@run402/functions 2.7.0 → 3.0.0

Files changed (40) hide show
  1. package/dist/auth/errors.d.ts +89 -0
  2. package/dist/auth/errors.d.ts.map +1 -0
  3. package/dist/auth/errors.js +170 -0
  4. package/dist/auth/errors.js.map +1 -0
  5. package/dist/auth/index.d.ts +98 -0
  6. package/dist/auth/index.d.ts.map +1 -0
  7. package/dist/auth/index.js +453 -0
  8. package/dist/auth/index.js.map +1 -0
  9. package/dist/auth/types.d.ts +58 -0
  10. package/dist/auth/types.d.ts.map +1 -0
  11. package/dist/auth/types.js +13 -0
  12. package/dist/auth/types.js.map +1 -0
  13. package/dist/auth/url-validation.d.ts +31 -0
  14. package/dist/auth/url-validation.d.ts.map +1 -0
  15. package/dist/auth/url-validation.js +83 -0
  16. package/dist/auth/url-validation.js.map +1 -0
  17. package/dist/auth.d.ts +25 -50
  18. package/dist/auth.d.ts.map +1 -1
  19. package/dist/auth.js +34 -103
  20. package/dist/auth.js.map +1 -1
  21. package/dist/db.d.ts.map +1 -1
  22. package/dist/db.js +40 -0
  23. package/dist/db.js.map +1 -1
  24. package/dist/index.d.ts +6 -0
  25. package/dist/index.d.ts.map +1 -1
  26. package/dist/index.js +18 -0
  27. package/dist/index.js.map +1 -1
  28. package/dist/lib/actor-context-verify.d.ts +95 -0
  29. package/dist/lib/actor-context-verify.d.ts.map +1 -0
  30. package/dist/lib/actor-context-verify.js +200 -0
  31. package/dist/lib/actor-context-verify.js.map +1 -0
  32. package/dist/runtime-context.d.ts +14 -1
  33. package/dist/runtime-context.d.ts.map +1 -1
  34. package/dist/runtime-context.js +60 -0
  35. package/dist/runtime-context.js.map +1 -1
  36. package/dist/verify-webhook.d.ts +71 -0
  37. package/dist/verify-webhook.d.ts.map +1 -0
  38. package/dist/verify-webhook.js +147 -0
  39. package/dist/verify-webhook.js.map +1 -0
  40. package/package.json +2 -2
@@ -0,0 +1,83 @@
1
+ /**
2
+ * `auth.fetch` URL validation.
3
+ *
4
+ * Synchronous before-network checks: the URL is rejected (sync throw)
5
+ * before any network I/O if it's not safely same-origin. The set of
6
+ * rejected shapes is enumerated by the spec — we mirror it verbatim:
7
+ *
8
+ * - Cross-origin absolute URLs
9
+ * - URLs with embedded credentials (`http://user:pass@host/...`)
10
+ * - Non-HTTP(S) schemes (`javascript:`, `data:`, `file:`, etc.)
11
+ * - Protocol-relative URLs (`//evil.example/...`)
12
+ * - Subdomain-spoof patterns (`https://app.run402.app.evil.example/...`)
13
+ * - Port-mismatch against the current request origin
14
+ *
15
+ * Same-origin normalisation: scheme, host, and default-port comparisons
16
+ * use `URL.origin`, which strips `:80` for http and `:443` for https.
17
+ *
18
+ * @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
19
+ */
20
+ const SAFE_SCHEMES = new Set(["http:", "https:"]);
21
+ export function validateAuthFetchInput(input, ctx) {
22
+ // Reject Request objects with cross-origin url. We don't accept Request
23
+ // here because `auth.fetch` is the canonical surface for same-origin
24
+ // SSR fetches; the Request escape hatch could carry headers / credentials
25
+ // / redirect modes that bypass our policy.
26
+ if (typeof input === "object" && input !== null && "url" in input && typeof input.url === "string") {
27
+ // Caller passed a Request — extract the URL string and run it
28
+ // through the same validation. Same with URL object.
29
+ return validateAuthFetchInput(input.url, ctx);
30
+ }
31
+ if (input instanceof URL) {
32
+ return validateAuthFetchInput(input.toString(), ctx);
33
+ }
34
+ if (typeof input !== "string") {
35
+ return { ok: false, reason: "URL must be a string, URL, or Request" };
36
+ }
37
+ const raw = input;
38
+ if (raw.length === 0) {
39
+ return { ok: false, reason: "URL is empty" };
40
+ }
41
+ // Protocol-relative reject — `//host/path` resolves to the current
42
+ // origin's scheme, but a server-side fetch has no implicit origin
43
+ // when there's no document; the spec treats it as a smell.
44
+ if (raw.startsWith("//")) {
45
+ return { ok: false, reason: "protocol-relative URLs are not allowed" };
46
+ }
47
+ // Path-only / relative URLs (no scheme) are the happy path. We resolve
48
+ // them against the request origin and let the URL constructor reject
49
+ // any structural garbage.
50
+ if (!/^[a-z][a-z0-9+\-.]*:/i.test(raw)) {
51
+ let absolute;
52
+ try {
53
+ absolute = new URL(raw, ctx.requestOrigin);
54
+ }
55
+ catch {
56
+ return { ok: false, reason: "invalid relative URL" };
57
+ }
58
+ return { ok: true, normalized: absolute };
59
+ }
60
+ // Absolute URL — parse and validate.
61
+ let url;
62
+ try {
63
+ url = new URL(raw);
64
+ }
65
+ catch {
66
+ return { ok: false, reason: "invalid absolute URL" };
67
+ }
68
+ if (!SAFE_SCHEMES.has(url.protocol)) {
69
+ return { ok: false, reason: `scheme ${url.protocol} is not http(s)` };
70
+ }
71
+ if (url.username !== "" || url.password !== "") {
72
+ return { ok: false, reason: "URL contains embedded credentials" };
73
+ }
74
+ if (url.origin !== ctx.requestOrigin) {
75
+ // Subdomain-spoof guard: even if the host string contains the
76
+ // expected hostname as a substring (e.g.
77
+ // `app.run402.app.evil.example`), URL.origin compares the full
78
+ // host+port+scheme, so this is correct.
79
+ return { ok: false, reason: "cross-origin URLs are not allowed" };
80
+ }
81
+ return { ok: true, normalized: url };
82
+ }
83
+ //# sourceMappingURL=url-validation.js.map
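Review bot: The relative-URL branch of `validateAuthFetchInput` returns `{ ok: true, normalized: absolute }` without comparing `absolute.origin` to `ctx.requestOrigin`, so the same-origin guarantee there rests entirely on the `startsWith("//")` test and the scheme regex. The WHATWG URL parser normalises more inputs into a scheme-relative form than that prefix test covers (backslashes count as slashes against an http(s) base, leading whitespace is stripped, embedded tab and newline characters are removed), so a string with no scheme and no literal leading `//` can still resolve to another host. Running the post-parse checks on this branch as well closes the gap: `if (absolute.origin !== ctx.requestOrigin || absolute.username !== "" || absolute.password !== "") return { ok: false, reason: "cross-origin URLs are not allowed" };`. Separately, the first comment says Request objects are not accepted, while the code unwraps `input.url` and validates it. The comment should say that only the URL string is taken, and that whether the Request's headers and redirect mode are discarded is decided by the caller, which this file does not show.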
@@ -0,0 +1 @@
1
+ {"version":3,"file":"url-validation.js","sourceRoot":"","sources":["../../src/auth/url-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAUH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AAElD,MAAM,UAAU,sBAAsB,CACpC,KAAwB,EACxB,GAAyB;IAEzB,wEAAwE;IACxE,qEAAqE;IACrE,0EAA0E;IAC1E,2CAA2C;IAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,IAAI,KAAK,IAAI,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnG,8DAA8D;QAC9D,qDAAqD;QACrD,OAAO,sBAAsB,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,KAAK,YAAY,GAAG,EAAE,CAAC;QACzB,OAAO,sBAAsB,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,GAAG,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAC;IACxE,CAAC;IAED,MAAM,GAAG,GAAG,KAAK,CAAC;IAClB,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAC/C,CAAC;IAED,mEAAmE;IACnE,kEAAkE;IAClE,2DAA2D;IAC3D,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,wCAAwC,EAAE,CAAC;IACzE,CAAC;IAED,uEAAuE;IACvE,qEAAqE;IACrE,0BAA0B;IAC1B,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACvC,IAAI,QAAa,CAAC;QAClB,IAAI,CAAC;YACH,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,aAAa,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;QACvD,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;IAC5C,CAAC;IAED,qCAAqC;IACrC,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IACvD,CAAC;IAED,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,GAAG,CAAC,QAAQ,iBAAiB,EAAE,CAAC;IACxE,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,EAAE,IAAI,GAAG,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;QAC/C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IACpE,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,aAAa,EAAE,CAAC;QACrC,8
DAA8D;QAC9D,yCAAyC;QACzC,+DAA+D;QAC/D,wCAAwC;QACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IACpE,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;AACvC,CAAC"}
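--- a/package/dist/auth.d.ts
+++ b/package/dist/auth.d.ts
@@ -1,57 +1,32 @@
- export interface User {
- id: string;
- role: string;
- email: string;
- }
  /**
- * Verify the caller's JWT and return user identity.
- * Returns { id, role, email } or null if unauthenticated/invalid.
+ * Legacy auth exports throwing sentinels.
  *
- * NOTE: `role` here is the JWT claim (`anon`, `authenticated`,
- * `project_admin`, …) the PostgREST/RLS system role, NOT the
- * application role from a declarative `requireRole` gate. For the
- * gate-resolved application role, use {@link getRole}.
- */
- export declare function getUser(req?: Request): User | null;
- /**
- * Read the gate-resolved user id from the request.
+ * **REMOVED in v3.0 (auth-aware-ssr).** `getUser`, `getUserId`, and
+ * `getRole` are no longer working exports they throw
+ * `R402_AUTH_UNKNOWN_EXPORT` with a structured fix-it pointing at the
+ * canonical `auth.*` namespace.
  *
- * Returns the value of the `x-run402-user-id` request header, which the
- * Run402 gateway injects when a function-level `requireAuth` or
- * `requireRole` gate evaluates successfully on this dispatch. Inbound
- * `x-run402-*` headers from the browser are stripped by the gateway
- * before injection, so the value is trustworthy.
+ * ESM named imports (`import { getUser } from "@run402/functions"`)
+ * can't be intercepted by a Proxy; the only way to fail loudly on
+ * runtime usage is to ship a sentinel function. The `run402 doctor`
+ * source scanner (public repo CLI) and the `@run402/astro` ESLint rule
+ * catch the import before runtime; this file is the last line of defense
+ * for code that bypasses both.
  *
- * Returns `null` when the function has no gate declared, or when the
- * function is invoked outside the gateway (local test harness, direct
- * Lambda invoke). For gated functions reached through the gateway, the
- * value is non-null by construction.
+ * The legacy `User` type is preserved as an alias of `Actor` for any
+ * stragglers but accessing the throwing sentinels at runtime fails.
  *
- * This is the gate-side companion to {@link getUser}, which decodes
- * the JWT directly. The two layers are independent: a function with
- * only `requireRole` runs the role lookup against the project's
- * `members` table via gateway-side RLS-bypass; user code does not
- * need to re-decode the JWT.
+ * @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
  */
- export declare function getUserId(req?: Request): string | null;
- /**
- * Read the gate-resolved application role from the request.
- *
- * Returns the value of the `x-run402-user-role` request header, which
- * the Run402 gateway injects when a function-level `requireRole` gate
- * evaluates successfully on this dispatch. The value is the role string
- * from the project-schema `members.role` (or whatever
- * `(table, idColumn, roleColumn)` triple the gate declared), already
- * confirmed to be in `requireRole.allowed`. Inbound `x-run402-*`
- * headers are stripped, so the value is trustworthy.
- *
- * Returns `null` when no `requireRole` gate ran on this dispatch
- * (function has only `requireAuth`, no gate at all, or is invoked
- * outside the gateway).
- *
- * This is the application role, NOT the JWT role from
- * {@link getUser}. The two are independent — see the JSDoc on
- * `getUser` for the distinction.
- */
- export declare function getRole(req?: Request): string | null;
+ export type User = {
+ id: string;
+ role: string;
+ email: string;
+ };
+ /** @deprecated Removed in `@run402/functions` v3.0. Use `auth.user()` or `auth.requireUser()`. */
+ export declare function getUser(_req?: Request): never;
+ /** @deprecated Removed in `@run402/functions` v3.0. Use `(await auth.user())?.id` or `(await auth.requireUser()).id`. */
+ export declare function getUserId(_req?: Request): never;
+ /** @deprecated Removed in `@run402/functions` v3.0. Use `auth.requireRole(role)`. */
+ export declare function getRole(_req?: Request): never;
  //# sourceMappingURL=auth.d.ts.map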
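Review bot: The header comment says `User` is preserved as an alias of `Actor`, but the declaration at the end of the hunk is an independent object type with `id`, `role` and `email`, and nothing named `Actor` is imported in this file, so the two shapes can drift apart without a compile error. Either declare the alias the comment describes (assuming `Actor` is exported from the new `auth/types` module, which this page does not show) or reword the comment to "The legacy `User` shape is kept as a standalone type for stragglers". The sentence "are no longer working exports they throw" has also lost its dash and reads as a run-on.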
@@ -1 +1 @@
1
- {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,IAAI,GAAG,IAAI,CAsClD;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,SAAS,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAOtD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,OAAO,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAOpD"}
1
+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAIH,MAAM,MAAM,IAAI,GAAG;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAE/D,kGAAkG;AAClG,wBAAgB,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAK7C;AAED,yHAAyH;AACzH,wBAAgB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAK/C;AAED,qFAAqF;AACrF,wBAAgB,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAK7C"}
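--- a/package/dist/auth.js
+++ b/package/dist/auth.js
@@ -1,112 +1,43 @@
- import jwt from "./lib/jwt.js";
- import { config } from "./config.js";
- import { getCurrentContext, taintCacheBypass } from "./runtime-context.js";
  /**
- * Verify the caller's JWT and return user identity.
- * Returns { id, role, email } or null if unauthenticated/invalid.
+ * Legacy auth exports throwing sentinels.
  *
- * NOTE: `role` here is the JWT claim (`anon`, `authenticated`,
- * `project_admin`, …) the PostgREST/RLS system role, NOT the
- * application role from a declarative `requireRole` gate. For the
- * gate-resolved application role, use {@link getRole}.
- */
- export function getUser(req) {
- // Capability `astro-ssr-runtime` (v1.52). Taint the cache-bypass flag
- // on the active request context, regardless of whether `getUser`
- // resolves to a user or null — the response now depends on per-request
- // auth state and MUST NOT be cached publicly.
- taintCacheBypass();
- // If no `req` was passed, read auth from the ALS context (the SSR
- // Lambda runtime's `runWithContext` populates `request.headers`).
- // This is what makes `await getUser()` work naturally inside Astro
- // `[slug].astro` frontmatter without any explicit plumbing.
- let authHeader;
- if (req !== undefined) {
- authHeader =
- typeof req.headers.get === "function"
- ? req.headers.get("authorization")
- : req.headers?.authorization;
- }
- else {
- const ctx = getCurrentContext();
- if (ctx === undefined)
- return null;
- const h = ctx.request.headers;
- const raw = h["authorization"] ?? h["Authorization"];
- authHeader = Array.isArray(raw) ? raw[0] : raw;
- }
- if (!authHeader || !authHeader.startsWith("Bearer "))
- return null;
- const token = authHeader.slice(7);
- try {
- const payload = jwt.verify(token, config.JWT_SECRET);
- if (payload.project_id !== config.PROJECT_ID)
- return null;
- return { id: payload.sub, role: payload.role, email: payload.email };
- }
- catch {
- return null;
- }
- }
- /**
- * Read the gate-resolved user id from the request.
+ * **REMOVED in v3.0 (auth-aware-ssr).** `getUser`, `getUserId`, and
+ * `getRole` are no longer working exports they throw
+ * `R402_AUTH_UNKNOWN_EXPORT` with a structured fix-it pointing at the
+ * canonical `auth.*` namespace.
  *
- * Returns the value of the `x-run402-user-id` request header, which the
- * Run402 gateway injects when a function-level `requireAuth` or
- * `requireRole` gate evaluates successfully on this dispatch. Inbound
- * `x-run402-*` headers from the browser are stripped by the gateway
- * before injection, so the value is trustworthy.
+ * ESM named imports (`import { getUser } from "@run402/functions"`)
+ * can't be intercepted by a Proxy; the only way to fail loudly on
+ * runtime usage is to ship a sentinel function. The `run402 doctor`
+ * source scanner (public repo CLI) and the `@run402/astro` ESLint rule
+ * catch the import before runtime; this file is the last line of defense
+ * for code that bypasses both.
  *
- * Returns `null` when the function has no gate declared, or when the
- * function is invoked outside the gateway (local test harness, direct
- * Lambda invoke). For gated functions reached through the gateway, the
- * value is non-null by construction.
+ * The legacy `User` type is preserved as an alias of `Actor` for any
+ * stragglers but accessing the throwing sentinels at runtime fails.
  *
- * This is the gate-side companion to {@link getUser}, which decodes
- * the JWT directly. The two layers are independent: a function with
- * only `requireRole` runs the role lookup against the project's
- * `members` table via gateway-side RLS-bypass; user code does not
- * need to re-decode the JWT.
+ * @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
  */
- export function getUserId(req) {
- if (req !== undefined)
- return req.headers.get("x-run402-user-id");
- const ctx = getCurrentContext();
- if (ctx === undefined)
- return null;
- const raw = ctx.request.headers["x-run402-user-id"];
- if (Array.isArray(raw))
- return raw[0] ?? null;
- return raw ?? null;
+ import { UnknownExportError } from "./auth/errors.js";
+ /** @deprecated Removed in `@run402/functions` v3.0. Use `auth.user()` or `auth.requireUser()`. */
+ export function getUser(_req) {
+ throw new UnknownExportError({
+ attemptedName: "getUser",
+ canonicalName: "auth.user() / auth.requireUser()",
+ });
  }
- /**
- * Read the gate-resolved application role from the request.
- *
- * Returns the value of the `x-run402-user-role` request header, which
- * the Run402 gateway injects when a function-level `requireRole` gate
- * evaluates successfully on this dispatch. The value is the role string
- * from the project-schema `members.role` (or whatever
- * `(table, idColumn, roleColumn)` triple the gate declared), already
- * confirmed to be in `requireRole.allowed`. Inbound `x-run402-*`
- * headers are stripped, so the value is trustworthy.
- *
- * Returns `null` when no `requireRole` gate ran on this dispatch
- * (function has only `requireAuth`, no gate at all, or is invoked
- * outside the gateway).
- *
- * This is the application role, NOT the JWT role from
- * {@link getUser}. The two are independent — see the JSDoc on
- * `getUser` for the distinction.
- */
- export function getRole(req) {
- if (req !== undefined)
- return req.headers.get("x-run402-user-role");
- const ctx = getCurrentContext();
- if (ctx === undefined)
- return null;
- const raw = ctx.request.headers["x-run402-user-role"];
- if (Array.isArray(raw))
- return raw[0] ?? null;
- return raw ?? null;
+ /** @deprecated Removed in `@run402/functions` v3.0. Use `(await auth.user())?.id` or `(await auth.requireUser()).id`. */
+ export function getUserId(_req) {
+ throw new UnknownExportError({
+ attemptedName: "getUserId",
+ canonicalName: "(await auth.user())?.id",
+ });
+ }
+ /** @deprecated Removed in `@run402/functions` v3.0. Use `auth.requireRole(role)`. */
+ export function getRole(_req) {
+ throw new UnknownExportError({
+ attemptedName: "getRole",
+ canonicalName: "auth.requireRole(role)",
+ });
  }
  //# sourceMappingURL=auth.js.map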
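Review bot: The `canonicalName` hints carried by the thrown `UnknownExportError` are not drop-in replacements, and they disagree with the JSDoc beside them. The removed `getRole` returned the gate-resolved role string or `null`, whereas its hint names `auth.requireRole(role)`, which takes a role as an argument, so a caller that branched on the returned string gets no usable guidance. For `getUserId` the JSDoc lists both `(await auth.user())?.id` and `(await auth.requireUser()).id`, but the error carries only the first. A short comment on each sentinel would make the migration explicit, for example `// Replacement is async and returns an actor object rather than a string or null.` The removed `getUser` also called `taintCacheBypass()` before reading auth state; this page does not show `auth/index.js`, so it is worth confirming the new `auth.user()` still marks the response as uncacheable.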
package/dist/auth.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAC;AAC/B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAQ3E;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO,CAAC,GAAa;IACnC,sEAAsE;IACtE,iEAAiE;IACjE,uEAAuE;IACvE,8CAA8C;IAC9C,gBAAgB,EAAE,CAAC;IAEnB,kEAAkE;IAClE,kEAAkE;IAClE,mEAAmE;IACnE,4DAA4D;IAC5D,IAAI,UAAqC,CAAC;IAC1C,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,UAAU;YACR,OAAQ,GAAG,CAAC,OAA6C,CAAC,GAAG,KAAK,UAAU;gBAC1E,CAAC,CAAE,GAAG,CAAC,OAAmB,CAAC,GAAG,CAAC,eAAe,CAAC;gBAC/C,CAAC,CAAE,GAAG,CAAC,OAAyD,EAAE,aAAa,CAAC;IACtF,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;QAChC,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC;QACnC,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;QAC9B,MAAM,GAAG,GAAG,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,eAAe,CAAC,CAAC;QACrD,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjD,CAAC;IACD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAKvB,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;QAC7B,IAAI,OAAO,CAAC,UAAU,KAAK,MAAM,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAC1D,OAAO,EAAE,EAAE,EAAE,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,SAAS,CAAC,GAAa;IACrC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACpD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC9C,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,OAAO,CAAC,GAAa;IACnC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC
;IACpE,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACtD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC9C,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC"}
1
+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAItD,kGAAkG;AAClG,MAAM,UAAU,OAAO,CAAC,IAAc;IACpC,MAAM,IAAI,kBAAkB,CAAC;QAC3B,aAAa,EAAE,SAAS;QACxB,aAAa,EAAE,kCAAkC;KAClD,CAAC,CAAC;AACL,CAAC;AAED,yHAAyH;AACzH,MAAM,UAAU,SAAS,CAAC,IAAc;IACtC,MAAM,IAAI,kBAAkB,CAAC;QAC3B,aAAa,EAAE,WAAW;QAC1B,aAAa,EAAE,yBAAyB;KACzC,CAAC,CAAC;AACL,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,OAAO,CAAC,IAAc;IACpC,MAAM,IAAI,kBAAkB,CAAC;QAC3B,aAAa,EAAE,SAAS;QACxB,aAAa,EAAE,wBAAwB;KACxC,CAAC,CAAC;AACL,CAAC"}
package/dist/db.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAGA,UAAU,gBAAgB;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,YAAY;;gBASX,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB;IAOjD,MAAM,CAAC,OAAO,SAAM,GAAG,IAAI;IAK3B,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK3C,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK5C,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,GAAG,IAAI;IAKrD,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,SAAgB,EAAE;;KAAK,GAAG,IAAI;IAKtD,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK1B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK3B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;IAMvE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAM3C,MAAM,IAAI,IAAI;IAKd,IAAI,CACF,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,IAAI,EACnD,MAAM,EAAE,CAAC,MAAM,EAAE,KAAK,KAAK,IAAI,GAC9B,IAAI;CA6BR;AAgBD,UAAU,cAAc;IACtB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,cAAc,CAkBhD;AAED,UAAU,aAAa;IACrB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IAClC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;CAC5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA+BvC"}
1
+ {"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAIA,UAAU,gBAAgB;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,YAAY;;gBASX,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB;IAOjD,MAAM,CAAC,OAAO,SAAM,GAAG,IAAI;IAK3B,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK3C,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK5C,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,GAAG,IAAI;IAKrD,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,SAAgB,EAAE;;KAAK,GAAG,IAAI;IAKtD,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK1B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK3B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;IAMvE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAM3C,MAAM,IAAI,IAAI;IAKd,IAAI,CACF,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,IAAI,EACnD,MAAM,EAAE,CAAC,MAAM,EAAE,KAAK,KAAK,IAAI,GAC9B,IAAI;CA6BR;AAwDD,UAAU,cAAc;IACtB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,cAAc,CAkBhD;AAED,UAAU,aAAa;IACrB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IAClC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;CAC5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA+BvC"}
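--- a/package/dist/db.js
+++ b/package/dist/db.js
@@ -1,5 +1,6 @@
  import { config } from "./config.js";
  import { getCurrentContext } from "./runtime-context.js";
+ import jwt from "./lib/jwt.js";
  export class QueryBuilder {
  #table;
  #params = new URLSearchParams();
@@ -116,6 +117,45 @@ function extractAuthFromAls() {
  const ctx = getCurrentContext();
  if (ctx === undefined)
  return undefined;
+ // v3.0 (auth-aware-ssr): if a verified actor is present on the runtime
+ // context, mint a short-lived JWT carrying the actor's claims so the
+ // gateway's PostgREST proxy → pre_request hook → RLS pipeline sees the
+ // browser-cookie actor identically to a Bearer-JWT call. The mint is
+ // SDK-side because the cookie itself is `__Host-` scoped to the
+ // browser origin and never forwarded server-to-server (D13 forbids
+ // cookie forwarding). The pepper-isolated session secret stays in the
+ // DB; the JWT carries only the actor's already-validated claims, signed
+ // with the same JWT_SECRET PostgREST verifies against.
+ if (ctx.actor && config.JWT_SECRET) {
+ const nowSec = Math.floor(Date.now() / 1000);
+ const claims = {
+ sub: ctx.actor.id,
+ role: "authenticated",
+ email: ctx.actor.email,
+ project_id: ctx.projectId,
+ iss: "agentdb",
+ amr: ctx.actor.amr,
+ auth_time: ctx.actor.authTime,
+ aal: ctx.actor.amr.includes("passkey") ? "aal2" : "aal1",
+ session_id: ctx.actor.sessionId,
+ authz_version: ctx.actor.authzVersion,
+ iat: nowSec,
+ // 60-second TTL — long enough for the request + retry budget,
+ // short enough that exfiltration provides no value.
+ exp: nowSec + 60,
+ };
+ try {
+ return `Bearer ${jwt.sign(claims, config.JWT_SECRET)}`;
+ }
+ catch {
+ // Fall through to header forwarding below. JWT signing should not
+ // realistically fail with a present secret; if it does, we want
+ // the request to proceed anonymously rather than 500.
+ }
+ }
+ // Fallback: forward whatever Authorization the inbound request carried.
+ // This is the v2.x behavior — preserved for explicit Bearer flows
+ // (mobile, server-to-server) where the caller already has a JWT.
  const headers = ctx.request.headers;
  const raw = headers["authorization"] ?? headers["Authorization"];
  if (Array.isArray(raw))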
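Review bot: The empty `catch` around `jwt.sign` falls through to forwarding the inbound `Authorization` header, which contradicts its own comment ("proceed anonymously") and lets a request with a verified `ctx.actor` reach PostgREST under whatever bearer token the client sent instead. The same fall-through happens when `ctx.actor` is set but `config.JWT_SECRET` is empty. Returning explicitly keeps the database identity from diverging from the verified actor: `catch { return undefined; }`, plus an early `return undefined` when an actor is present without a secret. The `claims` object is built outside the `try`, so a missing `ctx.actor.amr` throws from `.includes` instead of taking the documented fallback. `extractAuthFromAls` begins before this hunk and continues after it, so the rest of the function is not visible here.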
package/dist/db.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAQzD,MAAM,OAAO,YAAY;IACvB,MAAM,CAAS;IACf,OAAO,GAAG,IAAI,eAAe,EAAE,CAAC;IAChC,OAAO,GAAG,KAAK,CAAC;IAChB,KAAK,GAAY,SAAS,CAAC;IAC3B,OAAO,CAAS;IAChB,cAAc,CAAqB;IACnC,SAAS,CAAS;IAElB,YAAY,KAAa,EAAE,IAAsB;QAC/C,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,GAAG;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,MAAc,EAAE,OAAe;QAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,OAAO,EAAE,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,OAAe;QACnC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,MAA2B;QAC5C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE;QAC7C,IAAI,CAAC,OAAO,CAAC,MAAM,C
AAC,OAAO,EAAE,GAAG,MAAM,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAa;QACjB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAAyD;QAC9D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAA6B;QAClC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM;QACJ,IAAI,CAAC,OAAO,GAAG,QAAQ,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CACF,OAAmD,EACnD,MAA+B;QAE/B,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAEtF,MAAM,OAAO,GAA2B;YACtC,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,uBAAuB;SAChC,CAAC;QACF,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,cAAc,CAAC;QAC9C,CAAC;QAED,KAAK,CAAC,GAAG,EAAE;YACT,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1D,CAAC;aACC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YAClB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC,CAAC;gBACjE,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAiC,CAAC,CAAC;QAC7C,CAAC,CAAC;aACD,KAAK,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC;CACF;AAED,SAAS,WAAW,CAAC,GAAY;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClF,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,kBAAkB;IACzB,MAAM,GAAG,GAAG,iBAAi
B,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACxC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;IACtC,OAAO,GAAG,IAAI,SAAS,CAAC;AAC1B,CAAC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,EAAE,CAAC,GAAa;IAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,2DAA2D;YACzD,oEAAoE,CACvE,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,EAAE,CAAC;IAClF,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,OAAO;gBACf,aAAa;gBACb,QAAQ,EAAE,UAAU;aACrB,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAOD;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO;IACrB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC;IACtC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,UAAU;gBAClB,aAAa,EAAE,UAAU,UAAU,EAAE;gBACrC,QAAQ,EAAE,gBAAgB;aAC3B,CAAC,CAAC;QACL,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,KAAa,EAAE,MAAkB;YACzC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,sBAAsB,MAAM,CAAC,UAAU,MAAM,CAAC;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;YAC7D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,UAAU,EAAE;oBACrC,cAAc,EAAE,SAAS,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,YAAY;iBAC9D;gBACD,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK;aACjE,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,cAAc,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,GAAG,CAAC,IAAI,EAAwC,CAAC;QAC1D,CAAC;KACF,CAAC;AACJ,CAAC"}
1
+ {"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,GAAG,MAAM,cAAc,CAAC;AAQ/B,MAAM,OAAO,YAAY;IACvB,MAAM,CAAS;IACf,OAAO,GAAG,IAAI,eAAe,EAAE,CAAC;IAChC,OAAO,GAAG,KAAK,CAAC;IAChB,KAAK,GAAY,SAAS,CAAC;IAC3B,OAAO,CAAS;IAChB,cAAc,CAAqB;IACnC,SAAS,CAAS;IAElB,YAAY,KAAa,EAAE,IAAsB;QAC/C,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,GAAG;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,MAAc,EAAE,OAAe;QAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,OAAO,EAAE,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,OAAe;QACnC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,MAA2B;QAC5C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE;Q
AC7C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAa;QACjB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAAyD;QAC9D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAA6B;QAClC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM;QACJ,IAAI,CAAC,OAAO,GAAG,QAAQ,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CACF,OAAmD,EACnD,MAA+B;QAE/B,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAEtF,MAAM,OAAO,GAA2B;YACtC,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,uBAAuB;SAChC,CAAC;QACF,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,cAAc,CAAC;QAC9C,CAAC;QAED,KAAK,CAAC,GAAG,EAAE;YACT,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1D,CAAC;aACC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YAClB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC,CAAC;gBACjE,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAiC,CAAC,CAAC;QAC7C,CAAC,CAAC;aACD,KAAK,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC;CACF;AAED,SAAS,WAAW,CAAC,GAAY;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClF,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,kB
AAkB;IACzB,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAExC,uEAAuE;IACvE,qEAAqE;IACrE,uEAAuE;IACvE,qEAAqE;IACrE,gEAAgE;IAChE,mEAAmE;IACnE,sEAAsE;IACtE,wEAAwE;IACxE,uDAAuD;IACvD,IAAI,GAAG,CAAC,KAAK,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG;YACb,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE;YACjB,IAAI,EAAE,eAAwB;YAC9B,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,KAAK;YACtB,UAAU,EAAE,GAAG,CAAC,SAAS;YACzB,GAAG,EAAE,SAAkB;YACvB,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG;YAClB,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ;YAC7B,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAE,MAAgB,CAAC,CAAC,CAAE,MAAgB;YAC9E,UAAU,EAAE,GAAG,CAAC,KAAK,CAAC,SAAS;YAC/B,aAAa,EAAE,GAAG,CAAC,KAAK,CAAC,YAAY;YACrC,GAAG,EAAE,MAAM;YACX,8DAA8D;YAC9D,oDAAoD;YACpD,GAAG,EAAE,MAAM,GAAG,EAAE;SACjB,CAAC;QACF,IAAI,CAAC;YACH,OAAO,UAAU,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;YAClE,gEAAgE;YAChE,sDAAsD;QACxD,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,kEAAkE;IAClE,iEAAiE;IACjE,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;IACtC,OAAO,GAAG,IAAI,SAAS,CAAC;AAC1B,CAAC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,EAAE,CAAC,GAAa;IAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,2DAA2D;YACzD,oEAAoE,CACvE,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,EAAE,CAAC;IAClF,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,OAAO;gBACf,aAAa;gBACb,QAAQ,EAAE,UAAU;aACrB,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAOD;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO;IACrB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC;IACtC,OAAO
;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,UAAU;gBAClB,aAAa,EAAE,UAAU,UAAU,EAAE;gBACrC,QAAQ,EAAE,gBAAgB;aAC3B,CAAC,CAAC;QACL,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,KAAa,EAAE,MAAkB;YACzC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,sBAAsB,MAAM,CAAC,UAAU,MAAM,CAAC;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;YAC7D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,UAAU,EAAE;oBACrC,cAAc,EAAE,SAAS,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,YAAY;iBAC9D;gBACD,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK;aACjE,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,cAAc,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,GAAG,CAAC,IAAI,EAAwC,CAAC;QAC1D,CAAC;KACF,CAAC;AACJ,CAAC"}
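--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,11 +1,17 @@
 export { db, adminDb, QueryBuilder } from "./db.js";
 export { getUser, getUserId, getRole } from "./auth.js";
 export type { User } from "./auth.js";
+export { auth } from "./auth/index.js";
+export type { Actor, IdentityProof } from "./auth/index.js";
+export { Run402AuthError, AuthRequiredError, InsufficientRoleError, InsufficientMembershipError, FreshnessRequiredError, FetchAbsoluteUrlError, PrerenderedError, UnknownExportError, SessionBridgeUnverifiedError, IdentityLinkConflictError, UnknownIdentityError, } from "./auth/index.js";
+export { getSession, currentUser, getCurrentUser, getServerSession } from "./auth/index.js";
 export { email } from "./email.js";
 export type { EmailSendOptions, EmailRawOptions, EmailTemplateOptions, EmailSendResult } from "./email.js";
 export { ai } from "./ai.js";
 export type { GenerateImageOptions, GenerateImageResult, ImageAspect, TranslateOptions, TranslateResult, ModerateResult, } from "./ai.js";
 export { assets } from "./assets.js";
+export { verifyWebhook } from "./verify-webhook.js";
+export type { VerifyWebhookOptions, VerifyWebhookResult, HeadersLike } from "./verify-webhook.js";
 export { getRun402Context } from "./request-context.js";
 export type { Run402RequestContext } from "./request-context.js";
 export type { AssetPutOptions, AssetPutSource, AssetPutSourceInput, AssetRef, AssetVisibility, AssetVariant, AssetListRow, AssetsListFilter, AssetsListOptions, AssetsListResult, AssetsListSort, ImageInfo, } from "./assets.js";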
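Review bot: The four sentinel names `getSession`, `currentUser`, `getCurrentUser` and `getServerSession` are declared here as ordinary value exports, so a TypeScript consumer who imports them gets a clean compile and only finds the problem when the call throws at runtime. The matching comment in package/dist/index.js says they exist to fail loudly with `R402_AUTH_UNKNOWN_EXPORT`; surfacing that in the types would catch the mistake in the editor, for example with a TSDoc tag on each declaration in the source behind `./auth/index.js`: `/** @deprecated Always throws R402_AUTH_UNKNOWN_EXPORT; use auth.user() or auth.requireUser(). */`. Those declarations are outside this section, so whether they already carry such a tag cannot be confirmed from here.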
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC3G,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,WAAW,EACX,gBAAgB,EAChB,eAAe,EACf,cAAc,GACf,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAMrC,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,YAAY,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AACjE,YAAY,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,QAAQ,EACR,eAAe,EACf,YAAY,EAEZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC5E,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EACV,KAAK,EACL,qBAAqB,EACrB,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AAKpB,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAQtC,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AACvC,YAAY,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,EAClB,4BAA4B,EAC5B,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AAMzB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC3G,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,WAAW,EACX,gBAAgB,EAChB,eAAe,EACf,cAAc,GACf,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAIrC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAMlG,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,YAAY,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AACjE,YAAY,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,QAAQ,EACR,eAAe,EACf,YAAY,EAEZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC5E,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EACV,KAAK,EACL,qBAAqB,EACrB,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AAKpB,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC"}
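--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1,8 +1,26 @@
 export { db, adminDb, QueryBuilder } from "./db.js";
 export { getUser, getUserId, getRole } from "./auth.js";
+// Capability `auth-aware-ssr` (v3.0). The canonical server-side auth
+// namespace. `auth.user()` / `auth.requireUser()` / `auth.requireRole(...)`
+// / `auth.requireMembership(...)` / `auth.requireFresh({...})` /
+// `auth.fetch(...)` / `auth.csrfField()` / `auth.sessions.*` /
+// `auth.identities.link(...)` are the only documented identity surfaces.
+// See openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md.
+export { auth } from "./auth/index.js";
+export { Run402AuthError, AuthRequiredError, InsufficientRoleError, InsufficientMembershipError, FreshnessRequiredError, FetchAbsoluteUrlError, PrerenderedError, UnknownExportError, SessionBridgeUnverifiedError, IdentityLinkConflictError, UnknownIdentityError, } from "./auth/index.js";
+// Throwing-sentinel exports for the top legacy bare-name imports. These
+// fire `R402_AUTH_UNKNOWN_EXPORT` at runtime with a structured fix-it,
+// catching the case where `run402 doctor` and the ESLint rule didn't run
+// (e.g. agent paste straight into a route handler). Excluded from public
+// docs intentionally — they exist to fail loudly, not as API.
+export { getSession, currentUser, getCurrentUser, getServerSession } from "./auth/index.js";
 export { email } from "./email.js";
 export { ai } from "./ai.js";
 export { assets } from "./assets.js";
+// `verifyWebhook(headers, rawBody, secret)` — verify a Run402-signed
+// operator-notifications webhook delivery. Stripe-shape HMAC SHA256 with
+// dual-secret rotation grace.
+export { verifyWebhook } from "./verify-webhook.js";
 // `getRun402Context(request)` — zero-dep helper for non-Astro Node22
 // functions (webhooks, auth endpoints, admin tools) to read the
 // per-request context the gateway populates as `x-run402-*` headers.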
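Review bot: The comment above the `verifyWebhook` export shows a single `secret` argument while also promising dual-secret rotation grace, and it does not say how the second secret is supplied. Someone wiring up rotation has to open `verify-webhook.d.ts` to find out, and a mistake there shows up as rejected deliveries during the rotation window. One more comment line would settle it, stating the accepted form of `secret` and that `rawBody` must be the request body exactly as received, before any JSON parsing, since the HMAC is presumably computed over those bytes. The implementation is not visible in this section, so the wording should be checked against `VerifyWebhookOptions`.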
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAExD,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAEnC,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAS7B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,qEAAqE;AACrE,gEAAgE;AAChE,qEAAqE;AACrE,2EAA2E;AAC3E,2DAA2D;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAiBxD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAO5E,0CAA0C;AAC1C,mEAAmE;AACnE,2DAA2D;AAC3D,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAOnC,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AACpB,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AACxE,iDAAiD;AACjD,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGxD,qEAAqE;AACrE,4EAA4E;AAC5E,iEAAiE;AACjE,+DAA+D;AAC/D,yEAAyE;AACzE,wEAAwE;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAEvC,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,EAClB,4BAA4B,EAC5B,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AACzB,wEAAwE;AACxE,uEAAuE;AACvE,yEAAyE;AACzE,yEAAyE;AACzE,8DAA8D;AAC9D,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAEnC,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAS7B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,qEAAqE;AACrE,yEAAyE;AACzE,8BAA8B;AAC9B,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD,qEAAqE;AACrE,gEAAgE;AAChE,qEAAqE;AACrE,2EAA2E;AAC3E,2DAA2D;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAiBxD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAO5E,0CAA0C;AAC1C,mEAAmE;AACnE,2DAA2D;AAC3D,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAOnC,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AACpB,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AACxE,iDAAiD;AACjD,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC"}
@@ -0,0 +1,95 @@
1
+ /**
2
+ * SDK runtime verifier for the gateway-signed actor-context envelope.
3
+ *
4
+ * Why this lives in `packages/functions/src/lib/` (vendored shape):
5
+ * - `@run402/functions` is published independently; it must NOT depend
6
+ * on `@run402/gateway` types or runtime.
7
+ * - The verifier is small, deterministic, and security-critical — easier
8
+ * to audit when it lives next to the consumer.
9
+ * - Matches the convention used for `jwt.ts` (vendored upstream copy of
10
+ * the verifier we trust).
11
+ *
12
+ * Contract — the encoded envelope is `base64url(canonical_json) + "." +
13
+ * base64url(hmac_sha256)`. Canonical JSON has a fixed key order; the
14
+ * verifier doesn't re-canonicalise, it just rehmac's the body bytes that
15
+ * were base64-decoded. (Trying to re-derive canonical JSON from the parsed
16
+ * object would re-introduce key-order brittleness; verify the bytes you
17
+ * received, parse only to read fields.)
18
+ *
19
+ * Lookup of `actor_context_signing_key[kid]`:
20
+ * 1. `ACTOR_CONTEXT_SIGNING_KEY_MAP_JSON` env (`{kid: base64}` JSON).
21
+ * 2. `ACTOR_CONTEXT_SIGNING_KEY_<KID_UPPER>` env (one var per kid).
22
+ * 3. Test injection via `_setActorContextKeyMapForTest` on this module.
23
+ *
24
+ * Verification failure modes (mirrors the gateway side):
25
+ * - "malformed" — encoded shape rejected before parse
26
+ * - "unknown_kid" — envelope's kid not in the verifier map
27
+ * - "bad_signature" — HMAC mismatch
28
+ * - "iss_mismatch" — envelope.iss !== "run402-gateway"
29
+ * - "aud_mismatch" — envelope.aud !== "run402-functions-runtime"
30
+ * - "expired" — envelope.exp <= now
31
+ * - "lifetime_too_long" — envelope.exp - envelope.iat > 60s
32
+ * - "project_id_mismatch" — envelope.project_id !== request's
33
+ * - "request_id_mismatch" — envelope.request_id !== request's
34
+ * - "method_mismatch" — different HTTP method
35
+ * - "host_mismatch" — different host (after default-port normalise)
36
+ * - "path_mismatch" — different path (compared by sha256)
37
+ * - "version_mismatch" — schema version not what we compiled
38
+ *
39
+ * On ANY failure the SDK runtime treats the request as anonymous AND
40
+ * logs `R402_AUTH_ACTOR_HEADER_SPOOF` so spoofs / replays are visible
41
+ * in observability.
42
+ *
43
+ * @see openspec/changes/auth-aware-ssr/specs/routed-http-functions/spec.md
44
+ */
45
+ export declare const ACTOR_CONTEXT_ENVELOPE_VERSION: 1;
46
+ export declare const ACTOR_CONTEXT_ENVELOPE_ISS = "run402-gateway";
47
+ export declare const ACTOR_CONTEXT_ENVELOPE_AUD = "run402-functions-runtime";
48
+ export declare const ACTOR_CONTEXT_MAX_LIFETIME_SEC = 60;
49
+ /** Inbound header carrying the encoded envelope. The runtime reads from
50
+ * the request headers in `RunRequestContext.request.headers`. */
51
+ export declare const ACTOR_CONTEXT_HEADER = "x-run402-actor-context";
52
+ export interface VerifiedActorPayload {
53
+ id: string;
54
+ email: string;
55
+ emailVerified: boolean;
56
+ authTime: number;
57
+ amr: string[];
58
+ amrTimes: Record<string, number>;
59
+ authzVersion: number;
60
+ }
61
+ export interface VerifiedEnvelope {
62
+ v: 1;
63
+ kid: string;
64
+ iss: typeof ACTOR_CONTEXT_ENVELOPE_ISS;
65
+ aud: typeof ACTOR_CONTEXT_ENVELOPE_AUD;
66
+ project_id: string;
67
+ request_id: string;
68
+ method: string;
69
+ host: string;
70
+ path_hash: string;
71
+ iat: number;
72
+ exp: number;
73
+ actor: VerifiedActorPayload;
74
+ }
75
+ export interface VerifyRequestContext {
76
+ projectId: string;
77
+ requestId: string;
78
+ method: string;
79
+ host: string;
80
+ path: string;
81
+ /** Override for tests; production uses `new Date()`. */
82
+ now?: Date;
83
+ }
84
+ export type VerifyFailureReason = "malformed" | "unknown_kid" | "bad_signature" | "iss_mismatch" | "aud_mismatch" | "expired" | "lifetime_too_long" | "project_id_mismatch" | "request_id_mismatch" | "method_mismatch" | "host_mismatch" | "path_mismatch" | "version_mismatch";
85
+ export type VerifyOutcome = {
86
+ ok: true;
87
+ envelope: VerifiedEnvelope;
88
+ } | {
89
+ ok: false;
90
+ reason: VerifyFailureReason;
91
+ };
92
+ /** Test injection. NEVER call from production code. */
93
+ export declare function _setActorContextKeyMapForTest(map: Record<string, Buffer | string> | null): void;
94
+ export declare function verifyActorContextEnvelope(encoded: string, ctx: VerifyRequestContext): VerifyOutcome;
95
+ //# sourceMappingURL=actor-context-verify.d.ts.map
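Review bot: Neither the failure-mode list in the header comment nor the `VerifyFailureReason` union has a case for an envelope whose `iat` lies in the future. As documented, `expired` tests only `exp <= now` and `lifetime_too_long` only `exp - iat`, so an envelope stamped ahead of the verifier's clock with `exp = iat + 60` passes both and stays acceptable for longer than the 60-second window intends. The HMAC and the project/request_id/method/host/path binding still limit who can produce and reuse one, so this is defence in depth against gateway clock skew; consider a bounded-skew check in the source of `verifyActorContextEnvelope` with its own reason, `| "not_yet_valid"`, and a doc line `"not_yet_valid" — envelope.iat > now + allowed skew`. The implementation lives in actor-context-verify.js, outside this section, so it may already reject this case under another reason.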
@@ -0,0 +1 @@
1
+ {"version":3,"file":"actor-context-verify.d.ts","sourceRoot":"","sources":["../../src/lib/actor-context-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAIH,eAAO,MAAM,8BAA8B,EAAG,CAAU,CAAC;AACzD,eAAO,MAAM,0BAA0B,mBAAmB,CAAC;AAC3D,eAAO,MAAM,0BAA0B,6BAA6B,CAAC;AACrE,eAAO,MAAM,8BAA8B,KAAK,CAAC;AAEjD;kEACkE;AAClE,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAE7D,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,OAAO,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC/B,CAAC,EAAE,CAAC,CAAC;IACL,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,OAAO,0BAA0B,CAAC;IACvC,GAAG,EAAE,OAAO,0BAA0B,CAAC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,oBAAoB,CAAC;CAC7B;AAED,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ;AAED,MAAM,MAAM,mBAAmB,GAC3B,WAAW,GACX,aAAa,GACb,eAAe,GACf,cAAc,GACd,cAAc,GACd,SAAS,GACT,mBAAmB,GACnB,qBAAqB,GACrB,qBAAqB,GACrB,iBAAiB,GACjB,eAAe,GACf,eAAe,GACf,kBAAkB,CAAC;AAEvB,MAAM,MAAM,aAAa,GACrB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,EAAE,gBAAgB,CAAA;CAAE,GACxC;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,mBAAmB,CAAA;CAAE,CAAC;AAqD/C,uDAAuD;AACvD,wBAAgB,6BAA6B,CAC3C,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,GAAG,IAAI,GAC1C,IAAI,CAcN;AAMD,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,oBAAoB,GACxB,aAAa,CA0Ef"}