fa-mcp-sdk 0.4.142 → 0.11.2
- package/README.md +5 -0
- package/cli-template/.dockerignore +16 -0
- package/cli-template/.gitlab-ci.yml +135 -0
- package/cli-template/AGENTS.md +1 -0
- package/cli-template/CHANGELOG.md +64 -0
- package/cli-template/FA-MCP-SDK-DOC/00-FA-MCP-SDK-index.md +27 -4
- package/cli-template/FA-MCP-SDK-DOC/02-1-tools-and-api.md +195 -0
- package/cli-template/FA-MCP-SDK-DOC/02-2-prompts-and-resources.md +172 -9
- package/cli-template/FA-MCP-SDK-DOC/03-configuration.md +170 -12
- package/cli-template/FA-MCP-SDK-DOC/04-authentication.md +158 -8
- package/cli-template/FA-MCP-SDK-DOC/06-utilities.md +67 -6
- package/cli-template/FA-MCP-SDK-DOC/07-testing-and-operations.md +31 -15
- package/cli-template/FA-MCP-SDK-DOC/10-mcp-apps.md +1 -1
- package/cli-template/FA-MCP-SDK-DOC/11-public-contract.md +342 -0
- package/cli-template/README.md +37 -0
- package/cli-template/deploy/docker/.env.example +10 -0
- package/cli-template/deploy/docker/Dockerfile +44 -0
- package/cli-template/deploy/docker/Dockerfile.local +29 -0
- package/cli-template/deploy/docker/README.md +94 -0
- package/cli-template/deploy/docker/config/local.docker.yaml +14 -0
- package/cli-template/deploy/docker/docker-compose.yml +31 -0
- package/cli-template/deploy/gitlab-runner/.env.example +16 -0
- package/cli-template/deploy/gitlab-runner/README.md +65 -0
- package/cli-template/deploy/gitlab-runner/config/config.toml.template +26 -0
- package/cli-template/deploy/gitlab-runner/docker-compose.yml +39 -0
- package/cli-template/deploy/gitlab-runner/entrypoint.sh +27 -0
- package/cli-template/deploy/gitlab-runner/start.sh +47 -0
- package/cli-template/gitignore +96 -95
- package/cli-template/package.json +1 -1
- package/config/_local.yaml +73 -11
- package/config/custom-environment-variables.yaml +102 -0
- package/config/default.yaml +164 -11
- package/config/local.yaml +20 -19
- package/dist/core/_types_/config.d.ts +119 -0
- package/dist/core/_types_/config.d.ts.map +1 -1
- package/dist/core/_types_/types.d.ts +137 -4
- package/dist/core/_types_/types.d.ts.map +1 -1
- package/dist/core/agent-tester/agent-tester-router.d.ts.map +1 -1
- package/dist/core/agent-tester/agent-tester-router.js +25 -11
- package/dist/core/agent-tester/agent-tester-router.js.map +1 -1
- package/dist/core/agent-tester/services/TesterMcpClientService.d.ts.map +1 -1
- package/dist/core/agent-tester/services/TesterMcpClientService.js +6 -4
- package/dist/core/agent-tester/services/TesterMcpClientService.js.map +1 -1
- package/dist/core/auth/admin-auth.js +4 -4
- package/dist/core/auth/admin-auth.js.map +1 -1
- package/dist/core/auth/agent-tester-auth.d.ts +1 -1
- package/dist/core/auth/agent-tester-auth.d.ts.map +1 -1
- package/dist/core/auth/agent-tester-auth.js +8 -4
- package/dist/core/auth/agent-tester-auth.js.map +1 -1
- package/dist/core/auth/auth-profile.d.ts +38 -0
- package/dist/core/auth/auth-profile.d.ts.map +1 -0
- package/dist/core/auth/auth-profile.js +101 -0
- package/dist/core/auth/auth-profile.js.map +1 -0
- package/dist/core/auth/jwt-v2.d.ts +27 -0
- package/dist/core/auth/jwt-v2.d.ts.map +1 -0
- package/dist/core/auth/jwt-v2.js +180 -0
- package/dist/core/auth/jwt-v2.js.map +1 -0
- package/dist/core/auth/jwt.d.ts +27 -13
- package/dist/core/auth/jwt.d.ts.map +1 -1
- package/dist/core/auth/jwt.js +36 -13
- package/dist/core/auth/jwt.js.map +1 -1
- package/dist/core/auth/key-resolver.d.ts +74 -0
- package/dist/core/auth/key-resolver.d.ts.map +1 -0
- package/dist/core/auth/key-resolver.js +330 -0
- package/dist/core/auth/key-resolver.js.map +1 -0
- package/dist/core/auth/middleware.d.ts.map +1 -1
- package/dist/core/auth/middleware.js +66 -0
- package/dist/core/auth/middleware.js.map +1 -1
- package/dist/core/auth/multi-auth.d.ts +1 -1
- package/dist/core/auth/multi-auth.d.ts.map +1 -1
- package/dist/core/auth/multi-auth.js +7 -7
- package/dist/core/auth/multi-auth.js.map +1 -1
- package/dist/core/auth/token-generator/server.js +4 -4
- package/dist/core/auth/token-generator/server.js.map +1 -1
- package/dist/core/auth/types.d.ts +5 -0
- package/dist/core/auth/types.d.ts.map +1 -1
- package/dist/core/db/pg-db.d.ts +7 -0
- package/dist/core/db/pg-db.d.ts.map +1 -1
- package/dist/core/db/pg-db.js +54 -3
- package/dist/core/db/pg-db.js.map +1 -1
- package/dist/core/errors/BaseMcpError.d.ts +21 -1
- package/dist/core/errors/BaseMcpError.d.ts.map +1 -1
- package/dist/core/errors/BaseMcpError.js +20 -1
- package/dist/core/errors/BaseMcpError.js.map +1 -1
- package/dist/core/errors/ValidationError.d.ts +5 -0
- package/dist/core/errors/ValidationError.d.ts.map +1 -1
- package/dist/core/errors/ValidationError.js +6 -1
- package/dist/core/errors/ValidationError.js.map +1 -1
- package/dist/core/errors/errors.d.ts +31 -3
- package/dist/core/errors/errors.d.ts.map +1 -1
- package/dist/core/errors/errors.js +86 -6
- package/dist/core/errors/errors.js.map +1 -1
- package/dist/core/errors/specific-errors.d.ts +54 -0
- package/dist/core/errors/specific-errors.d.ts.map +1 -0
- package/dist/core/errors/specific-errors.js +82 -0
- package/dist/core/errors/specific-errors.js.map +1 -0
- package/dist/core/index.d.ts +10 -2
- package/dist/core/index.d.ts.map +1 -1
- package/dist/core/index.js +9 -1
- package/dist/core/index.js.map +1 -1
- package/dist/core/init-mcp-server.d.ts.map +1 -1
- package/dist/core/init-mcp-server.js +39 -0
- package/dist/core/init-mcp-server.js.map +1 -1
- package/dist/core/mcp/create-mcp-server.d.ts +12 -6
- package/dist/core/mcp/create-mcp-server.d.ts.map +1 -1
- package/dist/core/mcp/create-mcp-server.js +592 -33
- package/dist/core/mcp/create-mcp-server.js.map +1 -1
- package/dist/core/mcp/debug-trace.d.ts +3 -1
- package/dist/core/mcp/debug-trace.d.ts.map +1 -1
- package/dist/core/mcp/debug-trace.js +17 -2
- package/dist/core/mcp/debug-trace.js.map +1 -1
- package/dist/core/mcp/deprecation.d.ts +31 -0
- package/dist/core/mcp/deprecation.d.ts.map +1 -0
- package/dist/core/mcp/deprecation.js +96 -0
- package/dist/core/mcp/deprecation.js.map +1 -0
- package/dist/core/mcp/mcp-logging.d.ts +32 -0
- package/dist/core/mcp/mcp-logging.d.ts.map +1 -0
- package/dist/core/mcp/mcp-logging.js +97 -0
- package/dist/core/mcp/mcp-logging.js.map +1 -0
- package/dist/core/mcp/pagination.d.ts +13 -0
- package/dist/core/mcp/pagination.d.ts.map +1 -0
- package/dist/core/mcp/pagination.js +50 -0
- package/dist/core/mcp/pagination.js.map +1 -0
- package/dist/core/mcp/prompts.d.ts +5 -1
- package/dist/core/mcp/prompts.d.ts.map +1 -1
- package/dist/core/mcp/prompts.js +3 -1
- package/dist/core/mcp/prompts.js.map +1 -1
- package/dist/core/mcp/resources.d.ts +9 -0
- package/dist/core/mcp/resources.d.ts.map +1 -1
- package/dist/core/mcp/resources.js +158 -11
- package/dist/core/mcp/resources.js.map +1 -1
- package/dist/core/mcp/server-stdio.d.ts +7 -1
- package/dist/core/mcp/server-stdio.d.ts.map +1 -1
- package/dist/core/mcp/server-stdio.js +8 -3
- package/dist/core/mcp/server-stdio.js.map +1 -1
- package/dist/core/mcp/task-store.d.ts +97 -0
- package/dist/core/mcp/task-store.d.ts.map +1 -0
- package/dist/core/mcp/task-store.js +175 -0
- package/dist/core/mcp/task-store.js.map +1 -0
- package/dist/core/mcp/tool-limits.d.ts +22 -0
- package/dist/core/mcp/tool-limits.d.ts.map +1 -0
- package/dist/core/mcp/tool-limits.js +115 -0
- package/dist/core/mcp/tool-limits.js.map +1 -0
- package/dist/core/mcp/validate-tool-args.d.ts +16 -0
- package/dist/core/mcp/validate-tool-args.d.ts.map +1 -0
- package/dist/core/mcp/validate-tool-args.js +67 -0
- package/dist/core/mcp/validate-tool-args.js.map +1 -0
- package/dist/core/mcp/validate-tool-names.d.ts +11 -0
- package/dist/core/mcp/validate-tool-names.d.ts.map +1 -0
- package/dist/core/mcp/validate-tool-names.js +23 -0
- package/dist/core/mcp/validate-tool-names.js.map +1 -0
- package/dist/core/metrics/metrics.d.ts +45 -0
- package/dist/core/metrics/metrics.d.ts.map +1 -0
- package/dist/core/metrics/metrics.js +119 -0
- package/dist/core/metrics/metrics.js.map +1 -0
- package/dist/core/utils/mask-sensitive.d.ts +44 -0
- package/dist/core/utils/mask-sensitive.d.ts.map +1 -0
- package/dist/core/utils/mask-sensitive.js +64 -0
- package/dist/core/utils/mask-sensitive.js.map +1 -0
- package/dist/core/utils/testing/McpHttpClient.d.ts +8 -33
- package/dist/core/utils/testing/McpHttpClient.d.ts.map +1 -1
- package/dist/core/utils/testing/McpHttpClient.js +8 -74
- package/dist/core/utils/testing/McpHttpClient.js.map +1 -1
- package/dist/core/utils/testing/McpStreamableHttpClient.d.ts +24 -30
- package/dist/core/utils/testing/McpStreamableHttpClient.d.ts.map +1 -1
- package/dist/core/utils/testing/McpStreamableHttpClient.js +36 -198
- package/dist/core/utils/testing/McpStreamableHttpClient.js.map +1 -1
- package/dist/core/utils/utils.d.ts.map +1 -1
- package/dist/core/utils/utils.js +2 -0
- package/dist/core/utils/utils.js.map +1 -1
- package/dist/core/web/admin-router.js +3 -3
- package/dist/core/web/admin-router.js.map +1 -1
- package/dist/core/web/cors.d.ts +9 -1
- package/dist/core/web/cors.d.ts.map +1 -1
- package/dist/core/web/cors.js +26 -5
- package/dist/core/web/cors.js.map +1 -1
- package/dist/core/web/event-store.d.ts +33 -0
- package/dist/core/web/event-store.d.ts.map +1 -0
- package/dist/core/web/event-store.js +65 -0
- package/dist/core/web/event-store.js.map +1 -0
- package/dist/core/web/oauth-router.d.ts +37 -0
- package/dist/core/web/oauth-router.d.ts.map +1 -0
- package/dist/core/web/oauth-router.js +207 -0
- package/dist/core/web/oauth-router.js.map +1 -0
- package/dist/core/web/request-id.d.ts +44 -0
- package/dist/core/web/request-id.d.ts.map +1 -0
- package/dist/core/web/request-id.js +82 -0
- package/dist/core/web/request-id.js.map +1 -0
- package/dist/core/web/server-http.d.ts.map +1 -1
- package/dist/core/web/server-http.js +322 -182
- package/dist/core/web/server-http.js.map +1 -1
- package/package.json +15 -2
- package/scripts/claude-2-agents-symlink.js +10 -1
- package/scripts/generate-jwt.js +129 -51
- package/src/template/custom-resources.ts +14 -0
- package/src/template/prompts/custom-prompts.ts +4 -0
- package/src/template/tools/handle-tool-call.ts +59 -3
- package/src/template/tools/tools.ts +92 -31
- package/src/tests/mcp/test-http.js +1 -1
- package/src/tests/mcp/test-sse.js +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"admin-auth.js","sourceRoot":"","sources":["../../../src/core/auth/admin-auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,8CAA8C,CAAC;AAC3E,OAAO,EAAE,uBAAuB,EAAE,MAAM,4CAA4C,CAAC;AAErF,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAGtE,MAAM,EAAE,UAAU,EAAE,GAAG,SAAS,CAAC;AACjC,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC;AAE3C;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,GAAG,GAAG,UAAU,EAAE,QAAQ,CAAC;IACjC,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAsB,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,QAAuB;IACrD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,uBAAuB,CAAC,CAAC,CAAC;YAC7B,MAAM,MAAM,GAAG,IAAI,EAAE,qBAAqB,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;gBAC7D,OAAO,wBAAwB,QAAQ,wEAAwE,CAAC;YAClH,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC;YAC1B,IAAI,CAAC,KAAK,EAAE,QAAQ,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;gBACzC,OAAO,wBAAwB,QAAQ,+DAA+D,CAAC;YACzG,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC3B,IAAI,CAAC,GAAG,EAAE,UAAU,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,OAAO,wBAAwB,QAAQ,qEAAqE,CAAC;YAC/G,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,wBAAwB,QAAQ,kEAAkE,CAAC;YAC5G,CAAC;YACD,MAAM;QACR,CAAC;QAED;YACE,OAAO,gCAAgC,QAAQ,mEAAm
E,CAAC;IACvH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB;IACrC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC,CAAC,iCAAiC;IAChD,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACxC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,KAAK,uBAAuB,IAAI,CAAC,KAAK,UAAU,EAAE,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;aAAM,IAAI,CAAC,KAAK,OAAO,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,mEAAmE;IACrE,CAAC;IACD,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,MAAc,EAAE,YAAqB,EAAE,YAA6B;IACnG,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAE3E,IAAI,MAAM,KAAK,QAAQ,IAAI,YAAY,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9E,OAAO,oHAAoH,OAAO,IAAI,CAAC;IACzI,CAAC;IACD,IAAI,MAAM,KAAK,OAAO,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1D,OAAO,wFAAwF,OAAO,IAAI,CAAC;IAC7G,CAAC;IACD,OAAO,+CAA+C,OAAO,GAAG,CAAC;AACnE,CAAC;AAED;;;GAGG;AACH,
|
|
1
|
+
{"version":3,"file":"admin-auth.js","sourceRoot":"","sources":["../../../src/core/auth/admin-auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,8CAA8C,CAAC;AAC3E,OAAO,EAAE,uBAAuB,EAAE,MAAM,4CAA4C,CAAC;AAErF,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAGtE,MAAM,EAAE,UAAU,EAAE,GAAG,SAAS,CAAC;AACjC,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC;AAE3C;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,GAAG,GAAG,UAAU,EAAE,QAAQ,CAAC;IACjC,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAsB,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,QAAuB;IACrD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,uBAAuB,CAAC,CAAC,CAAC;YAC7B,MAAM,MAAM,GAAG,IAAI,EAAE,qBAAqB,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;gBAC7D,OAAO,wBAAwB,QAAQ,wEAAwE,CAAC;YAClH,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC;YAC1B,IAAI,CAAC,KAAK,EAAE,QAAQ,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;gBACzC,OAAO,wBAAwB,QAAQ,+DAA+D,CAAC;YACzG,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC3B,IAAI,CAAC,GAAG,EAAE,UAAU,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,OAAO,wBAAwB,QAAQ,qEAAqE,CAAC;YAC/G,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,wBAAwB,QAAQ,kEAAkE,CAAC;YAC5G,CAAC;YACD,MAAM;QACR,CAAC;QAED;YACE,OAAO,gCAAgC,QAAQ,mEAAm
E,CAAC;IACvH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB;IACrC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC,CAAC,iCAAiC;IAChD,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACxC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,KAAK,uBAAuB,IAAI,CAAC,KAAK,UAAU,EAAE,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;aAAM,IAAI,CAAC,KAAK,OAAO,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,mEAAmE;IACrE,CAAC;IACD,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,MAAc,EAAE,YAAqB,EAAE,YAA6B;IACnG,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAE3E,IAAI,MAAM,KAAK,QAAQ,IAAI,YAAY,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9E,OAAO,oHAAoH,OAAO,IAAI,CAAC;IACzI,CAAC;IACD,IAAI,MAAM,KAAK,OAAO,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1D,OAAO,wFAAwF,OAAO,IAAI,CAAC;IAC7G,CAAC;IACD,OAAO,+CAA+C,OAAO,GAAG,CAAC;AACnE,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,WAAW,CACxB,QAAuB,EACvB,MAAc,EACd,WAAmB;IAEnB,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,uBAAuB,CAAC,CAAC,CAAC;YAC7B,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,qBAAqB;YACvB,MAAM,MAAM,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;YAChD,OAAO,MAAM,CAAC,WAAW;gBACvB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,WAAW,EAAE;gBAC/C,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC;QACjD,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,iBAAiB;YACnB,OAAO,cAAc,CAAC,WAAW,CAAC,CAAC;QACrC,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,IAAI,C
AAC;YACd,CAAC,CAAC,qBAAqB;YACvB,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;YAC3D,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBACvB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;YACvD,CAAC;YACD,IAAI,MAAM,CAAC,OAAO,EAAE,KAAK,KAAK,WAAW,EAAE,CAAC;gBAC1C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,mEAAmE,EAAE,CAAC;YACxG,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC;QAClG,CAAC;QAED;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAElC,8EAA8E;IAC9E,+EAA+E;IAC/E,kDAAkD;IAClD,IAAI,CAAC,UAAU,EAAE,OAAO,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/C,IAAI,UAAU,EAAE,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QACvE,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QAClD,CAAC;QACD,OAAO;YACL,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;gBAClD,GAAG,CAAC,IAAI,GAAG;oBACT,eAAe,EAAE,KAAK;oBACtB,QAAQ,EAAE,WAAW;oBACrB,MAAM,EAAE,QAAQ;iBACjB,CAAC;gBACF,IAAI,EAAE,CAAC;YACT,CAAC;SACF,CAAC;IACJ,CAAC;IAED,yDAAyD;IACzD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;QAC9C,OAAO,uBAAuB,EAAE,CAAC;IACnC,CAAC;IAED,gFAAgF;IAChF,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC;IAExD,6CAA6C;IAC7C,OAAO;QACL,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YACxD,yEAAyE;YACzE,GAAG,CAAC,IAAI,GAAG;gBACT,eAAe,EAAE,KAAK;gBACtB,QAAQ,EAAE,SAAS;gBACnB,MAAM,EAAE,SAAS;aAClB,CAAC;YAEF,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YAE1E,qDAAqD;YACrD,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;YAC9C,CAAC;YAED,yEAAyE;YACzE,0EAA0E;YAC1E,sEAAsE;YACtE,MAAM,MAAM,GAA2C,EAAE,CAAC;YAC1D,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;gBACrC,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,MAAM,IAAI,EAAE,EAAE,WAAW,CAAC,CAAC;gBACtE,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,SAAS;gBACX,CAAC;gBACD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBACnB,GAAG,CAAC,IAAI,GAAG;wBACT,eAAe,EAA
E,IAAI;wBACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,eAAe;wBAC5C,MAAM,EAAE,QAAQ;qBACjB,CAAC;oBACF,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;wBAClB,GAAW,CAAC,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC;oBAC5C,CAAC;oBACD,OAAO,IAAI,EAAE,CAAC;gBAChB,CAAC;gBACD,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;oBACjB,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC;gBAClC,CAAC;YACH,CAAC;YAED,qEAAqE;YACrE,0EAA0E;YAC1E,IAAI,aAAiC,CAAC;YACtC,IAAI,YAAY,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpC,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC;YAClC,CAAC;iBAAM,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBAC9C,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC;YAC/B,CAAC;iBAAM,IAAI,MAAM,CAAC,qBAAqB,EAAE,CAAC;gBACxC,aAAa,GAAG,MAAM,CAAC,qBAAqB,CAAC;YAC/C,CAAC;YAED,MAAM,CAAC,KAAK,CAAC,sBAAsB,aAAa,IAAI,uBAAuB,EAAE,CAAC,CAAC;YAC/E,MAAM,OAAO,GAAG,aAAa,IAAI,uBAAuB,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;YACtG,OAAO,gBAAgB,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,CAAC,CAAC;QACvD,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,GAAa,EAAE,SAA0B,EAAE,OAAgB;IACnF,MAAM,YAAY,GAAG,OAAO,IAAI,yBAAyB,CAAC;IAE1D,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAEhG,yDAAyD;IACzD,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,IAAI,SAAS,EAAE,CAAC;QACd,UAAU,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,UAAU,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACnB,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,YAAY;QACnB,gBAAgB,EAAE,SAAS;KAC5B,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"agent-tester-auth.d.ts","sourceRoot":"","sources":["../../../src/core/auth/agent-tester-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,EAAE,OAAO,EAA0B,cAAc,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"agent-tester-auth.d.ts","sourceRoot":"","sources":["../../../src/core/auth/agent-tester-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,EAAE,OAAO,EAA0B,cAAc,EAAE,MAAM,SAAS,CAAC;AAU1E,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AASxC,eAAO,MAAM,WAAW,aAAa,CAAC;AAEtC;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAGxC;AASD,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAErD;AAmBD,wBAAgB,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAM9F;AAsBD,wBAAgB,aAAa,CAAC,QAAQ,EAAE,UAAU,GAAG,MAAM,CAI1D;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,OAAO,GAAG,IAAI,CAKhD;AAMD,wBAAgB,uBAAuB,IAAI,MAAM,EAAE,CAgBlD;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,CAAC,IAAI,EAAE;IACnD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,OAAO,CAAC,UAAU,CAAC,CAuBtB;AAYD;;;;;;;;GAQG;AACH,wBAAgB,0BAA0B,IAAI,cAAc,EAAE,CAuB7D"}
|
|
@@ -13,6 +13,7 @@ import { appConfig } from '../bootstrap/init-config.js';
|
|
|
13
13
|
import { logger as lgr } from '../logger.js';
|
|
14
14
|
import { checkBasicAuth } from './basic.js';
|
|
15
15
|
import { checkJwtToken } from './jwt.js';
|
|
16
|
+
import { canLocallyIssueJwt } from './key-resolver.js';
|
|
16
17
|
import { createAuthMW } from './middleware.js';
|
|
17
18
|
import { checkPermanentToken } from './permanent.js';
|
|
18
19
|
const logger = lgr.getSubLogger({ name: chalk.yellow('agent-tester-auth') });
|
|
@@ -93,8 +94,11 @@ export function getAvailableAuthMethods() {
|
|
|
93
94
|
if (auth?.basic?.username && auth?.basic?.password) {
|
|
94
95
|
methods.push('basic');
|
|
95
96
|
}
|
|
96
|
-
if (
|
|
97
|
-
|
|
97
|
+
// JWT available if we have any way to either sign (legacy/embedded/localKey) or verify
|
|
98
|
+
// against an external IdP (remoteJwks). The login dialog needs the "token" option so
|
|
99
|
+
// headless clients / pasted tokens can be used.
|
|
100
|
+
if (canLocallyIssueJwt() || auth?.jwtToken?.mode === 'remoteJwks') {
|
|
101
|
+
methods.push('token');
|
|
98
102
|
}
|
|
99
103
|
return [...new Set(methods)];
|
|
100
104
|
}
|
|
@@ -102,7 +106,7 @@ export function getAvailableAuthMethods() {
|
|
|
102
106
|
* Validate login credentials.
|
|
103
107
|
* Returns AuthResult with success=true if valid.
|
|
104
108
|
*/
|
|
105
|
-
export function validateLoginCredentials(body) {
|
|
109
|
+
export async function validateLoginCredentials(body) {
|
|
106
110
|
const { token, username, password } = body;
|
|
107
111
|
if (token) {
|
|
108
112
|
// Try as permanent token first
|
|
@@ -111,7 +115,7 @@ export function validateLoginCredentials(body) {
|
|
|
111
115
|
return { success: true, authType: 'permanentServerTokens' };
|
|
112
116
|
}
|
|
113
117
|
// Try as JWT
|
|
114
|
-
const jwtResult = checkJwtToken({ token });
|
|
118
|
+
const jwtResult = await checkJwtToken({ token });
|
|
115
119
|
if (!jwtResult.errorReason) {
|
|
116
120
|
return { success: true, authType: 'jwtToken', payload: jwtResult.payload };
|
|
117
121
|
}
|
|
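Review bot: The new `await checkJwtToken({ token })` in `validateLoginCredentials` has no error handling in the visible lines, so if the verifier can reject (for example when key resolution for the `remoteJwks` mode fails, which is not visible here), the rejection leaves the login path as an exception instead of a failed login. Converting it into the existing result shape keeps the path fail-closed: `const jwtResult = await checkJwtToken({ token }).catch((err) => ({ errorReason: String(err?.message ?? err) }));`. Because the function is now `async`, every caller has to `await` it; a caller that reads `.success` from the un-awaited Promise gets `undefined`. The body of `validateLoginCredentials` continues outside these hunks, so the callers and the rest of the function could not be checked.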
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"agent-tester-auth.js","sourceRoot":"","sources":["../../../src/core/auth/agent-tester-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,OAAO,KAAK,MAAM,OAAO,CAAC;AAG1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAGrD,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,mBAAmB,CAAC,EAAE,CAAC,CAAC;AAE7E,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;AAC7D,MAAM,CAAC,MAAM,WAAW,GAAG,UAAU,CAAC;AAEtC;;;GAGG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,CAAC,GAAG,SAAS,CAAC,WAAW,EAAE,YAAY,CAAC;IAC9C,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAK,CAAY,GAAG,CAAC,CAAC,CAAC,CAAE,CAAY,CAAC,CAAC,CAAC,sBAAsB,CAAC;AAC1F,CAAC;AAOD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAwB,CAAC;AAEjD,MAAM,UAAU,eAAe,CAAC,GAAY;IAC1C,OAAO,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,0DAA0D;AAC1D,WAAW,CACT,GAAG,EAAE;IACH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,QAAQ,EAAE,CAAC;QACpC,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,GAAG,eAAe,EAAE,EAAE,CAAC;YAC9C,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;AACH,CAAC,EACD,EAAE,GAAG,EAAE,GAAG,IAAI,CACf,CAAC;AAEF,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,UAAU,WAAW,CAAC,YAAgC,EAAE,IAAY;IACxE,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,cAAc,IAAI,UAAU,CAAC,CAAC,CAAC;IAC3E,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC/D,CAAC;AAED,SAAS,eAAe,CAAC,GAAY;IACnC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,
CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,GAAG,eAAe,EAAE,EAAE,CAAC;QACrD,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACrB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,0CAA0C;AAC1C,8EAA8E;AAE9E,MAAM,UAAU,aAAa,CAAC,QAAoB;IAChD,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;IACvD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,GAAY;IACxC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACzD,IAAI,GAAG,EAAE,CAAC;QACR,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,mCAAmC;AACnC,8EAA8E;AAE9E,MAAM,UAAU,uBAAuB;IACrC,MAAM,IAAI,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC;IACvC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,IAAI,EAAE,qBAAqB,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;QACxD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxB,CAAC;IACD,IAAI,IAAI,EAAE,KAAK,EAAE,QAAQ,IAAI,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;QACnD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxB,CAAC;IACD,IAAI,IAAI,EAAE,QAAQ,EAAE,
|
|
1
|
+
{"version":3,"file":"agent-tester-auth.js","sourceRoot":"","sources":["../../../src/core/auth/agent-tester-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,OAAO,KAAK,MAAM,OAAO,CAAC;AAG1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAGrD,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,mBAAmB,CAAC,EAAE,CAAC,CAAC;AAE7E,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;AAC7D,MAAM,CAAC,MAAM,WAAW,GAAG,UAAU,CAAC;AAEtC;;;GAGG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,CAAC,GAAG,SAAS,CAAC,WAAW,EAAE,YAAY,CAAC;IAC9C,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAK,CAAY,GAAG,CAAC,CAAC,CAAC,CAAE,CAAY,CAAC,CAAC,CAAC,sBAAsB,CAAC;AAC1F,CAAC;AAOD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAwB,CAAC;AAEjD,MAAM,UAAU,eAAe,CAAC,GAAY;IAC1C,OAAO,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,0DAA0D;AAC1D,WAAW,CACT,GAAG,EAAE;IACH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,QAAQ,EAAE,CAAC;QACpC,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,GAAG,eAAe,EAAE,EAAE,CAAC;YAC9C,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;AACH,CAAC,EACD,EAAE,GAAG,EAAE,GAAG,IAAI,CACf,CAAC;AAEF,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,UAAU,WAAW,CAAC,YAAgC,EAAE,IAAY;IACxE,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,cAAc,IAAI,UAAU,CAAC,CAAC,CAAC;IAC3E,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC/D,CAAC;AAED,SAAS,eAAe,CAAC,GAAY;IACnC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;I
AChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,GAAG,eAAe,EAAE,EAAE,CAAC;QACrD,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACrB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,0CAA0C;AAC1C,8EAA8E;AAE9E,MAAM,UAAU,aAAa,CAAC,QAAoB;IAChD,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;IACvD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,GAAY;IACxC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACzD,IAAI,GAAG,EAAE,CAAC;QACR,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,mCAAmC;AACnC,8EAA8E;AAE9E,MAAM,UAAU,uBAAuB;IACrC,MAAM,IAAI,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC;IACvC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,IAAI,EAAE,qBAAqB,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;QACxD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxB,CAAC;IACD,IAAI,IAAI,EAAE,KAAK,EAAE,QAAQ,IAAI,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;QACnD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxB,CAAC;IACD,uFAAuF;IACvF,qFAAqF;IACrF,gDAAgD;IAChD,IAAI,kBAAkB,EAAE,IAAI,IAAI,EAAE,QAAQ,EAAE,IAAI,KAAK,YAAY,EAAE,CAAC;QAClE,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAAC,IAI9C;IACC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;IAE3C,IAAI,KAAK,EAAE,CAAC;QACV,+BAA+B;QAC/B,MAAM,UAAU,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;YAC5B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,uBAAuB,EAAE,CAAC;QAC9D,CAAC;QACD,aAAa;QACb,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QACjD,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YAC3B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,CAAC,OAAO,EAAE,CAAC;QAC7E,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;IACpD,CAAC;IAED,IAAI,QAAQ,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,IAAI,QAAQ,EAAE,
CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC1E,OAAO,cAAc,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;AAC7E,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,MAAM,YAAY,GAAG,IAAI,GAAG,CAAS,CAAC,GAAG,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,kBAAkB,CAAC,CAAC,CAAC;AAEvG,SAAS,YAAY,CAAC,IAAY;IAChC,OAAO,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,0BAA0B;IACxC,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,OAAO,EAAE,CAAC;QACpC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAE9B,MAAM,EAAE,GAAmB,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC7E,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,EAAE,CAAC;YACX,GAAW,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;YACzC,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,OAAO,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IAChC,CAAC,CAAC;IAEF,OAAO,CAAC,EAAE,CAAC,CAAC;AACd,CAAC"}
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Summary of which authentication methods are wired up on this server.
|
|
3
|
+
* Surfaced via the `use://auth` resource (standard §11.2 SHOULD).
|
|
4
|
+
*/
|
|
5
|
+
export interface IAuthProfile {
|
|
6
|
+
enabled: boolean;
|
|
7
|
+
schemes: string[];
|
|
8
|
+
methods: string[];
|
|
9
|
+
claims?: {
|
|
10
|
+
issuer?: string;
|
|
11
|
+
checkMCPName?: boolean;
|
|
12
|
+
isCheckIP?: boolean;
|
|
13
|
+
};
|
|
14
|
+
jwt?: {
|
|
15
|
+
mode: 'legacyAesCtr' | 'embedded' | 'localKey' | 'remoteJwks';
|
|
16
|
+
algorithm?: 'ES256' | 'RS256' | 'HS256';
|
|
17
|
+
expectedIssuer?: string;
|
|
18
|
+
expectedAudience?: string;
|
|
19
|
+
jwksUri?: string;
|
|
20
|
+
};
|
|
21
|
+
discovery?: {
|
|
22
|
+
protectedResource?: string;
|
|
23
|
+
openidConfiguration?: string;
|
|
24
|
+
jwks?: string;
|
|
25
|
+
token?: string;
|
|
26
|
+
};
|
|
27
|
+
requiredScopes?: {
|
|
28
|
+
tools: Record<string, string[]>;
|
|
29
|
+
prompts: Record<string, string[]>;
|
|
30
|
+
resources: Record<string, string[]>;
|
|
31
|
+
};
|
|
32
|
+
headers: {
|
|
33
|
+
authorization: string;
|
|
34
|
+
};
|
|
35
|
+
httpHeadersResource: string;
|
|
36
|
+
}
|
|
37
|
+
export declare function collectAuthProfile(): IAuthProfile;
|
|
38
|
+
//# sourceMappingURL=auth-profile.d.ts.map
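Review bot: The doc comment on `IAuthProfile` says the profile is surfaced via `use://auth` but does not say who may read it. The shape includes `claims.checkMCPName`, `claims.isCheckIP` and the full `requiredScopes` map, which together tell a reader which checks are switched off. I would extend the comment with a line such as `* Contains no secrets, but reveals which claim checks are enabled; serve only to callers allowed to see the auth configuration.`, or state explicitly that the resource is meant to be public. Whether `use://auth` sits behind authentication is not visible in this section.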
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"auth-profile.d.ts","sourceRoot":"","sources":["../../../src/core/auth/auth-profile.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,CAAC,EAAE;QACP,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,SAAS,CAAC,EAAE,OAAO,CAAC;KACrB,CAAC;IACF,GAAG,CAAC,EAAE;QACJ,IAAI,EAAE,cAAc,GAAG,UAAU,GAAG,UAAU,GAAG,YAAY,CAAC;QAC9D,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;QACxC,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,SAAS,CAAC,EAAE;QACV,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,mBAAmB,CAAC,EAAE,MAAM,CAAC;QAC7B,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,cAAc,CAAC,EAAE;QACf,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAChC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAClC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;KACrC,CAAC;IACF,OAAO,EAAE;QAAE,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;IACnC,mBAAmB,EAAE,MAAM,CAAC;CAC7B;AAED,wBAAgB,kBAAkB,IAAI,YAAY,CAsGjD"}
|
|
@@ -0,0 +1,101 @@
|
|
|
1
|
+
import { appConfig } from '../bootstrap/init-config.js';
|
|
2
|
+
import { getJwtRuntimeConfig } from './key-resolver.js';
|
|
3
|
+
export function collectAuthProfile() {
|
|
4
|
+
const auth = appConfig.webServer?.auth;
|
|
5
|
+
const methods = [];
|
|
6
|
+
const schemes = new Set();
|
|
7
|
+
if (auth?.enabled) {
|
|
8
|
+
if (Array.isArray(auth.permanentServerTokens) && auth.permanentServerTokens.filter(Boolean).length > 0) {
|
|
9
|
+
methods.push('permanentServerTokens');
|
|
10
|
+
schemes.add('Bearer');
|
|
11
|
+
}
|
|
12
|
+
if (auth.jwtToken?.encryptKey) {
|
|
13
|
+
methods.push('jwtToken');
|
|
14
|
+
schemes.add('Bearer');
|
|
15
|
+
}
|
|
16
|
+
if (auth.basic?.username && auth.basic?.password) {
|
|
17
|
+
methods.push('basic');
|
|
18
|
+
schemes.add('Basic');
|
|
19
|
+
}
|
|
20
|
+
}
|
|
21
|
+
if (global.__MCP_PROJECT_DATA__?.customAuthValidator) {
|
|
22
|
+
methods.push('custom');
|
|
23
|
+
}
|
|
24
|
+
const claims = {};
|
|
25
|
+
const issuer = auth?.jwtToken?.issuer;
|
|
26
|
+
if (issuer) {
|
|
27
|
+
claims.issuer = issuer;
|
|
28
|
+
}
|
|
29
|
+
if (typeof auth?.jwtToken?.checkMCPName === 'boolean') {
|
|
30
|
+
claims.checkMCPName = auth.jwtToken.checkMCPName;
|
|
31
|
+
}
|
|
32
|
+
if (typeof auth?.jwtToken?.isCheckIP === 'boolean') {
|
|
33
|
+
claims.isCheckIP = auth.jwtToken.isCheckIP;
|
|
34
|
+
}
|
|
35
|
+
const jwtRt = getJwtRuntimeConfig();
|
|
36
|
+
const jwt = {
|
|
37
|
+
mode: jwtRt.mode,
|
|
38
|
+
algorithm: jwtRt.mode === 'legacyAesCtr' ? 'HS256' : jwtRt.algorithm,
|
|
39
|
+
};
|
|
40
|
+
if (jwtRt.expectedIssuer) {
|
|
41
|
+
jwt.expectedIssuer = jwtRt.expectedIssuer;
|
|
42
|
+
}
|
|
43
|
+
if (jwtRt.expectedAudience) {
|
|
44
|
+
jwt.expectedAudience = jwtRt.expectedAudience;
|
|
45
|
+
}
|
|
46
|
+
if (jwtRt.jwksUri) {
|
|
47
|
+
jwt.jwksUri = jwtRt.jwksUri;
|
|
48
|
+
}
|
|
49
|
+
const discovery = {};
|
|
50
|
+
if (jwtRt.mode !== 'legacyAesCtr') {
|
|
51
|
+
discovery.protectedResource = '/.well-known/oauth-protected-resource';
|
|
52
|
+
if (jwtRt.mode === 'embedded' || jwtRt.mode === 'localKey') {
|
|
53
|
+
discovery.openidConfiguration = '/.well-known/openid-configuration';
|
|
54
|
+
discovery.jwks = '/.well-known/jwks.json';
|
|
55
|
+
discovery.token = '/oauth/token';
|
|
56
|
+
}
|
|
57
|
+
}
|
|
58
|
+
// Aggregate requiredScopes declared on customResources / customPrompts / tools so
|
|
59
|
+
// clients (and use://auth consumers) can introspect server-side §7.5 enforcement.
|
|
60
|
+
const requiredScopes = {
|
|
61
|
+
tools: {},
|
|
62
|
+
prompts: {},
|
|
63
|
+
resources: {},
|
|
64
|
+
};
|
|
65
|
+
const data = global.__MCP_PROJECT_DATA__;
|
|
66
|
+
const tools = Array.isArray(data?.tools) ? data.tools : [];
|
|
67
|
+
for (const t of tools) {
|
|
68
|
+
const scopes = t?._meta?.requiredScopes ?? t?.requiredScopes;
|
|
69
|
+
if (Array.isArray(scopes) && scopes.length > 0 && typeof t?.name === 'string') {
|
|
70
|
+
requiredScopes.tools[t.name] = scopes;
|
|
71
|
+
}
|
|
72
|
+
}
|
|
73
|
+
const prompts = Array.isArray(data?.customPrompts) ? data.customPrompts : [];
|
|
74
|
+
for (const p of prompts) {
|
|
75
|
+
if (Array.isArray(p?.requiredScopes) && p.requiredScopes.length > 0 && typeof p?.name === 'string') {
|
|
76
|
+
requiredScopes.prompts[p.name] = p.requiredScopes;
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
const resources = Array.isArray(data?.customResources) ? data.customResources : [];
|
|
80
|
+
for (const r of resources) {
|
|
81
|
+
if (Array.isArray(r?.requiredScopes) && r.requiredScopes.length > 0 && typeof r?.uri === 'string') {
|
|
82
|
+
requiredScopes.resources[r.uri] = r.requiredScopes;
|
|
83
|
+
}
|
|
84
|
+
}
|
|
85
|
+
return {
|
|
86
|
+
enabled: !!auth?.enabled,
|
|
87
|
+
schemes: Array.from(schemes),
|
|
88
|
+
methods,
|
|
89
|
+
claims,
|
|
90
|
+
jwt,
|
|
91
|
+
...(Object.keys(discovery).length ? { discovery } : {}),
|
|
92
|
+
...(Object.keys(requiredScopes.tools).length ||
|
|
93
|
+
Object.keys(requiredScopes.prompts).length ||
|
|
94
|
+
Object.keys(requiredScopes.resources).length
|
|
95
|
+
? { requiredScopes }
|
|
96
|
+
: {}),
|
|
97
|
+
headers: { authorization: 'Authorization: Bearer <token>' },
|
|
98
|
+
httpHeadersResource: 'use://http-headers',
|
|
99
|
+
};
|
|
100
|
+
}
|
|
101
|
+
//# sourceMappingURL=auth-profile.js.map
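Review bot: `methods.push('jwtToken')` in `collectAuthProfile` is gated on `auth.jwtToken?.encryptKey`, but the `jwt.mode` reported further down can be `embedded`, `localKey` or `remoteJwks`, where keys come from the key resolver rather than `encryptKey`. If those modes can be configured without an `encryptKey` (not visible here), the profile would advertise discovery endpoints while `methods` and `schemes` omit JWT and `Bearer`. Reading `const jwtRt = getJwtRuntimeConfig();` before the `if (auth?.enabled)` block and testing `auth.jwtToken?.encryptKey || jwtRt.mode !== 'legacyAesCtr'` would keep the two views consistent. The `jwt` object is also returned when `auth.enabled` is false; a short comment saying that is intended would help consumers of the profile.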
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"auth-profile.js","sourceRoot":"","sources":["../../../src/core/auth/auth-profile.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAExD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAqCxD,MAAM,UAAU,kBAAkB;IAChC,MAAM,IAAI,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC;IACvC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAgB,IAAI,GAAG,EAAE,CAAC;IACvC,IAAI,IAAI,EAAE,OAAO,EAAE,CAAC;QAClB,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,qBAAqB,CAAC,IAAI,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvG,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACxB,CAAC;QACD,IAAI,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACxB,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,EAAE,QAAQ,IAAI,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;YACjD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IACD,IAAI,MAAM,CAAC,oBAAoB,EAAE,mBAAmB,EAAE,CAAC;QACrD,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzB,CAAC;IAED,MAAM,MAAM,GAAwC,EAAE,CAAC;IACvD,MAAM,MAAM,GAAG,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC;IACtC,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC;IACzB,CAAC;IACD,IAAI,OAAO,IAAI,EAAE,QAAQ,EAAE,YAAY,KAAK,SAAS,EAAE,CAAC;QACtD,MAAM,CAAC,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;IACnD,CAAC;IACD,IAAI,OAAO,IAAI,EAAE,QAAQ,EAAE,SAAS,KAAK,SAAS,EAAE,CAAC;QACnD,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;IAC7C,CAAC;IAED,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,MAAM,GAAG,GAAqC;QAC5C,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,SAAS,EAAE,KAAK,CAAC,IAAI,KAAK,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS;KACrE,CAAC;IACF,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;QACzB,GAAG,CAAC,cAAc,GAAG,KAAK,CAAC,cAAc,CAAC;IAC5C,CAAC;IACD,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,GAAG,CAAC,gBAAgB,GAAG,KAAK,CAAC,gBAAgB,CAAC;IAChD,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,GAAG,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;IAC9B,CAAC;IAED,MAAM,SAAS,GAA2C,EAAE,CAAC;IAC7D,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,EAAE,CAA
C;QAClC,SAAS,CAAC,iBAAiB,GAAG,uCAAuC,CAAC;QACtE,IAAI,KAAK,CAAC,IAAI,KAAK,UAAU,IAAI,KAAK,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC3D,SAAS,CAAC,mBAAmB,GAAG,mCAAmC,CAAC;YACpE,SAAS,CAAC,IAAI,GAAG,wBAAwB,CAAC;YAC1C,SAAS,CAAC,KAAK,GAAG,cAAc,CAAC;QACnC,CAAC;IACH,CAAC;IAED,kFAAkF;IAClF,kFAAkF;IAClF,MAAM,cAAc,GAAgD;QAClE,KAAK,EAAE,EAAE;QACT,OAAO,EAAE,EAAE;QACX,SAAS,EAAE,EAAE;KACd,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,CAAC,oBAAoB,CAAC;IACzC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3D,KAAK,MAAM,CAAC,IAAI,KAAc,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,CAAC,EAAE,KAAK,EAAE,cAAc,IAAI,CAAC,EAAE,cAAc,CAAC;QAC7D,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC9E,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,MAAkB,CAAC;QACpD,CAAC;IACH,CAAC;IACD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7E,KAAK,MAAM,CAAC,IAAI,OAAgB,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,cAAc,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnG,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,cAA0B,CAAC;QAChE,CAAC;IACH,CAAC;IACD,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,CAAC;IACnF,KAAK,MAAM,CAAC,IAAI,SAAkB,EAAE,CAAC;QACnC,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,cAAc,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,EAAE,GAAG,KAAK,QAAQ,EAAE,CAAC;YAClG,cAAc,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,cAA0B,CAAC;QACjE,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,CAAC,CAAC,IAAI,EAAE,OAAO;QACxB,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC;QAC5B,OAAO;QACP,MAAM;QACN,GAAG;QACH,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,MAAM;YAC5C,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,MAAM;YAC1C,MAAM,CAAC,IAAI,CAAC,cAA
c,CAAC,SAAS,CAAC,CAAC,MAAM;YAC1C,CAAC,CAAC,EAAE,cAAc,EAAE;YACpB,CAAC,CAAC,EAAE,CAAC;QACP,OAAO,EAAE,EAAE,aAAa,EAAE,+BAA+B,EAAE;QAC3D,mBAAmB,EAAE,oBAAoB;KAC1C,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* jwt-v2 — sign + verify standard JWT using asymmetric keys (ES256/RS256) via jose.
|
|
3
|
+
*
|
|
4
|
+
* This module is only active when webServer.auth.jwtToken.mode is one of:
|
|
5
|
+
* - embedded (built-in IdP, autogen keys, local issuance)
|
|
6
|
+
* - localKey (PEM-based public/private keys on disk)
|
|
7
|
+
* - remoteJwks (verify only — tokens issued by external IdP)
|
|
8
|
+
*
|
|
9
|
+
* The legacy AES-CTR + HS256 path stays in jwt.ts.
|
|
10
|
+
*/
|
|
11
|
+
import { ICheckTokenResult } from './types.js';
|
|
12
|
+
/**
|
|
13
|
+
* Issue a standard JWT signed with the asymmetric key from the current KeyResolver.
|
|
14
|
+
* Mirrors generateToken() signature in jwt.ts so callsites stay compatible.
|
|
15
|
+
*/
|
|
16
|
+
export declare function generateTokenV2(user: string, liveTimeSec: number, payload?: any): Promise<string>;
|
|
17
|
+
/**
|
|
18
|
+
* Verify a standard JWT issued under embedded/localKey/remoteJwks modes.
|
|
19
|
+
* Returns the same ICheckTokenResult shape as checkJwtToken() so multi-auth.ts stays unchanged.
|
|
20
|
+
*/
|
|
21
|
+
export declare function verifyJwtV2(arg: {
|
|
22
|
+
token: string;
|
|
23
|
+
expectedUser?: string;
|
|
24
|
+
expectedService?: string;
|
|
25
|
+
clientIp?: string;
|
|
26
|
+
}): Promise<ICheckTokenResult>;
|
|
27
|
+
//# sourceMappingURL=jwt-v2.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"jwt-v2.d.ts","sourceRoot":"","sources":["../../../src/core/auth/jwt-v2.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAcH,OAAO,EAAE,iBAAiB,EAAiB,MAAM,YAAY,CAAC;AAM9D;;;GAGG;AACH,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CA0CvG;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAAC,GAAG,EAAE;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CA4H7B"}
|
|
@@ -0,0 +1,180 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* jwt-v2 — sign + verify standard JWT using asymmetric keys (ES256/RS256) via jose.
|
|
3
|
+
*
|
|
4
|
+
* This module is only active when webServer.auth.jwtToken.mode is one of:
|
|
5
|
+
* - embedded (built-in IdP, autogen keys, local issuance)
|
|
6
|
+
* - localKey (PEM-based public/private keys on disk)
|
|
7
|
+
* - remoteJwks (verify only — tokens issued by external IdP)
|
|
8
|
+
*
|
|
9
|
+
* The legacy AES-CTR + HS256 path stays in jwt.ts.
|
|
10
|
+
*/
|
|
11
|
+
import crypto from 'crypto';
|
|
12
|
+
import chalk from 'chalk';
|
|
13
|
+
import { jwtVerify, SignJWT, errors as joseErrors } from 'jose';
|
|
14
|
+
import { appConfig } from '../bootstrap/init-config.js';
|
|
15
|
+
import { logger as lgr } from '../logger.js';
|
|
16
|
+
import { isObject, trim } from '../utils/utils.js';
|
|
17
|
+
import { parseIpList, isIpAllowed } from './ip-check.js';
|
|
18
|
+
import { getJwtRuntimeConfig, getKeyResolver } from './key-resolver.js';
|
|
19
|
+
import { isJtiRevoked, isJwtTokenRevoked, isUserRevoked } from './revocation.js';
|
|
20
|
+
const logger = lgr.getSubLogger({ name: chalk.cyan('token-auth-v2') });
|
|
21
|
+
const STANDARD_CLAIMS = new Set(['user', 'expire', 'iat', 'service', 'iss', 'sub', 'aud', 'exp', 'jti', 'nbf']);
|
|
22
|
+
/**
|
|
23
|
+
* Issue a standard JWT signed with the asymmetric key from the current KeyResolver.
|
|
24
|
+
* Mirrors generateToken() signature in jwt.ts so callsites stay compatible.
|
|
25
|
+
*/
|
|
26
|
+
export async function generateTokenV2(user, liveTimeSec, payload) {
|
|
27
|
+
const normalizedUser = trim(user).toLowerCase();
|
|
28
|
+
if (!normalizedUser) {
|
|
29
|
+
throw new Error('generateTokenV2: Username is empty');
|
|
30
|
+
}
|
|
31
|
+
const resolver = await getKeyResolver();
|
|
32
|
+
if (!resolver) {
|
|
33
|
+
throw new Error('generateTokenV2: KeyResolver is not available in legacy mode');
|
|
34
|
+
}
|
|
35
|
+
if (!resolver.canSign()) {
|
|
36
|
+
const { mode, jwksUri } = getJwtRuntimeConfig();
|
|
37
|
+
throw new Error(`Token issuance is not available in mode=${mode}.${jwksUri ? ` Obtain tokens from the IdP at ${jwksUri}.` : ''}`);
|
|
38
|
+
}
|
|
39
|
+
const inputPayload = isObject(payload) ? { ...payload } : {};
|
|
40
|
+
const service = trim(inputPayload.service) || undefined;
|
|
41
|
+
for (const reserved of ['user', 'expire', 'iat', 'service', 'sub', 'aud', 'exp', 'iss', 'jti', 'nbf']) {
|
|
42
|
+
delete inputPayload[reserved];
|
|
43
|
+
}
|
|
44
|
+
const { algorithm, privateKey, kid } = resolver.getSignContext();
|
|
45
|
+
const { expectedIssuer, expectedAudience } = getJwtRuntimeConfig();
|
|
46
|
+
const issuer = expectedIssuer || `urn:fa-mcp:${appConfig.shortName || appConfig.name}`;
|
|
47
|
+
const audience = service || expectedAudience || appConfig.name;
|
|
48
|
+
const builder = new SignJWT(inputPayload)
|
|
49
|
+
.setProtectedHeader({ alg: algorithm, kid, typ: 'JWT' })
|
|
50
|
+
.setSubject(normalizedUser)
|
|
51
|
+
.setIssuedAt()
|
|
52
|
+
.setExpirationTime(Math.floor(Date.now() / 1000) + liveTimeSec)
|
|
53
|
+
.setJti(crypto.randomUUID());
|
|
54
|
+
if (issuer) {
|
|
55
|
+
builder.setIssuer(issuer);
|
|
56
|
+
}
|
|
57
|
+
if (audience) {
|
|
58
|
+
builder.setAudience(audience);
|
|
59
|
+
}
|
|
60
|
+
return builder.sign(privateKey);
|
|
61
|
+
}
|
|
62
|
+
/**
|
|
63
|
+
* Verify a standard JWT issued under embedded/localKey/remoteJwks modes.
|
|
64
|
+
* Returns the same ICheckTokenResult shape as checkJwtToken() so multi-auth.ts stays unchanged.
|
|
65
|
+
*/
|
|
66
|
+
export async function verifyJwtV2(arg) {
|
|
67
|
+
const token = trim(arg.token);
|
|
68
|
+
if (!token) {
|
|
69
|
+
return { errorReason: 'Token not passed' };
|
|
70
|
+
}
|
|
71
|
+
if (isJwtTokenRevoked(token)) {
|
|
72
|
+
return { errorReason: 'JWT Token has been revoked' };
|
|
73
|
+
}
|
|
74
|
+
const resolver = await getKeyResolver();
|
|
75
|
+
if (!resolver) {
|
|
76
|
+
return { errorReason: 'JWT verifier not initialized (legacy mode)' };
|
|
77
|
+
}
|
|
78
|
+
const { expectedIssuer, expectedAudience, clockSkew } = getJwtRuntimeConfig();
|
|
79
|
+
const checkMCPName = appConfig.webServer?.auth?.jwtToken?.checkMCPName || false;
|
|
80
|
+
const isCheckIP = appConfig.webServer?.auth?.jwtToken?.isCheckIP || false;
|
|
81
|
+
const wantService = arg.expectedService ?? expectedAudience ?? appConfig.name;
|
|
82
|
+
let payloadDecoded;
|
|
83
|
+
try {
|
|
84
|
+
const { payload } = await jwtVerify(token, (header) => resolver.getVerifyKey(header), {
|
|
85
|
+
...(expectedIssuer ? { issuer: expectedIssuer } : {}),
|
|
86
|
+
// jose's audience check passes when the token's aud (string or array) intersects ours.
|
|
87
|
+
// We do our own check below to surface the same error wording as legacy code.
|
|
88
|
+
clockTolerance: clockSkew,
|
|
89
|
+
});
|
|
90
|
+
payloadDecoded = payload;
|
|
91
|
+
}
|
|
92
|
+
catch (err) {
|
|
93
|
+
if (err instanceof joseErrors.JWTExpired) {
|
|
94
|
+
const expSec = err.payload?.exp;
|
|
95
|
+
const expiredOn = expSec ? Date.now() - expSec * 1000 : 0;
|
|
96
|
+
return {
|
|
97
|
+
isTokenDecrypted: true,
|
|
98
|
+
errorReason: expiredOn > 0 ? `JWT Token expired :: on ${expiredOn} mc` : 'JWT Token expired',
|
|
99
|
+
};
|
|
100
|
+
}
|
|
101
|
+
if (err instanceof joseErrors.JWSSignatureVerificationFailed) {
|
|
102
|
+
return { errorReason: 'Invalid signature' };
|
|
103
|
+
}
|
|
104
|
+
if (err instanceof joseErrors.JWTClaimValidationFailed) {
|
|
105
|
+
return { errorReason: `JWT Token: ${err.message}` };
|
|
106
|
+
}
|
|
107
|
+
if (err instanceof joseErrors.JOSEError) {
|
|
108
|
+
logger.debug(`JOSE error: ${err.message}`);
|
|
109
|
+
return { errorReason: 'The token is not a JWT' };
|
|
110
|
+
}
|
|
111
|
+
logger.error('verifyJwtV2 unexpected error:', err);
|
|
112
|
+
return { errorReason: `Error verifying JWT token :: ${err?.message ?? 'unknown error'}` };
|
|
113
|
+
}
|
|
114
|
+
const sub = typeof payloadDecoded.sub === 'string' ? payloadDecoded.sub : '';
|
|
115
|
+
if (!sub) {
|
|
116
|
+
return { errorReason: 'JWT Token: missing subject' };
|
|
117
|
+
}
|
|
118
|
+
const expSec = typeof payloadDecoded.exp === 'number' ? payloadDecoded.exp : 0;
|
|
119
|
+
if (!expSec) {
|
|
120
|
+
return { isTokenDecrypted: true, errorReason: 'JWT Token: missing expiration' };
|
|
121
|
+
}
|
|
122
|
+
const iatSec = typeof payloadDecoded.iat === 'number' ? payloadDecoded.iat : 0;
|
|
123
|
+
const audValues = Array.isArray(payloadDecoded.aud)
|
|
124
|
+
? payloadDecoded.aud.filter((v) => typeof v === 'string' && !!trim(v))
|
|
125
|
+
: typeof payloadDecoded.aud === 'string' && trim(payloadDecoded.aud)
|
|
126
|
+
? [payloadDecoded.aud]
|
|
127
|
+
: [];
|
|
128
|
+
const normalizedService = wantService && audValues.includes(wantService) ? wantService : audValues[0];
|
|
129
|
+
const normalized = { user: sub, expire: expSec * 1000 };
|
|
130
|
+
if (iatSec) {
|
|
131
|
+
normalized.iat = new Date(iatSec * 1000).toISOString();
|
|
132
|
+
}
|
|
133
|
+
if (normalizedService) {
|
|
134
|
+
normalized.service = normalizedService;
|
|
135
|
+
}
|
|
136
|
+
if (typeof payloadDecoded.iss === 'string') {
|
|
137
|
+
normalized.iss = payloadDecoded.iss;
|
|
138
|
+
}
|
|
139
|
+
if (typeof payloadDecoded.jti === 'string') {
|
|
140
|
+
normalized.jti = payloadDecoded.jti;
|
|
141
|
+
}
|
|
142
|
+
for (const [k, v] of Object.entries(payloadDecoded)) {
|
|
143
|
+
if (!STANDARD_CLAIMS.has(k)) {
|
|
144
|
+
normalized[k] = v;
|
|
145
|
+
}
|
|
146
|
+
}
|
|
147
|
+
if (normalized.jti && isJtiRevoked(normalized.jti)) {
|
|
148
|
+
return { isTokenDecrypted: true, errorReason: 'JWT Token has been revoked' };
|
|
149
|
+
}
|
|
150
|
+
if (isUserRevoked(normalized.user)) {
|
|
151
|
+
return { isTokenDecrypted: true, errorReason: `JWT Token: user '${normalized.user}' has been revoked` };
|
|
152
|
+
}
|
|
153
|
+
const expectedUser = trim(arg.expectedUser).toLowerCase();
|
|
154
|
+
if (expectedUser && normalized.user !== expectedUser) {
|
|
155
|
+
return {
|
|
156
|
+
isTokenDecrypted: true,
|
|
157
|
+
errorReason: `JWT Token: user not match :: Expected '${expectedUser}' / obtained from the token: '${normalized.user}'`,
|
|
158
|
+
};
|
|
159
|
+
}
|
|
160
|
+
if (checkMCPName) {
|
|
161
|
+
const obtainedService = audValues.length > 1 ? audValues.join(', ') : normalized.service;
|
|
162
|
+
if (wantService && !audValues.includes(wantService)) {
|
|
163
|
+
return {
|
|
164
|
+
isTokenDecrypted: true,
|
|
165
|
+
errorReason: `JWT Token: service not match :: Expected '${wantService}' / obtained from the token: '${obtainedService}'`,
|
|
166
|
+
};
|
|
167
|
+
}
|
|
168
|
+
}
|
|
169
|
+
if (isCheckIP && normalized.ip && arg.clientIp) {
|
|
170
|
+
const allowedIps = parseIpList(normalized.ip);
|
|
171
|
+
if (allowedIps.length > 0 && !isIpAllowed(arg.clientIp, allowedIps)) {
|
|
172
|
+
return {
|
|
173
|
+
isTokenDecrypted: true,
|
|
174
|
+
errorReason: `JWT Token: client IP ${arg.clientIp} is not in the allowed list`,
|
|
175
|
+
};
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
return { payload: normalized };
|
|
179
|
+
}
|
|
180
|
+
//# sourceMappingURL=jwt-v2.js.map
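Review bot: In `verifyJwtV2` the `jwtVerify` options carry only `issuer` (when configured) and `clockTolerance`, and the hand-written audience comparison runs only inside `if (checkMCPName)`, which falls back to `false`. With that default a correctly signed token minted for a different audience is accepted, which matters most in `remoteJwks` mode where the external IdP may serve several services. Consider enforcing the audience whenever one is explicitly configured, e.g. `if ((checkMCPName || expectedAudience) && wantService && !audValues.includes(wantService))`, and pinning the accepted algorithm with `algorithms: [algorithm]` from `getJwtRuntimeConfig()` when one is set. The IP restriction is similarly fail-open: `isCheckIP && normalized.ip && arg.clientIp` skips the check when the token has no `ip` claim or the caller passes no `clientIp`. If that mirrors the legacy verifier, a comment saying so would make the intent clear.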
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"jwt-v2.js","sourceRoot":"","sources":["../../../src/core/auth/jwt-v2.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,MAAM,CAAC;AAEhE,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEnD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxE,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAGjF,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;AAEvE,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAEhH;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAY,EAAE,WAAmB,EAAE,OAAa;IACpF,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAChD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,cAAc,EAAE,CAAC;IACxC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;IAClF,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;QACxB,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,mBAAmB,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CACb,2CAA2C,IAAI,IAAI,OAAO,CAAC,CAAC,CAAC,kCAAkC,OAAO,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACjH,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC;IACxD,KAAK,MAAM,QAAQ,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,EAAE,CAAC;QACtG,OAAO,YAAY,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;IAED,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,QAAQ,CAAC,cAAc,EAAE,CAAC;IACjE,MAAM,EAAE,cAAc,EAAE,gBAAgB,EAAE,GAAG,mBAAmB,EAAE,CAAC;IAEnE,MAAM,MAAM,GAAG,cAAc,IAAI,cAAc,SAAS,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;IACvF,MAAM,QAAQ,GAA
G,OAAO,IAAI,gBAAgB,IAAI,SAAS,CAAC,IAAI,CAAC;IAE/D,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,YAAY,CAAC;SACtC,kBAAkB,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;SACvD,UAAU,CAAC,cAAc,CAAC;SAC1B,WAAW,EAAE;SACb,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,WAAW,CAAC;SAC9D,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;IAC/B,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,GAKjC;IACC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC9B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,CAAC;IAC7C,CAAC;IAED,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IACvD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,cAAc,EAAE,CAAC;IACxC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,EAAE,WAAW,EAAE,4CAA4C,EAAE,CAAC;IACvE,CAAC;IAED,MAAM,EAAE,cAAc,EAAE,gBAAgB,EAAE,SAAS,EAAE,GAAG,mBAAmB,EAAE,CAAC;IAC9E,MAAM,YAAY,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,IAAI,KAAK,CAAC;IAChF,MAAM,SAAS,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,IAAI,KAAK,CAAC;IAC1E,MAAM,WAAW,GAAG,GAAG,CAAC,eAAe,IAAI,gBAAgB,IAAI,SAAS,CAAC,IAAI,CAAC;IAE9E,IAAI,cAAmC,CAAC;IACxC,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAQ,EAAE;YAC3F,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,uFAAuF;YACvF,8EAA8E;YAC9E,cAAc,EAAE,SAAS;SAC1B,CAAC,CAAC;QACH,cAAc,GAAG,OAA8B,CAAC;IAClD,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IAAI,GAAG,YAAY,UAAU,CAAC,UAAU,EAAE,CAAC;YACzC,MAAM,MAAM,GAAI,GAAG,CAAC,OAAe,EAAE,GAAG,CAAC;YACzC,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1D,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,2BAA2B,SAAS,KAAK,CAAC,CAAC,CAAC,mBAAmB;aAC7F,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,YAAY,UAAU
,CAAC,8BAA8B,EAAE,CAAC;YAC7D,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,CAAC;QAC9C,CAAC;QACD,IAAI,GAAG,YAAY,UAAU,CAAC,wBAAwB,EAAE,CAAC;YACvD,OAAO,EAAE,WAAW,EAAE,cAAc,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;QACtD,CAAC;QACD,IAAI,GAAG,YAAY,UAAU,CAAC,SAAS,EAAE,CAAC;YACxC,MAAM,CAAC,KAAK,CAAC,eAAe,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3C,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE,CAAC;QACnD,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;QACnD,OAAO,EAAE,WAAW,EAAE,gCAAgC,GAAG,EAAE,OAAO,IAAI,eAAe,EAAE,EAAE,CAAC;IAC5F,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,cAAc,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7E,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IACvD,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,cAAc,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,EAAE,+BAA+B,EAAE,CAAC;IAClF,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,cAAc,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC;QACjD,CAAC,CAAE,cAAc,CAAC,GAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClG,CAAC,CAAC,OAAO,cAAc,CAAC,GAAG,KAAK,QAAQ,IAAI,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC;YAClE,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC;YACtB,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,iBAAiB,GAAG,WAAW,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAEtG,MAAM,UAAU,GAAkB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,EAAE,CAAC;IACvE,IAAI,MAAM,EAAE,CAAC;QACX,UAAU,CAAC,GAAG,GAAG,IAAI,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IACzD,CAAC;IACD,IAAI,iBAAiB,EAAE,CAAC;QACtB,UAAU,CAAC,OAAO,GAAG,iBAAiB,CAAC;IACzC,CAAC;IACD,IAAI,OAAO,cAAc,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC3C,UAAU,CAAC,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC;IACtC,CAAC;IACD,IAAI,OAAO,cAAc,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC3C,UAAU,CAAC,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC;IACtC,CAAC;IACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,C
AAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5B,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAED,IAAI,UAAU,CAAC,GAAG,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACnD,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IAC/E,CAAC;IAED,IAAI,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,EAAE,oBAAoB,UAAU,CAAC,IAAI,oBAAoB,EAAE,CAAC;IAC1G,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1D,IAAI,YAAY,IAAI,UAAU,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACrD,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,2CAA2C,YAAY,iCAAiC,UAAU,CAAC,IAAI,GAAG;SACxH,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,eAAe,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC;QACzF,IAAI,WAAW,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACpD,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,8CAA8C,WAAW,iCAAiC,eAAe,GAAG;aAC1H,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,SAAS,IAAI,UAAU,CAAC,EAAE,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC/C,MAAM,UAAU,GAAG,WAAW,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;QAC9C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,CAAC;YACpE,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,wBAAwB,GAAG,CAAC,QAAQ,6BAA6B;aAC/E,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC;AACjC,CAAC"}
|
package/dist/core/auth/jwt.d.ts
CHANGED
|
@@ -14,23 +14,37 @@ export declare const encrypt: (text: string) => string;
|
|
|
14
14
|
*/
|
|
15
15
|
export declare const decrypt: (encryptedStr: string) => string;
|
|
16
16
|
/**
|
|
17
|
-
* Generates a
|
|
18
|
-
*
|
|
19
|
-
*
|
|
20
|
-
*
|
|
21
|
-
*
|
|
22
|
-
*
|
|
23
|
-
* - `iss` is added only when webServer.auth.jwtToken.issuer is configured
|
|
17
|
+
* Generates a signed JWT.
|
|
18
|
+
*
|
|
19
|
+
* Dispatches by `appConfig.webServer.auth.jwtToken.mode`:
|
|
20
|
+
* - 'legacyAesCtr' (default) → HS256 with appConfig encryptKey (sync impl below)
|
|
21
|
+
* - 'embedded' | 'localKey' → ES256/RS256 with KeyResolver (via generateTokenV2)
|
|
22
|
+
* - 'remoteJwks' → throws — this server does not issue tokens
|
|
24
23
|
*/
|
|
25
|
-
export declare
|
|
24
|
+
export declare function generateToken(user: string, liveTimeSec: number, payload?: any): Promise<string>;
|
|
25
|
+
/**
|
|
26
|
+
* Legacy HS256 token issuer (used only when mode=legacyAesCtr). Kept synchronous for
|
|
27
|
+
* minimum-risk parity with prior releases and for use by tests.
|
|
28
|
+
*/
|
|
29
|
+
export declare const generateTokenLegacy: (user: string, liveTimeSec: number, payload?: any) => string;
|
|
26
30
|
/**
|
|
27
31
|
* Verifies a token.
|
|
28
|
-
*
|
|
29
|
-
*
|
|
30
|
-
* -
|
|
31
|
-
*
|
|
32
|
+
*
|
|
33
|
+
* Dispatches by `appConfig.webServer.auth.jwtToken.mode`:
|
|
34
|
+
* - 'legacyAesCtr' (default) → in-process HS256 + AES-CTR fallback
|
|
35
|
+
* - 'embedded' | 'localKey' | 'remoteJwks' → ES256/RS256 via verifyJwtV2 (jose-based)
|
|
36
|
+
*/
|
|
37
|
+
export declare function checkJwtToken(arg: {
|
|
38
|
+
token: string;
|
|
39
|
+
expectedUser?: string;
|
|
40
|
+
expectedService?: string;
|
|
41
|
+
clientIp?: string;
|
|
42
|
+
}): Promise<ICheckTokenResult>;
|
|
43
|
+
/**
|
|
44
|
+
* Legacy verifier — accepts standard HS256 JWTs and pre-migration AES-CTR tokens.
|
|
45
|
+
* Used only when mode=legacyAesCtr.
|
|
32
46
|
*/
|
|
33
|
-
export declare const
|
|
47
|
+
export declare const checkJwtTokenLegacy: (arg: {
|
|
34
48
|
token: string;
|
|
35
49
|
expectedUser?: string;
|
|
36
50
|
expectedService?: string;
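Review bot: `generateToken` and `checkJwtToken` are now declared as functions returning `Promise<string>` and `Promise<ICheckTokenResult>`. The removed declarations are truncated on this page, but the new `generateTokenLegacy` comment ("Kept synchronous") suggests the old exports were synchronous. A caller that still uses `checkJwtToken(...)` without `await` receives a Promise whose `errorReason` is `undefined`, so a check like `if (!result.errorReason)` would treat every token as valid. The doc comments should state the change, e.g. `* Breaking: now async — callers must await the result.`, and point to the `*Legacy` exports as the synchronous variants.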
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/core/auth/jwt.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/core/auth/jwt.ts"],"names":[],"mappings":"AAcA,OAAO,EAAE,iBAAiB,EAAiB,MAAM,YAAY,CAAC;AAS9D,eAAO,MAAM,sBAAsB,IAAI,CAAC;AAQxC,eAAO,MAAM,WAAW,QAAmC,CAAC;AAC5D,eAAO,MAAM,aAAa,QAAqD,CAAC;AAEhF,eAAO,MAAM,UAAU,QAAkF,CAAC;AAI1G;;;GAGG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,MAAM,KAAG,MAMtC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,OAAO,GAAI,cAAc,MAAM,WAO3C,CAAC;AAEF;;;;;;;GAOG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAMrG;AAED;;;GAGG;AACH,eAAO,MAAM,mBAAmB,GAAI,MAAM,MAAM,EAAE,aAAa,MAAM,EAAE,UAAU,GAAG,KAAG,MAgCtF,CAAC;AAEF;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,GAAG,EAAE;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAM7B;AAED;;;GAGG;AACH,eAAO,MAAM,mBAAmB,GAAI,KAAK;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,KAAG,iBAYH,CAAC"}
|
package/dist/core/auth/jwt.js
CHANGED
|
@@ -6,6 +6,8 @@ import { appConfig } from '../bootstrap/init-config.js';
|
|
|
6
6
|
import { logger as lgr } from '../logger.js';
|
|
7
7
|
import { isObject, trim } from '../utils/utils.js';
|
|
8
8
|
import { parseIpList, isIpAllowed } from './ip-check.js';
|
|
9
|
+
import { generateTokenV2, verifyJwtV2 } from './jwt-v2.js';
|
|
10
|
+
import { getJwtRuntimeConfig } from './key-resolver.js';
|
|
9
11
|
import { isJtiRevoked, isJwtTokenRevoked, isUserRevoked } from './revocation.js';
|
|
10
12
|
const logger = lgr.getSubLogger({ name: chalk.cyan('token-auth') });
|
|
11
13
|
const { jwtToken } = appConfig.webServer?.auth || {};
|
|
@@ -46,15 +48,25 @@ export const decrypt = (encryptedStr) => {
|
|
|
46
48
|
return decryptedBuf.toString();
|
|
47
49
|
};
|
|
48
50
|
/**
|
|
49
|
-
* Generates a
|
|
50
|
-
*
|
|
51
|
-
*
|
|
52
|
-
*
|
|
53
|
-
*
|
|
54
|
-
*
|
|
55
|
-
* - `iss` is added only when webServer.auth.jwtToken.issuer is configured
|
|
51
|
+
* Generates a signed JWT.
|
|
52
|
+
*
|
|
53
|
+
* Dispatches by `appConfig.webServer.auth.jwtToken.mode`:
|
|
54
|
+
* - 'legacyAesCtr' (default) → HS256 with appConfig encryptKey (sync impl below)
|
|
55
|
+
* - 'embedded' | 'localKey' → ES256/RS256 with KeyResolver (via generateTokenV2)
|
|
56
|
+
* - 'remoteJwks' → throws — this server does not issue tokens
|
|
56
57
|
*/
|
|
57
|
-
export
|
|
58
|
+
export async function generateToken(user, liveTimeSec, payload) {
|
|
59
|
+
const { mode } = getJwtRuntimeConfig();
|
|
60
|
+
if (mode === 'legacyAesCtr') {
|
|
61
|
+
return generateTokenLegacy(user, liveTimeSec, payload);
|
|
62
|
+
}
|
|
63
|
+
return generateTokenV2(user, liveTimeSec, payload);
|
|
64
|
+
}
|
|
65
|
+
/**
|
|
66
|
+
* Legacy HS256 token issuer (used only when mode=legacyAesCtr). Kept synchronous for
|
|
67
|
+
* minimum-risk parity with prior releases and for use by tests.
|
|
68
|
+
*/
|
|
69
|
+
export const generateTokenLegacy = (user, liveTimeSec, payload) => {
|
|
58
70
|
user = trim(user).toLowerCase();
|
|
59
71
|
if (!user) {
|
|
60
72
|
throw new Error('generateToken: Username is empty');
|
|
@@ -87,12 +99,23 @@ export const generateToken = (user, liveTimeSec, payload) => {
|
|
|
87
99
|
};
|
|
88
100
|
/**
|
|
89
101
|
* Verifies a token.
|
|
90
|
-
*
|
|
91
|
-
*
|
|
92
|
-
* -
|
|
93
|
-
*
|
|
102
|
+
*
|
|
103
|
+
* Dispatches by `appConfig.webServer.auth.jwtToken.mode`:
|
|
104
|
+
* - 'legacyAesCtr' (default) → in-process HS256 + AES-CTR fallback
|
|
105
|
+
* - 'embedded' | 'localKey' | 'remoteJwks' → ES256/RS256 via verifyJwtV2 (jose-based)
|
|
106
|
+
*/
|
|
107
|
+
export async function checkJwtToken(arg) {
|
|
108
|
+
const { mode } = getJwtRuntimeConfig();
|
|
109
|
+
if (mode === 'legacyAesCtr') {
|
|
110
|
+
return checkJwtTokenLegacy(arg);
|
|
111
|
+
}
|
|
112
|
+
return verifyJwtV2(arg);
|
|
113
|
+
}
|
|
114
|
+
/**
|
|
115
|
+
* Legacy verifier — accepts standard HS256 JWTs and pre-migration AES-CTR tokens.
|
|
116
|
+
* Used only when mode=legacyAesCtr.
|
|
94
117
|
*/
|
|
95
|
-
export const
|
|
118
|
+
export const checkJwtTokenLegacy = (arg) => {
|
|
96
119
|
const token = trim(arg.token);
|
|
97
120
|
if (!token) {
|
|
98
121
|
return { errorReason: 'Token not passed' };
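Review bot: `checkJwtToken` (new line 107) is now an `async function`, while the verifier it replaces at this position appears to have been a synchronous arrow that returned the result object directly, with failure signalled by an `errorReason` field (`return { errorReason: 'Token not passed' }`). A caller that was not updated to `await` receives a Promise, whose `errorReason` is `undefined`, so a check written as `if (result.errorReason)` would treat every token as accepted. The JSDoc above the function should say so, for example `* @returns {Promise<ICheckTokenResult>} Must be awaited; an un-awaited Promise has no errorReason and reads as a pass.`, and the release notes should list this as a breaking change. `generateToken` (new line 58) has the same sync-to-async change, where an un-awaited call would put a Promise where a string token is expected. The body of `checkJwtTokenLegacy` continues outside the hunk.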
|