@powersync/service-core 1.13.3 → 1.13.4

package/src/auth/RemoteJWKSCollector.ts

@@ -49,9 +49,10 @@ export class RemoteJWKSCollector implements KeyCollector {
 
   private async getJwksData(): Promise<any> {
     const abortController = new AbortController();
+    const REQUEST_TIMEOUT_SECONDS = 30;
     const timeout = setTimeout(() => {
       abortController.abort();
-    }, 30_000);
+    }, REQUEST_TIMEOUT_SECONDS * 1000);
 
     try {
       const res = await fetch(this.url, {
@@ -71,11 +72,14 @@ export class RemoteJWKSCollector implements KeyCollector {
 
       return (await res.json()) as any;
     } catch (e) {
+      if (e instanceof Error && e.name === 'AbortError') {
+        e = { message: `Request timed out in ${REQUEST_TIMEOUT_SECONDS}s`, name: 'AbortError' };
+      }
       throw new AuthorizationError(ErrorCode.PSYNC_S2204, `JWKS request failed`, {
         configurationDetails: `JWKS URL: ${this.url}`,
         // This covers most cases of FetchError
         // `cause: e` could lose the error message
-        cause: { message: e.message, code: e.code }
+        cause: { message: e.message, code: e.code, name: e.name }
       });
     } finally {
       clearTimeout(timeout);

package/src/routes/auth.ts

@@ -1,10 +1,7 @@
-import * as jose from 'jose';
-
+import { AuthorizationError, AuthorizationResponse, ErrorCode } from '@powersync/lib-services-framework';
 import * as auth from '../auth/auth-index.js';
 import { ServiceContext } from '../system/ServiceContext.js';
-import * as util from '../util/util-index.js';
 import { BasicRouterRequest, Context, RequestEndpointHandlerPayload } from './router.js';
-import { AuthorizationError, AuthorizationResponse, ErrorCode, ServiceError } from '@powersync/lib-services-framework';
 
 export function endpoint(req: BasicRouterRequest) {
   const protocol = req.headers['x-forwarded-proto'] ?? req.protocol;
@@ -12,81 +9,6 @@ export function endpoint(req: BasicRouterRequest) {
   return `${protocol}://${host}`;
 }
 
-function devAudience(req: BasicRouterRequest): string {
-  return `${endpoint(req)}/dev`;
-}
-
-/**
- * @deprecated
- *
- * Will be replaced by temporary tokens issued by PowerSync Management service.
- */
-export async function issueDevToken(req: BasicRouterRequest, user_id: string, config: util.ResolvedPowerSyncConfig) {
-  const iss = devAudience(req);
-  const aud = devAudience(req);
-
-  const key = config.dev.dev_key;
-  if (key == null) {
-    throw new Error('Auth disabled');
-  }
-
-  return await new jose.SignJWT({})
-    .setProtectedHeader({ alg: key.source.alg!, kid: key.kid })
-    .setSubject(user_id)
-    .setIssuedAt()
-    .setIssuer(iss)
-    .setAudience(aud)
-    .setExpirationTime('30d')
-    .sign(key.key);
-}
-
-/** @deprecated */
-export async function issueLegacyDevToken(
-  req: BasicRouterRequest,
-  user_id: string,
-  config: util.ResolvedPowerSyncConfig
-) {
-  const iss = devAudience(req);
-  const aud = config.jwt_audiences[0];
-
-  const key = config.dev.dev_key;
-  if (key == null || aud == null) {
-    throw new Error('Auth disabled');
-  }
-
-  return await new jose.SignJWT({})
-    .setProtectedHeader({ alg: key.source.alg!, kid: key.kid })
-    .setSubject(user_id)
-    .setIssuedAt()
-    .setIssuer(iss)
-    .setAudience(aud)
-    .setExpirationTime('60m')
-    .sign(key.key);
-}
-
-export async function issuePowerSyncToken(
-  req: BasicRouterRequest,
-  user_id: string,
-  config: util.ResolvedPowerSyncConfig
-) {
-  const iss = devAudience(req);
-  const aud = config.jwt_audiences[0];
-  const key = config.dev.dev_key;
-  if (key == null || aud == null) {
-    throw new Error('Auth disabled');
-  }
-
-  const jwt = await new jose.SignJWT({})
-    .setProtectedHeader({ alg: key.source.alg!, kid: key.kid })
-    .setSubject(user_id)
-    .setIssuedAt()
-    .setIssuer(iss)
-    .setAudience(aud)
-    .setExpirationTime('5m')
-    .sign(key.key);
-  return jwt;
-}
-
 export function getTokenFromHeader(authHeader: string = ''): string | null {
   const tokenMatch = /^(Token|Bearer) (\S+)$/.exec(authHeader);
   if (!tokenMatch) {
@@ -146,51 +68,6 @@ export async function generateContext(serviceContext: ServiceContext, token: str
   }
 }
 
-/**
- * @deprecated
- */
-export const authDevUser = async (payload: RequestEndpointHandlerPayload) => {
-  const {
-    context: {
-      service_context: { configuration }
-    }
-  } = payload;
-
-  const token = getTokenFromHeader(payload.request.headers.authorization as string);
-  if (!configuration.dev.demo_auth) {
-    return {
-      authorized: false,
-      errors: ['Authentication disabled']
-    };
-  }
-  if (token == null) {
-    return {
-      authorized: false,
-      errors: ['Authentication required']
-    };
-  }
-
-  // Different from the configured audience.
-  // Should also not be changed by keys
-  const audience = [devAudience(payload.request)];
-
-  let tokenPayload: auth.JwtPayload;
-  try {
-    tokenPayload = await configuration.dev_client_keystore.verifyJwt(token, {
-      defaultAudiences: audience,
-      maxAge: '31d'
-    });
-  } catch (err) {
-    return {
-      authorized: false,
-      errors: [err.message]
-    };
-  }
-
-  payload.context.user_id = tokenPayload.sub;
-  return { authorized: true };
-};
-
 export const authApi = (payload: RequestEndpointHandlerPayload) => {
   const {
     context: {

package/src/util/config/compound-config-collector.ts

@@ -42,8 +42,6 @@ export type ConfigCollectorListener = {
   configCollected?: (event: ConfigCollectedEvent) => Promise<void>;
 };
 
-const POWERSYNC_DEV_KID = 'powersync-dev';
-
 const DEFAULT_COLLECTOR_OPTIONS: CompoundConfigCollectorOptions = {
   configCollectors: [new Base64ConfigCollector(), new FileSystemConfigCollector(), new FallbackConfigCollector()],
   syncRulesCollectors: [
@@ -117,13 +115,6 @@ export class CompoundConfigCollector {
       collectors.add(new auth.CachedKeyCollector(new auth.RemoteJWKSCollector(uri, { lookupOptions: jwksLookup })));
     }
 
-    const baseDevKey = (baseConfig.client_auth?.jwks?.keys ?? []).find((key) => key.kid == POWERSYNC_DEV_KID);
-
-    let devKey: auth.KeySpec | undefined;
-    if (baseConfig.dev?.demo_auth && baseDevKey != null && baseDevKey.kty == 'oct') {
-      devKey = await auth.KeySpec.importKey(baseDevKey);
-    }
-
     const sync_rules = await this.collectSyncRules(baseConfig, runnerConfig);
 
     let jwt_audiences: string[] = baseConfig.client_auth?.audience ?? [];
@@ -138,14 +129,7 @@ export class CompoundConfigCollector {
         }
       },
       client_keystore: keyStore,
-      // Dev tokens only use the static keys, no external key sources
-      // We may restrict this even further to only the powersync-dev key.
-      dev_client_keystore: new auth.KeyStore(staticCollector),
       api_tokens: baseConfig.api?.tokens ?? [],
-      dev: {
-        demo_auth: baseConfig.dev?.demo_auth ?? false,
-        dev_key: devKey
-      },
       port: baseConfig.port ?? 8080,
       sync_rules,
       jwt_audiences,

package/src/util/config/types.ts

@@ -32,18 +32,7 @@ export type ResolvedPowerSyncConfig = {
   base_config: configFile.PowerSyncConfig;
   connections?: configFile.GenericDataSourceConfig[];
   storage: configFile.GenericStorageConfig;
-  dev: {
-    demo_auth: boolean;
-    /**
-     * Only present when demo_auth == true
-     */
-    dev_key?: KeySpec;
-  };
   client_keystore: KeyStore<CompoundKeyCollector>;
-  /**
-   * Keystore for development tokens.
-   */
-  dev_client_keystore: KeyStore;
   port: number;
   sync_rules: SyncRulesConfig;
   api_tokens: string[];

package/src/util/util-index.ts

@@ -6,6 +6,7 @@ export * from './protocol-types.js';
 export * from './secs.js';
 export * from './utils.js';
 export * from './checkpointing.js';
+export * from './version.js';
 
 export * from './config.js';
 export * from './config/compound-config-collector.js';

package/src/util/version.ts

@@ -0,0 +1,3 @@
+import pkg from '../../package.json' with { type: 'json' };
+
+export const POWERSYNC_VERSION = pkg.version;