@shushed/helpers 0.0.21 → 0.0.22

package/dist/index.d.ts

@@ -1,5 +1,10 @@
 import { JSONSchemaType } from 'ajv';
 import { DeepRedact } from '@hackylabs/deep-redact';
+import { DocumentReference, Firestore } from '@google-cloud/firestore';
+import { PubSub, Topic, Subscription } from '@google-cloud/pubsub';
+import * as _google_cloud_scheduler_build_protos_protos from '@google-cloud/scheduler/build/protos/protos';
+import { CloudSchedulerClient } from '@google-cloud/scheduler';
+import { SecretManagerServiceClient } from '@google-cloud/secret-manager';
 
 declare const schema$l: {
     readonly $schema: "http://json-schema.org/draft-07/schema#";
@@ -28691,11 +28696,162 @@ declare function validate<T>(payload: T, schema: JSONSchemaType<T>, options: {
 declare const sanitizeToString: DeepRedact;
 declare const sanitize: DeepRedact;
 
+type Opts = {
+    workflowId: string;
+    triggerId: string;
+    url: string;
+    envName: string;
+} | {
+    workflowId: string;
+    triggerId: string;
+    url: string;
+};
+declare class Runtime {
+    readonly workflowId: string;
+    readonly triggerId: string;
+    readonly envName: string;
+    readonly systemEnvName: string;
+    readonly runtimeUrl: string;
+    constructor(opts: Opts);
+}
+
+declare class EnvEngine extends Runtime {
+    docRef: DocumentReference;
+    private store;
+    constructor(opts: Opts, firestore: Firestore);
+    set(envs: Array<{
+        name: string;
+        value: string;
+    }>): Promise<undefined>;
+    private initializeIfNeeded;
+    get<T extends ReadonlyArray<string>>(keys: T): Promise<{
+        [K in T[number]]: string;
+    }>;
+    get(key: string): Promise<string>;
+}
+
+declare class PubSubHelper extends Runtime {
+    private pubSub;
+    constructor(opts: Opts, pubSub: PubSub);
+    createOrUpdate(opts: {
+        topicName: string;
+        dlq: boolean;
+        retryLimit: number;
+        retryDelay: number;
+        ackDeadline: number;
+    }): Promise<{
+        topic: Topic;
+        dlqTopic: Topic | null;
+        dlqSubscription: Subscription | null;
+        subscription: Subscription;
+    }>;
+    private findTopic;
+    private ensureTopicExists;
+    private getNameFromFullyQualifiedName;
+    private ensureSubscribtionExists;
+    private ensureDLQSubscriptionExists;
+    deleteSubscription(subscriptionURN: string): Promise<any>;
+}
+
+declare class SchedulerHelper extends Runtime {
+    private extraQuery;
+    private pubSubTarget;
+    private pubSubProjectId;
+    private schedulerLocationId;
+    private schedulerClient;
+    constructor(opts: Opts & {
+        extraQuery: Record<string, string>;
+        serviceAccount: string;
+        defaultServiceAccount: string;
+        pubSubTarget?: Topic | null;
+        schedulerLocationId?: string | null;
+    }, schedulerClient: CloudSchedulerClient);
+    get locationIds(): string[];
+    getTarget(): {
+        pubsubTarget: {
+            topicName: string;
+            data: Buffer<ArrayBuffer>;
+        };
+        httpTarget?: undefined;
+    } | {
+        httpTarget: {
+            uri: string;
+            httpMethod: "POST";
+            headers: {
+                "Content-Type": string;
+            };
+            oidcToken: {
+                serviceAccountEmail: string;
+                audience: string;
+            };
+        };
+        pubsubTarget?: undefined;
+    };
+    create({ schedule, timezone }: {
+        schedule: string;
+        timezone: string;
+    }): Promise<{
+        status: _google_cloud_scheduler_build_protos_protos.google.rpc.IStatus | null | undefined;
+        state: _google_cloud_scheduler_build_protos_protos.google.cloud.scheduler.v1.Job.State | "STATE_UNSPECIFIED" | "ENABLED" | "PAUSED" | "DISABLED" | "UPDATE_FAILED" | null | undefined;
+        name: string | null | undefined;
+        httpTarget: _google_cloud_scheduler_build_protos_protos.google.cloud.scheduler.v1.IHttpTarget | null | undefined;
+        pubsubTarget: _google_cloud_scheduler_build_protos_protos.google.cloud.scheduler.v1.IPubsubTarget | null | undefined;
+    }>;
+    update({ schedule, timezone }: {
+        schedule: string;
+        timezone: string;
+    }): Promise<{
+        status: _google_cloud_scheduler_build_protos_protos.google.rpc.IStatus | null | undefined;
+        state: _google_cloud_scheduler_build_protos_protos.google.cloud.scheduler.v1.Job.State | "STATE_UNSPECIFIED" | "ENABLED" | "PAUSED" | "DISABLED" | "UPDATE_FAILED" | null | undefined;
+        name: string | null | undefined;
+        httpTarget: _google_cloud_scheduler_build_protos_protos.google.cloud.scheduler.v1.IHttpTarget | null | undefined;
+        pubsubTarget: _google_cloud_scheduler_build_protos_protos.google.cloud.scheduler.v1.IPubsubTarget | null | undefined;
+    }>;
+    delete(): Promise<any>;
+}
+
+declare class Secrets extends Runtime {
+    private secretsManagerClient;
+    constructor(opts: Opts, secretsManagerClient: SecretManagerServiceClient);
+    getSecret(name: string): Promise<string>;
+}
+
+declare class JWKSHelper extends Runtime {
+    private firestore;
+    constructor(opts: Opts, firestore: Firestore);
+    validateAuthorizationHeader(authorizationHeader: string, expectedServiceAccount?: string | null): Promise<boolean>;
+    getKey(keyId: string): Promise<{
+        kid: string;
+    } | undefined>;
+    private fetchJWKS;
+}
+
+declare const isPubSubRequest: (headers: Record<string, string>) => boolean;
+declare const isCronMessage: (headers: Record<string, string>) => boolean;
+declare const validateGoogleAuth: (opts: Opts & {
+    serviceAccount?: string | null;
+}, headers: Record<string, string>, firestore: Firestore) => Promise<void>;
+
+type index_EnvEngine = EnvEngine;
+declare const index_EnvEngine: typeof EnvEngine;
+type index_JWKSHelper = JWKSHelper;
+declare const index_JWKSHelper: typeof JWKSHelper;
+type index_PubSubHelper = PubSubHelper;
+declare const index_PubSubHelper: typeof PubSubHelper;
+type index_Runtime = Runtime;
+declare const index_Runtime: typeof Runtime;
+type index_SchedulerHelper = SchedulerHelper;
+declare const index_SchedulerHelper: typeof SchedulerHelper;
+type index_Secrets = Secrets;
+declare const index_Secrets: typeof Secrets;
+declare const index_isCronMessage: typeof isCronMessage;
+declare const index_isPubSubRequest: typeof isPubSubRequest;
 declare const index_sanitize: typeof sanitize;
 declare const index_sanitizeToString: typeof sanitizeToString;
 declare const index_validate: typeof validate;
+declare const index_validateGoogleAuth: typeof validateGoogleAuth;
 declare namespace index {
-  export { index_sanitize as sanitize, index_sanitizeToString as sanitizeToString, index_validate as validate };
+  export { index_EnvEngine as EnvEngine, index_JWKSHelper as JWKSHelper, index_PubSubHelper as PubSubHelper, index_Runtime as Runtime, index_SchedulerHelper as SchedulerHelper, index_Secrets as Secrets, index_isCronMessage as isCronMessage, index_isPubSubRequest as isPubSubRequest, index_sanitize as sanitize, index_sanitizeToString as sanitizeToString, index_validate as validate, index_validateGoogleAuth as validateGoogleAuth };
 }
 
 export { index as lib, index$9 as schema, index$1 as types };

package/dist/index.js

@@ -280,9 +280,18 @@ var shipped_exports2 = {};
 // src-public/index.ts
 var src_public_exports = {};
 __export(src_public_exports, {
+  EnvEngine: () => env_default,
+  JWKSHelper: () => jwks_default,
+  PubSubHelper: () => pubsub_default,
+  Runtime: () => Runtime,
+  SchedulerHelper: () => scheduler_default,
+  Secrets: () => secret_default,
+  isCronMessage: () => isCronMessage,
+  isPubSubRequest: () => isPubSubRequest,
   sanitize: () => sanitize,
   sanitizeToString: () => sanitizeToString,
-  validate: () => validate
+  validate: () => validate,
+  validateGoogleAuth: () => validateGoogleAuth
 });
 
 // src-public/validate.ts
@@ -336,6 +345,513 @@ var sanitize = new import_deep_redact.DeepRedact({
   remove: false,
   replaceStringByLength: true
 });
+
+// src-public/runtime.ts
+var DEFAULT_BRANCH = "migratedprod";
+var Runtime = class {
+  workflowId;
+  triggerId;
+  envName;
+  systemEnvName;
+  runtimeUrl;
+  constructor(opts) {
+    this.workflowId = opts.workflowId;
+    this.triggerId = opts.triggerId;
+    this.systemEnvName = typeof opts.envName !== "undefined" ? opts.envName : (() => {
+      const hostId = opts.url.replace(/^(?:https?:)?\/\//i, "").split("/")[0].split(".")[0].toLowerCase();
+      let branch = DEFAULT_BRANCH;
+      if (hostId.includes("-")) {
+        branch = hostId.split("-")[0];
+      }
+      return branch;
+    })();
+    this.runtimeUrl = "https://" + new URL("https://" + opts.url.replace(/^(?:https?:)?\/\//i, "").split("/")[0]).host;
+    this.envName = this.systemEnvName === DEFAULT_BRANCH ? "prod" : this.systemEnvName;
+  }
+};
+
+// src-public/env.ts
+var EnvEngine = class extends Runtime {
+  docRef;
+  store = {};
+  constructor(opts, firestore) {
+    super(opts);
+    this.docRef = firestore?.doc(`${this.workflowId}/${this.triggerId}/${this.envName}`);
+  }
+  async set(envs) {
+    await this.initializeIfNeeded();
+    const obj = envs.filter((env) => env.name).reduce(
+      (prev, curr) => ({ ...prev, [curr.name]: curr.value }),
+      {}
+    );
+    if (this.docRef) {
+      try {
+        await this.docRef.set(
+          obj,
+          { merge: true }
+        );
+      } catch (err) {
+        throw new Error(`Failed to set the ${envs.map((x) => x.name).join(", ")}. Error: ${err.message}`);
+      }
+    }
+    Object.assign(this.store, obj);
+    return void 0;
+  }
+  async initializeIfNeeded() {
+    if (!this.store) {
+      if (this.docRef) {
+        const docSnapshot = await this.docRef.get();
+        const data = docSnapshot.data();
+        this.store = {};
+        for (const k in data) {
+          const v = data[k];
+          this.store[k] = typeof v !== "string" ? `${v === null || typeof v === "undefined" ? "" : `${v}`}` : v;
+        }
+      } else {
+        this.store = {};
+      }
+    }
+  }
+  async get(keys) {
+    await this.initializeIfNeeded();
+    if (typeof keys === "string") {
+      return this.store?.[keys] || "";
+    }
+    return keys.reduce((acc, k) => {
+      const v = this.store?.[k];
+      acc[k] = typeof v !== "string" ? `${v === null || typeof v === "undefined" ? "" : `${v}`}` : v;
+      return acc;
+    }, {});
+  }
+};
+var env_default = EnvEngine;
+
+// src-public/pubsub.ts
+var PubSubHelper = class extends Runtime {
+  constructor(opts, pubSub) {
+    super(opts);
+    this.pubSub = pubSub;
+  }
+  async createOrUpdate(opts) {
+    const subscriptionName = `${this.envName === "prod" ? "" : `${this.envName}---`}${this.triggerId}`;
+    const topic = await this.ensureTopicExists(opts.topicName);
+    let dlqTopic = null;
+    let dlqSubscription = null;
+    if (opts.dlq) {
+      const dlqTopicName = `${opts.topicName}-dlq`;
+      const dlqSubscriptionName = `${subscriptionName}-dlq`;
+      dlqTopic = await this.ensureTopicExists(dlqTopicName);
+      dlqSubscription = await this.ensureDLQSubscriptionExists(dlqSubscriptionName, {
+        topic: dlqTopic
+      });
+    }
+    const subscription = await this.ensureSubscribtionExists(subscriptionName, {
+      topic,
+      dlqTopic,
+      retryMinDelay: opts.retryDelay,
+      retryMaxDelay: opts.retryDelay,
+      retryLimit: opts.retryLimit,
+      endpointUrl: this.runtimeUrl + `/executeWorkflow/${this.workflowId}/${this.triggerId}`,
+      ackDeadline: opts.ackDeadline
+    });
+    return {
+      topic,
+      dlqTopic,
+      dlqSubscription,
+      subscription
+    };
+  }
+  async findTopic(topicName) {
+    const [topics] = await this.pubSub.getTopics();
+    return topics.find((topic) => this.getNameFromFullyQualifiedName(topic.name) === topicName);
+  }
+  async ensureTopicExists(topicName) {
+    let topic = await this.findTopic(topicName);
+    if (!topic) {
+      await this.pubSub.createTopic(topicName);
+      topic = await this.findTopic(topicName);
+    }
+    if (!topic) {
+      throw new Error(`Invariant: While creating topic - topic is not found`);
+    }
+    return topic;
+  }
+  getNameFromFullyQualifiedName(fullyQName) {
+    const name = fullyQName.split("/");
+    return name[name.length - 1];
+  }
+  async ensureSubscribtionExists(subscriptionName, opts) {
+    let [subscriptions] = await opts.topic.getSubscriptions();
+    let subscription = subscriptions.find((subscription2) => this.getNameFromFullyQualifiedName(subscription2.name) === subscriptionName);
+    let endpointHasChanged = false;
+    let retryLimitHasChanged = false;
+    let retryDelayHasChanged = false;
+    let shouldRecreate = false;
+    let dlqHasChanged = false;
+    if (subscription) {
+      const [subscriptionMetaData] = await subscription.getMetadata();
+      endpointHasChanged = subscriptionMetaData.pushConfig?.pushEndpoint != opts.endpointUrl;
+      retryDelayHasChanged = subscriptionMetaData.retryPolicy?.minimumBackoff?.seconds != opts.retryMinDelay;
+      retryLimitHasChanged = subscriptionMetaData.deadLetterPolicy?.maxDeliveryAttempts != opts.retryLimit;
+      dlqHasChanged = !subscriptionMetaData.deadLetterPolicy && !!opts.dlqTopic || !!subscriptionMetaData.deadLetterPolicy?.deadLetterTopic && !opts.dlqTopic;
+      shouldRecreate = endpointHasChanged || retryDelayHasChanged || retryLimitHasChanged || dlqHasChanged;
+    }
+    if (subscription && shouldRecreate) {
+      await subscription.delete();
+    }
+    if (!subscription || shouldRecreate) {
+      await opts.topic.createSubscription(subscriptionName, Object.assign({
+        ackDeadlineSeconds: opts.ackDeadline || 90,
+        pushConfig: {
+          pushEndpoint: opts.endpointUrl,
+          oidcToken: {
+            serviceAccountEmail: `runtime@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`,
+            audience: process.env.GCLOUD_PROJECT + "/" + this.triggerId
+          }
+        },
+        retryPolicy: {
+          minimumBackoff: { seconds: opts.retryMinDelay },
+          maximumBackoff: { seconds: opts.retryMaxDelay }
+        }
+      }, opts.dlqTopic ? {
+        deadLetterPolicy: {
+          deadLetterTopic: opts.dlqTopic.name,
+          maxDeliveryAttempts: opts.retryLimit
+        }
+      } : {}));
+      [subscriptions] = await opts.topic.getSubscriptions();
+      subscription = subscriptions.find((subscription2) => this.getNameFromFullyQualifiedName(subscription2.name) === subscriptionName);
+    }
+    if (!subscription) {
+      throw new Error(`Invariant: While creating subscription - subscription is not found`);
+    }
+    return subscription;
+  }
+  async ensureDLQSubscriptionExists(subscriptionName, opts) {
+    let [subscriptions] = await opts.topic.getSubscriptions();
+    let subscription = subscriptions.find((subscription2) => this.getNameFromFullyQualifiedName(subscription2.name) === subscriptionName);
+    if (!subscription) {
+      await opts.topic.createSubscription(subscriptionName);
+      [subscriptions] = await opts.topic.getSubscriptions();
+      subscription = subscriptions.find((subscription2) => this.getNameFromFullyQualifiedName(subscription2.name) === subscriptionName);
+    }
+    if (!subscription) {
+      throw new Error(`Invariant: While creating subscription - subscription is not found`);
+    }
+    return subscription;
+  }
+  async deleteSubscription(subscriptionURN) {
+    const sub = this.pubSub.subscription(subscriptionURN);
+    return sub.delete().catch((err) => {
+      if (err.code === 5) {
+        return err.message;
+      }
+      throw err;
+    });
+  }
+};
+var pubsub_default = PubSubHelper;
+
+// src-public/scheduler.ts
+var SchedulerHelper = class extends Runtime {
+  extraQuery;
+  pubSubTarget;
+  pubSubProjectId;
+  schedulerLocationId;
+  schedulerClient;
+  constructor(opts, schedulerClient) {
+    super(opts);
+    this.extraQuery = opts.extraQuery;
+    this.pubSubTarget = opts.pubSubTarget || null;
+    this.pubSubProjectId = this.pubSubTarget?.name?.split("/")[1] || null;
+    this.schedulerLocationId = opts.schedulerLocationId || "europe-west2";
+    this.schedulerClient = schedulerClient;
+  }
+  get locationIds() {
+    return [
+      "asia-east1",
+      "asia-northeast1",
+      "asia-southeast1",
+      "europe-west1",
+      "us-central1",
+      "us-east1",
+      "us-east4",
+      "us-west1"
+    ];
+  }
+  getTarget() {
+    if (this.pubSubTarget) {
+      return {
+        pubsubTarget: {
+          topicName: this.pubSubTarget.name,
+          data: Buffer.from(JSON.stringify({
+            source: `${this.workflowId}/${this.triggerId}/${this.systemEnvName}`
+          }), "utf-8")
+        }
+      };
+    }
+    return {
+      httpTarget: {
+        uri: `${this.runtimeUrl}/executeWorkflow/${this.workflowId}/${this.triggerId}?${new URLSearchParams(this.extraQuery).toString()}`,
+        httpMethod: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        oidcToken: {
+          serviceAccountEmail: `runtime@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`,
+          audience: process.env.GCLOUD_PROJECT + "/" + this.triggerId
+        }
+      }
+    };
+  }
+  async create({ schedule, timezone }) {
+    let parent;
+    let name;
+    if (this.pubSubProjectId) {
+      parent = `projects/${this.pubSubProjectId}/locations/${this.schedulerLocationId}`;
+      name = `${parent}/jobs/buildship-workflow-${this.triggerId}-${this.systemEnvName}`;
+    } else {
+      let locationId = process.env.SERVICE_REGION;
+      locationId = this.locationIds.includes(locationId) ? locationId : "us-central1";
+      parent = `projects/${process.env.GCLOUD_PROJECT}/locations/${locationId}`;
+      name = `${parent}/jobs/rowy-workflow-${this.triggerId}-${this.systemEnvName}`;
+    }
+    try {
+      const response = await this.schedulerClient.createJob({
+        parent,
+        job: {
+          name,
+          schedule,
+          timeZone: timezone,
+          ...this.getTarget()
+        }
+      });
+      return {
+        status: response[0].status,
+        state: response[0].state,
+        name: response[0].name,
+        httpTarget: response[0].httpTarget,
+        pubsubTarget: response[0].pubsubTarget
+      };
+    } catch (error) {
+      if (error.code === 6) {
+        return this.update(
+          { schedule, timezone }
+        );
+      } else {
+        throw error;
+      }
+    }
+  }
+  async update({ schedule, timezone }) {
+    let parent;
+    let name;
+    if (this.pubSubProjectId) {
+      parent = `projects/${this.pubSubProjectId}/locations/${this.schedulerLocationId}`;
+      name = `${parent}/jobs/buildship-workflow-${this.triggerId}-${this.systemEnvName}`;
+    } else {
+      let locationId = process.env.SERVICE_REGION;
+      locationId = this.locationIds.includes(locationId) ? locationId : "us-central1";
+      parent = `projects/${process.env.GCLOUD_PROJECT}/locations/${locationId}`;
+      name = `${parent}/jobs/rowy-workflow-${this.triggerId}-${this.systemEnvName}`;
+    }
+    try {
+      const response = await this.schedulerClient.updateJob({
+        job: {
+          ...this.getTarget(),
+          name,
+          schedule,
+          timeZone: timezone
+        }
+      });
+      return {
+        status: response[0].status,
+        state: response[0].state,
+        name: response[0].name,
+        httpTarget: response[0].httpTarget,
+        pubsubTarget: response[0].pubsubTarget
+      };
+    } catch {
+      const response = await this.schedulerClient.createJob({
+        parent,
+        job: {
+          name,
+          schedule,
+          timeZone: timezone,
+          ...this.getTarget()
+        }
+      });
+      return {
+        status: response[0].status,
+        state: response[0].state,
+        name: response[0].name,
+        httpTarget: response[0].httpTarget,
+        pubsubTarget: response[0].pubsubTarget
+      };
+    }
+  }
+  async delete() {
+    let parent;
+    let name;
+    if (this.pubSubProjectId) {
+      parent = `projects/${this.pubSubProjectId}/locations/${this.schedulerLocationId}`;
+      name = `${parent}/jobs/buildship-workflow-${this.triggerId}-${this.systemEnvName}`;
+    } else {
+      let locationId = process.env.SERVICE_REGION;
+      locationId = this.locationIds.includes(locationId) ? locationId : "us-central1";
+      parent = `projects/${process.env.GCLOUD_PROJECT}/locations/${locationId}`;
+      name = `${parent}/jobs/rowy-workflow-${this.triggerId}-${this.systemEnvName}`;
+    }
+    const request = {
+      name
+    };
+    let response;
+    try {
+      response = await this.schedulerClient.deleteJob(request);
+    } catch (err) {
+      if (err.code === 5) {
+        return err.message;
+      }
+      throw err;
+    }
+    return response;
+  }
+};
+var scheduler_default = SchedulerHelper;
+
+// src-public/secret.ts
+var Secrets = class extends Runtime {
+  constructor(opts, secretsManagerClient) {
+    super(opts);
+    this.secretsManagerClient = secretsManagerClient;
+  }
+  async getSecret(name) {
+    try {
+      const [secretVersion] = await this.secretsManagerClient.accessSecretVersion({
+        name: `projects/${process.env.GCLOUD_PROJECT}/secrets/${this.systemEnvName}---${name}/versions/latest`
+      });
+      const payload = secretVersion.payload?.data?.toString() || "";
+      return payload;
+    } catch (err) {
+      throw new Error(`Failed to get secret ${name}. Error: ${err.message}`);
+    }
+  }
+};
+var secret_default = Secrets;
+
+// src-public/jwks.ts
+var import_jose = require("jose");
+var CACHE_TABLE = "cache-global";
+var JWKSHelper = class extends Runtime {
+  constructor(opts, firestore) {
+    super(opts);
+    this.firestore = firestore;
+  }
+  async validateAuthorizationHeader(authorizationHeader, expectedServiceAccount = null) {
+    const splitted = authorizationHeader.split(".");
+    const keyMeta = JSON.parse(Buffer.from(splitted[0], "base64").toString("utf-8")) || {};
+    const meta = JSON.parse(Buffer.from(splitted[1], "base64").toString("utf-8")) || {};
+    if (!meta.email_verified) {
+      throw new Error("Authorization header - Email not verified");
+    }
+    if (expectedServiceAccount === null) {
+      expectedServiceAccount = `runtime@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`;
+    }
+    if (meta.email !== expectedServiceAccount) {
+      throw new Error(`Authorization header - Wrong service account, got ${meta?.email}, expected ${expectedServiceAccount}`);
+    }
+    if (!keyMeta.kid || !keyMeta.alg) {
+      throw new Error("Malformed Authorization Header. KID is missing");
+    }
+    const key = await this.getKey(keyMeta.kid);
+    if (!key) {
+      throw new Error("Incorrect Authorization Header. The key has not been found in the Google JWKS set");
+    }
+    const importedKey = await (0, import_jose.importJWK)(key, keyMeta.alg);
+    let validationCorrect = true;
+    try {
+      await (0, import_jose.jwtVerify)(authorizationHeader, importedKey, {
+        issuer: ["https://accounts.google.com", "accounts.google.com"],
+        clockTolerance: 0,
+        audience: process.env.GCLOUD_PROJECT + "/" + this.triggerId
+      });
+    } catch (err) {
+      validationCorrect = false;
+    }
+    if (!validationCorrect) {
+      throw new Error("Incorrect Authorization Header. The JWT is not valid");
+    }
+    return validationCorrect;
+  }
+  async getKey(keyId) {
+    const jwks = typeof global.jwks !== "undefined" ? global.jwks : null;
+    let parsedJwks = null;
+    if (jwks) {
+      try {
+        parsedJwks = JSON.parse(jwks);
+      } catch (err) {
+        err.message.toString();
+      }
+    }
+    let keyData = parsedJwks?.keys?.find((x) => x.kid === keyId);
+    let cachedItem;
+    if (!keyData) {
+      cachedItem = await this.firestore.collection(CACHE_TABLE).doc("google-jwks").get();
+      if (cachedItem.exists && cachedItem.data()?.expires_at.toDate() > /* @__PURE__ */ new Date()) {
+        keyData = cachedItem.data()?.value;
+      }
+    }
+    keyData = parsedJwks?.keys.find((x) => x.kid === keyId);
+    if (!keyData) {
+      const result = await this.fetchJWKS();
+      parsedJwks = result.jwks;
+      if (cachedItem) {
+        cachedItem.ref.set({
+          value: parsedJwks,
+          expires_at: result.expiresAt
+        }, { merge: true });
+      }
+      keyData = parsedJwks?.keys.find((x) => x.kid === keyId);
+    }
+    if (parsedJwks && cachedItem) {
+      global.jwks = JSON.stringify(parsedJwks);
+    }
+    return keyData;
+  }
+  async fetchJWKS() {
+    const date = /* @__PURE__ */ new Date();
+    let expiresAt = new Date(Date.now() + 1e3 * 60 * 60);
+    const response = await fetch("https://www.googleapis.com/oauth2/v3/certs");
+    const maxAgePair = response.headers.get("Cache-Control")?.split(",").map((x) => x.trim().split("=")).find((x) => x[0] === "max-age");
+    if (maxAgePair && maxAgePair.length === 2) {
+      expiresAt = new Date(date.getTime() + parseInt(maxAgePair[1], 10) * 1e3);
+    }
+    const jwks = await response.json();
+    return {
+      expiresAt,
+      jwks
+    };
+  }
+};
+var jwks_default = JWKSHelper;
+
+// src-public/utils.ts
+var isPubSubRequest = (headers) => (headers["User-Agent"] || headers["user-agent"]) === "CloudPubSub-Google" || (headers["User-Agent"] || headers["user-agent"] || "").indexOf("APIs-Google") !== -1;
+var isCronMessage = (headers) => (headers["User-Agent"] || headers["user-agent"]) === "Google-Cloud-Scheduler";
+var validateGoogleAuth = async (opts, headers, firestore) => {
+  const token = headers.authorization?.split(" ")[1];
+  if (!token) {
+    throw new Error(
+      "Missing authorization header or invalid format, needs to be in format: Bearer <IdToken>"
+    );
+  }
+  try {
+    const jwksHelper = new jwks_default(opts, firestore);
+    await jwksHelper.validateAuthorizationHeader(token, opts.serviceAccount || null);
+  } catch (err) {
+    throw new Error("Invalid authorization header " + err.message);
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   lib,

package/dist/package.json

@@ -8,6 +8,7 @@
     "@hackylabs/deep-redact": "^2.2.1",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
+    "jose": "^6.0.11",
     "lodash.clonedeep": "^4.5.0"
   },
   "files": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@shushed/helpers",
-  "version": "0.0.21",
+  "version": "0.0.22",
   "author": "",
   "license": "UNLICENSED",
   "description": "",
@@ -8,6 +8,7 @@
     "@hackylabs/deep-redact": "^2.2.1",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
+    "jose": "^6.0.11",
     "lodash.clonedeep": "^4.5.0"
   },
   "files": [