sst 3.0.1-8 → 3.0.1

package/dist/auth/handler.d.ts

@@ -0,0 +1,57 @@
+/// <reference types="node" resolution-mode="require"/>
+import { Adapter } from "./adapter/adapter.js";
+import { JWTPayload } from "jose";
+import { SessionBuilder } from "./session.js";
+import { Hono } from "hono/tiny";
+export interface OnSuccessResponder<T extends {
+    type: any;
+    properties: any;
+}> {
+    session(input: T & JWTPayload): Promise<Response>;
+}
+export declare class UnknownProviderError extends Error {
+    provider?: string | undefined;
+    constructor(provider?: string | undefined);
+}
+export declare class MissingParameterError extends Error {
+    parameter: string;
+    constructor(parameter: string);
+}
+export declare class UnknownStateError extends Error {
+    constructor();
+}
+export declare class UnauthorizedClientError extends Error {
+    client: string;
+    redirect_uri: string;
+    constructor(client: string, redirect_uri: string);
+}
+export declare class InvalidSessionError extends Error {
+    constructor();
+}
+export type Prettify<T> = {
+    [K in keyof T]: T[K];
+} & {};
+export declare const aws: <E extends import("hono").Env = import("hono").Env, S extends import("hono").Schema = {}, BasePath extends string = "/">(app: import("hono").Hono<E, S, BasePath>) => (event: import("hono/aws-lambda").LambdaEvent, lambdaContext?: import("hono/aws-lambda").LambdaContext | undefined) => Promise<import("hono/aws-lambda").APIGatewayProxyResult>;
+export declare function AuthHandler<Providers extends Record<string, Adapter<any>>, Sessions extends SessionBuilder = SessionBuilder, Result = {
+    [key in keyof Providers]: Prettify<{
+        provider: key;
+    } & (Providers[key] extends Adapter<infer T> ? T : {})>;
+}[keyof Providers]>(input: {
+    session?: Sessions;
+    providers: Providers;
+    callbacks: {
+        index?(req: Request): Promise<Response>;
+        error?(error: UnknownStateError, req: Request): Promise<Response | undefined>;
+        auth: {
+            error?(error: MissingParameterError | UnauthorizedClientError | UnknownProviderError, req: Request): Promise<Response>;
+            start?(event: Request): Promise<void>;
+            allowClient(clientID: string, redirect: string, req: Request): Promise<boolean>;
+            success(response: OnSuccessResponder<Sessions["$typeValues"]>, input: Result, req: Request): Promise<Response>;
+        };
+        connect?: {
+            error?(error: InvalidSessionError | UnknownProviderError, req: Request): Promise<Response | undefined>;
+            start?(session: Sessions["$typeValues"], req: Request): Promise<void>;
+            success?(session: Sessions["$typeValues"], input: {}): Promise<Response>;
+        };
+    };
+}): Hono<import("hono").Env, import("hono/types").BlankSchema, "/">;

package/dist/auth/handler.js

@@ -0,0 +1,207 @@
+import { SignJWT, importPKCS8, importSPKI, jwtVerify } from "jose";
+import { Hono } from "hono/tiny";
+import { handle as awsHandle } from "hono/aws-lambda";
+import { deleteCookie, getCookie, setCookie } from "hono/cookie";
+export class UnknownProviderError extends Error {
+    provider;
+    constructor(provider) {
+        super("Unknown provider: " + provider);
+        this.provider = provider;
+    }
+}
+export class MissingParameterError extends Error {
+    parameter;
+    constructor(parameter) {
+        super("Missing parameter: " + parameter);
+        this.parameter = parameter;
+    }
+}
+export class UnknownStateError extends Error {
+    constructor() {
+        super("The browser was in an unknown state. This could be because certain cookies expired or the browser was switched in the middle of an authentication flow");
+    }
+}
+export class UnauthorizedClientError extends Error {
+    client;
+    redirect_uri;
+    constructor(client, redirect_uri) {
+        super("Unauthorized client");
+        this.client = client;
+        this.redirect_uri = redirect_uri;
+    }
+}
+export class InvalidSessionError extends Error {
+    constructor() {
+        super("Invalid session");
+    }
+}
+import process from "node:process";
+import { Resource } from "../resource.js";
+export const aws = awsHandle;
+export function AuthHandler(input) {
+    const app = new Hono();
+    if (!input.callbacks.auth.error) {
+        input.callbacks.auth.error = async (err) => {
+            return new Response(err.message, {
+                status: 400,
+                headers: {
+                    "Content-Type": "text/plain",
+                },
+            });
+        };
+    }
+    const options = {
+        signing: {
+            privateKey: () => importPKCS8(
+            // @ts-expect-error
+            process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RS512"),
+            publicKey: () => importSPKI(
+            // @ts-expect-error
+            process.env.AUTH_PUBLIC_KEY || Resource.AUTH_PUBLIC_KEY, "RS512"),
+        },
+        encryption: {
+            privateKey: () => importPKCS8(
+            // @ts-expect-error
+            process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RSA-OAEP-512"),
+            publicKey: () => importSPKI(
+            // @ts-expect-error
+            process.env.AUTH_PUBLIC_KEY || Resource.AUTH_PUBLIC_KEY, "RSA-OAEP-512"),
+        },
+        algorithm: "RS512",
+        async success(ctx, properties) {
+            const redirect_uri = getCookie(ctx, "redirect_uri");
+            const response_type = getCookie(ctx, "response_type");
+            if (!redirect_uri) {
+                return options.forward(ctx, await input.callbacks.auth.error(new UnknownStateError(), ctx.req.raw));
+            }
+            return await input.callbacks.auth.success({
+                async session(session) {
+                    const token = await new SignJWT(session)
+                        .setProtectedHeader({ alg: "RS512" })
+                        .setExpirationTime("1yr")
+                        .sign(await options.signing.privateKey());
+                    deleteCookie(ctx, "provider");
+                    deleteCookie(ctx, "response_type");
+                    deleteCookie(ctx, "redirect_uri");
+                    deleteCookie(ctx, "state");
+                    const client_id = getCookie(ctx, "client_id");
+                    const state = getCookie(ctx, "state");
+                    if (response_type === "token") {
+                        const location = new URL(redirect_uri);
+                        location.hash = `access_token=${token}&state=${state || ""}`;
+                        return ctx.redirect(location.toString(), 302);
+                    }
+                    if (response_type === "code") {
+                        // This allows the code to be reused within a 30 second window
+                        // The code should be single use but we're making this tradeoff to remain stateless
+                        // In the future can store this in a dynamo table to ensure single use
+                        const code = await new SignJWT({
+                            client_id,
+                            redirect_uri,
+                            token,
+                        })
+                            .setProtectedHeader({ alg: "RS512" })
+                            .setExpirationTime("30s")
+                            .sign(await options.signing.privateKey());
+                        const location = new URL(redirect_uri);
+                        location.searchParams.set("code", code);
+                        location.searchParams.set("state", state || "");
+                        return ctx.redirect(location.toString(), 302);
+                    }
+                    ctx.status(400);
+                    return ctx.text(`Unsupported response_type: ${response_type}`);
+                },
+            }, {
+                provider: ctx.get("provider"),
+                ...properties,
+            }, ctx.req.raw);
+        },
+        forward(ctx, response) {
+            return ctx.newResponse(response.body, response.status, Object.fromEntries(response.headers.entries()));
+        },
+        cookie(c, key, value, maxAge) {
+            setCookie(c, key, value, {
+                maxAge,
+                httpOnly: true,
+                ...(c.req.url.startsWith("https://")
+                    ? { secure: true, sameSite: "None" }
+                    : {}),
+            });
+        },
+    };
+    app.post("/token", async (c) => {
+        console.log("token request");
+        const form = await c.req.formData();
+        if (form.get("grant_type") !== "authorization_code") {
+            c.status(400);
+            return c.text("Invalid grant_type");
+        }
+        const code = form.get("code");
+        if (!code) {
+            c.status(400);
+            return c.text("Missing code");
+        }
+        const { payload } = await jwtVerify(code, await options.signing.publicKey());
+        if (payload.redirect_uri !== form.get("redirect_uri")) {
+            c.status(400);
+            return c.text("redirect_uri mismatch");
+        }
+        if (payload.client_id !== form.get("client_id")) {
+            c.status(400);
+            return c.text("client_id mismatch");
+        }
+        return c.json({
+            access_token: payload.token,
+        });
+    });
+    app.use("/:provider/authorize", async (c, next) => {
+        const provider = c.req.param("provider");
+        console.log("authorize request for", provider);
+        const response_type = c.req.query("response_type") || getCookie(c, "response_type");
+        const redirect_uri = c.req.query("redirect_uri") || getCookie(c, "redirect_uri");
+        const state = c.req.query("state") || getCookie(c, "state");
+        const client_id = c.req.query("client_id") || getCookie(c, "client_id");
+        if (!provider) {
+            c.status(400);
+            return c.text("Missing provider");
+        }
+        if (!redirect_uri) {
+            c.status(400);
+            return c.text("Missing redirect_uri");
+        }
+        if (!response_type) {
+            c.status(400);
+            return c.text("Missing response_type");
+        }
+        if (!client_id) {
+            c.status(400);
+            return c.text("Missing client_id");
+        }
+        options.cookie(c, "provider", provider, 60 * 10);
+        options.cookie(c, "response_type", response_type, 60 * 10);
+        options.cookie(c, "redirect_uri", redirect_uri, 60 * 10);
+        options.cookie(c, "state", state || "", 60 * 10);
+        options.cookie(c, "client_id", client_id || "", 60 * 10);
+        if (input.callbacks.auth.start) {
+            await input.callbacks.auth.start(c.req.raw);
+        }
+        await next();
+    });
+    for (const [name, value] of Object.entries(input.providers)) {
+        const route = new Hono();
+        route.use(async (c, next) => {
+            c.set("provider", name);
+            await next();
+        });
+        value(route, {
+            name,
+            ...options,
+        });
+        app.route(`/${name}`, route);
+    }
+    app.all("/*", async (c) => {
+        return c.notFound();
+    });
+    console.log(app.routes);
+    return app;
+}

package/dist/auth/index.d.ts

@@ -0,0 +1,10 @@
+export * from "./session.js";
+export * from "./handler.js";
+export { Issuer } from "openid-client";
+import { AuthHandler } from "./handler.js";
+import { createSessionBuilder } from "./session.js";
+export declare namespace auth {
+    type Issuer = import("openid-client").Issuer;
+    const authorizer: typeof AuthHandler;
+    const sessions: typeof createSessionBuilder;
+}

package/dist/auth/index.js

@@ -0,0 +1,10 @@
+export * from "./session.js";
+export * from "./handler.js";
+export { Issuer } from "openid-client";
+import { AuthHandler } from "./handler.js";
+import { createSessionBuilder } from "./session.js";
+export var auth;
+(function (auth) {
+    auth.authorizer = AuthHandler;
+    auth.sessions = createSessionBuilder;
+})(auth || (auth = {}));

package/dist/auth/session.d.ts

@@ -0,0 +1,25 @@
+export type SessionBuilder = ReturnType<typeof createSessionBuilder>;
+export declare function createSessionBuilder<SessionTypes extends Record<string, any> = {}>(): {
+    verify(token: string): Promise<{ [type in keyof SessionTypes]: {
+        type: type;
+        properties: SessionTypes[type];
+    }; }[keyof SessionTypes] | {
+        type: "public";
+        properties: {};
+    }>;
+    create(session: { [type in keyof SessionTypes]: {
+        type: type;
+        properties: SessionTypes[type];
+    }; }[keyof SessionTypes] | {
+        type: "public";
+        properties: {};
+    }): Promise<string>;
+    $type: SessionTypes;
+    $typeValues: { [type in keyof SessionTypes]: {
+        type: type;
+        properties: SessionTypes[type];
+    }; }[keyof SessionTypes] | {
+        type: "public";
+        properties: {};
+    };
+};

package/dist/auth/session.js

@@ -0,0 +1,28 @@
+import { SignJWT, importPKCS8, importSPKI, jwtVerify } from "jose";
+import { Resource } from "../resource.js";
+import process from "node:process";
+export function createSessionBuilder() {
+    return {
+        async verify(token) {
+            const auth = Object.values(Resource).find((value) => value.publicKey);
+            if (!auth) {
+                throw new Error("No auth resource found. Make sure to link the auth resource to this function.");
+            }
+            const publicKey = auth.publicKey;
+            const result = await jwtVerify(token, await importSPKI(publicKey, "RS512"));
+            return result.payload;
+        },
+        async create(session) {
+            const privateKey = await importPKCS8(
+            // @ts-expect-error
+            process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RS512");
+            const token = await new SignJWT(session)
+                .setProtectedHeader({ alg: "RS512" })
+                .setExpirationTime("1yr")
+                .sign(privateKey);
+            return token;
+        },
+        $type: {},
+        $typeValues: {},
+    };
+}

package/dist/aws/auth.d.ts

@@ -0,0 +1,9 @@
+import { Handler } from "aws-lambda";
+import { Adapter } from "../auth/adapter/adapter.js";
+import { AuthHandler } from "../auth/handler.js";
+import { SessionBuilder, createSessionBuilder } from "../auth/session.js";
+export declare namespace auth {
+    type Issuer = import("openid-client").Issuer;
+    function authorizer<Providers extends Record<string, Adapter<any>>, Sessions extends SessionBuilder>(...args: Parameters<typeof AuthHandler<Providers, Sessions>>): Handler<any, any>;
+    const sessions: typeof createSessionBuilder;
+}

package/dist/aws/auth.js

@@ -0,0 +1,12 @@
+import { AuthHandler } from "../auth/handler.js";
+import { createSessionBuilder } from "../auth/session.js";
+import { handle, streamHandle } from "hono/aws-lambda";
+export var auth;
+(function (auth) {
+    function authorizer(...args) {
+        const hono = AuthHandler(...args);
+        return (process.env.SST_LIVE ? handle(hono) : streamHandle(hono));
+    }
+    auth.authorizer = authorizer;
+    auth.sessions = createSessionBuilder;
+})(auth || (auth = {}));

package/dist/aws/bus.d.ts

@@ -0,0 +1,29 @@
+/// <reference types="node" resolution-mode="require"/>
+import { AwsOptions } from "../aws/client.js";
+import { Resource } from "../resource.js";
+import { event } from "../event/index.js";
+import { EventBridgeEvent, EventBridgeHandler } from "aws-lambda";
+export declare namespace bus {
+    type Name = Extract<typeof Resource, {
+        type: "sst.aws.Bus";
+    }>["name"];
+    function subscriber<Events extends event.Definition>(_events: Events | Events[], cb: (input: {
+        [K in Events["type"]]: Extract<Events, {
+            type: K;
+        }>["$payload"];
+    }[Events["type"]], raw: EventBridgeEvent<string, any>) => Promise<void>): EventBridgeHandler<string, any, void>;
+    /** @deprecated
+     * use bus.subscriber instead
+     * */
+    const handler: typeof subscriber;
+    function publish<Definition extends event.Definition = any>(name: string | {
+        name: string;
+    }, def: Definition | string, properties: Definition["$input"], options?: {
+        metadata?: Definition["$metadata"];
+        aws?: AwsOptions;
+    }): Promise<any>;
+    class PublishError extends Error {
+        readonly response: Response;
+        constructor(response: Response);
+    }
+}

package/dist/aws/bus.js

@@ -0,0 +1,69 @@
+import { client } from "../aws/client.js";
+import { Resource } from "../resource.js";
+export var bus;
+(function (bus) {
+    function url(region, options) {
+        if (options?.region)
+            region = options.region;
+        return `https://events.${region}.amazonaws.com/`;
+    }
+    function subscriber(_events, cb) {
+        return async function (event) {
+            const payload = {
+                type: event["detail-type"],
+                properties: event.detail.properties,
+                metadata: event.detail.metadata,
+            };
+            return cb(payload, event);
+        };
+    }
+    bus.subscriber = subscriber;
+    /** @deprecated
+     * use bus.subscriber instead
+     * */
+    bus.handler = subscriber;
+    async function publish(name, def, properties, options) {
+        const c = await client();
+        const u = url(c.region, options?.aws);
+        const evt = typeof def === "string"
+            ? {
+                type: def,
+                properties,
+                metadata: options?.metadata || {},
+            }
+            : await def.create(properties, options?.metadata);
+        const res = await c.fetch(u, {
+            method: "POST",
+            aws: options?.aws,
+            headers: {
+                "X-Amz-Target": "AWSEvents.PutEvents",
+                "Content-Type": "application/x-amz-json-1.1",
+            },
+            body: JSON.stringify({
+                Entries: [
+                    {
+                        Source: [Resource.App.name, Resource.App.stage].join("."),
+                        DetailType: evt.type,
+                        Detail: JSON.stringify({
+                            metadata: evt.metadata,
+                            properties: evt.properties,
+                        }),
+                        EventBusName: typeof name === "string" ? name : name.name,
+                    },
+                ],
+            }),
+        });
+        if (!res.ok)
+            throw new PublishError(res);
+        return res.json();
+    }
+    bus.publish = publish;
+    class PublishError extends Error {
+        response;
+        constructor(response) {
+            super("Failed to publish event to bus");
+            this.response = response;
+        }
+    }
+    bus.PublishError = PublishError;
+})(bus || (bus = {}));

package/dist/aws/client.d.ts

@@ -0,0 +1,3 @@
+import { AwsClient } from "aws4fetch";
+export declare function client(): Promise<AwsClient>;
+export type AwsOptions = Exclude<Parameters<AwsClient["fetch"]>[1], null | undefined>["aws"];

package/dist/aws/client.js

@@ -0,0 +1,36 @@
+import { AwsClient } from "aws4fetch";
+let cachedCredentials = null;
+async function getCredentials(url) {
+    if (cachedCredentials) {
+        const currentTime = new Date();
+        const fiveMinutesFromNow = new Date(currentTime.getTime() + 5 * 60000);
+        const expirationTime = new Date(cachedCredentials.Expiration);
+        if (expirationTime > fiveMinutesFromNow) {
+            return cachedCredentials;
+        }
+    }
+    const credentials = (await fetch(url).then((res) => res.json()));
+    cachedCredentials = credentials;
+    return credentials;
+}
+export async function client() {
+    if (process.env.AWS_ACCESS_KEY_ID && process.env.AWS_SECRET_ACCESS_KEY) {
+        return new AwsClient({
+            accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+            secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
+            sessionToken: process.env.AWS_SESSION_TOKEN,
+            region: process.env.AWS_REGION,
+        });
+    }
+    if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
+        const credentials = await getCredentials("http://169.254.170.2" +
+            process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI);
+        return new AwsClient({
+            accessKeyId: credentials.AccessKeyId,
+            secretAccessKey: credentials.SecretAccessKey,
+            sessionToken: credentials.Token,
+            region: process.env.AWS_REGION,
+        });
+    }
+    throw new Error("No AWS credentials found");
+}

package/dist/aws/realtime.d.ts

@@ -0,0 +1,84 @@
+import { Context, IoTCustomAuthorizerEvent } from "aws-lambda";
+/**
+ * The `realtime` client SDK is available through the following.
+ *
+ * @example
+ * ```js title="src/authorizer.ts"
+ * import { realtime } from "sst/aws/realtime";
+ * ```
+ */
+export declare namespace realtime {
+    interface AuthResult {
+        /**
+         * The topics the client can subscribe to.
+         * @example
+         * For example, this subscribes to two specific topics.
+         * ```js
+         * {
+         *   subscribe: ["chat/room1", "chat/room2"]
+         * }
+         * ```
+         *
+         * And to subscribe to all topics under a given prefix.
+         * ```js
+         * {
+         *   subscribe: ["chat/*"]
+         * }
+         * ```
+         */
+        subscribe?: string[];
+        /**
+         * The topics the client can publish to.
+         * @example
+         * For example, this publishes to two specific topics.
+         * ```js
+         * {
+         *   publish: ["chat/room1", "chat/room2"]
+         * }
+         * ```
+         * And to publish to all topics under a given prefix.
+         * ```js
+         * {
+         *   publish: ["chat/*"]
+         * }
+         * ```
+         */
+        publish?: string[];
+    }
+    /**
+     * Creates an authorization handler for the `Realtime` component. It validates
+     * the token and grants permissions for the topics the client can subscribe and publish to.
+     *
+     * @example
+     * ```js title="src/authorizer.ts" "realtime.authorizer"
+     * export const handler = realtime.authorizer(async (token) => {
+     *   // Validate the token
+     *   console.log(token);
+     *
+     *   // Return the topics to subscribe and publish
+     *   return {
+     *     subscribe: ["*"],
+     *     publish: ["*"],
+     *   };
+     * });
+     * ```
+     */
+    function authorizer(input: (token: string) => Promise<AuthResult>): (evt: IoTCustomAuthorizerEvent, context: Context) => Promise<{
+        isAuthenticated: boolean;
+        principalId: string;
+        disconnectAfterInSeconds: number;
+        refreshAfterInSeconds: number;
+        policyDocuments: {
+            Version: string;
+            Statement: ({
+                Action: string;
+                Effect: string;
+                Resource: string;
+            } | {
+                Action: string;
+                Effect: string;
+                Resource: string[];
+            })[];
+        }[];
+    }>;
+}

package/dist/aws/realtime.js

@@ -0,0 +1,82 @@
+/**
+ * The `realtime` client SDK is available through the following.
+ *
+ * @example
+ * ```js title="src/authorizer.ts"
+ * import { realtime } from "sst/aws/realtime";
+ * ```
+ */
+export var realtime;
+(function (realtime) {
+    /**
+     * Creates an authorization handler for the `Realtime` component. It validates
+     * the token and grants permissions for the topics the client can subscribe and publish to.
+     *
+     * @example
+     * ```js title="src/authorizer.ts" "realtime.authorizer"
+     * export const handler = realtime.authorizer(async (token) => {
+     *   // Validate the token
+     *   console.log(token);
+     *
+     *   // Return the topics to subscribe and publish
+     *   return {
+     *     subscribe: ["*"],
+     *     publish: ["*"],
+     *   };
+     * });
+     * ```
+     */
+    function authorizer(input) {
+        return async (evt, context) => {
+            const [, , , region, accountId] = context.invokedFunctionArn.split(":");
+            const token = Buffer.from(evt.protocolData.mqtt?.password ?? "", "base64").toString();
+            const ret = await input(token);
+            return {
+                isAuthenticated: true,
+                principalId: Date.now().toString(),
+                disconnectAfterInSeconds: 86400,
+                refreshAfterInSeconds: 300,
+                policyDocuments: [
+                    {
+                        Version: "2012-10-17",
+                        Statement: [
+                            {
+                                Action: "iot:Connect",
+                                Effect: "Allow",
+                                Resource: "*",
+                            },
+                            ...(ret.subscribe
+                                ? [
+                                    {
+                                        Action: "iot:Receive",
+                                        Effect: "Allow",
+                                        Resource: ret.subscribe.map((t) => `arn:aws:iot:${region}:${accountId}:topic/${t}`),
+                                    },
+                                ]
+                                : []),
+                            ...(ret.subscribe
+                                ? [
+                                    {
+                                        Action: "iot:Subscribe",
+                                        Effect: "Allow",
+                                        Resource: ret.subscribe.map((t) => `arn:aws:iot:${region}:${accountId}:topicfilter/${t}`),
+                                    },
+                                ]
+                                : []),
+                            ...(ret.publish
+                                ? [
+                                    {
+                                        Action: "iot:Publish",
+                                        Effect: "Allow",
+                                        Resource: ret.publish.map((t) => `arn:aws:iot:${region}:${accountId}:topic/${t}`),
+                                    },
+                                ]
+                                : []),
+                        ],
+                    },
+                ],
+            };
+        };
+    }
+    realtime.authorizer = authorizer;
+})(realtime || (realtime = {}));