@scalekit-sdk/node 2.0.0 → 2.0.1
- package/lib/core.js +2 -2
- package/lib/scalekit.d.ts +28 -7
- package/lib/scalekit.js +46 -9
- package/lib/scalekit.js.map +1 -1
- package/lib/types/scalekit.d.ts +5 -0
- package/package.json +1 -1
- package/src/core.ts +2 -2
- package/src/scalekit.ts +59 -10
- package/src/types/scalekit.ts +6 -0
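--- a/package/lib/core.js
+++ b/package/lib/core.js
@@ -57,8 +57,8 @@ class CoreClient {
 this.clientSecret = clientSecret;
 this.keys = [];
 this.accessToken = null;
-this.sdkVersion = `Scalekit-Node/2.0.
-this.apiVersion = "
+this.sdkVersion = `Scalekit-Node/2.0.1`;
+this.apiVersion = "20250710";
 this.userAgent = `${this.sdkVersion} Node/${process.version} (${process.platform}; ${os_1.default.arch()})`;
 this.axios = axios_1.default.create({ baseURL: envUrl });
 this.axios.interceptors.request.use((config) => {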
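--- a/package/lib/scalekit.d.ts
+++ b/package/lib/scalekit.d.ts
@@ -5,7 +5,7 @@ import OrganizationClient from './organization';
 import PasswordlessClient from './passwordless';
 import UserClient from './user';
 import { IdpInitiatedLoginClaims } from './types/auth';
-import { AuthenticationOptions, AuthenticationResponse, AuthorizationUrlOptions, LogoutUrlOptions, RefreshTokenResponse } from './types/scalekit';
+import { AuthenticationOptions, AuthenticationResponse, AuthorizationUrlOptions, LogoutUrlOptions, RefreshTokenResponse, TokenValidationOptions } from './types/scalekit';
 /**
 * To initiate scalekit
 * @param {string} envUrl The environment url
@@ -63,16 +63,18 @@ export default class ScalekitClient {
 * Get the idp initiated login claims
 *
 * @param {string} idpInitiatedLoginToken The idp_initiated_login query param from the URL
+* @param {TokenValidationOptions} options Optional validation options for issuer and audience
 * @returns {object} Returns the idp initiated login claims
 */
-getIdpInitiatedLoginClaims(idpInitiatedLoginToken: string): Promise<IdpInitiatedLoginClaims>;
+getIdpInitiatedLoginClaims(idpInitiatedLoginToken: string, options?: TokenValidationOptions): Promise<IdpInitiatedLoginClaims>;
 /**
-* Validates the access token.
+* Validates the access token and returns a boolean result.
 *
 * @param {string} token The token to be validated.
+* @param {TokenValidationOptions} options Optional validation options for issuer, audience, and scopes
 * @return {Promise<boolean>} Returns true if the token is valid, false otherwise.
 */
-validateAccessToken(token: string): Promise<boolean>;
+validateAccessToken(token: string, options?: TokenValidationOptions): Promise<boolean>;
 /**
 * Returns the logout URL that can be used to log out the user.
 * @param {LogoutUrlOptions} options Logout URL options
@@ -99,12 +101,31 @@ export default class ScalekitClient {
 */
 verifyWebhookPayload(secret: string, headers: Record<string, string>, payload: string): boolean;
 /**
-*
+* Validates a token and returns its payload if valid.
+* Supports issuer, audience, and scope validation.
 *
 * @param {string} token The token to be validated
-* @
+* @param {TokenValidationOptions} options Optional validation options for issuer, audience, and scopes
+* @return {Promise<T>} Returns the token payload if valid
+* @throws {Error} If token is invalid or missing required scopes
 */
-
+validateToken<T>(token: string, options?: TokenValidationOptions): Promise<T>;
+/**
+* Verify that the token contains the required scopes
+*
+* @param {string} token The token to verify
+* @param {string[]} requiredScopes The scopes that must be present in the token
+* @return {boolean} Returns true if all required scopes are present
+* @throws {Error} If required scopes are missing, with details about which scopes are missing
+*/
+verifyScopes(token: string, requiredScopes: string[]): boolean;
+/**
+* Extract scopes from token payload
+*
+* @param {any} payload The token payload
+* @return {string[]} Array of scopes found in the token
+*/
+private extractScopesFromPayload;
 /**
 * Verify the timestamp
 *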
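--- a/package/lib/scalekit.js
+++ b/package/lib/scalekit.js
@@ -137,23 +137,25 @@ class ScalekitClient {
 * Get the idp initiated login claims
 *
 * @param {string} idpInitiatedLoginToken The idp_initiated_login query param from the URL
+* @param {TokenValidationOptions} options Optional validation options for issuer and audience
 * @returns {object} Returns the idp initiated login claims
 */
-getIdpInitiatedLoginClaims(idpInitiatedLoginToken) {
+getIdpInitiatedLoginClaims(idpInitiatedLoginToken, options) {
 return __awaiter(this, void 0, void 0, function* () {
-return this.validateToken(idpInitiatedLoginToken);
+return this.validateToken(idpInitiatedLoginToken, options);
 });
 }
 /**
-* Validates the access token.
+* Validates the access token and returns a boolean result.
 *
 * @param {string} token The token to be validated.
+* @param {TokenValidationOptions} options Optional validation options for issuer, audience, and scopes
 * @return {Promise<boolean>} Returns true if the token is valid, false otherwise.
 */
-validateAccessToken(token) {
+validateAccessToken(token, options) {
 return __awaiter(this, void 0, void 0, function* () {
 try {
-yield this.validateToken(token);
+yield this.validateToken(token, options);
 return true;
 }
 catch (_) {
@@ -212,19 +214,25 @@ class ScalekitClient {
 throw new Error("Invalid Signature");
 }
 /**
-*
+* Validates a token and returns its payload if valid.
+* Supports issuer, audience, and scope validation.
 *
 * @param {string} token The token to be validated
-* @
+* @param {TokenValidationOptions} options Optional validation options for issuer, audience, and scopes
+* @return {Promise<T>} Returns the token payload if valid
+* @throws {Error} If token is invalid or missing required scopes
 */
-validateToken(token) {
+validateToken(token, options) {
 return __awaiter(this, void 0, void 0, function* () {
 yield this.coreClient.getJwks();
 const jwks = jose.createLocalJWKSet({
 keys: this.coreClient.keys
 });
 try {
-const { payload } = yield jose.jwtVerify(token, jwks);
+const { payload } = yield jose.jwtVerify(token, jwks, Object.assign(Object.assign({}, ((options === null || options === void 0 ? void 0 : options.issuer) && { issuer: options.issuer })), ((options === null || options === void 0 ? void 0 : options.audience) && { audience: options.audience })));
+if ((options === null || options === void 0 ? void 0 : options.requiredScopes) && options.requiredScopes.length > 0) {
+this.verifyScopes(token, options.requiredScopes);
+}
 return payload;
 }
 catch (_) {
@@ -232,6 +240,35 @@ class ScalekitClient {
 }
 });
 }
+/**
+* Verify that the token contains the required scopes
+*
+* @param {string} token The token to verify
+* @param {string[]} requiredScopes The scopes that must be present in the token
+* @return {boolean} Returns true if all required scopes are present
+* @throws {Error} If required scopes are missing, with details about which scopes are missing
+*/
+verifyScopes(token, requiredScopes) {
+const payload = jose.decodeJwt(token);
+const scopes = this.extractScopesFromPayload(payload);
+const missingScopes = requiredScopes.filter(scope => !scopes.includes(scope));
+if (missingScopes.length > 0) {
+throw new Error(`Token missing required scopes: ${missingScopes.join(', ')}`);
+}
+return true;
+}
+/**
+* Extract scopes from token payload
+*
+* @param {any} payload The token payload
+* @return {string[]} Array of scopes found in the token
+*/
+extractScopesFromPayload(payload) {
+const scopes = payload.scopes;
+return Array.isArray(scopes)
+? scopes.filter((scope) => { var _a; return !!((_a = scope.trim) === null || _a === void 0 ? void 0 : _a.call(scope)); })
+: [];
+}
 /**
 * Verify the timestamp
 *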
package/lib/scalekit.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scalekit.js","sourceRoot":"","sources":["../src/scalekit.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAA4B;AAC5B,2CAA6B;AAC7B,4CAA6B;AAC7B,wDAAoC;AACpC,8DAA4C;AAC5C,2CAAyD;AACzD,kDAAgC;AAChC,4DAA0C;AAC1C,sDAAoC;AACpC,kEAAgD;AAChD,kEAAgD;AAChD,kDAAgC;AAEhC,+
|
|
1
|
+
{"version":3,"file":"scalekit.js","sourceRoot":"","sources":["../src/scalekit.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAA4B;AAC5B,2CAA6B;AAC7B,4CAA6B;AAC7B,wDAAoC;AACpC,8DAA4C;AAC5C,2CAAyD;AACzD,kDAAgC;AAChC,4DAA0C;AAC1C,sDAAoC;AACpC,kEAAgD;AAChD,kEAAgD;AAChD,kDAAgC;AAEhC,+CAAqL;AAErL,MAAM,iBAAiB,GAAG,iBAAiB,CAAC;AAC5C,MAAM,cAAc,GAAG,aAAa,CAAC;AACrC,MAAM,4BAA4B,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,YAAY;AACzD,MAAM,yBAAyB,GAAG,IAAI,CAAC;AAEvC;;;;;;;;EAQE;AACF,MAAqB,cAAc;IASjC,YACE,MAAc,EACd,QAAgB,EAChB,YAAoB;QAEpB,IAAI,CAAC,UAAU,GAAG,IAAI,cAAU,CAC9B,MAAM,EACN,QAAQ,EACR,YAAY,CACb,CAAC;QACF,IAAI,CAAC,WAAW,GAAG,IAAI,iBAAW,CAChC,IAAI,CAAC,UAAU,CAChB,CAAC;QAEF,IAAI,CAAC,YAAY,GAAG,IAAI,sBAAkB,CACxC,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,UAAU,CAChB,CAAC;QACF,IAAI,CAAC,UAAU,GAAG,IAAI,oBAAgB,CACpC,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,UAAU,CAChB,CAAC;QACF,IAAI,CAAC,MAAM,GAAG,IAAI,gBAAY,CAC5B,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,UAAU,CAChB,CAAC;QACF,IAAI,CAAC,SAAS,GAAG,IAAI,mBAAe,CAClC,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,UAAU,CAChB,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,IAAI,sBAAkB,CACxC,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,UAAU,CAChB,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,IAAI,cAAU,CACxB,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,UAAU,CAChB,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,mBAAmB,CACjB,WAAmB,EACnB,OAAiC;;QAEjC,MAAM,cAAc,GAA4B;YAC9C,MAAM,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;SACvC,CAAA;QACD,OAAO,mCACF,cAAc,GACd,OAAO,CACX,CAAA;QACD,MAAM,EAAE,GAAG,YAAW,CAAC,SAAS,6JAC9B,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,QAAQ,EACnC,YAAY,EAAE,WAAW,EACzB,KAAK,EAAE,MAAA,OAAO,CAAC,MAAM,0CAAE,IAAI,CAAC,GAAG,CAAC,IAC7B,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,GAC3C,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,GAC3C,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC,GACxD,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,WAAW,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,GAC3D,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,GACtD,CAAC,OAAO,CAAC,YAAY,IAAI,EAAE,aAAa,E
AAE,OAAO,CAAC,YAAY,EAAE,CAAC,GACjE,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC,cAAc,EAAE,CAAC,GACvE,CAAC,OAAO,CAAC,aAAa,IAAI,EAAE,cAAc,EAAE,OAAO,CAAC,aAAa,EAAE,CAAC,GACpE,CAAC,OAAO,CAAC,mBAAmB,IAAI,EAAE,qBAAqB,EAAE,OAAO,CAAC,mBAAmB,EAAE,CAAC,GACvF,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,GACpD,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,EACjD,CAAA;QAEF,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,IAAI,iBAAiB,IAAI,EAAE,EAAE,CAAA;IAC/D,CAAC;IAED;;;;;;;OAOG;IACG,oBAAoB,CACxB,IAAY,EACZ,WAAmB,EACnB,OAA+B;;YAE/B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,YAAW,CAAC,SAAS,iBAClE,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,WAAW,EACzB,UAAU,EAAE,oBAAS,CAAC,iBAAiB,EACvC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,QAAQ,EACnC,aAAa,EAAE,IAAI,CAAC,UAAU,CAAC,YAAY,IACxC,CAAC,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,YAAY,KAAI,EAAE,aAAa,EAAE,OAAO,CAAC,YAAY,EAAE,CAAC,EACrE,CAAC,CAAA;YACH,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAG,aAAa,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;YACxE,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAe,QAAQ,CAAC,CAAC;YACtD,MAAM,IAAI,GAAS,EAAE,CAAC;YACtB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5C,IAAI,4BAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC7B,IAAI,CAAC,4BAAqB,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;gBACrC,CAAC;YACH,CAAC;YAED,OAAO;gBACL,IAAI;gBACJ,OAAO,EAAE,QAAQ;gBACjB,WAAW,EAAE,YAAY;gBACzB,SAAS,EAAE,UAAU;gBACrB,YAAY,EAAE,aAAa;aAC5B,CAAA;QACH,CAAC;KAAA;IAED;;;;;;MAME;IACI,0BAA0B,CAAC,sBAA8B,EAAE,OAAgC;;YAC/F,OAAO,IAAI,CAAC,aAAa,CAA0B,sBAAsB,EAAE,OAAO,CAAC,CAAC;QACtF,CAAC;KAAA;IAED;;;;;;OAMG;IACG,mBAAmB,CAAC,KAAa,EAAE,OAAgC;;YACvE,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;gBACzC,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;KAAA;IAID;;;;;;;;;;;;;;OAcG;IACH,YAAY,CAAC,OAA0B;QACrC,MAAM,EAAE,GAAG,YAAW,CAAC,SAAS,+CAC3B,CAAC,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,WAAW,KAAI,EAAE,aAAa,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC,GAChE,CAAC,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,qBAAqB,KAAI,EAAE,wBAAwB,
EAAE,OAAO,CAAC,qBAAqB,EAAE,CAAC,GAC/F,CAAC,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,KAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,EAC/C,CAAC;QAEH,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,IAAI,cAAc,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAC5E,CAAC;IAED;;;;;;;OAOG;IACH,oBAAoB,CAAC,MAAc,EAAE,OAA+B,EAAE,OAAe;QACnF,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;QACxC,MAAM,gBAAgB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACtD,MAAM,gBAAgB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACtD,IAAI,CAAC,SAAS,IAAI,CAAC,gBAAgB,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,gBAAgB,CAAC,CAAC;QACzD,MAAM,IAAI,GAAG,GAAG,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,IAAI,OAAO,EAAE,CAAC;QACjF,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAChE,MAAM,iBAAiB,GAAG,IAAI,CAAC,gBAAgB,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QACnE,MAAM,kBAAkB,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACvD,KAAK,MAAM,kBAAkB,IAAI,kBAAkB,EAAE,CAAC;YACpD,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC3D,IAAI,OAAO,KAAK,yBAAyB,EAAE,CAAC;gBAC1C,SAAS;YACX,CAAC;YACD,IAAI,gBAAM,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;gBACvG,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,CAAC;IAED;;;;;;;;OAQG;IACG,aAAa,CAAI,KAAa,EAAE,OAAgC;;YACpE,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC;gBAClC,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI;aAC3B,CAAC,CAAA;YACF,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAI,KAAK,EAAE,IAAI,kCAClD,CAAC,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM,KAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,GAC/C,CAAC,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,KAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,EACxD,CAAC;gBAEH,IAAI,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,cAAc,KAAI,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;
oBACjE,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;gBACnD,CAAC;gBAED,OAAO,OAAO,CAAC;YACjB,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;KAAA;IAED;;;;;;;OAOG;IACH,YAAY,CAAC,KAAa,EAAE,cAAwB;QAClD,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC;QAEtD,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;QAE9E,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,kCAAkC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAChF,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACK,wBAAwB,CAAC,OAA4B;QAC3D,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC9B,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;YAC1B,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,WAAC,OAAA,CAAC,CAAC,CAAA,MAAA,KAAK,CAAC,IAAI,qDAAI,CAAA,CAAA,EAAA,CAAC;YAC5C,CAAC,CAAC,EAAE,CAAC;IACT,CAAC;IAED;;;;;OAKG;IACK,eAAe,CAAC,YAAoB;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QAC7C,IAAI,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QACD,IAAI,GAAG,GAAG,SAAS,GAAG,4BAA4B,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,SAAS,GAAG,GAAG,GAAG,4BAA4B,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,OAAO,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IACpC,CAAC;IAED;;;;;;OAMG;IACK,gBAAgB,CAAC,WAAmB,EAAE,IAAY;QACxD,OAAO,gBAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChF,CAAC;IAED;;;;;OAKG;IACG,kBAAkB,CAAC,YAAoB;;YAC3C,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;YAC/C,CAAC;YAED,IAAI,GAAG,CAAC;YACR,IAAI,CAAC;gBACH,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,YAAW,CAAC,SAAS,CAAC;oBAC7D,UAAU,EAAE,oBAAS,CAAC,YAAY;oBAClC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,QAAQ;oBACnC,aAAa,EAAE,IAAI,CAAC,UAAU,CAAC,YAAY;oBAC3C,aAAa,EAAE,YAAY;iBAC5B,CAAC,CAAC,CAAC;Y
ACN,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CAAC,4BAA4B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;YAC1G,CAAC;YAED,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;YACjE,CAAC;YAED,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;YAEjD,8CAA8C;YAC9C,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;YACrE,CAAC;YACD,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;YACtE,CAAC;YAED,OAAO;gBACL,WAAW,EAAE,YAAY;gBACzB,YAAY,EAAE,aAAa;aAC5B,CAAC;QACJ,CAAC;KAAA;CACF;AAlXD,iCAkXC"}
|
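--- a/package/lib/types/scalekit.d.ts
+++ b/package/lib/types/scalekit.d.ts
@@ -20,6 +20,11 @@ export type AuthorizationUrlOptions = {
 export type AuthenticationOptions = {
 codeVerifier?: string;
 };
+export type TokenValidationOptions = {
+issuer?: string;
+audience?: string[];
+requiredScopes?: string[];
+};
 export type AuthenticationResponse = {
 user: User;
 idToken: string;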
package/package.json
CHANGED
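--- a/package/src/core.ts
+++ b/package/src/core.ts
@@ -20,8 +20,8 @@ export default class CoreClient {
 public keys: JWK[] = [];
 public accessToken: string | null = null;
 public axios: Axios;
-public sdkVersion = `Scalekit-Node/2.0.
-public apiVersion = "
+public sdkVersion = `Scalekit-Node/2.0.1`;
+public apiVersion = "20250710";
 public userAgent = `${this.sdkVersion} Node/${process.version} (${process.platform}; ${os.arch()})`;
 constructor(
 readonly envUrl: string,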
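--- a/package/src/scalekit.ts
+++ b/package/src/scalekit.ts
@@ -11,7 +11,7 @@ import OrganizationClient from './organization';
 import PasswordlessClient from './passwordless';
 import UserClient from './user';
 import { IdpInitiatedLoginClaims, IdTokenClaim, User } from './types/auth';
-import { AuthenticationOptions, AuthenticationResponse, AuthorizationUrlOptions, GrantType, LogoutUrlOptions, RefreshTokenResponse } from './types/scalekit';
+import { AuthenticationOptions, AuthenticationResponse, AuthorizationUrlOptions, GrantType, LogoutUrlOptions, RefreshTokenResponse ,TokenValidationOptions } from './types/scalekit';
 
 const authorizeEndpoint = "oauth/authorize";
 const logoutEndpoint = "oidc/logout";
@@ -175,27 +175,31 @@ export default class ScalekitClient {
 * Get the idp initiated login claims
 *
 * @param {string} idpInitiatedLoginToken The idp_initiated_login query param from the URL
+* @param {TokenValidationOptions} options Optional validation options for issuer and audience
 * @returns {object} Returns the idp initiated login claims
 */
-async getIdpInitiatedLoginClaims(idpInitiatedLoginToken: string): Promise<IdpInitiatedLoginClaims> {
-return this.validateToken<IdpInitiatedLoginClaims>(idpInitiatedLoginToken);
+async getIdpInitiatedLoginClaims(idpInitiatedLoginToken: string, options?: TokenValidationOptions): Promise<IdpInitiatedLoginClaims> {
+return this.validateToken<IdpInitiatedLoginClaims>(idpInitiatedLoginToken, options);
 }
 
 /**
-* Validates the access token.
+* Validates the access token and returns a boolean result.
 *
 * @param {string} token The token to be validated.
+* @param {TokenValidationOptions} options Optional validation options for issuer, audience, and scopes
 * @return {Promise<boolean>} Returns true if the token is valid, false otherwise.
 */
-async validateAccessToken(token: string): Promise<boolean> {
+async validateAccessToken(token: string, options?: TokenValidationOptions): Promise<boolean> {
 try {
-await this.validateToken(token);
+await this.validateToken(token, options);
 return true;
 } catch (_) {
 return false;
 }
 }
 
+
+
 /**
 * Returns the logout URL that can be used to log out the user.
 * @param {LogoutUrlOptions} options Logout URL options
@@ -255,24 +259,69 @@ export default class ScalekitClient {
 }
 
 /**
-*
+* Validates a token and returns its payload if valid.
+* Supports issuer, audience, and scope validation.
 *
 * @param {string} token The token to be validated
-* @
+* @param {TokenValidationOptions} options Optional validation options for issuer, audience, and scopes
+* @return {Promise<T>} Returns the token payload if valid
+* @throws {Error} If token is invalid or missing required scopes
 */
-
+async validateToken<T>(token: string, options?: TokenValidationOptions): Promise<T> {
 await this.coreClient.getJwks();
 const jwks = jose.createLocalJWKSet({
 keys: this.coreClient.keys
 })
 try {
-const { payload } = await jose.jwtVerify<T>(token, jwks
+const { payload } = await jose.jwtVerify<T>(token, jwks, {
+...(options?.issuer && { issuer: options.issuer }),
+...(options?.audience && { audience: options.audience })
+});
+
+if (options?.requiredScopes && options.requiredScopes.length > 0) {
+this.verifyScopes(token, options.requiredScopes);
+}
+
 return payload;
 } catch (_) {
 throw new Error("Invalid token");
 }
 }
 
+/**
+* Verify that the token contains the required scopes
+*
+* @param {string} token The token to verify
+* @param {string[]} requiredScopes The scopes that must be present in the token
+* @return {boolean} Returns true if all required scopes are present
+* @throws {Error} If required scopes are missing, with details about which scopes are missing
+*/
+verifyScopes(token: string, requiredScopes: string[]): boolean {
+const payload = jose.decodeJwt(token);
+const scopes = this.extractScopesFromPayload(payload);
+
+const missingScopes = requiredScopes.filter(scope => !scopes.includes(scope));
+
+if (missingScopes.length > 0) {
+throw new Error(`Token missing required scopes: ${missingScopes.join(', ')}`);
+}
+
+return true;
+}
+
+/**
+* Extract scopes from token payload
+*
+* @param {any} payload The token payload
+* @return {string[]} Array of scopes found in the token
+*/
+private extractScopesFromPayload(payload: Record<string, any>): string[] {
+const scopes = payload.scopes;
+return Array.isArray(scopes)
+? scopes.filter((scope) => !!scope.trim?.())
+: [];
+}
+
 /**
 * Verify the timestamp
 *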
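Review bot: `verifyScopes` is a public method that reads the scopes with `jose.decodeJwt(token)`, which parses the payload without checking the signature, so a caller that invokes it on its own makes an authorization decision on unverified claims. Inside `validateToken` the call follows `jose.jwtVerify`, so that path is sound, but it decodes the token a second time instead of using the payload that was just verified; I would compare against `this.extractScopesFromPayload(payload)` there and document `verifyScopes` as "does not verify the signature; use only on a token that has already been validated". The scope check also sits inside the `try`, so the `Token missing required scopes: …` error is replaced by the generic `Invalid token` in the `catch`, which does not match the `@throws` text on `verifyScopes` when it is reached through `validateToken`. Separately, `extractScopesFromPayload` reads only an array-valued `scopes` claim; if the issuer can emit a space-delimited `scope` string instead, every required-scope check would be rejected, so that is worth confirming against the token format.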
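--- a/package/src/types/scalekit.ts
+++ b/package/src/types/scalekit.ts
@@ -24,6 +24,12 @@ export type AuthenticationOptions = {
 codeVerifier?: string;
 }
 
+export type TokenValidationOptions = {
+issuer?: string;
+audience?: string[];
+requiredScopes?: string[];
+}
+
 export type AuthenticationResponse = {
 user: User;
 idToken: string;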
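Review bot: The three fields of `TokenValidationOptions` have no doc comments, and what happens when one is left out is not obvious from the type. `validateToken` in `src/scalekit.ts` forwards `issuer` and `audience` to `jose.jwtVerify` only when they are truthy, so an omitted or empty-string `issuer` means the `iss` claim is not checked at all, and the same holds for an omitted `audience`. I would add one comment per field, e.g. `/** Expected iss claim; when omitted the issuer is not validated. */` on `issuer` and `/** Accepted aud values; when omitted the audience is not validated. */` on `audience`, plus a note on `requiredScopes` that an empty array skips the scope check.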