@aooth/auth 0.1.18 → 0.1.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/atscript-db.cjs +80 -3
- package/dist/atscript-db.d.cts +70 -2
- package/dist/atscript-db.d.mts +70 -2
- package/dist/atscript-db.mjs +78 -2
- package/dist/authz.cjs +380 -16
- package/dist/authz.d.cts +337 -14
- package/dist/authz.d.mts +337 -14
- package/dist/authz.mjs +366 -12
- package/dist/{auth-code-store-B_m51OSB.cjs → dynamic-client-store-DAStgv2j.cjs} +74 -0
- package/dist/{auth-code-store-Dqc4rEOx.mjs → dynamic-client-store-DLRfntHr.mjs} +63 -1
- package/dist/{auth-code-store-BZ88d_tq.d.cts → dynamic-client-store-DzqdUwnw.d.cts} +112 -1
- package/dist/{auth-code-store-Om5MXNUT.d.mts → dynamic-client-store-oHEsQaJg.d.mts} +112 -1
- package/package.json +13 -3
- package/src/atscript-db/auth-code.as +2 -0
- package/src/atscript-db/auth-code.as.d.ts +3 -0
- package/src/atscript-db/dynamic-client.as +44 -0
- package/src/atscript-db/dynamic-client.as.d.ts +59 -0
- package/src/atscript-db/pending-authorization.as +7 -0
- package/src/atscript-db/pending-authorization.as.d.ts +6 -0
|
@@ -39,12 +39,25 @@ interface PendingAuthorization {
|
|
|
39
39
|
handle: string;
|
|
40
40
|
/** Registered client id (Tier 2), absent for a public/loopback client. */
|
|
41
41
|
clientId?: string;
|
|
42
|
+
/**
|
|
43
|
+
* Display name resolved at `/authorize` (DCR `client_name` or a registered
|
|
44
|
+
* client's label) — UNTRUSTED text staged for the consent prompt; render as
|
|
45
|
+
* a text node only. Snapshot-at-authorize: a later rename/GC of the
|
|
46
|
+
* registration doesn't change what consent shows for this grant.
|
|
47
|
+
*/
|
|
48
|
+
clientName?: string;
|
|
42
49
|
/** The client's validated `redirect_uri` — where the code is delivered. */
|
|
43
50
|
redirectUri: string;
|
|
44
51
|
/** PKCE S256 challenge (client-generated); verified against the verifier at `/token`. */
|
|
45
52
|
codeChallenge: string;
|
|
46
53
|
/** The client's `state`, echoed back on the redirect so the client can correlate. */
|
|
47
54
|
clientState?: string;
|
|
55
|
+
/**
|
|
56
|
+
* RFC 8707 `resource` indicator from the authorize request. v1 records it
|
|
57
|
+
* (and checks `/token`-leg consistency) without audience enforcement — see
|
|
58
|
+
* OAUTH.md R4.
|
|
59
|
+
*/
|
|
60
|
+
resource?: string;
|
|
48
61
|
/** Granted scope (space-joined) — `requested ∩ allowed`; drives the `id_token` profile claims. */
|
|
49
62
|
scope?: string;
|
|
50
63
|
/** OIDC `nonce` from the authorize request — echoed into the `id_token` (Tier 2). */
|
|
@@ -72,9 +85,11 @@ interface PendingAuthorization {
|
|
|
72
85
|
/** Input to {@link PendingAuthorizationStore.create} — `handle`/timestamps are store-assigned. */
|
|
73
86
|
interface NewPendingAuthorization {
|
|
74
87
|
clientId?: string;
|
|
88
|
+
clientName?: string;
|
|
75
89
|
redirectUri: string;
|
|
76
90
|
codeChallenge: string;
|
|
77
91
|
clientState?: string;
|
|
92
|
+
resource?: string;
|
|
78
93
|
scope?: string;
|
|
79
94
|
nonce?: string;
|
|
80
95
|
idToken?: boolean;
|
|
@@ -152,6 +167,12 @@ interface AuthCode {
|
|
|
152
167
|
clientId?: string;
|
|
153
168
|
/** Granted scope (space-joined) — drives the `id_token` profile claims. */
|
|
154
169
|
scope?: string;
|
|
170
|
+
/**
|
|
171
|
+
* RFC 8707 `resource` indicator recorded at `/authorize`. The token endpoint
|
|
172
|
+
* checks consistency (a `/token`-leg `resource` must match) — no audience
|
|
173
|
+
* enforcement in v1 (OAUTH.md R4).
|
|
174
|
+
*/
|
|
175
|
+
resource?: string;
|
|
155
176
|
/** OIDC `nonce` from the authorize request — echoed into the `id_token` (Tier 2). */
|
|
156
177
|
nonce?: string;
|
|
157
178
|
/** Mint an `id_token` at `/token` (Tier 2). */
|
|
@@ -171,6 +192,7 @@ interface NewAuthCode {
|
|
|
171
192
|
redirectUri: string;
|
|
172
193
|
clientId?: string;
|
|
173
194
|
scope?: string;
|
|
195
|
+
resource?: string;
|
|
174
196
|
nonce?: string;
|
|
175
197
|
idToken?: boolean;
|
|
176
198
|
accessToken?: boolean;
|
|
@@ -216,4 +238,93 @@ declare class AuthCodeStoreMemory extends AuthCodeStore {
|
|
|
216
238
|
consume(code: string): Promise<AuthCode | null>;
|
|
217
239
|
}
|
|
218
240
|
//#endregion
|
|
219
|
-
|
|
241
|
+
//#region src/authz/dynamic-client-store.d.ts
|
|
242
|
+
/**
|
|
243
|
+
* One dynamically-registered OAuth client (RFC 7591) — the record behind a
|
|
244
|
+
* connector-style public client that self-registered at `POST /register`.
|
|
245
|
+
* Everything here is **registrant-supplied** (post-validation) except
|
|
246
|
+
* `clientId` and the timestamps: treat `clientName` as untrusted display text
|
|
247
|
+
* and `redirectUris` as the exact-match delivery allowlist that
|
|
248
|
+
* `DynamicClientPolicy` enforces at `/authorize`.
|
|
249
|
+
*/
|
|
250
|
+
interface DynamicClient {
|
|
251
|
+
/** Store-minted opaque client identifier (the DCR response `client_id`). */
|
|
252
|
+
clientId: string;
|
|
253
|
+
/** Sanitized display name (DCR `client_name`) — untrusted, rendered as text on consent. */
|
|
254
|
+
clientName?: string;
|
|
255
|
+
/** Validated redirect allowlist — https exact-match entries and/or loopback literals. */
|
|
256
|
+
redirectUris: string[];
|
|
257
|
+
/** v1 supports public clients only — PKCE is the binding, no secret exists. */
|
|
258
|
+
tokenEndpointAuthMethod: "none";
|
|
259
|
+
/** Registered grant types (narrowed to what the server supports). */
|
|
260
|
+
grantTypes: string[];
|
|
261
|
+
/** Registered response types (narrowed to what the server supports). */
|
|
262
|
+
responseTypes: string[];
|
|
263
|
+
/** Scope string from registration (space-joined) — an upper bound, not a grant. */
|
|
264
|
+
scope?: string;
|
|
265
|
+
createdAt: number;
|
|
266
|
+
/**
|
|
267
|
+
* Last time the client started an authorize request. Unset ⇒ the
|
|
268
|
+
* registration was never used — the garbage-collection target of
|
|
269
|
+
* {@link DynamicClientStore.deleteUnusedBefore} (anonymous `/register` spam
|
|
270
|
+
* registers but never authorizes).
|
|
271
|
+
*/
|
|
272
|
+
lastUsedAt?: number;
|
|
273
|
+
}
|
|
274
|
+
/** Input to {@link DynamicClientStore.create} — `clientId`/timestamps are store-assigned. */
|
|
275
|
+
interface NewDynamicClient {
|
|
276
|
+
clientName?: string;
|
|
277
|
+
redirectUris: string[];
|
|
278
|
+
tokenEndpointAuthMethod: "none";
|
|
279
|
+
grantTypes: string[];
|
|
280
|
+
responseTypes: string[];
|
|
281
|
+
scope?: string;
|
|
282
|
+
}
|
|
283
|
+
/**
|
|
284
|
+
* Storage seam for dynamically-registered clients (OAUTH.md R2). Long-lived
|
|
285
|
+
* (unlike the pending-auth / auth-code stores): a connector caches its
|
|
286
|
+
* `client_id` and reuses it across grants, so rows survive until deleted or
|
|
287
|
+
* garbage-collected as never-used. An in-memory impl ships for single-process
|
|
288
|
+
* apps + tests; a durable impl (atscript-db) slots under the same
|
|
289
|
+
* `DYNAMIC_CLIENT_STORE_TOKEN` (from `@aooth/auth-moost`).
|
|
290
|
+
*/
|
|
291
|
+
declare abstract class DynamicClientStore {
|
|
292
|
+
/** Persist a validated registration; mints and returns the full record (with `clientId`). */
|
|
293
|
+
abstract create(rec: NewDynamicClient): Promise<DynamicClient>;
|
|
294
|
+
/** Fetch by client id, or `null` when unknown. */
|
|
295
|
+
abstract get(clientId: string): Promise<DynamicClient | null>;
|
|
296
|
+
/** Remove a registration. Returns `true` when a row was removed. */
|
|
297
|
+
abstract delete(clientId: string): Promise<boolean>;
|
|
298
|
+
/** Number of stored registrations — the `maxClients` hard-cap check. */
|
|
299
|
+
abstract count(): Promise<number>;
|
|
300
|
+
/** Stamp `lastUsedAt` — marks the registration as used (exempt from never-used GC). */
|
|
301
|
+
abstract touch(clientId: string, at: number): Promise<void>;
|
|
302
|
+
/**
|
|
303
|
+
* Garbage-collect never-used registrations: delete rows with
|
|
304
|
+
* `createdAt < cutoff` AND no `lastUsedAt`. Returns the number removed.
|
|
305
|
+
* Used rows are NEVER evicted — a connector caches its `client_id`, and
|
|
306
|
+
* evicting it strands the client (see OAUTH.md R2 abuse posture).
|
|
307
|
+
*/
|
|
308
|
+
abstract deleteUnusedBefore(cutoff: number): Promise<number>;
|
|
309
|
+
}
|
|
310
|
+
interface DynamicClientStoreMemoryOptions {
|
|
311
|
+
/** Injectable clock for deterministic `createdAt`. Defaults to {@link defaultClock}. */
|
|
312
|
+
clock?: Clock;
|
|
313
|
+
}
|
|
314
|
+
/**
|
|
315
|
+
* In-memory {@link DynamicClientStore} — the reference impl for a
|
|
316
|
+
* single-process app + tests. `structuredClone` on read/write isolates callers.
|
|
317
|
+
*/
|
|
318
|
+
declare class DynamicClientStoreMemory extends DynamicClientStore {
|
|
319
|
+
private store;
|
|
320
|
+
private clock;
|
|
321
|
+
constructor(opts?: DynamicClientStoreMemoryOptions);
|
|
322
|
+
create(rec: NewDynamicClient): Promise<DynamicClient>;
|
|
323
|
+
get(clientId: string): Promise<DynamicClient | null>;
|
|
324
|
+
delete(clientId: string): Promise<boolean>;
|
|
325
|
+
count(): Promise<number>;
|
|
326
|
+
touch(clientId: string, at: number): Promise<void>;
|
|
327
|
+
deleteUnusedBefore(cutoff: number): Promise<number>;
|
|
328
|
+
}
|
|
329
|
+
//#endregion
|
|
330
|
+
export { TokenPolicy as _, NewDynamicClient as a, AuthCodeStoreMemory as c, DEFAULT_PENDING_TTL_MS as d, NewPendingAuthorization as f, PendingAuthorizationStoreMemoryOptions as g, PendingAuthorizationStoreMemory as h, DynamicClientStoreMemoryOptions as i, AuthCodeStoreMemoryOptions as l, PendingAuthorizationStore as m, DynamicClientStore as n, AuthCode as o, PendingAuthorization as p, DynamicClientStoreMemory as r, AuthCodeStore as s, DynamicClient as t, NewAuthCode as u };
|
|
@@ -39,12 +39,25 @@ interface PendingAuthorization {
|
|
|
39
39
|
handle: string;
|
|
40
40
|
/** Registered client id (Tier 2), absent for a public/loopback client. */
|
|
41
41
|
clientId?: string;
|
|
42
|
+
/**
|
|
43
|
+
* Display name resolved at `/authorize` (DCR `client_name` or a registered
|
|
44
|
+
* client's label) — UNTRUSTED text staged for the consent prompt; render as
|
|
45
|
+
* a text node only. Snapshot-at-authorize: a later rename/GC of the
|
|
46
|
+
* registration doesn't change what consent shows for this grant.
|
|
47
|
+
*/
|
|
48
|
+
clientName?: string;
|
|
42
49
|
/** The client's validated `redirect_uri` — where the code is delivered. */
|
|
43
50
|
redirectUri: string;
|
|
44
51
|
/** PKCE S256 challenge (client-generated); verified against the verifier at `/token`. */
|
|
45
52
|
codeChallenge: string;
|
|
46
53
|
/** The client's `state`, echoed back on the redirect so the client can correlate. */
|
|
47
54
|
clientState?: string;
|
|
55
|
+
/**
|
|
56
|
+
* RFC 8707 `resource` indicator from the authorize request. v1 records it
|
|
57
|
+
* (and checks `/token`-leg consistency) without audience enforcement — see
|
|
58
|
+
* OAUTH.md R4.
|
|
59
|
+
*/
|
|
60
|
+
resource?: string;
|
|
48
61
|
/** Granted scope (space-joined) — `requested ∩ allowed`; drives the `id_token` profile claims. */
|
|
49
62
|
scope?: string;
|
|
50
63
|
/** OIDC `nonce` from the authorize request — echoed into the `id_token` (Tier 2). */
|
|
@@ -72,9 +85,11 @@ interface PendingAuthorization {
|
|
|
72
85
|
/** Input to {@link PendingAuthorizationStore.create} — `handle`/timestamps are store-assigned. */
|
|
73
86
|
interface NewPendingAuthorization {
|
|
74
87
|
clientId?: string;
|
|
88
|
+
clientName?: string;
|
|
75
89
|
redirectUri: string;
|
|
76
90
|
codeChallenge: string;
|
|
77
91
|
clientState?: string;
|
|
92
|
+
resource?: string;
|
|
78
93
|
scope?: string;
|
|
79
94
|
nonce?: string;
|
|
80
95
|
idToken?: boolean;
|
|
@@ -152,6 +167,12 @@ interface AuthCode {
|
|
|
152
167
|
clientId?: string;
|
|
153
168
|
/** Granted scope (space-joined) — drives the `id_token` profile claims. */
|
|
154
169
|
scope?: string;
|
|
170
|
+
/**
|
|
171
|
+
* RFC 8707 `resource` indicator recorded at `/authorize`. The token endpoint
|
|
172
|
+
* checks consistency (a `/token`-leg `resource` must match) — no audience
|
|
173
|
+
* enforcement in v1 (OAUTH.md R4).
|
|
174
|
+
*/
|
|
175
|
+
resource?: string;
|
|
155
176
|
/** OIDC `nonce` from the authorize request — echoed into the `id_token` (Tier 2). */
|
|
156
177
|
nonce?: string;
|
|
157
178
|
/** Mint an `id_token` at `/token` (Tier 2). */
|
|
@@ -171,6 +192,7 @@ interface NewAuthCode {
|
|
|
171
192
|
redirectUri: string;
|
|
172
193
|
clientId?: string;
|
|
173
194
|
scope?: string;
|
|
195
|
+
resource?: string;
|
|
174
196
|
nonce?: string;
|
|
175
197
|
idToken?: boolean;
|
|
176
198
|
accessToken?: boolean;
|
|
@@ -216,4 +238,93 @@ declare class AuthCodeStoreMemory extends AuthCodeStore {
|
|
|
216
238
|
consume(code: string): Promise<AuthCode | null>;
|
|
217
239
|
}
|
|
218
240
|
//#endregion
|
|
219
|
-
|
|
241
|
+
//#region src/authz/dynamic-client-store.d.ts
|
|
242
|
+
/**
|
|
243
|
+
* One dynamically-registered OAuth client (RFC 7591) — the record behind a
|
|
244
|
+
* connector-style public client that self-registered at `POST /register`.
|
|
245
|
+
* Everything here is **registrant-supplied** (post-validation) except
|
|
246
|
+
* `clientId` and the timestamps: treat `clientName` as untrusted display text
|
|
247
|
+
* and `redirectUris` as the exact-match delivery allowlist that
|
|
248
|
+
* `DynamicClientPolicy` enforces at `/authorize`.
|
|
249
|
+
*/
|
|
250
|
+
interface DynamicClient {
|
|
251
|
+
/** Store-minted opaque client identifier (the DCR response `client_id`). */
|
|
252
|
+
clientId: string;
|
|
253
|
+
/** Sanitized display name (DCR `client_name`) — untrusted, rendered as text on consent. */
|
|
254
|
+
clientName?: string;
|
|
255
|
+
/** Validated redirect allowlist — https exact-match entries and/or loopback literals. */
|
|
256
|
+
redirectUris: string[];
|
|
257
|
+
/** v1 supports public clients only — PKCE is the binding, no secret exists. */
|
|
258
|
+
tokenEndpointAuthMethod: "none";
|
|
259
|
+
/** Registered grant types (narrowed to what the server supports). */
|
|
260
|
+
grantTypes: string[];
|
|
261
|
+
/** Registered response types (narrowed to what the server supports). */
|
|
262
|
+
responseTypes: string[];
|
|
263
|
+
/** Scope string from registration (space-joined) — an upper bound, not a grant. */
|
|
264
|
+
scope?: string;
|
|
265
|
+
createdAt: number;
|
|
266
|
+
/**
|
|
267
|
+
* Last time the client started an authorize request. Unset ⇒ the
|
|
268
|
+
* registration was never used — the garbage-collection target of
|
|
269
|
+
* {@link DynamicClientStore.deleteUnusedBefore} (anonymous `/register` spam
|
|
270
|
+
* registers but never authorizes).
|
|
271
|
+
*/
|
|
272
|
+
lastUsedAt?: number;
|
|
273
|
+
}
|
|
274
|
+
/** Input to {@link DynamicClientStore.create} — `clientId`/timestamps are store-assigned. */
|
|
275
|
+
interface NewDynamicClient {
|
|
276
|
+
clientName?: string;
|
|
277
|
+
redirectUris: string[];
|
|
278
|
+
tokenEndpointAuthMethod: "none";
|
|
279
|
+
grantTypes: string[];
|
|
280
|
+
responseTypes: string[];
|
|
281
|
+
scope?: string;
|
|
282
|
+
}
|
|
283
|
+
/**
|
|
284
|
+
* Storage seam for dynamically-registered clients (OAUTH.md R2). Long-lived
|
|
285
|
+
* (unlike the pending-auth / auth-code stores): a connector caches its
|
|
286
|
+
* `client_id` and reuses it across grants, so rows survive until deleted or
|
|
287
|
+
* garbage-collected as never-used. An in-memory impl ships for single-process
|
|
288
|
+
* apps + tests; a durable impl (atscript-db) slots under the same
|
|
289
|
+
* `DYNAMIC_CLIENT_STORE_TOKEN` (from `@aooth/auth-moost`).
|
|
290
|
+
*/
|
|
291
|
+
declare abstract class DynamicClientStore {
|
|
292
|
+
/** Persist a validated registration; mints and returns the full record (with `clientId`). */
|
|
293
|
+
abstract create(rec: NewDynamicClient): Promise<DynamicClient>;
|
|
294
|
+
/** Fetch by client id, or `null` when unknown. */
|
|
295
|
+
abstract get(clientId: string): Promise<DynamicClient | null>;
|
|
296
|
+
/** Remove a registration. Returns `true` when a row was removed. */
|
|
297
|
+
abstract delete(clientId: string): Promise<boolean>;
|
|
298
|
+
/** Number of stored registrations — the `maxClients` hard-cap check. */
|
|
299
|
+
abstract count(): Promise<number>;
|
|
300
|
+
/** Stamp `lastUsedAt` — marks the registration as used (exempt from never-used GC). */
|
|
301
|
+
abstract touch(clientId: string, at: number): Promise<void>;
|
|
302
|
+
/**
|
|
303
|
+
* Garbage-collect never-used registrations: delete rows with
|
|
304
|
+
* `createdAt < cutoff` AND no `lastUsedAt`. Returns the number removed.
|
|
305
|
+
* Used rows are NEVER evicted — a connector caches its `client_id`, and
|
|
306
|
+
* evicting it strands the client (see OAUTH.md R2 abuse posture).
|
|
307
|
+
*/
|
|
308
|
+
abstract deleteUnusedBefore(cutoff: number): Promise<number>;
|
|
309
|
+
}
|
|
310
|
+
interface DynamicClientStoreMemoryOptions {
|
|
311
|
+
/** Injectable clock for deterministic `createdAt`. Defaults to {@link defaultClock}. */
|
|
312
|
+
clock?: Clock;
|
|
313
|
+
}
|
|
314
|
+
/**
|
|
315
|
+
* In-memory {@link DynamicClientStore} — the reference impl for a
|
|
316
|
+
* single-process app + tests. `structuredClone` on read/write isolates callers.
|
|
317
|
+
*/
|
|
318
|
+
declare class DynamicClientStoreMemory extends DynamicClientStore {
|
|
319
|
+
private store;
|
|
320
|
+
private clock;
|
|
321
|
+
constructor(opts?: DynamicClientStoreMemoryOptions);
|
|
322
|
+
create(rec: NewDynamicClient): Promise<DynamicClient>;
|
|
323
|
+
get(clientId: string): Promise<DynamicClient | null>;
|
|
324
|
+
delete(clientId: string): Promise<boolean>;
|
|
325
|
+
count(): Promise<number>;
|
|
326
|
+
touch(clientId: string, at: number): Promise<void>;
|
|
327
|
+
deleteUnusedBefore(cutoff: number): Promise<number>;
|
|
328
|
+
}
|
|
329
|
+
//#endregion
|
|
330
|
+
export { TokenPolicy as _, NewDynamicClient as a, AuthCodeStoreMemory as c, DEFAULT_PENDING_TTL_MS as d, NewPendingAuthorization as f, PendingAuthorizationStoreMemoryOptions as g, PendingAuthorizationStoreMemory as h, DynamicClientStoreMemoryOptions as i, AuthCodeStoreMemoryOptions as l, PendingAuthorizationStore as m, DynamicClientStore as n, AuthCode as o, PendingAuthorization as p, DynamicClientStoreMemory as r, AuthCodeStore as s, DynamicClient as t, NewAuthCode as u };
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@aooth/auth",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.19",
|
|
4
4
|
"description": "Auth method layer for aoothjs (sessions, tokens, password reset, MFA primitives)",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"aoothjs",
|
|
@@ -30,7 +30,9 @@
|
|
|
30
30
|
"src/atscript-db/pending-authorization.as",
|
|
31
31
|
"src/atscript-db/pending-authorization.as.d.ts",
|
|
32
32
|
"src/atscript-db/auth-code.as",
|
|
33
|
-
"src/atscript-db/auth-code.as.d.ts"
|
|
33
|
+
"src/atscript-db/auth-code.as.d.ts",
|
|
34
|
+
"src/atscript-db/dynamic-client.as",
|
|
35
|
+
"src/atscript-db/dynamic-client.as.d.ts"
|
|
34
36
|
],
|
|
35
37
|
"type": "module",
|
|
36
38
|
"sideEffects": false,
|
|
@@ -87,6 +89,14 @@
|
|
|
87
89
|
"types": "./src/atscript-db/auth-code.as.d.ts",
|
|
88
90
|
"default": "./src/atscript-db/auth-code.as"
|
|
89
91
|
},
|
|
92
|
+
"./atscript-db/dynamic-client": {
|
|
93
|
+
"types": "./src/atscript-db/dynamic-client.as.d.ts",
|
|
94
|
+
"default": "./src/atscript-db/dynamic-client.as"
|
|
95
|
+
},
|
|
96
|
+
"./atscript-db/dynamic-client.as": {
|
|
97
|
+
"types": "./src/atscript-db/dynamic-client.as.d.ts",
|
|
98
|
+
"default": "./src/atscript-db/dynamic-client.as"
|
|
99
|
+
},
|
|
90
100
|
"./package.json": "./package.json"
|
|
91
101
|
},
|
|
92
102
|
"publishConfig": {
|
|
@@ -94,7 +104,7 @@
|
|
|
94
104
|
},
|
|
95
105
|
"dependencies": {
|
|
96
106
|
"jose": "^6.2.3",
|
|
97
|
-
"@aooth/user": "0.1.
|
|
107
|
+
"@aooth/user": "0.1.19"
|
|
98
108
|
},
|
|
99
109
|
"devDependencies": {
|
|
100
110
|
"@atscript/core": "^0.1.75",
|
|
@@ -21,6 +21,8 @@ export interface AoothAuthCode {
|
|
|
21
21
|
clientId?: string
|
|
22
22
|
/** Granted scope (space-joined). */
|
|
23
23
|
scope?: string
|
|
24
|
+
/** RFC 8707 `resource` indicator (recorded; consistency-checked at /token). */
|
|
25
|
+
resource?: string
|
|
24
26
|
/** OIDC `nonce`, echoed into the `id_token` (Tier 2). */
|
|
25
27
|
nonce?: string
|
|
26
28
|
/** Mint an `id_token` at `/token` (Tier 2). */
|
|
@@ -20,6 +20,7 @@ export declare class AoothAuthCode {
|
|
|
20
20
|
redirectUri: string
|
|
21
21
|
clientId?: string
|
|
22
22
|
scope?: string
|
|
23
|
+
resource?: string
|
|
23
24
|
nonce?: string
|
|
24
25
|
idToken?: boolean
|
|
25
26
|
accessToken?: boolean
|
|
@@ -41,6 +42,7 @@ export declare class AoothAuthCode {
|
|
|
41
42
|
"redirectUri": string
|
|
42
43
|
"clientId"?: string
|
|
43
44
|
"scope"?: string
|
|
45
|
+
"resource"?: string
|
|
44
46
|
"nonce"?: string
|
|
45
47
|
"idToken"?: boolean
|
|
46
48
|
"accessToken"?: boolean
|
|
@@ -55,6 +57,7 @@ export declare class AoothAuthCode {
|
|
|
55
57
|
"redirectUri": string
|
|
56
58
|
"clientId"?: string
|
|
57
59
|
"scope"?: string
|
|
60
|
+
"resource"?: string
|
|
58
61
|
"nonce"?: string
|
|
59
62
|
"idToken"?: boolean
|
|
60
63
|
"accessToken"?: boolean
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
@db.table 'aooth_dynamic_clients'
|
|
2
|
+
@db.depth.limit 0
|
|
3
|
+
export interface AoothDynamicClient {
|
|
4
|
+
/**
|
|
5
|
+
* Opaque client identifier (PK) — the DCR response `client_id`.
|
|
6
|
+
* Server-generated UUID in `DynamicClientStoreAtscriptDb.create`.
|
|
7
|
+
*/
|
|
8
|
+
@meta.id
|
|
9
|
+
clientId: string
|
|
10
|
+
|
|
11
|
+
/**
|
|
12
|
+
* Sanitized DCR `client_name` — untrusted registrant-supplied display text
|
|
13
|
+
* for the consent prompt; rendered as a text node only.
|
|
14
|
+
*/
|
|
15
|
+
clientName?: string
|
|
16
|
+
|
|
17
|
+
/**
|
|
18
|
+
* Validated redirect allowlist, serialized as a JSON string array — same
|
|
19
|
+
* opaque-string pattern as `AoothPendingAuthorization.tokenPolicy` (a
|
|
20
|
+
* string[] column would need engine-specific array support; the adapter
|
|
21
|
+
* (de)serializes at the boundary and matching happens in
|
|
22
|
+
* `DynamicClientPolicy`).
|
|
23
|
+
*/
|
|
24
|
+
redirectUris: string
|
|
25
|
+
|
|
26
|
+
/** v1 supports public clients only ("none") — PKCE is the binding. */
|
|
27
|
+
tokenEndpointAuthMethod: string
|
|
28
|
+
|
|
29
|
+
/** Registered grant types (narrowed to supported), JSON string array. */
|
|
30
|
+
grantTypes: string
|
|
31
|
+
/** Registered response types (narrowed to supported), JSON string array. */
|
|
32
|
+
responseTypes: string
|
|
33
|
+
|
|
34
|
+
/** Scope string from registration (space-joined) — an upper bound, not a grant. */
|
|
35
|
+
scope?: string
|
|
36
|
+
|
|
37
|
+
createdAt: number.timestamp
|
|
38
|
+
/**
|
|
39
|
+
* Last authorize-request use. Unset ⇒ never used — the GC target of
|
|
40
|
+
* `deleteUnusedBefore` (anonymous /register spam registers but never
|
|
41
|
+
* authorizes). Used rows are never evicted.
|
|
42
|
+
*/
|
|
43
|
+
lastUsedAt?: number.timestamp
|
|
44
|
+
}
|
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
// prettier-ignore-start
|
|
2
|
+
/* eslint-disable */
|
|
3
|
+
/* oxlint-disable */
|
|
4
|
+
/// <reference path="./dynamic-client.as" />
|
|
5
|
+
/**
|
|
6
|
+
* 🪄 This file was generated by Atscript
|
|
7
|
+
* Do not edit this file!
|
|
8
|
+
*/
|
|
9
|
+
|
|
10
|
+
import type { TAtscriptTypeObject, TAtscriptTypeComplex, TAtscriptTypeFinal, TAtscriptTypeArray, TAtscriptAnnotatedType, TMetadataMap, Validator, TValidatorOptions } from "@atscript/typescript/utils"
|
|
11
|
+
|
|
12
|
+
/**
|
|
13
|
+
* Atscript interface **AoothDynamicClient**
|
|
14
|
+
* @see {@link ./dynamic-client.as:3:18}
|
|
15
|
+
*/
|
|
16
|
+
export declare class AoothDynamicClient {
|
|
17
|
+
clientId: string
|
|
18
|
+
clientName?: string
|
|
19
|
+
redirectUris: string
|
|
20
|
+
tokenEndpointAuthMethod: string
|
|
21
|
+
grantTypes: string
|
|
22
|
+
responseTypes: string
|
|
23
|
+
scope?: string
|
|
24
|
+
createdAt: number /* timestamp */
|
|
25
|
+
lastUsedAt?: number /* timestamp */
|
|
26
|
+
static __is_atscript_annotated_type: true
|
|
27
|
+
static type: TAtscriptTypeObject<keyof AoothDynamicClient, AoothDynamicClient>
|
|
28
|
+
static metadata: TMetadataMap<AtscriptMetadata>
|
|
29
|
+
static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AoothDynamicClient>
|
|
30
|
+
/** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
|
|
31
|
+
static toJsonSchema: () => any
|
|
32
|
+
/** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
|
|
33
|
+
static toExampleData?: () => any
|
|
34
|
+
static __flat: {
|
|
35
|
+
"clientId": string
|
|
36
|
+
"clientName"?: string
|
|
37
|
+
"redirectUris": string
|
|
38
|
+
"tokenEndpointAuthMethod": string
|
|
39
|
+
"grantTypes": string
|
|
40
|
+
"responseTypes": string
|
|
41
|
+
"scope"?: string
|
|
42
|
+
"createdAt": number /* timestamp */
|
|
43
|
+
"lastUsedAt"?: number /* timestamp */
|
|
44
|
+
}
|
|
45
|
+
static __ownProps: {
|
|
46
|
+
"clientId": string
|
|
47
|
+
"clientName"?: string
|
|
48
|
+
"redirectUris": string
|
|
49
|
+
"tokenEndpointAuthMethod": string
|
|
50
|
+
"grantTypes": string
|
|
51
|
+
"responseTypes": string
|
|
52
|
+
"scope"?: string
|
|
53
|
+
"createdAt": number /* timestamp */
|
|
54
|
+
"lastUsedAt"?: number /* timestamp */
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
static __pk: string
|
|
58
|
+
}
|
|
59
|
+
// prettier-ignore-end
|
|
@@ -15,8 +15,15 @@ export interface AoothPendingAuthorization {
|
|
|
15
15
|
|
|
16
16
|
/** Registered client id (Tier 2); absent for a public/loopback client. */
|
|
17
17
|
clientId?: string
|
|
18
|
+
/**
|
|
19
|
+
* Display name resolved at /authorize (DCR `client_name` or a registered
|
|
20
|
+
* client's label) — untrusted text staged for the consent prompt.
|
|
21
|
+
*/
|
|
22
|
+
clientName?: string
|
|
18
23
|
/** The client's `state`, echoed back on the redirect so it can correlate. */
|
|
19
24
|
clientState?: string
|
|
25
|
+
/** RFC 8707 `resource` indicator (recorded; consistency-checked at /token). */
|
|
26
|
+
resource?: string
|
|
20
27
|
/** Granted scope (space-joined). */
|
|
21
28
|
scope?: string
|
|
22
29
|
/** OIDC `nonce`, echoed into the `id_token` (Tier 2). */
|
|
@@ -18,7 +18,9 @@ export declare class AoothPendingAuthorization {
|
|
|
18
18
|
redirectUri: string
|
|
19
19
|
codeChallenge: string
|
|
20
20
|
clientId?: string
|
|
21
|
+
clientName?: string
|
|
21
22
|
clientState?: string
|
|
23
|
+
resource?: string
|
|
22
24
|
scope?: string
|
|
23
25
|
nonce?: string
|
|
24
26
|
idToken?: boolean
|
|
@@ -41,7 +43,9 @@ export declare class AoothPendingAuthorization {
|
|
|
41
43
|
"redirectUri": string
|
|
42
44
|
"codeChallenge": string
|
|
43
45
|
"clientId"?: string
|
|
46
|
+
"clientName"?: string
|
|
44
47
|
"clientState"?: string
|
|
48
|
+
"resource"?: string
|
|
45
49
|
"scope"?: string
|
|
46
50
|
"nonce"?: string
|
|
47
51
|
"idToken"?: boolean
|
|
@@ -57,7 +61,9 @@ export declare class AoothPendingAuthorization {
|
|
|
57
61
|
"redirectUri": string
|
|
58
62
|
"codeChallenge": string
|
|
59
63
|
"clientId"?: string
|
|
64
|
+
"clientName"?: string
|
|
60
65
|
"clientState"?: string
|
|
66
|
+
"resource"?: string
|
|
61
67
|
"scope"?: string
|
|
62
68
|
"nonce"?: string
|
|
63
69
|
"idToken"?: boolean
|