cloudflare-access 1.0.0

package/dist/adapters/fastify/index.d.ts

@@ -0,0 +1,111 @@
+import { C as CloudflareAccessConfig, e as CloudflareAccessMiddlewareEnv, g as CloudflareAccessUser } from '../../jwks-ChdyyS_L.js';
+export { A as AccessDeniedError, a as AuthRequiredError, c as CloudflareAccessError, d as CloudflareAccessErrorCode, f as CloudflareAccessPayload, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, t as toAuthError } from '../../jwks-ChdyyS_L.js';
+import * as fastify from 'fastify';
+import { FastifyReply, preHandlerHookHandler, FastifyPluginAsync } from 'fastify';
+import 'jose';
+
+/**
+ * Options for creating Cloudflare Access authentication for Fastify
+ */
+interface CloudflareAccessAuthOptions {
+    /** Cloudflare Access configuration */
+    accessConfig: CloudflareAccessConfig;
+    /** Optional email allowlist. Access policy should still be configured at Cloudflare. */
+    allowedEmails?: string[];
+    /** Custom unauthorized handler */
+    onUnauthorized?: (request: fastify.FastifyRequest, reply: fastify.FastifyReply, reason: string) => void | Promise<void>;
+    /** Custom forbidden handler */
+    onForbidden?: (request: fastify.FastifyRequest, reply: fastify.FastifyReply, email: string) => void | Promise<void>;
+    /** Paths to exclude from auth check */
+    excludePaths?: string[];
+    /** Whether to skip JWT validation outside production */
+    skipInDev?: boolean;
+    /** Environment indicator */
+    environment?: string;
+}
+/**
+ * Get Cloudflare Access configuration from environment variables
+ */
+declare function getCloudflareAccessConfigFromEnv(env: CloudflareAccessMiddlewareEnv): CloudflareAccessConfig;
+
+/**
+ * Generate unauthorized response
+ */
+declare function unauthorizedResponse(reply: FastifyReply, reason: string): void;
+/**
+ * Generate auth required response
+ */
+declare function authRequiredResponse(reply: FastifyReply): void;
+/**
+ * Generate forbidden response
+ */
+declare function forbiddenResponse(reply: FastifyReply): void;
+
+declare module "fastify" {
+    interface FastifyRequest {
+        /** Authenticated user from Cloudflare Access */
+        user?: CloudflareAccessUser;
+    }
+}
+/**
+ * Creates a preHandler hook for Cloudflare Access authentication.
+ *
+ * @param options - Configuration options
+ * @returns Fastify preHandler hook
+ *
+ * @example
+ * ```typescript
+ * import fastify from 'fastify';
+ * import { cloudflareAccessPreHandler } from 'cloudflare-access/adapters/fastify';
+ *
+ * const app = fastify();
+ *
+ * app.addHook('preHandler', cloudflareAccessPreHandler({
+ *   accessConfig: {
+ *     teamDomain: 'https://yourteam.cloudflareaccess.com',
+ *     audTag: 'your-audience-tag',
+ *   },
+ * }));
+ *
+ * app.get('/protected', async (request, reply) => {
+ *   return { email: request.user?.email };
+ * });
+ * ```
+ */
+declare function cloudflareAccessPreHandler(options: CloudflareAccessAuthOptions): preHandlerHookHandler;
+
+/**
+ * Creates a Fastify plugin for Cloudflare Access authentication.
+ *
+ * @param options - Configuration options
+ * @returns Fastify plugin
+ *
+ * @example
+ * ```typescript
+ * import fastify from 'fastify';
+ * import { cloudflareAccessPlugin } from 'cloudflare-access/adapters/fastify';
+ *
+ * const app = fastify();
+ *
+ * app.register(cloudflareAccessPlugin, {
+ *   accessConfig: {
+ *     teamDomain: 'https://yourteam.cloudflareaccess.com',
+ *     audTag: 'your-audience-tag',
+ *   },
+ * });
+ *
+ * app.get('/protected', async (request, reply) => {
+ *   return { email: request.user?.email };
+ * });
+ * ```
+ */
+declare const cloudflareAccessPlugin: FastifyPluginAsync<CloudflareAccessAuthOptions>;
+
+declare module "fastify" {
+    interface FastifyRequest {
+        /** Authenticated user from Cloudflare Access */
+        user?: CloudflareAccessUser;
+    }
+}
+
+export { type CloudflareAccessAuthOptions, CloudflareAccessConfig, CloudflareAccessMiddlewareEnv, CloudflareAccessUser, authRequiredResponse, cloudflareAccessPlugin, cloudflareAccessPreHandler, cloudflareAccessPlugin as default, forbiddenResponse, getCloudflareAccessConfigFromEnv, unauthorizedResponse };

package/dist/adapters/fastify/index.js

@@ -0,0 +1,140 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+var _chunkWUJPWM4Tjs = require('../../chunk-WUJPWM4T.js');
+
+// src/adapters/fastify/types.ts
+function getCloudflareAccessConfigFromEnv2(env) {
+  return _chunkWUJPWM4Tjs.getCloudflareAccessConfigFromEnv.call(void 0, env);
+}
+
+// src/adapters/fastify/responses.ts
+function unauthorizedResponse(reply, reason) {
+  reply.code(401).send({
+    success: false,
+    error: {
+      code: "INVALID_TOKEN",
+      message: "Invalid authentication token",
+      why: reason,
+      fix: "Please sign in again via Cloudflare Access"
+    }
+  });
+}
+function authRequiredResponse(reply) {
+  reply.code(401).send({
+    success: false,
+    error: {
+      code: "AUTH_REQUIRED",
+      message: "Unauthorized",
+      why: "Authentication required via Cloudflare Access",
+      fix: "Sign in via Cloudflare Access"
+    }
+  });
+}
+function forbiddenResponse(reply) {
+  reply.code(403).send({
+    success: false,
+    error: {
+      code: "ACCESS_DENIED",
+      message: "Forbidden",
+      why: "Your email is not authorized to access this resource",
+      fix: "Contact an administrator if you need access"
+    }
+  });
+}
+
+// src/adapters/fastify/middleware.ts
+function cloudflareAccessPreHandler(options) {
+  const allowedEmails = _nullishCoalesce(options.allowedEmails, () => ( null));
+  return async (request, reply) => {
+    const path = request.url;
+    const method = request.method;
+    if (_optionalChain([options, 'access', _ => _.excludePaths, 'optionalAccess', _2 => _2.includes, 'call', _3 => _3(path)]) || method === "OPTIONS") {
+      return;
+    }
+    const token = request.headers["cf-access-jwt-assertion"];
+    const protocol = request.protocol;
+    const host = request.hostname;
+    const url = `${protocol}://${host}${request.url}`;
+    const result = await _chunkWUJPWM4Tjs.validateCloudflareAccessToken.call(void 0, 
+      token,
+      {
+        accessConfig: options.accessConfig,
+        allowedEmails: _nullishCoalesce(allowedEmails, () => ( void 0)),
+        skipInDev: options.skipInDev,
+        environment: options.environment
+      },
+      url
+    );
+    if (!result.success) {
+      if (_optionalChain([result, 'access', _4 => _4.error, 'optionalAccess', _5 => _5.code]) === "AUTH_REQUIRED") {
+        if (options.onUnauthorized) {
+          await options.onUnauthorized(request, reply, result.error.why);
+        } else {
+          authRequiredResponse(reply);
+        }
+        return;
+      }
+      if (_optionalChain([result, 'access', _6 => _6.error, 'optionalAccess', _7 => _7.code]) === "ACCESS_DENIED") {
+        const email = _nullishCoalesce(_optionalChain([result, 'access', _8 => _8.user, 'optionalAccess', _9 => _9.email]), () => ( "unknown"));
+        if (options.onForbidden) {
+          await options.onForbidden(request, reply, email);
+        } else {
+          forbiddenResponse(reply);
+        }
+        return;
+      }
+      if (options.onUnauthorized) {
+        await options.onUnauthorized(request, reply, _nullishCoalesce(_optionalChain([result, 'access', _10 => _10.error, 'optionalAccess', _11 => _11.why]), () => ( "Unknown error")));
+      } else {
+        unauthorizedResponse(reply, _nullishCoalesce(_optionalChain([result, 'access', _12 => _12.error, 'optionalAccess', _13 => _13.why]), () => ( "Unknown error")));
+      }
+      return;
+    }
+    if (result.user) {
+      request.user = result.user;
+    }
+  };
+}
+
+// src/adapters/fastify/plugin.ts
+var cloudflareAccessPlugin = async (fastify, options) => {
+  fastify.addHook("preHandler", cloudflareAccessPreHandler(options));
+};
+var plugin_default = cloudflareAccessPlugin;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.AccessDeniedError = _chunkWUJPWM4Tjs.AccessDeniedError; exports.AuthRequiredError = _chunkWUJPWM4Tjs.AuthRequiredError; exports.CloudflareAccessError = _chunkWUJPWM4Tjs.CloudflareAccessError; exports.CloudflareAccessErrorCode = _chunkWUJPWM4Tjs.CloudflareAccessErrorCode; exports.ConfigurationError = _chunkWUJPWM4Tjs.ConfigurationError; exports.InvalidTokenError = _chunkWUJPWM4Tjs.InvalidTokenError; exports.__clearJwksCache = _chunkWUJPWM4Tjs.__clearJwksCache; exports.authRequiredResponse = authRequiredResponse; exports.cloudflareAccessPlugin = cloudflareAccessPlugin; exports.cloudflareAccessPreHandler = cloudflareAccessPreHandler; exports.default = plugin_default; exports.forbiddenResponse = forbiddenResponse; exports.getCloudflareAccessConfigFromEnv = getCloudflareAccessConfigFromEnv2; exports.isAccessDeniedError = _chunkWUJPWM4Tjs.isAccessDeniedError; exports.isAuthRequiredError = _chunkWUJPWM4Tjs.isAuthRequiredError; exports.isCloudflareAccessError = _chunkWUJPWM4Tjs.isCloudflareAccessError; exports.isConfigurationError = _chunkWUJPWM4Tjs.isConfigurationError; exports.isInvalidTokenError = _chunkWUJPWM4Tjs.isInvalidTokenError; exports.toAuthError = _chunkWUJPWM4Tjs.toAuthError; exports.unauthorizedResponse = unauthorizedResponse;
+//# sourceMappingURL=index.js.map

package/dist/adapters/fastify/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/v000281/personal/hono-cloudflare-access-middleware/dist/adapters/fastify/index.js","../../../src/adapters/fastify/types.ts","../../../src/adapters/fastify/responses.ts","../../../src/adapters/fastify/middleware.ts","../../../src/adapters/fastify/plugin.ts"],"names":["getCloudflareAccessConfigFromEnv"],"mappings":"AAAA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,0DAAgC;AAChC;AACA;ACsBO,SAASA,iCAAAA,CACd,GAAA,EACwB;AACxB,EAAA,OAAO,+DAAA,GAAqC,CAAA;AAC9C;ADtBA;AACA;AElBO,SAAS,oBAAA,CAAqB,KAAA,EAAqB,MAAA,EAAsB;AAC9E,EAAA,KAAA,CAAM,IAAA,CAAK,GAAG,CAAA,CAAE,IAAA,CAAK;AAAA,IACnB,OAAA,EAAS,KAAA;AAAA,IACT,KAAA,EAAO;AAAA,MACL,IAAA,EAAM,eAAA;AAAA,MACN,OAAA,EAAS,8BAAA;AAAA,MACT,GAAA,EAAK,MAAA;AAAA,MACL,GAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAC,CAAA;AACH;AAKO,SAAS,oBAAA,CAAqB,KAAA,EAA2B;AAC9D,EAAA,KAAA,CAAM,IAAA,CAAK,GAAG,CAAA,CAAE,IAAA,CAAK;AAAA,IACnB,OAAA,EAAS,KAAA;AAAA,IACT,KAAA,EAAO;AAAA,MACL,IAAA,EAAM,eAAA;AAAA,MACN,OAAA,EAAS,cAAA;AAAA,MACT,GAAA,EAAK,+CAAA;AAAA,MACL,GAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAC,CAAA;AACH;AAKO,SAAS,iBAAA,CAAkB,KAAA,EAA2B;AAC3D,EAAA,KAAA,CAAM,IAAA,CAAK,GAAG,CAAA,CAAE,IAAA,CAAK;AAAA,IACnB,OAAA,EAAS,KAAA;AAAA,IACT,KAAA,EAAO;AAAA,MACL,IAAA,EAAM,eAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,GAAA,EAAK,sDAAA;AAAA,MACL,GAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAC,CAAA;AACH;AFYA;AACA;AGrBO,SAAS,0BAAA,CACd,OAAA,EACuB;AACvB,EAAA,MAAM,cAAA,mBAAgB,OAAA,CAAQ,aAAA,UAAiB,MAAA;AAE/C,EAAA,OAAO,MAAA,CAAO,OAAA,EAAyB,KAAA,EAAA,GAAuC;AAC5E,IAAA,MAAM,KAAA,EAAO,OAAA,CAAQ,GAAA;AACrB,IAAA,MAAM,OAAA,EAAS,OAAA,CAAQ,MAAA;AAGvB,IAAA,GAAA,iBAAI,OAAA,mBAAQ,YAAA,6BAAc,QAAA,mBAAS,IAAI,IAAA,GAAK,OAAA,IAAW,SAAA,EAAW;AAChE,MAAA,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,MAAA,EAAQ,OAAA,CAAQ,OAAA,CAAQ,yBAAyB,CAAA;AACvD,IAAA,MAAM,SAAA,EAAW,OAAA,CAAQ,QAAA;AACzB,IAAA,MAAM,KAAA,EAAO,OAAA,CAAQ,QAAA;AACrB,IAAA,MAAM,IAAA,EAAM,CAAA,EAAA;AAEN,IAAA;AACJ,MAAA;AACA,MAAA;AACE,QAAA;AACA,QAAA;AACA,QAAA;AACA,QAAA;AACF,MAAA;AACA,MAAA;AACF,IAAA;AAEY,IAAA;AACC,MAAA;AACL,QAAA;AACI,UAAA;AACD,QAAA;AACL,UAAA;AACF,QAAA;AACA,QAAA;AACF,MAAA;AAEW,MAAA;AACH,QAAA;AACF,QAAA;AACI,UAAA;AACD,QAAA;AACL,UAAA;AACF,QAAA;AACA,QAAA;AACF,MAAA;AAEI,MAAA;AACI,QAAA;AACD,MAAA;AACL,QAAA;AACF,MAAA;AACA,MAAA;AACF,IAAA;AAGW,IAAA;AACD,MAAA;AACV,IAAA;AACF,EAAA;AACF;AHWiB;AACA;AInFJ;AAIH,EAAA;AACV;AAGO;AJgFU;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/v000281/personal/hono-cloudflare-access-middleware/dist/adapters/fastify/index.js","sourcesContent":[null,"import type { CloudflareAccessConfig, CloudflareAccessMiddlewareEnv } from \"../../core\";\nimport { getCloudflareAccessConfigFromEnv as _getCloudflareAccessConfigFromEnv } from \"../../core\";\n\n/**\n * Options for creating Cloudflare Access authentication for Fastify\n */\nexport interface CloudflareAccessAuthOptions {\n  /** Cloudflare Access configuration */\n  accessConfig: CloudflareAccessConfig;\n\n  /** Optional email allowlist. Access policy should still be configured at Cloudflare. */\n  allowedEmails?: string[];\n\n  /** Custom unauthorized handler */\n  onUnauthorized?: (\n    request: import(\"fastify\").FastifyRequest,\n    reply: import(\"fastify\").FastifyReply,\n    reason: string,\n  ) => void | Promise<void>;\n\n  /** Custom forbidden handler */\n  onForbidden?: (\n    request: import(\"fastify\").FastifyRequest,\n    reply: import(\"fastify\").FastifyReply,\n    email: string,\n  ) => void | Promise<void>;\n\n  /** Paths to exclude from auth check */\n  excludePaths?: string[];\n\n  /** Whether to skip JWT validation outside production */\n  skipInDev?: boolean;\n\n  /** Environment indicator */\n  environment?: string;\n}\n\n/**\n * Get Cloudflare Access configuration from environment variables\n */\nexport function getCloudflareAccessConfigFromEnv(\n  env: CloudflareAccessMiddlewareEnv,\n): CloudflareAccessConfig {\n  return _getCloudflareAccessConfigFromEnv(env);\n}\n","import type { FastifyReply } from \"fastify\";\n\n/**\n * Generate unauthorized response\n */\nexport function unauthorizedResponse(reply: FastifyReply, reason: string): void {\n  reply.code(401).send({\n    success: false,\n    error: {\n      code: \"INVALID_TOKEN\",\n      message: \"Invalid authentication token\",\n      why: reason,\n      fix: \"Please sign in again via Cloudflare Access\",\n    },\n  });\n}\n\n/**\n * Generate auth required response\n */\nexport function authRequiredResponse(reply: FastifyReply): void {\n  reply.code(401).send({\n    success: false,\n    error: {\n      code: \"AUTH_REQUIRED\",\n      message: \"Unauthorized\",\n      why: \"Authentication required via Cloudflare Access\",\n      fix: \"Sign in via Cloudflare Access\",\n    },\n  });\n}\n\n/**\n * Generate forbidden response\n */\nexport function forbiddenResponse(reply: FastifyReply): void {\n  reply.code(403).send({\n    success: false,\n    error: {\n      code: \"ACCESS_DENIED\",\n      message: \"Forbidden\",\n      why: \"Your email is not authorized to access this resource\",\n      fix: \"Contact an administrator if you need access\",\n    },\n  });\n}\n","import type { FastifyRequest, FastifyReply, FastifyInstance, preHandlerHookHandler } from \"fastify\";\nimport { validateCloudflareAccessToken } from \"../../core\";\nimport type { CloudflareAccessAuthOptions } from \"./types\";\nimport { unauthorizedResponse, authRequiredResponse, forbiddenResponse } from \"./responses\";\n\ndeclare module \"fastify\" {\n  interface FastifyRequest {\n    /** Authenticated user from Cloudflare Access */\n    user?: import(\"../../core\").CloudflareAccessUser;\n  }\n}\n\n/**\n * Creates a preHandler hook for Cloudflare Access authentication.\n *\n * @param options - Configuration options\n * @returns Fastify preHandler hook\n *\n * @example\n * ```typescript\n * import fastify from 'fastify';\n * import { cloudflareAccessPreHandler } from 'cloudflare-access/adapters/fastify';\n *\n * const app = fastify();\n *\n * app.addHook('preHandler', cloudflareAccessPreHandler({\n *   accessConfig: {\n *     teamDomain: 'https://yourteam.cloudflareaccess.com',\n *     audTag: 'your-audience-tag',\n *   },\n * }));\n *\n * app.get('/protected', async (request, reply) => {\n *   return { email: request.user?.email };\n * });\n * ```\n */\nexport function cloudflareAccessPreHandler(\n  options: CloudflareAccessAuthOptions,\n): preHandlerHookHandler {\n  const allowedEmails = options.allowedEmails ?? null;\n\n  return async (request: FastifyRequest, reply: FastifyReply): Promise<void> => {\n    const path = request.url;\n    const method = request.method;\n\n    // Skip OPTIONS requests and excluded paths\n    if (options.excludePaths?.includes(path) || method === \"OPTIONS\") {\n      return;\n    }\n\n    const token = request.headers[\"cf-access-jwt-assertion\"] as string | undefined;\n    const protocol = request.protocol;\n    const host = request.hostname;\n    const url = `${protocol}://${host}${request.url}`;\n\n    const result = await validateCloudflareAccessToken(\n      token,\n      {\n        accessConfig: options.accessConfig,\n        allowedEmails: allowedEmails ?? undefined,\n        skipInDev: options.skipInDev,\n        environment: options.environment,\n      },\n      url,\n    );\n\n    if (!result.success) {\n      if (result.error?.code === \"AUTH_REQUIRED\") {\n        if (options.onUnauthorized) {\n          await options.onUnauthorized(request, reply, result.error.why);\n        } else {\n          authRequiredResponse(reply);\n        }\n        return;\n      }\n\n      if (result.error?.code === \"ACCESS_DENIED\") {\n        const email = result.user?.email ?? \"unknown\";\n        if (options.onForbidden) {\n          await options.onForbidden(request, reply, email);\n        } else {\n          forbiddenResponse(reply);\n        }\n        return;\n      }\n\n      if (options.onUnauthorized) {\n        await options.onUnauthorized(request, reply, result.error?.why ?? \"Unknown error\");\n      } else {\n        unauthorizedResponse(reply, result.error?.why ?? \"Unknown error\");\n      }\n      return;\n    }\n\n    // Set user in request\n    if (result.user) {\n      request.user = result.user;\n    }\n  };\n}\n\n/**\n * Creates a Fastify plugin for Cloudflare Access authentication.\n *\n * @param options - Configuration options\n * @returns Fastify plugin\n *\n * @example\n * ```typescript\n * import fastify from 'fastify';\n * import { cloudflareAccessPlugin } from 'cloudflare-access/adapters/fastify';\n *\n * const app = fastify();\n *\n * app.register(cloudflareAccessPlugin, {\n *   accessConfig: {\n *     teamDomain: 'https://yourteam.cloudflareaccess.com',\n *     audTag: 'your-audience-tag',\n *   },\n * });\n *\n * app.get('/protected', async (request, reply) => {\n *   return { email: request.user?.email };\n * });\n * ```\n */\nexport async function cloudflareAccessPlugin(\n  fastify: FastifyInstance,\n  options: CloudflareAccessAuthOptions,\n): Promise<void> {\n  fastify.addHook(\"preHandler\", cloudflareAccessPreHandler(options));\n}\n","import type { FastifyPluginAsync } from \"fastify\";\nimport type { CloudflareAccessAuthOptions } from \"./types\";\nimport { cloudflareAccessPreHandler } from \"./middleware\";\n\n/**\n * Creates a Fastify plugin for Cloudflare Access authentication.\n *\n * @param options - Configuration options\n * @returns Fastify plugin\n *\n * @example\n * ```typescript\n * import fastify from 'fastify';\n * import { cloudflareAccessPlugin } from 'cloudflare-access/adapters/fastify';\n *\n * const app = fastify();\n *\n * app.register(cloudflareAccessPlugin, {\n *   accessConfig: {\n *     teamDomain: 'https://yourteam.cloudflareaccess.com',\n *     audTag: 'your-audience-tag',\n *   },\n * });\n *\n * app.get('/protected', async (request, reply) => {\n *   return { email: request.user?.email };\n * });\n * ```\n */\nexport const cloudflareAccessPlugin: FastifyPluginAsync<CloudflareAccessAuthOptions> = async (\n  fastify,\n  options,\n) => {\n  fastify.addHook(\"preHandler\", cloudflareAccessPreHandler(options));\n};\n\n// Also export as default for convenience\nexport default cloudflareAccessPlugin;\n"]}

package/dist/adapters/fastify/index.mjs

@@ -0,0 +1,140 @@
+import {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  InvalidTokenError,
+  __clearJwksCache,
+  getCloudflareAccessConfigFromEnv,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  toAuthError,
+  validateCloudflareAccessToken
+} from "../../chunk-DM2KGIQX.mjs";
+
+// src/adapters/fastify/types.ts
+function getCloudflareAccessConfigFromEnv2(env) {
+  return getCloudflareAccessConfigFromEnv(env);
+}
+
+// src/adapters/fastify/responses.ts
+function unauthorizedResponse(reply, reason) {
+  reply.code(401).send({
+    success: false,
+    error: {
+      code: "INVALID_TOKEN",
+      message: "Invalid authentication token",
+      why: reason,
+      fix: "Please sign in again via Cloudflare Access"
+    }
+  });
+}
+function authRequiredResponse(reply) {
+  reply.code(401).send({
+    success: false,
+    error: {
+      code: "AUTH_REQUIRED",
+      message: "Unauthorized",
+      why: "Authentication required via Cloudflare Access",
+      fix: "Sign in via Cloudflare Access"
+    }
+  });
+}
+function forbiddenResponse(reply) {
+  reply.code(403).send({
+    success: false,
+    error: {
+      code: "ACCESS_DENIED",
+      message: "Forbidden",
+      why: "Your email is not authorized to access this resource",
+      fix: "Contact an administrator if you need access"
+    }
+  });
+}
+
+// src/adapters/fastify/middleware.ts
+function cloudflareAccessPreHandler(options) {
+  const allowedEmails = options.allowedEmails ?? null;
+  return async (request, reply) => {
+    const path = request.url;
+    const method = request.method;
+    if (options.excludePaths?.includes(path) || method === "OPTIONS") {
+      return;
+    }
+    const token = request.headers["cf-access-jwt-assertion"];
+    const protocol = request.protocol;
+    const host = request.hostname;
+    const url = `${protocol}://${host}${request.url}`;
+    const result = await validateCloudflareAccessToken(
+      token,
+      {
+        accessConfig: options.accessConfig,
+        allowedEmails: allowedEmails ?? void 0,
+        skipInDev: options.skipInDev,
+        environment: options.environment
+      },
+      url
+    );
+    if (!result.success) {
+      if (result.error?.code === "AUTH_REQUIRED") {
+        if (options.onUnauthorized) {
+          await options.onUnauthorized(request, reply, result.error.why);
+        } else {
+          authRequiredResponse(reply);
+        }
+        return;
+      }
+      if (result.error?.code === "ACCESS_DENIED") {
+        const email = result.user?.email ?? "unknown";
+        if (options.onForbidden) {
+          await options.onForbidden(request, reply, email);
+        } else {
+          forbiddenResponse(reply);
+        }
+        return;
+      }
+      if (options.onUnauthorized) {
+        await options.onUnauthorized(request, reply, result.error?.why ?? "Unknown error");
+      } else {
+        unauthorizedResponse(reply, result.error?.why ?? "Unknown error");
+      }
+      return;
+    }
+    if (result.user) {
+      request.user = result.user;
+    }
+  };
+}
+
+// src/adapters/fastify/plugin.ts
+var cloudflareAccessPlugin = async (fastify, options) => {
+  fastify.addHook("preHandler", cloudflareAccessPreHandler(options));
+};
+var plugin_default = cloudflareAccessPlugin;
+export {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  InvalidTokenError,
+  __clearJwksCache,
+  authRequiredResponse,
+  cloudflareAccessPlugin,
+  cloudflareAccessPreHandler,
+  plugin_default as default,
+  forbiddenResponse,
+  getCloudflareAccessConfigFromEnv2 as getCloudflareAccessConfigFromEnv,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  toAuthError,
+  unauthorizedResponse
+};
+//# sourceMappingURL=index.mjs.map

package/dist/adapters/fastify/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/adapters/fastify/types.ts","../../../src/adapters/fastify/responses.ts","../../../src/adapters/fastify/middleware.ts","../../../src/adapters/fastify/plugin.ts"],"sourcesContent":["import type { CloudflareAccessConfig, CloudflareAccessMiddlewareEnv } from \"../../core\";\nimport { getCloudflareAccessConfigFromEnv as _getCloudflareAccessConfigFromEnv } from \"../../core\";\n\n/**\n * Options for creating Cloudflare Access authentication for Fastify\n */\nexport interface CloudflareAccessAuthOptions {\n  /** Cloudflare Access configuration */\n  accessConfig: CloudflareAccessConfig;\n\n  /** Optional email allowlist. Access policy should still be configured at Cloudflare. */\n  allowedEmails?: string[];\n\n  /** Custom unauthorized handler */\n  onUnauthorized?: (\n    request: import(\"fastify\").FastifyRequest,\n    reply: import(\"fastify\").FastifyReply,\n    reason: string,\n  ) => void | Promise<void>;\n\n  /** Custom forbidden handler */\n  onForbidden?: (\n    request: import(\"fastify\").FastifyRequest,\n    reply: import(\"fastify\").FastifyReply,\n    email: string,\n  ) => void | Promise<void>;\n\n  /** Paths to exclude from auth check */\n  excludePaths?: string[];\n\n  /** Whether to skip JWT validation outside production */\n  skipInDev?: boolean;\n\n  /** Environment indicator */\n  environment?: string;\n}\n\n/**\n * Get Cloudflare Access configuration from environment variables\n */\nexport function getCloudflareAccessConfigFromEnv(\n  env: CloudflareAccessMiddlewareEnv,\n): CloudflareAccessConfig {\n  return _getCloudflareAccessConfigFromEnv(env);\n}\n","import type { FastifyReply } from \"fastify\";\n\n/**\n * Generate unauthorized response\n */\nexport function unauthorizedResponse(reply: FastifyReply, reason: string): void {\n  reply.code(401).send({\n    success: false,\n    error: {\n      code: \"INVALID_TOKEN\",\n      message: \"Invalid authentication token\",\n      why: reason,\n      fix: \"Please sign in again via Cloudflare Access\",\n    },\n  });\n}\n\n/**\n * Generate auth required response\n */\nexport function authRequiredResponse(reply: FastifyReply): void {\n  reply.code(401).send({\n    success: false,\n    error: {\n      code: \"AUTH_REQUIRED\",\n      message: \"Unauthorized\",\n      why: \"Authentication required via Cloudflare Access\",\n      fix: \"Sign in via Cloudflare Access\",\n    },\n  });\n}\n\n/**\n * Generate forbidden response\n */\nexport function forbiddenResponse(reply: FastifyReply): void {\n  reply.code(403).send({\n    success: false,\n    error: {\n      code: \"ACCESS_DENIED\",\n      message: \"Forbidden\",\n      why: \"Your email is not authorized to access this resource\",\n      fix: \"Contact an administrator if you need access\",\n    },\n  });\n}\n","import type { FastifyRequest, FastifyReply, FastifyInstance, preHandlerHookHandler } from \"fastify\";\nimport { validateCloudflareAccessToken } from \"../../core\";\nimport type { CloudflareAccessAuthOptions } from \"./types\";\nimport { unauthorizedResponse, authRequiredResponse, forbiddenResponse } from \"./responses\";\n\ndeclare module \"fastify\" {\n  interface FastifyRequest {\n    /** Authenticated user from Cloudflare Access */\n    user?: import(\"../../core\").CloudflareAccessUser;\n  }\n}\n\n/**\n * Creates a preHandler hook for Cloudflare Access authentication.\n *\n * @param options - Configuration options\n * @returns Fastify preHandler hook\n *\n * @example\n * ```typescript\n * import fastify from 'fastify';\n * import { cloudflareAccessPreHandler } from 'cloudflare-access/adapters/fastify';\n *\n * const app = fastify();\n *\n * app.addHook('preHandler', cloudflareAccessPreHandler({\n *   accessConfig: {\n *     teamDomain: 'https://yourteam.cloudflareaccess.com',\n *     audTag: 'your-audience-tag',\n *   },\n * }));\n *\n * app.get('/protected', async (request, reply) => {\n *   return { email: request.user?.email };\n * });\n * ```\n */\nexport function cloudflareAccessPreHandler(\n  options: CloudflareAccessAuthOptions,\n): preHandlerHookHandler {\n  const allowedEmails = options.allowedEmails ?? null;\n\n  return async (request: FastifyRequest, reply: FastifyReply): Promise<void> => {\n    const path = request.url;\n    const method = request.method;\n\n    // Skip OPTIONS requests and excluded paths\n    if (options.excludePaths?.includes(path) || method === \"OPTIONS\") {\n      return;\n    }\n\n    const token = request.headers[\"cf-access-jwt-assertion\"] as string | undefined;\n    const protocol = request.protocol;\n    const host = request.hostname;\n    const url = `${protocol}://${host}${request.url}`;\n\n    const result = await validateCloudflareAccessToken(\n      token,\n      {\n        accessConfig: options.accessConfig,\n        allowedEmails: allowedEmails ?? undefined,\n        skipInDev: options.skipInDev,\n        environment: options.environment,\n      },\n      url,\n    );\n\n    if (!result.success) {\n      if (result.error?.code === \"AUTH_REQUIRED\") {\n        if (options.onUnauthorized) {\n          await options.onUnauthorized(request, reply, result.error.why);\n        } else {\n          authRequiredResponse(reply);\n        }\n        return;\n      }\n\n      if (result.error?.code === \"ACCESS_DENIED\") {\n        const email = result.user?.email ?? \"unknown\";\n        if (options.onForbidden) {\n          await options.onForbidden(request, reply, email);\n        } else {\n          forbiddenResponse(reply);\n        }\n        return;\n      }\n\n      if (options.onUnauthorized) {\n        await options.onUnauthorized(request, reply, result.error?.why ?? \"Unknown error\");\n      } else {\n        unauthorizedResponse(reply, result.error?.why ?? \"Unknown error\");\n      }\n      return;\n    }\n\n    // Set user in request\n    if (result.user) {\n      request.user = result.user;\n    }\n  };\n}\n\n/**\n * Creates a Fastify plugin for Cloudflare Access authentication.\n *\n * @param options - Configuration options\n * @returns Fastify plugin\n *\n * @example\n * ```typescript\n * import fastify from 'fastify';\n * import { cloudflareAccessPlugin } from 'cloudflare-access/adapters/fastify';\n *\n * const app = fastify();\n *\n * app.register(cloudflareAccessPlugin, {\n *   accessConfig: {\n *     teamDomain: 'https://yourteam.cloudflareaccess.com',\n *     audTag: 'your-audience-tag',\n *   },\n * });\n *\n * app.get('/protected', async (request, reply) => {\n *   return { email: request.user?.email };\n * });\n * ```\n */\nexport async function cloudflareAccessPlugin(\n  fastify: FastifyInstance,\n  options: CloudflareAccessAuthOptions,\n): Promise<void> {\n  fastify.addHook(\"preHandler\", cloudflareAccessPreHandler(options));\n}\n","import type { FastifyPluginAsync } from \"fastify\";\nimport type { CloudflareAccessAuthOptions } from \"./types\";\nimport { cloudflareAccessPreHandler } from \"./middleware\";\n\n/**\n * Creates a Fastify plugin for Cloudflare Access authentication.\n *\n * @param options - Configuration options\n * @returns Fastify plugin\n *\n * @example\n * ```typescript\n * import fastify from 'fastify';\n * import { cloudflareAccessPlugin } from 'cloudflare-access/adapters/fastify';\n *\n * const app = fastify();\n *\n * app.register(cloudflareAccessPlugin, {\n *   accessConfig: {\n *     teamDomain: 'https://yourteam.cloudflareaccess.com',\n *     audTag: 'your-audience-tag',\n *   },\n * });\n *\n * app.get('/protected', async (request, reply) => {\n *   return { email: request.user?.email };\n * });\n * ```\n */\nexport const cloudflareAccessPlugin: FastifyPluginAsync<CloudflareAccessAuthOptions> = async (\n  fastify,\n  options,\n) => {\n  fastify.addHook(\"preHandler\", cloudflareAccessPreHandler(options));\n};\n\n// Also export as default for convenience\nexport default cloudflareAccessPlugin;\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAwCO,SAASA,kCACd,KACwB;AACxB,SAAO,iCAAkC,GAAG;AAC9C;;;ACvCO,SAAS,qBAAqB,OAAqB,QAAsB;AAC9E,QAAM,KAAK,GAAG,EAAE,KAAK;AAAA,IACnB,SAAS;AAAA,IACT,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SAAS;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF,CAAC;AACH;AAKO,SAAS,qBAAqB,OAA2B;AAC9D,QAAM,KAAK,GAAG,EAAE,KAAK;AAAA,IACnB,SAAS;AAAA,IACT,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SAAS;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF,CAAC;AACH;AAKO,SAAS,kBAAkB,OAA2B;AAC3D,QAAM,KAAK,GAAG,EAAE,KAAK;AAAA,IACnB,SAAS;AAAA,IACT,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SAAS;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF,CAAC;AACH;;;ACRO,SAAS,2BACd,SACuB;AACvB,QAAM,gBAAgB,QAAQ,iBAAiB;AAE/C,SAAO,OAAO,SAAyB,UAAuC;AAC5E,UAAM,OAAO,QAAQ;AACrB,UAAM,SAAS,QAAQ;AAGvB,QAAI,QAAQ,cAAc,SAAS,IAAI,KAAK,WAAW,WAAW;AAChE;AAAA,IACF;AAEA,UAAM,QAAQ,QAAQ,QAAQ,yBAAyB;AACvD,UAAM,WAAW,QAAQ;AACzB,UAAM,OAAO,QAAQ;AACrB,UAAM,MAAM,GAAG,QAAQ,MAAM,IAAI,GAAG,QAAQ,GAAG;AAE/C,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA;AAAA,QACE,cAAc,QAAQ;AAAA,QACtB,eAAe,iBAAiB;AAAA,QAChC,WAAW,QAAQ;AAAA,QACnB,aAAa,QAAQ;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAEA,QAAI,CAAC,OAAO,SAAS;AACnB,UAAI,OAAO,OAAO,SAAS,iBAAiB;AAC1C,YAAI,QAAQ,gBAAgB;AAC1B,gBAAM,QAAQ,eAAe,SAAS,OAAO,OAAO,MAAM,GAAG;AAAA,QAC/D,OAAO;AACL,+BAAqB,KAAK;AAAA,QAC5B;AACA;AAAA,MACF;AAEA,UAAI,OAAO,OAAO,SAAS,iBAAiB;AAC1C,cAAM,QAAQ,OAAO,MAAM,SAAS;AACpC,YAAI,QAAQ,aAAa;AACvB,gBAAM,QAAQ,YAAY,SAAS,OAAO,KAAK;AAAA,QACjD,OAAO;AACL,4BAAkB,KAAK;AAAA,QACzB;AACA;AAAA,MACF;AAEA,UAAI,QAAQ,gBAAgB;AAC1B,cAAM,QAAQ,eAAe,SAAS,OAAO,OAAO,OAAO,OAAO,eAAe;AAAA,MACnF,OAAO;AACL,6BAAqB,OAAO,OAAO,OAAO,OAAO,eAAe;AAAA,MAClE;AACA;AAAA,IACF;AAGA,QAAI,OAAO,MAAM;AACf,cAAQ,OAAO,OAAO;AAAA,IACxB;AAAA,EACF;AACF;;;ACvEO,IAAM,yBAA0E,OACrF,SACA,YACG;AACH,UAAQ,QAAQ,cAAc,2BAA2B,OAAO,CAAC;AACnE;AAGA,IAAO,iBAAQ;","names":["getCloudflareAccessConfigFromEnv"]}

package/dist/adapters/hono/index.d.mts

@@ -0,0 +1,19 @@
+export { A as AccessDeniedError, a as AuthRequiredError, C as CloudflareAccessConfig, c as CloudflareAccessError, d as CloudflareAccessErrorCode, e as CloudflareAccessMiddlewareEnv, f as CloudflareAccessPayload, g as CloudflareAccessUser, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, t as toAuthError } from '../../jwks-ChdyyS_L.mjs';
+export { C as CloudflareAccessAuthOptions, a as CloudflareAccessConfigResolver, b as CloudflareAccessHono, c as CloudflareAccessVariables, d as createCloudflareAccessAuth, g as getCloudflareAccessConfigFromBindings, r as resolveConfig } from '../../middleware-BDl6jUCu.mjs';
+import { Context } from 'hono';
+import 'jose';
+
+/**
+ * Generate unauthorized response
+ */
+declare function unauthorizedResponse(c: Context, reason: string): Response;
+/**
+ * Generate auth required response
+ */
+declare function authRequiredResponse(c: Context): Response;
+/**
+ * Generate forbidden response
+ */
+declare function forbiddenResponse(c: Context): Response;
+
+export { authRequiredResponse, forbiddenResponse, unauthorizedResponse };

package/dist/adapters/hono/index.d.ts

@@ -0,0 +1,19 @@
+export { A as AccessDeniedError, a as AuthRequiredError, C as CloudflareAccessConfig, c as CloudflareAccessError, d as CloudflareAccessErrorCode, e as CloudflareAccessMiddlewareEnv, f as CloudflareAccessPayload, g as CloudflareAccessUser, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, t as toAuthError } from '../../jwks-ChdyyS_L.js';
+export { C as CloudflareAccessAuthOptions, a as CloudflareAccessConfigResolver, b as CloudflareAccessHono, c as CloudflareAccessVariables, d as createCloudflareAccessAuth, g as getCloudflareAccessConfigFromBindings, r as resolveConfig } from '../../middleware-CgFsjM20.js';
+import { Context } from 'hono';
+import 'jose';
+
+/**
+ * Generate unauthorized response
+ */
+declare function unauthorizedResponse(c: Context, reason: string): Response;
+/**
+ * Generate auth required response
+ */
+declare function authRequiredResponse(c: Context): Response;
+/**
+ * Generate forbidden response
+ */
+declare function forbiddenResponse(c: Context): Response;
+
+export { authRequiredResponse, forbiddenResponse, unauthorizedResponse };

package/dist/adapters/hono/index.js

@@ -0,0 +1,45 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});
+
+
+
+
+
+
+var _chunkPMFPT3SIjs = require('../../chunk-PMFPT3SI.js');
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+var _chunkWUJPWM4Tjs = require('../../chunk-WUJPWM4T.js');
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.AccessDeniedError = _chunkWUJPWM4Tjs.AccessDeniedError; exports.AuthRequiredError = _chunkWUJPWM4Tjs.AuthRequiredError; exports.CloudflareAccessError = _chunkWUJPWM4Tjs.CloudflareAccessError; exports.CloudflareAccessErrorCode = _chunkWUJPWM4Tjs.CloudflareAccessErrorCode; exports.ConfigurationError = _chunkWUJPWM4Tjs.ConfigurationError; exports.InvalidTokenError = _chunkWUJPWM4Tjs.InvalidTokenError; exports.__clearJwksCache = _chunkWUJPWM4Tjs.__clearJwksCache; exports.authRequiredResponse = _chunkPMFPT3SIjs.authRequiredResponse; exports.createCloudflareAccessAuth = _chunkPMFPT3SIjs.createCloudflareAccessAuth; exports.forbiddenResponse = _chunkPMFPT3SIjs.forbiddenResponse; exports.getCloudflareAccessConfigFromBindings = _chunkPMFPT3SIjs.getCloudflareAccessConfigFromBindings; exports.isAccessDeniedError = _chunkWUJPWM4Tjs.isAccessDeniedError; exports.isAuthRequiredError = _chunkWUJPWM4Tjs.isAuthRequiredError; exports.isCloudflareAccessError = _chunkWUJPWM4Tjs.isCloudflareAccessError; exports.isConfigurationError = _chunkWUJPWM4Tjs.isConfigurationError; exports.isInvalidTokenError = _chunkWUJPWM4Tjs.isInvalidTokenError; exports.resolveConfig = _chunkPMFPT3SIjs.resolveConfig; exports.toAuthError = _chunkWUJPWM4Tjs.toAuthError; exports.unauthorizedResponse = _chunkPMFPT3SIjs.unauthorizedResponse;
+//# sourceMappingURL=index.js.map

package/dist/adapters/hono/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/v000281/personal/hono-cloudflare-access-middleware/dist/adapters/hono/index.js"],"names":[],"mappings":"AAAA;AACE;AACA;AACA;AACA;AACA;AACA;AACF,0DAAgC;AAChC;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,0DAAgC;AAChC;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,uyCAAC","file":"/Users/v000281/personal/hono-cloudflare-access-middleware/dist/adapters/hono/index.js"}

package/dist/adapters/hono/index.mjs

@@ -0,0 +1,45 @@
+import {
+  authRequiredResponse,
+  createCloudflareAccessAuth,
+  forbiddenResponse,
+  getCloudflareAccessConfigFromBindings,
+  resolveConfig,
+  unauthorizedResponse
+} from "../../chunk-LQWCGHLJ.mjs";
+import {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  InvalidTokenError,
+  __clearJwksCache,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  toAuthError
+} from "../../chunk-DM2KGIQX.mjs";
+export {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  InvalidTokenError,
+  __clearJwksCache,
+  authRequiredResponse,
+  createCloudflareAccessAuth,
+  forbiddenResponse,
+  getCloudflareAccessConfigFromBindings,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  resolveConfig,
+  toAuthError,
+  unauthorizedResponse
+};
+//# sourceMappingURL=index.mjs.map

package/dist/adapters/hono/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}