aa5167835e
Three remaining Phase 1 P1 deliverables: 1. Dockerfile — multi-stage build (builder + production), node:18-alpine, non-root USER node, .dockerignore excluding secrets and dev artifacts 2. AGNTCY alignment docs (docs/agntcy/) — README and alignment.md mapping all 6 AGNTCY domains to AgentIdP features with Phase 2/3 pending items noted 3. Node.js SDK (@sentryagent/idp-sdk) — TypeScript strict, zero any, native fetch (Node 18+), TokenManager with 60s auto-refresh, service clients for all 14 endpoints (agents, credentials, tokens, audit), AgentIdPError typed error hierarchy, full README All three changes tracked under openspec/changes/ with tasks marked complete. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
81 lines
2.4 KiB
TypeScript
81 lines
2.4 KiB
TypeScript
import { request } from '../request.js';
|
|
import { AgentIdPError } from '../errors.js';
|
|
import type { IntrospectResponse } from '../types.js';
|
|
|
|
/**
|
|
* Client for OAuth 2.0 token operations (introspect and revoke).
|
|
* Token issuance is handled separately by TokenManager.
|
|
*/
|
|
export class TokenClient {
|
|
constructor(
|
|
private readonly baseUrl: string,
|
|
private readonly getToken: () => Promise<string>,
|
|
) {}
|
|
|
|
/**
|
|
* Introspect a token to check whether it is currently active.
|
|
* Always returns 200 — check the `active` field to determine validity.
|
|
* Requires a Bearer token with `tokens:read` scope.
|
|
*/
|
|
async introspectToken(tokenToCheck: string): Promise<IntrospectResponse> {
|
|
const token = await this.getToken();
|
|
const body = new URLSearchParams({ token: tokenToCheck });
|
|
|
|
let response: Response;
|
|
try {
|
|
response = await fetch(new URL('/api/v1/token/introspect', this.baseUrl).toString(), {
|
|
method: 'POST',
|
|
headers: {
|
|
Authorization: `Bearer ${token}`,
|
|
'Content-Type': 'application/x-www-form-urlencoded',
|
|
},
|
|
body: body.toString(),
|
|
});
|
|
} catch (err) {
|
|
throw new AgentIdPError(
|
|
'NETWORK_ERROR',
|
|
`Network error: ${err instanceof Error ? err.message : String(err)}`,
|
|
0,
|
|
);
|
|
}
|
|
|
|
const data: unknown = await response.json();
|
|
if (!response.ok) {
|
|
throw AgentIdPError.fromApiError(data, response.status);
|
|
}
|
|
return data as IntrospectResponse;
|
|
}
|
|
|
|
/**
|
|
* Revoke a token immediately. Idempotent — revoking an already-revoked
|
|
* or expired token is not an error (RFC 7009).
|
|
*/
|
|
async revokeToken(tokenToRevoke: string): Promise<void> {
|
|
const token = await this.getToken();
|
|
const body = new URLSearchParams({ token: tokenToRevoke });
|
|
|
|
let response: Response;
|
|
try {
|
|
response = await fetch(new URL('/api/v1/token/revoke', this.baseUrl).toString(), {
|
|
method: 'POST',
|
|
headers: {
|
|
Authorization: `Bearer ${token}`,
|
|
'Content-Type': 'application/x-www-form-urlencoded',
|
|
},
|
|
body: body.toString(),
|
|
});
|
|
} catch (err) {
|
|
throw new AgentIdPError(
|
|
'NETWORK_ERROR',
|
|
`Network error: ${err instanceof Error ? err.message : String(err)}`,
|
|
0,
|
|
);
|
|
}
|
|
|
|
if (!response.ok) {
|
|
const data: unknown = await response.json();
|
|
throw AgentIdPError.fromApiError(data, response.status);
|
|
}
|
|
}
|
|
}
|