@_mustachio/openauth 0.6.0

package/dist/esm/pkce.js

@@ -0,0 +1,35 @@
+// src/pkce.ts
+import { base64url } from "jose";
+function generateVerifier(length) {
+  const buffer = new Uint8Array(length);
+  crypto.getRandomValues(buffer);
+  return base64url.encode(buffer);
+}
+async function generateChallenge(verifier, method) {
+  if (method === "plain")
+    return verifier;
+  const encoder = new TextEncoder;
+  const data = encoder.encode(verifier);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return base64url.encode(new Uint8Array(hash));
+}
+async function generatePKCE(length = 64) {
+  if (length < 43 || length > 128) {
+    throw new Error("Code verifier length must be between 43 and 128 characters");
+  }
+  const verifier = generateVerifier(length);
+  const challenge = await generateChallenge(verifier, "S256");
+  return {
+    verifier,
+    challenge,
+    method: "S256"
+  };
+}
+async function validatePKCE(verifier, challenge, method = "S256") {
+  const generatedChallenge = await generateChallenge(verifier, method);
+  return generatedChallenge === challenge;
+}
+export {
+  validatePKCE,
+  generatePKCE
+};

package/dist/esm/provider/apple.js

@@ -0,0 +1,28 @@
+// src/provider/apple.ts
+import { Oauth2Provider } from "./oauth2.js";
+import { OidcProvider } from "./oidc.js";
+function AppleProvider(config) {
+  const { responseMode, ...restConfig } = config;
+  const additionalQuery = responseMode === "form_post" ? { response_mode: "form_post", ...config.query } : config.query || {};
+  return Oauth2Provider({
+    ...restConfig,
+    type: "apple",
+    endpoint: {
+      authorization: "https://appleid.apple.com/auth/authorize",
+      token: "https://appleid.apple.com/auth/token",
+      jwks: "https://appleid.apple.com/auth/keys"
+    },
+    query: additionalQuery
+  });
+}
+function AppleOidcProvider(config) {
+  return OidcProvider({
+    ...config,
+    type: "apple",
+    issuer: "https://appleid.apple.com"
+  });
+}
+export {
+  AppleProvider,
+  AppleOidcProvider
+};

package/dist/esm/provider/arctic.js

@@ -0,0 +1,43 @@
+// src/provider/arctic.ts
+import { OauthError } from "../error.js";
+import { getRelativeUrl } from "../util.js";
+function ArcticProvider(provider, config) {
+  function getClient(c) {
+    const callback = new URL(c.req.url);
+    const pathname = callback.pathname.replace(/authorize.*$/, "callback");
+    const url = getRelativeUrl(c, pathname);
+    return new provider(config.clientID, config.clientSecret, url);
+  }
+  return {
+    type: "arctic",
+    init(routes, ctx) {
+      routes.get("/authorize", async (c) => {
+        const client = getClient(c);
+        const state = crypto.randomUUID();
+        await ctx.set(c, "provider", 60 * 10, {
+          state
+        });
+        return c.redirect(client.createAuthorizationURL(state, config.scopes));
+      });
+      routes.get("/callback", async (c) => {
+        const client = getClient(c);
+        const provider2 = await ctx.get(c, "provider");
+        if (!provider2)
+          return c.redirect("../authorize");
+        const code = c.req.query("code");
+        const state = c.req.query("state");
+        if (!code)
+          throw new Error("Missing code");
+        if (state !== provider2.state)
+          throw new OauthError("invalid_request", "Invalid state");
+        const tokens = await client.validateAuthorizationCode(code);
+        return ctx.success(c, {
+          tokenset: tokens
+        });
+      });
+    }
+  };
+}
+export {
+  ArcticProvider
+};

package/dist/esm/provider/code.js

@@ -0,0 +1,58 @@
+// src/provider/code.ts
+import { generateUnbiasedDigits, timingSafeCompare } from "../random.js";
+function CodeProvider(config) {
+  const length = config.length || 6;
+  function generate() {
+    return generateUnbiasedDigits(length);
+  }
+  return {
+    type: "code",
+    init(routes, ctx) {
+      async function transition(c, next, fd, err) {
+        await ctx.set(c, "provider", 60 * 60 * 24, next);
+        const resp = ctx.forward(c, await config.request(c.req.raw, next, fd, err));
+        return resp;
+      }
+      routes.get("/authorize", async (c) => {
+        const resp = await transition(c, {
+          type: "start"
+        });
+        return resp;
+      });
+      routes.post("/authorize", async (c) => {
+        const code = generate();
+        const fd = await c.req.formData();
+        const state = await ctx.get(c, "provider");
+        const action = fd.get("action")?.toString();
+        if (action === "request" || action === "resend") {
+          const claims = Object.fromEntries(fd);
+          delete claims.action;
+          const err = await config.sendCode(claims, code);
+          if (err)
+            return transition(c, { type: "start" }, fd, err);
+          return transition(c, {
+            type: "code",
+            resend: action === "resend",
+            claims,
+            code
+          }, fd);
+        }
+        if (fd.get("action")?.toString() === "verify" && state.type === "code") {
+          const fd2 = await c.req.formData();
+          const compare = fd2.get("code")?.toString();
+          if (!state.code || !compare || !timingSafeCompare(state.code, compare)) {
+            return transition(c, {
+              ...state,
+              resend: false
+            }, fd2, { type: "invalid_code" });
+          }
+          await ctx.unset(c, "provider");
+          return ctx.forward(c, await ctx.success(c, { claims: state.claims }));
+        }
+      });
+    }
+  };
+}
+export {
+  CodeProvider
+};

package/dist/esm/provider/cognito.js

@@ -0,0 +1,16 @@
+// src/provider/cognito.ts
+import { Oauth2Provider } from "./oauth2.js";
+function CognitoProvider(config) {
+  const domain = `${config.domain}.auth.${config.region}.amazoncognito.com`;
+  return Oauth2Provider({
+    type: "cognito",
+    ...config,
+    endpoint: {
+      authorization: `https://${domain}/oauth2/authorize`,
+      token: `https://${domain}/oauth2/token`
+    }
+  });
+}
+export {
+  CognitoProvider
+};

package/dist/esm/provider/discord.js

@@ -0,0 +1,15 @@
+// src/provider/discord.ts
+import { Oauth2Provider } from "./oauth2.js";
+function DiscordProvider(config) {
+  return Oauth2Provider({
+    type: "discord",
+    ...config,
+    endpoint: {
+      authorization: "https://discord.com/oauth2/authorize",
+      token: "https://discord.com/api/oauth2/token"
+    }
+  });
+}
+export {
+  DiscordProvider
+};

package/dist/esm/provider/facebook.js

@@ -0,0 +1,24 @@
+// src/provider/facebook.ts
+import { Oauth2Provider } from "./oauth2.js";
+import { OidcProvider } from "./oidc.js";
+function FacebookProvider(config) {
+  return Oauth2Provider({
+    ...config,
+    type: "facebook",
+    endpoint: {
+      authorization: "https://www.facebook.com/v12.0/dialog/oauth",
+      token: "https://graph.facebook.com/v12.0/oauth/access_token"
+    }
+  });
+}
+function FacebookOidcProvider(config) {
+  return OidcProvider({
+    ...config,
+    type: "facebook",
+    issuer: "https://graph.facebook.com"
+  });
+}
+export {
+  FacebookProvider,
+  FacebookOidcProvider
+};

package/dist/esm/provider/github.js

@@ -0,0 +1,15 @@
+// src/provider/github.ts
+import { Oauth2Provider } from "./oauth2.js";
+function GithubProvider(config) {
+  return Oauth2Provider({
+    ...config,
+    type: "github",
+    endpoint: {
+      authorization: "https://github.com/login/oauth/authorize",
+      token: "https://github.com/login/oauth/access_token"
+    }
+  });
+}
+export {
+  GithubProvider
+};

package/dist/esm/provider/google.js

@@ -0,0 +1,25 @@
+// src/provider/google.ts
+import { Oauth2Provider } from "./oauth2.js";
+import { OidcProvider } from "./oidc.js";
+function GoogleProvider(config) {
+  return Oauth2Provider({
+    ...config,
+    type: "google",
+    endpoint: {
+      authorization: "https://accounts.google.com/o/oauth2/v2/auth",
+      token: "https://oauth2.googleapis.com/token",
+      jwks: "https://www.googleapis.com/oauth2/v3/certs"
+    }
+  });
+}
+function GoogleOidcProvider(config) {
+  return OidcProvider({
+    ...config,
+    type: "google",
+    issuer: "https://accounts.google.com"
+  });
+}
+export {
+  GoogleProvider,
+  GoogleOidcProvider
+};

package/dist/esm/provider/index.js

@@ -0,0 +1,3 @@
+// src/provider/index.ts
+export * from "./code.js";
+export * from "./spotify.js";

package/dist/esm/provider/jumpcloud.js

@@ -0,0 +1,15 @@
+// src/provider/jumpcloud.ts
+import { Oauth2Provider } from "./oauth2.js";
+function JumpCloudProvider(config) {
+  return Oauth2Provider({
+    type: "jumpcloud",
+    ...config,
+    endpoint: {
+      authorization: "https://oauth.id.jumpcloud.com/oauth2/auth",
+      token: "https://oauth.id.jumpcloud.com/oauth2/token"
+    }
+  });
+}
+export {
+  JumpCloudProvider
+};

package/dist/esm/provider/keycloak.js

@@ -0,0 +1,15 @@
+// src/provider/keycloak.ts
+import { Oauth2Provider } from "./oauth2.js";
+function KeycloakProvider(config) {
+  const baseConfig = {
+    ...config,
+    endpoint: {
+      authorization: `${config.baseUrl}/realms/${config.realm}/protocol/openid-connect/auth`,
+      token: `${config.baseUrl}/realms/${config.realm}/protocol/openid-connect/token`
+    }
+  };
+  return Oauth2Provider(baseConfig);
+}
+export {
+  KeycloakProvider
+};

package/dist/esm/provider/linkedin.js

@@ -0,0 +1,15 @@
+// src/provider/linkedin.ts
+import { Oauth2Provider } from "./oauth2.js";
+function LinkedInAdapter(config) {
+  return Oauth2Provider({
+    ...config,
+    type: "linkedin",
+    endpoint: {
+      authorization: "https://www.linkedin.com/oauth/v2/authorization",
+      token: "https://www.linkedin.com/oauth/v2/accessToken"
+    }
+  });
+}
+export {
+  LinkedInAdapter
+};

package/dist/esm/provider/m2m.js

@@ -0,0 +1,17 @@
+// src/provider/m2m.ts
+function M2MProvider(config) {
+  return {
+    type: "m2m",
+    init() {
+    },
+    async client(input) {
+      const result = await config.verify(input.clientID, input.clientSecret, input.params);
+      if (!result)
+        throw new Error("Invalid client credentials");
+      return result;
+    }
+  };
+}
+export {
+  M2MProvider
+};

package/dist/esm/provider/microsoft.js

@@ -0,0 +1,24 @@
+// src/provider/microsoft.ts
+import { Oauth2Provider } from "./oauth2.js";
+import { OidcProvider } from "./oidc.js";
+function MicrosoftProvider(config) {
+  return Oauth2Provider({
+    ...config,
+    type: "microsoft",
+    endpoint: {
+      authorization: `https://login.microsoftonline.com/${config?.tenant}/oauth2/v2.0/authorize`,
+      token: `https://login.microsoftonline.com/${config?.tenant}/oauth2/v2.0/token`
+    }
+  });
+}
+function MicrosoftOidcProvider(config) {
+  return OidcProvider({
+    ...config,
+    type: "microsoft",
+    issuer: "https://graph.microsoft.com/oidc/userinfo"
+  });
+}
+export {
+  MicrosoftProvider,
+  MicrosoftOidcProvider
+};

package/dist/esm/provider/oauth2.js

@@ -0,0 +1,119 @@
+// src/provider/oauth2.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import { OauthError } from "../error.js";
+import { generatePKCE } from "../pkce.js";
+import { getRelativeUrl } from "../util.js";
+function Oauth2Provider(config) {
+  const query = config.query || {};
+  async function handleCallbackLogic(c, ctx, provider, code) {
+    if (!provider || !code) {
+      return c.redirect(getRelativeUrl(c, "./authorize"));
+    }
+    const body = new URLSearchParams({
+      client_id: config.clientID,
+      client_secret: config.clientSecret,
+      code,
+      grant_type: "authorization_code",
+      redirect_uri: provider.redirect,
+      ...provider.codeVerifier ? { code_verifier: provider.codeVerifier } : {}
+    });
+    const json = await fetch(config.endpoint.token, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      },
+      body: body.toString()
+    }).then((r) => r.json());
+    if ("error" in json) {
+      throw new OauthError(json.error, json.error_description);
+    }
+    let idTokenPayload = null;
+    if (config.endpoint.jwks) {
+      const jwksEndpoint = new URL(config.endpoint.jwks);
+      const jwks = createRemoteJWKSet(jwksEndpoint);
+      const { payload } = await jwtVerify(json.id_token, jwks, {
+        audience: config.clientID
+      });
+      idTokenPayload = payload;
+    }
+    return ctx.success(c, {
+      clientID: config.clientID,
+      tokenset: {
+        get access() {
+          return json.access_token;
+        },
+        get refresh() {
+          return json.refresh_token;
+        },
+        get expiry() {
+          return json.expires_in;
+        },
+        get id() {
+          if (!idTokenPayload)
+            return null;
+          return idTokenPayload;
+        },
+        get raw() {
+          return json;
+        }
+      }
+    });
+  }
+  return {
+    type: config.type || "oauth2",
+    init(routes, ctx) {
+      routes.get("/authorize", async (c) => {
+        const state = crypto.randomUUID();
+        const pkce = config.pkce ? await generatePKCE() : undefined;
+        await ctx.set(c, "provider", 60 * 10, {
+          state,
+          redirect: getRelativeUrl(c, "./callback"),
+          codeVerifier: pkce?.verifier
+        });
+        const authorization = new URL(config.endpoint.authorization);
+        authorization.searchParams.set("client_id", config.clientID);
+        authorization.searchParams.set("redirect_uri", getRelativeUrl(c, "./callback"));
+        authorization.searchParams.set("response_type", "code");
+        authorization.searchParams.set("state", state);
+        authorization.searchParams.set("scope", config.scopes.join(" "));
+        if (pkce) {
+          authorization.searchParams.set("code_challenge", pkce.challenge);
+          authorization.searchParams.set("code_challenge_method", pkce.method);
+        }
+        for (const [key, value] of Object.entries(query)) {
+          authorization.searchParams.set(key, value);
+        }
+        return c.redirect(authorization.toString());
+      });
+      routes.get("/callback", async (c) => {
+        const provider = await ctx.get(c, "provider");
+        const code = c.req.query("code");
+        const state = c.req.query("state");
+        const error = c.req.query("error");
+        if (error)
+          throw new OauthError(error.toString(), c.req.query("error_description")?.toString() || "");
+        if (!provider || !code || provider.state && state !== provider.state) {
+          return c.redirect(getRelativeUrl(c, "./authorize"));
+        }
+        return handleCallbackLogic(c, ctx, provider, code);
+      });
+      routes.post("/callback", async (c) => {
+        const provider = await ctx.get(c, "provider");
+        const formData = await c.req.formData();
+        const code = formData.get("code")?.toString();
+        const state = formData.get("state")?.toString();
+        const error = formData.get("error")?.toString();
+        if (error)
+          throw new OauthError(error, formData.get("error_description")?.toString() || "");
+        if (!provider || !code || provider.state && state !== provider.state) {
+          return c.redirect(getRelativeUrl(c, "./authorize"));
+        }
+        return handleCallbackLogic(c, ctx, provider, code);
+      });
+    }
+  };
+}
+export {
+  Oauth2Provider
+};

package/dist/esm/provider/oidc.js

@@ -0,0 +1,69 @@
+// src/provider/oidc.ts
+import { createLocalJWKSet, jwtVerify } from "jose";
+import { OauthError } from "../error.js";
+import { getRelativeUrl, lazy } from "../util.js";
+function OidcProvider(config) {
+  const query = config.query || {};
+  const scopes = config.scopes || [];
+  const wk = lazy(() => fetch(config.issuer + "/.well-known/openid-configuration").then(async (r) => {
+    if (!r.ok)
+      throw new Error(await r.text());
+    return r.json();
+  }));
+  const jwks = lazy(() => wk().then((r) => r.jwks_uri).then(async (uri) => {
+    const r = await fetch(uri);
+    if (!r.ok)
+      throw new Error(await r.text());
+    return createLocalJWKSet(await r.json());
+  }));
+  return {
+    type: config.type || "oidc",
+    init(routes, ctx) {
+      routes.get("/authorize", async (c) => {
+        const provider = {
+          state: crypto.randomUUID(),
+          nonce: crypto.randomUUID(),
+          redirect: getRelativeUrl(c, "./callback")
+        };
+        await ctx.set(c, "provider", 60 * 10, provider);
+        const authorization = new URL(await wk().then((r) => r.authorization_endpoint));
+        authorization.searchParams.set("client_id", config.clientID);
+        authorization.searchParams.set("response_type", "id_token");
+        authorization.searchParams.set("response_mode", "form_post");
+        authorization.searchParams.set("state", provider.state);
+        authorization.searchParams.set("nonce", provider.nonce);
+        authorization.searchParams.set("redirect_uri", provider.redirect);
+        authorization.searchParams.set("scope", ["openid", ...scopes].join(" "));
+        for (const [key, value] of Object.entries(query)) {
+          authorization.searchParams.set(key, value);
+        }
+        return c.redirect(authorization.toString());
+      });
+      routes.post("/callback", async (c) => {
+        const provider = await ctx.get(c, "provider");
+        if (!provider)
+          return c.redirect(getRelativeUrl(c, "./authorize"));
+        const body = await c.req.formData();
+        const error = body.get("error");
+        if (error)
+          throw new OauthError(error.toString(), body.get("error_description")?.toString() || "");
+        const idToken = body.get("id_token");
+        if (!idToken)
+          throw new OauthError("invalid_request", "Missing id_token");
+        const result = await jwtVerify(idToken.toString(), await jwks(), {
+          audience: config.clientID
+        });
+        if (result.payload.nonce !== provider.nonce) {
+          throw new OauthError("invalid_request", "Invalid nonce");
+        }
+        return ctx.success(c, {
+          id: result.payload,
+          clientID: config.clientID
+        });
+      });
+    }
+  };
+}
+export {
+  OidcProvider
+};