npm - @cloudflare/workers-oauth-provider - Versions diffs - 0.8.0 → 0.8.1 - Mend

@cloudflare/workers-oauth-provider 0.8.0 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/oauth-provider.js +32 -5
package/package.json +1 -1

package/dist/oauth-provider.js CHANGED Viewed

@@ -639,9 +639,11 @@ function validateEmaMapperResult(result) {
 * TOCTOU window between claim validation and token mint.
 */
 function computeEmaAccessTokenTTL(input) {
-	const { configuredDefaultSeconds, assertionExp, mapperTtl, now } = input;
+	const { configuredDefaultSeconds, assertionExp, mapperTtl, now, minTtlSeconds } = input;
 	if (assertionExp - now <= 0) return err({ reason: "assertion_expired_after_processing" });
-	return ok(mapperTtl ?? configuredDefaultSeconds);
+	const ttl = mapperTtl ?? configuredDefaultSeconds;
+	if (ttl < minTtlSeconds) return err({ reason: "invalid_mapped_ttl" });
+	return ok(ttl);
 }
 function readRequiredString(claims, claimName) {
 	const value = claims[claimName];
@@ -785,6 +787,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 			onError: ({ status, code, description }) => console.warn(`OAuth error response: ${status} ${code} - ${description}`),
 			...options
 		};
+		if (!Number.isInteger(this.options.accessTokenTTL) || this.options.accessTokenTTL < KV_MIN_EXPIRATION_TTL_SECONDS) throw new TypeError(`accessTokenTTL must be an integer of at least ${KV_MIN_EXPIRATION_TTL_SECONDS} seconds (Cloudflare KV's minimum expiration window).`);
 		this.validateEmaOptions(this.options.enterpriseManagedAuthorization);
 		if (this.options.enterpriseManagedAuthorization) {
 			this.jwksProvider = createDefaultJwksProvider({ cacheTtlSeconds: this.options.enterpriseManagedAuthorization.jwksCacheTtlSeconds });
@@ -1375,7 +1378,8 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 		if (!isCurrentToken && !isPreviousToken) return this.createErrorResponse("invalid_grant", { description: "Invalid refresh token" });
 		if (grantData.clientId !== clientInfo.clientId) return this.createErrorResponse("invalid_grant", { description: "Client ID mismatch" });
 		if (grantData.expiresAt !== void 0) {
-			if (Math.floor(Date.now() / 1e3) >= grantData.expiresAt) return this.createErrorResponse("invalid_grant", { description: "Refresh token has expired" });
+			const now$1 = Math.floor(Date.now() / 1e3);
+			if (grantData.expiresAt - now$1 < KV_MIN_EXPIRATION_TTL_SECONDS) return this.createErrorResponse("invalid_grant", { description: "Refresh token has expired" });
 		}
 		const newAccessToken = `${userId}:${grantId}:${generateRandomString(TOKEN_LENGTH)}`;
 		const accessTokenId = await generateTokenId(newAccessToken);
@@ -1432,10 +1436,12 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 			}
 		}
 		const now = Math.floor(Date.now() / 1e3);
+		if (grantData.expiresAt !== void 0 && grantData.expiresAt - now < KV_MIN_EXPIRATION_TTL_SECONDS) return this.createErrorResponse("invalid_grant", { description: "Refresh token has expired" });
 		if (grantData.expiresAt !== void 0) {
 			const remainingRefreshTokenLifetime = grantData.expiresAt - now;
 			if (remainingRefreshTokenLifetime > 0) accessTokenTTL = Math.min(accessTokenTTL, remainingRefreshTokenLifetime);
 		}
+		if (accessTokenTTL < KV_MIN_EXPIRATION_TTL_SECONDS) return this.createErrorResponse("invalid_request", { description: "Requested token lifetime must be at least 60 seconds" });
 		const accessTokenExpiresAt = now + accessTokenTTL;
 		const accessTokenWrappedKey = await wrapKeyWithToken(newAccessToken, accessTokenEncryptionKey);
 		const newRefreshToken = `${userId}:${grantId}:${generateRandomString(TOKEN_LENGTH)}`;
@@ -1524,6 +1530,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 		}
 		const now = Math.floor(Date.now() / 1e3);
 		const subjectTokenRemainingLifetime = tokenSummary.expiresAt - now;
+		if (subjectTokenRemainingLifetime < KV_MIN_EXPIRATION_TTL_SECONDS) throw new OAuthError("invalid_grant", { description: "Subject token is too close to expiry to exchange" });
 		let accessTokenTTL = this.options.accessTokenTTL ?? DEFAULT_ACCESS_TOKEN_TTL;
 		if (expiresIn !== void 0) {
 			if (expiresIn <= 0) throw new OAuthError("invalid_request", { description: "Invalid expires_in parameter" });
@@ -1561,6 +1568,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 				if (callbackResult.accessTokenScope) tokenScopes = this.downscope(callbackResult.accessTokenScope, grantData.scope);
 			}
 		}
+		if (accessTokenTTL < KV_MIN_EXPIRATION_TTL_SECONDS) throw new OAuthError("invalid_request", { description: "Requested token lifetime must be at least 60 seconds" });
 		const tokenResponse = {
 			access_token: await this.createAccessToken({
 				userId: tokenSummary.userId,
@@ -1737,7 +1745,8 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 			configuredDefaultSeconds: this.options.accessTokenTTL ?? DEFAULT_ACCESS_TOKEN_TTL,
 			assertionExp: claims.value.claims.exp,
 			mapperTtl: mapped.value.accessTokenTTL,
-			now: issueNow
+			now: issueNow,
+			minTtlSeconds: KV_MIN_EXPIRATION_TTL_SECONDS
 		});
 		if (!ttl.ok) return ttl;
 		return ok(await this.issueEmaAccessToken({
@@ -2114,7 +2123,8 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 	* @param now - Current timestamp in seconds
 	*/
 	async saveGrantWithTTL(env, grantKey, grantData, now) {
-		const kvOptions = grantData.expiresAt !== void 0 ? { expiration: grantData.expiresAt } : {};
+		const minExpiration = now + KV_MIN_EXPIRATION_TTL_SECONDS + KV_EXPIRATION_CLAMP_MARGIN_SECONDS;
+		const kvOptions = grantData.expiresAt !== void 0 ? { expiration: Math.max(grantData.expiresAt, minExpiration) } : {};
 		try {
 			await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData), kvOptions);
 		} catch (error) {
@@ -2171,6 +2181,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 	*/
 	async createAccessToken(params) {
 		const { userId, grantId, clientId, scope, encryptedProps, encryptionKey, expiresIn, audience, env } = params;
+		if (expiresIn < KV_MIN_EXPIRATION_TTL_SECONDS) throw new OAuthError("invalid_request", { description: "Requested token lifetime must be at least 60 seconds" });
 		const accessToken = `${userId}:${grantId}:${generateRandomString(TOKEN_LENGTH)}`;
 		const now = Math.floor(Date.now() / 1e3);
 		const accessTokenId = await generateTokenId(accessToken);
@@ -2522,6 +2533,22 @@ const DEFAULT_REFRESH_TOKEN_TTL = 720 * 60 * 60;
 */
 const DEFAULT_CLIENT_REGISTRATION_TTL = 2160 * 60 * 60;
 /**
+* Minimum number of seconds an absolute KV expiration must be in the future.
+* Cloudflare KV rejects `put` calls whose `expiration` is less than 60 seconds
+* away with "400 Invalid expiration ... Expiration times must be at least 60
+* seconds in the future." We use this to treat near-expiry grants as expired and
+* to clamp absolute expirations when writing grants back to KV.
+*/
+const KV_MIN_EXPIRATION_TTL_SECONDS = 60;
+/**
+* Safety margin (seconds) added on top of `KV_MIN_EXPIRATION_TTL_SECONDS` when clamping an
+* absolute KV expiration. Absolute expirations are validated against KV's clock at the
+* moment the write is processed, so writing exactly `now + 60` can be rejected once
+* worker→KV latency or minor clock skew is accounted for. The margin keeps clamped writes
+* comfortably above KV's hard minimum without meaningfully extending a grant's lifetime.
+*/
+const KV_EXPIRATION_CLAMP_MARGIN_SECONDS = 5;
+/**
 * Default batch size for purgeExpiredData. Conservative to stay within
 * Cloudflare's 1000 subrequest limit per invocation.
 */

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.8.0",
+  "version": "0.8.1",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",