@cloudflare/workers-oauth-provider 0.0.0-aa007fc → 0.0.0-be89144

package/dist/oauth-provider.d.ts

@@ -68,6 +68,39 @@ interface TokenExchangeCallbackOptions {
      */
     props: any;
 }
+/**
+ * Input parameters for the resolveExternalToken callback function
+ */
+interface ResolveExternalTokenInput {
+    /**
+     * The token string that was provided in the Authorization header
+     */
+    token: string;
+    /**
+     * The original HTTP request
+     */
+    request: Request;
+    /**
+     * Cloudflare Worker environment variables
+     */
+    env: any;
+}
+/**
+ * Result returned from the resolveExternalToken callback function
+ */
+interface ResolveExternalTokenResult {
+    /**
+     * Application-specific properties that will be passed to the API handlers
+     * These properties are set in the execution context (ctx.props) when the external token is validated
+     */
+    props: any;
+    /**
+     * Audience claim from the external token (RFC 7519 Section 4.1.3)
+     * If provided, will be validated against the resource server identity
+     *
+     */
+    audience?: string | string[];
+}
 interface OAuthProviderOptions {
     /**
      * URL(s) for API routes. Requests with URLs starting with any of these prefixes
@@ -157,6 +190,16 @@ interface OAuthProviderOptions {
      * If the callback returns nothing or undefined for a props field, the original props will be used.
      */
     tokenExchangeCallback?: (options: TokenExchangeCallbackOptions) => Promise<TokenExchangeCallbackResult | void> | TokenExchangeCallbackResult | void;
+    /**
+     * Optional callback function that is called when a provided token was not found in the internal KV.
+     * This allows authentication through external OAuth servers.
+     * For example, if a request includes an authenticated token from a different OAuth authentication server,
+     * the callback can be used to authenticate it and set the context props through it.
+     *
+     * The callback can optionally return props values that will passed-through to the apiHandlers.
+     * The callback can return `null` to signal resolution failure.
+     */
+    resolveExternalToken?: (input: ResolveExternalTokenInput) => Promise<ResolveExternalTokenResult | null>;
     /**
      * Optional callback function that is called whenever the OAuthProvider returns an error response
      * This allows the client to emit notifications or perform other actions when an error occurs.
@@ -267,6 +310,10 @@ interface AuthRequest {
      * PKCE code challenge method (plain or S256)
      */
     codeChallengeMethod?: string;
+    /**
+     * Resource parameter indicating target resource(s) (RFC 8707)
+     */
+    resource?: string | string[];
 }
 /**
  * OAuth client registration information
@@ -435,6 +482,11 @@ interface Grant {
      * Only present during the authorization code exchange process
      */
     codeChallengeMethod?: string;
+    /**
+     * Resource parameter from authorization request (RFC 8707 Section 2.1)
+     * Indicates the protected resource(s) for which access is requested
+     */
+    resource?: string | string[];
 }
 /**
  * Token record stored in KV
@@ -463,6 +515,11 @@ interface Token {
      * Unix timestamp when the token expires
      */
     expiresAt: number;
+    /**
+     * Intended audience for this token (RFC 7519 Section 4.1.3)
+     * Can be a single string or array of strings
+     */
+    audience?: string | string[];
     /**
      * The encryption key for props, wrapped with this token
      */
@@ -568,4 +625,4 @@ declare class OAuthProvider {
     fetch(request: Request, env: any, ctx: ExecutionContext): Promise<Response>;
 }
 
-export { type AuthRequest, type ClientInfo, type CompleteAuthorizationOptions, type Grant, type GrantSummary, type ListOptions, type ListResult, type OAuthHelpers, OAuthProvider, type OAuthProviderOptions, type Token, type TokenExchangeCallbackOptions, type TokenExchangeCallbackResult, OAuthProvider as default };
+export { type AuthRequest, type ClientInfo, type CompleteAuthorizationOptions, type Grant, type GrantSummary, type ListOptions, type ListResult, type OAuthHelpers, OAuthProvider, type OAuthProviderOptions, type ResolveExternalTokenInput, type ResolveExternalTokenResult, type Token, type TokenExchangeCallbackOptions, type TokenExchangeCallbackResult, OAuthProvider as default };

package/dist/oauth-provider.js

@@ -231,7 +231,8 @@ var OAuthProviderImpl = class {
     }
     const formData = await request.formData();
     for (const [key, value] of formData.entries()) {
-      body[key] = value;
+      const allValues = formData.getAll(key);
+      body[key] = allValues.length > 1 ? allValues : value;
     }
     const authHeader = request.headers.get("Authorization");
     let clientId = "";
@@ -549,12 +550,32 @@ var OAuthProviderImpl = class {
       grantData.expiresAt = expiresAt;
     }
     await this.saveGrantWithTTL(env, grantKey, grantData, now);
+    if (body.resource && grantData.resource) {
+      const requestedResources = Array.isArray(body.resource) ? body.resource : [body.resource];
+      const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
+      for (const requested of requestedResources) {
+        if (!grantedResources.includes(requested)) {
+          return this.createErrorResponse(
+            "invalid_target",
+            "Requested resource was not included in the authorization request"
+          );
+        }
+      }
+    }
+    const audience = parseResourceParameter(body.resource || grantData.resource);
+    if ((body.resource || grantData.resource) && !audience) {
+      return this.createErrorResponse(
+        "invalid_target",
+        "The resource parameter must be a valid absolute URI without a fragment"
+      );
+    }
     const accessTokenData = {
       id: accessTokenId,
       grantId,
       userId,
       createdAt: now,
       expiresAt: accessTokenExpiresAt,
+      audience,
       wrappedEncryptionKey: accessTokenWrappedKey,
       grant: {
         clientId: grantData.clientId,
@@ -574,6 +595,9 @@ var OAuthProviderImpl = class {
     if (refreshToken) {
       tokenResponse.refresh_token = refreshToken;
     }
+    if (audience) {
+      tokenResponse.resource = audience;
+    }
     return new Response(JSON.stringify(tokenResponse), {
       headers: { "Content-Type": "application/json" }
     });
@@ -701,12 +725,32 @@ var OAuthProviderImpl = class {
     grantData.refreshTokenId = newRefreshTokenId;
     grantData.refreshTokenWrappedKey = newRefreshTokenWrappedKey;
     await this.saveGrantWithTTL(env, grantKey, grantData, now);
+    if (body.resource && grantData.resource) {
+      const requestedResources = Array.isArray(body.resource) ? body.resource : [body.resource];
+      const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
+      for (const requested of requestedResources) {
+        if (!grantedResources.includes(requested)) {
+          return this.createErrorResponse(
+            "invalid_target",
+            "Requested resource was not included in the authorization request"
+          );
+        }
+      }
+    }
+    const audience = parseResourceParameter(body.resource || grantData.resource);
+    if ((body.resource || grantData.resource) && !audience) {
+      return this.createErrorResponse(
+        "invalid_target",
+        "The resource parameter must be a valid absolute URI without a fragment"
+      );
+    }
     const accessTokenData = {
       id: accessTokenId,
       grantId,
       userId,
       createdAt: now,
       expiresAt: accessTokenExpiresAt,
+      audience,
       wrappedEncryptionKey: accessTokenWrappedKey,
       grant: {
         clientId: grantData.clientId,
@@ -724,6 +768,9 @@ var OAuthProviderImpl = class {
       refresh_token: newRefreshToken,
       scope: grantData.scope.join(" ")
     };
+    if (audience) {
+      tokenResponse.resource = audience;
+    }
     return new Response(JSON.stringify(tokenResponse), {
       headers: { "Content-Type": "application/json" }
     });
@@ -876,6 +923,9 @@ var OAuthProviderImpl = class {
       if (!redirectUris || redirectUris.length === 0) {
         throw new Error("At least one redirect URI is required");
       }
+      for (const uri of redirectUris) {
+        validateRedirectUriScheme(uri);
+      }
       clientInfo = {
         clientId,
         redirectUris,
@@ -940,30 +990,62 @@ var OAuthProviderImpl = class {
       });
     }
     const accessToken = authHeader.substring(7);
-    const tokenParts = accessToken.split(":");
-    if (tokenParts.length !== 3) {
-      return this.createErrorResponse("invalid_token", "Invalid token format", 401, {
-        "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
-      });
-    }
-    const [userId, grantId, _] = tokenParts;
-    const accessTokenId = await generateTokenId(accessToken);
-    const tokenKey = `token:${userId}:${grantId}:${accessTokenId}`;
-    const tokenData = await env.OAUTH_KV.get(tokenKey, { type: "json" });
-    if (!tokenData) {
+    const parts = accessToken.split(":");
+    const isPossiblyInternalFormat = parts.length === 3;
+    let tokenData = null;
+    let userId = "";
+    let grantId = "";
+    if (isPossiblyInternalFormat) {
+      [userId, grantId] = parts;
+      const id = await generateTokenId(accessToken);
+      tokenData = await env.OAUTH_KV.get(`token:${userId}:${grantId}:${id}`, { type: "json" });
+    }
+    if (!tokenData && !this.options.resolveExternalToken) {
       return this.createErrorResponse("invalid_token", "Invalid access token", 401, {
         "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
       });
     }
-    const now = Math.floor(Date.now() / 1e3);
-    if (tokenData.expiresAt < now) {
-      return this.createErrorResponse("invalid_token", "Access token expired", 401, {
-        "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
-      });
+    if (tokenData) {
+      const now = Math.floor(Date.now() / 1e3);
+      if (tokenData.expiresAt < now) {
+        return this.createErrorResponse("invalid_token", "Access token expired", 401, {
+          "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
+        });
+      }
+      if (tokenData.audience) {
+        const requestUrl = new URL(request.url);
+        const resourceServer = `${requestUrl.protocol}//${requestUrl.host}`;
+        const audiences = Array.isArray(tokenData.audience) ? tokenData.audience : [tokenData.audience];
+        const matches = audiences.some((aud) => audienceMatches(resourceServer, aud));
+        if (!matches) {
+          return this.createErrorResponse("invalid_token", "Token audience does not match resource server", 401, {
+            "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token", error_description="Invalid audience"'
+          });
+        }
+      }
+      const encryptionKey = await unwrapKeyWithToken(accessToken, tokenData.wrappedEncryptionKey);
+      const decryptedProps = await decryptProps(encryptionKey, tokenData.grant.encryptedProps);
+      ctx.props = decryptedProps;
+    } else if (this.options.resolveExternalToken) {
+      const ext = await this.options.resolveExternalToken({ token: accessToken, request, env });
+      if (!ext) {
+        return this.createErrorResponse("invalid_token", "Invalid access token", 401, {
+          "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
+        });
+      }
+      if (ext.audience) {
+        const requestUrl = new URL(request.url);
+        const resourceServer = `${requestUrl.protocol}//${requestUrl.host}`;
+        const audiences = Array.isArray(ext.audience) ? ext.audience : [ext.audience];
+        const matches = audiences.some((aud) => audienceMatches(resourceServer, aud));
+        if (!matches) {
+          return this.createErrorResponse("invalid_token", "Token audience does not match resource server", 401, {
+            "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token", error_description="Invalid audience"'
+          });
+        }
+      }
+      ctx.props = ext.props;
     }
-    const encryptionKey = await unwrapKeyWithToken(accessToken, tokenData.wrappedEncryptionKey);
-    const decryptedProps = await decryptProps(encryptionKey, tokenData.grant.encryptedProps);
-    ctx.props = decryptedProps;
     if (!env.OAUTH_PROVIDER) {
       env.OAUTH_PROVIDER = this.createOAuthHelpers(env);
     }
@@ -1038,11 +1120,46 @@ var OAuthProviderImpl = class {
 };
 var DEFAULT_ACCESS_TOKEN_TTL = 60 * 60;
 var TOKEN_LENGTH = 32;
+function validateResourceUri(uri) {
+  if (!uri || typeof uri !== "string") {
+    return false;
+  }
+  try {
+    const parsed = new URL(uri);
+    if (!parsed.protocol) {
+      return false;
+    }
+    if (parsed.hash) {
+      return false;
+    }
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+function audienceMatches(resourceServerUrl, audienceValue) {
+  return resourceServerUrl === audienceValue;
+}
+function parseResourceParameter(value) {
+  if (!value) {
+    return void 0;
+  }
+  const uris = Array.isArray(value) ? value : [value];
+  for (const uri of uris) {
+    if (typeof uri !== "string" || !validateResourceUri(uri)) {
+      return void 0;
+    }
+  }
+  return value;
+}
 async function hashSecret(secret) {
   return generateTokenId(secret);
 }
 function generateRandomString(length) {
-  const characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  const characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
   let result = "";
   const values = new Uint8Array(length);
   crypto.getRandomValues(values);
@@ -1059,6 +1176,26 @@ async function generateTokenId(token) {
   const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
   return hashHex;
 }
+function validateRedirectUriScheme(redirectUri) {
+  const dangerousSchemes = ["javascript:", "data:", "vbscript:", "file:", "mailto:", "blob:"];
+  const normalized = redirectUri.trim();
+  for (let i = 0; i < normalized.length; i++) {
+    const code = normalized.charCodeAt(i);
+    if (code >= 0 && code <= 31 || code >= 127 && code <= 159) {
+      throw new Error("Invalid redirect URI");
+    }
+  }
+  const colonIndex = normalized.indexOf(":");
+  if (colonIndex === -1) {
+    throw new Error("Invalid redirect URI");
+  }
+  const scheme = normalized.substring(0, colonIndex + 1).toLowerCase();
+  for (const dangerousScheme of dangerousSchemes) {
+    if (scheme === dangerousScheme) {
+      throw new Error("Invalid redirect URI");
+    }
+  }
+}
 function base64UrlEncode(str) {
   return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
 }
@@ -1211,8 +1348,12 @@ var OAuthHelpersImpl = class {
     const state = url.searchParams.get("state") || "";
     const codeChallenge = url.searchParams.get("code_challenge") || void 0;
     const codeChallengeMethod = url.searchParams.get("code_challenge_method") || "plain";
-    if (!redirectUri.startsWith("http://") && !redirectUri.startsWith("https://")) {
-      throw new Error("Invalid redirect URI");
+    const resourceParams = url.searchParams.getAll("resource");
+    const resourceParam = resourceParams.length > 0 ? resourceParams.length === 1 ? resourceParams[0] : resourceParams : void 0;
+    validateRedirectUriScheme(redirectUri);
+    const resource = parseResourceParameter(resourceParam);
+    if (resourceParam && !resource) {
+      throw new Error("The resource parameter must be a valid absolute URI without a fragment");
     }
     if (responseType === "token" && !this.provider.options.allowImplicitFlow) {
       throw new Error("The implicit grant flow is not enabled for this provider");
@@ -1237,7 +1378,8 @@ var OAuthHelpersImpl = class {
       scope,
       state,
       codeChallenge,
-      codeChallengeMethod
+      codeChallengeMethod,
+      resource
     };
   }
   /**
@@ -1256,6 +1398,16 @@ var OAuthHelpersImpl = class {
    * @returns A Promise resolving to an object containing the redirect URL
    */
   async completeAuthorization(options) {
+    const { clientId, redirectUri } = options.request;
+    if (!clientId || !redirectUri) {
+      throw new Error("Client ID and Redirect URI are required in the authorization request.");
+    }
+    const clientInfo = await this.lookupClient(clientId);
+    if (!clientInfo || !clientInfo.redirectUris.includes(redirectUri)) {
+      throw new Error(
+        "Invalid redirect URI. The redirect URI provided does not match any registered URI for this client."
+      );
+    }
     const grantId = generateRandomString(16);
     const { encryptedData, key: encryptionKey } = await encryptProps(options.props);
     const now = Math.floor(Date.now() / 1e3);
@@ -1266,6 +1418,10 @@ var OAuthHelpersImpl = class {
       const accessTokenTTL = this.provider.options.accessTokenTTL || DEFAULT_ACCESS_TOKEN_TTL;
       const accessTokenExpiresAt = now + accessTokenTTL;
       const accessTokenWrappedKey = await wrapKeyWithToken(accessToken, encryptionKey);
+      const audience = parseResourceParameter(options.request.resource);
+      if (options.request.resource && !audience) {
+        throw new Error("The resource parameter must be a valid absolute URI without a fragment");
+      }
       const grant = {
         id: grantId,
         clientId: options.request.clientId,
@@ -1273,7 +1429,8 @@ var OAuthHelpersImpl = class {
         scope: options.scope,
         metadata: options.metadata,
         encryptedProps: encryptedData,
-        createdAt: now
+        createdAt: now,
+        resource: options.request.resource
       };
       const grantKey = `grant:${options.userId}:${grantId}`;
       await this.env.OAUTH_KV.put(grantKey, JSON.stringify(grant));
@@ -1283,6 +1440,7 @@ var OAuthHelpersImpl = class {
         userId: options.userId,
         createdAt: now,
         expiresAt: accessTokenExpiresAt,
+        audience,
         wrappedEncryptionKey: accessTokenWrappedKey,
         grant: {
           clientId: options.request.clientId,
@@ -1325,7 +1483,8 @@ var OAuthHelpersImpl = class {
         // Store the wrapped key
         // Store PKCE parameters if provided
         codeChallenge: options.request.codeChallenge,
-        codeChallengeMethod: options.request.codeChallengeMethod
+        codeChallengeMethod: options.request.codeChallengeMethod,
+        resource: options.request.resource
       };
       const grantKey = `grant:${options.userId}:${grantId}`;
       const codeExpiresIn = 600;
@@ -1362,6 +1521,9 @@ var OAuthHelpersImpl = class {
       registrationDate: Math.floor(Date.now() / 1e3),
       tokenEndpointAuthMethod
     };
+    for (const uri of newClient.redirectUris) {
+      validateRedirectUriScheme(uri);
+    }
     let clientSecret;
     if (!isPublicClient) {
       clientSecret = generateRandomString(32);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.0.0-aa007fc",
+  "version": "0.0.0-be89144",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",