cloudflare-access 1.0.0

package/dist/adapters/nestjs/index.d.mts

@@ -0,0 +1,123 @@
+import { C as CloudflareAccessConfig, e as CloudflareAccessMiddlewareEnv, g as CloudflareAccessUser } from '../../jwks-ChdyyS_L.mjs';
+export { A as AccessDeniedError, a as AuthRequiredError, c as CloudflareAccessError, d as CloudflareAccessErrorCode, f as CloudflareAccessPayload, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, t as toAuthError } from '../../jwks-ChdyyS_L.mjs';
+import * as _nestjs_common from '@nestjs/common';
+import { CanActivate, ExecutionContext, ModuleMetadata, Type } from '@nestjs/common';
+import 'jose';
+
+/**
+ * Options for Cloudflare Access Guard
+ */
+interface CloudflareAccessGuardOptions {
+    /** Cloudflare Access configuration */
+    accessConfig: CloudflareAccessConfig;
+    /** Optional email allowlist. Access policy should still be configured at Cloudflare. */
+    allowedEmails?: string[];
+    /** Whether to skip JWT validation outside production */
+    skipInDev?: boolean;
+    /** Environment indicator */
+    environment?: string;
+}
+/**
+ * Get Cloudflare Access configuration from environment variables
+ */
+declare function getCloudflareAccessConfigFromEnv(env: CloudflareAccessMiddlewareEnv): CloudflareAccessConfig;
+
+declare module "express" {
+    interface Request {
+        user?: CloudflareAccessUser;
+    }
+}
+/**
+ * NestJS Guard for Cloudflare Access authentication.
+ *
+ * @example
+ * ```typescript
+ * import { Module } from '@nestjs/common';
+ * import { APP_GUARD } from '@nestjs/core';
+ * import { CloudflareAccessGuard } from 'cloudflare-access/adapters/nestjs';
+ *
+ * @Module({
+ *   providers: [
+ *     {
+ *       provide: APP_GUARD,
+ *       useFactory: () => new CloudflareAccessGuard({
+ *         accessConfig: {
+ *           teamDomain: 'https://yourteam.cloudflareaccess.com',
+ *           audTag: 'your-audience-tag',
+ *         },
+ *       }),
+ *     },
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ */
+declare class CloudflareAccessGuard implements CanActivate {
+    private readonly options;
+    private readonly allowedEmails;
+    constructor(options: CloudflareAccessGuardOptions);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    private isPublicRoute;
+}
+
+/**
+ * Metadata key for public routes
+ */
+declare const IS_PUBLIC_KEY = "cfAccessPublic";
+
+/**
+ * Decorator to mark a route as public (skip auth)
+ */
+declare const Public: () => _nestjs_common.CustomDecorator<string>;
+/**
+ * Decorator to apply Cloudflare Access authentication to a route or controller.
+ *
+ * @example
+ * ```typescript
+ * import { Controller, Get } from '@nestjs/common';
+ * import { CloudflareAccess, Public } from 'cloudflare-access/adapters/nestjs';
+ *
+ * @Controller('api')
+ * @CloudflareAccess({
+ *   accessConfig: {
+ *     teamDomain: 'https://yourteam.cloudflareaccess.com',
+ *     audTag: 'your-audience-tag',
+ *   },
+ * })
+ * export class ApiController {
+ *   @Get('protected')
+ *   getProtected(@Req() req: Request) {
+ *     return { email: req.user?.email };
+ *   }
+ *
+ *   @Public()
+ *   @Get('public')
+ *   getPublic() {
+ *     return { message: 'This is public' };
+ *   }
+ * }
+ * ```
+ */
+declare function CloudflareAccess(options: CloudflareAccessGuardOptions): <TFunction extends Function, Y>(target: TFunction | object, propertyKey?: string | symbol, descriptor?: TypedPropertyDescriptor<Y>) => void;
+/**
+ * Interface for async options for Cloudflare Access module
+ */
+interface CloudflareAccessModuleAsyncOptions extends Pick<ModuleMetadata, "imports"> {
+    useExisting?: Type<{
+        createCloudflareAccessOptions(): Promise<CloudflareAccessGuardOptions> | CloudflareAccessGuardOptions;
+    }>;
+    useClass?: Type<{
+        createCloudflareAccessOptions(): Promise<CloudflareAccessGuardOptions> | CloudflareAccessGuardOptions;
+    }>;
+    useFactory?: (...args: any[]) => Promise<CloudflareAccessGuardOptions> | CloudflareAccessGuardOptions;
+    inject?: any[];
+}
+
+declare module "express" {
+    interface Request {
+        /** Authenticated user from Cloudflare Access */
+        user?: CloudflareAccessUser;
+    }
+}
+
+export { CloudflareAccess, CloudflareAccessConfig, CloudflareAccessGuard, type CloudflareAccessGuardOptions, CloudflareAccessMiddlewareEnv, type CloudflareAccessModuleAsyncOptions, CloudflareAccessUser, IS_PUBLIC_KEY, Public, getCloudflareAccessConfigFromEnv };

package/dist/adapters/nestjs/index.d.ts

@@ -0,0 +1,123 @@
+import { C as CloudflareAccessConfig, e as CloudflareAccessMiddlewareEnv, g as CloudflareAccessUser } from '../../jwks-ChdyyS_L.js';
+export { A as AccessDeniedError, a as AuthRequiredError, c as CloudflareAccessError, d as CloudflareAccessErrorCode, f as CloudflareAccessPayload, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, t as toAuthError } from '../../jwks-ChdyyS_L.js';
+import * as _nestjs_common from '@nestjs/common';
+import { CanActivate, ExecutionContext, ModuleMetadata, Type } from '@nestjs/common';
+import 'jose';
+
+/**
+ * Options for Cloudflare Access Guard
+ */
+interface CloudflareAccessGuardOptions {
+    /** Cloudflare Access configuration */
+    accessConfig: CloudflareAccessConfig;
+    /** Optional email allowlist. Access policy should still be configured at Cloudflare. */
+    allowedEmails?: string[];
+    /** Whether to skip JWT validation outside production */
+    skipInDev?: boolean;
+    /** Environment indicator */
+    environment?: string;
+}
+/**
+ * Get Cloudflare Access configuration from environment variables
+ */
+declare function getCloudflareAccessConfigFromEnv(env: CloudflareAccessMiddlewareEnv): CloudflareAccessConfig;
+
+declare module "express" {
+    interface Request {
+        user?: CloudflareAccessUser;
+    }
+}
+/**
+ * NestJS Guard for Cloudflare Access authentication.
+ *
+ * @example
+ * ```typescript
+ * import { Module } from '@nestjs/common';
+ * import { APP_GUARD } from '@nestjs/core';
+ * import { CloudflareAccessGuard } from 'cloudflare-access/adapters/nestjs';
+ *
+ * @Module({
+ *   providers: [
+ *     {
+ *       provide: APP_GUARD,
+ *       useFactory: () => new CloudflareAccessGuard({
+ *         accessConfig: {
+ *           teamDomain: 'https://yourteam.cloudflareaccess.com',
+ *           audTag: 'your-audience-tag',
+ *         },
+ *       }),
+ *     },
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ */
+declare class CloudflareAccessGuard implements CanActivate {
+    private readonly options;
+    private readonly allowedEmails;
+    constructor(options: CloudflareAccessGuardOptions);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    private isPublicRoute;
+}
+
+/**
+ * Metadata key for public routes
+ */
+declare const IS_PUBLIC_KEY = "cfAccessPublic";
+
+/**
+ * Decorator to mark a route as public (skip auth)
+ */
+declare const Public: () => _nestjs_common.CustomDecorator<string>;
+/**
+ * Decorator to apply Cloudflare Access authentication to a route or controller.
+ *
+ * @example
+ * ```typescript
+ * import { Controller, Get } from '@nestjs/common';
+ * import { CloudflareAccess, Public } from 'cloudflare-access/adapters/nestjs';
+ *
+ * @Controller('api')
+ * @CloudflareAccess({
+ *   accessConfig: {
+ *     teamDomain: 'https://yourteam.cloudflareaccess.com',
+ *     audTag: 'your-audience-tag',
+ *   },
+ * })
+ * export class ApiController {
+ *   @Get('protected')
+ *   getProtected(@Req() req: Request) {
+ *     return { email: req.user?.email };
+ *   }
+ *
+ *   @Public()
+ *   @Get('public')
+ *   getPublic() {
+ *     return { message: 'This is public' };
+ *   }
+ * }
+ * ```
+ */
+declare function CloudflareAccess(options: CloudflareAccessGuardOptions): <TFunction extends Function, Y>(target: TFunction | object, propertyKey?: string | symbol, descriptor?: TypedPropertyDescriptor<Y>) => void;
+/**
+ * Interface for async options for Cloudflare Access module
+ */
+interface CloudflareAccessModuleAsyncOptions extends Pick<ModuleMetadata, "imports"> {
+    useExisting?: Type<{
+        createCloudflareAccessOptions(): Promise<CloudflareAccessGuardOptions> | CloudflareAccessGuardOptions;
+    }>;
+    useClass?: Type<{
+        createCloudflareAccessOptions(): Promise<CloudflareAccessGuardOptions> | CloudflareAccessGuardOptions;
+    }>;
+    useFactory?: (...args: any[]) => Promise<CloudflareAccessGuardOptions> | CloudflareAccessGuardOptions;
+    inject?: any[];
+}
+
+declare module "express" {
+    interface Request {
+        /** Authenticated user from Cloudflare Access */
+        user?: CloudflareAccessUser;
+    }
+}
+
+export { CloudflareAccess, CloudflareAccessConfig, CloudflareAccessGuard, type CloudflareAccessGuardOptions, CloudflareAccessMiddlewareEnv, type CloudflareAccessModuleAsyncOptions, CloudflareAccessUser, IS_PUBLIC_KEY, Public, getCloudflareAccessConfigFromEnv };

package/dist/adapters/nestjs/index.js

@@ -0,0 +1,117 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+var _chunkWUJPWM4Tjs = require('../../chunk-WUJPWM4T.js');
+
+// src/adapters/nestjs/types.ts
+function getCloudflareAccessConfigFromEnv2(env) {
+  return _chunkWUJPWM4Tjs.getCloudflareAccessConfigFromEnv.call(void 0, env);
+}
+
+// src/adapters/nestjs/guard.ts
+var _common = require('@nestjs/common');
+
+// src/adapters/nestjs/constants.ts
+var IS_PUBLIC_KEY = "cfAccessPublic";
+
+// src/adapters/nestjs/guard.ts
+var CloudflareAccessGuard = class {
+  constructor(options) {
+    this.options = options;
+    this.allowedEmails = _nullishCoalesce(options.allowedEmails, () => ( null));
+  }
+  
+  
+  async canActivate(context) {
+    const isPublic = this.isPublicRoute(context);
+    if (isPublic) {
+      return true;
+    }
+    const request = context.switchToHttp().getRequest();
+    const method = request.method;
+    if (method === "OPTIONS") {
+      return true;
+    }
+    const protocol = request.headers["x-forwarded-proto"] || "http";
+    const host = request.headers.host;
+    const url = `${protocol}://${host}${request.originalUrl}`;
+    const token = request.headers["cf-access-jwt-assertion"];
+    const result = await _chunkWUJPWM4Tjs.validateCloudflareAccessToken.call(void 0, 
+      token,
+      {
+        accessConfig: this.options.accessConfig,
+        allowedEmails: _nullishCoalesce(this.allowedEmails, () => ( void 0)),
+        skipInDev: this.options.skipInDev,
+        environment: this.options.environment
+      },
+      url
+    );
+    if (!result.success) {
+      if (_optionalChain([result, 'access', _ => _.error, 'optionalAccess', _2 => _2.code]) === "ACCESS_DENIED") {
+        throw new (0, _common.ForbiddenException)(result.error.message);
+      }
+      throw new (0, _common.UnauthorizedException)(_nullishCoalesce(_optionalChain([result, 'access', _3 => _3.error, 'optionalAccess', _4 => _4.message]), () => ( "Authentication required")));
+    }
+    if (result.user) {
+      request.user = result.user;
+    }
+    return true;
+  }
+  isPublicRoute(context) {
+    const isPublic = Reflect.getMetadata(IS_PUBLIC_KEY, context.getHandler());
+    if (isPublic) {
+      return true;
+    }
+    const isClassPublic = Reflect.getMetadata(IS_PUBLIC_KEY, context.getClass());
+    return _nullishCoalesce(isClassPublic, () => ( false));
+  }
+};
+CloudflareAccessGuard = exports.CloudflareAccessGuard = _chunkWUJPWM4Tjs.__decorateClass.call(void 0, [
+  _common.Injectable.call(void 0, )
+], CloudflareAccessGuard);
+
+// src/adapters/nestjs/decorators.ts
+
+
+
+
+
+var Public = () => _common.SetMetadata.call(void 0, IS_PUBLIC_KEY, true);
+function CloudflareAccess(options) {
+  return _common.applyDecorators.call(void 0, _common.UseGuards.call(void 0, new CloudflareAccessGuard(options)));
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.AccessDeniedError = _chunkWUJPWM4Tjs.AccessDeniedError; exports.AuthRequiredError = _chunkWUJPWM4Tjs.AuthRequiredError; exports.CloudflareAccess = CloudflareAccess; exports.CloudflareAccessError = _chunkWUJPWM4Tjs.CloudflareAccessError; exports.CloudflareAccessErrorCode = _chunkWUJPWM4Tjs.CloudflareAccessErrorCode; exports.CloudflareAccessGuard = CloudflareAccessGuard; exports.ConfigurationError = _chunkWUJPWM4Tjs.ConfigurationError; exports.IS_PUBLIC_KEY = IS_PUBLIC_KEY; exports.InvalidTokenError = _chunkWUJPWM4Tjs.InvalidTokenError; exports.Public = Public; exports.__clearJwksCache = _chunkWUJPWM4Tjs.__clearJwksCache; exports.getCloudflareAccessConfigFromEnv = getCloudflareAccessConfigFromEnv2; exports.isAccessDeniedError = _chunkWUJPWM4Tjs.isAccessDeniedError; exports.isAuthRequiredError = _chunkWUJPWM4Tjs.isAuthRequiredError; exports.isCloudflareAccessError = _chunkWUJPWM4Tjs.isCloudflareAccessError; exports.isConfigurationError = _chunkWUJPWM4Tjs.isConfigurationError; exports.isInvalidTokenError = _chunkWUJPWM4Tjs.isInvalidTokenError; exports.toAuthError = _chunkWUJPWM4Tjs.toAuthError;
+//# sourceMappingURL=index.js.map

package/dist/adapters/nestjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/v000281/personal/hono-cloudflare-access-middleware/dist/adapters/nestjs/index.js","../../../src/adapters/nestjs/types.ts","../../../src/adapters/nestjs/guard.ts","../../../src/adapters/nestjs/constants.ts","../../../src/adapters/nestjs/decorators.ts"],"names":["getCloudflareAccessConfigFromEnv"],"mappings":"AAAA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,0DAAgC;AAChC;AACA;ACIO,SAASA,iCAAAA,CACd,GAAA,EACwB;AACxB,EAAA,OAAO,+DAAA,GAAqC,CAAA;AAC9C;ADJA;AACA;AEvBA,wCAAsE;AFyBtE;AACA;AGxBO,IAAM,cAAA,EAAgB,gBAAA;AH0B7B;AACA;AESO,IAAM,sBAAA,EAAN,MAAmD;AAAA,EAGxD,WAAA,CAA6B,OAAA,EAAuC;AAAvC,IAAA,IAAA,CAAA,QAAA,EAAA,OAAA;AAC3B,IAAA,IAAA,CAAK,cAAA,mBAAgB,OAAA,CAAQ,aAAA,UAAiB,MAAA;AAAA,EAChD;AAAA,EAF6B;AAAA,EAFZ;AAAA,EAMjB,MAAM,WAAA,CAAY,OAAA,EAA6C;AAC7D,IAAA,MAAM,SAAA,EAAW,IAAA,CAAK,aAAA,CAAc,OAAO,CAAA;AAC3C,IAAA,GAAA,CAAI,QAAA,EAAU;AACZ,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,QAAA,EAAU,OAAA,CAAQ,YAAA,CAAa,CAAA,CAAE,UAAA,CAAoB,CAAA;AAC3D,IAAA,MAAM,OAAA,EAAS,OAAA,CAAQ,MAAA;AAGvB,IAAA,GAAA,CAAI,OAAA,IAAW,SAAA,EAAW;AACxB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,SAAA,EAAW,OAAA,CAAQ,OAAA,CAAQ,mBAAmB,EAAA,GAAK,MAAA;AACzD,IAAA,MAAM,KAAA,EAAO,OAAA,CAAQ,OAAA,CAAQ,IAAA;AAC7B,IAAA,MAAM,IAAA,EAAM,CAAA,EAAA;AAEN,IAAA;AAEA,IAAA;AACJ,MAAA;AACA,MAAA;AACE,QAAA;AACA,QAAA;AACA,QAAA;AACA,QAAA;AACF,MAAA;AACA,MAAA;AACF,IAAA;AAEY,IAAA;AACC,MAAA;AACH,QAAA;AACR,MAAA;AACU,MAAA;AACZ,IAAA;AAEW,IAAA;AACD,MAAA;AACV,IAAA;AAEO,IAAA;AACT,EAAA;AAEsB,EAAA;AACd,IAAA;AACF,IAAA;AACK,MAAA;AACT,IAAA;AACM,IAAA;AACC,IAAA;AACT,EAAA;AACF;AA5Da;AADD,EAAA;AACC;AF8CI;AACA;AItFjB;AACE;AAGA;AACA;AACK;AASe;AA+BN;AACP,EAAA;AACT;AJgDiB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/v000281/personal/hono-cloudflare-access-middleware/dist/adapters/nestjs/index.js","sourcesContent":[null,"import type { CloudflareAccessConfig, CloudflareAccessMiddlewareEnv } from \"../../core\";\nimport { getCloudflareAccessConfigFromEnv as _getCloudflareAccessConfigFromEnv } from \"../../core\";\n\n/**\n * Options for Cloudflare Access Guard\n */\nexport interface CloudflareAccessGuardOptions {\n  /** Cloudflare Access configuration */\n  accessConfig: CloudflareAccessConfig;\n\n  /** Optional email allowlist. Access policy should still be configured at Cloudflare. */\n  allowedEmails?: string[];\n\n  /** Whether to skip JWT validation outside production */\n  skipInDev?: boolean;\n\n  /** Environment indicator */\n  environment?: string;\n}\n\n/**\n * Get Cloudflare Access configuration from environment variables\n */\nexport function getCloudflareAccessConfigFromEnv(\n  env: CloudflareAccessMiddlewareEnv,\n): CloudflareAccessConfig {\n  return _getCloudflareAccessConfigFromEnv(env);\n}\n","import type { CanActivate, ExecutionContext } from \"@nestjs/common\";\nimport { Injectable, UnauthorizedException, ForbiddenException } from \"@nestjs/common\";\nimport type { Request } from \"express\";\nimport { validateCloudflareAccessToken } from \"../../core\";\nimport type { CloudflareAccessGuardOptions } from \"./types\";\nimport { IS_PUBLIC_KEY } from \"./constants\";\n\ndeclare module \"express\" {\n  interface Request {\n    user?: import(\"../../core\").CloudflareAccessUser;\n  }\n}\n\n/**\n * NestJS Guard for Cloudflare Access authentication.\n *\n * @example\n * ```typescript\n * import { Module } from '@nestjs/common';\n * import { APP_GUARD } from '@nestjs/core';\n * import { CloudflareAccessGuard } from 'cloudflare-access/adapters/nestjs';\n *\n * @Module({\n *   providers: [\n *     {\n *       provide: APP_GUARD,\n *       useFactory: () => new CloudflareAccessGuard({\n *         accessConfig: {\n *           teamDomain: 'https://yourteam.cloudflareaccess.com',\n *           audTag: 'your-audience-tag',\n *         },\n *       }),\n *     },\n *   ],\n * })\n * export class AppModule {}\n * ```\n */\n@Injectable()\nexport class CloudflareAccessGuard implements CanActivate {\n  private readonly allowedEmails: string[] | null;\n\n  constructor(private readonly options: CloudflareAccessGuardOptions) {\n    this.allowedEmails = options.allowedEmails ?? null;\n  }\n\n  async canActivate(context: ExecutionContext): Promise<boolean> {\n    const isPublic = this.isPublicRoute(context);\n    if (isPublic) {\n      return true;\n    }\n\n    const request = context.switchToHttp().getRequest<Request>();\n    const method = request.method;\n\n    // Skip OPTIONS requests\n    if (method === \"OPTIONS\") {\n      return true;\n    }\n\n    const protocol = request.headers[\"x-forwarded-proto\"] || \"http\";\n    const host = request.headers.host;\n    const url = `${protocol}://${host}${request.originalUrl}`;\n\n    const token = request.headers[\"cf-access-jwt-assertion\"] as string | undefined;\n\n    const result = await validateCloudflareAccessToken(\n      token,\n      {\n        accessConfig: this.options.accessConfig,\n        allowedEmails: this.allowedEmails ?? undefined,\n        skipInDev: this.options.skipInDev,\n        environment: this.options.environment,\n      },\n      url,\n    );\n\n    if (!result.success) {\n      if (result.error?.code === \"ACCESS_DENIED\") {\n        throw new ForbiddenException(result.error.message);\n      }\n      throw new UnauthorizedException(result.error?.message ?? \"Authentication required\");\n    }\n\n    if (result.user) {\n      request.user = result.user;\n    }\n\n    return true;\n  }\n\n  private isPublicRoute(context: ExecutionContext): boolean {\n    const isPublic = Reflect.getMetadata(IS_PUBLIC_KEY, context.getHandler());\n    if (isPublic) {\n      return true;\n    }\n    const isClassPublic = Reflect.getMetadata(IS_PUBLIC_KEY, context.getClass());\n    return isClassPublic ?? false;\n  }\n}\n","/**\n * Metadata key for public routes\n */\nexport const IS_PUBLIC_KEY = \"cfAccessPublic\";\n","import {\n  SetMetadata,\n  type ModuleMetadata,\n  type Type,\n  applyDecorators,\n  UseGuards,\n} from \"@nestjs/common\";\nimport { CloudflareAccessGuard } from \"./guard\";\nimport type { CloudflareAccessGuardOptions } from \"./types\";\nimport { IS_PUBLIC_KEY } from \"./constants\";\nexport { IS_PUBLIC_KEY } from \"./constants\";\n\n/**\n * Decorator to mark a route as public (skip auth)\n */\nexport const Public = () => SetMetadata(IS_PUBLIC_KEY, true);\n\n/**\n * Decorator to apply Cloudflare Access authentication to a route or controller.\n *\n * @example\n * ```typescript\n * import { Controller, Get } from '@nestjs/common';\n * import { CloudflareAccess, Public } from 'cloudflare-access/adapters/nestjs';\n *\n * @Controller('api')\n * @CloudflareAccess({\n *   accessConfig: {\n *     teamDomain: 'https://yourteam.cloudflareaccess.com',\n *     audTag: 'your-audience-tag',\n *   },\n * })\n * export class ApiController {\n *   @Get('protected')\n *   getProtected(@Req() req: Request) {\n *     return { email: req.user?.email };\n *   }\n *\n *   @Public()\n *   @Get('public')\n *   getPublic() {\n *     return { message: 'This is public' };\n *   }\n * }\n * ```\n */\nexport function CloudflareAccess(options: CloudflareAccessGuardOptions) {\n  return applyDecorators(UseGuards(new CloudflareAccessGuard(options)));\n}\n\n/**\n * Interface for async options for Cloudflare Access module\n */\nexport interface CloudflareAccessModuleAsyncOptions extends Pick<ModuleMetadata, \"imports\"> {\n  useExisting?: Type<{\n    createCloudflareAccessOptions():\n      | Promise<CloudflareAccessGuardOptions>\n      | CloudflareAccessGuardOptions;\n  }>;\n  useClass?: Type<{\n    createCloudflareAccessOptions():\n      | Promise<CloudflareAccessGuardOptions>\n      | CloudflareAccessGuardOptions;\n  }>;\n  useFactory?: (\n    ...args: any[]\n  ) => Promise<CloudflareAccessGuardOptions> | CloudflareAccessGuardOptions;\n  inject?: any[];\n}\n"]}

package/dist/adapters/nestjs/index.mjs

@@ -0,0 +1,117 @@
+import {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  InvalidTokenError,
+  __clearJwksCache,
+  __decorateClass,
+  getCloudflareAccessConfigFromEnv,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  toAuthError,
+  validateCloudflareAccessToken
+} from "../../chunk-DM2KGIQX.mjs";
+
+// src/adapters/nestjs/types.ts
+function getCloudflareAccessConfigFromEnv2(env) {
+  return getCloudflareAccessConfigFromEnv(env);
+}
+
+// src/adapters/nestjs/guard.ts
+import { Injectable, UnauthorizedException, ForbiddenException } from "@nestjs/common";
+
+// src/adapters/nestjs/constants.ts
+var IS_PUBLIC_KEY = "cfAccessPublic";
+
+// src/adapters/nestjs/guard.ts
+var CloudflareAccessGuard = class {
+  constructor(options) {
+    this.options = options;
+    this.allowedEmails = options.allowedEmails ?? null;
+  }
+  options;
+  allowedEmails;
+  async canActivate(context) {
+    const isPublic = this.isPublicRoute(context);
+    if (isPublic) {
+      return true;
+    }
+    const request = context.switchToHttp().getRequest();
+    const method = request.method;
+    if (method === "OPTIONS") {
+      return true;
+    }
+    const protocol = request.headers["x-forwarded-proto"] || "http";
+    const host = request.headers.host;
+    const url = `${protocol}://${host}${request.originalUrl}`;
+    const token = request.headers["cf-access-jwt-assertion"];
+    const result = await validateCloudflareAccessToken(
+      token,
+      {
+        accessConfig: this.options.accessConfig,
+        allowedEmails: this.allowedEmails ?? void 0,
+        skipInDev: this.options.skipInDev,
+        environment: this.options.environment
+      },
+      url
+    );
+    if (!result.success) {
+      if (result.error?.code === "ACCESS_DENIED") {
+        throw new ForbiddenException(result.error.message);
+      }
+      throw new UnauthorizedException(result.error?.message ?? "Authentication required");
+    }
+    if (result.user) {
+      request.user = result.user;
+    }
+    return true;
+  }
+  isPublicRoute(context) {
+    const isPublic = Reflect.getMetadata(IS_PUBLIC_KEY, context.getHandler());
+    if (isPublic) {
+      return true;
+    }
+    const isClassPublic = Reflect.getMetadata(IS_PUBLIC_KEY, context.getClass());
+    return isClassPublic ?? false;
+  }
+};
+CloudflareAccessGuard = __decorateClass([
+  Injectable()
+], CloudflareAccessGuard);
+
+// src/adapters/nestjs/decorators.ts
+import {
+  SetMetadata,
+  applyDecorators,
+  UseGuards
+} from "@nestjs/common";
+var Public = () => SetMetadata(IS_PUBLIC_KEY, true);
+function CloudflareAccess(options) {
+  return applyDecorators(UseGuards(new CloudflareAccessGuard(options)));
+}
+export {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccess,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  CloudflareAccessGuard,
+  ConfigurationError,
+  IS_PUBLIC_KEY,
+  InvalidTokenError,
+  Public,
+  __clearJwksCache,
+  getCloudflareAccessConfigFromEnv2 as getCloudflareAccessConfigFromEnv,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  toAuthError
+};
+//# sourceMappingURL=index.mjs.map

package/dist/adapters/nestjs/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/adapters/nestjs/types.ts","../../../src/adapters/nestjs/guard.ts","../../../src/adapters/nestjs/constants.ts","../../../src/adapters/nestjs/decorators.ts"],"sourcesContent":["import type { CloudflareAccessConfig, CloudflareAccessMiddlewareEnv } from \"../../core\";\nimport { getCloudflareAccessConfigFromEnv as _getCloudflareAccessConfigFromEnv } from \"../../core\";\n\n/**\n * Options for Cloudflare Access Guard\n */\nexport interface CloudflareAccessGuardOptions {\n  /** Cloudflare Access configuration */\n  accessConfig: CloudflareAccessConfig;\n\n  /** Optional email allowlist. Access policy should still be configured at Cloudflare. */\n  allowedEmails?: string[];\n\n  /** Whether to skip JWT validation outside production */\n  skipInDev?: boolean;\n\n  /** Environment indicator */\n  environment?: string;\n}\n\n/**\n * Get Cloudflare Access configuration from environment variables\n */\nexport function getCloudflareAccessConfigFromEnv(\n  env: CloudflareAccessMiddlewareEnv,\n): CloudflareAccessConfig {\n  return _getCloudflareAccessConfigFromEnv(env);\n}\n","import type { CanActivate, ExecutionContext } from \"@nestjs/common\";\nimport { Injectable, UnauthorizedException, ForbiddenException } from \"@nestjs/common\";\nimport type { Request } from \"express\";\nimport { validateCloudflareAccessToken } from \"../../core\";\nimport type { CloudflareAccessGuardOptions } from \"./types\";\nimport { IS_PUBLIC_KEY } from \"./constants\";\n\ndeclare module \"express\" {\n  interface Request {\n    user?: import(\"../../core\").CloudflareAccessUser;\n  }\n}\n\n/**\n * NestJS Guard for Cloudflare Access authentication.\n *\n * @example\n * ```typescript\n * import { Module } from '@nestjs/common';\n * import { APP_GUARD } from '@nestjs/core';\n * import { CloudflareAccessGuard } from 'cloudflare-access/adapters/nestjs';\n *\n * @Module({\n *   providers: [\n *     {\n *       provide: APP_GUARD,\n *       useFactory: () => new CloudflareAccessGuard({\n *         accessConfig: {\n *           teamDomain: 'https://yourteam.cloudflareaccess.com',\n *           audTag: 'your-audience-tag',\n *         },\n *       }),\n *     },\n *   ],\n * })\n * export class AppModule {}\n * ```\n */\n@Injectable()\nexport class CloudflareAccessGuard implements CanActivate {\n  private readonly allowedEmails: string[] | null;\n\n  constructor(private readonly options: CloudflareAccessGuardOptions) {\n    this.allowedEmails = options.allowedEmails ?? null;\n  }\n\n  async canActivate(context: ExecutionContext): Promise<boolean> {\n    const isPublic = this.isPublicRoute(context);\n    if (isPublic) {\n      return true;\n    }\n\n    const request = context.switchToHttp().getRequest<Request>();\n    const method = request.method;\n\n    // Skip OPTIONS requests\n    if (method === \"OPTIONS\") {\n      return true;\n    }\n\n    const protocol = request.headers[\"x-forwarded-proto\"] || \"http\";\n    const host = request.headers.host;\n    const url = `${protocol}://${host}${request.originalUrl}`;\n\n    const token = request.headers[\"cf-access-jwt-assertion\"] as string | undefined;\n\n    const result = await validateCloudflareAccessToken(\n      token,\n      {\n        accessConfig: this.options.accessConfig,\n        allowedEmails: this.allowedEmails ?? undefined,\n        skipInDev: this.options.skipInDev,\n        environment: this.options.environment,\n      },\n      url,\n    );\n\n    if (!result.success) {\n      if (result.error?.code === \"ACCESS_DENIED\") {\n        throw new ForbiddenException(result.error.message);\n      }\n      throw new UnauthorizedException(result.error?.message ?? \"Authentication required\");\n    }\n\n    if (result.user) {\n      request.user = result.user;\n    }\n\n    return true;\n  }\n\n  private isPublicRoute(context: ExecutionContext): boolean {\n    const isPublic = Reflect.getMetadata(IS_PUBLIC_KEY, context.getHandler());\n    if (isPublic) {\n      return true;\n    }\n    const isClassPublic = Reflect.getMetadata(IS_PUBLIC_KEY, context.getClass());\n    return isClassPublic ?? false;\n  }\n}\n","/**\n * Metadata key for public routes\n */\nexport const IS_PUBLIC_KEY = \"cfAccessPublic\";\n","import {\n  SetMetadata,\n  type ModuleMetadata,\n  type Type,\n  applyDecorators,\n  UseGuards,\n} from \"@nestjs/common\";\nimport { CloudflareAccessGuard } from \"./guard\";\nimport type { CloudflareAccessGuardOptions } from \"./types\";\nimport { IS_PUBLIC_KEY } from \"./constants\";\nexport { IS_PUBLIC_KEY } from \"./constants\";\n\n/**\n * Decorator to mark a route as public (skip auth)\n */\nexport const Public = () => SetMetadata(IS_PUBLIC_KEY, true);\n\n/**\n * Decorator to apply Cloudflare Access authentication to a route or controller.\n *\n * @example\n * ```typescript\n * import { Controller, Get } from '@nestjs/common';\n * import { CloudflareAccess, Public } from 'cloudflare-access/adapters/nestjs';\n *\n * @Controller('api')\n * @CloudflareAccess({\n *   accessConfig: {\n *     teamDomain: 'https://yourteam.cloudflareaccess.com',\n *     audTag: 'your-audience-tag',\n *   },\n * })\n * export class ApiController {\n *   @Get('protected')\n *   getProtected(@Req() req: Request) {\n *     return { email: req.user?.email };\n *   }\n *\n *   @Public()\n *   @Get('public')\n *   getPublic() {\n *     return { message: 'This is public' };\n *   }\n * }\n * ```\n */\nexport function CloudflareAccess(options: CloudflareAccessGuardOptions) {\n  return applyDecorators(UseGuards(new CloudflareAccessGuard(options)));\n}\n\n/**\n * Interface for async options for Cloudflare Access module\n */\nexport interface CloudflareAccessModuleAsyncOptions extends Pick<ModuleMetadata, \"imports\"> {\n  useExisting?: Type<{\n    createCloudflareAccessOptions():\n      | Promise<CloudflareAccessGuardOptions>\n      | CloudflareAccessGuardOptions;\n  }>;\n  useClass?: Type<{\n    createCloudflareAccessOptions():\n      | Promise<CloudflareAccessGuardOptions>\n      | CloudflareAccessGuardOptions;\n  }>;\n  useFactory?: (\n    ...args: any[]\n  ) => Promise<CloudflareAccessGuardOptions> | CloudflareAccessGuardOptions;\n  inject?: any[];\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAuBO,SAASA,kCACd,KACwB;AACxB,SAAO,iCAAkC,GAAG;AAC9C;;;AC1BA,SAAS,YAAY,uBAAuB,0BAA0B;;;ACE/D,IAAM,gBAAgB;;;ADoCtB,IAAM,wBAAN,MAAmD;AAAA,EAGxD,YAA6B,SAAuC;AAAvC;AAC3B,SAAK,gBAAgB,QAAQ,iBAAiB;AAAA,EAChD;AAAA,EAF6B;AAAA,EAFZ;AAAA,EAMjB,MAAM,YAAY,SAA6C;AAC7D,UAAM,WAAW,KAAK,cAAc,OAAO;AAC3C,QAAI,UAAU;AACZ,aAAO;AAAA,IACT;AAEA,UAAM,UAAU,QAAQ,aAAa,EAAE,WAAoB;AAC3D,UAAM,SAAS,QAAQ;AAGvB,QAAI,WAAW,WAAW;AACxB,aAAO;AAAA,IACT;AAEA,UAAM,WAAW,QAAQ,QAAQ,mBAAmB,KAAK;AACzD,UAAM,OAAO,QAAQ,QAAQ;AAC7B,UAAM,MAAM,GAAG,QAAQ,MAAM,IAAI,GAAG,QAAQ,WAAW;AAEvD,UAAM,QAAQ,QAAQ,QAAQ,yBAAyB;AAEvD,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA;AAAA,QACE,cAAc,KAAK,QAAQ;AAAA,QAC3B,eAAe,KAAK,iBAAiB;AAAA,QACrC,WAAW,KAAK,QAAQ;AAAA,QACxB,aAAa,KAAK,QAAQ;AAAA,MAC5B;AAAA,MACA;AAAA,IACF;AAEA,QAAI,CAAC,OAAO,SAAS;AACnB,UAAI,OAAO,OAAO,SAAS,iBAAiB;AAC1C,cAAM,IAAI,mBAAmB,OAAO,MAAM,OAAO;AAAA,MACnD;AACA,YAAM,IAAI,sBAAsB,OAAO,OAAO,WAAW,yBAAyB;AAAA,IACpF;AAEA,QAAI,OAAO,MAAM;AACf,cAAQ,OAAO,OAAO;AAAA,IACxB;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,cAAc,SAAoC;AACxD,UAAM,WAAW,QAAQ,YAAY,eAAe,QAAQ,WAAW,CAAC;AACxE,QAAI,UAAU;AACZ,aAAO;AAAA,IACT;AACA,UAAM,gBAAgB,QAAQ,YAAY,eAAe,QAAQ,SAAS,CAAC;AAC3E,WAAO,iBAAiB;AAAA,EAC1B;AACF;AA5Da,wBAAN;AAAA,EADN,WAAW;AAAA,GACC;;;AEvCb;AAAA,EACE;AAAA,EAGA;AAAA,EACA;AAAA,OACK;AASA,IAAM,SAAS,MAAM,YAAY,eAAe,IAAI;AA+BpD,SAAS,iBAAiB,SAAuC;AACtE,SAAO,gBAAgB,UAAU,IAAI,sBAAsB,OAAO,CAAC,CAAC;AACtE;","names":["getCloudflareAccessConfigFromEnv"]}