@pymthouse/builder-sdk 0.4.4 → 0.4.5

package/dist/signer/server.cjs

@@ -452,6 +452,46 @@ async function mintUserSignerToken(options) {
   return parseMintUserSignerTokenResponse(parsed);
 }
 
+// src/signer/direct-signer.ts
+var DIRECT_SIGNER_PATHS = {
+  signOrchestratorInfo: "sign-orchestrator-info",
+  generateLivePayment: "generate-live-payment",
+  discoverOrchestrators: "discover-orchestrators"
+};
+function signerEndpointUrl(signerBaseUrl, path) {
+  const base = stripTrailingSlashes(signerBaseUrl.trim());
+  if (!base) {
+    throw new PmtHouseError("signerBaseUrl is required", {
+      status: 400,
+      code: "invalid_signer_url"
+    });
+  }
+  const suffix = path.replace(/^\/+/, "");
+  return `${base}/${suffix}`;
+}
+function signerUrlFromExchangeResponse(response) {
+  const url = response.signerUrl?.trim();
+  return url || void 0;
+}
+function assertDirectSignerBaseUrl(signerBaseUrl) {
+  let parsed;
+  try {
+    parsed = new URL(signerBaseUrl.trim());
+  } catch {
+    throw new PmtHouseError("signer URL must be an absolute http(s) URL", {
+      status: 400,
+      code: "invalid_signer_url"
+    });
+  }
+  const pathname = stripTrailingSlashes(parsed.pathname);
+  if (pathname === "/api/signer" || pathname.startsWith("/api/signer/")) {
+    throw new PmtHouseError(
+      "signer URL must be the remote signer DMZ base, not a dashboard /api/signer/* proxy path. Exchange at the platform facade, then call signer endpoints directly using signerUrl from the exchange response.",
+      { status: 400, code: "invalid_signer_url" }
+    );
+  }
+}
+
 // src/signer/device-exchange.ts
 var TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
 var SUBJECT_ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
@@ -609,6 +649,9 @@ async function exchangeDeviceTokenForSigner(options) {
   const accessToken = extractSignerAccessTokenFromExchangeBody(parsed);
   const signerUrlRaw = parsed.signerUrl ?? parsed.signer_url;
   const signerUrl = typeof signerUrlRaw === "string" && signerUrlRaw.trim() ? signerUrlRaw.trim() : void 0;
+  if (signerUrl) {
+    assertDirectSignerBaseUrl(signerUrl);
+  }
   return normalizeDeviceExchangeResponse(
     {
       access_token: accessToken,
@@ -788,6 +831,9 @@ async function exchangeApiKeyForSigner(options) {
   const accessToken = extractSignerAccessTokenFromExchangeBody(parsed);
   const signerUrlRaw = parsed.signerUrl ?? parsed.signer_url;
   const signerUrl = typeof signerUrlRaw === "string" && signerUrlRaw.trim() ? signerUrlRaw.trim() : void 0;
+  if (signerUrl) {
+    assertDirectSignerBaseUrl(signerUrl);
+  }
   return normalizeDeviceExchangeResponse(
     {
       access_token: accessToken,
@@ -843,6 +889,178 @@ function createApiKeyExchangeHandler(config) {
   };
 }
 
+// src/signer/gateway-token.ts
+function requireString(value, label) {
+  if (typeof value !== "string") {
+    throw new PmtHouseError(`${label} must be a string`, {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  return value.trim();
+}
+function optionalString(value, label) {
+  if (value === void 0 || value === null) {
+    return void 0;
+  }
+  return requireString(value, label) || void 0;
+}
+function encodeBase64Json(value) {
+  const json = JSON.stringify(value);
+  if (typeof Buffer === "undefined") {
+    const binary = Array.from(
+      new TextEncoder().encode(json),
+      (c) => String.fromCodePoint(c)
+    ).join("");
+    return btoa(binary);
+  }
+  return Buffer.from(json, "utf8").toString("base64");
+}
+function decodeBase64Json(token) {
+  const trimmed = requireString(token, "gateway token");
+  let json;
+  try {
+    if (typeof Buffer === "undefined") {
+      json = new TextDecoder().decode(
+        Uint8Array.from(atob(trimmed), (c) => c.codePointAt(0) ?? 0)
+      );
+    } else {
+      json = Buffer.from(trimmed, "base64").toString("utf8");
+    }
+  } catch {
+    throw new PmtHouseError("Invalid gateway token: expected base64-encoded JSON", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  try {
+    return JSON.parse(json);
+  } catch {
+    throw new PmtHouseError("Invalid gateway token: expected UTF-8 JSON payload", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+}
+function normalizeStringMap(map) {
+  if (!map) {
+    return void 0;
+  }
+  const entries = Object.entries(map).filter(
+    ([key, value]) => key.trim() && typeof value === "string"
+  );
+  return entries.length > 0 ? Object.fromEntries(entries) : void 0;
+}
+function buildGatewayToken(input) {
+  if (input === null || typeof input !== "object") {
+    throw new PmtHouseError("buildGatewayToken requires an input object", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  const signer = requireString(input.signer, "signer URL");
+  if (!signer) {
+    throw new PmtHouseError("buildGatewayToken requires a non-empty signer URL", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  const signerHeaders = { ...input.signerHeaders };
+  const bundle = { signer };
+  const discovery = optionalString(input.discovery, "discovery URL");
+  if (discovery) {
+    bundle.discovery = discovery;
+  }
+  const rawOrchestrators = input.orchestrators ?? [];
+  if (!Array.isArray(rawOrchestrators)) {
+    throw new PmtHouseError("orchestrators must be an array of strings", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  const orchestrators = rawOrchestrators.map((entry) => requireString(entry, "orchestrator entry")).filter((entry) => entry.length > 0);
+  if (orchestrators.length > 0) {
+    bundle.orchestrators = orchestrators;
+  }
+  if (input.auth?.kind === "signerJwt") {
+    const accessToken = requireString(input.auth.accessToken, "signerJwt accessToken");
+    if (!accessToken) {
+      throw new PmtHouseError("signerJwt auth requires a non-empty accessToken", {
+        status: 400,
+        code: "invalid_gateway_token"
+      });
+    }
+    signerHeaders.Authorization = `Bearer ${accessToken}`;
+  } else if (input.auth?.kind === "pmthApiKey") {
+    const apiKey = requireString(input.auth.apiKey, "pmthApiKey apiKey");
+    if (!apiKey) {
+      throw new PmtHouseError("pmthApiKey auth requires a non-empty apiKey", {
+        status: 400,
+        code: "invalid_gateway_token"
+      });
+    }
+    bundle.api_key = apiKey;
+    const billing = optionalString(input.auth.billing, "pmthApiKey billing URL");
+    if (billing) {
+      bundle.billing = billing;
+    }
+  }
+  const normalizedSignerHeaders = normalizeStringMap(signerHeaders);
+  if (normalizedSignerHeaders) {
+    bundle.signer_headers = normalizedSignerHeaders;
+  }
+  const normalizedDiscoveryHeaders = normalizeStringMap(input.discoveryHeaders);
+  if (normalizedDiscoveryHeaders) {
+    bundle.discovery_headers = normalizedDiscoveryHeaders;
+  }
+  return encodeBase64Json(bundle);
+}
+function decodeGatewayToken(token) {
+  const payload = decodeBase64Json(token);
+  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
+    throw new PmtHouseError("Invalid gateway token: payload must be a JSON object", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  return payload;
+}
+async function mintGatewayToken(options) {
+  let accessToken;
+  if (options.source === "m2m") {
+    const minted = await mintUserSignerToken({
+      issuerUrl: options.issuerUrl,
+      m2mClientId: options.m2mClientId,
+      m2mClientSecret: options.m2mClientSecret,
+      externalUserId: options.externalUserId,
+      fetch: options.fetch,
+      allowInsecureHttp: options.allowInsecureHttp
+    });
+    accessToken = minted.jwt;
+  } else {
+    const minted = await mintSignerSessionFromApiKey({
+      issuerUrl: options.issuerUrl,
+      publicClientId: options.publicClientId,
+      m2mClientId: options.m2mClientId,
+      m2mClientSecret: options.m2mClientSecret,
+      apiKey: options.apiKey,
+      scope: options.scope,
+      audience: options.audience,
+      fetch: options.fetch,
+      allowInsecureHttp: options.allowInsecureHttp
+    });
+    accessToken = minted.access_token;
+  }
+  return buildGatewayToken({
+    signer: options.signer,
+    discovery: options.discovery,
+    orchestrators: options.orchestrators,
+    signerHeaders: options.signerHeaders,
+    discoveryHeaders: options.discoveryHeaders,
+    auth: { kind: "signerJwt", accessToken }
+  });
+}
+
 // src/signer/proxy.ts
 var HTTP_DMZ_TOKEN_MAX_ENTRIES = 100;
 var HTTP_DMZ_TOKEN_TTL_MS = 3.5 * 60 * 1e3;
@@ -1251,12 +1469,16 @@ function createDirectSignerProxyHandler(config) {
   return handler;
 }
 
+exports.DIRECT_SIGNER_PATHS = DIRECT_SIGNER_PATHS;
 exports.LIVEPEER_REMOTE_SIGNER_AUDIENCE = LIVEPEER_REMOTE_SIGNER_AUDIENCE;
 exports.SIGN_MINT_USER_TOKEN_SCOPE = SIGN_MINT_USER_TOKEN_SCOPE;
+exports.assertDirectSignerBaseUrl = assertDirectSignerBaseUrl;
+exports.buildGatewayToken = buildGatewayToken;
 exports.createApiKeyExchangeHandler = createApiKeyExchangeHandler;
 exports.createDeviceExchangeHandler = createDeviceExchangeHandler;
 exports.createDirectSignerProxyHandler = createDirectSignerProxyHandler;
 exports.createSignerTokenManager = createSignerTokenManager;
+exports.decodeGatewayToken = decodeGatewayToken;
 exports.decodeJwtPayload = decodeJwtPayload;
 exports.exchangeApiKeyForSigner = exchangeApiKeyForSigner;
 exports.exchangeDeviceTokenForSigner = exchangeDeviceTokenForSigner;
@@ -1266,6 +1488,7 @@ exports.forwardToSigner = forwardToSigner;
 exports.getCachedDmzBearerToken = getCachedDmzBearerToken;
 exports.identityFromJwtPayload = identityFromJwtPayload;
 exports.livepeerIdentityHeaders = livepeerIdentityHeaders;
+exports.mintGatewayToken = mintGatewayToken;
 exports.mintSignerSessionFromApiKey = mintSignerSessionFromApiKey;
 exports.mintSignerTokenFromDeviceToken = mintSignerTokenFromDeviceToken;
 exports.mintUserAccessTokenFromApiKey = mintUserAccessTokenFromApiKey;
@@ -1281,7 +1504,9 @@ exports.pickConflictingStringAliases = pickConflictingStringAliases;
 exports.probeSignerHttpReachability = probeSignerHttpReachability;
 exports.readSignerUpstreamBody = readSignerUpstreamBody;
 exports.resolveSignerBaseUrl = resolveSignerBaseUrl;
+exports.signerEndpointUrl = signerEndpointUrl;
 exports.signerJwtAudience = signerJwtAudience;
+exports.signerUrlFromExchangeResponse = signerUrlFromExchangeResponse;
 exports.stripSignerUsageFromResponse = stripSignerUsageFromResponse;
 //# sourceMappingURL=server.cjs.map
 //# sourceMappingURL=server.cjs.map