@zauso-ai/capstan-auth 1.0.0-beta.7 → 1.0.0-beta.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/execution.d.ts +10 -0
- package/dist/execution.d.ts.map +1 -0
- package/dist/execution.js +50 -0
- package/dist/execution.js.map +1 -0
- package/dist/harness-authorizer.d.ts +10 -0
- package/dist/harness-authorizer.d.ts.map +1 -0
- package/dist/harness-authorizer.js +90 -0
- package/dist/harness-authorizer.js.map +1 -0
- package/dist/index.d.ts +8 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +5 -1
- package/dist/index.js.map +1 -1
- package/dist/middleware.d.ts.map +1 -1
- package/dist/middleware.js +141 -6
- package/dist/middleware.js.map +1 -1
- package/dist/oauth.d.ts +10 -1
- package/dist/oauth.d.ts.map +1 -1
- package/dist/oauth.js +34 -5
- package/dist/oauth.js.map +1 -1
- package/dist/permissions.d.ts +12 -22
- package/dist/permissions.d.ts.map +1 -1
- package/dist/permissions.js +91 -33
- package/dist/permissions.js.map +1 -1
- package/dist/runtime-authorizer.d.ts +28 -0
- package/dist/runtime-authorizer.d.ts.map +1 -0
- package/dist/runtime-authorizer.js +136 -0
- package/dist/runtime-authorizer.js.map +1 -0
- package/dist/runtime-grants.d.ts +31 -0
- package/dist/runtime-grants.d.ts.map +1 -0
- package/dist/runtime-grants.js +96 -0
- package/dist/runtime-grants.js.map +1 -0
- package/dist/session.d.ts +3 -3
- package/dist/session.d.ts.map +1 -1
- package/dist/session.js +21 -3
- package/dist/session.js.map +1 -1
- package/dist/types.d.ts +97 -1
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
import type { ActorIdentity, DelegationLink, ExecutionIdentity, ExecutionKind } from "./types.js";
|
|
2
|
+
export declare function createExecutionIdentity(kind: ExecutionKind, source: string, options?: {
|
|
3
|
+
parentId?: string;
|
|
4
|
+
metadata?: Record<string, unknown>;
|
|
5
|
+
}): ExecutionIdentity;
|
|
6
|
+
export declare function createRequestExecution(request: Request, options?: {
|
|
7
|
+
parentId?: string;
|
|
8
|
+
}): ExecutionIdentity;
|
|
9
|
+
export declare function createDelegationLink(from: ActorIdentity | ExecutionIdentity, to: ActorIdentity | ExecutionIdentity, reason: string, metadata?: Record<string, unknown>): DelegationLink;
|
|
10
|
+
//# sourceMappingURL=execution.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"execution.d.ts","sourceRoot":"","sources":["../src/execution.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,aAAa,EACb,cAAc,EAEd,iBAAiB,EACjB,aAAa,EACd,MAAM,YAAY,CAAC;AASpB,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,aAAa,EACnB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC,GACA,iBAAiB,CAQnB;AAED,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,iBAAiB,CAoBnB;AASD,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,aAAa,GAAG,iBAAiB,EACvC,EAAE,EAAE,aAAa,GAAG,iBAAiB,EACrC,MAAM,EAAE,MAAM,EACd,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjC,cAAc,CAWhB"}
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
function buildExecutionId(kind, source) {
|
|
2
|
+
if (kind === "request") {
|
|
3
|
+
return source;
|
|
4
|
+
}
|
|
5
|
+
return `${kind}:${source}`;
|
|
6
|
+
}
|
|
7
|
+
export function createExecutionIdentity(kind, source, options) {
|
|
8
|
+
const execution = {
|
|
9
|
+
kind,
|
|
10
|
+
id: buildExecutionId(kind, source),
|
|
11
|
+
};
|
|
12
|
+
if (options?.parentId !== undefined)
|
|
13
|
+
execution.parentId = options.parentId;
|
|
14
|
+
if (options?.metadata !== undefined)
|
|
15
|
+
execution.metadata = options.metadata;
|
|
16
|
+
return execution;
|
|
17
|
+
}
|
|
18
|
+
export function createRequestExecution(request, options) {
|
|
19
|
+
const url = new URL(request.url);
|
|
20
|
+
const createOptions = {
|
|
21
|
+
metadata: {
|
|
22
|
+
method: request.method,
|
|
23
|
+
pathname: url.pathname,
|
|
24
|
+
origin: url.origin,
|
|
25
|
+
},
|
|
26
|
+
};
|
|
27
|
+
if (options?.parentId !== undefined) {
|
|
28
|
+
createOptions.parentId = options.parentId;
|
|
29
|
+
}
|
|
30
|
+
return createExecutionIdentity("request", `${request.method} ${url.pathname}`, createOptions);
|
|
31
|
+
}
|
|
32
|
+
function toTargetRef(target) {
|
|
33
|
+
return {
|
|
34
|
+
kind: target.kind,
|
|
35
|
+
id: target.id,
|
|
36
|
+
};
|
|
37
|
+
}
|
|
38
|
+
export function createDelegationLink(from, to, reason, metadata) {
|
|
39
|
+
const link = {
|
|
40
|
+
from: toTargetRef(from),
|
|
41
|
+
to: toTargetRef(to),
|
|
42
|
+
reason,
|
|
43
|
+
issuedAt: new Date().toISOString(),
|
|
44
|
+
};
|
|
45
|
+
if (metadata !== undefined) {
|
|
46
|
+
link.metadata = metadata;
|
|
47
|
+
}
|
|
48
|
+
return link;
|
|
49
|
+
}
|
|
50
|
+
//# sourceMappingURL=execution.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"execution.js","sourceRoot":"","sources":["../src/execution.ts"],"names":[],"mappings":"AAQA,SAAS,gBAAgB,CAAC,IAAmB,EAAE,MAAc;IAC3D,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,GAAG,IAAI,IAAI,MAAM,EAAE,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,IAAmB,EACnB,MAAc,EACd,OAGC;IAED,MAAM,SAAS,GAAsB;QACnC,IAAI;QACJ,EAAE,EAAE,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC;KACnC,CAAC;IACF,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS;QAAE,SAAS,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC3E,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS;QAAE,SAAS,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC3E,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,OAAgB,EAChB,OAEC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,aAAa,GAGf;QACF,QAAQ,EAAE;YACR,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,MAAM,EAAE,GAAG,CAAC,MAAM;SACnB;KACF,CAAC;IACF,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS,EAAE,CAAC;QACpC,aAAa,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC5C,CAAC;IACD,OAAO,uBAAuB,CAC5B,SAAS,EACT,GAAG,OAAO,CAAC,MAAM,IAAI,GAAG,CAAC,QAAQ,EAAE,EACnC,aAAa,CACd,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,MAAyC;IAC5D,OAAO;QACL,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,EAAE,EAAE,MAAM,CAAC,EAAE;KACd,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,IAAuC,EACvC,EAAqC,EACrC,MAAc,EACd,QAAkC;IAElC,MAAM,IAAI,GAAmB;QAC3B,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC;QACvB,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC;QACnB,MAAM;QACN,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC;IACF,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
import type { RuntimeGrantSupplier } from "./runtime-authorizer.js";
|
|
2
|
+
import { type RuntimeGrantAuthorizationResult, type RuntimeGrantAuthorizerRequest } from "./runtime-authorizer.js";
|
|
3
|
+
export interface HarnessGrantAuthorizationRequest {
|
|
4
|
+
action: string;
|
|
5
|
+
runId?: string;
|
|
6
|
+
detail?: Record<string, unknown>;
|
|
7
|
+
}
|
|
8
|
+
export declare function toRuntimeGrantRequest(request: HarnessGrantAuthorizationRequest): RuntimeGrantAuthorizerRequest;
|
|
9
|
+
export declare function createHarnessGrantAuthorizer(supplier: RuntimeGrantSupplier): (request: HarnessGrantAuthorizationRequest) => Promise<RuntimeGrantAuthorizationResult>;
|
|
10
|
+
//# sourceMappingURL=harness-authorizer.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"harness-authorizer.d.ts","sourceRoot":"","sources":["../src/harness-authorizer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AACpE,OAAO,EAEL,KAAK,+BAA+B,EACpC,KAAK,6BAA6B,EACnC,MAAM,yBAAyB,CAAC;AAEjC,MAAM,WAAW,gCAAgC;IAC/C,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAiGD,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,gCAAgC,GACxC,6BAA6B,CAa/B;AAED,wBAAgB,4BAA4B,CAAC,QAAQ,EAAE,oBAAoB,IAIvE,SAAS,gCAAgC,KACxC,OAAO,CAAC,+BAA+B,CAAC,CAE5C"}
|
|
@@ -0,0 +1,90 @@
|
|
|
1
|
+
import { createRuntimeGrantAuthorizer, } from "./runtime-authorizer.js";
|
|
2
|
+
function readString(source, key) {
|
|
3
|
+
const value = source?.[key];
|
|
4
|
+
return typeof value === "string" && value.trim().length > 0 ? value : undefined;
|
|
5
|
+
}
|
|
6
|
+
function readRecord(source, key) {
|
|
7
|
+
const value = source?.[key];
|
|
8
|
+
return value != null && typeof value === "object" && !Array.isArray(value)
|
|
9
|
+
? value
|
|
10
|
+
: undefined;
|
|
11
|
+
}
|
|
12
|
+
function deriveMemoryAttributes(detail) {
|
|
13
|
+
const kind = readString(detail, "kind");
|
|
14
|
+
if (kind === "session_memory") {
|
|
15
|
+
return { memoryKind: "session" };
|
|
16
|
+
}
|
|
17
|
+
if (kind === "persistent_memory") {
|
|
18
|
+
return { memoryKind: "persistent" };
|
|
19
|
+
}
|
|
20
|
+
const kinds = Array.isArray(detail?.["kinds"])
|
|
21
|
+
? detail["kinds"].filter((entry) => typeof entry === "string")
|
|
22
|
+
: [];
|
|
23
|
+
if (kinds.length === 1 && kinds[0] === "session_memory") {
|
|
24
|
+
return { memoryKind: "session" };
|
|
25
|
+
}
|
|
26
|
+
if (kinds.length === 1 && kinds[0] === "persistent_memory") {
|
|
27
|
+
return { memoryKind: "persistent" };
|
|
28
|
+
}
|
|
29
|
+
return undefined;
|
|
30
|
+
}
|
|
31
|
+
function deriveApprovalAttributes(detail) {
|
|
32
|
+
const pendingApproval = readRecord(detail, "pendingApproval");
|
|
33
|
+
const directKind = readString(detail, "kind");
|
|
34
|
+
const nestedKind = readString(pendingApproval, "kind");
|
|
35
|
+
const approvalKind = directKind === "tool" || directKind === "task"
|
|
36
|
+
? directKind
|
|
37
|
+
: nestedKind === "tool" || nestedKind === "task"
|
|
38
|
+
? nestedKind
|
|
39
|
+
: undefined;
|
|
40
|
+
return approvalKind ? { approvalKind } : undefined;
|
|
41
|
+
}
|
|
42
|
+
function buildScope(request) {
|
|
43
|
+
if (request.action.endsWith(":list")) {
|
|
44
|
+
return request.runId ? { runId: request.runId } : undefined;
|
|
45
|
+
}
|
|
46
|
+
const detail = request.detail;
|
|
47
|
+
const pendingApproval = readRecord(detail, "pendingApproval");
|
|
48
|
+
const pendingToolCall = readRecord(detail, "pendingToolCall");
|
|
49
|
+
const scope = {};
|
|
50
|
+
if (request.runId) {
|
|
51
|
+
scope.runId = request.runId;
|
|
52
|
+
}
|
|
53
|
+
const scopedFields = [
|
|
54
|
+
["approvalId", readString(detail, "approvalId") ?? readString(pendingApproval, "id")],
|
|
55
|
+
["artifactId", readString(detail, "artifactId")],
|
|
56
|
+
["memoryId", readString(detail, "memoryId")],
|
|
57
|
+
["summaryId", readString(detail, "summaryId")],
|
|
58
|
+
["taskId", readString(detail, "taskId")],
|
|
59
|
+
[
|
|
60
|
+
"tool",
|
|
61
|
+
readString(detail, "tool") ??
|
|
62
|
+
readString(pendingApproval, "tool") ??
|
|
63
|
+
readString(pendingToolCall, "tool"),
|
|
64
|
+
],
|
|
65
|
+
];
|
|
66
|
+
for (const [key, value] of scopedFields) {
|
|
67
|
+
if (value) {
|
|
68
|
+
scope[key] = value;
|
|
69
|
+
}
|
|
70
|
+
}
|
|
71
|
+
return Object.keys(scope).length > 0 ? scope : undefined;
|
|
72
|
+
}
|
|
73
|
+
export function toRuntimeGrantRequest(request) {
|
|
74
|
+
const detail = request.detail;
|
|
75
|
+
const attributes = {
|
|
76
|
+
...(request.action.startsWith("memory:") ? deriveMemoryAttributes(detail) ?? {} : {}),
|
|
77
|
+
...(request.action.startsWith("approval:") ? deriveApprovalAttributes(detail) ?? {} : {}),
|
|
78
|
+
};
|
|
79
|
+
const scope = buildScope(request);
|
|
80
|
+
return {
|
|
81
|
+
action: request.action,
|
|
82
|
+
...(scope ? { scope } : {}),
|
|
83
|
+
...(Object.keys(attributes).length > 0 ? { attributes } : {}),
|
|
84
|
+
};
|
|
85
|
+
}
|
|
86
|
+
export function createHarnessGrantAuthorizer(supplier) {
|
|
87
|
+
const runtimeAuthorizer = createRuntimeGrantAuthorizer(supplier);
|
|
88
|
+
return async (request) => runtimeAuthorizer(toRuntimeGrantRequest(request));
|
|
89
|
+
}
|
|
90
|
+
//# sourceMappingURL=harness-authorizer.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"harness-authorizer.js","sourceRoot":"","sources":["../src/harness-authorizer.ts"],"names":[],"mappings":"AACA,OAAO,EACL,4BAA4B,GAG7B,MAAM,yBAAyB,CAAC;AAQjC,SAAS,UAAU,CACjB,MAA2C,EAC3C,GAAW;IAEX,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAClF,CAAC;AAED,SAAS,UAAU,CACjB,MAA2C,EAC3C,GAAW;IAEX,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,KAAK,IAAI,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACxE,CAAC,CAAE,KAAiC;QACpC,CAAC,CAAC,SAAS,CAAC;AAChB,CAAC;AAED,SAAS,sBAAsB,CAC7B,MAA2C;IAE3C,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,IAAI,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAC9B,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,IAAI,KAAK,mBAAmB,EAAE,CAAC;QACjC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;IACtC,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,CAAC;QAC5C,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC;QAC/E,CAAC,CAAC,EAAE,CAAC;IACP,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,gBAAgB,EAAE,CAAC;QACxD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,mBAAmB,EAAE,CAAC;QAC3D,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;IACtC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,wBAAwB,CAC/B,MAA2C;IAE3C,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9C,MAAM,UAAU,GAAG,UAAU,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IACvD,MAAM,YAAY,GAChB,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,MAAM;QAC5C,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,MAAM;YAC9C,CAAC,CAAC,UAAU;YACZ,CAAC,CAAC,SAAS,CAAC;IAElB,OAAO,YAAY,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACrD,CAAC;AAED,SAAS,UAAU,CACjB,OAAyC;IAEzC,IAAI,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACrC,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9D,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC9B,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAC9D,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAC9D,MAAM,KAAK,GAA2B,EAAE,CAAC;IAEzC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,KAAK,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC9B,CAAC;IAED,MAAM,YAAY,GAAwC;QACxD,CAAC,YAAY,EAAE,UAAU,CAAC,MAAM,EAAE,YAAY,CAAC,IAAI,UAAU,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;QACrF,CAAC,YAAY,EAAE,UAAU,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QAChD,CAAC,UAAU,EAAE,UAAU,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAC5C,CAAC,WAAW,EAAE,UAAU,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAC9C,CAAC,QAAQ,EAAE,UAAU,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACxC;YACE,MAAM;YACN,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC;gBACxB,UAAU,CAAC,eAAe,EAAE,MAAM,CAAC;gBACnC,UAAU,CAAC,eAAe,EAAE,MAAM,CAAC;SACtC;KACF,CAAC;IAEF,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;QACxC,IAAI,KAAK,EAAE,CAAC;YACV,KAAK,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACrB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,OAAyC;IAEzC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC9B,MAAM,UAAU,GAAG;QACjB,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,sBAAsB,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACrF,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,wBAAwB,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1F,CAAC;IACF,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAElC,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC9D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,QAA8B;IACzE,MAAM,iBAAiB,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAC;IAEjE,OAAO,KAAK,EACV,OAAyC,EACC,EAAE,CAC5C,iBAAiB,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,CAAC;AACtD,CAAC"}
|
package/dist/index.d.ts
CHANGED
|
@@ -1,12 +1,18 @@
|
|
|
1
1
|
export { signSession, verifySession } from "./session.js";
|
|
2
2
|
export { generateApiKey, verifyApiKey, extractApiKeyPrefix, } from "./api-key.js";
|
|
3
3
|
export { createAuthMiddleware } from "./middleware.js";
|
|
4
|
-
export { checkPermission, derivePermission } from "./permissions.js";
|
|
4
|
+
export { authorizeGrant, checkGrant, checkPermission, derivePermission, normalizePermissionsToGrants, serializeGrantsToPermissions, } from "./permissions.js";
|
|
5
|
+
export { createExecutionIdentity, createRequestExecution, createDelegationLink, } from "./execution.js";
|
|
6
|
+
export { createGrant, grantRunActions, grantRunCollectionActions, grantApprovalActions, grantApprovalCollectionActions, grantEventActions, grantEventCollectionActions, grantArtifactActions, grantCheckpointActions, grantTaskActions, grantSummaryActions, grantSummaryCollectionActions, grantMemoryActions, grantContextActions, grantRuntimePathsActions, } from "./runtime-grants.js";
|
|
7
|
+
export { deriveRuntimeGrantRequirements, authorizeRuntimeAction, createRuntimeGrantAuthorizer, } from "./runtime-authorizer.js";
|
|
8
|
+
export { createHarnessGrantAuthorizer, toRuntimeGrantRequest, } from "./harness-authorizer.js";
|
|
5
9
|
export { validateDpopProof, clearDpopReplayCache, setDpopReplayStore } from "./dpop.js";
|
|
6
10
|
export { extractWorkloadIdentity, isValidSpiffeId } from "./workload.js";
|
|
7
11
|
export { googleProvider, githubProvider, createOAuthHandlers, } from "./oauth.js";
|
|
8
12
|
export type { DpopValidationResult } from "./dpop.js";
|
|
9
13
|
export type { WorkloadIdentity } from "./workload.js";
|
|
10
14
|
export type { OAuthProvider, OAuthConfig, OAuthHandlers } from "./oauth.js";
|
|
11
|
-
export type { AuthConfig, SessionPayload, AgentCredential, AuthContext, AuthResolverDeps, } from "./types.js";
|
|
15
|
+
export type { ActorIdentity, AuthConfig, SessionPayload, SessionSigningOptions, SessionVerificationOptions, AgentCredential, AuthEnvelope, AuthGrant, AuthGrantRequirement, AuthContext, AuthResolverDeps, CredentialProof, DelegationLink, ExecutionIdentity, } from "./types.js";
|
|
16
|
+
export type { RuntimeGrantAuthorizerRequest, RuntimeGrantAuthorizationResult, RuntimeGrantSupplier, } from "./runtime-authorizer.js";
|
|
17
|
+
export type { HarnessGrantAuthorizationRequest } from "./harness-authorizer.js";
|
|
12
18
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EACL,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EACL,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,cAAc,EACd,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,4BAA4B,EAC5B,4BAA4B,GAC7B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,uBAAuB,EACvB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,WAAW,EACX,eAAe,EACf,yBAAyB,EACzB,oBAAoB,EACpB,8BAA8B,EAC9B,iBAAiB,EACjB,2BAA2B,EAC3B,oBAAoB,EACpB,sBAAsB,EACtB,gBAAgB,EAChB,mBAAmB,EACnB,6BAA6B,EAC7B,kBAAkB,EAClB,mBAAmB,EACnB,wBAAwB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,8BAA8B,EAC9B,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,4BAA4B,EAC5B,qBAAqB,GACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AACxF,OAAO,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EACL,cAAc,EACd,cAAc,EACd,mBAAmB,GACpB,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACtD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC5E,YAAY,EACV,aAAa,EACb,UAAU,EACV,cAAc,EACd,qBAAqB,EACrB,0BAA0B,EAC1B,eAAe,EACf,YAAY,EACZ,SAAS,EACT,oBAAoB,EACpB,WAAW,EACX,gBAAgB,EAChB,eAAe,EACf,cAAc,EACd,iBAAiB,GAClB,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,6BAA6B,EAC7B,+BAA+B,EAC/B,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,gCAAgC,EAAE,MAAM,yBAAyB,CAAC"}
|
package/dist/index.js
CHANGED
|
@@ -1,7 +1,11 @@
|
|
|
1
1
|
export { signSession, verifySession } from "./session.js";
|
|
2
2
|
export { generateApiKey, verifyApiKey, extractApiKeyPrefix, } from "./api-key.js";
|
|
3
3
|
export { createAuthMiddleware } from "./middleware.js";
|
|
4
|
-
export { checkPermission, derivePermission } from "./permissions.js";
|
|
4
|
+
export { authorizeGrant, checkGrant, checkPermission, derivePermission, normalizePermissionsToGrants, serializeGrantsToPermissions, } from "./permissions.js";
|
|
5
|
+
export { createExecutionIdentity, createRequestExecution, createDelegationLink, } from "./execution.js";
|
|
6
|
+
export { createGrant, grantRunActions, grantRunCollectionActions, grantApprovalActions, grantApprovalCollectionActions, grantEventActions, grantEventCollectionActions, grantArtifactActions, grantCheckpointActions, grantTaskActions, grantSummaryActions, grantSummaryCollectionActions, grantMemoryActions, grantContextActions, grantRuntimePathsActions, } from "./runtime-grants.js";
|
|
7
|
+
export { deriveRuntimeGrantRequirements, authorizeRuntimeAction, createRuntimeGrantAuthorizer, } from "./runtime-authorizer.js";
|
|
8
|
+
export { createHarnessGrantAuthorizer, toRuntimeGrantRequest, } from "./harness-authorizer.js";
|
|
5
9
|
export { validateDpopProof, clearDpopReplayCache, setDpopReplayStore } from "./dpop.js";
|
|
6
10
|
export { extractWorkloadIdentity, isValidSpiffeId } from "./workload.js";
|
|
7
11
|
export { googleProvider, githubProvider, createOAuthHandlers, } from "./oauth.js";
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EACL,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EACL,cAAc,EACd,YAAY,EACZ,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,cAAc,EACd,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,4BAA4B,EAC5B,4BAA4B,GAC7B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,uBAAuB,EACvB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,WAAW,EACX,eAAe,EACf,yBAAyB,EACzB,oBAAoB,EACpB,8BAA8B,EAC9B,iBAAiB,EACjB,2BAA2B,EAC3B,oBAAoB,EACpB,sBAAsB,EACtB,gBAAgB,EAChB,mBAAmB,EACnB,6BAA6B,EAC7B,kBAAkB,EAClB,mBAAmB,EACnB,wBAAwB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,8BAA8B,EAC9B,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,4BAA4B,EAC5B,qBAAqB,GACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AACxF,OAAO,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EACL,cAAc,EACd,cAAc,EACd,mBAAmB,GACpB,MAAM,YAAY,CAAC"}
|
package/dist/middleware.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,UAAU,EACV,WAAW,
|
|
1
|
+
{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,UAAU,EACV,WAAW,EAGX,gBAAgB,EAEjB,MAAM,YAAY,CAAC;AA6CpB;;;;;;;;;;;;;GAaG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE,gBAAgB,GACrB,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,CAAC,CAiP5C"}
|
package/dist/middleware.js
CHANGED
|
@@ -2,11 +2,24 @@ import { verifySession } from "./session.js";
|
|
|
2
2
|
import { verifyApiKey, extractApiKeyPrefix } from "./api-key.js";
|
|
3
3
|
import { validateDpopProof } from "./dpop.js";
|
|
4
4
|
import { extractWorkloadIdentity } from "./workload.js";
|
|
5
|
-
|
|
5
|
+
import { normalizePermissionsToGrants, serializeGrantsToPermissions, } from "./permissions.js";
|
|
6
|
+
import { createRequestExecution } from "./execution.js";
|
|
6
7
|
const DEFAULT_API_KEY_PREFIX = "cap_ak_";
|
|
7
8
|
const ANONYMOUS_CONTEXT = {
|
|
8
9
|
isAuthenticated: false,
|
|
9
10
|
type: "anonymous",
|
|
11
|
+
actor: {
|
|
12
|
+
kind: "anonymous",
|
|
13
|
+
id: "anonymous",
|
|
14
|
+
displayName: "Anonymous",
|
|
15
|
+
},
|
|
16
|
+
credential: {
|
|
17
|
+
kind: "anonymous",
|
|
18
|
+
subjectId: "anonymous",
|
|
19
|
+
presentedAt: new Date(0).toISOString(),
|
|
20
|
+
},
|
|
21
|
+
delegation: [],
|
|
22
|
+
grants: [],
|
|
10
23
|
};
|
|
11
24
|
// ── Cookie helpers ─────────────────────────────────────────────────
|
|
12
25
|
function parseCookies(header) {
|
|
@@ -40,6 +53,47 @@ export function createAuthMiddleware(config, deps) {
|
|
|
40
53
|
const apiKeyPrefix = config.apiKeys?.prefix ?? DEFAULT_API_KEY_PREFIX;
|
|
41
54
|
const authHeaderName = config.apiKeys?.headerName ?? "Authorization";
|
|
42
55
|
const trustedDomains = config.trustedDomains ?? [];
|
|
56
|
+
const sessionCookieName = config.session.cookieName ?? "capstan_session";
|
|
57
|
+
function syncEnvelope(authCtx) {
|
|
58
|
+
const envelope = {
|
|
59
|
+
actor: authCtx.actor,
|
|
60
|
+
credential: authCtx.credential,
|
|
61
|
+
delegation: authCtx.delegation,
|
|
62
|
+
grants: authCtx.grants,
|
|
63
|
+
};
|
|
64
|
+
if (authCtx.execution !== undefined) {
|
|
65
|
+
envelope.execution = authCtx.execution;
|
|
66
|
+
}
|
|
67
|
+
authCtx.envelope = envelope;
|
|
68
|
+
return authCtx;
|
|
69
|
+
}
|
|
70
|
+
async function enrichContext(authCtx, request) {
|
|
71
|
+
const extraGrants = await deps.resolveAdditionalGrants?.(authCtx, request);
|
|
72
|
+
if (extraGrants && extraGrants.length > 0) {
|
|
73
|
+
authCtx.grants = [...authCtx.grants, ...normalizePermissionsToGrants(extraGrants)];
|
|
74
|
+
authCtx.permissions = serializeGrantsToPermissions(authCtx.grants);
|
|
75
|
+
}
|
|
76
|
+
const execution = (await deps.resolveExecution?.(authCtx, request)) ??
|
|
77
|
+
createRequestExecution(request);
|
|
78
|
+
authCtx.execution = execution;
|
|
79
|
+
const delegation = await deps.resolveDelegation?.(authCtx, request);
|
|
80
|
+
if (delegation && delegation.length > 0) {
|
|
81
|
+
authCtx.delegation = delegation;
|
|
82
|
+
}
|
|
83
|
+
return syncEnvelope(authCtx);
|
|
84
|
+
}
|
|
85
|
+
function createCredential(kind, subjectId, options) {
|
|
86
|
+
const credential = {
|
|
87
|
+
kind,
|
|
88
|
+
subjectId,
|
|
89
|
+
presentedAt: new Date().toISOString(),
|
|
90
|
+
};
|
|
91
|
+
if (options?.expiresAt !== undefined)
|
|
92
|
+
credential.expiresAt = options.expiresAt;
|
|
93
|
+
if (options?.metadata !== undefined)
|
|
94
|
+
credential.metadata = options.metadata;
|
|
95
|
+
return credential;
|
|
96
|
+
}
|
|
43
97
|
return async (request) => {
|
|
44
98
|
let authCtx;
|
|
45
99
|
let accessToken;
|
|
@@ -54,6 +108,20 @@ export function createAuthMiddleware(config, deps) {
|
|
|
54
108
|
authCtx = {
|
|
55
109
|
isAuthenticated: true,
|
|
56
110
|
type: "workload",
|
|
111
|
+
actor: {
|
|
112
|
+
kind: "workload",
|
|
113
|
+
id: identity.spiffeId,
|
|
114
|
+
displayName: identity.workloadPath,
|
|
115
|
+
},
|
|
116
|
+
credential: createCredential("mtls", identity.spiffeId, {
|
|
117
|
+
metadata: {
|
|
118
|
+
certFingerprint: identity.certFingerprint,
|
|
119
|
+
trustDomain: identity.trustDomain,
|
|
120
|
+
workloadPath: identity.workloadPath,
|
|
121
|
+
},
|
|
122
|
+
}),
|
|
123
|
+
delegation: [],
|
|
124
|
+
grants: [],
|
|
57
125
|
spiffeId: identity.spiffeId,
|
|
58
126
|
certFingerprint: identity.certFingerprint,
|
|
59
127
|
};
|
|
@@ -63,19 +131,52 @@ export function createAuthMiddleware(config, deps) {
|
|
|
63
131
|
const cookieHeader = request.headers.get("cookie");
|
|
64
132
|
if (!authCtx && cookieHeader) {
|
|
65
133
|
const cookies = parseCookies(cookieHeader);
|
|
66
|
-
const sessionToken = cookies.get(
|
|
134
|
+
const sessionToken = cookies.get(sessionCookieName);
|
|
67
135
|
if (sessionToken) {
|
|
68
|
-
const payload = verifySession(sessionToken, config.session.secret
|
|
136
|
+
const payload = verifySession(sessionToken, config.session.secret, {
|
|
137
|
+
...(config.session.issuer !== undefined
|
|
138
|
+
? { issuer: config.session.issuer }
|
|
139
|
+
: {}),
|
|
140
|
+
...(config.session.audience !== undefined
|
|
141
|
+
? { audience: config.session.audience }
|
|
142
|
+
: {}),
|
|
143
|
+
});
|
|
69
144
|
if (payload) {
|
|
145
|
+
const grants = normalizePermissionsToGrants(payload.permissions ?? []);
|
|
70
146
|
const ctx = {
|
|
71
147
|
isAuthenticated: true,
|
|
72
148
|
type: "human",
|
|
149
|
+
actor: {
|
|
150
|
+
kind: "user",
|
|
151
|
+
id: payload.userId,
|
|
152
|
+
...(payload.displayName !== undefined
|
|
153
|
+
? { displayName: payload.displayName }
|
|
154
|
+
: {}),
|
|
155
|
+
...(payload.role !== undefined ? { role: payload.role } : {}),
|
|
156
|
+
...(payload.email !== undefined ? { email: payload.email } : {}),
|
|
157
|
+
...(payload.claims !== undefined ? { claims: payload.claims } : {}),
|
|
158
|
+
},
|
|
159
|
+
credential: createCredential("session", payload.userId, {
|
|
160
|
+
expiresAt: new Date(payload.exp * 1000).toISOString(),
|
|
161
|
+
metadata: {
|
|
162
|
+
issuedAt: new Date(payload.iat * 1000).toISOString(),
|
|
163
|
+
...(payload.sessionId !== undefined
|
|
164
|
+
? { sessionId: payload.sessionId }
|
|
165
|
+
: {}),
|
|
166
|
+
...(payload.iss !== undefined ? { issuer: payload.iss } : {}),
|
|
167
|
+
...(payload.aud !== undefined ? { audience: payload.aud } : {}),
|
|
168
|
+
},
|
|
169
|
+
}),
|
|
170
|
+
delegation: [],
|
|
171
|
+
grants,
|
|
73
172
|
userId: payload.userId,
|
|
74
173
|
};
|
|
75
174
|
if (payload.role !== undefined)
|
|
76
175
|
ctx.role = payload.role;
|
|
77
176
|
if (payload.email !== undefined)
|
|
78
177
|
ctx.email = payload.email;
|
|
178
|
+
if (payload.permissions !== undefined)
|
|
179
|
+
ctx.permissions = [...payload.permissions];
|
|
79
180
|
authCtx = ctx;
|
|
80
181
|
accessToken = sessionToken;
|
|
81
182
|
}
|
|
@@ -96,12 +197,27 @@ export function createAuthMiddleware(config, deps) {
|
|
|
96
197
|
if (credential && !credential.revokedAt) {
|
|
97
198
|
const valid = await verifyApiKey(token, credential.apiKeyHash);
|
|
98
199
|
if (valid) {
|
|
200
|
+
const grants = normalizePermissionsToGrants([
|
|
201
|
+
...credential.permissions,
|
|
202
|
+
...(credential.grants ?? []),
|
|
203
|
+
]);
|
|
99
204
|
authCtx = {
|
|
100
205
|
isAuthenticated: true,
|
|
101
206
|
type: "agent",
|
|
207
|
+
actor: {
|
|
208
|
+
kind: "agent",
|
|
209
|
+
id: credential.id,
|
|
210
|
+
displayName: credential.name,
|
|
211
|
+
...(credential.claims !== undefined
|
|
212
|
+
? { claims: credential.claims }
|
|
213
|
+
: {}),
|
|
214
|
+
},
|
|
215
|
+
credential: createCredential("api_key", credential.id),
|
|
216
|
+
delegation: [],
|
|
217
|
+
grants,
|
|
102
218
|
agentId: credential.id,
|
|
103
219
|
agentName: credential.name,
|
|
104
|
-
permissions:
|
|
220
|
+
permissions: serializeGrantsToPermissions(grants),
|
|
105
221
|
};
|
|
106
222
|
accessToken = token;
|
|
107
223
|
}
|
|
@@ -118,13 +234,32 @@ export function createAuthMiddleware(config, deps) {
|
|
|
118
234
|
const result = await validateDpopProof(dpopHeader, request.method, request.url, accessToken);
|
|
119
235
|
if (!result) {
|
|
120
236
|
// DPoP proof failed validation — treat as unauthenticated.
|
|
121
|
-
return ANONYMOUS_CONTEXT;
|
|
237
|
+
return syncEnvelope({ ...ANONYMOUS_CONTEXT });
|
|
122
238
|
}
|
|
123
239
|
// Bind the DPoP thumbprint to the auth context.
|
|
124
240
|
authCtx.dpopThumbprint = result.thumbprint;
|
|
241
|
+
authCtx.credential = createCredential("dpop", authCtx.actor.id, {
|
|
242
|
+
...(authCtx.credential.expiresAt !== undefined
|
|
243
|
+
? { expiresAt: authCtx.credential.expiresAt }
|
|
244
|
+
: {}),
|
|
245
|
+
metadata: {
|
|
246
|
+
...(authCtx.credential.metadata ?? {}),
|
|
247
|
+
thumbprint: result.thumbprint,
|
|
248
|
+
boundCredentialKind: authCtx.credential.kind,
|
|
249
|
+
},
|
|
250
|
+
});
|
|
125
251
|
}
|
|
126
252
|
// ── 5. Anonymous ─────────────────────────────────────────────
|
|
127
|
-
|
|
253
|
+
if (!authCtx) {
|
|
254
|
+
return enrichContext({
|
|
255
|
+
...ANONYMOUS_CONTEXT,
|
|
256
|
+
credential: {
|
|
257
|
+
...ANONYMOUS_CONTEXT.credential,
|
|
258
|
+
presentedAt: new Date().toISOString(),
|
|
259
|
+
},
|
|
260
|
+
}, request);
|
|
261
|
+
}
|
|
262
|
+
return enrichContext(authCtx, request);
|
|
128
263
|
};
|
|
129
264
|
}
|
|
130
265
|
//# sourceMappingURL=middleware.js.map
|
package/dist/middleware.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,EACL,4BAA4B,EAC5B,4BAA4B,GAC7B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAExD,MAAM,sBAAsB,GAAG,SAAS,CAAC;AACzC,MAAM,iBAAiB,GAAgB;IACrC,eAAe,EAAE,KAAK;IACtB,IAAI,EAAE,WAAW;IACjB,KAAK,EAAE;QACL,IAAI,EAAE,WAAW;QACjB,EAAE,EAAE,WAAW;QACf,WAAW,EAAE,WAAW;KACzB;IACD,UAAU,EAAE;QACV,IAAI,EAAE,WAAW;QACjB,SAAS,EAAE,WAAW;QACtB,WAAW,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE;KACvC;IACD,UAAU,EAAE,EAAE;IACd,MAAM,EAAE,EAAE;CACX,CAAC;AAEF,sEAAsE;AAEtE,SAAS,YAAY,CAAC,MAAc;IAClC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC1C,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,SAAS;QAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,uEAAuE;AAEvE;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAkB,EAClB,IAAsB;IAEtB,MAAM,YAAY,GAAG,MAAM,CAAC,OAAO,EAAE,MAAM,IAAI,sBAAsB,CAAC;IACtE,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,EAAE,UAAU,IAAI,eAAe,CAAC;IACrE,MAAM,cAAc,GAAG,MAAM,CAAC,cAAc,IAAI,EAAE,CAAC;IACnD,MAAM,iBAAiB,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,IAAI,iBAAiB,CAAC;IAEzE,SAAS,YAAY,CAAC,OAAoB;QACxC,MAAM,QAAQ,GAAiB;YAC7B,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC;QACF,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACpC,QAAQ,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACzC,CAAC;QACD,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAC5B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,UAAU,aAAa,CAC1B,OAAoB,EACpB,OAAgB;QAEhB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,uBAAuB,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC3E,IAAI,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1C,OAAO,CAAC,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,GAAG,4BAA4B,CAAC,WAAW,CAAC,CAAC,CAAC;YACnF,OAAO,CAAC,WAAW,GAAG,4BAA4B,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,SAAS,GACb,CAAC,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACjD,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAClC,OAAO,CAAC,SAAS,GAAG,SAAS,CAAC;QAC9B,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACpE,IAAI,UAAU,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxC,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC;QAClC,CAAC;QACD,OAAO,YAAY,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAED,SAAS,gBAAgB,CACvB,IAA6B,EAC7B,SAAiB,EACjB,OAGC;QAED,MAAM,UAAU,GAAoB;YAClC,IAAI;YACJ,SAAS;YACT,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACtC,CAAC;QACF,IAAI,OAAO,EAAE,SAAS,KAAK,SAAS;YAAE,UAAU,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QAC/E,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS;YAAE,UAAU,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAC5E,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,OAAO,KAAK,EAAE,OAAgB,EAAwB,EAAE;QACtD,IAAI,OAAgC,CAAC;QACrC,IAAI,WAA+B,CAAC;QAEpC,gEAAgE;QAChE,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAuC,EAAE,CAAC;YACvD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;gBACrD,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACvB,CAAC;YAED,MAAM,QAAQ,GAAG,uBAAuB,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;YAClE,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,GAAG;oBACR,eAAe,EAAE,IAAI;oBACrB,IAAI,EAAE,UAAU;oBAChB,KAAK,EAAE;wBACL,IAAI,EAAE,UAAU;wBAChB,EAAE,EAAE,QAAQ,CAAC,QAAQ;wBACrB,WAAW,EAAE,QAAQ,CAAC,YAAY;qBACnC;oBACD,UAAU,EAAE,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,EAAE;wBACtD,QAAQ,EAAE;4BACR,eAAe,EAAE,QAAQ,CAAC,eAAe;4BACzC,WAAW,EAAE,QAAQ,CAAC,WAAW;4BACjC,YAAY,EAAE,QAAQ,CAAC,YAAY;yBACpC;qBACF,CAAC;oBACF,UAAU,EAAE,EAAE;oBACd,MAAM,EAAE,EAAE;oBACV,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,eAAe,EAAE,QAAQ,CAAC,eAAe;iBAC1C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,OAAO,IAAI,YAAY,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;YAC3C,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YAEpD,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,OAAO,GAAG,aAAa,CAAC,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE;oBACjE,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,KAAK,SAAS;wBACrC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE;wBACnC,CAAC,CAAC,EAAE,CAAC;oBACP,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,KAAK,SAAS;wBACvC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE;wBACvC,CAAC,CAAC,EAAE,CAAC;iBACR,CAAC,CAAC;gBACH,IAAI,OAAO,EAAE,CAAC;oBACZ,MAAM,MAAM,GAAG,4BAA4B,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;oBACvE,MAAM,GAAG,GAAgB;wBACvB,eAAe,EAAE,IAAI;wBACrB,IAAI,EAAE,OAAO;wBACb,KAAK,EAAE;4BACL,IAAI,EAAE,MAAM;4BACZ,EAAE,EAAE,OAAO,CAAC,MAAM;4BAClB,GAAG,CAAC,OAAO,CAAC,WAAW,KAAK,SAAS;gCACnC,CAAC,CAAC,EAAE,WAAW,EAAE,OAAO,CAAC,WAAW,EAAE;gCACtC,CAAC,CAAC,EAAE,CAAC;4BACP,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;4BAC7D,GAAG,CAAC,OAAO,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;4BAChE,GAAG,CAAC,OAAO,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;yBACpE;wBACD,UAAU,EAAE,gBAAgB,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,EAAE;4BACtD,SAAS,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;4BACrD,QAAQ,EAAE;gCACR,QAAQ,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;gCACpD,GAAG,CAAC,OAAO,CAAC,SAAS,KAAK,SAAS;oCACjC,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE;oCAClC,CAAC,CAAC,EAAE,CAAC;gCACP,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gCAC7D,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;6BAChE;yBACF,CAAC;wBACF,UAAU,EAAE,EAAE;wBACd,MAAM;wBACN,MAAM,EAAE,OAAO,CAAC,MAAM;qBACvB,CAAC;oBACF,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS;wBAAE,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;oBACxD,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS;wBAAE,GAAG,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;oBAC3D,IAAI,OAAO,CAAC,WAAW,KAAK,SAAS;wBAAE,GAAG,CAAC,WAAW,GAAG,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;oBAClF,OAAO,GAAG,GAAG,CAAC;oBACd,WAAW,GAAG,YAAY,CAAC;gBAC7B,CAAC;YACH,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YACvD,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC;oBAC5C,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;oBACrB,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,OAAO,CAAC;wBAC9B,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;wBACrB,CAAC,CAAC,IAAI,CAAC;gBAEX,IAAI,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,oBAAoB,EAAE,CAAC;oBACzE,MAAM,MAAM,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;oBAC1C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;oBAE3D,IAAI,UAAU,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC;wBACxC,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,KAAK,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;wBAC/D,IAAI,KAAK,EAAE,CAAC;4BACV,MAAM,MAAM,GAAG,4BAA4B,CAAC;gCAC1C,GAAG,UAAU,CAAC,WAAW;gCACzB,GAAG,CAAC,UAAU,CAAC,MAAM,IAAI,EAAE,CAAC;6BAC7B,CAAC,CAAC;4BACH,OAAO,GAAG;gCACR,eAAe,EAAE,IAAI;gCACrB,IAAI,EAAE,OAAO;gCACb,KAAK,EAAE;oCACL,IAAI,EAAE,OAAO;oCACb,EAAE,EAAE,UAAU,CAAC,EAAE;oCACjB,WAAW,EAAE,UAAU,CAAC,IAAI;oCAC5B,GAAG,CAAC,UAAU,CAAC,MAAM,KAAK,SAAS;wCACjC,CAAC,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE;wCAC/B,CAAC,CAAC,EAAE,CAAC;iCACR;gCACD,UAAU,EAAE,gBAAgB,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,CAAC;gCACtD,UAAU,EAAE,EAAE;gCACd,MAAM;gCACN,OAAO,EAAE,UAAU,CAAC,EAAE;gCACtB,SAAS,EAAE,UAAU,CAAC,IAAI;gCAC1B,WAAW,EAAE,4BAA4B,CAAC,MAAM,CAAC;6BAClD,CAAC;4BACF,WAAW,GAAG,KAAK,CAAC;wBACtB,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,+DAA+D;QAC/D,gEAAgE;QAChE,gEAAgE;QAChE,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC/C,IAAI,UAAU,IAAI,OAAO,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,MAAM,iBAAiB,CACpC,UAAU,EACV,OAAO,CAAC,MAAM,EACd,OAAO,CAAC,GAAG,EACX,WAAW,CACZ,CAAC;YAEF,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,2DAA2D;gBAC3D,OAAO,YAAY,CAAC,EAAE,GAAG,iBAAiB,EAAE,CAAC,CAAC;YAChD,CAAC;YAED,gDAAgD;YAChD,OAAO,CAAC,cAAc,GAAG,MAAM,CAAC,UAAU,CAAC;YAC3C,OAAO,CAAC,UAAU,GAAG,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,EAAE,EAAE;gBAC9D,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,SAAS,KAAK,SAAS;oBAC5C,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,SAAS,EAAE;oBAC7C,CAAC,CAAC,EAAE,CAAC;gBACP,QAAQ,EAAE;oBACR,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,IAAI,EAAE,CAAC;oBACtC,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,mBAAmB,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;iBAC7C;aACF,CAAC,CAAC;QACL,CAAC;QAED,gEAAgE;QAChE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,aAAa,CAClB;gBACE,GAAG,iBAAiB;gBACpB,UAAU,EAAE;oBACV,GAAG,iBAAiB,CAAC,UAAU;oBAC/B,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACtC;aACF,EACD,OAAO,CACR,CAAC;QACJ,CAAC;QACD,OAAO,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACzC,CAAC,CAAC;AACJ,CAAC"}
|
package/dist/oauth.d.ts
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import type { AuthCookieConfig } from "./types.js";
|
|
1
2
|
export interface OAuthProvider {
|
|
2
3
|
name: string;
|
|
3
4
|
authorizeUrl: string;
|
|
@@ -10,7 +11,15 @@ export interface OAuthProvider {
|
|
|
10
11
|
export interface OAuthConfig {
|
|
11
12
|
providers: OAuthProvider[];
|
|
12
13
|
callbackPath?: string;
|
|
13
|
-
sessionSecret
|
|
14
|
+
sessionSecret?: string;
|
|
15
|
+
session?: {
|
|
16
|
+
secret?: string;
|
|
17
|
+
maxAge?: string;
|
|
18
|
+
cookieName?: string;
|
|
19
|
+
cookie?: AuthCookieConfig;
|
|
20
|
+
};
|
|
21
|
+
successRedirectPath?: string;
|
|
22
|
+
stateCookieName?: string;
|
|
14
23
|
}
|
|
15
24
|
/** Pre-built Google OAuth provider */
|
|
16
25
|
export declare function googleProvider(opts: {
|
package/dist/oauth.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAInD,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,aAAa,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE;QACR,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,gBAAgB,CAAC;KAC3B,CAAC;IACF,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAkBD,sCAAsC;AACtC,wBAAgB,cAAc,CAAC,IAAI,EAAE;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,aAAa,CAUhB;AAED,sCAAsC;AACtC,wBAAgB,cAAc,CAAC,IAAI,EAAE;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,aAAa,CAUhB;AAwCD,MAAM,WAAW,aAAa;IAC5B,6DAA6D;IAC7D,KAAK,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,KAAK,QAAQ,CAAC;IAC5D,iEAAiE;IACjE,QAAQ,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CACnD;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,WAAW,EACnB,OAAO,GAAE,OAAO,UAAU,CAAC,KAAwB,GAClD,aAAa,CA4Lf"}
|
package/dist/oauth.js
CHANGED
|
@@ -43,6 +43,20 @@ function parseCookies(header) {
|
|
|
43
43
|
}
|
|
44
44
|
return cookies;
|
|
45
45
|
}
|
|
46
|
+
function buildCookie(name, value, options) {
|
|
47
|
+
const parts = [`${name}=${value}`];
|
|
48
|
+
parts.push(`Path=${options?.path ?? "/"}`);
|
|
49
|
+
if (options?.domain)
|
|
50
|
+
parts.push(`Domain=${options.domain}`);
|
|
51
|
+
if (options?.httpOnly !== false)
|
|
52
|
+
parts.push("HttpOnly");
|
|
53
|
+
parts.push(`SameSite=${options?.sameSite ?? "Lax"}`);
|
|
54
|
+
if (options?.secure)
|
|
55
|
+
parts.push("Secure");
|
|
56
|
+
if (options?.maxAge !== undefined)
|
|
57
|
+
parts.push(`Max-Age=${options.maxAge}`);
|
|
58
|
+
return parts.join("; ");
|
|
59
|
+
}
|
|
46
60
|
/**
|
|
47
61
|
* Create OAuth route handlers.
|
|
48
62
|
* Returns handlers for:
|
|
@@ -51,6 +65,13 @@ function parseCookies(header) {
|
|
|
51
65
|
*/
|
|
52
66
|
export function createOAuthHandlers(config, fetchFn = globalThis.fetch) {
|
|
53
67
|
const callbackPath = config.callbackPath ?? "/auth/callback";
|
|
68
|
+
const stateCookieName = config.stateCookieName ?? "capstan_oauth_state";
|
|
69
|
+
const sessionCookieName = config.session?.cookieName ?? "capstan_session";
|
|
70
|
+
const resolvedSessionSecret = config.session?.secret ?? config.sessionSecret;
|
|
71
|
+
if (!resolvedSessionSecret) {
|
|
72
|
+
throw new Error("OAuthConfig requires session.secret or sessionSecret");
|
|
73
|
+
}
|
|
74
|
+
const sessionSecret = resolvedSessionSecret;
|
|
54
75
|
const providerMap = new Map();
|
|
55
76
|
for (const p of config.providers) {
|
|
56
77
|
providerMap.set(p.name, p);
|
|
@@ -73,7 +94,9 @@ export function createOAuthHandlers(config, fetchFn = globalThis.fetch) {
|
|
|
73
94
|
status: 302,
|
|
74
95
|
headers: {
|
|
75
96
|
location: authorizeUrl.toString(),
|
|
76
|
-
"set-cookie":
|
|
97
|
+
"set-cookie": buildCookie(stateCookieName, `${providerName}:${state}`, {
|
|
98
|
+
maxAge: 600,
|
|
99
|
+
}),
|
|
77
100
|
},
|
|
78
101
|
});
|
|
79
102
|
}
|
|
@@ -87,7 +110,7 @@ export function createOAuthHandlers(config, fetchFn = globalThis.fetch) {
|
|
|
87
110
|
// Validate state against cookie
|
|
88
111
|
const cookieHeader = request.headers.get("cookie") ?? "";
|
|
89
112
|
const cookies = parseCookies(cookieHeader);
|
|
90
|
-
const storedState = cookies.get(
|
|
113
|
+
const storedState = cookies.get(stateCookieName);
|
|
91
114
|
if (!storedState || storedState !== stateParam) {
|
|
92
115
|
return new Response(JSON.stringify({ error: "Invalid state parameter" }), { status: 403, headers: { "content-type": "application/json" } });
|
|
93
116
|
}
|
|
@@ -151,17 +174,23 @@ export function createOAuthHandlers(config, fetchFn = globalThis.fetch) {
|
|
|
151
174
|
const userId = userInfo.sub ?? userInfo.id?.toString() ?? userInfo.login ?? "unknown";
|
|
152
175
|
const sessionData = {
|
|
153
176
|
userId: `${providerName}:${userId}`,
|
|
177
|
+
...(userInfo.name !== undefined ? { displayName: userInfo.name } : {}),
|
|
154
178
|
};
|
|
155
179
|
if (userInfo.email !== undefined) {
|
|
156
180
|
sessionData.email = userInfo.email;
|
|
157
181
|
}
|
|
158
|
-
const sessionToken = signSession(sessionData, config.
|
|
182
|
+
const sessionToken = signSession(sessionData, sessionSecret, config.session?.maxAge !== undefined
|
|
183
|
+
? { maxAge: config.session.maxAge }
|
|
184
|
+
: undefined);
|
|
159
185
|
// Set session cookie and redirect to /
|
|
160
186
|
return new Response(null, {
|
|
161
187
|
status: 302,
|
|
162
188
|
headers: {
|
|
163
|
-
location: "/",
|
|
164
|
-
"set-cookie":
|
|
189
|
+
location: config.successRedirectPath ?? "/",
|
|
190
|
+
"set-cookie": buildCookie(sessionCookieName, sessionToken, {
|
|
191
|
+
...(config.session?.cookie ?? {}),
|
|
192
|
+
maxAge: 604800,
|
|
193
|
+
}),
|
|
165
194
|
},
|
|
166
195
|
});
|
|
167
196
|
}
|