@vasanthcambium/marketplace-auth 0.1.0

package/dist/server/createApp.js

@@ -0,0 +1,201 @@
+import { createRemoteJWKSet, jwtVerify, SignJWT } from 'jose';
+import { request as undiciRequest } from 'undici';
+import { randomUUID } from 'node:crypto';
+import { regionToNbiUrl } from '../shared/regions.js';
+import { NonceVerificationError, TokenExchangeError, SessionNotFoundError, UpstreamError, } from '../shared/errors.js';
+import { memorySessionStore, redisSessionStore } from './session.js';
+const DEFAULT_COOKIE_NAME = 'cn_session';
+const DEFAULT_TTL_SECONDS = 28_800;
+export function createApp(config) {
+    const ttlSeconds = config.sessionTtlSeconds ?? DEFAULT_TTL_SECONDS;
+    const jwksUrl = config.authServicePublicKeyUrl
+        ?? `${config.authServiceUrl}/.well-known/jwks.json`;
+    const sessionStore = resolveSessionStore(config);
+    const jwks = createRemoteJWKSet(new URL(jwksUrl));
+    const nbiBaseUrl = regionToNbiUrl(config.region);
+    const tokenEndpoint = `${config.authServiceUrl.replace(/\/$/, '')}/oauth/token`;
+    let readyPromise = null;
+    const app = {
+        config: Object.freeze({ ...config }),
+        async ready() {
+            readyPromise ??= (async () => {
+                if (!config.devMode) {
+                    await jwks({ alg: 'RS256', kid: undefined }).catch(() => undefined);
+                }
+            })();
+            return readyPromise;
+        },
+        async close() { },
+        async handleLaunch(launchToken) {
+            if (config.devMode) {
+                const session = await mintDevSession(app, sessionStore, ttlSeconds);
+                return { session, redirectTo: '/' };
+            }
+            try {
+                await jwtVerify(launchToken, jwks, {
+                    issuer: config.authServiceUrl,
+                    audience: config.appId,
+                });
+            }
+            catch (err) {
+                throw new NonceVerificationError(err);
+            }
+            const body = new URLSearchParams({
+                grant_type: 'launch_nonce',
+                nonce: launchToken,
+                client_id: config.appCredentials.clientId,
+                client_secret: config.appCredentials.clientSecret,
+            });
+            const res = await undiciRequest(tokenEndpoint, {
+                method: 'POST',
+                headers: { 'content-type': 'application/x-www-form-urlencoded' },
+                body: body.toString(),
+            });
+            if (res.statusCode < 200 || res.statusCode >= 300) {
+                const errorBody = await res.body.text();
+                throw new TokenExchangeError(res.statusCode, errorBody);
+            }
+            const json = await res.body.json();
+            const session = await materializeSession(json, sessionStore);
+            return { session, redirectTo: '/' };
+        },
+        async proxy(req, sessionId) {
+            const session = await sessionStore.get(sessionId);
+            if (!session)
+                throw new SessionNotFoundError();
+            await config.hooks?.beforeProxy?.(req, session);
+            const upstreamUrl = nbiBaseUrl + req.url;
+            const upstreamHeaders = {
+                ...req.headers,
+                'authorization': `Bearer ${session.accessToken}`,
+            };
+            delete upstreamHeaders['host'];
+            delete upstreamHeaders['cookie'];
+            delete upstreamHeaders['connection'];
+            const buildInit = () => {
+                const init = {
+                    method: req.method,
+                    headers: upstreamHeaders,
+                };
+                if (req.body != null)
+                    init.body = JSON.stringify(req.body);
+                return init;
+            };
+            let res = await undiciRequest(upstreamUrl, buildInit());
+            if (res.statusCode === 401) {
+                await this.refreshAccessToken(sessionId);
+                const refreshed = await sessionStore.get(sessionId);
+                if (refreshed) {
+                    upstreamHeaders['authorization'] = `Bearer ${refreshed.accessToken}`;
+                    res = await undiciRequest(upstreamUrl, buildInit());
+                }
+            }
+            const respText = await res.body.text();
+            let parsed = respText;
+            try {
+                parsed = respText ? JSON.parse(respText) : undefined;
+            }
+            catch { /* keep text */ }
+            const response = {
+                status: res.statusCode,
+                headers: Object.fromEntries(Object.entries(res.headers)
+                    .filter(([k]) => !['transfer-encoding', 'connection'].includes(k))
+                    .map(([k, v]) => [k, Array.isArray(v) ? v.join(', ') : String(v)])),
+                body: parsed,
+            };
+            await config.hooks?.afterProxy?.(req, response, session);
+            if (response.status >= 500) {
+                throw new UpstreamError(response.status, `NBI upstream returned ${response.status}`);
+            }
+            return response;
+        },
+        async refreshAccessToken(sessionId) {
+            const session = await sessionStore.get(sessionId);
+            if (!session)
+                throw new SessionNotFoundError();
+            if (config.devMode)
+                return session;
+            const body = new URLSearchParams({
+                grant_type: 'refresh_token',
+                refresh_token: session.jwt ?? '',
+                client_id: config.appCredentials.clientId,
+                client_secret: config.appCredentials.clientSecret,
+            });
+            const res = await undiciRequest(tokenEndpoint, {
+                method: 'POST',
+                headers: { 'content-type': 'application/x-www-form-urlencoded' },
+                body: body.toString(),
+            });
+            if (res.statusCode < 200 || res.statusCode >= 300) {
+                const errorBody = await res.body.text();
+                throw new TokenExchangeError(res.statusCode, errorBody);
+            }
+            const json = await res.body.json();
+            const refreshed = {
+                ...session,
+                jwt: json.jwt ?? session.jwt,
+                accessToken: json.access_token,
+                expiresAt: Date.now() + json.expires_in * 1000,
+            };
+            await sessionStore.set(sessionId, refreshed);
+            return refreshed;
+        },
+        async getSession(sessionId) { return sessionStore.get(sessionId); },
+        async invalidateSession(sessionId) { await sessionStore.delete(sessionId); },
+    };
+    return app;
+}
+function resolveSessionStore(config) {
+    const v = config.sessionStore ?? 'memory';
+    if (v === 'memory')
+        return memorySessionStore();
+    if (v === 'redis') {
+        if (!config.redisUrl)
+            throw new Error('sessionStore=redis requires redisUrl');
+        return redisSessionStore({ url: config.redisUrl });
+    }
+    return v;
+}
+async function materializeSession(t, store) {
+    const session = {
+        id: randomUUID(),
+        appId: t.app_id,
+        jwt: t.jwt,
+        accessToken: t.access_token,
+        expiresAt: Date.now() + t.expires_in * 1000,
+        accountCid: t.account_cid,
+        userRole: t.user_role,
+        permission: t.permission,
+        scopes: t.scopes,
+        apiRoutes: t.api_routes,
+    };
+    await store.set(session.id, session);
+    return session;
+}
+async function mintDevSession(app, store, ttlSeconds) {
+    const placeholderJwt = await new SignJWT({ sub: 'dev-user', app_id: app.config.appId })
+        .setProtectedHeader({ alg: 'HS256' })
+        .setExpirationTime('8h')
+        .sign(new TextEncoder().encode('marketplace-auth-dev-only'));
+    const session = {
+        id: randomUUID(),
+        appId: app.config.appId,
+        jwt: placeholderJwt,
+        accessToken: 'dev-access-token',
+        expiresAt: Date.now() + ttlSeconds * 1000,
+        accountCid: 'dev-account-001',
+        userRole: 'admin',
+        permission: 'read-write',
+        scopes: {
+            tenant: { account_cid: 'dev-account-001', mcids: [] },
+            network: {},
+        },
+        apiRoutes: [
+            { method: 'GET', path: '/api/v2/devices', description: 'dev stub' },
+            { method: 'GET', path: '/api/v2/devices/{device_id}', description: 'dev stub' },
+        ],
+    };
+    await store.set(session.id, session);
+    return session;
+}
+//# sourceMappingURL=createApp.js.map

package/dist/server/createApp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"createApp.js","sourceRoot":"","sources":["../../src/server/createApp.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC9D,OAAO,EAAE,OAAO,IAAI,aAAa,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EACL,sBAAsB,EACtB,kBAAkB,EAClB,oBAAoB,EACpB,aAAa,GACd,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAErE,MAAM,mBAAmB,GAAG,YAAY,CAAC;AACzC,MAAM,mBAAmB,GAAG,MAAM,CAAC;AAEnC,MAAM,UAAU,SAAS,CAAC,MAAiB;IACzC,MAAM,UAAU,GAAG,MAAM,CAAC,iBAAiB,IAAI,mBAAmB,CAAC;IACnE,MAAM,OAAO,GAAM,MAAM,CAAC,uBAAuB;WAC1B,GAAG,MAAM,CAAC,cAAc,wBAAwB,CAAC;IACxE,MAAM,YAAY,GAAI,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,IAAI,GAAY,kBAAkB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3D,MAAM,UAAU,GAAM,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACpD,MAAM,aAAa,GAAG,GAAG,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC;IAEhF,IAAI,YAAY,GAAyB,IAAI,CAAC;IAE9C,MAAM,GAAG,GAAQ;QACf,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,MAAM,EAAE,CAAC;QAEpC,KAAK,CAAC,KAAK;YACT,YAAY,KAAK,CAAC,KAAK,IAAI,EAAE;gBAC3B,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpB,MAAM,IAAI,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,SAAS,EAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;gBAC/E,CAAC;YACH,CAAC,CAAC,EAAE,CAAC;YACL,OAAO,YAAY,CAAC;QACtB,CAAC;QAED,KAAK,CAAC,KAAK,KAA+B,CAAC;QAE3C,KAAK,CAAC,YAAY,CAAC,WAAmB;YACpC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,GAAG,EAAE,YAAY,EAAE,UAAU,CAAC,CAAC;gBACpE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;YACtC,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,SAAS,CAAC,WAAW,EAAE,IAAI,EAAE;oBACjC,MAAM,EAAE,MAAM,CAAC,cAAc;oBAC7B,QAAQ,EAAE,MAAM,CAAC,KAAK;iBACvB,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,IAAI,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;gBAC/B,UAAU,EAAK,cAAc;gBAC7B,KAAK,EAAU,WAAW;gBAC1B,SAAS,EAAM,MAAM,CAAC,cAAc,CAAC,QAAQ;gBAC7C,aAAa,EAAE,MAAM,CAAC,cAAc,CAAC,YAAY;aAClD,CAAC,CAAC;YAEH,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,aAAa,EAAE;gBAC7C,MAAM,EAAG,MAAM;gBACf,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAK,IAAI,CAAC,QAAQ,EAAE;aACzB,CAAC,CAAC;YAEH,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,EAAE,CAAC;gBAClD,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACxC,MAAM,IAAI,kBAAkB,CAAC,GAAG,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;YAC1D,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,EAA2B,CAAC;YAC5D,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;YAC7D,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;QACtC,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAiB,EAAE,SAAiB;YAC9C,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,CAAC,OAAO;gBAAE,MAAM,IAAI,oBAAoB,EAAE,CAAC;YAE/C,MAAM,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAEhD,MAAM,WAAW,GAAG,UAAU,GAAG,GAAG,CAAC,GAAG,CAAC;YACzC,MAAM,eAAe,GAA2B;gBAC9C,GAAG,GAAG,CAAC,OAAO;gBACd,eAAe,EAAE,UAAU,OAAO,CAAC,WAAW,EAAE;aACjD,CAAC;YACF,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC;YAC/B,OAAO,eAAe,CAAC,QAAQ,CAAC,CAAC;YACjC,OAAO,eAAe,CAAC,YAAY,CAAC,CAAC;YAOrC,MAAM,SAAS,GAAG,GAAe,EAAE;gBACjC,MAAM,IAAI,GAAe;oBACvB,MAAM,EAAG,GAAG,CAAC,MAA8B;oBAC3C,OAAO,EAAE,eAAe;iBACzB,CAAC;gBACF,IAAI,GAAG,CAAC,IAAI,IAAI,IAAI;oBAAE,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAC3D,OAAO,IAAI,CAAC;YACd,CAAC,CAAC;YAEF,IAAI,GAAG,GAAG,MAAM,aAAa,CAAC,WAAW,EAAE,SAAS,EAAE,CAAC,CAAC;YAExD,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC3B,MAAM,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;gBACzC,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBACpD,IAAI,SAAS,EAAE,CAAC;oBACd,eAAe,CAAC,eAAe,CAAC,GAAG,UAAU,SAAS,CAAC,WAAW,EAAE,CAAC;oBACrE,GAAG,GAAG,MAAM,aAAa,CAAC,WAAW,EAAE,SAAS,EAAE,CAAC,CAAC;gBACtD,CAAC;YACH,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACvC,IAAI,MAAM,GAAY,QAAQ,CAAC;YAC/B,IAAI,CAAC;gBAAC,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;YAEvF,MAAM,QAAQ,GAAkB;gBAC9B,MAAM,EAAE,GAAG,CAAC,UAAU;gBACtB,OAAO,EAAE,MAAM,CAAC,WAAW,CACzB,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;qBACxB,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,mBAAmB,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;qBACjE,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CACrE;gBACD,IAAI,EAAE,MAAM;aACb,CAAC;YAEF,MAAM,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEzD,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBAC3B,MAAM,IAAI,aAAa,CAAC,QAAQ,CAAC,MAAM,EAAE,yBAAyB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YACvF,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,KAAK,CAAC,kBAAkB,CAAC,SAAiB;YACxC,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,CAAC,OAAO;gBAAE,MAAM,IAAI,oBAAoB,EAAE,CAAC;YAC/C,IAAI,MAAM,CAAC,OAAO;gBAAE,OAAO,OAAO,CAAC;YAEnC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;gBAC/B,UAAU,EAAK,eAAe;gBAC9B,aAAa,EAAE,OAAO,CAAC,GAAG,IAAI,EAAE;gBAChC,SAAS,EAAM,MAAM,CAAC,cAAc,CAAC,QAAQ;gBAC7C,aAAa,EAAE,MAAM,CAAC,cAAc,CAAC,YAAY;aAClD,CAAC,CAAC;YAEH,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,aAAa,EAAE;gBAC7C,MAAM,EAAG,MAAM;gBACf,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAK,IAAI,CAAC,QAAQ,EAAE;aACzB,CAAC,CAAC;YAEH,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,EAAE,CAAC;gBAClD,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACxC,MAAM,IAAI,kBAAkB,CAAC,GAAG,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;YAC1D,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,EAA2B,CAAC;YAC5D,MAAM,SAAS,GAAY;gBACzB,GAAG,OAAO;gBACV,GAAG,EAAU,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG;gBACpC,WAAW,EAAE,IAAI,CAAC,YAAY;gBAC9B,SAAS,EAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;aACjD,CAAC;YACF,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YAC7C,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,SAAiB,IAAW,OAAO,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAClF,KAAK,CAAC,iBAAiB,CAAC,SAAiB,IAAI,MAAM,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;KACrF,CAAC;IAEF,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAiB;IAC5C,MAAM,CAAC,GAAG,MAAM,CAAC,YAAY,IAAI,QAAQ,CAAC;IAC1C,IAAI,CAAC,KAAK,QAAQ;QAAE,OAAO,kBAAkB,EAAE,CAAC;IAChD,IAAI,CAAC,KAAK,OAAO,EAAE,CAAC;QAClB,IAAI,CAAC,MAAM,CAAC,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC9E,OAAO,iBAAiB,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAcD,KAAK,UAAU,kBAAkB,CAAC,CAAwB,EAAE,KAAmB;IAC7E,MAAM,OAAO,GAAY;QACvB,EAAE,EAAW,UAAU,EAAE;QACzB,KAAK,EAAQ,CAAC,CAAC,MAAM;QACrB,GAAG,EAAU,CAAC,CAAC,GAAG;QAClB,WAAW,EAAE,CAAC,CAAC,YAAY;QAC3B,SAAS,EAAI,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,UAAU,GAAG,IAAI;QAC7C,UAAU,EAAG,CAAC,CAAC,WAAW;QAC1B,QAAQ,EAAK,CAAC,CAAC,SAAS;QACxB,UAAU,EAAG,CAAC,CAAC,UAAU;QACzB,MAAM,EAAO,CAAC,CAAC,MAAM;QACrB,SAAS,EAAI,CAAC,CAAC,UAAU;KAC1B,CAAC;IACF,MAAM,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACrC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,GAAQ,EAAE,KAAmB,EAAE,UAAkB;IAC7E,MAAM,cAAc,GAAG,MAAM,IAAI,OAAO,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;SACpF,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,iBAAiB,CAAC,IAAI,CAAC;SACvB,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC;IAE/D,MAAM,OAAO,GAAY;QACvB,EAAE,EAAW,UAAU,EAAE;QACzB,KAAK,EAAQ,GAAG,CAAC,MAAM,CAAC,KAAK;QAC7B,GAAG,EAAU,cAAc;QAC3B,WAAW,EAAE,kBAAkB;QAC/B,SAAS,EAAI,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI;QAC3C,UAAU,EAAG,iBAAiB;QAC9B,QAAQ,EAAK,OAAO;QACpB,UAAU,EAAG,YAAY;QACzB,MAAM,EAAE;YACN,MAAM,EAAG,EAAE,WAAW,EAAE,iBAAiB,EAAE,KAAK,EAAE,EAAE,EAAE;YACtD,OAAO,EAAE,EAAE;SACZ;QACD,SAAS,EAAE;YACT,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,iBAAiB,EAAmB,WAAW,EAAE,UAAU,EAAE;YACpF,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,6BAA6B,EAAO,WAAW,EAAE,UAAU,EAAE;SACrF;KACF,CAAC;IACF,MAAM,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACrC,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/server/express.d.ts

@@ -0,0 +1,11 @@
+import type { RequestHandler } from 'express';
+import type { App } from './types.js';
+/**
+ * Express middleware that installs:
+ *   GET  /launch?token=...   (token from cnMaestro UI; named param TBD by Rupam's team)
+ *   ANY  /api/*
+ *   GET  /healthz
+ *   POST /logout
+ */
+export declare function expressMiddleware(app: App): RequestHandler;
+//# sourceMappingURL=express.d.ts.map

package/dist/server/express.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../../src/server/express.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAmC,MAAM,SAAS,CAAC;AAE/E,OAAO,KAAK,EAAE,GAAG,EAAgB,MAAM,YAAY,CAAC;AAIpD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,GAAG,GAAG,cAAc,CA8E1D"}

package/dist/server/express.js

@@ -0,0 +1,86 @@
+import { parse as parseCookie, serialize as serializeCookie } from 'cookie';
+import { AuthError } from '../shared/errors.js';
+const DEFAULT_COOKIE_NAME = 'cn_session';
+/**
+ * Express middleware that installs:
+ *   GET  /launch?token=...   (token from cnMaestro UI; named param TBD by Rupam's team)
+ *   ANY  /api/*
+ *   GET  /healthz
+ *   POST /logout
+ */
+export function expressMiddleware(app) {
+    const cookieName = app.config.sessionCookieName ?? DEFAULT_COOKIE_NAME;
+    return async (req, res, next) => {
+        try {
+            if (req.path === '/healthz' && req.method === 'GET') {
+                res.json({
+                    version: '0.1.0-alpha.1',
+                    appId: app.config.appId,
+                    region: app.config.region,
+                });
+                return;
+            }
+            if (req.path === '/launch' && req.method === 'GET') {
+                // Accept either ?token= or ?nonce= for forward-compat with the
+                // exact param name cnMaestro UI ends up using.
+                const launchToken = String(req.query.token ?? req.query.nonce ?? '');
+                if (!launchToken) {
+                    res.status(400).json({ error: 'missing launch token' });
+                    return;
+                }
+                const { session, redirectTo } = await app.handleLaunch(launchToken);
+                res.setHeader('Set-Cookie', serializeCookie(cookieName, session.id, {
+                    httpOnly: true,
+                    secure: process.env.NODE_ENV === 'production',
+                    sameSite: 'lax',
+                    path: '/',
+                    maxAge: app.config.sessionTtlSeconds ?? 28_800,
+                }));
+                res.redirect(302, redirectTo);
+                return;
+            }
+            if (req.path === '/logout' && req.method === 'POST') {
+                const cookies = parseCookie(req.headers.cookie ?? '');
+                const sessionId = cookies[cookieName];
+                if (sessionId)
+                    await app.invalidateSession(sessionId);
+                res.setHeader('Set-Cookie', serializeCookie(cookieName, '', { path: '/', maxAge: 0 }));
+                res.status(204).end();
+                return;
+            }
+            if (req.path.startsWith('/api/')) {
+                const cookies = parseCookie(req.headers.cookie ?? '');
+                const sessionId = cookies[cookieName];
+                if (!sessionId) {
+                    res.status(401).json({ error: 'no_session' });
+                    return;
+                }
+                const proxyReq = {
+                    method: req.method,
+                    url: req.originalUrl,
+                    headers: Object.fromEntries(Object.entries(req.headers).map(([k, v]) => [k, Array.isArray(v) ? v.join(', ') : String(v ?? '')])),
+                    body: req.body,
+                };
+                const proxyRes = await app.proxy(proxyReq, sessionId);
+                for (const [k, v] of Object.entries(proxyRes.headers))
+                    res.setHeader(k, v);
+                res.status(proxyRes.status).send(proxyRes.body);
+                return;
+            }
+            next();
+        }
+        catch (err) {
+            if (err instanceof AuthError) {
+                const status = err.code === 'session_not_found' ? 401 :
+                    err.code === 'nonce_verification_failed' ? 400 :
+                        err.code === 'token_exchange_failed' ? 502 :
+                            500;
+                res.status(status).json({ error: err.code, message: err.message });
+            }
+            else {
+                next(err);
+            }
+        }
+    };
+}
+//# sourceMappingURL=express.js.map

package/dist/server/express.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.js","sourceRoot":"","sources":["../../src/server/express.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,IAAI,WAAW,EAAE,SAAS,IAAI,eAAe,EAAE,MAAM,QAAQ,CAAC;AAE5E,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAGhD,MAAM,mBAAmB,GAAG,YAAY,CAAC;AAEzC;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAQ;IACxC,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,iBAAiB,IAAI,mBAAmB,CAAC;IAEvE,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC/D,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,IAAI,KAAK,UAAU,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBACpD,GAAG,CAAC,IAAI,CAAC;oBACP,OAAO,EAAE,eAAe;oBACxB,KAAK,EAAI,GAAG,CAAC,MAAM,CAAC,KAAK;oBACzB,MAAM,EAAG,GAAG,CAAC,MAAM,CAAC,MAAM;iBAC3B,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBACnD,+DAA+D;gBAC/D,+CAA+C;gBAC/C,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;gBACrE,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;oBACxD,OAAO;gBACT,CAAC;gBACD,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;gBACpE,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,eAAe,CAAC,UAAU,EAAE,OAAO,CAAC,EAAE,EAAE;oBAClE,QAAQ,EAAE,IAAI;oBACd,MAAM,EAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;oBAC/C,QAAQ,EAAE,KAAK;oBACf,IAAI,EAAM,GAAG;oBACb,MAAM,EAAI,GAAG,CAAC,MAAM,CAAC,iBAAiB,IAAI,MAAM;iBACjD,CAAC,CAAC,CAAC;gBACJ,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;gBAC9B,OAAO;YACT,CAAC;YAED,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBACpD,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;gBACtD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;gBACtC,IAAI,SAAS;oBAAE,MAAM,GAAG,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;gBACtD,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,eAAe,CAAC,UAAU,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;gBACvF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;gBACtB,OAAO;YACT,CAAC;YAED,IAAI,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjC,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;gBACtD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;gBACtC,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;oBAC9C,OAAO;gBACT,CAAC;gBACD,MAAM,QAAQ,GAAiB;oBAC7B,MAAM,EAAG,GAAG,CAAC,MAAM;oBACnB,GAAG,EAAM,GAAG,CAAC,WAAW;oBACxB,OAAO,EAAE,MAAM,CAAC,WAAW,CACzB,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CACpG;oBACD,IAAI,EAAE,GAAG,CAAC,IAAI;iBACf,CAAC;gBACF,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;gBACtD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;oBAAE,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBAC3E,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAChD,OAAO;YACT,CAAC;YAED,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,SAAS,EAAE,CAAC;gBAC7B,MAAM,MAAM,GACV,GAAG,CAAC,IAAI,KAAK,mBAAmB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;oBACxC,GAAG,CAAC,IAAI,KAAK,2BAA2B,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;wBAChD,GAAG,CAAC,IAAI,KAAK,uBAAuB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;4BAC5C,GAAG,CAAC;gBACN,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACrE,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,GAAG,CAAC,CAAC;YACZ,CAAC;QACH,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/server/hono.d.ts

@@ -0,0 +1,4 @@
+import type { MiddlewareHandler } from 'hono';
+import type { App } from './types.js';
+export declare function honoMiddleware(app: App): MiddlewareHandler;
+//# sourceMappingURL=hono.d.ts.map

package/dist/server/hono.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hono.d.ts","sourceRoot":"","sources":["../../src/server/hono.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAW,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAEvD,OAAO,KAAK,EAAE,GAAG,EAAgB,MAAM,YAAY,CAAC;AAIpD,wBAAgB,cAAc,CAAC,GAAG,EAAE,GAAG,GAAG,iBAAiB,CAiE1D"}

package/dist/server/hono.js

@@ -0,0 +1,66 @@
+import { parse as parseCookie, serialize as serializeCookie } from 'cookie';
+import { AuthError } from '../shared/errors.js';
+const DEFAULT_COOKIE_NAME = 'cn_session';
+export function honoMiddleware(app) {
+    const cookieName = app.config.sessionCookieName ?? DEFAULT_COOKIE_NAME;
+    return async (c, next) => {
+        const url = new URL(c.req.url);
+        try {
+            if (url.pathname === '/healthz' && c.req.method === 'GET') {
+                return c.json({ version: '0.1.0-alpha.1', appId: app.config.appId, region: app.config.region });
+            }
+            if (url.pathname === '/launch' && c.req.method === 'GET') {
+                const launchToken = url.searchParams.get('token') ?? url.searchParams.get('nonce') ?? '';
+                if (!launchToken)
+                    return c.json({ error: 'missing launch token' }, 400);
+                const { session, redirectTo } = await app.handleLaunch(launchToken);
+                c.header('Set-Cookie', serializeCookie(cookieName, session.id, {
+                    httpOnly: true, secure: true, sameSite: 'lax', path: '/',
+                    maxAge: app.config.sessionTtlSeconds ?? 28_800,
+                }));
+                return c.redirect(redirectTo, 302);
+            }
+            if (url.pathname === '/logout' && c.req.method === 'POST') {
+                const cookies = parseCookie(c.req.header('cookie') ?? '');
+                const sessionId = cookies[cookieName];
+                if (sessionId)
+                    await app.invalidateSession(sessionId);
+                c.header('Set-Cookie', serializeCookie(cookieName, '', { path: '/', maxAge: 0 }));
+                return c.body(null, 204);
+            }
+            if (url.pathname.startsWith('/api/')) {
+                const cookies = parseCookie(c.req.header('cookie') ?? '');
+                const sessionId = cookies[cookieName];
+                if (!sessionId)
+                    return c.json({ error: 'no_session' }, 401);
+                const body = c.req.method === 'GET' || c.req.method === 'HEAD'
+                    ? undefined
+                    : await c.req.json().catch(() => undefined);
+                const reqHeaders = {};
+                c.req.raw.headers.forEach((v, k) => { reqHeaders[k] = v; });
+                const proxyReq = {
+                    method: c.req.method,
+                    url: url.pathname + url.search,
+                    headers: reqHeaders,
+                    body,
+                };
+                const res = await app.proxy(proxyReq, sessionId);
+                for (const [k, v] of Object.entries(res.headers))
+                    c.header(k, v);
+                return c.json(res.body, res.status);
+            }
+            return next();
+        }
+        catch (err) {
+            if (err instanceof AuthError) {
+                const status = err.code === 'session_not_found' ? 401 :
+                    err.code === 'nonce_verification_failed' ? 400 :
+                        err.code === 'token_exchange_failed' ? 502 :
+                            500;
+                return c.json({ error: err.code, message: err.message }, status);
+            }
+            throw err;
+        }
+    };
+}
+//# sourceMappingURL=hono.js.map

package/dist/server/hono.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hono.js","sourceRoot":"","sources":["../../src/server/hono.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,IAAI,WAAW,EAAE,SAAS,IAAI,eAAe,EAAE,MAAM,QAAQ,CAAC;AAE5E,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAGhD,MAAM,mBAAmB,GAAG,YAAY,CAAC;AAEzC,MAAM,UAAU,cAAc,CAAC,GAAQ;IACrC,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,iBAAiB,IAAI,mBAAmB,CAAC;IAEvE,OAAO,KAAK,EAAE,CAAU,EAAE,IAAI,EAAE,EAAE;QAChC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAE/B,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBAC1D,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;YAClG,CAAC;YAED,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBACzD,MAAM,WAAW,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;gBACzF,IAAI,CAAC,WAAW;oBAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,EAAE,GAAG,CAAC,CAAC;gBACxE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;gBACpE,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,UAAU,EAAE,OAAO,CAAC,EAAE,EAAE;oBAC7D,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG;oBACxD,MAAM,EAAI,GAAG,CAAC,MAAM,CAAC,iBAAiB,IAAI,MAAM;iBACjD,CAAC,CAAC,CAAC;gBACJ,OAAO,CAAC,CAAC,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;YACrC,CAAC;YAED,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC1D,MAAM,OAAO,GAAK,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC5D,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;gBACtC,IAAI,SAAS;oBAAE,MAAM,GAAG,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;gBACtD,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,UAAU,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;gBAClF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAC3B,CAAC;YAED,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACrC,MAAM,OAAO,GAAK,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC5D,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;gBACtC,IAAI,CAAC,SAAS;oBAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,GAAG,CAAC,CAAC;gBAE5D,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,KAAK,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,MAAM;oBAC5D,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;gBAE9C,MAAM,UAAU,GAA2B,EAAE,CAAC;gBAC9C,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5D,MAAM,QAAQ,GAAiB;oBAC7B,MAAM,EAAG,CAAC,CAAC,GAAG,CAAC,MAAM;oBACrB,GAAG,EAAM,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM;oBAClC,OAAO,EAAE,UAAU;oBACnB,IAAI;iBACL,CAAC;gBACF,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;gBACjD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;oBAAE,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBACjE,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,MAAa,CAAC,CAAC;YAC7C,CAAC;YAED,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,SAAS,EAAE,CAAC;gBAC7B,MAAM,MAAM,GACV,GAAG,CAAC,IAAI,KAAK,mBAAmB,CAAQ,CAAC,CAAC,GAAG,CAAC,CAAC;oBAC/C,GAAG,CAAC,IAAI,KAAK,2BAA2B,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;wBAChD,GAAG,CAAC,IAAI,KAAK,uBAAuB,CAAI,CAAC,CAAC,GAAG,CAAC,CAAC;4BAC/C,GAAG,CAAC;gBACN,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,EAAE,MAAa,CAAC,CAAC;YAC1E,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/server/index.d.ts

@@ -0,0 +1,21 @@
+/**
+ * @cmbmwifi/marketplace-auth/server — Node BFF helper.
+ *
+ *   import { createApp, expressMiddleware } from '@cmbmwifi/marketplace-auth/server';
+ *
+ * Verifies the launch handshake from cnMaestro UI, manages the session cookie,
+ * proxies authenticated NBI calls to the regional NBI-API tier.
+ *
+ * NOTE: the exact launch handshake (token format, exchange endpoint, claims) is
+ * captured in this file as a pluggable contract. Defaults are placeholder —
+ * once the cnMaestro UI handoff spec lands, only `verifyLaunchToken` and
+ * `exchangeForAccessToken` change. Everything else is contract-stable.
+ */
+export { createApp } from './createApp.js';
+export { expressMiddleware } from './express.js';
+export { honoMiddleware } from './hono.js';
+export { memorySessionStore, redisSessionStore } from './session.js';
+export type { App, AppConfig, AppCredentials, ProxyRequest, ProxyResponse, SessionStore, } from './types.js';
+export type { ApiRoute, Permission, Region, Session, UserRole, } from '../shared/types.js';
+export { AuthError, NonceVerificationError, TokenExchangeError, SessionNotFoundError, UpstreamError, } from '../shared/errors.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAErE,YAAY,EACV,GAAG,EACH,SAAS,EACT,cAAc,EACd,YAAY,EACZ,aAAa,EACb,YAAY,GACb,MAAM,YAAY,CAAC;AAGpB,YAAY,EACV,QAAQ,EACR,UAAU,EACV,MAAM,EACN,OAAO,EACP,QAAQ,GACT,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,sBAAsB,EACtB,kBAAkB,EAClB,oBAAoB,EACpB,aAAa,GACd,MAAM,qBAAqB,CAAC"}

package/dist/server/index.js

@@ -0,0 +1,19 @@
+/**
+ * @cmbmwifi/marketplace-auth/server — Node BFF helper.
+ *
+ *   import { createApp, expressMiddleware } from '@cmbmwifi/marketplace-auth/server';
+ *
+ * Verifies the launch handshake from cnMaestro UI, manages the session cookie,
+ * proxies authenticated NBI calls to the regional NBI-API tier.
+ *
+ * NOTE: the exact launch handshake (token format, exchange endpoint, claims) is
+ * captured in this file as a pluggable contract. Defaults are placeholder —
+ * once the cnMaestro UI handoff spec lands, only `verifyLaunchToken` and
+ * `exchangeForAccessToken` change. Everything else is contract-stable.
+ */
+export { createApp } from './createApp.js';
+export { expressMiddleware } from './express.js';
+export { honoMiddleware } from './hono.js';
+export { memorySessionStore, redisSessionStore } from './session.js';
+export { AuthError, NonceVerificationError, TokenExchangeError, SessionNotFoundError, UpstreamError, } from '../shared/errors.js';
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAoBrE,OAAO,EACL,SAAS,EACT,sBAAsB,EACtB,kBAAkB,EAClB,oBAAoB,EACpB,aAAa,GACd,MAAM,qBAAqB,CAAC"}

package/dist/server/session.d.ts

@@ -0,0 +1,15 @@
+import type { SessionStore } from './types.js';
+/**
+ * In-memory store. Single-process only. Use for dev or single-task ECS deploys.
+ */
+export declare function memorySessionStore(): SessionStore;
+/**
+ * Redis-backed store. Stub. Wire ioredis or redis@4 when first ECS deploy
+ * needs auto-scaling beyond a single task.
+ */
+export declare function redisSessionStore(config: {
+    url: string;
+    keyPrefix?: string;
+    ttlSeconds?: number;
+}): SessionStore;
+//# sourceMappingURL=session.d.ts.map

package/dist/server/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/server/session.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,YAAY,CAOjD;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,YAAY,CAKhH"}

package/dist/server/session.js

@@ -0,0 +1,20 @@
+/**
+ * In-memory store. Single-process only. Use for dev or single-task ECS deploys.
+ */
+export function memorySessionStore() {
+    const store = new Map();
+    return {
+        async get(id) { return store.get(id) ?? null; },
+        async set(id, session) { store.set(id, session); },
+        async delete(id) { store.delete(id); },
+    };
+}
+/**
+ * Redis-backed store. Stub. Wire ioredis or redis@4 when first ECS deploy
+ * needs auto-scaling beyond a single task.
+ */
+export function redisSessionStore(config) {
+    void config;
+    throw new Error('redisSessionStore is not implemented yet. Provide a custom SessionStore via createApp({ sessionStore }).');
+}
+//# sourceMappingURL=session.js.map

package/dist/server/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/server/session.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAmB,CAAC;IACzC,OAAO;QACL,KAAK,CAAC,GAAG,CAAC,EAAE,IAAgB,OAAO,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC;QAC3D,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,IAAO,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;QACrD,KAAK,CAAC,MAAM,CAAC,EAAE,IAAa,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;KAChD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAgE;IAChG,KAAK,MAAM,CAAC;IACZ,MAAM,IAAI,KAAK,CACb,0GAA0G,CAC3G,CAAC;AACJ,CAAC"}

package/dist/server/types.d.ts

@@ -0,0 +1,60 @@
+import type { Region, Session } from '../shared/types.js';
+export interface AppCredentials {
+    clientId: string;
+    clientSecret: string;
+}
+export interface SessionStore {
+    get(id: string): Promise<Session | null>;
+    set(id: string, session: Session): Promise<void>;
+    delete(id: string): Promise<void>;
+}
+export interface AppConfig {
+    appId: string;
+    region: Region;
+    /** Auth Service base URL (or whatever the cnMaestro UI handoff endpoint is). */
+    authServiceUrl: string;
+    /** JWKS URL for verifying the launch token signature. */
+    authServicePublicKeyUrl?: string;
+    /** App credentials (client_id + client_secret), kept server-side only. */
+    appCredentials: AppCredentials;
+    sessionStore?: 'memory' | 'redis' | SessionStore;
+    redisUrl?: string;
+    sessionCookieName?: string;
+    sessionTtlSeconds?: number;
+    /** When true, skip the real launch handshake and mint a local dev JWT. */
+    devMode?: boolean;
+    hooks?: {
+        beforeProxy?: (req: ProxyRequest, session: Session) => Promise<void>;
+        afterProxy?: (req: ProxyRequest, res: ProxyResponse, session: Session) => Promise<void>;
+    };
+}
+export interface ProxyRequest {
+    method: string;
+    url: string;
+    headers: Record<string, string>;
+    body?: unknown;
+}
+export interface ProxyResponse {
+    status: number;
+    headers: Record<string, string>;
+    body?: unknown;
+}
+export interface App {
+    ready(): Promise<void>;
+    close(): Promise<void>;
+    /**
+     * Handle a launch from cnMaestro UI. The launchToken is whatever the UI hands
+     * to your BFF (kept generic so a different handshake can plug in without
+     * changing call sites).
+     */
+    handleLaunch(launchToken: string): Promise<{
+        session: Session;
+        redirectTo: string;
+    }>;
+    proxy(req: ProxyRequest, sessionId: string): Promise<ProxyResponse>;
+    refreshAccessToken(sessionId: string): Promise<Session>;
+    getSession(sessionId: string): Promise<Session | null>;
+    invalidateSession(sessionId: string): Promise<void>;
+    readonly config: Readonly<AppConfig>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/server/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/server/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAE1D,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IACzC,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACjD,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,gFAAgF;IAChF,cAAc,EAAE,MAAM,CAAC;IACvB,yDAAyD;IACzD,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,0EAA0E;IAC1E,cAAc,EAAE,cAAc,CAAC;IAC/B,YAAY,CAAC,EAAE,QAAQ,GAAG,OAAO,GAAG,YAAY,CAAC;IACjD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,0EAA0E;IAC1E,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE;QACN,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,YAAY,EAAE,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QACrE,UAAU,CAAC,EAAG,CAAC,GAAG,EAAE,YAAY,EAAE,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KAC1F,CAAC;CACH;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,GAAG;IAClB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACvB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvB;;;;OAIG;IACH,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAErF,KAAK,CAAC,GAAG,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACpE,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACxD,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IACvD,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEpD,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;CACtC"}

package/dist/server/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/server/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/server/types.ts"],"names":[],"mappings":""}

package/dist/shared/errors.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Error classes shared across server, browser, and React subpaths.
+ * Branded so consumers can `instanceof`-check across module boundaries.
+ */
+export declare class AuthError extends Error {
+    readonly code: string;
+    readonly cause?: unknown | undefined;
+    constructor(message: string, code: string, cause?: unknown | undefined);
+}
+export declare class NonceVerificationError extends AuthError {
+    constructor(cause?: unknown);
+}
+export declare class TokenExchangeError extends AuthError {
+    readonly status: number;
+    constructor(status: number, body: unknown);
+}
+export declare class SessionNotFoundError extends AuthError {
+    constructor();
+}
+export declare class UpstreamError extends AuthError {
+    readonly status: number;
+    constructor(status: number, message: string);
+}
+export declare class BridgeHttpError extends Error {
+    readonly status: number;
+    readonly statusText: string;
+    readonly body: unknown;
+    constructor(status: number, statusText: string, body: unknown);
+}
+export declare class SessionExpiredError extends Error {
+    constructor();
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/shared/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/shared/errors.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,qBAAa,SAAU,SAAQ,KAAK;aACW,IAAI,EAAE,MAAM;aAAkB,KAAK,CAAC,EAAE,OAAO;gBAA9E,OAAO,EAAE,MAAM,EAAkB,IAAI,EAAE,MAAM,EAAkB,KAAK,CAAC,EAAE,OAAO,YAAA;CAI3F;AAID,qBAAa,sBAAuB,SAAQ,SAAS;gBACvC,KAAK,CAAC,EAAE,OAAO;CAG5B;AAED,qBAAa,kBAAmB,SAAQ,SAAS;aACnB,MAAM,EAAE,MAAM;gBAAd,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO;CAG1D;AAED,qBAAa,oBAAqB,SAAQ,SAAS;;CAIlD;AAED,qBAAa,aAAc,SAAQ,SAAS;aACd,MAAM,EAAE,MAAM;gBAAd,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAG5D;AAID,qBAAa,eAAgB,SAAQ,KAAK;aAEtB,MAAM,EAAE,MAAM;aACd,UAAU,EAAE,MAAM;aAClB,IAAI,EAAE,OAAO;gBAFb,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,OAAO;CAKhC;AAED,qBAAa,mBAAoB,SAAQ,KAAK;;CAK7C"}