@thirdweb-dev/service-utils 0.0.0-dev-f2d9bcd-20230713055621 → 0.0.0-dev-2666fdc-20230713214856

package/dist/declarations/src/auth/index.d.ts

@@ -1,21 +1,6 @@
-/// <reference types="node" />
-import { AuthorizationOptions, AuthorizationResponse, AuthorizationValidations } from "./types";
-import { KVNamespace, ExecutionContext } from "@cloudflare/workers-types";
-import { IncomingHttpHeaders } from "http";
-interface AuthorizeWorkerOptions {
-    ctx?: ExecutionContext;
-    kvStore: KVNamespace<string>;
-    headers: Headers;
-    clientId: string;
-    authOpts: AuthorizationOptions;
-    validations?: AuthorizationValidations;
-}
-export declare function authorizeWorkerService(options: AuthorizeWorkerOptions): Promise<AuthorizationResponse>;
-export declare function authorizeNodeService(options: {
-    clientId: string;
-    headers: IncomingHttpHeaders;
-    authOpts: AuthorizationOptions;
-    validations?: AuthorizationValidations;
-}): Promise<AuthorizationResponse>;
-export {};
+import { AuthorizationResponse, AuthorizeCFWorkerOptions, AuthorizeNodeServiceOptions } from "./types";
+export declare function authorizeCFWorkerService(options: AuthorizeCFWorkerOptions): Promise<AuthorizationResponse>;
+export declare function authorizeNodeService(options: AuthorizeNodeServiceOptions): Promise<AuthorizationResponse>;
+export declare function hashSecret(secret: string): string;
+export declare function hashClientId(secret: string): string;
 //# sourceMappingURL=index.d.ts.map

package/dist/declarations/src/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"../../../../src/auth","sources":["index.ts"],"names":[],"mappings":";AACA,OAAO,EAGL,oBAAoB,EACpB,qBAAqB,EACrB,wBAAwB,EACzB,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAC1E,OAAO,EAAE,mBAAmB,EAAE,MAAM,MAAM,CAAC;AAE3C,UAAU,sBAAsB;IAC9B,GAAG,CAAC,EAAE,gBAAgB,CAAC;IACvB,OAAO,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,WAAW,CAAC,EAAE,wBAAwB,CAAC;CACxC;AAED,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,sBAAsB,kCAqD3E;AAwLD,wBAAsB,oBAAoB,CAAC,OAAO,EAAE;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,mBAAmB,CAAC;IAC7B,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,WAAW,CAAC,EAAE,wBAAwB,CAAC;CACxC,kCAmCA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"../../../../src/auth","sources":["index.ts"],"names":[],"mappings":"AACA,OAAO,EAIL,qBAAqB,EAErB,wBAAwB,EACxB,2BAA2B,EAE5B,MAAM,SAAS,CAAC;AAGjB,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,wBAAwB,kCAkClC;AAED,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,2BAA2B,kCASrC;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,UAExC;AAED,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,UAG1C"}

package/dist/declarations/src/auth/types.d.ts

@@ -1,18 +1,34 @@
+import { KVNamespace, ExecutionContext } from "@cloudflare/workers-types";
 import { ServiceName } from "../types";
-export interface AuthorizationOptions {
+export interface AuthOptions {
+    clientId: string;
+    secretHash?: string;
+    bundleId?: string;
+    origin?: string;
+}
+export interface AuthorizeCFWorkerOptions {
+    ctx: ExecutionContext;
+    kvStore: KVNamespace<string>;
+    authOptions: AuthOptions;
+    serviceConfig: ServiceConfiguration;
+    validations: AuthorizationValidations;
+}
+export interface AuthorizeNodeServiceOptions {
+    authOptions: AuthOptions;
+    serviceConfig: ServiceConfiguration;
+    validations: AuthorizationValidations;
+}
+export interface ServiceConfiguration {
     apiUrl: string;
-    serviceAPIKey: string;
     scope: ServiceName;
-    origin?: string;
+    serviceKey: string;
     cachedKey?: ApiKey;
     cacheTtl?: number;
     onRefetchComplete?: (key: ApiKey) => void;
 }
 export interface AuthorizationValidations {
     serviceTargetAddresses?: string[];
-    serviceActions?: string[];
-    domains: string[];
-    bundleIds: string[];
+    serviceAction?: string;
 }
 export interface AuthorizationResponse {
     authorized: boolean;
@@ -32,14 +48,14 @@ export interface ApiResponse {
 export interface ApiKey {
     id: string;
     key: string;
+    secretHash: string;
     walletAddresses: string[];
     domains: string[];
-    services?: [
-        {
-            name: string;
-            targetAddresses: string[];
-            actions: string[];
-        }
-    ];
+    bundleIds: string[];
+    services: {
+        name: string;
+        targetAddresses: string[];
+        actions: string[];
+    }[];
 }
 //# sourceMappingURL=types.d.ts.map

package/dist/declarations/src/auth/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"../../../../src/auth","sources":["types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAEvC,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,WAAW,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC3C;AAED,MAAM,WAAW,wBAAwB;IACvC,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;IAClC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,qBAAqB;IACpC,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,MAAM;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE;QACT;YACE,IAAI,EAAE,MAAM,CAAC;YACb,eAAe,EAAE,MAAM,EAAE,CAAC;YAC1B,OAAO,EAAE,MAAM,EAAE,CAAC;SACnB;KACF,CAAC;CACH"}
+{"version":3,"file":"types.d.ts","sourceRoot":"../../../../src/auth","sources":["types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAEvC,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,wBAAwB;IACvC,GAAG,EAAE,gBAAgB,CAAC;IACtB,OAAO,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAC7B,WAAW,EAAE,WAAW,CAAC;IACzB,aAAa,EAAE,oBAAoB,CAAC;IACpC,WAAW,EAAE,wBAAwB,CAAC;CACvC;AAED,MAAM,WAAW,2BAA2B;IAC1C,WAAW,EAAE,WAAW,CAAC;IACzB,aAAa,EAAE,oBAAoB,CAAC;IACpC,WAAW,EAAE,wBAAwB,CAAC;CACvC;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,WAAW,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC3C;AAED,MAAM,WAAW,wBAAwB;IACvC,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;IAClC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,qBAAqB;IACpC,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,MAAM;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,QAAQ,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,EAAE,CAAC;CACL"}

package/dist/declarations/src/index.d.ts

@@ -1,6 +1,4 @@
-import { Service } from "./types";
-export declare const SERVICES: Service[];
-export declare function getServiceByName(name: string): Service | undefined;
+export declare function getServiceByName(name: string): import("./types").Service | undefined;
 export * from "./types";
 export * from "./auth";
 //# sourceMappingURL=index.d.ts.map

package/dist/declarations/src/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"../../../src","sources":["index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,eAAO,MAAM,QAAQ,EAAE,OAAO,EAgC7B,CAAC;AAEF,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAElE;AAED,cAAc,SAAS,CAAC;AACxB,cAAc,QAAQ,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"../../../src","sources":["index.ts"],"names":[],"mappings":"AAEA,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,yCAE5C;AAED,cAAc,SAAS,CAAC;AACxB,cAAc,QAAQ,CAAC"}

package/dist/declarations/src/types.d.ts

@@ -1,4 +1,6 @@
-export type ServiceName = "bundler" | "rpc" | "storage";
+export declare const SERVICE_NAMES: readonly ["bundler", "rpc", "storage"];
+export declare const SERVICES: Service[];
+export type ServiceName = (typeof SERVICE_NAMES)[number];
 export interface ServiceAction {
     name: string;
     title: string;

package/dist/declarations/src/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"../../../src","sources":["types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,WAAW,GAAG,SAAS,GAAG,KAAK,GAAG,SAAS,CAAC;AAExD,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,WAAW,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,aAAa,EAAE,CAAC;CAC1B"}
+{"version":3,"file":"types.d.ts","sourceRoot":"../../../src","sources":["types.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,aAAa,wCAAyC,CAAC;AAEpE,eAAO,MAAM,QAAQ,EAAE,OAAO,EAgC7B,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,WAAW,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,aAAa,EAAE,CAAC;CAC1B"}

package/dist/thirdweb-dev-service-utils.cjs.dev.js

@@ -3,81 +3,121 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var fetch = require('isomorphic-unfetch');
+var crypto = require('crypto');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { 'default': e }; }
 
 var fetch__default = /*#__PURE__*/_interopDefault(fetch);
 
-async function authorizeWorkerService(options) {
+const SERVICE_NAMES = ["bundler", "rpc", "storage"];
+const SERVICES = [{
+  name: "storage",
+  title: "Storage",
+  description: "IPFS Upload and Download",
+  actions: [{
+    name: "read",
+    title: "Download",
+    description: "Download a file from Storage"
+  }, {
+    name: "write",
+    title: "Upload",
+    description: "Upload a file to Storage"
+  }]
+}, {
+  name: "rpc",
+  title: "RPC",
+  description: "Accelerated RPC Edge",
+  // all actions allowed
+  actions: []
+}, {
+  name: "bundler",
+  title: "Smart Wallets",
+  description: "Bundler & Paymaster services",
+  // all actions allowed
+  actions: []
+}];
+
+async function authorizeCFWorkerService(options) {
+  const {
+    kvStore,
+    ctx,
+    authOptions,
+    serviceConfig,
+    validations
+  } = options;
+  const {
+    clientId
+  } = authOptions;
   let cachedKey;
-  if (!options.clientId) {
-    return {
-      authorized: false,
-      errorMessage: "The ClientId is missing. Make sure it is included with your Authorization Bearer request header.",
-      errorCode: "MISSING_CLIENT_ID",
-      statusCode: 422
-    };
-  }
 
   // first, check if the key is in KV
   try {
-    const kvKey = await options.kvStore.get(options.clientId);
+    const kvKey = await kvStore.get(clientId);
     if (kvKey) {
       cachedKey = JSON.parse(kvKey);
     }
   } catch (err) {
     // ignore JSON parse, assuming not valid
   }
-  const origin = options.headers.get("Origin") || "";
-  let originHost;
-  if (origin) {
-    try {
-      const originUrl = new URL(origin);
-      originHost = originUrl.host;
-    } catch (error) {
-      // ignore, will be verified by domains
-    }
-  }
   const updateKv = async keyData => {
-    options.kvStore.put(options.clientId, JSON.stringify(keyData), {
-      expirationTtl: options.authOpts.cacheTtl || 60
+    kvStore.put(clientId, JSON.stringify(keyData), {
+      expirationTtl: serviceConfig.cacheTtl || 60
     });
   };
-  return authorize(options.clientId, {
-    ...options.authOpts,
-    origin: originHost,
-    cachedKey,
-    onRefetchComplete: keyData => {
-      options?.ctx?.waitUntil(updateKv(keyData));
-    }
-  }, options.validations);
+  return authorize({
+    authOptions,
+    serviceConfig: {
+      ...serviceConfig,
+      cachedKey,
+      onRefetchComplete: keyData => {
+        ctx.waitUntil(updateKv(keyData));
+      }
+    },
+    validations
+  });
+}
+async function authorizeNodeService(options) {
+  const {
+    authOptions,
+    serviceConfig,
+    validations
+  } = options;
+  return authorize({
+    authOptions,
+    serviceConfig,
+    validations
+  });
+}
+function hashSecret(secret) {
+  return crypto.createHash("sha256").update(secret).digest("hex");
+}
+function hashClientId(secret) {
+  const hashed = crypto.createHash("sha256").update(secret).digest("hex");
+  return hashed.slice(0, 32);
 }
 
 /**
- * Authorizes a request for a given clientId
- *
- * @param clientId The String client id
- * @params authOpts The Object auth options
- *           origin - The String origin
- *           apiUrl - The String API URL
- *           scope - The ServiceName scope identifier
- *           cachedKey - The ApiKey (optional) cached key
- *           onRefetchComplete - The Func to trigger after key refetch from API
- * @params validations The Object of validations to run on a key
- *           serviceTargetAddresses - The Array (optional) of service target addresses to validate
- *           serviceActions - The Array (optional) of service actions to validate
+ * Authorizes a request for a given client ID
  *
  * @returns The Promise AuthorizationResponse
  */
-async function authorize(clientId, authOpts, validations) {
+async function authorize(options) {
   try {
+    const {
+      authOptions,
+      serviceConfig,
+      validations
+    } = options;
+    const {
+      clientId
+    } = authOptions;
     const {
       apiUrl,
-      origin,
       scope,
+      serviceKey,
       cachedKey,
       onRefetchComplete
-    } = authOpts;
+    } = serviceConfig;
     let keyData = cachedKey;
 
     // no cached key, re-fetch from API
@@ -85,8 +125,8 @@ async function authorize(clientId, authOpts, validations) {
       const response = await fetch__default["default"](`${apiUrl}/v1/keys/use/?scope=${scope}&clientId=${clientId}`, {
         method: "GET",
         headers: {
-          "content-type": "application/json",
-          "x-service-api-key": authOpts.serviceAPIKey
+          "x-service-api-key": serviceKey,
+          "content-type": "application/json"
         }
       });
       const apiResponse = await response.json();
@@ -110,107 +150,22 @@ async function authorize(clientId, authOpts, validations) {
     //
     // Run validations
     //
-    const {
-      serviceActions,
-      serviceTargetAddresses
-    } = validations || {};
-
-    // validate domains
-    if (keyData.domains && keyData.domains?.length > 0) {
-      let originHost = "";
-      if (origin) {
-        try {
-          const originUrl = new URL(origin);
-          originHost = originUrl.host;
-        } catch (error) {
-          // ignore, will be verified by domains
-        }
-      }
-      if (
-      // find matching domain, or if all domains allowed
-      !keyData.domains.find(d => {
-        if (d === "*") {
-          return true;
-        }
-
-        // If the allowedDomain has a wildcard,
-        // we'll check that the ending of our domain matches the wildcard
-        if (d.startsWith("*.")) {
-          const wildcard = d.slice(2);
-          return originHost.endsWith(wildcard);
-        }
-
-        // If there's no wildcard, we'll check for an exact match
-        return d === originHost;
-      })) {
-        return {
-          authorized: false,
-          errorMessage: "The domain is not authorized for this key.",
-          errorCode: "DOMAIN_UNAUTHORIZED",
-          statusCode: 403
-        };
-      }
+    const authResponse = authAccess(authOptions, keyData);
+    if (!authResponse?.authorized) {
+      return authResponse;
     }
-
-    // validate services
-    if (keyData.services && keyData.services?.length > 0) {
-      const service = (keyData.services || []).find(srv => srv.name === scope);
-      if (!service) {
-        return {
-          authorized: false,
-          errorMessage: `The service "${scope}" is not authorized for this key.`,
-          errorCode: "SERVICE_UNAUTHORIZED",
-          statusCode: 403
-        };
-      }
-
-      // validate service actions
-      if (serviceActions) {
-        let unknownAction;
-        serviceActions.forEach(action => {
-          if (!service.actions.includes(action)) {
-            unknownAction = action;
-          }
-        });
-        if (unknownAction) {
-          return {
-            authorized: false,
-            errorMessage: `The service "${scope}" action "${unknownAction}" is not authorized for this key.`,
-            errorCode: "SERVICE_ACTION_UNAUTHORIZED",
-            statusCode: 403
-          };
-        }
-      }
-
-      // validate service target addresses
-      if (serviceTargetAddresses && !service.targetAddresses.find(addr => addr === "*" || serviceTargetAddresses.includes(addr))) {
-        return {
-          authorized: false,
-          errorMessage: `The service "${scope}" target address is not authorized for this key.`,
-          errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
-          statusCode: 403
-        };
-      }
+    const authzResponse = authzServices(validations, keyData, scope);
+    if (!authzResponse?.authorized) {
+      return authzResponse;
     }
+    // FIXME: validate bundleId
 
-    // validate bundleIds
-    // if (
-    //   bundleIds &&
-    //   !keyData.bundleIds.find((addr) => addr === "*" || bundleIds.includes(addr))
-    // ) {
-    //   return {
-    //     authorized: false,
-    //     errorMessage: `The service "${scope}" for BundlerIds ${bundleIds} is not authorized for this key.`,
-    //     errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
-    //     statusCode: 403,
-    //   };
-    // }
     return {
       authorized: true,
       data: keyData
     };
   } catch (err) {
-    console.error("Failed to authorize this key", err);
+    console.error("Failed to authorize this key.", err);
     return {
       authorized: false,
       errorMessage: "Internal error",
@@ -219,63 +174,122 @@ async function authorize(clientId, authOpts, validations) {
     };
   }
 }
-async function authorizeNodeService(options) {
-  if (!options.clientId) {
+function authAccess(authOptions, apiKey) {
+  const {
+    origin,
+    secretHash: providedSecretHash
+  } = authOptions;
+  const {
+    domains,
+    secretHash
+  } = apiKey;
+  if (providedSecretHash) {
+    if (secretHash !== providedSecretHash) {
+      return {
+        authorized: false,
+        errorMessage: "The secret is invalid.",
+        errorCode: "SECRET_INVALID",
+        statusCode: 401
+      };
+    }
     return {
-      authorized: false,
-      errorMessage: "The API key is missing. Make sure it is included with your Authorization Bearer request header.",
-      errorCode: "MISSING_API_KEY",
-      statusCode: 422
+      authorized: true
     };
   }
-  const origin = typeof options.headers["Origin"] === "string" ? options.headers["Origin"] : options.headers["Origin"]?.join("");
-  let originHost;
+
+  // validate domains
   if (origin) {
-    try {
-      const originUrl = new URL(origin);
-      originHost = originUrl.hostname;
-    } catch (error) {
-      // ignore, will be verified by domains
+    if (
+    // find matching domain, or if all domains allowed
+    domains.find(d => {
+      if (d === "*") {
+        return true;
+      }
+
+      // If the allowedDomain has a wildcard,
+      // we'll check that the ending of our domain matches the wildcard
+      if (d.startsWith("*.")) {
+        const domainRoot = d.slice(2);
+        return origin.endsWith(domainRoot);
+      }
+
+      // If there's no wildcard, we'll check for an exact match
+      return d === origin;
+    })) {
+      return {
+        authorized: true
+      };
     }
+    return {
+      authorized: false,
+      errorMessage: "The origin is not authorized for this key.",
+      errorCode: "ORIGIN_UNAUTHORIZED",
+      statusCode: 401
+    };
   }
-  return authorize(options.clientId, {
-    ...options.authOpts,
-    origin: originHost,
-    cachedKey: undefined
-  }, options.validations);
+
+  // FIXME: validate bundle id
+  return {
+    authorized: false,
+    errorMessage: "The keys are invalid.",
+    errorCode: "UNAUTHORIZED",
+    statusCode: 401
+  };
+}
+function authzServices(validations, apiKey, scope) {
+  const {
+    services
+  } = apiKey;
+  const {
+    serviceTargetAddresses,
+    serviceAction
+  } = validations;
+
+  // validate services
+  const service = services.find(srv => srv.name === scope);
+  if (!service) {
+    return {
+      authorized: false,
+      errorMessage: `The service "${scope}" is not authorized for this key.`,
+      errorCode: "SERVICE_UNAUTHORIZED",
+      statusCode: 403
+    };
+  }
+
+  // validate service actions
+  if (serviceAction) {
+    if (!service.actions.includes(serviceAction)) {
+      return {
+        authorized: false,
+        errorMessage: `The service "${scope}" action "${serviceAction}" is not authorized for this key.`,
+        errorCode: "SERVICE_ACTION_UNAUTHORIZED",
+        statusCode: 403
+      };
+    }
+  }
+
+  // validate service target addresses
+  if (serviceTargetAddresses && !service.targetAddresses.find(addr => addr === "*" || serviceTargetAddresses.includes(addr))) {
+    return {
+      authorized: false,
+      errorMessage: `The service "${scope}" target address is not authorized for this key.`,
+      errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
+      statusCode: 403
+    };
+  }
+  return {
+    authorized: true
+  };
 }
 
-const SERVICES = [{
-  name: "storage",
-  title: "Storage",
-  description: "IPFS Upload and Download",
-  actions: [{
-    name: "read",
-    title: "Download",
-    description: "Download a file from Storage"
-  }, {
-    name: "write",
-    title: "Upload",
-    description: "Upload a file to Storage"
-  }]
-}, {
-  name: "rpc",
-  title: "RPC",
-  description: "Accelerated RPC Edge",
-  // all actions allowed
-  actions: []
-}, {
-  name: "bundler",
-  title: "Smart Wallets",
-  description: "Bundler & Paymaster services",
-  // all actions allowed
-  actions: []
-}];
 function getServiceByName(name) {
   return SERVICES.find(srv => srv.name === name);
 }
 
 exports.SERVICES = SERVICES;
+exports.SERVICE_NAMES = SERVICE_NAMES;
+exports.authorizeCFWorkerService = authorizeCFWorkerService;
 exports.authorizeNodeService = authorizeNodeService;
-exports.authorizeWorkerService = authorizeWorkerService;
 exports.getServiceByName = getServiceByName;
+exports.hashClientId = hashClientId;
+exports.hashSecret = hashSecret;