npm - @twin.org/api-tenant-processor - Versions diffs - 0.0.3-next.28 → 0.0.3-next.30 - Mend

@twin.org/api-tenant-processor 0.0.3-next.28 → 0.0.3-next.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/es/index.js +0 -1
package/dist/es/index.js.map +1 -1
package/dist/es/models/ITenantProcessorConfig.js.map +1 -1
package/dist/es/models/ITenantProcessorConstructorOptions.js.map +1 -1
package/dist/es/tenantProcessor.js +51 -122
package/dist/es/tenantProcessor.js.map +1 -1
package/dist/types/index.d.ts +0 -1
package/dist/types/models/ITenantProcessorConfig.d.ts +0 -10
package/dist/types/models/ITenantProcessorConstructorOptions.d.ts +3 -4
package/dist/types/tenantProcessor.d.ts +1 -9
package/docs/changelog.md +28 -0
package/docs/reference/classes/TenantProcessor.md +1 -29
package/docs/reference/index.md +0 -1
package/docs/reference/interfaces/ITenantProcessorConfig.md +0 -28
package/docs/reference/interfaces/ITenantProcessorConstructorOptions.md +4 -5
package/locales/en.json +2 -7
package/package.json +2 -2
package/dist/es/utils/tenantUrlHelper.js +0 -65
package/dist/es/utils/tenantUrlHelper.js.map +0 -1
package/dist/types/utils/tenantUrlHelper.d.ts +0 -34
package/docs/reference/classes/TenantUrlHelper.md +0 -111

package/dist/es/index.js CHANGED Viewed

@@ -20,5 +20,4 @@ export * from "./tenantIdContextIdHandler.js";
 export * from "./tenantProcessor.js";
 export * from "./tenantRoutes.js";
 export * from "./utils/tenantIdHelper.js";
-export * from "./utils/tenantUrlHelper.js";
 //# sourceMappingURL=index.js.map

package/dist/es/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,cAAc,sBAAsB,CAAC;AACrC,cAAc,sCAAsC,CAAC;AACrD,cAAc,2CAA2C,CAAC;AAC1D,cAAc,uCAAuC,CAAC;AACtD,cAAc,iDAAiD,CAAC;AAChE,cAAc,oCAAoC,CAAC;AACnD,cAAc,oCAAoC,CAAC;AACnD,cAAc,qCAAqC,CAAC;AACpD,cAAc,sCAAsC,CAAC;AACrD,cAAc,sCAAsC,CAAC;AACrD,cAAc,uCAAuC,CAAC;AACtD,cAAc,mDAAmD,CAAC;AAClE,cAAc,oCAAoC,CAAC;AACnD,cAAc,gDAAgD,CAAC;AAC/D,cAAc,aAAa,CAAC;AAC5B,cAAc,yBAAyB,CAAC;AACxC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,sBAAsB,CAAC;AACrC,cAAc,mBAAmB,CAAC;AAClC,cAAc,2BAA2B,CAAC~~;AAC1C,cAAc,4BAA4B,CAAC~~","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nexport * from \"./entities/tenant.js\";\nexport * from \"./models/api/ITenantCreateRequest.js\";\nexport * from \"./models/api/ITenantGetByApiKeyRequest.js\";\nexport * from \"./models/api/ITenantGetByIdRequest.js\";\nexport * from \"./models/api/ITenantGetByPublicOriginRequest.js\";\nexport * from \"./models/api/ITenantGetResponse.js\";\nexport * from \"./models/api/ITenantListRequest.js\";\nexport * from \"./models/api/ITenantListResponse.js\";\nexport * from \"./models/api/ITenantRemoveRequest.js\";\nexport * from \"./models/api/ITenantUpdateRequest.js\";\nexport * from \"./models/ITenantAdminServiceConfig.js\";\nexport * from \"./models/ITenantAdminServiceConstructorOptions.js\";\nexport * from \"./models/ITenantProcessorConfig.js\";\nexport * from \"./models/ITenantProcessorConstructorOptions.js\";\nexport * from \"./schema.js\";\nexport * from \"./tenantAdminService.js\";\nexport * from \"./tenantIdContextIdHandler.js\";\nexport * from \"./tenantProcessor.js\";\nexport * from \"./tenantRoutes.js\";\nexport * from \"./utils/tenantIdHelper.js\";\~~nexport * from \"./utils/tenantUrlHelper.js\";\~~n"]}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,cAAc,sBAAsB,CAAC;AACrC,cAAc,sCAAsC,CAAC;AACrD,cAAc,2CAA2C,CAAC;AAC1D,cAAc,uCAAuC,CAAC;AACtD,cAAc,iDAAiD,CAAC;AAChE,cAAc,oCAAoC,CAAC;AACnD,cAAc,oCAAoC,CAAC;AACnD,cAAc,qCAAqC,CAAC;AACpD,cAAc,sCAAsC,CAAC;AACrD,cAAc,sCAAsC,CAAC;AACrD,cAAc,uCAAuC,CAAC;AACtD,cAAc,mDAAmD,CAAC;AAClE,cAAc,oCAAoC,CAAC;AACnD,cAAc,gDAAgD,CAAC;AAC/D,cAAc,aAAa,CAAC;AAC5B,cAAc,yBAAyB,CAAC;AACxC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,sBAAsB,CAAC;AACrC,cAAc,mBAAmB,CAAC;AAClC,cAAc,2BAA2B,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nexport * from \"./entities/tenant.js\";\nexport * from \"./models/api/ITenantCreateRequest.js\";\nexport * from \"./models/api/ITenantGetByApiKeyRequest.js\";\nexport * from \"./models/api/ITenantGetByIdRequest.js\";\nexport * from \"./models/api/ITenantGetByPublicOriginRequest.js\";\nexport * from \"./models/api/ITenantGetResponse.js\";\nexport * from \"./models/api/ITenantListRequest.js\";\nexport * from \"./models/api/ITenantListResponse.js\";\nexport * from \"./models/api/ITenantRemoveRequest.js\";\nexport * from \"./models/api/ITenantUpdateRequest.js\";\nexport * from \"./models/ITenantAdminServiceConfig.js\";\nexport * from \"./models/ITenantAdminServiceConstructorOptions.js\";\nexport * from \"./models/ITenantProcessorConfig.js\";\nexport * from \"./models/ITenantProcessorConstructorOptions.js\";\nexport * from \"./schema.js\";\nexport * from \"./tenantAdminService.js\";\nexport * from \"./tenantIdContextIdHandler.js\";\nexport * from \"./tenantProcessor.js\";\nexport * from \"./tenantRoutes.js\";\nexport * from \"./utils/tenantIdHelper.js\";\n"]}

package/dist/es/models/ITenantProcessorConfig.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ITenantProcessorConfig.js","sourceRoot":"","sources":["../../../src/models/ITenantProcessorConfig.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/*\n Configuration for the tenant processor\n /\nexport interface ITenantProcessorConfig {\n\t/\n\t The key to look for in the header or query params for the api key.\n\t * @default x-api-key\n\t /\n\tapiKeyName?: string;\n\n\t/\n\t The name of the symmetric key in the vault used to encrypt/decrypt tenant tokens.\n\t * @default tenant-token-encryption\n\t /\n\tsigningKeyName?: string;\n\n\t/\n\t The query param name to look for the encrypted tenant token.\n\t * @default tenantToken\n\t */\n\ttenantTokenName?: string;\n}\n"]}
1	+ {"version":3,"file":"ITenantProcessorConfig.js","sourceRoot":"","sources":["../../../src/models/ITenantProcessorConfig.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/*\n Configuration for the tenant processor\n /\nexport interface ITenantProcessorConfig {\n\t/\n\t The key to look for in the header or query params for the api key.\n\t * @default x-api-key\n\t */\n\tapiKeyName?: string;\n}\n"]}

package/dist/es/models/ITenantProcessorConstructorOptions.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ITenantProcessorConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/ITenantProcessorConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { ITenantProcessorConfig } from \"./ITenantProcessorConfig.js\";\n\n/*\n Options for the Tenant Processor constructor.\n /\nexport interface ITenantProcessorConstructorOptions {\n\t/\n\t The entity storage for the tenants.\n\t * @default tenant\n\t /\n\ttenantEntityStorageType?: string;\n\n\t/\n\t The ~~vault~~ ~~connector~~ ~~used~~ to ~~decrypt~~ ~~tenant tokens. Only resolved when\n\t * `config.signingKeyName` is set~~.\n\t * @default ~~vault~~\n\t /\n\~~tvaultConnectorType~~?: string;\n\n\t/\n\t Configuration for the processor.\n\t */\n\tconfig?: ITenantProcessorConfig;\n}\n"]}
1	+ {"version":3,"file":"ITenantProcessorConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/ITenantProcessorConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { ITenantProcessorConfig } from \"./ITenantProcessorConfig.js\";\n\n/*\n Options for the Tenant Processor constructor.\n /\nexport interface ITenantProcessorConstructorOptions {\n\t/\n\t The entity storage for the tenants.\n\t * @default tenant\n\t /\n\ttenantEntityStorageType?: string;\n\n\t/\n\t The URL transformer component for the tenants.\n\t * @default url-transformer\n\t /\n\turlTransformerComponentType?: string;\n\n\t/\n\t Configuration for the processor.\n\t */\n\tconfig?: ITenantProcessorConfig;\n}\n"]}

package/dist/es/tenantProcessor.js CHANGED Viewed

@@ -1,12 +1,10 @@
 // Copyright 2025 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
 import { HttpErrorHelper } from "@twin.org/api-models";
-import { ContextIdHelper, ContextIdKeys, ContextIdStore } from "@twin.org/context";
-import { BaseError, Is, UnauthorizedError } from "@twin.org/core";
+import { ContextIdKeys } from "@twin.org/context";
+import { BaseError, ComponentFactory, Is, UnauthorizedError } from "@twin.org/core";
 import { EntityStorageConnectorFactory } from "@twin.org/entity-storage-models";
-import { VaultConnectorFactory } from "@twin.org/vault-models";
 import { HttpStatusCode } from "@twin.org/web";
-import { TenantUrlHelper } from "./utils/tenantUrlHelper.js";
 /**
  * Handles incoming api keys and maps them to tenant ids.
  */
@@ -26,47 +24,23 @@ export class TenantProcessor {
      */
     _entityStorageConnector;
     /**
-     * The key in the header to look for the api key.
-     * @internal
-     */
-    _apiKeyName;
-    /**
-     * The query param name carrying the encrypted tenant token.
-     * @internal
-     */
-    _tenantTokenName;
-    /**
-     * The vault connector used to decrypt tenant tokens.
-     * Only set when `signingKeyName` is configured.
-     * @internal
-     */
-    _vaultConnector;
-    /**
-     * The name of the symmetric key in the vault used to decrypt tenant tokens.
+     * The hosting component, used to resolve public origins for tenants and encrypt/decrypt tenant tokens.
      * @internal
      */
-    _signingKeyName;
+    _urlTransformerService;
     /**
-     * The node identity, captured at start.
+     * The key in the header to look for the api key.
      * @internal
      */
-    _nodeId;
+    _apiKeyName;
     /**
-     * Create a new instance of NodeTenantProcessor.
+     * Create a new instance of TenantProcessor.
      * @param options Options for the processor.
      */
     constructor(options) {
         this._entityStorageConnector = EntityStorageConnectorFactory.get(options?.tenantEntityStorageType ?? "tenant");
+        this._urlTransformerService = ComponentFactory.get(options?.urlTransformerComponentType ?? "url-transformer");
         this._apiKeyName = options?.config?.apiKeyName ?? TenantProcessor.DEFAULT_API_KEY_NAME;
-        this._tenantTokenName =
-            options?.config?.tenantTokenName ?? TenantUrlHelper.DEFAULT_TENANT_TOKEN_NAME;
-        // Vault is resolved only when a connector type is explicitly passed, following
-        if (Is.stringValue(options?.vaultConnectorType)) {
-            this._vaultConnector = VaultConnectorFactory.get(options.vaultConnectorType);
-        }
-        if (Is.stringValue(options?.config?.signingKeyName)) {
-            this._signingKeyName = options.config.signingKeyName;
-        }
     }
     /**
      * Returns the class name of the component.
@@ -75,21 +49,6 @@ export class TenantProcessor {
     className() {
         return TenantProcessor.CLASS_NAME;
     }
-    /**
-     * The processor needs to be started when the application is initialized so that
-     * the node identity is available for vault key resolution. Only required when
-     * the encrypted-token path is wired (i.e. `signingKeyName` is configured).
-     * @param nodeLoggingComponentType The node logging component type.
-     * @returns Nothing.
-     */
-    async start(nodeLoggingComponentType) {
-        if (Is.empty(this._vaultConnector) || Is.empty(this._signingKeyName)) {
-            return;
-        }
-        const contextIds = await ContextIdStore.getContextIds();
-        ContextIdHelper.guard(contextIds, ContextIdKeys.Node);
-        this._nodeId = contextIds[ContextIdKeys.Node];
-    }
     /**
      * Pre process the REST request for the specified route.
      * @param request The incoming request.
@@ -99,96 +58,66 @@ export class TenantProcessor {
      * @param processorState The state handed through the processors.
      */
     async pre(request, response, route, contextIds, processorState) {
-        const tenantToken = request.query?.[this._tenantTokenName];
-        const tokenDecodable = Is.stringValue(tenantToken) &&
-            !Is.empty(this._vaultConnector) &&
-            Is.stringValue(this._signingKeyName);
-        // skipTenant routes (cross-node trust JWT routes) bypass api-key resolution
-        // accept an encrypted ?tenantToken= query param so cross-tenant catalogue/DSP/PNP routing reaches the publisher's tenant context
-        if (Is.empty(route) || (route.skipTenant ?? false)) {
-            if (tokenDecodable) {
-                const errorResponse = await this.resolveByTenantToken(tenantToken, contextIds, processorState);
-                if (!Is.empty(errorResponse)) {
-                    HttpErrorHelper.buildResponse(response, errorResponse, HttpStatusCode.unauthorized);
+        if (!Is.empty(route) && !(route.skipTenant ?? false)) {
+            try {
+                const apiKey = request.headers?.[this._apiKeyName] ?? request.query?.[this._apiKeyName];
+                let tenant;
+                // First check apiKey as this is the most common way to authenticate tenants,
+                // if that is not present check for the tenant token query param which is used
+                // in scenarios where there is an embedded static token.
+                if (Is.stringValue(apiKey)) {
+                    tenant = await this.resolveByApiKey(apiKey);
+                }
+                else {
+                    const tenantToken = await this._urlTransformerService.getEncryptedQueryParam(request.query, "tenant");
+                    if (Is.stringValue(tenantToken)) {
+                        tenant = await this.resolveByTenantToken(tenantToken);
+                    }
+                    else {
+                        throw new UnauthorizedError(TenantProcessor.CLASS_NAME, "missingApiKeyOrTenantToken", {
+                            keyName: this._apiKeyName
+                        });
+                    }
+                }
+                contextIds[ContextIdKeys.Tenant] = tenant.id;
+                if (Is.stringValue(tenant.publicOrigin)) {
+                    processorState.publicOrigin = tenant.publicOrigin;
                 }
             }
-            return;
-        }
-        const apiKey = request.headers?.[this._apiKeyName] ?? request.query?.[this._apiKeyName];
-        let errorResponse;
-        if (Is.stringValue(apiKey)) {
-            errorResponse = await this.resolveByApiKey(apiKey, contextIds, processorState);
-        }
-        else if (tokenDecodable) {
-            errorResponse = await this.resolveByTenantToken(tenantToken, contextIds, processorState);
-        }
-        else {
-            errorResponse = new UnauthorizedError(TenantProcessor.CLASS_NAME, "missingApiKey", {
-                keyName: this._apiKeyName
-            });
-        }
-        if (!Is.empty(errorResponse)) {
-            HttpErrorHelper.buildResponse(response, errorResponse, HttpStatusCode.unauthorized);
+            catch (err) {
+                HttpErrorHelper.buildResponse(response, BaseError.fromError(err), HttpStatusCode.unauthorized);
+            }
         }
     }
     /**
      * Resolve the tenant context from an api key.
      * @param apiKey The api key sent by the caller.
-     * @param contextIds The context IDs of the request.
-     * @param processorState The state handed through the processors.
-     * @returns An error to surface, or undefined on success.
+     * @returns The tenant associated with the api key.
      * @internal
      */
-    async resolveByApiKey(apiKey, contextIds, processorState) {
-        try {
-            const nodeTenant = await this._entityStorageConnector.get(apiKey, "apiKey");
-            if (Is.empty(nodeTenant)) {
-                return new UnauthorizedError(TenantProcessor.CLASS_NAME, "apiKeyNotFound", {
-                    key: apiKey
-                });
-            }
-            contextIds[ContextIdKeys.Tenant] = nodeTenant.id;
-            if (Is.stringValue(nodeTenant.publicOrigin)) {
-                processorState.publicOrigin = nodeTenant.publicOrigin;
-            }
-        }
-        catch (err) {
-            return BaseError.fromError(err);
+    async resolveByApiKey(apiKey) {
+        const nodeTenant = await this._entityStorageConnector.get(apiKey, "apiKey");
+        if (Is.empty(nodeTenant)) {
+            throw new UnauthorizedError(TenantProcessor.CLASS_NAME, "apiKeyNotFound", {
+                key: apiKey
+            });
         }
+        return nodeTenant;
     }
     /**
      * Resolve the tenant context from an encrypted tenant token query param.
-     * @param tenantToken The encrypted tenant token.
-     * @param contextIds The context IDs of the request.
-     * @param processorState The state handed through the processors.
-     * @returns An error to surface, or undefined on success.
+     * @param tenantId The encrypted tenant token.
+     * @returns The tenant associated with the tenant token.
      * @internal
      */
-    async resolveByTenantToken(tenantToken, contextIds, processorState) {
-        let tenantId;
-        try {
-            tenantId = await TenantUrlHelper.decrypt(tenantToken, this._vaultConnector, `${this._nodeId}/${this._signingKeyName}`);
-        }
-        catch {
-            return new UnauthorizedError(TenantProcessor.CLASS_NAME, "tenantTokenInvalid", {
-                token: tenantToken
+    async resolveByTenantToken(tenantId) {
+        const nodeTenant = await this._entityStorageConnector.get(tenantId);
+        if (Is.empty(nodeTenant)) {
+            throw new UnauthorizedError(TenantProcessor.CLASS_NAME, "tenantNotFound", {
+                tenantId
             });
         }
-        try {
-            const nodeTenant = await this._entityStorageConnector.get(tenantId);
-            if (Is.empty(nodeTenant)) {
-                return new UnauthorizedError(TenantProcessor.CLASS_NAME, "tenantTokenNotFound", {
-                    tenantId
-                });
-            }
-            contextIds[ContextIdKeys.Tenant] = nodeTenant.id;
-            if (Is.stringValue(nodeTenant.publicOrigin)) {
-                processorState.publicOrigin = nodeTenant.publicOrigin;
-            }
-        }
-        catch (err) {
-            return BaseError.fromError(err);
-        }
+        return nodeTenant;
     }
 }
 //# sourceMappingURL=tenantProcessor.js.map

package/dist/es/tenantProcessor.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tenantProcessor.js","sourceRoot":"","sources":["../../src/tenantProcessor.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EACN,eAAe,EAKf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACN,eAAe,EACf,aAAa,EACb,cAAc,EAEd,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAe,EAAE,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAC/E,OAAO,EACN,6BAA6B,EAE7B,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EAAwB,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AACrF,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAG/C,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAE7D;;GAEG;AACH,MAAM,OAAO,eAAe;IAC3B;;;OAGG;IACI,MAAM,CAAU,oBAAoB,GAAW,WAAW,CAAC;IAElE;;OAEG;IACI,MAAM,CAAU,UAAU,qBAAqC;IAEtE;;;OAGG;IACc,uBAAuB,CAAkC;IAE1E;;;OAGG;IACc,WAAW,CAAS;IAErC;;;OAGG;IACc,gBAAgB,CAAS;IAE1C;;;;OAIG;IACc,eAAe,CAAmB;IAEnD;;;OAGG;IACc,eAAe,CAAU;IAE1C;;;OAGG;IACK,OAAO,CAAU;IAEzB;;;OAGG;IACH,YAAY,OAA4C;QACvD,IAAI,CAAC,uBAAuB,GAAG,6BAA6B,CAAC,GAAG,CAC/D,OAAO,EAAE,uBAAuB,IAAI,QAAQ,CAC5C,CAAC;QACF,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,eAAe,CAAC,oBAAoB,CAAC;QACvF,IAAI,CAAC,gBAAgB;YACpB,OAAO,EAAE,MAAM,EAAE,eAAe,IAAI,eAAe,CAAC,yBAAyB,CAAC;QAE/E,+EAA+E;QAC/E,IAAI,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,kBAAkB,CAAC,EAAE,CAAC;YACjD,IAAI,CAAC,eAAe,GAAG,qBAAqB,CAAC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,CAAC;YACrD,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC;QACtD,CAAC;IACF,CAAC;IAED;;;OAGG;IACI,SAAS;QACf,OAAO,eAAe,CAAC,UAAU,CAAC;IACnC,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,KAAK,CAAC,wBAAiC;QACnD,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC;YACtE,OAAO;QACR,CAAC;QACD,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,aAAa,EAAE,CAAC;QACxD,eAAe,CAAC,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;QACtD,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,GAAG,CACf,OAA2B,EAC3B,QAAuB,EACvB,KAA6B,EAC7B,UAAuB,EACvB,cAAyC;QAEzC,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC3D,MAAM,cAAc,GACnB,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC;YAC3B,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC;YAC/B,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAEtC,4EAA4E;QAC5E,iIAAiI;QACjI,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,EAAE,CAAC;YACpD,IAAI,cAAc,EAAE,CAAC;gBACpB,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,oBAAoB,CACpD,WAAW,EACX,UAAU,EACV,cAAc,CACd,CAAC;gBACF,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;oBAC9B,eAAe,CAAC,aAAa,CAAC,QAAQ,EAAE,aAAa,EAAE,cAAc,CAAC,YAAY,CAAC,CAAC;gBACrF,CAAC;YACF,CAAC;YACD,OAAO;QACR,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACxF,IAAI,aAAiC,CAAC;QAEtC,IAAI,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5B,aAAa,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;QAChF,CAAC;aAAM,IAAI,cAAc,EAAE,CAAC;YAC3B,aAAa,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,WAAW,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;QAC1F,CAAC;aAAM,CAAC;YACP,aAAa,GAAG,IAAI,iBAAiB,CAAC,eAAe,CAAC,UAAU,EAAE,eAAe,EAAE;gBAClF,OAAO,EAAE,IAAI,CAAC,WAAW;aACzB,CAAC,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;YAC9B,eAAe,CAAC,aAAa,CAAC,QAAQ,EAAE,aAAa,EAAE,cAAc,CAAC,YAAY,CAAC,CAAC;QACrF,CAAC;IACF,CAAC;IAED;;;;;;;OAOG;IACK,KAAK,CAAC,eAAe,CAC5B,MAAc,EACd,UAAuB,EACvB,cAAyC;QAEzC,IAAI,CAAC;YACJ,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YAE5E,IAAI,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC1B,OAAO,IAAI,iBAAiB,CAAC,eAAe,CAAC,UAAU,EAAE,gBAAgB,EAAE;oBAC1E,GAAG,EAAE,MAAM;iBACX,CAAC,CAAC;YACJ,CAAC;YAED,UAAU,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,UAAU,CAAC,EAAE,CAAC;YACjD,IAAI,EAAE,CAAC,WAAW,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC7C,cAAc,CAAC,YAAY,GAAG,UAAU,CAAC,YAAY,CAAC;YACvD,CAAC;QACF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,OAAO,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACjC,CAAC;IACF,CAAC;IAED;;;;;;;OAOG;IACK,KAAK,CAAC,oBAAoB,CACjC,WAAmB,EACnB,UAAuB,EACvB,cAAyC;QAEzC,IAAI,QAAgB,CAAC;QACrB,IAAI,CAAC;YACJ,QAAQ,GAAG,MAAM,eAAe,CAAC,OAAO,CACvC,WAAW,EACX,IAAI,CAAC,eAAkC,EACvC,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,CACzC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,IAAI,iBAAiB,CAAC,eAAe,CAAC,UAAU,EAAE,oBAAoB,EAAE;gBAC9E,KAAK,EAAE,WAAW;aAClB,CAAC,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAEpE,IAAI,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC1B,OAAO,IAAI,iBAAiB,CAAC,eAAe,CAAC,UAAU,EAAE,qBAAqB,EAAE;oBAC/E,QAAQ;iBACR,CAAC,CAAC;YACJ,CAAC;YAED,UAAU,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,UAAU,CAAC,EAAE,CAAC;YACjD,IAAI,EAAE,CAAC,WAAW,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC7C,cAAc,CAAC,YAAY,GAAG,UAAU,CAAC,YAAY,CAAC;YACvD,CAAC;QACF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,OAAO,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACjC,CAAC;IACF,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport {\n\tHttpErrorHelper,\n\ttype IBaseRoute,\n\ttype IBaseRouteProcessor,\n\ttype IHttpResponse,\n\ttype IHttpServerRequest\n} from \"@twin.org/api-models\";\nimport {\n\tContextIdHelper,\n\tContextIdKeys,\n\tContextIdStore,\n\ttype IContextIds\n} from \"@twin.org/context\";\nimport { BaseError, type IError, Is, UnauthorizedError } from \"@twin.org/core\";\nimport {\n\tEntityStorageConnectorFactory,\n\ttype IEntityStorageConnector\n} from \"@twin.org/entity-storage-models\";\nimport { nameof } from \"@twin.org/nameof\";\nimport { type IVaultConnector, VaultConnectorFactory } from \"@twin.org/vault-models\";\nimport { HttpStatusCode } from \"@twin.org/web\";\nimport type { Tenant } from \"./entities/tenant.js\";\nimport type { ITenantProcessorConstructorOptions } from \"./models/ITenantProcessorConstructorOptions.js\";\nimport { TenantUrlHelper } from \"./utils/tenantUrlHelper.js\";\n\n/*\n Handles incoming api keys and maps them to tenant ids.\n /\nexport class TenantProcessor implements IBaseRouteProcessor {\n\t/\n\t The default name for the api key header.\n\t * @internal\n\t /\n\tpublic static readonly DEFAULT_API_KEY_NAME: string = \"x-api-key\";\n\n\t/\n\t Runtime name for the class.\n\t /\n\tpublic static readonly CLASS_NAME: string = nameof<TenantProcessor>();\n\n\t/\n\t The entity storage for api keys.\n\t * @internal\n\t /\n\tprivate readonly _entityStorageConnector: IEntityStorageConnector<Tenant>;\n\n\t/\n\t The key in the header to look for the api key.\n\t * @internal\n\t /\n\tprivate readonly _apiKeyName: string;\n\n\t/\n\t The query param name carrying the encrypted tenant token.\n\t * @internal\n\t /\n\tprivate readonly _tenantTokenName: string;\n\n\t/\n\t The vault connector used to decrypt tenant tokens.\n\t * Only set when `signingKeyName` is configured.\n\t * @internal\n\t /\n\tprivate readonly _vaultConnector?: IVaultConnector;\n\n\t/\n\t The name of the symmetric key in the vault used to decrypt tenant tokens.\n\t * @internal\n\t /\n\tprivate readonly _signingKeyName?: string;\n\n\t/\n\t The node identity, captured at start.\n\t * @internal\n\t /\n\tprivate _nodeId?: string;\n\n\t/\n\t Create a new instance of NodeTenantProcessor.\n\t * @param options Options for the processor.\n\t /\n\tconstructor(options?: ITenantProcessorConstructorOptions) {\n\t\tthis._entityStorageConnector = EntityStorageConnectorFactory.get(\n\t\t\toptions?.tenantEntityStorageType ?? \"tenant\"\n\t\t);\n\t\tthis._apiKeyName = options?.config?.apiKeyName ?? TenantProcessor.DEFAULT_API_KEY_NAME;\n\t\tthis._tenantTokenName =\n\t\t\toptions?.config?.tenantTokenName ?? TenantUrlHelper.DEFAULT_TENANT_TOKEN_NAME;\n\n\t\t// Vault is resolved only when a connector type is explicitly passed, following\n\t\tif (Is.stringValue(options?.vaultConnectorType)) {\n\t\t\tthis._vaultConnector = VaultConnectorFactory.get(options.vaultConnectorType);\n\t\t}\n\t\tif (Is.stringValue(options?.config?.signingKeyName)) {\n\t\t\tthis._signingKeyName = options.config.signingKeyName;\n\t\t}\n\t}\n\n\t/\n\t Returns the class name of the component.\n\t * @returns The class name of the component.\n\t /\n\tpublic className(): string {\n\t\treturn TenantProcessor.CLASS_NAME;\n\t}\n\n\t/\n\t The processor needs to be started when the application is initialized so that\n\t * the node identity is available for vault key resolution. Only required when\n\t * the encrypted-token path is wired (i.e. `signingKeyName` is configured).\n\t * @param nodeLoggingComponentType The node logging component type.\n\t * @returns Nothing.\n\t /\n\tpublic async start(nodeLoggingComponentType?: string): Promise<void> {\n\t\tif (Is.empty(this._vaultConnector) \|\| Is.empty(this._signingKeyName)) {\n\t\t\treturn;\n\t\t}\n\t\tconst contextIds = await ContextIdStore.getContextIds();\n\t\tContextIdHelper.guard(contextIds, ContextIdKeys.Node);\n\t\tthis._nodeId = contextIds[ContextIdKeys.Node];\n\t}\n\n\t/\n\t Pre process the REST request for the specified route.\n\t * @param request The incoming request.\n\t * @param response The outgoing response.\n\t * @param route The route to process.\n\t * @param contextIds The context IDs of the request.\n\t * @param processorState The state handed through the processors.\n\t /\n\tpublic async pre(\n\t\trequest: IHttpServerRequest,\n\t\tresponse: IHttpResponse,\n\t\troute: IBaseRoute \| undefined,\n\t\tcontextIds: IContextIds,\n\t\tprocessorState: { [id: string]: unknown }\n\t): Promise<void> {\n\t\tconst tenantToken = request.query?.[this._tenantTokenName];\n\t\tconst tokenDecodable =\n\t\t\tIs.stringValue(tenantToken) &&\n\t\t\t!Is.empty(this._vaultConnector) &&\n\t\t\tIs.stringValue(this._signingKeyName);\n\n\t\t// skipTenant routes (cross-node trust JWT routes) bypass api-key resolution\n\t\t// accept an encrypted ?tenantToken= query param so cross-tenant catalogue/DSP/PNP routing reaches the publisher's tenant context\n\t\tif (Is.empty(route) \|\| (route.skipTenant ?? false)) {\n\t\t\tif (tokenDecodable) {\n\t\t\t\tconst errorResponse = await this.resolveByTenantToken(\n\t\t\t\t\ttenantToken,\n\t\t\t\t\tcontextIds,\n\t\t\t\t\tprocessorState\n\t\t\t\t);\n\t\t\t\tif (!Is.empty(errorResponse)) {\n\t\t\t\t\tHttpErrorHelper.buildResponse(response, errorResponse, HttpStatusCode.unauthorized);\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn;\n\t\t}\n\n\t\tconst apiKey = request.headers?.[this._apiKeyName] ?? request.query?.[this._apiKeyName];\n\t\tlet errorResponse: IError \| undefined;\n\n\t\tif (Is.stringValue(apiKey)) {\n\t\t\terrorResponse = await this.resolveByApiKey(apiKey, contextIds, processorState);\n\t\t} else if (tokenDecodable) {\n\t\t\terrorResponse = await this.resolveByTenantToken(tenantToken, contextIds, processorState);\n\t\t} else {\n\t\t\terrorResponse = new UnauthorizedError(TenantProcessor.CLASS_NAME, \"missingApiKey\", {\n\t\t\t\tkeyName: this._apiKeyName\n\t\t\t});\n\t\t}\n\n\t\tif (!Is.empty(errorResponse)) {\n\t\t\tHttpErrorHelper.buildResponse(response, errorResponse, HttpStatusCode.unauthorized);\n\t\t}\n\t}\n\n\t/\n\t Resolve the tenant context from an api key.\n\t * @param apiKey The api key sent by the caller.\n\t * @param contextIds The context IDs of the request.\n\t * @param processorState The state handed through the processors.\n\t * @returns An error to surface, or undefined on success.\n\t * @internal\n\t /\n\tprivate async resolveByApiKey(\n\t\tapiKey: string,\n\t\tcontextIds: IContextIds,\n\t\tprocessorState: { [id: string]: unknown }\n\t): Promise<IError \| undefined> {\n\t\ttry {\n\t\t\tconst nodeTenant = await this._entityStorageConnector.get(apiKey, \"apiKey\");\n\n\t\t\tif (Is.empty(nodeTenant)) {\n\t\t\t\treturn new UnauthorizedError(TenantProcessor.CLASS_NAME, \"apiKeyNotFound\", {\n\t\t\t\t\tkey: apiKey\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tcontextIds[ContextIdKeys.Tenant] = nodeTenant.id;\n\t\t\tif (Is.stringValue(nodeTenant.publicOrigin)) {\n\t\t\t\tprocessorState.publicOrigin = nodeTenant.publicOrigin;\n\t\t\t}\n\t\t} catch (err) {\n\t\t\treturn BaseError.fromError(err);\n\t\t}\n\t}\n\n\t/\n\t Resolve the tenant context from an encrypted tenant token query param.\n\t * @param tenantToken The encrypted tenant token.\n\t * @param contextIds The context IDs of the request.\n\t * @param processorState The state handed through the processors.\n\t * @returns An error to surface, or undefined on success.\n\t * @internal\n\t */\n\tprivate async resolveByTenantToken(\n\t\ttenantToken: string,\n\t\tcontextIds: IContextIds,\n\t\tprocessorState: { [id: string]: unknown }\n\t): Promise<IError \| undefined> {\n\t\tlet tenantId: string;\n\t\ttry {\n\t\t\ttenantId = await TenantUrlHelper.decrypt(\n\t\t\t\ttenantToken,\n\t\t\t\tthis._vaultConnector as IVaultConnector,\n\t\t\t\t`${this._nodeId}/${this._signingKeyName}`\n\t\t\t);\n\t\t} catch {\n\t\t\treturn new UnauthorizedError(TenantProcessor.CLASS_NAME, \"tenantTokenInvalid\", {\n\t\t\t\ttoken: tenantToken\n\t\t\t});\n\t\t}\n\n\t\ttry {\n\t\t\tconst nodeTenant = await this._entityStorageConnector.get(tenantId);\n\n\t\t\tif (Is.empty(nodeTenant)) {\n\t\t\t\treturn new UnauthorizedError(TenantProcessor.CLASS_NAME, \"tenantTokenNotFound\", {\n\t\t\t\t\ttenantId\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tcontextIds[ContextIdKeys.Tenant] = nodeTenant.id;\n\t\t\tif (Is.stringValue(nodeTenant.publicOrigin)) {\n\t\t\t\tprocessorState.publicOrigin = nodeTenant.publicOrigin;\n\t\t\t}\n\t\t} catch (err) {\n\t\t\treturn BaseError.fromError(err);\n\t\t}\n\t}\n}\n"]}
1	+ {"version":3,"file":"tenantProcessor.js","sourceRoot":"","sources":["../../src/tenantProcessor.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EACN,eAAe,EAMf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAoB,MAAM,mBAAmB,CAAC;AACpE,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACpF,OAAO,EACN,6BAA6B,EAE7B,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAI/C;;GAEG;AACH,MAAM,OAAO,eAAe;IAC3B;;;OAGG;IACI,MAAM,CAAU,oBAAoB,GAAW,WAAW,CAAC;IAElE;;OAEG;IACI,MAAM,CAAU,UAAU,qBAAqC;IAEtE;;;OAGG;IACc,uBAAuB,CAAkC;IAE1E;;;OAGG;IACc,sBAAsB,CAA2B;IAElE;;;OAGG;IACc,WAAW,CAAS;IAErC;;;OAGG;IACH,YAAY,OAA4C;QACvD,IAAI,CAAC,uBAAuB,GAAG,6BAA6B,CAAC,GAAG,CAC/D,OAAO,EAAE,uBAAuB,IAAI,QAAQ,CAC5C,CAAC;QACF,IAAI,CAAC,sBAAsB,GAAG,gBAAgB,CAAC,GAAG,CACjD,OAAO,EAAE,2BAA2B,IAAI,iBAAiB,CACzD,CAAC;QACF,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,eAAe,CAAC,oBAAoB,CAAC;IACxF,CAAC;IAED;;;OAGG;IACI,SAAS;QACf,OAAO,eAAe,CAAC,UAAU,CAAC;IACnC,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,GAAG,CACf,OAA2B,EAC3B,QAAuB,EACvB,KAA6B,EAC7B,UAAuB,EACvB,cAAyC;QAEzC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,EAAE,CAAC;YACtD,IAAI,CAAC;gBACJ,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;gBACxF,IAAI,MAAM,CAAC;gBAEX,6EAA6E;gBAC7E,8EAA8E;gBAC9E,wDAAwD;gBACxD,IAAI,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC5B,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;gBAC7C,CAAC;qBAAM,CAAC;oBACP,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,sBAAsB,CAC3E,OAAO,CAAC,KAAK,EACb,QAAQ,CACR,CAAC;oBAEF,IAAI,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC;wBACjC,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,WAAW,CAAC,CAAC;oBACvD,CAAC;yBAAM,CAAC;wBACP,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,UAAU,EAAE,4BAA4B,EAAE;4BACrF,OAAO,EAAE,IAAI,CAAC,WAAW;yBACzB,CAAC,CAAC;oBACJ,CAAC;gBACF,CAAC;gBAED,UAAU,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,EAAE,CAAC;gBAC7C,IAAI,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;oBACzC,cAAc,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;gBACnD,CAAC;YACF,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,eAAe,CAAC,aAAa,CAC5B,QAAQ,EACR,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,EACxB,cAAc,CAAC,YAAY,CAC3B,CAAC;YACH,CAAC;QACF,CAAC;IACF,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,eAAe,CAAC,MAAc;QAC3C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAE5E,IAAI,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBACzE,GAAG,EAAE,MAAM;aACX,CAAC,CAAC;QACJ,CAAC;QAED,OAAO,UAAU,CAAC;IACnB,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,oBAAoB,CAAC,QAAgB;QAClD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEpE,IAAI,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBACzE,QAAQ;aACR,CAAC,CAAC;QACJ,CAAC;QAED,OAAO,UAAU,CAAC;IACnB,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport {\n\tHttpErrorHelper,\n\ttype IBaseRoute,\n\ttype IBaseRouteProcessor,\n\ttype IHttpResponse,\n\ttype IHttpServerRequest,\n\ttype IUrlTransformerComponent\n} from \"@twin.org/api-models\";\nimport { ContextIdKeys, type IContextIds } from \"@twin.org/context\";\nimport { BaseError, ComponentFactory, Is, UnauthorizedError } from \"@twin.org/core\";\nimport {\n\tEntityStorageConnectorFactory,\n\ttype IEntityStorageConnector\n} from \"@twin.org/entity-storage-models\";\nimport { nameof } from \"@twin.org/nameof\";\nimport { HttpStatusCode } from \"@twin.org/web\";\nimport type { Tenant } from \"./entities/tenant.js\";\nimport type { ITenantProcessorConstructorOptions } from \"./models/ITenantProcessorConstructorOptions.js\";\n\n/*\n Handles incoming api keys and maps them to tenant ids.\n /\nexport class TenantProcessor implements IBaseRouteProcessor {\n\t/\n\t The default name for the api key header.\n\t * @internal\n\t /\n\tpublic static readonly DEFAULT_API_KEY_NAME: string = \"x-api-key\";\n\n\t/\n\t Runtime name for the class.\n\t /\n\tpublic static readonly CLASS_NAME: string = nameof<TenantProcessor>();\n\n\t/\n\t The entity storage for api keys.\n\t * @internal\n\t /\n\tprivate readonly _entityStorageConnector: IEntityStorageConnector<Tenant>;\n\n\t/\n\t The hosting component, used to resolve public origins for tenants and encrypt/decrypt tenant tokens.\n\t * @internal\n\t /\n\tprivate readonly _urlTransformerService: IUrlTransformerComponent;\n\n\t/\n\t The key in the header to look for the api key.\n\t * @internal\n\t /\n\tprivate readonly _apiKeyName: string;\n\n\t/\n\t Create a new instance of TenantProcessor.\n\t * @param options Options for the processor.\n\t /\n\tconstructor(options?: ITenantProcessorConstructorOptions) {\n\t\tthis._entityStorageConnector = EntityStorageConnectorFactory.get(\n\t\t\toptions?.tenantEntityStorageType ?? \"tenant\"\n\t\t);\n\t\tthis._urlTransformerService = ComponentFactory.get(\n\t\t\toptions?.urlTransformerComponentType ?? \"url-transformer\"\n\t\t);\n\t\tthis._apiKeyName = options?.config?.apiKeyName ?? TenantProcessor.DEFAULT_API_KEY_NAME;\n\t}\n\n\t/\n\t Returns the class name of the component.\n\t * @returns The class name of the component.\n\t /\n\tpublic className(): string {\n\t\treturn TenantProcessor.CLASS_NAME;\n\t}\n\n\t/\n\t Pre process the REST request for the specified route.\n\t * @param request The incoming request.\n\t * @param response The outgoing response.\n\t * @param route The route to process.\n\t * @param contextIds The context IDs of the request.\n\t * @param processorState The state handed through the processors.\n\t /\n\tpublic async pre(\n\t\trequest: IHttpServerRequest,\n\t\tresponse: IHttpResponse,\n\t\troute: IBaseRoute \| undefined,\n\t\tcontextIds: IContextIds,\n\t\tprocessorState: { [id: string]: unknown }\n\t): Promise<void> {\n\t\tif (!Is.empty(route) && !(route.skipTenant ?? false)) {\n\t\t\ttry {\n\t\t\t\tconst apiKey = request.headers?.[this._apiKeyName] ?? request.query?.[this._apiKeyName];\n\t\t\t\tlet tenant;\n\n\t\t\t\t// First check apiKey as this is the most common way to authenticate tenants,\n\t\t\t\t// if that is not present check for the tenant token query param which is used\n\t\t\t\t// in scenarios where there is an embedded static token.\n\t\t\t\tif (Is.stringValue(apiKey)) {\n\t\t\t\t\ttenant = await this.resolveByApiKey(apiKey);\n\t\t\t\t} else {\n\t\t\t\t\tconst tenantToken = await this._urlTransformerService.getEncryptedQueryParam(\n\t\t\t\t\t\trequest.query,\n\t\t\t\t\t\t\"tenant\"\n\t\t\t\t\t);\n\n\t\t\t\t\tif (Is.stringValue(tenantToken)) {\n\t\t\t\t\t\ttenant = await this.resolveByTenantToken(tenantToken);\n\t\t\t\t\t} else {\n\t\t\t\t\t\tthrow new UnauthorizedError(TenantProcessor.CLASS_NAME, \"missingApiKeyOrTenantToken\", {\n\t\t\t\t\t\t\tkeyName: this._apiKeyName\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tcontextIds[ContextIdKeys.Tenant] = tenant.id;\n\t\t\t\tif (Is.stringValue(tenant.publicOrigin)) {\n\t\t\t\t\tprocessorState.publicOrigin = tenant.publicOrigin;\n\t\t\t\t}\n\t\t\t} catch (err) {\n\t\t\t\tHttpErrorHelper.buildResponse(\n\t\t\t\t\tresponse,\n\t\t\t\t\tBaseError.fromError(err),\n\t\t\t\t\tHttpStatusCode.unauthorized\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t}\n\n\t/\n\t Resolve the tenant context from an api key.\n\t * @param apiKey The api key sent by the caller.\n\t * @returns The tenant associated with the api key.\n\t * @internal\n\t /\n\tprivate async resolveByApiKey(apiKey: string): Promise<Tenant> {\n\t\tconst nodeTenant = await this._entityStorageConnector.get(apiKey, \"apiKey\");\n\n\t\tif (Is.empty(nodeTenant)) {\n\t\t\tthrow new UnauthorizedError(TenantProcessor.CLASS_NAME, \"apiKeyNotFound\", {\n\t\t\t\tkey: apiKey\n\t\t\t});\n\t\t}\n\n\t\treturn nodeTenant;\n\t}\n\n\t/\n\t Resolve the tenant context from an encrypted tenant token query param.\n\t * @param tenantId The encrypted tenant token.\n\t * @returns The tenant associated with the tenant token.\n\t * @internal\n\t */\n\tprivate async resolveByTenantToken(tenantId: string): Promise<Tenant> {\n\t\tconst nodeTenant = await this._entityStorageConnector.get(tenantId);\n\n\t\tif (Is.empty(nodeTenant)) {\n\t\t\tthrow new UnauthorizedError(TenantProcessor.CLASS_NAME, \"tenantNotFound\", {\n\t\t\t\ttenantId\n\t\t\t});\n\t\t}\n\n\t\treturn nodeTenant;\n\t}\n}\n"]}

package/dist/types/index.d.ts CHANGED Viewed

@@ -18,4 +18,3 @@ export * from "./tenantIdContextIdHandler.js";
 export * from "./tenantProcessor.js";
 export * from "./tenantRoutes.js";
 export * from "./utils/tenantIdHelper.js";
-export * from "./utils/tenantUrlHelper.js";

package/dist/types/models/ITenantProcessorConfig.d.ts CHANGED Viewed

@@ -7,14 +7,4 @@ export interface ITenantProcessorConfig {
      * @default x-api-key
      */
     apiKeyName?: string;
-    /**
-     * The name of the symmetric key in the vault used to encrypt/decrypt tenant tokens.
-     * @default tenant-token-encryption
-     */
-    signingKeyName?: string;
-    /**
-     * The query param name to look for the encrypted tenant token.
-     * @default tenantToken
-     */
-    tenantTokenName?: string;
 }

package/dist/types/models/ITenantProcessorConstructorOptions.d.ts CHANGED Viewed

@@ -9,11 +9,10 @@ export interface ITenantProcessorConstructorOptions {
      */
     tenantEntityStorageType?: string;
     /**
-     * The vault connector used to decrypt tenant tokens. Only resolved when
-     * `config.signingKeyName` is set.
-     * @default vault
+     * The URL transformer component for the tenants.
+     * @default url-transformer
      */
-    vaultConnectorType?: string;
+    urlTransformerComponentType?: string;
     /**
      * Configuration for the processor.
      */

package/dist/types/tenantProcessor.d.ts CHANGED Viewed

@@ -10,7 +10,7 @@ export declare class TenantProcessor implements IBaseRouteProcessor {
      */
     static readonly CLASS_NAME: string;
     /**
-     * Create a new instance of NodeTenantProcessor.
+     * Create a new instance of TenantProcessor.
      * @param options Options for the processor.
      */
     constructor(options?: ITenantProcessorConstructorOptions);
@@ -19,14 +19,6 @@ export declare class TenantProcessor implements IBaseRouteProcessor {
      * @returns The class name of the component.
      */
     className(): string;
-    /**
-     * The processor needs to be started when the application is initialized so that
-     * the node identity is available for vault key resolution. Only required when
-     * the encrypted-token path is wired (i.e. `signingKeyName` is configured).
-     * @param nodeLoggingComponentType The node logging component type.
-     * @returns Nothing.
-     */
-    start(nodeLoggingComponentType?: string): Promise<void>;
     /**
      * Pre process the REST request for the specified route.
      * @param request The incoming request.

package/docs/changelog.md CHANGED Viewed

@@ -1,5 +1,33 @@
 # Changelog
+## [0.0.3-next.30](https://github.com/twinfoundation/twin-api/compare/api-tenant-processor-v0.0.3-next.29...api-tenant-processor-v0.0.3-next.30) (2026-05-05)
+### Features
+* separate service responsibilities ([#116](https://github.com/twinfoundation/twin-api/issues/116)) ([2234648](https://github.com/twinfoundation/twin-api/commit/2234648de4a2de5b7356aadde328f40470bc12e3))
+### Dependencies
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/api-models bumped from 0.0.3-next.29 to 0.0.3-next.30
+## [0.0.3-next.29](https://github.com/twinfoundation/twin-api/compare/api-tenant-processor-v0.0.3-next.28...api-tenant-processor-v0.0.3-next.29) (2026-05-01)
+### Features
+* hosting service ([#109](https://github.com/twinfoundation/twin-api/issues/109)) ([985bf1f](https://github.com/twinfoundation/twin-api/commit/985bf1f5c07b09ecb800df7120bc2422ac7a6d25))
+### Dependencies
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/api-models bumped from 0.0.3-next.28 to 0.0.3-next.29
 ## [0.0.3-next.28](https://github.com/twinfoundation/twin-api/compare/api-tenant-processor-v0.0.3-next.27...api-tenant-processor-v0.0.3-next.28) (2026-04-30)

package/docs/reference/classes/TenantProcessor.md CHANGED Viewed

@@ -12,7 +12,7 @@ Handles incoming api keys and maps them to tenant ids.
 > **new TenantProcessor**(`options?`): `TenantProcessor`
-Create a new instance of NodeTenantProcessor.
+Create a new instance of TenantProcessor.
 #### Parameters
@@ -54,34 +54,6 @@ The class name of the component.
 ***
-### start() {#start}
-> **start**(`nodeLoggingComponentType?`): `Promise`\<`void`\>
-The processor needs to be started when the application is initialized so that
-the node identity is available for vault key resolution. Only required when
-the encrypted-token path is wired (i.e. `signingKeyName` is configured).
-#### Parameters
-##### nodeLoggingComponentType?
-`string`
-The node logging component type.
-#### Returns
-`Promise`\<`void`\>
-Nothing.
-#### Implementation of
-`IBaseRouteProcessor.start`
-***
 ### pre() {#pre}
 > **pre**(`request`, `response`, `route`, `contextIds`, `processorState`): `Promise`\<`void`\>

package/docs/reference/index.md CHANGED Viewed

@@ -7,7 +7,6 @@
 - [TenantIdContextIdHandler](classes/TenantIdContextIdHandler.md)
 - [TenantProcessor](classes/TenantProcessor.md)
 - [TenantIdHelper](classes/TenantIdHelper.md)
-- [TenantUrlHelper](classes/TenantUrlHelper.md)
 ## Interfaces

package/docs/reference/interfaces/ITenantProcessorConfig.md CHANGED Viewed

@@ -15,31 +15,3 @@ The key to look for in the header or query params for the api key.
 ```ts
 x-api-key
 ```
-***
-### signingKeyName? {#signingkeyname}
-> `optional` **signingKeyName?**: `string`
-The name of the symmetric key in the vault used to encrypt/decrypt tenant tokens.
-#### Default
-```ts
-tenant-token-encryption
-```
-***
-### tenantTokenName? {#tenanttokenname}
-> `optional` **tenantTokenName?**: `string`
-The query param name to look for the encrypted tenant token.
-#### Default
-```ts
-tenantToken
-```

package/docs/reference/interfaces/ITenantProcessorConstructorOptions.md CHANGED Viewed

@@ -18,17 +18,16 @@ tenant
 ***
-### vaultConnectorType? {#vaultconnectortype}
+### urlTransformerComponentType? {#urltransformercomponenttype}
-> `optional` **vaultConnectorType?**: `string`
+> `optional` **urlTransformerComponentType?**: `string`
-The vault connector used to decrypt tenant tokens. Only resolved when
-`config.signingKeyName` is set.
+The URL transformer component for the tenants.
 #### Default
 ```ts
-vault
+url-transformer
 ```
 ***

package/locales/en.json CHANGED Viewed

@@ -1,14 +1,9 @@
 {
 	"error": {
 		"tenantProcessor": {
-			"missingApiKey": "API key header or query param \"{keyName}\" is missing or invalid.",
+			"missingApiKeyOrTenantToken": "API key \"{keyName}\" or tenant token is missing",
 			"apiKeyNotFound": "No node tenant found for API key \"{key}\".",
-			"tenantTokenInvalid": "The tenant token \"{token}\" could not be decrypted or is malformed.",
-			"tenantTokenNotFound": "No node tenant found for the decrypted tenant token \"{tenantId}\"."
-		},
-		"tenantUrlHelper": {
-			"encryptFailed": "Encryption of tenant URL token failed.",
-			"decryptFailed": "Decryption of tenant URL token failed."
+			"tenantNotFound": "No node tenant found for the decrypted tenant token \"{tenantId}\"."
 		},
 		"tenantAdminService": {
 			"apiKeyAlreadyInUse": "The provided API key is already in use by another tenant.",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@twin.org/api-tenant-processor",
-	"version": "0.0.3-next.28",
+	"version": "0.0.3-next.30",
 	"description": "Tenant resolution services and route handlers that derive tenant context from API keys.",
 	"repository": {
 		"type": "git",
@@ -14,7 +14,7 @@
 		"node": ">=20.0.0"
 	},
 	"dependencies": {
-		"@twin.org/api-models": "0.0.3-next.28",
+		"@twin.org/api-models": "0.0.3-next.30",
 		"@twin.org/context": "next",
 		"@twin.org/core": "next",
 		"@twin.org/entity": "next",

package/dist/es/utils/tenantUrlHelper.js DELETED Viewed

@@ -1,65 +0,0 @@
-// Copyright 2025 IOTA Stiftung.
-// SPDX-License-Identifier: Apache-2.0.
-import { Converter, GeneralError, Guards } from "@twin.org/core";
-import { VaultEncryptionType } from "@twin.org/vault-models";
-/**
- * Helper for building and parsing URLs that carry an encrypted tenant token query param.
- * The token is the ChaCha20Poly1305-encrypted UTF-8 bytes of a tenant id, base64url-encoded
- * for URL safety.
- */
-export class TenantUrlHelper {
-    /**
-     * The default query param name for the encrypted tenant token.
-     */
-    static DEFAULT_TENANT_TOKEN_NAME = "tenantToken";
-    /**
-     * Runtime name for the class.
-     */
-    static CLASS_NAME = "TenantUrlHelper";
-    /**
-     * Encrypt a tenant id and append it as an opaque query param to the supplied URL.
-     * @param url The URL to append the token to.
-     * @param tenantId The tenant id to encrypt into the token.
-     * @param vaultConnector The vault connector providing the symmetric key.
-     * @param keyName The fully-qualified vault key name (e.g. `${nodeId}/tenant-token-encryption`).
-     * @param tenantTokenName The query param name. Defaults to `tenantToken`.
-     * @returns The URL with the encrypted tenant token appended.
-     */
-    static async encrypt(url, tenantId, vaultConnector, keyName, tenantTokenName) {
-        Guards.stringValue(TenantUrlHelper.CLASS_NAME, "url", url);
-        Guards.stringValue(TenantUrlHelper.CLASS_NAME, "tenantId", tenantId);
-        Guards.object(TenantUrlHelper.CLASS_NAME, "vaultConnector", vaultConnector);
-        Guards.stringValue(TenantUrlHelper.CLASS_NAME, "keyName", keyName);
-        try {
-            const encrypted = await vaultConnector.encrypt(keyName, VaultEncryptionType.ChaCha20Poly1305, Converter.utf8ToBytes(tenantId));
-            const token = Converter.bytesToBase64Url(encrypted);
-            const paramName = tenantTokenName ?? TenantUrlHelper.DEFAULT_TENANT_TOKEN_NAME;
-            const separator = url.includes("?") ? "&" : "?";
-            return `${url}${separator}${paramName}=${token}`;
-        }
-        catch (err) {
-            throw new GeneralError(TenantUrlHelper.CLASS_NAME, "encryptFailed", undefined, err);
-        }
-    }
-    /**
-     * Decrypt an encrypted tenant token back into the original tenant id.
-     * @param token The base64url-encoded encrypted tenant token.
-     * @param vaultConnector The vault connector providing the symmetric key.
-     * @param keyName The fully-qualified vault key name used to encrypt the token.
-     * @returns The decrypted tenant id.
-     */
-    static async decrypt(token, vaultConnector, keyName) {
-        Guards.stringValue(TenantUrlHelper.CLASS_NAME, "token", token);
-        Guards.object(TenantUrlHelper.CLASS_NAME, "vaultConnector", vaultConnector);
-        Guards.stringValue(TenantUrlHelper.CLASS_NAME, "keyName", keyName);
-        try {
-            const encrypted = Converter.base64UrlToBytes(token);
-            const decrypted = await vaultConnector.decrypt(keyName, VaultEncryptionType.ChaCha20Poly1305, encrypted);
-            return Converter.bytesToUtf8(decrypted);
-        }
-        catch (err) {
-            throw new GeneralError(TenantUrlHelper.CLASS_NAME, "decryptFailed", undefined, err);
-        }
-    }
-}
-//# sourceMappingURL=tenantUrlHelper.js.map

package/dist/es/utils/tenantUrlHelper.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"tenantUrlHelper.js","sourceRoot":"","sources":["../../../src/utils/tenantUrlHelper.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAEjE,OAAO,EAAwB,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAEnF;;;;GAIG;AACH,MAAM,OAAO,eAAe;IAC3B;;OAEG;IACI,MAAM,CAAU,yBAAyB,GAAW,aAAa,CAAC;IAEzE;;OAEG;IACI,MAAM,CAAU,UAAU,qBAAqC;IAEtE;;;;;;;;OAQG;IACI,MAAM,CAAC,KAAK,CAAC,OAAO,CAC1B,GAAW,EACX,QAAgB,EAChB,cAA+B,EAC/B,OAAe,EACf,eAAwB;QAExB,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,UAAU,SAAe,GAAG,CAAC,CAAC;QACjE,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,UAAU,cAAoB,QAAQ,CAAC,CAAC;QAC3E,MAAM,CAAC,MAAM,CACZ,eAAe,CAAC,UAAU,oBAE1B,cAAc,CACd,CAAC;QACF,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,UAAU,aAAmB,OAAO,CAAC,CAAC;QAEzE,IAAI,CAAC;YACJ,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC,OAAO,CAC7C,OAAO,EACP,mBAAmB,CAAC,gBAAgB,EACpC,SAAS,CAAC,WAAW,CAAC,QAAQ,CAAC,CAC/B,CAAC;YACF,MAAM,KAAK,GAAG,SAAS,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;YACpD,MAAM,SAAS,GAAG,eAAe,IAAI,eAAe,CAAC,yBAAyB,CAAC;YAC/E,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YAChD,OAAO,GAAG,GAAG,GAAG,SAAS,GAAG,SAAS,IAAI,KAAK,EAAE,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,YAAY,CAAC,eAAe,CAAC,UAAU,EAAE,eAAe,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;QACrF,CAAC;IACF,CAAC;IAED;;;;;;OAMG;IACI,MAAM,CAAC,KAAK,CAAC,OAAO,CAC1B,KAAa,EACb,cAA+B,EAC/B,OAAe;QAEf,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,UAAU,WAAiB,KAAK,CAAC,CAAC;QACrE,MAAM,CAAC,MAAM,CACZ,eAAe,CAAC,UAAU,oBAE1B,cAAc,CACd,CAAC;QACF,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,UAAU,aAAmB,OAAO,CAAC,CAAC;QAEzE,IAAI,CAAC;YACJ,MAAM,SAAS,GAAG,SAAS,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACpD,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC,OAAO,CAC7C,OAAO,EACP,mBAAmB,CAAC,gBAAgB,EACpC,SAAS,CACT,CAAC;YACF,OAAO,SAAS,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;QACzC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,YAAY,CAAC,eAAe,CAAC,UAAU,EAAE,eAAe,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;QACrF,CAAC;IACF,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { Converter, GeneralError, Guards } from \"@twin.org/core\";\nimport { nameof } from \"@twin.org/nameof\";\nimport { type IVaultConnector, VaultEncryptionType } from \"@twin.org/vault-models\";\n\n/**\n * Helper for building and parsing URLs that carry an encrypted tenant token query param.\n * The token is the ChaCha20Poly1305-encrypted UTF-8 bytes of a tenant id, base64url-encoded\n * for URL safety.\n */\nexport class TenantUrlHelper {\n\t/**\n\t * The default query param name for the encrypted tenant token.\n\t */\n\tpublic static readonly DEFAULT_TENANT_TOKEN_NAME: string = \"tenantToken\";\n\n\t/**\n\t * Runtime name for the class.\n\t */\n\tpublic static readonly CLASS_NAME: string = nameof<TenantUrlHelper>();\n\n\t/**\n\t * Encrypt a tenant id and append it as an opaque query param to the supplied URL.\n\t * @param url The URL to append the token to.\n\t * @param tenantId The tenant id to encrypt into the token.\n\t * @param vaultConnector The vault connector providing the symmetric key.\n\t * @param keyName The fully-qualified vault key name (e.g. `${nodeId}/tenant-token-encryption`).\n\t * @param tenantTokenName The query param name. Defaults to `tenantToken`.\n\t * @returns The URL with the encrypted tenant token appended.\n\t */\n\tpublic static async encrypt(\n\t\turl: string,\n\t\ttenantId: string,\n\t\tvaultConnector: IVaultConnector,\n\t\tkeyName: string,\n\t\ttenantTokenName?: string\n\t): Promise<string> {\n\t\tGuards.stringValue(TenantUrlHelper.CLASS_NAME, nameof(url), url);\n\t\tGuards.stringValue(TenantUrlHelper.CLASS_NAME, nameof(tenantId), tenantId);\n\t\tGuards.object<IVaultConnector>(\n\t\t\tTenantUrlHelper.CLASS_NAME,\n\t\t\tnameof(vaultConnector),\n\t\t\tvaultConnector\n\t\t);\n\t\tGuards.stringValue(TenantUrlHelper.CLASS_NAME, nameof(keyName), keyName);\n\n\t\ttry {\n\t\t\tconst encrypted = await vaultConnector.encrypt(\n\t\t\t\tkeyName,\n\t\t\t\tVaultEncryptionType.ChaCha20Poly1305,\n\t\t\t\tConverter.utf8ToBytes(tenantId)\n\t\t\t);\n\t\t\tconst token = Converter.bytesToBase64Url(encrypted);\n\t\t\tconst paramName = tenantTokenName ?? TenantUrlHelper.DEFAULT_TENANT_TOKEN_NAME;\n\t\t\tconst separator = url.includes(\"?\") ? \"&\" : \"?\";\n\t\t\treturn `${url}${separator}${paramName}=${token}`;\n\t\t} catch (err) {\n\t\t\tthrow new GeneralError(TenantUrlHelper.CLASS_NAME, \"encryptFailed\", undefined, err);\n\t\t}\n\t}\n\n\t/**\n\t * Decrypt an encrypted tenant token back into the original tenant id.\n\t * @param token The base64url-encoded encrypted tenant token.\n\t * @param vaultConnector The vault connector providing the symmetric key.\n\t * @param keyName The fully-qualified vault key name used to encrypt the token.\n\t * @returns The decrypted tenant id.\n\t */\n\tpublic static async decrypt(\n\t\ttoken: string,\n\t\tvaultConnector: IVaultConnector,\n\t\tkeyName: string\n\t): Promise<string> {\n\t\tGuards.stringValue(TenantUrlHelper.CLASS_NAME, nameof(token), token);\n\t\tGuards.object<IVaultConnector>(\n\t\t\tTenantUrlHelper.CLASS_NAME,\n\t\t\tnameof(vaultConnector),\n\t\t\tvaultConnector\n\t\t);\n\t\tGuards.stringValue(TenantUrlHelper.CLASS_NAME, nameof(keyName), keyName);\n\n\t\ttry {\n\t\t\tconst encrypted = Converter.base64UrlToBytes(token);\n\t\t\tconst decrypted = await vaultConnector.decrypt(\n\t\t\t\tkeyName,\n\t\t\t\tVaultEncryptionType.ChaCha20Poly1305,\n\t\t\t\tencrypted\n\t\t\t);\n\t\t\treturn Converter.bytesToUtf8(decrypted);\n\t\t} catch (err) {\n\t\t\tthrow new GeneralError(TenantUrlHelper.CLASS_NAME, \"decryptFailed\", undefined, err);\n\t\t}\n\t}\n}\n"]}

package/dist/types/utils/tenantUrlHelper.d.ts DELETED Viewed

@@ -1,34 +0,0 @@
-import { type IVaultConnector } from "@twin.org/vault-models";
-/**
- * Helper for building and parsing URLs that carry an encrypted tenant token query param.
- * The token is the ChaCha20Poly1305-encrypted UTF-8 bytes of a tenant id, base64url-encoded
- * for URL safety.
- */
-export declare class TenantUrlHelper {
-    /**
-     * The default query param name for the encrypted tenant token.
-     */
-    static readonly DEFAULT_TENANT_TOKEN_NAME: string;
-    /**
-     * Runtime name for the class.
-     */
-    static readonly CLASS_NAME: string;
-    /**
-     * Encrypt a tenant id and append it as an opaque query param to the supplied URL.
-     * @param url The URL to append the token to.
-     * @param tenantId The tenant id to encrypt into the token.
-     * @param vaultConnector The vault connector providing the symmetric key.
-     * @param keyName The fully-qualified vault key name (e.g. `${nodeId}/tenant-token-encryption`).
-     * @param tenantTokenName The query param name. Defaults to `tenantToken`.
-     * @returns The URL with the encrypted tenant token appended.
-     */
-    static encrypt(url: string, tenantId: string, vaultConnector: IVaultConnector, keyName: string, tenantTokenName?: string): Promise<string>;
-    /**
-     * Decrypt an encrypted tenant token back into the original tenant id.
-     * @param token The base64url-encoded encrypted tenant token.
-     * @param vaultConnector The vault connector providing the symmetric key.
-     * @param keyName The fully-qualified vault key name used to encrypt the token.
-     * @returns The decrypted tenant id.
-     */
-    static decrypt(token: string, vaultConnector: IVaultConnector, keyName: string): Promise<string>;
-}

package/docs/reference/classes/TenantUrlHelper.md DELETED Viewed

@@ -1,111 +0,0 @@
-# Class: TenantUrlHelper
-Helper for building and parsing URLs that carry an encrypted tenant token query param.
-The token is the ChaCha20Poly1305-encrypted UTF-8 bytes of a tenant id, base64url-encoded
-for URL safety.
-## Constructors
-### Constructor
-> **new TenantUrlHelper**(): `TenantUrlHelper`
-#### Returns
-`TenantUrlHelper`
-## Properties
-### DEFAULT\_TENANT\_TOKEN\_NAME {#default_tenant_token_name}
-> `readonly` `static` **DEFAULT\_TENANT\_TOKEN\_NAME**: `string` = `"tenantToken"`
-The default query param name for the encrypted tenant token.
-***
-### CLASS\_NAME {#class_name}
-> `readonly` `static` **CLASS\_NAME**: `string`
-Runtime name for the class.
-## Methods
-### encrypt() {#encrypt}
-> `static` **encrypt**(`url`, `tenantId`, `vaultConnector`, `keyName`, `tenantTokenName?`): `Promise`\<`string`\>
-Encrypt a tenant id and append it as an opaque query param to the supplied URL.
-#### Parameters
-##### url
-`string`
-The URL to append the token to.
-##### tenantId
-`string`
-The tenant id to encrypt into the token.
-##### vaultConnector
-`IVaultConnector`
-The vault connector providing the symmetric key.
-##### keyName
-`string`
-The fully-qualified vault key name (e.g. `${nodeId}/tenant-token-encryption`).
-##### tenantTokenName?
-`string`
-The query param name. Defaults to `tenantToken`.
-#### Returns
-`Promise`\<`string`\>
-The URL with the encrypted tenant token appended.
-***
-### decrypt() {#decrypt}
-> `static` **decrypt**(`token`, `vaultConnector`, `keyName`): `Promise`\<`string`\>
-Decrypt an encrypted tenant token back into the original tenant id.
-#### Parameters
-##### token
-`string`
-The base64url-encoded encrypted tenant token.
-##### vaultConnector
-`IVaultConnector`
-The vault connector providing the symmetric key.
-##### keyName
-`string`
-The fully-qualified vault key name used to encrypt the token.
-#### Returns
-`Promise`\<`string`\>
-The decrypted tenant id.