gruber 0.7.0 → 0.8.0

package/CHANGELOG.md

@@ -2,6 +2,20 @@
 
 This file documents notable changes to the project
 
+## 0.8.0
+
+**features**
+
+- Add optional `options` parameter to `authz.assert` to check the scope
+- Add experimental `authz.from` method to parse the authenticated user
+- Add experimental `CompositeTokens` to combine multiple TokenServices together
+- Add experimental `Cors` utility for addings CORS headers to responses
+- Add experimental `cors` option to `FetchRouter`
+
+**fixes**
+
+- Add optional `res` parameter to `getResponseReadable` to propagate stream cancellations
+
 ## 0.7.0
 
 **new**

package/README.md

@@ -867,6 +867,11 @@ Use it to get a `Response` from the provided request, based on the router's rout
 const response = await router.getResponse(new Request("http://localhost"));
 ```
 
+**experimental**
+
+- `options.log` turn on HTTP logging with `true` or a custom
+- `options.cors` apply CORS headers with a [Cors](#cors) instance
+
 #### unstable http
 
 There are some unstable internal methods too:
@@ -877,6 +882,31 @@ There are some unstable internal methods too:
 - `getRequestBody(request)` Get the JSON of FormData body of a request
 - `assertRequestBody(struct, body)` Assert the body matches a structure and return the parsed value
 
+#### Cors
+
+There is an unstable API for applying [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS) headers to responses.
+
+```ts
+import { Cors } from "gruber";
+
+const cors = new Cors({
+	credentials: true,
+	origins: ["http://localhost:8080"],
+});
+
+const response = cors.apply(
+	new Request("http://localhsot:8000"),
+	new Response("ok"),
+);
+```
+
+It returns a clone of the response passed to it with CORS headers applied. You should no longer use the response passed into it. The headers it applies are:
+
+- `Access-Control-Allow-Methods` set to `GET, HEAD, PUT, PATCH, POST, DELETE`
+- `Access-Control-Allow-Headers` mirrors what is set on `Access-Control-Request-Headers` and adds that to `Vary`
+- `Access-Control-Allow-Origin` allows the `Origin` if it matches the `origins` parameter
+- `Access-Control-Allow-Credentials` is set to `true` if the `credentials` parameter is
+
 ### Postgres
 
 #### getPostgresMigratorOptions
@@ -1063,16 +1093,16 @@ const redis: RedisClientType;
 const store = new RedisStore(redis, { prefix: "/v2" });
 ```
 
-### JWT
+### Tokens
 
-An abstraction around signing a JWT for a user with an access scope.
+An abstraction around signing or storing a token for a user with an access scope.
 There is currently one implementation using [jose](https://github.com/panva/jose).
 
 ```ts
-import { JoseJwtService } from "gruber";
+import { JoseTokens } from "gruber";
 import * as jose from "jose";
 
-const jwt = new JoseJwtService(
+const jwt = new JoseTokens(
 	{
 		secret: "top_secret",
 		issuer: "myapp.io",
@@ -1091,6 +1121,22 @@ const token = await jwt.sign("user:books:read", {
 const parsed = await jwt.verify(token);
 ```
 
+There is also `CompositeTokens` which lets you combine multiple verifiers with one signer.
+For example, if your app has several methods a client might authenticate and one way it itself signs things,
+like a user token, or a static service or database app-token.
+
+> UNSTABLE
+
+```ts
+import { CompositeTokens, JoseTokens } from "gruber";
+import * as jose from "jose";
+
+const tokens = new CompositeTokens(new JoseTokens("..."), [
+	new JoseTokens("..."),
+	// Different token formats your app accepts
+]);
+```
+
 ### Authorization
 
 > UNSTABLE
@@ -1110,19 +1156,27 @@ const token = authz.getAuthorization(
 	}),
 );
 
-// { userId: number | undefined, scope: string }
+// { kind: 'user', userId: number , scope: string } | { kind: 'service', scope: string }
+const result = await authz.from(
+	new Request("https://example.com", {
+		headers: { Authorization: "Bearer some-long-secure-token" },
+	}),
+);
+
+// { kind: 'user', userId: number , scope: string } | { kind: 'service', scope: string }
 const { userId, scope } = await authz.assert(
 	new Request("https://example.com", {
 		headers: { Authorization: "Bearer some-long-secure-token" },
 	}),
+	{ scope: "repo:coffee-club" }, // optional
 );
 
-// { userId: number, scope: string }
+// { kind: 'user', userId: number, scope: string }
 const { userId, scope } = await authz.assertUser(
 	new Request("https://example.com", {
 		headers: { Cookie: "my_session=some-long-secure-token" },
 	}),
-	{ scope: "user:books:read" },
+	{ scope: "user:books:read" }, // optional
 );
 
 includesScope("user:books:read", "user:books:read"); // true
@@ -1520,11 +1574,18 @@ const server = http.createServer((req) => {
 `getResponseReadable` creates a [streams:Readable](https://nodejs.org/api/stream.html#class-streamreadable) from the body of a fetch Response.
 
 ```js
+import http from "node:http";
 import { getResponseReadable } from "gruber/node-router.js";
 
-const readable = getResponseReadable(new Response("some body"));
+const server = http.createServer((req, res) => {
+	const readable = getResponseReadable(new Response("some body"), res);
+});
 ```
 
+Pass in `res` if you want the readable to be cancelled if reading the response is aborted.
+
+> NOTE: This relies on the **experimental** [Readable.fromWeb](https://nodejs.org/api/stream.html#streamreadablefromwebreadablestream-options)
+
 ## Development
 
 WIP stuff

package/core/authorization.d.ts

@@ -12,13 +12,22 @@ export declare function _getRequestCookie(request: Request, cookieName: string):
 export declare function _expandScopes(scope: string): string[];
 export declare function _checkScope(actual: string, expected: string[]): boolean;
 export declare function includesScope(actual: string, expected: string): boolean;
+export interface AssertOptions {
+    scope?: string;
+}
 export interface AssertUserOptions {
     scope?: string;
 }
 export interface AssertUserResult {
+    kind: "user";
     userId: number;
     scope: string;
 }
+export interface AssertServiceResult {
+    kind: "service";
+    scope: string;
+}
+export type AuthorizationResult = AssertUserResult | AssertServiceResult;
 export interface AbstractAuthorizationService {
     getAuthorization(request: Request): string | null;
     assert(request: Request): Promise<AuthzToken>;
@@ -33,7 +42,10 @@ export declare class AuthorizationService implements AbstractAuthorizationServic
     tokens: TokenService;
     constructor(options: AuthorizationServiceOptions, tokens: TokenService);
     getAuthorization(request: Request): string | null;
-    assert(request: Request): Promise<AuthzToken>;
+    _processToken(verified: AuthzToken): AuthorizationResult;
+    /** @unstable use at your own risk */
+    from(request: Request): Promise<AuthorizationResult | null>;
+    assert(request: Request, options?: AssertOptions): Promise<AuthorizationResult>;
     assertUser(request: Request, options?: AssertUserOptions): Promise<AssertUserResult>;
 }
 //# sourceMappingURL=authorization.d.ts.map

package/core/authorization.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization.d.ts","sourceRoot":"","sources":["authorization.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEvD;;;GAGG;AACH,wBAAgB,WAAW,CAC1B,OAAO,EAAE,OAAO,GACd,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAapC;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,iBAIjD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,iBAMrE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,YAQ1C;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAM7D;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,WAE7D;AAED,MAAM,WAAW,iBAAiB;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAGD,MAAM,WAAW,gBAAgB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,4BAA4B;IAC5C,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,MAAM,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAC9C,UAAU,CACT,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE,iBAAiB,GACzB,OAAO,CAAC,gBAAgB,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,2BAA2B;IAC3C,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,gBAAgB;AAChB,qBAAa,oBAAqB,YAAW,4BAA4B;IAEhE,OAAO,EAAE,2BAA2B;IACpC,MAAM,EAAE,YAAY;gBADpB,OAAO,EAAE,2BAA2B,EACpC,MAAM,EAAE,YAAY;IAG5B,gBAAgB,CAAC,OAAO,EAAE,OAAO;IAO3B,MAAM,CAAC,OAAO,EAAE,OAAO;IAUvB,UAAU,CACf,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,iBAAsB,GAC7B,OAAO,CAAC,gBAAgB,CAAC;CAY5B"}
+{"version":3,"file":"authorization.d.ts","sourceRoot":"","sources":["authorization.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEvD;;;GAGG;AACH,wBAAgB,WAAW,CAC1B,OAAO,EAAE,OAAO,GACd,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAapC;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,iBAIjD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,iBAMrE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,YAQ1C;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAM7D;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,WAE7D;AAED,MAAM,WAAW,aAAa;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,iBAAiB;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAGD,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,mBAAmB;IACnC,IAAI,EAAE,SAAS,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,MAAM,mBAAmB,GAAG,gBAAgB,GAAG,mBAAmB,CAAC;AAEzE,MAAM,WAAW,4BAA4B;IAC5C,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,MAAM,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAC9C,UAAU,CACT,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE,iBAAiB,GACzB,OAAO,CAAC,gBAAgB,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,2BAA2B;IAC3C,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,gBAAgB;AAChB,qBAAa,oBAAqB,YAAW,4BAA4B;IAEhE,OAAO,EAAE,2BAA2B;IACpC,MAAM,EAAE,YAAY;gBADpB,OAAO,EAAE,2BAA2B,EACpC,MAAM,EAAE,YAAY;IAG5B,gBAAgB,CAAC,OAAO,EAAE,OAAO;IAOjC,aAAa,CAAC,QAAQ,EAAE,UAAU,GAAG,mBAAmB;IAMxD,qCAAqC;IAC/B,IAAI,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAQ3D,MAAM,CACX,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,aAAkB,GACzB,OAAO,CAAC,mBAAmB,CAAC;IAezB,UAAU,CACf,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,iBAAsB,GAC7B,OAAO,CAAC,gBAAgB,CAAC;CAS5B"}

package/core/authorization.js

@@ -67,23 +67,37 @@ export class AuthorizationService {
         return (_getRequestBearer(request) ??
             _getRequestCookie(request, this.options.cookieName));
     }
-    async assert(request) {
+    _processToken(verified) {
+        return typeof verified.userId === "number"
+            ? { kind: "user", userId: verified.userId, scope: verified.scope }
+            : { kind: "service", scope: verified.scope };
+    }
+    /** @unstable use at your own risk */
+    async from(request) {
+        const authz = this.getAuthorization(request);
+        if (!authz)
+            return null;
+        const verified = await this.tokens.verify(authz);
+        return verified ? this._processToken(verified) : null;
+    }
+    async assert(request, options = {}) {
         const authz = this.getAuthorization(request);
         if (!authz)
             throw HTTPError.unauthorized("no authorization present");
         const verified = await this.tokens.verify(authz);
         if (!verified)
             throw HTTPError.unauthorized("no valid authorization");
-        return verified;
+        if (options.scope && !includesScope(verified.scope, options.scope)) {
+            throw HTTPError.unauthorized("missing required scope: " + options.scope);
+        }
+        return this._processToken(verified);
     }
     async assertUser(request, options = {}) {
-        const verified = await this.assert(request);
-        const { userId, scope } = verified;
-        if (userId === undefined)
+        const verified = await this.assert(request, {
+            scope: options.scope,
+        });
+        if (verified.kind !== "user")
             throw HTTPError.unauthorized("not a user");
-        if (options.scope && !includesScope(scope, options.scope)) {
-            throw HTTPError.unauthorized("missing required scope: " + options.scope);
-        }
-        return { userId, scope };
+        return verified;
     }
 }

package/core/authorization.test.js

@@ -153,6 +153,32 @@ describe("AuthorizationService", () => {
 		});
 	});
 
+	describe("from", () => {
+		it("parses users", async () => {
+			const { authz } = setup();
+
+			const request = new Request("https://example.com", {
+				headers: { Authorization: 'Bearer {"scope":"statuses","userId":1}' },
+			});
+			assertEquals(await authz.from(request), {
+				kind: "user",
+				userId: 1,
+				scope: "statuses",
+			});
+		});
+		it("parses services", async () => {
+			const { authz } = setup();
+
+			const request = new Request("https://example.com", {
+				headers: { Authorization: 'Bearer {"scope":"coffee-club"}' },
+			});
+			assertEquals(await authz.from(request), {
+				kind: "service",
+				scope: "coffee-club",
+			});
+		});
+	});
+
 	describe("assert", () => {
 		it("parses bearer", async () => {
 			const { authz } = setup();
@@ -161,6 +187,7 @@ describe("AuthorizationService", () => {
 				headers: { Authorization: 'Bearer {"scope":"user","userId":1}' },
 			});
 			assertEquals(await authz.assert(request), {
+				kind: "user",
 				scope: "user",
 				userId: 1,
 			});
@@ -172,10 +199,22 @@ describe("AuthorizationService", () => {
 				headers: { Cookie: 'testing_session={"scope":"user","userId":1}' },
 			});
 			assertEquals(await authz.assert(request), {
+				kind: "user",
 				scope: "user",
 				userId: 1,
 			});
 		});
+		it("parses services", async () => {
+			const { authz } = setup();
+
+			const request = new Request("https://example.com", {
+				headers: { Authorization: 'Bearer {"scope":"coffee-club"}' },
+			});
+			assertEquals(await authz.assert(request), {
+				kind: "service",
+				scope: "coffee-club",
+			});
+		});
 	});
 
 	describe("assertUser", () => {
@@ -185,6 +224,7 @@ describe("AuthorizationService", () => {
 				headers: { Authorization: 'Bearer {"scope":"user","userId":1}' },
 			});
 			assertEquals(await authz.assertUser(request, { scope: "user" }), {
+				kind: "user",
 				userId: 1,
 				scope: "user",
 			});
@@ -195,6 +235,7 @@ describe("AuthorizationService", () => {
 				headers: { Cookie: 'testing_session={"scope":"user","userId":1}' },
 			});
 			assertEquals(await authz.assertUser(request, { scope: "user" }), {
+				kind: "user",
 				userId: 1,
 				scope: "user",
 			});

package/core/authorization.ts

@@ -61,16 +61,28 @@ export function includesScope(actual: string, expected: string) {
 	return _checkScope(actual, _expandScopes(expected));
 }
 
+export interface AssertOptions {
+	scope?: string;
+}
+
 export interface AssertUserOptions {
 	scope?: string;
 }
 
 // NOTE: should userId be a string for future-proofing / to align to JWTs?
 export interface AssertUserResult {
+	kind: "user";
 	userId: number;
 	scope: string;
 }
 
+export interface AssertServiceResult {
+	kind: "service";
+	scope: string;
+}
+
+export type AuthorizationResult = AssertUserResult | AssertServiceResult;
+
 export interface AbstractAuthorizationService {
 	getAuthorization(request: Request): string | null;
 	assert(request: Request): Promise<AuthzToken>;
@@ -98,29 +110,49 @@ export class AuthorizationService implements AbstractAuthorizationService {
 		);
 	}
 
-	async assert(request: Request) {
+	_processToken(verified: AuthzToken): AuthorizationResult {
+		return typeof verified.userId === "number"
+			? { kind: "user", userId: verified.userId, scope: verified.scope }
+			: { kind: "service", scope: verified.scope };
+	}
+
+	/** @unstable use at your own risk */
+	async from(request: Request): Promise<AuthorizationResult | null> {
+		const authz = this.getAuthorization(request);
+		if (!authz) return null;
+
+		const verified = await this.tokens.verify(authz);
+		return verified ? this._processToken(verified) : null;
+	}
+
+	async assert(
+		request: Request,
+		options: AssertOptions = {},
+	): Promise<AuthorizationResult> {
 		const authz = this.getAuthorization(request);
 
 		if (!authz) throw HTTPError.unauthorized("no authorization present");
 
 		const verified = await this.tokens.verify(authz);
 		if (!verified) throw HTTPError.unauthorized("no valid authorization");
-		return verified;
+
+		if (options.scope && !includesScope(verified.scope, options.scope)) {
+			throw HTTPError.unauthorized("missing required scope: " + options.scope);
+		}
+
+		return this._processToken(verified);
 	}
 
 	async assertUser(
 		request: Request,
 		options: AssertUserOptions = {},
 	): Promise<AssertUserResult> {
-		const verified = await this.assert(request);
-
-		const { userId, scope } = verified;
-		if (userId === undefined) throw HTTPError.unauthorized("not a user");
+		const verified = await this.assert(request, {
+			scope: options.scope,
+		});
 
-		if (options.scope && !includesScope(scope, options.scope)) {
-			throw HTTPError.unauthorized("missing required scope: " + options.scope);
-		}
+		if (verified.kind !== "user") throw HTTPError.unauthorized("not a user");
 
-		return { userId, scope };
+		return verified;
 	}
 }

package/core/cors.d.ts

@@ -0,0 +1,15 @@
+interface CorsOptions {
+    /** Origins you want to be allowed to access this server or "*" for any server */
+    origins?: string[];
+    /** Whether to allow credentials in requests, default: false */
+    credentials?: boolean;
+}
+/** @unstable */
+export declare class Cors {
+    origins: Set<string>;
+    credentials: boolean;
+    constructor(options?: CorsOptions);
+    apply(request: Request, response: Response): Response;
+}
+export {};
+//# sourceMappingURL=cors.d.ts.map

package/core/cors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["cors.ts"],"names":[],"mappings":"AAUA,UAAU,WAAW;IACpB,iFAAiF;IACjF,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IAEnB,+DAA+D;IAC/D,WAAW,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,gBAAgB;AAChB,qBAAa,IAAI;IAChB,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACrB,WAAW,EAAE,OAAO,CAAC;gBACT,OAAO,GAAE,WAAgB;IAKrC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ;CAmD1C"}

package/core/cors.js

@@ -0,0 +1,50 @@
+//
+// This was loosely based on https://github.com/expressjs/cors/blob/master/lib/index.js
+//
+// Future work:
+// - "allowedHeaders" to allow-list headers for request-headers
+// - An option for "origins" to be dynamic so it could be pulled from a source like the database
+// - An option to configure which methods are allowed
+//
+/** @unstable */
+export class Cors {
+    origins;
+    credentials;
+    constructor(options = {}) {
+        this.credentials = options.credentials ?? false;
+        this.origins = new Set(options.origins ?? ["*"]);
+    }
+    apply(request, response) {
+        const headers = new Headers(response.headers);
+        // HTTP methods
+        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Methods
+        headers.set("Access-Control-Allow-Methods", "GET, HEAD, PUT, PATCH, POST, DELETE");
+        // Headers
+        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Request-Headers
+        if (request.headers.has("Access-Control-Request-Headers")) {
+            headers.append("Access-Control-Allow-Headers", request.headers.get("Access-Control-Request-Headers"));
+            headers.append("Vary", "Access-Control-Request-Headers");
+        }
+        // Origins
+        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Origin
+        if (this.origins.has("*")) {
+            headers.set("Access-Control-Allow-Origin", request.headers.get("origin") ?? "*");
+            headers.append("Vary", "Origin");
+        }
+        else if (request.headers.has("origin") &&
+            this.origins.has(request.headers.get("origin"))) {
+            headers.set("Access-Control-Allow-Origin", request.headers.get("origin"));
+            headers.append("Vary", "Origin");
+        }
+        // Credentials
+        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Credentials
+        if (this.credentials) {
+            headers.set("Access-Control-Allow-Credentials", "true");
+        }
+        return new Response(response.body, {
+            headers,
+            status: response.status,
+            statusText: response.statusText,
+        });
+    }
+}

package/core/cors.test.js

@@ -0,0 +1,134 @@
+import { Cors } from "./cors.ts";
+import { assertEquals, assertMatch, describe, it } from "./test-deps.js";
+
+describe("Cors", () => {
+	describe("constructor", () => {
+		it("stores credentials", () => {
+			const cors = new Cors({ credentials: true });
+			assertEquals(cors.credentials, true);
+		});
+		it("stores origins", () => {
+			const cors = new Cors({
+				origins: ["https://duck.com", "https://example.com"],
+			});
+			assertEquals(
+				cors.origins,
+				new Set(["https://duck.com", "https://example.com"]),
+			);
+		});
+	});
+
+	describe("apply", () => {
+		it("adds methods header", () => {
+			const request = new Request("http://testing.local");
+			const cors = new Cors();
+			const response = cors.apply(request, new Response());
+
+			assertEquals(
+				response.headers.get("Access-Control-Allow-Methods"),
+				"GET, HEAD, PUT, PATCH, POST, DELETE",
+			);
+		});
+		it("adds request headers", () => {
+			const request = new Request("http://testing.local", {
+				headers: {
+					"Access-Control-Request-Headers": ["content-type", "x-pingother"],
+				},
+			});
+			const cors = new Cors();
+			const response = cors.apply(request, new Response());
+
+			assertEquals(
+				response.headers.get("Access-Control-Allow-Headers"),
+				"content-type,x-pingother",
+				"should add the headers to Access-Control-Allow-Headers",
+			);
+			assertMatch(
+				response.headers.get("Vary"),
+				/Access-Control-Request-Headers/,
+				"should modify the Vary header",
+			);
+		});
+		it("adds wildcard origins", () => {
+			const request = new Request("http://testing.local");
+			const cors = new Cors({ origins: ["*"] });
+			const response = cors.apply(request, new Response());
+
+			assertEquals(
+				response.headers.get("Access-Control-Allow-Origin"),
+				"*",
+				"should respond with a wildcard if no origin is available",
+			);
+			assertMatch(
+				response.headers.get("Vary"),
+				/Origin/,
+				"should modify the Vary header",
+			);
+		});
+		it("adds requested wildcard origin", () => {
+			const request = new Request("http://testing.local", {
+				headers: { Origin: "http://testing.local" },
+			});
+			const cors = new Cors({ origins: ["*"] });
+			const response = cors.apply(request, new Response());
+
+			assertEquals(
+				response.headers.get("Access-Control-Allow-Origin"),
+				"http://testing.local",
+				"should respond with the requested origin",
+			);
+			assertMatch(
+				response.headers.get("Vary"),
+				/Origin/,
+				"should modify the Vary header",
+			);
+		});
+		it("adds specific origins", () => {
+			const request = new Request("http://testing.local", {
+				headers: { Origin: "http://testing.local" },
+			});
+			const cors = new Cors({ origins: ["http://testing.local"] });
+			const response = cors.apply(request, new Response());
+
+			assertEquals(
+				response.headers.get("Access-Control-Allow-Origin"),
+				"http://testing.local",
+				"should respond with the requested origin",
+			);
+			assertMatch(
+				response.headers.get("Vary"),
+				/Origin/,
+				"should modify the Vary header",
+			);
+		});
+
+		it("adds credentials", () => {
+			const request = new Request("http://testing.local");
+			const cors = new Cors({ credentials: true });
+			const response = cors.apply(request, new Response());
+
+			assertEquals(
+				response.headers.get("Access-Control-Allow-Credentials"),
+				"true",
+			);
+		});
+
+		it("clones the response", async () => {
+			const request = new Request("http://testing.local");
+			const cors = new Cors();
+			const response = cors.apply(
+				request,
+				new Response("ok", {
+					status: 418,
+					statusText: "I'm a teapot",
+					headers: { "X-Hotel-Bar": "Hotel Bar" },
+				}),
+			);
+
+			assertEquals(response.status, 418);
+			assertEquals(response.statusText, "I'm a teapot");
+			assertEquals(await response.text(), "ok");
+			assertEquals(response.headers.get("X-Hotel-Bar"), "Hotel Bar");
+		});
+	});
+});

package/core/cors.ts

@@ -0,0 +1,79 @@
+//
+// This was loosely based on https://github.com/expressjs/cors/blob/master/lib/index.js
+//
+// Future work:
+// - "allowedHeaders" to allow-list headers for request-headers
+// - An option for "origins" to be dynamic so it could be pulled from a source like the database
+// - An option to configure which methods are allowed
+//
+
+//
+interface CorsOptions {
+	/** Origins you want to be allowed to access this server or "*" for any server */
+	origins?: string[];
+
+	/** Whether to allow credentials in requests, default: false */
+	credentials?: boolean;
+}
+
+/** @unstable */
+export class Cors {
+	origins: Set<string>;
+	credentials: boolean;
+	constructor(options: CorsOptions = {}) {
+		this.credentials = options.credentials ?? false;
+		this.origins = new Set(options.origins ?? ["*"]);
+	}
+
+	apply(request: Request, response: Response) {
+		const headers = new Headers(response.headers);
+
+		// HTTP methods
+		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Methods
+		headers.set(
+			"Access-Control-Allow-Methods",
+			"GET, HEAD, PUT, PATCH, POST, DELETE",
+		);
+
+		// Headers
+		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Request-Headers
+		if (request.headers.has("Access-Control-Request-Headers")) {
+			headers.append(
+				"Access-Control-Allow-Headers",
+				request.headers.get("Access-Control-Request-Headers")!,
+			);
+			headers.append("Vary", "Access-Control-Request-Headers");
+		}
+
+		// Origins
+		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Origin
+		if (this.origins.has("*")) {
+			headers.set(
+				"Access-Control-Allow-Origin",
+				request.headers.get("origin") ?? "*",
+			);
+			headers.append("Vary", "Origin");
+		} else if (
+			request.headers.has("origin") &&
+			this.origins.has(request.headers.get("origin")!)
+		) {
+			headers.set(
+				"Access-Control-Allow-Origin",
+				request.headers.get("origin")!,
+			);
+			headers.append("Vary", "Origin");
+		}
+
+		// Credentials
+		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Credentials
+		if (this.credentials) {
+			headers.set("Access-Control-Allow-Credentials", "true");
+		}
+
+		return new Response(response.body, {
+			headers,
+			status: response.status,
+			statusText: response.statusText,
+		});
+	}
+}

package/core/fetch-router.d.ts

@@ -1,3 +1,4 @@
+import { Cors } from "./cors.ts";
 import { RouteDefinition } from "./http.ts";
 export type RouteErrorHandler = (error: unknown, request: Request) => unknown;
 export interface MatchedRoute {
@@ -10,10 +11,12 @@ export interface FetchRouterOptions {
     errorHandler?: RouteErrorHandler;
     /** @unstable */
     log?: boolean | _RouteMiddleware;
+    /** @unstable */
+    cors?: Cors;
 }
 /** @unstable */
 export interface _RouteMiddleware {
-    (request: Request, response: Response): void;
+    (request: Request, response: Response): Promise<Response> | Response;
 }
 /** A rudimentary HTTP router using fetch Request & Responses with RouteDefinitions based on URLPattern */
 export declare class FetchRouter {

package/core/fetch-router.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fetch-router.d.ts","sourceRoot":"","sources":["fetch-router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAa,eAAe,EAAE,MAAM,WAAW,CAAC;AAEvD,MAAM,MAAM,iBAAiB,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC;AAE9E,MAAM,WAAW,YAAY;IAC5B,KAAK,EAAE,eAAe,CAAC;IACvB,GAAG,EAAE,GAAG,CAAC;IACT,MAAM,EAAE,gBAAgB,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IAClC,MAAM,CAAC,EAAE,eAAe,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,iBAAiB,CAAC;IAEjC,gBAAgB;IAChB,GAAG,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAAC;CACjC;AAED,gBAAgB;AAChB,MAAM,WAAW,gBAAgB;IAChC,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAC;CAC7C;AAMD,0GAA0G;AAC1G,qBAAa,WAAW;IACvB,MAAM,EAAE,eAAe,EAAE,CAAC;IAC1B,YAAY,EAAE,iBAAiB,GAAG,SAAS,CAAC;IAC5C,WAAW,EAAE,gBAAgB,EAAE,CAAM;gBAEzB,OAAO,GAAE,kBAAuB;IAO5C;;;OAGG;IACF,kBAAkB,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ,CAAC,YAAY,CAAC;IAa7D;;OAEG;IACG,cAAc,CACnB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,QAAQ,CAAC,YAAY,CAAC,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAepB,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,GAAG,QAAQ;IAUjD,WAAW,CAAC,OAAO,EAAE,OAAO;CAYlC"}
+{"version":3,"file":"fetch-router.d.ts","sourceRoot":"","sources":["fetch-router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAa,eAAe,EAAE,MAAM,WAAW,CAAC;AAEvD,MAAM,MAAM,iBAAiB,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC;AAE9E,MAAM,WAAW,YAAY;IAC5B,KAAK,EAAE,eAAe,CAAC;IACvB,GAAG,EAAE,GAAG,CAAC;IACT,MAAM,EAAE,gBAAgB,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IAClC,MAAM,CAAC,EAAE,eAAe,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,iBAAiB,CAAC;IAEjC,gBAAgB;IAChB,GAAG,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAAC;IAEjC,gBAAgB;IAChB,IAAI,CAAC,EAAE,IAAI,CAAC;CACZ;AAED,gBAAgB;AAChB,MAAM,WAAW,gBAAgB;IAChC,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC;CACrE;AAOD,0GAA0G;AAC1G,qBAAa,WAAW;IACvB,MAAM,EAAE,eAAe,EAAE,CAAC;IAC1B,YAAY,EAAE,iBAAiB,GAAG,SAAS,CAAC;IAC5C,WAAW,EAAE,gBAAgB,EAAE,CAAM;gBAEzB,OAAO,GAAE,kBAAuB;IAU5C;;;OAGG;IACF,kBAAkB,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ,CAAC,YAAY,CAAC;IAa7D;;OAEG;IACG,cAAc,CACnB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,QAAQ,CAAC,YAAY,CAAC,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAepB,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,GAAG,QAAQ;IAUjD,WAAW,CAAC,OAAO,EAAE,OAAO;CAclC"}

package/core/fetch-router.js

@@ -1,6 +1,7 @@
 import { HTTPError } from "./http.js";
 function _defaultLogger(request, response) {
     console.debug(response.status, request.method.padEnd(5), request.url);
+    return response;
 }
 /** A rudimentary HTTP router using fetch Request & Responses with RouteDefinitions based on URLPattern */
 export class FetchRouter {
@@ -14,6 +15,9 @@ export class FetchRouter {
             this._middleware.push(_defaultLogger);
         if (typeof options.log === "function")
             this._middleware.push(options.log);
+        if (options.cors) {
+            this._middleware.push((req, res) => options.cors.apply(req, res));
+        }
     }
     /**
      * Finds routes that match the request method and URLPattern
@@ -57,8 +61,10 @@ export class FetchRouter {
     }
     async getResponse(request) {
         try {
-            const response = await this.processMatches(request, this.findMatchingRoutes(request));
-            this._middleware.forEach((fn) => fn(request, response));
+            let response = await this.processMatches(request, this.findMatchingRoutes(request));
+            for (const fn of this._middleware) {
+                response = await fn(request, response);
+            }
             return response;
         }
         catch (error) {

package/core/fetch-router.ts

@@ -1,3 +1,4 @@
+import { Cors } from "./cors.ts";
 import { HTTPError, RouteDefinition } from "./http.ts";
 
 export type RouteErrorHandler = (error: unknown, request: Request) => unknown;
@@ -14,15 +15,19 @@ export interface FetchRouterOptions {
 
 	/** @unstable */
 	log?: boolean | _RouteMiddleware;
+
+	/** @unstable */
+	cors?: Cors;
 }
 
 /** @unstable */
 export interface _RouteMiddleware {
-	(request: Request, response: Response): void;
+	(request: Request, response: Response): Promise<Response> | Response;
 }
 
 function _defaultLogger(request: Request, response: Response) {
 	console.debug(response.status, request.method.padEnd(5), request.url);
+	return response;
 }
 
 /** A rudimentary HTTP router using fetch Request & Responses with RouteDefinitions based on URLPattern */
@@ -36,6 +41,9 @@ export class FetchRouter {
 		this.errorHandler = options.errorHandler ?? undefined;
 		if (options.log === true) this._middleware.push(_defaultLogger);
 		if (typeof options.log === "function") this._middleware.push(options.log);
+		if (options.cors) {
+			this._middleware.push((req, res) => options.cors!.apply(req, res));
+		}
 	}
 
 	/**
@@ -88,11 +96,13 @@ export class FetchRouter {
 
 	async getResponse(request: Request) {
 		try {
-			const response = await this.processMatches(
+			let response = await this.processMatches(
 				request,
 				this.findMatchingRoutes(request),
 			);
-			this._middleware.forEach((fn) => fn(request, response));
+			for (const fn of this._middleware) {
+				response = await fn(request, response);
+			}
 			return response;
 		} catch (error) {
 			return this.handleError(request, error);

package/core/mod.d.ts

@@ -1,9 +1,9 @@
 export * from "./authentication.ts";
 export * from "./authorization.ts";
 export * from "./configuration.ts";
+export * from "./cors.ts";
 export * from "./fetch-router.ts";
 export * from "./http.ts";
-export * from "./tokens.ts";
 export * from "./migrator.ts";
 export * from "./postgres.ts";
 export * from "./random.ts";
@@ -12,5 +12,6 @@ export * from "./store.ts";
 export * from "./structures.ts";
 export * from "./terminator.ts";
 export * from "./timers.ts";
+export * from "./tokens.ts";
 export * from "./utilities.ts";
 //# sourceMappingURL=mod.d.ts.map

package/core/mod.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["mod.ts"],"names":[],"mappings":"AAAA,cAAc,qBAAqB,CAAC;AACpC,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC;AAClC,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,cAAc,eAAe,CAAC;AAC9B,cAAc,aAAa,CAAC;AAC5B,cAAc,yBAAyB,CAAC;AACxC,cAAc,YAAY,CAAC;AAC3B,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,aAAa,CAAC;AAC5B,cAAc,gBAAgB,CAAC"}
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["mod.ts"],"names":[],"mappings":"AAAA,cAAc,qBAAqB,CAAC;AACpC,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC;AACnC,cAAc,WAAW,CAAC;AAC1B,cAAc,mBAAmB,CAAC;AAClC,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC;AAC9B,cAAc,eAAe,CAAC;AAC9B,cAAc,aAAa,CAAC;AAC5B,cAAc,yBAAyB,CAAC;AACxC,cAAc,YAAY,CAAC;AAC3B,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,gBAAgB,CAAC"}

package/core/mod.js

@@ -1,9 +1,9 @@
 export * from "./authentication.js";
 export * from "./authorization.js";
 export * from "./configuration.js";
+export * from "./cors.js";
 export * from "./fetch-router.js";
 export * from "./http.js";
-export * from "./tokens.js";
 export * from "./migrator.js";
 export * from "./postgres.js";
 export * from "./random.js";
@@ -12,4 +12,5 @@ export * from "./store.js";
 export * from "./structures.js";
 export * from "./terminator.js";
 export * from "./timers.js";
+export * from "./tokens.js";
 export * from "./utilities.js";

package/core/mod.ts

@@ -1,9 +1,9 @@
 export * from "./authentication.ts";
 export * from "./authorization.ts";
 export * from "./configuration.ts";
+export * from "./cors.ts";
 export * from "./fetch-router.ts";
 export * from "./http.ts";
-export * from "./tokens.ts";
 export * from "./migrator.ts";
 export * from "./postgres.ts";
 export * from "./random.ts";
@@ -12,4 +12,5 @@ export * from "./store.ts";
 export * from "./structures.ts";
 export * from "./terminator.ts";
 export * from "./timers.ts";
+export * from "./tokens.ts";
 export * from "./utilities.ts";

package/core/tokens.d.ts

@@ -25,4 +25,15 @@ export declare class JoseTokens implements TokenService {
     verify(input: string): Promise<AuthzToken | null>;
     sign(scope: string, options?: SignTokenOptions): Promise<string>;
 }
+/**
+ * @unstable
+ * A TokenService with multiple verification methods and a single signer
+ */
+export declare class CompositeTokens implements TokenService {
+    signer: TokenService;
+    verifiers: TokenService[];
+    constructor(signer: TokenService, verifiers: TokenService[]);
+    verify(token: string): Promise<AuthzToken | null>;
+    sign(scope: string, options?: SignTokenOptions): Promise<string>;
+}
 //# sourceMappingURL=tokens.d.ts.map

package/core/tokens.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["tokens.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,UAAU;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,mBAAmB,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CACpC;AAED,wDAAwD;AACxD,MAAM,WAAW,YAAY;IAC5B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IAClD,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACjE;AAED,MAAM,WAAW,iBAAiB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,qBAAa,UAAW,YAAW,YAAY;;IAC9C,OAAO,EAAE,iBAAiB,CAAC;IAC3B,IAAI,EAAE,cAAc,CAAC;gBAGT,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,cAAc;IAMtD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAgBvD,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB;CAgBlD"}
+{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["tokens.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,UAAU;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,mBAAmB,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CACpC;AAED,wDAAwD;AACxD,MAAM,WAAW,YAAY;IAC5B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IAClD,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACjE;AAED,MAAM,WAAW,iBAAiB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,qBAAa,UAAW,YAAW,YAAY;;IAC9C,OAAO,EAAE,iBAAiB,CAAC;IAC3B,IAAI,EAAE,cAAc,CAAC;gBAGT,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,cAAc;IAMtD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAgBvD,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB;CAgBlD;AAED;;;GAGG;AACH,qBAAa,eAAgB,YAAW,YAAY;IACnD,MAAM,EAAE,YAAY,CAAC;IACrB,SAAS,EAAE,YAAY,EAAE,CAAC;gBACd,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE;IAKrD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAOvD,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAAC,MAAM,CAAC;CAGpE"}

package/core/tokens.js

@@ -38,3 +38,26 @@ export class JoseTokens {
         return jwt.sign(this.#secret);
     }
 }
+/**
+ * @unstable
+ * A TokenService with multiple verification methods and a single signer
+ */
+export class CompositeTokens {
+    signer;
+    verifiers;
+    constructor(signer, verifiers) {
+        this.signer = signer;
+        this.verifiers = verifiers;
+    }
+    async verify(token) {
+        for (const verifier of this.verifiers) {
+            const result = await verifier.verify(token);
+            if (result)
+                return result;
+        }
+        return null;
+    }
+    sign(scope, options = {}) {
+        return this.signer.sign(scope, options);
+    }
+}

package/core/tokens.test.js

@@ -0,0 +1,43 @@
+import {
+	assertEquals,
+	assertThrows,
+	describe,
+	fakeTokens,
+	it,
+} from "./test-deps.js";
+import { CompositeTokens } from "./tokens.ts";
+
+describe("CompositeTokens", () => {
+	describe("verify", () => {
+		it("tries each verifier", async () => {
+			const tokens = new CompositeTokens(
+				{ sign: () => Promise.resolve("signed_token") },
+				[
+					{ verify: () => Promise.resolve(null) },
+					{ verify: () => Promise.resolve(null) },
+					{ verify: () => Promise.resolve({ userId: 1, scope: "statuses" }) },
+					{ verify: () => Promise.resolve({ userId: 2, scope: "invalid" }) },
+				],
+			);
+
+			assertEquals(await tokens.verify("input_token"), {
+				userId: 1,
+				scope: "statuses",
+			});
+		});
+	});
+
+	describe("sign", () => {
+		it("uses the signer", async () => {
+			const tokens = new CompositeTokens(
+				{
+					sign: (scope, options) =>
+						Promise.resolve(`${scope}__${options.userId}`),
+				},
+				[],
+			);
+
+			assertEquals(await tokens.sign("statuses", { userId: 1 }), "statuses__1");
+		});
+	});
+});

package/core/tokens.ts

@@ -66,3 +66,27 @@ export class JoseTokens implements TokenService {
 		return jwt.sign(this.#secret);
 	}
 }
+
+/**
+ * @unstable
+ * A TokenService with multiple verification methods and a single signer
+ */
+export class CompositeTokens implements TokenService {
+	signer: TokenService;
+	verifiers: TokenService[];
+	constructor(signer: TokenService, verifiers: TokenService[]) {
+		this.signer = signer;
+		this.verifiers = verifiers;
+	}
+
+	async verify(token: string): Promise<AuthzToken | null> {
+		for (const verifier of this.verifiers) {
+			const result = await verifier.verify(token);
+			if (result) return result;
+		}
+		return null;
+	}
+	sign(scope: string, options: SignTokenOptions = {}): Promise<string> {
+		return this.signer.sign(scope, options);
+	}
+}

package/package.json

@@ -23,5 +23,5 @@
       "import": "./source/*.js"
     }
   },
-  "version": "0.7.0"
+  "version": "0.8.0"
 }

package/source/node-router.d.ts

@@ -29,7 +29,7 @@ export declare function applyResponse(response: Response, res: ServerResponse):
 export declare function getFetchRequest(req: IncomingMessage): Request;
 export declare function getFetchHeaders(input: IncomingHttpHeaders): Headers;
 export declare function getIncomingMessageBody(req: IncomingMessage): BodyInit | undefined;
-export declare function getResponseReadable(response: Response): Readable;
+export declare function getResponseReadable(response: Response, res?: ServerResponse): Readable;
 /** @unstable */
 export interface ServeHTTPOptions {
     port: number;

package/source/node-router.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"node-router.d.ts","sourceRoot":"","sources":["node-router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAEN,mBAAmB,EACnB,eAAe,EACf,eAAe,EACf,cAAc,EACd,MAAM,WAAW,CAAC;AAEnB,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEhD,MAAM,WAAW,iBAAiB;IACjC,MAAM,CAAC,EAAE,eAAe,EAAE,CAAC;CAC3B;AAED;;;;;;;;;;EAUE;AACF,qBAAa,UAAU;IACtB,MAAM,EAAE,WAAW,CAAC;gBACR,OAAO,GAAE,iBAAsB;IAO3C,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAIhD,aAAa,IAAI,eAAe;IAQhC,YAAY,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI;IAIpD,OAAO,CAAC,GAAG,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,GAAG,IAAI;CAGtD;AAED,wBAAgB,aAAa,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,cAAc,GAAG,IAAI,CAS3E;AAED,wBAAgB,eAAe,CAAC,GAAG,EAAE,eAAe,WAYnD;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,mBAAmB,WAOzD;AAID,wBAAgB,sBAAsB,CACrC,GAAG,EAAE,eAAe,GAClB,QAAQ,GAAG,SAAS,CAItB;AAED,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,YAGrD;AAED,gBAAgB;AAChB,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,gBAAgB;AAChB,MAAM,WAAW,gBAAgB;IAChC,CAAC,OAAO,EAAE,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;CAC3C;AAED,gFAAgF;AAChF,wBAAgB,SAAS,CACxB,OAAO,EAAE,gBAAgB,EACzB,OAAO,EAAE,gBAAgB,wEAuBzB"}
+{"version":3,"file":"node-router.d.ts","sourceRoot":"","sources":["node-router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAEN,mBAAmB,EACnB,eAAe,EACf,eAAe,EACf,cAAc,EACd,MAAM,WAAW,CAAC;AAEnB,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEhD,MAAM,WAAW,iBAAiB;IACjC,MAAM,CAAC,EAAE,eAAe,EAAE,CAAC;CAC3B;AAED;;;;;;;;;;EAUE;AACF,qBAAa,UAAU;IACtB,MAAM,EAAE,WAAW,CAAC;gBACR,OAAO,GAAE,iBAAsB;IAO3C,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAIhD,aAAa,IAAI,eAAe;IAQhC,YAAY,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI;IAIpD,OAAO,CAAC,GAAG,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,GAAG,IAAI;CAGtD;AAED,wBAAgB,aAAa,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,cAAc,GAAG,IAAI,CAS3E;AAED,wBAAgB,eAAe,CAAC,GAAG,EAAE,eAAe,WAYnD;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,mBAAmB,WAOzD;AAID,wBAAgB,sBAAsB,CACrC,GAAG,EAAE,eAAe,GAClB,QAAQ,GAAG,SAAS,CAItB;AAED,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,CAAC,EAAE,cAAc,YAU3E;AAED,gBAAgB;AAChB,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,gBAAgB;AAChB,MAAM,WAAW,gBAAgB;IAChC,CAAC,OAAO,EAAE,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;CAC3C;AAED,gFAAgF;AAChF,wBAAgB,SAAS,CACxB,OAAO,EAAE,gBAAgB,EACzB,OAAO,EAAE,gBAAgB,wEAuBzB"}

package/source/node-router.js

@@ -79,9 +79,14 @@ export function getIncomingMessageBody(req) {
         return undefined;
     return Readable.toWeb(req);
 }
-export function getResponseReadable(response) {
-    // TODO: check this...
-    return Readable.fromWeb(response.body);
+export function getResponseReadable(response, res) {
+    const ac = new AbortController();
+    // Abort controller if the response is aborted (ie the user cancelled streaming)
+    res?.once("close", () => {
+        console.log("@gruber res close");
+        ac.abort();
+    });
+    return Readable.fromWeb(response.body, { signal: ac.signal });
 }
 /** @unstable A node version of Deno.serve now all the polyfills are in place */
 export function serveHTTP(options, handler) {

package/source/node-router.ts

@@ -100,9 +100,16 @@ export function getIncomingMessageBody(
 	return Readable.toWeb(req) as ReadableStream;
 }
 
-export function getResponseReadable(response: Response) {
-	// TODO: check this...
-	return Readable.fromWeb(response.body as any);
+export function getResponseReadable(response: Response, res?: ServerResponse) {
+	const ac = new AbortController();
+
+	// Abort controller if the response is aborted (ie the user cancelled streaming)
+	res?.once("close", () => {
+		console.log("@gruber res close");
+		ac.abort();
+	});
+
+	return Readable.fromWeb(response.body as any, { signal: ac.signal });
 }
 
 /** @unstable */