@ouim/logto-authkit 0.3.0

package/dist/server/index.js

@@ -0,0 +1,431 @@
+import { importJWK as G, jwtVerify as U } from "jose";
+import F from "cookie-parser";
+import { randomUUID as D } from "node:crypto";
+function b(e) {
+  return typeof e == "object" && e !== null && "get" in e && typeof e.get == "function";
+}
+function x(e) {
+  return typeof e == "object" && e !== null;
+}
+function H(e) {
+  return typeof e == "object" && e !== null;
+}
+const f = /* @__PURE__ */ new Map(), L = 300 * 1e3;
+function K(e) {
+  return `${e.replace(/\/+$/, "")}/oidc`;
+}
+function l(e, t = "guest_logto_authtoken") {
+  if (b(e)) {
+    const n = e.get(t);
+    return (n == null ? void 0 : n.value) ?? void 0;
+  } else if (x(e))
+    return e[t] ?? void 0;
+}
+function m(e, t = "logto_authtoken") {
+  if (b(e)) {
+    const n = e.get(t);
+    return (n == null ? void 0 : n.value) || null;
+  } else if (x(e))
+    return e[t] || null;
+  return null;
+}
+function p(e) {
+  if (!H(e))
+    return null;
+  const t = typeof e.get == "function" ? e.get("authorization") : e.authorization;
+  return typeof t == "string" && t.startsWith("Bearer ") ? t.slice(7) : null;
+}
+function z(e) {
+  let t = e.replace(/-/g, "+").replace(/_/g, "/");
+  const n = t.length % 4;
+  return n && (t += "=".repeat(4 - n)), typeof atob < "u" ? atob(t) : Buffer.from(t, "base64").toString();
+}
+async function $(e) {
+  const { logtoUrl: t, jwksCacheTtlMs: n = L, skipJwksCache: o = !1 } = e, r = k(t), i = Date.now(), s = f.get(r);
+  if (!o && s && s.expires > i)
+    return s.keys;
+  try {
+    const a = await fetch(r);
+    if (!a.ok)
+      throw new Error(`Failed to fetch JWKS: ${a.status} ${a.statusText}`);
+    const c = (await a.json()).keys || [];
+    return !o && n > 0 ? f.set(r, {
+      keys: c,
+      expires: i + n
+    }) : f.delete(r), c;
+  } catch (a) {
+    throw new Error(`Failed to fetch JWKS from ${r}: ${a instanceof Error ? a.message : "Unknown error"}`);
+  }
+}
+function k(e) {
+  return `${K(e)}/jwks`;
+}
+function ne(e) {
+  f.delete(k(e));
+}
+function oe() {
+  f.clear();
+}
+function B(e, t, n) {
+  if (!e || e.length === 0)
+    throw new Error("No keys found in JWKS");
+  if (t) {
+    const r = e.find((i) => i.kid === t);
+    if (r) return r;
+    throw new Error(`Key with kid "${t}" not found in JWKS`);
+  }
+  if (n) {
+    const r = e.find((i) => i.alg === n);
+    if (r) return r;
+  }
+  const o = e.find((r) => r.kty === "RSA" && (r.use === "sig" || !r.use));
+  return o || e[0];
+}
+function O(e, t) {
+  const { logtoUrl: n, audience: o, requiredScope: r } = t, i = typeof e.exp == "number" ? e.exp : void 0, s = typeof e.nbf == "number" ? e.nbf : void 0, a = K(n);
+  if (e.iss !== a)
+    throw new Error(`Invalid issuer. Expected: ${a}, Got: ${e.iss}`);
+  if (o) {
+    const c = e.aud, d = Array.isArray(o) ? o : [o];
+    if (!(Array.isArray(c) ? c : c !== void 0 ? [c] : []).some((y) => d.includes(y)))
+      throw new Error(
+        `Invalid audience. Expected one of: ${JSON.stringify(d)}, Got: ${Array.isArray(c) ? JSON.stringify(c) : c}`
+      );
+  }
+  const u = Math.floor(Date.now() / 1e3);
+  if (i !== void 0 && i < u)
+    throw new Error("Token has expired");
+  if (s !== void 0 && s > u)
+    throw new Error("Token is not yet valid");
+  if (r && (!e.scope || !e.scope.includes(r)))
+    throw new Error(`Missing required scope: ${r}`);
+}
+function P(e) {
+  if (typeof e != "object" || e === null)
+    throw new Error("JWT payload is missing or not an object");
+  const t = e;
+  if (typeof t.sub != "string" || t.sub.trim() === "")
+    throw new Error('JWT payload is missing required field "sub" (user ID)');
+  if (typeof t.iss != "string" || t.iss.trim() === "")
+    throw new Error('JWT payload is missing required field "iss" (issuer)');
+  if (t.exp !== void 0 && typeof t.exp != "number")
+    throw new Error('JWT payload field "exp" must be a number');
+  if (t.nbf !== void 0 && typeof t.nbf != "number")
+    throw new Error('JWT payload field "nbf" must be a number');
+  if (t.aud !== void 0) {
+    const n = t.aud;
+    if (!(typeof n == "string" || Array.isArray(n) && n.every((r) => typeof r == "string")))
+      throw new Error('JWT payload field "aud" must be a string or string[]');
+  }
+  if (t.scope !== void 0 && typeof t.scope != "string")
+    throw new Error('JWT payload field "scope" must be a string');
+}
+function V(e) {
+  if (!(e instanceof Error)) return !1;
+  if (e.message.startsWith("No keys found in JWKS") || e.message.startsWith("Key with kid"))
+    return !0;
+  const t = e.code;
+  return t === "ERR_JWKS_NO_MATCHING_KEY" || t === "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+}
+async function C(e, t, n, o) {
+  const r = typeof t.kid == "string" ? t.kid : void 0, i = typeof t.alg == "string" ? t.alg : void 0, s = B(n, r, i), a = await G(s, i || "RS256"), { payload: u } = await U(e, a);
+  return P(u), O(u, o), {
+    userId: u.sub,
+    isAuthenticated: !0,
+    payload: u,
+    isGuest: !1
+  };
+}
+async function A(e, t) {
+  const { logtoUrl: n } = t, o = k(n);
+  try {
+    const [r] = e.split(".");
+    if (!r)
+      throw new Error("Invalid JWT format");
+    const i = z(r), s = JSON.parse(i), a = await $(t);
+    try {
+      return await C(e, s, a, t);
+    } catch (u) {
+      if (!V(u))
+        throw u;
+      console.warn("[verifyLogtoToken] Key/signature error — invalidating JWKS cache and retrying with fresh keys"), f.delete(o);
+      const c = await $(t);
+      return await C(e, s, c, t);
+    }
+  } catch (r) {
+    throw new Error(`Token verification failed: ${r instanceof Error ? r.message : "Unknown error"}`);
+  }
+}
+function ie(e) {
+  const t = F(), n = async (o, r, i) => {
+    try {
+      let s = m(o.cookies, e.cookieName);
+      if (s || (s = p(o.headers)), !s) {
+        if (e.allowGuest) {
+          const u = l(o.cookies);
+          return o.auth = {
+            userId: null,
+            isAuthenticated: !1,
+            payload: null,
+            isGuest: !0,
+            guestId: u
+          }, i();
+        }
+        return r.status(401).json({
+          error: "Authentication required",
+          message: "No token found in cookies or Authorization header"
+        });
+      }
+      const a = await A(s, e);
+      return o.auth = a, i();
+    } catch (s) {
+      if (e.allowGuest) {
+        const a = l(o.cookies);
+        return o.auth = {
+          userId: null,
+          isAuthenticated: !1,
+          payload: null,
+          isGuest: !0,
+          guestId: a || void 0
+        }, i();
+      }
+      return r.status(401).json({
+        error: "Authentication failed",
+        message: s instanceof Error ? s.message : "Unknown error"
+      });
+    }
+  };
+  return async (o, r, i) => {
+    o.cookies ? await n(o, r, i) : t(o, r, async (s) => {
+      if (s)
+        return i(s);
+      await n(o, r, i);
+    });
+  };
+}
+async function se(e, t) {
+  try {
+    let n = m(e.cookies, t.cookieName);
+    return n || (n = p(e.headers)), n ? {
+      success: !0,
+      auth: await A(n, t)
+    } : t.allowGuest ? {
+      success: !0,
+      auth: {
+        userId: null,
+        isAuthenticated: !1,
+        payload: null,
+        isGuest: !0,
+        guestId: l(e.cookies) || void 0
+      }
+    } : {
+      success: !1,
+      error: "No token found in cookies or Authorization header"
+    };
+  } catch (n) {
+    if (t.allowGuest) {
+      const o = l(e.cookies), r = n instanceof Error ? n.message : "Unknown error";
+      return console.warn(`[verifyNextAuth] Token verification failed, falling back to guest: ${r}`), {
+        success: !0,
+        auth: {
+          userId: null,
+          isAuthenticated: !1,
+          payload: null,
+          isGuest: !0,
+          guestId: o || void 0
+        }
+      };
+    }
+    return {
+      success: !1,
+      error: n instanceof Error ? n.message : "Unknown error"
+    };
+  }
+}
+async function ae(e, t) {
+  let n;
+  if (typeof e == "string")
+    n = e;
+  else {
+    const o = m(e.cookies, t.cookieName) || p(e.headers);
+    if (!o) {
+      if (t.allowGuest)
+        return {
+          userId: null,
+          isAuthenticated: !1,
+          payload: null,
+          isGuest: !0,
+          guestId: l(e.cookies) || void 0
+        };
+      throw new Error("No token found in request");
+    }
+    n = o;
+  }
+  try {
+    return await A(n, t);
+  } catch (o) {
+    if (t.allowGuest && typeof e == "object")
+      return {
+        userId: null,
+        isAuthenticated: !1,
+        payload: null,
+        isGuest: !0,
+        guestId: l(e.cookies) || void 0
+      };
+    throw o;
+  }
+}
+function ue(e, t = {}) {
+  const {
+    cookieName: n = "logto_authtoken",
+    maxAge: o = 10080 * 60,
+    // 7 days in seconds
+    domain: r,
+    path: i = "/",
+    sameSite: s = "Strict"
+  } = t;
+  let a = `${n}=${e}; Max-Age=${o}; Path=${i}; HttpOnly; Secure; SameSite=${s}`;
+  return r && (a += `; Domain=${r}`), a;
+}
+const E = "logto_csrf_token", J = "x-csrf-token", Y = /* @__PURE__ */ new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
+function Q() {
+  return D();
+}
+function X(e, t = {}) {
+  const {
+    cookieName: n = E,
+    maxAge: o = 1440 * 60,
+    // 1 day
+    domain: r,
+    path: i = "/",
+    sameSite: s = "Strict"
+  } = t;
+  if (/[\r\n;]/.test(e))
+    throw new Error("CSRF token contains invalid characters (newline or semicolon)");
+  let a = `${n}=${e}; Max-Age=${o}; Path=${i}; Secure; SameSite=${s}`;
+  return r && (a += `; Domain=${r}`), a;
+}
+function ce(e = {}) {
+  const {
+    cookieName: t = E,
+    headerName: n = J,
+    domain: o,
+    path: r = "/",
+    sameSite: i = "Strict",
+    maxAge: s = 1440 * 60
+  } = e;
+  return (a, u, c) => {
+    var S, T, I;
+    const d = (a.method ?? "GET").toUpperCase();
+    if (Y.has(d)) {
+      if (!((S = a.cookies) != null && S[t])) {
+        const R = Q(), j = X(R, { cookieName: t, maxAge: s, domain: o, path: r, sameSite: i });
+        typeof u.setHeader == "function" && u.setHeader("Set-Cookie", j);
+      }
+      return c();
+    }
+    const w = (T = a.cookies) == null ? void 0 : T[t], h = (I = a.headers) == null ? void 0 : I[n], y = Array.isArray(h) ? h[0] : h;
+    if (!w || !y || w !== y) {
+      u.status(403).json({
+        error: "CSRF validation failed",
+        message: `Include the '${n}' request header with the value from the '${t}' cookie.`
+      });
+      return;
+    }
+    return c();
+  };
+}
+function fe(e, t = {}) {
+  var s, a;
+  const { cookieName: n = E, headerName: o = J } = t, r = (a = (s = e.cookies) == null ? void 0 : s.get(n)) == null ? void 0 : a.value, i = e.headers.get(o);
+  return r ? i ? r !== i ? {
+    valid: !1,
+    error: "CSRF token mismatch. The header value does not match the cookie value."
+  } : { valid: !0 } : {
+    valid: !1,
+    error: `Missing '${o}' request header. Read the '${n}' cookie value and send it in this header.`
+  } : {
+    valid: !1,
+    error: `CSRF cookie '${n}' not found. Ensure GET requests are made first to receive the CSRF cookie.`
+  };
+}
+const _ = ["roles", "role"];
+function Z(e) {
+  return typeof e == "object" && e !== null && "isAuthenticated" in e;
+}
+function N(e) {
+  return e ? Z(e) ? e.payload : e : null;
+}
+function v(e) {
+  return (Array.isArray(e) ? e : [e]).flatMap((t) => t.split(/\s+/)).map((t) => t.trim()).filter(Boolean);
+}
+function g(e) {
+  return (Array.isArray(e) ? e : [e]).flatMap((t) => t.split(/[,\s]+/)).map((t) => t.trim()).filter(Boolean);
+}
+function W(e) {
+  const t = N(e);
+  return t != null && t.scope ? v(t.scope) : [];
+}
+function M(e, t) {
+  const n = N(e);
+  if (!n) return [];
+  for (const o of t) {
+    const r = n[o];
+    if (Array.isArray(r) && r.every((i) => typeof i == "string") || typeof r == "string")
+      return g(r);
+  }
+  return [];
+}
+function q(e, t, n = {}) {
+  const o = v(t);
+  if (o.length === 0) return !0;
+  const r = W(e), { mode: i = "all" } = n;
+  return i === "any" ? o.some((s) => r.includes(s)) : o.every((s) => r.includes(s));
+}
+function le(e, t, n = {}) {
+  const o = v(t);
+  if (o.length === 0) return;
+  const r = W(e), { mode: i = "all" } = n;
+  if (q(e, o, { mode: i }))
+    return;
+  const s = o.filter((u) => !r.includes(u)), a = i === "any" ? "at least one of" : "all of";
+  throw new Error(
+    `Missing required scopes (${a}: ${o.join(", ")}). Token scopes: ${r.join(", ") || "(none)"}. Missing: ${s.join(", ") || o.join(", ")}`
+  );
+}
+function de(e, t, n = {}) {
+  var s;
+  const o = g(t);
+  if (o.length === 0) return !0;
+  const r = (s = n.claimKeys) != null && s.length ? n.claimKeys : _, i = M(e, r);
+  return o.every((a) => i.includes(a));
+}
+function he(e, t, n = {}) {
+  var s;
+  const o = g(t);
+  if (o.length === 0) return;
+  const r = (s = n.claimKeys) != null && s.length ? n.claimKeys : _, i = M(e, r);
+  if (!o.every((a) => i.includes(a)))
+    throw new Error(
+      `Missing required role: ${o.join(", ")}. Checked claims: ${r.join(", ")}. Token roles: ${i.join(", ") || "(none)"}`
+    );
+}
+export {
+  E as CSRF_COOKIE_NAME,
+  J as CSRF_HEADER_NAME,
+  ue as buildAuthCookieHeader,
+  X as buildCsrfCookieHeader,
+  oe as clearJwksCache,
+  ce as createCsrfMiddleware,
+  ie as createExpressAuthMiddleware,
+  Q as generateCsrfToken,
+  de as hasRole,
+  q as hasScopes,
+  ne as invalidateJwksCache,
+  he as requireRole,
+  le as requireScopes,
+  ae as verifyAuth,
+  fe as verifyCsrfToken,
+  A as verifyLogtoToken,
+  se as verifyNextAuth
+};

package/dist/server/types.d.ts

@@ -0,0 +1,62 @@
+export interface AuthPayload {
+    sub: string;
+    scope: string;
+    iss?: string;
+    aud?: string | string[];
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    [key: string]: unknown;
+}
+export interface AuthContext {
+    userId: string | null;
+    isAuthenticated: boolean;
+    payload: AuthPayload | null;
+    isGuest?: boolean;
+    guestId?: string;
+}
+export interface VerifyAuthOptions {
+    logtoUrl: string;
+    audience?: string | string[];
+    cookieName?: string;
+    requiredScope?: string;
+    allowGuest?: boolean;
+    jwksCacheTtlMs?: number;
+    skipJwksCache?: boolean;
+}
+export interface ExpressRequest {
+    cookies?: {
+        [key: string]: string;
+    };
+    headers: {
+        [key: string]: string | string[] | undefined;
+    };
+    auth?: AuthContext;
+}
+export interface ExpressResponse {
+    status: (code: number) => ExpressResponse;
+    json: (obj: unknown) => ExpressResponse;
+    /**
+     * Set a response header. Present on all real Express `Response` objects
+     * (inherited from `http.ServerResponse`). Typed as optional here to keep
+     * the interface compatible with minimal test stubs, but the CSRF middleware
+     * depends on it being present to set the CSRF cookie.
+     */
+    setHeader?: (name: string, value: string) => void;
+}
+export type ExpressNext = (err?: unknown) => void;
+export interface NextRequest {
+    cookies?: {
+        get: (name: string) => {
+            value: string;
+        } | undefined;
+    };
+    headers: {
+        get: (name: string) => string | null;
+    };
+}
+export interface NextResponse {
+    json: (body: unknown, init?: {
+        status?: number;
+    }) => NextResponse;
+}