npm - postgresdk - Versions diffs - 0.14.5 → 0.15.1 - Mend

postgresdk 0.14.5 → 0.15.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -165,7 +165,7 @@ export default {
     // OR
     jwt: {                              // JWT with multi-service support
       services: [
-        { issuer: "my-app", secret: process.env.JWT_SECRET }
+        { issuer: "my-app", secret: "env:JWT_SECRET" }  // Use "env:" prefix!
       ]
     }
   },
@@ -296,7 +296,7 @@ export default {
     strategy: "jwt-hs256",
     jwt: {
       services: [
-        { issuer: "my-app", secret: process.env.JWT_SECRET }
+        { issuer: "my-app", secret: "env:JWT_SECRET" }  // Use "env:" prefix!
       ],
       audience: "my-api"  // Optional
     }
@@ -310,8 +310,8 @@ export default {
     strategy: "jwt-hs256",
     jwt: {
       services: [
-        { issuer: "web-app", secret: process.env.WEB_APP_SECRET },
-        { issuer: "mobile-app", secret: process.env.MOBILE_SECRET },
+        { issuer: "web-app", secret: "env:WEB_APP_SECRET" },
+        { issuer: "mobile-app", secret: "env:MOBILE_SECRET" },
       ],
       audience: "my-api"
     }
@@ -352,8 +352,8 @@ export default {
     strategy: "jwt-hs256",
     jwt: {
       services: [
-        { issuer: "web-app", secret: process.env.WEB_SECRET },
-        { issuer: "analytics-service", secret: process.env.ANALYTICS_SECRET }
+        { issuer: "web-app", secret: "env:WEB_SECRET" },
+        { issuer: "analytics-service", secret: "env:ANALYTICS_SECRET" }
       ],
       audience: "my-api"
     }

package/dist/cli.js CHANGED Viewed

@@ -3941,10 +3941,37 @@ function emitAuth(cfgAuth) {
   const apiKeys = cfgAuth?.apiKeys ?? [];
   const jwtServices = cfgAuth?.jwt?.services ?? [];
   const jwtAudience = cfgAuth?.jwt?.audience ?? undefined;
+  if (strategy === "jwt-hs256" && jwtServices.length > 0) {
+    for (const svc of jwtServices) {
+      if (!svc.secret) {
+        throw new Error(`JWT service "${svc.issuer}" is missing required secret.
+` + `Use the "env:VAR_NAME" pattern in your config:
+` + `  { issuer: "${svc.issuer}", secret: "env:${svc.issuer.toUpperCase().replace(/-/g, "_")}_SECRET" }`);
+      }
+      if (!svc.secret.startsWith("env:")) {
+        throw new Error(`SECURITY ERROR: JWT secret for "${svc.issuer}" must use "env:VAR_NAME" pattern.
+` + `Found: secret: ${typeof svc.secret === "string" && svc.secret.length > 20 ? '"***REDACTED***"' : JSON.stringify(svc.secret)}
+` + `Hardcoding secrets in config files is a security risk!
+` + `Instead, use:
+` + `  { issuer: "${svc.issuer}", secret: "env:${svc.issuer.toUpperCase().replace(/-/g, "_")}_SECRET" }
+` + `Then set the environment variable at runtime.`);
+      }
+    }
+  }
   const STRATEGY = JSON.stringify(strategy);
   const API_KEY_HEADER = JSON.stringify(apiKeyHeader);
   const RAW_API_KEYS = JSON.stringify(apiKeys);
-  const JWT_SERVICES = JSON.stringify(jwtServices);
+  const jwtServicesCode = jwtServices.length === 0 ? "[]" : `[
+${jwtServices.map((svc) => {
+    const varName = svc.secret.slice(4);
+    return `  { issuer: ${JSON.stringify(svc.issuer)}, secret: process.env.${varName} ?? "" }`;
+  }).join(`,
+`)}
+]`;
   const JWT_AUDIENCE = jwtAudience === undefined ? "undefined" : JSON.stringify(jwtAudience);
   return `/**
  * AUTO-GENERATED FILE - DO NOT EDIT
@@ -3962,7 +3989,7 @@ const STRATEGY = ${STRATEGY} as "none" | "api-key" | "jwt-hs256";
 const API_KEY_HEADER = ${API_KEY_HEADER} as string;
 const RAW_API_KEYS = ${RAW_API_KEYS} as readonly string[];
-const JWT_SERVICES = ${JWT_SERVICES} as ReadonlyArray<{ issuer: string; secret?: string }>;
+const JWT_SERVICES = ${jwtServicesCode} as ReadonlyArray<{ issuer: string; secret: string }>;
 const JWT_AUDIENCE = ${JWT_AUDIENCE} as string | undefined;
 // -------------------------------------
@@ -3978,15 +4005,6 @@ function expandEnvList(v: string): string[] {
   return v.split(",").map(s => s.trim()).filter(Boolean);
 }
-function resolveValue(v: string | undefined): string {
-  if (!v) return "";
-  if (v.startsWith("env:")) {
-    const name = v.slice(4);
-    return process.env[name] ?? "";
-  }
-  return v;
-}
 function resolveKeys(keys: readonly string[]): string[] {
   const out: string[] = [];
   for (const k of keys) {
@@ -4004,12 +4022,6 @@ function resolveKeys(keys: readonly string[]): string[] {
 const API_KEYS = resolveKeys(RAW_API_KEYS);
-// Resolve JWT service secrets from env vars if needed
-const RESOLVED_JWT_SERVICES = JWT_SERVICES.map(svc => ({
-  issuer: svc.issuer,
-  secret: resolveValue(svc.secret)
-}));
 // Augment Hono context for DX
 declare module "hono" {
   interface ContextVariableMap {
@@ -4052,7 +4064,7 @@ export async function authMiddleware(c: Context, next: Next) {
       }
       const token = m[1];
-      if (!RESOLVED_JWT_SERVICES.length) {
+      if (!JWT_SERVICES.length) {
         log.error("JWT strategy configured but no services defined");
         return c.json({ error: "Unauthorized" }, 401);
       }
@@ -4071,7 +4083,7 @@ export async function authMiddleware(c: Context, next: Next) {
         }
         // Find matching service by issuer
-        const service = RESOLVED_JWT_SERVICES.find(s => s.issuer === issuer);
+        const service = JWT_SERVICES.find(s => s.issuer === issuer);
         if (!service) {
           log.error("Unknown JWT issuer:", issuer);
           return c.json({ error: "Unauthorized" }, 401);

package/dist/index.js CHANGED Viewed

@@ -3115,10 +3115,37 @@ function emitAuth(cfgAuth) {
   const apiKeys = cfgAuth?.apiKeys ?? [];
   const jwtServices = cfgAuth?.jwt?.services ?? [];
   const jwtAudience = cfgAuth?.jwt?.audience ?? undefined;
+  if (strategy === "jwt-hs256" && jwtServices.length > 0) {
+    for (const svc of jwtServices) {
+      if (!svc.secret) {
+        throw new Error(`JWT service "${svc.issuer}" is missing required secret.
+` + `Use the "env:VAR_NAME" pattern in your config:
+` + `  { issuer: "${svc.issuer}", secret: "env:${svc.issuer.toUpperCase().replace(/-/g, "_")}_SECRET" }`);
+      }
+      if (!svc.secret.startsWith("env:")) {
+        throw new Error(`SECURITY ERROR: JWT secret for "${svc.issuer}" must use "env:VAR_NAME" pattern.
+` + `Found: secret: ${typeof svc.secret === "string" && svc.secret.length > 20 ? '"***REDACTED***"' : JSON.stringify(svc.secret)}
+` + `Hardcoding secrets in config files is a security risk!
+` + `Instead, use:
+` + `  { issuer: "${svc.issuer}", secret: "env:${svc.issuer.toUpperCase().replace(/-/g, "_")}_SECRET" }
+` + `Then set the environment variable at runtime.`);
+      }
+    }
+  }
   const STRATEGY = JSON.stringify(strategy);
   const API_KEY_HEADER = JSON.stringify(apiKeyHeader);
   const RAW_API_KEYS = JSON.stringify(apiKeys);
-  const JWT_SERVICES = JSON.stringify(jwtServices);
+  const jwtServicesCode = jwtServices.length === 0 ? "[]" : `[
+${jwtServices.map((svc) => {
+    const varName = svc.secret.slice(4);
+    return `  { issuer: ${JSON.stringify(svc.issuer)}, secret: process.env.${varName} ?? "" }`;
+  }).join(`,
+`)}
+]`;
   const JWT_AUDIENCE = jwtAudience === undefined ? "undefined" : JSON.stringify(jwtAudience);
   return `/**
  * AUTO-GENERATED FILE - DO NOT EDIT
@@ -3136,7 +3163,7 @@ const STRATEGY = ${STRATEGY} as "none" | "api-key" | "jwt-hs256";
 const API_KEY_HEADER = ${API_KEY_HEADER} as string;
 const RAW_API_KEYS = ${RAW_API_KEYS} as readonly string[];
-const JWT_SERVICES = ${JWT_SERVICES} as ReadonlyArray<{ issuer: string; secret?: string }>;
+const JWT_SERVICES = ${jwtServicesCode} as ReadonlyArray<{ issuer: string; secret: string }>;
 const JWT_AUDIENCE = ${JWT_AUDIENCE} as string | undefined;
 // -------------------------------------
@@ -3152,15 +3179,6 @@ function expandEnvList(v: string): string[] {
   return v.split(",").map(s => s.trim()).filter(Boolean);
 }
-function resolveValue(v: string | undefined): string {
-  if (!v) return "";
-  if (v.startsWith("env:")) {
-    const name = v.slice(4);
-    return process.env[name] ?? "";
-  }
-  return v;
-}
 function resolveKeys(keys: readonly string[]): string[] {
   const out: string[] = [];
   for (const k of keys) {
@@ -3178,12 +3196,6 @@ function resolveKeys(keys: readonly string[]): string[] {
 const API_KEYS = resolveKeys(RAW_API_KEYS);
-// Resolve JWT service secrets from env vars if needed
-const RESOLVED_JWT_SERVICES = JWT_SERVICES.map(svc => ({
-  issuer: svc.issuer,
-  secret: resolveValue(svc.secret)
-}));
 // Augment Hono context for DX
 declare module "hono" {
   interface ContextVariableMap {
@@ -3226,7 +3238,7 @@ export async function authMiddleware(c: Context, next: Next) {
       }
       const token = m[1];
-      if (!RESOLVED_JWT_SERVICES.length) {
+      if (!JWT_SERVICES.length) {
         log.error("JWT strategy configured but no services defined");
         return c.json({ error: "Unauthorized" }, 401);
       }
@@ -3245,7 +3257,7 @@ export async function authMiddleware(c: Context, next: Next) {
         }
         // Find matching service by issuer
-        const service = RESOLVED_JWT_SERVICES.find(s => s.issuer === issuer);
+        const service = JWT_SERVICES.find(s => s.issuer === issuer);
         if (!service) {
           log.error("Unknown JWT issuer:", issuer);
           return c.json({ error: "Unauthorized" }, 401);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "postgresdk",
-  "version": "0.14.5",
+  "version": "0.15.1",
   "description": "Generate a typed server/client SDK from a Postgres schema (includes, Zod, Hono).",
   "type": "module",
   "bin": {