@thirdweb-dev/service-utils 0.1.1-nightly-4915ac50-20230714041125 → 0.2.0-nightly-5eb6fc1b-20230714082745

package/dist/thirdweb-dev-service-utils.cjs.prod.js

@@ -2,290 +2,11 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-const SERVICE_DEFINITIONS = {
-  storage: {
-    name: "storage",
-    title: "Storage",
-    description: "IPFS Upload and Download",
-    actions: [{
-      name: "read",
-      title: "Download",
-      description: "Download a file from Storage"
-    }, {
-      name: "write",
-      title: "Upload",
-      description: "Upload a file to Storage"
-    }]
-  },
-  rpc: {
-    name: "rpc",
-    title: "RPC",
-    description: "Accelerated RPC Edge",
-    // all actions allowed
-    actions: []
-  },
-  bundler: {
-    name: "bundler",
-    title: "Smart Wallets",
-    description: "Bundler & Paymaster services",
-    // all actions allowed
-    actions: []
-  },
-  relayer: {
-    name: "relayer",
-    title: "Gasless Relayer",
-    description: "Enable gasless transactions",
-    // all actions allowed
-    actions: []
-  }
-};
-const SERVICE_NAMES = Object.keys(SERVICE_DEFINITIONS);
-const SERVICES = Object.values(SERVICE_DEFINITIONS);
-function getServiceByName(name) {
-  return SERVICE_DEFINITIONS[name];
-}
+var services = require('./services-9e185105.cjs.prod.js');
 
-async function authorizeCFWorkerService(options) {
-  const {
-    kvStore,
-    ctx,
-    authOptions,
-    serviceConfig,
-    validations
-  } = options;
-  const {
-    clientId
-  } = authOptions;
-  let cachedKey;
 
-  // first, check if the key is in KV
-  try {
-    const kvKey = await kvStore.get(clientId);
-    if (kvKey) {
-      cachedKey = JSON.parse(kvKey);
-    }
-  } catch (err) {
-    // ignore JSON parse, assuming not valid
-  }
-  const updateKv = async keyData => {
-    kvStore.put(clientId, JSON.stringify(keyData), {
-      expirationTtl: serviceConfig.cacheTtl || 60
-    });
-  };
-  return authorize({
-    authOptions,
-    serviceConfig: {
-      ...serviceConfig,
-      cachedKey,
-      onRefetchComplete: keyData => {
-        ctx.waitUntil(updateKv(keyData));
-      }
-    },
-    validations
-  });
-}
-async function authorizeNodeService(options) {
-  const {
-    authOptions,
-    serviceConfig,
-    validations
-  } = options;
-  return authorize({
-    authOptions,
-    serviceConfig,
-    validations
-  });
-}
 
-/**
- * Authorizes a request for a given client ID
- *
- * @returns The Promise AuthorizationResponse
- */
-async function authorize(options) {
-  try {
-    const {
-      authOptions,
-      serviceConfig,
-      validations
-    } = options;
-    const {
-      clientId
-    } = authOptions;
-    const {
-      apiUrl,
-      scope,
-      serviceKey,
-      cachedKey,
-      onRefetchComplete
-    } = serviceConfig;
-    let keyData = cachedKey;
-
-    // no cached key, re-fetch from API
-    if (!keyData) {
-      const response = await fetch(`${apiUrl}/v1/keys/use?scope=${scope}&clientId=${clientId}`, {
-        method: "GET",
-        headers: {
-          "x-service-api-key": serviceKey,
-          "content-type": "application/json"
-        }
-      });
-      const apiResponse = await response.json();
-      if (!response.ok) {
-        const {
-          error
-        } = apiResponse;
-        return {
-          authorized: false,
-          errorMessage: error.message,
-          errorCode: error.code || "",
-          statusCode: error.statusCode || 401
-        };
-      }
-      keyData = apiResponse.data;
-      if (onRefetchComplete) {
-        onRefetchComplete(keyData);
-      }
-    }
-
-    //
-    // Run validations
-    //
-    const authResponse = authAccess(authOptions, keyData);
-    if (!authResponse?.authorized) {
-      return authResponse;
-    }
-    const authzResponse = authzServices(validations, keyData, scope);
-    if (!authzResponse?.authorized) {
-      return authzResponse;
-    }
-    // FIXME: validate bundleId
-
-    return {
-      authorized: true,
-      data: keyData
-    };
-  } catch (err) {
-    console.error("Failed to authorize this key.", err);
-    return {
-      authorized: false,
-      errorMessage: "Internal error",
-      errorCode: "INTERNAL_ERROR",
-      statusCode: 500
-    };
-  }
-}
-function authAccess(authOptions, apiKey) {
-  const {
-    origin,
-    secretHash: providedSecretHash
-  } = authOptions;
-  const {
-    domains,
-    secretHash
-  } = apiKey;
-  if (providedSecretHash) {
-    if (secretHash !== providedSecretHash) {
-      return {
-        authorized: false,
-        errorMessage: "The secret is invalid.",
-        errorCode: "SECRET_INVALID",
-        statusCode: 401
-      };
-    }
-    return {
-      authorized: true
-    };
-  }
-
-  // validate domains
-  if (origin) {
-    if (
-    // find matching domain, or if all domains allowed
-    domains.find(d => {
-      if (d === "*") {
-        return true;
-      }
-
-      // If the allowedDomain has a wildcard,
-      // we'll check that the ending of our domain matches the wildcard
-      if (d.startsWith("*.")) {
-        const domainRoot = d.slice(2);
-        return origin.endsWith(domainRoot);
-      }
-
-      // If there's no wildcard, we'll check for an exact match
-      return d === origin;
-    })) {
-      return {
-        authorized: true
-      };
-    }
-    return {
-      authorized: false,
-      errorMessage: "The origin is not authorized for this key.",
-      errorCode: "ORIGIN_UNAUTHORIZED",
-      statusCode: 401
-    };
-  }
-
-  // FIXME: validate bundle id
-  return {
-    authorized: false,
-    errorMessage: "The keys are invalid.",
-    errorCode: "UNAUTHORIZED",
-    statusCode: 401
-  };
-}
-function authzServices(validations, apiKey, scope) {
-  const {
-    services
-  } = apiKey;
-  const {
-    serviceTargetAddresses,
-    serviceAction
-  } = validations;
-
-  // validate services
-  const service = services.find(srv => srv.name === scope);
-  if (!service) {
-    return {
-      authorized: false,
-      errorMessage: `The service "${scope}" is not authorized for this key.`,
-      errorCode: "SERVICE_UNAUTHORIZED",
-      statusCode: 403
-    };
-  }
-
-  // validate service actions
-  if (serviceAction) {
-    if (!service.actions.includes(serviceAction)) {
-      return {
-        authorized: false,
-        errorMessage: `The service "${scope}" action "${serviceAction}" is not authorized for this key.`,
-        errorCode: "SERVICE_ACTION_UNAUTHORIZED",
-        statusCode: 403
-      };
-    }
-  }
-
-  // validate service target addresses
-  if (serviceTargetAddresses && !service.targetAddresses.find(addr => addr === "*" || serviceTargetAddresses.includes(addr))) {
-    return {
-      authorized: false,
-      errorMessage: `The service "${scope}" target address is not authorized for this key.`,
-      errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
-      statusCode: 403
-    };
-  }
-  return {
-    authorized: true
-  };
-}
-
-exports.SERVICES = SERVICES;
-exports.SERVICE_DEFINITIONS = SERVICE_DEFINITIONS;
-exports.SERVICE_NAMES = SERVICE_NAMES;
-exports.authorizeCFWorkerService = authorizeCFWorkerService;
-exports.authorizeNodeService = authorizeNodeService;
-exports.getServiceByName = getServiceByName;
+exports.SERVICES = services.SERVICES;
+exports.SERVICE_DEFINITIONS = services.SERVICE_DEFINITIONS;
+exports.SERVICE_NAMES = services.SERVICE_NAMES;
+exports.getServiceByName = services.getServiceByName;

package/dist/thirdweb-dev-service-utils.esm.js

@@ -1,282 +1 @@
-const SERVICE_DEFINITIONS = {
-  storage: {
-    name: "storage",
-    title: "Storage",
-    description: "IPFS Upload and Download",
-    actions: [{
-      name: "read",
-      title: "Download",
-      description: "Download a file from Storage"
-    }, {
-      name: "write",
-      title: "Upload",
-      description: "Upload a file to Storage"
-    }]
-  },
-  rpc: {
-    name: "rpc",
-    title: "RPC",
-    description: "Accelerated RPC Edge",
-    // all actions allowed
-    actions: []
-  },
-  bundler: {
-    name: "bundler",
-    title: "Smart Wallets",
-    description: "Bundler & Paymaster services",
-    // all actions allowed
-    actions: []
-  },
-  relayer: {
-    name: "relayer",
-    title: "Gasless Relayer",
-    description: "Enable gasless transactions",
-    // all actions allowed
-    actions: []
-  }
-};
-const SERVICE_NAMES = Object.keys(SERVICE_DEFINITIONS);
-const SERVICES = Object.values(SERVICE_DEFINITIONS);
-function getServiceByName(name) {
-  return SERVICE_DEFINITIONS[name];
-}
-
-async function authorizeCFWorkerService(options) {
-  const {
-    kvStore,
-    ctx,
-    authOptions,
-    serviceConfig,
-    validations
-  } = options;
-  const {
-    clientId
-  } = authOptions;
-  let cachedKey;
-
-  // first, check if the key is in KV
-  try {
-    const kvKey = await kvStore.get(clientId);
-    if (kvKey) {
-      cachedKey = JSON.parse(kvKey);
-    }
-  } catch (err) {
-    // ignore JSON parse, assuming not valid
-  }
-  const updateKv = async keyData => {
-    kvStore.put(clientId, JSON.stringify(keyData), {
-      expirationTtl: serviceConfig.cacheTtl || 60
-    });
-  };
-  return authorize({
-    authOptions,
-    serviceConfig: {
-      ...serviceConfig,
-      cachedKey,
-      onRefetchComplete: keyData => {
-        ctx.waitUntil(updateKv(keyData));
-      }
-    },
-    validations
-  });
-}
-async function authorizeNodeService(options) {
-  const {
-    authOptions,
-    serviceConfig,
-    validations
-  } = options;
-  return authorize({
-    authOptions,
-    serviceConfig,
-    validations
-  });
-}
-
-/**
- * Authorizes a request for a given client ID
- *
- * @returns The Promise AuthorizationResponse
- */
-async function authorize(options) {
-  try {
-    const {
-      authOptions,
-      serviceConfig,
-      validations
-    } = options;
-    const {
-      clientId
-    } = authOptions;
-    const {
-      apiUrl,
-      scope,
-      serviceKey,
-      cachedKey,
-      onRefetchComplete
-    } = serviceConfig;
-    let keyData = cachedKey;
-
-    // no cached key, re-fetch from API
-    if (!keyData) {
-      const response = await fetch(`${apiUrl}/v1/keys/use?scope=${scope}&clientId=${clientId}`, {
-        method: "GET",
-        headers: {
-          "x-service-api-key": serviceKey,
-          "content-type": "application/json"
-        }
-      });
-      const apiResponse = await response.json();
-      if (!response.ok) {
-        const {
-          error
-        } = apiResponse;
-        return {
-          authorized: false,
-          errorMessage: error.message,
-          errorCode: error.code || "",
-          statusCode: error.statusCode || 401
-        };
-      }
-      keyData = apiResponse.data;
-      if (onRefetchComplete) {
-        onRefetchComplete(keyData);
-      }
-    }
-
-    //
-    // Run validations
-    //
-    const authResponse = authAccess(authOptions, keyData);
-    if (!authResponse?.authorized) {
-      return authResponse;
-    }
-    const authzResponse = authzServices(validations, keyData, scope);
-    if (!authzResponse?.authorized) {
-      return authzResponse;
-    }
-    // FIXME: validate bundleId
-
-    return {
-      authorized: true,
-      data: keyData
-    };
-  } catch (err) {
-    console.error("Failed to authorize this key.", err);
-    return {
-      authorized: false,
-      errorMessage: "Internal error",
-      errorCode: "INTERNAL_ERROR",
-      statusCode: 500
-    };
-  }
-}
-function authAccess(authOptions, apiKey) {
-  const {
-    origin,
-    secretHash: providedSecretHash
-  } = authOptions;
-  const {
-    domains,
-    secretHash
-  } = apiKey;
-  if (providedSecretHash) {
-    if (secretHash !== providedSecretHash) {
-      return {
-        authorized: false,
-        errorMessage: "The secret is invalid.",
-        errorCode: "SECRET_INVALID",
-        statusCode: 401
-      };
-    }
-    return {
-      authorized: true
-    };
-  }
-
-  // validate domains
-  if (origin) {
-    if (
-    // find matching domain, or if all domains allowed
-    domains.find(d => {
-      if (d === "*") {
-        return true;
-      }
-
-      // If the allowedDomain has a wildcard,
-      // we'll check that the ending of our domain matches the wildcard
-      if (d.startsWith("*.")) {
-        const domainRoot = d.slice(2);
-        return origin.endsWith(domainRoot);
-      }
-
-      // If there's no wildcard, we'll check for an exact match
-      return d === origin;
-    })) {
-      return {
-        authorized: true
-      };
-    }
-    return {
-      authorized: false,
-      errorMessage: "The origin is not authorized for this key.",
-      errorCode: "ORIGIN_UNAUTHORIZED",
-      statusCode: 401
-    };
-  }
-
-  // FIXME: validate bundle id
-  return {
-    authorized: false,
-    errorMessage: "The keys are invalid.",
-    errorCode: "UNAUTHORIZED",
-    statusCode: 401
-  };
-}
-function authzServices(validations, apiKey, scope) {
-  const {
-    services
-  } = apiKey;
-  const {
-    serviceTargetAddresses,
-    serviceAction
-  } = validations;
-
-  // validate services
-  const service = services.find(srv => srv.name === scope);
-  if (!service) {
-    return {
-      authorized: false,
-      errorMessage: `The service "${scope}" is not authorized for this key.`,
-      errorCode: "SERVICE_UNAUTHORIZED",
-      statusCode: 403
-    };
-  }
-
-  // validate service actions
-  if (serviceAction) {
-    if (!service.actions.includes(serviceAction)) {
-      return {
-        authorized: false,
-        errorMessage: `The service "${scope}" action "${serviceAction}" is not authorized for this key.`,
-        errorCode: "SERVICE_ACTION_UNAUTHORIZED",
-        statusCode: 403
-      };
-    }
-  }
-
-  // validate service target addresses
-  if (serviceTargetAddresses && !service.targetAddresses.find(addr => addr === "*" || serviceTargetAddresses.includes(addr))) {
-    return {
-      authorized: false,
-      errorMessage: `The service "${scope}" target address is not authorized for this key.`,
-      errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
-      statusCode: 403
-    };
-  }
-  return {
-    authorized: true
-  };
-}
-
-export { SERVICES, SERVICE_DEFINITIONS, SERVICE_NAMES, authorizeCFWorkerService, authorizeNodeService, getServiceByName };
+export { b as SERVICES, S as SERVICE_DEFINITIONS, a as SERVICE_NAMES, g as getServiceByName } from './services-86283509.esm.js';

package/node/dist/thirdweb-dev-service-utils-node.cjs.d.ts

@@ -0,0 +1,2 @@
+export * from "../../dist/declarations/src/node/index";
+//# sourceMappingURL=thirdweb-dev-service-utils-node.cjs.d.ts.map

package/node/dist/thirdweb-dev-service-utils-node.cjs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"thirdweb-dev-service-utils-node.cjs.d.ts","sourceRoot":"","sources":["../../dist/declarations/src/node/index.d.ts"],"names":[],"mappings":"AAAA"}

package/node/dist/thirdweb-dev-service-utils-node.cjs.dev.js

@@ -0,0 +1,113 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var node_crypto = require('node:crypto');
+var index = require('../../dist/index-fcf69a55.cjs.dev.js');
+var services = require('../../dist/services-a3f36057.cjs.dev.js');
+
+async function authorizeNode(authInput, serviceConfig) {
+  let authData;
+  try {
+    authData = extractAuthorizationData(authInput);
+  } catch (e) {
+    if (e instanceof Error && e.message === "KEY_CONFLICT") {
+      return {
+        authorized: false,
+        status: 400,
+        errorMessage: "Please pass either a client id or a secret key.",
+        errorCode: "KEY_CONFLICT"
+      };
+    }
+    return {
+      authorized: false,
+      status: 500,
+      errorMessage: "Internal Server Error",
+      errorCode: "INTERNAL_SERVER_ERROR"
+    };
+  }
+  return await index.authorize(authData, serviceConfig);
+}
+function getHeader(headers, headerName) {
+  const header = headers[headerName];
+  if (Array.isArray(header)) {
+    return header[0];
+  }
+  return header ?? null;
+}
+function extractAuthorizationData(authInput) {
+  if (!authInput.req.url) {
+    throw new Error("no req.url in authInput.req");
+  }
+  const requestUrl = new URL(authInput.req.url, authInput.req.headers.host);
+  const headers = authInput.req.headers;
+  const secretKey = getHeader(headers, "x-secret-key");
+  // prefer clientId that is explicitly passed in
+  let clientId = authInput.clientId ?? null;
+  if (!clientId) {
+    // next preference is clientId from header
+    clientId = getHeader(headers, "x-client-id");
+  }
+
+  // next preference is search param
+  if (!clientId) {
+    clientId = requestUrl.searchParams.get("clientId");
+  }
+  // bundle id from header is first preference
+  let bundleId = getHeader(headers, "x-bundle-id");
+
+  // next preference is search param
+  if (!bundleId) {
+    bundleId = requestUrl.searchParams.get("bundleId");
+  }
+  let origin = getHeader(headers, "origin");
+  // if origin header is not available we'll fall back to referrer;
+  if (!origin) {
+    origin = getHeader(headers, "referer");
+  }
+  // if we have an origin at this point, normalize it
+  if (origin) {
+    try {
+      origin = new URL(origin).hostname;
+    } catch (e) {
+      console.warn("failed to parse origin", origin, e);
+    }
+  }
+
+  // handle if we a secret key is passed in the headers
+  let secretKeyHash = null;
+  if (secretKey) {
+    // hash the secret key
+    secretKeyHash = hashSecretKey(secretKey);
+    // derive the client id from the secret key hash
+    const derivedClientId = deriveClientIdFromSecretKeyHash(secretKeyHash);
+    // if we already have a client id passed in we need to make sure they match
+    if (clientId && clientId !== derivedClientId) {
+      throw new Error("KEY_CONFLICT");
+    }
+    // otherwise set the client id to the derived client id (client id based off of secret key)
+    clientId = derivedClientId;
+  }
+  return {
+    secretKeyHash,
+    secretKey,
+    clientId,
+    origin,
+    bundleId
+  };
+}
+function hashSecretKey(secretKey) {
+  return node_crypto.createHash("sha256").update(secretKey).digest("hex");
+}
+function deriveClientIdFromSecretKeyHash(secretKeyHash) {
+  return secretKeyHash.slice(0, 32);
+}
+
+exports.SERVICES = services.SERVICES;
+exports.SERVICE_DEFINITIONS = services.SERVICE_DEFINITIONS;
+exports.SERVICE_NAMES = services.SERVICE_NAMES;
+exports.getServiceByName = services.getServiceByName;
+exports.authorizeNode = authorizeNode;
+exports.deriveClientIdFromSecretKeyHash = deriveClientIdFromSecretKeyHash;
+exports.extractAuthorizationData = extractAuthorizationData;
+exports.hashSecretKey = hashSecretKey;

package/node/dist/thirdweb-dev-service-utils-node.cjs.js

@@ -0,0 +1,7 @@
+'use strict';
+
+if (process.env.NODE_ENV === "production") {
+  module.exports = require("./thirdweb-dev-service-utils-node.cjs.prod.js");
+} else {
+  module.exports = require("./thirdweb-dev-service-utils-node.cjs.dev.js");
+}