@ogcio/api-auth 5.1.1 → 5.2.0

package/dist/index.d.ts

@@ -1,9 +1,18 @@
 import type { FastifyInstance } from "fastify";
+import { type JSONWebKeySet } from "jose";
 type ExtractedUserData = {
     userId: string;
     organizationId?: string;
     isM2MApplication: boolean;
     accessToken: string;
+    signInMethod?: string;
+};
+type StoreLocalJwkSet = (keySet: JSONWebKeySet) => Promise<void>;
+export type CheckPermissionsPluginOpts = {
+    jwkEndpoint: string;
+    oidcEndpoint: string;
+    getLocalJwksFn?: () => JSONWebKeySet | undefined;
+    storeLocalJwkSetFn?: StoreLocalJwkSet;
 };
 declare module "fastify" {
     interface FastifyRequest {
@@ -11,16 +20,9 @@ declare module "fastify" {
     }
 }
 export declare const ensureUserCanAccessUser: (loggedUserData: ExtractedUserData | undefined, requestedUserId: string) => ExtractedUserData;
-export declare const checkPermissions: (authHeader: string, config: {
-    jwkEndpoint: string;
-    oidcEndpoint: string;
-}, requiredPermissions: string[], matchConfig?: {
+export declare const checkPermissions: (authHeader: string, config: CheckPermissionsPluginOpts, requiredPermissions: string[], matchConfig?: {
     method: string;
 }) => Promise<ExtractedUserData>;
-export type CheckPermissionsPluginOpts = {
-    jwkEndpoint: string;
-    oidcEndpoint: string;
-};
 export declare const checkPermissionsPlugin: (app: FastifyInstance, opts: CheckPermissionsPluginOpts) => Promise<void>;
 declare const _default: (app: FastifyInstance, opts: CheckPermissionsPluginOpts) => Promise<void>;
 export default _default;

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAgC,MAAM,SAAS,CAAC;AAK7E,KAAK,iBAAiB,GAAG;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAIF,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,cAAc;QACtB,QAAQ,CAAC,EAAE,iBAAiB,CAAC;KAC9B;CACF;AA2BD,eAAO,MAAM,uBAAuB,mBAClB,iBAAiB,GAAG,SAAS,mBAC5B,MAAM,KACtB,iBAUF,CAAC;AAEF,eAAO,MAAM,gBAAgB,eACf,MAAM,UACV;IACN,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB,uBACoB,MAAM,EAAE;;MAE5B,OAAO,CAAC,iBAAiB,CAmC3B,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,eAAO,MAAM,sBAAsB,QAC5B,eAAe,QACd,0BAA0B,kBA2BjC,CAAC;8BA5BK,eAAe,QACd,0BAA0B;AA6BlC,wBAEG;AAEH,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAgC,MAAM,SAAS,CAAC;AAE7E,OAAO,EAEL,KAAK,aAAa,EAMnB,MAAM,MAAM,CAAC;AAGd,KAAK,iBAAiB,GAAG;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAIF,KAAK,gBAAgB,GAAG,CAAC,MAAM,EAAE,aAAa,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAEjE,MAAM,MAAM,0BAA0B,GAAG;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,aAAa,GAAG,SAAS,CAAC;IACjD,kBAAkB,CAAC,EAAE,gBAAgB,CAAC;CACvC,CAAC;AAEF,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,cAAc;QACtB,QAAQ,CAAC,EAAE,iBAAiB,CAAC;KAC9B;CACF;AAiED,eAAO,MAAM,uBAAuB,mBAClB,iBAAiB,GAAG,SAAS,mBAC5B,MAAM,KACtB,iBAUF,CAAC;AAEF,eAAO,MAAM,gBAAgB,eACf,MAAM,UACV,0BAA0B,uBACb,MAAM,EAAE;;MAE5B,OAAO,CAAC,iBAAiB,CAsC3B,CAAC;AAEF,eAAO,MAAM,sBAAsB,QAC5B,eAAe,QACd,0BAA0B,kBA2BjC,CAAC;8BA5BK,eAAe,QACd,0BAA0B;AA6BlC,wBAEG;AAEH,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC"}

package/dist/index.js

@@ -1,7 +1,7 @@
 import { httpErrors } from "@fastify/sensible";
 import { getErrorMessage } from "@ogcio/shared-errors";
 import fp from "fastify-plugin";
-import { createRemoteJWKSet, jwtVerify } from "jose";
+import { createLocalJWKSet, createRemoteJWKSet, jwtVerify, } from "jose";
 import { getMapFromScope, validatePermission } from "./utils.js";
 const extractBearerToken = (authHeader) => {
     const [type, token] = authHeader.split(" ");
@@ -10,10 +10,44 @@ const extractBearerToken = (authHeader) => {
     }
     return token;
 };
+/**
+ * Reference: https://docs.logto.io/docs/recipes/protect-your-api/node/
+ * @param token
+ * @param config
+ * @returns JWTPayload
+ */
 const decodeLogtoToken = async (token, config) => {
-    // Reference: https://docs.logto.io/docs/recipes/protect-your-api/node/
-    const jwks = createRemoteJWKSet(new URL(config.jwkEndpoint));
-    const { payload } = await jwtVerify(token, jwks, {
+    let jwksSet;
+    // check if local JSONWebKeySet retrieval function is provided
+    if (config.getLocalJwksFn) {
+        try {
+            jwksSet = config.getLocalJwksFn();
+        }
+        catch {
+            // just ignoring the error to avoid changes in
+            // decodeLogtoToken behaviours
+        }
+    }
+    let resolverFn;
+    if (!jwksSet) {
+        const remoteSet = createRemoteJWKSet(new URL(config.jwkEndpoint));
+        const remoteJwks = remoteSet.jwks();
+        if (config.storeLocalJwkSetFn && remoteJwks) {
+            try {
+                await config.storeLocalJwkSetFn(remoteJwks);
+            }
+            catch {
+                // just ignoring the error to avoid changes in
+                // method behaviours
+            }
+        }
+        resolverFn = remoteSet;
+    }
+    else {
+        const localJwkSet = createLocalJWKSet(jwksSet);
+        resolverFn = localJwkSet;
+    }
+    const { payload } = await jwtVerify(token, resolverFn, {
         issuer: config.oidcEndpoint,
     });
     return payload;
@@ -30,7 +64,7 @@ export const ensureUserCanAccessUser = (loggedUserData, requestedUserId) => {
 export const checkPermissions = async (authHeader, config, requiredPermissions, matchConfig = { method: "OR" }) => {
     const token = extractBearerToken(authHeader);
     const payload = await decodeLogtoToken(token, config);
-    const { scope, sub, aud, client_id: clientId, } = payload;
+    const { scope, sub, aud, client_id: clientId, signInMethod, } = payload;
     const scopesMap = getMapFromScope(scope);
     const grantAccess = matchConfig.method === "AND"
         ? requiredPermissions.every((p) => validatePermission(p, scopesMap))
@@ -46,6 +80,7 @@ export const checkPermissions = async (authHeader, config, requiredPermissions,
         organizationId: organizationId,
         accessToken: token,
         isM2MApplication: sub === clientId,
+        signInMethod,
     };
 };
 export const checkPermissionsPlugin = async (app, opts) => {

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAChC,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAiBjE,MAAM,kBAAkB,GAAG,CAAC,UAAkB,EAAE,EAAE;IAChD,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,MAAM,UAAU,CAAC,YAAY,CAC3B,sDAAsD,CACvD,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEF,MAAM,gBAAgB,GAAG,KAAK,EAC5B,KAAa,EACb,MAGC,EACD,EAAE;IACF,uEAAuE;IACvE,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;IAC7D,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;QAC/C,MAAM,EAAE,MAAM,CAAC,YAAY;KAC5B,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,uBAAuB,GAAG,CACrC,cAA6C,EAC7C,eAAuB,EACJ,EAAE;IACrB,IAAI,cAAc,IAAI,eAAe,KAAK,cAAc,CAAC,MAAM,EAAE,CAAC;QAChE,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,IAAI,cAAc,EAAE,cAAc,EAAE,CAAC;QACnC,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,MAAM,UAAU,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC;AAClE,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,EACnC,UAAkB,EAClB,MAGC,EACD,mBAA6B,EAC7B,WAAW,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EACF,EAAE;IAC9B,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,EACJ,KAAK,EACL,GAAG,EACH,GAAG,EACH,SAAS,EAAE,QAAQ,GACpB,GAAG,OAKH,CAAC;IACF,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IAEzC,MAAM,WAAW,GACf,WAAW,CAAC,MAAM,KAAK,KAAK;QAC1B,CAAC,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QACpE,CAAC,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;IAExE,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,UAAU,CAAC,SAAS,EAAE,CAAC;IAC/B,CAAC;IAED,MAAM,cAAc,GAAG,GAAG,CAAC,QAAQ,CAAC,yBAAyB,CAAC;QAC5D,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC,CAAC,SAAS,CAAC;IAEd,OAAO;QACL,MAAM,EAAE,GAAG;QACX,cAAc,EAAE,cAAc;QAC9B,WAAW,EAAE,KAAK;QAClB,gBAAgB,EAAE,GAAG,KAAK,QAAQ;KACnC,CAAC;AACJ,CAAC,CAAC;AAOF,MAAM,CAAC,MAAM,sBAAsB,GAAG,KAAK,EACzC,GAAoB,EACpB,IAAgC,EAChC,EAAE;IACF,GAAG,CAAC,QAAQ,CACV,kBAAkB,EAClB,KAAK,EACH,GAAmB,EACnB,IAAkB,EAClB,WAAqB,EACrB,WAAyB,EACzB,EAAE;QACF,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,UAAU,CAAC,YAAY,EAAE,CAAC;QAClC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CACrC,UAAU,EACV,IAAI,EACJ,WAAW,EACX,WAAW,CACZ,CAAC;YACF,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,UAAU,CAAC,WAAW,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC,CAAC;AAEF,eAAe,EAAE,CAAC,sBAAsB,EAAE;IACxC,IAAI,EAAE,eAAe;CACtB,CAAC,CAAC;AAEH,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAChC,OAAO,EAKL,iBAAiB,EACjB,kBAAkB,EAClB,SAAS,GACV,MAAM,MAAM,CAAC;AACd,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AA2BjE,MAAM,kBAAkB,GAAG,CAAC,UAAkB,EAAE,EAAE;IAChD,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,MAAM,UAAU,CAAC,YAAY,CAC3B,sDAAsD,CACvD,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,gBAAgB,GAAG,KAAK,EAC5B,KAAa,EACb,MAAkC,EACb,EAAE;IACvB,IAAI,OAAkC,CAAC;IAEvC,8DAA8D;IAC9D,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,CAAC,cAAc,EAAE,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;YAC9C,8BAA8B;QAChC,CAAC;IACH,CAAC;IAED,IAAI,UAKwB,CAAC;IAE7B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,SAAS,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;QAClE,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;QACpC,IAAI,MAAM,CAAC,kBAAkB,IAAI,UAAU,EAAE,CAAC;YAC5C,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,8CAA8C;gBAC9C,oBAAoB;YACtB,CAAC;QACH,CAAC;QACD,UAAU,GAAG,SAAS,CAAC;IACzB,CAAC;SAAM,CAAC;QACN,MAAM,WAAW,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC/C,UAAU,GAAG,WAAW,CAAC;IAC3B,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,UAAU,EAAE;QACrD,MAAM,EAAE,MAAM,CAAC,YAAY;KAC5B,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,uBAAuB,GAAG,CACrC,cAA6C,EAC7C,eAAuB,EACJ,EAAE;IACrB,IAAI,cAAc,IAAI,eAAe,KAAK,cAAc,CAAC,MAAM,EAAE,CAAC;QAChE,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,IAAI,cAAc,EAAE,cAAc,EAAE,CAAC;QACnC,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,MAAM,UAAU,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC;AAClE,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,EACnC,UAAkB,EAClB,MAAkC,EAClC,mBAA6B,EAC7B,WAAW,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EACF,EAAE;IAC9B,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,EACJ,KAAK,EACL,GAAG,EACH,GAAG,EACH,SAAS,EAAE,QAAQ,EACnB,YAAY,GACb,GAAG,OAMH,CAAC;IACF,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IAEzC,MAAM,WAAW,GACf,WAAW,CAAC,MAAM,KAAK,KAAK;QAC1B,CAAC,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QACpE,CAAC,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;IAExE,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,UAAU,CAAC,SAAS,EAAE,CAAC;IAC/B,CAAC;IAED,MAAM,cAAc,GAAG,GAAG,CAAC,QAAQ,CAAC,yBAAyB,CAAC;QAC5D,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC,CAAC,SAAS,CAAC;IAEd,OAAO;QACL,MAAM,EAAE,GAAG;QACX,cAAc,EAAE,cAAc;QAC9B,WAAW,EAAE,KAAK;QAClB,gBAAgB,EAAE,GAAG,KAAK,QAAQ;QAClC,YAAY;KACb,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,sBAAsB,GAAG,KAAK,EACzC,GAAoB,EACpB,IAAgC,EAChC,EAAE;IACF,GAAG,CAAC,QAAQ,CACV,kBAAkB,EAClB,KAAK,EACH,GAAmB,EACnB,IAAkB,EAClB,WAAqB,EACrB,WAAyB,EACzB,EAAE;QACF,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,UAAU,CAAC,YAAY,EAAE,CAAC;QAClC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CACrC,UAAU,EACV,IAAI,EACJ,WAAW,EACX,WAAW,CACZ,CAAC;YACF,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,UAAU,CAAC,WAAW,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC,CAAC;AAEF,eAAe,EAAE,CAAC,sBAAsB,EAAE;IACxC,IAAI,EAAE,eAAe;CACtB,CAAC,CAAC;AAEH,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC"}

package/package.json

@@ -1,23 +1,19 @@
 {
   "name": "@ogcio/api-auth",
-  "version": "5.1.1",
+  "version": "5.2.0",
   "main": "dist/index.js",
   "type": "module",
   "dependencies": {
-    "@aws-sdk/client-kms": "^3.709.0",
-    "@fastify/sensible": "6.0.1",
-    "@ogcio/shared-errors": "1.0.0",
-    "fastify": "^5.1.0",
-    "fastify-plugin": "^5.0.1",
-    "jose": "^5.9.6"
+    "@aws-sdk/client-kms": "^3.936.0",
+    "@fastify/sensible": "6.0.3",
+    "@ogcio/shared-errors": "1.1.0",
+    "fastify": "^5.6.2",
+    "fastify-plugin": "^5.1.0",
+    "jose": "^6.1.2"
   },
   "scripts": {
     "build": "rm -rf dist tsconfig.prod.tsbuildinfo tsconfig.tsbuildinfo && tsc -p tsconfig.prod.json",
     "test": "vitest run --coverage --outputFile=results.xml",
     "prepublishOnly": "npm i && npm run build && npm run test"
-  },
-  "devDependencies": {
-    "@types/node": "22.10.1",
-    "typescript": "^5.7.2"
   }
 }

package/src/index.ts

@@ -2,7 +2,15 @@ import { httpErrors } from "@fastify/sensible";
 import { getErrorMessage } from "@ogcio/shared-errors";
 import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import fp from "fastify-plugin";
-import { createRemoteJWKSet, jwtVerify } from "jose";
+import {
+  type FlattenedJWSInput,
+  type JSONWebKeySet,
+  type JWSHeaderParameters,
+  type JWTPayload,
+  createLocalJWKSet,
+  createRemoteJWKSet,
+  jwtVerify,
+} from "jose";
 import { getMapFromScope, validatePermission } from "./utils.js";
 
 type ExtractedUserData = {
@@ -10,10 +18,20 @@ type ExtractedUserData = {
   organizationId?: string;
   isM2MApplication: boolean;
   accessToken: string;
+  signInMethod?: string;
 };
 
 type MatchConfig = { method: "AND" | "OR" };
 
+type StoreLocalJwkSet = (keySet: JSONWebKeySet) => Promise<void>;
+
+export type CheckPermissionsPluginOpts = {
+  jwkEndpoint: string;
+  oidcEndpoint: string;
+  getLocalJwksFn?: () => JSONWebKeySet | undefined;
+  storeLocalJwkSetFn?: StoreLocalJwkSet;
+};
+
 declare module "fastify" {
   interface FastifyRequest {
     userData?: ExtractedUserData;
@@ -30,18 +48,56 @@ const extractBearerToken = (authHeader: string) => {
   return token;
 };
 
+/**
+ * Reference: https://docs.logto.io/docs/recipes/protect-your-api/node/
+ * @param token
+ * @param config
+ * @returns JWTPayload
+ */
 const decodeLogtoToken = async (
   token: string,
-  config: {
-    jwkEndpoint: string;
-    oidcEndpoint: string;
-  },
-) => {
-  // Reference: https://docs.logto.io/docs/recipes/protect-your-api/node/
-  const jwks = createRemoteJWKSet(new URL(config.jwkEndpoint));
-  const { payload } = await jwtVerify(token, jwks, {
+  config: CheckPermissionsPluginOpts,
+): Promise<JWTPayload> => {
+  let jwksSet: JSONWebKeySet | undefined;
+
+  // check if local JSONWebKeySet retrieval function is provided
+  if (config.getLocalJwksFn) {
+    try {
+      jwksSet = config.getLocalJwksFn();
+    } catch {
+      // just ignoring the error to avoid changes in
+      // decodeLogtoToken behaviours
+    }
+  }
+
+  let resolverFn:
+    | undefined
+    | ((
+        protectedHeader?: JWSHeaderParameters,
+        token?: FlattenedJWSInput,
+      ) => Promise<CryptoKey>);
+
+  if (!jwksSet) {
+    const remoteSet = createRemoteJWKSet(new URL(config.jwkEndpoint));
+    const remoteJwks = remoteSet.jwks();
+    if (config.storeLocalJwkSetFn && remoteJwks) {
+      try {
+        await config.storeLocalJwkSetFn(remoteJwks);
+      } catch {
+        // just ignoring the error to avoid changes in
+        // method behaviours
+      }
+    }
+    resolverFn = remoteSet;
+  } else {
+    const localJwkSet = createLocalJWKSet(jwksSet);
+    resolverFn = localJwkSet;
+  }
+
+  const { payload } = await jwtVerify(token, resolverFn, {
     issuer: config.oidcEndpoint,
   });
+
   return payload;
 };
 
@@ -62,10 +118,7 @@ export const ensureUserCanAccessUser = (
 
 export const checkPermissions = async (
   authHeader: string,
-  config: {
-    jwkEndpoint: string;
-    oidcEndpoint: string;
-  },
+  config: CheckPermissionsPluginOpts,
   requiredPermissions: string[],
   matchConfig = { method: "OR" },
 ): Promise<ExtractedUserData> => {
@@ -76,11 +129,13 @@ export const checkPermissions = async (
     sub,
     aud,
     client_id: clientId,
+    signInMethod,
   } = payload as {
     scope: string;
     sub: string;
     aud: string;
     client_id: string;
+    signInMethod?: string;
   };
   const scopesMap = getMapFromScope(scope);
 
@@ -102,14 +157,10 @@ export const checkPermissions = async (
     organizationId: organizationId,
     accessToken: token,
     isM2MApplication: sub === clientId,
+    signInMethod,
   };
 };
 
-export type CheckPermissionsPluginOpts = {
-  jwkEndpoint: string;
-  oidcEndpoint: string;
-};
-
 export const checkPermissionsPlugin = async (
   app: FastifyInstance,
   opts: CheckPermissionsPluginOpts,