cloudflare-access 1.0.0

package/dist/chunk-WUJPWM4T.js

@@ -0,0 +1,320 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+
+// src/core/types.ts
+var CloudflareAccessErrorCode = {
+  /** Missing or invalid authentication token */
+  AUTH_REQUIRED: "AUTH_REQUIRED",
+  /** Token validation failed (expired, wrong signature, etc.) */
+  INVALID_TOKEN: "INVALID_TOKEN",
+  /** User email not in allowlist */
+  ACCESS_DENIED: "ACCESS_DENIED",
+  /** Invalid team domain configuration */
+  INVALID_TEAM_DOMAIN: "INVALID_TEAM_DOMAIN",
+  /** Missing audience tag configuration */
+  MISSING_AUDIENCE_TAG: "MISSING_AUDIENCE_TAG",
+  /** Missing environment configuration */
+  MISSING_CONFIG: "MISSING_CONFIG",
+  /** JWKS fetch failed */
+  JWKS_FETCH_ERROR: "JWKS_FETCH_ERROR"
+};
+
+// src/core/errors.ts
+var CloudflareAccessError = class extends Error {
+  
+  
+  
+  
+  constructor(code, message, options) {
+    super(message, { cause: _optionalChain([options, 'optionalAccess', _ => _.cause]) });
+    this.name = "CloudflareAccessError";
+    this.code = code;
+    this.context = _optionalChain([options, 'optionalAccess', _2 => _2.context]);
+    this.requestUrl = _optionalChain([options, 'optionalAccess', _3 => _3.requestUrl]);
+    this.timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  }
+  /**
+   * Get a user-friendly error message with fix instructions
+   */
+  toJSON() {
+    return {
+      name: this.name,
+      code: this.code,
+      message: this.message,
+      timestamp: this.timestamp,
+      context: this.context,
+      fix: this.getFixInstructions()
+    };
+  }
+  /**
+   * Get fix instructions based on error code
+   */
+  getFixInstructions() {
+    switch (this.code) {
+      case CloudflareAccessErrorCode.AUTH_REQUIRED:
+        return "Ensure you're accessing through Cloudflare Access or provide a valid CF-Access-JWT-Assertion token";
+      case CloudflareAccessErrorCode.INVALID_TOKEN:
+        return "Your session may have expired. Please re-authenticate through Cloudflare Access";
+      case CloudflareAccessErrorCode.ACCESS_DENIED:
+        return "Contact your administrator to request access";
+      case CloudflareAccessErrorCode.MISSING_CONFIG:
+        return "Set CF_ACCESS_TEAM_DOMAIN and CF_ACCESS_AUD environment variables";
+      case CloudflareAccessErrorCode.INVALID_TEAM_DOMAIN:
+        return "Verify your team domain URL format (should be https://yourteam.cloudflareaccess.com)";
+      case CloudflareAccessErrorCode.MISSING_AUDIENCE_TAG:
+        return "Set CF_ACCESS_AUD to your application's audience tag";
+      case CloudflareAccessErrorCode.JWKS_FETCH_ERROR:
+        return "Unable to fetch signing keys. Check network connectivity and team domain";
+      default:
+        return "Check Cloudflare Access configuration and try again";
+    }
+  }
+};
+var AuthRequiredError = class extends CloudflareAccessError {
+  constructor(options) {
+    super(
+      CloudflareAccessErrorCode.AUTH_REQUIRED,
+      "Authentication required via Cloudflare Access",
+      { requestUrl: _optionalChain([options, 'optionalAccess', _4 => _4.requestUrl]), context: _optionalChain([options, 'optionalAccess', _5 => _5.context]) }
+    );
+    this.name = "AuthRequiredError";
+  }
+};
+var InvalidTokenError = class extends CloudflareAccessError {
+  
+  constructor(reason, options) {
+    super(CloudflareAccessErrorCode.INVALID_TOKEN, `Invalid authentication token: ${reason}`, {
+      requestUrl: _optionalChain([options, 'optionalAccess', _6 => _6.requestUrl])
+    });
+    this.name = "InvalidTokenError";
+    this.reason = reason;
+  }
+};
+var AccessDeniedError = class extends CloudflareAccessError {
+  
+  constructor(email, options) {
+    super(CloudflareAccessErrorCode.ACCESS_DENIED, `Access denied for ${email}`, {
+      requestUrl: _optionalChain([options, 'optionalAccess', _7 => _7.requestUrl]),
+      context: { email, allowedEmails: _optionalChain([options, 'optionalAccess', _8 => _8.allowedEmails]) }
+    });
+    this.name = "AccessDeniedError";
+    this.email = email;
+  }
+};
+var ConfigurationError = class extends CloudflareAccessError {
+  constructor(message, options) {
+    super(CloudflareAccessErrorCode.MISSING_CONFIG, message, options);
+    this.name = "ConfigurationError";
+  }
+};
+function isCloudflareAccessError(error) {
+  return error instanceof CloudflareAccessError;
+}
+function isAuthRequiredError(error) {
+  return error instanceof AuthRequiredError;
+}
+function isInvalidTokenError(error) {
+  return error instanceof InvalidTokenError;
+}
+function isAccessDeniedError(error) {
+  return error instanceof AccessDeniedError;
+}
+function isConfigurationError(error) {
+  return error instanceof ConfigurationError;
+}
+function toAuthError(error) {
+  if (isCloudflareAccessError(error)) {
+    return error;
+  }
+  if (error instanceof Error) {
+    return new CloudflareAccessError(CloudflareAccessErrorCode.INVALID_TOKEN, error.message, {
+      cause: error
+    });
+  }
+  return new CloudflareAccessError(
+    CloudflareAccessErrorCode.INVALID_TOKEN,
+    "Unknown authentication error",
+    { context: { error } }
+  );
+}
+
+// src/core/jwks.ts
+var _jose = require('jose');
+var jwksCache = /* @__PURE__ */ new Map();
+function __clearJwksCache() {
+  jwksCache.clear();
+}
+function getRemoteJwks(teamDomain) {
+  const cached = jwksCache.get(teamDomain);
+  if (cached) {
+    return cached;
+  }
+  const jwks = _jose.createRemoteJWKSet.call(void 0, new URL(`${teamDomain}/cdn-cgi/access/certs`));
+  jwksCache.set(teamDomain, jwks);
+  return jwks;
+}
+function isLocalDevelopmentRequest(url) {
+  try {
+    const hostname = new URL(url).hostname;
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname.endsWith(".localhost");
+  } catch (e) {
+    return false;
+  }
+}
+
+// src/core/config.ts
+function normalizeTeamDomain(teamDomain) {
+  return teamDomain.replace(/\/+$/, "");
+}
+function validateAccessConfig(config, requestUrl) {
+  const teamDomain = normalizeTeamDomain(config.teamDomain);
+  if (!teamDomain.startsWith("https://") || !teamDomain.endsWith(".cloudflareaccess.com")) {
+    throw new ConfigurationError(`Invalid Cloudflare Access team domain: ${config.teamDomain}`, {
+      context: { requestUrl, expectedFormat: "https://<team>.cloudflareaccess.com" }
+    });
+  }
+  if (!config.audTag) {
+    throw new ConfigurationError("Missing Cloudflare Access audience tag", {
+      context: {
+        requestUrl,
+        expectedFormat: "Application AUD tag from Cloudflare Access dashboard"
+      }
+    });
+  }
+  return { teamDomain, audTag: config.audTag };
+}
+function getCloudflareAccessConfigFromEnv(env) {
+  const teamDomain = env.CF_ACCESS_TEAM_DOMAIN;
+  const audTag = env.CF_ACCESS_AUD;
+  if (!teamDomain || !audTag) {
+    const missing = [!teamDomain && "CF_ACCESS_TEAM_DOMAIN", !audTag && "CF_ACCESS_AUD"].filter(Boolean).join(" and ");
+    throw new ConfigurationError(`Missing Cloudflare Access bindings: ${missing}`, {
+      context: {
+        expectedFormat: "CF_ACCESS_TEAM_DOMAIN=https://<team>.cloudflareaccess.com, CF_ACCESS_AUD=<audience-tag>"
+      }
+    });
+  }
+  return { teamDomain, audTag };
+}
+
+// src/core/validator.ts
+
+async function validateCloudflareAccessToken(token, options, requestUrl) {
+  const { accessConfig, allowedEmails, skipInDev, environment } = options;
+  const isDev = environment !== "prod";
+  if (!token) {
+    if (isDev && skipInDev && isLocalDevelopmentRequest(requestUrl)) {
+      return { success: true, user: null };
+    }
+    return {
+      success: false,
+      error: {
+        code: CloudflareAccessErrorCode.AUTH_REQUIRED,
+        message: "Unauthorized",
+        why: "Missing CF-Access-JWT-Assertion header",
+        fix: "Sign in via Cloudflare Access",
+        context: { requestUrl }
+      }
+    };
+  }
+  try {
+    const { teamDomain, audTag } = validateAccessConfig(accessConfig, requestUrl);
+    const jwks = getRemoteJwks(teamDomain);
+    const { payload } = await _jose.jwtVerify.call(void 0, token, jwks, {
+      issuer: teamDomain,
+      audience: audTag,
+      algorithms: ["RS256"]
+    });
+    const accessPayload = payload;
+    const email = accessPayload.email;
+    if (!email) {
+      throw new InvalidTokenError("Email not found in validated Cloudflare Access token", {
+        requestUrl
+      });
+    }
+    if (allowedEmails && !allowedEmails.includes(email)) {
+      return {
+        success: false,
+        user: {
+          email,
+          userId: typeof accessPayload.sub === "string" ? accessPayload.sub : void 0,
+          country: accessPayload.country
+        },
+        error: {
+          code: CloudflareAccessErrorCode.ACCESS_DENIED,
+          message: "Forbidden",
+          why: "Your email is not authorized to access this resource",
+          fix: "Contact an administrator if you need access",
+          context: {
+            email,
+            allowedEmails,
+            requestUrl
+          }
+        }
+      };
+    }
+    return {
+      success: true,
+      user: {
+        email,
+        userId: typeof accessPayload.sub === "string" ? accessPayload.sub : void 0,
+        country: accessPayload.country
+      }
+    };
+  } catch (error) {
+    if (error instanceof CloudflareAccessError) {
+      return {
+        success: false,
+        error: {
+          code: error.code,
+          message: error.message,
+          why: error.message,
+          fix: _optionalChain([error, 'access', _9 => _9.context, 'optionalAccess', _10 => _10.fix]) || "Please sign in again via Cloudflare Access",
+          context: error.context
+        }
+      };
+    }
+    const reason = error instanceof Error ? error.message : "Token validation failed";
+    return {
+      success: false,
+      error: {
+        code: CloudflareAccessErrorCode.INVALID_TOKEN,
+        message: "Invalid authentication token",
+        why: reason,
+        fix: "Please sign in again via Cloudflare Access",
+        context: { requestUrl, originalError: reason }
+      }
+    };
+  }
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.__decorateClass = __decorateClass; exports.CloudflareAccessErrorCode = CloudflareAccessErrorCode; exports.CloudflareAccessError = CloudflareAccessError; exports.AuthRequiredError = AuthRequiredError; exports.InvalidTokenError = InvalidTokenError; exports.AccessDeniedError = AccessDeniedError; exports.ConfigurationError = ConfigurationError; exports.isCloudflareAccessError = isCloudflareAccessError; exports.isAuthRequiredError = isAuthRequiredError; exports.isInvalidTokenError = isInvalidTokenError; exports.isAccessDeniedError = isAccessDeniedError; exports.isConfigurationError = isConfigurationError; exports.toAuthError = toAuthError; exports.__clearJwksCache = __clearJwksCache; exports.getRemoteJwks = getRemoteJwks; exports.isLocalDevelopmentRequest = isLocalDevelopmentRequest; exports.validateAccessConfig = validateAccessConfig; exports.getCloudflareAccessConfigFromEnv = getCloudflareAccessConfigFromEnv; exports.validateCloudflareAccessToken = validateCloudflareAccessToken;
+//# sourceMappingURL=chunk-WUJPWM4T.js.map

package/dist/chunk-WUJPWM4T.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/v000281/personal/hono-cloudflare-access-middleware/dist/chunk-WUJPWM4T.js","../src/core/types.ts","../src/core/errors.ts","../src/core/jwks.ts","../src/core/config.ts","../src/core/validator.ts"],"names":[],"mappings":"AAAA,ilBAAI,UAAU,EAAE,MAAM,CAAC,cAAc;AACrC,IAAI,iBAAiB,EAAE,MAAM,CAAC,wBAAwB;AACtD,IAAI,gBAAgB,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG;AACzD,EAAE,IAAI,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,gBAAgB,CAAC,MAAM,EAAE,GAAG,EAAE,EAAE,MAAM;AAChF,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE;AAC5D,IAAI,GAAG,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC;AACjC,MAAM,OAAO,EAAE,CAAC,KAAK,EAAE,SAAS,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,SAAS,CAAC,MAAM,CAAC,EAAE,GAAG,MAAM;AACpF,EAAE,GAAG,CAAC,KAAK,GAAG,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC;AACpD,EAAE,OAAO,MAAM;AACf,CAAC;AACD;AACA;ACoCO,IAAM,0BAAA,EAA4B;AAAA;AAAA,EAEvC,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,oBAAA,EAAsB,sBAAA;AAAA;AAAA,EAEtB,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,gBAAA,EAAkB;AACpB,CAAA;ADlCA;AACA;AExBO,IAAM,sBAAA,EAAN,MAAA,QAAoC,MAAM;AAAA,EACtC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAET,WAAA,CACE,IAAA,EACA,OAAA,EACA,OAAA,EAKA;AACA,IAAA,KAAA,CAAM,OAAA,EAAS,EAAE,KAAA,kBAAO,OAAA,2BAAS,QAAM,CAAC,CAAA;AACxC,IAAA,IAAA,CAAK,KAAA,EAAO,uBAAA;AACZ,IAAA,IAAA,CAAK,KAAA,EAAO,IAAA;AACZ,IAAA,IAAA,CAAK,QAAA,kBAAU,OAAA,6BAAS,SAAA;AACxB,IAAA,IAAA,CAAK,WAAA,kBAAa,OAAA,6BAAS,YAAA;AAC3B,IAAA,IAAA,CAAK,UAAA,EAAA,iBAAY,IAAI,IAAA,CAAK,CAAA,CAAA,CAAE,WAAA,CAAY,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAA,CAAA,EAAkC;AAChC,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,IAAA,CAAK,IAAA;AAAA,MACX,IAAA,EAAM,IAAA,CAAK,IAAA;AAAA,MACX,OAAA,EAAS,IAAA,CAAK,OAAA;AAAA,MACd,SAAA,EAAW,IAAA,CAAK,SAAA;AAAA,MAChB,OAAA,EAAS,IAAA,CAAK,OAAA;AAAA,MACd,GAAA,EAAK,IAAA,CAAK,kBAAA,CAAmB;AAAA,IAC/B,CAAA;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAA,CAAA,EAA6B;AACnC,IAAA,OAAA,CAAQ,IAAA,CAAK,IAAA,EAAM;AAAA,MACjB,KAAK,yBAAA,CAA0B,aAAA;AAC7B,QAAA,OAAO,oGAAA;AAAA,MACT,KAAK,yBAAA,CAA0B,aAAA;AAC7B,QAAA,OAAO,iFAAA;AAAA,MACT,KAAK,yBAAA,CAA0B,aAAA;AAC7B,QAAA,OAAO,8CAAA;AAAA,MACT,KAAK,yBAAA,CAA0B,cAAA;AAC7B,QAAA,OAAO,mEAAA;AAAA,MACT,KAAK,yBAAA,CAA0B,mBAAA;AAC7B,QAAA,OAAO,sFAAA;AAAA,MACT,KAAK,yBAAA,CAA0B,oBAAA;AAC7B,QAAA,OAAO,sDAAA;AAAA,MACT,KAAK,yBAAA,CAA0B,gBAAA;AAC7B,QAAA,OAAO,0EAAA;AAAA,MACT,OAAA;AACE,QAAA,OAAO,qDAAA;AAAA,IACX;AAAA,EACF;AACF,CAAA;AAKO,IAAM,kBAAA,EAAN,MAAA,QAAgC,sBAAsB;AAAA,EAC3D,WAAA,CAAY,OAAA,EAAsE;AAChF,IAAA,KAAA;AAAA,MACE,yBAAA,CAA0B,aAAA;AAAA,MAC1B,+CAAA;AAAA,MACA,EAAE,UAAA,kBAAY,OAAA,6BAAS,YAAA,EAAY,OAAA,kBAAS,OAAA,6BAAS,UAAQ;AAAA,IAC/D,CAAA;AACA,IAAA,IAAA,CAAK,KAAA,EAAO,mBAAA;AAAA,EACd;AACF,CAAA;AAKO,IAAM,kBAAA,EAAN,MAAA,QAAgC,sBAAsB;AAAA,EAClD;AAAA,EAET,WAAA,CAAY,MAAA,EAAgB,OAAA,EAAmC;AAC7D,IAAA,KAAA,CAAM,yBAAA,CAA0B,aAAA,EAAe,CAAA,8BAAA,EAAiC,MAAM,CAAA,CAAA;AAC/D,MAAA;AACtB,IAAA;AACW,IAAA;AACE,IAAA;AAChB,EAAA;AACF;AAK6D;AAClD,EAAA;AAE+E,EAAA;AACT,IAAA;AACtD,MAAA;AACmC,MAAA;AACzD,IAAA;AACW,IAAA;AACC,IAAA;AACf,EAAA;AACF;AAK8D;AACiC,EAAA;AAC3B,IAAA;AACpD,IAAA;AACd,EAAA;AACF;AAKwF;AAC9D,EAAA;AAC1B;AAKgF;AACtD,EAAA;AAC1B;AAEgF;AACtD,EAAA;AAC1B;AAEgF;AACtD,EAAA;AAC1B;AAEkF;AACxD,EAAA;AAC1B;AAKmE;AAC7B,EAAA;AAC3B,IAAA;AACT,EAAA;AAE4B,EAAA;AACsD,IAAA;AACvE,MAAA;AACR,IAAA;AACH,EAAA;AAEW,EAAA;AACiB,IAAA;AAC1B,IAAA;AACqB,IAAA;AACvB,EAAA;AACF;AFpB2F;AACA;AGpJxD;AAGsC;AAMhC;AACvB,EAAA;AAClB;AAKyF;AAChD,EAAA;AAC3B,EAAA;AACH,IAAA;AACT,EAAA;AAE6E,EAAA;AAC/C,EAAA;AACvB,EAAA;AACT;AAKgE;AAC1D,EAAA;AAC4B,IAAA;AAK5B,IAAA;AAEI,EAAA;AACC,IAAA;AACT,EAAA;AACF;AHiI2F;AACA;AItKlC;AACnB,EAAA;AACtC;AAQ0B;AACgC,EAAA;AAEiC,EAAA;AACT,IAAA;AACC,MAAA;AAC9E,IAAA;AACH,EAAA;AAEoB,EAAA;AACqD,IAAA;AAC5D,MAAA;AACP,QAAA;AACgB,QAAA;AAClB,MAAA;AACD,IAAA;AACH,EAAA;AAE2C,EAAA;AAC7C;AAO0B;AACD,EAAA;AACJ,EAAA;AAES,EAAA;AAEvB,IAAA;AAG4E,IAAA;AACpE,MAAA;AAEL,QAAA;AACJ,MAAA;AACD,IAAA;AACH,EAAA;AAE4B,EAAA;AAC9B;AJkJ2F;AACA;AK/MjE;AAgCH;AAC2C,EAAA;AAClC,EAAA;AAGlB,EAAA;AAEuD,IAAA;AAC5B,MAAA;AACrC,IAAA;AAEO,IAAA;AACI,MAAA;AACF,MAAA;AAC2B,QAAA;AACvB,QAAA;AACJ,QAAA;AACA,QAAA;AACiB,QAAA;AACxB,MAAA;AACF,IAAA;AACF,EAAA;AAEI,EAAA;AAC0E,IAAA;AACvC,IAAA;AAGY,IAAA;AACvC,MAAA;AACE,MAAA;AACU,MAAA;AACrB,IAAA;AAEqB,IAAA;AACM,IAAA;AAEhB,IAAA;AAC0E,MAAA;AAClF,QAAA;AACD,MAAA;AACH,IAAA;AAGqD,IAAA;AAC5C,MAAA;AACI,QAAA;AACH,QAAA;AACJ,UAAA;AACoE,UAAA;AAC7C,UAAA;AACzB,QAAA;AACO,QAAA;AAC2B,UAAA;AACvB,UAAA;AACJ,UAAA;AACA,UAAA;AACI,UAAA;AACP,YAAA;AACA,YAAA;AACA,YAAA;AACF,UAAA;AACF,QAAA;AACF,MAAA;AACF,IAAA;AAEO,IAAA;AACI,MAAA;AACH,MAAA;AACJ,QAAA;AACoE,QAAA;AAC7C,QAAA;AACzB,MAAA;AACF,IAAA;AACc,EAAA;AAC8B,IAAA;AACnC,MAAA;AACI,QAAA;AACF,QAAA;AACO,UAAA;AACG,UAAA;AACJ,UAAA;AAC4B,UAAA;AACxB,UAAA;AACjB,QAAA;AACF,MAAA;AACF,IAAA;AAEwD,IAAA;AACjD,IAAA;AACI,MAAA;AACF,MAAA;AAC2B,QAAA;AACvB,QAAA;AACJ,QAAA;AACA,QAAA;AACwC,QAAA;AAC/C,MAAA;AACF,IAAA;AACF,EAAA;AACF;ALqK2F;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/v000281/personal/hono-cloudflare-access-middleware/dist/chunk-WUJPWM4T.js","sourcesContent":[null,"import type { JWTPayload } from \"jose\";\n\n/**\n * Cloudflare Access JWT payload with additional claims\n */\nexport interface CloudflareAccessPayload extends JWTPayload {\n  /** User's email address */\n  email?: string;\n  /** Token type */\n  type?: string;\n  /** Identity nonce for additional verification */\n  identity_nonce?: string;\n  /** User's country */\n  country?: string;\n}\n\n/**\n * Cloudflare Access configuration\n */\nexport interface CloudflareAccessConfig {\n  /** Exact Cloudflare Access issuer domain, e.g. https://myteam.cloudflareaccess.com */\n  teamDomain: string;\n  /** Exact Access application audience tag */\n  audTag: string;\n}\n\n/**\n * User information extracted from Cloudflare Access token\n */\nexport interface CloudflareAccessUser {\n  email: string;\n  userId?: string;\n  country?: string;\n}\n\n/**\n * Expected environment bindings for Cloudflare Access\n */\nexport interface CloudflareAccessMiddlewareEnv {\n  CF_ACCESS_TEAM_DOMAIN?: string;\n  CF_ACCESS_AUD?: string;\n  ENVIRONMENT?: string;\n}\n\n/**\n * Error codes for Cloudflare Access authentication\n */\nexport const CloudflareAccessErrorCode = {\n  /** Missing or invalid authentication token */\n  AUTH_REQUIRED: \"AUTH_REQUIRED\",\n  /** Token validation failed (expired, wrong signature, etc.) */\n  INVALID_TOKEN: \"INVALID_TOKEN\",\n  /** User email not in allowlist */\n  ACCESS_DENIED: \"ACCESS_DENIED\",\n  /** Invalid team domain configuration */\n  INVALID_TEAM_DOMAIN: \"INVALID_TEAM_DOMAIN\",\n  /** Missing audience tag configuration */\n  MISSING_AUDIENCE_TAG: \"MISSING_AUDIENCE_TAG\",\n  /** Missing environment configuration */\n  MISSING_CONFIG: \"MISSING_CONFIG\",\n  /** JWKS fetch failed */\n  JWKS_FETCH_ERROR: \"JWKS_FETCH_ERROR\",\n} as const;\n\nexport type CloudflareAccessErrorCode =\n  (typeof CloudflareAccessErrorCode)[keyof typeof CloudflareAccessErrorCode];\n\n/**\n * Rich authentication error with actionable information\n */\nexport interface AuthError {\n  code: CloudflareAccessErrorCode;\n  message: string;\n  why: string;\n  fix: string;\n  context?: Record<string, unknown>;\n}\n\n/**\n * Authentication result\n */\nexport type AuthResult =\n  | { success: true; user: CloudflareAccessUser | null; error?: never }\n  | { success: false; user?: CloudflareAccessUser | null; error: AuthError };\n","import { CloudflareAccessErrorCode } from \"./types\";\n\n/**\n * Base error class for Cloudflare Access authentication errors\n */\nexport class CloudflareAccessError extends Error {\n  readonly code: CloudflareAccessErrorCode;\n  readonly context?: Record<string, unknown>;\n  readonly requestUrl?: string;\n  readonly timestamp: string;\n\n  constructor(\n    code: CloudflareAccessErrorCode,\n    message: string,\n    options?: {\n      cause?: Error;\n      context?: Record<string, unknown>;\n      requestUrl?: string;\n    },\n  ) {\n    super(message, { cause: options?.cause });\n    this.name = \"CloudflareAccessError\";\n    this.code = code;\n    this.context = options?.context;\n    this.requestUrl = options?.requestUrl;\n    this.timestamp = new Date().toISOString();\n  }\n\n  /**\n   * Get a user-friendly error message with fix instructions\n   */\n  toJSON(): Record<string, unknown> {\n    return {\n      name: this.name,\n      code: this.code,\n      message: this.message,\n      timestamp: this.timestamp,\n      context: this.context,\n      fix: this.getFixInstructions(),\n    };\n  }\n\n  /**\n   * Get fix instructions based on error code\n   */\n  private getFixInstructions(): string {\n    switch (this.code) {\n      case CloudflareAccessErrorCode.AUTH_REQUIRED:\n        return \"Ensure you're accessing through Cloudflare Access or provide a valid CF-Access-JWT-Assertion token\";\n      case CloudflareAccessErrorCode.INVALID_TOKEN:\n        return \"Your session may have expired. Please re-authenticate through Cloudflare Access\";\n      case CloudflareAccessErrorCode.ACCESS_DENIED:\n        return \"Contact your administrator to request access\";\n      case CloudflareAccessErrorCode.MISSING_CONFIG:\n        return \"Set CF_ACCESS_TEAM_DOMAIN and CF_ACCESS_AUD environment variables\";\n      case CloudflareAccessErrorCode.INVALID_TEAM_DOMAIN:\n        return \"Verify your team domain URL format (should be https://yourteam.cloudflareaccess.com)\";\n      case CloudflareAccessErrorCode.MISSING_AUDIENCE_TAG:\n        return \"Set CF_ACCESS_AUD to your application's audience tag\";\n      case CloudflareAccessErrorCode.JWKS_FETCH_ERROR:\n        return \"Unable to fetch signing keys. Check network connectivity and team domain\";\n      default:\n        return \"Check Cloudflare Access configuration and try again\";\n    }\n  }\n}\n\n/**\n * Error thrown when authentication is required but missing/invalid\n */\nexport class AuthRequiredError extends CloudflareAccessError {\n  constructor(options?: { requestUrl?: string; context?: Record<string, unknown> }) {\n    super(\n      CloudflareAccessErrorCode.AUTH_REQUIRED,\n      \"Authentication required via Cloudflare Access\",\n      { requestUrl: options?.requestUrl, context: options?.context },\n    );\n    this.name = \"AuthRequiredError\";\n  }\n}\n\n/**\n * Error thrown when token validation fails\n */\nexport class InvalidTokenError extends CloudflareAccessError {\n  readonly reason: string;\n\n  constructor(reason: string, options?: { requestUrl?: string }) {\n    super(CloudflareAccessErrorCode.INVALID_TOKEN, `Invalid authentication token: ${reason}`, {\n      requestUrl: options?.requestUrl,\n    });\n    this.name = \"InvalidTokenError\";\n    this.reason = reason;\n  }\n}\n\n/**\n * Error thrown when user is not in email allowlist\n */\nexport class AccessDeniedError extends CloudflareAccessError {\n  readonly email: string;\n\n  constructor(email: string, options?: { requestUrl?: string; allowedEmails?: string[] }) {\n    super(CloudflareAccessErrorCode.ACCESS_DENIED, `Access denied for ${email}`, {\n      requestUrl: options?.requestUrl,\n      context: { email, allowedEmails: options?.allowedEmails },\n    });\n    this.name = \"AccessDeniedError\";\n    this.email = email;\n  }\n}\n\n/**\n * Error thrown when configuration is invalid or missing\n */\nexport class ConfigurationError extends CloudflareAccessError {\n  constructor(message: string, options?: { cause?: Error; context?: Record<string, unknown> }) {\n    super(CloudflareAccessErrorCode.MISSING_CONFIG, message, options);\n    this.name = \"ConfigurationError\";\n  }\n}\n\n/**\n * Type guard to check if error is a CloudflareAccessError\n */\nexport function isCloudflareAccessError(error: unknown): error is CloudflareAccessError {\n  return error instanceof CloudflareAccessError;\n}\n\n/**\n * Type guard for specific error types\n */\nexport function isAuthRequiredError(error: unknown): error is AuthRequiredError {\n  return error instanceof AuthRequiredError;\n}\n\nexport function isInvalidTokenError(error: unknown): error is InvalidTokenError {\n  return error instanceof InvalidTokenError;\n}\n\nexport function isAccessDeniedError(error: unknown): error is AccessDeniedError {\n  return error instanceof AccessDeniedError;\n}\n\nexport function isConfigurationError(error: unknown): error is ConfigurationError {\n  return error instanceof ConfigurationError;\n}\n\n/**\n * Convert unknown error to CloudflareAccessError\n */\nexport function toAuthError(error: unknown): CloudflareAccessError {\n  if (isCloudflareAccessError(error)) {\n    return error;\n  }\n\n  if (error instanceof Error) {\n    return new CloudflareAccessError(CloudflareAccessErrorCode.INVALID_TOKEN, error.message, {\n      cause: error,\n    });\n  }\n\n  return new CloudflareAccessError(\n    CloudflareAccessErrorCode.INVALID_TOKEN,\n    \"Unknown authentication error\",\n    { context: { error } },\n  );\n}\n","import { createRemoteJWKSet } from \"jose\";\n\n/** JWK Set cache by team domain */\nconst jwksCache = new Map<string, ReturnType<typeof createRemoteJWKSet>>();\n\n/**\n * Clear the JWKS cache. Useful for testing.\n * @internal\n */\nexport function __clearJwksCache(): void {\n  jwksCache.clear();\n}\n\n/**\n * Get or create cached JWKS for a team domain\n */\nexport function getRemoteJwks(teamDomain: string): ReturnType<typeof createRemoteJWKSet> {\n  const cached = jwksCache.get(teamDomain);\n  if (cached) {\n    return cached;\n  }\n\n  const jwks = createRemoteJWKSet(new URL(`${teamDomain}/cdn-cgi/access/certs`));\n  jwksCache.set(teamDomain, jwks);\n  return jwks;\n}\n\n/**\n * Check if request is from local development\n */\nexport function isLocalDevelopmentRequest(url: string): boolean {\n  try {\n    const hostname = new URL(url).hostname;\n    return (\n      hostname === \"localhost\" ||\n      hostname === \"127.0.0.1\" ||\n      hostname === \"[::1]\" ||\n      hostname.endsWith(\".localhost\")\n    );\n  } catch {\n    return false;\n  }\n}\n","import { type CloudflareAccessConfig, type CloudflareAccessMiddlewareEnv } from \"./types\";\nimport { ConfigurationError } from \"./errors\";\n\n/**\n * Remove trailing slashes from team domain\n */\nfunction normalizeTeamDomain(teamDomain: string): string {\n  return teamDomain.replace(/\\/+$/, \"\");\n}\n\n/**\n * Validate and normalize access configuration\n */\nexport function validateAccessConfig(\n  config: CloudflareAccessConfig,\n  requestUrl?: string,\n): CloudflareAccessConfig {\n  const teamDomain = normalizeTeamDomain(config.teamDomain);\n\n  if (!teamDomain.startsWith(\"https://\") || !teamDomain.endsWith(\".cloudflareaccess.com\")) {\n    throw new ConfigurationError(`Invalid Cloudflare Access team domain: ${config.teamDomain}`, {\n      context: { requestUrl, expectedFormat: \"https://<team>.cloudflareaccess.com\" },\n    });\n  }\n\n  if (!config.audTag) {\n    throw new ConfigurationError(\"Missing Cloudflare Access audience tag\", {\n      context: {\n        requestUrl,\n        expectedFormat: \"Application AUD tag from Cloudflare Access dashboard\",\n      },\n    });\n  }\n\n  return { teamDomain, audTag: config.audTag };\n}\n\n/**\n * Get Cloudflare Access configuration from environment variables/bindings\n */\nexport function getCloudflareAccessConfigFromEnv(\n  env: CloudflareAccessMiddlewareEnv,\n): CloudflareAccessConfig {\n  const teamDomain = env.CF_ACCESS_TEAM_DOMAIN;\n  const audTag = env.CF_ACCESS_AUD;\n\n  if (!teamDomain || !audTag) {\n    const missing = [!teamDomain && \"CF_ACCESS_TEAM_DOMAIN\", !audTag && \"CF_ACCESS_AUD\"]\n      .filter(Boolean)\n      .join(\" and \");\n\n    throw new ConfigurationError(`Missing Cloudflare Access bindings: ${missing}`, {\n      context: {\n        expectedFormat:\n          \"CF_ACCESS_TEAM_DOMAIN=https://<team>.cloudflareaccess.com, CF_ACCESS_AUD=<audience-tag>\",\n      },\n    });\n  }\n\n  return { teamDomain, audTag };\n}\n","import { jwtVerify } from \"jose\";\nimport {\n  CloudflareAccessErrorCode,\n  type CloudflareAccessConfig,\n  type CloudflareAccessPayload,\n  type AuthResult,\n} from \"./types\";\nimport { validateAccessConfig } from \"./config\";\nimport { getRemoteJwks, isLocalDevelopmentRequest } from \"./jwks\";\nimport { InvalidTokenError, CloudflareAccessError } from \"./errors\";\n\n/**\n * Options for token validation\n */\nexport interface ValidateTokenOptions {\n  /** Cloudflare Access configuration */\n  accessConfig: CloudflareAccessConfig;\n  /** Optional email allowlist */\n  allowedEmails?: string[];\n  /** Whether to skip JWT validation outside production */\n  skipInDev?: boolean;\n  /** Environment indicator */\n  environment?: string;\n}\n\n/**\n * Validate Cloudflare Access JWT token\n */\nexport async function validateCloudflareAccessToken(\n  token: string | undefined,\n  options: ValidateTokenOptions,\n  requestUrl: string,\n): Promise<AuthResult> {\n  const { accessConfig, allowedEmails, skipInDev, environment } = options;\n  const isDev = environment !== \"prod\";\n\n  // Skip OPTIONS requests\n  if (!token) {\n    // Check if we should skip auth in dev\n    if (isDev && skipInDev && isLocalDevelopmentRequest(requestUrl)) {\n      return { success: true, user: null };\n    }\n\n    return {\n      success: false,\n      error: {\n        code: CloudflareAccessErrorCode.AUTH_REQUIRED,\n        message: \"Unauthorized\",\n        why: \"Missing CF-Access-JWT-Assertion header\",\n        fix: \"Sign in via Cloudflare Access\",\n        context: { requestUrl },\n      },\n    };\n  }\n\n  try {\n    const { teamDomain, audTag } = validateAccessConfig(accessConfig, requestUrl);\n    const jwks = getRemoteJwks(teamDomain);\n\n    // Verify the JWT token\n    const { payload } = await jwtVerify(token, jwks, {\n      issuer: teamDomain,\n      audience: audTag,\n      algorithms: [\"RS256\"],\n    });\n\n    const accessPayload = payload as CloudflareAccessPayload;\n    const email = accessPayload.email;\n\n    if (!email) {\n      throw new InvalidTokenError(\"Email not found in validated Cloudflare Access token\", {\n        requestUrl,\n      });\n    }\n\n    // Check email allowlist if configured\n    if (allowedEmails && !allowedEmails.includes(email)) {\n      return {\n        success: false,\n        user: {\n          email,\n          userId: typeof accessPayload.sub === \"string\" ? accessPayload.sub : undefined,\n          country: accessPayload.country,\n        },\n        error: {\n          code: CloudflareAccessErrorCode.ACCESS_DENIED,\n          message: \"Forbidden\",\n          why: \"Your email is not authorized to access this resource\",\n          fix: \"Contact an administrator if you need access\",\n          context: {\n            email,\n            allowedEmails,\n            requestUrl,\n          },\n        },\n      };\n    }\n\n    return {\n      success: true,\n      user: {\n        email,\n        userId: typeof accessPayload.sub === \"string\" ? accessPayload.sub : undefined,\n        country: accessPayload.country,\n      },\n    };\n  } catch (error) {\n    if (error instanceof CloudflareAccessError) {\n      return {\n        success: false,\n        error: {\n          code: error.code,\n          message: error.message,\n          why: error.message,\n          fix: (error.context?.fix as string) || \"Please sign in again via Cloudflare Access\",\n          context: error.context,\n        },\n      };\n    }\n\n    const reason = error instanceof Error ? error.message : \"Token validation failed\";\n    return {\n      success: false,\n      error: {\n        code: CloudflareAccessErrorCode.INVALID_TOKEN,\n        message: \"Invalid authentication token\",\n        why: reason,\n        fix: \"Please sign in again via Cloudflare Access\",\n        context: { requestUrl, originalError: reason },\n      },\n    };\n  }\n}\n"]}

package/dist/config-D4O7DXNT.d.mts

@@ -0,0 +1,12 @@
+import { e as CloudflareAccessMiddlewareEnv, C as CloudflareAccessConfig } from './jwks-ChdyyS_L.mjs';
+
+/**
+ * Validate and normalize access configuration
+ */
+declare function validateAccessConfig(config: CloudflareAccessConfig, requestUrl?: string): CloudflareAccessConfig;
+/**
+ * Get Cloudflare Access configuration from environment variables/bindings
+ */
+declare function getCloudflareAccessConfigFromEnv(env: CloudflareAccessMiddlewareEnv): CloudflareAccessConfig;
+
+export { getCloudflareAccessConfigFromEnv as g, validateAccessConfig as v };

package/dist/config-ottUdc-K.d.ts

@@ -0,0 +1,12 @@
+import { e as CloudflareAccessMiddlewareEnv, C as CloudflareAccessConfig } from './jwks-ChdyyS_L.js';
+
+/**
+ * Validate and normalize access configuration
+ */
+declare function validateAccessConfig(config: CloudflareAccessConfig, requestUrl?: string): CloudflareAccessConfig;
+/**
+ * Get Cloudflare Access configuration from environment variables/bindings
+ */
+declare function getCloudflareAccessConfigFromEnv(env: CloudflareAccessMiddlewareEnv): CloudflareAccessConfig;
+
+export { getCloudflareAccessConfigFromEnv as g, validateAccessConfig as v };

package/dist/core/index.d.mts

@@ -0,0 +1,24 @@
+import { C as CloudflareAccessConfig, b as AuthResult } from '../jwks-ChdyyS_L.mjs';
+export { A as AccessDeniedError, n as AuthError, a as AuthRequiredError, c as CloudflareAccessError, d as CloudflareAccessErrorCode, e as CloudflareAccessMiddlewareEnv, f as CloudflareAccessPayload, g as CloudflareAccessUser, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, o as getRemoteJwks, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, p as isLocalDevelopmentRequest, t as toAuthError } from '../jwks-ChdyyS_L.mjs';
+export { g as getCloudflareAccessConfigFromEnv, v as validateAccessConfig } from '../config-D4O7DXNT.mjs';
+import 'jose';
+
+/**
+ * Options for token validation
+ */
+interface ValidateTokenOptions {
+    /** Cloudflare Access configuration */
+    accessConfig: CloudflareAccessConfig;
+    /** Optional email allowlist */
+    allowedEmails?: string[];
+    /** Whether to skip JWT validation outside production */
+    skipInDev?: boolean;
+    /** Environment indicator */
+    environment?: string;
+}
+/**
+ * Validate Cloudflare Access JWT token
+ */
+declare function validateCloudflareAccessToken(token: string | undefined, options: ValidateTokenOptions, requestUrl: string): Promise<AuthResult>;
+
+export { AuthResult, CloudflareAccessConfig, type ValidateTokenOptions, validateCloudflareAccessToken };

package/dist/core/index.d.ts

@@ -0,0 +1,24 @@
+import { C as CloudflareAccessConfig, b as AuthResult } from '../jwks-ChdyyS_L.js';
+export { A as AccessDeniedError, n as AuthError, a as AuthRequiredError, c as CloudflareAccessError, d as CloudflareAccessErrorCode, e as CloudflareAccessMiddlewareEnv, f as CloudflareAccessPayload, g as CloudflareAccessUser, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, o as getRemoteJwks, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, p as isLocalDevelopmentRequest, t as toAuthError } from '../jwks-ChdyyS_L.js';
+export { g as getCloudflareAccessConfigFromEnv, v as validateAccessConfig } from '../config-ottUdc-K.js';
+import 'jose';
+
+/**
+ * Options for token validation
+ */
+interface ValidateTokenOptions {
+    /** Cloudflare Access configuration */
+    accessConfig: CloudflareAccessConfig;
+    /** Optional email allowlist */
+    allowedEmails?: string[];
+    /** Whether to skip JWT validation outside production */
+    skipInDev?: boolean;
+    /** Environment indicator */
+    environment?: string;
+}
+/**
+ * Validate Cloudflare Access JWT token
+ */
+declare function validateCloudflareAccessToken(token: string | undefined, options: ValidateTokenOptions, requestUrl: string): Promise<AuthResult>;
+
+export { AuthResult, CloudflareAccessConfig, type ValidateTokenOptions, validateCloudflareAccessToken };

package/dist/core/index.js

@@ -0,0 +1,41 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+var _chunkWUJPWM4Tjs = require('../chunk-WUJPWM4T.js');
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.AccessDeniedError = _chunkWUJPWM4Tjs.AccessDeniedError; exports.AuthRequiredError = _chunkWUJPWM4Tjs.AuthRequiredError; exports.CloudflareAccessError = _chunkWUJPWM4Tjs.CloudflareAccessError; exports.CloudflareAccessErrorCode = _chunkWUJPWM4Tjs.CloudflareAccessErrorCode; exports.ConfigurationError = _chunkWUJPWM4Tjs.ConfigurationError; exports.InvalidTokenError = _chunkWUJPWM4Tjs.InvalidTokenError; exports.__clearJwksCache = _chunkWUJPWM4Tjs.__clearJwksCache; exports.getCloudflareAccessConfigFromEnv = _chunkWUJPWM4Tjs.getCloudflareAccessConfigFromEnv; exports.getRemoteJwks = _chunkWUJPWM4Tjs.getRemoteJwks; exports.isAccessDeniedError = _chunkWUJPWM4Tjs.isAccessDeniedError; exports.isAuthRequiredError = _chunkWUJPWM4Tjs.isAuthRequiredError; exports.isCloudflareAccessError = _chunkWUJPWM4Tjs.isCloudflareAccessError; exports.isConfigurationError = _chunkWUJPWM4Tjs.isConfigurationError; exports.isInvalidTokenError = _chunkWUJPWM4Tjs.isInvalidTokenError; exports.isLocalDevelopmentRequest = _chunkWUJPWM4Tjs.isLocalDevelopmentRequest; exports.toAuthError = _chunkWUJPWM4Tjs.toAuthError; exports.validateAccessConfig = _chunkWUJPWM4Tjs.validateAccessConfig; exports.validateCloudflareAccessToken = _chunkWUJPWM4Tjs.validateCloudflareAccessToken;
+//# sourceMappingURL=index.js.map

package/dist/core/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/v000281/personal/hono-cloudflare-access-middleware/dist/core/index.js"],"names":[],"mappings":"AAAA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,uDAA6B;AAC7B;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,6uCAAC","file":"/Users/v000281/personal/hono-cloudflare-access-middleware/dist/core/index.js"}

package/dist/core/index.mjs

@@ -0,0 +1,41 @@
+import {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  InvalidTokenError,
+  __clearJwksCache,
+  getCloudflareAccessConfigFromEnv,
+  getRemoteJwks,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  isLocalDevelopmentRequest,
+  toAuthError,
+  validateAccessConfig,
+  validateCloudflareAccessToken
+} from "../chunk-DM2KGIQX.mjs";
+export {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  InvalidTokenError,
+  __clearJwksCache,
+  getCloudflareAccessConfigFromEnv,
+  getRemoteJwks,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  isLocalDevelopmentRequest,
+  toAuthError,
+  validateAccessConfig,
+  validateCloudflareAccessToken
+};
+//# sourceMappingURL=index.mjs.map

package/dist/core/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/index.d.mts

@@ -0,0 +1,6 @@
+export { A as AccessDeniedError, a as AuthRequiredError, b as AuthResult, C as CloudflareAccessConfig, c as CloudflareAccessError, d as CloudflareAccessErrorCode, e as CloudflareAccessMiddlewareEnv, f as CloudflareAccessPayload, g as CloudflareAccessUser, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, t as toAuthError } from './jwks-ChdyyS_L.mjs';
+export { g as getCloudflareAccessConfigFromEnv } from './config-D4O7DXNT.mjs';
+export { validateCloudflareAccessToken } from './core/index.mjs';
+export { C as CloudflareAccessAuthOptions, a as CloudflareAccessConfigResolver, b as CloudflareAccessHono, c as CloudflareAccessVariables, d as createCloudflareAccessAuth, g as getCloudflareAccessConfigFromBindings } from './middleware-BDl6jUCu.mjs';
+import 'jose';
+import 'hono';

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export { A as AccessDeniedError, a as AuthRequiredError, b as AuthResult, C as CloudflareAccessConfig, c as CloudflareAccessError, d as CloudflareAccessErrorCode, e as CloudflareAccessMiddlewareEnv, f as CloudflareAccessPayload, g as CloudflareAccessUser, h as ConfigurationError, I as InvalidTokenError, _ as __clearJwksCache, i as isAccessDeniedError, j as isAuthRequiredError, k as isCloudflareAccessError, l as isConfigurationError, m as isInvalidTokenError, t as toAuthError } from './jwks-ChdyyS_L.js';
+export { g as getCloudflareAccessConfigFromEnv } from './config-ottUdc-K.js';
+export { validateCloudflareAccessToken } from './core/index.js';
+export { C as CloudflareAccessAuthOptions, a as CloudflareAccessConfigResolver, b as CloudflareAccessHono, c as CloudflareAccessVariables, d as createCloudflareAccessAuth, g as getCloudflareAccessConfigFromBindings } from './middleware-CgFsjM20.js';
+import 'jose';
+import 'hono';

package/dist/index.js

@@ -0,0 +1,41 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});
+
+
+var _chunkPMFPT3SIjs = require('./chunk-PMFPT3SI.js');
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+var _chunkWUJPWM4Tjs = require('./chunk-WUJPWM4T.js');
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.AccessDeniedError = _chunkWUJPWM4Tjs.AccessDeniedError; exports.AuthRequiredError = _chunkWUJPWM4Tjs.AuthRequiredError; exports.CloudflareAccessError = _chunkWUJPWM4Tjs.CloudflareAccessError; exports.CloudflareAccessErrorCode = _chunkWUJPWM4Tjs.CloudflareAccessErrorCode; exports.ConfigurationError = _chunkWUJPWM4Tjs.ConfigurationError; exports.InvalidTokenError = _chunkWUJPWM4Tjs.InvalidTokenError; exports.__clearJwksCache = _chunkWUJPWM4Tjs.__clearJwksCache; exports.createCloudflareAccessAuth = _chunkPMFPT3SIjs.createCloudflareAccessAuth; exports.getCloudflareAccessConfigFromBindings = _chunkPMFPT3SIjs.getCloudflareAccessConfigFromBindings; exports.getCloudflareAccessConfigFromEnv = _chunkWUJPWM4Tjs.getCloudflareAccessConfigFromEnv; exports.isAccessDeniedError = _chunkWUJPWM4Tjs.isAccessDeniedError; exports.isAuthRequiredError = _chunkWUJPWM4Tjs.isAuthRequiredError; exports.isCloudflareAccessError = _chunkWUJPWM4Tjs.isCloudflareAccessError; exports.isConfigurationError = _chunkWUJPWM4Tjs.isConfigurationError; exports.isInvalidTokenError = _chunkWUJPWM4Tjs.isInvalidTokenError; exports.toAuthError = _chunkWUJPWM4Tjs.toAuthError; exports.validateCloudflareAccessToken = _chunkWUJPWM4Tjs.validateCloudflareAccessToken;
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/v000281/personal/hono-cloudflare-access-middleware/dist/index.js"],"names":[],"mappings":"AAAA;AACE;AACA;AACF,sDAA4B;AAC5B;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,sDAA4B;AAC5B;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,ytCAAC","file":"/Users/v000281/personal/hono-cloudflare-access-middleware/dist/index.js"}

package/dist/index.mjs

@@ -0,0 +1,41 @@
+import {
+  createCloudflareAccessAuth,
+  getCloudflareAccessConfigFromBindings
+} from "./chunk-LQWCGHLJ.mjs";
+import {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  InvalidTokenError,
+  __clearJwksCache,
+  getCloudflareAccessConfigFromEnv,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  toAuthError,
+  validateCloudflareAccessToken
+} from "./chunk-DM2KGIQX.mjs";
+export {
+  AccessDeniedError,
+  AuthRequiredError,
+  CloudflareAccessError,
+  CloudflareAccessErrorCode,
+  ConfigurationError,
+  InvalidTokenError,
+  __clearJwksCache,
+  createCloudflareAccessAuth,
+  getCloudflareAccessConfigFromBindings,
+  getCloudflareAccessConfigFromEnv,
+  isAccessDeniedError,
+  isAuthRequiredError,
+  isCloudflareAccessError,
+  isConfigurationError,
+  isInvalidTokenError,
+  toAuthError,
+  validateCloudflareAccessToken
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}