@thirdweb-dev/service-utils 0.0.0-dev-b4ddcd1-20230714194904 → 0.0.0-dev-11d3fa6-20230714225821
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/cf-worker/dist/thirdweb-dev-service-utils-cf-worker.cjs.dev.js +4 -2
- package/cf-worker/dist/thirdweb-dev-service-utils-cf-worker.cjs.prod.js +4 -2
- package/cf-worker/dist/thirdweb-dev-service-utils-cf-worker.esm.js +4 -2
- package/dist/declarations/src/cf-worker/index.d.ts.map +1 -1
- package/dist/declarations/src/core/api.d.ts.map +1 -1
- package/dist/declarations/src/core/authorize/index.d.ts +2 -1
- package/dist/declarations/src/core/authorize/index.d.ts.map +1 -1
- package/dist/declarations/src/core/authorize/types.d.ts +1 -1
- package/dist/declarations/src/core/authorize/types.d.ts.map +1 -1
- package/dist/declarations/src/core/types.d.ts +2 -1
- package/dist/declarations/src/core/types.d.ts.map +1 -1
- package/dist/declarations/src/node/index.d.ts.map +1 -1
- package/dist/{index-bc2b86a5.cjs.prod.js → index-03e2bf97.cjs.dev.js} +27 -14
- package/dist/{index-ded83ecc.cjs.dev.js → index-2facafef.cjs.prod.js} +27 -14
- package/dist/{index-1125bae0.esm.js → index-e7c3b3be.esm.js} +27 -14
- package/node/dist/thirdweb-dev-service-utils-node.cjs.dev.js +10 -5
- package/node/dist/thirdweb-dev-service-utils-node.cjs.prod.js +10 -5
- package/node/dist/thirdweb-dev-service-utils-node.esm.js +10 -5
- package/package.json +1 -1
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
Object.defineProperty(exports, '__esModule', { value: true });
|
|
4
4
|
|
|
5
|
-
var index = require('../../dist/index-
|
|
5
|
+
var index = require('../../dist/index-03e2bf97.cjs.dev.js');
|
|
6
6
|
var services = require('../../dist/services-a3f36057.cjs.dev.js');
|
|
7
7
|
|
|
8
8
|
const DEFAULT_CACHE_TTL_SECONDS = 60;
|
|
@@ -93,7 +93,9 @@ async function extractAuthorizationData(authInput) {
|
|
|
93
93
|
clientId,
|
|
94
94
|
origin,
|
|
95
95
|
bundleId,
|
|
96
|
-
secretKeyHash
|
|
96
|
+
secretKeyHash,
|
|
97
|
+
targetAddress: authInput.targetAddress,
|
|
98
|
+
enforceAuth: authInput.enforcedAuth
|
|
97
99
|
};
|
|
98
100
|
}
|
|
99
101
|
async function hashSecretKey(secretKey) {
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
Object.defineProperty(exports, '__esModule', { value: true });
|
|
4
4
|
|
|
5
|
-
var index = require('../../dist/index-
|
|
5
|
+
var index = require('../../dist/index-2facafef.cjs.prod.js');
|
|
6
6
|
var services = require('../../dist/services-9e185105.cjs.prod.js');
|
|
7
7
|
|
|
8
8
|
const DEFAULT_CACHE_TTL_SECONDS = 60;
|
|
@@ -93,7 +93,9 @@ async function extractAuthorizationData(authInput) {
|
|
|
93
93
|
clientId,
|
|
94
94
|
origin,
|
|
95
95
|
bundleId,
|
|
96
|
-
secretKeyHash
|
|
96
|
+
secretKeyHash,
|
|
97
|
+
targetAddress: authInput.targetAddress,
|
|
98
|
+
enforceAuth: authInput.enforcedAuth
|
|
97
99
|
};
|
|
98
100
|
}
|
|
99
101
|
async function hashSecretKey(secretKey) {
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { a as authorize } from '../../dist/index-
|
|
1
|
+
import { a as authorize } from '../../dist/index-e7c3b3be.esm.js';
|
|
2
2
|
export { b as SERVICES, S as SERVICE_DEFINITIONS, a as SERVICE_NAMES, g as getServiceByName } from '../../dist/services-86283509.esm.js';
|
|
3
3
|
|
|
4
4
|
const DEFAULT_CACHE_TTL_SECONDS = 60;
|
|
@@ -89,7 +89,9 @@ async function extractAuthorizationData(authInput) {
|
|
|
89
89
|
clientId,
|
|
90
90
|
origin,
|
|
91
91
|
bundleId,
|
|
92
|
-
secretKeyHash
|
|
92
|
+
secretKeyHash,
|
|
93
|
+
targetAddress: authInput.targetAddress,
|
|
94
|
+
enforceAuth: authInput.enforcedAuth
|
|
93
95
|
};
|
|
94
96
|
}
|
|
95
97
|
async function hashSecretKey(secretKey) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"../../../../src/cf-worker","sources":["index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAC/E,OAAO,KAAK,EAAkB,iBAAiB,EAAE,uBAAoB;AAGrE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,2BAA2B,CAAC;AAEzD,OAAO,KAAK,EAAE,mBAAmB,EAAE,mCAAgC;AACnE,OAAO,KAAK,EAAE,aAAa,EAAE,yBAAsB;AAEnD,oCAAiC;AAEjC,KAAK,mBAAmB,GAAG,iBAAiB,GAAG;IAC7C,OAAO,EAAE,WAAW,CAAC;IACrB,GAAG,EAAE,gBAAgB,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAIF,KAAK,SAAS,GAAG,aAAa,GAAG;IAC/B,GAAG,EAAE,OAAO,CAAC;CACd,CAAC;AAEF,wBAAsB,eAAe,CACnC,SAAS,EAAE,SAAS,EACpB,aAAa,EAAE,mBAAmB,GACjC,OAAO,CAAC,mBAAmB,CAAC,CA0C9B;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"../../../../src/cf-worker","sources":["index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAC/E,OAAO,KAAK,EAAkB,iBAAiB,EAAE,uBAAoB;AAGrE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,2BAA2B,CAAC;AAEzD,OAAO,KAAK,EAAE,mBAAmB,EAAE,mCAAgC;AACnE,OAAO,KAAK,EAAE,aAAa,EAAE,yBAAsB;AAEnD,oCAAiC;AAEjC,KAAK,mBAAmB,GAAG,iBAAiB,GAAG;IAC7C,OAAO,EAAE,WAAW,CAAC;IACrB,GAAG,EAAE,gBAAgB,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAIF,KAAK,SAAS,GAAG,aAAa,GAAG;IAC/B,GAAG,EAAE,OAAO,CAAC;CACd,CAAC;AAEF,wBAAsB,eAAe,CACnC,SAAS,EAAE,SAAS,EACpB,aAAa,EAAE,mBAAmB,GACjC,OAAO,CAAC,mBAAmB,CAAC,CA0C9B;AAqED,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,mBAIpD;AAED,wBAAgB,+BAA+B,CAAC,aAAa,EAAE,MAAM,UAEpE"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"api.d.ts","sourceRoot":"../../../../src/core","sources":["api.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,sBAAmB;AAE9C,MAAM,MAAM,iBAAiB,GAAG;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,WAAW,CAAC;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,oBAAoB,EAAE,MAAM,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,QAAQ,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,EAAE,CAAC;CACL,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH,CAAC;AAEF,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,iBAAiB,GACxB,OAAO,CAAC,WAAW,CAAC,
|
|
1
|
+
{"version":3,"file":"api.d.ts","sourceRoot":"../../../../src/core","sources":["api.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,sBAAmB;AAE9C,MAAM,MAAM,iBAAiB,GAAG;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,WAAW,CAAC;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,oBAAoB,EAAE,MAAM,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,QAAQ,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,EAAE,CAAC;CACL,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH,CAAC;AAEF,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,iBAAiB,GACxB,OAAO,CAAC,WAAW,CAAC,CAgBtB"}
|
|
@@ -6,7 +6,8 @@ export type AuthorizationInput = {
|
|
|
6
6
|
origin: string | null;
|
|
7
7
|
bundleId: string | null;
|
|
8
8
|
secretKeyHash: string | null;
|
|
9
|
-
targetAddress?: string;
|
|
9
|
+
targetAddress?: string | string[];
|
|
10
|
+
enforceAuth: boolean;
|
|
10
11
|
};
|
|
11
12
|
type CacheOptions = {
|
|
12
13
|
get: (clientId: string) => Promise<string | null>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"../../../../../src/core/authorize","sources":["index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,iBAAiB,EAElB,kBAAe;AAGhB,OAAO,EAAE,mBAAmB,EAAE,mBAAgB;AAE9C,MAAM,MAAM,kBAAkB,GAAG;IAC/B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"../../../../../src/core/authorize","sources":["index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,iBAAiB,EAElB,kBAAe;AAGhB,OAAO,EAAE,mBAAmB,EAAE,mBAAgB;AAE9C,MAAM,MAAM,kBAAkB,GAAG;IAC/B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAClC,WAAW,EAAE,OAAO,CAAC;CACtB,CAAC;AAEF,KAAK,YAAY,GAAG;IAClB,GAAG,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAClD,GAAG,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACtE,eAAe,EAAE,MAAM,CAAC;CACzB,CAAC;AASF,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,kBAAkB,EAC5B,aAAa,EAAE,iBAAiB,EAChC,YAAY,CAAC,EAAE,YAAY,GAC1B,OAAO,CAAC,mBAAmB,CAAC,CA+H9B"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"../../../../../src/core/authorize","sources":["types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,kBAAe;AAExC,MAAM,MAAM,mBAAmB,GAC3B;IACE,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"../../../../../src/core/authorize","sources":["types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,kBAAe;AAExC,MAAM,MAAM,mBAAmB,GAC3B;IACE,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,cAAc,GAAG,IAAI,CAAC;CACnC,GACD;IACE,UAAU,EAAE,KAAK,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"../../../../src/core","sources":["types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,GAAG;IAE1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,aAAa,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"../../../../src/core","sources":["types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,GAAG;IAE1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAElC,YAAY,EAAE,OAAO,CAAC;CACvB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"../../../../src/node","sources":["index.ts"],"names":[],"mappings":";AAAA,OAAO,KAAK,EAAuB,eAAe,EAAE,MAAM,WAAW,CAAC;AAEtE,OAAO,KAAK,EAAE,kBAAkB,EAAE,mCAA0B;AAC5D,OAAO,KAAK,EAAE,iBAAiB,EAAE,uBAAoB;AAErD,OAAO,KAAK,EAAE,mBAAmB,EAAE,mCAAgC;AACnE,OAAO,KAAK,EAAE,aAAa,EAAE,yBAAsB;AAEnD,oCAAiC;AAEjC,KAAK,iBAAiB,GAAG,iBAAiB,CAAC;AAE3C,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG;IACtC,GAAG,EAAE,eAAe,CAAC;CACtB,CAAC;AAEF,wBAAsB,aAAa,CACjC,SAAS,EAAE,SAAS,EACpB,aAAa,EAAE,iBAAiB,GAC/B,OAAO,CAAC,mBAAmB,CAAC,CAsB9B;AAaD,wBAAgB,wBAAwB,CACtC,SAAS,EAAE,SAAS,GACnB,kBAAkB,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"../../../../src/node","sources":["index.ts"],"names":[],"mappings":";AAAA,OAAO,KAAK,EAAuB,eAAe,EAAE,MAAM,WAAW,CAAC;AAEtE,OAAO,KAAK,EAAE,kBAAkB,EAAE,mCAA0B;AAC5D,OAAO,KAAK,EAAE,iBAAiB,EAAE,uBAAoB;AAErD,OAAO,KAAK,EAAE,mBAAmB,EAAE,mCAAgC;AACnE,OAAO,KAAK,EAAE,aAAa,EAAE,yBAAsB;AAEnD,oCAAiC;AAEjC,KAAK,iBAAiB,GAAG,iBAAiB,CAAC;AAE3C,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG;IACtC,GAAG,EAAE,eAAe,CAAC;CACtB,CAAC;AAEF,wBAAsB,aAAa,CACjC,SAAS,EAAE,SAAS,EACpB,aAAa,EAAE,iBAAiB,GAC/B,OAAO,CAAC,mBAAmB,CAAC,CAsB9B;AAaD,wBAAgB,wBAAwB,CACtC,SAAS,EAAE,SAAS,GACnB,kBAAkB,CAyEpB;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,UAE9C;AAED,wBAAgB,+BAA+B,CAAC,aAAa,EAAE,MAAM,UAEpE"}
|
|
@@ -6,10 +6,8 @@ async function fetchKeyMetadataFromApi(clientId, config) {
|
|
|
6
6
|
serviceScope,
|
|
7
7
|
serviceApiKey
|
|
8
8
|
} = config;
|
|
9
|
-
const url =
|
|
10
|
-
url
|
|
11
|
-
url.searchParams.set("scope", serviceScope);
|
|
12
|
-
const response = await fetch(url.href, {
|
|
9
|
+
const url = `${apiUrl}/v1/keys/use?clientId=${clientId}&scope=${serviceScope}`;
|
|
10
|
+
const response = await fetch(url, {
|
|
13
11
|
method: "GET",
|
|
14
12
|
headers: {
|
|
15
13
|
"x-service-api-key": serviceApiKey,
|
|
@@ -114,8 +112,6 @@ function authorizeService(apiKeyMetadata, serviceConfig, authorizationPayload) {
|
|
|
114
112
|
const {
|
|
115
113
|
services
|
|
116
114
|
} = apiKeyMetadata;
|
|
117
|
-
// const { serviceTargetAddresses, serviceAction } = validations;
|
|
118
|
-
|
|
119
115
|
// validate services
|
|
120
116
|
const service = services.find(srv => srv.name === serviceConfig.serviceScope);
|
|
121
117
|
if (!service) {
|
|
@@ -143,11 +139,12 @@ function authorizeService(apiKeyMetadata, serviceConfig, authorizationPayload) {
|
|
|
143
139
|
// validate service target addresses
|
|
144
140
|
// the service has to pass in the target address for this to be validated
|
|
145
141
|
if (authorizationPayload?.targetAddress) {
|
|
146
|
-
const
|
|
147
|
-
|
|
142
|
+
const checkedAddresses = Array.isArray(authorizationPayload.targetAddress) ? authorizationPayload.targetAddress : [authorizationPayload.targetAddress];
|
|
143
|
+
const allAllowed = service.targetAddresses.includes("*");
|
|
144
|
+
if (!allAllowed && checkedAddresses.some(ta => !service.targetAddresses.includes(ta))) {
|
|
148
145
|
return {
|
|
149
146
|
authorized: false,
|
|
150
|
-
errorMessage: `The service "${serviceConfig.serviceScope}" target address
|
|
147
|
+
errorMessage: `The service "${serviceConfig.serviceScope}" target address is not authorized for this key.`,
|
|
151
148
|
errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
|
|
152
149
|
status: 403
|
|
153
150
|
};
|
|
@@ -160,8 +157,24 @@ function authorizeService(apiKeyMetadata, serviceConfig, authorizationPayload) {
|
|
|
160
157
|
}
|
|
161
158
|
|
|
162
159
|
async function authorize(authData, serviceConfig, cacheOptions) {
|
|
160
|
+
const {
|
|
161
|
+
clientId,
|
|
162
|
+
targetAddress,
|
|
163
|
+
enforceAuth,
|
|
164
|
+
secretKeyHash
|
|
165
|
+
} = authData;
|
|
166
|
+
|
|
167
|
+
// BACKWARDS COMPAT: if auth not enforced and
|
|
168
|
+
// we don't have auth credentials bypass
|
|
169
|
+
if (!enforceAuth && !clientId && !secretKeyHash) {
|
|
170
|
+
return {
|
|
171
|
+
authorized: true,
|
|
172
|
+
apiKeyMeta: null
|
|
173
|
+
};
|
|
174
|
+
}
|
|
175
|
+
|
|
163
176
|
// if we don't have a client id at this point we can't authorize
|
|
164
|
-
if (!
|
|
177
|
+
if (!clientId) {
|
|
165
178
|
return {
|
|
166
179
|
authorized: false,
|
|
167
180
|
status: 401,
|
|
@@ -173,7 +186,7 @@ async function authorize(authData, serviceConfig, cacheOptions) {
|
|
|
173
186
|
// if we have cache options we want to check the cache first
|
|
174
187
|
if (cacheOptions) {
|
|
175
188
|
try {
|
|
176
|
-
const cachedKey = await cacheOptions.get(
|
|
189
|
+
const cachedKey = await cacheOptions.get(clientId);
|
|
177
190
|
if (cachedKey) {
|
|
178
191
|
const parsed = JSON.parse(cachedKey);
|
|
179
192
|
if ("updatedAt" in parsed) {
|
|
@@ -201,7 +214,7 @@ async function authorize(authData, serviceConfig, cacheOptions) {
|
|
|
201
214
|
const {
|
|
202
215
|
data,
|
|
203
216
|
error
|
|
204
|
-
} = await fetchKeyMetadataFromApi(
|
|
217
|
+
} = await fetchKeyMetadataFromApi(clientId, serviceConfig);
|
|
205
218
|
if (error) {
|
|
206
219
|
return {
|
|
207
220
|
authorized: false,
|
|
@@ -223,7 +236,7 @@ async function authorize(authData, serviceConfig, cacheOptions) {
|
|
|
223
236
|
// cache the retrieved key if we have cache options
|
|
224
237
|
if (cacheOptions) {
|
|
225
238
|
// we await this always because it can be a promise or not
|
|
226
|
-
await cacheOptions.put(
|
|
239
|
+
await cacheOptions.put(clientId, data);
|
|
227
240
|
}
|
|
228
241
|
} catch (err) {
|
|
229
242
|
console.warn("failed to fetch key metadata from api", err);
|
|
@@ -256,7 +269,7 @@ async function authorize(authData, serviceConfig, cacheOptions) {
|
|
|
256
269
|
|
|
257
270
|
// if we've made it this far we need to check service specific authorization
|
|
258
271
|
const serviceAuth = authorizeService(apiKeyMeta, serviceConfig, {
|
|
259
|
-
targetAddress
|
|
272
|
+
targetAddress
|
|
260
273
|
});
|
|
261
274
|
if (!serviceAuth.authorized) {
|
|
262
275
|
return {
|
|
@@ -6,10 +6,8 @@ async function fetchKeyMetadataFromApi(clientId, config) {
|
|
|
6
6
|
serviceScope,
|
|
7
7
|
serviceApiKey
|
|
8
8
|
} = config;
|
|
9
|
-
const url =
|
|
10
|
-
url
|
|
11
|
-
url.searchParams.set("scope", serviceScope);
|
|
12
|
-
const response = await fetch(url.href, {
|
|
9
|
+
const url = `${apiUrl}/v1/keys/use?clientId=${clientId}&scope=${serviceScope}`;
|
|
10
|
+
const response = await fetch(url, {
|
|
13
11
|
method: "GET",
|
|
14
12
|
headers: {
|
|
15
13
|
"x-service-api-key": serviceApiKey,
|
|
@@ -114,8 +112,6 @@ function authorizeService(apiKeyMetadata, serviceConfig, authorizationPayload) {
|
|
|
114
112
|
const {
|
|
115
113
|
services
|
|
116
114
|
} = apiKeyMetadata;
|
|
117
|
-
// const { serviceTargetAddresses, serviceAction } = validations;
|
|
118
|
-
|
|
119
115
|
// validate services
|
|
120
116
|
const service = services.find(srv => srv.name === serviceConfig.serviceScope);
|
|
121
117
|
if (!service) {
|
|
@@ -143,11 +139,12 @@ function authorizeService(apiKeyMetadata, serviceConfig, authorizationPayload) {
|
|
|
143
139
|
// validate service target addresses
|
|
144
140
|
// the service has to pass in the target address for this to be validated
|
|
145
141
|
if (authorizationPayload?.targetAddress) {
|
|
146
|
-
const
|
|
147
|
-
|
|
142
|
+
const checkedAddresses = Array.isArray(authorizationPayload.targetAddress) ? authorizationPayload.targetAddress : [authorizationPayload.targetAddress];
|
|
143
|
+
const allAllowed = service.targetAddresses.includes("*");
|
|
144
|
+
if (!allAllowed && checkedAddresses.some(ta => !service.targetAddresses.includes(ta))) {
|
|
148
145
|
return {
|
|
149
146
|
authorized: false,
|
|
150
|
-
errorMessage: `The service "${serviceConfig.serviceScope}" target address
|
|
147
|
+
errorMessage: `The service "${serviceConfig.serviceScope}" target address is not authorized for this key.`,
|
|
151
148
|
errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
|
|
152
149
|
status: 403
|
|
153
150
|
};
|
|
@@ -160,8 +157,24 @@ function authorizeService(apiKeyMetadata, serviceConfig, authorizationPayload) {
|
|
|
160
157
|
}
|
|
161
158
|
|
|
162
159
|
async function authorize(authData, serviceConfig, cacheOptions) {
|
|
160
|
+
const {
|
|
161
|
+
clientId,
|
|
162
|
+
targetAddress,
|
|
163
|
+
enforceAuth,
|
|
164
|
+
secretKeyHash
|
|
165
|
+
} = authData;
|
|
166
|
+
|
|
167
|
+
// BACKWARDS COMPAT: if auth not enforced and
|
|
168
|
+
// we don't have auth credentials bypass
|
|
169
|
+
if (!enforceAuth && !clientId && !secretKeyHash) {
|
|
170
|
+
return {
|
|
171
|
+
authorized: true,
|
|
172
|
+
apiKeyMeta: null
|
|
173
|
+
};
|
|
174
|
+
}
|
|
175
|
+
|
|
163
176
|
// if we don't have a client id at this point we can't authorize
|
|
164
|
-
if (!
|
|
177
|
+
if (!clientId) {
|
|
165
178
|
return {
|
|
166
179
|
authorized: false,
|
|
167
180
|
status: 401,
|
|
@@ -173,7 +186,7 @@ async function authorize(authData, serviceConfig, cacheOptions) {
|
|
|
173
186
|
// if we have cache options we want to check the cache first
|
|
174
187
|
if (cacheOptions) {
|
|
175
188
|
try {
|
|
176
|
-
const cachedKey = await cacheOptions.get(
|
|
189
|
+
const cachedKey = await cacheOptions.get(clientId);
|
|
177
190
|
if (cachedKey) {
|
|
178
191
|
const parsed = JSON.parse(cachedKey);
|
|
179
192
|
if ("updatedAt" in parsed) {
|
|
@@ -201,7 +214,7 @@ async function authorize(authData, serviceConfig, cacheOptions) {
|
|
|
201
214
|
const {
|
|
202
215
|
data,
|
|
203
216
|
error
|
|
204
|
-
} = await fetchKeyMetadataFromApi(
|
|
217
|
+
} = await fetchKeyMetadataFromApi(clientId, serviceConfig);
|
|
205
218
|
if (error) {
|
|
206
219
|
return {
|
|
207
220
|
authorized: false,
|
|
@@ -223,7 +236,7 @@ async function authorize(authData, serviceConfig, cacheOptions) {
|
|
|
223
236
|
// cache the retrieved key if we have cache options
|
|
224
237
|
if (cacheOptions) {
|
|
225
238
|
// we await this always because it can be a promise or not
|
|
226
|
-
await cacheOptions.put(
|
|
239
|
+
await cacheOptions.put(clientId, data);
|
|
227
240
|
}
|
|
228
241
|
} catch (err) {
|
|
229
242
|
console.warn("failed to fetch key metadata from api", err);
|
|
@@ -256,7 +269,7 @@ async function authorize(authData, serviceConfig, cacheOptions) {
|
|
|
256
269
|
|
|
257
270
|
// if we've made it this far we need to check service specific authorization
|
|
258
271
|
const serviceAuth = authorizeService(apiKeyMeta, serviceConfig, {
|
|
259
|
-
targetAddress
|
|
272
|
+
targetAddress
|
|
260
273
|
});
|
|
261
274
|
if (!serviceAuth.authorized) {
|
|
262
275
|
return {
|
|
@@ -4,10 +4,8 @@ async function fetchKeyMetadataFromApi(clientId, config) {
|
|
|
4
4
|
serviceScope,
|
|
5
5
|
serviceApiKey
|
|
6
6
|
} = config;
|
|
7
|
-
const url =
|
|
8
|
-
url
|
|
9
|
-
url.searchParams.set("scope", serviceScope);
|
|
10
|
-
const response = await fetch(url.href, {
|
|
7
|
+
const url = `${apiUrl}/v1/keys/use?clientId=${clientId}&scope=${serviceScope}`;
|
|
8
|
+
const response = await fetch(url, {
|
|
11
9
|
method: "GET",
|
|
12
10
|
headers: {
|
|
13
11
|
"x-service-api-key": serviceApiKey,
|
|
@@ -112,8 +110,6 @@ function authorizeService(apiKeyMetadata, serviceConfig, authorizationPayload) {
|
|
|
112
110
|
const {
|
|
113
111
|
services
|
|
114
112
|
} = apiKeyMetadata;
|
|
115
|
-
// const { serviceTargetAddresses, serviceAction } = validations;
|
|
116
|
-
|
|
117
113
|
// validate services
|
|
118
114
|
const service = services.find(srv => srv.name === serviceConfig.serviceScope);
|
|
119
115
|
if (!service) {
|
|
@@ -141,11 +137,12 @@ function authorizeService(apiKeyMetadata, serviceConfig, authorizationPayload) {
|
|
|
141
137
|
// validate service target addresses
|
|
142
138
|
// the service has to pass in the target address for this to be validated
|
|
143
139
|
if (authorizationPayload?.targetAddress) {
|
|
144
|
-
const
|
|
145
|
-
|
|
140
|
+
const checkedAddresses = Array.isArray(authorizationPayload.targetAddress) ? authorizationPayload.targetAddress : [authorizationPayload.targetAddress];
|
|
141
|
+
const allAllowed = service.targetAddresses.includes("*");
|
|
142
|
+
if (!allAllowed && checkedAddresses.some(ta => !service.targetAddresses.includes(ta))) {
|
|
146
143
|
return {
|
|
147
144
|
authorized: false,
|
|
148
|
-
errorMessage: `The service "${serviceConfig.serviceScope}" target address
|
|
145
|
+
errorMessage: `The service "${serviceConfig.serviceScope}" target address is not authorized for this key.`,
|
|
149
146
|
errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
|
|
150
147
|
status: 403
|
|
151
148
|
};
|
|
@@ -158,8 +155,24 @@ function authorizeService(apiKeyMetadata, serviceConfig, authorizationPayload) {
|
|
|
158
155
|
}
|
|
159
156
|
|
|
160
157
|
async function authorize(authData, serviceConfig, cacheOptions) {
|
|
158
|
+
const {
|
|
159
|
+
clientId,
|
|
160
|
+
targetAddress,
|
|
161
|
+
enforceAuth,
|
|
162
|
+
secretKeyHash
|
|
163
|
+
} = authData;
|
|
164
|
+
|
|
165
|
+
// BACKWARDS COMPAT: if auth not enforced and
|
|
166
|
+
// we don't have auth credentials bypass
|
|
167
|
+
if (!enforceAuth && !clientId && !secretKeyHash) {
|
|
168
|
+
return {
|
|
169
|
+
authorized: true,
|
|
170
|
+
apiKeyMeta: null
|
|
171
|
+
};
|
|
172
|
+
}
|
|
173
|
+
|
|
161
174
|
// if we don't have a client id at this point we can't authorize
|
|
162
|
-
if (!
|
|
175
|
+
if (!clientId) {
|
|
163
176
|
return {
|
|
164
177
|
authorized: false,
|
|
165
178
|
status: 401,
|
|
@@ -171,7 +184,7 @@ async function authorize(authData, serviceConfig, cacheOptions) {
|
|
|
171
184
|
// if we have cache options we want to check the cache first
|
|
172
185
|
if (cacheOptions) {
|
|
173
186
|
try {
|
|
174
|
-
const cachedKey = await cacheOptions.get(
|
|
187
|
+
const cachedKey = await cacheOptions.get(clientId);
|
|
175
188
|
if (cachedKey) {
|
|
176
189
|
const parsed = JSON.parse(cachedKey);
|
|
177
190
|
if ("updatedAt" in parsed) {
|
|
@@ -199,7 +212,7 @@ async function authorize(authData, serviceConfig, cacheOptions) {
|
|
|
199
212
|
const {
|
|
200
213
|
data,
|
|
201
214
|
error
|
|
202
|
-
} = await fetchKeyMetadataFromApi(
|
|
215
|
+
} = await fetchKeyMetadataFromApi(clientId, serviceConfig);
|
|
203
216
|
if (error) {
|
|
204
217
|
return {
|
|
205
218
|
authorized: false,
|
|
@@ -221,7 +234,7 @@ async function authorize(authData, serviceConfig, cacheOptions) {
|
|
|
221
234
|
// cache the retrieved key if we have cache options
|
|
222
235
|
if (cacheOptions) {
|
|
223
236
|
// we await this always because it can be a promise or not
|
|
224
|
-
await cacheOptions.put(
|
|
237
|
+
await cacheOptions.put(clientId, data);
|
|
225
238
|
}
|
|
226
239
|
} catch (err) {
|
|
227
240
|
console.warn("failed to fetch key metadata from api", err);
|
|
@@ -254,7 +267,7 @@ async function authorize(authData, serviceConfig, cacheOptions) {
|
|
|
254
267
|
|
|
255
268
|
// if we've made it this far we need to check service specific authorization
|
|
256
269
|
const serviceAuth = authorizeService(apiKeyMeta, serviceConfig, {
|
|
257
|
-
targetAddress
|
|
270
|
+
targetAddress
|
|
258
271
|
});
|
|
259
272
|
if (!serviceAuth.authorized) {
|
|
260
273
|
return {
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
Object.defineProperty(exports, '__esModule', { value: true });
|
|
4
4
|
|
|
5
5
|
var node_crypto = require('node:crypto');
|
|
6
|
-
var index = require('../../dist/index-
|
|
6
|
+
var index = require('../../dist/index-03e2bf97.cjs.dev.js');
|
|
7
7
|
var services = require('../../dist/services-a3f36057.cjs.dev.js');
|
|
8
8
|
|
|
9
9
|
async function authorizeNode(authInput, serviceConfig) {
|
|
@@ -36,10 +36,13 @@ function getHeader(headers, headerName) {
|
|
|
36
36
|
return header ?? null;
|
|
37
37
|
}
|
|
38
38
|
function extractAuthorizationData(authInput) {
|
|
39
|
-
|
|
40
|
-
|
|
39
|
+
let requestUrl;
|
|
40
|
+
try {
|
|
41
|
+
requestUrl = new URL(authInput.req.url || "", `http://${authInput.req.headers.host}`);
|
|
42
|
+
} catch (error) {
|
|
43
|
+
console.log("** Node URL Error **", error);
|
|
44
|
+
throw error;
|
|
41
45
|
}
|
|
42
|
-
const requestUrl = new URL(authInput.req.url, authInput.req.headers.host);
|
|
43
46
|
const headers = authInput.req.headers;
|
|
44
47
|
const secretKey = getHeader(headers, "x-secret-key");
|
|
45
48
|
// prefer clientId that is explicitly passed in
|
|
@@ -93,7 +96,9 @@ function extractAuthorizationData(authInput) {
|
|
|
93
96
|
secretKey,
|
|
94
97
|
clientId,
|
|
95
98
|
origin,
|
|
96
|
-
bundleId
|
|
99
|
+
bundleId,
|
|
100
|
+
targetAddress: authInput.targetAddress,
|
|
101
|
+
enforceAuth: authInput.enforcedAuth
|
|
97
102
|
};
|
|
98
103
|
}
|
|
99
104
|
function hashSecretKey(secretKey) {
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
Object.defineProperty(exports, '__esModule', { value: true });
|
|
4
4
|
|
|
5
5
|
var node_crypto = require('node:crypto');
|
|
6
|
-
var index = require('../../dist/index-
|
|
6
|
+
var index = require('../../dist/index-2facafef.cjs.prod.js');
|
|
7
7
|
var services = require('../../dist/services-9e185105.cjs.prod.js');
|
|
8
8
|
|
|
9
9
|
async function authorizeNode(authInput, serviceConfig) {
|
|
@@ -36,10 +36,13 @@ function getHeader(headers, headerName) {
|
|
|
36
36
|
return header ?? null;
|
|
37
37
|
}
|
|
38
38
|
function extractAuthorizationData(authInput) {
|
|
39
|
-
|
|
40
|
-
|
|
39
|
+
let requestUrl;
|
|
40
|
+
try {
|
|
41
|
+
requestUrl = new URL(authInput.req.url || "", `http://${authInput.req.headers.host}`);
|
|
42
|
+
} catch (error) {
|
|
43
|
+
console.log("** Node URL Error **", error);
|
|
44
|
+
throw error;
|
|
41
45
|
}
|
|
42
|
-
const requestUrl = new URL(authInput.req.url, authInput.req.headers.host);
|
|
43
46
|
const headers = authInput.req.headers;
|
|
44
47
|
const secretKey = getHeader(headers, "x-secret-key");
|
|
45
48
|
// prefer clientId that is explicitly passed in
|
|
@@ -93,7 +96,9 @@ function extractAuthorizationData(authInput) {
|
|
|
93
96
|
secretKey,
|
|
94
97
|
clientId,
|
|
95
98
|
origin,
|
|
96
|
-
bundleId
|
|
99
|
+
bundleId,
|
|
100
|
+
targetAddress: authInput.targetAddress,
|
|
101
|
+
enforceAuth: authInput.enforcedAuth
|
|
97
102
|
};
|
|
98
103
|
}
|
|
99
104
|
function hashSecretKey(secretKey) {
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { createHash } from 'node:crypto';
|
|
2
|
-
import { a as authorize } from '../../dist/index-
|
|
2
|
+
import { a as authorize } from '../../dist/index-e7c3b3be.esm.js';
|
|
3
3
|
export { b as SERVICES, S as SERVICE_DEFINITIONS, a as SERVICE_NAMES, g as getServiceByName } from '../../dist/services-86283509.esm.js';
|
|
4
4
|
|
|
5
5
|
async function authorizeNode(authInput, serviceConfig) {
|
|
@@ -32,10 +32,13 @@ function getHeader(headers, headerName) {
|
|
|
32
32
|
return header ?? null;
|
|
33
33
|
}
|
|
34
34
|
function extractAuthorizationData(authInput) {
|
|
35
|
-
|
|
36
|
-
|
|
35
|
+
let requestUrl;
|
|
36
|
+
try {
|
|
37
|
+
requestUrl = new URL(authInput.req.url || "", `http://${authInput.req.headers.host}`);
|
|
38
|
+
} catch (error) {
|
|
39
|
+
console.log("** Node URL Error **", error);
|
|
40
|
+
throw error;
|
|
37
41
|
}
|
|
38
|
-
const requestUrl = new URL(authInput.req.url, authInput.req.headers.host);
|
|
39
42
|
const headers = authInput.req.headers;
|
|
40
43
|
const secretKey = getHeader(headers, "x-secret-key");
|
|
41
44
|
// prefer clientId that is explicitly passed in
|
|
@@ -89,7 +92,9 @@ function extractAuthorizationData(authInput) {
|
|
|
89
92
|
secretKey,
|
|
90
93
|
clientId,
|
|
91
94
|
origin,
|
|
92
|
-
bundleId
|
|
95
|
+
bundleId,
|
|
96
|
+
targetAddress: authInput.targetAddress,
|
|
97
|
+
enforceAuth: authInput.enforcedAuth
|
|
93
98
|
};
|
|
94
99
|
}
|
|
95
100
|
function hashSecretKey(secretKey) {
|
package/package.json
CHANGED