UNPKG

@wix/cli

Version:

CLI tool for building Wix sites and applications

741 lines (740 loc) 24.1 kB
import { createRequire as _createRequire } from 'node:module'; const require = _createRequire(import.meta.url); import { init_esm_shims } from "./chunk-EXLZF52D.js"; // ../../node_modules/@wix/zero-config-implementation/dist/index-BGHyk7CU.js init_esm_shims(); import { Buffer as F } from "node:buffer"; import * as K from "node:crypto"; import { KeyObject as v, createPublicKey as G, createPrivateKey as oe, constants as D, createSecretKey as L } from "node:crypto"; import * as B from "node:util"; import { promisify as k } from "node:util"; var P = new TextEncoder(); var I = new TextDecoder(); function ie(...e) { const t = e.reduce((o, { length: a }) => o + a, 0), r = new Uint8Array(t); let n = 0; for (const o of e) r.set(o, n), n += o.length; return r; } function ae(e) { let t = e; return t instanceof Uint8Array && (t = I.decode(t)), t; } var R = (e) => new Uint8Array(F.from(ae(e), "base64url")); var S = class extends Error { static code = "ERR_JOSE_GENERIC"; code = "ERR_JOSE_GENERIC"; constructor(t, r) { super(t, r), this.name = this.constructor.name, Error.captureStackTrace?.(this, this.constructor); } }; var h = class extends S { static code = "ERR_JWT_CLAIM_VALIDATION_FAILED"; code = "ERR_JWT_CLAIM_VALIDATION_FAILED"; claim; reason; payload; constructor(t, r, n = "unspecified", o = "unspecified") { super(t, { cause: { claim: n, reason: o, payload: r } }), this.claim = n, this.reason = o, this.payload = r; } }; var N = class extends S { static code = "ERR_JWT_EXPIRED"; code = "ERR_JWT_EXPIRED"; claim; reason; payload; constructor(t, r, n = "unspecified", o = "unspecified") { super(t, { cause: { claim: n, reason: o, payload: r } }), this.claim = n, this.reason = o, this.payload = r; } }; var se = class extends S { static code = "ERR_JOSE_ALG_NOT_ALLOWED"; code = "ERR_JOSE_ALG_NOT_ALLOWED"; }; var w = class extends S { static code = "ERR_JOSE_NOT_SUPPORTED"; code = "ERR_JOSE_NOT_SUPPORTED"; }; var c = class extends S { static code = "ERR_JWS_INVALID"; code = "ERR_JWS_INVALID"; }; var q = class extends S { static code = "ERR_JWT_INVALID"; code = "ERR_JWT_INVALID"; }; var ce = class extends S { static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED"; code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED"; constructor(t = "signature verification failed", r) { super(t, r); } }; var z = (e) => B.types.isKeyObject(e); var fe = K.webcrypto; var C = (e) => B.types.isCryptoKey(e); function l(e, t = "algorithm.name") { return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`); } function T(e, t) { return e.name === t; } function J(e) { return parseInt(e.name.slice(4), 10); } function de(e) { switch (e) { case "ES256": return "P-256"; case "ES384": return "P-384"; case "ES512": return "P-521"; default: throw new Error("unreachable"); } } function ue(e, t) { if (t.length && !t.some((r) => e.usages.includes(r))) { let r = "CryptoKey does not support this operation, its usages must include "; if (t.length > 2) { const n = t.pop(); r += `one of ${t.join(", ")}, or ${n}.`; } else t.length === 2 ? r += `one of ${t[0]} or ${t[1]}.` : r += `${t[0]}.`; throw new TypeError(r); } } function pe(e, t, ...r) { switch (t) { case "HS256": case "HS384": case "HS512": { if (!T(e.algorithm, "HMAC")) throw l("HMAC"); const n = parseInt(t.slice(2), 10); if (J(e.algorithm.hash) !== n) throw l(`SHA-${n}`, "algorithm.hash"); break; } case "RS256": case "RS384": case "RS512": { if (!T(e.algorithm, "RSASSA-PKCS1-v1_5")) throw l("RSASSA-PKCS1-v1_5"); const n = parseInt(t.slice(2), 10); if (J(e.algorithm.hash) !== n) throw l(`SHA-${n}`, "algorithm.hash"); break; } case "PS256": case "PS384": case "PS512": { if (!T(e.algorithm, "RSA-PSS")) throw l("RSA-PSS"); const n = parseInt(t.slice(2), 10); if (J(e.algorithm.hash) !== n) throw l(`SHA-${n}`, "algorithm.hash"); break; } case "EdDSA": { if (e.algorithm.name !== "Ed25519" && e.algorithm.name !== "Ed448") throw l("Ed25519 or Ed448"); break; } case "Ed25519": { if (!T(e.algorithm, "Ed25519")) throw l("Ed25519"); break; } case "ES256": case "ES384": case "ES512": { if (!T(e.algorithm, "ECDSA")) throw l("ECDSA"); const n = de(t); if (e.algorithm.namedCurve !== n) throw l(n, "algorithm.namedCurve"); break; } default: throw new TypeError("CryptoKey does not support this operation"); } ue(e, r); } function X(e, t, ...r) { if (r = r.filter(Boolean), r.length > 2) { const n = r.pop(); e += `one of type ${r.join(", ")}, or ${n}.`; } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`; return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && t.constructor?.name && (e += ` Received an instance of ${t.constructor.name}`), e; } var W = (e, ...t) => X("Key must be ", e, ...t); function Y(e, t, ...r) { return X(`Key for the ${e} algorithm must be `, t, ...r); } var Q = (e) => z(e) || C(e); var E = ["KeyObject"]; (globalThis.CryptoKey || fe?.CryptoKey) && E.push("CryptoKey"); var he = (...e) => { const t = e.filter(Boolean); if (t.length === 0 || t.length === 1) return true; let r; for (const n of t) { const o = Object.keys(n); if (!r || r.size === 0) { r = new Set(o); continue; } for (const a of o) { if (r.has(a)) return false; r.add(a); } } return true; }; function le(e) { return typeof e == "object" && e !== null; } function A(e) { if (!le(e) || Object.prototype.toString.call(e) !== "[object Object]") return false; if (Object.getPrototypeOf(e) === null) return true; let t = e; for (; Object.getPrototypeOf(t) !== null; ) t = Object.getPrototypeOf(t); return Object.getPrototypeOf(e) === t; } function g(e) { return A(e) && typeof e.kty == "string"; } function me(e) { return e.kty !== "oct" && typeof e.d == "string"; } function ye(e) { return e.kty !== "oct" && typeof e.d > "u"; } function we(e) { return g(e) && e.kty === "oct" && typeof e.k == "string"; } var Se = (e) => { switch (e) { case "prime256v1": return "P-256"; case "secp384r1": return "P-384"; case "secp521r1": return "P-521"; case "secp256k1": return "secp256k1"; default: throw new w("Unsupported key curve for this operation"); } }; var be = (e, t) => { let r; if (C(e)) r = v.from(e); else if (z(e)) r = e; else { if (g(e)) return e.crv; throw new TypeError(W(e, ...E)); } if (r.type === "secret") throw new TypeError('only "private" or "public" type keys can be used for this operation'); switch (r.asymmetricKeyType) { case "ed25519": case "ed448": return `Ed${r.asymmetricKeyType.slice(2)}`; case "x25519": case "x448": return `X${r.asymmetricKeyType.slice(1)}`; case "ec": { const n = r.asymmetricKeyDetails.namedCurve; return Se(n); } default: throw new TypeError("Invalid asymmetric key type for this operation"); } }; var H = (e, t) => { let r; try { e instanceof v ? r = e.asymmetricKeyDetails?.modulusLength : r = Buffer.from(e.n, "base64url").byteLength << 3; } catch { } if (typeof r != "number" || r < 2048) throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`); }; var Ee = (e) => G({ key: F.from(e.replace(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, ""), "base64"), type: "spki", format: "der" }); var ge = (e) => e.d ? oe({ format: "jwk", key: e }) : G({ format: "jwk", key: e }); async function Ge(e, t, r) { if (typeof e != "string" || e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0) throw new TypeError('"spki" must be SPKI formatted string'); return Ee(e); } async function Te(e, t) { if (!A(e)) throw new TypeError("JWK must be an object"); switch (t ||= e.alg, e.kty) { case "oct": if (typeof e.k != "string" || !e.k) throw new TypeError('missing "k" (Key Value) Parameter value'); return R(e.k); case "RSA": if ("oth" in e && e.oth !== void 0) throw new w('RSA JWK "oth" (Other Primes Info) Parameter value is not supported'); case "EC": case "OKP": return ge({ ...e, alg: t }); default: throw new w('Unsupported "kty" (Key Type) Parameter value'); } } var b = (e) => e?.[Symbol.toStringTag]; var O = (e, t, r) => { if (t.use !== void 0 && t.use !== "sig") throw new TypeError("Invalid key for this operation, when present its use must be sig"); if (t.key_ops !== void 0 && t.key_ops.includes?.(r) !== true) throw new TypeError(`Invalid key for this operation, when present its key_ops must include ${r}`); if (t.alg !== void 0 && t.alg !== e) throw new TypeError(`Invalid key for this operation, when present its alg must be ${e}`); return true; }; var ve = (e, t, r, n) => { if (!(t instanceof Uint8Array)) { if (n && g(t)) { if (we(t) && O(e, t, r)) return; throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present'); } if (!Q(t)) throw new TypeError(Y(e, t, ...E, "Uint8Array", n ? "JSON Web Key" : null)); if (t.type !== "secret") throw new TypeError(`${b(t)} instances for symmetric algorithms must be of type "secret"`); } }; var Ae = (e, t, r, n) => { if (n && g(t)) switch (r) { case "sign": if (me(t) && O(e, t, r)) return; throw new TypeError("JSON Web Key for this operation be a private JWK"); case "verify": if (ye(t) && O(e, t, r)) return; throw new TypeError("JSON Web Key for this operation be a public JWK"); } if (!Q(t)) throw new TypeError(Y(e, t, ...E, n ? "JSON Web Key" : null)); if (t.type === "secret") throw new TypeError(`${b(t)} instances for asymmetric algorithms must not be of type "secret"`); if (r === "sign" && t.type === "public") throw new TypeError(`${b(t)} instances for asymmetric algorithm signing must be of type "private"`); if (r === "decrypt" && t.type === "public") throw new TypeError(`${b(t)} instances for asymmetric algorithm decryption must be of type "private"`); if (t.algorithm && r === "verify" && t.type === "private") throw new TypeError(`${b(t)} instances for asymmetric algorithm verifying must be of type "public"`); if (t.algorithm && r === "encrypt" && t.type === "private") throw new TypeError(`${b(t)} instances for asymmetric algorithm encryption must be of type "public"`); }; function Z(e, t, r, n) { t.startsWith("HS") || t === "dir" || t.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(t) ? ve(t, r, n, e) : Ae(t, r, n, e); } Z.bind(void 0, false); var U = Z.bind(void 0, true); function Ke(e, t, r, n, o) { if (o.crit !== void 0 && n?.crit === void 0) throw new e('"crit" (Critical) Header Parameter MUST be integrity protected'); if (!n || n.crit === void 0) return /* @__PURE__ */ new Set(); if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((i) => typeof i != "string" || i.length === 0)) throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present'); let a; r !== void 0 ? a = new Map([...Object.entries(r), ...t.entries()]) : a = t; for (const i of n.crit) { if (!a.has(i)) throw new w(`Extension Header Parameter "${i}" is not recognized`); if (o[i] === void 0) throw new e(`Extension Header Parameter "${i}" is missing`); if (a.get(i) && n[i] === void 0) throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`); } return new Set(n.crit); } var Pe = (e, t) => { if (t !== void 0 && (!Array.isArray(t) || t.some((r) => typeof r != "string"))) throw new TypeError(`"${e}" option must be an array of strings`); if (t) return new Set(t); }; function j(e) { switch (e) { case "PS256": case "RS256": case "ES256": case "ES256K": return "sha256"; case "PS384": case "RS384": case "ES384": return "sha384"; case "PS512": case "RS512": case "ES512": return "sha512"; case "Ed25519": case "EdDSA": return; default: throw new w(`alg ${e} is not supported either by JOSE or your javascript runtime`); } } var Re = /* @__PURE__ */ new Map([ ["ES256", "P-256"], ["ES256K", "secp256k1"], ["ES384", "P-384"], ["ES512", "P-521"] ]); function ee(e, t) { let r, n, o; if (t instanceof v) r = t.asymmetricKeyType, n = t.asymmetricKeyDetails; else switch (o = true, t.kty) { case "RSA": r = "rsa"; break; case "EC": r = "ec"; break; case "OKP": { if (t.crv === "Ed25519") { r = "ed25519"; break; } if (t.crv === "Ed448") { r = "ed448"; break; } throw new TypeError("Invalid key for this operation, its crv must be Ed25519 or Ed448"); } default: throw new TypeError("Invalid key for this operation, its kty must be RSA, OKP, or EC"); } let a; switch (e) { case "Ed25519": if (r !== "ed25519") throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ed25519"); break; case "EdDSA": if (!["ed25519", "ed448"].includes(r)) throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ed25519 or ed448"); break; case "RS256": case "RS384": case "RS512": if (r !== "rsa") throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa"); H(t, e); break; case "PS256": case "PS384": case "PS512": if (r === "rsa-pss") { const { hashAlgorithm: i, mgf1HashAlgorithm: s, saltLength: f } = n, d = parseInt(e.slice(-3), 10); if (i !== void 0 && (i !== `sha${d}` || s !== i)) throw new TypeError(`Invalid key for this operation, its RSA-PSS parameters do not meet the requirements of "alg" ${e}`); if (f !== void 0 && f > d >> 3) throw new TypeError(`Invalid key for this operation, its RSA-PSS parameter saltLength does not meet the requirements of "alg" ${e}`); } else if (r !== "rsa") throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa or rsa-pss"); H(t, e), a = { padding: D.RSA_PKCS1_PSS_PADDING, saltLength: D.RSA_PSS_SALTLEN_DIGEST }; break; case "ES256": case "ES256K": case "ES384": case "ES512": { if (r !== "ec") throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ec"); const i = be(t), s = Re.get(e); if (i !== s) throw new TypeError(`Invalid key curve for the algorithm, its curve must be ${s}, got ${i}`); a = { dsaEncoding: "ieee-p1363" }; break; } default: throw new w(`alg ${e} is not supported either by JOSE or your javascript runtime`); } return o ? { format: "jwk", key: t, ...a } : a ? { ...a, key: t } : t; } function Ie(e) { switch (e) { case "HS256": return "sha256"; case "HS384": return "sha384"; case "HS512": return "sha512"; default: throw new w(`alg ${e} is not supported either by JOSE or your javascript runtime`); } } function te(e, t, r) { if (t instanceof Uint8Array) { if (!e.startsWith("HS")) throw new TypeError(W(t, ...E)); return L(t); } if (t instanceof v) return t; if (C(t)) return pe(t, e, r), v.from(t); if (g(t)) return e.startsWith("HS") ? L(Buffer.from(t.k, "base64url")) : t; throw new TypeError(W(t, ...E, "Uint8Array", "JSON Web Key")); } var _e = k(K.sign); var Je = async (e, t, r) => { const n = te(e, t, "sign"); if (e.startsWith("HS")) { const o = K.createHmac(Ie(e), n); return o.update(r), o.digest(); } return _e(j(e), r, ee(e, n)); }; var We = k(K.verify); var Oe = async (e, t, r, n) => { const o = te(e, t, "verify"); if (e.startsWith("HS")) { const s = await Je(e, o, n), f = r; try { return K.timingSafeEqual(f, s); } catch { return false; } } const a = j(e), i = ee(e, o); try { return await We(a, n, i, r); } catch { return false; } }; async function Ce(e, t, r) { if (!A(e)) throw new c("Flattened JWS must be an object"); if (e.protected === void 0 && e.header === void 0) throw new c('Flattened JWS must have either of the "protected" or "header" members'); if (e.protected !== void 0 && typeof e.protected != "string") throw new c("JWS Protected Header incorrect type"); if (e.payload === void 0) throw new c("JWS Payload missing"); if (typeof e.signature != "string") throw new c("JWS Signature missing or incorrect type"); if (e.header !== void 0 && !A(e.header)) throw new c("JWS Unprotected Header incorrect type"); let n = {}; if (e.protected) try { const _ = R(e.protected); n = JSON.parse(I.decode(_)); } catch { throw new c("JWS Protected Header is invalid"); } if (!he(n, e.header)) throw new c("JWS Protected and JWS Unprotected Header Parameter names must be disjoint"); const o = { ...n, ...e.header }, a = Ke(c, /* @__PURE__ */ new Map([["b64", true]]), r?.crit, n, o); let i = true; if (a.has("b64") && (i = n.b64, typeof i != "boolean")) throw new c('The "b64" (base64url-encode payload) Header Parameter must be a boolean'); const { alg: s } = o; if (typeof s != "string" || !s) throw new c('JWS "alg" (Algorithm) Header Parameter missing or invalid'); const f = r && Pe("algorithms", r.algorithms); if (f && !f.has(s)) throw new se('"alg" (Algorithm) Header Parameter value not allowed'); if (i) { if (typeof e.payload != "string") throw new c("JWS Payload must be a string"); } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array)) throw new c("JWS Payload must be a string or an Uint8Array instance"); let d = false; typeof t == "function" ? (t = await t(n, e), d = true, U(s, t, "verify"), g(t) && (t = await Te(t, s))) : U(s, t, "verify"); const y = ie(P.encode(e.protected ?? ""), P.encode("."), typeof e.payload == "string" ? P.encode(e.payload) : e.payload); let p; try { p = R(e.signature); } catch { throw new c("Failed to base64url decode the signature"); } if (!await Oe(s, t, p, y)) throw new ce(); let m; if (i) try { m = R(e.payload); } catch { throw new c("Failed to base64url decode the payload"); } else typeof e.payload == "string" ? m = P.encode(e.payload) : m = e.payload; const u = { payload: m }; return e.protected !== void 0 && (u.protectedHeader = n), e.header !== void 0 && (u.unprotectedHeader = e.header), d ? { ...u, key: t } : u; } async function $e(e, t, r) { if (e instanceof Uint8Array && (e = I.decode(e)), typeof e != "string") throw new c("Compact JWS must be a string or Uint8Array"); const { 0: n, 1: o, 2: a, length: i } = e.split("."); if (i !== 3) throw new c("Invalid Compact JWS"); const s = await Ce({ payload: o, protected: n, signature: a }, t, r), f = { payload: s.payload, protectedHeader: s.protectedHeader }; return typeof t == "function" ? { ...f, key: s.key } : f; } var xe = (e) => Math.floor(e.getTime() / 1e3); var re = 60; var ne = re * 60; var $ = ne * 24; var De = $ * 7; var Le = $ * 365.25; var Ne = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i; var M = (e) => { const t = Ne.exec(e); if (!t || t[4] && t[1]) throw new TypeError("Invalid time period format"); const r = parseFloat(t[2]), n = t[3].toLowerCase(); let o; switch (n) { case "sec": case "secs": case "second": case "seconds": case "s": o = Math.round(r); break; case "minute": case "minutes": case "min": case "mins": case "m": o = Math.round(r * re); break; case "hour": case "hours": case "hr": case "hrs": case "h": o = Math.round(r * ne); break; case "day": case "days": case "d": o = Math.round(r * $); break; case "week": case "weeks": case "w": o = Math.round(r * De); break; default: o = Math.round(r * Le); break; } return t[1] === "-" || t[4] === "ago" ? -o : o; }; var V = (e) => e.toLowerCase().replace(/^application\//, ""); var He = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : false; var Ue = (e, t, r = {}) => { let n; try { n = JSON.parse(I.decode(t)); } catch { } if (!A(n)) throw new q("JWT Claims Set must be a top-level JSON object"); const { typ: o } = r; if (o && (typeof e.typ != "string" || V(e.typ) !== V(o))) throw new h('unexpected "typ" JWT header value', n, "typ", "check_failed"); const { requiredClaims: a = [], issuer: i, subject: s, audience: f, maxTokenAge: d } = r, y = [...a]; d !== void 0 && y.push("iat"), f !== void 0 && y.push("aud"), s !== void 0 && y.push("sub"), i !== void 0 && y.push("iss"); for (const u of new Set(y.reverse())) if (!(u in n)) throw new h(`missing required "${u}" claim`, n, u, "missing"); if (i && !(Array.isArray(i) ? i : [i]).includes(n.iss)) throw new h('unexpected "iss" claim value', n, "iss", "check_failed"); if (s && n.sub !== s) throw new h('unexpected "sub" claim value', n, "sub", "check_failed"); if (f && !He(n.aud, typeof f == "string" ? [f] : f)) throw new h('unexpected "aud" claim value', n, "aud", "check_failed"); let p; switch (typeof r.clockTolerance) { case "string": p = M(r.clockTolerance); break; case "number": p = r.clockTolerance; break; case "undefined": p = 0; break; default: throw new TypeError("Invalid clockTolerance option type"); } const { currentDate: x } = r, m = xe(x || /* @__PURE__ */ new Date()); if ((n.iat !== void 0 || d) && typeof n.iat != "number") throw new h('"iat" claim must be a number', n, "iat", "invalid"); if (n.nbf !== void 0) { if (typeof n.nbf != "number") throw new h('"nbf" claim must be a number', n, "nbf", "invalid"); if (n.nbf > m + p) throw new h('"nbf" claim timestamp check failed', n, "nbf", "check_failed"); } if (n.exp !== void 0) { if (typeof n.exp != "number") throw new h('"exp" claim must be a number', n, "exp", "invalid"); if (n.exp <= m - p) throw new N('"exp" claim timestamp check failed', n, "exp", "check_failed"); } if (d) { const u = m - n.iat, _ = typeof d == "number" ? d : M(d); if (u - p > _) throw new N('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed"); if (u < 0 - p) throw new h('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed"); } return n; }; async function Be(e, t, r) { const n = await $e(e, t, r); if (n.protectedHeader.crit?.includes("b64") && n.protectedHeader.b64 === false) throw new q("JWTs MUST NOT use unencoded payload"); const a = { payload: Ue(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader }; return typeof t == "function" ? { ...a, key: n.key } : a; } export { $e as compactVerify, Ce as flattenedVerify, Te as importJWK, Ge as importSPKI, Be as jwtVerify }; //# sourceMappingURL=index-BGHyk7CU-AMXFKSVJ.js.map