW,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QAC5C,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,OAAO,GAAmC,GAAG,CAAC;QAElD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACzC,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;YAEzB,IAAI,OAAO,KAAK,IAAI;gBAAE,MAAM;YAE5B,IAAI,OAAO,YAAY,GAAG,EAAE,CAAC;gBAC3B,IAAI,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;oBAC5B,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;oBACxB,MAAM;gBACR,CAAC;gBAED,IAAI,CAAC,KAAK,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC9B,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;gBAC1B,CAAC;qBAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9B,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;gBAC/B,CAAC;gBAED,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,UAAkB,EAAE,KAAe,EAAE,EAAE;IACxE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEpC,IAAI,OAAO,GAAmC,KAAK,CAAC;IAEpD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAElC,IAAI,OAAO,YAAY,GAAG,EAAE,CAAC;YAC3B,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;AACH,CAAC,CAAC"}

package/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "@ogcio/api-auth",
+  "version": "4.29.0",
+  "main": "dist/index.js",
+  "type": "module",
+  "dependencies": {
+    "@aws-sdk/client-kms": "^3.709.0",
+    "@fastify/sensible": "5.6.0",
+    "@ogcio/shared-errors": "1.0.0",
+    "fastify": "^4.29.0",
+    "fastify-plugin": "^4.5.1",
+    "jose": "^5.9.6"
+  },
+  "scripts": {
+    "build": "rm -rf dist tsconfig.prod.tsbuildinfo tsconfig.tsbuildinfo && tsc -p tsconfig.prod.json",
+    "test": "vitest run --coverage --outputFile=results.xml",
+    "prepublishOnly": "npm i && npm run build && npm run test"
+  },
+  "devDependencies": {
+    "@types/node": "22.10.1",
+    "typescript": "^5.7.2"
+  }
+}

package/src/index.ts

@@ -0,0 +1,149 @@
+import { httpErrors } from "@fastify/sensible";
+import { getErrorMessage } from "@ogcio/shared-errors";
+import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
+import fp from "fastify-plugin";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import { getMapFromScope, validatePermission } from "./utils.js";
+
+type ExtractedUserData = {
+  userId: string;
+  organizationId?: string;
+  isM2MApplication: boolean;
+  accessToken: string;
+};
+
+type MatchConfig = { method: "AND" | "OR" };
+
+declare module "fastify" {
+  interface FastifyRequest {
+    userData?: ExtractedUserData;
+  }
+}
+
+const extractBearerToken = (authHeader: string) => {
+  const [type, token] = authHeader.split(" ");
+  if (type !== "Bearer") {
+    throw httpErrors.unauthorized(
+      "Invalid Authorization header type, 'Bearer' expected",
+    );
+  }
+  return token;
+};
+
+const decodeLogtoToken = async (
+  token: string,
+  config: {
+    jwkEndpoint: string;
+    oidcEndpoint: string;
+  },
+) => {
+  // Reference: https://docs.logto.io/docs/recipes/protect-your-api/node/
+  const jwks = createRemoteJWKSet(new URL(config.jwkEndpoint));
+  const { payload } = await jwtVerify(token, jwks, {
+    issuer: config.oidcEndpoint,
+  });
+  return payload;
+};
+
+export const ensureUserCanAccessUser = (
+  loggedUserData: ExtractedUserData | undefined,
+  requestedUserId: string,
+): ExtractedUserData => {
+  if (loggedUserData && requestedUserId === loggedUserData.userId) {
+    return loggedUserData;
+  }
+
+  if (loggedUserData?.organizationId) {
+    return loggedUserData;
+  }
+
+  throw httpErrors.forbidden("You can't access this user's data");
+};
+
+export const checkPermissions = async (
+  authHeader: string,
+  config: {
+    jwkEndpoint: string;
+    oidcEndpoint: string;
+  },
+  requiredPermissions: string[],
+  matchConfig = { method: "OR" },
+): Promise<ExtractedUserData> => {
+  const token = extractBearerToken(authHeader);
+  const payload = await decodeLogtoToken(token, config);
+  const {
+    scope,
+    sub,
+    aud,
+    client_id: clientId,
+  } = payload as {
+    scope: string;
+    sub: string;
+    aud: string;
+    client_id: string;
+  };
+  const scopesMap = getMapFromScope(scope);
+
+  const grantAccess =
+    matchConfig.method === "AND"
+      ? requiredPermissions.every((p) => validatePermission(p, scopesMap))
+      : requiredPermissions.some((p) => validatePermission(p, scopesMap));
+
+  if (!grantAccess) {
+    throw httpErrors.forbidden();
+  }
+
+  const organizationId = aud.includes("urn:logto:organization:")
+    ? aud.split("urn:logto:organization:")[1]
+    : undefined;
+
+  return {
+    userId: sub,
+    organizationId: organizationId,
+    accessToken: token,
+    isM2MApplication: sub === clientId,
+  };
+};
+
+export type CheckPermissionsPluginOpts = {
+  jwkEndpoint: string;
+  oidcEndpoint: string;
+};
+
+export const checkPermissionsPlugin = async (
+  app: FastifyInstance,
+  opts: CheckPermissionsPluginOpts,
+) => {
+  app.decorate(
+    "checkPermissions",
+    async (
+      req: FastifyRequest,
+      _rep: FastifyReply,
+      permissions: string[],
+      matchConfig?: MatchConfig,
+    ) => {
+      const authHeader = req.headers.authorization;
+      if (!authHeader) {
+        throw httpErrors.unauthorized();
+      }
+      try {
+        const userData = await checkPermissions(
+          authHeader,
+          opts,
+          permissions,
+          matchConfig,
+        );
+        req.userData = userData;
+      } catch (e) {
+        throw httpErrors.createError(403, getErrorMessage(e), { parent: e });
+      }
+    },
+  );
+};
+
+export default fp(checkPermissionsPlugin, {
+  name: "apiAuthPlugin",
+});
+
+export * from "./logto-client/index.js";
+export * from "./jwtService.js";

package/src/jwtService.ts

@@ -0,0 +1,165 @@
+import {
+  GetPublicKeyCommand,
+  KMSClient,
+  type KMSClientConfig,
+  SignCommand,
+} from "@aws-sdk/client-kms";
+import {
+  type JWK,
+  type JWTPayload,
+  type JWTVerifyOptions,
+  createRemoteJWKSet,
+  decodeJwt,
+  exportJWK,
+  importSPKI,
+  jwtVerify,
+} from "jose";
+
+const getKmsClient = (() => {
+  let kmsClient: KMSClient | null = null;
+
+  return function getKmsClient(kmsConfig: KMSClientConfig): KMSClient {
+    if (kmsClient) return kmsClient;
+
+    kmsClient = new KMSClient(kmsConfig);
+    return kmsClient;
+  };
+})();
+
+const defaultAlgorithm = "RS256";
+
+interface JWTOptions {
+  expirationTime?: string; // Token expiration time (e.g., "1h")
+  audience?: string; // Expected audience
+  issuer?: string; // Token issuer
+}
+
+/**
+ * Creates and signs a JWT using the provided payload and private key.
+ * @param payload - The JWT payload as an object.
+ * @param keyId - The key id or alias in KMS
+ * @param options - Optional parameters for customizing the JWT creation (e.g., expiration, audience, issuer).
+ */
+async function createSignedJWT(
+  payload: Record<string, unknown>,
+  keyId: string,
+  options: JWTOptions,
+  kmsConfig: KMSClientConfig,
+) {
+  const { audience: aud, issuer: iss } = options;
+
+  const header = {
+    alg: defaultAlgorithm,
+    typ: "JWT",
+  };
+
+  // we need to create the jwt manually and sign it directly on KMS - private keys cannot be retrieved
+  const payloadString = JSON.stringify({ ...payload, aud, iss });
+
+  const encodedHeader = Buffer.from(JSON.stringify(header)).toString(
+    "base64url",
+  );
+  const encodedPayload = Buffer.from(payloadString).toString("base64url");
+
+  const messageToSign = `${encodedHeader}.${encodedPayload}`;
+
+  const input = {
+    KeyId: keyId,
+    Message: Buffer.from(messageToSign),
+    MessageType: "RAW" as const,
+    SigningAlgorithm: "RSASSA_PKCS1_V1_5_SHA_256" as const,
+  };
+  const command = new SignCommand(input);
+  const signResponse = await getKmsClient(kmsConfig).send(command);
+
+  if (!signResponse.Signature) {
+    throw new Error("KMS did not return a signature. Signing failed.");
+  }
+  const signature = Buffer.from(signResponse.Signature).toString("base64url");
+
+  return `${messageToSign}.${signature}`;
+}
+
+/**
+ * Returns the JWKS (JSON Web Key Set) for the public key.
+ */
+async function getJWKSRoute(publicKey: JWK) {
+  return { keys: [publicKey] };
+}
+
+interface VerifyJWTOptions {
+  jwksUrl: string;
+  audience?: string; // Expected audience for the token
+  issuer?: string; // Expected issuer for the token
+}
+
+/**
+ * Verifies the given JWT using the JWKS provided by the remote JWKS URL.
+ * @param token - The JWT token to verify.
+ * @param options - Object containing JWKS URL, expected audience, issuer, and algorithm.
+ */
+async function verifyJWT(
+  token: string,
+  options: VerifyJWTOptions,
+): Promise<JWTPayload> {
+  const { jwksUrl, audience, issuer } = options;
+
+  // Create the remote JWK set from the given URL
+  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+
+  // Define verification options
+  const verifyOptions: JWTVerifyOptions = {
+    algorithms: [defaultAlgorithm],
+    audience, // Check if token is for the expected audience
+    issuer, // Check if token was issued by the expected issuer
+  };
+
+  // Verify the JWT using the remote JWKS
+  const { payload } = await jwtVerify(token, JWKS, verifyOptions);
+
+  // Check if the token has expired by verifying the `exp` claim
+  if (payload.exp && payload.exp * 1000 < Date.now()) {
+    throw new Error("Token has expired");
+  }
+
+  return payload;
+}
+
+/**
+ * Retrieves a public key from KMS and returns the JWKS (JSON Web Key Set) for the public key.
+ * @param keyId - The key id or alias in KMS.
+ */
+async function getJWKS(
+  keyId: string,
+  kmsConfig: KMSClientConfig,
+): Promise<{ keys: JWK[] }> {
+  const command = new GetPublicKeyCommand({ KeyId: keyId });
+  const { PublicKey } = await getKmsClient(kmsConfig).send(command);
+
+  if (!PublicKey)
+    throw new Error("KMS did not return a public key. Retrieval failed.");
+
+  // convert Uint8Array to JWK
+  const spki = `-----BEGIN PUBLIC KEY-----\n${Buffer.from(PublicKey).toString("base64")}\n-----END PUBLIC KEY-----`;
+  const keyObject = await importSPKI(spki, "RS256");
+  const jwk = await exportJWK(keyObject);
+
+  return getJWKSRoute(jwk);
+}
+
+// Function to decode JWT without validation
+function getIssuerFromJWT(token: string) {
+  return decodeJwt(token).iss;
+}
+
+function unsecureVerifyJWT(token: string) {
+  return decodeJwt(token);
+}
+
+export {
+  createSignedJWT,
+  verifyJWT,
+  getJWKS,
+  getIssuerFromJWT,
+  unsecureVerifyJWT,
+};

package/src/logto-client/index.ts

@@ -0,0 +1,83 @@
+import { httpErrors } from "@fastify/sensible";
+import { UserScope } from "./user-scope.js";
+
+interface GetTokenBaseParams {
+  logtoOidcEndpoint: string;
+  applicationId: string;
+  applicationSecret: string;
+  scopes: string[];
+}
+export interface GetOrganizationTokenParams extends GetTokenBaseParams {
+  organizationId: string;
+}
+
+export interface GetAccessTokenParams extends GetTokenBaseParams {
+  resource: string;
+}
+
+interface TokenResponseBody {
+  access_token: string;
+  expires_in: number;
+  token_type: string;
+  scope: string;
+}
+
+export const getOrganizationToken = async (
+  params: GetOrganizationTokenParams,
+): Promise<string> => {
+  const tokenResponse = await fetchToken({
+    ...params,
+    scopes: [
+      ...params.scopes,
+      UserScope.OrganizationRoles,
+      UserScope.Organizations,
+    ],
+    specificBodyFields: { organization_id: params.organizationId },
+  });
+  //TODO store here
+  return tokenResponse.access_token;
+};
+
+export const getAccessToken = async (
+  params: GetAccessTokenParams,
+): Promise<string> => {
+  const tokenResponse = await fetchToken({
+    ...params,
+    specificBodyFields: { resource: params.resource },
+  });
+  //TODO store here
+  return tokenResponse.access_token;
+};
+
+const fetchToken = async (params: {
+  logtoOidcEndpoint: string;
+  applicationId: string;
+  applicationSecret: string;
+  scopes: string[];
+  specificBodyFields: { [x: string]: string };
+}): Promise<TokenResponseBody> => {
+  const body = {
+    ...params.specificBodyFields,
+    scope: params.scopes.join(" "),
+    grant_type: "client_credentials",
+  };
+  const logtoOidcEndpoint = params.logtoOidcEndpoint.endsWith("/")
+    ? params.logtoOidcEndpoint
+    : `${params.logtoOidcEndpoint}/`;
+  const response = await fetch(`${logtoOidcEndpoint}token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Authorization: `Basic ${Buffer.from(
+        `${params.applicationId}:${params.applicationSecret}`,
+      ).toString("base64")}`,
+    },
+    body: new URLSearchParams(body).toString(),
+  });
+
+  if (response.status !== 200) {
+    throw httpErrors.unauthorized(JSON.stringify(await response.json()));
+  }
+
+  return response.json() as Promise<TokenResponseBody>;
+};

package/src/logto-client/user-scope.ts

@@ -0,0 +1,10 @@
+export declare enum UserScope {
+  Profile = "profile",
+  Email = "email",
+  Phone = "phone",
+  CustomData = "custom_data",
+  Identities = "identities",
+  Roles = "roles",
+  Organizations = "urn:logto:scope:organizations",
+  OrganizationRoles = "urn:logto:scope:organization_roles",
+}

package/src/utils.ts

@@ -0,0 +1,54 @@
+export type ScopeMap = Map<string, ScopeMap | boolean>;
+
+export const getMapFromScope = (scope?: string) => {
+  if (!scope || scope.length === 0) {
+    return new Map();
+  }
+
+  const scopes = scope.split(" ");
+  return scopes.reduce<ScopeMap>((acc, scope) => {
+    const subScope = scope.split(":");
+    let current: ScopeMap | boolean | undefined = acc;
+
+    for (let i = 0; i < subScope.length; i++) {
+      const part = subScope[i];
+
+      if (current === true) break;
+
+      if (current instanceof Map) {
+        if (subScope[i + 1] === "*") {
+          current.set(part, true);
+          break;
+        }
+
+        if (i === subScope.length - 1) {
+          current.set(part, true);
+        } else if (!current.get(part)) {
+          current.set(part, new Map());
+        }
+
+        current = current.get(part);
+      }
+    }
+
+    return acc;
+  }, new Map());
+};
+
+export const validatePermission = (permission: string, scope: ScopeMap) => {
+  const parts = permission.split(":");
+
+  let current: ScopeMap | boolean | undefined = scope;
+
+  for (let i = 0; i <= parts.length; i++) {
+    const part = parts[i];
+
+    if (current === true) return true;
+
+    if (current instanceof Map) {
+      current = current.get(part);
+    } else {
+      return false;
+    }
+  }
+};

package/tsconfig.json

@@ -0,0 +1,11 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "composite": true,
+    "outDir": "dist",
+  },
+  "include": ["src", "__tests__"],
+  "references": [
+    { "path": "../shared-errors" }
+  ]
+}

package/tsconfig.prod.json

@@ -0,0 +1,5 @@
+{
+  "extends": "./tsconfig",
+  "exclude": ["__tests__", "dist"],
+  "compilerOptions": {"rootDir": "src"}
+}

package/vitest.config.mts

@@ -0,0 +1,19 @@
+import { defineConfig } from "vitest/config";
+
+export default defineConfig({
+  test: {
+    reporters: "default",
+    coverage: {
+      reporter: ["text", "cobertura"],
+      provider: "istanbul",
+    },
+    include: [
+      "**/@(test?(s)|__test?(s)__)/**/*.test.@(js|cjs|mjs|tap|cts|jsx|mts|ts|tsx)",
+      "**/*.@(test?(s)|spec).@(js|cjs|mjs|tap|cts|jsx|mts|ts|tsx)",
+      "**/test?(s).@(js|cjs|mjs|tap|cts|jsx|mts|ts|tsx)",
+    ],
+    exclude: ["**/@(fixture*(s)|dist|node_modules)/**"],
+    maxConcurrency: 1,
+    testTimeout: 30000, // Timeout in milliseconds (30 seconds)
+  },
+});