@pymthouse/builder-sdk 0.0.8

package/dist/env.js

@@ -0,0 +1,612 @@
+import { genericTokenEndpointRequest, processGenericTokenEndpointResponse, clientCredentialsGrantRequest, processClientCredentialsResponse, customFetch, allowInsecureRequests, discoveryRequest, processDiscoveryResponse, ResponseBodyError, OperationProcessingError } from 'oauth4webapi';
+
+// src/client.ts
+
+// src/encoding.ts
+function encodeClientSecretBasic(clientId, clientSecret) {
+  const raw = `${clientId}:${clientSecret}`;
+  const b64 = typeof Buffer !== "undefined" ? Buffer.from(raw, "utf8").toString("base64") : btoa(Array.from(new TextEncoder().encode(raw), (c) => String.fromCharCode(c)).join(""));
+  return `Basic ${b64}`;
+}
+
+// src/errors.ts
+var PmtHouseError = class extends Error {
+  status;
+  code;
+  details;
+  constructor(message, {
+    status = 500,
+    code = "pymthouse_error",
+    details
+  } = {}) {
+    super(message);
+    this.name = "PmtHouseError";
+    this.status = status;
+    this.code = code;
+    this.details = details;
+  }
+};
+
+// src/string-utils.ts
+function stripTrailingSlashes(value) {
+  let end = value.length;
+  while (end > 0 && value.charCodeAt(end - 1) === 47) {
+    end--;
+  }
+  return value.slice(0, end);
+}
+
+// src/discovery.ts
+function authorizationServerToOidcDocument(as) {
+  const tokenEndpoint = as.token_endpoint;
+  const jwksUri = as.jwks_uri;
+  if (!tokenEndpoint || !jwksUri) {
+    throw new PmtHouseError("OIDC discovery document is missing token_endpoint or jwks_uri", {
+      status: 500,
+      code: "oidc_discovery_invalid"
+    });
+  }
+  return {
+    issuer: as.issuer,
+    authorization_endpoint: as.authorization_endpoint ?? "",
+    token_endpoint: tokenEndpoint,
+    jwks_uri: jwksUri,
+    userinfo_endpoint: as.userinfo_endpoint,
+    device_authorization_endpoint: as.device_authorization_endpoint
+  };
+}
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+var discoveryCache = /* @__PURE__ */ new Map();
+function normalizedIssuerKey(issuerUrl) {
+  return stripTrailingSlashes(issuerUrl);
+}
+async function loadAuthorizationServer(issuerUrl, fetchImpl, options = {}) {
+  const key = normalizedIssuerKey(issuerUrl);
+  const now = Date.now();
+  const cached = discoveryCache.get(key);
+  if (!options.force && cached && now - cached.fetchedAt < CACHE_TTL_MS) {
+    return cached.as;
+  }
+  const issuerIdentifier = new URL(key);
+  const discoveryOpts = {
+    algorithm: "oidc",
+    [customFetch]: fetchImpl
+  };
+  if (options.allowInsecureHttp) {
+    discoveryOpts[allowInsecureRequests] = true;
+  }
+  let response;
+  try {
+    response = await discoveryRequest(issuerIdentifier, discoveryOpts);
+  } catch (e) {
+    throw mapDiscoveryNetworkError(e);
+  }
+  let as;
+  try {
+    as = await processDiscoveryResponse(issuerIdentifier, response);
+  } catch (e) {
+    throw mapOAuthDiscoveryError(e);
+  }
+  discoveryCache.set(key, { as, fetchedAt: now });
+  return as;
+}
+function mapOAuthDiscoveryError(error) {
+  if (error instanceof PmtHouseError) {
+    return error;
+  }
+  if (error instanceof Error) {
+    return new PmtHouseError(error.message, {
+      status: 500,
+      code: "oidc_discovery_invalid",
+      details: { cause: error.cause }
+    });
+  }
+  return new PmtHouseError("OIDC discovery failed", {
+    status: 500,
+    code: "oidc_discovery_invalid"
+  });
+}
+function mapDiscoveryNetworkError(error) {
+  if (error instanceof PmtHouseError) {
+    return error;
+  }
+  if (error instanceof Error) {
+    return new PmtHouseError(`Failed to load OIDC discovery: ${error.message}`, {
+      status: 502,
+      code: "oidc_discovery_failed"
+    });
+  }
+  return new PmtHouseError("Failed to load OIDC discovery", {
+    status: 502,
+    code: "oidc_discovery_failed"
+  });
+}
+var ACCEPTED_ISSUED_TOKEN_TYPES = /* @__PURE__ */ new Set([
+  "urn:ietf:params:oauth:token-type:access_token",
+  "urn:pmth:token-type:remote-signer-session"
+]);
+function mapOAuthError(error) {
+  if (error instanceof PmtHouseError) {
+    return error;
+  }
+  if (error instanceof ResponseBodyError) {
+    const cause = error.cause;
+    const description = typeof error.error_description === "string" ? error.error_description : error.message;
+    const details = { ...cause };
+    if (typeof cause.error_uri === "string") {
+      details.error_uri = cause.error_uri;
+    }
+    return new PmtHouseError(description, {
+      status: error.status,
+      code: error.error,
+      details
+    });
+  }
+  if (error instanceof OperationProcessingError) {
+    return new PmtHouseError(error.message, {
+      status: 502,
+      code: error.code ?? "oauth_processing_error",
+      details: { cause: error.cause }
+    });
+  }
+  if (error instanceof Error) {
+    return new PmtHouseError(error.message, {
+      status: 500,
+      code: "unexpected_error"
+    });
+  }
+  return new PmtHouseError("Unexpected error", {
+    status: 500,
+    code: "unexpected_error"
+  });
+}
+function tokenEndpointResponseToExchange(tr) {
+  const issued = tr.issued_token_type;
+  if (typeof issued !== "string" || !ACCEPTED_ISSUED_TOKEN_TYPES.has(issued)) {
+    throw new PmtHouseError("Token exchange returned an unexpected issued_token_type", {
+      status: 502,
+      code: "invalid_token_response",
+      details: { issued_token_type: issued }
+    });
+  }
+  const tt = tr.token_type;
+  if (typeof tt !== "string" || tt.toLowerCase() !== "bearer") {
+    throw new PmtHouseError("Token endpoint returned a non-Bearer token_type", {
+      status: 502,
+      code: "invalid_token_response",
+      details: { token_type: tt }
+    });
+  }
+  const expiresIn = tr.expires_in;
+  if (typeof expiresIn !== "number") {
+    throw new PmtHouseError("Token response missing expires_in", {
+      status: 502,
+      code: "invalid_token_response"
+    });
+  }
+  const scope = typeof tr.scope === "string" ? tr.scope : "";
+  return {
+    access_token: tr.access_token,
+    token_type: "Bearer",
+    expires_in: expiresIn,
+    scope,
+    issued_token_type: issued
+  };
+}
+function tokenEndpointResponseToClientCredentials(tr) {
+  const tt = tr.token_type;
+  if (typeof tt !== "string" || tt.toLowerCase() !== "bearer") {
+    throw new PmtHouseError("Token endpoint returned a non-Bearer token_type", {
+      status: 502,
+      code: "invalid_token_response",
+      details: { token_type: tt }
+    });
+  }
+  return {
+    access_token: tr.access_token,
+    token_type: "Bearer",
+    expires_in: tr.expires_in,
+    scope: typeof tr.scope === "string" ? tr.scope : void 0
+  };
+}
+function m2mClient(clientId) {
+  return { client_id: clientId };
+}
+
+// src/client.ts
+var TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
+var SUBJECT_ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
+var REQUESTED_ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
+var DEVICE_RESOURCE_PREFIX = "urn:pmth:device_code:";
+function normalizeUserCode(value) {
+  return value.replace(/[a-z]/g, (char) => char.toUpperCase()).replace(/\W/g, "");
+}
+function buildDeviceCodeResource(userCode) {
+  return `${DEVICE_RESOURCE_PREFIX}${normalizeUserCode(userCode)}`;
+}
+var PmtHouseClient = class {
+  issuerUrl;
+  publicClientId;
+  m2mClientId;
+  m2mClientSecret;
+  fetchImpl;
+  logger;
+  allowInsecureHttp;
+  constructor(options) {
+    this.issuerUrl = stripTrailingSlashes(options.issuerUrl);
+    this.publicClientId = options.publicClientId;
+    this.m2mClientId = options.m2mClientId;
+    this.m2mClientSecret = options.m2mClientSecret;
+    this.fetchImpl = options.fetch ?? fetch;
+    this.logger = options.logger;
+    this.allowInsecureHttp = options.allowInsecureHttp ?? false;
+  }
+  async getDiscovery(options = {}) {
+    const as = await loadAuthorizationServer(this.issuerUrl, this.fetchImpl, {
+      force: options.force,
+      allowInsecureHttp: this.allowInsecureHttp
+    });
+    return authorizationServerToOidcDocument(as);
+  }
+  verifyIssuer(iss) {
+    const candidate = stripTrailingSlashes(iss.trim());
+    return candidate === this.issuerUrl;
+  }
+  parseDeviceApprovalRedirect(searchParams) {
+    const issuer = searchParams.get("iss")?.trim() ?? "";
+    const targetLinkUri = searchParams.get("target_link_uri")?.trim() ?? "";
+    if (!issuer || !targetLinkUri) {
+      throw new PmtHouseError("Missing iss or target_link_uri", {
+        status: 400,
+        code: "invalid_request"
+      });
+    }
+    if (!this.verifyIssuer(issuer)) {
+      throw new PmtHouseError("Issuer mismatch for initiate login", {
+        status: 400,
+        code: "invalid_issuer"
+      });
+    }
+    let targetUrl;
+    try {
+      targetUrl = new URL(targetLinkUri);
+    } catch {
+      throw new PmtHouseError("target_link_uri is not a valid URL", {
+        status: 400,
+        code: "invalid_target"
+      });
+    }
+    const issuerOrigin = new URL(this.issuerUrl).origin;
+    if (targetUrl.origin !== issuerOrigin || targetUrl.pathname !== "/oidc/device") {
+      throw new PmtHouseError(
+        "target_link_uri does not point to the issuer device path",
+        {
+          status: 400,
+          code: "invalid_target"
+        }
+      );
+    }
+    const userCode = normalizeUserCode(targetUrl.searchParams.get("user_code") ?? "");
+    const clientId = targetUrl.searchParams.get("client_id")?.trim() ?? "";
+    if (!userCode || !clientId) {
+      throw new PmtHouseError("target_link_uri is missing user_code or client_id", {
+        status: 400,
+        code: "invalid_target"
+      });
+    }
+    return {
+      issuer,
+      targetLinkUri,
+      userCode,
+      clientId
+    };
+  }
+  async listAppUsers() {
+    const url = `${this.getAppsBaseUrl()}/users`;
+    return this.requestJson(url, {
+      method: "GET",
+      headers: this.builderHeaders(),
+      cache: "no-store"
+    });
+  }
+  async upsertAppUser(input) {
+    const payload = {
+      externalUserId: input.externalUserId
+    };
+    if (input.email) payload.email = input.email;
+    if (input.status) payload.status = input.status;
+    const url = `${this.getAppsBaseUrl()}/users`;
+    return this.requestJson(url, {
+      method: "POST",
+      headers: this.builderHeaders(),
+      body: JSON.stringify(payload),
+      cache: "no-store"
+    });
+  }
+  async deleteAppUser(params) {
+    const url = new URL(`${this.getAppsBaseUrl()}/users`);
+    url.searchParams.set("externalUserId", params.externalUserId);
+    return this.requestJson(url.toString(), {
+      method: "DELETE",
+      headers: this.builderHeaders(),
+      cache: "no-store"
+    });
+  }
+  async mintUserAccessToken(input) {
+    const url = `${this.getAppsBaseUrl()}/users/${encodeURIComponent(input.externalUserId)}/token`;
+    const body = input.scope ? { scope: input.scope } : {};
+    return this.requestJson(url, {
+      method: "POST",
+      headers: this.builderHeaders(),
+      body: JSON.stringify(body),
+      cache: "no-store"
+    });
+  }
+  async completeDeviceApproval(input) {
+    const as = await loadAuthorizationServer(this.issuerUrl, this.fetchImpl, {
+      allowInsecureHttp: this.allowInsecureHttp
+    });
+    const client = m2mClient(this.m2mClientId);
+    const clientAuth = this.m2mClientAuth();
+    const params = new URLSearchParams();
+    params.set("subject_token", input.userJwt);
+    params.set("subject_token_type", SUBJECT_ACCESS_TOKEN_TYPE);
+    params.set("resource", buildDeviceCodeResource(input.userCode));
+    try {
+      const response = await genericTokenEndpointRequest(
+        as,
+        client,
+        clientAuth,
+        TOKEN_EXCHANGE_GRANT,
+        params,
+        this.tokenEndpointFetchOptions()
+      );
+      const tr = await processGenericTokenEndpointResponse(
+        as,
+        client,
+        response
+      );
+      return tokenEndpointResponseToExchange(tr);
+    } catch (e) {
+      throw mapOAuthError(e);
+    }
+  }
+  async issueMachineAccessToken(scope = "sign:job") {
+    const as = await loadAuthorizationServer(this.issuerUrl, this.fetchImpl, {
+      allowInsecureHttp: this.allowInsecureHttp
+    });
+    const client = m2mClient(this.m2mClientId);
+    const clientAuth = this.m2mClientAuth();
+    const params = new URLSearchParams();
+    params.set("scope", scope);
+    try {
+      const response = await clientCredentialsGrantRequest(
+        as,
+        client,
+        clientAuth,
+        params,
+        this.tokenEndpointFetchOptions()
+      );
+      const tr = await processClientCredentialsResponse(
+        as,
+        client,
+        response
+      );
+      return tokenEndpointResponseToClientCredentials(tr);
+    } catch (e) {
+      throw mapOAuthError(e);
+    }
+  }
+  async exchangeForSignerSession(input) {
+    const as = await loadAuthorizationServer(this.issuerUrl, this.fetchImpl, {
+      allowInsecureHttp: this.allowInsecureHttp
+    });
+    const client = m2mClient(this.m2mClientId);
+    const clientAuth = this.m2mClientAuth();
+    const params = new URLSearchParams();
+    params.set("subject_token", input.userJwt);
+    params.set("subject_token_type", SUBJECT_ACCESS_TOKEN_TYPE);
+    params.set("requested_token_type", REQUESTED_ACCESS_TOKEN_TYPE);
+    const resourceCandidate = typeof input.resource === "string" && input.resource.trim() !== "" ? input.resource.trim() : this.issuerUrl;
+    params.set("resource", stripTrailingSlashes(resourceCandidate));
+    try {
+      const response = await genericTokenEndpointRequest(
+        as,
+        client,
+        clientAuth,
+        TOKEN_EXCHANGE_GRANT,
+        params,
+        this.tokenEndpointFetchOptions()
+      );
+      const tr = await processGenericTokenEndpointResponse(
+        as,
+        client,
+        response
+      );
+      return tokenEndpointResponseToExchange(tr);
+    } catch (e) {
+      throw mapOAuthError(e);
+    }
+  }
+  /**
+   * Mint a short-lived per-user JWT with the Builder API, then exchange it for
+   * a long-lived opaque signer session token at the PymtHouse OIDC token endpoint.
+   */
+  async mintUserSignerSessionToken(input) {
+    const userToken = await this.mintUserAccessToken({
+      externalUserId: input.externalUserId,
+      scope: input.scope ?? "sign:job"
+    });
+    return this.exchangeForSignerSession({
+      userJwt: userToken.access_token,
+      resource: input.resource
+    });
+  }
+  async createSignerSessionToken(params) {
+    if (params.userJwt) {
+      try {
+        return await this.exchangeForSignerSession({ userJwt: params.userJwt });
+      } catch (error) {
+        const err = this.asError(error);
+        this.logger?.warn?.("User JWT exchange failed, falling back to machine exchange", {
+          code: err.code,
+          status: err.status
+        });
+      }
+    }
+    const machineToken = await this.issueMachineAccessToken("sign:job");
+    if (!machineToken.access_token) {
+      throw new PmtHouseError("Client credentials flow did not return access_token", {
+        status: 502,
+        code: "invalid_token_response"
+      });
+    }
+    return this.exchangeForSignerSession({ userJwt: machineToken.access_token });
+  }
+  async getUsage(input = {}) {
+    const url = new URL(`${this.getAppsBaseUrl()}/usage`);
+    if (input.startDate) url.searchParams.set("startDate", input.startDate);
+    if (input.endDate) url.searchParams.set("endDate", input.endDate);
+    if (input.groupBy) url.searchParams.set("groupBy", input.groupBy);
+    if (input.userId) url.searchParams.set("userId", input.userId);
+    if (input.gatewayRequestId) url.searchParams.set("gatewayRequestId", input.gatewayRequestId);
+    return this.requestJson(url.toString(), {
+      method: "GET",
+      headers: this.builderHeaders(),
+      cache: "no-store"
+    });
+  }
+  tokenEndpointFetchOptions() {
+    const o = {
+      [customFetch]: this.fetchImpl
+    };
+    if (this.allowInsecureHttp) {
+      o[allowInsecureRequests] = true;
+    }
+    return o;
+  }
+  getAppsBaseUrl() {
+    return `${this.getIssuerOrigin()}/api/v1/apps/${encodeURIComponent(this.publicClientId)}`;
+  }
+  getIssuerOrigin() {
+    return new URL(this.issuerUrl).origin;
+  }
+  builderHeaders() {
+    return {
+      Authorization: encodeClientSecretBasic(this.m2mClientId, this.m2mClientSecret),
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    };
+  }
+  m2mClientAuth() {
+    return (_as, _client, _body, headers) => {
+      headers.set("Authorization", encodeClientSecretBasic(this.m2mClientId, this.m2mClientSecret));
+    };
+  }
+  async requestJson(url, init) {
+    this.logger?.debug?.("PmtHouse request", {
+      method: init.method ?? "GET",
+      url
+    });
+    const response = await this.fetchImpl(url, init);
+    const raw = await response.text();
+    const ct = response.headers.get("content-type") ?? "";
+    const looksJson = ct.includes("application/json") || ct.includes("json");
+    const parsed = raw && looksJson ? this.safeParseJson(raw) : raw ? null : null;
+    if (!response.ok) {
+      const details = parsed ?? {};
+      const description = typeof details.error_description === "string" ? details.error_description : typeof details.error === "string" ? details.error : `Request failed (${response.status})`;
+      throw new PmtHouseError(description, {
+        status: response.status,
+        code: typeof details.error === "string" ? details.error : "pymthouse_http_error",
+        details
+      });
+    }
+    if (!looksJson || parsed === null) {
+      throw new PmtHouseError("Expected JSON response from Builder or Usage API", {
+        status: 502,
+        code: "invalid_response",
+        details: { contentType: ct, preview: raw.slice(0, 200) }
+      });
+    }
+    if (!parsed) {
+      return {};
+    }
+    return parsed;
+  }
+  safeParseJson(value) {
+    try {
+      return JSON.parse(value);
+    } catch {
+      return null;
+    }
+  }
+  asError(error) {
+    if (error instanceof PmtHouseError) {
+      return error;
+    }
+    if (error instanceof Error) {
+      return new PmtHouseError(error.message, {
+        code: "unexpected_error",
+        status: 500
+      });
+    }
+    return new PmtHouseError("Unexpected error", {
+      code: "unexpected_error",
+      status: 500
+    });
+  }
+};
+
+// src/env.ts
+function assertEnvModuleServerOnly() {
+  if (typeof globalThis !== "undefined" && typeof globalThis.window !== "undefined") {
+    throw new Error(
+      "@pymthouse/builder-sdk/env is server-only: do not import createPmtHouseClientFromEnv or getPymthouseBaseUrl in client-side code. Use a Route Handler, Server Action, or other server/runtime; keep M2M credentials out of the browser bundle."
+    );
+  }
+}
+assertEnvModuleServerOnly();
+var cachedClient = null;
+function requiredEnv(name) {
+  const value = process.env[name];
+  if (value && value.trim()) {
+    return value.trim();
+  }
+  throw new PmtHouseError(`Missing required environment variable: ${name}`, {
+    status: 500,
+    code: "missing_env"
+  });
+}
+function getPymthouseBaseUrl() {
+  const issuerUrl = requiredEnv("PYMTHOUSE_ISSUER_URL");
+  return new URL(stripTrailingSlashes(issuerUrl)).origin;
+}
+function createPmtHouseClientFromEnv() {
+  if (cachedClient) {
+    return cachedClient;
+  }
+  const issuerUrl = requiredEnv("PYMTHOUSE_ISSUER_URL");
+  cachedClient = new PmtHouseClient({
+    issuerUrl,
+    publicClientId: requiredEnv("PYMTHOUSE_PUBLIC_CLIENT_ID"),
+    m2mClientId: requiredEnv("PYMTHOUSE_M2M_CLIENT_ID"),
+    m2mClientSecret: requiredEnv("PYMTHOUSE_M2M_CLIENT_SECRET"),
+    allowInsecureHttp: issuerUrl.startsWith("http:"),
+    logger: {
+      debug: (message, details) => {
+        if (process.env.NODE_ENV !== "production") {
+          console.debug(`[pymthouse] ${message}`, details ?? {});
+        }
+      },
+      warn: (message, details) => {
+        console.warn(`[pymthouse] ${message}`, details ?? {});
+      }
+    }
+  });
+  return cachedClient;
+}
+
+export { createPmtHouseClientFromEnv, getPymthouseBaseUrl };
+//# sourceMappingURL=env.js.map
+//# sourceMappingURL=env.js.map