@pymthouse/builder-sdk 0.3.1 → 0.4.1-rc.2

package/dist/signer/webhook/adapters/trusted-headers.cjs

@@ -0,0 +1,110 @@
+'use strict';
+
+// src/errors.ts
+var PmtHouseError = class extends Error {
+  status;
+  code;
+  details;
+  constructor(message, {
+    status = 500,
+    code = "pymthouse_error",
+    details
+  } = {}) {
+    super(message);
+    this.name = "PmtHouseError";
+    this.status = status;
+    this.code = code;
+    this.details = details;
+  }
+};
+
+// src/signer/webhook/payload.ts
+function firstHeaderValue(values) {
+  if (!Array.isArray(values)) {
+    return "";
+  }
+  for (const value of values) {
+    if (typeof value === "string" && value.trim()) {
+      return value.trim();
+    }
+  }
+  return "";
+}
+function headerValueFromWebhookPayload(headers, name) {
+  if (!headers) {
+    return "";
+  }
+  const direct = firstHeaderValue(headers[name]);
+  if (direct) {
+    return direct;
+  }
+  const target = name.toLowerCase();
+  for (const [key, values] of Object.entries(headers)) {
+    if (key.toLowerCase() === target) {
+      return firstHeaderValue(values);
+    }
+  }
+  return "";
+}
+
+// src/signer/webhook/adapters/trusted-headers/verifier.ts
+var DEFAULT_DMZ_TRUSTED_HEADERS = {
+  issuer: "X-Livepeer-Usage-Issuer",
+  clientId: "X-Livepeer-Client-ID",
+  usageSubject: "X-Livepeer-Usage-Subject",
+  usageSubjectType: "X-Livepeer-Usage-Subject-Type"
+};
+function normalizeIssuer(value) {
+  let end = value.length;
+  while (end > 0 && value[end - 1] === "/") {
+    end -= 1;
+  }
+  return value.slice(0, end);
+}
+function identityFromTrustedHeaders(headers, config) {
+  const names = {
+    ...DEFAULT_DMZ_TRUSTED_HEADERS,
+    ...config.headerNames
+  };
+  const issuer = headerValueFromWebhookPayload(headers, names.issuer);
+  const clientId = headerValueFromWebhookPayload(headers, names.clientId);
+  const usageSubject = headerValueFromWebhookPayload(headers, names.usageSubject);
+  const usageSubjectType = headerValueFromWebhookPayload(headers, names.usageSubjectType) || "external_user_id";
+  if (!issuer || !clientId || !usageSubject) {
+    throw new PmtHouseError("missing trusted usage identity headers", {
+      status: 403,
+      code: "invalid_identity"
+    });
+  }
+  if (normalizeIssuer(issuer) !== normalizeIssuer(config.expectedIssuer.trim())) {
+    throw new PmtHouseError("trusted usage issuer mismatch", {
+      status: 403,
+      code: "invalid_identity"
+    });
+  }
+  return {
+    issuer,
+    client_id: clientId,
+    usage_subject: usageSubject,
+    usage_subject_type: usageSubjectType
+  };
+}
+function createTrustedHeadersEndUserVerifier(config) {
+  const expiryTtlSeconds = config.expiryTtlSeconds ?? 300;
+  return {
+    kind: "trusted_headers",
+    verify: async ({ payload }) => {
+      const identity = identityFromTrustedHeaders(payload.headers, config);
+      return {
+        identity,
+        expiry: Math.trunc(Date.now() / 1e3) + expiryTtlSeconds
+      };
+    }
+  };
+}
+
+exports.DEFAULT_DMZ_TRUSTED_HEADERS = DEFAULT_DMZ_TRUSTED_HEADERS;
+exports.createTrustedHeadersEndUserVerifier = createTrustedHeadersEndUserVerifier;
+exports.identityFromTrustedHeaders = identityFromTrustedHeaders;
+//# sourceMappingURL=trusted-headers.cjs.map
+//# sourceMappingURL=trusted-headers.cjs.map

package/dist/signer/webhook/adapters/trusted-headers.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/errors.ts","../../../../src/signer/webhook/payload.ts","../../../../src/signer/webhook/adapters/trusted-headers/verifier.ts"],"names":[],"mappings":";;;AAAO,IAAM,aAAA,GAAN,cAA4B,KAAA,CAAM;AAAA,EAC9B,MAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EAET,YACE,OAAA,EACA;AAAA,IACE,MAAA,GAAS,GAAA;AAAA,IACT,IAAA,GAAO,iBAAA;AAAA,IACP;AAAA,GACF,GAII,EAAC,EACL;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,eAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF,CAAA;;;ACrBA,SAAS,iBAAiB,MAAA,EAAsC;AAC9D,EAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,MAAM,CAAA,EAAG;AAC1B,IAAA,OAAO,EAAA;AAAA,EACT;AACA,EAAA,KAAA,MAAW,SAAS,MAAA,EAAQ;AAC1B,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,MAAK,EAAG;AAC7C,MAAA,OAAO,MAAM,IAAA,EAAK;AAAA,IACpB;AAAA,EACF;AACA,EAAA,OAAO,EAAA;AACT;AAEO,SAAS,6BAAA,CACd,SACA,IAAA,EACQ;AACR,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,OAAO,EAAA;AAAA,EACT;AACA,EAAA,MAAM,MAAA,GAAS,gBAAA,CAAiB,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC7C,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,MAAM,MAAA,GAAS,KAAK,WAAA,EAAY;AAChC,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,MAAM,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AACnD,IAAA,IAAI,GAAA,CAAI,WAAA,EAAY,KAAM,MAAA,EAAQ;AAChC,MAAA,OAAO,iBAAiB,MAAM,CAAA;AAAA,IAChC;AAAA,EACF;AACA,EAAA,OAAO,EAAA;AACT;;;AC3BO,IAAM,2BAAA,GAA8B;AAAA,EACzC,MAAA,EAAQ,yBAAA;AAAA,EACR,QAAA,EAAU,sBAAA;AAAA,EACV,YAAA,EAAc,0BAAA;AAAA,EACd,gBAAA,EAAkB;AACpB;AASA,SAAS,gBAAgB,KAAA,EAAuB;AAC9C,EAAA,IAAI,MAAM,KAAA,CAAM,MAAA;AAChB,EAAA,OAAO,MAAM,CAAA,IAAK,KAAA,CAAM,GAAA,GAAM,CAAC,MAAM,GAAA,EAAK;AACxC,IAAA,GAAA,IAAO,CAAA;AAAA,EACT;AACA,EAAA,OAAO,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA;AAC3B;AAEO,SAAS,0BAAA,CACd,SACA,MAAA,EACe;AACf,EAAA,MAAM,KAAA,GAAQ;AAAA,IACZ,GAAG,2BAAA;AAAA,IACH,GAAG,MAAA,CAAO;AAAA,GACZ;AACA,EAAA,MAAM,MAAA,GAAS,6BAAA,CAA8B,OAAA,EAAS,KAAA,CAAM,MAAM,CAAA;AAClE,EAAA,MAAM,QAAA,GAAW,6BAAA,CAA8B,OAAA,EAAS,KAAA,CAAM,QAAQ,CAAA;AACtE,EAAA,MAAM,YAAA,GAAe,6BAAA,CAA8B,OAAA,EAAS,KAAA,CAAM,YAAY,CAAA;AAC9E,EAAA,MAAM,gBAAA,GACJ,6BAAA,CAA8B,OAAA,EAAS,KAAA,CAAM,gBAAgB,CAAA,IAC7D,kBAAA;AAEF,EAAA,IAAI,CAAC,MAAA,IAAU,CAAC,QAAA,IAAY,CAAC,YAAA,EAAc;AACzC,IAAA,MAAM,IAAI,cAAc,wCAAA,EAA0C;AAAA,MAChE,MAAA,EAAQ,GAAA;AAAA,MACR,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAEA,EAAA,IACE,eAAA,CAAgB,MAAM,CAAA,KAAM,eAAA,CAAgB,OAAO,cAAA,CAAe,IAAA,EAAM,CAAA,EACxE;AACA,IAAA,MAAM,IAAI,cAAc,+BAAA,EAAiC;AAAA,MACvD,MAAA,EAAQ,GAAA;AAAA,MACR,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAEA,EAAA,OAAO;AAAA,IACL,MAAA;AAAA,IACA,SAAA,EAAW,QAAA;AAAA,IACX,aAAA,EAAe,YAAA;AAAA,IACf,kBAAA,EAAoB;AAAA,GACtB;AACF;AAEO,SAAS,oCACd,MAAA,EACqB;AACrB,EAAA,MAAM,gBAAA,GAAmB,OAAO,gBAAA,IAAoB,GAAA;AAEpD,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,iBAAA;AAAA,IACN,MAAA,EAAQ,OAAO,EAAE,OAAA,EAAQ,KAAM;AAC7B,MAAA,MAAM,QAAA,GAAW,0BAAA,CAA2B,OAAA,CAAQ,OAAA,EAAS,MAAM,CAAA;AACnE,MAAA,OAAO;AAAA,QACL,QAAA;AAAA,QACA,QAAQ,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI;AAAA,OAC1C;AAAA,IACF;AAAA,GACF;AACF","file":"trusted-headers.cjs","sourcesContent":["export class PmtHouseError extends Error {\n  readonly status: number;\n  readonly code: string;\n  readonly details?: unknown;\n\n  constructor(\n    message: string,\n    {\n      status = 500,\n      code = \"pymthouse_error\",\n      details,\n    }: {\n      status?: number;\n      code?: string;\n      details?: unknown;\n    } = {},\n  ) {\n    super(message);\n    this.name = \"PmtHouseError\";\n    this.status = status;\n    this.code = code;\n    this.details = details;\n  }\n}\n\nexport function toPmtHouseError(\n  error: unknown,\n  fallbackMessage: string,\n): PmtHouseError {\n  if (error instanceof PmtHouseError) {\n    return error;\n  }\n\n  if (error instanceof Error) {\n    return new PmtHouseError(error.message || fallbackMessage, {\n      code: \"unexpected_error\",\n      status: 500,\n    });\n  }\n\n  return new PmtHouseError(fallbackMessage, {\n    code: \"unexpected_error\",\n    status: 500,\n  });\n}\n","import type { PaymentWebhookRequest } from \"./types.js\";\n\nfunction firstHeaderValue(values: string[] | undefined): string {\n  if (!Array.isArray(values)) {\n    return \"\";\n  }\n  for (const value of values) {\n    if (typeof value === \"string\" && value.trim()) {\n      return value.trim();\n    }\n  }\n  return \"\";\n}\n\nexport function headerValueFromWebhookPayload(\n  headers: Record<string, string[]> | undefined,\n  name: string,\n): string {\n  if (!headers) {\n    return \"\";\n  }\n  const direct = firstHeaderValue(headers[name]);\n  if (direct) {\n    return direct;\n  }\n  const target = name.toLowerCase();\n  for (const [key, values] of Object.entries(headers)) {\n    if (key.toLowerCase() === target) {\n      return firstHeaderValue(values);\n    }\n  }\n  return \"\";\n}\n\n/** End-user Authorization from go-livepeer webhook body (headers map or legacy field). */\nexport function authorizationFromWebhookPayload(\n  payload: PaymentWebhookRequest,\n): string {\n  const fromHeaders = headerValueFromWebhookPayload(\n    payload.headers,\n    \"Authorization\",\n  );\n  if (fromHeaders) {\n    return fromHeaders;\n  }\n  return payload.authorization?.trim() ?? \"\";\n}\n","import { PmtHouseError } from \"../../../../errors.js\";\nimport { headerValueFromWebhookPayload } from \"../../payload.js\";\nimport type { EndUserAuthVerifier } from \"../../verifier.js\";\nimport type { UsageIdentity } from \"../../types.js\";\n\nexport const DEFAULT_DMZ_TRUSTED_HEADERS = {\n  issuer: \"X-Livepeer-Usage-Issuer\",\n  clientId: \"X-Livepeer-Client-ID\",\n  usageSubject: \"X-Livepeer-Usage-Subject\",\n  usageSubjectType: \"X-Livepeer-Usage-Subject-Type\",\n} as const;\n\nexport type TrustedHeadersEndUserAuthConfig = {\n  expectedIssuer: string;\n  headerNames?: Partial<typeof DEFAULT_DMZ_TRUSTED_HEADERS>;\n  /** Auth cache TTL returned to go-livepeer when headers are trusted. */\n  expiryTtlSeconds?: number;\n};\n\nfunction normalizeIssuer(value: string): string {\n  let end = value.length;\n  while (end > 0 && value[end - 1] === \"/\") {\n    end -= 1;\n  }\n  return value.slice(0, end);\n}\n\nexport function identityFromTrustedHeaders(\n  headers: Record<string, string[]> | undefined,\n  config: TrustedHeadersEndUserAuthConfig,\n): UsageIdentity {\n  const names = {\n    ...DEFAULT_DMZ_TRUSTED_HEADERS,\n    ...config.headerNames,\n  };\n  const issuer = headerValueFromWebhookPayload(headers, names.issuer);\n  const clientId = headerValueFromWebhookPayload(headers, names.clientId);\n  const usageSubject = headerValueFromWebhookPayload(headers, names.usageSubject);\n  const usageSubjectType =\n    headerValueFromWebhookPayload(headers, names.usageSubjectType) ||\n    \"external_user_id\";\n\n  if (!issuer || !clientId || !usageSubject) {\n    throw new PmtHouseError(\"missing trusted usage identity headers\", {\n      status: 403,\n      code: \"invalid_identity\",\n    });\n  }\n\n  if (\n    normalizeIssuer(issuer) !== normalizeIssuer(config.expectedIssuer.trim())\n  ) {\n    throw new PmtHouseError(\"trusted usage issuer mismatch\", {\n      status: 403,\n      code: \"invalid_identity\",\n    });\n  }\n\n  return {\n    issuer,\n    client_id: clientId,\n    usage_subject: usageSubject,\n    usage_subject_type: usageSubjectType,\n  };\n}\n\nexport function createTrustedHeadersEndUserVerifier(\n  config: TrustedHeadersEndUserAuthConfig,\n): EndUserAuthVerifier {\n  const expiryTtlSeconds = config.expiryTtlSeconds ?? 300;\n\n  return {\n    kind: \"trusted_headers\",\n    verify: async ({ payload }) => {\n      const identity = identityFromTrustedHeaders(payload.headers, config);\n      return {\n        identity,\n        expiry: Math.trunc(Date.now() / 1000) + expiryTtlSeconds,\n      };\n    },\n  };\n}\n"]}

package/dist/signer/webhook/adapters/trusted-headers.d.cts

@@ -0,0 +1,18 @@
+import { E as EndUserAuthVerifier, U as UsageIdentity } from '../../../verifier-B-WFDMz6.cjs';
+
+declare const DEFAULT_DMZ_TRUSTED_HEADERS: {
+    readonly issuer: "X-Livepeer-Usage-Issuer";
+    readonly clientId: "X-Livepeer-Client-ID";
+    readonly usageSubject: "X-Livepeer-Usage-Subject";
+    readonly usageSubjectType: "X-Livepeer-Usage-Subject-Type";
+};
+type TrustedHeadersEndUserAuthConfig = {
+    expectedIssuer: string;
+    headerNames?: Partial<typeof DEFAULT_DMZ_TRUSTED_HEADERS>;
+    /** Auth cache TTL returned to go-livepeer when headers are trusted. */
+    expiryTtlSeconds?: number;
+};
+declare function identityFromTrustedHeaders(headers: Record<string, string[]> | undefined, config: TrustedHeadersEndUserAuthConfig): UsageIdentity;
+declare function createTrustedHeadersEndUserVerifier(config: TrustedHeadersEndUserAuthConfig): EndUserAuthVerifier;
+
+export { DEFAULT_DMZ_TRUSTED_HEADERS, type TrustedHeadersEndUserAuthConfig, createTrustedHeadersEndUserVerifier, identityFromTrustedHeaders };

package/dist/signer/webhook/adapters/trusted-headers.d.ts

@@ -0,0 +1,18 @@
+import { E as EndUserAuthVerifier, U as UsageIdentity } from '../../../verifier-B-WFDMz6.js';
+
+declare const DEFAULT_DMZ_TRUSTED_HEADERS: {
+    readonly issuer: "X-Livepeer-Usage-Issuer";
+    readonly clientId: "X-Livepeer-Client-ID";
+    readonly usageSubject: "X-Livepeer-Usage-Subject";
+    readonly usageSubjectType: "X-Livepeer-Usage-Subject-Type";
+};
+type TrustedHeadersEndUserAuthConfig = {
+    expectedIssuer: string;
+    headerNames?: Partial<typeof DEFAULT_DMZ_TRUSTED_HEADERS>;
+    /** Auth cache TTL returned to go-livepeer when headers are trusted. */
+    expiryTtlSeconds?: number;
+};
+declare function identityFromTrustedHeaders(headers: Record<string, string[]> | undefined, config: TrustedHeadersEndUserAuthConfig): UsageIdentity;
+declare function createTrustedHeadersEndUserVerifier(config: TrustedHeadersEndUserAuthConfig): EndUserAuthVerifier;
+
+export { DEFAULT_DMZ_TRUSTED_HEADERS, type TrustedHeadersEndUserAuthConfig, createTrustedHeadersEndUserVerifier, identityFromTrustedHeaders };

package/dist/signer/webhook/adapters/trusted-headers.js

@@ -0,0 +1,106 @@
+// src/errors.ts
+var PmtHouseError = class extends Error {
+  status;
+  code;
+  details;
+  constructor(message, {
+    status = 500,
+    code = "pymthouse_error",
+    details
+  } = {}) {
+    super(message);
+    this.name = "PmtHouseError";
+    this.status = status;
+    this.code = code;
+    this.details = details;
+  }
+};
+
+// src/signer/webhook/payload.ts
+function firstHeaderValue(values) {
+  if (!Array.isArray(values)) {
+    return "";
+  }
+  for (const value of values) {
+    if (typeof value === "string" && value.trim()) {
+      return value.trim();
+    }
+  }
+  return "";
+}
+function headerValueFromWebhookPayload(headers, name) {
+  if (!headers) {
+    return "";
+  }
+  const direct = firstHeaderValue(headers[name]);
+  if (direct) {
+    return direct;
+  }
+  const target = name.toLowerCase();
+  for (const [key, values] of Object.entries(headers)) {
+    if (key.toLowerCase() === target) {
+      return firstHeaderValue(values);
+    }
+  }
+  return "";
+}
+
+// src/signer/webhook/adapters/trusted-headers/verifier.ts
+var DEFAULT_DMZ_TRUSTED_HEADERS = {
+  issuer: "X-Livepeer-Usage-Issuer",
+  clientId: "X-Livepeer-Client-ID",
+  usageSubject: "X-Livepeer-Usage-Subject",
+  usageSubjectType: "X-Livepeer-Usage-Subject-Type"
+};
+function normalizeIssuer(value) {
+  let end = value.length;
+  while (end > 0 && value[end - 1] === "/") {
+    end -= 1;
+  }
+  return value.slice(0, end);
+}
+function identityFromTrustedHeaders(headers, config) {
+  const names = {
+    ...DEFAULT_DMZ_TRUSTED_HEADERS,
+    ...config.headerNames
+  };
+  const issuer = headerValueFromWebhookPayload(headers, names.issuer);
+  const clientId = headerValueFromWebhookPayload(headers, names.clientId);
+  const usageSubject = headerValueFromWebhookPayload(headers, names.usageSubject);
+  const usageSubjectType = headerValueFromWebhookPayload(headers, names.usageSubjectType) || "external_user_id";
+  if (!issuer || !clientId || !usageSubject) {
+    throw new PmtHouseError("missing trusted usage identity headers", {
+      status: 403,
+      code: "invalid_identity"
+    });
+  }
+  if (normalizeIssuer(issuer) !== normalizeIssuer(config.expectedIssuer.trim())) {
+    throw new PmtHouseError("trusted usage issuer mismatch", {
+      status: 403,
+      code: "invalid_identity"
+    });
+  }
+  return {
+    issuer,
+    client_id: clientId,
+    usage_subject: usageSubject,
+    usage_subject_type: usageSubjectType
+  };
+}
+function createTrustedHeadersEndUserVerifier(config) {
+  const expiryTtlSeconds = config.expiryTtlSeconds ?? 300;
+  return {
+    kind: "trusted_headers",
+    verify: async ({ payload }) => {
+      const identity = identityFromTrustedHeaders(payload.headers, config);
+      return {
+        identity,
+        expiry: Math.trunc(Date.now() / 1e3) + expiryTtlSeconds
+      };
+    }
+  };
+}
+
+export { DEFAULT_DMZ_TRUSTED_HEADERS, createTrustedHeadersEndUserVerifier, identityFromTrustedHeaders };
+//# sourceMappingURL=trusted-headers.js.map
+//# sourceMappingURL=trusted-headers.js.map

package/dist/signer/webhook/adapters/trusted-headers.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/errors.ts","../../../../src/signer/webhook/payload.ts","../../../../src/signer/webhook/adapters/trusted-headers/verifier.ts"],"names":[],"mappings":";AAAO,IAAM,aAAA,GAAN,cAA4B,KAAA,CAAM;AAAA,EAC9B,MAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EAET,YACE,OAAA,EACA;AAAA,IACE,MAAA,GAAS,GAAA;AAAA,IACT,IAAA,GAAO,iBAAA;AAAA,IACP;AAAA,GACF,GAII,EAAC,EACL;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,eAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF,CAAA;;;ACrBA,SAAS,iBAAiB,MAAA,EAAsC;AAC9D,EAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,MAAM,CAAA,EAAG;AAC1B,IAAA,OAAO,EAAA;AAAA,EACT;AACA,EAAA,KAAA,MAAW,SAAS,MAAA,EAAQ;AAC1B,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,MAAK,EAAG;AAC7C,MAAA,OAAO,MAAM,IAAA,EAAK;AAAA,IACpB;AAAA,EACF;AACA,EAAA,OAAO,EAAA;AACT;AAEO,SAAS,6BAAA,CACd,SACA,IAAA,EACQ;AACR,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,OAAO,EAAA;AAAA,EACT;AACA,EAAA,MAAM,MAAA,GAAS,gBAAA,CAAiB,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC7C,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,MAAM,MAAA,GAAS,KAAK,WAAA,EAAY;AAChC,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,MAAM,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AACnD,IAAA,IAAI,GAAA,CAAI,WAAA,EAAY,KAAM,MAAA,EAAQ;AAChC,MAAA,OAAO,iBAAiB,MAAM,CAAA;AAAA,IAChC;AAAA,EACF;AACA,EAAA,OAAO,EAAA;AACT;;;AC3BO,IAAM,2BAAA,GAA8B;AAAA,EACzC,MAAA,EAAQ,yBAAA;AAAA,EACR,QAAA,EAAU,sBAAA;AAAA,EACV,YAAA,EAAc,0BAAA;AAAA,EACd,gBAAA,EAAkB;AACpB;AASA,SAAS,gBAAgB,KAAA,EAAuB;AAC9C,EAAA,IAAI,MAAM,KAAA,CAAM,MAAA;AAChB,EAAA,OAAO,MAAM,CAAA,IAAK,KAAA,CAAM,GAAA,GAAM,CAAC,MAAM,GAAA,EAAK;AACxC,IAAA,GAAA,IAAO,CAAA;AAAA,EACT;AACA,EAAA,OAAO,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA;AAC3B;AAEO,SAAS,0BAAA,CACd,SACA,MAAA,EACe;AACf,EAAA,MAAM,KAAA,GAAQ;AAAA,IACZ,GAAG,2BAAA;AAAA,IACH,GAAG,MAAA,CAAO;AAAA,GACZ;AACA,EAAA,MAAM,MAAA,GAAS,6BAAA,CAA8B,OAAA,EAAS,KAAA,CAAM,MAAM,CAAA;AAClE,EAAA,MAAM,QAAA,GAAW,6BAAA,CAA8B,OAAA,EAAS,KAAA,CAAM,QAAQ,CAAA;AACtE,EAAA,MAAM,YAAA,GAAe,6BAAA,CAA8B,OAAA,EAAS,KAAA,CAAM,YAAY,CAAA;AAC9E,EAAA,MAAM,gBAAA,GACJ,6BAAA,CAA8B,OAAA,EAAS,KAAA,CAAM,gBAAgB,CAAA,IAC7D,kBAAA;AAEF,EAAA,IAAI,CAAC,MAAA,IAAU,CAAC,QAAA,IAAY,CAAC,YAAA,EAAc;AACzC,IAAA,MAAM,IAAI,cAAc,wCAAA,EAA0C;AAAA,MAChE,MAAA,EAAQ,GAAA;AAAA,MACR,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAEA,EAAA,IACE,eAAA,CAAgB,MAAM,CAAA,KAAM,eAAA,CAAgB,OAAO,cAAA,CAAe,IAAA,EAAM,CAAA,EACxE;AACA,IAAA,MAAM,IAAI,cAAc,+BAAA,EAAiC;AAAA,MACvD,MAAA,EAAQ,GAAA;AAAA,MACR,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAEA,EAAA,OAAO;AAAA,IACL,MAAA;AAAA,IACA,SAAA,EAAW,QAAA;AAAA,IACX,aAAA,EAAe,YAAA;AAAA,IACf,kBAAA,EAAoB;AAAA,GACtB;AACF;AAEO,SAAS,oCACd,MAAA,EACqB;AACrB,EAAA,MAAM,gBAAA,GAAmB,OAAO,gBAAA,IAAoB,GAAA;AAEpD,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,iBAAA;AAAA,IACN,MAAA,EAAQ,OAAO,EAAE,OAAA,EAAQ,KAAM;AAC7B,MAAA,MAAM,QAAA,GAAW,0BAAA,CAA2B,OAAA,CAAQ,OAAA,EAAS,MAAM,CAAA;AACnE,MAAA,OAAO;AAAA,QACL,QAAA;AAAA,QACA,QAAQ,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI;AAAA,OAC1C;AAAA,IACF;AAAA,GACF;AACF","file":"trusted-headers.js","sourcesContent":["export class PmtHouseError extends Error {\n  readonly status: number;\n  readonly code: string;\n  readonly details?: unknown;\n\n  constructor(\n    message: string,\n    {\n      status = 500,\n      code = \"pymthouse_error\",\n      details,\n    }: {\n      status?: number;\n      code?: string;\n      details?: unknown;\n    } = {},\n  ) {\n    super(message);\n    this.name = \"PmtHouseError\";\n    this.status = status;\n    this.code = code;\n    this.details = details;\n  }\n}\n\nexport function toPmtHouseError(\n  error: unknown,\n  fallbackMessage: string,\n): PmtHouseError {\n  if (error instanceof PmtHouseError) {\n    return error;\n  }\n\n  if (error instanceof Error) {\n    return new PmtHouseError(error.message || fallbackMessage, {\n      code: \"unexpected_error\",\n      status: 500,\n    });\n  }\n\n  return new PmtHouseError(fallbackMessage, {\n    code: \"unexpected_error\",\n    status: 500,\n  });\n}\n","import type { PaymentWebhookRequest } from \"./types.js\";\n\nfunction firstHeaderValue(values: string[] | undefined): string {\n  if (!Array.isArray(values)) {\n    return \"\";\n  }\n  for (const value of values) {\n    if (typeof value === \"string\" && value.trim()) {\n      return value.trim();\n    }\n  }\n  return \"\";\n}\n\nexport function headerValueFromWebhookPayload(\n  headers: Record<string, string[]> | undefined,\n  name: string,\n): string {\n  if (!headers) {\n    return \"\";\n  }\n  const direct = firstHeaderValue(headers[name]);\n  if (direct) {\n    return direct;\n  }\n  const target = name.toLowerCase();\n  for (const [key, values] of Object.entries(headers)) {\n    if (key.toLowerCase() === target) {\n      return firstHeaderValue(values);\n    }\n  }\n  return \"\";\n}\n\n/** End-user Authorization from go-livepeer webhook body (headers map or legacy field). */\nexport function authorizationFromWebhookPayload(\n  payload: PaymentWebhookRequest,\n): string {\n  const fromHeaders = headerValueFromWebhookPayload(\n    payload.headers,\n    \"Authorization\",\n  );\n  if (fromHeaders) {\n    return fromHeaders;\n  }\n  return payload.authorization?.trim() ?? \"\";\n}\n","import { PmtHouseError } from \"../../../../errors.js\";\nimport { headerValueFromWebhookPayload } from \"../../payload.js\";\nimport type { EndUserAuthVerifier } from \"../../verifier.js\";\nimport type { UsageIdentity } from \"../../types.js\";\n\nexport const DEFAULT_DMZ_TRUSTED_HEADERS = {\n  issuer: \"X-Livepeer-Usage-Issuer\",\n  clientId: \"X-Livepeer-Client-ID\",\n  usageSubject: \"X-Livepeer-Usage-Subject\",\n  usageSubjectType: \"X-Livepeer-Usage-Subject-Type\",\n} as const;\n\nexport type TrustedHeadersEndUserAuthConfig = {\n  expectedIssuer: string;\n  headerNames?: Partial<typeof DEFAULT_DMZ_TRUSTED_HEADERS>;\n  /** Auth cache TTL returned to go-livepeer when headers are trusted. */\n  expiryTtlSeconds?: number;\n};\n\nfunction normalizeIssuer(value: string): string {\n  let end = value.length;\n  while (end > 0 && value[end - 1] === \"/\") {\n    end -= 1;\n  }\n  return value.slice(0, end);\n}\n\nexport function identityFromTrustedHeaders(\n  headers: Record<string, string[]> | undefined,\n  config: TrustedHeadersEndUserAuthConfig,\n): UsageIdentity {\n  const names = {\n    ...DEFAULT_DMZ_TRUSTED_HEADERS,\n    ...config.headerNames,\n  };\n  const issuer = headerValueFromWebhookPayload(headers, names.issuer);\n  const clientId = headerValueFromWebhookPayload(headers, names.clientId);\n  const usageSubject = headerValueFromWebhookPayload(headers, names.usageSubject);\n  const usageSubjectType =\n    headerValueFromWebhookPayload(headers, names.usageSubjectType) ||\n    \"external_user_id\";\n\n  if (!issuer || !clientId || !usageSubject) {\n    throw new PmtHouseError(\"missing trusted usage identity headers\", {\n      status: 403,\n      code: \"invalid_identity\",\n    });\n  }\n\n  if (\n    normalizeIssuer(issuer) !== normalizeIssuer(config.expectedIssuer.trim())\n  ) {\n    throw new PmtHouseError(\"trusted usage issuer mismatch\", {\n      status: 403,\n      code: \"invalid_identity\",\n    });\n  }\n\n  return {\n    issuer,\n    client_id: clientId,\n    usage_subject: usageSubject,\n    usage_subject_type: usageSubjectType,\n  };\n}\n\nexport function createTrustedHeadersEndUserVerifier(\n  config: TrustedHeadersEndUserAuthConfig,\n): EndUserAuthVerifier {\n  const expiryTtlSeconds = config.expiryTtlSeconds ?? 300;\n\n  return {\n    kind: \"trusted_headers\",\n    verify: async ({ payload }) => {\n      const identity = identityFromTrustedHeaders(payload.headers, config);\n      return {\n        identity,\n        expiry: Math.trunc(Date.now() / 1000) + expiryTtlSeconds,\n      };\n    },\n  };\n}\n"]}