@run402/functions 2.9.0 → 3.1.0

@@ -0,0 +1,86 @@
1
+ /**
2
+ * Public types for the `auth.*` namespace.
3
+ *
4
+ * The canonical actor shape used everywhere `auth.user()` /
5
+ * `auth.requireUser()` / `auth.requireRole()` etc. resolve to a user.
6
+ * Note that `id` (not `userId`) is the canonical public field — matches
7
+ * Supabase / Clerk / Auth.js / NextAuth so coding-agent generated code
8
+ * gets it right on the first try.
9
+ *
10
+ * @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
11
+ */
12
+ export interface Actor {
13
+ /** Canonical public user-id. Matches `internal.users.id` UUID. */
14
+ id: string;
15
+ projectId: string;
16
+ sessionId: string;
17
+ email: string;
18
+ emailVerified: boolean;
19
+ /** Last any-method auth proof, seconds-since-epoch. */
20
+ authTime: number;
21
+ amr: string[];
22
+ /** Per-AMR last-verified UNIX seconds. */
23
+ amrTimes: Record<string, number>;
24
+ }
25
+ /** Provider-shaped identity proof. The `wallet` shape carries an SIWX
26
+ * signature + message; `oidc` carries a JWT bound to a project-configured
27
+ * issuer; `custom` requires admin-registered project-side verifier and
28
+ * carries provider-specific bytes. */
29
+ export type IdentityProof = {
30
+ kind: "siwx";
31
+ signature: string;
32
+ message: string;
33
+ nonce?: string;
34
+ } | {
35
+ kind: "oidc_jwt";
36
+ token: string;
37
+ nonce?: string;
38
+ } | {
39
+ kind: "custom";
40
+ payload: unknown;
41
+ nonce?: string;
42
+ };
43
+ export interface CreateResponseFromIdentityOptions {
44
+ provider: "wallet" | "oidc" | "custom";
45
+ subject: string;
46
+ proof: IdentityProof;
47
+ amr: string[];
48
+ /** When `false` (default), unknown identities cause
49
+ * `R402_AUTH_UNKNOWN_IDENTITY`. When `true`, the platform creates the
50
+ * user + identity link in the same transaction as the session. */
51
+ createUser?: boolean;
52
+ }
53
+ export interface IdentityLinkOptions {
54
+ provider: string;
55
+ subject: string;
56
+ proof: IdentityProof;
57
+ }
58
+ /** The tenant's view of a user it has already authenticated against its OWN
59
+ * store (bcrypt, custom DB, external IdP). `id` MUST be a stable primary key
60
+ * — NOT a bare email. Platform identity uniqueness is `(project_id, issuer,
61
+ * id)`; linking is by `(issuer, id)` only, never implicitly by email. */
62
+ export interface TenantUser {
63
+ id: string;
64
+ email: string;
65
+ emailVerified: boolean;
66
+ displayName?: string;
67
+ avatarUrl?: string;
68
+ }
69
+ /** Options for `auth.sessions.createResponseFromTenantAssertion`. Agent-proof
70
+ * by design: the platform derives `issuer: "tenant:<tenant>"` from `tenant`
71
+ * and `amr` from `method` (`"password"` → `tenant_password`, `"sso"` →
72
+ * `tenant_sso`). The agent never hand-builds `issuer`/`amr`; arbitrary amr is
73
+ * available only via the `advanced` escape hatch. */
74
+ export interface CreateResponseFromTenantAssertionOptions {
75
+ /** Short tenant identifier; becomes `issuer: "tenant:<tenant>"`. */
76
+ tenant: string;
77
+ /** The tenant-verified user. Requires a stable `user.id`. */
78
+ user: TenantUser;
79
+ /** The credential class the tenant verified. */
80
+ method: "password" | "sso";
81
+ /** Escape hatch for arbitrary amr values — agents should not need this. */
82
+ advanced?: {
83
+ amr: string[];
84
+ };
85
+ }
86
+ //# sourceMappingURL=types.d.ts.map
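Review bot: `amr` is a free-form `string[]` supplied by the caller, both on `CreateResponseFromIdentityOptions` and through `advanced.amr` on `CreateResponseFromTenantAssertionOptions`, and the doc comments never say what the platform does with values it did not verify itself. The `db.js` hunk in this same release derives `aal` from `ctx.actor.amr.includes("passkey")`, so if a tenant-supplied list is stored unfiltered, a tenant-asserted session could end up labelled `aal2`. Whether the server filters these values is not visible on this page, so treat this as a contract to confirm and then write down. Once confirmed or enforced, document it on `advanced`, e.g. `/** Extra amr values. Platform-verified methods such as "passkey" are not accepted from tenants. */`, or narrow the field from `string[]` to a union of the tenant methods that are allowed.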
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,MAAM,WAAW,KAAK;IACpB,kEAAkE;IAClE,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,OAAO,CAAC;IACvB,uDAAuD;IACvD,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;;uCAGuC;AACvC,MAAM,MAAM,aAAa,GACrB;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACpE;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEzD,MAAM,WAAW,iCAAiC;IAChD,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,aAAa,CAAC;IACrB,GAAG,EAAE,MAAM,EAAE,CAAC;IACd;;uEAEmE;IACnE,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,aAAa,CAAC;CACtB;AAED;;;0EAG0E;AAC1E,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;sDAIsD;AACtD,MAAM,WAAW,wCAAwC;IACvD,oEAAoE;IACpE,MAAM,EAAE,MAAM,CAAC;IACf,6DAA6D;IAC7D,IAAI,EAAE,UAAU,CAAC;IACjB,gDAAgD;IAChD,MAAM,EAAE,UAAU,GAAG,KAAK,CAAC;IAC3B,2EAA2E;IAC3E,QAAQ,CAAC,EAAE;QAAE,GAAG,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CAC9B"}
@@ -0,0 +1,13 @@
1
+ /**
2
+ * Public types for the `auth.*` namespace.
3
+ *
4
+ * The canonical actor shape used everywhere `auth.user()` /
5
+ * `auth.requireUser()` / `auth.requireRole()` etc. resolve to a user.
6
+ * Note that `id` (not `userId`) is the canonical public field — matches
7
+ * Supabase / Clerk / Auth.js / NextAuth so coding-agent generated code
8
+ * gets it right on the first try.
9
+ *
10
+ * @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
11
+ */
12
+ export {};
13
+ //# sourceMappingURL=types.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG"}
@@ -0,0 +1,31 @@
1
+ /**
2
+ * `auth.fetch` URL validation.
3
+ *
4
+ * Synchronous before-network checks: the URL is rejected (sync throw)
5
+ * before any network I/O if it's not safely same-origin. The set of
6
+ * rejected shapes is enumerated by the spec — we mirror it verbatim:
7
+ *
8
+ * - Cross-origin absolute URLs
9
+ * - URLs with embedded credentials (`http://user:pass@host/...`)
10
+ * - Non-HTTP(S) schemes (`javascript:`, `data:`, `file:`, etc.)
11
+ * - Protocol-relative URLs (`//evil.example/...`)
12
+ * - Subdomain-spoof patterns (`https://app.run402.app.evil.example/...`)
13
+ * - Port-mismatch against the current request origin
14
+ *
15
+ * Same-origin normalisation: scheme, host, and default-port comparisons
16
+ * use `URL.origin`, which strips `:80` for http and `:443` for https.
17
+ *
18
+ * @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
19
+ */
20
+ export interface UrlValidationContext {
21
+ requestOrigin: string;
22
+ }
23
+ export type UrlValidationResult = {
24
+ ok: true;
25
+ normalized: URL;
26
+ } | {
27
+ ok: false;
28
+ reason: string;
29
+ };
30
+ export declare function validateAuthFetchInput(input: RequestInfo | URL, ctx: UrlValidationContext): UrlValidationResult;
31
+ //# sourceMappingURL=url-validation.d.ts.map
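Review bot: The header comment says a bad URL is rejected by a "sync throw", but `validateAuthFetchInput` is declared to return a `UrlValidationResult` whose failure arm is `{ ok: false; reason: string }`, so a caller who reads only the comment may never check `ok` (the throw presumably happens in the `auth.fetch` wrapper, which is not shown). `requestOrigin` is also undocumented, although the implementation in this release compares it with `url.origin` by string equality; a trailing slash or an explicit default port in that value would make every absolute URL look cross-origin. Suggested comments: on the function, `/** Returns { ok: false, reason } for rejected input instead of throwing; callers must check ok before any network I/O. */`, and on the field, `/** Serialized origin exactly as URL.origin yields it: scheme://host[:port], no trailing slash, default port omitted. */`.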
@@ -0,0 +1 @@
1
+ {"version":3,"file":"url-validation.d.ts","sourceRoot":"","sources":["../../src/auth/url-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,MAAM,WAAW,oBAAoB;IACnC,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,MAAM,mBAAmB,GAC3B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,UAAU,EAAE,GAAG,CAAA;CAAE,GAC7B;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAIlC,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,GAAG,EAAE,oBAAoB,GACxB,mBAAmB,CAiErB"}
@@ -0,0 +1,83 @@
1
+ /**
2
+ * `auth.fetch` URL validation.
3
+ *
4
+ * Synchronous before-network checks: the URL is rejected (sync throw)
5
+ * before any network I/O if it's not safely same-origin. The set of
6
+ * rejected shapes is enumerated by the spec — we mirror it verbatim:
7
+ *
8
+ * - Cross-origin absolute URLs
9
+ * - URLs with embedded credentials (`http://user:pass@host/...`)
10
+ * - Non-HTTP(S) schemes (`javascript:`, `data:`, `file:`, etc.)
11
+ * - Protocol-relative URLs (`//evil.example/...`)
12
+ * - Subdomain-spoof patterns (`https://app.run402.app.evil.example/...`)
13
+ * - Port-mismatch against the current request origin
14
+ *
15
+ * Same-origin normalisation: scheme, host, and default-port comparisons
16
+ * use `URL.origin`, which strips `:80` for http and `:443` for https.
17
+ *
18
+ * @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
19
+ */
20
+ const SAFE_SCHEMES = new Set(["http:", "https:"]);
21
+ export function validateAuthFetchInput(input, ctx) {
22
+ // Reject Request objects with cross-origin url. We don't accept Request
23
+ // here because `auth.fetch` is the canonical surface for same-origin
24
+ // SSR fetches; the Request escape hatch could carry headers / credentials
25
+ // / redirect modes that bypass our policy.
26
+ if (typeof input === "object" && input !== null && "url" in input && typeof input.url === "string") {
27
+ // Caller passed a Request — extract the URL string and run it
28
+ // through the same validation. Same with URL object.
29
+ return validateAuthFetchInput(input.url, ctx);
30
+ }
31
+ if (input instanceof URL) {
32
+ return validateAuthFetchInput(input.toString(), ctx);
33
+ }
34
+ if (typeof input !== "string") {
35
+ return { ok: false, reason: "URL must be a string, URL, or Request" };
36
+ }
37
+ const raw = input;
38
+ if (raw.length === 0) {
39
+ return { ok: false, reason: "URL is empty" };
40
+ }
41
+ // Protocol-relative reject — `//host/path` resolves to the current
42
+ // origin's scheme, but a server-side fetch has no implicit origin
43
+ // when there's no document; the spec treats it as a smell.
44
+ if (raw.startsWith("//")) {
45
+ return { ok: false, reason: "protocol-relative URLs are not allowed" };
46
+ }
47
+ // Path-only / relative URLs (no scheme) are the happy path. We resolve
48
+ // them against the request origin and let the URL constructor reject
49
+ // any structural garbage.
50
+ if (!/^[a-z][a-z0-9+\-.]*:/i.test(raw)) {
51
+ let absolute;
52
+ try {
53
+ absolute = new URL(raw, ctx.requestOrigin);
54
+ }
55
+ catch {
56
+ return { ok: false, reason: "invalid relative URL" };
57
+ }
58
+ return { ok: true, normalized: absolute };
59
+ }
60
+ // Absolute URL — parse and validate.
61
+ let url;
62
+ try {
63
+ url = new URL(raw);
64
+ }
65
+ catch {
66
+ return { ok: false, reason: "invalid absolute URL" };
67
+ }
68
+ if (!SAFE_SCHEMES.has(url.protocol)) {
69
+ return { ok: false, reason: `scheme ${url.protocol} is not http(s)` };
70
+ }
71
+ if (url.username !== "" || url.password !== "") {
72
+ return { ok: false, reason: "URL contains embedded credentials" };
73
+ }
74
+ if (url.origin !== ctx.requestOrigin) {
75
+ // Subdomain-spoof guard: even if the host string contains the
76
+ // expected hostname as a substring (e.g.
77
+ // `app.run402.app.evil.example`), URL.origin compares the full
78
+ // host+port+scheme, so this is correct.
79
+ return { ok: false, reason: "cross-origin URLs are not allowed" };
80
+ }
81
+ return { ok: true, normalized: url };
82
+ }
83
+ //# sourceMappingURL=url-validation.js.map
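Review bot: The relative-URL branch returns `{ ok: true, normalized: absolute }` without comparing `absolute.origin` to `ctx.requestOrigin`, so the same-origin guarantee there rests entirely on the `startsWith("//")` test and the scheme regex, both of which run against the raw string. The WHATWG URL parser normalises its input before resolving it (it trims leading whitespace and control characters, drops tabs and newlines, and treats `\` as `/` for http(s) URLs), so a string that passes both raw-string tests can still resolve to a different host. Run the parsed-URL checks in that branch too, before the `ok: true` return: `if (absolute.origin !== ctx.requestOrigin || absolute.username !== "" || absolute.password !== "") return { ok: false, reason: "cross-origin URLs are not allowed" };`. Separately, the first comment in the function says Request objects are rejected, while the code accepts them and validates only `input.url`; the comment should describe what the code does.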
@@ -0,0 +1 @@
1
+ {"version":3,"file":"url-validation.js","sourceRoot":"","sources":["../../src/auth/url-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAUH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AAElD,MAAM,UAAU,sBAAsB,CACpC,KAAwB,EACxB,GAAyB;IAEzB,wEAAwE;IACxE,qEAAqE;IACrE,0EAA0E;IAC1E,2CAA2C;IAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,IAAI,KAAK,IAAI,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnG,8DAA8D;QAC9D,qDAAqD;QACrD,OAAO,sBAAsB,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,KAAK,YAAY,GAAG,EAAE,CAAC;QACzB,OAAO,sBAAsB,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,GAAG,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAC;IACxE,CAAC;IAED,MAAM,GAAG,GAAG,KAAK,CAAC;IAClB,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAC/C,CAAC;IAED,mEAAmE;IACnE,kEAAkE;IAClE,2DAA2D;IAC3D,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,wCAAwC,EAAE,CAAC;IACzE,CAAC;IAED,uEAAuE;IACvE,qEAAqE;IACrE,0BAA0B;IAC1B,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACvC,IAAI,QAAa,CAAC;QAClB,IAAI,CAAC;YACH,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,aAAa,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;QACvD,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;IAC5C,CAAC;IAED,qCAAqC;IACrC,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IACvD,CAAC;IAED,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,GAAG,CAAC,QAAQ,iBAAiB,EAAE,CAAC;IACxE,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,EAAE,IAAI,GAAG,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;QAC/C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IACpE,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,aAAa,EAAE,CAAC;QACrC,8
DAA8D;QAC9D,yCAAyC;QACzC,+DAA+D;QAC/D,wCAAwC;QACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IACpE,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;AACvC,CAAC"}
package/dist/auth.d.ts CHANGED
@@ -1,57 +1,32 @@
1
- export interface User {
2
- id: string;
3
- role: string;
4
- email: string;
5
- }
6
1
  /**
7
- * Verify the caller's JWT and return user identity.
8
- * Returns { id, role, email } or null if unauthenticated/invalid.
2
+ * Legacy auth exports throwing sentinels.
9
3
  *
10
- * NOTE: `role` here is the JWT claim (`anon`, `authenticated`,
11
- * `project_admin`, …) the PostgREST/RLS system role, NOT the
12
- * application role from a declarative `requireRole` gate. For the
13
- * gate-resolved application role, use {@link getRole}.
14
- */
15
- export declare function getUser(req?: Request): User | null;
16
- /**
17
- * Read the gate-resolved user id from the request.
4
+ * **REMOVED in v3.0 (auth-aware-ssr).** `getUser`, `getUserId`, and
5
+ * `getRole` are no longer working exports they throw
6
+ * `R402_AUTH_UNKNOWN_EXPORT` with a structured fix-it pointing at the
7
+ * canonical `auth.*` namespace.
18
8
  *
19
- * Returns the value of the `x-run402-user-id` request header, which the
20
- * Run402 gateway injects when a function-level `requireAuth` or
21
- * `requireRole` gate evaluates successfully on this dispatch. Inbound
22
- * `x-run402-*` headers from the browser are stripped by the gateway
23
- * before injection, so the value is trustworthy.
9
+ * ESM named imports (`import { getUser } from "@run402/functions"`)
10
+ * can't be intercepted by a Proxy; the only way to fail loudly on
11
+ * runtime usage is to ship a sentinel function. The `run402 doctor`
12
+ * source scanner (public repo CLI) and the `@run402/astro` ESLint rule
13
+ * catch the import before runtime; this file is the last line of defense
14
+ * for code that bypasses both.
24
15
  *
25
- * Returns `null` when the function has no gate declared, or when the
26
- * function is invoked outside the gateway (local test harness, direct
27
- * Lambda invoke). For gated functions reached through the gateway, the
28
- * value is non-null by construction.
16
+ * The legacy `User` type is preserved as an alias of `Actor` for any
17
+ * stragglers but accessing the throwing sentinels at runtime fails.
29
18
  *
30
- * This is the gate-side companion to {@link getUser}, which decodes
31
- * the JWT directly. The two layers are independent: a function with
32
- * only `requireRole` runs the role lookup against the project's
33
- * `members` table via gateway-side RLS-bypass; user code does not
34
- * need to re-decode the JWT.
19
+ * @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
35
20
  */
36
- export declare function getUserId(req?: Request): string | null;
37
- /**
38
- * Read the gate-resolved application role from the request.
39
- *
40
- * Returns the value of the `x-run402-user-role` request header, which
41
- * the Run402 gateway injects when a function-level `requireRole` gate
42
- * evaluates successfully on this dispatch. The value is the role string
43
- * from the project-schema `members.role` (or whatever
44
- * `(table, idColumn, roleColumn)` triple the gate declared), already
45
- * confirmed to be in `requireRole.allowed`. Inbound `x-run402-*`
46
- * headers are stripped, so the value is trustworthy.
47
- *
48
- * Returns `null` when no `requireRole` gate ran on this dispatch
49
- * (function has only `requireAuth`, no gate at all, or is invoked
50
- * outside the gateway).
51
- *
52
- * This is the application role, NOT the JWT role from
53
- * {@link getUser}. The two are independent — see the JSDoc on
54
- * `getUser` for the distinction.
55
- */
56
- export declare function getRole(req?: Request): string | null;
21
+ export type User = {
22
+ id: string;
23
+ role: string;
24
+ email: string;
25
+ };
26
+ /** @deprecated Removed in `@run402/functions` v3.0. Use `auth.user()` or `auth.requireUser()`. */
27
+ export declare function getUser(_req?: Request): never;
28
+ /** @deprecated Removed in `@run402/functions` v3.0. Use `(await auth.user())?.id` or `(await auth.requireUser()).id`. */
29
+ export declare function getUserId(_req?: Request): never;
30
+ /** @deprecated Removed in `@run402/functions` v3.0. Use `auth.requireRole(role)`. */
31
+ export declare function getRole(_req?: Request): never;
57
32
  //# sourceMappingURL=auth.d.ts.map
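Review bot: The header comment states that the legacy `User` type "is preserved as an alias of `Actor`", but the declaration is a standalone `{ id: string; role: string; email: string }`, and the `Actor` interface added in `auth/types.d.ts` has no `role` field at all. Code that keeps typing against `User` will still compile when it reads `user.role` for an authorization decision, even though nothing visible in this release populates that field any more. Either make it a real alias, `export type User = Actor;`, so such reads stop type-checking, or correct the comment and mark the type itself: `/** @deprecated v2 shape kept for compilation only; role is no longer populated. Use Actor. */`.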
@@ -1 +1 @@
1
- {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,IAAI,GAAG,IAAI,CAsClD;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,SAAS,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAOtD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,OAAO,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAOpD"}
1
+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAIH,MAAM,MAAM,IAAI,GAAG;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAE/D,kGAAkG;AAClG,wBAAgB,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAK7C;AAED,yHAAyH;AACzH,wBAAgB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAK/C;AAED,qFAAqF;AACrF,wBAAgB,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAK7C"}
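--- a/package/dist/auth.js
+++ b/package/dist/auth.js
@@ -1,112 +1,43 @@
- import jwt from "./lib/jwt.js";
- import { config } from "./config.js";
- import { getCurrentContext, taintCacheBypass } from "./runtime-context.js";
  /**
- * Verify the caller's JWT and return user identity.
- * Returns { id, role, email } or null if unauthenticated/invalid.
+ * Legacy auth exports throwing sentinels.
  *
- * NOTE: `role` here is the JWT claim (`anon`, `authenticated`,
- * `project_admin`, …) the PostgREST/RLS system role, NOT the
- * application role from a declarative `requireRole` gate. For the
- * gate-resolved application role, use {@link getRole}.
- */
- export function getUser(req) {
- // Capability `astro-ssr-runtime` (v1.52). Taint the cache-bypass flag
- // on the active request context, regardless of whether `getUser`
- // resolves to a user or null — the response now depends on per-request
- // auth state and MUST NOT be cached publicly.
- taintCacheBypass();
- // If no `req` was passed, read auth from the ALS context (the SSR
- // Lambda runtime's `runWithContext` populates `request.headers`).
- // This is what makes `await getUser()` work naturally inside Astro
- // `[slug].astro` frontmatter without any explicit plumbing.
- let authHeader;
- if (req !== undefined) {
- authHeader =
- typeof req.headers.get === "function"
- ? req.headers.get("authorization")
- : req.headers?.authorization;
- }
- else {
- const ctx = getCurrentContext();
- if (ctx === undefined)
- return null;
- const h = ctx.request.headers;
- const raw = h["authorization"] ?? h["Authorization"];
- authHeader = Array.isArray(raw) ? raw[0] : raw;
- }
- if (!authHeader || !authHeader.startsWith("Bearer "))
- return null;
- const token = authHeader.slice(7);
- try {
- const payload = jwt.verify(token, config.JWT_SECRET);
- if (payload.project_id !== config.PROJECT_ID)
- return null;
- return { id: payload.sub, role: payload.role, email: payload.email };
- }
- catch {
- return null;
- }
- }
- /**
- * Read the gate-resolved user id from the request.
+ * **REMOVED in v3.0 (auth-aware-ssr).** `getUser`, `getUserId`, and
+ * `getRole` are no longer working exports they throw
+ * `R402_AUTH_UNKNOWN_EXPORT` with a structured fix-it pointing at the
+ * canonical `auth.*` namespace.
  *
- * Returns the value of the `x-run402-user-id` request header, which the
- * Run402 gateway injects when a function-level `requireAuth` or
- * `requireRole` gate evaluates successfully on this dispatch. Inbound
- * `x-run402-*` headers from the browser are stripped by the gateway
- * before injection, so the value is trustworthy.
+ * ESM named imports (`import { getUser } from "@run402/functions"`)
+ * can't be intercepted by a Proxy; the only way to fail loudly on
+ * runtime usage is to ship a sentinel function. The `run402 doctor`
+ * source scanner (public repo CLI) and the `@run402/astro` ESLint rule
+ * catch the import before runtime; this file is the last line of defense
+ * for code that bypasses both.
  *
- * Returns `null` when the function has no gate declared, or when the
- * function is invoked outside the gateway (local test harness, direct
- * Lambda invoke). For gated functions reached through the gateway, the
- * value is non-null by construction.
+ * The legacy `User` type is preserved as an alias of `Actor` for any
+ * stragglers but accessing the throwing sentinels at runtime fails.
  *
- * This is the gate-side companion to {@link getUser}, which decodes
- * the JWT directly. The two layers are independent: a function with
- * only `requireRole` runs the role lookup against the project's
- * `members` table via gateway-side RLS-bypass; user code does not
- * need to re-decode the JWT.
+ * @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
  */
- export function getUserId(req) {
- if (req !== undefined)
- return req.headers.get("x-run402-user-id");
- const ctx = getCurrentContext();
- if (ctx === undefined)
- return null;
- const raw = ctx.request.headers["x-run402-user-id"];
- if (Array.isArray(raw))
- return raw[0] ?? null;
- return raw ?? null;
+ import { UnknownExportError } from "./auth/errors.js";
+ /** @deprecated Removed in `@run402/functions` v3.0. Use `auth.user()` or `auth.requireUser()`. */
+ export function getUser(_req) {
+ throw new UnknownExportError({
+ attemptedName: "getUser",
+ canonicalName: "auth.user() / auth.requireUser()",
+ });
  }
- /**
- * Read the gate-resolved application role from the request.
- *
- * Returns the value of the `x-run402-user-role` request header, which
- * the Run402 gateway injects when a function-level `requireRole` gate
- * evaluates successfully on this dispatch. The value is the role string
- * from the project-schema `members.role` (or whatever
- * `(table, idColumn, roleColumn)` triple the gate declared), already
- * confirmed to be in `requireRole.allowed`. Inbound `x-run402-*`
- * headers are stripped, so the value is trustworthy.
- *
- * Returns `null` when no `requireRole` gate ran on this dispatch
- * (function has only `requireAuth`, no gate at all, or is invoked
- * outside the gateway).
- *
- * This is the application role, NOT the JWT role from
- * {@link getUser}. The two are independent — see the JSDoc on
- * `getUser` for the distinction.
- */
- export function getRole(req) {
- if (req !== undefined)
- return req.headers.get("x-run402-user-role");
- const ctx = getCurrentContext();
- if (ctx === undefined)
- return null;
- const raw = ctx.request.headers["x-run402-user-role"];
- if (Array.isArray(raw))
- return raw[0] ?? null;
- return raw ?? null;
+ /** @deprecated Removed in `@run402/functions` v3.0. Use `(await auth.user())?.id` or `(await auth.requireUser()).id`. */
+ export function getUserId(_req) {
+ throw new UnknownExportError({
+ attemptedName: "getUserId",
+ canonicalName: "(await auth.user())?.id",
+ });
+ }
+ /** @deprecated Removed in `@run402/functions` v3.0. Use `auth.requireRole(role)`. */
+ export function getRole(_req) {
+ throw new UnknownExportError({
+ attemptedName: "getRole",
+ canonicalName: "auth.requireRole(role)",
+ });
  }
  //# sourceMappingURL=auth.js.map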
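Review bot: The removed `getUser` called `taintCacheBypass()` before reading any credentials, so every response that consulted auth state was marked uncacheable even when the result was `null`; the sentinel file no longer imports `runtime-context.js`, and nothing in this section shows where that duty moved. Code migrated by following the error's `canonicalName` hint now depends on `auth.user()` / `auth.requireUser()` / `auth.requireRole()` applying the same taint on every call, including the unauthenticated path; otherwise per-user SSR output could be served from a public cache. Those implementations are not on this page, so this is a point to confirm rather than a known defect. If it holds, state it in the deprecation text, e.g. `/** @deprecated Removed in v3.0. Use auth.user(), which also marks the response as non-cacheable. */`.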
package/dist/auth.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAC;AAC/B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAQ3E;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO,CAAC,GAAa;IACnC,sEAAsE;IACtE,iEAAiE;IACjE,uEAAuE;IACvE,8CAA8C;IAC9C,gBAAgB,EAAE,CAAC;IAEnB,kEAAkE;IAClE,kEAAkE;IAClE,mEAAmE;IACnE,4DAA4D;IAC5D,IAAI,UAAqC,CAAC;IAC1C,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,UAAU;YACR,OAAQ,GAAG,CAAC,OAA6C,CAAC,GAAG,KAAK,UAAU;gBAC1E,CAAC,CAAE,GAAG,CAAC,OAAmB,CAAC,GAAG,CAAC,eAAe,CAAC;gBAC/C,CAAC,CAAE,GAAG,CAAC,OAAyD,EAAE,aAAa,CAAC;IACtF,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;QAChC,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC;QACnC,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;QAC9B,MAAM,GAAG,GAAG,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,eAAe,CAAC,CAAC;QACrD,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjD,CAAC;IACD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAKvB,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;QAC7B,IAAI,OAAO,CAAC,UAAU,KAAK,MAAM,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAC1D,OAAO,EAAE,EAAE,EAAE,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,SAAS,CAAC,GAAa;IACrC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACpD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC9C,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,OAAO,CAAC,GAAa;IACnC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC
;IACpE,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACtD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC9C,OAAO,GAAG,IAAI,IAAI,CAAC;AACrB,CAAC"}
1
+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAItD,kGAAkG;AAClG,MAAM,UAAU,OAAO,CAAC,IAAc;IACpC,MAAM,IAAI,kBAAkB,CAAC;QAC3B,aAAa,EAAE,SAAS;QACxB,aAAa,EAAE,kCAAkC;KAClD,CAAC,CAAC;AACL,CAAC;AAED,yHAAyH;AACzH,MAAM,UAAU,SAAS,CAAC,IAAc;IACtC,MAAM,IAAI,kBAAkB,CAAC;QAC3B,aAAa,EAAE,WAAW;QAC1B,aAAa,EAAE,yBAAyB;KACzC,CAAC,CAAC;AACL,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,OAAO,CAAC,IAAc;IACpC,MAAM,IAAI,kBAAkB,CAAC;QAC3B,aAAa,EAAE,SAAS;QACxB,aAAa,EAAE,wBAAwB;KACxC,CAAC,CAAC;AACL,CAAC"}
package/dist/db.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAGA,UAAU,gBAAgB;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,YAAY;;gBASX,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB;IAOjD,MAAM,CAAC,OAAO,SAAM,GAAG,IAAI;IAK3B,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK3C,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK5C,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,GAAG,IAAI;IAKrD,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,SAAgB,EAAE;;KAAK,GAAG,IAAI;IAKtD,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK1B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK3B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;IAMvE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAM3C,MAAM,IAAI,IAAI;IAKd,IAAI,CACF,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,IAAI,EACnD,MAAM,EAAE,CAAC,MAAM,EAAE,KAAK,KAAK,IAAI,GAC9B,IAAI;CA6BR;AAgBD,UAAU,cAAc;IACtB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,cAAc,CAkBhD;AAED,UAAU,aAAa;IACrB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IAClC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;CAC5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA+BvC"}
1
+ {"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAIA,UAAU,gBAAgB;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,YAAY;;gBASX,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB;IAOjD,MAAM,CAAC,OAAO,SAAM,GAAG,IAAI;IAK3B,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK3C,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK5C,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,GAAG,IAAI;IAKrD,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,SAAgB,EAAE;;KAAK,GAAG,IAAI;IAKtD,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK1B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK3B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;IAMvE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAM3C,MAAM,IAAI,IAAI;IAKd,IAAI,CACF,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,IAAI,EACnD,MAAM,EAAE,CAAC,MAAM,EAAE,KAAK,KAAK,IAAI,GAC9B,IAAI;CA6BR;AAwDD,UAAU,cAAc;IACtB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,cAAc,CAkBhD;AAED,UAAU,aAAa;IACrB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IAClC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;CAC5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA+BvC"}
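--- a/package/dist/db.js
+++ b/package/dist/db.js
@@ -1,5 +1,6 @@
 import { config } from "./config.js";
 import { getCurrentContext } from "./runtime-context.js";
+import jwt from "./lib/jwt.js";
 export class QueryBuilder {
 #table;
 #params = new URLSearchParams();
@@ -116,6 +117,45 @@ function extractAuthFromAls() {
 const ctx = getCurrentContext();
 if (ctx === undefined)
 return undefined;
+// v3.0 (auth-aware-ssr): if a verified actor is present on the runtime
+// context, mint a short-lived JWT carrying the actor's claims so the
+// gateway's PostgREST proxy → pre_request hook → RLS pipeline sees the
+// browser-cookie actor identically to a Bearer-JWT call. The mint is
+// SDK-side because the cookie itself is `__Host-` scoped to the
+// browser origin and never forwarded server-to-server (D13 forbids
+// cookie forwarding). The pepper-isolated session secret stays in the
+// DB; the JWT carries only the actor's already-validated claims, signed
+// with the same JWT_SECRET PostgREST verifies against.
+if (ctx.actor && config.JWT_SECRET) {
+const nowSec = Math.floor(Date.now() / 1000);
+const claims = {
+sub: ctx.actor.id,
+role: "authenticated",
+email: ctx.actor.email,
+project_id: ctx.projectId,
+iss: "agentdb",
+amr: ctx.actor.amr,
+auth_time: ctx.actor.authTime,
+aal: ctx.actor.amr.includes("passkey") ? "aal2" : "aal1",
+session_id: ctx.actor.sessionId,
+authz_version: ctx.actor.authzVersion,
+iat: nowSec,
+// 60-second TTL — long enough for the request + retry budget,
+// short enough that exfiltration provides no value.
+exp: nowSec + 60,
+};
+try {
+return `Bearer ${jwt.sign(claims, config.JWT_SECRET)}`;
+}
+catch {
+// Fall through to header forwarding below. JWT signing should not
+// realistically fail with a present secret; if it does, we want
+// the request to proceed anonymously rather than 500.
+}
+}
+// Fallback: forward whatever Authorization the inbound request carried.
+// This is the v2.x behavior — preserved for explicit Bearer flows
+// (mobile, server-to-server) where the caller already has a JWT.
 const headers = ctx.request.headers;
 const raw = headers["authorization"] ?? headers["Authorization"];
 if (Array.isArray(raw))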
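Review bot: The empty `catch` around `jwt.sign` does not do what its comment says: with a verified `ctx.actor` present, a signing failure does not make the request anonymous, it falls through to forwarding whatever `Authorization` header the inbound request carried, and nothing is logged. That header is caller-supplied and need not belong to the cookie actor, so the outgoing identity can silently differ from the one the runtime verified; the same fallthrough happens when `config.JWT_SECRET` is unset. To match the stated intent I would make the failure explicit, e.g. `catch (err) { console.error("actor JWT mint failed", err); return undefined; }`. Separately, `project_id` is read from `ctx.projectId` while every other identity claim comes from `ctx.actor`; if the runtime actor carries its own `projectId` (the public `Actor` type does), checking that the two agree before minting would be a cheap guard. The function body starts before and continues past this hunk, so the tail of the fallback path is not visible here.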
package/dist/db.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAQzD,MAAM,OAAO,YAAY;IACvB,MAAM,CAAS;IACf,OAAO,GAAG,IAAI,eAAe,EAAE,CAAC;IAChC,OAAO,GAAG,KAAK,CAAC;IAChB,KAAK,GAAY,SAAS,CAAC;IAC3B,OAAO,CAAS;IAChB,cAAc,CAAqB;IACnC,SAAS,CAAS;IAElB,YAAY,KAAa,EAAE,IAAsB;QAC/C,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,GAAG;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,MAAc,EAAE,OAAe;QAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,OAAO,EAAE,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,OAAe;QACnC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,MAA2B;QAC5C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE;QAC7C,IAAI,CAAC,OAAO,CAAC,MAAM,C
AAC,OAAO,EAAE,GAAG,MAAM,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAa;QACjB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAAyD;QAC9D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAA6B;QAClC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM;QACJ,IAAI,CAAC,OAAO,GAAG,QAAQ,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CACF,OAAmD,EACnD,MAA+B;QAE/B,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAEtF,MAAM,OAAO,GAA2B;YACtC,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,uBAAuB;SAChC,CAAC;QACF,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,cAAc,CAAC;QAC9C,CAAC;QAED,KAAK,CAAC,GAAG,EAAE;YACT,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1D,CAAC;aACC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YAClB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC,CAAC;gBACjE,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAiC,CAAC,CAAC;QAC7C,CAAC,CAAC;aACD,KAAK,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC;CACF;AAED,SAAS,WAAW,CAAC,GAAY;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClF,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,kBAAkB;IACzB,MAAM,GAAG,GAAG,iBAAi
B,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACxC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;IACtC,OAAO,GAAG,IAAI,SAAS,CAAC;AAC1B,CAAC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,EAAE,CAAC,GAAa;IAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,2DAA2D;YACzD,oEAAoE,CACvE,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,EAAE,CAAC;IAClF,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,OAAO;gBACf,aAAa;gBACb,QAAQ,EAAE,UAAU;aACrB,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAOD;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO;IACrB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC;IACtC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,UAAU;gBAClB,aAAa,EAAE,UAAU,UAAU,EAAE;gBACrC,QAAQ,EAAE,gBAAgB;aAC3B,CAAC,CAAC;QACL,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,KAAa,EAAE,MAAkB;YACzC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,sBAAsB,MAAM,CAAC,UAAU,MAAM,CAAC;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;YAC7D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,UAAU,EAAE;oBACrC,cAAc,EAAE,SAAS,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,YAAY;iBAC9D;gBACD,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK;aACjE,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,cAAc,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,GAAG,CAAC,IAAI,EAAwC,CAAC;QAC1D,CAAC;KACF,CAAC;AACJ,CAAC"}
1
+ {"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,GAAG,MAAM,cAAc,CAAC;AAQ/B,MAAM,OAAO,YAAY;IACvB,MAAM,CAAS;IACf,OAAO,GAAG,IAAI,eAAe,EAAE,CAAC;IAChC,OAAO,GAAG,KAAK,CAAC;IAChB,KAAK,GAAY,SAAS,CAAC;IAC3B,OAAO,CAAS;IAChB,cAAc,CAAqB;IACnC,SAAS,CAAS;IAElB,YAAY,KAAa,EAAE,IAAsB;QAC/C,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,GAAG;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,MAAc,EAAE,OAAe;QAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,OAAO,EAAE,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,OAAe;QACnC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,MAA2B;QAC5C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE;Q
AC7C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAa;QACjB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAAyD;QAC9D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAA6B;QAClC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM;QACJ,IAAI,CAAC,OAAO,GAAG,QAAQ,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CACF,OAAmD,EACnD,MAA+B;QAE/B,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAEtF,MAAM,OAAO,GAA2B;YACtC,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,uBAAuB;SAChC,CAAC;QACF,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,cAAc,CAAC;QAC9C,CAAC;QAED,KAAK,CAAC,GAAG,EAAE;YACT,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1D,CAAC;aACC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YAClB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC,CAAC;gBACjE,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAiC,CAAC,CAAC;QAC7C,CAAC,CAAC;aACD,KAAK,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC;CACF;AAED,SAAS,WAAW,CAAC,GAAY;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClF,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,kB
AAkB;IACzB,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAExC,uEAAuE;IACvE,qEAAqE;IACrE,uEAAuE;IACvE,qEAAqE;IACrE,gEAAgE;IAChE,mEAAmE;IACnE,sEAAsE;IACtE,wEAAwE;IACxE,uDAAuD;IACvD,IAAI,GAAG,CAAC,KAAK,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG;YACb,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE;YACjB,IAAI,EAAE,eAAwB;YAC9B,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,KAAK;YACtB,UAAU,EAAE,GAAG,CAAC,SAAS;YACzB,GAAG,EAAE,SAAkB;YACvB,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG;YAClB,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ;YAC7B,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAE,MAAgB,CAAC,CAAC,CAAE,MAAgB;YAC9E,UAAU,EAAE,GAAG,CAAC,KAAK,CAAC,SAAS;YAC/B,aAAa,EAAE,GAAG,CAAC,KAAK,CAAC,YAAY;YACrC,GAAG,EAAE,MAAM;YACX,8DAA8D;YAC9D,oDAAoD;YACpD,GAAG,EAAE,MAAM,GAAG,EAAE;SACjB,CAAC;QACF,IAAI,CAAC;YACH,OAAO,UAAU,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;YAClE,gEAAgE;YAChE,sDAAsD;QACxD,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,kEAAkE;IAClE,iEAAiE;IACjE,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;IACtC,OAAO,GAAG,IAAI,SAAS,CAAC;AAC1B,CAAC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,EAAE,CAAC,GAAa;IAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,2DAA2D;YACzD,oEAAoE,CACvE,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,EAAE,CAAC;IAClF,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,OAAO;gBACf,aAAa;gBACb,QAAQ,EAAE,UAAU;aACrB,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAOD;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO;IACrB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC;IACtC,OAAO
;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,UAAU;gBAClB,aAAa,EAAE,UAAU,UAAU,EAAE;gBACrC,QAAQ,EAAE,gBAAgB;aAC3B,CAAC,CAAC;QACL,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,KAAa,EAAE,MAAkB;YACzC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,sBAAsB,MAAM,CAAC,UAAU,MAAM,CAAC;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;YAC7D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,UAAU,EAAE;oBACrC,cAAc,EAAE,SAAS,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,YAAY;iBAC9D;gBACD,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK;aACjE,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,cAAc,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,GAAG,CAAC,IAAI,EAAwC,CAAC;QAC1D,CAAC;KACF,CAAC;AACJ,CAAC"}
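--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,6 +1,10 @@
 export { db, adminDb, QueryBuilder } from "./db.js";
 export { getUser, getUserId, getRole } from "./auth.js";
 export type { User } from "./auth.js";
+export { auth } from "./auth/index.js";
+export type { Actor, IdentityProof, TenantUser, CreateResponseFromTenantAssertionOptions, } from "./auth/index.js";
+export { Run402AuthError, AuthRequiredError, InsufficientRoleError, InsufficientMembershipError, FreshnessRequiredError, FetchAbsoluteUrlError, PrerenderedError, UnknownExportError, SessionBridgeUnverifiedError, IdentityLinkConflictError, UnknownIdentityError, InvalidCredentialsError, TenantSubjectInvalidError, } from "./auth/index.js";
+export { getSession, currentUser, getCurrentUser, getServerSession } from "./auth/index.js";
 export { email } from "./email.js";
 export type { EmailSendOptions, EmailRawOptions, EmailTemplateOptions, EmailSendResult } from "./email.js";
 export { ai } from "./ai.js";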
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC3G,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,WAAW,EACX,gBAAgB,EAChB,eAAe,EACf,cAAc,GACf,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAIrC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAMlG,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,YAAY,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AACjE,YAAY,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,QAAQ,EACR,eAAe,EACf,YAAY,EAEZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC5E,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EACV,KAAK,EACL,qBAAqB,EACrB,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AAKpB,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAQtC,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AACvC,YAAY,EACV,KAAK,EACL,aAAa,EACb,UAAU,EACV,wCAAwC,GACzC,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,EAClB,4BAA4B,EAC5B,yBAAyB,EACzB,oBAAoB,EACpB,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC;AAMzB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC3G,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,WAAW,EACX,gBAAgB,EAChB,eAAe,EACf,cAAc,GACf,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAIrC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAMlG,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,YAAY,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AACjE,YAAY,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,QAAQ,EACR,eAAe,EACf,YAAY,EAEZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC5E,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EACV,KAAK,EACL,qBAAqB,EACrB,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AAKpB,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC"}