@openparachute/scope-guard
+13
-0
@@ -56,2 +56,15 @@ import { type JwksGetter, type JwksOptions } from "./jwks.js"; | ||
| vaultScope: string[]; | ||
| /** | ||
| * Raw `permissions` claim from the validated JWT payload, surfaced | ||
| * verbatim. scope-guard does NOT interpret it — it parses-and-passes the | ||
| * object so resource servers can read their own permission shapes without | ||
| * re-decoding the token. e.g. vault reads `permissions.scoped_tags` for | ||
| * tag-scoping; scope-guard knows nothing of `scoped_tags` semantics. | ||
| * | ||
| * Present only when the validated payload carries a non-null plain object | ||
| * under `permissions`. Absent or non-object (string / number / array) | ||
| * surfaces as `undefined` — distinct from an empty object `{}` so consumers | ||
| * can tell "no permissions claim" from "permissions claim with no entries." | ||
| */ | ||
| permissions?: Record<string, unknown>; | ||
| } | ||
@@ -58,0 +71,0 @@ /** Reasons a hub JWT may fail validation. Each maps to a `HubJwtError.code`. */ |
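Review bot: The new TSDoc on `permissions` explains the filtering rule but not the trust boundary the passthrough creates: the verified signature vouches for where the claim came from, while every nested value stays `unknown` and is never checked by scope-guard. A sentence after the `{}` paragraph would make that explicit, for example ` * Values are surfaced unvalidated; consumers must narrow each entry (e.g. confirm a tag list really is an array of strings) rather than assert its type.` The enclosing interface's header is above this hunk, and the trailing `@@ -58,0 +71,0 @@` line after `}` looks like a rendering artifact rather than a real hunk.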
+14
-1
@@ -134,2 +134,15 @@ import { jwtVerify } from "jose"; | ||
| : []; | ||
| // permissions: raw passthrough of the consumer-interpreted permissions | ||
| // object (e.g. vault's `scoped_tags`). scope-guard surfaces it verbatim | ||
| // without knowing its shape. Only a non-null plain object is surfaced; | ||
| // absent / null / non-object (string, number, array) leaves it | ||
| // `undefined` so "no claim" stays distinguishable from `{}`. Mirrors | ||
| // the defensive style of vaultScope above — malformed input is tolerated | ||
| // (left undefined), never thrown on. | ||
| const permissionsRaw = payload.permissions; | ||
| const permissions = typeof permissionsRaw === "object" && | ||
| permissionsRaw !== null && | ||
| !Array.isArray(permissionsRaw) | ||
| ? permissionsRaw | ||
| : undefined; | ||
| // Revocation enforcement runs LAST — only consulted if the JWT is | ||
@@ -157,3 +170,3 @@ // otherwise valid. Cheaper checks (signature, iss, aud, expiry, | ||
| } | ||
| return { sub: payload.sub, scopes, aud, jti, clientId, vaultScope }; | ||
| return { sub: payload.sub, scopes, aud, jti, clientId, vaultScope, permissions }; | ||
| }, | ||
@@ -160,0 +173,0 @@ resetJwksCache() { |
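Review bot: In the first hunk the three checks `typeof permissionsRaw === "object" && permissionsRaw !== null && !Array.isArray(permissionsRaw)` narrow the value to `object`, not to the `Record<string, unknown>` the result field presumably declares, so the assignment into the returned object either leans on inference or on a cast that is not visible here. A small predicate states the contract once and avoids any assertion: `const isPlainObject = (v: unknown): v is Record<string, unknown> => typeof v === "object" && v !== null && !Array.isArray(v);` followed by `const permissions = isPlainObject(payload.permissions) ? payload.permissions : undefined;`. The seven-line comment block above `const permissionsRaw` repeats the interface TSDoc almost verbatim; one line such as `// permissions: verbatim passthrough, see the field's TSDoc` would keep the two from drifting apart. The enclosing method starts before this hunk and ends at the `},` in the second hunk.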
+1
-1
| { | ||
| "name": "@openparachute/scope-guard", | ||
| "version": "0.4.0-rc.1", | ||
| "version": "0.4.0-rc.2", | ||
| "description": "Hub-issued JWT validation for Parachute resource servers (vault, scribe, parachute-agent, third-party modules).", | ||
@@ -5,0 +5,0 @@ "license": "AGPL-3.0", |