@aooth/auth 0.1.10 → 0.1.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/atscript-db.cjs +136 -0
- package/dist/atscript-db.d.cts +129 -1
- package/dist/atscript-db.d.mts +129 -1
- package/dist/atscript-db.mjs +135 -1
- package/dist/auth-code-store-CmUhRrwG.cjs +151 -0
- package/dist/auth-code-store-HOHlz_3z.d.cts +199 -0
- package/dist/auth-code-store-NqEDfqrf.d.mts +199 -0
- package/dist/auth-code-store-uaoL7dvU.mjs +116 -0
- package/dist/authz.cjs +5 -115
- package/dist/authz.d.cts +1 -196
- package/dist/authz.d.mts +1 -196
- package/dist/authz.mjs +2 -112
- package/package.json +23 -3
- package/src/atscript-db/auth-code.as +41 -0
- package/src/atscript-db/auth-code.as.d.ts +68 -0
- package/src/atscript-db/pending-authorization.as +42 -0
- package/src/atscript-db/pending-authorization.as.d.ts +71 -0
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@aooth/auth",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.12",
|
|
4
4
|
"description": "Auth method layer for aoothjs (sessions, tokens, password reset, MFA primitives)",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"aoothjs",
|
|
@@ -26,7 +26,11 @@
|
|
|
26
26
|
"files": [
|
|
27
27
|
"dist",
|
|
28
28
|
"src/atscript-db/auth-credential.as",
|
|
29
|
-
"src/atscript-db/auth-credential.as.d.ts"
|
|
29
|
+
"src/atscript-db/auth-credential.as.d.ts",
|
|
30
|
+
"src/atscript-db/pending-authorization.as",
|
|
31
|
+
"src/atscript-db/pending-authorization.as.d.ts",
|
|
32
|
+
"src/atscript-db/auth-code.as",
|
|
33
|
+
"src/atscript-db/auth-code.as.d.ts"
|
|
30
34
|
],
|
|
31
35
|
"type": "module",
|
|
32
36
|
"sideEffects": false,
|
|
@@ -67,6 +71,22 @@
|
|
|
67
71
|
"types": "./src/atscript-db/auth-credential.as.d.ts",
|
|
68
72
|
"default": "./src/atscript-db/auth-credential.as"
|
|
69
73
|
},
|
|
74
|
+
"./atscript-db/pending-authorization": {
|
|
75
|
+
"types": "./src/atscript-db/pending-authorization.as.d.ts",
|
|
76
|
+
"default": "./src/atscript-db/pending-authorization.as"
|
|
77
|
+
},
|
|
78
|
+
"./atscript-db/pending-authorization.as": {
|
|
79
|
+
"types": "./src/atscript-db/pending-authorization.as.d.ts",
|
|
80
|
+
"default": "./src/atscript-db/pending-authorization.as"
|
|
81
|
+
},
|
|
82
|
+
"./atscript-db/auth-code": {
|
|
83
|
+
"types": "./src/atscript-db/auth-code.as.d.ts",
|
|
84
|
+
"default": "./src/atscript-db/auth-code.as"
|
|
85
|
+
},
|
|
86
|
+
"./atscript-db/auth-code.as": {
|
|
87
|
+
"types": "./src/atscript-db/auth-code.as.d.ts",
|
|
88
|
+
"default": "./src/atscript-db/auth-code.as"
|
|
89
|
+
},
|
|
70
90
|
"./package.json": "./package.json"
|
|
71
91
|
},
|
|
72
92
|
"publishConfig": {
|
|
@@ -74,7 +94,7 @@
|
|
|
74
94
|
},
|
|
75
95
|
"dependencies": {
|
|
76
96
|
"jose": "^6.2.3",
|
|
77
|
-
"@aooth/user": "0.1.
|
|
97
|
+
"@aooth/user": "0.1.12"
|
|
78
98
|
},
|
|
79
99
|
"devDependencies": {
|
|
80
100
|
"@atscript/core": "^0.1.71",
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
@db.table 'aooth_auth_codes'
|
|
2
|
+
@db.depth.limit 0
|
|
3
|
+
export interface AoothAuthCode {
|
|
4
|
+
/**
|
|
5
|
+
* Opaque single-use code (PK). Server-generated UUID in
|
|
6
|
+
* `AuthCodeStoreAtscriptDb.mint`. Consumed atomically at `/token`: the
|
|
7
|
+
* `deleteOne(code)` whose `deletedCount === 1` is the single-use claim, so a
|
|
8
|
+
* concurrent double-redeem (or back-button replay) yields it to one caller.
|
|
9
|
+
*/
|
|
10
|
+
@meta.id
|
|
11
|
+
code: string
|
|
12
|
+
|
|
13
|
+
/** The user the login workflow authenticated. */
|
|
14
|
+
userId: string
|
|
15
|
+
/** PKCE S256 challenge from the originating authorize request. */
|
|
16
|
+
codeChallenge: string
|
|
17
|
+
/** The client's `redirect_uri` (bound; the code is meaningless elsewhere). */
|
|
18
|
+
redirectUri: string
|
|
19
|
+
|
|
20
|
+
/** Registered client id (Tier 2); absent for a public/loopback client. */
|
|
21
|
+
clientId?: string
|
|
22
|
+
/** Granted scope (space-joined). */
|
|
23
|
+
scope?: string
|
|
24
|
+
/** OIDC `nonce`, echoed into the `id_token` (Tier 2). */
|
|
25
|
+
nonce?: string
|
|
26
|
+
/** Mint an `id_token` at `/token` (Tier 2). */
|
|
27
|
+
idToken?: boolean
|
|
28
|
+
/** Mint an access token at `/token`. */
|
|
29
|
+
accessToken?: boolean
|
|
30
|
+
/** The `id_token` `aud` (the registered `client_id`). */
|
|
31
|
+
audience?: string
|
|
32
|
+
|
|
33
|
+
/**
|
|
34
|
+
* The grant's `TokenPolicy`, serialized as a JSON string — see
|
|
35
|
+
* `AoothPendingAuthorization.tokenPolicy` for why it is opaque, not `@db.json`.
|
|
36
|
+
*/
|
|
37
|
+
tokenPolicy: string
|
|
38
|
+
|
|
39
|
+
/** Very short (≈ 30–60 s). Past-expiry rows are rejected on consume. */
|
|
40
|
+
expiresAt: number.timestamp
|
|
41
|
+
}
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
// prettier-ignore-start
|
|
2
|
+
/* eslint-disable */
|
|
3
|
+
/* oxlint-disable */
|
|
4
|
+
/// <reference path="./auth-code.as" />
|
|
5
|
+
/**
|
|
6
|
+
* 🪄 This file was generated by Atscript
|
|
7
|
+
* Do not edit this file!
|
|
8
|
+
*/
|
|
9
|
+
|
|
10
|
+
import type { TAtscriptTypeObject, TAtscriptTypeComplex, TAtscriptTypeFinal, TAtscriptTypeArray, TAtscriptAnnotatedType, TMetadataMap, Validator, TValidatorOptions } from "@atscript/typescript/utils"
|
|
11
|
+
|
|
12
|
+
/**
|
|
13
|
+
* Atscript interface **AoothAuthCode**
|
|
14
|
+
* @see {@link ./auth-code.as:3:18}
|
|
15
|
+
*/
|
|
16
|
+
export declare class AoothAuthCode {
|
|
17
|
+
code: string
|
|
18
|
+
userId: string
|
|
19
|
+
codeChallenge: string
|
|
20
|
+
redirectUri: string
|
|
21
|
+
clientId?: string
|
|
22
|
+
scope?: string
|
|
23
|
+
nonce?: string
|
|
24
|
+
idToken?: boolean
|
|
25
|
+
accessToken?: boolean
|
|
26
|
+
audience?: string
|
|
27
|
+
tokenPolicy: string
|
|
28
|
+
expiresAt: number /* timestamp */
|
|
29
|
+
static __is_atscript_annotated_type: true
|
|
30
|
+
static type: TAtscriptTypeObject<keyof AoothAuthCode, AoothAuthCode>
|
|
31
|
+
static metadata: TMetadataMap<AtscriptMetadata>
|
|
32
|
+
static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AoothAuthCode>
|
|
33
|
+
/** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
|
|
34
|
+
static toJsonSchema: () => any
|
|
35
|
+
/** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
|
|
36
|
+
static toExampleData?: () => any
|
|
37
|
+
static __flat: {
|
|
38
|
+
"code": string
|
|
39
|
+
"userId": string
|
|
40
|
+
"codeChallenge": string
|
|
41
|
+
"redirectUri": string
|
|
42
|
+
"clientId"?: string
|
|
43
|
+
"scope"?: string
|
|
44
|
+
"nonce"?: string
|
|
45
|
+
"idToken"?: boolean
|
|
46
|
+
"accessToken"?: boolean
|
|
47
|
+
"audience"?: string
|
|
48
|
+
"tokenPolicy": string
|
|
49
|
+
"expiresAt": number /* timestamp */
|
|
50
|
+
}
|
|
51
|
+
static __ownProps: {
|
|
52
|
+
"code": string
|
|
53
|
+
"userId": string
|
|
54
|
+
"codeChallenge": string
|
|
55
|
+
"redirectUri": string
|
|
56
|
+
"clientId"?: string
|
|
57
|
+
"scope"?: string
|
|
58
|
+
"nonce"?: string
|
|
59
|
+
"idToken"?: boolean
|
|
60
|
+
"accessToken"?: boolean
|
|
61
|
+
"audience"?: string
|
|
62
|
+
"tokenPolicy": string
|
|
63
|
+
"expiresAt": number /* timestamp */
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
static __pk: string
|
|
67
|
+
}
|
|
68
|
+
// prettier-ignore-end
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
@db.table 'aooth_pending_authorizations'
|
|
2
|
+
@db.depth.limit 0
|
|
3
|
+
export interface AoothPendingAuthorization {
|
|
4
|
+
/**
|
|
5
|
+
* Opaque server-side handle (PK) — the only thing that rides the URL / wf
|
|
6
|
+
* state. Server-generated UUID in `PendingAuthorizationStoreAtscriptDb.create`.
|
|
7
|
+
*/
|
|
8
|
+
@meta.id
|
|
9
|
+
handle: string
|
|
10
|
+
|
|
11
|
+
/** The client's validated `redirect_uri` — where the auth code is delivered. */
|
|
12
|
+
redirectUri: string
|
|
13
|
+
/** PKCE S256 challenge; verified against the verifier at `/token`. */
|
|
14
|
+
codeChallenge: string
|
|
15
|
+
|
|
16
|
+
/** Registered client id (Tier 2); absent for a public/loopback client. */
|
|
17
|
+
clientId?: string
|
|
18
|
+
/** The client's `state`, echoed back on the redirect so it can correlate. */
|
|
19
|
+
clientState?: string
|
|
20
|
+
/** Granted scope (space-joined). */
|
|
21
|
+
scope?: string
|
|
22
|
+
/** OIDC `nonce`, echoed into the `id_token` (Tier 2). */
|
|
23
|
+
nonce?: string
|
|
24
|
+
/** Mint an `id_token` at `/token` (Tier 2). */
|
|
25
|
+
idToken?: boolean
|
|
26
|
+
/** Mint an access token at `/token`. */
|
|
27
|
+
accessToken?: boolean
|
|
28
|
+
/** The `id_token` `aud` (the registered `client_id`). */
|
|
29
|
+
audience?: string
|
|
30
|
+
|
|
31
|
+
/**
|
|
32
|
+
* The grant's `TokenPolicy`, serialized as a JSON string. `TokenPolicy.payload`
|
|
33
|
+
* is an OPEN `Record<string, unknown>` (consumer attenuation), which a closed
|
|
34
|
+
* `@db.json` schema would reject — so the whole policy is stored opaque and
|
|
35
|
+
* (de)serialized at the adapter boundary (`PendingAuthorizationStoreAtscriptDb`).
|
|
36
|
+
*/
|
|
37
|
+
tokenPolicy: string
|
|
38
|
+
|
|
39
|
+
createdAt: number.timestamp
|
|
40
|
+
/** Lazy-GC'd on read once past. */
|
|
41
|
+
expiresAt: number.timestamp
|
|
42
|
+
}
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
// prettier-ignore-start
|
|
2
|
+
/* eslint-disable */
|
|
3
|
+
/* oxlint-disable */
|
|
4
|
+
/// <reference path="./pending-authorization.as" />
|
|
5
|
+
/**
|
|
6
|
+
* 🪄 This file was generated by Atscript
|
|
7
|
+
* Do not edit this file!
|
|
8
|
+
*/
|
|
9
|
+
|
|
10
|
+
import type { TAtscriptTypeObject, TAtscriptTypeComplex, TAtscriptTypeFinal, TAtscriptTypeArray, TAtscriptAnnotatedType, TMetadataMap, Validator, TValidatorOptions } from "@atscript/typescript/utils"
|
|
11
|
+
|
|
12
|
+
/**
|
|
13
|
+
* Atscript interface **AoothPendingAuthorization**
|
|
14
|
+
* @see {@link ./pending-authorization.as:3:18}
|
|
15
|
+
*/
|
|
16
|
+
export declare class AoothPendingAuthorization {
|
|
17
|
+
handle: string
|
|
18
|
+
redirectUri: string
|
|
19
|
+
codeChallenge: string
|
|
20
|
+
clientId?: string
|
|
21
|
+
clientState?: string
|
|
22
|
+
scope?: string
|
|
23
|
+
nonce?: string
|
|
24
|
+
idToken?: boolean
|
|
25
|
+
accessToken?: boolean
|
|
26
|
+
audience?: string
|
|
27
|
+
tokenPolicy: string
|
|
28
|
+
createdAt: number /* timestamp */
|
|
29
|
+
expiresAt: number /* timestamp */
|
|
30
|
+
static __is_atscript_annotated_type: true
|
|
31
|
+
static type: TAtscriptTypeObject<keyof AoothPendingAuthorization, AoothPendingAuthorization>
|
|
32
|
+
static metadata: TMetadataMap<AtscriptMetadata>
|
|
33
|
+
static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AoothPendingAuthorization>
|
|
34
|
+
/** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
|
|
35
|
+
static toJsonSchema: () => any
|
|
36
|
+
/** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
|
|
37
|
+
static toExampleData?: () => any
|
|
38
|
+
static __flat: {
|
|
39
|
+
"handle": string
|
|
40
|
+
"redirectUri": string
|
|
41
|
+
"codeChallenge": string
|
|
42
|
+
"clientId"?: string
|
|
43
|
+
"clientState"?: string
|
|
44
|
+
"scope"?: string
|
|
45
|
+
"nonce"?: string
|
|
46
|
+
"idToken"?: boolean
|
|
47
|
+
"accessToken"?: boolean
|
|
48
|
+
"audience"?: string
|
|
49
|
+
"tokenPolicy": string
|
|
50
|
+
"createdAt": number /* timestamp */
|
|
51
|
+
"expiresAt": number /* timestamp */
|
|
52
|
+
}
|
|
53
|
+
static __ownProps: {
|
|
54
|
+
"handle": string
|
|
55
|
+
"redirectUri": string
|
|
56
|
+
"codeChallenge": string
|
|
57
|
+
"clientId"?: string
|
|
58
|
+
"clientState"?: string
|
|
59
|
+
"scope"?: string
|
|
60
|
+
"nonce"?: string
|
|
61
|
+
"idToken"?: boolean
|
|
62
|
+
"accessToken"?: boolean
|
|
63
|
+
"audience"?: string
|
|
64
|
+
"tokenPolicy": string
|
|
65
|
+
"createdAt": number /* timestamp */
|
|
66
|
+
"expiresAt": number /* timestamp */
|
|
67
|
+
}
|
|
68
|
+
|
|
69
|
+
static __pk: string
|
|
70
|
+
}
|
|
71
|
+
// prettier-ignore-end
|