@cloudflare/workers-oauth-provider 0.0.0-a204c64 → 0.0.0-b7784c7

package/README.md

@@ -38,7 +38,7 @@ export default new OAuthProvider({
   // You can provide either an object with a fetch method (ExportedHandler)
   // or a class extending WorkerEntrypoint.
   apiHandler: ApiHandler, // Using a WorkerEntrypoint class
-  
+
   // For multi-handler setups, you can use apiHandlers instead of apiRoute+apiHandler.
   // This allows you to use different handlers for different API routes.
   // Note: You must use either apiRoute+apiHandler (single-handler) OR apiHandlers (multi-handler), not both.
@@ -87,7 +87,13 @@ export default new OAuthProvider({
   // Note: Creating public clients via the OAuthHelpers.createClient() method
   // is always allowed regardless of this setting.
   // Defaults to false.
-  disallowPublicClientRegistration: false
+  disallowPublicClientRegistration: false,
+
+  // Optional: Time-to-live for refresh tokens in seconds.
+  // If not specified, refresh tokens do not expire.
+  // Set to 0 to disable refresh tokens (only access tokens will be issued).
+  // For example: 3600 = 1 hour, 86400 = 1 day, 2592000 = 30 days
+  refreshTokenTTL: 2592000 // 30 days
 });
 
 // The default handler object - the OAuthProvider will pass through HTTP requests to this object's fetch method
@@ -261,6 +267,7 @@ The callback can:
 - Return only `accessTokenProps` to update just the current access token
 - Return only `newProps` to update both the grant and access token (the access token inherits these props)
 - Return `accessTokenTTL` to override the default TTL for this specific access token
+- Return `refreshTokenTTL` to override the default TTL for this specific refresh token
 - Return nothing to keep the original props unchanged
 
 The `accessTokenTTL` override is particularly useful when the application is also an OAuth client to another service and wants to match its access token TTL to the upstream access token TTL. This helps prevent situations where the downstream token is still valid but the upstream token has expired.

package/dist/oauth-provider.d.ts

@@ -33,6 +33,13 @@ interface TokenExchangeCallbackResult {
      * Value should be in seconds.
      */
     accessTokenTTL?: number;
+    /**
+     * Override the default refresh token TTL (time-to-live) for this specific grant.
+     * Value should be in seconds.
+     * Note: This is only honored during authorization code exchange. If returned during
+     * refresh token exchange, it will be ignored.
+     */
+    refreshTokenTTL?: number;
 }
 /**
  * Options for token exchange callback functions
@@ -61,6 +68,33 @@ interface TokenExchangeCallbackOptions {
      */
     props: any;
 }
+/**
+ * Input parameters for the resolveExternalToken callback function
+ */
+interface ResolveExternalTokenInput {
+    /**
+     * The token string that was provided in the Authorization header
+     */
+    token: string;
+    /**
+     * The original HTTP request
+     */
+    request: Request;
+    /**
+     * Cloudflare Worker environment variables
+     */
+    env: any;
+}
+/**
+ * Result returned from the resolveExternalToken callback function
+ */
+interface ResolveExternalTokenResult {
+    /**
+     * Application-specific properties that will be passed to the API handlers
+     * These properties are set in the execution context (ctx.props) when the external token is validated
+     */
+    props: any;
+}
 interface OAuthProviderOptions {
     /**
      * URL(s) for API routes. Requests with URLs starting with any of these prefixes
@@ -116,6 +150,12 @@ interface OAuthProviderOptions {
      * Defaults to 1 hour (3600 seconds) if not specified.
      */
     accessTokenTTL?: number;
+    /**
+     * Time-to-live for refresh tokens in seconds.
+     * If not specified, refresh tokens do not expire.
+     * For example: 3600 = 1 hour, 2592000 = 30 days
+     */
+    refreshTokenTTL?: number;
     /**
      * List of scopes supported by this OAuth provider.
      * If not provided, the 'scopes_supported' field will be omitted from the OAuth metadata.
@@ -144,6 +184,16 @@ interface OAuthProviderOptions {
      * If the callback returns nothing or undefined for a props field, the original props will be used.
      */
     tokenExchangeCallback?: (options: TokenExchangeCallbackOptions) => Promise<TokenExchangeCallbackResult | void> | TokenExchangeCallbackResult | void;
+    /**
+     * Optional callback function that is called when a provided token was not found in the internal KV.
+     * This allows authentication through external OAuth servers.
+     * For example, if a request includes an authenticated token from a different OAuth authentication server,
+     * the callback can be used to authenticate it and set the context props through it.
+     *
+     * The callback can optionally return props values that will passed-through to the apiHandlers.
+     * The callback can return `null` to signal resolution failure.
+     */
+    resolveExternalToken?: (input: ResolveExternalTokenInput) => Promise<ResolveExternalTokenResult | null>;
     /**
      * Optional callback function that is called whenever the OAuthProvider returns an error response
      * This allows the client to emit notifications or perform other actions when an error occurs.
@@ -381,6 +431,10 @@ interface Grant {
      * Unix timestamp when the grant was created
      */
     createdAt: number;
+    /**
+     * Unix timestamp when the grant expires (if TTL is configured)
+     */
+    expiresAt?: number;
     /**
      * The hash of the current refresh token associated with this grant
      */
@@ -523,6 +577,10 @@ interface GrantSummary {
      * Unix timestamp when the grant was created
      */
     createdAt: number;
+    /**
+     * Unix timestamp when the grant expires (if TTL is configured)
+     */
+    expiresAt?: number;
 }
 /**
  * OAuth 2.0 Provider implementation for Cloudflare Workers
@@ -547,4 +605,4 @@ declare class OAuthProvider {
     fetch(request: Request, env: any, ctx: ExecutionContext): Promise<Response>;
 }
 
-export { type AuthRequest, type ClientInfo, type CompleteAuthorizationOptions, type Grant, type GrantSummary, type ListOptions, type ListResult, type OAuthHelpers, OAuthProvider, type OAuthProviderOptions, type Token, type TokenExchangeCallbackOptions, type TokenExchangeCallbackResult, OAuthProvider as default };
+export { type AuthRequest, type ClientInfo, type CompleteAuthorizationOptions, type Grant, type GrantSummary, type ListOptions, type ListResult, type OAuthHelpers, OAuthProvider, type OAuthProviderOptions, type ResolveExternalTokenInput, type ResolveExternalTokenResult, type Token, type TokenExchangeCallbackOptions, type TokenExchangeCallbackResult, OAuthProvider as default };

package/dist/oauth-provider.js

@@ -478,12 +478,10 @@ var OAuthProviderImpl = class {
       }
     }
     const accessTokenSecret = generateRandomString(TOKEN_LENGTH);
-    const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
     const accessToken = `${userId}:${grantId}:${accessTokenSecret}`;
-    const refreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
     const accessTokenId = await generateTokenId(accessToken);
-    const refreshTokenId = await generateTokenId(refreshToken);
     let accessTokenTTL = this.options.accessTokenTTL;
+    let refreshTokenTTL = this.options.refreshTokenTTL;
     const encryptionKey = await unwrapKeyWithToken(code, grantData.authCodeWrappedKey);
     let grantEncryptionKey = encryptionKey;
     let accessTokenEncryptionKey = encryptionKey;
@@ -513,6 +511,9 @@ var OAuthProviderImpl = class {
         if (callbackResult.accessTokenTTL !== void 0) {
           accessTokenTTL = callbackResult.accessTokenTTL;
         }
+        if ("refreshTokenTTL" in callbackResult) {
+          refreshTokenTTL = callbackResult.refreshTokenTTL;
+        }
       }
       const grantResult = await encryptProps(grantProps);
       grantData.encryptedProps = grantResult.encryptedData;
@@ -528,17 +529,26 @@ var OAuthProviderImpl = class {
     }
     const now = Math.floor(Date.now() / 1e3);
     const accessTokenExpiresAt = now + accessTokenTTL;
+    const useRefreshToken = refreshTokenTTL !== 0;
     const accessTokenWrappedKey = await wrapKeyWithToken(accessToken, accessTokenEncryptionKey);
-    const refreshTokenWrappedKey = await wrapKeyWithToken(refreshToken, grantEncryptionKey);
     delete grantData.authCodeId;
     delete grantData.codeChallenge;
     delete grantData.codeChallengeMethod;
     delete grantData.authCodeWrappedKey;
-    grantData.refreshTokenId = refreshTokenId;
-    grantData.refreshTokenWrappedKey = refreshTokenWrappedKey;
-    grantData.previousRefreshTokenId = void 0;
-    grantData.previousRefreshTokenWrappedKey = void 0;
-    await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData));
+    let refreshToken;
+    if (useRefreshToken) {
+      const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
+      refreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
+      const refreshTokenId = await generateTokenId(refreshToken);
+      const refreshTokenWrappedKey = await wrapKeyWithToken(refreshToken, grantEncryptionKey);
+      const expiresAt = refreshTokenTTL !== void 0 ? now + refreshTokenTTL : void 0;
+      grantData.refreshTokenId = refreshTokenId;
+      grantData.refreshTokenWrappedKey = refreshTokenWrappedKey;
+      grantData.previousRefreshTokenId = void 0;
+      grantData.previousRefreshTokenWrappedKey = void 0;
+      grantData.expiresAt = expiresAt;
+    }
+    await this.saveGrantWithTTL(env, grantKey, grantData, now);
     const accessTokenData = {
       id: accessTokenId,
       grantId,
@@ -555,18 +565,18 @@ var OAuthProviderImpl = class {
     await env.OAUTH_KV.put(`token:${userId}:${grantId}:${accessTokenId}`, JSON.stringify(accessTokenData), {
       expirationTtl: accessTokenTTL
     });
-    return new Response(
-      JSON.stringify({
-        access_token: accessToken,
-        token_type: "bearer",
-        expires_in: accessTokenTTL,
-        refresh_token: refreshToken,
-        scope: grantData.scope.join(" ")
-      }),
-      {
-        headers: { "Content-Type": "application/json" }
-      }
-    );
+    const tokenResponse = {
+      access_token: accessToken,
+      token_type: "bearer",
+      expires_in: accessTokenTTL,
+      scope: grantData.scope.join(" ")
+    };
+    if (refreshToken) {
+      tokenResponse.refresh_token = refreshToken;
+    }
+    return new Response(JSON.stringify(tokenResponse), {
+      headers: { "Content-Type": "application/json" }
+    });
   }
   /**
    * Handles the refresh token grant type
@@ -600,12 +610,15 @@ var OAuthProviderImpl = class {
     if (grantData.clientId !== clientInfo.clientId) {
       return this.createErrorResponse("invalid_grant", "Client ID mismatch");
     }
+    if (grantData.expiresAt !== void 0) {
+      const now2 = Math.floor(Date.now() / 1e3);
+      if (now2 >= grantData.expiresAt) {
+        return this.createErrorResponse("invalid_grant", "Refresh token has expired");
+      }
+    }
     const accessTokenSecret = generateRandomString(TOKEN_LENGTH);
     const newAccessToken = `${userId}:${grantId}:${accessTokenSecret}`;
     const accessTokenId = await generateTokenId(newAccessToken);
-    const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
-    const newRefreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
-    const newRefreshTokenId = await generateTokenId(newRefreshToken);
     let accessTokenTTL = this.options.accessTokenTTL;
     let wrappedKeyToUse;
     if (isCurrentToken) {
@@ -617,6 +630,7 @@ var OAuthProviderImpl = class {
     let grantEncryptionKey = encryptionKey;
     let accessTokenEncryptionKey = encryptionKey;
     let encryptedAccessTokenProps = grantData.encryptedProps;
+    let grantPropsChanged = false;
     if (this.options.tokenExchangeCallback) {
       const decryptedProps = await decryptProps(encryptionKey, grantData.encryptedProps);
       let grantProps = decryptedProps;
@@ -629,7 +643,6 @@ var OAuthProviderImpl = class {
         props: decryptedProps
       };
       const callbackResult = await Promise.resolve(this.options.tokenExchangeCallback(callbackOptions));
-      let grantPropsChanged = false;
       if (callbackResult) {
         if (callbackResult.newProps) {
           grantProps = callbackResult.newProps;
@@ -644,6 +657,12 @@ var OAuthProviderImpl = class {
         if (callbackResult.accessTokenTTL !== void 0) {
           accessTokenTTL = callbackResult.accessTokenTTL;
         }
+        if ("refreshTokenTTL" in callbackResult) {
+          return this.createErrorResponse(
+            "invalid_request",
+            "refreshTokenTTL cannot be changed during refresh token exchange"
+          );
+        }
       }
       if (grantPropsChanged) {
         const grantResult = await encryptProps(grantProps);
@@ -665,14 +684,23 @@ var OAuthProviderImpl = class {
       }
     }
     const now = Math.floor(Date.now() / 1e3);
+    if (grantData.expiresAt !== void 0) {
+      const remainingRefreshTokenLifetime = grantData.expiresAt - now;
+      if (remainingRefreshTokenLifetime > 0) {
+        accessTokenTTL = Math.min(accessTokenTTL, remainingRefreshTokenLifetime);
+      }
+    }
     const accessTokenExpiresAt = now + accessTokenTTL;
     const accessTokenWrappedKey = await wrapKeyWithToken(newAccessToken, accessTokenEncryptionKey);
+    const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
+    const newRefreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
+    const newRefreshTokenId = await generateTokenId(newRefreshToken);
     const newRefreshTokenWrappedKey = await wrapKeyWithToken(newRefreshToken, grantEncryptionKey);
     grantData.previousRefreshTokenId = providedTokenHash;
     grantData.previousRefreshTokenWrappedKey = wrappedKeyToUse;
     grantData.refreshTokenId = newRefreshTokenId;
     grantData.refreshTokenWrappedKey = newRefreshTokenWrappedKey;
-    await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData));
+    await this.saveGrantWithTTL(env, grantKey, grantData, now);
     const accessTokenData = {
       id: accessTokenId,
       grantId,
@@ -689,18 +717,16 @@ var OAuthProviderImpl = class {
     await env.OAUTH_KV.put(`token:${userId}:${grantId}:${accessTokenId}`, JSON.stringify(accessTokenData), {
       expirationTtl: accessTokenTTL
     });
-    return new Response(
-      JSON.stringify({
-        access_token: newAccessToken,
-        token_type: "bearer",
-        expires_in: accessTokenTTL,
-        refresh_token: newRefreshToken,
-        scope: grantData.scope.join(" ")
-      }),
-      {
-        headers: { "Content-Type": "application/json" }
-      }
-    );
+    const tokenResponse = {
+      access_token: newAccessToken,
+      token_type: "bearer",
+      expires_in: accessTokenTTL,
+      refresh_token: newRefreshToken,
+      scope: grantData.scope.join(" ")
+    };
+    return new Response(JSON.stringify(tokenResponse), {
+      headers: { "Content-Type": "application/json" }
+    });
   }
   /**
    * Handles OAuth 2.0 token revocation requests (RFC 7009)
@@ -736,7 +762,7 @@ var OAuthProviderImpl = class {
     } else if (isRefreshToken) {
       await this.createOAuthHelpers(env).revokeGrant(grantId, userId);
     }
-    return new Response("", { status: 500 });
+    return new Response("", { status: 200 });
   }
   /**
    * Revokes a specific access token without affecting the refresh token
@@ -914,30 +940,40 @@ var OAuthProviderImpl = class {
       });
     }
     const accessToken = authHeader.substring(7);
-    const tokenParts = accessToken.split(":");
-    if (tokenParts.length !== 3) {
-      return this.createErrorResponse("invalid_token", "Invalid token format", 401, {
-        "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
-      });
-    }
-    const [userId, grantId, _] = tokenParts;
-    const accessTokenId = await generateTokenId(accessToken);
-    const tokenKey = `token:${userId}:${grantId}:${accessTokenId}`;
-    const tokenData = await env.OAUTH_KV.get(tokenKey, { type: "json" });
-    if (!tokenData) {
+    const parts = accessToken.split(":");
+    const isPossiblyInternalFormat = parts.length === 3;
+    let tokenData = null;
+    let userId = "";
+    let grantId = "";
+    if (isPossiblyInternalFormat) {
+      [userId, grantId] = parts;
+      const id = await generateTokenId(accessToken);
+      tokenData = await env.OAUTH_KV.get(`token:${userId}:${grantId}:${id}`, { type: "json" });
+    }
+    if (!tokenData && !this.options.resolveExternalToken) {
       return this.createErrorResponse("invalid_token", "Invalid access token", 401, {
         "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
       });
     }
-    const now = Math.floor(Date.now() / 1e3);
-    if (tokenData.expiresAt < now) {
-      return this.createErrorResponse("invalid_token", "Access token expired", 401, {
-        "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
-      });
+    if (tokenData) {
+      const now = Math.floor(Date.now() / 1e3);
+      if (tokenData.expiresAt < now) {
+        return this.createErrorResponse("invalid_token", "Access token expired", 401, {
+          "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
+        });
+      }
+      const encryptionKey = await unwrapKeyWithToken(accessToken, tokenData.wrappedEncryptionKey);
+      const decryptedProps = await decryptProps(encryptionKey, tokenData.grant.encryptedProps);
+      ctx.props = decryptedProps;
+    } else if (this.options.resolveExternalToken) {
+      const ext = await this.options.resolveExternalToken({ token: accessToken, request, env });
+      if (!ext) {
+        return this.createErrorResponse("invalid_token", "Invalid access token", 401, {
+          "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
+        });
+      }
+      ctx.props = ext.props;
     }
-    const encryptionKey = await unwrapKeyWithToken(accessToken, tokenData.wrappedEncryptionKey);
-    const decryptedProps = await decryptProps(encryptionKey, tokenData.grant.encryptedProps);
-    ctx.props = decryptedProps;
     if (!env.OAUTH_PROVIDER) {
       env.OAUTH_PROVIDER = this.createOAuthHelpers(env);
     }
@@ -962,6 +998,17 @@ var OAuthProviderImpl = class {
   createOAuthHelpers(env) {
     return new OAuthHelpersImpl(env, this);
   }
+  /**
+   * Saves a grant to KV with appropriate TTL based on expiration
+   * @param env - The environment bindings
+   * @param grantKey - The KV key for the grant
+   * @param grantData - The grant data to save
+   * @param now - Current timestamp in seconds
+   */
+  async saveGrantWithTTL(env, grantKey, grantData, now) {
+    const kvOptions = grantData.expiresAt !== void 0 ? { expiration: grantData.expiresAt } : {};
+    await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData), kvOptions);
+  }
   /**
    * Fetches client information from KV storage
    * This method is not private because `OAuthHelpers` needs to call it. Note that since
@@ -1005,7 +1052,7 @@ async function hashSecret(secret) {
   return generateTokenId(secret);
 }
 function generateRandomString(length) {
-  const characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  const characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
   let result = "";
   const values = new Uint8Array(length);
   crypto.getRandomValues(values);
@@ -1174,6 +1221,9 @@ var OAuthHelpersImpl = class {
     const state = url.searchParams.get("state") || "";
     const codeChallenge = url.searchParams.get("code_challenge") || void 0;
     const codeChallengeMethod = url.searchParams.get("code_challenge_method") || "plain";
+    if (redirectUri.startsWith("javascript:") || redirectUri.startsWith("data:") || redirectUri.startsWith("vbscript:") || redirectUri.startsWith("file:") || redirectUri.startsWith("mailto:") || redirectUri.startsWith("blob:")) {
+      throw new Error("Invalid redirect URI");
+    }
     if (responseType === "token" && !this.provider.options.allowImplicitFlow) {
       throw new Error("The implicit grant flow is not enabled for this provider");
     }
@@ -1441,7 +1491,8 @@ var OAuthHelpersImpl = class {
           userId: grantData.userId,
           scope: grantData.scope,
           metadata: grantData.metadata,
-          createdAt: grantData.createdAt
+          createdAt: grantData.createdAt,
+          expiresAt: grantData.expiresAt
         };
         grantSummaries.push(summary);
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.0.0-a204c64",
+  "version": "0.0.0-b7784c7",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",
@@ -26,11 +26,12 @@
   },
   "devDependencies": {
     "@changesets/changelog-github": "^0.5.1",
-    "@changesets/cli": "^2.29.5",
+    "@changesets/cli": "^2.29.7",
     "@cloudflare/workers-types": "^4.20250807.0",
+    "pkg-pr-new": "^0.0.59",
     "prettier": "^3.6.2",
     "tsup": "^8.5.0",
-    "tsx": "^4.20.3",
+    "tsx": "^4.20.5",
     "typescript": "^5.9.2",
     "vitest": "^3.2.4"
   },