@cloudflare/workers-oauth-provider 0.0.0-9587b58 → 0.0.0-9d4b595

package/README.md

@@ -38,7 +38,7 @@ export default new OAuthProvider({
   // You can provide either an object with a fetch method (ExportedHandler)
   // or a class extending WorkerEntrypoint.
   apiHandler: ApiHandler, // Using a WorkerEntrypoint class
-  
+
   // For multi-handler setups, you can use apiHandlers instead of apiRoute+apiHandler.
   // This allows you to use different handlers for different API routes.
   // Note: You must use either apiRoute+apiHandler (single-handler) OR apiHandlers (multi-handler), not both.
@@ -87,7 +87,13 @@ export default new OAuthProvider({
   // Note: Creating public clients via the OAuthHelpers.createClient() method
   // is always allowed regardless of this setting.
   // Defaults to false.
-  disallowPublicClientRegistration: false
+  disallowPublicClientRegistration: false,
+
+  // Optional: Time-to-live for refresh tokens in seconds.
+  // If not specified, refresh tokens do not expire.
+  // Set to 0 to disable refresh tokens (only access tokens will be issued).
+  // For example: 3600 = 1 hour, 86400 = 1 day, 2592000 = 30 days
+  refreshTokenTTL: 2592000 // 30 days
 });
 
 // The default handler object - the OAuthProvider will pass through HTTP requests to this object's fetch method
@@ -261,6 +267,7 @@ The callback can:
 - Return only `accessTokenProps` to update just the current access token
 - Return only `newProps` to update both the grant and access token (the access token inherits these props)
 - Return `accessTokenTTL` to override the default TTL for this specific access token
+- Return `refreshTokenTTL` to override the default TTL for this specific refresh token
 - Return nothing to keep the original props unchanged
 
 The `accessTokenTTL` override is particularly useful when the application is also an OAuth client to another service and wants to match its access token TTL to the upstream access token TTL. This helps prevent situations where the downstream token is still valid but the upstream token has expired.

package/dist/oauth-provider.d.ts

@@ -33,6 +33,13 @@ interface TokenExchangeCallbackResult {
      * Value should be in seconds.
      */
     accessTokenTTL?: number;
+    /**
+     * Override the default refresh token TTL (time-to-live) for this specific grant.
+     * Value should be in seconds.
+     * Note: This is only honored during authorization code exchange. If returned during
+     * refresh token exchange, it will be ignored.
+     */
+    refreshTokenTTL?: number;
 }
 /**
  * Options for token exchange callback functions
@@ -116,6 +123,12 @@ interface OAuthProviderOptions {
      * Defaults to 1 hour (3600 seconds) if not specified.
      */
     accessTokenTTL?: number;
+    /**
+     * Time-to-live for refresh tokens in seconds.
+     * If not specified, refresh tokens do not expire.
+     * For example: 3600 = 1 hour, 2592000 = 30 days
+     */
+    refreshTokenTTL?: number;
     /**
      * List of scopes supported by this OAuth provider.
      * If not provided, the 'scopes_supported' field will be omitted from the OAuth metadata.
@@ -381,6 +394,10 @@ interface Grant {
      * Unix timestamp when the grant was created
      */
     createdAt: number;
+    /**
+     * Unix timestamp when the grant expires (if TTL is configured)
+     */
+    expiresAt?: number;
     /**
      * The hash of the current refresh token associated with this grant
      */
@@ -523,6 +540,10 @@ interface GrantSummary {
      * Unix timestamp when the grant was created
      */
     createdAt: number;
+    /**
+     * Unix timestamp when the grant expires (if TTL is configured)
+     */
+    expiresAt?: number;
 }
 /**
  * OAuth 2.0 Provider implementation for Cloudflare Workers

package/dist/oauth-provider.js

@@ -478,12 +478,10 @@ var OAuthProviderImpl = class {
       }
     }
     const accessTokenSecret = generateRandomString(TOKEN_LENGTH);
-    const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
     const accessToken = `${userId}:${grantId}:${accessTokenSecret}`;
-    const refreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
     const accessTokenId = await generateTokenId(accessToken);
-    const refreshTokenId = await generateTokenId(refreshToken);
     let accessTokenTTL = this.options.accessTokenTTL;
+    let refreshTokenTTL = this.options.refreshTokenTTL;
     const encryptionKey = await unwrapKeyWithToken(code, grantData.authCodeWrappedKey);
     let grantEncryptionKey = encryptionKey;
     let accessTokenEncryptionKey = encryptionKey;
@@ -513,6 +511,9 @@ var OAuthProviderImpl = class {
         if (callbackResult.accessTokenTTL !== void 0) {
           accessTokenTTL = callbackResult.accessTokenTTL;
         }
+        if ("refreshTokenTTL" in callbackResult) {
+          refreshTokenTTL = callbackResult.refreshTokenTTL;
+        }
       }
       const grantResult = await encryptProps(grantProps);
       grantData.encryptedProps = grantResult.encryptedData;
@@ -528,17 +529,26 @@ var OAuthProviderImpl = class {
     }
     const now = Math.floor(Date.now() / 1e3);
     const accessTokenExpiresAt = now + accessTokenTTL;
+    const useRefreshToken = refreshTokenTTL !== 0;
     const accessTokenWrappedKey = await wrapKeyWithToken(accessToken, accessTokenEncryptionKey);
-    const refreshTokenWrappedKey = await wrapKeyWithToken(refreshToken, grantEncryptionKey);
     delete grantData.authCodeId;
     delete grantData.codeChallenge;
     delete grantData.codeChallengeMethod;
     delete grantData.authCodeWrappedKey;
-    grantData.refreshTokenId = refreshTokenId;
-    grantData.refreshTokenWrappedKey = refreshTokenWrappedKey;
-    grantData.previousRefreshTokenId = void 0;
-    grantData.previousRefreshTokenWrappedKey = void 0;
-    await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData));
+    let refreshToken;
+    if (useRefreshToken) {
+      const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
+      refreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
+      const refreshTokenId = await generateTokenId(refreshToken);
+      const refreshTokenWrappedKey = await wrapKeyWithToken(refreshToken, grantEncryptionKey);
+      const expiresAt = refreshTokenTTL !== void 0 ? now + refreshTokenTTL : void 0;
+      grantData.refreshTokenId = refreshTokenId;
+      grantData.refreshTokenWrappedKey = refreshTokenWrappedKey;
+      grantData.previousRefreshTokenId = void 0;
+      grantData.previousRefreshTokenWrappedKey = void 0;
+      grantData.expiresAt = expiresAt;
+    }
+    await this.saveGrantWithTTL(env, grantKey, grantData, now);
     const accessTokenData = {
       id: accessTokenId,
       grantId,
@@ -555,18 +565,18 @@ var OAuthProviderImpl = class {
     await env.OAUTH_KV.put(`token:${userId}:${grantId}:${accessTokenId}`, JSON.stringify(accessTokenData), {
       expirationTtl: accessTokenTTL
     });
-    return new Response(
-      JSON.stringify({
-        access_token: accessToken,
-        token_type: "bearer",
-        expires_in: accessTokenTTL,
-        refresh_token: refreshToken,
-        scope: grantData.scope.join(" ")
-      }),
-      {
-        headers: { "Content-Type": "application/json" }
-      }
-    );
+    const tokenResponse = {
+      access_token: accessToken,
+      token_type: "bearer",
+      expires_in: accessTokenTTL,
+      scope: grantData.scope.join(" ")
+    };
+    if (refreshToken) {
+      tokenResponse.refresh_token = refreshToken;
+    }
+    return new Response(JSON.stringify(tokenResponse), {
+      headers: { "Content-Type": "application/json" }
+    });
   }
   /**
    * Handles the refresh token grant type
@@ -600,12 +610,15 @@ var OAuthProviderImpl = class {
     if (grantData.clientId !== clientInfo.clientId) {
       return this.createErrorResponse("invalid_grant", "Client ID mismatch");
     }
+    if (grantData.expiresAt !== void 0) {
+      const now2 = Math.floor(Date.now() / 1e3);
+      if (now2 >= grantData.expiresAt) {
+        return this.createErrorResponse("invalid_grant", "Refresh token has expired");
+      }
+    }
     const accessTokenSecret = generateRandomString(TOKEN_LENGTH);
     const newAccessToken = `${userId}:${grantId}:${accessTokenSecret}`;
     const accessTokenId = await generateTokenId(newAccessToken);
-    const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
-    const newRefreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
-    const newRefreshTokenId = await generateTokenId(newRefreshToken);
     let accessTokenTTL = this.options.accessTokenTTL;
     let wrappedKeyToUse;
     if (isCurrentToken) {
@@ -617,6 +630,7 @@ var OAuthProviderImpl = class {
     let grantEncryptionKey = encryptionKey;
     let accessTokenEncryptionKey = encryptionKey;
     let encryptedAccessTokenProps = grantData.encryptedProps;
+    let grantPropsChanged = false;
     if (this.options.tokenExchangeCallback) {
       const decryptedProps = await decryptProps(encryptionKey, grantData.encryptedProps);
       let grantProps = decryptedProps;
@@ -629,7 +643,6 @@ var OAuthProviderImpl = class {
         props: decryptedProps
       };
       const callbackResult = await Promise.resolve(this.options.tokenExchangeCallback(callbackOptions));
-      let grantPropsChanged = false;
       if (callbackResult) {
         if (callbackResult.newProps) {
           grantProps = callbackResult.newProps;
@@ -644,6 +657,12 @@ var OAuthProviderImpl = class {
         if (callbackResult.accessTokenTTL !== void 0) {
           accessTokenTTL = callbackResult.accessTokenTTL;
         }
+        if ("refreshTokenTTL" in callbackResult) {
+          return this.createErrorResponse(
+            "invalid_request",
+            "refreshTokenTTL cannot be changed during refresh token exchange"
+          );
+        }
       }
       if (grantPropsChanged) {
         const grantResult = await encryptProps(grantProps);
@@ -665,14 +684,23 @@ var OAuthProviderImpl = class {
       }
     }
     const now = Math.floor(Date.now() / 1e3);
+    if (grantData.expiresAt !== void 0) {
+      const remainingRefreshTokenLifetime = grantData.expiresAt - now;
+      if (remainingRefreshTokenLifetime > 0) {
+        accessTokenTTL = Math.min(accessTokenTTL, remainingRefreshTokenLifetime);
+      }
+    }
     const accessTokenExpiresAt = now + accessTokenTTL;
     const accessTokenWrappedKey = await wrapKeyWithToken(newAccessToken, accessTokenEncryptionKey);
+    const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
+    const newRefreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
+    const newRefreshTokenId = await generateTokenId(newRefreshToken);
     const newRefreshTokenWrappedKey = await wrapKeyWithToken(newRefreshToken, grantEncryptionKey);
     grantData.previousRefreshTokenId = providedTokenHash;
     grantData.previousRefreshTokenWrappedKey = wrappedKeyToUse;
     grantData.refreshTokenId = newRefreshTokenId;
     grantData.refreshTokenWrappedKey = newRefreshTokenWrappedKey;
-    await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData));
+    await this.saveGrantWithTTL(env, grantKey, grantData, now);
     const accessTokenData = {
       id: accessTokenId,
       grantId,
@@ -689,18 +717,16 @@ var OAuthProviderImpl = class {
     await env.OAUTH_KV.put(`token:${userId}:${grantId}:${accessTokenId}`, JSON.stringify(accessTokenData), {
       expirationTtl: accessTokenTTL
     });
-    return new Response(
-      JSON.stringify({
-        access_token: newAccessToken,
-        token_type: "bearer",
-        expires_in: accessTokenTTL,
-        refresh_token: newRefreshToken,
-        scope: grantData.scope.join(" ")
-      }),
-      {
-        headers: { "Content-Type": "application/json" }
-      }
-    );
+    const tokenResponse = {
+      access_token: newAccessToken,
+      token_type: "bearer",
+      expires_in: accessTokenTTL,
+      refresh_token: newRefreshToken,
+      scope: grantData.scope.join(" ")
+    };
+    return new Response(JSON.stringify(tokenResponse), {
+      headers: { "Content-Type": "application/json" }
+    });
   }
   /**
    * Handles OAuth 2.0 token revocation requests (RFC 7009)
@@ -736,7 +762,7 @@ var OAuthProviderImpl = class {
     } else if (isRefreshToken) {
       await this.createOAuthHelpers(env).revokeGrant(grantId, userId);
     }
-    return new Response("", { status: 500 });
+    return new Response("", { status: 200 });
   }
   /**
    * Revokes a specific access token without affecting the refresh token
@@ -962,6 +988,17 @@ var OAuthProviderImpl = class {
   createOAuthHelpers(env) {
     return new OAuthHelpersImpl(env, this);
   }
+  /**
+   * Saves a grant to KV with appropriate TTL based on expiration
+   * @param env - The environment bindings
+   * @param grantKey - The KV key for the grant
+   * @param grantData - The grant data to save
+   * @param now - Current timestamp in seconds
+   */
+  async saveGrantWithTTL(env, grantKey, grantData, now) {
+    const kvOptions = grantData.expiresAt !== void 0 ? { expiration: grantData.expiresAt } : {};
+    await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData), kvOptions);
+  }
   /**
    * Fetches client information from KV storage
    * This method is not private because `OAuthHelpers` needs to call it. Note that since
@@ -1444,7 +1481,8 @@ var OAuthHelpersImpl = class {
           userId: grantData.userId,
           scope: grantData.scope,
           metadata: grantData.metadata,
-          createdAt: grantData.createdAt
+          createdAt: grantData.createdAt,
+          expiresAt: grantData.expiresAt
         };
         grantSummaries.push(summary);
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.0.0-9587b58",
+  "version": "0.0.0-9d4b595",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",
@@ -26,11 +26,12 @@
   },
   "devDependencies": {
     "@changesets/changelog-github": "^0.5.1",
-    "@changesets/cli": "^2.29.5",
+    "@changesets/cli": "^2.29.7",
     "@cloudflare/workers-types": "^4.20250807.0",
+    "pkg-pr-new": "^0.0.59",
     "prettier": "^3.6.2",
     "tsup": "^8.5.0",
-    "tsx": "^4.20.3",
+    "tsx": "^4.20.5",
     "typescript": "^5.9.2",
     "vitest": "^3.2.4"
   },