@toa.io/extensions.exposition 1.0.0-alpha.101 → 1.0.0-alpha.103

package/components/identity.tokens/manifest.toa.yaml

@@ -13,8 +13,26 @@ operations:
       identity*: &identity
         id: string
         ...: true
-      lifetime: integer[0,) # seconds
-    output: string
+      lifetime: &lifetime
+        type: number
+        minimum: 0
+      scopes: [string]
+      permissions:
+        ~: [string]
+      key:
+        type: object
+        properties:
+          id:
+            type: string
+          key:
+            type: string
+        required:
+          - id
+          - key
+    output:
+      type: string
+    errors:
+      - ERR_INACCESSIBLE_SCOPE
   decrypt:
     input: string
     output:
@@ -23,6 +41,10 @@ operations:
       iat: string
       exp: string
       refresh: boolean
+    errors:
+      - INVALID_TOKEN
+      - INVALID_KEY
+      - FORGED_KEY
   authenticate:
     input:
       authority*: string
@@ -30,6 +52,43 @@ operations:
     output:
       identity: *identity
       refresh: boolean
+    errors:
+      - AUTHORITY_MISMATCH
+      - TOKEN_REVOKED
+  issue:
+    input:
+      type: object
+      properties:
+        authority:
+          type: string
+        identity:
+          type: string
+        lifetime: *lifetime
+        scopes:
+          type: array
+          items:
+            type: string
+        permissions:
+          type: object
+          additionalProperties:
+            type: array
+            items:
+              type: string
+        label:
+          type: string
+          minLength: 1
+          maxLength: 64
+      required:
+        - authority
+        - identity
+        - lifetime
+        - label
+    output:
+      kid: string
+      exp: number
+      token: string
+    errors:
+      - ERR_INACCESSIBLE_SCOPE
   revoke:
     concurrency: retry
 
@@ -38,16 +97,37 @@ receivers:
   identity.bans.updated: revoke
 
 configuration:
-  key0*: string
-  key1: string
-  lifetime: 2592000 # seconds, 30 days
-  refresh: 600      # seconds, 10 minutes
+  keys:
+    type: object
+    minProperties: 1
+    additionalProperties:
+      type: string
+  lifetime:
+    description: Token expiration time in seconds (default 30 days)
+    type: number
+    default: 2592000
+  refresh:
+    description: Token refresh time in seconds (default 10 minutes)
+    type: number
+    default: 600
+  cache:
+    description: Custom token keys LRU cache configuration
+    properties:
+      max:
+        type: number
+        default: 1024
+      ttl:
+        type: number
+        default: 600_000
+    default: { }
+
 
 exposition:
-  /:
+  /:identity:
+    auth:id: identity
+    auth:role: system:identity:tokens
     POST:
-      auth:scheme: token
-      auth:delegate: identity
-      io:output: true # string
       map:authority: authority
-      endpoint: encrypt
+      io:input: [authority, identity, lifetime, label, scopes, permissions]
+      io:output: [kid, exp, token, label]
+      endpoint: issue

package/components/identity.tokens/operations/authenticate.d.ts

@@ -1,5 +1,5 @@
-import { type Maybe, type Operation } from '@toa.io/types';
-import type { AuthenticateInput, AuthenticateOutput, Context } from './types';
+import type { Maybe, Operation } from '@toa.io/types';
+import type { AuthenticateInput, AuthenticateOutput, Context } from './lib';
 export declare class Computation implements Operation {
     private refresh;
     private decrypt;

package/components/identity.tokens/operations/authenticate.js

@@ -4,29 +4,29 @@ exports.Computation = void 0;
 const error_value_1 = require("error-value");
 class Computation {
     refresh = 0;
-    decrypt = undefined;
-    observe = undefined;
+    decrypt;
+    observe;
     mount(context) {
         this.refresh = context.configuration.refresh * 1000;
         this.decrypt = context.local.decrypt;
         this.observe = context.local.observe;
     }
     async execute(input) {
-        const claim = await this.decrypt({ input: input.credentials });
-        if (claim instanceof Error)
-            return claim;
-        if (claim.authority !== input.authority)
+        const claims = await this.decrypt({ input: input.credentials });
+        if (claims instanceof Error)
+            return claims;
+        if (claims.iss !== input.authority)
             return ERR_AUTHORITY;
-        const identity = claim.identity;
-        const iat = new Date(claim.iat).getTime();
-        const transient = claim.exp !== undefined;
+        const identity = claims.identity;
+        const iat = new Date(claims.iat).getTime();
+        const transient = claims.exp !== undefined;
         const stale = transient && (iat + this.refresh < Date.now());
         if (stale) {
             const revocation = await this.observe({ query: { id: identity.id } });
             if (revocation?.revokedAt !== undefined && iat < revocation.revokedAt)
                 return ERR_TOKEN_REVOKED;
         }
-        const refresh = stale || claim.refresh;
+        const refresh = stale || claims.refresh;
         return {
             identity,
             refresh
@@ -34,6 +34,6 @@ class Computation {
     }
 }
 exports.Computation = Computation;
-const ERR_AUTHORITY = (0, error_value_1.Err)('AUTHORITY_MISMATCH');
-const ERR_TOKEN_REVOKED = (0, error_value_1.Err)('TOKEN_REVOKED');
+const ERR_AUTHORITY = new error_value_1.Err('AUTHORITY_MISMATCH');
+const ERR_TOKEN_REVOKED = new error_value_1.Err('TOKEN_REVOKED');
 //# sourceMappingURL=authenticate.js.map

package/components/identity.tokens/operations/authenticate.js.map

@@ -1 +1 @@
-{"version":3,"file":"authenticate.js","sourceRoot":"","sources":["../source/authenticate.ts"],"names":[],"mappings":";;;AACA,6CAAiC;AAGjC,MAAa,WAAW;IACd,OAAO,GAAW,CAAC,CAAA;IACnB,OAAO,GAAgC,SAAmD,CAAA;IAC1F,OAAO,GAAgC,SAAmD,CAAA;IAE3F,KAAK,CAAE,OAAgB;QAC5B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,OAAO,GAAG,IAAI,CAAA;QACnD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAA;QACpC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAA;IACtC,CAAC;IAEM,KAAK,CAAC,OAAO,CAAE,KAAwB;QAC5C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAA;QAE9D,IAAI,KAAK,YAAY,KAAK;YACxB,OAAO,KAAK,CAAA;QAEd,IAAI,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,SAAS;YACrC,OAAO,aAAa,CAAA;QAEtB,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;QAC/B,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAA;QACzC,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,KAAK,SAAS,CAAA;QACzC,MAAM,KAAK,GAAG,SAAS,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAA;QAE5D,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAA;YAErE,IAAI,UAAU,EAAE,SAAS,KAAK,SAAS,IAAI,GAAG,GAAG,UAAU,CAAC,SAAS;gBACnE,OAAO,iBAAiB,CAAA;QAC5B,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,IAAI,KAAK,CAAC,OAAO,CAAA;QAEtC,OAAO;YACL,QAAQ;YACR,OAAO;SACR,CAAA;IACH,CAAC;CACF;AAvCD,kCAuCC;AAED,MAAM,aAAa,GAAG,IAAA,iBAAG,EAAC,oBAAoB,CAAC,CAAA;AAC/C,MAAM,iBAAiB,GAAG,IAAA,iBAAG,EAAC,eAAe,CAAC,CAAA"}
+{"version":3,"file":"authenticate.js","sourceRoot":"","sources":["../source/authenticate.ts"],"names":[],"mappings":";;;AAAA,6CAAiC;AAIjC,MAAa,WAAW;IACd,OAAO,GAAW,CAAC,CAAA;IACnB,OAAO,CAA8B;IACrC,OAAO,CAA8B;IAEtC,KAAK,CAAE,OAAgB;QAC5B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,OAAO,GAAG,IAAI,CAAA;QACnD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAA;QACpC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAA;IACtC,CAAC;IAEM,KAAK,CAAC,OAAO,CAAE,KAAwB;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAA;QAE/D,IAAI,MAAM,YAAY,KAAK;YACzB,OAAO,MAAM,CAAA;QAEf,IAAI,MAAM,CAAC,GAAG,KAAK,KAAK,CAAC,SAAS;YAChC,OAAO,aAAa,CAAA;QAEtB,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAA;QAChC,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAA;QAC1C,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,KAAK,SAAS,CAAA;QAC1C,MAAM,KAAK,GAAG,SAAS,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAA;QAE5D,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAA;YAErE,IAAI,UAAU,EAAE,SAAS,KAAK,SAAS,IAAI,GAAG,GAAG,UAAU,CAAC,SAAS;gBACnE,OAAO,iBAAiB,CAAA;QAC5B,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,OAAO,CAAA;QAEvC,OAAO;YACL,QAAQ;YACR,OAAO;SACR,CAAA;IACH,CAAC;CACF;AAvCD,kCAuCC;AAED,MAAM,aAAa,GAAG,IAAI,iBAAG,CAAC,oBAAoB,CAAC,CAAA;AACnD,MAAM,iBAAiB,GAAG,IAAI,iBAAG,CAAC,eAAe,CAAC,CAAA"}

package/components/identity.tokens/operations/decrypt.d.ts

@@ -1,3 +1,12 @@
-import { type Maybe } from '@toa.io/types';
-import { type Context, type DecryptOutput } from './types';
-export declare function computation(token: string, context: Context): Promise<Maybe<DecryptOutput>>;
+import type { Maybe, Operation } from '@toa.io/types';
+import type { Context, DecryptOutput } from './lib';
+export declare class Computation implements Operation {
+    private keys;
+    private cache;
+    private latest;
+    private remote;
+    mount(context: Context): void;
+    execute(token: string): Promise<Maybe<DecryptOutput>>;
+    private kid;
+    private key;
+}

package/components/identity.tokens/operations/decrypt.js

@@ -1,33 +1,77 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.computation = void 0;
+exports.Computation = void 0;
 const paseto_1 = require("paseto");
-async function computation(token, context) {
-    let refresh = false;
-    let claim = await decrypt(token, context.configuration.key0);
-    if (claim === null && context.configuration.key1 !== undefined) {
-        refresh = true;
-        claim = await decrypt(token, context.configuration.key1);
+const error_value_1 = require("error-value");
+const lru_cache_1 = require("lru-cache");
+class Computation {
+    keys = {};
+    cache;
+    latest;
+    remote;
+    mount(context) {
+        this.latest = Object.keys(context.configuration.keys)[0];
+        this.remote = context.remote.identity.keys;
+        this.cache = new lru_cache_1.LRUCache(context.configuration.cache);
+        for (const [kid, key] of Object.entries(context.configuration.keys))
+            this.keys[kid] = { key };
     }
-    if (claim === null)
-        return ERR_INVALID_TOKEN;
-    else
+    async execute(token) {
+        const kid = this.kid(token);
+        if (kid instanceof Error)
+            return kid;
+        const key = await this.key(kid);
+        if (key instanceof Error)
+            return key;
+        const claims = await decrypt(token, key.key);
+        if (claims instanceof Error)
+            return claims;
+        if (key.identity !== undefined && claims.identity.id !== key.identity)
+            return ERR_FORGED_KEY;
         return {
-            authority: claim.aud,
-            identity: claim.identity,
-            iat: claim.iat,
-            exp: claim.exp,
-            refresh
+            iss: claims.iss,
+            iat: claims.iat,
+            exp: claims.exp,
+            identity: claims.identity,
+            refresh: kid !== this.latest && key.identity === undefined
         };
+    }
+    kid(token) {
+        const [, , , footer] = token.split('.');
+        if (footer === undefined)
+            return ERR_INVALID_TOKEN;
+        try {
+            const json = Buffer.from(footer, 'base64url').toString('utf-8');
+            const { kid } = JSON.parse(json);
+            if (typeof kid !== 'string')
+                return ERR_INVALID_TOKEN;
+            return kid;
+        }
+        catch {
+            return ERR_INVALID_TOKEN;
+        }
+    }
+    async key(kid) {
+        if (kid in this.keys)
+            return this.keys[kid];
+        if (!this.cache.has(kid)) {
+            const value = await this.remote.observe({ query: { id: kid } });
+            this.cache.set(kid, { value });
+        }
+        const entry = this.cache.get(kid);
+        return entry?.value ?? ERR_INVALID_KEY;
+    }
 }
-exports.computation = computation;
+exports.Computation = Computation;
 async function decrypt(token, key) {
     try {
         return await paseto_1.V3.decrypt(token, key);
     }
     catch {
-        return null;
+        return ERR_INVALID_TOKEN;
     }
 }
-const ERR_INVALID_TOKEN = new Error('INVALID_TOKEN');
+const ERR_INVALID_TOKEN = new error_value_1.Err('INVALID_TOKEN');
+const ERR_INVALID_KEY = new error_value_1.Err('INVALID_KEY');
+const ERR_FORGED_KEY = new error_value_1.Err('FORGED_KEY');
 //# sourceMappingURL=decrypt.js.map

package/components/identity.tokens/operations/decrypt.js.map

@@ -1 +1 @@
-{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../source/decrypt.ts"],"names":[],"mappings":";;;AAAA,mCAA2B;AAIpB,KAAK,UAAU,WAAW,CAAE,KAAa,EAAE,OAAgB;IAChE,IAAI,OAAO,GAAG,KAAK,CAAA;IACnB,IAAI,KAAK,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;IAE5D,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,CAAC,aAAa,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC/D,OAAO,GAAG,IAAI,CAAA;QACd,KAAK,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,CAAA;IAC1D,CAAC;IAED,IAAI,KAAK,KAAK,IAAI;QAChB,OAAO,iBAAiB,CAAA;;QAExB,OAAO;YACL,SAAS,EAAE,KAAK,CAAC,GAAG;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,OAAO;SACR,CAAA;AACL,CAAC;AAnBD,kCAmBC;AAED,KAAK,UAAU,OAAO,CAAE,KAAa,EAAE,GAAW;IAChD,IAAI,CAAC;QACH,OAAO,MAAM,WAAE,CAAC,OAAO,CAAQ,KAAK,EAAE,GAAG,CAAC,CAAA;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,MAAM,iBAAiB,GAAG,IAAI,KAAK,CAAC,eAAe,CAAC,CAAA"}
+{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../source/decrypt.ts"],"names":[],"mappings":";;;AAAA,mCAA2B;AAC3B,6CAAiC;AACjC,yCAAoC;AAIpC,MAAa,WAAW;IACd,IAAI,GAAwB,EAAE,CAAA;IAC9B,KAAK,CAA6B;IAClC,MAAM,CAAS;IACf,MAAM,CAAwC;IAE/C,KAAK,CAAE,OAAgB;QAC5B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAA;QACxD,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAA;QAC1C,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAQ,CAAmB,OAAO,CAAC,aAAa,CAAC,KAAK,CAAC,CAAA;QAExE,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC;YACjE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,CAAA;IAC5B,CAAC;IAEM,KAAK,CAAC,OAAO,CAAE,KAAa;QACjC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QAE3B,IAAI,GAAG,YAAY,KAAK;YACtB,OAAO,GAAG,CAAA;QAEZ,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAE/B,IAAI,GAAG,YAAY,KAAK;YACtB,OAAO,GAAG,CAAA;QAEZ,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,CAAC,CAAA;QAE5C,IAAI,MAAM,YAAY,KAAK;YACzB,OAAO,MAAM,CAAA;QAEf,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,MAAM,CAAC,QAAQ,CAAC,EAAE,KAAK,GAAG,CAAC,QAAQ;YACnE,OAAO,cAAc,CAAA;QAEvB,OAAO;YACL,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,OAAO,EAAE,GAAG,KAAK,IAAI,CAAC,MAAM,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS;SAC3D,CAAA;IACH,CAAC;IAEO,GAAG,CAAE,KAAa;QACxB,MAAM,CAAC,EAAE,AAAD,EAAG,AAAD,EAAG,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAEvC,IAAI,MAAM,KAAK,SAAS;YACtB,OAAO,iBAAiB,CAAA;QAE1B,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;YAC/D,MAAM,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEhC,IAAI,OAAO,GAAG,KAAK,QAAQ;gBACzB,OAAO,iBAAiB,CAAA;YAE1B,OAAO,GAAG,CAAA;QACZ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,iBAAiB,CAAA;QAC1B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,GAAG,CAAE,GAAW;QAC5B,IAAI,GAAG,IAAI,IAAI,CAAC,IAAI;YAClB,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAEvB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,CAAA;YAE/D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QAChC,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAEjC,OAAO,KAAK,EAAE,KAAK,IAAI,eAAe,CAAA;IACxC,CAAC;CACF;AA5ED,kCA4EC;AAED,KAAK,UAAU,OAAO,CAAE,KAAa,EAAE,GAAW;IAChD,IAAI,CAAC;QACH,OAAO,MAAM,WAAE,CAAC,OAAO,CAAS,KAAK,EAAE,GAAG,CAAC,CAAA;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,iBAAiB,CAAA;IAC1B,CAAC;AACH,CAAC;AAWD,MAAM,iBAAiB,GAAG,IAAI,iBAAG,CAAC,eAAe,CAAC,CAAA;AAClD,MAAM,eAAe,GAAG,IAAI,iBAAG,CAAC,aAAa,CAAC,CAAA;AAC9C,MAAM,cAAc,GAAG,IAAI,iBAAG,CAAC,YAAY,CAAC,CAAA"}

package/components/identity.tokens/operations/encrypt.d.ts

@@ -1,8 +1,8 @@
-import { type Operation } from '@toa.io/types';
-import { type Context, type EncryptInput } from './types';
+import type { Operation, Maybe } from '@toa.io/types';
+import type { Context, EncryptInput } from './lib';
 export declare class Effect implements Operation {
     private key;
     private lifetime;
     mount(context: Context): void;
-    execute(input: EncryptInput): Promise<string>;
+    execute(input: EncryptInput): Promise<Maybe<string>>;
 }

package/components/identity.tokens/operations/encrypt.js

@@ -2,25 +2,41 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Effect = void 0;
 const paseto_1 = require("paseto");
+const error_value_1 = require("error-value");
 class Effect {
-    key = '';
-    lifetime = 0;
+    key;
+    lifetime;
     mount(context) {
-        this.key = context.configuration.key0;
+        const [id, secret] = Object.entries(context.configuration.keys)[0];
+        this.key = { id, key: secret };
         this.lifetime = context.configuration.lifetime * 1000;
     }
     async execute(input) {
-        const lifetime = input.lifetime === undefined ? this.lifetime : input.lifetime * 1000;
+        if (input.scopes?.some((scope) => !within(scope, input.identity.roles)) === true)
+            return ERR_INACCESSIBLE_SCOPE;
+        const lifetime = input.lifetime === undefined ? this.lifetime : (input.lifetime * 1000);
         const exp = lifetime === 0
             ? undefined
             : new Date(Date.now() + lifetime).toISOString();
+        const identity = {
+            id: input.identity.id,
+            roles: input.scopes ?? input.identity.roles
+        };
+        if (input.permissions !== undefined)
+            identity.permissions = input.permissions;
         const payload = {
-            identity: input.identity,
-            aud: input.authority,
-            exp
+            identity,
+            iss: input.authority
         };
-        return await paseto_1.V3.encrypt(payload, this.key);
+        if (exp !== undefined)
+            payload.exp = exp;
+        const key = input.key ?? this.key;
+        return await paseto_1.V3.encrypt(payload, key.key, { footer: { kid: key.id } });
     }
 }
 exports.Effect = Effect;
+function within(scope, roles) {
+    return roles.some((role) => role === scope || scope.startsWith(role + ':'));
+}
+const ERR_INACCESSIBLE_SCOPE = new error_value_1.Err('INACCESSIBLE_SCOPE');
 //# sourceMappingURL=encrypt.js.map

package/components/identity.tokens/operations/encrypt.js.map

@@ -1 +1 @@
-{"version":3,"file":"encrypt.js","sourceRoot":"","sources":["../source/encrypt.ts"],"names":[],"mappings":";;;AAAA,mCAA2B;AAI3B,MAAa,MAAM;IACT,GAAG,GAAW,EAAE,CAAA;IAChB,QAAQ,GAAW,CAAC,CAAA;IAErB,KAAK,CAAE,OAAgB;QAC5B,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,aAAa,CAAC,IAAI,CAAA;QACrC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,QAAQ,GAAG,IAAI,CAAA;IACvD,CAAC;IAEM,KAAK,CAAC,OAAO,CAAE,KAAmB;QACvC,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAA;QAErF,MAAM,GAAG,GAAG,QAAQ,KAAK,CAAC;YACxB,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAA;QAEjD,MAAM,OAAO,GAAmB;YAC9B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,GAAG,EAAE,KAAK,CAAC,SAAS;YACpB,GAAG;SACJ,CAAA;QAED,OAAO,MAAM,WAAE,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IAC5C,CAAC;CACF;AAxBD,wBAwBC"}
+{"version":3,"file":"encrypt.js","sourceRoot":"","sources":["../source/encrypt.ts"],"names":[],"mappings":";;;AAAA,mCAA2B;AAC3B,6CAAiC;AAIjC,MAAa,MAAM;IACT,GAAG,CAA0B;IAC7B,QAAQ,CAAS;IAElB,KAAK,CAAE,OAAgB;QAC5B,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAA;QAElE,IAAI,CAAC,GAAG,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,CAAA;QAC9B,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,QAAQ,GAAG,IAAI,CAAA;IACvD,CAAC;IAEM,KAAK,CAAC,OAAO,CAAE,KAAmB;QACvC,IAAI,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI;YAC9E,OAAO,sBAAsB,CAAA;QAE/B,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;QAEvF,MAAM,GAAG,GAAG,QAAQ,KAAK,CAAC;YACxB,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAA;QAEjD,MAAM,QAAQ,GAAa;YACzB,EAAE,EAAE,KAAK,CAAC,QAAQ,CAAC,EAAE;YACrB,KAAK,EAAE,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK;SAC5C,CAAA;QAED,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS;YACjC,QAAQ,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAA;QAE1C,MAAM,OAAO,GAAoB;YAC/B,QAAQ;YACR,GAAG,EAAE,KAAK,CAAC,SAAS;SACrB,CAAA;QAED,IAAI,GAAG,KAAK,SAAS;YACnB,OAAO,CAAC,GAAG,GAAG,GAAG,CAAA;QAEnB,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAA;QAEjC,OAAO,MAAM,WAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAA;IACxE,CAAC;CACF;AAzCD,wBAyCC;AAED,SAAS,MAAM,CAAE,KAAa,EAAE,KAAe;IAC7C,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,KAAK,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,CAAA;AAC7E,CAAC;AAED,MAAM,sBAAsB,GAAG,IAAI,iBAAG,CAAC,oBAAoB,CAAC,CAAA"}

package/components/identity.tokens/operations/issue.d.ts

@@ -0,0 +1,24 @@
+import type { Maybe, Operation } from '@toa.io/types';
+import type { Context } from './lib';
+export declare class Effect implements Operation {
+    private keys;
+    private roles;
+    private encrypt;
+    private lifetime;
+    mount(context: Context): void;
+    execute(input: Input): Promise<Maybe<Output>>;
+}
+interface Input {
+    authority: string;
+    identity: string;
+    lifetime: number;
+    label: string;
+    scopes?: string[];
+    permissions?: Record<string, string[]>;
+}
+interface Output {
+    kid: string;
+    exp?: number;
+    token: string;
+}
+export {};

package/components/identity.tokens/operations/issue.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Effect = void 0;
+class Effect {
+    keys;
+    roles;
+    encrypt;
+    lifetime;
+    mount(context) {
+        this.keys = context.remote.identity.keys;
+        this.roles = context.remote.identity.roles;
+        this.encrypt = context.local.encrypt;
+        this.lifetime = context.configuration.lifetime * 1000;
+    }
+    async execute(input) {
+        const expires = input.lifetime === 0
+            ? undefined
+            : new Date(Date.now() + input.lifetime * 1000).getTime();
+        const key = await this.keys.create({
+            input: {
+                identity: input.identity,
+                label: input.label,
+                expires
+            }
+        });
+        const roles = await this.roles.list({
+            query: {
+                criteria: `identity==${input.identity}`,
+                limit: 1024
+            }
+        });
+        const identity = {
+            id: input.identity,
+            roles
+        };
+        const { authority, lifetime, scopes, permissions } = input;
+        const token = await this.encrypt({
+            input: {
+                authority,
+                identity,
+                lifetime,
+                scopes,
+                permissions,
+                key
+            }
+        });
+        if (token instanceof Error)
+            return token;
+        return {
+            kid: key.id,
+            // technically, the token expires some time later
+            ...(expires !== undefined && { exp: expires }),
+            token
+        };
+    }
+}
+exports.Effect = Effect;
+//# sourceMappingURL=issue.js.map

package/components/identity.tokens/operations/issue.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"issue.js","sourceRoot":"","sources":["../source/issue.ts"],"names":[],"mappings":";;;AAGA,MAAa,MAAM;IACT,IAAI,CAAwC;IAC5C,KAAK,CAAyC;IAC9C,OAAO,CAA8B;IACrC,QAAQ,CAAS;IAElB,KAAK,CAAE,OAAgB;QAC5B,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAA;QACxC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAA;QAC1C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAA;QACpC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,QAAQ,GAAG,IAAI,CAAA;IACvD,CAAC;IAEM,KAAK,CAAC,OAAO,CAAE,KAAY;QAChC,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,KAAK,CAAC;YAClC,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC,OAAO,EAAE,CAAA;QAE1D,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;YACjC,KAAK,EAAE;gBACL,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,OAAO;aACR;SACF,CAAC,CAAA;QAEF,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YAClC,KAAK,EAAE;gBACL,QAAQ,EAAE,aAAa,KAAK,CAAC,QAAQ,EAAE;gBACvC,KAAK,EAAE,IAAI;aACZ;SACF,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAa;YACzB,EAAE,EAAE,KAAK,CAAC,QAAQ;YAClB,KAAK;SACN,CAAA;QAED,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,KAAK,CAAA;QAE1D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC;YAC/B,KAAK,EAAE;gBACL,SAAS;gBACT,QAAQ;gBACR,QAAQ;gBACR,MAAM;gBACN,WAAW;gBACX,GAAG;aACJ;SACF,CAAC,CAAA;QAEF,IAAI,KAAK,YAAY,KAAK;YACxB,OAAO,KAAK,CAAA;QAEd,OAAO;YACL,GAAG,EAAE,GAAG,CAAC,EAAE;YACX,iDAAiD;YACjD,GAAG,CAAC,OAAO,KAAK,SAAS,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;YAC9C,KAAK;SACN,CAAA;IACH,CAAC;CACF;AA7DD,wBA6DC"}

package/components/identity.tokens/operations/lib/index.d.ts

@@ -0,0 +1,2 @@
+export * from './pad';
+export * from './types';

package/components/identity.tokens/operations/lib/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./pad"), exports);
+__exportStar(require("./types"), exports);
+//# sourceMappingURL=index.js.map

package/components/identity.tokens/operations/lib/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../source/lib/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,wCAAqB;AACrB,0CAAuB"}

package/components/identity.tokens/operations/lib/pad.d.ts

@@ -0,0 +1 @@
+export declare const PAD = "v3.local.";

package/components/identity.tokens/operations/lib/pad.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PAD = void 0;
+exports.PAD = 'v3.local.';
+//# sourceMappingURL=pad.js.map

package/components/identity.tokens/operations/lib/pad.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pad.js","sourceRoot":"","sources":["../../source/lib/pad.ts"],"names":[],"mappings":";;;AAAa,QAAA,GAAG,GAAG,WAAW,CAAA"}

package/components/identity.tokens/operations/{types.d.ts → lib/types.d.ts}

@@ -1,22 +1,39 @@
-import { type Call, type Maybe, type Observation } from '@toa.io/types';
+import type { Call, Maybe, Observation } from '@toa.io/types';
 export interface Context {
     local: {
         observe: Observation<Entity>;
+        encrypt: Call<Maybe<string>, EncryptInput>;
         decrypt: Call<Maybe<DecryptOutput>, string>;
     };
+    remote: {
+        identity: {
+            keys: {
+                observe: Observation<CustomKey>;
+                create: Call<Key>;
+            };
+            roles: {
+                list: Call<string[]>;
+            };
+        };
+    };
     configuration: Configuration;
 }
 export interface Configuration {
-    readonly key0: string;
-    readonly key1?: string;
+    readonly keys: Record<string, string>;
     readonly lifetime: number;
     readonly refresh: number;
+    readonly cache: {
+        max: number;
+        ttl: number;
+    };
 }
 export interface Entity {
     revokedAt?: number;
 }
 export interface Identity extends Record<string, any> {
     id: string;
+    roles: string[];
+    permissions?: Record<string, string[]>;
 }
 export interface AuthenticateInput {
     authority: string;
@@ -30,17 +47,28 @@ export interface EncryptInput {
     authority: string;
     identity: Identity;
     lifetime?: number;
+    scopes?: string[];
+    permissions?: Record<string, string[]>;
+    key?: Key;
 }
 export interface DecryptOutput {
-    authority: string;
-    identity: Identity;
+    iss: string;
     iat: string;
     exp?: string;
+    identity: Identity;
     refresh: boolean;
 }
-export interface Claim {
+export interface Claims {
     identity: Identity;
-    aud: string;
+    iss: string;
     iat: string;
     exp?: string;
 }
+export interface Key {
+    id: string;
+    key: string;
+    label: string;
+}
+export interface CustomKey extends Key {
+    identity: string;
+}

package/components/identity.tokens/operations/lib/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../source/lib/types.ts"],"names":[],"mappings":""}

package/components/identity.tokens/operations/revoke.d.ts

@@ -1,2 +1,2 @@
-import { type Entity } from './types';
-export declare function transition(_: never, object: Entity): void;
+import type { Entity } from './lib';
+export declare function transition(_: unknown, object: Entity): void;

package/components/identity.tokens/operations/revoke.js.map

@@ -1 +1 @@
-{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../source/revoke.ts"],"names":[],"mappings":";;;AAEA,SAAgB,UAAU,CAAE,CAAQ,EAAE,MAAc;IAClD,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;AAC/B,CAAC;AAFD,gCAEC"}
+{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../source/revoke.ts"],"names":[],"mappings":";;;AAEA,SAAgB,UAAU,CAAE,CAAU,EAAE,MAAc;IACpD,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;AAC/B,CAAC;AAFD,gCAEC"}