gruber 0.6.0 → 0.7.0

package/CHANGELOG.md

@@ -2,9 +2,52 @@
 
 This file documents notable changes to the project
 
-## next
+## 0.7.0
 
-...
+**new**
+
+- Add Server-sent events utilities
+- Add experimental `log` option to `FetchRouter`
+- Add experimental `expressMiddleware` and `koaMiddleware`
+
+**fixes**
+
+- Fix malformed node HTTP headers when they contain a comma
+- Ignore invalid cookies rather than throw an error
+- `getRequestBody` also checks for `multipart/form-data`
+- node: `request.signal` is now triggered if the request is cancelled
+
+## 0.6.2
+
+**fixes**
+
+- Use `unknown` type when expecting a dependency, its now on the consumer to make sure they pass the correct thing. TypeScript-ing this is too hard.
+- Experimental stores use dependency types too
+
+## 0.6.1
+
+**new**
+
+- Expose `includesScope` to check scopes
+
+**fixes**
+
+- Node & Express handle streams properly, they write the head then stream the response.
+- Log HTTP errors in `ExpressRouter` and `KoaRoater`
+- Took out type dependencies
+- JWTs have the correct expiration time
+
+**changed**
+
+- Renamed `formatCode` to `formatAuthenticationCode`
+
+**unstable**
+
+- Renamed unstable `expireAfter` to `maxAge`
+- Renamed unstable `JWTService` to `TokenService`
+- Renamed unstable `JoseJwtService` to `JoseTokens`
+- Renamed unstable `Authorization#getAuthorization` to `Authorization#assert`
+- Added unstable `Authorization#getAuthorization`
 
 ## 0.6.0
 

package/README.md

@@ -172,7 +172,7 @@ export async function runServer(options) {
 If you were using Deno, the same server would look like:
 
 ```js
-import { DenoRouter } from "@gruber/mod.js";
+import { DenoRouter } from "gruber/mod.js";
 
 import helloRoute from "./hello-route.js";
 
@@ -229,13 +229,13 @@ or if it is terminating existing connections ready to be descheduled.
 Terminator is here to help with this use-case.
 
 ```js
-import { DenoRouter, Terminator } from "@gruber/mod.js";
+import { DenoRouter, getTerminator } from "gruber";
 
 import { appConfig } from "./config.js";
 import helloRoute from "./hello-route.js";
 
 // 1. Create your Terminator, maybe call them arnie
-export const terminator = new Terminator({
+export const terminator = getTerminator({
 	timeout: appConfig.env === "development" ? 0 : 5_000,
 });
 
@@ -726,7 +726,7 @@ TODO: I'm not happy with this, will need to come back to it.
 
 ## Core library
 
-### http
+### HTTP
 
 #### defineRoute
 
@@ -989,9 +989,9 @@ Terminator helps you gracefully deploy servers with zero downtime when using a l
 import { Terminator } from "gruber/terminator.js";
 
 // All options are optional, these are also the defaults
-const arnie = new Terminator({
+const arnie = getTerminator({
 	signals: ["SIGINT", "SIGTERM"],
-	timeout: 5_000,
+	timeout: 5_000, // perhaps: appConfig.env === 'development' ? 0 : 5_000
 });
 
 // Generate a HTTP response based on the current state of the Terminator
@@ -1035,7 +1035,7 @@ await store.set("/some/key", { name: "Geoff Testington", age: 42 });
 await store.set(
 	"/login/55",
 	{ token: "abcdef" },
-	{ expireAfter: 30 * 1_000 /* 30 seconds */ },
+	{ maxAge: 30 * 1_000 /* 30 seconds */ },
 );
 
 // Retrieve geoff, types optional
@@ -1045,7 +1045,7 @@ const geoff = await store.get<GeoffRecord>("/some/key");
 await store.delete("/some/key");
 ```
 
-The store is meant for temporary resources, so its mostly meant to be called with the `expireAfter` option
+The store is meant for temporary resources, so its mostly meant to be called with the `maxAge` option
 
 > The `MemoryStore` is also useful for testing, you can provide a TimerService to mock time
 
@@ -1063,6 +1063,34 @@ const redis: RedisClientType;
 const store = new RedisStore(redis, { prefix: "/v2" });
 ```
 
+### JWT
+
+An abstraction around signing a JWT for a user with an access scope.
+There is currently one implementation using [jose](https://github.com/panva/jose).
+
+```ts
+import { JoseJwtService } from "gruber";
+import * as jose from "jose";
+
+const jwt = new JoseJwtService(
+	{
+		secret: "top_secret",
+		issuer: "myapp.io",
+		audience: "myapp.io",
+	},
+	jose,
+);
+
+// string
+const token = await jwt.sign("user:books:read", {
+	userId: 1,
+	maxAge: 30 * 24 * 60 * 60 * 1_000, // 30 days
+});
+
+// { userId, scope } or null
+const parsed = await jwt.verify(token);
+```
+
 ### Authorization
 
 > UNSTABLE
@@ -1070,29 +1098,38 @@ const store = new RedisStore(redis, { prefix: "/v2" });
 A module for checking Request objects have authorization to perform actions on the server
 
 ```ts
-import { JWTService, AuthorizationService } from "gruber";
+import { TokenService, AuthorizationService, includesScope } from "gruber";
 
-const jwt: JWTService;
-const authz = new AuthorizationService({ cookieName: "my_session" }, jwt);
+const tokens: TokenService;
+const authz = new AuthorizationService({ cookieName: "my_session" }, tokens);
 
-const { userId, scope } = await authz.getAuthorization(
+// string | null
+const token = authz.getAuthorization(
 	new Request("https://example.com", {
 		headers: { Authorization: "Bearer some-long-secure-token" },
 	}),
 );
 
-const { userId, scope } = await authz.getAuthorization(
+// { userId: number | undefined, scope: string }
+const { userId, scope } = await authz.assert(
 	new Request("https://example.com", {
-		headers: { Cookie: "my_session=some-long-secure-token" },
+		headers: { Authorization: "Bearer some-long-secure-token" },
 	}),
 );
 
+// { userId: number, scope: string }
 const { userId, scope } = await authz.assertUser(
-	"user:books:read",
 	new Request("https://example.com", {
-		headers: { Authorization: "Bearer some-long-secure-token" },
+		headers: { Cookie: "my_session=some-long-secure-token" },
 	}),
+	{ scope: "user:books:read" },
 );
+
+includesScope("user:books:read", "user:books:read"); // true
+includesScope("user:books", "user:books:read"); // true
+includesScope("user", "user:books:read"); // true
+includesScope("user", "user:podcasts"); // true
+includesScope("user:books", "user:podcasts"); // false
 ```
 
 Any of these methods will throw a `HTTPError.unauthorized` (a 401) if the authorization is not present or invalid.
@@ -1107,7 +1144,7 @@ The idea is you might check for `user:books:write` inside a request handler agai
 
 ### Authentication
 
-> UNSTABLE
+> VERY UNSTABLE
 
 Authentication provides a service to help users get authorization to use the application.
 
@@ -1146,6 +1183,56 @@ const { token, headers, redirect } = await authn.finish(login);
 These would obviously be spread accross multiple endpoints and you transfer
 the token / code combination to the user in a way that proves they are who they claim to be.
 
+### Server Sent Events
+
+Gruber includes utilities for sending [Server-sent events](https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events) from regular route definitions.
+
+```ts
+import { defineRoute, ServerSentEventStream, sseHeaders } from "gruber";
+
+const stream = defineRoute({
+	method: "GET",
+	pathname: "/stream",
+	async handler({ request }) {
+		let counter = 0;
+		let timerId = null;
+
+		// Create a stream to pipe data to the response,
+		// it sends an incrementing counter every second
+		const stream = new ReadableStream({
+			start(controller) {
+				timerId = setInterval(() => {
+					counter++;
+					controller.enqueue({ data: JSON.stringify({ counter }) });
+				}, 1_000);
+			},
+			cancel() {
+				if (timerId) clearInterval(timerId);
+			},
+		});
+
+		// Create a response that transforms the stream into an SSE body
+		return new Response(stream.pipeThrough(new ServerSentEventStream()), {
+			headers: {
+				"content-type": "text/event-stream",
+				"cache-control": "no-cache",
+				connection: "keep-alive",
+			},
+		});
+	},
+});
+```
+
+> You might want to use [ReadableStream.from](https://developer.mozilla.org/en-US/docs/Web/API/ReadableStream/from_static) to create the stream
+
+#### ServerSentEventMessage
+
+`ServerSentEventMessage` is an interface for the payload to be delivered to the client.
+
+#### ServerSentEventStream
+
+`ServerSentEventStream` is a [TransformStream]() that converts `ServerSentEventMessage` into the raw bytes to send to a client.
+
 ### Utilities
 
 #### loader
@@ -1477,6 +1564,7 @@ export function loader<T>(handler: Loader<T>): Loader<T> {
 
 ```js
 async function retryWithBackoff({
+	timers = window,
 	maxRetries = 20,
 	interval = 1_000,
 	handler,
@@ -1486,7 +1574,7 @@ async function retryWithBackoff({
 			const result = await handler();
 			return result;
 		} catch {
-			await new Promise((r) => setTimeout(r, i * interval));
+			await new Promise((r) => timers.setTimeout(r, i * interval));
 		}
 	}
 	console.error("Could not connect to database");

package/core/authentication.d.ts

@@ -1,6 +1,6 @@
 import { RandomService } from "./random.ts";
 import { Store } from "./store.ts";
-import { JWTService } from "./jwt.ts";
+import { TokenService } from "./tokens.ts";
 /**
  * An in-progress authentication, being stored while the client completes their challenge
  */
@@ -26,11 +26,11 @@ export interface AuthnResult {
     redirect: string;
 }
 export interface AbstractAuthenticationService {
-    check(token: string, code: number): Promise<AuthnRequest | null>;
+    check(token: string | undefined | null, code: string | number | undefined | null): Promise<AuthnRequest | null>;
     start(userId: number, redirectUrl: string | URL): Promise<AuthnCheck>;
     finish(request: AuthnRequest): Promise<AuthnResult>;
 }
-export declare function formatCode(code: number): string;
+export declare function formatAuthenticationCode(code: number): string;
 export interface AuthenticationServiceOptions {
     allowedHosts: () => URL[] | Promise<URL[]>;
     cookieName: string;
@@ -41,8 +41,8 @@ export declare class AuthenticationService implements AbstractAuthenticationServ
     options: AuthenticationServiceOptions;
     store: Store;
     random: RandomService;
-    jwt: JWTService;
-    constructor(options: AuthenticationServiceOptions, store: Store, random: RandomService, jwt: JWTService);
+    tokens: TokenService;
+    constructor(options: AuthenticationServiceOptions, store: Store, random: RandomService, tokens: TokenService);
     _canRedirect(input: string | URL, hosts: URL[]): boolean;
     check(token: string | undefined | null, code: string | number | undefined | null): Promise<AuthnRequest | null>;
     start(userId: number, redirectUrl: string | URL): Promise<AuthnCheck>;

package/core/authentication.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authentication.d.ts","sourceRoot":"","sources":["authentication.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAEtC;;GAEG;AACH,MAAM,WAAW,YAAY;IAC5B,MAAM,EAAE,MAAM,CAAC;IAEf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;CACb;AAKD;;GAEG;AACH,MAAM,WAAW,UAAU;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACb;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,6BAA6B;IAC7C,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;IACjE,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,MAAM,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;CACpD;AAED,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,UAKtC;AAED,MAAM,WAAW,4BAA4B;IAC5C,YAAY,EAAE,MAAM,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,mBAAmB,CAAC,aAAa,EAAE,MAAM,CAAC;IAC1C,mBAAmB,CAAC,eAAe,EAAE,MAAM,CAAC;CAC5C;AAED,qBAAa,qBAAsB,YAAW,6BAA6B;IAElE,OAAO,EAAE,4BAA4B;IACrC,KAAK,EAAE,KAAK;IACZ,MAAM,EAAE,aAAa;IACrB,GAAG,EAAE,UAAU;gBAHf,OAAO,EAAE,4BAA4B,EACrC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,EACrB,GAAG,EAAE,UAAU;IAOvB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE;IAcxC,KAAK,CACV,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EAChC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,GAAG,IAAI,GACtC,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAkBzB,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC;IAoBrE,MAAM,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC;CAuBzD"}
+{"version":3,"file":"authentication.d.ts","sourceRoot":"","sources":["authentication.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C;;GAEG;AACH,MAAM,WAAW,YAAY;IAC5B,MAAM,EAAE,MAAM,CAAC;IAEf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;CACb;AAKD;;GAEG;AACH,MAAM,WAAW,UAAU;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACb;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,6BAA6B;IAC7C,KAAK,CACJ,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EAChC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,GAAG,IAAI,GACtC,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;IAChC,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,MAAM,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;CACpD;AAED,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,UAKpD;AAED,MAAM,WAAW,4BAA4B;IAC5C,YAAY,EAAE,MAAM,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,mBAAmB,CAAC,aAAa,EAAE,MAAM,CAAC;IAC1C,mBAAmB,CAAC,eAAe,EAAE,MAAM,CAAC;CAC5C;AAED,qBAAa,qBAAsB,YAAW,6BAA6B;IAElE,OAAO,EAAE,4BAA4B;IACrC,KAAK,EAAE,KAAK;IACZ,MAAM,EAAE,aAAa;IACrB,MAAM,EAAE,YAAY;gBAHpB,OAAO,EAAE,4BAA4B,EACrC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,EACrB,MAAM,EAAE,YAAY;IAO5B,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE;IAcxC,KAAK,CACV,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EAChC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,GAAG,IAAI,GACtC,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAkBzB,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC;IAoBrE,MAAM,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC;CAuBzD"}

package/core/authentication.js

@@ -1,5 +1,5 @@
 import { HTTPError } from "./http.js";
-export function formatCode(code) {
+export function formatAuthenticationCode(code) {
     return [
         code.toString().padStart(6, "0").slice(0, 3),
         code.toString().padStart(6, "0").slice(3, 6),
@@ -9,12 +9,12 @@ export class AuthenticationService {
     options;
     store;
     random;
-    jwt;
-    constructor(options, store, random, jwt) {
+    tokens;
+    constructor(options, store, random, tokens) {
         this.options = options;
         this.store = store;
         this.random = random;
-        this.jwt = jwt;
+        this.tokens = tokens;
     }
     //
     // Internal
@@ -59,23 +59,23 @@ export class AuthenticationService {
             code: this.random.number(0, 999_999),
         };
         await this.store.set(`/authn/request/${token}`, request, {
-            expireAfter: this.options.loginDuration,
+            maxAge: this.options.loginDuration,
         });
         return { token, code: request.code };
     }
     async finish(request) {
         const headers = new Headers();
         headers.set("Location", request.redirect);
-        const token = await this.jwt.sign("user", {
+        const token = await this.tokens.sign("user", {
             userId: request.userId,
-            expireAfter: this.options.sessionDuration,
+            maxAge: this.options.sessionDuration,
         });
         const duration = Math.floor(this.options.sessionDuration / 1000);
         // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
         headers.append("Set-Cookie", `${this.options.cookieName}=${token}; Max-Age=${duration}; Path=/; HttpOnly`);
         // TODO: Microsoft "safe links" opens URLs, generates auth then throws it away
         // Maybe it should be a counter? like 3 you get uses
-        // await cache.delete(`/authn/request/${token}`)
+        // await cache.delete(`/authn/request/${request.token}`)
         return { token, headers, redirect: request.redirect };
     }
 }

package/core/authentication.test.js

@@ -1,17 +1,20 @@
 import {
 	assertEquals,
 	describe,
-	fakeJwt,
+	fakeTokens,
 	fakeRandom,
 	fakeTimers,
 	it,
 } from "./test-deps.js";
-import { AuthenticationService, formatCode } from "./authentication.ts";
+import {
+	AuthenticationService,
+	formatAuthenticationCode,
+} from "./authentication.ts";
 import { MemoryStore } from "./store.ts";
 
-describe("formatCode", () => {
+describe("formatAuthenticationCode", () => {
 	it("pads and seperates", () => {
-		assertEquals(formatCode(12345), "012 345");
+		assertEquals(formatAuthenticationCode(12345), "012 345");
 	});
 });
 
@@ -25,9 +28,9 @@ describe("AuthenticationService", () => {
 		};
 		const random = fakeRandom();
 		const store = new MemoryStore(fakeTimers());
-		const jwt = fakeJwt();
-		const authn = new AuthenticationService(options, store, random, jwt);
-		return { options, random, store, jwt, authn };
+		const tokens = fakeTokens();
+		const authn = new AuthenticationService(options, store, random, tokens);
+		return { options, random, store, tokens, authn };
 	}
 
 	describe("_canRedirect", () => {
@@ -126,7 +129,7 @@ describe("AuthenticationService", () => {
 			const token = JSON.stringify({
 				scope: "user",
 				userId: 1,
-				expireAfter: 20_000,
+				maxAge: 20_000,
 			});
 
 			assertEquals(result.token, token);

package/core/authentication.ts

@@ -1,7 +1,7 @@
 import { HTTPError } from "./http.ts";
 import { RandomService } from "./random.ts";
 import { Store } from "./store.ts";
-import { JWTService } from "./jwt.ts";
+import { TokenService } from "./tokens.ts";
 
 /**
  * An in-progress authentication, being stored while the client completes their challenge
@@ -35,12 +35,15 @@ export interface AuthnResult {
 }
 
 export interface AbstractAuthenticationService {
-	check(token: string, code: number): Promise<AuthnRequest | null>;
+	check(
+		token: string | undefined | null,
+		code: string | number | undefined | null,
+	): Promise<AuthnRequest | null>;
 	start(userId: number, redirectUrl: string | URL): Promise<AuthnCheck>;
 	finish(request: AuthnRequest): Promise<AuthnResult>;
 }
 
-export function formatCode(code: number) {
+export function formatAuthenticationCode(code: number) {
 	return [
 		code.toString().padStart(6, "0").slice(0, 3),
 		code.toString().padStart(6, "0").slice(3, 6),
@@ -59,7 +62,7 @@ export class AuthenticationService implements AbstractAuthenticationService {
 		public options: AuthenticationServiceOptions,
 		public store: Store,
 		public random: RandomService,
-		public jwt: JWTService,
+		public tokens: TokenService,
 	) {}
 
 	//
@@ -115,7 +118,7 @@ export class AuthenticationService implements AbstractAuthenticationService {
 		};
 
 		await this.store.set<AuthnRequest>(`/authn/request/${token}`, request, {
-			expireAfter: this.options.loginDuration,
+			maxAge: this.options.loginDuration,
 		});
 
 		return { token, code: request.code };
@@ -125,9 +128,9 @@ export class AuthenticationService implements AbstractAuthenticationService {
 		const headers = new Headers();
 		headers.set("Location", request.redirect);
 
-		const token = await this.jwt.sign("user", {
+		const token = await this.tokens.sign("user", {
 			userId: request.userId,
-			expireAfter: this.options.sessionDuration,
+			maxAge: this.options.sessionDuration,
 		});
 
 		const duration = Math.floor(this.options.sessionDuration / 1000);
@@ -140,7 +143,7 @@ export class AuthenticationService implements AbstractAuthenticationService {
 
 		// TODO: Microsoft "safe links" opens URLs, generates auth then throws it away
 		// Maybe it should be a counter? like 3 you get uses
-		// await cache.delete(`/authn/request/${token}`)
+		// await cache.delete(`/authn/request/${request.token}`)
 
 		return { token, headers, redirect: request.redirect };
 	}

package/core/authorization.d.ts

@@ -1,4 +1,4 @@
-import { AuthzToken, JWTService } from "./jwt.ts";
+import { AuthzToken, TokenService } from "./tokens.ts";
 /**
  * Based on deno std
  * https://github.com/denoland/std/blob/065296ca5a05a47f9741df8f99c32fae4f960070/http/cookie.ts#L254C1-L270C2
@@ -11,6 +11,7 @@ export declare function _getRequestCookie(request: Request, cookieName: string):
  */
 export declare function _expandScopes(scope: string): string[];
 export declare function _checkScope(actual: string, expected: string[]): boolean;
+export declare function includesScope(actual: string, expected: string): boolean;
 export interface AssertUserOptions {
     scope?: string;
 }
@@ -19,7 +20,8 @@ export interface AssertUserResult {
     scope: string;
 }
 export interface AbstractAuthorizationService {
-    getAuthorization(request: Request): Promise<AuthzToken>;
+    getAuthorization(request: Request): string | null;
+    assert(request: Request): Promise<AuthzToken>;
     assertUser(request: Request, options?: AssertUserOptions): Promise<AssertUserResult>;
 }
 export interface AuthorizationServiceOptions {
@@ -28,9 +30,10 @@ export interface AuthorizationServiceOptions {
 /** @unstable */
 export declare class AuthorizationService implements AbstractAuthorizationService {
     options: AuthorizationServiceOptions;
-    jwt: JWTService;
-    constructor(options: AuthorizationServiceOptions, jwt: JWTService);
-    getAuthorization(request: Request): Promise<AuthzToken>;
+    tokens: TokenService;
+    constructor(options: AuthorizationServiceOptions, tokens: TokenService);
+    getAuthorization(request: Request): string | null;
+    assert(request: Request): Promise<AuthzToken>;
     assertUser(request: Request, options?: AssertUserOptions): Promise<AssertUserResult>;
 }
 //# sourceMappingURL=authorization.d.ts.map

package/core/authorization.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization.d.ts","sourceRoot":"","sources":["authorization.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAElD;;;GAGG;AACH,wBAAgB,WAAW,CAC1B,OAAO,EAAE,OAAO,GACd,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAapC;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,iBAIjD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,iBAErE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,YAQ1C;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAM7D;AAED,MAAM,WAAW,iBAAiB;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAGD,MAAM,WAAW,gBAAgB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,4BAA4B;IAC5C,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACxD,UAAU,CACT,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE,iBAAiB,GACzB,OAAO,CAAC,gBAAgB,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,2BAA2B;IAC3C,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,gBAAgB;AAChB,qBAAa,oBAAqB,YAAW,4BAA4B;IACxE,OAAO,EAAE,2BAA2B,CAAC;IACrC,GAAG,EAAE,UAAU,CAAC;gBAEJ,OAAO,EAAE,2BAA2B,EAAE,GAAG,EAAE,UAAU;IAK3D,gBAAgB,CAAC,OAAO,EAAE,OAAO;IAYjC,UAAU,CACf,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,iBAAsB,GAC7B,OAAO,CAAC,gBAAgB,CAAC;CAY5B"}
+{"version":3,"file":"authorization.d.ts","sourceRoot":"","sources":["authorization.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEvD;;;GAGG;AACH,wBAAgB,WAAW,CAC1B,OAAO,EAAE,OAAO,GACd,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAapC;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,iBAIjD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,iBAMrE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,YAQ1C;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAM7D;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,WAE7D;AAED,MAAM,WAAW,iBAAiB;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAGD,MAAM,WAAW,gBAAgB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,4BAA4B;IAC5C,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,MAAM,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAC9C,UAAU,CACT,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE,iBAAiB,GACzB,OAAO,CAAC,gBAAgB,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,2BAA2B;IAC3C,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,gBAAgB;AAChB,qBAAa,oBAAqB,YAAW,4BAA4B;IAEhE,OAAO,EAAE,2BAA2B;IACpC,MAAM,EAAE,YAAY;gBADpB,OAAO,EAAE,2BAA2B,EACpC,MAAM,EAAE,YAAY;IAG5B,gBAAgB,CAAC,OAAO,EAAE,OAAO;IAO3B,MAAM,CAAC,OAAO,EAAE,OAAO;IAUvB,UAAU,CACf,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,iBAAsB,GAC7B,OAAO,CAAC,gBAAgB,CAAC;CAY5B"}

package/core/authorization.js

@@ -24,7 +24,12 @@ export function _getRequestBearer(request) {
     return /^bearer (.+)$/i.exec(authz)?.[1] ?? null;
 }
 export function _getRequestCookie(request, cookieName) {
-    return _getCookies(request.headers)[cookieName] ?? null;
+    try {
+        return _getCookies(request.headers)[cookieName] ?? null;
+    }
+    catch {
+        return null;
+    }
 }
 /**
  * a:b:c -> [a, a:b, a:b:c]
@@ -47,30 +52,36 @@ export function _checkScope(actual, expected) {
     }
     return false;
 }
+export function includesScope(actual, expected) {
+    return _checkScope(actual, _expandScopes(expected));
+}
 /** @unstable */
 export class AuthorizationService {
     options;
-    jwt;
-    constructor(options, jwt) {
+    tokens;
+    constructor(options, tokens) {
         this.options = options;
-        this.jwt = jwt;
+        this.tokens = tokens;
+    }
+    getAuthorization(request) {
+        return (_getRequestBearer(request) ??
+            _getRequestCookie(request, this.options.cookieName));
     }
-    async getAuthorization(request) {
-        const authz = _getRequestBearer(request) ??
-            _getRequestCookie(request, this.options.cookieName);
+    async assert(request) {
+        const authz = this.getAuthorization(request);
         if (!authz)
             throw HTTPError.unauthorized("no authorization present");
-        const verified = await this.jwt.verify(authz);
+        const verified = await this.tokens.verify(authz);
         if (!verified)
             throw HTTPError.unauthorized("no valid authorization");
         return verified;
     }
     async assertUser(request, options = {}) {
-        const verified = await this.getAuthorization(request);
+        const verified = await this.assert(request);
         const { userId, scope } = verified;
         if (userId === undefined)
             throw HTTPError.unauthorized("not a user");
-        if (options.scope && !_checkScope(scope, _expandScopes(options.scope))) {
+        if (options.scope && !includesScope(scope, options.scope)) {
             throw HTTPError.unauthorized("missing required scope: " + options.scope);
         }
         return { userId, scope };

package/core/authorization.test.js

@@ -2,7 +2,7 @@ import {
 	assertEquals,
 	assertThrows,
 	describe,
-	fakeJwt,
+	fakeTokens,
 	it,
 } from "./test-deps.js";
 import {
@@ -72,6 +72,17 @@ describe("_getRequestCookie", () => {
 			"abcdef",
 		);
 	});
+	it("does not throw", () => {
+		assertEquals(
+			_getRequestCookie(
+				new Request("https://example.com", {
+					headers: { Cookie: "not_;a-cookie" },
+				}),
+				"my_cookie",
+			),
+			null,
+		);
+	});
 });
 
 describe("_expandScopes", () => {
@@ -118,19 +129,38 @@ describe("_checkScope", () => {
 describe("AuthorizationService", () => {
 	function setup() {
 		const options = { cookieName: "testing_session" };
-		const jwt = fakeJwt();
-		const authz = new AuthorizationService(options, jwt);
-		return { options, jwt, authz };
+		const tokens = fakeTokens();
+		const authz = new AuthorizationService(options, tokens);
+		return { options, tokens, authz };
 	}
 
 	describe("getAuthorization", () => {
+		it("parses bearer", () => {
+			const { authz } = setup();
+
+			const request = new Request("https://example.com", {
+				headers: { Authorization: "Bearer test_bearer_token" },
+			});
+			assertEquals(authz.getAuthorization(request), "test_bearer_token");
+		});
+		it("parses cookies", () => {
+			const { authz } = setup();
+
+			const request = new Request("https://example.com", {
+				headers: { Cookie: "testing_session=test_cookie_value" },
+			});
+			assertEquals(authz.getAuthorization(request), "test_cookie_value");
+		});
+	});
+
+	describe("assert", () => {
 		it("parses bearer", async () => {
 			const { authz } = setup();
 
 			const request = new Request("https://example.com", {
 				headers: { Authorization: 'Bearer {"scope":"user","userId":1}' },
 			});
-			assertEquals(await authz.getAuthorization(request), {
+			assertEquals(await authz.assert(request), {
 				scope: "user",
 				userId: 1,
 			});
@@ -141,7 +171,7 @@ describe("AuthorizationService", () => {
 			const request = new Request("https://example.com", {
 				headers: { Cookie: 'testing_session={"scope":"user","userId":1}' },
 			});
-			assertEquals(await authz.getAuthorization(request), {
+			assertEquals(await authz.assert(request), {
 				scope: "user",
 				userId: 1,
 			});