@vivero/stoma 0.1.0-rc.10

package/dist/policies/auth/jws.js

@@ -0,0 +1,317 @@
+import { GatewayError } from "../../core/errors";
+import { sanitizeHeaderValue, withModifiedHeaders } from "../../utils/headers";
+import { definePolicy, Priority } from "../sdk";
+import {
+  base64UrlDecode,
+  base64UrlEncodeBytes,
+  base64UrlToBuffer,
+  fetchJwks,
+  hmacAlgorithm,
+  rsaAlgorithm
+} from "./crypto";
+import { clearJwksCache } from "./crypto";
+const jws = /* @__PURE__ */ definePolicy({
+  name: "jws",
+  priority: Priority.AUTH,
+  defaults: {
+    headerName: "X-JWS-Signature",
+    payloadSource: "embedded",
+    forwardPayload: false,
+    forwardHeaderName: "X-JWS-Payload"
+  },
+  validate: (config) => {
+    if (!config.secret && !config.jwksUrl) {
+      throw new GatewayError(
+        500,
+        "config_error",
+        "jws requires either 'secret' or 'jwksUrl'"
+      );
+    }
+  },
+  handler: async (c, next, { config, debug }) => {
+    const jwsCompact = c.req.header(config.headerName);
+    if (!jwsCompact) {
+      throw new GatewayError(
+        401,
+        "jws_missing",
+        `Missing JWS header: ${config.headerName}`
+      );
+    }
+    const parts = jwsCompact.split(".");
+    if (parts.length !== 3) {
+      throw new GatewayError(
+        401,
+        "jws_invalid",
+        "Malformed JWS: expected 3 parts"
+      );
+    }
+    const [headerB64, payloadB64, signatureB64] = parts;
+    let header;
+    try {
+      header = JSON.parse(base64UrlDecode(headerB64));
+    } catch {
+      throw new GatewayError(
+        401,
+        "jws_invalid",
+        "Malformed JWS: invalid header encoding"
+      );
+    }
+    if (header.alg.toLowerCase() === "none") {
+      throw new GatewayError(
+        401,
+        "jws_invalid",
+        "JWS algorithm 'none' is not allowed"
+      );
+    }
+    let verifyPayloadB64;
+    if (config.payloadSource === "body") {
+      const body = await c.req.raw.clone().text();
+      const encoder2 = new TextEncoder();
+      verifyPayloadB64 = base64UrlEncodeBytes(encoder2.encode(body));
+    } else {
+      if (!payloadB64) {
+        throw new GatewayError(
+          401,
+          "jws_invalid",
+          "JWS has empty payload but payloadSource is 'embedded'"
+        );
+      }
+      verifyPayloadB64 = payloadB64;
+    }
+    const encoder = new TextEncoder();
+    const signingInput = encoder.encode(`${headerB64}.${verifyPayloadB64}`);
+    const signature = base64UrlToBuffer(signatureB64);
+    if (config.secret) {
+      const hash = hmacAlgorithm(header.alg);
+      if (!hash) {
+        throw new GatewayError(
+          401,
+          "jws_invalid",
+          `Unsupported JWS algorithm: ${header.alg}`
+        );
+      }
+      debug(`HMAC verification (alg=${header.alg})`);
+      const key = await crypto.subtle.importKey(
+        "raw",
+        encoder.encode(config.secret),
+        { name: "HMAC", hash },
+        false,
+        ["verify"]
+      );
+      const valid = await crypto.subtle.verify(
+        "HMAC",
+        key,
+        signature,
+        signingInput
+      );
+      if (!valid) {
+        throw new GatewayError(401, "jws_invalid", "Invalid JWS signature");
+      }
+    } else if (config.jwksUrl) {
+      const algorithm = rsaAlgorithm(header.alg);
+      if (!algorithm) {
+        throw new GatewayError(
+          401,
+          "jws_invalid",
+          `Unsupported JWS algorithm: ${header.alg}`
+        );
+      }
+      const keys = await fetchJwks(
+        config.jwksUrl,
+        config.jwksCacheTtlMs,
+        config.jwksTimeoutMs
+      );
+      const matchingKey = header.kid ? keys.find(
+        (k) => k.kid === header.kid
+      ) : keys[0];
+      if (!matchingKey) {
+        throw new GatewayError(
+          401,
+          "jws_invalid",
+          "No matching JWKS key found"
+        );
+      }
+      debug(
+        `JWKS verification (alg=${header.alg}, kid=${header.kid ?? "none"})`
+      );
+      const key = await crypto.subtle.importKey(
+        "jwk",
+        matchingKey,
+        algorithm,
+        false,
+        ["verify"]
+      );
+      const valid = await crypto.subtle.verify(
+        algorithm,
+        key,
+        signature,
+        signingInput
+      );
+      if (!valid) {
+        throw new GatewayError(401, "jws_invalid", "Invalid JWS signature");
+      }
+    }
+    if (config.forwardPayload) {
+      try {
+        const decodedPayload = base64UrlDecode(verifyPayloadB64);
+        withModifiedHeaders(c, (headers) => {
+          headers.set(
+            config.forwardHeaderName,
+            sanitizeHeaderValue(decodedPayload)
+          );
+        });
+      } catch {
+      }
+    }
+    debug("JWS verified");
+    await next();
+  },
+  evaluate: {
+    onRequest: async (input, { config, debug }) => {
+      const jwsCompact = input.headers.get(config.headerName);
+      if (!jwsCompact) {
+        return {
+          action: "reject",
+          status: 401,
+          code: "jws_missing",
+          message: `Missing JWS header: ${config.headerName}`
+        };
+      }
+      const parts = jwsCompact.split(".");
+      if (parts.length !== 3) {
+        return {
+          action: "reject",
+          status: 401,
+          code: "jws_invalid",
+          message: "Malformed JWS: expected 3 parts"
+        };
+      }
+      const [headerB64, payloadB64, signatureB64] = parts;
+      let header;
+      try {
+        header = JSON.parse(base64UrlDecode(headerB64));
+      } catch {
+        return {
+          action: "reject",
+          status: 401,
+          code: "jws_invalid",
+          message: "Malformed JWS header: invalid base64"
+        };
+      }
+      if (header.alg.toLowerCase() === "none") {
+        return {
+          action: "reject",
+          status: 401,
+          code: "jws_invalid",
+          message: "JWS algorithm 'none' is not allowed"
+        };
+      }
+      const verifyPayloadB64 = config.payloadSource === "body" && input.body ? typeof input.body === "string" ? base64UrlEncodeBytes(new TextEncoder().encode(input.body)) : base64UrlEncodeBytes(new Uint8Array(input.body)) : payloadB64;
+      const signingInput = `${headerB64}.${verifyPayloadB64}`;
+      const signature = base64UrlToBuffer(signatureB64);
+      if (config.secret) {
+        const algorithm = hmacAlgorithm(header.alg);
+        if (!algorithm) {
+          return {
+            action: "reject",
+            status: 401,
+            code: "jws_invalid",
+            message: `Unsupported JWS algorithm: ${header.alg}`
+          };
+        }
+        const key = await crypto.subtle.importKey(
+          "raw",
+          new TextEncoder().encode(config.secret),
+          { name: "HMAC", hash: algorithm },
+          false,
+          ["verify"]
+        );
+        const valid = await crypto.subtle.verify(
+          algorithm,
+          key,
+          signature,
+          new TextEncoder().encode(signingInput)
+        );
+        if (!valid) {
+          return {
+            action: "reject",
+            status: 401,
+            code: "jws_invalid",
+            message: "Invalid JWS signature"
+          };
+        }
+      } else if (config.jwksUrl) {
+        const algorithm = rsaAlgorithm(header.alg);
+        if (!algorithm) {
+          return {
+            action: "reject",
+            status: 401,
+            code: "jws_invalid",
+            message: `Unsupported JWS algorithm: ${header.alg}`
+          };
+        }
+        const keys = await fetchJwks(
+          config.jwksUrl,
+          config.jwksCacheTtlMs,
+          config.jwksTimeoutMs
+        );
+        const matchingKey = header.kid ? keys.find(
+          (k) => k.kid === header.kid
+        ) : keys[0];
+        if (!matchingKey) {
+          return {
+            action: "reject",
+            status: 401,
+            code: "jws_invalid",
+            message: "No matching JWKS key found"
+          };
+        }
+        const key = await crypto.subtle.importKey(
+          "jwk",
+          matchingKey,
+          algorithm,
+          false,
+          ["verify"]
+        );
+        const valid = await crypto.subtle.verify(
+          algorithm,
+          key,
+          signature,
+          new TextEncoder().encode(signingInput)
+        );
+        if (!valid) {
+          return {
+            action: "reject",
+            status: 401,
+            code: "jws_invalid",
+            message: "Invalid JWS signature"
+          };
+        }
+      }
+      if (config.forwardPayload) {
+        try {
+          const decodedPayload = base64UrlDecode(verifyPayloadB64);
+          return {
+            action: "continue",
+            mutations: [
+              {
+                type: "header",
+                op: "set",
+                name: config.forwardHeaderName,
+                value: sanitizeHeaderValue(decodedPayload)
+              }
+            ]
+          };
+        } catch {
+        }
+      }
+      debug("JWS verified");
+      return { action: "continue" };
+    }
+  }
+});
+export {
+  clearJwksCache as clearJwsJwksCache,
+  jws
+};
+//# sourceMappingURL=jws.js.map

package/dist/policies/auth/jws.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/policies/auth/jws.ts"],"sourcesContent":["/**\n * JWS verification policy - verifies JSON Web Signature compact serialization.\n *\n * Supports both embedded and detached payloads, HMAC (HS256/384/512) and\n * RSA (RS256/384/512) via JWKS endpoints.\n *\n * @module jws\n */\n\nimport { GatewayError } from \"../../core/errors\";\nimport { sanitizeHeaderValue, withModifiedHeaders } from \"../../utils/headers\";\nimport { definePolicy, Priority } from \"../sdk\";\nimport type { PolicyConfig } from \"../types\";\nimport {\n  base64UrlDecode,\n  base64UrlEncodeBytes,\n  base64UrlToBuffer,\n  fetchJwks,\n  hmacAlgorithm,\n  rsaAlgorithm,\n} from \"./crypto\";\n\nexport interface JwsConfig extends PolicyConfig {\n  /** HMAC secret for verification */\n  secret?: string;\n  /** JWKS endpoint for RSA verification */\n  jwksUrl?: string;\n  /** Header containing the JWS. Default: \"X-JWS-Signature\" */\n  headerName?: string;\n  /** Where the payload comes from for detached JWS. Default: \"embedded\" */\n  payloadSource?: \"embedded\" | \"body\";\n  /** Whether to forward the verified payload as a header. Default: false */\n  forwardPayload?: boolean;\n  /** Header name for forwarded payload. Default: \"X-JWS-Payload\" */\n  forwardHeaderName?: string;\n  /** JWKS cache TTL in ms. Default: 300000 */\n  jwksCacheTtlMs?: number;\n  /** JWKS fetch timeout in milliseconds. Default: 10000 (10 seconds). */\n  jwksTimeoutMs?: number;\n}\n\ninterface JwsHeader {\n  alg: string;\n  typ?: string;\n  kid?: string;\n}\n\n/**\n * @deprecated Use `clearJwksCache` from `./crypto` instead. This re-export\n * exists for backwards compatibility with existing tests.\n */\nexport { clearJwksCache as clearJwsJwksCache } from \"./crypto\";\n\n/**\n * Verify JWS compact serialization signatures on requests.\n *\n * The `none` algorithm is always rejected to prevent signature bypass attacks.\n * Config validation (`secret` or `jwksUrl` required) is performed at construction\n * time - a missing config throws immediately, not on first request.\n *\n * @example\n * ```ts\n * import { jws } from \"@vivero/stoma\";\n *\n * // HMAC verification with embedded payload\n * jws({ secret: env.JWS_SECRET });\n *\n * // Detached JWS - payload comes from the request body\n * jws({ secret: env.JWS_SECRET, payloadSource: \"body\" });\n * ```\n */\nexport const jws = /*#__PURE__*/ definePolicy<JwsConfig>({\n  name: \"jws\",\n  priority: Priority.AUTH,\n  defaults: {\n    headerName: \"X-JWS-Signature\",\n    payloadSource: \"embedded\",\n    forwardPayload: false,\n    forwardHeaderName: \"X-JWS-Payload\",\n  },\n  validate: (config) => {\n    if (!config.secret && !config.jwksUrl) {\n      throw new GatewayError(\n        500,\n        \"config_error\",\n        \"jws requires either 'secret' or 'jwksUrl'\"\n      );\n    }\n  },\n  handler: async (c, next, { config, debug }) => {\n    // Extract JWS from header\n    const jwsCompact = c.req.header(config.headerName!);\n    if (!jwsCompact) {\n      throw new GatewayError(\n        401,\n        \"jws_missing\",\n        `Missing JWS header: ${config.headerName}`\n      );\n    }\n\n    // Parse JWS compact serialization: header.payload.signature\n    const parts = jwsCompact.split(\".\");\n    if (parts.length !== 3) {\n      throw new GatewayError(\n        401,\n        \"jws_invalid\",\n        \"Malformed JWS: expected 3 parts\"\n      );\n    }\n\n    const [headerB64, payloadB64, signatureB64] = parts;\n\n    // Decode header\n    let header: JwsHeader;\n    try {\n      header = JSON.parse(base64UrlDecode(headerB64));\n    } catch {\n      throw new GatewayError(\n        401,\n        \"jws_invalid\",\n        \"Malformed JWS: invalid header encoding\"\n      );\n    }\n\n    // Block \"none\" algorithm (case-insensitive to prevent bypass)\n    if (header.alg.toLowerCase() === \"none\") {\n      throw new GatewayError(\n        401,\n        \"jws_invalid\",\n        \"JWS algorithm 'none' is not allowed\"\n      );\n    }\n\n    // Resolve the payload for verification\n    let verifyPayloadB64: string;\n    if (config.payloadSource === \"body\") {\n      // Detached JWS: payload section should be empty, actual payload is request body\n      const body = await c.req.raw.clone().text();\n      const encoder = new TextEncoder();\n      verifyPayloadB64 = base64UrlEncodeBytes(encoder.encode(body));\n    } else {\n      // Embedded: payload is in the JWS itself\n      if (!payloadB64) {\n        throw new GatewayError(\n          401,\n          \"jws_invalid\",\n          \"JWS has empty payload but payloadSource is 'embedded'\"\n        );\n      }\n      verifyPayloadB64 = payloadB64;\n    }\n\n    // Verify signature\n    const encoder = new TextEncoder();\n    const signingInput = encoder.encode(`${headerB64}.${verifyPayloadB64}`);\n    const signature = base64UrlToBuffer(signatureB64);\n\n    if (config.secret) {\n      const hash = hmacAlgorithm(header.alg);\n      if (!hash) {\n        throw new GatewayError(\n          401,\n          \"jws_invalid\",\n          `Unsupported JWS algorithm: ${header.alg}`\n        );\n      }\n\n      debug(`HMAC verification (alg=${header.alg})`);\n      const key = await crypto.subtle.importKey(\n        \"raw\",\n        encoder.encode(config.secret),\n        { name: \"HMAC\", hash },\n        false,\n        [\"verify\"]\n      );\n\n      const valid = await crypto.subtle.verify(\n        \"HMAC\",\n        key,\n        signature,\n        signingInput\n      );\n      if (!valid) {\n        throw new GatewayError(401, \"jws_invalid\", \"Invalid JWS signature\");\n      }\n    } else if (config.jwksUrl) {\n      const algorithm = rsaAlgorithm(header.alg);\n      if (!algorithm) {\n        throw new GatewayError(\n          401,\n          \"jws_invalid\",\n          `Unsupported JWS algorithm: ${header.alg}`\n        );\n      }\n\n      const keys = await fetchJwks(\n        config.jwksUrl,\n        config.jwksCacheTtlMs,\n        config.jwksTimeoutMs\n      );\n      const matchingKey = (header as JwsHeader).kid\n        ? keys.find(\n            (k) => (k as unknown as Record<string, unknown>).kid === header.kid\n          )\n        : keys[0];\n\n      if (!matchingKey) {\n        throw new GatewayError(\n          401,\n          \"jws_invalid\",\n          \"No matching JWKS key found\"\n        );\n      }\n\n      debug(\n        `JWKS verification (alg=${header.alg}, kid=${header.kid ?? \"none\"})`\n      );\n      const key = await crypto.subtle.importKey(\n        \"jwk\",\n        matchingKey,\n        algorithm,\n        false,\n        [\"verify\"]\n      );\n\n      const valid = await crypto.subtle.verify(\n        algorithm,\n        key,\n        signature,\n        signingInput\n      );\n      if (!valid) {\n        throw new GatewayError(401, \"jws_invalid\", \"Invalid JWS signature\");\n      }\n    }\n\n    // Forward verified payload if requested\n    if (config.forwardPayload) {\n      try {\n        const decodedPayload = base64UrlDecode(verifyPayloadB64);\n        withModifiedHeaders(c, (headers) => {\n          headers.set(\n            config.forwardHeaderName!,\n            sanitizeHeaderValue(decodedPayload)\n          );\n        });\n      } catch {\n        // If payload isn't decodable, skip forwarding\n      }\n    }\n\n    debug(\"JWS verified\");\n    await next();\n  },\n  evaluate: {\n    onRequest: async (input, { config, debug }) => {\n      // Extract JWS from header\n      const jwsCompact = input.headers.get(config.headerName!);\n      if (!jwsCompact) {\n        return {\n          action: \"reject\",\n          status: 401,\n          code: \"jws_missing\",\n          message: `Missing JWS header: ${config.headerName}`,\n        };\n      }\n\n      // Parse JWS compact serialization: header.payload.signature\n      const parts = jwsCompact.split(\".\");\n      if (parts.length !== 3) {\n        return {\n          action: \"reject\",\n          status: 401,\n          code: \"jws_invalid\",\n          message: \"Malformed JWS: expected 3 parts\",\n        };\n      }\n\n      const [headerB64, payloadB64, signatureB64] = parts;\n\n      // Decode header\n      let header: JwsHeader;\n      try {\n        header = JSON.parse(base64UrlDecode(headerB64));\n      } catch {\n        return {\n          action: \"reject\",\n          status: 401,\n          code: \"jws_invalid\",\n          message: \"Malformed JWS header: invalid base64\",\n        };\n      }\n\n      // Block \"none\" algorithm\n      if (header.alg.toLowerCase() === \"none\") {\n        return {\n          action: \"reject\",\n          status: 401,\n          code: \"jws_invalid\",\n          message: \"JWS algorithm 'none' is not allowed\",\n        };\n      }\n\n      // Get payload (embedded or from body)\n      const verifyPayloadB64 =\n        config.payloadSource === \"body\" && input.body\n          ? typeof input.body === \"string\"\n            ? base64UrlEncodeBytes(new TextEncoder().encode(input.body))\n            : base64UrlEncodeBytes(new Uint8Array(input.body))\n          : payloadB64;\n\n      const signingInput = `${headerB64}.${verifyPayloadB64}`;\n\n      // Verify signature\n      const signature = base64UrlToBuffer(signatureB64);\n\n      if (config.secret) {\n        const algorithm = hmacAlgorithm(header.alg);\n        if (!algorithm) {\n          return {\n            action: \"reject\",\n            status: 401,\n            code: \"jws_invalid\",\n            message: `Unsupported JWS algorithm: ${header.alg}`,\n          };\n        }\n\n        const key = await crypto.subtle.importKey(\n          \"raw\",\n          new TextEncoder().encode(config.secret),\n          { name: \"HMAC\", hash: algorithm },\n          false,\n          [\"verify\"]\n        );\n\n        const valid = await crypto.subtle.verify(\n          algorithm,\n          key,\n          signature,\n          new TextEncoder().encode(signingInput)\n        );\n        if (!valid) {\n          return {\n            action: \"reject\",\n            status: 401,\n            code: \"jws_invalid\",\n            message: \"Invalid JWS signature\",\n          };\n        }\n      } else if (config.jwksUrl) {\n        const algorithm = rsaAlgorithm(header.alg);\n        if (!algorithm) {\n          return {\n            action: \"reject\",\n            status: 401,\n            code: \"jws_invalid\",\n            message: `Unsupported JWS algorithm: ${header.alg}`,\n          };\n        }\n\n        const keys = await fetchJwks(\n          config.jwksUrl,\n          config.jwksCacheTtlMs,\n          config.jwksTimeoutMs\n        );\n        const matchingKey = header.kid\n          ? keys.find(\n              (k) =>\n                (k as unknown as Record<string, unknown>).kid === header.kid\n            )\n          : keys[0];\n\n        if (!matchingKey) {\n          return {\n            action: \"reject\",\n            status: 401,\n            code: \"jws_invalid\",\n            message: \"No matching JWKS key found\",\n          };\n        }\n\n        const key = await crypto.subtle.importKey(\n          \"jwk\",\n          matchingKey,\n          algorithm,\n          false,\n          [\"verify\"]\n        );\n\n        const valid = await crypto.subtle.verify(\n          algorithm,\n          key,\n          signature,\n          new TextEncoder().encode(signingInput)\n        );\n        if (!valid) {\n          return {\n            action: \"reject\",\n            status: 401,\n            code: \"jws_invalid\",\n            message: \"Invalid JWS signature\",\n          };\n        }\n      }\n\n      // Forward verified payload if requested\n      if (config.forwardPayload) {\n        try {\n          const decodedPayload = base64UrlDecode(verifyPayloadB64);\n          return {\n            action: \"continue\",\n            mutations: [\n              {\n                type: \"header\" as const,\n                op: \"set\" as const,\n                name: config.forwardHeaderName!,\n                value: sanitizeHeaderValue(decodedPayload),\n              },\n            ],\n          };\n        } catch {\n          // If payload isn't decodable, continue without forwarding\n        }\n      }\n\n      debug(\"JWS verified\");\n      return { action: \"continue\" };\n    },\n  },\n});\n"],"mappings":"AASA,SAAS,oBAAoB;AAC7B,SAAS,qBAAqB,2BAA2B;AACzD,SAAS,cAAc,gBAAgB;AAEvC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AA+BP,SAA2B,sBAAyB;AAoB7C,MAAM,MAAoB,6BAAwB;AAAA,EACvD,MAAM;AAAA,EACN,UAAU,SAAS;AAAA,EACnB,UAAU;AAAA,IACR,YAAY;AAAA,IACZ,eAAe;AAAA,IACf,gBAAgB;AAAA,IAChB,mBAAmB;AAAA,EACrB;AAAA,EACA,UAAU,CAAC,WAAW;AACpB,QAAI,CAAC,OAAO,UAAU,CAAC,OAAO,SAAS;AACrC,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,SAAS,OAAO,GAAG,MAAM,EAAE,QAAQ,MAAM,MAAM;AAE7C,UAAM,aAAa,EAAE,IAAI,OAAO,OAAO,UAAW;AAClD,QAAI,CAAC,YAAY;AACf,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,uBAAuB,OAAO,UAAU;AAAA,MAC1C;AAAA,IACF;AAGA,UAAM,QAAQ,WAAW,MAAM,GAAG;AAClC,QAAI,MAAM,WAAW,GAAG;AACtB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAG9C,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,gBAAgB,SAAS,CAAC;AAAA,IAChD,QAAQ;AACN,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAGA,QAAI,OAAO,IAAI,YAAY,MAAM,QAAQ;AACvC,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAGA,QAAI;AACJ,QAAI,OAAO,kBAAkB,QAAQ;AAEnC,YAAM,OAAO,MAAM,EAAE,IAAI,IAAI,MAAM,EAAE,KAAK;AAC1C,YAAMA,WAAU,IAAI,YAAY;AAChC,yBAAmB,qBAAqBA,SAAQ,OAAO,IAAI,CAAC;AAAA,IAC9D,OAAO;AAEL,UAAI,CAAC,YAAY;AACf,cAAM,IAAI;AAAA,UACR;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AACA,yBAAmB;AAAA,IACrB;AAGA,UAAM,UAAU,IAAI,YAAY;AAChC,UAAM,eAAe,QAAQ,OAAO,GAAG,SAAS,IAAI,gBAAgB,EAAE;AACtE,UAAM,YAAY,kBAAkB,YAAY;AAEhD,QAAI,OAAO,QAAQ;AACjB,YAAM,OAAO,cAAc,OAAO,GAAG;AACrC,UAAI,CAAC,MAAM;AACT,cAAM,IAAI;AAAA,UACR;AAAA,UACA;AAAA,UACA,8BAA8B,OAAO,GAAG;AAAA,QAC1C;AAAA,MACF;AAEA,YAAM,0BAA0B,OAAO,GAAG,GAAG;AAC7C,YAAM,MAAM,MAAM,OAAO,OAAO;AAAA,QAC9B;AAAA,QACA,QAAQ,OAAO,OAAO,MAAM;AAAA,QAC5B,EAAE,MAAM,QAAQ,KAAK;AAAA,QACrB;AAAA,QACA,CAAC,QAAQ;AAAA,MACX;AAEA,YAAM,QAAQ,MAAM,OAAO,OAAO;AAAA,QAChC;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,UAAI,CAAC,OAAO;AACV,cAAM,IAAI,aAAa,KAAK,eAAe,uBAAuB;AAAA,MACpE;AAAA,IACF,WAAW,OAAO,SAAS;AACzB,YAAM,YAAY,aAAa,OAAO,GAAG;AACzC,UAAI,CAAC,WAAW;AACd,cAAM,IAAI;AAAA,UACR;AAAA,UACA;AAAA,UACA,8BAA8B,OAAO,GAAG;AAAA,QAC1C;AAAA,MACF;AAEA,YAAM,OAAO,MAAM;AAAA,QACjB,OAAO;AAAA,QACP,OAAO;AAAA,QACP,OAAO;AAAA,MACT;AACA,YAAM,cAAe,OAAqB,MACtC,KAAK;AAAA,QACH,CAAC,MAAO,EAAyC,QAAQ,OAAO;AAAA,MAClE,IACA,KAAK,CAAC;AAEV,UAAI,CAAC,aAAa;AAChB,cAAM,IAAI;AAAA,UACR;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAEA;AAAA,QACE,0BAA0B,OAAO,GAAG,SAAS,OAAO,OAAO,MAAM;AAAA,MACnE;AACA,YAAM,MAAM,MAAM,OAAO,OAAO;AAAA,QAC9B;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,CAAC,QAAQ;AAAA,MACX;AAEA,YAAM,QAAQ,MAAM,OAAO,OAAO;AAAA,QAChC;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,UAAI,CAAC,OAAO;AACV,cAAM,IAAI,aAAa,KAAK,eAAe,uBAAuB;AAAA,MACpE;AAAA,IACF;AAGA,QAAI,OAAO,gBAAgB;AACzB,UAAI;AACF,cAAM,iBAAiB,gBAAgB,gBAAgB;AACvD,4BAAoB,GAAG,CAAC,YAAY;AAClC,kBAAQ;AAAA,YACN,OAAO;AAAA,YACP,oBAAoB,cAAc;AAAA,UACpC;AAAA,QACF,CAAC;AAAA,MACH,QAAQ;AAAA,MAER;AAAA,IACF;AAEA,UAAM,cAAc;AACpB,UAAM,KAAK;AAAA,EACb;AAAA,EACA,UAAU;AAAA,IACR,WAAW,OAAO,OAAO,EAAE,QAAQ,MAAM,MAAM;AAE7C,YAAM,aAAa,MAAM,QAAQ,IAAI,OAAO,UAAW;AACvD,UAAI,CAAC,YAAY;AACf,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,SAAS,uBAAuB,OAAO,UAAU;AAAA,QACnD;AAAA,MACF;AAGA,YAAM,QAAQ,WAAW,MAAM,GAAG;AAClC,UAAI,MAAM,WAAW,GAAG;AACtB,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAEA,YAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAG9C,UAAI;AACJ,UAAI;AACF,iBAAS,KAAK,MAAM,gBAAgB,SAAS,CAAC;AAAA,MAChD,QAAQ;AACN,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAGA,UAAI,OAAO,IAAI,YAAY,MAAM,QAAQ;AACvC,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAGA,YAAM,mBACJ,OAAO,kBAAkB,UAAU,MAAM,OACrC,OAAO,MAAM,SAAS,WACpB,qBAAqB,IAAI,YAAY,EAAE,OAAO,MAAM,IAAI,CAAC,IACzD,qBAAqB,IAAI,WAAW,MAAM,IAAI,CAAC,IACjD;AAEN,YAAM,eAAe,GAAG,SAAS,IAAI,gBAAgB;AAGrD,YAAM,YAAY,kBAAkB,YAAY;AAEhD,UAAI,OAAO,QAAQ;AACjB,cAAM,YAAY,cAAc,OAAO,GAAG;AAC1C,YAAI,CAAC,WAAW;AACd,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,QAAQ;AAAA,YACR,MAAM;AAAA,YACN,SAAS,8BAA8B,OAAO,GAAG;AAAA,UACnD;AAAA,QACF;AAEA,cAAM,MAAM,MAAM,OAAO,OAAO;AAAA,UAC9B;AAAA,UACA,IAAI,YAAY,EAAE,OAAO,OAAO,MAAM;AAAA,UACtC,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,UAChC;AAAA,UACA,CAAC,QAAQ;AAAA,QACX;AAEA,cAAM,QAAQ,MAAM,OAAO,OAAO;AAAA,UAChC;AAAA,UACA;AAAA,UACA;AAAA,UACA,IAAI,YAAY,EAAE,OAAO,YAAY;AAAA,QACvC;AACA,YAAI,CAAC,OAAO;AACV,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,QAAQ;AAAA,YACR,MAAM;AAAA,YACN,SAAS;AAAA,UACX;AAAA,QACF;AAAA,MACF,WAAW,OAAO,SAAS;AACzB,cAAM,YAAY,aAAa,OAAO,GAAG;AACzC,YAAI,CAAC,WAAW;AACd,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,QAAQ;AAAA,YACR,MAAM;AAAA,YACN,SAAS,8BAA8B,OAAO,GAAG;AAAA,UACnD;AAAA,QACF;AAEA,cAAM,OAAO,MAAM;AAAA,UACjB,OAAO;AAAA,UACP,OAAO;AAAA,UACP,OAAO;AAAA,QACT;AACA,cAAM,cAAc,OAAO,MACvB,KAAK;AAAA,UACH,CAAC,MACE,EAAyC,QAAQ,OAAO;AAAA,QAC7D,IACA,KAAK,CAAC;AAEV,YAAI,CAAC,aAAa;AAChB,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,QAAQ;AAAA,YACR,MAAM;AAAA,YACN,SAAS;AAAA,UACX;AAAA,QACF;AAEA,cAAM,MAAM,MAAM,OAAO,OAAO;AAAA,UAC9B;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA,CAAC,QAAQ;AAAA,QACX;AAEA,cAAM,QAAQ,MAAM,OAAO,OAAO;AAAA,UAChC;AAAA,UACA;AAAA,UACA;AAAA,UACA,IAAI,YAAY,EAAE,OAAO,YAAY;AAAA,QACvC;AACA,YAAI,CAAC,OAAO;AACV,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,QAAQ;AAAA,YACR,MAAM;AAAA,YACN,SAAS;AAAA,UACX;AAAA,QACF;AAAA,MACF;AAGA,UAAI,OAAO,gBAAgB;AACzB,YAAI;AACF,gBAAM,iBAAiB,gBAAgB,gBAAgB;AACvD,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,WAAW;AAAA,cACT;AAAA,gBACE,MAAM;AAAA,gBACN,IAAI;AAAA,gBACJ,MAAM,OAAO;AAAA,gBACb,OAAO,oBAAoB,cAAc;AAAA,cAC3C;AAAA,YACF;AAAA,UACF;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAEA,YAAM,cAAc;AACpB,aAAO,EAAE,QAAQ,WAAW;AAAA,IAC9B;AAAA,EACF;AACF,CAAC;","names":["encoder"]}

package/dist/policies/auth/jwt-auth.d.ts

@@ -0,0 +1,64 @@
+import { g as PolicyConfig, P as Policy } from '../../protocol-2fD3DJrL.js';
+export { clearJwksCache } from './crypto.js';
+import 'hono';
+import '../sdk/trace.js';
+import '@vivero/stoma-core';
+
+interface JwtAuthConfig extends PolicyConfig {
+    /** JWT secret for HMAC verification */
+    secret?: string;
+    /** JWKS endpoint URL (e.g. Supabase, Auth0) */
+    jwksUrl?: string;
+    /** Expected JWT issuer */
+    issuer?: string;
+    /** Expected JWT audience */
+    audience?: string;
+    /** Header to read the token from. Default: "Authorization" */
+    headerName?: string;
+    /** Token prefix. Default: "Bearer" */
+    tokenPrefix?: string;
+    /** Claims to inject into request headers for upstream consumption */
+    forwardClaims?: Record<string, string>;
+    /** JWKS cache TTL in milliseconds. Default: 300000 (5 minutes). */
+    jwksCacheTtlMs?: number;
+    /** JWKS fetch timeout in milliseconds. Default: 10000 (10 seconds). */
+    jwksTimeoutMs?: number;
+    /** Clock skew tolerance in seconds for expiry checks. Default: 0. */
+    clockSkewSeconds?: number;
+    /** Require the `exp` claim to be present. Default: false. */
+    requireExp?: boolean;
+}
+/**
+ * Validate JWT tokens and optionally forward claims as upstream headers.
+ *
+ * Supports both HMAC (shared secret) and RSA (JWKS endpoint) verification.
+ * JWKS responses are cached for 5 minutes. The `none` algorithm is always
+ * rejected to prevent signature bypass attacks.
+ *
+ * @param config - JWT authentication settings. Requires either `secret` (HMAC) or `jwksUrl` (RSA).
+ * @returns A {@link Policy} at priority 10 (runs early, before rate limiting).
+ *
+ * @example
+ * ```ts
+ * // HMAC verification with a shared secret
+ * createGateway({
+ *   routes: [{
+ *     path: "/api/*",
+ *     pipeline: {
+ *       policies: [jwtAuth({ secret: env.JWT_SECRET })],
+ *       upstream: { type: "url", target: "https://backend.internal" },
+ *     },
+ *   }],
+ * });
+ *
+ * // JWKS verification (e.g. Supabase, Auth0) with claim forwarding
+ * jwtAuth({
+ *   jwksUrl: "https://your-project.supabase.co/auth/v1/.well-known/jwks.json",
+ *   issuer: "https://your-project.supabase.co/auth/v1",
+ *   forwardClaims: { sub: "x-user-id", email: "x-user-email" },
+ * });
+ * ```
+ */
+declare const jwtAuth: (config?: JwtAuthConfig | undefined) => Policy;
+
+export { type JwtAuthConfig, jwtAuth };

package/dist/policies/auth/jwt-auth.js

@@ -0,0 +1,266 @@
+import { GatewayError } from "../../core/errors";
+import { sanitizeHeaderValue, withModifiedHeaders } from "../../utils/headers";
+import { definePolicy, Priority } from "../sdk";
+import {
+  base64UrlDecode,
+  base64UrlToBuffer,
+  fetchJwks,
+  hmacAlgorithm,
+  rsaAlgorithm
+} from "./crypto";
+async function validateJwt(authHeader, config, debug) {
+  if (!authHeader) {
+    return {
+      ok: false,
+      status: 401,
+      code: "unauthorized",
+      message: "Missing authentication token"
+    };
+  }
+  let token;
+  if (config.tokenPrefix) {
+    if (!authHeader.startsWith(`${config.tokenPrefix} `)) {
+      return {
+        ok: false,
+        status: 401,
+        code: "unauthorized",
+        message: `Expected ${config.tokenPrefix} token`
+      };
+    }
+    token = authHeader.slice(config.tokenPrefix.length + 1);
+  } else {
+    token = authHeader;
+  }
+  if (!token || !token.trim()) {
+    return {
+      ok: false,
+      status: 401,
+      code: "unauthorized",
+      message: "Empty authentication token"
+    };
+  }
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    return {
+      ok: false,
+      status: 401,
+      code: "unauthorized",
+      message: "Malformed JWT: expected 3 parts"
+    };
+  }
+  let header;
+  let payload;
+  try {
+    header = JSON.parse(base64UrlDecode(parts[0]));
+    payload = JSON.parse(base64UrlDecode(parts[1]));
+  } catch {
+    return {
+      ok: false,
+      status: 401,
+      code: "unauthorized",
+      message: "Malformed JWT: invalid base64 encoding"
+    };
+  }
+  if (header.alg.toLowerCase() === "none") {
+    return {
+      ok: false,
+      status: 401,
+      code: "unauthorized",
+      message: "JWT algorithm 'none' is not allowed"
+    };
+  }
+  if (config.secret) {
+    debug(`HMAC verification (alg=${header.alg})`);
+    await verifyHmac(config.secret, parts[0], parts[1], parts[2], header.alg);
+  } else if (config.jwksUrl) {
+    debug(`JWKS verification (alg=${header.alg}, kid=${header.kid ?? "none"})`);
+    await verifyJwks(
+      config.jwksUrl,
+      parts[0],
+      parts[1],
+      parts[2],
+      header,
+      config.jwksCacheTtlMs,
+      config.jwksTimeoutMs
+    );
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  if (config.requireExp && payload.exp === void 0) {
+    return {
+      ok: false,
+      status: 401,
+      code: "unauthorized",
+      message: "JWT must contain an 'exp' claim"
+    };
+  }
+  if (payload.exp !== void 0 && payload.exp < now - config.clockSkewSeconds) {
+    return {
+      ok: false,
+      status: 401,
+      code: "unauthorized",
+      message: "JWT has expired"
+    };
+  }
+  if (config.issuer && payload.iss !== config.issuer) {
+    return {
+      ok: false,
+      status: 401,
+      code: "unauthorized",
+      message: "JWT issuer mismatch"
+    };
+  }
+  if (config.audience) {
+    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
+    if (!aud.includes(config.audience)) {
+      return {
+        ok: false,
+        status: 401,
+        code: "unauthorized",
+        message: "JWT audience mismatch"
+      };
+    }
+  }
+  debug(`verified (sub=${payload.sub ?? "none"})`);
+  return { ok: true, payload };
+}
+const jwtAuth = /* @__PURE__ */ definePolicy({
+  name: "jwt-auth",
+  priority: Priority.AUTH,
+  phases: ["request-headers"],
+  defaults: {
+    headerName: "authorization",
+    tokenPrefix: "Bearer",
+    clockSkewSeconds: 0,
+    requireExp: false
+  },
+  validate: (config) => {
+    if (!config.secret && !config.jwksUrl) {
+      throw new GatewayError(
+        500,
+        "config_error",
+        "jwtAuth requires either 'secret' or 'jwksUrl'"
+      );
+    }
+  },
+  handler: async (c, next, { config, debug }) => {
+    const result = await validateJwt(
+      c.req.header(config.headerName),
+      config,
+      debug
+    );
+    if (!result.ok) {
+      throw new GatewayError(result.status, result.code, result.message);
+    }
+    if (config.forwardClaims) {
+      const { payload } = result;
+      const forwardClaims = config.forwardClaims;
+      withModifiedHeaders(c, (headers) => {
+        for (const [claim, headerKey] of Object.entries(forwardClaims)) {
+          const value = payload[claim];
+          if (value !== void 0 && value !== null) {
+            headers.set(headerKey, sanitizeHeaderValue(String(value)));
+          }
+        }
+      });
+    }
+    await next();
+  },
+  evaluate: {
+    onRequest: async (input, { config, debug }) => {
+      const result = await validateJwt(
+        input.headers.get(config.headerName),
+        config,
+        debug
+      );
+      if (!result.ok) {
+        return {
+          action: "reject",
+          status: result.status,
+          code: result.code,
+          message: result.message
+        };
+      }
+      if (config.forwardClaims) {
+        const { payload } = result;
+        const forwardClaims = config.forwardClaims;
+        const mutations = [];
+        for (const [claim, headerKey] of Object.entries(forwardClaims)) {
+          const value = payload[claim];
+          if (value !== void 0 && value !== null) {
+            mutations.push({
+              type: "header",
+              op: "set",
+              name: headerKey,
+              value: sanitizeHeaderValue(String(value))
+            });
+          }
+        }
+        if (mutations.length > 0) {
+          return { action: "continue", mutations };
+        }
+      }
+      return { action: "continue" };
+    }
+  }
+});
+async function verifyHmac(secret, headerB64, payloadB64, signatureB64, alg) {
+  const algorithm = hmacAlgorithm(alg);
+  if (!algorithm) {
+    throw new GatewayError(
+      401,
+      "unauthorized",
+      `Unsupported JWT algorithm: ${alg}`
+    );
+  }
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: algorithm },
+    false,
+    ["verify"]
+  );
+  const data = encoder.encode(`${headerB64}.${payloadB64}`);
+  const signature = base64UrlToBuffer(signatureB64);
+  const valid = await crypto.subtle.verify("HMAC", key, signature, data);
+  if (!valid) {
+    throw new GatewayError(401, "unauthorized", "Invalid JWT signature");
+  }
+}
+async function verifyJwks(jwksUrl, headerB64, payloadB64, signatureB64, header, cacheTtlMs, timeoutMs) {
+  const keys = await fetchJwks(jwksUrl, cacheTtlMs, timeoutMs);
+  const matchingKey = header.kid ? keys.find(
+    (k) => k.kid === header.kid
+  ) : keys[0];
+  if (!matchingKey) {
+    throw new GatewayError(401, "unauthorized", "No matching JWKS key found");
+  }
+  const algorithm = rsaAlgorithm(header.alg);
+  if (!algorithm) {
+    throw new GatewayError(
+      401,
+      "unauthorized",
+      `Unsupported JWT algorithm: ${header.alg}`
+    );
+  }
+  const key = await crypto.subtle.importKey(
+    "jwk",
+    matchingKey,
+    algorithm,
+    false,
+    ["verify"]
+  );
+  const encoder = new TextEncoder();
+  const data = encoder.encode(`${headerB64}.${payloadB64}`);
+  const signature = base64UrlToBuffer(signatureB64);
+  const valid = await crypto.subtle.verify(algorithm, key, signature, data);
+  if (!valid) {
+    throw new GatewayError(401, "unauthorized", "Invalid JWT signature");
+  }
+}
+import { clearJwksCache } from "./crypto";
+export {
+  clearJwksCache,
+  jwtAuth
+};
+//# sourceMappingURL=jwt-auth.js.map