wcz-layout/dist/msalServer-BHuM63vM.mjs.map

{"version":3,"file":"msalServer-BHuM63vM.mjs","names":["createServerOnlyFn","ConfidentialClientApplication","scopes","definedScopes","ccaInstance","getCCA","Promise","createConfidentialClient","getTokenOnBehalfOf","userToken","scopeKey","cca","result","acquireTokenOnBehalfOf","oboAssertion","Error","accessToken","getAppToken","defaultScopes","map","scope","lastSlash","lastIndexOf","baseUri","substring","uniqueScopes","Set","acquireTokenByClientCredential"],"sources":["../src/lib/auth/msalServer.ts"],"sourcesContent":["import { createServerOnlyFn } from \"@tanstack/react-start\";\r\nimport type { ConfidentialClientApplication } from \"@azure/msal-node\";\r\nimport { scopes as definedScopes } from \"virtual:wcz-layout\";\r\n\r\n/**\r\n * Singleton client for the service flows. Unlike the interactive refresh flow,\r\n * caching here is safe and desirable: MSAL partitions on-behalf-of tokens by the\r\n * incoming user assertion, and client-credentials tokens are app-level (no user).\r\n *\r\n * `entra` is imported dynamically so its `@azure/msal-node` dependency is never\r\n * pulled into the client bundle by anything re-exporting these server functions.\r\n */\r\nlet ccaInstance: ConfidentialClientApplication | null = null;\r\nconst getCCA = async (): Promise<ConfidentialClientApplication> => {\r\n  if (!ccaInstance) {\r\n    const { createConfidentialClient } = await import(\"./entra\");\r\n    ccaInstance = createConfidentialClient();\r\n  }\r\n  return ccaInstance;\r\n};\r\n\r\n/**\r\n * On-Behalf-Of flow: Exchange user token for a token to call downstream API\r\n * Use when: Server needs to call microservice on behalf of the logged-in user\r\n */\r\nexport const getTokenOnBehalfOf = createServerOnlyFn(\r\n  async (userToken: string, scopeKey: keyof typeof definedScopes): Promise<string> => {\r\n    const cca = await getCCA();\r\n    const scopes = [...definedScopes[scopeKey]];\r\n    const result = await cca.acquireTokenOnBehalfOf({\r\n      oboAssertion: userToken,\r\n      scopes,\r\n    });\r\n    if (!result) throw new Error(\"Failed to acquire OBO token\");\r\n    return result.accessToken;\r\n  },\r\n);\r\n\r\n/**\r\n * Client Credentials flow: Get app-only token (no user context)\r\n * Use when: Background jobs, scheduled tasks, service-to-service calls\r\n */\r\nexport const getAppToken = createServerOnlyFn(\r\n  async (scopeKey: keyof typeof definedScopes): Promise<string> => {\r\n    const cca = await getCCA();\r\n    const scopes = definedScopes[scopeKey];\r\n    const defaultScopes = scopes.map((scope) => {\r\n      const lastSlash = scope.lastIndexOf(\"/\");\r\n      const baseUri = scope.substring(0, lastSlash);\r\n      return `${baseUri}/.default`;\r\n    });\r\n    const uniqueScopes = [...new Set(defaultScopes)];\r\n    const result = await cca.acquireTokenByClientCredential({ scopes: uniqueScopes });\r\n    if (!result) throw new Error(\"Failed to acquire app token\");\r\n    return result.accessToken;\r\n  },\r\n);\r\n"],"mappings":";;;;;;;;;;;AAYA,IAAII,cAAoD;AACxD,MAAMC,SAAS,YAAoD;CACjE,IAAI,CAACD,aAAa;EAChB,MAAM,EAAEG,6BAA6B,MAAM,OAAO;EAClDH,cAAcG,yBAAyB;CACzC;CACA,OAAOH;AACT;;;;;AAMA,MAAaI,qBAAqBR,mBAChC,OAAOS,WAAmBC,aAA0D;CAClF,MAAMC,MAAM,MAAMN,OAAO;CACzB,MAAMH,WAAS,CAAC,GAAGC,OAAcO,SAAS;CAC1C,MAAME,SAAS,MAAMD,IAAIE,uBAAuB;EAC9CC,cAAcL;EACdP,QAAAA;CACF,CAAC;CACD,IAAI,CAACU,QAAQ,MAAM,IAAIG,MAAM,6BAA6B;CAC1D,OAAOH,OAAOI;AAChB,CACF;;;;;AAMA,MAAaC,cAAcjB,mBACzB,OAAOU,aAA0D;CAC/D,MAAMC,MAAM,MAAMN,OAAO;CAEzB,MAAMa,gBADSf,OAAcO,SACD,CAACS,KAAKC,UAAU;EAC1C,MAAMC,YAAYD,MAAME,YAAY,GAAG;EAEvC,OAAO,GADSF,MAAMI,UAAU,GAAGH,SACzBE,EAAO;CACnB,CAAC;CACD,MAAME,eAAe,CAAC,GAAG,IAAIC,IAAIR,aAAa,CAAC;CAC/C,MAAMN,SAAS,MAAMD,IAAIgB,+BAA+B,EAAEzB,QAAQuB,aAAa,CAAC;CAChF,IAAI,CAACb,QAAQ,MAAM,IAAIG,MAAM,6BAA6B;CAC1D,OAAOH,OAAOI;AAChB,CACF"}