@rocicorp/zero 0.26.1 → 0.26.2-canary.4

package/out/zero-cache/src/auth/auth.js

@@ -1,179 +1,145 @@
-import { Unauthorized, AuthInvalidated } from "../../../zero-protocol/src/error-kind-enum.js";
+import { AuthInvalidated, Unauthorized } from "../../../zero-protocol/src/error-kind-enum.js";
 import { ZeroCache } from "../../../zero-protocol/src/error-origin-enum.js";
-import { isProtocolError, ProtocolError } from "../../../zero-protocol/src/error.js";
+import { ProtocolError, isProtocolError } from "../../../zero-protocol/src/error.js";
+//#region ../zero-cache/src/auth/auth.ts
 function isProvidedAuth(wireAuth) {
-  return wireAuth !== void 0 && wireAuth !== "";
+	return wireAuth !== void 0 && wireAuth !== "";
 }
 function authEquals(a, b) {
-  if (a === b) {
-    return true;
-  }
-  if (!a || !b) {
-    return false;
-  }
-  return a.type === b.type && a.raw === b.raw;
-}
-class AuthSessionImpl {
-  id;
-  #lc;
-  #validateLegacyJWT;
-  #auth = void 0;
-  #boundUserID;
-  #revision = 0;
-  constructor(lc, clientGroupID, validateLegacyJWT) {
-    this.id = clientGroupID;
-    this.#lc = lc;
-    this.#validateLegacyJWT = validateLegacyJWT;
-  }
-  get auth() {
-    return this.#auth;
-  }
-  get revision() {
-    return this.#revision;
-  }
-  clear() {
-    const lc = this.#lc.withContext(
-      "boundUserID",
-      this.#boundUserID ?? "unknown"
-    );
-    lc.debug?.(`Clearing auth session`);
-    this.#auth = void 0;
-    this.#boundUserID = void 0;
-    this.#revision = 0;
-  }
-  async update(userID, wireAuth) {
-    try {
-      const lc = this.#lc.withContext("newUserID", userID);
-      if (this.#boundUserID && this.#boundUserID !== userID) {
-        return {
-          ok: false,
-          error: {
-            kind: Unauthorized,
-            message: "Client groups are pinned to a single user. Connection userID does not match existing client group userID.",
-            origin: ZeroCache
-          }
-        };
-      }
-      const previousAuth = this.#auth;
-      const hasProvidedAuth = isProvidedAuth(wireAuth);
-      let nextAuth = previousAuth;
-      if (previousAuth) {
-        lc.debug?.(`Attempting to update auth from previous value`);
-      } else {
-        lc.debug?.(`Attempting to initialize auth`);
-      }
-      if (!hasProvidedAuth && previousAuth) {
-        return {
-          ok: false,
-          error: {
-            kind: Unauthorized,
-            message: "No token provided. An unauthenticated client cannot connect to an authenticated client group.",
-            origin: ZeroCache
-          }
-        };
-      }
-      if (!hasProvidedAuth) {
-        nextAuth = void 0;
-        lc.debug?.(`Cleared auth`);
-      } else if (this.#validateLegacyJWT !== void 0) {
-        const verifiedToken = await this.#validateLegacyJWT(wireAuth, { userID });
-        nextAuth = pickToken(this.#lc, this.#auth, verifiedToken);
-        lc.debug?.(`Updated auth with JWT`);
-      } else {
-        if (this.#auth?.type === "jwt") {
-          throw new Error(
-            "Cannot change auth type from legacy to opaque token"
-          );
-        }
-        nextAuth = {
-          type: "opaque",
-          raw: wireAuth
-        };
-        lc.debug?.(`Updated auth with opaque token`);
-      }
-      this.#auth = nextAuth;
-      this.#boundUserID ??= userID;
-      if (!authEquals(previousAuth, nextAuth)) {
-        this.#revision++;
-      }
-    } catch (e) {
-      if (isProtocolError(e)) {
-        return {
-          ok: false,
-          error: e.errorBody
-        };
-      }
-      return {
-        ok: false,
-        error: {
-          kind: AuthInvalidated,
-          message: `Failed to decode auth token: ${String(e)}`,
-          origin: ZeroCache
-        }
-      };
-    }
-    return { ok: true };
-  }
+	if (a === b) return true;
+	if (!a || !b) return false;
+	return a.type === b.type && a.raw === b.raw;
 }
+var AuthSessionImpl = class {
+	id;
+	#lc;
+	#validateLegacyJWT;
+	#auth = void 0;
+	#boundUserID;
+	#revision = 0;
+	constructor(lc, clientGroupID, validateLegacyJWT) {
+		this.id = clientGroupID;
+		this.#lc = lc;
+		this.#validateLegacyJWT = validateLegacyJWT;
+	}
+	get auth() {
+		return this.#auth;
+	}
+	get revision() {
+		return this.#revision;
+	}
+	clear() {
+		this.#lc.withContext("boundUserID", this.#boundUserID ?? "unknown").debug?.(`Clearing auth session`);
+		this.#auth = void 0;
+		this.#boundUserID = void 0;
+		this.#revision = 0;
+	}
+	async update(userID, wireAuth) {
+		try {
+			const lc = this.#lc.withContext("newUserID", userID);
+			if (this.#boundUserID && this.#boundUserID !== userID) return {
+				ok: false,
+				error: {
+					kind: Unauthorized,
+					message: "Client groups are pinned to a single user. Connection userID does not match existing client group userID.",
+					origin: ZeroCache
+				}
+			};
+			const previousAuth = this.#auth;
+			const hasProvidedAuth = isProvidedAuth(wireAuth);
+			let nextAuth = previousAuth;
+			if (previousAuth) lc.debug?.(`Attempting to update auth from previous value`);
+			else lc.debug?.(`Attempting to initialize auth`);
+			if (!hasProvidedAuth && previousAuth) return {
+				ok: false,
+				error: {
+					kind: Unauthorized,
+					message: "No token provided. An unauthenticated client cannot connect to an authenticated client group.",
+					origin: ZeroCache
+				}
+			};
+			if (!hasProvidedAuth) {
+				nextAuth = void 0;
+				lc.debug?.(`Cleared auth`);
+			} else if (this.#validateLegacyJWT !== void 0) {
+				const verifiedToken = await this.#validateLegacyJWT(wireAuth, { userID });
+				nextAuth = pickToken(this.#lc, this.#auth, verifiedToken);
+				lc.debug?.(`Updated auth with JWT`);
+			} else {
+				if (this.#auth?.type === "jwt") throw new Error("Cannot change auth type from legacy to opaque token");
+				nextAuth = {
+					type: "opaque",
+					raw: wireAuth
+				};
+				lc.debug?.(`Updated auth with opaque token`);
+			}
+			this.#auth = nextAuth;
+			this.#boundUserID ??= userID;
+			if (!authEquals(previousAuth, nextAuth)) this.#revision++;
+		} catch (e) {
+			if (isProtocolError(e)) return {
+				ok: false,
+				error: e.errorBody
+			};
+			return {
+				ok: false,
+				error: {
+					kind: AuthInvalidated,
+					message: `Failed to decode auth token: ${String(e)}`,
+					origin: ZeroCache
+				}
+			};
+		}
+		return { ok: true };
+	}
+};
+/** @deprecated used only in old JWT validation/rotation auth */
 function pickToken(lc, previousToken, newToken) {
-  if (newToken === null) {
-    return void 0;
-  }
-  if (previousToken?.type && newToken?.type && previousToken?.type !== newToken?.type) {
-    throw new ProtocolError({
-      kind: Unauthorized,
-      message: "Token type cannot change. Client groups are pinned to a single token type.",
-      origin: ZeroCache
-    });
-  }
-  if (previousToken === void 0) {
-    lc.debug?.(`No previous token, using new token`);
-    return newToken;
-  }
-  if (newToken?.type === "opaque") {
-    return newToken;
-  }
-  if (previousToken.type === "opaque") {
-    throw new ProtocolError({
-      kind: Unauthorized,
-      message: "Token type cannot change from opaque to JWT. Client groups are pinned to a single token type.",
-      origin: ZeroCache
-    });
-  }
-  if (newToken) {
-    if (previousToken.decoded.sub !== newToken.decoded.sub) {
-      throw new ProtocolError({
-        kind: Unauthorized,
-        message: "The user id in the new token does not match the previous token. Client groups are pinned to a single user.",
-        origin: ZeroCache
-      });
-    }
-    if (previousToken.decoded.iat === void 0) {
-      lc.debug?.(`No issued at time for the existing token, using new token`);
-      return newToken;
-    }
-    if (newToken.decoded.iat === void 0) {
-      throw new ProtocolError({
-        kind: Unauthorized,
-        message: "The new token does not have an issued at time but the prior token does. Tokens for a client group must either all have issued at times or all not have issued at times",
-        origin: ZeroCache
-      });
-    }
-    if (previousToken.decoded.iat < newToken.decoded.iat) {
-      lc.debug?.(`New token is newer, using it`);
-      return newToken;
-    }
-    lc.debug?.(`New token is older or the same, using existing token`);
-    return previousToken;
-  }
-  throw new ProtocolError({
-    kind: Unauthorized,
-    message: "No token provided. An unauthenticated client cannot connect to an authenticated client group.",
-    origin: ZeroCache
-  });
+	if (newToken === null) return;
+	if (previousToken?.type && newToken?.type && previousToken?.type !== newToken?.type) throw new ProtocolError({
+		kind: Unauthorized,
+		message: "Token type cannot change. Client groups are pinned to a single token type.",
+		origin: ZeroCache
+	});
+	if (previousToken === void 0) {
+		lc.debug?.(`No previous token, using new token`);
+		return newToken;
+	}
+	if (newToken?.type === "opaque") return newToken;
+	if (previousToken.type === "opaque") throw new ProtocolError({
+		kind: Unauthorized,
+		message: "Token type cannot change from opaque to JWT. Client groups are pinned to a single token type.",
+		origin: ZeroCache
+	});
+	if (newToken) {
+		if (previousToken.decoded.sub !== newToken.decoded.sub) throw new ProtocolError({
+			kind: Unauthorized,
+			message: "The user id in the new token does not match the previous token. Client groups are pinned to a single user.",
+			origin: ZeroCache
+		});
+		if (previousToken.decoded.iat === void 0) {
+			lc.debug?.(`No issued at time for the existing token, using new token`);
+			return newToken;
+		}
+		if (newToken.decoded.iat === void 0) throw new ProtocolError({
+			kind: Unauthorized,
+			message: "The new token does not have an issued at time but the prior token does. Tokens for a client group must either all have issued at times or all not have issued at times",
+			origin: ZeroCache
+		});
+		if (previousToken.decoded.iat < newToken.decoded.iat) {
+			lc.debug?.(`New token is newer, using it`);
+			return newToken;
+		}
+		lc.debug?.(`New token is older or the same, using existing token`);
+		return previousToken;
+	}
+	throw new ProtocolError({
+		kind: Unauthorized,
+		message: "No token provided. An unauthenticated client cannot connect to an authenticated client group.",
+		origin: ZeroCache
+	});
 }
-export {
-  AuthSessionImpl,
-  pickToken
-};
-//# sourceMappingURL=auth.js.map
+//#endregion
+export { AuthSessionImpl };
+
+//# sourceMappingURL=auth.js.map

package/out/zero-cache/src/auth/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sources":["../../../../../zero-cache/src/auth/auth.ts"],"sourcesContent":["import type {LogContext} from '@rocicorp/logger';\nimport type {JWTPayload} from 'jose';\nimport {ErrorKind} from '../../../zero-protocol/src/error-kind.ts';\nimport {ErrorOrigin} from '../../../zero-protocol/src/error-origin.ts';\nimport {\n  isProtocolError,\n  ProtocolError,\n  type ErrorBody,\n} from '../../../zero-protocol/src/error.ts';\n\n/** @deprecated JWT auth is deprecated */\nexport type JWTAuth = {\n  readonly type: 'jwt';\n  readonly raw: string;\n  readonly decoded: JWTPayload;\n};\n\nexport type OpaqueAuth = {\n  readonly type: 'opaque';\n  readonly raw: string;\n};\n\nexport type Auth = OpaqueAuth | JWTAuth;\n\nexport interface AuthSession {\n  /** Update the auth session with a new userID and token from the client */\n  update(\n    userID: string,\n    wireAuth: string | undefined,\n  ): Promise<AuthUpdateResult>;\n\n  /** The revision of the auth state */\n  get revision(): number;\n\n  /** The auth state for the session */\n  get auth(): Auth | undefined;\n\n  /** Clear the auth session, removing any stored auth and allowing a new userID to be bound on the next update. */\n  clear(): void;\n}\n\nexport type AuthUpdateResult =\n  | {\n      readonly ok: true;\n    }\n  | {\n      readonly ok: false;\n      readonly error: ErrorBody;\n    };\n\nexport type ValidateLegacyJWT = (\n  token: string,\n  ctx: {readonly userID: string},\n) => Promise<JWTAuth>;\n\nfunction isProvidedAuth(wireAuth: string | undefined): wireAuth is string {\n  return wireAuth !== undefined && wireAuth !== '';\n}\n\nfunction authEquals(a: Auth | null | undefined, b: Auth | null | undefined) {\n  if (a === b) {\n    return true;\n  }\n  if (!a || !b) {\n    return false;\n  }\n  return a.type === b.type && a.raw === b.raw;\n}\n\nexport class AuthSessionImpl implements AuthSession {\n  readonly id: string;\n  readonly #lc: LogContext;\n  readonly #validateLegacyJWT: ValidateLegacyJWT | undefined;\n  #auth: Auth | undefined = undefined;\n  #boundUserID: string | undefined;\n  #revision = 0;\n\n  constructor(\n    lc: LogContext,\n    clientGroupID: string,\n    validateLegacyJWT: ValidateLegacyJWT | undefined,\n  ) {\n    this.id = clientGroupID;\n    this.#lc = lc;\n    this.#validateLegacyJWT = validateLegacyJWT;\n  }\n\n  get auth(): Auth | undefined {\n    return this.#auth;\n  }\n\n  get revision(): number {\n    return this.#revision;\n  }\n\n  clear(): void {\n    const lc = this.#lc.withContext(\n      'boundUserID',\n      this.#boundUserID ?? 'unknown',\n    );\n    lc.debug?.(`Clearing auth session`);\n    this.#auth = undefined;\n    this.#boundUserID = undefined;\n    this.#revision = 0;\n  }\n\n  async update(\n    userID: string,\n    wireAuth: string | undefined,\n  ): Promise<AuthUpdateResult> {\n    try {\n      const lc = this.#lc.withContext('newUserID', userID);\n\n      // check if the auth update is trying to change the bound userID for this client group\n      if (this.#boundUserID && this.#boundUserID !== userID) {\n        return {\n          ok: false,\n          error: {\n            kind: ErrorKind.Unauthorized,\n            message:\n              'Client groups are pinned to a single user. Connection userID does not match existing client group userID.',\n            origin: ErrorOrigin.ZeroCache,\n          },\n        };\n      }\n\n      const previousAuth = this.#auth;\n      const hasProvidedAuth = isProvidedAuth(wireAuth);\n      let nextAuth = previousAuth;\n\n      if (previousAuth) {\n        lc.debug?.(`Attempting to update auth from previous value`);\n      } else {\n        lc.debug?.(`Attempting to initialize auth`);\n      }\n\n      if (!hasProvidedAuth && previousAuth) {\n        return {\n          ok: false,\n          error: {\n            kind: ErrorKind.Unauthorized,\n            message:\n              'No token provided. An unauthenticated client cannot connect to an authenticated client group.',\n            origin: ErrorOrigin.ZeroCache,\n          },\n        };\n      }\n\n      if (!hasProvidedAuth) {\n        nextAuth = undefined;\n        lc.debug?.(`Cleared auth`);\n      } else if (this.#validateLegacyJWT !== undefined) {\n        const verifiedToken = await this.#validateLegacyJWT(wireAuth, {userID});\n        nextAuth = pickToken(this.#lc, this.#auth, verifiedToken);\n        lc.debug?.(`Updated auth with JWT`);\n      } else {\n        if (this.#auth?.type === 'jwt') {\n          throw new Error(\n            'Cannot change auth type from legacy to opaque token',\n          );\n        }\n        nextAuth = {\n          type: 'opaque',\n          raw: wireAuth,\n        };\n        lc.debug?.(`Updated auth with opaque token`);\n      }\n\n      this.#auth = nextAuth;\n      this.#boundUserID ??= userID;\n\n      if (!authEquals(previousAuth, nextAuth)) {\n        this.#revision++;\n      }\n    } catch (e) {\n      if (isProtocolError(e)) {\n        return {\n          ok: false,\n          error: e.errorBody,\n        };\n      }\n      return {\n        ok: false,\n        error: {\n          kind: ErrorKind.AuthInvalidated,\n          message: `Failed to decode auth token: ${String(e)}`,\n          origin: ErrorOrigin.ZeroCache,\n        },\n      };\n    }\n\n    return {ok: true};\n  }\n}\n\n/** @deprecated used only in old JWT validation/rotation auth */\nexport function pickToken(\n  lc: LogContext,\n  previousToken: Auth | undefined,\n  newToken: Auth | undefined | null,\n) {\n  if (newToken === null) {\n    return undefined;\n  }\n\n  if (\n    previousToken?.type &&\n    newToken?.type &&\n    previousToken?.type !== newToken?.type\n  ) {\n    throw new ProtocolError({\n      kind: ErrorKind.Unauthorized,\n      message:\n        'Token type cannot change. Client groups are pinned to a single token type.',\n      origin: ErrorOrigin.ZeroCache,\n    });\n  }\n\n  if (previousToken === undefined) {\n    lc.debug?.(`No previous token, using new token`);\n    return newToken;\n  }\n\n  if (newToken?.type === 'opaque') {\n    return newToken;\n  }\n\n  if (previousToken.type === 'opaque') {\n    throw new ProtocolError({\n      kind: ErrorKind.Unauthorized,\n      message:\n        'Token type cannot change from opaque to JWT. Client groups are pinned to a single token type.',\n      origin: ErrorOrigin.ZeroCache,\n    });\n  }\n\n  if (newToken) {\n    if (previousToken.decoded.sub !== newToken.decoded.sub) {\n      throw new ProtocolError({\n        kind: ErrorKind.Unauthorized,\n        message:\n          'The user id in the new token does not match the previous token. Client groups are pinned to a single user.',\n        origin: ErrorOrigin.ZeroCache,\n      });\n    }\n\n    if (previousToken.decoded.iat === undefined) {\n      lc.debug?.(`No issued at time for the existing token, using new token`);\n      // No issued at time for the existing token? We take the most recently received token.\n      return newToken;\n    }\n\n    if (newToken.decoded.iat === undefined) {\n      throw new ProtocolError({\n        kind: ErrorKind.Unauthorized,\n        message:\n          'The new token does not have an issued at time but the prior token does. Tokens for a client group must either all have issued at times or all not have issued at times',\n        origin: ErrorOrigin.ZeroCache,\n      });\n    }\n\n    // The new token is newer, so we take it.\n    if (previousToken.decoded.iat < newToken.decoded.iat) {\n      lc.debug?.(`New token is newer, using it`);\n      return newToken;\n    }\n\n    // if the new token is older or the same, we keep the existing token.\n    lc.debug?.(`New token is older or the same, using existing token`);\n    return previousToken;\n  }\n\n  // previousToken !== undefined but newToken is undefined\n  throw new ProtocolError({\n    kind: ErrorKind.Unauthorized,\n    message:\n      'No token provided. An unauthenticated client cannot connect to an authenticated client group.',\n    origin: ErrorOrigin.ZeroCache,\n  });\n}\n"],"names":["ErrorKind.Unauthorized","ErrorOrigin.ZeroCache","ErrorKind.AuthInvalidated"],"mappings":";;;AAuDA,SAAS,eAAe,UAAkD;AACxE,SAAO,aAAa,UAAa,aAAa;AAChD;AAEA,SAAS,WAAW,GAA4B,GAA4B;AAC1E,MAAI,MAAM,GAAG;AACX,WAAO;AAAA,EACT;AACA,MAAI,CAAC,KAAK,CAAC,GAAG;AACZ,WAAO;AAAA,EACT;AACA,SAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE;AAC1C;AAEO,MAAM,gBAAuC;AAAA,EACzC;AAAA,EACA;AAAA,EACA;AAAA,EACT,QAA0B;AAAA,EAC1B;AAAA,EACA,YAAY;AAAA,EAEZ,YACE,IACA,eACA,mBACA;AACA,SAAK,KAAK;AACV,SAAK,MAAM;AACX,SAAK,qBAAqB;AAAA,EAC5B;AAAA,EAEA,IAAI,OAAyB;AAC3B,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,IAAI,WAAmB;AACrB,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,QAAc;AACZ,UAAM,KAAK,KAAK,IAAI;AAAA,MAClB;AAAA,MACA,KAAK,gBAAgB;AAAA,IAAA;AAEvB,OAAG,QAAQ,uBAAuB;AAClC,SAAK,QAAQ;AACb,SAAK,eAAe;AACpB,SAAK,YAAY;AAAA,EACnB;AAAA,EAEA,MAAM,OACJ,QACA,UAC2B;AAC3B,QAAI;AACF,YAAM,KAAK,KAAK,IAAI,YAAY,aAAa,MAAM;AAGnD,UAAI,KAAK,gBAAgB,KAAK,iBAAiB,QAAQ;AACrD,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,OAAO;AAAA,YACL,MAAMA;AAAAA,YACN,SACE;AAAA,YACF,QAAQC;AAAAA,UAAY;AAAA,QACtB;AAAA,MAEJ;AAEA,YAAM,eAAe,KAAK;AAC1B,YAAM,kBAAkB,eAAe,QAAQ;AAC/C,UAAI,WAAW;AAEf,UAAI,cAAc;AAChB,WAAG,QAAQ,+CAA+C;AAAA,MAC5D,OAAO;AACL,WAAG,QAAQ,+BAA+B;AAAA,MAC5C;AAEA,UAAI,CAAC,mBAAmB,cAAc;AACpC,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,OAAO;AAAA,YACL,MAAMD;AAAAA,YACN,SACE;AAAA,YACF,QAAQC;AAAAA,UAAY;AAAA,QACtB;AAAA,MAEJ;AAEA,UAAI,CAAC,iBAAiB;AACpB,mBAAW;AACX,WAAG,QAAQ,cAAc;AAAA,MAC3B,WAAW,KAAK,uBAAuB,QAAW;AAChD,cAAM,gBAAgB,MAAM,KAAK,mBAAmB,UAAU,EAAC,QAAO;AACtE,mBAAW,UAAU,KAAK,KAAK,KAAK,OAAO,aAAa;AACxD,WAAG,QAAQ,uBAAuB;AAAA,MACpC,OAAO;AACL,YAAI,KAAK,OAAO,SAAS,OAAO;AAC9B,gBAAM,IAAI;AAAA,YACR;AAAA,UAAA;AAAA,QAEJ;AACA,mBAAW;AAAA,UACT,MAAM;AAAA,UACN,KAAK;AAAA,QAAA;AAEP,WAAG,QAAQ,gCAAgC;AAAA,MAC7C;AAEA,WAAK,QAAQ;AACb,WAAK,iBAAiB;AAEtB,UAAI,CAAC,WAAW,cAAc,QAAQ,GAAG;AACvC,aAAK;AAAA,MACP;AAAA,IACF,SAAS,GAAG;AACV,UAAI,gBAAgB,CAAC,GAAG;AACtB,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,OAAO,EAAE;AAAA,QAAA;AAAA,MAEb;AACA,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,OAAO;AAAA,UACL,MAAMC;AAAAA,UACN,SAAS,gCAAgC,OAAO,CAAC,CAAC;AAAA,UAClD,QAAQD;AAAAA,QAAY;AAAA,MACtB;AAAA,IAEJ;AAEA,WAAO,EAAC,IAAI,KAAA;AAAA,EACd;AACF;AAGO,SAAS,UACd,IACA,eACA,UACA;AACA,MAAI,aAAa,MAAM;AACrB,WAAO;AAAA,EACT;AAEA,MACE,eAAe,QACf,UAAU,QACV,eAAe,SAAS,UAAU,MAClC;AACA,UAAM,IAAI,cAAc;AAAA,MACtB,MAAMD;AAAAA,MACN,SACE;AAAA,MACF,QAAQC;AAAAA,IAAY,CACrB;AAAA,EACH;AAEA,MAAI,kBAAkB,QAAW;AAC/B,OAAG,QAAQ,oCAAoC;AAC/C,WAAO;AAAA,EACT;AAEA,MAAI,UAAU,SAAS,UAAU;AAC/B,WAAO;AAAA,EACT;AAEA,MAAI,cAAc,SAAS,UAAU;AACnC,UAAM,IAAI,cAAc;AAAA,MACtB,MAAMD;AAAAA,MACN,SACE;AAAA,MACF,QAAQC;AAAAA,IAAY,CACrB;AAAA,EACH;AAEA,MAAI,UAAU;AACZ,QAAI,cAAc,QAAQ,QAAQ,SAAS,QAAQ,KAAK;AACtD,YAAM,IAAI,cAAc;AAAA,QACtB,MAAMD;AAAAA,QACN,SACE;AAAA,QACF,QAAQC;AAAAA,MAAY,CACrB;AAAA,IACH;AAEA,QAAI,cAAc,QAAQ,QAAQ,QAAW;AAC3C,SAAG,QAAQ,2DAA2D;AAEtE,aAAO;AAAA,IACT;AAEA,QAAI,SAAS,QAAQ,QAAQ,QAAW;AACtC,YAAM,IAAI,cAAc;AAAA,QACtB,MAAMD;AAAAA,QACN,SACE;AAAA,QACF,QAAQC;AAAAA,MAAY,CACrB;AAAA,IACH;AAGA,QAAI,cAAc,QAAQ,MAAM,SAAS,QAAQ,KAAK;AACpD,SAAG,QAAQ,8BAA8B;AACzC,aAAO;AAAA,IACT;AAGA,OAAG,QAAQ,sDAAsD;AACjE,WAAO;AAAA,EACT;AAGA,QAAM,IAAI,cAAc;AAAA,IACtB,MAAMD;AAAAA,IACN,SACE;AAAA,IACF,QAAQC;AAAAA,EAAY,CACrB;AACH;"}
+{"version":3,"file":"auth.js","names":["#lc","#validateLegacyJWT","#auth","#revision","#boundUserID"],"sources":["../../../../../zero-cache/src/auth/auth.ts"],"sourcesContent":["import type {LogContext} from '@rocicorp/logger';\nimport type {JWTPayload} from 'jose';\nimport {ErrorKind} from '../../../zero-protocol/src/error-kind.ts';\nimport {ErrorOrigin} from '../../../zero-protocol/src/error-origin.ts';\nimport {\n  isProtocolError,\n  ProtocolError,\n  type ErrorBody,\n} from '../../../zero-protocol/src/error.ts';\n\n/** @deprecated JWT auth is deprecated */\nexport type JWTAuth = {\n  readonly type: 'jwt';\n  readonly raw: string;\n  readonly decoded: JWTPayload;\n};\n\nexport type OpaqueAuth = {\n  readonly type: 'opaque';\n  readonly raw: string;\n};\n\nexport type Auth = OpaqueAuth | JWTAuth;\n\nexport interface AuthSession {\n  /** Update the auth session with a new userID and token from the client */\n  update(\n    userID: string,\n    wireAuth: string | undefined,\n  ): Promise<AuthUpdateResult>;\n\n  /** The revision of the auth state */\n  get revision(): number;\n\n  /** The auth state for the session */\n  get auth(): Auth | undefined;\n\n  /** Clear the auth session, removing any stored auth and allowing a new userID to be bound on the next update. */\n  clear(): void;\n}\n\nexport type AuthUpdateResult =\n  | {\n      readonly ok: true;\n    }\n  | {\n      readonly ok: false;\n      readonly error: ErrorBody;\n    };\n\nexport type ValidateLegacyJWT = (\n  token: string,\n  ctx: {readonly userID: string},\n) => Promise<JWTAuth>;\n\nfunction isProvidedAuth(wireAuth: string | undefined): wireAuth is string {\n  return wireAuth !== undefined && wireAuth !== '';\n}\n\nfunction authEquals(a: Auth | null | undefined, b: Auth | null | undefined) {\n  if (a === b) {\n    return true;\n  }\n  if (!a || !b) {\n    return false;\n  }\n  return a.type === b.type && a.raw === b.raw;\n}\n\nexport class AuthSessionImpl implements AuthSession {\n  readonly id: string;\n  readonly #lc: LogContext;\n  readonly #validateLegacyJWT: ValidateLegacyJWT | undefined;\n  #auth: Auth | undefined = undefined;\n  #boundUserID: string | undefined;\n  #revision = 0;\n\n  constructor(\n    lc: LogContext,\n    clientGroupID: string,\n    validateLegacyJWT: ValidateLegacyJWT | undefined,\n  ) {\n    this.id = clientGroupID;\n    this.#lc = lc;\n    this.#validateLegacyJWT = validateLegacyJWT;\n  }\n\n  get auth(): Auth | undefined {\n    return this.#auth;\n  }\n\n  get revision(): number {\n    return this.#revision;\n  }\n\n  clear(): void {\n    const lc = this.#lc.withContext(\n      'boundUserID',\n      this.#boundUserID ?? 'unknown',\n    );\n    lc.debug?.(`Clearing auth session`);\n    this.#auth = undefined;\n    this.#boundUserID = undefined;\n    this.#revision = 0;\n  }\n\n  async update(\n    userID: string,\n    wireAuth: string | undefined,\n  ): Promise<AuthUpdateResult> {\n    try {\n      const lc = this.#lc.withContext('newUserID', userID);\n\n      // check if the auth update is trying to change the bound userID for this client group\n      if (this.#boundUserID && this.#boundUserID !== userID) {\n        return {\n          ok: false,\n          error: {\n            kind: ErrorKind.Unauthorized,\n            message:\n              'Client groups are pinned to a single user. Connection userID does not match existing client group userID.',\n            origin: ErrorOrigin.ZeroCache,\n          },\n        };\n      }\n\n      const previousAuth = this.#auth;\n      const hasProvidedAuth = isProvidedAuth(wireAuth);\n      let nextAuth = previousAuth;\n\n      if (previousAuth) {\n        lc.debug?.(`Attempting to update auth from previous value`);\n      } else {\n        lc.debug?.(`Attempting to initialize auth`);\n      }\n\n      if (!hasProvidedAuth && previousAuth) {\n        return {\n          ok: false,\n          error: {\n            kind: ErrorKind.Unauthorized,\n            message:\n              'No token provided. An unauthenticated client cannot connect to an authenticated client group.',\n            origin: ErrorOrigin.ZeroCache,\n          },\n        };\n      }\n\n      if (!hasProvidedAuth) {\n        nextAuth = undefined;\n        lc.debug?.(`Cleared auth`);\n      } else if (this.#validateLegacyJWT !== undefined) {\n        const verifiedToken = await this.#validateLegacyJWT(wireAuth, {userID});\n        nextAuth = pickToken(this.#lc, this.#auth, verifiedToken);\n        lc.debug?.(`Updated auth with JWT`);\n      } else {\n        if (this.#auth?.type === 'jwt') {\n          throw new Error(\n            'Cannot change auth type from legacy to opaque token',\n          );\n        }\n        nextAuth = {\n          type: 'opaque',\n          raw: wireAuth,\n        };\n        lc.debug?.(`Updated auth with opaque token`);\n      }\n\n      this.#auth = nextAuth;\n      this.#boundUserID ??= userID;\n\n      if (!authEquals(previousAuth, nextAuth)) {\n        this.#revision++;\n      }\n    } catch (e) {\n      if (isProtocolError(e)) {\n        return {\n          ok: false,\n          error: e.errorBody,\n        };\n      }\n      return {\n        ok: false,\n        error: {\n          kind: ErrorKind.AuthInvalidated,\n          message: `Failed to decode auth token: ${String(e)}`,\n          origin: ErrorOrigin.ZeroCache,\n        },\n      };\n    }\n\n    return {ok: true};\n  }\n}\n\n/** @deprecated used only in old JWT validation/rotation auth */\nexport function pickToken(\n  lc: LogContext,\n  previousToken: Auth | undefined,\n  newToken: Auth | undefined | null,\n) {\n  if (newToken === null) {\n    return undefined;\n  }\n\n  if (\n    previousToken?.type &&\n    newToken?.type &&\n    previousToken?.type !== newToken?.type\n  ) {\n    throw new ProtocolError({\n      kind: ErrorKind.Unauthorized,\n      message:\n        'Token type cannot change. Client groups are pinned to a single token type.',\n      origin: ErrorOrigin.ZeroCache,\n    });\n  }\n\n  if (previousToken === undefined) {\n    lc.debug?.(`No previous token, using new token`);\n    return newToken;\n  }\n\n  if (newToken?.type === 'opaque') {\n    return newToken;\n  }\n\n  if (previousToken.type === 'opaque') {\n    throw new ProtocolError({\n      kind: ErrorKind.Unauthorized,\n      message:\n        'Token type cannot change from opaque to JWT. Client groups are pinned to a single token type.',\n      origin: ErrorOrigin.ZeroCache,\n    });\n  }\n\n  if (newToken) {\n    if (previousToken.decoded.sub !== newToken.decoded.sub) {\n      throw new ProtocolError({\n        kind: ErrorKind.Unauthorized,\n        message:\n          'The user id in the new token does not match the previous token. Client groups are pinned to a single user.',\n        origin: ErrorOrigin.ZeroCache,\n      });\n    }\n\n    if (previousToken.decoded.iat === undefined) {\n      lc.debug?.(`No issued at time for the existing token, using new token`);\n      // No issued at time for the existing token? We take the most recently received token.\n      return newToken;\n    }\n\n    if (newToken.decoded.iat === undefined) {\n      throw new ProtocolError({\n        kind: ErrorKind.Unauthorized,\n        message:\n          'The new token does not have an issued at time but the prior token does. Tokens for a client group must either all have issued at times or all not have issued at times',\n        origin: ErrorOrigin.ZeroCache,\n      });\n    }\n\n    // The new token is newer, so we take it.\n    if (previousToken.decoded.iat < newToken.decoded.iat) {\n      lc.debug?.(`New token is newer, using it`);\n      return newToken;\n    }\n\n    // if the new token is older or the same, we keep the existing token.\n    lc.debug?.(`New token is older or the same, using existing token`);\n    return previousToken;\n  }\n\n  // previousToken !== undefined but newToken is undefined\n  throw new ProtocolError({\n    kind: ErrorKind.Unauthorized,\n    message:\n      'No token provided. An unauthenticated client cannot connect to an authenticated client group.',\n    origin: ErrorOrigin.ZeroCache,\n  });\n}\n"],"mappings":";;;;AAuDA,SAAS,eAAe,UAAkD;AACxE,QAAO,aAAa,KAAA,KAAa,aAAa;;AAGhD,SAAS,WAAW,GAA4B,GAA4B;AAC1E,KAAI,MAAM,EACR,QAAO;AAET,KAAI,CAAC,KAAK,CAAC,EACT,QAAO;AAET,QAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE;;AAG1C,IAAa,kBAAb,MAAoD;CAClD;CACA;CACA;CACA,QAA0B,KAAA;CAC1B;CACA,YAAY;CAEZ,YACE,IACA,eACA,mBACA;AACA,OAAK,KAAK;AACV,QAAA,KAAW;AACX,QAAA,oBAA0B;;CAG5B,IAAI,OAAyB;AAC3B,SAAO,MAAA;;CAGT,IAAI,WAAmB;AACrB,SAAO,MAAA;;CAGT,QAAc;AACD,QAAA,GAAS,YAClB,eACA,MAAA,eAAqB,UACtB,CACE,QAAQ,wBAAwB;AACnC,QAAA,OAAa,KAAA;AACb,QAAA,cAAoB,KAAA;AACpB,QAAA,WAAiB;;CAGnB,MAAM,OACJ,QACA,UAC2B;AAC3B,MAAI;GACF,MAAM,KAAK,MAAA,GAAS,YAAY,aAAa,OAAO;AAGpD,OAAI,MAAA,eAAqB,MAAA,gBAAsB,OAC7C,QAAO;IACL,IAAI;IACJ,OAAO;KACL,MAAM;KACN,SACE;KACF,QAAQ;KACT;IACF;GAGH,MAAM,eAAe,MAAA;GACrB,MAAM,kBAAkB,eAAe,SAAS;GAChD,IAAI,WAAW;AAEf,OAAI,aACF,IAAG,QAAQ,gDAAgD;OAE3D,IAAG,QAAQ,gCAAgC;AAG7C,OAAI,CAAC,mBAAmB,aACtB,QAAO;IACL,IAAI;IACJ,OAAO;KACL,MAAM;KACN,SACE;KACF,QAAQ;KACT;IACF;AAGH,OAAI,CAAC,iBAAiB;AACpB,eAAW,KAAA;AACX,OAAG,QAAQ,eAAe;cACjB,MAAA,sBAA4B,KAAA,GAAW;IAChD,MAAM,gBAAgB,MAAM,MAAA,kBAAwB,UAAU,EAAC,QAAO,CAAC;AACvE,eAAW,UAAU,MAAA,IAAU,MAAA,MAAY,cAAc;AACzD,OAAG,QAAQ,wBAAwB;UAC9B;AACL,QAAI,MAAA,MAAY,SAAS,MACvB,OAAM,IAAI,MACR,sDACD;AAEH,eAAW;KACT,MAAM;KACN,KAAK;KACN;AACD,OAAG,QAAQ,iCAAiC;;AAG9C,SAAA,OAAa;AACb,SAAA,gBAAsB;AAEtB,OAAI,CAAC,WAAW,cAAc,SAAS,CACrC,OAAA;WAEK,GAAG;AACV,OAAI,gBAAgB,EAAE,CACpB,QAAO;IACL,IAAI;IACJ,OAAO,EAAE;IACV;AAEH,UAAO;IACL,IAAI;IACJ,OAAO;KACL,MAAM;KACN,SAAS,gCAAgC,OAAO,EAAE;KAClD,QAAQ;KACT;IACF;;AAGH,SAAO,EAAC,IAAI,MAAK;;;;AAKrB,SAAgB,UACd,IACA,eACA,UACA;AACA,KAAI,aAAa,KACf;AAGF,KACE,eAAe,QACf,UAAU,QACV,eAAe,SAAS,UAAU,KAElC,OAAM,IAAI,cAAc;EACtB,MAAM;EACN,SACE;EACF,QAAQ;EACT,CAAC;AAGJ,KAAI,kBAAkB,KAAA,GAAW;AAC/B,KAAG,QAAQ,qCAAqC;AAChD,SAAO;;AAGT,KAAI,UAAU,SAAS,SACrB,QAAO;AAGT,KAAI,cAAc,SAAS,SACzB,OAAM,IAAI,cAAc;EACtB,MAAM;EACN,SACE;EACF,QAAQ;EACT,CAAC;AAGJ,KAAI,UAAU;AACZ,MAAI,cAAc,QAAQ,QAAQ,SAAS,QAAQ,IACjD,OAAM,IAAI,cAAc;GACtB,MAAM;GACN,SACE;GACF,QAAQ;GACT,CAAC;AAGJ,MAAI,cAAc,QAAQ,QAAQ,KAAA,GAAW;AAC3C,MAAG,QAAQ,4DAA4D;AAEvE,UAAO;;AAGT,MAAI,SAAS,QAAQ,QAAQ,KAAA,EAC3B,OAAM,IAAI,cAAc;GACtB,MAAM;GACN,SACE;GACF,QAAQ;GACT,CAAC;AAIJ,MAAI,cAAc,QAAQ,MAAM,SAAS,QAAQ,KAAK;AACpD,MAAG,QAAQ,+BAA+B;AAC1C,UAAO;;AAIT,KAAG,QAAQ,uDAAuD;AAClE,SAAO;;AAIT,OAAM,IAAI,cAAc;EACtB,MAAM;EACN,SACE;EACF,QAAQ;EACT,CAAC"}

package/out/zero-cache/src/auth/jwt.js

@@ -1,44 +1,36 @@
-import { jwtVerify, createRemoteJWKSet } from "jose";
-let remoteKeyset;
+import { createRemoteJWKSet, jwtVerify } from "jose";
+//#region ../zero-cache/src/auth/jwt.ts
+var remoteKeyset;
 function getRemoteKeyset(jwksUrl) {
-  if (remoteKeyset === void 0) {
-    remoteKeyset = createRemoteJWKSet(new URL(jwksUrl));
-  }
-  return remoteKeyset;
+	if (remoteKeyset === void 0) remoteKeyset = createRemoteJWKSet(new URL(jwksUrl));
+	return remoteKeyset;
 }
-const tokenConfigOptions = (config) => {
-  const tokenOptions = ["jwk", "secret", "jwksUrl"].filter(
-    (key) => config[key] !== void 0
-  );
-  return tokenOptions;
+/** @deprecated */
+var tokenConfigOptions = (config) => {
+	return [
+		"jwk",
+		"secret",
+		"jwksUrl"
+	].filter((key) => config[key] !== void 0);
 };
+/** @deprecated */
 async function verifyToken(config, token, verifyOptions) {
-  if (config.jwk !== void 0) {
-    return verifyTokenImpl(token, loadJwk(config.jwk), verifyOptions);
-  }
-  if (config.secret !== void 0) {
-    return verifyTokenImpl(token, loadSecret(config.secret), verifyOptions);
-  }
-  if (config.jwksUrl !== void 0) {
-    const remoteKeyset2 = getRemoteKeyset(config.jwksUrl);
-    return (await jwtVerify(token, remoteKeyset2, verifyOptions)).payload;
-  }
-  throw new Error(
-    "verifyToken was called but no auth options (one of: jwk, secret, jwksUrl) were configured."
-  );
+	if (config.jwk !== void 0) return verifyTokenImpl(token, loadJwk(config.jwk), verifyOptions);
+	if (config.secret !== void 0) return verifyTokenImpl(token, loadSecret(config.secret), verifyOptions);
+	if (config.jwksUrl !== void 0) return (await jwtVerify(token, getRemoteKeyset(config.jwksUrl), verifyOptions)).payload;
+	throw new Error("verifyToken was called but no auth options (one of: jwk, secret, jwksUrl) were configured.");
 }
 function loadJwk(jwkString) {
-  return JSON.parse(jwkString);
+	return JSON.parse(jwkString);
 }
 function loadSecret(secret) {
-  return new TextEncoder().encode(secret);
+	return new TextEncoder().encode(secret);
 }
 async function verifyTokenImpl(token, verifyKey, verifyOptions) {
-  const { payload } = await jwtVerify(token, verifyKey, verifyOptions);
-  return payload;
+	const { payload } = await jwtVerify(token, verifyKey, verifyOptions);
+	return payload;
 }
-export {
-  tokenConfigOptions,
-  verifyToken
-};
-//# sourceMappingURL=jwt.js.map
+//#endregion
+export { tokenConfigOptions, verifyToken };
+
+//# sourceMappingURL=jwt.js.map

package/out/zero-cache/src/auth/jwt.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.js","sources":["../../../../../zero-cache/src/auth/jwt.ts"],"sourcesContent":["import {\n  createRemoteJWKSet,\n  exportJWK,\n  generateKeyPair,\n  jwtVerify,\n  type JWK,\n  type JWTClaimVerificationOptions,\n  type JWTPayload,\n  type KeyLike,\n} from 'jose';\nimport type {AuthConfig} from '../config/zero-config.ts';\n\n/** @deprecated */\nexport async function createJwkPair() {\n  const {publicKey, privateKey} = await generateKeyPair('PS256');\n\n  const privateJwk = await exportJWK(privateKey);\n  const publicJwk = await exportJWK(publicKey);\n\n  privateJwk.kid = 'key-2024-001';\n  privateJwk.use = 'sig';\n  privateJwk.alg = 'PS256';\n\n  publicJwk.kid = privateJwk.kid;\n  publicJwk.use = privateJwk.use;\n  publicJwk.alg = privateJwk.alg;\n\n  return {privateJwk, publicJwk};\n}\n\nlet remoteKeyset: ReturnType<typeof createRemoteJWKSet> | undefined;\nfunction getRemoteKeyset(jwksUrl: string) {\n  if (remoteKeyset === undefined) {\n    remoteKeyset = createRemoteJWKSet(new URL(jwksUrl));\n  }\n\n  return remoteKeyset;\n}\n\n/** @deprecated */\nexport const tokenConfigOptions = (config: AuthConfig) => {\n  const tokenOptions = (['jwk', 'secret', 'jwksUrl'] as const).filter(\n    key => config[key] !== undefined,\n  );\n\n  return tokenOptions;\n};\n\n/** @deprecated */\nexport async function verifyToken(\n  config: AuthConfig,\n  token: string,\n  verifyOptions: JWTClaimVerificationOptions,\n): Promise<JWTPayload> {\n  if (config.jwk !== undefined) {\n    return verifyTokenImpl(token, loadJwk(config.jwk), verifyOptions);\n  }\n\n  if (config.secret !== undefined) {\n    return verifyTokenImpl(token, loadSecret(config.secret), verifyOptions);\n  }\n\n  if (config.jwksUrl !== undefined) {\n    const remoteKeyset = getRemoteKeyset(config.jwksUrl);\n    return (await jwtVerify(token, remoteKeyset, verifyOptions)).payload;\n  }\n\n  throw new Error(\n    'verifyToken was called but no auth options (one of: jwk, secret, jwksUrl) were configured.',\n  );\n}\n\nfunction loadJwk(jwkString: string) {\n  return JSON.parse(jwkString) as JWK;\n}\n\nfunction loadSecret(secret: string) {\n  return new TextEncoder().encode(secret);\n}\n\nasync function verifyTokenImpl(\n  token: string,\n  verifyKey: Uint8Array | KeyLike | JWK,\n  verifyOptions: JWTClaimVerificationOptions,\n): Promise<JWTPayload> {\n  const {payload} = await jwtVerify(token, verifyKey, verifyOptions);\n\n  return payload;\n}\n"],"names":["remoteKeyset"],"mappings":";AA8BA,IAAI;AACJ,SAAS,gBAAgB,SAAiB;AACxC,MAAI,iBAAiB,QAAW;AAC9B,mBAAe,mBAAmB,IAAI,IAAI,OAAO,CAAC;AAAA,EACpD;AAEA,SAAO;AACT;AAGO,MAAM,qBAAqB,CAAC,WAAuB;AACxD,QAAM,eAAgB,CAAC,OAAO,UAAU,SAAS,EAAY;AAAA,IAC3D,CAAA,QAAO,OAAO,GAAG,MAAM;AAAA,EAAA;AAGzB,SAAO;AACT;AAGA,eAAsB,YACpB,QACA,OACA,eACqB;AACrB,MAAI,OAAO,QAAQ,QAAW;AAC5B,WAAO,gBAAgB,OAAO,QAAQ,OAAO,GAAG,GAAG,aAAa;AAAA,EAClE;AAEA,MAAI,OAAO,WAAW,QAAW;AAC/B,WAAO,gBAAgB,OAAO,WAAW,OAAO,MAAM,GAAG,aAAa;AAAA,EACxE;AAEA,MAAI,OAAO,YAAY,QAAW;AAChC,UAAMA,gBAAe,gBAAgB,OAAO,OAAO;AACnD,YAAQ,MAAM,UAAU,OAAOA,eAAc,aAAa,GAAG;AAAA,EAC/D;AAEA,QAAM,IAAI;AAAA,IACR;AAAA,EAAA;AAEJ;AAEA,SAAS,QAAQ,WAAmB;AAClC,SAAO,KAAK,MAAM,SAAS;AAC7B;AAEA,SAAS,WAAW,QAAgB;AAClC,SAAO,IAAI,YAAA,EAAc,OAAO,MAAM;AACxC;AAEA,eAAe,gBACb,OACA,WACA,eACqB;AACrB,QAAM,EAAC,QAAA,IAAW,MAAM,UAAU,OAAO,WAAW,aAAa;AAEjE,SAAO;AACT;"}
+{"version":3,"file":"jwt.js","names":[],"sources":["../../../../../zero-cache/src/auth/jwt.ts"],"sourcesContent":["import {\n  createRemoteJWKSet,\n  exportJWK,\n  generateKeyPair,\n  jwtVerify,\n  type JWK,\n  type JWTClaimVerificationOptions,\n  type JWTPayload,\n  type KeyLike,\n} from 'jose';\nimport type {AuthConfig} from '../config/zero-config.ts';\n\n/** @deprecated */\nexport async function createJwkPair() {\n  const {publicKey, privateKey} = await generateKeyPair('PS256');\n\n  const privateJwk = await exportJWK(privateKey);\n  const publicJwk = await exportJWK(publicKey);\n\n  privateJwk.kid = 'key-2024-001';\n  privateJwk.use = 'sig';\n  privateJwk.alg = 'PS256';\n\n  publicJwk.kid = privateJwk.kid;\n  publicJwk.use = privateJwk.use;\n  publicJwk.alg = privateJwk.alg;\n\n  return {privateJwk, publicJwk};\n}\n\nlet remoteKeyset: ReturnType<typeof createRemoteJWKSet> | undefined;\nfunction getRemoteKeyset(jwksUrl: string) {\n  if (remoteKeyset === undefined) {\n    remoteKeyset = createRemoteJWKSet(new URL(jwksUrl));\n  }\n\n  return remoteKeyset;\n}\n\n/** @deprecated */\nexport const tokenConfigOptions = (config: AuthConfig) => {\n  const tokenOptions = (['jwk', 'secret', 'jwksUrl'] as const).filter(\n    key => config[key] !== undefined,\n  );\n\n  return tokenOptions;\n};\n\n/** @deprecated */\nexport async function verifyToken(\n  config: AuthConfig,\n  token: string,\n  verifyOptions: JWTClaimVerificationOptions,\n): Promise<JWTPayload> {\n  if (config.jwk !== undefined) {\n    return verifyTokenImpl(token, loadJwk(config.jwk), verifyOptions);\n  }\n\n  if (config.secret !== undefined) {\n    return verifyTokenImpl(token, loadSecret(config.secret), verifyOptions);\n  }\n\n  if (config.jwksUrl !== undefined) {\n    const remoteKeyset = getRemoteKeyset(config.jwksUrl);\n    return (await jwtVerify(token, remoteKeyset, verifyOptions)).payload;\n  }\n\n  throw new Error(\n    'verifyToken was called but no auth options (one of: jwk, secret, jwksUrl) were configured.',\n  );\n}\n\nfunction loadJwk(jwkString: string) {\n  return JSON.parse(jwkString) as JWK;\n}\n\nfunction loadSecret(secret: string) {\n  return new TextEncoder().encode(secret);\n}\n\nasync function verifyTokenImpl(\n  token: string,\n  verifyKey: Uint8Array | KeyLike | JWK,\n  verifyOptions: JWTClaimVerificationOptions,\n): Promise<JWTPayload> {\n  const {payload} = await jwtVerify(token, verifyKey, verifyOptions);\n\n  return payload;\n}\n"],"mappings":";;AA8BA,IAAI;AACJ,SAAS,gBAAgB,SAAiB;AACxC,KAAI,iBAAiB,KAAA,EACnB,gBAAe,mBAAmB,IAAI,IAAI,QAAQ,CAAC;AAGrD,QAAO;;;AAIT,IAAa,sBAAsB,WAAuB;AAKxD,QAJsB;EAAC;EAAO;EAAU;EAAU,CAAW,QAC3D,QAAO,OAAO,SAAS,KAAA,EACxB;;;AAMH,eAAsB,YACpB,QACA,OACA,eACqB;AACrB,KAAI,OAAO,QAAQ,KAAA,EACjB,QAAO,gBAAgB,OAAO,QAAQ,OAAO,IAAI,EAAE,cAAc;AAGnE,KAAI,OAAO,WAAW,KAAA,EACpB,QAAO,gBAAgB,OAAO,WAAW,OAAO,OAAO,EAAE,cAAc;AAGzE,KAAI,OAAO,YAAY,KAAA,EAErB,SAAQ,MAAM,UAAU,OADH,gBAAgB,OAAO,QAAQ,EACP,cAAc,EAAE;AAG/D,OAAM,IAAI,MACR,6FACD;;AAGH,SAAS,QAAQ,WAAmB;AAClC,QAAO,KAAK,MAAM,UAAU;;AAG9B,SAAS,WAAW,QAAgB;AAClC,QAAO,IAAI,aAAa,CAAC,OAAO,OAAO;;AAGzC,eAAe,gBACb,OACA,WACA,eACqB;CACrB,MAAM,EAAC,YAAW,MAAM,UAAU,OAAO,WAAW,cAAc;AAElE,QAAO"}

package/out/zero-cache/src/auth/load-permissions.js

@@ -1,74 +1,66 @@
 import { parse } from "../../../shared/src/valita.js";
+import { elide } from "../types/strings.js";
 import { permissionsConfigSchema } from "../../../zero-schema/src/compiled-permissions.js";
 import { computeZqlSpecs } from "../db/lite-tables.js";
-import { elide } from "../types/strings.js";
+//#region ../zero-cache/src/auth/load-permissions.ts
 function loadPermissions(lc, replica, appID, config) {
-  const { permissions, hash } = replica.get(
-    `SELECT permissions, hash FROM "${appID}.permissions"`
-  );
-  if (permissions === null) {
-    const hasCustomEndpoints = config !== void 0 && (config.push?.url !== void 0 || config.mutate?.url !== void 0) && (config.query?.url !== void 0 || config.getQueries?.url !== void 0);
-    if (!hasCustomEndpoints) {
-      const appIDFlag = appID === "zero" ? "" : ` --app-id=${appID}`;
-      lc.warn?.(
-        `
+	const { permissions, hash } = replica.get(`SELECT permissions, hash FROM "${appID}.permissions"`);
+	if (permissions === null) {
+		if (!(config !== void 0 && (config.push?.url !== void 0 || config.mutate?.url !== void 0) && (config.query?.url !== void 0 || config.getQueries?.url !== void 0))) {
+			const appIDFlag = appID === "zero" ? "" : ` --app-id=${appID}`;
+			lc.warn?.(`
 
 
 No upstream permissions deployed.
-Run 'npx zero-deploy-permissions${appIDFlag}' to enforce permissions.
-
-
-`
-      );
-    }
-    return { permissions, hash: null };
-  }
-  let obj;
-  let parsed;
-  try {
-    obj = JSON.parse(permissions);
-    parsed = parse(obj, permissionsConfigSchema);
-  } catch (e) {
-    throw new Error(
-      `Could not parse upstream permissions: '${elide(String(permissions), 100)}'.
-This may happen if Permissions with a new internal format are deployed before the supporting server has been fully rolled out.`,
-      { cause: e }
-    );
-  }
-  return { permissions: parsed, hash };
+Run 'npx zero-deploy-permissions${appIDFlag}' to enforce permissions.\n\n\n`);
+		}
+		return {
+			permissions,
+			hash: null
+		};
+	}
+	let obj;
+	let parsed;
+	try {
+		obj = JSON.parse(permissions);
+		parsed = parse(obj, permissionsConfigSchema);
+	} catch (e) {
+		throw new Error(`Could not parse upstream permissions: '${elide(String(permissions), 100)}'.\nThis may happen if Permissions with a new internal format are deployed before the supporting server has been fully rolled out.`, { cause: e });
+	}
+	return {
+		permissions: parsed,
+		hash
+	};
 }
 function reloadPermissionsIfChanged(lc, replica, appID, current, config) {
-  if (current === null) {
-    return {
-      permissions: loadPermissions(lc, replica, appID, config),
-      changed: true
-    };
-  }
-  const { hash } = replica.get(`SELECT hash FROM "${appID}.permissions"`);
-  return hash === current.hash ? { permissions: current, changed: false } : { permissions: loadPermissions(lc, replica, appID, config), changed: true };
+	if (current === null) return {
+		permissions: loadPermissions(lc, replica, appID, config),
+		changed: true
+	};
+	const { hash } = replica.get(`SELECT hash FROM "${appID}.permissions"`);
+	return hash === current.hash ? {
+		permissions: current,
+		changed: false
+	} : {
+		permissions: loadPermissions(lc, replica, appID, config),
+		changed: true
+	};
 }
 function getSchema(lc, replica) {
-  const specs = computeZqlSpecs(lc, replica, {
-    includeBackfillingColumns: false
-  });
-  const tables = Object.fromEntries(
-    [...specs.values()].map((table) => {
-      const {
-        tableSpec: { name, primaryKey },
-        zqlSpec: columns
-      } = table;
-      return [name, { name, columns, primaryKey }];
-    })
-  );
-  return {
-    tables,
-    relationships: {}
-    // relationships are already denormalized in ASTs
-  };
+	const specs = computeZqlSpecs(lc, replica, { includeBackfillingColumns: false });
+	return {
+		tables: Object.fromEntries([...specs.values()].map((table) => {
+			const { tableSpec: { name, primaryKey }, zqlSpec: columns } = table;
+			return [name, {
+				name,
+				columns,
+				primaryKey
+			}];
+		})),
+		relationships: {}
+	};
 }
-export {
-  getSchema,
-  loadPermissions,
-  reloadPermissionsIfChanged
-};
-//# sourceMappingURL=load-permissions.js.map
+//#endregion
+export { getSchema, loadPermissions, reloadPermissionsIfChanged };
+
+//# sourceMappingURL=load-permissions.js.map

package/out/zero-cache/src/auth/load-permissions.js.map

@@ -1 +1 @@
-{"version":3,"file":"load-permissions.js","sources":["../../../../../zero-cache/src/auth/load-permissions.ts"],"sourcesContent":["import type {LogContext} from '@rocicorp/logger';\nimport * as v from '../../../shared/src/valita.ts';\nimport {\n  permissionsConfigSchema,\n  type PermissionsConfig,\n} from '../../../zero-schema/src/compiled-permissions.ts';\nimport type {TableSchema} from '../../../zero-schema/src/table-schema.ts';\nimport type {Schema} from '../../../zero-types/src/schema.ts';\nimport type {Database} from '../../../zqlite/src/db.ts';\nimport type {ZeroConfig} from '../config/zero-config.ts';\nimport {computeZqlSpecs} from '../db/lite-tables.ts';\nimport type {StatementRunner} from '../db/statements.ts';\nimport {elide} from '../types/strings.ts';\n\nexport type LoadedPermissions = {\n  permissions: PermissionsConfig | null;\n  hash: string | null;\n};\n\nexport function loadPermissions(\n  lc: LogContext,\n  replica: StatementRunner,\n  appID: string,\n  config?: ZeroConfig | undefined,\n): LoadedPermissions {\n  const {permissions, hash} = replica.get(\n    `SELECT permissions, hash FROM \"${appID}.permissions\"`,\n  );\n  if (permissions === null) {\n    const hasCustomEndpoints =\n      config !== undefined &&\n      (config.push?.url !== undefined || config.mutate?.url !== undefined) &&\n      (config.query?.url !== undefined || config.getQueries?.url !== undefined);\n\n    if (!hasCustomEndpoints) {\n      const appIDFlag = appID === 'zero' ? '' : ` --app-id=${appID}`;\n      lc.warn?.(\n        `\\n\\n\\n` +\n          `No upstream permissions deployed.\\n` +\n          `Run 'npx zero-deploy-permissions${appIDFlag}' to enforce permissions.` +\n          `\\n\\n\\n`,\n      );\n    }\n    return {permissions, hash: null};\n  }\n  let obj;\n  let parsed;\n  try {\n    obj = JSON.parse(permissions);\n    parsed = v.parse(obj, permissionsConfigSchema);\n  } catch (e) {\n    // TODO: Plumb the --server-version and include in error message.\n    throw new Error(\n      `Could not parse upstream permissions: ` +\n        `'${elide(String(permissions), 100)}'.\\n` +\n        `This may happen if Permissions with a new internal format are ` +\n        `deployed before the supporting server has been fully rolled out.`,\n      {cause: e},\n    );\n  }\n  return {permissions: parsed, hash};\n}\n\nexport function reloadPermissionsIfChanged(\n  lc: LogContext,\n  replica: StatementRunner,\n  appID: string,\n  current: LoadedPermissions | null,\n  config?: ZeroConfig | undefined,\n): {permissions: LoadedPermissions; changed: boolean} {\n  if (current === null) {\n    return {\n      permissions: loadPermissions(lc, replica, appID, config),\n      changed: true,\n    };\n  }\n  const {hash} = replica.get(`SELECT hash FROM \"${appID}.permissions\"`);\n  return hash === current.hash\n    ? {permissions: current, changed: false}\n    : {permissions: loadPermissions(lc, replica, appID, config), changed: true};\n}\n\nexport function getSchema(lc: LogContext, replica: Database): Schema {\n  const specs = computeZqlSpecs(lc, replica, {\n    includeBackfillingColumns: false,\n  });\n  const tables = Object.fromEntries(\n    [...specs.values()].map(table => {\n      const {\n        tableSpec: {name, primaryKey},\n        zqlSpec: columns,\n      } = table;\n      return [name, {name, columns, primaryKey} satisfies TableSchema];\n    }),\n  );\n  return {\n    tables,\n    relationships: {}, // relationships are already denormalized in ASTs\n  };\n}\n"],"names":["v.parse"],"mappings":";;;;AAmBO,SAAS,gBACd,IACA,SACA,OACA,QACmB;AACnB,QAAM,EAAC,aAAa,KAAA,IAAQ,QAAQ;AAAA,IAClC,kCAAkC,KAAK;AAAA,EAAA;AAEzC,MAAI,gBAAgB,MAAM;AACxB,UAAM,qBACJ,WAAW,WACV,OAAO,MAAM,QAAQ,UAAa,OAAO,QAAQ,QAAQ,YACzD,OAAO,OAAO,QAAQ,UAAa,OAAO,YAAY,QAAQ;AAEjE,QAAI,CAAC,oBAAoB;AACvB,YAAM,YAAY,UAAU,SAAS,KAAK,aAAa,KAAK;AAC5D,SAAG;AAAA,QACD;AAAA;AAAA;AAAA;AAAA,kCAEqC,SAAS;AAAA;AAAA;AAAA;AAAA,MAAA;AAAA,IAGlD;AACA,WAAO,EAAC,aAAa,MAAM,KAAA;AAAA,EAC7B;AACA,MAAI;AACJ,MAAI;AACJ,MAAI;AACF,UAAM,KAAK,MAAM,WAAW;AAC5B,aAASA,MAAQ,KAAK,uBAAuB;AAAA,EAC/C,SAAS,GAAG;AAEV,UAAM,IAAI;AAAA,MACR,0CACM,MAAM,OAAO,WAAW,GAAG,GAAG,CAAC;AAAA;AAAA,MAGrC,EAAC,OAAO,EAAA;AAAA,IAAC;AAAA,EAEb;AACA,SAAO,EAAC,aAAa,QAAQ,KAAA;AAC/B;AAEO,SAAS,2BACd,IACA,SACA,OACA,SACA,QACoD;AACpD,MAAI,YAAY,MAAM;AACpB,WAAO;AAAA,MACL,aAAa,gBAAgB,IAAI,SAAS,OAAO,MAAM;AAAA,MACvD,SAAS;AAAA,IAAA;AAAA,EAEb;AACA,QAAM,EAAC,KAAA,IAAQ,QAAQ,IAAI,qBAAqB,KAAK,eAAe;AACpE,SAAO,SAAS,QAAQ,OACpB,EAAC,aAAa,SAAS,SAAS,MAAA,IAChC,EAAC,aAAa,gBAAgB,IAAI,SAAS,OAAO,MAAM,GAAG,SAAS,KAAA;AAC1E;AAEO,SAAS,UAAU,IAAgB,SAA2B;AACnE,QAAM,QAAQ,gBAAgB,IAAI,SAAS;AAAA,IACzC,2BAA2B;AAAA,EAAA,CAC5B;AACD,QAAM,SAAS,OAAO;AAAA,IACpB,CAAC,GAAG,MAAM,QAAQ,EAAE,IAAI,CAAA,UAAS;AAC/B,YAAM;AAAA,QACJ,WAAW,EAAC,MAAM,WAAA;AAAA,QAClB,SAAS;AAAA,MAAA,IACP;AACJ,aAAO,CAAC,MAAM,EAAC,MAAM,SAAS,YAAiC;AAAA,IACjE,CAAC;AAAA,EAAA;AAEH,SAAO;AAAA,IACL;AAAA,IACA,eAAe,CAAA;AAAA;AAAA,EAAC;AAEpB;"}
+{"version":3,"file":"load-permissions.js","names":[],"sources":["../../../../../zero-cache/src/auth/load-permissions.ts"],"sourcesContent":["import type {LogContext} from '@rocicorp/logger';\nimport * as v from '../../../shared/src/valita.ts';\nimport {\n  permissionsConfigSchema,\n  type PermissionsConfig,\n} from '../../../zero-schema/src/compiled-permissions.ts';\nimport type {TableSchema} from '../../../zero-schema/src/table-schema.ts';\nimport type {Schema} from '../../../zero-types/src/schema.ts';\nimport type {Database} from '../../../zqlite/src/db.ts';\nimport type {ZeroConfig} from '../config/zero-config.ts';\nimport {computeZqlSpecs} from '../db/lite-tables.ts';\nimport type {StatementRunner} from '../db/statements.ts';\nimport {elide} from '../types/strings.ts';\n\nexport type LoadedPermissions = {\n  permissions: PermissionsConfig | null;\n  hash: string | null;\n};\n\nexport function loadPermissions(\n  lc: LogContext,\n  replica: StatementRunner,\n  appID: string,\n  config?: ZeroConfig | undefined,\n): LoadedPermissions {\n  const {permissions, hash} = replica.get(\n    `SELECT permissions, hash FROM \"${appID}.permissions\"`,\n  );\n  if (permissions === null) {\n    const hasCustomEndpoints =\n      config !== undefined &&\n      (config.push?.url !== undefined || config.mutate?.url !== undefined) &&\n      (config.query?.url !== undefined || config.getQueries?.url !== undefined);\n\n    if (!hasCustomEndpoints) {\n      const appIDFlag = appID === 'zero' ? '' : ` --app-id=${appID}`;\n      lc.warn?.(\n        `\\n\\n\\n` +\n          `No upstream permissions deployed.\\n` +\n          `Run 'npx zero-deploy-permissions${appIDFlag}' to enforce permissions.` +\n          `\\n\\n\\n`,\n      );\n    }\n    return {permissions, hash: null};\n  }\n  let obj;\n  let parsed;\n  try {\n    obj = JSON.parse(permissions);\n    parsed = v.parse(obj, permissionsConfigSchema);\n  } catch (e) {\n    // TODO: Plumb the --server-version and include in error message.\n    throw new Error(\n      `Could not parse upstream permissions: ` +\n        `'${elide(String(permissions), 100)}'.\\n` +\n        `This may happen if Permissions with a new internal format are ` +\n        `deployed before the supporting server has been fully rolled out.`,\n      {cause: e},\n    );\n  }\n  return {permissions: parsed, hash};\n}\n\nexport function reloadPermissionsIfChanged(\n  lc: LogContext,\n  replica: StatementRunner,\n  appID: string,\n  current: LoadedPermissions | null,\n  config?: ZeroConfig | undefined,\n): {permissions: LoadedPermissions; changed: boolean} {\n  if (current === null) {\n    return {\n      permissions: loadPermissions(lc, replica, appID, config),\n      changed: true,\n    };\n  }\n  const {hash} = replica.get(`SELECT hash FROM \"${appID}.permissions\"`);\n  return hash === current.hash\n    ? {permissions: current, changed: false}\n    : {permissions: loadPermissions(lc, replica, appID, config), changed: true};\n}\n\nexport function getSchema(lc: LogContext, replica: Database): Schema {\n  const specs = computeZqlSpecs(lc, replica, {\n    includeBackfillingColumns: false,\n  });\n  const tables = Object.fromEntries(\n    [...specs.values()].map(table => {\n      const {\n        tableSpec: {name, primaryKey},\n        zqlSpec: columns,\n      } = table;\n      return [name, {name, columns, primaryKey} satisfies TableSchema];\n    }),\n  );\n  return {\n    tables,\n    relationships: {}, // relationships are already denormalized in ASTs\n  };\n}\n"],"mappings":";;;;;AAmBA,SAAgB,gBACd,IACA,SACA,OACA,QACmB;CACnB,MAAM,EAAC,aAAa,SAAQ,QAAQ,IAClC,kCAAkC,MAAM,eACzC;AACD,KAAI,gBAAgB,MAAM;AAMxB,MAAI,EAJF,WAAW,KAAA,MACV,OAAO,MAAM,QAAQ,KAAA,KAAa,OAAO,QAAQ,QAAQ,KAAA,OACzD,OAAO,OAAO,QAAQ,KAAA,KAAa,OAAO,YAAY,QAAQ,KAAA,KAExC;GACvB,MAAM,YAAY,UAAU,SAAS,KAAK,aAAa;AACvD,MAAG,OACD;;;;kCAEqC,UAAU,iCAEhD;;AAEH,SAAO;GAAC;GAAa,MAAM;GAAK;;CAElC,IAAI;CACJ,IAAI;AACJ,KAAI;AACF,QAAM,KAAK,MAAM,YAAY;AAC7B,WAAS,MAAQ,KAAK,wBAAwB;UACvC,GAAG;AAEV,QAAM,IAAI,MACR,0CACM,MAAM,OAAO,YAAY,EAAE,IAAI,CAAC,qIAGtC,EAAC,OAAO,GAAE,CACX;;AAEH,QAAO;EAAC,aAAa;EAAQ;EAAK;;AAGpC,SAAgB,2BACd,IACA,SACA,OACA,SACA,QACoD;AACpD,KAAI,YAAY,KACd,QAAO;EACL,aAAa,gBAAgB,IAAI,SAAS,OAAO,OAAO;EACxD,SAAS;EACV;CAEH,MAAM,EAAC,SAAQ,QAAQ,IAAI,qBAAqB,MAAM,eAAe;AACrE,QAAO,SAAS,QAAQ,OACpB;EAAC,aAAa;EAAS,SAAS;EAAM,GACtC;EAAC,aAAa,gBAAgB,IAAI,SAAS,OAAO,OAAO;EAAE,SAAS;EAAK;;AAG/E,SAAgB,UAAU,IAAgB,SAA2B;CACnE,MAAM,QAAQ,gBAAgB,IAAI,SAAS,EACzC,2BAA2B,OAC5B,CAAC;AAUF,QAAO;EACL,QAVa,OAAO,YACpB,CAAC,GAAG,MAAM,QAAQ,CAAC,CAAC,KAAI,UAAS;GAC/B,MAAM,EACJ,WAAW,EAAC,MAAM,cAClB,SAAS,YACP;AACJ,UAAO,CAAC,MAAM;IAAC;IAAM;IAAS;IAAW,CAAuB;IAChE,CACH;EAGC,eAAe,EAAE;EAClB"}