@pymthouse/builder-sdk 0.3.1 → 0.4.1-rc.1

package/dist/signer/webhook.cjs

@@ -0,0 +1,747 @@
+'use strict';
+
+var crypto = require('crypto');
+var oauth4webapi = require('oauth4webapi');
+var http = require('http');
+
+// src/signer/webhook/types.ts
+function isValidUsageIdentity(identity) {
+  return Boolean(
+    identity.issuer.trim() && identity.client_id.trim() && identity.usage_subject.trim() && identity.usage_subject_type.trim()
+  );
+}
+
+// src/errors.ts
+var PmtHouseError = class extends Error {
+  status;
+  code;
+  details;
+  constructor(message, {
+    status = 500,
+    code = "pymthouse_error",
+    details
+  } = {}) {
+    super(message);
+    this.name = "PmtHouseError";
+    this.status = status;
+    this.code = code;
+    this.details = details;
+  }
+};
+
+// src/signer/webhook/identity.ts
+var DEFAULT_WEBHOOK_IDENTITY_CLAIMS = {
+  claimClientId: "client_id",
+  claimUsageSubject: "sub",
+  usageSubjectType: "external_user_id"
+};
+function readClaim(payload, key) {
+  const value = payload[key];
+  if (typeof value === "string" && value.trim()) {
+    return value.trim();
+  }
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return value.toString().trim();
+  }
+  return "";
+}
+function identityFromWebhookClaims(claims, mapping = {}) {
+  const claimClientId = mapping.claimClientId ?? DEFAULT_WEBHOOK_IDENTITY_CLAIMS.claimClientId;
+  const claimUsageSubject = mapping.claimUsageSubject ?? DEFAULT_WEBHOOK_IDENTITY_CLAIMS.claimUsageSubject;
+  const defaultUsageSubjectType = mapping.usageSubjectType ?? DEFAULT_WEBHOOK_IDENTITY_CLAIMS.usageSubjectType;
+  let clientId = readClaim(claims, claimClientId);
+  if (!clientId) {
+    clientId = readClaim(claims, "azp");
+  }
+  const usageSubject = readClaim(claims, claimUsageSubject);
+  let usageSubjectType = defaultUsageSubjectType;
+  const claimUsageSubjectType = readClaim(claims, "usage_subject_type");
+  if (claimUsageSubjectType) {
+    usageSubjectType = claimUsageSubjectType;
+  }
+  const identity = {
+    issuer: readClaim(claims, "iss"),
+    client_id: clientId,
+    usage_subject: usageSubject,
+    usage_subject_type: usageSubjectType
+  };
+  if (!identity.issuer || !identity.client_id || !identity.usage_subject) {
+    throw new PmtHouseError("JWT missing required identity claims", {
+      status: 403,
+      code: "invalid_identity"
+    });
+  }
+  return identity;
+}
+function claimExpirySeconds(claims, fallbackTtlSeconds = 300) {
+  const exp = claims.exp;
+  if (typeof exp === "number" && Number.isFinite(exp)) {
+    return Math.trunc(exp);
+  }
+  if (typeof exp === "string" && exp.trim()) {
+    const parsed = Number(exp);
+    if (Number.isFinite(parsed)) {
+      return Math.trunc(parsed);
+    }
+  }
+  return Math.trunc(Date.now() / 1e3) + fallbackTtlSeconds;
+}
+
+// src/signer/webhook/payload.ts
+function headerValueFromWebhookPayload(headers, name) {
+  if (!headers) {
+    return "";
+  }
+  const target = name.toLowerCase();
+  for (const [key, values] of Object.entries(headers)) {
+    if (key.toLowerCase() !== target) {
+      continue;
+    }
+    if (!Array.isArray(values)) {
+      continue;
+    }
+    for (const value of values) {
+      if (typeof value === "string" && value.trim()) {
+        return value.trim();
+      }
+    }
+  }
+  return "";
+}
+function authorizationFromWebhookPayload(payload) {
+  const fromHeaders = headerValueFromWebhookPayload(
+    payload.headers,
+    "Authorization"
+  );
+  if (fromHeaders) {
+    return fromHeaders;
+  }
+  return payload.authorization?.trim() ?? "";
+}
+
+// src/signer/webhook/authorize.ts
+function authIdFromIdentity(identity) {
+  return `${identity.client_id}:${identity.usage_subject}`;
+}
+function timingSafeEqualStrings(a, b) {
+  const aBuffer = Buffer.from(a);
+  const bBuffer = Buffer.from(b);
+  if (aBuffer.length !== bBuffer.length) {
+    return false;
+  }
+  return crypto.timingSafeEqual(aBuffer, bBuffer);
+}
+function authenticateWebhookCaller(request, secret) {
+  if (!secret.trim()) {
+    return false;
+  }
+  const trimmed = secret.trim();
+  const auth = request.headers.get("authorization")?.trim() ?? "";
+  if (auth === `Bearer ${trimmed}`) {
+    return true;
+  }
+  const apiKey = request.headers.get("x-api-key")?.trim() ?? "";
+  if (apiKey && timingSafeEqualStrings(apiKey, trimmed)) {
+    return true;
+  }
+  const legacySecret = request.headers.get("x-webhook-secret")?.trim() ?? "";
+  if (legacySecret && timingSafeEqualStrings(legacySecret, trimmed)) {
+    return true;
+  }
+  return false;
+}
+function paymentWebhookJson(httpStatus, body) {
+  return new Response(JSON.stringify(body), {
+    status: httpStatus,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function rejectStatusFromError(err) {
+  if (err instanceof PmtHouseError) {
+    return {
+      status: err.status >= 400 && err.status < 600 ? err.status : 403,
+      reason: err.message
+    };
+  }
+  const reason = err instanceof Error ? err.message : "authorization rejected";
+  return { status: 403, reason };
+}
+async function handleRemoteSignerAuthorize(request, config) {
+  if (!authenticateWebhookCaller(request, config.webhookSecret)) {
+    return paymentWebhookJson(401, {
+      status: 401,
+      reason: "unauthorized webhook caller"
+    });
+  }
+  let payload;
+  try {
+    payload = await request.json();
+  } catch {
+    return paymentWebhookJson(400, {
+      status: 400,
+      reason: "invalid request json"
+    });
+  }
+  const authorization = authorizationFromWebhookPayload(payload) ?? "";
+  try {
+    const verified = await config.endUserAuth.verify({
+      authorization,
+      payload,
+      request
+    });
+    if (config.afterVerify) {
+      await config.afterVerify({
+        authorization,
+        payload,
+        request,
+        verified,
+        identity: verified.identity
+      });
+    }
+    return paymentWebhookJson(200, {
+      status: 200,
+      expiry: verified.expiry,
+      auth_id: authIdFromIdentity(verified.identity),
+      identity: verified.identity
+    });
+  } catch (err) {
+    const { status, reason } = rejectStatusFromError(err);
+    return paymentWebhookJson(200, {
+      status,
+      reason
+    });
+  }
+}
+function createRemoteSignerAuthorizeHandler(config) {
+  return (request) => handleRemoteSignerAuthorize(request, config);
+}
+async function routeRemoteSignerWebhookRequest(request, config) {
+  const url = new URL(request.url);
+  if (request.method === "POST" && url.pathname === "/authorize") {
+    return handleRemoteSignerAuthorize(request, config);
+  }
+  const adminRoutes = config.endUserAuth.adminRoutes ?? [];
+  for (const route of adminRoutes) {
+    if (request.method === route.method && url.pathname === route.pathname) {
+      return route.handler(request);
+    }
+  }
+  return null;
+}
+
+// src/signer/webhook/bearer.ts
+function bearerTokenFromAuthorization(authorization) {
+  const trimmed = authorization.trim();
+  if (!trimmed) {
+    throw new Error("missing authorization");
+  }
+  const prefix = "Bearer ";
+  if (!trimmed.startsWith(prefix)) {
+    throw new Error("authorization must be Bearer token");
+  }
+  const token = trimmed.slice(prefix.length).trim();
+  if (!token) {
+    throw new Error("empty bearer token");
+  }
+  return token;
+}
+
+// src/signer/webhook/adapters/api-key/verifier.ts
+function createApiKeyEndUserVerifier(config) {
+  const prefix = config.apiKeyPrefix ?? "sk_";
+  const defaultClientId = config.defaultClientId ?? "daydream-scope";
+  const defaultUsageSubjectType = config.defaultUsageSubjectType ?? "clerk_user_id";
+  const ttl = config.expiryTtlSeconds ?? 60;
+  return {
+    kind: "custom",
+    verify: async ({ authorization }) => {
+      const token = bearerTokenFromAuthorization(authorization);
+      if (prefix && !token.startsWith(prefix)) {
+        throw new PmtHouseError("invalid api key", {
+          status: 401,
+          code: "invalid_api_key"
+        });
+      }
+      const resolved = await config.resolveApiKey(token);
+      if (!resolved?.userId) {
+        throw new PmtHouseError("invalid api key", {
+          status: 401,
+          code: "invalid_api_key"
+        });
+      }
+      const identity = {
+        issuer: config.issuer,
+        client_id: resolved.clientId ?? defaultClientId,
+        usage_subject: resolved.userId,
+        usage_subject_type: resolved.usageSubjectType ?? defaultUsageSubjectType
+      };
+      return {
+        identity,
+        expiry: Math.trunc(Date.now() / 1e3) + ttl,
+        raw: resolved
+      };
+    }
+  };
+}
+
+// src/signer/webhook/adapters/composite/verifier.ts
+function createFirstMatchEndUserVerifier(verifiers) {
+  if (verifiers.length === 0) {
+    throw new PmtHouseError("at least one verifier is required", {
+      status: 500,
+      code: "invalid_verifier_config"
+    });
+  }
+  return {
+    kind: "custom",
+    verify: async (context) => {
+      let lastError;
+      for (const verifier of verifiers) {
+        try {
+          return await verifier.verify(context);
+        } catch (err) {
+          lastError = err;
+        }
+      }
+      if (lastError instanceof PmtHouseError) {
+        throw lastError;
+      }
+      if (lastError instanceof Error) {
+        throw new PmtHouseError(lastError.message, {
+          status: 401,
+          code: "invalid_credentials"
+        });
+      }
+      throw new PmtHouseError("invalid credentials", {
+        status: 401,
+        code: "invalid_credentials"
+      });
+    },
+    adminRoutes: verifiers.flatMap((verifier) => verifier.adminRoutes ?? [])
+  };
+}
+
+// src/string-utils.ts
+function stripTrailingSlashes(value) {
+  let end = value.length;
+  while (end > 0 && (value.codePointAt(end - 1) ?? 0) === 47) {
+    end--;
+  }
+  return value.slice(0, end);
+}
+
+// src/discovery.ts
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+var discoveryCache = /* @__PURE__ */ new Map();
+function normalizedIssuerKey(issuerUrl) {
+  return stripTrailingSlashes(issuerUrl);
+}
+async function loadAuthorizationServer(issuerUrl, fetchImpl, options = {}) {
+  const key = normalizedIssuerKey(issuerUrl);
+  const now = Date.now();
+  const cached = discoveryCache.get(key);
+  if (!options.force && cached && now - cached.fetchedAt < CACHE_TTL_MS) {
+    return cached.as;
+  }
+  const issuerIdentifier = new URL(key);
+  const discoveryOpts = {
+    algorithm: "oidc",
+    [oauth4webapi.customFetch]: fetchImpl
+  };
+  if (options.allowInsecureHttp) {
+    discoveryOpts[oauth4webapi.allowInsecureRequests] = true;
+  }
+  let response;
+  try {
+    response = await oauth4webapi.discoveryRequest(issuerIdentifier, discoveryOpts);
+  } catch (e) {
+    throw mapDiscoveryNetworkError(e);
+  }
+  let as;
+  try {
+    as = await oauth4webapi.processDiscoveryResponse(issuerIdentifier, response);
+  } catch (e) {
+    throw mapOAuthDiscoveryError(e);
+  }
+  discoveryCache.set(key, { as, fetchedAt: now });
+  return as;
+}
+function mapOAuthDiscoveryError(error) {
+  if (error instanceof PmtHouseError) {
+    return error;
+  }
+  if (error instanceof Error) {
+    return new PmtHouseError(error.message, {
+      status: 500,
+      code: "oidc_discovery_invalid",
+      details: { cause: error.cause }
+    });
+  }
+  return new PmtHouseError("OIDC discovery failed", {
+    status: 500,
+    code: "oidc_discovery_invalid"
+  });
+}
+function mapDiscoveryNetworkError(error) {
+  if (error instanceof PmtHouseError) {
+    return error;
+  }
+  if (error instanceof Error) {
+    return new PmtHouseError(`Failed to load OIDC discovery: ${error.message}`, {
+      status: 502,
+      code: "oidc_discovery_failed"
+    });
+  }
+  return new PmtHouseError("Failed to load OIDC discovery", {
+    status: 502,
+    code: "oidc_discovery_failed"
+  });
+}
+function mapOAuthError(error) {
+  if (error instanceof PmtHouseError) {
+    return error;
+  }
+  if (error instanceof oauth4webapi.ResponseBodyError) {
+    const cause = error.cause;
+    const description = typeof error.error_description === "string" ? error.error_description : error.message;
+    const details = { ...cause };
+    if (typeof cause.error_uri === "string") {
+      details.error_uri = cause.error_uri;
+    }
+    return new PmtHouseError(description, {
+      status: error.status,
+      code: error.error,
+      details
+    });
+  }
+  if (error instanceof oauth4webapi.OperationProcessingError) {
+    return new PmtHouseError(error.message, {
+      status: 502,
+      code: error.code ?? "oauth_processing_error",
+      details: { cause: error.cause }
+    });
+  }
+  if (error instanceof Error) {
+    return new PmtHouseError(error.message, {
+      status: 500,
+      code: "unexpected_error"
+    });
+  }
+  return new PmtHouseError("Unexpected error", {
+    status: 500,
+    code: "unexpected_error"
+  });
+}
+
+// src/verify.ts
+async function verifyJwt(token, options) {
+  const fetchImpl = options.fetch ?? fetch;
+  const as = await loadAuthorizationServer(options.issuerUrl, fetchImpl, {
+    allowInsecureHttp: options.allowInsecureHttp
+  });
+  const request = new Request("https://resource.invalid/", {
+    headers: {
+      Authorization: `Bearer ${token}`
+    }
+  });
+  const httpOpts = {
+    [oauth4webapi.customFetch]: fetchImpl
+  };
+  if (options.allowInsecureHttp) {
+    httpOpts[oauth4webapi.allowInsecureRequests] = true;
+  }
+  try {
+    const claims = await oauth4webapi.validateJwtAccessToken(
+      as,
+      request,
+      options.audience,
+      httpOpts
+    );
+    if (options.requiredScopes?.length) {
+      const scopeStr = typeof claims.scope === "string" ? claims.scope : "";
+      const have = new Set(scopeStr.split(/\s+/).filter(Boolean));
+      for (const s of options.requiredScopes) {
+        if (!have.has(s)) {
+          throw new PmtHouseError(`Missing required scope: ${s}`, {
+            status: 403,
+            code: "insufficient_scope"
+          });
+        }
+      }
+    }
+    return claims;
+  } catch (e) {
+    throw mapOAuthError(e);
+  }
+}
+
+// src/signer/webhook/adapters/oidc/verifier.ts
+async function handleRemoteSignerRefreshJwks(request, config) {
+  if (!authenticateWebhookCaller(request, config.webhookSecret)) {
+    return new Response("unauthorized", { status: 401 });
+  }
+  try {
+    await loadAuthorizationServer(config.jwtIssuer, config.fetch ?? fetch, {
+      force: true,
+      allowInsecureHttp: config.allowInsecureHttp
+    });
+    return new Response(JSON.stringify({ status: "ok" }), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "jwks refresh failed";
+    return new Response(message, { status: 500 });
+  }
+}
+function createOidcEndUserVerifier(config) {
+  const claimMapping = {
+    ...DEFAULT_WEBHOOK_IDENTITY_CLAIMS,
+    ...config.claimMapping
+  };
+  return {
+    kind: "oidc",
+    verify: async ({ authorization }) => {
+      const token = bearerTokenFromAuthorization(authorization);
+      const audience = config.jwtAudience.trim();
+      if (!audience) {
+        throw new Error("jwt audience is required for webhook verification");
+      }
+      const claims = await verifyJwt(token, {
+        issuerUrl: config.jwtIssuer,
+        audience,
+        fetch: config.fetch,
+        allowInsecureHttp: config.allowInsecureHttp,
+        requiredScopes: config.requiredScopes
+      });
+      const claimsRecord = claims;
+      const identity = identityFromWebhookClaims(claimsRecord, claimMapping);
+      return {
+        identity,
+        expiry: claimExpirySeconds(claimsRecord),
+        raw: claimsRecord
+      };
+    },
+    adminRoutes: [
+      {
+        method: "POST",
+        pathname: "/admin/refresh-jwks",
+        handler: (request) => handleRemoteSignerRefreshJwks(request, config)
+      }
+    ]
+  };
+}
+
+// src/signer/webhook/adapters/oauth1/verifier.ts
+function createOAuth1EndUserVerifier(config) {
+  return {
+    kind: "oauth1",
+    verify: async () => {
+      if (!config.consumerKey.trim() || !config.consumerSecret.trim()) {
+        throw new Error("OAuth 1.0 consumer credentials are required");
+      }
+      throw new Error("OAuth 1.0 webhook verification is not implemented yet");
+    }
+  };
+}
+
+// src/signer/webhook/adapters/trusted-headers/verifier.ts
+var DEFAULT_DMZ_TRUSTED_HEADERS = {
+  issuer: "X-Livepeer-Usage-Issuer",
+  clientId: "X-Livepeer-Client-ID",
+  usageSubject: "X-Livepeer-Usage-Subject",
+  usageSubjectType: "X-Livepeer-Usage-Subject-Type"
+};
+function normalizeIssuer(value) {
+  let end = value.length;
+  while (end > 0 && value[end - 1] === "/") {
+    end -= 1;
+  }
+  return value.slice(0, end);
+}
+function identityFromTrustedHeaders(headers, config) {
+  const names = {
+    ...DEFAULT_DMZ_TRUSTED_HEADERS,
+    ...config.headerNames
+  };
+  const issuer = headerValueFromWebhookPayload(headers, names.issuer);
+  const clientId = headerValueFromWebhookPayload(headers, names.clientId);
+  const usageSubject = headerValueFromWebhookPayload(headers, names.usageSubject);
+  const usageSubjectType = headerValueFromWebhookPayload(headers, names.usageSubjectType) || "external_user_id";
+  if (!issuer || !clientId || !usageSubject) {
+    throw new PmtHouseError("missing trusted usage identity headers", {
+      status: 403,
+      code: "invalid_identity"
+    });
+  }
+  if (normalizeIssuer(issuer) !== normalizeIssuer(config.expectedIssuer.trim())) {
+    throw new PmtHouseError("trusted usage issuer mismatch", {
+      status: 403,
+      code: "invalid_identity"
+    });
+  }
+  return {
+    issuer,
+    client_id: clientId,
+    usage_subject: usageSubject,
+    usage_subject_type: usageSubjectType
+  };
+}
+function createTrustedHeadersEndUserVerifier(config) {
+  const expiryTtlSeconds = config.expiryTtlSeconds ?? 300;
+  return {
+    kind: "trusted_headers",
+    verify: async ({ payload }) => {
+      const identity = identityFromTrustedHeaders(payload.headers, config);
+      return {
+        identity,
+        expiry: Math.trunc(Date.now() / 1e3) + expiryTtlSeconds
+      };
+    }
+  };
+}
+
+// src/signer/webhook/adapters/oidc/config.ts
+function envTrim(env, key) {
+  const value = env[key]?.trim();
+  return value || void 0;
+}
+function createOidcRemoteSignerWebhookConfig(input) {
+  const { afterVerify, ...oidcConfig } = input;
+  return {
+    webhookSecret: oidcConfig.webhookSecret,
+    endUserAuth: createOidcEndUserVerifier(oidcConfig),
+    afterVerify
+  };
+}
+function createSignerDmzRemoteSignerWebhookConfig(input) {
+  const {
+    afterVerify,
+    dmzTrustedHeaders = true,
+    trustedHeaders,
+    ...oidcConfig
+  } = input;
+  const oidcVerifier = createOidcEndUserVerifier(oidcConfig);
+  const endUserAuth = dmzTrustedHeaders === false ? oidcVerifier : createFirstMatchEndUserVerifier([
+    createTrustedHeadersEndUserVerifier({
+      expectedIssuer: oidcConfig.jwtIssuer,
+      ...trustedHeaders
+    }),
+    oidcVerifier
+  ]);
+  return {
+    webhookSecret: oidcConfig.webhookSecret,
+    endUserAuth,
+    afterVerify
+  };
+}
+function readOidcRemoteSignerWebhookConfigFromEnv(env = process.env) {
+  const webhookSecret = envTrim(env, "WEBHOOK_SECRET");
+  const jwtIssuer = envTrim(env, "JWT_ISSUER");
+  const jwtAudience = envTrim(env, "JWT_AUDIENCE") ?? jwtIssuer;
+  if (!webhookSecret) {
+    throw new Error("WEBHOOK_SECRET is required");
+  }
+  if (!jwtIssuer) {
+    throw new Error("JWT_ISSUER is required");
+  }
+  if (!jwtAudience) {
+    throw new Error("JWT_AUDIENCE is required");
+  }
+  return createSignerDmzRemoteSignerWebhookConfig({
+    webhookSecret,
+    jwtIssuer,
+    jwtAudience,
+    claimMapping: {
+      claimClientId: envTrim(env, "CLAIM_CLIENT_ID") ?? "client_id",
+      claimUsageSubject: envTrim(env, "CLAIM_USAGE_SUBJECT") ?? "sub",
+      usageSubjectType: envTrim(env, "USAGE_SUBJECT_TYPE") ?? "external_user_id"
+    },
+    allowInsecureHttp: envTrim(env, "ALLOW_INSECURE_HTTP") === "1"
+  });
+}
+var readRemoteSignerWebhookConfigFromEnv = readOidcRemoteSignerWebhookConfigFromEnv;
+function startRemoteSignerWebhookServer(options = {}) {
+  const config = options.config ?? readOidcRemoteSignerWebhookConfigFromEnv();
+  const port = options.port ?? Number(process.env.PORT ?? 8090);
+  const addr = options.addr ?? process.env.ADDR ?? "0.0.0.0";
+  const server = http.createServer(async (req, res) => {
+    try {
+      const host = req.headers.host ?? "localhost";
+      const url = `http://${host}${req.url ?? "/"}`;
+      const headers = new Headers();
+      for (const [name, value] of Object.entries(req.headers)) {
+        if (typeof value === "string") {
+          headers.set(name, value);
+        } else if (Array.isArray(value)) {
+          for (const item of value) {
+            headers.append(name, item);
+          }
+        }
+      }
+      const chunks = [];
+      for await (const chunk of req) {
+        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+      }
+      const body = Buffer.concat(chunks);
+      const request = new Request(url, {
+        method: req.method,
+        headers,
+        body: req.method === "GET" || req.method === "HEAD" ? void 0 : body
+      });
+      const response = await routeRemoteSignerWebhookRequest(request, config) ?? new Response("not found", { status: 404 });
+      res.statusCode = response.status;
+      response.headers.forEach((value, name) => {
+        res.setHeader(name, value);
+      });
+      const responseBody = Buffer.from(await response.arrayBuffer());
+      res.end(responseBody);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "internal error";
+      res.statusCode = 500;
+      res.end(message);
+    }
+  });
+  server.listen(port, addr, () => {
+    console.log(
+      `[builder-sdk] remote signer identity webhook listening on http://${addr}:${port}`
+    );
+    console.log(
+      `[builder-sdk] end-user auth strategy=${config.endUserAuth.kind}`
+    );
+  });
+  return server;
+}
+
+// src/signer/webhook/index.ts
+function createRemoteSignerRefreshJwksHandler(config) {
+  return (request) => handleRemoteSignerRefreshJwks(request, config);
+}
+
+exports.DEFAULT_DMZ_TRUSTED_HEADERS = DEFAULT_DMZ_TRUSTED_HEADERS;
+exports.DEFAULT_WEBHOOK_IDENTITY_CLAIMS = DEFAULT_WEBHOOK_IDENTITY_CLAIMS;
+exports.authenticateWebhookCaller = authenticateWebhookCaller;
+exports.authorizationFromWebhookPayload = authorizationFromWebhookPayload;
+exports.bearerTokenFromAuthorization = bearerTokenFromAuthorization;
+exports.claimExpirySeconds = claimExpirySeconds;
+exports.createApiKeyEndUserVerifier = createApiKeyEndUserVerifier;
+exports.createFirstMatchEndUserVerifier = createFirstMatchEndUserVerifier;
+exports.createOAuth1EndUserVerifier = createOAuth1EndUserVerifier;
+exports.createOidcEndUserVerifier = createOidcEndUserVerifier;
+exports.createOidcRemoteSignerWebhookConfig = createOidcRemoteSignerWebhookConfig;
+exports.createRemoteSignerAuthorizeHandler = createRemoteSignerAuthorizeHandler;
+exports.createRemoteSignerRefreshJwksHandler = createRemoteSignerRefreshJwksHandler;
+exports.createSignerDmzRemoteSignerWebhookConfig = createSignerDmzRemoteSignerWebhookConfig;
+exports.createTrustedHeadersEndUserVerifier = createTrustedHeadersEndUserVerifier;
+exports.handleRemoteSignerAuthorize = handleRemoteSignerAuthorize;
+exports.handleRemoteSignerRefreshJwks = handleRemoteSignerRefreshJwks;
+exports.headerValueFromWebhookPayload = headerValueFromWebhookPayload;
+exports.identityFromTrustedHeaders = identityFromTrustedHeaders;
+exports.identityFromWebhookClaims = identityFromWebhookClaims;
+exports.isValidUsageIdentity = isValidUsageIdentity;
+exports.readOidcRemoteSignerWebhookConfigFromEnv = readOidcRemoteSignerWebhookConfigFromEnv;
+exports.readRemoteSignerWebhookConfigFromEnv = readRemoteSignerWebhookConfigFromEnv;
+exports.routeRemoteSignerWebhookRequest = routeRemoteSignerWebhookRequest;
+exports.startRemoteSignerWebhookServer = startRemoteSignerWebhookServer;
+//# sourceMappingURL=webhook.cjs.map
+//# sourceMappingURL=webhook.cjs.map