@thirdweb-dev/service-utils 0.5.0-nightly-6cf298a29-20240308012322 → 0.5.1

package/dist/index-62b88cac.cjs.dev.js

@@ -1,576 +0,0 @@
-'use strict';
-
-async function fetchKeyMetadataFromApi(clientId, config) {
-  const {
-    apiUrl,
-    serviceScope,
-    serviceApiKey,
-    checkPolicy,
-    policyMetadata
-  } = config;
-  const policyQuery = checkPolicy && policyMetadata ? `&checkPolicy=true&policyMetadata=${encodeURIComponent(JSON.stringify(policyMetadata))}` : "";
-  const url = `${apiUrl}/v1/keys/use?clientId=${clientId}&scope=${serviceScope}&includeUsage=true${policyQuery}`;
-  const response = await fetch(url, {
-    method: "GET",
-    headers: {
-      "x-service-api-key": serviceApiKey,
-      "content-type": "application/json"
-    }
-  });
-  let text = "";
-  try {
-    text = await response.text();
-    return JSON.parse(text);
-  } catch (e) {
-    throw new Error(`Error fetching key metadata from API: ${response.status} - ${text}`);
-  }
-}
-async function fetchAccountFromApi(jwt, config, useWalletAuth) {
-  const {
-    apiUrl,
-    serviceApiKey
-  } = config;
-  const url = useWalletAuth ? `${apiUrl}/v1/wallet/me?includeUsage=true` : `${apiUrl}/v1/account/me?includeUsage=true`;
-  const response = await fetch(url, {
-    method: "GET",
-    headers: {
-      "x-service-api-key": serviceApiKey,
-      "content-type": "application/json",
-      authorization: `Bearer ${jwt}`
-    }
-  });
-  let text = "";
-  try {
-    text = await response.text();
-    return JSON.parse(text);
-  } catch (e) {
-    throw new Error(`Error fetching account from API: ${response.status} - ${text}`);
-  }
-}
-async function updateRateLimitedAt(apiKeyId, config) {
-  const {
-    apiUrl,
-    serviceScope: scope,
-    serviceApiKey
-  } = config;
-  const url = `${apiUrl}/usage/rateLimit`;
-  await fetch(url, {
-    method: "PUT",
-    headers: {
-      "x-service-api-key": serviceApiKey,
-      "content-type": "application/json"
-    },
-    body: JSON.stringify({
-      apiKeyId,
-      scope
-    })
-  });
-}
-
-function authorizeClient(authOptions, apiKeyMeta) {
-  const {
-    origin,
-    bundleId,
-    secretKeyHash: providedSecretHash
-  } = authOptions;
-  const {
-    domains,
-    bundleIds,
-    secretHash
-  } = apiKeyMeta;
-  const authResult = {
-    authorized: true,
-    apiKeyMeta,
-    accountMeta: {
-      id: apiKeyMeta.accountId,
-      // TODO update this later
-      name: "",
-      creatorWalletAddress: apiKeyMeta.creatorWalletAddress,
-      limits: apiKeyMeta.limits,
-      rateLimits: apiKeyMeta.rateLimits,
-      usage: apiKeyMeta.usage
-    }
-  };
-
-  // check for public restrictions
-  if (domains.includes("*")) {
-    return authResult;
-  }
-
-  // check for secretHash
-  if (providedSecretHash) {
-    if (secretHash !== providedSecretHash) {
-      return {
-        authorized: false,
-        errorMessage: "Incorrect key provided. You can view your active API keys at https://thirdweb.com/dashboard/settings",
-        errorCode: "SECRET_INVALID",
-        status: 401
-      };
-    }
-    return authResult;
-  }
-
-  // validate domains
-  if (origin) {
-    if (
-    // find matching domain, or if all domains allowed
-    domains.find(d => {
-      // if any domain is allowed, we'll return true
-      if (d === "*") {
-        return true;
-      }
-
-      // special rule for `localhost`
-      // if the domain is localhost, we'll allow any origin that starts with localhost
-      if (d === "localhost" && origin.startsWith("localhost")) {
-        return true;
-      }
-
-      // If the allowedDomain has a wildcard,
-      // we'll check that the ending of our domain matches the wildcard
-      if (d.startsWith("*.")) {
-        // get rid of the * and check if it ends with the `.<domain>.<tld>`
-        const domainRoot = d.slice(1);
-        return origin.endsWith(domainRoot);
-      }
-
-      // If there's no wildcard, we'll check for an exact match
-      return d === origin;
-    })) {
-      return authResult;
-    }
-    return {
-      authorized: false,
-      errorMessage: `Invalid request: Unauthorized domain: ${origin}. You can view the restrictions on this API key at https://thirdweb.com/create-api-key`,
-      errorCode: "ORIGIN_UNAUTHORIZED",
-      status: 401
-    };
-  }
-
-  // validate bundleId
-  if (bundleId) {
-    if (
-    // find matching bundle id, or if all bundles allowed
-    bundleIds.find(b => {
-      if (b === "*") {
-        return true;
-      }
-      return b === bundleId;
-    })) {
-      return authResult;
-    }
-    return {
-      authorized: false,
-      errorMessage: `Invalid request: Unauthorized Bundle ID: ${bundleId}. You can view the restrictions on this API key at https://thirdweb.com/create-api-key`,
-      errorCode: "BUNDLE_UNAUTHORIZED",
-      status: 401
-    };
-  }
-  return {
-    authorized: false,
-    errorMessage: "The keys are invalid. Please check the secret-key/clientId and try again.",
-    errorCode: "UNAUTHORIZED",
-    status: 401
-  };
-}
-
-function authorizeService(apiKeyMetadata, serviceConfig, authorizationPayload) {
-  const {
-    services
-  } = apiKeyMetadata;
-  // validate services
-  const service = services.find(srv => srv.name === serviceConfig.serviceScope);
-  if (!service) {
-    return {
-      authorized: false,
-      errorMessage: `Invalid request: Unauthorized service: ${serviceConfig.serviceScope}. You can view the restrictions on this API key in your dashboard:  https://thirdweb.com/create-api-key`,
-      errorCode: "SERVICE_UNAUTHORIZED",
-      status: 403
-    };
-  }
-
-  // validate service actions
-  if (serviceConfig.serviceAction) {
-    const isActionAllowed = service.actions.includes(serviceConfig.serviceAction);
-    if (!isActionAllowed) {
-      return {
-        authorized: false,
-        errorMessage: `Invalid request: Unauthorized action: ${serviceConfig.serviceScope} ${serviceConfig.serviceAction}. You can view the restrictions on this API key in your dashboard:  https://thirdweb.com/create-api-key`,
-        errorCode: "SERVICE_ACTION_UNAUTHORIZED",
-        status: 403
-      };
-    }
-  }
-
-  // validate service target addresses
-  // the service has to pass in the target address for this to be validated
-  if (authorizationPayload?.targetAddress) {
-    const checkedAddresses = Array.isArray(authorizationPayload.targetAddress) ? authorizationPayload.targetAddress : [authorizationPayload.targetAddress];
-    const allAllowed = service.targetAddresses.includes("*");
-    if (!allAllowed && checkedAddresses.some(ta => !service.targetAddresses.includes(ta))) {
-      return {
-        authorized: false,
-        errorMessage: `Invalid request: Unauthorized address: ${serviceConfig.serviceScope} ${checkedAddresses}. You can view the restrictions on this API key in your dashboard:  https://thirdweb.com/create-api-key`,
-        errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
-        status: 403
-      };
-    }
-  }
-  return {
-    authorized: true,
-    apiKeyMeta: apiKeyMetadata,
-    accountMeta: {
-      id: apiKeyMetadata.accountId,
-      name: "",
-      creatorWalletAddress: apiKeyMetadata.creatorWalletAddress,
-      limits: apiKeyMetadata.limits,
-      rateLimits: apiKeyMetadata.rateLimits,
-      usage: apiKeyMetadata.usage
-    }
-  };
-}
-
-async function authorize(authData, serviceConfig, cacheOptions) {
-  const {
-    clientId,
-    targetAddress,
-    secretKeyHash,
-    jwt,
-    hashedJWT,
-    useWalletAuth
-  } = authData;
-  const {
-    enforceAuth
-  } = serviceConfig;
-
-  // BACKWARDS COMPAT: if auth not enforced and we don't have auth credentials bypass
-  if (!enforceAuth && !clientId && !secretKeyHash) {
-    return {
-      authorized: true,
-      apiKeyMeta: null,
-      accountMeta: null
-    };
-  }
-  // if we come in with a JWT then we only check the account is valid
-  if (jwt && hashedJWT) {
-    let accountMeta = null;
-    if (cacheOptions) {
-      try {
-        const cachedAccountInfo = await cacheOptions.get(hashedJWT);
-        if (cachedAccountInfo) {
-          const parsed = JSON.parse(cachedAccountInfo);
-          if ("updatedAt" in parsed) {
-            // we want to compare the updatedAt time to the current time
-            // if the difference is greater than the cacheTtl we want to ignore the cached data
-            const now = Date.now();
-            const diff = now - parsed.updatedAt;
-            const cacheTtlMs = cacheOptions.cacheTtlSeconds * 1000;
-            // only if the diff is less than the cacheTtl do we want to use the cached key
-            if (diff < cacheTtlMs) {
-              accountMeta = parsed.apiKeyMeta;
-            }
-          } else {
-            accountMeta = parsed;
-          }
-        }
-      } catch (err) {
-        // ignore errors, proceed as if not in cache
-      }
-    }
-    if (!accountMeta) {
-      try {
-        const {
-          data,
-          error
-        } = await fetchAccountFromApi(jwt, serviceConfig, useWalletAuth?.toLowerCase() === "true");
-        if (error) {
-          return {
-            authorized: false,
-            errorCode: error.code,
-            errorMessage: error.message,
-            status: error.statusCode
-          };
-        } else if (!data) {
-          return {
-            authorized: false,
-            errorCode: "NO_ACCOUNT",
-            errorMessage: "No error but also no account returned.",
-            status: 500
-          };
-        }
-        accountMeta = data;
-        if (cacheOptions) {
-          await cacheOptions.put(hashedJWT, accountMeta);
-        }
-      } catch (err) {
-        console.warn("failed to fetch account from api", err);
-        return {
-          authorized: false,
-          status: 500,
-          errorMessage: "Failed to get account information.",
-          errorCode: "FAILED_TO_LOAD_ACCOUNT"
-        };
-      }
-    }
-    // if we still don't have an accountMeta at this point we can't authorize
-    if (!accountMeta) {
-      return {
-        authorized: false,
-        status: 401,
-        errorMessage: "Missing account information.",
-        errorCode: "MISSING_ACCOUNT"
-      };
-    }
-    // otherwise we want to return early with the accountMeta
-    return {
-      authorized: true,
-      apiKeyMeta: null,
-      accountMeta
-    };
-  }
-
-  // if we don't have a client id at this point we can't authorize
-  if (!clientId) {
-    return {
-      authorized: false,
-      status: 401,
-      errorMessage: "Missing clientId or secretKey.",
-      errorCode: "MISSING_KEY"
-    };
-  }
-  let apiKeyMeta = null;
-  // if we have cache options we want to check the cache first
-  if (cacheOptions) {
-    try {
-      const cachedKey = await cacheOptions.get(clientId);
-      if (cachedKey) {
-        const parsed = JSON.parse(cachedKey);
-        if ("updatedAt" in parsed) {
-          // we want to compare the updatedAt time to the current time
-          // if the difference is greater than the cacheTtl we want to ignore the cached data
-          const now = Date.now();
-          const diff = now - parsed.updatedAt;
-          const cacheTtlMs = cacheOptions.cacheTtlSeconds * 1000;
-          // only if the diff is less than the cacheTtl do we want to use the cached key
-          if (diff < cacheTtlMs) {
-            apiKeyMeta = parsed.apiKeyMeta;
-          }
-        } else {
-          apiKeyMeta = parsed;
-        }
-      }
-    } catch (err) {
-      // ignore errors, proceed as if not in cache
-    }
-  }
-
-  // if we don't have a cached key, fetch from the API
-  if (!apiKeyMeta) {
-    try {
-      const {
-        data,
-        error
-      } = await fetchKeyMetadataFromApi(clientId, serviceConfig);
-      if (error) {
-        return {
-          authorized: false,
-          errorCode: error.code,
-          errorMessage: error.message,
-          status: error.statusCode
-        };
-      } else if (!data) {
-        return {
-          authorized: false,
-          errorCode: "NO_KEY",
-          errorMessage: "No error but also no key returned.",
-          status: 500
-        };
-      }
-      // if we have a key for sure then assign it
-      apiKeyMeta = data;
-
-      // cache the retrieved key if we have cache options
-      if (cacheOptions) {
-        // we await this always because it can be a promise or not
-        await cacheOptions.put(clientId, data);
-      }
-    } catch (err) {
-      console.warn("failed to fetch key metadata from api", err);
-      return {
-        authorized: false,
-        status: 500,
-        errorMessage: "Failed to fetch key metadata. Please check your secret-key/clientId.",
-        errorCode: "FAILED_TO_FETCH_KEY"
-      };
-    }
-  }
-  if (!apiKeyMeta) {
-    return {
-      authorized: false,
-      status: 401,
-      errorMessage: "Key is invalid. Please check your secret-key/clientId.",
-      errorCode: "INVALID_KEY"
-    };
-  }
-  // now we can validate the key itself
-  const clientAuth = authorizeClient(authData, apiKeyMeta);
-  if (!clientAuth.authorized) {
-    return {
-      errorCode: clientAuth.errorCode,
-      authorized: false,
-      status: 401,
-      errorMessage: clientAuth.errorMessage
-    };
-  }
-
-  // if we've made it this far we need to check service specific authorization
-  const serviceAuth = authorizeService(apiKeyMeta, serviceConfig, {
-    targetAddress
-  });
-  if (!serviceAuth.authorized) {
-    return {
-      errorCode: serviceAuth.errorCode,
-      authorized: false,
-      status: 403,
-      errorMessage: serviceAuth.errorMessage
-    };
-  }
-
-  // if we reach this point we are authorized!
-  return {
-    authorized: true,
-    apiKeyMeta,
-    accountMeta: {
-      id: apiKeyMeta.accountId,
-      // TODO update this later
-      name: "",
-      limits: apiKeyMeta.limits,
-      rateLimits: apiKeyMeta.rateLimits,
-      usage: apiKeyMeta.usage,
-      creatorWalletAddress: apiKeyMeta.creatorWalletAddress
-    }
-  };
-}
-
-const RATE_LIMIT_WINDOW_SECONDS = 10;
-
-// Redis interface compatible with ioredis (Node) and upstash (Cloudflare Workers).
-
-async function rateLimit(args) {
-  const {
-    authzResult,
-    serviceConfig,
-    redis,
-    sampleRate = 1.0
-  } = args;
-  const shouldSampleRequest = Math.random() < sampleRate;
-  if (!shouldSampleRequest || !authzResult.authorized) {
-    return {
-      rateLimited: false,
-      requestCount: 0,
-      rateLimit: 0
-    };
-  }
-  const {
-    apiKeyMeta,
-    accountMeta
-  } = authzResult;
-  const accountId = apiKeyMeta?.accountId || accountMeta?.id;
-  const {
-    serviceScope
-  } = serviceConfig;
-  const limitPerSecond = apiKeyMeta?.rateLimits?.[serviceScope] ?? accountMeta?.rateLimits?.[serviceScope];
-  if (!limitPerSecond) {
-    // No rate limit is provided. Assume the request is not rate limited.
-    return {
-      rateLimited: false,
-      requestCount: 0,
-      rateLimit: 0
-    };
-  }
-
-  // Gets the 10-second window for the current timestamp.
-  const timestampWindow = Math.floor(Date.now() / (1000 * RATE_LIMIT_WINDOW_SECONDS)) * RATE_LIMIT_WINDOW_SECONDS;
-  const key = `rate-limit:${serviceScope}:${accountId}:${timestampWindow}`;
-
-  // Increment and get the current request count in this window.
-  const requestCount = await redis.incr(key);
-  if (requestCount === 1) {
-    // For the first increment, set an expiration to clean up this key.
-    await redis.expire(key, RATE_LIMIT_WINDOW_SECONDS);
-  }
-
-  // Get the limit for this window accounting for the sample rate.
-  const limitPerWindow = limitPerSecond * sampleRate * RATE_LIMIT_WINDOW_SECONDS;
-  if (requestCount > limitPerWindow) {
-    // Report rate limit hits.
-    if (apiKeyMeta?.id) {
-      await updateRateLimitedAt(apiKeyMeta.id, serviceConfig);
-    }
-
-    // Reject requests when they've exceeded 2x the rate limit.
-    if (requestCount > 2 * limitPerWindow) {
-      return {
-        rateLimited: true,
-        requestCount,
-        rateLimit: limitPerWindow,
-        status: 429,
-        errorMessage: `You've exceeded your ${serviceScope} rate limit at ${limitPerSecond} reqs/sec. To get higher rate limits, contact us at https://thirdweb.com/contact-us.`,
-        errorCode: "RATE_LIMIT_EXCEEDED"
-      };
-    }
-  }
-  return {
-    rateLimited: false,
-    requestCount,
-    rateLimit: limitPerWindow
-  };
-}
-
-async function usageLimit(authzResult, serviceConfig) {
-  if (!authzResult.authorized) {
-    return {
-      usageLimited: false
-    };
-  }
-  const {
-    apiKeyMeta,
-    accountMeta
-  } = authzResult;
-  const {
-    limits,
-    usage
-  } = apiKeyMeta || accountMeta || {};
-  const {
-    serviceScope
-  } = serviceConfig;
-  if (!usage || !(serviceScope in usage) || !limits || !(serviceScope in limits)) {
-    // No usage limit is provided. Assume the request is not limited.
-    return {
-      usageLimited: false
-    };
-  }
-  if (serviceScope === "storage" && (usage.storage?.sumFileSizeBytes ?? 0) > (limits.storage ?? 0)) {
-    return {
-      usageLimited: true,
-      status: 403,
-      errorMessage: `You've used all of your total usage credits for Storage Pinning. Please add your payment method at https://thirdweb.com/dashboard/settings/billing.`,
-      errorCode: "PAYMENT_METHOD_REQUIRED"
-    };
-  }
-  if (serviceScope === "embeddedWallets" && (usage.embeddedWallets?.countWalletAddresses ?? 0) > (limits.embeddedWallets ?? 0)) {
-    return {
-      usageLimited: true,
-      status: 403,
-      errorMessage: `You've used all of your total usage credits for Embedded Wallets. Please add your payment method at https://thirdweb.com/dashboard/settings/billing.`,
-      errorCode: "PAYMENT_METHOD_REQUIRED"
-    };
-  }
-  return {
-    usageLimited: false
-  };
-}
-
-exports.authorize = authorize;
-exports.rateLimit = rateLimit;
-exports.usageLimit = usageLimit;