@opendatalabs/service-auth 1.0.0-next.1

package/dist/resource-server/index.js

@@ -0,0 +1,199 @@
+/**
+ * Resource-server middleware. INTERNAL Vana package.
+ *
+ * Validates an inbound `Authorization: Bearer <jwt>` header against
+ * Hydra's published JWKS, enforces `iss`/`aud`/`exp`/`nbf`/`alg`, and
+ * returns a structured success or failure. Two surfaces:
+ *
+ *   - `validateAccessToken(authHeader, opts?)`  --  pure function. Use
+ *     this when you control the response shape.
+ *   - `requireJwt({ requiredScopes? })`  --  Next.js-style middleware
+ *     wrapper that returns a `Response` on rejection.
+ *
+ * Compliance
+ * ----------
+ *
+ *   - RFC 9068 access token shape. We do NOT invent Vana-specific
+ *     claim names; we read `aud`, `iss`, `client_id`, `scope`, `sub`.
+ *   - Algorithm allowlist defaults to `["RS256", "ES256"]`. Hydra's
+ *     defaults are `ES256` for access tokens; allowing both lets
+ *     services bring their own key shape without our code knowing.
+ */
+import { createLocalJWKSet, createRemoteJWKSet, errors as joseErrors, jwtVerify, } from "jose";
+const DEFAULT_ALLOWED_ALGORITHMS = ["RS256", "ES256"];
+// Per-jwksUri resolver cache. jose.createRemoteJWKSet already handles
+// in-flight coalescing and rotation, so we just want one resolver per
+// URL across all validators in a process.
+const remoteJwksCache = new Map();
+function getRemoteJwks(uri) {
+    let resolver = remoteJwksCache.get(uri);
+    if (!resolver) {
+        resolver = createRemoteJWKSet(new URL(uri));
+        remoteJwksCache.set(uri, resolver);
+    }
+    return resolver;
+}
+/** Test-only: drop cached resolvers between tests. */
+export function _resetJwksCacheForTests() {
+    remoteJwksCache.clear();
+}
+function looksLikeJwt(token) {
+    if (token.length < 16)
+        return false;
+    const parts = token.split(".");
+    if (parts.length !== 3)
+        return false;
+    const b64u = /^[A-Za-z0-9_-]+$/;
+    return parts.every((p) => p.length > 0 && b64u.test(p));
+}
+function extractBearer(header) {
+    if (!header)
+        return null;
+    const trimmed = header.trim();
+    if (trimmed.length < 8)
+        return null;
+    if (trimmed.slice(0, 7).toLowerCase() !== "bearer ")
+        return null;
+    return trimmed.slice(7).trim() || null;
+}
+function audienceIncludes(claim, expected) {
+    if (typeof claim === "string")
+        return claim === expected;
+    if (Array.isArray(claim))
+        return claim.includes(expected);
+    return false;
+}
+function scopeIncludes(claim, required) {
+    if (required.length === 0)
+        return true;
+    const present = typeof claim === "string"
+        ? new Set(claim.split(/\s+/).filter(Boolean))
+        : null;
+    if (!present)
+        return false;
+    for (const r of required) {
+        if (!present.has(r))
+            return false;
+    }
+    return true;
+}
+export function createServiceAuthValidator(options) {
+    if (!options.issuer)
+        throw new Error("service-auth: issuer is required");
+    if (!options.audience)
+        throw new Error("service-auth: audience is required");
+    if (!(options.jwksUri || options.jwks)) {
+        throw new Error("service-auth: jwksUri or jwks must be provided");
+    }
+    const allowedAlgorithms = (options.allowedAlgorithms ??
+        DEFAULT_ALLOWED_ALGORITHMS);
+    const clockTolerance = options.clockToleranceSec ?? 30;
+    const keyResolver = options.jwks
+        ? createLocalJWKSet(options.jwks)
+        : getRemoteJwks(options.jwksUri);
+    async function validateAccessToken(header, input) {
+        const presented = extractBearer(header);
+        if (!presented)
+            return { valid: false, reason: "not_bearer" };
+        if (!looksLikeJwt(presented))
+            return { valid: false, reason: "not_a_jwt" };
+        let payload;
+        try {
+            const verified = await jwtVerify(presented, keyResolver, {
+                issuer: options.issuer,
+                algorithms: allowedAlgorithms,
+                clockTolerance,
+            });
+            payload = verified.payload;
+        }
+        catch (err) {
+            return classifyJoseError(err);
+        }
+        if (!audienceIncludes(payload.aud, options.audience)) {
+            return { valid: false, reason: "wrong_audience" };
+        }
+        if (!scopeIncludes(payload.scope, input?.requiredScopes ?? [])) {
+            return { valid: false, reason: "insufficient_scope" };
+        }
+        let clientId = null;
+        if (typeof payload.client_id === "string") {
+            clientId = payload.client_id;
+        }
+        else if (typeof payload.sub === "string") {
+            clientId = payload.sub;
+        }
+        if (!clientId) {
+            return {
+                valid: false,
+                reason: "missing_claims",
+                detail: "no client_id / sub",
+            };
+        }
+        return {
+            valid: true,
+            claims: payload,
+            clientId,
+        };
+    }
+    function requireJwt(input) {
+        return async (request) => {
+            const result = await validateAccessToken(request.headers.get("authorization"), input);
+            if (result.valid) {
+                return { ok: true, result };
+            }
+            return {
+                ok: false,
+                response: rejectionResponse(result.reason),
+            };
+        };
+    }
+    return { validateAccessToken, requireJwt };
+}
+function classifyJoseError(err) {
+    if (err instanceof joseErrors.JWTExpired) {
+        return { valid: false, reason: "expired" };
+    }
+    if (err instanceof joseErrors.JWSSignatureVerificationFailed) {
+        return { valid: false, reason: "bad_signature" };
+    }
+    if (err instanceof joseErrors.JOSEAlgNotAllowed) {
+        return { valid: false, reason: "wrong_algorithm" };
+    }
+    if (err instanceof joseErrors.JWTClaimValidationFailed) {
+        const claim = err.claim;
+        if (claim === "iss")
+            return { valid: false, reason: "wrong_issuer" };
+        return {
+            valid: false,
+            reason: "missing_claims",
+            detail: `claim=${claim ?? "unknown"}`,
+        };
+    }
+    if (err instanceof joseErrors.JWSInvalid ||
+        err instanceof joseErrors.JWTInvalid) {
+        return { valid: false, reason: "not_a_jwt" };
+    }
+    return {
+        valid: false,
+        reason: "verify_error",
+        detail: err instanceof Error ? err.message : String(err),
+    };
+}
+function rejectionResponse(reason) {
+    // RFC 6750 §3 "WWW-Authenticate: Bearer" semantics: 401 for
+    // authentication failures, 403 for insufficient scope.
+    const status = reason === "insufficient_scope" ? 403 : 401;
+    const error = reason === "expired"
+        ? "invalid_token"
+        : reason === "insufficient_scope"
+            ? "insufficient_scope"
+            : "invalid_token";
+    return new Response(JSON.stringify({ error, reason }), {
+        status,
+        headers: {
+            "content-type": "application/json",
+            "www-authenticate": `Bearer error="${error}"`,
+        },
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/resource-server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/resource-server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,MAAM,IAAI,UAAU,EAGpB,SAAS,GACV,MAAM,MAAM,CAAC;AAEd,MAAM,0BAA0B,GAAG,CAAC,OAAO,EAAE,OAAO,CAAU,CAAC;AA0E/D,sEAAsE;AACtE,sEAAsE;AACtE,0CAA0C;AAC1C,MAAM,eAAe,GAAG,IAAI,GAAG,EAG5B,CAAC;AAEJ,SAAS,aAAa,CAAC,GAAW;IAChC,IAAI,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5C,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,sDAAsD;AACtD,MAAM,UAAU,uBAAuB;IACrC,eAAe,CAAC,KAAK,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IACpC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,MAAM,IAAI,GAAG,kBAAkB,CAAC;IAChC,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,aAAa,CAAC,MAAiC;IACtD,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACjE,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;AACzC,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc,EAAE,QAAgB;IACxD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,KAAK,QAAQ,CAAC;IACzD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC1D,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,KAAc,EAAE,QAAkB;IACvD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,MAAM,OAAO,GACX,OAAO,KAAK,KAAK,QAAQ;QACvB,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC7C,CAAC,CAAC,IAAI,CAAC;IACX,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IACpC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,OAAoC;IAEpC,IAAI,CAAC,OAAO,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACzE,IAAI,CAAC,OAAO,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IAC7E,IAAI,CAAC,CAAC,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,iBAAiB,GAAG,CAAC,OAAO,CAAC,iBAAiB;QAClD,0BAA0B,CAAsB,CAAC;IACnD,MAAM,cAAc,GAAG,OAAO,CAAC,iBAAiB,IAAI,EAAE,CAAC;IACvD,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI;QAC9B,CAAC,CAAC,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC;QACjC,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,OAAiB,CAAC,CAAC;IAE7C,KAAK,UAAU,mBAAmB,CAChC,MAAiC,EACjC,KAAgC;QAEhC,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS;YAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;QAC9D,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC;YAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;QAE3E,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,SAAS,EAAE,WAAW,EAAE;gBACvD,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,UAAU,EAAE,iBAA6B;gBACzC,cAAc;aACf,CAAC,CAAC;YACH,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;QAED,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;QACpD,CAAC;QAED,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,cAAc,IAAI,EAAE,CAAC,EAAE,CAAC;YAC/D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;QACxD,CAAC;QAED,IAAI,QAAQ,GAAkB,IAAI,CAAC;QACnC,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC1C,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC;QAC/B,CAAC;aAAM,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC3C,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC;QACzB,CAAC;QACD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,gBAAgB;gBACxB,MAAM,EAAE,oBAAoB;aAC7B,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,IAAI;YACX,MAAM,EAAE,OAA4D;YACpE,QAAQ;SACT,CAAC;IACJ,CAAC;IAED,SAAS,UAAU,CAAC,KAAgC;QAClD,OAAO,KAAK,EAAE,OAAgB,EAAE,EAAE;YAChC,MAAM,MAAM,GAAG,MAAM,mBAAmB,CACtC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EACpC,KAAK,CACN,CAAC;YACF,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,OAAO,EAAE,EAAE,EAAE,IAAa,EAAE,MAAM,EAAE,CAAC;YACvC,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,KAAc;gBAClB,QAAQ,EAAE,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC;aAC3C,CAAC;QACJ,CAAC,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,mBAAmB,EAAE,UAAU,EAAE,CAAC;AAC7C,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAY;IACrC,IAAI,GAAG,YAAY,UAAU,CAAC,UAAU,EAAE,CAAC;QACzC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC7C,CAAC;IACD,IAAI,GAAG,YAAY,UAAU,CAAC,8BAA8B,EAAE,CAAC;QAC7D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACnD,CAAC;IACD,IAAI,GAAG,YAAY,UAAU,CAAC,iBAAiB,EAAE,CAAC;QAChD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACrD,CAAC;IACD,IAAI,GAAG,YAAY,UAAU,CAAC,wBAAwB,EAAE,CAAC;QACvD,MAAM,KAAK,GAAI,GAA0B,CAAC,KAAK,CAAC;QAChD,IAAI,KAAK,KAAK,KAAK;YAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;QACrE,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,gBAAgB;YACxB,MAAM,EAAE,SAAS,KAAK,IAAI,SAAS,EAAE;SACtC,CAAC;IACJ,CAAC;IACD,IACE,GAAG,YAAY,UAAU,CAAC,UAAU;QACpC,GAAG,YAAY,UAAU,CAAC,UAAU,EACpC,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC/C,CAAC;IACD,OAAO;QACL,KAAK,EAAE,KAAK;QACZ,MAAM,EAAE,cAAc;QACtB,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;KACzD,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CACxB,MAAwE;IAExE,4DAA4D;IAC5D,uDAAuD;IACvD,MAAM,MAAM,GAAG,MAAM,KAAK,oBAAoB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IAC3D,MAAM,KAAK,GACT,MAAM,KAAK,SAAS;QAClB,CAAC,CAAC,eAAe;QACjB,CAAC,CAAC,MAAM,KAAK,oBAAoB;YAC/B,CAAC,CAAC,oBAAoB;YACtB,CAAC,CAAC,eAAe,CAAC;IACxB,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,EACjC;QACE,MAAM;QACN,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,kBAAkB,EAAE,iBAAiB,KAAK,GAAG;SAC9C;KACF,CACF,CAAC;AACJ,CAAC"}

package/dist/testkit/index.d.ts

@@ -0,0 +1,91 @@
+/**
+ * Test fixtures for service-auth consumers. INTERNAL Vana package.
+ *
+ * Use this from a service's own tests to:
+ *
+ *   - Spin up a fake issuer with a fresh ES256 keypair.
+ *   - Mint valid access tokens for happy-path tests.
+ *   - Get pre-made bad tokens (expired, wrong-aud, wrong-iss,
+ *     unsigned, malformed) for negative tests.
+ *
+ * NOT a public SDK. The shapes here are tuned for our own tests; they
+ * may change without notice.
+ */
+import { type JWK } from "jose";
+export interface FakeIssuerOptions {
+    /**
+     * The fake issuer URL to use in `iss` claims. Defaults to
+     * `"https://fake-issuer.test"`.
+     */
+    issuer?: string;
+    /**
+     * Algorithm. Defaults to `"ES256"` (matches Hydra's default for
+     * `access_token_strategy: jwt`).
+     */
+    algorithm?: "ES256" | "RS256";
+    /** Stable kid. Defaults to `"fake-kid-1"`. */
+    kid?: string;
+}
+export interface SignAccessTokenInput {
+    audience: string | string[];
+    subject?: string;
+    clientId?: string;
+    scope?: string;
+    expiresInSec?: number;
+    notBeforeSec?: number;
+    issuedAtSec?: number;
+    /** Override the issuer for negative-path tests. */
+    issuerOverride?: string;
+    /** Extra arbitrary claims. */
+    extraClaims?: Record<string, unknown>;
+}
+export interface SignAssertionInput {
+    /** Endpoint URL; becomes the `aud` claim per RFC 7523. */
+    tokenEndpoint: string;
+    clientId: string;
+    expiresInSec?: number;
+}
+export interface FakeIssuer {
+    issuer: string;
+    jwks: {
+        keys: JWK[];
+    };
+    signAccessToken(input: SignAccessTokenInput): Promise<string>;
+    signAssertion(input: SignAssertionInput): Promise<string>;
+}
+export declare function createFakeIssuer(options?: FakeIssuerOptions): Promise<FakeIssuer>;
+/**
+ * Pre-rolled fixtures. Builds tokens against a transient issuer; the
+ * returned object includes the issuer + jwks so a consumer's
+ * validator can be wired up:
+ *
+ *   const f = await createFixtures({ audience: "vana-account-introspect" });
+ *   const v = createServiceAuthValidator({
+ *     issuer: f.issuer.issuer,
+ *     audience: "vana-account-introspect",
+ *     jwks: f.issuer.jwks,
+ *   });
+ *   await v.validateAccessToken(`Bearer ${f.expiredToken}`);
+ */
+export interface CommonFixturesInput {
+    audience: string;
+    clientId?: string;
+}
+export interface CommonFixtures {
+    issuer: FakeIssuer;
+    validToken: string;
+    expiredToken: string;
+    wrongAudienceToken: string;
+    wrongIssuerToken: string;
+    /**
+     * A JWT-shaped string with a valid header+payload but a flipped
+     * signature byte. jose rejects with JWSSignatureVerificationFailed.
+     */
+    unsignedToken: string;
+    /**
+     * Not a JWT at all (no segments). Hits the `not_a_jwt` reason.
+     */
+    malformedToken: string;
+}
+export declare function createFixtures(input: CommonFixturesInput): Promise<CommonFixtures>;
+//# sourceMappingURL=index.d.ts.map

package/dist/testkit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/testkit/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAIL,KAAK,GAAG,EAET,MAAM,MAAM,CAAC;AAEd,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC;IAC9B,8CAA8C;IAC9C,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC5B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mDAAmD;IACnD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,8BAA8B;IAC9B,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,kBAAkB;IACjC,0DAA0D;IAC1D,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE;QAAE,IAAI,EAAE,GAAG,EAAE,CAAA;KAAE,CAAC;IACtB,eAAe,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9D,aAAa,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC3D;AAuBD,wBAAsB,gBAAgB,CACpC,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,UAAU,CAAC,CA0CrB;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,UAAU,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gBAAgB,EAAE,MAAM,CAAC;IACzB;;;OAGG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,wBAAsB,cAAc,CAClC,KAAK,EAAE,mBAAmB,GACzB,OAAO,CAAC,cAAc,CAAC,CA2CzB"}

package/dist/testkit/index.js

@@ -0,0 +1,108 @@
+/**
+ * Test fixtures for service-auth consumers. INTERNAL Vana package.
+ *
+ * Use this from a service's own tests to:
+ *
+ *   - Spin up a fake issuer with a fresh ES256 keypair.
+ *   - Mint valid access tokens for happy-path tests.
+ *   - Get pre-made bad tokens (expired, wrong-aud, wrong-iss,
+ *     unsigned, malformed) for negative tests.
+ *
+ * NOT a public SDK. The shapes here are tuned for our own tests; they
+ * may change without notice.
+ */
+import { exportJWK, generateKeyPair, SignJWT, } from "jose";
+async function buildKey(alg, kid) {
+    const { privateKey, publicKey } = await generateKeyPair(alg, {
+        extractable: true,
+    });
+    const publicJwk = await exportJWK(publicKey);
+    publicJwk.alg = alg;
+    publicJwk.use = "sig";
+    publicJwk.kid = kid;
+    return { privateKey, publicJwk, alg, kid };
+}
+export async function createFakeIssuer(options = {}) {
+    const issuer = options.issuer ?? "https://fake-issuer.test";
+    const alg = options.algorithm ?? "ES256";
+    const kid = options.kid ?? "fake-kid-1";
+    const key = await buildKey(alg, kid);
+    return {
+        issuer,
+        jwks: { keys: [key.publicJwk] },
+        async signAccessToken(input) {
+            const now = Math.floor(Date.now() / 1000);
+            const iat = input.issuedAtSec ?? now;
+            const builder = new SignJWT({
+                ...(input.clientId ? { client_id: input.clientId } : {}),
+                ...(input.scope ? { scope: input.scope } : {}),
+                ...(input.extraClaims ?? {}),
+            })
+                .setProtectedHeader({ alg: key.alg, kid: key.kid, typ: "JWT" })
+                .setIssuer(input.issuerOverride ?? issuer)
+                .setSubject(input.subject ?? input.clientId ?? "fake-sub")
+                .setAudience(input.audience)
+                .setIssuedAt(iat)
+                .setExpirationTime(iat + (input.expiresInSec ?? 300));
+            if (input.notBeforeSec !== undefined) {
+                builder.setNotBefore(input.notBeforeSec);
+            }
+            return builder.sign(key.privateKey);
+        },
+        async signAssertion(input) {
+            const now = Math.floor(Date.now() / 1000);
+            return new SignJWT({})
+                .setProtectedHeader({ alg: key.alg, kid: key.kid, typ: "JWT" })
+                .setIssuer(input.clientId)
+                .setSubject(input.clientId)
+                .setAudience(input.tokenEndpoint)
+                .setIssuedAt(now)
+                .setNotBefore(now)
+                .setExpirationTime(now + (input.expiresInSec ?? 60))
+                .setJti(`fake-${now}-${Math.random().toString(36).slice(2, 10)}`)
+                .sign(key.privateKey);
+        },
+    };
+}
+export async function createFixtures(input) {
+    const issuer = await createFakeIssuer();
+    const clientId = input.clientId ?? "test-client";
+    const validToken = await issuer.signAccessToken({
+        audience: input.audience,
+        clientId,
+    });
+    const expiredToken = await issuer.signAccessToken({
+        audience: input.audience,
+        clientId,
+        issuedAtSec: Math.floor(Date.now() / 1000) - 7200,
+        expiresInSec: -3600, // exp = iat - 3600 = 2h ago
+    });
+    const wrongAudienceToken = await issuer.signAccessToken({
+        audience: "some-other-service",
+        clientId,
+    });
+    const wrongIssuerToken = await issuer.signAccessToken({
+        audience: input.audience,
+        clientId,
+        issuerOverride: "https://evil.example",
+    });
+    // Build a definitively-broken signature by replacing the entire
+    // signature segment with a same-length string of base64url 'A's.
+    // For ES256 this gives the wrong (r, s) pair with probability ~1
+    // and jose rejects with JWSSignatureVerificationFailed.
+    const unsignedToken = (() => {
+        const parts = validToken.split(".");
+        const broken = "A".repeat(parts[2].length);
+        return [parts[0], parts[1], broken].join(".");
+    })();
+    return {
+        issuer,
+        validToken,
+        expiredToken,
+        wrongAudienceToken,
+        wrongIssuerToken,
+        unsignedToken,
+        malformedToken: "this-is-not-a-jwt",
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/testkit/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/testkit/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAEL,SAAS,EACT,eAAe,EAEf,OAAO,GACR,MAAM,MAAM,CAAC;AAoDd,KAAK,UAAU,QAAQ,CACrB,GAAsB,EACtB,GAAW;IAEX,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE;QAC3D,WAAW,EAAE,IAAI;KAClB,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IAC7C,SAAS,CAAC,GAAG,GAAG,GAAG,CAAC;IACpB,SAAS,CAAC,GAAG,GAAG,KAAK,CAAC;IACtB,SAAS,CAAC,GAAG,GAAG,GAAG,CAAC;IACpB,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,UAA6B,EAAE;IAE/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,0BAA0B,CAAC;IAC5D,MAAM,GAAG,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC;IACzC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,YAAY,CAAC;IACxC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAErC,OAAO;QACL,MAAM;QACN,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE;QAC/B,KAAK,CAAC,eAAe,CAAC,KAAK;YACzB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,GAAG,GAAG,KAAK,CAAC,WAAW,IAAI,GAAG,CAAC;YACrC,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;gBAC1B,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxD,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9C,GAAG,CAAC,KAAK,CAAC,WAAW,IAAI,EAAE,CAAC;aAC7B,CAAC;iBACC,kBAAkB,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;iBAC9D,SAAS,CAAC,KAAK,CAAC,cAAc,IAAI,MAAM,CAAC;iBACzC,UAAU,CAAC,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,QAAQ,IAAI,UAAU,CAAC;iBACzD,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC;iBAC3B,WAAW,CAAC,GAAG,CAAC;iBAChB,iBAAiB,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,YAAY,IAAI,GAAG,CAAC,CAAC,CAAC;YACxD,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;gBACrC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YAC3C,CAAC;YACD,OAAO,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACtC,CAAC;QACD,KAAK,CAAC,aAAa,CAAC,KAAK;YACvB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,OAAO,IAAI,OAAO,CAAC,EAAE,CAAC;iBACnB,kBAAkB,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;iBAC9D,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC;iBACzB,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC;iBAC1B,WAAW,CAAC,KAAK,CAAC,aAAa,CAAC;iBAChC,WAAW,CAAC,GAAG,CAAC;iBAChB,YAAY,CAAC,GAAG,CAAC;iBACjB,iBAAiB,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC;iBACnD,MAAM,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;iBAChE,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC1B,CAAC;KACF,CAAC;AACJ,CAAC;AAqCD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAA0B;IAE1B,MAAM,MAAM,GAAG,MAAM,gBAAgB,EAAE,CAAC;IACxC,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,aAAa,CAAC;IAEjD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC;QAC9C,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,QAAQ;KACT,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC;QAChD,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,QAAQ;QACR,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;QACjD,YAAY,EAAE,CAAC,IAAI,EAAE,4BAA4B;KAClD,CAAC,CAAC;IACH,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC;QACtD,QAAQ,EAAE,oBAAoB;QAC9B,QAAQ;KACT,CAAC,CAAC;IACH,MAAM,gBAAgB,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC;QACpD,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,QAAQ;QACR,cAAc,EAAE,sBAAsB;KACvC,CAAC,CAAC;IAEH,gEAAgE;IAChE,iEAAiE;IACjE,iEAAiE;IACjE,wDAAwD;IACxD,MAAM,aAAa,GAAG,CAAC,GAAG,EAAE;QAC1B,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAC3C,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChD,CAAC,CAAC,EAAE,CAAC;IAEL,OAAO;QACL,MAAM;QACN,UAAU;QACV,YAAY;QACZ,kBAAkB;QAClB,gBAAgB;QAChB,aAAa;QACb,cAAc,EAAE,mBAAmB;KACpC,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,83 @@
+{
+  "name": "@opendatalabs/service-auth",
+  "version": "1.0.0-next.1",
+  "private": false,
+  "description": "OAuth private_key_jwt service-to-service auth helper (RFC 7521/7523/9068) for Vana.",
+  "license": "MIT",
+  "type": "module",
+  "sideEffects": false,
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/vana-com/unity-surfaces.git",
+    "directory": "packages/service-auth"
+  },
+  "homepage": "https://github.com/vana-com/unity-surfaces/tree/main/packages/service-auth#readme",
+  "bugs": {
+    "url": "https://github.com/vana-com/unity-surfaces/issues"
+  },
+  "keywords": [
+    "oauth",
+    "oauth2",
+    "private_key_jwt",
+    "service-to-service",
+    "hydra",
+    "jwt",
+    "vana"
+  ],
+  "exports": {
+    "./client": "./src/client/index.ts",
+    "./resource-server": "./src/resource-server/index.ts",
+    "./jwks": "./src/jwks/index.ts",
+    "./registration": "./src/registration/index.ts",
+    "./testkit": "./src/testkit/index.ts"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "main": "./dist/client/index.js",
+    "types": "./dist/client/index.d.ts",
+    "exports": {
+      "./client": {
+        "types": "./dist/client/index.d.ts",
+        "default": "./dist/client/index.js"
+      },
+      "./resource-server": {
+        "types": "./dist/resource-server/index.d.ts",
+        "default": "./dist/resource-server/index.js"
+      },
+      "./jwks": {
+        "types": "./dist/jwks/index.d.ts",
+        "default": "./dist/jwks/index.js"
+      },
+      "./registration": {
+        "types": "./dist/registration/index.d.ts",
+        "default": "./dist/registration/index.js"
+      },
+      "./testkit": {
+        "types": "./dist/testkit/index.d.ts",
+        "default": "./dist/testkit/index.js"
+      }
+    }
+  },
+  "scripts": {
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "build": "tsc -p tsconfig.build.json",
+    "prepack": "pnpm build",
+    "provision": "tsx ./bin/provision.ts"
+  },
+  "dependencies": {
+    "jose": "^6.2.3",
+    "yaml": "^2.6.1",
+    "zod": "^3.25.76"
+  },
+  "devDependencies": {
+    "@types/node": "^20",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3",
+    "vitest": "^4.1.5"
+  }
+}