@_mustachio/openauth 0.6.0

package/dist/esm/provider/passkey.js

@@ -0,0 +1,315 @@
+// src/provider/passkey.ts
+import {
+  generateRegistrationOptions,
+  verifyRegistrationResponse,
+  generateAuthenticationOptions,
+  verifyAuthenticationResponse
+} from "@simplewebauthn/server";
+import { Storage } from "../storage/storage.js";
+function uint8ArrayToBase64Url(bytes) {
+  let str = "";
+  for (const charCode of bytes) {
+    str += String.fromCharCode(charCode);
+  }
+  const base64String = btoa(str);
+  return base64String.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64UrlToUint8Array(base64urlString) {
+  const base64 = base64urlString.replace(/-/g, "+").replace(/_/g, "/");
+  const padLength = (4 - base64.length % 4) % 4;
+  const padded = base64.padEnd(base64.length + padLength, "=");
+  const binary = atob(padded);
+  const buffer = new ArrayBuffer(binary.length);
+  const bytes = new Uint8Array(buffer);
+  for (let i = 0;i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+var userKey = (userId) => ["passkey", "user", userId];
+var passkeyKey = (userId, credentialId) => [
+  "passkey",
+  "user",
+  userId,
+  "credential",
+  credentialId,
+  "passkey"
+];
+var optionsKey = (userId) => ["passkey", "user", userId, "options"];
+var userPasskeysIndexKey = (userId) => [
+  "passkey",
+  "user",
+  userId,
+  "passkeys"
+];
+var DEFAULT_COPY = {
+  error_user_not_allowed: "There is already an account with this email. Login to add a passkey."
+};
+function PasskeyProvider(config) {
+  const copy = {
+    ...DEFAULT_COPY,
+    ...config.copy
+  };
+  return {
+    type: "passkey",
+    init(routes, ctx) {
+      const {
+        rpName,
+        authenticatorSelection,
+        attestationType = "none",
+        timeout = 5 * 60 * 1000
+      } = config;
+      async function getStoredUserById(userId) {
+        return await Storage.get(ctx.storage, userKey(userId));
+      }
+      async function saveUser(user) {
+        await Storage.set(ctx.storage, userKey(user.id), user);
+      }
+      async function getStoredPasskeyById(userId, credentialID) {
+        const storedPasskey = await Storage.get(ctx.storage, passkeyKey(userId, credentialID));
+        if (!storedPasskey)
+          return null;
+        return {
+          ...storedPasskey,
+          publicKey: base64UrlToUint8Array(storedPasskey.publicKey)
+        };
+      }
+      async function getStoredUserPasskeys(userId) {
+        const passkeyIds = await Storage.get(ctx.storage, userPasskeysIndexKey(userId)) || [];
+        const passkeys = [];
+        for (const id of passkeyIds) {
+          const pk = await getStoredPasskeyById(userId, id);
+          if (pk)
+            passkeys.push(pk);
+        }
+        return passkeys;
+      }
+      async function saveNewStoredPasskey(passkeyData) {
+        const storablePasskey = {
+          ...passkeyData,
+          publicKey: uint8ArrayToBase64Url(passkeyData.publicKey)
+        };
+        await Storage.set(ctx.storage, passkeyKey(passkeyData.userId, passkeyData.id), storablePasskey);
+        const passkeyIds = await Storage.get(ctx.storage, userPasskeysIndexKey(passkeyData.userId)) || [];
+        if (!passkeyIds.includes(passkeyData.id)) {
+          passkeyIds.push(passkeyData.id);
+          await Storage.set(ctx.storage, userPasskeysIndexKey(passkeyData.userId), passkeyIds);
+        }
+      }
+      async function updateStoredPasskeyCounter(userId, credentialID, newCounter) {
+        const passkey = await getStoredPasskeyById(userId, credentialID);
+        if (passkey) {
+          passkey.counter = newCounter;
+          const storablePasskey = {
+            ...passkey,
+            publicKey: uint8ArrayToBase64Url(passkey.publicKey)
+          };
+          await Storage.set(ctx.storage, passkeyKey(userId, credentialID), storablePasskey);
+        }
+      }
+      routes.get("/authorize", async (c) => {
+        return ctx.forward(c, await config.authorize(c.req.raw));
+      });
+      routes.get("/register", async (c) => {
+        return ctx.forward(c, await config.register(c.req.raw));
+      });
+      routes.get("/register-request", async (c) => {
+        const userId = c.req.query("userId");
+        const rpID = config.rpID || c.req.query("rpID");
+        const otherDevice = c.req.query("otherDevice") === "true";
+        if (!userId) {
+          return c.json({ error: "User ID for registration is required." }, 400);
+        }
+        if (!rpID) {
+          return c.json({ error: "RP ID for registration is required." }, 400);
+        }
+        const username = c.req.query("username") || userId;
+        let user = await getStoredUserById(userId);
+        if (config.userCanRegisterPasskey) {
+          const isAllowed = await config.userCanRegisterPasskey(userId, c.req.raw);
+          if (!isAllowed) {
+            return c.json({
+              error: copy.error_user_not_allowed
+            }, 403);
+          }
+        }
+        if (!user) {
+          user = { id: userId, username };
+          await saveUser(user);
+        }
+        const userPasskeys = await getStoredUserPasskeys(user.id);
+        const regOptions = await generateRegistrationOptions({
+          rpName,
+          rpID,
+          userName: user.username,
+          attestationType,
+          excludeCredentials: userPasskeys.map((pk) => ({
+            id: pk.id,
+            transports: pk.transports
+          })),
+          authenticatorSelection: authenticatorSelection ?? {
+            residentKey: "preferred",
+            userVerification: "preferred",
+            authenticatorAttachment: otherDevice ? "cross-platform" : "platform"
+          },
+          timeout
+        });
+        await Storage.set(ctx.storage, optionsKey(user.id), regOptions);
+        return c.json(regOptions);
+      });
+      routes.post("/register-verify", async (c) => {
+        const body = await c.req.json();
+        const { userId } = c.req.query();
+        const rpID = config.rpID || c.req.query("rpID");
+        const origin = config.origin || c.req.query("origin");
+        if (!userId) {
+          return c.json({
+            verified: false,
+            error: "User ID for verification is required."
+          }, 400);
+        }
+        if (!rpID) {
+          return c.json({ error: "RP ID for verification is required." }, 400);
+        }
+        if (!origin) {
+          return c.json({ error: "Origin for verification is required." }, 400);
+        }
+        const user = await getStoredUserById(userId);
+        if (!user) {
+          return c.json({ verified: false, error: "User not found during verification." }, 404);
+        }
+        const regOptions = await Storage.get(ctx.storage, optionsKey(user.id));
+        if (!regOptions) {
+          return c.json({ verified: false, error: "Registration options not found." }, 400);
+        }
+        const challenge = regOptions.challenge;
+        let verification;
+        try {
+          verification = await verifyRegistrationResponse({
+            response: body,
+            expectedChallenge: challenge,
+            expectedOrigin: origin,
+            expectedRPID: rpID,
+            requireUserVerification: authenticatorSelection?.userVerification !== "discouraged"
+          });
+        } catch (error) {
+          console.error("Passkey Registration Verification Error:", error);
+          return c.json({ verified: false, error: error.message }, 400);
+        }
+        const { verified, registrationInfo } = verification;
+        if (verified && registrationInfo) {
+          const { credential, credentialDeviceType, credentialBackedUp } = registrationInfo;
+          if (credential) {
+            const newPasskey = {
+              id: credential.id,
+              userId: user.id,
+              webauthnUserID: regOptions.user.id,
+              publicKey: credential.publicKey,
+              counter: credential.counter,
+              transports: credential.transports,
+              deviceType: credentialDeviceType,
+              backedUp: credentialBackedUp
+            };
+            await saveNewStoredPasskey(newPasskey);
+            return ctx.success(c, {
+              userId: user.id,
+              credentialId: newPasskey.id,
+              verified: true
+            });
+          }
+        }
+        return c.json({ verified: false, error: "Registration verification failed." }, 400);
+      });
+      routes.get("/authenticate-options", async (c) => {
+        const { userId } = c.req.query();
+        if (!userId) {
+          return c.json({ error: "User ID for authentication is required." }, 400);
+        }
+        const rpID = config.rpID || c.req.query("rpID");
+        if (!rpID) {
+          return c.json({ error: "RP ID for authentication is required." }, 400);
+        }
+        const userForAuth = await getStoredUserById(userId);
+        if (!userForAuth) {
+          return c.json({ error: "User not found for authentication." }, 404);
+        }
+        const userPasskeys = await getStoredUserPasskeys(userForAuth.id);
+        const allowCredentialsList = userPasskeys.map((pk) => ({
+          id: pk.id,
+          transports: pk.transports
+        }));
+        const authOptions = await generateAuthenticationOptions({
+          rpID,
+          allowCredentials: allowCredentialsList,
+          userVerification: authenticatorSelection?.userVerification ?? "preferred",
+          timeout
+        });
+        await Storage.set(ctx.storage, optionsKey(userForAuth.id), authOptions);
+        return c.json(authOptions);
+      });
+      routes.post("/authenticate-verify", async (c) => {
+        const body = await c.req.json();
+        const { userId } = c.req.query();
+        if (!userId) {
+          return c.json({ error: "User ID for authentication is required." }, 400);
+        }
+        const rpID = config.rpID || c.req.query("rpID");
+        if (!rpID) {
+          return c.json({ error: "RP ID for authentication is required." }, 400);
+        }
+        const origin = config.origin || c.req.query("origin");
+        if (!origin) {
+          return c.json({ error: "Origin for authentication is required." }, 400);
+        }
+        const user = await getStoredUserById(userId);
+        if (!user) {
+          return c.json({ verified: false, error: `User ${userId} not found.` }, 404);
+        }
+        const authOptions = await Storage.get(ctx.storage, optionsKey(user.id));
+        if (!authOptions) {
+          return c.json({ error: "Authentication options not found." }, 400);
+        }
+        const passkey = await getStoredPasskeyById(userId, body.id);
+        if (!passkey) {
+          return c.json({
+            verified: false,
+            error: `Passkey ${body.id} not found for user ${user.username}.`
+          }, 400);
+        }
+        const { publicKey, counter, transports } = passkey;
+        if (!publicKey || typeof counter !== "number" || !transports) {
+          return c.json({ error: "Passkey not found for authentication." }, 400);
+        }
+        const challenge = authOptions.challenge;
+        if (!challenge) {
+          return c.json({ error: "Authentication challenge not found." }, 400);
+        }
+        const verification = await verifyAuthenticationResponse({
+          response: body,
+          expectedChallenge: challenge,
+          expectedOrigin: origin || "",
+          expectedRPID: rpID,
+          credential: {
+            id: passkey.id,
+            publicKey,
+            counter,
+            transports
+          }
+        });
+        const { verified, authenticationInfo } = verification;
+        if (verified) {
+          await updateStoredPasskeyCounter(user.id, passkey.id, authenticationInfo.newCounter);
+          return ctx.success(c, {
+            userId: user.id,
+            credentialId: passkey.id,
+            verified: true
+          });
+        }
+        return c.json({ verified: false, error: "Authentication verification failed." }, 400);
+      });
+    }
+  };
+}
+export {
+  PasskeyProvider
+};

package/dist/esm/provider/password.js

@@ -0,0 +1,306 @@
+// src/provider/password.ts
+import { UnknownStateError } from "../error.js";
+import { Storage } from "../storage/storage.js";
+import { generateUnbiasedDigits, timingSafeCompare } from "../random.js";
+import * as jose from "jose";
+import { TextEncoder } from "node:util";
+import { timingSafeEqual, randomBytes, scrypt } from "node:crypto";
+import { getRelativeUrl } from "../util.js";
+function PasswordProvider(config) {
+  const hasher = config.hasher ?? ScryptHasher();
+  function generate() {
+    return generateUnbiasedDigits(6);
+  }
+  return {
+    type: "password",
+    init(routes, ctx) {
+      routes.get("/authorize", async (c) => ctx.forward(c, await config.login(c.req.raw)));
+      routes.post("/authorize", async (c) => {
+        const fd = await c.req.formData();
+        async function error(err) {
+          return ctx.forward(c, await config.login(c.req.raw, fd, err));
+        }
+        const email = fd.get("email")?.toString()?.toLowerCase();
+        if (!email)
+          return error({ type: "invalid_email" });
+        const hash = await Storage.get(ctx.storage, [
+          "email",
+          email,
+          "password"
+        ]);
+        const password = fd.get("password")?.toString();
+        if (!password || !hash || !await hasher.verify(password, hash))
+          return error({ type: "invalid_password" });
+        return ctx.success(c, {
+          email
+        }, {
+          invalidate: async (subject) => {
+            await Storage.set(ctx.storage, ["email", email, "subject"], subject);
+          }
+        });
+      });
+      routes.get("/register", async (c) => {
+        const state = {
+          type: "start"
+        };
+        await ctx.set(c, "provider", 60 * 60 * 24, state);
+        return ctx.forward(c, await config.register(c.req.raw, state));
+      });
+      routes.post("/register", async (c) => {
+        const fd = await c.req.formData();
+        const email = fd.get("email")?.toString()?.toLowerCase();
+        const action = fd.get("action")?.toString();
+        const provider = await ctx.get(c, "provider");
+        async function transition(next, err) {
+          await ctx.set(c, "provider", 60 * 60 * 24, next);
+          return ctx.forward(c, await config.register(c.req.raw, next, fd, err));
+        }
+        if (action === "register" && provider.type === "start") {
+          const password = fd.get("password")?.toString();
+          const repeat = fd.get("repeat")?.toString();
+          if (!email)
+            return transition(provider, { type: "invalid_email" });
+          if (!password)
+            return transition(provider, { type: "invalid_password" });
+          if (password !== repeat)
+            return transition(provider, { type: "password_mismatch" });
+          if (config.validatePassword) {
+            let validationError;
+            try {
+              if (typeof config.validatePassword === "function") {
+                validationError = await config.validatePassword(password);
+              } else {
+                const res = await config.validatePassword["~standard"].validate(password);
+                if (res.issues?.length) {
+                  throw new Error(res.issues.map((issue) => issue.message).join(", "));
+                }
+              }
+            } catch (error) {
+              validationError = error instanceof Error ? error.message : undefined;
+            }
+            if (validationError)
+              return transition(provider, {
+                type: "validation_error",
+                message: validationError
+              });
+          }
+          const existing = await Storage.get(ctx.storage, [
+            "email",
+            email,
+            "password"
+          ]);
+          if (existing)
+            return transition(provider, { type: "email_taken" });
+          const code = generate();
+          await config.sendCode(email, code);
+          return transition({
+            type: "code",
+            code,
+            password: await hasher.hash(password),
+            email
+          });
+        }
+        if (action === "register" && provider.type === "code") {
+          const code = generate();
+          await config.sendCode(provider.email, code);
+          return transition({
+            type: "code",
+            code,
+            password: provider.password,
+            email: provider.email
+          });
+        }
+        if (action === "verify" && provider.type === "code") {
+          const code = fd.get("code")?.toString();
+          if (!code || !timingSafeCompare(code, provider.code))
+            return transition(provider, { type: "invalid_code" });
+          const existing = await Storage.get(ctx.storage, [
+            "email",
+            provider.email,
+            "password"
+          ]);
+          if (existing)
+            return transition({ type: "start" }, { type: "email_taken" });
+          await Storage.set(ctx.storage, ["email", provider.email, "password"], provider.password);
+          return ctx.success(c, {
+            email: provider.email
+          });
+        }
+        return transition({ type: "start" });
+      });
+      routes.get("/change", async (c) => {
+        let redirect = c.req.query("redirect_uri") || getRelativeUrl(c, "./authorize");
+        const state = {
+          type: "start",
+          redirect
+        };
+        await ctx.set(c, "provider", 60 * 60 * 24, state);
+        return ctx.forward(c, await config.change(c.req.raw, state));
+      });
+      routes.post("/change", async (c) => {
+        const fd = await c.req.formData();
+        const action = fd.get("action")?.toString();
+        const provider = await ctx.get(c, "provider");
+        if (!provider)
+          throw new UnknownStateError;
+        async function transition(next, err) {
+          await ctx.set(c, "provider", 60 * 60 * 24, next);
+          return ctx.forward(c, await config.change(c.req.raw, next, fd, err));
+        }
+        if (action === "code") {
+          const email = fd.get("email")?.toString()?.toLowerCase();
+          if (!email)
+            return transition({ type: "start", redirect: provider.redirect }, { type: "invalid_email" });
+          const code = generate();
+          await config.sendCode(email, code);
+          return transition({
+            type: "code",
+            code,
+            email,
+            redirect: provider.redirect
+          });
+        }
+        if (action === "verify" && provider.type === "code") {
+          const code = fd.get("code")?.toString();
+          if (!code || !timingSafeCompare(code, provider.code))
+            return transition(provider, { type: "invalid_code" });
+          return transition({
+            type: "update",
+            email: provider.email,
+            redirect: provider.redirect
+          });
+        }
+        if (action === "update" && provider.type === "update") {
+          const existing = await Storage.get(ctx.storage, [
+            "email",
+            provider.email,
+            "password"
+          ]);
+          if (!existing)
+            return c.redirect(provider.redirect, 302);
+          const password = fd.get("password")?.toString();
+          const repeat = fd.get("repeat")?.toString();
+          if (!password)
+            return transition(provider, { type: "invalid_password" });
+          if (password !== repeat)
+            return transition(provider, { type: "password_mismatch" });
+          if (config.validatePassword) {
+            let validationError;
+            try {
+              if (typeof config.validatePassword === "function") {
+                validationError = await config.validatePassword(password);
+              } else {
+                const res = await config.validatePassword["~standard"].validate(password);
+                if (res.issues?.length) {
+                  throw new Error(res.issues.map((issue) => issue.message).join(", "));
+                }
+              }
+            } catch (error) {
+              validationError = error instanceof Error ? error.message : undefined;
+            }
+            if (validationError)
+              return transition(provider, {
+                type: "validation_error",
+                message: validationError
+              });
+          }
+          await Storage.set(ctx.storage, ["email", provider.email, "password"], await hasher.hash(password));
+          const subject = await Storage.get(ctx.storage, [
+            "email",
+            provider.email,
+            "subject"
+          ]);
+          if (subject)
+            await ctx.invalidate(subject);
+          return c.redirect(provider.redirect, 302);
+        }
+        return transition({ type: "start", redirect: provider.redirect });
+      });
+    }
+  };
+}
+function PBKDF2Hasher(opts) {
+  const iterations = opts?.iterations ?? 600000;
+  return {
+    async hash(password) {
+      const encoder = new TextEncoder;
+      const bytes = encoder.encode(password);
+      const salt = crypto.getRandomValues(new Uint8Array(16));
+      const keyMaterial = await crypto.subtle.importKey("raw", bytes, "PBKDF2", false, ["deriveBits"]);
+      const hash = await crypto.subtle.deriveBits({
+        name: "PBKDF2",
+        hash: "SHA-256",
+        salt,
+        iterations
+      }, keyMaterial, 256);
+      const hashBase64 = jose.base64url.encode(new Uint8Array(hash));
+      const saltBase64 = jose.base64url.encode(salt);
+      return {
+        hash: hashBase64,
+        salt: saltBase64,
+        iterations
+      };
+    },
+    async verify(password, compare) {
+      const encoder = new TextEncoder;
+      const passwordBytes = encoder.encode(password);
+      const salt = jose.base64url.decode(compare.salt);
+      const params = {
+        name: "PBKDF2",
+        hash: "SHA-256",
+        salt,
+        iterations: compare.iterations
+      };
+      const keyMaterial = await crypto.subtle.importKey("raw", passwordBytes, "PBKDF2", false, ["deriveBits"]);
+      const hash = await crypto.subtle.deriveBits(params, keyMaterial, 256);
+      const hashBase64 = jose.base64url.encode(new Uint8Array(hash));
+      return hashBase64 === compare.hash;
+    }
+  };
+}
+function ScryptHasher(opts) {
+  const N = opts?.N ?? 16384;
+  const r = opts?.r ?? 8;
+  const p = opts?.p ?? 1;
+  return {
+    async hash(password) {
+      const salt = randomBytes(16);
+      const keyLength = 32;
+      const derivedKey = await new Promise((resolve, reject) => {
+        scrypt(password, salt, keyLength, { N, r, p }, (err, derivedKey2) => {
+          if (err)
+            reject(err);
+          else
+            resolve(derivedKey2);
+        });
+      });
+      const hashBase64 = derivedKey.toString("base64");
+      const saltBase64 = salt.toString("base64");
+      return {
+        hash: hashBase64,
+        salt: saltBase64,
+        N,
+        r,
+        p
+      };
+    },
+    async verify(password, compare) {
+      const salt = Buffer.from(compare.salt, "base64");
+      const keyLength = 32;
+      const derivedKey = await new Promise((resolve, reject) => {
+        scrypt(password, salt, keyLength, { N: compare.N, r: compare.r, p: compare.p }, (err, derivedKey2) => {
+          if (err)
+            reject(err);
+          else
+            resolve(derivedKey2);
+        });
+      });
+      return timingSafeEqual(derivedKey, Buffer.from(compare.hash, "base64"));
+    }
+  };
+}
+export {
+  ScryptHasher,
+  PasswordProvider,
+  PBKDF2Hasher
+};

package/dist/esm/provider/provider.js

@@ -0,0 +1,10 @@
+// src/provider/provider.ts
+class ProviderError extends Error {
+}
+
+class ProviderUnknownError extends ProviderError {
+}
+export {
+  ProviderUnknownError,
+  ProviderError
+};

package/dist/esm/provider/slack.js

@@ -0,0 +1,15 @@
+// src/provider/slack.ts
+import { Oauth2Provider } from "./oauth2.js";
+function SlackProvider(config) {
+  return Oauth2Provider({
+    ...config,
+    type: "slack",
+    endpoint: {
+      authorization: "https://slack.com/openid/connect/authorize",
+      token: "https://slack.com/api/openid.connect.token"
+    }
+  });
+}
+export {
+  SlackProvider
+};

package/dist/esm/provider/spotify.js

@@ -0,0 +1,15 @@
+// src/provider/spotify.ts
+import { Oauth2Provider } from "./oauth2.js";
+function SpotifyProvider(config) {
+  return Oauth2Provider({
+    ...config,
+    type: "spotify",
+    endpoint: {
+      authorization: "https://accounts.spotify.com/authorize",
+      token: "https://accounts.spotify.com/api/token"
+    }
+  });
+}
+export {
+  SpotifyProvider
+};

package/dist/esm/provider/twitch.js

@@ -0,0 +1,15 @@
+// src/provider/twitch.ts
+import { Oauth2Provider } from "./oauth2.js";
+function TwitchProvider(config) {
+  return Oauth2Provider({
+    type: "twitch",
+    ...config,
+    endpoint: {
+      authorization: "https://id.twitch.tv/oauth2/authorize",
+      token: "https://id.twitch.tv/oauth2/token"
+    }
+  });
+}
+export {
+  TwitchProvider
+};

package/dist/esm/provider/x.js

@@ -0,0 +1,16 @@
+// src/provider/x.ts
+import { Oauth2Provider } from "./oauth2.js";
+function XProvider(config) {
+  return Oauth2Provider({
+    ...config,
+    type: "x",
+    endpoint: {
+      authorization: "https://twitter.com/i/oauth2/authorize",
+      token: "https://api.x.com/2/oauth2/token"
+    },
+    pkce: true
+  });
+}
+export {
+  XProvider
+};