cloudflare-access 1.0.0

package/dist/adapters/effect/index.d.ts

@@ -0,0 +1,167 @@
+import { C as CloudflareAccessConfig, g as CloudflareAccessUser, c as CloudflareAccessError } from '../../jwks-ChdyyS_L.js';
+export { A as AccessDeniedError, a as AuthRequiredError, b as AuthResult, d as CloudflareAccessErrorCode, e as CloudflareAccessMiddlewareEnv, f as CloudflareAccessPayload, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, t as toAuthError } from '../../jwks-ChdyyS_L.js';
+export { g as getCloudflareAccessConfigFromEnv } from '../../config-ottUdc-K.js';
+import { Schema, Context, Redacted, Effect, Layer, Option } from 'effect';
+import * as _effect_platform_HttpRouter from '@effect/platform/HttpRouter';
+import { HttpApiMiddleware, HttpApiSecurity, HttpServerRequest } from '@effect/platform';
+import * as effect_Either from 'effect/Either';
+import 'jose';
+
+/**
+ * Options for creating Cloudflare Access middleware
+ */
+interface CloudflareAccessMiddlewareOptions {
+    /** Cloudflare Access configuration */
+    accessConfig: CloudflareAccessConfig;
+    /** Optional email allowlist */
+    allowedEmails?: string[];
+    /** Skip validation in development */
+    skipInDev?: boolean;
+    /** Environment identifier */
+    environment?: string;
+}
+
+declare const Unauthorized_base: Schema.TaggedErrorClass<Unauthorized, "Unauthorized", {
+    readonly _tag: Schema.tag<"Unauthorized">;
+} & {
+    message: typeof Schema.String;
+    code: typeof Schema.String;
+}>;
+/**
+ * Unauthorized error schema for Effect Platform
+ */
+declare class Unauthorized extends Unauthorized_base {
+}
+declare const Forbidden_base: Schema.TaggedErrorClass<Forbidden, "Forbidden", {
+    readonly _tag: Schema.tag<"Forbidden">;
+} & {
+    message: typeof Schema.String;
+    email: typeof Schema.String;
+}>;
+/**
+ * Forbidden error schema for Effect Platform
+ */
+declare class Forbidden extends Forbidden_base {
+}
+
+declare const CurrentUser_base: Context.TagClass<CurrentUser, "cloudflare-access/CurrentUser", CloudflareAccessUser>;
+/**
+ * Context Tag for the authenticated user.
+ * Use this to access the current user in your handlers.
+ *
+ * @example
+ * ```typescript
+ * import { Effect } from "effect";
+ * import { CurrentUser } from "cloudflare-access/effect";
+ *
+ * const handler = Effect.gen(function* () {
+ *   const user = yield* CurrentUser;
+ *   console.log(`Hello ${user.email}`);
+ *   return user;
+ * });
+ * ```
+ */
+declare class CurrentUser extends CurrentUser_base {
+}
+
+declare const CloudflareAccessAuth_base: HttpApiMiddleware.TagClass.BaseSecurity<CloudflareAccessAuth, "CloudflareAccessAuth", {
+    readonly provides: typeof CurrentUser;
+    readonly failure: Schema.Union<[typeof Unauthorized, typeof Forbidden]>;
+    readonly security: {
+        readonly bearer: HttpApiSecurity.Bearer;
+    };
+}, {
+    readonly bearer: (_: Redacted.Redacted<string>) => Effect.Effect<CloudflareAccessUser, Unauthorized | Forbidden, _effect_platform_HttpRouter.HttpRouter.Provided>;
+}, {
+    readonly bearer: HttpApiSecurity.Bearer;
+}>;
+/**
+ * Cloudflare Access authentication middleware class.
+ *
+ * Use this class directly in your API middleware definitions.
+ *
+ * @example
+ * ```typescript
+ * import { HttpApi, HttpApiGroup, HttpApiEndpoint } from "@effect/platform";
+ * import { Schema, Effect, Layer } from "effect";
+ * import {
+ *   CloudflareAccessAuth,
+ *   CurrentUser,
+ *   makeCloudflareAccessLive,
+ *   Unauthorized,
+ *   Forbidden
+ * } from "cloudflare-access/effect";
+ *
+ * // Configure the middleware
+ * const CloudflareAccessLive = makeCloudflareAccessLive({
+ *   accessConfig: {
+ *     teamDomain: "https://yourteam.cloudflareaccess.com",
+ *     audTag: "your-audience-tag",
+ *   },
+ *   allowedEmails: ["admin@example.com"],
+ *   skipInDev: true,
+ *   environment: "dev",
+ * });
+ *
+ * // Define API with protected endpoints
+ * const User = Schema.Struct({ email: Schema.String });
+ *
+ * const api = HttpApi.make("api").add(
+ *   HttpApiGroup.make("users").add(
+ *     HttpApiEndpoint.get("profile", "/profile")
+ *       .addSuccess(User)
+ *       .middleware(CloudflareAccessAuth)
+ *   )
+ * );
+ *
+ * // Implement handlers with access to CurrentUser
+ * const UsersLive = HttpApiBuilder.group(api, "users", (handlers) =>
+ *   Effect.gen(function* () {
+ *     const user = yield* CurrentUser;
+ *     return handlers.handle("profile", () =>
+ *       Effect.succeed({ email: user.email })
+ *     );
+ *   })
+ * ).pipe(Layer.provide(CloudflareAccessLive));
+ * ```
+ */
+declare class CloudflareAccessAuth extends CloudflareAccessAuth_base {
+}
+/**
+ * Create a Layer that implements Cloudflare Access authentication.
+ *
+ * This layer validates the Cloudflare Access JWT token from the request
+ * and provides the authenticated user via the CurrentUser context.
+ *
+ * @param options Configuration for Cloudflare Access
+ * @returns Layer that provides authentication
+ */
+declare const makeCloudflareAccessLive: (options: CloudflareAccessMiddlewareOptions) => Layer.Layer<CloudflareAccessAuth, never, never>;
+
+/**
+ * Extract Cloudflare Access token from request headers.
+ * Looks for CF-Access-JWT-Assertion header.
+ *
+ * @param request HTTP server request
+ * @returns Option with token if present
+ */
+declare const extractToken: (request: HttpServerRequest.HttpServerRequest) => Option.Option<string>;
+/**
+ * Authenticate using the CF-Access-JWT-Assertion header directly.
+ * This bypasses the HttpApiSecurity bearer token pattern.
+ *
+ * @param request HTTP server request
+ * @param options Authentication options
+ * @returns Effect with authenticated user or error
+ */
+declare const authenticateRequest: (request: HttpServerRequest.HttpServerRequest, options: CloudflareAccessMiddlewareOptions) => Effect.Effect<CloudflareAccessUser, CloudflareAccessError, never>;
+/**
+ * Get user as Option (returns None on auth failure)
+ */
+declare const getUser: (request: HttpServerRequest.HttpServerRequest, options: CloudflareAccessMiddlewareOptions) => Effect.Effect<Option.Option<CloudflareAccessUser>, never, never>;
+/**
+ * Authenticate and return Either (for explicit error handling)
+ */
+declare const authenticateEither: (request: HttpServerRequest.HttpServerRequest, options: CloudflareAccessMiddlewareOptions) => Effect.Effect<effect_Either.Either<CloudflareAccessUser, CloudflareAccessError>, never, never>;
+
+export { CloudflareAccessAuth, CloudflareAccessConfig, CloudflareAccessError, type CloudflareAccessMiddlewareOptions, CloudflareAccessUser, CurrentUser, Forbidden, Unauthorized, authenticateEither, authenticateRequest, extractToken, getUser, makeCloudflareAccessLive };

package/dist/adapters/effect/index.js

@@ -0,0 +1,221 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+var _chunkWUJPWM4Tjs = require('../../chunk-WUJPWM4T.js');
+
+// src/adapters/effect/errors.ts
+var _effect = require('effect');
+var _platform = require('@effect/platform');
+var Unauthorized = class extends _effect.Schema.TaggedError()(
+  "Unauthorized",
+  {
+    message: _effect.Schema.String,
+    code: _effect.Schema.String
+  },
+  _platform.HttpApiSchema.annotations({ status: 401 })
+) {
+};
+var Forbidden = class extends _effect.Schema.TaggedError()(
+  "Forbidden",
+  {
+    message: _effect.Schema.String,
+    email: _effect.Schema.String
+  },
+  _platform.HttpApiSchema.annotations({ status: 403 })
+) {
+};
+
+// src/adapters/effect/context.ts
+
+var CurrentUser = class extends _effect.Context.Tag("cloudflare-access/CurrentUser")() {
+};
+
+// src/adapters/effect/middleware.ts
+
+
+var CloudflareAccessAuth = class extends _platform.HttpApiMiddleware.Tag()(
+  "CloudflareAccessAuth",
+  {
+    provides: CurrentUser,
+    failure: _effect.Schema.Union(Unauthorized, Forbidden),
+    security: {
+      bearer: _platform.HttpApiSecurity.bearer
+    }
+  }
+) {
+};
+var makeCloudflareAccessLive = (options) => {
+  return _effect.Layer.succeed(
+    CloudflareAccessAuth,
+    CloudflareAccessAuth.of({
+      bearer: (bearerToken) => _effect.Effect.gen(function* () {
+        const request = yield* _platform.HttpServerRequest.HttpServerRequest;
+        const token = _effect.Redacted.value(bearerToken);
+        const result = yield* _effect.Effect.promise(
+          () => _chunkWUJPWM4Tjs.validateCloudflareAccessToken.call(void 0, 
+            token,
+            {
+              accessConfig: options.accessConfig,
+              allowedEmails: options.allowedEmails,
+              skipInDev: options.skipInDev,
+              environment: options.environment
+            },
+            request.url
+          )
+        );
+        if (!result.success) {
+          const errorCode = _nullishCoalesce(_optionalChain([result, 'access', _ => _.error, 'optionalAccess', _2 => _2.code]), () => ( _chunkWUJPWM4Tjs.CloudflareAccessErrorCode.INVALID_TOKEN));
+          const errorMessage = _nullishCoalesce(_optionalChain([result, 'access', _3 => _3.error, 'optionalAccess', _4 => _4.message]), () => ( "Authentication failed"));
+          if (errorCode === _chunkWUJPWM4Tjs.CloudflareAccessErrorCode.AUTH_REQUIRED) {
+            return yield* _effect.Effect.fail(
+              new Unauthorized({ message: errorMessage, code: "AUTH_REQUIRED" })
+            );
+          }
+          if (errorCode === _chunkWUJPWM4Tjs.CloudflareAccessErrorCode.ACCESS_DENIED) {
+            return yield* _effect.Effect.fail(
+              new Forbidden({
+                message: errorMessage,
+                email: _nullishCoalesce(_optionalChain([result, 'access', _5 => _5.user, 'optionalAccess', _6 => _6.email]), () => ( "unknown"))
+              })
+            );
+          }
+          return yield* _effect.Effect.fail(new Unauthorized({ message: errorMessage, code: errorCode }));
+        }
+        if (!result.user) {
+          return {
+            email: "dev@example.com",
+            userId: "dev-user",
+            country: "dev"
+          };
+        }
+        return result.user;
+      })
+    })
+  );
+};
+
+// src/adapters/effect/utils.ts
+
+var extractToken = (request) => {
+  const token = request.headers["cf-access-jwt-assertion"];
+  return _effect.Option.fromNullable(token);
+};
+var authenticateRequest = (request, options) => {
+  return _effect.Effect.gen(function* () {
+    const token = extractToken(request);
+    const result = yield* _effect.Effect.tryPromise({
+      try: async () => {
+        return await _chunkWUJPWM4Tjs.validateCloudflareAccessToken.call(void 0, 
+          _effect.Option.getOrUndefined(token),
+          {
+            accessConfig: options.accessConfig,
+            allowedEmails: options.allowedEmails,
+            skipInDev: options.skipInDev,
+            environment: options.environment
+          },
+          request.url
+        );
+      },
+      catch: (error) => {
+        if (_chunkWUJPWM4Tjs.isCloudflareAccessError.call(void 0, error)) {
+          return error;
+        }
+        return new (0, _chunkWUJPWM4Tjs.CloudflareAccessError)(
+          _chunkWUJPWM4Tjs.CloudflareAccessErrorCode.INVALID_TOKEN,
+          error instanceof Error ? error.message : "Unknown error",
+          { context: { requestUrl: request.url } }
+        );
+      }
+    });
+    if (result instanceof _chunkWUJPWM4Tjs.CloudflareAccessError) {
+      return yield* _effect.Effect.fail(result);
+    }
+    if (!result.success) {
+      const errorCode = _nullishCoalesce(_optionalChain([result, 'access', _7 => _7.error, 'optionalAccess', _8 => _8.code]), () => ( _chunkWUJPWM4Tjs.CloudflareAccessErrorCode.INVALID_TOKEN));
+      const errorMessage = _nullishCoalesce(_optionalChain([result, 'access', _9 => _9.error, 'optionalAccess', _10 => _10.message]), () => ( "Authentication failed"));
+      switch (errorCode) {
+        case _chunkWUJPWM4Tjs.CloudflareAccessErrorCode.AUTH_REQUIRED:
+          return yield* _effect.Effect.fail(
+            new (0, _chunkWUJPWM4Tjs.AuthRequiredError)({
+              context: { requestUrl: request.url, ...result.error.context }
+            })
+          );
+        case _chunkWUJPWM4Tjs.CloudflareAccessErrorCode.ACCESS_DENIED:
+          return yield* _effect.Effect.fail(
+            new (0, _chunkWUJPWM4Tjs.AccessDeniedError)(_nullishCoalesce(_optionalChain([result, 'access', _11 => _11.user, 'optionalAccess', _12 => _12.email]), () => ( "unknown")), {
+              requestUrl: request.url,
+              allowedEmails: options.allowedEmails
+            })
+          );
+        case _chunkWUJPWM4Tjs.CloudflareAccessErrorCode.INVALID_TOKEN:
+          return yield* _effect.Effect.fail(
+            new (0, _chunkWUJPWM4Tjs.InvalidTokenError)(errorMessage, {
+              requestUrl: request.url
+            })
+          );
+        default:
+          return yield* _effect.Effect.fail(
+            new (0, _chunkWUJPWM4Tjs.CloudflareAccessError)(errorCode, errorMessage, {
+              context: { requestUrl: request.url, ...result.error.context }
+            })
+          );
+      }
+    }
+    if (!result.user) {
+      return {
+        email: "dev@example.com",
+        userId: "dev-user",
+        country: "dev"
+      };
+    }
+    return result.user;
+  });
+};
+var getUser = (request, options) => {
+  return authenticateRequest(request, options).pipe(
+    _effect.Effect.map((user) => _effect.Option.some(user)),
+    _effect.Effect.catchAll(() => _effect.Effect.succeed(_effect.Option.none()))
+  );
+};
+var authenticateEither = (request, options) => {
+  return _effect.Effect.either(authenticateRequest(request, options));
+};
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.AccessDeniedError = _chunkWUJPWM4Tjs.AccessDeniedError; exports.AuthRequiredError = _chunkWUJPWM4Tjs.AuthRequiredError; exports.CloudflareAccessAuth = CloudflareAccessAuth; exports.CloudflareAccessError = _chunkWUJPWM4Tjs.CloudflareAccessError; exports.CloudflareAccessErrorCode = _chunkWUJPWM4Tjs.CloudflareAccessErrorCode; exports.ConfigurationError = _chunkWUJPWM4Tjs.ConfigurationError; exports.CurrentUser = CurrentUser; exports.Forbidden = Forbidden; exports.InvalidTokenError = _chunkWUJPWM4Tjs.InvalidTokenError; exports.Unauthorized = Unauthorized; exports.__clearJwksCache = _chunkWUJPWM4Tjs.__clearJwksCache; exports.authenticateEither = authenticateEither; exports.authenticateRequest = authenticateRequest; exports.extractToken = extractToken; exports.getCloudflareAccessConfigFromEnv = _chunkWUJPWM4Tjs.getCloudflareAccessConfigFromEnv; exports.getUser = getUser; exports.isAccessDeniedError = _chunkWUJPWM4Tjs.isAccessDeniedError; exports.isAuthRequiredError = _chunkWUJPWM4Tjs.isAuthRequiredError; exports.isCloudflareAccessError = _chunkWUJPWM4Tjs.isCloudflareAccessError; exports.isConfigurationError = _chunkWUJPWM4Tjs.isConfigurationError; exports.isInvalidTokenError = _chunkWUJPWM4Tjs.isInvalidTokenError; exports.makeCloudflareAccessLive = makeCloudflareAccessLive; exports.toAuthError = _chunkWUJPWM4Tjs.toAuthError;
+//# sourceMappingURL=index.js.map

package/dist/adapters/effect/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/v000281/personal/hono-cloudflare-access-middleware/dist/adapters/effect/index.js","../../../src/adapters/effect/errors.ts","../../../src/adapters/effect/context.ts","../../../src/adapters/effect/middleware.ts","../../../src/adapters/effect/utils.ts"],"names":["Schema","Effect"],"mappings":"AAAA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,0DAAgC;AAChC;AACA;AClBA,gCAAuB;AACvB,4CAA8B;AAKvB,IAAM,aAAA,EAAN,MAAA,QAA2B,cAAA,CAAO,WAAA,CAA0B,CAAA;AAAA,EACjE,cAAA;AAAA,EACA;AAAA,IACE,OAAA,EAAS,cAAA,CAAO,MAAA;AAAA,IAChB,IAAA,EAAM,cAAA,CAAO;AAAA,EACf,CAAA;AAAA,EACA,uBAAA,CAAc,WAAA,CAAY,EAAE,MAAA,EAAQ,IAAI,CAAC;AAC3C,EAAE;AAAC,CAAA;AAKI,IAAM,UAAA,EAAN,MAAA,QAAwB,cAAA,CAAO,WAAA,CAAuB,CAAA;AAAA,EAC3D,WAAA;AAAA,EACA;AAAA,IACE,OAAA,EAAS,cAAA,CAAO,MAAA;AAAA,IAChB,KAAA,EAAO,cAAA,CAAO;AAAA,EAChB,CAAA;AAAA,EACA,uBAAA,CAAc,WAAA,CAAY,EAAE,MAAA,EAAQ,IAAI,CAAC;AAC3C,EAAE;AAAC,CAAA;ADcH;AACA;AExCA;AAmBO,IAAM,YAAA,EAAN,MAAA,QAA0B,eAAA,CAAQ,GAAA,CAAI,+BAA+B,CAAA,CAG1E,EAAE;AAAC,CAAA;AFsBL;AACA;AG7CA;AACA;AAwDO,IAAM,qBAAA,EAAN,MAAA,QAAmC,2BAAA,CAAkB,GAAA,CAA0B,CAAA;AAAA,EACpF,sBAAA;AAAA,EACA;AAAA,IACE,QAAA,EAAU,WAAA;AAAA,IACV,OAAA,EAASA,cAAAA,CAAO,KAAA,CAAM,YAAA,EAAc,SAAS,CAAA;AAAA,IAC7C,QAAA,EAAU;AAAA,MACR,MAAA,EAAQ,yBAAA,CAAgB;AAAA,IAC1B;AAAA,EACF;AACF,EAAE;AAAC,CAAA;AAWI,IAAM,yBAAA,EAA2B,CAAC,OAAA,EAAA,GAA+C;AACtF,EAAA,OAAO,aAAA,CAAM,OAAA;AAAA,IACX,oBAAA;AAAA,IACA,oBAAA,CAAqB,EAAA,CAAG;AAAA,MACtB,MAAA,EAAQ,CAAC,WAAA,EAAA,GACP,cAAA,CAAO,GAAA,CAAI,QAAA,EAAA,CAAA,EAAa;AACtB,QAAA,MAAM,QAAA,EAAU,KAAA,EAAO,2BAAA,CAAkB,iBAAA;AACzC,QAAA,MAAM,MAAA,EAAQ,gBAAA,CAAS,KAAA,CAAM,WAAW,CAAA;AAGxC,QAAA,MAAM,OAAA,EAAS,KAAA,EAAO,cAAA,CAAO,OAAA;AAAA,UAAQ,CAAA,EAAA,GACnC,4DAAA;AAAA,YACE,KAAA;AAAA,YACA;AAAA,cACE,YAAA,EAAc,OAAA,CAAQ,YAAA;AAAA,cACtB,aAAA,EAAe,OAAA,CAAQ,aAAA;AAAA,cACvB,SAAA,EAAW,OAAA,CAAQ,SAAA;AAAA,cACnB,WAAA,EAAa,OAAA,CAAQ;AAAA,YACvB,CAAA;AAAA,YACA,OAAA,CAAQ;AAAA,UACV;AAAA,QACF,CAAA;AAGA,QAAA,GAAA,CAAI,CAAC,MAAA,CAAO,OAAA,EAAS;AACnB,UAAA,MAAM,UAAA,mCAAY,MAAA,mBAAO,KAAA,6BAAO,MAAA,UAAQ,0CAAA,CAA0B,eAAA;AAClE,UAAA,MAAM,aAAA,mCAAe,MAAA,qBAAO,KAAA,6BAAO,SAAA,UAAW,yBAAA;AAE9C,UAAA,GAAA,CAAI,UAAA,IAAc,0CAAA,CAA0B,aAAA,EAAe;AACzD,YAAA,OAAO,KAAA,EAAO,cAAA,CAAO,IAAA;AAAA,cACnB,IAAI,YAAA,CAAa,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,gBAAgB,CAAC;AAAA,YACnE,CAAA;AAAA,UACF;AAEA,UAAA,GAAA,CAAI,UAAA,IAAc,0CAAA,CAA0B,aAAA,EAAe;AACzD,YAAA,OAAO,KAAA,EAAO,cAAA,CAAO,IAAA;AAAA,cACnB,IAAI,SAAA,CAAU;AAAA,gBACZ,OAAA,EAAS,YAAA;AAAA,gBACT,KAAA,mCAAO,MAAA,qBAAO,IAAA,6BAAM,OAAA,UAAS;AAAA,cAC/B,CAAC;AAAA,YACH,CAAA;AAAA,UACF;AAEA,UAAA,OAAO,KAAA,EAAO,cAAA,CAAO,IAAA,CAAK,IAAI,YAAA,CAAa,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,UAAU,CAAC,CAAC,CAAA;AAAA,QACxF;AAGA,QAAA,GAAA,CAAI,CAAC,MAAA,CAAO,IAAA,EAAM;AAChB,UAAA,OAAO;AAAA,YACL,KAAA,EAAO,iBAAA;AAAA,YACP,MAAA,EAAQ,UAAA;AAAA,YACR,OAAA,EAAS;AAAA,UACX,CAAA;AAAA,QACF;AAEA,QAAA,OAAO,MAAA,CAAO,IAAA;AAAA,MAChB,CAAC;AAAA,IACL,CAAC;AAAA,EACH,CAAA;AACF,CAAA;AH5BA;AACA;AI7GA;AAqBO,IAAM,aAAA,EAAe,CAC1B,OAAA,EAAA,GAC0B;AAC1B,EAAA,MAAM,MAAA,EAAQ,OAAA,CAAQ,OAAA,CAAQ,yBAAyB,CAAA;AACvD,EAAA,OAAO,cAAA,CAAO,YAAA,CAAa,KAAK,CAAA;AAClC,CAAA;AAUO,IAAM,oBAAA,EAAsB,CACjC,OAAA,EACA,OAAA,EAAA,GACsE;AACtE,EAAA,OAAOC,cAAAA,CAAO,GAAA,CAAI,QAAA,EAAA,CAAA,EAAa;AAC7B,IAAA,MAAM,MAAA,EAAQ,YAAA,CAAa,OAAO,CAAA;AAElC,IAAA,MAAM,OAAA,EAAS,KAAA,EAAOA,cAAAA,CAAO,UAAA,CAAW;AAAA,MACtC,GAAA,EAAK,MAAA,CAAA,EAAA,GAAY;AACf,QAAA,OAAO,MAAM,4DAAA;AAAA,UACX,cAAA,CAAO,cAAA,CAAe,KAAK,CAAA;AAAA,UAC3B;AAAA,YACE,YAAA,EAAc,OAAA,CAAQ,YAAA;AAAA,YACtB,aAAA,EAAe,OAAA,CAAQ,aAAA;AAAA,YACvB,SAAA,EAAW,OAAA,CAAQ,SAAA;AAAA,YACnB,WAAA,EAAa,OAAA,CAAQ;AAAA,UACvB,CAAA;AAAA,UACA,OAAA,CAAQ;AAAA,QACV,CAAA;AAAA,MACF,CAAA;AAAA,MACA,KAAA,EAAO,CAAC,KAAA,EAAA,GAAU;AAChB,QAAA,GAAA,CAAI,sDAAA,KAA6B,CAAA,EAAG;AAClC,UAAA,OAAO,KAAA;AAAA,QACT;AACA,QAAA,OAAO,IAAI,2CAAA;AAAA,UACT,0CAAA,CAA0B,aAAA;AAAA,UAC1B,MAAA,WAAiB,MAAA,EAAQ,KAAA,CAAM,QAAA,EAAU,eAAA;AAAA,UACzC,EAAE,OAAA,EAAS,EAAE,UAAA,EAAY,OAAA,CAAQ,IAAI,EAAE;AAAA,QACzC,CAAA;AAAA,MACF;AAAA,IACF,CAAC,CAAA;AAGD,IAAA,GAAA,CAAI,OAAA,WAAkB,sCAAA,EAAuB;AAC3C,MAAA,OAAO,KAAA,EAAOA,cAAAA,CAAO,IAAA,CAAK,MAAM,CAAA;AAAA,IAClC;AAEA,IAAA,GAAA,CAAI,CAAC,MAAA,CAAO,OAAA,EAAS;AACnB,MAAA,MAAM,UAAA,mCAAY,MAAA,qBAAO,KAAA,6BAAO,MAAA,UAAQ,0CAAA,CAA0B,eAAA;AAClE,MAAA,MAAM,aAAA,mCAAe,MAAA,qBAAO,KAAA,+BAAO,SAAA,UAAW,yBAAA;AAE9C,MAAA,OAAA,CAAQ,SAAA,EAAW;AAAA,QACjB,KAAK,0CAAA,CAA0B,aAAA;AAC7B,UAAA,OAAO,KAAA,EAAOA,cAAAA,CAAO,IAAA;AAAA,YACnB,IAAI,uCAAA,CAAkB;AAAA,cACpB,OAAA,EAAS,EAAE,UAAA,EAAY,OAAA,CAAQ,GAAA,EAAK,GAAG,MAAA,CAAO,KAAA,CAAM,QAAQ;AAAA,YAC9D,CAAC;AAAA,UACH,CAAA;AAAA,QACF,KAAK,0CAAA,CAA0B,aAAA;AAC7B,UAAA,OAAO,KAAA,EAAOA,cAAAA,CAAO,IAAA;AAAA,YACnB,IAAI,uCAAA,kCAAkB,MAAA,uBAAO,IAAA,+BAAM,OAAA,UAAS,WAAA,EAAW;AAAA,cACrD,UAAA,EAAY,OAAA,CAAQ,GAAA;AAAA,cACpB,aAAA,EAAe,OAAA,CAAQ;AAAA,YACzB,CAAC;AAAA,UACH,CAAA;AAAA,QACF,KAAK,0CAAA,CAA0B,aAAA;AAC7B,UAAA,OAAO,KAAA,EAAOA,cAAAA,CAAO,IAAA;AAAA,YACnB,IAAI,uCAAA,CAAkB,YAAA,EAAc;AAAA,cAClC,UAAA,EAAY,OAAA,CAAQ;AAAA,YACtB,CAAC;AAAA,UACH,CAAA;AAAA,QACF,OAAA;AACE,UAAA,OAAO,KAAA,EAAOA,cAAAA,CAAO,IAAA;AAAA,YACnB,IAAI,2CAAA,CAAsB,SAAA,EAAW,YAAA,EAAc;AAAA,cACjD,OAAA,EAAS,EAAE,UAAA,EAAY,OAAA,CAAQ,GAAA,EAAK,GAAG,MAAA,CAAO,KAAA,CAAM,QAAQ;AAAA,YAC9D,CAAC;AAAA,UACH,CAAA;AAAA,MACJ;AAAA,IACF;AAGA,IAAA,GAAA,CAAI,CAAC,MAAA,CAAO,IAAA,EAAM;AAChB,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,iBAAA;AAAA,QACP,MAAA,EAAQ,UAAA;AAAA,QACR,OAAA,EAAS;AAAA,MACX,CAAA;AAAA,IACF;AAEA,IAAA,OAAO,MAAA,CAAO,IAAA;AAAA,EAChB,CAAC,CAAA;AACH,CAAA;AAKO,IAAM,QAAA,EAAU,CACrB,OAAA,EACA,OAAA,EAAA,GACqE;AACrE,EAAA,OAAO,mBAAA,CAAoB,OAAA,EAAS,OAAO,CAAA,CAAE,IAAA;AAAA,IAC3CA,cAAAA,CAAO,GAAA,CAAI,CAAC,IAAA,EAAA,GAAS,cAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,IACtCA,cAAAA,CAAO,QAAA,CAAS,CAAA,EAAA,GAAMA,cAAAA,CAAO,OAAA,CAAQ,cAAA,CAAO,IAAA,CAA2B,CAAC,CAAC;AAAA,EAC3E,CAAA;AACF,CAAA;AAKO,IAAM,mBAAA,EAAqB,CAChC,OAAA,EACA,OAAA,EAAA,GACG;AACH,EAAA,OAAOA,cAAAA,CAAO,MAAA,CAAO,mBAAA,CAAoB,OAAA,EAAS,OAAO,CAAC,CAAA;AAC5D,CAAA;AJuDA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,o0CAAC","file":"/Users/v000281/personal/hono-cloudflare-access-middleware/dist/adapters/effect/index.js","sourcesContent":[null,"import { Schema } from \"effect\";\nimport { HttpApiSchema } from \"@effect/platform\";\n\n/**\n * Unauthorized error schema for Effect Platform\n */\nexport class Unauthorized extends Schema.TaggedError<Unauthorized>()(\n  \"Unauthorized\",\n  {\n    message: Schema.String,\n    code: Schema.String,\n  },\n  HttpApiSchema.annotations({ status: 401 }),\n) {}\n\n/**\n * Forbidden error schema for Effect Platform\n */\nexport class Forbidden extends Schema.TaggedError<Forbidden>()(\n  \"Forbidden\",\n  {\n    message: Schema.String,\n    email: Schema.String,\n  },\n  HttpApiSchema.annotations({ status: 403 }),\n) {}\n","import { Context } from \"effect\";\nimport type { CloudflareAccessUser } from \"../../core/index\";\n\n/**\n * Context Tag for the authenticated user.\n * Use this to access the current user in your handlers.\n *\n * @example\n * ```typescript\n * import { Effect } from \"effect\";\n * import { CurrentUser } from \"cloudflare-access/effect\";\n *\n * const handler = Effect.gen(function* () {\n *   const user = yield* CurrentUser;\n *   console.log(`Hello ${user.email}`);\n *   return user;\n * });\n * ```\n */\nexport class CurrentUser extends Context.Tag(\"cloudflare-access/CurrentUser\")<\n  CurrentUser,\n  CloudflareAccessUser\n>() {}\n","import { Effect, Layer, Redacted, Schema } from \"effect\";\nimport { HttpApiMiddleware, HttpApiSecurity, HttpServerRequest } from \"@effect/platform\";\nimport { validateCloudflareAccessToken, CloudflareAccessErrorCode } from \"../../core/index\";\nimport type { CloudflareAccessMiddlewareOptions } from \"./types\";\nimport { Unauthorized, Forbidden } from \"./errors\";\nimport { CurrentUser } from \"./context\";\n\n/**\n * Cloudflare Access authentication middleware class.\n *\n * Use this class directly in your API middleware definitions.\n *\n * @example\n * ```typescript\n * import { HttpApi, HttpApiGroup, HttpApiEndpoint } from \"@effect/platform\";\n * import { Schema, Effect, Layer } from \"effect\";\n * import {\n *   CloudflareAccessAuth,\n *   CurrentUser,\n *   makeCloudflareAccessLive,\n *   Unauthorized,\n *   Forbidden\n * } from \"cloudflare-access/effect\";\n *\n * // Configure the middleware\n * const CloudflareAccessLive = makeCloudflareAccessLive({\n *   accessConfig: {\n *     teamDomain: \"https://yourteam.cloudflareaccess.com\",\n *     audTag: \"your-audience-tag\",\n *   },\n *   allowedEmails: [\"admin@example.com\"],\n *   skipInDev: true,\n *   environment: \"dev\",\n * });\n *\n * // Define API with protected endpoints\n * const User = Schema.Struct({ email: Schema.String });\n *\n * const api = HttpApi.make(\"api\").add(\n *   HttpApiGroup.make(\"users\").add(\n *     HttpApiEndpoint.get(\"profile\", \"/profile\")\n *       .addSuccess(User)\n *       .middleware(CloudflareAccessAuth)\n *   )\n * );\n *\n * // Implement handlers with access to CurrentUser\n * const UsersLive = HttpApiBuilder.group(api, \"users\", (handlers) =>\n *   Effect.gen(function* () {\n *     const user = yield* CurrentUser;\n *     return handlers.handle(\"profile\", () =>\n *       Effect.succeed({ email: user.email })\n *     );\n *   })\n * ).pipe(Layer.provide(CloudflareAccessLive));\n * ```\n */\nexport class CloudflareAccessAuth extends HttpApiMiddleware.Tag<CloudflareAccessAuth>()(\n  \"CloudflareAccessAuth\",\n  {\n    provides: CurrentUser,\n    failure: Schema.Union(Unauthorized, Forbidden),\n    security: {\n      bearer: HttpApiSecurity.bearer,\n    },\n  },\n) {}\n\n/**\n * Create a Layer that implements Cloudflare Access authentication.\n *\n * This layer validates the Cloudflare Access JWT token from the request\n * and provides the authenticated user via the CurrentUser context.\n *\n * @param options Configuration for Cloudflare Access\n * @returns Layer that provides authentication\n */\nexport const makeCloudflareAccessLive = (options: CloudflareAccessMiddlewareOptions) => {\n  return Layer.succeed(\n    CloudflareAccessAuth,\n    CloudflareAccessAuth.of({\n      bearer: (bearerToken) =>\n        Effect.gen(function* () {\n          const request = yield* HttpServerRequest.HttpServerRequest;\n          const token = Redacted.value(bearerToken);\n\n          // Wrap the async validation in an Effect\n          const result = yield* Effect.promise(() =>\n            validateCloudflareAccessToken(\n              token,\n              {\n                accessConfig: options.accessConfig,\n                allowedEmails: options.allowedEmails,\n                skipInDev: options.skipInDev,\n                environment: options.environment,\n              },\n              request.url,\n            ),\n          );\n\n          // Handle validation result\n          if (!result.success) {\n            const errorCode = result.error?.code ?? CloudflareAccessErrorCode.INVALID_TOKEN;\n            const errorMessage = result.error?.message ?? \"Authentication failed\";\n\n            if (errorCode === CloudflareAccessErrorCode.AUTH_REQUIRED) {\n              return yield* Effect.fail(\n                new Unauthorized({ message: errorMessage, code: \"AUTH_REQUIRED\" }),\n              );\n            }\n\n            if (errorCode === CloudflareAccessErrorCode.ACCESS_DENIED) {\n              return yield* Effect.fail(\n                new Forbidden({\n                  message: errorMessage,\n                  email: result.user?.email ?? \"unknown\",\n                }),\n              );\n            }\n\n            return yield* Effect.fail(new Unauthorized({ message: errorMessage, code: errorCode }));\n          }\n\n          // Dev mode skip case (result.user can be null when skipped)\n          if (!result.user) {\n            return {\n              email: \"dev@example.com\",\n              userId: \"dev-user\",\n              country: \"dev\",\n            };\n          }\n\n          return result.user;\n        }),\n    }),\n  );\n};\n","import { Effect, Option } from \"effect\";\nimport { HttpServerRequest } from \"@effect/platform\";\nimport {\n  validateCloudflareAccessToken,\n  CloudflareAccessError,\n  CloudflareAccessErrorCode,\n  AuthRequiredError,\n  InvalidTokenError,\n  AccessDeniedError,\n  isCloudflareAccessError,\n  type CloudflareAccessUser,\n} from \"../../core/index\";\nimport type { CloudflareAccessMiddlewareOptions } from \"./types\";\n\n/**\n * Extract Cloudflare Access token from request headers.\n * Looks for CF-Access-JWT-Assertion header.\n *\n * @param request HTTP server request\n * @returns Option with token if present\n */\nexport const extractToken = (\n  request: HttpServerRequest.HttpServerRequest,\n): Option.Option<string> => {\n  const token = request.headers[\"cf-access-jwt-assertion\"];\n  return Option.fromNullable(token);\n};\n\n/**\n * Authenticate using the CF-Access-JWT-Assertion header directly.\n * This bypasses the HttpApiSecurity bearer token pattern.\n *\n * @param request HTTP server request\n * @param options Authentication options\n * @returns Effect with authenticated user or error\n */\nexport const authenticateRequest = (\n  request: HttpServerRequest.HttpServerRequest,\n  options: CloudflareAccessMiddlewareOptions,\n): Effect.Effect<CloudflareAccessUser, CloudflareAccessError, never> => {\n  return Effect.gen(function* () {\n    const token = extractToken(request);\n\n    const result = yield* Effect.tryPromise({\n      try: async () => {\n        return await validateCloudflareAccessToken(\n          Option.getOrUndefined(token),\n          {\n            accessConfig: options.accessConfig,\n            allowedEmails: options.allowedEmails,\n            skipInDev: options.skipInDev,\n            environment: options.environment,\n          },\n          request.url,\n        );\n      },\n      catch: (error) => {\n        if (isCloudflareAccessError(error)) {\n          return error;\n        }\n        return new CloudflareAccessError(\n          CloudflareAccessErrorCode.INVALID_TOKEN,\n          error instanceof Error ? error.message : \"Unknown error\",\n          { context: { requestUrl: request.url } },\n        );\n      },\n    });\n\n    // Handle case where catch block returned a CloudflareAccessError directly\n    if (result instanceof CloudflareAccessError) {\n      return yield* Effect.fail(result);\n    }\n\n    if (!result.success) {\n      const errorCode = result.error?.code ?? CloudflareAccessErrorCode.INVALID_TOKEN;\n      const errorMessage = result.error?.message ?? \"Authentication failed\";\n\n      switch (errorCode) {\n        case CloudflareAccessErrorCode.AUTH_REQUIRED:\n          return yield* Effect.fail(\n            new AuthRequiredError({\n              context: { requestUrl: request.url, ...result.error.context },\n            }),\n          );\n        case CloudflareAccessErrorCode.ACCESS_DENIED:\n          return yield* Effect.fail(\n            new AccessDeniedError(result.user?.email ?? \"unknown\", {\n              requestUrl: request.url,\n              allowedEmails: options.allowedEmails,\n            }),\n          );\n        case CloudflareAccessErrorCode.INVALID_TOKEN:\n          return yield* Effect.fail(\n            new InvalidTokenError(errorMessage, {\n              requestUrl: request.url,\n            }),\n          );\n        default:\n          return yield* Effect.fail(\n            new CloudflareAccessError(errorCode, errorMessage, {\n              context: { requestUrl: request.url, ...result.error.context },\n            }),\n          );\n      }\n    }\n\n    // Dev mode skip case\n    if (!result.user) {\n      return {\n        email: \"dev@example.com\",\n        userId: \"dev-user\",\n        country: \"dev\",\n      };\n    }\n\n    return result.user;\n  });\n};\n\n/**\n * Get user as Option (returns None on auth failure)\n */\nexport const getUser = (\n  request: HttpServerRequest.HttpServerRequest,\n  options: CloudflareAccessMiddlewareOptions,\n): Effect.Effect<Option.Option<CloudflareAccessUser>, never, never> => {\n  return authenticateRequest(request, options).pipe(\n    Effect.map((user) => Option.some(user)),\n    Effect.catchAll(() => Effect.succeed(Option.none<CloudflareAccessUser>())),\n  );\n};\n\n/**\n * Authenticate and return Either (for explicit error handling)\n */\nexport const authenticateEither = (\n  request: HttpServerRequest.HttpServerRequest,\n  options: CloudflareAccessMiddlewareOptions,\n) => {\n  return Effect.either(authenticateRequest(request, options));\n};\n"]}

package/dist/adapters/effect/index.mjs

@@ -0,0 +1,221 @@
+import {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  InvalidTokenError,
+  __clearJwksCache,
+  getCloudflareAccessConfigFromEnv,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  toAuthError,
+  validateCloudflareAccessToken
+} from "../../chunk-DM2KGIQX.mjs";
+
+// src/adapters/effect/errors.ts
+import { Schema } from "effect";
+import { HttpApiSchema } from "@effect/platform";
+var Unauthorized = class extends Schema.TaggedError()(
+  "Unauthorized",
+  {
+    message: Schema.String,
+    code: Schema.String
+  },
+  HttpApiSchema.annotations({ status: 401 })
+) {
+};
+var Forbidden = class extends Schema.TaggedError()(
+  "Forbidden",
+  {
+    message: Schema.String,
+    email: Schema.String
+  },
+  HttpApiSchema.annotations({ status: 403 })
+) {
+};
+
+// src/adapters/effect/context.ts
+import { Context } from "effect";
+var CurrentUser = class extends Context.Tag("cloudflare-access/CurrentUser")() {
+};
+
+// src/adapters/effect/middleware.ts
+import { Effect, Layer, Redacted, Schema as Schema2 } from "effect";
+import { HttpApiMiddleware, HttpApiSecurity, HttpServerRequest } from "@effect/platform";
+var CloudflareAccessAuth = class extends HttpApiMiddleware.Tag()(
+  "CloudflareAccessAuth",
+  {
+    provides: CurrentUser,
+    failure: Schema2.Union(Unauthorized, Forbidden),
+    security: {
+      bearer: HttpApiSecurity.bearer
+    }
+  }
+) {
+};
+var makeCloudflareAccessLive = (options) => {
+  return Layer.succeed(
+    CloudflareAccessAuth,
+    CloudflareAccessAuth.of({
+      bearer: (bearerToken) => Effect.gen(function* () {
+        const request = yield* HttpServerRequest.HttpServerRequest;
+        const token = Redacted.value(bearerToken);
+        const result = yield* Effect.promise(
+          () => validateCloudflareAccessToken(
+            token,
+            {
+              accessConfig: options.accessConfig,
+              allowedEmails: options.allowedEmails,
+              skipInDev: options.skipInDev,
+              environment: options.environment
+            },
+            request.url
+          )
+        );
+        if (!result.success) {
+          const errorCode = result.error?.code ?? CloudflareAccessErrorCode.INVALID_TOKEN;
+          const errorMessage = result.error?.message ?? "Authentication failed";
+          if (errorCode === CloudflareAccessErrorCode.AUTH_REQUIRED) {
+            return yield* Effect.fail(
+              new Unauthorized({ message: errorMessage, code: "AUTH_REQUIRED" })
+            );
+          }
+          if (errorCode === CloudflareAccessErrorCode.ACCESS_DENIED) {
+            return yield* Effect.fail(
+              new Forbidden({
+                message: errorMessage,
+                email: result.user?.email ?? "unknown"
+              })
+            );
+          }
+          return yield* Effect.fail(new Unauthorized({ message: errorMessage, code: errorCode }));
+        }
+        if (!result.user) {
+          return {
+            email: "dev@example.com",
+            userId: "dev-user",
+            country: "dev"
+          };
+        }
+        return result.user;
+      })
+    })
+  );
+};
+
+// src/adapters/effect/utils.ts
+import { Effect as Effect2, Option } from "effect";
+var extractToken = (request) => {
+  const token = request.headers["cf-access-jwt-assertion"];
+  return Option.fromNullable(token);
+};
+var authenticateRequest = (request, options) => {
+  return Effect2.gen(function* () {
+    const token = extractToken(request);
+    const result = yield* Effect2.tryPromise({
+      try: async () => {
+        return await validateCloudflareAccessToken(
+          Option.getOrUndefined(token),
+          {
+            accessConfig: options.accessConfig,
+            allowedEmails: options.allowedEmails,
+            skipInDev: options.skipInDev,
+            environment: options.environment
+          },
+          request.url
+        );
+      },
+      catch: (error) => {
+        if (isCloudflareAccessError(error)) {
+          return error;
+        }
+        return new CloudflareAccessError(
+          CloudflareAccessErrorCode.INVALID_TOKEN,
+          error instanceof Error ? error.message : "Unknown error",
+          { context: { requestUrl: request.url } }
+        );
+      }
+    });
+    if (result instanceof CloudflareAccessError) {
+      return yield* Effect2.fail(result);
+    }
+    if (!result.success) {
+      const errorCode = result.error?.code ?? CloudflareAccessErrorCode.INVALID_TOKEN;
+      const errorMessage = result.error?.message ?? "Authentication failed";
+      switch (errorCode) {
+        case CloudflareAccessErrorCode.AUTH_REQUIRED:
+          return yield* Effect2.fail(
+            new AuthRequiredError({
+              context: { requestUrl: request.url, ...result.error.context }
+            })
+          );
+        case CloudflareAccessErrorCode.ACCESS_DENIED:
+          return yield* Effect2.fail(
+            new AccessDeniedError(result.user?.email ?? "unknown", {
+              requestUrl: request.url,
+              allowedEmails: options.allowedEmails
+            })
+          );
+        case CloudflareAccessErrorCode.INVALID_TOKEN:
+          return yield* Effect2.fail(
+            new InvalidTokenError(errorMessage, {
+              requestUrl: request.url
+            })
+          );
+        default:
+          return yield* Effect2.fail(
+            new CloudflareAccessError(errorCode, errorMessage, {
+              context: { requestUrl: request.url, ...result.error.context }
+            })
+          );
+      }
+    }
+    if (!result.user) {
+      return {
+        email: "dev@example.com",
+        userId: "dev-user",
+        country: "dev"
+      };
+    }
+    return result.user;
+  });
+};
+var getUser = (request, options) => {
+  return authenticateRequest(request, options).pipe(
+    Effect2.map((user) => Option.some(user)),
+    Effect2.catchAll(() => Effect2.succeed(Option.none()))
+  );
+};
+var authenticateEither = (request, options) => {
+  return Effect2.either(authenticateRequest(request, options));
+};
+export {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessAuth,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  CurrentUser,
+  Forbidden,
+  InvalidTokenError,
+  Unauthorized,
+  __clearJwksCache,
+  authenticateEither,
+  authenticateRequest,
+  extractToken,
+  getCloudflareAccessConfigFromEnv,
+  getUser,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  makeCloudflareAccessLive,
+  toAuthError
+};
+//# sourceMappingURL=index.mjs.map