sst 3.0.13 → 3.0.15

package/dist/auth/adapter/oauth.js

@@ -8,7 +8,7 @@ export const OauthAdapter =
 (config) => {
     return async function (routes, ctx) {
         function getClient(c) {
-            const callback = c.req.url.replace(/authorize$/, "callback");
+            const callback = c.req.url.replace(/authorize\/.*$/, "callback");
             return [
                 callback,
                 new config.issuer.Client({

package/dist/auth/adapter/oidc.js

@@ -3,7 +3,7 @@ import { getCookie } from "hono/cookie";
 export const OidcAdapter = /* @__PURE__ */ (config) => {
     return async function (routes, ctx) {
         routes.get("/authorize", async (c) => {
-            const callback = c.req.url.replace(/authorize$/, "callback");
+            const callback = c.req.url.replace(/authorize\/.*$/, "callback");
             const client = new config.issuer.Client({
                 client_id: config.clientID,
                 redirect_uris: [callback],
@@ -23,7 +23,7 @@ export const OidcAdapter = /* @__PURE__ */ (config) => {
             return c.redirect(url);
         });
         routes.post("/callback", async (c) => {
-            const callback = c.req.url.replace(/authorize$/, "callback");
+            const callback = c.req.url.replace(/authorize\/.*$/, "callback");
             const client = new config.issuer.Client({
                 client_id: config.clientID,
                 redirect_uris: [callback],

package/dist/auth/handler.js

@@ -52,12 +52,20 @@ export function AuthHandler(input) {
     }
     const options = {
         signing: {
-            privateKey: () => importPKCS8(process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RS512"),
-            publicKey: () => importSPKI(process.env.AUTH_PUBLIC_KEY || Resource.AUTH_PUBLIC_KEY, "RS512"),
+            privateKey: () => importPKCS8(
+            // @ts-expect-error
+            process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RS512"),
+            publicKey: () => importSPKI(
+            // @ts-expect-error
+            process.env.AUTH_PUBLIC_KEY || Resource.AUTH_PUBLIC_KEY, "RS512"),
         },
         encryption: {
-            privateKey: () => importPKCS8(process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RSA-OAEP-512"),
-            publicKey: () => importSPKI(process.env.AUTH_PUBLIC_KEY || Resource.AUTH_PUBLIC_KEY, "RSA-OAEP-512"),
+            privateKey: () => importPKCS8(
+            // @ts-expect-error
+            process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RSA-OAEP-512"),
+            publicKey: () => importSPKI(
+            // @ts-expect-error
+            process.env.AUTH_PUBLIC_KEY || Resource.AUTH_PUBLIC_KEY, "RSA-OAEP-512"),
         },
         algorithm: "RS512",
         async success(ctx, properties) {
@@ -121,7 +129,7 @@ export function AuthHandler(input) {
             });
         },
     };
-    app.get("/token", async (c) => {
+    app.post("/token", async (c) => {
         console.log("token request");
         const form = await c.req.formData();
         if (form.get("grant_type") !== "authorization_code") {
@@ -152,6 +160,7 @@ export function AuthHandler(input) {
         const response_type = c.req.query("response_type") || getCookie(c, "response_type");
         const redirect_uri = c.req.query("redirect_uri") || getCookie(c, "redirect_uri");
         const state = c.req.query("state") || getCookie(c, "state");
+        const client_id = c.req.query("client_id") || getCookie(c, "client_id");
         if (!provider) {
             c.status(400);
             return c.text("Missing provider");
@@ -164,10 +173,15 @@ export function AuthHandler(input) {
             c.status(400);
             return c.text("Missing response_type");
         }
+        if (!client_id) {
+            c.status(400);
+            return c.text("Missing client_id");
+        }
         options.cookie(c, "provider", provider, 60 * 10);
         options.cookie(c, "response_type", response_type, 60 * 10);
         options.cookie(c, "redirect_uri", redirect_uri, 60 * 10);
         options.cookie(c, "state", state || "", 60 * 10);
+        options.cookie(c, "client_id", client_id || "", 60 * 10);
         if (input.callbacks.auth.start) {
             await input.callbacks.auth.start(c.req.raw);
         }

package/dist/auth/session.js

@@ -13,7 +13,9 @@ export function createSessionBuilder() {
             return result.payload;
         },
         async create(session) {
-            const privateKey = await importPKCS8(process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RS512");
+            const privateKey = await importPKCS8(
+            // @ts-expect-error
+            process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RS512");
             const token = await new SignJWT(session)
                 .setProtectedHeader({ alg: "RS512" })
                 .setExpirationTime("1yr")

package/dist/index.d.ts

@@ -1,2 +1,3 @@
+export * from "./realtime/index.js";
 export * from "./resource.js";
-export * from "./vector-client.js";
+export * from "./vector/index.js";

package/dist/index.js

@@ -1,2 +1,3 @@
+export * from "./realtime/index.js";
 export * from "./resource.js";
-export * from "./vector-client.js";
+export * from "./vector/index.js";

package/dist/realtime/index.d.ts

@@ -0,0 +1,59 @@
+import type { IoTCustomAuthorizerHandler } from "aws-lambda";
+export interface RealtimeAuthResult {
+    /**
+     * The topics the client can subscribe to.
+     * @example
+     * For example, this subscribes to specific topics.
+     * ```js
+     * {
+     *   subscribe: ["chat/room1", "chat/room2"]
+     * }
+     * ```
+     *
+     * And to subscribe to all topics under a specific prefix.
+     * ```js
+     * {
+     *   subscribe: ["chat/#"]
+     * }
+     * ```
+     */
+    subscribe?: string[];
+    /**
+     * The topics the client can publish to.
+     * @example
+     * For example, this publishes to specific topics.
+     * ```js
+     * {
+     *   publish: ["chat/room1", "chat/room2"]
+     * }
+     * ```
+     * And to publish to all topics under a specific prefix.
+     * ```js
+     * {
+     *   publish: ["chat/#"]
+     * }
+     * ```
+     */
+    publish?: string[];
+}
+/**
+ * Creates an authorization handler for the `Realtime` component, that validates
+ * the token and grants permissions for the topics the client can subscribe and publish to.
+ *
+ * @example
+ * ```js
+ * import { RealtimeAuthHandler, Resource } from "sst";
+ *
+ * export const handler = RealtimeAuthHandler(async (token) => {
+ *   // Validate the token
+ *   console.log(token);
+ *
+ *   // Return the topics to subscribe and publish
+ *   return {
+ *     subscribe: [`${Resource.App.name}/${Resource.App.stage}/chat/room1`],
+ *     publish: [`${Resource.App.name}/${Resource.App.stage}/chat/room1`],
+ *   };
+ * });
+ * ```
+ */
+export declare function RealtimeAuthHandler(input: (token: string) => Promise<RealtimeAuthResult>): IoTCustomAuthorizerHandler;

package/dist/realtime/index.js

@@ -0,0 +1,72 @@
+/**
+ * Creates an authorization handler for the `Realtime` component, that validates
+ * the token and grants permissions for the topics the client can subscribe and publish to.
+ *
+ * @example
+ * ```js
+ * import { RealtimeAuthHandler, Resource } from "sst";
+ *
+ * export const handler = RealtimeAuthHandler(async (token) => {
+ *   // Validate the token
+ *   console.log(token);
+ *
+ *   // Return the topics to subscribe and publish
+ *   return {
+ *     subscribe: [`${Resource.App.name}/${Resource.App.stage}/chat/room1`],
+ *     publish: [`${Resource.App.name}/${Resource.App.stage}/chat/room1`],
+ *   };
+ * });
+ * ```
+ */
+export function RealtimeAuthHandler(input) {
+    return async (evt, context) => {
+        const [, , , region, accountId] = context.invokedFunctionArn.split(":");
+        const token = Buffer.from(evt.protocolData.mqtt?.password ?? "", "base64").toString();
+        const ret = await input(token);
+        return {
+            isAuthenticated: true,
+            principalId: Date.now().toString(),
+            disconnectAfterInSeconds: 86400,
+            refreshAfterInSeconds: 300,
+            policyDocuments: [
+                {
+                    Version: "2012-10-17",
+                    Statement: [
+                        {
+                            Action: "iot:Connect",
+                            Effect: "Allow",
+                            Resource: "*",
+                        },
+                        ...(ret.subscribe
+                            ? [
+                                {
+                                    Action: "iot:Receive",
+                                    Effect: "Allow",
+                                    Resource: ret.subscribe.map((t) => `arn:aws:iot:${region}:${accountId}:topic/${t}`),
+                                },
+                            ]
+                            : []),
+                        ...(ret.subscribe
+                            ? [
+                                {
+                                    Action: "iot:Subscribe",
+                                    Effect: "Allow",
+                                    Resource: ret.subscribe.map((t) => `arn:aws:iot:${region}:${accountId}:topicfilter/${t}`),
+                                },
+                            ]
+                            : []),
+                        ...(ret.publish
+                            ? [
+                                {
+                                    Action: "iot:Publish",
+                                    Effect: "Allow",
+                                    Resource: ret.publish.map((t) => `arn:aws:iot:${region}:${accountId}:topic/${t}`),
+                                },
+                            ]
+                            : []),
+                    ],
+                },
+            ],
+        };
+    };
+}

package/dist/resource.d.ts

@@ -1,5 +1,8 @@
 export interface Resource {
-    [key: string]: any;
+    App: {
+        name: string;
+        stage: string;
+    };
 }
 export declare function fromCloudflareEnv(input: any): void;
 export declare function wrapCloudflareHandler(handler: any): any;

package/dist/resource.js

@@ -20,6 +20,14 @@ export function fromCloudflareEnv(input) {
     }
 }
 export function wrapCloudflareHandler(handler) {
+    if (typeof handler === "function" && handler.hasOwnProperty("prototype")) {
+        return class extends handler {
+            constructor(ctx, env) {
+                fromCloudflareEnv(env);
+                super(ctx, env);
+            }
+        };
+    }
     function wrap(fn) {
         return function (req, env, ...rest) {
             fromCloudflareEnv(env);

package/dist/vector/index.d.ts

@@ -0,0 +1,217 @@
+import { Resource } from "../resource.js";
+export interface IngestEvent {
+    /**
+     * The text used to generate the embedding vector.
+     * At least one of `text` or `image` must be provided.
+     * @example
+     * ```js
+     * {
+     *   text: "This is an example text.",
+     * }
+     * ```
+     */
+    text?: string;
+    /**
+     * The base64 representation of the image used to generate the embedding vector.
+     * At least one of `text` or `image` must be provided.
+     * @example
+     * ```js
+     * {
+     *   image: await fs.readFile("./file.jpg").toString("base64"),
+     * }
+     * ```
+     */
+    image?: string;
+    /**
+     * Metadata for the event in JSON format.
+     * This metadata will be used to filter when retrieving and removing embeddings.
+     * @example
+     * ```js
+     * {
+     *   metadata: {
+     *     type: "movie",
+     *     id: "movie-123",
+     *     name: "Spiderman",
+     *   }
+     * }
+     * ```
+     */
+    metadata: Record<string, any>;
+}
+export interface RetrieveEvent {
+    /**
+     * The text prompt used to retrieve embeddings.
+     * At least one of `text` or `image` must be provided.
+     * @example
+     * ```js
+     * {
+     *   text: "This is an example text.",
+     * }
+     * ```
+     */
+    text?: string;
+    /**
+     * The base64 representation of the image prompt used to retrive embeddings.
+     * At least one of `text` or `image` must be provided.
+     * @example
+     * ```js
+     * {
+     *   image: await fs.readFile("./file.jpg").toString("base64"),
+     * }
+     * ```
+     */
+    image?: string;
+    /**
+     * The metadata used to filter the retrieval of embeddings.
+     * Only embeddings with metadata that match the provided fields will be returned.
+     * @example
+     * ```js
+     * {
+     *   include: {
+     *     type: "movie",
+     *     release: "2001",
+     *   }
+     * }
+     * ```
+     * This will match the embedding with metadata:
+     * ```js
+     *  {
+     *    type: "movie",
+     *    name: "Spiderman",
+     *    release: "2001",
+     *  }
+     * ```
+     *
+     * But not the embedding with metadata:
+     * ```js
+     *  {
+     *    type: "book",
+     *    name: "Spiderman",
+     *    release: "2001",
+     *  }
+     * ```
+     */
+    include: Record<string, any>;
+    /**
+     * Exclude embeddings with metadata that match the provided fields.
+     * @example
+     * ```js
+     * {
+     *   include: {
+     *     type: "movie",
+     *     release: "2001",
+     *   },
+     *   exclude: {
+     *     name: "Spiderman",
+     *   }
+     * }
+     * ```
+     * This will match the embedding with metadata:
+     * ```js
+     *  {
+     *    type: "movie",
+     *    name: "A Beautiful Mind",
+     *    release: "2001",
+     *  }
+     * ```
+     *
+     * But not the embedding with metadata:
+     * ```js
+     *  {
+     *    type: "book",
+     *    name: "Spiderman",
+     *    release: "2001",
+     *  }
+     * ```
+     */
+    exclude?: Record<string, any>;
+    /**
+     * The threshold of similarity between the prompt and the retrieved embeddings.
+     * Only embeddings with a similarity score higher than the threshold will be returned.
+     * Expected value is between 0 and 1.
+     * - 0 means the prompt and the retrieved embeddings are completely different.
+     * - 1 means the prompt and the retrieved embeddings are identical.
+     * @default `0`
+     * @example
+     * ```js
+     * {
+     *   threshold: 0.5,
+     * }
+     * ```
+     */
+    threshold?: number;
+    /**
+     * The number of results to return.
+     * @default `10`
+     * @example
+     * ```js
+     * {
+     *   count: 10,
+     * }
+     * ```
+     */
+    count?: number;
+}
+export interface RemoveEvent {
+    /**
+     * The metadata used to filter the removal of embeddings.
+     * Only embeddings with metadata that match the provided fields will be removed.
+     * @example
+     * To remove embeddings for movie with id "movie-123":
+     * ```js
+     * {
+     *   include: {
+     *     id: "movie-123",
+     *   }
+     * }
+     * ```
+     * To remove embeddings for all movies:
+     * ```js
+     *  {
+     *   include: {
+     *    type: "movie",
+     *   }
+     *  }
+     * ```
+     */
+    include: Record<string, any>;
+}
+export interface RetrieveResponse {
+    /**
+     * Metadata for the event in JSON format that was provided when ingesting the embedding.
+     */
+    metadata: Record<string, any>;
+    /**
+     * The similarity score between the prompt and the retrieved embedding.
+     */
+    score: number;
+}
+export interface VectorClientResponse {
+    ingest: (event: IngestEvent) => Promise<void>;
+    retrieve: (event: RetrieveEvent) => Promise<RetrieveResponse>;
+    remove: (event: RemoveEvent) => Promise<void>;
+}
+/**
+ * Create a client to interact with the Vector database.
+ * @example
+ * ```js
+ * import { VectorClient } from "sst";
+ * const client = VectorClient("MyVectorDB");
+ *
+ * // Ingest a text into the vector db
+ * await client.ingest({
+ *   text: "Lorem ipsum dolor sit amet, consectetur adipiscing elit.",
+ *   metadata: { type: "movie", genre: "comedy" },
+ * });
+ *
+ * // Retrieve embeddings similar to the provided text
+ * const result = await client.retrieve({
+ *   text: "Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.",
+ *   include: { type: "movie" },
+ *   exclude: { genre: "thriller" },
+ * });
+ * ```
+ */
+export declare function VectorClient<T extends keyof {
+    [key in keyof Resource as "sst.aws.Vector" extends Resource[key]["type"] ? string extends key ? never : key : never]: Resource[key];
+}>(name: T): VectorClientResponse;

package/dist/vector/index.js

@@ -0,0 +1,62 @@
+import { LambdaClient, InvokeCommand, } from "@aws-sdk/client-lambda";
+import { Resource } from "../resource.js";
+const lambda = new LambdaClient();
+/**
+ * Create a client to interact with the Vector database.
+ * @example
+ * ```js
+ * import { VectorClient } from "sst";
+ * const client = VectorClient("MyVectorDB");
+ *
+ * // Ingest a text into the vector db
+ * await client.ingest({
+ *   text: "Lorem ipsum dolor sit amet, consectetur adipiscing elit.",
+ *   metadata: { type: "movie", genre: "comedy" },
+ * });
+ *
+ * // Retrieve embeddings similar to the provided text
+ * const result = await client.retrieve({
+ *   text: "Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.",
+ *   include: { type: "movie" },
+ *   exclude: { genre: "thriller" },
+ * });
+ * ```
+ */
+export function VectorClient(name) {
+    return {
+        ingest: async (event) => {
+            const ret = await lambda.send(new InvokeCommand({
+                // @ts-expect-error
+                FunctionName: Resource[name].ingestor,
+                Payload: JSON.stringify(event),
+            }));
+            parsePayload(ret, "Failed to ingest into the vector db");
+        },
+        retrieve: async (event) => {
+            const ret = await lambda.send(new InvokeCommand({
+                // @ts-expect-error
+                FunctionName: Resource[name].retriever,
+                Payload: JSON.stringify(event),
+            }));
+            return parsePayload(ret, "Failed to retrieve from the vector db");
+        },
+        remove: async (event) => {
+            const ret = await lambda.send(new InvokeCommand({
+                // @ts-expect-error
+                FunctionName: Resource[name].remover,
+                Payload: JSON.stringify(event),
+            }));
+            parsePayload(ret, "Failed to remove from the vector db");
+        },
+    };
+}
+function parsePayload(output, message) {
+    const payload = JSON.parse(Buffer.from(output.Payload).toString());
+    // Set cause to the payload so that it can be logged in CloudWatch
+    if (output.FunctionError) {
+        const e = new Error(message);
+        e.cause = payload;
+        throw e;
+    }
+    return payload;
+}

package/dist/vector-client.js

@@ -5,6 +5,7 @@ export function VectorClient(name) {
     return {
         ingest: async (event) => {
             const ret = await lambda.send(new InvokeCommand({
+                // @ts-expect-error
                 FunctionName: Resource[name].ingestor,
                 Payload: JSON.stringify(event),
             }));
@@ -12,6 +13,7 @@ export function VectorClient(name) {
         },
         retrieve: async (event) => {
             const ret = await lambda.send(new InvokeCommand({
+                // @ts-expect-error
                 FunctionName: Resource[name].retriever,
                 Payload: JSON.stringify(event),
             }));
@@ -19,6 +21,7 @@ export function VectorClient(name) {
         },
         remove: async (event) => {
             const ret = await lambda.send(new InvokeCommand({
+                // @ts-expect-error
                 FunctionName: Resource[name].remover,
                 Payload: JSON.stringify(event),
             }));

package/package.json

@@ -3,7 +3,7 @@
   "name": "sst",
   "type": "module",
   "sideEffects": false,
-  "version": "3.0.13",
+  "version": "3.0.15",
   "main": "./dist/index.js",
   "exports": {
     ".": "./dist/index.js",