@valkyrianlabs/payload-markdown-docs 0.2.1 → 0.3.1
- package/README.md +214 -127
- package/dist/collections/docsSets.js +149 -0
- package/dist/collections/docsSets.js.map +1 -1
- package/dist/endpoints/sync.js +109 -29
- package/dist/endpoints/sync.js.map +1 -1
- package/dist/payload/docsSets.d.ts +2 -0
- package/dist/payload/docsSets.js +73 -0
- package/dist/payload/docsSets.js.map +1 -1
- package/dist/security/githubOidc.d.ts +2 -4
- package/dist/security/githubOidc.js.map +1 -1
- package/dist/skills/codex/SKILL.md +5 -1
- package/dist/skills/codex/reference/sync.md +5 -4
- package/dist/skills/codex/reference/troubleshooting.md +3 -2
- package/dist/types.d.ts +30 -12
- package/dist/types.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/payload/docsSets.ts"],"sourcesContent":["export type DocsSetPayloadOperations = {\n find: (args: {\n collection: string\n depth?: number\n limit?: number\n overrideAccess?: boolean\n where?: unknown\n }) => Promise<{\n docs: unknown[]\n }>\n update?: (args: {\n collection: string\n data: Record<string, unknown>\n id: string\n overrideAccess?: boolean\n }) => Promise<Record<string, unknown>>\n}\n\nexport type PayloadRecordId = number | string\n\nexport type ResolvedDocsSet = {\n id: PayloadRecordId\n routeBase: string\n sourceId: string\n sourceRoot?: string\n}\n\nexport const updateDocsSetAfterSync = async ({\n aiExport,\n collectionSlug,\n docsCount,\n docsSetId,\n now,\n payload,\n syncRunId,\n}: {\n aiExport?: unknown\n collectionSlug: string\n docsCount: number\n docsSetId: PayloadRecordId\n now: Date\n payload: DocsSetPayloadOperations\n syncRunId?: PayloadRecordId\n}): Promise<void> => {\n if (!payload.update) {\n return\n }\n\n await payload.update({\n id: String(docsSetId),\n collection: collectionSlug,\n data: {\n aiExport: aiExport ?? null,\n sync: {\n docsCount,\n lastStatus: 'success',\n lastSyncedAt: now.toISOString(),\n lastSyncRunId: syncRunId,\n },\n },\n overrideAccess: true,\n })\n}\n\nconst isRecord = (value: unknown): value is Record<string, unknown> =>\n typeof value === 'object' && value !== null && !Array.isArray(value)\n\nconst getRecordId = (doc: Record<string, unknown>): PayloadRecordId | undefined => {\n if (typeof doc.id === 'string' || typeof doc.id === 'number') {\n return doc.id\n }\n\n return undefined\n}\n\nconst toResolvedDocsSet = (doc: unknown): ResolvedDocsSet | undefined => {\n if (!isRecord(doc)) {\n return undefined\n }\n\n const id = getRecordId(doc)\n\n if (\n !id ||\n typeof doc.sourceId !== 'string' ||\n typeof doc.routeBase !== 'string'\n ) {\n return undefined\n }\n\n return {\n id,\n routeBase: doc.routeBase,\n sourceId: doc.sourceId,\n sourceRoot: typeof doc.sourceRoot === 'string' ? 
doc.sourceRoot : undefined,\n }\n}\n\nexport const findDocsSetBySourceId = async ({\n collectionSlug,\n payload,\n sourceId,\n}: {\n collectionSlug: string\n payload: DocsSetPayloadOperations\n sourceId: string\n}): Promise<ResolvedDocsSet | undefined> => {\n const result = await payload.find({\n collection: collectionSlug,\n depth: 0,\n limit: 1,\n overrideAccess: true,\n where: {\n sourceId: {\n equals: sourceId,\n },\n },\n })\n\n return toResolvedDocsSet(result.docs[0])\n}\n"],"names":["updateDocsSetAfterSync","aiExport","collectionSlug","docsCount","docsSetId","now","payload","syncRunId","update","id","String","collection","data","sync","lastStatus","lastSyncedAt","toISOString","lastSyncRunId","overrideAccess","isRecord","value","Array","isArray","getRecordId","doc","undefined","toResolvedDocsSet","sourceId","routeBase","sourceRoot","findDocsSetBySourceId","result","find","depth","limit","where","equals","docs"],"mappings":"AA2BA,OAAO,MAAMA,yBAAyB,OAAO,EAC3CC,QAAQ,EACRC,cAAc,EACdC,SAAS,EACTC,SAAS,EACTC,GAAG,EACHC,OAAO,EACPC,SAAS,EASV;IACC,IAAI,CAACD,QAAQE,MAAM,EAAE;QACnB;IACF;IAEA,MAAMF,QAAQE,MAAM,CAAC;QACnBC,IAAIC,OAAON;QACXO,YAAYT;QACZU,MAAM;YACJX,UAAUA,YAAY;YACtBY,MAAM;gBACJV;gBACAW,YAAY;gBACZC,cAAcV,IAAIW,WAAW;gBAC7BC,eAAeV;YACjB;QACF;QACAW,gBAAgB;IAClB;AACF,EAAC;AAED,MAAMC,WAAW,CAACC,QAChB,OAAOA,UAAU,YAAYA,UAAU,QAAQ,CAACC,MAAMC,OAAO,CAACF;AAEhE,MAAMG,cAAc,CAACC;IACnB,IAAI,OAAOA,IAAIf,EAAE,KAAK,YAAY,OAAOe,IAAIf,EAAE,KAAK,UAAU;QAC5D,OAAOe,IAAIf,EAAE;IACf;IAEA,OAAOgB;AACT;AAEA,MAAMC,oBAAoB,CAACF;IACzB,IAAI,CAACL,SAASK,MAAM;QAClB,OAAOC;IACT;IAEA,MAAMhB,KAAKc,YAAYC;IAEvB,IACE,CAACf,MACD,OAAOe,IAAIG,QAAQ,KAAK,YACxB,OAAOH,IAAII,SAAS,KAAK,UACzB;QACA,OAAOH;IACT;IAEA,OAAO;QACLhB;QACAmB,WAAWJ,IAAII,SAAS;QACxBD,UAAUH,IAAIG,QAAQ;QACtBE,YAAY,OAAOL,IAAIK,UAAU,KAAK,WAAWL,IAAIK,UAAU,GAAGJ;IACpE;AACF;AAEA,OAAO,MAAMK,wBAAwB,OAAO,EAC1C5B,cAAc,EACdI,OAAO,EACPqB,QAAQ,EAKT;IACC,MAAMI,SAAS,MAAMzB,QAAQ0B,IAAI,CAAC;QAChCrB,YAAYT;QACZ+B,OAAO;QACPC,OAAO;QACPhB,gBAAgB;QAChBiB,OAAO;YAC
LR,UAAU;gBACRS,QAAQT;YACV;QACF;IACF;IAEA,OAAOD,kBAAkBK,OAAOM,IAAI,CAAC,EAAE;AACzC,EAAC"}
|
|
1
|
+
{"version":3,"sources":["../../src/payload/docsSets.ts"],"sourcesContent":["import type { PayloadMarkdownDocsDocsSetAuthConfig } from '../types.js'\n\nexport type DocsSetPayloadOperations = {\n find: (args: {\n collection: string\n depth?: number\n limit?: number\n overrideAccess?: boolean\n where?: unknown\n }) => Promise<{\n docs: unknown[]\n }>\n update?: (args: {\n collection: string\n data: Record<string, unknown>\n id: string\n overrideAccess?: boolean\n }) => Promise<Record<string, unknown>>\n}\n\nexport type PayloadRecordId = number | string\n\nexport type ResolvedDocsSet = {\n auth?: PayloadMarkdownDocsDocsSetAuthConfig\n id: PayloadRecordId\n routeBase: string\n sourceId: string\n sourceRoot?: string\n}\n\nexport const updateDocsSetAfterSync = async ({\n aiExport,\n collectionSlug,\n docsCount,\n docsSetId,\n now,\n payload,\n syncRunId,\n}: {\n aiExport?: unknown\n collectionSlug: string\n docsCount: number\n docsSetId: PayloadRecordId\n now: Date\n payload: DocsSetPayloadOperations\n syncRunId?: PayloadRecordId\n}): Promise<void> => {\n if (!payload.update) {\n return\n }\n\n await payload.update({\n id: String(docsSetId),\n collection: collectionSlug,\n data: {\n aiExport: aiExport ?? null,\n sync: {\n docsCount,\n lastStatus: 'success',\n lastSyncedAt: now.toISOString(),\n lastSyncRunId: syncRunId,\n },\n },\n overrideAccess: true,\n })\n}\n\nconst isRecord = (value: unknown): value is Record<string, unknown> =>\n typeof value === 'object' && value !== null && !Array.isArray(value)\n\nconst getRecordId = (doc: Record<string, unknown>): PayloadRecordId | undefined => {\n if (typeof doc.id === 'string' || typeof doc.id === 'number') {\n return doc.id\n }\n\n return undefined\n}\n\nconst getString = (value: unknown): string | undefined =>\n typeof value === 'string' && value.trim() !== '' ? value.trim() : undefined\n\nconst getNumber = (value: unknown): number | undefined =>\n typeof value === 'number' && Number.isFinite(value) ? 
value : undefined\n\nconst getStringArray = (value: unknown): string[] | undefined => {\n if (!Array.isArray(value)) {\n return undefined\n }\n\n const values = value.flatMap((item) => {\n if (typeof item === 'string' && item.trim() !== '') {\n return [item.trim()]\n }\n\n if (isRecord(item)) {\n const nestedValue = getString(item.value)\n\n return nestedValue ? [nestedValue] : []\n }\n\n return []\n })\n\n return values.length > 0 ? values : undefined\n}\n\nconst getRecord = (value: unknown): Record<string, unknown> | undefined =>\n isRecord(value) ? value : undefined\n\nconst toResolvedDocsSetAuth = (\n value: unknown,\n): PayloadMarkdownDocsDocsSetAuthConfig | undefined => {\n const auth = getRecord(value)\n\n if (!auth) {\n return undefined\n }\n\n const ed25519 = getRecord(auth.ed25519)\n const keys = Array.isArray(ed25519?.keys)\n ? ed25519.keys.flatMap((key) => {\n if (!isRecord(key)) {\n return []\n }\n\n const id = getString(key.keyId) ?? getString(key.id)\n const publicKey = getString(key.publicKey)\n\n return id && publicKey\n ? [\n {\n id,\n publicKey,\n },\n ]\n : []\n })\n : []\n const githubOidc = getRecord(auth.githubOidc)\n const resolvedGithubOidc =\n githubOidc && githubOidc.enabled !== false\n ? {\n allowedEnvironments: getStringArray(githubOidc.allowedEnvironments),\n allowedRefs: getStringArray(githubOidc.allowedRefs),\n allowedRepositories: getStringArray(githubOidc.allowedRepositories),\n allowedRepositoryOwners: getStringArray(githubOidc.allowedRepositoryOwners),\n allowedWorkflowRefs: getStringArray(githubOidc.allowedWorkflowRefs),\n allowedWorkflows: getStringArray(githubOidc.allowedWorkflows),\n allowPullRequests:\n typeof githubOidc.allowPullRequests === 'boolean'\n ? 
githubOidc.allowPullRequests\n : undefined,\n audience: getString(githubOidc.audience),\n enabled: githubOidc.enabled === true,\n issuer: getString(githubOidc.issuer),\n jwksUrl: getString(githubOidc.jwksUrl),\n maxSkewSeconds: getNumber(githubOidc.maxSkewSeconds),\n }\n : undefined\n const hasGithubOidcPolicy = Boolean(\n resolvedGithubOidc &&\n (resolvedGithubOidc.enabled ||\n resolvedGithubOidc.audience ||\n resolvedGithubOidc.allowedEnvironments ||\n resolvedGithubOidc.allowedRefs ||\n resolvedGithubOidc.allowedRepositories ||\n resolvedGithubOidc.allowedRepositoryOwners ||\n resolvedGithubOidc.allowedWorkflowRefs ||\n resolvedGithubOidc.allowedWorkflows ||\n resolvedGithubOidc.allowPullRequests !== undefined ||\n resolvedGithubOidc.issuer ||\n resolvedGithubOidc.jwksUrl ||\n resolvedGithubOidc.maxSkewSeconds !== undefined),\n )\n const resolvedAuth: PayloadMarkdownDocsDocsSetAuthConfig = {\n ...(keys.length > 0\n ? {\n ed25519: {\n keys,\n maxSkewSeconds: getNumber(ed25519?.maxSkewSeconds),\n nonceTtlSeconds: getNumber(ed25519?.nonceTtlSeconds),\n },\n }\n : {}),\n ...(hasGithubOidcPolicy && resolvedGithubOidc\n ? {\n githubOidc: resolvedGithubOidc,\n }\n : {}),\n }\n\n return resolvedAuth.ed25519 || resolvedAuth.githubOidc ? resolvedAuth : undefined\n}\n\nconst toResolvedDocsSet = (doc: unknown): ResolvedDocsSet | undefined => {\n if (!isRecord(doc)) {\n return undefined\n }\n\n const id = getRecordId(doc)\n\n if (!id || typeof doc.sourceId !== 'string' || typeof doc.routeBase !== 'string') {\n return undefined\n }\n\n return {\n id,\n auth: toResolvedDocsSetAuth(doc.auth),\n routeBase: doc.routeBase,\n sourceId: doc.sourceId,\n sourceRoot: typeof doc.sourceRoot === 'string' ? 
doc.sourceRoot : undefined,\n }\n}\n\nexport const findDocsSetBySourceId = async ({\n collectionSlug,\n payload,\n sourceId,\n}: {\n collectionSlug: string\n payload: DocsSetPayloadOperations\n sourceId: string\n}): Promise<ResolvedDocsSet | undefined> => {\n const result = await payload.find({\n collection: collectionSlug,\n depth: 0,\n limit: 1,\n overrideAccess: true,\n where: {\n sourceId: {\n equals: sourceId,\n },\n },\n })\n\n return toResolvedDocsSet(result.docs[0])\n}\n"],"names":["updateDocsSetAfterSync","aiExport","collectionSlug","docsCount","docsSetId","now","payload","syncRunId","update","id","String","collection","data","sync","lastStatus","lastSyncedAt","toISOString","lastSyncRunId","overrideAccess","isRecord","value","Array","isArray","getRecordId","doc","undefined","getString","trim","getNumber","Number","isFinite","getStringArray","values","flatMap","item","nestedValue","length","getRecord","toResolvedDocsSetAuth","auth","ed25519","keys","key","keyId","publicKey","githubOidc","resolvedGithubOidc","enabled","allowedEnvironments","allowedRefs","allowedRepositories","allowedRepositoryOwners","allowedWorkflowRefs","allowedWorkflows","allowPullRequests","audience","issuer","jwksUrl","maxSkewSeconds","hasGithubOidcPolicy","Boolean","resolvedAuth","nonceTtlSeconds","toResolvedDocsSet","sourceId","routeBase","sourceRoot","findDocsSetBySourceId","result","find","depth","limit","where","equals","docs"],"mappings":"AA8BA,OAAO,MAAMA,yBAAyB,OAAO,EAC3CC,QAAQ,EACRC,cAAc,EACdC,SAAS,EACTC,SAAS,EACTC,GAAG,EACHC,OAAO,EACPC,SAAS,EASV;IACC,IAAI,CAACD,QAAQE,MAAM,EAAE;QACnB;IACF;IAEA,MAAMF,QAAQE,MAAM,CAAC;QACnBC,IAAIC,OAAON;QACXO,YAAYT;QACZU,MAAM;YACJX,UAAUA,YAAY;YACtBY,MAAM;gBACJV;gBACAW,YAAY;gBACZC,cAAcV,IAAIW,WAAW;gBAC7BC,eAAeV;YACjB;QACF;QACAW,gBAAgB;IAClB;AACF,EAAC;AAED,MAAMC,WAAW,CAACC,QAChB,OAAOA,UAAU,YAAYA,UAAU,QAAQ,CAACC,MAAMC,OAAO,CAACF;AAEhE,MAAMG,cAAc,CAACC;IACnB,IAAI,OAAOA,IAAIf,EAAE,KAAK,YAAY,OAAOe,IAAIf,EAAE,KAAK,UAAU;QAC5D,OAAOe,IAAIf,EAAE;IACf;IAEA,OAAO
gB;AACT;AAEA,MAAMC,YAAY,CAACN,QACjB,OAAOA,UAAU,YAAYA,MAAMO,IAAI,OAAO,KAAKP,MAAMO,IAAI,KAAKF;AAEpE,MAAMG,YAAY,CAACR,QACjB,OAAOA,UAAU,YAAYS,OAAOC,QAAQ,CAACV,SAASA,QAAQK;AAEhE,MAAMM,iBAAiB,CAACX;IACtB,IAAI,CAACC,MAAMC,OAAO,CAACF,QAAQ;QACzB,OAAOK;IACT;IAEA,MAAMO,SAASZ,MAAMa,OAAO,CAAC,CAACC;QAC5B,IAAI,OAAOA,SAAS,YAAYA,KAAKP,IAAI,OAAO,IAAI;YAClD,OAAO;gBAACO,KAAKP,IAAI;aAAG;QACtB;QAEA,IAAIR,SAASe,OAAO;YAClB,MAAMC,cAAcT,UAAUQ,KAAKd,KAAK;YAExC,OAAOe,cAAc;gBAACA;aAAY,GAAG,EAAE;QACzC;QAEA,OAAO,EAAE;IACX;IAEA,OAAOH,OAAOI,MAAM,GAAG,IAAIJ,SAASP;AACtC;AAEA,MAAMY,YAAY,CAACjB,QACjBD,SAASC,SAASA,QAAQK;AAE5B,MAAMa,wBAAwB,CAC5BlB;IAEA,MAAMmB,OAAOF,UAAUjB;IAEvB,IAAI,CAACmB,MAAM;QACT,OAAOd;IACT;IAEA,MAAMe,UAAUH,UAAUE,KAAKC,OAAO;IACtC,MAAMC,OAAOpB,MAAMC,OAAO,CAACkB,SAASC,QAChCD,QAAQC,IAAI,CAACR,OAAO,CAAC,CAACS;QACpB,IAAI,CAACvB,SAASuB,MAAM;YAClB,OAAO,EAAE;QACX;QAEA,MAAMjC,KAAKiB,UAAUgB,IAAIC,KAAK,KAAKjB,UAAUgB,IAAIjC,EAAE;QACnD,MAAMmC,YAAYlB,UAAUgB,IAAIE,SAAS;QAEzC,OAAOnC,MAAMmC,YACT;YACE;gBACEnC;gBACAmC;YACF;SACD,GACD,EAAE;IACR,KACA,EAAE;IACN,MAAMC,aAAaR,UAAUE,KAAKM,UAAU;IAC5C,MAAMC,qBACJD,cAAcA,WAAWE,OAAO,KAAK,QACjC;QACEC,qBAAqBjB,eAAec,WAAWG,mBAAmB;QAClEC,aAAalB,eAAec,WAAWI,WAAW;QAClDC,qBAAqBnB,eAAec,WAAWK,mBAAmB;QAClEC,yBAAyBpB,eAAec,WAAWM,uBAAuB;QAC1EC,qBAAqBrB,eAAec,WAAWO,mBAAmB;QAClEC,kBAAkBtB,eAAec,WAAWQ,gBAAgB;QAC5DC,mBACE,OAAOT,WAAWS,iBAAiB,KAAK,YACpCT,WAAWS,iBAAiB,GAC5B7B;QACN8B,UAAU7B,UAAUmB,WAAWU,QAAQ;QACvCR,SAASF,WAAWE,OAAO,KAAK;QAChCS,QAAQ9B,UAAUmB,WAAWW,MAAM;QACnCC,SAAS/B,UAAUmB,WAAWY,OAAO;QACrCC,gBAAgB9B,UAAUiB,WAAWa,cAAc;IACrD,IACAjC;IACN,MAAMkC,sBAAsBC,QAC1Bd,sBACCA,CAAAA,mBAAmBC,OAAO,IACzBD,mBAAmBS,QAAQ,IAC3BT,mBAAmBE,mBAAmB,IACtCF,mBAAmBG,WAAW,IAC9BH,mBAAmBI,mBAAmB,IACtCJ,mBAAmBK,uBAAuB,IAC1CL,mBAAmBM,mBAAmB,IACtCN,mBAAmBO,gBAAgB,IACnCP,mBAAmBQ,iBAAiB,KAAK7B,aACzCqB,mBAAmBU,MAAM,IACzBV,mBAAmBW,OAAO,IAC1BX,mBAAmBY,cAAc,KAAKjC,SAAQ;IAElD,MAAMoC,eAAqD;QACzD,GAAIpB,KAAKL,MAAM,GAAG,IACd;YACEI,SAAS;gBACPC;gBACAiB,gBAAgB9B,UAAUY,SAASkB;gBACnCI,iBAAiBlC,UAAUY,SAASsB;YACtC;QAC
F,IACA,CAAC,CAAC;QACN,GAAIH,uBAAuBb,qBACvB;YACED,YAAYC;QACd,IACA,CAAC,CAAC;IACR;IAEA,OAAOe,aAAarB,OAAO,IAAIqB,aAAahB,UAAU,GAAGgB,eAAepC;AAC1E;AAEA,MAAMsC,oBAAoB,CAACvC;IACzB,IAAI,CAACL,SAASK,MAAM;QAClB,OAAOC;IACT;IAEA,MAAMhB,KAAKc,YAAYC;IAEvB,IAAI,CAACf,MAAM,OAAOe,IAAIwC,QAAQ,KAAK,YAAY,OAAOxC,IAAIyC,SAAS,KAAK,UAAU;QAChF,OAAOxC;IACT;IAEA,OAAO;QACLhB;QACA8B,MAAMD,sBAAsBd,IAAIe,IAAI;QACpC0B,WAAWzC,IAAIyC,SAAS;QACxBD,UAAUxC,IAAIwC,QAAQ;QACtBE,YAAY,OAAO1C,IAAI0C,UAAU,KAAK,WAAW1C,IAAI0C,UAAU,GAAGzC;IACpE;AACF;AAEA,OAAO,MAAM0C,wBAAwB,OAAO,EAC1CjE,cAAc,EACdI,OAAO,EACP0D,QAAQ,EAKT;IACC,MAAMI,SAAS,MAAM9D,QAAQ+D,IAAI,CAAC;QAChC1D,YAAYT;QACZoE,OAAO;QACPC,OAAO;QACPrD,gBAAgB;QAChBsD,OAAO;YACLR,UAAU;gBACRS,QAAQT;YACV;QACF;IACF;IAEA,OAAOD,kBAAkBK,OAAOM,IAAI,CAAC,EAAE;AACzC,EAAC"}
|
|
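--- a/package/dist/security/githubOidc.d.ts
+++ b/package/dist/security/githubOidc.d.ts
@@ -1,4 +1,4 @@
-import type {
+import type { PayloadMarkdownDocsGitHubOidcAuthConfig } from '../types.js';
 import type { FetchJson } from './jwks.js';
 export type GitHubOidcErrorCode = 'oidc_environment_not_allowed' | 'oidc_expired' | 'oidc_invalid_audience' | 'oidc_invalid_issuer' | 'oidc_invalid_token' | 'oidc_jwks_unavailable' | 'oidc_missing_claim' | 'oidc_missing_jti' | 'oidc_not_yet_valid' | 'oidc_owner_not_allowed' | 'oidc_pull_request_not_allowed' | 'oidc_ref_not_allowed' | 'oidc_repository_not_allowed' | 'oidc_workflow_not_allowed';
 export type GitHubOidcClaims = {
@@ -33,9 +33,7 @@ export type VerifyGitHubOidcTokenResult = {
 ok: true;
 token: VerifiedGitHubOidcToken;
 };
-type GitHubOidcAuthConfig =
-mode: 'github-oidc';
-}>;
+type GitHubOidcAuthConfig = PayloadMarkdownDocsGitHubOidcAuthConfig;
 export declare const verifyGitHubOidcToken: ({ config, fetchJson, now, token, }: {
 config: GitHubOidcAuthConfig;
 fetchJson?: FetchJson;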
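Review bot: With `type GitHubOidcAuthConfig = PayloadMarkdownDocsGitHubOidcAuthConfig;` the verifier's `config` parameter is no longer narrowed by the `mode: 'github-oidc'` member, so whether `audience` is still a required field now depends on the definition in `../types.js`, which this section does not show. The docsSets.ts source embedded elsewhere on this page builds a GitHub OIDC policy from a stored docs-set record with `audience: getString(githubOidc.audience)`, which can be undefined and presumably reaches this verifier, and the 0.2.1 verifier body passes `config.audience` straight to `audienceMatches`. That comparison appears to fail closed for a missing value, but an explicit guard in src/security/githubOidc.ts would make the requirement visible and independent of the type: `if (!isString(config.audience)) return issue('oidc_invalid_audience', 'GitHub OIDC token audience is not allowed.')`. The local alias adds nothing over the imported name and could be dropped in favour of `config: PayloadMarkdownDocsGitHubOidcAuthConfig`; the `verifyGitHubOidcToken` declaration continues past the end of this hunk.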
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/security/githubOidc.ts"],"sourcesContent":["import {\n createPublicKey,\n type JsonWebKey,\n verify,\n} from 'node:crypto'\n\nimport type { PayloadMarkdownDocsAuthConfig } from '../types.js'\nimport type { FetchJson } from './jwks.js'\n\nimport {\n DEFAULT_GITHUB_OIDC_ISSUER,\n DEFAULT_MAX_SKEW_SECONDS,\n} from '../constants.js'\nimport {\n fetchJwks,\n findJwkByKid,\n getGithubOidcJwksUrl,\n} from './jwks.js'\nimport { decodeJwt } from './jwt.js'\n\nexport type GitHubOidcErrorCode =\n | 'oidc_environment_not_allowed'\n | 'oidc_expired'\n | 'oidc_invalid_audience'\n | 'oidc_invalid_issuer'\n | 'oidc_invalid_token'\n | 'oidc_jwks_unavailable'\n | 'oidc_missing_claim'\n | 'oidc_missing_jti'\n | 'oidc_not_yet_valid'\n | 'oidc_owner_not_allowed'\n | 'oidc_pull_request_not_allowed'\n | 'oidc_ref_not_allowed'\n | 'oidc_repository_not_allowed'\n | 'oidc_workflow_not_allowed'\n\nexport type GitHubOidcClaims = {\n actor?: string\n aud: string | string[]\n environment?: string\n event_name?: string\n exp: number\n iat: number\n iss: string\n job_workflow_ref?: string\n jti: string\n nbf?: number\n ref: string\n repository: string\n repository_owner: string\n sha?: string\n sub: string\n workflow?: string\n workflow_ref?: string\n}\n\nexport type VerifiedGitHubOidcToken = {\n claims: GitHubOidcClaims\n expiresAt: Date\n keyId: string\n}\n\nexport type VerifyGitHubOidcTokenResult =\n | {\n code: GitHubOidcErrorCode\n message: string\n ok: false\n }\n | {\n ok: true\n token: VerifiedGitHubOidcToken\n }\n\ntype GitHubOidcAuthConfig = Extract<\n PayloadMarkdownDocsAuthConfig,\n { mode: 'github-oidc' }\n>\n\nconst isString = (value: unknown): value is string =>\n typeof value === 'string' && value.trim() !== ''\n\nconst isStringArray = (value: unknown): value is string[] =>\n Array.isArray(value) && value.every(isString)\n\nconst isNumber = (value: unknown): value is number =>\n typeof value === 'number' && Number.isFinite(value)\n\nconst 
getStringClaim = (\n payload: Record<string, unknown>,\n claim: string,\n): string | undefined => {\n const value = payload[claim]\n\n return isString(value) ? value : undefined\n}\n\nconst getNumberClaim = (\n payload: Record<string, unknown>,\n claim: string,\n): number | undefined => {\n const value = payload[claim]\n\n return isNumber(value) ? value : undefined\n}\n\nconst getAudienceClaim = (\n payload: Record<string, unknown>,\n): string | string[] | undefined => {\n const value = payload.aud\n\n if (isString(value) || isStringArray(value)) {\n return value\n }\n\n return undefined\n}\n\nconst toClaims = (\n payload: Record<string, unknown>,\n): GitHubOidcClaims | undefined => {\n const aud = getAudienceClaim(payload)\n const exp = getNumberClaim(payload, 'exp')\n const iat = getNumberClaim(payload, 'iat')\n const iss = getStringClaim(payload, 'iss')\n const jti = getStringClaim(payload, 'jti')\n const ref = getStringClaim(payload, 'ref')\n const repository = getStringClaim(payload, 'repository')\n const repositoryOwner = getStringClaim(payload, 'repository_owner')\n const sub = getStringClaim(payload, 'sub')\n\n if (\n !aud ||\n exp === undefined ||\n iat === undefined ||\n !iss ||\n !jti ||\n !ref ||\n !repository ||\n !repositoryOwner ||\n !sub\n ) {\n return undefined\n }\n\n return {\n actor: getStringClaim(payload, 'actor'),\n aud,\n environment: getStringClaim(payload, 'environment'),\n event_name: getStringClaim(payload, 'event_name'),\n exp,\n iat,\n iss,\n job_workflow_ref: getStringClaim(payload, 'job_workflow_ref'),\n jti,\n nbf: getNumberClaim(payload, 'nbf'),\n ref,\n repository,\n repository_owner: repositoryOwner,\n sha: getStringClaim(payload, 'sha'),\n sub,\n workflow: getStringClaim(payload, 'workflow'),\n workflow_ref: getStringClaim(payload, 'workflow_ref'),\n }\n}\n\nconst issue = (\n code: GitHubOidcErrorCode,\n message: string,\n): VerifyGitHubOidcTokenResult => ({\n code,\n message,\n ok: false,\n})\n\nconst includesIfConfigured = (\n 
allowed: string[] | undefined,\n value: string | undefined,\n): boolean => {\n if (!allowed || allowed.length === 0) {\n return true\n }\n\n return value !== undefined && allowed.includes(value)\n}\n\nconst audienceMatches = (\n audience: string | string[],\n expected: string,\n): boolean =>\n Array.isArray(audience) ? audience.includes(expected) : audience === expected\n\nconst verifyJwtSignature = ({\n jwk,\n signature,\n signingInput,\n}: {\n jwk: Record<string, unknown>\n signature: Buffer\n signingInput: string\n}): boolean => {\n try {\n const publicKey = createPublicKey({\n format: 'jwk',\n key: jwk as JsonWebKey,\n })\n\n return verify(\n 'RSA-SHA256',\n Buffer.from(signingInput, 'utf8'),\n publicKey,\n signature,\n )\n } catch {\n return false\n }\n}\n\nexport const verifyGitHubOidcToken = async ({\n config,\n fetchJson,\n now = new Date(),\n token,\n}: {\n config: GitHubOidcAuthConfig\n fetchJson?: FetchJson\n now?: Date\n token: string\n}): Promise<VerifyGitHubOidcTokenResult> => {\n const decoded = decodeJwt(token)\n\n if (!decoded) {\n return issue('oidc_invalid_token', 'GitHub OIDC token is malformed.')\n }\n\n if (decoded.header.alg !== 'RS256') {\n return issue('oidc_invalid_token', 'GitHub OIDC token must use RS256.')\n }\n\n if (!isString(decoded.header.kid)) {\n return issue('oidc_invalid_token', 'GitHub OIDC token is missing kid.')\n }\n\n const issuer = config.issuer ?? 
DEFAULT_GITHUB_OIDC_ISSUER\n let jwksUrl: string\n\n try {\n jwksUrl = await getGithubOidcJwksUrl({\n fetchJson,\n issuer,\n jwksUrl: config.jwksUrl,\n })\n const jwks = await fetchJwks({\n fetchJson,\n now,\n url: jwksUrl,\n })\n const jwk = findJwkByKid({\n jwks,\n kid: decoded.header.kid,\n })\n\n if (\n !jwk ||\n !verifyJwtSignature({\n jwk,\n signature: decoded.signature,\n signingInput: decoded.signingInput,\n })\n ) {\n return issue('oidc_invalid_token', 'GitHub OIDC token signature is invalid.')\n }\n } catch {\n return issue('oidc_jwks_unavailable', 'GitHub OIDC signing keys are unavailable.')\n }\n\n if (!isString(decoded.payload.jti)) {\n return issue('oidc_missing_jti', 'GitHub OIDC token is missing jti.')\n }\n\n const claims = toClaims(decoded.payload)\n\n if (!claims) {\n return issue('oidc_missing_claim', 'GitHub OIDC token is missing a required claim.')\n }\n\n if (claims.iss !== issuer) {\n return issue('oidc_invalid_issuer', 'GitHub OIDC token issuer is not allowed.')\n }\n\n if (!audienceMatches(claims.aud, config.audience)) {\n return issue('oidc_invalid_audience', 'GitHub OIDC token audience is not allowed.')\n }\n\n const maxSkewSeconds = config.maxSkewSeconds ?? DEFAULT_MAX_SKEW_SECONDS\n const nowSeconds = now.getTime() / 1000\n\n if (claims.exp + maxSkewSeconds < nowSeconds) {\n return issue('oidc_expired', 'GitHub OIDC token has expired.')\n }\n\n if (claims.nbf !== undefined && claims.nbf - maxSkewSeconds > nowSeconds) {\n return issue('oidc_not_yet_valid', 'GitHub OIDC token is not valid yet.')\n }\n\n if (claims.iat - maxSkewSeconds > nowSeconds) {\n return issue('oidc_not_yet_valid', 'GitHub OIDC token was issued in the future.')\n }\n\n const hasRepositoryAllowlist =\n (config.allowedRepositories?.length ?? 0) > 0 ||\n (config.allowedRepositoryOwners?.length ?? 
0) > 0\n\n if (!hasRepositoryAllowlist) {\n return issue(\n 'oidc_repository_not_allowed',\n 'GitHub OIDC auth requires an allowed repository or repository owner.',\n )\n }\n\n if (!includesIfConfigured(config.allowedRepositories, claims.repository)) {\n return issue(\n 'oidc_repository_not_allowed',\n 'GitHub OIDC token repository is not allowed.',\n )\n }\n\n if (!includesIfConfigured(config.allowedRepositoryOwners, claims.repository_owner)) {\n return issue(\n 'oidc_owner_not_allowed',\n 'GitHub OIDC token repository owner is not allowed.',\n )\n }\n\n if (!includesIfConfigured(config.allowedRefs, claims.ref)) {\n return issue('oidc_ref_not_allowed', 'GitHub OIDC token ref is not allowed.')\n }\n\n if (!includesIfConfigured(config.allowedWorkflows, claims.workflow)) {\n return issue(\n 'oidc_workflow_not_allowed',\n 'GitHub OIDC token workflow is not allowed.',\n )\n }\n\n const workflowRef = claims.workflow_ref ?? claims.job_workflow_ref\n\n if (!includesIfConfigured(config.allowedWorkflowRefs, workflowRef)) {\n return issue(\n 'oidc_workflow_not_allowed',\n 'GitHub OIDC token workflow ref is not allowed.',\n )\n }\n\n if (!includesIfConfigured(config.allowedEnvironments, claims.environment)) {\n return issue(\n 'oidc_environment_not_allowed',\n 'GitHub OIDC token environment is not allowed.',\n )\n }\n\n if (claims.event_name === 'pull_request' && config.allowPullRequests !== true) {\n return issue(\n 'oidc_pull_request_not_allowed',\n 'GitHub OIDC pull request events are not allowed.',\n )\n }\n\n return {\n ok: true,\n token: {\n claims,\n expiresAt: new Date(claims.exp * 1000),\n keyId: `github-oidc:${claims.repository}`,\n },\n 
}\n}\n"],"names":["createPublicKey","verify","DEFAULT_GITHUB_OIDC_ISSUER","DEFAULT_MAX_SKEW_SECONDS","fetchJwks","findJwkByKid","getGithubOidcJwksUrl","decodeJwt","isString","value","trim","isStringArray","Array","isArray","every","isNumber","Number","isFinite","getStringClaim","payload","claim","undefined","getNumberClaim","getAudienceClaim","aud","toClaims","exp","iat","iss","jti","ref","repository","repositoryOwner","sub","actor","environment","event_name","job_workflow_ref","nbf","repository_owner","sha","workflow","workflow_ref","issue","code","message","ok","includesIfConfigured","allowed","length","includes","audienceMatches","audience","expected","verifyJwtSignature","jwk","signature","signingInput","publicKey","format","key","Buffer","from","verifyGitHubOidcToken","config","fetchJson","now","Date","token","decoded","header","alg","kid","issuer","jwksUrl","jwks","url","claims","maxSkewSeconds","nowSeconds","getTime","hasRepositoryAllowlist","allowedRepositories","allowedRepositoryOwners","allowedRefs","allowedWorkflows","workflowRef","allowedWorkflowRefs","allowedEnvironments","allowPullRequests","expiresAt","keyId"],"mappings":"AAAA,SACEA,eAAe,EAEfC,MAAM,QACD,cAAa;AAKpB,SACEC,0BAA0B,EAC1BC,wBAAwB,QACnB,kBAAiB;AACxB,SACEC,SAAS,EACTC,YAAY,EACZC,oBAAoB,QACf,YAAW;AAClB,SAASC,SAAS,QAAQ,WAAU;AA4DpC,MAAMC,WAAW,CAACC,QAChB,OAAOA,UAAU,YAAYA,MAAMC,IAAI,OAAO;AAEhD,MAAMC,gBAAgB,CAACF,QACrBG,MAAMC,OAAO,CAACJ,UAAUA,MAAMK,KAAK,CAACN;AAEtC,MAAMO,WAAW,CAACN,QAChB,OAAOA,UAAU,YAAYO,OAAOC,QAAQ,CAACR;AAE/C,MAAMS,iBAAiB,CACrBC,SACAC;IAEA,MAAMX,QAAQU,OAAO,CAACC,MAAM;IAE5B,OAAOZ,SAASC,SAASA,QAAQY;AACnC;AAEA,MAAMC,iBAAiB,CACrBH,SACAC;IAEA,MAAMX,QAAQU,OAAO,CAACC,MAAM;IAE5B,OAAOL,SAASN,SAASA,QAAQY;AACnC;AAEA,MAAME,mBAAmB,CACvBJ;IAEA,MAAMV,QAAQU,QAAQK,GAAG;IAEzB,IAAIhB,SAASC,UAAUE,cAAcF,QAAQ;QAC3C,OAAOA;IACT;IAEA,OAAOY;AACT;AAEA,MAAMI,WAAW,CACfN;IAEA,MAAMK,MAAMD,iBAAiBJ;IAC7B,MAAMO,MAAMJ,eAAeH,SAAS;IACpC,MAAMQ,MAAML,eAAeH,SAAS;IACpC,MAAMS,MAAMV,eAAeC,SAAS;IACpC,MAAMU,MAAMX,eAAeC,SAAS;
IACpC,MAAMW,MAAMZ,eAAeC,SAAS;IACpC,MAAMY,aAAab,eAAeC,SAAS;IAC3C,MAAMa,kBAAkBd,eAAeC,SAAS;IAChD,MAAMc,MAAMf,eAAeC,SAAS;IAEpC,IACE,CAACK,OACDE,QAAQL,aACRM,QAAQN,aACR,CAACO,OACD,CAACC,OACD,CAACC,OACD,CAACC,cACD,CAACC,mBACD,CAACC,KACD;QACA,OAAOZ;IACT;IAEA,OAAO;QACLa,OAAOhB,eAAeC,SAAS;QAC/BK;QACAW,aAAajB,eAAeC,SAAS;QACrCiB,YAAYlB,eAAeC,SAAS;QACpCO;QACAC;QACAC;QACAS,kBAAkBnB,eAAeC,SAAS;QAC1CU;QACAS,KAAKhB,eAAeH,SAAS;QAC7BW;QACAC;QACAQ,kBAAkBP;QAClBQ,KAAKtB,eAAeC,SAAS;QAC7Bc;QACAQ,UAAUvB,eAAeC,SAAS;QAClCuB,cAAcxB,eAAeC,SAAS;IACxC;AACF;AAEA,MAAMwB,QAAQ,CACZC,MACAC,UACiC,CAAA;QACjCD;QACAC;QACAC,IAAI;IACN,CAAA;AAEA,MAAMC,uBAAuB,CAC3BC,SACAvC;IAEA,IAAI,CAACuC,WAAWA,QAAQC,MAAM,KAAK,GAAG;QACpC,OAAO;IACT;IAEA,OAAOxC,UAAUY,aAAa2B,QAAQE,QAAQ,CAACzC;AACjD;AAEA,MAAM0C,kBAAkB,CACtBC,UACAC,WAEAzC,MAAMC,OAAO,CAACuC,YAAYA,SAASF,QAAQ,CAACG,YAAYD,aAAaC;AAEvE,MAAMC,qBAAqB,CAAC,EAC1BC,GAAG,EACHC,SAAS,EACTC,YAAY,EAKb;IACC,IAAI;QACF,MAAMC,YAAY1D,gBAAgB;YAChC2D,QAAQ;YACRC,KAAKL;QACP;QAEA,OAAOtD,OACL,cACA4D,OAAOC,IAAI,CAACL,cAAc,SAC1BC,WACAF;IAEJ,EAAE,OAAM;QACN,OAAO;IACT;AACF;AAEA,OAAO,MAAMO,wBAAwB,OAAO,EAC1CC,MAAM,EACNC,SAAS,EACTC,MAAM,IAAIC,MAAM,EAChBC,KAAK,EAMN;IACC,MAAMC,UAAU9D,UAAU6D;IAE1B,IAAI,CAACC,SAAS;QACZ,OAAO1B,MAAM,sBAAsB;IACrC;IAEA,IAAI0B,QAAQC,MAAM,CAACC,GAAG,KAAK,SAAS;QAClC,OAAO5B,MAAM,sBAAsB;IACrC;IAEA,IAAI,CAACnC,SAAS6D,QAAQC,MAAM,CAACE,GAAG,GAAG;QACjC,OAAO7B,MAAM,sBAAsB;IACrC;IAEA,MAAM8B,SAAST,OAAOS,MAAM,IAAIvE;IAChC,IAAIwE;IAEJ,IAAI;QACFA,UAAU,MAAMpE,qBAAqB;YACnC2D;YACAQ;YACAC,SAASV,OAAOU,OAAO;QACzB;QACA,MAAMC,OAAO,MAAMvE,UAAU;YAC3B6D;YACAC;YACAU,KAAKF;QACP;QACA,MAAMnB,MAAMlD,aAAa;YACvBsE;YACAH,KAAKH,QAAQC,MAAM,CAACE,GAAG;QACzB;QAEA,IACE,CAACjB,OACD,CAACD,mBAAmB;YAClBC;YACAC,WAAWa,QAAQb,SAAS;YAC5BC,cAAcY,QAAQZ,YAAY;QACpC,IACA;YACA,OAAOd,MAAM,sBAAsB;QACrC;IACF,EAAE,OAAM;QACN,OAAOA,MAAM,yBAAyB;IACxC;IAEA,IAAI,CAACnC,SAAS6D,QAAQlD,OAAO,CAACU,GAAG,GAAG;QAClC,OAAOc,MAAM,oBAAoB;IACnC;IAEA,MAAMkC,SAASpD,SAAS4C,QAAQlD,OAAO;IAEvC,IAAI,CAAC0D,QAAQ;QACX,OAAOlC,MAAM,sBAAsB;IACrC;IAEA,IAAI
kC,OAAOjD,GAAG,KAAK6C,QAAQ;QACzB,OAAO9B,MAAM,uBAAuB;IACtC;IAEA,IAAI,CAACQ,gBAAgB0B,OAAOrD,GAAG,EAAEwC,OAAOZ,QAAQ,GAAG;QACjD,OAAOT,MAAM,yBAAyB;IACxC;IAEA,MAAMmC,iBAAiBd,OAAOc,cAAc,IAAI3E;IAChD,MAAM4E,aAAab,IAAIc,OAAO,KAAK;IAEnC,IAAIH,OAAOnD,GAAG,GAAGoD,iBAAiBC,YAAY;QAC5C,OAAOpC,MAAM,gBAAgB;IAC/B;IAEA,IAAIkC,OAAOvC,GAAG,KAAKjB,aAAawD,OAAOvC,GAAG,GAAGwC,iBAAiBC,YAAY;QACxE,OAAOpC,MAAM,sBAAsB;IACrC;IAEA,IAAIkC,OAAOlD,GAAG,GAAGmD,iBAAiBC,YAAY;QAC5C,OAAOpC,MAAM,sBAAsB;IACrC;IAEA,MAAMsC,yBACJ,AAACjB,CAAAA,OAAOkB,mBAAmB,EAAEjC,UAAU,CAAA,IAAK,KAC5C,AAACe,CAAAA,OAAOmB,uBAAuB,EAAElC,UAAU,CAAA,IAAK;IAElD,IAAI,CAACgC,wBAAwB;QAC3B,OAAOtC,MACL,+BACA;IAEJ;IAEA,IAAI,CAACI,qBAAqBiB,OAAOkB,mBAAmB,EAAEL,OAAO9C,UAAU,GAAG;QACxE,OAAOY,MACL,+BACA;IAEJ;IAEA,IAAI,CAACI,qBAAqBiB,OAAOmB,uBAAuB,EAAEN,OAAOtC,gBAAgB,GAAG;QAClF,OAAOI,MACL,0BACA;IAEJ;IAEA,IAAI,CAACI,qBAAqBiB,OAAOoB,WAAW,EAAEP,OAAO/C,GAAG,GAAG;QACzD,OAAOa,MAAM,wBAAwB;IACvC;IAEA,IAAI,CAACI,qBAAqBiB,OAAOqB,gBAAgB,EAAER,OAAOpC,QAAQ,GAAG;QACnE,OAAOE,MACL,6BACA;IAEJ;IAEA,MAAM2C,cAAcT,OAAOnC,YAAY,IAAImC,OAAOxC,gBAAgB;IAElE,IAAI,CAACU,qBAAqBiB,OAAOuB,mBAAmB,EAAED,cAAc;QAClE,OAAO3C,MACL,6BACA;IAEJ;IAEA,IAAI,CAACI,qBAAqBiB,OAAOwB,mBAAmB,EAAEX,OAAO1C,WAAW,GAAG;QACzE,OAAOQ,MACL,gCACA;IAEJ;IAEA,IAAIkC,OAAOzC,UAAU,KAAK,kBAAkB4B,OAAOyB,iBAAiB,KAAK,MAAM;QAC7E,OAAO9C,MACL,iCACA;IAEJ;IAEA,OAAO;QACLG,IAAI;QACJsB,OAAO;YACLS;YACAa,WAAW,IAAIvB,KAAKU,OAAOnD,GAAG,GAAG;YACjCiE,OAAO,CAAC,YAAY,EAAEd,OAAO9C,UAAU,EAAE;QAC3C;IACF;AACF,EAAC"}
|
|
1
|
+
{"version":3,"sources":["../../src/security/githubOidc.ts"],"sourcesContent":["import {\n createPublicKey,\n type JsonWebKey,\n verify,\n} from 'node:crypto'\n\nimport type { PayloadMarkdownDocsGitHubOidcAuthConfig } from '../types.js'\nimport type { FetchJson } from './jwks.js'\n\nimport {\n DEFAULT_GITHUB_OIDC_ISSUER,\n DEFAULT_MAX_SKEW_SECONDS,\n} from '../constants.js'\nimport {\n fetchJwks,\n findJwkByKid,\n getGithubOidcJwksUrl,\n} from './jwks.js'\nimport { decodeJwt } from './jwt.js'\n\nexport type GitHubOidcErrorCode =\n | 'oidc_environment_not_allowed'\n | 'oidc_expired'\n | 'oidc_invalid_audience'\n | 'oidc_invalid_issuer'\n | 'oidc_invalid_token'\n | 'oidc_jwks_unavailable'\n | 'oidc_missing_claim'\n | 'oidc_missing_jti'\n | 'oidc_not_yet_valid'\n | 'oidc_owner_not_allowed'\n | 'oidc_pull_request_not_allowed'\n | 'oidc_ref_not_allowed'\n | 'oidc_repository_not_allowed'\n | 'oidc_workflow_not_allowed'\n\nexport type GitHubOidcClaims = {\n actor?: string\n aud: string | string[]\n environment?: string\n event_name?: string\n exp: number\n iat: number\n iss: string\n job_workflow_ref?: string\n jti: string\n nbf?: number\n ref: string\n repository: string\n repository_owner: string\n sha?: string\n sub: string\n workflow?: string\n workflow_ref?: string\n}\n\nexport type VerifiedGitHubOidcToken = {\n claims: GitHubOidcClaims\n expiresAt: Date\n keyId: string\n}\n\nexport type VerifyGitHubOidcTokenResult =\n | {\n code: GitHubOidcErrorCode\n message: string\n ok: false\n }\n | {\n ok: true\n token: VerifiedGitHubOidcToken\n }\n\ntype GitHubOidcAuthConfig = PayloadMarkdownDocsGitHubOidcAuthConfig\n\nconst isString = (value: unknown): value is string =>\n typeof value === 'string' && value.trim() !== ''\n\nconst isStringArray = (value: unknown): value is string[] =>\n Array.isArray(value) && value.every(isString)\n\nconst isNumber = (value: unknown): value is number =>\n typeof value === 'number' && Number.isFinite(value)\n\nconst getStringClaim = (\n 
payload: Record<string, unknown>,\n claim: string,\n): string | undefined => {\n const value = payload[claim]\n\n return isString(value) ? value : undefined\n}\n\nconst getNumberClaim = (\n payload: Record<string, unknown>,\n claim: string,\n): number | undefined => {\n const value = payload[claim]\n\n return isNumber(value) ? value : undefined\n}\n\nconst getAudienceClaim = (\n payload: Record<string, unknown>,\n): string | string[] | undefined => {\n const value = payload.aud\n\n if (isString(value) || isStringArray(value)) {\n return value\n }\n\n return undefined\n}\n\nconst toClaims = (\n payload: Record<string, unknown>,\n): GitHubOidcClaims | undefined => {\n const aud = getAudienceClaim(payload)\n const exp = getNumberClaim(payload, 'exp')\n const iat = getNumberClaim(payload, 'iat')\n const iss = getStringClaim(payload, 'iss')\n const jti = getStringClaim(payload, 'jti')\n const ref = getStringClaim(payload, 'ref')\n const repository = getStringClaim(payload, 'repository')\n const repositoryOwner = getStringClaim(payload, 'repository_owner')\n const sub = getStringClaim(payload, 'sub')\n\n if (\n !aud ||\n exp === undefined ||\n iat === undefined ||\n !iss ||\n !jti ||\n !ref ||\n !repository ||\n !repositoryOwner ||\n !sub\n ) {\n return undefined\n }\n\n return {\n actor: getStringClaim(payload, 'actor'),\n aud,\n environment: getStringClaim(payload, 'environment'),\n event_name: getStringClaim(payload, 'event_name'),\n exp,\n iat,\n iss,\n job_workflow_ref: getStringClaim(payload, 'job_workflow_ref'),\n jti,\n nbf: getNumberClaim(payload, 'nbf'),\n ref,\n repository,\n repository_owner: repositoryOwner,\n sha: getStringClaim(payload, 'sha'),\n sub,\n workflow: getStringClaim(payload, 'workflow'),\n workflow_ref: getStringClaim(payload, 'workflow_ref'),\n }\n}\n\nconst issue = (\n code: GitHubOidcErrorCode,\n message: string,\n): VerifyGitHubOidcTokenResult => ({\n code,\n message,\n ok: false,\n})\n\nconst includesIfConfigured = (\n allowed: string[] | 
undefined,\n value: string | undefined,\n): boolean => {\n if (!allowed || allowed.length === 0) {\n return true\n }\n\n return value !== undefined && allowed.includes(value)\n}\n\nconst audienceMatches = (\n audience: string | string[],\n expected: string,\n): boolean =>\n Array.isArray(audience) ? audience.includes(expected) : audience === expected\n\nconst verifyJwtSignature = ({\n jwk,\n signature,\n signingInput,\n}: {\n jwk: Record<string, unknown>\n signature: Buffer\n signingInput: string\n}): boolean => {\n try {\n const publicKey = createPublicKey({\n format: 'jwk',\n key: jwk as JsonWebKey,\n })\n\n return verify(\n 'RSA-SHA256',\n Buffer.from(signingInput, 'utf8'),\n publicKey,\n signature,\n )\n } catch {\n return false\n }\n}\n\nexport const verifyGitHubOidcToken = async ({\n config,\n fetchJson,\n now = new Date(),\n token,\n}: {\n config: GitHubOidcAuthConfig\n fetchJson?: FetchJson\n now?: Date\n token: string\n}): Promise<VerifyGitHubOidcTokenResult> => {\n const decoded = decodeJwt(token)\n\n if (!decoded) {\n return issue('oidc_invalid_token', 'GitHub OIDC token is malformed.')\n }\n\n if (decoded.header.alg !== 'RS256') {\n return issue('oidc_invalid_token', 'GitHub OIDC token must use RS256.')\n }\n\n if (!isString(decoded.header.kid)) {\n return issue('oidc_invalid_token', 'GitHub OIDC token is missing kid.')\n }\n\n const issuer = config.issuer ?? 
DEFAULT_GITHUB_OIDC_ISSUER\n let jwksUrl: string\n\n try {\n jwksUrl = await getGithubOidcJwksUrl({\n fetchJson,\n issuer,\n jwksUrl: config.jwksUrl,\n })\n const jwks = await fetchJwks({\n fetchJson,\n now,\n url: jwksUrl,\n })\n const jwk = findJwkByKid({\n jwks,\n kid: decoded.header.kid,\n })\n\n if (\n !jwk ||\n !verifyJwtSignature({\n jwk,\n signature: decoded.signature,\n signingInput: decoded.signingInput,\n })\n ) {\n return issue('oidc_invalid_token', 'GitHub OIDC token signature is invalid.')\n }\n } catch {\n return issue('oidc_jwks_unavailable', 'GitHub OIDC signing keys are unavailable.')\n }\n\n if (!isString(decoded.payload.jti)) {\n return issue('oidc_missing_jti', 'GitHub OIDC token is missing jti.')\n }\n\n const claims = toClaims(decoded.payload)\n\n if (!claims) {\n return issue('oidc_missing_claim', 'GitHub OIDC token is missing a required claim.')\n }\n\n if (claims.iss !== issuer) {\n return issue('oidc_invalid_issuer', 'GitHub OIDC token issuer is not allowed.')\n }\n\n if (!audienceMatches(claims.aud, config.audience)) {\n return issue('oidc_invalid_audience', 'GitHub OIDC token audience is not allowed.')\n }\n\n const maxSkewSeconds = config.maxSkewSeconds ?? DEFAULT_MAX_SKEW_SECONDS\n const nowSeconds = now.getTime() / 1000\n\n if (claims.exp + maxSkewSeconds < nowSeconds) {\n return issue('oidc_expired', 'GitHub OIDC token has expired.')\n }\n\n if (claims.nbf !== undefined && claims.nbf - maxSkewSeconds > nowSeconds) {\n return issue('oidc_not_yet_valid', 'GitHub OIDC token is not valid yet.')\n }\n\n if (claims.iat - maxSkewSeconds > nowSeconds) {\n return issue('oidc_not_yet_valid', 'GitHub OIDC token was issued in the future.')\n }\n\n const hasRepositoryAllowlist =\n (config.allowedRepositories?.length ?? 0) > 0 ||\n (config.allowedRepositoryOwners?.length ?? 
0) > 0\n\n if (!hasRepositoryAllowlist) {\n return issue(\n 'oidc_repository_not_allowed',\n 'GitHub OIDC auth requires an allowed repository or repository owner.',\n )\n }\n\n if (!includesIfConfigured(config.allowedRepositories, claims.repository)) {\n return issue(\n 'oidc_repository_not_allowed',\n 'GitHub OIDC token repository is not allowed.',\n )\n }\n\n if (!includesIfConfigured(config.allowedRepositoryOwners, claims.repository_owner)) {\n return issue(\n 'oidc_owner_not_allowed',\n 'GitHub OIDC token repository owner is not allowed.',\n )\n }\n\n if (!includesIfConfigured(config.allowedRefs, claims.ref)) {\n return issue('oidc_ref_not_allowed', 'GitHub OIDC token ref is not allowed.')\n }\n\n if (!includesIfConfigured(config.allowedWorkflows, claims.workflow)) {\n return issue(\n 'oidc_workflow_not_allowed',\n 'GitHub OIDC token workflow is not allowed.',\n )\n }\n\n const workflowRef = claims.workflow_ref ?? claims.job_workflow_ref\n\n if (!includesIfConfigured(config.allowedWorkflowRefs, workflowRef)) {\n return issue(\n 'oidc_workflow_not_allowed',\n 'GitHub OIDC token workflow ref is not allowed.',\n )\n }\n\n if (!includesIfConfigured(config.allowedEnvironments, claims.environment)) {\n return issue(\n 'oidc_environment_not_allowed',\n 'GitHub OIDC token environment is not allowed.',\n )\n }\n\n if (claims.event_name === 'pull_request' && config.allowPullRequests !== true) {\n return issue(\n 'oidc_pull_request_not_allowed',\n 'GitHub OIDC pull request events are not allowed.',\n )\n }\n\n return {\n ok: true,\n token: {\n claims,\n expiresAt: new Date(claims.exp * 1000),\n keyId: `github-oidc:${claims.repository}`,\n },\n 
}\n}\n"],"names":["createPublicKey","verify","DEFAULT_GITHUB_OIDC_ISSUER","DEFAULT_MAX_SKEW_SECONDS","fetchJwks","findJwkByKid","getGithubOidcJwksUrl","decodeJwt","isString","value","trim","isStringArray","Array","isArray","every","isNumber","Number","isFinite","getStringClaim","payload","claim","undefined","getNumberClaim","getAudienceClaim","aud","toClaims","exp","iat","iss","jti","ref","repository","repositoryOwner","sub","actor","environment","event_name","job_workflow_ref","nbf","repository_owner","sha","workflow","workflow_ref","issue","code","message","ok","includesIfConfigured","allowed","length","includes","audienceMatches","audience","expected","verifyJwtSignature","jwk","signature","signingInput","publicKey","format","key","Buffer","from","verifyGitHubOidcToken","config","fetchJson","now","Date","token","decoded","header","alg","kid","issuer","jwksUrl","jwks","url","claims","maxSkewSeconds","nowSeconds","getTime","hasRepositoryAllowlist","allowedRepositories","allowedRepositoryOwners","allowedRefs","allowedWorkflows","workflowRef","allowedWorkflowRefs","allowedEnvironments","allowPullRequests","expiresAt","keyId"],"mappings":"AAAA,SACEA,eAAe,EAEfC,MAAM,QACD,cAAa;AAKpB,SACEC,0BAA0B,EAC1BC,wBAAwB,QACnB,kBAAiB;AACxB,SACEC,SAAS,EACTC,YAAY,EACZC,oBAAoB,QACf,YAAW;AAClB,SAASC,SAAS,QAAQ,WAAU;AAyDpC,MAAMC,WAAW,CAACC,QAChB,OAAOA,UAAU,YAAYA,MAAMC,IAAI,OAAO;AAEhD,MAAMC,gBAAgB,CAACF,QACrBG,MAAMC,OAAO,CAACJ,UAAUA,MAAMK,KAAK,CAACN;AAEtC,MAAMO,WAAW,CAACN,QAChB,OAAOA,UAAU,YAAYO,OAAOC,QAAQ,CAACR;AAE/C,MAAMS,iBAAiB,CACrBC,SACAC;IAEA,MAAMX,QAAQU,OAAO,CAACC,MAAM;IAE5B,OAAOZ,SAASC,SAASA,QAAQY;AACnC;AAEA,MAAMC,iBAAiB,CACrBH,SACAC;IAEA,MAAMX,QAAQU,OAAO,CAACC,MAAM;IAE5B,OAAOL,SAASN,SAASA,QAAQY;AACnC;AAEA,MAAME,mBAAmB,CACvBJ;IAEA,MAAMV,QAAQU,QAAQK,GAAG;IAEzB,IAAIhB,SAASC,UAAUE,cAAcF,QAAQ;QAC3C,OAAOA;IACT;IAEA,OAAOY;AACT;AAEA,MAAMI,WAAW,CACfN;IAEA,MAAMK,MAAMD,iBAAiBJ;IAC7B,MAAMO,MAAMJ,eAAeH,SAAS;IACpC,MAAMQ,MAAML,eAAeH,SAAS;IACpC,MAAMS,MAAMV,eAAeC,SAAS;IACpC,MAAMU,MAAMX,eAAeC,SAAS;
IACpC,MAAMW,MAAMZ,eAAeC,SAAS;IACpC,MAAMY,aAAab,eAAeC,SAAS;IAC3C,MAAMa,kBAAkBd,eAAeC,SAAS;IAChD,MAAMc,MAAMf,eAAeC,SAAS;IAEpC,IACE,CAACK,OACDE,QAAQL,aACRM,QAAQN,aACR,CAACO,OACD,CAACC,OACD,CAACC,OACD,CAACC,cACD,CAACC,mBACD,CAACC,KACD;QACA,OAAOZ;IACT;IAEA,OAAO;QACLa,OAAOhB,eAAeC,SAAS;QAC/BK;QACAW,aAAajB,eAAeC,SAAS;QACrCiB,YAAYlB,eAAeC,SAAS;QACpCO;QACAC;QACAC;QACAS,kBAAkBnB,eAAeC,SAAS;QAC1CU;QACAS,KAAKhB,eAAeH,SAAS;QAC7BW;QACAC;QACAQ,kBAAkBP;QAClBQ,KAAKtB,eAAeC,SAAS;QAC7Bc;QACAQ,UAAUvB,eAAeC,SAAS;QAClCuB,cAAcxB,eAAeC,SAAS;IACxC;AACF;AAEA,MAAMwB,QAAQ,CACZC,MACAC,UACiC,CAAA;QACjCD;QACAC;QACAC,IAAI;IACN,CAAA;AAEA,MAAMC,uBAAuB,CAC3BC,SACAvC;IAEA,IAAI,CAACuC,WAAWA,QAAQC,MAAM,KAAK,GAAG;QACpC,OAAO;IACT;IAEA,OAAOxC,UAAUY,aAAa2B,QAAQE,QAAQ,CAACzC;AACjD;AAEA,MAAM0C,kBAAkB,CACtBC,UACAC,WAEAzC,MAAMC,OAAO,CAACuC,YAAYA,SAASF,QAAQ,CAACG,YAAYD,aAAaC;AAEvE,MAAMC,qBAAqB,CAAC,EAC1BC,GAAG,EACHC,SAAS,EACTC,YAAY,EAKb;IACC,IAAI;QACF,MAAMC,YAAY1D,gBAAgB;YAChC2D,QAAQ;YACRC,KAAKL;QACP;QAEA,OAAOtD,OACL,cACA4D,OAAOC,IAAI,CAACL,cAAc,SAC1BC,WACAF;IAEJ,EAAE,OAAM;QACN,OAAO;IACT;AACF;AAEA,OAAO,MAAMO,wBAAwB,OAAO,EAC1CC,MAAM,EACNC,SAAS,EACTC,MAAM,IAAIC,MAAM,EAChBC,KAAK,EAMN;IACC,MAAMC,UAAU9D,UAAU6D;IAE1B,IAAI,CAACC,SAAS;QACZ,OAAO1B,MAAM,sBAAsB;IACrC;IAEA,IAAI0B,QAAQC,MAAM,CAACC,GAAG,KAAK,SAAS;QAClC,OAAO5B,MAAM,sBAAsB;IACrC;IAEA,IAAI,CAACnC,SAAS6D,QAAQC,MAAM,CAACE,GAAG,GAAG;QACjC,OAAO7B,MAAM,sBAAsB;IACrC;IAEA,MAAM8B,SAAST,OAAOS,MAAM,IAAIvE;IAChC,IAAIwE;IAEJ,IAAI;QACFA,UAAU,MAAMpE,qBAAqB;YACnC2D;YACAQ;YACAC,SAASV,OAAOU,OAAO;QACzB;QACA,MAAMC,OAAO,MAAMvE,UAAU;YAC3B6D;YACAC;YACAU,KAAKF;QACP;QACA,MAAMnB,MAAMlD,aAAa;YACvBsE;YACAH,KAAKH,QAAQC,MAAM,CAACE,GAAG;QACzB;QAEA,IACE,CAACjB,OACD,CAACD,mBAAmB;YAClBC;YACAC,WAAWa,QAAQb,SAAS;YAC5BC,cAAcY,QAAQZ,YAAY;QACpC,IACA;YACA,OAAOd,MAAM,sBAAsB;QACrC;IACF,EAAE,OAAM;QACN,OAAOA,MAAM,yBAAyB;IACxC;IAEA,IAAI,CAACnC,SAAS6D,QAAQlD,OAAO,CAACU,GAAG,GAAG;QAClC,OAAOc,MAAM,oBAAoB;IACnC;IAEA,MAAMkC,SAASpD,SAAS4C,QAAQlD,OAAO;IAEvC,IAAI,CAAC0D,QAAQ;QACX,OAAOlC,MAAM,sBAAsB;IACrC;IAEA,IAAI
kC,OAAOjD,GAAG,KAAK6C,QAAQ;QACzB,OAAO9B,MAAM,uBAAuB;IACtC;IAEA,IAAI,CAACQ,gBAAgB0B,OAAOrD,GAAG,EAAEwC,OAAOZ,QAAQ,GAAG;QACjD,OAAOT,MAAM,yBAAyB;IACxC;IAEA,MAAMmC,iBAAiBd,OAAOc,cAAc,IAAI3E;IAChD,MAAM4E,aAAab,IAAIc,OAAO,KAAK;IAEnC,IAAIH,OAAOnD,GAAG,GAAGoD,iBAAiBC,YAAY;QAC5C,OAAOpC,MAAM,gBAAgB;IAC/B;IAEA,IAAIkC,OAAOvC,GAAG,KAAKjB,aAAawD,OAAOvC,GAAG,GAAGwC,iBAAiBC,YAAY;QACxE,OAAOpC,MAAM,sBAAsB;IACrC;IAEA,IAAIkC,OAAOlD,GAAG,GAAGmD,iBAAiBC,YAAY;QAC5C,OAAOpC,MAAM,sBAAsB;IACrC;IAEA,MAAMsC,yBACJ,AAACjB,CAAAA,OAAOkB,mBAAmB,EAAEjC,UAAU,CAAA,IAAK,KAC5C,AAACe,CAAAA,OAAOmB,uBAAuB,EAAElC,UAAU,CAAA,IAAK;IAElD,IAAI,CAACgC,wBAAwB;QAC3B,OAAOtC,MACL,+BACA;IAEJ;IAEA,IAAI,CAACI,qBAAqBiB,OAAOkB,mBAAmB,EAAEL,OAAO9C,UAAU,GAAG;QACxE,OAAOY,MACL,+BACA;IAEJ;IAEA,IAAI,CAACI,qBAAqBiB,OAAOmB,uBAAuB,EAAEN,OAAOtC,gBAAgB,GAAG;QAClF,OAAOI,MACL,0BACA;IAEJ;IAEA,IAAI,CAACI,qBAAqBiB,OAAOoB,WAAW,EAAEP,OAAO/C,GAAG,GAAG;QACzD,OAAOa,MAAM,wBAAwB;IACvC;IAEA,IAAI,CAACI,qBAAqBiB,OAAOqB,gBAAgB,EAAER,OAAOpC,QAAQ,GAAG;QACnE,OAAOE,MACL,6BACA;IAEJ;IAEA,MAAM2C,cAAcT,OAAOnC,YAAY,IAAImC,OAAOxC,gBAAgB;IAElE,IAAI,CAACU,qBAAqBiB,OAAOuB,mBAAmB,EAAED,cAAc;QAClE,OAAO3C,MACL,6BACA;IAEJ;IAEA,IAAI,CAACI,qBAAqBiB,OAAOwB,mBAAmB,EAAEX,OAAO1C,WAAW,GAAG;QACzE,OAAOQ,MACL,gCACA;IAEJ;IAEA,IAAIkC,OAAOzC,UAAU,KAAK,kBAAkB4B,OAAOyB,iBAAiB,KAAK,MAAM;QAC7E,OAAO9C,MACL,iCACA;IAEJ;IAEA,OAAO;QACLG,IAAI;QACJsB,OAAO;YACLS;YACAa,WAAW,IAAIvB,KAAKU,OAAOnD,GAAG,GAAG;YACjCiE,OAAO,CAAC,YAAY,EAAEd,OAAO9C,UAAU,EAAE;QAC3C;IACF;AACF,EAAC"}
|
|
@@ -14,7 +14,11 @@ The docs source lives in `{{docsRoot}}` unless the user says otherwise. Edit Mar
|
|
|
14
14
|
- Do not invent directives, frontmatter fields, CLI flags, sync modes, or runtime features.
|
|
15
15
|
- Do not describe unsupported features as implemented.
|
|
16
16
|
- Run validation before finishing docs edits.
|
|
17
|
-
- Treat sync and publishing as server-owned. The request may ask;
|
|
17
|
+
- Treat sync and publishing as CMS/server-owned. The request may ask; Payload
|
|
18
|
+
docs sets and plugin config decide.
|
|
19
|
+
- Do not hardcode new docs sources into plugin config. A docs source should map
|
|
20
|
+
to a Payload Admin docs set with `sourceId`, `sourceRoot`, `routeBase`, and
|
|
21
|
+
source-specific auth policy.
|
|
18
22
|
|
|
19
23
|
## AI Markdown Export Manifest
|
|
20
24
|
|
|
@@ -4,8 +4,8 @@ The sync workflow is authenticated and server-owned.
|
|
|
4
4
|
|
|
5
5
|
Important concepts:
|
|
6
6
|
|
|
7
|
-
- `source.id` maps to a
|
|
8
|
-
- The docs set owns the route base.
|
|
7
|
+
- `source.id` maps to a Payload Admin docs set.
|
|
8
|
+
- The docs set owns the route base and source-specific auth policy.
|
|
9
9
|
- The manifest does not choose target collections or fields.
|
|
10
10
|
- `sync.allowWrites: true` is required for `mode: "sync"`.
|
|
11
11
|
- `sync.allowPublish: true` and `target.enableDrafts: true` are required for publishing.
|
|
@@ -26,10 +26,11 @@ GitHub OIDC pushes verify:
|
|
|
26
26
|
|
|
27
27
|
- bearer JWT signature through GitHub JWKS
|
|
28
28
|
- issuer and audience
|
|
29
|
-
- repository, owner, ref, workflow, and environment allowlists
|
|
29
|
+
- repository, owner, ref, workflow, and environment allowlists from the docs set
|
|
30
30
|
- pull request policy
|
|
31
31
|
- JWT `jti` replay protection
|
|
32
32
|
- body SHA-256
|
|
33
33
|
- manifest validity
|
|
34
34
|
|
|
35
|
-
Do not bypass failed auth or body verification. Fix the key, endpoint,
|
|
35
|
+
Do not bypass failed auth or body verification. Fix the key, endpoint, docs set,
|
|
36
|
+
source id, body, or server config.
|
|
@@ -10,7 +10,8 @@ Check that the workflow uses `--github-oidc`, grants `id-token: write`, and requ
|
|
|
10
10
|
|
|
11
11
|
## OIDC repository or ref not allowed
|
|
12
12
|
|
|
13
|
-
Check
|
|
13
|
+
Check the docs set OIDC allowlists. The request may ask; the CMS decides which
|
|
14
|
+
repository and ref are trusted.
|
|
14
15
|
|
|
15
16
|
## OIDC replay
|
|
16
17
|
|
|
@@ -26,7 +27,7 @@ Generate a fresh request. Do not reuse signed headers.
|
|
|
26
27
|
|
|
27
28
|
## Source not allowed
|
|
28
29
|
|
|
29
|
-
Create or update a docs set with the expected `sourceId
|
|
30
|
+
Create or update a docs set with the expected `sourceId`.
|
|
30
31
|
|
|
31
32
|
## Publish disabled
|
|
32
33
|
|
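--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -13,6 +13,36 @@ export type PayloadMarkdownDocsEndpointConfig = {
 path?: string;
 };
 export type PayloadMarkdownDocsAuthConfig = {
+mode: 'disabled';
+} | PayloadMarkdownDocsCombinedAuthConfig | PayloadMarkdownDocsEd25519AuthConfig | PayloadMarkdownDocsGitHubOidcAuthConfig;
+export type PayloadMarkdownDocsCombinedAuthConfig = {
+ed25519?: PayloadMarkdownDocsEd25519AuthOptions;
+githubOidc?: PayloadMarkdownDocsGitHubOidcAuthOptions;
+mode?: 'multi';
+};
+export type PayloadMarkdownDocsDocsSetAuthConfig = {
+ed25519?: PayloadMarkdownDocsEd25519AuthOptions;
+githubOidc?: PayloadMarkdownDocsDocsSetGitHubOidcAuthOptions;
+};
+export type PayloadMarkdownDocsDocsSetGitHubOidcAuthOptions = {
+enabled?: boolean;
+} & Partial<PayloadMarkdownDocsGitHubOidcAuthOptions>;
+export type PayloadMarkdownDocsEd25519AuthConfig = {
+mode: 'ed25519';
+} & PayloadMarkdownDocsEd25519AuthOptions;
+export type PayloadMarkdownDocsEd25519AuthOptions = {
+keys: PayloadMarkdownDocsEd25519Key[];
+maxSkewSeconds?: number;
+nonceTtlSeconds?: number;
+};
+export type PayloadMarkdownDocsEd25519Key = {
+id: string;
+publicKey: string;
+};
+export type PayloadMarkdownDocsGitHubOidcAuthConfig = {
+mode: 'github-oidc';
+} & PayloadMarkdownDocsGitHubOidcAuthOptions;
+export type PayloadMarkdownDocsGitHubOidcAuthOptions = {
 allowedEnvironments?: string[];
 allowedRefs?: string[];
 allowedRepositories?: string[];
@@ -24,18 +54,6 @@ export type PayloadMarkdownDocsAuthConfig = {
 issuer?: string;
 jwksUrl?: string;
 maxSkewSeconds?: number;
-mode: 'github-oidc';
-} | {
-keys: PayloadMarkdownDocsEd25519Key[];
-maxSkewSeconds?: number;
-mode: 'ed25519';
-nonceTtlSeconds?: number;
-} | {
-mode: 'disabled';
-};
-export type PayloadMarkdownDocsEd25519Key = {
-id: string;
-publicKey: string;
 };
 export type PayloadMarkdownDocsCollectionConfig = {
 enabled?: boolean;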
package/dist/types.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/types.ts"],"sourcesContent":["export type PayloadMarkdownDocsConfig = {\n auth?: PayloadMarkdownDocsAuthConfig\n collections?: PayloadMarkdownDocsCollectionsConfig\n enabled?: boolean\n endpoint?: PayloadMarkdownDocsEndpointConfig\n routing?: PayloadMarkdownDocsRoutingConfig\n sources?: PayloadMarkdownDocsSourceConfig[]\n sync?: PayloadMarkdownDocsSyncConfig\n target?: PayloadMarkdownDocsTargetConfig\n}\n\nexport type PayloadMarkdownDocsEndpointConfig = {\n maxBodyBytes?: number\n path?: string\n}\n\nexport type PayloadMarkdownDocsAuthConfig =\n | {\n
|
|
1
|
+
{"version":3,"sources":["../src/types.ts"],"sourcesContent":["export type PayloadMarkdownDocsConfig = {\n auth?: PayloadMarkdownDocsAuthConfig\n collections?: PayloadMarkdownDocsCollectionsConfig\n enabled?: boolean\n endpoint?: PayloadMarkdownDocsEndpointConfig\n routing?: PayloadMarkdownDocsRoutingConfig\n sources?: PayloadMarkdownDocsSourceConfig[]\n sync?: PayloadMarkdownDocsSyncConfig\n target?: PayloadMarkdownDocsTargetConfig\n}\n\nexport type PayloadMarkdownDocsEndpointConfig = {\n maxBodyBytes?: number\n path?: string\n}\n\nexport type PayloadMarkdownDocsAuthConfig =\n | {\n mode: 'disabled'\n }\n | PayloadMarkdownDocsCombinedAuthConfig\n | PayloadMarkdownDocsEd25519AuthConfig\n | PayloadMarkdownDocsGitHubOidcAuthConfig\n\nexport type PayloadMarkdownDocsCombinedAuthConfig = {\n ed25519?: PayloadMarkdownDocsEd25519AuthOptions\n githubOidc?: PayloadMarkdownDocsGitHubOidcAuthOptions\n mode?: 'multi'\n}\n\nexport type PayloadMarkdownDocsDocsSetAuthConfig = {\n ed25519?: PayloadMarkdownDocsEd25519AuthOptions\n githubOidc?: PayloadMarkdownDocsDocsSetGitHubOidcAuthOptions\n}\n\nexport type PayloadMarkdownDocsDocsSetGitHubOidcAuthOptions =\n {\n enabled?: boolean\n } & Partial<PayloadMarkdownDocsGitHubOidcAuthOptions>\n\nexport type PayloadMarkdownDocsEd25519AuthConfig =\n {\n mode: 'ed25519'\n } & PayloadMarkdownDocsEd25519AuthOptions\n\nexport type PayloadMarkdownDocsEd25519AuthOptions = {\n keys: PayloadMarkdownDocsEd25519Key[]\n maxSkewSeconds?: number\n nonceTtlSeconds?: number\n}\n\nexport type PayloadMarkdownDocsEd25519Key = {\n id: string\n publicKey: string\n}\n\nexport type PayloadMarkdownDocsGitHubOidcAuthConfig =\n {\n mode: 'github-oidc'\n } & PayloadMarkdownDocsGitHubOidcAuthOptions\n\nexport type PayloadMarkdownDocsGitHubOidcAuthOptions = {\n allowedEnvironments?: string[]\n allowedRefs?: string[]\n allowedRepositories?: string[]\n allowedRepositoryOwners?: string[]\n allowedWorkflowRefs?: string[]\n allowedWorkflows?: string[]\n allowPullRequests?: 
boolean\n audience: string\n issuer?: string\n jwksUrl?: string\n maxSkewSeconds?: number\n}\n\nexport type PayloadMarkdownDocsCollectionConfig = {\n enabled?: boolean\n slug?: string\n}\n\nexport type PayloadMarkdownDocsCollectionsConfig = {\n docs?: PayloadMarkdownDocsCollectionConfig\n docsGroups?: PayloadMarkdownDocsCollectionConfig\n docsSets?: PayloadMarkdownDocsCollectionConfig\n nonces?: PayloadMarkdownDocsCollectionConfig\n syncRuns?: PayloadMarkdownDocsCollectionConfig\n}\n\nexport type PayloadMarkdownDocsPagesRoutingConfig = {\n allowBridgePages?: boolean\n bridgeField?: string\n collection?: string\n enabled?: boolean\n routeField?: string\n}\n\nexport type PayloadMarkdownDocsRoutingConfig = {\n pages?: PayloadMarkdownDocsPagesRoutingConfig\n}\n\nexport type PayloadMarkdownDocsSourceConfig = {\n id: string\n root?: string\n routeBase: string\n}\n\nexport type PayloadMarkdownDocsTargetConfig =\n | {\n collection: string\n markdownField: string\n routeField?: string\n type: 'existingCollection'\n }\n | {\n enableDrafts?: boolean\n markdownField?: string\n slug?: string\n type: 'docsCollection'\n }\n\nexport type PayloadMarkdownDocsSyncConfig = {\n allowHardDelete?: boolean\n allowPublish?: boolean\n allowWrites?: boolean\n defaultPublishMode?: 'draft' | 'preserve' | 'published'\n deleteBehavior?: 'archive' | 'delete' | 'draft' | 'ignore'\n requireDryRunBeforeApply?: boolean\n}\n"],"names":[],"mappings":"AAwHA,WAOC"}
|
package/package.json
CHANGED