latchkey 2.7.3 → 2.9.0

package/dist/src/gateway/extensions.js

@@ -0,0 +1,170 @@
+/**
+ * Extensions: user-supplied HTTP handlers mounted on the gateway.
+ *
+ * The gateway scans `extensionsDirectory` for `*.mjs` files at startup
+ * and dynamically imports each one. Each module's default export must be
+ * a function `(request, response) => boolean | Promise<boolean>`:
+ *
+ *   - return `true` when the extension has handled the request (i.e. it
+ *     has written / will write the response). The gateway will not consult
+ *     any further extensions.
+ *   - return `false` to defer to the next extension. The handler must not
+ *     touch the response in this case.
+ *
+ * Extensions only see Node's raw HTTP request / response. They do NOT have
+ * access to credential storage, the curl-injection pipeline, or the service
+ * registry. Each extension request is run through the same
+ * `permissions.json` machinery as `/gateway/...` proxy requests, by
+ * synthesising a request whose URL uses fixed placeholder values
+ * (representing "this gateway") while preserving the inbound method, path,
+ * and headers.
+ */
+import { existsSync, readdirSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+import { pathToFileURL } from 'node:url';
+import { PermissionCheckError } from '../permissions.js';
+import { RequestNotPermittedError } from '../curlInjection.js';
+import { GATEWAY_INTERNAL_HEADERS, HOP_BY_HOP_HEADERS } from './gatewayEndpoint.js';
+/**
+ * Placeholder URL parts that stand in for "this gateway" when extension
+ * requests are run through the permission check. They use RFC 2606's
+ * reserved `.invalid` TLD so the synthetic URL is guaranteed never to
+ * resolve to a real host. Detent schemas matching extension routes should
+ * key on these exact values.
+ */
+export const EXTENSION_PLACEHOLDER_SCHEME = 'https';
+export const EXTENSION_PLACEHOLDER_HOST = 'latchkey-self.invalid';
+export const EXTENSION_PLACEHOLDER_PORT = 1;
+const EXTENSION_FILE_SUFFIX = '.mjs';
+export class ExtensionLoadError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ExtensionLoadError';
+    }
+}
+function isExtensionModuleShape(value) {
+    return (typeof value === 'object' &&
+        value !== null &&
+        'default' in value &&
+        typeof value.default === 'function');
+}
+/**
+ * Load every extension module in `directory` and return the resulting
+ * ordered list. Extensions are tried in alphabetical order of filename, so
+ * the loader returns them in that order. Returns an empty list if the
+ * directory does not exist. Throws `ExtensionLoadError` on the first file
+ * that fails to import or has the wrong shape.
+ */
+export async function loadExtensions(directory) {
+    if (!existsSync(directory)) {
+        return [];
+    }
+    if (!statSync(directory).isDirectory()) {
+        return [];
+    }
+    const fileNames = readdirSync(directory, { withFileTypes: true })
+        .filter((entry) => entry.isFile())
+        .filter((entry) => entry.name.endsWith(EXTENSION_FILE_SUFFIX))
+        .map((entry) => entry.name)
+        .sort();
+    const extensions = [];
+    for (const fileName of fileNames) {
+        const filePath = join(directory, fileName);
+        let importedModule;
+        try {
+            importedModule = (await import(pathToFileURL(filePath).href));
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            throw new ExtensionLoadError(`Failed to load extension '${filePath}': ${message}`);
+        }
+        if (!isExtensionModuleShape(importedModule)) {
+            throw new ExtensionLoadError(`Extension '${filePath}' must export a default function ` +
+                `(request, response) => boolean | Promise<boolean>.`);
+        }
+        extensions.push({ handler: importedModule.default, sourceFile: filePath });
+    }
+    return extensions;
+}
+/**
+ * Build the synthetic `Request` fed to the permission check. The URL uses
+ * fixed placeholder values for protocol/host/port (representing "this
+ * gateway") with the inbound path and query string preserved verbatim. The
+ * inbound method and headers are forwarded, minus hop-by-hop and
+ * gateway-internal headers (so the password and permissions-override
+ * headers cannot influence schema matching). The body is intentionally
+ * omitted: the permission check operates on URL/method/headers only.
+ */
+function buildExtensionPermissionCheckRequest(request) {
+    const url = `${EXTENSION_PLACEHOLDER_SCHEME}://${EXTENSION_PLACEHOLDER_HOST}` +
+        `:${String(EXTENSION_PLACEHOLDER_PORT)}${request.url ?? ''}`;
+    const headers = new Headers();
+    const rawHeaders = request.rawHeaders;
+    for (let index = 0; index < rawHeaders.length; index += 2) {
+        const name = rawHeaders[index];
+        const value = rawHeaders[index + 1];
+        const lowerName = name.toLowerCase();
+        if (HOP_BY_HOP_HEADERS.has(lowerName) || GATEWAY_INTERNAL_HEADERS.has(lowerName)) {
+            continue;
+        }
+        headers.append(name, value);
+    }
+    return new Request(url, {
+        method: (request.method ?? 'GET').toUpperCase(),
+        headers,
+    });
+}
+function sendErrorResponse(response, statusCode, message) {
+    if (response.headersSent)
+        return;
+    response.writeHead(statusCode, { 'Content-Type': 'application/json' });
+    response.end(JSON.stringify({ error: message }));
+}
+/**
+ * Run the permission check for an inbound extension request and offer it to
+ * each loaded extension in order. Returns true when an extension claimed
+ * the request (i.e. responded or threw). When false, no extension touched
+ * the response and the caller is responsible for sending a fallback
+ * (typically `404`).
+ */
+export async function dispatchExtensionRequest(request, response, extensions, deps, permissionsConfigPath) {
+    const method = (request.method ?? 'GET').toUpperCase();
+    const pathAndQuery = request.url ?? '';
+    let allowed;
+    try {
+        allowed = await deps.checkPermission(buildExtensionPermissionCheckRequest(request), permissionsConfigPath, deps.config.permissionsDoNotUseBuiltinSchemas);
+    }
+    catch (error) {
+        if (error instanceof PermissionCheckError) {
+            deps.log(`${method} ${pathAndQuery} -> 403 (extension)`);
+            sendErrorResponse(response, 403, `Error: ${error.message}`);
+            return true;
+        }
+        throw error;
+    }
+    if (!allowed) {
+        const notPermitted = new RequestNotPermittedError();
+        deps.log(`${method} ${pathAndQuery} -> 403 (extension)`);
+        sendErrorResponse(response, 403, notPermitted.message);
+        return true;
+    }
+    for (const extension of extensions) {
+        let handled;
+        try {
+            handled = await extension.handler(request, response);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            deps.errorLog(`Unexpected error in extension '${extension.sourceFile}' ` +
+                `(${method} ${pathAndQuery}): ${message}`);
+            sendErrorResponse(response, 500, 'Internal error');
+            return true;
+        }
+        if (handled) {
+            deps.log(`${method} ${pathAndQuery} -> ${String(response.statusCode)} (extension)`);
+            return true;
+        }
+    }
+    return false;
+}
+//# sourceMappingURL=extensions.js.map

package/dist/src/gateway/extensions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"extensions.js","sourceRoot":"","sources":["../../../src/gateway/extensions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AAC/D,OAAO,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAEpF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,OAAO,CAAC;AACpD,MAAM,CAAC,MAAM,0BAA0B,GAAG,uBAAuB,CAAC;AAClE,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC;AAE5C,MAAM,qBAAqB,GAAG,MAAM,CAAC;AAiBrC,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAC3C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,SAAS,sBAAsB,CAAC,KAAc;IAC5C,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ;QACzB,KAAK,KAAK,IAAI;QACd,SAAS,IAAI,KAAK;QAClB,OAAQ,KAA8B,CAAC,OAAO,KAAK,UAAU,CAC9D,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,SAAiB;IACpD,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QACvC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,SAAS,GAAG,WAAW,CAAC,SAAS,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;SAC9D,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;SACjC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;SAC7D,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC;SAC1B,IAAI,EAAE,CAAC;IAEV,MAAM,UAAU,GAAsB,EAAE,CAAC;IACzC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC3C,IAAI,cAAuB,CAAC;QAC5B,IAAI,CAAC;YACH,cAAc,GAAG,CAAC,MAAM,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAY,CAAC;QAC3E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,IAAI,kBAAkB,CAAC,6BAA6B,QAAQ,MAAM,OAAO,EAAE,CAAC,CAAC;QACrF,CAAC;QACD,IAAI,CAAC,sBAAsB,CAAC,cAAc,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,kBAAkB,CAC1B,cAAc,QAAQ,mCAAmC;gBACvD,oDAAoD,CACvD,CAAC;QACJ,CAAC;QACD,UAAU,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,cAAc,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,oCAAoC,CAAC,OAA6B;IACzE,MAAM,GAAG,GACP,GAAG,4BAA4B,MAAM,0BAA0B,EAAE;QACjE,IAAI,MAAM,CAAC,0BAA0B,CAAC,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,EAAE,CAAC;IAC/D,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAC9B,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,UAAU,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAE,CAAC;QAChC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,GAAG,CAAC,CAAE,CAAC;QACrC,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACrC,IAAI,kBAAkB,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,wBAAwB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACjF,SAAS;QACX,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE;QACtB,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE;QAC/C,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,SAAS,iBAAiB,CACxB,QAA6B,EAC7B,UAAkB,EAClB,OAAe;IAEf,IAAI,QAAQ,CAAC,WAAW;QAAE,OAAO;IACjC,QAAQ,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IACvE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;AACnD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,OAA6B,EAC7B,QAA6B,EAC7B,UAAsC,EACtC,IAAqB,EACrB,qBAA6B;IAE7B,MAAM,MAAM,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IACvD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;IAEvC,IAAI,OAAgB,CAAC;IACrB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,IAAI,CAAC,eAAe,CAClC,oCAAoC,CAAC,OAAO,CAAC,EAC7C,qBAAqB,EACrB,IAAI,CAAC,MAAM,CAAC,iCAAiC,CAC9C,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,oBAAoB,EAAE,CAAC;YAC1C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,YAAY,qBAAqB,CAAC,CAAC;YACzD,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,UAAU,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC5D,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IACD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,YAAY,GAAG,IAAI,wBAAwB,EAAE,CAAC;QACpD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,YAAY,qBAAqB,CAAC,CAAC;QACzD,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,OAAgB,CAAC;QACrB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,IAAI,CAAC,QAAQ,CACX,kCAAkC,SAAS,CAAC,UAAU,IAAI;gBACxD,IAAI,MAAM,IAAI,YAAY,MAAM,OAAO,EAAE,CAC5C,CAAC;YACF,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,gBAAgB,CAAC,CAAC;YACnD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,YAAY,OAAO,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;YACpF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/src/gateway/gatewayEndpoint.d.ts

@@ -8,6 +8,15 @@
 import * as http from 'node:http';
 import type { ApiCredentialStore } from '../apiCredentials/store.js';
 import type { CliDependencies } from '../cliCommands.js';
+/**
+ * Headers that should not be forwarded between client and upstream (hop-by-hop).
+ */
+export declare const HOP_BY_HOP_HEADERS: ReadonlySet<string>;
+/**
+ * Headers that the gateway consumes itself and must not forward to upstream
+ * (in addition to hop-by-hop headers).
+ */
+export declare const GATEWAY_INTERNAL_HEADERS: ReadonlySet<string>;
 export declare const GATEWAY_PATH_PREFIX = "/gateway/";
 export declare class BodyTooLargeError extends Error {
     constructor();
@@ -16,6 +25,17 @@ export interface GatewayOptions {
     readonly port: number;
     readonly host: string;
     readonly maxBodySize: number;
+    /**
+     * When set, the gateway requires every incoming request to present this
+     * value in the `X-Latchkey-Gateway-Password` header. When null, no
+     * authentication is enforced.
+     */
+    readonly password: string | null;
+    /**
+     * HMAC key used to verify per-request `X-Latchkey-Gateway-Permissions-Override`
+     * JWTs.
+     */
+    readonly permissionsOverrideSigningKey: Buffer;
 }
 /**
  * Extract the target URL from a raw gateway request URL.
@@ -25,7 +45,8 @@ export interface GatewayOptions {
 export declare function extractTargetUrl(rawUrl: string): string | null;
 /**
  * Build curl arguments from an HTTP request's components.
- * Strips hop-by-hop headers and constructs a curl-compatible argument array.
+ *
+ * Hop-by-hop headers and gateway-internal headers are stripped.
  */
 export declare function buildCurlArguments(method: string, headers: ReadonlyMap<string, string>, targetUrl: string, hasBody: boolean): readonly string[];
 /**

package/dist/src/gateway/gatewayEndpoint.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"gatewayEndpoint.d.ts","sourceRoot":"","sources":["../../../src/gateway/gatewayEndpoint.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAIlC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AA2BzD,eAAO,MAAM,mBAAmB,cAAc,CAAC;AAE/C,qBAAa,iBAAkB,SAAQ,KAAK;;CAK3C;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAwBD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAU9D;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,EACpC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,GACf,SAAS,MAAM,EAAE,CAqBnB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG;IACxD,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,CAAC;CACjD,CAiCA;AAkED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,IAAI,CAAC,eAAe,EAC7B,QAAQ,EAAE,IAAI,CAAC,cAAc,EAC7B,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,eAAe,EACrB,kBAAkB,EAAE,kBAAkB,EACtC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CA6Hf"}
+{"version":3,"file":"gatewayEndpoint.d.ts","sourceRoot":"","sources":["../../../src/gateway/gatewayEndpoint.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAIlC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAmBzD;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,WAAW,CAAC,MAAM,CAUjD,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,wBAAwB,EAAE,WAAW,CAAC,MAAM,CAGvD,CAAC;AAEH,eAAO,MAAM,mBAAmB,cAAc,CAAC;AAE/C,qBAAa,iBAAkB,SAAQ,KAAK;;CAK3C;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC;;;OAGG;IACH,QAAQ,CAAC,6BAA6B,EAAE,MAAM,CAAC;CAChD;AAwBD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAU9D;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,EACpC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,GACf,SAAS,MAAM,EAAE,CAsBnB;AAcD;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG;IACxD,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,CAAC;CACjD,CAiCA;AAkED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,IAAI,CAAC,eAAe,EAC7B,QAAQ,EAAE,IAAI,CAAC,cAAc,EAC7B,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,eAAe,EACrB,kBAAkB,EAAE,kBAAkB,EACtC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CAmJf"}

package/dist/src/gateway/gatewayEndpoint.js

@@ -11,10 +11,12 @@ import { tmpdir } from 'node:os';
 import { CredentialsExpiredError, NoCredentialsForServiceError, NoServiceForUrlError, prepareCurlInvocation, RequestNotPermittedError, UrlExtractionFailedError, } from '../curlInjection.js';
 import { PermissionCheckError } from '../permissions.js';
 import { ErrorMessages } from '../errorMessages.js';
+import { GATEWAY_PASSWORD_HEADER } from './password.js';
+import { InvalidPermissionsOverrideError, PERMISSIONS_OVERRIDE_HEADER, PermissionsOverrideFileMissingError, resolveRequestPermissionsConfig, } from './permissionsOverride.js';
 /**
  * Headers that should not be forwarded between client and upstream (hop-by-hop).
  */
-const HOP_BY_HOP_HEADERS = new Set([
+export const HOP_BY_HOP_HEADERS = new Set([
     'connection',
     'keep-alive',
     'proxy-authenticate',
@@ -25,6 +27,14 @@ const HOP_BY_HOP_HEADERS = new Set([
     'upgrade',
     'host',
 ]);
+/**
+ * Headers that the gateway consumes itself and must not forward to upstream
+ * (in addition to hop-by-hop headers).
+ */
+export const GATEWAY_INTERNAL_HEADERS = new Set([
+    GATEWAY_PASSWORD_HEADER,
+    PERMISSIONS_OVERRIDE_HEADER,
+]);
 export const GATEWAY_PATH_PREFIX = '/gateway/';
 export class BodyTooLargeError extends Error {
     constructor() {
@@ -66,7 +76,8 @@ export function extractTargetUrl(rawUrl) {
 }
 /**
  * Build curl arguments from an HTTP request's components.
- * Strips hop-by-hop headers and constructs a curl-compatible argument array.
+ *
+ * Hop-by-hop headers and gateway-internal headers are stripped.
  */
 export function buildCurlArguments(method, headers, targetUrl, hasBody) {
     const args = [];
@@ -74,7 +85,8 @@ export function buildCurlArguments(method, headers, targetUrl, hasBody) {
         args.push('-X', method);
     }
     for (const [name, value] of headers) {
-        if (HOP_BY_HOP_HEADERS.has(name.toLowerCase())) {
+        const lowerName = name.toLowerCase();
+        if (HOP_BY_HOP_HEADERS.has(lowerName) || GATEWAY_INTERNAL_HEADERS.has(lowerName)) {
             continue;
         }
         args.push('-H', `${name}: ${value}`);
@@ -85,6 +97,17 @@ export function buildCurlArguments(method, headers, targetUrl, hasBody) {
     args.push(targetUrl);
     return args;
 }
+/**
+ * Build a `Map<string, string>` view of an `IncomingMessage`'s `rawHeaders`,
+ * preserving original case.
+ */
+function rawHeadersToMap(rawHeaders) {
+    const map = new Map();
+    for (let index = 0; index < rawHeaders.length; index += 2) {
+        map.set(rawHeaders[index], rawHeaders[index + 1]);
+    }
+    return map;
+}
 /**
  * Parse response headers from curl's -D output.
  * Returns the status code from the last status line and all response headers.
@@ -177,6 +200,27 @@ function forwardResponse(response, parsed, body) {
  * Execute a proxied request through the credential injection pipeline.
  */
 export async function handleGatewayRequest(request, response, targetUrl, deps, apiCredentialStore, options) {
+    // Resolve the permissions config for this request. When the client
+    // supplied a permissions-override JWT, validate it and use the referenced
+    // file; otherwise fall back to the gateway's default config path.
+    let permissionsConfigPath;
+    try {
+        permissionsConfigPath = resolveRequestPermissionsConfig(request.headers, deps.config.permissionsConfigPath, options.permissionsOverrideSigningKey);
+    }
+    catch (error) {
+        const method = request.method ?? 'UNKNOWN';
+        if (error instanceof InvalidPermissionsOverrideError) {
+            deps.log(`${method} ${targetUrl} -> 401 (permissions override)`);
+            sendErrorResponse(response, 401, error.message);
+            return;
+        }
+        if (error instanceof PermissionsOverrideFileMissingError) {
+            deps.log(`${method} ${targetUrl} -> 400 (permissions override)`);
+            sendErrorResponse(response, 400, error.message);
+            return;
+        }
+        throw error;
+    }
     // Read body
     let body;
     try {
@@ -191,24 +235,17 @@ export async function handleGatewayRequest(request, response, targetUrl, deps, a
         }
         throw error;
     }
-    // Build curl arguments from the incoming request
+    // Build curl arguments from the incoming request. `buildCurlArguments`
+    // strips hop-by-hop and gateway-internal headers itself, so we just hand
+    // it the raw header map.
     const method = request.method ?? 'GET';
-    const headerMap = new Map();
-    const rawHeaders = request.rawHeaders;
-    for (let i = 0; i < rawHeaders.length; i += 2) {
-        const name = rawHeaders[i];
-        const value = rawHeaders[i + 1];
-        if (!HOP_BY_HOP_HEADERS.has(name.toLowerCase())) {
-            headerMap.set(name, value);
-        }
-    }
-    const curlArguments = buildCurlArguments(method, headerMap, targetUrl, body !== null);
+    const curlArguments = buildCurlArguments(method, rawHeadersToMap(request.rawHeaders), targetUrl, body !== null);
     let allArguments;
     try {
         allArguments = await prepareCurlInvocation(curlArguments, apiCredentialStore, {
             registry: deps.registry,
             checkPermission: deps.checkPermission,
-            permissionsConfigPath: deps.config.permissionsConfigPath,
+            permissionsConfigPath,
             permissionsDoNotUseBuiltinSchemas: deps.config.permissionsDoNotUseBuiltinSchemas,
             passthroughUnknown: deps.config.passthroughUnknown,
         });

package/dist/src/gateway/gatewayEndpoint.js.map

@@ -1 +1 @@
-{"version":3,"file":"gatewayEndpoint.js","sourceRoot":"","sources":["../../../src/gateway/gatewayEndpoint.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC5D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAIjC,OAAO,EACL,uBAAuB,EACvB,4BAA4B,EAC5B,oBAAoB,EACpB,qBAAqB,EACrB,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD;;GAEG;AACH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,YAAY;IACZ,YAAY;IACZ,oBAAoB;IACpB,qBAAqB;IACrB,IAAI;IACJ,UAAU;IACV,mBAAmB;IACnB,SAAS;IACT,MAAM;CACP,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,mBAAmB,GAAG,WAAW,CAAC;AAE/C,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C;QACE,KAAK,CAAC,aAAa,CAAC,mBAAmB,CAAC,CAAC;QACzC,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAQD,SAAS,iBAAiB,CACxB,QAA6B,EAC7B,UAAkB,EAClB,OAAe;IAEf,QAAQ,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IACvE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;AACnD,CAAC;AAED;;;;;;GAMG;AACH,SAAS,uBAAuB,CAAC,QAA6B,EAAE,MAAuB;IACrF,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,aAAa,KAAK,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,qBAAqB,CAAC,CAAC,CAAC,aAAa,CAAC;IAC3F,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,MAAM,MAAM,GAAG,mBAAmB,CAAC;IACnC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAAc,EACd,OAAoC,EACpC,SAAiB,EACjB,OAAgB;IAEhB,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;QACpC,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC/C,SAAS;QACX,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,IAAI,KAAK,KAAK,EAAE,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAErB,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB;IAIrD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC5C,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,wEAAwE;IACxE,iEAAiE;IACjE,yDAAyD;IACzD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACxC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,iDAAiD;QACjD,MAAM,WAAW,GAAG,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrD,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;YACzB,UAAU,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,KAAK,EAAE,CAAC;YAChB,SAAS;QACX,CAAC;QAED,gDAAgD;QAChD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;YAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAChD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACrC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACxC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC3B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,OAA6B,EAC7B,WAAmB;IAEnB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACxD,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;YACzC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,WAAW,EAAE,CAAC;gBACvC,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC,CAAC;gBAChC,OAAO;YACT,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,SAAS,GAAG,CAAC,CAAC;QAElB,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACnC,SAAS,IAAI,KAAK,CAAC,MAAM,CAAC;YAC1B,IAAI,SAAS,GAAG,WAAW,EAAE,CAAC;gBAC5B,OAAO,CAAC,OAAO,EAAE,CAAC;gBAClB,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC,CAAC;gBAChC,OAAO;YACT,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QAEH,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACrB,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;gBACpB,OAAO,CAAC,IAAI,CAAC,CAAC;gBACd,OAAO;YACT,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,QAA6B,EAC7B,MAA+E,EAC/E,IAAY;IAEZ,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC5C,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,SAAS;QACX,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAE,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IACD,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACtC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAA6B,EAC7B,QAA6B,EAC7B,SAAiB,EACjB,IAAqB,EACrB,kBAAsC,EACtC,OAAuB;IAEvB,YAAY;IACZ,IAAI,IAAmB,CAAC;IACxB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;YACvC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;YAC3C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IAED,iDAAiD;IACjD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC;IACvC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC5C,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC;QACjC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAChD,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,KAAK,IAAI,CAAC,CAAC;IAEtF,IAAI,YAA+B,CAAC;IACpC,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,qBAAqB,CAAC,aAAa,EAAE,kBAAkB,EAAE;YAC5E,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,qBAAqB,EAAE,IAAI,CAAC,MAAM,CAAC,qBAAqB;YACxD,iCAAiC,EAAE,IAAI,CAAC,MAAM,CAAC,iCAAiC;YAChF,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB;SACnD,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,wBAAwB,EAAE,CAAC;YAC9C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,IAAI,KAAK,YAAY,oBAAoB,EAAE,CAAC;YAC1C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,UAAU,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC5D,OAAO;QACT,CAAC;QACD,IACE,KAAK,YAAY,wBAAwB;YACzC,KAAK,YAAY,oBAAoB;YACrC,KAAK,YAAY,4BAA4B;YAC7C,KAAK,YAAY,uBAAuB,EACxC,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IAED,wCAAwC;IACxC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,CAAC,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAE5C,IAAI,CAAC;QACH,qEAAqE;QACrE,sEAAsE;QACtE,4DAA4D;QAC5D,uEAAuE;QACvE,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC,CAAC;QAE5D,MAAM,MAAM,GAAoB,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE;YAChE,KAAK,EAAE,IAAI,IAAI,SAAS;SACzB,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,UAAU,KAAK,CAAC,EAAE,CAAC;YAC5B,iEAAiE;YACjE,IAAI,UAAkB,CAAC;YACvB,IAAI,CAAC;gBACH,UAAU,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACjD,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;gBAC1C,uBAAuB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC1C,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBAC7B,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;gBAC1C,uBAAuB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC1C,OAAO;YACT,CAAC;YAED,4CAA4C;YAC5C,MAAM,MAAM,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;YAChD,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;YACjD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,OAAO,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QAED,wBAAwB;QACxB,IAAI,UAAkB,CAAC;QACvB,IAAI,CAAC;YACH,UAAU,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,uBAAuB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC;QAE5C,eAAe,CAAC,QAAQ,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QAClF,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,OAAO,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC9D,CAAC;YAAS,CAAC;QACT,sBAAsB;QACtB,IAAI,CAAC;YACH,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;AACH,CAAC"}
+{"version":3,"file":"gatewayEndpoint.js","sourceRoot":"","sources":["../../../src/gateway/gatewayEndpoint.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC5D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAIjC,OAAO,EACL,uBAAuB,EACvB,4BAA4B,EAC5B,oBAAoB,EACpB,qBAAqB,EACrB,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,EACL,+BAA+B,EAC/B,2BAA2B,EAC3B,mCAAmC,EACnC,+BAA+B,GAChC,MAAM,0BAA0B,CAAC;AAElC;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IAC7D,YAAY;IACZ,YAAY;IACZ,oBAAoB;IACpB,qBAAqB;IACrB,IAAI;IACJ,UAAU;IACV,mBAAmB;IACnB,SAAS;IACT,MAAM;CACP,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAwB,IAAI,GAAG,CAAC;IACnE,uBAAuB;IACvB,2BAA2B;CAC5B,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,mBAAmB,GAAG,WAAW,CAAC;AAE/C,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C;QACE,KAAK,CAAC,aAAa,CAAC,mBAAmB,CAAC,CAAC;QACzC,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAmBD,SAAS,iBAAiB,CACxB,QAA6B,EAC7B,UAAkB,EAClB,OAAe;IAEf,QAAQ,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IACvE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;AACnD,CAAC;AAED;;;;;;GAMG;AACH,SAAS,uBAAuB,CAAC,QAA6B,EAAE,MAAuB;IACrF,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,aAAa,KAAK,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,qBAAqB,CAAC,CAAC,CAAC,aAAa,CAAC;IAC3F,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,MAAM,MAAM,GAAG,mBAAmB,CAAC;IACnC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAAc,EACd,OAAoC,EACpC,SAAiB,EACjB,OAAgB;IAEhB,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACrC,IAAI,kBAAkB,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,wBAAwB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACjF,SAAS;QACX,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,IAAI,KAAK,KAAK,EAAE,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAErB,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CAAC,UAA6B;IACpD,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtC,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,UAAU,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QAC1D,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,CAAE,EAAE,UAAU,CAAC,KAAK,GAAG,CAAC,CAAE,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB;IAIrD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC5C,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,wEAAwE;IACxE,iEAAiE;IACjE,yDAAyD;IACzD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACxC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,iDAAiD;QACjD,MAAM,WAAW,GAAG,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrD,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;YACzB,UAAU,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,KAAK,EAAE,CAAC;YAChB,SAAS;QACX,CAAC;QAED,gDAAgD;QAChD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;YAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAChD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACrC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACxC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC3B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,OAA6B,EAC7B,WAAmB;IAEnB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACxD,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;YACzC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,WAAW,EAAE,CAAC;gBACvC,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC,CAAC;gBAChC,OAAO;YACT,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,SAAS,GAAG,CAAC,CAAC;QAElB,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACnC,SAAS,IAAI,KAAK,CAAC,MAAM,CAAC;YAC1B,IAAI,SAAS,GAAG,WAAW,EAAE,CAAC;gBAC5B,OAAO,CAAC,OAAO,EAAE,CAAC;gBAClB,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC,CAAC;gBAChC,OAAO;YACT,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QAEH,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACrB,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;gBACpB,OAAO,CAAC,IAAI,CAAC,CAAC;gBACd,OAAO;YACT,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,QAA6B,EAC7B,MAA+E,EAC/E,IAAY;IAEZ,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC5C,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,SAAS;QACX,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAE,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IACD,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACtC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAA6B,EAC7B,QAA6B,EAC7B,SAAiB,EACjB,IAAqB,EACrB,kBAAsC,EACtC,OAAuB;IAEvB,mEAAmE;IACnE,0EAA0E;IAC1E,kEAAkE;IAClE,IAAI,qBAA6B,CAAC;IAClC,IAAI,CAAC;QACH,qBAAqB,GAAG,+BAA+B,CACrD,OAAO,CAAC,OAAO,EACf,IAAI,CAAC,MAAM,CAAC,qBAAqB,EACjC,OAAO,CAAC,6BAA6B,CACtC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;QAC3C,IAAI,KAAK,YAAY,+BAA+B,EAAE,CAAC;YACrD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,gCAAgC,CAAC,CAAC;YACjE,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,IAAI,KAAK,YAAY,mCAAmC,EAAE,CAAC;YACzD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,gCAAgC,CAAC,CAAC;YACjE,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IAED,YAAY;IACZ,IAAI,IAAmB,CAAC;IACxB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;YACvC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;YAC3C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IAED,uEAAuE;IACvE,yEAAyE;IACzE,yBAAyB;IACzB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC;IACvC,MAAM,aAAa,GAAG,kBAAkB,CACtC,MAAM,EACN,eAAe,CAAC,OAAO,CAAC,UAAU,CAAC,EACnC,SAAS,EACT,IAAI,KAAK,IAAI,CACd,CAAC;IAEF,IAAI,YAA+B,CAAC;IACpC,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,qBAAqB,CAAC,aAAa,EAAE,kBAAkB,EAAE;YAC5E,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,qBAAqB;YACrB,iCAAiC,EAAE,IAAI,CAAC,MAAM,CAAC,iCAAiC;YAChF,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB;SACnD,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,wBAAwB,EAAE,CAAC;YAC9C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,IAAI,KAAK,YAAY,oBAAoB,EAAE,CAAC;YAC1C,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,UAAU,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC5D,OAAO;QACT,CAAC;QACD,IACE,KAAK,YAAY,wBAAwB;YACzC,KAAK,YAAY,oBAAoB;YACrC,KAAK,YAAY,4BAA4B;YAC7C,KAAK,YAAY,uBAAuB,EACxC,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IAED,wCAAwC;IACxC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,CAAC,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAE5C,IAAI,CAAC;QACH,qEAAqE;QACrE,sEAAsE;QACtE,4DAA4D;QAC5D,uEAAuE;QACvE,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC,CAAC;QAE5D,MAAM,MAAM,GAAoB,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE;YAChE,KAAK,EAAE,IAAI,IAAI,SAAS;SACzB,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,UAAU,KAAK,CAAC,EAAE,CAAC;YAC5B,iEAAiE;YACjE,IAAI,UAAkB,CAAC;YACvB,IAAI,CAAC;gBACH,UAAU,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACjD,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;gBAC1C,uBAAuB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC1C,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBAC7B,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;gBAC1C,uBAAuB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC1C,OAAO;YACT,CAAC;YAED,4CAA4C;YAC5C,MAAM,MAAM,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;YAChD,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;YACjD,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,OAAO,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QAED,wBAAwB;QACxB,IAAI,UAAkB,CAAC;QACvB,IAAI,CAAC;YACH,UAAU,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,SAAS,CAAC,CAAC;YAC1C,uBAAuB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC;QAE5C,eAAe,CAAC,QAAQ,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QAClF,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,SAAS,OAAO,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC9D,CAAC;YAAS,CAAC;QACT,sBAAsB;QACtB,IAAI,CAAC;YACH,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/src/gateway/password.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Shared definitions for the optional gateway password used to authenticate
+ * requests between the latchkey CLI (in gateway mode) and the `latchkey
+ * gateway` server.
+ */
+/**
+ * HTTP header used to carry the shared secret. Lowercased to match how
+ * Node's `http.IncomingMessage.headers` exposes header names.
+ */
+export declare const GATEWAY_PASSWORD_HEADER = "x-latchkey-gateway-password";
+/**
+ * Compare two passwords in constant time relative to their length.
+ * Returns false when the values differ in length or contents.
+ */
+export declare function passwordsMatch(expected: string, provided: string): boolean;
+//# sourceMappingURL=password.d.ts.map

package/dist/src/gateway/password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../../src/gateway/password.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;GAGG;AACH,eAAO,MAAM,uBAAuB,gCAAgC,CAAC;AAErE;;;GAGG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAO1E"}

package/dist/src/gateway/password.js

@@ -0,0 +1,24 @@
+/**
+ * Shared definitions for the optional gateway password used to authenticate
+ * requests between the latchkey CLI (in gateway mode) and the `latchkey
+ * gateway` server.
+ */
+import { timingSafeEqual } from 'node:crypto';
+/**
+ * HTTP header used to carry the shared secret. Lowercased to match how
+ * Node's `http.IncomingMessage.headers` exposes header names.
+ */
+export const GATEWAY_PASSWORD_HEADER = 'x-latchkey-gateway-password';
+/**
+ * Compare two passwords in constant time relative to their length.
+ * Returns false when the values differ in length or contents.
+ */
+export function passwordsMatch(expected, provided) {
+    const expectedBytes = Buffer.from(expected, 'utf-8');
+    const providedBytes = Buffer.from(provided, 'utf-8');
+    if (expectedBytes.length !== providedBytes.length) {
+        return false;
+    }
+    return timingSafeEqual(expectedBytes, providedBytes);
+}
+//# sourceMappingURL=password.js.map

package/dist/src/gateway/password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.js","sourceRoot":"","sources":["../../../src/gateway/password.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,6BAA6B,CAAC;AAErE;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,QAAgB,EAAE,QAAgB;IAC/D,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACrD,IAAI,aAAa,CAAC,MAAM,KAAK,aAAa,CAAC,MAAM,EAAE,CAAC;QAClD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,eAAe,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;AACvD,CAAC"}

package/dist/src/gateway/permissionsOverride.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Optional `x-latchkey-gateway-permissions-override` header support.
+ *
+ * The header carries a minimal HS256 JWT whose only payload field is
+ * `permissionsConfig`, an absolute path to a `permissions.json` file.
+ * When the gateway receives such a header on a `/gateway/...` request and
+ * the JWT is valid, it uses the referenced permissions config instead of
+ * the default one for that single request.
+ *
+ * The signing key is derived from the Latchkey encryption key via HKDF-like
+ * HMAC-SHA256 with a domain-separation label, so the encryption key itself
+ * is never used to sign or verify these JWTs directly.
+ */
+import type * as http from 'node:http';
+/**
+ * HTTP header used to carry the permissions-override JWT. Lowercased to match
+ * how Node's `http.IncomingMessage.headers` exposes header names.
+ */
+export declare const PERMISSIONS_OVERRIDE_HEADER = "x-latchkey-gateway-permissions-override";
+export declare class InvalidPermissionsOverrideError extends Error {
+    constructor(message: string);
+}
+export declare class PermissionsOverrideFileMissingError extends Error {
+    constructor(filePath: string);
+}
+/**
+ * Derive the HS256 signing key used for permissions-override JWTs from the
+ * Latchkey encryption key. The encryption key is base64-encoded; the
+ * derived key is the raw HMAC-SHA256 output (32 bytes).
+ */
+export declare function derivePermissionsOverrideSigningKey(encryptionKeyBase64: string): Buffer;
+/**
+ * Build a permissions-override JWT for the given absolute path. The path is
+ * not validated here; callers that want to ensure the file exists must do
+ * so before calling this function.
+ */
+export declare function createPermissionsOverrideJwt(permissionsConfigPath: string, signingKey: Buffer): string;
+interface PermissionsOverridePayload {
+    readonly permissionsConfig: string;
+}
+/**
+ * Verify a permissions-override JWT and return its payload. Throws
+ * `InvalidPermissionsOverrideError` on any structural, signature, or content
+ * issue (i.e. anything that should be reported as "the JWT is invalid").
+ *
+ * This intentionally does not check that the referenced file exists; that
+ * concern is handled by `resolvePermissionsOverride` so that file-system
+ * errors can be reported separately from JWT errors.
+ */
+export declare function verifyPermissionsOverrideJwt(token: string, signingKey: Buffer): PermissionsOverridePayload;
+/**
+ * Verify a permissions-override JWT and additionally require the referenced
+ * file to exist as a regular file. Returns the absolute path on success.
+ */
+export declare function resolvePermissionsOverride(token: string, signingKey: Buffer): string;
+/**
+ * Apply the optional `X-Latchkey-Gateway-Permissions-Override` header to a
+ * request: when absent, return the default config path; when present,
+ * validate the JWT and return the referenced path. Throws
+ * `InvalidPermissionsOverrideError` (=> 401) or
+ * `PermissionsOverrideFileMissingError` (=> 400) on invalid input.
+ */
+export declare function resolveRequestPermissionsConfig(headers: http.IncomingHttpHeaders, defaultConfigPath: string, signingKey: Buffer): string;
+export {};
+//# sourceMappingURL=permissionsOverride.d.ts.map

package/dist/src/gateway/permissionsOverride.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionsOverride.d.ts","sourceRoot":"","sources":["../../../src/gateway/permissionsOverride.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,KAAK,KAAK,IAAI,MAAM,WAAW,CAAC;AAGvC;;;GAGG;AACH,eAAO,MAAM,2BAA2B,4CAA4C,CAAC;AAYrF,qBAAa,+BAAgC,SAAQ,KAAK;gBAC5C,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,mCAAoC,SAAQ,KAAK;gBAChD,QAAQ,EAAE,MAAM;CAI7B;AAED;;;;GAIG;AACH,wBAAgB,mCAAmC,CAAC,mBAAmB,EAAE,MAAM,GAAG,MAAM,CAGvF;AAED;;;;GAIG;AACH,wBAAgB,4BAA4B,CAC1C,qBAAqB,EAAE,MAAM,EAC7B,UAAU,EAAE,MAAM,GACjB,MAAM,CAWR;AAED,UAAU,0BAA0B;IAClC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;CACpC;AAwCD;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CAC1C,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,GACjB,0BAA0B,CAyD5B;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAMpF;AAED;;;;;;GAMG;AACH,wBAAgB,+BAA+B,CAC7C,OAAO,EAAE,IAAI,CAAC,mBAAmB,EACjC,iBAAiB,EAAE,MAAM,EACzB,UAAU,EAAE,MAAM,GACjB,MAAM,CAKR"}