fa-mcp-sdk 0.4.92 → 0.4.95

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (30) hide show
  1. package/cli-template/.claude/skills/readme-generator/reference/satellite-templates.md +1 -1
  2. package/cli-template/CLAUDE.md +1 -1
  3. package/cli-template/FA-MCP-SDK-DOC/03-configuration.md +9 -5
  4. package/cli-template/FA-MCP-SDK-DOC/04-authentication.md +4 -4
  5. package/cli-template/FA-MCP-SDK-DOC/08-agent-tester-and-headless-api.md +1 -1
  6. package/cli-template/package.json +1 -1
  7. package/config/_local.yaml +13 -6
  8. package/config/custom-environment-variables.yaml +1 -0
  9. package/config/default.yaml +14 -6
  10. package/dist/core/_types_/config.d.ts +1 -0
  11. package/dist/core/_types_/config.d.ts.map +1 -1
  12. package/dist/core/auth/admin-auth.d.ts.map +1 -1
  13. package/dist/core/auth/admin-auth.js +19 -2
  14. package/dist/core/auth/admin-auth.js.map +1 -1
  15. package/dist/core/auth/jwt.d.ts +18 -9
  16. package/dist/core/auth/jwt.d.ts.map +1 -1
  17. package/dist/core/auth/jwt.js +185 -51
  18. package/dist/core/auth/jwt.js.map +1 -1
  19. package/dist/core/auth/multi-auth.d.ts +4 -2
  20. package/dist/core/auth/multi-auth.d.ts.map +1 -1
  21. package/dist/core/auth/multi-auth.js +43 -31
  22. package/dist/core/auth/multi-auth.js.map +1 -1
  23. package/dist/core/auth/revocation.d.ts +1 -0
  24. package/dist/core/auth/revocation.d.ts.map +1 -1
  25. package/dist/core/auth/revocation.js +9 -2
  26. package/dist/core/auth/revocation.js.map +1 -1
  27. package/dist/core/auth/types.d.ts +5 -0
  28. package/dist/core/auth/types.d.ts.map +1 -1
  29. package/package.json +6 -2
  30. package/scripts/generate-jwt.js +61 -35
package/cli-template/.claude/skills/readme-generator/reference/satellite-templates.md CHANGED
@@ -30,7 +30,7 @@ Configured under `webServer.auth` in `config/*.yaml`. Supported methods:
30
30
 
31
31
  - **Permanent server tokens** — O(1) set lookup, for service-to-service callers
32
32
  - **Basic** — `Authorization: Basic base64(user:pass)`
33
- - **JWT** — `Authorization: Bearer <token>`; AES-256-CTR-encrypted payload; optional IP restriction
33
+ - **JWT** — `Authorization: Bearer <token>`; standard signed JWT (HS256); optional IP restriction
34
34
  - **Custom validator** — project-defined fallback
35
35
 
36
36
  JWT tokens can be minted via:
package/cli-template/CLAUDE.md CHANGED
@@ -106,7 +106,7 @@ Priority: environment variables > local.yaml > {NODE_ENV}.yaml > default.yaml. A
106
106
  When multiple auth methods configured, detection from `Authorization` header:
107
107
  1. `permanentServerTokens` — static tokens (O(1) lookup)
108
108
  2. `basic` — base64 username:password
109
- 3. `jwtToken` — encrypted JWT (optional IP restriction via `isCheckIP` + `ip` field in payload)
109
+ 3. `jwtToken` — standard signed JWT, HS256 (optional IP restriction via `isCheckIP` + `ip` field in payload; legacy `<expire>.<hex>` tokens still accepted for backward compatibility)
110
110
  4. `custom` — user-defined validator (fallback)
111
111
 
112
112
  ## Framework Documentation
package/cli-template/FA-MCP-SDK-DOC/03-configuration.md CHANGED
@@ -155,21 +155,25 @@ webServer:
155
155
  permanentServerTokens: [ ] # Add your server tokens here: ['token1', 'token2']
156
156
 
157
157
  # ========================================================================
158
- # JWT TOKEN WITH SYMMETRIC ENCRYPTION
159
- # Custom JWT tokens with AES-256 encryption
160
- # CPU cost: Medium - decryption + JSON parsing
158
+ # JWT TOKEN standard signed JWT (HS256)
159
+ # Tokens issued by this SDK are standard 3-segment JWTs `header.payload.signature`.
160
+ # The verifier also temporarily accepts pre-migration legacy tokens
161
+ # (`<expire_ms>.<hex>` AES-256-CTR format) for backward compatibility.
162
+ # CPU cost: Medium - signature verification + JSON parsing
161
163
  #
162
164
  # To enable this authentication, you need to set auth.enabled = true and set
163
- # encryptKey to at least 20 characters
165
+ # encryptKey to at least 8 characters (used as the HS256 signing secret).
164
166
  # ========================================================================
165
167
  jwtToken:
166
- # Symmetric encryption key to generate a token for this MCP (minimum 8 chars)
168
+ # HS256 signing secret used to sign/verify tokens for this MCP (minimum 8 chars)
167
169
  encryptKey: '***'
168
170
  # If webServer.auth.enabled and the parameter true, the service name and the service specified in the token will be checked
169
171
  checkMCPName: true
170
172
  # If true and JWT token contains non-empty 'ip' field,
171
173
  # the client IP will be checked against the allowed list in the token
172
174
  isCheckIP: false
175
+ # Optional JWT `iss` claim. When non-empty, the generator stamps it and the verifier requires it.
176
+ issuer: ''
173
177
 
174
178
  # ========================================================================
175
179
  # Basic Authentication - Base64 encoded username:password
package/cli-template/FA-MCP-SDK-DOC/04-authentication.md CHANGED
@@ -74,8 +74,8 @@ For `ntlm` — uses AD configuration from `ad.domains` section.
74
74
 
75
75
  When `jwtToken` is used to authenticate into the admin panel (`/admin`), the decoded
76
76
  payload **must** contain `allow: 'gen-token'`. Any JWT without this claim is rejected
77
- with `401` even if it decrypts and is not expired. This prevents short-lived JWTs
78
- issued for other purposes (e.g. the Agent Tester page auto-fills a JWT into its
77
+ with `401` even if its signature verifies and it is not expired. This prevents short-lived
78
+ JWTs issued for other purposes (e.g. the Agent Tester page auto-fills a JWT into its
79
79
  `Authorization` header — TTL is configurable via `agentTester.tokenTTLSec`, default
80
80
  30 min) from being replayed against `/admin` to mint arbitrary long-lived tokens.
81
81
 
@@ -311,7 +311,7 @@ node scripts/generate-jwt.js -u <username> -ttl <duration> [-s <service>] [-p <p
311
311
  | `-s`, `--service-name` | `JWT_PAYLOAD_SERVICE_NAME` | Service name (optional) |
312
312
  | `-p`, `--params` | `JWT_PAYLOAD_PARAMS` | Extra payload `key=value;key=value` (optional) |
313
313
 
314
- The `encryptKey` is read from config `webServer.auth.jwtToken.encryptKey` (via `config/local.yaml` or ENV `WS_TOKEN_ENCRYPT_KEY`).
314
+ The HS256 signing secret is read from config `webServer.auth.jwtToken.encryptKey` (via `config/local.yaml` or ENV `WS_TOKEN_ENCRYPT_KEY`). Generated tokens are standard 3-segment JWTs.
315
315
 
316
316
  **Examples:**
317
317
 
@@ -388,7 +388,7 @@ curl -X POST http://localhost:3000/gen-jwt \
388
388
  ```json
389
389
  {
390
390
  "success": true,
391
- "token": "1718000000000.a1b2c3...",
391
+ "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0dXNlciJ9.signature",
392
392
  "user": "testuser",
393
393
  "expire": "2025-07-10T12:00:00.000Z",
394
394
  "ttlSeconds": 2592000
package/cli-template/FA-MCP-SDK-DOC/08-agent-tester-and-headless-api.md CHANGED
@@ -130,7 +130,7 @@ When `useAuth` is `true`, a successful browser login creates a server-side sessi
130
130
 
131
131
  When the MCP server requires authentication (`webServer.auth.enabled: true`) and the chat UI is configured to send the `Authorization` header, the page does **not** ask the user to type a token — it issues one for itself by calling `GET /api/auth-token` on load. The endpoint returns a header value derived from the configured method, in priority order:
132
132
 
133
- 1. **`jwtToken`** — `Bearer <encrypted JWT>` issued by the server with `sub: 'agentTester'`, `service: <appConfig.name>`, and TTL = `agentTester.tokenTTLSec` (default 1800 sec / 30 min). The response also includes `ttlSec` so the client can plan refresh.
133
+ 1. **`jwtToken`** — `Bearer <standard signed JWT>` issued by the server with `sub: 'agentTester'`, `aud: <appConfig.name>`, and TTL = `agentTester.tokenTTLSec` (default 1800 sec / 30 min). The response also includes `ttlSec` so the client can plan refresh.
134
134
  2. **`basic`** — `Basic <base64(user:password)>` from `webServer.auth.basic`.
135
135
  3. **`permanentServerTokens`** — `Bearer <first configured token>`.
136
136
 
package/cli-template/package.json CHANGED
@@ -54,7 +54,7 @@
54
54
  "dependencies": {
55
55
  "@modelcontextprotocol/sdk": "^1.29.0",
56
56
  "dotenv": "^17.4.1",
57
- "fa-mcp-sdk": "^0.4.92"
57
+ "fa-mcp-sdk": "^0.4.93"
58
58
  },
59
59
  "devDependencies": {
60
60
  "@types/express": "^5.0.6",
package/config/_local.yaml CHANGED
@@ -304,21 +304,25 @@ webServer:
304
304
  permanentServerTokens: [ ]
305
305
 
306
306
  #> ========================================================================
307
- #> JWT TOKEN WITH SYMMETRIC ENCRYPTION
308
- #> Custom JWT tokens with AES-256 encryption
309
- #> CPU cost: Medium decryption + JSON parsing
307
+ #> JWT TOKEN standard signed JWT (HS256)
308
+ #> Tokens issued by this SDK are standard 3-segment JWTs `header.payload.signature`.
309
+ #> The verifier also temporarily accepts pre-migration legacy tokens
310
+ #> (`<expire_ms>.<hex>` AES-256-CTR format) for backward compatibility.
311
+ #> CPU cost: Medium — signature verification + JSON parsing
310
312
  #>
311
313
  #> To enable this authentication, you need to set auth.enabled = true and set
312
- #> encryptKey to at least 20 characters
314
+ #> encryptKey to at least 8 characters (used as the HS256 signing secret).
313
315
  #> ========================================================================
314
316
  jwtToken:
315
- #> Symmetric encryption key to generate a token for this MCP (minimum 8 chars)
317
+ #> HS256 signing secret used to sign/verify tokens for this MCP (minimum 8 chars)
316
318
  encryptKey: '{{webServer.auth.token.encryptKey}}'
317
319
  #> If webServer.auth.enabled and the parameter true, the service name and the service specified in the token will be checked
318
320
  checkMCPName: {{webServer.auth.token.checkMCPName}}
319
321
  #> If true and JWT token contains non-empty 'ip' field,
320
322
  #> the client IP will be checked against the allowed list in the token
321
323
  isCheckIP: false
324
+ #> Optional JWT `iss` claim. When non-empty, the generator stamps it and the verifier requires it.
325
+ issuer: ''
322
326
 
323
327
  #> ========================================================================
324
328
  #> Basic Authentication — Base64 encoded username:password
@@ -338,7 +342,10 @@ webServer:
338
342
  #> MCP endpoints, Admin panel, and Agent Tester.
339
343
  #> ========================================================================
340
344
  revoked:
341
- #> Revoked JWT tokens. Each entry: { token: '<jwt>', note?: '<reason>' }
345
+ #> Revoked JWT entries. Each entry: { token: '<value>', note?: '<reason>' }.
346
+ #> `token` may be:
347
+ #> - a full token string (legacy `<expire>.<hex>` or exact standard JWT `a.b.c`)
348
+ #> - a standard JWT ID (`jti`) — preferred for revoking standard JWTs
342
349
  jwtTokens: [ ]
343
350
  #> Revoked usernames matched against JWT payload.user (case-insensitive)
344
351
  users: [ ]
package/config/custom-environment-variables.yaml CHANGED
@@ -57,6 +57,7 @@ webServer:
57
57
  encryptKey: WS_TOKEN_ENCRYPT_KEY
58
58
  checkMCPName: WS_CHECK_MC_NAME
59
59
  isCheckIP: WS_JWT_CHECK_IP
60
+ issuer: WS_JWT_ISSUER
60
61
  basic:
61
62
  username: WS_AUTH_BASIC_USERNAME
62
63
  password: WS_AUTH_BASIC_PASSWORD
package/config/default.yaml CHANGED
@@ -302,21 +302,26 @@ webServer:
302
302
  permanentServerTokens: [ ]
303
303
 
304
304
  #> ========================================================================
305
- #> JWT TOKEN WITH SYMMETRIC ENCRYPTION
306
- #> Custom JWT tokens with AES-256 encryption
307
- #> CPU cost: Medium decryption + JSON parsing
305
+ #> JWT TOKEN standard signed JWT (HS256)
306
+ #> Tokens issued by this SDK are standard 3-segment JWTs `header.payload.signature`.
307
+ #> The verifier also temporarily accepts pre-migration legacy tokens
308
+ #> (`<expire_ms>.<hex>` AES-256-CTR format) for backward compatibility.
309
+ #> CPU cost: Medium — signature verification + JSON parsing
308
310
  #>
309
311
  #> To enable this authentication, you need to set auth.enabled = true and set
310
- #> encryptKey to at least 20 characters
312
+ #> encryptKey to at least 8 characters (used as the HS256 signing secret).
311
313
  #> ========================================================================
312
314
  jwtToken:
313
- #> Symmetric encryption key to generate a token for this MCP (minimum 8 chars)
315
+ #> HS256 signing secret used to sign/verify tokens for this MCP (minimum 8 chars)
314
316
  encryptKey: '***'
315
317
  #> If webServer.auth.enabled and the parameter true, the service name and the service specified in the token will be checked
316
318
  checkMCPName: true
317
319
  #> If true and JWT token contains non-empty 'ip' field,
318
320
  #> the client IP will be checked against the allowed list in the token
319
321
  isCheckIP: false
322
+ #> Optional JWT `iss` claim. When non-empty, the generator stamps it and the verifier requires it.
323
+ #> Leave empty to skip issuer enforcement.
324
+ issuer: ''
320
325
 
321
326
  #> ========================================================================
322
327
  #> Basic Authentication — Base64 encoded username:password
@@ -336,7 +341,10 @@ webServer:
336
341
  #> MCP endpoints, Admin panel, and Agent Tester.
337
342
  #> ========================================================================
338
343
  revoked:
339
- #> Revoked JWT tokens. Each entry: { token: '<jwt>', note?: '<reason>' }
344
+ #> Revoked JWT entries. Each entry: { token: '<value>', note?: '<reason>' }.
345
+ #> `token` may be:
346
+ #> - a full token string (legacy `<expire>.<hex>` or exact standard JWT `a.b.c`)
347
+ #> - a standard JWT ID (`jti`) — preferred for revoking standard JWTs
340
348
  jwtTokens: [ ]
341
349
  #> Revoked usernames matched against JWT payload.user (case-insensitive)
342
350
  users: [ ]
package/dist/core/_types_/config.d.ts CHANGED
@@ -19,6 +19,7 @@ interface IWebServerConfig {
19
19
  encryptKey: string;
20
20
  checkMCPName: boolean;
21
21
  isCheckIP: boolean;
22
+ issuer?: string;
22
23
  };
23
24
  permanentServerTokens: string[];
24
25
  revoked?: {
package/dist/core/_types_/config.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/core/_types_/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAE3D,OAAO,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAEzD,MAAM,MAAM,aAAa,GAAG,uBAAuB,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;AACpF,MAAM,MAAM,kBAAkB,GAAG,aAAa,GAAG,MAAM,CAAC;AAExD,UAAU,gBAAgB;IACxB,SAAS,EAAE;QACT,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,IAAI,EAAE;YACJ,OAAO,EAAE,OAAO,CAAC;YACjB,KAAK,CAAC,EAAE;gBACN,QAAQ,EAAE,MAAM,CAAC;gBACjB,QAAQ,EAAE,MAAM,CAAC;aAClB,CAAC;YACF,QAAQ,EAAE;gBACR,UAAU,EAAE,MAAM,CAAC;gBACnB,YAAY,EAAE,OAAO,CAAC;gBACtB,SAAS,EAAE,OAAO,CAAC;aACpB,CAAC;YACF,qBAAqB,EAAE,MAAM,EAAE,CAAC;YAEhC,OAAO,CAAC,EAAE;gBAER,SAAS,CAAC,EAAE,KAAK,CAAC;oBAAE,KAAK,EAAE,MAAM,CAAC;oBAAC,IAAI,CAAC,EAAE,MAAM,CAAA;iBAAE,CAAC,CAAC;gBAEpD,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;aAClB,CAAC;SACH,CAAC;QACF,eAAe,EAAE,OAAO,CAAC;KAC1B,CAAC;CACH;AAKD,UAAU,iBAAiB;IACzB,UAAU,CAAC,EAAE;QACX,OAAO,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,kBAAkB,GAAG,kBAAkB,EAAE,GAAG,IAAI,CAAC;KAC7D,CAAC;CACH;AAGD,UAAU,aAAa;IACrB,MAAM,EAAE;QACN,KAAK,EAAE,aAAa,CAAC;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED,UAAU,UAAU;IAClB,GAAG,EAAE;QACH,SAAS,EAAE;YACT,WAAW,EAAE,MAAM,CAAC;YACpB,QAAQ,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,aAAa,EAAE,OAAO,GAAG,MAAM,CAAC;QAChC,KAAK,EAAE;YACL,QAAQ,EAAE,MAAM,GAAG,mBAAmB,CAAC;YACvC,eAAe,EAAE,OAAO,CAAC;SAC1B,CAAC;KACH,CAAC;CACH;AAED,UAAU,cAAc;IACtB,OAAO,EAAE;QACP,OAAO,CAAC,EAAE;YACR,GAAG,EAAE,MAAM,CAAC;YACZ,WAAW,EAAE,MAAM,CAAC;SACrB,EAAE,CAAC;KACL,CAAC;CACH;AAED,UAAU,kBAAkB;IAC1B,WAAW,CAAC,EAAE;QACZ,OAAO,EAAE,OAAO,CAAC;QACjB,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,OAAO,EAAE,OAAO,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,MAAM,CAAC,EAAE;YACP,MAAM,EAAE,MAAM,CAAC;YACf,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,cAAc,CAAC,EAAE,OAAO,CAAC;SAC1B,CAAC;QACF,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACtC,CAAC;CACH;AAED,UAAU,eAAe;IACvB,QAAQ,CAAC,EAAE;QACT,QAAQ,CAAC,EAAE;YACT,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,CAAC,EAAE,MAAM,CAAC;SACf,CAAC;QACF,UAAU,CAAC,EAAE;YACX,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,CAAC,EAAE,MAAM,CAAC;SACf,CAAC;KACH,CAAC;CACH;AAED,UAAU,YAAY;IACpB,KAAK,EAAE;QACL,UAAU,EAAE,GAAG,CAAC;QAChB,QAAQ,EAAE,IAAI,CAAC;KAChB,CAAC;CACH;AAED,MAAM,WAAW,SACf,SACE,SAAS,EACT,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,kBAAkB,EAClB,eAAe;IACjB,YAAY,EAAE,OAAO,CAAC;IAEtB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IAEpB,YAAY,EAAE,aAAa,CAAC;IAC5B,MAAM,EAAE,eAAe,GAAG;QACxB,OAAO,EAAE;YACP,IAAI,EAAE,MAAM,CAAC;YACb,GAAG,EAAE,MAAM,CAAC;SACb,CAAC;KACH,CAAC;IACF,OAAO,EAAE;QACP,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH"}
1
+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/core/_types_/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAE3D,OAAO,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAEzD,MAAM,MAAM,aAAa,GAAG,uBAAuB,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;AACpF,MAAM,MAAM,kBAAkB,GAAG,aAAa,GAAG,MAAM,CAAC;AAExD,UAAU,gBAAgB;IACxB,SAAS,EAAE;QACT,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,IAAI,EAAE;YACJ,OAAO,EAAE,OAAO,CAAC;YACjB,KAAK,CAAC,EAAE;gBACN,QAAQ,EAAE,MAAM,CAAC;gBACjB,QAAQ,EAAE,MAAM,CAAC;aAClB,CAAC;YACF,QAAQ,EAAE;gBACR,UAAU,EAAE,MAAM,CAAC;gBACnB,YAAY,EAAE,OAAO,CAAC;gBACtB,SAAS,EAAE,OAAO,CAAC;gBACnB,MAAM,CAAC,EAAE,MAAM,CAAC;aACjB,CAAC;YACF,qBAAqB,EAAE,MAAM,EAAE,CAAC;YAEhC,OAAO,CAAC,EAAE;gBAER,SAAS,CAAC,EAAE,KAAK,CAAC;oBAAE,KAAK,EAAE,MAAM,CAAC;oBAAC,IAAI,CAAC,EAAE,MAAM,CAAA;iBAAE,CAAC,CAAC;gBAEpD,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;aAClB,CAAC;SACH,CAAC;QACF,eAAe,EAAE,OAAO,CAAC;KAC1B,CAAC;CACH;AAKD,UAAU,iBAAiB;IACzB,UAAU,CAAC,EAAE;QACX,OAAO,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,kBAAkB,GAAG,kBAAkB,EAAE,GAAG,IAAI,CAAC;KAC7D,CAAC;CACH;AAGD,UAAU,aAAa;IACrB,MAAM,EAAE;QACN,KAAK,EAAE,aAAa,CAAC;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED,UAAU,UAAU;IAClB,GAAG,EAAE;QACH,SAAS,EAAE;YACT,WAAW,EAAE,MAAM,CAAC;YACpB,QAAQ,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,aAAa,EAAE,OAAO,GAAG,MAAM,CAAC;QAChC,KAAK,EAAE;YACL,QAAQ,EAAE,MAAM,GAAG,mBAAmB,CAAC;YACvC,eAAe,EAAE,OAAO,CAAC;SAC1B,CAAC;KACH,CAAC;CACH;AAED,UAAU,cAAc;IACtB,OAAO,EAAE;QACP,OAAO,CAAC,EAAE;YACR,GAAG,EAAE,MAAM,CAAC;YACZ,WAAW,EAAE,MAAM,CAAC;SACrB,EAAE,CAAC;KACL,CAAC;CACH;AAED,UAAU,kBAAkB;IAC1B,WAAW,CAAC,EAAE;QACZ,OAAO,EAAE,OAAO,CAAC;QACjB,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,OAAO,EAAE,OAAO,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,MAAM,CAAC,EAAE;YACP,MAAM,EAAE,MAAM,CAAC;YACf,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,cAAc,CAAC,EAAE,OAAO,CAAC;SAC1B,CAAC;QACF,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACtC,CAAC;CACH;AAED,UAAU,eAAe;IACvB,QAAQ,CAAC,EAAE;QACT,QAAQ,CAAC,EAAE;YACT,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,CAAC,EAAE,MAAM,CAAC;SACf,CAAC;QACF,UAAU,CAAC,EAAE;YACX,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,CAAC,EAAE,MAAM,CAAC;SACf,CAAC;KACH,CAAC;CACH;AAED,UAAU,YAAY;IACpB,KAAK,EAAE;QACL,UAAU,EAAE,GAAG,CAAC;QAChB,QAAQ,EAAE,IAAI,CAAC;KAChB,CAAC;CACH;AAED,MAAM,WAAW,SACf,SACE,SAAS,EACT,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,kBAAkB,EAClB,eAAe;IACjB,YAAY,EAAE,OAAO,CAAC;IAEtB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IAEpB,YAAY,EAAE,aAAa,CAAC;IAC5B,MAAM,EAAE,eAAe,GAAG;QACxB,OAAO,EAAE;YACP,IAAI,EAAE,MAAM,CAAC;YACb,GAAG,EAAE,MAAM,CAAC;SACb,CAAC;KACH,CAAC;IACF,OAAO,EAAE;QACP,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH"}
package/dist/core/auth/admin-auth.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"admin-auth.d.ts","sourceRoot":"","sources":["../../../src/core/auth/admin-auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE1E,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAarD,YAAY,EAAE,aAAa,EAAE,CAAC;AAI9B;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,aAAa,EAAE,CAOnD;AA6CD;;;;GAIG;AACH,wBAAgB,uBAAuB,IAAI,MAAM,GAAG,IAAI,CAavD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,EAAE,CAe9C;AAgDD;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,EAAE,CAqEpD"}
1
+ {"version":3,"file":"admin-auth.d.ts","sourceRoot":"","sources":["../../../src/core/auth/admin-auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE1E,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAarD,YAAY,EAAE,aAAa,EAAE,CAAC;AAI9B;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,aAAa,EAAE,CAOnD;AA6CD;;;;GAIG;AACH,wBAAgB,uBAAuB,IAAI,MAAM,GAAG,IAAI,CAavD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,EAAE,CAe9C;AAkED;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,EAAE,CAqEpD"}
package/dist/core/auth/admin-auth.js CHANGED
@@ -105,6 +105,22 @@ export function getAdminAuthMethods() {
105
105
  }
106
106
  return [...new Set(methods)];
107
107
  }
108
+ /**
109
+ * Build an actionable 401 message. `scheme` here is what `getTokenFromHttpHeader` returned:
110
+ * 'basic' for Basic auth, 'bearer' for anything else. `looksLikeJwt` indicates the bearer
111
+ * credential matches a known JWT format (legacy `<expire>.<hex>` or standard `a.b.c`) — but
112
+ * since permanent tokens may also contain dots, this is only a hint for diagnostics.
113
+ */
114
+ function buildAuthFailureMessage(scheme, looksLikeJwt, allowedTypes) {
115
+ const allowed = allowedTypes.length > 0 ? allowedTypes.join(', ') : 'none';
116
+ if (scheme === 'bearer' && looksLikeJwt && !allowedTypes.includes('jwtToken')) {
117
+ return `Authentication failed: token looks like a JWT, but 'jwtToken' is not enabled in adminPanel.authType (configured: ${allowed}).`;
118
+ }
119
+ if (scheme === 'basic' && !allowedTypes.includes('basic')) {
120
+ return `Authentication failed: Basic auth is not enabled in adminPanel.authType (configured: ${allowed}).`;
121
+ }
122
+ return `Authentication failed. Admin panel accepts: ${allowed}.`;
123
+ }
108
124
  /**
109
125
  * Try authenticating a request against a single auth type.
110
126
  * Returns auth result or null if this type doesn't match the request.
@@ -186,7 +202,7 @@ export function createAdminAuthMW() {
186
202
  username: 'Unknown',
187
203
  domain: 'Unknown',
188
204
  };
189
- const { scheme, credentials } = getTokenFromHttpHeader(req);
205
+ const { scheme, credentials, looksLikeJwt } = getTokenFromHttpHeader(req);
190
206
  // If no credentials provided, request authentication
191
207
  if (!credentials) {
192
208
  return sendAuthRequired(res, standardTypes);
@@ -207,7 +223,7 @@ export function createAdminAuthMW() {
207
223
  }
208
224
  }
209
225
  logger.debug('Admin auth failed: no matching auth type');
210
- return sendAuthRequired(res, standardTypes, 'Authentication failed');
226
+ return sendAuthRequired(res, standardTypes, buildAuthFailureMessage(scheme || '', !!looksLikeJwt, standardTypes));
211
227
  },
212
228
  ];
213
229
  }
@@ -232,6 +248,7 @@ function sendAuthRequired(res, authTypes, message) {
232
248
  res.status(401).json({
233
249
  success: false,
234
250
  error: errorMessage,
251
+ allowedAuthTypes: authTypes,
235
252
  });
236
253
  }
237
254
  //# sourceMappingURL=admin-auth.js.map
package/dist/core/auth/admin-auth.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"admin-auth.js","sourceRoot":"","sources":["../../../src/core/auth/admin-auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,8CAA8C,CAAC;AAC3E,OAAO,EAAE,uBAAuB,EAAE,MAAM,4CAA4C,CAAC;AAErF,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAGtE,MAAM,EAAE,UAAU,EAAE,GAAG,SAAS,CAAC;AACjC,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC;AAE3C;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,GAAG,GAAG,UAAU,EAAE,QAAQ,CAAC;IACjC,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAsB,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,QAAuB;IACrD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,uBAAuB,CAAC,CAAC,CAAC;YAC7B,MAAM,MAAM,GAAG,IAAI,EAAE,qBAAqB,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;gBAC7D,OAAO,wBAAwB,QAAQ,wEAAwE,CAAC;YAClH,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC;YAC1B,IAAI,CAAC,KAAK,EAAE,QAAQ,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;gBACzC,OAAO,wBAAwB,QAAQ,+DAA+D,CAAC;YACzG,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC3B,IAAI,CAAC,GAAG,EAAE,UAAU,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,OAAO,wBAAwB,QAAQ,qEAAqE,CAAC;YAC/G,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,wBAAwB,QAAQ,kEAAkE,CAAC;YAC5G,CAAC;YACD,MAAM;QACR,CAAC;QAED;YACE,OAAO,gCAAgC,QAAQ,mEAAmE,CAAC;IACvH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB;IACrC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC,CAAC,iCAAiC;IAChD,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACxC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,KAAK,uBAAuB,IAAI,CAAC,KAAK,UAAU,EAAE,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;aAAM,IAAI,CAAC,KAAK,OAAO,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,mEAAmE;IACrE,CAAC;IACD,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAClB,QAAuB,EACvB,MAAc,EACd,WAAmB;IAEnB,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,uBAAuB,CAAC,CAAC,CAAC;YAC7B,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,qBAAqB;YACvB,MAAM,MAAM,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;YAChD,OAAO,MAAM,CAAC,WAAW;gBACvB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,WAAW,EAAE;gBAC/C,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC;QACjD,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,iBAAiB;YACnB,OAAO,cAAc,CAAC,WAAW,CAAC,CAAC;QACrC,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,qBAAqB;YACvB,MAAM,MAAM,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;YACrD,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBACvB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;YACvD,CAAC;YACD,IAAI,MAAM,CAAC,OAAO,EAAE,KAAK,KAAK,WAAW,EAAE,CAAC;gBAC1C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,mEAAmE,EAAE,CAAC;YACxG,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC;QAClG,CAAC;QAED;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAElC,8EAA8E;IAC9E,+EAA+E;IAC/E,kDAAkD;IAClD,IAAI,CAAC,UAAU,EAAE,OAAO,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/C,IAAI,UAAU,EAAE,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QACvE,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QAClD,CAAC;QACD,OAAO;YACL,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;gBAClD,GAAG,CAAC,IAAI,GAAG;oBACT,eAAe,EAAE,KAAK;oBACtB,QAAQ,EAAE,WAAW;oBACrB,MAAM,EAAE,QAAQ;iBACjB,CAAC;gBACF,IAAI,EAAE,CAAC;YACT,CAAC;SACF,CAAC;IACJ,CAAC;IAED,yDAAyD;IACzD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;QAC9C,OAAO,uBAAuB,EAAE,CAAC;IACnC,CAAC;IAED,gFAAgF;IAChF,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC;IAExD,6CAA6C;IAC7C,OAAO;QACL,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YAClD,yEAAyE;YACzE,GAAG,CAAC,IAAI,GAAG;gBACT,eAAe,EAAE,KAAK;gBACtB,QAAQ,EAAE,SAAS;gBACnB,MAAM,EAAE,SAAS;aAClB,CAAC;YAEF,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YAE5D,qDAAqD;YACrD,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;YAC9C,CAAC;YAED,yCAAyC;YACzC,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;gBACrC,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,EAAE,MAAM,IAAI,EAAE,EAAE,WAAW,CAAC,CAAC;gBAChE,IAAI,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBAC7B,GAAG,CAAC,IAAI,GAAG;wBACT,eAAe,EAAE,IAAI;wBACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,eAAe;wBAC5C,MAAM,EAAE,QAAQ;qBACjB,CAAC;oBACF,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;wBAClB,GAAW,CAAC,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC;oBAC5C,CAAC;oBACD,OAAO,IAAI,EAAE,CAAC;gBAChB,CAAC;YACH,CAAC;YAED,MAAM,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;YACzD,OAAO,gBAAgB,CAAC,GAAG,EAAE,aAAa,EAAE,uBAAuB,CAAC,CAAC;QACvE,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,GAAa,EAAE,SAA0B,EAAE,OAAgB;IACnF,MAAM,YAAY,GAAG,OAAO,IAAI,yBAAyB,CAAC;IAE1D,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAEhG,yDAAyD;IACzD,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,IAAI,SAAS,EAAE,CAAC;QACd,UAAU,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,UAAU,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACnB,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,YAAY;KACpB,CAAC,CAAC;AACL,CAAC"}
1
+ {"version":3,"file":"admin-auth.js","sourceRoot":"","sources":["../../../src/core/auth/admin-auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,8CAA8C,CAAC;AAC3E,OAAO,EAAE,uBAAuB,EAAE,MAAM,4CAA4C,CAAC;AAErF,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAGtE,MAAM,EAAE,UAAU,EAAE,GAAG,SAAS,CAAC;AACjC,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC;AAE3C;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,GAAG,GAAG,UAAU,EAAE,QAAQ,CAAC;IACjC,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAsB,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,QAAuB;IACrD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,uBAAuB,CAAC,CAAC,CAAC;YAC7B,MAAM,MAAM,GAAG,IAAI,EAAE,qBAAqB,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;gBAC7D,OAAO,wBAAwB,QAAQ,wEAAwE,CAAC;YAClH,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC;YAC1B,IAAI,CAAC,KAAK,EAAE,QAAQ,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;gBACzC,OAAO,wBAAwB,QAAQ,+DAA+D,CAAC;YACzG,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC3B,IAAI,CAAC,GAAG,EAAE,UAAU,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,OAAO,wBAAwB,QAAQ,qEAAqE,CAAC;YAC/G,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,wBAAwB,QAAQ,kEAAkE,CAAC;YAC5G,CAAC;YACD,MAAM;QACR,CAAC;QAED;YACE,OAAO,gCAAgC,QAAQ,mEAAmE,CAAC;IACvH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB;IACrC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC,CAAC,iCAAiC;IAChD,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACxC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,KAAK,uBAAuB,IAAI,CAAC,KAAK,UAAU,EAAE,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;aAAM,IAAI,CAAC,KAAK,OAAO,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,mEAAmE;IACrE,CAAC;IACD,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,MAAc,EAAE,YAAqB,EAAE,YAA6B;IACnG,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAE3E,IAAI,MAAM,KAAK,QAAQ,IAAI,YAAY,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9E,OAAO,oHAAoH,OAAO,IAAI,CAAC;IACzI,CAAC;IACD,IAAI,MAAM,KAAK,OAAO,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1D,OAAO,wFAAwF,OAAO,IAAI,CAAC;IAC7G,CAAC;IACD,OAAO,+CAA+C,OAAO,GAAG,CAAC;AACnE,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAClB,QAAuB,EACvB,MAAc,EACd,WAAmB;IAEnB,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,uBAAuB,CAAC,CAAC,CAAC;YAC7B,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,qBAAqB;YACvB,MAAM,MAAM,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;YAChD,OAAO,MAAM,CAAC,WAAW;gBACvB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,WAAW,EAAE;gBAC/C,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC;QACjD,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,iBAAiB;YACnB,OAAO,cAAc,CAAC,WAAW,CAAC,CAAC;QACrC,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,qBAAqB;YACvB,MAAM,MAAM,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;YACrD,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBACvB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;YACvD,CAAC;YACD,IAAI,MAAM,CAAC,OAAO,EAAE,KAAK,KAAK,WAAW,EAAE,CAAC;gBAC1C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,mEAAmE,EAAE,CAAC;YACxG,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC;QAClG,CAAC;QAED;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAElC,8EAA8E;IAC9E,+EAA+E;IAC/E,kDAAkD;IAClD,IAAI,CAAC,UAAU,EAAE,OAAO,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/C,IAAI,UAAU,EAAE,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QACvE,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QAClD,CAAC;QACD,OAAO;YACL,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;gBAClD,GAAG,CAAC,IAAI,GAAG;oBACT,eAAe,EAAE,KAAK;oBACtB,QAAQ,EAAE,WAAW;oBACrB,MAAM,EAAE,QAAQ;iBACjB,CAAC;gBACF,IAAI,EAAE,CAAC;YACT,CAAC;SACF,CAAC;IACJ,CAAC;IAED,yDAAyD;IACzD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;QAC9C,OAAO,uBAAuB,EAAE,CAAC;IACnC,CAAC;IAED,gFAAgF;IAChF,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC;IAExD,6CAA6C;IAC7C,OAAO;QACL,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YAClD,yEAAyE;YACzE,GAAG,CAAC,IAAI,GAAG;gBACT,eAAe,EAAE,KAAK;gBACtB,QAAQ,EAAE,SAAS;gBACnB,MAAM,EAAE,SAAS;aAClB,CAAC;YAEF,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YAE1E,qDAAqD;YACrD,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;YAC9C,CAAC;YAED,yCAAyC;YACzC,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;gBACrC,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,EAAE,MAAM,IAAI,EAAE,EAAE,WAAW,CAAC,CAAC;gBAChE,IAAI,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBAC7B,GAAG,CAAC,IAAI,GAAG;wBACT,eAAe,EAAE,IAAI;wBACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,eAAe;wBAC5C,MAAM,EAAE,QAAQ;qBACjB,CAAC;oBACF,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;wBAClB,GAAW,CAAC,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC;oBAC5C,CAAC;oBACD,OAAO,IAAI,EAAE,CAAC;gBAChB,CAAC;YACH,CAAC;YAED,MAAM,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;YACzD,OAAO,gBAAgB,CAAC,GAAG,EAAE,aAAa,EAAE,uBAAuB,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC,CAAC;QACpH,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,GAAa,EAAE,SAA0B,EAAE,OAAgB;IACnF,MAAM,YAAY,GAAG,OAAO,IAAI,yBAAyB,CAAC;IAE1D,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAEhG,yDAAyD;IACzD,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,IAAI,SAAS,EAAE,CAAC;QACd,UAAU,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,UAAU,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACnB,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,YAAY;QACnB,gBAAgB,EAAE,SAAS;KAC5B,CAAC,CAAC;AACL,CAAC"}
package/dist/core/auth/jwt.d.ts CHANGED
@@ -1,25 +1,34 @@
1
1
  import { ICheckTokenResult } from './types.js';
2
2
  export declare const MIN_ENCRYPT_KEY_LENGTH = 8;
3
+ export declare const legacyJwtRE: RegExp;
4
+ export declare const standardJwtRE: RegExp;
3
5
  export declare const jwtTokenRE: RegExp;
4
6
  /**
5
- * Encrypts the transmitted text with a symmetric key taken from the config
7
+ * Legacy: encrypts text with the symmetric key from config.
8
+ * Retained ONLY for backward-compatible reading of pre-migration tokens.
6
9
  */
7
10
  export declare const encrypt: (text: string) => string;
8
11
  /**
9
- * Decrypts the transmitted text with a symmetric key taken from the config
12
+ * Legacy: decrypts text with the symmetric key from config.
13
+ * Retained ONLY for backward-compatible reading of pre-migration tokens.
10
14
  */
11
15
  export declare const decrypt: (encryptedStr: string) => string;
12
16
  /**
13
- * Creates a token by encrypting the username and expiration time.
14
- * To determine the expiration time in the JB form script, at the beginning of the token
15
- * deprecation timestamp is added
17
+ * Generates a standard signed JWT (HS256).
18
+ * - `user` becomes `sub`
19
+ * - `service` becomes `aud`
20
+ * - `expire` becomes `exp`
21
+ * - `jti` is auto-generated via crypto.randomUUID()
22
+ * - other payload keys are written as private claims
23
+ * - `iss` is added only when webServer.auth.jwtToken.issuer is configured
16
24
  */
17
25
  export declare const generateToken: (user: string, liveTimeSec: number, payload?: any) => string;
18
26
  /**
19
- * Checks the validity of the token:
20
- * - Token to be decrypted
21
- * - the obsolescence time must not be expired
22
- * - If a user is transferred, it must match
27
+ * Verifies a token.
28
+ * Routes by format:
29
+ * - `header.payload.signature` standard JWT verification
30
+ * - `<expire_ms>.<hex>` legacy AES-256-CTR fallback
31
+ * Returns a normalized `ITokenPayload`.
23
32
  */
24
33
  export declare const checkJwtToken: (arg: {
25
34
  token: string;
package/dist/core/auth/jwt.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/core/auth/jwt.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,iBAAiB,EAAiB,MAAM,YAAY,CAAC;AAQ9D,eAAO,MAAM,sBAAsB,IAAI,CAAC;AASxC,eAAO,MAAM,UAAU,QAAmC,CAAC;AAE3D;;GAEG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,MAAM,KAAG,MAStC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,OAAO,GAAI,cAAc,MAAM,WAW3C,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,aAAa,GAAI,MAAM,MAAM,EAAE,aAAa,MAAM,EAAE,UAAU,GAAG,KAAG,MAYhF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,aAAa,GAAI,KAAK;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,KAAG,iBAoFH,CAAC"}
1
+ {"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/core/auth/jwt.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,iBAAiB,EAAiB,MAAM,YAAY,CAAC;AAS9D,eAAO,MAAM,sBAAsB,IAAI,CAAC;AAQxC,eAAO,MAAM,WAAW,QAAmC,CAAC;AAC5D,eAAO,MAAM,aAAa,QAAqD,CAAC;AAEhF,eAAO,MAAM,UAAU,QAAkF,CAAC;AAI1G;;;GAGG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,MAAM,KAAG,MAMtC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,OAAO,GAAI,cAAc,MAAM,WAO3C,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,aAAa,GAAI,MAAM,MAAM,EAAE,aAAa,MAAM,EAAE,UAAU,GAAG,KAAG,MAgChF,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,aAAa,GAAI,KAAK;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,KAAG,iBAYH,CAAC"}
package/dist/core/auth/jwt.js CHANGED
@@ -1,82 +1,220 @@
1
1
  // noinspection UnnecessaryLocalVariableJS
2
2
  import crypto from 'crypto';
3
3
  import chalk from 'chalk';
4
+ import jwt from 'jsonwebtoken';
4
5
  import { appConfig } from '../bootstrap/init-config.js';
5
6
  import { logger as lgr } from '../logger.js';
6
7
  import { isObject, trim } from '../utils/utils.js';
7
8
  import { parseIpList, isIpAllowed } from './ip-check.js';
8
- import { isJwtTokenRevoked, isUserRevoked } from './revocation.js';
9
+ import { isJtiRevoked, isJwtTokenRevoked, isUserRevoked } from './revocation.js';
9
10
  const logger = lgr.getSubLogger({ name: chalk.cyan('token-auth') });
10
11
  const { jwtToken } = appConfig.webServer?.auth || {};
11
12
  const checkMCPName = jwtToken?.checkMCPName || false;
12
13
  const isCheckIP = jwtToken?.isCheckIP || false;
14
+ const configuredIssuer = trim(jwtToken?.issuer);
13
15
  export const MIN_ENCRYPT_KEY_LENGTH = 8;
14
- const ALGORITHM = 'aes-256-ctr';
15
- const KEY = crypto
16
- .createHash('sha256')
17
- .update(String(jwtToken?.encryptKey || '11111111-7777-8888-9999-000000000000'))
18
- .digest('base64')
19
- .substring(0, 32);
20
- export const jwtTokenRE = /^(\d{13,})\.([\da-fA-F]{32,})$/;
16
+ const ENCRYPT_KEY = String(jwtToken?.encryptKey || '11111111-7777-8888-9999-000000000000');
17
+ // Legacy AES-256-CTR — used ONLY to read tokens issued before the migration to standard JWT.
18
+ const LEGACY_ALGORITHM = 'aes-256-ctr';
19
+ const LEGACY_KEY = crypto.createHash('sha256').update(ENCRYPT_KEY).digest('base64').substring(0, 32);
20
+ export const legacyJwtRE = /^(\d{13,})\.([\da-fA-F]{32,})$/;
21
+ export const standardJwtRE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
22
+ // "Looks like JWT" helper (either legacy or standard). Not used as the only criterion for auth routing.
23
+ export const jwtTokenRE = /^(?:\d{13,}\.[\da-fA-F]{32,}|[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/;
24
+ const STANDARD_CLAIMS = new Set(['user', 'expire', 'iat', 'service', 'iss', 'sub', 'aud', 'exp', 'jti']);
21
25
  /**
22
- * Encrypts the transmitted text with a symmetric key taken from the config
26
+ * Legacy: encrypts text with the symmetric key from config.
27
+ * Retained ONLY for backward-compatible reading of pre-migration tokens.
23
28
  */
24
29
  export const encrypt = (text) => {
25
30
  const buffer = Buffer.from(text);
26
- // Create an initialization vector
27
31
  const iv = crypto.randomBytes(16);
28
- // Create a new cipher using the algorithm, key, and iv
29
- const cipher = crypto.createCipheriv(ALGORITHM, KEY, iv);
30
- // Create the new (encrypted) buffer
32
+ const cipher = crypto.createCipheriv(LEGACY_ALGORITHM, LEGACY_KEY, iv);
31
33
  const encryptedBuf = Buffer.concat([iv, cipher.update(buffer), cipher.final()]);
32
34
  return encryptedBuf.toString('hex');
33
35
  };
34
36
  /**
35
- * Decrypts the transmitted text with a symmetric key taken from the config
37
+ * Legacy: decrypts text with the symmetric key from config.
38
+ * Retained ONLY for backward-compatible reading of pre-migration tokens.
36
39
  */
37
40
  export const decrypt = (encryptedStr) => {
38
41
  const encryptedByf = Buffer.from(encryptedStr, 'hex');
39
- // Get the iv: the first 16 bytes
40
42
  const iv2 = encryptedByf.subarray(0, 16);
41
- // Get the rest
42
43
  const restBuf = encryptedByf.subarray(16);
43
- // Create decipher
44
- const decipher = crypto.createDecipheriv(ALGORITHM, KEY, iv2);
45
- // Actually decrypt it
44
+ const decipher = crypto.createDecipheriv(LEGACY_ALGORITHM, LEGACY_KEY, iv2);
46
45
  const decryptedBuf = Buffer.concat([decipher.update(restBuf), decipher.final()]);
47
46
  return decryptedBuf.toString();
48
47
  };
49
48
  /**
50
- * Creates a token by encrypting the username and expiration time.
51
- * To determine the expiration time in the JB form script, at the beginning of the token
52
- * deprecation timestamp is added
49
+ * Generates a standard signed JWT (HS256).
50
+ * - `user` becomes `sub`
51
+ * - `service` becomes `aud`
52
+ * - `expire` becomes `exp`
53
+ * - `jti` is auto-generated via crypto.randomUUID()
54
+ * - other payload keys are written as private claims
55
+ * - `iss` is added only when webServer.auth.jwtToken.issuer is configured
53
56
  */
54
57
  export const generateToken = (user, liveTimeSec, payload) => {
55
58
  user = trim(user).toLowerCase();
56
59
  if (!user) {
57
60
  throw new Error('generateToken: Username is empty');
58
61
  }
59
- const expire = Date.now() + liveTimeSec * 1000;
60
- const issuedAt = new Date().toISOString();
61
- payload = isObject(payload) ? payload : {};
62
- payload.user = user;
63
- payload.expire = expire;
64
- payload.iat = issuedAt;
65
- return `${expire}.${encrypt(JSON.stringify(payload))}`;
62
+ const inputPayload = isObject(payload) ? { ...payload } : {};
63
+ // Extract reserved fields and drop them from the private claims
64
+ const service = trim(inputPayload.service) || undefined;
65
+ delete inputPayload.user;
66
+ delete inputPayload.expire;
67
+ delete inputPayload.iat;
68
+ delete inputPayload.service;
69
+ delete inputPayload.sub;
70
+ delete inputPayload.aud;
71
+ delete inputPayload.exp;
72
+ delete inputPayload.iss;
73
+ delete inputPayload.jti;
74
+ const signOptions = {
75
+ algorithm: 'HS256',
76
+ subject: user,
77
+ expiresIn: liveTimeSec,
78
+ jwtid: crypto.randomUUID(),
79
+ };
80
+ if (service) {
81
+ signOptions.audience = service;
82
+ }
83
+ if (configuredIssuer) {
84
+ signOptions.issuer = configuredIssuer;
85
+ }
86
+ return jwt.sign(inputPayload, ENCRYPT_KEY, signOptions);
66
87
  };
67
88
  /**
68
- * Checks the validity of the token:
69
- * - Token to be decrypted
70
- * - the obsolescence time must not be expired
71
- * - If a user is transferred, it must match
89
+ * Verifies a token.
90
+ * Routes by format:
91
+ * - `header.payload.signature` standard JWT verification
92
+ * - `<expire_ms>.<hex>` legacy AES-256-CTR fallback
93
+ * Returns a normalized `ITokenPayload`.
72
94
  */
73
95
  export const checkJwtToken = (arg) => {
74
- let { token, expectedUser, expectedService = appConfig.name, clientIp } = arg;
75
- token = (token || '').trim();
96
+ const token = trim(arg.token);
76
97
  if (!token) {
77
98
  return { errorReason: 'Token not passed' };
78
99
  }
79
- const [, expirePartStr, encryptedPayload] = jwtTokenRE.exec(token) || [];
100
+ if (standardJwtRE.test(token)) {
101
+ return checkStandardJwt(token, arg);
102
+ }
103
+ if (legacyJwtRE.test(token)) {
104
+ return checkLegacyJwt(token, arg);
105
+ }
106
+ return { errorReason: 'The token is not a JWT' };
107
+ };
108
+ function checkStandardJwt(token, arg) {
109
+ // Exact-match revoke against the full token string (works for legacy revoke records too)
110
+ if (isJwtTokenRevoked(token)) {
111
+ return { errorReason: 'JWT Token has been revoked' };
112
+ }
113
+ let decoded;
114
+ try {
115
+ const verifyOptions = { algorithms: ['HS256'] };
116
+ if (configuredIssuer) {
117
+ verifyOptions.issuer = configuredIssuer;
118
+ }
119
+ const result = jwt.verify(token, ENCRYPT_KEY, verifyOptions);
120
+ if (typeof result === 'string') {
121
+ return { errorReason: 'The token is not a JWT' };
122
+ }
123
+ decoded = result;
124
+ }
125
+ catch (err) {
126
+ if (err?.name === 'TokenExpiredError') {
127
+ const expiredAt = err.expiredAt instanceof Date ? err.expiredAt.getTime() : 0;
128
+ const expiredOn = expiredAt ? Date.now() - expiredAt : 0;
129
+ return {
130
+ isTokenDecrypted: true,
131
+ errorReason: expiredOn > 0 ? `JWT Token expired :: on ${expiredOn} mc` : 'JWT Token expired',
132
+ };
133
+ }
134
+ if (err?.name === 'JsonWebTokenError') {
135
+ if (typeof err.message === 'string' && err.message.toLowerCase().includes('signature')) {
136
+ return { errorReason: 'Invalid signature' };
137
+ }
138
+ if (typeof err.message === 'string' && err.message.toLowerCase().includes('issuer')) {
139
+ return { errorReason: `JWT Token: ${err.message}` };
140
+ }
141
+ return { errorReason: 'The token is not a JWT' };
142
+ }
143
+ logger.error(err);
144
+ return { errorReason: `Error verifying JWT token :: ${err?.message ?? 'unknown error'}` };
145
+ }
146
+ // Normalize to ITokenPayload shape
147
+ const sub = typeof decoded.sub === 'string' ? decoded.sub : '';
148
+ if (!sub) {
149
+ return { errorReason: 'JWT Token: missing subject' };
150
+ }
151
+ const expSec = typeof decoded.exp === 'number' ? decoded.exp : 0;
152
+ if (!expSec) {
153
+ return { isTokenDecrypted: true, errorReason: 'JWT Token: missing expiration' };
154
+ }
155
+ const iatSec = typeof decoded.iat === 'number' ? decoded.iat : 0;
156
+ const audValues = Array.isArray(decoded.aud)
157
+ ? decoded.aud.filter((value) => typeof value === 'string' && !!trim(value))
158
+ : typeof decoded.aud === 'string' && trim(decoded.aud)
159
+ ? [decoded.aud]
160
+ : [];
161
+ const expectedService = arg.expectedService ?? appConfig.name;
162
+ const normalizedService = expectedService && audValues.includes(expectedService) ? expectedService : audValues[0];
163
+ const payload = { user: sub, expire: expSec * 1000 };
164
+ if (iatSec) {
165
+ payload.iat = new Date(iatSec * 1000).toISOString();
166
+ }
167
+ if (normalizedService) {
168
+ payload.service = normalizedService;
169
+ }
170
+ if (typeof decoded.iss === 'string') {
171
+ payload.iss = decoded.iss;
172
+ }
173
+ if (typeof decoded.jti === 'string') {
174
+ payload.jti = decoded.jti;
175
+ }
176
+ // copy private claims (everything not in STANDARD_CLAIMS)
177
+ for (const [k, v] of Object.entries(decoded)) {
178
+ if (!STANDARD_CLAIMS.has(k)) {
179
+ payload[k] = v;
180
+ }
181
+ }
182
+ // Revoke by jti
183
+ if (payload.jti && isJtiRevoked(payload.jti)) {
184
+ return { isTokenDecrypted: true, errorReason: 'JWT Token has been revoked' };
185
+ }
186
+ if (isUserRevoked(payload.user)) {
187
+ return { isTokenDecrypted: true, errorReason: `JWT Token: user '${payload.user}' has been revoked` };
188
+ }
189
+ const expectedUser = trim(arg.expectedUser).toLowerCase();
190
+ if (expectedUser && payload.user !== expectedUser) {
191
+ return {
192
+ isTokenDecrypted: true,
193
+ errorReason: `JWT Token: user not match :: Expected '${expectedUser}' / obtained from the token: '${payload.user}'`,
194
+ };
195
+ }
196
+ if (checkMCPName) {
197
+ const obtainedService = audValues.length > 1 ? audValues.join(', ') : payload.service;
198
+ if (expectedService && !audValues.includes(expectedService)) {
199
+ return {
200
+ isTokenDecrypted: true,
201
+ errorReason: `JWT Token: service not match :: Expected '${expectedService}' / obtained from the token: '${obtainedService}'`,
202
+ };
203
+ }
204
+ }
205
+ if (isCheckIP && payload.ip && arg.clientIp) {
206
+ const allowedIps = parseIpList(payload.ip);
207
+ if (allowedIps.length > 0 && !isIpAllowed(arg.clientIp, allowedIps)) {
208
+ return {
209
+ isTokenDecrypted: true,
210
+ errorReason: `JWT Token: client IP ${arg.clientIp} is not in the allowed list`,
211
+ };
212
+ }
213
+ }
214
+ return { payload };
215
+ }
216
+ function checkLegacyJwt(token, arg) {
217
+ const [, expirePartStr, encryptedPayload] = legacyJwtRE.exec(token) || [];
80
218
  if (!expirePartStr || !encryptedPayload) {
81
219
  return { errorReason: 'The token is not a JWT' };
82
220
  }
@@ -108,7 +246,7 @@ export const checkJwtToken = (arg) => {
108
246
  errorReason: `JWT Token: user '${payload.user}' has been revoked`,
109
247
  };
110
248
  }
111
- expectedUser = trim(expectedUser).toLowerCase();
249
+ const expectedUser = trim(arg.expectedUser).toLowerCase();
112
250
  if (expectedUser && payload.user !== expectedUser) {
113
251
  return {
114
252
  isTokenDecrypted: true,
@@ -116,6 +254,7 @@ export const checkJwtToken = (arg) => {
116
254
  };
117
255
  }
118
256
  if (checkMCPName) {
257
+ const expectedService = arg.expectedService ?? appConfig.name;
119
258
  if (expectedService && payload.service !== expectedService) {
120
259
  return {
121
260
  isTokenDecrypted: true,
@@ -123,28 +262,23 @@ export const checkJwtToken = (arg) => {
123
262
  };
124
263
  }
125
264
  }
126
- let expire = Number(expirePartStr) || 0;
265
+ const expire = Number(expirePartStr) || 0;
127
266
  const expiredOn = Date.now() - expire;
128
267
  if (expiredOn > 0) {
129
- // Token deprecated
130
268
  return {
131
269
  isTokenDecrypted: true,
132
270
  errorReason: `JWT Token expired :: on ${expiredOn} mc`,
133
271
  };
134
272
  }
135
- // IP check (after all other validations pass)
136
- if (isCheckIP && payload.ip) {
137
- if (clientIp) {
138
- const allowedIps = parseIpList(payload.ip);
139
- if (allowedIps.length > 0 && !isIpAllowed(clientIp, allowedIps)) {
140
- return {
141
- isTokenDecrypted: true,
142
- errorReason: `JWT Token: client IP ${clientIp} is not in the allowed list`,
143
- };
144
- }
273
+ if (isCheckIP && payload.ip && arg.clientIp) {
274
+ const allowedIps = parseIpList(payload.ip);
275
+ if (allowedIps.length > 0 && !isIpAllowed(arg.clientIp, allowedIps)) {
276
+ return {
277
+ isTokenDecrypted: true,
278
+ errorReason: `JWT Token: client IP ${arg.clientIp} is not in the allowed list`,
279
+ };
145
280
  }
146
281
  }
147
- // OK!
148
282
  return { payload };
149
- };
283
+ }
150
284
  //# sourceMappingURL=jwt.js.map
package/dist/core/auth/jwt.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../../src/core/auth/jwt.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEnD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAGnE,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAEpE,MAAM,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC;AACrD,MAAM,YAAY,GAAG,QAAQ,EAAE,YAAY,IAAI,KAAK,CAAC;AACrD,MAAM,SAAS,GAAG,QAAQ,EAAE,SAAS,IAAI,KAAK,CAAC;AAE/C,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC;AAExC,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,GAAG,GAAG,MAAM;KACf,UAAU,CAAC,QAAQ,CAAC;KACpB,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,IAAI,sCAAsC,CAAC,CAAC;KAC9E,MAAM,CAAC,QAAQ,CAAC;KAChB,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAEpB,MAAM,CAAC,MAAM,UAAU,GAAG,gCAAgC,CAAC;AAE3D;;GAEG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,IAAY,EAAU,EAAE;IAC9C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjC,kCAAkC;IAClC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,uDAAuD;IACvD,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACzD,oCAAoC;IACpC,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAChF,OAAO,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACtC,CAAC,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,YAAoB,EAAE,EAAE;IAC9C,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;IACtD,iCAAiC;IACjC,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACzC,eAAe;IACf,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC1C,kBAAkB;IAClB,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAC9D,sBAAsB;IACtB,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACjF,OAAO,YAAY,CAAC,QAAQ,EAAE,CAAC;AACjC,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAY,EAAE,WAAmB,EAAE,OAAa,EAAU,EAAE;IACxF,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAChC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,IAAI,CAAC;IAC/C,MAAM,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3C,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IACpB,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;IACxB,OAAO,CAAC,GAAG,GAAG,QAAQ,CAAC;IACvB,OAAO,GAAG,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;AACzD,CAAC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,GAK7B,EAAqB,EAAE;IACtB,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,eAAe,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;IAC9E,KAAK,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,CAAC;IAC7C,CAAC;IAED,MAAM,CAAC,EAAE,aAAa,EAAE,gBAAgB,CAAC,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IAEzE,IAAI,CAAC,aAAa,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACxC,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IACvD,CAAC;IAED,IAAI,UAAU,GAAW,EAAE,CAAC;IAC5B,IAAI,CAAC;QACH,UAAU,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACvC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,EAAE,WAAW,EAAE,gEAAgE,EAAE,CAAC;QAC3F,CAAC;IACH,CAAC;IAAC,OAAO,GAAgB,EAAE,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,EAAE,WAAW,EAAE,iCAAiC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;IACzE,CAAC;IACD,IAAI,OAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAgB,EAAE,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,EAAE,WAAW,EAAE,+CAA+C,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;IACvF,CAAC;IAED,IAAI,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,oBAAoB,OAAO,CAAC,IAAI,oBAAoB;SAClE,CAAC;IACJ,CAAC;IAED,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;IAChD,IAAI,YAAY,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAClD,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,2CAA2C,YAAY,iCAAiC,OAAO,CAAC,IAAI,GAAG;SACrH,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,eAAe,IAAI,OAAO,CAAC,OAAO,KAAK,eAAe,EAAE,CAAC;YAC3D,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,8CAA8C,eAAe,iCAAiC,OAAO,CAAC,OAAO,GAAG;aAC9H,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,MAAM,GAAG,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IAExC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC;IACtC,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;QAClB,mBAAmB;QACnB,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,2BAA2B,SAAS,KAAK;SACvD,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,IAAI,SAAS,IAAI,OAAO,CAAC,EAAE,EAAE,CAAC;QAC5B,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,UAAU,GAAG,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YAC3C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,CAAC;gBAChE,OAAO;oBACL,gBAAgB,EAAE,IAAI;oBACtB,WAAW,EAAE,wBAAwB,QAAQ,6BAA6B;iBAC3E,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM;IACN,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC,CAAC"}
1
+ {"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../../src/core/auth/jwt.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAA+C,MAAM,cAAc,CAAC;AAE3E,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEnD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAGjF,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAEpE,MAAM,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC;AACrD,MAAM,YAAY,GAAG,QAAQ,EAAE,YAAY,IAAI,KAAK,CAAC;AACrD,MAAM,SAAS,GAAG,QAAQ,EAAE,SAAS,IAAI,KAAK,CAAC;AAC/C,MAAM,gBAAgB,GAAG,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;AAEhD,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC;AAExC,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,EAAE,UAAU,IAAI,sCAAsC,CAAC,CAAC;AAE3F,6FAA6F;AAC7F,MAAM,gBAAgB,GAAG,aAAa,CAAC;AACvC,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAErG,MAAM,CAAC,MAAM,WAAW,GAAG,gCAAgC,CAAC;AAC5D,MAAM,CAAC,MAAM,aAAa,GAAG,kDAAkD,CAAC;AAChF,wGAAwG;AACxG,MAAM,CAAC,MAAM,UAAU,GAAG,+EAA+E,CAAC;AAE1G,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAEzG;;;GAGG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,IAAY,EAAU,EAAE;IAC9C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,gBAAgB,EAAE,UAAU,EAAE,EAAE,CAAC,CAAC;IACvE,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAChF,OAAO,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACtC,CAAC,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,YAAoB,EAAE,EAAE;IAC9C,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;IACtD,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,gBAAgB,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACjF,OAAO,YAAY,CAAC,QAAQ,EAAE,CAAC;AACjC,CAAC,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAY,EAAE,WAAmB,EAAE,OAAa,EAAU,EAAE;IACxF,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAChC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAE7D,gEAAgE;IAChE,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC;IACxD,OAAO,YAAY,CAAC,IAAI,CAAC;IACzB,OAAO,YAAY,CAAC,MAAM,CAAC;IAC3B,OAAO,YAAY,CAAC,GAAG,CAAC;IACxB,OAAO,YAAY,CAAC,OAAO,CAAC;IAC5B,OAAO,YAAY,CAAC,GAAG,CAAC;IACxB,OAAO,YAAY,CAAC,GAAG,CAAC;IACxB,OAAO,YAAY,CAAC,GAAG,CAAC;IACxB,OAAO,YAAY,CAAC,GAAG,CAAC;IACxB,OAAO,YAAY,CAAC,GAAG,CAAC;IAExB,MAAM,WAAW,GAAgB;QAC/B,SAAS,EAAE,OAAO;QAClB,OAAO,EAAE,IAAI;QACb,SAAS,EAAE,WAAW;QACtB,KAAK,EAAE,MAAM,CAAC,UAAU,EAAE;KAC3B,CAAC;IACF,IAAI,OAAO,EAAE,CAAC;QACZ,WAAW,CAAC,QAAQ,GAAG,OAAO,CAAC;IACjC,CAAC;IACD,IAAI,gBAAgB,EAAE,CAAC;QACrB,WAAW,CAAC,MAAM,GAAG,gBAAgB,CAAC;IACxC,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;AAC1D,CAAC,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,GAK7B,EAAqB,EAAE;IACtB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC9B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,CAAC;IAC7C,CAAC;IACD,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO,gBAAgB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACtC,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,cAAc,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE,CAAC;AACnD,CAAC,CAAC;AAEF,SAAS,gBAAgB,CACvB,KAAa,EACb,GAA2E;IAE3E,yFAAyF;IACzF,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IACvD,CAAC;IAED,IAAI,OAAmB,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,aAAa,GAAkB,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/D,IAAI,gBAAgB,EAAE,CAAC;YACrB,aAAa,CAAC,MAAM,GAAG,gBAAgB,CAAC;QAC1C,CAAC;QACD,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;QAC7D,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE,CAAC;QACnD,CAAC;QACD,OAAO,GAAG,MAAM,CAAC;IACnB,CAAC;IAAC,OAAO,GAAgB,EAAE,CAAC;QAC1B,IAAI,GAAG,EAAE,IAAI,KAAK,mBAAmB,EAAE,CAAC;YACtC,MAAM,SAAS,GAAG,GAAG,CAAC,SAAS,YAAY,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9E,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;YACzD,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,2BAA2B,SAAS,KAAK,CAAC,CAAC,CAAC,mBAAmB;aAC7F,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,EAAE,IAAI,KAAK,mBAAmB,EAAE,CAAC;YACtC,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBACvF,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,CAAC;YAC9C,CAAC;YACD,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACpF,OAAO,EAAE,WAAW,EAAE,cAAc,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;YACtD,CAAC;YACD,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE,CAAC;QACnD,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,EAAE,WAAW,EAAE,gCAAgC,GAAG,EAAE,OAAO,IAAI,eAAe,EAAE,EAAE,CAAC;IAC5F,CAAC;IAED,mCAAmC;IACnC,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAC/D,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IACvD,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACjE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,EAAE,+BAA+B,EAAE,CAAC;IAClF,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC;QAC1C,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5F,CAAC,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;YACpD,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;YACf,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,eAAe,GAAG,GAAG,CAAC,eAAe,IAAI,SAAS,CAAC,IAAI,CAAC;IAC9D,MAAM,iBAAiB,GAAG,eAAe,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAElH,MAAM,OAAO,GAAkB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,EAAE,CAAC;IACpE,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,GAAG,IAAI,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IACtD,CAAC;IACD,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,CAAC,OAAO,GAAG,iBAAiB,CAAC;IACtC,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IAC5B,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IAC5B,CAAC;IACD,0DAA0D;IAC1D,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5B,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,gBAAgB;IAChB,IAAI,OAAO,CAAC,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7C,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IAC/E,CAAC;IAED,IAAI,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,EAAE,oBAAoB,OAAO,CAAC,IAAI,oBAAoB,EAAE,CAAC;IACvG,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1D,IAAI,YAAY,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAClD,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,2CAA2C,YAAY,iCAAiC,OAAO,CAAC,IAAI,GAAG;SACrH,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,eAAe,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;QACtF,IAAI,eAAe,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YAC5D,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,8CAA8C,eAAe,iCAAiC,eAAe,GAAG;aAC9H,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,SAAS,IAAI,OAAO,CAAC,EAAE,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC5C,MAAM,UAAU,GAAG,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC3C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,CAAC;YACpE,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,wBAAwB,GAAG,CAAC,QAAQ,6BAA6B;aAC/E,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC;AAED,SAAS,cAAc,CACrB,KAAa,EACb,GAA2E;IAE3E,MAAM,CAAC,EAAE,aAAa,EAAE,gBAAgB,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IAC1E,IAAI,CAAC,aAAa,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACxC,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IACvD,CAAC;IAED,IAAI,UAAU,GAAW,EAAE,CAAC;IAC5B,IAAI,CAAC;QACH,UAAU,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACvC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,EAAE,WAAW,EAAE,gEAAgE,EAAE,CAAC;QAC3F,CAAC;IACH,CAAC;IAAC,OAAO,GAAgB,EAAE,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,EAAE,WAAW,EAAE,iCAAiC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;IACzE,CAAC;IACD,IAAI,OAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAgB,EAAE,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,EAAE,WAAW,EAAE,+CAA+C,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;IACvF,CAAC;IAED,IAAI,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,oBAAoB,OAAO,CAAC,IAAI,oBAAoB;SAClE,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1D,IAAI,YAAY,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAClD,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,2CAA2C,YAAY,iCAAiC,OAAO,CAAC,IAAI,GAAG;SACrH,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,eAAe,GAAG,GAAG,CAAC,eAAe,IAAI,SAAS,CAAC,IAAI,CAAC;QAC9D,IAAI,eAAe,IAAI,OAAO,CAAC,OAAO,KAAK,eAAe,EAAE,CAAC;YAC3D,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,8CAA8C,eAAe,iCAAiC,OAAO,CAAC,OAAO,GAAG;aAC9H,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC;IACtC,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;QAClB,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,2BAA2B,SAAS,KAAK;SACvD,CAAC;IACJ,CAAC;IAED,IAAI,SAAS,IAAI,OAAO,CAAC,EAAE,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC5C,MAAM,UAAU,GAAG,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC3C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,CAAC;YACpE,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,wBAAwB,GAAG,CAAC,QAAQ,6BAA6B;aAC/E,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC"}
package/dist/core/auth/multi-auth.d.ts CHANGED
@@ -1,8 +1,10 @@
1
1
  import { Request } from 'express';
2
- import { AuthDetectionResult, AuthResult, AuthType } from './types.js';
2
+ import { AuthDetectionResult, AuthResult } from './types.js';
3
+ export type AuthScheme = 'basic' | 'bearer';
3
4
  export declare const getTokenFromHttpHeader: (req: Request) => {
4
- scheme?: AuthType;
5
+ scheme?: AuthScheme;
5
6
  credentials?: string;
7
+ looksLikeJwt?: boolean;
6
8
  };
7
9
  /**
8
10
  * Detects configured authentication types in priority order (ascending CPU load)
package/dist/core/auth/multi-auth.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"multi-auth.d.ts","sourceRoot":"","sources":["../../../src/core/auth/multi-auth.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAUlC,OAAO,EAAE,mBAAmB,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAsBvE,eAAO,MAAM,sBAAsB,GAAI,KAAK,OAAO,KAAG;IAAE,MAAM,CAAC,EAAE,QAAQ,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAiB9F,CAAC;AAyBF;;GAEG;AACH,wBAAgB,uBAAuB,IAAI,mBAAmB,CAgD7D;AAsBD;;GAEG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAqFtE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAa3C;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CAuC/C"}
1
+ {"version":3,"file":"multi-auth.d.ts","sourceRoot":"","sources":["../../../src/core/auth/multi-auth.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAUlC,OAAO,EAAE,mBAAmB,EAAE,UAAU,EAAY,MAAM,YAAY,CAAC;AAqBvE,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG,QAAQ,CAAC;AAG5C,eAAO,MAAM,sBAAsB,GACjC,KAAK,OAAO,KACX;IAAE,MAAM,CAAC,EAAE,UAAU,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,OAAO,CAAA;CAcrE,CAAC;AAyBF;;GAEG;AACH,wBAAgB,uBAAuB,IAAI,mBAAmB,CAgD7D;AAsBD;;GAEG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAgGtE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAa3C;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CAuC/C"}
package/dist/core/auth/multi-auth.js CHANGED
@@ -34,10 +34,7 @@ export const getTokenFromHttpHeader = (req) => {
34
34
  if (scheme.toLowerCase() === 'basic') {
35
35
  return { scheme: 'basic', credentials };
36
36
  }
37
- if (jwtTokenRE.test(credentials)) {
38
- return { scheme: 'jwtToken', credentials };
39
- }
40
- return { scheme: 'permanentServerTokens', credentials };
37
+ return { scheme: 'bearer', credentials, looksLikeJwt: jwtTokenRE.test(credentials) };
41
38
  };
42
39
  /**
43
40
  * Gets custom auth validator from global context.
@@ -150,54 +147,69 @@ export async function checkMultiAuth(req) {
150
147
  // fall through to standard auth
151
148
  }
152
149
  }
153
- const { scheme: authType, credentials } = getTokenFromHttpHeader(req);
150
+ const { scheme, credentials } = getTokenFromHttpHeader(req);
154
151
  if (!credentials) {
155
152
  return { success: false, error: `${E_PFX}credentials not provided` };
156
153
  }
157
- if (!authType) {
158
- return { success: false, error: `${E_PFX}Cannot detect auth type from Authorization header` };
154
+ if (!scheme) {
155
+ return { success: false, error: `${E_PFX}Cannot detect auth scheme from Authorization header` };
159
156
  }
160
157
  logger.debug(`Checking auth types: ${configuredTypes}`);
161
- if (!configuredSet.has(authType)) {
162
- return { success: false, error: `${E_PFX}Detected in Authorisation header auth type ${authType} not configured` };
163
- }
164
158
  let errorResult = undefined;
165
159
  try {
166
- switch (authType) {
167
- case 'permanentServerTokens': {
160
+ if (scheme === 'basic') {
161
+ if (!configuredSet.has('basic')) {
162
+ return {
163
+ success: false,
164
+ error: `${E_PFX}Detected Basic auth in Authorization header, but 'basic' is not configured`,
165
+ };
166
+ }
167
+ const result = checkBasicAuth(credentials);
168
+ if (result.success) {
169
+ return { ...result, authType: 'basic', payload: { user: result.username } };
170
+ }
171
+ errorResult = { ...result, authType: 'basic' };
172
+ }
173
+ else {
174
+ // Bearer / non-Basic: try permanent tokens first (O(1)), then JWT.
175
+ // Permanent tokens can contain dots, so we never classify purely by shape.
176
+ let permError;
177
+ let jwtErrorResult;
178
+ if (configuredSet.has('permanentServerTokens')) {
168
179
  const { errorReason } = checkPermanentToken(credentials);
169
180
  if (!errorReason) {
170
- return { success: true, authType };
181
+ return { success: true, authType: 'permanentServerTokens' };
171
182
  }
172
- errorResult = { success: false, authType, error: `${E_PFX}${errorReason}` };
173
- break;
183
+ permError = errorReason;
174
184
  }
175
- case 'basic': {
176
- const result = checkBasicAuth(credentials);
177
- if (result.success) {
178
- // For basic auth, create payload with user property
179
- return { ...result, authType, payload: { user: result.username } };
180
- }
181
- errorResult = { ...result, authType };
182
- break;
183
- }
184
- case 'jwtToken': {
185
+ if (configuredSet.has('jwtToken')) {
185
186
  const xff = req.headers['x-forwarded-for'];
186
187
  const xffStr = (Array.isArray(xff) ? (xff[0] ?? '') : (xff ?? '')).split(',').shift() ?? '';
187
188
  const clientIp = req.ip ?? (xffStr.trim() || (req.socket?.remoteAddress ?? ''));
188
189
  const { errorReason, payload, isTokenDecrypted } = checkJwtToken({ token: credentials, clientIp });
189
190
  if (!errorReason) {
190
- return { success: true, authType, payload };
191
+ return { success: true, authType: 'jwtToken', payload };
191
192
  }
192
- errorResult = { success: false, error: `${E_PFX}${errorReason}`, authType, isTokenDecrypted };
193
- break;
193
+ jwtErrorResult = { success: false, error: `${E_PFX}${errorReason}`, authType: 'jwtToken', isTokenDecrypted };
194
+ }
195
+ // Prefer the JWT-specific error (it's more informative for malformed/expired JWTs).
196
+ // Fall back to the permanent token error if JWT wasn't configured/attempted.
197
+ if (jwtErrorResult) {
198
+ errorResult = jwtErrorResult;
199
+ }
200
+ else if (permError) {
201
+ errorResult = { success: false, authType: 'permanentServerTokens', error: `${E_PFX}${permError}` };
202
+ }
203
+ else {
204
+ errorResult = {
205
+ success: false,
206
+ error: `${E_PFX}No bearer auth method is configured (need permanentServerTokens or jwtToken)`,
207
+ };
194
208
  }
195
- default:
196
- errorResult = { success: false, error: `${E_PFX}Unknown auth type: ${authType}` };
197
209
  }
198
210
  }
199
211
  catch (error) {
200
- logger.warn(`Auth type ${authType} failed with exception:`, error instanceof Error ? E_PFX + error.message : 'Unknown error');
212
+ logger.warn(`Auth scheme ${scheme} failed with exception:`, error instanceof Error ? E_PFX + error.message : 'Unknown error');
201
213
  }
202
214
  return (errorResult || {
203
215
  success: false,
package/dist/core/auth/multi-auth.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"multi-auth.js","sourceRoot":"","sources":["../../../src/core/auth/multi-auth.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAE1C;;GAEG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,UAAU,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAC5F,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAGrD,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAEvE,MAAM,EACJ,OAAO,EAAE,WAAW,EACpB,qBAAqB,EAAE,EAAE,EACzB,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,EAAE,EACxD,QAAQ,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,GAC9B,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC;AAEpC;;GAEG;AACH,MAAM,SAAS,GAAG;IAChB,qBAAqB,EAAE,CAAC,EAAE,iBAAiB;IAC3C,KAAK,EAAE,CAAC,EAAE,kBAAkB;IAC5B,QAAQ,EAAE,CAAC,EAAE,oCAAoC;IACjD,MAAM,EAAE,CAAC;CACV,CAAC;AAEF,MAAM,QAAQ,GAAG,iBAAiB,CAAC;AACnC,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,GAAY,EAA+C,EAAE;IAClG,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC1C,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,MAAM,GAAW,EAAE,CAAC;IACxB,IAAI,WAAW,GAAW,CAAC,CAAC;IAC5B,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACrB,CAAC,MAAM,GAAG,EAAE,EAAE,WAAW,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;QACrC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;IAC1C,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;IAC7C,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,CAAC;AAC1D,CAAC,CAAC;AAEF;;;;;;GAMG;AACH,IAAI,gBAAwD,CAAC;AAE7D,SAAS,sBAAsB;IAC7B,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,OAAO,gBAAgB,IAAI,SAAS,CAAC;IACvC,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,CAAC,oBAAoB,CAAC;IAChD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,4DAA4D;QAC5D,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,EAAE,GAAG,WAAW,CAAC,mBAAmB,CAAC;IAC3C,gBAAgB,GAAG,OAAO,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACxD,OAAO,gBAAgB,IAAI,SAAS,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB;IACrC,MAAM,UAAU,GAAe,EAAE,CAAC;IAClC,MAAM,MAAM,GAA6B,EAAE,CAAC;IAC5C,MAAM,MAAM,GAAwB,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,GAAG,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;IAE1G,IAAI,WAAW,EAAE,CAAC;QAChB,8BAA8B;QAC9B,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5C,UAAU,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,kBAAkB;QAClB,IAAI,UAAU,EAAE,MAAM,EAAE,CAAC;YACvB,IAAI,UAAU,CAAC,MAAM,GAAG,sBAAsB,EAAE,CAAC;gBAC/C,MAAM,CAAC,QAAQ,GAAG;oBAChB,oCAAoC,UAAU,CAAC,MAAM,4BAA4B,sBAAsB,aAAa;iBACrH,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,SAAS,IAAI,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,EAAE,CAAC;YAChB,0DAA0D;YAC1D,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3B,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC;YACtB,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,sBAAsB,EAAE,EAAE,CAAC;QAC7B,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5B,CAAC;IAED,MAAM,CAAC,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3E,MAAM,CAAC,aAAa,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAClD,MAAM,CAAC,eAAe,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,IAAI,iBAAkD,CAAC;AAEvD,SAAS,oBAAoB;IAC3B,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IACD,MAAM,MAAM,GAAG,uBAAuB,EAAE,CAAC;IACzC,IAAI,MAAM,CAAC,oBAAoB,EAAE,CAAC;QAChC,iBAAiB,GAAG,MAAM,CAAC;IAC7B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,KAAK,GAAG,YAAY,CAAC;AAE3B;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAY;IAC/C,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,oBAAoB,EAAE,CAAC;IAC9E,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,sCAAsC,EAAE,CAAC;IACnF,CAAC;IAED,yFAAyF;IACzF,MAAM,eAAe,GAAG,sBAAsB,EAAE,CAAC;IACjD,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,4BAA4B,GAAG,EAAE,GAAG,GAAG,EAAE,OAAO,EAAE,gBAAgB,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,CAAC;QAC9F,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,4BAA4B,CAAC,CAAC;YACzE,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;gBACzB,OAAO,YAAY,CAAC;YACtB,CAAC;YACD,iDAAiD;QACnD,CAAC;QAAC,OAAO,KAAkB,EAAE,CAAC;YAC5B,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;YACrD,gCAAgC;QAClC,CAAC;IACH,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IACtE,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,0BAA0B,EAAE,CAAC;IACvE,CAAC;IACD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,mDAAmD,EAAE,CAAC;IAChG,CAAC;IACD,MAAM,CAAC,KAAK,CAAC,wBAAwB,eAAe,EAAE,CAAC,CAAC;IAExD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,8CAA8C,QAAQ,iBAAiB,EAAE,CAAC;IACpH,CAAC;IAED,IAAI,WAAW,GAA2B,SAAS,CAAC;IACpD,IAAI,CAAC;QACH,QAAQ,QAAQ,EAAE,CAAC;YACjB,KAAK,uBAAuB,CAAC,CAAC,CAAC;gBAC7B,MAAM,EAAE,WAAW,EAAE,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;gBACzD,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;gBACrC,CAAC;gBACD,WAAW,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,KAAK,GAAG,WAAW,EAAE,EAAE,CAAC;gBAC5E,MAAM;YACR,CAAC;YAED,KAAK,OAAO,CAAC,CAAC,CAAC;gBACb,MAAM,MAAM,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;gBAC3C,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBACnB,oDAAoD;oBACpD,OAAO,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,QAAS,EAAE,EAAE,CAAC;gBACtE,CAAC;gBACD,WAAW,GAAG,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,CAAC;gBACtC,MAAM;YACR,CAAC;YAED,KAAK,UAAU,CAAC,CAAC,CAAC;gBAChB,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;gBAC3C,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;gBAC5F,MAAM,QAAQ,GAAG,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,aAAa,IAAI,EAAE,CAAC,CAAC,CAAC;gBAChF,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACnG,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;gBAC9C,CAAC;gBACD,WAAW,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,GAAG,WAAW,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC;gBAC9F,MAAM;YACR,CAAC;YAED;gBACE,WAAW,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,sBAAsB,QAAQ,EAAE,EAAE,CAAC;QACtF,CAAC;IACH,CAAC;IAAC,OAAO,KAAkB,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CACT,aAAa,QAAQ,yBAAyB,EAC9C,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CACjE,CAAC;IACJ,CAAC;IAED,OAAO,CACL,WAAW,IAAI;QACb,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,GAAG,KAAK,qDAAqD,eAAe,EAAE;KACtF,CACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE,CAAC;IAEtD,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAC1C,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAClE,MAAM,CAAC,IAAI,CAAC,uBAAuB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAE5D,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QAC1C,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE;YACjD,MAAM,CAAC,IAAI,CAAC,KAAK,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB;IACpC,MAAM,IAAI,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC;IAEvC,4CAA4C;IAC5C,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;QACnB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,0DAA0D;IAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,qBAAqB,CAAC;IAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,6BAA6B;QAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;YAC/D,OAAO,EAAE,aAAa,EAAE,UAAU,UAAU,EAAE,EAAE,CAAC;QACnD,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;IACvB,IAAI,KAAK,EAAE,QAAQ,IAAI,KAAK,EAAE,QAAQ,EAAE,CAAC;QACvC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC1F,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC5C,OAAO,EAAE,aAAa,EAAE,SAAS,WAAW,EAAE,EAAE,CAAC;IACnD,CAAC;IAED,gEAAgE;IAChE,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IAChC,IAAI,SAAS,EAAE,UAAU,IAAI,SAAS,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpE,MAAM,KAAK,GAAG,aAAa,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,OAAO,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;QACzE,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;QAC9D,OAAO,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;IAC9C,CAAC;IAED,sDAAsD;IACtD,OAAO,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IACtF,OAAO,CAAC,IAAI,CAAC,gFAAgF,CAAC,CAAC;IAC/F,OAAO,EAAE,CAAC;AACZ,CAAC"}
1
+ {"version":3,"file":"multi-auth.js","sourceRoot":"","sources":["../../../src/core/auth/multi-auth.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAE1C;;GAEG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,UAAU,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAC5F,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAGrD,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAEvE,MAAM,EACJ,OAAO,EAAE,WAAW,EACpB,qBAAqB,EAAE,EAAE,EACzB,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,EAAE,EACxD,QAAQ,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,GAC9B,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC;AAEpC;;GAEG;AACH,MAAM,SAAS,GAAG;IAChB,qBAAqB,EAAE,CAAC,EAAE,iBAAiB;IAC3C,KAAK,EAAE,CAAC,EAAE,kBAAkB;IAC5B,QAAQ,EAAE,CAAC,EAAE,oCAAoC;IACjD,MAAM,EAAE,CAAC;CACV,CAAC;AAIF,MAAM,QAAQ,GAAG,iBAAiB,CAAC;AACnC,MAAM,CAAC,MAAM,sBAAsB,GAAG,CACpC,GAAY,EAC2D,EAAE;IACzE,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC1C,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,MAAM,GAAW,EAAE,CAAC;IACxB,IAAI,WAAW,GAAW,CAAC,CAAC;IAC5B,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACrB,CAAC,MAAM,GAAG,EAAE,EAAE,WAAW,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;QACrC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;IAC1C,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;AACvF,CAAC,CAAC;AAEF;;;;;;GAMG;AACH,IAAI,gBAAwD,CAAC;AAE7D,SAAS,sBAAsB;IAC7B,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,OAAO,gBAAgB,IAAI,SAAS,CAAC;IACvC,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,CAAC,oBAAoB,CAAC;IAChD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,4DAA4D;QAC5D,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,EAAE,GAAG,WAAW,CAAC,mBAAmB,CAAC;IAC3C,gBAAgB,GAAG,OAAO,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACxD,OAAO,gBAAgB,IAAI,SAAS,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB;IACrC,MAAM,UAAU,GAAe,EAAE,CAAC;IAClC,MAAM,MAAM,GAA6B,EAAE,CAAC;IAC5C,MAAM,MAAM,GAAwB,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,GAAG,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;IAE1G,IAAI,WAAW,EAAE,CAAC;QAChB,8BAA8B;QAC9B,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5C,UAAU,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,kBAAkB;QAClB,IAAI,UAAU,EAAE,MAAM,EAAE,CAAC;YACvB,IAAI,UAAU,CAAC,MAAM,GAAG,sBAAsB,EAAE,CAAC;gBAC/C,MAAM,CAAC,QAAQ,GAAG;oBAChB,oCAAoC,UAAU,CAAC,MAAM,4BAA4B,sBAAsB,aAAa;iBACrH,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,SAAS,IAAI,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,EAAE,CAAC;YAChB,0DAA0D;YAC1D,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3B,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC;YACtB,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,sBAAsB,EAAE,EAAE,CAAC;QAC7B,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5B,CAAC;IAED,MAAM,CAAC,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3E,MAAM,CAAC,aAAa,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAClD,MAAM,CAAC,eAAe,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,IAAI,iBAAkD,CAAC;AAEvD,SAAS,oBAAoB;IAC3B,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IACD,MAAM,MAAM,GAAG,uBAAuB,EAAE,CAAC;IACzC,IAAI,MAAM,CAAC,oBAAoB,EAAE,CAAC;QAChC,iBAAiB,GAAG,MAAM,CAAC;IAC7B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,KAAK,GAAG,YAAY,CAAC;AAE3B;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAY;IAC/C,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,oBAAoB,EAAE,CAAC;IAC9E,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,sCAAsC,EAAE,CAAC;IACnF,CAAC;IAED,yFAAyF;IACzF,MAAM,eAAe,GAAG,sBAAsB,EAAE,CAAC;IACjD,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,4BAA4B,GAAG,EAAE,GAAG,GAAG,EAAE,OAAO,EAAE,gBAAgB,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,CAAC;QAC9F,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,4BAA4B,CAAC,CAAC;YACzE,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;gBACzB,OAAO,YAAY,CAAC;YACtB,CAAC;YACD,iDAAiD;QACnD,CAAC;QAAC,OAAO,KAAkB,EAAE,CAAC;YAC5B,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;YACrD,gCAAgC;QAClC,CAAC;IACH,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAC5D,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,0BAA0B,EAAE,CAAC;IACvE,CAAC;IACD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,qDAAqD,EAAE,CAAC;IAClG,CAAC;IACD,MAAM,CAAC,KAAK,CAAC,wBAAwB,eAAe,EAAE,CAAC,CAAC;IAExD,IAAI,WAAW,GAA2B,SAAS,CAAC;IACpD,IAAI,CAAC;QACH,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChC,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,GAAG,KAAK,4EAA4E;iBAC5F,CAAC;YACJ,CAAC;YACD,MAAM,MAAM,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;YAC3C,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,OAAO,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,QAAS,EAAE,EAAE,CAAC;YAC/E,CAAC;YACD,WAAW,GAAG,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,mEAAmE;YACnE,2EAA2E;YAC3E,IAAI,SAA6B,CAAC;YAClC,IAAI,cAAsC,CAAC;YAE3C,IAAI,aAAa,CAAC,GAAG,CAAC,uBAAuB,CAAC,EAAE,CAAC;gBAC/C,MAAM,EAAE,WAAW,EAAE,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;gBACzD,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,uBAAuB,EAAE,CAAC;gBAC9D,CAAC;gBACD,SAAS,GAAG,WAAW,CAAC;YAC1B,CAAC;YAED,IAAI,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;gBAC3C,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;gBAC5F,MAAM,QAAQ,GAAG,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,aAAa,IAAI,EAAE,CAAC,CAAC,CAAC;gBAChF,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACnG,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;gBAC1D,CAAC;gBACD,cAAc,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,GAAG,WAAW,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,gBAAgB,EAAE,CAAC;YAC/G,CAAC;YAED,oFAAoF;YACpF,6EAA6E;YAC7E,IAAI,cAAc,EAAE,CAAC;gBACnB,WAAW,GAAG,cAAc,CAAC;YAC/B,CAAC;iBAAM,IAAI,SAAS,EAAE,CAAC;gBACrB,WAAW,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,uBAAuB,EAAE,KAAK,EAAE,GAAG,KAAK,GAAG,SAAS,EAAE,EAAE,CAAC;YACrG,CAAC;iBAAM,CAAC;gBACN,WAAW,GAAG;oBACZ,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,GAAG,KAAK,8EAA8E;iBAC9F,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAkB,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CACT,eAAe,MAAM,yBAAyB,EAC9C,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CACjE,CAAC;IACJ,CAAC;IAED,OAAO,CACL,WAAW,IAAI;QACb,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,GAAG,KAAK,qDAAqD,eAAe,EAAE;KACtF,CACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE,CAAC;IAEtD,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAC1C,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAClE,MAAM,CAAC,IAAI,CAAC,uBAAuB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAE5D,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QAC1C,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE;YACjD,MAAM,CAAC,IAAI,CAAC,KAAK,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB;IACpC,MAAM,IAAI,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC;IAEvC,4CAA4C;IAC5C,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;QACnB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,0DAA0D;IAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,qBAAqB,CAAC;IAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,6BAA6B;QAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;YAC/D,OAAO,EAAE,aAAa,EAAE,UAAU,UAAU,EAAE,EAAE,CAAC;QACnD,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;IACvB,IAAI,KAAK,EAAE,QAAQ,IAAI,KAAK,EAAE,QAAQ,EAAE,CAAC;QACvC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC1F,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC5C,OAAO,EAAE,aAAa,EAAE,SAAS,WAAW,EAAE,EAAE,CAAC;IACnD,CAAC;IAED,gEAAgE;IAChE,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IAChC,IAAI,SAAS,EAAE,UAAU,IAAI,SAAS,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpE,MAAM,KAAK,GAAG,aAAa,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,OAAO,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;QACzE,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;QAC9D,OAAO,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;IAC9C,CAAC;IAED,sDAAsD;IACtD,OAAO,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IACtF,OAAO,CAAC,IAAI,CAAC,gFAAgF,CAAC,CAAC;IAC/F,OAAO,EAAE,CAAC;AACZ,CAAC"}
package/dist/core/auth/revocation.d.ts CHANGED
@@ -1,3 +1,4 @@
1
1
  export declare const isJwtTokenRevoked: (token: string) => boolean;
2
+ export declare const isJtiRevoked: (jti: string) => boolean;
2
3
  export declare const isUserRevoked: (user: string) => boolean;
3
4
  //# sourceMappingURL=revocation.d.ts.map
package/dist/core/auth/revocation.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"revocation.d.ts","sourceRoot":"","sources":["../../../src/core/auth/revocation.ts"],"names":[],"mappings":"AAaA,eAAO,MAAM,iBAAiB,GAAI,OAAO,MAAM,KAAG,OAA4C,CAAC;AAE/F,eAAO,MAAM,aAAa,GAAI,MAAM,MAAM,KAAG,OAAwD,CAAC"}
1
+ {"version":3,"file":"revocation.d.ts","sourceRoot":"","sources":["../../../src/core/auth/revocation.ts"],"names":[],"mappings":"AAmBA,eAAO,MAAM,iBAAiB,GAAI,OAAO,MAAM,KAAG,OAAgD,CAAC;AAEnG,eAAO,MAAM,YAAY,GAAI,KAAK,MAAM,KAAG,OAAuC,CAAC;AAEnF,eAAO,MAAM,aAAa,GAAI,MAAM,MAAM,KAAG,OAAwD,CAAC"}
package/dist/core/auth/revocation.js CHANGED
@@ -1,8 +1,15 @@
1
1
  import { appConfig } from '../bootstrap/init-config.js';
2
2
  import { trim } from '../utils/utils.js';
3
3
  const revoked = appConfig.webServer?.auth?.revoked || {};
4
- const revokedTokensSet = new Set((Array.isArray(revoked.jwtTokens) ? revoked.jwtTokens : []).map((e) => trim(e?.token)).filter(Boolean));
4
+ const entries = (Array.isArray(revoked.jwtTokens) ? revoked.jwtTokens : [])
5
+ .map((e) => trim(e?.token))
6
+ .filter(Boolean);
7
+ // Full-token entries (legacy `<expire>.<hex>` or full standard JWT `a.b.c`) — exact match
8
+ const revokedExactTokenSet = new Set(entries.filter((v) => v.includes('.')));
9
+ // Bare jti entries (no dots) — match by JWT id
10
+ const revokedJtiSet = new Set(entries.filter((v) => !v.includes('.')));
5
11
  const revokedUsersSet = new Set((Array.isArray(revoked.users) ? revoked.users : []).map((u) => trim(u).toLowerCase()).filter(Boolean));
6
- export const isJwtTokenRevoked = (token) => revokedTokensSet.has(trim(token));
12
+ export const isJwtTokenRevoked = (token) => revokedExactTokenSet.has(trim(token));
13
+ export const isJtiRevoked = (jti) => revokedJtiSet.has(trim(jti));
7
14
  export const isUserRevoked = (user) => revokedUsersSet.has(trim(user).toLowerCase());
8
15
  //# sourceMappingURL=revocation.js.map
package/dist/core/auth/revocation.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"revocation.js","sourceRoot":"","sources":["../../../src/core/auth/revocation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEzC,MAAM,OAAO,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,IAAK,EAAU,CAAC;AAElE,MAAM,gBAAgB,GAAgB,IAAI,GAAG,CAC3C,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAC5G,CAAC;AAEF,MAAM,eAAe,GAAgB,IAAI,GAAG,CAC1C,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAC3G,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,KAAa,EAAW,EAAE,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AAE/F,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAY,EAAW,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC"}
1
+ {"version":3,"file":"revocation.js","sourceRoot":"","sources":["../../../src/core/auth/revocation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEzC,MAAM,OAAO,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,IAAK,EAAU,CAAC;AAElE,MAAM,OAAO,GAAa,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;KAClF,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;KAC/B,MAAM,CAAC,OAAO,CAAC,CAAC;AAEnB,0FAA0F;AAC1F,MAAM,oBAAoB,GAAgB,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAE1F,+CAA+C;AAC/C,MAAM,aAAa,GAAgB,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAEpF,MAAM,eAAe,GAAgB,IAAI,GAAG,CAC1C,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAC3G,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,KAAa,EAAW,EAAE,CAAC,oBAAoB,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AAEnG,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,GAAW,EAAW,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAEnF,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAY,EAAW,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC"}
package/dist/core/auth/types.d.ts CHANGED
@@ -5,6 +5,11 @@ export type TTokenType = 'permanent' | 'JWT';
5
5
  export interface ITokenPayload {
6
6
  user: string;
7
7
  expire: number;
8
+ iat?: string;
9
+ service?: string;
10
+ jti?: string;
11
+ iss?: string;
12
+ ip?: string;
8
13
  [key: string]: any;
9
14
  }
10
15
  export interface ICheckTokenResult {
package/dist/core/auth/types.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/core/auth/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,MAAM,UAAU,GAAG,WAAW,GAAG,KAAK,CAAC;AAE7C,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IAEf,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,CAAC,EAAE,aAAa,CAAC;IAExB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED,MAAM,MAAM,QAAQ,GAAG,uBAAuB,GAAG,UAAU,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEjF,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,QAAQ,EAAE,CAAC;IACvB,aAAa,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC7B,eAAe,EAAE,MAAM,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IACvC,OAAO,CAAC,EAAE,GAAG,CAAC;CACf"}
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/core/auth/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,MAAM,UAAU,GAAG,WAAW,GAAG,KAAK,CAAC;AAE7C,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,EAAE,CAAC,EAAE,MAAM,CAAC;IAEZ,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,CAAC,EAAE,aAAa,CAAC;IAExB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED,MAAM,MAAM,QAAQ,GAAG,uBAAuB,GAAG,UAAU,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEjF,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,QAAQ,EAAE,CAAC;IACvB,aAAa,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC7B,eAAe,EAAE,MAAM,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IACvC,OAAO,CAAC,EAAE,GAAG,CAAC;CACf"}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "fa-mcp-sdk",
3
3
  "productName": "FA MCP SDK",
4
- "version": "0.4.92",
4
+ "version": "0.4.95",
5
5
  "description": "Core infrastructure and templates for building Model Context Protocol (MCP) servers with TypeScript",
6
6
  "type": "module",
7
7
  "main": "dist/core/index.js",
@@ -46,7 +46,9 @@
46
46
  "template:stdio": "node dist/template/start.js stdio",
47
47
  "token-gen": "node dist/core/auth/token-generator/server.js",
48
48
  "tsoa:spec": "tsoa spec",
49
- "check-llm": "node dist/core/agent-tester/check-llm.js"
49
+ "check-llm": "node dist/core/agent-tester/check-llm.js",
50
+ "test:ip-check": "npm run build && node tests/ip-check.test.mjs",
51
+ "test:jwt": "npm run build && node tests/jwt.test.mjs"
50
52
  },
51
53
  "keywords": [
52
54
  "mcp",
@@ -86,6 +88,7 @@
86
88
  "fa-consul": "^1.0.7",
87
89
  "helmet": "^8.1.0",
88
90
  "js-yaml": "^4.1.1",
91
+ "jsonwebtoken": "^9.0.3",
89
92
  "node-cache": "^5.1.2",
90
93
  "openai": "^6.33.0",
91
94
  "pgvector": "^0.2.1",
@@ -101,6 +104,7 @@
101
104
  "@types/cors": "^2.8.19",
102
105
  "@types/express": "^5.0.6",
103
106
  "@types/js-yaml": "^4.0.9",
107
+ "@types/jsonwebtoken": "^9.0.10",
104
108
  "@types/mssql": "^9.1.11",
105
109
  "@types/node": "^25.5.2",
106
110
  "@types/swagger-ui-express": "^4.1.8",
package/scripts/generate-jwt.js CHANGED
@@ -11,7 +11,8 @@
11
11
  * -s, --service-name Service name (optional). ENV: JWT_PAYLOAD_SERVICE_NAME
12
12
  * -p, --params Extra payload "key=value;key=value" (optional). ENV: JWT_PAYLOAD_PARAMS
13
13
  *
14
- * The encryptKey is read from config: webServer.auth.jwtToken.encryptKey
14
+ * The signing secret is read from config: webServer.auth.jwtToken.encryptKey
15
+ * Token format: standard signed JWT (HS256), 3 segments header.payload.signature.
15
16
  */
16
17
 
17
18
  import crypto from 'crypto';
@@ -19,6 +20,7 @@ import { readFileSync } from 'fs';
19
20
  import { fileURLToPath } from 'url';
20
21
  import { dirname, resolve } from 'path';
21
22
  import configModule from 'config';
23
+ import jwt from 'jsonwebtoken';
22
24
 
23
25
  // ── CLI argument parsing ────────────────────────────────────────────
24
26
 
@@ -81,17 +83,11 @@ if (!encryptKey || String(encryptKey).trim() === '' || encryptKey === '***') {
81
83
  process.exit(1);
82
84
  }
83
85
 
84
- // ── Encryption (mirrors src/core/auth/jwt.ts) ───────────────────────
85
-
86
- const ALGORITHM = 'aes-256-ctr';
87
- const KEY = crypto.createHash('sha256').update(String(encryptKey)).digest('base64').substring(0, 32);
88
-
89
- function encrypt(text) {
90
- const buffer = Buffer.from(text);
91
- const iv = crypto.randomBytes(16);
92
- const cipher = crypto.createCipheriv(ALGORITHM, KEY, iv);
93
- const encryptedBuf = Buffer.concat([iv, cipher.update(buffer), cipher.final()]);
94
- return encryptedBuf.toString('hex');
86
+ let configuredIssuer = '';
87
+ try {
88
+ configuredIssuer = String(configModule.get('webServer.auth.jwtToken.issuer') || '').trim();
89
+ } catch {
90
+ // optional field, ignore
95
91
  }
96
92
 
97
93
  // ── Auto-detect service name if checkMCPName is enabled ─────────────
@@ -126,14 +122,9 @@ if (!effectiveService || !effectiveService.trim()) {
126
122
  }
127
123
  }
128
124
 
129
- // ── Build payload ───────────────────────────────────────────────────
130
-
131
- const payload = {};
132
- payload.user = username.trim().toLowerCase();
125
+ // ── Build payload (private claims only) ─────────────────────────────
133
126
 
134
- if (effectiveService && effectiveService.trim()) {
135
- payload.service = effectiveService.trim();
136
- }
127
+ const privateClaims = {};
137
128
 
138
129
  // Parse extra params: "key1=value1;key2=value2"
139
130
  if (paramsRaw && paramsRaw.trim()) {
@@ -150,32 +141,67 @@ if (paramsRaw && paramsRaw.trim()) {
150
141
  console.error(`Error: empty key in param "${pair}"`);
151
142
  process.exit(1);
152
143
  }
153
- payload[key] = value;
144
+ // Skip reserved fields if user accidentally passes them
145
+ if (['user', 'expire', 'iat', 'service', 'sub', 'aud', 'exp', 'iss', 'jti'].includes(key)) {
146
+ continue;
147
+ }
148
+ privateClaims[key] = value;
154
149
  }
155
150
  }
156
151
 
157
- const expire = Date.now() + liveTimeSec * 1000;
158
- payload.expire = expire;
159
- payload.iat = new Date().toISOString();
160
-
161
152
  // ── Generate token ──────────────────────────────────────────────────
162
153
 
163
- const token = `${expire}.${encrypt(JSON.stringify(payload))}`;
154
+ const normalizedUser = username.trim().toLowerCase();
155
+ const signOptions = {
156
+ algorithm: 'HS256',
157
+ subject: normalizedUser,
158
+ expiresIn: liveTimeSec,
159
+ jwtid: crypto.randomUUID(),
160
+ };
161
+ if (effectiveService && effectiveService.trim()) {
162
+ signOptions.audience = effectiveService.trim();
163
+ }
164
+ if (configuredIssuer) {
165
+ signOptions.issuer = configuredIssuer;
166
+ }
167
+
168
+ const token = jwt.sign(privateClaims, String(encryptKey), signOptions);
169
+
170
+ // ── Decode for display (normalized payload, mirrors checkJwtToken) ──
171
+
172
+ const decoded = jwt.decode(token, { json: true }) || {};
173
+ const expireMs = (decoded.exp || 0) * 1000;
174
+ const iatIso = decoded.iat ? new Date(decoded.iat * 1000).toISOString() : new Date().toISOString();
175
+
176
+ const displayPayload = { user: normalizedUser };
177
+ if (decoded.aud) {
178
+ displayPayload.service = Array.isArray(decoded.aud) ? decoded.aud[0] : decoded.aud;
179
+ }
180
+ displayPayload.expire = expireMs;
181
+ displayPayload.iat = iatIso;
182
+ if (decoded.jti) {
183
+ displayPayload.jti = decoded.jti;
184
+ }
185
+ if (decoded.iss) {
186
+ displayPayload.iss = decoded.iss;
187
+ }
188
+ for (const [k, v] of Object.entries(privateClaims)) {
189
+ displayPayload[k] = v;
190
+ }
164
191
 
165
192
  console.log('');
166
193
  console.log('JWT Token generated successfully');
167
194
  console.log('─'.repeat(50));
168
- console.log(` User: ${payload.user}`);
169
- if (payload.service) {
170
- console.log(` Service: ${payload.service}`);
195
+ console.log(` User: ${displayPayload.user}`);
196
+ if (displayPayload.service) {
197
+ console.log(` Service: ${displayPayload.service}`);
171
198
  }
172
199
  console.log(` TTL: ${ttlRaw} (${liveTimeSec} seconds)`);
173
- console.log(` Expires: ${new Date(expire).toISOString()}`);
174
- if (Object.keys(payload).filter((k) => !['user', 'service', 'expire', 'iat'].includes(k)).length) {
175
- const extra = Object.entries(payload)
176
- .filter(([k]) => !['user', 'service', 'expire', 'iat'].includes(k))
177
- .map(([k, v]) => `${k}=${v}`)
178
- .join('; ');
200
+ console.log(` Expires: ${new Date(expireMs).toISOString()}`);
201
+ console.log(` JTI: ${displayPayload.jti || ''}`);
202
+ const extraEntries = Object.entries(privateClaims);
203
+ if (extraEntries.length) {
204
+ const extra = extraEntries.map(([k, v]) => `${k}=${v}`).join('; ');
179
205
  console.log(` Params: ${extra}`);
180
206
  }
181
207
  console.log('─'.repeat(50));
@@ -183,5 +209,5 @@ console.log('');
183
209
  console.log(token);
184
210
  console.log('');
185
211
  console.log('__PAYLOAD_JSON__');
186
- console.log(JSON.stringify({ ...payload, ttl: ttlRaw, expire_iso: new Date(expire).toISOString() }));
212
+ console.log(JSON.stringify({ ...displayPayload, ttl: ttlRaw, expire_iso: new Date(expireMs).toISOString() }));
187
213
  console.log('__END_PAYLOAD_JSON__');