@optimizely-opal/opal-tool-ocp-sdk 0.0.0-beta.7 → 0.0.0-beta.9

package/README.md

@@ -10,7 +10,7 @@ A TypeScript SDK for building Opal tools in Optimizely Connect Platform. This SD
 - 🔧 **Type-safe Development** - Full TypeScript support with comprehensive type definitions  
 - 🏗️ **Abstract Base Classes** - Extend `ToolFunction` for standardized request processing
 - 🔐 **Authentication Support** - OptiID authentication
-- 🛡️ **Authorization Support** - Bearer token tool authorization
+- 🛡️ **Authorization Support** - OptiID token tool authorization
 - 📝 **Parameter Validation** - Define and validate tool parameters with types
 - 🧪 **Comprehensive Testing** - Fully tested with Jest
 
@@ -115,7 +115,7 @@ export class MyToolFunction extends ToolFunction {
 Your function class inherits a `perform()` method from `ToolFunction` that serves as the main entry point for handling all incoming requests. When called, the SDK automatically:
 
 - **Routes requests** to your registered tools and interactions based on endpoints
-- **Handles authentication** and bearer token validation before calling your methods  
+- **Handles authentication** and OptiID token validation before calling your methods  
 - **Provides discovery** at `/discovery` endpoint for OCP platform integration
 - **Returns proper HTTP responses** with correct status codes and JSON formatting
 
@@ -169,29 +169,18 @@ interface AuthRequirementConfig {
 }
 ```
 
-#### Bearer Token Support
+#### OptiID Token Authorization
 
-The SDK automatically extracts Bearer tokens from the `authorization` header for tool authorization. When users register tools in Opal, they can specify a Bearer token that Opal will include in requests to validate the tool's identity.
+The SDK automatically handles OptiID token validation for tool authorization. OptiID tokens provide both user authentication and authorization for tools, ensuring that only authenticated users with proper permissions can access your tools.
 
 **Token Validation:**
-- Bearer tokens are extracted from the `authorization: Bearer <token>` header
-- Empty strings and `undefined` tokens are treated as missing (no validation performed)
-- **Optionally override** the `validateBearerToken(token: string): boolean` method to implement custom validation logic
-- The default implementation returns `true` (accepts all tokens) - override if you need custom authorization
-- If validation fails, returns HTTP 403 Forbidden before reaching your handler methods
+- The SDK extracts and validates OptiID tokens from the request body
+- Validation includes verifying that requests come from the same organization
+- If validation fails, returns HTTP 403 Unauthorized before reaching your handler methods
+- No additional configuration needed - validation is handled automatically
 
 ```typescript
 export class MyToolFunction extends ToolFunction {
-  // Optional: Override this method to implement custom bearer token validation
-  protected override validateBearerToken(token: string): boolean {
-    // If you don't need bearer token validation, don't override this method
-    // The default implementation returns true
-    
-    // For custom validation, compare against expected token
-    const expectedToken = process.env.OPAL_TOOL_TOKEN;
-    return token === expectedToken;
-  }
-
   @tool({
     name: 'secure_tool',
     description: 'Tool that validates requests from Opal',
@@ -215,15 +204,6 @@ export class MyToolFunction extends ToolFunction {
 }
 ```
 
-**Bearer Token Usage:**
-- Set by users when registering tools in Opal
-- Used to authorize tool requests from Opal instances  
-- Validates that requests are coming from trusted Opal sources
-- **Optionally override** the `validateBearerToken(token: string): boolean` method for custom authorization
-- Default implementation accepts all tokens - override for security
-- If validation fails, returns HTTP 403 Forbidden before reaching your handler methods
-
-
 ## API Reference
 
 ### Handler Function Signatures
@@ -240,8 +220,6 @@ async handlerMethod(
 - **params**: The input parameters for tools, or interaction data for webhooks
 - **authData**: Available when OptiID user authentication is configured and successful
 
-**Note**: Bearer token validation is handled automatically by the base class. If a bearer token is present and fails validation, the request is rejected before reaching your handler methods.
-
 ### Decorators
 
 #### `@tool(config: ToolConfig)`
@@ -279,11 +257,10 @@ Abstract base class for OCP functions:
 export abstract class ToolFunction extends Function {
   protected ready(): Promise<boolean>;
   public async perform(): Promise<Response>;
-  protected validateBearerToken(token: string): boolean;
 }
 ```
 
-Extend this class and implement your OCP function. The `perform` method automatically routes requests to registered tools and handles bearer token validation. **You can optionally override the `validateBearerToken` method** to define custom bearer token authorization for your tools.
+Extend this class and implement your OCP function. The `perform` method automatically routes requests to registered tools.
 
 ### Models
 
@@ -407,11 +384,6 @@ yarn lint
 import { ToolFunction, tool, interaction, ParameterType, OptiIdAuthData, InteractionResult } from '@optimizely-opal/opal-ocp-sdk';
 
 export class AuthenticatedFunction extends ToolFunction {
-  // Optional: Override this method for custom bearer token validation
-  protected override validateBearerToken(token: string): boolean {
-    const expectedToken = process.env.OPAL_TOOL_TOKEN;
-    return token === expectedToken;
-  }
 
   // OptiID authentication example
   @tool({
@@ -573,12 +545,6 @@ import { ToolFunction } from '@optimizely-opal/opal-ocp-sdk';
 import * from './tools';
 
 export class MyToolFunction extends ToolFunction {
-
-  // Optional: Override this method for custom bearer token validation
-  protected override validateBearerToken(token: string): boolean {
-    const expectedToken = process.env.OPAL_TOOL_TOKEN;
-    return token === expectedToken;
-  }
 }
 ```
 

package/dist/auth/TokenVerifier.d.ts

@@ -0,0 +1,31 @@
+export declare class TokenVerifier {
+    private static instance;
+    private jwksUri?;
+    private issuer?;
+    private jwks?;
+    private initialized;
+    /**
+     * Verify the provided Optimizely JWT token string
+     * @param token JWT token string to verify
+     * @returns boolean true if verification successful, false otherwise
+     * @throws Error if token is null, empty, or verifier is not properly configured
+     */
+    verify(token: string | undefined): Promise<boolean>;
+    private static getInstance;
+    /**
+     * Get singleton instance of TokenVerifier and ensure it's initialized
+     * @returns Promise<TokenVerifier> - initialized singleton instance
+     */
+    static getInitializedInstance(): Promise<TokenVerifier>;
+    /**
+     * Initialize the TokenVerifier with discovery document from well-known endpoint
+     */
+    private initialize;
+    /**
+     * Fetch discovery document from well-known endpoint
+     */
+    private fetchDiscoveryDocument;
+    private verifyToken;
+}
+export declare const getTokenVerifier: () => Promise<TokenVerifier>;
+//# sourceMappingURL=TokenVerifier.d.ts.map

package/dist/auth/TokenVerifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenVerifier.d.ts","sourceRoot":"","sources":["../../src/auth/TokenVerifier.ts"],"names":[],"mappings":"AAkCA,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAA8B;IACrD,OAAO,CAAC,OAAO,CAAC,CAAS;IACzB,OAAO,CAAC,MAAM,CAAC,CAAS;IACxB,OAAO,CAAC,IAAI,CAAC,CAAwC;IACrD,OAAO,CAAC,WAAW,CAAkB;IAErC;;;;;OAKG;IACU,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC;IAQhE,OAAO,CAAC,MAAM,CAAC,WAAW;IAO1B;;;OAGG;WACiB,sBAAsB,IAAI,OAAO,CAAC,aAAa,CAAC;IAQpE;;OAEG;YACW,UAAU;IAyBxB;;OAEG;YACW,sBAAsB;YAetB,WAAW;CAsB1B;AAED,eAAO,MAAM,gBAAgB,QAAa,OAAO,CAAC,aAAa,CAA2C,CAAC"}

package/dist/auth/TokenVerifier.js

@@ -0,0 +1,127 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getTokenVerifier = exports.TokenVerifier = void 0;
+const jose_1 = require("jose");
+const app_sdk_1 = require("@zaiusinc/app-sdk");
+/**
+ * Default JWKS cache expiration time in milliseconds (1 hour)
+ */
+const DEFAULT_JWKS_EXPIRES_IN = 60 * 60 * 1000;
+/**
+ * Default clock skew tolerance in seconds
+ */
+const DEFAULT_LEEWAY = 30;
+/**
+ * Expected JWT audience for token validation
+ */
+const AUDIENCE = 'api://default';
+/**
+ * Prep Base URL for Optimizely OAuth2 endpoints
+ */
+const PREP_BASE_URL = 'https://prep.login.optimizely.com/oauth2/default';
+/**
+ * Prod Base URL for Optimizely OAuth2 endpoints
+ */
+const PROD_BASE_URL = 'https://login.optimizely.com/oauth2/default';
+class TokenVerifier {
+    static instance = null;
+    jwksUri;
+    issuer;
+    jwks;
+    initialized = false;
+    /**
+     * Verify the provided Optimizely JWT token string
+     * @param token JWT token string to verify
+     * @returns boolean true if verification successful, false otherwise
+     * @throws Error if token is null, empty, or verifier is not properly configured
+     */
+    async verify(token) {
+        if (!token || token.trim().length === 0) {
+            throw new Error('Token cannot be null or empty');
+        }
+        return this.verifyToken(token);
+    }
+    static getInstance() {
+        if (!TokenVerifier.instance) {
+            TokenVerifier.instance = new TokenVerifier();
+        }
+        return TokenVerifier.instance;
+    }
+    /**
+     * Get singleton instance of TokenVerifier and ensure it's initialized
+     * @returns Promise<TokenVerifier> - initialized singleton instance
+     */
+    static async getInitializedInstance() {
+        const instance = TokenVerifier.getInstance();
+        if (!instance.initialized) {
+            await instance.initialize();
+        }
+        return instance;
+    }
+    /**
+     * Initialize the TokenVerifier with discovery document from well-known endpoint
+     */
+    async initialize() {
+        if (this.initialized) {
+            return;
+        }
+        try {
+            // Use prep URL when environment variable is set to 'staging', otherwise use prod
+            const environment = process.env.environment || 'production';
+            const baseUrl = environment === 'staging' ? PREP_BASE_URL : PROD_BASE_URL;
+            const discoveryDocument = await this.fetchDiscoveryDocument(baseUrl);
+            this.issuer = discoveryDocument.issuer;
+            this.jwksUri = discoveryDocument.jwks_uri;
+            this.jwks = (0, jose_1.createRemoteJWKSet)(new URL(this.jwksUri), {
+                cacheMaxAge: DEFAULT_JWKS_EXPIRES_IN,
+                cooldownDuration: DEFAULT_JWKS_EXPIRES_IN
+            });
+            this.initialized = true;
+            app_sdk_1.logger.info(`TokenVerifier initialized with issuer: ${this.issuer} (environment: ${environment})`);
+        }
+        catch (error) {
+            app_sdk_1.logger.error('Failed to initialize TokenVerifier', error);
+            // Re-throw the original error to preserve specific error messages for tests
+            throw error;
+        }
+    }
+    /**
+     * Fetch discovery document from well-known endpoint
+     */
+    async fetchDiscoveryDocument(baseUrl) {
+        const wellKnownUrl = `${baseUrl}/.well-known/oauth-authorization-server`;
+        const response = await fetch(wellKnownUrl);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch discovery document: ${response.status} ${response.statusText}`);
+        }
+        const discoveryDocument = await response.json();
+        if (!discoveryDocument.issuer || !discoveryDocument.jwks_uri) {
+            throw new Error('Invalid discovery document: missing issuer or jwks_uri');
+        }
+        return discoveryDocument;
+    }
+    async verifyToken(token) {
+        if (!this.initialized) {
+            throw new Error('TokenVerifier not initialized. Call initialize() first.');
+        }
+        if (!this.jwks || !this.issuer) {
+            throw new Error('TokenVerifier not properly configured.');
+        }
+        try {
+            await (0, jose_1.jwtVerify)(token, this.jwks, {
+                issuer: this.issuer,
+                audience: AUDIENCE,
+                clockTolerance: DEFAULT_LEEWAY,
+            });
+            return true;
+        }
+        catch (error) {
+            app_sdk_1.logger.error('Token verification failed:', error);
+            return false;
+        }
+    }
+}
+exports.TokenVerifier = TokenVerifier;
+const getTokenVerifier = async () => TokenVerifier.getInitializedInstance();
+exports.getTokenVerifier = getTokenVerifier;
+//# sourceMappingURL=TokenVerifier.js.map

package/dist/auth/TokenVerifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenVerifier.js","sourceRoot":"","sources":["../../src/auth/TokenVerifier.ts"],"names":[],"mappings":";;;AAAA,+BAAqD;AACrD,+CAA2C;AAE3C;;GAEG;AACH,MAAM,uBAAuB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE/C;;GAEG;AACH,MAAM,cAAc,GAAG,EAAE,CAAC;AAE1B;;GAEG;AACH,MAAM,QAAQ,GAAG,eAAe,CAAC;AAEjC;;GAEG;AACH,MAAM,aAAa,GAAG,kDAAkD,CAAC;AAEzE;;GAEG;AACH,MAAM,aAAa,GAAG,6CAA6C,CAAC;AAQpE,MAAa,aAAa;IAChB,MAAM,CAAC,QAAQ,GAAyB,IAAI,CAAC;IAC7C,OAAO,CAAU;IACjB,MAAM,CAAU;IAChB,IAAI,CAAyC;IAC7C,WAAW,GAAY,KAAK,CAAC;IAErC;;;;;OAKG;IACI,KAAK,CAAC,MAAM,CAAC,KAAyB;QAC3C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAEO,MAAM,CAAC,WAAW;QACxB,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC5B,aAAa,CAAC,QAAQ,GAAG,IAAI,aAAa,EAAE,CAAC;QAC/C,CAAC;QACD,OAAO,aAAa,CAAC,QAAQ,CAAC;IAChC,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,sBAAsB;QACxC,MAAM,QAAQ,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC;QAC7C,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;YAC1B,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;QAC9B,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU;QACtB,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,iFAAiF;YACjF,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,YAAY,CAAC;YAC5D,MAAM,OAAO,GAAG,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC;YAC1E,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;YACrE,IAAI,CAAC,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC;YACvC,IAAI,CAAC,OAAO,GAAG,iBAAiB,CAAC,QAAQ,CAAC;YAC1C,IAAI,CAAC,IAAI,GAAG,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;gBACpD,WAAW,EAAE,uBAAuB;gBACpC,gBAAgB,EAAE,uBAAuB;aAC1C,CAAC,CAAC;YACH,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;YACxB,gBAAM,CAAC,IAAI,CAAC,0CAA0C,IAAI,CAAC,MAAM,kBAAkB,WAAW,GAAG,CAAC,CAAC;QACrG,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gBAAM,CAAC,KAAK,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;YAC1D,4EAA4E;YAC5E,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,sBAAsB,CAAC,OAAe;QAClD,MAAM,YAAY,GAAG,GAAG,OAAO,yCAAyC,CAAC;QAEzE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC;QAC3C,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,uCAAuC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACnG,CAAC;QACD,MAAM,iBAAiB,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAuB,CAAC;QACrE,IAAI,CAAC,iBAAiB,CAAC,MAAM,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,CAAC;YAC7D,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;QAC5E,CAAC;QAED,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,KAAa;QACrC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC7E,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE;gBAChC,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,QAAQ,EAAE,QAAQ;gBAClB,cAAc,EAAE,cAAc;aAC/B,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gBAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;YAClD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;;AA1GH,sCA4GC;AAEM,MAAM,gBAAgB,GAAG,KAAK,IAA4B,EAAE,CAAC,aAAa,CAAC,sBAAsB,EAAE,CAAC;AAA9F,QAAA,gBAAgB,oBAA8E"}

package/dist/auth/TokenVerifier.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=TokenVerifier.test.d.ts.map

package/dist/auth/TokenVerifier.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenVerifier.test.d.ts","sourceRoot":"","sources":["../../src/auth/TokenVerifier.test.ts"],"names":[],"mappings":""}

package/dist/auth/TokenVerifier.test.js

@@ -0,0 +1,114 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const TokenVerifier_1 = require("./TokenVerifier");
+// Test constants
+const TEST_ISSUER = 'https://prep.login.optimizely.com/oauth2/default';
+const TEST_JWKS_URI = 'https://prep.login.optimizely.com/oauth2/v1/keys';
+// Mock fetch globally
+global.fetch = jest.fn();
+describe('TokenVerifier', () => {
+    beforeEach(() => {
+        // Reset fetch mock
+        global.fetch.mockReset();
+        // Reset singleton instance for each test
+        TokenVerifier_1.TokenVerifier.instance = null;
+    });
+    describe('getInitializedInstance', () => {
+        it('should initialize successfully', async () => {
+            // Mock fetch for OAuth2 authorization server discovery
+            global.fetch.mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    issuer: TEST_ISSUER,
+                    jwks_uri: TEST_JWKS_URI
+                })
+            });
+            const tokenVerifier = await TokenVerifier_1.TokenVerifier.getInitializedInstance();
+            expect(tokenVerifier).toBeInstanceOf(TokenVerifier_1.TokenVerifier);
+        });
+        it('should throw error when discovery document is invalid', async () => {
+            global.fetch.mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                // Missing issuer and jwks_uri
+                })
+            });
+            await expect(TokenVerifier_1.TokenVerifier.getInitializedInstance()).rejects.toThrow('Invalid discovery document: missing issuer or jwks_uri');
+        });
+        it('should throw error when discovery endpoint is unreachable', async () => {
+            global.fetch.mockResolvedValue({
+                ok: false,
+                status: 404,
+                statusText: 'Not Found'
+            });
+            await expect(TokenVerifier_1.TokenVerifier.getInitializedInstance()).rejects.toThrow('Failed to fetch discovery document: 404 Not Found');
+        });
+    });
+    describe('token verification', () => {
+        let tokenVerifier;
+        beforeEach(async () => {
+            // Mock successful initialization
+            global.fetch.mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    issuer: TEST_ISSUER,
+                    jwks_uri: TEST_JWKS_URI
+                })
+            });
+            tokenVerifier = await TokenVerifier_1.TokenVerifier.getInitializedInstance();
+        });
+        it('should throw error for empty token', async () => {
+            await expect(tokenVerifier.verify('')).rejects.toThrow('Token cannot be null or empty');
+        });
+        it('should throw error for undefined token', async () => {
+            await expect(tokenVerifier.verify(undefined)).rejects.toThrow('Token cannot be null or empty');
+        });
+        it('should throw error for whitespace-only token', async () => {
+            await expect(tokenVerifier.verify('   ')).rejects.toThrow('Token cannot be null or empty');
+        });
+        it('should return false for invalid token format', async () => {
+            const result = await tokenVerifier.verify('invalid.jwt.token');
+            expect(result).toBe(false);
+        });
+    });
+    describe('singleton pattern', () => {
+        it('should return same instance when called multiple times', async () => {
+            // Mock successful initialization
+            global.fetch.mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    issuer: TEST_ISSUER,
+                    jwks_uri: TEST_JWKS_URI
+                })
+            });
+            const instance1 = await TokenVerifier_1.TokenVerifier.getInitializedInstance();
+            const instance2 = await TokenVerifier_1.TokenVerifier.getInitializedInstance();
+            expect(instance1).toBe(instance2);
+        });
+        it('should call correct prod OAuth2 authorization server discovery URL', async () => {
+            const fetchSpy = jest.spyOn(global, 'fetch').mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    issuer: TEST_ISSUER,
+                    jwks_uri: TEST_JWKS_URI
+                })
+            });
+            await TokenVerifier_1.TokenVerifier.getInitializedInstance();
+            expect(fetchSpy).toHaveBeenCalledWith('https://login.optimizely.com/oauth2/default/.well-known/oauth-authorization-server');
+        });
+        it('should call correct prep OAuth2 authorization server discovery URL', async () => {
+            // Set environment variable to staging
+            process.env.environment = 'staging';
+            const fetchSpy = jest.spyOn(global, 'fetch').mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    issuer: TEST_ISSUER,
+                    jwks_uri: TEST_JWKS_URI
+                })
+            });
+            await TokenVerifier_1.TokenVerifier.getInitializedInstance();
+            expect(fetchSpy).toHaveBeenCalledWith('https://prep.login.optimizely.com/oauth2/default/.well-known/oauth-authorization-server');
+        });
+    });
+});
+//# sourceMappingURL=TokenVerifier.test.js.map

package/dist/auth/TokenVerifier.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenVerifier.test.js","sourceRoot":"","sources":["../../src/auth/TokenVerifier.test.ts"],"names":[],"mappings":";;AAAA,mDAAgD;AAEhD,iBAAiB;AACjB,MAAM,WAAW,GAAG,kDAAkD,CAAC;AACvE,MAAM,aAAa,GAAG,kDAAkD,CAAC;AAEzE,sBAAsB;AACtB,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC,EAAE,EAAE,CAAC;AAEzB,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,UAAU,CAAC,GAAG,EAAE;QACd,mBAAmB;QAClB,MAAM,CAAC,KAAmB,CAAC,SAAS,EAAE,CAAC;QAExC,yCAAyC;QACxC,6BAAqB,CAAC,QAAQ,GAAG,IAAI,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;QACtC,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,uDAAuD;YACtD,MAAM,CAAC,KAAmB,CAAC,iBAAiB,CAAC;gBAC5C,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;oBAChC,MAAM,EAAE,WAAW;oBACnB,QAAQ,EAAE,aAAa;iBACxB,CAAC;aACH,CAAC,CAAC;YAEH,MAAM,aAAa,GAAG,MAAM,6BAAa,CAAC,sBAAsB,EAAE,CAAC;YACnE,MAAM,CAAC,aAAa,CAAC,CAAC,cAAc,CAAC,6BAAa,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;YACpE,MAAM,CAAC,KAAmB,CAAC,iBAAiB,CAAC;gBAC5C,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;gBAChC,8BAA8B;iBAC/B,CAAC;aACH,CAAC,CAAC;YAEH,MAAM,MAAM,CAAC,6BAAa,CAAC,sBAAsB,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAClE,wDAAwD,CACzD,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;YACxE,MAAM,CAAC,KAAmB,CAAC,iBAAiB,CAAC;gBAC5C,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,GAAG;gBACX,UAAU,EAAE,WAAW;aACxB,CAAC,CAAC;YAEH,MAAM,MAAM,CAAC,6BAAa,CAAC,sBAAsB,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAClE,mDAAmD,CACpD,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAClC,IAAI,aAA4B,CAAC;QAEjC,UAAU,CAAC,KAAK,IAAI,EAAE;YACpB,iCAAiC;YAChC,MAAM,CAAC,KAAmB,CAAC,iBAAiB,CAAC;gBAC5C,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;oBAChC,MAAM,EAAE,WAAW;oBACnB,QAAQ,EAAE,aAAa;iBACxB,CAAC;aACH,CAAC,CAAC;YAEH,aAAa,GAAG,MAAM,6BAAa,CAAC,sBAAsB,EAAE,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;YAClD,MAAM,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACpD,+BAA+B,CAChC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC3D,+BAA+B,CAChC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACvD,+BAA+B,CAChC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;YAC/D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;QACjC,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;YACtE,iCAAiC;YAChC,MAAM,CAAC,KAAmB,CAAC,iBAAiB,CAAC;gBAC5C,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;oBAChC,MAAM,EAAE,WAAW;oBACnB,QAAQ,EAAE,aAAa;iBACxB,CAAC;aACH,CAAC,CAAC;YAEH,MAAM,SAAS,GAAG,MAAM,6BAAa,CAAC,sBAAsB,EAAE,CAAC;YAC/D,MAAM,SAAS,GAAG,MAAM,6BAAa,CAAC,sBAAsB,EAAE,CAAC;YAC/D,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;QACH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;YAClF,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,iBAAiB,CAAC;gBAC7D,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;oBAChC,MAAM,EAAE,WAAW;oBACnB,QAAQ,EAAE,aAAa;iBACxB,CAAC;aACoB,CAAC,CAAC;YAE1B,MAAM,6BAAa,CAAC,sBAAsB,EAAE,CAAC;YAE7C,MAAM,CAAC,QAAQ,CAAC,CAAC,oBAAoB,CACnC,oFAAoF,CACrF,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;YAClF,sCAAsC;YACtC,OAAO,CAAC,GAAG,CAAC,WAAW,GAAG,SAAS,CAAC;YAEpC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,iBAAiB,CAAC;gBAC7D,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;oBAChC,MAAM,EAAE,WAAW;oBACnB,QAAQ,EAAE,aAAa;iBACxB,CAAC;aACoB,CAAC,CAAC;YAE1B,MAAM,6BAAa,CAAC,sBAAsB,EAAE,CAAC;YAE7C,MAAM,CAAC,QAAQ,CAAC,CAAC,oBAAoB,CACnC,yFAAyF,CAC1F,CAAC;QAEJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AAEL,CAAC,CAAC,CAAC"}

package/dist/function/ToolFunction.d.ts

@@ -18,14 +18,11 @@ export declare abstract class ToolFunction extends Function {
      */
     perform(): Promise<Response>;
     /**
-     * Validates the bearer token for authorization.
+     * Authenticate the incoming request by validating the OptiID token and organization ID
      *
-     * This method provides a default implementation that accepts all tokens.
-     * Subclasses can override this method to implement custom bearer token validation logic.
-     *
-     * @param _bearerToken - The bearer token extracted from the Authorization header
-     * @returns true if the token is valid and the request should proceed, false to return 403 Forbidden
+     * @throws true if authentication succeeds
      */
-    protected validateBearerToken(_bearerToken: string): boolean;
+    private authorizeRequest;
+    private validateAccessToken;
 }
 //# sourceMappingURL=ToolFunction.d.ts.map

package/dist/function/ToolFunction.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ToolFunction.d.ts","sourceRoot":"","sources":["../../src/function/ToolFunction.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAmB,MAAM,mBAAmB,CAAC;AAGxE;;;GAGG;AACH,8BAAsB,YAAa,SAAQ,QAAQ;IAEjD;;;;;OAKG;IACH,SAAS,CAAC,KAAK,IAAI,OAAO,CAAC,OAAO,CAAC;IAInC;;;;OAIG;IACU,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC;IAezC;;;;;;;;OAQG;IACH,SAAS,CAAC,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;CAG7D"}
+{"version":3,"file":"ToolFunction.d.ts","sourceRoot":"","sources":["../../src/function/ToolFunction.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAA0C,MAAM,mBAAmB,CAAC;AAK/F;;;GAGG;AACH,8BAAsB,YAAa,SAAQ,QAAQ;IAEjD;;;;;OAKG;IACH,SAAS,CAAC,KAAK,IAAI,OAAO,CAAC,OAAO,CAAC;IAInC;;;;OAIG;IACU,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC;IAczC;;;;OAIG;YACW,gBAAgB;YA2BhB,mBAAmB;CAalC"}

package/dist/function/ToolFunction.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.ToolFunction = void 0;
 const app_sdk_1 = require("@zaiusinc/app-sdk");
 const Service_1 = require("../service/Service");
+const TokenVerifier_1 = require("../auth/TokenVerifier");
 /**
  * Abstract base class for tool-based function execution
  * Provides a standard interface for processing requests through registered tools
@@ -24,8 +25,7 @@ class ToolFunction extends app_sdk_1.Function {
      */
     async perform() {
         (0, app_sdk_1.amendLogContext)({ opalThreadId: this.request.headers.get('x-opal-thread-id') || '' });
-        const bearerToken = Service_1.toolsService.extractBearerToken(this.request.headers);
-        if (bearerToken && !this.validateBearerToken(bearerToken)) {
+        if (!(await this.authorizeRequest())) {
             return new app_sdk_1.Response(403, { error: 'Forbidden' });
         }
         if (this.request.path === '/ready') {
@@ -36,16 +36,44 @@ class ToolFunction extends app_sdk_1.Function {
         return Service_1.toolsService.processRequest(this.request, this);
     }
     /**
-     * Validates the bearer token for authorization.
+     * Authenticate the incoming request by validating the OptiID token and organization ID
      *
-     * This method provides a default implementation that accepts all tokens.
-     * Subclasses can override this method to implement custom bearer token validation logic.
-     *
-     * @param _bearerToken - The bearer token extracted from the Authorization header
-     * @returns true if the token is valid and the request should proceed, false to return 403 Forbidden
+     * @throws true if authentication succeeds
      */
-    validateBearerToken(_bearerToken) {
-        return true;
+    async authorizeRequest() {
+        if (this.request.path === '/discovery' || this.request.path === '/ready') {
+            return true;
+        }
+        const authData = this.request.bodyJSON?.auth;
+        const accessToken = authData?.credentials?.access_token;
+        if (!accessToken || authData?.provider?.toLowerCase() !== 'optiid') {
+            app_sdk_1.logger.error('OptiID token is required but not provided');
+            return false;
+        }
+        const customerId = authData.credentials?.customer_id;
+        if (!customerId) {
+            app_sdk_1.logger.error('Organisation ID is required but not provided');
+            return false;
+        }
+        const appOrganisationId = (0, app_sdk_1.getAppContext)().account.organizationId;
+        if (customerId !== appOrganisationId) {
+            app_sdk_1.logger.error(`Invalid organisation ID: expected ${appOrganisationId}, received ${customerId}`);
+            return false;
+        }
+        return await this.validateAccessToken(accessToken);
+    }
+    async validateAccessToken(accessToken) {
+        try {
+            if (!accessToken) {
+                return false;
+            }
+            const tokenVerifier = await (0, TokenVerifier_1.getTokenVerifier)();
+            return await tokenVerifier.verify(accessToken);
+        }
+        catch (error) {
+            app_sdk_1.logger.error('OptiID token validation failed:', error);
+            return false;
+        }
     }
 }
 exports.ToolFunction = ToolFunction;

package/dist/function/ToolFunction.js.map

@@ -1 +1 @@
-{"version":3,"file":"ToolFunction.js","sourceRoot":"","sources":["../../src/function/ToolFunction.ts"],"names":[],"mappings":";;;AAAA,+CAAwE;AACxE,gDAAkD;AAElD;;;GAGG;AACH,MAAsB,YAAa,SAAQ,kBAAQ;IAEjD;;;;;OAKG;IACO,KAAK;QACb,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,OAAO;QAClB,IAAA,yBAAe,EAAC,EAAE,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACtF,MAAM,WAAW,GAAG,sBAAY,CAAC,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC1E,IAAI,WAAW,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1D,OAAO,IAAI,kBAAQ,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;YACnC,OAAO,IAAI,kBAAQ,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAC/C,CAAC;QACD,4EAA4E;QAC5E,OAAO,sBAAY,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACzD,CAAC;IAED;;;;;;;;OAQG;IACO,mBAAmB,CAAC,YAAoB;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AA5CD,oCA4CC"}
+{"version":3,"file":"ToolFunction.js","sourceRoot":"","sources":["../../src/function/ToolFunction.ts"],"names":[],"mappings":";;;AAAA,+CAA+F;AAC/F,gDAAkD;AAClD,yDAAyD;AAGzD;;;GAGG;AACH,MAAsB,YAAa,SAAQ,kBAAQ;IAEjD;;;;;OAKG;IACO,KAAK;QACb,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,OAAO;QAClB,IAAA,yBAAe,EAAC,EAAE,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACtF,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC,EAAE,CAAC;YACrC,OAAO,IAAI,kBAAQ,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;YACnC,OAAO,IAAI,kBAAQ,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAC/C,CAAC;QACD,4EAA4E;QAC5E,OAAO,sBAAY,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACzD,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,gBAAgB;QAC5B,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACzE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAsB,CAAC;QAC/D,MAAM,WAAW,GAAG,QAAQ,EAAE,WAAW,EAAE,YAAY,CAAC;QACxD,IAAI,CAAC,WAAW,IAAI,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;YACnE,gBAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;YAC1D,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,UAAU,GAAG,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;QACrD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,gBAAM,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;YAC7D,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,iBAAiB,GAAG,IAAA,uBAAa,GAAE,CAAC,OAAO,CAAC,cAAc,CAAC;QACjE,IAAI,UAAU,KAAK,iBAAiB,EAAE,CAAC;YACrC,gBAAM,CAAC,KAAK,CAAC,qCAAqC,iBAAiB,cAAc,UAAU,EAAE,CAAC,CAAC;YAC/F,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,MAAM,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC;IACrD,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAAC,WAA+B;QAC/D,IAAI,CAAC;YACH,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,aAAa,GAAG,MAAM,IAAA,gCAAgB,GAAE,CAAC;YAC/C,OAAO,MAAM,aAAa,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gBAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,KAAK,CAAC,CAAC;YACvD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CAEF;AA5ED,oCA4EC"}