@_mustachio/openauth 0.6.0

package/src/provider/slack.ts

@@ -0,0 +1,67 @@
+/**
+ * Use this provider to authenticate with Slack.
+ *
+ * ```ts {5-10}
+ * import { SlackProvider } from "@openauthjs/openauth/provider/slack"
+ *
+ * export default issuer({
+ *   providers: {
+ *     slack: SlackProvider({
+ *       team: "T1234567890",
+ *       clientID: "1234567890",
+ *       clientSecret: "0987654321",
+ *       scopes: ["openid", "email", "profile"]
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+import { Oauth2Provider, Oauth2WrappedConfig } from "./oauth2.js"
+
+export interface SlackConfig extends Oauth2WrappedConfig {
+  /**
+   * The workspace the user is intending to authenticate.
+   *
+   * If that workspace has been previously authenticated, the user will be signed in directly,
+   * bypassing the consent screen.
+   */
+  team: string
+  /**
+   * The scopes to request from the user.
+   *
+   * | Scope | Description |
+   * |-|-|
+   * | `email` | Grants permission to access the user's email address. |
+   * | `profile` | Grants permission to access the user's profile information. |
+   * | `openid` | Grants permission to use OpenID Connect to verify the user's identity. |
+   */
+  scopes: ("email" | "profile" | "openid")[]
+}
+
+/**
+ * Creates a [Slack OAuth2 provider](https://api.slack.com/authentication/sign-in-with-slack).
+ *
+ * @param {SlackConfig} config - The config for the provider.
+ * @example
+ * ```ts
+ * SlackProvider({
+ *   team: "T1234567890",
+ *   clientID: "1234567890",
+ *   clientSecret: "0987654321",
+ *   scopes: ["openid", "email", "profile"]
+ * })
+ * ```
+ */
+export function SlackProvider(config: SlackConfig) {
+  return Oauth2Provider({
+    ...config,
+    type: "slack",
+    endpoint: {
+      authorization: "https://slack.com/openid/connect/authorize",
+      token: "https://slack.com/api/openid.connect.token",
+    },
+  })
+}

package/src/provider/spotify.ts

@@ -0,0 +1,45 @@
+/**
+ * Use this provider to authenticate with Spotify.
+ *
+ * ```ts {5-8}
+ * import { SpotifyProvider } from "@openauthjs/openauth/provider/spotify"
+ *
+ * export default issuer({
+ *   providers: {
+ *     spotify: SpotifyProvider({
+ *       clientID: "1234567890",
+ *       clientSecret: "0987654321"
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+import { Oauth2Provider, type Oauth2WrappedConfig } from "./oauth2.js"
+
+export interface SpotifyConfig extends Oauth2WrappedConfig {}
+
+/**
+ * Create a Spotify OAuth2 provider.
+ *
+ * @param config - The config for the provider.
+ * @example
+ * ```ts
+ * SpotifyProvider({
+ *   clientID: "1234567890",
+ *   clientSecret: "0987654321"
+ * })
+ * ```
+ */
+export function SpotifyProvider(config: SpotifyConfig) {
+  return Oauth2Provider({
+    ...config,
+    type: "spotify",
+    endpoint: {
+      authorization: "https://accounts.spotify.com/authorize",
+      token: "https://accounts.spotify.com/api/token",
+    },
+  })
+}

package/src/provider/twitch.ts

@@ -0,0 +1,45 @@
+/**
+ * Use this provider to authenticate with Twitch.
+ *
+ * ```ts {5-8}
+ * import { TwitchProvider } from "@openauthjs/openauth/provider/twitch"
+ *
+ * export default issuer({
+ *   providers: {
+ *     twitch: TwitchProvider({
+ *       clientID: "1234567890",
+ *       clientSecret: "0987654321"
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+import { Oauth2Provider, Oauth2WrappedConfig } from "./oauth2.js"
+
+export interface TwitchConfig extends Oauth2WrappedConfig {}
+
+/**
+ * Create a Twitch OAuth2 provider.
+ *
+ * @param config - The config for the provider.
+ * @example
+ * ```ts
+ * TwitchProvider({
+ *   clientID: "1234567890",
+ *   clientSecret: "0987654321"
+ * })
+ * ```
+ */
+export function TwitchProvider(config: TwitchConfig) {
+  return Oauth2Provider({
+    type: "twitch",
+    ...config,
+    endpoint: {
+      authorization: "https://id.twitch.tv/oauth2/authorize",
+      token: "https://id.twitch.tv/oauth2/token",
+    },
+  })
+}

package/src/provider/x.ts

@@ -0,0 +1,46 @@
+/**
+ * Use this provider to authenticate with X.com.
+ *
+ * ```ts {5-8}
+ * import { XProvider } from "@openauthjs/openauth/provider/x"
+ *
+ * export default issuer({
+ *   providers: {
+ *     x: XProvider({
+ *       clientID: "1234567890",
+ *       clientSecret: "0987654321"
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+import { Oauth2Provider, Oauth2WrappedConfig } from "./oauth2.js"
+
+export interface XProviderConfig extends Oauth2WrappedConfig {}
+
+/**
+ * Create a X.com OAuth2 provider.
+ *
+ * @param config - The config for the provider.
+ * @example
+ * ```ts
+ * XProvider({
+ *   clientID: "1234567890",
+ *   clientSecret: "0987654321"
+ * })
+ * ```
+ */
+export function XProvider(config: XProviderConfig) {
+  return Oauth2Provider({
+    ...config,
+    type: "x",
+    endpoint: {
+      authorization: "https://twitter.com/i/oauth2/authorize",
+      token: "https://api.x.com/2/oauth2/token",
+    },
+    pkce: true,
+  })
+}

package/src/provider/yahoo.ts

@@ -0,0 +1,45 @@
+/**
+ * Use this provider to authenticate with Yahoo.
+ *
+ * ```ts {5-8}
+ * import { YahooProvider } from "@openauthjs/openauth/provider/yahoo"
+ *
+ * export default issuer({
+ *   providers: {
+ *     yahoo: YahooProvider({
+ *       clientID: "1234567890",
+ *       clientSecret: "0987654321"
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+import { Oauth2Provider, Oauth2WrappedConfig } from "./oauth2.js"
+
+export interface YahooConfig extends Oauth2WrappedConfig {}
+
+/**
+ * Create a Yahoo OAuth2 provider.
+ *
+ * @param config - The config for the provider.
+ * @example
+ * ```ts
+ * YahooProvider({
+ *   clientID: "1234567890",
+ *   clientSecret: "0987654321"
+ * })
+ * ```
+ */
+export function YahooProvider(config: YahooConfig) {
+  return Oauth2Provider({
+    ...config,
+    type: "yahoo",
+    endpoint: {
+      authorization: "https://api.login.yahoo.com/oauth2/request_auth",
+      token: "https://api.login.yahoo.com/oauth2/get_token",
+    },
+  })
+}

package/src/random.ts

@@ -0,0 +1,24 @@
+import { timingSafeEqual } from "node:crypto"
+
+export function generateUnbiasedDigits(length: number): string {
+  const result: number[] = []
+  while (result.length < length) {
+    const buffer = crypto.getRandomValues(new Uint8Array(length * 2))
+    for (const byte of buffer) {
+      if (byte < 250 && result.length < length) {
+        result.push(byte % 10)
+      }
+    }
+  }
+  return result.join("")
+}
+
+export function timingSafeCompare(a: string, b: string): boolean {
+  if (typeof a !== "string" || typeof b !== "string") {
+    return false
+  }
+  if (a.length !== b.length) {
+    return false
+  }
+  return timingSafeEqual(Buffer.from(a), Buffer.from(b))
+}

package/src/storage/aws.ts

@@ -0,0 +1,59 @@
+import { AwsClient } from "aws4fetch"
+
+interface EC2Credentials {
+  AccessKeyId: string
+  SecretAccessKey: string
+  Token: string
+  Expiration: string
+  Type: string
+}
+
+let cachedCredentials: EC2Credentials | null = null
+
+async function getCredentials(url: string): Promise<EC2Credentials> {
+  if (cachedCredentials) {
+    const currentTime = new Date()
+    const fiveMinutesFromNow = new Date(currentTime.getTime() + 5 * 60000)
+    const expirationTime = new Date(cachedCredentials.Expiration)
+    if (expirationTime > fiveMinutesFromNow) {
+      return cachedCredentials
+    }
+  }
+
+  const credentials = (await fetch(url).then((res) =>
+    res.json(),
+  )) as EC2Credentials
+  cachedCredentials = credentials
+  return credentials
+}
+
+export async function client(): Promise<AwsClient> {
+  if (process.env.AWS_ACCESS_KEY_ID && process.env.AWS_SECRET_ACCESS_KEY) {
+    return new AwsClient({
+      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
+      sessionToken: process.env.AWS_SESSION_TOKEN,
+      region: process.env.AWS_REGION,
+    })
+  }
+
+  if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
+    const credentials = await getCredentials(
+      "http://169.254.170.2" +
+        process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,
+    )
+    return new AwsClient({
+      accessKeyId: credentials.AccessKeyId,
+      secretAccessKey: credentials.SecretAccessKey,
+      sessionToken: credentials.Token,
+      region: process.env.AWS_REGION,
+    })
+  }
+
+  throw new Error("No AWS credentials found")
+}
+
+export type AwsOptions = Exclude<
+  Parameters<AwsClient["fetch"]>[1],
+  null | undefined
+>["aws"]

package/src/storage/cloudflare.ts

@@ -0,0 +1,77 @@
+/**
+ * Configure OpenAuth to use [Cloudflare KV](https://developers.cloudflare.com/kv/) as a
+ * storage adapter.
+ *
+ * ```ts
+ * import { CloudflareStorage } from "@openauthjs/openauth/storage/cloudflare"
+ *
+ * const storage = CloudflareStorage({
+ *   namespace: "my-namespace"
+ * })
+ *
+ *
+ * export default issuer({
+ *   storage,
+ *   // ...
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+import type { KVNamespace } from "@cloudflare/workers-types"
+import { joinKey, splitKey, StorageAdapter } from "./storage.js"
+
+/**
+ * Configure the Cloudflare KV store that's created.
+ */
+export interface CloudflareStorageOptions {
+  namespace: KVNamespace
+}
+/**
+ * Creates a Cloudflare KV store.
+ * @param options - The config for the adapter.
+ */
+export function CloudflareStorage(
+  options: CloudflareStorageOptions,
+): StorageAdapter {
+  return {
+    async get(key: string[]) {
+      const value = await options.namespace.get(joinKey(key), "json")
+      if (!value) return
+      return value as Record<string, any>
+    },
+
+    async set(key: string[], value: any, expiry?: Date) {
+      await options.namespace.put(joinKey(key), JSON.stringify(value), {
+        expirationTtl: expiry
+          ? Math.max(Math.floor((expiry.getTime() - Date.now()) / 1000), 60)
+          : undefined,
+      })
+    },
+
+    async remove(key: string[]) {
+      await options.namespace.delete(joinKey(key))
+    },
+
+    async *scan(prefix: string[]) {
+      let cursor: string | undefined
+      while (true) {
+        const result = await options.namespace.list({
+          prefix: joinKey([...prefix, ""]),
+          cursor,
+        })
+
+        for (const key of result.keys) {
+          const value = await options.namespace.get(key.name, "json")
+          if (value !== null) {
+            yield [splitKey(key.name), value]
+          }
+        }
+        if (result.list_complete) {
+          break
+        }
+        cursor = result.cursor
+      }
+    },
+  }
+}

package/src/storage/dynamo.ts

@@ -0,0 +1,193 @@
+/**
+ * Configure OpenAuth to use [DynamoDB](https://aws.amazon.com/dynamodb/) as a storage adapter.
+ *
+ * ```ts
+ * import { DynamoStorage } from "@openauthjs/openauth/storage/dynamo"
+ *
+ * const storage = DynamoStorage({
+ *   table: "my-table",
+ *   pk: "pk",
+ *   sk: "sk"
+ * })
+ *
+ * export default issuer({
+ *   storage,
+ *   // ...
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+import { client } from "./aws.js"
+import { joinKey, StorageAdapter } from "./storage.js"
+
+/**
+ * Configure the DynamoDB table that's created.
+ *
+ * @example
+ * ```ts
+ * {
+ *   table: "my-table",
+ *   pk: "pk",
+ *   sk: "sk"
+ * }
+ * ```
+ */
+export interface DynamoStorageOptions {
+  /**
+   * The name of the DynamoDB table.
+   */
+  table: string
+  /**
+   * The primary key column name.
+   * @default "pk"
+   */
+  pk?: string
+  /**
+   * The sort key column name.
+   * @default "sk"
+   */
+  sk?: string
+  /**
+   * Endpoint URL for the DynamoDB service. Useful for local testing.
+   * @default "https://dynamodb.{region}.amazonaws.com"
+   */
+  endpoint?: string
+  /**
+   * The name of the time to live attribute.
+   * @default "expiry"
+   */
+  ttl?: string
+}
+
+/**
+ * Creates a DynamoDB store.
+ * @param options - The config for the adapter.
+ */
+export function DynamoStorage(options: DynamoStorageOptions): StorageAdapter {
+  const pk = options.pk || "pk"
+  const sk = options.sk || "sk"
+  const ttl = options.ttl || "expiry"
+  const tableName = options.table
+
+  function parseKey(key: string[]) {
+    if (key.length === 2) {
+      return {
+        pk: key[0],
+        sk: key[1],
+      }
+    }
+    return {
+      pk: joinKey(key.slice(0, 2)),
+      sk: joinKey(key.slice(2)),
+    }
+  }
+
+  async function dynamo(action: string, payload: any) {
+    const c = await client()
+    const endpoint =
+      options.endpoint || `https://dynamodb.${c.region}.amazonaws.com`
+    const response = await c.fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-amz-json-1.0",
+        "X-Amz-Target": `DynamoDB_20120810.${action}`,
+      },
+      body: JSON.stringify(payload),
+    })
+
+    if (!response.ok) {
+      throw new Error(`DynamoDB request failed: ${response.statusText}`)
+    }
+
+    return response.json() as Promise<any>
+  }
+
+  return {
+    async get(key: string[]) {
+      const { pk: keyPk, sk: keySk } = parseKey(key)
+      const params = {
+        TableName: tableName,
+        Key: {
+          [pk]: { S: keyPk },
+          [sk]: { S: keySk },
+        },
+      }
+      const result = await dynamo("GetItem", params)
+      if (!result.Item) return
+      if (result.Item[ttl] && result.Item[ttl].N < Date.now() / 1000) {
+        return
+      }
+      return JSON.parse(result.Item.value.S)
+    },
+
+    async set(key: string[], value: any, expiry?: Date) {
+      const parsed = parseKey(key)
+      const params = {
+        TableName: tableName,
+        Item: {
+          [pk]: { S: parsed.pk },
+          [sk]: { S: parsed.sk },
+          ...(expiry
+            ? {
+                [ttl]: { N: Math.floor(expiry.getTime() / 1000).toString() },
+              }
+            : {}),
+          value: { S: JSON.stringify(value) },
+        },
+      }
+      await dynamo("PutItem", params)
+    },
+
+    async remove(key: string[]) {
+      const { pk: keyPk, sk: keySk } = parseKey(key)
+      const params = {
+        TableName: tableName,
+        Key: {
+          [pk]: { S: keyPk },
+          [sk]: { S: keySk },
+        },
+      }
+
+      await dynamo("DeleteItem", params)
+    },
+
+    async *scan(prefix: string[]) {
+      const prefixPk =
+        prefix.length >= 2 ? joinKey(prefix.slice(0, 2)) : prefix[0]
+      const prefixSk = prefix.length > 2 ? joinKey(prefix.slice(2)) : ""
+      let lastEvaluatedKey = undefined
+      const now = Date.now() / 1000
+      while (true) {
+        const params = {
+          TableName: tableName,
+          ExclusiveStartKey: lastEvaluatedKey,
+          KeyConditionExpression: prefixSk
+            ? `#pk = :pk AND begins_with(#sk, :sk)`
+            : `#pk = :pk`,
+          ExpressionAttributeNames: {
+            "#pk": pk,
+            ...(prefixSk && { "#sk": sk }),
+          },
+          ExpressionAttributeValues: {
+            ":pk": { S: prefixPk },
+            ...(prefixSk && { ":sk": { S: prefixSk } }),
+          },
+        }
+
+        const result = await dynamo("Query", params)
+
+        for (const item of result.Items || []) {
+          if (item[ttl] && item[ttl].N < now) {
+            continue
+          }
+          yield [[item[pk].S, item[sk].S], JSON.parse(item.value.S)]
+        }
+
+        if (!result.LastEvaluatedKey) break
+        lastEvaluatedKey = result.LastEvaluatedKey
+      }
+    },
+  }
+}