npm - @undefineds.co/xpod - Versions diffs - 0.3.31 → 0.3.33 - Mend

@undefineds.co/xpod 0.3.31 → 0.3.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (218) hide show

package/dist/identity/drizzle/schema.sqlite.js CHANGED Viewed

@@ -1,25 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.serviceTokens = exports.apiClientCredentials = exports.edgeNodePods = exports.edgeNodes = exports.ddnsRecords = exports.ddnsDomains = exports.podUsage = exports.accountUsage = void 0;
+exports.serviceTokens = exports.edgeNodes = exports.ddnsRecords = exports.usage = void 0;
 const sqlite_core_1 = require("drizzle-orm/sqlite-core");
-exports.accountUsage = (0, sqlite_core_1.sqliteTable)('identity_account_usage', {
-    accountId: (0, sqlite_core_1.text)('account_id').primaryKey(),
-    storageBytes: (0, sqlite_core_1.integer)('storage_bytes').notNull().default(0),
-    ingressBytes: (0, sqlite_core_1.integer)('ingress_bytes').notNull().default(0),
-    egressBytes: (0, sqlite_core_1.integer)('egress_bytes').notNull().default(0),
-    storageLimitBytes: (0, sqlite_core_1.integer)('storage_limit_bytes'),
-    bandwidthLimitBps: (0, sqlite_core_1.integer)('bandwidth_limit_bps'),
-    computeSeconds: (0, sqlite_core_1.integer)('compute_seconds').notNull().default(0),
-    tokensUsed: (0, sqlite_core_1.integer)('tokens_used').notNull().default(0),
-    computeLimitSeconds: (0, sqlite_core_1.integer)('compute_limit_seconds'),
-    tokenLimitMonthly: (0, sqlite_core_1.integer)('token_limit_monthly'),
-    periodStart: (0, sqlite_core_1.integer)('period_start'),
-    updatedAt: (0, sqlite_core_1.integer)('updated_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),
-});
-exports.podUsage = (0, sqlite_core_1.sqliteTable)('identity_pod_usage', {
-    podId: (0, sqlite_core_1.text)('pod_id').primaryKey(),
+exports.usage = (0, sqlite_core_1.sqliteTable)('identity_usage', {
+    scopeType: (0, sqlite_core_1.text)('scope_type').notNull(), // 'account' | 'pod'
+    scopeId: (0, sqlite_core_1.text)('scope_id').notNull(),
     accountId: (0, sqlite_core_1.text)('account_id').notNull(),
-    storageUrl: (0, sqlite_core_1.text)('storage_url'),
     storageBytes: (0, sqlite_core_1.integer)('storage_bytes').notNull().default(0),
     ingressBytes: (0, sqlite_core_1.integer)('ingress_bytes').notNull().default(0),
     egressBytes: (0, sqlite_core_1.integer)('egress_bytes').notNull().default(0),
@@ -31,23 +17,14 @@ exports.podUsage = (0, sqlite_core_1.sqliteTable)('identity_pod_usage', {
     tokenLimitMonthly: (0, sqlite_core_1.integer)('token_limit_monthly'),
     periodStart: (0, sqlite_core_1.integer)('period_start'),
     updatedAt: (0, sqlite_core_1.integer)('updated_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),
-});
-/**
- * DDNS 域名池表
- * 管理可用的 DDNS 域名
- */
-exports.ddnsDomains = (0, sqlite_core_1.sqliteTable)('identity_ddns_domain', {
-    domain: (0, sqlite_core_1.text)('domain').primaryKey(), // undefineds.xyz
-    status: (0, sqlite_core_1.text)('status').default('active'), // 'active' | 'suspended'
-    provider: (0, sqlite_core_1.text)('provider'), // 'cloudflare' | 'tencent'
-    zoneId: (0, sqlite_core_1.text)('zone_id'), // DNS Zone ID
-    createdAt: (0, sqlite_core_1.integer)('created_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),
-});
+}, (table) => [
+    (0, sqlite_core_1.primaryKey)({ columns: [table.scopeType, table.scopeId] }),
+]);
 /**
- * DDNS 记录表
+ * Cloud cluster DDNS 记录表
  * 已分配的子域名记录
  */
-exports.ddnsRecords = (0, sqlite_core_1.sqliteTable)('identity_ddns_record', {
+exports.ddnsRecords = (0, sqlite_core_1.sqliteTable)('cluster_ddns_record', {
     subdomain: (0, sqlite_core_1.text)('subdomain').primaryKey(), // alice
     domain: (0, sqlite_core_1.text)('domain').notNull(), // undefineds.xyz
     ipAddress: (0, sqlite_core_1.text)('ip_address'),
@@ -61,7 +38,7 @@ exports.ddnsRecords = (0, sqlite_core_1.sqliteTable)('identity_ddns_record', {
     createdAt: (0, sqlite_core_1.integer)('created_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),
     updatedAt: (0, sqlite_core_1.integer)('updated_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),
 });
-exports.edgeNodes = (0, sqlite_core_1.sqliteTable)('identity_edge_node', {
+exports.edgeNodes = (0, sqlite_core_1.sqliteTable)('cluster_node', {
     id: (0, sqlite_core_1.text)('id').primaryKey(),
     displayName: (0, sqlite_core_1.text)('display_name'),
     tokenHash: (0, sqlite_core_1.text)('token_hash').notNull(),
@@ -82,28 +59,18 @@ exports.edgeNodes = (0, sqlite_core_1.sqliteTable)('identity_edge_node', {
     // JSON fields
     capabilities: (0, sqlite_core_1.text)('capabilities'), // JSON string: 能力列表
     metadata: (0, sqlite_core_1.text)('metadata'), // JSON string: 复杂对象 (tunnel, certificate, metrics)
+    podBaseUrls: (0, sqlite_core_1.text)('pod_base_urls'), // JSON string: node-owned Pod/storage URL prefixes
     connectivityStatus: (0, sqlite_core_1.text)('connectivity_status').default('unknown'),
     lastConnectivityCheck: (0, sqlite_core_1.integer)('last_connectivity_check'),
     createdAt: (0, sqlite_core_1.integer)('created_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),
     updatedAt: (0, sqlite_core_1.integer)('updated_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),
     lastSeen: (0, sqlite_core_1.integer)('last_seen'),
 });
-exports.edgeNodePods = (0, sqlite_core_1.sqliteTable)('identity_edge_node_pod', {
-    nodeId: (0, sqlite_core_1.text)('node_id').notNull().references(() => exports.edgeNodes.id, { onDelete: 'cascade' }),
-    baseUrl: (0, sqlite_core_1.text)('base_url').notNull(),
-});
-exports.apiClientCredentials = (0, sqlite_core_1.sqliteTable)('identity_api_client_credentials', {
-    clientId: (0, sqlite_core_1.text)('client_id').primaryKey(),
-    webId: (0, sqlite_core_1.text)('web_id').notNull(),
-    accountId: (0, sqlite_core_1.text)('account_id').notNull(),
-    displayName: (0, sqlite_core_1.text)('display_name'),
-    createdAt: (0, sqlite_core_1.integer)('created_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),
-});
 /**
- * Service Token 表
+ * Cloud cluster Service Token 表
  * 用于服务间认证 (Business, Local SP, Cloud, Compute)
  */
-exports.serviceTokens = (0, sqlite_core_1.sqliteTable)('identity_service_token', {
+exports.serviceTokens = (0, sqlite_core_1.sqliteTable)('cluster_service_token', {
     id: (0, sqlite_core_1.text)('id').primaryKey(),
     tokenHash: (0, sqlite_core_1.text)('token_hash').notNull().unique(),
     serviceType: (0, sqlite_core_1.text)('service_type').notNull(), // 'local' | 'business' | 'cloud' | 'compute'

package/dist/identity/drizzle/schema.sqlite.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"schema.sqlite.js","sourceRoot":"","sources":["../../../src/identity/drizzle/schema.sqlite.ts"],"names":[],"mappings":";;;AAAA,yDAAqE;AAExD,QAAA,YAAY,GAAG,IAAA,yBAAW,EAAC,wBAAwB,EAAE;IAChE,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,CAAC,UAAU,EAAE;IAC1C,YAAY,EAAE,IAAA,qBAAO,EAAC,eAAe,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3D,YAAY,EAAE,IAAA,qBAAO,EAAC,eAAe,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3D,WAAW,EAAE,IAAA,qBAAO,EAAC,cAAc,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACzD,iBAAiB,EAAE,IAAA,qBAAO,EAAC,qBAAqB,CAAC;IACjD,iBAAiB,EAAE,IAAA,qBAAO,EAAC,qBAAqB,CAAC;IACjD,cAAc,EAAE,IAAA,qBAAO,EAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/D,UAAU,EAAE,IAAA,qBAAO,EAAC,aAAa,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACvD,mBAAmB,EAAE,IAAA,qBAAO,EAAC,uBAAuB,CAAC;IACrD,iBAAiB,EAAE,IAAA,qBAAO,EAAC,qBAAqB,CAAC;IACjD,WAAW,EAAE,IAAA,qBAAO,EAAC,cAAc,CAAC;IACpC,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;CAC3F,CAAC,CAAC;AAEU,QAAA,QAAQ,GAAG,IAAA,yBAAW,EAAC,oBAAoB,EAAE;IACxD,KAAK,EAAE,IAAA,kBAAI,EAAC,QAAQ,CAAC,CAAC,UAAU,EAAE;IAClC,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE;IACvC,UAAU,EAAE,IAAA,kBAAI,EAAC,aAAa,CAAC;IAC/B,YAAY,EAAE,IAAA,qBAAO,EAAC,eAAe,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3D,YAAY,EAAE,IAAA,qBAAO,EAAC,eAAe,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3D,WAAW,EAAE,IAAA,qBAAO,EAAC,cAAc,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACzD,iBAAiB,EAAE,IAAA,qBAAO,EAAC,qBAAqB,CAAC;IACjD,iBAAiB,EAAE,IAAA,qBAAO,EAAC,qBAAqB,CAAC;IACjD,cAAc,EAAE,IAAA,qBAAO,EAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/D,UAAU,EAAE,IAAA,qBAAO,EAAC,aAAa,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACvD,mBAAmB,EAAE,IAAA,qBAAO,EAAC,uBAAuB,CAAC;IACrD,iBAAiB,EAAE,IAAA,qBAAO,EAAC,qBAAqB,CAAC;IACjD,WAAW,EAAE,IAAA,qBAAO,EAAC,cAAc,CAAC;IACpC,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;CAC3F,CAAC,CAAC;AAEH;;;GAGG;AACU,QAAA,WAAW,GAAG,IAAA,yBAAW,EAAC,sBAAsB,EAAE;IAC7D,MAAM,EAAE,IAAA,kBAAI,EAAC,QAAQ,CAAC,CAAC,UAAU,EAAE,EAAiB,iBAAiB;IACrE,MAAM,EAAE,IAAA,kBAAI,EAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAY,yBAAyB;IAC7E,QAAQ,EAAE,IAAA,kBAAI,EAAC,UAAU,CAAC,EAA0B,2BAA2B;IAC/E,MAAM,EAAE,IAAA,kBAAI,EAAC,SAAS,CAAC,EAA6B,cAAc;IAClE,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;CAC3F,CAAC,CAAC;AAEH;;;GAGG;AACU,QAAA,WAAW,GAAG,IAAA,yBAAW,EAAC,sBAAsB,EAAE;IAC7D,SAAS,EAAE,IAAA,kBAAI,EAAC,WAAW,CAAC,CAAC,UAAU,EAAE,EAAW,QAAQ;IAC5D,MAAM,EAAE,IAAA,kBAAI,EAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,EAAoB,iBAAiB;IACrE,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC;IAC7B,WAAW,EAAE,IAAA,kBAAI,EAAC,cAAc,CAAC;IACjC,UAAU,EAAE,IAAA,kBAAI,EAAC,aAAa,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,EAAQ,eAAe;IACnE,MAAM,EAAE,IAAA,kBAAI,EAAC,SAAS,CAAC,EAA6B,WAAW;IAC/D,QAAQ,EAAE,IAAA,kBAAI,EAAC,UAAU,CAAC,EAA0B,SAAS;IAC7D,MAAM,EAAE,IAAA,kBAAI,EAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAY,sBAAsB;IAC1E,YAAY,EAAE,IAAA,kBAAI,EAAC,eAAe,CAAC;IACnC,GAAG,EAAE,IAAA,qBAAO,EAAC,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC/B,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1F,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;CAC3F,CAAC,CAAC;AAEU,QAAA,SAAS,GAAG,IAAA,yBAAW,EAAC,oBAAoB,EAAE;IACzD,EAAE,EAAE,IAAA,kBAAI,EAAC,IAAI,CAAC,CAAC,UAAU,EAAE;IAC3B,WAAW,EAAE,IAAA,kBAAI,EAAC,cAAc,CAAC;IACjC,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE;IACvC,QAAQ,EAAE,IAAA,kBAAI,EAAC,WAAW,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EAAG,2BAA2B;IACzE,SAAS,EAAE,IAAA,kBAAI,EAAC,WAAW,CAAC,CAAC,MAAM,EAAE;IACrC,UAAU,EAAE,IAAA,kBAAI,EAAC,aAAa,CAAC;IAC/B,IAAI,EAAE,IAAA,kBAAI,EAAC,MAAM,CAAC,EAA2B,UAAU;IACvD,UAAU,EAAE,IAAA,qBAAO,EAAC,aAAa,CAAC;IAClC,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,EAAiB,qCAAqC;IACnF,gBAAgB,EAAE,IAAA,kBAAI,EAAC,oBAAoB,CAAC,EAAE,6BAA6B;IAC3E,iBAAiB,EAAE,IAAA,kBAAI,EAAC,qBAAqB,CAAC,EAAE,wBAAwB;IACxE,UAAU,EAAE,IAAA,kBAAI,EAAC,aAAa,CAAC,EAAe,uCAAuC;IACrF,YAAY,EAAE,IAAA,qBAAO,EAAC,eAAe,CAAC;IACtC,0BAA0B;IAC1B,QAAQ,EAAE,IAAA,kBAAI,EAAC,UAAU,CAAC,EAAoB,QAAQ;IACtD,IAAI,EAAE,IAAA,kBAAI,EAAC,MAAM,CAAC,EAA2B,UAAU;IACvD,OAAO,EAAE,IAAA,kBAAI,EAAC,SAAS,CAAC,EAAqB,WAAW;IACxD,cAAc;IACd,YAAY,EAAE,IAAA,kBAAI,EAAC,cAAc,CAAC,EAAY,oBAAoB;IAClE,QAAQ,EAAE,IAAA,kBAAI,EAAC,UAAU,CAAC,EAAoB,mDAAmD;IACjG,kBAAkB,EAAE,IAAA,kBAAI,EAAC,qBAAqB,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAClE,qBAAqB,EAAE,IAAA,qBAAO,EAAC,yBAAyB,CAAC;IACzD,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1F,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1F,QAAQ,EAAE,IAAA,qBAAO,EAAC,WAAW,CAAC;CAC/B,CAAC,CAAC;AAEU,QAAA,YAAY,GAAG,IAAA,yBAAW,EAAC,wBAAwB,EAAE;IAChE,MAAM,EAAE,IAAA,kBAAI,EAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,iBAAS,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IACzF,OAAO,EAAE,IAAA,kBAAI,EAAC,UAAU,CAAC,CAAC,OAAO,EAAE;CACpC,CAAC,CAAC;AAEU,QAAA,oBAAoB,GAAG,IAAA,yBAAW,EAAC,iCAAiC,EAAE;IACjF,QAAQ,EAAE,IAAA,kBAAI,EAAC,WAAW,CAAC,CAAC,UAAU,EAAE;IACxC,KAAK,EAAE,IAAA,kBAAI,EAAC,QAAQ,CAAC,CAAC,OAAO,EAAE;IAC/B,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE;IACvC,WAAW,EAAE,IAAA,kBAAI,EAAC,cAAc,CAAC;IACjC,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;CAC3F,CAAC,CAAC;AAEH;;;GAGG;AACU,QAAA,aAAa,GAAG,IAAA,yBAAW,EAAC,wBAAwB,EAAE;IACjE,EAAE,EAAE,IAAA,kBAAI,EAAC,IAAI,CAAC,CAAC,UAAU,EAAE;IAC3B,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;IAChD,WAAW,EAAE,IAAA,kBAAI,EAAC,cAAc,CAAC,CAAC,OAAO,EAAE,EAAE,6CAA6C;IAC1F,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE;IACvC,MAAM,EAAE,IAAA,kBAAI,EAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,EAAE,2CAA2C;IAC7E,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1F,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC;CACjC,CAAC,CAAC","sourcesContent":["import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core';\n\nexport const accountUsage = sqliteTable('identity_account_usage', {\n accountId: text('account_id').primaryKey(),\n storageBytes: integer('storage_bytes').notNull().default(0),\n ingressBytes: integer('ingress_bytes').notNull().default(0),\n egressBytes: integer('egress_bytes').notNull().default(0),\n storageLimitBytes: integer('storage_limit_bytes'),\n bandwidthLimitBps: integer('bandwidth_limit_bps'),\n computeSeconds: integer('compute_seconds').notNull().default(0),\n tokensUsed: integer('tokens_used').notNull().default(0),\n computeLimitSeconds: integer('compute_limit_seconds'),\n tokenLimitMonthly: integer('token_limit_monthly'),\n periodStart: integer('period_start'),\n updatedAt: integer('updated_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n});\n\nexport const podUsage = sqliteTable('identity_pod_usage', {\n podId: text('pod_id').primaryKey(),\n accountId: text('account_id').notNull(),\n storageUrl: text('storage_url'),\n storageBytes: integer('storage_bytes').notNull().default(0),\n ingressBytes: integer('ingress_bytes').notNull().default(0),\n egressBytes: integer('egress_bytes').notNull().default(0),\n storageLimitBytes: integer('storage_limit_bytes'),\n bandwidthLimitBps: integer('bandwidth_limit_bps'),\n computeSeconds: integer('compute_seconds').notNull().default(0),\n tokensUsed: integer('tokens_used').notNull().default(0),\n computeLimitSeconds: integer('compute_limit_seconds'),\n tokenLimitMonthly: integer('token_limit_monthly'),\n periodStart: integer('period_start'),\n updatedAt: integer('updated_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n});\n\n/*\n DDNS 域名池表\n * 管理可用的 DDNS 域名\n /\nexport const ddnsDomains = sqliteTable('identity_ddns_domain', {\n domain: text('domain').primaryKey(), // undefineds.xyz\n status: text('status').default('active'), // 'active' \| 'suspended'\n provider: text('provider'), // 'cloudflare' \| 'tencent'\n zoneId: text('zone_id'), // DNS Zone ID\n createdAt: integer('created_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n});\n\n/\n DDNS 记录表\n * 已分配的子域名记录\n /\nexport const ddnsRecords = sqliteTable('identity_ddns_record', {\n subdomain: text('subdomain').primaryKey(), // alice\n domain: text('domain').notNull(), // undefineds.xyz\n ipAddress: text('ip_address'),\n ipv6Address: text('ipv6_address'),\n recordType: text('record_type').default('A'), // 'A' \| 'AAAA'\n nodeId: text('node_id'), // 关联的节点 ID\n username: text('username'), // 关联的用户名\n status: text('status').default('active'), // 'active' \| 'banned'\n bannedReason: text('banned_reason'),\n ttl: integer('ttl').default(60),\n createdAt: integer('created_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n updatedAt: integer('updated_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n});\n\nexport const edgeNodes = sqliteTable('identity_edge_node', {\n id: text('id').primaryKey(),\n displayName: text('display_name'),\n tokenHash: text('token_hash').notNull(),\n nodeType: text('node_type').default('edge'), // 'center' \| 'edge' \| 'sp'\n subdomain: text('subdomain').unique(),\n accessMode: text('access_mode'),\n ipv4: text('ipv4'), // IPv4 地址\n publicPort: integer('public_port'),\n publicUrl: text('public_url'), // SP 的公网地址 (e.g. https://sp.example)\n serviceTokenHash: text('service_token_hash'), // Cloud → SP 回调认证 token (明文)\n provisionCodeHash: text('provision_code_hash'), // bind 时用户传入的配对码 (hash)\n internalIp: text('internal_ip'), // Internal network IP for center nodes\n internalPort: integer('internal_port'),\n // Extracted from metadata\n hostname: text('hostname'), // 节点主机名\n ipv6: text('ipv6'), // IPv6 地址\n version: text('version'), // Agent 版本\n // JSON fields\n capabilities: text('capabilities'), // JSON string: 能力列表\n metadata: text('metadata'), // JSON string: 复杂对象 (tunnel, certificate, metrics)\n connectivityStatus: text('connectivity_status').default('unknown'),\n lastConnectivityCheck: integer('last_connectivity_check'),\n createdAt: integer('created_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n updatedAt: integer('updated_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n lastSeen: integer('last_seen'),\n});\n\nexport const edgeNodePods = sqliteTable('identity_edge_node_pod', {\n nodeId: text('node_id').notNull().references(() => edgeNodes.id, { onDelete: 'cascade' }),\n baseUrl: text('base_url').notNull(),\n});\n\nexport const apiClientCredentials = sqliteTable('identity_api_client_credentials', {\n clientId: text('client_id').primaryKey(),\n webId: text('web_id').notNull(),\n accountId: text('account_id').notNull(),\n displayName: text('display_name'),\n createdAt: integer('created_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n});\n\n/\n Service Token 表\n * 用于服务间认证 (Business, Local SP, Cloud, Compute)\n */\nexport const serviceTokens = sqliteTable('identity_service_token', {\n id: text('id').primaryKey(),\n tokenHash: text('token_hash').notNull().unique(),\n serviceType: text('service_type').notNull(), // 'local' \| 'business' \| 'cloud' \| 'compute'\n serviceId: text('service_id').notNull(),\n scopes: text('scopes').notNull(), // JSON array: [\"quota:write\",\"usage:read\"]\n createdAt: integer('created_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n expiresAt: integer('expires_at'),\n});\n"]}
1	+ {"version":3,"file":"schema.sqlite.js","sourceRoot":"","sources":["../../../src/identity/drizzle/schema.sqlite.ts"],"names":[],"mappings":";;;AAAA,yDAAiF;AAEpE,QAAA,KAAK,GAAG,IAAA,yBAAW,EAAC,gBAAgB,EAAE;IACjD,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,EAAE,oBAAoB;IAC7D,OAAO,EAAE,IAAA,kBAAI,EAAC,UAAU,CAAC,CAAC,OAAO,EAAE;IACnC,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE;IACvC,YAAY,EAAE,IAAA,qBAAO,EAAC,eAAe,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3D,YAAY,EAAE,IAAA,qBAAO,EAAC,eAAe,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3D,WAAW,EAAE,IAAA,qBAAO,EAAC,cAAc,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACzD,iBAAiB,EAAE,IAAA,qBAAO,EAAC,qBAAqB,CAAC;IACjD,iBAAiB,EAAE,IAAA,qBAAO,EAAC,qBAAqB,CAAC;IACjD,cAAc,EAAE,IAAA,qBAAO,EAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/D,UAAU,EAAE,IAAA,qBAAO,EAAC,aAAa,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACvD,mBAAmB,EAAE,IAAA,qBAAO,EAAC,uBAAuB,CAAC;IACrD,iBAAiB,EAAE,IAAA,qBAAO,EAAC,qBAAqB,CAAC;IACjD,WAAW,EAAE,IAAA,qBAAO,EAAC,cAAc,CAAC;IACpC,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;CAC3F,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC;IACZ,IAAA,wBAAU,EAAC,EAAE,OAAO,EAAE,CAAE,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAE,EAAE,CAAC;CAC5D,CAAC,CAAC;AAEH;;;GAGG;AACU,QAAA,WAAW,GAAG,IAAA,yBAAW,EAAC,qBAAqB,EAAE;IAC5D,SAAS,EAAE,IAAA,kBAAI,EAAC,WAAW,CAAC,CAAC,UAAU,EAAE,EAAW,QAAQ;IAC5D,MAAM,EAAE,IAAA,kBAAI,EAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,EAAoB,iBAAiB;IACrE,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC;IAC7B,WAAW,EAAE,IAAA,kBAAI,EAAC,cAAc,CAAC;IACjC,UAAU,EAAE,IAAA,kBAAI,EAAC,aAAa,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,EAAQ,eAAe;IACnE,MAAM,EAAE,IAAA,kBAAI,EAAC,SAAS,CAAC,EAA6B,WAAW;IAC/D,QAAQ,EAAE,IAAA,kBAAI,EAAC,UAAU,CAAC,EAA0B,SAAS;IAC7D,MAAM,EAAE,IAAA,kBAAI,EAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAY,sBAAsB;IAC1E,YAAY,EAAE,IAAA,kBAAI,EAAC,eAAe,CAAC;IACnC,GAAG,EAAE,IAAA,qBAAO,EAAC,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC/B,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1F,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;CAC3F,CAAC,CAAC;AAEU,QAAA,SAAS,GAAG,IAAA,yBAAW,EAAC,cAAc,EAAE;IACnD,EAAE,EAAE,IAAA,kBAAI,EAAC,IAAI,CAAC,CAAC,UAAU,EAAE;IAC3B,WAAW,EAAE,IAAA,kBAAI,EAAC,cAAc,CAAC;IACjC,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE;IACvC,QAAQ,EAAE,IAAA,kBAAI,EAAC,WAAW,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EAAG,2BAA2B;IACzE,SAAS,EAAE,IAAA,kBAAI,EAAC,WAAW,CAAC,CAAC,MAAM,EAAE;IACrC,UAAU,EAAE,IAAA,kBAAI,EAAC,aAAa,CAAC;IAC/B,IAAI,EAAE,IAAA,kBAAI,EAAC,MAAM,CAAC,EAA2B,UAAU;IACvD,UAAU,EAAE,IAAA,qBAAO,EAAC,aAAa,CAAC;IAClC,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,EAAiB,qCAAqC;IACnF,gBAAgB,EAAE,IAAA,kBAAI,EAAC,oBAAoB,CAAC,EAAE,6BAA6B;IAC3E,iBAAiB,EAAE,IAAA,kBAAI,EAAC,qBAAqB,CAAC,EAAE,wBAAwB;IACxE,UAAU,EAAE,IAAA,kBAAI,EAAC,aAAa,CAAC,EAAe,uCAAuC;IACrF,YAAY,EAAE,IAAA,qBAAO,EAAC,eAAe,CAAC;IACtC,0BAA0B;IAC1B,QAAQ,EAAE,IAAA,kBAAI,EAAC,UAAU,CAAC,EAAoB,QAAQ;IACtD,IAAI,EAAE,IAAA,kBAAI,EAAC,MAAM,CAAC,EAA2B,UAAU;IACvD,OAAO,EAAE,IAAA,kBAAI,EAAC,SAAS,CAAC,EAAqB,WAAW;IACxD,cAAc;IACd,YAAY,EAAE,IAAA,kBAAI,EAAC,cAAc,CAAC,EAAY,oBAAoB;IAClE,QAAQ,EAAE,IAAA,kBAAI,EAAC,UAAU,CAAC,EAAoB,mDAAmD;IACjG,WAAW,EAAE,IAAA,kBAAI,EAAC,eAAe,CAAC,EAAa,mDAAmD;IAClG,kBAAkB,EAAE,IAAA,kBAAI,EAAC,qBAAqB,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAClE,qBAAqB,EAAE,IAAA,qBAAO,EAAC,yBAAyB,CAAC;IACzD,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1F,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1F,QAAQ,EAAE,IAAA,qBAAO,EAAC,WAAW,CAAC;CAC/B,CAAC,CAAC;AAEH;;;GAGG;AACU,QAAA,aAAa,GAAG,IAAA,yBAAW,EAAC,uBAAuB,EAAE;IAChE,EAAE,EAAE,IAAA,kBAAI,EAAC,IAAI,CAAC,CAAC,UAAU,EAAE;IAC3B,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE;IAChD,WAAW,EAAE,IAAA,kBAAI,EAAC,cAAc,CAAC,CAAC,OAAO,EAAE,EAAE,6CAA6C;IAC1F,SAAS,EAAE,IAAA,kBAAI,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE;IACvC,MAAM,EAAE,IAAA,kBAAI,EAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,EAAE,2CAA2C;IAC7E,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1F,SAAS,EAAE,IAAA,qBAAO,EAAC,YAAY,CAAC;CACjC,CAAC,CAAC","sourcesContent":["import { sqliteTable, text, integer, primaryKey } from 'drizzle-orm/sqlite-core';\n\nexport const usage = sqliteTable('identity_usage', {\n scopeType: text('scope_type').notNull(), // 'account' \| 'pod'\n scopeId: text('scope_id').notNull(),\n accountId: text('account_id').notNull(),\n storageBytes: integer('storage_bytes').notNull().default(0),\n ingressBytes: integer('ingress_bytes').notNull().default(0),\n egressBytes: integer('egress_bytes').notNull().default(0),\n storageLimitBytes: integer('storage_limit_bytes'),\n bandwidthLimitBps: integer('bandwidth_limit_bps'),\n computeSeconds: integer('compute_seconds').notNull().default(0),\n tokensUsed: integer('tokens_used').notNull().default(0),\n computeLimitSeconds: integer('compute_limit_seconds'),\n tokenLimitMonthly: integer('token_limit_monthly'),\n periodStart: integer('period_start'),\n updatedAt: integer('updated_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n}, (table) => [\n primaryKey({ columns: [ table.scopeType, table.scopeId ] }),\n]);\n\n/*\n Cloud cluster DDNS 记录表\n * 已分配的子域名记录\n /\nexport const ddnsRecords = sqliteTable('cluster_ddns_record', {\n subdomain: text('subdomain').primaryKey(), // alice\n domain: text('domain').notNull(), // undefineds.xyz\n ipAddress: text('ip_address'),\n ipv6Address: text('ipv6_address'),\n recordType: text('record_type').default('A'), // 'A' \| 'AAAA'\n nodeId: text('node_id'), // 关联的节点 ID\n username: text('username'), // 关联的用户名\n status: text('status').default('active'), // 'active' \| 'banned'\n bannedReason: text('banned_reason'),\n ttl: integer('ttl').default(60),\n createdAt: integer('created_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n updatedAt: integer('updated_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n});\n\nexport const edgeNodes = sqliteTable('cluster_node', {\n id: text('id').primaryKey(),\n displayName: text('display_name'),\n tokenHash: text('token_hash').notNull(),\n nodeType: text('node_type').default('edge'), // 'center' \| 'edge' \| 'sp'\n subdomain: text('subdomain').unique(),\n accessMode: text('access_mode'),\n ipv4: text('ipv4'), // IPv4 地址\n publicPort: integer('public_port'),\n publicUrl: text('public_url'), // SP 的公网地址 (e.g. https://sp.example)\n serviceTokenHash: text('service_token_hash'), // Cloud → SP 回调认证 token (明文)\n provisionCodeHash: text('provision_code_hash'), // bind 时用户传入的配对码 (hash)\n internalIp: text('internal_ip'), // Internal network IP for center nodes\n internalPort: integer('internal_port'),\n // Extracted from metadata\n hostname: text('hostname'), // 节点主机名\n ipv6: text('ipv6'), // IPv6 地址\n version: text('version'), // Agent 版本\n // JSON fields\n capabilities: text('capabilities'), // JSON string: 能力列表\n metadata: text('metadata'), // JSON string: 复杂对象 (tunnel, certificate, metrics)\n podBaseUrls: text('pod_base_urls'), // JSON string: node-owned Pod/storage URL prefixes\n connectivityStatus: text('connectivity_status').default('unknown'),\n lastConnectivityCheck: integer('last_connectivity_check'),\n createdAt: integer('created_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n updatedAt: integer('updated_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n lastSeen: integer('last_seen'),\n});\n\n/\n Cloud cluster Service Token 表\n * 用于服务间认证 (Business, Local SP, Cloud, Compute)\n */\nexport const serviceTokens = sqliteTable('cluster_service_token', {\n id: text('id').primaryKey(),\n tokenHash: text('token_hash').notNull().unique(),\n serviceType: text('service_type').notNull(), // 'local' \| 'business' \| 'cloud' \| 'compute'\n serviceId: text('service_id').notNull(),\n scopes: text('scopes').notNull(), // JSON array: [\"quota:write\",\"usage:read\"]\n createdAt: integer('created_at').notNull().$defaultFn(() => Math.floor(Date.now() / 1000)),\n expiresAt: integer('expires_at'),\n});\n"]}

package/dist/identity/oidc/ScopedPickWebIdHandler.d.ts CHANGED Viewed

@@ -6,12 +6,14 @@ export interface ScopedPickWebIdHandlerOptions {
     webIdStore: WebIdStore;
     providerFactory: ProviderFactory;
     identityDbUrl?: string;
+    provisionBaseUrl?: string;
     podLookupRepository?: PodWebIdLookupRepository;
     fetch?: FetchLike;
 }
 export interface PodWebIdLookupRepository {
     findByWebId: (webId: string) => Promise<PodLookupResult | undefined>;
     findAllByWebId?: (webId: string) => Promise<PodLookupResult[]>;
+    findByWebIds?: (webIds: string[]) => Promise<PodLookupResult[]>;
 }
 /**
  * CSS-compatible WebID picker scoped to the current storage provider.
@@ -24,6 +26,7 @@ export declare class ScopedPickWebIdHandler extends JsonInteractionHandler imple
     private readonly logger;
     private readonly webIdStore;
     private readonly providerFactory;
+    private readonly provisionBaseUrl?;
     private readonly podLookupRepository?;
     private readonly fetch;
     constructor(options: ScopedPickWebIdHandlerOptions);

package/dist/identity/oidc/ScopedPickWebIdHandler.js CHANGED Viewed

@@ -24,6 +24,7 @@ class ScopedPickWebIdHandler extends community_server_1.JsonInteractionHandler {
         this.logger = (0, global_logger_factory_1.getLoggerFor)(this);
         this.webIdStore = options.webIdStore;
         this.providerFactory = options.providerFactory;
+        this.provisionBaseUrl = normalizeOptionalUrl(options.provisionBaseUrl);
         this.podLookupRepository = options.podLookupRepository ??
             (options.identityDbUrl ? new PodLookupRepository_1.PodLookupRepository((0, db_1.getIdentityDatabase)(options.identityDbUrl)) : undefined);
         this.fetch = options.fetch ?? globalThis.fetch.bind(globalThis);
@@ -97,10 +98,16 @@ class ScopedPickWebIdHandler extends community_server_1.JsonInteractionHandler {
             return undefined;
         }
         try {
-            const pods = this.podLookupRepository.findAllByWebId
-                ? await this.podLookupRepository.findAllByWebId(webId)
-                : await this.podLookupRepository.findByWebId(webId).then((pod) => pod ? [pod] : []);
-            return pods.find((pod) => matchesTargetStorage(pod, targetStorageUrl));
+            if (this.podLookupRepository.findAllByWebId) {
+                const pods = await this.podLookupRepository.findAllByWebId(webId);
+                return pods.find((pod) => matchesTargetStorage(pod, targetStorageUrl));
+            }
+            if (this.podLookupRepository.findByWebIds) {
+                const pods = await this.podLookupRepository.findByWebIds([webId]);
+                return pods.find((pod) => matchesTargetStorage(pod, targetStorageUrl));
+            }
+            const pod = await this.podLookupRepository.findByWebId(webId);
+            return pod && matchesTargetStorage(pod, targetStorageUrl) ? pod : undefined;
         }
         catch (error) {
             this.logger.warn(`Pod lookup unavailable for WebID ${webId}: ${error}`);
@@ -112,7 +119,7 @@ class ScopedPickWebIdHandler extends community_server_1.JsonInteractionHandler {
         if (!provisionCode) {
             return { storageUrl: ensureTrailingSlash(provider.issuer) };
         }
-        const payload = new ProvisionCodeCodec_1.ProvisionCodeCodec(provider.issuer).decode(provisionCode);
+        const payload = new ProvisionCodeCodec_1.ProvisionCodeCodec(this.provisionBaseUrl ?? provider.issuer).decode(provisionCode);
         if (!payload) {
             throw new community_server_1.BadRequestHttpError('Invalid or expired provisionCode.');
         }
@@ -187,8 +194,13 @@ function deriveStorageRoot(url) {
 function ensureTrailingSlash(url) {
     return url.replace(/\/+$/u, '') + '/';
 }
+function normalizeOptionalUrl(url) {
+    const trimmed = url?.trim();
+    return trimmed ? trimmed : undefined;
+}
 function matchesTargetStorage(pod, targetStorageUrl) {
-    const candidateUrls = [pod.storageUrl, pod.baseUrl].filter((value) => typeof value === 'string' && value.length > 0);
+    const candidateUrls = (pod.storageUrl ? [pod.storageUrl] : [pod.baseUrl])
+        .filter((value) => typeof value === 'string' && value.length > 0);
     const targetRoot = deriveStorageRoot(targetStorageUrl);
     if (!targetRoot) {
         return false;

package/dist/identity/oidc/ScopedPickWebIdHandler.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ScopedPickWebIdHandler.js","sourceRoot":"","sources":["../../../src/identity/oidc/ScopedPickWebIdHandler.ts"],"names":[],"mappings":";;;AAAA,6BAA8C;AAC9C,iEAAqD;AACrD,8DAUiC;AASjC,sCAAoD;AACpD,wEAA2F;AAC3F,2EAAwE;AAIxE,MAAM,QAAQ,GAAG,IAAA,YAAM,EAAC;IACtB,KAAK,EAAE,IAAA,YAAM,GAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;IACjC,QAAQ,EAAE,IAAA,aAAO,GAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACnC,CAAC,CAAC;AAqBH;;;;;;GAMG;AACH,MAAa,sBAAuB,SAAQ,yCAAsB;IAOhE,YAAmB,OAAsC;QACvD,KAAK,EAAE,CAAC;QAPO,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAQ3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;QAC/C,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,mBAAmB;YACpD,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,yCAAmB,CAAC,IAAA,wBAAmB,EAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAC5G,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClE,CAAC;IAEM,KAAK,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,eAAe,EAA+B;QAC9E,IAAA,kCAAe,EAAC,SAAS,CAAC,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;QAC1D,MAAM,WAAW,GAAG,IAAA,8BAAW,EAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QAC1E,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAEnE,OAAO;YACL,IAAI,EAAE;gBACJ,GAAG,WAAW;gBACd,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC;gBAC3C,OAAO;aACR;SACF,CAAC;IACJ,CAAC;IAEM,KAAK,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,SAAS,EAAE,IAAI,EAA+B;QACnF,IAAA,wCAAqB,EAAC,eAAe,CAAC,CAAC;QACvC,IAAA,kCAAe,EAAC,SAAS,CAAC,CAAC;QAC3B,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAA,oCAAiB,EAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACpE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;QAC1D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QAE1E,IAAI,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,EAAE,SAAS,CAAC,EAAE,CAAC;YACtD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wBAAwB,KAAK,qCAAqC,SAAS,EAAE,CAAC,CAAC;YAChG,MAAM,IAAI,sCAAmB,CAAC,wCAAwC,CAAC,CAAC;QAC1E,CAAC;QAED,IAAI,CAAC,MAAM,IAAI,CAAC,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,CAAC;YACvD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wBAAwB,KAAK,iDAAiD,CAAC,CAAC;YACjG,MAAM,IAAI,sCAAmB,CAAC,iDAAiD,CAAC,CAAC;QACnF,CAAC;QAED,MAAM,IAAA,8BAAW,EAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QAC7C,MAAM,QAAQ,GAAG,MAAM,IAAA,oCAAiB,EAAC,eAAe,EAAE;YACxD,KAAK,EAAE;gBACL,SAAS,EAAE,KAAK;gBAChB,QAAQ;aACT;SACF,EAAE,IAAI,CAAC,CAAC;QACT,MAAM,IAAI,iCAAc,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAAC,SAAiB,EAAE,MAAqB;QACzE,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtF,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,OAAO,GAAiB,EAAE,CAAC;QACjC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;YAC3D,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,SAAS;YACX,CAAC;YACD,MAAM,UAAU,GAAG,mBAAmB,CAAC,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;YACtE,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK;gBACL,UAAU;gBACV,WAAW,EAAE,iBAAiB,CAAC,KAAK,EAAE,UAAU,CAAC;aAClD,CAAC,CAAC;QACL,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,uBAAuB,CAAC,KAAa,EAAE,MAAqB;QACxE,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACxB,OAAO,CAAC,MAAM,IAAI,CAAC,sBAAsB,CAAC,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC;QACrG,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;IACjE,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,KAAa,EAAE,gBAAwB;QAC7D,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAC;YACjG,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAI,CAAC,mBAAmB,CAAC,cAAc;gBAClD,CAAC,CAAC,MAAM,IAAI,CAAC,mBAAmB,CAAC,cAAc,CAAC,KAAK,CAAC;gBACtD,CAAC,CAAC,MAAM,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACtF,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,oBAAoB,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC,CAAC;QACzE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,KAAK,KAAK,KAAK,EAAE,CAAC,CAAC;YACxE,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAChC,QAA4B,EAC5B,eAAgE;QAEhE,MAAM,aAAa,GAAG,oBAAoB,CAAC,eAAe,CAAC,CAAC;QAC5D,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,EAAE,UAAU,EAAE,mBAAmB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9D,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,uCAAkB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAC9E,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,sCAAmB,CAAC,mCAAmC,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ;YAChC,CAAC,CAAC,WAAW,OAAO,CAAC,QAAQ,EAAE;YAC/B,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;QAClB,OAAO;YACL,UAAU,EAAE,mBAAmB,CAAC,SAAS,CAAC;YAC1C,SAAS,EAAE,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC;YAC7C,YAAY,EAAE,OAAO,CAAC,YAAY;SACnC,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,sBAAsB,CAAC,MAAgB,EAAE,MAAqB;QAC1E,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrE,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,EAAE;YAC3F,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,MAAM,CAAC,YAAY,EAAE;gBAChD,cAAc,EAAE,kBAAkB;gBAClC,QAAQ,EAAE,kBAAkB;aAC7B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;SACjC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uCAAuC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAC3E,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAA8C,CAAC;QAClG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;YAClC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC,OAAO;aAChB,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,IAAI,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;aACpF,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,CAAC,UAAU,KAAK,QAAQ,IAAI,oBAAoB,CAC7E;YACE,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,UAAU;YACzC,UAAU,EAAE,KAAK,CAAC,UAAU;SAC7B,EACD,MAAM,CAAC,UAAU,CAClB,CAAC;aACD,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACf,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,UAAU,EAAE,mBAAmB,CAAC,KAAK,CAAC,UAAU,CAAC;YACjD,WAAW,EAAE,iBAAiB,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,UAAU,CAAC;SAC9D,CAAC,CAAC,CAAC;IACR,CAAC;CACF;AA5KD,wDA4KC;AAcD,SAAS,iBAAiB,CAAC,KAAa,EAAE,UAAkB;IAC1D,MAAM,SAAS,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAC3C,MAAM,WAAW,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAClD,IAAI,CAAC,SAAS,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/B,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,OAAO,SAAS,KAAK,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;AACvD,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,mBAAmB,CAAC,IAAI,GAAG,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IACpF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAW;IACtC,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC;AACxC,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAoB,EAAE,gBAAwB;IAC1E,MAAM,aAAa,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACtI,MAAM,UAAU,GAAG,iBAAiB,CAAC,gBAAgB,CAAC,CAAC;IACvD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,MAAM,SAAS,IAAI,aAAa,EAAE,CAAC;QACtC,MAAM,aAAa,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;QACnD,IAAI,aAAa,IAAI,aAAa,KAAK,UAAU,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,YAAY,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;QACpD,IAAI,YAAY,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAC/E,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,oBAAoB,CAAC,eAA+D;IAC3F,MAAM,MAAM,GAAG,eAAe,EAAE,MAA6C,CAAC;IAC9E,MAAM,KAAK,GAAG,MAAM,EAAE,aAAa,CAAC;IACpC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACzF,CAAC","sourcesContent":["import { boolean, object, string } from 'yup';\nimport { getLoggerFor } from 'global-logger-factory';\nimport {\n BadRequestHttpError,\n FoundHttpError,\n JsonInteractionHandler,\n assertAccountId,\n assertOidcInteraction,\n finishInteraction,\n forgetWebId,\n parseSchema,\n validateWithError,\n} from '@solid/community-server';\nimport type {\n Json,\n JsonInteractionHandlerInput,\n JsonRepresentation,\n JsonView,\n ProviderFactory,\n WebIdStore,\n} from '@solid/community-server';\nimport { getIdentityDatabase } from '../drizzle/db';\nimport { PodLookupRepository, type PodLookupResult } from '../drizzle/PodLookupRepository';\nimport { ProvisionCodeCodec } from '../../provision/ProvisionCodeCodec';\n\ntype FetchLike = (input: RequestInfo \| URL, init?: RequestInit) => Promise<Response>;\n\nconst inSchema = object({\n webId: string().trim().required(),\n remember: boolean().default(false),\n});\n\nexport interface ScopedPickWebIdHandlerOptions {\n webIdStore: WebIdStore;\n providerFactory: ProviderFactory;\n identityDbUrl?: string;\n podLookupRepository?: PodWebIdLookupRepository;\n fetch?: FetchLike;\n}\n\nexport interface PodWebIdLookupRepository {\n findByWebId: (webId: string) => Promise<PodLookupResult \| undefined>;\n findAllByWebId?: (webId: string) => Promise<PodLookupResult[]>;\n}\n\ninterface WebIdEntry extends Record<string, Json \| undefined> {\n webId: string;\n storageUrl?: string;\n storageMode?: 'cloud' \| 'local' \| 'custom';\n}\n\n/*\n CSS-compatible WebID picker scoped to the current storage provider.\n \n The upstream handler lists every WebID linked to the IdP account. In an\n * IDP/SP split flow that lets a Local SP login pick a Cloud Pod again, so this\n * replacement keeps consent choices constrained by the selected SP's Pod facts.\n */\nexport class ScopedPickWebIdHandler extends JsonInteractionHandler implements JsonView {\n private readonly logger = getLoggerFor(this);\n private readonly webIdStore: WebIdStore;\n private readonly providerFactory: ProviderFactory;\n private readonly podLookupRepository?: PodWebIdLookupRepository;\n private readonly fetch: FetchLike;\n\n public constructor(options: ScopedPickWebIdHandlerOptions) {\n super();\n this.webIdStore = options.webIdStore;\n this.providerFactory = options.providerFactory;\n this.podLookupRepository = options.podLookupRepository ??\n (options.identityDbUrl ? new PodLookupRepository(getIdentityDatabase(options.identityDbUrl)) : undefined);\n this.fetch = options.fetch ?? globalThis.fetch.bind(globalThis);\n }\n\n public async getView({ accountId, oidcInteraction }: JsonInteractionHandlerInput): Promise<JsonRepresentation> {\n assertAccountId(accountId);\n const provider = await this.providerFactory.getProvider();\n const description = parseSchema(inSchema);\n const target = await this.resolveTargetStorage(provider, oidcInteraction);\n const entries = await this.resolveScopedEntries(accountId, target);\n\n return {\n json: {\n ...description,\n webIds: entries.map((entry) => entry.webId),\n entries,\n },\n };\n }\n\n public async handle({ oidcInteraction, accountId, json }: JsonInteractionHandlerInput): Promise<never> {\n assertOidcInteraction(oidcInteraction);\n assertAccountId(accountId);\n const { webId, remember } = await validateWithError(inSchema, json);\n const provider = await this.providerFactory.getProvider();\n const target = await this.resolveTargetStorage(provider, oidcInteraction);\n\n if (!await this.webIdStore.isLinked(webId, accountId)) {\n this.logger.warn(`Trying to pick WebID ${webId} which does not belong to account ${accountId}`);\n throw new BadRequestHttpError('WebID does not belong to this account.');\n }\n\n if (!await this.isResolvableByCurrentSp(webId, target)) {\n this.logger.warn(`Trying to pick WebID ${webId} which does not belong to this storage provider`);\n throw new BadRequestHttpError('WebID does not belong to this storage provider.');\n }\n\n await forgetWebId(provider, oidcInteraction);\n const location = await finishInteraction(oidcInteraction, {\n login: {\n accountId: webId,\n remember,\n },\n }, true);\n throw new FoundHttpError(location);\n }\n\n private async resolveScopedEntries(accountId: string, target: TargetStorage): Promise<WebIdEntry[]> {\n const webIds = (await this.webIdStore.findLinks(accountId)).map((link) => link.webId);\n if (target.serviceToken) {\n return this.resolveRemoteSpEntries(webIds, target);\n }\n\n const entries: WebIdEntry[] = [];\n for (const webId of webIds) {\n const pod = await this.findSpPod(webId, target.storageUrl);\n if (!pod) {\n continue;\n }\n const storageUrl = ensureTrailingSlash(pod.storageUrl ?? pod.baseUrl);\n entries.push({\n webId,\n storageUrl,\n storageMode: deriveStorageMode(webId, storageUrl),\n });\n }\n return entries;\n }\n\n private async isResolvableByCurrentSp(webId: string, target: TargetStorage): Promise<boolean> {\n if (target.serviceToken) {\n return (await this.resolveRemoteSpEntries([webId], target)).some((entry) => entry.webId === webId);\n }\n return Boolean(await this.findSpPod(webId, target.storageUrl));\n }\n\n private async findSpPod(webId: string, targetStorageUrl: string): Promise<PodLookupResult \| undefined> {\n if (!this.podLookupRepository) {\n this.logger.warn('No PodLookupRepository configured; refusing to expose unscoped WebID choices');\n return undefined;\n }\n\n try {\n const pods = this.podLookupRepository.findAllByWebId\n ? await this.podLookupRepository.findAllByWebId(webId)\n : await this.podLookupRepository.findByWebId(webId).then((pod) => pod ? [pod] : []);\n return pods.find((pod) => matchesTargetStorage(pod, targetStorageUrl));\n } catch (error) {\n this.logger.warn(`Pod lookup unavailable for WebID ${webId}: ${error}`);\n return undefined;\n }\n }\n\n private async resolveTargetStorage(\n provider: { issuer: string },\n oidcInteraction?: JsonInteractionHandlerInput['oidcInteraction'],\n ): Promise<TargetStorage> {\n const provisionCode = extractProvisionCode(oidcInteraction);\n if (!provisionCode) {\n return { storageUrl: ensureTrailingSlash(provider.issuer) };\n }\n\n const payload = new ProvisionCodeCodec(provider.issuer).decode(provisionCode);\n if (!payload) {\n throw new BadRequestHttpError('Invalid or expired provisionCode.');\n }\n\n const targetUrl = payload.spDomain\n ? `https://${payload.spDomain}`\n : payload.spUrl;\n return {\n storageUrl: ensureTrailingSlash(targetUrl),\n lookupUrl: ensureTrailingSlash(payload.spUrl),\n serviceToken: payload.serviceToken,\n };\n }\n\n private async resolveRemoteSpEntries(webIds: string[], target: TargetStorage): Promise<WebIdEntry[]> {\n if (!target.lookupUrl \|\| !target.serviceToken \|\| webIds.length === 0) {\n return [];\n }\n\n const response = await this.fetch(new URL('/provision/webids', target.lookupUrl).toString(), {\n method: 'POST',\n headers: {\n 'Authorization': `Bearer ${target.serviceToken}`,\n 'Content-Type': 'application/json',\n 'Accept': 'application/json',\n },\n body: JSON.stringify({ webIds }),\n });\n\n if (!response.ok) {\n this.logger.warn(`Remote SP WebID lookup failed: HTTP ${response.status}`);\n return [];\n }\n\n const body = await response.json().catch(() => null) as { entries?: RemoteSpWebIdEntry[] } \| null;\n if (!Array.isArray(body?.entries)) {\n return [];\n }\n\n const allowedWebIds = new Set(webIds);\n return body.entries\n .filter((entry) => typeof entry.webId === 'string' && allowedWebIds.has(entry.webId))\n .filter((entry) => typeof entry.storageUrl === 'string' && matchesTargetStorage(\n {\n podId: '',\n accountId: '',\n baseUrl: entry.podUrl ?? entry.storageUrl,\n storageUrl: entry.storageUrl,\n },\n target.storageUrl,\n ))\n .map((entry) => ({\n webId: entry.webId,\n storageUrl: ensureTrailingSlash(entry.storageUrl),\n storageMode: deriveStorageMode(entry.webId, entry.storageUrl),\n }));\n }\n}\n\ninterface TargetStorage {\n storageUrl: string;\n lookupUrl?: string;\n serviceToken?: string;\n}\n\ninterface RemoteSpWebIdEntry {\n webId: string;\n podUrl?: string;\n storageUrl: string;\n}\n\nfunction deriveStorageMode(webId: string, storageUrl: string): 'cloud' \| 'local' \| 'custom' {\n const webIdRoot = deriveStorageRoot(webId);\n const storageRoot = deriveStorageRoot(storageUrl);\n if (!webIdRoot \|\| !storageRoot) {\n return 'custom';\n }\n return webIdRoot === storageRoot ? 'cloud' : 'local';\n}\n\nfunction deriveStorageRoot(url: string): string \| undefined {\n try {\n const parsed = new URL(url);\n const segments = parsed.pathname.split('/').filter(Boolean);\n if (segments.length === 0) {\n return ensureTrailingSlash(parsed.origin);\n }\n\n return ensureTrailingSlash(new URL(`/${segments[0]}/`, parsed.origin).toString());\n } catch {\n return undefined;\n }\n}\n\nfunction ensureTrailingSlash(url: string): string {\n return url.replace(/\\/+$/u, '') + '/';\n}\n\nfunction matchesTargetStorage(pod: PodLookupResult, targetStorageUrl: string): boolean {\n const candidateUrls = [pod.storageUrl, pod.baseUrl].filter((value): value is string => typeof value === 'string' && value.length > 0);\n const targetRoot = deriveStorageRoot(targetStorageUrl);\n if (!targetRoot) {\n return false;\n }\n\n for (const candidate of candidateUrls) {\n const candidateRoot = deriveStorageRoot(candidate);\n if (candidateRoot && candidateRoot === targetRoot) {\n return true;\n }\n\n const candidateUrl = ensureTrailingSlash(candidate);\n if (candidateUrl.startsWith(targetRoot) \|\| targetRoot.startsWith(candidateUrl)) {\n return true;\n }\n }\n\n return false;\n}\n\nfunction extractProvisionCode(oidcInteraction: JsonInteractionHandlerInput['oidcInteraction']): string \| undefined {\n const params = oidcInteraction?.params as Record<string, unknown> \| undefined;\n const value = params?.provisionCode;\n return typeof value === 'string' && value.trim().length > 0 ? value.trim() : undefined;\n}\n"]}
1	+ {"version":3,"file":"ScopedPickWebIdHandler.js","sourceRoot":"","sources":["../../../src/identity/oidc/ScopedPickWebIdHandler.ts"],"names":[],"mappings":";;;AAAA,6BAA8C;AAC9C,iEAAqD;AACrD,8DAUiC;AASjC,sCAAoD;AACpD,wEAA2F;AAC3F,2EAAwE;AAIxE,MAAM,QAAQ,GAAG,IAAA,YAAM,EAAC;IACtB,KAAK,EAAE,IAAA,YAAM,GAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;IACjC,QAAQ,EAAE,IAAA,aAAO,GAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACnC,CAAC,CAAC;AAuBH;;;;;;GAMG;AACH,MAAa,sBAAuB,SAAQ,yCAAsB;IAQhE,YAAmB,OAAsC;QACvD,KAAK,EAAE,CAAC;QARO,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAS3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;QAC/C,IAAI,CAAC,gBAAgB,GAAG,oBAAoB,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACvE,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,mBAAmB;YACpD,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,yCAAmB,CAAC,IAAA,wBAAmB,EAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAC5G,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClE,CAAC;IAEM,KAAK,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,eAAe,EAA+B;QAC9E,IAAA,kCAAe,EAAC,SAAS,CAAC,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;QAC1D,MAAM,WAAW,GAAG,IAAA,8BAAW,EAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QAC1E,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAEnE,OAAO;YACL,IAAI,EAAE;gBACJ,GAAG,WAAW;gBACd,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC;gBAC3C,OAAO;aACR;SACF,CAAC;IACJ,CAAC;IAEM,KAAK,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,SAAS,EAAE,IAAI,EAA+B;QACnF,IAAA,wCAAqB,EAAC,eAAe,CAAC,CAAC;QACvC,IAAA,kCAAe,EAAC,SAAS,CAAC,CAAC;QAC3B,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAA,oCAAiB,EAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACpE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;QAC1D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QAE1E,IAAI,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,EAAE,SAAS,CAAC,EAAE,CAAC;YACtD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wBAAwB,KAAK,qCAAqC,SAAS,EAAE,CAAC,CAAC;YAChG,MAAM,IAAI,sCAAmB,CAAC,wCAAwC,CAAC,CAAC;QAC1E,CAAC;QAED,IAAI,CAAC,MAAM,IAAI,CAAC,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,CAAC;YACvD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wBAAwB,KAAK,iDAAiD,CAAC,CAAC;YACjG,MAAM,IAAI,sCAAmB,CAAC,iDAAiD,CAAC,CAAC;QACnF,CAAC;QAED,MAAM,IAAA,8BAAW,EAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QAC7C,MAAM,QAAQ,GAAG,MAAM,IAAA,oCAAiB,EAAC,eAAe,EAAE;YACxD,KAAK,EAAE;gBACL,SAAS,EAAE,KAAK;gBAChB,QAAQ;aACT;SACF,EAAE,IAAI,CAAC,CAAC;QACT,MAAM,IAAI,iCAAc,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAAC,SAAiB,EAAE,MAAqB;QACzE,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtF,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,OAAO,GAAiB,EAAE,CAAC;QACjC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;YAC3D,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,SAAS;YACX,CAAC;YACD,MAAM,UAAU,GAAG,mBAAmB,CAAC,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;YACtE,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK;gBACL,UAAU;gBACV,WAAW,EAAE,iBAAiB,CAAC,KAAK,EAAE,UAAU,CAAC;aAClD,CAAC,CAAC;QACL,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,uBAAuB,CAAC,KAAa,EAAE,MAAqB;QACxE,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACxB,OAAO,CAAC,MAAM,IAAI,CAAC,sBAAsB,CAAC,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC;QACrG,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;IACjE,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,KAAa,EAAE,gBAAwB;QAC7D,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAC;YACjG,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,mBAAmB,CAAC,cAAc,EAAE,CAAC;gBAC5C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;gBAClE,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,oBAAoB,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC,CAAC;YACzE,CAAC;YAED,IAAI,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE,CAAC;gBAC1C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;gBAClE,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,oBAAoB,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC,CAAC;YACzE,CAAC;YAED,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YAC9D,OAAO,GAAG,IAAI,oBAAoB,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,KAAK,KAAK,KAAK,EAAE,CAAC,CAAC;YACxE,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAChC,QAA4B,EAC5B,eAAgE;QAEhE,MAAM,aAAa,GAAG,oBAAoB,CAAC,eAAe,CAAC,CAAC;QAC5D,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,EAAE,UAAU,EAAE,mBAAmB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9D,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,uCAAkB,CAAC,IAAI,CAAC,gBAAgB,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QACvG,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,sCAAmB,CAAC,mCAAmC,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ;YAChC,CAAC,CAAC,WAAW,OAAO,CAAC,QAAQ,EAAE;YAC/B,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;QAClB,OAAO;YACL,UAAU,EAAE,mBAAmB,CAAC,SAAS,CAAC;YAC1C,SAAS,EAAE,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC;YAC7C,YAAY,EAAE,OAAO,CAAC,YAAY;SACnC,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,sBAAsB,CAAC,MAAgB,EAAE,MAAqB;QAC1E,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrE,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,EAAE;YAC3F,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,MAAM,CAAC,YAAY,EAAE;gBAChD,cAAc,EAAE,kBAAkB;gBAClC,QAAQ,EAAE,kBAAkB;aAC7B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;SACjC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uCAAuC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAC3E,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAA8C,CAAC;QAClG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;YAClC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC,OAAO;aAChB,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,IAAI,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;aACpF,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,CAAC,UAAU,KAAK,QAAQ,IAAI,oBAAoB,CAC7E;YACE,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,UAAU;YACzC,UAAU,EAAE,KAAK,CAAC,UAAU;SAC7B,EACD,MAAM,CAAC,UAAU,CAClB,CAAC;aACD,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACf,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,UAAU,EAAE,mBAAmB,CAAC,KAAK,CAAC,UAAU,CAAC;YACjD,WAAW,EAAE,iBAAiB,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,UAAU,CAAC;SAC9D,CAAC,CAAC,CAAC;IACR,CAAC;CACF;AAtLD,wDAsLC;AAcD,SAAS,iBAAiB,CAAC,KAAa,EAAE,UAAkB;IAC1D,MAAM,SAAS,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAC3C,MAAM,WAAW,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAClD,IAAI,CAAC,SAAS,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/B,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,OAAO,SAAS,KAAK,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;AACvD,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,mBAAmB,CAAC,IAAI,GAAG,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IACpF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAW;IACtC,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC;AACxC,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAuB;IACnD,MAAM,OAAO,GAAG,GAAG,EAAE,IAAI,EAAE,CAAC;IAC5B,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;AACvC,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAoB,EAAE,gBAAwB;IAC1E,MAAM,aAAa,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;SACtE,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACrF,MAAM,UAAU,GAAG,iBAAiB,CAAC,gBAAgB,CAAC,CAAC;IACvD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,MAAM,SAAS,IAAI,aAAa,EAAE,CAAC;QACtC,MAAM,aAAa,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;QACnD,IAAI,aAAa,IAAI,aAAa,KAAK,UAAU,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,YAAY,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;QACpD,IAAI,YAAY,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAC/E,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,oBAAoB,CAAC,eAA+D;IAC3F,MAAM,MAAM,GAAG,eAAe,EAAE,MAA6C,CAAC;IAC9E,MAAM,KAAK,GAAG,MAAM,EAAE,aAAa,CAAC;IACpC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACzF,CAAC","sourcesContent":["import { boolean, object, string } from 'yup';\nimport { getLoggerFor } from 'global-logger-factory';\nimport {\n BadRequestHttpError,\n FoundHttpError,\n JsonInteractionHandler,\n assertAccountId,\n assertOidcInteraction,\n finishInteraction,\n forgetWebId,\n parseSchema,\n validateWithError,\n} from '@solid/community-server';\nimport type {\n Json,\n JsonInteractionHandlerInput,\n JsonRepresentation,\n JsonView,\n ProviderFactory,\n WebIdStore,\n} from '@solid/community-server';\nimport { getIdentityDatabase } from '../drizzle/db';\nimport { PodLookupRepository, type PodLookupResult } from '../drizzle/PodLookupRepository';\nimport { ProvisionCodeCodec } from '../../provision/ProvisionCodeCodec';\n\ntype FetchLike = (input: RequestInfo \| URL, init?: RequestInit) => Promise<Response>;\n\nconst inSchema = object({\n webId: string().trim().required(),\n remember: boolean().default(false),\n});\n\nexport interface ScopedPickWebIdHandlerOptions {\n webIdStore: WebIdStore;\n providerFactory: ProviderFactory;\n identityDbUrl?: string;\n provisionBaseUrl?: string;\n podLookupRepository?: PodWebIdLookupRepository;\n fetch?: FetchLike;\n}\n\nexport interface PodWebIdLookupRepository {\n findByWebId: (webId: string) => Promise<PodLookupResult \| undefined>;\n findAllByWebId?: (webId: string) => Promise<PodLookupResult[]>;\n findByWebIds?: (webIds: string[]) => Promise<PodLookupResult[]>;\n}\n\ninterface WebIdEntry extends Record<string, Json \| undefined> {\n webId: string;\n storageUrl?: string;\n storageMode?: 'cloud' \| 'local' \| 'custom';\n}\n\n/*\n CSS-compatible WebID picker scoped to the current storage provider.\n \n The upstream handler lists every WebID linked to the IdP account. In an\n * IDP/SP split flow that lets a Local SP login pick a Cloud Pod again, so this\n * replacement keeps consent choices constrained by the selected SP's Pod facts.\n */\nexport class ScopedPickWebIdHandler extends JsonInteractionHandler implements JsonView {\n private readonly logger = getLoggerFor(this);\n private readonly webIdStore: WebIdStore;\n private readonly providerFactory: ProviderFactory;\n private readonly provisionBaseUrl?: string;\n private readonly podLookupRepository?: PodWebIdLookupRepository;\n private readonly fetch: FetchLike;\n\n public constructor(options: ScopedPickWebIdHandlerOptions) {\n super();\n this.webIdStore = options.webIdStore;\n this.providerFactory = options.providerFactory;\n this.provisionBaseUrl = normalizeOptionalUrl(options.provisionBaseUrl);\n this.podLookupRepository = options.podLookupRepository ??\n (options.identityDbUrl ? new PodLookupRepository(getIdentityDatabase(options.identityDbUrl)) : undefined);\n this.fetch = options.fetch ?? globalThis.fetch.bind(globalThis);\n }\n\n public async getView({ accountId, oidcInteraction }: JsonInteractionHandlerInput): Promise<JsonRepresentation> {\n assertAccountId(accountId);\n const provider = await this.providerFactory.getProvider();\n const description = parseSchema(inSchema);\n const target = await this.resolveTargetStorage(provider, oidcInteraction);\n const entries = await this.resolveScopedEntries(accountId, target);\n\n return {\n json: {\n ...description,\n webIds: entries.map((entry) => entry.webId),\n entries,\n },\n };\n }\n\n public async handle({ oidcInteraction, accountId, json }: JsonInteractionHandlerInput): Promise<never> {\n assertOidcInteraction(oidcInteraction);\n assertAccountId(accountId);\n const { webId, remember } = await validateWithError(inSchema, json);\n const provider = await this.providerFactory.getProvider();\n const target = await this.resolveTargetStorage(provider, oidcInteraction);\n\n if (!await this.webIdStore.isLinked(webId, accountId)) {\n this.logger.warn(`Trying to pick WebID ${webId} which does not belong to account ${accountId}`);\n throw new BadRequestHttpError('WebID does not belong to this account.');\n }\n\n if (!await this.isResolvableByCurrentSp(webId, target)) {\n this.logger.warn(`Trying to pick WebID ${webId} which does not belong to this storage provider`);\n throw new BadRequestHttpError('WebID does not belong to this storage provider.');\n }\n\n await forgetWebId(provider, oidcInteraction);\n const location = await finishInteraction(oidcInteraction, {\n login: {\n accountId: webId,\n remember,\n },\n }, true);\n throw new FoundHttpError(location);\n }\n\n private async resolveScopedEntries(accountId: string, target: TargetStorage): Promise<WebIdEntry[]> {\n const webIds = (await this.webIdStore.findLinks(accountId)).map((link) => link.webId);\n if (target.serviceToken) {\n return this.resolveRemoteSpEntries(webIds, target);\n }\n\n const entries: WebIdEntry[] = [];\n for (const webId of webIds) {\n const pod = await this.findSpPod(webId, target.storageUrl);\n if (!pod) {\n continue;\n }\n const storageUrl = ensureTrailingSlash(pod.storageUrl ?? pod.baseUrl);\n entries.push({\n webId,\n storageUrl,\n storageMode: deriveStorageMode(webId, storageUrl),\n });\n }\n return entries;\n }\n\n private async isResolvableByCurrentSp(webId: string, target: TargetStorage): Promise<boolean> {\n if (target.serviceToken) {\n return (await this.resolveRemoteSpEntries([webId], target)).some((entry) => entry.webId === webId);\n }\n return Boolean(await this.findSpPod(webId, target.storageUrl));\n }\n\n private async findSpPod(webId: string, targetStorageUrl: string): Promise<PodLookupResult \| undefined> {\n if (!this.podLookupRepository) {\n this.logger.warn('No PodLookupRepository configured; refusing to expose unscoped WebID choices');\n return undefined;\n }\n\n try {\n if (this.podLookupRepository.findAllByWebId) {\n const pods = await this.podLookupRepository.findAllByWebId(webId);\n return pods.find((pod) => matchesTargetStorage(pod, targetStorageUrl));\n }\n\n if (this.podLookupRepository.findByWebIds) {\n const pods = await this.podLookupRepository.findByWebIds([webId]);\n return pods.find((pod) => matchesTargetStorage(pod, targetStorageUrl));\n }\n\n const pod = await this.podLookupRepository.findByWebId(webId);\n return pod && matchesTargetStorage(pod, targetStorageUrl) ? pod : undefined;\n } catch (error) {\n this.logger.warn(`Pod lookup unavailable for WebID ${webId}: ${error}`);\n return undefined;\n }\n }\n\n private async resolveTargetStorage(\n provider: { issuer: string },\n oidcInteraction?: JsonInteractionHandlerInput['oidcInteraction'],\n ): Promise<TargetStorage> {\n const provisionCode = extractProvisionCode(oidcInteraction);\n if (!provisionCode) {\n return { storageUrl: ensureTrailingSlash(provider.issuer) };\n }\n\n const payload = new ProvisionCodeCodec(this.provisionBaseUrl ?? provider.issuer).decode(provisionCode);\n if (!payload) {\n throw new BadRequestHttpError('Invalid or expired provisionCode.');\n }\n\n const targetUrl = payload.spDomain\n ? `https://${payload.spDomain}`\n : payload.spUrl;\n return {\n storageUrl: ensureTrailingSlash(targetUrl),\n lookupUrl: ensureTrailingSlash(payload.spUrl),\n serviceToken: payload.serviceToken,\n };\n }\n\n private async resolveRemoteSpEntries(webIds: string[], target: TargetStorage): Promise<WebIdEntry[]> {\n if (!target.lookupUrl \|\| !target.serviceToken \|\| webIds.length === 0) {\n return [];\n }\n\n const response = await this.fetch(new URL('/provision/webids', target.lookupUrl).toString(), {\n method: 'POST',\n headers: {\n 'Authorization': `Bearer ${target.serviceToken}`,\n 'Content-Type': 'application/json',\n 'Accept': 'application/json',\n },\n body: JSON.stringify({ webIds }),\n });\n\n if (!response.ok) {\n this.logger.warn(`Remote SP WebID lookup failed: HTTP ${response.status}`);\n return [];\n }\n\n const body = await response.json().catch(() => null) as { entries?: RemoteSpWebIdEntry[] } \| null;\n if (!Array.isArray(body?.entries)) {\n return [];\n }\n\n const allowedWebIds = new Set(webIds);\n return body.entries\n .filter((entry) => typeof entry.webId === 'string' && allowedWebIds.has(entry.webId))\n .filter((entry) => typeof entry.storageUrl === 'string' && matchesTargetStorage(\n {\n podId: '',\n accountId: '',\n baseUrl: entry.podUrl ?? entry.storageUrl,\n storageUrl: entry.storageUrl,\n },\n target.storageUrl,\n ))\n .map((entry) => ({\n webId: entry.webId,\n storageUrl: ensureTrailingSlash(entry.storageUrl),\n storageMode: deriveStorageMode(entry.webId, entry.storageUrl),\n }));\n }\n}\n\ninterface TargetStorage {\n storageUrl: string;\n lookupUrl?: string;\n serviceToken?: string;\n}\n\ninterface RemoteSpWebIdEntry {\n webId: string;\n podUrl?: string;\n storageUrl: string;\n}\n\nfunction deriveStorageMode(webId: string, storageUrl: string): 'cloud' \| 'local' \| 'custom' {\n const webIdRoot = deriveStorageRoot(webId);\n const storageRoot = deriveStorageRoot(storageUrl);\n if (!webIdRoot \|\| !storageRoot) {\n return 'custom';\n }\n return webIdRoot === storageRoot ? 'cloud' : 'local';\n}\n\nfunction deriveStorageRoot(url: string): string \| undefined {\n try {\n const parsed = new URL(url);\n const segments = parsed.pathname.split('/').filter(Boolean);\n if (segments.length === 0) {\n return ensureTrailingSlash(parsed.origin);\n }\n\n return ensureTrailingSlash(new URL(`/${segments[0]}/`, parsed.origin).toString());\n } catch {\n return undefined;\n }\n}\n\nfunction ensureTrailingSlash(url: string): string {\n return url.replace(/\\/+$/u, '') + '/';\n}\n\nfunction normalizeOptionalUrl(url: string \| undefined): string \| undefined {\n const trimmed = url?.trim();\n return trimmed ? trimmed : undefined;\n}\n\nfunction matchesTargetStorage(pod: PodLookupResult, targetStorageUrl: string): boolean {\n const candidateUrls = (pod.storageUrl ? [pod.storageUrl] : [pod.baseUrl])\n .filter((value): value is string => typeof value === 'string' && value.length > 0);\n const targetRoot = deriveStorageRoot(targetStorageUrl);\n if (!targetRoot) {\n return false;\n }\n\n for (const candidate of candidateUrls) {\n const candidateRoot = deriveStorageRoot(candidate);\n if (candidateRoot && candidateRoot === targetRoot) {\n return true;\n }\n\n const candidateUrl = ensureTrailingSlash(candidate);\n if (candidateUrl.startsWith(targetRoot) \|\| targetRoot.startsWith(candidateUrl)) {\n return true;\n }\n }\n\n return false;\n}\n\nfunction extractProvisionCode(oidcInteraction: JsonInteractionHandlerInput['oidcInteraction']): string \| undefined {\n const params = oidcInteraction?.params as Record<string, unknown> \| undefined;\n const value = params?.provisionCode;\n return typeof value === 'string' && value.trim().length > 0 ? value.trim() : undefined;\n}\n"]}

package/dist/identity/oidc/ScopedPickWebIdHandler.jsonld CHANGED Viewed

@@ -35,6 +35,18 @@
             ]
           }
         },
+        {
+          "@id": "undefineds:dist/identity/oidc/ScopedPickWebIdHandler.jsonld#ScopedPickWebIdHandler_options_provisionBaseUrl",
+          "range": {
+            "@type": "ParameterRangeUnion",
+            "parameterRangeElements": [
+              "xsd:string",
+              {
+                "@type": "ParameterRangeUndefined"
+              }
+            ]
+          }
+        },
         {
           "@id": "undefineds:dist/identity/oidc/ScopedPickWebIdHandler.jsonld#ScopedPickWebIdHandler_options_podLookupRepository",
           "range": {
@@ -75,6 +87,10 @@
           "@id": "undefineds:dist/identity/oidc/ScopedPickWebIdHandler.jsonld#ScopedPickWebIdHandler__member_providerFactory",
           "memberFieldName": "providerFactory"
         },
+        {
+          "@id": "undefineds:dist/identity/oidc/ScopedPickWebIdHandler.jsonld#ScopedPickWebIdHandler__member_provisionBaseUrl",
+          "memberFieldName": "provisionBaseUrl"
+        },
         {
           "@id": "undefineds:dist/identity/oidc/ScopedPickWebIdHandler.jsonld#ScopedPickWebIdHandler__member_podLookupRepository",
           "memberFieldName": "podLookupRepository"
@@ -138,6 +154,12 @@
                 "@id": "undefineds:dist/identity/oidc/ScopedPickWebIdHandler.jsonld#ScopedPickWebIdHandler_options_identityDbUrl"
               }
             },
+            {
+              "keyRaw": "provisionBaseUrl",
+              "value": {
+                "@id": "undefineds:dist/identity/oidc/ScopedPickWebIdHandler.jsonld#ScopedPickWebIdHandler_options_provisionBaseUrl"
+              }
+            },
             {
               "keyRaw": "podLookupRepository",
               "value": {

package/dist/provision/ProvisionCodeCodec.js CHANGED Viewed

@@ -12,12 +12,21 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ProvisionCodeCodec = void 0;
 const node_crypto_1 = require("node:crypto");
+function normalizeProvisionBaseUrl(baseUrl) {
+    try {
+        return new URL(baseUrl).toString().replace(/\/+$/, '') + '/';
+    }
+    catch {
+        return baseUrl.trim().replace(/\/+$/, '') + '/';
+    }
+}
 class ProvisionCodeCodec {
     /**
      * @param baseUrl — Cloud 的 baseUrl，用于派生签名密钥
      */
     constructor(baseUrl) {
-        this.secret = Buffer.from((0, node_crypto_1.createHmac)('sha256', 'xpod-provision').update(baseUrl).digest());
+        const normalizedBaseUrl = normalizeProvisionBaseUrl(baseUrl);
+        this.secret = Buffer.from((0, node_crypto_1.createHmac)('sha256', 'xpod-provision').update(normalizedBaseUrl).digest());
     }
     /**
      * 编码 provisionCode

package/dist/provision/ProvisionCodeCodec.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ProvisionCodeCodec.js","sourceRoot":"","sources":["../../src/provision/ProvisionCodeCodec.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;AAEH,6CAAyC;AAezC,MAAa,kBAAkB;IAG7B;;OAEG;IACH,YAAmB,OAAe;QAChC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CACvB,IAAA,wBAAU,EAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC,MAAM,CAAC,~~OAAO~~,CAAC,CAAC,MAAM,EAAE,~~CAChE~~,CAAC;IACJ,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,OAA6B;QACzC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5B,OAAO,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC;IAC1B,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,IAA+B;QAC3C,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;YAClB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;QAErC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAyB,CAAC;YAEpG,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,YAAY,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBAC5D,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,OAAO;YACP,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;gBAChD,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,IAAI,CAAC,IAAY;QACvB,OAAO,IAAA,wBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC5E,CAAC;CACF;~~AAhED~~,~~gDAgEC~~","sourcesContent":["/*\n ProvisionCodeCodec\n \n 自包含的 provisionCode 编解码器。\n * provisionCode 编码了 SP 的信息（publicUrl、serviceToken），\n * CSS 侧解码后直接回调 SP，不需要查数据库。\n \n 格式: base64url(JSON payload) + \".\" + base64url(HMAC-SHA256 signature)\n * 密钥: 从 baseUrl 派生，无需单独配置。\n /\n\nimport { createHmac } from 'node:crypto';\n\nexport interface ProvisionCodePayload {\n /* SP 的公网地址 /\n spUrl: string;\n /* Cloud → SP 回调认证 token /\n serviceToken: string;\n /* SP 节点 ID（可选，用于记录） /\n nodeId?: string;\n /* Cloud 分配的子域名，如 \"abc123.undefineds.site\" /\n spDomain?: string;\n /* 过期时间 (Unix timestamp, seconds) /\n exp: number;\n}\n\nexport class ProvisionCodeCodec {\n private readonly secret: Buffer;\n\n /\n @param baseUrl — Cloud 的 baseUrl，用于派生签名密钥\n /\n public constructor(baseUrl: string) {\n this.secret = Buffer.from(\n createHmac('sha256', 'xpod-provision').update(~~baseUrl~~).digest(),\n );\n }\n\n /\n 编码 provisionCode\n /\n public encode(payload: ProvisionCodePayload): string {\n const json = JSON.stringify(payload);\n const data = Buffer.from(json, 'utf8').toString('base64url');\n const sig = this.sign(data);\n return `${data}.${sig}`;\n }\n\n /\n 解码并验证 provisionCode\n * 返回 payload，过期或签名无效则返回 undefined\n */\n public decode(code: string \| undefined \| null): ProvisionCodePayload \| undefined {\n if (typeof code !== 'string' \|\| code.length === 0) {\n return undefined;\n }\n\n const dotIndex = code.indexOf('.');\n if (dotIndex <= 0) {\n return undefined;\n }\n\n const data = code.slice(0, dotIndex);\n const sig = code.slice(dotIndex + 1);\n\n if (this.sign(data) !== sig) {\n return undefined;\n }\n\n try {\n const payload = JSON.parse(Buffer.from(data, 'base64url').toString('utf8')) as ProvisionCodePayload;\n\n if (!payload.spUrl \|\| !payload.serviceToken \|\| !payload.exp) {\n return undefined;\n }\n\n // 检查过期\n if (payload.exp < Math.floor(Date.now() / 1000)) {\n return undefined;\n }\n\n return payload;\n } catch {\n return undefined;\n }\n }\n\n private sign(data: string): string {\n return createHmac('sha256', this.secret).update(data).digest('base64url');\n }\n}\n"]}
1	+ {"version":3,"file":"ProvisionCodeCodec.js","sourceRoot":"","sources":["../../src/provision/ProvisionCodeCodec.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;AAEH,6CAAyC;AAezC,SAAS,yBAAyB,CAAC,OAAe;IAChD,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC;IAClD,CAAC;AACH,CAAC;AAED,MAAa,kBAAkB;IAG7B;;OAEG;IACH,YAAmB,OAAe;QAChC,MAAM,iBAAiB,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;QAC7D,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CACvB,IAAA,wBAAU,EAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,MAAM,EAAE,CAC1E,CAAC;IACJ,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,OAA6B;QACzC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5B,OAAO,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC;IAC1B,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,IAA+B;QAC3C,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;YAClB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;QAErC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAyB,CAAC;YAEpG,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,YAAY,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBAC5D,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,OAAO;YACP,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;gBAChD,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,IAAI,CAAC,IAAY;QACvB,OAAO,IAAA,wBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC5E,CAAC;CACF;AAjED,gDAiEC","sourcesContent":["/*\n ProvisionCodeCodec\n \n 自包含的 provisionCode 编解码器。\n * provisionCode 编码了 SP 的信息（publicUrl、serviceToken），\n * CSS 侧解码后直接回调 SP，不需要查数据库。\n \n 格式: base64url(JSON payload) + \".\" + base64url(HMAC-SHA256 signature)\n * 密钥: 从 baseUrl 派生，无需单独配置。\n /\n\nimport { createHmac } from 'node:crypto';\n\nexport interface ProvisionCodePayload {\n /* SP 的公网地址 /\n spUrl: string;\n /* Cloud → SP 回调认证 token /\n serviceToken: string;\n /* SP 节点 ID（可选，用于记录） /\n nodeId?: string;\n /* Cloud 分配的子域名，如 \"abc123.undefineds.site\" /\n spDomain?: string;\n /* 过期时间 (Unix timestamp, seconds) /\n exp: number;\n}\n\nfunction normalizeProvisionBaseUrl(baseUrl: string): string {\n try {\n return new URL(baseUrl).toString().replace(/\\/+$/, '') + '/';\n } catch {\n return baseUrl.trim().replace(/\\/+$/, '') + '/';\n }\n}\n\nexport class ProvisionCodeCodec {\n private readonly secret: Buffer;\n\n /\n @param baseUrl — Cloud 的 baseUrl，用于派生签名密钥\n /\n public constructor(baseUrl: string) {\n const normalizedBaseUrl = normalizeProvisionBaseUrl(baseUrl);\n this.secret = Buffer.from(\n createHmac('sha256', 'xpod-provision').update(normalizedBaseUrl).digest(),\n );\n }\n\n /\n 编码 provisionCode\n /\n public encode(payload: ProvisionCodePayload): string {\n const json = JSON.stringify(payload);\n const data = Buffer.from(json, 'utf8').toString('base64url');\n const sig = this.sign(data);\n return `${data}.${sig}`;\n }\n\n /\n 解码并验证 provisionCode\n * 返回 payload，过期或签名无效则返回 undefined\n */\n public decode(code: string \| undefined \| null): ProvisionCodePayload \| undefined {\n if (typeof code !== 'string' \|\| code.length === 0) {\n return undefined;\n }\n\n const dotIndex = code.indexOf('.');\n if (dotIndex <= 0) {\n return undefined;\n }\n\n const data = code.slice(0, dotIndex);\n const sig = code.slice(dotIndex + 1);\n\n if (this.sign(data) !== sig) {\n return undefined;\n }\n\n try {\n const payload = JSON.parse(Buffer.from(data, 'base64url').toString('utf8')) as ProvisionCodePayload;\n\n if (!payload.spUrl \|\| !payload.serviceToken \|\| !payload.exp) {\n return undefined;\n }\n\n // 检查过期\n if (payload.exp < Math.floor(Date.now() / 1000)) {\n return undefined;\n }\n\n return payload;\n } catch {\n return undefined;\n }\n }\n\n private sign(data: string): string {\n return createHmac('sha256', this.secret).update(data).digest('base64url');\n }\n}\n"]}

package/dist/provision/ProvisionPodCreator.d.ts CHANGED Viewed

@@ -11,14 +11,20 @@ import { BasePodCreator, type PodCreatorInput, type PodCreatorOutput, type BaseP
 export interface ProvisionPodCreatorArgs extends BasePodCreatorArgs {
     /** 与 ProvisionHandler 使用相同的 baseUrl 派生签名密钥 */
     provisionBaseUrl?: string;
-    /** Optional identity database connection string used to persist Pod-side storage facts. */
+    /** Current SP node id; used to recognize this SP even when URLs differ by localhost/managed domain. */
+    nodeId?: string;
+    /** Kept in the component signature for config compatibility; Pod storage facts live in CSS account data. */
     identityDbUrl?: string;
 }
 export declare class ProvisionPodCreator extends BasePodCreator {
     private readonly provisionLogger;
     private readonly codec;
-    private readonly podLookupRepo?;
+    private readonly oidcIssuer?;
+    private readonly currentNodeId?;
     constructor(args: ProvisionPodCreatorArgs);
     handle(input: PodCreatorInput): Promise<PodCreatorOutput>;
+    private targetsCurrentStorageProvider;
     private handleStandardPodCreate;
+    private prepareWebIdLink;
+    private findExistingWebIdLink;
 }