@pymthouse/builder-sdk 0.4.1-rc.2 → 0.4.1

package/dist/signer/server.js

@@ -19,14 +19,8 @@ var PmtHouseError = class extends Error {
 };
 
 // src/signer/handler-errors.ts
-function isPmtHouseError(error) {
-  if (error instanceof PmtHouseError) {
-    return true;
-  }
-  return error instanceof Error && typeof error.status === "number" && typeof error.code === "string";
-}
 function signerHandlerErrorResponse(error) {
-  if (isPmtHouseError(error)) {
+  if (error instanceof PmtHouseError) {
     return new Response(
       JSON.stringify({
         error: error.code,
@@ -46,62 +40,6 @@ function signerHandlerErrorResponse(error) {
   });
 }
 
-// src/signer/token-manager.ts
-function cacheKey(clientId, externalUserId) {
-  return `${clientId}\0${externalUserId}`;
-}
-function createSignerTokenManager(options) {
-  const ttlRefreshRatio = options.ttlRefreshRatio ?? 0.8;
-  const cache = /* @__PURE__ */ new Map();
-  const inflight = /* @__PURE__ */ new Map();
-  function isUsable(entry, now, forceRefresh) {
-    if (forceRefresh) return false;
-    if (now >= entry.expiresAt) return false;
-    if (now >= entry.refreshAt) return false;
-    return true;
-  }
-  async function refresh(publicClientId, externalUserId) {
-    const key = cacheKey(publicClientId, externalUserId);
-    const existing = inflight.get(key);
-    if (existing) {
-      return existing;
-    }
-    const promise = options.mint(externalUserId).then((token) => {
-      const normalized = {
-        ...token,
-        refreshAt: token.refreshAt || Date.now() + Math.floor((token.expiresAt - Date.now()) * ttlRefreshRatio)
-      };
-      cache.set(key, normalized);
-      inflight.delete(key);
-      return normalized;
-    }).catch((error) => {
-      inflight.delete(key);
-      throw error;
-    });
-    inflight.set(key, promise);
-    return promise;
-  }
-  return {
-    peek(publicClientId, externalUserId) {
-      return cache.get(cacheKey(publicClientId, externalUserId));
-    },
-    invalidate(publicClientId, externalUserId) {
-      const key = cacheKey(publicClientId, externalUserId);
-      cache.delete(key);
-      inflight.delete(key);
-    },
-    async getToken(publicClientId, externalUserId, getOptions = {}) {
-      const now = Date.now();
-      const key = cacheKey(publicClientId, externalUserId);
-      const cached = cache.get(key);
-      if (cached && isUsable(cached, now, getOptions.forceRefresh === true)) {
-        return cached;
-      }
-      return refresh(publicClientId, externalUserId);
-    }
-  };
-}
-
 // src/signer/forward.ts
 function base64UrlPayloadToUtf8(payloadB64) {
   const normalized = payloadB64.replaceAll("-", "+").replaceAll("_", "/");
@@ -215,6 +153,70 @@ async function forwardDirectSignerRequest(options) {
   return fetchImpl(target, init);
 }
 
+// src/signer/token-manager.ts
+function cacheKey(clientId, externalUserId) {
+  return `${clientId}\0${externalUserId}`;
+}
+function createSignerTokenManager(options) {
+  const ttlRefreshRatio = options.ttlRefreshRatio ?? 0.8;
+  const cache = /* @__PURE__ */ new Map();
+  const inflight = /* @__PURE__ */ new Map();
+  function isUsable(entry, now, forceRefresh) {
+    if (forceRefresh) return false;
+    if (now >= entry.expiresAt) return false;
+    if (now >= entry.refreshAt) return false;
+    return true;
+  }
+  async function refresh(publicClientId, externalUserId) {
+    const key = cacheKey(publicClientId, externalUserId);
+    const existing = inflight.get(key);
+    if (existing) {
+      return existing;
+    }
+    const promise = options.mint(publicClientId, externalUserId).then((token) => {
+      const identity = identityFromJwtPayload(decodeJwtPayload(token.jwt));
+      if (identity.clientId !== publicClientId) {
+        throw new PmtHouseError("minted JWT client_id does not match public client id", {
+          status: 500,
+          code: "invalid_client_id",
+          details: { expected: publicClientId, actual: identity.clientId }
+        });
+      }
+      const normalized = {
+        ...token,
+        refreshAt: token.refreshAt || Date.now() + Math.floor((token.expiresAt - Date.now()) * ttlRefreshRatio)
+      };
+      cache.set(key, normalized);
+      inflight.delete(key);
+      return normalized;
+    }).catch((error) => {
+      inflight.delete(key);
+      throw error;
+    });
+    inflight.set(key, promise);
+    return promise;
+  }
+  return {
+    peek(publicClientId, externalUserId) {
+      return cache.get(cacheKey(publicClientId, externalUserId));
+    },
+    invalidate(publicClientId, externalUserId) {
+      const key = cacheKey(publicClientId, externalUserId);
+      cache.delete(key);
+      inflight.delete(key);
+    },
+    async getToken(publicClientId, externalUserId, getOptions = {}) {
+      const now = Date.now();
+      const key = cacheKey(publicClientId, externalUserId);
+      const cached = cache.get(key);
+      if (cached && isUsable(cached, now, getOptions.forceRefresh === true)) {
+        return cached;
+      }
+      return refresh(publicClientId, externalUserId);
+    }
+  };
+}
+
 // src/string-utils.ts
 function stripTrailingSlashes(value) {
   let end = value.length;
@@ -541,7 +543,7 @@ async function mintSignerTokenFromDeviceToken(options) {
       code: "oidc_discovery_invalid"
     });
   }
-  const audience = options.audience?.trim() || signerJwtAudience(issuerUrl);
+  const audience = options.audience?.trim() || LIVEPEER_REMOTE_SIGNER_AUDIENCE;
   const params = new URLSearchParams({
     grant_type: TOKEN_EXCHANGE_GRANT,
     subject_token: options.deviceToken,
@@ -1155,15 +1157,30 @@ function toResponse(result) {
   });
 }
 function createDirectSignerProxyHandler(config) {
-  const tokenManager = createSignerTokenManager({
-    mint: (externalUserId) => mintUserSignerToken({
-      issuerUrl: config.pymthouseIssuerUrl,
+  async function resolveM2MCredentials(publicClientId) {
+    if (config.resolveM2MCredentials) {
+      return config.resolveM2MCredentials(publicClientId);
+    }
+    return {
       m2mClientId: config.pymthouseM2MClientId,
-      m2mClientSecret: config.pymthouseM2MClientSecret,
-      externalUserId,
-      fetch: config.fetch,
-      allowInsecureHttp: config.allowInsecureHttp
-    })
+      m2mClientSecret: config.pymthouseM2MClientSecret
+    };
+  }
+  const tokenManager = createSignerTokenManager({
+    // `publicClientId` selects the M2M credentials so the minted JWT's
+    // `client_id` matches the cache partition key. The token manager rejects any
+    // minted token whose `client_id` diverges from `publicClientId`.
+    mint: async (publicClientId, externalUserId) => {
+      const { m2mClientId, m2mClientSecret } = await resolveM2MCredentials(publicClientId);
+      return mintUserSignerToken({
+        issuerUrl: config.pymthouseIssuerUrl,
+        m2mClientId,
+        m2mClientSecret,
+        externalUserId,
+        fetch: config.fetch,
+        allowInsecureHttp: config.allowInsecureHttp
+      });
+    }
   });
   async function runBeforeSign(token, externalUserId, request) {
     if (!config.beforeSign) {