recker 1.0.20-next.de24f7d → 1.0.20-next.e194d90

package/dist/plugins/auth/azure-ad.js

@@ -0,0 +1,152 @@
+import { oidc, generatePKCE } from './oidc.js';
+function getAzureADIssuer(options) {
+    if (options.b2c) {
+        return `https://${options.b2c.tenantName}.b2clogin.com/${options.b2c.tenantName}.onmicrosoft.com/${options.b2c.policy}/v2.0`;
+    }
+    const cloudInstance = options.cloudInstance || 'https://login.microsoftonline.com';
+    return `${cloudInstance}/${options.tenantId}/v2.0`;
+}
+function getAzureADTokenEndpoint(options) {
+    if (options.b2c) {
+        return `https://${options.b2c.tenantName}.b2clogin.com/${options.b2c.tenantName}.onmicrosoft.com/${options.b2c.policy}/oauth2/v2.0/token`;
+    }
+    const cloudInstance = options.cloudInstance || 'https://login.microsoftonline.com';
+    return `${cloudInstance}/${options.tenantId}/oauth2/v2.0/token`;
+}
+export async function generateAzureADAuthUrl(options) {
+    const pkce = options.usePKCE ? generatePKCE() : undefined;
+    let authorizeUrl;
+    if (options.b2c) {
+        authorizeUrl = `https://${options.b2c.tenantName}.b2clogin.com/${options.b2c.tenantName}.onmicrosoft.com/${options.b2c.policy}/oauth2/v2.0/authorize`;
+    }
+    else {
+        const cloudInstance = options.cloudInstance || 'https://login.microsoftonline.com';
+        authorizeUrl = `${cloudInstance}/${options.tenantId}/oauth2/v2.0/authorize`;
+    }
+    const params = new URLSearchParams({
+        response_type: 'code',
+        client_id: options.clientId,
+        redirect_uri: options.redirectUri,
+        scope: (options.scopes || ['openid', 'profile', 'email']).join(' '),
+        response_mode: 'query',
+    });
+    if (options.state) {
+        params.set('state', options.state);
+    }
+    if (options.nonce) {
+        params.set('nonce', options.nonce);
+    }
+    if (pkce) {
+        params.set('code_challenge', pkce.codeChallenge);
+        params.set('code_challenge_method', 'S256');
+    }
+    if (options.prompt) {
+        params.set('prompt', options.prompt);
+    }
+    if (options.loginHint) {
+        params.set('login_hint', options.loginHint);
+    }
+    if (options.domainHint) {
+        params.set('domain_hint', options.domainHint);
+    }
+    return {
+        url: `${authorizeUrl}?${params.toString()}`,
+        codeVerifier: pkce?.codeVerifier,
+    };
+}
+export async function exchangeAzureADCode(options) {
+    const tokenUrl = getAzureADTokenEndpoint(options);
+    const params = new URLSearchParams({
+        grant_type: 'authorization_code',
+        client_id: options.clientId,
+        code: options.code,
+        redirect_uri: options.redirectUri,
+        scope: (options.scopes || ['openid', 'profile', 'email']).join(' '),
+    });
+    if (options.clientSecret) {
+        params.set('client_secret', options.clientSecret);
+    }
+    if (options.codeVerifier) {
+        params.set('code_verifier', options.codeVerifier);
+    }
+    const response = await fetch(tokenUrl, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        const error = await response.json();
+        throw new Error(`Azure AD token exchange failed: ${error.error_description || error.error}`);
+    }
+    const data = await response.json();
+    return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        idToken: data.id_token,
+        expiresAt: data.expires_in ? Date.now() + data.expires_in * 1000 : undefined,
+        tokenType: data.token_type || 'Bearer',
+    };
+}
+export async function azureADOnBehalfOf(options) {
+    const tokenUrl = getAzureADTokenEndpoint(options);
+    const params = new URLSearchParams({
+        grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+        client_id: options.clientId,
+        assertion: options.assertion,
+        scope: options.scope,
+        requested_token_use: 'on_behalf_of',
+    });
+    if (options.clientSecret) {
+        params.set('client_secret', options.clientSecret);
+    }
+    const response = await fetch(tokenUrl, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        const error = await response.json();
+        throw new Error(`Azure AD OBO flow failed: ${error.error_description || error.error}`);
+    }
+    const data = await response.json();
+    return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        expiresAt: data.expires_in ? Date.now() + data.expires_in * 1000 : undefined,
+        tokenType: data.token_type || 'Bearer',
+    };
+}
+export async function getAzureADUserInfo(accessToken) {
+    const response = await fetch('https://graph.microsoft.com/v1.0/me', {
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+        },
+    });
+    if (!response.ok) {
+        throw new Error(`Failed to get user info: ${response.status}`);
+    }
+    return response.json();
+}
+export function azureAD(options) {
+    const issuer = getAzureADIssuer(options);
+    const scopes = options.scopes || ['openid', 'profile', 'email', 'offline_access'];
+    return oidc({
+        issuer,
+        clientId: options.clientId,
+        clientSecret: options.clientSecret,
+        scopes,
+        accessToken: options.accessToken,
+        refreshToken: options.refreshToken,
+        tokenStorage: options.tokenStorage,
+    });
+}
+export function azureADPlugin(options) {
+    return (client) => {
+        client.use(azureAD(options));
+    };
+}
+export { azureAD as entraId, azureADPlugin as entraIdPlugin };

package/dist/plugins/auth/basic.d.ts

@@ -0,0 +1,7 @@
+import { Middleware, Plugin } from '../../types/index.js';
+export interface BasicAuthOptions {
+    username: string;
+    password: string;
+}
+export declare function basicAuth(options: BasicAuthOptions): Middleware;
+export declare function basicAuthPlugin(options: BasicAuthOptions): Plugin;

package/dist/plugins/auth/basic.js

@@ -0,0 +1,13 @@
+export function basicAuth(options) {
+    const credentials = Buffer.from(`${options.username}:${options.password}`).toString('base64');
+    const authHeader = `Basic ${credentials}`;
+    return async (req, next) => {
+        const newReq = req.withHeader('Authorization', authHeader);
+        return next(newReq);
+    };
+}
+export function basicAuthPlugin(options) {
+    return (client) => {
+        client.use(basicAuth(options));
+    };
+}

package/dist/plugins/auth/bearer.d.ts

@@ -0,0 +1,8 @@
+import { Middleware, Plugin } from '../../types/index.js';
+export interface BearerAuthOptions {
+    token: string | (() => string | Promise<string>);
+    type?: string;
+    headerName?: string;
+}
+export declare function bearerAuth(options: BearerAuthOptions): Middleware;
+export declare function bearerAuthPlugin(options: BearerAuthOptions): Plugin;

package/dist/plugins/auth/bearer.js

@@ -0,0 +1,17 @@
+export function bearerAuth(options) {
+    const type = options.type ?? 'Bearer';
+    const headerName = options.headerName ?? 'Authorization';
+    return async (req, next) => {
+        const token = typeof options.token === 'function'
+            ? await options.token()
+            : options.token;
+        const authHeader = `${type} ${token}`;
+        const newReq = req.withHeader(headerName, authHeader);
+        return next(newReq);
+    };
+}
+export function bearerAuthPlugin(options) {
+    return (client) => {
+        client.use(bearerAuth(options));
+    };
+}

package/dist/plugins/auth/cognito.d.ts

@@ -0,0 +1,45 @@
+import { Middleware, Plugin } from '../../types/index.js';
+export interface CognitoOptions {
+    region: string;
+    userPoolId: string;
+    clientId: string;
+    clientSecret?: string;
+    accessToken?: string | (() => string | Promise<string>);
+    idToken?: string;
+    refreshToken?: string;
+    username?: string;
+    password?: string;
+    useSRP?: boolean;
+    tokenStorage?: {
+        get: () => Promise<CognitoTokens | null>;
+        set: (tokens: CognitoTokens) => Promise<void>;
+    };
+    identityPoolId?: string;
+}
+export interface CognitoTokens {
+    accessToken: string;
+    idToken?: string;
+    refreshToken?: string;
+    expiresAt?: number;
+    tokenType?: string;
+}
+export interface CognitoAWSCredentials {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken: string;
+    expiresAt: number;
+}
+export declare function getCognitoIdentityCredentials(options: {
+    region: string;
+    identityPoolId: string;
+    idToken: string;
+    userPoolId: string;
+}): Promise<CognitoAWSCredentials>;
+export declare function getCognitoHostedUIUrl(options: CognitoOptions & {
+    redirectUri: string;
+    responseType?: 'code' | 'token';
+    scopes?: string[];
+    state?: string;
+}): string;
+export declare function cognito(options: CognitoOptions): Middleware;
+export declare function cognitoPlugin(options: CognitoOptions): Plugin;

package/dist/plugins/auth/cognito.js

@@ -0,0 +1,208 @@
+import { createHmac } from 'node:crypto';
+function generateSecretHash(username, clientId, clientSecret) {
+    return createHmac('sha256', clientSecret)
+        .update(username + clientId)
+        .digest('base64');
+}
+async function authenticateUserPassword(options) {
+    if (!options.username || !options.password) {
+        throw new Error('Username and password are required for USER_PASSWORD_AUTH');
+    }
+    const endpoint = `https://cognito-idp.${options.region}.amazonaws.com/`;
+    const authParameters = {
+        USERNAME: options.username,
+        PASSWORD: options.password,
+    };
+    if (options.clientSecret) {
+        authParameters.SECRET_HASH = generateSecretHash(options.username, options.clientId, options.clientSecret);
+    }
+    const response = await fetch(endpoint, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-amz-json-1.1',
+            'X-Amz-Target': 'AWSCognitoIdentityProviderService.InitiateAuth',
+        },
+        body: JSON.stringify({
+            AuthFlow: 'USER_PASSWORD_AUTH',
+            ClientId: options.clientId,
+            AuthParameters: authParameters,
+        }),
+    });
+    if (!response.ok) {
+        const error = await response.json();
+        throw new Error(`Cognito authentication failed: ${error.message || error.__type}`);
+    }
+    const data = await response.json();
+    if (data.ChallengeName) {
+        throw new Error(`Cognito challenge required: ${data.ChallengeName}`);
+    }
+    if (!data.AuthenticationResult) {
+        throw new Error('Cognito authentication failed: No result');
+    }
+    return {
+        accessToken: data.AuthenticationResult.AccessToken,
+        idToken: data.AuthenticationResult.IdToken,
+        refreshToken: data.AuthenticationResult.RefreshToken,
+        expiresAt: Date.now() + data.AuthenticationResult.ExpiresIn * 1000,
+        tokenType: data.AuthenticationResult.TokenType,
+    };
+}
+async function refreshCognitoTokens(options, refreshToken) {
+    const endpoint = `https://cognito-idp.${options.region}.amazonaws.com/`;
+    const authParameters = {
+        REFRESH_TOKEN: refreshToken,
+    };
+    if (options.clientSecret && options.username) {
+        authParameters.SECRET_HASH = generateSecretHash(options.username, options.clientId, options.clientSecret);
+    }
+    const response = await fetch(endpoint, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-amz-json-1.1',
+            'X-Amz-Target': 'AWSCognitoIdentityProviderService.InitiateAuth',
+        },
+        body: JSON.stringify({
+            AuthFlow: 'REFRESH_TOKEN_AUTH',
+            ClientId: options.clientId,
+            AuthParameters: authParameters,
+        }),
+    });
+    if (!response.ok) {
+        const error = await response.json();
+        throw new Error(`Cognito token refresh failed: ${error.message || error.__type}`);
+    }
+    const data = await response.json();
+    return {
+        accessToken: data.AuthenticationResult.AccessToken,
+        idToken: data.AuthenticationResult.IdToken,
+        refreshToken: refreshToken,
+        expiresAt: Date.now() + data.AuthenticationResult.ExpiresIn * 1000,
+        tokenType: data.AuthenticationResult.TokenType,
+    };
+}
+export async function getCognitoIdentityCredentials(options) {
+    const identityEndpoint = `https://cognito-identity.${options.region}.amazonaws.com/`;
+    const logins = {
+        [`cognito-idp.${options.region}.amazonaws.com/${options.userPoolId}`]: options.idToken,
+    };
+    const getIdResponse = await fetch(identityEndpoint, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-amz-json-1.1',
+            'X-Amz-Target': 'AWSCognitoIdentityService.GetId',
+        },
+        body: JSON.stringify({
+            IdentityPoolId: options.identityPoolId,
+            Logins: logins,
+        }),
+    });
+    if (!getIdResponse.ok) {
+        const error = await getIdResponse.json();
+        throw new Error(`Failed to get identity ID: ${error.message || error.__type}`);
+    }
+    const { IdentityId } = await getIdResponse.json();
+    const getCredentialsResponse = await fetch(identityEndpoint, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-amz-json-1.1',
+            'X-Amz-Target': 'AWSCognitoIdentityService.GetCredentialsForIdentity',
+        },
+        body: JSON.stringify({
+            IdentityId,
+            Logins: logins,
+        }),
+    });
+    if (!getCredentialsResponse.ok) {
+        const error = await getCredentialsResponse.json();
+        throw new Error(`Failed to get credentials: ${error.message || error.__type}`);
+    }
+    const data = await getCredentialsResponse.json();
+    return {
+        accessKeyId: data.Credentials.AccessKeyId,
+        secretAccessKey: data.Credentials.SecretKey,
+        sessionToken: data.Credentials.SessionToken,
+        expiresAt: data.Credentials.Expiration * 1000,
+    };
+}
+export function getCognitoHostedUIUrl(options) {
+    const domain = `https://${options.userPoolId.split('_')[1].toLowerCase()}.auth.${options.region}.amazoncognito.com`;
+    const params = new URLSearchParams({
+        response_type: options.responseType || 'code',
+        client_id: options.clientId,
+        redirect_uri: options.redirectUri,
+        scope: (options.scopes || ['openid', 'profile', 'email']).join(' '),
+    });
+    if (options.state) {
+        params.set('state', options.state);
+    }
+    return `${domain}/login?${params.toString()}`;
+}
+export function cognito(options) {
+    let cachedTokens = null;
+    const getTokens = async () => {
+        if (options.tokenStorage) {
+            const stored = await options.tokenStorage.get();
+            if (stored) {
+                cachedTokens = stored;
+            }
+        }
+        if (cachedTokens && cachedTokens.expiresAt && cachedTokens.expiresAt > Date.now() + 60000) {
+            return cachedTokens;
+        }
+        if (cachedTokens?.refreshToken || options.refreshToken) {
+            const refreshToken = cachedTokens?.refreshToken || options.refreshToken;
+            try {
+                cachedTokens = await refreshCognitoTokens(options, refreshToken);
+                if (options.tokenStorage) {
+                    await options.tokenStorage.set(cachedTokens);
+                }
+                return cachedTokens;
+            }
+            catch {
+            }
+        }
+        if (options.accessToken) {
+            const token = typeof options.accessToken === 'function'
+                ? await options.accessToken()
+                : options.accessToken;
+            return {
+                accessToken: token,
+                idToken: options.idToken,
+                tokenType: 'Bearer',
+            };
+        }
+        if (options.username && options.password) {
+            cachedTokens = await authenticateUserPassword(options);
+            if (options.tokenStorage) {
+                await options.tokenStorage.set(cachedTokens);
+            }
+            return cachedTokens;
+        }
+        throw new Error('No valid authentication method. Provide accessToken, refreshToken, or username/password.');
+    };
+    return async (req, next) => {
+        const tokens = await getTokens();
+        const authReq = req.withHeader('Authorization', `Bearer ${tokens.accessToken}`);
+        const response = await next(authReq);
+        if (response.status === 401 && (cachedTokens?.refreshToken || options.refreshToken)) {
+            try {
+                const refreshToken = cachedTokens?.refreshToken || options.refreshToken;
+                cachedTokens = await refreshCognitoTokens(options, refreshToken);
+                if (options.tokenStorage) {
+                    await options.tokenStorage.set(cachedTokens);
+                }
+                const retryReq = req.withHeader('Authorization', `Bearer ${cachedTokens.accessToken}`);
+                return next(retryReq);
+            }
+            catch {
+                return response;
+            }
+        }
+        return response;
+    };
+}
+export function cognitoPlugin(options) {
+    return (client) => {
+        client.use(cognito(options));
+    };
+}

package/dist/plugins/auth/digest.d.ts

@@ -0,0 +1,8 @@
+import { Middleware, Plugin } from '../../types/index.js';
+export interface DigestAuthOptions {
+    username: string;
+    password: string;
+    preemptive?: boolean;
+}
+export declare function digestAuth(options: DigestAuthOptions): Middleware;
+export declare function digestAuthPlugin(options: DigestAuthOptions): Plugin;

package/dist/plugins/auth/digest.js

@@ -0,0 +1,100 @@
+import { createHash, randomBytes } from 'node:crypto';
+function parseDigestChallenge(header) {
+    if (!header.toLowerCase().startsWith('digest ')) {
+        return null;
+    }
+    const params = {};
+    const regex = /(\w+)=(?:"([^"]+)"|([^\s,]+))/g;
+    let match;
+    while ((match = regex.exec(header)) !== null) {
+        params[match[1].toLowerCase()] = match[2] || match[3];
+    }
+    if (!params.realm || !params.nonce) {
+        return null;
+    }
+    return {
+        realm: params.realm,
+        nonce: params.nonce,
+        qop: params.qop,
+        opaque: params.opaque,
+        algorithm: params.algorithm,
+        stale: params.stale === 'true',
+    };
+}
+function md5(str) {
+    return createHash('md5').update(str).digest('hex');
+}
+function sha256(str) {
+    return createHash('sha256').update(str).digest('hex');
+}
+function generateDigestHeader(method, uri, username, password, challenge, nc) {
+    const algorithm = challenge.algorithm?.toUpperCase() || 'MD5';
+    const hashFn = algorithm.includes('SHA-256') ? sha256 : md5;
+    const cnonce = randomBytes(8).toString('hex');
+    const ncStr = nc.toString(16).padStart(8, '0');
+    let ha1 = hashFn(`${username}:${challenge.realm}:${password}`);
+    if (algorithm.endsWith('-SESS')) {
+        ha1 = hashFn(`${ha1}:${challenge.nonce}:${cnonce}`);
+    }
+    const ha2 = hashFn(`${method}:${uri}`);
+    let response;
+    if (challenge.qop) {
+        response = hashFn(`${ha1}:${challenge.nonce}:${ncStr}:${cnonce}:${challenge.qop}:${ha2}`);
+    }
+    else {
+        response = hashFn(`${ha1}:${challenge.nonce}:${ha2}`);
+    }
+    const parts = [
+        `username="${username}"`,
+        `realm="${challenge.realm}"`,
+        `nonce="${challenge.nonce}"`,
+        `uri="${uri}"`,
+        `response="${response}"`,
+    ];
+    if (challenge.qop) {
+        parts.push(`qop=${challenge.qop.split(',')[0].trim()}`);
+        parts.push(`nc=${ncStr}`);
+        parts.push(`cnonce="${cnonce}"`);
+    }
+    if (challenge.opaque) {
+        parts.push(`opaque="${challenge.opaque}"`);
+    }
+    if (algorithm !== 'MD5') {
+        parts.push(`algorithm=${algorithm}`);
+    }
+    return `Digest ${parts.join(', ')}`;
+}
+export function digestAuth(options) {
+    let nc = 0;
+    let lastChallenge = null;
+    return async (req, next) => {
+        if (lastChallenge && options.preemptive) {
+            nc++;
+            const uri = new URL(req.url).pathname + new URL(req.url).search;
+            const authHeader = generateDigestHeader(req.method, uri, options.username, options.password, lastChallenge, nc);
+            const newReq = req.withHeader('Authorization', authHeader);
+            return next(newReq);
+        }
+        const response = await next(req);
+        if (response.status === 401) {
+            const wwwAuth = response.headers.get('WWW-Authenticate');
+            if (wwwAuth) {
+                const challenge = parseDigestChallenge(wwwAuth);
+                if (challenge) {
+                    lastChallenge = challenge;
+                    nc++;
+                    const uri = new URL(req.url).pathname + new URL(req.url).search;
+                    const authHeader = generateDigestHeader(req.method, uri, options.username, options.password, challenge, nc);
+                    const newReq = req.withHeader('Authorization', authHeader);
+                    return next(newReq);
+                }
+            }
+        }
+        return response;
+    };
+}
+export function digestAuthPlugin(options) {
+    return (client) => {
+        client.use(digestAuth(options));
+    };
+}

package/dist/plugins/auth/firebase.d.ts

@@ -0,0 +1,32 @@
+import { Middleware, Plugin } from '../../types/index.js';
+export interface FirebaseAuthOptions {
+    projectId: string;
+    idToken?: string | (() => string | Promise<string>);
+    serviceAccount?: FirebaseServiceAccount;
+    serviceAccountPath?: string;
+    apiKey?: string;
+    customToken?: string;
+    tokenStorage?: {
+        get: () => Promise<FirebaseTokens | null>;
+        set: (tokens: FirebaseTokens) => Promise<void>;
+    };
+}
+export interface FirebaseServiceAccount {
+    type: 'service_account';
+    project_id: string;
+    private_key_id: string;
+    private_key: string;
+    client_email: string;
+    client_id: string;
+    auth_uri: string;
+    token_uri: string;
+}
+export interface FirebaseTokens {
+    idToken: string;
+    refreshToken?: string;
+    expiresAt?: number;
+}
+export declare function createFirebaseCustomToken(serviceAccount: FirebaseServiceAccount, uid: string, claims?: Record<string, unknown>): string;
+export declare function verifyFirebaseIdToken(projectId: string, idToken: string): Promise<Record<string, unknown>>;
+export declare function firebase(options: FirebaseAuthOptions): Middleware;
+export declare function firebasePlugin(options: FirebaseAuthOptions): Plugin;