@run402/functions 2.4.1 → 2.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +107 -0
- package/dist/auth.d.ts +47 -1
- package/dist/auth.d.ts.map +1 -1
- package/dist/auth.js +92 -4
- package/dist/auth.js.map +1 -1
- package/dist/cache.d.ts +122 -0
- package/dist/cache.d.ts.map +1 -0
- package/dist/cache.js +243 -0
- package/dist/cache.js.map +1 -0
- package/dist/db.d.ts +26 -7
- package/dist/db.d.ts.map +1 -1
- package/dist/db.js +38 -8
- package/dist/db.js.map +1 -1
- package/dist/index.d.ts +6 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +11 -1
- package/dist/index.js.map +1 -1
- package/dist/lib/jwt.d.ts +55 -0
- package/dist/lib/jwt.d.ts.map +1 -0
- package/dist/lib/jwt.js +196 -0
- package/dist/lib/jwt.js.map +1 -0
- package/dist/runtime-context.d.ts +152 -0
- package/dist/runtime-context.d.ts.map +1 -0
- package/dist/runtime-context.js +170 -0
- package/dist/runtime-context.js.map +1 -0
- package/package.json +2 -7
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cache.js","sourceRoot":"","sources":["../src/cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAwB,MAAM,sBAAsB,CAAC;AA0B/E;;;;GAIG;AACH,MAAM,OAAO,kCAAmC,SAAQ,KAAK;IAClD,IAAI,GAAG,uCAAuC,CAAC;IAC/C,IAAI,GAAG,iEAAiE,CAAC;IACzE,YAAY,GACnB,+JAA+J,CAAC;IAElK;QACE,KAAK,CACH,2DAA2D;YACzD,6DAA6D,CAChE,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,oCAAoC,CAAC;IACnD,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,mCAAoC,SAAQ,KAAK;IACnD,IAAI,GAAG,wCAAwC,CAAC;IAChD,IAAI,GAAG,kEAAkE,CAAC;IAC1E,IAAI,CAAS;IACb,YAAY,CAAS;IAE9B,YAAY,IAAY;QACtB,KAAK,CAAC,QAAQ,IAAI,sCAAsC,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,GAAG,qCAAqC,CAAC;QAClD,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,YAAY,GAAG,uMAAuM,CAAC;IAC9N,CAAC;CACF;AAED;;;;;GAKG;AACH,KAAK,UAAU,mBAAmB,CAAC,IAMlC;IACC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,sBAAsB,CAAC;IACrD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,kEAAkE;YAClE,kEAAkE;YAClE,4DAA4D;YAC5D,aAAa,EAAE,SAAS,GAAG,MAAM,CAAC,WAAW;SAC9C;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAA4B,CAAC;QACrF,MAAM,IAAI,GAAG,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACjF,MAAM,IAAI,mCAAmC,CAAC,IAAI,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,oBAAoB,IAAI,CAAC,IAAI,kBAAkB,QAAQ,CAAC,MAAM,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAC1F,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAMlC,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACnC,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACjC,GAAG,CAAC;YACJ,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;SACjC,CAAC,CAAC;KACJ,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,SAAuB;IACtD,IAAI,IAAY,CAAC;IACjB,IAAI,IAAY,CAAC;IAEjB,IAAI,SAAS,YAAY,GAAG,EAAE,CAAC;QAC7B,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QACpC,IAAI,GAAG,SAAS,CAAC,QAAQ,GAAG,SAAS,CAAC,MAAM,CAAC;IAC/C,CAAC;SAAM,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5E,gEAAgE;QAChE,uBAAuB;QACvB,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7B,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC5B,IAAI,GAAG,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;SAAM,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7E,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7B,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC5B,IAAI,GAAG,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;SAAM,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACtE,qEAAqE;QACrE,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;QAChC,IAAI,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAC3C,MAAM,IAAI,kCAAkC,EAAE,CAAC;QACjD,CAAC;QACD,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC9B,IAAI,GAAG,SAAS,CAAC;IACnB,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CACb,yGAAyG,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,SAAS,GAAG,CAAC,CAAC,CAAC,OAAO,SAAS,EAAE,CAC/K,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;IACxE,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,IAAI;KAC1B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAA6B;IAClE,IAAI,CAAC,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC5E,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC;QACvC,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE;QAC7B,MAAM,EAAE,IAAI,CAAC,MAAM;KACpB,CAAC,CAAC;IACH,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAA0B;IAC5D,IAAI,CAAC,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IACzE,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC;QACvC,IAAI,EAAE,KAAK;QACX,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE;KAC9B,CAAC,CAAC;IACH,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,IAAyB;IAC5D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IAClD,CAAC;IAED,mEAAmE;IACnE,yBAAyB;IACzB,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC9B,IAAI,CAAC,YAAY,GAAG;YAAE,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC1C,IAAI,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,CAAC,CAAC;QAClE,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACtB,IAAI,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBAC3C,MAAM,IAAI,kCAAkC,EAAE,CAAC;YACjD,CAAC;YACD,OAAO,WAAW,GAAG,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACnC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,GAAG,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC3E,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE;KACxB,CAAC;AACJ,CAAC;AAED;2BAC2B;AAC3B,MAAM,CAAC,MAAM,KAAK,GAAG;IACnB,UAAU;IACV,gBAAgB;IAChB,aAAa;IACb,cAAc;CACN,CAAC"}
|
package/dist/db.d.ts
CHANGED
|
@@ -30,15 +30,34 @@ interface CallerDbClient {
|
|
|
30
30
|
from(table: string): QueryBuilder;
|
|
31
31
|
}
|
|
32
32
|
/**
|
|
33
|
-
* Caller-context DB client. Forwards the
|
|
34
|
-
*
|
|
35
|
-
* `apikey` is the project's anon key (routing only — does not grant bypass).
|
|
33
|
+
* Caller-context DB client. Forwards the caller's Authorization header
|
|
34
|
+
* to PostgREST so RLS policies evaluate against the caller's role.
|
|
36
35
|
*
|
|
37
|
-
*
|
|
38
|
-
*
|
|
39
|
-
*
|
|
36
|
+
* Capability `astro-ssr-runtime` (v1.52): `db()` now accepts the request
|
|
37
|
+
* via either path:
|
|
38
|
+
*
|
|
39
|
+
* 1. **Explicit `db(req)`** — pass a Web `Request` (or Express
|
|
40
|
+
* `req.raw` equivalent). The existing v0.x call shape.
|
|
41
|
+
*
|
|
42
|
+
* 2. **Implicit `db()`** — when called with no argument, reads the
|
|
43
|
+
* Authorization header from the active AsyncLocalStorage request
|
|
44
|
+
* context (populated by the SSR Lambda runtime in `@run402/astro`).
|
|
45
|
+
* This is what makes `await db().from(...)` work naturally inside
|
|
46
|
+
* Astro `[slug].astro` frontmatter without explicit plumbing.
|
|
47
|
+
*
|
|
48
|
+
* `apikey` is the project's anon key (routing only — does not grant
|
|
49
|
+
* bypass). If no Authorization is present (in either form), the request
|
|
50
|
+
* is sent with just the anon apikey; PostgREST resolves role=anon and
|
|
51
|
+
* RLS decides whether the query succeeds or returns 401/403.
|
|
52
|
+
*
|
|
53
|
+
* Outside an active request context (module scope, background timer
|
|
54
|
+
* past response materialization), `db()` (no arg) still works — it
|
|
55
|
+
* sends with no Authorization, exactly as the v0.x behavior with a
|
|
56
|
+
* Request that has no auth header. SDK functions that REQUIRE a context
|
|
57
|
+
* (like `cache.invalidate` path-form) throw `R402_SDK_OUTSIDE_REQUEST_CONTEXT`
|
|
58
|
+
* separately.
|
|
40
59
|
*/
|
|
41
|
-
export declare function db(req
|
|
60
|
+
export declare function db(req?: Request): CallerDbClient;
|
|
42
61
|
interface AdminDbClient {
|
|
43
62
|
from(table: string): QueryBuilder;
|
|
44
63
|
sql(query: string, params?: unknown[]): Promise<Record<string, unknown>[]>;
|
package/dist/db.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAGA,UAAU,gBAAgB;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,YAAY;;gBASX,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB;IAOjD,MAAM,CAAC,OAAO,SAAM,GAAG,IAAI;IAK3B,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK3C,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK5C,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,GAAG,IAAI;IAKrD,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,SAAgB,EAAE;;KAAK,GAAG,IAAI;IAKtD,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK1B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK3B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;IAMvE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAM3C,MAAM,IAAI,IAAI;IAKd,IAAI,CACF,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,IAAI,EACnD,MAAM,EAAE,CAAC,MAAM,EAAE,KAAK,KAAK,IAAI,GAC9B,IAAI;CA6BR;AAgBD,UAAU,cAAc;IACtB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,cAAc,CAkBhD;AAED,UAAU,aAAa;IACrB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IAClC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;CAC5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA+BvC"}
|
package/dist/db.js
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { config } from "./config.js";
|
|
2
|
+
import { getCurrentContext } from "./runtime-context.js";
|
|
2
3
|
export class QueryBuilder {
|
|
3
4
|
#table;
|
|
4
5
|
#params = new URLSearchParams();
|
|
@@ -111,21 +112,50 @@ function extractAuth(req) {
|
|
|
111
112
|
const auth = req.headers.get("authorization") ?? req.headers.get("Authorization");
|
|
112
113
|
return auth ?? undefined;
|
|
113
114
|
}
|
|
115
|
+
function extractAuthFromAls() {
|
|
116
|
+
const ctx = getCurrentContext();
|
|
117
|
+
if (ctx === undefined)
|
|
118
|
+
return undefined;
|
|
119
|
+
const headers = ctx.request.headers;
|
|
120
|
+
const raw = headers["authorization"] ?? headers["Authorization"];
|
|
121
|
+
if (Array.isArray(raw))
|
|
122
|
+
return raw[0];
|
|
123
|
+
return raw ?? undefined;
|
|
124
|
+
}
|
|
114
125
|
/**
|
|
115
|
-
* Caller-context DB client. Forwards the
|
|
116
|
-
*
|
|
117
|
-
*
|
|
126
|
+
* Caller-context DB client. Forwards the caller's Authorization header
|
|
127
|
+
* to PostgREST so RLS policies evaluate against the caller's role.
|
|
128
|
+
*
|
|
129
|
+
* Capability `astro-ssr-runtime` (v1.52): `db()` now accepts the request
|
|
130
|
+
* via either path:
|
|
131
|
+
*
|
|
132
|
+
* 1. **Explicit `db(req)`** — pass a Web `Request` (or Express
|
|
133
|
+
* `req.raw` equivalent). The existing v0.x call shape.
|
|
134
|
+
*
|
|
135
|
+
* 2. **Implicit `db()`** — when called with no argument, reads the
|
|
136
|
+
* Authorization header from the active AsyncLocalStorage request
|
|
137
|
+
* context (populated by the SSR Lambda runtime in `@run402/astro`).
|
|
138
|
+
* This is what makes `await db().from(...)` work naturally inside
|
|
139
|
+
* Astro `[slug].astro` frontmatter without explicit plumbing.
|
|
140
|
+
*
|
|
141
|
+
* `apikey` is the project's anon key (routing only — does not grant
|
|
142
|
+
* bypass). If no Authorization is present (in either form), the request
|
|
143
|
+
* is sent with just the anon apikey; PostgREST resolves role=anon and
|
|
144
|
+
* RLS decides whether the query succeeds or returns 401/403.
|
|
118
145
|
*
|
|
119
|
-
*
|
|
120
|
-
*
|
|
121
|
-
*
|
|
146
|
+
* Outside an active request context (module scope, background timer
|
|
147
|
+
* past response materialization), `db()` (no arg) still works — it
|
|
148
|
+
* sends with no Authorization, exactly as the v0.x behavior with a
|
|
149
|
+
* Request that has no auth header. SDK functions that REQUIRE a context
|
|
150
|
+
* (like `cache.invalidate` path-form) throw `R402_SDK_OUTSIDE_REQUEST_CONTEXT`
|
|
151
|
+
* separately.
|
|
122
152
|
*/
|
|
123
153
|
export function db(req) {
|
|
124
154
|
if (!config.ANON_KEY) {
|
|
125
|
-
throw new Error("db(
|
|
155
|
+
throw new Error("db() requires RUN402_ANON_KEY in the Lambda environment. " +
|
|
126
156
|
"Redeploy this function via the gateway to pick up the new env var.");
|
|
127
157
|
}
|
|
128
|
-
const authorization = extractAuth(req);
|
|
158
|
+
const authorization = req !== undefined ? extractAuth(req) : extractAuthFromAls();
|
|
129
159
|
const anonKey = config.ANON_KEY;
|
|
130
160
|
return {
|
|
131
161
|
from(table) {
|
package/dist/db.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAQzD,MAAM,OAAO,YAAY;IACvB,MAAM,CAAS;IACf,OAAO,GAAG,IAAI,eAAe,EAAE,CAAC;IAChC,OAAO,GAAG,KAAK,CAAC;IAChB,KAAK,GAAY,SAAS,CAAC;IAC3B,OAAO,CAAS;IAChB,cAAc,CAAqB;IACnC,SAAS,CAAS;IAElB,YAAY,KAAa,EAAE,IAAsB;QAC/C,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,GAAG;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,MAAc,EAAE,OAAe;QAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,OAAO,EAAE,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,OAAe;QACnC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,MAA2B;QAC5C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE;QAC7C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAa;QACjB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAAyD;QAC9D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAA6B;QAClC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM;QACJ,IAAI,CAAC,OAAO,GAAG,QAAQ,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CACF,OAAmD,EACnD,MAA+B;QAE/B,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAEtF,MAAM,OAAO,GAA2B;YACtC,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,uBAAuB;SAChC,CAAC;QACF,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,cAAc,CAAC;QAC9C,CAAC;QAED,KAAK,CAAC,GAAG,EAAE;YACT,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1D,CAAC;aACC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YAClB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC,CAAC;gBACjE,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAiC,CAAC,CAAC;QAC7C,CAAC,CAAC;aACD,KAAK,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC;CACF;AAED,SAAS,WAAW,CAAC,GAAY;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClF,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,kBAAkB;IACzB,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACxC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;IACtC,OAAO,GAAG,IAAI,SAAS,CAAC;AAC1B,CAAC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,EAAE,CAAC,GAAa;IAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,2DAA2D;YACzD,oEAAoE,CACvE,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,EAAE,CAAC;IAClF,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,OAAO;gBACf,aAAa;gBACb,QAAQ,EAAE,UAAU;aACrB,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAOD;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO;IACrB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC;IACtC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,UAAU;gBAClB,aAAa,EAAE,UAAU,UAAU,EAAE;gBACrC,QAAQ,EAAE,gBAAgB;aAC3B,CAAC,CAAC;QACL,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,KAAa,EAAE,MAAkB;YACzC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,sBAAsB,MAAM,CAAC,UAAU,MAAM,CAAC;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;YAC7D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,UAAU,EAAE;oBACrC,cAAc,EAAE,SAAS,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,YAAY;iBAC9D;gBACD,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK;aACjE,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,cAAc,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,GAAG,CAAC,IAAI,EAAwC,CAAC;QAC1D,CAAC;KACF,CAAC;AACJ,CAAC"}
|
package/dist/index.d.ts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
export { db, adminDb, QueryBuilder } from "./db.js";
|
|
2
|
-
export { getUser } from "./auth.js";
|
|
2
|
+
export { getUser, getUserId, getRole } from "./auth.js";
|
|
3
3
|
export type { User } from "./auth.js";
|
|
4
4
|
export { email } from "./email.js";
|
|
5
5
|
export type { EmailSendOptions, EmailRawOptions, EmailTemplateOptions, EmailSendResult } from "./email.js";
|
|
@@ -9,4 +9,9 @@ export { assets } from "./assets.js";
|
|
|
9
9
|
export type { AssetPutOptions, AssetPutSource, AssetPutSourceInput, AssetRef, AssetVisibility, AssetVariant, AssetListRow, AssetsListFilter, AssetsListOptions, AssetsListResult, AssetsListSort, ImageInfo, } from "./assets.js";
|
|
10
10
|
export { bytes, isRequest, json, routedHttp, text } from "./routed-http.js";
|
|
11
11
|
export type { RoutedHttpHeaderList, RoutedHttpRequestV1, RoutedHttpResponseInit, RoutedHttpResponseV1, } from "./routed-http.js";
|
|
12
|
+
export { cache } from "./cache.js";
|
|
13
|
+
export type { Cache, CacheInvalidateResult, InvalidatePrefixOptions, InvalidateAllOptions, } from "./cache.js";
|
|
14
|
+
export { CacheInvalidationHostRequiredError, CacheInvalidationHostForbiddenError, } from "./cache.js";
|
|
15
|
+
export { als, getCurrentContext, runWithContext, requireActiveContext, taintCacheBypass, withPaymentTaint, PAYMENT_PRIMITIVES, Run402OutsideRequestContextError, } from "./runtime-context.js";
|
|
16
|
+
export type { RunRequestContext } from "./runtime-context.js";
|
|
12
17
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC3G,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,WAAW,EACX,gBAAgB,EAChB,eAAe,EACf,cAAc,GACf,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,YAAY,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,QAAQ,EACR,eAAe,EACf,YAAY,EAEZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC5E,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EACV,KAAK,EACL,qBAAqB,EACrB,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AAKpB,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC"}
|
package/dist/index.js
CHANGED
|
@@ -1,7 +1,17 @@
|
|
|
1
1
|
export { db, adminDb, QueryBuilder } from "./db.js";
|
|
2
|
-
export { getUser } from "./auth.js";
|
|
2
|
+
export { getUser, getUserId, getRole } from "./auth.js";
|
|
3
3
|
export { email } from "./email.js";
|
|
4
4
|
export { ai } from "./ai.js";
|
|
5
5
|
export { assets } from "./assets.js";
|
|
6
6
|
export { bytes, isRequest, json, routedHttp, text } from "./routed-http.js";
|
|
7
|
+
// Capability `astro-ssr-runtime` (v1.52).
|
|
8
|
+
// `cache.*` — sub-second admin-edit visibility via origin-side ISR
|
|
9
|
+
// cache invalidation. Server-side (function-context) only.
|
|
10
|
+
export { cache } from "./cache.js";
|
|
11
|
+
export { CacheInvalidationHostRequiredError, CacheInvalidationHostForbiddenError, } from "./cache.js";
|
|
12
|
+
// Runtime context primitives — used internally by SDK functions to read
|
|
13
|
+
// the current SSR request from AsyncLocalStorage. The SSR Lambda runtime
|
|
14
|
+
// (in @run402/astro) uses `runWithContext` to establish the store; user
|
|
15
|
+
// code typically does not import these directly.
|
|
16
|
+
export { als, getCurrentContext, runWithContext, requireActiveContext, taintCacheBypass, withPaymentTaint, PAYMENT_PRIMITIVES, Run402OutsideRequestContextError, } from "./runtime-context.js";
|
|
7
17
|
//# sourceMappingURL=index.js.map
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAExD,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAEnC,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAS7B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAgBrC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAO5E,0CAA0C;AAC1C,mEAAmE;AACnE,2DAA2D;AAC3D,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAOnC,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AACpB,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AACxE,iDAAiD;AACjD,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC"}
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Minimal HS256/HS512 JWT sign + verify built directly on `node:crypto`.
|
|
3
|
+
*
|
|
4
|
+
* Used internally by `@run402/functions` to verify project JWTs in
|
|
5
|
+
* `getUser`. Replaces a runtime dependency on the `jsonwebtoken` package
|
|
6
|
+
* (and its transitive tree `jws` / `jwa` / `ecdsa-sig-formatter` /
|
|
7
|
+
* `lodash.*` / `ms` / `semver` / `safe-buffer`), so this published SDK
|
|
8
|
+
* has zero crypto deps beyond `node:crypto`. The companion file in
|
|
9
|
+
* the private gateway package (`packages/gateway/src/lib/jwt.ts`) is
|
|
10
|
+
* intentionally a verbatim duplicate — the published SDK cannot pull
|
|
11
|
+
* from the workspace-private `@run402/shared`.
|
|
12
|
+
*/
|
|
13
|
+
export interface JwtPayload {
|
|
14
|
+
[key: string]: unknown;
|
|
15
|
+
iat?: number;
|
|
16
|
+
exp?: number;
|
|
17
|
+
nbf?: number;
|
|
18
|
+
iss?: string;
|
|
19
|
+
aud?: string | string[];
|
|
20
|
+
sub?: string;
|
|
21
|
+
jti?: string;
|
|
22
|
+
}
|
|
23
|
+
export type SupportedAlgorithm = "HS256" | "HS512";
|
|
24
|
+
export interface SignOptions {
|
|
25
|
+
algorithm?: SupportedAlgorithm;
|
|
26
|
+
expiresIn?: string | number;
|
|
27
|
+
noTimestamp?: boolean;
|
|
28
|
+
}
|
|
29
|
+
export interface VerifyOptions {
|
|
30
|
+
algorithms?: ReadonlyArray<SupportedAlgorithm>;
|
|
31
|
+
issuer?: string;
|
|
32
|
+
audience?: string | string[];
|
|
33
|
+
clockTolerance?: number;
|
|
34
|
+
}
|
|
35
|
+
export declare class JsonWebTokenError extends Error {
|
|
36
|
+
constructor(message: string);
|
|
37
|
+
}
|
|
38
|
+
export declare class TokenExpiredError extends JsonWebTokenError {
|
|
39
|
+
expiredAt: Date;
|
|
40
|
+
constructor(message: string, expiredAt: Date);
|
|
41
|
+
}
|
|
42
|
+
export declare class NotBeforeError extends JsonWebTokenError {
|
|
43
|
+
date: Date;
|
|
44
|
+
constructor(message: string, date: Date);
|
|
45
|
+
}
|
|
46
|
+
export declare function sign(payload: object, secret: string, options?: SignOptions): string;
|
|
47
|
+
export declare function verify<T = JwtPayload>(token: string, secret: string, options?: VerifyOptions): T;
|
|
48
|
+
export declare function decode<T = JwtPayload>(token: string): T | null;
|
|
49
|
+
declare const jwt: {
|
|
50
|
+
sign: typeof sign;
|
|
51
|
+
verify: typeof verify;
|
|
52
|
+
decode: typeof decode;
|
|
53
|
+
};
|
|
54
|
+
export default jwt;
|
|
55
|
+
//# sourceMappingURL=jwt.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/lib/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,WAAW,UAAU;IACzB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IACvB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,MAAM,kBAAkB,GAAG,OAAO,GAAG,OAAO,CAAC;AAEnD,MAAM,WAAW,WAAW;IAC1B,SAAS,CAAC,EAAE,kBAAkB,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5B,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,CAAC,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;IAC/C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,qBAAa,iBAAkB,SAAQ,KAAK;gBAC9B,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,iBAAkB,SAAQ,iBAAiB;IACtD,SAAS,EAAE,IAAI,CAAC;gBACJ,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI;CAK7C;AAED,qBAAa,cAAe,SAAQ,iBAAiB;IACnD,IAAI,EAAE,IAAI,CAAC;gBACC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI;CAKxC;AAqCD,wBAAgB,IAAI,CAClB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,WAAW,GACpB,MAAM,CAmCR;AAED,wBAAgB,MAAM,CAAC,CAAC,GAAG,UAAU,EACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,aAAa,GACtB,CAAC,CA4EH;AAED,wBAAgB,MAAM,CAAC,CAAC,GAAG,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,GAAG,IAAI,CAW9D;AAED,QAAA,MAAM,GAAG;;;;CAA2B,CAAC;AACrC,eAAe,GAAG,CAAC"}
|
package/dist/lib/jwt.js
ADDED
|
@@ -0,0 +1,196 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Minimal HS256/HS512 JWT sign + verify built directly on `node:crypto`.
|
|
3
|
+
*
|
|
4
|
+
* Used internally by `@run402/functions` to verify project JWTs in
|
|
5
|
+
* `getUser`. Replaces a runtime dependency on the `jsonwebtoken` package
|
|
6
|
+
* (and its transitive tree `jws` / `jwa` / `ecdsa-sig-formatter` /
|
|
7
|
+
* `lodash.*` / `ms` / `semver` / `safe-buffer`), so this published SDK
|
|
8
|
+
* has zero crypto deps beyond `node:crypto`. The companion file in
|
|
9
|
+
* the private gateway package (`packages/gateway/src/lib/jwt.ts`) is
|
|
10
|
+
* intentionally a verbatim duplicate — the published SDK cannot pull
|
|
11
|
+
* from the workspace-private `@run402/shared`.
|
|
12
|
+
*/
|
|
13
|
+
import { createHmac, timingSafeEqual } from "node:crypto";
|
|
14
|
+
export class JsonWebTokenError extends Error {
|
|
15
|
+
constructor(message) {
|
|
16
|
+
super(message);
|
|
17
|
+
this.name = "JsonWebTokenError";
|
|
18
|
+
}
|
|
19
|
+
}
|
|
20
|
+
export class TokenExpiredError extends JsonWebTokenError {
|
|
21
|
+
expiredAt;
|
|
22
|
+
constructor(message, expiredAt) {
|
|
23
|
+
super(message);
|
|
24
|
+
this.name = "TokenExpiredError";
|
|
25
|
+
this.expiredAt = expiredAt;
|
|
26
|
+
}
|
|
27
|
+
}
|
|
28
|
+
export class NotBeforeError extends JsonWebTokenError {
|
|
29
|
+
date;
|
|
30
|
+
constructor(message, date) {
|
|
31
|
+
super(message);
|
|
32
|
+
this.name = "NotBeforeError";
|
|
33
|
+
this.date = date;
|
|
34
|
+
}
|
|
35
|
+
}
|
|
36
|
+
function b64urlEncode(input) {
|
|
37
|
+
const buf = typeof input === "string" ? Buffer.from(input, "utf8") : input;
|
|
38
|
+
return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
|
|
39
|
+
}
|
|
40
|
+
function b64urlDecodeToBuffer(input) {
|
|
41
|
+
if (!/^[A-Za-z0-9_-]*$/.test(input))
|
|
42
|
+
throw new JsonWebTokenError("invalid token");
|
|
43
|
+
const norm = input.replace(/-/g, "+").replace(/_/g, "/");
|
|
44
|
+
const pad = norm.length % 4 === 0 ? "" : "=".repeat(4 - (norm.length % 4));
|
|
45
|
+
return Buffer.from(norm + pad, "base64");
|
|
46
|
+
}
|
|
47
|
+
const DURATION_RE = /^(-?\d+(?:\.\d+)?)\s*(s|sec|secs|seconds?|m|min|mins|minutes?|h|hr|hrs|hours?|d|days?|w|weeks?|y|years?)?$/i;
|
|
48
|
+
function parseDurationSeconds(input) {
|
|
49
|
+
if (typeof input === "number") {
|
|
50
|
+
if (!Number.isFinite(input))
|
|
51
|
+
throw new TypeError(`Invalid expiresIn: ${input}`);
|
|
52
|
+
return Math.floor(input);
|
|
53
|
+
}
|
|
54
|
+
const m = DURATION_RE.exec(input.trim());
|
|
55
|
+
if (!m)
|
|
56
|
+
throw new TypeError(`Invalid expiresIn duration: ${input}`);
|
|
57
|
+
const n = parseFloat(m[1]);
|
|
58
|
+
const unit = (m[2] ?? "s").toLowerCase();
|
|
59
|
+
if (unit.startsWith("y"))
|
|
60
|
+
return Math.floor(n * 31_557_600);
|
|
61
|
+
if (unit.startsWith("w"))
|
|
62
|
+
return Math.floor(n * 604_800);
|
|
63
|
+
if (unit.startsWith("d"))
|
|
64
|
+
return Math.floor(n * 86_400);
|
|
65
|
+
if (unit.startsWith("h"))
|
|
66
|
+
return Math.floor(n * 3_600);
|
|
67
|
+
if (unit === "m" || unit.startsWith("min"))
|
|
68
|
+
return Math.floor(n * 60);
|
|
69
|
+
return Math.floor(n);
|
|
70
|
+
}
|
|
71
|
+
function hmacForAlg(alg) {
|
|
72
|
+
return alg === "HS256" ? "sha256" : "sha512";
|
|
73
|
+
}
|
|
74
|
+
export function sign(payload, secret, options) {
|
|
75
|
+
const alg = options?.algorithm ?? "HS256";
|
|
76
|
+
if (alg !== "HS256" && alg !== "HS512") {
|
|
77
|
+
throw new JsonWebTokenError(`Unsupported algorithm: ${alg}`);
|
|
78
|
+
}
|
|
79
|
+
if (typeof secret !== "string" || secret.length === 0) {
|
|
80
|
+
throw new JsonWebTokenError("secretOrPrivateKey must be provided");
|
|
81
|
+
}
|
|
82
|
+
if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
|
|
83
|
+
throw new JsonWebTokenError("payload must be a plain object");
|
|
84
|
+
}
|
|
85
|
+
const claims = { ...payload };
|
|
86
|
+
const noTimestamp = options?.noTimestamp ?? false;
|
|
87
|
+
if (!noTimestamp && claims.iat === undefined) {
|
|
88
|
+
claims.iat = Math.floor(Date.now() / 1000);
|
|
89
|
+
}
|
|
90
|
+
if (options?.expiresIn !== undefined) {
|
|
91
|
+
if (claims.exp !== undefined) {
|
|
92
|
+
throw new JsonWebTokenError("Bad options.expiresIn option the payload already has an exp property");
|
|
93
|
+
}
|
|
94
|
+
const offset = parseDurationSeconds(options.expiresIn);
|
|
95
|
+
const iatRef = typeof claims.iat === "number" ? claims.iat : Math.floor(Date.now() / 1000);
|
|
96
|
+
claims.exp = iatRef + offset;
|
|
97
|
+
}
|
|
98
|
+
const header = { alg, typ: "JWT" };
|
|
99
|
+
const headerB64 = b64urlEncode(JSON.stringify(header));
|
|
100
|
+
const payloadB64 = b64urlEncode(JSON.stringify(claims));
|
|
101
|
+
const sig = createHmac(hmacForAlg(alg), secret)
|
|
102
|
+
.update(`${headerB64}.${payloadB64}`)
|
|
103
|
+
.digest();
|
|
104
|
+
return `${headerB64}.${payloadB64}.${b64urlEncode(sig)}`;
|
|
105
|
+
}
|
|
106
|
+
export function verify(token, secret, options) {
|
|
107
|
+
if (typeof token !== "string" || token.length === 0) {
|
|
108
|
+
throw new JsonWebTokenError("jwt must be provided");
|
|
109
|
+
}
|
|
110
|
+
if (typeof secret !== "string" || secret.length === 0) {
|
|
111
|
+
throw new JsonWebTokenError("secret must be provided");
|
|
112
|
+
}
|
|
113
|
+
const parts = token.split(".");
|
|
114
|
+
if (parts.length !== 3)
|
|
115
|
+
throw new JsonWebTokenError("jwt malformed");
|
|
116
|
+
const [headerB64, payloadB64, sigB64] = parts;
|
|
117
|
+
let header;
|
|
118
|
+
try {
|
|
119
|
+
header = JSON.parse(b64urlDecodeToBuffer(headerB64).toString("utf8"));
|
|
120
|
+
}
|
|
121
|
+
catch {
|
|
122
|
+
throw new JsonWebTokenError("invalid token");
|
|
123
|
+
}
|
|
124
|
+
const allowed = (options?.algorithms ?? ["HS256"]);
|
|
125
|
+
if (typeof header.alg !== "string" || !allowed.includes(header.alg)) {
|
|
126
|
+
throw new JsonWebTokenError("invalid algorithm");
|
|
127
|
+
}
|
|
128
|
+
if (header.alg !== "HS256" && header.alg !== "HS512") {
|
|
129
|
+
throw new JsonWebTokenError("invalid algorithm");
|
|
130
|
+
}
|
|
131
|
+
const expected = createHmac(hmacForAlg(header.alg), secret)
|
|
132
|
+
.update(`${headerB64}.${payloadB64}`)
|
|
133
|
+
.digest();
|
|
134
|
+
let got;
|
|
135
|
+
try {
|
|
136
|
+
got = b64urlDecodeToBuffer(sigB64);
|
|
137
|
+
}
|
|
138
|
+
catch {
|
|
139
|
+
throw new JsonWebTokenError("invalid signature");
|
|
140
|
+
}
|
|
141
|
+
if (got.length !== expected.length || !timingSafeEqual(got, expected)) {
|
|
142
|
+
throw new JsonWebTokenError("invalid signature");
|
|
143
|
+
}
|
|
144
|
+
let payload;
|
|
145
|
+
try {
|
|
146
|
+
payload = JSON.parse(b64urlDecodeToBuffer(payloadB64).toString("utf8"));
|
|
147
|
+
}
|
|
148
|
+
catch {
|
|
149
|
+
throw new JsonWebTokenError("invalid token");
|
|
150
|
+
}
|
|
151
|
+
if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
|
|
152
|
+
throw new JsonWebTokenError("invalid token");
|
|
153
|
+
}
|
|
154
|
+
const clockTolerance = options?.clockTolerance ?? 0;
|
|
155
|
+
const now = Math.floor(Date.now() / 1000);
|
|
156
|
+
if (typeof payload.exp === "number" && payload.exp + clockTolerance < now) {
|
|
157
|
+
throw new TokenExpiredError("jwt expired", new Date(payload.exp * 1000));
|
|
158
|
+
}
|
|
159
|
+
if (typeof payload.nbf === "number" && payload.nbf - clockTolerance > now) {
|
|
160
|
+
throw new NotBeforeError("jwt not active", new Date(payload.nbf * 1000));
|
|
161
|
+
}
|
|
162
|
+
if (options?.issuer !== undefined && payload.iss !== options.issuer) {
|
|
163
|
+
throw new JsonWebTokenError(`jwt issuer invalid. expected: ${options.issuer}`);
|
|
164
|
+
}
|
|
165
|
+
if (options?.audience !== undefined) {
|
|
166
|
+
const wantArr = Array.isArray(options.audience) ? options.audience : [options.audience];
|
|
167
|
+
const haveArr = Array.isArray(payload.aud)
|
|
168
|
+
? payload.aud
|
|
169
|
+
: payload.aud !== undefined
|
|
170
|
+
? [payload.aud]
|
|
171
|
+
: [];
|
|
172
|
+
if (!wantArr.some((w) => haveArr.includes(w))) {
|
|
173
|
+
throw new JsonWebTokenError("jwt audience invalid");
|
|
174
|
+
}
|
|
175
|
+
}
|
|
176
|
+
return payload;
|
|
177
|
+
}
|
|
178
|
+
export function decode(token) {
|
|
179
|
+
if (typeof token !== "string")
|
|
180
|
+
return null;
|
|
181
|
+
const parts = token.split(".");
|
|
182
|
+
if (parts.length !== 3)
|
|
183
|
+
return null;
|
|
184
|
+
try {
|
|
185
|
+
const decoded = JSON.parse(b64urlDecodeToBuffer(parts[1]).toString("utf8"));
|
|
186
|
+
if (decoded === null || typeof decoded !== "object" || Array.isArray(decoded))
|
|
187
|
+
return null;
|
|
188
|
+
return decoded;
|
|
189
|
+
}
|
|
190
|
+
catch {
|
|
191
|
+
return null;
|
|
192
|
+
}
|
|
193
|
+
}
|
|
194
|
+
const jwt = { sign, verify, decode };
|
|
195
|
+
export default jwt;
|
|
196
|
+
//# sourceMappingURL=jwt.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../src/lib/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AA4B1D,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,iBAAiB;IACtD,SAAS,CAAO;IAChB,YAAY,OAAe,EAAE,SAAe;QAC1C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,iBAAiB;IACnD,IAAI,CAAO;IACX,YAAY,OAAe,EAAE,IAAU;QACrC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;QAC7B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,SAAS,YAAY,CAAC,KAAsB;IAC1C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IAC3E,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC3F,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAa;IACzC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAClF,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IAC3E,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,EAAE,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,WAAW,GAAG,6GAA6G,CAAC;AAElI,SAAS,oBAAoB,CAAC,KAAsB;IAClD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,MAAM,IAAI,SAAS,CAAC,sBAAsB,KAAK,EAAE,CAAC,CAAC;QAChF,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IACD,MAAM,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC;QAAE,MAAM,IAAI,SAAS,CAAC,+BAA+B,KAAK,EAAE,CAAC,CAAC;IACpE,MAAM,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IACzC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,UAAU,CAAC,CAAC;IAC5D,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC;IACzD,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC;IACxD,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;IACvD,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACtE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,UAAU,CAAC,GAAuB;IACzC,OAAO,GAAG,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,IAAI,CAClB,OAAe,EACf,MAAc,EACd,OAAqB;IAErB,MAAM,GAAG,GAAuB,OAAO,EAAE,SAAS,IAAI,OAAO,CAAC;IAC9D,IAAI,GAAG,KAAK,OAAO,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;QACvC,MAAM,IAAI,iBAAiB,CAAC,0BAA0B,GAAG,EAAE,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,iBAAiB,CAAC,qCAAqC,CAAC,CAAC;IACrE,CAAC;IACD,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9E,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;IAChE,CAAC;IAED,MAAM,MAAM,GAA4B,EAAE,GAAI,OAAmC,EAAE,CAAC;IACpF,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,KAAK,CAAC;IAClD,IAAI,CAAC,WAAW,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC7C,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7C,CAAC;IACD,IAAI,OAAO,EAAE,SAAS,KAAK,SAAS,EAAE,CAAC;QACrC,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,iBAAiB,CACzB,sEAAsE,CACvE,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,oBAAoB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC3F,MAAM,CAAC,GAAG,GAAG,MAAM,GAAG,MAAM,CAAC;IAC/B,CAAC;IAED,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IACnC,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACvD,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;SAC5C,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;SACpC,MAAM,EAAE,CAAC;IACZ,OAAO,GAAG,SAAS,IAAI,UAAU,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,MAAM,CACpB,KAAa,EACb,MAAc,EACd,OAAuB;IAEvB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,iBAAiB,CAAC,sBAAsB,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,iBAAiB,CAAC,yBAAyB,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;IACrE,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC;IAE9C,IAAI,MAAwC,CAAC;IAC7C,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAGnE,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,OAAO,EAAE,UAAU,IAAI,CAAC,OAAO,CAAC,CAA0B,CAAC;IAC5E,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QACpE,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;QACrD,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,QAAQ,GAAG,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;SACxD,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;SACpC,MAAM,EAAE,CAAC;IACZ,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,QAAQ,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,OAAmB,CAAC;IACxB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAe,CAAC;IACxF,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAC/C,CAAC;IACD,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9E,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,cAAc,GAAG,OAAO,EAAE,cAAc,IAAI,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,cAAc,GAAG,GAAG,EAAE,CAAC;QAC1E,MAAM,IAAI,iBAAiB,CAAC,aAAa,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,cAAc,GAAG,GAAG,EAAE,CAAC;QAC1E,MAAM,IAAI,cAAc,CAAC,gBAAgB,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,OAAO,EAAE,MAAM,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;QACpE,MAAM,IAAI,iBAAiB,CAAC,iCAAiC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACjF,CAAC;IACD,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACxF,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC;YACxC,CAAC,CAAC,OAAO,CAAC,GAAG;YACb,CAAC,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS;gBACzB,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;gBACf,CAAC,CAAC,EAAE,CAAC;QACT,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9C,MAAM,IAAI,iBAAiB,CAAC,sBAAsB,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,OAAO,OAAY,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,MAAM,CAAiB,KAAa;IAClD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAY,CAAC;QACvF,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;QAC3F,OAAO,OAAY,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AACrC,eAAe,GAAG,CAAC"}
|
|
@@ -0,0 +1,152 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* SSR request context primitive — capability `functions-sdk-auth-model`.
|
|
3
|
+
*
|
|
4
|
+
* The SSR Lambda runtime establishes this context via `als.run(...)`
|
|
5
|
+
* BEFORE importing or executing the Astro server bundle (or any other
|
|
6
|
+
* user-supplied code). SDK functions that need request-scoped state
|
|
7
|
+
* (`db()`, `getUser()`, `cache.*`, `assets.*`, `email.*`, `ai.*`) read
|
|
8
|
+
* from `getCurrentContext()` rather than requiring explicit context
|
|
9
|
+
* parameters at the call site.
|
|
10
|
+
*
|
|
11
|
+
* The `active` flag exists because Node's AsyncLocalStorage propagates
|
|
12
|
+
* into timers, microtasks, and unawaited promises created inside
|
|
13
|
+
* `als.run()`. Without an explicit flag, a `setTimeout(() => db()..., 60_000)`
|
|
14
|
+
* scheduled inside a handler would, when the timer fires later, still
|
|
15
|
+
* observe an `als.getStore()` pointing at the (now-completed) request —
|
|
16
|
+
* leading to stale or incorrect SDK behavior. The SSR runtime sets
|
|
17
|
+
* `active.value = false` IMMEDIATELY after the response body is fully
|
|
18
|
+
* materialized; SDK functions check the flag and throw
|
|
19
|
+
* `R402_SDK_OUTSIDE_REQUEST_CONTEXT` when it's false.
|
|
20
|
+
*
|
|
21
|
+
* Likewise `cacheBypassTainted.value` is set to `true` by `getUser()`
|
|
22
|
+
* and payment-primitive SDK calls during render; the SSR runtime returns
|
|
23
|
+
* its final value to the gateway in the Lambda response metadata envelope
|
|
24
|
+
* (NOT via in-process ALS — the gateway runs in a different process).
|
|
25
|
+
*
|
|
26
|
+
* @see openspec/changes/astro-ssr-runtime/specs/functions-sdk-auth-model/spec.md
|
|
27
|
+
* @see openspec/changes/astro-ssr-runtime/specs/routed-http-functions/spec.md
|
|
28
|
+
*/
|
|
29
|
+
import { AsyncLocalStorage } from "node:async_hooks";
|
|
30
|
+
/** The shape stored in AsyncLocalStorage. See the spec referenced above
|
|
31
|
+
* for the canonical definition. */
|
|
32
|
+
export interface RunRequestContext {
|
|
33
|
+
/** Unique per-request id; matches `x-run402-request-id`. */
|
|
34
|
+
requestId: string;
|
|
35
|
+
projectId: string;
|
|
36
|
+
releaseId: string;
|
|
37
|
+
/** v1.49-negotiated locale string. `null` when the active release has
|
|
38
|
+
* no i18n slice. */
|
|
39
|
+
locale: string | null;
|
|
40
|
+
/** Echoed verbatim from the active release's `i18n.defaultLocale`,
|
|
41
|
+
* `null` when the release has no i18n slice. */
|
|
42
|
+
defaultLocale: string | null;
|
|
43
|
+
/** Validated host from the routed-function envelope — NOT the raw
|
|
44
|
+
* `Host` header. Cache-key host comes from here. */
|
|
45
|
+
host: string;
|
|
46
|
+
/** Request information SDK functions need (cookies for `getUser()`,
|
|
47
|
+
* url for invalidate path-form, etc.). Body is intentionally absent
|
|
48
|
+
* — user code reads body via the standard Web Request API passed to
|
|
49
|
+
* the handler. */
|
|
50
|
+
request: {
|
|
51
|
+
method: string;
|
|
52
|
+
url: string;
|
|
53
|
+
headers: Record<string, string | string[] | undefined>;
|
|
54
|
+
};
|
|
55
|
+
/** Mutable ref: SDK functions that read request-scoped auth or invoke
|
|
56
|
+
* payment primitives set `value = true`. The SSR Lambda runtime
|
|
57
|
+
* returns the final value to the gateway in the response metadata
|
|
58
|
+
* envelope. */
|
|
59
|
+
cacheBypassTainted: {
|
|
60
|
+
value: boolean;
|
|
61
|
+
};
|
|
62
|
+
/** Mutable ref: SSR runtime sets `value = false` after the response
|
|
63
|
+
* body has been fully materialized. SDK functions check this AND
|
|
64
|
+
* the store presence; either being false produces
|
|
65
|
+
* `R402_SDK_OUTSIDE_REQUEST_CONTEXT`. */
|
|
66
|
+
active: {
|
|
67
|
+
value: boolean;
|
|
68
|
+
};
|
|
69
|
+
}
|
|
70
|
+
/** The shared ALS instance. Modules in @run402/functions read from
|
|
71
|
+
* this; the SSR Lambda runtime (in @run402/astro) writes to it. */
|
|
72
|
+
export declare const als: AsyncLocalStorage<RunRequestContext>;
|
|
73
|
+
/**
|
|
74
|
+
* Read the current request context, or `undefined` if no SSR request
|
|
75
|
+
* is in flight. SDK functions check both this AND `active.value` to
|
|
76
|
+
* decide whether to honor the call.
|
|
77
|
+
*/
|
|
78
|
+
export declare function getCurrentContext(): RunRequestContext | undefined;
|
|
79
|
+
/**
|
|
80
|
+
* Establish a request context and run a callback inside it. The SSR
|
|
81
|
+
* Lambda runtime calls this exactly once per invocation, wrapping the
|
|
82
|
+
* full `App.render(request)` + body-materialization sequence.
|
|
83
|
+
*
|
|
84
|
+
* The `active` flag is set to `true` initially; the caller (the SSR
|
|
85
|
+
* runtime) flips it to `false` after the response body is materialized.
|
|
86
|
+
* Don't call this from user code — it's the runtime's primitive.
|
|
87
|
+
*/
|
|
88
|
+
export declare function runWithContext<T>(context: Omit<RunRequestContext, "cacheBypassTainted" | "active"> & Partial<Pick<RunRequestContext, "cacheBypassTainted" | "active">>, callback: () => Promise<T> | T): Promise<T> | T;
|
|
89
|
+
/**
|
|
90
|
+
* Throw a structured `R402_SDK_OUTSIDE_REQUEST_CONTEXT` error. Used by
|
|
91
|
+
* SDK functions when they're invoked with no ALS store OR while the
|
|
92
|
+
* context has been marked inactive.
|
|
93
|
+
*
|
|
94
|
+
* Per the api-error-envelope spec, the thrown error carries:
|
|
95
|
+
* - `code: 'R402_SDK_OUTSIDE_REQUEST_CONTEXT'`
|
|
96
|
+
* - `message`: names the SDK function and the cause
|
|
97
|
+
* - `suggestedFix`: recommends moving the call inside a handler OR
|
|
98
|
+
* not scheduling background work that outlives the response
|
|
99
|
+
* - `docs`: `https://docs.run402.com/sdk/errors#outside-request-context`
|
|
100
|
+
*/
|
|
101
|
+
export declare class Run402OutsideRequestContextError extends Error {
|
|
102
|
+
readonly code = "R402_SDK_OUTSIDE_REQUEST_CONTEXT";
|
|
103
|
+
readonly docs = "https://docs.run402.com/sdk/errors#outside-request-context";
|
|
104
|
+
readonly suggestedFix: string;
|
|
105
|
+
readonly sdkFunction: string;
|
|
106
|
+
readonly cause: "no_context" | "context_inactive";
|
|
107
|
+
constructor(sdkFunction: string, cause: "no_context" | "context_inactive");
|
|
108
|
+
}
|
|
109
|
+
/**
|
|
110
|
+
* Assert that a request context is active. Returns the context on
|
|
111
|
+
* success; throws `Run402OutsideRequestContextError` on failure.
|
|
112
|
+
*
|
|
113
|
+
* SDK functions call this as the first line, e.g.:
|
|
114
|
+
*
|
|
115
|
+
* const ctx = requireActiveContext("db");
|
|
116
|
+
* // use ctx.projectId, ctx.request.headers, etc.
|
|
117
|
+
*/
|
|
118
|
+
export declare function requireActiveContext(sdkFunction: string): RunRequestContext;
|
|
119
|
+
/**
|
|
120
|
+
* Flip the cache-bypass taint flag on the current context. Called by
|
|
121
|
+
* `getUser()` and payment-primitive SDK calls to signal that the
|
|
122
|
+
* rendered response depends on request-scoped auth state and therefore
|
|
123
|
+
* MUST NOT be cached publicly.
|
|
124
|
+
*
|
|
125
|
+
* No-op if there is no active context (rather than throwing — the taint
|
|
126
|
+
* is moot when there's no cache layer to inform).
|
|
127
|
+
*/
|
|
128
|
+
export declare function taintCacheBypass(): void;
|
|
129
|
+
/**
|
|
130
|
+
* Canonical registry of SDK functions that are "payment primitives" for
|
|
131
|
+
* cache-taint purposes. Calling any of these inside an active request
|
|
132
|
+
* context MUST flip `cacheBypassTainted.value = true`. The set is
|
|
133
|
+
* defined here so the spec, runtime, and docs share one source of truth.
|
|
134
|
+
*
|
|
135
|
+
* To add a new payment primitive: append to this set AND ensure the
|
|
136
|
+
* function's implementation calls `taintCacheBypass()` on every entry.
|
|
137
|
+
*
|
|
138
|
+
* @see openspec/changes/astro-ssr-runtime/specs/functions-sdk-auth-model/spec.md
|
|
139
|
+
*/
|
|
140
|
+
export declare const PAYMENT_PRIMITIVES: ReadonlySet<string>;
|
|
141
|
+
/**
|
|
142
|
+
* Helper for payment-primitive implementations. Wraps the body in a
|
|
143
|
+
* taint-on-entry call so the registry contract is enforced at the
|
|
144
|
+
* SDK layer rather than relying on each implementation to remember.
|
|
145
|
+
*
|
|
146
|
+
* Example:
|
|
147
|
+
* export const requirePayment = withPaymentTaint("payments.require", async (opts) => {
|
|
148
|
+
* // ... actual implementation
|
|
149
|
+
* });
|
|
150
|
+
*/
|
|
151
|
+
export declare function withPaymentTaint<TArgs extends unknown[], TReturn>(name: string, impl: (...args: TArgs) => TReturn): (...args: TArgs) => TReturn;
|
|
152
|
+
//# sourceMappingURL=runtime-context.d.ts.map
|