@aooth/auth 0.1.15 → 0.1.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/atscript-db.cjs +9 -3
- package/dist/atscript-db.d.cts +4 -1
- package/dist/atscript-db.d.mts +4 -1
- package/dist/atscript-db.mjs +9 -3
- package/dist/{auth-code-store-HOHlz_3z.d.cts → auth-code-store-BZ88d_tq.d.cts} +22 -2
- package/dist/{auth-code-store-CmUhRrwG.cjs → auth-code-store-B_m51OSB.cjs} +5 -1
- package/dist/{auth-code-store-uaoL7dvU.mjs → auth-code-store-Dqc4rEOx.mjs} +5 -1
- package/dist/{auth-code-store-NqEDfqrf.d.mts → auth-code-store-Om5MXNUT.d.mts} +22 -2
- package/dist/authz.cjs +2 -1
- package/dist/authz.d.cts +2 -2
- package/dist/authz.d.mts +2 -2
- package/dist/authz.mjs +2 -2
- package/package.json +8 -8
- package/src/atscript-db/pending-authorization.as +9 -0
- package/src/atscript-db/pending-authorization.as.d.ts +3 -0
package/dist/atscript-db.cjs
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
|
|
2
2
|
const require_clock = require("./clock-Bl-H3eqE.cjs");
|
|
3
3
|
const require_payload = require("./payload-BJjvj8AH.cjs");
|
|
4
|
-
const require_auth_code_store = require("./auth-code-store-
|
|
4
|
+
const require_auth_code_store = require("./auth-code-store-B_m51OSB.cjs");
|
|
5
5
|
let node_crypto = require("node:crypto");
|
|
6
6
|
//#region src/atscript-db/authz-stores.ts
|
|
7
7
|
/**
|
|
@@ -22,13 +22,15 @@ var PendingAuthorizationStoreAtscriptDb = class extends require_auth_code_store.
|
|
|
22
22
|
async create(rec) {
|
|
23
23
|
const now = this.clock.now();
|
|
24
24
|
const handle = (0, node_crypto.randomUUID)();
|
|
25
|
+
const expiresAt = now + this.ttlMs;
|
|
25
26
|
await this.table.insertOne({
|
|
26
27
|
handle,
|
|
27
28
|
redirectUri: rec.redirectUri,
|
|
28
29
|
codeChallenge: rec.codeChallenge,
|
|
29
30
|
tokenPolicy: JSON.stringify(rec.tokenPolicy),
|
|
31
|
+
binding: rec.binding,
|
|
30
32
|
createdAt: now,
|
|
31
|
-
expiresAt
|
|
33
|
+
expiresAt,
|
|
32
34
|
...rec.clientId !== void 0 && { clientId: rec.clientId },
|
|
33
35
|
...rec.clientState !== void 0 && { clientState: rec.clientState },
|
|
34
36
|
...rec.scope !== void 0 && { scope: rec.scope },
|
|
@@ -37,7 +39,10 @@ var PendingAuthorizationStoreAtscriptDb = class extends require_auth_code_store.
|
|
|
37
39
|
...rec.accessToken !== void 0 && { accessToken: rec.accessToken },
|
|
38
40
|
...rec.audience !== void 0 && { audience: rec.audience }
|
|
39
41
|
});
|
|
40
|
-
return {
|
|
42
|
+
return {
|
|
43
|
+
handle,
|
|
44
|
+
expiresAt
|
|
45
|
+
};
|
|
41
46
|
}
|
|
42
47
|
async get(handle) {
|
|
43
48
|
const row = await this.table.findOne({ filter: { handle } });
|
|
@@ -59,6 +64,7 @@ function rowToPending(row) {
|
|
|
59
64
|
redirectUri: row.redirectUri,
|
|
60
65
|
codeChallenge: row.codeChallenge,
|
|
61
66
|
tokenPolicy: JSON.parse(row.tokenPolicy),
|
|
67
|
+
binding: row.binding,
|
|
62
68
|
createdAt: row.createdAt,
|
|
63
69
|
expiresAt: row.expiresAt
|
|
64
70
|
};
|
package/dist/atscript-db.d.cts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { a as CredentialState, t as CredentialStore } from "./store-BG6m6oSJ.cjs";
|
|
2
2
|
import { t as Clock } from "./clock-BjXa0LXb.cjs";
|
|
3
|
-
import { a as NewAuthCode, c as
|
|
3
|
+
import { a as NewAuthCode, c as PendingAuthorization, l as PendingAuthorizationStore, n as AuthCodeStore, s as NewPendingAuthorization, t as AuthCode } from "./auth-code-store-BZ88d_tq.cjs";
|
|
4
4
|
|
|
5
5
|
//#region src/atscript-db/authz-stores.d.ts
|
|
6
6
|
/**
|
|
@@ -30,6 +30,8 @@ interface PendingAuthorizationRow {
|
|
|
30
30
|
audience?: string;
|
|
31
31
|
/** `JSON.stringify(TokenPolicy)`. */
|
|
32
32
|
tokenPolicy: string;
|
|
33
|
+
/** Browser-binding secret — mirrored into the `aooth_authz` cookie at `/authorize`. */
|
|
34
|
+
binding: string;
|
|
33
35
|
createdAt: number;
|
|
34
36
|
expiresAt: number;
|
|
35
37
|
}
|
|
@@ -69,6 +71,7 @@ declare class PendingAuthorizationStoreAtscriptDb extends PendingAuthorizationSt
|
|
|
69
71
|
constructor(opts: PendingAuthorizationStoreAtscriptDbOptions);
|
|
70
72
|
create(rec: NewPendingAuthorization): Promise<{
|
|
71
73
|
handle: string;
|
|
74
|
+
expiresAt: number;
|
|
72
75
|
}>;
|
|
73
76
|
get(handle: string): Promise<PendingAuthorization | null>;
|
|
74
77
|
delete(handle: string): Promise<boolean>;
|
package/dist/atscript-db.d.mts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { a as CredentialState, t as CredentialStore } from "./store-BG6m6oSJ.mjs";
|
|
2
2
|
import { t as Clock } from "./clock-BjXa0LXb.mjs";
|
|
3
|
-
import { a as NewAuthCode, c as
|
|
3
|
+
import { a as NewAuthCode, c as PendingAuthorization, l as PendingAuthorizationStore, n as AuthCodeStore, s as NewPendingAuthorization, t as AuthCode } from "./auth-code-store-Om5MXNUT.mjs";
|
|
4
4
|
|
|
5
5
|
//#region src/atscript-db/authz-stores.d.ts
|
|
6
6
|
/**
|
|
@@ -30,6 +30,8 @@ interface PendingAuthorizationRow {
|
|
|
30
30
|
audience?: string;
|
|
31
31
|
/** `JSON.stringify(TokenPolicy)`. */
|
|
32
32
|
tokenPolicy: string;
|
|
33
|
+
/** Browser-binding secret — mirrored into the `aooth_authz` cookie at `/authorize`. */
|
|
34
|
+
binding: string;
|
|
33
35
|
createdAt: number;
|
|
34
36
|
expiresAt: number;
|
|
35
37
|
}
|
|
@@ -69,6 +71,7 @@ declare class PendingAuthorizationStoreAtscriptDb extends PendingAuthorizationSt
|
|
|
69
71
|
constructor(opts: PendingAuthorizationStoreAtscriptDbOptions);
|
|
70
72
|
create(rec: NewPendingAuthorization): Promise<{
|
|
71
73
|
handle: string;
|
|
74
|
+
expiresAt: number;
|
|
72
75
|
}>;
|
|
73
76
|
get(handle: string): Promise<PendingAuthorization | null>;
|
|
74
77
|
delete(handle: string): Promise<boolean>;
|
package/dist/atscript-db.mjs
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { t as defaultClock } from "./clock-Bdsep_1j.mjs";
|
|
2
2
|
import { t as credentialPayloadOf } from "./payload-D-DzH5-J.mjs";
|
|
3
|
-
import { a as PendingAuthorizationStore, t as AuthCodeStore } from "./auth-code-store-
|
|
3
|
+
import { a as PendingAuthorizationStore, t as AuthCodeStore } from "./auth-code-store-Dqc4rEOx.mjs";
|
|
4
4
|
import { randomUUID } from "node:crypto";
|
|
5
5
|
//#region src/atscript-db/authz-stores.ts
|
|
6
6
|
/**
|
|
@@ -21,13 +21,15 @@ var PendingAuthorizationStoreAtscriptDb = class extends PendingAuthorizationStor
|
|
|
21
21
|
async create(rec) {
|
|
22
22
|
const now = this.clock.now();
|
|
23
23
|
const handle = randomUUID();
|
|
24
|
+
const expiresAt = now + this.ttlMs;
|
|
24
25
|
await this.table.insertOne({
|
|
25
26
|
handle,
|
|
26
27
|
redirectUri: rec.redirectUri,
|
|
27
28
|
codeChallenge: rec.codeChallenge,
|
|
28
29
|
tokenPolicy: JSON.stringify(rec.tokenPolicy),
|
|
30
|
+
binding: rec.binding,
|
|
29
31
|
createdAt: now,
|
|
30
|
-
expiresAt
|
|
32
|
+
expiresAt,
|
|
31
33
|
...rec.clientId !== void 0 && { clientId: rec.clientId },
|
|
32
34
|
...rec.clientState !== void 0 && { clientState: rec.clientState },
|
|
33
35
|
...rec.scope !== void 0 && { scope: rec.scope },
|
|
@@ -36,7 +38,10 @@ var PendingAuthorizationStoreAtscriptDb = class extends PendingAuthorizationStor
|
|
|
36
38
|
...rec.accessToken !== void 0 && { accessToken: rec.accessToken },
|
|
37
39
|
...rec.audience !== void 0 && { audience: rec.audience }
|
|
38
40
|
});
|
|
39
|
-
return {
|
|
41
|
+
return {
|
|
42
|
+
handle,
|
|
43
|
+
expiresAt
|
|
44
|
+
};
|
|
40
45
|
}
|
|
41
46
|
async get(handle) {
|
|
42
47
|
const row = await this.table.findOne({ filter: { handle } });
|
|
@@ -58,6 +63,7 @@ function rowToPending(row) {
|
|
|
58
63
|
redirectUri: row.redirectUri,
|
|
59
64
|
codeChallenge: row.codeChallenge,
|
|
60
65
|
tokenPolicy: JSON.parse(row.tokenPolicy),
|
|
66
|
+
binding: row.binding,
|
|
61
67
|
createdAt: row.createdAt,
|
|
62
68
|
expiresAt: row.expiresAt
|
|
63
69
|
};
|
|
@@ -57,6 +57,15 @@ interface PendingAuthorization {
|
|
|
57
57
|
audience?: string;
|
|
58
58
|
/** What the grant will mint (fixed at authorize time). */
|
|
59
59
|
tokenPolicy: TokenPolicy;
|
|
60
|
+
/**
|
|
61
|
+
* High-entropy browser-binding secret (AUTH-SERVER.md §6). Set at
|
|
62
|
+
* `/auth/authorize` and mirrored into the `aooth_authz` cookie; the
|
|
63
|
+
* code-minting terminal accepts the handle ONLY when the request carries a
|
|
64
|
+
* cookie that constant-time-matches this value — so the opaque handle can be
|
|
65
|
+
* redeemed only by the browser that started the request, not one it was
|
|
66
|
+
* phished into.
|
|
67
|
+
*/
|
|
68
|
+
binding: string;
|
|
60
69
|
createdAt: number;
|
|
61
70
|
expiresAt: number;
|
|
62
71
|
}
|
|
@@ -72,6 +81,8 @@ interface NewPendingAuthorization {
|
|
|
72
81
|
accessToken?: boolean;
|
|
73
82
|
audience?: string;
|
|
74
83
|
tokenPolicy: TokenPolicy;
|
|
84
|
+
/** Browser-binding secret (see {@link PendingAuthorization.binding}). */
|
|
85
|
+
binding: string;
|
|
75
86
|
}
|
|
76
87
|
/**
|
|
77
88
|
* Storage seam for in-flight authorizations (AUTH-SERVER.md §4.3). Short-lived
|
|
@@ -81,9 +92,15 @@ interface NewPendingAuthorization {
|
|
|
81
92
|
* `PENDING_AUTHORIZATION_STORE_TOKEN` (from `@aooth/auth-moost`).
|
|
82
93
|
*/
|
|
83
94
|
declare abstract class PendingAuthorizationStore {
|
|
84
|
-
/**
|
|
95
|
+
/**
|
|
96
|
+
* Record a new pending authorization; returns its opaque `handle` and the
|
|
97
|
+
* row's `expiresAt` (epoch ms). The caller derives the `aooth_authz` binding
|
|
98
|
+
* cookie's lifetime from `expiresAt`, so the cookie tracks the row's actual
|
|
99
|
+
* TTL even when a store is configured with a non-default `ttlMs`.
|
|
100
|
+
*/
|
|
85
101
|
abstract create(rec: NewPendingAuthorization): Promise<{
|
|
86
102
|
handle: string;
|
|
103
|
+
expiresAt: number;
|
|
87
104
|
}>;
|
|
88
105
|
/** Fetch by handle, or `null` when unknown/expired. */
|
|
89
106
|
abstract get(handle: string): Promise<PendingAuthorization | null>;
|
|
@@ -96,6 +113,8 @@ interface PendingAuthorizationStoreMemoryOptions {
|
|
|
96
113
|
/** How long a pending authorization stays valid. Default 15 min. */
|
|
97
114
|
ttlMs?: number;
|
|
98
115
|
}
|
|
116
|
+
/** Default pending-authorization lifetime (15 min). Shared by the memory + atscript-db stores. */
|
|
117
|
+
declare const DEFAULT_PENDING_TTL_MS: number;
|
|
99
118
|
/**
|
|
100
119
|
* In-memory {@link PendingAuthorizationStore} — the reference impl for a
|
|
101
120
|
* single-process app + tests. `structuredClone` on read/write isolates callers.
|
|
@@ -107,6 +126,7 @@ declare class PendingAuthorizationStoreMemory extends PendingAuthorizationStore
|
|
|
107
126
|
constructor(opts?: PendingAuthorizationStoreMemoryOptions);
|
|
108
127
|
create(rec: NewPendingAuthorization): Promise<{
|
|
109
128
|
handle: string;
|
|
129
|
+
expiresAt: number;
|
|
110
130
|
}>;
|
|
111
131
|
get(handle: string): Promise<PendingAuthorization | null>;
|
|
112
132
|
delete(handle: string): Promise<boolean>;
|
|
@@ -196,4 +216,4 @@ declare class AuthCodeStoreMemory extends AuthCodeStore {
|
|
|
196
216
|
consume(code: string): Promise<AuthCode | null>;
|
|
197
217
|
}
|
|
198
218
|
//#endregion
|
|
199
|
-
export { NewAuthCode as a,
|
|
219
|
+
export { NewAuthCode as a, PendingAuthorization as c, PendingAuthorizationStoreMemoryOptions as d, TokenPolicy as f, AuthCodeStoreMemoryOptions as i, PendingAuthorizationStore as l, AuthCodeStore as n, DEFAULT_PENDING_TTL_MS as o, AuthCodeStoreMemory as r, NewPendingAuthorization as s, AuthCode as t, PendingAuthorizationStoreMemory as u };
|
|
@@ -31,6 +31,7 @@ var PendingAuthorizationStoreMemory = class extends PendingAuthorizationStore {
|
|
|
31
31
|
redirectUri: rec.redirectUri,
|
|
32
32
|
codeChallenge: rec.codeChallenge,
|
|
33
33
|
tokenPolicy: structuredClone(rec.tokenPolicy),
|
|
34
|
+
binding: rec.binding,
|
|
34
35
|
createdAt: now,
|
|
35
36
|
expiresAt: now + this.ttlMs,
|
|
36
37
|
...rec.clientId !== void 0 && { clientId: rec.clientId },
|
|
@@ -42,7 +43,10 @@ var PendingAuthorizationStoreMemory = class extends PendingAuthorizationStore {
|
|
|
42
43
|
...rec.audience !== void 0 && { audience: rec.audience }
|
|
43
44
|
};
|
|
44
45
|
this.store.set(row.handle, structuredClone(row));
|
|
45
|
-
return {
|
|
46
|
+
return {
|
|
47
|
+
handle: row.handle,
|
|
48
|
+
expiresAt: row.expiresAt
|
|
49
|
+
};
|
|
46
50
|
}
|
|
47
51
|
async get(handle) {
|
|
48
52
|
const row = this.store.get(handle);
|
|
@@ -31,6 +31,7 @@ var PendingAuthorizationStoreMemory = class extends PendingAuthorizationStore {
|
|
|
31
31
|
redirectUri: rec.redirectUri,
|
|
32
32
|
codeChallenge: rec.codeChallenge,
|
|
33
33
|
tokenPolicy: structuredClone(rec.tokenPolicy),
|
|
34
|
+
binding: rec.binding,
|
|
34
35
|
createdAt: now,
|
|
35
36
|
expiresAt: now + this.ttlMs,
|
|
36
37
|
...rec.clientId !== void 0 && { clientId: rec.clientId },
|
|
@@ -42,7 +43,10 @@ var PendingAuthorizationStoreMemory = class extends PendingAuthorizationStore {
|
|
|
42
43
|
...rec.audience !== void 0 && { audience: rec.audience }
|
|
43
44
|
};
|
|
44
45
|
this.store.set(row.handle, structuredClone(row));
|
|
45
|
-
return {
|
|
46
|
+
return {
|
|
47
|
+
handle: row.handle,
|
|
48
|
+
expiresAt: row.expiresAt
|
|
49
|
+
};
|
|
46
50
|
}
|
|
47
51
|
async get(handle) {
|
|
48
52
|
const row = this.store.get(handle);
|
|
@@ -57,6 +57,15 @@ interface PendingAuthorization {
|
|
|
57
57
|
audience?: string;
|
|
58
58
|
/** What the grant will mint (fixed at authorize time). */
|
|
59
59
|
tokenPolicy: TokenPolicy;
|
|
60
|
+
/**
|
|
61
|
+
* High-entropy browser-binding secret (AUTH-SERVER.md §6). Set at
|
|
62
|
+
* `/auth/authorize` and mirrored into the `aooth_authz` cookie; the
|
|
63
|
+
* code-minting terminal accepts the handle ONLY when the request carries a
|
|
64
|
+
* cookie that constant-time-matches this value — so the opaque handle can be
|
|
65
|
+
* redeemed only by the browser that started the request, not one it was
|
|
66
|
+
* phished into.
|
|
67
|
+
*/
|
|
68
|
+
binding: string;
|
|
60
69
|
createdAt: number;
|
|
61
70
|
expiresAt: number;
|
|
62
71
|
}
|
|
@@ -72,6 +81,8 @@ interface NewPendingAuthorization {
|
|
|
72
81
|
accessToken?: boolean;
|
|
73
82
|
audience?: string;
|
|
74
83
|
tokenPolicy: TokenPolicy;
|
|
84
|
+
/** Browser-binding secret (see {@link PendingAuthorization.binding}). */
|
|
85
|
+
binding: string;
|
|
75
86
|
}
|
|
76
87
|
/**
|
|
77
88
|
* Storage seam for in-flight authorizations (AUTH-SERVER.md §4.3). Short-lived
|
|
@@ -81,9 +92,15 @@ interface NewPendingAuthorization {
|
|
|
81
92
|
* `PENDING_AUTHORIZATION_STORE_TOKEN` (from `@aooth/auth-moost`).
|
|
82
93
|
*/
|
|
83
94
|
declare abstract class PendingAuthorizationStore {
|
|
84
|
-
/**
|
|
95
|
+
/**
|
|
96
|
+
* Record a new pending authorization; returns its opaque `handle` and the
|
|
97
|
+
* row's `expiresAt` (epoch ms). The caller derives the `aooth_authz` binding
|
|
98
|
+
* cookie's lifetime from `expiresAt`, so the cookie tracks the row's actual
|
|
99
|
+
* TTL even when a store is configured with a non-default `ttlMs`.
|
|
100
|
+
*/
|
|
85
101
|
abstract create(rec: NewPendingAuthorization): Promise<{
|
|
86
102
|
handle: string;
|
|
103
|
+
expiresAt: number;
|
|
87
104
|
}>;
|
|
88
105
|
/** Fetch by handle, or `null` when unknown/expired. */
|
|
89
106
|
abstract get(handle: string): Promise<PendingAuthorization | null>;
|
|
@@ -96,6 +113,8 @@ interface PendingAuthorizationStoreMemoryOptions {
|
|
|
96
113
|
/** How long a pending authorization stays valid. Default 15 min. */
|
|
97
114
|
ttlMs?: number;
|
|
98
115
|
}
|
|
116
|
+
/** Default pending-authorization lifetime (15 min). Shared by the memory + atscript-db stores. */
|
|
117
|
+
declare const DEFAULT_PENDING_TTL_MS: number;
|
|
99
118
|
/**
|
|
100
119
|
* In-memory {@link PendingAuthorizationStore} — the reference impl for a
|
|
101
120
|
* single-process app + tests. `structuredClone` on read/write isolates callers.
|
|
@@ -107,6 +126,7 @@ declare class PendingAuthorizationStoreMemory extends PendingAuthorizationStore
|
|
|
107
126
|
constructor(opts?: PendingAuthorizationStoreMemoryOptions);
|
|
108
127
|
create(rec: NewPendingAuthorization): Promise<{
|
|
109
128
|
handle: string;
|
|
129
|
+
expiresAt: number;
|
|
110
130
|
}>;
|
|
111
131
|
get(handle: string): Promise<PendingAuthorization | null>;
|
|
112
132
|
delete(handle: string): Promise<boolean>;
|
|
@@ -196,4 +216,4 @@ declare class AuthCodeStoreMemory extends AuthCodeStore {
|
|
|
196
216
|
consume(code: string): Promise<AuthCode | null>;
|
|
197
217
|
}
|
|
198
218
|
//#endregion
|
|
199
|
-
export { NewAuthCode as a,
|
|
219
|
+
export { NewAuthCode as a, PendingAuthorization as c, PendingAuthorizationStoreMemoryOptions as d, TokenPolicy as f, AuthCodeStoreMemoryOptions as i, PendingAuthorizationStore as l, AuthCodeStore as n, DEFAULT_PENDING_TTL_MS as o, AuthCodeStoreMemory as r, NewPendingAuthorization as s, AuthCode as t, PendingAuthorizationStoreMemory as u };
|
package/dist/authz.cjs
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
|
|
2
2
|
const require_clock = require("./clock-Bl-H3eqE.cjs");
|
|
3
|
-
const require_auth_code_store = require("./auth-code-store-
|
|
3
|
+
const require_auth_code_store = require("./auth-code-store-B_m51OSB.cjs");
|
|
4
4
|
let node_crypto = require("node:crypto");
|
|
5
5
|
let jose = require("jose");
|
|
6
6
|
//#region src/authz/authz-errors.ts
|
|
@@ -257,6 +257,7 @@ exports.AuthCodeStore = require_auth_code_store.AuthCodeStore;
|
|
|
257
257
|
exports.AuthCodeStoreMemory = require_auth_code_store.AuthCodeStoreMemory;
|
|
258
258
|
exports.AuthorizeError = AuthorizeError;
|
|
259
259
|
exports.CompositeClientPolicy = CompositeClientPolicy;
|
|
260
|
+
exports.DEFAULT_PENDING_TTL_MS = require_auth_code_store.DEFAULT_PENDING_TTL_MS;
|
|
260
261
|
exports.IdTokenSigner = IdTokenSigner;
|
|
261
262
|
exports.LoopbackClientPolicy = LoopbackClientPolicy;
|
|
262
263
|
exports.NoopOidcClaimsResolver = NoopOidcClaimsResolver;
|
package/dist/authz.d.cts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { t as Clock } from "./clock-BjXa0LXb.cjs";
|
|
2
|
-
import { a as NewAuthCode, c as
|
|
2
|
+
import { a as NewAuthCode, c as PendingAuthorization, d as PendingAuthorizationStoreMemoryOptions, f as TokenPolicy, i as AuthCodeStoreMemoryOptions, l as PendingAuthorizationStore, n as AuthCodeStore, o as DEFAULT_PENDING_TTL_MS, r as AuthCodeStoreMemory, s as NewPendingAuthorization, t as AuthCode, u as PendingAuthorizationStoreMemory } from "./auth-code-store-BZ88d_tq.cjs";
|
|
3
3
|
import { JWK } from "jose";
|
|
4
4
|
|
|
5
5
|
//#region src/authz/authz-errors.d.ts
|
|
@@ -304,4 +304,4 @@ declare class NoopOidcClaimsResolver extends OidcClaimsResolver {
|
|
|
304
304
|
/** `true` when `scope` (space-joined) grants `claim` — `"email"`/`"profile"` etc. */
|
|
305
305
|
declare function scopeGrants(scope: string | undefined, claim: string): boolean;
|
|
306
306
|
//#endregion
|
|
307
|
-
export { type AuthCode, AuthCodeStore, AuthCodeStoreMemory, type AuthCodeStoreMemoryOptions, AuthorizeError, type AuthorizeErrorCode, type ClientRedirectPolicy, CompositeClientPolicy, type CompositeClientPolicyOptions, type IdTokenAlg, type IdTokenClaims, IdTokenSigner, type IdTokenSignerOptions, LoopbackClientPolicy, type LoopbackClientPolicyOptions, type NewAuthCode, type NewPendingAuthorization, NoopOidcClaimsResolver, OidcClaimsResolver, type PendingAuthorization, PendingAuthorizationStore, PendingAuthorizationStoreMemory, type PendingAuthorizationStoreMemoryOptions, type RegisteredClient, RegisteredClientPolicy, type RegisteredClientPolicyOptions, type ResolvedClient, type TokenPolicy, isLoopbackRedirectUri, scopeGrants };
|
|
307
|
+
export { type AuthCode, AuthCodeStore, AuthCodeStoreMemory, type AuthCodeStoreMemoryOptions, AuthorizeError, type AuthorizeErrorCode, type ClientRedirectPolicy, CompositeClientPolicy, type CompositeClientPolicyOptions, DEFAULT_PENDING_TTL_MS, type IdTokenAlg, type IdTokenClaims, IdTokenSigner, type IdTokenSignerOptions, LoopbackClientPolicy, type LoopbackClientPolicyOptions, type NewAuthCode, type NewPendingAuthorization, NoopOidcClaimsResolver, OidcClaimsResolver, type PendingAuthorization, PendingAuthorizationStore, PendingAuthorizationStoreMemory, type PendingAuthorizationStoreMemoryOptions, type RegisteredClient, RegisteredClientPolicy, type RegisteredClientPolicyOptions, type ResolvedClient, type TokenPolicy, isLoopbackRedirectUri, scopeGrants };
|
package/dist/authz.d.mts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { t as Clock } from "./clock-BjXa0LXb.mjs";
|
|
2
|
-
import { a as NewAuthCode, c as
|
|
2
|
+
import { a as NewAuthCode, c as PendingAuthorization, d as PendingAuthorizationStoreMemoryOptions, f as TokenPolicy, i as AuthCodeStoreMemoryOptions, l as PendingAuthorizationStore, n as AuthCodeStore, o as DEFAULT_PENDING_TTL_MS, r as AuthCodeStoreMemory, s as NewPendingAuthorization, t as AuthCode, u as PendingAuthorizationStoreMemory } from "./auth-code-store-Om5MXNUT.mjs";
|
|
3
3
|
import { JWK } from "jose";
|
|
4
4
|
|
|
5
5
|
//#region src/authz/authz-errors.d.ts
|
|
@@ -304,4 +304,4 @@ declare class NoopOidcClaimsResolver extends OidcClaimsResolver {
|
|
|
304
304
|
/** `true` when `scope` (space-joined) grants `claim` — `"email"`/`"profile"` etc. */
|
|
305
305
|
declare function scopeGrants(scope: string | undefined, claim: string): boolean;
|
|
306
306
|
//#endregion
|
|
307
|
-
export { type AuthCode, AuthCodeStore, AuthCodeStoreMemory, type AuthCodeStoreMemoryOptions, AuthorizeError, type AuthorizeErrorCode, type ClientRedirectPolicy, CompositeClientPolicy, type CompositeClientPolicyOptions, type IdTokenAlg, type IdTokenClaims, IdTokenSigner, type IdTokenSignerOptions, LoopbackClientPolicy, type LoopbackClientPolicyOptions, type NewAuthCode, type NewPendingAuthorization, NoopOidcClaimsResolver, OidcClaimsResolver, type PendingAuthorization, PendingAuthorizationStore, PendingAuthorizationStoreMemory, type PendingAuthorizationStoreMemoryOptions, type RegisteredClient, RegisteredClientPolicy, type RegisteredClientPolicyOptions, type ResolvedClient, type TokenPolicy, isLoopbackRedirectUri, scopeGrants };
|
|
307
|
+
export { type AuthCode, AuthCodeStore, AuthCodeStoreMemory, type AuthCodeStoreMemoryOptions, AuthorizeError, type AuthorizeErrorCode, type ClientRedirectPolicy, CompositeClientPolicy, type CompositeClientPolicyOptions, DEFAULT_PENDING_TTL_MS, type IdTokenAlg, type IdTokenClaims, IdTokenSigner, type IdTokenSignerOptions, LoopbackClientPolicy, type LoopbackClientPolicyOptions, type NewAuthCode, type NewPendingAuthorization, NoopOidcClaimsResolver, OidcClaimsResolver, type PendingAuthorization, PendingAuthorizationStore, PendingAuthorizationStoreMemory, type PendingAuthorizationStoreMemoryOptions, type RegisteredClient, RegisteredClientPolicy, type RegisteredClientPolicyOptions, type ResolvedClient, type TokenPolicy, isLoopbackRedirectUri, scopeGrants };
|
package/dist/authz.mjs
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { t as defaultClock } from "./clock-Bdsep_1j.mjs";
|
|
2
|
-
import { a as PendingAuthorizationStore, n as AuthCodeStoreMemory, o as PendingAuthorizationStoreMemory, t as AuthCodeStore } from "./auth-code-store-
|
|
2
|
+
import { a as PendingAuthorizationStore, i as DEFAULT_PENDING_TTL_MS, n as AuthCodeStoreMemory, o as PendingAuthorizationStoreMemory, t as AuthCodeStore } from "./auth-code-store-Dqc4rEOx.mjs";
|
|
3
3
|
import { timingSafeEqual } from "node:crypto";
|
|
4
4
|
import { SignJWT, exportJWK, importPKCS8, importSPKI } from "jose";
|
|
5
5
|
//#region src/authz/authz-errors.ts
|
|
@@ -252,4 +252,4 @@ var IdTokenSigner = class {
|
|
|
252
252
|
}
|
|
253
253
|
};
|
|
254
254
|
//#endregion
|
|
255
|
-
export { AuthCodeStore, AuthCodeStoreMemory, AuthorizeError, CompositeClientPolicy, IdTokenSigner, LoopbackClientPolicy, NoopOidcClaimsResolver, OidcClaimsResolver, PendingAuthorizationStore, PendingAuthorizationStoreMemory, RegisteredClientPolicy, isLoopbackRedirectUri, scopeGrants };
|
|
255
|
+
export { AuthCodeStore, AuthCodeStoreMemory, AuthorizeError, CompositeClientPolicy, DEFAULT_PENDING_TTL_MS, IdTokenSigner, LoopbackClientPolicy, NoopOidcClaimsResolver, OidcClaimsResolver, PendingAuthorizationStore, PendingAuthorizationStoreMemory, RegisteredClientPolicy, isLoopbackRedirectUri, scopeGrants };
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@aooth/auth",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.17",
|
|
4
4
|
"description": "Auth method layer for aoothjs (sessions, tokens, password reset, MFA primitives)",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"aoothjs",
|
|
@@ -94,17 +94,17 @@
|
|
|
94
94
|
},
|
|
95
95
|
"dependencies": {
|
|
96
96
|
"jose": "^6.2.3",
|
|
97
|
-
"@aooth/user": "0.1.
|
|
97
|
+
"@aooth/user": "0.1.17"
|
|
98
98
|
},
|
|
99
99
|
"devDependencies": {
|
|
100
|
-
"@atscript/core": "^0.1.
|
|
101
|
-
"@atscript/db": "^0.1.
|
|
102
|
-
"@atscript/db-sql-tools": "^0.1.
|
|
103
|
-
"@atscript/db-sqlite": "^0.1.
|
|
104
|
-
"@atscript/typescript": "^0.1.
|
|
100
|
+
"@atscript/core": "^0.1.75",
|
|
101
|
+
"@atscript/db": "^0.1.104",
|
|
102
|
+
"@atscript/db-sql-tools": "^0.1.104",
|
|
103
|
+
"@atscript/db-sqlite": "^0.1.104",
|
|
104
|
+
"@atscript/typescript": "^0.1.75",
|
|
105
105
|
"@types/better-sqlite3": "^7.6.13",
|
|
106
106
|
"better-sqlite3": "^12.6.2",
|
|
107
|
-
"unplugin-atscript": "^0.1.
|
|
107
|
+
"unplugin-atscript": "^0.1.75"
|
|
108
108
|
},
|
|
109
109
|
"peerDependencies": {
|
|
110
110
|
"@atscript/db": ">=0.1.79"
|
|
@@ -36,6 +36,15 @@ export interface AoothPendingAuthorization {
|
|
|
36
36
|
*/
|
|
37
37
|
tokenPolicy: string
|
|
38
38
|
|
|
39
|
+
/**
|
|
40
|
+
* High-entropy browser-binding secret (AUTH-SERVER.md §6). Mirrored into the
|
|
41
|
+
* `aooth_authz` cookie at `/authorize`; the code-minting terminal accepts the
|
|
42
|
+
* handle only when the request carries a cookie that constant-time-matches
|
|
43
|
+
* this — so the opaque handle can't be redeemed in a browser it was phished
|
|
44
|
+
* into.
|
|
45
|
+
*/
|
|
46
|
+
binding: string
|
|
47
|
+
|
|
39
48
|
createdAt: number.timestamp
|
|
40
49
|
/** Lazy-GC'd on read once past. */
|
|
41
50
|
expiresAt: number.timestamp
|
|
@@ -25,6 +25,7 @@ export declare class AoothPendingAuthorization {
|
|
|
25
25
|
accessToken?: boolean
|
|
26
26
|
audience?: string
|
|
27
27
|
tokenPolicy: string
|
|
28
|
+
binding: string
|
|
28
29
|
createdAt: number /* timestamp */
|
|
29
30
|
expiresAt: number /* timestamp */
|
|
30
31
|
static __is_atscript_annotated_type: true
|
|
@@ -47,6 +48,7 @@ export declare class AoothPendingAuthorization {
|
|
|
47
48
|
"accessToken"?: boolean
|
|
48
49
|
"audience"?: string
|
|
49
50
|
"tokenPolicy": string
|
|
51
|
+
"binding": string
|
|
50
52
|
"createdAt": number /* timestamp */
|
|
51
53
|
"expiresAt": number /* timestamp */
|
|
52
54
|
}
|
|
@@ -62,6 +64,7 @@ export declare class AoothPendingAuthorization {
|
|
|
62
64
|
"accessToken"?: boolean
|
|
63
65
|
"audience"?: string
|
|
64
66
|
"tokenPolicy": string
|
|
67
|
+
"binding": string
|
|
65
68
|
"createdAt": number /* timestamp */
|
|
66
69
|
"expiresAt": number /* timestamp */
|
|
67
70
|
}
|