@amodalai/runtime 0.3.70 → 0.3.72

package/dist/src/auth/strategies/oidc.integration.test.js

@@ -0,0 +1,290 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * End-to-end OIDC test driving the full auth-code+PKCE dance against an
+ * in-process `node-oidc-provider`. Boots a real IdP on a random port,
+ * mounts `OidcAuthStrategy` on a real Express app, and walks login →
+ * IdP /auth → interaction (auto-resolved) → callback → session cookie →
+ * protected route hit. Catches integration bugs that unit tests can't:
+ * cookie wiring, redirect handling, state/PKCE round-trip, callback URL
+ * matching.
+ */
+import http from 'node:http';
+import { randomBytes } from 'node:crypto';
+import express from 'express';
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import Provider from 'oidc-provider';
+import { OidcAuthStrategy } from './oidc.js';
+import { authenticate, authRouter, getSession } from '../compose.js';
+const TEST_USER = {
+    sub: 'user-42',
+    email: 'alice@example.com',
+    name: 'Alice Example',
+};
+async function resolveInteraction(provider, req, res) {
+    const details = await provider.interactionDetails(req, res);
+    if (details.prompt.name === 'login') {
+        await provider.interactionFinished(req, res, { login: { accountId: TEST_USER.sub } }, { mergeWithLastSubmission: false });
+        return;
+    }
+    // consent prompt — grant everything requested
+    const grant = new provider.Grant({
+        accountId: TEST_USER.sub,
+        clientId: 'test-client',
+    });
+    const missingScopes = details.prompt.details['missingOIDCScope'];
+    if (Array.isArray(missingScopes)) {
+        for (const scope of missingScopes) {
+            if (typeof scope === 'string')
+                grant.addOIDCScope(scope);
+        }
+    }
+    const grantId = await grant.save();
+    await provider.interactionFinished(req, res, { consent: { grantId } }, { mergeWithLastSubmission: true });
+}
+async function reservePort() {
+    return new Promise((resolve, reject) => {
+        const s = http.createServer();
+        s.on('error', reject);
+        s.listen(0, '127.0.0.1', () => {
+            const addr = s.address();
+            s.close(() => resolve(addr.port));
+        });
+    });
+}
+async function startIdp(issuerUrl, redirectUri) {
+    const provider = new Provider(issuerUrl, {
+        clients: [
+            {
+                client_id: 'test-client',
+                client_secret: 'test-secret',
+                redirect_uris: [redirectUri],
+                grant_types: ['authorization_code'],
+                response_types: ['code'],
+                token_endpoint_auth_method: 'client_secret_basic',
+            },
+        ],
+        pkce: { required: () => true },
+        findAccount: (_ctx, sub) => ({
+            accountId: sub,
+            claims: () => ({
+                sub,
+                email: TEST_USER.email,
+                name: TEST_USER.name,
+            }),
+        }),
+        cookies: {
+            keys: ['integration-test-cookie-key-please-rotate'],
+        },
+        // Most real IdPs (Okta, Auth0, Azure AD with optional claims) put
+        // scoped claims directly on the id_token. Match that behaviour so
+        // the strategy's `claims['email']` / `claims['name']` reads work.
+        conformIdTokenClaims: false,
+        claims: {
+            openid: ['sub'],
+            email: ['email', 'email_verified'],
+            profile: ['name', 'family_name', 'given_name', 'preferred_username'],
+        },
+        features: {
+            // The full IdP UI isn't relevant to us — we drive interactions via
+            // a custom resolver below.
+            devInteractions: { enabled: false },
+        },
+        // node-oidc-provider redirects to this URL when an interaction
+        // (login / consent) is required. The app provides routes there.
+        interactions: {
+            url: (_ctx, interaction) => `/interaction/${interaction.uid}`,
+        },
+    });
+    const app = express();
+    app.set('trust proxy', true);
+    // Auto-resolve every interaction as "this user has logged in and consented."
+    // Saves us from rendering or POSTing a real form.
+    app.get('/interaction/:uid', (req, res, next) => {
+        void resolveInteraction(provider, req, res).catch(next);
+    });
+    const oidcCallback = provider.callback();
+    app.use((req, res, next) => {
+        void oidcCallback(req, res).catch(next);
+    });
+    // Surface internal failures so the test can print them.
+    app.use((err, _req, res, _next) => {
+        const detail = err instanceof Error ? err.stack ?? err.message : String(err);
+        process.stderr.write(`[idp error] ${detail}\n`);
+        res.status(500).json({ error: detail });
+    });
+    const idpUrl = new URL(issuerUrl);
+    return new Promise((resolve, reject) => {
+        const server = http.createServer(app);
+        server.on('error', reject);
+        server.listen(Number(idpUrl.port), idpUrl.hostname, () => {
+            resolve({
+                url: issuerUrl,
+                close: () => new Promise((closeResolve, closeReject) => {
+                    server.close((err) => (err ? closeReject(err) : closeResolve()));
+                }),
+            });
+        });
+    });
+}
+async function startApp(strategy, port) {
+    const app = express();
+    app.use(authRouter(strategy));
+    app.get('/protected', authenticate(strategy), (_req, res) => {
+        const session = getSession(res);
+        res.json({ user: session?.user, method: session?.method });
+    });
+    return new Promise((resolve, reject) => {
+        const server = http.createServer(app);
+        server.on('error', reject);
+        server.listen(port, '127.0.0.1', () => {
+            resolve({
+                url: `http://127.0.0.1:${port}`,
+                close: () => new Promise((closeResolve, closeReject) => {
+                    server.close((err) => (err ? closeReject(err) : closeResolve()));
+                }),
+            });
+        });
+    });
+}
+function makeCookieJar() {
+    const store = new Map();
+    return {
+        store,
+        header: () => [...store.entries()].map(([name, value]) => `${name}=${value}`).join('; '),
+        ingest(setCookie) {
+            if (!setCookie)
+                return;
+            const list = Array.isArray(setCookie) ? setCookie : [setCookie];
+            for (const raw of list) {
+                const [pair] = raw.split(';');
+                if (!pair)
+                    continue;
+                const eq = pair.indexOf('=');
+                if (eq === -1)
+                    continue;
+                const name = pair.slice(0, eq).trim();
+                const value = pair.slice(eq + 1).trim();
+                if (value === '') {
+                    store.delete(name);
+                }
+                else {
+                    store.set(name, value);
+                }
+            }
+        },
+    };
+}
+async function followRedirects(start, jar, maxHops = 12) {
+    let current = start;
+    const trail = [];
+    for (let i = 0; i < maxHops; i++) {
+        const res = await fetch(current, {
+            redirect: 'manual',
+            headers: jar.store.size > 0 ? { cookie: jar.header() } : {},
+        });
+        const setCookie = res.headers.getSetCookie?.() ?? res.headers.get('set-cookie');
+        jar.ingest(setCookie ?? undefined);
+        trail.push(`${res.status} ${current}`);
+        if (res.status >= 300 && res.status < 400) {
+            const location = res.headers.get('location');
+            if (!location) {
+                return {
+                    status: res.status,
+                    url: current,
+                    headers: headerObject(res.headers),
+                    body: '',
+                    trail,
+                };
+            }
+            current = new URL(location, current).toString();
+            continue;
+        }
+        const body = await res.text();
+        return { status: res.status, url: current, headers: headerObject(res.headers), body, trail };
+    }
+    throw new Error(`Too many redirects starting at ${start}\n${trail.join('\n')}`);
+}
+function headerObject(h) {
+    const out = {};
+    h.forEach((value, key) => {
+        out[key] = value;
+    });
+    return out;
+}
+describe('OidcAuthStrategy — integration', () => {
+    let idp;
+    let app;
+    let strategy;
+    const sessionSecret = randomBytes(32).toString('hex');
+    beforeAll(async () => {
+        // Reserve both ports up front so we can pin issuer + callback URLs
+        // into both the IdP config and the strategy config before either
+        // starts listening.
+        const idpPort = await reservePort();
+        const appPort = await reservePort();
+        const issuerUrl = `http://127.0.0.1:${idpPort}`;
+        const callbackUrl = `http://127.0.0.1:${appPort}/auth/callback`;
+        idp = await startIdp(issuerUrl, callbackUrl);
+        strategy = new OidcAuthStrategy({
+            issuer: issuerUrl,
+            clientId: 'test-client',
+            clientSecret: 'test-secret',
+            callbackUrl,
+            sessionSecret,
+            allowInsecureRequests: true,
+        });
+        app = await startApp(strategy, appPort);
+    }, 30_000);
+    afterAll(async () => {
+        if (app)
+            await app.close();
+        if (idp)
+            await idp.close();
+    });
+    it('rejects an unauthenticated request', async () => {
+        const res = await fetch(`${app.url}/protected`);
+        expect(res.status).toBe(401);
+    });
+    it('discovery doc is reachable on the IdP', async () => {
+        const res = await fetch(`${idp.url}/.well-known/openid-configuration`);
+        expect(res.status).toBe(200);
+        const body = (await res.json());
+        expect(body.issuer).toBe(idp.url);
+    });
+    it('walks the full authorization-code + PKCE dance and authenticates', async () => {
+        const jar = makeCookieJar();
+        // /auth/login → IdP /auth → interaction (auto-resolved twice: login + consent)
+        // → IdP /auth/<uid> → our /auth/callback?code=... → 302 to returnTo ('/').
+        // The trail terminates on the app's '/' (404 here only because the test
+        // app didn't register one — that's fine; what matters is we got back to
+        // the app's domain and the session cookie was issued in the callback hop.
+        const final = await followRedirects(`${app.url}/auth/login`, jar, 20);
+        if (final.status >= 500) {
+            process.stderr.write(`[trail]\n${final.trail.join('\n')}\n[final body] ${final.body}\n`);
+            throw new Error(`Unexpected 5xx during OIDC dance: ${final.status}`);
+        }
+        expect(final.url.startsWith(app.url)).toBe(true);
+        // session cookie should now be set
+        expect(jar.store.has('amodal_session')).toBe(true);
+        // protected route should work with the session cookie
+        const res = await fetch(`${app.url}/protected`, {
+            headers: { cookie: jar.header() },
+        });
+        expect(res.status).toBe(200);
+        const body = (await res.json());
+        expect(body.user.id).toBe(TEST_USER.sub);
+        expect(body.user.email).toBe(TEST_USER.email);
+        expect(body.method).toBe('oidc');
+    }, 30_000);
+    it('rejects a request with a tampered session cookie', async () => {
+        const res = await fetch(`${app.url}/protected`, {
+            headers: { cookie: 'amodal_session=garbage.token.here' },
+        });
+        expect(res.status).toBe(401);
+    });
+});
+//# sourceMappingURL=oidc.integration.test.js.map

package/dist/src/auth/strategies/oidc.integration.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.integration.test.js","sourceRoot":"","sources":["../../../../src/auth/strategies/oidc.integration.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;;;GAQG;AACH,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAC,WAAW,EAAC,MAAM,aAAa,CAAC;AACxC,OAAO,OAAO,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAC,MAAM,QAAQ,CAAC;AACjE,OAAO,QAAQ,MAAM,eAAe,CAAC;AAErC,OAAO,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAC,YAAY,EAAE,UAAU,EAAE,UAAU,EAAC,MAAM,eAAe,CAAC;AAOnE,MAAM,SAAS,GAAG;IAChB,GAAG,EAAE,SAAS;IACd,KAAK,EAAE,mBAAmB;IAC1B,IAAI,EAAE,eAAe;CACtB,CAAC;AAEF,KAAK,UAAU,kBAAkB,CAC/B,QAAkB,EAClB,GAAY,EACZ,GAAa;IAEb,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC5D,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACpC,MAAM,QAAQ,CAAC,mBAAmB,CAChC,GAAG,EACH,GAAG,EACH,EAAC,KAAK,EAAE,EAAC,SAAS,EAAE,SAAS,CAAC,GAAG,EAAC,EAAC,EACnC,EAAC,uBAAuB,EAAE,KAAK,EAAC,CACjC,CAAC;QACF,OAAO;IACT,CAAC;IACD,8CAA8C;IAC9C,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC;QAC/B,SAAS,EAAE,SAAS,CAAC,GAAG;QACxB,QAAQ,EAAE,aAAa;KACxB,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAClC,IAAI,OAAO,KAAK,KAAK,QAAQ;gBAAE,KAAK,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,QAAQ,CAAC,mBAAmB,CAChC,GAAG,EACH,GAAG,EACH,EAAC,OAAO,EAAE,EAAC,OAAO,EAAC,EAAC,EACpB,EAAC,uBAAuB,EAAE,IAAI,EAAC,CAChC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,WAAW;IACxB,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,MAAM,CAAC,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QAC9B,CAAC,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACtB,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YAC5B,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,EAAiB,CAAC;YACxC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,SAAiB,EAAE,WAAmB;IAC5D,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,SAAS,EAAE;QACvC,OAAO,EAAE;YACP;gBACE,SAAS,EAAE,aAAa;gBACxB,aAAa,EAAE,aAAa;gBAC5B,aAAa,EAAE,CAAC,WAAW,CAAC;gBAC5B,WAAW,EAAE,CAAC,oBAAoB,CAAC;gBACnC,cAAc,EAAE,CAAC,MAAM,CAAC;gBACxB,0BAA0B,EAAE,qBAAqB;aAClD;SACF;QACD,IAAI,EAAE,EAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,IAAI,EAAC;QAC5B,WAAW,EAAE,CAAC,IAAa,EAAE,GAAW,EAAE,EAAE,CAAC,CAAC;YAC5C,SAAS,EAAE,GAAG;YACd,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBACb,GAAG;gBACH,KAAK,EAAE,SAAS,CAAC,KAAK;gBACtB,IAAI,EAAE,SAAS,CAAC,IAAI;aACrB,CAAC;SACH,CAAC;QACF,OAAO,EAAE;YACP,IAAI,EAAE,CAAC,2CAA2C,CAAC;SACpD;QACD,kEAAkE;QAClE,kEAAkE;QAClE,kEAAkE;QAClE,oBAAoB,EAAE,KAAK;QAC3B,MAAM,EAAE;YACN,MAAM,EAAE,CAAC,KAAK,CAAC;YACf,KAAK,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC;YAClC,OAAO,EAAE,CAAC,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,oBAAoB,CAAC;SACrE;QACD,QAAQ,EAAE;YACR,mEAAmE;YACnE,2BAA2B;YAC3B,eAAe,EAAE,EAAC,OAAO,EAAE,KAAK,EAAC;SAClC;QACD,+DAA+D;QAC/D,gEAAgE;QAChE,YAAY,EAAE;YACZ,GAAG,EAAE,CAAC,IAAa,EAAE,WAA0B,EAAE,EAAE,CACjD,gBAAgB,WAAW,CAAC,GAAG,EAAE;SACpC;KACF,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IAE7B,6EAA6E;IAC7E,kDAAkD;IAClD,GAAG,CAAC,GAAG,CAAC,mBAAmB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9C,KAAK,kBAAkB,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC;IACzC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,KAAK,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,wDAAwD;IACxD,GAAG,CAAC,GAAG,CACL,CAAC,GAAY,EAAE,IAAa,EAAE,GAAa,EAAE,KAAmB,EAAQ,EAAE;QACxE,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7E,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,MAAM,IAAI,CAAC,CAAC;QAChD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,MAAM,EAAC,CAAC,CAAC;IACxC,CAAC,CACF,CAAC;IAEF,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAClC,OAAO,IAAI,OAAO,CAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACpD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE;YACvD,OAAO,CAAC;gBACN,GAAG,EAAE,SAAS;gBACd,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,YAAY,EAAE,WAAW,EAAE,EAAE;oBAC9C,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;gBACnE,CAAC,CAAC;aACL,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,QAA0B,EAAE,IAAY;IAC9D,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9B,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QAC7E,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAChC,GAAG,CAAC,IAAI,CAAC,EAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAC,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IACH,OAAO,IAAI,OAAO,CAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACpD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE;YACpC,OAAO,CAAC;gBACN,GAAG,EAAE,oBAAoB,IAAI,EAAE;gBAC/B,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,YAAY,EAAE,WAAW,EAAE,EAAE;oBAC9C,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;gBACnE,CAAC,CAAC;aACL,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAQD,SAAS,aAAa;IACpB,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,OAAO;QACL,KAAK;QACL,MAAM,EAAE,GAAG,EAAE,CACX,CAAC,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,IAAI,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;QAC5E,MAAM,CAAC,SAAS;YACd,IAAI,CAAC,SAAS;gBAAE,OAAO;YACvB,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;YAChE,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC9B,IAAI,CAAC,IAAI;oBAAE,SAAS;gBACpB,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAC7B,IAAI,EAAE,KAAK,CAAC,CAAC;oBAAE,SAAS;gBACxB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACtC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACxC,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;oBACjB,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBACrB,CAAC;qBAAM,CAAC;oBACN,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,KAAa,EACb,GAAc,EACd,OAAO,GAAG,EAAE;IAQZ,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;YAC/B,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,EAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,EAAC,CAAC,CAAC,CAAC,EAAE;SAC1D,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAChF,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS,CAAC,CAAC;QACnC,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,OAAO,EAAE,CAAC,CAAC;QACvC,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YAC1C,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO;oBACL,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,GAAG,EAAE,OAAO;oBACZ,OAAO,EAAE,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC;oBAClC,IAAI,EAAE,EAAE;oBACR,KAAK;iBACN,CAAC;YACJ,CAAC;YACD,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;YAChD,SAAS;QACX,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,OAAO,EAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,EAAC,CAAC;IAC7F,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,kCAAkC,KAAK,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAClF,CAAC;AAED,SAAS,YAAY,CAAC,CAAU;IAC9B,MAAM,GAAG,GAAkD,EAAE,CAAC;IAC9D,CAAC,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACvB,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC,CAAC,CAAC;IACH,OAAO,GAAG,CAAC;AACb,CAAC;AAED,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,IAAI,GAAkB,CAAC;IACvB,IAAI,GAAkB,CAAC;IACvB,IAAI,QAA0B,CAAC;IAC/B,MAAM,aAAa,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAEtD,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,mEAAmE;QACnE,iEAAiE;QACjE,oBAAoB;QACpB,MAAM,OAAO,GAAG,MAAM,WAAW,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,MAAM,WAAW,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,oBAAoB,OAAO,EAAE,CAAC;QAChD,MAAM,WAAW,GAAG,oBAAoB,OAAO,gBAAgB,CAAC;QAEhE,GAAG,GAAG,MAAM,QAAQ,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAC7C,QAAQ,GAAG,IAAI,gBAAgB,CAAC;YAC9B,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,aAAa;YACvB,YAAY,EAAE,aAAa;YAC3B,WAAW;YACX,aAAa;YACb,qBAAqB,EAAE,IAAI;SAC5B,CAAC,CAAC;QACH,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC,EAAE,MAAM,CAAC,CAAC;IAEX,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,IAAI,GAAG;YAAE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAC3B,IAAI,GAAG;YAAE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,CAAC,CAAC;QAChD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,mCAAmC,CAAC,CAAC;QACvE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAqB,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;QAE5B,+EAA+E;QAC/E,2EAA2E;QAC3E,wEAAwE;QACxE,wEAAwE;QACxE,0EAA0E;QAC1E,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,GAAG,GAAG,CAAC,GAAG,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACtE,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;YACxB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,YAAY,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,KAAK,CAAC,IAAI,IAAI,CACnE,CAAC;YACF,MAAM,IAAI,KAAK,CAAC,qCAAqC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEjD,mCAAmC;QACnC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEnD,sDAAsD;QACtD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;YAC9C,OAAO,EAAE,EAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,EAAC;SAChC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyD,CAAC;QACxF,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC,EAAE,MAAM,CAAC,CAAC;IAEX,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;YAC9C,OAAO,EAAE,EAAC,MAAM,EAAE,mCAAmC,EAAC;SACvD,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/auth/strategies/oidc.js

@@ -0,0 +1,284 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * OidcAuthStrategy — full OAuth2.1/OIDC dance via `openid-client`.
+ *
+ * Handles:
+ *  - Discovery against the IdP's `.well-known/openid-configuration`
+ *  - Authorization-code + PKCE login flow at `/auth/login`
+ *  - Callback at `/auth/callback` — exchanges code for tokens, verifies
+ *    the id_token, and issues an HMAC-signed session cookie
+ *  - Per-request verification of the session cookie (via JWKS for the
+ *    session JWT — actually HMAC since we sign it ourselves)
+ *  - Optional `authorize(claims)` rule for group/role gating
+ *
+ * Covers Okta, Azure AD, Google Workspace, Auth0 OIDC, OneLogin,
+ * Authentik, Keycloak — anything OIDC-compliant.
+ */
+import { Router } from 'express';
+import rateLimit from 'express-rate-limit';
+import * as oidc from 'openid-client';
+import { SignJWT, jwtVerify } from 'jose';
+const STATE_COOKIE = 'amodal_oauth_state';
+const STATE_TTL_SECONDS = 5 * 60;
+export class OidcAuthStrategy {
+    name = 'oidc';
+    opts;
+    sessionKey;
+    discoveryPromise = null;
+    constructor(options) {
+        this.opts = {
+            issuer: options.issuer,
+            clientId: options.clientId,
+            clientSecret: options.clientSecret,
+            callbackUrl: options.callbackUrl,
+            scopes: options.scopes ?? ['openid', 'email', 'profile'],
+            sessionSecret: options.sessionSecret,
+            cookieName: options.cookieName ?? 'amodal_session',
+            sessionTtlSeconds: options.sessionTtlSeconds ?? 24 * 3600,
+            authMethod: options.authMethod ?? 'oidc',
+            allowInsecureRequests: options.allowInsecureRequests ?? false,
+        };
+        if (options.authorize)
+            this.opts.authorize = options.authorize;
+        this.sessionKey = new TextEncoder().encode(options.sessionSecret);
+    }
+    valid(req) {
+        return readCookie(req, this.opts.cookieName) !== null;
+    }
+    async authenticate(req) {
+        const cookie = readCookie(req, this.opts.cookieName);
+        if (!cookie)
+            return { kind: 'rejected', reason: 'No session cookie' };
+        let payload;
+        try {
+            const result = await jwtVerify(cookie, this.sessionKey, {
+                algorithms: ['HS256'],
+                issuer: 'amodal-runtime',
+            });
+            payload = result.payload;
+        }
+        catch (err) {
+            const detail = err instanceof Error ? err.message : String(err);
+            return { kind: 'rejected', reason: `Session JWT invalid: ${detail}` };
+        }
+        const session = {
+            user: {
+                id: typeof payload['sub'] === 'string' ? payload['sub'] : '',
+                ...(typeof payload['email'] === 'string' ? { email: payload['email'] } : {}),
+                ...(typeof payload['name'] === 'string' ? { name: payload['name'] } : {}),
+            },
+            method: this.opts.authMethod,
+            claims: readClaims(payload['claims']),
+        };
+        return { kind: 'authenticated', session };
+    }
+    routes() {
+        const router = Router();
+        // Rate-limit the OAuth-dance endpoints. Both `/auth/login` and
+        // `/auth/callback` perform authorization side-effects (issuing
+        // signed cookies, exchanging codes with the IdP) and would
+        // otherwise be vulnerable to scrape / discovery flooding /
+        // credential-stuffing-adjacent abuse. Logout doesn't need to be
+        // rate-limited — it only clears a cookie.
+        const authLimiter = rateLimit({
+            windowMs: 15 * 60 * 1000,
+            max: 60,
+            standardHeaders: true,
+            legacyHeaders: false,
+        });
+        router.get('/auth/login', authLimiter, (req, res) => {
+            void this.handleLogin(req, res);
+        });
+        router.get('/auth/callback', authLimiter, (req, res) => {
+            void this.handleCallback(req, res);
+        });
+        router.post('/auth/logout', (_req, res) => {
+            clearCookie(res, this.opts.cookieName);
+            res.json({ ok: true });
+        });
+        return router;
+    }
+    // ---- internals ----------------------------------------------------------
+    async config() {
+        if (!this.discoveryPromise) {
+            this.discoveryPromise = oidc.discovery(new URL(this.opts.issuer), this.opts.clientId, this.opts.clientSecret, undefined, this.opts.allowInsecureRequests
+                ? { execute: [oidc.allowInsecureRequests] }
+                : undefined);
+        }
+        return this.discoveryPromise;
+    }
+    async handleLogin(req, res) {
+        try {
+            const config = await this.config();
+            const codeVerifier = oidc.randomPKCECodeVerifier();
+            const codeChallenge = await oidc.calculatePKCECodeChallenge(codeVerifier);
+            const state = oidc.randomState();
+            const returnTo = typeof req.query['return_to'] === 'string' ? req.query['return_to'] : '/';
+            // Stash state + codeVerifier + return_to in a short-lived signed cookie
+            // so the callback can recover them without server-side state.
+            const stateCookie = await new SignJWT({
+                state,
+                codeVerifier,
+                returnTo,
+            })
+                .setProtectedHeader({ alg: 'HS256' })
+                .setIssuer('amodal-runtime')
+                .setIssuedAt()
+                .setExpirationTime(`${STATE_TTL_SECONDS}s`)
+                .sign(this.sessionKey);
+            setCookie(res, STATE_COOKIE, stateCookie, STATE_TTL_SECONDS);
+            const url = oidc.buildAuthorizationUrl(config, {
+                redirect_uri: this.opts.callbackUrl,
+                scope: this.opts.scopes.join(' '),
+                code_challenge: codeChallenge,
+                code_challenge_method: 'S256',
+                state,
+            });
+            res.redirect(url.href);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            res.status(500).json({ error: { code: 'OIDC_LOGIN_FAILED', message } });
+        }
+    }
+    async handleCallback(req, res) {
+        try {
+            const stateCookie = readCookie(req, STATE_COOKIE);
+            if (!stateCookie) {
+                res.status(400).json({ error: { code: 'NO_STATE', message: 'OAuth state cookie missing' } });
+                return;
+            }
+            let stateClaims;
+            try {
+                const verified = await jwtVerify(stateCookie, this.sessionKey, {
+                    algorithms: ['HS256'],
+                    issuer: 'amodal-runtime',
+                });
+                stateClaims = verified.payload;
+            }
+            catch (err) {
+                const detail = err instanceof Error ? err.message : String(err);
+                res.status(400).json({ error: { code: 'BAD_STATE', message: `OAuth state invalid: ${detail}` } });
+                return;
+            }
+            clearCookie(res, STATE_COOKIE);
+            const expectedState = typeof stateClaims['state'] === 'string' ? stateClaims['state'] : '';
+            const codeVerifier = typeof stateClaims['codeVerifier'] === 'string' ? stateClaims['codeVerifier'] : '';
+            const returnTo = typeof stateClaims['returnTo'] === 'string' ? stateClaims['returnTo'] : '/';
+            if (!expectedState || !codeVerifier) {
+                res.status(400).json({ error: { code: 'BAD_STATE', message: 'State payload malformed' } });
+                return;
+            }
+            const config = await this.config();
+            const fullUrl = new URL(req.originalUrl, `${req.protocol}://${req.get('host') ?? 'localhost'}`);
+            const tokens = await oidc.authorizationCodeGrant(config, fullUrl, {
+                pkceCodeVerifier: codeVerifier,
+                expectedState,
+            });
+            const claims = tokens.claims();
+            if (!claims) {
+                res.status(401).json({ error: { code: 'NO_CLAIMS', message: 'id_token missing claims' } });
+                return;
+            }
+            const user = await this.resolveUser(claims);
+            if (!user) {
+                res.status(403).json({ error: { code: 'FORBIDDEN', message: 'User not authorized for this agent' } });
+                return;
+            }
+            const sessionJwt = await new SignJWT({
+                sub: user.id,
+                ...(user.email ? { email: user.email } : {}),
+                ...(user.name ? { name: user.name } : {}),
+                claims: { ...claims },
+            })
+                .setProtectedHeader({ alg: 'HS256' })
+                .setIssuer('amodal-runtime')
+                .setSubject(user.id)
+                .setIssuedAt()
+                .setExpirationTime(`${this.opts.sessionTtlSeconds}s`)
+                .sign(this.sessionKey);
+            setCookie(res, this.opts.cookieName, sessionJwt, this.opts.sessionTtlSeconds);
+            res.redirect(returnTo);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            res.status(500).json({ error: { code: 'OIDC_CALLBACK_FAILED', message } });
+        }
+    }
+    async resolveUser(claims) {
+        if (this.opts.authorize) {
+            const result = await this.opts.authorize(claims);
+            return result;
+        }
+        const id = typeof claims['sub'] === 'string' ? claims['sub'] : null;
+        if (!id)
+            return null;
+        const out = { id };
+        if (typeof claims['email'] === 'string')
+            out.email = claims['email'];
+        if (typeof claims['name'] === 'string')
+            out.name = claims['name'];
+        return out;
+    }
+}
+/**
+ * Defensive narrowing for the `claims` blob we round-trip through the
+ * session JWT. Anything other than a plain object yields an empty
+ * record; avoids a blanket `as Record<string, unknown>` cast on data
+ * that started life as JSON.
+ */
+function readClaims(raw) {
+    if (raw == null || typeof raw !== 'object' || Array.isArray(raw))
+        return {};
+    const out = {};
+    for (const [k, v] of Object.entries(raw))
+        out[k] = v;
+    return out;
+}
+function readCookie(req, name) {
+    const header = req.headers['cookie'];
+    if (typeof header !== 'string' || header.length === 0)
+        return null;
+    for (const pair of header.split(';')) {
+        const trimmed = pair.trim();
+        const eq = trimmed.indexOf('=');
+        if (eq === -1)
+            continue;
+        if (trimmed.slice(0, eq) !== name)
+            continue;
+        const value = trimmed.slice(eq + 1);
+        return value.length > 0 ? decodeURIComponent(value) : null;
+    }
+    return null;
+}
+function setCookie(res, name, value, ttlSeconds) {
+    const parts = [
+        `${name}=${encodeURIComponent(value)}`,
+        'Path=/',
+        `Max-Age=${ttlSeconds}`,
+        'HttpOnly',
+        'Secure',
+        'SameSite=Lax',
+    ];
+    appendSetCookie(res, parts.join('; '));
+}
+function clearCookie(res, name) {
+    appendSetCookie(res, `${name}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`);
+}
+function appendSetCookie(res, value) {
+    const existing = res.getHeader('Set-Cookie');
+    if (existing == null) {
+        res.setHeader('Set-Cookie', value);
+        return;
+    }
+    if (Array.isArray(existing)) {
+        res.setHeader('Set-Cookie', [...existing, value]);
+        return;
+    }
+    res.setHeader('Set-Cookie', [String(existing), value]);
+}
+//# sourceMappingURL=oidc.js.map

package/dist/src/auth/strategies/oidc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../../../../src/auth/strategies/oidc.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAC,MAAM,EAAC,MAAM,SAAS,CAAC;AAE/B,OAAO,SAAS,MAAM,oBAAoB,CAAC;AAC3C,OAAO,KAAK,IAAI,MAAM,eAAe,CAAC;AACtC,OAAO,EAAC,OAAO,EAAE,SAAS,EAAC,MAAM,MAAM,CAAC;AA+BxC,MAAM,YAAY,GAAG,oBAAoB,CAAC;AAC1C,MAAM,iBAAiB,GAAG,CAAC,GAAG,EAAE,CAAC;AAEjC,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,MAAM,CAAC;IACN,IAAI,CAMnB;IACe,UAAU,CAAa;IAChC,gBAAgB,GAAuC,IAAI,CAAC;IAEpE,YAAY,OAAgC;QAC1C,IAAI,CAAC,IAAI,GAAG;YACV,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC;YACxD,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,gBAAgB;YAClD,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,IAAI,EAAE,GAAG,IAAI;YACzD,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,MAAM;YACxC,qBAAqB,EAAE,OAAO,CAAC,qBAAqB,IAAI,KAAK;SAC9D,CAAC;QACF,IAAI,OAAO,CAAC,SAAS;YAAE,IAAI,CAAC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QAC/D,IAAI,CAAC,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACpE,CAAC;IAED,KAAK,CAAC,GAAY;QAChB,OAAO,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY;QAC7B,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACrD,IAAI,CAAC,MAAM;YAAE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,mBAAmB,EAAC,CAAC;QAEpE,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE;gBACtD,UAAU,EAAE,CAAC,OAAO,CAAC;gBACrB,MAAM,EAAE,gBAAgB;aACzB,CAAC,CAAC;YACH,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,OAAO,EAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,wBAAwB,MAAM,EAAE,EAAC,CAAC;QACtE,CAAC;QAED,MAAM,OAAO,GAAgB;YAC3B,IAAI,EAAE;gBACJ,EAAE,EAAE,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE;gBAC5D,GAAG,CAAC,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAC,KAAK,EAAE,OAAO,CAAC,OAAO,CAAC,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1E,GAAG,CAAC,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;aACxE;YACD,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU;YAC5B,MAAM,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;SACtC,CAAC;QACF,OAAO,EAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAC,CAAC;IAC1C,CAAC;IAED,MAAM;QACJ,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,+DAA+D;QAC/D,+DAA+D;QAC/D,2DAA2D;QAC3D,2DAA2D;QAC3D,gEAAgE;QAChE,0CAA0C;QAC1C,MAAM,WAAW,GAAG,SAAS,CAAC;YAC5B,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;YACxB,GAAG,EAAE,EAAE;YACP,eAAe,EAAE,IAAI;YACrB,aAAa,EAAE,KAAK;SACrB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAClD,KAAK,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,gBAAgB,EAAE,WAAW,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACrD,KAAK,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YACxC,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACvC,GAAG,CAAC,IAAI,CAAC,EAAC,EAAE,EAAE,IAAI,EAAC,CAAC,CAAC;QACvB,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,4EAA4E;IAEpE,KAAK,CAAC,MAAM;QAClB,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3B,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,SAAS,CACpC,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EACzB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAClB,IAAI,CAAC,IAAI,CAAC,YAAY,EACtB,SAAS,EACT,IAAI,CAAC,IAAI,CAAC,qBAAqB;gBAC7B,CAAC,CAAC,EAAC,OAAO,EAAE,CAAC,IAAI,CAAC,qBAAqB,CAAC,EAAC;gBACzC,CAAC,CAAC,SAAS,CACd,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,GAAY,EAAE,GAAa;QACnD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;YACnC,MAAM,YAAY,GAAG,IAAI,CAAC,sBAAsB,EAAE,CAAC;YACnD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,0BAA0B,CAAC,YAAY,CAAC,CAAC;YAC1E,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,OAAO,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YAE3F,wEAAwE;YACxE,8DAA8D;YAC9D,MAAM,WAAW,GAAG,MAAM,IAAI,OAAO,CAAC;gBACpC,KAAK;gBACL,YAAY;gBACZ,QAAQ;aACT,CAAC;iBACC,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;iBAClC,SAAS,CAAC,gBAAgB,CAAC;iBAC3B,WAAW,EAAE;iBACb,iBAAiB,CAAC,GAAG,iBAAiB,GAAG,CAAC;iBAC1C,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAEzB,SAAS,CAAC,GAAG,EAAE,YAAY,EAAE,WAAW,EAAE,iBAAiB,CAAC,CAAC;YAE7D,MAAM,GAAG,GAAG,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE;gBAC7C,YAAY,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW;gBACnC,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;gBACjC,cAAc,EAAE,aAAa;gBAC7B,qBAAqB,EAAE,MAAM;gBAC7B,KAAK;aACN,CAAC,CAAC;YACH,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACzB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAC,EAAC,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,GAAY,EAAE,GAAa;QACtD,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,UAAU,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAClD,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,4BAA4B,EAAC,EAAC,CAAC,CAAC;gBACzF,OAAO;YACT,CAAC;YAED,IAAI,WAAuB,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE;oBAC7D,UAAU,EAAE,CAAC,OAAO,CAAC;oBACrB,MAAM,EAAE,gBAAgB;iBACzB,CAAC,CAAC;gBACH,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAChE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,wBAAwB,MAAM,EAAE,EAAC,EAAC,CAAC,CAAC;gBAC9F,OAAO;YACT,CAAC;YAED,WAAW,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAE/B,MAAM,aAAa,GAAG,OAAO,WAAW,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3F,MAAM,YAAY,GAAG,OAAO,WAAW,CAAC,cAAc,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACxG,MAAM,QAAQ,GAAG,OAAO,WAAW,CAAC,UAAU,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YAC7F,IAAI,CAAC,aAAa,IAAI,CAAC,YAAY,EAAE,CAAC;gBACpC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,yBAAyB,EAAC,EAAC,CAAC,CAAC;gBACvF,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,CAAC;YAChG,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,OAAO,EAAE;gBAChE,gBAAgB,EAAE,YAAY;gBAC9B,aAAa;aACd,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;YAC/B,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,yBAAyB,EAAC,EAAC,CAAC,CAAC;gBACvF,OAAO;YACT,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,oCAAoC,EAAC,EAAC,CAAC,CAAC;gBAClG,OAAO;YACT,CAAC;YAED,MAAM,UAAU,GAAG,MAAM,IAAI,OAAO,CAAC;gBACnC,GAAG,EAAE,IAAI,CAAC,EAAE;gBACZ,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1C,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvC,MAAM,EAAE,EAAC,GAAG,MAAM,EAAC;aACpB,CAAC;iBACC,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAC,CAAC;iBAClC,SAAS,CAAC,gBAAgB,CAAC;iBAC3B,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;iBACnB,WAAW,EAAE;iBACb,iBAAiB,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,iBAAiB,GAAG,CAAC;iBACpD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAEzB,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC9E,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,EAAC,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAC,EAAC,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,MAAkB;QAC1C,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACxB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YACjD,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,MAAM,EAAE,GAAG,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACpE,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QACrB,MAAM,GAAG,GAAwB,EAAC,EAAE,EAAC,CAAC;QACtC,IAAI,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,QAAQ;YAAE,GAAG,CAAC,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;QACrE,IAAI,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,QAAQ;YAAE,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;QAClE,OAAO,GAAG,CAAC;IACb,CAAC;CACF;AAED;;;;;GAKG;AACH,SAAS,UAAU,CAAC,GAAY;IAC9B,IAAI,GAAG,IAAI,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IAC5E,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACrD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,UAAU,CAAC,GAAY,EAAE,IAAY;IAC5C,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnE,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,EAAE,KAAK,CAAC,CAAC;YAAE,SAAS;QACxB,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,IAAI;YAAE,SAAS;QAC5C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QACpC,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,SAAS,CAAC,GAAa,EAAE,IAAY,EAAE,KAAa,EAAE,UAAkB;IAC/E,MAAM,KAAK,GAAG;QACZ,GAAG,IAAI,IAAI,kBAAkB,CAAC,KAAK,CAAC,EAAE;QACtC,QAAQ;QACR,WAAW,UAAU,EAAE;QACvB,UAAU;QACV,QAAQ;QACR,cAAc;KACf,CAAC;IACF,eAAe,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,WAAW,CAAC,GAAa,EAAE,IAAY;IAC9C,eAAe,CAAC,GAAG,EAAE,GAAG,IAAI,sDAAsD,CAAC,CAAC;AACtF,CAAC;AAED,SAAS,eAAe,CAAC,GAAa,EAAE,KAAa;IACnD,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IAC7C,IAAI,QAAQ,IAAI,IAAI,EAAE,CAAC;QACrB,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QACnC,OAAO;IACT,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5B,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;QAClD,OAAO;IACT,CAAC;IACD,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AACzD,CAAC"}

package/dist/src/auth/strategies/oidc.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export {};