npm - @vivero/stoma - Versions diffs - 0.1.0-rc.5 - Mend

@vivero/stoma 0.1.0-rc.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (251) hide show

package/dist/adapters/bun.d.ts +9 -0
package/dist/adapters/bun.js +8 -0
package/dist/adapters/bun.js.map +1 -0
package/dist/adapters/cloudflare.d.ts +49 -0
package/dist/adapters/cloudflare.js +85 -0
package/dist/adapters/cloudflare.js.map +1 -0
package/dist/adapters/deno.d.ts +9 -0
package/dist/adapters/deno.js +8 -0
package/dist/adapters/deno.js.map +1 -0
package/dist/adapters/durable-object.d.ts +63 -0
package/dist/adapters/durable-object.js +46 -0
package/dist/adapters/durable-object.js.map +1 -0
package/dist/adapters/index.d.ts +13 -0
package/dist/adapters/index.js +53 -0
package/dist/adapters/index.js.map +1 -0
package/dist/adapters/memory.d.ts +9 -0
package/dist/adapters/memory.js +14 -0
package/dist/adapters/memory.js.map +1 -0
package/dist/adapters/node.d.ts +9 -0
package/dist/adapters/node.js +8 -0
package/dist/adapters/node.js.map +1 -0
package/dist/adapters/postgres.d.ts +109 -0
package/dist/adapters/postgres.js +242 -0
package/dist/adapters/postgres.js.map +1 -0
package/dist/adapters/redis.d.ts +116 -0
package/dist/adapters/redis.js +194 -0
package/dist/adapters/redis.js.map +1 -0
package/dist/adapters/testing.d.ts +32 -0
package/dist/adapters/testing.js +33 -0
package/dist/adapters/testing.js.map +1 -0
package/dist/adapters/types.d.ts +4 -0
package/dist/adapters/types.js +1 -0
package/dist/adapters/types.js.map +1 -0
package/dist/config/index.d.ts +11 -0
package/dist/config/index.js +21 -0
package/dist/config/index.js.map +1 -0
package/dist/config/merge.d.ts +48 -0
package/dist/config/merge.js +83 -0
package/dist/config/merge.js.map +1 -0
package/dist/config/schema.d.ts +254 -0
package/dist/config/schema.js +109 -0
package/dist/config/schema.js.map +1 -0
package/dist/core/errors.d.ts +66 -0
package/dist/core/errors.js +47 -0
package/dist/core/errors.js.map +1 -0
package/dist/core/gateway.d.ts +44 -0
package/dist/core/gateway.js +390 -0
package/dist/core/gateway.js.map +1 -0
package/dist/core/health.d.ts +78 -0
package/dist/core/health.js +65 -0
package/dist/core/health.js.map +1 -0
package/dist/core/pipeline.d.ts +62 -0
package/dist/core/pipeline.js +214 -0
package/dist/core/pipeline.js.map +1 -0
package/dist/core/protocol.d.ts +4 -0
package/dist/core/protocol.js +1 -0
package/dist/core/protocol.js.map +1 -0
package/dist/core/scope.d.ts +67 -0
package/dist/core/scope.js +44 -0
package/dist/core/scope.js.map +1 -0
package/dist/core/types.d.ts +252 -0
package/dist/core/types.js +1 -0
package/dist/core/types.js.map +1 -0
package/dist/index.d.ts +57 -0
package/dist/index.js +158 -0
package/dist/index.js.map +1 -0
package/dist/observability/admin.d.ts +32 -0
package/dist/observability/admin.js +85 -0
package/dist/observability/admin.js.map +1 -0
package/dist/observability/metrics.d.ts +78 -0
package/dist/observability/metrics.js +107 -0
package/dist/observability/metrics.js.map +1 -0
package/dist/observability/tracing.d.ts +149 -0
package/dist/observability/tracing.js +191 -0
package/dist/observability/tracing.js.map +1 -0
package/dist/policies/auth/api-key-auth.d.ts +64 -0
package/dist/policies/auth/api-key-auth.js +93 -0
package/dist/policies/auth/api-key-auth.js.map +1 -0
package/dist/policies/auth/basic-auth.d.ts +33 -0
package/dist/policies/auth/basic-auth.js +96 -0
package/dist/policies/auth/basic-auth.js.map +1 -0
package/dist/policies/auth/crypto.d.ts +29 -0
package/dist/policies/auth/crypto.js +100 -0
package/dist/policies/auth/crypto.js.map +1 -0
package/dist/policies/auth/generate-http-signature.d.ts +30 -0
package/dist/policies/auth/generate-http-signature.js +79 -0
package/dist/policies/auth/generate-http-signature.js.map +1 -0
package/dist/policies/auth/generate-jwt.d.ts +44 -0
package/dist/policies/auth/generate-jwt.js +99 -0
package/dist/policies/auth/generate-jwt.js.map +1 -0
package/dist/policies/auth/http-signature-base.d.ts +55 -0
package/dist/policies/auth/http-signature-base.js +140 -0
package/dist/policies/auth/http-signature-base.js.map +1 -0
package/dist/policies/auth/jws.d.ts +46 -0
package/dist/policies/auth/jws.js +317 -0
package/dist/policies/auth/jws.js.map +1 -0
package/dist/policies/auth/jwt-auth.d.ts +64 -0
package/dist/policies/auth/jwt-auth.js +268 -0
package/dist/policies/auth/jwt-auth.js.map +1 -0
package/dist/policies/auth/oauth2.d.ts +38 -0
package/dist/policies/auth/oauth2.js +254 -0
package/dist/policies/auth/oauth2.js.map +1 -0
package/dist/policies/auth/rbac.d.ts +30 -0
package/dist/policies/auth/rbac.js +115 -0
package/dist/policies/auth/rbac.js.map +1 -0
package/dist/policies/auth/verify-http-signature.d.ts +30 -0
package/dist/policies/auth/verify-http-signature.js +147 -0
package/dist/policies/auth/verify-http-signature.js.map +1 -0
package/dist/policies/index.d.ts +51 -0
package/dist/policies/index.js +109 -0
package/dist/policies/index.js.map +1 -0
package/dist/policies/mock.d.ts +60 -0
package/dist/policies/mock.js +29 -0
package/dist/policies/mock.js.map +1 -0
package/dist/policies/observability/assign-metrics.d.ts +37 -0
package/dist/policies/observability/assign-metrics.js +29 -0
package/dist/policies/observability/assign-metrics.js.map +1 -0
package/dist/policies/observability/metrics-reporter.d.ts +25 -0
package/dist/policies/observability/metrics-reporter.js +62 -0
package/dist/policies/observability/metrics-reporter.js.map +1 -0
package/dist/policies/observability/request-log.d.ts +135 -0
package/dist/policies/observability/request-log.js +124 -0
package/dist/policies/observability/request-log.js.map +1 -0
package/dist/policies/observability/server-timing.d.ts +35 -0
package/dist/policies/observability/server-timing.js +89 -0
package/dist/policies/observability/server-timing.js.map +1 -0
package/dist/policies/proxy.d.ts +59 -0
package/dist/policies/proxy.js +47 -0
package/dist/policies/proxy.js.map +1 -0
package/dist/policies/resilience/circuit-breaker.d.ts +4 -0
package/dist/policies/resilience/circuit-breaker.js +280 -0
package/dist/policies/resilience/circuit-breaker.js.map +1 -0
package/dist/policies/resilience/latency-injection.d.ts +35 -0
package/dist/policies/resilience/latency-injection.js +26 -0
package/dist/policies/resilience/latency-injection.js.map +1 -0
package/dist/policies/resilience/retry.d.ts +71 -0
package/dist/policies/resilience/retry.js +79 -0
package/dist/policies/resilience/retry.js.map +1 -0
package/dist/policies/resilience/timeout.d.ts +32 -0
package/dist/policies/resilience/timeout.js +46 -0
package/dist/policies/resilience/timeout.js.map +1 -0
package/dist/policies/sdk/define-policy.d.ts +176 -0
package/dist/policies/sdk/define-policy.js +42 -0
package/dist/policies/sdk/define-policy.js.map +1 -0
package/dist/policies/sdk/helpers.d.ts +132 -0
package/dist/policies/sdk/helpers.js +87 -0
package/dist/policies/sdk/helpers.js.map +1 -0
package/dist/policies/sdk/index.d.ts +10 -0
package/dist/policies/sdk/index.js +35 -0
package/dist/policies/sdk/index.js.map +1 -0
package/dist/policies/sdk/priority.d.ts +44 -0
package/dist/policies/sdk/priority.js +36 -0
package/dist/policies/sdk/priority.js.map +1 -0
package/dist/policies/sdk/testing.d.ts +53 -0
package/dist/policies/sdk/testing.js +41 -0
package/dist/policies/sdk/testing.js.map +1 -0
package/dist/policies/sdk/trace.d.ts +73 -0
package/dist/policies/sdk/trace.js +25 -0
package/dist/policies/sdk/trace.js.map +1 -0
package/dist/policies/traffic/cache.d.ts +4 -0
package/dist/policies/traffic/cache.js +224 -0
package/dist/policies/traffic/cache.js.map +1 -0
package/dist/policies/traffic/dynamic-routing.d.ts +54 -0
package/dist/policies/traffic/dynamic-routing.js +36 -0
package/dist/policies/traffic/dynamic-routing.js.map +1 -0
package/dist/policies/traffic/geo-ip-filter.d.ts +37 -0
package/dist/policies/traffic/geo-ip-filter.js +74 -0
package/dist/policies/traffic/geo-ip-filter.js.map +1 -0
package/dist/policies/traffic/http-callout.d.ts +59 -0
package/dist/policies/traffic/http-callout.js +69 -0
package/dist/policies/traffic/http-callout.js.map +1 -0
package/dist/policies/traffic/interrupt.d.ts +46 -0
package/dist/policies/traffic/interrupt.js +38 -0
package/dist/policies/traffic/interrupt.js.map +1 -0
package/dist/policies/traffic/ip-filter.d.ts +47 -0
package/dist/policies/traffic/ip-filter.js +57 -0
package/dist/policies/traffic/ip-filter.js.map +1 -0
package/dist/policies/traffic/json-threat-protection.d.ts +51 -0
package/dist/policies/traffic/json-threat-protection.js +173 -0
package/dist/policies/traffic/json-threat-protection.js.map +1 -0
package/dist/policies/traffic/rate-limit.d.ts +4 -0
package/dist/policies/traffic/rate-limit.js +145 -0
package/dist/policies/traffic/rate-limit.js.map +1 -0
package/dist/policies/traffic/regex-threat-protection.d.ts +54 -0
package/dist/policies/traffic/regex-threat-protection.js +109 -0
package/dist/policies/traffic/regex-threat-protection.js.map +1 -0
package/dist/policies/traffic/request-limit.d.ts +27 -0
package/dist/policies/traffic/request-limit.js +41 -0
package/dist/policies/traffic/request-limit.js.map +1 -0
package/dist/policies/traffic/resource-filter.d.ts +38 -0
package/dist/policies/traffic/resource-filter.js +184 -0
package/dist/policies/traffic/resource-filter.js.map +1 -0
package/dist/policies/traffic/ssl-enforce.d.ts +27 -0
package/dist/policies/traffic/ssl-enforce.js +38 -0
package/dist/policies/traffic/ssl-enforce.js.map +1 -0
package/dist/policies/traffic/traffic-shadow.d.ts +40 -0
package/dist/policies/traffic/traffic-shadow.js +87 -0
package/dist/policies/traffic/traffic-shadow.js.map +1 -0
package/dist/policies/transform/assign-attributes.d.ts +33 -0
package/dist/policies/transform/assign-attributes.js +38 -0
package/dist/policies/transform/assign-attributes.js.map +1 -0
package/dist/policies/transform/assign-content.d.ts +40 -0
package/dist/policies/transform/assign-content.js +185 -0
package/dist/policies/transform/assign-content.js.map +1 -0
package/dist/policies/transform/cors.d.ts +57 -0
package/dist/policies/transform/cors.js +23 -0
package/dist/policies/transform/cors.js.map +1 -0
package/dist/policies/transform/json-validation.d.ts +50 -0
package/dist/policies/transform/json-validation.js +125 -0
package/dist/policies/transform/json-validation.js.map +1 -0
package/dist/policies/transform/override-method.d.ts +33 -0
package/dist/policies/transform/override-method.js +48 -0
package/dist/policies/transform/override-method.js.map +1 -0
package/dist/policies/transform/request-validation.d.ts +59 -0
package/dist/policies/transform/request-validation.js +121 -0
package/dist/policies/transform/request-validation.js.map +1 -0
package/dist/policies/transform/transform.d.ts +75 -0
package/dist/policies/transform/transform.js +116 -0
package/dist/policies/transform/transform.js.map +1 -0
package/dist/policies/types.d.ts +4 -0
package/dist/policies/types.js +1 -0
package/dist/policies/types.js.map +1 -0
package/dist/protocol-2fD3DJrL.d.ts +725 -0
package/dist/utils/cidr.d.ts +58 -0
package/dist/utils/cidr.js +107 -0
package/dist/utils/cidr.js.map +1 -0
package/dist/utils/debug.d.ts +1 -0
package/dist/utils/debug.js +13 -0
package/dist/utils/debug.js.map +1 -0
package/dist/utils/headers.d.ts +68 -0
package/dist/utils/headers.js +25 -0
package/dist/utils/headers.js.map +1 -0
package/dist/utils/ip.d.ts +58 -0
package/dist/utils/ip.js +28 -0
package/dist/utils/ip.js.map +1 -0
package/dist/utils/redact.d.ts +30 -0
package/dist/utils/redact.js +52 -0
package/dist/utils/redact.js.map +1 -0
package/dist/utils/request-id.d.ts +11 -0
package/dist/utils/request-id.js +7 -0
package/dist/utils/request-id.js.map +1 -0
package/dist/utils/timing-safe.d.ts +31 -0
package/dist/utils/timing-safe.js +17 -0
package/dist/utils/timing-safe.js.map +1 -0
package/dist/utils/timing.d.ts +27 -0
package/dist/utils/timing.js +12 -0
package/dist/utils/timing.js.map +1 -0
package/dist/utils/trace-context.d.ts +51 -0
package/dist/utils/trace-context.js +37 -0
package/dist/utils/trace-context.js.map +1 -0
package/package.json +202 -0

package/dist/policies/auth/api-key-auth.js ADDED Viewed

@@ -0,0 +1,93 @@
+import { GatewayError } from "../../core/errors";
+import { sanitizeHeaderValue, withModifiedHeaders } from "../../utils/headers";
+import { definePolicy, Priority } from "../sdk";
+const apiKeyAuth = /* @__PURE__ */ definePolicy({
+  name: "api-key-auth",
+  priority: Priority.AUTH,
+  defaults: { headerName: "x-api-key" },
+  phases: ["request-headers"],
+  handler: async (c, next, { config, debug, trace }) => {
+    let key = c.req.header(config.headerName);
+    let source = "header";
+    if (!key && config.queryParam) {
+      const url = new URL(c.req.url);
+      key = url.searchParams.get(config.queryParam) ?? void 0;
+      source = "query";
+    }
+    if (!key) {
+      trace("rejected", { reason: "missing" });
+      throw new GatewayError(401, "unauthorized", "Missing API key");
+    }
+    const isValid = await config.validate(key);
+    if (!isValid) {
+      trace("rejected", { reason: "invalid" });
+      throw new GatewayError(403, "forbidden", "Invalid API key");
+    }
+    trace("authenticated", { source });
+    if (config.forwardKeyIdentity) {
+      const fwd = config.forwardKeyIdentity;
+      const identity = await fwd.identityFn(key);
+      withModifiedHeaders(c, (headers) => {
+        headers.set(fwd.headerName, sanitizeHeaderValue(identity));
+      });
+      debug(
+        `forwarded key identity as ${config.forwardKeyIdentity.headerName}`
+      );
+    }
+    await next();
+  },
+  evaluate: {
+    onRequest: async (input, { config, debug, trace }) => {
+      let key = input.headers.get(config.headerName) ?? void 0;
+      let source = "header";
+      if (!key && config.queryParam) {
+        const url = new URL(input.path, "http://localhost");
+        key = url.searchParams.get(config.queryParam) ?? void 0;
+        source = "query";
+      }
+      if (!key) {
+        trace("rejected", { reason: "missing" });
+        return {
+          action: "reject",
+          status: 401,
+          code: "unauthorized",
+          message: "Missing API key"
+        };
+      }
+      const isValid = await config.validate(key);
+      if (!isValid) {
+        trace("rejected", { reason: "invalid" });
+        return {
+          action: "reject",
+          status: 403,
+          code: "forbidden",
+          message: "Invalid API key"
+        };
+      }
+      trace("authenticated", { source });
+      if (config.forwardKeyIdentity) {
+        const fwd = config.forwardKeyIdentity;
+        const identity = await fwd.identityFn(key);
+        debug(
+          `forwarded key identity as ${config.forwardKeyIdentity.headerName}`
+        );
+        return {
+          action: "continue",
+          mutations: [
+            {
+              type: "header",
+              op: "set",
+              name: fwd.headerName,
+              value: sanitizeHeaderValue(identity)
+            }
+          ]
+        };
+      }
+      return { action: "continue" };
+    }
+  }
+});
+export {
+  apiKeyAuth
+};
+//# sourceMappingURL=api-key-auth.js.map

package/dist/policies/auth/api-key-auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/policies/auth/api-key-auth.ts"],"sourcesContent":["/**\n * API key authentication policy.\n *\n * **Security note:** When implementing `validate`, use\n * {@link timingSafeEqual} from `@vivero/stoma` for constant-time\n * key comparison to prevent timing side-channel attacks.\n *\n * @module api-key-auth\n */\nimport { GatewayError } from \"../../core/errors\";\nimport { sanitizeHeaderValue, withModifiedHeaders } from \"../../utils/headers\";\nimport { definePolicy, Priority } from \"../sdk\";\nimport type { PolicyConfig } from \"../types\";\n\nexport interface ApiKeyAuthConfig extends PolicyConfig {\n /** Header name to read the API key from. Default: \"X-API-Key\" */\n headerName?: string;\n /** Query parameter name as fallback. Default: undefined (disabled) */\n queryParam?: string;\n /** Validator function - return true if the key is valid */\n validate: (key: string) => boolean | Promise<boolean>;\n /**\n * After successful validation, derive an identity string from the key\n * and set it as a request header for upstream consumption.\n *\n * @example\n * ```ts\n * apiKeyAuth({\n * validate: (key) => keys.has(key),\n * forwardKeyIdentity: {\n * headerName: \"x-api-client\",\n * identityFn: (key) => keyToClientMap.get(key) ?? \"unknown\",\n * },\n * });\n * ```\n */\n forwardKeyIdentity?: {\n /** Header name to set on the request. */\n headerName: string;\n /** Derive an identity string from the validated key. Can be async. */\n identityFn: (key: string) => string | Promise<string>;\n };\n}\n\n/**\n * Validate API keys from headers or query parameters.\n *\n * Checks the `X-API-Key` header by default, with an optional query parameter\n * fallback. The `validate` function can be async to support remote key lookups.\n *\n * @param config - API key settings with a required `validate` function.\n * @returns A {@link Policy} at priority 10.\n *\n * @example\n * ```ts\n * // Static key validation\n * apiKeyAuth({\n * validate: (key) => key === env.API_KEY,\n * });\n *\n * // Async validation with query parameter fallback\n * apiKeyAuth({\n * headerName: \"Authorization\",\n * queryParam: \"api_key\",\n * validate: async (key) => {\n * const result = await kv.get(`api-key:${key}`);\n * return result !== null;\n * },\n * });\n * ```\n */\nexport const apiKeyAuth = /*#__PURE__*/ definePolicy<ApiKeyAuthConfig>({\n name: \"api-key-auth\",\n priority: Priority.AUTH,\n defaults: { headerName: \"x-api-key\" },\n phases: [\"request-headers\"],\n handler: async (c, next, { config, debug, trace }) => {\n // Try header first\n let key = c.req.header(config.headerName!);\n let source = \"header\";\n\n // Fall back to query parameter if configured\n if (!key && config.queryParam) {\n const url = new URL(c.req.url);\n key = url.searchParams.get(config.queryParam) ?? undefined;\n source = \"query\";\n }\n\n if (!key) {\n trace(\"rejected\", { reason: \"missing\" });\n throw new GatewayError(401, \"unauthorized\", \"Missing API key\");\n }\n\n const isValid = await config.validate(key);\n if (!isValid) {\n trace(\"rejected\", { reason: \"invalid\" });\n throw new GatewayError(403, \"forbidden\", \"Invalid API key\");\n }\n\n trace(\"authenticated\", { source });\n\n // Forward key identity as a request header if configured\n if (config.forwardKeyIdentity) {\n const fwd = config.forwardKeyIdentity;\n const identity = await fwd.identityFn(key);\n withModifiedHeaders(c, (headers) => {\n headers.set(fwd.headerName, sanitizeHeaderValue(identity));\n });\n debug(\n `forwarded key identity as ${config.forwardKeyIdentity.headerName}`\n );\n }\n\n await next();\n },\n evaluate: {\n onRequest: async (input, { config, debug, trace }) => {\n // Try header first\n let key = input.headers.get(config.headerName!) ?? undefined;\n let source = \"header\";\n\n // Fall back to query parameter if configured\n if (!key && config.queryParam) {\n const url = new URL(input.path, \"http://localhost\");\n key = url.searchParams.get(config.queryParam!) ?? undefined;\n source = \"query\";\n }\n\n if (!key) {\n trace(\"rejected\", { reason: \"missing\" });\n return {\n action: \"reject\",\n status: 401,\n code: \"unauthorized\",\n message: \"Missing API key\",\n };\n }\n\n const isValid = await config.validate(key);\n if (!isValid) {\n trace(\"rejected\", { reason: \"invalid\" });\n return {\n action: \"reject\",\n status: 403,\n code: \"forbidden\",\n message: \"Invalid API key\",\n };\n }\n\n trace(\"authenticated\", { source });\n\n // Forward key identity as a header if configured\n if (config.forwardKeyIdentity) {\n const fwd = config.forwardKeyIdentity;\n const identity = await fwd.identityFn(key);\n debug(\n `forwarded key identity as ${config.forwardKeyIdentity.headerName}`\n );\n return {\n action: \"continue\",\n mutations: [\n {\n type: \"header\",\n op: \"set\",\n name: fwd.headerName,\n value: sanitizeHeaderValue(identity),\n },\n ],\n };\n }\n\n return { action: \"continue\" };\n },\n },\n});\n"],"mappings":"AASA,SAAS,oBAAoB;AAC7B,SAAS,qBAAqB,2BAA2B;AACzD,SAAS,cAAc,gBAAgB;AA4DhC,MAAM,aAA2B,6BAA+B;AAAA,EACrE,MAAM;AAAA,EACN,UAAU,SAAS;AAAA,EACnB,UAAU,EAAE,YAAY,YAAY;AAAA,EACpC,QAAQ,CAAC,iBAAiB;AAAA,EAC1B,SAAS,OAAO,GAAG,MAAM,EAAE,QAAQ,OAAO,MAAM,MAAM;AAEpD,QAAI,MAAM,EAAE,IAAI,OAAO,OAAO,UAAW;AACzC,QAAI,SAAS;AAGb,QAAI,CAAC,OAAO,OAAO,YAAY;AAC7B,YAAM,MAAM,IAAI,IAAI,EAAE,IAAI,GAAG;AAC7B,YAAM,IAAI,aAAa,IAAI,OAAO,UAAU,KAAK;AACjD,eAAS;AAAA,IACX;AAEA,QAAI,CAAC,KAAK;AACR,YAAM,YAAY,EAAE,QAAQ,UAAU,CAAC;AACvC,YAAM,IAAI,aAAa,KAAK,gBAAgB,iBAAiB;AAAA,IAC/D;AAEA,UAAM,UAAU,MAAM,OAAO,SAAS,GAAG;AACzC,QAAI,CAAC,SAAS;AACZ,YAAM,YAAY,EAAE,QAAQ,UAAU,CAAC;AACvC,YAAM,IAAI,aAAa,KAAK,aAAa,iBAAiB;AAAA,IAC5D;AAEA,UAAM,iBAAiB,EAAE,OAAO,CAAC;AAGjC,QAAI,OAAO,oBAAoB;AAC7B,YAAM,MAAM,OAAO;AACnB,YAAM,WAAW,MAAM,IAAI,WAAW,GAAG;AACzC,0BAAoB,GAAG,CAAC,YAAY;AAClC,gBAAQ,IAAI,IAAI,YAAY,oBAAoB,QAAQ,CAAC;AAAA,MAC3D,CAAC;AACD;AAAA,QACE,6BAA6B,OAAO,mBAAmB,UAAU;AAAA,MACnE;AAAA,IACF;AAEA,UAAM,KAAK;AAAA,EACb;AAAA,EACA,UAAU;AAAA,IACR,WAAW,OAAO,OAAO,EAAE,QAAQ,OAAO,MAAM,MAAM;AAEpD,UAAI,MAAM,MAAM,QAAQ,IAAI,OAAO,UAAW,KAAK;AACnD,UAAI,SAAS;AAGb,UAAI,CAAC,OAAO,OAAO,YAAY;AAC7B,cAAM,MAAM,IAAI,IAAI,MAAM,MAAM,kBAAkB;AAClD,cAAM,IAAI,aAAa,IAAI,OAAO,UAAW,KAAK;AAClD,iBAAS;AAAA,MACX;AAEA,UAAI,CAAC,KAAK;AACR,cAAM,YAAY,EAAE,QAAQ,UAAU,CAAC;AACvC,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAEA,YAAM,UAAU,MAAM,OAAO,SAAS,GAAG;AACzC,UAAI,CAAC,SAAS;AACZ,cAAM,YAAY,EAAE,QAAQ,UAAU,CAAC;AACvC,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAEA,YAAM,iBAAiB,EAAE,OAAO,CAAC;AAGjC,UAAI,OAAO,oBAAoB;AAC7B,cAAM,MAAM,OAAO;AACnB,cAAM,WAAW,MAAM,IAAI,WAAW,GAAG;AACzC;AAAA,UACE,6BAA6B,OAAO,mBAAmB,UAAU;AAAA,QACnE;AACA,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,WAAW;AAAA,YACT;AAAA,cACE,MAAM;AAAA,cACN,IAAI;AAAA,cACJ,MAAM,IAAI;AAAA,cACV,OAAO,oBAAoB,QAAQ;AAAA,YACrC;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAEA,aAAO,EAAE,QAAQ,WAAW;AAAA,IAC9B;AAAA,EACF;AACF,CAAC;","names":[]}

package/dist/policies/auth/basic-auth.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+import { g as PolicyConfig, P as Policy } from '../../protocol-2fD3DJrL.js';
+import { Context } from 'hono';
+import '../sdk/trace.js';
+import '@vivero/stoma-core';
+interface BasicAuthConfig extends PolicyConfig {
+    /** Validate username/password. Return true if valid. */
+    validate: (username: string, password: string, c: Context) => boolean | Promise<boolean>;
+    /** Realm for the WWW-Authenticate header. Default: "Restricted" */
+    realm?: string;
+}
+/**
+ * Basic Authentication policy - validate base64-encoded credentials.
+ *
+ * Sends a `WWW-Authenticate` header on failure to prompt browser credential dialogs.
+ * The realm is sanitized to prevent header injection.
+ *
+ * @param config - Validation function and optional realm name.
+ * @returns A {@link Policy} at priority 10.
+ *
+ * @example
+ * ```ts
+ * basicAuth({
+ *   realm: "Admin Area",
+ *   validate: async (username, password) => {
+ *     return username === "admin" && password === env.ADMIN_PASSWORD;
+ *   },
+ * });
+ * ```
+ */
+declare const basicAuth: (config: BasicAuthConfig) => Policy;
+export { type BasicAuthConfig, basicAuth };

package/dist/policies/auth/basic-auth.js ADDED Viewed

@@ -0,0 +1,96 @@
+import { GatewayError } from "../../core/errors";
+import { escapeHeaderValue, sanitizeHeaderValue } from "../../utils/headers";
+import { definePolicy, Priority } from "../sdk";
+const basicAuth = /* @__PURE__ */ definePolicy({
+  name: "basic-auth",
+  priority: Priority.AUTH,
+  defaults: { realm: "Restricted" },
+  phases: ["request-headers"],
+  handler: async (c, next, { config }) => {
+    const realm = escapeHeaderValue(
+      sanitizeHeaderValue(config.realm ?? "Restricted")
+    );
+    const authHeader = c.req.header("authorization");
+    if (!authHeader || !authHeader.startsWith("Basic ")) {
+      c.header("www-authenticate", `Basic realm="${realm}"`);
+      throw new GatewayError(
+        401,
+        "unauthorized",
+        "Basic authentication required"
+      );
+    }
+    let username;
+    let password;
+    try {
+      const decoded = atob(authHeader.slice(6));
+      const colonIndex = decoded.indexOf(":");
+      if (colonIndex === -1) {
+        throw new Error("Invalid format");
+      }
+      username = decoded.slice(0, colonIndex);
+      password = decoded.slice(colonIndex + 1);
+    } catch {
+      throw new GatewayError(
+        401,
+        "unauthorized",
+        "Malformed Basic authentication header"
+      );
+    }
+    const isValid = await config.validate(username, password, c);
+    if (!isValid) {
+      c.header("www-authenticate", `Basic realm="${realm}"`);
+      throw new GatewayError(403, "forbidden", "Invalid credentials");
+    }
+    await next();
+  },
+  evaluate: {
+    onRequest: async (input, { config }) => {
+      const realm = escapeHeaderValue(
+        sanitizeHeaderValue(config.realm ?? "Restricted")
+      );
+      const authHeader = input.headers.get("authorization");
+      if (!authHeader || !authHeader.startsWith("Basic ")) {
+        return {
+          action: "reject",
+          status: 401,
+          code: "unauthorized",
+          message: "Basic authentication required",
+          headers: { "www-authenticate": `Basic realm="${realm}"` }
+        };
+      }
+      let username;
+      let password;
+      try {
+        const decoded = atob(authHeader.slice(6));
+        const colonIndex = decoded.indexOf(":");
+        if (colonIndex === -1) {
+          throw new Error("Invalid format");
+        }
+        username = decoded.slice(0, colonIndex);
+        password = decoded.slice(colonIndex + 1);
+      } catch {
+        return {
+          action: "reject",
+          status: 401,
+          code: "unauthorized",
+          message: "Malformed Basic authentication header"
+        };
+      }
+      const isValid = await config.validate(username, password, {});
+      if (!isValid) {
+        return {
+          action: "reject",
+          status: 403,
+          code: "forbidden",
+          message: "Invalid credentials",
+          headers: { "www-authenticate": `Basic realm="${realm}"` }
+        };
+      }
+      return { action: "continue" };
+    }
+  }
+});
+export {
+  basicAuth
+};
+//# sourceMappingURL=basic-auth.js.map

package/dist/policies/auth/basic-auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/policies/auth/basic-auth.ts"],"sourcesContent":["/**\n * HTTP Basic authentication policy.\n *\n * @module basic-auth\n */\n\nimport type { Context } from \"hono\";\nimport { GatewayError } from \"../../core/errors\";\nimport { escapeHeaderValue, sanitizeHeaderValue } from \"../../utils/headers\";\nimport { definePolicy, Priority } from \"../sdk\";\nimport type { PolicyConfig } from \"../types\";\n\nexport interface BasicAuthConfig extends PolicyConfig {\n /** Validate username/password. Return true if valid. */\n validate: (\n username: string,\n password: string,\n c: Context\n ) => boolean | Promise<boolean>;\n /** Realm for the WWW-Authenticate header. Default: \"Restricted\" */\n realm?: string;\n}\n\n/**\n * Basic Authentication policy - validate base64-encoded credentials.\n *\n * Sends a `WWW-Authenticate` header on failure to prompt browser credential dialogs.\n * The realm is sanitized to prevent header injection.\n *\n * @param config - Validation function and optional realm name.\n * @returns A {@link Policy} at priority 10.\n *\n * @example\n * ```ts\n * basicAuth({\n * realm: \"Admin Area\",\n * validate: async (username, password) => {\n * return username === \"admin\" && password === env.ADMIN_PASSWORD;\n * },\n * });\n * ```\n */\nexport const basicAuth = /*#__PURE__*/ definePolicy<BasicAuthConfig>({\n name: \"basic-auth\",\n priority: Priority.AUTH,\n defaults: { realm: \"Restricted\" },\n phases: [\"request-headers\"],\n handler: async (c, next, { config }) => {\n // Sanitize realm to prevent header injection (escape quotes, strip control chars)\n const realm = escapeHeaderValue(\n sanitizeHeaderValue(config.realm ?? \"Restricted\")\n );\n\n const authHeader = c.req.header(\"authorization\");\n\n if (!authHeader || !authHeader.startsWith(\"Basic \")) {\n c.header(\"www-authenticate\", `Basic realm=\"${realm}\"`);\n throw new GatewayError(\n 401,\n \"unauthorized\",\n \"Basic authentication required\"\n );\n }\n\n let username: string;\n let password: string;\n try {\n const decoded = atob(authHeader.slice(6));\n const colonIndex = decoded.indexOf(\":\");\n if (colonIndex === -1) {\n throw new Error(\"Invalid format\");\n }\n username = decoded.slice(0, colonIndex);\n password = decoded.slice(colonIndex + 1);\n } catch {\n throw new GatewayError(\n 401,\n \"unauthorized\",\n \"Malformed Basic authentication header\"\n );\n }\n\n const isValid = await config.validate(username, password, c);\n if (!isValid) {\n c.header(\"www-authenticate\", `Basic realm=\"${realm}\"`);\n throw new GatewayError(403, \"forbidden\", \"Invalid credentials\");\n }\n\n await next();\n },\n evaluate: {\n onRequest: async (input, { config }) => {\n // Sanitize realm to prevent header injection\n const realm = escapeHeaderValue(\n sanitizeHeaderValue(config.realm ?? \"Restricted\")\n );\n\n const authHeader = input.headers.get(\"authorization\");\n\n if (!authHeader || !authHeader.startsWith(\"Basic \")) {\n return {\n action: \"reject\",\n status: 401,\n code: \"unauthorized\",\n message: \"Basic authentication required\",\n headers: { \"www-authenticate\": `Basic realm=\"${realm}\"` },\n };\n }\n\n let username: string;\n let password: string;\n try {\n const decoded = atob(authHeader.slice(6));\n const colonIndex = decoded.indexOf(\":\");\n if (colonIndex === -1) {\n throw new Error(\"Invalid format\");\n }\n username = decoded.slice(0, colonIndex);\n password = decoded.slice(colonIndex + 1);\n } catch {\n return {\n action: \"reject\",\n status: 401,\n code: \"unauthorized\",\n message: \"Malformed Basic authentication header\",\n };\n }\n\n // validate function requires Hono Context - use a no-op for evaluate\n // Users needing evaluate should use a different auth policy\n const isValid = await config.validate(username, password, {} as Context);\n if (!isValid) {\n return {\n action: \"reject\",\n status: 403,\n code: \"forbidden\",\n message: \"Invalid credentials\",\n headers: { \"www-authenticate\": `Basic realm=\"${realm}\"` },\n };\n }\n\n return { action: \"continue\" };\n },\n },\n});\n"],"mappings":"AAOA,SAAS,oBAAoB;AAC7B,SAAS,mBAAmB,2BAA2B;AACvD,SAAS,cAAc,gBAAgB;AAiChC,MAAM,YAA0B,6BAA8B;AAAA,EACnE,MAAM;AAAA,EACN,UAAU,SAAS;AAAA,EACnB,UAAU,EAAE,OAAO,aAAa;AAAA,EAChC,QAAQ,CAAC,iBAAiB;AAAA,EAC1B,SAAS,OAAO,GAAG,MAAM,EAAE,OAAO,MAAM;AAEtC,UAAM,QAAQ;AAAA,MACZ,oBAAoB,OAAO,SAAS,YAAY;AAAA,IAClD;AAEA,UAAM,aAAa,EAAE,IAAI,OAAO,eAAe;AAE/C,QAAI,CAAC,cAAc,CAAC,WAAW,WAAW,QAAQ,GAAG;AACnD,QAAE,OAAO,oBAAoB,gBAAgB,KAAK,GAAG;AACrD,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,QAAI;AACJ,QAAI;AACJ,QAAI;AACF,YAAM,UAAU,KAAK,WAAW,MAAM,CAAC,CAAC;AACxC,YAAM,aAAa,QAAQ,QAAQ,GAAG;AACtC,UAAI,eAAe,IAAI;AACrB,cAAM,IAAI,MAAM,gBAAgB;AAAA,MAClC;AACA,iBAAW,QAAQ,MAAM,GAAG,UAAU;AACtC,iBAAW,QAAQ,MAAM,aAAa,CAAC;AAAA,IACzC,QAAQ;AACN,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,UAAU,MAAM,OAAO,SAAS,UAAU,UAAU,CAAC;AAC3D,QAAI,CAAC,SAAS;AACZ,QAAE,OAAO,oBAAoB,gBAAgB,KAAK,GAAG;AACrD,YAAM,IAAI,aAAa,KAAK,aAAa,qBAAqB;AAAA,IAChE;AAEA,UAAM,KAAK;AAAA,EACb;AAAA,EACA,UAAU;AAAA,IACR,WAAW,OAAO,OAAO,EAAE,OAAO,MAAM;AAEtC,YAAM,QAAQ;AAAA,QACZ,oBAAoB,OAAO,SAAS,YAAY;AAAA,MAClD;AAEA,YAAM,aAAa,MAAM,QAAQ,IAAI,eAAe;AAEpD,UAAI,CAAC,cAAc,CAAC,WAAW,WAAW,QAAQ,GAAG;AACnD,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,SAAS;AAAA,UACT,SAAS,EAAE,oBAAoB,gBAAgB,KAAK,IAAI;AAAA,QAC1D;AAAA,MACF;AAEA,UAAI;AACJ,UAAI;AACJ,UAAI;AACF,cAAM,UAAU,KAAK,WAAW,MAAM,CAAC,CAAC;AACxC,cAAM,aAAa,QAAQ,QAAQ,GAAG;AACtC,YAAI,eAAe,IAAI;AACrB,gBAAM,IAAI,MAAM,gBAAgB;AAAA,QAClC;AACA,mBAAW,QAAQ,MAAM,GAAG,UAAU;AACtC,mBAAW,QAAQ,MAAM,aAAa,CAAC;AAAA,MACzC,QAAQ;AACN,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAIA,YAAM,UAAU,MAAM,OAAO,SAAS,UAAU,UAAU,CAAC,CAAY;AACvE,UAAI,CAAC,SAAS;AACZ,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,SAAS;AAAA,UACT,SAAS,EAAE,oBAAoB,gBAAgB,KAAK,IAAI;AAAA,QAC1D;AAAA,MACF;AAEA,aAAO,EAAE,QAAQ,WAAW;AAAA,IAC9B;AAAA,EACF;AACF,CAAC;","names":[]}

package/dist/policies/auth/crypto.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/** Decode a base64url string to a UTF-8 string. */
+declare function base64UrlDecode(str: string): string;
+/** Decode a base64url string to a Uint8Array. */
+declare function base64UrlToBuffer(str: string): Uint8Array;
+/** Encode a Uint8Array to a base64url string (no padding). */
+declare function base64UrlEncodeBytes(data: Uint8Array): string;
+/** Encode a string to a base64url string (no padding). */
+declare function base64UrlEncodeString(str: string): string;
+/** Map a JWT/JWS HMAC algorithm string to a WebCrypto hash name. Returns `null` for unsupported algorithms. */
+declare function hmacAlgorithm(alg: string): string | null;
+/** Map a JWT/JWS RSA algorithm string to WebCrypto import parameters. Returns `null` for unsupported algorithms. */
+declare function rsaAlgorithm(alg: string): {
+    name: string;
+    hash: string;
+} | null;
+/**
+ * Fetch and cache a JWKS endpoint.
+ *
+ * @param url - The JWKS endpoint URL.
+ * @param cacheTtlMs - Cache TTL in milliseconds. Default: 300000 (5 minutes).
+ * @param timeoutMs - Fetch timeout in milliseconds. Default: 10000 (10 seconds).
+ * @returns An array of JWK keys from the endpoint.
+ * @throws {GatewayError} 502 on fetch failure or timeout.
+ */
+declare function fetchJwks(url: string, cacheTtlMs?: number, timeoutMs?: number): Promise<JsonWebKey[]>;
+/** Clear the unified JWKS cache. Exported for testing. */
+declare function clearJwksCache(): void;
+export { base64UrlDecode, base64UrlEncodeBytes, base64UrlEncodeString, base64UrlToBuffer, clearJwksCache, fetchJwks, hmacAlgorithm, rsaAlgorithm };

package/dist/policies/auth/crypto.js ADDED Viewed

@@ -0,0 +1,100 @@
+import { GatewayError } from "../../core/errors";
+function base64UrlDecode(str) {
+  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+  const paddedLength = padded + "=".repeat((4 - padded.length % 4) % 4);
+  return atob(paddedLength);
+}
+function base64UrlToBuffer(str) {
+  const binary = base64UrlDecode(str);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function base64UrlEncodeBytes(data) {
+  let binary = "";
+  for (let i = 0; i < data.length; i++) {
+    binary += String.fromCharCode(data[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlEncodeString(str) {
+  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function hmacAlgorithm(alg) {
+  switch (alg) {
+    case "HS256":
+      return "SHA-256";
+    case "HS384":
+      return "SHA-384";
+    case "HS512":
+      return "SHA-512";
+    default:
+      return null;
+  }
+}
+function rsaAlgorithm(alg) {
+  switch (alg) {
+    case "RS256":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
+    case "RS384":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-384" };
+    case "RS512":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-512" };
+    default:
+      return null;
+  }
+}
+const DEFAULT_JWKS_CACHE_TTL_MS = 3e5;
+const DEFAULT_JWKS_TIMEOUT_MS = 1e4;
+const jwksCache = /* @__PURE__ */ new Map();
+async function fetchJwks(url, cacheTtlMs, timeoutMs) {
+  const cached = jwksCache.get(url);
+  if (cached && cached.expiresAt > Date.now()) {
+    return cached.keys;
+  }
+  const timeout = timeoutMs ?? DEFAULT_JWKS_TIMEOUT_MS;
+  let response;
+  try {
+    response = await fetch(url, { signal: AbortSignal.timeout(timeout) });
+  } catch (err) {
+    if (err instanceof DOMException && err.name === "TimeoutError") {
+      throw new GatewayError(
+        502,
+        "jwks_error",
+        `JWKS fetch timed out after ${timeout}ms: ${url}`
+      );
+    }
+    throw new GatewayError(
+      502,
+      "jwks_error",
+      `Failed to fetch JWKS from ${url}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (!response.ok) {
+    throw new GatewayError(
+      502,
+      "jwks_error",
+      `Failed to fetch JWKS from ${url}: ${response.status}`
+    );
+  }
+  const ttl = cacheTtlMs ?? DEFAULT_JWKS_CACHE_TTL_MS;
+  const data = await response.json();
+  jwksCache.set(url, { keys: data.keys, expiresAt: Date.now() + ttl });
+  return data.keys;
+}
+function clearJwksCache() {
+  jwksCache.clear();
+}
+export {
+  base64UrlDecode,
+  base64UrlEncodeBytes,
+  base64UrlEncodeString,
+  base64UrlToBuffer,
+  clearJwksCache,
+  fetchJwks,
+  hmacAlgorithm,
+  rsaAlgorithm
+};
+//# sourceMappingURL=crypto.js.map

package/dist/policies/auth/crypto.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/policies/auth/crypto.ts"],"sourcesContent":["/**\n * Shared cryptographic utilities for auth policies (JWT, JWS).\n *\n * Consolidates base64url encoding/decoding, HMAC/RSA algorithm mapping,\n * and JWKS fetching with a unified cache. Extracted to avoid duplication\n * between jwt-auth and jws.\n *\n * @module auth/crypto\n */\nimport { GatewayError } from \"../../core/errors\";\n\n// --- Base64URL ---\n\n/** Decode a base64url string to a UTF-8 string. */\nexport function base64UrlDecode(str: string): string {\n const padded = str.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const paddedLength = padded + \"=\".repeat((4 - (padded.length % 4)) % 4);\n return atob(paddedLength);\n}\n\n/** Decode a base64url string to a Uint8Array. */\nexport function base64UrlToBuffer(str: string): Uint8Array {\n const binary = base64UrlDecode(str);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n\n/** Encode a Uint8Array to a base64url string (no padding). */\nexport function base64UrlEncodeBytes(data: Uint8Array): string {\n let binary = \"\";\n for (let i = 0; i < data.length; i++) {\n binary += String.fromCharCode(data[i]);\n }\n return btoa(binary)\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\n/** Encode a string to a base64url string (no padding). */\nexport function base64UrlEncodeString(str: string): string {\n return btoa(str).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n// --- Algorithm mapping ---\n\n/** Map a JWT/JWS HMAC algorithm string to a WebCrypto hash name. Returns `null` for unsupported algorithms. */\nexport function hmacAlgorithm(alg: string): string | null {\n switch (alg) {\n case \"HS256\":\n return \"SHA-256\";\n case \"HS384\":\n return \"SHA-384\";\n case \"HS512\":\n return \"SHA-512\";\n default:\n return null;\n }\n}\n\n/** Map a JWT/JWS RSA algorithm string to WebCrypto import parameters. Returns `null` for unsupported algorithms. */\nexport function rsaAlgorithm(\n alg: string\n): { name: string; hash: string } | null {\n switch (alg) {\n case \"RS256\":\n return { name: \"RSASSA-PKCS1-v1_5\", hash: \"SHA-256\" };\n case \"RS384\":\n return { name: \"RSASSA-PKCS1-v1_5\", hash: \"SHA-384\" };\n case \"RS512\":\n return { name: \"RSASSA-PKCS1-v1_5\", hash: \"SHA-512\" };\n default:\n return null;\n }\n}\n\n// --- JWKS fetching + cache ---\n\nconst DEFAULT_JWKS_CACHE_TTL_MS = 300_000; // 5 minutes\nconst DEFAULT_JWKS_TIMEOUT_MS = 10_000; // 10 seconds\n\n/** Unified JWKS cache shared between jwt-auth and jws. */\nconst jwksCache = new Map<string, { keys: JsonWebKey[]; expiresAt: number }>();\n\n/**\n * Fetch and cache a JWKS endpoint.\n *\n * @param url - The JWKS endpoint URL.\n * @param cacheTtlMs - Cache TTL in milliseconds. Default: 300000 (5 minutes).\n * @param timeoutMs - Fetch timeout in milliseconds. Default: 10000 (10 seconds).\n * @returns An array of JWK keys from the endpoint.\n * @throws {GatewayError} 502 on fetch failure or timeout.\n */\nexport async function fetchJwks(\n url: string,\n cacheTtlMs?: number,\n timeoutMs?: number\n): Promise<JsonWebKey[]> {\n const cached = jwksCache.get(url);\n if (cached && cached.expiresAt > Date.now()) {\n return cached.keys;\n }\n\n const timeout = timeoutMs ?? DEFAULT_JWKS_TIMEOUT_MS;\n let response: Response;\n try {\n response = await fetch(url, { signal: AbortSignal.timeout(timeout) });\n } catch (err) {\n if (err instanceof DOMException && err.name === \"TimeoutError\") {\n throw new GatewayError(\n 502,\n \"jwks_error\",\n `JWKS fetch timed out after ${timeout}ms: ${url}`\n );\n }\n throw new GatewayError(\n 502,\n \"jwks_error\",\n `Failed to fetch JWKS from ${url}: ${err instanceof Error ? err.message : String(err)}`\n );\n }\n\n if (!response.ok) {\n throw new GatewayError(\n 502,\n \"jwks_error\",\n `Failed to fetch JWKS from ${url}: ${response.status}`\n );\n }\n\n const ttl = cacheTtlMs ?? DEFAULT_JWKS_CACHE_TTL_MS;\n const data = (await response.json()) as { keys: JsonWebKey[] };\n jwksCache.set(url, { keys: data.keys, expiresAt: Date.now() + ttl });\n return data.keys;\n}\n\n/** Clear the unified JWKS cache. Exported for testing. */\nexport function clearJwksCache(): void {\n jwksCache.clear();\n}\n"],"mappings":"AASA,SAAS,oBAAoB;AAKtB,SAAS,gBAAgB,KAAqB;AACnD,QAAM,SAAS,IAAI,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AACvD,QAAM,eAAe,SAAS,IAAI,QAAQ,IAAK,OAAO,SAAS,KAAM,CAAC;AACtE,SAAO,KAAK,YAAY;AAC1B;AAGO,SAAS,kBAAkB,KAAyB;AACzD,QAAM,SAAS,gBAAgB,GAAG;AAClC,QAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,UAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,EAChC;AACA,SAAO;AACT;AAGO,SAAS,qBAAqB,MAA0B;AAC7D,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,cAAU,OAAO,aAAa,KAAK,CAAC,CAAC;AAAA,EACvC;AACA,SAAO,KAAK,MAAM,EACf,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AACtB;AAGO,SAAS,sBAAsB,KAAqB;AACzD,SAAO,KAAK,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AAC5E;AAKO,SAAS,cAAc,KAA4B;AACxD,UAAQ,KAAK;AAAA,IACX,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT;AACE,aAAO;AAAA,EACX;AACF;AAGO,SAAS,aACd,KACuC;AACvC,UAAQ,KAAK;AAAA,IACX,KAAK;AACH,aAAO,EAAE,MAAM,qBAAqB,MAAM,UAAU;AAAA,IACtD,KAAK;AACH,aAAO,EAAE,MAAM,qBAAqB,MAAM,UAAU;AAAA,IACtD,KAAK;AACH,aAAO,EAAE,MAAM,qBAAqB,MAAM,UAAU;AAAA,IACtD;AACE,aAAO;AAAA,EACX;AACF;AAIA,MAAM,4BAA4B;AAClC,MAAM,0BAA0B;AAGhC,MAAM,YAAY,oBAAI,IAAuD;AAW7E,eAAsB,UACpB,KACA,YACA,WACuB;AACvB,QAAM,SAAS,UAAU,IAAI,GAAG;AAChC,MAAI,UAAU,OAAO,YAAY,KAAK,IAAI,GAAG;AAC3C,WAAO,OAAO;AAAA,EAChB;AAEA,QAAM,UAAU,aAAa;AAC7B,MAAI;AACJ,MAAI;AACF,eAAW,MAAM,MAAM,KAAK,EAAE,QAAQ,YAAY,QAAQ,OAAO,EAAE,CAAC;AAAA,EACtE,SAAS,KAAK;AACZ,QAAI,eAAe,gBAAgB,IAAI,SAAS,gBAAgB;AAC9D,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,8BAA8B,OAAO,OAAO,GAAG;AAAA,MACjD;AAAA,IACF;AACA,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,MACA,6BAA6B,GAAG,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IACvF;AAAA,EACF;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,MACA,6BAA6B,GAAG,KAAK,SAAS,MAAM;AAAA,IACtD;AAAA,EACF;AAEA,QAAM,MAAM,cAAc;AAC1B,QAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,YAAU,IAAI,KAAK,EAAE,MAAM,KAAK,MAAM,WAAW,KAAK,IAAI,IAAI,IAAI,CAAC;AACnE,SAAO,KAAK;AACd;AAGO,SAAS,iBAAuB;AACrC,YAAU,MAAM;AAClB;","names":[]}

package/dist/policies/auth/generate-http-signature.d.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import { g as PolicyConfig, P as Policy } from '../../protocol-2fD3DJrL.js';
+import 'hono';
+import '../sdk/trace.js';
+import '@vivero/stoma-core';
+interface GenerateHttpSignatureConfig extends PolicyConfig {
+    /** Key identifier included in signature parameters. */
+    keyId: string;
+    /** HMAC secret for signing. */
+    secret?: string;
+    /** RSA private key as JWK. */
+    privateKey?: JsonWebKey;
+    /** Signing algorithm identifier (e.g. "hmac-sha256", "rsa-pss-sha512", "rsa-v1_5-sha256"). */
+    algorithm: string;
+    /** Components to include in signature. Default: ["@method", "@path", "@authority"]. */
+    components?: string[];
+    /** Signature header name. Default: "Signature". */
+    signatureHeaderName?: string;
+    /** Signature-Input header name. Default: "Signature-Input". */
+    signatureInputHeaderName?: string;
+    /** Signature label. Default: "sig1". */
+    label?: string;
+    /** Signature expiry in seconds from creation. Optional. */
+    expires?: number;
+    /** Include a nonce parameter. Default: false. */
+    nonce?: boolean;
+}
+declare const generateHttpSignature: (config: GenerateHttpSignatureConfig) => Policy;
+export { type GenerateHttpSignatureConfig, generateHttpSignature };

package/dist/policies/auth/generate-http-signature.js ADDED Viewed

@@ -0,0 +1,79 @@
+import { GatewayError } from "../../core/errors";
+import { withModifiedHeaders } from "../../utils/headers";
+import { definePolicy, Priority } from "../sdk";
+import {
+  algorithmToCrypto,
+  buildSignatureBase,
+  buildSignatureParams,
+  importSigningKey,
+  toBase64
+} from "./http-signature-base";
+const generateHttpSignature = /* @__PURE__ */ definePolicy({
+  name: "generate-http-signature",
+  priority: Priority.PROXY,
+  defaults: {
+    components: ["@method", "@path", "@authority"],
+    signatureHeaderName: "Signature",
+    signatureInputHeaderName: "Signature-Input",
+    label: "sig1",
+    nonce: false
+  },
+  handler: async (c, _next, { config, debug }) => {
+    if (!config.secret && !config.privateKey) {
+      throw new GatewayError(
+        500,
+        "config_error",
+        "generateHttpSignature requires either 'secret' or 'privateKey'"
+      );
+    }
+    const components = config.components;
+    const label = config.label;
+    const created = Math.floor(Date.now() / 1e3);
+    const paramsObj = {
+      created,
+      keyId: config.keyId,
+      algorithm: config.algorithm
+    };
+    if (config.expires !== void 0) {
+      paramsObj.expires = created + config.expires;
+    }
+    if (config.nonce) {
+      paramsObj.nonce = crypto.randomUUID().replace(/-/g, "");
+    }
+    const signatureParamsStr = buildSignatureParams(components, paramsObj);
+    const signatureBase = buildSignatureBase(
+      components,
+      signatureParamsStr,
+      c.req.raw
+    );
+    debug(
+      `signing with ${config.algorithm}, components: ${components.join(", ")}`
+    );
+    const key = await importSigningKey(
+      config.algorithm,
+      config.secret,
+      config.privateKey
+    );
+    const { signAlg } = algorithmToCrypto(config.algorithm);
+    const encoder = new TextEncoder();
+    const signatureBytes = await crypto.subtle.sign(
+      signAlg,
+      key,
+      encoder.encode(signatureBase)
+    );
+    const signatureB64 = toBase64(signatureBytes);
+    withModifiedHeaders(c, (headers) => {
+      headers.set(
+        config.signatureInputHeaderName,
+        `${label}=${signatureParamsStr}`
+      );
+      headers.set(config.signatureHeaderName, `${label}=:${signatureB64}:`);
+    });
+    debug("signature headers attached");
+    await _next();
+  }
+});
+export {
+  generateHttpSignature
+};
+//# sourceMappingURL=generate-http-signature.js.map

package/dist/policies/auth/generate-http-signature.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/policies/auth/generate-http-signature.ts"],"sourcesContent":["/**\n * Generate HTTP Message Signatures per RFC 9421.\n *\n * Signs outbound requests by computing a signature over selected\n * request components and attaching `Signature` + `Signature-Input` headers.\n *\n * @module generate-http-signature\n */\n\nimport { GatewayError } from \"../../core/errors\";\nimport { withModifiedHeaders } from \"../../utils/headers\";\nimport { definePolicy, Priority } from \"../sdk\";\nimport type { PolicyConfig } from \"../types\";\nimport {\n algorithmToCrypto,\n buildSignatureBase,\n buildSignatureParams,\n importSigningKey,\n toBase64,\n} from \"./http-signature-base\";\n\nexport interface GenerateHttpSignatureConfig extends PolicyConfig {\n /** Key identifier included in signature parameters. */\n keyId: string;\n /** HMAC secret for signing. */\n secret?: string;\n /** RSA private key as JWK. */\n privateKey?: JsonWebKey;\n /** Signing algorithm identifier (e.g. \"hmac-sha256\", \"rsa-pss-sha512\", \"rsa-v1_5-sha256\"). */\n algorithm: string;\n /** Components to include in signature. Default: [\"@method\", \"@path\", \"@authority\"]. */\n components?: string[];\n /** Signature header name. Default: \"Signature\". */\n signatureHeaderName?: string;\n /** Signature-Input header name. Default: \"Signature-Input\". */\n signatureInputHeaderName?: string;\n /** Signature label. Default: \"sig1\". */\n label?: string;\n /** Signature expiry in seconds from creation. Optional. */\n expires?: number;\n /** Include a nonce parameter. Default: false. */\n nonce?: boolean;\n}\n\nexport const generateHttpSignature =\n /*#__PURE__*/ definePolicy<GenerateHttpSignatureConfig>({\n name: \"generate-http-signature\",\n priority: Priority.PROXY,\n defaults: {\n components: [\"@method\", \"@path\", \"@authority\"],\n signatureHeaderName: \"Signature\",\n signatureInputHeaderName: \"Signature-Input\",\n label: \"sig1\",\n nonce: false,\n },\n handler: async (c, _next, { config, debug }) => {\n // Validate key material at request time\n if (!config.secret && !config.privateKey) {\n throw new GatewayError(\n 500,\n \"config_error\",\n \"generateHttpSignature requires either 'secret' or 'privateKey'\"\n );\n }\n\n const components = config.components!;\n const label = config.label!;\n const created = Math.floor(Date.now() / 1000);\n\n // Build signature params\n const paramsObj: {\n created: number;\n keyId: string;\n expires?: number;\n nonce?: string;\n algorithm?: string;\n } = {\n created,\n keyId: config.keyId,\n algorithm: config.algorithm,\n };\n\n if (config.expires !== undefined) {\n paramsObj.expires = created + config.expires;\n }\n\n if (config.nonce) {\n paramsObj.nonce = crypto.randomUUID().replace(/-/g, \"\");\n }\n\n const signatureParamsStr = buildSignatureParams(components, paramsObj);\n\n // Build signature base\n const signatureBase = buildSignatureBase(\n components,\n signatureParamsStr,\n c.req.raw\n );\n\n debug(\n `signing with ${config.algorithm}, components: ${components.join(\", \")}`\n );\n\n // Import key and sign\n const key = await importSigningKey(\n config.algorithm,\n config.secret,\n config.privateKey\n );\n const { signAlg } = algorithmToCrypto(config.algorithm);\n const encoder = new TextEncoder();\n const signatureBytes = await crypto.subtle.sign(\n signAlg,\n key,\n encoder.encode(signatureBase)\n );\n\n const signatureB64 = toBase64(signatureBytes);\n\n withModifiedHeaders(c, (headers) => {\n headers.set(\n config.signatureInputHeaderName!,\n `${label}=${signatureParamsStr}`\n );\n headers.set(config.signatureHeaderName!, `${label}=:${signatureB64}:`);\n });\n\n debug(\"signature headers attached\");\n\n await _next();\n },\n });\n"],"mappings":"AASA,SAAS,oBAAoB;AAC7B,SAAS,2BAA2B;AACpC,SAAS,cAAc,gBAAgB;AAEvC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAyBA,MAAM,wBACG,6BAA0C;AAAA,EACtD,MAAM;AAAA,EACN,UAAU,SAAS;AAAA,EACnB,UAAU;AAAA,IACR,YAAY,CAAC,WAAW,SAAS,YAAY;AAAA,IAC7C,qBAAqB;AAAA,IACrB,0BAA0B;AAAA,IAC1B,OAAO;AAAA,IACP,OAAO;AAAA,EACT;AAAA,EACA,SAAS,OAAO,GAAG,OAAO,EAAE,QAAQ,MAAM,MAAM;AAE9C,QAAI,CAAC,OAAO,UAAU,CAAC,OAAO,YAAY;AACxC,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,aAAa,OAAO;AAC1B,UAAM,QAAQ,OAAO;AACrB,UAAM,UAAU,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAG5C,UAAM,YAMF;AAAA,MACF;AAAA,MACA,OAAO,OAAO;AAAA,MACd,WAAW,OAAO;AAAA,IACpB;AAEA,QAAI,OAAO,YAAY,QAAW;AAChC,gBAAU,UAAU,UAAU,OAAO;AAAA,IACvC;AAEA,QAAI,OAAO,OAAO;AAChB,gBAAU,QAAQ,OAAO,WAAW,EAAE,QAAQ,MAAM,EAAE;AAAA,IACxD;AAEA,UAAM,qBAAqB,qBAAqB,YAAY,SAAS;AAGrE,UAAM,gBAAgB;AAAA,MACpB;AAAA,MACA;AAAA,MACA,EAAE,IAAI;AAAA,IACR;AAEA;AAAA,MACE,gBAAgB,OAAO,SAAS,iBAAiB,WAAW,KAAK,IAAI,CAAC;AAAA,IACxE;AAGA,UAAM,MAAM,MAAM;AAAA,MAChB,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,UAAM,EAAE,QAAQ,IAAI,kBAAkB,OAAO,SAAS;AACtD,UAAM,UAAU,IAAI,YAAY;AAChC,UAAM,iBAAiB,MAAM,OAAO,OAAO;AAAA,MACzC;AAAA,MACA;AAAA,MACA,QAAQ,OAAO,aAAa;AAAA,IAC9B;AAEA,UAAM,eAAe,SAAS,cAAc;AAE5C,wBAAoB,GAAG,CAAC,YAAY;AAClC,cAAQ;AAAA,QACN,OAAO;AAAA,QACP,GAAG,KAAK,IAAI,kBAAkB;AAAA,MAChC;AACA,cAAQ,IAAI,OAAO,qBAAsB,GAAG,KAAK,KAAK,YAAY,GAAG;AAAA,IACvE,CAAC;AAED,UAAM,4BAA4B;AAElC,UAAM,MAAM;AAAA,EACd;AACF,CAAC;","names":[]}

package/dist/policies/auth/generate-jwt.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+import { g as PolicyConfig, P as Policy } from '../../protocol-2fD3DJrL.js';
+import { Context } from 'hono';
+import '../sdk/trace.js';
+import '@vivero/stoma-core';
+interface GenerateJwtConfig extends PolicyConfig {
+    /** Signing algorithm */
+    algorithm: "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512";
+    /** HMAC secret (for HS* algorithms) */
+    secret?: string;
+    /** RSA private key as JWK (for RS* algorithms) */
+    privateKey?: JsonWebKey;
+    /** Claims to include. Static record or dynamic function. */
+    claims?: Record<string, unknown> | ((c: Context) => Record<string, unknown> | Promise<Record<string, unknown>>);
+    /** Token lifetime in seconds. Default: 3600 (1 hour) */
+    expiresIn?: number;
+    /** Issuer claim */
+    issuer?: string;
+    /** Audience claim */
+    audience?: string;
+    /** Header name for the generated token. Default: "Authorization" */
+    headerName?: string;
+    /** Token prefix. Default: "Bearer" */
+    tokenPrefix?: string;
+}
+/**
+ * Mint JWTs and attach them to the request for upstream consumption.
+ *
+ * @example
+ * ```ts
+ * import { generateJwt } from "@vivero/stoma";
+ *
+ * generateJwt({
+ *   algorithm: "HS256",
+ *   secret: env.JWT_SIGNING_SECRET,
+ *   claims: (c) => ({ sub: c.req.header("x-user-id") }),
+ *   issuer: "my-gateway",
+ *   expiresIn: 300,
+ * });
+ * ```
+ */
+declare const generateJwt: (config: GenerateJwtConfig) => Policy;
+export { type GenerateJwtConfig, generateJwt };