@pafi-dev/issuer 0.27.1 → 0.28.0
- package/dist/chunk-BRKEJJFQ.js +17 -0
- package/dist/chunk-BRKEJJFQ.js.map +1 -0
- package/dist/{chunk-U3WMORJG.js → chunk-QLNGNH4A.js} +1 -52
- package/dist/{chunk-U3WMORJG.js.map → chunk-QLNGNH4A.js.map} +1 -1
- package/dist/http/index.js +2 -1
- package/dist/index.cjs +1 -1
- package/dist/index.js +3 -2
- package/dist/index.js.map +1 -1
- package/dist/nestjs/index.cjs +107 -51
- package/dist/nestjs/index.cjs.map +1 -1
- package/dist/nestjs/index.d.cts +90 -2
- package/dist/nestjs/index.d.ts +90 -2
- package/dist/nestjs/index.js +109 -10
- package/dist/nestjs/index.js.map +1 -1
- package/dist/types-CxVXRHLy.d.cts +64 -0
- package/dist/types-CxVXRHLy.d.ts +64 -0
- package/dist/wallet-auth/index.cjs +48 -0
- package/dist/wallet-auth/index.cjs.map +1 -0
- package/dist/wallet-auth/index.d.cts +29 -0
- package/dist/wallet-auth/index.d.ts +29 -0
- package/dist/wallet-auth/index.js +23 -0
- package/dist/wallet-auth/index.js.map +1 -0
- package/package.json +25 -12
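--- a/package/dist/nestjs/index.cjs
+++ b/package/dist/nestjs/index.cjs
@@ -1,15 +1,8 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __knownSymbol = (name, symbol) => (symbol = Symbol[name]) ? symbol : /* @__PURE__ */ Symbol.for("Symbol." + name);
-var __typeError = (msg) => {
-throw TypeError(msg);
-};
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 var __export = (target, all) => {
 for (var name in all)
 __defProp(target, name, { get: all[name], enumerable: true });
@@ -23,49 +16,23 @@ var __copyProps = (to, from, except, desc) => {
 return to;
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var
-var
-var
-
-
-
-
-return value;
-};
-var __decorateElement = (array, flags, name, decorators, target, extra) => {
-var fn, it, done, ctx, access, k = flags & 7, s = !!(flags & 8), p = !!(flags & 16);
-var j = k > 3 ? array.length + 1 : k ? s ? 1 : 2 : 0, key = __decoratorStrings[k + 5];
-var initializers = k > 3 && (array[j - 1] = []), extraInitializers = array[j] || (array[j] = []);
-var desc = k && (!p && !s && (target = target.prototype), k < 5 && (k > 3 || !p) && __getOwnPropDesc(k < 4 ? target : { get [name]() {
-return __privateGet(this, extra);
-}, set [name](x) {
-return __privateSet(this, extra, x);
-} }, name));
-k ? p && k < 4 && __name(extra, (k > 2 ? "set " : k > 1 ? "get " : "") + name) : __name(target, name);
-for (var i = decorators.length - 1; i >= 0; i--) {
-ctx = __decoratorContext(k, name, done = {}, array[3], extraInitializers);
-if (k) {
-ctx.static = s, ctx.private = p, access = ctx.access = { has: p ? (x) => __privateIn(target, x) : (x) => name in x };
-if (k ^ 3) access.get = p ? (x) => (k ^ 1 ? __privateGet : __privateMethod)(x, target, k ^ 4 ? extra : desc.get) : (x) => x[name];
-if (k > 2) access.set = p ? (x, y) => __privateSet(x, target, y, k ^ 4 ? extra : desc.set) : (x, y) => x[name] = y;
-}
-it = (0, decorators[i])(k ? k < 4 ? p ? extra : desc[key] : k > 4 ? void 0 : { get: desc.get, set: desc.set } : target, ctx), done._ = 1;
-if (k ^ 4 || it === void 0) __expectFn(it) && (k > 4 ? initializers.unshift(it) : k ? p ? extra = it : desc[key] = it : target = it);
-else if (typeof it !== "object" || it === null) __typeError("Object expected");
-else __expectFn(fn = it.get) && (desc.get = fn), __expectFn(fn = it.set) && (desc.set = fn), __expectFn(fn = it.init) && initializers.unshift(fn);
-}
-return k || __decoratorMetadata(array, target), desc && __defProp(target, name, desc), p ? k ^ 4 ? extra : desc : target;
+var __decorateClass = (decorators, target, key, kind) => {
+var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+for (var i = decorators.length - 1, decorator; i >= 0; i--)
+if (decorator = decorators[i])
+result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+if (kind && result) __defProp(target, key, result);
+return result;
 };
-var
-var __privateIn = (member, obj) => Object(obj) !== obj ? __typeError('Cannot use the "in" operator on this value') : member.has(obj);
-var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
-var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
-var __privateMethod = (obj, member, method) => (__accessCheck(obj, member, "access private method"), method);
+var __decorateParam = (index, decorator) => (target, key) => decorator(target, key, index);
 
 // src/nestjs/index.ts
 var nestjs_exports = {};
 __export(nestjs_exports, {
-PafiHttpExceptionFilter: () => PafiHttpExceptionFilter
+PafiHttpExceptionFilter: () => PafiHttpExceptionFilter,
+WALLET_AUTH_JWKS_KEYS: () => WALLET_AUTH_JWKS_KEYS,
+WalletAuthJwksController: () => WalletAuthJwksController,
+WalletAuthJwksModule: () => WalletAuthJwksModule
 });
 module.exports = __toCommonJS(nestjs_exports);
 
@@ -207,8 +174,6 @@ function payloadFromGenericError(err) {
 }
 
 // src/nestjs/httpExceptionFilter.ts
-var _PafiHttpExceptionFilter_decorators, _init;
-_PafiHttpExceptionFilter_decorators = [(0, import_common.Catch)()];
 var PafiHttpExceptionFilter = class {
 logger = new import_common.Logger("PafiHttpExceptionFilter");
 opts;
@@ -304,11 +269,102 @@ var PafiHttpExceptionFilter = class {
 };
 }
 };
-
-
-
+PafiHttpExceptionFilter = __decorateClass([
+(0, import_common.Catch)()
+], PafiHttpExceptionFilter);
+
+// src/nestjs/walletAuthJwks.module.ts
+var import_common3 = require("@nestjs/common");
+
+// src/nestjs/walletAuthJwks.controller.ts
+var import_common2 = require("@nestjs/common");
+
+// src/nestjs/walletAuthJwks.tokens.ts
+var WALLET_AUTH_JWKS_KEYS = /* @__PURE__ */ Symbol("WALLET_AUTH_JWKS_KEYS");
+
+// src/nestjs/walletAuthJwks.controller.ts
+var WalletAuthJwksController = class {
+logger = new import_common2.Logger(WalletAuthJwksController.name);
+jwks;
+constructor(keys) {
+this.jwks = { keys };
+const kids = keys.map((k) => k.kid).join(", ");
+this.logger.log(
+`JWKS endpoint ready \u2014 ${keys.length} key(s) published: ${kids || "(empty)"}`
+);
+}
+getJwks() {
+return this.jwks;
+}
+};
+__decorateClass([
+(0, import_common2.Get)("jwks.json"),
+(0, import_common2.HttpCode)(import_common2.HttpStatus.OK)
+], WalletAuthJwksController.prototype, "getJwks", 1);
+WalletAuthJwksController = __decorateClass([
+(0, import_common2.Controller)(".well-known"),
+__decorateParam(0, (0, import_common2.Inject)(WALLET_AUTH_JWKS_KEYS))
+], WalletAuthJwksController);
+
+// src/nestjs/walletAuthJwks.module.ts
+var WalletAuthJwksModule = class {
+static forRoot(options) {
+return {
+module: WalletAuthJwksModule,
+controllers: [WalletAuthJwksController],
+providers: [
+{
+provide: WALLET_AUTH_JWKS_KEYS,
+useValue: validateKeys(options.keys)
+}
+]
+};
+}
+static forRootAsync(options) {
+return {
+module: WalletAuthJwksModule,
+imports: options.imports ?? [],
+controllers: [WalletAuthJwksController],
+providers: [
+{
+provide: WALLET_AUTH_JWKS_KEYS,
+inject: options.inject ?? [],
+useFactory: async (...args) => {
+const opts = await options.useFactory(...args);
+return validateKeys(opts.keys);
+}
+}
+]
+};
+}
+};
+WalletAuthJwksModule = __decorateClass([
+(0, import_common3.Module)({})
+], WalletAuthJwksModule);
+function validateKeys(keys) {
+if (!Array.isArray(keys)) {
+throw new Error("WalletAuthJwksModule: `keys` must be an array");
+}
+for (const k of keys) {
+if (!k || typeof k !== "object") {
+throw new Error("WalletAuthJwksModule: each key must be an object");
+}
+if (!k.kty) {
+throw new Error("WalletAuthJwksModule: each key must have a `kty` field");
+}
+if (!k.kid) {
+throw new Error(
+"WalletAuthJwksModule: each key must have a `kid` field \u2014 PAFI gateway uses kid to look up the verification key"
+);
+}
+}
+return keys;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-PafiHttpExceptionFilter
+PafiHttpExceptionFilter,
+WALLET_AUTH_JWKS_KEYS,
+WalletAuthJwksController,
+WalletAuthJwksModule
 });
 //# sourceMappingURL=index.cjs.map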
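Review bot: `validateKeys` (new lines 344–362) accepts any object with a truthy `kty` and `kid`, and `WalletAuthJwksController.getJwks()` returns that array unchanged at `.well-known/jwks.json`, so a full key pair passed to `forRoot`/`forRootAsync` would be published with its private members. The check should fail startup for entries carrying `d`, `p`, `q`, `dp`, `dq`, `qi`, `oth` or `k` rather than serve them. Since the error text says the gateway looks keys up by `kid`, duplicate `kid` values are worth rejecting in the same pass. This file is bundler output, so the change belongs in `src/nestjs/walletAuthJwks.module.ts`; whether any guard sits in front of the controller is not visible here.

```javascript
// JWK members that only exist on private or symmetric keys (RFC 7518).
const PRIVATE_JWK_MEMBERS = ["d", "p", "q", "dp", "dq", "qi", "oth", "k"];

function validateKeys(keys) {
  // … unchanged: array check, per-key object / kty / kid checks …
  const seenKids = new Set();
  for (const k of keys) {
    const leaked = PRIVATE_JWK_MEMBERS.filter((member) => member in k);
    if (leaked.length > 0) {
      throw new Error(
        `WalletAuthJwksModule: key "${k.kid}" carries private members (${leaked.join(", ")}); publish the public JWK only`
      );
    }
    if (seenKids.has(k.kid)) {
      throw new Error(`WalletAuthJwksModule: duplicate kid "${k.kid}"`);
    }
    seenKids.add(k.kid);
  }
  return keys;
}
```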
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/nestjs/index.ts","../../src/nestjs/httpExceptionFilter.ts","../../src/errors.ts","../../src/api/errorMapper.ts","../../src/http/errorEnvelope.ts"],"sourcesContent":["export {\n PafiHttpExceptionFilter,\n type PafiHttpExceptionFilterOptions,\n} from \"./httpExceptionFilter\";\n","/**\n * NestJS global exception filter that emits the PAFI Stripe-style\n * envelope (see `@pafi-dev/issuer/http`).\n *\n * Wire it once in your bootstrap:\n *\n * ```ts\n * import { PafiHttpExceptionFilter } from \"@pafi-dev/issuer/nestjs\";\n *\n * app.useGlobalFilters(new PafiHttpExceptionFilter());\n * ```\n *\n * Catches every thrown value:\n * - `PafiSdkError` (and subclasses) → typed envelope from `httpStatus`/\n * `code`/`type`/`safeToRetry`/`param`/`metadata`.\n * - `HttpException` (NestJS) → respected status; SDK-shaped body is\n * passed through, plain bodies + ValidationPipe arrays normalized.\n * - any other `Error` → `server_error` 500 with sanitized message.\n *\n * `@nestjs/common` is an optional peer dependency — only required when\n * importing this sub-export.\n */\nimport {\n ArgumentsHost,\n Catch,\n ExceptionFilter,\n HttpException,\n HttpStatus,\n Logger,\n} from \"@nestjs/common\";\nimport { randomUUID } from \"node:crypto\";\n\nimport { PafiSdkError, SDK_ERROR_HTTP_STATUS_CODE } from \"../errors\";\nimport {\n buildErrorEnvelope,\n payloadFromGenericError,\n payloadFromHttpException,\n payloadFromPafiSdkError,\n type NormalizeContext,\n type PafiErrorEnvelope,\n type PafiErrorPayload,\n} from \"../http/errorEnvelope\";\n\ninterface MinimalHttpRequest {\n url?: string;\n headers?: Record<string, string | string[] | undefined>;\n}\ninterface MinimalHttpResponse {\n status(code: number): MinimalHttpResponse;\n json(body: unknown): unknown;\n}\n\n/** Customization knobs. None required — sensible defaults baked in. */\nexport interface PafiHttpExceptionFilterOptions {\n /**\n * Header to read for the request id, lowercase. 
Default `\"x-request-id\"`.\n * If absent, a UUIDv4 is generated per request.\n */\n requestIdHeader?: string;\n /**\n * Override `Date` for deterministic tests.\n */\n now?: () => Date;\n /**\n * Hook to record/audit normalized errors before sending. Useful for\n * Sentry / Datadog / Pino. Throws are swallowed so a logging bug\n * never masks the real error response.\n */\n onError?: (envelope: PafiErrorEnvelope, raw: unknown) => void;\n}\n\n@Catch()\nexport class PafiHttpExceptionFilter implements ExceptionFilter {\n private readonly logger = new Logger(\"PafiHttpExceptionFilter\");\n private readonly opts: Required<\n Pick<PafiHttpExceptionFilterOptions, \"requestIdHeader\">\n > &\n PafiHttpExceptionFilterOptions;\n\n constructor(options: PafiHttpExceptionFilterOptions = {}) {\n this.opts = {\n requestIdHeader: options.requestIdHeader ?? \"x-request-id\",\n ...options,\n };\n }\n\n catch(exception: unknown, host: ArgumentsHost): void {\n const ctx = host.switchToHttp();\n const response = ctx.getResponse<MinimalHttpResponse>();\n const request = ctx.getRequest<MinimalHttpRequest>();\n\n const headerValue = request?.headers?.[this.opts.requestIdHeader];\n const requestId =\n (Array.isArray(headerValue) ? headerValue[0] : headerValue) ??\n randomUUID();\n\n const normCtx: NormalizeContext = {\n path: request?.url ?? \"\",\n requestId,\n ...(this.opts.now ? { now: this.opts.now } : {}),\n };\n\n const { status, payload } = this.normalize(exception);\n const envelope = buildErrorEnvelope({ status, payload, ctx: normCtx });\n\n if (this.opts.onError) {\n try {\n this.opts.onError(envelope, exception);\n } catch (hookErr) {\n this.logger.warn(\n { err: hookErr instanceof Error ? hookErr.message : String(hookErr) },\n \"onError hook threw; continuing\",\n );\n }\n }\n\n if (status >= 500) {\n this.logger.error(\n {\n err:\n exception instanceof Error\n ? exception.message\n : String(exception),\n stack: exception instanceof Error ? 
exception.stack : undefined,\n name: exception instanceof Error ? exception.name : undefined,\n path: normCtx.path,\n requestId,\n },\n \"Unhandled error in PafiHttpExceptionFilter\",\n );\n }\n\n response.status(status).json(envelope);\n }\n\n private normalize(exception: unknown): {\n status: number;\n payload: PafiErrorPayload;\n } {\n if (exception instanceof PafiSdkError) {\n return {\n status: SDK_ERROR_HTTP_STATUS_CODE[exception.httpStatus],\n payload: payloadFromPafiSdkError(exception),\n };\n }\n\n if (exception instanceof HttpException) {\n return {\n status: exception.getStatus(),\n payload: payloadFromHttpException({\n statusCode: exception.getStatus(),\n responseBody: exception.getResponse(),\n exceptionName: exception.name,\n fallbackMessage: exception.message,\n }),\n };\n }\n\n if (exception instanceof Error) {\n // Duck-typing for HttpException instances that fail `instanceof`\n // when multiple `@nestjs/common` copies exist in the dep tree.\n const maybeStatus = (exception as { status?: unknown }).status;\n const maybeGetResponse = (\n exception as { getResponse?: () => unknown }\n ).getResponse;\n if (\n typeof maybeStatus === \"number\" &&\n typeof maybeGetResponse === \"function\"\n ) {\n return {\n status: maybeStatus,\n payload: payloadFromHttpException({\n statusCode: maybeStatus,\n responseBody: maybeGetResponse.call(exception),\n exceptionName: exception.name,\n fallbackMessage: exception.message,\n }),\n };\n }\n const maybeStatusOnly =\n typeof maybeStatus === \"number\"\n ? 
maybeStatus\n : HttpStatus.INTERNAL_SERVER_ERROR;\n return {\n status: maybeStatusOnly,\n payload: payloadFromGenericError(exception),\n };\n }\n\n return {\n status: HttpStatus.INTERNAL_SERVER_ERROR,\n payload: {\n type: \"server_error\",\n code: \"INTERNAL_SERVER_ERROR\",\n message: \"An unexpected error occurred\",\n safeToRetry: false,\n },\n };\n }\n}\n","/**\n * `PafiSdkError` + `SdkErrorHttpStatus` are exported from\n * `@pafi-dev/core/errors` so core-level errors (e.g. `OracleStaleError`)\n * can extend the same base. Issuer re-exports the canonical types here\n * for back-compat — `instanceof PafiSdkError` from EITHER package\n * catches errors thrown from EITHER package.\n */\nexport {\n PafiSdkError,\n SDK_ERROR_HTTP_STATUS_CODE,\n defaultErrorTypeForStatus,\n type SdkErrorHttpStatus,\n type PafiErrorType,\n} from \"@pafi-dev/core\";\nimport { PafiSdkError } from \"@pafi-dev/core\";\n\n/**\n * `ValidationError` lives in `@pafi-dev/core` so core/trading helpers\n * throw the same typed class. Re-exported here for back-compat.\n */\nexport { ValidationError } from \"@pafi-dev/core\";\n\n/**\n * Issuer wired the SDK without a dependency the requested endpoint\n * needs (e.g. `/gas-fee` called but `feeManager` not configured;\n * `/pools` called but `poolsProvider` not configured). 
503 because\n * the endpoint genuinely can't serve the request — caller's payload\n * is fine, the issuer's deployment is incomplete.\n */\nexport class ConfigurationError extends PafiSdkError {\n readonly httpStatus = \"service_unavailable\" as const;\n readonly code: string;\n readonly details?: Record<string, unknown>;\n\n constructor(\n code: string,\n message: string,\n details?: Record<string, unknown>,\n ) {\n super(message);\n this.code = code;\n this.details = details;\n }\n}\n","import {\n PafiSdkError,\n SDK_ERROR_HTTP_STATUS_CODE,\n defaultErrorTypeForStatus,\n type PafiErrorType,\n type SdkErrorHttpStatus,\n} from \"../errors\";\n\n/**\n * Normalized HTTP status the issuer controller should surface for a\n * given SDK error. Mirrors `SdkErrorHttpStatus` on `PafiSdkError`.\n */\nexport type SdkErrorStatus = SdkErrorHttpStatus;\n\n/**\n * Structured body the issuer controller passes to its\n * framework-specific exception class. Stripe-style envelope:\n *\n * ```json\n * {\n * \"type\": \"business_logic_error\",\n * \"code\": \"REDEMPTION_POLICY_DENIED\",\n * \"message\": \"...\",\n * \"param\": null,\n * \"metadata\": { \"policyDenialCode\": \"PER_TX_MIN\" },\n * \"safeToRetry\": false\n * }\n * ```\n *\n * Carries enough fields for the global HTTP filter to emit the final\n * envelope without losing any SDK-side context.\n */\nexport interface SdkErrorBody {\n /** Stripe-style taxonomy slot — drives UI branching. */\n type: PafiErrorType;\n /** Machine-readable code, e.g. `\"REDEMPTION_POLICY_DENIED\"`. */\n code: string;\n /** Human-readable message. */\n message: string;\n /** Field name that triggered the error, when applicable. */\n param?: string;\n /** UI-facing structured context. */\n metadata?: Record<string, unknown>;\n /** Raw debug context. */\n details?: unknown;\n /** True when retry is safe (no side effects yet). */\n safeToRetry: boolean;\n}\n\n/**\n * Per-status exception factories. 
The issuer's controller wires one\n * factory per status to its preferred framework's exception class\n * (NestJS `UnprocessableEntityException`, Fastify `httpErrors.badData`,\n * etc). The factory must return an Error — `createSdkErrorMapper`\n * uses `throw factory(body)`.\n */\nexport interface SdkErrorMapperFactories {\n notFound: (body: SdkErrorBody) => Error;\n forbidden: (body: SdkErrorBody) => Error;\n unprocessable: (body: SdkErrorBody) => Error;\n serviceUnavailable: (body: SdkErrorBody) => Error;\n}\n\n/**\n * Build the Stripe-style body from any `PafiSdkError`. Exposed for\n * frameworks that don't fit the four-factory shape (e.g. a Hono error\n * handler that builds its own response object).\n */\nexport function buildSdkErrorBody(err: PafiSdkError): SdkErrorBody {\n const type =\n err.type ??\n defaultErrorTypeForStatus(SDK_ERROR_HTTP_STATUS_CODE[err.httpStatus]);\n const body: SdkErrorBody = {\n type,\n code: err.code,\n message: err.message,\n safeToRetry: err.safeToRetry,\n };\n if (err.param) body.param = err.param;\n if (err.metadata) body.metadata = err.metadata;\n if (err.details !== undefined) body.details = err.details;\n return body;\n}\n\n/**\n * Build a single error-mapping function that converts any `PafiSdkError`\n * into the issuer's framework-specific HTTP exception. Status, code,\n * `safeToRetry`, and `details` come straight off the error class —\n * the mapper is a dumb funnel, no per-error business logic.\n *\n * Any non-`PafiSdkError` is re-thrown unchanged so unexpected runtime\n * errors propagate to the framework's default 500 handler.\n *\n * Usage (NestJS):\n *\n * ```ts\n * const mapSdkError = createSdkErrorMapper({\n * notFound: (body) => new NotFoundException(body),\n * forbidden: (body) => new ForbiddenException(body),\n * unprocessable: (body) => new UnprocessableEntityException(body),\n * serviceUnavailable: (body) => new ServiceUnavailableException(body),\n * });\n *\n * try { ... 
} catch (err) { mapSdkError(err); }\n * ```\n *\n * Returns `never` so call sites in `try/catch` propagate the throw\n * without a redundant `throw` keyword.\n */\nexport function createSdkErrorMapper(\n factories: SdkErrorMapperFactories,\n): (err: unknown) => never {\n return (err: unknown): never => {\n if (!(err instanceof PafiSdkError)) {\n throw err;\n }\n const body = buildSdkErrorBody(err);\n switch (err.httpStatus) {\n case \"not_found\":\n throw factories.notFound(body);\n case \"forbidden\":\n throw factories.forbidden(body);\n case \"unprocessable\":\n throw factories.unprocessable(body);\n case \"service_unavailable\":\n throw factories.serviceUnavailable(body);\n }\n };\n}\n","/**\n * Stripe-style HTTP error envelope shared by every PAFI service and\n * issuer backend. The framework-agnostic `normalizeErrorToEnvelope`\n * helper produces this from any thrown value; framework-specific\n * filters (`@pafi-dev/issuer/nestjs`) call into it and write the\n * result to their response object.\n *\n * Wire format:\n *\n * ```json\n * {\n * \"success\": false,\n * \"statusCode\": 422,\n * \"error\": {\n * \"type\": \"business_logic_error\",\n * \"code\": \"REDEMPTION_POLICY_DENIED\",\n * \"message\": \"redemption denied: amount 1 below per-tx minimum\",\n * \"param\": null,\n * \"metadata\": { \"policyDenialCode\": \"PER_TX_MIN\" },\n * \"safeToRetry\": false,\n * \"details\": null\n * },\n * \"meta\": {\n * \"timestamp\": \"2026-05-07T...\",\n * \"requestId\": \"...\",\n * \"path\": \"/pt/redeem\"\n * }\n * }\n * ```\n */\n\nimport {\n PafiSdkError,\n SDK_ERROR_HTTP_STATUS_CODE,\n defaultErrorTypeForStatus,\n type PafiErrorType,\n} from \"../errors\";\nimport { buildSdkErrorBody, type SdkErrorBody } from \"../api/errorMapper\";\n\n/** Inner `error` block of the envelope. 
*/\nexport interface PafiErrorPayload {\n type: PafiErrorType;\n code: string;\n message: string;\n param?: string;\n metadata?: Record<string, unknown>;\n details?: unknown;\n safeToRetry: boolean;\n}\n\n/** Outer envelope returned for any non-2xx response. */\nexport interface PafiErrorEnvelope {\n success: false;\n statusCode: number;\n error: PafiErrorPayload;\n meta: {\n timestamp: string;\n requestId: string;\n path: string;\n };\n}\n\n/** Per-call request context the filter must collect from the host framework. */\nexport interface NormalizeContext {\n /** `req.url` or equivalent. */\n path: string;\n /** Resolved request id (header or generated). */\n requestId: string;\n /** Optional `now()` injection for deterministic tests. */\n now?: () => Date;\n}\n\n/**\n * Generic error duck-type. The filter passes a small descriptor for\n * any framework exception so the normalizer doesn't depend on\n * `@nestjs/common` or any specific HTTP library.\n */\nexport interface GenericHttpExceptionDescriptor {\n /** HTTP status code carried by the exception. */\n statusCode: number;\n /**\n * The body the framework would have serialized. For NestJS this is\n * `exception.getResponse()`. May be a string or a record with\n * `code`/`error`/`message`/`details`/`safeToRetry`/`type`/etc.\n */\n responseBody: unknown;\n /** Exception class name, used as a last-resort `code` fallback. */\n exceptionName: string;\n /** Original `error.message`, used as a last-resort `message` fallback. */\n fallbackMessage: string;\n}\n\n/** True when `value` looks like a NestJS `BadRequestException` from `ValidationPipe`. */\nfunction isValidationPipeBody(\n body: Record<string, unknown>,\n): body is { message: string[]; error?: string; statusCode?: number } {\n return (\n Array.isArray(body[\"message\"]) &&\n typeof body[\"error\"] === \"string\" &&\n body[\"error\"] === \"Bad Request\"\n );\n}\n\n/** Pull `param` out of a `class-validator` message like `\"amount must be a number string\"`. 
*/\nfunction extractParamFromValidatorMessage(message: string): string | undefined {\n const idx = message.indexOf(\" \");\n if (idx <= 0) return undefined;\n const candidate = message.slice(0, idx);\n return /^[A-Za-z_][\\w.]*$/.test(candidate) ? candidate : undefined;\n}\n\nfunction normalizeValidationPipeBody(\n body: { message: string[]; statusCode?: number },\n): PafiErrorPayload {\n const fields: Record<string, string[]> = {};\n for (const msg of body.message) {\n const param = extractParamFromValidatorMessage(msg);\n const key = param ?? \"_\";\n (fields[key] ??= []).push(msg);\n }\n const fieldKeys = Object.keys(fields).filter((k) => k !== \"_\");\n const param = fieldKeys.length === 1 ? fieldKeys[0] : undefined;\n\n const payload: PafiErrorPayload = {\n type: \"validation_error\",\n code: \"VALIDATION_FAILED\",\n message: body.message.join(\"; \"),\n safeToRetry: false,\n metadata: { fieldErrors: fields },\n };\n if (param) payload.param = param;\n return payload;\n}\n\n/**\n * Pull a Stripe-style payload out of a structured exception body. The\n * filter has already determined this is an `HttpException` (or\n * duck-typed equivalent). Order:\n *\n * 1. SDK-shaped body (has `type` + `code`) — pass through verbatim.\n * 2. `ValidationPipe` body (`message: string[]`, `error: \"Bad Request\"`)\n * — collapse into `validation_error` with `metadata.fieldErrors`.\n * 3. Plain object with `code` or `error` — best-effort extract.\n * 4. 
String body — just a message.\n */\nfunction normalizeHttpExceptionBody(\n desc: GenericHttpExceptionDescriptor,\n): PafiErrorPayload {\n const { statusCode, responseBody, exceptionName, fallbackMessage } = desc;\n const defaultType = defaultErrorTypeForStatus(statusCode);\n\n if (typeof responseBody === \"string\") {\n return {\n type: defaultType,\n code: exceptionName,\n message: responseBody,\n safeToRetry: false,\n };\n }\n\n if (responseBody && typeof responseBody === \"object\") {\n const body = responseBody as Record<string, unknown>;\n\n if (isValidationPipeBody(body)) {\n return normalizeValidationPipeBody(body);\n }\n\n const code =\n (typeof body[\"code\"] === \"string\" && body[\"code\"]) ||\n (typeof body[\"error\"] === \"string\" && body[\"error\"]) ||\n exceptionName;\n const message =\n (typeof body[\"message\"] === \"string\" && body[\"message\"]) ||\n (Array.isArray(body[\"message\"])\n ? (body[\"message\"] as string[]).join(\"; \")\n : \"\") ||\n fallbackMessage;\n const type =\n (typeof body[\"type\"] === \"string\" && (body[\"type\"] as PafiErrorType)) ||\n defaultType;\n const safeToRetry =\n typeof body[\"safeToRetry\"] === \"boolean\" ? body[\"safeToRetry\"] : false;\n\n const payload: PafiErrorPayload = {\n type,\n code,\n message,\n safeToRetry,\n };\n if (typeof body[\"param\"] === \"string\") payload.param = body[\"param\"];\n if (body[\"metadata\"] && typeof body[\"metadata\"] === \"object\") {\n payload.metadata = body[\"metadata\"] as Record<string, unknown>;\n }\n if (body[\"details\"] !== undefined) payload.details = body[\"details\"];\n return payload;\n }\n\n return {\n type: defaultType,\n code: exceptionName || \"INTERNAL_SERVER_ERROR\",\n message: fallbackMessage || \"An unexpected error occurred\",\n safeToRetry: false,\n };\n}\n\n/**\n * Convert a `PafiSdkError` directly to the inner `error` payload —\n * skipping any framework exception wrapper. 
Used by frameworks that\n * surface SDK errors without going through `createSdkErrorMapper`.\n */\nexport function payloadFromPafiSdkError(err: PafiSdkError): PafiErrorPayload {\n const body: SdkErrorBody = buildSdkErrorBody(err);\n const payload: PafiErrorPayload = {\n type: body.type,\n code: body.code,\n message: body.message,\n safeToRetry: body.safeToRetry,\n };\n if (body.param) payload.param = body.param;\n if (body.metadata) payload.metadata = body.metadata;\n if (body.details !== undefined) payload.details = body.details;\n return payload;\n}\n\n/** Strip SQL fragments from raw DB driver errors before exposing them. */\nfunction sanitizeDbErrorMessage(message: string): string {\n if (/^[A-Z_]+: /.test(message) && message.length < 256) return message;\n return \"Internal database error\";\n}\n\n/**\n * Build the full envelope for any thrown value. The caller resolves\n * `HttpException`-shaped exceptions and passes a descriptor; plain\n * `Error` instances and unknown throws are handled directly.\n */\nexport function buildErrorEnvelope(input: {\n status: number;\n payload: PafiErrorPayload;\n ctx: NormalizeContext;\n}): PafiErrorEnvelope {\n const now = (input.ctx.now ?? (() => new Date()))();\n return {\n success: false,\n statusCode: input.status,\n error: input.payload,\n meta: {\n timestamp: now.toISOString(),\n requestId: input.ctx.requestId,\n path: input.ctx.path,\n },\n };\n}\n\n/**\n * Normalize a known `HttpException`-shaped exception into a payload.\n * Framework filters supply the descriptor; the rest is shape-agnostic.\n */\nexport function payloadFromHttpException(\n desc: GenericHttpExceptionDescriptor,\n): PafiErrorPayload {\n return normalizeHttpExceptionBody(desc);\n}\n\n/**\n * Normalize a generic `Error` (not an HttpException) — TypeORM\n * `QueryFailedError`, viem revert errors, etc. 
Returns a redacted\n * 500-class payload with no message bleed-through unless the error\n * is recognizably benign.\n */\nexport function payloadFromGenericError(err: Error): PafiErrorPayload {\n const name = err.name || \"INTERNAL_SERVER_ERROR\";\n const isDbError = name === \"QueryFailedError\" || name === \"EntityNotFoundError\";\n return {\n type: \"server_error\",\n code: name,\n message: isDbError\n ? sanitizeDbErrorMessage(err.message)\n : err.message || \"An unexpected error occurred\",\n safeToRetry: false,\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACsBA,oBAOO;AACP,yBAA2B;;;ACvB3B,kBAMO;AACP,IAAAA,eAA6B;AAM7B,IAAAA,eAAgC;;;ACgDzB,SAAS,kBAAkB,KAAiC;AACjE,QAAM,OACJ,IAAI,YACJ,uCAA0B,uCAA2B,IAAI,UAAU,CAAC;AACtE,QAAM,OAAqB;AAAA,IACzB;AAAA,IACA,MAAM,IAAI;AAAA,IACV,SAAS,IAAI;AAAA,IACb,aAAa,IAAI;AAAA,EACnB;AACA,MAAI,IAAI,MAAO,MAAK,QAAQ,IAAI;AAChC,MAAI,IAAI,SAAU,MAAK,WAAW,IAAI;AACtC,MAAI,IAAI,YAAY,OAAW,MAAK,UAAU,IAAI;AAClD,SAAO;AACT;;;ACWA,SAAS,qBACP,MACoE;AACpE,SACE,MAAM,QAAQ,KAAK,SAAS,CAAC,KAC7B,OAAO,KAAK,OAAO,MAAM,YACzB,KAAK,OAAO,MAAM;AAEtB;AAGA,SAAS,iCAAiC,SAAqC;AAC7E,QAAM,MAAM,QAAQ,QAAQ,GAAG;AAC/B,MAAI,OAAO,EAAG,QAAO;AACrB,QAAM,YAAY,QAAQ,MAAM,GAAG,GAAG;AACtC,SAAO,oBAAoB,KAAK,SAAS,IAAI,YAAY;AAC3D;AAEA,SAAS,4BACP,MACkB;AAClB,QAAM,SAAmC,CAAC;AAC1C,aAAW,OAAO,KAAK,SAAS;AAC9B,UAAMC,SAAQ,iCAAiC,GAAG;AAClD,UAAM,MAAMA,UAAS;AACrB,KAAC,OAAO,GAAG,MAAM,CAAC,GAAG,KAAK,GAAG;AAAA,EAC/B;AACA,QAAM,YAAY,OAAO,KAAK,MAAM,EAAE,OAAO,CAAC,MAAM,MAAM,GAAG;AAC7D,QAAM,QAAQ,UAAU,WAAW,IAAI,UAAU,CAAC,IAAI;AAEtD,QAAM,UAA4B;AAAA,IAChC,MAAM;AAAA,IACN,MAAM;AAAA,IACN,SAAS,KAAK,QAAQ,KAAK,IAAI;AAAA,IAC/B,aAAa;AAAA,IACb,UAAU,EAAE,aAAa,OAAO;AAAA,EAClC;AACA,MAAI,MAAO,SAAQ,QAAQ;AAC3B,SAAO;AACT;AAaA,SAAS,2BACP,MACkB;AAClB,QAAM,EAAE,YAAY,cAAc,eAAe,gBAAgB,IAAI;AACrE,QAAM,kBAAc,uCAA0B,UAAU;AAExD,MAAI,OAAO,iBAAiB,UAAU;AACpC,WAAO;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,IACf;AAAA,EACF;AAEA,MAAI,gBAAgB,OAAO,iBAAiB
,UAAU;AACpD,UAAM,OAAO;AAEb,QAAI,qBAAqB,IAAI,GAAG;AAC9B,aAAO,4BAA4B,IAAI;AAAA,IACzC;AAEA,UAAM,OACH,OAAO,KAAK,MAAM,MAAM,YAAY,KAAK,MAAM,KAC/C,OAAO,KAAK,OAAO,MAAM,YAAY,KAAK,OAAO,KAClD;AACF,UAAM,UACH,OAAO,KAAK,SAAS,MAAM,YAAY,KAAK,SAAS,MACrD,MAAM,QAAQ,KAAK,SAAS,CAAC,IACzB,KAAK,SAAS,EAAe,KAAK,IAAI,IACvC,OACJ;AACF,UAAM,OACH,OAAO,KAAK,MAAM,MAAM,YAAa,KAAK,MAAM,KACjD;AACF,UAAM,cACJ,OAAO,KAAK,aAAa,MAAM,YAAY,KAAK,aAAa,IAAI;AAEnE,UAAM,UAA4B;AAAA,MAChC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,QAAI,OAAO,KAAK,OAAO,MAAM,SAAU,SAAQ,QAAQ,KAAK,OAAO;AACnE,QAAI,KAAK,UAAU,KAAK,OAAO,KAAK,UAAU,MAAM,UAAU;AAC5D,cAAQ,WAAW,KAAK,UAAU;AAAA,IACpC;AACA,QAAI,KAAK,SAAS,MAAM,OAAW,SAAQ,UAAU,KAAK,SAAS;AACnE,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM,iBAAiB;AAAA,IACvB,SAAS,mBAAmB;AAAA,IAC5B,aAAa;AAAA,EACf;AACF;AAOO,SAAS,wBAAwB,KAAqC;AAC3E,QAAM,OAAqB,kBAAkB,GAAG;AAChD,QAAM,UAA4B;AAAA,IAChC,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,IACX,SAAS,KAAK;AAAA,IACd,aAAa,KAAK;AAAA,EACpB;AACA,MAAI,KAAK,MAAO,SAAQ,QAAQ,KAAK;AACrC,MAAI,KAAK,SAAU,SAAQ,WAAW,KAAK;AAC3C,MAAI,KAAK,YAAY,OAAW,SAAQ,UAAU,KAAK;AACvD,SAAO;AACT;AAGA,SAAS,uBAAuB,SAAyB;AACvD,MAAI,aAAa,KAAK,OAAO,KAAK,QAAQ,SAAS,IAAK,QAAO;AAC/D,SAAO;AACT;AAOO,SAAS,mBAAmB,OAIb;AACpB,QAAM,OAAO,MAAM,IAAI,QAAQ,MAAM,oBAAI,KAAK,IAAI;AAClD,SAAO;AAAA,IACL,SAAS;AAAA,IACT,YAAY,MAAM;AAAA,IAClB,OAAO,MAAM;AAAA,IACb,MAAM;AAAA,MACJ,WAAW,IAAI,YAAY;AAAA,MAC3B,WAAW,MAAM,IAAI;AAAA,MACrB,MAAM,MAAM,IAAI;AAAA,IAClB;AAAA,EACF;AACF;AAMO,SAAS,yBACd,MACkB;AAClB,SAAO,2BAA2B,IAAI;AACxC;AAQO,SAAS,wBAAwB,KAA8B;AACpE,QAAM,OAAO,IAAI,QAAQ;AACzB,QAAM,YAAY,SAAS,sBAAsB,SAAS;AAC1D,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM;AAAA,IACN,SAAS,YACL,uBAAuB,IAAI,OAAO,IAClC,IAAI,WAAW;AAAA,IACnB,aAAa;AAAA,EACf;AACF;;;AHxRA;AAuEA,2CAAC,qBAAM;AACA,IAAM,0BAAN,MAAyD;AAAA,EAC7C,SAAS,IAAI,qBAAO,yBAAyB;AAAA,EAC7C;AAAA,EAKjB,YAAY,UAA0C,CAAC,GAAG;AACxD,SAAK,OAAO;AAAA,MACV,iBAAiB,QAAQ,mBAAmB;AAAA,MAC5C,GAAG;AAAA,IACL;AAAA,EACF;AAAA,EAEA,MAAM,WAAoB,MAA2B;AACnD,UAAM,MAAM,KAAK,aAAa;AAC9B,UAAM,WAAW,IAAI,YAAiC;AACtD,UAAM,UAAU,IAAI,
WAA+B;AAEnD,UAAM,cAAc,SAAS,UAAU,KAAK,KAAK,eAAe;AAChE,UAAM,aACH,MAAM,QAAQ,WAAW,IAAI,YAAY,CAAC,IAAI,oBAC/C,+BAAW;AAEb,UAAM,UAA4B;AAAA,MAChC,MAAM,SAAS,OAAO;AAAA,MACtB;AAAA,MACA,GAAI,KAAK,KAAK,MAAM,EAAE,KAAK,KAAK,KAAK,IAAI,IAAI,CAAC;AAAA,IAChD;AAEA,UAAM,EAAE,QAAQ,QAAQ,IAAI,KAAK,UAAU,SAAS;AACpD,UAAM,WAAW,mBAAmB,EAAE,QAAQ,SAAS,KAAK,QAAQ,CAAC;AAErE,QAAI,KAAK,KAAK,SAAS;AACrB,UAAI;AACF,aAAK,KAAK,QAAQ,UAAU,SAAS;AAAA,MACvC,SAAS,SAAS;AAChB,aAAK,OAAO;AAAA,UACV,EAAE,KAAK,mBAAmB,QAAQ,QAAQ,UAAU,OAAO,OAAO,EAAE;AAAA,UACpE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,QAAI,UAAU,KAAK;AACjB,WAAK,OAAO;AAAA,QACV;AAAA,UACE,KACE,qBAAqB,QACjB,UAAU,UACV,OAAO,SAAS;AAAA,UACtB,OAAO,qBAAqB,QAAQ,UAAU,QAAQ;AAAA,UACtD,MAAM,qBAAqB,QAAQ,UAAU,OAAO;AAAA,UACpD,MAAM,QAAQ;AAAA,UACd;AAAA,QACF;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,aAAS,OAAO,MAAM,EAAE,KAAK,QAAQ;AAAA,EACvC;AAAA,EAEQ,UAAU,WAGhB;AACA,QAAI,qBAAqB,0BAAc;AACrC,aAAO;AAAA,QACL,QAAQ,uCAA2B,UAAU,UAAU;AAAA,QACvD,SAAS,wBAAwB,SAAS;AAAA,MAC5C;AAAA,IACF;AAEA,QAAI,qBAAqB,6BAAe;AACtC,aAAO;AAAA,QACL,QAAQ,UAAU,UAAU;AAAA,QAC5B,SAAS,yBAAyB;AAAA,UAChC,YAAY,UAAU,UAAU;AAAA,UAChC,cAAc,UAAU,YAAY;AAAA,UACpC,eAAe,UAAU;AAAA,UACzB,iBAAiB,UAAU;AAAA,QAC7B,CAAC;AAAA,MACH;AAAA,IACF;AAEA,QAAI,qBAAqB,OAAO;AAG9B,YAAM,cAAe,UAAmC;AACxD,YAAM,mBACJ,UACA;AACF,UACE,OAAO,gBAAgB,YACvB,OAAO,qBAAqB,YAC5B;AACA,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,SAAS,yBAAyB;AAAA,YAChC,YAAY;AAAA,YACZ,cAAc,iBAAiB,KAAK,SAAS;AAAA,YAC7C,eAAe,UAAU;AAAA,YACzB,iBAAiB,UAAU;AAAA,UAC7B,CAAC;AAAA,QACH;AAAA,MACF;AACA,YAAM,kBACJ,OAAO,gBAAgB,WACnB,cACA,yBAAW;AACjB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,wBAAwB,SAAS;AAAA,MAC5C;AAAA,IACF;AAEA,WAAO;AAAA,MACL,QAAQ,yBAAW;AAAA,MACnB,SAAS;AAAA,QACP,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,QACT,aAAa;AAAA,MACf;AAAA,IACF;AAAA,EACF;AACF;AA/HO;AAAM,0BAAN,uDADP,qCACa;AAAN,4BAAM;","names":["import_core","param"]}
|
|
1
|
+
{"version":3,"sources":["../../src/nestjs/index.ts","../../src/nestjs/httpExceptionFilter.ts","../../src/errors.ts","../../src/api/errorMapper.ts","../../src/http/errorEnvelope.ts","../../src/nestjs/walletAuthJwks.module.ts","../../src/nestjs/walletAuthJwks.controller.ts","../../src/nestjs/walletAuthJwks.tokens.ts"],"sourcesContent":["export {\n PafiHttpExceptionFilter,\n type PafiHttpExceptionFilterOptions,\n} from \"./httpExceptionFilter\";\n\nexport {\n WalletAuthJwksModule,\n type WalletAuthJwksOptions,\n type WalletAuthJwksAsyncOptions,\n} from \"./walletAuthJwks.module\";\nexport { WalletAuthJwksController } from \"./walletAuthJwks.controller\";\nexport { WALLET_AUTH_JWKS_KEYS } from \"./walletAuthJwks.tokens\";\n","/**\n * NestJS global exception filter that emits the PAFI Stripe-style\n * envelope (see `@pafi-dev/issuer/http`).\n *\n * Wire it once in your bootstrap:\n *\n * ```ts\n * import { PafiHttpExceptionFilter } from \"@pafi-dev/issuer/nestjs\";\n *\n * app.useGlobalFilters(new PafiHttpExceptionFilter());\n * ```\n *\n * Catches every thrown value:\n * - `PafiSdkError` (and subclasses) → typed envelope from `httpStatus`/\n * `code`/`type`/`safeToRetry`/`param`/`metadata`.\n * - `HttpException` (NestJS) → respected status; SDK-shaped body is\n * passed through, plain bodies + ValidationPipe arrays normalized.\n * - any other `Error` → `server_error` 500 with sanitized message.\n *\n * `@nestjs/common` is an optional peer dependency — only required when\n * importing this sub-export.\n */\nimport {\n ArgumentsHost,\n Catch,\n ExceptionFilter,\n HttpException,\n HttpStatus,\n Logger,\n} from \"@nestjs/common\";\nimport { randomUUID } from \"node:crypto\";\n\nimport { PafiSdkError, SDK_ERROR_HTTP_STATUS_CODE } from \"../errors\";\nimport {\n buildErrorEnvelope,\n payloadFromGenericError,\n payloadFromHttpException,\n payloadFromPafiSdkError,\n type NormalizeContext,\n type PafiErrorEnvelope,\n type PafiErrorPayload,\n} from 
\"../http/errorEnvelope\";\n\ninterface MinimalHttpRequest {\n url?: string;\n headers?: Record<string, string | string[] | undefined>;\n}\ninterface MinimalHttpResponse {\n status(code: number): MinimalHttpResponse;\n json(body: unknown): unknown;\n}\n\n/** Customization knobs. None required — sensible defaults baked in. */\nexport interface PafiHttpExceptionFilterOptions {\n /**\n * Header to read for the request id, lowercase. Default `\"x-request-id\"`.\n * If absent, a UUIDv4 is generated per request.\n */\n requestIdHeader?: string;\n /**\n * Override `Date` for deterministic tests.\n */\n now?: () => Date;\n /**\n * Hook to record/audit normalized errors before sending. Useful for\n * Sentry / Datadog / Pino. Throws are swallowed so a logging bug\n * never masks the real error response.\n */\n onError?: (envelope: PafiErrorEnvelope, raw: unknown) => void;\n}\n\n@Catch()\nexport class PafiHttpExceptionFilter implements ExceptionFilter {\n private readonly logger = new Logger(\"PafiHttpExceptionFilter\");\n private readonly opts: Required<\n Pick<PafiHttpExceptionFilterOptions, \"requestIdHeader\">\n > &\n PafiHttpExceptionFilterOptions;\n\n constructor(options: PafiHttpExceptionFilterOptions = {}) {\n this.opts = {\n requestIdHeader: options.requestIdHeader ?? \"x-request-id\",\n ...options,\n };\n }\n\n catch(exception: unknown, host: ArgumentsHost): void {\n const ctx = host.switchToHttp();\n const response = ctx.getResponse<MinimalHttpResponse>();\n const request = ctx.getRequest<MinimalHttpRequest>();\n\n const headerValue = request?.headers?.[this.opts.requestIdHeader];\n const requestId =\n (Array.isArray(headerValue) ? headerValue[0] : headerValue) ??\n randomUUID();\n\n const normCtx: NormalizeContext = {\n path: request?.url ?? \"\",\n requestId,\n ...(this.opts.now ? 
{ now: this.opts.now } : {}),\n };\n\n const { status, payload } = this.normalize(exception);\n const envelope = buildErrorEnvelope({ status, payload, ctx: normCtx });\n\n if (this.opts.onError) {\n try {\n this.opts.onError(envelope, exception);\n } catch (hookErr) {\n this.logger.warn(\n { err: hookErr instanceof Error ? hookErr.message : String(hookErr) },\n \"onError hook threw; continuing\",\n );\n }\n }\n\n if (status >= 500) {\n this.logger.error(\n {\n err:\n exception instanceof Error\n ? exception.message\n : String(exception),\n stack: exception instanceof Error ? exception.stack : undefined,\n name: exception instanceof Error ? exception.name : undefined,\n path: normCtx.path,\n requestId,\n },\n \"Unhandled error in PafiHttpExceptionFilter\",\n );\n }\n\n response.status(status).json(envelope);\n }\n\n private normalize(exception: unknown): {\n status: number;\n payload: PafiErrorPayload;\n } {\n if (exception instanceof PafiSdkError) {\n return {\n status: SDK_ERROR_HTTP_STATUS_CODE[exception.httpStatus],\n payload: payloadFromPafiSdkError(exception),\n };\n }\n\n if (exception instanceof HttpException) {\n return {\n status: exception.getStatus(),\n payload: payloadFromHttpException({\n statusCode: exception.getStatus(),\n responseBody: exception.getResponse(),\n exceptionName: exception.name,\n fallbackMessage: exception.message,\n }),\n };\n }\n\n if (exception instanceof Error) {\n // Duck-typing for HttpException instances that fail `instanceof`\n // when multiple `@nestjs/common` copies exist in the dep tree.\n const maybeStatus = (exception as { status?: unknown }).status;\n const maybeGetResponse = (\n exception as { getResponse?: () => unknown }\n ).getResponse;\n if (\n typeof maybeStatus === \"number\" &&\n typeof maybeGetResponse === \"function\"\n ) {\n return {\n status: maybeStatus,\n payload: payloadFromHttpException({\n statusCode: maybeStatus,\n responseBody: maybeGetResponse.call(exception),\n exceptionName: exception.name,\n 
fallbackMessage: exception.message,\n }),\n };\n }\n const maybeStatusOnly =\n typeof maybeStatus === \"number\"\n ? maybeStatus\n : HttpStatus.INTERNAL_SERVER_ERROR;\n return {\n status: maybeStatusOnly,\n payload: payloadFromGenericError(exception),\n };\n }\n\n return {\n status: HttpStatus.INTERNAL_SERVER_ERROR,\n payload: {\n type: \"server_error\",\n code: \"INTERNAL_SERVER_ERROR\",\n message: \"An unexpected error occurred\",\n safeToRetry: false,\n },\n };\n }\n}\n","/**\n * `PafiSdkError` + `SdkErrorHttpStatus` are exported from\n * `@pafi-dev/core/errors` so core-level errors (e.g. `OracleStaleError`)\n * can extend the same base. Issuer re-exports the canonical types here\n * for back-compat — `instanceof PafiSdkError` from EITHER package\n * catches errors thrown from EITHER package.\n */\nexport {\n PafiSdkError,\n SDK_ERROR_HTTP_STATUS_CODE,\n defaultErrorTypeForStatus,\n type SdkErrorHttpStatus,\n type PafiErrorType,\n} from \"@pafi-dev/core\";\nimport { PafiSdkError } from \"@pafi-dev/core\";\n\n/**\n * `ValidationError` lives in `@pafi-dev/core` so core/trading helpers\n * throw the same typed class. Re-exported here for back-compat.\n */\nexport { ValidationError } from \"@pafi-dev/core\";\n\n/**\n * Issuer wired the SDK without a dependency the requested endpoint\n * needs (e.g. `/gas-fee` called but `feeManager` not configured;\n * `/pools` called but `poolsProvider` not configured). 
503 because\n * the endpoint genuinely can't serve the request — caller's payload\n * is fine, the issuer's deployment is incomplete.\n */\nexport class ConfigurationError extends PafiSdkError {\n readonly httpStatus = \"service_unavailable\" as const;\n readonly code: string;\n readonly details?: Record<string, unknown>;\n\n constructor(\n code: string,\n message: string,\n details?: Record<string, unknown>,\n ) {\n super(message);\n this.code = code;\n this.details = details;\n }\n}\n","import {\n PafiSdkError,\n SDK_ERROR_HTTP_STATUS_CODE,\n defaultErrorTypeForStatus,\n type PafiErrorType,\n type SdkErrorHttpStatus,\n} from \"../errors\";\n\n/**\n * Normalized HTTP status the issuer controller should surface for a\n * given SDK error. Mirrors `SdkErrorHttpStatus` on `PafiSdkError`.\n */\nexport type SdkErrorStatus = SdkErrorHttpStatus;\n\n/**\n * Structured body the issuer controller passes to its\n * framework-specific exception class. Stripe-style envelope:\n *\n * ```json\n * {\n * \"type\": \"business_logic_error\",\n * \"code\": \"REDEMPTION_POLICY_DENIED\",\n * \"message\": \"...\",\n * \"param\": null,\n * \"metadata\": { \"policyDenialCode\": \"PER_TX_MIN\" },\n * \"safeToRetry\": false\n * }\n * ```\n *\n * Carries enough fields for the global HTTP filter to emit the final\n * envelope without losing any SDK-side context.\n */\nexport interface SdkErrorBody {\n /** Stripe-style taxonomy slot — drives UI branching. */\n type: PafiErrorType;\n /** Machine-readable code, e.g. `\"REDEMPTION_POLICY_DENIED\"`. */\n code: string;\n /** Human-readable message. */\n message: string;\n /** Field name that triggered the error, when applicable. */\n param?: string;\n /** UI-facing structured context. */\n metadata?: Record<string, unknown>;\n /** Raw debug context. */\n details?: unknown;\n /** True when retry is safe (no side effects yet). */\n safeToRetry: boolean;\n}\n\n/**\n * Per-status exception factories. 
The issuer's controller wires one\n * factory per status to its preferred framework's exception class\n * (NestJS `UnprocessableEntityException`, Fastify `httpErrors.badData`,\n * etc). The factory must return an Error — `createSdkErrorMapper`\n * uses `throw factory(body)`.\n */\nexport interface SdkErrorMapperFactories {\n notFound: (body: SdkErrorBody) => Error;\n forbidden: (body: SdkErrorBody) => Error;\n unprocessable: (body: SdkErrorBody) => Error;\n serviceUnavailable: (body: SdkErrorBody) => Error;\n}\n\n/**\n * Build the Stripe-style body from any `PafiSdkError`. Exposed for\n * frameworks that don't fit the four-factory shape (e.g. a Hono error\n * handler that builds its own response object).\n */\nexport function buildSdkErrorBody(err: PafiSdkError): SdkErrorBody {\n const type =\n err.type ??\n defaultErrorTypeForStatus(SDK_ERROR_HTTP_STATUS_CODE[err.httpStatus]);\n const body: SdkErrorBody = {\n type,\n code: err.code,\n message: err.message,\n safeToRetry: err.safeToRetry,\n };\n if (err.param) body.param = err.param;\n if (err.metadata) body.metadata = err.metadata;\n if (err.details !== undefined) body.details = err.details;\n return body;\n}\n\n/**\n * Build a single error-mapping function that converts any `PafiSdkError`\n * into the issuer's framework-specific HTTP exception. Status, code,\n * `safeToRetry`, and `details` come straight off the error class —\n * the mapper is a dumb funnel, no per-error business logic.\n *\n * Any non-`PafiSdkError` is re-thrown unchanged so unexpected runtime\n * errors propagate to the framework's default 500 handler.\n *\n * Usage (NestJS):\n *\n * ```ts\n * const mapSdkError = createSdkErrorMapper({\n * notFound: (body) => new NotFoundException(body),\n * forbidden: (body) => new ForbiddenException(body),\n * unprocessable: (body) => new UnprocessableEntityException(body),\n * serviceUnavailable: (body) => new ServiceUnavailableException(body),\n * });\n *\n * try { ... 
} catch (err) { mapSdkError(err); }\n * ```\n *\n * Returns `never` so call sites in `try/catch` propagate the throw\n * without a redundant `throw` keyword.\n */\nexport function createSdkErrorMapper(\n factories: SdkErrorMapperFactories,\n): (err: unknown) => never {\n return (err: unknown): never => {\n if (!(err instanceof PafiSdkError)) {\n throw err;\n }\n const body = buildSdkErrorBody(err);\n switch (err.httpStatus) {\n case \"not_found\":\n throw factories.notFound(body);\n case \"forbidden\":\n throw factories.forbidden(body);\n case \"unprocessable\":\n throw factories.unprocessable(body);\n case \"service_unavailable\":\n throw factories.serviceUnavailable(body);\n }\n };\n}\n","/**\n * Stripe-style HTTP error envelope shared by every PAFI service and\n * issuer backend. The framework-agnostic `normalizeErrorToEnvelope`\n * helper produces this from any thrown value; framework-specific\n * filters (`@pafi-dev/issuer/nestjs`) call into it and write the\n * result to their response object.\n *\n * Wire format:\n *\n * ```json\n * {\n * \"success\": false,\n * \"statusCode\": 422,\n * \"error\": {\n * \"type\": \"business_logic_error\",\n * \"code\": \"REDEMPTION_POLICY_DENIED\",\n * \"message\": \"redemption denied: amount 1 below per-tx minimum\",\n * \"param\": null,\n * \"metadata\": { \"policyDenialCode\": \"PER_TX_MIN\" },\n * \"safeToRetry\": false,\n * \"details\": null\n * },\n * \"meta\": {\n * \"timestamp\": \"2026-05-07T...\",\n * \"requestId\": \"...\",\n * \"path\": \"/pt/redeem\"\n * }\n * }\n * ```\n */\n\nimport {\n PafiSdkError,\n SDK_ERROR_HTTP_STATUS_CODE,\n defaultErrorTypeForStatus,\n type PafiErrorType,\n} from \"../errors\";\nimport { buildSdkErrorBody, type SdkErrorBody } from \"../api/errorMapper\";\n\n/** Inner `error` block of the envelope. 
*/\nexport interface PafiErrorPayload {\n type: PafiErrorType;\n code: string;\n message: string;\n param?: string;\n metadata?: Record<string, unknown>;\n details?: unknown;\n safeToRetry: boolean;\n}\n\n/** Outer envelope returned for any non-2xx response. */\nexport interface PafiErrorEnvelope {\n success: false;\n statusCode: number;\n error: PafiErrorPayload;\n meta: {\n timestamp: string;\n requestId: string;\n path: string;\n };\n}\n\n/** Per-call request context the filter must collect from the host framework. */\nexport interface NormalizeContext {\n /** `req.url` or equivalent. */\n path: string;\n /** Resolved request id (header or generated). */\n requestId: string;\n /** Optional `now()` injection for deterministic tests. */\n now?: () => Date;\n}\n\n/**\n * Generic error duck-type. The filter passes a small descriptor for\n * any framework exception so the normalizer doesn't depend on\n * `@nestjs/common` or any specific HTTP library.\n */\nexport interface GenericHttpExceptionDescriptor {\n /** HTTP status code carried by the exception. */\n statusCode: number;\n /**\n * The body the framework would have serialized. For NestJS this is\n * `exception.getResponse()`. May be a string or a record with\n * `code`/`error`/`message`/`details`/`safeToRetry`/`type`/etc.\n */\n responseBody: unknown;\n /** Exception class name, used as a last-resort `code` fallback. */\n exceptionName: string;\n /** Original `error.message`, used as a last-resort `message` fallback. */\n fallbackMessage: string;\n}\n\n/** True when `value` looks like a NestJS `BadRequestException` from `ValidationPipe`. */\nfunction isValidationPipeBody(\n body: Record<string, unknown>,\n): body is { message: string[]; error?: string; statusCode?: number } {\n return (\n Array.isArray(body[\"message\"]) &&\n typeof body[\"error\"] === \"string\" &&\n body[\"error\"] === \"Bad Request\"\n );\n}\n\n/** Pull `param` out of a `class-validator` message like `\"amount must be a number string\"`. 
*/\nfunction extractParamFromValidatorMessage(message: string): string | undefined {\n const idx = message.indexOf(\" \");\n if (idx <= 0) return undefined;\n const candidate = message.slice(0, idx);\n return /^[A-Za-z_][\\w.]*$/.test(candidate) ? candidate : undefined;\n}\n\nfunction normalizeValidationPipeBody(\n body: { message: string[]; statusCode?: number },\n): PafiErrorPayload {\n const fields: Record<string, string[]> = {};\n for (const msg of body.message) {\n const param = extractParamFromValidatorMessage(msg);\n const key = param ?? \"_\";\n (fields[key] ??= []).push(msg);\n }\n const fieldKeys = Object.keys(fields).filter((k) => k !== \"_\");\n const param = fieldKeys.length === 1 ? fieldKeys[0] : undefined;\n\n const payload: PafiErrorPayload = {\n type: \"validation_error\",\n code: \"VALIDATION_FAILED\",\n message: body.message.join(\"; \"),\n safeToRetry: false,\n metadata: { fieldErrors: fields },\n };\n if (param) payload.param = param;\n return payload;\n}\n\n/**\n * Pull a Stripe-style payload out of a structured exception body. The\n * filter has already determined this is an `HttpException` (or\n * duck-typed equivalent). Order:\n *\n * 1. SDK-shaped body (has `type` + `code`) — pass through verbatim.\n * 2. `ValidationPipe` body (`message: string[]`, `error: \"Bad Request\"`)\n * — collapse into `validation_error` with `metadata.fieldErrors`.\n * 3. Plain object with `code` or `error` — best-effort extract.\n * 4. 
String body — just a message.\n */\nfunction normalizeHttpExceptionBody(\n desc: GenericHttpExceptionDescriptor,\n): PafiErrorPayload {\n const { statusCode, responseBody, exceptionName, fallbackMessage } = desc;\n const defaultType = defaultErrorTypeForStatus(statusCode);\n\n if (typeof responseBody === \"string\") {\n return {\n type: defaultType,\n code: exceptionName,\n message: responseBody,\n safeToRetry: false,\n };\n }\n\n if (responseBody && typeof responseBody === \"object\") {\n const body = responseBody as Record<string, unknown>;\n\n if (isValidationPipeBody(body)) {\n return normalizeValidationPipeBody(body);\n }\n\n const code =\n (typeof body[\"code\"] === \"string\" && body[\"code\"]) ||\n (typeof body[\"error\"] === \"string\" && body[\"error\"]) ||\n exceptionName;\n const message =\n (typeof body[\"message\"] === \"string\" && body[\"message\"]) ||\n (Array.isArray(body[\"message\"])\n ? (body[\"message\"] as string[]).join(\"; \")\n : \"\") ||\n fallbackMessage;\n const type =\n (typeof body[\"type\"] === \"string\" && (body[\"type\"] as PafiErrorType)) ||\n defaultType;\n const safeToRetry =\n typeof body[\"safeToRetry\"] === \"boolean\" ? body[\"safeToRetry\"] : false;\n\n const payload: PafiErrorPayload = {\n type,\n code,\n message,\n safeToRetry,\n };\n if (typeof body[\"param\"] === \"string\") payload.param = body[\"param\"];\n if (body[\"metadata\"] && typeof body[\"metadata\"] === \"object\") {\n payload.metadata = body[\"metadata\"] as Record<string, unknown>;\n }\n if (body[\"details\"] !== undefined) payload.details = body[\"details\"];\n return payload;\n }\n\n return {\n type: defaultType,\n code: exceptionName || \"INTERNAL_SERVER_ERROR\",\n message: fallbackMessage || \"An unexpected error occurred\",\n safeToRetry: false,\n };\n}\n\n/**\n * Convert a `PafiSdkError` directly to the inner `error` payload —\n * skipping any framework exception wrapper. 
Used by frameworks that\n * surface SDK errors without going through `createSdkErrorMapper`.\n */\nexport function payloadFromPafiSdkError(err: PafiSdkError): PafiErrorPayload {\n const body: SdkErrorBody = buildSdkErrorBody(err);\n const payload: PafiErrorPayload = {\n type: body.type,\n code: body.code,\n message: body.message,\n safeToRetry: body.safeToRetry,\n };\n if (body.param) payload.param = body.param;\n if (body.metadata) payload.metadata = body.metadata;\n if (body.details !== undefined) payload.details = body.details;\n return payload;\n}\n\n/** Strip SQL fragments from raw DB driver errors before exposing them. */\nfunction sanitizeDbErrorMessage(message: string): string {\n if (/^[A-Z_]+: /.test(message) && message.length < 256) return message;\n return \"Internal database error\";\n}\n\n/**\n * Build the full envelope for any thrown value. The caller resolves\n * `HttpException`-shaped exceptions and passes a descriptor; plain\n * `Error` instances and unknown throws are handled directly.\n */\nexport function buildErrorEnvelope(input: {\n status: number;\n payload: PafiErrorPayload;\n ctx: NormalizeContext;\n}): PafiErrorEnvelope {\n const now = (input.ctx.now ?? (() => new Date()))();\n return {\n success: false,\n statusCode: input.status,\n error: input.payload,\n meta: {\n timestamp: now.toISOString(),\n requestId: input.ctx.requestId,\n path: input.ctx.path,\n },\n };\n}\n\n/**\n * Normalize a known `HttpException`-shaped exception into a payload.\n * Framework filters supply the descriptor; the rest is shape-agnostic.\n */\nexport function payloadFromHttpException(\n desc: GenericHttpExceptionDescriptor,\n): PafiErrorPayload {\n return normalizeHttpExceptionBody(desc);\n}\n\n/**\n * Normalize a generic `Error` (not an HttpException) — TypeORM\n * `QueryFailedError`, viem revert errors, etc. 
Returns a redacted\n * 500-class payload with no message bleed-through unless the error\n * is recognizably benign.\n */\nexport function payloadFromGenericError(err: Error): PafiErrorPayload {\n const name = err.name || \"INTERNAL_SERVER_ERROR\";\n const isDbError = name === \"QueryFailedError\" || name === \"EntityNotFoundError\";\n return {\n type: \"server_error\",\n code: name,\n message: isDbError\n ? sanitizeDbErrorMessage(err.message)\n : err.message || \"An unexpected error occurred\",\n safeToRetry: false,\n };\n}\n","import {\n Module,\n type DynamicModule,\n type FactoryProvider,\n} from \"@nestjs/common\";\nimport type { IssuerPublicJwk } from \"../wallet-auth/types\";\nimport { WalletAuthJwksController } from \"./walletAuthJwks.controller\";\nimport { WALLET_AUTH_JWKS_KEYS } from \"./walletAuthJwks.tokens\";\n\nexport interface WalletAuthJwksOptions {\n /**\n * One or more public JWKs to publish. During key rotation, include\n * BOTH the active and previous keys so JWTs signed with the older\n * kid can still be verified by the PAFI gateway until the rotation\n * window closes.\n */\n keys: IssuerPublicJwk[];\n}\n\nexport interface WalletAuthJwksAsyncOptions {\n /** Modules to import for the factory's DI. */\n imports?: NonNullable<DynamicModule[\"imports\"]>;\n /** Providers to inject into useFactory — same shape as FactoryProvider.inject. */\n inject?: FactoryProvider[\"inject\"];\n /** Builds options at runtime — read env, decrypt secrets, etc. 
*/\n useFactory: (...args: any[]) => Promise<WalletAuthJwksOptions> | WalletAuthJwksOptions;\n}\n\n/**\n * Drop-in NestJS module that publishes the issuer's public signing\n * key set at GET /.well-known/jwks.json.\n *\n * Every issuer backend integrating with the PAFI Wallet Auth Gateway\n * needs this endpoint so the gateway can fetch their public key and\n * verify issuer JWT signatures.\n *\n * @example Sync registration\n * import { WalletAuthJwksModule } from '@pafi-dev/issuer/nestjs';\n *\n * @Module({\n * imports: [\n * WalletAuthJwksModule.forRoot({\n * keys: [JSON.parse(process.env.ISSUER_PUBLIC_JWK_JSON!)],\n * }),\n * ],\n * })\n * export class AppModule {}\n *\n * @example Async registration (read from ConfigService)\n * import { ConfigModule, ConfigService } from '@nestjs/config';\n * import { WalletAuthJwksModule } from '@pafi-dev/issuer/nestjs';\n *\n * @Module({\n * imports: [\n * WalletAuthJwksModule.forRootAsync({\n * imports: [ConfigModule],\n * inject: [ConfigService],\n * useFactory: (config: ConfigService) => ({\n * keys: [JSON.parse(config.getOrThrow('ISSUER_PUBLIC_JWK_JSON'))],\n * }),\n * }),\n * ],\n * })\n * export class AppModule {}\n *\n * @example Rotation window — publish 2 keys simultaneously\n * keys: [\n * JSON.parse(process.env.ISSUER_PUBLIC_JWK_JSON_ACTIVE!),\n * JSON.parse(process.env.ISSUER_PUBLIC_JWK_JSON_PREVIOUS!),\n * ]\n */\n@Module({})\nexport class WalletAuthJwksModule {\n static forRoot(options: WalletAuthJwksOptions): DynamicModule {\n return {\n module: WalletAuthJwksModule,\n controllers: [WalletAuthJwksController],\n providers: [\n {\n provide: WALLET_AUTH_JWKS_KEYS,\n useValue: validateKeys(options.keys),\n },\n ],\n };\n }\n\n static forRootAsync(options: WalletAuthJwksAsyncOptions): DynamicModule {\n return {\n module: WalletAuthJwksModule,\n imports: options.imports ?? [],\n controllers: [WalletAuthJwksController],\n providers: [\n {\n provide: WALLET_AUTH_JWKS_KEYS,\n inject: options.inject ?? 
[],\n useFactory: async (...args: unknown[]) => {\n const opts = await options.useFactory(...args);\n return validateKeys(opts.keys);\n },\n },\n ],\n };\n }\n}\n\n/**\n * Reject misconfiguration loudly at boot rather than serving an\n * invalid JWKS. Missing `kid` would mean the gateway can't match\n * the key against inbound JWT headers.\n */\nfunction validateKeys(keys: IssuerPublicJwk[]): IssuerPublicJwk[] {\n if (!Array.isArray(keys)) {\n throw new Error(\"WalletAuthJwksModule: `keys` must be an array\");\n }\n for (const k of keys) {\n if (!k || typeof k !== \"object\") {\n throw new Error(\"WalletAuthJwksModule: each key must be an object\");\n }\n if (!k.kty) {\n throw new Error(\"WalletAuthJwksModule: each key must have a `kty` field\");\n }\n if (!k.kid) {\n throw new Error(\n \"WalletAuthJwksModule: each key must have a `kid` field — PAFI gateway uses kid to look up the verification key\",\n );\n }\n }\n return keys;\n}\n","import {\n Controller,\n Get,\n HttpCode,\n HttpStatus,\n Inject,\n Logger,\n} from \"@nestjs/common\";\nimport type { IssuerPublicJwk } from \"../wallet-auth/types\";\nimport { WALLET_AUTH_JWKS_KEYS } from \"./walletAuthJwks.tokens\";\n\n/**\n * Publishes the issuer's public signing key set as RFC 7517 JWKS.\n *\n * The PAFI Wallet Auth Gateway fetches this URL to verify signatures\n * on issuer JWTs that this backend mints (the JWT travelling in\n * /v1/token-exchange's `issuer_jwt` body field).\n *\n * Mounted at GET /.well-known/jwks.json — no auth, public by design.\n */\n@Controller(\".well-known\")\nexport class WalletAuthJwksController {\n private readonly logger = new Logger(WalletAuthJwksController.name);\n private readonly jwks: { keys: IssuerPublicJwk[] };\n\n constructor(\n @Inject(WALLET_AUTH_JWKS_KEYS)\n keys: IssuerPublicJwk[],\n ) {\n this.jwks = { keys };\n const kids = keys.map((k) => k.kid).join(\", \");\n this.logger.log(\n `JWKS endpoint ready — ${keys.length} key(s) published: ${kids || \"(empty)\"}`,\n );\n 
}\n\n @Get(\"jwks.json\")\n @HttpCode(HttpStatus.OK)\n getJwks(): { keys: IssuerPublicJwk[] } {\n return this.jwks;\n }\n}\n","/** DI token: array of public JWKs to publish at /.well-known/jwks.json. */\nexport const WALLET_AUTH_JWKS_KEYS = Symbol(\"WALLET_AUTH_JWKS_KEYS\");\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACsBA,oBAOO;AACP,yBAA2B;;;ACvB3B,kBAMO;AACP,IAAAA,eAA6B;AAM7B,IAAAA,eAAgC;;;ACgDzB,SAAS,kBAAkB,KAAiC;AACjE,QAAM,OACJ,IAAI,YACJ,uCAA0B,uCAA2B,IAAI,UAAU,CAAC;AACtE,QAAM,OAAqB;AAAA,IACzB;AAAA,IACA,MAAM,IAAI;AAAA,IACV,SAAS,IAAI;AAAA,IACb,aAAa,IAAI;AAAA,EACnB;AACA,MAAI,IAAI,MAAO,MAAK,QAAQ,IAAI;AAChC,MAAI,IAAI,SAAU,MAAK,WAAW,IAAI;AACtC,MAAI,IAAI,YAAY,OAAW,MAAK,UAAU,IAAI;AAClD,SAAO;AACT;;;ACWA,SAAS,qBACP,MACoE;AACpE,SACE,MAAM,QAAQ,KAAK,SAAS,CAAC,KAC7B,OAAO,KAAK,OAAO,MAAM,YACzB,KAAK,OAAO,MAAM;AAEtB;AAGA,SAAS,iCAAiC,SAAqC;AAC7E,QAAM,MAAM,QAAQ,QAAQ,GAAG;AAC/B,MAAI,OAAO,EAAG,QAAO;AACrB,QAAM,YAAY,QAAQ,MAAM,GAAG,GAAG;AACtC,SAAO,oBAAoB,KAAK,SAAS,IAAI,YAAY;AAC3D;AAEA,SAAS,4BACP,MACkB;AAClB,QAAM,SAAmC,CAAC;AAC1C,aAAW,OAAO,KAAK,SAAS;AAC9B,UAAMC,SAAQ,iCAAiC,GAAG;AAClD,UAAM,MAAMA,UAAS;AACrB,KAAC,OAAO,GAAG,MAAM,CAAC,GAAG,KAAK,GAAG;AAAA,EAC/B;AACA,QAAM,YAAY,OAAO,KAAK,MAAM,EAAE,OAAO,CAAC,MAAM,MAAM,GAAG;AAC7D,QAAM,QAAQ,UAAU,WAAW,IAAI,UAAU,CAAC,IAAI;AAEtD,QAAM,UAA4B;AAAA,IAChC,MAAM;AAAA,IACN,MAAM;AAAA,IACN,SAAS,KAAK,QAAQ,KAAK,IAAI;AAAA,IAC/B,aAAa;AAAA,IACb,UAAU,EAAE,aAAa,OAAO;AAAA,EAClC;AACA,MAAI,MAAO,SAAQ,QAAQ;AAC3B,SAAO;AACT;AAaA,SAAS,2BACP,MACkB;AAClB,QAAM,EAAE,YAAY,cAAc,eAAe,gBAAgB,IAAI;AACrE,QAAM,kBAAc,uCAA0B,UAAU;AAExD,MAAI,OAAO,iBAAiB,UAAU;AACpC,WAAO;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,IACf;AAAA,EACF;AAEA,MAAI,gBAAgB,OAAO,iBAAiB,UAAU;AACpD,UAAM,OAAO;AAEb,QAAI,qBAAqB,IAAI,GAAG;AAC9B,aAAO,4BAA4B,IAAI;AAAA,IACzC;AAEA,UAAM,OACH,OAAO,KAAK,MAAM,MAAM,YAAY,KAAK,MAAM,KAC/C,OAAO,KAAK,OAAO,MAAM,YAAY,KAAK,OAAO,KAClD;AACF,UAAM,UACH,OAAO,KAAK,SAAS,MAAM,YAAY,KAAK,SAAS,MACrD,MAAM,QAAQ,KAAK,SAAS,CAAC,IACzB,KAAK,SAA
S,EAAe,KAAK,IAAI,IACvC,OACJ;AACF,UAAM,OACH,OAAO,KAAK,MAAM,MAAM,YAAa,KAAK,MAAM,KACjD;AACF,UAAM,cACJ,OAAO,KAAK,aAAa,MAAM,YAAY,KAAK,aAAa,IAAI;AAEnE,UAAM,UAA4B;AAAA,MAChC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,QAAI,OAAO,KAAK,OAAO,MAAM,SAAU,SAAQ,QAAQ,KAAK,OAAO;AACnE,QAAI,KAAK,UAAU,KAAK,OAAO,KAAK,UAAU,MAAM,UAAU;AAC5D,cAAQ,WAAW,KAAK,UAAU;AAAA,IACpC;AACA,QAAI,KAAK,SAAS,MAAM,OAAW,SAAQ,UAAU,KAAK,SAAS;AACnE,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM,iBAAiB;AAAA,IACvB,SAAS,mBAAmB;AAAA,IAC5B,aAAa;AAAA,EACf;AACF;AAOO,SAAS,wBAAwB,KAAqC;AAC3E,QAAM,OAAqB,kBAAkB,GAAG;AAChD,QAAM,UAA4B;AAAA,IAChC,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,IACX,SAAS,KAAK;AAAA,IACd,aAAa,KAAK;AAAA,EACpB;AACA,MAAI,KAAK,MAAO,SAAQ,QAAQ,KAAK;AACrC,MAAI,KAAK,SAAU,SAAQ,WAAW,KAAK;AAC3C,MAAI,KAAK,YAAY,OAAW,SAAQ,UAAU,KAAK;AACvD,SAAO;AACT;AAGA,SAAS,uBAAuB,SAAyB;AACvD,MAAI,aAAa,KAAK,OAAO,KAAK,QAAQ,SAAS,IAAK,QAAO;AAC/D,SAAO;AACT;AAOO,SAAS,mBAAmB,OAIb;AACpB,QAAM,OAAO,MAAM,IAAI,QAAQ,MAAM,oBAAI,KAAK,IAAI;AAClD,SAAO;AAAA,IACL,SAAS;AAAA,IACT,YAAY,MAAM;AAAA,IAClB,OAAO,MAAM;AAAA,IACb,MAAM;AAAA,MACJ,WAAW,IAAI,YAAY;AAAA,MAC3B,WAAW,MAAM,IAAI;AAAA,MACrB,MAAM,MAAM,IAAI;AAAA,IAClB;AAAA,EACF;AACF;AAMO,SAAS,yBACd,MACkB;AAClB,SAAO,2BAA2B,IAAI;AACxC;AAQO,SAAS,wBAAwB,KAA8B;AACpE,QAAM,OAAO,IAAI,QAAQ;AACzB,QAAM,YAAY,SAAS,sBAAsB,SAAS;AAC1D,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM;AAAA,IACN,SAAS,YACL,uBAAuB,IAAI,OAAO,IAClC,IAAI,WAAW;AAAA,IACnB,aAAa;AAAA,EACf;AACF;;;AHhNO,IAAM,0BAAN,MAAyD;AAAA,EAC7C,SAAS,IAAI,qBAAO,yBAAyB;AAAA,EAC7C;AAAA,EAKjB,YAAY,UAA0C,CAAC,GAAG;AACxD,SAAK,OAAO;AAAA,MACV,iBAAiB,QAAQ,mBAAmB;AAAA,MAC5C,GAAG;AAAA,IACL;AAAA,EACF;AAAA,EAEA,MAAM,WAAoB,MAA2B;AACnD,UAAM,MAAM,KAAK,aAAa;AAC9B,UAAM,WAAW,IAAI,YAAiC;AACtD,UAAM,UAAU,IAAI,WAA+B;AAEnD,UAAM,cAAc,SAAS,UAAU,KAAK,KAAK,eAAe;AAChE,UAAM,aACH,MAAM,QAAQ,WAAW,IAAI,YAAY,CAAC,IAAI,oBAC/C,+BAAW;AAEb,UAAM,UAA4B;AAAA,MAChC,MAAM,SAAS,OAAO;AAAA,MACtB;AAAA,MACA,GAAI,KAAK,KAAK,MAAM,EAAE,KAAK,KAAK,KAAK,IAAI,IAAI,CAAC;AAAA,IAChD;AAEA,UAAM,EAAE,QAAQ,QAAQ,IAAI,KAAK,UAAU,SAAS;AACpD,UAAM,WA
AW,mBAAmB,EAAE,QAAQ,SAAS,KAAK,QAAQ,CAAC;AAErE,QAAI,KAAK,KAAK,SAAS;AACrB,UAAI;AACF,aAAK,KAAK,QAAQ,UAAU,SAAS;AAAA,MACvC,SAAS,SAAS;AAChB,aAAK,OAAO;AAAA,UACV,EAAE,KAAK,mBAAmB,QAAQ,QAAQ,UAAU,OAAO,OAAO,EAAE;AAAA,UACpE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,QAAI,UAAU,KAAK;AACjB,WAAK,OAAO;AAAA,QACV;AAAA,UACE,KACE,qBAAqB,QACjB,UAAU,UACV,OAAO,SAAS;AAAA,UACtB,OAAO,qBAAqB,QAAQ,UAAU,QAAQ;AAAA,UACtD,MAAM,qBAAqB,QAAQ,UAAU,OAAO;AAAA,UACpD,MAAM,QAAQ;AAAA,UACd;AAAA,QACF;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,aAAS,OAAO,MAAM,EAAE,KAAK,QAAQ;AAAA,EACvC;AAAA,EAEQ,UAAU,WAGhB;AACA,QAAI,qBAAqB,0BAAc;AACrC,aAAO;AAAA,QACL,QAAQ,uCAA2B,UAAU,UAAU;AAAA,QACvD,SAAS,wBAAwB,SAAS;AAAA,MAC5C;AAAA,IACF;AAEA,QAAI,qBAAqB,6BAAe;AACtC,aAAO;AAAA,QACL,QAAQ,UAAU,UAAU;AAAA,QAC5B,SAAS,yBAAyB;AAAA,UAChC,YAAY,UAAU,UAAU;AAAA,UAChC,cAAc,UAAU,YAAY;AAAA,UACpC,eAAe,UAAU;AAAA,UACzB,iBAAiB,UAAU;AAAA,QAC7B,CAAC;AAAA,MACH;AAAA,IACF;AAEA,QAAI,qBAAqB,OAAO;AAG9B,YAAM,cAAe,UAAmC;AACxD,YAAM,mBACJ,UACA;AACF,UACE,OAAO,gBAAgB,YACvB,OAAO,qBAAqB,YAC5B;AACA,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,SAAS,yBAAyB;AAAA,YAChC,YAAY;AAAA,YACZ,cAAc,iBAAiB,KAAK,SAAS;AAAA,YAC7C,eAAe,UAAU;AAAA,YACzB,iBAAiB,UAAU;AAAA,UAC7B,CAAC;AAAA,QACH;AAAA,MACF;AACA,YAAM,kBACJ,OAAO,gBAAgB,WACnB,cACA,yBAAW;AACjB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,wBAAwB,SAAS;AAAA,MAC5C;AAAA,IACF;AAEA,WAAO;AAAA,MACL,QAAQ,yBAAW;AAAA,MACnB,SAAS;AAAA,QACP,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,QACT,aAAa;AAAA,MACf;AAAA,IACF;AAAA,EACF;AACF;AA/Ha,0BAAN;AAAA,MADN,qBAAM;AAAA,GACM;;;AIxEb,IAAAC,iBAIO;;;ACJP,IAAAC,iBAOO;;;ACNA,IAAM,wBAAwB,uBAAO,uBAAuB;;;ADoB5D,IAAM,2BAAN,MAA+B;AAAA,EACnB,SAAS,IAAI,sBAAO,yBAAyB,IAAI;AAAA,EACjD;AAAA,EAEjB,YAEE,MACA;AACA,SAAK,OAAO,EAAE,KAAK;AACnB,UAAM,OAAO,KAAK,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,IAAI;AAC7C,SAAK,OAAO;AAAA,MACV,8BAAyB,KAAK,MAAM,sBAAsB,QAAQ,SAAS;AAAA,IAC7E;AAAA,EACF;AAAA,EAIA,UAAuC;AACrC,WAAO,KAAK;AAAA,EACd;AACF;AAHE;AAAA,MAFC,oBAAI,WAAW;AAAA,MACf,yBAAS,0BAAW,EAAE;AAAA,GAhBZ,yBAiBX;AAjBW,2BAAN;AAAA,MADN,2BAAW,aAAa;AAAA,EAMpB,8CAAO,qBAAqB;AAAA,GALpB;;;ADmDN,IAAM,u
BAAN,MAA2B;AAAA,EAChC,OAAO,QAAQ,SAA+C;AAC5D,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,aAAa,CAAC,wBAAwB;AAAA,MACtC,WAAW;AAAA,QACT;AAAA,UACE,SAAS;AAAA,UACT,UAAU,aAAa,QAAQ,IAAI;AAAA,QACrC;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAO,aAAa,SAAoD;AACtE,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS,QAAQ,WAAW,CAAC;AAAA,MAC7B,aAAa,CAAC,wBAAwB;AAAA,MACtC,WAAW;AAAA,QACT;AAAA,UACE,SAAS;AAAA,UACT,QAAQ,QAAQ,UAAU,CAAC;AAAA,UAC3B,YAAY,UAAU,SAAoB;AACxC,kBAAM,OAAO,MAAM,QAAQ,WAAW,GAAG,IAAI;AAC7C,mBAAO,aAAa,KAAK,IAAI;AAAA,UAC/B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AA/Ba,uBAAN;AAAA,MADN,uBAAO,CAAC,CAAC;AAAA,GACG;AAsCb,SAAS,aAAa,MAA4C;AAChE,MAAI,CAAC,MAAM,QAAQ,IAAI,GAAG;AACxB,UAAM,IAAI,MAAM,+CAA+C;AAAA,EACjE;AACA,aAAW,KAAK,MAAM;AACpB,QAAI,CAAC,KAAK,OAAO,MAAM,UAAU;AAC/B,YAAM,IAAI,MAAM,kDAAkD;AAAA,IACpE;AACA,QAAI,CAAC,EAAE,KAAK;AACV,YAAM,IAAI,MAAM,wDAAwD;AAAA,IAC1E;AACA,QAAI,CAAC,EAAE,KAAK;AACV,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;","names":["import_core","param","import_common","import_common"]}
|
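--- a/package/dist/nestjs/index.d.cts
+++ b/package/dist/nestjs/index.d.cts
@@ -1,6 +1,8 @@
-import { ExceptionFilter, ArgumentsHost } from '@nestjs/common';
+import { ExceptionFilter, ArgumentsHost, DynamicModule, FactoryProvider } from '@nestjs/common';
 import { PafiErrorEnvelope } from '../http/index.cjs';
+import { a as IssuerPublicJwk } from '../types-CxVXRHLy.cjs';
 import '@pafi-dev/core';
+import 'jose';
 
 /**
 * NestJS global exception filter that emits the PAFI Stripe-style
@@ -51,4 +53,90 @@ declare class PafiHttpExceptionFilter implements ExceptionFilter {
 private normalize;
 }
 
-
+interface WalletAuthJwksOptions {
+/**
+* One or more public JWKs to publish. During key rotation, include
+* BOTH the active and previous keys so JWTs signed with the older
+* kid can still be verified by the PAFI gateway until the rotation
+* window closes.
+*/
+keys: IssuerPublicJwk[];
+}
+interface WalletAuthJwksAsyncOptions {
+/** Modules to import for the factory's DI. */
+imports?: NonNullable<DynamicModule["imports"]>;
+/** Providers to inject into useFactory — same shape as FactoryProvider.inject. */
+inject?: FactoryProvider["inject"];
+/** Builds options at runtime — read env, decrypt secrets, etc. */
+useFactory: (...args: any[]) => Promise<WalletAuthJwksOptions> | WalletAuthJwksOptions;
+}
+/**
+* Drop-in NestJS module that publishes the issuer's public signing
+* key set at GET /.well-known/jwks.json.
+*
+* Every issuer backend integrating with the PAFI Wallet Auth Gateway
+* needs this endpoint so the gateway can fetch their public key and
+* verify issuer JWT signatures.
+*
+* @example Sync registration
+* import { WalletAuthJwksModule } from '@pafi-dev/issuer/nestjs';
+*
+* @Module({
+* imports: [
+* WalletAuthJwksModule.forRoot({
+* keys: [JSON.parse(process.env.ISSUER_PUBLIC_JWK_JSON!)],
+* }),
+* ],
+* })
+* export class AppModule {}
+*
+* @example Async registration (read from ConfigService)
+* import { ConfigModule, ConfigService } from '@nestjs/config';
+* import { WalletAuthJwksModule } from '@pafi-dev/issuer/nestjs';
+*
+* @Module({
+* imports: [
+* WalletAuthJwksModule.forRootAsync({
+* imports: [ConfigModule],
+* inject: [ConfigService],
+* useFactory: (config: ConfigService) => ({
+* keys: [JSON.parse(config.getOrThrow('ISSUER_PUBLIC_JWK_JSON'))],
+* }),
+* }),
+* ],
+* })
+* export class AppModule {}
+*
+* @example Rotation window — publish 2 keys simultaneously
+* keys: [
+* JSON.parse(process.env.ISSUER_PUBLIC_JWK_JSON_ACTIVE!),
+* JSON.parse(process.env.ISSUER_PUBLIC_JWK_JSON_PREVIOUS!),
+* ]
+*/
+declare class WalletAuthJwksModule {
+static forRoot(options: WalletAuthJwksOptions): DynamicModule;
+static forRootAsync(options: WalletAuthJwksAsyncOptions): DynamicModule;
+}
+
+/**
+* Publishes the issuer's public signing key set as RFC 7517 JWKS.
+*
+* The PAFI Wallet Auth Gateway fetches this URL to verify signatures
+* on issuer JWTs that this backend mints (the JWT travelling in
+* /v1/token-exchange's `issuer_jwt` body field).
+*
+* Mounted at GET /.well-known/jwks.json — no auth, public by design.
+*/
+declare class WalletAuthJwksController {
+private readonly logger;
+private readonly jwks;
+constructor(keys: IssuerPublicJwk[]);
+getJwks(): {
+keys: IssuerPublicJwk[];
+};
+}
+
+/** DI token: array of public JWKs to publish at /.well-known/jwks.json. */
+declare const WALLET_AUTH_JWKS_KEYS: unique symbol;
+
+export { PafiHttpExceptionFilter, type PafiHttpExceptionFilterOptions, WALLET_AUTH_JWKS_KEYS, type WalletAuthJwksAsyncOptions, WalletAuthJwksController, WalletAuthJwksModule, type WalletAuthJwksOptions };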
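Review bot: `WalletAuthJwksOptions.keys` is returned as-is by `WalletAuthJwksController.getJwks()`, which its own comment describes as "no auth, public by design", yet neither the type nor the doc comment tells integrators that each entry must hold public parameters only. The `validateKeys` source embedded in `index.cjs.map` on this page checks just `kty` and `kid`, and the `useFactory` comment mentions "decrypt secrets", so a full key pair loaded from configuration would apparently pass validation and be published. I would add to the `keys` comment `Entries must contain public members only; a JWK carrying "d" or another private parameter is served unchanged to any caller.` and reject such input at boot in `validateKeys`, for example `if ("d" in k || k.kty === "oct") throw new Error("WalletAuthJwksModule: refusing to publish private or symmetric key material");`. The implementations of `forRoot`, `forRootAsync` and `validateKeys` are outside this declaration file, so the check belongs in the source module rather than here.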
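--- a/package/dist/nestjs/index.d.ts
+++ b/package/dist/nestjs/index.d.ts
@@ -1,6 +1,8 @@
-import { ExceptionFilter, ArgumentsHost } from '@nestjs/common';
+import { ExceptionFilter, ArgumentsHost, DynamicModule, FactoryProvider } from '@nestjs/common';
 import { PafiErrorEnvelope } from '../http/index.js';
+import { a as IssuerPublicJwk } from '../types-CxVXRHLy.js';
 import '@pafi-dev/core';
+import 'jose';
 
 /**
 * NestJS global exception filter that emits the PAFI Stripe-style
@@ -51,4 +53,90 @@ declare class PafiHttpExceptionFilter implements ExceptionFilter {
 private normalize;
 }
 
-
+interface WalletAuthJwksOptions {
+/**
+* One or more public JWKs to publish. During key rotation, include
+* BOTH the active and previous keys so JWTs signed with the older
+* kid can still be verified by the PAFI gateway until the rotation
+* window closes.
+*/
+keys: IssuerPublicJwk[];
+}
+interface WalletAuthJwksAsyncOptions {
+/** Modules to import for the factory's DI. */
+imports?: NonNullable<DynamicModule["imports"]>;
+/** Providers to inject into useFactory — same shape as FactoryProvider.inject. */
+inject?: FactoryProvider["inject"];
+/** Builds options at runtime — read env, decrypt secrets, etc. */
+useFactory: (...args: any[]) => Promise<WalletAuthJwksOptions> | WalletAuthJwksOptions;
+}
+/**
+* Drop-in NestJS module that publishes the issuer's public signing
+* key set at GET /.well-known/jwks.json.
+*
+* Every issuer backend integrating with the PAFI Wallet Auth Gateway
+* needs this endpoint so the gateway can fetch their public key and
+* verify issuer JWT signatures.
+*
+* @example Sync registration
+* import { WalletAuthJwksModule } from '@pafi-dev/issuer/nestjs';
+*
+* @Module({
+* imports: [
+* WalletAuthJwksModule.forRoot({
+* keys: [JSON.parse(process.env.ISSUER_PUBLIC_JWK_JSON!)],
+* }),
+* ],
+* })
+* export class AppModule {}
+*
+* @example Async registration (read from ConfigService)
+* import { ConfigModule, ConfigService } from '@nestjs/config';
+* import { WalletAuthJwksModule } from '@pafi-dev/issuer/nestjs';
+*
+* @Module({
+* imports: [
+* WalletAuthJwksModule.forRootAsync({
+* imports: [ConfigModule],
+* inject: [ConfigService],
+* useFactory: (config: ConfigService) => ({
+* keys: [JSON.parse(config.getOrThrow('ISSUER_PUBLIC_JWK_JSON'))],
+* }),
+* }),
+* ],
+* })
+* export class AppModule {}
+*
+* @example Rotation window — publish 2 keys simultaneously
+* keys: [
+* JSON.parse(process.env.ISSUER_PUBLIC_JWK_JSON_ACTIVE!),
+* JSON.parse(process.env.ISSUER_PUBLIC_JWK_JSON_PREVIOUS!),
+* ]
+*/
+declare class WalletAuthJwksModule {
+static forRoot(options: WalletAuthJwksOptions): DynamicModule;
+static forRootAsync(options: WalletAuthJwksAsyncOptions): DynamicModule;
+}
+
+/**
+* Publishes the issuer's public signing key set as RFC 7517 JWKS.
+*
+* The PAFI Wallet Auth Gateway fetches this URL to verify signatures
+* on issuer JWTs that this backend mints (the JWT travelling in
+* /v1/token-exchange's `issuer_jwt` body field).
+*
+* Mounted at GET /.well-known/jwks.json — no auth, public by design.
+*/
+declare class WalletAuthJwksController {
+private readonly logger;
+private readonly jwks;
+constructor(keys: IssuerPublicJwk[]);
+getJwks(): {
+keys: IssuerPublicJwk[];
+};
+}
+
+/** DI token: array of public JWKs to publish at /.well-known/jwks.json. */
+declare const WALLET_AUTH_JWKS_KEYS: unique symbol;
+
+export { PafiHttpExceptionFilter, type PafiHttpExceptionFilterOptions, WALLET_AUTH_JWKS_KEYS, type WalletAuthJwksAsyncOptions, WalletAuthJwksController, WalletAuthJwksModule, type WalletAuthJwksOptions };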
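Review bot: The TSDoc on `WalletAuthJwksOptions.keys` and the three `@example` blocks pass `JSON.parse(...)` output straight to an endpoint described as "no auth, public by design", and nothing in this declaration says what happens when an entry carries private key material. `JSON.parse` returns `any`, so the `IssuerPublicJwk[]` type cannot catch a full key pair placed in `ISSUER_PUBLIC_JWK_JSON` by mistake, and the signing key would then be served at GET /.well-known/jwks.json. The implementation is not visible in this file, so this may already be handled; if it is, the doc comment should say so, and if not, the `WalletAuthJwksController` constructor should refuse any entry containing `d`, `p`, `q`, `dp`, `dq`, `qi` or `k` at startup. In either case I would extend the comment on `keys` with a line such as `Public members only: never pass a JWK that contains private parameters such as "d".` The identical declarations in index.d.cts need the same wording, and since both files are build output the change belongs in the TypeScript source they are emitted from.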