sst 3.0.8 → 3.0.10

package/dist/auth/adapter/adapter.d.ts

@@ -7,12 +7,12 @@ export interface AdapterOptions<Properties> {
     name: string;
     algorithm: string;
     encryption: {
-        publicKey: Promise<KeyLike>;
-        privateKey: Promise<KeyLike>;
+        publicKey: () => Promise<KeyLike>;
+        privateKey: () => Promise<KeyLike>;
     };
     signing: {
-        publicKey: Promise<KeyLike>;
-        privateKey: Promise<KeyLike>;
+        publicKey: () => Promise<KeyLike>;
+        privateKey: () => Promise<KeyLike>;
     };
     success: (ctx: Context, properties: Properties) => Promise<Response>;
     forward: (ctx: Context, response: Response) => Response;

package/dist/auth/adapter/code.js

@@ -23,7 +23,7 @@ export function CodeAdapter(config) {
                 code,
             })))
                 .setProtectedHeader({ alg: "RSA-OAEP-512", enc: "A256GCM" })
-                .encrypt(await ctx.encryption.publicKey);
+                .encrypt(await ctx.encryption.publicKey());
             ctx.cookie(c, "authorization", authorization, 60 * 10);
             return ctx.forward(c, await config.onCodeRequest(code, claims, c.req.raw));
         });
@@ -31,7 +31,7 @@ export function CodeAdapter(config) {
             const authorization = getCookie(c, "authorization");
             if (!authorization)
                 throw new UnknownStateError();
-            const { code, claims } = JSON.parse(new TextDecoder().decode(await compactDecrypt(authorization, await ctx.encryption.privateKey).then((value) => value.plaintext)));
+            const { code, claims } = JSON.parse(new TextDecoder().decode(await compactDecrypt(authorization, await ctx.encryption.privateKey()).then((value) => value.plaintext)));
             if (!code || !claims) {
                 return ctx.forward(c, await config.onCodeInvalid(code, claims, c.req.raw));
             }

package/dist/auth/adapter/link.js

@@ -5,7 +5,7 @@ export function LinkAdapter(config) {
             const token = await new SignJWT(c.req.query())
                 .setProtectedHeader({ alg: ctx.algorithm })
                 .setExpirationTime("10m")
-                .sign(await ctx.signing.privateKey);
+                .sign(await ctx.signing.privateKey());
             const url = new URL(new URL(c.req.url).origin);
             url.pathname = `/${ctx.name}/callback`;
             for (const key of url.searchParams.keys()) {
@@ -19,7 +19,7 @@ export function LinkAdapter(config) {
             const token = c.req.query("token");
             if (!token)
                 throw new Error("Missing token parameter");
-            const verified = await jwtVerify(token, await ctx.signing.publicKey);
+            const verified = await jwtVerify(token, await ctx.signing.publicKey());
             const resp = await ctx.success(c, { claims: verified.payload });
             return resp;
         });

package/dist/auth/handler.js

@@ -50,12 +50,12 @@ export function AuthHandler(input) {
     }
     const options = {
         signing: {
-            privateKey: importPKCS8(process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RS512"),
-            publicKey: importSPKI(process.env.AUTH_PUBLIC_KEY || Resource.AUTH_PUBLIC_KEY, "RS512"),
+            privateKey: () => importPKCS8(process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RS512"),
+            publicKey: () => importSPKI(process.env.AUTH_PUBLIC_KEY || Resource.AUTH_PUBLIC_KEY, "RS512"),
         },
         encryption: {
-            privateKey: importPKCS8(process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RSA-OAEP-512"),
-            publicKey: importSPKI(process.env.AUTH_PUBLIC_KEY || Resource.AUTH_PUBLIC_KEY, "RSA-OAEP-512"),
+            privateKey: () => importPKCS8(process.env.AUTH_PRIVATE_KEY || Resource.AUTH_PRIVATE_KEY, "RSA-OAEP-512"),
+            publicKey: () => importSPKI(process.env.AUTH_PUBLIC_KEY || Resource.AUTH_PUBLIC_KEY, "RSA-OAEP-512"),
         },
         algorithm: "RS512",
         async success(ctx, properties) {
@@ -69,7 +69,7 @@ export function AuthHandler(input) {
                     const token = await new SignJWT(session)
                         .setProtectedHeader({ alg: "RS512" })
                         .setExpirationTime("1yr")
-                        .sign(await options.signing.privateKey);
+                        .sign(await options.signing.privateKey());
                     deleteCookie(ctx, "provider");
                     deleteCookie(ctx, "response_type");
                     deleteCookie(ctx, "redirect_uri");
@@ -92,7 +92,7 @@ export function AuthHandler(input) {
                         })
                             .setProtectedHeader({ alg: "RS512" })
                             .setExpirationTime("30s")
-                            .sign(await options.signing.privateKey);
+                            .sign(await options.signing.privateKey());
                         const location = new URL(redirect_uri);
                         location.searchParams.set("code", code);
                         location.searchParams.set("state", state || "");
@@ -131,7 +131,7 @@ export function AuthHandler(input) {
             c.status(400);
             return c.text("Missing code");
         }
-        const { payload } = await jwtVerify(code, await options.signing.publicKey);
+        const { payload } = await jwtVerify(code, await options.signing.publicKey());
         if (payload.redirect_uri !== form.get("redirect_uri")) {
             c.status(400);
             return c.text("redirect_uri mismatch");

package/dist/auth/session.js

@@ -1,5 +1,6 @@
 import { SignJWT, importPKCS8, importSPKI, jwtVerify } from "jose";
 import { Resource } from "../resource.js";
+import process from "node:process";
 export function createSessionBuilder() {
     return {
         async verify(token) {

package/package.json

@@ -3,7 +3,7 @@
   "name": "sst",
   "type": "module",
   "sideEffects": false,
-  "version": "3.0.8",
+  "version": "3.0.10",
   "main": "./dist/index.js",
   "exports": {
     ".": "./dist/index.js",