@tern-secure/nextjs 5.2.0-canary.v20251125170702 → 5.2.0-canary.v20251127221555
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/app-router/admin/c-authenticateRequestProcessor.js +1 -0
- package/dist/cjs/app-router/admin/c-authenticateRequestProcessor.js.map +1 -1
- package/dist/cjs/app-router/admin/fnValidators.js +7 -0
- package/dist/cjs/app-router/admin/fnValidators.js.map +1 -1
- package/dist/cjs/app-router/admin/request.js +5 -2
- package/dist/cjs/app-router/admin/request.js.map +1 -1
- package/dist/cjs/app-router/admin/sessionHandlers.js +15 -5
- package/dist/cjs/app-router/admin/sessionHandlers.js.map +1 -1
- package/dist/cjs/server/data/getAuthDataFromRequest.js +8 -2
- package/dist/cjs/server/data/getAuthDataFromRequest.js.map +1 -1
- package/dist/cjs/server/ternSecureProxy.js +13 -1
- package/dist/cjs/server/ternSecureProxy.js.map +1 -1
- package/dist/cjs/server/utils.js +2 -1
- package/dist/cjs/server/utils.js.map +1 -1
- package/dist/esm/app-router/admin/c-authenticateRequestProcessor.js +1 -0
- package/dist/esm/app-router/admin/c-authenticateRequestProcessor.js.map +1 -1
- package/dist/esm/app-router/admin/fnValidators.js +7 -0
- package/dist/esm/app-router/admin/fnValidators.js.map +1 -1
- package/dist/esm/app-router/admin/request.js +5 -2
- package/dist/esm/app-router/admin/request.js.map +1 -1
- package/dist/esm/app-router/admin/sessionHandlers.js +15 -5
- package/dist/esm/app-router/admin/sessionHandlers.js.map +1 -1
- package/dist/esm/server/data/getAuthDataFromRequest.js +9 -3
- package/dist/esm/server/data/getAuthDataFromRequest.js.map +1 -1
- package/dist/esm/server/ternSecureProxy.js +14 -2
- package/dist/esm/server/ternSecureProxy.js.map +1 -1
- package/dist/esm/server/utils.js +2 -1
- package/dist/esm/server/utils.js.map +1 -1
- package/dist/types/app-router/admin/c-authenticateRequestProcessor.d.ts +1 -0
- package/dist/types/app-router/admin/c-authenticateRequestProcessor.d.ts.map +1 -1
- package/dist/types/app-router/admin/fnValidators.d.ts.map +1 -1
- package/dist/types/app-router/admin/request.d.ts +1 -1
- package/dist/types/app-router/admin/request.d.ts.map +1 -1
- package/dist/types/app-router/admin/sessionHandlers.d.ts.map +1 -1
- package/dist/types/server/data/getAuthDataFromRequest.d.ts.map +1 -1
- package/dist/types/server/ternSecureProxy.d.ts.map +1 -1
- package/dist/types/server/utils.d.ts +1 -1
- package/dist/types/server/utils.d.ts.map +1 -1
- package/package.json +5 -5
|
@@ -47,6 +47,7 @@ class RequestProcessorContext {
|
|
|
47
47
|
this.userAgent = this.getHeader(import_backend.constants.Headers.UserAgent);
|
|
48
48
|
this.secFetchDest = this.getHeader(import_backend.constants.Headers.SecFetchDest);
|
|
49
49
|
this.accept = this.getHeader(import_backend.constants.Headers.Accept);
|
|
50
|
+
this.appCheckToken = this.getHeader(import_backend.constants.Headers.AppCheckToken);
|
|
50
51
|
}
|
|
51
52
|
initCookieValues() {
|
|
52
53
|
const isProduction = process.env.NODE_ENV === "production";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/app-router/admin/c-authenticateRequestProcessor.ts"],"sourcesContent":["import type { TernSecureRequest } from '@tern-secure/backend';\nimport { constants } from '@tern-secure/backend';\n\nimport type { AuthEndpoint, SessionSubEndpoint, TernSecureHandlerOptions } from './types';\n\n/**\n * Request context for better type safety and clarity\n */\ninterface RequestProcessorContext extends TernSecureHandlerOptions {\n // header-based values\n sessionTokenInHeader: string | undefined;\n origin: string | undefined;\n host: string | undefined;\n forwardedHost: string | undefined;\n forwardedProto: string | undefined;\n referrer: string | undefined;\n userAgent: string | undefined;\n secFetchDest: string | undefined;\n accept: string | undefined;\n\n // cookie-based values\n idTokenInCookie: string | undefined;\n refreshTokenInCookie: string | undefined;\n csrfTokenInCookie: string | undefined;\n sessionTokenInCookie?: string | undefined;\n customTokenInCookie?: string | undefined;\n\n method: string;\n pathSegments: string[];\n endpoint?: AuthEndpoint;\n subEndpoint?: SessionSubEndpoint;\n\n ternUrl: URL;\n instanceType: string;\n}\n\n/**\n * Request processor utility class for common operations\n */\nclass RequestProcessorContext implements RequestProcessorContext {\n public constructor(\n private ternSecureRequest: TernSecureRequest,\n private options: TernSecureHandlerOptions,\n ) {\n this.initHeaderValues();\n this.initCookieValues();\n this.initUrlValues();\n Object.assign(this, options);\n this.ternUrl = this.ternSecureRequest.ternUrl;\n }\n\n public get request(): TernSecureRequest {\n return this.ternSecureRequest;\n }\n\n private initHeaderValues() {\n this.sessionTokenInHeader = this.parseAuthorizationHeader(\n this.getHeader(constants.Headers.Authorization),\n );\n this.origin = this.getHeader(constants.Headers.Origin);\n this.host = this.getHeader(constants.Headers.Host);\n this.forwardedHost = this.getHeader(constants.Headers.ForwardedHost);\n this.forwardedProto =\n this.getHeader(constants.Headers.CloudFrontForwardedProto) ||\n this.getHeader(constants.Headers.ForwardedProto);\n this.referrer = this.getHeader(constants.Headers.Referrer);\n this.userAgent = this.getHeader(constants.Headers.UserAgent);\n this.secFetchDest = this.getHeader(constants.Headers.SecFetchDest);\n this.accept = this.getHeader(constants.Headers.Accept);\n }\n\n private initCookieValues() {\n const isProduction = process.env.NODE_ENV === 'production';\n const defaultPrefix = isProduction ? '__HOST-' : '__dev_';\n this.sessionTokenInCookie = this.getCookie(constants.Cookies.Session);\n\n // System-fixed cookies using backend constants\n this.idTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.IdToken}`);\n this.refreshTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.Refresh}`);\n this.csrfTokenInCookie = this.getCookie(constants.Cookies.CsrfToken);\n this.customTokenInCookie = this.getCookie(constants.Cookies.Custom);\n }\n\n private initUrlValues() {\n this.method = this.ternSecureRequest.method;\n this.pathSegments = this.ternSecureRequest.ternUrl.pathname.split('/').filter(Boolean);\n this.endpoint = this.pathSegments[2] as AuthEndpoint;\n this.subEndpoint = this.pathSegments[3] as SessionSubEndpoint;\n }\n\n private getHeader(name: string) {\n return this.ternSecureRequest.headers.get(name) || undefined;\n }\n\n private getCookie(name: string) {\n return this.ternSecureRequest.cookies.get(name) || undefined;\n }\n\n private parseAuthorizationHeader(\n authorizationHeader: string | undefined | null,\n ): string | undefined {\n if (!authorizationHeader) {\n return undefined;\n }\n\n const [scheme, token] = authorizationHeader.split(' ', 2);\n\n if (!token) {\n // No scheme specified, treat the entire value as the token\n return scheme;\n }\n\n if (scheme === 'Bearer') {\n return token;\n }\n\n // Skip all other schemes\n return undefined;\n }\n}\n\nexport type { RequestProcessorContext };\n\nexport const createRequestProcessor = (\n ternSecureRequest: TernSecureRequest,\n options: TernSecureHandlerOptions,\n): RequestProcessorContext => {\n return new RequestProcessorContext(ternSecureRequest, options);\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,qBAA0B;
|
|
1
|
+
{"version":3,"sources":["../../../../src/app-router/admin/c-authenticateRequestProcessor.ts"],"sourcesContent":["import type { TernSecureRequest } from '@tern-secure/backend';\nimport { constants } from '@tern-secure/backend';\n\nimport type { AuthEndpoint, SessionSubEndpoint, TernSecureHandlerOptions } from './types';\n\n/**\n * Request context for better type safety and clarity\n */\ninterface RequestProcessorContext extends TernSecureHandlerOptions {\n // header-based values\n sessionTokenInHeader: string | undefined;\n origin: string | undefined;\n host: string | undefined;\n forwardedHost: string | undefined;\n forwardedProto: string | undefined;\n referrer: string | undefined;\n userAgent: string | undefined;\n secFetchDest: string | undefined;\n accept: string | undefined;\n appCheckToken: string | undefined;\n\n // cookie-based values\n idTokenInCookie: string | undefined;\n refreshTokenInCookie: string | undefined;\n csrfTokenInCookie: string | undefined;\n sessionTokenInCookie?: string | undefined;\n customTokenInCookie?: string | undefined;\n\n method: string;\n pathSegments: string[];\n endpoint?: AuthEndpoint;\n subEndpoint?: SessionSubEndpoint;\n\n ternUrl: URL;\n instanceType: string;\n}\n\n/**\n * Request processor utility class for common operations\n */\nclass RequestProcessorContext implements RequestProcessorContext {\n public constructor(\n private ternSecureRequest: TernSecureRequest,\n private options: TernSecureHandlerOptions,\n ) {\n this.initHeaderValues();\n this.initCookieValues();\n this.initUrlValues();\n Object.assign(this, options);\n this.ternUrl = this.ternSecureRequest.ternUrl;\n }\n\n public get request(): TernSecureRequest {\n return this.ternSecureRequest;\n }\n\n private initHeaderValues() {\n this.sessionTokenInHeader = this.parseAuthorizationHeader(\n this.getHeader(constants.Headers.Authorization),\n );\n this.origin = this.getHeader(constants.Headers.Origin);\n this.host = this.getHeader(constants.Headers.Host);\n this.forwardedHost = this.getHeader(constants.Headers.ForwardedHost);\n this.forwardedProto =\n this.getHeader(constants.Headers.CloudFrontForwardedProto) ||\n this.getHeader(constants.Headers.ForwardedProto);\n this.referrer = this.getHeader(constants.Headers.Referrer);\n this.userAgent = this.getHeader(constants.Headers.UserAgent);\n this.secFetchDest = this.getHeader(constants.Headers.SecFetchDest);\n this.accept = this.getHeader(constants.Headers.Accept);\n this.appCheckToken = this.getHeader(constants.Headers.AppCheckToken);\n }\n\n private initCookieValues() {\n const isProduction = process.env.NODE_ENV === 'production';\n const defaultPrefix = isProduction ? '__HOST-' : '__dev_';\n this.sessionTokenInCookie = this.getCookie(constants.Cookies.Session);\n\n // System-fixed cookies using backend constants\n this.idTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.IdToken}`);\n this.refreshTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.Refresh}`);\n this.csrfTokenInCookie = this.getCookie(constants.Cookies.CsrfToken);\n this.customTokenInCookie = this.getCookie(constants.Cookies.Custom);\n }\n\n private initUrlValues() {\n this.method = this.ternSecureRequest.method;\n this.pathSegments = this.ternSecureRequest.ternUrl.pathname.split('/').filter(Boolean);\n this.endpoint = this.pathSegments[2] as AuthEndpoint;\n this.subEndpoint = this.pathSegments[3] as SessionSubEndpoint;\n }\n\n private getHeader(name: string) {\n return this.ternSecureRequest.headers.get(name) || undefined;\n }\n\n private getCookie(name: string) {\n return this.ternSecureRequest.cookies.get(name) || undefined;\n }\n\n private parseAuthorizationHeader(\n authorizationHeader: string | undefined | null,\n ): string | undefined {\n if (!authorizationHeader) {\n return undefined;\n }\n\n const [scheme, token] = authorizationHeader.split(' ', 2);\n\n if (!token) {\n // No scheme specified, treat the entire value as the token\n return scheme;\n }\n\n if (scheme === 'Bearer') {\n return token;\n }\n\n // Skip all other schemes\n return undefined;\n }\n}\n\nexport type { RequestProcessorContext };\n\nexport const createRequestProcessor = (\n ternSecureRequest: TernSecureRequest,\n options: TernSecureHandlerOptions,\n): RequestProcessorContext => {\n return new RequestProcessorContext(ternSecureRequest, options);\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,qBAA0B;AAuC1B,MAAM,wBAA2D;AAAA,EACxD,YACG,mBACA,SACR;AAFQ;AACA;AAER,SAAK,iBAAiB;AACtB,SAAK,iBAAiB;AACtB,SAAK,cAAc;AACnB,WAAO,OAAO,MAAM,OAAO;AAC3B,SAAK,UAAU,KAAK,kBAAkB;AAAA,EACxC;AAAA,EAEA,IAAW,UAA6B;AACtC,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,mBAAmB;AACzB,SAAK,uBAAuB,KAAK;AAAA,MAC/B,KAAK,UAAU,yBAAU,QAAQ,aAAa;AAAA,IAChD;AACA,SAAK,SAAS,KAAK,UAAU,yBAAU,QAAQ,MAAM;AACrD,SAAK,OAAO,KAAK,UAAU,yBAAU,QAAQ,IAAI;AACjD,SAAK,gBAAgB,KAAK,UAAU,yBAAU,QAAQ,aAAa;AACnE,SAAK,iBACH,KAAK,UAAU,yBAAU,QAAQ,wBAAwB,KACzD,KAAK,UAAU,yBAAU,QAAQ,cAAc;AACjD,SAAK,WAAW,KAAK,UAAU,yBAAU,QAAQ,QAAQ;AACzD,SAAK,YAAY,KAAK,UAAU,yBAAU,QAAQ,SAAS;AAC3D,SAAK,eAAe,KAAK,UAAU,yBAAU,QAAQ,YAAY;AACjE,SAAK,SAAS,KAAK,UAAU,yBAAU,QAAQ,MAAM;AACrD,SAAK,gBAAgB,KAAK,UAAU,yBAAU,QAAQ,aAAa;AAAA,EACrE;AAAA,EAEQ,mBAAmB;AACzB,UAAM,eAAe,QAAQ,IAAI,aAAa;AAC9C,UAAM,gBAAgB,eAAe,YAAY;AACjD,SAAK,uBAAuB,KAAK,UAAU,yBAAU,QAAQ,OAAO;AAGpE,SAAK,kBAAkB,KAAK,UAAU,GAAG,aAAa,GAAG,yBAAU,QAAQ,OAAO,EAAE;AACpF,SAAK,uBAAuB,KAAK,UAAU,GAAG,aAAa,GAAG,yBAAU,QAAQ,OAAO,EAAE;AACzF,SAAK,oBAAoB,KAAK,UAAU,yBAAU,QAAQ,SAAS;AACnE,SAAK,sBAAsB,KAAK,UAAU,yBAAU,QAAQ,MAAM;AAAA,EACpE;AAAA,EAEQ,gBAAgB;AACtB,SAAK,SAAS,KAAK,kBAAkB;AACrC,SAAK,eAAe,KAAK,kBAAkB,QAAQ,SAAS,MAAM,GAAG,EAAE,OAAO,OAAO;AACrF,SAAK,WAAW,KAAK,aAAa,CAAC;AACnC,SAAK,cAAc,KAAK,aAAa,CAAC;AAAA,EACxC;AAAA,EAEQ,UAAU,MAAc;AAC9B,WAAO,KAAK,kBAAkB,QAAQ,IAAI,IAAI,KAAK;AAAA,EACrD;AAAA,EAEQ,UAAU,MAAc;AAC9B,WAAO,KAAK,kBAAkB,QAAQ,IAAI,IAAI,KAAK;AAAA,EACrD;AAAA,EAEQ,yBACN,qBACoB;AACpB,QAAI,CAAC,qBAAqB;AACxB,aAAO;AAAA,IACT;AAEA,UAAM,CAAC,QAAQ,KAAK,IAAI,oBAAoB,MAAM,KAAK,CAAC;AAExD,QAAI,CAAC,OAAO;AAEV,aAAO;AAAA,IACT;AAEA,QAAI,WAAW,UAAU;AACvB,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT;AACF;AAIO,MAAM,yBAAyB,CACpC,mBACA,YAC4B;AAC5B,SAAO,IAAI,wBAAwB,mBAAmB,OAAO;AAC/D;","names":[]}
|
|
@@ -189,6 +189,13 @@ function createValidators(context) {
|
|
|
189
189
|
400
|
|
190
190
|
);
|
|
191
191
|
}
|
|
192
|
+
if (idToken.split(".").length !== 3) {
|
|
193
|
+
return (0, import_responses.createApiErrorResponse)(
|
|
194
|
+
"INVALID_TOKEN_FORMAT",
|
|
195
|
+
"ID token must be a valid JWT",
|
|
196
|
+
400
|
|
197
|
+
);
|
|
198
|
+
}
|
|
192
199
|
return null;
|
|
193
200
|
}
|
|
194
201
|
async function validateRequest(config) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/app-router/admin/fnValidators.ts"],"sourcesContent":["import { cookies } from 'next/headers';\n\nimport type { RequestProcessorContext } from './c-authenticateRequestProcessor';\nimport { createApiErrorResponse } from './responses';\nimport type {\n AuthEndpoint,\n ComprehensiveValidationResult,\n CorsOptions,\n EndpointConfig,\n SecurityOptions,\n SessionSubEndpoint,\n ValidationConfig,\n} from './types';\n\n/**\n * Main validators factory function\n * Returns an object containing all validator functions and utilities\n */\nexport function createValidators(context: RequestProcessorContext) {\n const { origin, host, referrer, userAgent, method, pathSegments } = context;\n const request = context.request;\n\n async function validateCors(corsOptions: CorsOptions): Promise<Response | null> {\n if (corsOptions.skipSameOrigin) {\n if (!origin || (host && origin.includes(host))) {\n return null;\n }\n }\n\n if (corsOptions.allowedOrigins !== '*') {\n const isAllowed = corsOptions.allowedOrigins.some(allowedOrigin => {\n if (allowedOrigin.startsWith('*')) {\n const domain = allowedOrigin.slice(1);\n return origin?.endsWith(domain);\n }\n return origin === allowedOrigin;\n });\n\n if (!isAllowed) {\n return createApiErrorResponse('CORS_ORIGIN_NOT_ALLOWED', 'Origin not allowed', 403);\n }\n }\n\n return null;\n }\n\n function createCorsOptionsResponse(corsOptions: CorsOptions): Response {\n const response = new Response(null, { status: 204 });\n\n if (corsOptions.allowedOrigins === '*') {\n response.headers.set('Access-Control-Allow-Origin', '*');\n } else {\n response.headers.set('Access-Control-Allow-Origin', corsOptions.allowedOrigins.join(','));\n }\n\n response.headers.set(\n 'Access-Control-Allow-Methods',\n corsOptions.allowedMethods?.join(',') || 'GET,POST',\n );\n response.headers.set(\n 'Access-Control-Allow-Headers',\n corsOptions.allowedHeaders?.join(',') || 'Content-Type,Authorization',\n );\n\n if (corsOptions.allowCredentials) {\n response.headers.set('Access-Control-Allow-Credentials', 'true');\n }\n\n if (corsOptions.maxAge) {\n response.headers.set('Access-Control-Max-Age', corsOptions.maxAge.toString());\n }\n\n return response;\n }\n\n async function validateSecurity(securityOptions: SecurityOptions): Promise<Response | null> {\n const csrfResult = validateCsrf(securityOptions);\n if (csrfResult) return csrfResult;\n\n const headersResult = validateRequiredHeaders(securityOptions);\n if (headersResult) return headersResult;\n\n const userAgentResult = validateUserAgent(securityOptions);\n if (userAgentResult) return userAgentResult;\n\n return null;\n }\n\n function validateCsrf(securityOptions: SecurityOptions): Response | null {\n if (securityOptions.requireCSRF && origin && host && !origin.includes(host)) {\n const hasCSRFHeader = context.request.headers.get('x-requested-with') === 'XMLHttpRequest';\n const hasValidReferer = referrer && host && referrer.includes(host);\n\n if (!hasCSRFHeader && !hasValidReferer) {\n const isAllowedReferrer = securityOptions.allowedReferers?.some((allowedRef: string) =>\n referrer?.includes(allowedRef),\n );\n\n if (!isAllowedReferrer) {\n return createApiErrorResponse('CSRF_PROTECTION', 'Access denied', 403);\n }\n }\n }\n return null;\n }\n\n function validateRequiredHeaders(securityOptions: SecurityOptions): Response | null {\n if (securityOptions.requiredHeaders) {\n for (const [headerName, expectedValue] of Object.entries(securityOptions.requiredHeaders)) {\n const actualValue = context.request.headers.get(headerName);\n if (actualValue !== expectedValue) {\n return createApiErrorResponse(\n 'INVALID_HEADERS',\n 'Required header missing or invalid',\n 400,\n );\n }\n }\n }\n return null;\n }\n\n function validateUserAgent(securityOptions: SecurityOptions): Response | null {\n if (securityOptions.userAgent?.block?.length) {\n const isBlocked = securityOptions.userAgent.block.some((blocked: string) =>\n context.request.headers.get('user-agent')?.toLowerCase().includes(blocked.toLowerCase()),\n );\n\n if (isBlocked) {\n return createApiErrorResponse('USER_AGENT_BLOCKED', 'Access denied', 403);\n }\n }\n\n if (securityOptions.userAgent?.allow?.length) {\n const isAllowed = securityOptions.userAgent.allow.some((allowed: string) =>\n request.headers.get('user-agent')?.toLowerCase().includes(allowed.toLowerCase()),\n );\n\n if (!isAllowed) {\n return createApiErrorResponse('USER_AGENT_NOT_ALLOWED', 'Access denied', 403);\n }\n }\n\n return null;\n }\n\n function validateCsrfToken(\n csrfToken: string,\n csrfCookieValue: string | undefined,\n ): Response | null {\n if (!csrfToken) {\n return createApiErrorResponse('INVALID_CSRF_TOKEN', 'CSRF token is required', 400);\n }\n\n if (!csrfCookieValue) {\n return createApiErrorResponse('CSRF_COOKIE_MISSING', 'CSRF token cookie not found', 403);\n }\n\n if (csrfToken !== csrfCookieValue) {\n return createApiErrorResponse('CSRF_TOKEN_MISMATCH', 'CSRF token mismatch', 403);\n }\n\n return null;\n }\n\n function validatePathStructure(): Response | null {\n if (pathSegments.length < 3) {\n return createApiErrorResponse(\n 'INVALID_ROUTE',\n 'Invalid route structure. Expected: /api/auth/{endpoint}',\n 404,\n );\n }\n return null;\n }\n\n function validateEndpoint(\n _endpoint: AuthEndpoint,\n endpointConfig: EndpointConfig,\n ): Response | null {\n if (!endpointConfig || !endpointConfig.enabled) {\n return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Endpoint not found', 404);\n }\n\n if (method !== 'OPTIONS' && !endpointConfig.methods.includes(method as any)) {\n return createApiErrorResponse('METHOD_NOT_ALLOWED', 'Method not allowed', 405);\n }\n\n return null;\n }\n\n function validateSubEndpoint(\n subEndpoint: SessionSubEndpoint | undefined,\n subEndpointConfig: any,\n ): Response | null {\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Session sub-endpoint required', 400);\n }\n\n if (!subEndpointConfig || !subEndpointConfig.enabled) {\n return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Endpoint not found', 404);\n }\n\n if (!subEndpointConfig.methods?.includes(method as any)) {\n return createApiErrorResponse('METHOD_NOT_ALLOWED', 'Method not allowed', 405);\n }\n\n return null;\n }\n\n async function validateSessionRequest(): Promise<{\n body: any;\n idToken?: string;\n csrfToken?: string;\n error?: Response;\n }> {\n try {\n const body = await request.json();\n return { body, idToken: body.idToken, csrfToken: body.csrfToken };\n } catch (error) {\n return {\n body: null,\n error: createApiErrorResponse('INVALID_REQUEST_FORMAT', 'Invalid request format', 400),\n };\n }\n }\n\n function validateIdToken(idToken: string | undefined): Response | null {\n if (!idToken) {\n return createApiErrorResponse(\n 'INVALID_TOKEN',\n 'ID token is required for creating session',\n 400,\n );\n }\n return null;\n }\n\n /**\n * Main validation orchestrator function\n * Runs all configured validations in the correct order\n */\n async function validateRequest(config: ValidationConfig): Promise<ComprehensiveValidationResult> {\n if (method === 'OPTIONS' && config.cors) {\n return {\n isValid: true,\n corsResponse: createCorsOptionsResponse(config.cors),\n };\n }\n const pathError = validatePathStructure();\n if (pathError) {\n return { isValid: false, error: pathError };\n }\n\n if (config.cors) {\n const corsError = await validateCors(config.cors);\n if (corsError) {\n return { isValid: false, error: corsError };\n }\n }\n\n if (config.security) {\n const securityError = await validateSecurity(config.security);\n if (securityError) {\n return { isValid: false, error: securityError };\n }\n }\n\n if (config.endpoint) {\n const endpointError = validateEndpoint(config.endpoint.name, config.endpoint.config);\n if (endpointError) {\n return { isValid: false, error: endpointError };\n }\n }\n\n if (config.subEndpoint) {\n const subEndpointError = validateSubEndpoint(\n config.subEndpoint.name,\n config.subEndpoint.config,\n );\n if (subEndpointError) {\n return { isValid: false, error: subEndpointError };\n }\n }\n\n let sessionData;\n if (method === 'POST' && (config.requireIdToken || config.requireCsrfToken)) {\n const sessionResult = await validateSessionRequest();\n if (sessionResult.error) {\n return { isValid: false, error: sessionResult.error };\n }\n\n sessionData = sessionResult;\n\n if (config.requireIdToken) {\n const idTokenError = validateIdToken(sessionData.idToken);\n if (idTokenError) {\n return { isValid: false, error: idTokenError };\n }\n }\n\n if (config.requireCsrfToken && sessionData.csrfToken) {\n const cookieStore = await cookies();\n const csrfCookieValue = cookieStore.get('csrfToken')?.value;\n const csrfError = validateCsrfToken(sessionData.csrfToken, csrfCookieValue);\n if (csrfError) {\n return { isValid: false, error: csrfError };\n }\n }\n }\n\n return {\n isValid: true,\n sessionData,\n };\n }\n\n /**\n * Convenience function for quick validation setup\n */\n function createValidationConfig(overrides: Partial<ValidationConfig> = {}): ValidationConfig {\n return {\n ...overrides,\n };\n }\n\n return {\n createValidationConfig,\n\n validateRequest,\n\n validateCors,\n validateSecurity,\n validatePathStructure,\n validateEndpoint,\n validateSubEndpoint,\n validateSessionRequest,\n validateIdToken,\n validateCsrfToken,\n\n createCorsOptionsResponse,\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAAwB;AAGxB,uBAAuC;AAehC,SAAS,iBAAiB,SAAkC;AACjE,QAAM,EAAE,QAAQ,MAAM,UAAU,WAAW,QAAQ,aAAa,IAAI;AACpE,QAAM,UAAU,QAAQ;AAExB,iBAAe,aAAa,aAAoD;AAC9E,QAAI,YAAY,gBAAgB;AAC9B,UAAI,CAAC,UAAW,QAAQ,OAAO,SAAS,IAAI,GAAI;AAC9C,eAAO;AAAA,MACT;AAAA,IACF;AAEA,QAAI,YAAY,mBAAmB,KAAK;AACtC,YAAM,YAAY,YAAY,eAAe,KAAK,mBAAiB;AACjE,YAAI,cAAc,WAAW,GAAG,GAAG;AACjC,gBAAM,SAAS,cAAc,MAAM,CAAC;AACpC,iBAAO,QAAQ,SAAS,MAAM;AAAA,QAChC;AACA,eAAO,WAAW;AAAA,MACpB,CAAC;AAED,UAAI,CAAC,WAAW;AACd,mBAAO,yCAAuB,2BAA2B,sBAAsB,GAAG;AAAA,MACpF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAEA,WAAS,0BAA0B,aAAoC;AACrE,UAAM,WAAW,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAEnD,QAAI,YAAY,mBAAmB,KAAK;AACtC,eAAS,QAAQ,IAAI,+BAA+B,GAAG;AAAA,IACzD,OAAO;AACL,eAAS,QAAQ,IAAI,+BAA+B,YAAY,eAAe,KAAK,GAAG,CAAC;AAAA,IAC1F;AAEA,aAAS,QAAQ;AAAA,MACf;AAAA,MACA,YAAY,gBAAgB,KAAK,GAAG,KAAK;AAAA,IAC3C;AACA,aAAS,QAAQ;AAAA,MACf;AAAA,MACA,YAAY,gBAAgB,KAAK,GAAG,KAAK;AAAA,IAC3C;AAEA,QAAI,YAAY,kBAAkB;AAChC,eAAS,QAAQ,IAAI,oCAAoC,MAAM;AAAA,IACjE;AAEA,QAAI,YAAY,QAAQ;AACtB,eAAS,QAAQ,IAAI,0BAA0B,YAAY,OAAO,SAAS,CAAC;AAAA,IAC9E;AAEA,WAAO;AAAA,EACT;AAEA,iBAAe,iBAAiB,iBAA4D;AAC1F,UAAM,aAAa,aAAa,eAAe;AAC/C,QAAI,WAAY,QAAO;AAEvB,UAAM,gBAAgB,wBAAwB,eAAe;AAC7D,QAAI,cAAe,QAAO;AAE1B,UAAM,kBAAkB,kBAAkB,eAAe;AACzD,QAAI,gBAAiB,QAAO;AAE5B,WAAO;AAAA,EACT;AAEA,WAAS,aAAa,iBAAmD;AACvE,QAAI,gBAAgB,eAAe,UAAU,QAAQ,CAAC,OAAO,SAAS,IAAI,GAAG;AAC3E,YAAM,gBAAgB,QAAQ,QAAQ,QAAQ,IAAI,kBAAkB,MAAM;AAC1E,YAAM,kBAAkB,YAAY,QAAQ,SAAS,SAAS,IAAI;AAElE,UAAI,CAAC,iBAAiB,CAAC,iBAAiB;AACtC,cAAM,oBAAoB,gBAAgB,iBAAiB;AAAA,UAAK,CAAC,eAC/D,UAAU,SAAS,UAAU;AAAA,QAC/B;AAEA,YAAI,CAAC,mBAAmB;AACtB,qBAAO,yCAAuB,mBAAmB,iBAAiB,GAAG;AAAA,QACvE;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,WAAS,wBAAwB,iBAAmD;AAClF,QAAI,gBAAgB,iBAAiB;AACnC,iBAAW,CAAC,YAAY,aAAa,KAAK,OAAO,QAAQ,gBAAgB,eAAe,GAAG;AACzF,cAAM,cAAc,QAAQ,QAAQ,QAAQ,IAAI,UAAU;AAC1D,YAAI,gBAAgB,eAAe;AACjC,qBAAO;AAAA,YACL;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,WAAS,kBAAkB,iBAAmD;AAC5E,QAAI,gBAAgB,WAAW,OAAO,QAAQ;AAC5C,YAAM,YAAY,gBAAgB,UAAU,MAAM;AAAA,QAAK,CAAC,YACtD,QAAQ,QAAQ,QAAQ,IAAI,YAAY,GAAG,YAAY,EAAE,SAAS,QAAQ,YAAY,CAAC;AAAA,MACzF;AAEA,UAAI,WAAW;AACb,mBAAO,yCAAuB,sBAAsB,iBAAiB,GAAG;AAAA,MAC1E;AAAA,IACF;AAEA,QAAI,gBAAgB,WAAW,OAAO,QAAQ;AAC5C,YAAM,YAAY,gBAAgB,UAAU,MAAM;AAAA,QAAK,CAAC,YACtD,QAAQ,QAAQ,IAAI,YAAY,GAAG,YAAY,EAAE,SAAS,QAAQ,YAAY,CAAC;AAAA,MACjF;AAEA,UAAI,CAAC,WAAW;AACd,mBAAO,yCAAuB,0BAA0B,iBAAiB,GAAG;AAAA,MAC9E;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAEA,WAAS,kBACP,WACA,iBACiB;AACjB,QAAI,CAAC,WAAW;AACd,iBAAO,yCAAuB,sBAAsB,0BAA0B,GAAG;AAAA,IACnF;AAEA,QAAI,CAAC,iBAAiB;AACpB,iBAAO,yCAAuB,uBAAuB,+BAA+B,GAAG;AAAA,IACzF;AAEA,QAAI,cAAc,iBAAiB;AACjC,iBAAO,yCAAuB,uBAAuB,uBAAuB,GAAG;AAAA,IACjF;AAEA,WAAO;AAAA,EACT;AAEA,WAAS,wBAAyC;AAChD,QAAI,aAAa,SAAS,GAAG;AAC3B,iBAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,WAAS,iBACP,WACA,gBACiB;AACjB,QAAI,CAAC,kBAAkB,CAAC,eAAe,SAAS;AAC9C,iBAAO,yCAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,QAAI,WAAW,aAAa,CAAC,eAAe,QAAQ,SAAS,MAAa,GAAG;AAC3E,iBAAO,yCAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,WAAO;AAAA,EACT;AAEA,WAAS,oBACP,aACA,mBACiB;AACjB,QAAI,CAAC,aAAa;AAChB,iBAAO,yCAAuB,yBAAyB,iCAAiC,GAAG;AAAA,IAC7F;AAEA,QAAI,CAAC,qBAAqB,CAAC,kBAAkB,SAAS;AACpD,iBAAO,yCAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,QAAI,CAAC,kBAAkB,SAAS,SAAS,MAAa,GAAG;AACvD,iBAAO,yCAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,WAAO;AAAA,EACT;AAEA,iBAAe,yBAKZ;AACD,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,KAAK;AAChC,aAAO,EAAE,MAAM,SAAS,KAAK,SAAS,WAAW,KAAK,UAAU;AAAA,IAClE,SAAS,OAAO;AACd,aAAO;AAAA,QACL,MAAM;AAAA,QACN,WAAO,yCAAuB,0BAA0B,0BAA0B,GAAG;AAAA,MACvF;AAAA,IACF;AAAA,EACF;AAEA,WAAS,gBAAgB,SAA8C;AACrE,QAAI,CAAC,SAAS;AACZ,iBAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAMA,iBAAe,gBAAgB,QAAkE;AAC/F,QAAI,WAAW,aAAa,OAAO,MAAM;AACvC,aAAO;AAAA,QACL,SAAS;AAAA,QACT,cAAc,0BAA0B,OAAO,IAAI;AAAA,MACrD;AAAA,IACF;AACA,UAAM,YAAY,sBAAsB;AACxC,QAAI,WAAW;AACb,aAAO,EAAE,SAAS,OAAO,OAAO,UAAU;AAAA,IAC5C;AAEA,QAAI,OAAO,MAAM;AACf,YAAM,YAAY,MAAM,aAAa,OAAO,IAAI;AAChD,UAAI,WAAW;AACb,eAAO,EAAE,SAAS,OAAO,OAAO,UAAU;AAAA,MAC5C;AAAA,IACF;AAEA,QAAI,OAAO,UAAU;AACnB,YAAM,gBAAgB,MAAM,iBAAiB,OAAO,QAAQ;AAC5D,UAAI,eAAe;AACjB,eAAO,EAAE,SAAS,OAAO,OAAO,cAAc;AAAA,MAChD;AAAA,IACF;AAEA,QAAI,OAAO,UAAU;AACnB,YAAM,gBAAgB,iBAAiB,OAAO,SAAS,MAAM,OAAO,SAAS,MAAM;AACnF,UAAI,eAAe;AACjB,eAAO,EAAE,SAAS,OAAO,OAAO,cAAc;AAAA,MAChD;AAAA,IACF;AAEA,QAAI,OAAO,aAAa;AACtB,YAAM,mBAAmB;AAAA,QACvB,OAAO,YAAY;AAAA,QACnB,OAAO,YAAY;AAAA,MACrB;AACA,UAAI,kBAAkB;AACpB,eAAO,EAAE,SAAS,OAAO,OAAO,iBAAiB;AAAA,MACnD;AAAA,IACF;AAEA,QAAI;AACJ,QAAI,WAAW,WAAW,OAAO,kBAAkB,OAAO,mBAAmB;AAC3E,YAAM,gBAAgB,MAAM,uBAAuB;AACnD,UAAI,cAAc,OAAO;AACvB,eAAO,EAAE,SAAS,OAAO,OAAO,cAAc,MAAM;AAAA,MACtD;AAEA,oBAAc;AAEd,UAAI,OAAO,gBAAgB;AACzB,cAAM,eAAe,gBAAgB,YAAY,OAAO;AACxD,YAAI,cAAc;AAChB,iBAAO,EAAE,SAAS,OAAO,OAAO,aAAa;AAAA,QAC/C;AAAA,MACF;AAEA,UAAI,OAAO,oBAAoB,YAAY,WAAW;AACpD,cAAM,cAAc,UAAM,wBAAQ;AAClC,cAAM,kBAAkB,YAAY,IAAI,WAAW,GAAG;AACtD,cAAM,YAAY,kBAAkB,YAAY,WAAW,eAAe;AAC1E,YAAI,WAAW;AACb,iBAAO,EAAE,SAAS,OAAO,OAAO,UAAU;AAAA,QAC5C;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,SAAS;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAKA,WAAS,uBAAuB,YAAuC,CAAC,GAAqB;AAC3F,WAAO;AAAA,MACL,GAAG;AAAA,IACL;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IAEA;AAAA,IAEA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IAEA;AAAA,EACF;AACF;","names":[]}
|
|
1
|
+
{"version":3,"sources":["../../../../src/app-router/admin/fnValidators.ts"],"sourcesContent":["import { cookies } from 'next/headers';\n\nimport type { RequestProcessorContext } from './c-authenticateRequestProcessor';\nimport { createApiErrorResponse } from './responses';\nimport type {\n AuthEndpoint,\n ComprehensiveValidationResult,\n CorsOptions,\n EndpointConfig,\n SecurityOptions,\n SessionSubEndpoint,\n ValidationConfig,\n} from './types';\n\n/**\n * Main validators factory function\n * Returns an object containing all validator functions and utilities\n */\nexport function createValidators(context: RequestProcessorContext) {\n const { origin, host, referrer, userAgent, method, pathSegments } = context;\n const request = context.request;\n\n async function validateCors(corsOptions: CorsOptions): Promise<Response | null> {\n if (corsOptions.skipSameOrigin) {\n if (!origin || (host && origin.includes(host))) {\n return null;\n }\n }\n\n if (corsOptions.allowedOrigins !== '*') {\n const isAllowed = corsOptions.allowedOrigins.some(allowedOrigin => {\n if (allowedOrigin.startsWith('*')) {\n const domain = allowedOrigin.slice(1);\n return origin?.endsWith(domain);\n }\n return origin === allowedOrigin;\n });\n\n if (!isAllowed) {\n return createApiErrorResponse('CORS_ORIGIN_NOT_ALLOWED', 'Origin not allowed', 403);\n }\n }\n\n return null;\n }\n\n function createCorsOptionsResponse(corsOptions: CorsOptions): Response {\n const response = new Response(null, { status: 204 });\n\n if (corsOptions.allowedOrigins === '*') {\n response.headers.set('Access-Control-Allow-Origin', '*');\n } else {\n response.headers.set('Access-Control-Allow-Origin', corsOptions.allowedOrigins.join(','));\n }\n\n response.headers.set(\n 'Access-Control-Allow-Methods',\n corsOptions.allowedMethods?.join(',') || 'GET,POST',\n );\n response.headers.set(\n 'Access-Control-Allow-Headers',\n corsOptions.allowedHeaders?.join(',') || 'Content-Type,Authorization',\n );\n\n if (corsOptions.allowCredentials) {\n response.headers.set('Access-Control-Allow-Credentials', 'true');\n }\n\n if (corsOptions.maxAge) {\n response.headers.set('Access-Control-Max-Age', corsOptions.maxAge.toString());\n }\n\n return response;\n }\n\n async function validateSecurity(securityOptions: SecurityOptions): Promise<Response | null> {\n const csrfResult = validateCsrf(securityOptions);\n if (csrfResult) return csrfResult;\n\n const headersResult = validateRequiredHeaders(securityOptions);\n if (headersResult) return headersResult;\n\n const userAgentResult = validateUserAgent(securityOptions);\n if (userAgentResult) return userAgentResult;\n\n return null;\n }\n\n function validateCsrf(securityOptions: SecurityOptions): Response | null {\n if (securityOptions.requireCSRF && origin && host && !origin.includes(host)) {\n const hasCSRFHeader = context.request.headers.get('x-requested-with') === 'XMLHttpRequest';\n const hasValidReferer = referrer && host && referrer.includes(host);\n\n if (!hasCSRFHeader && !hasValidReferer) {\n const isAllowedReferrer = securityOptions.allowedReferers?.some((allowedRef: string) =>\n referrer?.includes(allowedRef),\n );\n\n if (!isAllowedReferrer) {\n return createApiErrorResponse('CSRF_PROTECTION', 'Access denied', 403);\n }\n }\n }\n return null;\n }\n\n function validateRequiredHeaders(securityOptions: SecurityOptions): Response | null {\n if (securityOptions.requiredHeaders) {\n for (const [headerName, expectedValue] of Object.entries(securityOptions.requiredHeaders)) {\n const actualValue = context.request.headers.get(headerName);\n if (actualValue !== expectedValue) {\n return createApiErrorResponse(\n 'INVALID_HEADERS',\n 'Required header missing or invalid',\n 400,\n );\n }\n }\n }\n return null;\n }\n\n function validateUserAgent(securityOptions: SecurityOptions): Response | null {\n if (securityOptions.userAgent?.block?.length) {\n const isBlocked = securityOptions.userAgent.block.some((blocked: string) =>\n context.request.headers.get('user-agent')?.toLowerCase().includes(blocked.toLowerCase()),\n );\n\n if (isBlocked) {\n return createApiErrorResponse('USER_AGENT_BLOCKED', 'Access denied', 403);\n }\n }\n\n if (securityOptions.userAgent?.allow?.length) {\n const isAllowed = securityOptions.userAgent.allow.some((allowed: string) =>\n request.headers.get('user-agent')?.toLowerCase().includes(allowed.toLowerCase()),\n );\n\n if (!isAllowed) {\n return createApiErrorResponse('USER_AGENT_NOT_ALLOWED', 'Access denied', 403);\n }\n }\n\n return null;\n }\n\n function validateCsrfToken(\n csrfToken: string,\n csrfCookieValue: string | undefined,\n ): Response | null {\n if (!csrfToken) {\n return createApiErrorResponse('INVALID_CSRF_TOKEN', 'CSRF token is required', 400);\n }\n\n if (!csrfCookieValue) {\n return createApiErrorResponse('CSRF_COOKIE_MISSING', 'CSRF token cookie not found', 403);\n }\n\n if (csrfToken !== csrfCookieValue) {\n return createApiErrorResponse('CSRF_TOKEN_MISMATCH', 'CSRF token mismatch', 403);\n }\n\n return null;\n }\n\n function validatePathStructure(): Response | null {\n if (pathSegments.length < 3) {\n return createApiErrorResponse(\n 'INVALID_ROUTE',\n 'Invalid route structure. Expected: /api/auth/{endpoint}',\n 404,\n );\n }\n return null;\n }\n\n function validateEndpoint(\n _endpoint: AuthEndpoint,\n endpointConfig: EndpointConfig,\n ): Response | null {\n if (!endpointConfig || !endpointConfig.enabled) {\n return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Endpoint not found', 404);\n }\n\n if (method !== 'OPTIONS' && !endpointConfig.methods.includes(method as any)) {\n return createApiErrorResponse('METHOD_NOT_ALLOWED', 'Method not allowed', 405);\n }\n\n return null;\n }\n\n function validateSubEndpoint(\n subEndpoint: SessionSubEndpoint | undefined,\n subEndpointConfig: any,\n ): Response | null {\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Session sub-endpoint required', 400);\n }\n\n if (!subEndpointConfig || !subEndpointConfig.enabled) {\n return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Endpoint not found', 404);\n }\n\n if (!subEndpointConfig.methods?.includes(method as any)) {\n return createApiErrorResponse('METHOD_NOT_ALLOWED', 'Method not allowed', 405);\n }\n\n return null;\n }\n\n async function validateSessionRequest(): Promise<{\n body: any;\n idToken?: string;\n csrfToken?: string;\n error?: Response;\n }> {\n try {\n const body = await request.json();\n return { body, idToken: body.idToken, csrfToken: body.csrfToken };\n } catch (error) {\n return {\n body: null,\n error: createApiErrorResponse('INVALID_REQUEST_FORMAT', 'Invalid request format', 400),\n };\n }\n }\n\n function validateIdToken(idToken: string | undefined): Response | null {\n if (!idToken) {\n return createApiErrorResponse(\n 'INVALID_TOKEN',\n 'ID token is required for creating session',\n 400,\n );\n }\n if (idToken.split('.').length !== 3) {\n return createApiErrorResponse(\n 'INVALID_TOKEN_FORMAT',\n 'ID token must be a valid JWT',\n 400,\n );\n }\n return null;\n }\n\n /**\n * Main validation orchestrator function\n * Runs all configured validations in the correct order\n */\n async function validateRequest(config: ValidationConfig): Promise<ComprehensiveValidationResult> {\n if (method === 'OPTIONS' && config.cors) {\n return {\n isValid: true,\n corsResponse: createCorsOptionsResponse(config.cors),\n };\n }\n const pathError = validatePathStructure();\n if (pathError) {\n return { isValid: false, error: pathError };\n }\n\n if (config.cors) {\n const corsError = await validateCors(config.cors);\n if (corsError) {\n return { isValid: false, error: corsError };\n }\n }\n\n if (config.security) {\n const securityError = await validateSecurity(config.security);\n if (securityError) {\n return { isValid: false, error: securityError };\n }\n }\n\n if (config.endpoint) {\n const endpointError = validateEndpoint(config.endpoint.name, config.endpoint.config);\n if (endpointError) {\n return { isValid: false, error: endpointError };\n }\n }\n\n if (config.subEndpoint) {\n const subEndpointError = validateSubEndpoint(\n config.subEndpoint.name,\n config.subEndpoint.config,\n );\n if (subEndpointError) {\n return { isValid: false, error: subEndpointError };\n }\n }\n\n let sessionData;\n if (method === 'POST' && (config.requireIdToken || config.requireCsrfToken)) {\n const sessionResult = await validateSessionRequest();\n if (sessionResult.error) {\n return { isValid: false, error: sessionResult.error };\n }\n\n sessionData = sessionResult;\n\n if (config.requireIdToken) {\n const idTokenError = validateIdToken(sessionData.idToken);\n if (idTokenError) {\n return { isValid: false, error: idTokenError };\n }\n }\n\n if (config.requireCsrfToken && sessionData.csrfToken) {\n const cookieStore = await cookies();\n const csrfCookieValue = cookieStore.get('csrfToken')?.value;\n const csrfError = validateCsrfToken(sessionData.csrfToken, csrfCookieValue);\n if (csrfError) {\n return { isValid: false, error: csrfError };\n }\n }\n }\n\n return {\n isValid: true,\n sessionData,\n };\n }\n\n /**\n * Convenience function for quick validation setup\n */\n function createValidationConfig(overrides: Partial<ValidationConfig> = {}): ValidationConfig {\n return {\n ...overrides,\n };\n }\n\n return {\n createValidationConfig,\n\n validateRequest,\n\n validateCors,\n validateSecurity,\n validatePathStructure,\n validateEndpoint,\n validateSubEndpoint,\n validateSessionRequest,\n validateIdToken,\n validateCsrfToken,\n\n createCorsOptionsResponse,\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAAwB;AAGxB,uBAAuC;AAehC,SAAS,iBAAiB,SAAkC;AACjE,QAAM,EAAE,QAAQ,MAAM,UAAU,WAAW,QAAQ,aAAa,IAAI;AACpE,QAAM,UAAU,QAAQ;AAExB,iBAAe,aAAa,aAAoD;AAC9E,QAAI,YAAY,gBAAgB;AAC9B,UAAI,CAAC,UAAW,QAAQ,OAAO,SAAS,IAAI,GAAI;AAC9C,eAAO;AAAA,MACT;AAAA,IACF;AAEA,QAAI,YAAY,mBAAmB,KAAK;AACtC,YAAM,YAAY,YAAY,eAAe,KAAK,mBAAiB;AACjE,YAAI,cAAc,WAAW,GAAG,GAAG;AACjC,gBAAM,SAAS,cAAc,MAAM,CAAC;AACpC,iBAAO,QAAQ,SAAS,MAAM;AAAA,QAChC;AACA,eAAO,WAAW;AAAA,MACpB,CAAC;AAED,UAAI,CAAC,WAAW;AACd,mBAAO,yCAAuB,2BAA2B,sBAAsB,GAAG;AAAA,MACpF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAEA,WAAS,0BAA0B,aAAoC;AACrE,UAAM,WAAW,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAEnD,QAAI,YAAY,mBAAmB,KAAK;AACtC,eAAS,QAAQ,IAAI,+BAA+B,GAAG;AAAA,IACzD,OAAO;AACL,eAAS,QAAQ,IAAI,+BAA+B,YAAY,eAAe,KAAK,GAAG,CAAC;AAAA,IAC1F;AAEA,aAAS,QAAQ;AAAA,MACf;AAAA,MACA,YAAY,gBAAgB,KAAK,GAAG,KAAK;AAAA,IAC3C;AACA,aAAS,QAAQ;AAAA,MACf;AAAA,MACA,YAAY,gBAAgB,KAAK,GAAG,KAAK;AAAA,IAC3C;AAEA,QAAI,YAAY,kBAAkB;AAChC,eAAS,QAAQ,IAAI,oCAAoC,MAAM;AAAA,IACjE;AAEA,QAAI,YAAY,QAAQ;AACtB,eAAS,QAAQ,IAAI,0BAA0B,YAAY,OAAO,SAAS,CAAC;AAAA,IAC9E;AAEA,WAAO;AAAA,EACT;AAEA,iBAAe,iBAAiB,iBAA4D;AAC1F,UAAM,aAAa,aAAa,eAAe;AAC/C,QAAI,WAAY,QAAO;AAEvB,UAAM,gBAAgB,wBAAwB,eAAe;AAC7D,QAAI,cAAe,QAAO;AAE1B,UAAM,kBAAkB,kBAAkB,eAAe;AACzD,QAAI,gBAAiB,QAAO;AAE5B,WAAO;AAAA,EACT;AAEA,WAAS,aAAa,iBAAmD;AACvE,QAAI,gBAAgB,eAAe,UAAU,QAAQ,CAAC,OAAO,SAAS,IAAI,GAAG;AAC3E,YAAM,gBAAgB,QAAQ,QAAQ,QAAQ,IAAI,kBAAkB,MAAM;AAC1E,YAAM,kBAAkB,YAAY,QAAQ,SAAS,SAAS,IAAI;AAElE,UAAI,CAAC,iBAAiB,CAAC,iBAAiB;AACtC,cAAM,oBAAoB,gBAAgB,iBAAiB;AAAA,UAAK,CAAC,eAC/D,UAAU,SAAS,UAAU;AAAA,QAC/B;AAEA,YAAI,CAAC,mBAAmB;AACtB,qBAAO,yCAAuB,mBAAmB,iBAAiB,GAAG;AAAA,QACvE;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,WAAS,wBAAwB,iBAAmD;AAClF,QAAI,gBAAgB,iBAAiB;AACnC,iBAAW,CAAC,YAAY,aAAa,KAAK,OAAO,QAAQ,gBAAgB,eAAe,GAAG;AACzF,cAAM,cAAc,QAAQ,QAAQ,QAAQ,IAAI,UAAU;AAC1D,YAAI,gBAAgB,eAAe;AACjC,qBAAO;AAAA,YACL;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,WAAS,kBAAkB,iBAAmD;AAC5E,QAAI,gBAAgB,WAAW,OAAO,QAAQ;AAC5C,YAAM,YAAY,gBAAgB,UAAU,MAAM;AAAA,QAAK,CAAC,YACtD,QAAQ,QAAQ,QAAQ,IAAI,YAAY,GAAG,YAAY,EAAE,SAAS,QAAQ,YAAY,CAAC;AAAA,MACzF;AAEA,UAAI,WAAW;AACb,mBAAO,yCAAuB,sBAAsB,iBAAiB,GAAG;AAAA,MAC1E;AAAA,IACF;AAEA,QAAI,gBAAgB,WAAW,OAAO,QAAQ;AAC5C,YAAM,YAAY,gBAAgB,UAAU,MAAM;AAAA,QAAK,CAAC,YACtD,QAAQ,QAAQ,IAAI,YAAY,GAAG,YAAY,EAAE,SAAS,QAAQ,YAAY,CAAC;AAAA,MACjF;AAEA,UAAI,CAAC,WAAW;AACd,mBAAO,yCAAuB,0BAA0B,iBAAiB,GAAG;AAAA,MAC9E;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAEA,WAAS,kBACP,WACA,iBACiB;AACjB,QAAI,CAAC,WAAW;AACd,iBAAO,yCAAuB,sBAAsB,0BAA0B,GAAG;AAAA,IACnF;AAEA,QAAI,CAAC,iBAAiB;AACpB,iBAAO,yCAAuB,uBAAuB,+BAA+B,GAAG;AAAA,IACzF;AAEA,QAAI,cAAc,iBAAiB;AACjC,iBAAO,yCAAuB,uBAAuB,uBAAuB,GAAG;AAAA,IACjF;AAEA,WAAO;AAAA,EACT;AAEA,WAAS,wBAAyC;AAChD,QAAI,aAAa,SAAS,GAAG;AAC3B,iBAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,WAAS,iBACP,WACA,gBACiB;AACjB,QAAI,CAAC,kBAAkB,CAAC,eAAe,SAAS;AAC9C,iBAAO,yCAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,QAAI,WAAW,aAAa,CAAC,eAAe,QAAQ,SAAS,MAAa,GAAG;AAC3E,iBAAO,yCAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,WAAO;AAAA,EACT;AAEA,WAAS,oBACP,aACA,mBACiB;AACjB,QAAI,CAAC,aAAa;AAChB,iBAAO,yCAAuB,yBAAyB,iCAAiC,GAAG;AAAA,IAC7F;AAEA,QAAI,CAAC,qBAAqB,CAAC,kBAAkB,SAAS;AACpD,iBAAO,yCAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,QAAI,CAAC,kBAAkB,SAAS,SAAS,MAAa,GAAG;AACvD,iBAAO,yCAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,WAAO;AAAA,EACT;AAEA,iBAAe,yBAKZ;AACD,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,KAAK;AAChC,aAAO,EAAE,MAAM,SAAS,KAAK,SAAS,WAAW,KAAK,UAAU;AAAA,IAClE,SAAS,OAAO;AACd,aAAO;AAAA,QACL,MAAM;AAAA,QACN,WAAO,yCAAuB,0BAA0B,0BAA0B,GAAG;AAAA,MACvF;AAAA,IACF;AAAA,EACF;AAEA,WAAS,gBAAgB,SAA8C;AACrE,QAAI,CAAC,SAAS;AACZ,iBAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,QAAI,QAAQ,MAAM,GAAG,EAAE,WAAW,GAAG;AACnC,iBAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAMA,iBAAe,gBAAgB,QAAkE;AAC/F,QAAI,WAAW,aAAa,OAAO,MAAM;AACvC,aAAO;AAAA,QACL,SAAS;AAAA,QACT,cAAc,0BAA0B,OAAO,IAAI;AAAA,MACrD;AAAA,IACF;AACA,UAAM,YAAY,sBAAsB;AACxC,QAAI,WAAW;AACb,aAAO,EAAE,SAAS,OAAO,OAAO,UAAU;AAAA,IAC5C;AAEA,QAAI,OAAO,MAAM;AACf,YAAM,YAAY,MAAM,aAAa,OAAO,IAAI;AAChD,UAAI,WAAW;AACb,eAAO,EAAE,SAAS,OAAO,OAAO,UAAU;AAAA,MAC5C;AAAA,IACF;AAEA,QAAI,OAAO,UAAU;AACnB,YAAM,gBAAgB,MAAM,iBAAiB,OAAO,QAAQ;AAC5D,UAAI,eAAe;AACjB,eAAO,EAAE,SAAS,OAAO,OAAO,cAAc;AAAA,MAChD;AAAA,IACF;AAEA,QAAI,OAAO,UAAU;AACnB,YAAM,gBAAgB,iBAAiB,OAAO,SAAS,MAAM,OAAO,SAAS,MAAM;AACnF,UAAI,eAAe;AACjB,eAAO,EAAE,SAAS,OAAO,OAAO,cAAc;AAAA,MAChD;AAAA,IACF;AAEA,QAAI,OAAO,aAAa;AACtB,YAAM,mBAAmB;AAAA,QACvB,OAAO,YAAY;AAAA,QACnB,OAAO,YAAY;AAAA,MACrB;AACA,UAAI,kBAAkB;AACpB,eAAO,EAAE,SAAS,OAAO,OAAO,iBAAiB;AAAA,MACnD;AAAA,IACF;AAEA,QAAI;AACJ,QAAI,WAAW,WAAW,OAAO,kBAAkB,OAAO,mBAAmB;AAC3E,YAAM,gBAAgB,MAAM,uBAAuB;AACnD,UAAI,cAAc,OAAO;AACvB,eAAO,EAAE,SAAS,OAAO,OAAO,cAAc,MAAM;AAAA,MACtD;AAEA,oBAAc;AAEd,UAAI,OAAO,gBAAgB;AACzB,cAAM,eAAe,gBAAgB,YAAY,OAAO;AACxD,YAAI,cAAc;AAChB,iBAAO,EAAE,SAAS,OAAO,OAAO,aAAa;AAAA,QAC/C;AAAA,MACF;AAEA,UAAI,OAAO,oBAAoB,YAAY,WAAW;AACpD,cAAM,cAAc,UAAM,wBAAQ;AAClC,cAAM,kBAAkB,YAAY,IAAI,WAAW,GAAG;AACtD,cAAM,YAAY,kBAAkB,YAAY,WAAW,eAAe;AAC1E,YAAI,WAAW;AACb,iBAAO,EAAE,SAAS,OAAO,OAAO,UAAU;AAAA,QAC5C;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,SAAS;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAKA,WAAS,uBAAuB,YAAuC,CAAC,GAAqB;AAC3F,WAAO;AAAA,MACL,GAAG;AAAA,IACL;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IAEA;AAAA,IAEA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IAEA;AAAA,EACF;AACF;","names":[]}
|
|
@@ -27,7 +27,7 @@ var import_cookie = require("@tern-secure/shared/cookie");
|
|
|
27
27
|
var import_ternsecureClient = require("../../server/ternsecureClient");
|
|
28
28
|
var import_constants = require("./constants");
|
|
29
29
|
var import_cookieOptionsHelper = require("./cookieOptionsHelper");
|
|
30
|
-
async function refreshCookieWithIdToken(idToken, cookieStore, config, referrer) {
|
|
30
|
+
async function refreshCookieWithIdToken(idToken, cookieStore, config, referrer, appCheckToken) {
|
|
31
31
|
const backendClient = await (0, import_ternsecureClient.ternSecureBackendClient)();
|
|
32
32
|
const authOptions = {
|
|
33
33
|
tenantId: config?.tenantId || void 0,
|
|
@@ -43,7 +43,10 @@ async function refreshCookieWithIdToken(idToken, cookieStore, config, referrer)
|
|
|
43
43
|
};
|
|
44
44
|
const COOKIE_OPTIONS = (0, import_cookieOptionsHelper.getIdTokenCookieOptions)();
|
|
45
45
|
const { createCustomIdAndRefreshToken } = (0, import_auth.getAuth)(authOptions);
|
|
46
|
-
const customTokens = await createCustomIdAndRefreshToken(idToken, {
|
|
46
|
+
const customTokens = await createCustomIdAndRefreshToken(idToken, {
|
|
47
|
+
referer: referrer,
|
|
48
|
+
appCheckToken
|
|
49
|
+
});
|
|
47
50
|
const cookiePrefix = (0, import_cookie.getCookiePrefix)();
|
|
48
51
|
const cookiePromises = [
|
|
49
52
|
cookieStore.set(
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/app-router/admin/request.ts"],"sourcesContent":["import type { AuthenticateRequestOptions } from '@tern-secure/backend';\nimport { constants } from '@tern-secure/backend';\nimport { getAuth } from '@tern-secure/backend/auth';\nimport { getCookieName, getCookiePrefix } from '@tern-secure/shared/cookie';\n\nimport { ternSecureBackendClient } from '../../server/ternsecureClient';\nimport type { NextCookieStore } from '../../utils/NextCookieAdapter';\nimport {\n FIREBASE_API_KEY,\n FIREBASE_APP_ID,\n FIREBASE_AUTH_DOMAIN,\n FIREBASE_MESSAGING_SENDER_ID,\n FIREBASE_PROJECT_ID,\n FIREBASE_STORAGE_BUCKET,\n} from './constants';\nimport { getIdTokenCookieOptions } from './cookieOptionsHelper';\nimport type { TernSecureHandlerOptions } from './types';\n\nexport async function refreshCookieWithIdToken(\n idToken: string,\n cookieStore: NextCookieStore,\n config?: TernSecureHandlerOptions,\n referrer?: string,\n): Promise<void> {\n const backendClient = await ternSecureBackendClient();\n\n const authOptions: AuthenticateRequestOptions = {\n tenantId: config?.tenantId || undefined,\n firebaseConfig: {\n apiKey: FIREBASE_API_KEY,\n authDomain: FIREBASE_AUTH_DOMAIN,\n projectId: FIREBASE_PROJECT_ID,\n storageBucket: FIREBASE_STORAGE_BUCKET,\n messagingSenderId: FIREBASE_MESSAGING_SENDER_ID,\n appId: FIREBASE_APP_ID,\n },\n apiClient: backendClient,\n };\n\n const COOKIE_OPTIONS = getIdTokenCookieOptions();\n\n const { createCustomIdAndRefreshToken } = getAuth(authOptions);\n\n const customTokens = await createCustomIdAndRefreshToken(idToken, {
|
|
1
|
+
{"version":3,"sources":["../../../../src/app-router/admin/request.ts"],"sourcesContent":["import type { AuthenticateRequestOptions } from '@tern-secure/backend';\nimport { constants } from '@tern-secure/backend';\nimport { getAuth } from '@tern-secure/backend/auth';\nimport { getCookieName, getCookiePrefix } from '@tern-secure/shared/cookie';\n\nimport { ternSecureBackendClient } from '../../server/ternsecureClient';\nimport type { NextCookieStore } from '../../utils/NextCookieAdapter';\nimport {\n FIREBASE_API_KEY,\n FIREBASE_APP_ID,\n FIREBASE_AUTH_DOMAIN,\n FIREBASE_MESSAGING_SENDER_ID,\n FIREBASE_PROJECT_ID,\n FIREBASE_STORAGE_BUCKET,\n} from './constants';\nimport { getIdTokenCookieOptions } from './cookieOptionsHelper';\nimport type { TernSecureHandlerOptions } from './types';\n\nexport async function refreshCookieWithIdToken(\n idToken: string,\n cookieStore: NextCookieStore,\n config?: TernSecureHandlerOptions,\n referrer?: string,\n appCheckToken?: string,\n): Promise<void> {\n const backendClient = await ternSecureBackendClient();\n\n const authOptions: AuthenticateRequestOptions = {\n tenantId: config?.tenantId || undefined,\n firebaseConfig: {\n apiKey: FIREBASE_API_KEY,\n authDomain: FIREBASE_AUTH_DOMAIN,\n projectId: FIREBASE_PROJECT_ID,\n storageBucket: FIREBASE_STORAGE_BUCKET,\n messagingSenderId: FIREBASE_MESSAGING_SENDER_ID,\n appId: FIREBASE_APP_ID,\n },\n apiClient: backendClient,\n };\n\n const COOKIE_OPTIONS = getIdTokenCookieOptions();\n\n const { createCustomIdAndRefreshToken } = getAuth(authOptions);\n\n\n const customTokens = await createCustomIdAndRefreshToken(idToken, {\n referer: referrer,\n appCheckToken,\n });\n\n\n const cookiePrefix = getCookiePrefix();\n\n const cookiePromises = [\n cookieStore.set(\n getCookieName(constants.Cookies.IdToken, cookiePrefix),\n customTokens.idToken,\n COOKIE_OPTIONS,\n ),\n cookieStore.set(\n getCookieName(constants.Cookies.Refresh, cookiePrefix),\n customTokens.refreshToken,\n COOKIE_OPTIONS,\n ),\n\n cookieStore.set(\n constants.Cookies.TernAut,\n customTokens.auth_time.toString(),\n { secure: true, maxAge: 365 * 24 * 60 * 60 }\n ),\n ];\n\n if (config?.enableCustomToken) {\n cookiePromises.push(\n cookieStore.set(constants.Cookies.Custom, customTokens.customToken, COOKIE_OPTIONS),\n );\n }\n\n await Promise.all(cookiePromises);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,qBAA0B;AAC1B,kBAAwB;AACxB,oBAA+C;AAE/C,8BAAwC;AAExC,uBAOO;AACP,iCAAwC;AAGxC,eAAsB,yBACpB,SACA,aACA,QACA,UACA,eACe;AACf,QAAM,gBAAgB,UAAM,iDAAwB;AAEpD,QAAM,cAA0C;AAAA,IAC9C,UAAU,QAAQ,YAAY;AAAA,IAC9B,gBAAgB;AAAA,MACd,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,WAAW;AAAA,MACX,eAAe;AAAA,MACf,mBAAmB;AAAA,MACnB,OAAO;AAAA,IACT;AAAA,IACA,WAAW;AAAA,EACb;AAEA,QAAM,qBAAiB,oDAAwB;AAE/C,QAAM,EAAE,8BAA8B,QAAI,qBAAQ,WAAW;AAG7D,QAAM,eAAe,MAAM,8BAA8B,SAAS;AAAA,IAChE,SAAS;AAAA,IACT;AAAA,EACF,CAAC;AAGD,QAAM,mBAAe,+BAAgB;AAErC,QAAM,iBAAiB;AAAA,IACrB,YAAY;AAAA,UACV,6BAAc,yBAAU,QAAQ,SAAS,YAAY;AAAA,MACrD,aAAa;AAAA,MACb;AAAA,IACF;AAAA,IACA,YAAY;AAAA,UACV,6BAAc,yBAAU,QAAQ,SAAS,YAAY;AAAA,MACrD,aAAa;AAAA,MACb;AAAA,IACF;AAAA,IAEA,YAAY;AAAA,MACV,yBAAU,QAAQ;AAAA,MAClB,aAAa,UAAU,SAAS;AAAA,MAChC,EAAE,QAAQ,MAAM,QAAQ,MAAM,KAAK,KAAK,GAAG;AAAA,IAC7C;AAAA,EACF;AAEA,MAAI,QAAQ,mBAAmB;AAC7B,mBAAe;AAAA,MACb,YAAY,IAAI,yBAAU,QAAQ,QAAQ,aAAa,aAAa,cAAc;AAAA,IACpF;AAAA,EACF;AAEA,QAAM,QAAQ,IAAI,cAAc;AAClC;","names":[]}
|
|
@@ -83,13 +83,15 @@ const sessionEndpointHandler = async (context, config) => {
|
|
|
83
83
|
validateCsrfToken(csrfToken || "", csrfCookieValue.value);
|
|
84
84
|
const handleCreateSession = async (cookieStore2, idToken2) => {
|
|
85
85
|
try {
|
|
86
|
-
await (0, import_request.refreshCookieWithIdToken)(idToken2, cookieStore2, config, referrer);
|
|
86
|
+
await (0, import_request.refreshCookieWithIdToken)(idToken2, cookieStore2, config, referrer, context.appCheckToken);
|
|
87
87
|
return import_responses.SessionResponseHelper.createSessionCreationResponse({
|
|
88
88
|
success: true,
|
|
89
89
|
message: "Session created successfully"
|
|
90
90
|
});
|
|
91
91
|
} catch (error2) {
|
|
92
|
-
|
|
92
|
+
console.error("[SessionHandler - createsession] Error:", error2);
|
|
93
|
+
const errorMessage = error2 instanceof Error ? error2.message : "Session creation failed";
|
|
94
|
+
return (0, import_responses.createApiErrorResponse)("SESSION_CREATION_FAILED", errorMessage, 500);
|
|
93
95
|
}
|
|
94
96
|
};
|
|
95
97
|
const handleRefreshSession = async (cookieStore2, idToken2) => {
|
|
@@ -98,10 +100,17 @@ const sessionEndpointHandler = async (context, config) => {
|
|
|
98
100
|
if (decodedSession.errors) {
|
|
99
101
|
return (0, import_responses.createApiErrorResponse)("INVALID_SESSION", "Invalid session for refresh", 401);
|
|
100
102
|
}
|
|
101
|
-
const refreshRes = await (0, import_request.refreshCookieWithIdToken)(
|
|
103
|
+
const refreshRes = await (0, import_request.refreshCookieWithIdToken)(
|
|
104
|
+
idToken2,
|
|
105
|
+
cookieStore2,
|
|
106
|
+
config,
|
|
107
|
+
void 0,
|
|
108
|
+
context.appCheckToken
|
|
109
|
+
);
|
|
102
110
|
return import_responses.SessionResponseHelper.createRefreshResponse(refreshRes);
|
|
103
111
|
} catch (error2) {
|
|
104
|
-
|
|
112
|
+
const errorMessage = error2 instanceof Error ? error2.message : "Session refresh failed";
|
|
113
|
+
return (0, import_responses.createApiErrorResponse)("REFRESH_FAILED", errorMessage, 500);
|
|
105
114
|
}
|
|
106
115
|
};
|
|
107
116
|
const handleRevokeSession = async (cookieStore2) => {
|
|
@@ -110,7 +119,8 @@ const sessionEndpointHandler = async (context, config) => {
|
|
|
110
119
|
};
|
|
111
120
|
switch (subEndpoint2) {
|
|
112
121
|
case "createsession": {
|
|
113
|
-
validateIdToken(idToken);
|
|
122
|
+
const idTokenError = validateIdToken(idToken);
|
|
123
|
+
if (idTokenError) return idTokenError;
|
|
114
124
|
return handleCreateSession(cookieStore, idToken);
|
|
115
125
|
}
|
|
116
126
|
case "refresh":
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/app-router/admin/sessionHandlers.ts"],"sourcesContent":["import { constants } from '@tern-secure/backend';\nimport { clearSessionCookie } from '@tern-secure/backend/admin';\nimport { ternDecodeJwtUnguarded } from '@tern-secure/backend/jwt';\nimport type { CookieSubEndpoint } from '@tern-secure/types';\n\nimport { ternSecureBackendClient } from '../../server/ternsecureClient';\nimport { NextCookieStore } from '../../utils/NextCookieAdapter';\nimport { type RequestProcessorContext } from './c-authenticateRequestProcessor';\nimport { FIREBASE_API_KEY } from './constants';\nimport { createValidators } from './fnValidators';\nimport { refreshCookieWithIdToken } from './request';\nimport {\n createApiErrorResponse,\n createApiSuccessResponse,\n HttpResponseHelper,\n SessionResponseHelper,\n} from './responses';\nimport { processSignInCreate } from './signInCreateHandler';\nimport type { SessionSubEndpoint, SignInSubEndpoint, TernSecureHandlerOptions } from './types';\n\nconst sessionEndpointHandler = async (\n context: RequestProcessorContext,\n config: TernSecureHandlerOptions,\n): Promise<Response> => {\n const { subEndpoint, method, referrer } = context;\n\n const validators = createValidators(context);\n\n const {\n validateSubEndpoint,\n validateSecurity,\n validateSessionRequest,\n validateCsrfToken,\n validateIdToken,\n } = validators;\n\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Session sub-endpoint required', 400);\n }\n\n const sessionsConfig = config.endpoints?.sessions;\n const subEndpointConfig = sessionsConfig?.subEndpoints?.[subEndpoint];\n\n validateSubEndpoint(subEndpoint, subEndpointConfig);\n\n if (subEndpointConfig?.security) {\n await validateSecurity(subEndpointConfig.security);\n }\n\n const SessionGetHandler = async (subEndpoint: SessionSubEndpoint): Promise<Response> => {\n const handleSessionVerify = async (): Promise<Response> => {\n try {\n const sessionCookie = context.sessionTokenInCookie;\n if (!sessionCookie) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n\n const { data: decodedSession, errors } = ternDecodeJwtUnguarded(sessionCookie);\n if (errors) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n\n return SessionResponseHelper.createVerificationResponse(decodedSession);\n } catch (error) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n };\n\n switch (subEndpoint) {\n case 'verify':\n return handleSessionVerify();\n default:\n return HttpResponseHelper.createNotFoundResponse();\n }\n };\n\n const SessionPostHandler = async (subEndpoint: SessionSubEndpoint): Promise<Response> => {\n const cookieStore = new NextCookieStore();\n\n const { idToken, csrfToken, error } = await validateSessionRequest();\n if (error) return error;\n\n const csrfCookieValue = await cookieStore.get(constants.Cookies.CsrfToken);\n validateCsrfToken(csrfToken || '', csrfCookieValue.value);\n\n const handleCreateSession = async (\n cookieStore: NextCookieStore,\n idToken: string,\n ): Promise<Response> => {\n try {\n await refreshCookieWithIdToken(idToken, cookieStore, config, referrer);\n return SessionResponseHelper.createSessionCreationResponse({\n success: true,\n message: 'Session created successfully',\n });\n } catch (error) {\n return createApiErrorResponse('SESSION_CREATION_FAILED', 'Session creation failed', 500);\n }\n };\n\n const handleRefreshSession = async (\n cookieStore: NextCookieStore,\n idToken: string,\n ): Promise<Response> => {\n try {\n const decodedSession = ternDecodeJwtUnguarded(idToken);\n if (decodedSession.errors) {\n return createApiErrorResponse('INVALID_SESSION', 'Invalid session for refresh', 401);\n }\n\n const refreshRes = await refreshCookieWithIdToken(idToken, cookieStore, config);\n return SessionResponseHelper.createRefreshResponse(refreshRes);\n } catch (error) {\n return createApiErrorResponse('REFRESH_FAILED', 'Session refresh failed', 500);\n }\n };\n\n const handleRevokeSession = async (cookieStore: NextCookieStore): Promise<Response> => {\n const res = await clearSessionCookie(cookieStore);\n return SessionResponseHelper.createRevokeResponse(res);\n };\n\n switch (subEndpoint) {\n case 'createsession': {\n validateIdToken(idToken);\n //eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return handleCreateSession(cookieStore, idToken!);\n }\n\n case 'refresh':\n //eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return handleRefreshSession(cookieStore, idToken!);\n\n case 'revoke':\n return handleRevokeSession(cookieStore);\n\n default:\n return HttpResponseHelper.createSubEndpointNotSupportedResponse();\n }\n };\n\n switch (method) {\n case 'GET':\n return SessionGetHandler(subEndpoint);\n\n case 'POST':\n return SessionPostHandler(subEndpoint);\n\n default:\n return HttpResponseHelper.createMethodNotAllowedResponse();\n }\n}\n\nconst cookieEndpointHandler = async (\n context: RequestProcessorContext,\n config: TernSecureHandlerOptions,\n): Promise<Response> => {\n const { subEndpoint, method } = context;\n\n const validators = createValidators(context);\n const { validateSecurity } = validators;\n\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Cookie sub-endpoint required', 400);\n }\n\n const cookiesConfig = config.endpoints?.cookies;\n const subEndpointConfig = cookiesConfig?.subEndpoints?.[subEndpoint as CookieSubEndpoint];\n\n if (!subEndpointConfig || !subEndpointConfig.enabled) {\n return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Cookie endpoint not found or disabled', 404);\n }\n\n if (subEndpointConfig?.security) {\n await validateSecurity(subEndpointConfig.security);\n }\n\n const CookieGetHandler = async (subEndpoint: CookieSubEndpoint): Promise<Response> => {\n const handleGetCookie = async (): Promise<Response> => {\n try {\n const url = new URL(context.ternUrl);\n const tokenName = url.searchParams.get('tokenName');\n\n if (!tokenName) {\n return createApiErrorResponse('TOKEN_NAME_REQUIRED', 'tokenName query parameter is required', 400);\n }\n\n let cookieValue: string | undefined;\n\n switch (tokenName) {\n case 'idToken':\n cookieValue = context.idTokenInCookie;\n break;\n case 'sessionToken':\n cookieValue = context.sessionTokenInCookie;\n break;\n case 'refreshToken':\n cookieValue = context.refreshTokenInCookie;\n break;\n case 'customToken':\n cookieValue = context.customTokenInCookie;\n break;\n default:\n return createApiErrorResponse('INVALID_TOKEN_NAME', 'Invalid token name. Must be one of: idToken, sessionToken, refreshToken, customToken', 400);\n }\n\n if (!cookieValue) {\n return createApiErrorResponse(\n 'TOKEN_NOT_FOUND',\n `${tokenName} not found in httpOnly cookies`,\n 404\n );\n }\n\n return createApiSuccessResponse({\n token: cookieValue,\n });\n } catch (error) {\n return createApiErrorResponse('COOKIE_RETRIEVAL_FAILED', 'Failed to retrieve cookie', 500);\n }\n };\n\n switch (subEndpoint) {\n case 'get':\n return handleGetCookie();\n default:\n return HttpResponseHelper.createNotFoundResponse();\n }\n };\n\n switch (method) {\n case 'GET':\n return CookieGetHandler(subEndpoint as CookieSubEndpoint);\n default:\n return HttpResponseHelper.createMethodNotAllowedResponse();\n }\n}\n\nconst signInEndpointHandler = async (\n context: RequestProcessorContext,\n config: TernSecureHandlerOptions\n): Promise<Response> => {\n const { subEndpoint, method } = context;\n\n const validators = createValidators(context);\n\n const {\n validateSubEndpoint,\n validateSecurity,\n } = validators;\n\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Sign_ins sub-endpoint required', 400);\n }\n\n const signInsConfig = config.endpoints?.signIns;\n const subEndpointConfig = signInsConfig?.subEndpoints?.[subEndpoint as SignInSubEndpoint];\n\n validateSubEndpoint(subEndpoint, subEndpointConfig);\n\n if (subEndpointConfig?.security) {\n await validateSecurity(subEndpointConfig.security);\n }\n\n const PostHandler = async (subEndpoint: SignInSubEndpoint): Promise<Response> => {\n const create = async (): Promise<Response> => {\n return await processSignInCreate(context);\n };\n\n const passwordResetEmail = async (): Promise<Response> => {\n try {\n const body = await context.request.json();\n const { email } = body;\n\n if (!email || typeof email !== 'string') {\n return createApiErrorResponse('EMAIL_REQUIRED', 'Email is required', 400);\n }\n\n const backendClient = await ternSecureBackendClient();\n\n const response = await backendClient.signIn.resetPasswordEmail(FIREBASE_API_KEY, {\n email,\n requestType: 'PASSWORD_RESET',\n });\n\n if (!response) {\n return createApiErrorResponse(\n 'PASSWORD_RESET_FAILED',\n 'Failed to send password reset email',\n 500,\n );\n }\n\n return createApiSuccessResponse({\n email,\n });\n } catch (error) {\n return createApiErrorResponse(\n 'PASSWORD_RESET_ERROR',\n error instanceof Error\n ? error.message\n : 'An error occurred while sending password reset email',\n 500,\n );\n }\n };\n\n switch (subEndpoint) {\n case 'create':\n return create();\n case 'resetPasswordEmail':\n return passwordResetEmail();\n default:\n return HttpResponseHelper.createSubEndpointNotSupportedResponse();\n }\n };\n\n switch (method) {\n case 'POST':\n return PostHandler(subEndpoint as SignInSubEndpoint);\n\n default:\n return HttpResponseHelper.createMethodNotAllowedResponse();\n }\n\n}\n\nexport { cookieEndpointHandler, sessionEndpointHandler, signInEndpointHandler };\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAA0B;AAC1B,mBAAmC;AACnC,iBAAuC;AAGvC,8BAAwC;AACxC,+BAAgC;AAEhC,uBAAiC;AACjC,0BAAiC;AACjC,qBAAyC;AACzC,uBAKO;AACP,iCAAoC;AAGpC,MAAM,yBAAyB,OAC7B,SACA,WACsB;AACtB,QAAM,EAAE,aAAa,QAAQ,SAAS,IAAI;AAE1C,QAAM,iBAAa,sCAAiB,OAAO;AAE3C,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,CAAC,aAAa;AAChB,eAAO,yCAAuB,yBAAyB,iCAAiC,GAAG;AAAA,EAC7F;AAEA,QAAM,iBAAiB,OAAO,WAAW;AACzC,QAAM,oBAAoB,gBAAgB,eAAe,WAAW;AAEpE,sBAAoB,aAAa,iBAAiB;AAElD,MAAI,mBAAmB,UAAU;AAC/B,UAAM,iBAAiB,kBAAkB,QAAQ;AAAA,EACnD;AAEA,QAAM,oBAAoB,OAAOA,iBAAuD;AACtF,UAAM,sBAAsB,YAA+B;AACzD,UAAI;AACF,cAAM,gBAAgB,QAAQ;AAC9B,YAAI,CAAC,eAAe;AAClB,iBAAO,uCAAsB,2BAA2B;AAAA,QAC1D;AAEA,cAAM,EAAE,MAAM,gBAAgB,OAAO,QAAI,mCAAuB,aAAa;AAC7E,YAAI,QAAQ;AACV,iBAAO,uCAAsB,2BAA2B;AAAA,QAC1D;AAEA,eAAO,uCAAsB,2BAA2B,cAAc;AAAA,MACxE,SAAS,OAAO;AACd,eAAO,uCAAsB,2BAA2B;AAAA,MAC1D;AAAA,IACF;AAEA,YAAQA,cAAa;AAAA,MACnB,KAAK;AACH,eAAO,oBAAoB;AAAA,MAC7B;AACE,eAAO,oCAAmB,uBAAuB;AAAA,IACrD;AAAA,EACF;AAEA,QAAM,qBAAqB,OAAOA,iBAAuD;AACvF,UAAM,cAAc,IAAI,yCAAgB;AAExC,UAAM,EAAE,SAAS,WAAW,MAAM,IAAI,MAAM,uBAAuB;AACnE,QAAI,MAAO,QAAO;AAElB,UAAM,kBAAkB,MAAM,YAAY,IAAI,yBAAU,QAAQ,SAAS;AACzE,sBAAkB,aAAa,IAAI,gBAAgB,KAAK;AAExD,UAAM,sBAAsB,OAC1BC,cACAC,aACsB;AACtB,UAAI;AACF,kBAAM,yCAAyBA,UAASD,cAAa,QAAQ,QAAQ;AACrE,eAAO,uCAAsB,8BAA8B;AAAA,UACzD,SAAS;AAAA,UACT,SAAS;AAAA,QACX,CAAC;AAAA,MACH,SAASE,QAAO;AACd,mBAAO,yCAAuB,2BAA2B,2BAA2B,GAAG;AAAA,MACzF;AAAA,IACF;AAEA,UAAM,uBAAuB,OAC3BF,cACAC,aACsB;AACtB,UAAI;AACF,cAAM,qBAAiB,mCAAuBA,QAAO;AACrD,YAAI,eAAe,QAAQ;AACzB,qBAAO,yCAAuB,mBAAmB,+BAA+B,GAAG;AAAA,QACrF;AAEA,cAAM,aAAa,UAAM,yCAAyBA,UAASD,cAAa,MAAM;AAC9E,eAAO,uCAAsB,sBAAsB,UAAU;AAAA,MAC/D,SAASE,QAAO;AACd,mBAAO,yCAAuB,kBAAkB,0BAA0B,GAAG;AAAA,MAC/E;AAAA,IACF;AAEA,UAAM,sBAAsB,OAAOF,iBAAoD;AACrF,YAAM,MAAM,UAAM,iCAAmBA,YAAW;AAChD,aAAO,uCAAsB,qBAAqB,GAAG;AAAA,IACvD;AAEA,YAAQD,cAAa;AAAA,MACnB,KAAK,iBAAiB;AACpB,wBAAgB,OAAO;AAEvB,eAAO,oBAAoB,aAAa,OAAQ;AAAA,MAClD;AAAA,MAEA,KAAK;AAEH,eAAO,qBAAqB,aAAa,OAAQ;AAAA,MAEnD,KAAK;AACH,eAAO,oBAAoB,WAAW;AAAA,MAExC;AACE,eAAO,oCAAmB,sCAAsC;AAAA,IACpE;AAAA,EACF;AAEA,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO,kBAAkB,WAAW;AAAA,IAEtC,KAAK;AACH,aAAO,mBAAmB,WAAW;AAAA,IAEvC;AACE,aAAO,oCAAmB,+BAA+B;AAAA,EAC7D;AACF;AAEA,MAAM,wBAAwB,OAC5B,SACA,WACsB;AACtB,QAAM,EAAE,aAAa,OAAO,IAAI;AAEhC,QAAM,iBAAa,sCAAiB,OAAO;AAC3C,QAAM,EAAE,iBAAiB,IAAI;AAE7B,MAAI,CAAC,aAAa;AAChB,eAAO,yCAAuB,yBAAyB,gCAAgC,GAAG;AAAA,EAC5F;AAEA,QAAM,gBAAgB,OAAO,WAAW;AACxC,QAAM,oBAAoB,eAAe,eAAe,WAAgC;AAExF,MAAI,CAAC,qBAAqB,CAAC,kBAAkB,SAAS;AACpD,eAAO,yCAAuB,sBAAsB,yCAAyC,GAAG;AAAA,EAClG;AAEA,MAAI,mBAAmB,UAAU;AAC/B,UAAM,iBAAiB,kBAAkB,QAAQ;AAAA,EACnD;AAEA,QAAM,mBAAmB,OAAOA,iBAAsD;AACpF,UAAM,kBAAkB,YAA+B;AACrD,UAAI;AACF,cAAM,MAAM,IAAI,IAAI,QAAQ,OAAO;AACnC,cAAM,YAAY,IAAI,aAAa,IAAI,WAAW;AAElD,YAAI,CAAC,WAAW;AACd,qBAAO,yCAAuB,uBAAuB,yCAAyC,GAAG;AAAA,QACnG;AAEA,YAAI;AAEJ,gBAAQ,WAAW;AAAA,UACjB,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF;AACE,uBAAO,yCAAuB,sBAAsB,wFAAwF,GAAG;AAAA,QACnJ;AAEA,YAAI,CAAC,aAAa;AAChB,qBAAO;AAAA,YACL;AAAA,YACA,GAAG,SAAS;AAAA,YACZ;AAAA,UACF;AAAA,QACF;AAEA,mBAAO,2CAAyB;AAAA,UAC9B,OAAO;AAAA,QACT,CAAC;AAAA,MACH,SAAS,OAAO;AACd,mBAAO,yCAAuB,2BAA2B,6BAA6B,GAAG;AAAA,MAC3F;AAAA,IACF;AAEA,YAAQA,cAAa;AAAA,MACnB,KAAK;AACH,eAAO,gBAAgB;AAAA,MACzB;AACE,eAAO,oCAAmB,uBAAuB;AAAA,IACrD;AAAA,EACF;AAEA,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO,iBAAiB,WAAgC;AAAA,IAC1D;AACE,aAAO,oCAAmB,+BAA+B;AAAA,EAC7D;AACF;AAEA,MAAM,wBAAwB,OAC5B,SACA,WACsB;AACtB,QAAM,EAAE,aAAa,OAAO,IAAI;AAEhC,QAAM,iBAAa,sCAAiB,OAAO;AAE3C,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,CAAC,aAAa;AAChB,eAAO,yCAAuB,yBAAyB,kCAAkC,GAAG;AAAA,EAC9F;AAEA,QAAM,gBAAgB,OAAO,WAAW;AACxC,QAAM,oBAAoB,eAAe,eAAe,WAAgC;AAExF,sBAAoB,aAAa,iBAAiB;AAElD,MAAI,mBAAmB,UAAU;AAC/B,UAAM,iBAAiB,kBAAkB,QAAQ;AAAA,EACnD;AAEA,QAAM,cAAc,OAAOA,iBAAsD;AAC/E,UAAM,SAAS,YAA+B;AAC5C,aAAO,UAAM,gDAAoB,OAAO;AAAA,IAC1C;AAEA,UAAM,qBAAqB,YAA+B;AACxD,UAAI;AACF,cAAM,OAAO,MAAM,QAAQ,QAAQ,KAAK;AACxC,cAAM,EAAE,MAAM,IAAI;AAElB,YAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,qBAAO,yCAAuB,kBAAkB,qBAAqB,GAAG;AAAA,QAC1E;AAEA,cAAM,gBAAgB,UAAM,iDAAwB;AAEpD,cAAM,WAAW,MAAM,cAAc,OAAO,mBAAmB,mCAAkB;AAAA,UAC/E;AAAA,UACA,aAAa;AAAA,QACf,CAAC;AAED,YAAI,CAAC,UAAU;AACb,qBAAO;AAAA,YACL;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAEA,mBAAO,2CAAyB;AAAA,UAC9B;AAAA,QACF,CAAC;AAAA,MACH,SAAS,OAAO;AACd,mBAAO;AAAA,UACL;AAAA,UACA,iBAAiB,QACb,MAAM,UACN;AAAA,UACJ;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,YAAQA,cAAa;AAAA,MACnB,KAAK;AACH,eAAO,OAAO;AAAA,MAChB,KAAK;AACH,eAAO,mBAAmB;AAAA,MAC5B;AACE,eAAO,oCAAmB,sCAAsC;AAAA,IACpE;AAAA,EACF;AAEA,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO,YAAY,WAAgC;AAAA,IAErD;AACE,aAAO,oCAAmB,+BAA+B;AAAA,EAC7D;AAEF;","names":["subEndpoint","cookieStore","idToken","error"]}
|
|
1
|
+
{"version":3,"sources":["../../../../src/app-router/admin/sessionHandlers.ts"],"sourcesContent":["import { constants } from '@tern-secure/backend';\nimport { clearSessionCookie } from '@tern-secure/backend/admin';\nimport { ternDecodeJwtUnguarded } from '@tern-secure/backend/jwt';\nimport type { CookieSubEndpoint } from '@tern-secure/types';\n\nimport { ternSecureBackendClient } from '../../server/ternsecureClient';\nimport { NextCookieStore } from '../../utils/NextCookieAdapter';\nimport { type RequestProcessorContext } from './c-authenticateRequestProcessor';\nimport { FIREBASE_API_KEY } from './constants';\nimport { createValidators } from './fnValidators';\nimport { refreshCookieWithIdToken } from './request';\nimport {\n createApiErrorResponse,\n createApiSuccessResponse,\n HttpResponseHelper,\n SessionResponseHelper,\n} from './responses';\nimport { processSignInCreate } from './signInCreateHandler';\nimport type { SessionSubEndpoint, SignInSubEndpoint, TernSecureHandlerOptions } from './types';\n\nconst sessionEndpointHandler = async (\n context: RequestProcessorContext,\n config: TernSecureHandlerOptions,\n): Promise<Response> => {\n const { subEndpoint, method, referrer } = context;\n\n const validators = createValidators(context);\n\n const {\n validateSubEndpoint,\n validateSecurity,\n validateSessionRequest,\n validateCsrfToken,\n validateIdToken,\n } = validators;\n\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Session sub-endpoint required', 400);\n }\n\n const sessionsConfig = config.endpoints?.sessions;\n const subEndpointConfig = sessionsConfig?.subEndpoints?.[subEndpoint];\n\n validateSubEndpoint(subEndpoint, subEndpointConfig);\n\n if (subEndpointConfig?.security) {\n await validateSecurity(subEndpointConfig.security);\n }\n\n const SessionGetHandler = async (subEndpoint: SessionSubEndpoint): Promise<Response> => {\n const handleSessionVerify = async (): Promise<Response> => {\n try {\n const sessionCookie = context.sessionTokenInCookie;\n if (!sessionCookie) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n\n const { data: decodedSession, errors } = ternDecodeJwtUnguarded(sessionCookie);\n if (errors) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n\n return SessionResponseHelper.createVerificationResponse(decodedSession);\n } catch (error) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n };\n\n switch (subEndpoint) {\n case 'verify':\n return handleSessionVerify();\n default:\n return HttpResponseHelper.createNotFoundResponse();\n }\n };\n\n const SessionPostHandler = async (subEndpoint: SessionSubEndpoint): Promise<Response> => {\n const cookieStore = new NextCookieStore();\n\n const { idToken, csrfToken, error } = await validateSessionRequest();\n if (error) return error;\n\n const csrfCookieValue = await cookieStore.get(constants.Cookies.CsrfToken);\n validateCsrfToken(csrfToken || '', csrfCookieValue.value);\n\n const handleCreateSession = async (\n cookieStore: NextCookieStore,\n idToken: string,\n ): Promise<Response> => {\n try {\n await refreshCookieWithIdToken(idToken, cookieStore, config, referrer, context.appCheckToken);\n return SessionResponseHelper.createSessionCreationResponse({\n success: true,\n message: 'Session created successfully',\n });\n } catch (error) {\n console.error('[SessionHandler - createsession] Error:', error);\n const errorMessage = error instanceof Error ? error.message : 'Session creation failed';\n return createApiErrorResponse('SESSION_CREATION_FAILED', errorMessage, 500);\n }\n };\n\n const handleRefreshSession = async (\n cookieStore: NextCookieStore,\n idToken: string,\n ): Promise<Response> => {\n try {\n const decodedSession = ternDecodeJwtUnguarded(idToken);\n if (decodedSession.errors) {\n return createApiErrorResponse('INVALID_SESSION', 'Invalid session for refresh', 401);\n }\n\n const refreshRes = await refreshCookieWithIdToken(\n idToken,\n cookieStore,\n config,\n undefined,\n context.appCheckToken,\n );\n return SessionResponseHelper.createRefreshResponse(refreshRes);\n } catch (error) {\n const errorMessage = error instanceof Error ? error.message : 'Session refresh failed';\n return createApiErrorResponse('REFRESH_FAILED', errorMessage, 500);\n }\n };\n\n const handleRevokeSession = async (cookieStore: NextCookieStore): Promise<Response> => {\n const res = await clearSessionCookie(cookieStore);\n return SessionResponseHelper.createRevokeResponse(res);\n };\n\n switch (subEndpoint) {\n case 'createsession': {\n const idTokenError = validateIdToken(idToken);\n if (idTokenError) return idTokenError;\n //eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return handleCreateSession(cookieStore, idToken!);\n }\n\n case 'refresh':\n //eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return handleRefreshSession(cookieStore, idToken!);\n\n case 'revoke':\n return handleRevokeSession(cookieStore);\n\n default:\n return HttpResponseHelper.createSubEndpointNotSupportedResponse();\n }\n };\n\n switch (method) {\n case 'GET':\n return SessionGetHandler(subEndpoint);\n\n case 'POST':\n return SessionPostHandler(subEndpoint);\n\n default:\n return HttpResponseHelper.createMethodNotAllowedResponse();\n }\n}\n\nconst cookieEndpointHandler = async (\n context: RequestProcessorContext,\n config: TernSecureHandlerOptions,\n): Promise<Response> => {\n const { subEndpoint, method } = context;\n\n const validators = createValidators(context);\n const { validateSecurity } = validators;\n\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Cookie sub-endpoint required', 400);\n }\n\n const cookiesConfig = config.endpoints?.cookies;\n const subEndpointConfig = cookiesConfig?.subEndpoints?.[subEndpoint as CookieSubEndpoint];\n\n if (!subEndpointConfig || !subEndpointConfig.enabled) {\n return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Cookie endpoint not found or disabled', 404);\n }\n\n if (subEndpointConfig?.security) {\n await validateSecurity(subEndpointConfig.security);\n }\n\n const CookieGetHandler = async (subEndpoint: CookieSubEndpoint): Promise<Response> => {\n const handleGetCookie = async (): Promise<Response> => {\n try {\n const url = new URL(context.ternUrl);\n const tokenName = url.searchParams.get('tokenName');\n\n if (!tokenName) {\n return createApiErrorResponse('TOKEN_NAME_REQUIRED', 'tokenName query parameter is required', 400);\n }\n\n let cookieValue: string | undefined;\n\n switch (tokenName) {\n case 'idToken':\n cookieValue = context.idTokenInCookie;\n break;\n case 'sessionToken':\n cookieValue = context.sessionTokenInCookie;\n break;\n case 'refreshToken':\n cookieValue = context.refreshTokenInCookie;\n break;\n case 'customToken':\n cookieValue = context.customTokenInCookie;\n break;\n default:\n return createApiErrorResponse('INVALID_TOKEN_NAME', 'Invalid token name. Must be one of: idToken, sessionToken, refreshToken, customToken', 400);\n }\n\n if (!cookieValue) {\n return createApiErrorResponse(\n 'TOKEN_NOT_FOUND',\n `${tokenName} not found in httpOnly cookies`,\n 404\n );\n }\n\n return createApiSuccessResponse({\n token: cookieValue,\n });\n } catch (error) {\n return createApiErrorResponse('COOKIE_RETRIEVAL_FAILED', 'Failed to retrieve cookie', 500);\n }\n };\n\n switch (subEndpoint) {\n case 'get':\n return handleGetCookie();\n default:\n return HttpResponseHelper.createNotFoundResponse();\n }\n };\n\n switch (method) {\n case 'GET':\n return CookieGetHandler(subEndpoint as CookieSubEndpoint);\n default:\n return HttpResponseHelper.createMethodNotAllowedResponse();\n }\n}\n\nconst signInEndpointHandler = async (\n context: RequestProcessorContext,\n config: TernSecureHandlerOptions\n): Promise<Response> => {\n const { subEndpoint, method } = context;\n\n const validators = createValidators(context);\n\n const {\n validateSubEndpoint,\n validateSecurity,\n } = validators;\n\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Sign_ins sub-endpoint required', 400);\n }\n\n const signInsConfig = config.endpoints?.signIns;\n const subEndpointConfig = signInsConfig?.subEndpoints?.[subEndpoint as SignInSubEndpoint];\n\n validateSubEndpoint(subEndpoint, subEndpointConfig);\n\n if (subEndpointConfig?.security) {\n await validateSecurity(subEndpointConfig.security);\n }\n\n const PostHandler = async (subEndpoint: SignInSubEndpoint): Promise<Response> => {\n const create = async (): Promise<Response> => {\n return await processSignInCreate(context);\n };\n\n const passwordResetEmail = async (): Promise<Response> => {\n try {\n const body = await context.request.json();\n const { email } = body;\n\n if (!email || typeof email !== 'string') {\n return createApiErrorResponse('EMAIL_REQUIRED', 'Email is required', 400);\n }\n\n const backendClient = await ternSecureBackendClient();\n\n const response = await backendClient.signIn.resetPasswordEmail(FIREBASE_API_KEY, {\n email,\n requestType: 'PASSWORD_RESET',\n });\n\n if (!response) {\n return createApiErrorResponse(\n 'PASSWORD_RESET_FAILED',\n 'Failed to send password reset email',\n 500,\n );\n }\n\n return createApiSuccessResponse({\n email,\n });\n } catch (error) {\n return createApiErrorResponse(\n 'PASSWORD_RESET_ERROR',\n error instanceof Error\n ? error.message\n : 'An error occurred while sending password reset email',\n 500,\n );\n }\n };\n\n switch (subEndpoint) {\n case 'create':\n return create();\n case 'resetPasswordEmail':\n return passwordResetEmail();\n default:\n return HttpResponseHelper.createSubEndpointNotSupportedResponse();\n }\n };\n\n switch (method) {\n case 'POST':\n return PostHandler(subEndpoint as SignInSubEndpoint);\n\n default:\n return HttpResponseHelper.createMethodNotAllowedResponse();\n }\n\n}\n\nexport { cookieEndpointHandler, sessionEndpointHandler, signInEndpointHandler };\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAA0B;AAC1B,mBAAmC;AACnC,iBAAuC;AAGvC,8BAAwC;AACxC,+BAAgC;AAEhC,uBAAiC;AACjC,0BAAiC;AACjC,qBAAyC;AACzC,uBAKO;AACP,iCAAoC;AAGpC,MAAM,yBAAyB,OAC7B,SACA,WACsB;AACtB,QAAM,EAAE,aAAa,QAAQ,SAAS,IAAI;AAE1C,QAAM,iBAAa,sCAAiB,OAAO;AAE3C,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,CAAC,aAAa;AAChB,eAAO,yCAAuB,yBAAyB,iCAAiC,GAAG;AAAA,EAC7F;AAEA,QAAM,iBAAiB,OAAO,WAAW;AACzC,QAAM,oBAAoB,gBAAgB,eAAe,WAAW;AAEpE,sBAAoB,aAAa,iBAAiB;AAElD,MAAI,mBAAmB,UAAU;AAC/B,UAAM,iBAAiB,kBAAkB,QAAQ;AAAA,EACnD;AAEA,QAAM,oBAAoB,OAAOA,iBAAuD;AACtF,UAAM,sBAAsB,YAA+B;AACzD,UAAI;AACF,cAAM,gBAAgB,QAAQ;AAC9B,YAAI,CAAC,eAAe;AAClB,iBAAO,uCAAsB,2BAA2B;AAAA,QAC1D;AAEA,cAAM,EAAE,MAAM,gBAAgB,OAAO,QAAI,mCAAuB,aAAa;AAC7E,YAAI,QAAQ;AACV,iBAAO,uCAAsB,2BAA2B;AAAA,QAC1D;AAEA,eAAO,uCAAsB,2BAA2B,cAAc;AAAA,MACxE,SAAS,OAAO;AACd,eAAO,uCAAsB,2BAA2B;AAAA,MAC1D;AAAA,IACF;AAEA,YAAQA,cAAa;AAAA,MACnB,KAAK;AACH,eAAO,oBAAoB;AAAA,MAC7B;AACE,eAAO,oCAAmB,uBAAuB;AAAA,IACrD;AAAA,EACF;AAEA,QAAM,qBAAqB,OAAOA,iBAAuD;AACvF,UAAM,cAAc,IAAI,yCAAgB;AAExC,UAAM,EAAE,SAAS,WAAW,MAAM,IAAI,MAAM,uBAAuB;AACnE,QAAI,MAAO,QAAO;AAElB,UAAM,kBAAkB,MAAM,YAAY,IAAI,yBAAU,QAAQ,SAAS;AACzE,sBAAkB,aAAa,IAAI,gBAAgB,KAAK;AAExD,UAAM,sBAAsB,OAC1BC,cACAC,aACsB;AACtB,UAAI;AACF,kBAAM,yCAAyBA,UAASD,cAAa,QAAQ,UAAU,QAAQ,aAAa;AAC5F,eAAO,uCAAsB,8BAA8B;AAAA,UACzD,SAAS;AAAA,UACT,SAAS;AAAA,QACX,CAAC;AAAA,MACH,SAASE,QAAO;AACd,gBAAQ,MAAM,2CAA2CA,MAAK;AAC9D,cAAM,eAAeA,kBAAiB,QAAQA,OAAM,UAAU;AAC9D,mBAAO,yCAAuB,2BAA2B,cAAc,GAAG;AAAA,MAC5E;AAAA,IACF;AAEA,UAAM,uBAAuB,OAC3BF,cACAC,aACsB;AACtB,UAAI;AACF,cAAM,qBAAiB,mCAAuBA,QAAO;AACrD,YAAI,eAAe,QAAQ;AACzB,qBAAO,yCAAuB,mBAAmB,+BAA+B,GAAG;AAAA,QACrF;AAEA,cAAM,aAAa,UAAM;AAAA,UACvBA;AAAA,UACAD;AAAA,UACA;AAAA,UACA;AAAA,UACA,QAAQ;AAAA,QACV;AACA,eAAO,uCAAsB,sBAAsB,UAAU;AAAA,MAC/D,SAASE,QAAO;AACd,cAAM,eAAeA,kBAAiB,QAAQA,OAAM,UAAU;AAC9D,mBAAO,yCAAuB,kBAAkB,cAAc,GAAG;AAAA,MACnE;AAAA,IACF;AAEA,UAAM,sBAAsB,OAAOF,iBAAoD;AACrF,YAAM,MAAM,UAAM,iCAAmBA,YAAW;AAChD,aAAO,uCAAsB,qBAAqB,GAAG;AAAA,IACvD;AAEA,YAAQD,cAAa;AAAA,MACnB,KAAK,iBAAiB;AACpB,cAAM,eAAe,gBAAgB,OAAO;AAC5C,YAAI,aAAc,QAAO;AAEzB,eAAO,oBAAoB,aAAa,OAAQ;AAAA,MAClD;AAAA,MAEA,KAAK;AAEH,eAAO,qBAAqB,aAAa,OAAQ;AAAA,MAEnD,KAAK;AACH,eAAO,oBAAoB,WAAW;AAAA,MAExC;AACE,eAAO,oCAAmB,sCAAsC;AAAA,IACpE;AAAA,EACF;AAEA,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO,kBAAkB,WAAW;AAAA,IAEtC,KAAK;AACH,aAAO,mBAAmB,WAAW;AAAA,IAEvC;AACE,aAAO,oCAAmB,+BAA+B;AAAA,EAC7D;AACF;AAEA,MAAM,wBAAwB,OAC5B,SACA,WACsB;AACtB,QAAM,EAAE,aAAa,OAAO,IAAI;AAEhC,QAAM,iBAAa,sCAAiB,OAAO;AAC3C,QAAM,EAAE,iBAAiB,IAAI;AAE7B,MAAI,CAAC,aAAa;AAChB,eAAO,yCAAuB,yBAAyB,gCAAgC,GAAG;AAAA,EAC5F;AAEA,QAAM,gBAAgB,OAAO,WAAW;AACxC,QAAM,oBAAoB,eAAe,eAAe,WAAgC;AAExF,MAAI,CAAC,qBAAqB,CAAC,kBAAkB,SAAS;AACpD,eAAO,yCAAuB,sBAAsB,yCAAyC,GAAG;AAAA,EAClG;AAEA,MAAI,mBAAmB,UAAU;AAC/B,UAAM,iBAAiB,kBAAkB,QAAQ;AAAA,EACnD;AAEA,QAAM,mBAAmB,OAAOA,iBAAsD;AACpF,UAAM,kBAAkB,YAA+B;AACrD,UAAI;AACF,cAAM,MAAM,IAAI,IAAI,QAAQ,OAAO;AACnC,cAAM,YAAY,IAAI,aAAa,IAAI,WAAW;AAElD,YAAI,CAAC,WAAW;AACd,qBAAO,yCAAuB,uBAAuB,yCAAyC,GAAG;AAAA,QACnG;AAEA,YAAI;AAEJ,gBAAQ,WAAW;AAAA,UACjB,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF;AACE,uBAAO,yCAAuB,sBAAsB,wFAAwF,GAAG;AAAA,QACnJ;AAEA,YAAI,CAAC,aAAa;AAChB,qBAAO;AAAA,YACL;AAAA,YACA,GAAG,SAAS;AAAA,YACZ;AAAA,UACF;AAAA,QACF;AAEA,mBAAO,2CAAyB;AAAA,UAC9B,OAAO;AAAA,QACT,CAAC;AAAA,MACH,SAAS,OAAO;AACd,mBAAO,yCAAuB,2BAA2B,6BAA6B,GAAG;AAAA,MAC3F;AAAA,IACF;AAEA,YAAQA,cAAa;AAAA,MACnB,KAAK;AACH,eAAO,gBAAgB;AAAA,MACzB;AACE,eAAO,oCAAmB,uBAAuB;AAAA,IACrD;AAAA,EACF;AAEA,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO,iBAAiB,WAAgC;AAAA,IAC1D;AACE,aAAO,oCAAmB,+BAA+B;AAAA,EAC7D;AACF;AAEA,MAAM,wBAAwB,OAC5B,SACA,WACsB;AACtB,QAAM,EAAE,aAAa,OAAO,IAAI;AAEhC,QAAM,iBAAa,sCAAiB,OAAO;AAE3C,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,CAAC,aAAa;AAChB,eAAO,yCAAuB,yBAAyB,kCAAkC,GAAG;AAAA,EAC9F;AAEA,QAAM,gBAAgB,OAAO,WAAW;AACxC,QAAM,oBAAoB,eAAe,eAAe,WAAgC;AAExF,sBAAoB,aAAa,iBAAiB;AAElD,MAAI,mBAAmB,UAAU;AAC/B,UAAM,iBAAiB,kBAAkB,QAAQ;AAAA,EACnD;AAEA,QAAM,cAAc,OAAOA,iBAAsD;AAC/E,UAAM,SAAS,YAA+B;AAC5C,aAAO,UAAM,gDAAoB,OAAO;AAAA,IAC1C;AAEA,UAAM,qBAAqB,YAA+B;AACxD,UAAI;AACF,cAAM,OAAO,MAAM,QAAQ,QAAQ,KAAK;AACxC,cAAM,EAAE,MAAM,IAAI;AAElB,YAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,qBAAO,yCAAuB,kBAAkB,qBAAqB,GAAG;AAAA,QAC1E;AAEA,cAAM,gBAAgB,UAAM,iDAAwB;AAEpD,cAAM,WAAW,MAAM,cAAc,OAAO,mBAAmB,mCAAkB;AAAA,UAC/E;AAAA,UACA,aAAa;AAAA,QACf,CAAC;AAED,YAAI,CAAC,UAAU;AACb,qBAAO;AAAA,YACL;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAEA,mBAAO,2CAAyB;AAAA,UAC9B;AAAA,QACF,CAAC;AAAA,MACH,SAAS,OAAO;AACd,mBAAO;AAAA,UACL;AAAA,UACA,iBAAiB,QACb,MAAM,UACN;AAAA,UACJ;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,YAAQA,cAAa;AAAA,MACnB,KAAK;AACH,eAAO,OAAO;AAAA,MAChB,KAAK;AACH,eAAO,mBAAmB;AAAA,MAC5B;AACE,eAAO,oCAAmB,sCAAsC;AAAA,IACpE;AAAA,EACF;AAEA,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO,YAAY,WAAgC;AAAA,IAErD;AACE,aAAO,oCAAmB,+BAA+B;AAAA,EAC7D;AAEF;","names":["subEndpoint","cookieStore","idToken","error"]}
|
|
@@ -65,6 +65,7 @@ async function getTernSecureAuthData(req, initialState = {}) {
|
|
|
65
65
|
async function getAuthDataFromRequest(req) {
|
|
66
66
|
const authStatus = (0, import_headers_utils.getAuthKeyFromRequest)(req, "AuthStatus");
|
|
67
67
|
const authToken = (0, import_headers_utils.getAuthKeyFromRequest)(req, "AuthToken");
|
|
68
|
+
const appCheckToken = (0, import_headers_utils.getHeader)(req, "X-Firebase-AppCheck");
|
|
68
69
|
if (!authStatus || authStatus !== import_backend.AuthStatus.SignedIn) {
|
|
69
70
|
return {
|
|
70
71
|
...(0, import_backend.signedOutAuthObject)(),
|
|
@@ -72,7 +73,11 @@ async function getAuthDataFromRequest(req) {
|
|
|
72
73
|
userId: null
|
|
73
74
|
};
|
|
74
75
|
}
|
|
75
|
-
const firebaseUser = await authenticateRequest(
|
|
76
|
+
const firebaseUser = await authenticateRequest(
|
|
77
|
+
authToken,
|
|
78
|
+
req,
|
|
79
|
+
appCheckToken
|
|
80
|
+
);
|
|
76
81
|
if (!firebaseUser || !firebaseUser.claims) {
|
|
77
82
|
return {
|
|
78
83
|
...(0, import_backend.signedOutAuthObject)(),
|
|
@@ -87,7 +92,7 @@ async function getAuthDataFromRequest(req) {
|
|
|
87
92
|
user: user || null
|
|
88
93
|
};
|
|
89
94
|
}
|
|
90
|
-
const authenticateRequest = async (token, request) => {
|
|
95
|
+
const authenticateRequest = async (token, request, appCheckToken) => {
|
|
91
96
|
try {
|
|
92
97
|
const origin = new URL(request.url).origin;
|
|
93
98
|
const requestHeaders = new Headers(request.headers);
|
|
@@ -109,6 +114,7 @@ const authenticateRequest = async (token, request) => {
|
|
|
109
114
|
config,
|
|
110
115
|
{
|
|
111
116
|
authIdToken: token,
|
|
117
|
+
appCheckToken,
|
|
112
118
|
releaseOnDeref: mockRequest
|
|
113
119
|
}
|
|
114
120
|
);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/server/data/getAuthDataFromRequest.ts"],"sourcesContent":["import type { AuthObject } from '@tern-secure/backend';\nimport { AuthStatus, signedInAuthObject, signedOutAuthObject } from '@tern-secure/backend';\nimport { ternDecodeJwt } from '@tern-secure/backend/jwt';\nimport type { ParsedToken, TernSecureConfig, TernSecureUser } from '@tern-secure/types';\nimport type { FirebaseServerApp } from \"firebase/app\";\nimport { initializeServerApp } from \"firebase/app\";\nimport type { Auth } from \"firebase/auth\";\nimport { getAuth } from \"firebase/auth\";\n\nimport { getAuthKeyFromRequest } from '../../server/headers-utils';\nimport type { RequestLike } from '../../server/types';\nimport {\n FIREBASE_API_KEY,\n FIREBASE_APP_ID,\n FIREBASE_AUTH_DOMAIN,\n FIREBASE_MEASUREMENT_ID,\n FIREBASE_MESSAGING_SENDER_ID,\n FIREBASE_PROJECT_ID,\n FIREBASE_STORAGE_BUCKET\n} from \"../constant\";\n\n\n/**\n * Auth objects moving through the server -> client boundary need to be serializable\n * as we need to ensure that they can be transferred via the network as pure strings.\n * Some frameworks like Remix or Next (/pages dir only) handle this serialization by simply\n * ignoring any non-serializable keys, however Nextjs /app directory is stricter and\n * throws an error if a non-serializable value is found.\n * @internal\n */\nexport const authObjectToSerializableJwt = <T extends Record<string, unknown>>(obj: T): T => {\n // remove any non-serializable props from the returned object\n\n const { require, ...rest } = obj as unknown as AuthObject;\n return rest as unknown as T;\n};\n\nexport function getTernSecureAuthDataJwt(req: RequestLike, initialState = {}) {\n const authObject = getAuthDataFromRequestJwt(req);\n return authObjectToSerializable({ ...initialState, ...authObject });\n}\n\nexport function getAuthDataFromRequestJwt(req: RequestLike): AuthObject {\n const authStatus = getAuthKeyFromRequest(req, 'AuthStatus');\n const authToken = getAuthKeyFromRequest(req, 'AuthToken');\n const authSignature = getAuthKeyFromRequest(req, 'AuthSignature');\n const authReason = getAuthKeyFromRequest(req, 'AuthReason');\n\n let authObject;\n if (!authStatus || authStatus !== AuthStatus.SignedIn) {\n authObject = signedOutAuthObject();\n } else {\n const jwt = ternDecodeJwt(authToken as string);\n\n authObject = signedInAuthObject(jwt.raw.text, jwt.payload);\n }\n return authObject;\n}\n\n\nexport type SerializableTernSecureUser = Omit<TernSecureUser, 'delete' | 'getIdToken' | 'getIdTokenResult' | 'reload' | 'toJSON'>;\n\nexport type Aobj = {\n user: SerializableTernSecureUser | null\n userId: string | null\n}\n\n\n// Serializable auth object type\n/**\n * Auth objects moving through the server -> client boundary need to be serializable\n * as we need to ensure that they can be transferred via the network as pure strings.\n * Some frameworks like Remix or Next (/pages dir only) handle this serialization by simply\n * ignoring any non-serializable keys, however Nextjs /app directory is stricter and\n * throws an error if a non-serializable value is found.\n * @internal\n */\nexport const authObjectToSerializable = <T extends Record<string, unknown>>(\n obj: T\n): T => {\n // remove any non-serializable props from the returned object\n\n const { require, ...rest } = obj as unknown as AuthObject;\n return rest as unknown as T;\n};\n\nexport async function getTernSecureAuthData(\n req: RequestLike,\n initialState = {}\n) {\n const authObject = await getAuthDataFromRequest(req);\n return authObjectToSerializable({ ...initialState, ...authObject });\n}\n\nexport async function getAuthDataFromRequest(req: RequestLike): Promise<AuthObject & Aobj> {\n const authStatus = getAuthKeyFromRequest(req, \"AuthStatus\");\n const authToken = getAuthKeyFromRequest(req, \"AuthToken\");\n\n if (!authStatus || authStatus !== AuthStatus.SignedIn) {\n return {\n ...signedOutAuthObject(),\n user: null,\n userId: null\n }\n }\n\n const firebaseUser = await authenticateRequest(authToken as string, req as any);\n if (!firebaseUser || !firebaseUser.claims) {\n return {\n ...signedOutAuthObject(),\n user: null,\n userId: null\n }\n }\n const { user, claims } = firebaseUser;\n const authObject = signedInAuthObject(authToken as string, claims as any);\n return {\n ...authObject,\n user: user || null,\n };\n}\n\nconst authenticateRequest = async (\n token: string,\n request: Request\n): Promise<{ user: SerializableTernSecureUser; claims: ParsedToken } | null> => {\n try {\n const origin = new URL(request.url).origin;\n\n const requestHeaders = new Headers(request.headers);\n requestHeaders.set(\"referer\", origin);\n requestHeaders.set(\"Referer\", origin);\n\n const mockRequest = {\n headers: requestHeaders,\n };\n\n const config: TernSecureConfig = {\n apiKey: FIREBASE_API_KEY,\n authDomain: FIREBASE_AUTH_DOMAIN,\n projectId: FIREBASE_PROJECT_ID,\n storageBucket: FIREBASE_STORAGE_BUCKET,\n messagingSenderId: FIREBASE_MESSAGING_SENDER_ID,\n appId: FIREBASE_APP_ID,\n measurementId: FIREBASE_MEASUREMENT_ID,\n };\n\n const firebaseServerApp: FirebaseServerApp = initializeServerApp(\n config,\n {\n authIdToken: token,\n releaseOnDeref: mockRequest,\n }\n );\n\n const auth: Auth = getAuth(firebaseServerApp);\n await auth.authStateReady();\n\n if (auth.currentUser) {\n const idTokenResult = await auth.currentUser.getIdTokenResult();\n const claims = idTokenResult.claims;\n\n const userObj: SerializableTernSecureUser = {\n uid: auth.currentUser.uid,\n email: auth.currentUser.email,\n emailVerified: auth.currentUser.emailVerified,\n displayName: auth.currentUser.displayName,\n isAnonymous: auth.currentUser.isAnonymous,\n phoneNumber: auth.currentUser.phoneNumber,\n photoURL: auth.currentUser.photoURL,\n providerId: auth.currentUser.providerId,\n tenantId: auth.currentUser.tenantId,\n refreshToken: auth.currentUser.refreshToken,\n metadata: {\n creationTime: auth.currentUser.metadata.creationTime,\n lastSignInTime: auth.currentUser.metadata.lastSignInTime,\n },\n providerData: auth.currentUser.providerData.map((provider) => ({\n uid: provider.uid,\n displayName: provider.displayName,\n email: provider.email,\n phoneNumber: provider.phoneNumber,\n photoURL: provider.photoURL,\n providerId: provider.providerId,\n })),\n };\n\n return { user: userObj, claims };\n }\n\n return null;\n } catch (error) {\n return null;\n }\n};\n\nexport { TernSecureUser }\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,qBAAoE;AACpE,iBAA8B;AAG9B,iBAAoC;AAEpC,kBAAwB;AAExB,
|
|
1
|
+
{"version":3,"sources":["../../../../src/server/data/getAuthDataFromRequest.ts"],"sourcesContent":["import type { AuthObject } from '@tern-secure/backend';\nimport { AuthStatus, signedInAuthObject, signedOutAuthObject } from '@tern-secure/backend';\nimport { ternDecodeJwt } from '@tern-secure/backend/jwt';\nimport type { ParsedToken, TernSecureConfig, TernSecureUser } from '@tern-secure/types';\nimport type { FirebaseServerApp } from \"firebase/app\";\nimport { initializeServerApp } from \"firebase/app\";\nimport type { Auth } from \"firebase/auth\";\nimport { getAuth } from \"firebase/auth\";\n\nimport { getAuthKeyFromRequest, getHeader } from '../../server/headers-utils';\nimport type { RequestLike } from '../../server/types';\nimport {\n FIREBASE_API_KEY,\n FIREBASE_APP_ID,\n FIREBASE_AUTH_DOMAIN,\n FIREBASE_MEASUREMENT_ID,\n FIREBASE_MESSAGING_SENDER_ID,\n FIREBASE_PROJECT_ID,\n FIREBASE_STORAGE_BUCKET\n} from \"../constant\";\n\n\n/**\n * Auth objects moving through the server -> client boundary need to be serializable\n * as we need to ensure that they can be transferred via the network as pure strings.\n * Some frameworks like Remix or Next (/pages dir only) handle this serialization by simply\n * ignoring any non-serializable keys, however Nextjs /app directory is stricter and\n * throws an error if a non-serializable value is found.\n * @internal\n */\nexport const authObjectToSerializableJwt = <T extends Record<string, unknown>>(obj: T): T => {\n // remove any non-serializable props from the returned object\n\n const { require, ...rest } = obj as unknown as AuthObject;\n return rest as unknown as T;\n};\n\nexport function getTernSecureAuthDataJwt(req: RequestLike, initialState = {}) {\n const authObject = getAuthDataFromRequestJwt(req);\n return authObjectToSerializable({ ...initialState, ...authObject });\n}\n\nexport function getAuthDataFromRequestJwt(req: RequestLike): AuthObject {\n const authStatus = getAuthKeyFromRequest(req, 'AuthStatus');\n const authToken = getAuthKeyFromRequest(req, 'AuthToken');\n const authSignature = getAuthKeyFromRequest(req, 'AuthSignature');\n const authReason = getAuthKeyFromRequest(req, 'AuthReason');\n\n let authObject;\n if (!authStatus || authStatus !== AuthStatus.SignedIn) {\n authObject = signedOutAuthObject();\n } else {\n const jwt = ternDecodeJwt(authToken as string);\n\n authObject = signedInAuthObject(jwt.raw.text, jwt.payload);\n }\n return authObject;\n}\n\n\nexport type SerializableTernSecureUser = Omit<TernSecureUser, 'delete' | 'getIdToken' | 'getIdTokenResult' | 'reload' | 'toJSON'>;\n\nexport type Aobj = {\n user: SerializableTernSecureUser | null\n userId: string | null\n}\n\n\n// Serializable auth object type\n/**\n * Auth objects moving through the server -> client boundary need to be serializable\n * as we need to ensure that they can be transferred via the network as pure strings.\n * Some frameworks like Remix or Next (/pages dir only) handle this serialization by simply\n * ignoring any non-serializable keys, however Nextjs /app directory is stricter and\n * throws an error if a non-serializable value is found.\n * @internal\n */\nexport const authObjectToSerializable = <T extends Record<string, unknown>>(\n obj: T\n): T => {\n // remove any non-serializable props from the returned object\n\n const { require, ...rest } = obj as unknown as AuthObject;\n return rest as unknown as T;\n};\n\nexport async function getTernSecureAuthData(\n req: RequestLike,\n initialState = {}\n) {\n const authObject = await getAuthDataFromRequest(req);\n return authObjectToSerializable({ ...initialState, ...authObject });\n}\n\nexport async function getAuthDataFromRequest(req: RequestLike): Promise<AuthObject & Aobj> {\n const authStatus = getAuthKeyFromRequest(req, \"AuthStatus\");\n const authToken = getAuthKeyFromRequest(req, \"AuthToken\");\n const appCheckToken = getHeader(req, \"X-Firebase-AppCheck\");\n\n if (!authStatus || authStatus !== AuthStatus.SignedIn) {\n return {\n ...signedOutAuthObject(),\n user: null,\n userId: null\n }\n }\n\n const firebaseUser = await authenticateRequest(\n authToken as string, \n req as any, \n appCheckToken as string | undefined\n );\n if (!firebaseUser || !firebaseUser.claims) {\n return {\n ...signedOutAuthObject(),\n user: null,\n userId: null\n }\n }\n const { user, claims } = firebaseUser;\n const authObject = signedInAuthObject(authToken as string, claims as any);\n return {\n ...authObject,\n user: user || null,\n };\n}\n\nconst authenticateRequest = async (\n token: string,\n request: Request,\n appCheckToken?: string\n): Promise<{ user: SerializableTernSecureUser; claims: ParsedToken } | null> => {\n try {\n //console.log(\"[getAuthDataFromRequest] App Check Token:\", appCheckToken);\n const origin = new URL(request.url).origin;\n\n const requestHeaders = new Headers(request.headers);\n requestHeaders.set(\"referer\", origin);\n requestHeaders.set(\"Referer\", origin);\n\n const mockRequest = {\n headers: requestHeaders,\n };\n\n const config: TernSecureConfig = {\n apiKey: FIREBASE_API_KEY,\n authDomain: FIREBASE_AUTH_DOMAIN,\n projectId: FIREBASE_PROJECT_ID,\n storageBucket: FIREBASE_STORAGE_BUCKET,\n messagingSenderId: FIREBASE_MESSAGING_SENDER_ID,\n appId: FIREBASE_APP_ID,\n measurementId: FIREBASE_MEASUREMENT_ID,\n };\n\n const firebaseServerApp: FirebaseServerApp = initializeServerApp(\n config,\n {\n authIdToken: token,\n appCheckToken: appCheckToken,\n releaseOnDeref: mockRequest,\n }\n );\n\n const auth: Auth = getAuth(firebaseServerApp);\n await auth.authStateReady();\n\n if (auth.currentUser) {\n const idTokenResult = await auth.currentUser.getIdTokenResult();\n const claims = idTokenResult.claims;\n\n const userObj: SerializableTernSecureUser = {\n uid: auth.currentUser.uid,\n email: auth.currentUser.email,\n emailVerified: auth.currentUser.emailVerified,\n displayName: auth.currentUser.displayName,\n isAnonymous: auth.currentUser.isAnonymous,\n phoneNumber: auth.currentUser.phoneNumber,\n photoURL: auth.currentUser.photoURL,\n providerId: auth.currentUser.providerId,\n tenantId: auth.currentUser.tenantId,\n refreshToken: auth.currentUser.refreshToken,\n metadata: {\n creationTime: auth.currentUser.metadata.creationTime,\n lastSignInTime: auth.currentUser.metadata.lastSignInTime,\n },\n providerData: auth.currentUser.providerData.map((provider) => ({\n uid: provider.uid,\n displayName: provider.displayName,\n email: provider.email,\n phoneNumber: provider.phoneNumber,\n photoURL: provider.photoURL,\n providerId: provider.providerId,\n })),\n };\n\n return { user: userObj, claims };\n }\n\n return null;\n } catch (error) {\n return null;\n }\n};\n\nexport { TernSecureUser }\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,qBAAoE;AACpE,iBAA8B;AAG9B,iBAAoC;AAEpC,kBAAwB;AAExB,2BAAiD;AAEjD,sBAQO;AAWA,MAAM,8BAA8B,CAAoC,QAAc;AAG3F,QAAM,EAAE,SAAAA,UAAS,GAAG,KAAK,IAAI;AAC7B,SAAO;AACT;AAEO,SAAS,yBAAyB,KAAkB,eAAe,CAAC,GAAG;AAC5E,QAAM,aAAa,0BAA0B,GAAG;AAChD,SAAO,yBAAyB,EAAE,GAAG,cAAc,GAAG,WAAW,CAAC;AACpE;AAEO,SAAS,0BAA0B,KAA8B;AACtE,QAAM,iBAAa,4CAAsB,KAAK,YAAY;AAC1D,QAAM,gBAAY,4CAAsB,KAAK,WAAW;AACxD,QAAM,oBAAgB,4CAAsB,KAAK,eAAe;AAChE,QAAM,iBAAa,4CAAsB,KAAK,YAAY;AAE1D,MAAI;AACJ,MAAI,CAAC,cAAc,eAAe,0BAAW,UAAU;AACrD,qBAAa,oCAAoB;AAAA,EACnC,OAAO;AACL,UAAM,UAAM,0BAAc,SAAmB;AAE7C,qBAAa,mCAAmB,IAAI,IAAI,MAAM,IAAI,OAAO;AAAA,EAC3D;AACA,SAAO;AACT;AAoBO,MAAM,2BAA2B,CACtC,QACM;AAGN,QAAM,EAAE,SAAAA,UAAS,GAAG,KAAK,IAAI;AAC7B,SAAO;AACT;AAEA,eAAsB,sBACpB,KACA,eAAe,CAAC,GAChB;AACA,QAAM,aAAa,MAAM,uBAAuB,GAAG;AACnD,SAAO,yBAAyB,EAAE,GAAG,cAAc,GAAG,WAAW,CAAC;AACpE;AAEA,eAAsB,uBAAuB,KAA8C;AACzF,QAAM,iBAAa,4CAAsB,KAAK,YAAY;AAC1D,QAAM,gBAAY,4CAAsB,KAAK,WAAW;AACxD,QAAM,oBAAgB,gCAAU,KAAK,qBAAqB;AAE1D,MAAI,CAAC,cAAc,eAAe,0BAAW,UAAU;AACrD,WAAO;AAAA,MACL,OAAG,oCAAoB;AAAA,MACvB,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,QAAM,eAAe,MAAM;AAAA,IACzB;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,MAAI,CAAC,gBAAgB,CAAC,aAAa,QAAQ;AACzC,WAAO;AAAA,MACL,OAAG,oCAAoB;AAAA,MACvB,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AACA,QAAM,EAAE,MAAM,OAAO,IAAI;AACzB,QAAM,iBAAa,mCAAmB,WAAqB,MAAa;AACxE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,MAAM,QAAQ;AAAA,EAChB;AACF;AAEA,MAAM,sBAAsB,OAC1B,OACA,SACA,kBAC8E;AAC9E,MAAI;AAEF,UAAM,SAAS,IAAI,IAAI,QAAQ,GAAG,EAAE;AAEpC,UAAM,iBAAiB,IAAI,QAAQ,QAAQ,OAAO;AAClD,mBAAe,IAAI,WAAW,MAAM;AACpC,mBAAe,IAAI,WAAW,MAAM;AAEpC,UAAM,cAAc;AAAA,MAClB,SAAS;AAAA,IACX;AAEA,UAAM,SAA2B;AAAA,MAC/B,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,WAAW;AAAA,MACX,eAAe;AAAA,MACf,mBAAmB;AAAA,MACnB,OAAO;AAAA,MACP,eAAe;AAAA,IACjB;AAEA,UAAM,wBAAuC;AAAA,MAC3C;AAAA,MACA;AAAA,QACE,aAAa;AAAA,QACb;AAAA,QACA,gBAAgB;AAAA,MAClB;AAAA,IACF;AAEA,UAAM,WAAa,qBAAQ,iBAAiB;AAC5C,UAAM,KAAK,eAAe;AAE1B,QAAI,KAAK,aAAa;AACpB,YAAM,gBAAgB,MAAM,KAAK,YAAY,iBAAiB;AAC9D,YAAM,SAAS,cAAc;AAE7B,YAAM,UAAsC;AAAA,QAC1C,KAAK,KAAK,YAAY;AAAA,QACtB,OAAO,KAAK,YAAY;AAAA,QACxB,eAAe,KAAK,YAAY;AAAA,QAChC,aAAa,KAAK,YAAY;AAAA,QAC9B,aAAa,KAAK,YAAY;AAAA,QAC9B,aAAa,KAAK,YAAY;AAAA,QAC9B,UAAU,KAAK,YAAY;AAAA,QAC3B,YAAY,KAAK,YAAY;AAAA,QAC7B,UAAU,KAAK,YAAY;AAAA,QAC3B,cAAc,KAAK,YAAY;AAAA,QAC/B,UAAU;AAAA,UACR,cAAc,KAAK,YAAY,SAAS;AAAA,UACxC,gBAAgB,KAAK,YAAY,SAAS;AAAA,QAC5C;AAAA,QACA,cAAc,KAAK,YAAY,aAAa,IAAI,CAAC,cAAc;AAAA,UAC7D,KAAK,SAAS;AAAA,UACd,aAAa,SAAS;AAAA,UACtB,OAAO,SAAS;AAAA,UAChB,aAAa,SAAS;AAAA,UACtB,UAAU,SAAS;AAAA,UACnB,YAAY,SAAS;AAAA,QACvB,EAAE;AAAA,MACJ;AAEA,aAAO,EAAE,MAAM,SAAS,OAAO;AAAA,IACjC;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,WAAO;AAAA,EACT;AACF;","names":["require"]}
|
|
@@ -41,10 +41,20 @@ const ternSecureProxy = (...args) => {
|
|
|
41
41
|
const signInUrl = resolvedParams.signInUrl || import_constant.SIGN_IN_URL;
|
|
42
42
|
const signUpUrl = resolvedParams.signUpUrl || import_constant.SIGN_UP_URL;
|
|
43
43
|
const apiKey = resolvedParams.apiKey || import_constant.FIREBASE_API_KEY;
|
|
44
|
+
const appId = import_constant.FIREBASE_APP_ID;
|
|
45
|
+
const projectId = import_constant.FIREBASE_PROJECT_ID;
|
|
46
|
+
const firebaseConfig = resolvedParams.firebaseConfig || {
|
|
47
|
+
apiKey,
|
|
48
|
+
appId,
|
|
49
|
+
projectId
|
|
50
|
+
};
|
|
51
|
+
const firebaseAdminConfig = resolvedParams.firebaseAdminConfig;
|
|
44
52
|
const options = {
|
|
45
53
|
signInUrl,
|
|
46
54
|
signUpUrl,
|
|
47
55
|
apiKey,
|
|
56
|
+
firebaseConfig,
|
|
57
|
+
firebaseAdminConfig,
|
|
48
58
|
...resolvedParams
|
|
49
59
|
};
|
|
50
60
|
const reqBackendClient = await (0, import_ternsecureClient.ternSecureBackendClient)();
|
|
@@ -54,6 +64,8 @@ const ternSecureProxy = (...args) => {
|
|
|
54
64
|
options
|
|
55
65
|
);
|
|
56
66
|
const locationHeader = requestStateClient.headers.get(import_backend.constants.Headers.Location);
|
|
67
|
+
const appCheckToken = requestStateClient.headers.get(import_backend.constants.Headers.AppCheckToken);
|
|
68
|
+
console.log("[ternSecureProxy] App Check Token in Proxy:", appCheckToken);
|
|
57
69
|
if (locationHeader) {
|
|
58
70
|
return new Response(null, {
|
|
59
71
|
status: 307,
|
|
@@ -91,7 +103,7 @@ const ternSecureProxy = (...args) => {
|
|
|
91
103
|
if ((0, import_response.isRedirect)(handlerResult)) {
|
|
92
104
|
return (0, import_serverRedirectAuth.serverRedirectWithAuth)(ternSecureRequest, handlerResult);
|
|
93
105
|
}
|
|
94
|
-
(0, import_utils.decorateRequest)(ternSecureRequest, handlerResult, requestStateClient);
|
|
106
|
+
(0, import_utils.decorateRequest)(ternSecureRequest, handlerResult, requestStateClient, appCheckToken || void 0);
|
|
95
107
|
return handlerResult;
|
|
96
108
|
};
|
|
97
109
|
const nextMiddleware = async (request2, event2) => {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../src/server/ternSecureProxy.ts"],"sourcesContent":["import type {\r\n AuthenticateRequestOptions,\r\n AuthObject,\r\n RedirectFun,\r\n RequestState,\r\n TernSecureRequest,\r\n} from '@tern-secure/backend';\r\nimport { AuthStatus, constants, createRedirect, createTernSecureRequest } from '@tern-secure/backend';\r\nimport { notFound as nextjsNotFound } from 'next/navigation';\r\nimport type { NextMiddleware, NextRequest } from 'next/server';\r\nimport { NextResponse } from 'next/server';\r\n\r\nimport { isRedirect, setHeader } from '../utils/response';\r\nimport { serverRedirectWithAuth } from '../utils/serverRedirectAuth';\r\nimport { FIREBASE_API_KEY, SIGN_IN_URL, SIGN_UP_URL } from './constant';\r\nimport {\r\n isNextjsNotFoundError,\r\n isNextjsRedirectError,\r\n isRedirectToSignInError,\r\n isRedirectToSignUpError,\r\n nextjsRedirectError,\r\n redirectToSignInError,\r\n redirectToSignUpError,\r\n} from './nextErrors';\r\nimport { type AuthProtect, createProtect } from './protect';\r\nimport { ternSecureBackendClient } from './ternsecureClient';\r\nimport type {\r\n NextMiddlewareEvtParam,\r\n NextMiddlewareRequestParam,\r\n NextMiddlewareReturn,\r\n} from './types';\r\nimport { decorateRequest } from './utils';\r\n\r\nexport type MiddlewareAuthObject = AuthObject & {\r\n redirectToSignIn: RedirectFun<Response>;\r\n redirectToSignUp: RedirectFun<Response>;\r\n};\r\n\r\nexport interface MiddlewareAuth {\r\n (): Promise<MiddlewareAuthObject>;\r\n\r\n protect: AuthProtect;\r\n}\r\n\r\ntype MiddlewareHandler = (\r\n auth: MiddlewareAuth,\r\n request: NextMiddlewareRequestParam,\r\n event: NextMiddlewareEvtParam,\r\n) => NextMiddlewareReturn;\r\n\r\nexport interface MiddlewareOptions extends AuthenticateRequestOptions {\r\n debug?: boolean;\r\n}\r\ntype MiddlewareOptionsCallback = (\r\n req: NextRequest,\r\n) => MiddlewareOptions | Promise<MiddlewareOptions>;\r\n\r\ninterface TernSecureMiddleware {\r\n /**\r\n * @example\r\n * export default ternSecureMiddleware((auth, request, event) => { ... }, options);\r\n */\r\n (handler: MiddlewareHandler, options?: MiddlewareOptions): NextMiddleware;\r\n\r\n /**\r\n * @example\r\n * export default ternSecureMiddleware((auth, request, event) => { ... }, (req) => options);\r\n */\r\n (handler: MiddlewareHandler, options?: MiddlewareOptionsCallback): NextMiddleware;\r\n\r\n /**\r\n * @example\r\n * export default ternSecureMiddleware(options);\r\n */\r\n (options?: MiddlewareOptions): NextMiddleware;\r\n /**\r\n * @example\r\n * export default ternSecureMiddleware;\r\n */\r\n (request: NextMiddlewareRequestParam, event: NextMiddlewareEvtParam): NextMiddlewareReturn;\r\n}\r\n\r\nexport const ternSecureProxy = ((\r\n ...args: unknown[]\r\n): NextMiddleware | NextMiddlewareReturn => {\r\n const [request, event] = parseRequestAndEvent(args);\r\n const [handler, params] = parseHandlerAndOptions(args);\r\n\r\n const middleware = () => {\r\n const withAuthNextMiddleware: NextMiddleware = async (request, event) => {\r\n const resolvedParams = typeof params === 'function' ? await params(request) : params;\r\n\r\n const signInUrl = resolvedParams.signInUrl || SIGN_IN_URL;\r\n const signUpUrl = resolvedParams.signUpUrl || SIGN_UP_URL;\r\n const apiKey = resolvedParams.apiKey || FIREBASE_API_KEY;\r\n\r\n const options = {\r\n signInUrl,\r\n signUpUrl,\r\n apiKey,\r\n ...resolvedParams,\r\n };\r\n\r\n const reqBackendClient = await ternSecureBackendClient();\r\n\r\n const ternSecureRequest = createTernSecureRequest(request);\r\n\r\n const requestStateClient = await reqBackendClient.authenticateRequest(\r\n ternSecureRequest,\r\n options,\r\n );\r\n\r\n const locationHeader = requestStateClient.headers.get(constants.Headers.Location);\r\n if (locationHeader) {\r\n return new Response(null, {\r\n status: 307,\r\n headers: requestStateClient.headers,\r\n });\r\n } else if (requestStateClient.status === AuthStatus.Handshake) {\r\n throw new Error('TernSecure: handshake status without redirect is not supported.');\r\n }\r\n\r\n const authObjectClient = requestStateClient.auth();\r\n\r\n const redirectToSignIn = createProxyRedirectToSignIn(ternSecureRequest);\r\n const redirectToSignUp = createProxyRedirectToSignUp(ternSecureRequest);\r\n const protect = await createMiddlewareProtect(\r\n ternSecureRequest,\r\n authObjectClient,\r\n redirectToSignIn,\r\n );\r\n\r\n const authObj: MiddlewareAuthObject = Object.assign(authObjectClient, {\r\n redirectToSignIn,\r\n redirectToSignUp,\r\n });\r\n\r\n const authHandler = () => Promise.resolve(authObj);\r\n authHandler.protect = protect;\r\n\r\n let handlerResult: Response = NextResponse.next();\r\n\r\n try {\r\n const userHandlerResult = await handler?.(authHandler, request, event);\r\n handlerResult = userHandlerResult || handlerResult;\r\n } catch (error: any) {\r\n handlerResult = handleControlError(error, ternSecureRequest, request, requestStateClient);\r\n }\r\n\r\n if (requestStateClient.headers) {\r\n requestStateClient.headers.forEach((value, key) => {\r\n handlerResult.headers.append(key, value);\r\n });\r\n }\r\n\r\n if (isRedirect(handlerResult)) {\r\n return serverRedirectWithAuth(ternSecureRequest, handlerResult);\r\n }\r\n\r\n decorateRequest(ternSecureRequest, handlerResult, requestStateClient);\r\n return handlerResult;\r\n };\r\n\r\n const nextMiddleware: NextMiddleware = async (request, event) => {\r\n return withAuthNextMiddleware(request, event);\r\n };\r\n\r\n if (request && event) {\r\n return nextMiddleware(request, event);\r\n }\r\n\r\n return nextMiddleware;\r\n };\r\n return middleware();\r\n}) as TernSecureMiddleware;\r\n\r\nconst parseRequestAndEvent = (args: unknown[]) => {\r\n return [\r\n args[0] instanceof Request ? args[0] : undefined,\r\n args[0] instanceof Request ? args[1] : undefined,\r\n ] as [NextMiddlewareRequestParam | undefined, NextMiddlewareEvtParam | undefined];\r\n};\r\n\r\nconst parseHandlerAndOptions = (args: unknown[]) => {\r\n return [\r\n typeof args[0] === 'function' ? args[0] : undefined,\r\n (args.length === 2 ? args[1] : typeof args[0] === 'function' ? {} : args[0]) || {},\r\n ] as [MiddlewareHandler | undefined, MiddlewareOptions | MiddlewareOptionsCallback];\r\n};\r\n\r\n\r\nconst createProxyRedirectToSignIn = (\r\n ternSecureRequest: TernSecureRequest,\r\n): MiddlewareAuthObject['redirectToSignIn'] => {\r\n return (opts = {}) => {\r\n const url = ternSecureRequest.ternUrl.toString();\r\n redirectToSignInError(url, opts.returnBackUrl);\r\n };\r\n};\r\n\r\nconst createProxyRedirectToSignUp = (\r\n ternSecureRequest: TernSecureRequest,\r\n): MiddlewareAuthObject['redirectToSignUp'] => {\r\n return (opts = {}) => {\r\n const url = ternSecureRequest.ternUrl.toString();\r\n redirectToSignUpError(url, opts.returnBackUrl);\r\n };\r\n};\r\n\r\n/**\r\n * Create middleware redirect functions\r\n * @deprecated\r\n */\r\nconst createMiddlewareRedirects = (ternSecureRequest: TernSecureRequest) => {\r\n const redirectToSignIn: MiddlewareAuthObject['redirectToSignIn'] = (opts = {}) => {\r\n const url = ternSecureRequest.ternUrl.toString();\r\n redirectToSignInError(url, opts.returnBackUrl);\r\n };\r\n\r\n const redirectToSignUp: MiddlewareAuthObject['redirectToSignUp'] = (opts = {}) => {\r\n const url = ternSecureRequest.ternUrl.toString();\r\n redirectToSignUpError(url, opts.returnBackUrl);\r\n };\r\n\r\n return { redirectToSignIn, redirectToSignUp };\r\n};\r\n\r\nconst createMiddlewareProtect = (\r\n ternSecureRequest: TernSecureRequest,\r\n authObject: AuthObject,\r\n redirectToSignIn: RedirectFun<Response>,\r\n) => {\r\n return (async (params: any, options: any) => {\r\n const notFound = () => nextjsNotFound();\r\n\r\n const redirect = (url: string) =>\r\n nextjsRedirectError(url, {\r\n redirectUrl: url,\r\n });\r\n\r\n return createProtect({\r\n request: ternSecureRequest,\r\n redirect,\r\n notFound,\r\n authObject,\r\n redirectToSignIn,\r\n })(params, options);\r\n }) as unknown as Promise<AuthProtect>;\r\n};\r\n\r\nexport const redirectAdapter = (url: string | URL) => {\r\n return NextResponse.redirect(url, {\r\n headers: { [constants.Headers.TernSecureRedirectTo]: 'true' },\r\n });\r\n};\r\n\r\n/**\r\n * Handle control flow errors in middleware\r\n */\r\nconst handleControlError = (\r\n error: any,\r\n ternSecureRequest: TernSecureRequest,\r\n nextrequest: NextRequest,\r\n requestState: RequestState,\r\n): Response => {\r\n if (isNextjsNotFoundError(error)) {\r\n return setHeader(\r\n NextResponse.rewrite(new URL(`/tern_${Date.now()}`, nextrequest.url)),\r\n constants.Headers.AuthReason,\r\n 'protect-rewrite',\r\n );\r\n }\r\n\r\n const isRedirectToSignIn = isRedirectToSignInError(error);\r\n const isRedirectToSignUp = isRedirectToSignUpError(error);\r\n\r\n if (isRedirectToSignIn || isRedirectToSignUp) {\r\n const redirect = createRedirect({\r\n redirectAdapter,\r\n baseUrl: ternSecureRequest.ternUrl,\r\n signInUrl: requestState.signInUrl,\r\n signUpUrl: requestState.signUpUrl,\r\n });\r\n\r\n const { returnBackUrl } = error;\r\n\r\n return redirect[isRedirectToSignIn ? 'redirectToSignIn' : 'redirectToSignUp']({\r\n returnBackUrl,\r\n });\r\n }\r\n\r\n if (isNextjsRedirectError(error)) {\r\n return redirectAdapter(error.redirectUrl);\r\n }\r\n\r\n throw error;\r\n};\r\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAOA,qBAA+E;AAC/E,wBAA2C;AAE3C,oBAA6B;AAE7B,sBAAsC;AACtC,gCAAuC;AACvC,sBAA2D;AAC3D,wBAQO;AACP,qBAAgD;AAChD,8BAAwC;AAMxC,mBAAgC;AAmDzB,MAAM,kBAAmB,IAC3B,SACuC;AAC1C,QAAM,CAAC,SAAS,KAAK,IAAI,qBAAqB,IAAI;AAClD,QAAM,CAAC,SAAS,MAAM,IAAI,uBAAuB,IAAI;AAErD,QAAM,aAAa,MAAM;AACvB,UAAM,yBAAyC,OAAOA,UAASC,WAAU;AACvE,YAAM,iBAAiB,OAAO,WAAW,aAAa,MAAM,OAAOD,QAAO,IAAI;AAE9E,YAAM,YAAY,eAAe,aAAa;AAC9C,YAAM,YAAY,eAAe,aAAa;AAC9C,YAAM,SAAS,eAAe,UAAU;AAExC,YAAM,UAAU;AAAA,QACd;AAAA,QACA;AAAA,QACA;AAAA,QACA,GAAG;AAAA,MACL;AAEA,YAAM,mBAAmB,UAAM,iDAAwB;AAEvD,YAAM,wBAAoB,wCAAwBA,QAAO;AAEzD,YAAM,qBAAqB,MAAM,iBAAiB;AAAA,QAChD;AAAA,QACA;AAAA,MACF;AAEA,YAAM,iBAAiB,mBAAmB,QAAQ,IAAI,yBAAU,QAAQ,QAAQ;AAChF,UAAI,gBAAgB;AAClB,eAAO,IAAI,SAAS,MAAM;AAAA,UACxB,QAAQ;AAAA,UACR,SAAS,mBAAmB;AAAA,QAC9B,CAAC;AAAA,MACH,WAAW,mBAAmB,WAAW,0BAAW,WAAW;AAC7D,cAAM,IAAI,MAAM,iEAAiE;AAAA,MACnF;AAEA,YAAM,mBAAmB,mBAAmB,KAAK;AAEjD,YAAM,mBAAmB,4BAA4B,iBAAiB;AACtE,YAAM,mBAAmB,4BAA4B,iBAAiB;AACtE,YAAM,UAAU,MAAM;AAAA,QACpB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,YAAM,UAAgC,OAAO,OAAO,kBAAkB;AAAA,QACpE;AAAA,QACA;AAAA,MACF,CAAC;AAED,YAAM,cAAc,MAAM,QAAQ,QAAQ,OAAO;AACjD,kBAAY,UAAU;AAEtB,UAAI,gBAA0B,2BAAa,KAAK;AAEhD,UAAI;AACF,cAAM,oBAAoB,MAAM,UAAU,aAAaA,UAASC,MAAK;AACrE,wBAAgB,qBAAqB;AAAA,MACvC,SAAS,OAAY;AACnB,wBAAgB,mBAAmB,OAAO,mBAAmBD,UAAS,kBAAkB;AAAA,MAC1F;AAEA,UAAI,mBAAmB,SAAS;AAC9B,2BAAmB,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AACjD,wBAAc,QAAQ,OAAO,KAAK,KAAK;AAAA,QACzC,CAAC;AAAA,MACH;AAEA,cAAI,4BAAW,aAAa,GAAG;AAC7B,mBAAO,kDAAuB,mBAAmB,aAAa;AAAA,MAChE;AAEA,wCAAgB,mBAAmB,eAAe,kBAAkB;AACpE,aAAO;AAAA,IACT;AAEA,UAAM,iBAAiC,OAAOA,UAASC,WAAU;AAC/D,aAAO,uBAAuBD,UAASC,MAAK;AAAA,IAC9C;AAEA,QAAI,WAAW,OAAO;AACpB,aAAO,eAAe,SAAS,KAAK;AAAA,IACtC;AAEA,WAAO;AAAA,EACT;AACA,SAAO,WAAW;AACpB;AAEA,MAAM,uBAAuB,CAAC,SAAoB;AAChD,SAAO;AAAA,IACL,KAAK,CAAC,aAAa,UAAU,KAAK,CAAC,IAAI;AAAA,IACvC,KAAK,CAAC,aAAa,UAAU,KAAK,CAAC,IAAI;AAAA,EACzC;AACF;AAEA,MAAM,yBAAyB,CAAC,SAAoB;AAClD,SAAO;AAAA,IACL,OAAO,KAAK,CAAC,MAAM,aAAa,KAAK,CAAC,IAAI;AAAA,KACzC,KAAK,WAAW,IAAI,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,MAAM,aAAa,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC;AAAA,EACnF;AACF;AAGA,MAAM,8BAA8B,CAClC,sBAC6C;AAC7C,SAAO,CAAC,OAAO,CAAC,MAAM;AACpB,UAAM,MAAM,kBAAkB,QAAQ,SAAS;AAC/C,iDAAsB,KAAK,KAAK,aAAa;AAAA,EAC/C;AACF;AAEA,MAAM,8BAA8B,CAClC,sBAC6C;AAC7C,SAAO,CAAC,OAAO,CAAC,MAAM;AACpB,UAAM,MAAM,kBAAkB,QAAQ,SAAS;AAC/C,iDAAsB,KAAK,KAAK,aAAa;AAAA,EAC/C;AACF;AAMA,MAAM,4BAA4B,CAAC,sBAAyC;AAC1E,QAAM,mBAA6D,CAAC,OAAO,CAAC,MAAM;AAChF,UAAM,MAAM,kBAAkB,QAAQ,SAAS;AAC/C,iDAAsB,KAAK,KAAK,aAAa;AAAA,EAC/C;AAEA,QAAM,mBAA6D,CAAC,OAAO,CAAC,MAAM;AAChF,UAAM,MAAM,kBAAkB,QAAQ,SAAS;AAC/C,iDAAsB,KAAK,KAAK,aAAa;AAAA,EAC/C;AAEA,SAAO,EAAE,kBAAkB,iBAAiB;AAC9C;AAEA,MAAM,0BAA0B,CAC9B,mBACA,YACA,qBACG;AACH,SAAQ,OAAO,QAAa,YAAiB;AAC3C,UAAM,WAAW,UAAM,kBAAAC,UAAe;AAEtC,UAAM,WAAW,CAAC,YAChB,uCAAoB,KAAK;AAAA,MACvB,aAAa;AAAA,IACf,CAAC;AAEH,eAAO,8BAAc;AAAA,MACnB,SAAS;AAAA,MACT;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC,EAAE,QAAQ,OAAO;AAAA,EACpB;AACF;AAEO,MAAM,kBAAkB,CAAC,QAAsB;AACpD,SAAO,2BAAa,SAAS,KAAK;AAAA,IAChC,SAAS,EAAE,CAAC,yBAAU,QAAQ,oBAAoB,GAAG,OAAO;AAAA,EAC9D,CAAC;AACH;AAKA,MAAM,qBAAqB,CACzB,OACA,mBACA,aACA,iBACa;AACb,UAAI,yCAAsB,KAAK,GAAG;AAChC,eAAO;AAAA,MACL,2BAAa,QAAQ,IAAI,IAAI,SAAS,KAAK,IAAI,CAAC,IAAI,YAAY,GAAG,CAAC;AAAA,MACpE,yBAAU,QAAQ;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,yBAAqB,2CAAwB,KAAK;AACxD,QAAM,yBAAqB,2CAAwB,KAAK;AAExD,MAAI,sBAAsB,oBAAoB;AAC5C,UAAM,eAAW,+BAAe;AAAA,MAC9B;AAAA,MACA,SAAS,kBAAkB;AAAA,MAC3B,WAAW,aAAa;AAAA,MACxB,WAAW,aAAa;AAAA,IAC1B,CAAC;AAED,UAAM,EAAE,cAAc,IAAI;AAE1B,WAAO,SAAS,qBAAqB,qBAAqB,kBAAkB,EAAE;AAAA,MAC5E;AAAA,IACF,CAAC;AAAA,EACH;AAEA,UAAI,yCAAsB,KAAK,GAAG;AAChC,WAAO,gBAAgB,MAAM,WAAW;AAAA,EAC1C;AAEA,QAAM;AACR;","names":["request","event","nextjsNotFound"]}
|
|
1
|
+
{"version":3,"sources":["../../../src/server/ternSecureProxy.ts"],"sourcesContent":["import type {\r\n AuthenticateRequestOptions,\r\n AuthObject,\r\n RedirectFun,\r\n RequestState,\r\n TernSecureRequest,\r\n} from '@tern-secure/backend';\r\nimport { AuthStatus, constants, createRedirect, createTernSecureRequest } from '@tern-secure/backend';\r\nimport { notFound as nextjsNotFound } from 'next/navigation';\r\nimport type { NextMiddleware, NextRequest } from 'next/server';\r\nimport { NextResponse } from 'next/server';\r\n\r\nimport { isRedirect, setHeader } from '../utils/response';\r\nimport { serverRedirectWithAuth } from '../utils/serverRedirectAuth';\r\nimport { FIREBASE_API_KEY, FIREBASE_APP_ID, FIREBASE_PROJECT_ID,SIGN_IN_URL, SIGN_UP_URL } from './constant';\r\nimport {\r\n isNextjsNotFoundError,\r\n isNextjsRedirectError,\r\n isRedirectToSignInError,\r\n isRedirectToSignUpError,\r\n nextjsRedirectError,\r\n redirectToSignInError,\r\n redirectToSignUpError,\r\n} from './nextErrors';\r\nimport { type AuthProtect, createProtect } from './protect';\r\nimport { ternSecureBackendClient } from './ternsecureClient';\r\nimport type {\r\n NextMiddlewareEvtParam,\r\n NextMiddlewareRequestParam,\r\n NextMiddlewareReturn,\r\n} from './types';\r\nimport { decorateRequest } from './utils';\r\n\r\nexport type MiddlewareAuthObject = AuthObject & {\r\n redirectToSignIn: RedirectFun<Response>;\r\n redirectToSignUp: RedirectFun<Response>;\r\n};\r\n\r\nexport interface MiddlewareAuth {\r\n (): Promise<MiddlewareAuthObject>;\r\n\r\n protect: AuthProtect;\r\n}\r\n\r\ntype MiddlewareHandler = (\r\n auth: MiddlewareAuth,\r\n request: NextMiddlewareRequestParam,\r\n event: NextMiddlewareEvtParam,\r\n) => NextMiddlewareReturn;\r\n\r\nexport interface MiddlewareOptions extends AuthenticateRequestOptions {\r\n debug?: boolean;\r\n}\r\ntype MiddlewareOptionsCallback = (\r\n req: NextRequest,\r\n) => MiddlewareOptions | Promise<MiddlewareOptions>;\r\n\r\ninterface TernSecureMiddleware {\r\n /**\r\n * @example\r\n * export default ternSecureMiddleware((auth, request, event) => { ... }, options);\r\n */\r\n (handler: MiddlewareHandler, options?: MiddlewareOptions): NextMiddleware;\r\n\r\n /**\r\n * @example\r\n * export default ternSecureMiddleware((auth, request, event) => { ... }, (req) => options);\r\n */\r\n (handler: MiddlewareHandler, options?: MiddlewareOptionsCallback): NextMiddleware;\r\n\r\n /**\r\n * @example\r\n * export default ternSecureMiddleware(options);\r\n */\r\n (options?: MiddlewareOptions): NextMiddleware;\r\n /**\r\n * @example\r\n * export default ternSecureMiddleware;\r\n */\r\n (request: NextMiddlewareRequestParam, event: NextMiddlewareEvtParam): NextMiddlewareReturn;\r\n}\r\n\r\nexport const ternSecureProxy = ((\r\n ...args: unknown[]\r\n): NextMiddleware | NextMiddlewareReturn => {\r\n const [request, event] = parseRequestAndEvent(args);\r\n const [handler, params] = parseHandlerAndOptions(args);\r\n\r\n const middleware = () => {\r\n const withAuthNextMiddleware: NextMiddleware = async (request, event) => {\r\n const resolvedParams = typeof params === 'function' ? await params(request) : params;\r\n\r\n const signInUrl = resolvedParams.signInUrl || SIGN_IN_URL;\r\n const signUpUrl = resolvedParams.signUpUrl || SIGN_UP_URL;\r\n const apiKey = resolvedParams.apiKey || FIREBASE_API_KEY;\r\n const appId = FIREBASE_APP_ID;\r\n const projectId = FIREBASE_PROJECT_ID;\r\n const firebaseConfig = resolvedParams.firebaseConfig || {\r\n apiKey,\r\n appId,\r\n projectId,\r\n }\r\n const firebaseAdminConfig = resolvedParams.firebaseAdminConfig;\r\n\r\n const options = {\r\n signInUrl,\r\n signUpUrl,\r\n apiKey,\r\n firebaseConfig,\r\n firebaseAdminConfig,\r\n ...resolvedParams,\r\n };\r\n\r\n const reqBackendClient = await ternSecureBackendClient();\r\n\r\n const ternSecureRequest = createTernSecureRequest(request);\r\n\r\n const requestStateClient = await reqBackendClient.authenticateRequest(\r\n ternSecureRequest,\r\n options,\r\n );\r\n\r\n const locationHeader = requestStateClient.headers.get(constants.Headers.Location);\r\n const appCheckToken = requestStateClient.headers.get(constants.Headers.AppCheckToken);\r\n console.log(\"[ternSecureProxy] App Check Token in Proxy:\", appCheckToken);\r\n if (locationHeader) {\r\n return new Response(null, {\r\n status: 307,\r\n headers: requestStateClient.headers,\r\n });\r\n } else if (requestStateClient.status === AuthStatus.Handshake) {\r\n throw new Error('TernSecure: handshake status without redirect is not supported.');\r\n }\r\n\r\n const authObjectClient = requestStateClient.auth();\r\n\r\n const redirectToSignIn = createProxyRedirectToSignIn(ternSecureRequest);\r\n const redirectToSignUp = createProxyRedirectToSignUp(ternSecureRequest);\r\n const protect = await createMiddlewareProtect(\r\n ternSecureRequest,\r\n authObjectClient,\r\n redirectToSignIn,\r\n );\r\n\r\n const authObj: MiddlewareAuthObject = Object.assign(authObjectClient, {\r\n redirectToSignIn,\r\n redirectToSignUp,\r\n });\r\n\r\n const authHandler = () => Promise.resolve(authObj);\r\n authHandler.protect = protect;\r\n\r\n let handlerResult: Response = NextResponse.next();\r\n\r\n try {\r\n const userHandlerResult = await handler?.(authHandler, request, event);\r\n handlerResult = userHandlerResult || handlerResult;\r\n } catch (error: any) {\r\n handlerResult = handleControlError(error, ternSecureRequest, request, requestStateClient);\r\n }\r\n\r\n if (requestStateClient.headers) {\r\n requestStateClient.headers.forEach((value, key) => {\r\n handlerResult.headers.append(key, value);\r\n });\r\n }\r\n\r\n if (isRedirect(handlerResult)) {\r\n return serverRedirectWithAuth(ternSecureRequest, handlerResult);\r\n }\r\n\r\n decorateRequest(ternSecureRequest, handlerResult, requestStateClient, appCheckToken || undefined);\r\n return handlerResult;\r\n };\r\n\r\n const nextMiddleware: NextMiddleware = async (request, event) => {\r\n return withAuthNextMiddleware(request, event);\r\n };\r\n\r\n if (request && event) {\r\n return nextMiddleware(request, event);\r\n }\r\n\r\n return nextMiddleware;\r\n };\r\n return middleware();\r\n}) as TernSecureMiddleware;\r\n\r\nconst parseRequestAndEvent = (args: unknown[]) => {\r\n return [\r\n args[0] instanceof Request ? args[0] : undefined,\r\n args[0] instanceof Request ? args[1] : undefined,\r\n ] as [NextMiddlewareRequestParam | undefined, NextMiddlewareEvtParam | undefined];\r\n};\r\n\r\nconst parseHandlerAndOptions = (args: unknown[]) => {\r\n return [\r\n typeof args[0] === 'function' ? args[0] : undefined,\r\n (args.length === 2 ? args[1] : typeof args[0] === 'function' ? {} : args[0]) || {},\r\n ] as [MiddlewareHandler | undefined, MiddlewareOptions | MiddlewareOptionsCallback];\r\n};\r\n\r\n\r\nconst createProxyRedirectToSignIn = (\r\n ternSecureRequest: TernSecureRequest,\r\n): MiddlewareAuthObject['redirectToSignIn'] => {\r\n return (opts = {}) => {\r\n const url = ternSecureRequest.ternUrl.toString();\r\n redirectToSignInError(url, opts.returnBackUrl);\r\n };\r\n};\r\n\r\nconst createProxyRedirectToSignUp = (\r\n ternSecureRequest: TernSecureRequest,\r\n): MiddlewareAuthObject['redirectToSignUp'] => {\r\n return (opts = {}) => {\r\n const url = ternSecureRequest.ternUrl.toString();\r\n redirectToSignUpError(url, opts.returnBackUrl);\r\n };\r\n};\r\n\r\n/**\r\n * Create middleware redirect functions\r\n * @deprecated\r\n */\r\nconst createMiddlewareRedirects = (ternSecureRequest: TernSecureRequest) => {\r\n const redirectToSignIn: MiddlewareAuthObject['redirectToSignIn'] = (opts = {}) => {\r\n const url = ternSecureRequest.ternUrl.toString();\r\n redirectToSignInError(url, opts.returnBackUrl);\r\n };\r\n\r\n const redirectToSignUp: MiddlewareAuthObject['redirectToSignUp'] = (opts = {}) => {\r\n const url = ternSecureRequest.ternUrl.toString();\r\n redirectToSignUpError(url, opts.returnBackUrl);\r\n };\r\n\r\n return { redirectToSignIn, redirectToSignUp };\r\n};\r\n\r\nconst createMiddlewareProtect = (\r\n ternSecureRequest: TernSecureRequest,\r\n authObject: AuthObject,\r\n redirectToSignIn: RedirectFun<Response>,\r\n) => {\r\n return (async (params: any, options: any) => {\r\n const notFound = () => nextjsNotFound();\r\n\r\n const redirect = (url: string) =>\r\n nextjsRedirectError(url, {\r\n redirectUrl: url,\r\n });\r\n\r\n return createProtect({\r\n request: ternSecureRequest,\r\n redirect,\r\n notFound,\r\n authObject,\r\n redirectToSignIn,\r\n })(params, options);\r\n }) as unknown as Promise<AuthProtect>;\r\n};\r\n\r\nexport const redirectAdapter = (url: string | URL) => {\r\n return NextResponse.redirect(url, {\r\n headers: { [constants.Headers.TernSecureRedirectTo]: 'true' },\r\n });\r\n};\r\n\r\n/**\r\n * Handle control flow errors in middleware\r\n */\r\nconst handleControlError = (\r\n error: any,\r\n ternSecureRequest: TernSecureRequest,\r\n nextrequest: NextRequest,\r\n requestState: RequestState,\r\n): Response => {\r\n if (isNextjsNotFoundError(error)) {\r\n return setHeader(\r\n NextResponse.rewrite(new URL(`/tern_${Date.now()}`, nextrequest.url)),\r\n constants.Headers.AuthReason,\r\n 'protect-rewrite',\r\n );\r\n }\r\n\r\n const isRedirectToSignIn = isRedirectToSignInError(error);\r\n const isRedirectToSignUp = isRedirectToSignUpError(error);\r\n\r\n if (isRedirectToSignIn || isRedirectToSignUp) {\r\n const redirect = createRedirect({\r\n redirectAdapter,\r\n baseUrl: ternSecureRequest.ternUrl,\r\n signInUrl: requestState.signInUrl,\r\n signUpUrl: requestState.signUpUrl,\r\n });\r\n\r\n const { returnBackUrl } = error;\r\n\r\n return redirect[isRedirectToSignIn ? 'redirectToSignIn' : 'redirectToSignUp']({\r\n returnBackUrl,\r\n });\r\n }\r\n\r\n if (isNextjsRedirectError(error)) {\r\n return redirectAdapter(error.redirectUrl);\r\n }\r\n\r\n throw error;\r\n};\r\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAOA,qBAA+E;AAC/E,wBAA2C;AAE3C,oBAA6B;AAE7B,sBAAsC;AACtC,gCAAuC;AACvC,sBAAgG;AAChG,wBAQO;AACP,qBAAgD;AAChD,8BAAwC;AAMxC,mBAAgC;AAmDzB,MAAM,kBAAmB,IAC3B,SACuC;AAC1C,QAAM,CAAC,SAAS,KAAK,IAAI,qBAAqB,IAAI;AAClD,QAAM,CAAC,SAAS,MAAM,IAAI,uBAAuB,IAAI;AAErD,QAAM,aAAa,MAAM;AACvB,UAAM,yBAAyC,OAAOA,UAASC,WAAU;AACvE,YAAM,iBAAiB,OAAO,WAAW,aAAa,MAAM,OAAOD,QAAO,IAAI;AAE9E,YAAM,YAAY,eAAe,aAAa;AAC9C,YAAM,YAAY,eAAe,aAAa;AAC9C,YAAM,SAAS,eAAe,UAAU;AACxC,YAAM,QAAQ;AACd,YAAM,YAAY;AAClB,YAAM,iBAAiB,eAAe,kBAAkB;AAAA,QACtD;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,YAAM,sBAAsB,eAAe;AAE3C,YAAM,UAAU;AAAA,QACd;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,GAAG;AAAA,MACL;AAEA,YAAM,mBAAmB,UAAM,iDAAwB;AAEvD,YAAM,wBAAoB,wCAAwBA,QAAO;AAEzD,YAAM,qBAAqB,MAAM,iBAAiB;AAAA,QAChD;AAAA,QACA;AAAA,MACF;AAEA,YAAM,iBAAiB,mBAAmB,QAAQ,IAAI,yBAAU,QAAQ,QAAQ;AAChF,YAAM,gBAAgB,mBAAmB,QAAQ,IAAI,yBAAU,QAAQ,aAAa;AACpF,cAAQ,IAAI,+CAA+C,aAAa;AACxE,UAAI,gBAAgB;AAClB,eAAO,IAAI,SAAS,MAAM;AAAA,UACxB,QAAQ;AAAA,UACR,SAAS,mBAAmB;AAAA,QAC9B,CAAC;AAAA,MACH,WAAW,mBAAmB,WAAW,0BAAW,WAAW;AAC7D,cAAM,IAAI,MAAM,iEAAiE;AAAA,MACnF;AAEA,YAAM,mBAAmB,mBAAmB,KAAK;AAEjD,YAAM,mBAAmB,4BAA4B,iBAAiB;AACtE,YAAM,mBAAmB,4BAA4B,iBAAiB;AACtE,YAAM,UAAU,MAAM;AAAA,QACpB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,YAAM,UAAgC,OAAO,OAAO,kBAAkB;AAAA,QACpE;AAAA,QACA;AAAA,MACF,CAAC;AAED,YAAM,cAAc,MAAM,QAAQ,QAAQ,OAAO;AACjD,kBAAY,UAAU;AAEtB,UAAI,gBAA0B,2BAAa,KAAK;AAEhD,UAAI;AACF,cAAM,oBAAoB,MAAM,UAAU,aAAaA,UAASC,MAAK;AACrE,wBAAgB,qBAAqB;AAAA,MACvC,SAAS,OAAY;AACnB,wBAAgB,mBAAmB,OAAO,mBAAmBD,UAAS,kBAAkB;AAAA,MAC1F;AAEA,UAAI,mBAAmB,SAAS;AAC9B,2BAAmB,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AACjD,wBAAc,QAAQ,OAAO,KAAK,KAAK;AAAA,QACzC,CAAC;AAAA,MACH;AAEA,cAAI,4BAAW,aAAa,GAAG;AAC7B,mBAAO,kDAAuB,mBAAmB,aAAa;AAAA,MAChE;AAEA,wCAAgB,mBAAmB,eAAe,oBAAoB,iBAAiB,MAAS;AAChG,aAAO;AAAA,IACT;AAEA,UAAM,iBAAiC,OAAOA,UAASC,WAAU;AAC/D,aAAO,uBAAuBD,UAASC,MAAK;AAAA,IAC9C;AAEA,QAAI,WAAW,OAAO;AACpB,aAAO,eAAe,SAAS,KAAK;AAAA,IACtC;AAEA,WAAO;AAAA,EACT;AACA,SAAO,WAAW;AACpB;AAEA,MAAM,uBAAuB,CAAC,SAAoB;AAChD,SAAO;AAAA,IACL,KAAK,CAAC,aAAa,UAAU,KAAK,CAAC,IAAI;AAAA,IACvC,KAAK,CAAC,aAAa,UAAU,KAAK,CAAC,IAAI;AAAA,EACzC;AACF;AAEA,MAAM,yBAAyB,CAAC,SAAoB;AAClD,SAAO;AAAA,IACL,OAAO,KAAK,CAAC,MAAM,aAAa,KAAK,CAAC,IAAI;AAAA,KACzC,KAAK,WAAW,IAAI,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,MAAM,aAAa,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC;AAAA,EACnF;AACF;AAGA,MAAM,8BAA8B,CAClC,sBAC6C;AAC7C,SAAO,CAAC,OAAO,CAAC,MAAM;AACpB,UAAM,MAAM,kBAAkB,QAAQ,SAAS;AAC/C,iDAAsB,KAAK,KAAK,aAAa;AAAA,EAC/C;AACF;AAEA,MAAM,8BAA8B,CAClC,sBAC6C;AAC7C,SAAO,CAAC,OAAO,CAAC,MAAM;AACpB,UAAM,MAAM,kBAAkB,QAAQ,SAAS;AAC/C,iDAAsB,KAAK,KAAK,aAAa;AAAA,EAC/C;AACF;AAMA,MAAM,4BAA4B,CAAC,sBAAyC;AAC1E,QAAM,mBAA6D,CAAC,OAAO,CAAC,MAAM;AAChF,UAAM,MAAM,kBAAkB,QAAQ,SAAS;AAC/C,iDAAsB,KAAK,KAAK,aAAa;AAAA,EAC/C;AAEA,QAAM,mBAA6D,CAAC,OAAO,CAAC,MAAM;AAChF,UAAM,MAAM,kBAAkB,QAAQ,SAAS;AAC/C,iDAAsB,KAAK,KAAK,aAAa;AAAA,EAC/C;AAEA,SAAO,EAAE,kBAAkB,iBAAiB;AAC9C;AAEA,MAAM,0BAA0B,CAC9B,mBACA,YACA,qBACG;AACH,SAAQ,OAAO,QAAa,YAAiB;AAC3C,UAAM,WAAW,UAAM,kBAAAC,UAAe;AAEtC,UAAM,WAAW,CAAC,YAChB,uCAAoB,KAAK;AAAA,MACvB,aAAa;AAAA,IACf,CAAC;AAEH,eAAO,8BAAc;AAAA,MACnB,SAAS;AAAA,MACT;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC,EAAE,QAAQ,OAAO;AAAA,EACpB;AACF;AAEO,MAAM,kBAAkB,CAAC,QAAsB;AACpD,SAAO,2BAAa,SAAS,KAAK;AAAA,IAChC,SAAS,EAAE,CAAC,yBAAU,QAAQ,oBAAoB,GAAG,OAAO;AAAA,EAC9D,CAAC;AACH;AAKA,MAAM,qBAAqB,CACzB,OACA,mBACA,aACA,iBACa;AACb,UAAI,yCAAsB,KAAK,GAAG;AAChC,eAAO;AAAA,MACL,2BAAa,QAAQ,IAAI,IAAI,SAAS,KAAK,IAAI,CAAC,IAAI,YAAY,GAAG,CAAC;AAAA,MACpE,yBAAU,QAAQ;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,yBAAqB,2CAAwB,KAAK;AACxD,QAAM,yBAAqB,2CAAwB,KAAK;AAExD,MAAI,sBAAsB,oBAAoB;AAC5C,UAAM,eAAW,+BAAe;AAAA,MAC9B;AAAA,MACA,SAAS,kBAAkB;AAAA,MAC3B,WAAW,aAAa;AAAA,MACxB,WAAW,aAAa;AAAA,IAC1B,CAAC;AAED,UAAM,EAAE,cAAc,IAAI;AAE1B,WAAO,SAAS,qBAAqB,qBAAqB,kBAAkB,EAAE;AAAA,MAC5E;AAAA,IACF,CAAC;AAAA,EACH;AAEA,UAAI,yCAAsB,KAAK,GAAG;AAChC,WAAO,gBAAgB,MAAM,WAAW;AAAA,EAC1C;AAEA,QAAM;AACR;","names":["request","event","nextjsNotFound"]}
|
package/dist/cjs/server/utils.js
CHANGED
|
@@ -133,7 +133,7 @@ const setRequestHeadersOnNextResponse = (res, req, newHeaders) => {
|
|
|
133
133
|
res.headers.set(`${MIDDLEWARE_HEADER_PREFIX}-${key}`, val);
|
|
134
134
|
});
|
|
135
135
|
};
|
|
136
|
-
function decorateRequest(req, res, requestState) {
|
|
136
|
+
function decorateRequest(req, res, requestState, appCheckToken) {
|
|
137
137
|
const { reason, token, status } = requestState;
|
|
138
138
|
if (!res) {
|
|
139
139
|
res = import_server.NextResponse.next();
|
|
@@ -158,6 +158,7 @@ function decorateRequest(req, res, requestState) {
|
|
|
158
158
|
setRequestHeadersOnNextResponse(res, req, {
|
|
159
159
|
[import_backend.constants.Headers.AuthStatus]: status,
|
|
160
160
|
[import_backend.constants.Headers.AuthToken]: token || "",
|
|
161
|
+
[import_backend.constants.Headers.AppCheckToken]: appCheckToken || req.headers.get(import_backend.constants.Headers.AppCheckToken) || "",
|
|
161
162
|
[import_backend.constants.Headers.AuthReason]: reason || "",
|
|
162
163
|
[import_backend.constants.Headers.TernSecureUrl]: req.ternUrl.toString()
|
|
163
164
|
});
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../src/server/utils.ts"],"sourcesContent":["import type {\r\n RequestState,\r\n TernSecureRequest,\r\n} from \"@tern-secure/backend\";\r\nimport { constants } from \"@tern-secure/backend\";\r\nimport { NextRequest,NextResponse } from 'next/server';\r\n\r\nimport { constants as nextConstants } from \"../constants\";\r\nimport type { User } from \"./types\"\r\n\r\nconst OVERRIDE_HEADERS = 'x-middleware-override-headers';\r\nconst MIDDLEWARE_HEADER_PREFIX = 'x-middleware-request' as string;\r\n\r\ninterface RequestContext {\r\n user: User\r\n sessionId: string\r\n}\r\n\r\n// Use process.env in Node.js and globalThis in Edge\r\nconst getGlobalObject = () => {\r\n if (typeof process !== 'undefined') {\r\n return process\r\n }\r\n return globalThis\r\n}\r\n\r\nconst STORE_KEY = '__TERN_AUTH_STORE__'\r\n\r\nexport class Store {\r\n private static getStore() {\r\n const global = getGlobalObject() as any\r\n \r\n if (!global[STORE_KEY]) {\r\n global[STORE_KEY] = {\r\n contexts: new Map<string, RequestContext>(),\r\n sessions: new Map<string, User>(),\r\n currentSession: null as RequestContext | null\r\n }\r\n }\r\n \r\n return global[STORE_KEY]\r\n }\r\n\r\n static setContext(context: RequestContext) {\r\n const store = this.getStore()\r\n const { user, sessionId } = context\r\n \r\n console.log(\"Store: Setting context:\", { sessionId, user })\r\n \r\n // Store in both maps\r\n store.contexts.set(sessionId, context)\r\n store.sessions.set(sessionId, user)\r\n \r\n // Set as current session\r\n store.currentSession = context\r\n \r\n console.log(\"Store: Updated state:\", {\r\n contextsSize: store.contexts.size,\r\n sessionsSize: store.sessions.size,\r\n currentSession: store.currentSession\r\n })\r\n }\r\n\r\n static getContext(): RequestContext | null {\r\n const store = this.getStore()\r\n \r\n // First try current session\r\n if (store.currentSession) {\r\n const session = this.getSession(store.currentSession.sessionId)\r\n if (session && session.uid === store.currentSession.user.uid) {\r\n return store.currentSession\r\n }\r\n }\r\n \r\n // Then try to find any valid context\r\n for (const [sessionId, user] of store.sessions.entries()) {\r\n const context = store.contexts.get(sessionId)\r\n if (context && context.user.uid === user.uid) {\r\n // Update current session\r\n store.currentSession = context\r\n return context\r\n }\r\n }\r\n \r\n return null\r\n }\r\n\r\n static setSession(sessionId: string, user: User) {\r\n const store = this.getStore()\r\n store.sessions.set(sessionId, user)\r\n }\r\n\r\n static getSession(sessionId: string): User | null {\r\n const store = this.getStore()\r\n return store.sessions.get(sessionId) || null\r\n }\r\n\r\n static debug() {\r\n const store = this.getStore()\r\n return {\r\n contextsSize: store.contexts.size,\r\n sessionsSize: store.sessions.size,\r\n currentSession: store.currentSession,\r\n contexts: Array.from(store.contexts.entries()),\r\n sessions: Array.from(store.sessions.entries())\r\n }\r\n }\r\n\r\n static cleanup() {\r\n const store = this.getStore()\r\n const MAX_ENTRIES = 1000\r\n \r\n if (store.contexts.size > MAX_ENTRIES) {\r\n const keys = Array.from(store.contexts.keys())\r\n const toDelete = keys.slice(0, keys.length - MAX_ENTRIES)\r\n \r\n toDelete.forEach(key => {\r\n store.contexts.delete(key)\r\n store.sessions.delete(key)\r\n })\r\n }\r\n }\r\n}\r\n\r\n\r\nexport const setRequestHeadersOnNextResponse = (\r\n res: NextResponse | Response,\r\n req: Request,\r\n newHeaders: Record<string, string>,\r\n) => {\r\n if (!res.headers.get(OVERRIDE_HEADERS)) {\r\n // Emulate a user setting overrides by explicitly adding the required nextjs headers\r\n // https://github.com/vercel/next.js/pull/41380\r\n // @ts-expect-error -- property keys does not exist on type Headers\r\n res.headers.set(OVERRIDE_HEADERS, [...req.headers.keys()]);\r\n req.headers.forEach((val, key) => {\r\n res.headers.set(`${MIDDLEWARE_HEADER_PREFIX}-${key}`, val);\r\n });\r\n }\r\n\r\n // Now that we have normalised res to include overrides, just append the new header\r\n Object.entries(newHeaders).forEach(([key, val]) => {\r\n res.headers.set(OVERRIDE_HEADERS, `${res.headers.get(OVERRIDE_HEADERS)},${key}`);\r\n res.headers.set(`${MIDDLEWARE_HEADER_PREFIX}-${key}`, val);\r\n });\r\n};\r\n\r\nexport function decorateRequest(\r\n req: TernSecureRequest,\r\n res: Response,\r\n requestState: RequestState,\r\n): Response {\r\n const { reason, token, status } = requestState;\r\n // pass-through case, convert to next()\r\n if (!res) {\r\n res = NextResponse.next();\r\n }\r\n\r\n // redirect() case, return early\r\n if (res.headers.get(nextConstants.Headers.NextRedirect)) {\r\n return res;\r\n }\r\n\r\n let rewriteURL;\r\n\r\n // next() case, convert to a rewrite\r\n if (res.headers.get(nextConstants.Headers.NextResume) === '1') {\r\n res.headers.delete(nextConstants.Headers.NextResume);\r\n rewriteURL = new URL(req.url);\r\n }\r\n\r\n // rewrite() case, set auth result only if origin remains the same\r\n const rewriteURLHeader = res.headers.get(nextConstants.Headers.NextRewrite);\r\n\r\n if (rewriteURLHeader) {\r\n const reqURL = new URL(req.url);\r\n rewriteURL = new URL(rewriteURLHeader);\r\n\r\n // if the origin has changed, return early\r\n if (rewriteURL.origin !== reqURL.origin) {\r\n return res;\r\n }\r\n }\r\n\r\n if (rewriteURL) {\r\n setRequestHeadersOnNextResponse(res, req, {\r\n [constants.Headers.AuthStatus]: status,\r\n [constants.Headers.AuthToken]: token || '',\r\n [constants.Headers.AuthReason]: reason || '',\r\n [constants.Headers.TernSecureUrl]: req.ternUrl.toString(),\r\n });\r\n res.headers.set(nextConstants.Headers.NextRewrite, rewriteURL.href);\r\n }\r\n\r\n return res;\r\n}\r\n\r\n\r\nexport const isPrerenderingBailout = (e: unknown) => {\r\n if (!(e instanceof Error) || !('message' in e)) {\r\n return false;\r\n }\r\n\r\n const { message } = e;\r\n\r\n const lowerCaseInput = message.toLowerCase();\r\n const dynamicServerUsage = lowerCaseInput.includes('dynamic server usage');\r\n const bailOutPrerendering = lowerCaseInput.includes('this page needs to bail out of prerendering');\r\n\r\n // note: new error message syntax introduced in next@14.1.1-canary.21\r\n // but we still want to support older versions.\r\n // https://github.com/vercel/next.js/pull/61332 (dynamic-rendering.ts:153)\r\n const routeRegex = /Route .*? needs to bail out of prerendering at this point because it used .*?./;\r\n\r\n return routeRegex.test(message) || dynamicServerUsage || bailOutPrerendering;\r\n};\r\n\r\nexport async function buildRequestLike(): Promise<NextRequest> {\r\n try {\r\n // Dynamically import next/headers, otherwise Next12 apps will break\r\n // @ts-expect-error: Cannot find module 'next/headers' or its corresponding type declarations.ts(2307)\r\n const { headers } = await import('next/headers');\r\n const resolvedHeaders = await headers();\r\n return new NextRequest('https://placeholder.com', { headers: resolvedHeaders });\r\n } catch (e: any) {\r\n // rethrow the error when react throws a prerendering bailout\r\n // https://nextjs.org/docs/messages/ppr-caught-error\r\n if (e && isPrerenderingBailout(e)) {\r\n throw e;\r\n }\r\n\r\n throw new Error(\r\n `TernSecure: auth(), currentUser() and ternSecureClient(), are only supported in App Router (/app directory).\\nIf you're using /pages, try getAuth() instead.\\nOriginal error: ${e}`,\r\n );\r\n }\r\n}\r\n\r\n// Original source: https://github.com/vercel/next.js/blob/canary/packages/next/src/server/app-render/get-script-nonce-from-header.tsx\r\nexport function getScriptNonceFromHeader(cspHeaderValue: string): string | undefined {\r\n const directives = cspHeaderValue\r\n // Directives are split by ';'.\r\n .split(';')\r\n .map(directive => directive.trim());\r\n\r\n // First try to find the directive for the 'script-src', otherwise try to\r\n // fallback to the 'default-src'.\r\n const directive =\r\n directives.find(dir => dir.startsWith('script-src')) || directives.find(dir => dir.startsWith('default-src'));\r\n\r\n // If no directive could be found, then we're done.\r\n if (!directive) {\r\n return;\r\n }\r\n\r\n // Extract the nonce from the directive\r\n const nonce = directive\r\n .split(' ')\r\n // Remove the 'strict-src'/'default-src' string, this can't be the nonce.\r\n .slice(1)\r\n .map(source => source.trim())\r\n // Find the first source with the 'nonce-' prefix.\r\n .find(source => source.startsWith(\"'nonce-\") && source.length > 8 && source.endsWith(\"'\"))\r\n // Grab the nonce by trimming the 'nonce-' prefix.\r\n ?.slice(7, -1);\r\n\r\n // If we couldn't find the nonce, then we're done.\r\n if (!nonce) {\r\n return;\r\n }\r\n\r\n // Don't accept the nonce value if it contains HTML escape characters.\r\n // Technically, the spec requires a base64'd value, but this is just an\r\n // extra layer.\r\n if (/[&><\\u2028\\u2029]/g.test(nonce)) {\r\n throw new Error(\r\n 'Nonce value from Content-Security-Policy contained invalid HTML escape characters, which is disallowed for security reasons. Make sure that your nonce value does not contain the following characters: `<`, `>`, `&`',\r\n );\r\n }\r\n\r\n return nonce;\r\n}\r\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,qBAA0B;AAC1B,oBAAyC;AAEzC,uBAA2C;AAG3C,MAAM,mBAAmB;AACzB,MAAM,2BAA2B;AAQjC,MAAM,kBAAkB,MAAM;AAC5B,MAAI,OAAO,YAAY,aAAa;AAClC,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,MAAM,YAAY;AAEX,MAAM,MAAM;AAAA,EACjB,OAAe,WAAW;AACxB,UAAM,SAAS,gBAAgB;AAE/B,QAAI,CAAC,OAAO,SAAS,GAAG;AACtB,aAAO,SAAS,IAAI;AAAA,QAClB,UAAU,oBAAI,IAA4B;AAAA,QAC1C,UAAU,oBAAI,IAAkB;AAAA,QAChC,gBAAgB;AAAA,MAClB;AAAA,IACF;AAEA,WAAO,OAAO,SAAS;AAAA,EACzB;AAAA,EAEA,OAAO,WAAW,SAAyB;AACzC,UAAM,QAAQ,KAAK,SAAS;AAC5B,UAAM,EAAE,MAAM,UAAU,IAAI;AAE5B,YAAQ,IAAI,2BAA2B,EAAE,WAAW,KAAK,CAAC;AAG1D,UAAM,SAAS,IAAI,WAAW,OAAO;AACrC,UAAM,SAAS,IAAI,WAAW,IAAI;AAGlC,UAAM,iBAAiB;AAEvB,YAAQ,IAAI,yBAAyB;AAAA,MACnC,cAAc,MAAM,SAAS;AAAA,MAC7B,cAAc,MAAM,SAAS;AAAA,MAC7B,gBAAgB,MAAM;AAAA,IACxB,CAAC;AAAA,EACH;AAAA,EAEA,OAAO,aAAoC;AACzC,UAAM,QAAQ,KAAK,SAAS;AAG5B,QAAI,MAAM,gBAAgB;AACxB,YAAM,UAAU,KAAK,WAAW,MAAM,eAAe,SAAS;AAC9D,UAAI,WAAW,QAAQ,QAAQ,MAAM,eAAe,KAAK,KAAK;AAC5D,eAAO,MAAM;AAAA,MACf;AAAA,IACF;AAGA,eAAW,CAAC,WAAW,IAAI,KAAK,MAAM,SAAS,QAAQ,GAAG;AACxD,YAAM,UAAU,MAAM,SAAS,IAAI,SAAS;AAC5C,UAAI,WAAW,QAAQ,KAAK,QAAQ,KAAK,KAAK;AAE5C,cAAM,iBAAiB;AACvB,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,OAAO,WAAW,WAAmB,MAAY;AAC/C,UAAM,QAAQ,KAAK,SAAS;AAC5B,UAAM,SAAS,IAAI,WAAW,IAAI;AAAA,EACpC;AAAA,EAEA,OAAO,WAAW,WAAgC;AAChD,UAAM,QAAQ,KAAK,SAAS;AAC5B,WAAO,MAAM,SAAS,IAAI,SAAS,KAAK;AAAA,EAC1C;AAAA,EAEA,OAAO,QAAQ;AACb,UAAM,QAAQ,KAAK,SAAS;AAC5B,WAAO;AAAA,MACL,cAAc,MAAM,SAAS;AAAA,MAC7B,cAAc,MAAM,SAAS;AAAA,MAC7B,gBAAgB,MAAM;AAAA,MACtB,UAAU,MAAM,KAAK,MAAM,SAAS,QAAQ,CAAC;AAAA,MAC7C,UAAU,MAAM,KAAK,MAAM,SAAS,QAAQ,CAAC;AAAA,IAC/C;AAAA,EACF;AAAA,EAEA,OAAO,UAAU;AACf,UAAM,QAAQ,KAAK,SAAS;AAC5B,UAAM,cAAc;AAEpB,QAAI,MAAM,SAAS,OAAO,aAAa;AACrC,YAAM,OAAO,MAAM,KAAK,MAAM,SAAS,KAAK,CAAC;AAC7C,YAAM,WAAW,KAAK,MAAM,GAAG,KAAK,SAAS,WAAW;AAExD,eAAS,QAAQ,SAAO;AACtB,cAAM,SAAS,OAAO,GAAG;AACzB,cAAM,SAAS,OAAO,GAAG;AAAA,MAC3B,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAGO,MAAM,kCAAkC,CAC7C,KACA,KACA,eACG;AACH,MAAI,CAAC,IAAI,QAAQ,IAAI,gBAAgB,GAAG;AAItC,QAAI,QAAQ,IAAI,kBAAkB,CAAC,GAAG,IAAI,QAAQ,KAAK,CAAC,CAAC;AACzD,QAAI,QAAQ,QAAQ,CAAC,KAAK,QAAQ;AAChC,UAAI,QAAQ,IAAI,GAAG,wBAAwB,IAAI,GAAG,IAAI,GAAG;AAAA,IAC3D,CAAC;AAAA,EACH;AAGA,SAAO,QAAQ,UAAU,EAAE,QAAQ,CAAC,CAAC,KAAK,GAAG,MAAM;AACjD,QAAI,QAAQ,IAAI,kBAAkB,GAAG,IAAI,QAAQ,IAAI,gBAAgB,CAAC,IAAI,GAAG,EAAE;AAC/E,QAAI,QAAQ,IAAI,GAAG,wBAAwB,IAAI,GAAG,IAAI,GAAG;AAAA,EAC3D,CAAC;AACH;AAEO,SAAS,gBACd,KACA,KACA,cACU;AACV,QAAM,EAAE,QAAQ,OAAO,OAAO,IAAI;AAElC,MAAI,CAAC,KAAK;AACR,UAAM,2BAAa,KAAK;AAAA,EAC1B;AAGA,MAAI,IAAI,QAAQ,IAAI,iBAAAA,UAAc,QAAQ,YAAY,GAAG;AACvD,WAAO;AAAA,EACT;AAEA,MAAI;AAGJ,MAAI,IAAI,QAAQ,IAAI,iBAAAA,UAAc,QAAQ,UAAU,MAAM,KAAK;AAC7D,QAAI,QAAQ,OAAO,iBAAAA,UAAc,QAAQ,UAAU;AACnD,iBAAa,IAAI,IAAI,IAAI,GAAG;AAAA,EAC9B;AAGA,QAAM,mBAAmB,IAAI,QAAQ,IAAI,iBAAAA,UAAc,QAAQ,WAAW;AAE1E,MAAI,kBAAkB;AACpB,UAAM,SAAS,IAAI,IAAI,IAAI,GAAG;AAC9B,iBAAa,IAAI,IAAI,gBAAgB;AAGrC,QAAI,WAAW,WAAW,OAAO,QAAQ;AACvC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,MAAI,YAAY;AACd,oCAAgC,KAAK,KAAK;AAAA,MACxC,CAAC,yBAAU,QAAQ,UAAU,GAAG;AAAA,MAChC,CAAC,yBAAU,QAAQ,SAAS,GAAG,SAAS;AAAA,MACxC,CAAC,yBAAU,QAAQ,UAAU,GAAG,UAAU;AAAA,MAC1C,CAAC,yBAAU,QAAQ,aAAa,GAAG,IAAI,QAAQ,SAAS;AAAA,IAC1D,CAAC;AACD,QAAI,QAAQ,IAAI,iBAAAA,UAAc,QAAQ,aAAa,WAAW,IAAI;AAAA,EACpE;AAEA,SAAO;AACT;AAGO,MAAM,wBAAwB,CAAC,MAAe;AACnD,MAAI,EAAE,aAAa,UAAU,EAAE,aAAa,IAAI;AAC9C,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,QAAQ,IAAI;AAEpB,QAAM,iBAAiB,QAAQ,YAAY;AAC3C,QAAM,qBAAqB,eAAe,SAAS,sBAAsB;AACzE,QAAM,sBAAsB,eAAe,SAAS,6CAA6C;AAKjG,QAAM,aAAa;AAEnB,SAAO,WAAW,KAAK,OAAO,KAAK,sBAAsB;AAC3D;AAEA,eAAsB,mBAAyC;AAC7D,MAAI;AAGF,UAAM,EAAE,QAAQ,IAAI,MAAM,OAAO,cAAc;AAC/C,UAAM,kBAAkB,MAAM,QAAQ;AACtC,WAAO,IAAI,0BAAY,2BAA2B,EAAE,SAAS,gBAAgB,CAAC;AAAA,EAChF,SAAS,GAAQ;AAGf,QAAI,KAAK,sBAAsB,CAAC,GAAG;AACjC,YAAM;AAAA,IACR;AAEA,UAAM,IAAI;AAAA,MACR;AAAA;AAAA,kBAAiL,CAAC;AAAA,IACpL;AAAA,EACF;AACF;AAGO,SAAS,yBAAyB,gBAA4C;AACnF,QAAM,aAAa,eAEhB,MAAM,GAAG,EACT,IAAI,CAAAC,eAAaA,WAAU,KAAK,CAAC;AAIpC,QAAM,YACJ,WAAW,KAAK,SAAO,IAAI,WAAW,YAAY,CAAC,KAAK,WAAW,KAAK,SAAO,IAAI,WAAW,aAAa,CAAC;AAG9G,MAAI,CAAC,WAAW;AACd;AAAA,EACF;AAGA,QAAM,QAAQ,UACX,MAAM,GAAG,EAET,MAAM,CAAC,EACP,IAAI,YAAU,OAAO,KAAK,CAAC,EAE3B,KAAK,YAAU,OAAO,WAAW,SAAS,KAAK,OAAO,SAAS,KAAK,OAAO,SAAS,GAAG,CAAC,GAEvF,MAAM,GAAG,EAAE;AAGf,MAAI,CAAC,OAAO;AACV;AAAA,EACF;AAKA,MAAI,qBAAqB,KAAK,KAAK,GAAG;AACpC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;","names":["nextConstants","directive"]}
|
|
1
|
+
{"version":3,"sources":["../../../src/server/utils.ts"],"sourcesContent":["import type {\r\n RequestState,\r\n TernSecureRequest,\r\n} from \"@tern-secure/backend\";\r\nimport { constants } from \"@tern-secure/backend\";\r\nimport { NextRequest,NextResponse } from 'next/server';\r\n\r\nimport { constants as nextConstants } from \"../constants\";\r\nimport type { User } from \"./types\"\r\n\r\nconst OVERRIDE_HEADERS = 'x-middleware-override-headers';\r\nconst MIDDLEWARE_HEADER_PREFIX = 'x-middleware-request' as string;\r\n\r\ninterface RequestContext {\r\n user: User\r\n sessionId: string\r\n}\r\n\r\n// Use process.env in Node.js and globalThis in Edge\r\nconst getGlobalObject = () => {\r\n if (typeof process !== 'undefined') {\r\n return process\r\n }\r\n return globalThis\r\n}\r\n\r\nconst STORE_KEY = '__TERN_AUTH_STORE__'\r\n\r\nexport class Store {\r\n private static getStore() {\r\n const global = getGlobalObject() as any\r\n \r\n if (!global[STORE_KEY]) {\r\n global[STORE_KEY] = {\r\n contexts: new Map<string, RequestContext>(),\r\n sessions: new Map<string, User>(),\r\n currentSession: null as RequestContext | null\r\n }\r\n }\r\n \r\n return global[STORE_KEY]\r\n }\r\n\r\n static setContext(context: RequestContext) {\r\n const store = this.getStore()\r\n const { user, sessionId } = context\r\n \r\n console.log(\"Store: Setting context:\", { sessionId, user })\r\n \r\n // Store in both maps\r\n store.contexts.set(sessionId, context)\r\n store.sessions.set(sessionId, user)\r\n \r\n // Set as current session\r\n store.currentSession = context\r\n \r\n console.log(\"Store: Updated state:\", {\r\n contextsSize: store.contexts.size,\r\n sessionsSize: store.sessions.size,\r\n currentSession: store.currentSession\r\n })\r\n }\r\n\r\n static getContext(): RequestContext | null {\r\n const store = this.getStore()\r\n \r\n // First try current session\r\n if (store.currentSession) {\r\n const session = this.getSession(store.currentSession.sessionId)\r\n if (session && session.uid === store.currentSession.user.uid) {\r\n return store.currentSession\r\n }\r\n }\r\n \r\n // Then try to find any valid context\r\n for (const [sessionId, user] of store.sessions.entries()) {\r\n const context = store.contexts.get(sessionId)\r\n if (context && context.user.uid === user.uid) {\r\n // Update current session\r\n store.currentSession = context\r\n return context\r\n }\r\n }\r\n \r\n return null\r\n }\r\n\r\n static setSession(sessionId: string, user: User) {\r\n const store = this.getStore()\r\n store.sessions.set(sessionId, user)\r\n }\r\n\r\n static getSession(sessionId: string): User | null {\r\n const store = this.getStore()\r\n return store.sessions.get(sessionId) || null\r\n }\r\n\r\n static debug() {\r\n const store = this.getStore()\r\n return {\r\n contextsSize: store.contexts.size,\r\n sessionsSize: store.sessions.size,\r\n currentSession: store.currentSession,\r\n contexts: Array.from(store.contexts.entries()),\r\n sessions: Array.from(store.sessions.entries())\r\n }\r\n }\r\n\r\n static cleanup() {\r\n const store = this.getStore()\r\n const MAX_ENTRIES = 1000\r\n \r\n if (store.contexts.size > MAX_ENTRIES) {\r\n const keys = Array.from(store.contexts.keys())\r\n const toDelete = keys.slice(0, keys.length - MAX_ENTRIES)\r\n \r\n toDelete.forEach(key => {\r\n store.contexts.delete(key)\r\n store.sessions.delete(key)\r\n })\r\n }\r\n }\r\n}\r\n\r\n\r\nexport const setRequestHeadersOnNextResponse = (\r\n res: NextResponse | Response,\r\n req: Request,\r\n newHeaders: Record<string, string>,\r\n) => {\r\n if (!res.headers.get(OVERRIDE_HEADERS)) {\r\n // Emulate a user setting overrides by explicitly adding the required nextjs headers\r\n // https://github.com/vercel/next.js/pull/41380\r\n // @ts-expect-error -- property keys does not exist on type Headers\r\n res.headers.set(OVERRIDE_HEADERS, [...req.headers.keys()]);\r\n req.headers.forEach((val, key) => {\r\n res.headers.set(`${MIDDLEWARE_HEADER_PREFIX}-${key}`, val);\r\n });\r\n }\r\n\r\n // Now that we have normalised res to include overrides, just append the new header\r\n Object.entries(newHeaders).forEach(([key, val]) => {\r\n res.headers.set(OVERRIDE_HEADERS, `${res.headers.get(OVERRIDE_HEADERS)},${key}`);\r\n res.headers.set(`${MIDDLEWARE_HEADER_PREFIX}-${key}`, val);\r\n });\r\n};\r\n\r\nexport function decorateRequest(\r\n req: TernSecureRequest,\r\n res: Response,\r\n requestState: RequestState,\r\n appCheckToken?: string,\r\n): Response {\r\n const { reason, token, status } = requestState;\r\n // pass-through case, convert to next()\r\n if (!res) {\r\n res = NextResponse.next();\r\n }\r\n\r\n // redirect() case, return early\r\n if (res.headers.get(nextConstants.Headers.NextRedirect)) {\r\n return res;\r\n }\r\n\r\n let rewriteURL;\r\n\r\n // next() case, convert to a rewrite\r\n if (res.headers.get(nextConstants.Headers.NextResume) === '1') {\r\n res.headers.delete(nextConstants.Headers.NextResume);\r\n rewriteURL = new URL(req.url);\r\n }\r\n\r\n // rewrite() case, set auth result only if origin remains the same\r\n const rewriteURLHeader = res.headers.get(nextConstants.Headers.NextRewrite);\r\n\r\n if (rewriteURLHeader) {\r\n const reqURL = new URL(req.url);\r\n rewriteURL = new URL(rewriteURLHeader);\r\n\r\n // if the origin has changed, return early\r\n if (rewriteURL.origin !== reqURL.origin) {\r\n return res;\r\n }\r\n }\r\n\r\n if (rewriteURL) {\r\n setRequestHeadersOnNextResponse(res, req, {\r\n [constants.Headers.AuthStatus]: status,\r\n [constants.Headers.AuthToken]: token || '',\r\n [constants.Headers.AppCheckToken]: appCheckToken || req.headers.get(constants.Headers.AppCheckToken) || '',\r\n [constants.Headers.AuthReason]: reason || '',\r\n [constants.Headers.TernSecureUrl]: req.ternUrl.toString(),\r\n });\r\n res.headers.set(nextConstants.Headers.NextRewrite, rewriteURL.href);\r\n }\r\n\r\n return res;\r\n}\r\n\r\n\r\nexport const isPrerenderingBailout = (e: unknown) => {\r\n if (!(e instanceof Error) || !('message' in e)) {\r\n return false;\r\n }\r\n\r\n const { message } = e;\r\n\r\n const lowerCaseInput = message.toLowerCase();\r\n const dynamicServerUsage = lowerCaseInput.includes('dynamic server usage');\r\n const bailOutPrerendering = lowerCaseInput.includes('this page needs to bail out of prerendering');\r\n\r\n // note: new error message syntax introduced in next@14.1.1-canary.21\r\n // but we still want to support older versions.\r\n // https://github.com/vercel/next.js/pull/61332 (dynamic-rendering.ts:153)\r\n const routeRegex = /Route .*? needs to bail out of prerendering at this point because it used .*?./;\r\n\r\n return routeRegex.test(message) || dynamicServerUsage || bailOutPrerendering;\r\n};\r\n\r\nexport async function buildRequestLike(): Promise<NextRequest> {\r\n try {\r\n // Dynamically import next/headers, otherwise Next12 apps will break\r\n // @ts-expect-error: Cannot find module 'next/headers' or its corresponding type declarations.ts(2307)\r\n const { headers } = await import('next/headers');\r\n const resolvedHeaders = await headers();\r\n return new NextRequest('https://placeholder.com', { headers: resolvedHeaders });\r\n } catch (e: any) {\r\n // rethrow the error when react throws a prerendering bailout\r\n // https://nextjs.org/docs/messages/ppr-caught-error\r\n if (e && isPrerenderingBailout(e)) {\r\n throw e;\r\n }\r\n\r\n throw new Error(\r\n `TernSecure: auth(), currentUser() and ternSecureClient(), are only supported in App Router (/app directory).\\nIf you're using /pages, try getAuth() instead.\\nOriginal error: ${e}`,\r\n );\r\n }\r\n}\r\n\r\n// Original source: https://github.com/vercel/next.js/blob/canary/packages/next/src/server/app-render/get-script-nonce-from-header.tsx\r\nexport function getScriptNonceFromHeader(cspHeaderValue: string): string | undefined {\r\n const directives = cspHeaderValue\r\n // Directives are split by ';'.\r\n .split(';')\r\n .map(directive => directive.trim());\r\n\r\n // First try to find the directive for the 'script-src', otherwise try to\r\n // fallback to the 'default-src'.\r\n const directive =\r\n directives.find(dir => dir.startsWith('script-src')) || directives.find(dir => dir.startsWith('default-src'));\r\n\r\n // If no directive could be found, then we're done.\r\n if (!directive) {\r\n return;\r\n }\r\n\r\n // Extract the nonce from the directive\r\n const nonce = directive\r\n .split(' ')\r\n // Remove the 'strict-src'/'default-src' string, this can't be the nonce.\r\n .slice(1)\r\n .map(source => source.trim())\r\n // Find the first source with the 'nonce-' prefix.\r\n .find(source => source.startsWith(\"'nonce-\") && source.length > 8 && source.endsWith(\"'\"))\r\n // Grab the nonce by trimming the 'nonce-' prefix.\r\n ?.slice(7, -1);\r\n\r\n // If we couldn't find the nonce, then we're done.\r\n if (!nonce) {\r\n return;\r\n }\r\n\r\n // Don't accept the nonce value if it contains HTML escape characters.\r\n // Technically, the spec requires a base64'd value, but this is just an\r\n // extra layer.\r\n if (/[&><\\u2028\\u2029]/g.test(nonce)) {\r\n throw new Error(\r\n 'Nonce value from Content-Security-Policy contained invalid HTML escape characters, which is disallowed for security reasons. Make sure that your nonce value does not contain the following characters: `<`, `>`, `&`',\r\n );\r\n }\r\n\r\n return nonce;\r\n}\r\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,qBAA0B;AAC1B,oBAAyC;AAEzC,uBAA2C;AAG3C,MAAM,mBAAmB;AACzB,MAAM,2BAA2B;AAQjC,MAAM,kBAAkB,MAAM;AAC5B,MAAI,OAAO,YAAY,aAAa;AAClC,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,MAAM,YAAY;AAEX,MAAM,MAAM;AAAA,EACjB,OAAe,WAAW;AACxB,UAAM,SAAS,gBAAgB;AAE/B,QAAI,CAAC,OAAO,SAAS,GAAG;AACtB,aAAO,SAAS,IAAI;AAAA,QAClB,UAAU,oBAAI,IAA4B;AAAA,QAC1C,UAAU,oBAAI,IAAkB;AAAA,QAChC,gBAAgB;AAAA,MAClB;AAAA,IACF;AAEA,WAAO,OAAO,SAAS;AAAA,EACzB;AAAA,EAEA,OAAO,WAAW,SAAyB;AACzC,UAAM,QAAQ,KAAK,SAAS;AAC5B,UAAM,EAAE,MAAM,UAAU,IAAI;AAE5B,YAAQ,IAAI,2BAA2B,EAAE,WAAW,KAAK,CAAC;AAG1D,UAAM,SAAS,IAAI,WAAW,OAAO;AACrC,UAAM,SAAS,IAAI,WAAW,IAAI;AAGlC,UAAM,iBAAiB;AAEvB,YAAQ,IAAI,yBAAyB;AAAA,MACnC,cAAc,MAAM,SAAS;AAAA,MAC7B,cAAc,MAAM,SAAS;AAAA,MAC7B,gBAAgB,MAAM;AAAA,IACxB,CAAC;AAAA,EACH;AAAA,EAEA,OAAO,aAAoC;AACzC,UAAM,QAAQ,KAAK,SAAS;AAG5B,QAAI,MAAM,gBAAgB;AACxB,YAAM,UAAU,KAAK,WAAW,MAAM,eAAe,SAAS;AAC9D,UAAI,WAAW,QAAQ,QAAQ,MAAM,eAAe,KAAK,KAAK;AAC5D,eAAO,MAAM;AAAA,MACf;AAAA,IACF;AAGA,eAAW,CAAC,WAAW,IAAI,KAAK,MAAM,SAAS,QAAQ,GAAG;AACxD,YAAM,UAAU,MAAM,SAAS,IAAI,SAAS;AAC5C,UAAI,WAAW,QAAQ,KAAK,QAAQ,KAAK,KAAK;AAE5C,cAAM,iBAAiB;AACvB,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,OAAO,WAAW,WAAmB,MAAY;AAC/C,UAAM,QAAQ,KAAK,SAAS;AAC5B,UAAM,SAAS,IAAI,WAAW,IAAI;AAAA,EACpC;AAAA,EAEA,OAAO,WAAW,WAAgC;AAChD,UAAM,QAAQ,KAAK,SAAS;AAC5B,WAAO,MAAM,SAAS,IAAI,SAAS,KAAK;AAAA,EAC1C;AAAA,EAEA,OAAO,QAAQ;AACb,UAAM,QAAQ,KAAK,SAAS;AAC5B,WAAO;AAAA,MACL,cAAc,MAAM,SAAS;AAAA,MAC7B,cAAc,MAAM,SAAS;AAAA,MAC7B,gBAAgB,MAAM;AAAA,MACtB,UAAU,MAAM,KAAK,MAAM,SAAS,QAAQ,CAAC;AAAA,MAC7C,UAAU,MAAM,KAAK,MAAM,SAAS,QAAQ,CAAC;AAAA,IAC/C;AAAA,EACF;AAAA,EAEA,OAAO,UAAU;AACf,UAAM,QAAQ,KAAK,SAAS;AAC5B,UAAM,cAAc;AAEpB,QAAI,MAAM,SAAS,OAAO,aAAa;AACrC,YAAM,OAAO,MAAM,KAAK,MAAM,SAAS,KAAK,CAAC;AAC7C,YAAM,WAAW,KAAK,MAAM,GAAG,KAAK,SAAS,WAAW;AAExD,eAAS,QAAQ,SAAO;AACtB,cAAM,SAAS,OAAO,GAAG;AACzB,cAAM,SAAS,OAAO,GAAG;AAAA,MAC3B,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAGO,MAAM,kCAAkC,CAC7C,KACA,KACA,eACG;AACH,MAAI,CAAC,IAAI,QAAQ,IAAI,gBAAgB,GAAG;AAItC,QAAI,QAAQ,IAAI,kBAAkB,CAAC,GAAG,IAAI,QAAQ,KAAK,CAAC,CAAC;AACzD,QAAI,QAAQ,QAAQ,CAAC,KAAK,QAAQ;AAChC,UAAI,QAAQ,IAAI,GAAG,wBAAwB,IAAI,GAAG,IAAI,GAAG;AAAA,IAC3D,CAAC;AAAA,EACH;AAGA,SAAO,QAAQ,UAAU,EAAE,QAAQ,CAAC,CAAC,KAAK,GAAG,MAAM;AACjD,QAAI,QAAQ,IAAI,kBAAkB,GAAG,IAAI,QAAQ,IAAI,gBAAgB,CAAC,IAAI,GAAG,EAAE;AAC/E,QAAI,QAAQ,IAAI,GAAG,wBAAwB,IAAI,GAAG,IAAI,GAAG;AAAA,EAC3D,CAAC;AACH;AAEO,SAAS,gBACd,KACA,KACA,cACA,eACU;AACV,QAAM,EAAE,QAAQ,OAAO,OAAO,IAAI;AAElC,MAAI,CAAC,KAAK;AACR,UAAM,2BAAa,KAAK;AAAA,EAC1B;AAGA,MAAI,IAAI,QAAQ,IAAI,iBAAAA,UAAc,QAAQ,YAAY,GAAG;AACvD,WAAO;AAAA,EACT;AAEA,MAAI;AAGJ,MAAI,IAAI,QAAQ,IAAI,iBAAAA,UAAc,QAAQ,UAAU,MAAM,KAAK;AAC7D,QAAI,QAAQ,OAAO,iBAAAA,UAAc,QAAQ,UAAU;AACnD,iBAAa,IAAI,IAAI,IAAI,GAAG;AAAA,EAC9B;AAGA,QAAM,mBAAmB,IAAI,QAAQ,IAAI,iBAAAA,UAAc,QAAQ,WAAW;AAE1E,MAAI,kBAAkB;AACpB,UAAM,SAAS,IAAI,IAAI,IAAI,GAAG;AAC9B,iBAAa,IAAI,IAAI,gBAAgB;AAGrC,QAAI,WAAW,WAAW,OAAO,QAAQ;AACvC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,MAAI,YAAY;AACd,oCAAgC,KAAK,KAAK;AAAA,MACxC,CAAC,yBAAU,QAAQ,UAAU,GAAG;AAAA,MAChC,CAAC,yBAAU,QAAQ,SAAS,GAAG,SAAS;AAAA,MACxC,CAAC,yBAAU,QAAQ,aAAa,GAAG,iBAAiB,IAAI,QAAQ,IAAI,yBAAU,QAAQ,aAAa,KAAK;AAAA,MACxG,CAAC,yBAAU,QAAQ,UAAU,GAAG,UAAU;AAAA,MAC1C,CAAC,yBAAU,QAAQ,aAAa,GAAG,IAAI,QAAQ,SAAS;AAAA,IAC1D,CAAC;AACD,QAAI,QAAQ,IAAI,iBAAAA,UAAc,QAAQ,aAAa,WAAW,IAAI;AAAA,EACpE;AAEA,SAAO;AACT;AAGO,MAAM,wBAAwB,CAAC,MAAe;AACnD,MAAI,EAAE,aAAa,UAAU,EAAE,aAAa,IAAI;AAC9C,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,QAAQ,IAAI;AAEpB,QAAM,iBAAiB,QAAQ,YAAY;AAC3C,QAAM,qBAAqB,eAAe,SAAS,sBAAsB;AACzE,QAAM,sBAAsB,eAAe,SAAS,6CAA6C;AAKjG,QAAM,aAAa;AAEnB,SAAO,WAAW,KAAK,OAAO,KAAK,sBAAsB;AAC3D;AAEA,eAAsB,mBAAyC;AAC7D,MAAI;AAGF,UAAM,EAAE,QAAQ,IAAI,MAAM,OAAO,cAAc;AAC/C,UAAM,kBAAkB,MAAM,QAAQ;AACtC,WAAO,IAAI,0BAAY,2BAA2B,EAAE,SAAS,gBAAgB,CAAC;AAAA,EAChF,SAAS,GAAQ;AAGf,QAAI,KAAK,sBAAsB,CAAC,GAAG;AACjC,YAAM;AAAA,IACR;AAEA,UAAM,IAAI;AAAA,MACR;AAAA;AAAA,kBAAiL,CAAC;AAAA,IACpL;AAAA,EACF;AACF;AAGO,SAAS,yBAAyB,gBAA4C;AACnF,QAAM,aAAa,eAEhB,MAAM,GAAG,EACT,IAAI,CAAAC,eAAaA,WAAU,KAAK,CAAC;AAIpC,QAAM,YACJ,WAAW,KAAK,SAAO,IAAI,WAAW,YAAY,CAAC,KAAK,WAAW,KAAK,SAAO,IAAI,WAAW,aAAa,CAAC;AAG9G,MAAI,CAAC,WAAW;AACd;AAAA,EACF;AAGA,QAAM,QAAQ,UACX,MAAM,GAAG,EAET,MAAM,CAAC,EACP,IAAI,YAAU,OAAO,KAAK,CAAC,EAE3B,KAAK,YAAU,OAAO,WAAW,SAAS,KAAK,OAAO,SAAS,KAAK,OAAO,SAAS,GAAG,CAAC,GAEvF,MAAM,GAAG,EAAE;AAGf,MAAI,CAAC,OAAO;AACV;AAAA,EACF;AAKA,MAAI,qBAAqB,KAAK,KAAK,GAAG;AACpC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;","names":["nextConstants","directive"]}
|