@thirdweb-dev/service-utils 0.0.0-dev-e58d1ee-20230714074507 → 0.0.0-dev-1d8a47a-20230714075515

package/dist/index-9343e4ac.esm.js

@@ -0,0 +1,252 @@
+async function fetchKeyMetadataFromApi(clientId, config) {
+  const {
+    apiUrl,
+    serviceScope,
+    serviceApiKey
+  } = config;
+  const url = new URL(`${apiUrl}/api/v1/keys`);
+  url.searchParams.set("clientId", clientId);
+  url.searchParams.set("scope", serviceScope);
+  const response = await fetch(url, {
+    method: "GET",
+    headers: {
+      "x-service-api-key": serviceApiKey,
+      "content-type": "application/json"
+    }
+  });
+  if (!response.ok) {
+    throw new Error(`Error fetching key metadata from API: ${response.statusText}`);
+  }
+  return await response.json();
+}
+
+function authorizeClient(authOptions, apiKeyMeta) {
+  const {
+    origin,
+    secretKeyHash: providedSecretHash
+  } = authOptions;
+  const {
+    domains,
+    secretHash
+  } = apiKeyMeta;
+  if (providedSecretHash) {
+    if (secretHash !== providedSecretHash) {
+      return {
+        authorized: false,
+        errorMessage: "The secret is invalid.",
+        errorCode: "SECRET_INVALID",
+        status: 401
+      };
+    }
+    return {
+      authorized: true,
+      apiKeyMeta
+    };
+  }
+
+  // validate domains
+  if (origin) {
+    if (
+    // find matching domain, or if all domains allowed
+    domains.find(d => {
+      if (d === "*") {
+        return true;
+      }
+
+      // If the allowedDomain has a wildcard,
+      // we'll check that the ending of our domain matches the wildcard
+      if (d.startsWith("*.")) {
+        const domainRoot = d.slice(2);
+        return origin.endsWith(domainRoot);
+      }
+
+      // If there's no wildcard, we'll check for an exact match
+      return d === origin;
+    })) {
+      return {
+        authorized: true,
+        apiKeyMeta
+      };
+    }
+    return {
+      authorized: false,
+      errorMessage: "The origin is not authorized for this key.",
+      errorCode: "ORIGIN_UNAUTHORIZED",
+      status: 401
+    };
+  }
+
+  // FIXME: validate bundle id
+  return {
+    authorized: false,
+    errorMessage: "The keys are invalid.",
+    errorCode: "UNAUTHORIZED",
+    status: 401
+  };
+}
+
+function authorizeService(apikeyMetadata, serviceConfig, authorizationPayload) {
+  const {
+    services
+  } = apikeyMetadata;
+  // const { serviceTargetAddresses, serviceAction } = validations;
+
+  // validate services
+  const service = services.find(srv => srv.name === serviceConfig.serviceScope);
+  if (!service) {
+    return {
+      authorized: false,
+      errorMessage: `The service "${serviceConfig.serviceScope}" is not authorized for this key.`,
+      errorCode: "SERVICE_UNAUTHORIZED",
+      status: 403
+    };
+  }
+
+  // validate service actions
+  if (serviceConfig.serviceAction) {
+    const isActionAllowed = service.actions.includes(serviceConfig.serviceAction);
+    if (!isActionAllowed) {
+      return {
+        authorized: false,
+        errorMessage: `The service "${serviceConfig.serviceScope}" action "${serviceConfig.serviceAction}" is not authorized for this key.`,
+        errorCode: "SERVICE_ACTION_UNAUTHORIZED",
+        status: 403
+      };
+    }
+  }
+
+  // validate service target addresses
+  // the service has to pass in the target address for this to be validated
+  if (authorizationPayload?.targetAddress) {
+    const isTargetAddressAllowed = service.targetAddresses.includes(authorizationPayload.targetAddress);
+    if (!isTargetAddressAllowed) {
+      return {
+        authorized: false,
+        errorMessage: `The service "${serviceConfig.serviceScope}" target address "${authorizationPayload.targetAddress}" is not authorized for this key.`,
+        errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
+        status: 403
+      };
+    }
+  }
+  return {
+    authorized: true,
+    apiKeyMeta: apikeyMetadata
+  };
+}
+
+async function authorize(authData, serviceConfig, cacheOptions) {
+  // if we don't have a client id at this point we can't authorize
+  if (!authData.clientId) {
+    return {
+      authorized: false,
+      status: 401,
+      errorMessage: "Missing clientId or secretKey.",
+      errorCode: "MISSING_KEY"
+    };
+  }
+  let apiKeyMeta = null;
+  // if we have cache options we want to check the cache first
+  if (cacheOptions) {
+    try {
+      const cachedKey = await cacheOptions.get(authData.clientId);
+      if (cachedKey) {
+        const parsed = JSON.parse(cachedKey);
+        if ("updatedAt" in parsed) {
+          // we want to compare the updatedAt time to the current time
+          // if the difference is greater than the cacheTtl we want to ignore the cached data
+          const now = Date.now();
+          const diff = now - parsed.updatedAt;
+          const cacheTtl = cacheOptions.cacheTtlSeconds * 1000;
+          // only if the diff is less than the cacheTtl do we want to use the cached key
+          if (diff < cacheTtl * 1000) {
+            apiKeyMeta = parsed.apiKeyMeta;
+          }
+        } else {
+          apiKeyMeta = parsed;
+        }
+      }
+    } catch (err) {
+      // ignore errors, proceed as if not in cache
+    }
+  }
+
+  // if we don't have a cached key, fetch from the API
+  if (!apiKeyMeta) {
+    try {
+      const {
+        data,
+        error
+      } = await fetchKeyMetadataFromApi(authData.clientId, serviceConfig);
+      if (error) {
+        return {
+          authorized: false,
+          errorCode: error.code,
+          errorMessage: error.message,
+          status: error.statusCode
+        };
+      } else if (!data) {
+        return {
+          authorized: false,
+          errorCode: "NO_KEY",
+          errorMessage: "No error but also no key returned.",
+          status: 500
+        };
+      }
+      // if we have a key for sure then assign it
+      apiKeyMeta = data;
+
+      // cache the retrieved key if we have cache options
+      if (cacheOptions) {
+        // we await this always because it can be a promise or not
+        await cacheOptions.put(authData.clientId, data);
+      }
+    } catch (err) {
+      console.warn("failed to fetch key metadata from api", err);
+      return {
+        authorized: false,
+        status: 500,
+        errorMessage: "Failed to fetch key metadata.",
+        errorCode: "FAILED_TO_FETCH_KEY"
+      };
+    }
+  }
+  if (!apiKeyMeta) {
+    return {
+      authorized: false,
+      status: 401,
+      errorMessage: "Key is invalid.",
+      errorCode: "INVALID_KEY"
+    };
+  }
+  // now we can validate the key itself
+  const clientAuth = authorizeClient(authData, apiKeyMeta);
+  if (!clientAuth.authorized) {
+    return {
+      errorCode: clientAuth.errorCode,
+      authorized: false,
+      status: 401,
+      errorMessage: clientAuth.errorMessage
+    };
+  }
+
+  // if we've made it this far we need to check service specific authorization
+  const serviceAuth = authorizeService(apiKeyMeta, serviceConfig, {
+    targetAddress: authData.targetAddress
+  });
+  if (!serviceAuth.authorized) {
+    return {
+      errorCode: serviceAuth.errorCode,
+      authorized: false,
+      status: 403,
+      errorMessage: serviceAuth.errorMessage
+    };
+  }
+
+  // if we reach this point we are authorized!
+  return {
+    authorized: true,
+    apiKeyMeta
+  };
+}
+
+export { authorize as a };

package/dist/services-86283509.esm.js

@@ -0,0 +1,44 @@
+const SERVICE_DEFINITIONS = {
+  storage: {
+    name: "storage",
+    title: "Storage",
+    description: "IPFS Upload and Download",
+    actions: [{
+      name: "read",
+      title: "Download",
+      description: "Download a file from Storage"
+    }, {
+      name: "write",
+      title: "Upload",
+      description: "Upload a file to Storage"
+    }]
+  },
+  rpc: {
+    name: "rpc",
+    title: "RPC",
+    description: "Accelerated RPC Edge",
+    // all actions allowed
+    actions: []
+  },
+  bundler: {
+    name: "bundler",
+    title: "Smart Wallets",
+    description: "Bundler & Paymaster services",
+    // all actions allowed
+    actions: []
+  },
+  relayer: {
+    name: "relayer",
+    title: "Gasless Relayer",
+    description: "Enable gasless transactions",
+    // all actions allowed
+    actions: []
+  }
+};
+const SERVICE_NAMES = Object.keys(SERVICE_DEFINITIONS);
+const SERVICES = Object.values(SERVICE_DEFINITIONS);
+function getServiceByName(name) {
+  return SERVICE_DEFINITIONS[name];
+}
+
+export { SERVICE_DEFINITIONS as S, SERVICE_NAMES as a, SERVICES as b, getServiceByName as g };

package/dist/services-9e185105.cjs.prod.js

@@ -0,0 +1,49 @@
+'use strict';
+
+const SERVICE_DEFINITIONS = {
+  storage: {
+    name: "storage",
+    title: "Storage",
+    description: "IPFS Upload and Download",
+    actions: [{
+      name: "read",
+      title: "Download",
+      description: "Download a file from Storage"
+    }, {
+      name: "write",
+      title: "Upload",
+      description: "Upload a file to Storage"
+    }]
+  },
+  rpc: {
+    name: "rpc",
+    title: "RPC",
+    description: "Accelerated RPC Edge",
+    // all actions allowed
+    actions: []
+  },
+  bundler: {
+    name: "bundler",
+    title: "Smart Wallets",
+    description: "Bundler & Paymaster services",
+    // all actions allowed
+    actions: []
+  },
+  relayer: {
+    name: "relayer",
+    title: "Gasless Relayer",
+    description: "Enable gasless transactions",
+    // all actions allowed
+    actions: []
+  }
+};
+const SERVICE_NAMES = Object.keys(SERVICE_DEFINITIONS);
+const SERVICES = Object.values(SERVICE_DEFINITIONS);
+function getServiceByName(name) {
+  return SERVICE_DEFINITIONS[name];
+}
+
+exports.SERVICES = SERVICES;
+exports.SERVICE_DEFINITIONS = SERVICE_DEFINITIONS;
+exports.SERVICE_NAMES = SERVICE_NAMES;
+exports.getServiceByName = getServiceByName;

package/dist/services-a3f36057.cjs.dev.js

@@ -0,0 +1,49 @@
+'use strict';
+
+const SERVICE_DEFINITIONS = {
+  storage: {
+    name: "storage",
+    title: "Storage",
+    description: "IPFS Upload and Download",
+    actions: [{
+      name: "read",
+      title: "Download",
+      description: "Download a file from Storage"
+    }, {
+      name: "write",
+      title: "Upload",
+      description: "Upload a file to Storage"
+    }]
+  },
+  rpc: {
+    name: "rpc",
+    title: "RPC",
+    description: "Accelerated RPC Edge",
+    // all actions allowed
+    actions: []
+  },
+  bundler: {
+    name: "bundler",
+    title: "Smart Wallets",
+    description: "Bundler & Paymaster services",
+    // all actions allowed
+    actions: []
+  },
+  relayer: {
+    name: "relayer",
+    title: "Gasless Relayer",
+    description: "Enable gasless transactions",
+    // all actions allowed
+    actions: []
+  }
+};
+const SERVICE_NAMES = Object.keys(SERVICE_DEFINITIONS);
+const SERVICES = Object.values(SERVICE_DEFINITIONS);
+function getServiceByName(name) {
+  return SERVICE_DEFINITIONS[name];
+}
+
+exports.SERVICES = SERVICES;
+exports.SERVICE_DEFINITIONS = SERVICE_DEFINITIONS;
+exports.SERVICE_NAMES = SERVICE_NAMES;
+exports.getServiceByName = getServiceByName;

package/dist/thirdweb-dev-service-utils.cjs.d.ts

@@ -0,0 +1,2 @@
+export * from "./declarations/src/index";
+//# sourceMappingURL=thirdweb-dev-service-utils.cjs.d.ts.map

package/dist/thirdweb-dev-service-utils.cjs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"thirdweb-dev-service-utils.cjs.d.ts","sourceRoot":"","sources":["./declarations/src/index.d.ts"],"names":[],"mappings":"AAAA"}

package/dist/thirdweb-dev-service-utils.cjs.dev.js

@@ -0,0 +1,12 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var services = require('./services-a3f36057.cjs.dev.js');
+
+
+
+exports.SERVICES = services.SERVICES;
+exports.SERVICE_DEFINITIONS = services.SERVICE_DEFINITIONS;
+exports.SERVICE_NAMES = services.SERVICE_NAMES;
+exports.getServiceByName = services.getServiceByName;

package/dist/thirdweb-dev-service-utils.cjs.js

@@ -0,0 +1,7 @@
+'use strict';
+
+if (process.env.NODE_ENV === "production") {
+  module.exports = require("./thirdweb-dev-service-utils.cjs.prod.js");
+} else {
+  module.exports = require("./thirdweb-dev-service-utils.cjs.dev.js");
+}

package/dist/thirdweb-dev-service-utils.cjs.prod.js

@@ -0,0 +1,12 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var services = require('./services-9e185105.cjs.prod.js');
+
+
+
+exports.SERVICES = services.SERVICES;
+exports.SERVICE_DEFINITIONS = services.SERVICE_DEFINITIONS;
+exports.SERVICE_NAMES = services.SERVICE_NAMES;
+exports.getServiceByName = services.getServiceByName;

package/dist/thirdweb-dev-service-utils.esm.js

@@ -0,0 +1 @@
+export { b as SERVICES, S as SERVICE_DEFINITIONS, a as SERVICE_NAMES, g as getServiceByName } from './services-86283509.esm.js';

package/node/dist/thirdweb-dev-service-utils-node.cjs.d.ts

@@ -0,0 +1,2 @@
+export * from "../../dist/declarations/src/node/index";
+//# sourceMappingURL=thirdweb-dev-service-utils-node.cjs.d.ts.map

package/node/dist/thirdweb-dev-service-utils-node.cjs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"thirdweb-dev-service-utils-node.cjs.d.ts","sourceRoot":"","sources":["../../dist/declarations/src/node/index.d.ts"],"names":[],"mappings":"AAAA"}

package/node/dist/thirdweb-dev-service-utils-node.cjs.dev.js

@@ -0,0 +1,113 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var node_crypto = require('node:crypto');
+var index = require('../../dist/index-781b85e1.cjs.dev.js');
+var services = require('../../dist/services-a3f36057.cjs.dev.js');
+
+async function authorizeNode(authInput, serviceConfig) {
+  let authData;
+  try {
+    authData = extractAuthorizationData(authInput);
+  } catch (e) {
+    if (e instanceof Error && e.message === "KEY_CONFLICT") {
+      return {
+        authorized: false,
+        status: 400,
+        errorMessage: "Please pass either a client id or a secret key.",
+        errorCode: "KEY_CONFLICT"
+      };
+    }
+    return {
+      authorized: false,
+      status: 500,
+      errorMessage: "Internal Server Error",
+      errorCode: "INTERNAL_SERVER_ERROR"
+    };
+  }
+  return await index.authorize(authData, serviceConfig);
+}
+function getHeader(headers, headerName) {
+  const header = headers[headerName];
+  if (Array.isArray(header)) {
+    return header[0];
+  }
+  return header ?? null;
+}
+function extractAuthorizationData(authInput) {
+  if (!authInput.req.url) {
+    throw new Error("no req.url in authInput.req");
+  }
+  const requestUrl = new URL(authInput.req.url, authInput.req.headers.host);
+  const headers = authInput.req.headers;
+  const secretKey = getHeader(headers, "x-secret-key");
+  // prefer clientId that is explicitly passed in
+  let clientId = authInput.clientId ?? null;
+  if (!clientId) {
+    // next preference is clientId from header
+    clientId = getHeader(headers, "x-client-id");
+  }
+
+  // next preference is search param
+  if (!clientId) {
+    clientId = requestUrl.searchParams.get("clientId");
+  }
+  // bundle id from header is first preference
+  let bundleId = getHeader(headers, "x-bundle-id");
+
+  // next preference is search param
+  if (!bundleId) {
+    bundleId = requestUrl.searchParams.get("bundleId");
+  }
+  let origin = getHeader(headers, "origin");
+  // if origin header is not available we'll fall back to referrer;
+  if (!origin) {
+    origin = getHeader(headers, "referer");
+  }
+  // if we have an origin at this point, normalize it
+  if (origin) {
+    try {
+      origin = new URL(origin).hostname;
+    } catch (e) {
+      console.warn("failed to parse origin", origin, e);
+    }
+  }
+
+  // handle if we a secret key is passed in the headers
+  let secretKeyHash = null;
+  if (secretKey) {
+    // hash the secret key
+    secretKeyHash = hashSecretKey(secretKey);
+    // derive the client id from the secret key hash
+    const derivedClientId = deriveClientIdFromSecretKeyHash(secretKeyHash);
+    // if we already have a client id passed in we need to make sure they match
+    if (clientId && clientId !== derivedClientId) {
+      throw new Error("KEY_CONFLICT");
+    }
+    // otherwise set the client id to the derived client id (client id based off of secret key)
+    clientId = derivedClientId;
+  }
+  return {
+    secretKeyHash,
+    secretKey,
+    clientId,
+    origin,
+    bundleId
+  };
+}
+function hashSecretKey(secretKey) {
+  return node_crypto.createHash("sha256").update(secretKey).digest("hex");
+}
+function deriveClientIdFromSecretKeyHash(secretKeyHash) {
+  return secretKeyHash.slice(0, 32);
+}
+
+exports.SERVICES = services.SERVICES;
+exports.SERVICE_DEFINITIONS = services.SERVICE_DEFINITIONS;
+exports.SERVICE_NAMES = services.SERVICE_NAMES;
+exports.getServiceByName = services.getServiceByName;
+exports.authorizeNode = authorizeNode;
+exports.deriveClientIdFromSecretKeyHash = deriveClientIdFromSecretKeyHash;
+exports.extractAuthorizationData = extractAuthorizationData;
+exports.hashSecretKey = hashSecretKey;

package/node/dist/thirdweb-dev-service-utils-node.cjs.js

@@ -0,0 +1,7 @@
+'use strict';
+
+if (process.env.NODE_ENV === "production") {
+  module.exports = require("./thirdweb-dev-service-utils-node.cjs.prod.js");
+} else {
+  module.exports = require("./thirdweb-dev-service-utils-node.cjs.dev.js");
+}

package/node/dist/thirdweb-dev-service-utils-node.cjs.prod.js

@@ -0,0 +1,113 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var node_crypto = require('node:crypto');
+var index = require('../../dist/index-20c60154.cjs.prod.js');
+var services = require('../../dist/services-9e185105.cjs.prod.js');
+
+async function authorizeNode(authInput, serviceConfig) {
+  let authData;
+  try {
+    authData = extractAuthorizationData(authInput);
+  } catch (e) {
+    if (e instanceof Error && e.message === "KEY_CONFLICT") {
+      return {
+        authorized: false,
+        status: 400,
+        errorMessage: "Please pass either a client id or a secret key.",
+        errorCode: "KEY_CONFLICT"
+      };
+    }
+    return {
+      authorized: false,
+      status: 500,
+      errorMessage: "Internal Server Error",
+      errorCode: "INTERNAL_SERVER_ERROR"
+    };
+  }
+  return await index.authorize(authData, serviceConfig);
+}
+function getHeader(headers, headerName) {
+  const header = headers[headerName];
+  if (Array.isArray(header)) {
+    return header[0];
+  }
+  return header ?? null;
+}
+function extractAuthorizationData(authInput) {
+  if (!authInput.req.url) {
+    throw new Error("no req.url in authInput.req");
+  }
+  const requestUrl = new URL(authInput.req.url, authInput.req.headers.host);
+  const headers = authInput.req.headers;
+  const secretKey = getHeader(headers, "x-secret-key");
+  // prefer clientId that is explicitly passed in
+  let clientId = authInput.clientId ?? null;
+  if (!clientId) {
+    // next preference is clientId from header
+    clientId = getHeader(headers, "x-client-id");
+  }
+
+  // next preference is search param
+  if (!clientId) {
+    clientId = requestUrl.searchParams.get("clientId");
+  }
+  // bundle id from header is first preference
+  let bundleId = getHeader(headers, "x-bundle-id");
+
+  // next preference is search param
+  if (!bundleId) {
+    bundleId = requestUrl.searchParams.get("bundleId");
+  }
+  let origin = getHeader(headers, "origin");
+  // if origin header is not available we'll fall back to referrer;
+  if (!origin) {
+    origin = getHeader(headers, "referer");
+  }
+  // if we have an origin at this point, normalize it
+  if (origin) {
+    try {
+      origin = new URL(origin).hostname;
+    } catch (e) {
+      console.warn("failed to parse origin", origin, e);
+    }
+  }
+
+  // handle if we a secret key is passed in the headers
+  let secretKeyHash = null;
+  if (secretKey) {
+    // hash the secret key
+    secretKeyHash = hashSecretKey(secretKey);
+    // derive the client id from the secret key hash
+    const derivedClientId = deriveClientIdFromSecretKeyHash(secretKeyHash);
+    // if we already have a client id passed in we need to make sure they match
+    if (clientId && clientId !== derivedClientId) {
+      throw new Error("KEY_CONFLICT");
+    }
+    // otherwise set the client id to the derived client id (client id based off of secret key)
+    clientId = derivedClientId;
+  }
+  return {
+    secretKeyHash,
+    secretKey,
+    clientId,
+    origin,
+    bundleId
+  };
+}
+function hashSecretKey(secretKey) {
+  return node_crypto.createHash("sha256").update(secretKey).digest("hex");
+}
+function deriveClientIdFromSecretKeyHash(secretKeyHash) {
+  return secretKeyHash.slice(0, 32);
+}
+
+exports.SERVICES = services.SERVICES;
+exports.SERVICE_DEFINITIONS = services.SERVICE_DEFINITIONS;
+exports.SERVICE_NAMES = services.SERVICE_NAMES;
+exports.getServiceByName = services.getServiceByName;
+exports.authorizeNode = authorizeNode;
+exports.deriveClientIdFromSecretKeyHash = deriveClientIdFromSecretKeyHash;
+exports.extractAuthorizationData = extractAuthorizationData;
+exports.hashSecretKey = hashSecretKey;