npm - @pymthouse/builder-sdk - Versions diffs - 0.4.1-rc.1 → 0.4.1-rc.3 - Mend

@pymthouse/builder-sdk 0.4.1-rc.1 → 0.4.1-rc.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/dist/{index-BixH4VIG.d.cts → index-D5wdxNYy.d.cts} +4 -2
package/dist/{index-BTDKEorK.d.ts → index-DFJ6qcK0.d.ts} +4 -2
package/dist/index.d.cts +1 -1
package/dist/index.d.ts +1 -1
package/dist/{proxy-JrT6raU_.d.cts → proxy-0wa8QZIU.d.cts} +16 -2
package/dist/{proxy-U32DFNuj.d.ts → proxy-KrA1vEmh.d.ts} +16 -2
package/dist/signer/server.cjs +90 -67
package/dist/signer/server.cjs.map +1 -1
package/dist/signer/server.d.cts +4 -4
package/dist/signer/server.d.ts +4 -4
package/dist/signer/server.js +90 -67
package/dist/signer/server.js.map +1 -1
package/dist/signer/webhook/adapters/api-key.cjs +15 -11
package/dist/signer/webhook/adapters/api-key.cjs.map +1 -1
package/dist/signer/webhook/adapters/api-key.d.cts +1 -1
package/dist/signer/webhook/adapters/api-key.d.ts +1 -1
package/dist/signer/webhook/adapters/api-key.js +15 -11
package/dist/signer/webhook/adapters/api-key.js.map +1 -1
package/dist/signer/webhook/adapters/composite.cjs +1 -1
package/dist/signer/webhook/adapters/composite.cjs.map +1 -1
package/dist/signer/webhook/adapters/composite.d.cts +1 -1
package/dist/signer/webhook/adapters/composite.d.ts +1 -1
package/dist/signer/webhook/adapters/composite.js +1 -1
package/dist/signer/webhook/adapters/composite.js.map +1 -1
package/dist/signer/webhook/adapters/oauth1.d.cts +1 -1
package/dist/signer/webhook/adapters/oauth1.d.ts +1 -1
package/dist/signer/webhook/adapters/oidc.cjs +39 -25
package/dist/signer/webhook/adapters/oidc.cjs.map +1 -1
package/dist/signer/webhook/adapters/oidc.d.cts +2 -2
package/dist/signer/webhook/adapters/oidc.d.ts +2 -2
package/dist/signer/webhook/adapters/oidc.js +39 -25
package/dist/signer/webhook/adapters/oidc.js.map +1 -1
package/dist/signer/webhook/adapters/trusted-headers.cjs +18 -11
package/dist/signer/webhook/adapters/trusted-headers.cjs.map +1 -1
package/dist/signer/webhook/adapters/trusted-headers.d.cts +1 -1
package/dist/signer/webhook/adapters/trusted-headers.d.ts +1 -1
package/dist/signer/webhook/adapters/trusted-headers.js +18 -11
package/dist/signer/webhook/adapters/trusted-headers.js.map +1 -1
package/dist/signer/webhook.cjs +90 -38
package/dist/signer/webhook.cjs.map +1 -1
package/dist/signer/webhook.d.cts +6 -4
package/dist/signer/webhook.d.ts +6 -4
package/dist/signer/webhook.js +90 -39
package/dist/signer/webhook.js.map +1 -1
package/dist/{verifier-B-WFDMz6.d.cts → verifier-Be9WAjFF.d.cts} +3 -2
package/dist/{verifier-B-WFDMz6.d.ts → verifier-Be9WAjFF.d.ts} +3 -2
package/package.json +2 -2

package/dist/signer/server.js CHANGED Viewed

@@ -46,62 +46,6 @@ function signerHandlerErrorResponse(error) {
   });
 }
-// src/signer/token-manager.ts
-function cacheKey(clientId, externalUserId) {
-  return `${clientId}\0${externalUserId}`;
-}
-function createSignerTokenManager(options) {
-  const ttlRefreshRatio = options.ttlRefreshRatio ?? 0.8;
-  const cache = /* @__PURE__ */ new Map();
-  const inflight = /* @__PURE__ */ new Map();
-  function isUsable(entry, now, forceRefresh) {
-    if (forceRefresh) return false;
-    if (now >= entry.expiresAt) return false;
-    if (now >= entry.refreshAt) return false;
-    return true;
-  }
-  async function refresh(publicClientId, externalUserId) {
-    const key = cacheKey(publicClientId, externalUserId);
-    const existing = inflight.get(key);
-    if (existing) {
-      return existing;
-    }
-    const promise = options.mint(externalUserId).then((token) => {
-      const normalized = {
-        ...token,
-        refreshAt: token.refreshAt || Date.now() + Math.floor((token.expiresAt - Date.now()) * ttlRefreshRatio)
-      };
-      cache.set(key, normalized);
-      inflight.delete(key);
-      return normalized;
-    }).catch((error) => {
-      inflight.delete(key);
-      throw error;
-    });
-    inflight.set(key, promise);
-    return promise;
-  }
-  return {
-    peek(publicClientId, externalUserId) {
-      return cache.get(cacheKey(publicClientId, externalUserId));
-    },
-    invalidate(publicClientId, externalUserId) {
-      const key = cacheKey(publicClientId, externalUserId);
-      cache.delete(key);
-      inflight.delete(key);
-    },
-    async getToken(publicClientId, externalUserId, getOptions = {}) {
-      const now = Date.now();
-      const key = cacheKey(publicClientId, externalUserId);
-      const cached = cache.get(key);
-      if (cached && isUsable(cached, now, getOptions.forceRefresh === true)) {
-        return cached;
-      }
-      return refresh(publicClientId, externalUserId);
-    }
-  };
-}
 // src/signer/forward.ts
 function base64UrlPayloadToUtf8(payloadB64) {
   const normalized = payloadB64.replaceAll("-", "+").replaceAll("_", "/");
@@ -215,6 +159,70 @@ async function forwardDirectSignerRequest(options) {
   return fetchImpl(target, init);
 }
+// src/signer/token-manager.ts
+function cacheKey(clientId, externalUserId) {
+  return `${clientId}\0${externalUserId}`;
+}
+function createSignerTokenManager(options) {
+  const ttlRefreshRatio = options.ttlRefreshRatio ?? 0.8;
+  const cache = /* @__PURE__ */ new Map();
+  const inflight = /* @__PURE__ */ new Map();
+  function isUsable(entry, now, forceRefresh) {
+    if (forceRefresh) return false;
+    if (now >= entry.expiresAt) return false;
+    if (now >= entry.refreshAt) return false;
+    return true;
+  }
+  async function refresh(publicClientId, externalUserId) {
+    const key = cacheKey(publicClientId, externalUserId);
+    const existing = inflight.get(key);
+    if (existing) {
+      return existing;
+    }
+    const promise = options.mint(publicClientId, externalUserId).then((token) => {
+      const identity = identityFromJwtPayload(decodeJwtPayload(token.jwt));
+      if (identity.clientId !== publicClientId) {
+        throw new PmtHouseError("minted JWT client_id does not match public client id", {
+          status: 500,
+          code: "invalid_client_id",
+          details: { expected: publicClientId, actual: identity.clientId }
+        });
+      }
+      const normalized = {
+        ...token,
+        refreshAt: token.refreshAt || Date.now() + Math.floor((token.expiresAt - Date.now()) * ttlRefreshRatio)
+      };
+      cache.set(key, normalized);
+      inflight.delete(key);
+      return normalized;
+    }).catch((error) => {
+      inflight.delete(key);
+      throw error;
+    });
+    inflight.set(key, promise);
+    return promise;
+  }
+  return {
+    peek(publicClientId, externalUserId) {
+      return cache.get(cacheKey(publicClientId, externalUserId));
+    },
+    invalidate(publicClientId, externalUserId) {
+      const key = cacheKey(publicClientId, externalUserId);
+      cache.delete(key);
+      inflight.delete(key);
+    },
+    async getToken(publicClientId, externalUserId, getOptions = {}) {
+      const now = Date.now();
+      const key = cacheKey(publicClientId, externalUserId);
+      const cached = cache.get(key);
+      if (cached && isUsable(cached, now, getOptions.forceRefresh === true)) {
+        return cached;
+      }
+      return refresh(publicClientId, externalUserId);
+    }
+  };
+}
 // src/string-utils.ts
 function stripTrailingSlashes(value) {
   let end = value.length;
@@ -1011,7 +1019,7 @@ async function forwardToSigner(options) {
   const headers = { "Content-Type": "application/json" };
   const explicitAuth = options.authorization?.trim();
   if (explicitAuth) {
-    headers.Authorization = explicitAuth.startsWith("Bearer ") ? explicitAuth : `Bearer ${explicitAuth}`;
+    headers.Authorization = explicitAuth;
   } else {
     const attachJwt = options.forwardJwt ?? true;
     if (attachJwt) {
@@ -1155,15 +1163,30 @@ function toResponse(result) {
   });
 }
 function createDirectSignerProxyHandler(config) {
-  const tokenManager = createSignerTokenManager({
-    mint: (externalUserId) => mintUserSignerToken({
-      issuerUrl: config.pymthouseIssuerUrl,
+  async function resolveM2MCredentials(publicClientId) {
+    if (config.resolveM2MCredentials) {
+      return config.resolveM2MCredentials(publicClientId);
+    }
+    return {
       m2mClientId: config.pymthouseM2MClientId,
-      m2mClientSecret: config.pymthouseM2MClientSecret,
-      externalUserId,
-      fetch: config.fetch,
-      allowInsecureHttp: config.allowInsecureHttp
-    })
+      m2mClientSecret: config.pymthouseM2MClientSecret
+    };
+  }
+  const tokenManager = createSignerTokenManager({
+    // `publicClientId` selects the M2M credentials so the minted JWT's
+    // `client_id` matches the cache partition key. The token manager rejects any
+    // minted token whose `client_id` diverges from `publicClientId`.
+    mint: async (publicClientId, externalUserId) => {
+      const { m2mClientId, m2mClientSecret } = await resolveM2MCredentials(publicClientId);
+      return mintUserSignerToken({
+        issuerUrl: config.pymthouseIssuerUrl,
+        m2mClientId,
+        m2mClientSecret,
+        externalUserId,
+        fetch: config.fetch,
+        allowInsecureHttp: config.allowInsecureHttp
+      });
+    }
   });
   async function runBeforeSign(token, externalUserId, request) {
     if (!config.beforeSign) {
@@ -1227,8 +1250,8 @@ function createDirectSignerProxyHandler(config) {
       return signerHandlerErrorResponse(error);
     }
   };
-  handler.getCachedUsage = (externalUserId) => tokenManager.peek(config.pymthouseClientId, externalUserId);
-  handler.invalidateToken = (externalUserId) => tokenManager.invalidate(config.pymthouseClientId, externalUserId);
+  handler.getCachedUsage = (publicClientId, externalUserId) => tokenManager.peek(publicClientId, externalUserId);
+  handler.invalidateToken = (publicClientId, externalUserId) => tokenManager.invalidate(publicClientId, externalUserId);
   return handler;
 }