@redmix/api 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Redmix
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,51 @@
+# API
+
+## Purpose and Vision
+
+Redwood believes the future is serverless and multi-client. And `@redwoodjs/api` makes Redwood serverless and multi-client ready. Redwood has one API to rule them all. Your API is abstracted away from any one side of your application, so you can have as many sides as you need, and when you need them.
+
+Right now, the `@redwoodjs/api` package exposes functions that help with logging, services, data fetching via Prisma, webhooks and authentication.
+
+We also plan to make Functions platform-agnostic. At the moment, we're targeting AWS Lambda, but we aim to provide a single interface for other providers and build-time support when you've targeted them.
+
+## Package Lead
+
+[@peterp](https://github.com/peterp/)
+[@dthyresson](https://github.com/dthyresson/)
+
+### Logging
+
+RedwoodJS provides an opinionated logger with sensible, practical defaults that grants you visibility into the JAMStack applications you're developing and have deployed -- with ease.
+
+Logging in the serverless ecosystem is not trivial and neither is its configuration.
+
+When choosing a Node.js logger to add to the framework, RedwoodJS required that it:
+
+- Have a low-overhead, and be fast
+- Output helpful, readable information in development
+- Be highly configurable to set log levels, time formatting, and more
+- Support key redaction to prevent passwords or tokens from leaking out
+- Save to a file in local (or other) environments that can write to the file system
+- Stream to third-party log and application monitoring services vital to production logging in serverless environments like [logFlare](https://logflare.app/) and [Datadog](https://www.datadoghq.com/)
+- Hook into [Prisma logging](https://www.prisma.io/docs/concepts/components/prisma-client/working-with-prismaclient/logging) to give visibility into connection issues, slow queries, and any unexpected errors
+- Have a solid Developer experience (DX) to get logging out-of-the-gate quickly
+- Use a compact configuration to set how to log (its `options`) and where to log -- file, stdout, or remote transport stream -- (its `destination`)
+
+With those criteria in mind, Redwood includes [pino](https://github.com/pinojs/pino) with its rich [features](https://github.com/pinojs/pino/blob/master/docs/api.md), [ecosystem](https://github.com/pinojs/pino/blob/master/docs/ecosystem.md) and [community](https://github.com/pinojs/pino/blob/master/docs/ecosystem.md#community).
+
+Plus ... pino means 🌲 pine tree! How perfect is that for RedwoodJS?
+
+Note: RedwoodJS logging is setup for its api side only. For browser and web side error reporting or exception handling, these features will be addressed in a future release.
+
+For detailed logger configuration, see the RedwoodJS logger package [README](./src/logger/README.md).
+
+## Contributing
+
+`@redwoodjs/api` uses a few things you should be familiar with:
+
+- [Prisma](https://www.prisma.io)
+- [Pino](https://getpino.io)
+
+Although this package depends, in the code-dependency sense, only on `@redwoodjs/internal`, it still hangs together with the others—notably, `@redwoodjs/web` and `@redwoodjs/api-server`. So, if you’re asking yourself “but when does my server run?” head over to `@redwoodjs/api-server`.
+
+If you’re asking yourself “but where is my GraphQL Server” head over to `@redwoodjs/graphql-server`.

package/dist/auth/index.d.ts

@@ -0,0 +1,51 @@
+export * from './parseJWT';
+import type { APIGatewayProxyEvent, Context as LambdaContext } from 'aws-lambda';
+import type { Decoded } from './parseJWT';
+export type { Decoded };
+export declare const AUTH_PROVIDER_HEADER = "auth-provider";
+export declare const getAuthProviderHeader: (event: APIGatewayProxyEvent | Request) => string | null | undefined;
+export interface AuthorizationHeader {
+    schema: 'Bearer' | 'Basic' | string;
+    token: string;
+}
+export type AuthorizationCookies = {
+    parsedCookie: Record<string, string | undefined>;
+    rawCookie: string;
+    type: string | undefined;
+} | null;
+export declare const parseAuthorizationCookie: (event: APIGatewayProxyEvent | Request) => AuthorizationCookies;
+/**
+ * Split the `Authorization` header into a schema and token part.
+ */
+export declare const parseAuthorizationHeader: (event: APIGatewayProxyEvent | Request) => AuthorizationHeader;
+/** @MARK Note that we do not send LambdaContext when making fetch requests
+ *
+ * This part is incomplete, as we need to decide how we will make the breaking change to
+ * 1. getCurrentUser
+ * 2. authDecoders
+
+ */
+export type AuthContextPayload = [
+    Decoded,
+    {
+        type: string;
+    } & AuthorizationHeader,
+    {
+        event: APIGatewayProxyEvent | Request;
+        context?: LambdaContext;
+    }
+];
+export type Decoder = (token: string, type: string, req: {
+    event: APIGatewayProxyEvent | Request;
+    context?: LambdaContext;
+}) => Promise<Decoded>;
+/**
+ * Get the authorization information from the request headers and request context.
+ * @returns [decoded, { type, schema, token }, { event, context }]
+ **/
+export declare const getAuthenticationContext: ({ authDecoder, event, context, }: {
+    authDecoder?: Decoder | Decoder[];
+    event: APIGatewayProxyEvent | Request;
+    context: LambdaContext;
+}) => Promise<undefined | AuthContextPayload>;
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAA;AAE1B,OAAO,KAAK,EAAE,oBAAoB,EAAE,OAAO,IAAI,aAAa,EAAE,MAAM,YAAY,CAAA;AAKhF,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AACzC,YAAY,EAAE,OAAO,EAAE,CAAA;AAGvB,eAAO,MAAM,oBAAoB,kBAAkB,CAAA;AAEnD,eAAO,MAAM,qBAAqB,UACzB,oBAAoB,GAAG,OAAO,8BAStC,CAAA;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,QAAQ,GAAG,OAAO,GAAG,MAAM,CAAA;IACnC,KAAK,EAAE,MAAM,CAAA;CACd;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAA;IAChD,SAAS,EAAE,MAAM,CAAA;IACjB,IAAI,EAAE,MAAM,GAAG,SAAS,CAAA;CACzB,GAAG,IAAI,CAAA;AAER,eAAO,MAAM,wBAAwB,UAC5B,oBAAoB,GAAG,OAAO,KACpC,oBAiBF,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,wBAAwB,UAC5B,oBAAoB,GAAG,OAAO,KACpC,mBAUF,CAAA;AAED;;;;;;GAMG;AAEH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,OAAO;IACP;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,mBAAmB;IAEtC;QACE,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAA;QACrC,OAAO,CAAC,EAAE,aAAa,CAAA;KACxB;CACF,CAAA;AAED,MAAM,MAAM,OAAO,GAAG,CACpB,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE;IACH,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAA;IACrC,OAAO,CAAC,EAAE,aAAa,CAAA;CACxB,KACE,OAAO,CAAC,OAAO,CAAC,CAAA;AAErB;;;IAGI;AACJ,eAAO,MAAM,wBAAwB,qCAIlC;IACD,WAAW,CAAC,EAAE,OAAO,GAAG,OAAO,EAAE,CAAA;IACjC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAA;IACrC,OAAO,EAAE,aAAa,CAAA;CACvB,KAAG,OAAO,CAAC,SAAS,GAAG,kBAAkB,CA6DzC,CAAA"}

package/dist/auth/index.js

@@ -0,0 +1,129 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var auth_exports = {};
+__export(auth_exports, {
+  AUTH_PROVIDER_HEADER: () => AUTH_PROVIDER_HEADER,
+  getAuthProviderHeader: () => getAuthProviderHeader,
+  getAuthenticationContext: () => getAuthenticationContext,
+  parseAuthorizationCookie: () => parseAuthorizationCookie,
+  parseAuthorizationHeader: () => parseAuthorizationHeader
+});
+module.exports = __toCommonJS(auth_exports);
+__reExport(auth_exports, require("./parseJWT"), module.exports);
+var cookie = __toESM(require("cookie"));
+var import_event = require("../event");
+const AUTH_PROVIDER_HEADER = "auth-provider";
+const getAuthProviderHeader = (event) => {
+  const authProviderKey = Object.keys(event?.headers ?? {}).find(
+    (key) => key.toLowerCase() === AUTH_PROVIDER_HEADER
+  );
+  if (authProviderKey) {
+    return (0, import_event.getEventHeader)(event, authProviderKey);
+  }
+  return void 0;
+};
+const parseAuthorizationCookie = (event) => {
+  const cookieHeader = (0, import_event.getEventHeader)(event, "Cookie");
+  if (!cookieHeader) {
+    return null;
+  }
+  const parsedCookie = cookie.parse(cookieHeader);
+  return {
+    parsedCookie,
+    rawCookie: cookieHeader,
+    // When not unauthenticated, this will be null/undefined
+    // Remember that the cookie header could contain other (unrelated) values!
+    type: parsedCookie[AUTH_PROVIDER_HEADER]
+  };
+};
+const parseAuthorizationHeader = (event) => {
+  const parts = (0, import_event.getEventHeader)(event, "Authorization")?.split(" ");
+  if (parts?.length !== 2) {
+    throw new Error("The `Authorization` header is not valid.");
+  }
+  const [schema, token] = parts;
+  if (!schema.length || !token.length) {
+    throw new Error("The `Authorization` header is not valid.");
+  }
+  return { schema, token };
+};
+const getAuthenticationContext = async ({
+  authDecoder,
+  event,
+  context
+}) => {
+  const cookieHeader = parseAuthorizationCookie(event);
+  const typeFromHeader = getAuthProviderHeader(event);
+  if (!typeFromHeader && !cookieHeader) {
+    return void 0;
+  }
+  let token;
+  let type;
+  let schema;
+  if (cookieHeader?.type) {
+    token = cookieHeader.rawCookie;
+    type = cookieHeader.type;
+    schema = "cookie";
+  } else if (typeFromHeader) {
+    const parsedAuthHeader = parseAuthorizationHeader(event);
+    token = parsedAuthHeader.token;
+    type = typeFromHeader;
+    schema = parsedAuthHeader.schema;
+  }
+  if (!token || !type || !schema) {
+    return void 0;
+  }
+  let authDecoders = [];
+  if (Array.isArray(authDecoder)) {
+    authDecoders = authDecoder;
+  } else if (authDecoder) {
+    authDecoders = [authDecoder];
+  }
+  let decoded = null;
+  let i = 0;
+  while (!decoded && i < authDecoders.length) {
+    decoded = await authDecoders[i](token, type, {
+      // @MARK: When called from middleware, the decoder will pass Request, not Lambda event
+      event,
+      context
+    });
+    i++;
+  }
+  return [decoded, { type, schema, token }, { event, context }];
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AUTH_PROVIDER_HEADER,
+  getAuthProviderHeader,
+  getAuthenticationContext,
+  parseAuthorizationCookie,
+  parseAuthorizationHeader,
+  ...require("./parseJWT")
+});

package/dist/auth/parseJWT.d.ts

@@ -0,0 +1,6 @@
+export type Decoded = Record<string, unknown> | null;
+export declare const parseJWT: (token: {
+    decoded: Decoded;
+    namespace?: string;
+}) => any;
+//# sourceMappingURL=parseJWT.d.ts.map

package/dist/auth/parseJWT.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parseJWT.d.ts","sourceRoot":"","sources":["../../src/auth/parseJWT.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;AA8DpD,eAAO,MAAM,QAAQ,UAAW;IAC9B,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,KAAG,GAKH,CAAA"}

package/dist/auth/parseJWT.js

@@ -0,0 +1,57 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var parseJWT_exports = {};
+__export(parseJWT_exports, {
+  parseJWT: () => parseJWT
+});
+module.exports = __toCommonJS(parseJWT_exports);
+function isTokenWithRoles(token) {
+  return !!token.decoded?.roles;
+}
+function isTokenWithMetadata(token) {
+  const claim = token.namespace ? `${token.namespace}/app_metadata` : "app_metadata";
+  return !!token.decoded?.[claim];
+}
+const appMetadata = (token) => {
+  if (typeof token.decoded === "string") {
+    return {};
+  }
+  if (isTokenWithMetadata(token)) {
+    const claim = token.namespace ? `${token.namespace}/app_metadata` : "app_metadata";
+    return token.decoded?.[claim];
+  }
+  return {};
+};
+const roles = (token) => {
+  if (isTokenWithRoles(token)) {
+    return token.decoded.roles;
+  }
+  const metadata = appMetadata(token);
+  return metadata?.roles || metadata.authorization?.roles || [];
+};
+const parseJWT = (token) => {
+  return {
+    appMetadata: appMetadata(token),
+    roles: roles(token)
+  };
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  parseJWT
+});

package/dist/auth/verifiers/base64Sha1Verifier.d.ts

@@ -0,0 +1,19 @@
+import type { WebhookVerifier, VerifyOptions } from './common';
+export interface Base64Sha1Verifier extends WebhookVerifier {
+    type: 'base64Sha1Verifier';
+}
+export declare const verifySignature: ({ payload, secret, signature, }: {
+    payload: string | Record<string, unknown>;
+    secret: string;
+    signature: string;
+}) => boolean;
+/**
+ * Base64 SHA1 HMAC Payload Verifier
+ *
+ * Based on Svix's webhook payload verification, but using SHA1 instead
+ * @see https://docs.svix.com/receiving/verifying-payloads/how-manual
+ * @see https://github.com/svix/svix-webhooks/blob/main/javascript/src/index.ts
+ */
+declare const base64Sha1Verifier: (_options?: VerifyOptions) => Base64Sha1Verifier;
+export default base64Sha1Verifier;
+//# sourceMappingURL=base64Sha1Verifier.d.ts.map

package/dist/auth/verifiers/base64Sha1Verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64Sha1Verifier.d.ts","sourceRoot":"","sources":["../../../src/auth/verifiers/base64Sha1Verifier.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAE9D,MAAM,WAAW,kBAAmB,SAAQ,eAAe;IACzD,IAAI,EAAE,oBAAoB,CAAA;CAC3B;AA0BD,eAAO,MAAM,eAAe,oCAIzB;IACD,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACzC,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,EAAE,MAAM,CAAA;CAClB,KAAG,OA0BH,CAAA;AAED;;;;;;GAMG;AACH,QAAA,MAAM,kBAAkB,cAAe,aAAa,KAAG,kBAUtD,CAAA;AAED,eAAe,kBAAkB,CAAA"}

package/dist/auth/verifiers/base64Sha1Verifier.js

@@ -0,0 +1,77 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var base64Sha1Verifier_exports = {};
+__export(base64Sha1Verifier_exports, {
+  default: () => base64Sha1Verifier_default,
+  verifySignature: () => verifySignature
+});
+module.exports = __toCommonJS(base64Sha1Verifier_exports);
+var import_crypto = require("crypto");
+var import_common = require("./common");
+function toNormalizedJsonString(payload) {
+  return JSON.stringify(payload).replace(/[^\\]\\u[\da-f]{4}/g, (s) => {
+    return s.slice(0, 3) + s.slice(3).toUpperCase();
+  });
+}
+const createSignature = ({
+  payload,
+  secret = import_common.DEFAULT_WEBHOOK_SECRET
+}) => {
+  const algorithm = "sha1";
+  const hmac = (0, import_crypto.createHmac)(algorithm, Buffer.from(secret, "base64"));
+  payload = typeof payload === "string" ? payload : toNormalizedJsonString(payload);
+  const digest = hmac.update(payload).digest();
+  return digest.toString("base64");
+};
+const verifySignature = ({
+  payload,
+  secret = import_common.DEFAULT_WEBHOOK_SECRET,
+  signature
+}) => {
+  try {
+    const webhookSignature = Buffer.from(signature || "", "base64");
+    const hmac = (0, import_crypto.createHmac)("sha1", Buffer.from(secret, "base64"));
+    payload = typeof payload === "string" ? payload : toNormalizedJsonString(payload);
+    const digest = hmac.update(payload).digest();
+    if (webhookSignature.length === digest.length && (0, import_crypto.timingSafeEqual)(digest, webhookSignature)) {
+      return true;
+    }
+    throw new import_common.WebhookVerificationError();
+  } catch (error) {
+    throw new import_common.WebhookVerificationError(
+      `${import_common.VERIFICATION_ERROR_MESSAGE}: ${error.message}`
+    );
+  }
+};
+const base64Sha1Verifier = (_options) => {
+  return {
+    sign: ({ payload, secret }) => {
+      return createSignature({ payload, secret });
+    },
+    verify: ({ payload, secret, signature }) => {
+      return verifySignature({ payload, secret, signature });
+    },
+    type: "base64Sha1Verifier"
+  };
+};
+var base64Sha1Verifier_default = base64Sha1Verifier;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  verifySignature
+});

package/dist/auth/verifiers/base64Sha256Verifier.d.ts

@@ -0,0 +1,19 @@
+import type { WebhookVerifier, VerifyOptions } from './common';
+export interface Base64Sha256Verifier extends WebhookVerifier {
+    type: 'base64Sha256Verifier';
+}
+export declare const verifySignature: ({ payload, secret, signature, }: {
+    payload: string | Record<string, unknown>;
+    secret: string;
+    signature: string;
+}) => boolean;
+/**
+ * Base64 SHA256 HMAC Payload Verifier
+ *
+ * Based on Svix's webhook payload verification
+ * @see https://docs.svix.com/receiving/verifying-payloads/how-manual
+ * @see https://github.com/svix/svix-webhooks/blob/main/javascript/src/index.ts
+ */
+declare const base64Sha256Verifier: (_options?: VerifyOptions) => Base64Sha256Verifier;
+export default base64Sha256Verifier;
+//# sourceMappingURL=base64Sha256Verifier.d.ts.map

package/dist/auth/verifiers/base64Sha256Verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64Sha256Verifier.d.ts","sourceRoot":"","sources":["../../../src/auth/verifiers/base64Sha256Verifier.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAE9D,MAAM,WAAW,oBAAqB,SAAQ,eAAe;IAC3D,IAAI,EAAE,sBAAsB,CAAA;CAC7B;AA0BD,eAAO,MAAM,eAAe,oCAIzB;IACD,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACzC,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,EAAE,MAAM,CAAA;CAClB,KAAG,OA0BH,CAAA;AAED;;;;;;GAMG;AACH,QAAA,MAAM,oBAAoB,cACb,aAAa,KACvB,oBAUF,CAAA;AAED,eAAe,oBAAoB,CAAA"}

package/dist/auth/verifiers/base64Sha256Verifier.js

@@ -0,0 +1,77 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var base64Sha256Verifier_exports = {};
+__export(base64Sha256Verifier_exports, {
+  default: () => base64Sha256Verifier_default,
+  verifySignature: () => verifySignature
+});
+module.exports = __toCommonJS(base64Sha256Verifier_exports);
+var import_crypto = require("crypto");
+var import_common = require("./common");
+function toNormalizedJsonString(payload) {
+  return JSON.stringify(payload).replace(/[^\\]\\u[\da-f]{4}/g, (s) => {
+    return s.slice(0, 3) + s.slice(3).toUpperCase();
+  });
+}
+const createSignature = ({
+  payload,
+  secret = import_common.DEFAULT_WEBHOOK_SECRET
+}) => {
+  const algorithm = "sha256";
+  const hmac = (0, import_crypto.createHmac)(algorithm, Buffer.from(secret, "base64"));
+  payload = typeof payload === "string" ? payload : toNormalizedJsonString(payload);
+  const digest = hmac.update(payload).digest();
+  return digest.toString("base64");
+};
+const verifySignature = ({
+  payload,
+  secret = import_common.DEFAULT_WEBHOOK_SECRET,
+  signature
+}) => {
+  try {
+    const webhookSignature = Buffer.from(signature || "", "base64");
+    const hmac = (0, import_crypto.createHmac)("sha256", Buffer.from(secret, "base64"));
+    payload = typeof payload === "string" ? payload : toNormalizedJsonString(payload);
+    const digest = hmac.update(payload).digest();
+    if (webhookSignature.length === digest.length && (0, import_crypto.timingSafeEqual)(digest, webhookSignature)) {
+      return true;
+    }
+    throw new import_common.WebhookVerificationError();
+  } catch (error) {
+    throw new import_common.WebhookVerificationError(
+      `${import_common.VERIFICATION_ERROR_MESSAGE}: ${error.message}`
+    );
+  }
+};
+const base64Sha256Verifier = (_options) => {
+  return {
+    sign: ({ payload, secret }) => {
+      return createSignature({ payload, secret });
+    },
+    verify: ({ payload, secret, signature }) => {
+      return verifySignature({ payload, secret, signature });
+    },
+    type: "base64Sha256Verifier"
+  };
+};
+var base64Sha256Verifier_default = base64Sha256Verifier;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  verifySignature
+});

package/dist/auth/verifiers/common.d.ts

@@ -0,0 +1,104 @@
+import type { Base64Sha1Verifier } from './base64Sha1Verifier';
+import type { Base64Sha256Verifier } from './base64Sha256Verifier';
+import type { JwtVerifier } from './jwtVerifier';
+import type { SecretKeyVerifier } from './secretKeyVerifier';
+import type { Sha1Verifier } from './sha1Verifier';
+import type { Sha256Verifier } from './sha256Verifier';
+import type { SkipVerifier } from './skipVerifier';
+import type { TimestampSchemeVerifier } from './timestampSchemeVerifier';
+export declare const verifierLookup: {
+    skipVerifier: (_options?: VerifyOptions) => SkipVerifier;
+    secretKeyVerifier: (_options?: VerifyOptions) => SecretKeyVerifier;
+    sha1Verifier: (_options?: VerifyOptions) => Sha1Verifier;
+    sha256Verifier: (_options?: VerifyOptions) => Sha256Verifier;
+    base64Sha1Verifier: (_options?: VerifyOptions) => Base64Sha1Verifier;
+    base64Sha256Verifier: (_options?: VerifyOptions) => Base64Sha256Verifier;
+    timestampSchemeVerifier: (options?: VerifyOptions) => TimestampSchemeVerifier;
+    jwtVerifier: (options?: VerifyOptions) => JwtVerifier;
+};
+export type SupportedVerifiers = SkipVerifier | SecretKeyVerifier | Sha1Verifier | Sha256Verifier | Base64Sha1Verifier | Base64Sha256Verifier | TimestampSchemeVerifier | JwtVerifier;
+export type SupportedVerifierTypes = keyof typeof verifierLookup;
+export declare const DEFAULT_WEBHOOK_SECRET: string;
+export declare const VERIFICATION_ERROR_MESSAGE = "You don't have access to invoke this function.";
+export declare const VERIFICATION_SIGN_MESSAGE = "Unable to sign payload";
+/**
+ * @const {number} DEFAULT_TOLERANCE - Five minutes
+ */
+export declare const DEFAULT_TOLERANCE: number;
+/**
+ * Class representing a WebhookError
+ * @extends Error
+ */
+declare class WebhookError extends Error {
+    /**
+     * Create a WebhookError.
+     * @param {string} message - The error message
+     * */
+    constructor(message: string);
+}
+/**
+ * Class representing a WebhookVerificationError
+ * @extends WebhookError
+ */
+export declare class WebhookVerificationError extends WebhookError {
+    /**
+     * Create a WebhookVerificationError.
+     * @param {string} message - The error message
+     * */
+    constructor(message?: string);
+}
+/**
+ * Class representing a WebhookSignError
+ * @extends WebhookError
+ */
+export declare class WebhookSignError extends WebhookError {
+    /**
+     * Create a WebhookSignError.
+     * @param {string} message - The error message
+     * */
+    constructor(message?: string);
+}
+/**
+ * VerifyOptions
+ *
+ * Used when verifying a signature based on the verifier's requirements
+ *
+ * @param {string} signatureHeader - Optional Header that contains the signature
+ * to verify. Will default to DEFAULT_WEBHOOK_SIGNATURE_HEADER
+ * @param {(signature: string) => string} signatureTransformer - Optional
+ * function that receives the signature from the headers and returns a new
+ * signature to use in the Verifier
+ * @param {number} currentTimestampOverride - Optional timestamp to use as the
+ * "current" timestamp, in msec
+ * @param {number} eventTimestamp - Optional timestamp to use as the event
+ * timestamp, in msec. If this is provided the webhook verification will fail
+ * if the eventTimestamp is too far from the current time (or the time passed
+ * as the `currentTimestampOverride` option)
+ * @param {number} tolerance - Optional tolerance in msec
+ * @param {string} issuer - Options JWT issuer for JWTVerifier
+ */
+export interface VerifyOptions {
+    signatureHeader?: string;
+    signatureTransformer?: (signature: string) => string;
+    currentTimestampOverride?: number;
+    eventTimestamp?: number;
+    tolerance?: number;
+    issuer?: string;
+}
+/**
+ * WebhookVerifier is the interface for all verifiers
+ */
+export interface WebhookVerifier {
+    sign({ payload, secret, }: {
+        payload: string | Record<string, unknown>;
+        secret: string;
+    }): string;
+    verify({ payload, secret, signature, }: {
+        payload: string | Record<string, unknown>;
+        secret: string;
+        signature: string;
+    }): boolean | WebhookVerificationError;
+    type: SupportedVerifierTypes;
+}
+export {};
+//# sourceMappingURL=common.d.ts.map

package/dist/auth/verifiers/common.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"common.d.ts","sourceRoot":"","sources":["../../../src/auth/verifiers/common.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AAE9D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAA;AAElE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAEhD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAE5D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAElD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAA;AAEtD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAElD,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAA;AAExE,eAAO,MAAM,cAAc;;;;;;;;;CAS1B,CAAA;AAED,MAAM,MAAM,kBAAkB,GAC1B,YAAY,GACZ,iBAAiB,GACjB,YAAY,GACZ,cAAc,GACd,kBAAkB,GAClB,oBAAoB,GACpB,uBAAuB,GACvB,WAAW,CAAA;AAEf,MAAM,MAAM,sBAAsB,GAAG,MAAM,OAAO,cAAc,CAAA;AAEhE,eAAO,MAAM,sBAAsB,QAAmC,CAAA;AAEtE,eAAO,MAAM,0BAA0B,mDACW,CAAA;AAElD,eAAO,MAAM,yBAAyB,2BAA2B,CAAA;AAIjE;;GAEG;AACH,eAAO,MAAM,iBAAiB,QAAe,CAAA;AAE7C;;;GAGG;AACH,cAAM,YAAa,SAAQ,KAAK;IAC9B;;;SAGK;gBACO,OAAO,EAAE,MAAM;CAG5B;AAED;;;GAGG;AACH,qBAAa,wBAAyB,SAAQ,YAAY;IACxD;;;SAGK;gBACO,OAAO,CAAC,EAAE,MAAM;CAG7B;AAED;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,YAAY;IAChD;;;SAGK;gBACO,OAAO,CAAC,EAAE,MAAM;CAG7B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,aAAa;IAC5B,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,oBAAoB,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,MAAM,CAAA;IACpD,wBAAwB,CAAC,EAAE,MAAM,CAAA;IACjC,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,CAAC,EACH,OAAO,EACP,MAAM,GACP,EAAE;QACD,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QACzC,MAAM,EAAE,MAAM,CAAA;KACf,GAAG,MAAM,CAAA;IACV,MAAM,CAAC,EACL,OAAO,EACP,MAAM,EACN,SAAS,GACV,EAAE;QACD,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QACzC,MAAM,EAAE,MAAM,CAAA;QACd,SAAS,EAAE,MAAM,CAAA;KAClB,GAAG,OAAO,GAAG,wBAAwB,CAAA;IACtC,IAAI,EAAE,sBAAsB,CAAA;CAC7B"}