@opentdf/sdk 0.1.0-beta.1701

package/README.md

@@ -0,0 +1,52 @@
+# An OpenTDF Library for Browser Applications
+
+This project presents client code to write and read a OpenTDF data formats.
+This included NanoTDF, Dataset TDF, and ZTDF.
+
+## Usage
+
+### NanoTDF
+
+```typescript
+  const oidcCredentials: RefreshTokenCredentials = {
+    clientId: keycloakClientId,
+    exchange: 'refresh',
+    refreshToken: refreshToken,
+    oidcOrigin: keycloakUrl,
+  }
+  const authProvider = await AuthProviders.refreshAuthProvider(oidcCredentials);
+  const client = new NanoTDFClient({authProvider, kasEndpoint});
+  const cipherText = await client.encrypt(plainText);
+  const clearText = await client.decrypt(cipherText);
+```
+
+### ZTDF
+
+```typescript
+  const client = new TDF3Client({
+    clientId: "tdf-client",
+    kasEndpoint: 'http://localhost/kas',
+    refreshToken: 'token', // Here is only difference in usage, browser build needs oidc tocken
+    oidcOrigin: 'http://localhost/oidc',
+  });
+  const source = new ReadableStream({
+    pull(controller) {
+      controller.enqueue(new TextEncoder().encode(string));
+      controller.close();
+    },
+  });
+  const ciphertextStream = await client.encrypt({ offline: true, source });
+  // Optionally: Save ciphertextStream to file or remote here.
+  // For demo purposes, we pipe to decrypt.
+  const plaintextStream = await client.decrypt({
+    source: { type: 'stream', location: ciphertextStream }
+  });
+  const plaintext = await plaintextStream.toString(); // could be also ct.toFile('img.jpg');
+  console.log(`deciphered text :${plaintext}`);
+```
+
+## Upgrading from 1.x
+
+- The 'RemoteStorage' features have been moved into a separate library, @opentdf/remote-storage.
+- We have replaced all usages of node's `Buffer` with the web-friendlier `UInt8Array`.
+  You will most likely see this in the return types of some functions.

package/dist/cjs/package.json

@@ -0,0 +1,3 @@
+{
+    "type": "commonjs"
+}

package/dist/cjs/src/access.js

@@ -0,0 +1,155 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OriginAllowList = exports.fetchECKasPubKey = exports.fetchWrappedKey = exports.RewrapResponse = exports.RewrapRequest = void 0;
+const errors_js_1 = require("./errors.js");
+const utils_js_1 = require("./utils.js");
+class RewrapRequest {
+    constructor() {
+        this.signedRequestToken = '';
+    }
+}
+exports.RewrapRequest = RewrapRequest;
+class RewrapResponse {
+    constructor() {
+        this.entityWrappedKey = '';
+        this.sessionPublicKey = '';
+    }
+}
+exports.RewrapResponse = RewrapResponse;
+/**
+ * Get a rewrapped access key to the document, if possible
+ * @param url Key access server rewrap endpoint
+ * @param requestBody a signed request with an encrypted document key
+ * @param authProvider Authorization middleware
+ * @param clientVersion
+ */
+async function fetchWrappedKey(url, requestBody, authProvider, clientVersion) {
+    const req = await authProvider.withCreds({
+        url,
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'virtru-ntdf-version': clientVersion,
+        },
+        body: JSON.stringify(requestBody),
+    });
+    try {
+        const response = await fetch(req.url, {
+            method: req.method,
+            mode: 'cors',
+            cache: 'no-cache',
+            credentials: 'same-origin',
+            headers: req.headers,
+            redirect: 'follow',
+            referrerPolicy: 'no-referrer',
+            body: req.body,
+        });
+        if (!response.ok) {
+            switch (response.status) {
+                case 400:
+                    throw new errors_js_1.InvalidFileError(`400 for [${req.url}]: rewrap failure [${await response.text()}]`);
+                case 401:
+                    throw new errors_js_1.UnauthenticatedError(`401 for [${req.url}]`);
+                case 403:
+                    throw new errors_js_1.PermissionDeniedError(`403 for [${req.url}]`);
+                default:
+                    throw new errors_js_1.NetworkError(`${req.method} ${req.url} => ${response.status} ${response.statusText}`);
+            }
+        }
+        return response.json();
+    }
+    catch (e) {
+        throw new errors_js_1.NetworkError(`unable to fetch wrapped key from [${url}]: ${e}`);
+    }
+}
+exports.fetchWrappedKey = fetchWrappedKey;
+async function noteInvalidPublicKey(url, r) {
+    try {
+        return await r;
+    }
+    catch (e) {
+        if (e instanceof TypeError) {
+            throw new errors_js_1.ServiceError(`invalid public key from [${url}]`, e);
+        }
+        throw e;
+    }
+}
+/**
+ * If we have KAS url but not public key we can fetch it from KAS, fetching
+ * the value from `${kas}/kas_public_key`.
+ */
+async function fetchECKasPubKey(kasEndpoint) {
+    (0, utils_js_1.validateSecureUrl)(kasEndpoint);
+    const pkUrlV2 = `${kasEndpoint}/v2/kas_public_key?algorithm=ec:secp256r1&v=2`;
+    const kasPubKeyResponseV2 = await fetch(pkUrlV2);
+    if (!kasPubKeyResponseV2.ok) {
+        switch (kasPubKeyResponseV2.status) {
+            case 404:
+                // v2 not implemented, perhaps a legacy server
+                break;
+            case 401:
+                throw new errors_js_1.UnauthenticatedError(`401 for [${pkUrlV2}]`);
+            case 403:
+                throw new errors_js_1.PermissionDeniedError(`403 for [${pkUrlV2}]`);
+            default:
+                throw new errors_js_1.NetworkError(`${pkUrlV2} => ${kasPubKeyResponseV2.status} ${kasPubKeyResponseV2.statusText}`);
+        }
+        // most likely a server that does not implement v2 endpoint, so no key identifier
+        const pkUrlV1 = `${kasEndpoint}/kas_public_key?algorithm=ec:secp256r1`;
+        const r2 = await fetch(pkUrlV1);
+        if (!r2.ok) {
+            switch (r2.status) {
+                case 401:
+                    throw new errors_js_1.UnauthenticatedError(`401 for [${pkUrlV2}]`);
+                case 403:
+                    throw new errors_js_1.PermissionDeniedError(`403 for [${pkUrlV2}]`);
+                default:
+                    throw new errors_js_1.NetworkError(`unable to load KAS public key from [${pkUrlV1}]. Received [${r2.status}:${r2.statusText}]`);
+            }
+        }
+        const pem = await r2.json();
+        return {
+            key: noteInvalidPublicKey(pkUrlV1, (0, utils_js_1.pemToCryptoPublicKey)(pem)),
+            publicKey: pem,
+            url: kasEndpoint,
+            algorithm: 'ec:secp256r1',
+        };
+    }
+    const jsonContent = await kasPubKeyResponseV2.json();
+    const { publicKey, kid } = jsonContent;
+    if (!publicKey) {
+        throw new errors_js_1.NetworkError(`invalid response from public key endpoint [${JSON.stringify(jsonContent)}]`);
+    }
+    return {
+        key: noteInvalidPublicKey(pkUrlV2, (0, utils_js_1.pemToCryptoPublicKey)(publicKey)),
+        publicKey,
+        url: kasEndpoint,
+        algorithm: 'ec:secp256r1',
+        ...(kid && { kid }),
+    };
+}
+exports.fetchECKasPubKey = fetchECKasPubKey;
+const origin = (u) => {
+    try {
+        return new URL(u).origin;
+    }
+    catch (e) {
+        console.log(`invalid kas url: [${u}]`);
+        throw e;
+    }
+};
+class OriginAllowList {
+    constructor(urls, allowAll) {
+        this.origins = urls.map(origin);
+        urls.forEach(utils_js_1.validateSecureUrl);
+        this.allowAll = !!allowAll;
+    }
+    allows(url) {
+        if (this.allowAll) {
+            return true;
+        }
+        return this.origins.includes(origin(url));
+    }
+}
+exports.OriginAllowList = OriginAllowList;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWNjZXNzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2FjY2Vzcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFDQSwyQ0FNcUI7QUFDckIseUNBQXFFO0FBRXJFLE1BQWEsYUFBYTtJQUExQjtRQUNFLHVCQUFrQixHQUFHLEVBQUUsQ0FBQztJQUMxQixDQUFDO0NBQUE7QUFGRCxzQ0FFQztBQUVELE1BQWEsY0FBYztJQUEzQjtRQUNFLHFCQUFnQixHQUFHLEVBQUUsQ0FBQztRQUN0QixxQkFBZ0IsR0FBRyxFQUFFLENBQUM7SUFDeEIsQ0FBQztDQUFBO0FBSEQsd0NBR0M7QUFFRDs7Ozs7O0dBTUc7QUFDSSxLQUFLLFVBQVUsZUFBZSxDQUNuQyxHQUFXLEVBQ1gsV0FBMEIsRUFDMUIsWUFBMEIsRUFDMUIsYUFBcUI7SUFFckIsTUFBTSxHQUFHLEdBQUcsTUFBTSxZQUFZLENBQUMsU0FBUyxDQUFDO1FBQ3ZDLEdBQUc7UUFDSCxNQUFNLEVBQUUsTUFBTTtRQUNkLE9BQU8sRUFBRTtZQUNQLGNBQWMsRUFBRSxrQkFBa0I7WUFDbEMscUJBQXFCLEVBQUUsYUFBYTtTQUNyQztRQUNELElBQUksRUFBRSxJQUFJLENBQUMsU0FBUyxDQUFDLFdBQVcsQ0FBQztLQUNsQyxDQUFDLENBQUM7SUFFSCxJQUFJO1FBQ0YsTUFBTSxRQUFRLEdBQUcsTUFBTSxLQUFLLENBQUMsR0FBRyxDQUFDLEdBQUcsRUFBRTtZQUNwQyxNQUFNLEVBQUUsR0FBRyxDQUFDLE1BQU07WUFDbEIsSUFBSSxFQUFFLE1BQU07WUFDWixLQUFLLEVBQUUsVUFBVTtZQUNqQixXQUFXLEVBQUUsYUFBYTtZQUMxQixPQUFPLEVBQUUsR0FBRyxDQUFDLE9BQU87WUFDcEIsUUFBUSxFQUFFLFFBQVE7WUFDbEIsY0FBYyxFQUFFLGFBQWE7WUFDN0IsSUFBSSxFQUFFLEdBQUcsQ0FBQyxJQUFnQjtTQUMzQixDQUFDLENBQUM7UUFFSCxJQUFJLENBQUMsUUFBUSxDQUFDLEVBQUUsRUFBRTtZQUNoQixRQUFRLFFBQVEsQ0FBQyxNQUFNLEVBQUU7Z0JBQ3ZCLEtBQUssR0FBRztvQkFDTixNQUFNLElBQUksNEJBQWdCLENBQ3hCLFlBQVksR0FBRyxDQUFDLEdBQUcsc0JBQXNCLE1BQU0sUUFBUSxDQUFDLElBQUksRUFBRSxHQUFHLENBQ2xFLENBQUM7Z0JBQ0osS0FBSyxHQUFHO29CQUNOLE1BQU0sSUFBSSxnQ0FBb0IsQ0FBQyxZQUFZLEdBQUcsQ0FBQyxHQUFHLEdBQUcsQ0FBQyxDQUFDO2dCQUN6RCxLQUFLLEdBQUc7b0JBQ04sTUFBTSxJQUFJLGlDQUFxQixDQUFDLFlBQVksR0FBRyxDQUFDLEdBQUcsR0FBRyxDQUFDLENBQUM7Z0JBQzFEO29CQUNFLE1BQU0sSUFBSSx3QkFBWSxDQUNwQixHQUFHLEdBQUcsQ0FBQyxNQUFNLElBQUksR0FBRyxDQUFDLEdBQUcsT0FBTyxRQUFRLENBQUMsTUFBTSxJQUFJLFFBQVEsQ0FBQyxVQUFVLEVBQUUsQ0FDeEUsQ0FBQzthQUNMO1NBQ0Y7UUFFRCxPQUFPLFFBQVEsQ0FBQyxJQUFJLEVBQUUsQ0FBQztLQUN4QjtJQUFDLE9BQU8sQ0FBQyxFQUFFO1FBQ1YsTUFBTSxJQUFJLHdCQUFZLENBQUMscUNBQXFDLEdBQUcsTUFBTSxDQUFDLEVBQUUsQ0FBQyxDQUFDO0tBQzNFO0FBQ0gsQ0FBQztBQWpERCwwQ0FpREM7QUEyQkQsS0FBSyxVQUFVLG9CQUFvQixDQUFDLEdBQVcsRUFBRSxDQUFxQjtJQUNwRSxJQUFJO1FBQ0YsT0FBTyxNQUFNLENBQUMsQ0FBQztLQUNoQjtJQUFDLE9BQU8sQ0FBQyxFQUFFO1FBQ1YsSUFBSSxDQUFDLFlBQVksU0FBUyxFQUFFO1lBQzFCLE1BQU0sSUFBSSx3QkFBWSxDQUFDLDRCQUE0QixHQUFHLEdBQUcsRUFBRSxDQUFDLENBQUMsQ0FBQztTQUMvRDtRQUNELE1BQU0sQ0FBQyxDQUFDO0tBQ1Q7QUFDSCxDQUFDO0FBRUQ7OztHQUdHO0FBQ0ksS0FBSyxVQUFVLGdCQUFnQixDQUFDLFdBQW1CO0lBQ3hELElBQUEsNEJBQWlCLEVBQUMsV0FBVyxDQUFDLENBQUM7SUFDL0IsTUFBTSxPQUFPLEdBQUcsR0FBRyxXQUFXLCtDQUErQyxDQUFDO0lBQzlFLE1BQU0sbUJBQW1CLEdBQUcsTUFBTSxLQUFLLENBQUMsT0FBTyxDQUFDLENBQUM7SUFDakQsSUFBSSxDQUFDLG1CQUFtQixDQUFDLEVBQUUsRUFBRTtRQUMzQixRQUFRLG1CQUFtQixDQUFDLE1BQU0sRUFBRTtZQUNsQyxLQUFLLEdBQUc7Z0JBQ04sOENBQThDO2dCQUM5QyxNQUFNO1lBQ1IsS0FBSyxHQUFHO2dCQUNOLE1BQU0sSUFBSSxnQ0FBb0IsQ0FBQyxZQUFZLE9BQU8sR0FBRyxDQUFDLENBQUM7WUFDekQsS0FBSyxHQUFHO2dCQUNOLE1BQU0sSUFBSSxpQ0FBcUIsQ0FBQyxZQUFZLE9BQU8sR0FBRyxDQUFDLENBQUM7WUFDMUQ7Z0JBQ0UsTUFBTSxJQUFJLHdCQUFZLENBQ3BCLEdBQUcsT0FBTyxPQUFPLG1CQUFtQixDQUFDLE1BQU0sSUFBSSxtQkFBbUIsQ0FBQyxVQUFVLEVBQUUsQ0FDaEYsQ0FBQztTQUNMO1FBQ0QsaUZBQWlGO1FBQ2pGLE1BQU0sT0FBTyxHQUFHLEdBQUcsV0FBVyx3Q0FBd0MsQ0FBQztRQUN2RSxNQUFNLEVBQUUsR0FBRyxNQUFNLEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUNoQyxJQUFJLENBQUMsRUFBRSxDQUFDLEVBQUUsRUFBRTtZQUNWLFFBQVEsRUFBRSxDQUFDLE1BQU0sRUFBRTtnQkFDakIsS0FBSyxHQUFHO29CQUNOLE1BQU0sSUFBSSxnQ0FBb0IsQ0FBQyxZQUFZLE9BQU8sR0FBRyxDQUFDLENBQUM7Z0JBQ3pELEtBQUssR0FBRztvQkFDTixNQUFNLElBQUksaUNBQXFCLENBQUMsWUFBWSxPQUFPLEdBQUcsQ0FBQyxDQUFDO2dCQUMxRDtvQkFDRSxNQUFNLElBQUksd0JBQVksQ0FDcEIsdUNBQXVDLE9BQU8sZ0JBQWdCLEVBQUUsQ0FBQyxNQUFNLElBQUksRUFBRSxDQUFDLFVBQVUsR0FBRyxDQUM1RixDQUFDO2FBQ0w7U0FDRjtRQUNELE1BQU0sR0FBRyxHQUFHLE1BQU0sRUFBRSxDQUFDLElBQUksRUFBRSxDQUFDO1FBQzVCLE9BQU87WUFDTCxHQUFHLEVBQUUsb0JBQW9CLENBQUMsT0FBTyxFQUFFLElBQUEsK0JBQW9CLEVBQUMsR0FBRyxDQUFDLENBQUM7WUFDN0QsU0FBUyxFQUFFLEdBQUc7WUFDZCxHQUFHLEVBQUUsV0FBVztZQUNoQixTQUFTLEVBQUUsY0FBYztTQUMxQixDQUFDO0tBQ0g7SUFDRCxNQUFNLFdBQVcsR0FBRyxNQUFNLG1CQUFtQixDQUFDLElBQUksRUFBRSxDQUFDO0lBQ3JELE1BQU0sRUFBRSxTQUFTLEVBQUUsR0FBRyxFQUFFLEdBQXFCLFdBQVcsQ0FBQztJQUN6RCxJQUFJLENBQUMsU0FBUyxFQUFFO1FBQ2QsTUFBTSxJQUFJLHdCQUFZLENBQ3BCLDhDQUE4QyxJQUFJLENBQUMsU0FBUyxDQUFDLFdBQVcsQ0FBQyxHQUFHLENBQzdFLENBQUM7S0FDSDtJQUNELE9BQU87UUFDTCxHQUFHLEVBQUUsb0JBQW9CLENBQUMsT0FBTyxFQUFFLElBQUEsK0JBQW9CLEVBQUMsU0FBUyxDQUFDLENBQUM7UUFDbkUsU0FBUztRQUNULEdBQUcsRUFBRSxXQUFXO1FBQ2hCLFNBQVMsRUFBRSxjQUFjO1FBQ3pCLEdBQUcsQ0FBQyxHQUFHLElBQUksRUFBRSxHQUFHLEVBQUUsQ0FBQztLQUNwQixDQUFDO0FBQ0osQ0FBQztBQXZERCw0Q0F1REM7QUFFRCxNQUFNLE1BQU0sR0FBRyxDQUFDLENBQVMsRUFBVSxFQUFFO0lBQ25DLElBQUk7UUFDRixPQUFPLElBQUksR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLE1BQU0sQ0FBQztLQUMxQjtJQUFDLE9BQU8sQ0FBQyxFQUFFO1FBQ1YsT0FBTyxDQUFDLEdBQUcsQ0FBQyxxQkFBcUIsQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUN2QyxNQUFNLENBQUMsQ0FBQztLQUNUO0FBQ0gsQ0FBQyxDQUFDO0FBRUYsTUFBYSxlQUFlO0lBRzFCLFlBQVksSUFBYyxFQUFFLFFBQWtCO1FBQzVDLElBQUksQ0FBQyxPQUFPLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUNoQyxJQUFJLENBQUMsT0FBTyxDQUFDLDRCQUFpQixDQUFDLENBQUM7UUFDaEMsSUFBSSxDQUFDLFFBQVEsR0FBRyxDQUFDLENBQUMsUUFBUSxDQUFDO0lBQzdCLENBQUM7SUFDRCxNQUFNLENBQUMsR0FBVztRQUNoQixJQUFJLElBQUksQ0FBQyxRQUFRLEVBQUU7WUFDakIsT0FBTyxJQUFJLENBQUM7U0FDYjtRQUNELE9BQU8sSUFBSSxDQUFDLE9BQU8sQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7SUFDNUMsQ0FBQztDQUNGO0FBZEQsMENBY0MifQ==

package/dist/cjs/src/auth/Eas.js

@@ -0,0 +1,60 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const axios_1 = __importDefault(require("axios"));
+const { request } = axios_1.default;
+/**
+ * Client for EAS interaction, specifically fetching entity object.
+ */
+class Eas {
+    /**
+     * Create an object for accessing an Entity Attribute Service.
+     * @param {object} config - options to  configure this EAS accessor
+     * @param {AuthProvider|function} config.authProvider - interceptor for `http-request.Request` object manipulation
+     * @param {string} config.endpoint - the URI to connect to
+     * @param {function} [config.requestFunctor=request] - http request async function object
+     */
+    constructor({ authProvider, endpoint, requestFunctor, }) {
+        this.authProvider = authProvider;
+        this.endpoint = endpoint;
+        this.requestFunctor = requestFunctor || request;
+    }
+    /**
+     * Request an entity object for the current user.
+     * @param {object} config - options for the request
+     * @param {string} config.publicKey - String encoded public key from the keypair to be used with any subsequent requests refering to the returned EO
+     * @param {object} [config.etc] - additional parameters to be passed to the EAS entity-object endpoint
+     */
+    async fetchEntityObject({ publicKey, ...etc }) {
+        // Create a skeleton http request for EAS.
+        const incredibleHttpReq = {
+            url: this.endpoint,
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: { publicKey, ...etc },
+        };
+        // Delegate modifications to the auth provider.
+        // TODO: Handle various exception cases from interface docs.
+        const httpReq = await this.authProvider.withCreds(incredibleHttpReq);
+        // Execute the http request using axios.
+        const axiosParams = {
+            method: httpReq.method,
+            headers: httpReq.headers,
+            url: httpReq.url,
+            params: undefined,
+            data: undefined,
+        };
+        // Allow the authProvider to change the method.
+        if (httpReq.method === 'POST' || httpReq.method === 'PATCH' || httpReq.method === 'PUT') {
+            axiosParams.data = httpReq.body;
+        }
+        else {
+            axiosParams.params = httpReq.body;
+        }
+        return (await this.requestFunctor(axiosParams)).data;
+    }
+}
+exports.default = Eas;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiRWFzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2F1dGgvRWFzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7O0FBQUEsa0RBQThFO0FBSTlFLE1BQU0sRUFBRSxPQUFPLEVBQUUsR0FBRyxlQUFLLENBQUM7QUFNMUI7O0dBRUc7QUFDSCxNQUFNLEdBQUc7SUFPUDs7Ozs7O09BTUc7SUFDSCxZQUFZLEVBQ1YsWUFBWSxFQUNaLFFBQVEsRUFDUixjQUFjLEdBS2Y7UUFDQyxJQUFJLENBQUMsWUFBWSxHQUFHLFlBQVksQ0FBQztRQUNqQyxJQUFJLENBQUMsUUFBUSxHQUFHLFFBQVEsQ0FBQztRQUN6QixJQUFJLENBQUMsY0FBYyxHQUFHLGNBQWMsSUFBSSxPQUFPLENBQUM7SUFDbEQsQ0FBQztJQUVEOzs7OztPQUtHO0lBQ0gsS0FBSyxDQUFDLGlCQUFpQixDQUFDLEVBQUUsU0FBUyxFQUFFLEdBQUcsR0FBRyxFQUF5QjtRQUNsRSwwQ0FBMEM7UUFDMUMsTUFBTSxpQkFBaUIsR0FBZ0I7WUFDckMsR0FBRyxFQUFFLElBQUksQ0FBQyxRQUFRO1lBQ2xCLE1BQU0sRUFBRSxNQUFNO1lBQ2QsT0FBTyxFQUFFLEVBQUUsY0FBYyxFQUFFLGtCQUFrQixFQUFFO1lBQy9DLElBQUksRUFBRSxFQUFFLFNBQVMsRUFBRSxHQUFHLEdBQUcsRUFBRTtTQUM1QixDQUFDO1FBRUYsK0NBQStDO1FBQy9DLDREQUE0RDtRQUM1RCxNQUFNLE9BQU8sR0FBRyxNQUFNLElBQUksQ0FBQyxZQUFZLENBQUMsU0FBUyxDQUFDLGlCQUFpQixDQUFDLENBQUM7UUFFckUsd0NBQXdDO1FBQ3hDLE1BQU0sV0FBVyxHQUEwQjtZQUN6QyxNQUFNLEVBQUUsT0FBTyxDQUFDLE1BQU07WUFDdEIsT0FBTyxFQUFFLE9BQU8sQ0FBQyxPQUFPO1lBQ3hCLEdBQUcsRUFBRSxPQUFPLENBQUMsR0FBRztZQUNoQixNQUFNLEVBQUUsU0FBUztZQUNqQixJQUFJLEVBQUUsU0FBUztTQUNoQixDQUFDO1FBQ0YsK0NBQStDO1FBQy9DLElBQUksT0FBTyxDQUFDLE1BQU0sS0FBSyxNQUFNLElBQUksT0FBTyxDQUFDLE1BQU0sS0FBSyxPQUFPLElBQUksT0FBTyxDQUFDLE1BQU0sS0FBSyxLQUFLLEVBQUU7WUFDdkYsV0FBVyxDQUFDLElBQUksR0FBRyxPQUFPLENBQUMsSUFBSSxDQUFDO1NBQ2pDO2FBQU07WUFDTCxXQUFXLENBQUMsTUFBTSxHQUFHLE9BQU8sQ0FBQyxJQUFJLENBQUM7U0FDbkM7UUFDRCxPQUFPLENBQUMsTUFBTSxJQUFJLENBQUMsY0FBYyxDQUFDLFdBQVcsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDO0lBQ3ZELENBQUM7Q0FDRjtBQUVELGtCQUFlLEdBQUcsQ0FBQyJ9

package/dist/cjs/src/auth/auth.js

@@ -0,0 +1,79 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AppIdAuthProvider = exports.isAuthProvider = exports.reqSignature = exports.withHeaders = exports.HttpRequest = void 0;
+const jose_1 = require("jose");
+/**
+ * Generic HTTP request interface used by AuthProvider implementers.
+ */
+class HttpRequest {
+    constructor() {
+        this.headers = {};
+        this.params = {};
+        this.method = 'POST';
+        this.url = '';
+    }
+}
+exports.HttpRequest = HttpRequest;
+/**
+ * Appends the given `newHeaders` to the headers listed in HttpRequest, overwriting
+ * any with the same name. NOTE: Case sensitive.
+ * @param httpReq the source request
+ * @param newHeaders header name/value pairs
+ * @returns an updated variant of the request
+ */
+function withHeaders(httpReq, newHeaders) {
+    const headers = {
+        ...httpReq.headers,
+        ...newHeaders,
+    };
+    return { ...httpReq, headers };
+}
+exports.withHeaders = withHeaders;
+function getTimestampInSeconds() {
+    return Math.floor(Date.now() / 1000);
+}
+/**
+ * Generate a JWT (or JWS-ed object)
+ * @param toSign the data to sign. Interpreted as JWTPayload but AFAIK this isn't required
+ * @param privateKey an RSA key
+ * @returns the signed object, with a JWS header. This may be a JWT.
+ */
+async function reqSignature(toSign, privateKey, jwtProtectedHeader = { alg: 'RS256' }) {
+    const now = getTimestampInSeconds();
+    const anHour = 3600;
+    return new jose_1.SignJWT(toSign)
+        .setProtectedHeader(jwtProtectedHeader)
+        .setIssuedAt(now - anHour)
+        .setExpirationTime(now + anHour)
+        .sign(privateKey);
+}
+exports.reqSignature = reqSignature;
+function isAuthProvider(a) {
+    if (!a || typeof a != 'object') {
+        return false;
+    }
+    return 'withCreds' in a;
+}
+exports.isAuthProvider = isAuthProvider;
+/**
+ * An AuthProvider encapsulates all logic necessary to authenticate to a backend service, in the
+ * vein of <a href="https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Credentials.html">AWS.Credentials</a>.
+ * <br/><br/>
+ * The client will call into its configured AuthProvider to decorate remote TDF service calls with necessary
+ * authentication info. This approach allows the client to be agnostic to the auth scheme, allowing for
+ * methods like identify federation and custom service credentials to be used and changed at the developer's will.
+ * <br/><br/>
+ * This class is not intended to be used on its own. See the documented subclasses for public-facing implementations.
+ * <ul>
+ * <li><a href="EmailCodeAuthProvider.html">EmailCodeAuthProvider</li>
+ * <li><a href="GoogleAuthProvider.html">GoogleAuthProvider</li>
+ * <li><a href="O365AuthProvider.html">O365AuthProvider</li>
+ * <li><a href="OutlookAuthProvider.html">OutlookAuthProvider</li>
+ * <li><a href="VirtruCredentialsAuthProvider.html">VirtruCredentialsAuthProvider</li>
+ * </ul>
+ */
+class AppIdAuthProvider {
+}
+exports.AppIdAuthProvider = AppIdAuthProvider;
+exports.default = AppIdAuthProvider;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXV0aC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hdXRoL2F1dGgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsK0JBQXdGO0FBYXhGOztHQUVHO0FBQ0gsTUFBYSxXQUFXO0lBV3RCO1FBQ0UsSUFBSSxDQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7UUFDbEIsSUFBSSxDQUFDLE1BQU0sR0FBRyxFQUFFLENBQUM7UUFDakIsSUFBSSxDQUFDLE1BQU0sR0FBRyxNQUFNLENBQUM7UUFDckIsSUFBSSxDQUFDLEdBQUcsR0FBRyxFQUFFLENBQUM7SUFDaEIsQ0FBQztDQUNGO0FBakJELGtDQWlCQztBQUVEOzs7Ozs7R0FNRztBQUNILFNBQWdCLFdBQVcsQ0FBQyxPQUFvQixFQUFFLFVBQWtDO0lBQ2xGLE1BQU0sT0FBTyxHQUFHO1FBQ2QsR0FBRyxPQUFPLENBQUMsT0FBTztRQUNsQixHQUFHLFVBQVU7S0FDZCxDQUFDO0lBQ0YsT0FBTyxFQUFFLEdBQUcsT0FBTyxFQUFFLE9BQU8sRUFBRSxDQUFDO0FBQ2pDLENBQUM7QUFORCxrQ0FNQztBQUVELFNBQVMscUJBQXFCO0lBQzVCLE9BQU8sSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDLENBQUM7QUFDdkMsQ0FBQztBQUVEOzs7OztHQUtHO0FBQ0ksS0FBSyxVQUFVLFlBQVksQ0FDaEMsTUFBZSxFQUNmLFVBQW1CLEVBQ25CLHFCQUEwQyxFQUFFLEdBQUcsRUFBRSxPQUFPLEVBQUU7SUFFMUQsTUFBTSxHQUFHLEdBQUcscUJBQXFCLEVBQUUsQ0FBQztJQUNwQyxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUM7SUFDcEIsT0FBTyxJQUFJLGNBQU8sQ0FBQyxNQUFvQixDQUFDO1NBQ3JDLGtCQUFrQixDQUFDLGtCQUFrQixDQUFDO1NBQ3RDLFdBQVcsQ0FBQyxHQUFHLEdBQUcsTUFBTSxDQUFDO1NBQ3pCLGlCQUFpQixDQUFDLEdBQUcsR0FBRyxNQUFNLENBQUM7U0FDL0IsSUFBSSxDQUFDLFVBQVUsQ0FBQyxDQUFDO0FBQ3RCLENBQUM7QUFaRCxvQ0FZQztBQWlDRCxTQUFnQixjQUFjLENBQUMsQ0FBVztJQUN4QyxJQUFJLENBQUMsQ0FBQyxJQUFJLE9BQU8sQ0FBQyxJQUFJLFFBQVEsRUFBRTtRQUM5QixPQUFPLEtBQUssQ0FBQztLQUNkO0lBQ0QsT0FBTyxXQUFXLElBQUksQ0FBQyxDQUFDO0FBQzFCLENBQUM7QUFMRCx3Q0FLQztBQUVEOzs7Ozs7Ozs7Ozs7Ozs7O0dBZ0JHO0FBQ0gsTUFBc0IsaUJBQWlCO0NBU3RDO0FBVEQsOENBU0M7QUFFRCxrQkFBZSxpQkFBaUIsQ0FBQyJ9

package/dist/cjs/src/auth/oidc-clientcredentials-provider.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OIDCClientCredentialsProvider = void 0;
+const errors_js_1 = require("../errors.js");
+const oidc_js_1 = require("./oidc.js");
+class OIDCClientCredentialsProvider {
+    constructor({ clientId, clientSecret, oidcOrigin, }) {
+        if (!clientId || !clientSecret) {
+            throw new errors_js_1.ConfigurationError('clientId & clientSecret required for client credentials flow');
+        }
+        this.oidcAuth = new oidc_js_1.AccessToken({
+            exchange: 'client',
+            clientId,
+            clientSecret,
+            oidcOrigin,
+        });
+    }
+    async updateClientPublicKey(signingKey) {
+        await this.oidcAuth.refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey);
+    }
+    async withCreds(httpReq) {
+        return this.oidcAuth.withCreds(httpReq);
+    }
+}
+exports.OIDCClientCredentialsProvider = OIDCClientCredentialsProvider;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2lkYy1jbGllbnRjcmVkZW50aWFscy1wcm92aWRlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hdXRoL29pZGMtY2xpZW50Y3JlZGVudGlhbHMtcHJvdmlkZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsNENBQWtEO0FBRWxELHVDQUFzRTtBQUV0RSxNQUFhLDZCQUE2QjtJQUd4QyxZQUFZLEVBQ1YsUUFBUSxFQUNSLFlBQVksRUFDWixVQUFVLEdBQ21FO1FBQzdFLElBQUksQ0FBQyxRQUFRLElBQUksQ0FBQyxZQUFZLEVBQUU7WUFDOUIsTUFBTSxJQUFJLDhCQUFrQixDQUFDLDhEQUE4RCxDQUFDLENBQUM7U0FDOUY7UUFFRCxJQUFJLENBQUMsUUFBUSxHQUFHLElBQUkscUJBQVcsQ0FBQztZQUM5QixRQUFRLEVBQUUsUUFBUTtZQUNsQixRQUFRO1lBQ1IsWUFBWTtZQUNaLFVBQVU7U0FDWCxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsS0FBSyxDQUFDLHFCQUFxQixDQUFDLFVBQXlCO1FBQ25ELE1BQU0sSUFBSSxDQUFDLFFBQVEsQ0FBQywwQ0FBMEMsQ0FBQyxVQUFVLENBQUMsQ0FBQztJQUM3RSxDQUFDO0lBRUQsS0FBSyxDQUFDLFNBQVMsQ0FBQyxPQUFvQjtRQUNsQyxPQUFPLElBQUksQ0FBQyxRQUFRLENBQUMsU0FBUyxDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBQzFDLENBQUM7Q0FDRjtBQTNCRCxzRUEyQkMifQ==

package/dist/cjs/src/auth/oidc-externaljwt-provider.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OIDCExternalJwtProvider = void 0;
+const errors_js_1 = require("../errors.js");
+const oidc_js_1 = require("./oidc.js");
+class OIDCExternalJwtProvider {
+    constructor({ clientId, externalJwt, oidcOrigin, }) {
+        if (!clientId || !externalJwt) {
+            throw new errors_js_1.ConfigurationError('external JWT exchange reequires client id and jwt');
+        }
+        this.oidcAuth = new oidc_js_1.AccessToken({
+            exchange: 'external',
+            clientId,
+            oidcOrigin,
+            externalJwt,
+        });
+        this.externalJwt = externalJwt;
+    }
+    async updateClientPublicKey(signingKey) {
+        this.oidcAuth.refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey);
+    }
+    async withCreds(httpReq) {
+        //If we've been seeded with an externally-issued JWT, consume it
+        //and exchange it for a Virtru bearer token.
+        if (this.externalJwt) {
+            await this.oidcAuth.exchangeForRefreshToken();
+            delete this.externalJwt;
+        }
+        return this.oidcAuth.withCreds(httpReq);
+    }
+}
+exports.OIDCExternalJwtProvider = OIDCExternalJwtProvider;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2lkYy1leHRlcm5hbGp3dC1wcm92aWRlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hdXRoL29pZGMtZXh0ZXJuYWxqd3QtcHJvdmlkZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsNENBQWtEO0FBRWxELHVDQUFxRTtBQUVyRSxNQUFhLHVCQUF1QjtJQUlsQyxZQUFZLEVBQ1YsUUFBUSxFQUNSLFdBQVcsRUFDWCxVQUFVLEdBQ2lFO1FBQzNFLElBQUksQ0FBQyxRQUFRLElBQUksQ0FBQyxXQUFXLEVBQUU7WUFDN0IsTUFBTSxJQUFJLDhCQUFrQixDQUFDLG1EQUFtRCxDQUFDLENBQUM7U0FDbkY7UUFFRCxJQUFJLENBQUMsUUFBUSxHQUFHLElBQUkscUJBQVcsQ0FBQztZQUM5QixRQUFRLEVBQUUsVUFBVTtZQUNwQixRQUFRO1lBQ1IsVUFBVTtZQUNWLFdBQVc7U0FDWixDQUFDLENBQUM7UUFFSCxJQUFJLENBQUMsV0FBVyxHQUFHLFdBQVcsQ0FBQztJQUNqQyxDQUFDO0lBRUQsS0FBSyxDQUFDLHFCQUFxQixDQUFDLFVBQXlCO1FBQ25ELElBQUksQ0FBQyxRQUFRLENBQUMsMENBQTBDLENBQUMsVUFBVSxDQUFDLENBQUM7SUFDdkUsQ0FBQztJQUVELEtBQUssQ0FBQyxTQUFTLENBQUMsT0FBb0I7UUFDbEMsZ0VBQWdFO1FBQ2hFLDRDQUE0QztRQUM1QyxJQUFJLElBQUksQ0FBQyxXQUFXLEVBQUU7WUFDcEIsTUFBTSxJQUFJLENBQUMsUUFBUSxDQUFDLHVCQUF1QixFQUFFLENBQUM7WUFDOUMsT0FBTyxJQUFJLENBQUMsV0FBVyxDQUFDO1NBQ3pCO1FBQ0QsT0FBTyxJQUFJLENBQUMsUUFBUSxDQUFDLFNBQVMsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUMxQyxDQUFDO0NBQ0Y7QUFwQ0QsMERBb0NDIn0=

package/dist/cjs/src/auth/oidc-refreshtoken-provider.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OIDCRefreshTokenProvider = void 0;
+const errors_js_1 = require("../errors.js");
+const oidc_js_1 = require("./oidc.js");
+class OIDCRefreshTokenProvider {
+    constructor({ clientId, refreshToken, oidcOrigin, }) {
+        if (!clientId || !refreshToken) {
+            throw new errors_js_1.ConfigurationError('refresh token or client id missing');
+        }
+        this.oidcAuth = new oidc_js_1.AccessToken({
+            exchange: 'refresh',
+            clientId,
+            refreshToken: refreshToken,
+            oidcOrigin,
+        });
+        this.refreshToken = refreshToken;
+    }
+    async updateClientPublicKey(signingKey) {
+        await this.oidcAuth.refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey);
+    }
+    async withCreds(httpReq) {
+        //If we've been seeded with an externally-issued refresh token, consume it
+        //and exchange it for a Virtru bearer token - if it's already been consumed,
+        //skip this step
+        if (this.refreshToken) {
+            await this.oidcAuth.exchangeForRefreshToken();
+            delete this.refreshToken;
+        }
+        return this.oidcAuth.withCreds(httpReq);
+    }
+}
+exports.OIDCRefreshTokenProvider = OIDCRefreshTokenProvider;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2lkYy1yZWZyZXNodG9rZW4tcHJvdmlkZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvYXV0aC9vaWRjLXJlZnJlc2h0b2tlbi1wcm92aWRlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSw0Q0FBa0Q7QUFFbEQsdUNBQXNFO0FBRXRFLE1BQWEsd0JBQXdCO0lBSW5DLFlBQVksRUFDVixRQUFRLEVBQ1IsWUFBWSxFQUNaLFVBQVUsR0FDbUU7UUFDN0UsSUFBSSxDQUFDLFFBQVEsSUFBSSxDQUFDLFlBQVksRUFBRTtZQUM5QixNQUFNLElBQUksOEJBQWtCLENBQUMsb0NBQW9DLENBQUMsQ0FBQztTQUNwRTtRQUVELElBQUksQ0FBQyxRQUFRLEdBQUcsSUFBSSxxQkFBVyxDQUFDO1lBQzlCLFFBQVEsRUFBRSxTQUFTO1lBQ25CLFFBQVE7WUFDUixZQUFZLEVBQUUsWUFBWTtZQUMxQixVQUFVO1NBQ1gsQ0FBQyxDQUFDO1FBQ0gsSUFBSSxDQUFDLFlBQVksR0FBRyxZQUFZLENBQUM7SUFDbkMsQ0FBQztJQUVELEtBQUssQ0FBQyxxQkFBcUIsQ0FBQyxVQUF5QjtRQUNuRCxNQUFNLElBQUksQ0FBQyxRQUFRLENBQUMsMENBQTBDLENBQUMsVUFBVSxDQUFDLENBQUM7SUFDN0UsQ0FBQztJQUVELEtBQUssQ0FBQyxTQUFTLENBQUMsT0FBb0I7UUFDbEMsMEVBQTBFO1FBQzFFLDRFQUE0RTtRQUM1RSxnQkFBZ0I7UUFDaEIsSUFBSSxJQUFJLENBQUMsWUFBWSxFQUFFO1lBQ3JCLE1BQU0sSUFBSSxDQUFDLFFBQVEsQ0FBQyx1QkFBdUIsRUFBRSxDQUFDO1lBQzlDLE9BQU8sSUFBSSxDQUFDLFlBQVksQ0FBQztTQUMxQjtRQUNELE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQyxTQUFTLENBQUMsT0FBTyxDQUFDLENBQUM7SUFDMUMsQ0FBQztDQUNGO0FBcENELDREQW9DQyJ9