recker 1.0.20 → 1.0.21-next.ab2d00f

package/dist/plugins/auth/google-service-account.js

@@ -0,0 +1,172 @@
+import { createSign, createPrivateKey } from 'node:crypto';
+function createServiceAccountJWT(credentials, scopes, subject) {
+    const now = Math.floor(Date.now() / 1000);
+    const header = {
+        alg: 'RS256',
+        typ: 'JWT',
+        kid: credentials.private_key_id,
+    };
+    const payload = {
+        iss: credentials.client_email,
+        aud: credentials.token_uri,
+        iat: now,
+        exp: now + 3600,
+        scope: scopes.join(' '),
+    };
+    if (subject) {
+        payload.sub = subject;
+    }
+    const encodedHeader = Buffer.from(JSON.stringify(header)).toString('base64url');
+    const encodedPayload = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const signatureInput = `${encodedHeader}.${encodedPayload}`;
+    const privateKey = createPrivateKey(credentials.private_key);
+    const sign = createSign('RSA-SHA256');
+    sign.update(signatureInput);
+    const signature = sign.sign(privateKey, 'base64url');
+    return `${signatureInput}.${signature}`;
+}
+async function exchangeJWTForAccessToken(credentials, jwt) {
+    const response = await fetch(credentials.token_uri, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: new URLSearchParams({
+            grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+            assertion: jwt,
+        }).toString(),
+    });
+    if (!response.ok) {
+        const error = await response.json();
+        throw new Error(`Failed to get access token: ${error.error_description || error.error}`);
+    }
+    const data = await response.json();
+    return {
+        accessToken: data.access_token,
+        expiresAt: Date.now() + data.expires_in * 1000,
+    };
+}
+export async function getGoogleIdToken(credentials, targetAudience) {
+    const now = Math.floor(Date.now() / 1000);
+    const header = {
+        alg: 'RS256',
+        typ: 'JWT',
+        kid: credentials.private_key_id,
+    };
+    const payload = {
+        iss: credentials.client_email,
+        aud: credentials.token_uri,
+        iat: now,
+        exp: now + 3600,
+        target_audience: targetAudience,
+    };
+    const encodedHeader = Buffer.from(JSON.stringify(header)).toString('base64url');
+    const encodedPayload = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const signatureInput = `${encodedHeader}.${encodedPayload}`;
+    const privateKey = createPrivateKey(credentials.private_key);
+    const sign = createSign('RSA-SHA256');
+    sign.update(signatureInput);
+    const signature = sign.sign(privateKey, 'base64url');
+    const jwt = `${signatureInput}.${signature}`;
+    const response = await fetch(credentials.token_uri, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: new URLSearchParams({
+            grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+            assertion: jwt,
+        }).toString(),
+    });
+    if (!response.ok) {
+        const error = await response.json();
+        throw new Error(`Failed to get ID token: ${error.error_description || error.error}`);
+    }
+    const data = await response.json();
+    return data.id_token;
+}
+async function loadCredentialsFromFile(keyFile) {
+    const fs = await import('node:fs/promises');
+    const content = await fs.readFile(keyFile, 'utf-8');
+    return JSON.parse(content);
+}
+export function googleServiceAccount(options) {
+    let cachedToken = null;
+    let credentialsLoaded = null;
+    const getCredentials = async () => {
+        if (credentialsLoaded) {
+            return credentialsLoaded;
+        }
+        if (options.credentials) {
+            credentialsLoaded = options.credentials;
+            return credentialsLoaded;
+        }
+        if (options.keyFile) {
+            credentialsLoaded = await loadCredentialsFromFile(options.keyFile);
+            return credentialsLoaded;
+        }
+        const adcPath = process.env.GOOGLE_APPLICATION_CREDENTIALS;
+        if (adcPath) {
+            credentialsLoaded = await loadCredentialsFromFile(adcPath);
+            return credentialsLoaded;
+        }
+        throw new Error('No credentials provided. Set credentials, keyFile, or GOOGLE_APPLICATION_CREDENTIALS environment variable.');
+    };
+    const getAccessToken = async () => {
+        if (options.accessToken) {
+            const token = typeof options.accessToken === 'function'
+                ? await options.accessToken()
+                : options.accessToken;
+            return token;
+        }
+        if (cachedToken && cachedToken.expiresAt > Date.now() + 60000) {
+            return cachedToken.accessToken;
+        }
+        const credentials = await getCredentials();
+        const jwt = createServiceAccountJWT(credentials, options.scopes, options.subject);
+        cachedToken = await exchangeJWTForAccessToken(credentials, jwt);
+        return cachedToken.accessToken;
+    };
+    return async (req, next) => {
+        const token = await getAccessToken();
+        const authReq = req.withHeader('Authorization', `Bearer ${token}`);
+        const response = await next(authReq);
+        if (response.status === 401) {
+            cachedToken = null;
+            const newToken = await getAccessToken();
+            const retryReq = req.withHeader('Authorization', `Bearer ${newToken}`);
+            return next(retryReq);
+        }
+        return response;
+    };
+}
+export function googleServiceAccountPlugin(options) {
+    return (client) => {
+        client.use(googleServiceAccount(options));
+    };
+}
+export const GoogleScopes = {
+    CLOUD_PLATFORM: 'https://www.googleapis.com/auth/cloud-platform',
+    CLOUD_PLATFORM_READ_ONLY: 'https://www.googleapis.com/auth/cloud-platform.read-only',
+    BIGQUERY: 'https://www.googleapis.com/auth/bigquery',
+    BIGQUERY_READ_ONLY: 'https://www.googleapis.com/auth/bigquery.readonly',
+    STORAGE_FULL: 'https://www.googleapis.com/auth/devstorage.full_control',
+    STORAGE_READ_WRITE: 'https://www.googleapis.com/auth/devstorage.read_write',
+    STORAGE_READ_ONLY: 'https://www.googleapis.com/auth/devstorage.read_only',
+    COMPUTE: 'https://www.googleapis.com/auth/compute',
+    COMPUTE_READ_ONLY: 'https://www.googleapis.com/auth/compute.readonly',
+    PUBSUB: 'https://www.googleapis.com/auth/pubsub',
+    DATASTORE: 'https://www.googleapis.com/auth/datastore',
+    FIRESTORE: 'https://www.googleapis.com/auth/datastore',
+    FIREBASE: 'https://www.googleapis.com/auth/firebase',
+    DRIVE: 'https://www.googleapis.com/auth/drive',
+    DRIVE_READ_ONLY: 'https://www.googleapis.com/auth/drive.readonly',
+    GMAIL_SEND: 'https://www.googleapis.com/auth/gmail.send',
+    GMAIL_READ_ONLY: 'https://www.googleapis.com/auth/gmail.readonly',
+    CALENDAR: 'https://www.googleapis.com/auth/calendar',
+    CALENDAR_READ_ONLY: 'https://www.googleapis.com/auth/calendar.readonly',
+    SHEETS: 'https://www.googleapis.com/auth/spreadsheets',
+    SHEETS_READ_ONLY: 'https://www.googleapis.com/auth/spreadsheets.readonly',
+    ADMIN_DIRECTORY_USER: 'https://www.googleapis.com/auth/admin.directory.user',
+    ADMIN_DIRECTORY_GROUP: 'https://www.googleapis.com/auth/admin.directory.group',
+};

package/dist/plugins/auth/index.d.ts

@@ -0,0 +1,15 @@
+export { basicAuth, basicAuthPlugin, type BasicAuthOptions, } from './basic.js';
+export { bearerAuth, bearerAuthPlugin, type BearerAuthOptions, } from './bearer.js';
+export { apiKeyAuth, apiKeyAuthPlugin, type ApiKeyAuthOptions, } from './api-key.js';
+export { digestAuth, digestAuthPlugin, type DigestAuthOptions, } from './digest.js';
+export { oauth2, oauth2Plugin, type OAuth2Options, } from './oauth2.js';
+export { awsSignatureV4, awsSignatureV4Plugin, type AWSSignatureV4Options, } from './aws-sigv4.js';
+export { oidc, oidcPlugin, generatePKCE, generateAuthorizationUrl, fetchDiscoveryDocument, exchangeCode, refreshTokens, clientCredentialsFlow, type OIDCOptions, type OIDCTokens, type OIDCDiscoveryDocument, } from './oidc.js';
+export { auth0, auth0Plugin, generateAuth0AuthUrl, exchangeAuth0Code, getAuth0UserInfo, type Auth0Options, } from './auth0.js';
+export { cognito, cognitoPlugin, getCognitoIdentityCredentials, getCognitoHostedUIUrl, type CognitoOptions, type CognitoTokens, type CognitoAWSCredentials, } from './cognito.js';
+export { okta, oktaPlugin, generateOktaAuthUrl, exchangeOktaCode, getOktaUserInfo, introspectOktaToken, revokeOktaToken, type OktaOptions, } from './okta.js';
+export { azureAD, azureADPlugin, entraId, entraIdPlugin, generateAzureADAuthUrl, exchangeAzureADCode, azureADOnBehalfOf, getAzureADUserInfo, type AzureADOptions, } from './azure-ad.js';
+export { firebase, firebasePlugin, createFirebaseCustomToken, verifyFirebaseIdToken, type FirebaseAuthOptions, type FirebaseServiceAccount, type FirebaseTokens, } from './firebase.js';
+export { googleServiceAccount, googleServiceAccountPlugin, getGoogleIdToken, GoogleScopes, type GoogleServiceAccountOptions, type GoogleServiceAccountCredentials, } from './google-service-account.js';
+export { githubApp, githubAppPlugin, createGitHubAppJWT, listGitHubAppInstallations, getGitHubAppInstallationForRepo, getGitHubAppInfo, type GitHubAppOptions, type GitHubInstallationToken, } from './github-app.js';
+export { mtls, mtlsPlugin, createMTLSAgent, parseCertificateInfo, isCertificateValid, verifyCertificateFingerprint, type MTLSOptions, type MTLSCertificateInfo, } from './mtls.js';

package/dist/plugins/auth/index.js

@@ -0,0 +1,15 @@
+export { basicAuth, basicAuthPlugin, } from './basic.js';
+export { bearerAuth, bearerAuthPlugin, } from './bearer.js';
+export { apiKeyAuth, apiKeyAuthPlugin, } from './api-key.js';
+export { digestAuth, digestAuthPlugin, } from './digest.js';
+export { oauth2, oauth2Plugin, } from './oauth2.js';
+export { awsSignatureV4, awsSignatureV4Plugin, } from './aws-sigv4.js';
+export { oidc, oidcPlugin, generatePKCE, generateAuthorizationUrl, fetchDiscoveryDocument, exchangeCode, refreshTokens, clientCredentialsFlow, } from './oidc.js';
+export { auth0, auth0Plugin, generateAuth0AuthUrl, exchangeAuth0Code, getAuth0UserInfo, } from './auth0.js';
+export { cognito, cognitoPlugin, getCognitoIdentityCredentials, getCognitoHostedUIUrl, } from './cognito.js';
+export { okta, oktaPlugin, generateOktaAuthUrl, exchangeOktaCode, getOktaUserInfo, introspectOktaToken, revokeOktaToken, } from './okta.js';
+export { azureAD, azureADPlugin, entraId, entraIdPlugin, generateAzureADAuthUrl, exchangeAzureADCode, azureADOnBehalfOf, getAzureADUserInfo, } from './azure-ad.js';
+export { firebase, firebasePlugin, createFirebaseCustomToken, verifyFirebaseIdToken, } from './firebase.js';
+export { googleServiceAccount, googleServiceAccountPlugin, getGoogleIdToken, GoogleScopes, } from './google-service-account.js';
+export { githubApp, githubAppPlugin, createGitHubAppJWT, listGitHubAppInstallations, getGitHubAppInstallationForRepo, getGitHubAppInfo, } from './github-app.js';
+export { mtls, mtlsPlugin, createMTLSAgent, parseCertificateInfo, isCertificateValid, verifyCertificateFingerprint, } from './mtls.js';

package/dist/plugins/auth/mtls.d.ts

@@ -0,0 +1,37 @@
+import { Middleware, Plugin } from '../../types/index.js';
+import type { Dispatcher } from 'undici';
+export interface MTLSOptions {
+    cert: string | Buffer;
+    key: string | Buffer;
+    ca?: string | Buffer | Array<string | Buffer>;
+    passphrase?: string;
+    certPath?: string;
+    keyPath?: string;
+    caPath?: string;
+    rejectUnauthorized?: boolean;
+    pfx?: string | Buffer;
+    pfxPassphrase?: string;
+    servername?: string;
+    minVersion?: 'TLSv1.2' | 'TLSv1.3';
+    maxVersion?: 'TLSv1.2' | 'TLSv1.3';
+    ciphers?: string;
+    ALPNProtocols?: string[];
+}
+export interface MTLSCertificateInfo {
+    subject: Record<string, string>;
+    issuer: Record<string, string>;
+    validFrom: Date;
+    validTo: Date;
+    fingerprint: string;
+    serialNumber: string;
+}
+export declare function parseCertificateInfo(cert: string | Buffer): MTLSCertificateInfo | null;
+export declare function isCertificateValid(cert: string | Buffer, bufferDays?: number): {
+    valid: boolean;
+    expiresAt?: Date;
+    error?: string;
+};
+export declare function mtls(options: MTLSOptions): Middleware;
+export declare function mtlsPlugin(options: MTLSOptions): Plugin;
+export declare function createMTLSAgent(options: MTLSOptions): Promise<Dispatcher>;
+export declare function verifyCertificateFingerprint(cert: string | Buffer, expectedFingerprint: string): boolean;

package/dist/plugins/auth/mtls.js

@@ -0,0 +1,140 @@
+async function loadCertificateFile(path) {
+    const fs = await import('node:fs/promises');
+    return fs.readFile(path);
+}
+export function parseCertificateInfo(cert) {
+    try {
+        const crypto = require('node:crypto');
+        const x509 = new crypto.X509Certificate(cert);
+        return {
+            subject: parseX509Name(x509.subject),
+            issuer: parseX509Name(x509.issuer),
+            validFrom: new Date(x509.validFrom),
+            validTo: new Date(x509.validTo),
+            fingerprint: x509.fingerprint256,
+            serialNumber: x509.serialNumber,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+function parseX509Name(name) {
+    const result = {};
+    const parts = name.split('\n');
+    for (const part of parts) {
+        const [key, value] = part.split('=');
+        if (key && value) {
+            result[key.trim()] = value.trim();
+        }
+    }
+    return result;
+}
+export function isCertificateValid(cert, bufferDays = 30) {
+    const info = parseCertificateInfo(cert);
+    if (!info) {
+        return { valid: false, error: 'Failed to parse certificate' };
+    }
+    const now = new Date();
+    const bufferMs = bufferDays * 24 * 60 * 60 * 1000;
+    if (now < info.validFrom) {
+        return { valid: false, expiresAt: info.validTo, error: 'Certificate not yet valid' };
+    }
+    if (now > info.validTo) {
+        return { valid: false, expiresAt: info.validTo, error: 'Certificate expired' };
+    }
+    if (now.getTime() + bufferMs > info.validTo.getTime()) {
+        return { valid: true, expiresAt: info.validTo, error: `Certificate expires soon (${info.validTo.toISOString()})` };
+    }
+    return { valid: true, expiresAt: info.validTo };
+}
+async function createTLSOptions(options) {
+    const tlsOptions = {};
+    if (options.certPath) {
+        tlsOptions.cert = await loadCertificateFile(options.certPath);
+    }
+    else if (options.cert) {
+        tlsOptions.cert = options.cert;
+    }
+    if (options.keyPath) {
+        tlsOptions.key = await loadCertificateFile(options.keyPath);
+    }
+    else if (options.key) {
+        tlsOptions.key = options.key;
+    }
+    if (options.caPath) {
+        tlsOptions.ca = await loadCertificateFile(options.caPath);
+    }
+    else if (options.ca) {
+        tlsOptions.ca = options.ca;
+    }
+    if (options.passphrase) {
+        tlsOptions.passphrase = options.passphrase;
+    }
+    if (options.pfx) {
+        tlsOptions.pfx = options.pfx;
+        if (options.pfxPassphrase) {
+            tlsOptions.passphrase = options.pfxPassphrase;
+        }
+    }
+    if (options.rejectUnauthorized !== undefined) {
+        tlsOptions.rejectUnauthorized = options.rejectUnauthorized;
+    }
+    if (options.servername) {
+        tlsOptions.servername = options.servername;
+    }
+    if (options.minVersion) {
+        tlsOptions.minVersion = options.minVersion;
+    }
+    if (options.maxVersion) {
+        tlsOptions.maxVersion = options.maxVersion;
+    }
+    if (options.ciphers) {
+        tlsOptions.ciphers = options.ciphers;
+    }
+    if (options.ALPNProtocols) {
+        tlsOptions.ALPNProtocols = options.ALPNProtocols;
+    }
+    return tlsOptions;
+}
+export function mtls(options) {
+    let validated = false;
+    return async (req, next) => {
+        if (!validated) {
+            if (options.cert || options.certPath) {
+                const cert = options.cert || (options.certPath ? await loadCertificateFile(options.certPath) : null);
+                if (cert) {
+                    const validation = isCertificateValid(cert);
+                    if (!validation.valid) {
+                        throw new Error(`mTLS certificate error: ${validation.error}`);
+                    }
+                }
+            }
+            validated = true;
+        }
+        return next(req);
+    };
+}
+export function mtlsPlugin(options) {
+    return (client) => {
+        client.use(mtls(options));
+    };
+}
+export async function createMTLSAgent(options) {
+    const { Agent } = await import('undici');
+    const tlsOptions = await createTLSOptions(options);
+    return new Agent({
+        connect: {
+            ...tlsOptions,
+        },
+    });
+}
+export function verifyCertificateFingerprint(cert, expectedFingerprint) {
+    const info = parseCertificateInfo(cert);
+    if (!info) {
+        return false;
+    }
+    const normalizedExpected = expectedFingerprint.replace(/:/g, '').toLowerCase();
+    const normalizedActual = info.fingerprint.replace(/:/g, '').toLowerCase();
+    return normalizedExpected === normalizedActual;
+}

package/dist/plugins/auth/oauth2.d.ts

@@ -0,0 +1,8 @@
+import { Middleware, Plugin } from '../../types/index.js';
+export interface OAuth2Options {
+    accessToken: string | (() => string | Promise<string>);
+    tokenType?: string;
+    onTokenExpired?: () => Promise<string>;
+}
+export declare function oauth2(options: OAuth2Options): Middleware;
+export declare function oauth2Plugin(options: OAuth2Options): Plugin;

package/dist/plugins/auth/oauth2.js

@@ -0,0 +1,26 @@
+export function oauth2(options) {
+    const tokenType = options.tokenType ?? 'Bearer';
+    return async (req, next) => {
+        const token = typeof options.accessToken === 'function'
+            ? await options.accessToken()
+            : options.accessToken;
+        const authReq = req.withHeader('Authorization', `${tokenType} ${token}`);
+        const response = await next(authReq);
+        if (response.status === 401 && options.onTokenExpired) {
+            try {
+                const newToken = await options.onTokenExpired();
+                const retryReq = req.withHeader('Authorization', `${tokenType} ${newToken}`);
+                return next(retryReq);
+            }
+            catch {
+                return response;
+            }
+        }
+        return response;
+    };
+}
+export function oauth2Plugin(options) {
+    return (client) => {
+        client.use(oauth2(options));
+    };
+}

package/dist/plugins/auth/oidc.d.ts

@@ -0,0 +1,55 @@
+import { Middleware, Plugin } from '../../types/index.js';
+export interface OIDCOptions {
+    issuer: string;
+    clientId: string;
+    clientSecret?: string;
+    redirectUri?: string;
+    scopes?: string[];
+    accessToken?: string | (() => string | Promise<string>);
+    refreshToken?: string;
+    tokenStorage?: {
+        get: () => Promise<OIDCTokens | null>;
+        set: (tokens: OIDCTokens) => Promise<void>;
+    };
+    audience?: string;
+    fetch?: typeof fetch;
+}
+export interface OIDCTokens {
+    accessToken: string;
+    refreshToken?: string;
+    idToken?: string;
+    expiresAt?: number;
+    tokenType?: string;
+}
+export interface OIDCDiscoveryDocument {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    userinfo_endpoint?: string;
+    jwks_uri: string;
+    revocation_endpoint?: string;
+    introspection_endpoint?: string;
+    end_session_endpoint?: string;
+    scopes_supported?: string[];
+    response_types_supported: string[];
+    grant_types_supported?: string[];
+    token_endpoint_auth_methods_supported?: string[];
+}
+declare function fetchDiscoveryDocument(issuer: string, customFetch?: typeof fetch): Promise<OIDCDiscoveryDocument>;
+declare function exchangeCode(discovery: OIDCDiscoveryDocument, options: OIDCOptions, code: string, codeVerifier?: string, customFetch?: typeof fetch): Promise<OIDCTokens>;
+declare function refreshTokens(discovery: OIDCDiscoveryDocument, options: OIDCOptions, refreshToken: string, customFetch?: typeof fetch): Promise<OIDCTokens>;
+declare function clientCredentialsFlow(discovery: OIDCDiscoveryDocument, options: OIDCOptions, customFetch?: typeof fetch): Promise<OIDCTokens>;
+export declare function generatePKCE(): {
+    codeVerifier: string;
+    codeChallenge: string;
+};
+export declare function generateAuthorizationUrl(options: OIDCOptions & {
+    state?: string;
+    nonce?: string;
+    pkce?: {
+        codeChallenge: string;
+    };
+}): Promise<string>;
+export declare function oidc(options: OIDCOptions): Middleware;
+export declare function oidcPlugin(options: OIDCOptions): Plugin;
+export { fetchDiscoveryDocument, exchangeCode, refreshTokens, clientCredentialsFlow };