@aooth/auth 0.1.15 → 0.1.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,7 +1,7 @@
1
1
  Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
2
2
  const require_clock = require("./clock-Bl-H3eqE.cjs");
3
3
  const require_payload = require("./payload-BJjvj8AH.cjs");
4
- const require_auth_code_store = require("./auth-code-store-CmUhRrwG.cjs");
4
+ const require_auth_code_store = require("./auth-code-store-B_m51OSB.cjs");
5
5
  let node_crypto = require("node:crypto");
6
6
  //#region src/atscript-db/authz-stores.ts
7
7
  /**
@@ -22,13 +22,15 @@ var PendingAuthorizationStoreAtscriptDb = class extends require_auth_code_store.
22
22
  async create(rec) {
23
23
  const now = this.clock.now();
24
24
  const handle = (0, node_crypto.randomUUID)();
25
+ const expiresAt = now + this.ttlMs;
25
26
  await this.table.insertOne({
26
27
  handle,
27
28
  redirectUri: rec.redirectUri,
28
29
  codeChallenge: rec.codeChallenge,
29
30
  tokenPolicy: JSON.stringify(rec.tokenPolicy),
31
+ binding: rec.binding,
30
32
  createdAt: now,
31
- expiresAt: now + this.ttlMs,
33
+ expiresAt,
32
34
  ...rec.clientId !== void 0 && { clientId: rec.clientId },
33
35
  ...rec.clientState !== void 0 && { clientState: rec.clientState },
34
36
  ...rec.scope !== void 0 && { scope: rec.scope },
@@ -37,7 +39,10 @@ var PendingAuthorizationStoreAtscriptDb = class extends require_auth_code_store.
37
39
  ...rec.accessToken !== void 0 && { accessToken: rec.accessToken },
38
40
  ...rec.audience !== void 0 && { audience: rec.audience }
39
41
  });
40
- return { handle };
42
+ return {
43
+ handle,
44
+ expiresAt
45
+ };
41
46
  }
42
47
  async get(handle) {
43
48
  const row = await this.table.findOne({ filter: { handle } });
@@ -59,6 +64,7 @@ function rowToPending(row) {
59
64
  redirectUri: row.redirectUri,
60
65
  codeChallenge: row.codeChallenge,
61
66
  tokenPolicy: JSON.parse(row.tokenPolicy),
67
+ binding: row.binding,
62
68
  createdAt: row.createdAt,
63
69
  expiresAt: row.expiresAt
64
70
  };
@@ -1,6 +1,6 @@
1
1
  import { a as CredentialState, t as CredentialStore } from "./store-BG6m6oSJ.cjs";
2
2
  import { t as Clock } from "./clock-BjXa0LXb.cjs";
3
- import { a as NewAuthCode, c as PendingAuthorizationStore, n as AuthCodeStore, o as NewPendingAuthorization, s as PendingAuthorization, t as AuthCode } from "./auth-code-store-HOHlz_3z.cjs";
3
+ import { a as NewAuthCode, c as PendingAuthorization, l as PendingAuthorizationStore, n as AuthCodeStore, s as NewPendingAuthorization, t as AuthCode } from "./auth-code-store-BZ88d_tq.cjs";
4
4
 
5
5
  //#region src/atscript-db/authz-stores.d.ts
6
6
  /**
@@ -30,6 +30,8 @@ interface PendingAuthorizationRow {
30
30
  audience?: string;
31
31
  /** `JSON.stringify(TokenPolicy)`. */
32
32
  tokenPolicy: string;
33
+ /** Browser-binding secret — mirrored into the `aooth_authz` cookie at `/authorize`. */
34
+ binding: string;
33
35
  createdAt: number;
34
36
  expiresAt: number;
35
37
  }
@@ -69,6 +71,7 @@ declare class PendingAuthorizationStoreAtscriptDb extends PendingAuthorizationSt
69
71
  constructor(opts: PendingAuthorizationStoreAtscriptDbOptions);
70
72
  create(rec: NewPendingAuthorization): Promise<{
71
73
  handle: string;
74
+ expiresAt: number;
72
75
  }>;
73
76
  get(handle: string): Promise<PendingAuthorization | null>;
74
77
  delete(handle: string): Promise<boolean>;
@@ -1,6 +1,6 @@
1
1
  import { a as CredentialState, t as CredentialStore } from "./store-BG6m6oSJ.mjs";
2
2
  import { t as Clock } from "./clock-BjXa0LXb.mjs";
3
- import { a as NewAuthCode, c as PendingAuthorizationStore, n as AuthCodeStore, o as NewPendingAuthorization, s as PendingAuthorization, t as AuthCode } from "./auth-code-store-NqEDfqrf.mjs";
3
+ import { a as NewAuthCode, c as PendingAuthorization, l as PendingAuthorizationStore, n as AuthCodeStore, s as NewPendingAuthorization, t as AuthCode } from "./auth-code-store-Om5MXNUT.mjs";
4
4
 
5
5
  //#region src/atscript-db/authz-stores.d.ts
6
6
  /**
@@ -30,6 +30,8 @@ interface PendingAuthorizationRow {
30
30
  audience?: string;
31
31
  /** `JSON.stringify(TokenPolicy)`. */
32
32
  tokenPolicy: string;
33
+ /** Browser-binding secret — mirrored into the `aooth_authz` cookie at `/authorize`. */
34
+ binding: string;
33
35
  createdAt: number;
34
36
  expiresAt: number;
35
37
  }
@@ -69,6 +71,7 @@ declare class PendingAuthorizationStoreAtscriptDb extends PendingAuthorizationSt
69
71
  constructor(opts: PendingAuthorizationStoreAtscriptDbOptions);
70
72
  create(rec: NewPendingAuthorization): Promise<{
71
73
  handle: string;
74
+ expiresAt: number;
72
75
  }>;
73
76
  get(handle: string): Promise<PendingAuthorization | null>;
74
77
  delete(handle: string): Promise<boolean>;
@@ -1,6 +1,6 @@
1
1
  import { t as defaultClock } from "./clock-Bdsep_1j.mjs";
2
2
  import { t as credentialPayloadOf } from "./payload-D-DzH5-J.mjs";
3
- import { a as PendingAuthorizationStore, t as AuthCodeStore } from "./auth-code-store-uaoL7dvU.mjs";
3
+ import { a as PendingAuthorizationStore, t as AuthCodeStore } from "./auth-code-store-Dqc4rEOx.mjs";
4
4
  import { randomUUID } from "node:crypto";
5
5
  //#region src/atscript-db/authz-stores.ts
6
6
  /**
@@ -21,13 +21,15 @@ var PendingAuthorizationStoreAtscriptDb = class extends PendingAuthorizationStor
21
21
  async create(rec) {
22
22
  const now = this.clock.now();
23
23
  const handle = randomUUID();
24
+ const expiresAt = now + this.ttlMs;
24
25
  await this.table.insertOne({
25
26
  handle,
26
27
  redirectUri: rec.redirectUri,
27
28
  codeChallenge: rec.codeChallenge,
28
29
  tokenPolicy: JSON.stringify(rec.tokenPolicy),
30
+ binding: rec.binding,
29
31
  createdAt: now,
30
- expiresAt: now + this.ttlMs,
32
+ expiresAt,
31
33
  ...rec.clientId !== void 0 && { clientId: rec.clientId },
32
34
  ...rec.clientState !== void 0 && { clientState: rec.clientState },
33
35
  ...rec.scope !== void 0 && { scope: rec.scope },
@@ -36,7 +38,10 @@ var PendingAuthorizationStoreAtscriptDb = class extends PendingAuthorizationStor
36
38
  ...rec.accessToken !== void 0 && { accessToken: rec.accessToken },
37
39
  ...rec.audience !== void 0 && { audience: rec.audience }
38
40
  });
39
- return { handle };
41
+ return {
42
+ handle,
43
+ expiresAt
44
+ };
40
45
  }
41
46
  async get(handle) {
42
47
  const row = await this.table.findOne({ filter: { handle } });
@@ -58,6 +63,7 @@ function rowToPending(row) {
58
63
  redirectUri: row.redirectUri,
59
64
  codeChallenge: row.codeChallenge,
60
65
  tokenPolicy: JSON.parse(row.tokenPolicy),
66
+ binding: row.binding,
61
67
  createdAt: row.createdAt,
62
68
  expiresAt: row.expiresAt
63
69
  };
@@ -57,6 +57,15 @@ interface PendingAuthorization {
57
57
  audience?: string;
58
58
  /** What the grant will mint (fixed at authorize time). */
59
59
  tokenPolicy: TokenPolicy;
60
+ /**
61
+ * High-entropy browser-binding secret (AUTH-SERVER.md §6). Set at
62
+ * `/auth/authorize` and mirrored into the `aooth_authz` cookie; the
63
+ * code-minting terminal accepts the handle ONLY when the request carries a
64
+ * cookie that constant-time-matches this value — so the opaque handle can be
65
+ * redeemed only by the browser that started the request, not one it was
66
+ * phished into.
67
+ */
68
+ binding: string;
60
69
  createdAt: number;
61
70
  expiresAt: number;
62
71
  }
@@ -72,6 +81,8 @@ interface NewPendingAuthorization {
72
81
  accessToken?: boolean;
73
82
  audience?: string;
74
83
  tokenPolicy: TokenPolicy;
84
+ /** Browser-binding secret (see {@link PendingAuthorization.binding}). */
85
+ binding: string;
75
86
  }
76
87
  /**
77
88
  * Storage seam for in-flight authorizations (AUTH-SERVER.md §4.3). Short-lived
@@ -81,9 +92,15 @@ interface NewPendingAuthorization {
81
92
  * `PENDING_AUTHORIZATION_STORE_TOKEN` (from `@aooth/auth-moost`).
82
93
  */
83
94
  declare abstract class PendingAuthorizationStore {
84
- /** Record a new pending authorization; returns its opaque `handle`. */
95
+ /**
96
+ * Record a new pending authorization; returns its opaque `handle` and the
97
+ * row's `expiresAt` (epoch ms). The caller derives the `aooth_authz` binding
98
+ * cookie's lifetime from `expiresAt`, so the cookie tracks the row's actual
99
+ * TTL even when a store is configured with a non-default `ttlMs`.
100
+ */
85
101
  abstract create(rec: NewPendingAuthorization): Promise<{
86
102
  handle: string;
103
+ expiresAt: number;
87
104
  }>;
88
105
  /** Fetch by handle, or `null` when unknown/expired. */
89
106
  abstract get(handle: string): Promise<PendingAuthorization | null>;
@@ -96,6 +113,8 @@ interface PendingAuthorizationStoreMemoryOptions {
96
113
  /** How long a pending authorization stays valid. Default 15 min. */
97
114
  ttlMs?: number;
98
115
  }
116
+ /** Default pending-authorization lifetime (15 min). Shared by the memory + atscript-db stores. */
117
+ declare const DEFAULT_PENDING_TTL_MS: number;
99
118
  /**
100
119
  * In-memory {@link PendingAuthorizationStore} — the reference impl for a
101
120
  * single-process app + tests. `structuredClone` on read/write isolates callers.
@@ -107,6 +126,7 @@ declare class PendingAuthorizationStoreMemory extends PendingAuthorizationStore
107
126
  constructor(opts?: PendingAuthorizationStoreMemoryOptions);
108
127
  create(rec: NewPendingAuthorization): Promise<{
109
128
  handle: string;
129
+ expiresAt: number;
110
130
  }>;
111
131
  get(handle: string): Promise<PendingAuthorization | null>;
112
132
  delete(handle: string): Promise<boolean>;
@@ -196,4 +216,4 @@ declare class AuthCodeStoreMemory extends AuthCodeStore {
196
216
  consume(code: string): Promise<AuthCode | null>;
197
217
  }
198
218
  //#endregion
199
- export { NewAuthCode as a, PendingAuthorizationStore as c, TokenPolicy as d, AuthCodeStoreMemoryOptions as i, PendingAuthorizationStoreMemory as l, AuthCodeStore as n, NewPendingAuthorization as o, AuthCodeStoreMemory as r, PendingAuthorization as s, AuthCode as t, PendingAuthorizationStoreMemoryOptions as u };
219
+ export { NewAuthCode as a, PendingAuthorization as c, PendingAuthorizationStoreMemoryOptions as d, TokenPolicy as f, AuthCodeStoreMemoryOptions as i, PendingAuthorizationStore as l, AuthCodeStore as n, DEFAULT_PENDING_TTL_MS as o, AuthCodeStoreMemory as r, NewPendingAuthorization as s, AuthCode as t, PendingAuthorizationStoreMemory as u };
@@ -31,6 +31,7 @@ var PendingAuthorizationStoreMemory = class extends PendingAuthorizationStore {
31
31
  redirectUri: rec.redirectUri,
32
32
  codeChallenge: rec.codeChallenge,
33
33
  tokenPolicy: structuredClone(rec.tokenPolicy),
34
+ binding: rec.binding,
34
35
  createdAt: now,
35
36
  expiresAt: now + this.ttlMs,
36
37
  ...rec.clientId !== void 0 && { clientId: rec.clientId },
@@ -42,7 +43,10 @@ var PendingAuthorizationStoreMemory = class extends PendingAuthorizationStore {
42
43
  ...rec.audience !== void 0 && { audience: rec.audience }
43
44
  };
44
45
  this.store.set(row.handle, structuredClone(row));
45
- return { handle: row.handle };
46
+ return {
47
+ handle: row.handle,
48
+ expiresAt: row.expiresAt
49
+ };
46
50
  }
47
51
  async get(handle) {
48
52
  const row = this.store.get(handle);
@@ -31,6 +31,7 @@ var PendingAuthorizationStoreMemory = class extends PendingAuthorizationStore {
31
31
  redirectUri: rec.redirectUri,
32
32
  codeChallenge: rec.codeChallenge,
33
33
  tokenPolicy: structuredClone(rec.tokenPolicy),
34
+ binding: rec.binding,
34
35
  createdAt: now,
35
36
  expiresAt: now + this.ttlMs,
36
37
  ...rec.clientId !== void 0 && { clientId: rec.clientId },
@@ -42,7 +43,10 @@ var PendingAuthorizationStoreMemory = class extends PendingAuthorizationStore {
42
43
  ...rec.audience !== void 0 && { audience: rec.audience }
43
44
  };
44
45
  this.store.set(row.handle, structuredClone(row));
45
- return { handle: row.handle };
46
+ return {
47
+ handle: row.handle,
48
+ expiresAt: row.expiresAt
49
+ };
46
50
  }
47
51
  async get(handle) {
48
52
  const row = this.store.get(handle);
@@ -57,6 +57,15 @@ interface PendingAuthorization {
57
57
  audience?: string;
58
58
  /** What the grant will mint (fixed at authorize time). */
59
59
  tokenPolicy: TokenPolicy;
60
+ /**
61
+ * High-entropy browser-binding secret (AUTH-SERVER.md §6). Set at
62
+ * `/auth/authorize` and mirrored into the `aooth_authz` cookie; the
63
+ * code-minting terminal accepts the handle ONLY when the request carries a
64
+ * cookie that constant-time-matches this value — so the opaque handle can be
65
+ * redeemed only by the browser that started the request, not one it was
66
+ * phished into.
67
+ */
68
+ binding: string;
60
69
  createdAt: number;
61
70
  expiresAt: number;
62
71
  }
@@ -72,6 +81,8 @@ interface NewPendingAuthorization {
72
81
  accessToken?: boolean;
73
82
  audience?: string;
74
83
  tokenPolicy: TokenPolicy;
84
+ /** Browser-binding secret (see {@link PendingAuthorization.binding}). */
85
+ binding: string;
75
86
  }
76
87
  /**
77
88
  * Storage seam for in-flight authorizations (AUTH-SERVER.md §4.3). Short-lived
@@ -81,9 +92,15 @@ interface NewPendingAuthorization {
81
92
  * `PENDING_AUTHORIZATION_STORE_TOKEN` (from `@aooth/auth-moost`).
82
93
  */
83
94
  declare abstract class PendingAuthorizationStore {
84
- /** Record a new pending authorization; returns its opaque `handle`. */
95
+ /**
96
+ * Record a new pending authorization; returns its opaque `handle` and the
97
+ * row's `expiresAt` (epoch ms). The caller derives the `aooth_authz` binding
98
+ * cookie's lifetime from `expiresAt`, so the cookie tracks the row's actual
99
+ * TTL even when a store is configured with a non-default `ttlMs`.
100
+ */
85
101
  abstract create(rec: NewPendingAuthorization): Promise<{
86
102
  handle: string;
103
+ expiresAt: number;
87
104
  }>;
88
105
  /** Fetch by handle, or `null` when unknown/expired. */
89
106
  abstract get(handle: string): Promise<PendingAuthorization | null>;
@@ -96,6 +113,8 @@ interface PendingAuthorizationStoreMemoryOptions {
96
113
  /** How long a pending authorization stays valid. Default 15 min. */
97
114
  ttlMs?: number;
98
115
  }
116
+ /** Default pending-authorization lifetime (15 min). Shared by the memory + atscript-db stores. */
117
+ declare const DEFAULT_PENDING_TTL_MS: number;
99
118
  /**
100
119
  * In-memory {@link PendingAuthorizationStore} — the reference impl for a
101
120
  * single-process app + tests. `structuredClone` on read/write isolates callers.
@@ -107,6 +126,7 @@ declare class PendingAuthorizationStoreMemory extends PendingAuthorizationStore
107
126
  constructor(opts?: PendingAuthorizationStoreMemoryOptions);
108
127
  create(rec: NewPendingAuthorization): Promise<{
109
128
  handle: string;
129
+ expiresAt: number;
110
130
  }>;
111
131
  get(handle: string): Promise<PendingAuthorization | null>;
112
132
  delete(handle: string): Promise<boolean>;
@@ -196,4 +216,4 @@ declare class AuthCodeStoreMemory extends AuthCodeStore {
196
216
  consume(code: string): Promise<AuthCode | null>;
197
217
  }
198
218
  //#endregion
199
- export { NewAuthCode as a, PendingAuthorizationStore as c, TokenPolicy as d, AuthCodeStoreMemoryOptions as i, PendingAuthorizationStoreMemory as l, AuthCodeStore as n, NewPendingAuthorization as o, AuthCodeStoreMemory as r, PendingAuthorization as s, AuthCode as t, PendingAuthorizationStoreMemoryOptions as u };
219
+ export { NewAuthCode as a, PendingAuthorization as c, PendingAuthorizationStoreMemoryOptions as d, TokenPolicy as f, AuthCodeStoreMemoryOptions as i, PendingAuthorizationStore as l, AuthCodeStore as n, DEFAULT_PENDING_TTL_MS as o, AuthCodeStoreMemory as r, NewPendingAuthorization as s, AuthCode as t, PendingAuthorizationStoreMemory as u };
package/dist/authz.cjs CHANGED
@@ -1,6 +1,6 @@
1
1
  Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
2
2
  const require_clock = require("./clock-Bl-H3eqE.cjs");
3
- const require_auth_code_store = require("./auth-code-store-CmUhRrwG.cjs");
3
+ const require_auth_code_store = require("./auth-code-store-B_m51OSB.cjs");
4
4
  let node_crypto = require("node:crypto");
5
5
  let jose = require("jose");
6
6
  //#region src/authz/authz-errors.ts
@@ -257,6 +257,7 @@ exports.AuthCodeStore = require_auth_code_store.AuthCodeStore;
257
257
  exports.AuthCodeStoreMemory = require_auth_code_store.AuthCodeStoreMemory;
258
258
  exports.AuthorizeError = AuthorizeError;
259
259
  exports.CompositeClientPolicy = CompositeClientPolicy;
260
+ exports.DEFAULT_PENDING_TTL_MS = require_auth_code_store.DEFAULT_PENDING_TTL_MS;
260
261
  exports.IdTokenSigner = IdTokenSigner;
261
262
  exports.LoopbackClientPolicy = LoopbackClientPolicy;
262
263
  exports.NoopOidcClaimsResolver = NoopOidcClaimsResolver;
package/dist/authz.d.cts CHANGED
@@ -1,5 +1,5 @@
1
1
  import { t as Clock } from "./clock-BjXa0LXb.cjs";
2
- import { a as NewAuthCode, c as PendingAuthorizationStore, d as TokenPolicy, i as AuthCodeStoreMemoryOptions, l as PendingAuthorizationStoreMemory, n as AuthCodeStore, o as NewPendingAuthorization, r as AuthCodeStoreMemory, s as PendingAuthorization, t as AuthCode, u as PendingAuthorizationStoreMemoryOptions } from "./auth-code-store-HOHlz_3z.cjs";
2
+ import { a as NewAuthCode, c as PendingAuthorization, d as PendingAuthorizationStoreMemoryOptions, f as TokenPolicy, i as AuthCodeStoreMemoryOptions, l as PendingAuthorizationStore, n as AuthCodeStore, o as DEFAULT_PENDING_TTL_MS, r as AuthCodeStoreMemory, s as NewPendingAuthorization, t as AuthCode, u as PendingAuthorizationStoreMemory } from "./auth-code-store-BZ88d_tq.cjs";
3
3
  import { JWK } from "jose";
4
4
 
5
5
  //#region src/authz/authz-errors.d.ts
@@ -304,4 +304,4 @@ declare class NoopOidcClaimsResolver extends OidcClaimsResolver {
304
304
  /** `true` when `scope` (space-joined) grants `claim` — `"email"`/`"profile"` etc. */
305
305
  declare function scopeGrants(scope: string | undefined, claim: string): boolean;
306
306
  //#endregion
307
- export { type AuthCode, AuthCodeStore, AuthCodeStoreMemory, type AuthCodeStoreMemoryOptions, AuthorizeError, type AuthorizeErrorCode, type ClientRedirectPolicy, CompositeClientPolicy, type CompositeClientPolicyOptions, type IdTokenAlg, type IdTokenClaims, IdTokenSigner, type IdTokenSignerOptions, LoopbackClientPolicy, type LoopbackClientPolicyOptions, type NewAuthCode, type NewPendingAuthorization, NoopOidcClaimsResolver, OidcClaimsResolver, type PendingAuthorization, PendingAuthorizationStore, PendingAuthorizationStoreMemory, type PendingAuthorizationStoreMemoryOptions, type RegisteredClient, RegisteredClientPolicy, type RegisteredClientPolicyOptions, type ResolvedClient, type TokenPolicy, isLoopbackRedirectUri, scopeGrants };
307
+ export { type AuthCode, AuthCodeStore, AuthCodeStoreMemory, type AuthCodeStoreMemoryOptions, AuthorizeError, type AuthorizeErrorCode, type ClientRedirectPolicy, CompositeClientPolicy, type CompositeClientPolicyOptions, DEFAULT_PENDING_TTL_MS, type IdTokenAlg, type IdTokenClaims, IdTokenSigner, type IdTokenSignerOptions, LoopbackClientPolicy, type LoopbackClientPolicyOptions, type NewAuthCode, type NewPendingAuthorization, NoopOidcClaimsResolver, OidcClaimsResolver, type PendingAuthorization, PendingAuthorizationStore, PendingAuthorizationStoreMemory, type PendingAuthorizationStoreMemoryOptions, type RegisteredClient, RegisteredClientPolicy, type RegisteredClientPolicyOptions, type ResolvedClient, type TokenPolicy, isLoopbackRedirectUri, scopeGrants };
package/dist/authz.d.mts CHANGED
@@ -1,5 +1,5 @@
1
1
  import { t as Clock } from "./clock-BjXa0LXb.mjs";
2
- import { a as NewAuthCode, c as PendingAuthorizationStore, d as TokenPolicy, i as AuthCodeStoreMemoryOptions, l as PendingAuthorizationStoreMemory, n as AuthCodeStore, o as NewPendingAuthorization, r as AuthCodeStoreMemory, s as PendingAuthorization, t as AuthCode, u as PendingAuthorizationStoreMemoryOptions } from "./auth-code-store-NqEDfqrf.mjs";
2
+ import { a as NewAuthCode, c as PendingAuthorization, d as PendingAuthorizationStoreMemoryOptions, f as TokenPolicy, i as AuthCodeStoreMemoryOptions, l as PendingAuthorizationStore, n as AuthCodeStore, o as DEFAULT_PENDING_TTL_MS, r as AuthCodeStoreMemory, s as NewPendingAuthorization, t as AuthCode, u as PendingAuthorizationStoreMemory } from "./auth-code-store-Om5MXNUT.mjs";
3
3
  import { JWK } from "jose";
4
4
 
5
5
  //#region src/authz/authz-errors.d.ts
@@ -304,4 +304,4 @@ declare class NoopOidcClaimsResolver extends OidcClaimsResolver {
304
304
  /** `true` when `scope` (space-joined) grants `claim` — `"email"`/`"profile"` etc. */
305
305
  declare function scopeGrants(scope: string | undefined, claim: string): boolean;
306
306
  //#endregion
307
- export { type AuthCode, AuthCodeStore, AuthCodeStoreMemory, type AuthCodeStoreMemoryOptions, AuthorizeError, type AuthorizeErrorCode, type ClientRedirectPolicy, CompositeClientPolicy, type CompositeClientPolicyOptions, type IdTokenAlg, type IdTokenClaims, IdTokenSigner, type IdTokenSignerOptions, LoopbackClientPolicy, type LoopbackClientPolicyOptions, type NewAuthCode, type NewPendingAuthorization, NoopOidcClaimsResolver, OidcClaimsResolver, type PendingAuthorization, PendingAuthorizationStore, PendingAuthorizationStoreMemory, type PendingAuthorizationStoreMemoryOptions, type RegisteredClient, RegisteredClientPolicy, type RegisteredClientPolicyOptions, type ResolvedClient, type TokenPolicy, isLoopbackRedirectUri, scopeGrants };
307
+ export { type AuthCode, AuthCodeStore, AuthCodeStoreMemory, type AuthCodeStoreMemoryOptions, AuthorizeError, type AuthorizeErrorCode, type ClientRedirectPolicy, CompositeClientPolicy, type CompositeClientPolicyOptions, DEFAULT_PENDING_TTL_MS, type IdTokenAlg, type IdTokenClaims, IdTokenSigner, type IdTokenSignerOptions, LoopbackClientPolicy, type LoopbackClientPolicyOptions, type NewAuthCode, type NewPendingAuthorization, NoopOidcClaimsResolver, OidcClaimsResolver, type PendingAuthorization, PendingAuthorizationStore, PendingAuthorizationStoreMemory, type PendingAuthorizationStoreMemoryOptions, type RegisteredClient, RegisteredClientPolicy, type RegisteredClientPolicyOptions, type ResolvedClient, type TokenPolicy, isLoopbackRedirectUri, scopeGrants };
package/dist/authz.mjs CHANGED
@@ -1,5 +1,5 @@
1
1
  import { t as defaultClock } from "./clock-Bdsep_1j.mjs";
2
- import { a as PendingAuthorizationStore, n as AuthCodeStoreMemory, o as PendingAuthorizationStoreMemory, t as AuthCodeStore } from "./auth-code-store-uaoL7dvU.mjs";
2
+ import { a as PendingAuthorizationStore, i as DEFAULT_PENDING_TTL_MS, n as AuthCodeStoreMemory, o as PendingAuthorizationStoreMemory, t as AuthCodeStore } from "./auth-code-store-Dqc4rEOx.mjs";
3
3
  import { timingSafeEqual } from "node:crypto";
4
4
  import { SignJWT, exportJWK, importPKCS8, importSPKI } from "jose";
5
5
  //#region src/authz/authz-errors.ts
@@ -252,4 +252,4 @@ var IdTokenSigner = class {
252
252
  }
253
253
  };
254
254
  //#endregion
255
- export { AuthCodeStore, AuthCodeStoreMemory, AuthorizeError, CompositeClientPolicy, IdTokenSigner, LoopbackClientPolicy, NoopOidcClaimsResolver, OidcClaimsResolver, PendingAuthorizationStore, PendingAuthorizationStoreMemory, RegisteredClientPolicy, isLoopbackRedirectUri, scopeGrants };
255
+ export { AuthCodeStore, AuthCodeStoreMemory, AuthorizeError, CompositeClientPolicy, DEFAULT_PENDING_TTL_MS, IdTokenSigner, LoopbackClientPolicy, NoopOidcClaimsResolver, OidcClaimsResolver, PendingAuthorizationStore, PendingAuthorizationStoreMemory, RegisteredClientPolicy, isLoopbackRedirectUri, scopeGrants };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@aooth/auth",
3
- "version": "0.1.15",
3
+ "version": "0.1.17",
4
4
  "description": "Auth method layer for aoothjs (sessions, tokens, password reset, MFA primitives)",
5
5
  "keywords": [
6
6
  "aoothjs",
@@ -94,17 +94,17 @@
94
94
  },
95
95
  "dependencies": {
96
96
  "jose": "^6.2.3",
97
- "@aooth/user": "0.1.15"
97
+ "@aooth/user": "0.1.17"
98
98
  },
99
99
  "devDependencies": {
100
- "@atscript/core": "^0.1.74",
101
- "@atscript/db": "^0.1.101",
102
- "@atscript/db-sql-tools": "^0.1.101",
103
- "@atscript/db-sqlite": "^0.1.101",
104
- "@atscript/typescript": "^0.1.74",
100
+ "@atscript/core": "^0.1.75",
101
+ "@atscript/db": "^0.1.104",
102
+ "@atscript/db-sql-tools": "^0.1.104",
103
+ "@atscript/db-sqlite": "^0.1.104",
104
+ "@atscript/typescript": "^0.1.75",
105
105
  "@types/better-sqlite3": "^7.6.13",
106
106
  "better-sqlite3": "^12.6.2",
107
- "unplugin-atscript": "^0.1.74"
107
+ "unplugin-atscript": "^0.1.75"
108
108
  },
109
109
  "peerDependencies": {
110
110
  "@atscript/db": ">=0.1.79"
@@ -36,6 +36,15 @@ export interface AoothPendingAuthorization {
36
36
  */
37
37
  tokenPolicy: string
38
38
 
39
+ /**
40
+ * High-entropy browser-binding secret (AUTH-SERVER.md §6). Mirrored into the
41
+ * `aooth_authz` cookie at `/authorize`; the code-minting terminal accepts the
42
+ * handle only when the request carries a cookie that constant-time-matches
43
+ * this — so the opaque handle can't be redeemed in a browser it was phished
44
+ * into.
45
+ */
46
+ binding: string
47
+
39
48
  createdAt: number.timestamp
40
49
  /** Lazy-GC'd on read once past. */
41
50
  expiresAt: number.timestamp
@@ -25,6 +25,7 @@ export declare class AoothPendingAuthorization {
25
25
  accessToken?: boolean
26
26
  audience?: string
27
27
  tokenPolicy: string
28
+ binding: string
28
29
  createdAt: number /* timestamp */
29
30
  expiresAt: number /* timestamp */
30
31
  static __is_atscript_annotated_type: true
@@ -47,6 +48,7 @@ export declare class AoothPendingAuthorization {
47
48
  "accessToken"?: boolean
48
49
  "audience"?: string
49
50
  "tokenPolicy": string
51
+ "binding": string
50
52
  "createdAt": number /* timestamp */
51
53
  "expiresAt": number /* timestamp */
52
54
  }
@@ -62,6 +64,7 @@ export declare class AoothPendingAuthorization {
62
64
  "accessToken"?: boolean
63
65
  "audience"?: string
64
66
  "tokenPolicy": string
67
+ "binding": string
65
68
  "createdAt": number /* timestamp */
66
69
  "expiresAt": number /* timestamp */
67
70
  }