gruber 0.6.1 → 0.8.0

package/CHANGELOG.md

@@ -2,6 +2,42 @@
 
 This file documents notable changes to the project
 
+## 0.8.0
+
+**features**
+
+- Add optional `options` parameter to `authz.assert` to check the scope
+- Add experimental `authz.from` method to parse the authenticated user
+- Add experimental `CompositeTokens` to combine multiple TokenServices together
+- Add experimental `Cors` utility for addings CORS headers to responses
+- Add experimental `cors` option to `FetchRouter`
+
+**fixes**
+
+- Add optional `res` parameter to `getResponseReadable` to propagate stream cancellations
+
+## 0.7.0
+
+**new**
+
+- Add Server-sent events utilities
+- Add experimental `log` option to `FetchRouter`
+- Add experimental `expressMiddleware` and `koaMiddleware`
+
+**fixes**
+
+- Fix malformed node HTTP headers when they contain a comma
+- Ignore invalid cookies rather than throw an error
+- `getRequestBody` also checks for `multipart/form-data`
+- node: `request.signal` is now triggered if the request is cancelled
+
+## 0.6.2
+
+**fixes**
+
+- Use `unknown` type when expecting a dependency, its now on the consumer to make sure they pass the correct thing. TypeScript-ing this is too hard.
+- Experimental stores use dependency types too
+
 ## 0.6.1
 
 **new**

package/README.md

@@ -726,7 +726,7 @@ TODO: I'm not happy with this, will need to come back to it.
 
 ## Core library
 
-### http
+### HTTP
 
 #### defineRoute
 
@@ -867,6 +867,11 @@ Use it to get a `Response` from the provided request, based on the router's rout
 const response = await router.getResponse(new Request("http://localhost"));
 ```
 
+**experimental**
+
+- `options.log` turn on HTTP logging with `true` or a custom
+- `options.cors` apply CORS headers with a [Cors](#cors) instance
+
 #### unstable http
 
 There are some unstable internal methods too:
@@ -877,6 +882,31 @@ There are some unstable internal methods too:
 - `getRequestBody(request)` Get the JSON of FormData body of a request
 - `assertRequestBody(struct, body)` Assert the body matches a structure and return the parsed value
 
+#### Cors
+
+There is an unstable API for applying [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS) headers to responses.
+
+```ts
+import { Cors } from "gruber";
+
+const cors = new Cors({
+	credentials: true,
+	origins: ["http://localhost:8080"],
+});
+
+const response = cors.apply(
+	new Request("http://localhsot:8000"),
+	new Response("ok"),
+);
+```
+
+It returns a clone of the response passed to it with CORS headers applied. You should no longer use the response passed into it. The headers it applies are:
+
+- `Access-Control-Allow-Methods` set to `GET, HEAD, PUT, PATCH, POST, DELETE`
+- `Access-Control-Allow-Headers` mirrors what is set on `Access-Control-Request-Headers` and adds that to `Vary`
+- `Access-Control-Allow-Origin` allows the `Origin` if it matches the `origins` parameter
+- `Access-Control-Allow-Credentials` is set to `true` if the `credentials` parameter is
+
 ### Postgres
 
 #### getPostgresMigratorOptions
@@ -1063,16 +1093,16 @@ const redis: RedisClientType;
 const store = new RedisStore(redis, { prefix: "/v2" });
 ```
 
-### JWT
+### Tokens
 
-An abstraction around signing a JWT for a user with an access scope.
+An abstraction around signing or storing a token for a user with an access scope.
 There is currently one implementation using [jose](https://github.com/panva/jose).
 
 ```ts
-import { JoseJwtService } from "gruber";
+import { JoseTokens } from "gruber";
 import * as jose from "jose";
 
-const jwt = new JoseJwtService(
+const jwt = new JoseTokens(
 	{
 		secret: "top_secret",
 		issuer: "myapp.io",
@@ -1091,6 +1121,22 @@ const token = await jwt.sign("user:books:read", {
 const parsed = await jwt.verify(token);
 ```
 
+There is also `CompositeTokens` which lets you combine multiple verifiers with one signer.
+For example, if your app has several methods a client might authenticate and one way it itself signs things,
+like a user token, or a static service or database app-token.
+
+> UNSTABLE
+
+```ts
+import { CompositeTokens, JoseTokens } from "gruber";
+import * as jose from "jose";
+
+const tokens = new CompositeTokens(new JoseTokens("..."), [
+	new JoseTokens("..."),
+	// Different token formats your app accepts
+]);
+```
+
 ### Authorization
 
 > UNSTABLE
@@ -1110,19 +1156,27 @@ const token = authz.getAuthorization(
 	}),
 );
 
-// { userId: number | undefined, scope: string }
+// { kind: 'user', userId: number , scope: string } | { kind: 'service', scope: string }
+const result = await authz.from(
+	new Request("https://example.com", {
+		headers: { Authorization: "Bearer some-long-secure-token" },
+	}),
+);
+
+// { kind: 'user', userId: number , scope: string } | { kind: 'service', scope: string }
 const { userId, scope } = await authz.assert(
 	new Request("https://example.com", {
 		headers: { Authorization: "Bearer some-long-secure-token" },
 	}),
+	{ scope: "repo:coffee-club" }, // optional
 );
 
-// { userId: number, scope: string }
+// { kind: 'user', userId: number, scope: string }
 const { userId, scope } = await authz.assertUser(
 	new Request("https://example.com", {
 		headers: { Cookie: "my_session=some-long-secure-token" },
 	}),
-	{ scope: "user:books:read" },
+	{ scope: "user:books:read" }, // optional
 );
 
 includesScope("user:books:read", "user:books:read"); // true
@@ -1144,7 +1198,7 @@ The idea is you might check for `user:books:write` inside a request handler agai
 
 ### Authentication
 
-> UNSTABLE
+> VERY UNSTABLE
 
 Authentication provides a service to help users get authorization to use the application.
 
@@ -1183,6 +1237,56 @@ const { token, headers, redirect } = await authn.finish(login);
 These would obviously be spread accross multiple endpoints and you transfer
 the token / code combination to the user in a way that proves they are who they claim to be.
 
+### Server Sent Events
+
+Gruber includes utilities for sending [Server-sent events](https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events) from regular route definitions.
+
+```ts
+import { defineRoute, ServerSentEventStream, sseHeaders } from "gruber";
+
+const stream = defineRoute({
+	method: "GET",
+	pathname: "/stream",
+	async handler({ request }) {
+		let counter = 0;
+		let timerId = null;
+
+		// Create a stream to pipe data to the response,
+		// it sends an incrementing counter every second
+		const stream = new ReadableStream({
+			start(controller) {
+				timerId = setInterval(() => {
+					counter++;
+					controller.enqueue({ data: JSON.stringify({ counter }) });
+				}, 1_000);
+			},
+			cancel() {
+				if (timerId) clearInterval(timerId);
+			},
+		});
+
+		// Create a response that transforms the stream into an SSE body
+		return new Response(stream.pipeThrough(new ServerSentEventStream()), {
+			headers: {
+				"content-type": "text/event-stream",
+				"cache-control": "no-cache",
+				connection: "keep-alive",
+			},
+		});
+	},
+});
+```
+
+> You might want to use [ReadableStream.from](https://developer.mozilla.org/en-US/docs/Web/API/ReadableStream/from_static) to create the stream
+
+#### ServerSentEventMessage
+
+`ServerSentEventMessage` is an interface for the payload to be delivered to the client.
+
+#### ServerSentEventStream
+
+`ServerSentEventStream` is a [TransformStream]() that converts `ServerSentEventMessage` into the raw bytes to send to a client.
+
 ### Utilities
 
 #### loader
@@ -1470,11 +1574,18 @@ const server = http.createServer((req) => {
 `getResponseReadable` creates a [streams:Readable](https://nodejs.org/api/stream.html#class-streamreadable) from the body of a fetch Response.
 
 ```js
+import http from "node:http";
 import { getResponseReadable } from "gruber/node-router.js";
 
-const readable = getResponseReadable(new Response("some body"));
+const server = http.createServer((req, res) => {
+	const readable = getResponseReadable(new Response("some body"), res);
+});
 ```
 
+Pass in `res` if you want the readable to be cancelled if reading the response is aborted.
+
+> NOTE: This relies on the **experimental** [Readable.fromWeb](https://nodejs.org/api/stream.html#streamreadablefromwebreadablestream-options)
+
 ## Development
 
 WIP stuff

package/core/authorization.d.ts

@@ -12,13 +12,22 @@ export declare function _getRequestCookie(request: Request, cookieName: string):
 export declare function _expandScopes(scope: string): string[];
 export declare function _checkScope(actual: string, expected: string[]): boolean;
 export declare function includesScope(actual: string, expected: string): boolean;
+export interface AssertOptions {
+    scope?: string;
+}
 export interface AssertUserOptions {
     scope?: string;
 }
 export interface AssertUserResult {
+    kind: "user";
     userId: number;
     scope: string;
 }
+export interface AssertServiceResult {
+    kind: "service";
+    scope: string;
+}
+export type AuthorizationResult = AssertUserResult | AssertServiceResult;
 export interface AbstractAuthorizationService {
     getAuthorization(request: Request): string | null;
     assert(request: Request): Promise<AuthzToken>;
@@ -33,7 +42,10 @@ export declare class AuthorizationService implements AbstractAuthorizationServic
     tokens: TokenService;
     constructor(options: AuthorizationServiceOptions, tokens: TokenService);
     getAuthorization(request: Request): string | null;
-    assert(request: Request): Promise<AuthzToken>;
+    _processToken(verified: AuthzToken): AuthorizationResult;
+    /** @unstable use at your own risk */
+    from(request: Request): Promise<AuthorizationResult | null>;
+    assert(request: Request, options?: AssertOptions): Promise<AuthorizationResult>;
     assertUser(request: Request, options?: AssertUserOptions): Promise<AssertUserResult>;
 }
 //# sourceMappingURL=authorization.d.ts.map

package/core/authorization.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization.d.ts","sourceRoot":"","sources":["authorization.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEvD;;;GAGG;AACH,wBAAgB,WAAW,CAC1B,OAAO,EAAE,OAAO,GACd,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAapC;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,iBAIjD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,iBAErE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,YAQ1C;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAM7D;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,WAE7D;AAED,MAAM,WAAW,iBAAiB;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAGD,MAAM,WAAW,gBAAgB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,4BAA4B;IAC5C,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,MAAM,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAC9C,UAAU,CACT,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE,iBAAiB,GACzB,OAAO,CAAC,gBAAgB,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,2BAA2B;IAC3C,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,gBAAgB;AAChB,qBAAa,oBAAqB,YAAW,4BAA4B;IAEhE,OAAO,EAAE,2BAA2B;IACpC,MAAM,EAAE,YAAY;gBADpB,OAAO,EAAE,2BAA2B,EACpC,MAAM,EAAE,YAAY;IAG5B,gBAAgB,CAAC,OAAO,EAAE,OAAO;IAO3B,MAAM,CAAC,OAAO,EAAE,OAAO;IAUvB,UAAU,CACf,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,iBAAsB,GAC7B,OAAO,CAAC,gBAAgB,CAAC;CAY5B"}
+{"version":3,"file":"authorization.d.ts","sourceRoot":"","sources":["authorization.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEvD;;;GAGG;AACH,wBAAgB,WAAW,CAC1B,OAAO,EAAE,OAAO,GACd,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAapC;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,iBAIjD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,iBAMrE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,YAQ1C;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAM7D;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,WAE7D;AAED,MAAM,WAAW,aAAa;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,iBAAiB;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAGD,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,mBAAmB;IACnC,IAAI,EAAE,SAAS,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,MAAM,mBAAmB,GAAG,gBAAgB,GAAG,mBAAmB,CAAC;AAEzE,MAAM,WAAW,4BAA4B;IAC5C,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,MAAM,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAC9C,UAAU,CACT,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE,iBAAiB,GACzB,OAAO,CAAC,gBAAgB,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,2BAA2B;IAC3C,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,gBAAgB;AAChB,qBAAa,oBAAqB,YAAW,4BAA4B;IAEhE,OAAO,EAAE,2BAA2B;IACpC,MAAM,EAAE,YAAY;gBADpB,OAAO,EAAE,2BAA2B,EACpC,MAAM,EAAE,YAAY;IAG5B,gBAAgB,CAAC,OAAO,EAAE,OAAO;IAOjC,aAAa,CAAC,QAAQ,EAAE,UAAU,GAAG,mBAAmB;IAMxD,qCAAqC;IAC/B,IAAI,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAQ3D,MAAM,CACX,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,aAAkB,GACzB,OAAO,CAAC,mBAAmB,CAAC;IAezB,UAAU,CACf,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,iBAAsB,GAC7B,OAAO,CAAC,gBAAgB,CAAC;CAS5B"}

package/core/authorization.js

@@ -24,7 +24,12 @@ export function _getRequestBearer(request) {
     return /^bearer (.+)$/i.exec(authz)?.[1] ?? null;
 }
 export function _getRequestCookie(request, cookieName) {
-    return _getCookies(request.headers)[cookieName] ?? null;
+    try {
+        return _getCookies(request.headers)[cookieName] ?? null;
+    }
+    catch {
+        return null;
+    }
 }
 /**
  * a:b:c -> [a, a:b, a:b:c]
@@ -62,23 +67,37 @@ export class AuthorizationService {
         return (_getRequestBearer(request) ??
             _getRequestCookie(request, this.options.cookieName));
     }
-    async assert(request) {
+    _processToken(verified) {
+        return typeof verified.userId === "number"
+            ? { kind: "user", userId: verified.userId, scope: verified.scope }
+            : { kind: "service", scope: verified.scope };
+    }
+    /** @unstable use at your own risk */
+    async from(request) {
+        const authz = this.getAuthorization(request);
+        if (!authz)
+            return null;
+        const verified = await this.tokens.verify(authz);
+        return verified ? this._processToken(verified) : null;
+    }
+    async assert(request, options = {}) {
         const authz = this.getAuthorization(request);
         if (!authz)
             throw HTTPError.unauthorized("no authorization present");
         const verified = await this.tokens.verify(authz);
         if (!verified)
             throw HTTPError.unauthorized("no valid authorization");
-        return verified;
+        if (options.scope && !includesScope(verified.scope, options.scope)) {
+            throw HTTPError.unauthorized("missing required scope: " + options.scope);
+        }
+        return this._processToken(verified);
     }
     async assertUser(request, options = {}) {
-        const verified = await this.assert(request);
-        const { userId, scope } = verified;
-        if (userId === undefined)
+        const verified = await this.assert(request, {
+            scope: options.scope,
+        });
+        if (verified.kind !== "user")
             throw HTTPError.unauthorized("not a user");
-        if (options.scope && !includesScope(scope, options.scope)) {
-            throw HTTPError.unauthorized("missing required scope: " + options.scope);
-        }
-        return { userId, scope };
+        return verified;
     }
 }

package/core/authorization.test.js

@@ -72,6 +72,17 @@ describe("_getRequestCookie", () => {
 			"abcdef",
 		);
 	});
+	it("does not throw", () => {
+		assertEquals(
+			_getRequestCookie(
+				new Request("https://example.com", {
+					headers: { Cookie: "not_;a-cookie" },
+				}),
+				"my_cookie",
+			),
+			null,
+		);
+	});
 });
 
 describe("_expandScopes", () => {
@@ -124,13 +135,59 @@ describe("AuthorizationService", () => {
 	}
 
 	describe("getAuthorization", () => {
+		it("parses bearer", () => {
+			const { authz } = setup();
+
+			const request = new Request("https://example.com", {
+				headers: { Authorization: "Bearer test_bearer_token" },
+			});
+			assertEquals(authz.getAuthorization(request), "test_bearer_token");
+		});
+		it("parses cookies", () => {
+			const { authz } = setup();
+
+			const request = new Request("https://example.com", {
+				headers: { Cookie: "testing_session=test_cookie_value" },
+			});
+			assertEquals(authz.getAuthorization(request), "test_cookie_value");
+		});
+	});
+
+	describe("from", () => {
+		it("parses users", async () => {
+			const { authz } = setup();
+
+			const request = new Request("https://example.com", {
+				headers: { Authorization: 'Bearer {"scope":"statuses","userId":1}' },
+			});
+			assertEquals(await authz.from(request), {
+				kind: "user",
+				userId: 1,
+				scope: "statuses",
+			});
+		});
+		it("parses services", async () => {
+			const { authz } = setup();
+
+			const request = new Request("https://example.com", {
+				headers: { Authorization: 'Bearer {"scope":"coffee-club"}' },
+			});
+			assertEquals(await authz.from(request), {
+				kind: "service",
+				scope: "coffee-club",
+			});
+		});
+	});
+
+	describe("assert", () => {
 		it("parses bearer", async () => {
 			const { authz } = setup();
 
 			const request = new Request("https://example.com", {
 				headers: { Authorization: 'Bearer {"scope":"user","userId":1}' },
 			});
-			assertEquals(await authz.getAuthorization(request), {
+			assertEquals(await authz.assert(request), {
+				kind: "user",
 				scope: "user",
 				userId: 1,
 			});
@@ -141,11 +198,23 @@ describe("AuthorizationService", () => {
 			const request = new Request("https://example.com", {
 				headers: { Cookie: 'testing_session={"scope":"user","userId":1}' },
 			});
-			assertEquals(await authz.getAuthorization(request), {
+			assertEquals(await authz.assert(request), {
+				kind: "user",
 				scope: "user",
 				userId: 1,
 			});
 		});
+		it("parses services", async () => {
+			const { authz } = setup();
+
+			const request = new Request("https://example.com", {
+				headers: { Authorization: 'Bearer {"scope":"coffee-club"}' },
+			});
+			assertEquals(await authz.assert(request), {
+				kind: "service",
+				scope: "coffee-club",
+			});
+		});
 	});
 
 	describe("assertUser", () => {
@@ -155,6 +224,7 @@ describe("AuthorizationService", () => {
 				headers: { Authorization: 'Bearer {"scope":"user","userId":1}' },
 			});
 			assertEquals(await authz.assertUser(request, { scope: "user" }), {
+				kind: "user",
 				userId: 1,
 				scope: "user",
 			});
@@ -165,6 +235,7 @@ describe("AuthorizationService", () => {
 				headers: { Cookie: 'testing_session={"scope":"user","userId":1}' },
 			});
 			assertEquals(await authz.assertUser(request, { scope: "user" }), {
+				kind: "user",
 				userId: 1,
 				scope: "user",
 			});

package/core/authorization.ts

@@ -29,7 +29,11 @@ export function _getRequestBearer(request: Request) {
 }
 
 export function _getRequestCookie(request: Request, cookieName: string) {
-	return _getCookies(request.headers)[cookieName] ?? null;
+	try {
+		return _getCookies(request.headers)[cookieName] ?? null;
+	} catch {
+		return null;
+	}
 }
 
 /**
@@ -57,16 +61,28 @@ export function includesScope(actual: string, expected: string) {
 	return _checkScope(actual, _expandScopes(expected));
 }
 
+export interface AssertOptions {
+	scope?: string;
+}
+
 export interface AssertUserOptions {
 	scope?: string;
 }
 
 // NOTE: should userId be a string for future-proofing / to align to JWTs?
 export interface AssertUserResult {
+	kind: "user";
 	userId: number;
 	scope: string;
 }
 
+export interface AssertServiceResult {
+	kind: "service";
+	scope: string;
+}
+
+export type AuthorizationResult = AssertUserResult | AssertServiceResult;
+
 export interface AbstractAuthorizationService {
 	getAuthorization(request: Request): string | null;
 	assert(request: Request): Promise<AuthzToken>;
@@ -94,29 +110,49 @@ export class AuthorizationService implements AbstractAuthorizationService {
 		);
 	}
 
-	async assert(request: Request) {
+	_processToken(verified: AuthzToken): AuthorizationResult {
+		return typeof verified.userId === "number"
+			? { kind: "user", userId: verified.userId, scope: verified.scope }
+			: { kind: "service", scope: verified.scope };
+	}
+
+	/** @unstable use at your own risk */
+	async from(request: Request): Promise<AuthorizationResult | null> {
+		const authz = this.getAuthorization(request);
+		if (!authz) return null;
+
+		const verified = await this.tokens.verify(authz);
+		return verified ? this._processToken(verified) : null;
+	}
+
+	async assert(
+		request: Request,
+		options: AssertOptions = {},
+	): Promise<AuthorizationResult> {
 		const authz = this.getAuthorization(request);
 
 		if (!authz) throw HTTPError.unauthorized("no authorization present");
 
 		const verified = await this.tokens.verify(authz);
 		if (!verified) throw HTTPError.unauthorized("no valid authorization");
-		return verified;
+
+		if (options.scope && !includesScope(verified.scope, options.scope)) {
+			throw HTTPError.unauthorized("missing required scope: " + options.scope);
+		}
+
+		return this._processToken(verified);
 	}
 
 	async assertUser(
 		request: Request,
 		options: AssertUserOptions = {},
 	): Promise<AssertUserResult> {
-		const verified = await this.assert(request);
-
-		const { userId, scope } = verified;
-		if (userId === undefined) throw HTTPError.unauthorized("not a user");
+		const verified = await this.assert(request, {
+			scope: options.scope,
+		});
 
-		if (options.scope && !includesScope(scope, options.scope)) {
-			throw HTTPError.unauthorized("missing required scope: " + options.scope);
-		}
+		if (verified.kind !== "user") throw HTTPError.unauthorized("not a user");
 
-		return { userId, scope };
+		return verified;
 	}
 }

package/core/cors.d.ts

@@ -0,0 +1,15 @@
+interface CorsOptions {
+    /** Origins you want to be allowed to access this server or "*" for any server */
+    origins?: string[];
+    /** Whether to allow credentials in requests, default: false */
+    credentials?: boolean;
+}
+/** @unstable */
+export declare class Cors {
+    origins: Set<string>;
+    credentials: boolean;
+    constructor(options?: CorsOptions);
+    apply(request: Request, response: Response): Response;
+}
+export {};
+//# sourceMappingURL=cors.d.ts.map

package/core/cors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["cors.ts"],"names":[],"mappings":"AAUA,UAAU,WAAW;IACpB,iFAAiF;IACjF,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IAEnB,+DAA+D;IAC/D,WAAW,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,gBAAgB;AAChB,qBAAa,IAAI;IAChB,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACrB,WAAW,EAAE,OAAO,CAAC;gBACT,OAAO,GAAE,WAAgB;IAKrC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ;CAmD1C"}

package/core/cors.js

@@ -0,0 +1,50 @@
+//
+// This was loosely based on https://github.com/expressjs/cors/blob/master/lib/index.js
+//
+// Future work:
+// - "allowedHeaders" to allow-list headers for request-headers
+// - An option for "origins" to be dynamic so it could be pulled from a source like the database
+// - An option to configure which methods are allowed
+//
+/** @unstable */
+export class Cors {
+    origins;
+    credentials;
+    constructor(options = {}) {
+        this.credentials = options.credentials ?? false;
+        this.origins = new Set(options.origins ?? ["*"]);
+    }
+    apply(request, response) {
+        const headers = new Headers(response.headers);
+        // HTTP methods
+        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Methods
+        headers.set("Access-Control-Allow-Methods", "GET, HEAD, PUT, PATCH, POST, DELETE");
+        // Headers
+        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Request-Headers
+        if (request.headers.has("Access-Control-Request-Headers")) {
+            headers.append("Access-Control-Allow-Headers", request.headers.get("Access-Control-Request-Headers"));
+            headers.append("Vary", "Access-Control-Request-Headers");
+        }
+        // Origins
+        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Origin
+        if (this.origins.has("*")) {
+            headers.set("Access-Control-Allow-Origin", request.headers.get("origin") ?? "*");
+            headers.append("Vary", "Origin");
+        }
+        else if (request.headers.has("origin") &&
+            this.origins.has(request.headers.get("origin"))) {
+            headers.set("Access-Control-Allow-Origin", request.headers.get("origin"));
+            headers.append("Vary", "Origin");
+        }
+        // Credentials
+        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Credentials
+        if (this.credentials) {
+            headers.set("Access-Control-Allow-Credentials", "true");
+        }
+        return new Response(response.body, {
+            headers,
+            status: response.status,
+            statusText: response.statusText,
+        });
+    }
+}