@powersync/service-core 0.0.2

package/dist/auth/KeyCollector.d.ts

@@ -0,0 +1,24 @@
+import * as jose from 'jose';
+import { KeySpec } from './KeySpec.js';
+export interface KeyCollector {
+    /**
+     * Fetch keys for this collector.
+     *
+     * If a partial result is available, return keys and errors array.
+     * These errors are not retried, and previous keys not cached.
+     *
+     * If the request fails completely, throw an error. These errors are retried.
+     * In that case, previous keys may be cached and used.
+     */
+    getKeys(): Promise<KeyResult>;
+    /**
+     * Indicates that no matching key was found.
+     *
+     * The collector may use this as a hint to reload keys, although this is not a requirement.
+     */
+    noKeyFound?: () => Promise<void>;
+}
+export interface KeyResult {
+    errors: jose.errors.JOSEError[];
+    keys: KeySpec[];
+}

package/dist/auth/KeyCollector.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=KeyCollector.js.map

package/dist/auth/KeyCollector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"KeyCollector.js","sourceRoot":"","sources":["../../src/auth/KeyCollector.ts"],"names":[],"mappings":""}

package/dist/auth/KeySpec.d.ts

@@ -0,0 +1,26 @@
+import * as jose from 'jose';
+export declare const HS_ALGORITHMS: string[];
+export declare const RSA_ALGORITHMS: string[];
+export declare const SUPPORTED_ALGORITHMS: string[];
+export interface KeyOptions {
+    /**
+     * If configured, JWTs verified by this key must have one of these audiences
+     * in the `aud` claim, instead of the default.
+     */
+    requiresAudience?: string[];
+    /**
+     * If configured, JWTs verified by this key can have a maximum lifetime up to
+     * this value, instead of the default.
+     */
+    maxLifetimeSeconds?: number;
+}
+export declare class KeySpec {
+    key: jose.KeyLike;
+    source: jose.JWK;
+    options: KeyOptions;
+    static importKey(key: jose.JWK, options?: KeyOptions): Promise<KeySpec>;
+    constructor(source: jose.JWK, key: jose.KeyLike, options?: KeyOptions);
+    get kid(): string | undefined;
+    matchesAlgorithm(jwtAlg: string): boolean;
+    isValidSignature(token: string): Promise<boolean>;
+}

package/dist/auth/KeySpec.js

@@ -0,0 +1,49 @@
+import * as jose from 'jose';
+export const HS_ALGORITHMS = ['HS256', 'HS384', 'HS512'];
+export const RSA_ALGORITHMS = ['RS256', 'RS384', 'RS512'];
+export const SUPPORTED_ALGORITHMS = [...HS_ALGORITHMS, ...RSA_ALGORITHMS];
+export class KeySpec {
+    static async importKey(key, options) {
+        const parsed = (await jose.importJWK(key));
+        return new KeySpec(key, parsed, options);
+    }
+    constructor(source, key, options) {
+        this.source = source;
+        this.key = key;
+        this.options = options ?? {};
+    }
+    get kid() {
+        return this.source.kid;
+    }
+    matchesAlgorithm(jwtAlg) {
+        if (this.source.alg) {
+            return jwtAlg == this.source.alg;
+        }
+        else if (this.source.kty == 'RSA') {
+            return RSA_ALGORITHMS.includes(jwtAlg);
+        }
+        else if (this.source.kty == 'oct') {
+            return HS_ALGORITHMS.includes(jwtAlg);
+        }
+        else {
+            // We don't support 'ec' yet
+            return false;
+        }
+    }
+    async isValidSignature(token) {
+        try {
+            await jose.compactVerify(token, this.key);
+            return true;
+        }
+        catch (e) {
+            if (e.code == 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED') {
+                return false;
+            }
+            else {
+                // Token format error most likely
+                throw e;
+            }
+        }
+    }
+}
+//# sourceMappingURL=KeySpec.js.map

package/dist/auth/KeySpec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"KeySpec.js","sourceRoot":"","sources":["../../src/auth/KeySpec.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAE7B,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AACzD,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AAC1D,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,GAAG,aAAa,EAAE,GAAG,cAAc,CAAC,CAAC;AAgB1E,MAAM,OAAO,OAAO;IAKlB,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,GAAa,EAAE,OAAoB;QACxD,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAiB,CAAC;QAC3D,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED,YAAY,MAAgB,EAAE,GAAiB,EAAE,OAAoB;QACnE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,OAAO,GAAG,OAAO,IAAI,EAAE,CAAC;IAC/B,CAAC;IAED,IAAI,GAAG;QACL,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC;IACzB,CAAC;IAED,gBAAgB,CAAC,MAAc;QAC7B,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YACpB,OAAO,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC;QACnC,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,KAAK,EAAE,CAAC;YACpC,OAAO,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,KAAK,EAAE,CAAC;YACpC,OAAO,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACxC,CAAC;aAAM,CAAC;YACN,4BAA4B;YAC5B,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,KAAa;QAClC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1C,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,CAAC,IAAI,IAAI,uCAAuC,EAAE,CAAC;gBACtD,OAAO,KAAK,CAAC;YACf,CAAC;iBAAM,CAAC;gBACN,iCAAiC;gBACjC,MAAM,CAAC,CAAC;YACV,CAAC;QACH,CAAC;IACH,CAAC;CACF"}

package/dist/auth/KeyStore.d.ts

@@ -0,0 +1,39 @@
+import { KeyCollector } from './KeyCollector.js';
+import { JwtPayload } from './JwtPayload.js';
+/**
+ * KeyStore to get keys and verify tokens.
+ *
+ *
+ * Similar to micro_auth's KeyStore, but with different caching and error handling.
+ *
+ * We generally assume that:
+ * 1. If we have a key kid matching a JWT kid, that is the correct key.
+ *    We don't look for other keys, even if there are algorithm or other issues.
+ * 2. Otherwise, iterate through "wildcard" keys and look for a matching signature.
+ *    Wildcard keys are any key defined without a kid.
+ *
+ * # Security considerations
+ *
+ * Some places for security holes:
+ * 1. Signature verification not done correctly: We rely on jose.jwtVerify() to do this correctly.
+ * 2. Using a key that has been revoked - see CachedKeyCollector's refresh strategy.
+ * 3. Using a key for the wrong purpose (e.g. key.use != 'sig'). Checked in RemoteJWKSCollector.
+ * 4. Not checking all attributes, e.g. a JWT trusted by the global firebase key, but has the wrong aud. Correct aud must be configured.
+ * 5. Using the incorrect algorithm, e.g. 'none', or using public key as a shared key.
+ *    We check the algorithm for each JWT against the matching key's configured algorithm or algorithm family.
+ *
+ * # Errors
+ *
+ * If we have a matching kid, we can generally get a detailed error (e.g. signature verification failed, invalid algorithm, etc).
+ * If we don't have a matching kid, we'll generally just get an error "Could not find an appropriate key...".
+ */
+export declare class KeyStore {
+    private collector;
+    constructor(collector: KeyCollector);
+    verifyJwt(token: string, options: {
+        defaultAudiences: string[];
+        maxAge: string;
+    }): Promise<JwtPayload>;
+    private verifyInternal;
+    private getCachedKey;
+}

package/dist/auth/KeyStore.js

@@ -0,0 +1,131 @@
+import * as jose from 'jose';
+import secs from '../util/secs.js';
+import { SUPPORTED_ALGORITHMS } from './KeySpec.js';
+import * as micro from '@journeyapps-platform/micro';
+/**
+ * KeyStore to get keys and verify tokens.
+ *
+ *
+ * Similar to micro_auth's KeyStore, but with different caching and error handling.
+ *
+ * We generally assume that:
+ * 1. If we have a key kid matching a JWT kid, that is the correct key.
+ *    We don't look for other keys, even if there are algorithm or other issues.
+ * 2. Otherwise, iterate through "wildcard" keys and look for a matching signature.
+ *    Wildcard keys are any key defined without a kid.
+ *
+ * # Security considerations
+ *
+ * Some places for security holes:
+ * 1. Signature verification not done correctly: We rely on jose.jwtVerify() to do this correctly.
+ * 2. Using a key that has been revoked - see CachedKeyCollector's refresh strategy.
+ * 3. Using a key for the wrong purpose (e.g. key.use != 'sig'). Checked in RemoteJWKSCollector.
+ * 4. Not checking all attributes, e.g. a JWT trusted by the global firebase key, but has the wrong aud. Correct aud must be configured.
+ * 5. Using the incorrect algorithm, e.g. 'none', or using public key as a shared key.
+ *    We check the algorithm for each JWT against the matching key's configured algorithm or algorithm family.
+ *
+ * # Errors
+ *
+ * If we have a matching kid, we can generally get a detailed error (e.g. signature verification failed, invalid algorithm, etc).
+ * If we don't have a matching kid, we'll generally just get an error "Could not find an appropriate key...".
+ */
+export class KeyStore {
+    constructor(collector) {
+        this.collector = collector;
+    }
+    async verifyJwt(token, options) {
+        const { result, keyOptions } = await this.verifyInternal(token, {
+            // audience is not checked here, since we vary the allowed audience based on the key
+            // audience: options.defaultAudiences,
+            clockTolerance: 60,
+            // More specific algorithm checking is done when selecting the key to use.
+            algorithms: SUPPORTED_ALGORITHMS,
+            requiredClaims: ['aud', 'sub', 'iat', 'exp']
+        });
+        let audiences = options.defaultAudiences;
+        if (keyOptions.requiresAudience) {
+            // Replace the audience, don't add
+            audiences = keyOptions.requiresAudience;
+        }
+        const tokenPayload = result.payload;
+        let aud = tokenPayload.aud;
+        if (!Array.isArray(aud)) {
+            aud = [aud];
+        }
+        if (!aud.some((a) => {
+            return audiences.includes(a);
+        })) {
+            throw new jose.errors.JWTClaimValidationFailed('unexpected "aud" claim value', 'aud', 'check_failed');
+        }
+        const tokenDuration = tokenPayload.exp - tokenPayload.iat;
+        // Implement our own maxAge validation, that rejects the token immediately if expiration
+        // is too far into the future.
+        const maxAge = keyOptions.maxLifetimeSeconds ?? secs(options.maxAge);
+        if (tokenDuration > maxAge) {
+            throw new jose.errors.JWTInvalid(`Token must expire in a maximum of ${maxAge} seconds, got ${tokenDuration}`);
+        }
+        const parameters = tokenPayload.parameters;
+        if (parameters != null && (Array.isArray(parameters) || typeof parameters != 'object')) {
+            throw new jose.errors.JWTInvalid('parameters must be an object');
+        }
+        return {
+            ...tokenPayload,
+            parameters: {
+                user_id: tokenPayload.sub,
+                ...parameters
+            }
+        };
+    }
+    async verifyInternal(token, options) {
+        let keyOptions = undefined;
+        const result = await jose.jwtVerify(token, async (header) => {
+            let key = await this.getCachedKey(token, header);
+            keyOptions = key.options;
+            return key.key;
+        }, options);
+        return { result, keyOptions: keyOptions };
+    }
+    async getCachedKey(token, header) {
+        const kid = header.kid;
+        const { keys, errors } = await this.collector.getKeys();
+        if (kid) {
+            // key has kid: JWK with exact kid, or JWK without kid
+            // key without kid: JWK without kid only
+            for (let key of keys) {
+                if (key.kid == kid) {
+                    if (!key.matchesAlgorithm(header.alg)) {
+                        throw new jose.errors.JOSEAlgNotAllowed(`Unexpected token algorithm ${header.alg}`);
+                    }
+                    return key;
+                }
+            }
+        }
+        for (let key of keys) {
+            // Checks signature and algorithm
+            if (key.kid != null) {
+                // Not a wildcard key
+                continue;
+            }
+            if (!key.matchesAlgorithm(header.alg)) {
+                continue;
+            }
+            if (await key.isValidSignature(token)) {
+                return key;
+            }
+        }
+        if (errors.length > 0) {
+            throw errors[0];
+        }
+        else {
+            // No key found
+            // Trigger refresh of the keys - might be ready by the next request.
+            this.collector.noKeyFound?.().catch((e) => {
+                // Typically this error would be stored on the collector.
+                // This is just a last resort error handling.
+                micro.logger.error(`Failed to refresh keys`, e);
+            });
+            throw new jose.errors.JOSEError('Could not find an appropriate key in the keystore. The key is missing or no key matched the token KID');
+        }
+    }
+}
+//# sourceMappingURL=KeyStore.js.map

package/dist/auth/KeyStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"KeyStore.js","sourceRoot":"","sources":["../../src/auth/KeyStore.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,IAAI,MAAM,iBAAiB,CAAC;AACnC,OAAO,EAAuB,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAEzE,OAAO,KAAK,KAAK,MAAM,6BAA6B,CAAC;AAGrD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,OAAO,QAAQ;IAGnB,YAAY,SAAuB;QACjC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAa,EAAE,OAAuD;QACpF,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE;YAC9D,oFAAoF;YACpF,sCAAsC;YACtC,cAAc,EAAE,EAAE;YAClB,0EAA0E;YAC1E,UAAU,EAAE,oBAAoB;YAChC,cAAc,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC;SAC7C,CAAC,CAAC;QAEH,IAAI,SAAS,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACzC,IAAI,UAAU,CAAC,gBAAgB,EAAE,CAAC;YAChC,kCAAkC;YAClC,SAAS,GAAG,UAAU,CAAC,gBAAgB,CAAC;QAC1C,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,CAAC,OAAO,CAAC;QAEpC,IAAI,GAAG,GAAG,YAAY,CAAC,GAAI,CAAC;QAC5B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACd,CAAC;QACD,IACE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACd,OAAO,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC/B,CAAC,CAAC,EACF,CAAC;YACD,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,wBAAwB,CAAC,8BAA8B,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;QACxG,CAAC;QAED,MAAM,aAAa,GAAG,YAAY,CAAC,GAAI,GAAG,YAAY,CAAC,GAAI,CAAC;QAE5D,wFAAwF;QACxF,8BAA8B;QAC9B,MAAM,MAAM,GAAG,UAAU,CAAC,kBAAkB,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,IAAI,aAAa,GAAG,MAAM,EAAE,CAAC;YAC3B,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,qCAAqC,MAAM,iBAAiB,aAAa,EAAE,CAAC,CAAC;QAChH,CAAC;QAED,MAAM,UAAU,GAAG,YAAY,CAAC,UAAU,CAAC;QAC3C,IAAI,UAAU,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,OAAO,UAAU,IAAI,QAAQ,CAAC,EAAE,CAAC;YACvF,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,8BAA8B,CAAC,CAAC;QACnE,CAAC;QAED,OAAO;YACL,GAAI,YAAoB;YACxB,UAAU,EAAE;gBACV,OAAO,EAAE,YAAY,CAAC,GAAG;gBACzB,GAAG,UAAU;aACd;SACF,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,KAAa,EAAE,OAA8B;QACxE,IAAI,UAAU,GAA2B,SAAS,CAAC;QACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CACjC,KAAK,EACL,KAAK,EAAE,MAAM,EAAE,EAAE;YACf,IAAI,GAAG,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YACjD,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC;YACzB,OAAO,GAAG,CAAC,GAAG,CAAC;QACjB,CAAC,EACD,OAAO,CACR,CAAC;QACF,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,UAAW,EAAE,CAAC;IAC7C,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,KAAa,EAAE,MAAgC;QACxE,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACvB,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;QACxD,IAAI,GAAG,EAAE,CAAC;YACR,sDAAsD;YACtD,wCAAwC;YACxC,KAAK,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;gBACrB,IAAI,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,CAAC;oBACnB,IAAI,CAAC,GAAG,CAAC,gBAAgB,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;wBACtC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,8BAA8B,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;oBACtF,CAAC;oBACD,OAAO,GAAG,CAAC;gBACb,CAAC;YACH,CAAC;QACH,CAAC;QAED,KAAK,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;YACrB,iCAAiC;YACjC,IAAI,GAAG,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;gBACpB,qBAAqB;gBACrB,SAAS;YACX,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,gBAAgB,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,SAAS;YACX,CAAC;YAED,IAAI,MAAM,GAAG,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;gBACtC,OAAO,GAAG,CAAC;YACb,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,MAAM,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;aAAM,CAAC;YACN,eAAe;YACf,oEAAoE;YACpE,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;gBACxC,yDAAyD;gBACzD,6CAA6C;gBAC7C,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,CAAC,CAAC,CAAC;YAClD,CAAC,CAAC,CAAC;YAEH,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAC7B,uGAAuG,CACxG,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}

package/dist/auth/LeakyBucket.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Variation on a leaky bucket rate limiter.
+ *
+ * The base is a leaky bucket:
+ *  * The bucket is filled at a certain rate
+ *  * The bucket has a max capacity
+ *
+ * This gives an initial burst capacity, then continues
+ * at the refill rate when the burst capacity is depleted.
+ *
+ * This variation introduces an additional quadratic delay
+ * during the initial burst, which prevents the burst capacity
+ * from being consumed immediately. The steady-state rate
+ * is still the same.
+ *
+ *
+ * Steady state rate: x requests / ms.
+ * Steady state period: 1 / rate
+ *
+ * capacity: number of requests before steady state
+ *
+ * capacity == max_capacity: no delay between requests
+ * capacity = 0: delay = Steady state period
+ *
+ * variable_delay = (max_capacity - capacity)^2 / max_capacity^2 * period
+ */
+export declare class LeakyBucket {
+    private capacity;
+    private lastRequest;
+    private maxCapacity;
+    private periodMs;
+    lastGrantedRequest: number;
+    constructor(options: {
+        maxCapacity: number;
+        periodMs: number;
+    });
+    allowed(): boolean;
+    reset(): void;
+}

package/dist/auth/LeakyBucket.js

@@ -0,0 +1,57 @@
+/**
+ * Variation on a leaky bucket rate limiter.
+ *
+ * The base is a leaky bucket:
+ *  * The bucket is filled at a certain rate
+ *  * The bucket has a max capacity
+ *
+ * This gives an initial burst capacity, then continues
+ * at the refill rate when the burst capacity is depleted.
+ *
+ * This variation introduces an additional quadratic delay
+ * during the initial burst, which prevents the burst capacity
+ * from being consumed immediately. The steady-state rate
+ * is still the same.
+ *
+ *
+ * Steady state rate: x requests / ms.
+ * Steady state period: 1 / rate
+ *
+ * capacity: number of requests before steady state
+ *
+ * capacity == max_capacity: no delay between requests
+ * capacity = 0: delay = Steady state period
+ *
+ * variable_delay = (max_capacity - capacity)^2 / max_capacity^2 * period
+ */
+export class LeakyBucket {
+    constructor(options) {
+        this.capacity = options.maxCapacity;
+        this.maxCapacity = options.maxCapacity;
+        this.periodMs = options.periodMs;
+        this.lastRequest = 0;
+        this.lastGrantedRequest = 0;
+    }
+    allowed() {
+        const now = Date.now();
+        const elapsed = now - this.lastRequest;
+        const leaked = elapsed / this.periodMs;
+        this.capacity = Math.min(this.capacity + leaked, this.maxCapacity);
+        this.lastRequest = now;
+        const capacityUsed = this.maxCapacity - this.capacity;
+        const variableDelay = ((capacityUsed * capacityUsed) / (this.maxCapacity * this.maxCapacity)) * this.periodMs;
+        if (this.capacity >= 1 && variableDelay <= now - this.lastGrantedRequest) {
+            this.capacity -= 1;
+            this.lastGrantedRequest = now;
+            return true;
+        }
+        else {
+            return false;
+        }
+    }
+    reset() {
+        this.capacity = this.maxCapacity;
+        this.lastGrantedRequest = 0;
+    }
+}
+//# sourceMappingURL=LeakyBucket.js.map

package/dist/auth/LeakyBucket.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"LeakyBucket.js","sourceRoot":"","sources":["../../src/auth/LeakyBucket.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,OAAO,WAAW;IAQtB,YAAY,OAAkD;QAC5D,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,WAAW,CAAC;QACpC,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,WAAW,GAAG,CAAC,CAAC;QACrB,IAAI,CAAC,kBAAkB,GAAG,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC;QACvC,MAAM,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC;QACvC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,GAAG,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QACnE,IAAI,CAAC,WAAW,GAAG,GAAG,CAAC;QAEvB,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC;QACtD,MAAM,aAAa,GAAG,CAAC,CAAC,YAAY,GAAG,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAE9G,IAAI,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,aAAa,IAAI,GAAG,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACzE,IAAI,CAAC,QAAQ,IAAI,CAAC,CAAC;YACnB,IAAI,CAAC,kBAAkB,GAAG,GAAG,CAAC;YAC9B,OAAO,IAAI,CAAC;QACd,CAAC;aAAM,CAAC;YACN,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK;QACH,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC;QACjC,IAAI,CAAC,kBAAkB,GAAG,CAAC,CAAC;IAC9B,CAAC;CACF"}

package/dist/auth/RemoteJWKSCollector.d.ts

@@ -0,0 +1,24 @@
+/// <reference types="node" resolution-mode="require"/>
+/// <reference types="node" resolution-mode="require"/>
+import * as https from 'https';
+import * as http from 'http';
+import { KeyCollector, KeyResult } from './KeyCollector.js';
+export type RemoteJWKSCollectorOptions = {
+    /**
+     * Blocks IP Ranges from the BLOCKED_IP_RANGES array
+     */
+    block_local_ip?: boolean;
+};
+/**
+ * Set of keys fetched from JWKS URI.
+ */
+export declare class RemoteJWKSCollector implements KeyCollector {
+    protected options?: RemoteJWKSCollectorOptions | undefined;
+    private url;
+    constructor(url: string, options?: RemoteJWKSCollectorOptions | undefined);
+    getKeys(): Promise<KeyResult>;
+    /**
+     * Resolve IP, and check that it is in an allowed range.
+     */
+    resolveAgent(): Promise<http.Agent | https.Agent>;
+}

package/dist/auth/RemoteJWKSCollector.js

@@ -0,0 +1,106 @@
+import * as https from 'https';
+import * as http from 'http';
+import * as dns from 'dns/promises';
+import ip from 'ipaddr.js';
+import * as jose from 'jose';
+import * as net from 'net';
+import fetch from 'node-fetch';
+import { KeySpec } from './KeySpec.js';
+/**
+ * Set of keys fetched from JWKS URI.
+ */
+export class RemoteJWKSCollector {
+    constructor(url, options) {
+        this.options = options;
+        try {
+            this.url = new URL(url);
+        }
+        catch (e) {
+            throw new Error(`Invalid jwks_uri: ${url}`);
+        }
+        // We do support http here for self-hosting use cases.
+        // Management service restricts this to https for hosted versions.
+        if (this.url.protocol != 'https:' && this.url.protocol != 'http:') {
+            throw new Error(`Only http(s) is supported for jwks_uri, got: ${url}`);
+        }
+    }
+    async getKeys() {
+        const abortController = new AbortController();
+        const timeout = setTimeout(() => {
+            abortController.abort();
+        }, 30000);
+        const res = await fetch(this.url, {
+            method: 'GET',
+            headers: {
+                Accept: 'application/json'
+            },
+            signal: abortController.signal,
+            agent: await this.resolveAgent()
+        });
+        if (!res.ok) {
+            throw new jose.errors.JWKSInvalid(`JWKS request failed with ${res.statusText}`);
+        }
+        const data = (await res.json());
+        clearTimeout(timeout);
+        // https://github.com/panva/jose/blob/358e864a0cccf1e0f9928a959f91f18f3f06a7de/src/jwks/local.ts#L36
+        if (data.keys == null ||
+            !Array.isArray(data.keys) ||
+            !data.keys.every((key) => typeof key == 'object' && !Array.isArray(key))) {
+            return { keys: [], errors: [new jose.errors.JWKSInvalid(`No keys in found in JWKS response`)] };
+        }
+        let keys = [];
+        for (let keyData of data.keys) {
+            if (keyData.kty != 'RSA') {
+                // Only RSA public keys supported here
+                continue;
+            }
+            if (typeof keyData.use == 'string') {
+                if (keyData.use != 'sig') {
+                    continue;
+                }
+            }
+            if (Array.isArray(keyData.key_ops)) {
+                if (!keyData.key_ops.includes('verify')) {
+                    continue;
+                }
+            }
+            const key = await KeySpec.importKey(keyData);
+            keys.push(key);
+        }
+        return { keys: keys, errors: [] };
+    }
+    /**
+     * Resolve IP, and check that it is in an allowed range.
+     */
+    async resolveAgent() {
+        const hostname = this.url.hostname;
+        let resolved_ip;
+        if (net.isIPv6(hostname)) {
+            throw new Error('IPv6 not supported yet');
+        }
+        else if (net.isIPv4(hostname)) {
+            // All good
+            resolved_ip = hostname;
+        }
+        else {
+            resolved_ip = (await dns.resolve4(hostname))[0];
+        }
+        const parsed = ip.parse(resolved_ip);
+        if (parsed.kind() != 'ipv4' || (this.options?.block_local_ip && parsed.range() !== 'unicast')) {
+            // Do not connect to any reserved IPs, including loopback and private ranges
+            throw new Error(`IPs in this range are not supported: ${resolved_ip}`);
+        }
+        const options = {
+            // This is the host that the agent connects to
+            host: resolved_ip
+        };
+        switch (this.url.protocol) {
+            case 'http:':
+                return new http.Agent(options);
+            case 'https:':
+                return new https.Agent(options);
+        }
+        throw new Error('http or or https is required for protocol');
+    }
+}
+//# sourceMappingURL=RemoteJWKSCollector.js.map

package/dist/auth/RemoteJWKSCollector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RemoteJWKSCollector.js","sourceRoot":"","sources":["../../src/auth/RemoteJWKSCollector.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,GAAG,MAAM,cAAc,CAAC;AACpC,OAAO,EAAE,MAAM,WAAW,CAAC;AAC3B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,GAAG,MAAM,KAAK,CAAC;AAC3B,OAAO,KAAK,MAAM,YAAY,CAAC;AAE/B,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAUvC;;GAEG;AACH,MAAM,OAAO,mBAAmB;IAG9B,YAAY,GAAW,EAAY,OAAoC;QAApC,YAAO,GAAP,OAAO,CAA6B;QACrE,IAAI,CAAC;YACH,IAAI,CAAC,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,qBAAqB,GAAG,EAAE,CAAC,CAAC;QAC9C,CAAC;QAED,sDAAsD;QACtD,kEAAkE;QAClE,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,QAAQ,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,EAAE,CAAC;YAClE,MAAM,IAAI,KAAK,CAAC,gDAAgD,GAAG,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,eAAe,GAAG,IAAI,eAAe,EAAE,CAAC;QAC9C,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,eAAe,CAAC,KAAK,EAAE,CAAC;QAC1B,CAAC,EAAE,KAAM,CAAC,CAAC;QAEX,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,MAAM,EAAE,kBAAkB;aAC3B;YACD,MAAM,EAAE,eAAe,CAAC,MAAM;YAC9B,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,EAAE;SACjC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,4BAA4B,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;QAClF,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAQ,CAAC;QAEvC,YAAY,CAAC,OAAO,CAAC,CAAC;QAEtB,oGAAoG;QACpG,IACE,IAAI,CAAC,IAAI,IAAI,IAAI;YACjB,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;YACzB,CAAE,IAAI,CAAC,IAAc,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,GAAG,IAAI,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,EACnF,CAAC;YACD,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,mCAAmC,CAAC,CAAC,EAAE,CAAC;QAClG,CAAC;QAED,IAAI,IAAI,GAAc,EAAE,CAAC;QACzB,KAAK,IAAI,OAAO,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YAC9B,IAAI,OAAO,CAAC,GAAG,IAAI,KAAK,EAAE,CAAC;gBACzB,sCAAsC;gBACtC,SAAS;YACX,CAAC;YAED,IAAI,OAAO,OAAO,CAAC,GAAG,IAAI,QAAQ,EAAE,CAAC;gBACnC,IAAI,OAAO,CAAC,GAAG,IAAI,KAAK,EAAE,CAAC;oBACzB,SAAS;gBACX,CAAC;YACH,CAAC;YACD,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACxC,SAAS;gBACX,CAAC;YACH,CAAC;YAED,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YAC7C,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjB,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY;QAChB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;QACnC,IAAI,WAAmB,CAAC;QACxB,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5C,CAAC;aAAM,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChC,WAAW;YACX,WAAW,GAAG,QAAQ,CAAC;QACzB,CAAC;aAAM,CAAC;YACN,WAAW,GAAG,CAAC,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACrC,IAAI,MAAM,CAAC,IAAI,EAAE,IAAI,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,IAAI,MAAM,CAAC,KAAK,EAAE,KAAK,SAAS,CAAC,EAAE,CAAC;YAC9F,4EAA4E;YAC5E,MAAM,IAAI,KAAK,CAAC,wCAAwC,WAAW,EAAE,CAAC,CAAC;QACzE,CAAC;QAED,MAAM,OAAO,GAAG;YACd,8CAA8C;YAC9C,IAAI,EAAE,WAAW;SAClB,CAAC;QAEF,QAAQ,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAC1B,KAAK,OAAO;gBACV,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACjC,KAAK,QAAQ;gBACX,OAAO,IAAI,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACpC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;CACF"}

package/dist/auth/StaticKeyCollector.d.ts

@@ -0,0 +1,14 @@
+import * as jose from 'jose';
+import { KeySpec } from './KeySpec.js';
+import { KeyCollector, KeyResult } from './KeyCollector.js';
+/**
+ * Set of static keys.
+ *
+ * A key can be added both with and without a kid, in case wildcard matching is desired.
+ */
+export declare class StaticKeyCollector implements KeyCollector {
+    private keys;
+    static importKeys(keys: jose.JWK[]): Promise<StaticKeyCollector>;
+    constructor(keys: KeySpec[]);
+    getKeys(): Promise<KeyResult>;
+}

package/dist/auth/StaticKeyCollector.js

@@ -0,0 +1,19 @@
+import { KeySpec } from './KeySpec.js';
+/**
+ * Set of static keys.
+ *
+ * A key can be added both with and without a kid, in case wildcard matching is desired.
+ */
+export class StaticKeyCollector {
+    static async importKeys(keys) {
+        const parsedKeys = await Promise.all(keys.map((key) => KeySpec.importKey(key)));
+        return new StaticKeyCollector(parsedKeys);
+    }
+    constructor(keys) {
+        this.keys = keys;
+    }
+    async getKeys() {
+        return { keys: this.keys, errors: [] };
+    }
+}
+//# sourceMappingURL=StaticKeyCollector.js.map

package/dist/auth/StaticKeyCollector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"StaticKeyCollector.js","sourceRoot":"","sources":["../../src/auth/StaticKeyCollector.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAGvC;;;;GAIG;AACH,MAAM,OAAO,kBAAkB;IAC7B,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,IAAgB;QACtC,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAChF,OAAO,IAAI,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAC5C,CAAC;IAED,YAAoB,IAAe;QAAf,SAAI,GAAJ,IAAI,CAAW;IAAG,CAAC;IAEvC,KAAK,CAAC,OAAO;QACX,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IACzC,CAAC;CACF"}

package/dist/auth/SupabaseKeyCollector.d.ts

@@ -0,0 +1,22 @@
+import * as jose from 'jose';
+import { KeyCollector } from './KeyCollector.js';
+import { KeySpec } from './KeySpec.js';
+import { ResolvedConnection } from '../util/config/types.js';
+/**
+ * Fetches key from the Supabase database.
+ *
+ * Unfortunately, despite the JWTs containing a kid, we have no way to lookup that kid
+ * before receiving a valid token.
+ */
+export declare class SupabaseKeyCollector implements KeyCollector {
+    private pool;
+    private keyOptions;
+    constructor(connection: ResolvedConnection);
+    getKeys(): Promise<{
+        keys: never[];
+        errors: jose.errors.JWKSNoMatchingKey[];
+    } | {
+        keys: KeySpec[];
+        errors: never[];
+    }>;
+}

package/dist/auth/SupabaseKeyCollector.js

@@ -0,0 +1,61 @@
+import * as jose from 'jose';
+import { connectPgWirePool, pgwireRows } from '@powersync/service-jpgwire';
+import { KeySpec } from './KeySpec.js';
+import { retriedQuery } from '../util/pgwire_utils.js';
+/**
+ * Fetches key from the Supabase database.
+ *
+ * Unfortunately, despite the JWTs containing a kid, we have no way to lookup that kid
+ * before receiving a valid token.
+ */
+export class SupabaseKeyCollector {
+    constructor(connection) {
+        this.keyOptions = {
+            requiresAudience: ['authenticated'],
+            maxLifetimeSeconds: 86400 * 7 + 1200 // 1 week + 20 minutes margin
+        };
+        this.pool = connectPgWirePool(connection, {
+            // To avoid overloading the source database with open connections,
+            // limit to a single connection, and close the connection shortly
+            // after using it.
+            idleTimeout: 5000,
+            maxSize: 1
+        });
+    }
+    async getKeys() {
+        let row;
+        try {
+            const rows = pgwireRows(await retriedQuery(this.pool, `SELECT current_setting('app.settings.jwt_secret') as jwt_secret`));
+            row = rows[0];
+        }
+        catch (e) {
+            if (e.message?.includes('unrecognized configuration parameter')) {
+                throw new jose.errors.JOSEError(`Generate a new JWT secret on Supabase. Cause: ${e.message}`);
+            }
+            else {
+                throw e;
+            }
+        }
+        const secret = row?.jwt_secret;
+        if (secret == null) {
+            return {
+                keys: [],
+                errors: [new jose.errors.JWKSNoMatchingKey()]
+            };
+        }
+        else {
+            const key = {
+                kty: 'oct',
+                alg: 'HS256',
+                // While the secret is valid base64, the base64-encoded form is the secret value.
+                k: Buffer.from(secret, 'utf8').toString('base64url')
+            };
+            const imported = await KeySpec.importKey(key, this.keyOptions);
+            return {
+                keys: [imported],
+                errors: []
+            };
+        }
+    }
+}
+//# sourceMappingURL=SupabaseKeyCollector.js.map