@query-farm/vgi-rpc 0.4.0 → 0.6.0

package/src/http/dispatch.ts

@@ -5,6 +5,7 @@ import { RecordBatch, RecordBatchReader, Schema } from "@query-farm/apache-arrow
 import type { AuthContext } from "../auth.js";
 import { STATE_KEY } from "../constants.js";
 import { buildDescribeBatch, DESCRIBE_SCHEMA } from "../dispatch/describe.js";
+import { type ExternalLocationConfig, maybeExternalizeBatch } from "../external.js";
 import type { MethodDefinition } from "../types.js";
 import { OutputCollector } from "../types.js";
 import { conformBatchToSchema } from "../util/conform.js";
@@ -30,6 +31,7 @@ export interface DispatchContext {
   maxStreamResponseBytes?: number;
   stateSerializer: StateSerializer;
   authContext?: AuthContext;
+  externalLocation?: ExternalLocationConfig;
 }
 
 /** Dispatch a __describe__ request. */
@@ -61,12 +63,18 @@ export async function httpDispatchUnary(
 
   try {
     const result = await method.handler!(parsed.params, out);
-    const resultBatch = buildResultBatch(schema, result, ctx.serverId, parsed.requestId);
+    let resultBatch = buildResultBatch(schema, result, ctx.serverId, parsed.requestId);
+    if (ctx.externalLocation) {
+      resultBatch = await maybeExternalizeBatch(resultBatch, ctx.externalLocation);
+    }
     const batches = [...out.batches.map((b) => b.batch), resultBatch];
     return arrowResponse(serializeIpcStream(schema, batches));
   } catch (error: any) {
     const errBatch = buildErrorBatch(schema, error, ctx.serverId, parsed.requestId);
-    return arrowResponse(serializeIpcStream(schema, [errBatch]), 500);
+    const response = arrowResponse(serializeIpcStream(schema, [errBatch]), 500);
+    // Attach the error so the dispatch hook can see it
+    (response as any).__dispatchError = error;
+    return response;
   }
 }
 
@@ -98,7 +106,9 @@ export async function httpDispatchStreamInit(
   } catch (error: any) {
     const errSchema = method.headerSchema ?? EMPTY_SCHEMA;
     const errBatch = buildErrorBatch(errSchema, error, ctx.serverId, parsed.requestId);
-    return arrowResponse(serializeIpcStream(errSchema, [errBatch]), 500);
+    const response = arrowResponse(serializeIpcStream(errSchema, [errBatch]), 500);
+    (response as any).__dispatchError = error;
+    return response;
   }
 
   // Support dynamic output schemas (same as pipe transport)
@@ -116,7 +126,9 @@ export async function httpDispatchStreamInit(
       headerBytes = serializeIpcStream(method.headerSchema, headerBatches);
     } catch (error: any) {
       const errBatch = buildErrorBatch(method.headerSchema, error, ctx.serverId, parsed.requestId);
-      return arrowResponse(serializeIpcStream(method.headerSchema, [errBatch]), 500);
+      const response = arrowResponse(serializeIpcStream(method.headerSchema, [errBatch]), 500);
+      (response as any).__dispatchError = error;
+      return response;
     }
   }
 
@@ -226,7 +238,9 @@ export async function httpDispatchStreamExchange(
           error.stack?.split("\n").slice(0, 5).join("\n"),
         );
       const errBatch = buildErrorBatch(outputSchema, error, ctx.serverId, null);
-      return arrowResponse(serializeIpcStream(outputSchema, [errBatch]), 500);
+      const response = arrowResponse(serializeIpcStream(outputSchema, [errBatch]), 500);
+      (response as any).__dispatchError = error;
+      return response;
     }
 
     // Collect emitted batches
@@ -283,6 +297,7 @@ async function produceStreamResponse(
   const allBatches: RecordBatch[] = [];
   const maxBytes = ctx.maxStreamResponseBytes;
   let estimatedBytes = 0;
+  let producerError: Error | undefined;
 
   while (true) {
     const out = new OutputCollector(outputSchema, true, ctx.serverId, requestId, ctx.authContext);
@@ -302,6 +317,7 @@ async function produceStreamResponse(
       if (process.env.VGI_DISPATCH_DEBUG)
         console.error(`[produceStreamResponse] error:`, error.message, error.stack?.split("\n").slice(0, 3).join("\n"));
       allBatches.push(buildErrorBatch(outputSchema, error, ctx.serverId, requestId));
+      producerError = error instanceof Error ? error : new Error(String(error));
       break;
     }
 
@@ -336,7 +352,11 @@ async function produceStreamResponse(
   } else {
     responseBody = dataBytes;
   }
-  return arrowResponse(responseBody);
+  const response = arrowResponse(responseBody);
+  if (producerError) {
+    (response as any).__dispatchError = producerError;
+  }
+  return response;
 }
 
 function concatBytes(...arrays: Uint8Array[]): Uint8Array {

package/src/http/handler.ts

@@ -6,7 +6,7 @@ import { Schema } from "@query-farm/apache-arrow";
 import type { AuthContext } from "../auth.js";
 import { DESCRIBE_METHOD_NAME } from "../constants.js";
 import type { Protocol } from "../protocol.js";
-import { MethodType } from "../types.js";
+import { type CallStatistics, type DispatchInfo, MethodType } from "../types.js";
 import { zstdCompress, zstdDecompress } from "../util/zstd.js";
 import { buildErrorBatch } from "../wire/response.js";
 import { buildWwwAuthenticateHeader, oauthResourceMetadataToJson, wellKnownPath } from "./auth.js";
@@ -17,6 +17,7 @@ import {
   httpDispatchStreamInit,
   httpDispatchUnary,
 } from "./dispatch.js";
+import { buildDescribePage, buildLandingPage, buildNotFoundPage } from "./pages.js";
 import { type HttpHandlerOptions, jsonStateSerializer } from "./types.js";
 
 const EMPTY_SCHEMA = new Schema([]);
@@ -37,7 +38,7 @@ export function createHttpHandler(
   protocol: Protocol,
   options?: HttpHandlerOptions,
 ): (request: Request) => Response | Promise<Response> {
-  const prefix = (options?.prefix ?? "/vgi").replace(/\/+$/, "");
+  const prefix = (options?.prefix ?? "").replace(/\/+$/, "");
   const signingKey = options?.signingKey ?? randomBytes(32);
   const tokenTtl = options?.tokenTtl ?? 3600;
   const corsOrigins = options?.corsOrigins;
@@ -52,6 +53,23 @@ export function createHttpHandler(
 
   const compressionLevel = options?.compressionLevel;
   const stateSerializer = options?.stateSerializer ?? jsonStateSerializer;
+  const dispatchHook = options?.dispatchHook;
+
+  // HTML page configuration
+  const enableLandingPage = options?.enableLandingPage ?? true;
+  const enableDescribePage = options?.enableDescribePage ?? true;
+  const enableNotFoundPage = options?.enableNotFoundPage ?? true;
+  const displayName = options?.protocolName ?? protocol.name;
+  const repoUrl = options?.repositoryUrl ?? null;
+
+  // Pre-render HTML pages for zero per-request overhead
+  const landingHtml = enableLandingPage
+    ? buildLandingPage(displayName, serverId, enableDescribePage ? `${prefix}/describe` : null, repoUrl)
+    : null;
+  const describeHtml = enableDescribePage ? buildDescribePage(displayName, serverId, methods, repoUrl) : null;
+  const notFoundHtml = enableNotFoundPage ? buildNotFoundPage(prefix, displayName) : null;
+
+  const externalLocation = options?.externalLocation;
 
   // ctx is built per-request to include authContext; base fields set here
   const baseCtx = {
@@ -60,6 +78,7 @@ export function createHttpHandler(
     serverId,
     maxStreamResponseBytes,
     stateSerializer,
+    externalLocation,
   };
 
   function addCorsHeaders(headers: Headers): void {
@@ -102,7 +121,7 @@ export function createHttpHandler(
       const body = JSON.stringify(oauthResourceMetadataToJson(oauthMetadata));
       const headers = new Headers({
         "Content-Type": "application/json",
-        "Cache-Control": "public, max-age=3600",
+        "Cache-Control": "public, max-age=60",
       });
       addCorsHeaders(headers);
       return new Response(body, { status: 200, headers });
@@ -128,6 +147,32 @@ export function createHttpHandler(
       return new Response(null, { status: 405 });
     }
 
+    // HTML pages for GET requests
+    if (request.method === "GET") {
+      // Landing page: GET {prefix}/ or GET {prefix}
+      if (landingHtml && (path === prefix || path === `${prefix}/`)) {
+        const headers = new Headers({ "Content-Type": "text/html; charset=utf-8" });
+        addCorsHeaders(headers);
+        return new Response(landingHtml, { status: 200, headers });
+      }
+
+      // Describe page: GET {prefix}/describe
+      if (describeHtml && path === `${prefix}/describe`) {
+        const headers = new Headers({ "Content-Type": "text/html; charset=utf-8" });
+        addCorsHeaders(headers);
+        return new Response(describeHtml, { status: 200, headers });
+      }
+
+      // 404 page for any other GET
+      if (notFoundHtml) {
+        const headers = new Headers({ "Content-Type": "text/html; charset=utf-8" });
+        addCorsHeaders(headers);
+        return new Response(notFoundHtml, { status: 404, headers });
+      }
+
+      return new Response("Not Found", { status: 404 });
+    }
+
     if (request.method !== "POST") {
       return new Response("Method Not Allowed", { status: 405 });
     }
@@ -169,7 +214,17 @@ export function createHttpHandler(
           const metadataUrl = new URL(request.url);
           metadataUrl.pathname = wellKnownPath(prefix);
           metadataUrl.search = "";
-          headers.set("WWW-Authenticate", buildWwwAuthenticateHeader(metadataUrl.toString()));
+          headers.set(
+            "WWW-Authenticate",
+            buildWwwAuthenticateHeader(
+              metadataUrl.toString(),
+              oauthMetadata.clientId,
+              oauthMetadata.clientSecret,
+              oauthMetadata.useIdTokenAsBearer,
+              oauthMetadata.deviceCodeClientId,
+              oauthMetadata.deviceCodeClientSecret,
+            ),
+          );
         }
         return new Response(error.message || "Unauthorized", { status: 401, headers });
       }
@@ -214,6 +269,20 @@ export function createHttpHandler(
       return compressIfAccepted(makeErrorResponse(err, 404), clientAcceptsZstd);
     }
 
+    const methodType = method.type === MethodType.UNARY ? "unary" : "stream";
+    const info: DispatchInfo = { method: methodName, methodType, serverId, requestId: null };
+    const stats: CallStatistics = {
+      inputBatches: 0,
+      outputBatches: 0,
+      inputRows: 0,
+      outputRows: 0,
+      inputBytes: 0,
+      outputBytes: 0,
+    };
+
+    const hookToken = dispatchHook?.onDispatchStart(info);
+    let dispatchError: Error | undefined;
+
     try {
       let response: Response;
 
@@ -240,13 +309,21 @@ export function createHttpHandler(
         response = await httpDispatchStreamExchange(method, body, ctx);
       }
 
+      // Check if the dispatch function caught an error internally
+      const internalError = (response as any).__dispatchError;
+      if (internalError) {
+        dispatchError = internalError instanceof Error ? internalError : new Error(String(internalError));
+      }
       addCorsHeaders(response.headers);
       return compressIfAccepted(response, clientAcceptsZstd);
     } catch (error: any) {
+      dispatchError = error instanceof Error ? error : new Error(String(error));
       if (error instanceof HttpRpcError) {
         return compressIfAccepted(makeErrorResponse(error, error.statusCode), clientAcceptsZstd);
       }
       return compressIfAccepted(makeErrorResponse(error, 500), clientAcceptsZstd);
+    } finally {
+      dispatchHook?.onDispatchEnd(hookToken, info, stats, dispatchError);
     }
   };
 }

package/src/http/index.ts

@@ -3,10 +3,20 @@
 
 export type { AuthenticateFn, OAuthResourceMetadata } from "./auth.js";
 export { oauthResourceMetadataToJson } from "./auth.js";
+export type { BearerValidateFn } from "./bearer.js";
+export { bearerAuthenticate, bearerAuthenticateStatic, chainAuthenticate } from "./bearer.js";
 export { ARROW_CONTENT_TYPE } from "./common.js";
 export { createHttpHandler } from "./handler.js";
 export type { JwtAuthenticateOptions } from "./jwt.js";
 export { jwtAuthenticate } from "./jwt.js";
+export type { CertValidateFn, XfccElement, XfccValidateFn } from "./mtls.js";
+export {
+  mtlsAuthenticate,
+  mtlsAuthenticateFingerprint,
+  mtlsAuthenticateSubject,
+  mtlsAuthenticateXfcc,
+  parseXfcc,
+} from "./mtls.js";
 export { type UnpackedToken, unpackStateToken } from "./token.js";
 export type { HttpHandlerOptions, StateSerializer } from "./types.js";
 export { jsonStateSerializer } from "./types.js";

package/src/http/jwt.ts

@@ -8,8 +8,8 @@ import type { AuthenticateFn } from "./auth.js";
 export interface JwtAuthenticateOptions {
   /** The expected `iss` claim (also used to discover AS metadata). */
   issuer: string;
-  /** The expected `aud` claim. */
-  audience: string;
+  /** The expected `aud` claim. If an array, tries each audience in order. */
+  audience: string | string[];
   /** Explicit JWKS URI. If omitted, discovered from issuer metadata. */
   jwksUri?: string;
   /** JWT claim to use as the principal. Default: "sub". */
@@ -58,7 +58,21 @@ export function jwtAuthenticate(options: JwtAuthenticateOptions): AuthenticateFn
     }
 
     // validateJwtAccessToken throws on failure, returns claims on success
-    const claims = await oauth.validateJwtAccessToken(as, request, audience);
+    // oauth4webapi only accepts a single string, so iterate if multiple audiences
+    const audiences = Array.isArray(audience) ? audience : [audience];
+    let claims: oauth.JWTAccessTokenClaims | undefined;
+    let lastError: unknown;
+    for (const aud of audiences) {
+      try {
+        claims = await oauth.validateJwtAccessToken(as, request, aud);
+        break;
+      } catch (error) {
+        lastError = error;
+      }
+    }
+    if (!claims) {
+      throw lastError;
+    }
     const principal = (claims[principalClaim] as string | undefined) ?? null;
 
     return new AuthContext(domain, true, principal, claims as unknown as Record<string, any>);

package/src/http/mtls.ts

@@ -0,0 +1,298 @@
+// © Copyright 2025-2026, Query.Farm LLC - https://query.farm
+// SPDX-License-Identifier: Apache-2.0
+
+import { createHash, X509Certificate } from "node:crypto";
+import { AuthContext } from "../auth.js";
+import type { AuthenticateFn } from "./auth.js";
+
+// ---------------------------------------------------------------------------
+// XFCC types and parser (no crypto needed)
+// ---------------------------------------------------------------------------
+
+/** A single element from an `x-forwarded-client-cert` header. */
+export interface XfccElement {
+  hash: string | null;
+  cert: string | null;
+  subject: string | null;
+  uri: string | null;
+  dns: readonly string[];
+  by: string | null;
+}
+
+/** Receives a parsed XFCC element, returns an AuthContext on success. Must throw on failure. */
+export type XfccValidateFn = (element: XfccElement) => AuthContext | Promise<AuthContext>;
+
+/** Receives a parsed X509Certificate, returns an AuthContext on success. Must throw on failure. */
+export type CertValidateFn = (cert: X509Certificate) => AuthContext | Promise<AuthContext>;
+
+function splitRespectingQuotes(text: string, delimiter: string): string[] {
+  const parts: string[] = [];
+  let current: string[] = [];
+  let inQuotes = false;
+  let i = 0;
+  while (i < text.length) {
+    const ch = text[i];
+    if (ch === '"') {
+      inQuotes = !inQuotes;
+      current.push(ch);
+    } else if (ch === "\\" && inQuotes && i + 1 < text.length) {
+      current.push(ch);
+      current.push(text[i + 1]);
+      i++;
+    } else if (ch === delimiter && !inQuotes) {
+      parts.push(current.join(""));
+      current = [];
+    } else {
+      current.push(ch);
+    }
+    i++;
+  }
+  parts.push(current.join(""));
+  return parts;
+}
+
+function unescapeQuoted(text: string): string {
+  return text.replace(/\\(.)/g, "$1");
+}
+
+/** Extract the CN value from an RFC 4514 or similar DN string. */
+function extractCn(subject: string): string {
+  for (const part of subject.split(/(?<!\\),/)) {
+    const trimmed = part.trim();
+    if (trimmed.toUpperCase().startsWith("CN=")) {
+      return trimmed.slice(3);
+    }
+  }
+  return "";
+}
+
+/**
+ * Parse an `x-forwarded-client-cert` header value.
+ *
+ * Handles comma-separated elements (respecting quoted values),
+ * semicolon-separated key=value pairs within each element, and
+ * URL-encoded Cert/URI/By fields.
+ */
+export function parseXfcc(headerValue: string): XfccElement[] {
+  const elements: XfccElement[] = [];
+  for (const rawElement of splitRespectingQuotes(headerValue, ",")) {
+    const trimmed = rawElement.trim();
+    if (!trimmed) continue;
+    const pairs = splitRespectingQuotes(trimmed, ";");
+    const fields: Record<string, string | string[]> = {};
+    for (const pair of pairs) {
+      const p = pair.trim();
+      if (!p) continue;
+      const eqIdx = p.indexOf("=");
+      if (eqIdx < 0) continue;
+      const key = p.slice(0, eqIdx).trim().toLowerCase();
+      let value = p.slice(eqIdx + 1).trim();
+      if (value.length >= 2 && value[0] === '"' && value[value.length - 1] === '"') {
+        value = unescapeQuoted(value.slice(1, -1));
+      }
+      if (key === "cert" || key === "uri" || key === "by") {
+        value = decodeURIComponent(value);
+      }
+      if (key === "dns") {
+        const existing = fields.dns;
+        if (Array.isArray(existing)) {
+          existing.push(value);
+        } else {
+          fields.dns = [value];
+        }
+      } else {
+        fields[key] = value;
+      }
+    }
+    const dns = Array.isArray(fields.dns) ? fields.dns : [];
+    elements.push({
+      hash: typeof fields.hash === "string" ? fields.hash : null,
+      cert: typeof fields.cert === "string" ? fields.cert : null,
+      subject: typeof fields.subject === "string" ? fields.subject : null,
+      uri: typeof fields.uri === "string" ? fields.uri : null,
+      dns,
+      by: typeof fields.by === "string" ? fields.by : null,
+    });
+  }
+  return elements;
+}
+
+/**
+ * Create an authenticate callback from Envoy `x-forwarded-client-cert`.
+ *
+ * Parses the `x-forwarded-client-cert` header and extracts client identity.
+ * Does not require any crypto dependencies.
+ *
+ * **Warning:** The reverse proxy MUST strip client-supplied
+ * `x-forwarded-client-cert` headers before forwarding.
+ */
+export function mtlsAuthenticateXfcc(options?: {
+  validate?: XfccValidateFn;
+  domain?: string;
+  selectElement?: "first" | "last";
+}): AuthenticateFn {
+  const validate = options?.validate;
+  const domain = options?.domain ?? "mtls";
+  const selectElement = options?.selectElement ?? "first";
+
+  return async function authenticate(request: Request): Promise<AuthContext> {
+    const headerValue = request.headers.get("x-forwarded-client-cert");
+    if (!headerValue) {
+      throw new Error("Missing x-forwarded-client-cert header");
+    }
+    const elements = parseXfcc(headerValue);
+    if (elements.length === 0) {
+      throw new Error("Empty x-forwarded-client-cert header");
+    }
+    const element = selectElement === "first" ? elements[0] : elements[elements.length - 1];
+    if (validate) {
+      return validate(element);
+    }
+    const principal = element.subject ? extractCn(element.subject) : "";
+    const claims: Record<string, any> = {};
+    if (element.hash) claims.hash = element.hash;
+    if (element.subject) claims.subject = element.subject;
+    if (element.uri) claims.uri = element.uri;
+    if (element.dns.length > 0) claims.dns = [...element.dns];
+    if (element.by) claims.by = element.by;
+    return new AuthContext(domain, true, principal, claims);
+  };
+}
+
+// ---------------------------------------------------------------------------
+// PEM-based factories (uses node:crypto X509Certificate)
+// ---------------------------------------------------------------------------
+
+function parseCertFromHeader(request: Request, header: string): X509Certificate {
+  const raw = request.headers.get(header);
+  if (!raw) {
+    throw new Error(`Missing ${header} header`);
+  }
+  const pemStr = decodeURIComponent(raw);
+  if (!pemStr.startsWith("-----BEGIN CERTIFICATE-----")) {
+    throw new Error("Header value is not a PEM certificate");
+  }
+  try {
+    return new X509Certificate(pemStr);
+  } catch (exc) {
+    throw new Error(`Failed to parse PEM certificate: ${exc}`);
+  }
+}
+
+function checkCertExpiry(cert: X509Certificate): void {
+  const now = new Date();
+  const notBefore = new Date(cert.validFrom);
+  const notAfter = new Date(cert.validTo);
+  if (now < notBefore) {
+    throw new Error("Certificate is not yet valid");
+  }
+  if (now > notAfter) {
+    throw new Error("Certificate has expired");
+  }
+}
+
+/**
+ * Create an mTLS authenticate callback with custom certificate validation.
+ *
+ * Generic factory that parses the client certificate from a proxy header
+ * and delegates identity extraction to a user-supplied `validate` callback.
+ *
+ * **Warning:** The reverse proxy MUST strip client-supplied certificate
+ * headers before forwarding.
+ */
+export function mtlsAuthenticate(options: {
+  validate: CertValidateFn;
+  header?: string;
+  checkExpiry?: boolean;
+}): AuthenticateFn {
+  const { validate, header = "X-SSL-Client-Cert", checkExpiry = false } = options;
+
+  return async function authenticate(request: Request): Promise<AuthContext> {
+    const cert = parseCertFromHeader(request, header);
+    if (checkExpiry) {
+      checkCertExpiry(cert);
+    }
+    return validate(cert);
+  };
+}
+
+const SUPPORTED_ALGORITHMS = new Set(["sha256", "sha1", "sha384", "sha512"]);
+
+/**
+ * Create an mTLS authenticate callback using certificate fingerprint lookup.
+ *
+ * Computes the certificate fingerprint and looks it up in the provided
+ * mapping. Fingerprints must be lowercase hex without colons.
+ */
+export function mtlsAuthenticateFingerprint(options: {
+  fingerprints: ReadonlyMap<string, AuthContext> | Record<string, AuthContext>;
+  header?: string;
+  algorithm?: string;
+  domain?: string;
+  checkExpiry?: boolean;
+}): AuthenticateFn {
+  const { fingerprints, header, algorithm = "sha256", checkExpiry } = options;
+  if (!SUPPORTED_ALGORITHMS.has(algorithm)) {
+    throw new Error(`Unsupported hash algorithm: ${algorithm}`);
+  }
+  const entries: ReadonlyMap<string, AuthContext> =
+    fingerprints instanceof Map ? fingerprints : new Map(Object.entries(fingerprints));
+
+  function validate(cert: X509Certificate): AuthContext {
+    const fp = createHash(algorithm).update(cert.raw).digest("hex");
+    const ctx = entries.get(fp);
+    if (!ctx) {
+      throw new Error(`Unknown certificate fingerprint: ${fp}`);
+    }
+    return ctx;
+  }
+
+  return mtlsAuthenticate({ validate, header, checkExpiry });
+}
+
+/**
+ * Create an mTLS authenticate callback using certificate subject CN.
+ *
+ * Extracts the Subject Common Name as `principal` and populates
+ * `claims` with the full DN, serial number (hex), and `not_valid_after`.
+ */
+export function mtlsAuthenticateSubject(options?: {
+  header?: string;
+  domain?: string;
+  allowedSubjects?: ReadonlySet<string> | null;
+  checkExpiry?: boolean;
+}): AuthenticateFn {
+  const { header, domain = "mtls", allowedSubjects = null, checkExpiry } = options ?? {};
+
+  function validate(cert: X509Certificate): AuthContext {
+    // Node's cert.subject is \n-separated "KEY=value" lines
+    const subjectParts = cert.subject
+      .split("\n")
+      .map((s) => s.trim())
+      .filter(Boolean);
+    const subjectDn = subjectParts.join(", ");
+
+    let cn = "";
+    for (const part of subjectParts) {
+      if (part.toUpperCase().startsWith("CN=")) {
+        cn = part.slice(3);
+        break;
+      }
+    }
+
+    if (allowedSubjects !== null && !allowedSubjects.has(cn)) {
+      throw new Error(`Subject CN '${cn}' not in allowed subjects`);
+    }
+
+    const serialHex = BigInt(`0x${cert.serialNumber}`).toString(16);
+    const notValidAfter = new Date(cert.validTo).toISOString();
+
+    return new AuthContext(domain, true, cn, {
+      subject_dn: subjectDn,
+      serial: serialHex,
+      not_valid_after: notValidAfter,
+    });
+  }
+
+  return mtlsAuthenticate({ validate, header, checkExpiry });
+}