@aooth/auth-moost 0.1.15 → 0.1.17

package/dist/atscript/index.d.mts

@@ -1,2 +1,2 @@
-import { C as SetPasswordForm, E as WithInlineConsentForm, S as Select2faForm, T as TermsBumpForm, _ as ProveControlForm, a as EmailIdentifierForm, b as RecoveryModeSelectForm, c as EnrollPickMethodForm, d as LoginCredentialsForm, f as MagicLinkRequestForm, g as PincodeForm, h as PasswordReauthForm, i as ConcurrencyLimitForm, l as EnrollTotpQrForm, m as MfaCodeForm, n as AskPhoneForm, o as EnrollAddressForm, p as ManageMfaForm, r as ChangePasswordForm, s as EnrollConfirmForm, t as AskEmailForm, u as InviteForm, v as ProveControlOtpForm, w as SignupForm, x as RemoveMfaConfirmForm, y as RecoveryFactorForm } from "../forms-11EDZgS1.mjs";
-export { AskEmailForm, AskPhoneForm, ChangePasswordForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, EnrollTotpQrForm, InviteForm, LoginCredentialsForm, MagicLinkRequestForm, ManageMfaForm, MfaCodeForm, PasswordReauthForm, PincodeForm, ProveControlForm, ProveControlOtpForm, RecoveryFactorForm, RecoveryModeSelectForm, RemoveMfaConfirmForm, Select2faForm, SetPasswordForm, SignupForm, TermsBumpForm, WithInlineConsentForm };
+import { C as Select2faForm, D as WithInlineConsentForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, b as RecoveryFactorForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, p as MagicLinkRequestForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, x as RecoveryModeSelectForm, y as ProveControlOtpForm } from "../forms-D7ZfanKT.mjs";
+export { AskEmailForm, AskPhoneForm, AuthorizeConsentForm, ChangePasswordForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, EnrollTotpQrForm, InviteForm, LoginCredentialsForm, MagicLinkRequestForm, ManageMfaForm, MfaCodeForm, PasswordReauthForm, PincodeForm, ProveControlForm, ProveControlOtpForm, RecoveryFactorForm, RecoveryModeSelectForm, RemoveMfaConfirmForm, Select2faForm, SetPasswordForm, SignupForm, TermsBumpForm, WithInlineConsentForm };

package/dist/atscript/index.mjs

@@ -1,2 +1,2 @@
-import { C as SetPasswordForm, E as WithInlineConsentForm, S as Select2faForm, T as TermsBumpForm, _ as ProveControlForm, a as EmailIdentifierForm, b as RecoveryModeSelectForm, c as EnrollPickMethodForm, d as LoginCredentialsForm, f as MagicLinkRequestForm, g as PincodeForm, h as PasswordReauthForm, i as ConcurrencyLimitForm, l as EnrollTotpQrForm, m as MfaCodeForm, n as AskPhoneForm, o as EnrollAddressForm, p as ManageMfaForm, r as ChangePasswordForm, s as EnrollConfirmForm, t as AskEmailForm, u as InviteForm, v as ProveControlOtpForm, w as SignupForm, x as RemoveMfaConfirmForm, y as RecoveryFactorForm } from "../forms-11EDZgS1.mjs";
-export { AskEmailForm, AskPhoneForm, ChangePasswordForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, EnrollTotpQrForm, InviteForm, LoginCredentialsForm, MagicLinkRequestForm, ManageMfaForm, MfaCodeForm, PasswordReauthForm, PincodeForm, ProveControlForm, ProveControlOtpForm, RecoveryFactorForm, RecoveryModeSelectForm, RemoveMfaConfirmForm, Select2faForm, SetPasswordForm, SignupForm, TermsBumpForm, WithInlineConsentForm };
+import { C as Select2faForm, D as WithInlineConsentForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, b as RecoveryFactorForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, p as MagicLinkRequestForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, x as RecoveryModeSelectForm, y as ProveControlOtpForm } from "../forms-D7ZfanKT.mjs";
+export { AskEmailForm, AskPhoneForm, AuthorizeConsentForm, ChangePasswordForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, EnrollTotpQrForm, InviteForm, LoginCredentialsForm, MagicLinkRequestForm, ManageMfaForm, MfaCodeForm, PasswordReauthForm, PincodeForm, ProveControlForm, ProveControlOtpForm, RecoveryFactorForm, RecoveryModeSelectForm, RemoveMfaConfirmForm, Select2faForm, SetPasswordForm, SignupForm, TermsBumpForm, WithInlineConsentForm };

package/dist/{forms-11EDZgS1.mjs → forms-D7ZfanKT.mjs}

@@ -234,6 +234,15 @@ var ProveControlOtpForm = class {
 		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
 	}
 };
+var AuthorizeConsentForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "AuthorizeConsentForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
 defineAnnotatedType("object", WithInlineConsentForm).prop("consents", defineAnnotatedType("array").of(defineAnnotatedType().designType("string").tags("string").$type).annotate("meta.label", "Pending consents").annotate("ui.form.component", "AsConsentArray").annotate("ui.form.fn.attr", {
 	name: "pendingConsents",
 	fn: "(_, _d, ctx) => ctx.public?.consents?.pending"
@@ -304,7 +313,7 @@ defineAnnotatedType("object", SetPasswordForm).prop("consents", defineAnnotatedT
 }, true).annotate("ui.form.fn.attr", {
 	name: "password",
 	fn: "(_, data) => data.newPassword"
-}, true).annotate("ui.form.grid.colSpan", { desktop: "12" }).$type).annotate("ui.form.fn.title", "(_, _d, ctx) => ctx.public?.password?.heading || \"Set your password\"").annotate("wf.context.pass", "public", true);
+}, true).annotate("ui.form.grid.colSpan", { desktop: "12" }).$type).annotate("ui.form.fn.title", "(_, ctx) => ctx.public?.password?.heading || \"Set your password\"").annotate("wf.context.pass", "public", true);
 defineAnnotatedType("object", InviteForm).prop("email", defineAnnotatedType().designType("string").tags("email", "string").annotate("ui.form.order", 10).annotate("ui.form.type", "text").annotate("meta.label", "Email").annotate("ui.form.autocomplete", "email").annotate("meta.required", {}).annotate("expect.pattern", {
 	pattern: "^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$",
 	flags: "",
@@ -355,7 +364,7 @@ defineAnnotatedType("object", EnrollAddressForm).prop("address", defineAnnotated
 }).annotate("ui.form.fn.hidden", "() => true").optional().$type).prop("useDifferentMethod", defineAnnotatedType().designType("phantom").tags("action", "ui").annotate("ui.form.action", {
 	id: "useDifferentMethod",
 	label: "Use a different method"
-}).annotate("ui.form.fn.hidden", "(_, _d, ctx) => (ctx.public?.mfaEnroll?.availableTransports?.length ?? 0) < 2 || ctx.public?.mfaEnroll?.mode === \"manage\"").optional().$type).annotate("ui.form.fn.title", "(_, _d, ctx) => ctx.public?.mfaEnroll?.method === \"sms\" ? \"Add your phone number\" : \"Add your email\"").annotate("meta.description", "We will send you a one-time code to confirm.").annotate("wf.context.pass", "public", true).annotate("ui.form.submit.text", "Send code");
+}).annotate("ui.form.fn.hidden", "(_, _d, ctx) => (ctx.public?.mfaEnroll?.availableTransports?.length ?? 0) < 2 || ctx.public?.mfaEnroll?.mode === \"manage\"").optional().$type).annotate("ui.form.fn.title", "(_, ctx) => ctx.public?.mfaEnroll?.method === \"sms\" ? \"Add your phone number\" : \"Add your email\"").annotate("meta.description", "We will send you a one-time code to confirm.").annotate("wf.context.pass", "public", true).annotate("ui.form.submit.text", "Send code");
 defineAnnotatedType("object", EnrollConfirmForm).prop("transportHint", defineAnnotatedType().designType("phantom").tags("paragraph", "ui").annotate("ui.form.order", 1).annotate("ui.form.fn.value", "(_, _d, ctx) => ctx.public?.mfaEnroll?.method === \"totp\" ? \"Enter the 6-digit code from your authenticator app.\" : ctx.public?.pincode?.sentTo ? \"Code sent to \" + ctx.public.pincode.sentTo + \". Enter it below to confirm.\" : \"Enter the code to confirm enrollment.\"").optional().$type).prop("code", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.order", 10).annotate("ui.form.type", "text").annotate("meta.label", "Code").annotate("ui.form.autocomplete", "one-time-code").annotate("meta.required", {}).annotate("expect.minLength", { length: 4 }).annotate("expect.maxLength", { length: 12 }).annotate("expect.pattern", { pattern: "^[0-9]+$" }, true).$type).prop("resend", defineAnnotatedType().designType("phantom").tags("action", "ui").annotate("ui.form.action", {
 	id: "resend",
 	label: "Resend code"
@@ -417,7 +426,7 @@ defineAnnotatedType("object", ChangePasswordForm).prop("intro", defineAnnotatedT
 }, true).annotate("ui.form.fn.attr", {
 	name: "password",
 	fn: "(_, data) => data.newPassword"
-}, true).annotate("ui.form.grid.colSpan", { desktop: "12" }).$type).annotate("ui.form.fn.title", "(_, _d, ctx) => ctx.public?.password?.heading || \"Change your password\"").annotate("ui.form.submit.text", "Change password").annotate("wf.context.pass", "public", true);
+}, true).annotate("ui.form.grid.colSpan", { desktop: "12" }).$type).annotate("ui.form.fn.title", "(_, ctx) => ctx.public?.password?.heading || \"Change your password\"").annotate("ui.form.submit.text", "Change password").annotate("wf.context.pass", "public", true);
 defineAnnotatedType("object", ProveControlForm).prop("intro", defineAnnotatedType().designType("phantom").tags("paragraph", "ui").annotate("ui.form.order", 5).annotate("ui.form.fn.value", "(_, _d, ctx) => ctx.public?.proveControl?.hint ? \"An account for \" + ctx.public.proveControl.hint + \" already exists. Enter its password to link this sign-in method.\" : \"Enter your existing account password to link this sign-in method.\"").$type).prop("password", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.order", 10).annotate("ui.form.type", "password").annotate("meta.label", "Password").annotate("ui.form.autocomplete", "current-password").annotate("meta.sensitive", true).annotate("meta.required", {}).annotate("expect.minLength", { length: 1 }).$type).prop("cancel", defineAnnotatedType().designType("phantom").tags("action", "ui").annotate("ui.form.order", 20).annotate("ui.form.action", {
 	id: "cancel",
 	label: "Cancel"
@@ -438,5 +447,12 @@ defineAnnotatedType("object", ProveControlOtpForm).prop("intro", defineAnnotated
 	name: "align",
 	value: "center"
 }, true).annotate("ui.form.pushDown", true).optional().$type).annotate("meta.label", "Confirm your identity").annotate("wf.context.pass", "public", true).annotate("ui.form.submit.text", "Verify and link");
+defineAnnotatedType("object", AuthorizeConsentForm).prop("notice", defineAnnotatedType().designType("phantom").tags("paragraph", "ui").annotate("ui.form.order", 1).annotate("ui.form.fn.value", "(_, _d, ctx) => { const a = ctx.public?.authz; const who = a?.clientName ? \"“\" + a.clientName + \"”\" : \"A local application\"; const sc = a?.scope ? \" It is requesting access to: \" + a.scope + \".\" : \"\"; return who + \" wants to sign in to your account.\" + sc + \" Authorize this only if you started it.\"; }").$type).prop("deny", defineAnnotatedType().designType("phantom").tags("action", "ui").annotate("ui.form.order", 10).annotate("ui.form.action", {
+	id: "deny",
+	label: "Deny"
+}).annotate("ui.form.attr", {
+	name: "align",
+	value: "center"
+}, true).annotate("ui.form.pushDown", true).optional().$type).annotate("meta.label", "Authorize access").annotate("wf.context.pass", "public", true).annotate("ui.form.submit.text", "Authorize");
 //#endregion
-export { SetPasswordForm as C, WithInlineConsentForm as E, Select2faForm as S, TermsBumpForm as T, ProveControlForm as _, EmailIdentifierForm as a, RecoveryModeSelectForm as b, EnrollPickMethodForm as c, LoginCredentialsForm as d, MagicLinkRequestForm as f, PincodeForm as g, PasswordReauthForm as h, ConcurrencyLimitForm as i, EnrollTotpQrForm as l, MfaCodeForm as m, AskPhoneForm as n, EnrollAddressForm as o, ManageMfaForm as p, ChangePasswordForm as r, EnrollConfirmForm as s, AskEmailForm as t, InviteForm as u, ProveControlOtpForm as v, SignupForm as w, RemoveMfaConfirmForm as x, RecoveryFactorForm as y };
+export { Select2faForm as C, WithInlineConsentForm as D, TermsBumpForm as E, RemoveMfaConfirmForm as S, SignupForm as T, PincodeForm as _, ConcurrencyLimitForm as a, RecoveryFactorForm as b, EnrollConfirmForm as c, InviteForm as d, LoginCredentialsForm as f, PasswordReauthForm as g, MfaCodeForm as h, ChangePasswordForm as i, EnrollPickMethodForm as l, ManageMfaForm as m, AskPhoneForm as n, EmailIdentifierForm as o, MagicLinkRequestForm as p, AuthorizeConsentForm as r, EnrollAddressForm as s, AskEmailForm as t, EnrollTotpQrForm as u, ProveControlForm as v, SetPasswordForm as w, RecoveryModeSelectForm as x, ProveControlOtpForm as y };

package/dist/index.d.mts

@@ -181,7 +181,7 @@ declare function authGuardInterceptor(opts?: AuthOptions): TInterceptorDef;
  */
 declare function AuthGuarded(opts?: AuthOptions): ClassDecorator & MethodDecorator;
 //#endregion
-//#region ../../node_modules/.pnpm/@wooksjs+event-wf@0.7.17_@prostojs+logger@0.4.3_@wooksjs+event-core@0.7.17_@wooksjs+eve_308375c6ad6313773ebd6e419ace01e4/node_modules/@wooksjs/event-wf/dist/index.d.ts
+//#region ../../node_modules/.pnpm/@wooksjs+event-wf@0.7.19_@prostojs+logger@0.4.3_@wooksjs+event-core@0.7.19_@wooksjs+eve_bb34de328332c0c9e9ce8e94ed9c5cac/node_modules/@wooksjs/event-wf/dist/index.d.ts
 interface WfFinishedResponse {
   type: 'redirect' | 'data';
   /** Redirect URL or response body */
@@ -946,6 +946,39 @@ declare class AuthorizeRuntime {
   constructor(pending: PendingAuthorizationStore, codes: AuthCodeStore);
 }
 //#endregion
+//#region src/authz/authz-binding.d.ts
+/**
+ * Name of the double-submit cookie that binds an in-flight authorization
+ * request to the browser that started it. Set at `GET /auth/authorize` (holding
+ * the high-entropy `binding` secret recorded on the `PendingAuthorization`), and
+ * matched — constant-time, via `safeEqual` from `oauth-csrf` — at the
+ * `mint-authz-code` / `authz-consent` workflow steps before any code is minted.
+ *
+ * Why this closes the account-takeover (AUTH-SERVER.md §6): the opaque `authz`
+ * handle alone is a bearer ticket — anyone holding it can drive it to the
+ * code-minting terminal. An attacker who initiates `/auth/authorize` (to inject
+ * their own client / redirect / PKCE challenge) receives the handle AND this
+ * cookie in THEIR browser; phishing only the handle into a victim's browser
+ * fails the match here, because the victim's browser never holds the secret. So
+ * a handle can only be redeemed by the same browser that started the request.
+ */
+declare const AUTHZ_BINDING_COOKIE = "aooth_authz";
+/**
+ * Cookie attributes for the authorize-binding cookie — the same httpOnly /
+ * `SameSite=Lax` shape as the OAuth CSRF cookie (Lax, NOT Strict, so the
+ * top-level GET navigation BACK from a "Continue with <provider>" detour still
+ * carries it), so it delegates to {@link oauthCsrfCookieAttrs}. `maxAgeSec` is
+ * the pending authorization's remaining lifetime — the caller derives it from
+ * the row's `expiresAt` (returned by `PendingAuthorizationStore.create`), so the
+ * cookie tracks the row's TTL even when a store is configured with a non-default
+ * `ttlMs`. `secure` is caller-controlled (off for the http test harness, on in
+ * production).
+ */
+declare function authzBindingCookieAttrs(opts: {
+  secure: boolean;
+  maxAgeSec: number;
+}): TCookieAttributesInput;
+//#endregion
 //#region src/authz/authz-tokens.d.ts
 /**
  * Explicit string DI tokens for the ABSTRACT authorization-server stores
@@ -1542,6 +1575,16 @@ interface AuthWfPublicState {
    * verify forms when a forced password change will follow.
    */
   newPasswordRequired?: boolean;
+  /**
+   * Mirrors the display-only fields of `ctx.authz` — the requesting client's
+   * id/name and granted scope, shown on the authorize-consent form. The
+   * `handle` and the `approved` gate stay server-only (never whitelisted onto
+   * the wire).
+   */
+  authz?: {
+    clientName?: string;
+    scope?: string;
+  };
 }
 /** Unified workflow context shape — one type for all three flows. */
 interface AuthWfCtx {
@@ -1612,11 +1655,17 @@ interface AuthWfCtx {
    * input `authz` (the opaque pending-authorization handle), and `sso-callback`
    * re-raises it from the federated `state.handle` when the user took a
    * "Continue with <provider>" detour mid-authorize. Presence routes the login
-   * tail to the `mint-authz-code` terminal (deliver an auth code to the client)
-   * INSTEAD of `issue`/`redirect` — no browser session is minted.
+   * tail to the `authz-consent` → `mint-authz-code` terminal (deliver an auth
+   * code to the client) INSTEAD of `issue`/`redirect` — no browser session is
+   * minted. `clientName`/`scope` are staged by `authz-consent` for the consent
+   * form's display copy; `approved` is the explicit user-consent gate the
+   * `mint-authz-code` terminal requires before it will mint a code.
    */
   authz?: {
     handle: string;
+    clientName?: string;
+    scope?: string;
+    approved?: boolean;
   };
   /**
    * FE-facing surface — the ONLY top-level ctx key whitelisted on form
@@ -1672,7 +1721,8 @@ interface AuthWorkflowOpts {
     termsBump?: TAtscriptAnnotatedType;
     concurrencyLimit?: TAtscriptAnnotatedType;
     recoveryPincode?: TAtscriptAnnotatedType; /** Self-signup identifier form (`auth/signup/flow` entry pause). */
-    signup?: TAtscriptAnnotatedType;
+    signup?: TAtscriptAnnotatedType; /** Consent prompt shown before `mint-authz-code` mints an auth code (AUTH-SERVER.md §6). */
+    authzConsent?: TAtscriptAnnotatedType;
   };
 }
 /**
@@ -1722,6 +1772,7 @@ interface ResolvedAuthWorkflowOpts {
     concurrencyLimit: TAtscriptAnnotatedType;
     recoveryPincode: TAtscriptAnnotatedType;
     signup: TAtscriptAnnotatedType;
+    authzConsent: TAtscriptAnnotatedType;
   };
 }
 //#endregion
@@ -2808,6 +2859,34 @@ declare class AuthWorkflow {
    * (cookies from `issue` are preserved).
    */
   redirect(ctx: AuthWfCtx): undefined;
+  /**
+   * Authorization-server consent gate (AUTH-SERVER.md §4.4 / §6). Runs BEFORE
+   * `mint-authz-code` whenever `ctx.authz` is set. Two mandatory jobs:
+   *
+   *  1. **Browser binding** — verify the request carries the `aooth_authz`
+   *     cookie that constant-time-matches the secret recorded on the pending
+   *     authorization. An `authz` handle phished into a DIFFERENT browser (the
+   *     account-takeover primitive) fails here, because the secret lives only
+   *     in the browser that initiated `GET /auth/authorize`.
+   *  2. **Explicit consent** — pause on the consent form and require the user
+   *     to press 'Authorize'. 'Deny' (or abandoning) 302s the client back with
+   *     `error=access_denied` and mints nothing. This blocks the same-browser
+   *     forced-navigation variant: a logged-in / silently-SSO-re-authenticated
+   *     victim is shown WHICH client is asking and must approve it.
+   *
+   * On approval it stamps `ctx.authz.approved`, which `mint-authz-code`
+   * re-checks alongside a binding re-verification before minting.
+   */
+  authzConsent(ctx: AuthWfCtx): Promise<undefined>;
+  /**
+   * Constant-time match of the `aooth_authz` binding cookie against the secret
+   * recorded on the pending authorization. Fail-closed (`false`) when the cookie
+   * is absent or differs, so a request without the browser binding can never
+   * redeem the handle. See {@link authzConsent}.
+   */
+  protected verifyAuthzBinding(req: {
+    binding: string;
+  }): boolean;
   /**
    * Authorization-server terminal (AUTH-SERVER.md §4.4). Reached INSTEAD of
    * `issue`/`redirect` when this login was started from `GET /auth/authorize`
@@ -2816,6 +2895,7 @@ declare class AuthWorkflow {
    * request's PKCE challenge / redirect / token policy, then 302s the browser to
    * `redirect_uri?code&state`. It does NOT issue a session and attaches NO
    * cookies — the token is minted later, off the browser, at `POST /auth/token`.
+   * Gated by {@link authzConsent} (binding + explicit approval).
    */
   mintAuthzCode(ctx: AuthWfCtx): Promise<undefined>;
   /**
@@ -3106,4 +3186,4 @@ interface AuditEmitter {
   emit(event: AuditEvent): Promise<void> | void;
 }
 //#endregion
-export { ADD_MFA_WORKFLOW, AUTH_CODE_STORE_TOKEN, type AuditEmitter, type AuditEvent, type AuthBindings, type AuthContext, AuthController, type AuthDeliveryPayload, type AuthEmailEvent, type AuthEmailKind, type AuthEmailOutletDeps, AuthGuarded, type AuthLoginResponse, type AuthLogoutBody, type AuthOkResponse, type AuthOptions, type AuthRefreshBody, type AuthSmsEvent, type AuthSmsKind, type AuthWfCompletionState, type AuthWfConsentsState, type AuthWfCtx, type AuthWfMfaEnrollState, type AuthWfOAuthState, type AuthWfPasswordUiState, type AuthWfPincodeUiState, AuthWorkflow, type AuthWorkflowOpts, AuthorizeController, AuthorizeRuntime, type BuildMagicLinkUrl, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, type ConcurrencyLimitOptions, type ConnectedAccount, type ConsentDescriptor, type ConsentDescriptorLike, type ConsentEvent, ConsentStore, DEFAULT_AUTH_WORKFLOWS, type EmailSender, type EnrichedSession, FEDERATED_IDENTITY_STORE_TOKEN, type IssueResult, type LoginRedirect, type MfaSummary, type MfaTransport, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, Public, RESERVED_USER_KEYS, type ResolvedAuthCookieConfig, type ResolvedAuthOptions, type ResolvedAuthWorkflowOpts, type SessionEnricher, SessionEnricherProvider, type SessionInfo, SessionsController, type SmsSender, type SsoProvider, type TAuthMeta, UserId, WfTrigger, type WfTriggerOpts, WfTriggerProvider, authGuardInterceptor, buildInviteAlreadyAcceptedEnvelope, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };
+export { ADD_MFA_WORKFLOW, AUTHZ_BINDING_COOKIE, AUTH_CODE_STORE_TOKEN, type AuditEmitter, type AuditEvent, type AuthBindings, type AuthContext, AuthController, type AuthDeliveryPayload, type AuthEmailEvent, type AuthEmailKind, type AuthEmailOutletDeps, AuthGuarded, type AuthLoginResponse, type AuthLogoutBody, type AuthOkResponse, type AuthOptions, type AuthRefreshBody, type AuthSmsEvent, type AuthSmsKind, type AuthWfCompletionState, type AuthWfConsentsState, type AuthWfCtx, type AuthWfMfaEnrollState, type AuthWfOAuthState, type AuthWfPasswordUiState, type AuthWfPincodeUiState, AuthWorkflow, type AuthWorkflowOpts, AuthorizeController, AuthorizeRuntime, type BuildMagicLinkUrl, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, type ConcurrencyLimitOptions, type ConnectedAccount, type ConsentDescriptor, type ConsentDescriptorLike, type ConsentEvent, ConsentStore, DEFAULT_AUTH_WORKFLOWS, type EmailSender, type EnrichedSession, FEDERATED_IDENTITY_STORE_TOKEN, type IssueResult, type LoginRedirect, type MfaSummary, type MfaTransport, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, Public, RESERVED_USER_KEYS, type ResolvedAuthCookieConfig, type ResolvedAuthOptions, type ResolvedAuthWorkflowOpts, type SessionEnricher, SessionEnricherProvider, type SessionInfo, SessionsController, type SmsSender, type SsoProvider, type TAuthMeta, UserId, WfTrigger, type WfTriggerOpts, WfTriggerProvider, authGuardInterceptor, authzBindingCookieAttrs, buildInviteAlreadyAcceptedEnvelope, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };

package/dist/index.mjs

@@ -1,12 +1,12 @@
-import { C as SetPasswordForm, S as Select2faForm, T as TermsBumpForm, _ as ProveControlForm, a as EmailIdentifierForm, c as EnrollPickMethodForm, d as LoginCredentialsForm, g as PincodeForm, h as PasswordReauthForm, i as ConcurrencyLimitForm, l as EnrollTotpQrForm, m as MfaCodeForm, n as AskPhoneForm, o as EnrollAddressForm, p as ManageMfaForm, r as ChangePasswordForm, s as EnrollConfirmForm, t as AskEmailForm, u as InviteForm, v as ProveControlOtpForm, w as SignupForm, x as RemoveMfaConfirmForm } from "./forms-11EDZgS1.mjs";
+import { C as Select2faForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, y as ProveControlOtpForm } from "./forms-D7ZfanKT.mjs";
 import { Controller, HandlerPaths, Inherit, Inject, InjectMoostLogger, Injectable, Intercept, MoostInit, Optional, Param, Resolve, TInterceptorPriority, defineAfterInterceptor, defineBeforeInterceptor, getMoostMate, useControllerContext } from "moost";
 import { AuthCredential, AuthError, generateMagicLinkToken } from "@aooth/auth";
 import { current, defineWook, eventTypeKey, key } from "@wooksjs/event-core";
 import { HttpError, useAuthorization, useCookies, useHeaders, useRequest, useResponse, useUrlParams } from "@wooksjs/event-http";
 import { ArbacAction, ArbacResource, getArbacMate } from "@aooth/arbac-moost";
-import { FederatedIdentityStore, UserAuthError, UserService, generateTotpSecret, generateTotpUri, maskEmail, maskPhone, pickDefinedProfile, verifyTotpCode } from "@aooth/user";
+import { FederatedIdentityStore, UserAuthError, UserService, generateMfaCode, generateTotpSecret, generateTotpUri, maskEmail, maskPhone, pickDefinedProfile, verifyTotpCode } from "@aooth/user";
 import { Body, Delete, Get, HttpError as HttpError$1, Post, Query } from "@moostjs/event-http";
-import { createHash, timingSafeEqual } from "node:crypto";
+import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
 import { createAsHttpOutlet, finishWf, handleAsOutletRequest, useAtscriptWf } from "@atscript/moost-wf";
 import { EncapsulatedStateStrategy, MoostWf, Step, StepRetriableError, StepTTL, Workflow, WorkflowParam, WorkflowSchema, createEmailOutlet, outletEmail, swapStrategy, useWfFinished, useWfState } from "@moostjs/event-wf";
 import { FederatedLoginService, OAuthError, OAuthProviderRegistry, generateRandomState, pkceChallengeFor } from "@aooth/idp";
@@ -585,6 +585,56 @@ function safeEqual(a, b) {
 	return timingSafeEqual(ab, bb);
 }
 //#endregion
+//#region src/authz/authz-binding.ts
+/**
+* Name of the double-submit cookie that binds an in-flight authorization
+* request to the browser that started it. Set at `GET /auth/authorize` (holding
+* the high-entropy `binding` secret recorded on the `PendingAuthorization`), and
+* matched — constant-time, via `safeEqual` from `oauth-csrf` — at the
+* `mint-authz-code` / `authz-consent` workflow steps before any code is minted.
+*
+* Why this closes the account-takeover (AUTH-SERVER.md §6): the opaque `authz`
+* handle alone is a bearer ticket — anyone holding it can drive it to the
+* code-minting terminal. An attacker who initiates `/auth/authorize` (to inject
+* their own client / redirect / PKCE challenge) receives the handle AND this
+* cookie in THEIR browser; phishing only the handle into a victim's browser
+* fails the match here, because the victim's browser never holds the secret. So
+* a handle can only be redeemed by the same browser that started the request.
+*/
+const AUTHZ_BINDING_COOKIE = "aooth_authz";
+/**
+* Cookie attributes for the authorize-binding cookie — the same httpOnly /
+* `SameSite=Lax` shape as the OAuth CSRF cookie (Lax, NOT Strict, so the
+* top-level GET navigation BACK from a "Continue with <provider>" detour still
+* carries it), so it delegates to {@link oauthCsrfCookieAttrs}. `maxAgeSec` is
+* the pending authorization's remaining lifetime — the caller derives it from
+* the row's `expiresAt` (returned by `PendingAuthorizationStore.create`), so the
+* cookie tracks the row's TTL even when a store is configured with a non-default
+* `ttlMs`. `secure` is caller-controlled (off for the http test harness, on in
+* production).
+*/
+function authzBindingCookieAttrs(opts) {
+	return oauthCsrfCookieAttrs({
+		secure: opts.secure,
+		maxAgeSec: opts.maxAgeSec
+	});
+}
+//#endregion
+//#region src/authz/authz-redirect.ts
+/**
+* Build the client redirect URL for an authorization-server result (RFC 6749
+* §4.1.2 / §4.1.2.1): append the result params (`code` on success, `error` on
+* failure) and echo the client's `state` when it sent one. The single home for
+* this URL contract — the controller's fail-soft redirect and the workflow's
+* deny / code-mint terminals all build the same shape, only the transport
+* (controller response vs `finishWf` envelope) differs.
+*/
+function authzRedirectUrl(redirectUri, params) {
+	const url = new URL(redirectUri);
+	for (const [key, value] of Object.entries(params)) if (value !== void 0) url.searchParams.set(key, value);
+	return url.toString();
+}
+//#endregion
 //#region src/oauth/oauth-redirect.ts
 /**
 * Open-redirect defense for the post-login `redirect` carried across the OAuth
@@ -899,7 +949,8 @@ const DEFAULT_FORMS = {
 	termsBump: TermsBumpForm,
 	concurrencyLimit: ConcurrencyLimitForm,
 	recoveryPincode: PincodeForm,
-	signup: SignupForm
+	signup: SignupForm,
+	authzConsent: AuthorizeConsentForm
 };
 function mergeAuthWorkflowOpts(opts) {
 	return {
@@ -1699,6 +1750,10 @@ let AuthWorkflow = class AuthWorkflow {
 			if (sub) pub.proveControl = sub;
 		}
 		if (ctx.newPasswordRequired !== void 0) pub.newPasswordRequired = ctx.newPasswordRequired;
+		if (ctx.authz) {
+			const sub = pickDefined(ctx.authz, ["clientName", "scope"]);
+			if (sub) pub.authz = sub;
+		}
 		ctx.public = pub;
 	}
 	/**
@@ -1735,8 +1790,7 @@ let AuthWorkflow = class AuthWorkflow {
 	}
 	/** Mint a numeric pincode + stash it onto ctx. Returns the plain code. */
 	mintPin(ctx, length, ttlMs) {
-		let code = "";
-		for (let i = 0; i < length; i++) code += Math.floor(Math.random() * 10).toString();
+		const code = generateMfaCode(length);
 		ctx.pin = code;
 		ctx.pinExpire = Date.now() + ttlMs;
 		delete ctx.pinAttempts;
@@ -3605,6 +3659,74 @@ let AuthWorkflow = class AuthWorkflow {
 		(ctx.completion ??= {}).redirectUrl = url;
 	}
 	/**
+	* Authorization-server consent gate (AUTH-SERVER.md §4.4 / §6). Runs BEFORE
+	* `mint-authz-code` whenever `ctx.authz` is set. Two mandatory jobs:
+	*
+	*  1. **Browser binding** — verify the request carries the `aooth_authz`
+	*     cookie that constant-time-matches the secret recorded on the pending
+	*     authorization. An `authz` handle phished into a DIFFERENT browser (the
+	*     account-takeover primitive) fails here, because the secret lives only
+	*     in the browser that initiated `GET /auth/authorize`.
+	*  2. **Explicit consent** — pause on the consent form and require the user
+	*     to press 'Authorize'. 'Deny' (or abandoning) 302s the client back with
+	*     `error=access_denied` and mints nothing. This blocks the same-browser
+	*     forced-navigation variant: a logged-in / silently-SSO-re-authenticated
+	*     victim is shown WHICH client is asking and must approve it.
+	*
+	* On approval it stamps `ctx.authz.approved`, which `mint-authz-code`
+	* re-checks alongside a binding re-verification before minting.
+	*/
+	async authzConsent(ctx) {
+		this.requireSubject(ctx);
+		const authz = ctx.authz;
+		const { pending } = await this.authorizeRuntime();
+		const req = authz ? await pending.get(authz.handle) : null;
+		if (!authz || !req) {
+			finishWf({ message: {
+				level: "error",
+				text: "Authorization request expired. Please try again."
+			} });
+			return;
+		}
+		if (!this.verifyAuthzBinding(req)) {
+			await pending.delete(authz.handle);
+			finishWf({ message: {
+				level: "error",
+				text: "This authorization could not be verified for your browser. Please start again."
+			} });
+			return;
+		}
+		if (req.clientId !== void 0) authz.clientName = req.clientId;
+		if (req.scope !== void 0) authz.scope = req.scope;
+		const wf = this.useAtscriptWfPublic(ctx, this.opts.forms.authzConsent);
+		if (wf.resolveAction() === "deny") {
+			await pending.delete(authz.handle);
+			finishWf({ next: {
+				trigger: "immediate",
+				action: {
+					type: "redirect",
+					target: authzRedirectUrl(req.redirectUri, {
+						error: "access_denied",
+						state: req.clientState
+					}),
+					reason: "authz-denied"
+				}
+			} });
+			return;
+		}
+		wf.resolveInput();
+		authz.approved = true;
+	}
+	/**
+	* Constant-time match of the `aooth_authz` binding cookie against the secret
+	* recorded on the pending authorization. Fail-closed (`false`) when the cookie
+	* is absent or differs, so a request without the browser binding can never
+	* redeem the handle. See {@link authzConsent}.
+	*/
+	verifyAuthzBinding(req) {
+		return safeEqual(useCookies(current()).getCookie(AUTHZ_BINDING_COOKIE), req.binding);
+	}
+	/**
 	* Authorization-server terminal (AUTH-SERVER.md §4.4). Reached INSTEAD of
 	* `issue`/`redirect` when this login was started from `GET /auth/authorize`
 	* (`ctx.authz` set by `init-login` or re-raised by `sso-callback`). Mints a
@@ -3612,6 +3734,7 @@ let AuthWorkflow = class AuthWorkflow {
 	* request's PKCE challenge / redirect / token policy, then 302s the browser to
 	* `redirect_uri?code&state`. It does NOT issue a session and attaches NO
 	* cookies — the token is minted later, off the browser, at `POST /auth/token`.
+	* Gated by {@link authzConsent} (binding + explicit approval).
 	*/
 	async mintAuthzCode(ctx) {
 		this.requireSubject(ctx);
@@ -3625,6 +3748,14 @@ let AuthWorkflow = class AuthWorkflow {
 			} });
 			return;
 		}
+		if (ctx.authz?.approved !== true || !this.verifyAuthzBinding(req)) {
+			await pending.delete(handle);
+			finishWf({ message: {
+				level: "error",
+				text: "Authorization could not be completed. Please start again."
+			} });
+			return;
+		}
 		const { code } = await codes.mint({
 			userId: ctx.subject,
 			codeChallenge: req.codeChallenge,
@@ -3638,14 +3769,14 @@ let AuthWorkflow = class AuthWorkflow {
 			tokenPolicy: req.tokenPolicy
 		});
 		await pending.delete(handle);
-		const url = new URL(req.redirectUri);
-		url.searchParams.set("code", code);
-		if (req.clientState !== void 0) url.searchParams.set("state", req.clientState);
 		finishWf({ next: {
 			trigger: "immediate",
 			action: {
 				type: "redirect",
-				target: url.toString(),
+				target: authzRedirectUrl(req.redirectUri, {
+					code,
+					state: req.clientState
+				}),
 				reason: "authz-code"
 			}
 		} });
@@ -4841,6 +4972,14 @@ __decorate([
 	__decorateMetadata("design:paramtypes", [Object]),
 	__decorateMetadata("design:returntype", void 0)
 ], AuthWorkflow.prototype, "redirect", null);
+__decorate([
+	Step("authz-consent"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], AuthWorkflow.prototype, "authzConsent", null);
 __decorate([
 	Step("mint-authz-code"),
 	Public(),
@@ -5033,8 +5172,12 @@ __decorate([
 			]
 		},
 		{
-			id: "mint-authz-code",
+			id: "authz-consent",
 			condition: (ctx) => !!ctx.authz
+		},
+		{
+			id: "mint-authz-code",
+			condition: (ctx) => ctx.authz?.approved === true
 		}
 	]),
 	__decorateMetadata("design:type", Function),
@@ -5844,7 +5987,8 @@ let AuthorizeController = class AuthorizeController {
 			return e instanceof AuthorizeError ? `invalid request: ${e.code}` : "invalid request";
 		}
 		if (responseType !== "code" || !codeChallenge || codeChallengeMethod !== "S256") return this.redirectError(resolved.redirectUri, "invalid_request", state);
-		const { handle } = await this.pending.create({
+		const binding = randomBytes(32).toString("base64url");
+		const { handle, expiresAt } = await this.pending.create({
 			...resolved.clientId !== void 0 && { clientId: resolved.clientId },
 			redirectUri: resolved.redirectUri,
 			codeChallenge,
@@ -5854,8 +5998,14 @@ let AuthorizeController = class AuthorizeController {
 			...resolved.idToken !== void 0 && { idToken: resolved.idToken },
 			...resolved.accessToken !== void 0 && { accessToken: resolved.accessToken },
 			...resolved.audience !== void 0 && { audience: resolved.audience },
-			tokenPolicy: resolved.tokenPolicy
+			tokenPolicy: resolved.tokenPolicy,
+			binding
 		});
+		const maxAgeSec = Math.max(1, Math.round((expiresAt - Date.now()) / 1e3));
+		res.setCookie(AUTHZ_BINDING_COOKIE, binding, authzBindingCookieAttrs({
+			secure: useAuth().options.cookie.secure,
+			maxAgeSec
+		}));
 		const loginPath = this.loginPath();
 		const target = `${loginPath}${loginPath.includes("?") ? "&" : "?"}authz=${encodeURIComponent(handle)}`;
 		res.status = 302;
@@ -5990,12 +6140,12 @@ let AuthorizeController = class AuthorizeController {
 	}
 	/** Fail soft: 302 the validated client redirect with an `?error=` (+ echoed `state`). */
 	redirectError(redirectUri, error, state) {
-		const url = new URL(redirectUri);
-		url.searchParams.set("error", error);
-		if (state !== void 0) url.searchParams.set("state", state);
 		const res = useResponse(current());
 		res.status = 302;
-		res.setHeader("Location", url.toString());
+		res.setHeader("Location", authzRedirectUrl(redirectUri, {
+			error,
+			state
+		}));
 		return "";
 	}
 };
@@ -6094,4 +6244,4 @@ function createAuthEmailOutlet(deps) {
 	});
 }
 //#endregion
-export { ADD_MFA_WORKFLOW, AUTH_CODE_STORE_TOKEN, AuthController, AuthGuarded, AuthWorkflow, AuthorizeController, AuthorizeRuntime, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, ConsentStore, DEFAULT_AUTH_WORKFLOWS, FEDERATED_IDENTITY_STORE_TOKEN, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, Public, RESERVED_USER_KEYS, SessionEnricherProvider, SessionsController, UserId, WfTrigger, WfTriggerProvider, authGuardInterceptor, buildInviteAlreadyAcceptedEnvelope, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };
+export { ADD_MFA_WORKFLOW, AUTHZ_BINDING_COOKIE, AUTH_CODE_STORE_TOKEN, AuthController, AuthGuarded, AuthWorkflow, AuthorizeController, AuthorizeRuntime, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, ConsentStore, DEFAULT_AUTH_WORKFLOWS, FEDERATED_IDENTITY_STORE_TOKEN, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, Public, RESERVED_USER_KEYS, SessionEnricherProvider, SessionsController, UserId, WfTrigger, WfTriggerProvider, authGuardInterceptor, authzBindingCookieAttrs, buildInviteAlreadyAcceptedEnvelope, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/auth-moost",
-  "version": "0.1.15",
+  "version": "0.1.17",
   "description": "Moost auth integration for aoothjs — AuthGuard interceptor, useAuth composable, REST endpoints, workflows",
   "keywords": [
     "aoothjs",
@@ -57,33 +57,33 @@
     "access": "public"
   },
   "dependencies": {
-    "@atscript/moost-wf": "^0.1.96",
-    "@wooksjs/http-body": "^0.7.17",
-    "@aooth/arbac-moost": "^0.1.15",
-    "@aooth/auth": "0.1.15",
-    "@aooth/idp": "0.1.15",
-    "@aooth/user": "0.1.15"
+    "@atscript/moost-wf": "^0.1.98",
+    "@wooksjs/http-body": "^0.7.19",
+    "@aooth/arbac-moost": "^0.1.17",
+    "@aooth/user": "0.1.17",
+    "@aooth/auth": "0.1.17",
+    "@aooth/idp": "0.1.17"
   },
   "devDependencies": {
-    "@atscript/core": "^0.1.74",
-    "@atscript/typescript": "^0.1.74",
-    "@atscript/ui": "^0.1.96",
-    "@atscript/ui-fns": "^0.1.96",
-    "@moostjs/event-http": "^0.6.25",
-    "@moostjs/event-wf": "^0.6.25",
-    "moost": "^0.6.25",
-    "unplugin-atscript": "^0.1.74",
-    "wooks": "^0.7.17"
+    "@atscript/core": "^0.1.75",
+    "@atscript/typescript": "^0.1.75",
+    "@atscript/ui": "^0.1.98",
+    "@atscript/ui-fns": "^0.1.98",
+    "@moostjs/event-http": "^0.6.26",
+    "@moostjs/event-wf": "^0.6.26",
+    "moost": "^0.6.26",
+    "unplugin-atscript": "^0.1.75",
+    "wooks": "^0.7.19"
   },
   "peerDependencies": {
-    "@atscript/moost-wf": "^0.1.96",
-    "@atscript/typescript": "^0.1.74",
-    "@moostjs/event-http": "^0.6.25",
-    "@moostjs/event-wf": "^0.6.25",
-    "@wooksjs/event-core": "^0.7.17",
-    "@wooksjs/event-http": "^0.7.17",
-    "@wooksjs/http-body": "^0.7.17",
-    "moost": "^0.6.25"
+    "@atscript/moost-wf": "^0.1.98",
+    "@atscript/typescript": "^0.1.75",
+    "@moostjs/event-http": "^0.6.26",
+    "@moostjs/event-wf": "^0.6.26",
+    "@wooksjs/event-core": "^0.7.19",
+    "@wooksjs/event-http": "^0.7.19",
+    "@wooksjs/http-body": "^0.7.19",
+    "moost": "^0.6.26"
   },
   "peerDependenciesMeta": {
     "@atscript/typescript": {

package/src/atscript/models/forms.as

@@ -258,7 +258,7 @@ export interface SignupForm {
  * wants to abandon the flow closes / refreshes the page (the wf state token
  * expires per the engine's TTL).
  */
-@ui.form.fn.title '(_, _d, ctx) => ctx.public?.password?.heading || "Set your password"'
+@ui.form.fn.title '(_, ctx) => ctx.public?.password?.heading || "Set your password"'
 @wf.context.pass 'public'
 export interface SetPasswordForm extends WithInlineConsentForm {
     /**
@@ -537,7 +537,7 @@ export interface EnrollPickMethodForm {
  * forbids backing out mid-flow). `useDifferentMethod` is hidden when the
  * consumer has only one transport configured (nothing to switch to).
  */
-@ui.form.fn.title '(_, _d, ctx) => ctx.public?.mfaEnroll?.method === "sms" ? "Add your phone number" : "Add your email"'
+@ui.form.fn.title '(_, ctx) => ctx.public?.mfaEnroll?.method === "sms" ? "Add your phone number" : "Add your email"'
 @meta.description 'We will send you a one-time code to confirm.'
 @wf.context.pass 'public'
 @ui.form.submit.text 'Send code'
@@ -849,7 +849,7 @@ export interface RecoveryFactorForm {
  * `SetPasswordForm`, so the live `AsPasswordRules` renderer and dynamic copy
  * work identically. Heading/intro are staged by `change-password-form`.
  */
-@ui.form.fn.title '(_, _d, ctx) => ctx.public?.password?.heading || "Change your password"'
+@ui.form.fn.title '(_, ctx) => ctx.public?.password?.heading || "Change your password"'
 @ui.form.submit.text 'Change password'
 @wf.context.pass 'public'
 export interface ChangePasswordForm {
@@ -982,3 +982,29 @@ export interface ProveControlOtpForm {
     @ui.form.pushDown
     cancel?: ui.action
 }
+
+/**
+ * Authorization-server consent prompt (AUTH-SERVER.md §4.4 / §6). Rendered by
+ * the `authz-consent` @Step once the human is authenticated, BEFORE
+ * `mint-authz-code` mints the authorization code — so a logged-in (or silently
+ * SSO-re-authenticated) browser cannot be walked into delivering a code to a
+ * client it never approved. Fieldless apart from the explanatory paragraph; the
+ * primary submit ('Authorize') records consent and proceeds to the mint, the
+ * 'Deny' action 302s the client back with `error=access_denied`. The requesting
+ * client + scope ride the `@wf.context.pass 'public'` `ctx.public.authz`
+ * whitelist (display-only — the handle / approval gate stay server-side).
+ */
+@meta.label 'Authorize access'
+@wf.context.pass 'public'
+@ui.form.submit.text 'Authorize'
+export interface AuthorizeConsentForm {
+    @ui.form.order 1
+    @ui.form.fn.value '(_, _d, ctx) => { const a = ctx.public?.authz; const who = a?.clientName ? "“" + a.clientName + "”" : "A local application"; const sc = a?.scope ? " It is requesting access to: " + a.scope + "." : ""; return who + " wants to sign in to your account." + sc + " Authorize this only if you started it."; }'
+    notice: ui.paragraph
+
+    @ui.form.order 10
+    @ui.form.action 'deny', 'Deny'
+    @ui.form.attr 'align', 'center'
+    @ui.form.pushDown
+    deny?: ui.action
+}

package/src/atscript/models/forms.as.d.ts

@@ -471,4 +471,21 @@ export declare class ProveControlOtpForm {
   /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
   static toExampleData?: () => any
 }
+
+/**
+ * Atscript interface **AuthorizeConsentForm**
+ * @see {@link ./forms.as:1000:18}
+ */
+export declare class AuthorizeConsentForm {
+  // notice: ui.paragraph
+  // deny: ui.action
+  static __is_atscript_annotated_type: true
+  static type: TAtscriptTypeObject<keyof AuthorizeConsentForm, AuthorizeConsentForm>
+  static metadata: TMetadataMap<AtscriptMetadata>
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AuthorizeConsentForm>
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any
+}
 // prettier-ignore-end