@oxyhq/core 3.0.0 → 3.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/.tsbuildinfo +1 -1
- package/dist/cjs/mixins/OxyServices.applications.js +3 -1
- package/dist/cjs/mixins/OxyServices.utility.js +3 -0
- package/dist/esm/.tsbuildinfo +1 -1
- package/dist/esm/mixins/OxyServices.applications.js +3 -1
- package/dist/esm/mixins/OxyServices.utility.js +3 -0
- package/dist/types/.tsbuildinfo +1 -1
- package/dist/types/index.d.ts +1 -1
- package/dist/types/mixins/OxyServices.applications.d.ts +28 -4
- package/dist/types/mixins/OxyServices.utility.d.ts +7 -0
- package/package.json +1 -1
- package/src/index.ts +1 -0
- package/src/mixins/OxyServices.applications.ts +24 -4
- package/src/mixins/OxyServices.utility.ts +11 -0
package/dist/types/index.d.ts
CHANGED
|
@@ -33,7 +33,7 @@ export type { ServiceApp, ServiceActingAsVerification } from './mixins/OxyServic
|
|
|
33
33
|
export type { CreateManagedAccountInput, ManagedAccountManager, ManagedAccount, } from './mixins/OxyServices.managedAccounts';
|
|
34
34
|
export type { ContactDiscoveryMatch, ContactDiscoveryResponse, } from './mixins/OxyServices.contacts';
|
|
35
35
|
export { OxyAppDataIdentifierError } from './mixins/OxyServices.appData';
|
|
36
|
-
export type { Application, ApplicationMember, ApplicationCredential, ApplicationRole, ApplicationType, ApplicationStatus, ApplicationMemberStatus, ApplicationCredentialType, ApplicationCredentialStatus, ApplicationEnvironment, CreateApplicationInput, UpdateApplicationInput, InviteApplicationMemberInput, UpdateApplicationMemberInput, TransferApplicationOwnershipInput, CreateApplicationCredentialInput, ApplicationCredentialWithSecret, ApplicationUsagePeriod, ApplicationUsageSummary, ApplicationUsageByDay, ApplicationUsageByEndpoint, ApplicationUsageStats, ApplicationSuccessResult, } from './mixins/OxyServices.applications';
|
|
36
|
+
export type { Application, ApplicationMember, ApplicationCredential, ApplicationRole, ApplicationType, ApplicationStatus, ApplicationMemberStatus, ApplicationCredentialType, ApplicationCredentialStatus, ApplicationEnvironment, CreateApplicationInput, UpdateApplicationInput, InviteApplicationMemberInput, UpdateApplicationMemberInput, TransferApplicationOwnershipInput, CreateApplicationCredentialInput, ApplicationCredentialWithSecret, RotateApplicationCredentialResult, ApplicationUsagePeriod, ApplicationUsageSummary, ApplicationUsageByDay, ApplicationUsageByEndpoint, ApplicationUsageStats, ApplicationSuccessResult, } from './mixins/OxyServices.applications';
|
|
37
37
|
export { SessionSyncRequiredError, AuthenticationFailedError, ensureValidToken, isAuthenticationError, withAuthErrorHandling, authenticatedApiCall, } from './utils/authHelpers';
|
|
38
38
|
export type { HandleApiErrorOptions } from './utils/authHelpers';
|
|
39
39
|
export { mergeSessions, normalizeAndSortSessions, sessionsArraysEqual, } from './utils/sessionUtils';
|
|
@@ -89,6 +89,11 @@ export interface ApplicationCredential {
|
|
|
89
89
|
status: ApplicationCredentialStatus;
|
|
90
90
|
lastUsedAt?: string;
|
|
91
91
|
expiresAt?: string;
|
|
92
|
+
/**
|
|
93
|
+
* Audit link to the credential this one was rotated FROM. Populated by the
|
|
94
|
+
* API on credentials created via rotation; absent on original credentials.
|
|
95
|
+
*/
|
|
96
|
+
rotatedFromCredentialId?: string;
|
|
92
97
|
createdByUserId: string;
|
|
93
98
|
createdAt: string;
|
|
94
99
|
updatedAt: string;
|
|
@@ -134,11 +139,23 @@ export interface CreateApplicationCredentialInput {
|
|
|
134
139
|
environment: ApplicationEnvironment;
|
|
135
140
|
scopes?: string[];
|
|
136
141
|
}
|
|
137
|
-
/** Result of creating
|
|
142
|
+
/** Result of creating a credential — `secret` is returned ONCE. */
|
|
138
143
|
export interface ApplicationCredentialWithSecret {
|
|
139
144
|
credential: ApplicationCredential;
|
|
140
145
|
secret: string;
|
|
141
146
|
}
|
|
147
|
+
/**
|
|
148
|
+
* Result of rotating a credential. Extends the create result with audit fields:
|
|
149
|
+
* the new plaintext `secret` is returned ONCE, plus `rotatedFrom` (the previous
|
|
150
|
+
* credential's `credentialId`) and `graceExpiresAt` (ISO string marking when the
|
|
151
|
+
* old credential stops being honoured during the rotation grace window).
|
|
152
|
+
*/
|
|
153
|
+
export interface RotateApplicationCredentialResult extends ApplicationCredentialWithSecret {
|
|
154
|
+
/** The previous credential's `credentialId` that this rotation supersedes. */
|
|
155
|
+
rotatedFrom: string;
|
|
156
|
+
/** ISO timestamp at which the rotated-from credential's grace window ends. */
|
|
157
|
+
graceExpiresAt: string;
|
|
158
|
+
}
|
|
142
159
|
/** Time window for application usage statistics. */
|
|
143
160
|
export type ApplicationUsagePeriod = '24h' | '7d' | '30d' | '90d';
|
|
144
161
|
/** Aggregate totals for an application over the requested period. */
|
|
@@ -245,11 +262,13 @@ export declare function OxyServicesApplicationsMixin<T extends typeof OxyService
|
|
|
245
262
|
createApplicationCredential(applicationId: string, data: CreateApplicationCredentialInput): Promise<ApplicationCredentialWithSecret>;
|
|
246
263
|
/**
|
|
247
264
|
* Rotate a credential's secret. The new plaintext `secret` is returned
|
|
248
|
-
* exactly ONCE
|
|
265
|
+
* exactly ONCE, along with audit fields: `rotatedFrom` (the previous
|
|
266
|
+
* credentialId) and `graceExpiresAt` (ISO string for the grace window during
|
|
267
|
+
* which the old credential is still honoured).
|
|
249
268
|
* @param applicationId - The application's Mongo `_id`.
|
|
250
269
|
* @param credentialId - The credential's Mongo `_id`.
|
|
251
270
|
*/
|
|
252
|
-
rotateApplicationCredential(applicationId: string, credentialId: string): Promise<
|
|
271
|
+
rotateApplicationCredential(applicationId: string, credentialId: string): Promise<RotateApplicationCredentialResult>;
|
|
253
272
|
/**
|
|
254
273
|
* Revoke a credential (`status='revoked'`). Revoked credentials can no
|
|
255
274
|
* longer authenticate.
|
|
@@ -310,7 +329,12 @@ export declare function OxyServicesApplicationsMixin<T extends typeof OxyService
|
|
|
310
329
|
healthCheck(): Promise<{
|
|
311
330
|
status: string;
|
|
312
331
|
users?: number;
|
|
313
|
-
timestamp
|
|
332
|
+
timestamp? /**
|
|
333
|
+
* Create a credential. The plaintext `secret` is returned exactly ONCE;
|
|
334
|
+
* the server stores only a hash and will never return it again.
|
|
335
|
+
* @param applicationId - The application's Mongo `_id`.
|
|
336
|
+
* @param data - Credential configuration.
|
|
337
|
+
*/: string;
|
|
314
338
|
[key: string]: any;
|
|
315
339
|
}>;
|
|
316
340
|
};
|
|
@@ -34,6 +34,13 @@ export interface ServiceApp {
|
|
|
34
34
|
appId: string;
|
|
35
35
|
appName: string;
|
|
36
36
|
scopes: string[];
|
|
37
|
+
/**
|
|
38
|
+
* The credentialId of the specific service credential that minted this token.
|
|
39
|
+
* Carried by newer service-token JWTs alongside `appId`; absent on tokens
|
|
40
|
+
* issued before credential-level audit linking. Use for per-credential audit
|
|
41
|
+
* trails and rotation alignment (GitHub #215).
|
|
42
|
+
*/
|
|
43
|
+
credentialId?: string;
|
|
37
44
|
}
|
|
38
45
|
/**
|
|
39
46
|
* Options for oxyClient.auth() middleware
|
package/package.json
CHANGED
package/src/index.ts
CHANGED
|
@@ -100,6 +100,11 @@ export interface ApplicationCredential {
|
|
|
100
100
|
status: ApplicationCredentialStatus;
|
|
101
101
|
lastUsedAt?: string;
|
|
102
102
|
expiresAt?: string;
|
|
103
|
+
/**
|
|
104
|
+
* Audit link to the credential this one was rotated FROM. Populated by the
|
|
105
|
+
* API on credentials created via rotation; absent on original credentials.
|
|
106
|
+
*/
|
|
107
|
+
rotatedFromCredentialId?: string;
|
|
103
108
|
createdByUserId: string;
|
|
104
109
|
createdAt: string;
|
|
105
110
|
updatedAt: string;
|
|
@@ -152,12 +157,25 @@ export interface CreateApplicationCredentialInput {
|
|
|
152
157
|
scopes?: string[];
|
|
153
158
|
}
|
|
154
159
|
|
|
155
|
-
/** Result of creating
|
|
160
|
+
/** Result of creating a credential — `secret` is returned ONCE. */
|
|
156
161
|
export interface ApplicationCredentialWithSecret {
|
|
157
162
|
credential: ApplicationCredential;
|
|
158
163
|
secret: string;
|
|
159
164
|
}
|
|
160
165
|
|
|
166
|
+
/**
|
|
167
|
+
* Result of rotating a credential. Extends the create result with audit fields:
|
|
168
|
+
* the new plaintext `secret` is returned ONCE, plus `rotatedFrom` (the previous
|
|
169
|
+
* credential's `credentialId`) and `graceExpiresAt` (ISO string marking when the
|
|
170
|
+
* old credential stops being honoured during the rotation grace window).
|
|
171
|
+
*/
|
|
172
|
+
export interface RotateApplicationCredentialResult extends ApplicationCredentialWithSecret {
|
|
173
|
+
/** The previous credential's `credentialId` that this rotation supersedes. */
|
|
174
|
+
rotatedFrom: string;
|
|
175
|
+
/** ISO timestamp at which the rotated-from credential's grace window ends. */
|
|
176
|
+
graceExpiresAt: string;
|
|
177
|
+
}
|
|
178
|
+
|
|
161
179
|
/** Time window for application usage statistics. */
|
|
162
180
|
export type ApplicationUsagePeriod = '24h' | '7d' | '30d' | '90d';
|
|
163
181
|
|
|
@@ -445,16 +463,18 @@ export function OxyServicesApplicationsMixin<T extends typeof OxyServicesBase>(B
|
|
|
445
463
|
|
|
446
464
|
/**
|
|
447
465
|
* Rotate a credential's secret. The new plaintext `secret` is returned
|
|
448
|
-
* exactly ONCE
|
|
466
|
+
* exactly ONCE, along with audit fields: `rotatedFrom` (the previous
|
|
467
|
+
* credentialId) and `graceExpiresAt` (ISO string for the grace window during
|
|
468
|
+
* which the old credential is still honoured).
|
|
449
469
|
* @param applicationId - The application's Mongo `_id`.
|
|
450
470
|
* @param credentialId - The credential's Mongo `_id`.
|
|
451
471
|
*/
|
|
452
472
|
async rotateApplicationCredential(
|
|
453
473
|
applicationId: string,
|
|
454
474
|
credentialId: string,
|
|
455
|
-
): Promise<
|
|
475
|
+
): Promise<RotateApplicationCredentialResult> {
|
|
456
476
|
try {
|
|
457
|
-
return await this.makeRequest<
|
|
477
|
+
return await this.makeRequest<RotateApplicationCredentialResult>(
|
|
458
478
|
'POST',
|
|
459
479
|
`/applications/${applicationId}/credentials/${credentialId}/rotate`,
|
|
460
480
|
undefined,
|
|
@@ -18,6 +18,7 @@ interface JwtPayload {
|
|
|
18
18
|
sessionId?: string;
|
|
19
19
|
type?: string;
|
|
20
20
|
appId?: string;
|
|
21
|
+
credentialId?: string;
|
|
21
22
|
appName?: string;
|
|
22
23
|
scopes?: string[];
|
|
23
24
|
aud?: string | string[];
|
|
@@ -61,6 +62,13 @@ export interface ServiceApp {
|
|
|
61
62
|
appId: string;
|
|
62
63
|
appName: string;
|
|
63
64
|
scopes: string[];
|
|
65
|
+
/**
|
|
66
|
+
* The credentialId of the specific service credential that minted this token.
|
|
67
|
+
* Carried by newer service-token JWTs alongside `appId`; absent on tokens
|
|
68
|
+
* issued before credential-level audit linking. Use for per-credential audit
|
|
69
|
+
* trails and rotation alignment (GitHub #215).
|
|
70
|
+
*/
|
|
71
|
+
credentialId?: string;
|
|
64
72
|
}
|
|
65
73
|
|
|
66
74
|
/**
|
|
@@ -618,6 +626,9 @@ export function OxyServicesUtilityMixin<T extends typeof OxyServicesBase>(Base:
|
|
|
618
626
|
appId,
|
|
619
627
|
appName: decoded.appName || 'unknown',
|
|
620
628
|
scopes: Array.isArray(decoded.scopes) ? decoded.scopes : [],
|
|
629
|
+
...(typeof decoded.credentialId === 'string' && decoded.credentialId.length > 0
|
|
630
|
+
? { credentialId: decoded.credentialId }
|
|
631
|
+
: {}),
|
|
621
632
|
};
|
|
622
633
|
|
|
623
634
|
if (debug) {
|