scorezilla 0.3.0-next.1 → 0.3.0-next.3

package/dist/server.cjs

@@ -624,13 +624,225 @@ function defaultUserAgent(version, runtime = detectRuntime()) {
   return `scorezilla-js/${version} (${runtime})`;
 }
 
+// src/verifiers.ts
+async function loadJose() {
+  try {
+    return await import('jose');
+  } catch (cause) {
+    throw new Error(
+      "scorezilla/server: the optional peer dependency 'jose' is required for verifyJwt() / verifySupabaseJwt(). Install it with `npm i jose` (or your package manager).",
+      { cause }
+    );
+  }
+}
+function extractBearerToken(req) {
+  const header = req.headers.get("authorization");
+  if (!header) return null;
+  const trimmed = header.trim();
+  if (!/^bearer\s+/i.test(trimmed)) return null;
+  return trimmed.replace(/^bearer\s+/i, "").trim() || null;
+}
+function verifyJwt(options) {
+  const claim = options.claim ?? "sub";
+  let keySet = null;
+  return async (req) => {
+    const token = extractBearerToken(req);
+    if (token === null) return null;
+    const jose = await loadJose();
+    if (keySet === null) {
+      keySet = jose.createRemoteJWKSet(
+        new URL(options.jwksUrl),
+        options.fetch ? { [jose.customFetch]: options.fetch } : void 0
+      );
+    }
+    try {
+      const { payload } = await jose.jwtVerify(token, keySet, {
+        ...options.issuer !== void 0 ? { issuer: options.issuer } : {},
+        ...options.audience !== void 0 ? { audience: options.audience } : {}
+      });
+      const id = payload[claim];
+      return typeof id === "string" && id.length > 0 ? { playerId: id } : null;
+    } catch {
+      return null;
+    }
+  };
+}
+function verifySupabaseJwt(options) {
+  const base = options.supabaseUrl.replace(/\/+$/, "");
+  return verifyJwt({
+    jwksUrl: `${base}/auth/v1/.well-known/jwks.json`,
+    issuer: `${base}/auth/v1`,
+    audience: "authenticated",
+    ...options.claim !== void 0 ? { claim: options.claim } : {},
+    ...options.fetch !== void 0 ? { fetch: options.fetch } : {}
+  });
+}
+function verifyClerkJwt(options) {
+  const issuer = options.issuer.replace(/\/+$/, "");
+  return verifyJwt({
+    jwksUrl: `${issuer}/.well-known/jwks.json`,
+    issuer,
+    ...options.audience !== void 0 ? { audience: options.audience } : {},
+    ...options.claim !== void 0 ? { claim: options.claim } : {},
+    ...options.fetch !== void 0 ? { fetch: options.fetch } : {}
+  });
+}
+function verifyAuth0Jwt(options) {
+  const host = options.domain.replace(/^https?:\/\//, "").replace(/\/+$/, "");
+  return verifyJwt({
+    jwksUrl: `https://${host}/.well-known/jwks.json`,
+    issuer: `https://${host}/`,
+    audience: options.audience,
+    ...options.claim !== void 0 ? { claim: options.claim } : {},
+    ...options.fetch !== void 0 ? { fetch: options.fetch } : {}
+  });
+}
+var FIREBASE_JWKS_URL = "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com";
+function verifyFirebaseIdToken(options) {
+  return verifyJwt({
+    jwksUrl: FIREBASE_JWKS_URL,
+    issuer: `https://securetoken.google.com/${options.projectId}`,
+    audience: options.projectId,
+    ...options.claim !== void 0 ? { claim: options.claim } : {},
+    ...options.fetch !== void 0 ? { fetch: options.fetch } : {}
+  });
+}
+
+// src/github-oauth.ts
+var GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token";
+var GITHUB_USER_URL = "https://api.github.com/user";
+var MESSAGE_SOURCE = "scorezilla:github-oauth";
+var USER_AGENT = "scorezilla-sdk-github-oauth";
+var STATE_RE = /^[A-Za-z0-9_-]{8,128}$/;
+var CODE_RE = /^[A-Za-z0-9_-]{1,128}$/;
+function createGitHubOAuthHandler(config) {
+  if (typeof config.clientId !== "string" || config.clientId.length === 0) {
+    throw new TypeError("createGitHubOAuthHandler: clientId is required.");
+  }
+  if (typeof config.clientSecret !== "string" || config.clientSecret.length === 0) {
+    throw new TypeError("createGitHubOAuthHandler: clientSecret is required.");
+  }
+  let allowedOrigin;
+  try {
+    const parsed = new URL(config.allowedOrigin);
+    allowedOrigin = parsed.origin;
+    if (allowedOrigin === "null") throw new Error("opaque origin");
+  } catch {
+    throw new TypeError(
+      "createGitHubOAuthHandler: allowedOrigin must be an absolute origin, e.g. 'https://mygame.example' (got " + JSON.stringify(config.allowedOrigin) + ")."
+    );
+  }
+  const fetchImpl = config.fetch ?? fetch;
+  return async (req) => {
+    if (req.method !== "GET") {
+      return new Response("method not allowed", { status: 405, headers: { allow: "GET" } });
+    }
+    const url = new URL(req.url);
+    const state = url.searchParams.get("state") ?? "";
+    const code = url.searchParams.get("code");
+    const ghError = url.searchParams.get("error");
+    if (!STATE_RE.test(state)) {
+      return new Response("invalid or missing state parameter", { status: 400 });
+    }
+    if (ghError !== null) {
+      return callbackPage(
+        { state, error: ghError === "access_denied" ? "access_denied" : "exchange_failed" },
+        allowedOrigin
+      );
+    }
+    if (code === null || !CODE_RE.test(code)) {
+      return new Response("invalid or missing code parameter", { status: 400 });
+    }
+    let accessToken;
+    try {
+      const tokenRes = await fetchImpl(GITHUB_TOKEN_URL, {
+        method: "POST",
+        headers: {
+          accept: "application/json",
+          "content-type": "application/x-www-form-urlencoded",
+          "user-agent": USER_AGENT
+        },
+        body: new URLSearchParams({
+          client_id: config.clientId,
+          client_secret: config.clientSecret,
+          code
+        }).toString()
+      });
+      const tokenBody = await tokenRes.json();
+      if (!tokenRes.ok || typeof tokenBody.access_token !== "string") {
+        return callbackPage({ state, error: "exchange_failed" }, allowedOrigin);
+      }
+      accessToken = tokenBody.access_token;
+    } catch {
+      return callbackPage({ state, error: "exchange_failed" }, allowedOrigin);
+    }
+    try {
+      const userRes = await fetchImpl(GITHUB_USER_URL, {
+        method: "GET",
+        headers: {
+          authorization: `Bearer ${accessToken}`,
+          accept: "application/vnd.github+json",
+          "user-agent": USER_AGENT
+        }
+      });
+      if (!userRes.ok) {
+        return callbackPage({ state, error: "exchange_failed" }, allowedOrigin);
+      }
+      const user = await userRes.json();
+      if (typeof user.id !== "number" || !Number.isSafeInteger(user.id)) {
+        return callbackPage({ state, error: "exchange_failed" }, allowedOrigin);
+      }
+      return callbackPage({ state, id: String(user.id) }, allowedOrigin);
+    } catch {
+      return callbackPage({ state, error: "exchange_failed" }, allowedOrigin);
+    }
+  };
+}
+function callbackPage(payload, allowedOrigin) {
+  const message = JSON.stringify({ source: MESSAGE_SOURCE, ...payload });
+  const target = JSON.stringify(allowedOrigin);
+  const html = `<!doctype html>
+<html>
+<head><meta charset="utf-8"><title>Signing in\u2026</title></head>
+<body>
+<script>
+(function () {
+  if (window.opener) {
+    window.opener.postMessage(${message}, ${target});
+    window.close();
+  } else {
+    document.body.textContent =
+      'Sign-in handled \u2014 you can close this window. (If this keeps appearing, ' +
+      'the game page may be setting Cross-Origin-Opener-Policy: same-origin, ' +
+      'which severs the popup link; use same-origin-allow-popups.)';
+  }
+})();
+</script>
+</body>
+</html>`;
+  return new Response(html, {
+    status: 200,
+    headers: {
+      "content-type": "text/html; charset=utf-8",
+      // One-shot page embedding a one-shot state — never cache it.
+      "cache-control": "no-store",
+      // The URL carried the OAuth `code`; nothing on this page may leak it.
+      "referrer-policy": "no-referrer",
+      // Defense in depth for the inline script: nothing else may load or
+      // run on this page even if a future regression reflected input here.
+      "content-security-policy": "default-src 'none'; script-src 'unsafe-inline'",
+      "x-content-type-options": "nosniff"
+    }
+  });
+}
+
 // src/server.ts
 var Scorezilla = class _Scorezilla {
   /** The package version, injected at build time from `package.json`.
    *  Mirrors the static on the public-key client so consumers can log
    *  the running SDK build the same way regardless of which surface
    *  they imported. */
-  static version = "0.3.0-next.1";
+  static version = "0.3.0-next.3";
   #keyId;
   #secret;
   #baseUrl;
@@ -772,8 +984,139 @@ function isRealBrowserEnvironment() {
   const hasNodeLikeHost = Boolean(g.process?.versions?.node) || typeof g.Deno !== "undefined" || typeof g.Bun !== "undefined";
   return !hasNodeLikeHost;
 }
+function createScoreSubmitHandler(config) {
+  const sz = new Scorezilla({
+    secretKey: config.secretKey,
+    ...config.baseUrl !== void 0 ? { baseUrl: config.baseUrl } : {},
+    ...config.fetch !== void 0 ? { fetch: config.fetch } : {},
+    ...config.maxRetries !== void 0 ? { maxRetries: config.maxRetries } : {},
+    ...config.timeoutMs !== void 0 ? { timeoutMs: config.timeoutMs } : {}
+  });
+  const parse = config.parseSubmission ?? defaultParseSubmission;
+  return async (req) => {
+    const cors = config.cors ? buildCorsHeaders(config.cors, req.headers.get("Origin")) : {};
+    if (req.method === "OPTIONS" && config.cors) {
+      return new Response(null, { status: 204, headers: cors });
+    }
+    if (req.method !== "POST") {
+      return jsonResponse({ ok: false, error: "method_not_allowed" }, 405, cors);
+    }
+    if (config.rateLimit) {
+      const decision = await config.rateLimit(req);
+      if (!decision.ok) {
+        const headers = { ...cors };
+        if (decision.retryAfterSeconds !== void 0) {
+          headers["Retry-After"] = String(decision.retryAfterSeconds);
+        }
+        return jsonResponse({ ok: false, error: "rate_limited" }, 429, headers);
+      }
+    }
+    let identity;
+    try {
+      identity = await config.verify(req);
+    } catch {
+      identity = null;
+    }
+    if (!identity || typeof identity.playerId !== "string" || identity.playerId.length === 0) {
+      return jsonResponse({ ok: false, error: "unauthorized" }, 401, cors);
+    }
+    let submission;
+    try {
+      submission = await parse(req);
+    } catch {
+      submission = null;
+    }
+    if (!submission || typeof submission.score !== "number" || !Number.isFinite(submission.score)) {
+      return jsonResponse(
+        { ok: false, error: "bad_request", message: "invalid score submission" },
+        400,
+        cors
+      );
+    }
+    const metadata = mergeMetadata(submission.metadata, identity.metadata);
+    try {
+      const result = await sz.submitScore({
+        boardId: config.boardId,
+        playerId: identity.playerId,
+        score: submission.score,
+        ...metadata !== void 0 ? { metadata } : {}
+      });
+      return jsonResponse(
+        {
+          ok: true,
+          rank: result.rank,
+          totalEntries: result.totalEntries,
+          isPersonalBest: result.isPersonalBest
+        },
+        200,
+        cors
+      );
+    } catch (err) {
+      return mapSubmitError(err, cors);
+    }
+  };
+}
+async function defaultParseSubmission(req) {
+  const raw = await req.json().catch(() => null);
+  if (!isPlainObject(raw)) return null;
+  const score = raw.score;
+  if (typeof score !== "number" || !Number.isFinite(score)) return null;
+  return { score, metadata: isPlainObject(raw.metadata) ? raw.metadata : void 0 };
+}
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function mergeMetadata(client, verified) {
+  if (!client && !verified) return void 0;
+  return { ...client ?? {}, ...verified ?? {} };
+}
+function jsonResponse(body, status, extra) {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "Content-Type": "application/json; charset=utf-8", ...extra }
+  });
+}
+function mapSubmitError(err, cors) {
+  if (err instanceof ScorezillaError) {
+    if (err.isRateLimited()) {
+      const headers = { ...cors };
+      if (err.retryAfter !== void 0) headers["Retry-After"] = String(err.retryAfter);
+      return jsonResponse({ ok: false, error: "rate_limited" }, 429, headers);
+    }
+    if (err.status >= 400 && err.status < 500) {
+      return jsonResponse({ ok: false, error: err.code, message: err.message }, err.status, cors);
+    }
+    return jsonResponse({ ok: false, error: "upstream_error" }, 502, cors);
+  }
+  return jsonResponse({ ok: false, error: "server_error" }, 500, cors);
+}
+function buildCorsHeaders(cors, origin) {
+  const headers = {
+    "Access-Control-Allow-Methods": (cors.methods ?? ["POST", "OPTIONS"]).join(", "),
+    "Access-Control-Allow-Headers": (cors.headers ?? ["content-type", "authorization"]).join(", "),
+    "Access-Control-Max-Age": String(cors.maxAgeSeconds ?? 600),
+    Vary: "Origin"
+  };
+  if (origin !== null && isCorsOriginAllowed(cors.origin, origin)) {
+    headers["Access-Control-Allow-Origin"] = origin;
+  }
+  return headers;
+}
+function isCorsOriginAllowed(rule, origin) {
+  if (typeof rule === "boolean") return rule;
+  if (typeof rule === "string") return rule === origin;
+  if (typeof rule === "function") return rule(origin);
+  return rule.includes(origin);
+}
 
 exports.Scorezilla = Scorezilla;
 exports.ScorezillaError = ScorezillaError;
+exports.createGitHubOAuthHandler = createGitHubOAuthHandler;
+exports.createScoreSubmitHandler = createScoreSubmitHandler;
+exports.verifyAuth0Jwt = verifyAuth0Jwt;
+exports.verifyClerkJwt = verifyClerkJwt;
+exports.verifyFirebaseIdToken = verifyFirebaseIdToken;
+exports.verifyJwt = verifyJwt;
+exports.verifySupabaseJwt = verifySupabaseJwt;
 //# sourceMappingURL=server.cjs.map
 //# sourceMappingURL=server.cjs.map