@shushed/helpers 0.0.26 → 0.0.27

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 import { JSONSchemaType } from 'ajv';
 import { DeepRedact } from '@hackylabs/deep-redact';
-import { DocumentReference, Firestore } from '@google-cloud/firestore';
+import { Firestore, DocumentReference } from '@google-cloud/firestore';
 import { PubSub, Topic, Subscription } from '@google-cloud/pubsub';
 import * as _google_cloud_scheduler_build_protos_protos from '@google-cloud/scheduler/build/protos/protos';
 import { CloudSchedulerClient } from '@google-cloud/scheduler';
@@ -28715,6 +28715,12 @@ declare class Runtime {
     constructor(opts: Opts);
 }
 
+declare const isPubSubRequest: (headers: Record<string, string>) => boolean;
+declare const isCronMessage: (headers: Record<string, string>) => boolean;
+declare const validateGoogleAuth: (opts: Opts & {
+    serviceAccount?: string | null;
+}, headers: Record<string, string>, firestore: Firestore) => Promise<void>;
+
 type Level = 'env' | 'workflow' | 'trigger';
 declare class EnvEngine extends Runtime {
     docRef: Record<Level, DocumentReference>;
@@ -28987,11 +28993,14 @@ type index_Secrets = Secrets;
 declare const index_Secrets: typeof Secrets;
 type index_TriggerOnCreateOptions = TriggerOnCreateOptions;
 type index_TriggerOnExecuteOptions = TriggerOnExecuteOptions;
+declare const index_isCronMessage: typeof isCronMessage;
+declare const index_isPubSubRequest: typeof isPubSubRequest;
 declare const index_sanitize: typeof sanitize;
 declare const index_sanitizeToString: typeof sanitizeToString;
 declare const index_validate: typeof validate;
+declare const index_validateGoogleAuth: typeof validateGoogleAuth;
 declare namespace index {
-  export { index_EnvEngine as EnvEngine, index_JWKSHelper as JWKSHelper, index_PubSubHelper as PubSubHelper, index_Runtime as Runtime, index_SchedulerHelper as SchedulerHelper, index_Secrets as Secrets, type index_TriggerOnCreateOptions as TriggerOnCreateOptions, type index_TriggerOnExecuteOptions as TriggerOnExecuteOptions, index_sanitize as sanitize, index_sanitizeToString as sanitizeToString, index_validate as validate };
+  export { index_EnvEngine as EnvEngine, index_JWKSHelper as JWKSHelper, index_PubSubHelper as PubSubHelper, index_Runtime as Runtime, index_SchedulerHelper as SchedulerHelper, index_Secrets as Secrets, type index_TriggerOnCreateOptions as TriggerOnCreateOptions, type index_TriggerOnExecuteOptions as TriggerOnExecuteOptions, index_isCronMessage as isCronMessage, index_isPubSubRequest as isPubSubRequest, index_sanitize as sanitize, index_sanitizeToString as sanitizeToString, index_validate as validate, index_validateGoogleAuth as validateGoogleAuth };
 }
 
 export { index as lib, index$9 as schema, index$1 as types };

package/dist/index.js

@@ -286,9 +286,12 @@ __export(src_public_exports, {
   Runtime: () => Runtime,
   SchedulerHelper: () => scheduler_default,
   Secrets: () => secret_default,
+  isCronMessage: () => isCronMessage,
+  isPubSubRequest: () => isPubSubRequest,
   sanitize: () => sanitize,
   sanitizeToString: () => sanitizeToString,
-  validate: () => validate
+  validate: () => validate,
+  validateGoogleAuth: () => validateGoogleAuth
 });
 
 // src-public/validate.ts
@@ -343,8 +346,8 @@ var sanitize = new import_deep_redact.DeepRedact({
   replaceStringByLength: true
 });
 
-// src-public/env.ts
-var crypto = __toESM(require("crypto"));
+// src-public/jwks.ts
+var import_jose = require("jose");
 
 // src-public/runtime.ts
 var DEFAULT_BRANCH = "migratedprod";
@@ -370,7 +373,121 @@ var Runtime = class {
   }
 };
 
+// src-public/jwks.ts
+var CACHE_TABLE = "cache-global";
+var JWKSHelper = class extends Runtime {
+  constructor(opts, firestore) {
+    super(opts);
+    this.firestore = firestore;
+  }
+  async validateAuthorizationHeader(authorizationHeader, expectedServiceAccount = null) {
+    const splitted = authorizationHeader.split(".");
+    const keyMeta = JSON.parse(Buffer.from(splitted[0], "base64").toString("utf-8")) || {};
+    const meta = JSON.parse(Buffer.from(splitted[1], "base64").toString("utf-8")) || {};
+    if (!meta.email_verified) {
+      throw new Error("Authorization header - Email not verified");
+    }
+    if (expectedServiceAccount === null) {
+      expectedServiceAccount = `runtime@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`;
+    }
+    if (meta.email !== expectedServiceAccount) {
+      throw new Error(`Authorization header - Wrong service account, got ${meta?.email}, expected ${expectedServiceAccount}`);
+    }
+    if (!keyMeta.kid || !keyMeta.alg) {
+      throw new Error("Malformed Authorization Header. KID is missing");
+    }
+    const key = await this.getKey(keyMeta.kid);
+    if (!key) {
+      throw new Error("Incorrect Authorization Header. The key has not been found in the Google JWKS set");
+    }
+    const importedKey = await (0, import_jose.importJWK)(key, keyMeta.alg);
+    let validationCorrect = true;
+    try {
+      await (0, import_jose.jwtVerify)(authorizationHeader, importedKey, {
+        issuer: ["https://accounts.google.com", "accounts.google.com"],
+        clockTolerance: 0,
+        audience: process.env.GCLOUD_PROJECT + "/" + this.triggerId
+      });
+    } catch (err) {
+      validationCorrect = false;
+    }
+    if (!validationCorrect) {
+      throw new Error("Incorrect Authorization Header. The JWT is not valid");
+    }
+    return validationCorrect;
+  }
+  async getKey(keyId) {
+    const jwks = typeof global.jwks !== "undefined" ? global.jwks : null;
+    let parsedJwks = null;
+    if (jwks) {
+      try {
+        parsedJwks = JSON.parse(jwks);
+      } catch (err) {
+        err.message.toString();
+      }
+    }
+    let keyData = parsedJwks?.keys?.find((x) => x.kid === keyId);
+    let cachedItem;
+    if (!keyData) {
+      cachedItem = await this.firestore.collection(CACHE_TABLE).doc("google-jwks").get();
+      if (cachedItem.exists && cachedItem.data()?.expires_at.toDate() > /* @__PURE__ */ new Date()) {
+        keyData = cachedItem.data()?.value;
+      }
+    }
+    keyData = parsedJwks?.keys.find((x) => x.kid === keyId);
+    if (!keyData) {
+      const result = await this.fetchJWKS();
+      parsedJwks = result.jwks;
+      if (cachedItem) {
+        cachedItem.ref.set({
+          value: parsedJwks,
+          expires_at: result.expiresAt
+        }, { merge: true });
+      }
+      keyData = parsedJwks?.keys.find((x) => x.kid === keyId);
+    }
+    if (parsedJwks && cachedItem) {
+      global.jwks = JSON.stringify(parsedJwks);
+    }
+    return keyData;
+  }
+  async fetchJWKS() {
+    const date = /* @__PURE__ */ new Date();
+    let expiresAt = new Date(Date.now() + 1e3 * 60 * 60);
+    const response = await fetch("https://www.googleapis.com/oauth2/v3/certs");
+    const maxAgePair = response.headers.get("Cache-Control")?.split(",").map((x) => x.trim().split("=")).find((x) => x[0] === "max-age");
+    if (maxAgePair && maxAgePair.length === 2) {
+      expiresAt = new Date(date.getTime() + parseInt(maxAgePair[1], 10) * 1e3);
+    }
+    const jwks = await response.json();
+    return {
+      expiresAt,
+      jwks
+    };
+  }
+};
+var jwks_default = JWKSHelper;
+
+// src-public/utils.ts
+var isPubSubRequest = (headers) => (headers["User-Agent"] || headers["user-agent"]) === "CloudPubSub-Google" || (headers["User-Agent"] || headers["user-agent"] || "").indexOf("APIs-Google") !== -1;
+var isCronMessage = (headers) => (headers["User-Agent"] || headers["user-agent"]) === "Google-Cloud-Scheduler";
+var validateGoogleAuth = async (opts, headers, firestore) => {
+  const token = headers.authorization?.split(" ")[1];
+  if (!token) {
+    throw new Error(
+      "Missing authorization header or invalid format, needs to be in format: Bearer <IdToken>"
+    );
+  }
+  try {
+    const jwksHelper = new jwks_default(opts, firestore);
+    await jwksHelper.validateAuthorizationHeader(token, opts.serviceAccount || null);
+  } catch (err) {
+    throw new Error("Invalid authorization header " + err.message);
+  }
+};
+
 // src-public/env.ts
+var crypto = __toESM(require("crypto"));
 var EnvEngine = class extends Runtime {
   docRef;
   store;
@@ -825,102 +942,6 @@ var Secrets = class extends Runtime {
   }
 };
 var secret_default = Secrets;
-
-// src-public/jwks.ts
-var import_jose = require("jose");
-var CACHE_TABLE = "cache-global";
-var JWKSHelper = class extends Runtime {
-  constructor(opts, firestore) {
-    super(opts);
-    this.firestore = firestore;
-  }
-  async validateAuthorizationHeader(authorizationHeader, expectedServiceAccount = null) {
-    const splitted = authorizationHeader.split(".");
-    const keyMeta = JSON.parse(Buffer.from(splitted[0], "base64").toString("utf-8")) || {};
-    const meta = JSON.parse(Buffer.from(splitted[1], "base64").toString("utf-8")) || {};
-    if (!meta.email_verified) {
-      throw new Error("Authorization header - Email not verified");
-    }
-    if (expectedServiceAccount === null) {
-      expectedServiceAccount = `runtime@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`;
-    }
-    if (meta.email !== expectedServiceAccount) {
-      throw new Error(`Authorization header - Wrong service account, got ${meta?.email}, expected ${expectedServiceAccount}`);
-    }
-    if (!keyMeta.kid || !keyMeta.alg) {
-      throw new Error("Malformed Authorization Header. KID is missing");
-    }
-    const key = await this.getKey(keyMeta.kid);
-    if (!key) {
-      throw new Error("Incorrect Authorization Header. The key has not been found in the Google JWKS set");
-    }
-    const importedKey = await (0, import_jose.importJWK)(key, keyMeta.alg);
-    let validationCorrect = true;
-    try {
-      await (0, import_jose.jwtVerify)(authorizationHeader, importedKey, {
-        issuer: ["https://accounts.google.com", "accounts.google.com"],
-        clockTolerance: 0,
-        audience: process.env.GCLOUD_PROJECT + "/" + this.triggerId
-      });
-    } catch (err) {
-      validationCorrect = false;
-    }
-    if (!validationCorrect) {
-      throw new Error("Incorrect Authorization Header. The JWT is not valid");
-    }
-    return validationCorrect;
-  }
-  async getKey(keyId) {
-    const jwks = typeof global.jwks !== "undefined" ? global.jwks : null;
-    let parsedJwks = null;
-    if (jwks) {
-      try {
-        parsedJwks = JSON.parse(jwks);
-      } catch (err) {
-        err.message.toString();
-      }
-    }
-    let keyData = parsedJwks?.keys?.find((x) => x.kid === keyId);
-    let cachedItem;
-    if (!keyData) {
-      cachedItem = await this.firestore.collection(CACHE_TABLE).doc("google-jwks").get();
-      if (cachedItem.exists && cachedItem.data()?.expires_at.toDate() > /* @__PURE__ */ new Date()) {
-        keyData = cachedItem.data()?.value;
-      }
-    }
-    keyData = parsedJwks?.keys.find((x) => x.kid === keyId);
-    if (!keyData) {
-      const result = await this.fetchJWKS();
-      parsedJwks = result.jwks;
-      if (cachedItem) {
-        cachedItem.ref.set({
-          value: parsedJwks,
-          expires_at: result.expiresAt
-        }, { merge: true });
-      }
-      keyData = parsedJwks?.keys.find((x) => x.kid === keyId);
-    }
-    if (parsedJwks && cachedItem) {
-      global.jwks = JSON.stringify(parsedJwks);
-    }
-    return keyData;
-  }
-  async fetchJWKS() {
-    const date = /* @__PURE__ */ new Date();
-    let expiresAt = new Date(Date.now() + 1e3 * 60 * 60);
-    const response = await fetch("https://www.googleapis.com/oauth2/v3/certs");
-    const maxAgePair = response.headers.get("Cache-Control")?.split(",").map((x) => x.trim().split("=")).find((x) => x[0] === "max-age");
-    if (maxAgePair && maxAgePair.length === 2) {
-      expiresAt = new Date(date.getTime() + parseInt(maxAgePair[1], 10) * 1e3);
-    }
-    const jwks = await response.json();
-    return {
-      expiresAt,
-      jwks
-    };
-  }
-};
-var jwks_default = JWKSHelper;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   lib,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@shushed/helpers",
-  "version": "0.0.26",
+  "version": "0.0.27",
   "author": "",
   "license": "UNLICENSED",
   "description": "",