@powersync/service-core 1.13.2 → 1.13.4

package/src/auth/CachedKeyCollector.ts

@@ -3,7 +3,7 @@ import timers from 'timers/promises';
 import { KeySpec } from './KeySpec.js';
 import { LeakyBucket } from './LeakyBucket.js';
 import { KeyCollector, KeyResult } from './KeyCollector.js';
-import { AuthorizationError } from '@powersync/lib-services-framework';
+import { AuthorizationError, ErrorCode, logger } from '@powersync/lib-services-framework';
 import { mapAuthConfigError } from './utils.js';
 
 /**
@@ -70,8 +70,21 @@ export class CachedKeyCollector implements KeyCollector {
       // e.g. in the case of waiting for error retries.
       // In the case of very slow requests, we don't wait for it to complete, but the
       // request can still complete in the background.
-      const timeout = timers.setTimeout(3000);
-      await Promise.race([this.refreshPromise, timeout]);
+      const WAIT_TIMEOUT_SECONDS = 3;
+      const timeout = timers.setTimeout(WAIT_TIMEOUT_SECONDS * 1000).then(() => {
+        throw new AuthorizationError(ErrorCode.PSYNC_S2204, `JWKS request failed`, {
+          cause: { message: `Key request timed out in ${WAIT_TIMEOUT_SECONDS}s`, name: 'AbortError' }
+        });
+      });
+      try {
+        await Promise.race([this.refreshPromise, timeout]);
+      } catch (e) {
+        if (e instanceof AuthorizationError) {
+          return { keys: this.currentKeys, errors: [...this.currentErrors, e] };
+        } else {
+          throw e;
+        }
+      }
     }
 
     return { keys: this.currentKeys, errors: this.currentErrors };
@@ -102,7 +115,16 @@ export class CachedKeyCollector implements KeyCollector {
       this.currentErrors = errors;
       this.keyTimestamp = Date.now();
       this.error = false;
+
+      // Due to caching and background refresh behavior, errors are not always propagated to the request handler,
+      // so we log them here.
+      for (let error of errors) {
+        logger.error(`Soft key refresh error`, error);
+      }
     } catch (e) {
+      // Due to caching and background refresh behavior, errors are not always propagated to the request handler,
+      // so we log them here.
+      logger.error(`Hard key refresh error`, e);
       this.error = true;
       // No result - keep previous keys
       this.currentErrors = [mapAuthConfigError(e)];

package/src/auth/KeySpec.ts

@@ -40,6 +40,20 @@ export class KeySpec {
     return this.source.kid;
   }
 
+  get description(): string {
+    let details: string[] = [];
+    details.push(`kid: ${this.kid ?? '*'}`);
+    details.push(`kty: ${this.source.kty}`);
+    if (this.source.alg != null) {
+      details.push(`alg: ${this.source.alg}`);
+    }
+    if (this.options.requiresAudience != null) {
+      details.push(`aud: ${this.options.requiresAudience.join(', ')}`);
+    }
+
+    return `<${details.filter((x) => x != null).join(', ')}>`;
+  }
+
   matchesAlgorithm(jwtAlg: string): boolean {
     if (this.source.alg) {
       return jwtAlg === this.source.alg;

package/src/auth/KeyStore.ts

@@ -1,4 +1,4 @@
-import { logger, errors, AuthorizationError, ErrorCode } from '@powersync/lib-services-framework';
+import { AuthorizationError, ErrorCode, logger } from '@powersync/lib-services-framework';
 import * as jose from 'jose';
 import secs from '../util/secs.js';
 import { JwtPayload } from './JwtPayload.js';
@@ -169,7 +169,7 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
         ErrorCode.PSYNC_S2101,
         'Could not find an appropriate key in the keystore. The key is missing or no key matched the token KID',
         {
-          configurationDetails: `Known kid values: ${keys.map((key) => key.kid ?? '*').join(', ')}`
+          configurationDetails: `Known keys: ${keys.map((key) => key.description).join(', ')}`
           // tokenDetails automatically populated later
         }
       );

package/src/auth/RemoteJWKSCollector.ts

@@ -49,9 +49,10 @@ export class RemoteJWKSCollector implements KeyCollector {
 
   private async getJwksData(): Promise<any> {
     const abortController = new AbortController();
+    const REQUEST_TIMEOUT_SECONDS = 30;
     const timeout = setTimeout(() => {
       abortController.abort();
-    }, 30_000);
+    }, REQUEST_TIMEOUT_SECONDS * 1000);
 
     try {
       const res = await fetch(this.url, {
@@ -71,11 +72,14 @@ export class RemoteJWKSCollector implements KeyCollector {
 
       return (await res.json()) as any;
     } catch (e) {
+      if (e instanceof Error && e.name === 'AbortError') {
+        e = { message: `Request timed out in ${REQUEST_TIMEOUT_SECONDS}s`, name: 'AbortError' };
+      }
       throw new AuthorizationError(ErrorCode.PSYNC_S2204, `JWKS request failed`, {
         configurationDetails: `JWKS URL: ${this.url}`,
         // This covers most cases of FetchError
         // `cause: e` could lose the error message
-        cause: { message: e.message, code: e.code }
+        cause: { message: e.message, code: e.code, name: e.name }
       });
     } finally {
       clearTimeout(timeout);

package/src/routes/auth.ts

@@ -1,10 +1,7 @@
-import * as jose from 'jose';
-
+import { AuthorizationError, AuthorizationResponse, ErrorCode } from '@powersync/lib-services-framework';
 import * as auth from '../auth/auth-index.js';
 import { ServiceContext } from '../system/ServiceContext.js';
-import * as util from '../util/util-index.js';
 import { BasicRouterRequest, Context, RequestEndpointHandlerPayload } from './router.js';
-import { AuthorizationError, AuthorizationResponse, ErrorCode, ServiceError } from '@powersync/lib-services-framework';
 
 export function endpoint(req: BasicRouterRequest) {
   const protocol = req.headers['x-forwarded-proto'] ?? req.protocol;
@@ -12,81 +9,6 @@ export function endpoint(req: BasicRouterRequest) {
   return `${protocol}://${host}`;
 }
 
-function devAudience(req: BasicRouterRequest): string {
-  return `${endpoint(req)}/dev`;
-}
-
-/**
- * @deprecated
- *
- * Will be replaced by temporary tokens issued by PowerSync Management service.
- */
-export async function issueDevToken(req: BasicRouterRequest, user_id: string, config: util.ResolvedPowerSyncConfig) {
-  const iss = devAudience(req);
-  const aud = devAudience(req);
-
-  const key = config.dev.dev_key;
-  if (key == null) {
-    throw new Error('Auth disabled');
-  }
-
-  return await new jose.SignJWT({})
-    .setProtectedHeader({ alg: key.source.alg!, kid: key.kid })
-    .setSubject(user_id)
-    .setIssuedAt()
-    .setIssuer(iss)
-    .setAudience(aud)
-    .setExpirationTime('30d')
-    .sign(key.key);
-}
-
-/** @deprecated */
-export async function issueLegacyDevToken(
-  req: BasicRouterRequest,
-  user_id: string,
-  config: util.ResolvedPowerSyncConfig
-) {
-  const iss = devAudience(req);
-  const aud = config.jwt_audiences[0];
-
-  const key = config.dev.dev_key;
-  if (key == null || aud == null) {
-    throw new Error('Auth disabled');
-  }
-
-  return await new jose.SignJWT({})
-    .setProtectedHeader({ alg: key.source.alg!, kid: key.kid })
-    .setSubject(user_id)
-    .setIssuedAt()
-    .setIssuer(iss)
-    .setAudience(aud)
-    .setExpirationTime('60m')
-    .sign(key.key);
-}
-
-export async function issuePowerSyncToken(
-  req: BasicRouterRequest,
-  user_id: string,
-  config: util.ResolvedPowerSyncConfig
-) {
-  const iss = devAudience(req);
-  const aud = config.jwt_audiences[0];
-  const key = config.dev.dev_key;
-  if (key == null || aud == null) {
-    throw new Error('Auth disabled');
-  }
-
-  const jwt = await new jose.SignJWT({})
-    .setProtectedHeader({ alg: key.source.alg!, kid: key.kid })
-    .setSubject(user_id)
-    .setIssuedAt()
-    .setIssuer(iss)
-    .setAudience(aud)
-    .setExpirationTime('5m')
-    .sign(key.key);
-  return jwt;
-}
-
 export function getTokenFromHeader(authHeader: string = ''): string | null {
   const tokenMatch = /^(Token|Bearer) (\S+)$/.exec(authHeader);
   if (!tokenMatch) {
@@ -146,51 +68,6 @@ export async function generateContext(serviceContext: ServiceContext, token: str
   }
 }
 
-/**
- * @deprecated
- */
-export const authDevUser = async (payload: RequestEndpointHandlerPayload) => {
-  const {
-    context: {
-      service_context: { configuration }
-    }
-  } = payload;
-
-  const token = getTokenFromHeader(payload.request.headers.authorization as string);
-  if (!configuration.dev.demo_auth) {
-    return {
-      authorized: false,
-      errors: ['Authentication disabled']
-    };
-  }
-  if (token == null) {
-    return {
-      authorized: false,
-      errors: ['Authentication required']
-    };
-  }
-
-  // Different from the configured audience.
-  // Should also not be changed by keys
-  const audience = [devAudience(payload.request)];
-
-  let tokenPayload: auth.JwtPayload;
-  try {
-    tokenPayload = await configuration.dev_client_keystore.verifyJwt(token, {
-      defaultAudiences: audience,
-      maxAge: '31d'
-    });
-  } catch (err) {
-    return {
-      authorized: false,
-      errors: [err.message]
-    };
-  }
-
-  payload.context.user_id = tokenPayload.sub;
-  return { authorized: true };
-};
-
 export const authApi = (payload: RequestEndpointHandlerPayload) => {
   const {
     context: {

package/src/routes/configure-rsocket.ts

@@ -38,7 +38,9 @@ export function configureRSocket(router: ReactiveSocketRouter<Context>, options:
         const extracted_token = getTokenFromHeader(token);
         if (extracted_token != null) {
           const { context, tokenError } = await generateContext(options.service_context, extracted_token);
-          if (context?.token_payload == null) {
+          if (tokenError != null) {
+            throw tokenError;
+          } else if (context?.token_payload == null) {
             throw new errors.AuthorizationError(ErrorCode.PSYNC_S2106, 'Authentication required');
           }
 
@@ -46,7 +48,6 @@ export function configureRSocket(router: ReactiveSocketRouter<Context>, options:
             token,
             user_agent,
             ...context,
-            token_error: tokenError,
             service_context: service_context as RouterServiceContext,
             logger: connectionLogger
           };

package/src/routes/router.ts

@@ -17,7 +17,6 @@ export type Context = {
   service_context: RouterServiceContext;
 
   token_payload?: JwtPayload;
-  token_error?: ServiceError;
   /**
    * Only on websocket endpoints.
    */

package/src/util/config/compound-config-collector.ts

@@ -42,8 +42,6 @@ export type ConfigCollectorListener = {
   configCollected?: (event: ConfigCollectedEvent) => Promise<void>;
 };
 
-const POWERSYNC_DEV_KID = 'powersync-dev';
-
 const DEFAULT_COLLECTOR_OPTIONS: CompoundConfigCollectorOptions = {
   configCollectors: [new Base64ConfigCollector(), new FileSystemConfigCollector(), new FallbackConfigCollector()],
   syncRulesCollectors: [
@@ -117,13 +115,6 @@ export class CompoundConfigCollector {
       collectors.add(new auth.CachedKeyCollector(new auth.RemoteJWKSCollector(uri, { lookupOptions: jwksLookup })));
     }
 
-    const baseDevKey = (baseConfig.client_auth?.jwks?.keys ?? []).find((key) => key.kid == POWERSYNC_DEV_KID);
-
-    let devKey: auth.KeySpec | undefined;
-    if (baseConfig.dev?.demo_auth && baseDevKey != null && baseDevKey.kty == 'oct') {
-      devKey = await auth.KeySpec.importKey(baseDevKey);
-    }
-
     const sync_rules = await this.collectSyncRules(baseConfig, runnerConfig);
 
     let jwt_audiences: string[] = baseConfig.client_auth?.audience ?? [];
@@ -138,14 +129,7 @@ export class CompoundConfigCollector {
         }
       },
       client_keystore: keyStore,
-      // Dev tokens only use the static keys, no external key sources
-      // We may restrict this even further to only the powersync-dev key.
-      dev_client_keystore: new auth.KeyStore(staticCollector),
       api_tokens: baseConfig.api?.tokens ?? [],
-      dev: {
-        demo_auth: baseConfig.dev?.demo_auth ?? false,
-        dev_key: devKey
-      },
       port: baseConfig.port ?? 8080,
       sync_rules,
       jwt_audiences,

package/src/util/config/types.ts

@@ -32,18 +32,7 @@ export type ResolvedPowerSyncConfig = {
   base_config: configFile.PowerSyncConfig;
   connections?: configFile.GenericDataSourceConfig[];
   storage: configFile.GenericStorageConfig;
-  dev: {
-    demo_auth: boolean;
-    /**
-     * Only present when demo_auth == true
-     */
-    dev_key?: KeySpec;
-  };
   client_keystore: KeyStore<CompoundKeyCollector>;
-  /**
-   * Keystore for development tokens.
-   */
-  dev_client_keystore: KeyStore;
   port: number;
   sync_rules: SyncRulesConfig;
   api_tokens: string[];

package/src/util/util-index.ts

@@ -6,6 +6,7 @@ export * from './protocol-types.js';
 export * from './secs.js';
 export * from './utils.js';
 export * from './checkpointing.js';
+export * from './version.js';
 
 export * from './config.js';
 export * from './config/compound-config-collector.js';

package/src/util/version.ts

@@ -0,0 +1,3 @@
+import pkg from '../../package.json' with { type: 'json' };
+
+export const POWERSYNC_VERSION = pkg.version;