@wazobiatech/auth-middleware 1.0.0

package/dist/middlewares/project.guard.d.ts

@@ -0,0 +1,49 @@
+import { Response, NextFunction } from 'express';
+import { AuthenticatedRequest } from '../types/jwt-payload';
+export declare class ProjectAuthMiddleware {
+    private jwksCacheKey;
+    private jwksCacheTTL;
+    constructor();
+    /**
+     * Main authentication middleware for project tokens
+     */
+    authenticate(req: AuthenticatedRequest): Promise<void>;
+    /**
+     * Validate project token using cached JWKS + RSA verification
+     */
+    private validateProjectToken;
+    /**
+     * Get RSA public key from cached JWKS (with 5+ hour caching)
+     */
+    private getPublicKeyFromCache;
+    /**
+     * Fetch JWKS from Mercury and cache in Redis
+     */
+    private fetchAndCacheJWKS;
+    /**
+     * Decode JWT header to extract kid
+     */
+    private decodeJwtHeader;
+    /**
+   * Get current project secret version from Redis (cached by Mercury)
+   */
+    private getCurrentProjectSecretVersion;
+    /**
+     * Express middleware factory
+     */
+    static middleware(): (req: AuthenticatedRequest, res: Response, next: NextFunction) => Promise<void>;
+    /**
+     * Update JWKS cache TTL (can be increased beyond 5 hours)
+     */
+    setCacheTTL(seconds: number): void;
+    /**
+     * Manually refresh JWKS cache
+     */
+    refreshJWKSCache(): Promise<void>;
+    /**
+     * Cleanup Redis connection
+     */
+    cleanup(): Promise<void>;
+}
+export default ProjectAuthMiddleware;
+//# sourceMappingURL=project.guard.d.ts.map

package/dist/middlewares/project.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"project.guard.d.ts","sourceRoot":"","sources":["../../src/middlewares/project.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAKjD,OAAO,EAAE,oBAAoB,EAAuB,MAAM,sBAAsB,CAAC;AAIjF,qBAAa,qBAAqB;IAChC,OAAO,CAAC,YAAY,CAAwB;IAC5C,OAAO,CAAC,YAAY,CAAS;;IAI7B;;OAEG;IACG,YAAY,CAAC,GAAG,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC;IA0D5D;;OAEG;YACW,oBAAoB;IAmElC;;OAEG;YACW,qBAAqB;IAwCnC;;OAEG;YACW,iBAAiB;IAuD/B;;OAEG;IACH,OAAO,CAAC,eAAe;IAUvB;;KAEC;YACa,8BAA8B;IAuB5C;;OAEG;IACH,MAAM,CAAC,UAAU,IAAI,CAAC,GAAG,EAAE,oBAAoB,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC;IAOpG;;OAEG;IACH,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAIlC;;OAEG;IACG,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC;IAIvC;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAI/B;AAED,eAAe,qBAAqB,CAAC"}

package/dist/middlewares/project.guard.js

@@ -0,0 +1,310 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProjectAuthMiddleware = void 0;
+const jwt = __importStar(require("jsonwebtoken"));
+const axios_1 = __importDefault(require("axios"));
+const jose = __importStar(require("node-jose"));
+const crypto = __importStar(require("crypto"));
+const redis_connection_1 = __importDefault(require("../utils/redis.connection"));
+// Redis-cached JWKS Project Authentication Middleware
+class ProjectAuthMiddleware {
+    constructor() {
+        this.jwksCacheKey = 'project_jwks_cache';
+        this.jwksCacheTTL = 18000; // 5 hours in seconds
+    }
+    /**
+     * Main authentication middleware for project tokens
+     */
+    async authenticate(req) {
+        try {
+            // Extract token from x-project-token header
+            const authHeader = req.headers['x-project-token'];
+            if (!authHeader) {
+                throw new Error(`No project token provided, required_header: 'x-project-token'`);
+            }
+            // Handle Bearer prefix`
+            const token = authHeader.startsWith('Bearer ')
+                ? authHeader.slice(7)
+                : authHeader;
+            if (!token) {
+                throw new Error('Empty project token');
+            }
+            // Validate project token using cached JWKS
+            const validation = await this.validateProjectToken(token);
+            if (!validation.isValid) {
+                throw new Error(`Invalid project token, message: ${validation.error}`);
+                return;
+            }
+            // Check if current service is enabled for this project
+            const serviceId = process.env.SERVICE_ID;
+            if (!serviceId) {
+                throw new Error('Service ID not configured');
+            }
+            const hasAccess = validation.payload.enabled_services.includes(serviceId);
+            if (!hasAccess) {
+                throw new Error(`
+          error: Service access denied,
+          service_id: ${serviceId},
+          project: ${validation.payload.project_uuid},
+          enabled_services: ${validation.payload.enabled_services}
+        `);
+            }
+            // Inject project context into request (NO user context)
+            req.project = {
+                project_uuid: validation.payload.project_uuid,
+                enabled_services: validation.payload.enabled_services,
+                secret_version: validation.payload.secret_version,
+                token_id: validation.payload.token_id,
+                expires_at: validation.payload.exp
+            };
+        }
+        catch (error) {
+            throw new Error(`Authentication service error ${error}`);
+        }
+    }
+    /**
+     * Validate project token using cached JWKS + RSA verification
+     */
+    async validateProjectToken(token) {
+        try {
+            // Get public key from cached JWKS
+            const publicKey = await this.getPublicKeyFromCache(token);
+            // Verify JWT with RSA public key
+            const verified = jwt.verify(token, publicKey, {
+                algorithms: ["RS512"],
+                ignoreExpiration: false,
+            });
+            if (typeof verified !== 'object' || verified === null) {
+                return {
+                    isValid: false,
+                    error: 'Invalid token payload'
+                };
+            }
+            const payload = verified;
+            // Validate project token structure
+            if (!payload.project_uuid || !payload.token_id || !Array.isArray(payload.enabled_services)) {
+                return {
+                    isValid: false,
+                    error: 'Invalid project token structure'
+                };
+            }
+            const currentSecretVersion = await this.getCurrentProjectSecretVersion(payload.project_uuid);
+            if (currentSecretVersion > 0 && payload.secret_version < currentSecretVersion) {
+                return {
+                    isValid: false,
+                    error: `Token secret version outdated (token: ${payload.secret_version}, current: ${currentSecretVersion}) - re-authentication required`
+                };
+            }
+            const redis = await redis_connection_1.default.getInstance();
+            // Check if token is in Redis cache (for revocation)
+            const tokenExists = await redis.sendCommand([
+                'EXISTS',
+                `project_token:${payload.token_id}`
+            ]);
+            if (tokenExists === 0) {
+                return {
+                    isValid: false,
+                    error: 'Token has been revoked'
+                };
+            }
+            return {
+                isValid: true,
+                payload
+            };
+        }
+        catch (error) {
+            return {
+                isValid: false,
+                error: error instanceof Error ? error.message : 'Token validation failed'
+            };
+        }
+    }
+    /**
+     * Get RSA public key from cached JWKS (with 5+ hour caching)
+     */
+    async getPublicKeyFromCache(token) {
+        try {
+            // Extract kid from JWT header
+            const header = this.decodeJwtHeader(token);
+            if (!header.kid) {
+                throw new Error('Missing key ID in token header');
+            }
+            // Check Redis for cached JWKS
+            const redis = await redis_connection_1.default.getInstance();
+            const cachedJwks = await redis.sendCommand([
+                'GET',
+                this.jwksCacheKey
+            ]);
+            let keyStore;
+            if (cachedJwks) {
+                // Use cached JWKS
+                const jwksData = JSON.parse(cachedJwks);
+                keyStore = await jose.JWK.asKeyStore(jwksData);
+            }
+            else {
+                // Fetch fresh JWKS from Mercury and cache it
+                keyStore = await this.fetchAndCacheJWKS();
+            }
+            // Get the specific key
+            const key = keyStore.get(header.kid);
+            if (!key) {
+                throw new Error(`Key ${header.kid} not found in JWKS`);
+            }
+            // Return PEM format public key
+            const publicKey = key.toPEM(false);
+            return publicKey;
+        }
+        catch (error) {
+            throw new Error(`Failed to get public key: ${error.message}`);
+        }
+    }
+    /**
+     * Fetch JWKS from Mercury and cache in Redis
+     */
+    async fetchAndCacheJWKS() {
+        try {
+            const path = 'auth/project/.well-known/jwks.json';
+            const jwksUri = `${process.env.MERCURY_BASE_URL}/${path}`;
+            const timestamp = Date.now().toString();
+            const signatureInput = 'GET' + `/${path}` + timestamp;
+            const sharedSecret = process.env.SIGNATURE_SHARED_SECRET || '';
+            const signature = crypto
+                .createHmac('sha256', sharedSecret)
+                .update(signatureInput)
+                .digest('hex');
+            const headers = {
+                Accept: 'application/json',
+                'User-Agent': 'Node-JWT-Strategy/1.0',
+                'X-Timestamp': timestamp,
+                'X-Signature': signature,
+            };
+            const response = await axios_1.default.get(jwksUri, {
+                timeout: 10000,
+                headers,
+            });
+            if (!response.data || !response.data.keys) {
+                throw new Error('Invalid JWKS response');
+            }
+            // Cache JWKS in Redis for 5+ hours
+            const redis = await redis_connection_1.default.getInstance();
+            await redis.sendCommand([
+                'SETEX',
+                this.jwksCacheKey,
+                this.jwksCacheTTL.toString(),
+                JSON.stringify(response.data)
+            ]);
+            // Create and return key store
+            return await jose.JWK.asKeyStore(response.data);
+        }
+        catch (error) {
+            if (axios_1.default.isAxiosError(error)) {
+                const axiosError = error;
+                if (axiosError.code === 'ECONNREFUSED') {
+                    throw new Error('Mercury service unavailable');
+                }
+                throw new Error(`HTTP ${axiosError.response?.status || 'unknown'}: ${axiosError.message}`);
+            }
+            throw new Error(`Failed to fetch JWKS: ${error.message}`);
+        }
+    }
+    /**
+     * Decode JWT header to extract kid
+     */
+    decodeJwtHeader(token) {
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            throw new Error('Invalid JWT format');
+        }
+        const headerJson = Buffer.from(parts[0], 'base64').toString();
+        return JSON.parse(headerJson);
+    }
+    /**
+   * Get current project secret version from Redis (cached by Mercury)
+   */
+    async getCurrentProjectSecretVersion(projectUuid) {
+        try {
+            const redis = await redis_connection_1.default.getInstance();
+            const cacheKey = `project_secret_version:${projectUuid}`;
+            const cachedVersion = await redis.sendCommand([
+                'GET', cacheKey
+            ]);
+            if (cachedVersion) {
+                return parseInt(cachedVersion, 10);
+            }
+            // If not in Redis, this means Mercury hasn't cached it yet
+            // This shouldn't happen in normal flow, but fallback to allowing the token
+            // Mercury's Kafka handler will eventually populate this
+            return 0; // Default to allow if version not found
+        }
+        catch (error) {
+            throw new Error(`Failed to get project secret version: ${error.message}`);
+        }
+    }
+    /**
+     * Express middleware factory
+     */
+    static middleware() {
+        const authMiddleware = new ProjectAuthMiddleware();
+        return (req) => {
+            return authMiddleware.authenticate(req);
+        };
+    }
+    /**
+     * Update JWKS cache TTL (can be increased beyond 5 hours)
+     */
+    setCacheTTL(seconds) {
+        this.jwksCacheTTL = seconds;
+    }
+    /**
+     * Manually refresh JWKS cache
+     */
+    async refreshJWKSCache() {
+        await this.fetchAndCacheJWKS();
+    }
+    /**
+     * Cleanup Redis connection
+     */
+    async cleanup() {
+        const redis = await redis_connection_1.default.getInstance();
+        await redis.quit();
+    }
+}
+exports.ProjectAuthMiddleware = ProjectAuthMiddleware;
+exports.default = ProjectAuthMiddleware;
+//# sourceMappingURL=project.guard.js.map

package/dist/middlewares/project.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"project.guard.js","sourceRoot":"","sources":["../../src/middlewares/project.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,kDAAoC;AACpC,kDAA0B;AAC1B,gDAAkC;AAClC,+CAAiC;AAEjC,iFAA+D;AAE/D,sDAAsD;AACtD,MAAa,qBAAqB;IAIhC;QAHQ,iBAAY,GAAG,oBAAoB,CAAC;QACpC,iBAAY,GAAG,KAAK,CAAC,CAAC,qBAAqB;IAEnC,CAAC;IAEjB;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,GAAyB;QAC1C,IAAI,CAAC;YACH,4CAA4C;YAC5C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAW,CAAC;YAE5D,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;YACnF,CAAC;YAED,wBAAwB;YACxB,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC;gBAC5C,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;gBACrB,CAAC,CAAC,UAAU,CAAC;YAEf,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;YACzC,CAAC;YAED,2CAA2C;YAC3C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC;YAE1D,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CAAC,mCAAmC,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;gBAEvE,OAAO;YACT,CAAC;YAED,uDAAuD;YACvD,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;YACzC,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;YAC/C,CAAC;YAED,MAAM,SAAS,GAAG,UAAU,CAAC,OAAQ,CAAC,gBAAgB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAC3E,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CAAC;;wBAEA,SAAS;qBACZ,UAAU,CAAC,OAAQ,CAAC,YAAY;8BACvB,UAAU,CAAC,OAAQ,CAAC,gBAAgB;SACzD,CAAC,CAAC;YACL,CAAC;YAED,wDAAwD;YACxD,GAAG,CAAC,OAAO,GAAG;gBACZ,YAAY,EAAE,UAAU,CAAC,OAAQ,CAAC,YAAY;gBAC9C,gBAAgB,EAAE,UAAU,CAAC,OAAQ,CAAC,gBAAgB;gBACtD,cAAc,EAAE,UAAU,CAAC,OAAQ,CAAC,cAAc;gBAClD,QAAQ,EAAE,UAAU,CAAC,OAAQ,CAAC,QAAQ;gBACtC,UAAU,EAAE,UAAU,CAAC,OAAQ,CAAC,GAAG;aACpC,CAAC;QAGJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,gCAAgC,KAAK,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,oBAAoB,CAAC,KAAa;QAK9C,IAAI,CAAC;YACH,kCAAkC;YAClC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAC;YAE1D,iCAAiC;YACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE;gBAC5C,UAAU,EAAE,CAAC,OAAO,CAAC;gBACrB,gBAAgB,EAAE,KAAK;aACxB,CAAC,CAAC;YAEH,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;gBACtD,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,uBAAuB;iBAC/B,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAG,QAA+B,CAAC;YAEhD,mCAAmC;YACnC,IAAI,CAAC,OAAO,CAAC,YAAY,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAC3F,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,iCAAiC;iBACzC,CAAC;YACJ,CAAC;YAED,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,8BAA8B,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAC7F,IAAI,oBAAoB,GAAG,CAAC,IAAI,OAAO,CAAC,cAAc,GAAG,oBAAoB,EAAE,CAAC;gBAC9E,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,yCAAyC,OAAO,CAAC,cAAc,cAAc,oBAAoB,gCAAgC;iBACzI,CAAC;YACJ,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,0BAAsB,CAAC,WAAW,EAAE,CAAC;YACzD,oDAAoD;YACpD,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC;gBAC1C,QAAQ;gBACR,iBAAiB,OAAO,CAAC,QAAQ,EAAE;aACpC,CAAW,CAAC;YAEb,IAAI,WAAW,KAAK,CAAC,EAAE,CAAC;gBACtB,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,wBAAwB;iBAChC,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO;aACR,CAAC;QAEJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,yBAAyB;aAC1E,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,qBAAqB,CAAC,KAAa;QAC/C,IAAI,CAAC;YACH,8BAA8B;YAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YAC3C,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACpD,CAAC;YAED,8BAA8B;YAC9B,MAAM,KAAK,GAAG,MAAM,0BAAsB,CAAC,WAAW,EAAE,CAAC;YACzD,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC;gBACzC,KAAK;gBACL,IAAI,CAAC,YAAY;aAClB,CAAkB,CAAC;YAEpB,IAAI,QAA2B,CAAC;YAEhC,IAAI,UAAU,EAAE,CAAC;gBACf,kBAAkB;gBAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;gBACxC,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,6CAA6C;gBAC7C,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC5C,CAAC;YAED,uBAAuB;YACvB,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAA6B,CAAC;YACjE,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,OAAO,MAAM,CAAC,GAAG,oBAAoB,CAAC,CAAC;YACzD,CAAC;YAED,+BAA+B;YAC/B,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACnC,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,6BAA6B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB;QAC7B,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,oCAAoC,CAAA;YACjD,MAAM,OAAO,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,IAAI,EAAE,CAAC;YAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;YACxC,MAAM,cAAc,GAAG,KAAK,GAAG,IAAI,IAAI,EAAE,GAAG,SAAS,CAAC;YACtD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,EAAE,CAAC;YAE/D,MAAM,SAAS,GAAG,MAAM;iBACrB,UAAU,CAAC,QAAQ,EAAE,YAAY,CAAC;iBAClC,MAAM,CAAC,cAAc,CAAC;iBACtB,MAAM,CAAC,KAAK,CAAC,CAAC;YAEjB,MAAM,OAAO,GAAG;gBACd,MAAM,EAAE,kBAAkB;gBAC1B,YAAY,EAAE,uBAAuB;gBACrC,aAAa,EAAE,SAAS;gBACxB,aAAa,EAAE,SAAS;aACzB,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,eAAK,CAAC,GAAG,CAA0C,OAAO,EAAE;gBACjF,OAAO,EAAE,KAAK;gBACd,OAAO;aACR,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC1C,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;YAC3C,CAAC;YAED,mCAAmC;YACnC,MAAM,KAAK,GAAG,MAAM,0BAAsB,CAAC,WAAW,EAAE,CAAC;YACzD,MAAM,KAAK,CAAC,WAAW,CAAC;gBACtB,OAAO;gBACP,IAAI,CAAC,YAAY;gBACjB,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE;gBAC5B,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC;aAC9B,CAAC,CAAC;YAEH,8BAA8B;YAC9B,OAAO,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAElD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,eAAK,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC9B,MAAM,UAAU,GAAG,KAAK,CAAC;gBACzB,IAAI,UAAU,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;oBACvC,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;gBACjD,CAAC;gBAED,MAAM,IAAI,KAAK,CAAC,QAAQ,UAAU,CAAC,QAAQ,EAAE,MAAM,IAAI,SAAS,KAAK,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7F,CAAC;YAED,MAAM,IAAI,KAAK,CAAC,yBAAyB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,KAAa;QACnC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACxC,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC9D,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAChC,CAAC;IAED;;KAEC;IACO,KAAK,CAAC,8BAA8B,CAAC,WAAmB;QAC9D,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,0BAAsB,CAAC,WAAW,EAAE,CAAC;YACzD,MAAM,QAAQ,GAAG,0BAA0B,WAAW,EAAE,CAAC;YAEzD,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC;gBAC5C,KAAK,EAAE,QAAQ;aAChB,CAAkB,CAAC;YAEpB,IAAI,aAAa,EAAE,CAAC;gBAClB,OAAO,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;YACrC,CAAC;YAED,2DAA2D;YAC3D,2EAA2E;YAC3E,wDAAwD;YACxD,OAAO,CAAC,CAAC,CAAC,wCAAwC;QAEpD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,yCAAyC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,UAAU;QACf,MAAM,cAAc,GAAG,IAAI,qBAAqB,EAAE,CAAC;QACnD,OAAO,CAAC,GAAyB,EAAE,EAAE;YACnC,OAAO,cAAc,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QAC1C,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,OAAe;QACzB,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB;QACpB,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO;QACX,MAAM,KAAK,GAAG,MAAM,0BAAsB,CAAC,WAAW,EAAE,CAAC;QACzD,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;IACrB,CAAC;CACF;AApTD,sDAoTC;AAED,kBAAe,qBAAqB,CAAC"}

package/dist/nestjs/decorators/auth.decorator.d.ts

@@ -0,0 +1,2 @@
+export declare function ProjectAndUserAuth(): <TFunction extends Function, Y>(target: TFunction | object, propertyKey?: string | symbol, descriptor?: TypedPropertyDescriptor<Y>) => void;
+//# sourceMappingURL=auth.decorator.d.ts.map

package/dist/nestjs/decorators/auth.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.decorator.d.ts","sourceRoot":"","sources":["../../../src/nestjs/decorators/auth.decorator.ts"],"names":[],"mappings":"AAIA,wBAAgB,kBAAkB,gJAEjC"}

package/dist/nestjs/decorators/auth.decorator.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProjectAndUserAuth = ProjectAndUserAuth;
+const common_1 = require("@nestjs/common");
+const project_guard_1 = require("../guards/project.guard");
+const jwt_guard_1 = require("../guards/jwt-guard");
+function ProjectAndUserAuth() {
+    return (0, common_1.applyDecorators)((0, common_1.UseGuards)(jwt_guard_1.JwtAuthGuard, project_guard_1.ProjectAuthGuard));
+}
+//# sourceMappingURL=auth.decorator.js.map

package/dist/nestjs/decorators/auth.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.decorator.js","sourceRoot":"","sources":["../../../src/nestjs/decorators/auth.decorator.ts"],"names":[],"mappings":";;AAIA,gDAEC;AAND,2CAA4D;AAC5D,2DAA2D;AAC3D,mDAAmD;AAEnD,SAAgB,kBAAkB;IAChC,OAAO,IAAA,wBAAe,EAAC,IAAA,kBAAS,EAAC,wBAAY,EAAE,gCAAgB,CAAC,CAAC,CAAC;AACpE,CAAC"}

package/dist/nestjs/decorators/current-user.decorator.d.ts

@@ -0,0 +1,2 @@
+export declare const CurrentUser: (...dataOrPipes: (string | import("@nestjs/common").PipeTransform<any, any> | import("@nestjs/common").Type<import("@nestjs/common").PipeTransform<any, any>>)[]) => ParameterDecorator;
+//# sourceMappingURL=current-user.decorator.d.ts.map

package/dist/nestjs/decorators/current-user.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"current-user.decorator.d.ts","sourceRoot":"","sources":["../../../src/nestjs/decorators/current-user.decorator.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,WAAW,yLAiBvB,CAAC"}

package/dist/nestjs/decorators/current-user.decorator.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CurrentUser = void 0;
+const common_1 = require("@nestjs/common");
+const graphql_1 = require("@nestjs/graphql");
+exports.CurrentUser = (0, common_1.createParamDecorator)((data, context) => {
+    const ctx = graphql_1.GqlExecutionContext.create(context);
+    const request = ctx.getContext().req;
+    const user = request.user;
+    if (!user) {
+        throw new Error('User not found in request context');
+    }
+    if (data) {
+        return user[data];
+    }
+    return user;
+});
+//# sourceMappingURL=current-user.decorator.js.map

package/dist/nestjs/decorators/current-user.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"current-user.decorator.js","sourceRoot":"","sources":["../../../src/nestjs/decorators/current-user.decorator.ts"],"names":[],"mappings":";;;AAAA,2CAAwE;AACxE,6CAAsD;AAEzC,QAAA,WAAW,GAAG,IAAA,6BAAoB,EAC7C,CAAC,IAAwB,EAAE,OAAyB,EAAU,EAAE;IAC9D,MAAM,GAAG,GAAG,6BAAmB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC;IAErC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAE1B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,IAAI,IAAI,EAAE,CAAC;QACT,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC;IACpB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC,CACF,CAAC"}

package/dist/nestjs/guards/jwt-guard.d.ts

@@ -0,0 +1,8 @@
+import { ExecutionContext } from '@nestjs/common';
+import { Request } from 'express';
+declare const JwtAuthGuard_base: import("@nestjs/passport").Type<import("@nestjs/passport").IAuthGuard>;
+export declare class JwtAuthGuard extends JwtAuthGuard_base {
+    getRequest(context: ExecutionContext): Request;
+}
+export {};
+//# sourceMappingURL=jwt-guard.d.ts.map

package/dist/nestjs/guards/jwt-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-guard.d.ts","sourceRoot":"","sources":["../../../src/nestjs/guards/jwt-guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAE9D,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;;AAIlC,qBACa,YAAa,SAAQ,iBAAgB;IAChD,UAAU,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;CAI/C"}

package/dist/nestjs/guards/jwt-guard.js

@@ -0,0 +1,23 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtAuthGuard = void 0;
+const common_1 = require("@nestjs/common");
+const passport_1 = require("@nestjs/passport");
+const graphql_1 = require("@nestjs/graphql");
+let JwtAuthGuard = class JwtAuthGuard extends (0, passport_1.AuthGuard)('jwt') {
+    getRequest(context) {
+        const ctx = graphql_1.GqlExecutionContext.create(context);
+        return ctx.getContext().req;
+    }
+};
+exports.JwtAuthGuard = JwtAuthGuard;
+exports.JwtAuthGuard = JwtAuthGuard = __decorate([
+    (0, common_1.Injectable)()
+], JwtAuthGuard);
+//# sourceMappingURL=jwt-guard.js.map

package/dist/nestjs/guards/jwt-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-guard.js","sourceRoot":"","sources":["../../../src/nestjs/guards/jwt-guard.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAA8D;AAC9D,+CAA6C;AAE7C,6CAAsD;AAI/C,IAAM,YAAY,GAAlB,MAAM,YAAa,SAAQ,IAAA,oBAAS,EAAC,KAAK,CAAC;IAChD,UAAU,CAAC,OAAyB;QAClC,MAAM,GAAG,GAAG,6BAAmB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAChD,OAAO,GAAG,CAAC,UAAU,EAAc,CAAC,GAAG,CAAC;IAC1C,CAAC;CACF,CAAA;AALY,oCAAY;uBAAZ,YAAY;IADxB,IAAA,mBAAU,GAAE;GACA,YAAY,CAKxB"}

package/dist/nestjs/guards/project.guard.d.ts

@@ -0,0 +1,45 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+export declare class ProjectAuthGuard implements CanActivate {
+    private readonly logger;
+    private jwksCacheKey;
+    private jwksCacheTTL;
+    constructor();
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    /**
+     * Extract request object from different NestJS contexts
+     */
+    private getRequest;
+    /**
+     * Validate project token using cached JWKS + RSA verification
+     */
+    private validateProjectToken;
+    /**
+     * Get RSA public key from cached JWKS (with 5+ hour caching)
+     */
+    private getPublicKeyFromCache;
+    /**
+   * Get current project secret version from Redis (cached by Mercury)
+   */
+    private getCurrentProjectSecretVersion;
+    /**
+     * Fetch JWKS from Mercury and cache in Redis
+     */
+    private fetchAndCacheJWKS;
+    /**
+     * Decode JWT header to extract kid
+     */
+    private decodeJwtHeader;
+    /**
+     * Update JWKS cache TTL (can be increased beyond 5 hours)
+     */
+    setCacheTTL(seconds: number): void;
+    /**
+     * Manually refresh JWKS cache
+     */
+    refreshJWKSCache(): Promise<void>;
+    /**
+     * Cleanup Redis connection (called on app shutdown)
+     */
+    onApplicationShutdown(): Promise<void>;
+}
+//# sourceMappingURL=project.guard.d.ts.map

package/dist/nestjs/guards/project.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"project.guard.d.ts","sourceRoot":"","sources":["../../../src/nestjs/guards/project.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAGjB,MAAM,gBAAgB,CAAC;AAQxB,qBACa,gBAAiB,YAAW,WAAW;IAClD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAqC;IAC5D,OAAO,CAAC,YAAY,CAAwB;IAC5C,OAAO,CAAC,YAAY,CAAS;;IAIvB,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;IAiF9D;;OAEG;IACH,OAAO,CAAC,UAAU;IAalB;;OAEG;YACW,oBAAoB;IAoElC;;OAEG;YACW,qBAAqB;IAyCnC;;KAEC;YACa,8BAA8B;IAuB5C;;OAEG;YACW,iBAAiB;IA8D/B;;OAEG;IACH,OAAO,CAAC,eAAe;IAUvB;;OAEG;IACH,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAKlC;;OAEG;IACG,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC;IAKvC;;OAEG;IACG,qBAAqB,IAAI,OAAO,CAAC,IAAI,CAAC;CAM7C"}