latchkey 2.7.2 → 2.8.0

package/dist/tests/oauthUtils.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=oauthUtils.test.d.ts.map

package/dist/tests/oauthUtils.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauthUtils.test.d.ts","sourceRoot":"","sources":["../../tests/oauthUtils.test.ts"],"names":[],"mappings":""}

package/dist/tests/oauthUtils.test.js

@@ -0,0 +1,63 @@
+import { describe, it, expect, vi, afterEach } from 'vitest';
+import { startOAuthCallbackServer, generateCodeVerifier, generateCodeChallenge, exchangeCodeForTokens, refreshAccessToken, OAuthTokenExchangeError, OAuthCallbackServerTimeoutError, } from '../src/oauthUtils.js';
+import * as curl from '../src/curl.js';
+afterEach(() => {
+    vi.restoreAllMocks();
+});
+void startOAuthCallbackServer;
+void OAuthTokenExchangeError;
+void OAuthCallbackServerTimeoutError;
+describe('startOAuthCallbackServer', () => {
+    it.todo('add tests');
+});
+describe('generateCodeVerifier', () => {
+    it('just runs', () => {
+        generateCodeVerifier();
+    });
+});
+describe('generateCodeChallenge', () => {
+    it('just runs', () => {
+        generateCodeChallenge('dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk');
+    });
+});
+describe('exchangeCodeForTokens', () => {
+    it('with PKCE: includes code_verifier in body', () => {
+        const spy = vi.spyOn(curl, 'runCaptured').mockImplementation(() => {
+            throw new Error('STOP');
+        });
+        expect(() => exchangeCodeForTokens('https://api.notion.com/v1/oauth/token', 'auth-code-abc123', 'test-client-id', 'test-client-secret', 'http://localhost:12345/oauth2callback', 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')).toThrow('STOP');
+        const args = spy.mock.calls[0][0];
+        const body = args[args.indexOf('-d') + 1];
+        expect(body).toBe('code=auth-code-abc123&client_id=test-client-id&redirect_uri=http%3A%2F%2Flocalhost%3A12345%2Foauth2callback&grant_type=authorization_code&client_secret=test-client-secret&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk');
+    });
+    it('without PKCE: omits code_verifier from body', () => {
+        const spy = vi.spyOn(curl, 'runCaptured').mockImplementation(() => {
+            throw new Error('STOP');
+        });
+        expect(() => exchangeCodeForTokens('https://api.notion.com/v1/oauth/token', 'auth-code-abc123', 'test-client-id', 'test-client-secret', 'http://localhost:12345/oauth2callback')).toThrow('STOP');
+        const args = spy.mock.calls[0][0];
+        const body = args[args.indexOf('-d') + 1];
+        expect(body).toBe('code=auth-code-abc123&client_id=test-client-id&redirect_uri=http%3A%2F%2Flocalhost%3A12345%2Foauth2callback&grant_type=authorization_code&client_secret=test-client-secret');
+    });
+});
+describe('refreshAccessToken', () => {
+    it('confidential client: includes client_secret in body', () => {
+        const spy = vi.spyOn(curl, 'runCaptured').mockImplementation(() => {
+            throw new Error('STOP');
+        });
+        expect(() => refreshAccessToken('https://api.notion.com/v1/oauth/token', 'refresh-token-xyz789', 'test-client-id', 'test-client-secret')).toThrow('STOP');
+        const args = spy.mock.calls[0][0];
+        const body = args[args.indexOf('-d') + 1];
+        expect(body).toBe('refresh_token=refresh-token-xyz789&client_id=test-client-id&grant_type=refresh_token&client_secret=test-client-secret');
+    });
+    it('public client: omits client_secret from body', () => {
+        const spy = vi.spyOn(curl, 'runCaptured').mockImplementation(() => {
+            throw new Error('STOP');
+        });
+        expect(() => refreshAccessToken('https://api.notion.com/v1/oauth/token', 'refresh-token-xyz789', 'test-client-id', '')).toThrow('STOP');
+        const args = spy.mock.calls[0][0];
+        const body = args[args.indexOf('-d') + 1];
+        expect(body).toBe('refresh_token=refresh-token-xyz789&client_id=test-client-id&grant_type=refresh_token');
+    });
+});
+//# sourceMappingURL=oauthUtils.test.js.map

package/dist/tests/oauthUtils.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauthUtils.test.js","sourceRoot":"","sources":["../../tests/oauthUtils.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EAClB,uBAAuB,EACvB,+BAA+B,GAChC,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAEvC,SAAS,CAAC,GAAG,EAAE;IACb,EAAE,CAAC,eAAe,EAAE,CAAC;AACvB,CAAC,CAAC,CAAC;AAEH,KAAK,wBAAwB,CAAC;AAC9B,KAAK,uBAAuB,CAAC;AAC7B,KAAK,+BAA+B,CAAC;AAErC,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;AACvB,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,EAAE,CAAC,WAAW,EAAE,GAAG,EAAE;QACnB,oBAAoB,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,WAAW,EAAE,GAAG,EAAE;QACnB,qBAAqB,CAAC,6CAA6C,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAChE,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,GAAG,EAAE,CACV,qBAAqB,CACnB,uCAAuC,EACvC,kBAAkB,EAClB,gBAAgB,EAChB,oBAAoB,EACpB,uCAAuC,EACvC,6CAA6C,CAC9C,CACF,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElB,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CACf,sOAAsO,CACvO,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAChE,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,GAAG,EAAE,CACV,qBAAqB,CACnB,uCAAuC,EACvC,kBAAkB,EAClB,gBAAgB,EAChB,oBAAoB,EACpB,uCAAuC,CACxC,CACF,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElB,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CACf,4KAA4K,CAC7K,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAChE,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,GAAG,EAAE,CACV,kBAAkB,CAChB,uCAAuC,EACvC,sBAAsB,EACtB,gBAAgB,EAChB,oBAAoB,CACrB,CACF,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElB,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CACf,uHAAuH,CACxH,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAChE,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,GAAG,EAAE,CACV,kBAAkB,CAChB,uCAAuC,EACvC,sBAAsB,EACtB,gBAAgB,EAChB,EAAE,CACH,CACF,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElB,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CACf,sFAAsF,CACvF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/permissionPointer.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=permissionPointer.test.d.ts.map

package/dist/tests/permissionPointer.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionPointer.test.d.ts","sourceRoot":"","sources":["../../tests/permissionPointer.test.ts"],"names":[],"mappings":""}

package/dist/tests/permissionPointer.test.js

@@ -0,0 +1,152 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { createHmac } from 'node:crypto';
+import { mkdtempSync, mkdirSync, rmSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { createPermissionPointerJwt, derivePermissionPointerSigningKey, InvalidPermissionPointerError, PERMISSION_POINTER_HEADER, PermissionPointerFileMissingError, resolvePermissionPointer, verifyPermissionPointerJwt, } from '../src/gateway/permissionPointer.js';
+const TEST_ENCRYPTION_KEY = 'dGVzdGtleXRlc3RrZXl0ZXN0a2V5dGVzdGtleXRlc3Q=';
+const OTHER_ENCRYPTION_KEY = 'b3RoZXJrZXlvdGhlcmtleW90aGVya2V5b3RoZXJrZXk=';
+describe('PERMISSION_POINTER_HEADER', () => {
+    it('is the lowercase header name', () => {
+        expect(PERMISSION_POINTER_HEADER).toBe('x-latchkey-gateway-permission-pointer');
+    });
+});
+describe('derivePermissionPointerSigningKey', () => {
+    it('produces a deterministic 32-byte key', () => {
+        const a = derivePermissionPointerSigningKey(TEST_ENCRYPTION_KEY);
+        const b = derivePermissionPointerSigningKey(TEST_ENCRYPTION_KEY);
+        expect(a.length).toBe(32);
+        expect(a.equals(b)).toBe(true);
+    });
+    it('produces different keys for different master keys', () => {
+        const a = derivePermissionPointerSigningKey(TEST_ENCRYPTION_KEY);
+        const b = derivePermissionPointerSigningKey(OTHER_ENCRYPTION_KEY);
+        expect(a.equals(b)).toBe(false);
+    });
+    it('does not equal the encryption key itself', () => {
+        const derived = derivePermissionPointerSigningKey(TEST_ENCRYPTION_KEY);
+        const master = Buffer.from(TEST_ENCRYPTION_KEY, 'base64');
+        expect(derived.equals(master)).toBe(false);
+    });
+});
+describe('createPermissionPointerJwt / verifyPermissionPointerJwt', () => {
+    const signingKey = derivePermissionPointerSigningKey(TEST_ENCRYPTION_KEY);
+    it('round-trips an absolute path', () => {
+        const token = createPermissionPointerJwt('/etc/latchkey/permissions.json', signingKey);
+        const payload = verifyPermissionPointerJwt(token, signingKey);
+        expect(payload).toEqual({ permissionsConfig: '/etc/latchkey/permissions.json' });
+    });
+    it('produces a three-segment JWT', () => {
+        const token = createPermissionPointerJwt('/x.json', signingKey);
+        expect(token.split('.')).toHaveLength(3);
+    });
+    it('uses HS256/JWT in the header', () => {
+        const token = createPermissionPointerJwt('/x.json', signingKey);
+        const header = token.split('.')[0];
+        const json = Buffer.from(header.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf-8');
+        expect(JSON.parse(json)).toEqual({ alg: 'HS256', typ: 'JWT' });
+    });
+    it('payload contains only the permissionsConfig field', () => {
+        const token = createPermissionPointerJwt('/x.json', signingKey);
+        const payload = token.split('.')[1];
+        const json = Buffer.from(payload.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf-8');
+        expect(JSON.parse(json)).toEqual({ permissionsConfig: '/x.json' });
+    });
+    it('rejects creation for non-absolute paths', () => {
+        expect(() => createPermissionPointerJwt('relative/path.json', signingKey)).toThrow(InvalidPermissionPointerError);
+    });
+    it('rejects tokens signed with a different key', () => {
+        const otherKey = derivePermissionPointerSigningKey(OTHER_ENCRYPTION_KEY);
+        const token = createPermissionPointerJwt('/x.json', otherKey);
+        expect(() => verifyPermissionPointerJwt(token, signingKey)).toThrow(InvalidPermissionPointerError);
+    });
+    it('rejects tokens with a tampered payload', () => {
+        const token = createPermissionPointerJwt('/x.json', signingKey);
+        const [header, , signature] = token.split('.');
+        const tamperedPayload = Buffer.from(JSON.stringify({ permissionsConfig: '/y.json' }), 'utf-8')
+            .toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=+$/, '');
+        const tampered = `${header}.${tamperedPayload}.${signature}`;
+        expect(() => verifyPermissionPointerJwt(tampered, signingKey)).toThrow(InvalidPermissionPointerError);
+    });
+    it('rejects tokens that do not have three segments', () => {
+        expect(() => verifyPermissionPointerJwt('a.b', signingKey)).toThrow(InvalidPermissionPointerError);
+        expect(() => verifyPermissionPointerJwt('a.b.c.d', signingKey)).toThrow(InvalidPermissionPointerError);
+    });
+    function base64Url(value) {
+        return Buffer.from(value, 'utf-8')
+            .toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=+$/, '');
+    }
+    function buildSignedToken(headerJson, payloadJson) {
+        const headerSegment = base64Url(headerJson);
+        const payloadSegment = base64Url(payloadJson);
+        const signature = createHmac('sha256', signingKey)
+            .update(`${headerSegment}.${payloadSegment}`)
+            .digest()
+            .toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=+$/, '');
+        return `${headerSegment}.${payloadSegment}.${signature}`;
+    }
+    it('rejects tokens whose payload is not valid JSON', () => {
+        // Sign a payload that is base64url of "not-json" so we hit the JSON parse
+        // error rather than the signature mismatch error first.
+        const headerSegment = base64Url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+        const payloadSegment = base64Url('not-json');
+        const signature = createHmac('sha256', signingKey)
+            .update(`${headerSegment}.${payloadSegment}`)
+            .digest()
+            .toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=+$/, '');
+        const token = `${headerSegment}.${payloadSegment}.${signature}`;
+        expect(() => verifyPermissionPointerJwt(token, signingKey)).toThrow(InvalidPermissionPointerError);
+    });
+    it('rejects payloads without permissionsConfig', () => {
+        const token = buildSignedToken(JSON.stringify({ alg: 'HS256', typ: 'JWT' }), JSON.stringify({ other: '/x.json' }));
+        expect(() => verifyPermissionPointerJwt(token, signingKey)).toThrow(InvalidPermissionPointerError);
+    });
+    it('rejects payloads whose permissionsConfig is not absolute', () => {
+        const token = buildSignedToken(JSON.stringify({ alg: 'HS256', typ: 'JWT' }), JSON.stringify({ permissionsConfig: 'relative.json' }));
+        expect(() => verifyPermissionPointerJwt(token, signingKey)).toThrow(InvalidPermissionPointerError);
+    });
+    it('rejects headers with the wrong algorithm', () => {
+        const token = buildSignedToken(JSON.stringify({ alg: 'none', typ: 'JWT' }), JSON.stringify({ permissionsConfig: '/x.json' }));
+        expect(() => verifyPermissionPointerJwt(token, signingKey)).toThrow(InvalidPermissionPointerError);
+    });
+});
+describe('resolvePermissionPointer', () => {
+    const signingKey = derivePermissionPointerSigningKey(TEST_ENCRYPTION_KEY);
+    let tempDir;
+    beforeEach(() => {
+        tempDir = mkdtempSync(join(tmpdir(), 'latchkey-pp-test-'));
+    });
+    afterEach(() => {
+        rmSync(tempDir, { recursive: true, force: true });
+    });
+    it('returns the path when the file exists', () => {
+        const path = join(tempDir, 'permissions.json');
+        writeFileSync(path, '{}');
+        const token = createPermissionPointerJwt(path, signingKey);
+        expect(resolvePermissionPointer(token, signingKey)).toBe(path);
+    });
+    it('throws PermissionPointerFileMissingError when the file is absent', () => {
+        const path = join(tempDir, 'does-not-exist.json');
+        const token = createPermissionPointerJwt(path, signingKey);
+        expect(() => resolvePermissionPointer(token, signingKey)).toThrow(PermissionPointerFileMissingError);
+    });
+    it('throws PermissionPointerFileMissingError when the path is a directory', () => {
+        const path = join(tempDir, 'subdir');
+        mkdirSync(path);
+        const token = createPermissionPointerJwt(path, signingKey);
+        expect(() => resolvePermissionPointer(token, signingKey)).toThrow(PermissionPointerFileMissingError);
+    });
+});
+//# sourceMappingURL=permissionPointer.test.js.map

package/dist/tests/permissionPointer.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionPointer.test.js","sourceRoot":"","sources":["../../tests/permissionPointer.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EACL,0BAA0B,EAC1B,iCAAiC,EACjC,6BAA6B,EAC7B,yBAAyB,EACzB,iCAAiC,EACjC,wBAAwB,EACxB,0BAA0B,GAC3B,MAAM,qCAAqC,CAAC;AAE7C,MAAM,mBAAmB,GAAG,8CAA8C,CAAC;AAC3E,MAAM,oBAAoB,GAAG,8CAA8C,CAAC;AAE5E,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,CAAC,yBAAyB,CAAC,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,GAAG,iCAAiC,CAAC,mBAAmB,CAAC,CAAC;QACjE,MAAM,CAAC,GAAG,iCAAiC,CAAC,mBAAmB,CAAC,CAAC;QACjE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,CAAC,GAAG,iCAAiC,CAAC,mBAAmB,CAAC,CAAC;QACjE,MAAM,CAAC,GAAG,iCAAiC,CAAC,oBAAoB,CAAC,CAAC;QAClE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,OAAO,GAAG,iCAAiC,CAAC,mBAAmB,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,QAAQ,CAAC,CAAC;QAC1D,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,yDAAyD,EAAE,GAAG,EAAE;IACvE,MAAM,UAAU,GAAG,iCAAiC,CAAC,mBAAmB,CAAC,CAAC;IAE1E,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,0BAA0B,CAAC,gCAAgC,EAAE,UAAU,CAAC,CAAC;QACvF,MAAM,OAAO,GAAG,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAC9D,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,iBAAiB,EAAE,gCAAgC,EAAE,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,0BAA0B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAChE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,0BAA0B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAChE,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QACpC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CACvF,OAAO,CACR,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,KAAK,GAAG,0BAA0B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAChE,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CACxF,OAAO,CACR,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,oBAAoB,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAChF,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,QAAQ,GAAG,iCAAiC,CAAC,oBAAoB,CAAC,CAAC;QACzE,MAAM,KAAK,GAAG,0BAA0B,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC9D,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,KAAK,GAAG,0BAA0B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAChE,MAAM,CAAC,MAAM,EAAE,AAAD,EAAG,SAAS,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAA6B,CAAC;QAC3E,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CACjC,IAAI,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,EAChD,OAAO,CACR;aACE,QAAQ,CAAC,QAAQ,CAAC;aAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACtB,MAAM,QAAQ,GAAG,GAAG,MAAM,IAAI,eAAe,IAAI,SAAS,EAAE,CAAC;QAC7D,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACpE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,6BAA6B,CAC9B,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACrE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,SAAS,SAAS,CAAC,KAAa;QAC9B,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC;aAC/B,QAAQ,CAAC,QAAQ,CAAC;aAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACxB,CAAC;IAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,WAAmB;QAC/D,MAAM,aAAa,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QAC5C,MAAM,cAAc,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;aAC/C,MAAM,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;aAC5C,MAAM,EAAE;aACR,QAAQ,CAAC,QAAQ,CAAC;aAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACtB,OAAO,GAAG,aAAa,IAAI,cAAc,IAAI,SAAS,EAAE,CAAC;IAC3D,CAAC;IAED,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,0EAA0E;QAC1E,wDAAwD;QACxD,MAAM,aAAa,GAAG,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC9E,MAAM,cAAc,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;aAC/C,MAAM,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;aAC5C,MAAM,EAAE;aACR,QAAQ,CAAC,QAAQ,CAAC;aAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACtB,MAAM,KAAK,GAAG,GAAG,aAAa,IAAI,cAAc,IAAI,SAAS,EAAE,CAAC;QAChE,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,KAAK,GAAG,gBAAgB,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAC5C,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CACrC,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;QAClE,MAAM,KAAK,GAAG,gBAAgB,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAC5C,IAAI,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,eAAe,EAAE,CAAC,CACvD,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,KAAK,GAAG,gBAAgB,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAC3C,IAAI,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,CACjD,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,6BAA6B,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,MAAM,UAAU,GAAG,iCAAiC,CAAC,mBAAmB,CAAC,CAAC;IAC1E,IAAI,OAAe,CAAC;IAEpB,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QAC/C,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC1B,MAAM,KAAK,GAAG,0BAA0B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC3D,MAAM,CAAC,wBAAwB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,GAAG,EAAE;QAC1E,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,qBAAqB,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,0BAA0B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC3D,MAAM,CAAC,GAAG,EAAE,CAAC,wBAAwB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAC/D,iCAAiC,CAClC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACrC,SAAS,CAAC,IAAI,CAAC,CAAC;QAChB,MAAM,KAAK,GAAG,0BAA0B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC3D,MAAM,CAAC,GAAG,EAAE,CAAC,wBAAwB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAC/D,iCAAiC,CAClC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/permissionsOverride.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=permissionsOverride.test.d.ts.map

package/dist/tests/permissionsOverride.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionsOverride.test.d.ts","sourceRoot":"","sources":["../../tests/permissionsOverride.test.ts"],"names":[],"mappings":""}

package/dist/tests/permissionsOverride.test.js

@@ -0,0 +1,136 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { createHmac } from 'node:crypto';
+import { mkdtempSync, mkdirSync, rmSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { createPermissionsOverrideJwt, derivePermissionsOverrideSigningKey, InvalidPermissionsOverrideError, PERMISSIONS_OVERRIDE_HEADER, PermissionsOverrideFileMissingError, resolvePermissionsOverride, verifyPermissionsOverrideJwt, } from '../src/gateway/permissionsOverride.js';
+const TEST_ENCRYPTION_KEY = 'dGVzdGtleXRlc3RrZXl0ZXN0a2V5dGVzdGtleXRlc3Q=';
+const OTHER_ENCRYPTION_KEY = 'b3RoZXJrZXlvdGhlcmtleW90aGVya2V5b3RoZXJrZXk=';
+describe('PERMISSIONS_OVERRIDE_HEADER', () => {
+    it('is the lowercase header name', () => {
+        expect(PERMISSIONS_OVERRIDE_HEADER).toBe('x-latchkey-gateway-permissions-override');
+    });
+});
+describe('derivePermissionsOverrideSigningKey', () => {
+    it('produces a deterministic 32-byte key', () => {
+        const a = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+        const b = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+        expect(a.length).toBe(32);
+        expect(a.equals(b)).toBe(true);
+    });
+    it('produces different keys for different master keys', () => {
+        const a = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+        const b = derivePermissionsOverrideSigningKey(OTHER_ENCRYPTION_KEY);
+        expect(a.equals(b)).toBe(false);
+    });
+    it('does not equal the encryption key itself', () => {
+        const derived = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+        const master = Buffer.from(TEST_ENCRYPTION_KEY, 'base64');
+        expect(derived.equals(master)).toBe(false);
+    });
+});
+describe('createPermissionsOverrideJwt / verifyPermissionsOverrideJwt', () => {
+    const signingKey = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+    it('round-trips an absolute path', () => {
+        const token = createPermissionsOverrideJwt('/etc/latchkey/permissions.json', signingKey);
+        const payload = verifyPermissionsOverrideJwt(token, signingKey);
+        expect(payload).toEqual({ permissionsConfig: '/etc/latchkey/permissions.json' });
+    });
+    it('produces a three-segment JWT', () => {
+        const token = createPermissionsOverrideJwt('/x.json', signingKey);
+        expect(token.split('.')).toHaveLength(3);
+    });
+    it('uses HS256/JWT in the header', () => {
+        const token = createPermissionsOverrideJwt('/x.json', signingKey);
+        const header = token.split('.')[0];
+        const json = Buffer.from(header, 'base64url').toString('utf-8');
+        expect(JSON.parse(json)).toEqual({ alg: 'HS256', typ: 'JWT' });
+    });
+    it('payload contains only the permissionsConfig field', () => {
+        const token = createPermissionsOverrideJwt('/x.json', signingKey);
+        const payload = token.split('.')[1];
+        const json = Buffer.from(payload, 'base64url').toString('utf-8');
+        expect(JSON.parse(json)).toEqual({ permissionsConfig: '/x.json' });
+    });
+    it('rejects creation for non-absolute paths', () => {
+        expect(() => createPermissionsOverrideJwt('relative/path.json', signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    it('rejects tokens signed with a different key', () => {
+        const otherKey = derivePermissionsOverrideSigningKey(OTHER_ENCRYPTION_KEY);
+        const token = createPermissionsOverrideJwt('/x.json', otherKey);
+        expect(() => verifyPermissionsOverrideJwt(token, signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    it('rejects tokens with a tampered payload', () => {
+        const token = createPermissionsOverrideJwt('/x.json', signingKey);
+        const [header, , signature] = token.split('.');
+        const tamperedPayload = Buffer.from(JSON.stringify({ permissionsConfig: '/y.json' }), 'utf-8').toString('base64url');
+        const tampered = `${header}.${tamperedPayload}.${signature}`;
+        expect(() => verifyPermissionsOverrideJwt(tampered, signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    it('rejects tokens that do not have three segments', () => {
+        expect(() => verifyPermissionsOverrideJwt('a.b', signingKey)).toThrow(InvalidPermissionsOverrideError);
+        expect(() => verifyPermissionsOverrideJwt('a.b.c.d', signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    function base64Url(value) {
+        return Buffer.from(value, 'utf-8').toString('base64url');
+    }
+    function buildSignedToken(headerJson, payloadJson) {
+        const headerSegment = base64Url(headerJson);
+        const payloadSegment = base64Url(payloadJson);
+        const signature = createHmac('sha256', signingKey)
+            .update(`${headerSegment}.${payloadSegment}`)
+            .digest('base64url');
+        return `${headerSegment}.${payloadSegment}.${signature}`;
+    }
+    it('rejects tokens whose payload is not valid JSON', () => {
+        // Sign a payload that is base64url of "not-json" so we hit the JSON parse
+        // error rather than the signature mismatch error first.
+        const headerSegment = base64Url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+        const payloadSegment = base64Url('not-json');
+        const signature = createHmac('sha256', signingKey)
+            .update(`${headerSegment}.${payloadSegment}`)
+            .digest('base64url');
+        const token = `${headerSegment}.${payloadSegment}.${signature}`;
+        expect(() => verifyPermissionsOverrideJwt(token, signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    it('rejects payloads without permissionsConfig', () => {
+        const token = buildSignedToken(JSON.stringify({ alg: 'HS256', typ: 'JWT' }), JSON.stringify({ other: '/x.json' }));
+        expect(() => verifyPermissionsOverrideJwt(token, signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    it('rejects payloads whose permissionsConfig is not absolute', () => {
+        const token = buildSignedToken(JSON.stringify({ alg: 'HS256', typ: 'JWT' }), JSON.stringify({ permissionsConfig: 'relative.json' }));
+        expect(() => verifyPermissionsOverrideJwt(token, signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    it('rejects headers with the wrong algorithm', () => {
+        const token = buildSignedToken(JSON.stringify({ alg: 'none', typ: 'JWT' }), JSON.stringify({ permissionsConfig: '/x.json' }));
+        expect(() => verifyPermissionsOverrideJwt(token, signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+});
+describe('resolvePermissionsOverride', () => {
+    const signingKey = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+    let tempDir;
+    beforeEach(() => {
+        tempDir = mkdtempSync(join(tmpdir(), 'latchkey-pp-test-'));
+    });
+    afterEach(() => {
+        rmSync(tempDir, { recursive: true, force: true });
+    });
+    it('returns the path when the file exists', () => {
+        const path = join(tempDir, 'permissions.json');
+        writeFileSync(path, '{}');
+        const token = createPermissionsOverrideJwt(path, signingKey);
+        expect(resolvePermissionsOverride(token, signingKey)).toBe(path);
+    });
+    it('throws PermissionsOverrideFileMissingError when the file is absent', () => {
+        const path = join(tempDir, 'does-not-exist.json');
+        const token = createPermissionsOverrideJwt(path, signingKey);
+        expect(() => resolvePermissionsOverride(token, signingKey)).toThrow(PermissionsOverrideFileMissingError);
+    });
+    it('throws PermissionsOverrideFileMissingError when the path is a directory', () => {
+        const path = join(tempDir, 'subdir');
+        mkdirSync(path);
+        const token = createPermissionsOverrideJwt(path, signingKey);
+        expect(() => resolvePermissionsOverride(token, signingKey)).toThrow(PermissionsOverrideFileMissingError);
+    });
+});
+//# sourceMappingURL=permissionsOverride.test.js.map

package/dist/tests/permissionsOverride.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionsOverride.test.js","sourceRoot":"","sources":["../../tests/permissionsOverride.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EACL,4BAA4B,EAC5B,mCAAmC,EACnC,+BAA+B,EAC/B,2BAA2B,EAC3B,mCAAmC,EACnC,0BAA0B,EAC1B,4BAA4B,GAC7B,MAAM,uCAAuC,CAAC;AAE/C,MAAM,mBAAmB,GAAG,8CAA8C,CAAC;AAC3E,MAAM,oBAAoB,GAAG,8CAA8C,CAAC;AAE5E,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,CAAC,2BAA2B,CAAC,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IACtF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,qCAAqC,EAAE,GAAG,EAAE;IACnD,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,GAAG,mCAAmC,CAAC,mBAAmB,CAAC,CAAC;QACnE,MAAM,CAAC,GAAG,mCAAmC,CAAC,mBAAmB,CAAC,CAAC;QACnE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,CAAC,GAAG,mCAAmC,CAAC,mBAAmB,CAAC,CAAC;QACnE,MAAM,CAAC,GAAG,mCAAmC,CAAC,oBAAoB,CAAC,CAAC;QACpE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,OAAO,GAAG,mCAAmC,CAAC,mBAAmB,CAAC,CAAC;QACzE,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,QAAQ,CAAC,CAAC;QAC1D,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,6DAA6D,EAAE,GAAG,EAAE;IAC3E,MAAM,UAAU,GAAG,mCAAmC,CAAC,mBAAmB,CAAC,CAAC;IAE5E,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,4BAA4B,CAAC,gCAAgC,EAAE,UAAU,CAAC,CAAC;QACzF,MAAM,OAAO,GAAG,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAChE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,iBAAiB,EAAE,gCAAgC,EAAE,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,4BAA4B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAClE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,4BAA4B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QACpC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAChE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,KAAK,GAAG,4BAA4B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAClE,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACjE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,oBAAoB,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAClF,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,QAAQ,GAAG,mCAAmC,CAAC,oBAAoB,CAAC,CAAC;QAC3E,MAAM,KAAK,GAAG,4BAA4B,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAChE,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACnE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,KAAK,GAAG,4BAA4B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAClE,MAAM,CAAC,MAAM,EAAE,AAAD,EAAG,SAAS,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAA6B,CAAC;QAC3E,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CACjC,IAAI,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,EAChD,OAAO,CACR,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACxB,MAAM,QAAQ,GAAG,GAAG,MAAM,IAAI,eAAe,IAAI,SAAS,EAAE,CAAC;QAC7D,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACtE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACnE,+BAA+B,CAChC,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACvE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,SAAS,SAAS,CAAC,KAAa;QAC9B,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC3D,CAAC;IAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,WAAmB;QAC/D,MAAM,aAAa,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QAC5C,MAAM,cAAc,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;aAC/C,MAAM,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;aAC5C,MAAM,CAAC,WAAW,CAAC,CAAC;QACvB,OAAO,GAAG,aAAa,IAAI,cAAc,IAAI,SAAS,EAAE,CAAC;IAC3D,CAAC;IAED,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,0EAA0E;QAC1E,wDAAwD;QACxD,MAAM,aAAa,GAAG,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC9E,MAAM,cAAc,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;aAC/C,MAAM,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;aAC5C,MAAM,CAAC,WAAW,CAAC,CAAC;QACvB,MAAM,KAAK,GAAG,GAAG,aAAa,IAAI,cAAc,IAAI,SAAS,EAAE,CAAC;QAChE,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACnE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,KAAK,GAAG,gBAAgB,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAC5C,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CACrC,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACnE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;QAClE,MAAM,KAAK,GAAG,gBAAgB,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAC5C,IAAI,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,eAAe,EAAE,CAAC,CACvD,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACnE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,KAAK,GAAG,gBAAgB,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAC3C,IAAI,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,CACjD,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACnE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,MAAM,UAAU,GAAG,mCAAmC,CAAC,mBAAmB,CAAC,CAAC;IAC5E,IAAI,OAAe,CAAC;IAEpB,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QAC/C,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC1B,MAAM,KAAK,GAAG,4BAA4B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC7D,MAAM,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,GAAG,EAAE;QAC5E,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,qBAAqB,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,4BAA4B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC7D,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,mCAAmC,CACpC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yEAAyE,EAAE,GAAG,EAAE;QACjF,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACrC,SAAS,CAAC,IAAI,CAAC,CAAC;QAChB,MAAM,KAAK,GAAG,4BAA4B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC7D,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,mCAAmC,CACpC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/resolveEncryptionKey.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=resolveEncryptionKey.test.d.ts.map

package/dist/tests/resolveEncryptionKey.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolveEncryptionKey.test.d.ts","sourceRoot":"","sources":["../../tests/resolveEncryptionKey.test.ts"],"names":[],"mappings":""}

package/dist/tests/resolveEncryptionKey.test.js

@@ -0,0 +1,26 @@
+import { describe, it, expect, vi } from 'vitest';
+import { EncryptionKeyLostError, generateKey, resolveEncryptionKey } from '../src/encryption.js';
+vi.mock('../src/keychain.js', async (importOriginal) => {
+    const original = await importOriginal();
+    return {
+        ...original,
+        retrieveFromKeychain: () => Promise.resolve(null),
+        storeInKeychain: () => Promise.resolve(undefined),
+    };
+});
+describe('resolveEncryptionKey', () => {
+    it('returns the override verbatim and does not touch the keychain', async () => {
+        const override = generateKey();
+        await expect(resolveEncryptionKey({ encryptionKeyOverride: override })).resolves.toBe(override);
+    });
+    it('throws EncryptionKeyLostError when allowKeyGeneration is false and keychain has no key', async () => {
+        await expect(resolveEncryptionKey({ allowKeyGeneration: false })).rejects.toThrow(EncryptionKeyLostError);
+    });
+    it('generates a new key when allowKeyGeneration is true and keychain has no key', async () => {
+        await expect(resolveEncryptionKey({ allowKeyGeneration: true })).resolves.toMatch(/.+/);
+    });
+    it('generates a new key when allowKeyGeneration is unset and keychain has no key', async () => {
+        await expect(resolveEncryptionKey({})).resolves.toMatch(/.+/);
+    });
+});
+//# sourceMappingURL=resolveEncryptionKey.test.js.map

package/dist/tests/resolveEncryptionKey.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolveEncryptionKey.test.js","sourceRoot":"","sources":["../../tests/resolveEncryptionKey.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,sBAAsB,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjG,EAAE,CAAC,IAAI,CAAC,oBAAoB,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE;IACrD,MAAM,QAAQ,GAAG,MAAM,cAAc,EAAuC,CAAC;IAC7E,OAAO;QACL,GAAG,QAAQ;QACX,oBAAoB,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC;QACjD,eAAe,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC;KAClD,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;QAC7E,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,MAAM,CAAC,oBAAoB,CAAC,EAAE,qBAAqB,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClG,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wFAAwF,EAAE,KAAK,IAAI,EAAE;QACtG,MAAM,MAAM,CAAC,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC/E,sBAAsB,CACvB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6EAA6E,EAAE,KAAK,IAAI,EAAE;QAC3F,MAAM,MAAM,CAAC,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8EAA8E,EAAE,KAAK,IAAI,EAAE;QAC5F,MAAM,MAAM,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}