digitaltwin-core 0.14.3 → 1.0.1

package/dist/auth/apisix_parser.js

@@ -1,16 +1,18 @@
-import { AuthConfig } from './auth_config.js';
+import { AuthProviderFactory } from './auth_provider_factory.js';
 /**
  * Parses authentication information from Apache APISIX headers set after Keycloak authentication.
  *
- * This class handles the parsing of authentication headers forwarded by Apache APISIX
- * after successful Keycloak authentication. APISIX acts as a gateway that:
- * 1. Validates JWT tokens with Keycloak
- * 2. Extracts user information from the token
- * 3. Forwards user data as HTTP headers to downstream services
+ * This class provides a static API for backward compatibility while internally using
+ * the AuthProvider system. It automatically handles:
+ * - Gateway mode (x-user-id, x-user-roles headers)
+ * - JWT mode (Authorization: Bearer token)
+ * - No-auth mode (DIGITALTWIN_DISABLE_AUTH=true)
  *
- * Authentication can be disabled via environment variables for development/testing:
- * - Set DIGITALTWIN_DISABLE_AUTH=true to bypass authentication checks
- * - Set DIGITALTWIN_ANONYMOUS_USER_ID=custom-id to use a custom anonymous user ID
+ * For new code, consider using AuthProviderFactory directly:
+ * ```typescript
+ * const authProvider = AuthProviderFactory.fromEnv()
+ * const user = authProvider.parseRequest(req)
+ * ```
  *
  * @example
  * ```typescript
@@ -24,18 +26,59 @@ import { AuthConfig } from './auth_config.js';
  * ```
  */
 export class ApisixAuthParser {
+    static { this._provider = null; }
+    /**
+     * Get the authentication provider instance.
+     * Creates it on first use based on environment configuration.
+     */
+    static getProvider() {
+        if (!this._provider) {
+            this._provider = AuthProviderFactory.fromEnv();
+        }
+        return this._provider;
+    }
+    /**
+     * Reset the provider instance (useful for testing).
+     * @internal
+     */
+    static _resetProvider() {
+        this._provider = null;
+    }
+    /**
+     * Set a custom provider (useful for testing).
+     * @internal
+     */
+    static _setProvider(provider) {
+        this._provider = provider;
+    }
+    /**
+     * Create a request-like object from headers for the AuthProvider.
+     * Normalizes headers by taking only the first value for array headers.
+     */
+    static toAuthRequest(headers) {
+        const normalizedHeaders = {};
+        for (const [key, value] of Object.entries(headers)) {
+            if (typeof value === 'string') {
+                normalizedHeaders[key] = value;
+            }
+            else if (Array.isArray(value) && value.length > 0) {
+                normalizedHeaders[key] = value[0];
+            }
+        }
+        return { headers: normalizedHeaders };
+    }
     /**
-     * Extracts user information from APISIX headers.
+     * Extracts user information from authentication headers.
      *
-     * Parses the authentication headers forwarded by APISIX:
-     * - `x-user-id`: Keycloak user UUID (required)
-     * - `x-user-roles`: Comma-separated list of user roles (optional)
+     * Parses the authentication headers (gateway mode) or JWT token (jwt mode):
+     * - Gateway: `x-user-id` and `x-user-roles` headers
+     * - JWT: `Authorization: Bearer <token>` header
      *
      * When authentication is disabled (DIGITALTWIN_DISABLE_AUTH=true),
-     * returns a default anonymous user instead of requiring headers.
+     * returns a default anonymous user.
      *
-     * @param headers - HTTP request headers from APISIX
-     * @returns Parsed user authentication data, or null if x-user-id is missing and auth is enabled
+     * @param headers - HTTP request headers
+     * @returns Parsed user authentication data, or null if not authenticated
      *
      * @example
      * ```typescript
@@ -46,70 +89,39 @@ export class ApisixAuthParser {
      *
      * const authUser = ApisixAuthParser.parseAuthHeaders(headers)
      * // Returns: { id: '6e06a527...', roles: ['default-roles-master', 'offline_access'] }
-     *
-     * // With DIGITALTWIN_DISABLE_AUTH=true
-     * const authUser = ApisixAuthParser.parseAuthHeaders({})
-     * // Returns: { id: 'anonymous', roles: ['anonymous'] }
      * ```
      */
     static parseAuthHeaders(headers) {
-        // If authentication is disabled, return anonymous user
-        if (AuthConfig.isAuthDisabled()) {
-            return AuthConfig.getAnonymousUser();
-        }
-        const userId = headers['x-user-id'];
-        if (!userId) {
-            return null;
-        }
-        // Parse roles from comma-separated string
-        const rolesString = headers['x-user-roles'] || '';
-        const roles = rolesString ? rolesString.split(',').map(role => role.trim()) : [];
-        return {
-            id: userId,
-            roles: roles
-        };
+        return this.getProvider().parseRequest(this.toAuthRequest(headers));
     }
     /**
-     * Checks if a request has valid authentication headers.
+     * Checks if a request has valid authentication.
      *
      * Performs a quick validation to determine if the request contains
-     * the minimum required authentication information (x-user-id header).
-     * Use this for early authentication checks before parsing.
+     * valid authentication credentials (gateway headers or JWT token).
      *
-     * When authentication is disabled (DIGITALTWIN_DISABLE_AUTH=true),
-     * this always returns true to allow all requests through.
+     * When authentication is disabled, this always returns true.
      *
      * @param headers - HTTP request headers
-     * @returns true if x-user-id header is present or auth is disabled, false otherwise
+     * @returns true if authentication is valid or disabled, false otherwise
      *
      * @example
      * ```typescript
-     * // Early authentication check in handler
      * if (!ApisixAuthParser.hasValidAuth(req.headers)) {
      *   return { status: 401, content: 'Authentication required' }
      * }
-     *
-     * // Now safe to proceed with parsing
-     * const authUser = ApisixAuthParser.parseAuthHeaders(req.headers)
      * ```
      */
     static hasValidAuth(headers) {
-        // If authentication is disabled, all requests are valid
-        if (AuthConfig.isAuthDisabled()) {
-            return true;
-        }
-        return !!headers['x-user-id'];
+        return this.getProvider().hasValidAuth(this.toAuthRequest(headers));
     }
     /**
      * Extracts just the user ID from headers.
      *
-     * Convenience method for cases where you only need the user ID
-     * without parsing the full authentication context.
-     *
-     * When authentication is disabled, returns the configured anonymous user ID.
+     * Convenience method for cases where you only need the user ID.
      *
      * @param headers - HTTP request headers
-     * @returns Keycloak user ID, anonymous user ID if auth disabled, or null if not present
+     * @returns User ID, or null if not authenticated
      *
      * @example
      * ```typescript
@@ -120,22 +132,13 @@ export class ApisixAuthParser {
      * ```
      */
     static getUserId(headers) {
-        // If authentication is disabled, return anonymous user ID
-        if (AuthConfig.isAuthDisabled()) {
-            return AuthConfig.getAnonymousUserId();
-        }
-        return headers['x-user-id'] || null;
+        return this.getProvider().getUserId(this.toAuthRequest(headers));
     }
     /**
      * Extracts just the user roles from headers.
      *
-     * Convenience method for cases where you only need the user roles
-     * without parsing the full authentication context.
-     *
-     * When authentication is disabled, returns the anonymous user roles.
-     *
      * @param headers - HTTP request headers
-     * @returns Array of role names, anonymous roles if auth disabled, empty array if no roles header present
+     * @returns Array of role names, empty array if not authenticated
      *
      * @example
      * ```typescript
@@ -146,40 +149,23 @@ export class ApisixAuthParser {
      * ```
      */
     static getUserRoles(headers) {
-        // If authentication is disabled, return anonymous user roles
-        if (AuthConfig.isAuthDisabled()) {
-            return AuthConfig.getAnonymousUser().roles;
-        }
-        const rolesString = headers['x-user-roles'] || '';
-        return rolesString ? rolesString.split(',').map(role => role.trim()) : [];
+        return this.getProvider().getUserRoles(this.toAuthRequest(headers));
     }
     /**
      * Checks if a user has the admin role.
      *
-     * Determines if the authenticated user has administrative privileges by checking
-     * if their roles include the configured admin role name (default: "admin").
-     *
-     * The admin role name can be configured via DIGITALTWIN_ADMIN_ROLE_NAME environment variable.
-     *
      * @param headers - HTTP request headers
      * @returns true if user has admin role, false otherwise
      *
      * @example
      * ```typescript
      * if (ApisixAuthParser.isAdmin(req.headers)) {
-     *   // User has full administrative access
-     *   // Can view all assets including private assets owned by others
-     *   console.log('Admin user detected')
+     *   // Admin-only logic
      * }
-     *
-     * // With custom admin role name (DIGITALTWIN_ADMIN_ROLE_NAME=administrator)
-     * const isAdmin = ApisixAuthParser.isAdmin(req.headers)
      * ```
      */
     static isAdmin(headers) {
-        const roles = this.getUserRoles(headers);
-        const adminRoleName = AuthConfig.getAdminRoleName();
-        return roles.includes(adminRoleName);
+        return this.getProvider().isAdmin(this.toAuthRequest(headers));
     }
 }
 //# sourceMappingURL=apisix_parser.js.map

package/dist/auth/apisix_parser.js.map

@@ -1 +1 @@
-{"version":3,"file":"apisix_parser.js","sourceRoot":"","sources":["../../src/auth/apisix_parser.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,OAAO,gBAAgB;IACzB;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAA+B;QACnD,uDAAuD;QACvD,IAAI,UAAU,CAAC,cAAc,EAAE,EAAE,CAAC;YAC9B,OAAO,UAAU,CAAC,gBAAgB,EAAE,CAAA;QACxC,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAAA;QACnC,IAAI,CAAC,MAAM,EAAE,CAAC;YACV,OAAO,IAAI,CAAA;QACf,CAAC;QAED,0CAA0C;QAC1C,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAA;QACjD,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;QAEhF,OAAO;YACH,EAAE,EAAE,MAAM;YACV,KAAK,EAAE,KAAK;SACf,CAAA;IACL,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,MAAM,CAAC,YAAY,CAAC,OAA+B;QAC/C,wDAAwD;QACxD,IAAI,UAAU,CAAC,cAAc,EAAE,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAA;QACf,CAAC;QAED,OAAO,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;IACjC,CAAC;IAED;;;;;;;;;;;;;;;;;;OAkBG;IACH,MAAM,CAAC,SAAS,CAAC,OAA+B;QAC5C,0DAA0D;QAC1D,IAAI,UAAU,CAAC,cAAc,EAAE,EAAE,CAAC;YAC9B,OAAO,UAAU,CAAC,kBAAkB,EAAE,CAAA;QAC1C,CAAC;QAED,OAAO,OAAO,CAAC,WAAW,CAAC,IAAI,IAAI,CAAA;IACvC,CAAC;IAED;;;;;;;;;;;;;;;;;;OAkBG;IACH,MAAM,CAAC,YAAY,CAAC,OAA+B;QAC/C,6DAA6D;QAC7D,IAAI,UAAU,CAAC,cAAc,EAAE,EAAE,CAAC;YAC9B,OAAO,UAAU,CAAC,gBAAgB,EAAE,CAAC,KAAK,CAAA;QAC9C,CAAC;QAED,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAA;QACjD,OAAO,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAC7E,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,MAAM,CAAC,OAAO,CAAC,OAA+B;QAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAA;QACxC,MAAM,aAAa,GAAG,UAAU,CAAC,gBAAgB,EAAE,CAAA;QACnD,OAAO,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAA;IACxC,CAAC;CACJ"}
+{"version":3,"file":"apisix_parser.js","sourceRoot":"","sources":["../../src/auth/apisix_parser.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAOhE;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,OAAO,gBAAgB;aACV,cAAS,GAAwB,IAAI,CAAA;IAEpD;;;OAGG;IACK,MAAM,CAAC,WAAW;QACtB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAClB,IAAI,CAAC,SAAS,GAAG,mBAAmB,CAAC,OAAO,EAAE,CAAA;QAClD,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAA;IACzB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,cAAc;QACjB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAA;IACzB,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,YAAY,CAAC,QAAsB;QACtC,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAA;IAC7B,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,aAAa,CAAC,OAAoB;QAC7C,MAAM,iBAAiB,GAA2B,EAAE,CAAA;QACpD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACjD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC5B,iBAAiB,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;YAClC,CAAC;iBAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,iBAAiB,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YACrC,CAAC;QACL,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAA;IACzC,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAAoB;QACxC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IACvE,CAAC;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,CAAC,YAAY,CAAC,OAAoB;QACpC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IACvE,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,MAAM,CAAC,SAAS,CAAC,OAAoB;QACjC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IACpE,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,YAAY,CAAC,OAAoB;QACpC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IACvE,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,OAAO,CAAC,OAAoB;QAC/B,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;IAClE,CAAC"}

package/dist/auth/auth_provider.d.ts

@@ -0,0 +1,118 @@
+/**
+ * @fileoverview Authentication provider interface and types for the Digital Twin framework.
+ *
+ * This module defines the contract for authentication providers, allowing the framework
+ * to support multiple authentication mechanisms (gateway headers, JWT tokens, etc.).
+ */
+import type { AuthenticatedUser } from './types.js';
+/**
+ * Authentication mode for the Digital Twin framework.
+ *
+ * - `gateway`: Parse authentication from gateway headers (x-user-id, x-user-roles)
+ * - `jwt`: Validate JWT tokens from Authorization header
+ * - `none`: Disable authentication (development/testing only)
+ */
+export type AuthMode = 'gateway' | 'jwt' | 'none';
+/**
+ * JWT-specific configuration options.
+ */
+export interface JwtConfig {
+    /** Secret key for HMAC algorithms (HS256, HS384, HS512) */
+    secret?: string;
+    /** Public key for RSA/EC algorithms (RS256, RS384, RS512, ES256, ES384, ES512) */
+    publicKey?: string;
+    /** JWT algorithm (default: 'HS256') */
+    algorithm?: string;
+    /** Expected token issuer for validation */
+    issuer?: string;
+    /** Expected token audience for validation */
+    audience?: string;
+    /** Claim name for user ID (default: 'sub') */
+    userIdClaim?: string;
+    /** Claim name for roles (default: 'roles', supports nested paths like 'realm_access.roles') */
+    rolesClaim?: string;
+}
+/**
+ * Authentication configuration for the Digital Twin framework.
+ */
+export interface AuthProviderConfig {
+    /** Authentication mode */
+    mode: AuthMode;
+    /** Name of the admin role (default: 'admin') */
+    adminRoleName?: string;
+    /** JWT-specific configuration (required when mode is 'jwt') */
+    jwt?: JwtConfig;
+    /** Anonymous user ID for 'none' mode (default: 'anonymous') */
+    anonymousUserId?: string;
+}
+/**
+ * Request-like object for authentication parsing.
+ *
+ * This interface allows the auth provider to work with any request object
+ * that has headers, without requiring a full Express Request.
+ */
+export interface AuthRequest {
+    /** Request headers */
+    headers: Record<string, string | string[] | undefined>;
+}
+/**
+ * Authentication provider interface.
+ *
+ * Implement this interface to create custom authentication mechanisms.
+ * The framework provides three built-in providers:
+ * - GatewayAuthProvider: For API gateway authentication (Apache APISIX, KrakenD)
+ * - JwtAuthProvider: For direct JWT token validation
+ * - NoAuthProvider: For development/testing without authentication
+ *
+ * @example
+ * ```typescript
+ * // Using the factory (recommended)
+ * const provider = AuthProviderFactory.fromEnv()
+ *
+ * // In a handler
+ * const user = provider.parseRequest(req)
+ * if (!user) {
+ *     return { status: 401, content: 'Authentication required' }
+ * }
+ * ```
+ */
+export interface AuthProvider {
+    /**
+     * Parse the request and return the authenticated user.
+     *
+     * @param req - Request object with headers
+     * @returns Authenticated user, or null if not authenticated or invalid
+     */
+    parseRequest(req: AuthRequest): AuthenticatedUser | null;
+    /**
+     * Check if the request has valid authentication.
+     *
+     * This is a quick check that can be used before full parsing.
+     *
+     * @param req - Request object with headers
+     * @returns true if the request has valid authentication credentials
+     */
+    hasValidAuth(req: AuthRequest): boolean;
+    /**
+     * Check if the authenticated user has admin privileges.
+     *
+     * @param req - Request object with headers
+     * @returns true if the user has the admin role
+     */
+    isAdmin(req: AuthRequest): boolean;
+    /**
+     * Get the user ID from the request.
+     *
+     * @param req - Request object with headers
+     * @returns User ID, or null if not authenticated
+     */
+    getUserId(req: AuthRequest): string | null;
+    /**
+     * Get the user roles from the request.
+     *
+     * @param req - Request object with headers
+     * @returns Array of role names, empty array if not authenticated
+     */
+    getUserRoles(req: AuthRequest): string[];
+}
+//# sourceMappingURL=auth_provider.d.ts.map

package/dist/auth/auth_provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth_provider.d.ts","sourceRoot":"","sources":["../../src/auth/auth_provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAA;AAEnD;;;;;;GAMG;AACH,MAAM,MAAM,QAAQ,GAAG,SAAS,GAAG,KAAK,GAAG,MAAM,CAAA;AAEjD;;GAEG;AACH,MAAM,WAAW,SAAS;IACtB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,kFAAkF;IAClF,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,uCAAuC;IACvC,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,2CAA2C;IAC3C,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,+FAA+F;IAC/F,UAAU,CAAC,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAC/B,0BAA0B;IAC1B,IAAI,EAAE,QAAQ,CAAA;IACd,gDAAgD;IAChD,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,+DAA+D;IAC/D,GAAG,CAAC,EAAE,SAAS,CAAA;IACf,+DAA+D;IAC/D,eAAe,CAAC,EAAE,MAAM,CAAA;CAC3B;AAED;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IACxB,sBAAsB;IACtB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAA;CACzD;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,WAAW,YAAY;IACzB;;;;;OAKG;IACH,YAAY,CAAC,GAAG,EAAE,WAAW,GAAG,iBAAiB,GAAG,IAAI,CAAA;IAExD;;;;;;;OAOG;IACH,YAAY,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAA;IAEvC;;;;;OAKG;IACH,OAAO,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAA;IAElC;;;;;OAKG;IACH,SAAS,CAAC,GAAG,EAAE,WAAW,GAAG,MAAM,GAAG,IAAI,CAAA;IAE1C;;;;;OAKG;IACH,YAAY,CAAC,GAAG,EAAE,WAAW,GAAG,MAAM,EAAE,CAAA;CAC3C"}

package/dist/auth/auth_provider.js

@@ -0,0 +1,8 @@
+/**
+ * @fileoverview Authentication provider interface and types for the Digital Twin framework.
+ *
+ * This module defines the contract for authentication providers, allowing the framework
+ * to support multiple authentication mechanisms (gateway headers, JWT tokens, etc.).
+ */
+export {};
+//# sourceMappingURL=auth_provider.js.map

package/dist/auth/auth_provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth_provider.js","sourceRoot":"","sources":["../../src/auth/auth_provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG"}

package/dist/auth/auth_provider_factory.d.ts

@@ -0,0 +1,91 @@
+/**
+ * @fileoverview Factory for creating authentication providers.
+ *
+ * This module provides a factory for creating the appropriate authentication
+ * provider based on configuration or environment variables.
+ */
+import type { AuthProvider, AuthProviderConfig } from './auth_provider.js';
+/**
+ * Factory for creating authentication providers.
+ *
+ * Use this factory to create the appropriate authentication provider based on
+ * configuration or environment variables.
+ *
+ * @example
+ * ```typescript
+ * // Create from environment variables (recommended)
+ * const provider = AuthProviderFactory.fromEnv()
+ *
+ * // Create from explicit configuration
+ * const provider = AuthProviderFactory.create({
+ *     mode: 'jwt',
+ *     jwt: { secret: 'your-secret' }
+ * })
+ * ```
+ */
+export declare class AuthProviderFactory {
+    /**
+     * Create an authentication provider from explicit configuration.
+     *
+     * @param config - Authentication configuration
+     * @returns Configured authentication provider
+     * @throws Error if configuration is invalid
+     *
+     * @example
+     * ```typescript
+     * // Gateway mode (default)
+     * const provider = AuthProviderFactory.create({ mode: 'gateway' })
+     *
+     * // JWT mode
+     * const provider = AuthProviderFactory.create({
+     *     mode: 'jwt',
+     *     jwt: { secret: 'your-secret', algorithm: 'HS256' }
+     * })
+     *
+     * // No auth mode (development only)
+     * const provider = AuthProviderFactory.create({ mode: 'none' })
+     * ```
+     */
+    static create(config: AuthProviderConfig): AuthProvider;
+    /**
+     * Create an authentication provider from environment variables.
+     *
+     * Environment variables:
+     * - `AUTH_MODE`: Authentication mode ('gateway', 'jwt', 'none'). Default: 'gateway'
+     * - `AUTH_ADMIN_ROLE`: Name of admin role. Default: 'admin'
+     *
+     * For JWT mode:
+     * - `JWT_SECRET`: Secret key for HMAC algorithms
+     * - `JWT_PUBLIC_KEY`: Public key content for RSA/EC algorithms
+     * - `JWT_PUBLIC_KEY_FILE`: Path to public key file
+     * - `JWT_ALGORITHM`: Algorithm (default: 'HS256')
+     * - `JWT_ISSUER`: Expected token issuer
+     * - `JWT_AUDIENCE`: Expected token audience
+     * - `JWT_USER_ID_CLAIM`: Claim for user ID (default: 'sub')
+     * - `JWT_ROLES_CLAIM`: Claim for roles (default: 'roles')
+     *
+     * For no-auth mode:
+     * - `DIGITALTWIN_DISABLE_AUTH`: Set to 'true' to disable auth
+     * - `DIGITALTWIN_ANONYMOUS_USER_ID`: Anonymous user ID (default: 'anonymous')
+     *
+     * @returns Configured authentication provider
+     *
+     * @example
+     * ```typescript
+     * // Gateway mode (default, no env vars needed)
+     * // AUTH_MODE=gateway or not set
+     * const provider = AuthProviderFactory.fromEnv()
+     *
+     * // JWT mode
+     * // AUTH_MODE=jwt
+     * // JWT_SECRET=your-secret
+     * const provider = AuthProviderFactory.fromEnv()
+     *
+     * // Disable auth for development
+     * // DIGITALTWIN_DISABLE_AUTH=true
+     * const provider = AuthProviderFactory.fromEnv()
+     * ```
+     */
+    static fromEnv(): AuthProvider;
+}
+//# sourceMappingURL=auth_provider_factory.d.ts.map

package/dist/auth/auth_provider_factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth_provider_factory.d.ts","sourceRoot":"","sources":["../../src/auth/auth_provider_factory.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,kBAAkB,EAAY,MAAM,oBAAoB,CAAA;AAKpF;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,mBAAmB;IAC5B;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,kBAAkB,GAAG,YAAY;IAgBvD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAsCG;IACH,MAAM,CAAC,OAAO,IAAI,YAAY;CAkDjC"}

package/dist/auth/auth_provider_factory.js

@@ -0,0 +1,146 @@
+/**
+ * @fileoverview Factory for creating authentication providers.
+ *
+ * This module provides a factory for creating the appropriate authentication
+ * provider based on configuration or environment variables.
+ */
+import * as fs from 'fs';
+import { GatewayAuthProvider } from './providers/gateway_auth_provider.js';
+import { JwtAuthProvider } from './providers/jwt_auth_provider.js';
+import { NoAuthProvider } from './providers/no_auth_provider.js';
+/**
+ * Factory for creating authentication providers.
+ *
+ * Use this factory to create the appropriate authentication provider based on
+ * configuration or environment variables.
+ *
+ * @example
+ * ```typescript
+ * // Create from environment variables (recommended)
+ * const provider = AuthProviderFactory.fromEnv()
+ *
+ * // Create from explicit configuration
+ * const provider = AuthProviderFactory.create({
+ *     mode: 'jwt',
+ *     jwt: { secret: 'your-secret' }
+ * })
+ * ```
+ */
+export class AuthProviderFactory {
+    /**
+     * Create an authentication provider from explicit configuration.
+     *
+     * @param config - Authentication configuration
+     * @returns Configured authentication provider
+     * @throws Error if configuration is invalid
+     *
+     * @example
+     * ```typescript
+     * // Gateway mode (default)
+     * const provider = AuthProviderFactory.create({ mode: 'gateway' })
+     *
+     * // JWT mode
+     * const provider = AuthProviderFactory.create({
+     *     mode: 'jwt',
+     *     jwt: { secret: 'your-secret', algorithm: 'HS256' }
+     * })
+     *
+     * // No auth mode (development only)
+     * const provider = AuthProviderFactory.create({ mode: 'none' })
+     * ```
+     */
+    static create(config) {
+        switch (config.mode) {
+            case 'gateway':
+                return new GatewayAuthProvider(config.adminRoleName);
+            case 'jwt':
+                return new JwtAuthProvider(config);
+            case 'none':
+                return new NoAuthProvider(config.anonymousUserId);
+            default:
+                throw new Error(`Unknown auth mode: ${config.mode}`);
+        }
+    }
+    /**
+     * Create an authentication provider from environment variables.
+     *
+     * Environment variables:
+     * - `AUTH_MODE`: Authentication mode ('gateway', 'jwt', 'none'). Default: 'gateway'
+     * - `AUTH_ADMIN_ROLE`: Name of admin role. Default: 'admin'
+     *
+     * For JWT mode:
+     * - `JWT_SECRET`: Secret key for HMAC algorithms
+     * - `JWT_PUBLIC_KEY`: Public key content for RSA/EC algorithms
+     * - `JWT_PUBLIC_KEY_FILE`: Path to public key file
+     * - `JWT_ALGORITHM`: Algorithm (default: 'HS256')
+     * - `JWT_ISSUER`: Expected token issuer
+     * - `JWT_AUDIENCE`: Expected token audience
+     * - `JWT_USER_ID_CLAIM`: Claim for user ID (default: 'sub')
+     * - `JWT_ROLES_CLAIM`: Claim for roles (default: 'roles')
+     *
+     * For no-auth mode:
+     * - `DIGITALTWIN_DISABLE_AUTH`: Set to 'true' to disable auth
+     * - `DIGITALTWIN_ANONYMOUS_USER_ID`: Anonymous user ID (default: 'anonymous')
+     *
+     * @returns Configured authentication provider
+     *
+     * @example
+     * ```typescript
+     * // Gateway mode (default, no env vars needed)
+     * // AUTH_MODE=gateway or not set
+     * const provider = AuthProviderFactory.fromEnv()
+     *
+     * // JWT mode
+     * // AUTH_MODE=jwt
+     * // JWT_SECRET=your-secret
+     * const provider = AuthProviderFactory.fromEnv()
+     *
+     * // Disable auth for development
+     * // DIGITALTWIN_DISABLE_AUTH=true
+     * const provider = AuthProviderFactory.fromEnv()
+     * ```
+     */
+    static fromEnv() {
+        const adminRoleName = process.env.AUTH_ADMIN_ROLE || process.env.DIGITALTWIN_ADMIN_ROLE_NAME || 'admin';
+        // Check if auth is disabled (legacy env var)
+        if (process.env.DIGITALTWIN_DISABLE_AUTH === 'true') {
+            return new NoAuthProvider(process.env.DIGITALTWIN_ANONYMOUS_USER_ID || 'anonymous');
+        }
+        const mode = (process.env.AUTH_MODE || 'gateway');
+        if (mode === 'none') {
+            return new NoAuthProvider(process.env.DIGITALTWIN_ANONYMOUS_USER_ID || 'anonymous');
+        }
+        if (mode === 'gateway') {
+            return new GatewayAuthProvider(adminRoleName);
+        }
+        if (mode === 'jwt') {
+            // Load public key from file if specified
+            let publicKey;
+            if (process.env.JWT_PUBLIC_KEY_FILE) {
+                publicKey = fs.readFileSync(process.env.JWT_PUBLIC_KEY_FILE, 'utf-8');
+            }
+            else if (process.env.JWT_PUBLIC_KEY) {
+                publicKey = process.env.JWT_PUBLIC_KEY;
+            }
+            const secret = process.env.JWT_SECRET;
+            if (!secret && !publicKey) {
+                throw new Error('JWT mode requires either JWT_SECRET or JWT_PUBLIC_KEY/JWT_PUBLIC_KEY_FILE');
+            }
+            return new JwtAuthProvider({
+                mode: 'jwt',
+                adminRoleName,
+                jwt: {
+                    secret,
+                    publicKey,
+                    algorithm: process.env.JWT_ALGORITHM || 'HS256',
+                    issuer: process.env.JWT_ISSUER,
+                    audience: process.env.JWT_AUDIENCE,
+                    userIdClaim: process.env.JWT_USER_ID_CLAIM || 'sub',
+                    rolesClaim: process.env.JWT_ROLES_CLAIM || 'roles'
+                }
+            });
+        }
+        throw new Error(`Unknown AUTH_MODE: ${mode}`);
+    }
+}
+//# sourceMappingURL=auth_provider_factory.js.map

package/dist/auth/auth_provider_factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth_provider_factory.js","sourceRoot":"","sources":["../../src/auth/auth_provider_factory.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AAExB,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAA;AAC1E,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAA;AAClE,OAAO,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAA;AAEhE;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,OAAO,mBAAmB;IAC5B;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,MAAM,CAAC,MAAM,CAAC,MAA0B;QACpC,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;YAClB,KAAK,SAAS;gBACV,OAAO,IAAI,mBAAmB,CAAC,MAAM,CAAC,aAAa,CAAC,CAAA;YAExD,KAAK,KAAK;gBACN,OAAO,IAAI,eAAe,CAAC,MAAM,CAAC,CAAA;YAEtC,KAAK,MAAM;gBACP,OAAO,IAAI,cAAc,CAAC,MAAM,CAAC,eAAe,CAAC,CAAA;YAErD;gBACI,MAAM,IAAI,KAAK,CAAC,sBAAsB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;QAC5D,CAAC;IACL,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAsCG;IACH,MAAM,CAAC,OAAO;QACV,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,OAAO,CAAA;QAEvG,6CAA6C;QAC7C,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,KAAK,MAAM,EAAE,CAAC;YAClD,OAAO,IAAI,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,IAAI,WAAW,CAAC,CAAA;QACvF,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,SAAS,CAAa,CAAA;QAE7D,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;YAClB,OAAO,IAAI,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,IAAI,WAAW,CAAC,CAAA;QACvF,CAAC;QAED,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACrB,OAAO,IAAI,mBAAmB,CAAC,aAAa,CAAC,CAAA;QACjD,CAAC;QAED,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;YACjB,yCAAyC;YACzC,IAAI,SAA6B,CAAA;YACjC,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,CAAC;gBAClC,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAAA;YACzE,CAAC;iBAAM,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;gBACpC,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAA;YAC1C,CAAC;YAED,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAA;YAErC,IAAI,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CAAC,2EAA2E,CAAC,CAAA;YAChG,CAAC;YAED,OAAO,IAAI,eAAe,CAAC;gBACvB,IAAI,EAAE,KAAK;gBACX,aAAa;gBACb,GAAG,EAAE;oBACD,MAAM;oBACN,SAAS;oBACT,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO;oBAC/C,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;oBAC9B,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;oBAClC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,KAAK;oBACnD,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,OAAO;iBACrD;aACJ,CAAC,CAAA;QACN,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAA;IACjD,CAAC;CACJ"}

package/dist/auth/index.d.ts

@@ -1,4 +1,7 @@
-export { ApisixAuthParser } from './apisix_parser.js';
+export type { AuthProvider, AuthRequest, AuthMode, AuthProviderConfig, JwtConfig } from './auth_provider.js';
+export { AuthProviderFactory } from './auth_provider_factory.js';
+export { GatewayAuthProvider, JwtAuthProvider, NoAuthProvider } from './providers/index.js';
+export { ApisixAuthParser, type HeadersLike } from './apisix_parser.js';
 export { UserService } from './user_service.js';
 export { AuthConfig } from './auth_config.js';
 export type { AuthenticatedUser, UserRecord, AuthContext, AuthenticatedRequest } from './types.js';

package/dist/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,YAAY,EAAE,iBAAiB,EAAE,UAAU,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AACA,YAAY,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC5G,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAA;AAChE,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAG3F,OAAO,EAAE,gBAAgB,EAAE,KAAK,WAAW,EAAE,MAAM,oBAAoB,CAAA;AACvE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAG7C,YAAY,EAAE,iBAAiB,EAAE,UAAU,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA"}

package/dist/auth/index.js

@@ -1,3 +1,6 @@
+export { AuthProviderFactory } from './auth_provider_factory.js';
+export { GatewayAuthProvider, JwtAuthProvider, NoAuthProvider } from './providers/index.js';
+// Backward-compatible API
 export { ApisixAuthParser } from './apisix_parser.js';
 export { UserService } from './user_service.js';
 export { AuthConfig } from './auth_config.js';