fastify-portcullis 1.0.0 → 1.0.2

package/lib/index.d.ts

@@ -0,0 +1,43 @@
+import '@fastify/jwt';
+import type { FastifyPluginAsync } from 'fastify';
+/** Shape of the authenticated principal attached to every verified request. */
+export interface PortcullisUser {
+    email: string;
+}
+/**
+ * Options accepted by the plugin when registered with `fastify.register()`.
+ */
+export interface PortcullisPluginOptions {
+    /**
+     * JWT verification secret.
+     *
+     * - **string** — symmetric HS256 shared secret (suitable for test
+     *   environments and services that share a secret with Portcullis)
+     * - **{ private, public }** — asymmetric ES256 PEM key pair as issued by
+     *   Portcullis in production; services only need the `public` key to
+     *   verify tokens but the full pair is accepted so a signer can be
+     *   co-located for testing
+     */
+    secret: string | {
+        private: string | Buffer;
+        public: string | Buffer;
+    };
+    /**
+     * URL paths that bypass JWT enforcement entirely.
+     * Defaults to `['/health']`.
+     */
+    exempt?: string[];
+    /**
+     * When set, the JWT `iss` (issuer) claim must equal this value.
+     * Tokens with a missing or non-matching issuer are rejected with 400.
+     */
+    issuer?: string;
+}
+declare module '@fastify/jwt' {
+    interface FastifyJWT {
+        user: PortcullisUser;
+    }
+}
+declare const _default: FastifyPluginAsync<PortcullisPluginOptions>;
+export default _default;
+//# sourceMappingURL=index.d.ts.map

package/lib/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,cAAc,CAAA;AACrB,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAA;AAMjD,+EAA+E;AAC/E,MAAM,WAAW,cAAc;IAC3B,KAAK,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACpC;;;;;;;;;OASG;IACH,MAAM,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAA;IAEtE;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IAEjB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAA;CAClB;AAQD,OAAO,QAAQ,cAAc,CAAC;IAC1B,UAAU,UAAU;QAChB,IAAI,EAAE,cAAc,CAAA;KACvB;CACJ;;AA6CD,wBAGE"}

package/lib/index.js

@@ -0,0 +1,44 @@
+import fp from 'fastify-plugin';
+import fastifyJwt from '@fastify/jwt';
+import '@fastify/jwt'; // side-effect: ensures @fastify/jwt's FastifyRequest augmentation
+// ---------------------------------------------------------------------------
+// Plugin implementation
+// ---------------------------------------------------------------------------
+const plugin = async (fastify, opts) => {
+    const exempt = new Set(opts.exempt ?? ['/health']);
+    await fastify.register(fastifyJwt, {
+        // Cast: our public API is a strict subset of @fastify/jwt's Secret union
+        secret: opts.secret,
+        ...(opts.issuer
+            ? { verify: { allowedIss: [opts.issuer] } }
+            : {}),
+    });
+    fastify.addHook('onRequest', async (request, reply) => {
+        if (exempt.has(request.url))
+            return;
+        if (!request.headers.authorization) {
+            return reply.status(401).send({ error: 'Unauthorized' });
+        }
+        try {
+            await request.jwtVerify();
+        }
+        catch {
+            return reply.status(400).send({ error: 'Invalid token' });
+        }
+        // @fastify/jwt's allowedIss only rejects tokens where iss is present
+        // but wrong — it silently passes tokens that omit iss entirely. When
+        // the caller has configured issuer validation we enforce presence too.
+        const payload = request.user;
+        if (opts.issuer && payload.iss !== opts.issuer) {
+            return reply.status(400).send({ error: 'Invalid token' });
+        }
+        if (!payload.email) {
+            return reply.status(400).send({ error: 'Token must contain a valid email claim' });
+        }
+    });
+};
+export default fp(plugin, {
+    fastify: '>=5.0.0',
+    name: 'fastify-portcullis',
+});
+//# sourceMappingURL=index.js.map

package/lib/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAC/B,OAAO,UAAU,MAAM,cAAc,CAAA;AACrC,OAAO,cAAc,CAAA,CAAG,kEAAkE;AAqD1F,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E,MAAM,MAAM,GAAgD,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;IAChF,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,CAAC,CAAA;IAElD,MAAM,OAAO,CAAC,QAAQ,CAAC,UAAU,EAAE;QAC/B,yEAAyE;QACzE,MAAM,EAAE,IAAI,CAAC,MAAoD;QACjE,GAAG,CAAC,IAAI,CAAC,MAAM;YACX,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE;YAC3C,CAAC,CAAC,EAAE,CAAC;KACZ,CAAC,CAAA;IAEF,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;QAClD,IAAI,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC;YAAE,OAAM;QAEnC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;YACjC,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAA;QAC5D,CAAC;QAED,IAAI,CAAC;YACD,MAAM,OAAO,CAAC,SAAS,EAAE,CAAA;QAC7B,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAA;QAC7D,CAAC;QAED,qEAAqE;QACrE,qEAAqE;QACrE,uEAAuE;QACvE,MAAM,OAAO,GAAG,OAAO,CAAC,IAA0C,CAAA;QAElE,IAAI,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;YAC7C,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAA;QAC7D,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACjB,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC,CAAA;QACtF,CAAC;IACL,CAAC,CAAC,CAAA;AACN,CAAC,CAAA;AAED,eAAe,EAAE,CAAC,MAAM,EAAE;IACtB,OAAO,EAAE,SAAS;IAClB,IAAI,EAAE,oBAAoB;CAC7B,CAAC,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastify-portcullis",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Fastify plugin: JWT authentication for services behind a Portcullis proxy",
   "type": "module",
   "main": "lib/index.js",