@aooth/auth 0.1.10 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@aooth/auth",
3
- "version": "0.1.10",
3
+ "version": "0.1.12",
4
4
  "description": "Auth method layer for aoothjs (sessions, tokens, password reset, MFA primitives)",
5
5
  "keywords": [
6
6
  "aoothjs",
@@ -26,7 +26,11 @@
26
26
  "files": [
27
27
  "dist",
28
28
  "src/atscript-db/auth-credential.as",
29
- "src/atscript-db/auth-credential.as.d.ts"
29
+ "src/atscript-db/auth-credential.as.d.ts",
30
+ "src/atscript-db/pending-authorization.as",
31
+ "src/atscript-db/pending-authorization.as.d.ts",
32
+ "src/atscript-db/auth-code.as",
33
+ "src/atscript-db/auth-code.as.d.ts"
30
34
  ],
31
35
  "type": "module",
32
36
  "sideEffects": false,
@@ -67,6 +71,22 @@
67
71
  "types": "./src/atscript-db/auth-credential.as.d.ts",
68
72
  "default": "./src/atscript-db/auth-credential.as"
69
73
  },
74
+ "./atscript-db/pending-authorization": {
75
+ "types": "./src/atscript-db/pending-authorization.as.d.ts",
76
+ "default": "./src/atscript-db/pending-authorization.as"
77
+ },
78
+ "./atscript-db/pending-authorization.as": {
79
+ "types": "./src/atscript-db/pending-authorization.as.d.ts",
80
+ "default": "./src/atscript-db/pending-authorization.as"
81
+ },
82
+ "./atscript-db/auth-code": {
83
+ "types": "./src/atscript-db/auth-code.as.d.ts",
84
+ "default": "./src/atscript-db/auth-code.as"
85
+ },
86
+ "./atscript-db/auth-code.as": {
87
+ "types": "./src/atscript-db/auth-code.as.d.ts",
88
+ "default": "./src/atscript-db/auth-code.as"
89
+ },
70
90
  "./package.json": "./package.json"
71
91
  },
72
92
  "publishConfig": {
@@ -74,7 +94,7 @@
74
94
  },
75
95
  "dependencies": {
76
96
  "jose": "^6.2.3",
77
- "@aooth/user": "0.1.10"
97
+ "@aooth/user": "0.1.12"
78
98
  },
79
99
  "devDependencies": {
80
100
  "@atscript/core": "^0.1.71",
@@ -0,0 +1,41 @@
1
+ @db.table 'aooth_auth_codes'
2
+ @db.depth.limit 0
3
+ export interface AoothAuthCode {
4
+ /**
5
+ * Opaque single-use code (PK). Server-generated UUID in
6
+ * `AuthCodeStoreAtscriptDb.mint`. Consumed atomically at `/token`: the
7
+ * `deleteOne(code)` whose `deletedCount === 1` is the single-use claim, so a
8
+ * concurrent double-redeem (or back-button replay) yields it to one caller.
9
+ */
10
+ @meta.id
11
+ code: string
12
+
13
+ /** The user the login workflow authenticated. */
14
+ userId: string
15
+ /** PKCE S256 challenge from the originating authorize request. */
16
+ codeChallenge: string
17
+ /** The client's `redirect_uri` (bound; the code is meaningless elsewhere). */
18
+ redirectUri: string
19
+
20
+ /** Registered client id (Tier 2); absent for a public/loopback client. */
21
+ clientId?: string
22
+ /** Granted scope (space-joined). */
23
+ scope?: string
24
+ /** OIDC `nonce`, echoed into the `id_token` (Tier 2). */
25
+ nonce?: string
26
+ /** Mint an `id_token` at `/token` (Tier 2). */
27
+ idToken?: boolean
28
+ /** Mint an access token at `/token`. */
29
+ accessToken?: boolean
30
+ /** The `id_token` `aud` (the registered `client_id`). */
31
+ audience?: string
32
+
33
+ /**
34
+ * The grant's `TokenPolicy`, serialized as a JSON string — see
35
+ * `AoothPendingAuthorization.tokenPolicy` for why it is opaque, not `@db.json`.
36
+ */
37
+ tokenPolicy: string
38
+
39
+ /** Very short (≈ 30–60 s). Past-expiry rows are rejected on consume. */
40
+ expiresAt: number.timestamp
41
+ }
@@ -0,0 +1,68 @@
1
+ // prettier-ignore-start
2
+ /* eslint-disable */
3
+ /* oxlint-disable */
4
+ /// <reference path="./auth-code.as" />
5
+ /**
6
+ * 🪄 This file was generated by Atscript
7
+ * Do not edit this file!
8
+ */
9
+
10
+ import type { TAtscriptTypeObject, TAtscriptTypeComplex, TAtscriptTypeFinal, TAtscriptTypeArray, TAtscriptAnnotatedType, TMetadataMap, Validator, TValidatorOptions } from "@atscript/typescript/utils"
11
+
12
+ /**
13
+ * Atscript interface **AoothAuthCode**
14
+ * @see {@link ./auth-code.as:3:18}
15
+ */
16
+ export declare class AoothAuthCode {
17
+ code: string
18
+ userId: string
19
+ codeChallenge: string
20
+ redirectUri: string
21
+ clientId?: string
22
+ scope?: string
23
+ nonce?: string
24
+ idToken?: boolean
25
+ accessToken?: boolean
26
+ audience?: string
27
+ tokenPolicy: string
28
+ expiresAt: number /* timestamp */
29
+ static __is_atscript_annotated_type: true
30
+ static type: TAtscriptTypeObject<keyof AoothAuthCode, AoothAuthCode>
31
+ static metadata: TMetadataMap<AtscriptMetadata>
32
+ static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AoothAuthCode>
33
+ /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
34
+ static toJsonSchema: () => any
35
+ /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
36
+ static toExampleData?: () => any
37
+ static __flat: {
38
+ "code": string
39
+ "userId": string
40
+ "codeChallenge": string
41
+ "redirectUri": string
42
+ "clientId"?: string
43
+ "scope"?: string
44
+ "nonce"?: string
45
+ "idToken"?: boolean
46
+ "accessToken"?: boolean
47
+ "audience"?: string
48
+ "tokenPolicy": string
49
+ "expiresAt": number /* timestamp */
50
+ }
51
+ static __ownProps: {
52
+ "code": string
53
+ "userId": string
54
+ "codeChallenge": string
55
+ "redirectUri": string
56
+ "clientId"?: string
57
+ "scope"?: string
58
+ "nonce"?: string
59
+ "idToken"?: boolean
60
+ "accessToken"?: boolean
61
+ "audience"?: string
62
+ "tokenPolicy": string
63
+ "expiresAt": number /* timestamp */
64
+ }
65
+
66
+ static __pk: string
67
+ }
68
+ // prettier-ignore-end
@@ -0,0 +1,42 @@
1
+ @db.table 'aooth_pending_authorizations'
2
+ @db.depth.limit 0
3
+ export interface AoothPendingAuthorization {
4
+ /**
5
+ * Opaque server-side handle (PK) — the only thing that rides the URL / wf
6
+ * state. Server-generated UUID in `PendingAuthorizationStoreAtscriptDb.create`.
7
+ */
8
+ @meta.id
9
+ handle: string
10
+
11
+ /** The client's validated `redirect_uri` — where the auth code is delivered. */
12
+ redirectUri: string
13
+ /** PKCE S256 challenge; verified against the verifier at `/token`. */
14
+ codeChallenge: string
15
+
16
+ /** Registered client id (Tier 2); absent for a public/loopback client. */
17
+ clientId?: string
18
+ /** The client's `state`, echoed back on the redirect so it can correlate. */
19
+ clientState?: string
20
+ /** Granted scope (space-joined). */
21
+ scope?: string
22
+ /** OIDC `nonce`, echoed into the `id_token` (Tier 2). */
23
+ nonce?: string
24
+ /** Mint an `id_token` at `/token` (Tier 2). */
25
+ idToken?: boolean
26
+ /** Mint an access token at `/token`. */
27
+ accessToken?: boolean
28
+ /** The `id_token` `aud` (the registered `client_id`). */
29
+ audience?: string
30
+
31
+ /**
32
+ * The grant's `TokenPolicy`, serialized as a JSON string. `TokenPolicy.payload`
33
+ * is an OPEN `Record<string, unknown>` (consumer attenuation), which a closed
34
+ * `@db.json` schema would reject — so the whole policy is stored opaque and
35
+ * (de)serialized at the adapter boundary (`PendingAuthorizationStoreAtscriptDb`).
36
+ */
37
+ tokenPolicy: string
38
+
39
+ createdAt: number.timestamp
40
+ /** Lazy-GC'd on read once past. */
41
+ expiresAt: number.timestamp
42
+ }
@@ -0,0 +1,71 @@
1
+ // prettier-ignore-start
2
+ /* eslint-disable */
3
+ /* oxlint-disable */
4
+ /// <reference path="./pending-authorization.as" />
5
+ /**
6
+ * 🪄 This file was generated by Atscript
7
+ * Do not edit this file!
8
+ */
9
+
10
+ import type { TAtscriptTypeObject, TAtscriptTypeComplex, TAtscriptTypeFinal, TAtscriptTypeArray, TAtscriptAnnotatedType, TMetadataMap, Validator, TValidatorOptions } from "@atscript/typescript/utils"
11
+
12
+ /**
13
+ * Atscript interface **AoothPendingAuthorization**
14
+ * @see {@link ./pending-authorization.as:3:18}
15
+ */
16
+ export declare class AoothPendingAuthorization {
17
+ handle: string
18
+ redirectUri: string
19
+ codeChallenge: string
20
+ clientId?: string
21
+ clientState?: string
22
+ scope?: string
23
+ nonce?: string
24
+ idToken?: boolean
25
+ accessToken?: boolean
26
+ audience?: string
27
+ tokenPolicy: string
28
+ createdAt: number /* timestamp */
29
+ expiresAt: number /* timestamp */
30
+ static __is_atscript_annotated_type: true
31
+ static type: TAtscriptTypeObject<keyof AoothPendingAuthorization, AoothPendingAuthorization>
32
+ static metadata: TMetadataMap<AtscriptMetadata>
33
+ static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AoothPendingAuthorization>
34
+ /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
35
+ static toJsonSchema: () => any
36
+ /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
37
+ static toExampleData?: () => any
38
+ static __flat: {
39
+ "handle": string
40
+ "redirectUri": string
41
+ "codeChallenge": string
42
+ "clientId"?: string
43
+ "clientState"?: string
44
+ "scope"?: string
45
+ "nonce"?: string
46
+ "idToken"?: boolean
47
+ "accessToken"?: boolean
48
+ "audience"?: string
49
+ "tokenPolicy": string
50
+ "createdAt": number /* timestamp */
51
+ "expiresAt": number /* timestamp */
52
+ }
53
+ static __ownProps: {
54
+ "handle": string
55
+ "redirectUri": string
56
+ "codeChallenge": string
57
+ "clientId"?: string
58
+ "clientState"?: string
59
+ "scope"?: string
60
+ "nonce"?: string
61
+ "idToken"?: boolean
62
+ "accessToken"?: boolean
63
+ "audience"?: string
64
+ "tokenPolicy": string
65
+ "createdAt": number /* timestamp */
66
+ "expiresAt": number /* timestamp */
67
+ }
68
+
69
+ static __pk: string
70
+ }
71
+ // prettier-ignore-end