npm - @twin.org/api-auth-entity-storage-service - Versions diffs - 0.0.3-next.4 → 0.0.3-next.41 - Mend

@twin.org/api-auth-entity-storage-service 0.0.3-next.4 → 0.0.3-next.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (104) hide show

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
-# TWIN Auth Entity Storage Service
+# TWIN API Auth Entity Storage Service
-Auth Entity Storage contract implementation and REST endpoint definitions.
+This package provides an authentication service implementation and REST routes backed by entity storage.
 ## Installation

package/dist/es/entities/authenticationAuditEntry.js ADDED Viewed

@@ -0,0 +1,101 @@
+// Copyright 2026 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+import { entity, property } from "@twin.org/entity";
+/**
+ * Class defining the storage for authentication audit entries.
+ */
+let AuthenticationAuditEntry = class AuthenticationAuditEntry {
+    /**
+     * The unique identifier for the audit entry.
+     */
+    id;
+    /**
+     * The timestamp of the audit entry in ISO 8601 format.
+     */
+    dateCreated;
+    /**
+     * The audit event that occurred.
+     */
+    event;
+    /**
+     * The actor identifier, could be e-mail, username, or other unique identifier.
+     */
+    actorId;
+    /**
+     * The node identifier associated with the audit entry, if applicable.
+     */
+    nodeId;
+    /**
+     * The organization identifier associated with the audit entry, if applicable.
+     */
+    organizationId;
+    /**
+     * The tenant identifier associated with the audit entry, if applicable.
+     */
+    tenantId;
+    /**
+     * The hashed IP addresses of the client.
+     */
+    ipAddressHashes;
+    /**
+     * The user agent string of the client.
+     */
+    userAgent;
+    /**
+     * The correlation ID for request tracing.
+     */
+    correlationId;
+    /**
+     * Additional data related to the audit entry, such as IP address, user agent, etc.
+     */
+    data;
+};
+__decorate([
+    property({ type: "string", isPrimary: true }),
+    __metadata("design:type", String)
+], AuthenticationAuditEntry.prototype, "id", void 0);
+__decorate([
+    property({ type: "string", isSecondary: true }),
+    __metadata("design:type", String)
+], AuthenticationAuditEntry.prototype, "dateCreated", void 0);
+__decorate([
+    property({ type: "string", isSecondary: true }),
+    __metadata("design:type", String)
+], AuthenticationAuditEntry.prototype, "event", void 0);
+__decorate([
+    property({ type: "string", isSecondary: true, optional: true }),
+    __metadata("design:type", String)
+], AuthenticationAuditEntry.prototype, "actorId", void 0);
+__decorate([
+    property({ type: "string", isSecondary: true, optional: true }),
+    __metadata("design:type", String)
+], AuthenticationAuditEntry.prototype, "nodeId", void 0);
+__decorate([
+    property({ type: "string", isSecondary: true, optional: true }),
+    __metadata("design:type", String)
+], AuthenticationAuditEntry.prototype, "organizationId", void 0);
+__decorate([
+    property({ type: "string", isSecondary: true, optional: true }),
+    __metadata("design:type", String)
+], AuthenticationAuditEntry.prototype, "tenantId", void 0);
+__decorate([
+    property({ type: "array", optional: true }),
+    __metadata("design:type", Array)
+], AuthenticationAuditEntry.prototype, "ipAddressHashes", void 0);
+__decorate([
+    property({ type: "string", optional: true }),
+    __metadata("design:type", String)
+], AuthenticationAuditEntry.prototype, "userAgent", void 0);
+__decorate([
+    property({ type: "string", optional: true }),
+    __metadata("design:type", String)
+], AuthenticationAuditEntry.prototype, "correlationId", void 0);
+__decorate([
+    property({ type: "object", optional: true }),
+    __metadata("design:type", Object)
+], AuthenticationAuditEntry.prototype, "data", void 0);
+AuthenticationAuditEntry = __decorate([
+    entity()
+], AuthenticationAuditEntry);
+export { AuthenticationAuditEntry };
+//# sourceMappingURL=authenticationAuditEntry.js.map

package/dist/es/entities/authenticationAuditEntry.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authenticationAuditEntry.js","sourceRoot":"","sources":["../../../src/entities/authenticationAuditEntry.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAEpD;;GAEG;AAEI,IAAM,wBAAwB,GAA9B,MAAM,wBAAwB;IACpC;;OAEG;IAEI,EAAE,CAAU;IAEnB;;OAEG;IAEI,WAAW,CAAU;IAE5B;;OAEG;IAEI,KAAK,CAAU;IAEtB;;OAEG;IAEI,OAAO,CAAU;IAExB;;OAEG;IAEI,MAAM,CAAU;IAEvB;;OAEG;IAEI,cAAc,CAAU;IAE/B;;OAEG;IAEI,QAAQ,CAAU;IAEzB;;OAEG;IAEI,eAAe,CAAY;IAElC;;OAEG;IAEI,SAAS,CAAU;IAE1B;;OAEG;IAEI,aAAa,CAAU;IAE9B;;OAEG;IAEI,IAAI,CAAW;CACtB,CAAA;AA7DO;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;;oDAC3B;AAMZ;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;;6DACpB;AAMrB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;;uDAC1B;AAMf;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;yDACxC;AAMjB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;wDACzC;AAMhB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;gEACjC;AAMxB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;0DACvC;AAMlB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;iEACV;AAM3B;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;2DACnB;AAMnB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;+DACf;AAMvB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;sDACvB;AAjEV,wBAAwB;IADpC,MAAM,EAAE;GACI,wBAAwB,CAkEpC","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { entity, property } from \"@twin.org/entity\";\n\n/**\n * Class defining the storage for authentication audit entries.\n */\n@entity()\nexport class AuthenticationAuditEntry {\n\t/**\n\t * The unique identifier for the audit entry.\n\t */\n\t@property({ type: \"string\", isPrimary: true })\n\tpublic id!: string;\n\n\t/**\n\t * The timestamp of the audit entry in ISO 8601 format.\n\t */\n\t@property({ type: \"string\", isSecondary: true })\n\tpublic dateCreated!: string;\n\n\t/**\n\t * The audit event that occurred.\n\t */\n\t@property({ type: \"string\", isSecondary: true })\n\tpublic event!: string;\n\n\t/**\n\t * The actor identifier, could be e-mail, username, or other unique identifier.\n\t */\n\t@property({ type: \"string\", isSecondary: true, optional: true })\n\tpublic actorId?: string;\n\n\t/**\n\t * The node identifier associated with the audit entry, if applicable.\n\t */\n\t@property({ type: \"string\", isSecondary: true, optional: true })\n\tpublic nodeId?: string;\n\n\t/**\n\t * The organization identifier associated with the audit entry, if applicable.\n\t */\n\t@property({ type: \"string\", isSecondary: true, optional: true })\n\tpublic organizationId?: string;\n\n\t/**\n\t * The tenant identifier associated with the audit entry, if applicable.\n\t */\n\t@property({ type: \"string\", isSecondary: true, optional: true })\n\tpublic tenantId?: string;\n\n\t/**\n\t * The hashed IP addresses of the client.\n\t */\n\t@property({ type: \"array\", optional: true })\n\tpublic ipAddressHashes?: string[];\n\n\t/**\n\t * The user agent string of the client.\n\t */\n\t@property({ type: \"string\", optional: true })\n\tpublic userAgent?: string;\n\n\t/**\n\t * The correlation ID for request tracing.\n\t */\n\t@property({ type: \"string\", optional: true })\n\tpublic correlationId?: string;\n\n\t/**\n\t * Additional data related to the audit entry, such as IP address, user agent, etc.\n\t */\n\t@property({ type: \"object\", optional: true })\n\tpublic data?: unknown;\n}\n"]}

package/dist/es/entities/authenticationRateEntry.js ADDED Viewed

@@ -0,0 +1,37 @@
+// Copyright 2026 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+import { entity, property } from "@twin.org/entity";
+/**
+ * Class defining the storage for authentication rate entries.
+ */
+let AuthenticationRateEntry = class AuthenticationRateEntry {
+    /**
+     * The id for the rate entry.
+     */
+    id;
+    /**
+     * Array of ISO date strings representing timestamps of failed attempts.
+     */
+    timestamps;
+    /**
+     * Last modification time in ISO date format.
+     */
+    dateModified;
+};
+__decorate([
+    property({ type: "string", isPrimary: true }),
+    __metadata("design:type", String)
+], AuthenticationRateEntry.prototype, "id", void 0);
+__decorate([
+    property({ type: "array", itemType: "string" }),
+    __metadata("design:type", Array)
+], AuthenticationRateEntry.prototype, "timestamps", void 0);
+__decorate([
+    property({ type: "string" }),
+    __metadata("design:type", String)
+], AuthenticationRateEntry.prototype, "dateModified", void 0);
+AuthenticationRateEntry = __decorate([
+    entity()
+], AuthenticationRateEntry);
+export { AuthenticationRateEntry };
+//# sourceMappingURL=authenticationRateEntry.js.map

package/dist/es/entities/authenticationRateEntry.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authenticationRateEntry.js","sourceRoot":"","sources":["../../../src/entities/authenticationRateEntry.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAEpD;;GAEG;AAEI,IAAM,uBAAuB,GAA7B,MAAM,uBAAuB;IACnC;;OAEG;IAEI,EAAE,CAAU;IAEnB;;OAEG;IAEI,UAAU,CAAY;IAE7B;;OAEG;IAEI,YAAY,CAAU;CAC7B,CAAA;AAbO;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;;mDAC3B;AAMZ;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;;2DACnB;AAMtB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;;6DACA;AAjBjB,uBAAuB;IADnC,MAAM,EAAE;GACI,uBAAuB,CAkBnC","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { entity, property } from \"@twin.org/entity\";\n\n/**\n * Class defining the storage for authentication rate entries.\n */\n@entity()\nexport class AuthenticationRateEntry {\n\t/**\n\t * The id for the rate entry.\n\t */\n\t@property({ type: \"string\", isPrimary: true })\n\tpublic id!: string;\n\n\t/**\n\t * Array of ISO date strings representing timestamps of failed attempts.\n\t */\n\t@property({ type: \"array\", itemType: \"string\" })\n\tpublic timestamps!: string[];\n\n\t/**\n\t * Last modification time in ISO date format.\n\t */\n\t@property({ type: \"string\" })\n\tpublic dateModified!: string;\n}\n"]}

package/dist/es/entities/authenticationUser.js CHANGED Viewed

@@ -25,6 +25,14 @@ let AuthenticationUser = class AuthenticationUser {
      * The users organization.
      */
     organization;
+    /**
+     * The scope assigned to the user, comma separated.
+     */
+    scope;
+    /**
+     * The password version counter, incremented on every password change to invalidate existing tokens.
+     */
+    passwordVersion;
 };
 __decorate([
     property({ type: "string", isPrimary: true }),
@@ -39,13 +47,21 @@ __decorate([
     __metadata("design:type", String)
 ], AuthenticationUser.prototype, "salt", void 0);
 __decorate([
-    property({ type: "string" }),
+    property({ type: "string", isSecondary: true }),
     __metadata("design:type", String)
 ], AuthenticationUser.prototype, "identity", void 0);
 __decorate([
     property({ type: "string" }),
     __metadata("design:type", String)
 ], AuthenticationUser.prototype, "organization", void 0);
+__decorate([
+    property({ type: "string" }),
+    __metadata("design:type", String)
+], AuthenticationUser.prototype, "scope", void 0);
+__decorate([
+    property({ type: "integer", optional: true }),
+    __metadata("design:type", Number)
+], AuthenticationUser.prototype, "passwordVersion", void 0);
 AuthenticationUser = __decorate([
     entity()
 ], AuthenticationUser);

package/dist/es/entities/authenticationUser.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"authenticationUser.js","sourceRoot":"","sources":["../../../src/entities/authenticationUser.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAEpD;;GAEG;AAEI,IAAM,kBAAkB,GAAxB,MAAM,kBAAkB;IAC9B;;OAEG;IAEI,KAAK,CAAU;IAEtB;;OAEG;IAEI,QAAQ,CAAU;IAEzB;;OAEG;IAEI,IAAI,CAAU;IAErB;;OAEG;IAEI,QAAQ,CAAU;IAEzB;;OAEG;IAEI,YAAY,CAAU;~~CAC7B~~,CAAA;~~AAzBO~~;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;;iDACxB;AAMf;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;;oDACJ;AAMlB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;;gDACR;AAMd;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;;~~oDACJ~~;AAMlB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;;wDACA;~~AA7BjB~~,kBAAkB;IAD9B,MAAM,EAAE;GACI,kBAAkB,~~CA8B9B~~","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { entity, property } from \"@twin.org/entity\";\n\n/*\n Class defining the storage for user login credentials.\n /\n@entity()\nexport class AuthenticationUser {\n\t/\n\t The user e-mail address.\n\t /\n\t@property({ type: \"string\", isPrimary: true })\n\tpublic email!: string;\n\n\t/\n\t The encrypted password for the user.\n\t /\n\t@property({ type: \"string\" })\n\tpublic password!: string;\n\n\t/\n\t The salt for the password.\n\t /\n\t@property({ type: \"string\" })\n\tpublic salt!: string;\n\n\t/\n\t The user identity.\n\t /\n\t@property({ type: \"string\" })\n\tpublic identity!: string;\n\n\t/\n\t The users organization.\n\t */\n\t@property({ type: \"string\" })\n\tpublic organization!: string;\n}\n"]}
1	+ {"version":3,"file":"authenticationUser.js","sourceRoot":"","sources":["../../../src/entities/authenticationUser.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAEpD;;GAEG;AAEI,IAAM,kBAAkB,GAAxB,MAAM,kBAAkB;IAC9B;;OAEG;IAEI,KAAK,CAAU;IAEtB;;OAEG;IAEI,QAAQ,CAAU;IAEzB;;OAEG;IAEI,IAAI,CAAU;IAErB;;OAEG;IAEI,QAAQ,CAAU;IAEzB;;OAEG;IAEI,YAAY,CAAU;IAE7B;;OAEG;IAEI,KAAK,CAAU;IAEtB;;OAEG;IAEI,eAAe,CAAU;CAChC,CAAA;AArCO;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;;iDACxB;AAMf;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;;oDACJ;AAMlB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;;gDACR;AAMd;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;;oDACvB;AAMlB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;;wDACA;AAMtB;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;;iDACP;AAMf;IADN,QAAQ,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;2DACd;AAzCpB,kBAAkB;IAD9B,MAAM,EAAE;GACI,kBAAkB,CA0C9B","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { entity, property } from \"@twin.org/entity\";\n\n/*\n Class defining the storage for user login credentials.\n /\n@entity()\nexport class AuthenticationUser {\n\t/\n\t The user e-mail address.\n\t /\n\t@property({ type: \"string\", isPrimary: true })\n\tpublic email!: string;\n\n\t/\n\t The encrypted password for the user.\n\t /\n\t@property({ type: \"string\" })\n\tpublic password!: string;\n\n\t/\n\t The salt for the password.\n\t /\n\t@property({ type: \"string\" })\n\tpublic salt!: string;\n\n\t/\n\t The user identity.\n\t /\n\t@property({ type: \"string\", isSecondary: true })\n\tpublic identity!: string;\n\n\t/\n\t The users organization.\n\t /\n\t@property({ type: \"string\" })\n\tpublic organization!: string;\n\n\t/\n\t The scope assigned to the user, comma separated.\n\t /\n\t@property({ type: \"string\" })\n\tpublic scope!: string;\n\n\t/\n\t The password version counter, incremented on every password change to invalidate existing tokens.\n\t */\n\t@property({ type: \"integer\", optional: true })\n\tpublic passwordVersion?: number;\n}\n"]}

package/dist/es/index.js CHANGED Viewed

@@ -1,18 +1,28 @@
 // Copyright 2024 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
+export * from "./entities/authenticationAuditEntry.js";
+export * from "./entities/authenticationRateEntry.js";
 export * from "./entities/authenticationUser.js";
 export * from "./models/IAuthHeaderProcessorConfig.js";
 export * from "./models/IAuthHeaderProcessorConstructorOptions.js";
 export * from "./models/IEntityStorageAuthenticationAdminServiceConfig.js";
 export * from "./models/IEntityStorageAuthenticationAdminServiceConstructorOptions.js";
+export * from "./models/IEntityStorageAuthenticationAuditServiceConfig.js";
+export * from "./models/IEntityStorageAuthenticationAuditServiceConstructorOptions.js";
+export * from "./models/IEntityStorageAuthenticationRateServiceConfig.js";
+export * from "./models/IEntityStorageAuthenticationRateServiceConstructorOptions.js";
 export * from "./models/IEntityStorageAuthenticationServiceConfig.js";
 export * from "./models/IEntityStorageAuthenticationServiceConstructorOptions.js";
 export * from "./processors/authHeaderProcessor.js";
 export * from "./restEntryPoints.js";
+export * from "./routes/entityStorageAuthenticationAdminRoutes.js";
+export * from "./routes/entityStorageAuthenticationAuditRoutes.js";
 export * from "./routes/entityStorageAuthenticationRoutes.js";
 export * from "./schema.js";
 export * from "./services/entityStorageAuthenticationAdminService.js";
+export * from "./services/entityStorageAuthenticationAuditService.js";
+export * from "./services/entityStorageAuthenticationRateService.js";
 export * from "./services/entityStorageAuthenticationService.js";
-export * from "./utils/passwordHelper.js";
 export * from "./utils/tokenHelper.js";
+export * from "./utils/passwordHelper.js";
 //# sourceMappingURL=index.js.map

package/dist/es/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,cAAc,kCAAkC,CAAC;AACjD,cAAc,wCAAwC,CAAC;AACvD,cAAc,oDAAoD,CAAC;AACnE,cAAc,4DAA4D,CAAC;AAC3E,cAAc,wEAAwE,CAAC;AACvF,cAAc,uDAAuD,CAAC;AACtE,cAAc,mEAAmE,CAAC;AAClF,cAAc,qCAAqC,CAAC;AACpD,cAAc,sBAAsB,CAAC;AACrC,cAAc,+CAA+C,CAAC;AAC9D,cAAc,aAAa,CAAC;AAC5B,cAAc,uDAAuD,CAAC;AACtE,cAAc,kDAAkD,CAAC;AACjE,cAAc,~~2BAA2B~~,CAAC;~~AAC1C~~,cAAc,~~wBAAwB~~,CAAC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nexport * from \"./entities/authenticationUser.js\";\nexport * from \"./models/IAuthHeaderProcessorConfig.js\";\nexport * from \"./models/IAuthHeaderProcessorConstructorOptions.js\";\nexport * from \"./models/IEntityStorageAuthenticationAdminServiceConfig.js\";\nexport * from \"./models/IEntityStorageAuthenticationAdminServiceConstructorOptions.js\";\nexport * from \"./models/IEntityStorageAuthenticationServiceConfig.js\";\nexport * from \"./models/IEntityStorageAuthenticationServiceConstructorOptions.js\";\nexport * from \"./processors/authHeaderProcessor.js\";\nexport * from \"./restEntryPoints.js\";\nexport * from \"./routes/entityStorageAuthenticationRoutes.js\";\nexport * from \"./schema.js\";\nexport * from \"./services/entityStorageAuthenticationAdminService.js\";\nexport * from \"./services/entityStorageAuthenticationService.js\";\nexport * from \"./utils/~~passwordHelper~~.js\";\nexport * from \"./utils/~~tokenHelper~~.js\";\n"]}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,cAAc,wCAAwC,CAAC;AACvD,cAAc,uCAAuC,CAAC;AACtD,cAAc,kCAAkC,CAAC;AACjD,cAAc,wCAAwC,CAAC;AACvD,cAAc,oDAAoD,CAAC;AACnE,cAAc,4DAA4D,CAAC;AAC3E,cAAc,wEAAwE,CAAC;AACvF,cAAc,4DAA4D,CAAC;AAC3E,cAAc,wEAAwE,CAAC;AACvF,cAAc,2DAA2D,CAAC;AAC1E,cAAc,uEAAuE,CAAC;AACtF,cAAc,uDAAuD,CAAC;AACtE,cAAc,mEAAmE,CAAC;AAClF,cAAc,qCAAqC,CAAC;AACpD,cAAc,sBAAsB,CAAC;AACrC,cAAc,oDAAoD,CAAC;AACnE,cAAc,oDAAoD,CAAC;AACnE,cAAc,+CAA+C,CAAC;AAC9D,cAAc,aAAa,CAAC;AAC5B,cAAc,uDAAuD,CAAC;AACtE,cAAc,uDAAuD,CAAC;AACtE,cAAc,sDAAsD,CAAC;AACrE,cAAc,kDAAkD,CAAC;AACjE,cAAc,wBAAwB,CAAC;AACvC,cAAc,2BAA2B,CAAC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nexport * from \"./entities/authenticationAuditEntry.js\";\nexport * from \"./entities/authenticationRateEntry.js\";\nexport * from \"./entities/authenticationUser.js\";\nexport * from \"./models/IAuthHeaderProcessorConfig.js\";\nexport * from \"./models/IAuthHeaderProcessorConstructorOptions.js\";\nexport * from \"./models/IEntityStorageAuthenticationAdminServiceConfig.js\";\nexport * from \"./models/IEntityStorageAuthenticationAdminServiceConstructorOptions.js\";\nexport * from \"./models/IEntityStorageAuthenticationAuditServiceConfig.js\";\nexport * from \"./models/IEntityStorageAuthenticationAuditServiceConstructorOptions.js\";\nexport * from \"./models/IEntityStorageAuthenticationRateServiceConfig.js\";\nexport * from \"./models/IEntityStorageAuthenticationRateServiceConstructorOptions.js\";\nexport * from \"./models/IEntityStorageAuthenticationServiceConfig.js\";\nexport * from \"./models/IEntityStorageAuthenticationServiceConstructorOptions.js\";\nexport * from \"./processors/authHeaderProcessor.js\";\nexport * from \"./restEntryPoints.js\";\nexport * from \"./routes/entityStorageAuthenticationAdminRoutes.js\";\nexport * from \"./routes/entityStorageAuthenticationAuditRoutes.js\";\nexport * from \"./routes/entityStorageAuthenticationRoutes.js\";\nexport * from \"./schema.js\";\nexport * from \"./services/entityStorageAuthenticationAdminService.js\";\nexport * from \"./services/entityStorageAuthenticationAuditService.js\";\nexport * from \"./services/entityStorageAuthenticationRateService.js\";\nexport * from \"./services/entityStorageAuthenticationService.js\";\nexport * from \"./utils/tokenHelper.js\";\nexport * from \"./utils/passwordHelper.js\";\n"]}

package/dist/es/models/IAuthHeaderProcessorConstructorOptions.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"IAuthHeaderProcessorConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IAuthHeaderProcessorConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IAuthHeaderProcessorConfig } from \"./IAuthHeaderProcessorConfig.js\";\n\n/*\n Options for the AuthHeaderProcessor constructor.\n /\nexport interface IAuthHeaderProcessorConstructorOptions {\n\t/\n\t The vault for the private keys.\n\t * @default vault\n\t /\n\tvaultConnectorType?: string;\n\n\t/\n\t The configuration for the processor.\n\t */\n\tconfig?: IAuthHeaderProcessorConfig;\n}\n"]}
1	+ {"version":3,"file":"IAuthHeaderProcessorConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IAuthHeaderProcessorConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IAuthHeaderProcessorConfig } from \"./IAuthHeaderProcessorConfig.js\";\n\n/*\n Options for the AuthHeaderProcessor constructor.\n /\nexport interface IAuthHeaderProcessorConstructorOptions {\n\t/\n\t The entity storage for users.\n\t * @default authentication-user\n\t /\n\tuserEntityStorageType?: string;\n\n\t/\n\t The vault for the private keys.\n\t * @default vault\n\t /\n\tvaultConnectorType?: string;\n\n\t/\n\t The URL transformer component for the tenants.\n\t /\n\turlTransformerComponentType?: string;\n\n\t/\n\t The component to retrieve tenant information.\n\t * @default tenant-admin\n\t /\n\ttenantAdminComponentType?: string;\n\n\t/\n\t The configuration for the processor.\n\t */\n\tconfig?: IAuthHeaderProcessorConfig;\n}\n"]}

package/dist/es/models/IEntityStorageAuthenticationAdminServiceConstructorOptions.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"IEntityStorageAuthenticationAdminServiceConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationAdminServiceConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IEntityStorageAuthenticationAdminServiceConfig } from \"./IEntityStorageAuthenticationAdminServiceConfig.js\";\n\n/*\n Options for the EntityStorageAuthenticationAdminService constructor.\n /\nexport interface IEntityStorageAuthenticationAdminServiceConstructorOptions {\n\t/\n\t The entity storage for the users.\n\t * @default authentication-user\n\t /\n\tuserEntityStorageType?: string;\n\n\t/\n\t The configuration for the authentication.\n\t */\n\tconfig?: IEntityStorageAuthenticationAdminServiceConfig;\n}\n"]}
1	+ {"version":3,"file":"IEntityStorageAuthenticationAdminServiceConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationAdminServiceConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IEntityStorageAuthenticationAdminServiceConfig } from \"./IEntityStorageAuthenticationAdminServiceConfig.js\";\n\n/*\n Options for the EntityStorageAuthenticationAdminService constructor.\n /\nexport interface IEntityStorageAuthenticationAdminServiceConstructorOptions {\n\t/\n\t The entity storage for the users.\n\t * @default authentication-user\n\t /\n\tuserEntityStorageType?: string;\n\n\t/\n\t The audit service.\n\t * @default authentication-audit\n\t /\n\tauthenticationAuditServiceType?: string;\n\n\t/\n\t The configuration for the authentication.\n\t */\n\tconfig?: IEntityStorageAuthenticationAdminServiceConfig;\n}\n"]}

package/dist/es/models/IEntityStorageAuthenticationAuditServiceConfig.js ADDED Viewed

@@ -0,0 +1,4 @@
+// Copyright 2026 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+export {};
+//# sourceMappingURL=IEntityStorageAuthenticationAuditServiceConfig.js.map

package/dist/es/models/IEntityStorageAuthenticationAuditServiceConfig.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"IEntityStorageAuthenticationAuditServiceConfig.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationAuditServiceConfig.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/**\n * Config for the EntityStorageAuthenticationAuditService constructor.\n */\nexport interface IEntityStorageAuthenticationAuditServiceConfig {\n\t/**\n\t * The server-side salt for hashing IP addresses in audit logs, if configured.\n\t */\n\tipHashSalt?: string;\n}\n"]}

package/dist/es/models/IEntityStorageAuthenticationAuditServiceConstructorOptions.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=IEntityStorageAuthenticationAuditServiceConstructorOptions.js.map

package/dist/es/models/IEntityStorageAuthenticationAuditServiceConstructorOptions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"IEntityStorageAuthenticationAuditServiceConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationAuditServiceConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IEntityStorageAuthenticationAuditServiceConfig } from \"./IEntityStorageAuthenticationAuditServiceConfig.js\";\n\n/**\n * Options for the EntityStorageAuthenticationAuditService constructor.\n */\nexport interface IEntityStorageAuthenticationAuditServiceConstructorOptions {\n\t/**\n\t * The entity storage for the audit entries.\n\t * @default authentication-audit-entry\n\t */\n\tauthenticationAuditEntryStorageType?: string;\n\n\t/**\n\t * The configuration for the authentication audit service.\n\t */\n\tconfig?: IEntityStorageAuthenticationAuditServiceConfig;\n}\n"]}

package/dist/es/models/IEntityStorageAuthenticationRateServiceConfig.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=IEntityStorageAuthenticationRateServiceConfig.js.map

package/dist/es/models/IEntityStorageAuthenticationRateServiceConfig.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"IEntityStorageAuthenticationRateServiceConfig.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationRateServiceConfig.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n/**\n * Configuration for the entity storage authentication rate service.\n */\nexport interface IEntityStorageAuthenticationRateServiceConfig {\n\t/**\n\t * Interval between cleanup runs in minutes.\n\t * @default 5\n\t */\n\tcleanupIntervalMinutes?: number;\n}\n"]}

package/dist/es/models/IEntityStorageAuthenticationRateServiceConstructorOptions.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=IEntityStorageAuthenticationRateServiceConstructorOptions.js.map

package/dist/es/models/IEntityStorageAuthenticationRateServiceConstructorOptions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"IEntityStorageAuthenticationRateServiceConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationRateServiceConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IEntityStorageAuthenticationRateServiceConfig } from \"./IEntityStorageAuthenticationRateServiceConfig.js\";\n\n/**\n * Options for the EntityStorageAuthenticationRateService constructor.\n */\nexport interface IEntityStorageAuthenticationRateServiceConstructorOptions {\n\t/**\n\t * The entity storage for authentication rate entries.\n\t * @default authentication-rate-entry\n\t */\n\tauthenticationRateEntryStorageType?: string;\n\n\t/**\n\t * The task scheduler component type.\n\t * @default task-scheduler\n\t */\n\ttaskSchedulerComponentType?: string;\n\n\t/**\n\t * The configuration for the authentication rate service.\n\t */\n\tconfig?: IEntityStorageAuthenticationRateServiceConfig;\n}\n"]}

package/dist/es/models/IEntityStorageAuthenticationServiceConfig.js CHANGED Viewed

@@ -1,4 +1,2 @@
-// Copyright 2024 IOTA Stiftung.
-// SPDX-License-Identifier: Apache-2.0.
 export {};
 //# sourceMappingURL=IEntityStorageAuthenticationServiceConfig.js.map

package/dist/es/models/IEntityStorageAuthenticationServiceConfig.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"IEntityStorageAuthenticationServiceConfig.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationServiceConfig.ts"],"names":[],"mappings":"~~AAAA,gCAAgC;AAChC,uCAAuC~~","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/*\n Configuration for the entity storage authentication service.\n /\nexport interface IEntityStorageAuthenticationServiceConfig {\n\t/\n\t The name of the key to retrieve from the vault for signing JWT.\n\t * @default auth-signing\n\t /\n\tsigningKeyName?: string;\n\n\t/\n\t The default time to live for the JWT.\n\t * @default ~~1440~~\n\t */\n\tdefaultTtlMinutes?: number;\n}\n"]}
1	+ {"version":3,"file":"IEntityStorageAuthenticationServiceConfig.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationServiceConfig.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IAuthenticationRateActionConfig } from \"@twin.org/api-auth-entity-storage-models\";\n\n/*\n Configuration for the entity storage authentication service.\n /\nexport interface IEntityStorageAuthenticationServiceConfig {\n\t/\n\t The name of the key to retrieve from the vault for signing JWT.\n\t * @default auth-signing\n\t /\n\tsigningKeyName?: string;\n\n\t/\n\t The default time to live for the JWT.\n\t * @default 60\n\t /\n\tdefaultTtlMinutes?: number;\n\n\t/\n\t The minimum password length for new password validation.\n\t * @default 8\n\t /\n\tminPasswordLength?: number;\n\n\t/\n\t Optional override for login failure rate limit.\n\t * @default { maxAttempts: 5, windowMinutes: 15 }\n\t /\n\tloginRateLimit?: IAuthenticationRateActionConfig;\n\n\t/\n\t Optional override for password change rate limit.\n\t * @default { maxAttempts: 5, windowMinutes: 15 }\n\t /\n\tpasswordChangeRateLimit?: IAuthenticationRateActionConfig;\n\n\t/\n\t Optional override for token refresh rate limit.\n\t * @default { maxAttempts: 30, windowMinutes: 60 }\n\t */\n\ttokenRefreshRateLimit?: IAuthenticationRateActionConfig;\n}\n"]}

package/dist/es/models/IEntityStorageAuthenticationServiceConstructorOptions.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"IEntityStorageAuthenticationServiceConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationServiceConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IEntityStorageAuthenticationServiceConfig } from \"./IEntityStorageAuthenticationServiceConfig.js\";\n\n/*\n Options for the EntityStorageAuthenticationService constructor.\n /\nexport interface IEntityStorageAuthenticationServiceConstructorOptions {\n\t/\n\t The entity storage for the users.\n\t * @default authentication-user\n\t /\n\tuserEntityStorageType?: string;\n\n\t/\n\t The vault for the private keys.\n\t * @default vault\n\t /\n\tvaultConnectorType?: string;\n\n\t/\n\t The ~~admin~~ service.\n\t * @default authentication-admin\n\t /\n\~~tauthenticationAdminServiceType~~?: string;\n\n\t/\n\t The configuration for the authentication.\n\t */\n\tconfig?: IEntityStorageAuthenticationServiceConfig;\n}\n"]}
1	+ {"version":3,"file":"IEntityStorageAuthenticationServiceConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IEntityStorageAuthenticationServiceConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IEntityStorageAuthenticationServiceConfig } from \"./IEntityStorageAuthenticationServiceConfig.js\";\n\n/*\n Options for the EntityStorageAuthenticationService constructor.\n /\nexport interface IEntityStorageAuthenticationServiceConstructorOptions {\n\t/\n\t The entity storage for the users.\n\t * @default authentication-user\n\t /\n\tuserEntityStorageType?: string;\n\n\t/\n\t The vault for the private keys.\n\t * @default vault\n\t /\n\tvaultConnectorType?: string;\n\n\t/\n\t The URL transformer component for the tenants.\n\t /\n\turlTransformerComponentType?: string;\n\n\t/\n\t The audit service.\n\t * @default authentication-audit\n\t /\n\tauthenticationAuditServiceType?: string;\n\n\t/\n\t The rate service.\n\t * @default authentication-rate\n\t /\n\tauthenticationRateServiceType?: string;\n\n\t/\n\t The component to retrieve tenant information.\n\t * @default tenant-admin\n\t /\n\ttenantAdminComponentType?: string;\n\n\t/\n\t The configuration for the authentication.\n\t */\n\tconfig?: IEntityStorageAuthenticationServiceConfig;\n}\n"]}

package/dist/es/processors/authHeaderProcessor.js CHANGED Viewed

@@ -2,9 +2,10 @@
 // SPDX-License-Identifier: Apache-2.0.
 import { HttpErrorHelper } from "@twin.org/api-models";
 import { ContextIdHelper, ContextIdKeys, ContextIdStore } from "@twin.org/context";
-import { BaseError, Coerce, Is } from "@twin.org/core";
+import { BaseError, Coerce, ComponentFactory, Is } from "@twin.org/core";
+import { EntityStorageConnectorFactory } from "@twin.org/entity-storage-models";
 import { VaultConnectorFactory } from "@twin.org/vault-models";
-import { HeaderTypes, HttpStatusCode } from "@twin.org/web";
+import { CookieHelper, HeaderTypes, HttpStatusCode } from "@twin.org/web";
 import { TokenHelper } from "../utils/tokenHelper.js";
 /**
  * Handle a JWT token in the authorization header or cookies and validate it to populate request context identity.
@@ -24,6 +25,21 @@ export class AuthHeaderProcessor {
      * @internal
      */
     _vaultConnector;
+    /**
+     * The transformer component, used to resolve public origins for tenants and encrypt/decrypt tenant tokens.
+     * @internal
+     */
+    _urlTransformerService;
+    /**
+     * The component to retrieve tenant information.
+     * @internal
+     */
+    _tenantAdminComponent;
+    /**
+     * The entity storage for users.
+     * @internal
+     */
+    _userEntityStorage;
     /**
      * The name of the key to retrieve from the vault for signing JWT.
      * @internal
@@ -40,11 +56,14 @@ export class AuthHeaderProcessor {
      */
     _nodeId;
     /**
-     * Create a new instance of AuthCookiePreProcessor.
+     * Create a new instance of AuthHeaderProcessor.
      * @param options Options for the processor.
      */
     constructor(options) {
         this._vaultConnector = VaultConnectorFactory.get(options?.vaultConnectorType ?? "vault");
+        this._urlTransformerService = ComponentFactory.get(options?.urlTransformerComponentType ?? "url-transformer");
+        this._userEntityStorage = EntityStorageConnectorFactory.get(options?.userEntityStorageType ?? "authentication-user");
+        this._tenantAdminComponent = ComponentFactory.getIfExists(options?.tenantAdminComponentType ?? "tenant-admin");
         this._signingKeyName = options?.config?.signingKeyName ?? "auth-signing";
         this._cookieName = options?.config?.cookieName ?? AuthHeaderProcessor.DEFAULT_COOKIE_NAME;
     }
@@ -77,7 +96,32 @@ export class AuthHeaderProcessor {
         if (!Is.empty(route) && !(route.skipAuth ?? false)) {
             try {
                 const tokenAndLocation = TokenHelper.extractTokenFromHeaders(request.headers, this._cookieName);
-                const headerAndPayload = await TokenHelper.verify(this._vaultConnector, `${this._nodeId}/${this._signingKeyName}`, tokenAndLocation?.token);
+                const headerAndPayload = await TokenHelper.verify(this._vaultConnector, `${this._nodeId}/${this._signingKeyName}`, tokenAndLocation?.token, route.requiredScope, async (userIdentity, organizationIdentity, encryptedTenantId, passwordVersion) => {
+                    const validParts = [];
+                    // If the token carries an encrypted tenant ID and the admin component is available,
+                    // decrypt and resolve the tenant first so the user lookup runs in the correct partition.
+                    if (Is.stringValue(encryptedTenantId)) {
+                        const tenantId = await this._urlTransformerService.decryptParam(encryptedTenantId);
+                        if (Is.stringValue(tenantId)) {
+                            const tenant = await this._tenantAdminComponent?.get(tenantId);
+                            if (!Is.empty(tenant)) {
+                                processorState.publicOrigin = tenant.publicOrigin;
+                                validParts.push("tenant");
+                                contextIds[ContextIdKeys.Tenant] = tenantId;
+                            }
+                        }
+                    }
+                    // Wrap the user lookup in the request context so partitioned storage uses the correct tenant.
+                    const user = await ContextIdStore.run(contextIds, async () => this._userEntityStorage.get(userIdentity, "identity"));
+                    if (user?.identity === userIdentity &&
+                        (passwordVersion ?? 0) === (user.passwordVersion ?? 0)) {
+                        validParts.push("user");
+                    }
+                    if (user?.organization === organizationIdentity) {
+                        validParts.push("organization");
+                    }
+                    return validParts;
+                });
                 contextIds[ContextIdKeys.User] = headerAndPayload.payload?.sub;
                 contextIds[ContextIdKeys.Organization] = Coerce.string(headerAndPayload.payload?.org);
                 processorState.authToken = tokenAndLocation?.token;
@@ -99,21 +143,29 @@ export class AuthHeaderProcessor {
      */
     async post(request, response, route, contextIds, processorState) {
         const responseAuthOperation = processorState?.authOperation;
+        const responseAuthToken = processorState?.authToken;
         // We don't populate the cookie if the incoming request was from an authorization header.
         if (!Is.empty(route) &&
             Is.stringValue(responseAuthOperation) &&
             processorState.authTokenLocation !== "authorization") {
             if ((responseAuthOperation === "login" || responseAuthOperation === "refresh") &&
-                Is.stringValue(response.body?.token)) {
+                Is.stringValue(responseAuthToken)) {
                 response.headers ??= {};
-                response.headers[HeaderTypes.SetCookie] =
-                    `${this._cookieName}=${response.body.token}; Secure; HttpOnly; SameSite=None; Path=/`;
-                delete response.body.token;
+                response.headers[HeaderTypes.SetCookie] = CookieHelper.createCookie(this._cookieName, responseAuthToken, {
+                    secure: true,
+                    httpOnly: true,
+                    sameSite: "None",
+                    path: "/"
+                });
             }
             else if (responseAuthOperation === "logout") {
                 response.headers ??= {};
-                response.headers[HeaderTypes.SetCookie] =
-                    `${this._cookieName}=; Max-Age=0; Secure; HttpOnly; SameSite=None; Path=/`;
+                response.headers[HeaderTypes.SetCookie] = CookieHelper.deleteCookie(this._cookieName, {
+                    secure: true,
+                    httpOnly: true,
+                    sameSite: "None",
+                    path: "/"
+                });
             }
         }
     }

package/dist/es/processors/authHeaderProcessor.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"authHeaderProcessor.js","sourceRoot":"","sources":["../../../src/processors/authHeaderProcessor.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EACN,eAAe,EAKf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACN,eAAe,EACf,aAAa,EACb,cAAc,EAEd,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,gBAAgB,CAAC;AAEvD,OAAO,EAAE,qBAAqB,EAAwB,MAAM,wBAAwB,CAAC;AACrF,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE5D,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAEtD;;GAEG;AACH,MAAM,OAAO,mBAAmB;IAC/B;;;OAGG;IACI,MAAM,CAAU,mBAAmB,GAAW,cAAc,CAAC;IAEpE;;OAEG;IACI,MAAM,CAAU,UAAU,yBAAyC;IAE1E;;;OAGG;IACc,eAAe,CAAkB;IAElD;;;OAGG;IACc,eAAe,CAAS;IAEzC;;;OAGG;IACc,WAAW,CAAS;IAErC;;;OAGG;IACK,OAAO,CAAU;IAEzB;;;OAGG;IACH,YAAY,OAAgD;QAC3D,IAAI,CAAC,eAAe,GAAG,qBAAqB,CAAC,GAAG,CAAC,OAAO,EAAE,kBAAkB,IAAI,OAAO,CAAC,CAAC;QACzF,IAAI,CAAC,eAAe,GAAG,OAAO,EAAE,MAAM,EAAE,cAAc,IAAI,cAAc,CAAC;QACzE,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,mBAAmB,CAAC,mBAAmB,CAAC;IAC3F,CAAC;IAED;;;OAGG;IACI,SAAS;QACf,OAAO,mBAAmB,CAAC,UAAU,CAAC;IACvC,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,KAAK,CAAC,wBAAiC;QACnD,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,aAAa,EAAE,CAAC;QACxD,eAAe,CAAC,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;QACtD,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,GAAG,CACf,OAA2B,EAC3B,QAAuB,EACvB,KAA6B,EAC7B,UAAuB,EACvB,cAAyC;QAEzC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC;gBACJ,MAAM,gBAAgB,GAAG,WAAW,CAAC,uBAAuB,CAC3D,OAAO,CAAC,OAAO,EACf,IAAI,CAAC,WAAW,CAChB,CAAC;gBAEF,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,MAAM,CAChD,IAAI,CAAC,eAAe,EACpB,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,EACzC,gBAAgB,EAAE,KAAK,CACvB,CAAC;gBAEF,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC;gBAC/D,UAAU,CAAC,aAAa,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;gBAEtF,cAAc,CAAC,SAAS,GAAG,gBAAgB,EAAE,KAAK,CAAC;gBACnD,cAAc,CAAC,iBAAiB,GAAG,gBAAgB,EAAE,QAAQ,CAAC;YAC/D,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACvC,eAAe,CAAC,aAAa,CAAC,QAAQ,EAAE,KAAK,EAAE,cAAc,CAAC,YAAY,CAAC,CAAC;YAC7E,CAAC;QACF,CAAC;IACF,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,IAAI,CAChB,OAA2B,EAC3B,QAAuB,EACvB,KAA6B,EAC7B,UAAuB,EACvB,cAAyC;QAEzC,MAAM,qBAAqB,GAAG,cAAc,EAAE,aAAa,CAAC;QAE5D,yFAAyF;QACzF,IACC,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC;YAChB,EAAE,CAAC,WAAW,CAAC,qBAAqB,CAAC;YACrC,cAAc,CAAC,iBAAiB,KAAK,eAAe,EACnD,CAAC;YACF,IACC,CAAC,qBAAqB,KAAK,OAAO,IAAI,qBAAqB,KAAK,SAAS,CAAC;gBAC1E,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC,EACnC,CAAC;gBACF,QAAQ,CAAC,OAAO,KAAK,EAAE,CAAC;gBACxB,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC;oBACtC,GAAG,IAAI,CAAC,WAAW,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,2CAA2C,CAAC;gBACvF,OAAO,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC;YAC5B,CAAC;iBAAM,IAAI,qBAAqB,KAAK,QAAQ,EAAE,CAAC;gBAC/C,QAAQ,CAAC,OAAO,KAAK,EAAE,CAAC;gBACxB,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC;oBACtC,GAAG,IAAI,CAAC,WAAW,uDAAuD,CAAC;YAC7E,CAAC;QACF,CAAC;IACF,CAAC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport {\n\tHttpErrorHelper,\n\ttype IBaseRoute,\n\ttype IBaseRouteProcessor,\n\ttype IHttpResponse,\n\ttype IHttpServerRequest\n} from \"@twin.org/api-models\";\nimport {\n\tContextIdHelper,\n\tContextIdKeys,\n\tContextIdStore,\n\ttype IContextIds\n} from \"@twin.org/context\";\nimport { BaseError, Coerce, Is } from \"@twin.org/core\";\nimport { nameof } from \"@twin.org/nameof\";\nimport { VaultConnectorFactory, type IVaultConnector } from \"@twin.org/vault-models\";\nimport { HeaderTypes, HttpStatusCode } from \"@twin.org/web\";\nimport type { IAuthHeaderProcessorConstructorOptions } from \"../models/IAuthHeaderProcessorConstructorOptions.js\";\nimport { TokenHelper } from \"../utils/tokenHelper.js\";\n\n/*\n Handle a JWT token in the authorization header or cookies and validate it to populate request context identity.\n /\nexport class AuthHeaderProcessor implements IBaseRouteProcessor {\n\t/\n\t The default name for the access token as a cookie.\n\t * @internal\n\t /\n\tpublic static readonly DEFAULT_COOKIE_NAME: string = \"access_token\";\n\n\t/\n\t Runtime name for the class.\n\t /\n\tpublic static readonly CLASS_NAME: string = nameof<AuthHeaderProcessor>();\n\n\t/\n\t The vault for the keys.\n\t * @internal\n\t /\n\tprivate readonly _vaultConnector: IVaultConnector;\n\n\t/\n\t The name of the key to retrieve from the vault for signing JWT.\n\t * @internal\n\t /\n\tprivate readonly _signingKeyName: string;\n\n\t/\n\t The name of the cookie to use for the token.\n\t * @internal\n\t /\n\tprivate readonly _cookieName: string;\n\n\t/\n\t The node identity.\n\t * @internal\n\t /\n\tprivate _nodeId?: string;\n\n\t/\n\t Create a new instance of AuthCookiePreProcessor.\n\t * @param options Options for the processor.\n\t /\n\tconstructor(options?: IAuthHeaderProcessorConstructorOptions) {\n\t\tthis._vaultConnector = VaultConnectorFactory.get(options?.vaultConnectorType ?? \"vault\");\n\t\tthis._signingKeyName = options?.config?.signingKeyName ?? \"auth-signing\";\n\t\tthis._cookieName = options?.config?.cookieName ?? AuthHeaderProcessor.DEFAULT_COOKIE_NAME;\n\t}\n\n\t/\n\t Returns the class name of the component.\n\t * @returns The class name of the component.\n\t /\n\tpublic className(): string {\n\t\treturn AuthHeaderProcessor.CLASS_NAME;\n\t}\n\n\t/\n\t The service needs to be started when the application is initialized.\n\t * @param nodeLoggingComponentType The node logging component type.\n\t * @returns Nothing.\n\t /\n\tpublic async start(nodeLoggingComponentType?: string): Promise<void> {\n\t\tconst contextIds = await ContextIdStore.getContextIds();\n\t\tContextIdHelper.guard(contextIds, ContextIdKeys.Node);\n\t\tthis._nodeId = contextIds[ContextIdKeys.Node];\n\t}\n\n\t/\n\t Pre process the REST request for the specified route.\n\t * @param request The incoming request.\n\t * @param response The outgoing response.\n\t * @param route The route to process.\n\t * @param contextIds The context IDs of the request.\n\t * @param processorState The state handed through the processors.\n\t /\n\tpublic async pre(\n\t\trequest: IHttpServerRequest,\n\t\tresponse: IHttpResponse,\n\t\troute: IBaseRoute \| undefined,\n\t\tcontextIds: IContextIds,\n\t\tprocessorState: { [id: string]: unknown }\n\t): Promise<void> {\n\t\tif (!Is.empty(route) && !(route.skipAuth ?? false)) {\n\t\t\ttry {\n\t\t\t\tconst tokenAndLocation = TokenHelper.extractTokenFromHeaders(\n\t\t\t\t\trequest.headers,\n\t\t\t\t\tthis._cookieName\n\t\t\t\t);\n\n\t\t\t\tconst headerAndPayload = await TokenHelper.verify(\n\t\t\t\t\tthis._vaultConnector,\n\t\t\t\t\t`${this._nodeId}/${this._signingKeyName}`,\n\t\t\t\t\ttokenAndLocation?.token\n\t\t\t\t);\n\n\t\t\t\tcontextIds[ContextIdKeys.User] = headerAndPayload.payload?.sub;\n\t\t\t\tcontextIds[ContextIdKeys.Organization] = Coerce.string(headerAndPayload.payload?.org);\n\n\t\t\t\tprocessorState.authToken = tokenAndLocation?.token;\n\t\t\t\tprocessorState.authTokenLocation = tokenAndLocation?.location;\n\t\t\t} catch (err) {\n\t\t\t\tconst error = BaseError.fromError(err);\n\t\t\t\tHttpErrorHelper.buildResponse(response, error, HttpStatusCode.unauthorized);\n\t\t\t}\n\t\t}\n\t}\n\n\t/\n\t Post process the REST request for the specified route.\n\t * @param request The incoming request.\n\t * @param response The outgoing response.\n\t * @param route The route to process.\n\t * @param contextIds The context IDs of the request.\n\t * @param processorState The state handed through the processors.\n\t */\n\tpublic async post(\n\t\trequest: IHttpServerRequest,\n\t\tresponse: IHttpResponse,\n\t\troute: IBaseRoute \| undefined,\n\t\tcontextIds: IContextIds,\n\t\tprocessorState: { [id: string]: unknown }\n\t): Promise<void> {\n\t\tconst responseAuthOperation = processorState?.authOperation;\n\n\t\t// We don't populate the cookie if the incoming request was from an authorization header.\n\t\tif (\n\t\t\t!Is.empty(route) &&\n\t\t\tIs.stringValue(responseAuthOperation) &&\n\t\t\tprocessorState.authTokenLocation !== \"authorization\"\n\t\t) {\n\t\t\tif (\n\t\t\t\t(responseAuthOperation === \"login\" \|\| responseAuthOperation === \"refresh\") &&\n\t\t\t\tIs.stringValue(response.body?.token)\n\t\t\t) {\n\t\t\t\tresponse.headers ??= {};\n\t\t\t\tresponse.headers[HeaderTypes.SetCookie] =\n\t\t\t\t\t`${this._cookieName}=${response.body.token}; Secure; HttpOnly; SameSite=None; Path=/`;\n\t\t\t\tdelete response.body.token;\n\t\t\t} else if (responseAuthOperation === \"logout\") {\n\t\t\t\tresponse.headers ??= {};\n\t\t\t\tresponse.headers[HeaderTypes.SetCookie] =\n\t\t\t\t\t`${this._cookieName}=; Max-Age=0; Secure; HttpOnly; SameSite=None; Path=/`;\n\t\t\t}\n\t\t}\n\t}\n}\n"]}
1	+ {"version":3,"file":"authHeaderProcessor.js","sourceRoot":"","sources":["../../../src/processors/authHeaderProcessor.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EACN,eAAe,EAOf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACN,eAAe,EACf,aAAa,EACb,cAAc,EAEd,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,gBAAgB,EAAE,EAAE,EAAE,MAAM,gBAAgB,CAAC;AACzE,OAAO,EACN,6BAA6B,EAE7B,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EAAE,qBAAqB,EAAwB,MAAM,wBAAwB,CAAC;AACrF,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAG1E,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAEtD;;GAEG;AACH,MAAM,OAAO,mBAAmB;IAC/B;;;OAGG;IACI,MAAM,CAAU,mBAAmB,GAAW,cAAc,CAAC;IAEpE;;OAEG;IACI,MAAM,CAAU,UAAU,yBAAyC;IAE1E;;;OAGG;IACc,eAAe,CAAkB;IAElD;;;OAGG;IACc,sBAAsB,CAA2B;IAElE;;;OAGG;IACc,qBAAqB,CAAyB;IAE/D;;;OAGG;IACc,kBAAkB,CAA8C;IAEjF;;;OAGG;IACc,eAAe,CAAS;IAEzC;;;OAGG;IACc,WAAW,CAAS;IAErC;;;OAGG;IACK,OAAO,CAAU;IAEzB;;;OAGG;IACH,YAAY,OAAgD;QAC3D,IAAI,CAAC,eAAe,GAAG,qBAAqB,CAAC,GAAG,CAAC,OAAO,EAAE,kBAAkB,IAAI,OAAO,CAAC,CAAC;QACzF,IAAI,CAAC,sBAAsB,GAAG,gBAAgB,CAAC,GAAG,CACjD,OAAO,EAAE,2BAA2B,IAAI,iBAAiB,CACzD,CAAC;QACF,IAAI,CAAC,kBAAkB,GAAG,6BAA6B,CAAC,GAAG,CAC1D,OAAO,EAAE,qBAAqB,IAAI,qBAAqB,CACvD,CAAC;QACF,IAAI,CAAC,qBAAqB,GAAG,gBAAgB,CAAC,WAAW,CACxD,OAAO,EAAE,wBAAwB,IAAI,cAAc,CACnD,CAAC;QAEF,IAAI,CAAC,eAAe,GAAG,OAAO,EAAE,MAAM,EAAE,cAAc,IAAI,cAAc,CAAC;QACzE,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,mBAAmB,CAAC,mBAAmB,CAAC;IAC3F,CAAC;IAED;;;OAGG;IACI,SAAS;QACf,OAAO,mBAAmB,CAAC,UAAU,CAAC;IACvC,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,KAAK,CAAC,wBAAiC;QACnD,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,aAAa,EAAE,CAAC;QACxD,eAAe,CAAC,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;QACtD,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,GAAG,CACf,OAA2B,EAC3B,QAAuB,EACvB,KAA6B,EAC7B,UAAuB,EACvB,cAAyC;QAEzC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC;gBACJ,MAAM,gBAAgB,GAAG,WAAW,CAAC,uBAAuB,CAC3D,OAAO,CAAC,OAAO,EACf,IAAI,CAAC,WAAW,CAChB,CAAC;gBAEF,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,MAAM,CAChD,IAAI,CAAC,eAAe,EACpB,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,EACzC,gBAAgB,EAAE,KAAK,EACvB,KAAK,CAAC,aAAa,EACnB,KAAK,EACJ,YAAoB,EACpB,oBAA4B,EAC5B,iBAAqC,EACrC,eAAmC,EAClC,EAAE;oBACH,MAAM,UAAU,GAAG,EAAE,CAAC;oBAEtB,oFAAoF;oBACpF,yFAAyF;oBACzF,IAAI,EAAE,CAAC,WAAW,CAAC,iBAAiB,CAAC,EAAE,CAAC;wBACvC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;wBAEnF,IAAI,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;4BAC9B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;4BAC/D,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;gCACvB,cAAc,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;gCAClD,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gCAC1B,UAAU,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC;4BAC7C,CAAC;wBACF,CAAC;oBACF,CAAC;oBAED,8FAA8F;oBAC9F,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,IAAI,EAAE,CAC5D,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,CACrD,CAAC;oBAEF,IACC,IAAI,EAAE,QAAQ,KAAK,YAAY;wBAC/B,CAAC,eAAe,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,CAAC,EACrD,CAAC;wBACF,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBACzB,CAAC;oBACD,IAAI,IAAI,EAAE,YAAY,KAAK,oBAAoB,EAAE,CAAC;wBACjD,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;oBACjC,CAAC;oBAED,OAAO,UAAU,CAAC;gBACnB,CAAC,CACD,CAAC;gBAEF,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC;gBAC/D,UAAU,CAAC,aAAa,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;gBAEtF,cAAc,CAAC,SAAS,GAAG,gBAAgB,EAAE,KAAK,CAAC;gBACnD,cAAc,CAAC,iBAAiB,GAAG,gBAAgB,EAAE,QAAQ,CAAC;YAC/D,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACvC,eAAe,CAAC,aAAa,CAAC,QAAQ,EAAE,KAAK,EAAE,cAAc,CAAC,YAAY,CAAC,CAAC;YAC7E,CAAC;QACF,CAAC;IACF,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,IAAI,CAChB,OAA2B,EAC3B,QAAuB,EACvB,KAA6B,EAC7B,UAAuB,EACvB,cAAyC;QAEzC,MAAM,qBAAqB,GAAG,cAAc,EAAE,aAAa,CAAC;QAC5D,MAAM,iBAAiB,GAAG,cAAc,EAAE,SAAS,CAAC;QAEpD,yFAAyF;QACzF,IACC,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC;YAChB,EAAE,CAAC,WAAW,CAAC,qBAAqB,CAAC;YACrC,cAAc,CAAC,iBAAiB,KAAK,eAAe,EACnD,CAAC;YACF,IACC,CAAC,qBAAqB,KAAK,OAAO,IAAI,qBAAqB,KAAK,SAAS,CAAC;gBAC1E,EAAE,CAAC,WAAW,CAAC,iBAAiB,CAAC,EAChC,CAAC;gBACF,QAAQ,CAAC,OAAO,KAAK,EAAE,CAAC;gBACxB,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,YAAY,CAAC,YAAY,CAClE,IAAI,CAAC,WAAW,EAChB,iBAAiB,EACjB;oBACC,MAAM,EAAE,IAAI;oBACZ,QAAQ,EAAE,IAAI;oBACd,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,GAAG;iBACT,CACD,CAAC;YACH,CAAC;iBAAM,IAAI,qBAAqB,KAAK,QAAQ,EAAE,CAAC;gBAC/C,QAAQ,CAAC,OAAO,KAAK,EAAE,CAAC;gBACxB,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE;oBACrF,MAAM,EAAE,IAAI;oBACZ,QAAQ,EAAE,IAAI;oBACd,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,GAAG;iBACT,CAAC,CAAC;YACJ,CAAC;QACF,CAAC;IACF,CAAC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport {\n\tHttpErrorHelper,\n\ttype IUrlTransformerComponent,\n\ttype IBaseRoute,\n\ttype IBaseRouteProcessor,\n\ttype IHttpResponse,\n\ttype IHttpServerRequest,\n\ttype ITenantAdminComponent\n} from \"@twin.org/api-models\";\nimport {\n\tContextIdHelper,\n\tContextIdKeys,\n\tContextIdStore,\n\ttype IContextIds\n} from \"@twin.org/context\";\nimport { BaseError, Coerce, ComponentFactory, Is } from \"@twin.org/core\";\nimport {\n\tEntityStorageConnectorFactory,\n\ttype IEntityStorageConnector\n} from \"@twin.org/entity-storage-models\";\nimport { nameof } from \"@twin.org/nameof\";\nimport { VaultConnectorFactory, type IVaultConnector } from \"@twin.org/vault-models\";\nimport { CookieHelper, HeaderTypes, HttpStatusCode } from \"@twin.org/web\";\nimport type { AuthenticationUser } from \"../entities/authenticationUser.js\";\nimport type { IAuthHeaderProcessorConstructorOptions } from \"../models/IAuthHeaderProcessorConstructorOptions.js\";\nimport { TokenHelper } from \"../utils/tokenHelper.js\";\n\n/*\n Handle a JWT token in the authorization header or cookies and validate it to populate request context identity.\n /\nexport class AuthHeaderProcessor implements IBaseRouteProcessor {\n\t/\n\t The default name for the access token as a cookie.\n\t * @internal\n\t /\n\tpublic static readonly DEFAULT_COOKIE_NAME: string = \"access_token\";\n\n\t/\n\t Runtime name for the class.\n\t /\n\tpublic static readonly CLASS_NAME: string = nameof<AuthHeaderProcessor>();\n\n\t/\n\t The vault for the keys.\n\t * @internal\n\t /\n\tprivate readonly _vaultConnector: IVaultConnector;\n\n\t/\n\t The transformer component, used to resolve public origins for tenants and encrypt/decrypt tenant tokens.\n\t * @internal\n\t /\n\tprivate readonly _urlTransformerService: IUrlTransformerComponent;\n\n\t/\n\t The component to retrieve tenant information.\n\t * @internal\n\t /\n\tprivate readonly _tenantAdminComponent?: ITenantAdminComponent;\n\n\t/\n\t The entity storage for users.\n\t * @internal\n\t /\n\tprivate readonly _userEntityStorage: IEntityStorageConnector<AuthenticationUser>;\n\n\t/\n\t The name of the key to retrieve from the vault for signing JWT.\n\t * @internal\n\t /\n\tprivate readonly _signingKeyName: string;\n\n\t/\n\t The name of the cookie to use for the token.\n\t * @internal\n\t /\n\tprivate readonly _cookieName: string;\n\n\t/\n\t The node identity.\n\t * @internal\n\t /\n\tprivate _nodeId?: string;\n\n\t/\n\t Create a new instance of AuthHeaderProcessor.\n\t * @param options Options for the processor.\n\t /\n\tconstructor(options?: IAuthHeaderProcessorConstructorOptions) {\n\t\tthis._vaultConnector = VaultConnectorFactory.get(options?.vaultConnectorType ?? \"vault\");\n\t\tthis._urlTransformerService = ComponentFactory.get(\n\t\t\toptions?.urlTransformerComponentType ?? \"url-transformer\"\n\t\t);\n\t\tthis._userEntityStorage = EntityStorageConnectorFactory.get(\n\t\t\toptions?.userEntityStorageType ?? \"authentication-user\"\n\t\t);\n\t\tthis._tenantAdminComponent = ComponentFactory.getIfExists<ITenantAdminComponent>(\n\t\t\toptions?.tenantAdminComponentType ?? \"tenant-admin\"\n\t\t);\n\n\t\tthis._signingKeyName = options?.config?.signingKeyName ?? \"auth-signing\";\n\t\tthis._cookieName = options?.config?.cookieName ?? AuthHeaderProcessor.DEFAULT_COOKIE_NAME;\n\t}\n\n\t/\n\t Returns the class name of the component.\n\t * @returns The class name of the component.\n\t /\n\tpublic className(): string {\n\t\treturn AuthHeaderProcessor.CLASS_NAME;\n\t}\n\n\t/\n\t The service needs to be started when the application is initialized.\n\t * @param nodeLoggingComponentType The node logging component type.\n\t * @returns Nothing.\n\t /\n\tpublic async start(nodeLoggingComponentType?: string): Promise<void> {\n\t\tconst contextIds = await ContextIdStore.getContextIds();\n\t\tContextIdHelper.guard(contextIds, ContextIdKeys.Node);\n\t\tthis._nodeId = contextIds[ContextIdKeys.Node];\n\t}\n\n\t/\n\t Pre process the REST request for the specified route.\n\t * @param request The incoming request.\n\t * @param response The outgoing response.\n\t * @param route The route to process.\n\t * @param contextIds The context IDs of the request.\n\t * @param processorState The state handed through the processors.\n\t /\n\tpublic async pre(\n\t\trequest: IHttpServerRequest,\n\t\tresponse: IHttpResponse,\n\t\troute: IBaseRoute \| undefined,\n\t\tcontextIds: IContextIds,\n\t\tprocessorState: { [id: string]: unknown }\n\t): Promise<void> {\n\t\tif (!Is.empty(route) && !(route.skipAuth ?? false)) {\n\t\t\ttry {\n\t\t\t\tconst tokenAndLocation = TokenHelper.extractTokenFromHeaders(\n\t\t\t\t\trequest.headers,\n\t\t\t\t\tthis._cookieName\n\t\t\t\t);\n\n\t\t\t\tconst headerAndPayload = await TokenHelper.verify(\n\t\t\t\t\tthis._vaultConnector,\n\t\t\t\t\t`${this._nodeId}/${this._signingKeyName}`,\n\t\t\t\t\ttokenAndLocation?.token,\n\t\t\t\t\troute.requiredScope,\n\t\t\t\t\tasync (\n\t\t\t\t\t\tuserIdentity: string,\n\t\t\t\t\t\torganizationIdentity: string,\n\t\t\t\t\t\tencryptedTenantId: string \| undefined,\n\t\t\t\t\t\tpasswordVersion: number \| undefined\n\t\t\t\t\t) => {\n\t\t\t\t\t\tconst validParts = [];\n\n\t\t\t\t\t\t// If the token carries an encrypted tenant ID and the admin component is available,\n\t\t\t\t\t\t// decrypt and resolve the tenant first so the user lookup runs in the correct partition.\n\t\t\t\t\t\tif (Is.stringValue(encryptedTenantId)) {\n\t\t\t\t\t\t\tconst tenantId = await this._urlTransformerService.decryptParam(encryptedTenantId);\n\n\t\t\t\t\t\t\tif (Is.stringValue(tenantId)) {\n\t\t\t\t\t\t\t\tconst tenant = await this._tenantAdminComponent?.get(tenantId);\n\t\t\t\t\t\t\t\tif (!Is.empty(tenant)) {\n\t\t\t\t\t\t\t\t\tprocessorState.publicOrigin = tenant.publicOrigin;\n\t\t\t\t\t\t\t\t\tvalidParts.push(\"tenant\");\n\t\t\t\t\t\t\t\t\tcontextIds[ContextIdKeys.Tenant] = tenantId;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// Wrap the user lookup in the request context so partitioned storage uses the correct tenant.\n\t\t\t\t\t\tconst user = await ContextIdStore.run(contextIds, async () =>\n\t\t\t\t\t\t\tthis._userEntityStorage.get(userIdentity, \"identity\")\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\tif (\n\t\t\t\t\t\t\tuser?.identity === userIdentity &&\n\t\t\t\t\t\t\t(passwordVersion ?? 0) === (user.passwordVersion ?? 0)\n\t\t\t\t\t\t) {\n\t\t\t\t\t\t\tvalidParts.push(\"user\");\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (user?.organization === organizationIdentity) {\n\t\t\t\t\t\t\tvalidParts.push(\"organization\");\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\treturn validParts;\n\t\t\t\t\t}\n\t\t\t\t);\n\n\t\t\t\tcontextIds[ContextIdKeys.User] = headerAndPayload.payload?.sub;\n\t\t\t\tcontextIds[ContextIdKeys.Organization] = Coerce.string(headerAndPayload.payload?.org);\n\n\t\t\t\tprocessorState.authToken = tokenAndLocation?.token;\n\t\t\t\tprocessorState.authTokenLocation = tokenAndLocation?.location;\n\t\t\t} catch (err) {\n\t\t\t\tconst error = BaseError.fromError(err);\n\t\t\t\tHttpErrorHelper.buildResponse(response, error, HttpStatusCode.unauthorized);\n\t\t\t}\n\t\t}\n\t}\n\n\t/\n\t Post process the REST request for the specified route.\n\t * @param request The incoming request.\n\t * @param response The outgoing response.\n\t * @param route The route to process.\n\t * @param contextIds The context IDs of the request.\n\t * @param processorState The state handed through the processors.\n\t */\n\tpublic async post(\n\t\trequest: IHttpServerRequest,\n\t\tresponse: IHttpResponse,\n\t\troute: IBaseRoute \| undefined,\n\t\tcontextIds: IContextIds,\n\t\tprocessorState: { [id: string]: unknown }\n\t): Promise<void> {\n\t\tconst responseAuthOperation = processorState?.authOperation;\n\t\tconst responseAuthToken = processorState?.authToken;\n\n\t\t// We don't populate the cookie if the incoming request was from an authorization header.\n\t\tif (\n\t\t\t!Is.empty(route) &&\n\t\t\tIs.stringValue(responseAuthOperation) &&\n\t\t\tprocessorState.authTokenLocation !== \"authorization\"\n\t\t) {\n\t\t\tif (\n\t\t\t\t(responseAuthOperation === \"login\" \|\| responseAuthOperation === \"refresh\") &&\n\t\t\t\tIs.stringValue(responseAuthToken)\n\t\t\t) {\n\t\t\t\tresponse.headers ??= {};\n\t\t\t\tresponse.headers[HeaderTypes.SetCookie] = CookieHelper.createCookie(\n\t\t\t\t\tthis._cookieName,\n\t\t\t\t\tresponseAuthToken,\n\t\t\t\t\t{\n\t\t\t\t\t\tsecure: true,\n\t\t\t\t\t\thttpOnly: true,\n\t\t\t\t\t\tsameSite: \"None\",\n\t\t\t\t\t\tpath: \"/\"\n\t\t\t\t\t}\n\t\t\t\t);\n\t\t\t} else if (responseAuthOperation === \"logout\") {\n\t\t\t\tresponse.headers ??= {};\n\t\t\t\tresponse.headers[HeaderTypes.SetCookie] = CookieHelper.deleteCookie(this._cookieName, {\n\t\t\t\t\tsecure: true,\n\t\t\t\t\thttpOnly: true,\n\t\t\t\t\tsameSite: \"None\",\n\t\t\t\t\tpath: \"/\"\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t}\n}\n"]}

package/dist/es/restEntryPoints.js CHANGED Viewed

@@ -1,3 +1,5 @@
+import { generateRestRoutesAuthenticationAdmin, tagsAuthenticationAdmin } from "./routes/entityStorageAuthenticationAdminRoutes.js";
+import { generateRestRoutesAuthenticationAudit, tagsAuthenticationAudit } from "./routes/entityStorageAuthenticationAuditRoutes.js";
 import { generateRestRoutesAuthentication, tagsAuthentication } from "./routes/entityStorageAuthenticationRoutes.js";
 export const restEntryPoints = [
     {
@@ -5,6 +7,18 @@ export const restEntryPoints = [
         defaultBaseRoute: "authentication",
         tags: tagsAuthentication,
         generateRoutes: generateRestRoutesAuthentication
+    },
+    {
+        name: "authenticationAdmin",
+        defaultBaseRoute: "authentication/admin",
+        tags: tagsAuthenticationAdmin,
+        generateRoutes: generateRestRoutesAuthenticationAdmin
+    },
+    {
+        name: "authenticationAudit",
+        defaultBaseRoute: "authentication/audit",
+        tags: tagsAuthenticationAudit,
+        generateRoutes: generateRestRoutesAuthenticationAudit
     }
 ];
 //# sourceMappingURL=restEntryPoints.js.map

package/dist/es/restEntryPoints.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"restEntryPoints.js","sourceRoot":"","sources":["../../src/restEntryPoints.ts"],"names":[],"mappings":"AAGA,OAAO,EACN,gCAAgC,EAChC,kBAAkB,EAClB,MAAM,+CAA+C,CAAC;AAEvD,MAAM,CAAC,MAAM,eAAe,GAA2B;IACtD;QACC,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,gBAAgB;QAClC,IAAI,EAAE,kBAAkB;QACxB,cAAc,EAAE,gCAAgC;KAChD;CACD,CAAC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IRestRouteEntryPoint } from \"@twin.org/api-models\";\nimport {\n\tgenerateRestRoutesAuthentication,\n\ttagsAuthentication\n} from \"./routes/entityStorageAuthenticationRoutes.js\";\n\nexport const restEntryPoints: IRestRouteEntryPoint[] = [\n\t{\n\t\tname: \"authentication\",\n\t\tdefaultBaseRoute: \"authentication\",\n\t\ttags: tagsAuthentication,\n\t\tgenerateRoutes: generateRestRoutesAuthentication\n\t}\n];\n"]}
1	+ {"version":3,"file":"restEntryPoints.js","sourceRoot":"","sources":["../../src/restEntryPoints.ts"],"names":[],"mappings":"AAGA,OAAO,EACN,qCAAqC,EACrC,uBAAuB,EACvB,MAAM,oDAAoD,CAAC;AAC5D,OAAO,EACN,qCAAqC,EACrC,uBAAuB,EACvB,MAAM,oDAAoD,CAAC;AAC5D,OAAO,EACN,gCAAgC,EAChC,kBAAkB,EAClB,MAAM,+CAA+C,CAAC;AAEvD,MAAM,CAAC,MAAM,eAAe,GAA2B;IACtD;QACC,IAAI,EAAE,gBAAgB;QACtB,gBAAgB,EAAE,gBAAgB;QAClC,IAAI,EAAE,kBAAkB;QACxB,cAAc,EAAE,gCAAgC;KAChD;IACD;QACC,IAAI,EAAE,qBAAqB;QAC3B,gBAAgB,EAAE,sBAAsB;QACxC,IAAI,EAAE,uBAAuB;QAC7B,cAAc,EAAE,qCAAqC;KACrD;IACD;QACC,IAAI,EAAE,qBAAqB;QAC3B,gBAAgB,EAAE,sBAAsB;QACxC,IAAI,EAAE,uBAAuB;QAC7B,cAAc,EAAE,qCAAqC;KACrD;CACD,CAAC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IRestRouteEntryPoint } from \"@twin.org/api-models\";\nimport {\n\tgenerateRestRoutesAuthenticationAdmin,\n\ttagsAuthenticationAdmin\n} from \"./routes/entityStorageAuthenticationAdminRoutes.js\";\nimport {\n\tgenerateRestRoutesAuthenticationAudit,\n\ttagsAuthenticationAudit\n} from \"./routes/entityStorageAuthenticationAuditRoutes.js\";\nimport {\n\tgenerateRestRoutesAuthentication,\n\ttagsAuthentication\n} from \"./routes/entityStorageAuthenticationRoutes.js\";\n\nexport const restEntryPoints: IRestRouteEntryPoint[] = [\n\t{\n\t\tname: \"authentication\",\n\t\tdefaultBaseRoute: \"authentication\",\n\t\ttags: tagsAuthentication,\n\t\tgenerateRoutes: generateRestRoutesAuthentication\n\t},\n\t{\n\t\tname: \"authenticationAdmin\",\n\t\tdefaultBaseRoute: \"authentication/admin\",\n\t\ttags: tagsAuthenticationAdmin,\n\t\tgenerateRoutes: generateRestRoutesAuthenticationAdmin\n\t},\n\t{\n\t\tname: \"authenticationAudit\",\n\t\tdefaultBaseRoute: \"authentication/audit\",\n\t\ttags: tagsAuthenticationAudit,\n\t\tgenerateRoutes: generateRestRoutesAuthenticationAudit\n\t}\n];\n"]}