feat: auth pkg and file proxy scaffold

Co-authored-by: Ona <no-reply@ona.com>
2025-11-30 21:41:39 +00:00 · 2025-10-19 17:05:15 +00:00
parent c0f852ad35
commit e58caa6b16
14 changed files with 306 additions and 0 deletions
--- a/packages/auth/index.ts
+++ b/packages/auth/index.ts
@@ -0,0 +1,64 @@
+/**
+ * An unhashed api key.
+ * Always starts with sk, then the prefix specified at time of generation,
+ * and ends with the base64url-encoded key.
+ */
+export type UnhashedApiKey = `sk-${ApiKeyPrefix}-${string}`
+
+export type ApiKeyPrefix = string & { __brand: "ApiKeyPrefix" }
+
+export type GenerateApiKeyOptions = {
+	/**
+	 * How long the key should be (excluding prefix) in bytes.
+	 */
+	keyByteLength: number
+
+	/**
+	 * Prefix of the api key. Can be a brief name of the consumer of the key.
+	 * For example, if the prefix is "proxy", the key will be "sk-proxy-asdasjdjsdkjd.."
+	 */
+	prefix: ApiKeyPrefix
+
+	expiresAt?: Date
+	description: string
+}
+
+export type GenerateApiKeyResult = {
+	unhashedKey: UnhashedApiKey
+	hashedKey: string
+	expiresAt?: Date
+	description: string
+}
+
+export function newPrefix(prefix: string): ApiKeyPrefix | null {
+	if (prefix.includes("-")) {
+		return null
+	}
+	return prefix as ApiKeyPrefix
+}
+
+export async function generateApiKey({
+	keyByteLength,
+	prefix,
+	expiresAt,
+	description,
+}: GenerateApiKeyOptions): Promise<GenerateApiKeyResult> {
+	const keyContent = new Uint8Array(keyByteLength)
+	crypto.getRandomValues(keyContent)
+
+	const base64KeyContent = Buffer.from(keyContent).toString("base64url")
+	const unhashedKey: UnhashedApiKey = `sk-${prefix}-${base64KeyContent}`
+
+	const hashedKey = await Bun.password.hash(unhashedKey, {
+		algorithm: "argon2id",
+		memoryCost: 4, // memory usage in kibibytes
+		timeCost: 3, // the number of iterations
+	})
+
+	return {
+		unhashedKey,
+		hashedKey,
+		expiresAt,
+		description,
+	}
+}