heyio 3.0.12 → 3.0.13
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE/D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AA+
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE/D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AA+EhD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,QAAQ,IACtC,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAmC9D;AAED;;;GAGG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAc5F"}
|
|
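--- a/auth.js
+++ b/auth.js
@@ -9,31 +9,64 @@ const EXEMPT_ROUTES = [
 function isExempt(method, path) {
 return EXEMPT_ROUTES.some((r) => r.method === method.toUpperCase() && path.startsWith(r.path));
 }
-// Cached JWKS fetcher
+// Cached JWKS fetcher
 let jwks = null;
-function getJwks(
+function getJwks(projectUrl) {
 if (!jwks) {
-const jwksUrl = new URL('/auth/v1/
+const jwksUrl = new URL('/auth/v1/.well-known/jwks.json', projectUrl);
 jwks = createRemoteJWKSet(jwksUrl);
 }
 return jwks;
 }
 /**
-* Verify a Supabase JWT token
-*
-*
+* Verify a Supabase JWT token using multiple strategies:
+* 1. JWKS (asymmetric RS256/ES256) if projectUrl is available
+* 2. Shared secret (HS256) if jwtSecret is available
+* 3. Supabase Auth server introspection as final fallback
 */
 async function verifyToken(config, token) {
+const errors = [];
+// Strategy 1: Try JWKS verification (asymmetric signing)
 if (config.supabase.projectUrl) {
-
-
-
+try {
+const keySet = getJwks(config.supabase.projectUrl);
+await jwtVerify(token, keySet, { clockTolerance: 30 });
+return true;
+}
+catch (err) {
+errors.push(`JWKS: ${err instanceof Error ? err.message : 'unknown'}`);
+}
 }
+// Strategy 2: Try shared secret (HS256)
 if (config.supabase.jwtSecret) {
-
-
-
+try {
+const secret = new TextEncoder().encode(config.supabase.jwtSecret);
+await jwtVerify(token, secret, { clockTolerance: 30 });
+return true;
+}
+catch (err) {
+errors.push(`HS256: ${err instanceof Error ? err.message : 'unknown'}`);
+}
+}
+// Strategy 3: Verify via Supabase Auth server (introspection)
+if (config.supabase.projectUrl && config.supabase.anonKey) {
+try {
+const res = await fetch(`${config.supabase.projectUrl}/auth/v1/user`, {
+headers: {
+apikey: config.supabase.anonKey,
+Authorization: `Bearer ${token}`,
+},
+});
+if (res.ok) {
+return true;
+}
+errors.push(`Auth server: HTTP ${res.status}`);
+}
+catch (err) {
+errors.push(`Auth server: ${err instanceof Error ? err.message : 'unknown'}`);
+}
 }
+logger().warn({ strategies: errors.join('; ') }, 'All JWT verification strategies failed');
 return false;
 }
 /**
@@ -60,7 +93,14 @@ export function authMiddleware(config) {
 }
 const token = authHeader.slice(7);
 verifyToken(config, token)
-.then(() =>
+.then((valid) => {
+if (valid) {
+next();
+}
+else {
+res.status(401).json({ error: 'Invalid or expired token' });
+}
+})
 .catch((err) => {
 const errMessage = err instanceof Error ? err.message : 'Unknown error';
 logger().warn({ err: errMessage }, 'JWT verification failed');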
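Review bot: Neither `jwtVerify` call in the new verifyToken constrains the token's claims: the JWKS and HS256 strategies return true on any token with a valid signature and discard the verified payload (`iss`, `aud`, `role`, `sub`), so a token minted for a different audience or role is accepted as a login. If, as is usual for Supabase projects, the publishable anon key is itself an HS256 JWT signed with the same `jwtSecret`, strategy 2 would also accept that browser-shipped key as a bearer token, which is worth confirming against the project's key format. Pass the expected claims through jose's options, e.g. `await jwtVerify(token, keySet, { clockTolerance: 30, issuer: EXPECTED_ISSUER, audience: EXPECTED_AUDIENCE })` (and the same for the secret path), with the placeholders filled from the project's token configuration. The strategy-3 `fetch` on the new side also has no timeout or abort signal, so a slow Auth server stalls every token that failed the first two strategies until the socket gives up; `signal: AbortSignal.timeout(ms)` (where the runtime provides it) bounds that. The second hunk of this section sits inside authMiddleware, whose body starts outside the hunk.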
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/api/middleware/auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAErD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,MAAM,GAAG,GAAG,EAAE,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;AAE/C,0EAA0E;AAC1E,MAAM,aAAa,GAA4C;IAC9D,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE;IAClC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE;CAClC,CAAC;AAEF,SAAS,QAAQ,CAAC,MAAc,EAAE,IAAY;IAC7C,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,WAAW,EAAE,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;AAChG,CAAC;AAED,
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/api/middleware/auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAErD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,MAAM,GAAG,GAAG,EAAE,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;AAE/C,0EAA0E;AAC1E,MAAM,aAAa,GAA4C;IAC9D,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE;IAClC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE;CAClC,CAAC;AAEF,SAAS,QAAQ,CAAC,MAAc,EAAE,IAAY;IAC7C,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,WAAW,EAAE,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;AAChG,CAAC;AAED,sBAAsB;AACtB,IAAI,IAAI,GAAiD,IAAI,CAAC;AAE9D,SAAS,OAAO,CAAC,UAAkB;IAClC,IAAI,CAAC,IAAI,EAAE,CAAC;QACX,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,gCAAgC,EAAE,UAAU,CAAC,CAAC;QACtE,IAAI,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,IAAI,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,WAAW,CAAC,MAAgB,EAAE,KAAa;IACzD,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,yDAAyD;IACzD,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,CAAC;QAChC,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACnD,MAAM,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE,CAAC,CAAC;YACvD,OAAO,IAAI,CAAC;QACb,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,SAAS,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;QACxE,CAAC;IACF,CAAC;IAED,wCAAwC;IACxC,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QAC/B,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YACnE,MAAM,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE,CAAC,CAAC;YACvD,OAAO,IAAI,CAAC;QACb,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,UAAU,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;QACzE,CAAC;IACF,CAAC;IAED,8DAA8D;IAC9D,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QAC3D,IAAI,CAAC;YACJ,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,UAAU,eAAe,EAAE;gBACrE,OAAO,EAAE;oBACR,MAAM,EAAE,MAAM,
CAAC,QAAQ,CAAC,OAAO;oBAC/B,aAAa,EAAE,UAAU,KAAK,EAAE;iBAChC;aACD,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,OAAO,IAAI,CAAC;YACb,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,qBAAqB,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,gBAAgB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/E,CAAC;IACF,CAAC;IAED,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,wCAAwC,CAAC,CAAC;IAC3F,OAAO,KAAK,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,MAAgB;IAC9C,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAChE,kEAAkE;QAClE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YAC/D,IAAI,EAAE,CAAC;YACP,OAAO;QACR,CAAC;QAED,mCAAmC;QACnC,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,IAAI,EAAE,CAAC;YACP,OAAO;QACR,CAAC;QAED,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAC7C,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACxC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;YAC3E,OAAO;QACR,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAElC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC;aACxB,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;YACf,IAAI,KAAK,EAAE,CAAC;gBACX,IAAI,EAAE,CAAC;YACR,CAAC;iBAAM,CAAC;gBACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;YAC7D,CAAC;QACF,CAAC,CAAC;aACD,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACd,MAAM,UAAU,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YACxE,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,yBAAyB,CAAC,CAAC;YAC9D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;QAC7D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAgB,EAAE,KAAoB;IACzE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QAC/D,OAAO,IAAI,CAAC,CAAC,6BAA6B;IAC3C,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACZ,OAAO,KAAK,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACJ,OA
AO,MAAM,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,KAAK,CAAC;IACd,CAAC;AACF,CAAC"}
|