@thirdweb-dev/service-utils 0.5.0-nightly-6cf298a29-20240308012322 → 0.5.0

package/dist/cjs/cf-worker/index.js

@@ -0,0 +1,164 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authorizeWorker = authorizeWorker;
+exports.extractAuthorizationData = extractAuthorizationData;
+exports.hashSecretKey = hashSecretKey;
+exports.deriveClientIdFromSecretKeyHash = deriveClientIdFromSecretKeyHash;
+exports.logHttpRequest = logHttpRequest;
+const tslib_1 = require("tslib");
+const index_js_1 = require("../core/authorize/index.js");
+tslib_1.__exportStar(require("./usage.js"), exports);
+tslib_1.__exportStar(require("../core/services.js"), exports);
+tslib_1.__exportStar(require("../core/rateLimit/index.js"), exports);
+const DEFAULT_CACHE_TTL_SECONDS = 60;
+async function authorizeWorker(authInput, serviceConfig) {
+    let authData;
+    try {
+        authData = await extractAuthorizationData(authInput);
+    }
+    catch (e) {
+        if (e instanceof Error && e.message === "KEY_CONFLICT") {
+            return {
+                authorized: false,
+                status: 400,
+                errorMessage: "Please pass either a client id or a secret key.",
+                errorCode: "KEY_CONFLICT",
+            };
+        }
+        return {
+            authorized: false,
+            status: 500,
+            errorMessage: "Internal Server Error",
+            errorCode: "INTERNAL_SERVER_ERROR",
+        };
+    }
+    return await (0, index_js_1.authorize)(authData, serviceConfig, {
+        get: async (clientId) => serviceConfig.kvStore.get(clientId),
+        put: (clientId, data) => serviceConfig.ctx.waitUntil(serviceConfig.kvStore.put(clientId, JSON.stringify({
+            updatedAt: Date.now(),
+            data,
+        }), {
+            expirationTtl: serviceConfig.cacheTtlSeconds &&
+                serviceConfig.cacheTtlSeconds >= DEFAULT_CACHE_TTL_SECONDS
+                ? serviceConfig.cacheTtlSeconds
+                : DEFAULT_CACHE_TTL_SECONDS,
+        })),
+        cacheTtlSeconds: serviceConfig.cacheTtlSeconds ?? DEFAULT_CACHE_TTL_SECONDS,
+    });
+}
+async function extractAuthorizationData(authInput) {
+    const requestUrl = new URL(authInput.req.url);
+    const headers = authInput.req.headers;
+    const secretKey = headers.get("x-secret-key");
+    // prefer clientId that is explicitly passed in
+    let clientId = authInput.clientId ?? null;
+    if (!clientId) {
+        // next preference is clientId from header
+        clientId = headers.get("x-client-id");
+    }
+    // next preference is search param
+    if (!clientId) {
+        clientId = requestUrl.searchParams.get("clientId");
+    }
+    // bundle id from header is first preference
+    let bundleId = headers.get("x-bundle-id");
+    // next preference is search param
+    if (!bundleId) {
+        bundleId = requestUrl.searchParams.get("bundleId");
+    }
+    let ecosystemId = headers.get("x-ecosystem-id");
+    if (!ecosystemId) {
+        ecosystemId = requestUrl.searchParams.get("ecosystemId");
+    }
+    let ecosystemPartnerId = headers.get("x-ecosystem-partner-id");
+    if (!ecosystemPartnerId) {
+        ecosystemPartnerId = requestUrl.searchParams.get("ecosystemPartnerId");
+    }
+    let origin = headers.get("origin");
+    // if origin header is not available we'll fall back to referrer;
+    if (!origin) {
+        origin = headers.get("referer");
+    }
+    // if we have an origin at this point, normalize it
+    if (origin) {
+        try {
+            origin = new URL(origin).host;
+        }
+        catch (e) {
+            console.warn("failed to parse origin", origin, e);
+        }
+    }
+    // handle if we a secret key is passed in the headers
+    let secretKeyHash = null;
+    if (secretKey) {
+        // hash the secret key
+        secretKeyHash = await hashSecretKey(secretKey);
+        // derive the client id from the secret key hash
+        const derivedClientId = deriveClientIdFromSecretKeyHash(secretKeyHash);
+        // if we already have a client id passed in we need to make sure they match
+        if (clientId && clientId !== derivedClientId) {
+            throw new Error("KEY_CONFLICT");
+        }
+        // otherwise set the client id to the derived client id (client id based off of secret key)
+        clientId = derivedClientId;
+    }
+    let jwt = null;
+    if (headers.has("authorization")) {
+        const authHeader = headers.get("authorization");
+        if (authHeader) {
+            const [type, token] = authHeader.split(" ");
+            if (type?.toLowerCase() === "bearer" && !!token) {
+                jwt = token;
+            }
+        }
+    }
+    return {
+        jwt,
+        hashedJWT: jwt ? await hashSecretKey(jwt) : null,
+        secretKey,
+        clientId,
+        ecosystemId,
+        ecosystemPartnerId,
+        origin,
+        bundleId,
+        secretKeyHash,
+        targetAddress: authInput.targetAddress,
+    };
+}
+async function hashSecretKey(secretKey) {
+    return bufferToHex(await crypto.subtle.digest("SHA-256", new TextEncoder().encode(secretKey)));
+}
+function deriveClientIdFromSecretKeyHash(secretKeyHash) {
+    return secretKeyHash.slice(0, 32);
+}
+function bufferToHex(buffer) {
+    return [...new Uint8Array(buffer)]
+        .map((x) => x.toString(16).padStart(2, "0"))
+        .join("");
+}
+async function logHttpRequest({ clientId, req, res, isAuthed, statusMessage, latencyMs, }) {
+    try {
+        const authorizationData = await extractAuthorizationData({ req, clientId });
+        const headers = req.headers;
+        console.log(JSON.stringify({
+            method: req.method,
+            pathname: req.url,
+            hasSecretKey: !!authorizationData.secretKey,
+            hasClientId: !!authorizationData.clientId,
+            hasJwt: !!authorizationData.jwt,
+            clientId: authorizationData.clientId,
+            isAuthed,
+            status: res.status,
+            sdkName: headers.get("x-sdk-name") ?? undefined,
+            sdkVersion: headers.get("x-sdk-version") ?? undefined,
+            platform: headers.get("x-sdk-platform") ?? undefined,
+            os: headers.get("x-sdk-os") ?? undefined,
+            latencyMs,
+        }));
+        if (statusMessage) {
+            console.log(`statusMessage=${statusMessage}`);
+        }
+    }
+    catch { }
+}
+//# sourceMappingURL=index.js.map

package/dist/cjs/cf-worker/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/cf-worker/index.ts"],"names":[],"mappings":";;AA4BA,0CA6CC;AAED,4DAyFC;AAED,sCAIC;AAED,0EAEC;AAQD,wCAwCC;;AAvND,yDAAuD;AAKvD,qDAA2B;AAC3B,8DAAoC;AACpC,qEAA2C;AAQ3C,MAAM,yBAAyB,GAAG,EAAE,CAAC;AAM9B,KAAK,UAAU,eAAe,CACnC,SAAoB,EACpB,aAAkC;IAElC,IAAI,QAA4B,CAAC;IACjC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,wBAAwB,CAAC,SAAS,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,YAAY,KAAK,IAAI,CAAC,CAAC,OAAO,KAAK,cAAc,EAAE,CAAC;YACvD,OAAO;gBACL,UAAU,EAAE,KAAK;gBACjB,MAAM,EAAE,GAAG;gBACX,YAAY,EAAE,iDAAiD;gBAC/D,SAAS,EAAE,cAAc;aAC1B,CAAC;QACJ,CAAC;QACD,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,MAAM,EAAE,GAAG;YACX,YAAY,EAAE,uBAAuB;YACrC,SAAS,EAAE,uBAAuB;SACnC,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,IAAA,oBAAS,EAAC,QAAQ,EAAE,aAAa,EAAE;QAC9C,GAAG,EAAE,KAAK,EAAE,QAAgB,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;QACpE,GAAG,EAAE,CAAC,QAAgB,EAAE,IAA4B,EAAE,EAAE,CACtD,aAAa,CAAC,GAAG,CAAC,SAAS,CACzB,aAAa,CAAC,OAAO,CAAC,GAAG,CACvB,QAAQ,EACR,IAAI,CAAC,SAAS,CAAC;YACb,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,IAAI;SACL,CAAC,EACF;YACE,aAAa,EACX,aAAa,CAAC,eAAe;gBAC7B,aAAa,CAAC,eAAe,IAAI,yBAAyB;gBACxD,CAAC,CAAC,aAAa,CAAC,eAAe;gBAC/B,CAAC,CAAC,yBAAyB;SAChC,CACF,CACF;QACH,eAAe,EAAE,aAAa,CAAC,eAAe,IAAI,yBAAyB;KAC5E,CAAC,CAAC;AACL,CAAC;AAEM,KAAK,UAAU,wBAAwB,CAC5C,SAAoB;IAEpB,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC9C,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC;IACtC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAE9C,+CAA+C;IAC/C,IAAI,QAAQ,GAAG,SAAS,CAAC,QAAQ,IAAI,IAAI,CAAC;IAE1C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,0CAA0C;QAC1C,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IACxC,CAAC;IAED,kCAAkC;IAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IACD,4CAA4C;IAC5C,IAAI,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAE1C,kCAAkC;IAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAChD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,WAAW,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,kBAAkB,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IAC/D,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,kBAAkB,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IACzE,CAAC;IAED,IAAI,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACnC,iEAAiE;IACjE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAClC,CAAC;IACD,mDAAmD;IACnD,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC;QAChC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC,wBAAwB,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,IAAI,aAAa,GAAkB,IAAI,CAAC;IACxC,IAAI,SAAS,EAAE,CAAC;QACd,sBAAsB;QACtB,aAAa,GAAG,MAAM,aAAa,CAAC,SAAS,CAAC,CAAC;QAC/C,gDAAgD;QAChD,MAAM,eAAe,GAAG,+BAA+B,CAAC,aAAa,CAAC,CAAC;QACvE,2EAA2E;QAC3E,IAAI,QAAQ,IAAI,QAAQ,KAAK,eAAe,EAAE,CAAC;YAC7C,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;QACD,2FAA2F;QAC3F,QAAQ,GAAG,eAAe,CAAC;IAC7B,CAAC;IAED,IAAI,GAAG,GAAkB,IAAI,CAAC;IAC9B,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;QACjC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAChD,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC5C,IAAI,IAAI,EAAE,WAAW,EAAE,KAAK,QAAQ,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;gBAChD,GAAG,GAAG,KAAK,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,GAAG;QACH,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC,MAAM,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;QAChD,SAAS;QACT,QAAQ;QACR,WAAW;QACX,kBAAkB;QAClB,MAAM;QACN,QAAQ;QACR,aAAa;QACb,aAAa,EAAE,SAAS,CAAC,aAAa;KACvC,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,aAAa,CAAC,SAAiB;IACnD,OAAO,WAAW,CAChB,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAC3E,CAAC;AACJ,CAAC;AAED,SAAgB,+BAA+B,CAAC,aAAqB;IACnE,OAAO,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,WAAW,CAAC,MAAmB;IACtC,OAAO,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;SAC/B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAEM,KAAK,UAAU,cAAc,CAAC,EACnC,QAAQ,EACR,GAAG,EACH,GAAG,EACH,QAAQ,EACR,aAAa,EACb,SAAS,GAQV;IACC,IAAI,CAAC;QACH,MAAM,iBAAiB,GAAG,MAAM,wBAAwB,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC5E,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;QAE5B,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CAAC;YACb,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,QAAQ,EAAE,GAAG,CAAC,GAAG;YACjB,YAAY,EAAE,CAAC,CAAC,iBAAiB,CAAC,SAAS;YAC3C,WAAW,EAAE,CAAC,CAAC,iBAAiB,CAAC,QAAQ;YACzC,MAAM,EAAE,CAAC,CAAC,iBAAiB,CAAC,GAAG;YAC/B,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;YACpC,QAAQ;YACR,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,SAAS;YAC/C,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,SAAS;YACrD,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,SAAS;YACpD,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,SAAS;YACxC,SAAS;SACV,CAAC,CACH,CAAC;QACF,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,iBAAiB,aAAa,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;AACZ,CAAC"}

package/dist/cjs/cf-worker/usage.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.publishUsageEvents = publishUsageEvents;
+const aws4fetch_1 = require("aws4fetch");
+const usage_js_1 = require("../core/usage.js");
+// Initialize a singleton for AWS usage.
+let _aws;
+function getAws(options) {
+    if (!_aws) {
+        _aws = new aws4fetch_1.AwsClient(options);
+    }
+    return _aws;
+}
+/**
+ * Publish usage events. Provide the relevant fields for your application.
+ *
+ * Usage in Cloudflare Workers:
+ *    ctx.waitUntil(
+ *      publishUsageEvents(
+ *        [event1, event2],
+ *        { queueUrl, accessKeyId, secretAccessKey },
+ *      )
+ *    )
+ *
+ * @param usageEvents
+ * @param config
+ */
+async function publishUsageEvents(usageEvents, config) {
+    const { queueUrl, accessKeyId, secretAccessKey, region = "us-west-2", } = config;
+    const entries = usageEvents.map((event) => {
+        // Enforce schema of usage event.
+        const parsed = usage_js_1.usageEventSchema.parse(event);
+        return {
+            Id: crypto.randomUUID(),
+            MessageBody: JSON.stringify(parsed),
+        };
+    });
+    const aws = getAws({
+        accessKeyId,
+        secretAccessKey,
+        region,
+    });
+    await aws.fetch(`https://sqs.${region}.amazonaws.com`, {
+        headers: {
+            "X-Amz-Target": "AmazonSQS.SendMessageBatch",
+            "X-Amz-Date": new Date().toISOString(),
+            "Content-Type": "application/x-amz-json-1.0",
+        },
+        body: JSON.stringify({
+            QueueUrl: queueUrl,
+            Entries: entries,
+        }),
+    });
+}
+//# sourceMappingURL=usage.js.map

package/dist/cjs/cf-worker/usage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"usage.js","sourceRoot":"","sources":["../../../src/cf-worker/usage.ts"],"names":[],"mappings":";;AAsES,gDAAkB;AAtE3B,yCAAsC;AACtC,+CAAqE;AAGrE,wCAAwC;AACxC,IAAI,IAA2B,CAAC;AAChC,SAAS,MAAM,CAAC,OAAmD;IACjE,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,GAAG,IAAI,qBAAS,CAAC,OAAO,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,kBAAkB,CAC/B,WAAyB,EACzB,MAKC;IAED,MAAM,EACJ,QAAQ,EACR,WAAW,EACX,eAAe,EACf,MAAM,GAAG,WAAW,GACrB,GAAG,MAAM,CAAC;IAEX,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACxC,iCAAiC;QACjC,MAAM,MAAM,GAAG,2BAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC7C,OAAO;YACL,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;YACvB,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;SACpC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,MAAM,CAAC;QACjB,WAAW;QACX,eAAe;QACf,MAAM;KACP,CAAC,CAAC;IACH,MAAM,GAAG,CAAC,KAAK,CAAC,eAAe,MAAM,gBAAgB,EAAE;QACrD,OAAO,EAAE;YACP,cAAc,EAAE,4BAA4B;YAC5C,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACtC,cAAc,EAAE,4BAA4B;SAC7C;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,OAAO;SACjB,CAAC;KACH,CAAC,CAAC;AACL,CAAC"}

package/dist/cjs/core/api.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchTeamAndProject = fetchTeamAndProject;
+exports.updateRateLimitedAt = updateRateLimitedAt;
+async function fetchTeamAndProject(authData, config) {
+    const { apiUrl, serviceApiKey } = config;
+    const clientId = authData.clientId;
+    const url = `${apiUrl}/v2/keys/use${clientId ? `?clientId=${clientId}` : ""}`;
+    const response = await fetch(url, {
+        method: "GET",
+        headers: {
+            ...(authData.secretKey ? { "x-secret-key": authData.secretKey } : {}),
+            ...(authData.jwt ? { Authorization: `Bearer ${authData.jwt}` } : {}),
+            "x-service-api-key": serviceApiKey,
+            "content-type": "application/json",
+        },
+    });
+    let text = "";
+    try {
+        text = await response.text();
+        return JSON.parse(text);
+    }
+    catch {
+        throw new Error(`Error fetching key metadata from API: ${response.status} - ${text}`);
+    }
+}
+async function updateRateLimitedAt(projectId, config) {
+    const { apiUrl, serviceScope: scope, serviceApiKey } = config;
+    const url = `${apiUrl}/usage/rateLimit`;
+    await fetch(url, {
+        method: "PUT",
+        headers: {
+            "x-service-api-key": serviceApiKey,
+            "content-type": "application/json",
+        },
+        body: JSON.stringify({
+            apiKeyId: projectId, // projectId is the apiKeyId
+            scope,
+        }),
+    });
+}
+//# sourceMappingURL=api.js.map

package/dist/cjs/core/api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.js","sourceRoot":"","sources":["../../../src/core/api.ts"],"names":[],"mappings":";;AAuIA,kDA2BC;AAED,kDAmBC;AAhDM,KAAK,UAAU,mBAAmB,CACvC,QAA4B,EAC5B,MAAyB;IAEzB,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC;IAEzC,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC;IACnC,MAAM,GAAG,GAAG,GAAG,MAAM,eAAe,QAAQ,CAAC,CAAC,CAAC,aAAa,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,KAAK;QACb,OAAO,EAAE;YACP,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrE,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,UAAU,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpE,mBAAmB,EAAE,aAAa;YAClC,cAAc,EAAE,kBAAkB;SACnC;KACF,CAAC,CAAC;IAEH,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,yCAAyC,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CACrE,CAAC;IACJ,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,mBAAmB,CACvC,SAAiB,EACjB,MAAyB;IAEzB,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC;IAE9D,MAAM,GAAG,GAAG,GAAG,MAAM,kBAAkB,CAAC;IAExC,MAAM,KAAK,CAAC,GAAG,EAAE;QACf,MAAM,EAAE,KAAK;QACb,OAAO,EAAE;YACP,mBAAmB,EAAE,aAAa;YAClC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,QAAQ,EAAE,SAAS,EAAE,4BAA4B;YACjD,KAAK;SACN,CAAC;KACH,CAAC,CAAC;AACL,CAAC"}

package/dist/cjs/core/authorize/client.js

@@ -0,0 +1,98 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authorizeClient = authorizeClient;
+exports.authorizeDomain = authorizeDomain;
+exports.authorizeBundleId = authorizeBundleId;
+function authorizeClient(authOptions, teamAndProjectResponse) {
+    const { origin, bundleId } = authOptions;
+    const { team, project } = teamAndProjectResponse;
+    const authResult = {
+        authorized: true,
+        team,
+        project,
+    };
+    if (!project) {
+        return authResult;
+    }
+    // check for public restrictions
+    if (project.domains.includes("*")) {
+        return authResult;
+    }
+    // validate domains
+    if (origin) {
+        if (authorizeDomain({
+            domains: project.domains,
+            origin,
+        })) {
+            return authResult;
+        }
+        return {
+            authorized: false,
+            errorMessage: `Invalid request: Unauthorized domain: ${origin}. You can view the restrictions on this API key at https://thirdweb.com/create-api-key`,
+            errorCode: "ORIGIN_UNAUTHORIZED",
+            status: 401,
+        };
+    }
+    // validate bundleId
+    if (bundleId) {
+        if (authorizeBundleId({
+            bundleIds: project.bundleIds,
+            bundleId,
+        })) {
+            return authResult;
+        }
+        return {
+            authorized: false,
+            errorMessage: `Invalid request: Unauthorized Bundle ID: ${bundleId}. You can view the restrictions on this API key at https://thirdweb.com/create-api-key`,
+            errorCode: "BUNDLE_UNAUTHORIZED",
+            status: 401,
+        };
+    }
+    return {
+        authorized: false,
+        errorMessage: "The keys are invalid. Please check the secret-key/clientId and try again.",
+        errorCode: "UNAUTHORIZED",
+        status: 401,
+    };
+}
+// Exposed for use in validating ecosystem partners settings
+function authorizeDomain({ domains, origin, }) {
+    // find matching domain, or if all domains allowed
+    // embedded-wallet.thirdweb(-dev).com is automatically allowed
+    // because the rpc is passed from user's domain to embedded-wallet.thirdweb.com iframe for use.
+    // Note this doesn't allow embedded-wallets from being used if it's disabled. The service check that runs after enforces that.
+    return !![
+        ...domains,
+        "embedded-wallet.thirdweb.com",
+        "embedded-wallet.thirdweb-dev.com",
+    ].find((d) => {
+        // if any domain is allowed, we'll return true
+        if (d === "*") {
+            return true;
+        }
+        // special rule for `localhost`
+        // if the domain is localhost, we'll allow any origin that starts with localhost
+        if (d === "localhost" && origin.startsWith("localhost")) {
+            return true;
+        }
+        // If the allowedDomain has a wildcard,
+        // we'll check that the ending of our domain matches the wildcard
+        if (d.startsWith("*.")) {
+            // get rid of the * and check if it ends with the `.<domain>.<tld>`
+            const domainRoot = d.slice(1);
+            return origin.endsWith(domainRoot);
+        }
+        // If there's no wildcard, we'll check for an exact match
+        return d === origin;
+    });
+}
+function authorizeBundleId({ bundleIds, bundleId, }) {
+    // find matching bundle id, or if all bundles allowed
+    return !!bundleIds.find((b) => {
+        if (b === "*") {
+            return true;
+        }
+        return b === bundleId;
+    });
+}
+//# sourceMappingURL=client.js.map

package/dist/cjs/core/authorize/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../../src/core/authorize/client.ts"],"names":[],"mappings":";;AASA,0CAmEC;AAGD,0CAmCC;AAED,8CAYC;AAvHD,SAAgB,eAAe,CAC7B,WAAuC,EACvC,sBAA8C;IAE9C,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,WAAW,CAAC;IACzC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,sBAAsB,CAAC;IAEjD,MAAM,UAAU,GAAwB;QACtC,UAAU,EAAE,IAAI;QAChB,IAAI;QACJ,OAAO;KACR,CAAC;IAEF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,gCAAgC;IAChC,IAAI,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,mBAAmB;IACnB,IAAI,MAAM,EAAE,CAAC;QACX,IACE,eAAe,CAAC;YACd,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,MAAM;SACP,CAAC,EACF,CAAC;YACD,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,YAAY,EAAE,yCAAyC,MAAM,wFAAwF;YACrJ,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,oBAAoB;IACpB,IAAI,QAAQ,EAAE,CAAC;QACb,IACE,iBAAiB,CAAC;YAChB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,QAAQ;SACT,CAAC,EACF,CAAC;YACD,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,YAAY,EAAE,4CAA4C,QAAQ,wFAAwF;YAC1J,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,OAAO;QACL,UAAU,EAAE,KAAK;QACjB,YAAY,EACV,2EAA2E;QAC7E,SAAS,EAAE,cAAc;QACzB,MAAM,EAAE,GAAG;KACZ,CAAC;AACJ,CAAC;AAED,4DAA4D;AAC5D,SAAgB,eAAe,CAAC,EAC9B,OAAO,EACP,MAAM,GACgC;IACtC,kDAAkD;IAClD,8DAA8D;IAC9D,+FAA+F;IAC/F,8HAA8H;IAC9H,OAAO,CAAC,CAAC;QACP,GAAG,OAAO;QACV,8BAA8B;QAC9B,kCAAkC;KACnC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;QACX,8CAA8C;QAC9C,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACd,OAAO,IAAI,CAAC;QACd,CAAC;QAED,+BAA+B;QAC/B,gFAAgF;QAChF,IAAI,CAAC,KAAK,WAAW,IAAI,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YACxD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,uCAAuC;QACvC,iEAAiE;QACjE,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,mEAAmE;YACnE,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC9B,OAAO,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QACrC,CAAC;QAED,yDAAyD;QACzD,OAAO,CAAC,KAAK,MAAM,CAAC;IACtB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAgB,iBAAiB,CAAC,EAChC,SAAS,EACT,QAAQ,GACkC;IAC1C,qDAAqD;IACrD,OAAO,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;QAC5B,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACd,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,CAAC,KAAK,QAAQ,CAAC;IACxB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/cjs/core/authorize/index.js

@@ -0,0 +1,109 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authorize = authorize;
+const api_js_1 = require("../api.js");
+const client_js_1 = require("./client.js");
+const service_js_1 = require("./service.js");
+async function authorize(authData, serviceConfig, cacheOptions) {
+    let teamAndProjectResponse = null;
+    const cacheKey = `key_v2_${authData.clientId ?? authData.secretKeyHash ?? authData.hashedJWT}`;
+    // TODO if we have cache options we want to check the cache first
+    if (cacheOptions) {
+        try {
+            const cachedKey = await cacheOptions.get(cacheKey);
+            if (cachedKey) {
+                const parsed = JSON.parse(cachedKey);
+                if ("updatedAt" in parsed) {
+                    // we want to compare the updatedAt time to the current time
+                    // if the difference is greater than the cacheTtl we want to ignore the cached data
+                    const now = Date.now();
+                    const diff = now - parsed.updatedAt;
+                    const cacheTtlMs = cacheOptions.cacheTtlSeconds * 1000;
+                    // only if the diff is less than the cacheTtl do we want to use the cached key
+                    if (diff < cacheTtlMs) {
+                        teamAndProjectResponse = parsed.teamAndProjectResponse;
+                    }
+                }
+                else {
+                    teamAndProjectResponse = parsed;
+                }
+            }
+        }
+        catch {
+            // ignore errors, proceed as if not in cache
+        }
+    }
+    // if we don't have a cached key, fetch from the API
+    if (!teamAndProjectResponse) {
+        try {
+            const { data, error } = await (0, api_js_1.fetchTeamAndProject)(authData, serviceConfig);
+            if (error) {
+                return {
+                    authorized: false,
+                    errorCode: error.code,
+                    errorMessage: error.message,
+                    status: error.statusCode,
+                };
+            }
+            if (!data) {
+                return {
+                    authorized: false,
+                    errorCode: "NO_KEY",
+                    errorMessage: "No error but also no key returned.",
+                    status: 500,
+                };
+            }
+            // if we have a key for sure then assign it
+            teamAndProjectResponse = data;
+            // cache the retrieved key if we have cache options
+            if (cacheOptions) {
+                // we await this always because it can be a promise or not
+                await cacheOptions.put(cacheKey, data);
+            }
+        }
+        catch (err) {
+            console.warn("failed to fetch key metadata from api", err);
+            return {
+                authorized: false,
+                status: 500,
+                errorMessage: "Failed to fetch key metadata. Please check your secret-key/clientId.",
+                errorCode: "FAILED_TO_FETCH_KEY",
+            };
+        }
+    }
+    if (!teamAndProjectResponse) {
+        return {
+            authorized: false,
+            status: 401,
+            errorMessage: "Key is invalid. Please check your secret-key/clientId.",
+            errorCode: "INVALID_KEY",
+        };
+    }
+    // now we can validate the key itself
+    const clientAuth = (0, client_js_1.authorizeClient)(authData, teamAndProjectResponse);
+    if (!clientAuth.authorized) {
+        return {
+            errorCode: clientAuth.errorCode,
+            authorized: false,
+            status: 401,
+            errorMessage: clientAuth.errorMessage,
+        };
+    }
+    // if we've made it this far we need to check service specific authorization
+    const serviceAuth = (0, service_js_1.authorizeService)(teamAndProjectResponse, serviceConfig);
+    if (!serviceAuth.authorized) {
+        return {
+            errorCode: serviceAuth.errorCode,
+            authorized: false,
+            status: 403,
+            errorMessage: serviceAuth.errorMessage,
+        };
+    }
+    // if we reach this point we are authorized!
+    return {
+        authorized: true,
+        team: teamAndProjectResponse.team,
+        project: teamAndProjectResponse.project,
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/cjs/core/authorize/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/core/authorize/index.ts"],"names":[],"mappings":";;AAqCA,8BAkHC;AAvJD,sCAImB;AACnB,2CAA8C;AAC9C,6CAAgD;AA+BzC,KAAK,UAAU,SAAS,CAC7B,QAA4B,EAC5B,aAAgC,EAChC,YAA2B;IAE3B,IAAI,sBAAsB,GAAkC,IAAI,CAAC;IACjE,MAAM,QAAQ,GAAG,UAAU,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,aAAa,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;IAC/F,iEAAiE;IACjE,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACnD,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,SAAS,CAC4B,CAAC;gBACxC,IAAI,WAAW,IAAI,MAAM,EAAE,CAAC;oBAC1B,4DAA4D;oBAC5D,mFAAmF;oBACnF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;oBACvB,MAAM,IAAI,GAAG,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC;oBACpC,MAAM,UAAU,GAAG,YAAY,CAAC,eAAe,GAAG,IAAI,CAAC;oBACvD,8EAA8E;oBAC9E,IAAI,IAAI,GAAG,UAAU,EAAE,CAAC;wBACtB,sBAAsB,GAAG,MAAM,CAAC,sBAAsB,CAAC;oBACzD,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,sBAAsB,GAAG,MAAM,CAAC;gBAClC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,4CAA4C;QAC9C,CAAC;IACH,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,IAAA,4BAAmB,EAC/C,QAAQ,EACR,aAAa,CACd,CAAC;YACF,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO;oBACL,UAAU,EAAE,KAAK;oBACjB,SAAS,EAAE,KAAK,CAAC,IAAI;oBACrB,YAAY,EAAE,KAAK,CAAC,OAAO;oBAC3B,MAAM,EAAE,KAAK,CAAC,UAAU;iBACzB,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO;oBACL,UAAU,EAAE,KAAK;oBACjB,SAAS,EAAE,QAAQ;oBACnB,YAAY,EAAE,oCAAoC;oBAClD,MAAM,EAAE,GAAG;iBACZ,CAAC;YACJ,CAAC;YACD,2CAA2C;YAC3C,sBAAsB,GAAG,IAAI,CAAC;YAE9B,mDAAmD;YACnD,IAAI,YAAY,EAAE,CAAC;gBACjB,0DAA0D;gBAC1D,MAAM,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,uCAAuC,EAAE,GAAG,CAAC,CAAC;YAC3D,OAAO;gBACL,UAAU,EAAE,KAAK;gBACjB,MAAM,EAAE,GAAG;gBACX,YAAY,EACV,sEAAsE;gBACxE,SAAS,EAAE,qBAAqB;aACjC,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,MAAM,EAAE,GAAG;YACX,YAAY,EAAE,wDAAwD;YACtE,SAAS,EAAE,aAAa;SACzB,CAAC;IACJ,CAAC;IACD,qCAAqC;IACrC,MAAM,UAAU,GAAG,IAAA,2BAAe,EAAC,QAAQ,EAAE,sBAAsB,CAAC,CAAC;IAErE,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC;QAC3B,OAAO;YACL,SAAS,EAAE,UAAU,CAAC,SAAS;YAC/B,UAAU,EAAE,KAAK;YACjB,MAAM,EAAE,GAAG;YACX,YAAY,EAAE,UAAU,CAAC,YAAY;SACtC,CAAC;IACJ,CAAC;IAED,4EAA4E;IAC5E,MAAM,WAAW,GAAG,IAAA,6BAAgB,EAAC,sBAAsB,EAAE,aAAa,CAAC,CAAC;IAE5E,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;QAC5B,OAAO;YACL,SAAS,EAAE,WAAW,CAAC,SAAS;YAChC,UAAU,EAAE,KAAK;YACjB,MAAM,EAAE,GAAG;YACX,YAAY,EAAE,WAAW,CAAC,YAAY;SACvC,CAAC;IACJ,CAAC;IAED,4CAA4C;IAC5C,OAAO;QACL,UAAU,EAAE,IAAI;QAChB,IAAI,EAAE,sBAAsB,CAAC,IAAI;QACjC,OAAO,EAAE,sBAAsB,CAAC,OAAO;KACxC,CAAC;AACJ,CAAC"}

package/dist/cjs/core/authorize/service.js

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authorizeService = authorizeService;
+function authorizeService(teamAndProjectResponse, serviceConfig) {
+    const { team, project } = teamAndProjectResponse;
+    if (!team.enabledScopes.includes(serviceConfig.serviceScope)) {
+        return {
+            authorized: false,
+            errorMessage: `Invalid request: Unauthorized service: ${serviceConfig.serviceScope}. You can view the restrictions for this team in your dashboard: https://thirdweb.com`,
+            errorCode: "SERVICE_UNAUTHORIZED",
+            status: 403,
+        };
+    }
+    if (!project) {
+        // acting on behalf of the team (ie. coming from dashboard), authorize
+        return {
+            authorized: true,
+            team,
+        };
+    }
+    // validate services
+    const services = project.services;
+    const service = services.find((srv) => srv.name === serviceConfig.serviceScope);
+    if (!service) {
+        return {
+            authorized: false,
+            errorMessage: `Invalid request: Unauthorized service: ${serviceConfig.serviceScope}. You can view the restrictions on this project in your dashboard: https://thirdweb.com`,
+            errorCode: "SERVICE_UNAUTHORIZED",
+            status: 403,
+        };
+    }
+    // validate service actions
+    if (serviceConfig.serviceAction) {
+        const isActionAllowed = service.actions.includes(serviceConfig.serviceAction);
+        if (!isActionAllowed) {
+            return {
+                authorized: false,
+                errorMessage: `Invalid request: Unauthorized action: ${serviceConfig.serviceScope} ${serviceConfig.serviceAction}. You can view the restrictions on this API key in your dashboard:  https://thirdweb.com/create-api-key`,
+                errorCode: "SERVICE_ACTION_UNAUTHORIZED",
+                status: 403,
+            };
+        }
+    }
+    return {
+        authorized: true,
+        team,
+        project,
+    };
+}
+//# sourceMappingURL=service.js.map

package/dist/cjs/core/authorize/service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.js","sourceRoot":"","sources":["../../../../src/core/authorize/service.ts"],"names":[],"mappings":";;AAGA,4CAyDC;AAzDD,SAAgB,gBAAgB,CAC9B,sBAA8C,EAC9C,aAAgC;IAEhC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,sBAAsB,CAAC;IAEjD,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,aAAa,CAAC,YAAY,CAAC,EAAE,CAAC;QAC7D,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,YAAY,EAAE,0CAA0C,aAAa,CAAC,YAAY,uFAAuF;YACzK,SAAS,EAAE,sBAAsB;YACjC,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,sEAAsE;QACtE,OAAO;YACL,UAAU,EAAE,IAAI;YAChB,IAAI;SACL,CAAC;IACJ,CAAC;IAED,oBAAoB;IACpB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAClC,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAC3B,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,CACjD,CAAC;IACF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,YAAY,EAAE,0CAA0C,aAAa,CAAC,YAAY,yFAAyF;YAC3K,SAAS,EAAE,sBAAsB;YACjC,MAAM,EAAE,GAAG;SACZ,CAAC;IACJ,CAAC;IAED,2BAA2B;IAC3B,IAAI,aAAa,CAAC,aAAa,EAAE,CAAC;QAChC,MAAM,eAAe,GAAI,OAAO,CAAC,OAAoB,CAAC,QAAQ,CAC5D,aAAa,CAAC,aAAa,CAC5B,CAAC;QACF,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,OAAO;gBACL,UAAU,EAAE,KAAK;gBACjB,YAAY,EAAE,yCAAyC,aAAa,CAAC,YAAY,IAAI,aAAa,CAAC,aAAa,yGAAyG;gBACzN,SAAS,EAAE,6BAA6B;gBACxC,MAAM,EAAE,GAAG;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,UAAU,EAAE,IAAI;QAChB,IAAI;QACJ,OAAO;KACR,CAAC;AACJ,CAAC"}

package/dist/cjs/core/authorize/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/cjs/core/authorize/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/core/authorize/types.ts"],"names":[],"mappings":""}

package/dist/cjs/core/rateLimit/index.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rateLimit = rateLimit;
+const api_js_1 = require("../api.js");
+const RATE_LIMIT_WINDOW_SECONDS = 10;
+async function rateLimit(args) {
+    const { project, limitPerSecond, serviceConfig, redis, sampleRate = 1.0, } = args;
+    const shouldSampleRequest = Math.random() < sampleRate;
+    if (!shouldSampleRequest) {
+        return {
+            rateLimited: false,
+            requestCount: 0,
+            rateLimit: 0,
+        };
+    }
+    if (limitPerSecond === 0) {
+        // No rate limit is provided. Assume the request is not rate limited.
+        return {
+            rateLimited: false,
+            requestCount: 0,
+            rateLimit: 0,
+        };
+    }
+    const serviceScope = serviceConfig.serviceScope;
+    // Gets the 10-second window for the current timestamp.
+    const timestampWindow = Math.floor(Date.now() / (1000 * RATE_LIMIT_WINDOW_SECONDS)) *
+        RATE_LIMIT_WINDOW_SECONDS;
+    const key = `rate-limit:${serviceScope}:${project?.id}:${timestampWindow}`;
+    // Increment and get the current request count in this window.
+    const requestCount = await redis.incr(key);
+    if (requestCount === 1) {
+        // For the first increment, set an expiration to clean up this key.
+        await redis.expire(key, RATE_LIMIT_WINDOW_SECONDS);
+    }
+    // Get the limit for this window accounting for the sample rate.
+    const limitPerWindow = limitPerSecond * sampleRate * RATE_LIMIT_WINDOW_SECONDS;
+    if (requestCount > limitPerWindow) {
+        // Report rate limit hits.
+        if (project?.id) {
+            await (0, api_js_1.updateRateLimitedAt)(project.id, serviceConfig);
+        }
+        // Reject requests when they've exceeded 2x the rate limit.
+        if (requestCount > 2 * limitPerWindow) {
+            return {
+                rateLimited: true,
+                requestCount,
+                rateLimit: limitPerWindow,
+                status: 429,
+                errorMessage: `You've exceeded your ${serviceScope} rate limit at ${limitPerSecond} reqs/sec. To get higher rate limits, contact us at https://thirdweb.com/contact-us.`,
+                errorCode: "RATE_LIMIT_EXCEEDED",
+            };
+        }
+    }
+    return {
+        rateLimited: false,
+        requestCount,
+        rateLimit: limitPerWindow,
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/cjs/core/rateLimit/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/core/rateLimit/index.ts"],"names":[],"mappings":";;AAeA,8BAiFC;AAhGD,sCAImB;AAGnB,MAAM,yBAAyB,GAAG,EAAE,CAAC;AAQ9B,KAAK,UAAU,SAAS,CAAC,IAW/B;IACC,MAAM,EACJ,OAAO,EACP,cAAc,EACd,aAAa,EACb,KAAK,EACL,UAAU,GAAG,GAAG,GACjB,GAAG,IAAI,CAAC;IAET,MAAM,mBAAmB,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,UAAU,CAAC;IACvD,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,OAAO;YACL,WAAW,EAAE,KAAK;YAClB,YAAY,EAAE,CAAC;YACf,SAAS,EAAE,CAAC;SACb,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,KAAK,CAAC,EAAE,CAAC;QACzB,qEAAqE;QACrE,OAAO;YACL,WAAW,EAAE,KAAK;YAClB,YAAY,EAAE,CAAC;YACf,SAAS,EAAE,CAAC;SACb,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,aAAa,CAAC,YAAY,CAAC;IAEhD,uDAAuD;IACvD,MAAM,eAAe,GACnB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,GAAG,yBAAyB,CAAC,CAAC;QAC3D,yBAAyB,CAAC;IAC5B,MAAM,GAAG,GAAG,cAAc,YAAY,IAAI,OAAO,EAAE,EAAE,IAAI,eAAe,EAAE,CAAC;IAE3E,8DAA8D;IAC9D,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,YAAY,KAAK,CAAC,EAAE,CAAC;QACvB,mEAAmE;QACnE,MAAM,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;IACrD,CAAC;IAED,gEAAgE;IAChE,MAAM,cAAc,GAClB,cAAc,GAAG,UAAU,GAAG,yBAAyB,CAAC;IAE1D,IAAI,YAAY,GAAG,cAAc,EAAE,CAAC;QAClC,0BAA0B;QAC1B,IAAI,OAAO,EAAE,EAAE,EAAE,CAAC;YAChB,MAAM,IAAA,4BAAmB,EAAC,OAAO,CAAC,EAAE,EAAE,aAAa,CAAC,CAAC;QACvD,CAAC;QAED,2DAA2D;QAC3D,IAAI,YAAY,GAAG,CAAC,GAAG,cAAc,EAAE,CAAC;YACtC,OAAO;gBACL,WAAW,EAAE,IAAI;gBACjB,YAAY;gBACZ,SAAS,EAAE,cAAc;gBACzB,MAAM,EAAE,GAAG;gBACX,YAAY,EAAE,wBAAwB,YAAY,kBAAkB,cAAc,sFAAsF;gBACxK,SAAS,EAAE,qBAAqB;aACjC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,WAAW,EAAE,KAAK;QAClB,YAAY;QACZ,SAAS,EAAE,cAAc;KAC1B,CAAC;AACJ,CAAC"}

package/dist/cjs/core/rateLimit/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/cjs/core/rateLimit/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/core/rateLimit/types.ts"],"names":[],"mappings":""}