@xtaskjs/security 1.0.0 → 1.0.3

package/dist/lifecycle.js

@@ -0,0 +1,314 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InjectSecurityLifecycleManager = exports.InjectPassport = exports.InjectAuthorizationService = exports.InjectAuthenticationService = exports.resetSecurityIntegration = exports.getSecurityLifecycleManager = exports.shutdownSecurityIntegration = exports.initializeSecurityIntegration = exports.SecurityLifecycleManager = void 0;
+const core_1 = require("@xtaskjs/core");
+const passport_1 = __importDefault(require("passport"));
+const passport_jwt_1 = require("passport-jwt");
+const configuration_1 = require("./configuration");
+const tokens_1 = require("./tokens");
+const authorization_1 = require("./authorization");
+const authentication_1 = require("./authentication");
+const strategies_1 = require("./strategies");
+const createPassportInstance = () => {
+    const PassportConstructor = passport_1.default.Passport || passport_1.default.Authenticator;
+    return new PassportConstructor();
+};
+const createSafeExtractor = (extractor) => {
+    return (request) => {
+        try {
+            return extractor(request);
+        }
+        catch {
+            return null;
+        }
+    };
+};
+const toRecord = (value) => {
+    if (value && typeof value === "object" && !Array.isArray(value)) {
+        return value;
+    }
+    return {};
+};
+const uniqueRoles = (roles) => {
+    return Array.from(new Set(roles.filter((value) => value.length > 0)));
+};
+const resolveClaims = (user, info) => {
+    if (info?.claims) {
+        return toRecord(info.claims);
+    }
+    if (user?.claims) {
+        return toRecord(user.claims);
+    }
+    return {};
+};
+const resolveRoles = (definition, claims, user) => {
+    const extracted = definition.extractRoles?.(claims, user);
+    if (Array.isArray(extracted)) {
+        return uniqueRoles(extracted.map((value) => String(value).trim()));
+    }
+    if (Array.isArray(user?.roles)) {
+        return uniqueRoles(user.roles.map((value) => String(value).trim()));
+    }
+    if (Array.isArray(claims.roles)) {
+        return uniqueRoles(claims.roles.map((value) => String(value).trim()));
+    }
+    if (typeof claims.scope === "string") {
+        return uniqueRoles(claims.scope
+            .split(/\s+/)
+            .map((value) => value.trim())
+            .filter((value) => value.length > 0));
+    }
+    return [];
+};
+class SecurityLifecycleManager {
+    constructor() {
+        this.passportInstance = createPassportInstance();
+        this.strategyDefinitions = new Map();
+    }
+    async initialize(container) {
+        this.passportInstance = createPassportInstance();
+        this.strategyDefinitions.clear();
+        this.container = container;
+        for (const definition of (0, configuration_1.getRegisteredSecurityStrategies)()) {
+            this.strategyDefinitions.set(definition.name, definition);
+            if (definition.kind === "jwt") {
+                this.registerJwtStrategy(definition);
+                continue;
+            }
+            this.passportInstance.use(definition.name, new strategies_1.JweStrategy(definition, () => ({ container: this.container })));
+        }
+        this.registerContainerBindings(container);
+    }
+    async destroy() {
+        this.passportInstance = createPassportInstance();
+        this.strategyDefinitions.clear();
+        this.container = undefined;
+    }
+    getPassport() {
+        return this.passportInstance;
+    }
+    async authenticateContext(context, strategyNames) {
+        const result = await this.authenticateRequest(context.request, context.response, strategyNames);
+        if (!result.success) {
+            return result;
+        }
+        context.auth = {
+            isAuthenticated: true,
+            strategy: result.strategy,
+            token: result.token,
+            user: result.user,
+            claims: result.claims,
+            roles: [...result.roles],
+        };
+        if (context.request && typeof context.request === "object") {
+            context.request.user = result.user;
+            context.request.auth = context.auth;
+            context.request.authInfo = result.info;
+        }
+        if (context.response && typeof context.response === "object") {
+            context.response.locals = context.response.locals || {};
+            context.response.locals.auth = context.auth;
+        }
+        return result;
+    }
+    async authenticateRequest(request, _response, strategyNames) {
+        const selectedStrategies = this.resolveStrategyNames(strategyNames);
+        let lastFailure = {
+            statusCode: 401,
+            challenge: { message: "Unauthorized" },
+        };
+        for (const strategyName of selectedStrategies) {
+            const definition = this.strategyDefinitions.get(strategyName);
+            if (!definition) {
+                throw new Error(`Security strategy '${strategyName}' is not registered`);
+            }
+            const extractor = definition.jwtFromRequest || strategies_1.defaultBearerTokenExtractor;
+            const token = extractor(request) || undefined;
+            const outcome = await this.runPassportStrategy(strategyName, request);
+            if (outcome.type === "success") {
+                const claims = resolveClaims(outcome.user, outcome.info);
+                return {
+                    success: true,
+                    strategy: strategyName,
+                    token,
+                    user: outcome.user,
+                    claims,
+                    roles: resolveRoles(definition, claims, outcome.user),
+                    info: outcome.info,
+                };
+            }
+            if (outcome.type === "fail") {
+                lastFailure = { statusCode: outcome.statusCode, challenge: outcome.challenge };
+            }
+        }
+        return {
+            success: false,
+            statusCode: lastFailure.statusCode || 401,
+            challenge: lastFailure.challenge || { message: "Unauthorized" },
+            roles: [],
+        };
+    }
+    resolveStrategyNames(strategyNames) {
+        if (Array.isArray(strategyNames) && strategyNames.length > 0) {
+            return strategyNames;
+        }
+        if (typeof strategyNames === "string" && strategyNames.trim().length > 0) {
+            return [strategyNames.trim()];
+        }
+        const defaultStrategy = (0, configuration_1.getDefaultSecurityStrategyName)();
+        if (defaultStrategy) {
+            return [defaultStrategy];
+        }
+        throw new Error("No security strategy registered. Call registerJwtStrategy() or registerJweStrategy().");
+    }
+    registerJwtStrategy(definition) {
+        const extractor = createSafeExtractor(definition.jwtFromRequest || passport_jwt_1.ExtractJwt.fromAuthHeaderAsBearerToken());
+        const options = {
+            jwtFromRequest: extractor,
+            secretOrKey: definition.secretOrKey,
+            secretOrKeyProvider: definition.secretOrKeyProvider,
+            issuer: definition.issuer,
+            audience: definition.audience,
+            algorithms: definition.algorithms,
+            ignoreExpiration: definition.ignoreExpiration,
+            jsonWebTokenOptions: definition.jsonWebTokenOptions,
+            passReqToCallback: definition.passReqToCallback === true,
+        };
+        const verify = async (...args) => {
+            const done = args[args.length - 1];
+            const request = definition.passReqToCallback ? args[0] : undefined;
+            const payload = toRecord(definition.passReqToCallback ? args[1] : args[0]);
+            try {
+                const token = extractor(request) || "";
+                const user = await (0, strategies_1.resolveValidatedUser)(definition, payload, {
+                    container: this.container,
+                    request,
+                    token,
+                    strategyName: definition.name,
+                    kind: definition.kind,
+                });
+                if (!user) {
+                    done(null, false, { message: "Unauthorized", claims: payload });
+                    return;
+                }
+                done(null, user, {
+                    claims: payload,
+                    strategy: definition.name,
+                    kind: definition.kind,
+                });
+            }
+            catch (error) {
+                done(error);
+            }
+        };
+        this.passportInstance.use(definition.name, new passport_jwt_1.Strategy(options, verify));
+    }
+    runPassportStrategy(strategyName, request) {
+        const strategy = this.passportInstance._strategy(strategyName);
+        if (!strategy) {
+            throw new Error(`Passport strategy '${strategyName}' is not registered`);
+        }
+        return new Promise((resolve, reject) => {
+            const delegate = Object.create(strategy);
+            Object.assign(delegate, strategy);
+            delegate.success = (user, info) => resolve({ type: "success", user, info });
+            delegate.fail = (challenge, statusCode) => resolve({ type: "fail", challenge, statusCode });
+            delegate.pass = () => resolve({ type: "pass" });
+            delegate.error = (error) => reject(error);
+            delegate.redirect = (_url, statusCode) => resolve({
+                type: "fail",
+                challenge: { message: "Redirect responses are not supported by xtaskjs security guards" },
+                statusCode: statusCode || 401,
+            });
+            delegate.authenticate(request, {});
+        });
+    }
+    registerContainerBindings(container) {
+        if (!container) {
+            return;
+        }
+        const anyContainer = container;
+        if (typeof anyContainer.registerWithName === "function") {
+            anyContainer.registerWithName(authentication_1.SecurityAuthenticationService, { scope: "singleton" }, (0, tokens_1.getAuthenticationServiceToken)());
+            anyContainer.registerWithName(authorization_1.SecurityAuthorizationService, { scope: "singleton" }, (0, tokens_1.getAuthorizationServiceToken)());
+        }
+        if (typeof anyContainer.registerNamedInstance === "function") {
+            anyContainer.registerNamedInstance((0, tokens_1.getPassportToken)(), this.passportInstance);
+            anyContainer.registerNamedInstance((0, tokens_1.getSecurityLifecycleToken)(), this);
+        }
+    }
+}
+exports.SecurityLifecycleManager = SecurityLifecycleManager;
+const lifecycleManager = new SecurityLifecycleManager();
+const initializeSecurityIntegration = async (container) => {
+    await lifecycleManager.initialize(container);
+};
+exports.initializeSecurityIntegration = initializeSecurityIntegration;
+const shutdownSecurityIntegration = async () => {
+    await lifecycleManager.destroy();
+};
+exports.shutdownSecurityIntegration = shutdownSecurityIntegration;
+const getSecurityLifecycleManager = () => {
+    return lifecycleManager;
+};
+exports.getSecurityLifecycleManager = getSecurityLifecycleManager;
+const resetSecurityIntegration = async () => {
+    await (0, exports.shutdownSecurityIntegration)();
+    (0, configuration_1.clearRegisteredSecurityStrategies)();
+};
+exports.resetSecurityIntegration = resetSecurityIntegration;
+const InjectAuthenticationService = () => {
+    return (target, propertyKey, parameterIndex) => {
+        const token = (0, tokens_1.getAuthenticationServiceToken)();
+        if (typeof parameterIndex === "number") {
+            (0, core_1.Qualifier)(token)(target, propertyKey, parameterIndex);
+            return;
+        }
+        if (propertyKey !== undefined) {
+            (0, core_1.AutoWired)({ qualifier: token })(target, propertyKey);
+        }
+    };
+};
+exports.InjectAuthenticationService = InjectAuthenticationService;
+const InjectAuthorizationService = () => {
+    return (target, propertyKey, parameterIndex) => {
+        const token = (0, tokens_1.getAuthorizationServiceToken)();
+        if (typeof parameterIndex === "number") {
+            (0, core_1.Qualifier)(token)(target, propertyKey, parameterIndex);
+            return;
+        }
+        if (propertyKey !== undefined) {
+            (0, core_1.AutoWired)({ qualifier: token })(target, propertyKey);
+        }
+    };
+};
+exports.InjectAuthorizationService = InjectAuthorizationService;
+const InjectPassport = () => {
+    return (target, propertyKey, parameterIndex) => {
+        const token = (0, tokens_1.getPassportToken)();
+        if (typeof parameterIndex === "number") {
+            (0, core_1.Qualifier)(token)(target, propertyKey, parameterIndex);
+            return;
+        }
+        if (propertyKey !== undefined) {
+            (0, core_1.AutoWired)({ qualifier: token })(target, propertyKey);
+        }
+    };
+};
+exports.InjectPassport = InjectPassport;
+const InjectSecurityLifecycleManager = () => {
+    return (target, propertyKey, parameterIndex) => {
+        const token = (0, tokens_1.getSecurityLifecycleToken)();
+        if (typeof parameterIndex === "number") {
+            (0, core_1.Qualifier)(token)(target, propertyKey, parameterIndex);
+            return;
+        }
+        if (propertyKey !== undefined) {
+            (0, core_1.AutoWired)({ qualifier: token })(target, propertyKey);
+        }
+    };
+};
+exports.InjectSecurityLifecycleManager = InjectSecurityLifecycleManager;

package/dist/metadata.d.ts

@@ -0,0 +1,6 @@
+import { ResolvedSecurityMetadata, RolesOptions } from "./types";
+export declare const normalizeStrategies: (strategies?: string | string[]) => string[];
+export declare const setAuthenticatedMetadata: (target: any, propertyKey: PropertyKey | undefined, strategies?: string | string[]) => void;
+export declare const setRolesMetadata: (target: any, propertyKey: PropertyKey | undefined, options: RolesOptions) => void;
+export declare const setAllowAnonymousMetadata: (target: any, propertyKey?: PropertyKey) => void;
+export declare const resolveSecurityMetadata: (controllerType: any, handler?: PropertyKey) => ResolvedSecurityMetadata;

package/dist/metadata.js

@@ -0,0 +1,103 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveSecurityMetadata = exports.setAllowAnonymousMetadata = exports.setRolesMetadata = exports.setAuthenticatedMetadata = exports.normalizeStrategies = void 0;
+const CLASS_SECURITY_METADATA_KEY = Symbol("xtask:security:class");
+const METHOD_SECURITY_METADATA_KEY = Symbol("xtask:security:method");
+const emptyMetadata = () => ({
+    allowAnonymous: false,
+    strategies: [],
+    roles: [],
+    roleMode: "any",
+});
+const uniqueStrings = (values) => {
+    return Array.from(new Set(values.map((value) => value.trim()).filter((value) => value.length > 0)));
+};
+const getClassMetadata = (target) => {
+    return Reflect.getMetadata(CLASS_SECURITY_METADATA_KEY, target) || emptyMetadata();
+};
+const setClassMetadata = (target, metadata) => {
+    Reflect.defineMetadata(CLASS_SECURITY_METADATA_KEY, metadata, target);
+};
+const getMethodMetadataMap = (target) => {
+    const stored = Reflect.getMetadata(METHOD_SECURITY_METADATA_KEY, target);
+    return stored || new Map();
+};
+const setMethodMetadataMap = (target, metadataMap) => {
+    Reflect.defineMetadata(METHOD_SECURITY_METADATA_KEY, metadataMap, target);
+};
+const getOrCreateMethodMetadata = (target, propertyKey) => {
+    const metadataMap = getMethodMetadataMap(target.constructor);
+    const current = metadataMap.get(propertyKey) || emptyMetadata();
+    metadataMap.set(propertyKey, current);
+    setMethodMetadataMap(target.constructor, metadataMap);
+    return current;
+};
+const normalizeStrategies = (strategies) => {
+    if (!strategies) {
+        return [];
+    }
+    return uniqueStrings(Array.isArray(strategies) ? strategies : [strategies]);
+};
+exports.normalizeStrategies = normalizeStrategies;
+const setAuthenticatedMetadata = (target, propertyKey, strategies) => {
+    const normalizedStrategies = (0, exports.normalizeStrategies)(strategies);
+    if (propertyKey === undefined) {
+        const current = getClassMetadata(target);
+        current.allowAnonymous = false;
+        current.strategies = uniqueStrings([...(current.strategies || []), ...normalizedStrategies]);
+        setClassMetadata(target, current);
+        return;
+    }
+    const current = getOrCreateMethodMetadata(target, propertyKey);
+    current.allowAnonymous = false;
+    current.strategies = uniqueStrings([...(current.strategies || []), ...normalizedStrategies]);
+};
+exports.setAuthenticatedMetadata = setAuthenticatedMetadata;
+const setRolesMetadata = (target, propertyKey, options) => {
+    const roles = uniqueStrings(options.roles || []);
+    const strategies = (0, exports.normalizeStrategies)(options.strategies);
+    const roleMode = options.mode || "any";
+    if (propertyKey === undefined) {
+        const current = getClassMetadata(target);
+        current.roles = uniqueStrings([...(current.roles || []), ...roles]);
+        current.strategies = uniqueStrings([...(current.strategies || []), ...strategies]);
+        current.roleMode = roleMode;
+        setClassMetadata(target, current);
+        return;
+    }
+    const current = getOrCreateMethodMetadata(target, propertyKey);
+    current.roles = uniqueStrings([...(current.roles || []), ...roles]);
+    current.strategies = uniqueStrings([...(current.strategies || []), ...strategies]);
+    current.roleMode = roleMode;
+};
+exports.setRolesMetadata = setRolesMetadata;
+const setAllowAnonymousMetadata = (target, propertyKey) => {
+    if (propertyKey === undefined) {
+        const current = getClassMetadata(target);
+        current.allowAnonymous = true;
+        setClassMetadata(target, current);
+        return;
+    }
+    const current = getOrCreateMethodMetadata(target, propertyKey);
+    current.allowAnonymous = true;
+};
+exports.setAllowAnonymousMetadata = setAllowAnonymousMetadata;
+const resolveSecurityMetadata = (controllerType, handler) => {
+    const classMetadata = controllerType ? getClassMetadata(controllerType) : emptyMetadata();
+    const methodMetadata = controllerType && handler !== undefined
+        ? getMethodMetadataMap(controllerType).get(handler) || emptyMetadata()
+        : emptyMetadata();
+    const allowAnonymous = Boolean(methodMetadata.allowAnonymous ?? classMetadata.allowAnonymous ?? false);
+    const strategies = uniqueStrings([
+        ...(classMetadata.strategies || []),
+        ...(methodMetadata.strategies || []),
+    ]);
+    const roles = uniqueStrings([...(classMetadata.roles || []), ...(methodMetadata.roles || [])]);
+    return {
+        allowAnonymous,
+        strategies,
+        roles,
+        roleMode: methodMetadata.roleMode || classMetadata.roleMode || "any",
+    };
+};
+exports.resolveSecurityMetadata = resolveSecurityMetadata;

package/dist/strategies.d.ts

@@ -0,0 +1,16 @@
+import { Strategy as PassportStrategyBase } from "passport-strategy";
+import { RegisteredJweSecurityStrategyOptions, RegisteredSecurityStrategyOptions, SecurityValidationContext } from "./types";
+export declare const defaultBearerTokenExtractor: (request: any) => string | null;
+export declare const resolveValidatedUser: (definition: RegisteredSecurityStrategyOptions, payload: Record<string, any>, context: SecurityValidationContext) => Promise<any | false>;
+export declare class JweStrategy extends PassportStrategyBase {
+    readonly name: string;
+    success: (user: any, info?: any) => void;
+    fail: (challenge?: any, status?: number) => void;
+    error: (error: Error) => void;
+    pass: () => void;
+    private readonly definition;
+    private readonly resolveValidationContext?;
+    constructor(definition: RegisteredJweSecurityStrategyOptions, resolveValidationContext?: () => Partial<SecurityValidationContext>);
+    authenticate(request: any): void;
+    private run;
+}

package/dist/strategies.js

@@ -0,0 +1,173 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JweStrategy = exports.resolveValidatedUser = exports.defaultBearerTokenExtractor = void 0;
+const crypto_1 = require("crypto");
+const passport_strategy_1 = require("passport-strategy");
+const defaultBearerTokenExtractor = (request) => {
+    const headerValue = request?.headers?.authorization ||
+        request?.headers?.Authorization ||
+        request?.authorization;
+    if (typeof headerValue !== "string") {
+        return null;
+    }
+    const match = headerValue.match(/^Bearer\s+(.+)$/i);
+    return match?.[1] || null;
+};
+exports.defaultBearerTokenExtractor = defaultBearerTokenExtractor;
+const decodeBase64Url = (value) => {
+    const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = normalized.length % 4 === 0 ? "" : "=".repeat(4 - (normalized.length % 4));
+    return Buffer.from(`${normalized}${padding}`, "base64");
+};
+const decodeJsonSegment = (value) => {
+    return ensureRecord(JSON.parse(decodeBase64Url(value).toString("utf-8")));
+};
+const normalizeDecryptionKey = (value) => {
+    if (Buffer.isBuffer(value)) {
+        return value;
+    }
+    if (value instanceof Uint8Array) {
+        return Buffer.from(value);
+    }
+    return Buffer.from(String(value), "utf-8");
+};
+const toUnixTime = () => Math.floor(Date.now() / 1000);
+const toClockToleranceSeconds = (value) => {
+    if (typeof value === "number" && Number.isFinite(value)) {
+        return value;
+    }
+    if (typeof value === "string") {
+        const parsed = Number(value);
+        return Number.isFinite(parsed) ? parsed : 0;
+    }
+    return 0;
+};
+const normalizeAudience = (value) => {
+    if (Array.isArray(value)) {
+        return value.map((item) => String(item));
+    }
+    if (typeof value === "string") {
+        return [value];
+    }
+    return [];
+};
+const validateJweClaims = (payload, definition) => {
+    const now = toUnixTime();
+    const clockTolerance = toClockToleranceSeconds(definition.clockTolerance);
+    if (typeof payload.exp === "number" && now - clockTolerance >= payload.exp) {
+        throw new Error("Token expired");
+    }
+    if (typeof payload.nbf === "number" && now + clockTolerance < payload.nbf) {
+        throw new Error("Token is not active yet");
+    }
+    if (definition.issuer) {
+        const expectedIssuers = Array.isArray(definition.issuer)
+            ? definition.issuer
+            : [definition.issuer];
+        if (!expectedIssuers.includes(String(payload.iss || ""))) {
+            throw new Error("Token issuer is not allowed");
+        }
+    }
+    if (definition.audience) {
+        const expectedAudiences = Array.isArray(definition.audience)
+            ? definition.audience
+            : [definition.audience];
+        const actualAudiences = normalizeAudience(payload.aud);
+        const hasAudience = expectedAudiences.some((audience) => actualAudiences.includes(audience));
+        if (!hasAudience) {
+            throw new Error("Token audience is not allowed");
+        }
+    }
+};
+const ensureRecord = (value) => {
+    if (value && typeof value === "object" && !Array.isArray(value)) {
+        return value;
+    }
+    return {};
+};
+const resolveValidatedUser = async (definition, payload, context) => {
+    if (!definition.validate) {
+        return payload;
+    }
+    return definition.validate(payload, context);
+};
+exports.resolveValidatedUser = resolveValidatedUser;
+const toJweKey = async (definition) => {
+    const key = typeof definition.resolveDecryptionKey === "function"
+        ? await definition.resolveDecryptionKey()
+        : definition.decryptionKey;
+    if (typeof key === "string") {
+        return new TextEncoder().encode(key);
+    }
+    return key;
+};
+class JweStrategy extends passport_strategy_1.Strategy {
+    constructor(definition, resolveValidationContext) {
+        super();
+        this.definition = definition;
+        this.name = definition.name;
+        this.resolveValidationContext = resolveValidationContext;
+    }
+    authenticate(request) {
+        void this.run(request);
+    }
+    async run(request) {
+        const extractor = this.definition.jwtFromRequest || exports.defaultBearerTokenExtractor;
+        const token = extractor(request);
+        if (!token) {
+            this.fail({ message: "Missing bearer token" }, 401);
+            return;
+        }
+        try {
+            const [protectedHeader, encryptedKey, iv, ciphertext, tag] = token.split(".");
+            if (!protectedHeader || encryptedKey === undefined || !iv || !ciphertext || !tag) {
+                throw new Error("Malformed JWE token");
+            }
+            const header = decodeJsonSegment(protectedHeader);
+            if (header.alg !== "dir") {
+                throw new Error(`Unsupported JWE alg '${String(header.alg || "")}'`);
+            }
+            if (header.enc !== "A256GCM") {
+                throw new Error(`Unsupported JWE enc '${String(header.enc || "")}'`);
+            }
+            if (encryptedKey.length > 0) {
+                throw new Error("Compact JWE with direct encryption must not include an encrypted key segment");
+            }
+            const key = normalizeDecryptionKey(await toJweKey(this.definition));
+            if (key.length !== 32) {
+                throw new Error("JWE decryption key must be 32 bytes for dir/A256GCM tokens");
+            }
+            const decipher = (0, crypto_1.createDecipheriv)("aes-256-gcm", key, decodeBase64Url(iv));
+            decipher.setAAD(Buffer.from(protectedHeader, "utf-8"));
+            decipher.setAuthTag(decodeBase64Url(tag));
+            const plaintext = Buffer.concat([
+                decipher.update(decodeBase64Url(ciphertext)),
+                decipher.final(),
+            ]);
+            const payload = ensureRecord(JSON.parse(plaintext.toString("utf-8")));
+            validateJweClaims(payload, this.definition);
+            const user = await (0, exports.resolveValidatedUser)(this.definition, payload, {
+                ...this.resolveValidationContext?.(),
+                request,
+                token,
+                strategyName: this.definition.name,
+                kind: this.definition.kind,
+            });
+            if (!user) {
+                this.fail({ message: "Unauthorized", claims: payload }, 401);
+                return;
+            }
+            this.success(user, {
+                claims: payload,
+                protectedHeader: header,
+                strategy: this.definition.name,
+                kind: this.definition.kind,
+            });
+        }
+        catch (error) {
+            const message = typeof error?.message === "string" ? error.message : "Unauthorized";
+            this.fail({ message }, 401);
+        }
+    }
+}
+exports.JweStrategy = JweStrategy;

package/dist/tokens.d.ts

@@ -0,0 +1,8 @@
+export declare const SECURITY_PASSPORT_TOKEN = "xtask:security:passport";
+export declare const SECURITY_LIFECYCLE_TOKEN = "xtask:security:lifecycle";
+export declare const SECURITY_AUTHENTICATION_SERVICE_TOKEN = "xtask:security:authentication-service";
+export declare const SECURITY_AUTHORIZATION_SERVICE_TOKEN = "xtask:security:authorization-service";
+export declare const getPassportToken: () => string;
+export declare const getSecurityLifecycleToken: () => string;
+export declare const getAuthenticationServiceToken: () => string;
+export declare const getAuthorizationServiceToken: () => string;

package/dist/tokens.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAuthorizationServiceToken = exports.getAuthenticationServiceToken = exports.getSecurityLifecycleToken = exports.getPassportToken = exports.SECURITY_AUTHORIZATION_SERVICE_TOKEN = exports.SECURITY_AUTHENTICATION_SERVICE_TOKEN = exports.SECURITY_LIFECYCLE_TOKEN = exports.SECURITY_PASSPORT_TOKEN = void 0;
+exports.SECURITY_PASSPORT_TOKEN = "xtask:security:passport";
+exports.SECURITY_LIFECYCLE_TOKEN = "xtask:security:lifecycle";
+exports.SECURITY_AUTHENTICATION_SERVICE_TOKEN = "xtask:security:authentication-service";
+exports.SECURITY_AUTHORIZATION_SERVICE_TOKEN = "xtask:security:authorization-service";
+const getPassportToken = () => exports.SECURITY_PASSPORT_TOKEN;
+exports.getPassportToken = getPassportToken;
+const getSecurityLifecycleToken = () => exports.SECURITY_LIFECYCLE_TOKEN;
+exports.getSecurityLifecycleToken = getSecurityLifecycleToken;
+const getAuthenticationServiceToken = () => {
+    return exports.SECURITY_AUTHENTICATION_SERVICE_TOKEN;
+};
+exports.getAuthenticationServiceToken = getAuthenticationServiceToken;
+const getAuthorizationServiceToken = () => {
+    return exports.SECURITY_AUTHORIZATION_SERVICE_TOKEN;
+};
+exports.getAuthorizationServiceToken = getAuthorizationServiceToken;