@uploadista/server 0.0.3 → 0.0.6

package/dist/auth/jwt/index.js

@@ -1,36 +0,0 @@
-/**
- * JWT Utilities for Uploadista Authentication
- *
- * This module provides JWT token validation and AuthContext extraction utilities
- * for implementing SaaS-mode authentication in uploadista adapters.
- *
- * @example Basic JWT validation
- * ```typescript
- * import { validateJwtToken } from '@uploadista/server/auth/jwt';
- *
- * const result = await validateJwtToken(token, {
- *   secret: process.env.JWT_SECRET,
- *   issuer: 'https://auth.myapp.com',
- *   audience: 'uploadista-api',
- * });
- *
- * if (result.success) {
- *   console.log('Valid token for user:', result.userId);
- * }
- * ```
- *
- * @example Extract AuthContext
- * ```typescript
- * import { extractAuthContextFromJwt } from '@uploadista/server/auth/jwt';
- *
- * const authContext = await extractAuthContextFromJwt(token, {
- *   secret: process.env.JWT_SECRET,
- * });
- *
- * if (authContext) {
- *   // Use auth context in your middleware
- *   return authContext;
- * }
- * ```
- */
-export { extractAuthContextFromJwt, validateJwtToken } from "./validate";

package/dist/auth/jwt/types.d.ts

@@ -1,77 +0,0 @@
-/**
- * JWT validation configuration options
- */
-export type JwtValidationConfig = {
-    /**
-     * The secret key or public key used to verify the JWT signature.
-     * - For HS256: Use a string secret
-     * - For RS256/ES256: Use a public key (string in PEM format or KeyLike)
-     */
-    secret: string | Uint8Array;
-    /**
-     * Expected issuer (iss claim) of the JWT.
-     * If provided, validation will fail if the token's issuer doesn't match.
-     */
-    issuer?: string;
-    /**
-     * Expected audience (aud claim) of the JWT.
-     * If provided, validation will fail if the token's audience doesn't match.
-     */
-    audience?: string;
-    /**
-     * Clock tolerance in seconds for expiry validation.
-     * Allows tokens to be considered valid even if they're slightly expired
-     * to account for clock skew between servers.
-     * @default 60 (1 minute)
-     */
-    clockTolerance?: number;
-    /**
-     * Allowed signing algorithms.
-     * If not specified, all standard algorithms are allowed (HS256, RS256, ES256).
-     * It's recommended to explicitly specify expected algorithms for security.
-     */
-    algorithms?: string[];
-};
-/**
- * JWT validation result - either success with claims or failure with error
- */
-export type JwtValidationResult = {
-    success: true;
-    claims: Record<string, unknown>;
-    userId: string;
-} | {
-    success: false;
-    error: JwtValidationError;
-};
-/**
- * JWT validation error types
- */
-export type JwtValidationError = {
-    type: "INVALID_TOKEN";
-    message: string;
-} | {
-    type: "EXPIRED";
-    message: string;
-} | {
-    type: "INVALID_SIGNATURE";
-    message: string;
-} | {
-    type: "INVALID_ISSUER";
-    message: string;
-    expected: string;
-    actual: string;
-} | {
-    type: "INVALID_AUDIENCE";
-    message: string;
-    expected: string;
-    actual: string;
-} | {
-    type: "MISSING_SUBJECT";
-    message: string;
-} | {
-    type: "INVALID_ALGORITHM";
-    message: string;
-    expected: string[];
-    actual: string;
-};
-//# sourceMappingURL=types.d.ts.map

package/dist/auth/jwt/types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/auth/jwt/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAChC;;;;OAIG;IACH,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC;IAE5B;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAC3B;IACE,OAAO,EAAE,IAAI,CAAC;IACd,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,MAAM,EAAE,MAAM,CAAC;CAChB,GACD;IACE,OAAO,EAAE,KAAK,CAAC;IACf,KAAK,EAAE,kBAAkB,CAAC;CAC3B,CAAC;AAEN;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B;IAAE,IAAI,EAAE,eAAe,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAC9C;IAAE,IAAI,EAAE,gBAAgB,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC7E;IAAE,IAAI,EAAE,kBAAkB,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC/E;IAAE,IAAI,EAAE,iBAAiB,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAC5C;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC"}

package/dist/auth/jwt/types.js

@@ -1 +0,0 @@
-export {};

package/dist/auth/jwt/validate.d.ts

@@ -1,58 +0,0 @@
-import type { AuthContext } from "../types";
-import type { JwtValidationConfig, JwtValidationResult } from "./types";
-/**
- * Validates a JWT token and returns the validation result with claims.
- *
- * This function verifies:
- * - Token signature using the provided secret/public key
- * - Token expiry (with clock tolerance)
- * - Issuer claim (if configured)
- * - Audience claim (if configured)
- * - Required subject (sub) claim presence
- *
- * @param token - The JWT token string to validate
- * @param config - Validation configuration (secret, issuer, audience, etc.)
- * @returns JwtValidationResult with success status and claims or error
- *
- * @example
- * ```typescript
- * const result = await validateJwtToken(token, {
- *   secret: 'my-secret-key',
- *   issuer: 'https://auth.example.com',
- *   audience: 'uploadista-api',
- *   clockTolerance: 60,
- * });
- *
- * if (result.success) {
- *   console.log('User ID:', result.userId);
- *   console.log('Claims:', result.claims);
- * } else {
- *   console.error('Validation failed:', result.error);
- * }
- * ```
- */
-export declare function validateJwtToken(token: string, config: JwtValidationConfig): Promise<JwtValidationResult>;
-/**
- * Extracts AuthContext from a validated JWT token.
- * This is a convenience function that combines validation and extraction.
- *
- * @param token - The JWT token string to validate and extract from
- * @param config - Validation configuration
- * @returns AuthContext if validation succeeds, null otherwise
- *
- * @example
- * ```typescript
- * const authContext = await extractAuthContextFromJwt(token, {
- *   secret: process.env.JWT_SECRET,
- *   issuer: 'https://auth.example.com',
- * });
- *
- * if (authContext) {
- *   console.log('Authenticated user:', authContext.userId);
- * } else {
- *   console.log('Invalid token');
- * }
- * ```
- */
-export declare function extractAuthContextFromJwt(token: string, config: JwtValidationConfig): Promise<AuthContext | null>;
-//# sourceMappingURL=validate.d.ts.map

package/dist/auth/jwt/validate.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../../src/auth/jwt/validate.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,KAAK,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAExE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,mBAAmB,CAAC,CAmF9B;AA6ED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,yBAAyB,CAC7C,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAmC7B"}

package/dist/auth/jwt/validate.js

@@ -1,226 +0,0 @@
-import { jwtVerify } from "jose";
-/**
- * Validates a JWT token and returns the validation result with claims.
- *
- * This function verifies:
- * - Token signature using the provided secret/public key
- * - Token expiry (with clock tolerance)
- * - Issuer claim (if configured)
- * - Audience claim (if configured)
- * - Required subject (sub) claim presence
- *
- * @param token - The JWT token string to validate
- * @param config - Validation configuration (secret, issuer, audience, etc.)
- * @returns JwtValidationResult with success status and claims or error
- *
- * @example
- * ```typescript
- * const result = await validateJwtToken(token, {
- *   secret: 'my-secret-key',
- *   issuer: 'https://auth.example.com',
- *   audience: 'uploadista-api',
- *   clockTolerance: 60,
- * });
- *
- * if (result.success) {
- *   console.log('User ID:', result.userId);
- *   console.log('Claims:', result.claims);
- * } else {
- *   console.error('Validation failed:', result.error);
- * }
- * ```
- */
-export async function validateJwtToken(token, config) {
-    try {
-        // Prepare secret/key for validation
-        let secret;
-        if (typeof config.secret === "string") {
-            secret = new TextEncoder().encode(config.secret);
-        }
-        else {
-            secret = config.secret;
-        }
-        // Prepare verification options
-        const options = {
-            clockTolerance: config.clockTolerance ?? 60, // Default 1 minute tolerance
-        };
-        if (config.issuer) {
-            options.issuer = config.issuer;
-        }
-        if (config.audience) {
-            options.audience = config.audience;
-        }
-        if (config.algorithms && config.algorithms.length > 0) {
-            options.algorithms = config.algorithms;
-        }
-        // Verify the JWT
-        let verifyResult;
-        try {
-            verifyResult = await jwtVerify(token, secret, options);
-        }
-        catch (error) {
-            return handleJwtVerifyError(error, config);
-        }
-        const { payload, protectedHeader } = verifyResult;
-        // Validate algorithm if specified
-        if (config.algorithms &&
-            config.algorithms.length > 0 &&
-            !config.algorithms.includes(protectedHeader.alg)) {
-            return {
-                success: false,
-                error: {
-                    type: "INVALID_ALGORITHM",
-                    message: `Invalid algorithm: expected one of [${config.algorithms.join(", ")}], got ${protectedHeader.alg}`,
-                    expected: config.algorithms,
-                    actual: protectedHeader.alg,
-                },
-            };
-        }
-        // Extract userId from sub claim
-        const userId = payload.sub;
-        if (!userId) {
-            return {
-                success: false,
-                error: {
-                    type: "MISSING_SUBJECT",
-                    message: "Token is missing required 'sub' claim. Cannot extract user ID.",
-                },
-            };
-        }
-        // Return success with claims
-        return {
-            success: true,
-            claims: payload,
-            userId,
-        };
-    }
-    catch (error) {
-        // Catch-all for unexpected errors
-        return {
-            success: false,
-            error: {
-                type: "INVALID_TOKEN",
-                message: error instanceof Error ? error.message : "Unknown error occurred",
-            },
-        };
-    }
-}
-/**
- * Handles errors from jose's jwtVerify and converts them to our error format
- */
-function handleJwtVerifyError(error, config) {
-    if (!(error instanceof Error)) {
-        return {
-            success: false,
-            error: {
-                type: "INVALID_TOKEN",
-                message: "Unknown validation error occurred",
-            },
-        };
-    }
-    const message = error.message.toLowerCase();
-    // Check for specific error types - order matters!
-    // Check issuer/audience before expired since "exp" might match "expected"
-    if (message.includes("issuer") || message.includes('"iss"') || message.includes("'iss'")) {
-        return {
-            success: false,
-            error: {
-                type: "INVALID_ISSUER",
-                message: "Token issuer does not match expected value",
-                expected: config.issuer ?? "",
-                actual: "unknown",
-            },
-        };
-    }
-    if (message.includes("audience") || message.includes('"aud"') || message.includes("'aud'")) {
-        return {
-            success: false,
-            error: {
-                type: "INVALID_AUDIENCE",
-                message: "Token audience does not match expected value",
-                expected: config.audience ?? "",
-                actual: "unknown",
-            },
-        };
-    }
-    if (message.includes("expired") || (message.includes("exp") && !message.includes("unexpected"))) {
-        return {
-            success: false,
-            error: {
-                type: "EXPIRED",
-                message: "Token has expired",
-            },
-        };
-    }
-    if (message.includes("signature")) {
-        return {
-            success: false,
-            error: {
-                type: "INVALID_SIGNATURE",
-                message: "Invalid token signature",
-            },
-        };
-    }
-    // Default to invalid token error
-    return {
-        success: false,
-        error: {
-            type: "INVALID_TOKEN",
-            message: error.message,
-        },
-    };
-}
-/**
- * Extracts AuthContext from a validated JWT token.
- * This is a convenience function that combines validation and extraction.
- *
- * @param token - The JWT token string to validate and extract from
- * @param config - Validation configuration
- * @returns AuthContext if validation succeeds, null otherwise
- *
- * @example
- * ```typescript
- * const authContext = await extractAuthContextFromJwt(token, {
- *   secret: process.env.JWT_SECRET,
- *   issuer: 'https://auth.example.com',
- * });
- *
- * if (authContext) {
- *   console.log('Authenticated user:', authContext.userId);
- * } else {
- *   console.log('Invalid token');
- * }
- * ```
- */
-export async function extractAuthContextFromJwt(token, config) {
-    const result = await validateJwtToken(token, config);
-    if (!result.success) {
-        return null;
-    }
-    // Extract permissions from claims (if present)
-    const permissions = Array.isArray(result.claims.permissions)
-        ? result.claims.permissions
-        : undefined;
-    // Extract metadata (all claims except standard JWT claims)
-    const standardClaims = new Set([
-        "iss",
-        "sub",
-        "aud",
-        "exp",
-        "nbf",
-        "iat",
-        "jti",
-        "permissions",
-    ]);
-    const metadata = {};
-    for (const [key, value] of Object.entries(result.claims)) {
-        if (!standardClaims.has(key)) {
-            metadata[key] = value;
-        }
-    }
-    return {
-        userId: result.userId,
-        metadata: Object.keys(metadata).length > 0 ? metadata : undefined,
-        permissions,
-    };
-}

package/dist/auth/jwt/validate.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=validate.test.d.ts.map

package/dist/auth/jwt/validate.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"validate.test.d.ts","sourceRoot":"","sources":["../../../src/auth/jwt/validate.test.ts"],"names":[],"mappings":""}