@run402/functions 2.9.0 → 3.1.0
- package/dist/auth/errors.d.ts +106 -0
- package/dist/auth/errors.d.ts.map +1 -0
- package/dist/auth/errors.js +205 -0
- package/dist/auth/errors.js.map +1 -0
- package/dist/auth/index.d.ts +112 -0
- package/dist/auth/index.d.ts.map +1 -0
- package/dist/auth/index.js +585 -0
- package/dist/auth/index.js.map +1 -0
- package/dist/auth/types.d.ts +86 -0
- package/dist/auth/types.d.ts.map +1 -0
- package/dist/auth/types.js +13 -0
- package/dist/auth/types.js.map +1 -0
- package/dist/auth/url-validation.d.ts +31 -0
- package/dist/auth/url-validation.d.ts.map +1 -0
- package/dist/auth/url-validation.js +83 -0
- package/dist/auth/url-validation.js.map +1 -0
- package/dist/auth.d.ts +25 -50
- package/dist/auth.d.ts.map +1 -1
- package/dist/auth.js +34 -103
- package/dist/auth.js.map +1 -1
- package/dist/db.d.ts.map +1 -1
- package/dist/db.js +40 -0
- package/dist/db.js.map +1 -1
- package/dist/index.d.ts +4 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +14 -0
- package/dist/index.js.map +1 -1
- package/dist/lib/actor-context-verify.d.ts +95 -0
- package/dist/lib/actor-context-verify.d.ts.map +1 -0
- package/dist/lib/actor-context-verify.js +200 -0
- package/dist/lib/actor-context-verify.js.map +1 -0
- package/dist/runtime-context.d.ts +23 -1
- package/dist/runtime-context.d.ts.map +1 -1
- package/dist/runtime-context.js +64 -0
- package/dist/runtime-context.js.map +1 -1
- package/package.json +2 -2
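--- a/package/dist/auth/types.d.ts
+++ b/package/dist/auth/types.d.ts
@@ -0,0 +1,86 @@
+/**
+* Public types for the `auth.*` namespace.
+*
+* The canonical actor shape used everywhere `auth.user()` /
+* `auth.requireUser()` / `auth.requireRole()` etc. resolve to a user.
+* Note that `id` (not `userId`) is the canonical public field — matches
+* Supabase / Clerk / Auth.js / NextAuth so coding-agent generated code
+* gets it right on the first try.
+*
+* @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
+*/
+export interface Actor {
+/** Canonical public user-id. Matches `internal.users.id` UUID. */
+id: string;
+projectId: string;
+sessionId: string;
+email: string;
+emailVerified: boolean;
+/** Last any-method auth proof, seconds-since-epoch. */
+authTime: number;
+amr: string[];
+/** Per-AMR last-verified UNIX seconds. */
+amrTimes: Record<string, number>;
+}
+/** Provider-shaped identity proof. The `wallet` shape carries an SIWX
+* signature + message; `oidc` carries a JWT bound to a project-configured
+* issuer; `custom` requires admin-registered project-side verifier and
+* carries provider-specific bytes. */
+export type IdentityProof = {
+kind: "siwx";
+signature: string;
+message: string;
+nonce?: string;
+} | {
+kind: "oidc_jwt";
+token: string;
+nonce?: string;
+} | {
+kind: "custom";
+payload: unknown;
+nonce?: string;
+};
+export interface CreateResponseFromIdentityOptions {
+provider: "wallet" | "oidc" | "custom";
+subject: string;
+proof: IdentityProof;
+amr: string[];
+/** When `false` (default), unknown identities cause
+* `R402_AUTH_UNKNOWN_IDENTITY`. When `true`, the platform creates the
+* user + identity link in the same transaction as the session. */
+createUser?: boolean;
+}
+export interface IdentityLinkOptions {
+provider: string;
+subject: string;
+proof: IdentityProof;
+}
+/** The tenant's view of a user it has already authenticated against its OWN
+* store (bcrypt, custom DB, external IdP). `id` MUST be a stable primary key
+* — NOT a bare email. Platform identity uniqueness is `(project_id, issuer,
+* id)`; linking is by `(issuer, id)` only, never implicitly by email. */
+export interface TenantUser {
+id: string;
+email: string;
+emailVerified: boolean;
+displayName?: string;
+avatarUrl?: string;
+}
+/** Options for `auth.sessions.createResponseFromTenantAssertion`. Agent-proof
+* by design: the platform derives `issuer: "tenant:<tenant>"` from `tenant`
+* and `amr` from `method` (`"password"` → `tenant_password`, `"sso"` →
+* `tenant_sso`). The agent never hand-builds `issuer`/`amr`; arbitrary amr is
+* available only via the `advanced` escape hatch. */
+export interface CreateResponseFromTenantAssertionOptions {
+/** Short tenant identifier; becomes `issuer: "tenant:<tenant>"`. */
+tenant: string;
+/** The tenant-verified user. Requires a stable `user.id`. */
+user: TenantUser;
+/** The credential class the tenant verified. */
+method: "password" | "sso";
+/** Escape hatch for arbitrary amr values — agents should not need this. */
+advanced?: {
+amr: string[];
+};
+}
+//# sourceMappingURL=types.d.ts.map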
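Review bot: `CreateResponseFromIdentityOptions` lets `provider` and `proof.kind` vary independently, so `provider: "wallet"` paired with a `kind: "oidc_jwt"` proof type-checks and the mismatch is left to a runtime check that this file does not show. Pairing them in a discriminated union in `src/auth/types.ts` (for example `{ provider: "wallet"; proof: Extract<IdentityProof, { kind: "siwx" }> }`) would reject the mismatch at compile time. The `amr: string[]` field here and `advanced.amr` on the tenant-assertion options are caller-supplied and undocumented; since `db.js` in this release derives `aal2` from `amr.includes("passkey")`, their doc comments should state which values the platform accepts from a caller as opposed to deriving from a verified proof. `nonce` is optional on every `IdentityProof` variant, so the comment should also say when it is required for replay protection.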
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,MAAM,WAAW,KAAK;IACpB,kEAAkE;IAClE,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,OAAO,CAAC;IACvB,uDAAuD;IACvD,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;;uCAGuC;AACvC,MAAM,MAAM,aAAa,GACrB;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACpE;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEzD,MAAM,WAAW,iCAAiC;IAChD,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,aAAa,CAAC;IACrB,GAAG,EAAE,MAAM,EAAE,CAAC;IACd;;uEAEmE;IACnE,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,aAAa,CAAC;CACtB;AAED;;;0EAG0E;AAC1E,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;sDAIsD;AACtD,MAAM,WAAW,wCAAwC;IACvD,oEAAoE;IACpE,MAAM,EAAE,MAAM,CAAC;IACf,6DAA6D;IAC7D,IAAI,EAAE,UAAU,CAAC;IACjB,gDAAgD;IAChD,MAAM,EAAE,UAAU,GAAG,KAAK,CAAC;IAC3B,2EAA2E;IAC3E,QAAQ,CAAC,EAAE;QAAE,GAAG,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CAC9B"}
|
|
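--- a/package/dist/auth/types.js
+++ b/package/dist/auth/types.js
@@ -0,0 +1,13 @@
+/**
+* Public types for the `auth.*` namespace.
+*
+* The canonical actor shape used everywhere `auth.user()` /
+* `auth.requireUser()` / `auth.requireRole()` etc. resolve to a user.
+* Note that `id` (not `userId`) is the canonical public field — matches
+* Supabase / Clerk / Auth.js / NextAuth so coding-agent generated code
+* gets it right on the first try.
+*
+* @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
+*/
+export {};
+//# sourceMappingURL=types.js.map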
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG"}
|
|
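--- a/package/dist/auth/url-validation.d.ts
+++ b/package/dist/auth/url-validation.d.ts
@@ -0,0 +1,31 @@
+/**
+* `auth.fetch` URL validation.
+*
+* Synchronous before-network checks: the URL is rejected (sync throw)
+* before any network I/O if it's not safely same-origin. The set of
+* rejected shapes is enumerated by the spec — we mirror it verbatim:
+*
+* - Cross-origin absolute URLs
+* - URLs with embedded credentials (`http://user:pass@host/...`)
+* - Non-HTTP(S) schemes (`javascript:`, `data:`, `file:`, etc.)
+* - Protocol-relative URLs (`//evil.example/...`)
+* - Subdomain-spoof patterns (`https://app.run402.app.evil.example/...`)
+* - Port-mismatch against the current request origin
+*
+* Same-origin normalisation: scheme, host, and default-port comparisons
+* use `URL.origin`, which strips `:80` for http and `:443` for https.
+*
+* @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
+*/
+export interface UrlValidationContext {
+requestOrigin: string;
+}
+export type UrlValidationResult = {
+ok: true;
+normalized: URL;
+} | {
+ok: false;
+reason: string;
+};
+export declare function validateAuthFetchInput(input: RequestInfo | URL, ctx: UrlValidationContext): UrlValidationResult;
+//# sourceMappingURL=url-validation.d.ts.map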
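Review bot: The header comment describes rejection as a "sync throw", but `validateAuthFetchInput` is declared to return `UrlValidationResult` and signals failure with `ok: false`; a caller who trusts the comment would wrap the call in `try`/`catch` and never inspect `ok`. The comment in `src/auth/url-validation.ts` (it is repeated in `url-validation.js`) should read along the lines of `Returns { ok: false, reason } for rejected input; the caller must check ok before any network I/O.` `requestOrigin` is compared with `URL.origin` by string equality in the implementation, so its doc comment should state that it must be a serialized origin (scheme, host, non-default port, no trailing slash or path).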
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"url-validation.d.ts","sourceRoot":"","sources":["../../src/auth/url-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,MAAM,WAAW,oBAAoB;IACnC,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,MAAM,mBAAmB,GAC3B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,UAAU,EAAE,GAAG,CAAA;CAAE,GAC7B;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAIlC,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,GAAG,EAAE,oBAAoB,GACxB,mBAAmB,CAiErB"}
|
|
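--- a/package/dist/auth/url-validation.js
+++ b/package/dist/auth/url-validation.js
@@ -0,0 +1,83 @@
+/**
+* `auth.fetch` URL validation.
+*
+* Synchronous before-network checks: the URL is rejected (sync throw)
+* before any network I/O if it's not safely same-origin. The set of
+* rejected shapes is enumerated by the spec — we mirror it verbatim:
+*
+* - Cross-origin absolute URLs
+* - URLs with embedded credentials (`http://user:pass@host/...`)
+* - Non-HTTP(S) schemes (`javascript:`, `data:`, `file:`, etc.)
+* - Protocol-relative URLs (`//evil.example/...`)
+* - Subdomain-spoof patterns (`https://app.run402.app.evil.example/...`)
+* - Port-mismatch against the current request origin
+*
+* Same-origin normalisation: scheme, host, and default-port comparisons
+* use `URL.origin`, which strips `:80` for http and `:443` for https.
+*
+* @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
+*/
+const SAFE_SCHEMES = new Set(["http:", "https:"]);
+export function validateAuthFetchInput(input, ctx) {
+// Reject Request objects with cross-origin url. We don't accept Request
+// here because `auth.fetch` is the canonical surface for same-origin
+// SSR fetches; the Request escape hatch could carry headers / credentials
+// / redirect modes that bypass our policy.
+if (typeof input === "object" && input !== null && "url" in input && typeof input.url === "string") {
+// Caller passed a Request — extract the URL string and run it
+// through the same validation. Same with URL object.
+return validateAuthFetchInput(input.url, ctx);
+}
+if (input instanceof URL) {
+return validateAuthFetchInput(input.toString(), ctx);
+}
+if (typeof input !== "string") {
+return { ok: false, reason: "URL must be a string, URL, or Request" };
+}
+const raw = input;
+if (raw.length === 0) {
+return { ok: false, reason: "URL is empty" };
+}
+// Protocol-relative reject — `//host/path` resolves to the current
+// origin's scheme, but a server-side fetch has no implicit origin
+// when there's no document; the spec treats it as a smell.
+if (raw.startsWith("//")) {
+return { ok: false, reason: "protocol-relative URLs are not allowed" };
+}
+// Path-only / relative URLs (no scheme) are the happy path. We resolve
+// them against the request origin and let the URL constructor reject
+// any structural garbage.
+if (!/^[a-z][a-z0-9+\-.]*:/i.test(raw)) {
+let absolute;
+try {
+absolute = new URL(raw, ctx.requestOrigin);
+}
+catch {
+return { ok: false, reason: "invalid relative URL" };
+}
+return { ok: true, normalized: absolute };
+}
+// Absolute URL — parse and validate.
+let url;
+try {
+url = new URL(raw);
+}
+catch {
+return { ok: false, reason: "invalid absolute URL" };
+}
+if (!SAFE_SCHEMES.has(url.protocol)) {
+return { ok: false, reason: `scheme ${url.protocol} is not http(s)` };
+}
+if (url.username !== "" || url.password !== "") {
+return { ok: false, reason: "URL contains embedded credentials" };
+}
+if (url.origin !== ctx.requestOrigin) {
+// Subdomain-spoof guard: even if the host string contains the
+// expected hostname as a substring (e.g.
+// `app.run402.app.evil.example`), URL.origin compares the full
+// host+port+scheme, so this is correct.
+return { ok: false, reason: "cross-origin URLs are not allowed" };
+}
+return { ok: true, normalized: url };
+}
+//# sourceMappingURL=url-validation.js.map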
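Review bot: The relative-URL branch returns `{ ok: true, normalized: absolute }` without comparing `absolute.origin` to `ctx.requestOrigin`, so the same-origin guarantee there rests entirely on the literal `raw.startsWith("//")` test and the scheme regex. The WHATWG parser normalises its input before resolving it (it trims leading and trailing whitespace and, for http(s) bases, treats `\` as `/`), so a string that passes both text checks can still resolve to a different host. Re-check after resolution, as the absolute branch already does: `if (absolute.origin !== ctx.requestOrigin) return { ok: false, reason: "cross-origin URLs are not allowed" };`, together with the same `username`/`password` test. Separately, the opening comment says Request objects are not accepted, while the code validates `input.url` and can return ok; only the URL is checked, so the caller has to build the outgoing request from `normalized` rather than reuse the passed Request, and the comment should say that.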
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"url-validation.js","sourceRoot":"","sources":["../../src/auth/url-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAUH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AAElD,MAAM,UAAU,sBAAsB,CACpC,KAAwB,EACxB,GAAyB;IAEzB,wEAAwE;IACxE,qEAAqE;IACrE,0EAA0E;IAC1E,2CAA2C;IAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,IAAI,KAAK,IAAI,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnG,8DAA8D;QAC9D,qDAAqD;QACrD,OAAO,sBAAsB,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,KAAK,YAAY,GAAG,EAAE,CAAC;QACzB,OAAO,sBAAsB,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,GAAG,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAC;IACxE,CAAC;IAED,MAAM,GAAG,GAAG,KAAK,CAAC;IAClB,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAC/C,CAAC;IAED,mEAAmE;IACnE,kEAAkE;IAClE,2DAA2D;IAC3D,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,wCAAwC,EAAE,CAAC;IACzE,CAAC;IAED,uEAAuE;IACvE,qEAAqE;IACrE,0BAA0B;IAC1B,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACvC,IAAI,QAAa,CAAC;QAClB,IAAI,CAAC;YACH,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,aAAa,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;QACvD,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;IAC5C,CAAC;IAED,qCAAqC;IACrC,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IACvD,CAAC;IAED,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,GAAG,CAAC,QAAQ,iBAAiB,EAAE,CAAC;IACxE,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,EAAE,IAAI,GAAG,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;QAC/C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IACpE,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,aAAa,EAAE,CAAC;QACrC,8DA
A8D;QAC9D,yCAAyC;QACzC,+DAA+D;QAC/D,wCAAwC;QACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IACpE,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;AACvC,CAAC"}
|
package/dist/auth.d.ts
CHANGED
|
@@ -1,57 +1,32 @@
|
|
|
1
|
-
export interface User {
|
|
2
|
-
id: string;
|
|
3
|
-
role: string;
|
|
4
|
-
email: string;
|
|
5
|
-
}
|
|
6
1
|
/**
|
|
7
|
-
*
|
|
8
|
-
* Returns { id, role, email } or null if unauthenticated/invalid.
|
|
2
|
+
* Legacy auth exports — throwing sentinels.
|
|
9
3
|
*
|
|
10
|
-
*
|
|
11
|
-
* `
|
|
12
|
-
*
|
|
13
|
-
*
|
|
14
|
-
*/
|
|
15
|
-
export declare function getUser(req?: Request): User | null;
|
|
16
|
-
/**
|
|
17
|
-
* Read the gate-resolved user id from the request.
|
|
4
|
+
* **REMOVED in v3.0 (auth-aware-ssr).** `getUser`, `getUserId`, and
|
|
5
|
+
* `getRole` are no longer working exports — they throw
|
|
6
|
+
* `R402_AUTH_UNKNOWN_EXPORT` with a structured fix-it pointing at the
|
|
7
|
+
* canonical `auth.*` namespace.
|
|
18
8
|
*
|
|
19
|
-
*
|
|
20
|
-
*
|
|
21
|
-
*
|
|
22
|
-
*
|
|
23
|
-
* before
|
|
9
|
+
* ESM named imports (`import { getUser } from "@run402/functions"`)
|
|
10
|
+
* can't be intercepted by a Proxy; the only way to fail loudly on
|
|
11
|
+
* runtime usage is to ship a sentinel function. The `run402 doctor`
|
|
12
|
+
* source scanner (public repo CLI) and the `@run402/astro` ESLint rule
|
|
13
|
+
* catch the import before runtime; this file is the last line of defense
|
|
14
|
+
* for code that bypasses both.
|
|
24
15
|
*
|
|
25
|
-
*
|
|
26
|
-
*
|
|
27
|
-
* Lambda invoke). For gated functions reached through the gateway, the
|
|
28
|
-
* value is non-null by construction.
|
|
16
|
+
* The legacy `User` type is preserved as an alias of `Actor` for any
|
|
17
|
+
* stragglers — but accessing the throwing sentinels at runtime fails.
|
|
29
18
|
*
|
|
30
|
-
*
|
|
31
|
-
* the JWT directly. The two layers are independent: a function with
|
|
32
|
-
* only `requireRole` runs the role lookup against the project's
|
|
33
|
-
* `members` table via gateway-side RLS-bypass; user code does not
|
|
34
|
-
* need to re-decode the JWT.
|
|
19
|
+
* @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
|
|
35
20
|
*/
|
|
36
|
-
export
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
*
|
|
48
|
-
* Returns `null` when no `requireRole` gate ran on this dispatch
|
|
49
|
-
* (function has only `requireAuth`, no gate at all, or is invoked
|
|
50
|
-
* outside the gateway).
|
|
51
|
-
*
|
|
52
|
-
* This is the application role, NOT the JWT role from
|
|
53
|
-
* {@link getUser}. The two are independent — see the JSDoc on
|
|
54
|
-
* `getUser` for the distinction.
|
|
55
|
-
*/
|
|
56
|
-
export declare function getRole(req?: Request): string | null;
|
|
21
|
+
export type User = {
|
|
22
|
+
id: string;
|
|
23
|
+
role: string;
|
|
24
|
+
email: string;
|
|
25
|
+
};
|
|
26
|
+
/** @deprecated Removed in `@run402/functions` v3.0. Use `auth.user()` or `auth.requireUser()`. */
|
|
27
|
+
export declare function getUser(_req?: Request): never;
|
|
28
|
+
/** @deprecated Removed in `@run402/functions` v3.0. Use `(await auth.user())?.id` or `(await auth.requireUser()).id`. */
|
|
29
|
+
export declare function getUserId(_req?: Request): never;
|
|
30
|
+
/** @deprecated Removed in `@run402/functions` v3.0. Use `auth.requireRole(role)`. */
|
|
31
|
+
export declare function getRole(_req?: Request): never;
|
|
57
32
|
//# sourceMappingURL=auth.d.ts.map
|
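Review bot: The header comment says the legacy `User` type "is preserved as an alias of `Actor`", but the declaration is `export type User = { id: string; role: string; email: string; }`, which is a separate shape: `Actor` in `auth/types.d.ts` has no `role` field. Code that still reads `user.role` for an authorization decision keeps type-checking against `User` even though nothing in this release returns one, which hides the migration to `auth.requireRole(role)`. Either correct the comment (`The legacy User shape is kept as a type only; it is not Actor and has no runtime producer.`) or mark the type itself `@deprecated` so the stale `role` access is flagged. The same comment is repeated at the top of `auth.js`.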
package/dist/auth.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAIH,MAAM,MAAM,IAAI,GAAG;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAE/D,kGAAkG;AAClG,wBAAgB,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAK7C;AAED,yHAAyH;AACzH,wBAAgB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAK/C;AAED,qFAAqF;AACrF,wBAAgB,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAK7C"}
|
package/dist/auth.js
CHANGED
|
@@ -1,112 +1,43 @@
|
|
|
1
|
-
import jwt from "./lib/jwt.js";
|
|
2
|
-
import { config } from "./config.js";
|
|
3
|
-
import { getCurrentContext, taintCacheBypass } from "./runtime-context.js";
|
|
4
1
|
/**
|
|
5
|
-
*
|
|
6
|
-
* Returns { id, role, email } or null if unauthenticated/invalid.
|
|
2
|
+
* Legacy auth exports — throwing sentinels.
|
|
7
3
|
*
|
|
8
|
-
*
|
|
9
|
-
* `
|
|
10
|
-
*
|
|
11
|
-
*
|
|
12
|
-
*/
|
|
13
|
-
export function getUser(req) {
|
|
14
|
-
// Capability `astro-ssr-runtime` (v1.52). Taint the cache-bypass flag
|
|
15
|
-
// on the active request context, regardless of whether `getUser`
|
|
16
|
-
// resolves to a user or null — the response now depends on per-request
|
|
17
|
-
// auth state and MUST NOT be cached publicly.
|
|
18
|
-
taintCacheBypass();
|
|
19
|
-
// If no `req` was passed, read auth from the ALS context (the SSR
|
|
20
|
-
// Lambda runtime's `runWithContext` populates `request.headers`).
|
|
21
|
-
// This is what makes `await getUser()` work naturally inside Astro
|
|
22
|
-
// `[slug].astro` frontmatter without any explicit plumbing.
|
|
23
|
-
let authHeader;
|
|
24
|
-
if (req !== undefined) {
|
|
25
|
-
authHeader =
|
|
26
|
-
typeof req.headers.get === "function"
|
|
27
|
-
? req.headers.get("authorization")
|
|
28
|
-
: req.headers?.authorization;
|
|
29
|
-
}
|
|
30
|
-
else {
|
|
31
|
-
const ctx = getCurrentContext();
|
|
32
|
-
if (ctx === undefined)
|
|
33
|
-
return null;
|
|
34
|
-
const h = ctx.request.headers;
|
|
35
|
-
const raw = h["authorization"] ?? h["Authorization"];
|
|
36
|
-
authHeader = Array.isArray(raw) ? raw[0] : raw;
|
|
37
|
-
}
|
|
38
|
-
if (!authHeader || !authHeader.startsWith("Bearer "))
|
|
39
|
-
return null;
|
|
40
|
-
const token = authHeader.slice(7);
|
|
41
|
-
try {
|
|
42
|
-
const payload = jwt.verify(token, config.JWT_SECRET);
|
|
43
|
-
if (payload.project_id !== config.PROJECT_ID)
|
|
44
|
-
return null;
|
|
45
|
-
return { id: payload.sub, role: payload.role, email: payload.email };
|
|
46
|
-
}
|
|
47
|
-
catch {
|
|
48
|
-
return null;
|
|
49
|
-
}
|
|
50
|
-
}
|
|
51
|
-
/**
|
|
52
|
-
* Read the gate-resolved user id from the request.
|
|
4
|
+
* **REMOVED in v3.0 (auth-aware-ssr).** `getUser`, `getUserId`, and
|
|
5
|
+
* `getRole` are no longer working exports — they throw
|
|
6
|
+
* `R402_AUTH_UNKNOWN_EXPORT` with a structured fix-it pointing at the
|
|
7
|
+
* canonical `auth.*` namespace.
|
|
53
8
|
*
|
|
54
|
-
*
|
|
55
|
-
*
|
|
56
|
-
*
|
|
57
|
-
*
|
|
58
|
-
* before
|
|
9
|
+
* ESM named imports (`import { getUser } from "@run402/functions"`)
|
|
10
|
+
* can't be intercepted by a Proxy; the only way to fail loudly on
|
|
11
|
+
* runtime usage is to ship a sentinel function. The `run402 doctor`
|
|
12
|
+
* source scanner (public repo CLI) and the `@run402/astro` ESLint rule
|
|
13
|
+
* catch the import before runtime; this file is the last line of defense
|
|
14
|
+
* for code that bypasses both.
|
|
59
15
|
*
|
|
60
|
-
*
|
|
61
|
-
*
|
|
62
|
-
* Lambda invoke). For gated functions reached through the gateway, the
|
|
63
|
-
* value is non-null by construction.
|
|
16
|
+
* The legacy `User` type is preserved as an alias of `Actor` for any
|
|
17
|
+
* stragglers — but accessing the throwing sentinels at runtime fails.
|
|
64
18
|
*
|
|
65
|
-
*
|
|
66
|
-
* the JWT directly. The two layers are independent: a function with
|
|
67
|
-
* only `requireRole` runs the role lookup against the project's
|
|
68
|
-
* `members` table via gateway-side RLS-bypass; user code does not
|
|
69
|
-
* need to re-decode the JWT.
|
|
19
|
+
* @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
|
|
70
20
|
*/
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
if (Array.isArray(raw))
|
|
79
|
-
return raw[0] ?? null;
|
|
80
|
-
return raw ?? null;
|
|
21
|
+
import { UnknownExportError } from "./auth/errors.js";
|
|
22
|
+
/** @deprecated Removed in `@run402/functions` v3.0. Use `auth.user()` or `auth.requireUser()`. */
|
|
23
|
+
export function getUser(_req) {
|
|
24
|
+
throw new UnknownExportError({
|
|
25
|
+
attemptedName: "getUser",
|
|
26
|
+
canonicalName: "auth.user() / auth.requireUser()",
|
|
27
|
+
});
|
|
81
28
|
}
|
|
82
|
-
/**
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
* outside the gateway).
|
|
96
|
-
*
|
|
97
|
-
* This is the application role, NOT the JWT role from
|
|
98
|
-
* {@link getUser}. The two are independent — see the JSDoc on
|
|
99
|
-
* `getUser` for the distinction.
|
|
100
|
-
*/
|
|
101
|
-
export function getRole(req) {
|
|
102
|
-
if (req !== undefined)
|
|
103
|
-
return req.headers.get("x-run402-user-role");
|
|
104
|
-
const ctx = getCurrentContext();
|
|
105
|
-
if (ctx === undefined)
|
|
106
|
-
return null;
|
|
107
|
-
const raw = ctx.request.headers["x-run402-user-role"];
|
|
108
|
-
if (Array.isArray(raw))
|
|
109
|
-
return raw[0] ?? null;
|
|
110
|
-
return raw ?? null;
|
|
29
|
+
/** @deprecated Removed in `@run402/functions` v3.0. Use `(await auth.user())?.id` or `(await auth.requireUser()).id`. */
|
|
30
|
+
export function getUserId(_req) {
|
|
31
|
+
throw new UnknownExportError({
|
|
32
|
+
attemptedName: "getUserId",
|
|
33
|
+
canonicalName: "(await auth.user())?.id",
|
|
34
|
+
});
|
|
35
|
+
}
|
|
36
|
+
/** @deprecated Removed in `@run402/functions` v3.0. Use `auth.requireRole(role)`. */
|
|
37
|
+
export function getRole(_req) {
|
|
38
|
+
throw new UnknownExportError({
|
|
39
|
+
attemptedName: "getRole",
|
|
40
|
+
canonicalName: "auth.requireRole(role)",
|
|
41
|
+
});
|
|
111
42
|
}
|
|
112
43
|
//# sourceMappingURL=auth.js.map
|
package/dist/auth.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAItD,kGAAkG;AAClG,MAAM,UAAU,OAAO,CAAC,IAAc;IACpC,MAAM,IAAI,kBAAkB,CAAC;QAC3B,aAAa,EAAE,SAAS;QACxB,aAAa,EAAE,kCAAkC;KAClD,CAAC,CAAC;AACL,CAAC;AAED,yHAAyH;AACzH,MAAM,UAAU,SAAS,CAAC,IAAc;IACtC,MAAM,IAAI,kBAAkB,CAAC;QAC3B,aAAa,EAAE,WAAW;QAC1B,aAAa,EAAE,yBAAyB;KACzC,CAAC,CAAC;AACL,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,OAAO,CAAC,IAAc;IACpC,MAAM,IAAI,kBAAkB,CAAC;QAC3B,aAAa,EAAE,SAAS;QACxB,aAAa,EAAE,wBAAwB;KACxC,CAAC,CAAC;AACL,CAAC"}
|
package/dist/db.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAIA,UAAU,gBAAgB;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,YAAY;;gBASX,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB;IAOjD,MAAM,CAAC,OAAO,SAAM,GAAG,IAAI;IAK3B,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKhD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKjD,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK3C,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAK5C,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,GAAG,IAAI;IAKrD,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,SAAgB,EAAE;;KAAK,GAAG,IAAI;IAKtD,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK1B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK3B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;IAMvE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAM3C,MAAM,IAAI,IAAI;IAKd,IAAI,CACF,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,IAAI,EACnD,MAAM,EAAE,CAAC,MAAM,EAAE,KAAK,KAAK,IAAI,GAC9B,IAAI;CA6BR;AAwDD,UAAU,cAAc;IACtB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,GAAG,cAAc,CAkBhD;AAED,UAAU,aAAa;IACrB,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IAClC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;CAC5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA+BvC"}
|
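--- a/package/dist/db.js
+++ b/package/dist/db.js
@@ -1,5 +1,6 @@
 import { config } from "./config.js";
 import { getCurrentContext } from "./runtime-context.js";
+import jwt from "./lib/jwt.js";
 export class QueryBuilder {
 #table;
 #params = new URLSearchParams();
@@ -116,6 +117,45 @@ function extractAuthFromAls() {
 const ctx = getCurrentContext();
 if (ctx === undefined)
 return undefined;
+// v3.0 (auth-aware-ssr): if a verified actor is present on the runtime
+// context, mint a short-lived JWT carrying the actor's claims so the
+// gateway's PostgREST proxy → pre_request hook → RLS pipeline sees the
+// browser-cookie actor identically to a Bearer-JWT call. The mint is
+// SDK-side because the cookie itself is `__Host-` scoped to the
+// browser origin and never forwarded server-to-server (D13 forbids
+// cookie forwarding). The pepper-isolated session secret stays in the
+// DB; the JWT carries only the actor's already-validated claims, signed
+// with the same JWT_SECRET PostgREST verifies against.
+if (ctx.actor && config.JWT_SECRET) {
+const nowSec = Math.floor(Date.now() / 1000);
+const claims = {
+sub: ctx.actor.id,
+role: "authenticated",
+email: ctx.actor.email,
+project_id: ctx.projectId,
+iss: "agentdb",
+amr: ctx.actor.amr,
+auth_time: ctx.actor.authTime,
+aal: ctx.actor.amr.includes("passkey") ? "aal2" : "aal1",
+session_id: ctx.actor.sessionId,
+authz_version: ctx.actor.authzVersion,
+iat: nowSec,
+// 60-second TTL — long enough for the request + retry budget,
+// short enough that exfiltration provides no value.
+exp: nowSec + 60,
+};
+try {
+return `Bearer ${jwt.sign(claims, config.JWT_SECRET)}`;
+}
+catch {
+// Fall through to header forwarding below. JWT signing should not
+// realistically fail with a present secret; if it does, we want
+// the request to proceed anonymously rather than 500.
+}
+}
+// Fallback: forward whatever Authorization the inbound request carried.
+// This is the v2.x behavior — preserved for explicit Bearer flows
+// (mobile, server-to-server) where the caller already has a JWT.
 const headers = ctx.request.headers;
 const raw = headers["authorization"] ?? headers["Authorization"];
 if (Array.isArray(raw))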
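Review bot: The `catch` around `jwt.sign` says the request should "proceed anonymously", but control falls through to the header-forwarding path, so a request with a verified cookie actor whose mint fails is sent with whatever `Authorization` header the inbound request carried. That silently swaps the identity the RLS pipeline sees; returning from the catch (`catch { return undefined; }`) matches the comment, and a log line there would make the failure visible. `aal` is derived from `ctx.actor.amr.includes("passkey")` on a free-form `string[]`, and `authz_version` reads `ctx.actor.authzVersion`, which the public `Actor` type in this release does not declare, so both claims need a comment stating where those values are validated. The TTL comment's claim that exfiltration "provides no value" is stronger than a 60-second bearer token supports; `limits the replay window to 60 seconds` would be accurate. `extractAuthFromAls` begins and ends outside this hunk.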
package/dist/db.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;
|
|
1
|
+
{"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,GAAG,MAAM,cAAc,CAAC;AAQ/B,MAAM,OAAO,YAAY;IACvB,MAAM,CAAS;IACf,OAAO,GAAG,IAAI,eAAe,EAAE,CAAC;IAChC,OAAO,GAAG,KAAK,CAAC;IAChB,KAAK,GAAY,SAAS,CAAC;IAC3B,OAAO,CAAS;IAChB,cAAc,CAAqB;IACnC,SAAS,CAAS;IAElB,YAAY,KAAa,EAAE,IAAsB;QAC/C,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,GAAG;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,KAAsB;QACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,EAAE,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,KAAsB;QACxC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,MAAc,EAAE,OAAe;QAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,OAAO,EAAE,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,OAAe;QACnC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,MAAc,EAAE,MAA2B;QAC5C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,MAAc,EAAE,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE;QAC
7C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAa;QACjB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAAyD;QAC9D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAA6B;QAClC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM;QACJ,IAAI,CAAC,OAAO,GAAG,QAAQ,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CACF,OAAmD,EACnD,MAA+B;QAE/B,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAEtF,MAAM,OAAO,GAA2B;YACtC,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,uBAAuB;SAChC,CAAC;QACF,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,cAAc,CAAC;QAC9C,CAAC;QAED,KAAK,CAAC,GAAG,EAAE;YACT,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1D,CAAC;aACC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YAClB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC,CAAC;gBACjE,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAiC,CAAC,CAAC;QAC7C,CAAC,CAAC;aACD,KAAK,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC;CACF;AAED,SAAS,WAAW,CAAC,GAAY;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAClF,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,kBAA
kB;IACzB,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAExC,uEAAuE;IACvE,qEAAqE;IACrE,uEAAuE;IACvE,qEAAqE;IACrE,gEAAgE;IAChE,mEAAmE;IACnE,sEAAsE;IACtE,wEAAwE;IACxE,uDAAuD;IACvD,IAAI,GAAG,CAAC,KAAK,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG;YACb,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE;YACjB,IAAI,EAAE,eAAwB;YAC9B,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,KAAK;YACtB,UAAU,EAAE,GAAG,CAAC,SAAS;YACzB,GAAG,EAAE,SAAkB;YACvB,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG;YAClB,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ;YAC7B,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAE,MAAgB,CAAC,CAAC,CAAE,MAAgB;YAC9E,UAAU,EAAE,GAAG,CAAC,KAAK,CAAC,SAAS;YAC/B,aAAa,EAAE,GAAG,CAAC,KAAK,CAAC,YAAY;YACrC,GAAG,EAAE,MAAM;YACX,8DAA8D;YAC9D,oDAAoD;YACpD,GAAG,EAAE,MAAM,GAAG,EAAE;SACjB,CAAC;QACF,IAAI,CAAC;YACH,OAAO,UAAU,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;YAClE,gEAAgE;YAChE,sDAAsD;QACxD,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,kEAAkE;IAClE,iEAAiE;IACjE,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;IACtC,OAAO,GAAG,IAAI,SAAS,CAAC;AAC1B,CAAC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,EAAE,CAAC,GAAa;IAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,2DAA2D;YACzD,oEAAoE,CACvE,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,EAAE,CAAC;IAClF,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChC,OAAO;QACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,OAAO;gBACf,aAAa;gBACb,QAAQ,EAAE,UAAU;aACrB,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAOD;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO;IACrB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC;IACtC,OAAO;Q
ACL,IAAI,CAAC,KAAa;YAChB,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE;gBAC7B,MAAM,EAAE,UAAU;gBAClB,aAAa,EAAE,UAAU,UAAU,EAAE;gBACrC,QAAQ,EAAE,gBAAgB;aAC3B,CAAC,CAAC;QACL,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,KAAa,EAAE,MAAkB;YACzC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,sBAAsB,MAAM,CAAC,UAAU,MAAM,CAAC;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;YAC7D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,UAAU,EAAE;oBACrC,cAAc,EAAE,SAAS,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,YAAY;iBAC9D;gBACD,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK;aACjE,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,cAAc,GAAG,CAAC,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,GAAG,CAAC,IAAI,EAAwC,CAAC;QAC1D,CAAC;KACF,CAAC;AACJ,CAAC"}
|
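--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,6 +1,10 @@
 export { db, adminDb, QueryBuilder } from "./db.js";
 export { getUser, getUserId, getRole } from "./auth.js";
 export type { User } from "./auth.js";
+export { auth } from "./auth/index.js";
+export type { Actor, IdentityProof, TenantUser, CreateResponseFromTenantAssertionOptions, } from "./auth/index.js";
+export { Run402AuthError, AuthRequiredError, InsufficientRoleError, InsufficientMembershipError, FreshnessRequiredError, FetchAbsoluteUrlError, PrerenderedError, UnknownExportError, SessionBridgeUnverifiedError, IdentityLinkConflictError, UnknownIdentityError, InvalidCredentialsError, TenantSubjectInvalidError, } from "./auth/index.js";
+export { getSession, currentUser, getCurrentUser, getServerSession } from "./auth/index.js";
 export { email } from "./email.js";
 export type { EmailSendOptions, EmailRawOptions, EmailTemplateOptions, EmailSendResult } from "./email.js";
 export { ai } from "./ai.js";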
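Review bot: The barrel now exposes two auth entry points side by side, and nothing in this declaration tells a consumer which one to rely on for an authorization decision. The legacy `getUser, getUserId, getRole` still come from `./auth.js`, while the new `auth` namespace and `getSession`, `currentUser`, `getCurrentUser`, `getServerSession` come from `./auth/index.js`. If the legacy helpers are kept only for compatibility, mark them where they are declared in `auth.d.ts` with a TSDoc tag such as `/** @deprecated Use auth.user() / auth.requireUser() instead. */` so editors flag old call sites. Whether the four session-style names are working helpers or migration stubs is not visible from this file, so a one-line TSDoc on each stating what it returns or throws would help. I would also add a short comment above the error-class export saying which errors callers are expected to catch, since `AuthRequiredError` and `InsufficientRoleError` are presumably the ones that must map to a denied response rather than be swallowed.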
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAQtC,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AACvC,YAAY,EACV,KAAK,EACL,aAAa,EACb,UAAU,EACV,wCAAwC,GACzC,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,EAClB,4BAA4B,EAC5B,yBAAyB,EACzB,oBAAoB,EACpB,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC;AAMzB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC3G,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,WAAW,EACX,gBAAgB,EAChB,eAAe,EACf,cAAc,GACf,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAIrC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAMlG,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,YAAY,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AACjE,YAAY,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,QAAQ,EACR,eAAe,EACf,YAAY,EAEZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC5E,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EACV,KAAK,EACL,qBAAqB,EACrB,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AAKpB,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC"}
|