@schemavaults/auth-server-sdk 0.17.9 → 0.17.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/JwtKeyManager/DatabaseConnectedJwtKeyManager.d.ts +3 -6
- package/dist/JwtKeyManager/DatabaseConnectedJwtKeyManager.js +5 -7
- package/dist/JwtKeyManager/DatabaseConnectedJwtKeyManager.js.map +1 -1
- package/dist/JwtKeyManager/JsonWebKeySetsStore/AbstractJsonWebKeySetsStore.d.ts +3 -5
- package/dist/JwtKeyManager/JsonWebKeySetsStore/AbstractJsonWebKeySetsStore.js +20 -3
- package/dist/JwtKeyManager/JsonWebKeySetsStore/AbstractJsonWebKeySetsStore.js.map +1 -1
- package/dist/JwtKeyManager/JsonWebKeySetsStore/MockJwtKeySetsStore.d.ts +2 -2
- package/dist/JwtKeyManager/JwtDecodingKeysetNotFoundError.d.ts +8 -0
- package/dist/JwtKeyManager/JwtDecodingKeysetNotFoundError.js +20 -0
- package/dist/JwtKeyManager/JwtDecodingKeysetNotFoundError.js.map +1 -0
- package/dist/JwtKeyManager/RemoteJwtKeyManager/RemoteJwtKeyManager.d.ts +2 -1
- package/dist/JwtKeyManager/RemoteJwtKeyManager/RemoteJwtKeyManager.js +11 -0
- package/dist/JwtKeyManager/RemoteJwtKeyManager/RemoteJwtKeyManager.js.map +1 -1
- package/dist/JwtKeyManager/RemoteJwtKeyManager/jwksEndpoint.d.ts +2 -0
- package/dist/JwtKeyManager/RemoteJwtKeyManager/jwksEndpoint.js +11 -0
- package/dist/JwtKeyManager/RemoteJwtKeyManager/jwksEndpoint.js.map +1 -0
- package/dist/JwtKeyManager/RemoteJwtKeyManager/loadRemoteJwks.d.ts +5 -3
- package/dist/JwtKeyManager/RemoteJwtKeyManager/loadRemoteJwks.js +36 -9
- package/dist/JwtKeyManager/RemoteJwtKeyManager/loadRemoteJwks.js.map +1 -1
- package/dist/JwtKeyManager/index.d.ts +6 -5
- package/dist/JwtKeyManager/index.js +5 -4
- package/dist/JwtKeyManager/index.js.map +1 -1
- package/dist/JwtKeyManager/loadJwtDecodingKeys.d.ts +2 -1
- package/dist/JwtKeyManager/loadJwtDecodingKeys.js +26 -11
- package/dist/JwtKeyManager/loadJwtDecodingKeys.js.map +1 -1
- package/dist/auth-server-error-message-catalog.d.ts +1 -1
- package/dist/auth-server-error-message-catalog.js +2 -0
- package/dist/auth-server-error-message-catalog.js.map +1 -1
- package/dist/env/loadApiServerId.d.ts +2 -0
- package/dist/env/loadApiServerId.js +17 -0
- package/dist/env/loadApiServerId.js.map +1 -0
- package/dist/env/loadJwksAccessPrivateKey.d.ts +1 -0
- package/dist/env/loadJwksAccessPrivateKey.js +33 -0
- package/dist/env/loadJwksAccessPrivateKey.js.map +1 -0
- package/dist/is-valid-uuid.d.ts +1 -0
- package/dist/is-valid-uuid.js +7 -0
- package/dist/is-valid-uuid.js.map +1 -0
- package/dist/middleware/server-middleware.d.ts +2 -1
- package/dist/middleware/server-middleware.js +3 -2
- package/dist/middleware/server-middleware.js.map +1 -1
- package/dist/route_guards/route-guard-factory.js +20 -8
- package/dist/route_guards/route-guard-factory.js.map +1 -1
- package/package.json +7 -6
|
@@ -1,12 +1,9 @@
|
|
|
1
1
|
import type { JWKS } from "@schemavaults/jwt";
|
|
2
2
|
import type { IJsonWebKeySetsStore } from "./JsonWebKeySetsStore";
|
|
3
3
|
import type { IJwtKeyManager } from "./IJwtKeyManager";
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
constructor(store: IJsonWebKeySetsStore & IDatabaseResourceGroup);
|
|
4
|
+
export declare abstract class DatabaseConnectedJwtKeyManager implements IJwtKeyManager {
|
|
5
|
+
protected readonly store: IJsonWebKeySetsStore;
|
|
6
|
+
constructor(store: IJsonWebKeySetsStore);
|
|
8
7
|
loadJwks(audienceId: string): Promise<JWKS>;
|
|
9
|
-
hasBeenInitialized(): Promise<boolean>;
|
|
10
|
-
performSetupTasks(): Promise<void>;
|
|
11
8
|
}
|
|
12
9
|
export default DatabaseConnectedJwtKeyManager;
|
|
@@ -4,13 +4,11 @@ export class DatabaseConnectedJwtKeyManager {
|
|
|
4
4
|
this.store = store;
|
|
5
5
|
}
|
|
6
6
|
async loadJwks(audienceId) {
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
async performSetupTasks() {
|
|
13
|
-
return await this.store.performSetupTasks();
|
|
7
|
+
const jwks = await this.store.getJwks(audienceId);
|
|
8
|
+
if (!("keys" in jwks) || !Array.isArray(jwks.keys)) {
|
|
9
|
+
throw new TypeError("Expected loaded JWKS to have a 'keys' array property!");
|
|
10
|
+
}
|
|
11
|
+
return jwks;
|
|
14
12
|
}
|
|
15
13
|
}
|
|
16
14
|
export default DatabaseConnectedJwtKeyManager;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"DatabaseConnectedJwtKeyManager.js","sourceRoot":"","sources":["../../src/JwtKeyManager/DatabaseConnectedJwtKeyManager.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"DatabaseConnectedJwtKeyManager.js","sourceRoot":"","sources":["../../src/JwtKeyManager/DatabaseConnectedJwtKeyManager.ts"],"names":[],"mappings":"AAIA,MAAM,OAAgB,8BAA8B;IAC/B,KAAK,CAAuB;IAE/C,YAAmB,KAA2B;QAC5C,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;IAEM,KAAK,CAAC,QAAQ,CAAC,UAAkB;QACtC,MAAM,IAAI,GAAS,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QACxD,IAAI,CAAC,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,SAAS,CACjB,uDAAuD,CACxD,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,eAAe,8BAA8B,CAAC"}
|
|
@@ -1,16 +1,14 @@
|
|
|
1
|
+
import { type ApiServerId } from "@schemavaults/app-definitions";
|
|
1
2
|
import type { IJsonWebKeySetsStore } from "./IJsonWebKeySetsStore";
|
|
2
3
|
import { to_public_jwks, type I_JWT_Keys } from "@schemavaults/jwt";
|
|
3
|
-
import type { IDatabaseResourceGroup } from "../../DatabaseResourceGroup";
|
|
4
4
|
type JWKS = Awaited<ReturnType<typeof to_public_jwks>>;
|
|
5
|
-
export declare abstract class AbstractJsonWebKeySetsStore implements IJsonWebKeySetsStore
|
|
5
|
+
export declare abstract class AbstractJsonWebKeySetsStore implements IJsonWebKeySetsStore {
|
|
6
6
|
abstract get(audienceId: string, keySetId: string): Promise<I_JWT_Keys | null>;
|
|
7
7
|
abstract has(audienceId: string, keySetId: string): Promise<boolean>;
|
|
8
8
|
abstract storeKeySet(keys: I_JWT_Keys): Promise<void>;
|
|
9
9
|
abstract delete(audienceId: string, keySetId: string): Promise<void>;
|
|
10
10
|
abstract listActiveKeySets(audienceId: string, currentTimestamp?: number): Promise<readonly I_JWT_Keys[]>;
|
|
11
11
|
abstract clearOutdatedKeySets(currentTimestamp?: number): Promise<void>;
|
|
12
|
-
getJwks(audienceId:
|
|
13
|
-
abstract hasBeenInitialized(): Promise<boolean>;
|
|
14
|
-
abstract performSetupTasks(): Promise<void>;
|
|
12
|
+
getJwks(audienceId: ApiServerId): Promise<JWKS>;
|
|
15
13
|
}
|
|
16
14
|
export default AbstractJsonWebKeySetsStore;
|
|
@@ -1,13 +1,30 @@
|
|
|
1
|
-
import { apiServerIdSchema } from "@schemavaults/app-definitions";
|
|
1
|
+
import { apiServerIdSchema, } from "@schemavaults/app-definitions";
|
|
2
2
|
import { to_public_jwks } from "@schemavaults/jwt";
|
|
3
3
|
export class AbstractJsonWebKeySetsStore {
|
|
4
4
|
async getJwks(audienceId) {
|
|
5
5
|
if (!apiServerIdSchema.safeParse(audienceId).success) {
|
|
6
6
|
throw new Error("Invalid audience ID to load JWKS for!");
|
|
7
7
|
}
|
|
8
|
-
|
|
8
|
+
let keysets;
|
|
9
|
+
try {
|
|
10
|
+
keysets = await this.listActiveKeySets(audienceId);
|
|
11
|
+
}
|
|
12
|
+
catch (e) {
|
|
13
|
+
console.error(`There was an error listing the active keysets for audience '${audienceId}':`, e);
|
|
14
|
+
throw new Error(`There was an error listing the active keysets for audience '${audienceId}'`);
|
|
15
|
+
}
|
|
16
|
+
if (!Array.isArray(keysets)) {
|
|
17
|
+
throw new TypeError("Expected result of 'listActiveKeySets' to be an array!");
|
|
18
|
+
}
|
|
19
|
+
if (keysets.length === 0) {
|
|
20
|
+
console.warn(`[AbstractJsonWebKeySetsStore::getJwks(audience_id='${audienceId}')] listActiveKeySets returned an empty array!`);
|
|
21
|
+
}
|
|
9
22
|
const jwks_promise = to_public_jwks(keysets);
|
|
10
|
-
|
|
23
|
+
const jwks = await jwks_promise;
|
|
24
|
+
if (!("keys" in jwks) || !Array.isArray(jwks.keys)) {
|
|
25
|
+
throw new TypeError("Expected loaded JWKS to have a 'keys' array property!");
|
|
26
|
+
}
|
|
27
|
+
return jwks;
|
|
11
28
|
}
|
|
12
29
|
}
|
|
13
30
|
export default AbstractJsonWebKeySetsStore;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"AbstractJsonWebKeySetsStore.js","sourceRoot":"","sources":["../../../src/JwtKeyManager/JsonWebKeySetsStore/AbstractJsonWebKeySetsStore.ts"],"names":[],"mappings":"AAAA,OAAO,
|
|
1
|
+
{"version":3,"file":"AbstractJsonWebKeySetsStore.js","sourceRoot":"","sources":["../../../src/JwtKeyManager/JsonWebKeySetsStore/AbstractJsonWebKeySetsStore.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,iBAAiB,GAClB,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EAAE,cAAc,EAAmB,MAAM,mBAAmB,CAAC;AAIpE,MAAM,OAAgB,2BAA2B;IAgBxC,KAAK,CAAC,OAAO,CAAC,UAAuB;QAC1C,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QAED,IAAI,OAA8B,CAAC;QACnC,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QACrD,CAAC;QAAC,OAAO,CAAU,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CACX,+DAA+D,UAAU,IAAI,EAC7E,CAAC,CACF,CAAC;YACF,MAAM,IAAI,KAAK,CACb,+DAA+D,UAAU,GAAG,CAC7E,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,SAAS,CACjB,wDAAwD,CACzD,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CACV,sDAAsD,UAAU,gDAAgD,CACjH,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAAkB,cAAc,CAAC,OAAO,CAAC,CAAC;QAC5D,MAAM,IAAI,GAAS,MAAM,YAAY,CAAC;QACtC,IAAI,CAAC,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,SAAS,CACjB,uDAAuD,CACxD,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,eAAe,2BAA2B,CAAC"}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
import { I_JWT_Keys } from "@schemavaults/jwt";
|
|
1
|
+
import type { I_JWT_Keys } from "@schemavaults/jwt";
|
|
2
2
|
import AbstractJsonWebKeySetsStore from "./AbstractJsonWebKeySetsStore";
|
|
3
|
-
import { IJsonWebKeySetsStore } from "./IJsonWebKeySetsStore";
|
|
3
|
+
import type { IJsonWebKeySetsStore } from "./IJsonWebKeySetsStore";
|
|
4
4
|
export declare class MockJwtKeySetsStore extends AbstractJsonWebKeySetsStore implements IJsonWebKeySetsStore {
|
|
5
5
|
hasBeenInitialized(): Promise<boolean>;
|
|
6
6
|
performSetupTasks(): Promise<void>;
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @description Thrown when a JWT keyset with a given 'keyset_id' cannot be found!
|
|
3
|
+
*/
|
|
4
|
+
export declare class JwtDecodingKeysetNotFoundError extends Error {
|
|
5
|
+
readonly keyset_id: string;
|
|
6
|
+
constructor(keyset_id: string, message: string);
|
|
7
|
+
}
|
|
8
|
+
export default JwtDecodingKeysetNotFoundError;
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
// JwtDecodingKeysetNotFoundError.ts
|
|
2
|
+
import isValidUuid from "../is-valid-uuid";
|
|
3
|
+
/**
|
|
4
|
+
* @description Thrown when a JWT keyset with a given 'keyset_id' cannot be found!
|
|
5
|
+
*/
|
|
6
|
+
export class JwtDecodingKeysetNotFoundError extends Error {
|
|
7
|
+
keyset_id;
|
|
8
|
+
constructor(keyset_id, message) {
|
|
9
|
+
super(message);
|
|
10
|
+
if (typeof keyset_id !== "string" || !isValidUuid(keyset_id)) {
|
|
11
|
+
throw new TypeError("Expected first argument to JwtDecodingKeysetNotFoundError to be a 'keyset_id' UUID string");
|
|
12
|
+
}
|
|
13
|
+
else if (typeof message !== "string") {
|
|
14
|
+
throw new TypeError("Expected second argument to JwtDecodingKeysetNotFoundError to be a 'message' string!");
|
|
15
|
+
}
|
|
16
|
+
this.keyset_id = keyset_id;
|
|
17
|
+
}
|
|
18
|
+
}
|
|
19
|
+
export default JwtDecodingKeysetNotFoundError;
|
|
20
|
+
//# sourceMappingURL=JwtDecodingKeysetNotFoundError.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"JwtDecodingKeysetNotFoundError.js","sourceRoot":"","sources":["../../src/JwtKeyManager/JwtDecodingKeysetNotFoundError.ts"],"names":[],"mappings":"AAAA,oCAAoC;AAEpC,OAAO,WAAW,MAAM,iBAAiB,CAAC;AAE1C;;GAEG;AACH,MAAM,OAAO,8BAA+B,SAAQ,KAAK;IACvC,SAAS,CAAS;IAElC,YAAmB,SAAiB,EAAE,OAAe;QACnD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7D,MAAM,IAAI,SAAS,CACjB,2FAA2F,CAC5F,CAAC;QACJ,CAAC;aAAM,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YACvC,MAAM,IAAI,SAAS,CACjB,sFAAsF,CACvF,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;CACF;AAED,eAAe,8BAA8B,CAAC"}
|
|
@@ -1,11 +1,12 @@
|
|
|
1
1
|
import type { IJwtKeyManager } from "../../JwtKeyManager/IJwtKeyManager";
|
|
2
2
|
import type { JWKS } from "@schemavaults/jwt";
|
|
3
|
+
import { ApiServerId } from "@schemavaults/app-definitions";
|
|
3
4
|
export interface IRemoteJwtKeyManagerConstructorOpts {
|
|
4
5
|
auth_server_uri?: string;
|
|
5
6
|
}
|
|
6
7
|
export declare class RemoteJwtKeyManager implements IJwtKeyManager {
|
|
7
8
|
private readonly auth_server_uri;
|
|
8
9
|
constructor({ auth_server_uri, }: IRemoteJwtKeyManagerConstructorOpts);
|
|
9
|
-
loadJwks(audienceId:
|
|
10
|
+
loadJwks(audienceId: ApiServerId): Promise<JWKS>;
|
|
10
11
|
}
|
|
11
12
|
export default RemoteJwtKeyManager;
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
import loadRemoteJwks from "./loadRemoteJwks";
|
|
2
2
|
import { apiServerIdSchema, SCHEMAVAULTS_AUTH_APP_DEFINITION, } from "@schemavaults/app-definitions";
|
|
3
3
|
import getSchemaVaultsAuthServerUri from "../../get-schemavaults-auth-server-uri";
|
|
4
|
+
import loadJwksAccessPrivateKey from "../../env/loadJwksAccessPrivateKey";
|
|
4
5
|
export class RemoteJwtKeyManager {
|
|
5
6
|
auth_server_uri;
|
|
6
7
|
constructor({ auth_server_uri = getSchemaVaultsAuthServerUri(), }) {
|
|
@@ -13,8 +14,18 @@ export class RemoteJwtKeyManager {
|
|
|
13
14
|
if (audienceId === SCHEMAVAULTS_AUTH_APP_DEFINITION.app_id) {
|
|
14
15
|
throw new Error(`Auth server doesn't need to load remote JWKS; it already has the keys.`);
|
|
15
16
|
}
|
|
17
|
+
let jwks_access_private_key;
|
|
18
|
+
try {
|
|
19
|
+
jwks_access_private_key = await loadJwksAccessPrivateKey(process.env);
|
|
20
|
+
}
|
|
21
|
+
catch (e) {
|
|
22
|
+
console.error(e);
|
|
23
|
+
throw new TypeError("Failed to load JWKS access private key from environment variables!");
|
|
24
|
+
}
|
|
16
25
|
return await loadRemoteJwks({
|
|
17
26
|
auth_server_uri: this.auth_server_uri,
|
|
27
|
+
api_server_id: audienceId,
|
|
28
|
+
jwks_access_private_key,
|
|
18
29
|
});
|
|
19
30
|
}
|
|
20
31
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"RemoteJwtKeyManager.js","sourceRoot":"","sources":["../../../src/JwtKeyManager/RemoteJwtKeyManager/RemoteJwtKeyManager.ts"],"names":[],"mappings":"AAEA,OAAO,cAAc,MAAM,kBAAkB,CAAC;AAC9C,OAAO,
|
|
1
|
+
{"version":3,"file":"RemoteJwtKeyManager.js","sourceRoot":"","sources":["../../../src/JwtKeyManager/RemoteJwtKeyManager/RemoteJwtKeyManager.ts"],"names":[],"mappings":"AAEA,OAAO,cAAc,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAEL,iBAAiB,EACjB,gCAAgC,GACjC,MAAM,+BAA+B,CAAC;AACvC,OAAO,4BAA4B,MAAM,oCAAoC,CAAC;AAC9E,OAAO,wBAAwB,MAAM,gCAAgC,CAAC;AAMtE,MAAM,OAAO,mBAAmB;IACb,eAAe,CAAS;IAEzC,YAAmB,EACjB,eAAe,GAAG,4BAA4B,EAAE,GACZ;QACpC,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;IACzC,CAAC;IAEM,KAAK,CAAC,QAAQ,CAAC,UAAuB;QAC3C,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CACb,8CAA8C,UAAU,GAAG,CAC5D,CAAC;QACJ,CAAC;QAED,IAAI,UAAU,KAAK,gCAAgC,CAAC,MAAM,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CACb,wEAAwE,CACzE,CAAC;QACJ,CAAC;QAED,IAAI,uBAAkC,CAAC;QACvC,IAAI,CAAC;YACH,uBAAuB,GAAG,MAAM,wBAAwB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxE,CAAC;QAAC,OAAO,CAAU,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACjB,MAAM,IAAI,SAAS,CACjB,oEAAoE,CACrE,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,cAAc,CAAC;YAC1B,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,aAAa,EAAE,UAAU;YACzB,uBAAuB;SACxB,CAAC,CAAC;IACL,CAAC;CACF;AAED,eAAe,mBAAmB,CAAC"}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import { apiServerIdSchema, SCHEMAVAULTS_AUTH_SERVER, } from "@schemavaults/app-definitions";
|
|
2
|
+
export default function jwksEndpoint(api_server_id) {
|
|
3
|
+
if (!apiServerIdSchema.safeParse(api_server_id).success) {
|
|
4
|
+
throw new TypeError("Invalid 'api_server_id' to load JWKS endpoint URL for!");
|
|
5
|
+
}
|
|
6
|
+
if (api_server_id === SCHEMAVAULTS_AUTH_SERVER.api_server_id) {
|
|
7
|
+
throw new Error("The auth server does not expose a JWKS endpoint.");
|
|
8
|
+
}
|
|
9
|
+
return `/api/jwks/${api_server_id}`;
|
|
10
|
+
}
|
|
11
|
+
//# sourceMappingURL=jwksEndpoint.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"jwksEndpoint.js","sourceRoot":"","sources":["../../../src/JwtKeyManager/RemoteJwtKeyManager/jwksEndpoint.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,+BAA+B,CAAC;AAEvC,MAAM,CAAC,OAAO,UAAU,YAAY,CAClC,aAAgB;IAEhB,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE,CAAC;QACxD,MAAM,IAAI,SAAS,CACjB,wDAAwD,CACzD,CAAC;IACJ,CAAC;IAED,IAAI,aAAa,KAAK,wBAAwB,CAAC,aAAa,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,OAAO,aAAa,aAAa,EAAE,CAAC;AACtC,CAAC"}
|
|
@@ -1,7 +1,9 @@
|
|
|
1
|
-
import type
|
|
1
|
+
import { type JWKS } from "@schemavaults/jwt";
|
|
2
|
+
import { type ApiServerId } from "@schemavaults/app-definitions";
|
|
2
3
|
export interface ILoadRemoteJwksOpts {
|
|
3
4
|
auth_server_uri: string;
|
|
4
|
-
|
|
5
|
+
api_server_id: ApiServerId;
|
|
6
|
+
jwks_access_private_key: CryptoKey;
|
|
5
7
|
}
|
|
6
|
-
export declare function loadRemoteJwks({ auth_server_uri,
|
|
8
|
+
export declare function loadRemoteJwks({ auth_server_uri, api_server_id, jwks_access_private_key, }: ILoadRemoteJwksOpts): Promise<JWKS>;
|
|
7
9
|
export default loadRemoteJwks;
|
|
@@ -1,21 +1,48 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
1
|
+
import { createJwksAccessProofToken } from "@schemavaults/jwt";
|
|
2
|
+
import jwksEndpoint from "./jwksEndpoint";
|
|
3
|
+
import { apiServerIdSchema, } from "@schemavaults/app-definitions";
|
|
4
|
+
export async function loadRemoteJwks({ auth_server_uri, api_server_id, jwks_access_private_key, }) {
|
|
5
|
+
if (typeof auth_server_uri !== "string") {
|
|
6
|
+
throw new TypeError("Expected 'auth_server_uri' to be a string!");
|
|
7
|
+
}
|
|
8
|
+
else if (!auth_server_uri.startsWith("http://") &&
|
|
9
|
+
!auth_server_uri.startsWith("https://")) {
|
|
10
|
+
throw new TypeError("Expected 'auth_server_uri' to start with http:// or https://");
|
|
11
|
+
}
|
|
12
|
+
if (!apiServerIdSchema.safeParse(api_server_id).success) {
|
|
13
|
+
throw new TypeError("Invalid API server ID to load remote JWKS for!");
|
|
14
|
+
}
|
|
15
|
+
let jwks_access_proof_token;
|
|
16
|
+
try {
|
|
17
|
+
jwks_access_proof_token = await createJwksAccessProofToken({
|
|
18
|
+
api_server_id,
|
|
19
|
+
private_key: jwks_access_private_key,
|
|
20
|
+
});
|
|
21
|
+
}
|
|
22
|
+
catch (e) {
|
|
23
|
+
console.error(e);
|
|
24
|
+
throw new Error("Failed to create JWKS Access Proof Token!");
|
|
25
|
+
}
|
|
26
|
+
const response = await fetch(`${auth_server_uri}${jwksEndpoint(api_server_id)}`, {
|
|
27
|
+
method: "GET",
|
|
28
|
+
headers: new Headers({
|
|
29
|
+
Authorization: `Bearer ${jwks_access_proof_token}`,
|
|
30
|
+
}),
|
|
31
|
+
});
|
|
5
32
|
if (!response.ok || response.status !== 200) {
|
|
6
|
-
throw new Error(
|
|
33
|
+
throw new Error(`Failed to load jwks.json from auth server: ${response.status} ${response.statusText}`);
|
|
7
34
|
}
|
|
8
35
|
const body = await response.json();
|
|
9
|
-
if (typeof body !==
|
|
36
|
+
if (typeof body !== "object" || !body) {
|
|
10
37
|
throw new TypeError("Expected result of loading jwks.json to be an object!");
|
|
11
38
|
}
|
|
12
|
-
if (!("keys" in body) || !Array.isArray(body[
|
|
39
|
+
if (!("keys" in body) || !Array.isArray(body["keys"])) {
|
|
13
40
|
throw new Error("Expected response body of jwks.json to have a 'keys' array field!");
|
|
14
41
|
}
|
|
15
|
-
if (!body[
|
|
42
|
+
if (!body["keys"].every((key) => typeof key !== "object" || !key)) {
|
|
16
43
|
throw new Error("Expected every item in 'keys' array to be an object!");
|
|
17
44
|
}
|
|
18
|
-
const keys = body[
|
|
45
|
+
const keys = body["keys"];
|
|
19
46
|
return { keys };
|
|
20
47
|
}
|
|
21
48
|
export default loadRemoteJwks;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"loadRemoteJwks.js","sourceRoot":"","sources":["../../../src/JwtKeyManager/RemoteJwtKeyManager/loadRemoteJwks.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"loadRemoteJwks.js","sourceRoot":"","sources":["../../../src/JwtKeyManager/RemoteJwtKeyManager/loadRemoteJwks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,0BAA0B,EAAa,MAAM,mBAAmB,CAAC;AAC1E,OAAO,YAAY,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAEL,iBAAiB,GAClB,MAAM,+BAA+B,CAAC;AAQvC,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,EACnC,eAAe,EACf,aAAa,EACb,uBAAuB,GACH;IACpB,IAAI,OAAO,eAAe,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,SAAS,CAAC,4CAA4C,CAAC,CAAC;IACpE,CAAC;SAAM,IACL,CAAC,eAAe,CAAC,UAAU,CAAC,SAAS,CAAC;QACtC,CAAC,eAAe,CAAC,UAAU,CAAC,UAAU,CAAC,EACvC,CAAC;QACD,MAAM,IAAI,SAAS,CACjB,8DAA8D,CAC/D,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE,CAAC;QACxD,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAC;IACxE,CAAC;IAED,IAAI,uBAA+B,CAAC;IACpC,IAAI,CAAC;QACH,uBAAuB,GAAG,MAAM,0BAA0B,CAAC;YACzD,aAAa;YACb,WAAW,EAAE,uBAAuB;SACrC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,QAAQ,GAAa,MAAM,KAAK,CACpC,GAAG,eAAe,GAAG,YAAY,CAAC,aAAa,CAAC,EAAE,EAClD;QACE,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,IAAI,OAAO,CAAC;YACnB,aAAa,EAAE,UAAU,uBAAuB,EAAE;SACnD,CAAC;KACH,CACF,CAAC;IACF,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CACb,8CAA8C,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CACvF,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAY,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC5C,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;QACtC,MAAM,IAAI,SAAS,CACjB,uDAAuD,CACxD,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,mEAAmE,CACpE,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,MAAM,IAAI,GAAa,IAAI,CAAC,MAAM,CAAC,CAAC;IACpC,OAAO,EAAE,IAAI,EAAE,CAAC;AAClB,CAAC;AAED,eAAe,cAAc,CAAC"}
|
|
@@ -1,6 +1,7 @@
|
|
|
1
|
-
export { AbstractJsonWebKeySetsStore } from
|
|
2
|
-
export type { IJsonWebKeySetsStore } from
|
|
1
|
+
export { AbstractJsonWebKeySetsStore } from "./JsonWebKeySetsStore";
|
|
2
|
+
export type { IJsonWebKeySetsStore } from "./JsonWebKeySetsStore";
|
|
3
3
|
export type { IJwtKeyManager } from "./IJwtKeyManager";
|
|
4
|
-
export { DatabaseConnectedJwtKeyManager } from
|
|
5
|
-
export { RemoteJwtKeyManager } from
|
|
6
|
-
export { loadJwtDecodingKeys, type IDecodeAuthTokenKeys } from
|
|
4
|
+
export { DatabaseConnectedJwtKeyManager } from "./DatabaseConnectedJwtKeyManager";
|
|
5
|
+
export { RemoteJwtKeyManager } from "./RemoteJwtKeyManager";
|
|
6
|
+
export { loadJwtDecodingKeys, type IDecodeAuthTokenKeys, } from "./loadJwtDecodingKeys";
|
|
7
|
+
export { JwtDecodingKeysetNotFoundError } from "./JwtDecodingKeysetNotFoundError";
|
|
@@ -1,5 +1,6 @@
|
|
|
1
|
-
export { AbstractJsonWebKeySetsStore } from
|
|
2
|
-
export { DatabaseConnectedJwtKeyManager } from
|
|
3
|
-
export { RemoteJwtKeyManager } from
|
|
4
|
-
export { loadJwtDecodingKeys } from
|
|
1
|
+
export { AbstractJsonWebKeySetsStore } from "./JsonWebKeySetsStore";
|
|
2
|
+
export { DatabaseConnectedJwtKeyManager } from "./DatabaseConnectedJwtKeyManager";
|
|
3
|
+
export { RemoteJwtKeyManager } from "./RemoteJwtKeyManager";
|
|
4
|
+
export { loadJwtDecodingKeys, } from "./loadJwtDecodingKeys";
|
|
5
|
+
export { JwtDecodingKeysetNotFoundError } from "./JwtDecodingKeysetNotFoundError";
|
|
5
6
|
//# sourceMappingURL=index.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/JwtKeyManager/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,2BAA2B,EAAE,MAAM,uBAAuB,CAAC;AAKpE,OAAO,EAAE,8BAA8B,EAAE,MAAM,kCAAkC,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAE5D,OAAO,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/JwtKeyManager/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,2BAA2B,EAAE,MAAM,uBAAuB,CAAC;AAKpE,OAAO,EAAE,8BAA8B,EAAE,MAAM,kCAAkC,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAE5D,OAAO,EACL,mBAAmB,GAEpB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,8BAA8B,EAAE,MAAM,kCAAkC,CAAC"}
|
|
@@ -1,7 +1,8 @@
|
|
|
1
1
|
import type { IJwtKeyManager } from "../JwtKeyManager";
|
|
2
|
+
import { type ApiServerId } from "@schemavaults/app-definitions";
|
|
2
3
|
import { type JWKS } from "@schemavaults/jwt";
|
|
3
4
|
export interface ILoadJwtDecodingKeysOptions {
|
|
4
|
-
audience_id:
|
|
5
|
+
audience_id: ApiServerId;
|
|
5
6
|
keyset_id: string;
|
|
6
7
|
keys_manager: IJwtKeyManager;
|
|
7
8
|
debug?: boolean;
|
|
@@ -1,11 +1,13 @@
|
|
|
1
|
-
import
|
|
1
|
+
import isValidUuid from "../is-valid-uuid";
|
|
2
|
+
import { apiServerIdSchema, } from "@schemavaults/app-definitions";
|
|
2
3
|
import { importAsymmetricJWK } from "@schemavaults/jwt";
|
|
4
|
+
import { JwtDecodingKeysetNotFoundError } from "./JwtDecodingKeysetNotFoundError";
|
|
3
5
|
export async function loadJwtDecodingKeysFromJwks({ keyset_id, jwks, }, debug = false) {
|
|
4
6
|
if (jwks.keys.length === 0) {
|
|
5
|
-
throw new
|
|
7
|
+
throw new JwtDecodingKeysetNotFoundError(keyset_id, "JWKS appears to be empty, cannot extract decoding keys from empty set!");
|
|
6
8
|
}
|
|
7
9
|
if (debug) {
|
|
8
|
-
console.log(`loadJwtDecodingKeysFromJwks(keyset_id='${keyset_id}', jwks)`);
|
|
10
|
+
console.log(`loadJwtDecodingKeysFromJwks(keyset_id='${keyset_id}', jwks.keys.length='${jwks.keys.length}')`);
|
|
9
11
|
}
|
|
10
12
|
// Loop over keys in JWKS and find the required keys
|
|
11
13
|
let verification_key = undefined;
|
|
@@ -53,16 +55,16 @@ export async function loadJwtDecodingKeysFromJwks({ keyset_id, jwks, }, debug =
|
|
|
53
55
|
.map((k) => `'${k.kid}'`)
|
|
54
56
|
.join(", ");
|
|
55
57
|
if (!verification_key && !decryption_key) {
|
|
56
|
-
console.
|
|
57
|
-
throw new
|
|
58
|
+
console.warn(`Missing both verification and decryption keys for keyset '${keyset_id}' from available keys: `, listOfKidsInJwks);
|
|
59
|
+
throw new JwtDecodingKeysetNotFoundError(keyset_id, `Missing both verification and decryption keys for keyset '${keyset_id}'`);
|
|
58
60
|
}
|
|
59
61
|
else if (!verification_key) {
|
|
60
|
-
console.
|
|
61
|
-
throw new
|
|
62
|
+
console.warn(`Missing verification key for keyset '${keyset_id}' from available keys: `, listOfKidsInJwks);
|
|
63
|
+
throw new JwtDecodingKeysetNotFoundError(keyset_id, `Missing verification key for keyset '${keyset_id}'`);
|
|
62
64
|
}
|
|
63
65
|
else if (!decryption_key) {
|
|
64
|
-
console.
|
|
65
|
-
throw new
|
|
66
|
+
console.warn(`Missing decryption key for keyset '${keyset_id}' from available keys: `, listOfKidsInJwks);
|
|
67
|
+
throw new JwtDecodingKeysetNotFoundError(keyset_id, `Missing decryption key for keyset '${keyset_id}'`);
|
|
66
68
|
}
|
|
67
69
|
else {
|
|
68
70
|
throw new Error("Error handling missing JWT decoding keys gracefully!");
|
|
@@ -71,15 +73,28 @@ export async function loadJwtDecodingKeysFromJwks({ keyset_id, jwks, }, debug =
|
|
|
71
73
|
export async function loadJwtDecodingKeys({ keys_manager, keyset_id, audience_id, ...opts }) {
|
|
72
74
|
const debug = opts.debug ?? false;
|
|
73
75
|
if (!apiServerIdSchema.safeParse(audience_id).success) {
|
|
74
|
-
throw new
|
|
76
|
+
throw new TypeError(`Invalid audience ID to load JWT decoding keys for: '${audience_id}'`);
|
|
77
|
+
}
|
|
78
|
+
else if (!isValidUuid(keyset_id)) {
|
|
79
|
+
throw new TypeError("Expected 'keyset_id' to be a valid UUID!");
|
|
80
|
+
}
|
|
81
|
+
let jwks;
|
|
82
|
+
try {
|
|
83
|
+
jwks = await keys_manager.loadJwks(audience_id);
|
|
84
|
+
}
|
|
85
|
+
catch (e) {
|
|
86
|
+
console.error("Failed to load JWKS from key manager: ", e);
|
|
87
|
+
throw new Error("Failed to load JWKS from key manager!");
|
|
75
88
|
}
|
|
76
|
-
const jwks = await keys_manager.loadJwks(audience_id);
|
|
77
89
|
if (!jwks ||
|
|
78
90
|
typeof jwks !== "object" ||
|
|
79
91
|
!("keys" in jwks) ||
|
|
80
92
|
!Array.isArray(jwks.keys)) {
|
|
81
93
|
throw new TypeError("Invalid JWKS; not an object or missing 'keys' array!");
|
|
82
94
|
}
|
|
95
|
+
if (jwks.keys.length === 0) {
|
|
96
|
+
throw new JwtDecodingKeysetNotFoundError(keyset_id, "Received JWKS from JwtKeyManager but it does not appear to include any keys.");
|
|
97
|
+
}
|
|
83
98
|
const jwt_decoding_keys = await loadJwtDecodingKeysFromJwks({ keyset_id, jwks }, debug);
|
|
84
99
|
return jwt_decoding_keys;
|
|
85
100
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"loadJwtDecodingKeys.js","sourceRoot":"","sources":["../../src/JwtKeyManager/loadJwtDecodingKeys.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"loadJwtDecodingKeys.js","sourceRoot":"","sources":["../../src/JwtKeyManager/loadJwtDecodingKeys.ts"],"names":[],"mappings":"AAAA,OAAO,WAAW,MAAM,iBAAiB,CAAC;AAE1C,OAAO,EAEL,iBAAiB,GAClB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAa,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACnE,OAAO,EAAE,8BAA8B,EAAE,MAAM,kCAAkC,CAAC;AAelF,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,EACE,SAAS,EACT,IAAI,GAIL,EACD,QAAiB,KAAK;IAEtB,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,8BAA8B,CACtC,SAAS,EACT,wEAAwE,CACzE,CAAC;IACJ,CAAC;IAED,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CACT,0CAA0C,SAAS,wBAAwB,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAChG,CAAC;IACJ,CAAC;IAED,oDAAoD;IACpD,IAAI,gBAAgB,GAA0B,SAAS,CAAC;IACxD,IAAI,cAAc,GAA0B,SAAS,CAAC;IACtD,SAAS,oBAAoB;QAC3B,OAAO,gBAAgB,IAAI,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;IAC3D,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACpB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,IAAI,SAAS,CAAC,4CAA4C,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,GAAG,KAAK,GAAG,SAAS,eAAe,EAAE,CAAC;YACxC,gBAAgB,GAAG,MAAM,mBAAmB,CAAC,GAAG,CAAC,CAAC;YAClD,IAAI,oBAAoB,EAAE,EAAE,CAAC;gBAC3B,MAAM,CAAC,qCAAqC;YAC9C,CAAC;iBAAM,CAAC;gBACN,SAAS;YACX,CAAC;QACH,CAAC;aAAM,IAAI,GAAG,KAAK,GAAG,SAAS,aAAa,EAAE,CAAC;YAC7C,cAAc,GAAG,MAAM,mBAAmB,CAAC,GAAG,CAAC,CAAC;YAChD,IAAI,oBAAoB,EAAE,EAAE,CAAC;gBAC3B,MAAM,CAAC,qCAAqC;YAC9C,CAAC;iBAAM,CAAC;gBACN,SAAS;YACX,CAAC;QACH,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,cAAc;QAC1B,CAAC;IACH,CAAC;IAED,MAAM,yBAAyB,GAAY,oBAAoB,EAAE,CAAC;IAClE,IAAI,yBAAyB,IAAI,gBAAgB,IAAI,cAAc,EAAE,CAAC;QACpE,OAAO;YACL,SAAS;YACT,gBAAgB;YAChB,cAAc;SACgB,CAAC;IACnC,CAAC;IAED,4DAA4D;IAE5D,MAAM,gBAAgB,GAAW,IAAI,CAAC,IAAI;SACvC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC;SACxB,IAAI,CAAC,IAAI,CAAC,CAAC;IACd,IAAI,CAAC,gBAAgB,IAAI,CAAC,cAAc,EAAE,CAAC;QACzC,OAAO,CAAC,IAAI,CACV,6DAA6D,SAAS,yBAAyB,EAC/F,gBAAgB,CACjB,CAAC;QACF,MAAM,IAAI,8BAA8B,CACtC,SAAS,EACT,6DAA6D,SAAS,GAAG,CAC1E,CAAC;IACJ,CAAC;SAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC7B,OAAO,CAAC,IAAI,CACV,wCAAwC,SAAS,yBAAyB,EAC1E,gBAAgB,CACjB,CAAC;QACF,MAAM,IAAI,8BAA8B,CACtC,SAAS,EACT,wCAAwC,SAAS,GAAG,CACrD,CAAC;IACJ,CAAC;SAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC3B,OAAO,CAAC,IAAI,CACV,sCAAsC,SAAS,yBAAyB,EACxE,gBAAgB,CACjB,CAAC;QACF,MAAM,IAAI,8BAA8B,CACtC,SAAS,EACT,sCAAsC,SAAS,GAAG,CACnD,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,EACxC,YAAY,EACZ,SAAS,EACT,WAAW,EACX,GAAG,IAAI,EACqB;IAC5B,MAAM,KAAK,GAAY,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC;IAE3C,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,OAAO,EAAE,CAAC;QACtD,MAAM,IAAI,SAAS,CACjB,uDAAuD,WAAW,GAAG,CACtE,CAAC;IACJ,CAAC;SAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,SAAS,CAAC,0CAA0C,CAAC,CAAC;IAClE,CAAC;IAED,IAAI,IAAU,CAAC;IACf,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,IACE,CAAC,IAAI;QACL,OAAO,IAAI,KAAK,QAAQ;QACxB,CAAC,CAAC,MAAM,IAAI,IAAI,CAAC;QACjB,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EACzB,CAAC;QACD,MAAM,IAAI,SAAS,CAAC,sDAAsD,CAAC,CAAC;IAC9E,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,8BAA8B,CACtC,SAAS,EACT,8EAA8E,CAC/E,CAAC;IACJ,CAAC;IAED,MAAM,iBAAiB,GACrB,MAAM,2BAA2B,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,KAAK,CAAC,CAAC;IAEhE,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED,eAAe,mBAAmB,CAAC"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
declare const ERROR_IDS: readonly ["unknown", "bad_request", "app_id_not_found", "api_server_id_not_found", "unauthenticated", "forbidden", "load_user_data_failure", "internal_server_error"];
|
|
1
|
+
declare const ERROR_IDS: readonly ["unknown", "bad_request", "app_id_not_found", "api_server_id_not_found", "unauthenticated", "forbidden", "load_user_data_failure", "internal_server_error", "load_server_config_failure"];
|
|
2
2
|
export type SchemaVaultsAuthErrorId = (typeof ERROR_IDS)[number];
|
|
3
3
|
export declare const ERROR_MESSAGE_CATALOG: Record<SchemaVaultsAuthErrorId, string>;
|
|
4
4
|
export declare function isValidErrorId(id: string): id is SchemaVaultsAuthErrorId;
|
|
@@ -7,6 +7,7 @@ const ERROR_IDS = [
|
|
|
7
7
|
"forbidden",
|
|
8
8
|
"load_user_data_failure",
|
|
9
9
|
"internal_server_error",
|
|
10
|
+
"load_server_config_failure",
|
|
10
11
|
];
|
|
11
12
|
export const ERROR_MESSAGE_CATALOG = {
|
|
12
13
|
unknown: "An unknown error occurred",
|
|
@@ -17,6 +18,7 @@ export const ERROR_MESSAGE_CATALOG = {
|
|
|
17
18
|
forbidden: "Oops! You don't have permission to do that action! Get in touch with support if you believe this is a mistake!",
|
|
18
19
|
load_user_data_failure: "There was an error loading data associated with your SchemaVaults account!",
|
|
19
20
|
internal_server_error: "There was a problem in the SchemaVaults backend logic and something caused a crash!",
|
|
21
|
+
load_server_config_failure: "There was a problem loading server configuration settings.",
|
|
20
22
|
};
|
|
21
23
|
export function isValidErrorId(id) {
|
|
22
24
|
return ERROR_IDS.includes(id);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth-server-error-message-catalog.js","sourceRoot":"","sources":["../src/auth-server-error-message-catalog.ts"],"names":[],"mappings":"AAAA,MAAM,SAAS,GAAG;IAChB,SAAS;IACT,aAAa;IACb,kBAAkB;IAClB,yBAAyB;IACzB,iBAAiB;IACjB,WAAW;IACX,wBAAwB;IACxB,uBAAuB;
|
|
1
|
+
{"version":3,"file":"auth-server-error-message-catalog.js","sourceRoot":"","sources":["../src/auth-server-error-message-catalog.ts"],"names":[],"mappings":"AAAA,MAAM,SAAS,GAAG;IAChB,SAAS;IACT,aAAa;IACb,kBAAkB;IAClB,yBAAyB;IACzB,iBAAiB;IACjB,WAAW;IACX,wBAAwB;IACxB,uBAAuB;IACvB,4BAA4B;CACQ,CAAC;AAIvC,MAAM,CAAC,MAAM,qBAAqB,GAA4C;IAC5E,OAAO,EAAE,2BAA2B;IACpC,WAAW,EAAE,wCAAwC;IACrD,gBAAgB,EAAE,kCAAkC;IACpD,uBAAuB,EAAE,wCAAwC;IACjE,eAAe,EACb,iGAAiG;IACnG,SAAS,EACP,gHAAgH;IAClH,sBAAsB,EACpB,4EAA4E;IAC9E,qBAAqB,EACnB,qFAAqF;IACvF,0BAA0B,EACxB,4DAA4D;CAC/D,CAAC;AAEF,MAAM,UAAU,cAAc,CAAC,EAAU;IACvC,OAAO,SAAS,CAAC,QAAQ,CAAC,EAA8C,CAAC,CAAC;AAC5E,CAAC"}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import { apiServerIdSchema, } from "@schemavaults/app-definitions";
|
|
2
|
+
export default function loadApiServerId(env = process.env) {
|
|
3
|
+
if (typeof env === "object" &&
|
|
4
|
+
"SCHEMAVAULTS_API_SERVER_ID" in env &&
|
|
5
|
+
typeof env["SCHEMAVAULTS_API_SERVER_ID"] === "string" &&
|
|
6
|
+
env["SCHEMAVAULTS_API_SERVER_ID"].length > 0) {
|
|
7
|
+
const parsed = apiServerIdSchema.safeParse(env["SCHEMAVAULTS_API_SERVER_ID"]);
|
|
8
|
+
if (!parsed.success) {
|
|
9
|
+
throw new TypeError("Invalid value set for 'SCHEMAVAULTS_API_SERVER_ID' environment variable!");
|
|
10
|
+
}
|
|
11
|
+
return parsed.data;
|
|
12
|
+
}
|
|
13
|
+
else {
|
|
14
|
+
throw new TypeError("Environment variable 'SCHEMAVAULTS_API_SERVER_ID' is not set!");
|
|
15
|
+
}
|
|
16
|
+
}
|
|
17
|
+
//# sourceMappingURL=loadApiServerId.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"loadApiServerId.js","sourceRoot":"","sources":["../../src/env/loadApiServerId.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,iBAAiB,GAClB,MAAM,+BAA+B,CAAC;AAEvC,MAAM,CAAC,OAAO,UAAU,eAAe,CACrC,MAAc,OAAO,CAAC,GAAG;IAEzB,IACE,OAAO,GAAG,KAAK,QAAQ;QACvB,4BAA4B,IAAI,GAAG;QACnC,OAAO,GAAG,CAAC,4BAA4B,CAAC,KAAK,QAAQ;QACrD,GAAG,CAAC,4BAA4B,CAAC,CAAC,MAAM,GAAG,CAAC,EAC5C,CAAC;QACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CACxC,GAAG,CAAC,4BAA4B,CAAC,CAClC,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,SAAS,CACjB,0EAA0E,CAC3E,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,SAAS,CACjB,+DAA+D,CAChE,CAAC;IACJ,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export default function loadJwksAccessPrivateKey(env?: object): Promise<CryptoKey>;
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
import { importPKCS8, PEMFormat, sign_verify_alg } from "@schemavaults/jwt";
|
|
2
|
+
export default async function loadJwksAccessPrivateKey(env = process.env) {
|
|
3
|
+
if (typeof env === "object" &&
|
|
4
|
+
"SCHEMAVAULTS_AUTH_JWKS_ACCESS_PRIVATE_KEY" in env &&
|
|
5
|
+
typeof env["SCHEMAVAULTS_AUTH_JWKS_ACCESS_PRIVATE_KEY"] === "string" &&
|
|
6
|
+
env["SCHEMAVAULTS_AUTH_JWKS_ACCESS_PRIVATE_KEY"].length > 0) {
|
|
7
|
+
const environmentVariable = env["SCHEMAVAULTS_AUTH_JWKS_ACCESS_PRIVATE_KEY"];
|
|
8
|
+
let pem;
|
|
9
|
+
if (PEMFormat.isPemFormat(environmentVariable, "PRIVATE")) {
|
|
10
|
+
try {
|
|
11
|
+
pem = PEMFormat.parsePem(environmentVariable, "PRIVATE");
|
|
12
|
+
}
|
|
13
|
+
catch (e) {
|
|
14
|
+
console.error(e);
|
|
15
|
+
throw new TypeError("Failed to import environment variable 'SCHEMAVAULTS_AUTH_JWKS_ACCESS_PRIVATE_KEY' from PEM-encoded environment variable!");
|
|
16
|
+
}
|
|
17
|
+
}
|
|
18
|
+
else {
|
|
19
|
+
try {
|
|
20
|
+
pem = PEMFormat.fromBase64Url(environmentVariable, "PRIVATE");
|
|
21
|
+
}
|
|
22
|
+
catch (e) {
|
|
23
|
+
console.error(e);
|
|
24
|
+
throw new TypeError("Failed to import environment variable 'SCHEMAVAULTS_AUTH_JWKS_ACCESS_PRIVATE_KEY' from base64url-encoded environment variable!");
|
|
25
|
+
}
|
|
26
|
+
}
|
|
27
|
+
return await importPKCS8(pem.value, sign_verify_alg);
|
|
28
|
+
}
|
|
29
|
+
else {
|
|
30
|
+
throw new TypeError("Environment variable 'SCHEMAVAULTS_AUTH_JWKS_ACCESS_PRIVATE_KEY' missing!");
|
|
31
|
+
}
|
|
32
|
+
}
|
|
33
|
+
//# sourceMappingURL=loadJwksAccessPrivateKey.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"loadJwksAccessPrivateKey.js","sourceRoot":"","sources":["../../src/env/loadJwksAccessPrivateKey.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAE5E,MAAM,CAAC,OAAO,CAAC,KAAK,UAAU,wBAAwB,CACpD,MAAc,OAAO,CAAC,GAAG;IAEzB,IACE,OAAO,GAAG,KAAK,QAAQ;QACvB,2CAA2C,IAAI,GAAG;QAClD,OAAO,GAAG,CAAC,2CAA2C,CAAC,KAAK,QAAQ;QACpE,GAAG,CAAC,2CAA2C,CAAC,CAAC,MAAM,GAAG,CAAC,EAC3D,CAAC;QACD,MAAM,mBAAmB,GACvB,GAAG,CAAC,2CAA2C,CAAC,CAAC;QAEnD,IAAI,GAAc,CAAC;QACnB,IAAI,SAAS,CAAC,WAAW,CAAC,mBAAmB,EAAE,SAAS,CAAC,EAAE,CAAC;YAC1D,IAAI,CAAC;gBACH,GAAG,GAAG,SAAS,CAAC,QAAQ,CAAC,mBAAmB,EAAE,SAAS,CAAC,CAAC;YAC3D,CAAC;YAAC,OAAO,CAAU,EAAE,CAAC;gBACpB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACjB,MAAM,IAAI,SAAS,CACjB,0HAA0H,CAC3H,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,CAAC;gBACH,GAAG,GAAG,SAAS,CAAC,aAAa,CAAC,mBAAmB,EAAE,SAAS,CAAC,CAAC;YAChE,CAAC;YAAC,OAAO,CAAU,EAAE,CAAC;gBACpB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACjB,MAAM,IAAI,SAAS,CACjB,gIAAgI,CACjI,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,MAAM,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACvD,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,SAAS,CACjB,2EAA2E,CAC5E,CAAC;IACJ,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export default function isValidUuid(val: unknown): val is string;
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"is-valid-uuid.js","sourceRoot":"","sources":["../src/is-valid-uuid.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,OAAO,UAAU,WAAW,CAAC,GAAY;IAC9C,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC;AAClD,CAAC"}
|
|
@@ -4,7 +4,7 @@ import { type SchemaVaultsAppEnvironment } from "@schemavaults/app-definitions";
|
|
|
4
4
|
import { type SchemaVaultsCORSEnforcementPolicy } from "./middlewares/withCorsSettings";
|
|
5
5
|
import type { ISchemaVaultsMiddleware, ISchemaVaultsMiddlewareFnInputs } from "./middleware_types";
|
|
6
6
|
import BaseMiddleware from "./middlewares/BaseMiddleware";
|
|
7
|
-
import { IJwtKeyManager } from "../JwtKeyManager";
|
|
7
|
+
import type { IJwtKeyManager } from "../JwtKeyManager";
|
|
8
8
|
export interface IServerMiddlewareInitializationOptions {
|
|
9
9
|
api_server_id?: string;
|
|
10
10
|
auth_middleware_rules?: AuthMiddlewareRules;
|
|
@@ -21,3 +21,4 @@ export declare class SchemaVaultsServerMiddleware extends BaseMiddleware impleme
|
|
|
21
21
|
constructor(options: IServerMiddlewareInitializationOptions);
|
|
22
22
|
handle({ req, ...inputs }: ISchemaVaultsMiddlewareFnInputs): Promise<NextResponse | Response>;
|
|
23
23
|
}
|
|
24
|
+
export default SchemaVaultsServerMiddleware;
|
|
@@ -50,7 +50,7 @@ export class SchemaVaultsServerMiddleware extends BaseMiddleware {
|
|
|
50
50
|
}
|
|
51
51
|
else {
|
|
52
52
|
jwt_keys_manager = new RemoteJwtKeyManager({
|
|
53
|
-
auth_server_uri: getHardcodedClientWebAppDomain(SCHEMAVAULTS_AUTH_APP_DEFINITION.app_id, environment)
|
|
53
|
+
auth_server_uri: getHardcodedClientWebAppDomain(SCHEMAVAULTS_AUTH_APP_DEFINITION.app_id, environment),
|
|
54
54
|
});
|
|
55
55
|
}
|
|
56
56
|
}
|
|
@@ -74,7 +74,7 @@ export class SchemaVaultsServerMiddleware extends BaseMiddleware {
|
|
|
74
74
|
middleware_rules: opts.auth_middleware_rules,
|
|
75
75
|
debug: debug,
|
|
76
76
|
environment: environment,
|
|
77
|
-
keys_manager: jwt_keys_manager
|
|
77
|
+
keys_manager: jwt_keys_manager,
|
|
78
78
|
}),
|
|
79
79
|
],
|
|
80
80
|
debug,
|
|
@@ -100,4 +100,5 @@ export class SchemaVaultsServerMiddleware extends BaseMiddleware {
|
|
|
100
100
|
return await next.handle({ req, ...inputs });
|
|
101
101
|
}
|
|
102
102
|
}
|
|
103
|
+
export default SchemaVaultsServerMiddleware;
|
|
103
104
|
//# sourceMappingURL=server-middleware.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server-middleware.js","sourceRoot":"","sources":["../../src/middleware/server-middleware.ts"],"names":[],"mappings":"AAAA,uBAAuB;
|
|
1
|
+
{"version":3,"file":"server-middleware.js","sourceRoot":"","sources":["../../src/middleware/server-middleware.ts"],"names":[],"mappings":"AAAA,uBAAuB;AAGvB,OAAO,EAEL,eAAe,GAChB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAEL,iBAAiB,EACjB,iBAAiB,EACjB,8BAA8B,EAC9B,gCAAgC,GAEjC,MAAM,+BAA+B,CAAC;AAEvC,0BAA0B;AAC1B,OAAO,kCAAkC,MAAM,qCAAqC,CAAC;AACrF,OAAO,qBAAqB,EAAE,EAE5B,mCAAmC,IAAI,aAAa,GACrD,MAAM,gCAAgC,CAAC;AACxC,OAAO,+BAA+B,MAAM,2BAA2B,CAAC;AAMxE,OAAO,cAAc,MAAM,8BAA8B,CAAC;AAE1D,OAAO,mBAAmB,MAAM,qCAAqC,CAAC;AAWtE,MAAM,OAAO,4BACX,SAAQ,cAAc;IA0GM;IAvGpB,MAAM,CAAC,kBAAkB,CAC/B,aAAsB;QAEtB,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,CACX,0GAA0G,CAC3G,CAAC;YACF,MAAM,IAAI,SAAS,CAAC,wCAAwC,CAAC,CAAC;QAChE,CAAC;QACD,MAAM,oBAAoB,GAAG,iBAAiB,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QACxE,IAAI,CAAC,oBAAoB,CAAC,OAAO,EAAE,CAAC;YAClC,OAAO,CAAC,KAAK,CACX,+EAA+E,EAC/E,oBAAoB,CAAC,KAAK,CAC3B,CAAC;YACF,MAAM,IAAI,SAAS,CACjB,8EAA8E,CAC/E,CAAC;QACJ,CAAC;QACD,OAAO,oBAAoB,CAAC,OAAO,CAAC;IACtC,CAAC;IAEO,MAAM,CAAC,oBAAoB,CACjC,WAAuC;QAEvC,IAAI,WAAW,KAAK,aAAa,EAAE,CAAC;YAClC,OAAO,aAAa,CAAC,QAAQ,CAAC;QAChC,CAAC;QACD,OAAO,aAAa,CAAC,8BAA8B,CAAC;IACtD,CAAC;IAEO,MAAM,CAAC,oBAAoB,CACjC,IAA4C;QAE5C,IAAI,CAAC,4BAA4B,CAAC,kBAAkB,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;YACzE,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAC;QACxE,CAAC;QACD,MAAM,QAAQ,GAAgB,IAAI,CAAC,aAAa,CAAC;QAEjD,MAAM,WAAW,GACf,IAAI,CAAC,WAAW,IAAI,iBAAiB,EAAE,CAAC;QAE1C,MAAM,YAAY,GAChB,QAAQ,KAAK,gCAAgC,CAAC,MAAM,CAAC;QACvD,IAAI,gBAAgC,CAAC;QACrC,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CACb,+DAA+D,CAChE,CAAC;YACJ,CAAC;YACD,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,IAAI,QAAQ,KAAK,gCAAgC,CAAC,MAAM,EAAE,CAAC;gBACzD,MAAM,IAAI,KAAK,CACb,oEAAoE,CACrE,CAAC;YACJ,CAAC;YACD,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC1B,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBACN,gBAAgB,GAAG,IAAI,mBAAmB,CAAC;oBACzC,eAAe,EAAE,8BAA8B,CAC7C,gCAAgC,CAAC,MAAM,EACvC,WAAW,CACZ;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GACT,OAAO,IAAI,CAAC,KAAK,KAAK,SAAS;YAC7B,CAAC,CAAC,IAAI,CAAC,KAAK;YACZ,CAAC,CAAC,WAAW,KAAK,aAAa;gBAC7B,WAAW,KAAK,MAAM;gBACtB,WAAW,KAAK,SAAS,CAAC;QAEhC,MAAM,WAAW,GACf,IAAI,CAAC,WAAW;YAChB,4BAA4B,CAAC,oBAAoB,CAAC,WAAW,CAAC,CAAC;QAEjE,MAAM,mBAAmB,GAAgC;YACvD,WAAW,EAAE;gBACX,IAAI,+BAA+B,EAAE;gBACrC,IAAI,qBAAqB,CAAC;oBACxB,KAAK,EAAE,KAAK;oBACZ,QAAQ;oBACR,MAAM,EAAE,WAAW;iBACpB,CAAC;gBACF,IAAI,kCAAkC,CAAC;oBACrC,QAAQ;oBACR,gBAAgB,EAAE,IAAI,CAAC,qBAAqB;oBAC5C,KAAK,EAAE,KAAK;oBACZ,WAAW,EAAE,WAAW;oBACxB,YAAY,EAAE,gBAAgB;iBAC/B,CAAC;aAC0D;YAC9D,KAAK;SACN,CAAC;QAEF,OAAO,IAAI,eAAe,CAAC,mBAAmB,CAAC,CAAC;IAClD,CAAC;IAED,YAA4B,OAA+C;QACzE,KAAK,CAAC;YACJ,GAAG,OAAO;YACV,IAAI,EAAE,8BAA8B;YACpC,IAAI,EAAE,4BAA4B,CAAC,oBAAoB,CAAC,OAAO,CAAC;SACjE,CAAC,CAAC;QALuB,YAAO,GAAP,OAAO,CAAwC;QAOzE,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CACT,0DAA0D,OAAO,CAAC,aAAa,uBAAuB,EACtG,IAAI,CAAC,sBAAsB,EAAE,CAC9B,CAAC;QACJ,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,MAAM,CAAC,EAClB,GAAG,EACH,GAAG,MAAM,EACuB;QAChC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACvB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QACD,OAAO,MAAM,IAAI,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC;IAC/C,CAAC;CACF;AAED,eAAe,4BAA4B,CAAC"}
|
|
@@ -1,11 +1,12 @@
|
|
|
1
1
|
import AdminRequiredRouteGuard from "./admin";
|
|
2
2
|
import AuthenticationRequiredRouteGuard from "./authenticated";
|
|
3
3
|
import { z } from "zod";
|
|
4
|
-
import {
|
|
4
|
+
import { decodeJWTs, organizationIdSchema, } from "@schemavaults/auth-common";
|
|
5
5
|
import { decodeJWT as decodeSchemavaultsJwt, getKeysetIdFromToken, } from "@schemavaults/jwt";
|
|
6
6
|
import { apiServerIdSchema, getAppEnvironment, getHardcodedClientWebAppDomain, SCHEMAVAULTS_AUTH_APP_DEFINITION, } from "@schemavaults/app-definitions";
|
|
7
7
|
import loadJwtDecodingKeys from "../JwtKeyManager/loadJwtDecodingKeys";
|
|
8
|
-
import { RemoteJwtKeyManager } from "../JwtKeyManager";
|
|
8
|
+
import { RemoteJwtKeyManager, JwtDecodingKeysetNotFoundError, } from "../JwtKeyManager";
|
|
9
|
+
import isValidUuid from "../is-valid-uuid";
|
|
9
10
|
const GUARD_TYPES = [
|
|
10
11
|
"authenticated",
|
|
11
12
|
"admin",
|
|
@@ -67,10 +68,14 @@ export class RouteGuardFactory {
|
|
|
67
68
|
if (!apiServerIdSchema.safeParse(jwt_audience).success) {
|
|
68
69
|
throw new TypeError(`Invalid API server ID for 'jwt_audience': ${jwt_audience}`);
|
|
69
70
|
}
|
|
71
|
+
const keys_manager = this.jwt_keys_manager;
|
|
72
|
+
if (!keys_manager) {
|
|
73
|
+
throw new Error("Failed to resolve reference to JWT keys manager to operate this route guard!");
|
|
74
|
+
}
|
|
70
75
|
let user = null;
|
|
71
76
|
let user_organizations = null;
|
|
72
77
|
try {
|
|
73
|
-
user = await
|
|
78
|
+
user = await decodeJWTs({
|
|
74
79
|
token_sources,
|
|
75
80
|
jwt_audience,
|
|
76
81
|
decodeJWT: async (opts) => {
|
|
@@ -85,9 +90,8 @@ export class RouteGuardFactory {
|
|
|
85
90
|
console.error("Failed to load 'keyset_id' from auth token: ", e);
|
|
86
91
|
throw new Error("Failed to load 'keyset_id' from auth token!");
|
|
87
92
|
}
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
throw new Error("Failed to resolve reference to JWT keys manager to operate this route guard!");
|
|
93
|
+
if (!keyset_id || !isValidUuid(keyset_id)) {
|
|
94
|
+
throw new TypeError("Expected 'keyset_id' from token to be a valid UUID!");
|
|
91
95
|
}
|
|
92
96
|
let decodingKeys;
|
|
93
97
|
try {
|
|
@@ -102,7 +106,10 @@ export class RouteGuardFactory {
|
|
|
102
106
|
}
|
|
103
107
|
}
|
|
104
108
|
catch (e) {
|
|
105
|
-
console.
|
|
109
|
+
console.warn(`[createGuardFromTokenSources] Failed to load keys associated with token-associated keyset '${keyset_id}': `, e);
|
|
110
|
+
if (e instanceof JwtDecodingKeysetNotFoundError) {
|
|
111
|
+
throw e;
|
|
112
|
+
}
|
|
106
113
|
throw new Error("Failed to load keys associated with token-associated keyset!");
|
|
107
114
|
}
|
|
108
115
|
const { decryption_key, verification_key } = decodingKeys;
|
|
@@ -135,7 +142,12 @@ export class RouteGuardFactory {
|
|
|
135
142
|
}
|
|
136
143
|
}
|
|
137
144
|
catch (e) {
|
|
138
|
-
|
|
145
|
+
if (e instanceof JwtDecodingKeysetNotFoundError) {
|
|
146
|
+
console.warn(`[createdGuardFromTokenSources] Failed to load keyset '${e.keyset_id}' associated with provided token: `, e);
|
|
147
|
+
}
|
|
148
|
+
else {
|
|
149
|
+
console.warn("No-op error creating route-guard... Failed to decode JWTs, setting user = null", e);
|
|
150
|
+
}
|
|
139
151
|
user = null;
|
|
140
152
|
user_organizations = null;
|
|
141
153
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"route-guard-factory.js","sourceRoot":"","sources":["../../src/route_guards/route-guard-factory.ts"],"names":[],"mappings":"AAAA,OAAO,uBAAuB,MAAM,SAAS,CAAC;AAC9C,OAAO,gCAAgC,MAAM,iBAAiB,CAAC;AAE/D,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EACL,
|
|
1
|
+
{"version":3,"file":"route-guard-factory.js","sourceRoot":"","sources":["../../src/route_guards/route-guard-factory.ts"],"names":[],"mappings":"AAAA,OAAO,uBAAuB,MAAM,SAAS,CAAC;AAC9C,OAAO,gCAAgC,MAAM,iBAAiB,CAAC;AAE/D,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EACL,UAAU,EAKV,oBAAoB,GACrB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAEL,SAAS,IAAI,qBAAqB,EAClC,oBAAoB,GACrB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,8BAA8B,EAC9B,gCAAgC,GAEjC,MAAM,+BAA+B,CAAC;AACvC,OAAO,mBAEN,MAAM,qCAAqC,CAAC;AAC7C,OAAO,EACL,mBAAmB,EAEnB,8BAA8B,GAC/B,MAAM,iBAAiB,CAAC;AACzB,OAAO,WAAW,MAAM,iBAAiB,CAAC;AAW1C,MAAM,WAAW,GAAG;IAClB,eAAe;IACf,OAAO;CAC6B,CAAC;AAGvC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,GAAG,EAAyB,EAAE;IAC5E,OACE,WACD,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC;AAEH,MAAM,MAAM,GAAG;IACb,aAAa,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,gCAAgC,CAAC,IAAI,CAAC;IACnE,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,uBAAuB,CAAC,IAAI,CAAC;CAInD,CAAC;AAEF,MAAM,OAAO,iBAAiB;IACX,gBAAgB,CAAiB;IACjC,WAAW,CAA6B;IACxC,KAAK,CAAU;IACf,cAAc,CAAU;IAEzC,YAAmB,EAAE,WAAW,EAAE,GAAG,IAAI,EAAgC;QACvE,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC;QACjC,IACE,OAAO,IAAI,CAAC,cAAc,KAAK,SAAS;YACxC,OAAO,IAAI,CAAC,cAAc,KAAK,WAAW,EAC1C,CAAC;YACD,MAAM,IAAI,SAAS,CAAC,oCAAoC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,IAAI,KAAK,CAAC;QAEnD,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC1B,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;gBACxB,MAAM,IAAI,SAAS,CACjB,8EAA8E,CAC/E,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,gBAAgB,GAAG,IAAI,mBAAmB,CAAC;gBAC9C,eAAe,EAAE,8BAA8B,CAC7C,gCAAgC,CAAC,MAAM,EACvC,WAAW,CACZ;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,qBAAqB,CAAC,IAAa;QAChD,IAAI,OAAO,IAAI,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC3C,OAAO,oBAAoB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC;IACtD,CAAC;IAEM,MAAM,CAAC,sBAAsB,CAClC,IAAoB,EACpB,IAAgC;QAEhC,IAAI,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CACb,+CAA+C,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACxE,CAAC;QACJ,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,KAAK,GAAgB,YAAY,CAAC,IAAI,CAAC,CAAC;QAE9C,OAAO,KAAK,CAAC;IACf,CAAC;IAEM,sBAAsB,CAC3B,IAAoB,EACpB,IAAgC;QAEhC,OAAO,iBAAiB,CAAC,sBAAsB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC9D,CAAC;IAEM,KAAK,CAAC,2BAA2B,CACtC,IAAoB,EACpB,aAAqD,EACrD,YAAoB;QAEpB,MAAM,WAAW,GAA+B,IAAI,CAAC,WAAW,CAAC;QACjE,MAAM,KAAK,GAAY,IAAI,CAAC,KAAK,CAAC;QAClC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,GAAG,CACT,mEAAmE,EACnE,aAAa,CACd,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,YAA6B,CAAC,CAAC,OAAO,EAAE,CAAC;YACxE,MAAM,IAAI,SAAS,CACjB,6CAA6C,YAAY,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAAmB,IAAI,CAAC,gBAAgB,CAAC;QAC3D,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CACb,8EAA8E,CAC/E,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,GAAoB,IAAI,CAAC;QACjC,IAAI,kBAAkB,GAAqC,IAAI,CAAC;QAChE,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,UAAU,CACrB;gBACE,aAAa;gBACb,YAAY;gBACZ,SAAS,EAAE,KAAK,EAAE,IAAI,EAAgC,EAAE;oBACtD,IAAI,WAAW,KAAK,YAAY,EAAE,CAAC;wBACjC,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;oBACjE,CAAC;oBAED,IAAI,SAAiB,CAAC;oBACtB,IAAI,CAAC;wBACH,SAAS,GAAG,oBAAoB,CAAC,IAAI,CAAC,KAAsB,CAAC,CAAC;oBAChE,CAAC;oBAAC,OAAO,CAAU,EAAE,CAAC;wBACpB,OAAO,CAAC,KAAK,CAAC,8CAA8C,EAAE,CAAC,CAAC,CAAC;wBACjE,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;oBACjE,CAAC;oBAED,IAAI,CAAC,SAAS,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;wBAC1C,MAAM,IAAI,SAAS,CACjB,qDAAqD,CACtD,CAAC;oBACJ,CAAC;oBAED,IAAI,YAAkC,CAAC;oBACvC,IAAI,CAAC;wBACH,YAAY,GAAG,MAAM,mBAAmB,CAAC;4BACvC,SAAS;4BACT,YAAY;4BACZ,WAAW,EAAE,YAAY;4BACzB,KAAK;yBACN,CAAC,CAAC;wBACH,IAAI,YAAY,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;4BACzC,MAAM,IAAI,KAAK,CACb,kEAAkE,CACnE,CAAC;wBACJ,CAAC;oBACH,CAAC;oBAAC,OAAO,CAAU,EAAE,CAAC;wBACpB,OAAO,CAAC,IAAI,CACV,8FAA8F,SAAS,KAAK,EAC5G,CAAC,CACF,CAAC;wBACF,IAAI,CAAC,YAAY,8BAA8B,EAAE,CAAC;4BAChD,MAAM,CAAC,CAAC;wBACV,CAAC;wBACD,MAAM,IAAI,KAAK,CACb,8DAA8D,CAC/D,CAAC;oBACJ,CAAC;oBACD,MAAM,EAAE,cAAc,EAAE,gBAAgB,EAAE,GAAG,YAAY,CAAC;oBAE1D,IAAI,CAAC;wBACH,OAAO,CAAC,MAAM,qBAAqB,CAAC;4BAClC,GAAG,EAAE,IAAI,CAAC,KAAK;4BACf,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,QAAQ,EAAE,IAAI,CAAC,YAAY;4BAC3B,cAAc;4BACd,gBAAgB;4BAChB,SAAS;4BACT,GAAG,EAAE,WAAW;yBACjB,CAAC,CAA4B,CAAC;oBACjC,CAAC;oBAAC,OAAO,CAAU,EAAE,CAAC;wBACpB,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC;wBACtD,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;oBACtD,CAAC;gBACH,CAAC;aACF,EACD,KAAK,CACN,CAAC;YACF,IAAI,CAAC,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;YAC7D,CAAC;YAED,IACE,IAAI,CAAC,IAAI,CAAC,KAAK,CACb,CAAC,MAAM,EAAE,EAAE,CACT,OAAO,MAAM,KAAK,QAAQ;gBAC1B,oBAAoB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,OAAO,CACjD,EACD,CAAC;gBACD,kBAAkB,GAAG,IAAI,CAAC,IAAI,CAAC;YACjC,CAAC;YAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBACvC,MAAM,IAAI,SAAS,CACjB,oEAAoE,CACrE,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,CAAU,EAAE,CAAC;YACpB,IAAI,CAAC,YAAY,8BAA8B,EAAE,CAAC;gBAChD,OAAO,CAAC,IAAI,CACV,yDAAyD,CAAC,CAAC,SAAS,oCAAoC,EACxG,CAAC,CACF,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,IAAI,CACV,gFAAgF,EAChF,CAAC,CACF,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,IAAI,CAAC;YACZ,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QAED,MAAM,SAAS,GAA+B;YAC5C,IAAI;YACJ,WAAW,EAAE,iBAAiB,EAAE;YAChC,kBAAkB,EAAE,kBAAkB,IAAI,EAAE;SAC7C,CAAC;QAEF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CACT,8DAA8D,EAC9D,SAAS,CACV,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,sBAAsB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IACtD,CAAC;IAEM,KAAK,CAAC,yBAAyB,CACpC,IAAoB,EACpB,UAAyB,EACzB,YAAoB;QAEpB,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QACD,MAAM,YAAY,GAAG,SAAkB,CAAC;QACxC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,KAAK,GAAW,UAAU,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAE5D,OAAO,MAAM,IAAI,CAAC,2BAA2B,CAC3C,IAAI,EACJ;YACE;gBACE,UAAU,EAAE,0BAA0B;gBACtC,KAAK;gBACL,IAAI,EAAE,QAAQ;aACf;SACF,EACD,YAAY,CACb,CAAC;IACJ,CAAC;CACF;AAED,eAAe,iBAAiB,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@schemavaults/auth-server-sdk",
|
|
3
3
|
"description": "TypeScript SDK for building authenticated endpoints/middlewares for the Auth Server and Resource Servers",
|
|
4
|
-
"version": "0.17.
|
|
4
|
+
"version": "0.17.15",
|
|
5
5
|
"license": "UNLICENSED",
|
|
6
6
|
"private": false,
|
|
7
7
|
"repository": {
|
|
@@ -15,9 +15,9 @@
|
|
|
15
15
|
"types": "dist/index.d.ts",
|
|
16
16
|
"dependencies": {
|
|
17
17
|
"zod": "3.23.8",
|
|
18
|
-
"@schemavaults/jwt": "0.6.
|
|
19
|
-
"@schemavaults/auth-common": "0.
|
|
20
|
-
"@schemavaults/app-definitions": "0.6.
|
|
18
|
+
"@schemavaults/jwt": "0.6.21",
|
|
19
|
+
"@schemavaults/auth-common": "0.8.1",
|
|
20
|
+
"@schemavaults/app-definitions": "0.6.12"
|
|
21
21
|
},
|
|
22
22
|
"scripts": {
|
|
23
23
|
"build": "tsc --project tsconfig.json && tsc-alias --project tsconfig.json",
|
|
@@ -25,10 +25,11 @@
|
|
|
25
25
|
"cleanup:compiled-tests-output": "find ./dist -type f \\( -name \"*.test.js\" -o -name \"*.test.js.map\" -o -name \"*.test.d.ts\" \\) -delete",
|
|
26
26
|
"cleanup": "bun run cleanup:compiled-tests-output",
|
|
27
27
|
"postbuild": "bun run cleanup",
|
|
28
|
-
"lint": "eslint src --ext .ts,.tsx"
|
|
28
|
+
"lint": "eslint src --ext .ts,.tsx",
|
|
29
|
+
"typecheck": "tsc --project tsconfig.json --noEmit"
|
|
29
30
|
},
|
|
30
31
|
"devDependencies": {
|
|
31
|
-
"@schemavaults/dbh": "0.7.
|
|
32
|
+
"@schemavaults/dbh": "0.7.5",
|
|
32
33
|
"typescript": "5.9.3",
|
|
33
34
|
"bun-types": "1.3.6",
|
|
34
35
|
"@types/react": "19.0.0",
|