npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@kura-iam/service-sdk

v0.1.1

Published

Node.js SDK for Internal Auth IDP OIDC token verification and service credentials.

Readme

@kura-iam/service-sdk

SDK Node.js para micro-servicos que consomem o Internal Auth IDP.

Ele cobre dois casos:

  • validar access tokens OIDC/JWT emitidos pelo IdP usando discovery e JWKS;
  • obter tokens client_credentials para chamadas service-to-service.

Requisitos

  • Node.js 20 ou superior.
  • fetch, Request, Response e Headers globais disponiveis.
  • Issuer HTTPS publico do IdP, normalmente https://auth.example.com/api/auth.
  • Audience do resource server cadastrado no IdP.

Instalacao

pnpm add @kura-iam/service-sdk

O pacote deve ser publicado no registry npm da organizacao. Enquanto ele estiver sendo consumido por workspace, use a dependencia workspace:*.

Validar chamadas recebidas

import { authenticateRequest, authErrorResponse } from "@kura-iam/service-sdk"

const issuer = process.env.AUTH_ISSUER!
const audience = process.env.AUTH_AUDIENCE!

export async function handleRequest(request: Request) {
  try {
    const subject = await authenticateRequest(request, {
      issuer,
      audience,
      requiredPermission: "orders:read",
    })

    return Response.json({
      ok: true,
      subject,
    })
  } catch (error) {
    return authErrorResponse(error)
  }
}

authenticateRequest espera Authorization: Bearer <token>, valida assinatura, issuer, audience e, quando informado, a permissao exigida.

O retorno e um AuthSubject discriminado:

  • kind: "service" para tokens client_credentials;
  • kind: "user" para tokens de usuario.

Middleware com Hono

import { authenticateRequest, authErrorResponse } from "@kura-iam/service-sdk"
import { Hono } from "hono"

const app = new Hono()

app.use("/orders/*", async (c, next) => {
  try {
    const subject = await authenticateRequest(c.req.raw, {
      issuer: process.env.AUTH_ISSUER!,
      audience: process.env.AUTH_AUDIENCE!,
      requiredPermission: "orders:read",
    })

    c.set("auth", subject)
    await next()
  } catch (error) {
    return authErrorResponse(error)
  }
})

Chamar outro servico com client credentials

import { createServiceClient } from "@kura-iam/service-sdk"

const ordersClient = createServiceClient({
  issuer: process.env.AUTH_ISSUER!,
  audience: "https://orders.internal.example.com",
  clientId: process.env.AUTH_CLIENT_ID!,
  clientSecret: process.env.AUTH_CLIENT_SECRET!,
})

const response = await ordersClient.fetch("https://orders.internal.example.com/v1/orders")

O client faz discovery do token endpoint, solicita client_credentials, deduplica requisicoes concorrentes e renova o token antes da expiracao.

Permissoes

import { hasPermission, requirePermission } from "@kura-iam/service-sdk"

hasPermission(["orders:*"], "orders:write") // true
requirePermission(["orders:read"], "orders:read")

Sao suportados:

  • permissao exata, como orders:read;
  • wildcard global *;
  • wildcard por recurso, como orders:*.

Configuracao recomendada por servico

AUTH_ISSUER=https://auth.example.com/api/auth
AUTH_AUDIENCE=https://orders.internal.example.com
AUTH_CLIENT_ID=...
AUTH_CLIENT_SECRET=...

Cada micro-servico deve validar tokens com a propria audience. Nao reutilize uma audience generica para APIs diferentes.

Publicacao

Antes de publicar:

pnpm --filter @kura-iam/service-sdk check-types
pnpm --filter @kura-iam/service-sdk test
pnpm --filter @kura-iam/service-sdk build
pnpm --filter @kura-iam/service-sdk pack --dry-run

O publish deve acontecer via GitHub Actions com npm Trusted Publishing/OIDC, sem NPM_TOKEN. Configure o Trusted Publisher no npm com:

  • provider: GitHub Actions;
  • owner/repo: GabrielAlvesSantis/kura;
  • workflow file: release.yml;
  • environment: npm;
  • access: public.

Para publicar uma nova versao do SDK, faca merge na main, atualize a versao e crie uma tag de pacote:

git checkout main
git pull origin main
pnpm --filter @kura-iam/service-sdk version patch --no-git-tag-version
pnpm install --lockfile-only
git add packages/service-sdk/package.json pnpm-lock.yaml
git commit -m "chore: release service-sdk"
git tag service-sdk-v$(node -p "require('./packages/service-sdk/package.json').version")
git push origin main --tags

O workflow release.yml publica somente quando uma tag service-sdk-v*.*.*, bff-kit-v*.*.* ou packages-v*.*.* e enviada.

Tambem rode os E2E do servidor com permissao elevada antes de promover uma versao, porque eles validam o contrato real entre IdP e SDK.

Escopo

Este pacote e deliberadamente pequeno. Ele nao cria uma aplicacao BFF completa, nao gerencia sessoes de browser e nao define rotas. Essas responsabilidades pertencem a um template ou pacote separado de BFF.