@openbotauth/verifier-client 0.1.0

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 OpenBotAuth Project
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,319 @@
+# @openbotauth/verifier-client
+
+Client library for verifying [Web Bot Auth](https://github.com/nicholasgriffintn/draft-web-bot-auth) / [OpenBotAuth](https://openbotauth.org) signed HTTP requests in Node.js applications.
+
+Web Bot Auth is an IETF draft standard for authenticating AI agents and bots using RFC 9421 HTTP Message Signatures. OpenBotAuth provides the reference implementation, registry, and hosted verifier service.
+
+This package provides:
+- **VerifierClient**: Core client class for calling the verifier service
+- **Express middleware**: Easy integration with Express/Connect-based apps
+- **Next.js helpers**: Utilities for Next.js App Router (Server Components & Route Handlers)
+- **Header extraction**: Safe parsing of RFC 9421 signature headers
+
+## Installation
+
+```bash
+npm install @openbotauth/verifier-client
+# or
+pnpm add @openbotauth/verifier-client
+# or
+yarn add @openbotauth/verifier-client
+```
+
+## Quick Start
+
+### Express Middleware
+
+```typescript
+import express from 'express';
+import { openBotAuthMiddleware } from '@openbotauth/verifier-client/express';
+
+const app = express();
+
+// Add middleware (uses hosted verifier by default)
+app.use(openBotAuthMiddleware());
+
+app.get('/api/resource', (req, res) => {
+  const oba = (req as any).oba;
+
+  if (oba.signed && oba.result?.verified) {
+    // Request is from a verified bot
+    res.json({
+      message: 'Hello verified bot!',
+      agent: oba.result.agent,
+    });
+  } else if (oba.signed) {
+    // Signed but verification failed
+    res.json({
+      message: 'Signature verification failed',
+      error: oba.result?.error,
+    });
+  } else {
+    // Not a signed request
+    res.json({ message: 'Hello anonymous!' });
+  }
+});
+
+app.listen(3000);
+```
+
+### Require Verified Mode
+
+Block unverified signed requests with a 401 response:
+
+```typescript
+// Protected routes that require verified bot signatures
+app.use('/api/protected', openBotAuthMiddleware({
+  mode: 'require-verified'
+}));
+
+app.get('/api/protected/data', (req, res) => {
+  // Only verified bots reach here
+  const oba = (req as any).oba;
+  res.json({
+    message: 'Access granted',
+    agent: oba.result.agent,
+  });
+});
+```
+
+### Next.js App Router
+
+```typescript
+// app/api/protected/route.ts
+import { NextRequest, NextResponse } from 'next/server';
+import {
+  VerifierClient,
+  buildVerifyRequestForNext
+} from '@openbotauth/verifier-client';
+
+const client = new VerifierClient();
+
+export async function GET(request: NextRequest) {
+  const verifyRequest = buildVerifyRequestForNext(request);
+  const result = await client.verify(verifyRequest);
+
+  if (result.verified) {
+    return NextResponse.json({
+      message: 'Hello verified bot!',
+      agent: result.agent,
+    });
+  }
+
+  // For non-verified requests, you might still allow access
+  // or return an error depending on your use case
+  return NextResponse.json(
+    { error: 'Verification failed', details: result.error },
+    { status: 401 }
+  );
+}
+```
+
+## API Reference
+
+### VerifierClient
+
+Core client for verifying signatures.
+
+```typescript
+import { VerifierClient } from '@openbotauth/verifier-client';
+
+const client = new VerifierClient({
+  // Optional: Override verifier URL (default: hosted verifier)
+  verifierUrl: 'https://verifier.openbotauth.org/verify',
+  // Optional: Request timeout in ms (default: 5000)
+  timeoutMs: 5000,
+});
+
+const result = await client.verify({
+  method: 'GET',
+  url: 'https://example.com/api/resource',
+  headers: {
+    'signature-input': '...',
+    'signature': '...',
+    'signature-agent': '...',
+  },
+  body: undefined, // Optional request body
+});
+
+// Result type:
+// {
+//   verified: boolean;
+//   agent?: { jwks_url: string; kid: string; client_name?: string };
+//   error?: string;
+//   created?: number;
+//   expires?: number;
+// }
+```
+
+### openBotAuthMiddleware
+
+Express middleware for automatic verification. Import from the `/express` subpath to avoid pulling Express types into non-Express projects.
+
+```typescript
+import { openBotAuthMiddleware } from '@openbotauth/verifier-client/express';
+
+app.use(openBotAuthMiddleware({
+  // Optional: Override verifier URL
+  verifierUrl: 'http://localhost:8081/verify',
+
+  // Optional: Behavior mode
+  // - "observe" (default): Attach result, allow all requests
+  // - "require-verified": Block unverified signed requests with 401
+  mode: 'observe',
+
+  // Optional: Property name on request object (default: "oba")
+  attachProperty: 'oba',
+
+  // Optional: Request timeout in ms (default: 5000)
+  timeoutMs: 5000,
+}));
+```
+
+### Header Extraction Helpers
+
+```typescript
+import {
+  parseCoveredHeaders,
+  extractForwardedHeaders,
+  hasSignatureHeaders
+} from '@openbotauth/verifier-client';
+
+// Parse covered headers from Signature-Input
+const covered = parseCoveredHeaders(
+  'sig1=("@method" "@target-uri" "content-type");created=1234'
+);
+// Returns: ["@method", "@target-uri", "content-type"]
+
+// Check if request has signature headers
+if (hasSignatureHeaders(headers)) {
+  // Extract headers safe to forward (blocks sensitive headers)
+  const result = extractForwardedHeaders(headers, signatureInput);
+
+  if (result.error) {
+    // Signature covers sensitive header (cookie, authorization, etc.)
+    console.error(result.error);
+  } else {
+    // result.headers contains safe headers to forward
+  }
+}
+```
+
+### Next.js Helpers
+
+```typescript
+import {
+  extractFromNextHeaders,
+  buildVerifyRequestForNext,
+  buildVerifyRequestForNextWithBody,
+} from '@openbotauth/verifier-client';
+
+// Convert Next.js Headers to plain object
+const headersObj = extractFromNextHeaders(request.headers);
+
+// Build verification request (without body)
+const verifyRequest = buildVerifyRequestForNext(request);
+
+// Build verification request (with body - consumes body stream)
+const verifyRequestWithBody = await buildVerifyRequestForNextWithBody(request);
+```
+
+## Configuration
+
+### Using Hosted Verifier (Default)
+
+By default, the client uses the hosted verifier at `https://verifier.openbotauth.org/verify`. This requires no configuration:
+
+```typescript
+const client = new VerifierClient();
+// or
+app.use(openBotAuthMiddleware());
+```
+
+### Using Local/Self-Hosted Verifier
+
+For development or self-hosted deployments:
+
+```typescript
+const client = new VerifierClient({
+  verifierUrl: 'http://localhost:8081/verify',
+});
+
+// or with middleware
+app.use(openBotAuthMiddleware({
+  verifierUrl: 'http://localhost:8081/verify',
+}));
+```
+
+## Testing with bot-cli
+
+You can test your integration using the OpenBotAuth bot-cli:
+
+1. Start your Express server with the middleware
+2. Run bot-cli to make a signed request:
+
+```bash
+# From the OpenBotAuth monorepo
+pnpm --filter @openbotauth/bot-cli dev fetch http://localhost:3000/api/resource -v
+```
+
+**Note**: For the hosted verifier to successfully verify signatures, the `Signature-Agent` JWKS URL must be publicly accessible. Use a registry.openbotauth.org JWKS URL for testing.
+
+## Security
+
+This package follows security best practices:
+
+- **No local crypto**: Signature verification is delegated to the verifier service
+- **Sensitive header protection**: The client will NOT forward requests that sign sensitive headers:
+  - `cookie`
+  - `authorization`
+  - `proxy-authorization`
+  - `www-authenticate`
+- **Timeout handling**: All verifier requests have configurable timeouts
+- **Header normalization**: All forwarded headers are normalized to lowercase
+
+## Types
+
+```typescript
+interface VerificationRequest {
+  method: string;
+  url: string;
+  headers: Record<string, string>;
+  body?: string;
+}
+
+interface VerificationResult {
+  verified: boolean;
+  agent?: {
+    jwks_url: string;
+    kid: string;
+    client_name?: string;
+  };
+  error?: string;
+  created?: number;
+  expires?: number;
+}
+
+interface MiddlewareOptions {
+  verifierUrl?: string;
+  mode?: 'observe' | 'require-verified';
+  attachProperty?: string;
+  timeoutMs?: number;
+}
+
+interface RequestVerificationInfo {
+  signed: boolean;
+  result?: VerificationResult;
+}
+```
+
+## Standards & References
+
+- [Web Bot Auth IETF Draft](https://github.com/nicholasgriffintn/draft-web-bot-auth) - The IETF draft specification for bot authentication
+- [RFC 9421](https://www.rfc-editor.org/rfc/rfc9421.html) - HTTP Message Signatures
+- [RFC 7517](https://www.rfc-editor.org/rfc/rfc7517.html) - JSON Web Key (JWK)
+- [OpenBotAuth](https://openbotauth.org) - Reference implementation and hosted services
+
+## License
+
+Apache-2.0

package/dist/client.d.ts

@@ -0,0 +1,9 @@
+import type { VerifierClientOptions, VerificationRequest, VerificationResult } from './types.js';
+export declare class VerifierClient {
+    private readonly verifierUrl;
+    private readonly timeoutMs;
+    constructor(options?: VerifierClientOptions);
+    verify(input: VerificationRequest): Promise<VerificationResult>;
+    private getHeaderValue;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,qBAAqB,EACrB,mBAAmB,EACnB,kBAAkB,EACnB,MAAM,YAAY,CAAC;AAsCpB,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBASvB,OAAO,GAAE,qBAA0B;IAWzC,MAAM,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAwFrE,OAAO,CAAC,cAAc;CAYvB"}

package/dist/client.js

@@ -0,0 +1,92 @@
+import { extractForwardedHeaders, hasSignatureHeaders } from './headers.js';
+const DEFAULT_VERIFIER_URL = 'https://verifier.openbotauth.org/verify';
+const DEFAULT_TIMEOUT_MS = 5000;
+export class VerifierClient {
+    verifierUrl;
+    timeoutMs;
+    constructor(options = {}) {
+        this.verifierUrl = options.verifierUrl ?? DEFAULT_VERIFIER_URL;
+        this.timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    }
+    async verify(input) {
+        if (!hasSignatureHeaders(input.headers)) {
+            return {
+                verified: false,
+                error: 'No signature headers present',
+            };
+        }
+        const signatureInput = this.getHeaderValue(input.headers, 'signature-input');
+        if (!signatureInput) {
+            return {
+                verified: false,
+                error: 'Missing Signature-Input header (request has signature headers but Signature-Input is required)',
+            };
+        }
+        const signature = this.getHeaderValue(input.headers, 'signature');
+        if (!signature) {
+            return {
+                verified: false,
+                error: 'Missing Signature header (request has Signature-Input but Signature is required)',
+            };
+        }
+        const extractResult = extractForwardedHeaders(input.headers, signatureInput);
+        if (extractResult.error) {
+            return {
+                verified: false,
+                error: extractResult.error,
+            };
+        }
+        const payload = {
+            method: input.method,
+            url: input.url,
+            headers: extractResult.headers,
+            ...(input.body !== undefined && { body: input.body }),
+        };
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);
+        try {
+            const response = await fetch(this.verifierUrl, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                },
+                body: JSON.stringify(payload),
+                signal: controller.signal,
+            });
+            if (!response.ok) {
+                const errorText = await response.text();
+                return {
+                    verified: false,
+                    error: `Verifier returned ${response.status}: ${errorText}`,
+                };
+            }
+            const result = await response.json();
+            return result;
+        }
+        catch (error) {
+            if (error instanceof Error && error.name === 'AbortError') {
+                return {
+                    verified: false,
+                    error: `Verification timed out after ${this.timeoutMs}ms`,
+                };
+            }
+            return {
+                verified: false,
+                error: `Verification failed: ${error instanceof Error ? error.message : String(error)}`,
+            };
+        }
+        finally {
+            clearTimeout(timeoutId);
+        }
+    }
+    getHeaderValue(headers, name) {
+        const normalized = name.toLowerCase();
+        for (const [key, value] of Object.entries(headers)) {
+            if (key.toLowerCase() === normalized) {
+                return value;
+            }
+        }
+        return undefined;
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAK5E,MAAM,oBAAoB,GAAG,yCAAyC,CAAC;AAKvE,MAAM,kBAAkB,GAAG,IAAI,CAAC;AA2BhC,MAAM,OAAO,cAAc;IACR,WAAW,CAAS;IACpB,SAAS,CAAS;IASnC,YAAY,UAAiC,EAAE;QAC7C,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,CAAC;QAC/D,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC;IAC3D,CAAC;IAQD,KAAK,CAAC,MAAM,CAAC,KAA0B;QAErC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;YACxC,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,8BAA8B;aACtC,CAAC;QACJ,CAAC;QAGD,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;QAC7E,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,gGAAgG;aACxG,CAAC;QACJ,CAAC;QAGD,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAClE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,kFAAkF;aAC1F,CAAC;QACJ,CAAC;QAGD,MAAM,aAAa,GAAG,uBAAuB,CAAC,KAAK,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QAC7E,IAAI,aAAa,CAAC,KAAK,EAAE,CAAC;YACxB,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,aAAa,CAAC,KAAK;aAC3B,CAAC;QACJ,CAAC;QAID,MAAM,OAAO,GAAG;YACd,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,OAAO,EAAE,aAAa,CAAC,OAAO;YAC9B,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,SAAS,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC;SACtD,CAAC;QAEF,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QAEvE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE;gBAC7C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;iBACnC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;gBAC7B,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACxC,OAAO;oBACL,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,qBAAqB,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE;iBAC5D,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAwB,CAAC;YAC3D,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC1D,OAAO;oBACL,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,gCAAgC,IAAI,CAAC,SAAS,IAAI;iBAC1D,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,wBAAwB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;aACxF,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,SAAS,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAKO,cAAc,CACpB,OAA+B,EAC/B,IAAY;QAEZ,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACtC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACnD,IAAI,GAAG,CAAC,WAAW,EAAE,KAAK,UAAU,EAAE,CAAC;gBACrC,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CACF"}

package/dist/express.d.ts

@@ -0,0 +1,3 @@
+export { openBotAuthMiddleware } from './middleware.js';
+export type { MiddlewareOptions, RequestVerificationInfo } from './types.js';
+//# sourceMappingURL=express.d.ts.map

package/dist/express.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../src/express.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AACxD,YAAY,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC"}

package/dist/express.js

@@ -0,0 +1,2 @@
+export { openBotAuthMiddleware } from './middleware.js';
+//# sourceMappingURL=express.js.map

package/dist/express.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.js","sourceRoot":"","sources":["../src/express.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/headers.d.ts

@@ -0,0 +1,5 @@
+import type { HeaderExtractionResult } from './types.js';
+export declare function parseCoveredHeaders(signatureInput: string): string[];
+export declare function extractForwardedHeaders(rawHeaders: Record<string, string | undefined>, signatureInput: string): HeaderExtractionResult;
+export declare function hasSignatureHeaders(headers: Record<string, string | undefined>): boolean;
+//# sourceMappingURL=headers.d.ts.map

package/dist/headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../src/headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAuCzD,wBAAgB,mBAAmB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,EAAE,CAyBpE;AAoCD,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,EAC9C,cAAc,EAAE,MAAM,GACrB,sBAAsB,CAqDxB;AAsBD,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GAC1C,OAAO,CAQT"}

package/dist/headers.js

@@ -0,0 +1,88 @@
+const SENSITIVE_HEADERS = new Set([
+    'cookie',
+    'authorization',
+    'proxy-authorization',
+    'www-authenticate',
+]);
+const SIGNATURE_HEADERS = ['signature-input', 'signature'];
+const SIGNATURE_AGENT_HEADER = 'signature-agent';
+export function parseCoveredHeaders(signatureInput) {
+    const openParen = signatureInput.indexOf('(');
+    if (openParen === -1) {
+        return [];
+    }
+    const closeParen = signatureInput.indexOf(')', openParen);
+    if (closeParen === -1) {
+        return [];
+    }
+    const content = signatureInput.slice(openParen + 1, closeParen);
+    return content
+        .split(/\s+/)
+        .filter((s) => s.length > 0)
+        .map((s) => {
+        if (s.startsWith('"') && s.endsWith('"')) {
+            return s.slice(1, -1).toLowerCase();
+        }
+        return s.toLowerCase();
+    });
+}
+function normalizeHeaderName(name) {
+    return name.toLowerCase();
+}
+function isDerivedComponent(name) {
+    return name.startsWith('@');
+}
+export function extractForwardedHeaders(rawHeaders, signatureInput) {
+    const result = {};
+    const getHeader = (name) => {
+        const normalized = normalizeHeaderName(name);
+        for (const [key, value] of Object.entries(rawHeaders)) {
+            if (normalizeHeaderName(key) === normalized && value !== undefined) {
+                return value;
+            }
+        }
+        return undefined;
+    };
+    for (const headerName of SIGNATURE_HEADERS) {
+        const value = getHeader(headerName);
+        if (value !== undefined) {
+            result[headerName] = value;
+        }
+    }
+    const signatureAgent = getHeader(SIGNATURE_AGENT_HEADER);
+    if (signatureAgent !== undefined) {
+        result[SIGNATURE_AGENT_HEADER] = signatureAgent;
+    }
+    const coveredHeaders = parseCoveredHeaders(signatureInput);
+    for (const headerName of coveredHeaders) {
+        if (isDerivedComponent(headerName)) {
+            continue;
+        }
+        if (SENSITIVE_HEADERS.has(headerName)) {
+            return {
+                error: `Signature covers sensitive header: ${headerName}`,
+            };
+        }
+        const value = getHeader(headerName);
+        if (value !== undefined) {
+            result[headerName] = value;
+        }
+    }
+    return { headers: result };
+}
+const SIGNATURE_RELATED_HEADERS = new Set([
+    'signature-input',
+    'signature',
+    'signature-agent',
+]);
+export function hasSignatureHeaders(headers) {
+    for (const [key, value] of Object.entries(headers)) {
+        if (value === undefined)
+            continue;
+        if (SIGNATURE_RELATED_HEADERS.has(normalizeHeaderName(key))) {
+            return true;
+        }
+    }
+    return false;
+}
+//# sourceMappingURL=headers.js.map

package/dist/headers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"headers.js","sourceRoot":"","sources":["../src/headers.ts"],"names":[],"mappings":"AAMA,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,QAAQ;IACR,eAAe;IACf,qBAAqB;IACrB,kBAAkB;CACnB,CAAC,CAAC;AAKH,MAAM,iBAAiB,GAAG,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;AAK3D,MAAM,sBAAsB,GAAG,iBAAiB,CAAC;AAkBjD,MAAM,UAAU,mBAAmB,CAAC,cAAsB;IAExD,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC9C,IAAI,SAAS,KAAK,CAAC,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC1D,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,EAAE,UAAU,CAAC,CAAC;IAGhE,OAAO,OAAO;SACX,KAAK,CAAC,KAAK,CAAC;SACZ,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;SAC3B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAET,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACzC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACtC,CAAC;QACD,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;AACP,CAAC;AAKD,SAAS,mBAAmB,CAAC,IAAY;IACvC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;AAC5B,CAAC;AAKD,SAAS,kBAAkB,CAAC,IAAY;IACtC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC;AAsBD,MAAM,UAAU,uBAAuB,CACrC,UAA8C,EAC9C,cAAsB;IAEtB,MAAM,MAAM,GAA2B,EAAE,CAAC;IAG1C,MAAM,SAAS,GAAG,CAAC,IAAY,EAAsB,EAAE;QACrD,MAAM,UAAU,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC7C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YACtD,IAAI,mBAAmB,CAAC,GAAG,CAAC,KAAK,UAAU,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACnE,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;IAGF,KAAK,MAAM,UAAU,IAAI,iBAAiB,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC;QAC7B,CAAC;IACH,CAAC;IAGD,MAAM,cAAc,GAAG,SAAS,CAAC,sBAAsB,CAAC,CAAC;IACzD,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,CAAC,sBAAsB,CAAC,GAAG,cAAc,CAAC;IAClD,CAAC;IAGD,MAAM,cAAc,GAAG,mBAAmB,CAAC,cAAc,CAAC,CAAC;IAG3D,KAAK,MAAM,UAAU,IAAI,cAAc,EAAE,CAAC;QAExC,IAAI,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAAC;YACnC,SAAS;QACX,CAAC;QAGD,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YACtC,OAAO;gBACL,KAAK,EAAE,sCAAsC,UAAU,EAAE;aAC1D,CAAC;QACJ,CAAC;QAGD,MAAM,KAAK,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AAC7B,CAAC;AAKD,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC;IACxC,iBAAiB;IACjB,WAAW;IACX,iBAAiB;CAClB,CAAC,CAAC;AAaH,MAAM,UAAU,mBAAmB,CACjC,OAA2C;IAE3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,IAAI,KAAK,KAAK,SAAS;YAAE,SAAS;QAClC,IAAI,yBAAyB,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC5D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+export type { VerificationRequest, VerificationResult, VerifiedAgent, VerifierClientOptions, HeaderExtractionResult, } from './types.js';
+export { VerifierClient } from './client.js';
+export { parseCoveredHeaders, extractForwardedHeaders, hasSignatureHeaders, } from './headers.js';
+export { extractFromNextHeaders, buildVerifyRequestForNext, buildVerifyRequestForNextWithBody, } from './nextjs.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EACV,mBAAmB,EACnB,kBAAkB,EAClB,aAAa,EACb,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAG7C,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,iCAAiC,GAClC,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -0,0 +1,4 @@
+export { VerifierClient } from './client.js';
+export { parseCoveredHeaders, extractForwardedHeaders, hasSignatureHeaders, } from './headers.js';
+export { extractFromNextHeaders, buildVerifyRequestForNext, buildVerifyRequestForNextWithBody, } from './nextjs.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAG7C,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,iCAAiC,GAClC,MAAM,aAAa,CAAC"}

package/dist/middleware.d.ts

@@ -0,0 +1,4 @@
+import type { Request, Response, NextFunction } from 'express';
+import type { MiddlewareOptions } from './types.js';
+export declare function openBotAuthMiddleware(options?: MiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,KAAK,EAAE,iBAAiB,EAA2B,MAAM,YAAY,CAAC;AAoC7E,wBAAgB,qBAAqB,CACnC,OAAO,GAAE,iBAAsB,GAC9B,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAuEpE"}

package/dist/middleware.js

@@ -0,0 +1,55 @@
+import { VerifierClient } from './client.js';
+import { hasSignatureHeaders } from './headers.js';
+export function openBotAuthMiddleware(options = {}) {
+    const { verifierUrl, mode = 'observe', attachProperty = 'oba', timeoutMs, } = options;
+    const client = new VerifierClient({ verifierUrl, timeoutMs });
+    return async (req, res, next) => {
+        const headers = {};
+        for (const [key, value] of Object.entries(req.headers)) {
+            if (typeof value === 'string') {
+                headers[key] = value;
+            }
+            else if (Array.isArray(value)) {
+                headers[key] = value.join(', ');
+            }
+        }
+        if (!hasSignatureHeaders(headers)) {
+            const info = { signed: false };
+            req[attachProperty] = info;
+            next();
+            return;
+        }
+        const protocol = req.protocol;
+        const host = req.get('host') || 'localhost';
+        const url = `${protocol}://${host}${req.originalUrl}`;
+        let body;
+        if (req.body !== undefined && req.body !== null) {
+            if (typeof req.body === 'string') {
+                body = req.body;
+            }
+            else if (Buffer.isBuffer(req.body)) {
+                body = req.body.toString('utf-8');
+            }
+            else if (typeof req.body === 'object') {
+                body = JSON.stringify(req.body);
+            }
+        }
+        const result = await client.verify({
+            method: req.method,
+            url,
+            headers: headers,
+            body,
+        });
+        const info = { signed: true, result };
+        req[attachProperty] = info;
+        if (mode === 'require-verified' && !result.verified) {
+            res.status(401).json({
+                error: 'Signature verification failed',
+                details: result.error,
+            });
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAkCnD,MAAM,UAAU,qBAAqB,CACnC,UAA6B,EAAE;IAE/B,MAAM,EACJ,WAAW,EACX,IAAI,GAAG,SAAS,EAChB,cAAc,GAAG,KAAK,EACtB,SAAS,GACV,GAAG,OAAO,CAAC;IAEZ,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC,CAAC;IAE9D,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAiB,EAAE;QAE9E,MAAM,OAAO,GAAuC,EAAE,CAAC;QACvD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACvD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACvB,CAAC;iBAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;QAGD,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAAE,CAAC;YAElC,MAAM,IAAI,GAA4B,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YACvD,GAA0C,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC;YACnE,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAGD,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;QAC9B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,WAAW,CAAC;QAC5C,MAAM,GAAG,GAAG,GAAG,QAAQ,MAAM,IAAI,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAItD,IAAI,IAAwB,CAAC;QAC7B,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YAChD,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACjC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;YAClB,CAAC;iBAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACpC,CAAC;iBAAM,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACxC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;QAGD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC;YACjC,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,GAAG;YACH,OAAO,EAAE,OAAiC;YAC1C,IAAI;SACL,CAAC,CAAC;QAGH,MAAM,IAAI,GAA4B,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC9D,GAA0C,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC;QAGnE,IAAI,IAAI,KAAK,kBAAkB,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,+BAA+B;gBACtC,OAAO,EAAE,MAAM,CAAC,KAAK;aACtB,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/nextjs.d.ts

@@ -0,0 +1,5 @@
+import type { VerificationRequest } from './types.js';
+export declare function extractFromNextHeaders(nextHeaders: Headers): Record<string, string>;
+export declare function buildVerifyRequestForNext(request: Request): Omit<VerificationRequest, 'body'>;
+export declare function buildVerifyRequestForNextWithBody(request: Request): Promise<VerificationRequest>;
+//# sourceMappingURL=nextjs.d.ts.map

package/dist/nextjs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs.d.ts","sourceRoot":"","sources":["../src/nextjs.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAqBtD,wBAAgB,sBAAsB,CAAC,WAAW,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQnF;AAqCD,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,OAAO,GACf,IAAI,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAQnC;AA2BD,wBAAsB,iCAAiC,CACrD,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,mBAAmB,CAAC,CAU9B"}

package/dist/nextjs.js

@@ -0,0 +1,26 @@
+export function extractFromNextHeaders(nextHeaders) {
+    const result = {};
+    nextHeaders.forEach((value, key) => {
+        result[key.toLowerCase()] = value;
+    });
+    return result;
+}
+export function buildVerifyRequestForNext(request) {
+    const headers = extractFromNextHeaders(request.headers);
+    return {
+        method: request.method,
+        url: request.url,
+        headers,
+    };
+}
+export async function buildVerifyRequestForNextWithBody(request) {
+    const headers = extractFromNextHeaders(request.headers);
+    const body = await request.text();
+    return {
+        method: request.method,
+        url: request.url,
+        headers,
+        body: body || undefined,
+    };
+}
+//# sourceMappingURL=nextjs.js.map

package/dist/nextjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs.js","sourceRoot":"","sources":["../src/nextjs.ts"],"names":[],"mappings":"AAqBA,MAAM,UAAU,sBAAsB,CAAC,WAAoB;IACzD,MAAM,MAAM,GAA2B,EAAE,CAAC;IAE1C,WAAW,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACjC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,GAAG,KAAK,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAqCD,MAAM,UAAU,yBAAyB,CACvC,OAAgB;IAEhB,MAAM,OAAO,GAAG,sBAAsB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAExD,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,OAAO;KACR,CAAC;AACJ,CAAC;AA2BD,MAAM,CAAC,KAAK,UAAU,iCAAiC,CACrD,OAAgB;IAEhB,MAAM,OAAO,GAAG,sBAAsB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACxD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;IAElC,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,OAAO;QACP,IAAI,EAAE,IAAI,IAAI,SAAS;KACxB,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,40 @@
+export interface VerificationRequest {
+    method: string;
+    url: string;
+    headers: Record<string, string>;
+    body?: string;
+}
+export interface VerifiedAgent {
+    jwks_url: string;
+    kid: string;
+    client_name?: string;
+}
+export interface VerificationResult {
+    verified: boolean;
+    agent?: VerifiedAgent;
+    error?: string;
+    created?: number;
+    expires?: number;
+}
+export interface VerifierClientOptions {
+    verifierUrl?: string;
+    timeoutMs?: number;
+}
+export interface MiddlewareOptions {
+    verifierUrl?: string;
+    mode?: 'observe' | 'require-verified';
+    attachProperty?: string;
+    timeoutMs?: number;
+}
+export interface RequestVerificationInfo {
+    signed: boolean;
+    result?: VerificationResult;
+}
+export type HeaderExtractionResult = {
+    headers: Record<string, string>;
+    error?: never;
+} | {
+    headers?: never;
+    error: string;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAKD,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAKD,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAKD,MAAM,WAAW,qBAAqB;IAKpC,WAAW,CAAC,EAAE,MAAM,CAAC;IAMrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAKD,MAAM,WAAW,iBAAiB;IAKhC,WAAW,CAAC,EAAE,MAAM,CAAC;IAQrB,IAAI,CAAC,EAAE,SAAS,GAAG,kBAAkB,CAAC;IAMtC,cAAc,CAAC,EAAE,MAAM,CAAC;IAMxB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAKD,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,kBAAkB,CAAC;CAC7B;AAKD,MAAM,MAAM,sBAAsB,GAC9B;IAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,KAAK,CAAC,EAAE,KAAK,CAAA;CAAE,GAClD;IAAE,OAAO,CAAC,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,75 @@
+{
+  "name": "@openbotauth/verifier-client",
+  "version": "0.1.0",
+  "description": "Client library for verifying Web Bot Auth / OpenBotAuth (RFC 9421) signed HTTP requests",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./express": {
+      "types": "./dist/express.d.ts",
+      "import": "./dist/express.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "clean": "rm -rf dist",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "keywords": [
+    "webbotauth",
+    "web-bot-auth",
+    "openbotauth",
+    "rfc9421",
+    "http-signatures",
+    "verification",
+    "express",
+    "nextjs",
+    "middleware",
+    "bot-auth",
+    "agent-auth",
+    "ai-agent"
+  ],
+  "author": "OpenBotAuth",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/OpenBotAuth/openbotauth.git",
+    "directory": "packages/verifier-client"
+  },
+  "homepage": "https://openbotauth.org",
+  "bugs": {
+    "url": "https://github.com/OpenBotAuth/openbotauth/issues"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "devDependencies": {
+    "@types/express": "^4.17.21",
+    "@types/node": "^20.14.0",
+    "typescript": "^5.4.5",
+    "vitest": "^1.6.0"
+  },
+  "peerDependencies": {
+    "express": "^4.x || ^5.x"
+  },
+  "peerDependenciesMeta": {
+    "express": {
+      "optional": true
+    }
+  }
+}