crossly.client.auth.service 0.0.1

package/.vscode/launch.json

@@ -0,0 +1,95 @@
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "type": "node",
+            "request": "launch",
+            "name": "Debug Current Test File",
+            "program": "${workspaceFolder}/node_modules/mocha/bin/mocha.js",
+            "runtimeArgs": [
+                "--enable-source-maps"
+            ],
+            "args": [
+                "--timeout",
+                "30000",
+                "${workspaceFolder}/dist-tests/**/${fileBasenameNoExtension}.js"
+            ],
+            "console": "integratedTerminal",
+            "internalConsoleOptions": "neverOpen",
+            "skipFiles": [
+                "<node_internals>/**"
+            ],
+            "outFiles": [
+                "${workspaceFolder}/dist-tests/**/*.js"
+            ],
+            "sourceMaps": true,
+            "sourceMapPathOverrides": {
+                "../src/*": "${workspaceFolder}/src/*",
+                "../tests/*": "${workspaceFolder}/tests/*"
+            },
+            "resolveSourceMapLocations": [
+                "${workspaceFolder}/**",
+                "!**/node_modules/**"
+            ],
+            "preLaunchTask": "compile:tests"
+        },
+        {
+            "type": "node",
+            "request": "launch",
+            "name": "Debug All Tests",
+            "program": "${workspaceFolder}/node_modules/mocha/bin/mocha.js",
+            "runtimeArgs": [
+                "--enable-source-maps"
+            ],
+            "args": [
+                "--timeout",
+                "30000",
+                "${workspaceFolder}/dist-tests/tests/**/*.test.js"
+            ],
+            "console": "integratedTerminal",
+            "internalConsoleOptions": "neverOpen",
+            "skipFiles": [
+                "<node_internals>/**"
+            ],
+            "outFiles": [
+                "${workspaceFolder}/dist-tests/**/*.js"
+            ],
+            "sourceMaps": true,
+            "sourceMapPathOverrides": {
+                "../src/*": "${workspaceFolder}/src/*",
+                "../tests/*": "${workspaceFolder}/tests/*"
+            },
+            "resolveSourceMapLocations": [
+                "${workspaceFolder}/**",
+                "!**/node_modules/**"
+            ],
+            "preLaunchTask": "build:tests"
+        },
+        {
+            "type": "node",
+            "request": "launch",
+            "name": "Debug App",
+            "program": "${workspaceFolder}/dist/app.js",
+            "runtimeArgs": [
+                "--enable-source-maps"
+            ],
+            "console": "integratedTerminal",
+            "internalConsoleOptions": "neverOpen",
+            "skipFiles": [
+                "<node_internals>/**"
+            ],
+            "outFiles": [
+                "${workspaceFolder}/dist/**/*.js"
+            ],
+            "sourceMaps": true,
+            "sourceMapPathOverrides": {
+                "../src/*": "${workspaceFolder}/src/*"
+            },
+            "resolveSourceMapLocations": [
+                "${workspaceFolder}/**",
+                "!**/node_modules/**"
+            ],
+            "preLaunchTask": "build"
+        }
+    ]
+}

package/.vscode/settings.json

@@ -0,0 +1,24 @@
+{
+    "cSpell.words": [
+        "textyly"
+    ],
+    "files.exclude": {
+        "**/dist*": true,
+        "**/package*.json": false,
+        "**/node_modules": true,
+        "**/tsconfig*.json": true,
+        "**/.gitignore": true,
+        "**/.github": true,
+        "**/LICENSE": true,
+        "**/README*": true,
+        "**/*.js": true,
+        "**/*.js.map": true,
+        "**/*.log": true
+    },
+    "typescript.preferences.importModuleSpecifierEnding": "js",
+    "typescript.tsdk": "node_modules/typescript/lib",
+    "typescript.enablePromptUseWorkspaceTsdk": true,
+    "editor.formatOnSave": true,
+    "files.trimTrailingWhitespace": true,
+    "js/ts.tsdk.path": "node_modules/typescript/lib"
+}

package/.vscode/tasks.json

@@ -0,0 +1,34 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "build",
+            "type": "shell",
+            "command": "npm run build",
+            "group": {
+                "kind": "build",
+                "isDefault": true
+            },
+            "problemMatcher": [],
+            "detail": "Run the build script using npm."
+        },
+        {
+            "label": "build:tests",
+            "type": "shell",
+            "command": "npm run build:tests",
+            "group": "build",
+            "problemMatcher": [],
+            "detail": "Full build then compile the tests using npm."
+        },
+        {
+            "label": "compile:tests",
+            "type": "shell",
+            "command": "npm run compile:tests",
+            "group": "build",
+            "problemMatcher": [
+                "$tsc"
+            ],
+            "detail": "Fast: recompile the tests (and imported source) for debugging."
+        }
+    ]
+}

package/README.md

@@ -0,0 +1,38 @@
+# crossly.client.auth.service
+
+Client authentication for Crossly.
+
+Phase 1 (this version) is deliberately minimal: it issues **anonymous guest sessions** so a user can
+start creating patterns immediately, with no login. A guest session is a signed JWT whose `sub` is a
+freshly generated client id.
+
+Sessions are valid for **1 year**, and `POST /auth/refresh` re-issues a token for the same client id
+with a fresh expiry. The client calls it on use (e.g. on app start) so an active user's session keeps
+rolling forward and only lapses after a full year of inactivity.
+
+Later phases add login via existing identity providers (Google, GitHub, …) that issue a token of the
+**same shape**, so nothing downstream changes — see the project notes for the staged plan.
+
+## Endpoints
+
+| Method | Route            | Purpose                                                        |
+|--------|------------------|---------------------------------------------------------------|
+| GET    | `/health`        | Liveness check                                                |
+| POST   | `/auth/guest`    | Create a new anonymous guest session                          |
+| POST   | `/auth/refresh`  | Re-issue a token for the current session (`Authorization: Bearer <token>`) |
+| GET    | `/auth/validate` | Verify a token; on success returns `200` with `X-Client-Id` / `X-Guest` response headers, else `401`. Intended for an API-gateway **ForwardAuth** check so downstream services receive a trusted `clientId` without holding the signing key. |
+
+## Scripts
+
+- `npm run build` — build contracts then the service
+- `npm start` — build and run on port 5001
+- `npm test` — unit + integration tests
+- `npm run test:unit` / `npm run test:integration`
+
+## Configuration
+
+- `AUTH_JWT_SECRET` — HS256 signing secret (defaults to a dev-only value; override in real environments).
+
+## License
+
+Apache-2.0

package/contracts/README.md

@@ -0,0 +1,28 @@
+# @textyly/crossly-client-auth-contracts
+
+Shared TypeScript contracts (types / DTOs) for the Crossly **Client Auth** service.
+
+These types describe the auth tokens and responses exchanged over the service's HTTP API and are
+meant to be consumed by any TypeScript/JavaScript client — for example [`crossly.ui`](https://github.com/textyly) —
+and by other services that validate Crossly access tokens.
+
+## Install
+
+```bash
+npm install @textyly/crossly-client-auth-contracts
+```
+
+## Usage
+
+```ts
+import type {
+    AccessTokenClaims,
+    GuestSessionResponse,
+} from '@textyly/crossly-client-auth-contracts';
+```
+
+The package ships only type declarations and has no runtime or server dependencies.
+
+## License
+
+Apache-2.0 — part of the [textyly / crossly](https://github.com/textyly) open-source project.

package/contracts/package-lock.json

@@ -0,0 +1,30 @@
+{
+  "name": "@textyly/crossly-client-auth-contracts",
+  "version": "0.0.1",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "@textyly/crossly-client-auth-contracts",
+      "version": "0.0.1",
+      "license": "Apache-2.0",
+      "devDependencies": {
+        "typescript": "^5.6.2"
+      }
+    },
+    "node_modules/typescript": {
+      "version": "5.9.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
+      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=14.17"
+      }
+    }
+  }
+}

package/contracts/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "@textyly/crossly-client-auth-contracts",
+  "version": "0.0.2",
+  "description": "Shared contracts (types/DTOs) for the Crossly Client Auth service, consumable by clients such as crossly.ui.",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "compile": "tsc --version && tsc",
+    "build": "npm i && npm run compile",
+    "prepublishOnly": "npm run build"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/textyly/crossly.client.auth.service.git",
+    "directory": "contracts"
+  },
+  "homepage": "https://github.com/textyly/crossly.client.auth.service/tree/main/contracts#readme",
+  "bugs": {
+    "url": "https://github.com/textyly/crossly.client.auth.service/issues"
+  },
+  "keywords": [
+    "crossly",
+    "textyly",
+    "contracts",
+    "auth",
+    "jwt"
+  ],
+  "author": "textyly community",
+  "license": "Apache-2.0",
+  "devDependencies": {
+    "typescript": "^5.6.2"
+  }
+}

package/contracts/src/index.ts

@@ -0,0 +1,53 @@
+/**
+ * Shared contracts for the Crossly Client Auth service.
+ *
+ * These types describe the auth tokens and responses exchanged over the
+ * service's API and are meant to be consumed by any TypeScript/JavaScript
+ * client (e.g. crossly.ui) and by other services that validate tokens.
+ * Keep this module free of runtime/server dependencies.
+ */
+
+/** Claims carried by a Crossly access token (guest now; authenticated later). */
+export interface AccessTokenClaims {
+    /** Subject — the stable client identifier. Equals the clientId used elsewhere. */
+    sub: string;
+    /** True for anonymous guest sessions; false for authenticated users. */
+    guest: boolean;
+    /** Issued-at, in seconds since the epoch. */
+    iat: number;
+    /** Expiry, in seconds since the epoch. */
+    exp: number;
+}
+
+/**
+ * Internal session shape produced by the signer/manager: the raw token + expiry.
+ * In the BFF cookie model the token is set as an httpOnly cookie rather than
+ * returned in the response body — see {@link SessionResponse} / {@link MeResponse}.
+ */
+export interface GuestSessionResponse {
+    /** Signed JWT (set by the server as an httpOnly session cookie). */
+    token: string;
+    /** The client identifier (equals the token's `sub`). */
+    clientId: string;
+    /** Token expiry, in seconds since the epoch. */
+    expiresAt: number;
+}
+
+/**
+ * Minimal session summary returned by `POST /auth/guest`, `POST /auth/refresh`
+ * and `GET /auth/validate`. The session token itself rides in an httpOnly cookie.
+ */
+export interface SessionResponse {
+    /** The client identifier (equals the session token's `sub`). */
+    clientId: string;
+    /** True for anonymous guests; false for authenticated users. */
+    guest: boolean;
+}
+
+/** Identity returned by `GET /auth/me` so the UI knows who it is (it can't read the cookie). */
+export interface MeResponse {
+    clientId: string;
+    guest: boolean;
+    /** Present for authenticated users when the provider reported one; display only. */
+    email?: string;
+}

package/contracts/tsconfig.json

@@ -0,0 +1,22 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "declaration": true,
+    "declarationMap": true,
+    "strict": true,
+    "sourceMap": true,
+    "inlineSources": true,
+    "esModuleInterop": true
+  },
+  "include": [
+    "src/**/*"
+  ],
+  "exclude": [
+    "node_modules",
+    "dist"
+  ]
+}

package/dist/app.js

@@ -0,0 +1,52 @@
+import 'dotenv/config';
+import pg from 'pg';
+import { createApp } from './createApp.js';
+import { JwtSigner } from './signer/jwtSigner.js';
+import { PgClientRepository } from './repository/pgClientRepository.js';
+import { databaseUrl, runMigrations } from './db/migrate.js';
+import { loadConfig, loadGoogleConfig } from './config.js';
+import { GoogleProvider } from './oidc/googleProvider.js';
+import { NotConfiguredOidcProvider } from './oidc/notConfiguredOidcProvider.js';
+const port = 5001;
+// HS256 shared secret. MUST be overridden via AUTH_JWT_SECRET in any real environment.
+const secret = process.env.AUTH_JWT_SECRET ?? 'dev-only-insecure-secret-change-me';
+/** Build the real Google provider if configured, else a disabled placeholder. */
+async function buildOidcProvider() {
+    const google = loadGoogleConfig();
+    if (google.clientId && google.clientSecret) {
+        return GoogleProvider.create({
+            clientId: google.clientId,
+            clientSecret: google.clientSecret,
+            redirectUri: google.callbackUrl,
+        });
+    }
+    console.warn('Google OIDC not configured (set GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET) — /auth/login is disabled');
+    return new NotConfiguredOidcProvider();
+}
+/**
+ * Entry point: apply database migrations, then build the app via the shared
+ * factory and listen.
+ *
+ * Migrations run on startup and are safe across several instances booting in
+ * parallel (an advisory lock serializes them — see db/migrate.ts), so no separate
+ * migration job is required. The service will not start serving until the schema
+ * is up to date, which means a reachable Postgres is now required to boot.
+ */
+async function main() {
+    await runMigrations();
+    // One pool for the app's lifetime, backing the client repository.
+    const pool = new pg.Pool({ connectionString: databaseUrl() });
+    const signer = new JwtSigner(secret);
+    const clients = new PgClientRepository(pool);
+    const oidc = await buildOidcProvider();
+    const config = loadConfig();
+    const app = createApp({ signer, clients, oidc, config });
+    app.listen(port, () => {
+        console.log(`crossly.client.auth.service listening on port ${port}`);
+    });
+}
+main().catch((error) => {
+    console.error('failed to start crossly.client.auth.service:', error);
+    process.exit(1);
+});
+//# sourceMappingURL=app.js.map

package/dist/app.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.js","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AAAA,OAAO,eAAe,CAAC;AACvB,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,oCAAoC,CAAC;AACxE,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,yBAAyB,EAAE,MAAM,qCAAqC,CAAC;AAGhF,MAAM,IAAI,GAAG,IAAI,CAAC;AAClB,uFAAuF;AACvF,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,oCAAoC,CAAC;AAEnF,iFAAiF;AACjF,KAAK,UAAU,iBAAiB;IAC5B,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAClC,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACzC,OAAO,cAAc,CAAC,MAAM,CAAC;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,WAAW,EAAE,MAAM,CAAC,WAAW;SAClC,CAAC,CAAC;IACP,CAAC;IAED,OAAO,CAAC,IAAI,CACR,oGAAoG,CACvG,CAAC;IACF,OAAO,IAAI,yBAAyB,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;GAQG;AACH,KAAK,UAAU,IAAI;IACf,MAAM,aAAa,EAAE,CAAC;IAEtB,kEAAkE;IAClE,MAAM,IAAI,GAAG,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,gBAAgB,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC;IAC9D,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;IACrC,MAAM,OAAO,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,MAAM,iBAAiB,EAAE,CAAC;IACvC,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,SAAS,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IAEzD,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;QAClB,OAAO,CAAC,GAAG,CAAC,iDAAiD,IAAI,EAAE,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;AACP,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,8CAA8C,EAAE,KAAK,CAAC,CAAC;IACrE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC,CAAC,CAAC","sourcesContent":["import 'dotenv/config';\nimport pg from 'pg';\nimport { createApp } from './createApp.js';\nimport { JwtSigner } from './signer/jwtSigner.js';\nimport { PgClientRepository } from './repository/pgClientRepository.js';\nimport { databaseUrl, runMigrations } from './db/migrate.js';\nimport { loadConfig, loadGoogleConfig } from './config.js';\nimport { GoogleProvider } from './oidc/googleProvider.js';\nimport { NotConfiguredOidcProvider } from './oidc/notConfiguredOidcProvider.js';\nimport type { IOidcProvider } from './oidc/types.js';\n\nconst port = 5001;\n// HS256 shared secret. MUST be overridden via AUTH_JWT_SECRET in any real environment.\nconst secret = process.env.AUTH_JWT_SECRET ?? 'dev-only-insecure-secret-change-me';\n\n/** Build the real Google provider if configured, else a disabled placeholder. */\nasync function buildOidcProvider(): Promise<IOidcProvider> {\n    const google = loadGoogleConfig();\n    if (google.clientId && google.clientSecret) {\n        return GoogleProvider.create({\n            clientId: google.clientId,\n            clientSecret: google.clientSecret,\n            redirectUri: google.callbackUrl,\n        });\n    }\n\n    console.warn(\n        'Google OIDC not configured (set GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET) — /auth/login is disabled',\n    );\n    return new NotConfiguredOidcProvider();\n}\n\n/**\n * Entry point: apply database migrations, then build the app via the shared\n * factory and listen.\n *\n * Migrations run on startup and are safe across several instances booting in\n * parallel (an advisory lock serializes them — see db/migrate.ts), so no separate\n * migration job is required. The service will not start serving until the schema\n * is up to date, which means a reachable Postgres is now required to boot.\n */\nasync function main(): Promise<void> {\n    await runMigrations();\n\n    // One pool for the app's lifetime, backing the client repository.\n    const pool = new pg.Pool({ connectionString: databaseUrl() });\n    const signer = new JwtSigner(secret);\n    const clients = new PgClientRepository(pool);\n    const oidc = await buildOidcProvider();\n    const config = loadConfig();\n    const app = createApp({ signer, clients, oidc, config });\n\n    app.listen(port, () => {\n        console.log(`crossly.client.auth.service listening on port ${port}`);\n    });\n}\n\nmain().catch((error) => {\n    console.error('failed to start crossly.client.auth.service:', error);\n    process.exit(1);\n});\n"]}

package/dist/config.js

@@ -0,0 +1,29 @@
+/**
+ * Service configuration, read from the environment with dev-friendly defaults.
+ * Secrets/URLs come from env (k8s Secret/ConfigMap later); the defaults make
+ * local dev work with zero setup (except Google login, which needs real creds).
+ */
+/** httpOnly cookie holding the session JWT (guest or authenticated). */
+export const SESSION_COOKIE = 'crossly_session';
+/** Short-lived signed cookie holding the OAuth `state` + PKCE `codeVerifier`. */
+export const OAUTH_COOKIE = 'crossly_oauth';
+export function loadConfig() {
+    // Where the browser lands after login. May include a path (e.g. the static
+    // UI entry); the CORS origin is derived from just its scheme+host+port, since
+    // the browser's Origin header never carries a path.
+    const uiRedirectUrl = process.env.UI_URL ?? 'http://localhost:5000/dist/index.html';
+    return {
+        cookieSecret: process.env.COOKIE_SECRET ?? 'dev-only-cookie-secret-change-me',
+        uiRedirectUrl,
+        corsOrigin: process.env.CORS_ORIGIN ?? new URL(uiRedirectUrl).origin,
+        secureCookies: (process.env.SECURE_COOKIES ?? 'false') === 'true',
+    };
+}
+export function loadGoogleConfig() {
+    return {
+        clientId: process.env.GOOGLE_CLIENT_ID,
+        clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+        callbackUrl: process.env.GOOGLE_CALLBACK_URL ?? 'http://localhost:5001/api/v1/auth/callback',
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,wEAAwE;AACxE,MAAM,CAAC,MAAM,cAAc,GAAG,iBAAiB,CAAC;AAEhD,iFAAiF;AACjF,MAAM,CAAC,MAAM,YAAY,GAAG,eAAe,CAAC;AAqB5C,MAAM,UAAU,UAAU;IACtB,2EAA2E;IAC3E,8EAA8E;IAC9E,oDAAoD;IACpD,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,uCAAuC,CAAC;IACpF,OAAO;QACH,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,kCAAkC;QAC7E,aAAa;QACb,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC,MAAM;QACpE,aAAa,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC,KAAK,MAAM;KACpE,CAAC;AACN,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC5B,OAAO;QACH,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB;QACtC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAC9C,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,4CAA4C;KAC/F,CAAC;AACN,CAAC","sourcesContent":["/**\n * Service configuration, read from the environment with dev-friendly defaults.\n * Secrets/URLs come from env (k8s Secret/ConfigMap later); the defaults make\n * local dev work with zero setup (except Google login, which needs real creds).\n */\n\n/** httpOnly cookie holding the session JWT (guest or authenticated). */\nexport const SESSION_COOKIE = 'crossly_session';\n\n/** Short-lived signed cookie holding the OAuth `state` + PKCE `codeVerifier`. */\nexport const OAUTH_COOKIE = 'crossly_oauth';\n\n/** Runtime config for cookies, CORS and post-login redirects. */\nexport interface AuthConfig {\n    /** Secret used to sign the short-lived OAuth cookie. */\n    cookieSecret: string;\n    /** Where the browser is sent after a successful login / after logout. */\n    uiRedirectUrl: string;\n    /** Allowed browser origin for credentialed CORS requests. */\n    corsOrigin: string;\n    /** Whether cookies carry the `Secure` attribute (true behind HTTPS). */\n    secureCookies: boolean;\n}\n\n/** Google OAuth client config; clientId/secret absent ⇒ login is disabled. */\nexport interface GoogleConfig {\n    clientId?: string;\n    clientSecret?: string;\n    callbackUrl: string;\n}\n\nexport function loadConfig(): AuthConfig {\n    // Where the browser lands after login. May include a path (e.g. the static\n    // UI entry); the CORS origin is derived from just its scheme+host+port, since\n    // the browser's Origin header never carries a path.\n    const uiRedirectUrl = process.env.UI_URL ?? 'http://localhost:5000/dist/index.html';\n    return {\n        cookieSecret: process.env.COOKIE_SECRET ?? 'dev-only-cookie-secret-change-me',\n        uiRedirectUrl,\n        corsOrigin: process.env.CORS_ORIGIN ?? new URL(uiRedirectUrl).origin,\n        secureCookies: (process.env.SECURE_COOKIES ?? 'false') === 'true',\n    };\n}\n\nexport function loadGoogleConfig(): GoogleConfig {\n    return {\n        clientId: process.env.GOOGLE_CLIENT_ID,\n        clientSecret: process.env.GOOGLE_CLIENT_SECRET,\n        callbackUrl: process.env.GOOGLE_CALLBACK_URL ?? 'http://localhost:5001/api/v1/auth/callback',\n    };\n}\n"]}