npm - @_mustachio/openauth - Versions diffs - 0.6.0 - Mend

@_mustachio/openauth 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

package/dist/esm/client.js +186 -0
package/dist/esm/css.d.js +0 -0
package/dist/esm/error.js +73 -0
package/dist/esm/index.js +14 -0
package/dist/esm/issuer.js +558 -0
package/dist/esm/jwt.js +16 -0
package/dist/esm/keys.js +113 -0
package/dist/esm/pkce.js +35 -0
package/dist/esm/provider/apple.js +28 -0
package/dist/esm/provider/arctic.js +43 -0
package/dist/esm/provider/code.js +58 -0
package/dist/esm/provider/cognito.js +16 -0
package/dist/esm/provider/discord.js +15 -0
package/dist/esm/provider/facebook.js +24 -0
package/dist/esm/provider/github.js +15 -0
package/dist/esm/provider/google.js +25 -0
package/dist/esm/provider/index.js +3 -0
package/dist/esm/provider/jumpcloud.js +15 -0
package/dist/esm/provider/keycloak.js +15 -0
package/dist/esm/provider/linkedin.js +15 -0
package/dist/esm/provider/m2m.js +17 -0
package/dist/esm/provider/microsoft.js +24 -0
package/dist/esm/provider/oauth2.js +119 -0
package/dist/esm/provider/oidc.js +69 -0
package/dist/esm/provider/passkey.js +315 -0
package/dist/esm/provider/password.js +306 -0
package/dist/esm/provider/provider.js +10 -0
package/dist/esm/provider/slack.js +15 -0
package/dist/esm/provider/spotify.js +15 -0
package/dist/esm/provider/twitch.js +15 -0
package/dist/esm/provider/x.js +16 -0
package/dist/esm/provider/yahoo.js +15 -0
package/dist/esm/random.js +27 -0
package/dist/esm/storage/aws.js +39 -0
package/dist/esm/storage/cloudflare.js +42 -0
package/dist/esm/storage/dynamo.js +116 -0
package/dist/esm/storage/memory.js +88 -0
package/dist/esm/storage/storage.js +36 -0
package/dist/esm/subject.js +7 -0
package/dist/esm/ui/base.js +407 -0
package/dist/esm/ui/code.js +151 -0
package/dist/esm/ui/form.js +43 -0
package/dist/esm/ui/icon.js +92 -0
package/dist/esm/ui/passkey.js +329 -0
package/dist/esm/ui/password.js +338 -0
package/dist/esm/ui/select.js +187 -0
package/dist/esm/ui/theme.js +115 -0
package/dist/esm/util.js +54 -0
package/dist/types/client.d.ts +466 -0
package/dist/types/client.d.ts.map +1 -0
package/dist/types/error.d.ts +77 -0
package/dist/types/error.d.ts.map +1 -0
package/dist/types/index.d.ts +20 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/issuer.d.ts +465 -0
package/dist/types/issuer.d.ts.map +1 -0
package/dist/types/jwt.d.ts +6 -0
package/dist/types/jwt.d.ts.map +1 -0
package/dist/types/keys.d.ts +18 -0
package/dist/types/keys.d.ts.map +1 -0
package/dist/types/pkce.d.ts +7 -0
package/dist/types/pkce.d.ts.map +1 -0
package/dist/types/provider/apple.d.ts +108 -0
package/dist/types/provider/apple.d.ts.map +1 -0
package/dist/types/provider/arctic.d.ts +16 -0
package/dist/types/provider/arctic.d.ts.map +1 -0
package/dist/types/provider/code.d.ts +74 -0
package/dist/types/provider/code.d.ts.map +1 -0
package/dist/types/provider/cognito.d.ts +64 -0
package/dist/types/provider/cognito.d.ts.map +1 -0
package/dist/types/provider/discord.d.ts +38 -0
package/dist/types/provider/discord.d.ts.map +1 -0
package/dist/types/provider/facebook.d.ts +74 -0
package/dist/types/provider/facebook.d.ts.map +1 -0
package/dist/types/provider/github.d.ts +38 -0
package/dist/types/provider/github.d.ts.map +1 -0
package/dist/types/provider/google.d.ts +74 -0
package/dist/types/provider/google.d.ts.map +1 -0
package/dist/types/provider/index.d.ts +4 -0
package/dist/types/provider/index.d.ts.map +1 -0
package/dist/types/provider/jumpcloud.d.ts +38 -0
package/dist/types/provider/jumpcloud.d.ts.map +1 -0
package/dist/types/provider/keycloak.d.ts +67 -0
package/dist/types/provider/keycloak.d.ts.map +1 -0
package/dist/types/provider/linkedin.d.ts +6 -0
package/dist/types/provider/linkedin.d.ts.map +1 -0
package/dist/types/provider/m2m.d.ts +34 -0
package/dist/types/provider/m2m.d.ts.map +1 -0
package/dist/types/provider/microsoft.d.ts +89 -0
package/dist/types/provider/microsoft.d.ts.map +1 -0
package/dist/types/provider/oauth2.d.ts +133 -0
package/dist/types/provider/oauth2.d.ts.map +1 -0
package/dist/types/provider/oidc.d.ts +91 -0
package/dist/types/provider/oidc.d.ts.map +1 -0
package/dist/types/provider/passkey.d.ts +143 -0
package/dist/types/provider/passkey.d.ts.map +1 -0
package/dist/types/provider/password.d.ts +210 -0
package/dist/types/provider/password.d.ts.map +1 -0
package/dist/types/provider/provider.d.ts +29 -0
package/dist/types/provider/provider.d.ts.map +1 -0
package/dist/types/provider/slack.d.ts +59 -0
package/dist/types/provider/slack.d.ts.map +1 -0
package/dist/types/provider/spotify.d.ts +38 -0
package/dist/types/provider/spotify.d.ts.map +1 -0
package/dist/types/provider/twitch.d.ts +38 -0
package/dist/types/provider/twitch.d.ts.map +1 -0
package/dist/types/provider/x.d.ts +38 -0
package/dist/types/provider/x.d.ts.map +1 -0
package/dist/types/provider/yahoo.d.ts +38 -0
package/dist/types/provider/yahoo.d.ts.map +1 -0
package/dist/types/random.d.ts +3 -0
package/dist/types/random.d.ts.map +1 -0
package/dist/types/storage/aws.d.ts +4 -0
package/dist/types/storage/aws.d.ts.map +1 -0
package/dist/types/storage/cloudflare.d.ts +34 -0
package/dist/types/storage/cloudflare.d.ts.map +1 -0
package/dist/types/storage/dynamo.d.ts +65 -0
package/dist/types/storage/dynamo.d.ts.map +1 -0
package/dist/types/storage/memory.d.ts +49 -0
package/dist/types/storage/memory.d.ts.map +1 -0
package/dist/types/storage/storage.d.ts +15 -0
package/dist/types/storage/storage.d.ts.map +1 -0
package/dist/types/subject.d.ts +122 -0
package/dist/types/subject.d.ts.map +1 -0
package/dist/types/ui/base.d.ts +5 -0
package/dist/types/ui/base.d.ts.map +1 -0
package/dist/types/ui/code.d.ts +104 -0
package/dist/types/ui/code.d.ts.map +1 -0
package/dist/types/ui/form.d.ts +6 -0
package/dist/types/ui/form.d.ts.map +1 -0
package/dist/types/ui/icon.d.ts +6 -0
package/dist/types/ui/icon.d.ts.map +1 -0
package/dist/types/ui/passkey.d.ts +5 -0
package/dist/types/ui/passkey.d.ts.map +1 -0
package/dist/types/ui/password.d.ts +139 -0
package/dist/types/ui/password.d.ts.map +1 -0
package/dist/types/ui/select.d.ts +55 -0
package/dist/types/ui/select.d.ts.map +1 -0
package/dist/types/ui/theme.d.ts +207 -0
package/dist/types/ui/theme.d.ts.map +1 -0
package/dist/types/util.d.ts +8 -0
package/dist/types/util.d.ts.map +1 -0
package/package.json +51 -0
package/src/client.ts +749 -0
package/src/css.d.ts +4 -0
package/src/error.ts +120 -0
package/src/index.ts +26 -0
package/src/issuer.ts +1302 -0
package/src/jwt.ts +17 -0
package/src/keys.ts +139 -0
package/src/pkce.ts +40 -0
package/src/provider/apple.ts +127 -0
package/src/provider/arctic.ts +66 -0
package/src/provider/code.ts +227 -0
package/src/provider/cognito.ts +74 -0
package/src/provider/discord.ts +45 -0
package/src/provider/facebook.ts +84 -0
package/src/provider/github.ts +45 -0
package/src/provider/google.ts +85 -0
package/src/provider/index.ts +3 -0
package/src/provider/jumpcloud.ts +45 -0
package/src/provider/keycloak.ts +75 -0
package/src/provider/linkedin.ts +12 -0
package/src/provider/m2m.ts +56 -0
package/src/provider/microsoft.ts +100 -0
package/src/provider/oauth2.ts +297 -0
package/src/provider/oidc.ts +179 -0
package/src/provider/passkey.ts +655 -0
package/src/provider/password.ts +672 -0
package/src/provider/provider.ts +33 -0
package/src/provider/slack.ts +67 -0
package/src/provider/spotify.ts +45 -0
package/src/provider/twitch.ts +45 -0
package/src/provider/x.ts +46 -0
package/src/provider/yahoo.ts +45 -0
package/src/random.ts +24 -0
package/src/storage/aws.ts +59 -0
package/src/storage/cloudflare.ts +77 -0
package/src/storage/dynamo.ts +193 -0
package/src/storage/memory.ts +135 -0
package/src/storage/storage.ts +46 -0
package/src/subject.ts +130 -0
package/src/ui/base.tsx +118 -0
package/src/ui/code.tsx +215 -0
package/src/ui/form.tsx +40 -0
package/src/ui/icon.tsx +95 -0
package/src/ui/passkey.tsx +321 -0
package/src/ui/password.tsx +405 -0
package/src/ui/select.tsx +221 -0
package/src/ui/theme.ts +319 -0
package/src/ui/ui.css +252 -0
package/src/util.ts +58 -0

package/src/provider/oauth2.ts ADDED Viewed

@@ -0,0 +1,297 @@
+/**
+ * Use this to connect authentication providers that support OAuth 2.0.
+ *
+ * ```ts {5-12}
+ * import { Oauth2Provider } from "@openauthjs/openauth/provider/oauth2"
+ *
+ * export default issuer({
+ *   providers: {
+ *     oauth2: Oauth2Provider({
+ *       clientID: "1234567890",
+ *       clientSecret: "0987654321",
+ *       endpoint: {
+ *         authorization: "https://auth.myserver.com/authorize",
+ *         token: "https://auth.myserver.com/token"
+ *       }
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ *
+ * @packageDocumentation
+ */
+import { createRemoteJWKSet, jwtVerify } from "jose"
+import { OauthError } from "../error.js"
+import { generatePKCE } from "../pkce.js"
+import { getRelativeUrl } from "../util.js"
+import { Provider } from "./provider.js"
+export interface Oauth2Config {
+  /**
+   * @internal
+   */
+  type?: string
+  /**
+   * The client ID.
+   *
+   * This is just a string to identify your app.
+   *
+   * @example
+   * ```ts
+   * {
+   *   clientID: "my-client"
+   * }
+   * ```
+   */
+  clientID: string
+  /**
+   * The client secret.
+   *
+   * This is a private key that's used to authenticate your app. It should be kept secret.
+   *
+   * @example
+   * ```ts
+   * {
+   *   clientSecret: "0987654321"
+   * }
+   * ```
+   */
+  clientSecret: string
+  /**
+   * The URLs of the authorization and token endpoints.
+   *
+   * @example
+   * ```ts
+   * {
+   *   endpoint: {
+   *     authorization: "https://auth.myserver.com/authorize",
+   *     token: "https://auth.myserver.com/token",
+   *     jwks: "https://auth.myserver.com/auth/keys"
+   *   }
+   * }
+   * ```
+   */
+  endpoint: {
+    /**
+     * The URL of the authorization endpoint.
+     */
+    authorization: string
+    /**
+     * The URL of the token endpoint.
+     */
+    token: string
+    /**
+     * The URL of the JWKS endpoint.
+     */
+    jwks?: string
+  }
+  /**
+   * A list of OAuth scopes that you want to request.
+   *
+   * @example
+   * ```ts
+   * {
+   *   scopes: ["email", "profile"]
+   * }
+   * ```
+   */
+  scopes: string[]
+  /**
+   * Whether to use PKCE (Proof Key for Code Exchange) for the authorization code flow.
+   * Some providers like x.com require this.
+   * @default false
+   */
+  pkce?: boolean
+  /**
+   * Any additional parameters that you want to pass to the authorization endpoint.
+   * @example
+   * ```ts
+   * {
+   *   query: {
+   *     access_type: "offline",
+   *     prompt: "consent"
+   *   }
+   * }
+   * ```
+   */
+  query?: Record<string, string>
+}
+/**
+ * @internal
+ */
+export type Oauth2WrappedConfig = Omit<Oauth2Config, "endpoint" | "name">
+/**
+ * @internal
+ */
+export interface Oauth2Token {
+  access: string
+  refresh: string
+  expiry: number
+  id?: Record<string, any>
+  raw: Record<string, any>
+}
+interface ProviderState {
+  state: string
+  redirect: string
+  codeVerifier?: string
+}
+export function Oauth2Provider(
+  config: Oauth2Config,
+): Provider<{ tokenset: Oauth2Token; clientID: string }> {
+  const query = config.query || {}
+  // Helper function to handle token exchange and response building
+  async function handleCallbackLogic(
+    c: any,
+    ctx: any,
+    provider: ProviderState,
+    code: string | undefined,
+  ) {
+    if (!provider || !code) {
+      return c.redirect(getRelativeUrl(c, "./authorize"))
+    }
+    const body = new URLSearchParams({
+      client_id: config.clientID,
+      client_secret: config.clientSecret,
+      code,
+      grant_type: "authorization_code",
+      redirect_uri: provider.redirect,
+      ...(provider.codeVerifier
+        ? { code_verifier: provider.codeVerifier }
+        : {}),
+    })
+    const json: any = await fetch(config.endpoint.token, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json",
+      },
+      body: body.toString(),
+    }).then((r) => r.json())
+    if ("error" in json) {
+      throw new OauthError(json.error, json.error_description)
+    }
+    let idTokenPayload: Record<string, any> | null = null
+    if (config.endpoint.jwks) {
+      const jwksEndpoint = new URL(config.endpoint.jwks)
+      // @ts-expect-error bun/node mismatch
+      const jwks = createRemoteJWKSet(jwksEndpoint)
+      const { payload } = await jwtVerify(json.id_token, jwks, {
+        audience: config.clientID,
+      })
+      idTokenPayload = payload
+    }
+    return ctx.success(c, {
+      clientID: config.clientID,
+      tokenset: {
+        get access() {
+          return json.access_token
+        },
+        get refresh() {
+          return json.refresh_token
+        },
+        get expiry() {
+          return json.expires_in
+        },
+        get id() {
+          if (!idTokenPayload) return null
+          return idTokenPayload
+        },
+        get raw() {
+          return json
+        },
+      },
+    })
+  }
+  return {
+    type: config.type || "oauth2",
+    init(routes, ctx) {
+      routes.get("/authorize", async (c) => {
+        const state = crypto.randomUUID()
+        const pkce = config.pkce ? await generatePKCE() : undefined
+        await ctx.set<ProviderState>(c, "provider", 60 * 10, {
+          state,
+          redirect: getRelativeUrl(c, "./callback"),
+          codeVerifier: pkce?.verifier,
+        })
+        const authorization = new URL(config.endpoint.authorization)
+        authorization.searchParams.set("client_id", config.clientID)
+        authorization.searchParams.set(
+          "redirect_uri",
+          getRelativeUrl(c, "./callback"),
+        )
+        authorization.searchParams.set("response_type", "code")
+        authorization.searchParams.set("state", state)
+        authorization.searchParams.set("scope", config.scopes.join(" "))
+        if (pkce) {
+          authorization.searchParams.set("code_challenge", pkce.challenge)
+          authorization.searchParams.set("code_challenge_method", pkce.method)
+        }
+        for (const [key, value] of Object.entries(query)) {
+          authorization.searchParams.set(key, value)
+        }
+        return c.redirect(authorization.toString())
+      })
+      routes.get("/callback", async (c) => {
+        const provider = (await ctx.get(c, "provider")) as ProviderState
+        const code = c.req.query("code")
+        const state = c.req.query("state")
+        const error = c.req.query("error")
+        if (error)
+          throw new OauthError(
+            error.toString() as any,
+            c.req.query("error_description")?.toString() || "",
+          )
+        if (
+          !provider ||
+          !code ||
+          (provider.state && state !== provider.state)
+        ) {
+          return c.redirect(getRelativeUrl(c, "./authorize"))
+        }
+        return handleCallbackLogic(c, ctx, provider, code)
+      })
+      routes.post("/callback", async (c) => {
+        const provider = (await ctx.get(c, "provider")) as ProviderState
+        // Handle form data from POST request
+        const formData = await c.req.formData()
+        const code = formData.get("code")?.toString()
+        const state = formData.get("state")?.toString()
+        const error = formData.get("error")?.toString()
+        if (error)
+          throw new OauthError(
+            error as any,
+            formData.get("error_description")?.toString() || "",
+          )
+        if (
+          !provider ||
+          !code ||
+          (provider.state && state !== provider.state)
+        ) {
+          return c.redirect(getRelativeUrl(c, "./authorize"))
+        }
+        return handleCallbackLogic(c, ctx, provider, code)
+      })
+    },
+  }
+}

package/src/provider/oidc.ts ADDED Viewed

@@ -0,0 +1,179 @@
+/**
+ * Use this to connect authentication providers that support OIDC.
+ *
+ * ```ts {5-8}
+ * import { OidcProvider } from "@openauthjs/openauth/provider/oidc"
+ *
+ * export default issuer({
+ *   providers: {
+ *     oauth2: OidcProvider({
+ *       clientId: "1234567890",
+ *       issuer: "https://auth.myserver.com"
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ *
+ * @packageDocumentation
+ */
+import { createLocalJWKSet, JSONWebKeySet, jwtVerify } from "jose"
+import { WellKnown } from "../client.js"
+import { OauthError } from "../error.js"
+import { Provider } from "./provider.js"
+import { JWTPayload } from "hono/utils/jwt/types"
+import { getRelativeUrl, lazy } from "../util.js"
+export interface OidcConfig {
+  /**
+   * @internal
+   */
+  type?: string
+  /**
+   * The client ID.
+   *
+   * This is just a string to identify your app.
+   *
+   * @example
+   * ```ts
+   * {
+   *   clientID: "my-client"
+   * }
+   * ```
+   */
+  clientID: string
+  /**
+   * The URL of your authorization server.
+   *
+   * @example
+   * ```ts
+   * {
+   *   issuer: "https://auth.myserver.com"
+   * }
+   * ```
+   */
+  issuer: string
+  /**
+   * A list of OIDC scopes that you want to request.
+   *
+   * @example
+   * ```ts
+   * {
+   *   scopes: ["openid", "profile", "email"]
+   * }
+   * ```
+   */
+  scopes?: string[]
+  /**
+   * Any additional parameters that you want to pass to the authorization endpoint.
+   * @example
+   * ```ts
+   * {
+   *   query: {
+   *     prompt: "consent"
+   *   }
+   * }
+   * ```
+   */
+  query?: Record<string, string>
+}
+/**
+ * @internal
+ */
+export type OidcWrappedConfig = Omit<OidcConfig, "issuer" | "name">
+interface ProviderState {
+  state: string
+  nonce: string
+  redirect: string
+}
+/**
+ * @internal
+ */
+export interface IdTokenResponse {
+  idToken: string
+  claims: Record<string, any>
+  raw: Record<string, any>
+}
+export function OidcProvider(
+  config: OidcConfig,
+): Provider<{ id: JWTPayload; clientID: string }> {
+  const query = config.query || {}
+  const scopes = config.scopes || []
+  const wk = lazy(() =>
+    fetch(config.issuer + "/.well-known/openid-configuration").then(
+      async (r) => {
+        if (!r.ok) throw new Error(await r.text())
+        return r.json() as Promise<WellKnown>
+      },
+    ),
+  )
+  const jwks = lazy(() =>
+    wk()
+      .then((r) => r.jwks_uri)
+      .then(async (uri) => {
+        const r = await fetch(uri)
+        if (!r.ok) throw new Error(await r.text())
+        return createLocalJWKSet((await r.json()) as JSONWebKeySet)
+      }),
+  )
+  return {
+    type: config.type || "oidc",
+    init(routes, ctx) {
+      routes.get("/authorize", async (c) => {
+        const provider: ProviderState = {
+          state: crypto.randomUUID(),
+          nonce: crypto.randomUUID(),
+          redirect: getRelativeUrl(c, "./callback"),
+        }
+        await ctx.set(c, "provider", 60 * 10, provider)
+        const authorization = new URL(
+          await wk().then((r) => r.authorization_endpoint),
+        )
+        authorization.searchParams.set("client_id", config.clientID)
+        authorization.searchParams.set("response_type", "id_token")
+        authorization.searchParams.set("response_mode", "form_post")
+        authorization.searchParams.set("state", provider.state)
+        authorization.searchParams.set("nonce", provider.nonce)
+        authorization.searchParams.set("redirect_uri", provider.redirect)
+        authorization.searchParams.set("scope", ["openid", ...scopes].join(" "))
+        for (const [key, value] of Object.entries(query)) {
+          authorization.searchParams.set(key, value)
+        }
+        return c.redirect(authorization.toString())
+      })
+      routes.post("/callback", async (c) => {
+        const provider = await ctx.get<ProviderState>(c, "provider")
+        if (!provider) return c.redirect(getRelativeUrl(c, "./authorize"))
+        const body = await c.req.formData()
+        const error = body.get("error")
+        if (error)
+          throw new OauthError(
+            error.toString() as any,
+            body.get("error_description")?.toString() || "",
+          )
+        const idToken = body.get("id_token")
+        if (!idToken)
+          throw new OauthError("invalid_request", "Missing id_token")
+        const result = await jwtVerify(idToken.toString(), await jwks(), {
+          audience: config.clientID,
+        })
+        if (result.payload.nonce !== provider.nonce) {
+          throw new OauthError("invalid_request", "Invalid nonce")
+        }
+        return ctx.success(c, {
+          id: result.payload,
+          clientID: config.clientID,
+        })
+      })
+    },
+  }
+}