@run402/functions 2.7.0 → 3.0.0
- package/dist/auth/errors.d.ts +89 -0
- package/dist/auth/errors.d.ts.map +1 -0
- package/dist/auth/errors.js +170 -0
- package/dist/auth/errors.js.map +1 -0
- package/dist/auth/index.d.ts +98 -0
- package/dist/auth/index.d.ts.map +1 -0
- package/dist/auth/index.js +453 -0
- package/dist/auth/index.js.map +1 -0
- package/dist/auth/types.d.ts +58 -0
- package/dist/auth/types.d.ts.map +1 -0
- package/dist/auth/types.js +13 -0
- package/dist/auth/types.js.map +1 -0
- package/dist/auth/url-validation.d.ts +31 -0
- package/dist/auth/url-validation.d.ts.map +1 -0
- package/dist/auth/url-validation.js +83 -0
- package/dist/auth/url-validation.js.map +1 -0
- package/dist/auth.d.ts +25 -50
- package/dist/auth.d.ts.map +1 -1
- package/dist/auth.js +34 -103
- package/dist/auth.js.map +1 -1
- package/dist/db.d.ts.map +1 -1
- package/dist/db.js +40 -0
- package/dist/db.js.map +1 -1
- package/dist/index.d.ts +6 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +18 -0
- package/dist/index.js.map +1 -1
- package/dist/lib/actor-context-verify.d.ts +95 -0
- package/dist/lib/actor-context-verify.d.ts.map +1 -0
- package/dist/lib/actor-context-verify.js +200 -0
- package/dist/lib/actor-context-verify.js.map +1 -0
- package/dist/runtime-context.d.ts +14 -1
- package/dist/runtime-context.d.ts.map +1 -1
- package/dist/runtime-context.js +60 -0
- package/dist/runtime-context.js.map +1 -1
- package/dist/verify-webhook.d.ts +71 -0
- package/dist/verify-webhook.d.ts.map +1 -0
- package/dist/verify-webhook.js +147 -0
- package/dist/verify-webhook.js.map +1 -0
- package/package.json +2 -2
|
@@ -0,0 +1,83 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* `auth.fetch` URL validation.
|
|
3
|
+
*
|
|
4
|
+
* Synchronous before-network checks: the URL is rejected (sync throw)
|
|
5
|
+
* before any network I/O if it's not safely same-origin. The set of
|
|
6
|
+
* rejected shapes is enumerated by the spec — we mirror it verbatim:
|
|
7
|
+
*
|
|
8
|
+
* - Cross-origin absolute URLs
|
|
9
|
+
* - URLs with embedded credentials (`http://user:pass@host/...`)
|
|
10
|
+
* - Non-HTTP(S) schemes (`javascript:`, `data:`, `file:`, etc.)
|
|
11
|
+
* - Protocol-relative URLs (`//evil.example/...`)
|
|
12
|
+
* - Subdomain-spoof patterns (`https://app.run402.app.evil.example/...`)
|
|
13
|
+
* - Port-mismatch against the current request origin
|
|
14
|
+
*
|
|
15
|
+
* Same-origin normalisation: scheme, host, and default-port comparisons
|
|
16
|
+
* use `URL.origin`, which strips `:80` for http and `:443` for https.
|
|
17
|
+
*
|
|
18
|
+
* @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
|
|
19
|
+
*/
|
|
20
|
+
const SAFE_SCHEMES = new Set(["http:", "https:"]);
|
|
21
|
+
export function validateAuthFetchInput(input, ctx) {
|
|
22
|
+
// Reject Request objects with cross-origin url. We don't accept Request
|
|
23
|
+
// here because `auth.fetch` is the canonical surface for same-origin
|
|
24
|
+
// SSR fetches; the Request escape hatch could carry headers / credentials
|
|
25
|
+
// / redirect modes that bypass our policy.
|
|
26
|
+
if (typeof input === "object" && input !== null && "url" in input && typeof input.url === "string") {
|
|
27
|
+
// Caller passed a Request — extract the URL string and run it
|
|
28
|
+
// through the same validation. Same with URL object.
|
|
29
|
+
return validateAuthFetchInput(input.url, ctx);
|
|
30
|
+
}
|
|
31
|
+
if (input instanceof URL) {
|
|
32
|
+
return validateAuthFetchInput(input.toString(), ctx);
|
|
33
|
+
}
|
|
34
|
+
if (typeof input !== "string") {
|
|
35
|
+
return { ok: false, reason: "URL must be a string, URL, or Request" };
|
|
36
|
+
}
|
|
37
|
+
const raw = input;
|
|
38
|
+
if (raw.length === 0) {
|
|
39
|
+
return { ok: false, reason: "URL is empty" };
|
|
40
|
+
}
|
|
41
|
+
// Protocol-relative reject — `//host/path` resolves to the current
|
|
42
|
+
// origin's scheme, but a server-side fetch has no implicit origin
|
|
43
|
+
// when there's no document; the spec treats it as a smell.
|
|
44
|
+
if (raw.startsWith("//")) {
|
|
45
|
+
return { ok: false, reason: "protocol-relative URLs are not allowed" };
|
|
46
|
+
}
|
|
47
|
+
// Path-only / relative URLs (no scheme) are the happy path. We resolve
|
|
48
|
+
// them against the request origin and let the URL constructor reject
|
|
49
|
+
// any structural garbage.
|
|
50
|
+
if (!/^[a-z][a-z0-9+\-.]*:/i.test(raw)) {
|
|
51
|
+
let absolute;
|
|
52
|
+
try {
|
|
53
|
+
absolute = new URL(raw, ctx.requestOrigin);
|
|
54
|
+
}
|
|
55
|
+
catch {
|
|
56
|
+
return { ok: false, reason: "invalid relative URL" };
|
|
57
|
+
}
|
|
58
|
+
return { ok: true, normalized: absolute };
|
|
59
|
+
}
|
|
60
|
+
// Absolute URL — parse and validate.
|
|
61
|
+
let url;
|
|
62
|
+
try {
|
|
63
|
+
url = new URL(raw);
|
|
64
|
+
}
|
|
65
|
+
catch {
|
|
66
|
+
return { ok: false, reason: "invalid absolute URL" };
|
|
67
|
+
}
|
|
68
|
+
if (!SAFE_SCHEMES.has(url.protocol)) {
|
|
69
|
+
return { ok: false, reason: `scheme ${url.protocol} is not http(s)` };
|
|
70
|
+
}
|
|
71
|
+
if (url.username !== "" || url.password !== "") {
|
|
72
|
+
return { ok: false, reason: "URL contains embedded credentials" };
|
|
73
|
+
}
|
|
74
|
+
if (url.origin !== ctx.requestOrigin) {
|
|
75
|
+
// Subdomain-spoof guard: even if the host string contains the
|
|
76
|
+
// expected hostname as a substring (e.g.
|
|
77
|
+
// `app.run402.app.evil.example`), URL.origin compares the full
|
|
78
|
+
// host+port+scheme, so this is correct.
|
|
79
|
+
return { ok: false, reason: "cross-origin URLs are not allowed" };
|
|
80
|
+
}
|
|
81
|
+
return { ok: true, normalized: url };
|
|
82
|
+
}
|
|
83
|
+
//# sourceMappingURL=url-validation.js.map
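Review bot: The relative branch of `validateAuthFetchInput` returns `{ ok: true, normalized: absolute }` without comparing `absolute.origin` to `ctx.requestOrigin`, so the same-origin guarantee there rests entirely on the `startsWith("//")` test and the scheme regex, both run on the raw string. The WHATWG parser behind `new URL(raw, ctx.requestOrigin)` normalises its input before parsing (it trims surrounding whitespace, drops tabs and newlines, and treats backslashes as slashes for http(s)), so a string can pass both textual checks and still resolve to another host or carry credentials. Resolve first and then apply the scheme, credential and origin checks to the parsed result in both branches; at minimum add `if (absolute.origin !== ctx.requestOrigin) return { ok: false, reason: "cross-origin URLs are not allowed" };` before the success return. Separately, the opening comment says Request objects are rejected, while the code accepts them and validates only `input.url`; the comment should say so, and note that the Request's own headers and redirect mode are not inspected here.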
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"url-validation.js","sourceRoot":"","sources":["../../src/auth/url-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAUH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AAElD,MAAM,UAAU,sBAAsB,CACpC,KAAwB,EACxB,GAAyB;IAEzB,wEAAwE;IACxE,qEAAqE;IACrE,0EAA0E;IAC1E,2CAA2C;IAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,IAAI,KAAK,IAAI,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnG,8DAA8D;QAC9D,qDAAqD;QACrD,OAAO,sBAAsB,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,KAAK,YAAY,GAAG,EAAE,CAAC;QACzB,OAAO,sBAAsB,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,GAAG,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAC;IACxE,CAAC;IAED,MAAM,GAAG,GAAG,KAAK,CAAC;IAClB,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAC/C,CAAC;IAED,mEAAmE;IACnE,kEAAkE;IAClE,2DAA2D;IAC3D,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,wCAAwC,EAAE,CAAC;IACzE,CAAC;IAED,uEAAuE;IACvE,qEAAqE;IACrE,0BAA0B;IAC1B,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACvC,IAAI,QAAa,CAAC;QAClB,IAAI,CAAC;YACH,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,aAAa,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;QACvD,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;IAC5C,CAAC;IAED,qCAAqC;IACrC,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IACvD,CAAC;IAED,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,GAAG,CAAC,QAAQ,iBAAiB,EAAE,CAAC;IACxE,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,EAAE,IAAI,GAAG,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;QAC/C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IACpE,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,aAAa,EAAE,CAAC;QACrC,8DA
A8D;QAC9D,yCAAyC;QACzC,+DAA+D;QAC/D,wCAAwC;QACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IACpE,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;AACvC,CAAC"}
|
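--- a/package/dist/auth.d.ts
+++ b/package/dist/auth.d.ts
@@ -1,57 +1,32 @@
-export interface User {
-id: string;
-role: string;
-email: string;
-}
 /**
-*
-* Returns { id, role, email } or null if unauthenticated/invalid.
+* Legacy auth exports — throwing sentinels.
 *
-*
-* `
-*
-*
-*/
-export declare function getUser(req?: Request): User | null;
-/**
-* Read the gate-resolved user id from the request.
+* **REMOVED in v3.0 (auth-aware-ssr).** `getUser`, `getUserId`, and
+* `getRole` are no longer working exports — they throw
+* `R402_AUTH_UNKNOWN_EXPORT` with a structured fix-it pointing at the
+* canonical `auth.*` namespace.
 *
-*
-*
-*
-*
-* before
+* ESM named imports (`import { getUser } from "@run402/functions"`)
+* can't be intercepted by a Proxy; the only way to fail loudly on
+* runtime usage is to ship a sentinel function. The `run402 doctor`
+* source scanner (public repo CLI) and the `@run402/astro` ESLint rule
+* catch the import before runtime; this file is the last line of defense
+* for code that bypasses both.
 *
-*
-*
-* Lambda invoke). For gated functions reached through the gateway, the
-* value is non-null by construction.
+* The legacy `User` type is preserved as an alias of `Actor` for any
+* stragglers — but accessing the throwing sentinels at runtime fails.
 *
-*
-* the JWT directly. The two layers are independent: a function with
-* only `requireRole` runs the role lookup against the project's
-* `members` table via gateway-side RLS-bypass; user code does not
-* need to re-decode the JWT.
+* @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
 */
-export
-
-
-
-
-
-
-
-
-
-
-*
-* Returns `null` when no `requireRole` gate ran on this dispatch
-* (function has only `requireAuth`, no gate at all, or is invoked
-* outside the gateway).
-*
-* This is the application role, NOT the JWT role from
-* {@link getUser}. The two are independent — see the JSDoc on
-* `getUser` for the distinction.
-*/
-export declare function getRole(req?: Request): string | null;
+export type User = {
+id: string;
+role: string;
+email: string;
+};
+/** @deprecated Removed in `@run402/functions` v3.0. Use `auth.user()` or `auth.requireUser()`. */
+export declare function getUser(_req?: Request): never;
+/** @deprecated Removed in `@run402/functions` v3.0. Use `(await auth.user())?.id` or `(await auth.requireUser()).id`. */
+export declare function getUserId(_req?: Request): never;
+/** @deprecated Removed in `@run402/functions` v3.0. Use `auth.requireRole(role)`. */
+export declare function getRole(_req?: Request): never;
 //# sourceMappingURL=auth.d.ts.map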
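Review bot: The header comment says the legacy `User` type is "preserved as an alias of `Actor`", but the declaration on new lines 21–25 is a standalone object type with `id`, `role` and `email`, and nothing in this file references `Actor`. If the two shapes diverge, code still typed against `User` may stop matching what the `auth.*` calls return without any compile error pointing at the cause. Either declare the alias the comment promises, `export type User = Actor;` with a type-only import, or reword the comment to say the type is kept as a standalone legacy shape.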
package/dist/auth.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAIH,MAAM,MAAM,IAAI,GAAG;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAE/D,kGAAkG;AAClG,wBAAgB,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAK7C;AAED,yHAAyH;AACzH,wBAAgB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAK/C;AAED,qFAAqF;AACrF,wBAAgB,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAK7C"}
|
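--- a/package/dist/auth.js
+++ b/package/dist/auth.js
@@ -1,112 +1,43 @@
-import jwt from "./lib/jwt.js";
-import { config } from "./config.js";
-import { getCurrentContext, taintCacheBypass } from "./runtime-context.js";
 /**
-*
-* Returns { id, role, email } or null if unauthenticated/invalid.
+* Legacy auth exports — throwing sentinels.
 *
-*
-* `
-*
-*
-*/
-export function getUser(req) {
-// Capability `astro-ssr-runtime` (v1.52). Taint the cache-bypass flag
-// on the active request context, regardless of whether `getUser`
-// resolves to a user or null — the response now depends on per-request
-// auth state and MUST NOT be cached publicly.
-taintCacheBypass();
-// If no `req` was passed, read auth from the ALS context (the SSR
-// Lambda runtime's `runWithContext` populates `request.headers`).
-// This is what makes `await getUser()` work naturally inside Astro
-// `[slug].astro` frontmatter without any explicit plumbing.
-let authHeader;
-if (req !== undefined) {
-authHeader =
-typeof req.headers.get === "function"
-? req.headers.get("authorization")
-: req.headers?.authorization;
-}
-else {
-const ctx = getCurrentContext();
-if (ctx === undefined)
-return null;
-const h = ctx.request.headers;
-const raw = h["authorization"] ?? h["Authorization"];
-authHeader = Array.isArray(raw) ? raw[0] : raw;
-}
-if (!authHeader || !authHeader.startsWith("Bearer "))
-return null;
-const token = authHeader.slice(7);
-try {
-const payload = jwt.verify(token, config.JWT_SECRET);
-if (payload.project_id !== config.PROJECT_ID)
-return null;
-return { id: payload.sub, role: payload.role, email: payload.email };
-}
-catch {
-return null;
-}
-}
-/**
-* Read the gate-resolved user id from the request.
+* **REMOVED in v3.0 (auth-aware-ssr).** `getUser`, `getUserId`, and
+* `getRole` are no longer working exports — they throw
+* `R402_AUTH_UNKNOWN_EXPORT` with a structured fix-it pointing at the
+* canonical `auth.*` namespace.
 *
-*
-*
-*
-*
-* before
+* ESM named imports (`import { getUser } from "@run402/functions"`)
+* can't be intercepted by a Proxy; the only way to fail loudly on
+* runtime usage is to ship a sentinel function. The `run402 doctor`
+* source scanner (public repo CLI) and the `@run402/astro` ESLint rule
+* catch the import before runtime; this file is the last line of defense
+* for code that bypasses both.
 *
-*
-*
-* Lambda invoke). For gated functions reached through the gateway, the
-* value is non-null by construction.
+* The legacy `User` type is preserved as an alias of `Actor` for any
+* stragglers — but accessing the throwing sentinels at runtime fails.
 *
-*
-* the JWT directly. The two layers are independent: a function with
-* only `requireRole` runs the role lookup against the project's
-* `members` table via gateway-side RLS-bypass; user code does not
-* need to re-decode the JWT.
+* @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
 */
-
-
-
-
-
-
-
-if (Array.isArray(raw))
-return raw[0] ?? null;
-return raw ?? null;
+import { UnknownExportError } from "./auth/errors.js";
+/** @deprecated Removed in `@run402/functions` v3.0. Use `auth.user()` or `auth.requireUser()`. */
+export function getUser(_req) {
+throw new UnknownExportError({
+attemptedName: "getUser",
+canonicalName: "auth.user() / auth.requireUser()",
+});
 }
-/**
-
-
-
-
-
-
-
-
-
-
-
-
-* outside the gateway).
-*
-* This is the application role, NOT the JWT role from
-* {@link getUser}. The two are independent — see the JSDoc on
-* `getUser` for the distinction.
-*/
-export function getRole(req) {
-if (req !== undefined)
-return req.headers.get("x-run402-user-role");
-const ctx = getCurrentContext();
-if (ctx === undefined)
-return null;
-const raw = ctx.request.headers["x-run402-user-role"];
-if (Array.isArray(raw))
-return raw[0] ?? null;
-return raw ?? null;
+/** @deprecated Removed in `@run402/functions` v3.0. Use `(await auth.user())?.id` or `(await auth.requireUser()).id`. */
+export function getUserId(_req) {
+throw new UnknownExportError({
+attemptedName: "getUserId",
+canonicalName: "(await auth.user())?.id",
+});
+}
+/** @deprecated Removed in `@run402/functions` v3.0. Use `auth.requireRole(role)`. */
+export function getRole(_req) {
+throw new UnknownExportError({
+attemptedName: "getRole",
+canonicalName: "auth.requireRole(role)",
+});
 }
 //# sourceMappingURL=auth.js.map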
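Review bot: The `getUserId` sentinel's `canonicalName` names only `(await auth.user())?.id`, while its own `@deprecated` tag also lists `(await auth.requireUser()).id`. The removed documentation described the old value as non-null for gated functions reached through the gateway, so a migration that follows the thrown message alone may swap a guaranteed id for one that can be `undefined` without failing. Suggest `canonicalName: "(await auth.user())?.id / (await auth.requireUser()).id",` so the runtime fix-it matches the JSDoc, as the `getUser` sentinel already does by listing both forms.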
package/dist/auth.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAItD,kGAAkG;AAClG,MAAM,UAAU,OAAO,CAAC,IAAc;IACpC,MAAM,IAAI,kBAAkB,CAAC;QAC3B,aAAa,EAAE,SAAS;QACxB,aAAa,EAAE,kCAAkC;KAClD,CAAC,CAAC;AACL,CAAC;AAED,yHAAyH;AACzH,MAAM,UAAU,SAAS,CAAC,IAAc;IACtC,MAAM,IAAI,kBAAkB,CAAC;QAC3B,aAAa,EAAE,WAAW;QAC1B,aAAa,EAAE,yBAAyB;KACzC,CAAC,CAAC;AACL,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,OAAO,CAAC,IAAc;IACpC,MAAM,IAAI,kBAAkB,CAAC;QAC3B,aAAa,EAAE,SAAS;QACxB,aAAa,EAAE,wBAAwB;KACxC,CAAC,CAAC;AACL,CAAC"}
|
package/dist/db.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAIA,UAAU,gBAAgB;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,YAAY;;gBASX,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB;IAOjD,MAAM,CAAC,OAAO,SAAM,GAAG,IAAI;IAK3B,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK3C,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK5C,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,GAAG,IAAI;IAKrD,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,SAAgB,EAAE;;KAAK,GAAG,IAAI;IAKtD,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK1B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK3B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;IAMvE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAM3C,MAAM,IAAI,IAAI;IAKd,IAAI,CACF,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,IAAI,EACnD,MAAM,EAAE,CAAC,MAAM,EAAE,KAAK,KAAK,IAAI,GAC9B,IAAI;CA6BR;AAwDD,UAAU,cAAc;IACtB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,cAAc,CAkBhD;AAED,UAAU,aAAa;IACrB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IAClC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;CAC5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA+BvC"}
|
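--- a/package/dist/db.js
+++ b/package/dist/db.js
@@ -1,5 +1,6 @@
 import { config } from "./config.js";
 import { getCurrentContext } from "./runtime-context.js";
+import jwt from "./lib/jwt.js";
 export class QueryBuilder {
 #table;
 #params = new URLSearchParams();
@@ -116,6 +117,45 @@ function extractAuthFromAls() {
 const ctx = getCurrentContext();
 if (ctx === undefined)
 return undefined;
+// v3.0 (auth-aware-ssr): if a verified actor is present on the runtime
+// context, mint a short-lived JWT carrying the actor's claims so the
+// gateway's PostgREST proxy → pre_request hook → RLS pipeline sees the
+// browser-cookie actor identically to a Bearer-JWT call. The mint is
+// SDK-side because the cookie itself is `__Host-` scoped to the
+// browser origin and never forwarded server-to-server (D13 forbids
+// cookie forwarding). The pepper-isolated session secret stays in the
+// DB; the JWT carries only the actor's already-validated claims, signed
+// with the same JWT_SECRET PostgREST verifies against.
+if (ctx.actor && config.JWT_SECRET) {
+const nowSec = Math.floor(Date.now() / 1000);
+const claims = {
+sub: ctx.actor.id,
+role: "authenticated",
+email: ctx.actor.email,
+project_id: ctx.projectId,
+iss: "agentdb",
+amr: ctx.actor.amr,
+auth_time: ctx.actor.authTime,
+aal: ctx.actor.amr.includes("passkey") ? "aal2" : "aal1",
+session_id: ctx.actor.sessionId,
+authz_version: ctx.actor.authzVersion,
+iat: nowSec,
+// 60-second TTL — long enough for the request + retry budget,
+// short enough that exfiltration provides no value.
+exp: nowSec + 60,
+};
+try {
+return `Bearer ${jwt.sign(claims, config.JWT_SECRET)}`;
+}
+catch {
+// Fall through to header forwarding below. JWT signing should not
+// realistically fail with a present secret; if it does, we want
+// the request to proceed anonymously rather than 500.
+}
+}
+// Fallback: forward whatever Authorization the inbound request carried.
+// This is the v2.x behavior — preserved for explicit Bearer flows
+// (mobile, server-to-server) where the caller already has a JWT.
 const headers = ctx.request.headers;
 const raw = headers["authorization"] ?? headers["Authorization"];
 if (Array.isArray(raw))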
package/dist/db.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;
|
|
1
|
+
{"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,GAAG,MAAM,cAAc,CAAC;AAQ/B,MAAM,OAAO,YAAY;IACvB,MAAM,CAAS;IACf,OAAO,GAAG,IAAI,eAAe,EAAE,CAAC;IAChC,OAAO,GAAG,KAAK,CAAC;IAChB,KAAK,GAAY,SAAS,CAAC;IAC3B,OAAO,CAAS;IAChB,cAAc,CAAqB;IACnC,SAAS,CAAS;IAElB,YAAY,KAAa,EAAE,IAAsB;QAC/C,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,GAAG;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,MAAc,EAAE,OAAe;QAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,OAAO,EAAE,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,OAAe;QACnC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,MAA2B;QAC5C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE;QAC
7C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAa;QACjB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAAyD;QAC9D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAA6B;QAClC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM;QACJ,IAAI,CAAC,OAAO,GAAG,QAAQ,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CACF,OAAmD,EACnD,MAA+B;QAE/B,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAEtF,MAAM,OAAO,GAA2B;YACtC,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,uBAAuB;SAChC,CAAC;QACF,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,cAAc,CAAC;QAC9C,CAAC;QAED,KAAK,CAAC,GAAG,EAAE;YACT,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1D,CAAC;aACC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YAClB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC,CAAC;gBACjE,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAiC,CAAC,CAAC;QAC7C,CAAC,CAAC;aACD,KAAK,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC;CACF;AAED,SAAS,WAAW,CAAC,GAAY;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClF,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,kBAA
kB;IACzB,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAExC,uEAAuE;IACvE,qEAAqE;IACrE,uEAAuE;IACvE,qEAAqE;IACrE,gEAAgE;IAChE,mEAAmE;IACnE,sEAAsE;IACtE,wEAAwE;IACxE,uDAAuD;IACvD,IAAI,GAAG,CAAC,KAAK,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG;YACb,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE;YACjB,IAAI,EAAE,eAAwB;YAC9B,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,KAAK;YACtB,UAAU,EAAE,GAAG,CAAC,SAAS;YACzB,GAAG,EAAE,SAAkB;YACvB,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG;YAClB,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ;YAC7B,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAE,MAAgB,CAAC,CAAC,CAAE,MAAgB;YAC9E,UAAU,EAAE,GAAG,CAAC,KAAK,CAAC,SAAS;YAC/B,aAAa,EAAE,GAAG,CAAC,KAAK,CAAC,YAAY;YACrC,GAAG,EAAE,MAAM;YACX,8DAA8D;YAC9D,oDAAoD;YACpD,GAAG,EAAE,MAAM,GAAG,EAAE;SACjB,CAAC;QACF,IAAI,CAAC;YACH,OAAO,UAAU,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;YAClE,gEAAgE;YAChE,sDAAsD;QACxD,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,kEAAkE;IAClE,iEAAiE;IACjE,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;IACtC,OAAO,GAAG,IAAI,SAAS,CAAC;AAC1B,CAAC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,EAAE,CAAC,GAAa;IAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,2DAA2D;YACzD,oEAAoE,CACvE,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,EAAE,CAAC;IAClF,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,OAAO;gBACf,aAAa;gBACb,QAAQ,EAAE,UAAU;aACrB,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAOD;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO;IACrB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC;IACtC,OAAO;Q
ACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,UAAU;gBAClB,aAAa,EAAE,UAAU,UAAU,EAAE;gBACrC,QAAQ,EAAE,gBAAgB;aAC3B,CAAC,CAAC;QACL,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,KAAa,EAAE,MAAkB;YACzC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,sBAAsB,MAAM,CAAC,UAAU,MAAM,CAAC;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;YAC7D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,UAAU,EAAE;oBACrC,cAAc,EAAE,SAAS,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,YAAY;iBAC9D;gBACD,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK;aACjE,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,cAAc,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,GAAG,CAAC,IAAI,EAAwC,CAAC;QAC1D,CAAC;KACF,CAAC;AACJ,CAAC"}
|
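--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,11 +1,17 @@
 export { db, adminDb, QueryBuilder } from "./db.js";
 export { getUser, getUserId, getRole } from "./auth.js";
 export type { User } from "./auth.js";
+export { auth } from "./auth/index.js";
+export type { Actor, IdentityProof } from "./auth/index.js";
+export { Run402AuthError, AuthRequiredError, InsufficientRoleError, InsufficientMembershipError, FreshnessRequiredError, FetchAbsoluteUrlError, PrerenderedError, UnknownExportError, SessionBridgeUnverifiedError, IdentityLinkConflictError, UnknownIdentityError, } from "./auth/index.js";
+export { getSession, currentUser, getCurrentUser, getServerSession } from "./auth/index.js";
 export { email } from "./email.js";
 export type { EmailSendOptions, EmailRawOptions, EmailTemplateOptions, EmailSendResult } from "./email.js";
 export { ai } from "./ai.js";
 export type { GenerateImageOptions, GenerateImageResult, ImageAspect, TranslateOptions, TranslateResult, ModerateResult, } from "./ai.js";
 export { assets } from "./assets.js";
+export { verifyWebhook } from "./verify-webhook.js";
+export type { VerifyWebhookOptions, VerifyWebhookResult, HeadersLike } from "./verify-webhook.js";
 export { getRun402Context } from "./request-context.js";
 export type { Run402RequestContext } from "./request-context.js";
 export type { AssetPutOptions, AssetPutSource, AssetPutSourceInput, AssetRef, AssetVisibility, AssetVariant, AssetListRow, AssetsListFilter, AssetsListOptions, AssetsListResult, AssetsListSort, ImageInfo, } from "./assets.js";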
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAQtC,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AACvC,YAAY,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,EAClB,4BAA4B,EAC5B,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AAMzB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC3G,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,WAAW,EACX,gBAAgB,EAChB,eAAe,EACf,cAAc,GACf,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAIrC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAMlG,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,YAAY,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AACjE,YAAY,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,QAAQ,EACR,eAAe,EACf,YAAY,EAEZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC5E,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EACV,KAAK,EACL,qBAAqB,EACrB,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AAKpB,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC"}
|
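--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1,8 +1,26 @@
 export { db, adminDb, QueryBuilder } from "./db.js";
 export { getUser, getUserId, getRole } from "./auth.js";
+// Capability `auth-aware-ssr` (v3.0). The canonical server-side auth
+// namespace. `auth.user()` / `auth.requireUser()` / `auth.requireRole(...)`
+// / `auth.requireMembership(...)` / `auth.requireFresh({...})` /
+// `auth.fetch(...)` / `auth.csrfField()` / `auth.sessions.*` /
+// `auth.identities.link(...)` are the only documented identity surfaces.
+// See openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md.
+export { auth } from "./auth/index.js";
+export { Run402AuthError, AuthRequiredError, InsufficientRoleError, InsufficientMembershipError, FreshnessRequiredError, FetchAbsoluteUrlError, PrerenderedError, UnknownExportError, SessionBridgeUnverifiedError, IdentityLinkConflictError, UnknownIdentityError, } from "./auth/index.js";
+// Throwing-sentinel exports for the top legacy bare-name imports. These
+// fire `R402_AUTH_UNKNOWN_EXPORT` at runtime with a structured fix-it,
+// catching the case where `run402 doctor` and the ESLint rule didn't run
+// (e.g. agent paste straight into a route handler). Excluded from public
+// docs intentionally — they exist to fail loudly, not as API.
+export { getSession, currentUser, getCurrentUser, getServerSession } from "./auth/index.js";
 export { email } from "./email.js";
 export { ai } from "./ai.js";
 export { assets } from "./assets.js";
+// `verifyWebhook(headers, rawBody, secret)` — verify a Run402-signed
+// operator-notifications webhook delivery. Stripe-shape HMAC SHA256 with
+// dual-secret rotation grace.
+export { verifyWebhook } from "./verify-webhook.js";
 // `getRun402Context(request)` — zero-dep helper for non-Astro Node22
 // functions (webhooks, auth endpoints, admin tools) to read the
 // per-request context the gateway populates as `x-run402-*` headers.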
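Review bot: The new comment on lines 3-8 calls the `auth.*` namespace the only documented identity surface, yet line 2 still exports `getUser`, `getUserId` and `getRole` from `./auth.js` with no comment saying how they relate to it. A reader cannot tell from this file whether those helpers resolve identity through the same verified path as `auth.user()` or are legacy shims; `./auth.js` is outside this section, so this is a documentation request rather than a finding. I would add a line above that export such as `// Legacy identity helpers; the supported surface is the auth.* namespace below.` and, if they are deprecated, say so there. The file continues past line 26, outside the hunk.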
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGxD,qEAAqE;AACrE,4EAA4E;AAC5E,iEAAiE;AACjE,+DAA+D;AAC/D,yEAAyE;AACzE,wEAAwE;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAEvC,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,EAClB,4BAA4B,EAC5B,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AACzB,wEAAwE;AACxE,uEAAuE;AACvE,yEAAyE;AACzE,yEAAyE;AACzE,8DAA8D;AAC9D,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAEnC,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAS7B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,qEAAqE;AACrE,yEAAyE;AACzE,8BAA8B;AAC9B,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD,qEAAqE;AACrE,gEAAgE;AAChE,qEAAqE;AACrE,2EAA2E;AAC3E,2DAA2D;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAiBxD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAO5E,0CAA0C;AAC1C,mEAAmE;AACnE,2DAA2D;AAC3D,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAOnC,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AACpB,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AACxE,iDAAiD;AACjD,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC"}
|
|
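--- a/package/dist/lib/actor-context-verify.d.ts
+++ b/package/dist/lib/actor-context-verify.d.ts
@@ -0,0 +1,95 @@
+/**
+* SDK runtime verifier for the gateway-signed actor-context envelope.
+*
+* Why this lives in `packages/functions/src/lib/` (vendored shape):
+* - `@run402/functions` is published independently; it must NOT depend
+* on `@run402/gateway` types or runtime.
+* - The verifier is small, deterministic, and security-critical — easier
+* to audit when it lives next to the consumer.
+* - Matches the convention used for `jwt.ts` (vendored upstream copy of
+* the verifier we trust).
+*
+* Contract — the encoded envelope is `base64url(canonical_json) + "." +
+* base64url(hmac_sha256)`. Canonical JSON has a fixed key order; the
+* verifier doesn't re-canonicalise, it just rehmac's the body bytes that
+* were base64-decoded. (Trying to re-derive canonical JSON from the parsed
+* object would re-introduce key-order brittleness; verify the bytes you
+* received, parse only to read fields.)
+*
+* Lookup of `actor_context_signing_key[kid]`:
+* 1. `ACTOR_CONTEXT_SIGNING_KEY_MAP_JSON` env (`{kid: base64}` JSON).
+* 2. `ACTOR_CONTEXT_SIGNING_KEY_<KID_UPPER>` env (one var per kid).
+* 3. Test injection via `_setActorContextKeyMapForTest` on this module.
+*
+* Verification failure modes (mirrors the gateway side):
+* - "malformed" — encoded shape rejected before parse
+* - "unknown_kid" — envelope's kid not in the verifier map
+* - "bad_signature" — HMAC mismatch
+* - "iss_mismatch" — envelope.iss !== "run402-gateway"
+* - "aud_mismatch" — envelope.aud !== "run402-functions-runtime"
+* - "expired" — envelope.exp <= now
+* - "lifetime_too_long" — envelope.exp - envelope.iat > 60s
+* - "project_id_mismatch" — envelope.project_id !== request's
+* - "request_id_mismatch" — envelope.request_id !== request's
+* - "method_mismatch" — different HTTP method
+* - "host_mismatch" — different host (after default-port normalise)
+* - "path_mismatch" — different path (compared by sha256)
+* - "version_mismatch" — schema version not what we compiled
+*
+* On ANY failure the SDK runtime treats the request as anonymous AND
+* logs `R402_AUTH_ACTOR_HEADER_SPOOF` so spoofs / replays are visible
+* in observability.
+*
+* @see openspec/changes/auth-aware-ssr/specs/routed-http-functions/spec.md
+*/
+export declare const ACTOR_CONTEXT_ENVELOPE_VERSION: 1;
+export declare const ACTOR_CONTEXT_ENVELOPE_ISS = "run402-gateway";
+export declare const ACTOR_CONTEXT_ENVELOPE_AUD = "run402-functions-runtime";
+export declare const ACTOR_CONTEXT_MAX_LIFETIME_SEC = 60;
+/** Inbound header carrying the encoded envelope. The runtime reads from
+* the request headers in `RunRequestContext.request.headers`. */
+export declare const ACTOR_CONTEXT_HEADER = "x-run402-actor-context";
+export interface VerifiedActorPayload {
+id: string;
+email: string;
+emailVerified: boolean;
+authTime: number;
+amr: string[];
+amrTimes: Record<string, number>;
+authzVersion: number;
+}
+export interface VerifiedEnvelope {
+v: 1;
+kid: string;
+iss: typeof ACTOR_CONTEXT_ENVELOPE_ISS;
+aud: typeof ACTOR_CONTEXT_ENVELOPE_AUD;
+project_id: string;
+request_id: string;
+method: string;
+host: string;
+path_hash: string;
+iat: number;
+exp: number;
+actor: VerifiedActorPayload;
+}
+export interface VerifyRequestContext {
+projectId: string;
+requestId: string;
+method: string;
+host: string;
+path: string;
+/** Override for tests; production uses `new Date()`. */
+now?: Date;
+}
+export type VerifyFailureReason = "malformed" | "unknown_kid" | "bad_signature" | "iss_mismatch" | "aud_mismatch" | "expired" | "lifetime_too_long" | "project_id_mismatch" | "request_id_mismatch" | "method_mismatch" | "host_mismatch" | "path_mismatch" | "version_mismatch";
+export type VerifyOutcome = {
+ok: true;
+envelope: VerifiedEnvelope;
+} | {
+ok: false;
+reason: VerifyFailureReason;
+};
+/** Test injection. NEVER call from production code. */
+export declare function _setActorContextKeyMapForTest(map: Record<string, Buffer | string> | null): void;
+export declare function verifyActorContextEnvelope(encoded: string, ctx: VerifyRequestContext): VerifyOutcome;
+//# sourceMappingURL=actor-context-verify.d.ts.map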
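Review bot: Nothing in the documented failure modes (lines 24-37) or in `VerifyFailureReason` (line 84) relates `iat` to the current time: `expired` tests `exp <= now` and `lifetime_too_long` tests only `exp - iat`, so an envelope whose `iat` lies in the future would satisfy the 60-second cap while staying acceptable for longer than 60 seconds of wall-clock time. The implementation is in `actor-context-verify.js`, outside this section, and may already cover this; if it does not, I would add a `"not_yet_valid"` reason and reject when `iat` exceeds `now` plus a small skew allowance. Separately, `_setActorContextKeyMapForTest` on line 93 is a public export that injects entries into the verifier's key lookup and is guarded only by the comment `NEVER call from production code`; the declaration comment should state what the function does outside a test run, and the implementation should refuse to install keys there.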
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"actor-context-verify.d.ts","sourceRoot":"","sources":["../../src/lib/actor-context-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAIH,eAAO,MAAM,8BAA8B,EAAG,CAAU,CAAC;AACzD,eAAO,MAAM,0BAA0B,mBAAmB,CAAC;AAC3D,eAAO,MAAM,0BAA0B,6BAA6B,CAAC;AACrE,eAAO,MAAM,8BAA8B,KAAK,CAAC;AAEjD;kEACkE;AAClE,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAE7D,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,OAAO,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC/B,CAAC,EAAE,CAAC,CAAC;IACL,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,OAAO,0BAA0B,CAAC;IACvC,GAAG,EAAE,OAAO,0BAA0B,CAAC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,oBAAoB,CAAC;CAC7B;AAED,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ;AAED,MAAM,MAAM,mBAAmB,GAC3B,WAAW,GACX,aAAa,GACb,eAAe,GACf,cAAc,GACd,cAAc,GACd,SAAS,GACT,mBAAmB,GACnB,qBAAqB,GACrB,qBAAqB,GACrB,iBAAiB,GACjB,eAAe,GACf,eAAe,GACf,kBAAkB,CAAC;AAEvB,MAAM,MAAM,aAAa,GACrB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,EAAE,gBAAgB,CAAA;CAAE,GACxC;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,mBAAmB,CAAA;CAAE,CAAC;AAqD/C,uDAAuD;AACvD,wBAAgB,6BAA6B,CAC3C,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,GAAG,IAAI,GAC1C,IAAI,CAcN;AAMD,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,oBAAoB,GACxB,aAAa,CA0Ef"}
|