digitaltwin-core 0.14.3 → 1.0.0

package/README.md

@@ -12,6 +12,7 @@ Digital Twin Core is a minimalist TypeScript framework used to collect and proce
 - **Storage adapters** – currently local filesystem and OVH Object Storage via S3 API.
 - **Database adapter** – implemented with [Knex](https://knexjs.org/) to index metadata.
 - **Engine** – orchestrates components, schedules jobs with BullMQ and exposes endpoints via Express.
+- **Authentication** – pluggable authentication system supporting API gateway headers, JWT tokens, or no-auth mode.
 
 ## Installation
 
@@ -326,6 +327,139 @@ class WMSLayersManager extends CustomTableManager {
 - `update(id, data)` - Update existing record
 - `delete(id)` - Delete record
 
+## Request Validation
+
+The framework includes VineJS integration for type-safe request validation:
+
+```typescript
+import { validate, AssetUploadSchema } from 'digitaltwin-core'
+
+// In your component
+async handleUpload(req: any) {
+  const data = await validate(AssetUploadSchema, req.body)
+  // data is now typed and validated
+}
+```
+
+Validation errors return HTTP 422 with detailed error messages:
+
+```json
+{
+  "error": "Validation failed",
+  "details": [
+    { "field": "description", "message": "The description field must be a string" }
+  ]
+}
+```
+
+## Error Handling
+
+The framework provides custom error classes for structured error handling:
+
+```typescript
+import { CollectorError, ValidationError, StorageError } from 'digitaltwin-core'
+
+// Errors include context
+throw new CollectorError('Failed to fetch data', 'weather-collector', originalError)
+
+// Validation errors return 422
+throw new ValidationError('Invalid input', details)
+```
+
+All component errors are caught and logged with context (component name, stack trace). Non-critical operations use `safeAsync` to log errors without crashing:
+
+```typescript
+import { safeAsync } from 'digitaltwin-core'
+
+// Won't throw, just logs on failure
+await safeAsync(() => cleanup(), 'cleanup temporary files', logger)
+```
+
+## Production Features
+
+### Graceful Shutdown
+
+The engine supports graceful shutdown with configurable timeout:
+
+```typescript
+const engine = new DigitalTwinEngine({ database, storage })
+
+// Configure shutdown timeout (default: 30s)
+engine.setShutdownTimeout(60000)
+
+// Check if shutting down
+if (engine.isShuttingDown()) {
+  // Don't accept new work
+}
+
+// Graceful stop
+await engine.stop()
+```
+
+### Health Checks
+
+Register custom health checks for monitoring:
+
+```typescript
+engine.registerHealthCheck('external-api', async () => {
+  const response = await fetch('https://api.example.com/health')
+  return { status: response.ok ? 'up' : 'down' }
+})
+
+// Built-in checks: database, redis (if configured)
+const names = engine.getHealthCheckNames() // ['database', 'redis', 'external-api']
+
+// Remove check
+engine.removeHealthCheck('external-api')
+```
+
+### OpenAPI Specification
+
+Generate OpenAPI 3.0 specs from your components:
+
+```typescript
+import { OpenAPIGenerator } from 'digitaltwin-core'
+
+const spec = OpenAPIGenerator.generate({
+  info: { title: 'My API', version: '1.0.0' },
+  components: [collector, assetsManager, handler]
+})
+
+// Output as JSON or YAML
+const json = OpenAPIGenerator.toJSON(spec)
+const yaml = OpenAPIGenerator.toYAML(spec)
+```
+
+## Authentication
+
+The framework supports multiple authentication modes:
+
+- **Gateway** (default): Uses headers from API gateways (Apache APISIX, KrakenD)
+- **JWT**: Direct JWT token validation
+- **None**: Disabled for development/testing
+
+### Gateway Mode (Default)
+
+No configuration needed. The framework reads `x-user-id` and `x-user-roles` headers set by your API gateway.
+
+### JWT Mode
+
+```bash
+export AUTH_MODE=jwt
+export JWT_SECRET=your-secret-key
+# Or for RSA: JWT_PUBLIC_KEY or JWT_PUBLIC_KEY_FILE
+```
+
+### Disable Authentication
+
+```bash
+export DIGITALTWIN_DISABLE_AUTH=true
+# Or
+export AUTH_MODE=none
+```
+
+For detailed configuration options, see [src/auth/README.md](src/auth/README.md).
+
 ## Project Scaffolding
 
 Use [create-digitaltwin](https://github.com/CePseudoBE/create-digitaltwin) to quickly bootstrap new projects:
@@ -348,6 +482,7 @@ node dt make:harvester DataProcessor --source weather-collector
 ## Folder structure
 
 - `src/` – framework sources
+    - `auth/` – authentication providers and user management
     - `components/` – base classes for collectors, harvesters, handlers and assets manager
     - `engine/` – orchestration logic
     - `storage/` – storage service abstractions and adapters

package/dist/auth/apisix_parser.d.ts

@@ -1,16 +1,19 @@
 import type { AuthenticatedUser } from './types.js';
+import type { AuthProvider } from './auth_provider.js';
 /**
  * Parses authentication information from Apache APISIX headers set after Keycloak authentication.
  *
- * This class handles the parsing of authentication headers forwarded by Apache APISIX
- * after successful Keycloak authentication. APISIX acts as a gateway that:
- * 1. Validates JWT tokens with Keycloak
- * 2. Extracts user information from the token
- * 3. Forwards user data as HTTP headers to downstream services
+ * This class provides a static API for backward compatibility while internally using
+ * the AuthProvider system. It automatically handles:
+ * - Gateway mode (x-user-id, x-user-roles headers)
+ * - JWT mode (Authorization: Bearer token)
+ * - No-auth mode (DIGITALTWIN_DISABLE_AUTH=true)
  *
- * Authentication can be disabled via environment variables for development/testing:
- * - Set DIGITALTWIN_DISABLE_AUTH=true to bypass authentication checks
- * - Set DIGITALTWIN_ANONYMOUS_USER_ID=custom-id to use a custom anonymous user ID
+ * For new code, consider using AuthProviderFactory directly:
+ * ```typescript
+ * const authProvider = AuthProviderFactory.fromEnv()
+ * const user = authProvider.parseRequest(req)
+ * ```
  *
  * @example
  * ```typescript
@@ -24,18 +27,38 @@ import type { AuthenticatedUser } from './types.js';
  * ```
  */
 export declare class ApisixAuthParser {
+    private static _provider;
+    /**
+     * Get the authentication provider instance.
+     * Creates it on first use based on environment configuration.
+     */
+    private static getProvider;
+    /**
+     * Reset the provider instance (useful for testing).
+     * @internal
+     */
+    static _resetProvider(): void;
+    /**
+     * Set a custom provider (useful for testing).
+     * @internal
+     */
+    static _setProvider(provider: AuthProvider): void;
+    /**
+     * Create a request-like object from headers for the AuthProvider.
+     */
+    private static toAuthRequest;
     /**
-     * Extracts user information from APISIX headers.
+     * Extracts user information from authentication headers.
      *
-     * Parses the authentication headers forwarded by APISIX:
-     * - `x-user-id`: Keycloak user UUID (required)
-     * - `x-user-roles`: Comma-separated list of user roles (optional)
+     * Parses the authentication headers (gateway mode) or JWT token (jwt mode):
+     * - Gateway: `x-user-id` and `x-user-roles` headers
+     * - JWT: `Authorization: Bearer <token>` header
      *
      * When authentication is disabled (DIGITALTWIN_DISABLE_AUTH=true),
-     * returns a default anonymous user instead of requiring headers.
+     * returns a default anonymous user.
      *
-     * @param headers - HTTP request headers from APISIX
-     * @returns Parsed user authentication data, or null if x-user-id is missing and auth is enabled
+     * @param headers - HTTP request headers
+     * @returns Parsed user authentication data, or null if not authenticated
      *
      * @example
      * ```typescript
@@ -46,48 +69,35 @@ export declare class ApisixAuthParser {
      *
      * const authUser = ApisixAuthParser.parseAuthHeaders(headers)
      * // Returns: { id: '6e06a527...', roles: ['default-roles-master', 'offline_access'] }
-     *
-     * // With DIGITALTWIN_DISABLE_AUTH=true
-     * const authUser = ApisixAuthParser.parseAuthHeaders({})
-     * // Returns: { id: 'anonymous', roles: ['anonymous'] }
      * ```
      */
     static parseAuthHeaders(headers: Record<string, string>): AuthenticatedUser | null;
     /**
-     * Checks if a request has valid authentication headers.
+     * Checks if a request has valid authentication.
      *
      * Performs a quick validation to determine if the request contains
-     * the minimum required authentication information (x-user-id header).
-     * Use this for early authentication checks before parsing.
+     * valid authentication credentials (gateway headers or JWT token).
      *
-     * When authentication is disabled (DIGITALTWIN_DISABLE_AUTH=true),
-     * this always returns true to allow all requests through.
+     * When authentication is disabled, this always returns true.
      *
      * @param headers - HTTP request headers
-     * @returns true if x-user-id header is present or auth is disabled, false otherwise
+     * @returns true if authentication is valid or disabled, false otherwise
      *
      * @example
      * ```typescript
-     * // Early authentication check in handler
      * if (!ApisixAuthParser.hasValidAuth(req.headers)) {
      *   return { status: 401, content: 'Authentication required' }
      * }
-     *
-     * // Now safe to proceed with parsing
-     * const authUser = ApisixAuthParser.parseAuthHeaders(req.headers)
      * ```
      */
     static hasValidAuth(headers: Record<string, string>): boolean;
     /**
      * Extracts just the user ID from headers.
      *
-     * Convenience method for cases where you only need the user ID
-     * without parsing the full authentication context.
-     *
-     * When authentication is disabled, returns the configured anonymous user ID.
+     * Convenience method for cases where you only need the user ID.
      *
      * @param headers - HTTP request headers
-     * @returns Keycloak user ID, anonymous user ID if auth disabled, or null if not present
+     * @returns User ID, or null if not authenticated
      *
      * @example
      * ```typescript
@@ -101,13 +111,8 @@ export declare class ApisixAuthParser {
     /**
      * Extracts just the user roles from headers.
      *
-     * Convenience method for cases where you only need the user roles
-     * without parsing the full authentication context.
-     *
-     * When authentication is disabled, returns the anonymous user roles.
-     *
      * @param headers - HTTP request headers
-     * @returns Array of role names, anonymous roles if auth disabled, empty array if no roles header present
+     * @returns Array of role names, empty array if not authenticated
      *
      * @example
      * ```typescript
@@ -121,24 +126,14 @@ export declare class ApisixAuthParser {
     /**
      * Checks if a user has the admin role.
      *
-     * Determines if the authenticated user has administrative privileges by checking
-     * if their roles include the configured admin role name (default: "admin").
-     *
-     * The admin role name can be configured via DIGITALTWIN_ADMIN_ROLE_NAME environment variable.
-     *
      * @param headers - HTTP request headers
      * @returns true if user has admin role, false otherwise
      *
      * @example
      * ```typescript
      * if (ApisixAuthParser.isAdmin(req.headers)) {
-     *   // User has full administrative access
-     *   // Can view all assets including private assets owned by others
-     *   console.log('Admin user detected')
+     *   // Admin-only logic
      * }
-     *
-     * // With custom admin role name (DIGITALTWIN_ADMIN_ROLE_NAME=administrator)
-     * const isAdmin = ApisixAuthParser.isAdmin(req.headers)
      * ```
      */
     static isAdmin(headers: Record<string, string>): boolean;

package/dist/auth/apisix_parser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"apisix_parser.d.ts","sourceRoot":"","sources":["../../src/auth/apisix_parser.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAA;AAGnD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,qBAAa,gBAAgB;IACzB;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,iBAAiB,GAAG,IAAI;IAqBlF;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO;IAS7D;;;;;;;;;;;;;;;;;;OAkBG;IACH,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,GAAG,IAAI;IAShE;;;;;;;;;;;;;;;;;;OAkBG;IACH,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,EAAE;IAU9D;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO;CAK3D"}
+{"version":3,"file":"apisix_parser.d.ts","sourceRoot":"","sources":["../../src/auth/apisix_parser.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAA;AACnD,OAAO,KAAK,EAAE,YAAY,EAAe,MAAM,oBAAoB,CAAA;AAGnE;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,gBAAgB;IACzB,OAAO,CAAC,MAAM,CAAC,SAAS,CAA4B;IAEpD;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAO1B;;;OAGG;IACH,MAAM,CAAC,cAAc,IAAI,IAAI;IAI7B;;;OAGG;IACH,MAAM,CAAC,YAAY,CAAC,QAAQ,EAAE,YAAY,GAAG,IAAI;IAIjD;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,aAAa;IAI5B;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,iBAAiB,GAAG,IAAI;IAIlF;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO;IAI7D;;;;;;;;;;;;;;;OAeG;IACH,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,GAAG,IAAI;IAIhE;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,EAAE;IAI9D;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO;CAG3D"}

package/dist/auth/apisix_parser.js

@@ -1,16 +1,18 @@
-import { AuthConfig } from './auth_config.js';
+import { AuthProviderFactory } from './auth_provider_factory.js';
 /**
  * Parses authentication information from Apache APISIX headers set after Keycloak authentication.
  *
- * This class handles the parsing of authentication headers forwarded by Apache APISIX
- * after successful Keycloak authentication. APISIX acts as a gateway that:
- * 1. Validates JWT tokens with Keycloak
- * 2. Extracts user information from the token
- * 3. Forwards user data as HTTP headers to downstream services
+ * This class provides a static API for backward compatibility while internally using
+ * the AuthProvider system. It automatically handles:
+ * - Gateway mode (x-user-id, x-user-roles headers)
+ * - JWT mode (Authorization: Bearer token)
+ * - No-auth mode (DIGITALTWIN_DISABLE_AUTH=true)
  *
- * Authentication can be disabled via environment variables for development/testing:
- * - Set DIGITALTWIN_DISABLE_AUTH=true to bypass authentication checks
- * - Set DIGITALTWIN_ANONYMOUS_USER_ID=custom-id to use a custom anonymous user ID
+ * For new code, consider using AuthProviderFactory directly:
+ * ```typescript
+ * const authProvider = AuthProviderFactory.fromEnv()
+ * const user = authProvider.parseRequest(req)
+ * ```
  *
  * @example
  * ```typescript
@@ -24,18 +26,49 @@ import { AuthConfig } from './auth_config.js';
  * ```
  */
 export class ApisixAuthParser {
+    static { this._provider = null; }
+    /**
+     * Get the authentication provider instance.
+     * Creates it on first use based on environment configuration.
+     */
+    static getProvider() {
+        if (!this._provider) {
+            this._provider = AuthProviderFactory.fromEnv();
+        }
+        return this._provider;
+    }
+    /**
+     * Reset the provider instance (useful for testing).
+     * @internal
+     */
+    static _resetProvider() {
+        this._provider = null;
+    }
+    /**
+     * Set a custom provider (useful for testing).
+     * @internal
+     */
+    static _setProvider(provider) {
+        this._provider = provider;
+    }
+    /**
+     * Create a request-like object from headers for the AuthProvider.
+     */
+    static toAuthRequest(headers) {
+        return { headers };
+    }
     /**
-     * Extracts user information from APISIX headers.
+     * Extracts user information from authentication headers.
      *
-     * Parses the authentication headers forwarded by APISIX:
-     * - `x-user-id`: Keycloak user UUID (required)
-     * - `x-user-roles`: Comma-separated list of user roles (optional)
+     * Parses the authentication headers (gateway mode) or JWT token (jwt mode):
+     * - Gateway: `x-user-id` and `x-user-roles` headers
+     * - JWT: `Authorization: Bearer <token>` header
      *
      * When authentication is disabled (DIGITALTWIN_DISABLE_AUTH=true),
-     * returns a default anonymous user instead of requiring headers.
+     * returns a default anonymous user.
      *
-     * @param headers - HTTP request headers from APISIX
-     * @returns Parsed user authentication data, or null if x-user-id is missing and auth is enabled
+     * @param headers - HTTP request headers
+     * @returns Parsed user authentication data, or null if not authenticated
      *
      * @example
      * ```typescript
@@ -46,70 +79,39 @@ export class ApisixAuthParser {
      *
      * const authUser = ApisixAuthParser.parseAuthHeaders(headers)
      * // Returns: { id: '6e06a527...', roles: ['default-roles-master', 'offline_access'] }
-     *
-     * // With DIGITALTWIN_DISABLE_AUTH=true
-     * const authUser = ApisixAuthParser.parseAuthHeaders({})
-     * // Returns: { id: 'anonymous', roles: ['anonymous'] }
      * ```
      */
     static parseAuthHeaders(headers) {
-        // If authentication is disabled, return anonymous user
-        if (AuthConfig.isAuthDisabled()) {
-            return AuthConfig.getAnonymousUser();
-        }
-        const userId = headers['x-user-id'];
-        if (!userId) {
-            return null;
-        }
-        // Parse roles from comma-separated string
-        const rolesString = headers['x-user-roles'] || '';
-        const roles = rolesString ? rolesString.split(',').map(role => role.trim()) : [];
-        return {
-            id: userId,
-            roles: roles
-        };
+        return this.getProvider().parseRequest(this.toAuthRequest(headers));
     }
     /**
-     * Checks if a request has valid authentication headers.
+     * Checks if a request has valid authentication.
      *
      * Performs a quick validation to determine if the request contains
-     * the minimum required authentication information (x-user-id header).
-     * Use this for early authentication checks before parsing.
+     * valid authentication credentials (gateway headers or JWT token).
      *
-     * When authentication is disabled (DIGITALTWIN_DISABLE_AUTH=true),
-     * this always returns true to allow all requests through.
+     * When authentication is disabled, this always returns true.
      *
      * @param headers - HTTP request headers
-     * @returns true if x-user-id header is present or auth is disabled, false otherwise
+     * @returns true if authentication is valid or disabled, false otherwise
      *
      * @example
      * ```typescript
-     * // Early authentication check in handler
      * if (!ApisixAuthParser.hasValidAuth(req.headers)) {
      *   return { status: 401, content: 'Authentication required' }
      * }
-     *
-     * // Now safe to proceed with parsing
-     * const authUser = ApisixAuthParser.parseAuthHeaders(req.headers)
      * ```
      */
     static hasValidAuth(headers) {
-        // If authentication is disabled, all requests are valid
-        if (AuthConfig.isAuthDisabled()) {
-            return true;
-        }
-        return !!headers['x-user-id'];
+        return this.getProvider().hasValidAuth(this.toAuthRequest(headers));
     }
     /**
      * Extracts just the user ID from headers.
      *
-     * Convenience method for cases where you only need the user ID
-     * without parsing the full authentication context.
-     *
-     * When authentication is disabled, returns the configured anonymous user ID.
+     * Convenience method for cases where you only need the user ID.
      *
      * @param headers - HTTP request headers
-     * @returns Keycloak user ID, anonymous user ID if auth disabled, or null if not present
+     * @returns User ID, or null if not authenticated
      *
      * @example
      * ```typescript
@@ -120,22 +122,13 @@ export class ApisixAuthParser {
      * ```
      */
     static getUserId(headers) {
-        // If authentication is disabled, return anonymous user ID
-        if (AuthConfig.isAuthDisabled()) {
-            return AuthConfig.getAnonymousUserId();
-        }
-        return headers['x-user-id'] || null;
+        return this.getProvider().getUserId(this.toAuthRequest(headers));
     }
     /**
      * Extracts just the user roles from headers.
      *
-     * Convenience method for cases where you only need the user roles
-     * without parsing the full authentication context.
-     *
-     * When authentication is disabled, returns the anonymous user roles.
-     *
      * @param headers - HTTP request headers
-     * @returns Array of role names, anonymous roles if auth disabled, empty array if no roles header present
+     * @returns Array of role names, empty array if not authenticated
      *
      * @example
      * ```typescript
@@ -146,40 +139,23 @@ export class ApisixAuthParser {
      * ```
      */
     static getUserRoles(headers) {
-        // If authentication is disabled, return anonymous user roles
-        if (AuthConfig.isAuthDisabled()) {
-            return AuthConfig.getAnonymousUser().roles;
-        }
-        const rolesString = headers['x-user-roles'] || '';
-        return rolesString ? rolesString.split(',').map(role => role.trim()) : [];
+        return this.getProvider().getUserRoles(this.toAuthRequest(headers));
     }
     /**
      * Checks if a user has the admin role.
      *
-     * Determines if the authenticated user has administrative privileges by checking
-     * if their roles include the configured admin role name (default: "admin").
-     *
-     * The admin role name can be configured via DIGITALTWIN_ADMIN_ROLE_NAME environment variable.
-     *
      * @param headers - HTTP request headers
      * @returns true if user has admin role, false otherwise
      *
      * @example
      * ```typescript
      * if (ApisixAuthParser.isAdmin(req.headers)) {
-     *   // User has full administrative access
-     *   // Can view all assets including private assets owned by others
-     *   console.log('Admin user detected')
+     *   // Admin-only logic
      * }
-     *
-     * // With custom admin role name (DIGITALTWIN_ADMIN_ROLE_NAME=administrator)
-     * const isAdmin = ApisixAuthParser.isAdmin(req.headers)
      * ```
      */
     static isAdmin(headers) {
-        const roles = this.getUserRoles(headers);
-        const adminRoleName = AuthConfig.getAdminRoleName();
-        return roles.includes(adminRoleName);
+        return this.getProvider().isAdmin(this.toAuthRequest(headers));
     }
 }
 //# sourceMappingURL=apisix_parser.js.map

package/dist/auth/apisix_parser.js.map

@@ -1 +1 @@
-{"version":3,"file":"apisix_parser.js","sourceRoot":"","sources":["../../src/auth/apisix_parser.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,OAAO,gBAAgB;IACzB;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAA+B;QACnD,uDAAuD;QACvD,IAAI,UAAU,CAAC,cAAc,EAAE,EAAE,CAAC;YAC9B,OAAO,UAAU,CAAC,gBAAgB,EAAE,CAAA;QACxC,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAAA;QACnC,IAAI,CAAC,MAAM,EAAE,CAAC;YACV,OAAO,IAAI,CAAA;QACf,CAAC;QAED,0CAA0C;QAC1C,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAA;QACjD,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;QAEhF,OAAO;YACH,EAAE,EAAE,MAAM;YACV,KAAK,EAAE,KAAK;SACf,CAAA;IACL,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,MAAM,CAAC,YAAY,CAAC,OAA+B;QAC/C,wDAAwD;QACxD,IAAI,UAAU,CAAC,cAAc,EAAE,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAA;QACf,CAAC;QAED,OAAO,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;IACjC,CAAC;IAED;;;;;;;;;;;;;;;;;;OAkBG;IACH,MAAM,CAAC,SAAS,CAAC,OAA+B;QAC5C,0DAA0D;QAC1D,IAAI,UAAU,CAAC,cAAc,EAAE,EAAE,CAAC;YAC9B,OAAO,UAAU,CAAC,kBAAkB,EAAE,CAAA;QAC1C,CAAC;QAED,OAAO,OAAO,CAAC,WAAW,CAAC,IAAI,IAAI,CAAA;IACvC,CAAC;IAED;;;;;;;;;;;;;;;;;;OAkBG;IACH,MAAM,CAAC,YAAY,CAAC,OAA+B;QAC/C,6DAA6D;QAC7D,IAAI,UAAU,CAAC,cAAc,EAAE,EAAE,CAAC;YAC9B,OAAO,UAAU,CAAC,gBAAgB,EAAE,CAAC,KAAK,CAAA;QAC9C,CAAC;QAED,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAA;QACjD,OAAO,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAC7E,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,MAAM,CAAC,OAAO,CAAC,OAA+B;QAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAA;QACxC,MAAM,aAAa,GAAG,UAAU,CAAC,gBAAgB,EAAE,CAAA;QACnD,OAAO,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAA;IACxC,CAAC;CACJ"}
+{"version":3,"file":"apisix_parser.js","sourceRoot":"","sources":["../../src/auth/apisix_parser.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAEhE;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,OAAO,gBAAgB;aACV,cAAS,GAAwB,IAAI,CAAA;IAEpD;;;OAGG;IACK,MAAM,CAAC,WAAW;QACtB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAClB,IAAI,CAAC,SAAS,GAAG,mBAAmB,CAAC,OAAO,EAAE,CAAA;QAClD,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAA;IACzB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,cAAc;QACjB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAA;IACzB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,YAAY,CAAC,QAAsB;QACtC,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAA;IAC7B,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,aAAa,CAAC,OAA+B;QACxD,OAAO,EAAE,OAAO,EAAE,CAAA;IACtB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAA+B;QACnD,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IACvE,CAAC;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,CAAC,YAAY,CAAC,OAA+B;QAC/C,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IACvE,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,MAAM,CAAC,SAAS,CAAC,OAA+B;QAC5C,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IACpE,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,YAAY,CAAC,OAA+B;QAC/C,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IACvE,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,OAAO,CAAC,OAA+B;QAC1C,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IAClE,CAAC"}