blade
Version:
React at the edge.
333 lines (324 loc) • 11.6 kB
JavaScript
import { o as getRecordIdentifier } from "../../dist-C7NzDGd9.js";
import "../../context-CKkJKjoo.js";
import "../../html-BHm7adlz.js";
import { n as decodeBase64Url, r as encodeBase64Url, t as decodeBase64 } from "../../encode-CtR4F3wv.js";
//#region ../../node_modules/hono/dist/utils/jwt/jwa.js
var AlgorithmTypes = /* @__PURE__ */ ((AlgorithmTypes2) => {
AlgorithmTypes2["HS256"] = "HS256";
AlgorithmTypes2["HS384"] = "HS384";
AlgorithmTypes2["HS512"] = "HS512";
AlgorithmTypes2["RS256"] = "RS256";
AlgorithmTypes2["RS384"] = "RS384";
AlgorithmTypes2["RS512"] = "RS512";
AlgorithmTypes2["PS256"] = "PS256";
AlgorithmTypes2["PS384"] = "PS384";
AlgorithmTypes2["PS512"] = "PS512";
AlgorithmTypes2["ES256"] = "ES256";
AlgorithmTypes2["ES384"] = "ES384";
AlgorithmTypes2["ES512"] = "ES512";
AlgorithmTypes2["EdDSA"] = "EdDSA";
return AlgorithmTypes2;
})(AlgorithmTypes || {});
//#endregion
//#region ../../node_modules/hono/dist/helper/adapter/index.js
var knownUserAgents = {
deno: "Deno",
bun: "Bun",
workerd: "Cloudflare-Workers",
node: "Node.js"
};
var getRuntimeKey = () => {
const global = globalThis;
if (typeof navigator !== "undefined" && typeof navigator.userAgent === "string") {
for (const [runtimeKey, userAgent] of Object.entries(knownUserAgents)) if (checkUserAgentEquals(userAgent)) return runtimeKey;
}
if (typeof global?.EdgeRuntime === "string") return "edge-light";
if (global?.fastly !== void 0) return "fastly";
if (global?.process?.release?.name === "node") return "node";
return "other";
};
var checkUserAgentEquals = (platform) => {
return navigator.userAgent.startsWith(platform);
};
//#endregion
//#region ../../node_modules/hono/dist/utils/jwt/types.js
var JwtAlgorithmNotImplemented = class extends Error {
constructor(alg) {
super(`${alg} is not an implemented algorithm`);
this.name = "JwtAlgorithmNotImplemented";
}
};
var JwtTokenInvalid = class extends Error {
constructor(token) {
super(`invalid JWT token: ${token}`);
this.name = "JwtTokenInvalid";
}
};
var JwtTokenNotBefore = class extends Error {
constructor(token) {
super(`token (${token}) is being used before it's valid`);
this.name = "JwtTokenNotBefore";
}
};
var JwtTokenExpired = class extends Error {
constructor(token) {
super(`token (${token}) expired`);
this.name = "JwtTokenExpired";
}
};
var JwtTokenIssuedAt = class extends Error {
constructor(currentTimestamp, iat) {
super(`Incorrect "iat" claim must be a older than "${currentTimestamp}" (iat: "${iat}")`);
this.name = "JwtTokenIssuedAt";
}
};
var JwtHeaderInvalid = class extends Error {
constructor(header) {
super(`jwt header is invalid: ${JSON.stringify(header)}`);
this.name = "JwtHeaderInvalid";
}
};
var JwtHeaderRequiresKid = class extends Error {
constructor(header) {
super(`required "kid" in jwt header: ${JSON.stringify(header)}`);
this.name = "JwtHeaderRequiresKid";
}
};
var JwtTokenSignatureMismatched = class extends Error {
constructor(token) {
super(`token(${token}) signature mismatched`);
this.name = "JwtTokenSignatureMismatched";
}
};
var CryptoKeyUsage = /* @__PURE__ */ ((CryptoKeyUsage2) => {
CryptoKeyUsage2["Encrypt"] = "encrypt";
CryptoKeyUsage2["Decrypt"] = "decrypt";
CryptoKeyUsage2["Sign"] = "sign";
CryptoKeyUsage2["Verify"] = "verify";
CryptoKeyUsage2["DeriveKey"] = "deriveKey";
CryptoKeyUsage2["DeriveBits"] = "deriveBits";
CryptoKeyUsage2["WrapKey"] = "wrapKey";
CryptoKeyUsage2["UnwrapKey"] = "unwrapKey";
return CryptoKeyUsage2;
})(CryptoKeyUsage || {});
//#endregion
//#region ../../node_modules/hono/dist/utils/jwt/utf8.js
var utf8Encoder = new TextEncoder();
var utf8Decoder = new TextDecoder();
//#endregion
//#region ../../node_modules/hono/dist/utils/jwt/jws.js
async function signing(privateKey, alg, data) {
const algorithm = getKeyAlgorithm(alg);
const cryptoKey = await importPrivateKey(privateKey, algorithm);
return await crypto.subtle.sign(algorithm, cryptoKey, data);
}
async function verifying(publicKey, alg, signature, data) {
const algorithm = getKeyAlgorithm(alg);
const cryptoKey = await importPublicKey(publicKey, algorithm);
return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
}
function pemToBinary(pem) {
return decodeBase64(pem.replace(/-+(BEGIN|END).*/g, "").replace(/\s/g, ""));
}
async function importPrivateKey(key, alg) {
if (!crypto.subtle || !crypto.subtle.importKey) throw new Error("`crypto.subtle.importKey` is undefined. JWT auth middleware requires it.");
if (isCryptoKey(key)) {
if (key.type !== "private" && key.type !== "secret") throw new Error(`unexpected key type: CryptoKey.type is ${key.type}, expected private or secret`);
return key;
}
const usages = [CryptoKeyUsage.Sign];
if (typeof key === "object") return await crypto.subtle.importKey("jwk", key, alg, false, usages);
if (key.includes("PRIVATE")) return await crypto.subtle.importKey("pkcs8", pemToBinary(key), alg, false, usages);
return await crypto.subtle.importKey("raw", utf8Encoder.encode(key), alg, false, usages);
}
async function importPublicKey(key, alg) {
if (!crypto.subtle || !crypto.subtle.importKey) throw new Error("`crypto.subtle.importKey` is undefined. JWT auth middleware requires it.");
if (isCryptoKey(key)) {
if (key.type === "public" || key.type === "secret") return key;
key = await exportPublicJwkFrom(key);
}
if (typeof key === "string" && key.includes("PRIVATE")) key = await exportPublicJwkFrom(await crypto.subtle.importKey("pkcs8", pemToBinary(key), alg, true, [CryptoKeyUsage.Sign]));
const usages = [CryptoKeyUsage.Verify];
if (typeof key === "object") return await crypto.subtle.importKey("jwk", key, alg, false, usages);
if (key.includes("PUBLIC")) return await crypto.subtle.importKey("spki", pemToBinary(key), alg, false, usages);
return await crypto.subtle.importKey("raw", utf8Encoder.encode(key), alg, false, usages);
}
async function exportPublicJwkFrom(privateKey) {
if (privateKey.type !== "private") throw new Error(`unexpected key type: ${privateKey.type}`);
if (!privateKey.extractable) throw new Error("unexpected private key is unextractable");
const jwk = await crypto.subtle.exportKey("jwk", privateKey);
const { kty } = jwk;
const { alg, e, n } = jwk;
const { crv, x, y } = jwk;
return {
kty,
alg,
e,
n,
crv,
x,
y,
key_ops: [CryptoKeyUsage.Verify]
};
}
function getKeyAlgorithm(name) {
switch (name) {
case "HS256": return {
name: "HMAC",
hash: { name: "SHA-256" }
};
case "HS384": return {
name: "HMAC",
hash: { name: "SHA-384" }
};
case "HS512": return {
name: "HMAC",
hash: { name: "SHA-512" }
};
case "RS256": return {
name: "RSASSA-PKCS1-v1_5",
hash: { name: "SHA-256" }
};
case "RS384": return {
name: "RSASSA-PKCS1-v1_5",
hash: { name: "SHA-384" }
};
case "RS512": return {
name: "RSASSA-PKCS1-v1_5",
hash: { name: "SHA-512" }
};
case "PS256": return {
name: "RSA-PSS",
hash: { name: "SHA-256" },
saltLength: 32
};
case "PS384": return {
name: "RSA-PSS",
hash: { name: "SHA-384" },
saltLength: 48
};
case "PS512": return {
name: "RSA-PSS",
hash: { name: "SHA-512" },
saltLength: 64
};
case "ES256": return {
name: "ECDSA",
hash: { name: "SHA-256" },
namedCurve: "P-256"
};
case "ES384": return {
name: "ECDSA",
hash: { name: "SHA-384" },
namedCurve: "P-384"
};
case "ES512": return {
name: "ECDSA",
hash: { name: "SHA-512" },
namedCurve: "P-521"
};
case "EdDSA": return {
name: "Ed25519",
namedCurve: "Ed25519"
};
default: throw new JwtAlgorithmNotImplemented(name);
}
}
function isCryptoKey(key) {
if (getRuntimeKey() === "node" && !!crypto.webcrypto) return key instanceof crypto.webcrypto.CryptoKey;
return key instanceof CryptoKey;
}
//#endregion
//#region ../../node_modules/hono/dist/utils/jwt/jwt.js
var encodeJwtPart = (part) => encodeBase64Url(utf8Encoder.encode(JSON.stringify(part)).buffer).replace(/=/g, "");
var encodeSignaturePart = (buf) => encodeBase64Url(buf).replace(/=/g, "");
var decodeJwtPart = (part) => JSON.parse(utf8Decoder.decode(decodeBase64Url(part)));
function isTokenHeader(obj) {
if (typeof obj === "object" && obj !== null) {
const objWithAlg = obj;
return "alg" in objWithAlg && Object.values(AlgorithmTypes).includes(objWithAlg.alg) && (!("typ" in objWithAlg) || objWithAlg.typ === "JWT");
}
return false;
}
var sign$1 = async (payload, privateKey, alg = "HS256") => {
const encodedPayload = encodeJwtPart(payload);
let encodedHeader;
if (typeof privateKey === "object" && "alg" in privateKey) {
alg = privateKey.alg;
encodedHeader = encodeJwtPart({
alg,
typ: "JWT",
kid: privateKey.kid
});
} else encodedHeader = encodeJwtPart({
alg,
typ: "JWT"
});
const partialToken = `${encodedHeader}.${encodedPayload}`;
return `${partialToken}.${encodeSignaturePart(await signing(privateKey, alg, utf8Encoder.encode(partialToken)))}`;
};
var verify$1 = async (token, publicKey, alg = "HS256") => {
const tokenParts = token.split(".");
if (tokenParts.length !== 3) throw new JwtTokenInvalid(token);
const { header, payload } = decode$1(token);
if (!isTokenHeader(header)) throw new JwtHeaderInvalid(header);
const now = Date.now() / 1e3 | 0;
if (payload.nbf && payload.nbf > now) throw new JwtTokenNotBefore(token);
if (payload.exp && payload.exp <= now) throw new JwtTokenExpired(token);
if (payload.iat && now < payload.iat) throw new JwtTokenIssuedAt(now, payload.iat);
const headerPayload = token.substring(0, token.lastIndexOf("."));
if (!await verifying(publicKey, alg, decodeBase64Url(tokenParts[2]), utf8Encoder.encode(headerPayload))) throw new JwtTokenSignatureMismatched(token);
return payload;
};
var verifyFromJwks = async (token, options, init) => {
const header = decodeHeader(token);
if (!isTokenHeader(header)) throw new JwtHeaderInvalid(header);
if (!header.kid) throw new JwtHeaderRequiresKid(header);
let keys = typeof options.keys === "function" ? await options.keys() : options.keys;
if (options.jwks_uri) {
const response = await fetch(options.jwks_uri, init);
if (!response.ok) throw new Error(`failed to fetch JWKS from ${options.jwks_uri}`);
const data = await response.json();
if (!data.keys) throw new Error("invalid JWKS response. \"keys\" field is missing");
if (!Array.isArray(data.keys)) throw new Error("invalid JWKS response. \"keys\" field is not an array");
if (keys) keys.push(...data.keys);
else keys = data.keys;
} else if (!keys) throw new Error("verifyFromJwks requires options for either \"keys\" or \"jwks_uri\" or both");
const matchingKey = keys.find((key) => key.kid === header.kid);
if (!matchingKey) throw new JwtTokenInvalid(token);
return await verify$1(token, matchingKey, matchingKey.alg || header.alg);
};
var decode$1 = (token) => {
try {
const [h, p] = token.split(".");
return {
header: decodeJwtPart(h),
payload: decodeJwtPart(p)
};
} catch {
throw new JwtTokenInvalid(token);
}
};
var decodeHeader = (token) => {
try {
const [h] = token.split(".");
return decodeJwtPart(h);
} catch {
throw new JwtTokenInvalid(token);
}
};
//#endregion
//#region ../../node_modules/hono/dist/utils/jwt/index.js
var Jwt = {
sign: sign$1,
verify: verify$1,
decode: decode$1,
verifyFromJwks
};
//#endregion
//#region ../../node_modules/hono/dist/middleware/jwt/jwt.js
var verify = Jwt.verify;
var decode = Jwt.decode;
var sign = Jwt.sign;
//#endregion
export { getRecordIdentifier, sign as signJWT, verify as verifyJWT };