cyrus-github-event-transport 0.2.39 → 0.2.40

package/dist/GitHubAppTokenProvider.d.ts

@@ -0,0 +1,35 @@
+export interface GitHubAppTokenProviderConfig {
+    appId: string;
+    installationId: string;
+    privateKeyPath: string;
+    /** GitHub API base URL (default: https://api.github.com) */
+    apiBaseUrl?: string;
+}
+/**
+ * Mints and caches GitHub App installation tokens for self-hosted users.
+ *
+ * Uses the App's private key to sign a JWT, then exchanges it for a
+ * short-lived installation access token via the GitHub API.
+ * Tokens are cached and refreshed 5 minutes before expiry.
+ */
+export declare class GitHubAppTokenProvider {
+    private config;
+    private cachedToken;
+    private expiresAt;
+    private privateKeyPromise;
+    constructor(config: GitHubAppTokenProviderConfig);
+    /**
+     * Get a valid installation access token.
+     * Returns cached token if still valid, otherwise mints a new one.
+     */
+    getToken(): Promise<string>;
+    private loadPrivateKey;
+}
+/**
+ * Create a JWT for GitHub App authentication.
+ * Uses Node's native crypto — no external JWT library needed.
+ *
+ * @see https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app
+ */
+export declare function createAppJwt(appId: string, privateKey: string): string;
+//# sourceMappingURL=GitHubAppTokenProvider.d.ts.map

package/dist/GitHubAppTokenProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GitHubAppTokenProvider.d.ts","sourceRoot":"","sources":["../src/GitHubAppTokenProvider.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,4BAA4B;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,4DAA4D;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;GAMG;AACH,qBAAa,sBAAsB;IAClC,OAAO,CAAC,MAAM,CAA+B;IAC7C,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,SAAS,CAAK;IACtB,OAAO,CAAC,iBAAiB,CAAgC;gBAE7C,MAAM,EAAE,4BAA4B;IAIhD;;;OAGG;IACG,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAwCjC,OAAO,CAAC,cAAc;CAMtB;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAkBtE"}

package/dist/GitHubAppTokenProvider.js

@@ -0,0 +1,73 @@
+import { createSign } from "node:crypto";
+import { readFile } from "node:fs/promises";
+/**
+ * Mints and caches GitHub App installation tokens for self-hosted users.
+ *
+ * Uses the App's private key to sign a JWT, then exchanges it for a
+ * short-lived installation access token via the GitHub API.
+ * Tokens are cached and refreshed 5 minutes before expiry.
+ */
+export class GitHubAppTokenProvider {
+    config;
+    cachedToken = null;
+    expiresAt = 0;
+    privateKeyPromise = null;
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Get a valid installation access token.
+     * Returns cached token if still valid, otherwise mints a new one.
+     */
+    async getToken() {
+        // Refresh 5 minutes before expiry
+        if (this.cachedToken && Date.now() < this.expiresAt - 5 * 60 * 1000) {
+            return this.cachedToken;
+        }
+        const pem = await this.loadPrivateKey();
+        const jwt = createAppJwt(this.config.appId, pem);
+        const apiBase = this.config.apiBaseUrl ?? "https://api.github.com";
+        const response = await fetch(`${apiBase}/app/installations/${this.config.installationId}/access_tokens`, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${jwt}`,
+                Accept: "application/vnd.github+json",
+                "X-GitHub-Api-Version": "2022-11-28",
+            },
+        });
+        if (!response.ok) {
+            const body = await response.text();
+            throw new Error(`[GitHubAppTokenProvider] Failed to create installation token: ${response.status} ${response.statusText} - ${body}`);
+        }
+        const data = (await response.json());
+        this.cachedToken = data.token;
+        this.expiresAt = new Date(data.expires_at).getTime();
+        return this.cachedToken;
+    }
+    loadPrivateKey() {
+        if (!this.privateKeyPromise) {
+            this.privateKeyPromise = readFile(this.config.privateKeyPath, "utf-8");
+        }
+        return this.privateKeyPromise;
+    }
+}
+/**
+ * Create a JWT for GitHub App authentication.
+ * Uses Node's native crypto — no external JWT library needed.
+ *
+ * @see https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app
+ */
+export function createAppJwt(appId, privateKey) {
+    const now = Math.floor(Date.now() / 1000);
+    const header = Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })).toString("base64url");
+    const payload = Buffer.from(JSON.stringify({
+        iat: now - 60,
+        exp: now + 10 * 60,
+        iss: appId,
+    })).toString("base64url");
+    const sign = createSign("RSA-SHA256");
+    sign.update(`${header}.${payload}`);
+    const signature = sign.sign(privateKey, "base64url");
+    return `${header}.${payload}.${signature}`;
+}
+//# sourceMappingURL=GitHubAppTokenProvider.js.map

package/dist/GitHubAppTokenProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"GitHubAppTokenProvider.js","sourceRoot":"","sources":["../src/GitHubAppTokenProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAU5C;;;;;;GAMG;AACH,MAAM,OAAO,sBAAsB;IAC1B,MAAM,CAA+B;IACrC,WAAW,GAAkB,IAAI,CAAC;IAClC,SAAS,GAAG,CAAC,CAAC;IACd,iBAAiB,GAA2B,IAAI,CAAC;IAEzD,YAAY,MAAoC;QAC/C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACtB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,QAAQ;QACb,kCAAkC;QAClC,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;YACrE,OAAO,IAAI,CAAC,WAAW,CAAC;QACzB,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,wBAAwB,CAAC;QAEnE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC3B,GAAG,OAAO,sBAAsB,IAAI,CAAC,MAAM,CAAC,cAAc,gBAAgB,EAC1E;YACC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACR,aAAa,EAAE,UAAU,GAAG,EAAE;gBAC9B,MAAM,EAAE,6BAA6B;gBACrC,sBAAsB,EAAE,YAAY;aACpC;SACD,CACD,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YAClB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CACd,iEAAiE,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,MAAM,IAAI,EAAE,CACnH,CAAC;QACH,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAGlC,CAAC;QAEF,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC;QAC9B,IAAI,CAAC,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC;QAErD,OAAO,IAAI,CAAC,WAAW,CAAC;IACzB,CAAC;IAEO,cAAc;QACrB,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC7B,IAAI,CAAC,iBAAiB,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QACxE,CAAC;QACD,OAAO,IAAI,CAAC,iBAAiB,CAAC;IAC/B,CAAC;CACD;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa,EAAE,UAAkB;IAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CACzB,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAC5C,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACxB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAC1B,IAAI,CAAC,SAAS,CAAC;QACd,GAAG,EAAE,GAAG,GAAG,EAAE;QACb,GAAG,EAAE,GAAG,GAAG,EAAE,GAAG,EAAE;QAClB,GAAG,EAAE,KAAK;KACV,CAAC,CACF,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAExB,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACtC,IAAI,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CAAC;IACpC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAErD,OAAO,GAAG,MAAM,IAAI,OAAO,IAAI,SAAS,EAAE,CAAC;AAC5C,CAAC"}

package/dist/index.d.ts

@@ -1,3 +1,5 @@
+export type { GitHubAppTokenProviderConfig } from "./GitHubAppTokenProvider.js";
+export { createAppJwt, GitHubAppTokenProvider, } from "./GitHubAppTokenProvider.js";
 export type { AddReactionParams, GitHubCommentResponse, GitHubCommentServiceConfig, PostCommentParams, PostReviewCommentReplyParams, } from "./GitHubCommentService.js";
 export { GitHubCommentService } from "./GitHubCommentService.js";
 export { GitHubEventTransport } from "./GitHubEventTransport.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACX,iBAAiB,EACjB,qBAAqB,EACrB,0BAA0B,EAC1B,iBAAiB,EACjB,4BAA4B,GAC5B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EACN,oBAAoB,EACpB,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,qBAAqB,EACrB,sBAAsB,EACtB,kBAAkB,EAClB,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,iBAAiB,EACjB,sBAAsB,EACtB,qBAAqB,EACrB,iCAAiC,EACjC,0BAA0B,EAC1B,YAAY,GACZ,MAAM,2BAA2B,CAAC;AACnC,YAAY,EACX,aAAa,EACb,0BAA0B,EAC1B,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,EAClB,WAAW,EACX,yBAAyB,EACzB,iBAAiB,EACjB,wBAAwB,EACxB,oBAAoB,EACpB,qCAAqC,EACrC,8BAA8B,EAC9B,gBAAgB,EAChB,YAAY,EACZ,UAAU,EACV,sBAAsB,EACtB,kBAAkB,GAClB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,4BAA4B,EAAE,MAAM,6BAA6B,CAAC;AAChF,OAAO,EACN,YAAY,EACZ,sBAAsB,GACtB,MAAM,6BAA6B,CAAC;AACrC,YAAY,EACX,iBAAiB,EACjB,qBAAqB,EACrB,0BAA0B,EAC1B,iBAAiB,EACjB,4BAA4B,GAC5B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EACN,oBAAoB,EACpB,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,qBAAqB,EACrB,sBAAsB,EACtB,kBAAkB,EAClB,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,iBAAiB,EACjB,sBAAsB,EACtB,qBAAqB,EACrB,iCAAiC,EACjC,0BAA0B,EAC1B,YAAY,GACZ,MAAM,2BAA2B,CAAC;AACnC,YAAY,EACX,aAAa,EACb,0BAA0B,EAC1B,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,EAClB,WAAW,EACX,yBAAyB,EACzB,iBAAiB,EACjB,wBAAwB,EACxB,oBAAoB,EACpB,qCAAqC,EACrC,8BAA8B,EAC9B,gBAAgB,EAChB,YAAY,EACZ,UAAU,EACV,sBAAsB,EACtB,kBAAkB,GAClB,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -1,3 +1,4 @@
+export { createAppJwt, GitHubAppTokenProvider, } from "./GitHubAppTokenProvider.js";
 export { GitHubCommentService } from "./GitHubCommentService.js";
 export { GitHubEventTransport } from "./GitHubEventTransport.js";
 export { GitHubMessageTranslator } from "./GitHubMessageTranslator.js";

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EACN,oBAAoB,EACpB,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,qBAAqB,EACrB,sBAAsB,EACtB,kBAAkB,EAClB,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,iBAAiB,EACjB,sBAAsB,EACtB,qBAAqB,EACrB,iCAAiC,EACjC,0BAA0B,EAC1B,YAAY,GACZ,MAAM,2BAA2B,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACN,YAAY,EACZ,sBAAsB,GACtB,MAAM,6BAA6B,CAAC;AAQrC,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EACN,oBAAoB,EACpB,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,qBAAqB,EACrB,sBAAsB,EACtB,kBAAkB,EAClB,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,iBAAiB,EACjB,sBAAsB,EACtB,qBAAqB,EACrB,iCAAiC,EACjC,0BAA0B,EAC1B,YAAY,GACZ,MAAM,2BAA2B,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cyrus-github-event-transport",
-  "version": "0.2.39",
+  "version": "0.2.40",
   "description": "GitHub event transport for receiving and verifying forwarded GitHub webhooks",
   "type": "module",
   "main": "dist/index.js",
@@ -10,7 +10,7 @@
   ],
   "dependencies": {
     "fastify": "^5.8.3",
-    "cyrus-core": "0.2.39"
+    "cyrus-core": "0.2.40"
   },
   "devDependencies": {
     "@types/node": "^20.0.0",