npm - @thirdweb-dev/service-utils - Versions diffs - 0.1.1-nightly-4915ac50-20230714041125 → 0.2.0-nightly-5eb6fc1b-20230714082745 - Mend

@thirdweb-dev/service-utils 0.1.1-nightly-4915ac50-20230714041125 → 0.2.0-nightly-5eb6fc1b-20230714082745

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/dist/index-294e111f.esm.js ADDED Viewed

@@ -0,0 +1,252 @@
+async function fetchKeyMetadataFromApi(clientId, config) {
+  const {
+    apiUrl,
+    serviceScope,
+    serviceApiKey
+  } = config;
+  const url = new URL(`${apiUrl}/v1/keys/use`);
+  url.searchParams.set("clientId", clientId);
+  url.searchParams.set("scope", serviceScope);
+  const response = await fetch(url, {
+    method: "GET",
+    headers: {
+      "x-service-api-key": serviceApiKey,
+      "content-type": "application/json"
+    }
+  });
+  if (!response.ok) {
+    throw new Error(`Error fetching key metadata from API: ${response.statusText}`);
+  }
+  return await response.json();
+}
+function authorizeClient(authOptions, apiKeyMeta) {
+  const {
+    origin,
+    secretKeyHash: providedSecretHash
+  } = authOptions;
+  const {
+    domains,
+    secretHash
+  } = apiKeyMeta;
+  if (providedSecretHash) {
+    if (secretHash !== providedSecretHash) {
+      return {
+        authorized: false,
+        errorMessage: "The secret is invalid.",
+        errorCode: "SECRET_INVALID",
+        status: 401
+      };
+    }
+    return {
+      authorized: true,
+      apiKeyMeta
+    };
+  }
+  // validate domains
+  if (origin) {
+    if (
+    // find matching domain, or if all domains allowed
+    domains.find(d => {
+      if (d === "*") {
+        return true;
+      }
+      // If the allowedDomain has a wildcard,
+      // we'll check that the ending of our domain matches the wildcard
+      if (d.startsWith("*.")) {
+        const domainRoot = d.slice(2);
+        return origin.endsWith(domainRoot);
+      }
+      // If there's no wildcard, we'll check for an exact match
+      return d === origin;
+    })) {
+      return {
+        authorized: true,
+        apiKeyMeta
+      };
+    }
+    return {
+      authorized: false,
+      errorMessage: "The origin is not authorized for this key.",
+      errorCode: "ORIGIN_UNAUTHORIZED",
+      status: 401
+    };
+  }
+  // FIXME: validate bundle id
+  return {
+    authorized: false,
+    errorMessage: "The keys are invalid.",
+    errorCode: "UNAUTHORIZED",
+    status: 401
+  };
+}
+function authorizeService(apikeyMetadata, serviceConfig, authorizationPayload) {
+  const {
+    services
+  } = apikeyMetadata;
+  // const { serviceTargetAddresses, serviceAction } = validations;
+  // validate services
+  const service = services.find(srv => srv.name === serviceConfig.serviceScope);
+  if (!service) {
+    return {
+      authorized: false,
+      errorMessage: `The service "${serviceConfig.serviceScope}" is not authorized for this key.`,
+      errorCode: "SERVICE_UNAUTHORIZED",
+      status: 403
+    };
+  }
+  // validate service actions
+  if (serviceConfig.serviceAction) {
+    const isActionAllowed = service.actions.includes(serviceConfig.serviceAction);
+    if (!isActionAllowed) {
+      return {
+        authorized: false,
+        errorMessage: `The service "${serviceConfig.serviceScope}" action "${serviceConfig.serviceAction}" is not authorized for this key.`,
+        errorCode: "SERVICE_ACTION_UNAUTHORIZED",
+        status: 403
+      };
+    }
+  }
+  // validate service target addresses
+  // the service has to pass in the target address for this to be validated
+  if (authorizationPayload?.targetAddress) {
+    const isTargetAddressAllowed = service.targetAddresses.includes(authorizationPayload.targetAddress);
+    if (!isTargetAddressAllowed) {
+      return {
+        authorized: false,
+        errorMessage: `The service "${serviceConfig.serviceScope}" target address "${authorizationPayload.targetAddress}" is not authorized for this key.`,
+        errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
+        status: 403
+      };
+    }
+  }
+  return {
+    authorized: true,
+    apiKeyMeta: apikeyMetadata
+  };
+}
+async function authorize(authData, serviceConfig, cacheOptions) {
+  // if we don't have a client id at this point we can't authorize
+  if (!authData.clientId) {
+    return {
+      authorized: false,
+      status: 401,
+      errorMessage: "Missing clientId or secretKey.",
+      errorCode: "MISSING_KEY"
+    };
+  }
+  let apiKeyMeta = null;
+  // if we have cache options we want to check the cache first
+  if (cacheOptions) {
+    try {
+      const cachedKey = await cacheOptions.get(authData.clientId);
+      if (cachedKey) {
+        const parsed = JSON.parse(cachedKey);
+        if ("updatedAt" in parsed) {
+          // we want to compare the updatedAt time to the current time
+          // if the difference is greater than the cacheTtl we want to ignore the cached data
+          const now = Date.now();
+          const diff = now - parsed.updatedAt;
+          const cacheTtl = cacheOptions.cacheTtlSeconds * 1000;
+          // only if the diff is less than the cacheTtl do we want to use the cached key
+          if (diff < cacheTtl * 1000) {
+            apiKeyMeta = parsed.apiKeyMeta;
+          }
+        } else {
+          apiKeyMeta = parsed;
+        }
+      }
+    } catch (err) {
+      // ignore errors, proceed as if not in cache
+    }
+  }
+  // if we don't have a cached key, fetch from the API
+  if (!apiKeyMeta) {
+    try {
+      const {
+        data,
+        error
+      } = await fetchKeyMetadataFromApi(authData.clientId, serviceConfig);
+      if (error) {
+        return {
+          authorized: false,
+          errorCode: error.code,
+          errorMessage: error.message,
+          status: error.statusCode
+        };
+      } else if (!data) {
+        return {
+          authorized: false,
+          errorCode: "NO_KEY",
+          errorMessage: "No error but also no key returned.",
+          status: 500
+        };
+      }
+      // if we have a key for sure then assign it
+      apiKeyMeta = data;
+      // cache the retrieved key if we have cache options
+      if (cacheOptions) {
+        // we await this always because it can be a promise or not
+        await cacheOptions.put(authData.clientId, data);
+      }
+    } catch (err) {
+      console.warn("failed to fetch key metadata from api", err);
+      return {
+        authorized: false,
+        status: 500,
+        errorMessage: "Failed to fetch key metadata.",
+        errorCode: "FAILED_TO_FETCH_KEY"
+      };
+    }
+  }
+  if (!apiKeyMeta) {
+    return {
+      authorized: false,
+      status: 401,
+      errorMessage: "Key is invalid.",
+      errorCode: "INVALID_KEY"
+    };
+  }
+  // now we can validate the key itself
+  const clientAuth = authorizeClient(authData, apiKeyMeta);
+  if (!clientAuth.authorized) {
+    return {
+      errorCode: clientAuth.errorCode,
+      authorized: false,
+      status: 401,
+      errorMessage: clientAuth.errorMessage
+    };
+  }
+  // if we've made it this far we need to check service specific authorization
+  const serviceAuth = authorizeService(apiKeyMeta, serviceConfig, {
+    targetAddress: authData.targetAddress
+  });
+  if (!serviceAuth.authorized) {
+    return {
+      errorCode: serviceAuth.errorCode,
+      authorized: false,
+      status: 403,
+      errorMessage: serviceAuth.errorMessage
+    };
+  }
+  // if we reach this point we are authorized!
+  return {
+    authorized: true,
+    apiKeyMeta
+  };
+}
+export { authorize as a };

package/dist/index-3060948e.cjs.prod.js ADDED Viewed

@@ -0,0 +1,254 @@
+'use strict';
+async function fetchKeyMetadataFromApi(clientId, config) {
+  const {
+    apiUrl,
+    serviceScope,
+    serviceApiKey
+  } = config;
+  const url = new URL(`${apiUrl}/v1/keys/use`);
+  url.searchParams.set("clientId", clientId);
+  url.searchParams.set("scope", serviceScope);
+  const response = await fetch(url, {
+    method: "GET",
+    headers: {
+      "x-service-api-key": serviceApiKey,
+      "content-type": "application/json"
+    }
+  });
+  if (!response.ok) {
+    throw new Error(`Error fetching key metadata from API: ${response.statusText}`);
+  }
+  return await response.json();
+}
+function authorizeClient(authOptions, apiKeyMeta) {
+  const {
+    origin,
+    secretKeyHash: providedSecretHash
+  } = authOptions;
+  const {
+    domains,
+    secretHash
+  } = apiKeyMeta;
+  if (providedSecretHash) {
+    if (secretHash !== providedSecretHash) {
+      return {
+        authorized: false,
+        errorMessage: "The secret is invalid.",
+        errorCode: "SECRET_INVALID",
+        status: 401
+      };
+    }
+    return {
+      authorized: true,
+      apiKeyMeta
+    };
+  }
+  // validate domains
+  if (origin) {
+    if (
+    // find matching domain, or if all domains allowed
+    domains.find(d => {
+      if (d === "*") {
+        return true;
+      }
+      // If the allowedDomain has a wildcard,
+      // we'll check that the ending of our domain matches the wildcard
+      if (d.startsWith("*.")) {
+        const domainRoot = d.slice(2);
+        return origin.endsWith(domainRoot);
+      }
+      // If there's no wildcard, we'll check for an exact match
+      return d === origin;
+    })) {
+      return {
+        authorized: true,
+        apiKeyMeta
+      };
+    }
+    return {
+      authorized: false,
+      errorMessage: "The origin is not authorized for this key.",
+      errorCode: "ORIGIN_UNAUTHORIZED",
+      status: 401
+    };
+  }
+  // FIXME: validate bundle id
+  return {
+    authorized: false,
+    errorMessage: "The keys are invalid.",
+    errorCode: "UNAUTHORIZED",
+    status: 401
+  };
+}
+function authorizeService(apikeyMetadata, serviceConfig, authorizationPayload) {
+  const {
+    services
+  } = apikeyMetadata;
+  // const { serviceTargetAddresses, serviceAction } = validations;
+  // validate services
+  const service = services.find(srv => srv.name === serviceConfig.serviceScope);
+  if (!service) {
+    return {
+      authorized: false,
+      errorMessage: `The service "${serviceConfig.serviceScope}" is not authorized for this key.`,
+      errorCode: "SERVICE_UNAUTHORIZED",
+      status: 403
+    };
+  }
+  // validate service actions
+  if (serviceConfig.serviceAction) {
+    const isActionAllowed = service.actions.includes(serviceConfig.serviceAction);
+    if (!isActionAllowed) {
+      return {
+        authorized: false,
+        errorMessage: `The service "${serviceConfig.serviceScope}" action "${serviceConfig.serviceAction}" is not authorized for this key.`,
+        errorCode: "SERVICE_ACTION_UNAUTHORIZED",
+        status: 403
+      };
+    }
+  }
+  // validate service target addresses
+  // the service has to pass in the target address for this to be validated
+  if (authorizationPayload?.targetAddress) {
+    const isTargetAddressAllowed = service.targetAddresses.includes(authorizationPayload.targetAddress);
+    if (!isTargetAddressAllowed) {
+      return {
+        authorized: false,
+        errorMessage: `The service "${serviceConfig.serviceScope}" target address "${authorizationPayload.targetAddress}" is not authorized for this key.`,
+        errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
+        status: 403
+      };
+    }
+  }
+  return {
+    authorized: true,
+    apiKeyMeta: apikeyMetadata
+  };
+}
+async function authorize(authData, serviceConfig, cacheOptions) {
+  // if we don't have a client id at this point we can't authorize
+  if (!authData.clientId) {
+    return {
+      authorized: false,
+      status: 401,
+      errorMessage: "Missing clientId or secretKey.",
+      errorCode: "MISSING_KEY"
+    };
+  }
+  let apiKeyMeta = null;
+  // if we have cache options we want to check the cache first
+  if (cacheOptions) {
+    try {
+      const cachedKey = await cacheOptions.get(authData.clientId);
+      if (cachedKey) {
+        const parsed = JSON.parse(cachedKey);
+        if ("updatedAt" in parsed) {
+          // we want to compare the updatedAt time to the current time
+          // if the difference is greater than the cacheTtl we want to ignore the cached data
+          const now = Date.now();
+          const diff = now - parsed.updatedAt;
+          const cacheTtl = cacheOptions.cacheTtlSeconds * 1000;
+          // only if the diff is less than the cacheTtl do we want to use the cached key
+          if (diff < cacheTtl * 1000) {
+            apiKeyMeta = parsed.apiKeyMeta;
+          }
+        } else {
+          apiKeyMeta = parsed;
+        }
+      }
+    } catch (err) {
+      // ignore errors, proceed as if not in cache
+    }
+  }
+  // if we don't have a cached key, fetch from the API
+  if (!apiKeyMeta) {
+    try {
+      const {
+        data,
+        error
+      } = await fetchKeyMetadataFromApi(authData.clientId, serviceConfig);
+      if (error) {
+        return {
+          authorized: false,
+          errorCode: error.code,
+          errorMessage: error.message,
+          status: error.statusCode
+        };
+      } else if (!data) {
+        return {
+          authorized: false,
+          errorCode: "NO_KEY",
+          errorMessage: "No error but also no key returned.",
+          status: 500
+        };
+      }
+      // if we have a key for sure then assign it
+      apiKeyMeta = data;
+      // cache the retrieved key if we have cache options
+      if (cacheOptions) {
+        // we await this always because it can be a promise or not
+        await cacheOptions.put(authData.clientId, data);
+      }
+    } catch (err) {
+      console.warn("failed to fetch key metadata from api", err);
+      return {
+        authorized: false,
+        status: 500,
+        errorMessage: "Failed to fetch key metadata.",
+        errorCode: "FAILED_TO_FETCH_KEY"
+      };
+    }
+  }
+  if (!apiKeyMeta) {
+    return {
+      authorized: false,
+      status: 401,
+      errorMessage: "Key is invalid.",
+      errorCode: "INVALID_KEY"
+    };
+  }
+  // now we can validate the key itself
+  const clientAuth = authorizeClient(authData, apiKeyMeta);
+  if (!clientAuth.authorized) {
+    return {
+      errorCode: clientAuth.errorCode,
+      authorized: false,
+      status: 401,
+      errorMessage: clientAuth.errorMessage
+    };
+  }
+  // if we've made it this far we need to check service specific authorization
+  const serviceAuth = authorizeService(apiKeyMeta, serviceConfig, {
+    targetAddress: authData.targetAddress
+  });
+  if (!serviceAuth.authorized) {
+    return {
+      errorCode: serviceAuth.errorCode,
+      authorized: false,
+      status: 403,
+      errorMessage: serviceAuth.errorMessage
+    };
+  }
+  // if we reach this point we are authorized!
+  return {
+    authorized: true,
+    apiKeyMeta
+  };
+}
+exports.authorize = authorize;