fastify-txstate 3.6.9 → 4.0.0

package/{lib-esm/index.d.ts → lib/server.d.ts}

@@ -1,12 +1,22 @@
-/// <reference types="node" />
-/// <reference types="node" />
 import { type FastifyDynamicSwaggerOptions } from '@fastify/swagger';
 import { type FastifySwaggerUiOptions } from '@fastify/swagger-ui';
 import type { JsonSchemaToTsProvider } from '@fastify/type-provider-json-schema-to-ts';
-import { type FastifyInstance, type FastifyRequest, type FastifyReply, type FastifyServerOptions, type FastifyLoggerOptions, type FastifyBaseLogger, type RawServerDefault } from 'fastify';
+import { type FastifyInstance, type FastifyRequest, type FastifyReply, type FastifyServerOptions, type FastifyBaseLogger, type RawServerDefault } from 'fastify';
+import pino from 'pino';
 import http from 'node:http';
 import type http2 from 'node:http2';
 type ErrorHandler = (error: Error, req: FastifyRequest, res: FastifyReply) => Promise<void>;
+/**
+ * Get the base URL for this API. Uses PUBLIC_URL if set, otherwise derives
+ * from the request's protocol and hostname.
+ */
+export declare function apiBaseUrl(req: FastifyRequest): string;
+/**
+ * Get the base URL for the UI that this API serves. Uses UI_URL if set,
+ * otherwise assumes the API lives at a subpath (e.g. /api) and the UI is
+ * one level up. Falls back to the API base URL if there's no parent path.
+ */
+export declare function uiBaseUrl(req: FastifyRequest): string;
 export interface FastifyTxStateAuthInfo {
     /**
      * The primary identifier for the user that is making the request, after processing
@@ -27,6 +37,13 @@ export interface FastifyTxStateAuthInfo {
      * If all else fails, you can sha256 the session token with a salt.
      */
     sessionId: string;
+    /**
+     * The date that the session was created, if available. This is useful for considering
+     * tokens before a certain date as invalid. For instance, if you want a logout action
+     * to invalidate all tokens created until that point, you can compare this field against
+     * the last time they logged out.
+     */
+    sessionCreatedAt?: Date;
     /**
      * Some authentication systems allow administrators to impersonate regular users, so that
      * they can see what that user sees and troubleshoot issues. We still want to log the administrator
@@ -45,6 +62,39 @@ export interface FastifyTxStateAuthInfo {
      * this field can help log requests that are authenticated with the other application's token.
      */
     clientId?: string;
+    /**
+     * A string that designates the current session as one that has limited authorization. The application will
+     * be responsible for checking this field and restricting appropriately.
+     *
+     * For example, a user who authenticated via non-standard mechanism might be given a scope of 'altlogin' and
+     * only a portion of the application's functionality would be available to them.
+     */
+    scope?: string;
+    /**
+     * The token or key that was used to authenticate the request. This is useful for
+     * making sub-requests to other APIs that can authenticate with the same token.
+     */
+    token: string;
+    /**
+     * The issuer configuration for the token, if applicable. This helps you generate
+     * a proper logout url in multi-issuer environments.
+     */
+    issuerConfig?: IssuerConfig;
+    /**
+     * The OAuth access token, if available. This is useful when your API needs to make
+     * requests to the provider's APIs on behalf of the user (e.g. Google Drive, Microsoft
+     * Graph). Only populated when using cookie-based OAuth with a provider that returns
+     * an access token during the code exchange.
+     */
+    accessToken?: string;
+}
+export interface IssuerConfig {
+    iss: string;
+    url?: string;
+    publicKey?: string;
+    secret?: string;
+    validateUrl?: URL;
+    logoutUrl?: URL;
 }
 export interface FastifyTxStateOptions extends Partial<FastifyServerOptions> {
     https?: http2.SecureServerOptions;
@@ -82,39 +132,24 @@ export interface FastifyTxStateOptions extends Partial<FastifyServerOptions> {
 declare module 'fastify' {
     interface FastifyRequest {
         auth?: FastifyTxStateAuthInfo;
+        originChecker?: OriginChecker;
     }
     interface FastifyReply {
         extraLogInfo: any;
     }
 }
-export declare const devLogger: {
-    level: string;
-    info: (msg: any) => void;
-    error: {
-        (...data: any[]): void;
-        (message?: any, ...optionalParams: any[]): void;
-    };
-    debug: {
-        (...data: any[]): void;
-        (message?: any, ...optionalParams: any[]): void;
-    };
-    fatal: {
-        (...data: any[]): void;
-        (message?: any, ...optionalParams: any[]): void;
-    };
-    warn: {
-        (...data: any[]): void;
-        (message?: any, ...optionalParams: any[]): void;
-    };
-    trace: {
-        (...data: any[]): void;
-        (message?: any, ...optionalParams: any[]): void;
-    };
-    silent: (msg: any) => void;
-    child(bindings: any, options?: any): any;
-};
-export declare const prodLogger: FastifyLoggerOptions;
-export type FastifyInstanceTyped = FastifyInstance<RawServerDefault, http.IncomingMessage, http.ServerResponse<http.IncomingMessage>, FastifyBaseLogger, JsonSchemaToTsProvider>;
+export declare const devLogger: pino.Logger<never, boolean>;
+export declare const prodLogger: pino.Logger<never, boolean>;
+export type FastifyInstanceTyped = FastifyInstance<RawServerDefault, http.IncomingMessage, http.ServerResponse, FastifyBaseLogger, JsonSchemaToTsProvider>;
+export declare class OriginChecker {
+    protected validOrigins: Record<string, boolean>;
+    protected validOriginHosts: Record<string, boolean>;
+    protected validOriginSuffixes: Set<string>;
+    setValidOrigins(origins: string[]): void;
+    setValidOriginHosts(hosts: string[]): void;
+    setValidOriginSuffixes(suffixes: string[]): void;
+    check(hostname: string, requestHostname?: string): boolean;
+}
 export type TxServer = Server;
 export default class Server {
     protected config: FastifyTxStateOptions & {
@@ -129,9 +164,8 @@ export default class Server {
     } | undefined>;
     protected shuttingDown: boolean;
     protected sigHandler: (signal: any) => void;
-    protected validOrigins: Record<string, boolean>;
-    protected validOriginHosts: Record<string, boolean>;
-    protected validOriginSuffixes: Set<string>;
+    protected originChecker: OriginChecker;
+    protected swaggerEndpoint: string | undefined;
     app: FastifyInstanceTyped;
     constructor(config?: FastifyTxStateOptions & {
         http2?: true;
@@ -150,6 +184,4 @@ export default class Server {
     }): Promise<void>;
     close(softSeconds?: number): Promise<void>;
 }
-export * from './analytics';
-export * from './error';
-export * from './unified-auth';
+export {};

package/lib/server.js

@@ -0,0 +1,440 @@
+import { Ajv } from 'ajv';
+import swagger from '@fastify/swagger';
+import swaggerUI from '@fastify/swagger-ui';
+import { validatedResponse } from '@txstate-mws/fastify-shared';
+import ajvErrors from 'ajv-errors';
+import ajvFormats from 'ajv-formats';
+import { fastify } from 'fastify';
+import fs from 'node:fs';
+import pino from 'pino';
+import http from 'node:http';
+import { Writable } from 'node:stream';
+import { clone, destroyNulls, isBlank, isNotBlank, omit, set, sleep, stringifyDates, toArray } from 'txstate-utils';
+import { HttpError, ValidationError, ValidationErrors, fstValidationToMessage } from "./error.js";
+/**
+ * Get the base URL for this API. Uses PUBLIC_URL if set, otherwise derives
+ * from the request's protocol and hostname.
+ */
+export function apiBaseUrl(req) {
+    if (isNotBlank(process.env.PUBLIC_URL))
+        return process.env.PUBLIC_URL.replace(/\/$/v, '');
+    return req.protocol + '://' + req.hostname;
+}
+/**
+ * Get the base URL for the UI that this API serves. Uses UI_URL if set,
+ * otherwise assumes the API lives at a subpath (e.g. /api) and the UI is
+ * one level up. Falls back to the API base URL if there's no parent path.
+ */
+export function uiBaseUrl(req) {
+    if (isNotBlank(process.env.UI_URL))
+        return process.env.UI_URL.replace(/\/$/v, '');
+    const base = apiBaseUrl(req);
+    return new URL('..', base + '/').toString().replace(/\/$/v, '');
+}
+/* eslint-disable no-console -- devLogger intentionally writes to console */
+export const devLogger = pino({
+    level: 'info'
+}, new Writable({
+    write(chunk, _encoding, callback) {
+        const obj = JSON.parse(String(chunk));
+        if (obj.req)
+            console.info(`${obj.req.method} ${obj.req.url}`);
+        else if (obj.res)
+            console.info(`${obj.res.statusCode} - ${obj.responseTime}`);
+        else if (obj.err)
+            console.error(obj.err);
+        else
+            console.info(obj.msg || obj);
+        callback();
+    }
+}));
+/* eslint-enable no-console */
+/* eslint-disable @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call -- pino serializer params are typed as any */
+export const prodLogger = pino({
+    level: 'info',
+    serializers: {
+        req(req) {
+            return {
+                method: req.method,
+                url: req.url.replace(/(?<param>token|unifiedJwt)=[\w.]+/iv, '$<param>=redacted'),
+                remoteAddress: req.ip,
+                traceparent: req.headers.traceparent
+            };
+        },
+        res(res) {
+            return {
+                statusCode: res.statusCode,
+                url: res.request?.url.replace(/(?<param>token|unifiedJwt)=[\w.]+/iv, '$<param>=redacted'),
+                length: Number(toArray(res.getHeader?.('content-length'))[0]),
+                ...omit(res.extraLogInfo, 'auth'),
+                auth: omit(res.request?.auth ?? res.extraLogInfo?.auth ?? {}, 'token', 'accessToken', 'issuerConfig')
+            };
+        }
+    }
+});
+export class OriginChecker {
+    validOrigins = {};
+    validOriginHosts = {};
+    validOriginSuffixes = new Set();
+    setValidOrigins(origins) {
+        this.validOrigins = origins.reduce((acc, origin) => ({ ...acc, [origin]: true }), {});
+    }
+    setValidOriginHosts(hosts) {
+        this.validOriginHosts = hosts.reduce((acc, host) => ({ ...acc, [host]: true }), {});
+    }
+    setValidOriginSuffixes(suffixes) {
+        this.validOriginSuffixes.clear();
+        for (const s of suffixes)
+            this.validOriginSuffixes.add(s.replace(/^\./v, ''));
+    }
+    check(hostname, requestHostname) {
+        try {
+            const parsed = new URL(hostname.includes('://') ? hostname : 'https://' + hostname);
+            if (this.validOrigins[parsed.origin])
+                return true;
+            if (requestHostname && parsed.hostname === requestHostname)
+                return true;
+            if (this.validOriginHosts[parsed.hostname])
+                return true;
+            const parts = parsed.hostname.split('.');
+            for (let i = 0; i < parts.length; i++) {
+                if (this.validOriginSuffixes.has(parts.slice(i).join('.')))
+                    return true;
+            }
+            return false;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+export default class Server {
+    config;
+    https = false;
+    errorHandlers = [];
+    healthMessage;
+    healthCallback;
+    shuttingDown = false;
+    sigHandler;
+    originChecker = new OriginChecker();
+    swaggerEndpoint;
+    app;
+    constructor(config = {}) {
+        this.config = config;
+        try {
+            const key = fs.readFileSync('/securekeys/private.key');
+            const cert = fs.readFileSync('/securekeys/cert.pem');
+            config.https = {
+                ...config.https,
+                allowHTTP1: true,
+                key,
+                cert,
+                minVersion: 'TLSv1.2'
+            };
+            config.http2 = true;
+            this.https = true;
+        }
+        catch (e) {
+            this.https = false;
+            delete config.https;
+        }
+        if (typeof config.logger === 'undefined' && !config.loggerInstance) {
+            config.loggerInstance = process.env.NODE_ENV === 'development'
+                ? devLogger
+                : prodLogger;
+        }
+        if (process.env.TRUST_PROXY != null) {
+            if (['true', '1'].includes(process.env.TRUST_PROXY))
+                config.trustProxy = true;
+            else
+                config.trustProxy = process.env.TRUST_PROXY;
+        }
+        config.ajv = { ...config.ajv, mode: undefined, plugins: [...(config.ajv?.plugins ?? []), ajvErrors, [ajvFormats, { mode: 'fast' }]], customOptions: { ...config.ajv?.customOptions, allErrors: true, strictSchema: false, coerceTypes: true } };
+        this.healthCallback = config.checkHealth;
+        this.app = fastify(config);
+        this.app.addHook('onRoute', route => {
+            if (!route.schema?.body)
+                return;
+            const missingResponse = route.schema.response == null;
+            const response400 = set(validatedResponse.properties.messages, 'description', 'Basic validation failure. This means that the UI provided input that failed validation as defined in the openapi specification published by the API. The UI is at fault and should be re-coded to avoid sending invalid data.');
+            let newSchema = set(route.schema ?? {}, 'response.400', response400);
+            const response422 = set(validatedResponse, 'description', 'Validation failure. This means that the user provided an invalid object. The user should be shown their error so that they can correct it.');
+            newSchema = set(newSchema, 'response.422', response422);
+            if (missingResponse) {
+                newSchema.response['200'] = {
+                    description: 'Success. Return type has not been specified.',
+                    type: 'object'
+                };
+            }
+            route.schema = newSchema;
+        });
+        this.app.addHook('preValidation', (req, res, done) => {
+            if (req.body != null && req.routeOptions.schema?.body)
+                destroyNulls(req.body);
+            done();
+        });
+        // use Ajv to validate responses instead of @fastify/json-fast-stringify since ajv does
+        // a better job with recursive types and we don't want to have different behavior between
+        // input and output validation
+        const ajv = new Ajv(config.ajv.customOptions);
+        for (const pluginConfig of config.ajv.plugins ?? []) {
+            const [plugin, opts] = toArray(pluginConfig);
+            plugin(ajv, opts); // eslint-disable-line @typescript-eslint/no-unsafe-call -- plugin type comes from fastify's ajv config
+        }
+        this.app.setSerializerCompiler(route => {
+            const schema = route.schema;
+            const validate = schema == null ? ajv.compile({ type: 'object' }) : ajv.compile(schema); // eslint-disable-line @typescript-eslint/no-unnecessary-condition -- schema can be undefined at runtime
+            return data => {
+                /**
+                 * Ajv unfortunately treats optional properties as non-nullable, so they're allowed to
+                 * be undefined but not allowed to be null. Worse, with `coerceTypes`, null will be converted
+                 * to empty string or 0 or false. This is silly behavior, so we're converting all nulls to
+                 * undefined before we validate.
+                 */
+                if (schema != null)
+                    destroyNulls(stringifyDates(data)); // eslint-disable-line @typescript-eslint/no-unnecessary-condition -- schema can be undefined at runtime
+                if (!validate(data))
+                    throw new Error('Output validation failed. ' + validate.errors?.[0].instancePath + ': ' + validate.errors?.[0].message);
+                return JSON.stringify(data);
+            };
+        });
+        this.app.addHook('onRequest', (req, res, done) => {
+            res.extraLogInfo = {};
+            req.originChecker = this.originChecker;
+            done();
+        });
+        if (!config.skipOriginCheck && !process.env.SKIP_ORIGIN_CHECK) {
+            this.originChecker.setValidOrigins([...(config.validOrigins ?? []), ...(process.env.VALID_ORIGINS?.split(',') ?? [])]);
+            this.originChecker.setValidOriginHosts([...(config.validOriginHosts ?? []), ...(process.env.VALID_ORIGIN_HOSTS?.split(',') ?? [])]);
+            this.originChecker.setValidOriginSuffixes([...(config.validOriginSuffixes ?? []), ...(process.env.VALID_ORIGIN_SUFFIXES?.split(',') ?? [])]);
+            this.app.addHook('onRequest', async (req, res) => {
+                if (!req.headers.origin)
+                    return;
+                const passed = (req.headers.origin === 'null'
+                    ? process.env.NODE_ENV === 'development'
+                    : this.originChecker.check(req.headers.origin, req.hostname)) || !!config.checkOrigin?.(req);
+                if (!passed) {
+                    await res.status(403).send('Origin check failed. Suspected XSRF attack.');
+                    return await res;
+                }
+                else {
+                    void res.header('Access-Control-Allow-Origin', req.headers.origin);
+                    void res.header('Access-Control-Max-Age', '600'); // ask browser to skip pre-flights for 10 minutes after a yes
+                    if (req.headers['access-control-request-method'])
+                        void res.header('access-control-allow-methods', req.headers['access-control-request-method']);
+                    if (req.headers['access-control-request-headers'])
+                        void res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
+                }
+            });
+            this.app.options('*', async (req, res) => {
+                await res.send();
+            });
+        }
+        if (config.authenticate) {
+            const authenticatedMethods = {
+                GET: true,
+                POST: true,
+                PUT: true,
+                PATCH: true,
+                DELETE: true
+            };
+            this.app.addHook('onRequest', async (req, res) => {
+                if (!authenticatedMethods[req.method] || isBlank(req.routeOptions.url) || req.routeOptions.url === '/health' || req.routeOptions.url === '/.uaService' || (this.swaggerEndpoint && req.routeOptions.url.startsWith(this.swaggerEndpoint)))
+                    return;
+                try {
+                    req.auth = await config.authenticate(req);
+                }
+                catch (e) {
+                    await res.status(401).send('Failed to authenticate.');
+                    return await res;
+                }
+            });
+        }
+        this.app.addHook('onSend', this.https && process.env.NODE_ENV !== 'development'
+            ? async (_, resp) => {
+                void resp.removeHeader('X-Powered-By');
+                void resp.header('Strict-Transport-Security', 'max-age=31536000');
+                if (resp.getHeader('content-type') === 'text/html')
+                    void resp.type('text/html; charset=utf-8');
+            }
+            : async (_, resp) => {
+                void resp.removeHeader('X-Powered-By');
+                if (resp.getHeader('content-type') === 'text/html')
+                    void resp.type('text/html; charset=utf-8');
+            });
+        this.app.setNotFoundHandler((req, res) => { void res.status(404).send('Not Found.'); });
+        this.app.setErrorHandler(async (err, req, res) => {
+            req.log.warn(err);
+            for (const errorHandler of this.errorHandlers) {
+                if (!res.sent)
+                    await errorHandler(err, req, res);
+            }
+            if (!res.sent) {
+                if (err instanceof ValidationError) {
+                    await res.status(err.statusCode).send({ success: false, messages: [{ message: err.message, path: err.path, type: err.type ?? 'error' }] });
+                }
+                else if (err instanceof ValidationErrors) {
+                    await res.status(err.statusCode).send({ success: false, messages: err.errors });
+                }
+                else if (err instanceof HttpError) {
+                    await res.status(err.statusCode).send(err.message);
+                }
+                else if (err.code === 'FST_ERR_VALIDATION') {
+                    const developerErrors = [];
+                    const userErrors = [];
+                    for (const v of err.validation ?? []) {
+                        if (v.keyword === 'errorMessage') {
+                            for (const ov of v.params.errors) {
+                                if (['type', 'additionalProperties', 'minProperties'].includes(ov.keyword))
+                                    developerErrors.push({ ...ov, message: v.message });
+                                else if (ov.keyword === 'required')
+                                    userErrors.push({ ...ov, message: 'This field is required.' });
+                                else
+                                    userErrors.push({ ...ov, message: v.message });
+                            }
+                        }
+                        else if (['type', 'additionalProperties', 'minProperties'].includes(v.keyword))
+                            developerErrors.push(v);
+                        else if (v.keyword === 'required')
+                            userErrors.push({ ...v, message: 'This field is required.' });
+                        else
+                            userErrors.push(v);
+                    }
+                    if (userErrors.length)
+                        await res.status(422).send({ success: false, messages: userErrors.map(fstValidationToMessage) });
+                    else
+                        await res.status(400).send(developerErrors.map(fstValidationToMessage));
+                }
+                else if (err.statusCode) {
+                    await res.status(err.statusCode).send(new HttpError(err.statusCode).message);
+                }
+                else {
+                    await res.status(500).send('Internal Server Error.');
+                }
+            }
+        });
+        this.app.get('/health', { logLevel: 'warn' }, async (req, res) => {
+            if (this.shuttingDown) {
+                res.log.warn('Returning 503 on /health because we are shutting down/restarting.');
+                void res.status(503);
+                return 'MAINTENANCE';
+            }
+            else if (this.healthMessage) {
+                res.log.error(this.healthMessage);
+                void res.status(500);
+                return this.healthMessage;
+            }
+            else if (this.healthCallback) {
+                const resp = await this.healthCallback();
+                const [status, msg] = typeof resp === 'string' ? [500, resp] : [resp?.status, resp?.message];
+                if (!!msg || !!status) {
+                    res.log.error(resp, 'Health check callback failed.');
+                    void res.status(status ?? 500);
+                    return msg ?? 'FAIL';
+                }
+            }
+            return 'OK';
+        });
+        this.sigHandler = () => {
+            this.close().then(() => {
+                process.exit();
+            }).catch((e) => { this.app.log.error(e, 'Error during shutdown'); });
+        };
+        process.on('SIGTERM', this.sigHandler);
+        process.on('SIGINT', this.sigHandler);
+    }
+    async start(port) {
+        const customPort = port ?? parseInt(process.env.PORT ?? '0', 10);
+        await this.app.ready();
+        if (this.swaggerEndpoint)
+            this.app.swagger();
+        if (customPort) {
+            await this.app.listen({ port: customPort, host: '0.0.0.0' });
+        }
+        else if (this.https) {
+            // redirect 80 to 443
+            http.createServer((req, res) => {
+                res.writeHead(301, { Location: 'https://' + (req.headers.host?.replace(/:\d+$/v, '') ?? '') + (req.url ?? '') });
+                res.end();
+            }).listen(80);
+            await this.app.listen({ port: 443, host: '0.0.0.0' });
+        }
+        else {
+            await this.app.listen({ port: 80, host: '0.0.0.0' });
+        }
+    }
+    addErrorHandler(handler) {
+        this.errorHandlers.push(handler);
+    }
+    setUnhealthy(message) {
+        this.healthMessage = message;
+    }
+    setHealthy() {
+        this.healthMessage = undefined;
+    }
+    setValidOrigins(origins) {
+        this.originChecker.setValidOrigins(origins);
+    }
+    setValidOriginHosts(hosts) {
+        this.originChecker.setValidOriginHosts(hosts);
+    }
+    setValidOriginSuffixes(suffixes) {
+        this.originChecker.setValidOriginSuffixes(suffixes);
+    }
+    async swagger(opts) {
+        let openapi = opts?.openapi ?? {};
+        if (this.config.authenticate != null) {
+            openapi = set(openapi, 'components.securitySchemes', {
+                unifiedAuth: {
+                    type: 'http',
+                    scheme: 'bearer',
+                    bearerFormat: 'JWT',
+                    description: `Enter a token obtained from the TxState Unified Authentication service. An easy way to do
+this is log into this application and use dev tools to pull your token from the Authorization header.`
+                }
+            });
+            // Apply the security globally to all operations
+            openapi.security = [{ unifiedAuth: [] }];
+        }
+        /* eslint-disable @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-return -- findRefs traverses arbitrary JSON schema objects */
+        function findRefs(obj, id) {
+            if (obj == null)
+                return undefined;
+            if (obj.$id?.length)
+                id = obj.$id;
+            if (obj.$ref === '#' && id?.length) {
+                obj.type = 'string';
+                obj.enum = [id];
+                delete obj.$ref;
+            }
+            else {
+                for (const val of Object.values(obj)) {
+                    if (typeof val === 'object' && !(val instanceof Date))
+                        findRefs(val, id);
+                }
+            }
+            return obj;
+        }
+        await this.app.register(swagger, {
+            openapi,
+            transform(transformArgs) {
+                const newSchema = findRefs(clone(transformArgs.schema));
+                return { ...transformArgs, schema: newSchema };
+            }
+        });
+        /* eslint-enable @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-return */
+        this.swaggerEndpoint = opts?.path ?? opts?.ui?.routePrefix ?? '/docs';
+        await this.app.register(swaggerUI, { ...opts?.ui, routePrefix: this.swaggerEndpoint });
+    }
+    async close(softSeconds) {
+        if (typeof softSeconds === 'undefined')
+            softSeconds = parseInt(process.env.LOAD_BALANCE_TIMEOUT ?? '0', 10);
+        process.removeListener('SIGTERM', this.sigHandler);
+        process.removeListener('SIGINT', this.sigHandler);
+        if (softSeconds) {
+            this.shuttingDown = true;
+            await sleep(softSeconds);
+        }
+        await this.app.close();
+    }
+}

package/lib/unified-auth.d.ts

@@ -1,5 +1,5 @@
-import { type FastifyReply, type FastifyRequest } from 'fastify';
-import { type IssuerConfig, type FastifyInstanceTyped, type FastifyTxStateAuthInfo } from '.';
+import type { FastifyReply, FastifyRequest } from 'fastify';
+import { type IssuerConfig, type FastifyInstanceTyped, type FastifyTxStateAuthInfo } from './server.ts';
 export interface IssuerConfigRaw extends Omit<IssuerConfig, 'validateUrl' | 'logoutUrl'> {
     validateUrl?: string;
     logoutUrl?: string;