npm - @codefox-inc/oauth-provider - Versions diffs - 0.2.0 - Mend

@codefox-inc/oauth-provider 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

package/LICENSE +201 -0
package/README.md +572 -0
package/dist/client/_generated/_ignore.d.ts +1 -0
package/dist/client/_generated/_ignore.d.ts.map +1 -0
package/dist/client/_generated/_ignore.js +3 -0
package/dist/client/_generated/_ignore.js.map +1 -0
package/dist/client/auth-config.d.ts +85 -0
package/dist/client/auth-config.d.ts.map +1 -0
package/dist/client/auth-config.js +81 -0
package/dist/client/auth-config.js.map +1 -0
package/dist/client/auth-helper.d.ts +81 -0
package/dist/client/auth-helper.d.ts.map +1 -0
package/dist/client/auth-helper.js +97 -0
package/dist/client/auth-helper.js.map +1 -0
package/dist/client/index.d.ts +189 -0
package/dist/client/index.d.ts.map +1 -0
package/dist/client/index.js +230 -0
package/dist/client/index.js.map +1 -0
package/dist/client/routes.d.ts +94 -0
package/dist/client/routes.d.ts.map +1 -0
package/dist/client/routes.js +113 -0
package/dist/client/routes.js.map +1 -0
package/dist/component/_generated/api.d.ts +44 -0
package/dist/component/_generated/api.d.ts.map +1 -0
package/dist/component/_generated/api.js +31 -0
package/dist/component/_generated/api.js.map +1 -0
package/dist/component/_generated/component.d.ts +123 -0
package/dist/component/_generated/component.d.ts.map +1 -0
package/dist/component/_generated/component.js +11 -0
package/dist/component/_generated/component.js.map +1 -0
package/dist/component/_generated/dataModel.d.ts +46 -0
package/dist/component/_generated/dataModel.d.ts.map +1 -0
package/dist/component/_generated/dataModel.js +11 -0
package/dist/component/_generated/dataModel.js.map +1 -0
package/dist/component/_generated/server.d.ts +121 -0
package/dist/component/_generated/server.d.ts.map +1 -0
package/dist/component/_generated/server.js +78 -0
package/dist/component/_generated/server.js.map +1 -0
package/dist/component/clientManagement.d.ts +39 -0
package/dist/component/clientManagement.d.ts.map +1 -0
package/dist/component/clientManagement.js +169 -0
package/dist/component/clientManagement.js.map +1 -0
package/dist/component/constants.d.ts +31 -0
package/dist/component/constants.d.ts.map +1 -0
package/dist/component/constants.js +36 -0
package/dist/component/constants.js.map +1 -0
package/dist/component/convex.config.d.ts +3 -0
package/dist/component/convex.config.d.ts.map +1 -0
package/dist/component/convex.config.js +3 -0
package/dist/component/convex.config.js.map +1 -0
package/dist/component/handlers.d.ts +143 -0
package/dist/component/handlers.d.ts.map +1 -0
package/dist/component/handlers.js +624 -0
package/dist/component/handlers.js.map +1 -0
package/dist/component/mutations.d.ts +111 -0
package/dist/component/mutations.d.ts.map +1 -0
package/dist/component/mutations.js +459 -0
package/dist/component/mutations.js.map +1 -0
package/dist/component/queries.d.ts +127 -0
package/dist/component/queries.d.ts.map +1 -0
package/dist/component/queries.js +145 -0
package/dist/component/queries.js.map +1 -0
package/dist/component/schema.d.ts +116 -0
package/dist/component/schema.d.ts.map +1 -0
package/dist/component/schema.js +77 -0
package/dist/component/schema.js.map +1 -0
package/dist/component/token_security.d.ts +53 -0
package/dist/component/token_security.d.ts.map +1 -0
package/dist/component/token_security.js +91 -0
package/dist/component/token_security.js.map +1 -0
package/dist/lib/convex-types.d.ts +21 -0
package/dist/lib/convex-types.d.ts.map +1 -0
package/dist/lib/convex-types.js +2 -0
package/dist/lib/convex-types.js.map +1 -0
package/dist/lib/oauth.d.ts +123 -0
package/dist/lib/oauth.d.ts.map +1 -0
package/dist/lib/oauth.js +295 -0
package/dist/lib/oauth.js.map +1 -0
package/dist/react/index.d.ts +2 -0
package/dist/react/index.d.ts.map +1 -0
package/dist/react/index.js +6 -0
package/dist/react/index.js.map +1 -0
package/package.json +121 -0
package/src/client/__tests__/auth-config.test.ts +244 -0
package/src/client/__tests__/auth-helper.test.ts +273 -0
package/src/client/__tests__/oauth-provider.test.ts +418 -0
package/src/client/__tests__/routes.test.ts +428 -0
package/src/client/_generated/_ignore.ts +1 -0
package/src/client/auth-config.ts +157 -0
package/src/client/auth-helper.ts +201 -0
package/src/client/index.ts +326 -0
package/src/client/routes.ts +251 -0
package/src/component/__tests__/oauth.test.ts +3310 -0
package/src/component/__tests__/rfc-compliance.test.ts +788 -0
package/src/component/__tests__/token-security.test.ts +133 -0
package/src/component/_generated/api.ts +60 -0
package/src/component/_generated/component.ts +201 -0
package/src/component/_generated/dataModel.ts +60 -0
package/src/component/_generated/server.ts +156 -0
package/src/component/clientManagement.ts +189 -0
package/src/component/constants.ts +40 -0
package/src/component/convex.config.ts +3 -0
package/src/component/handlers.ts +964 -0
package/src/component/mutations.ts +531 -0
package/src/component/queries.ts +165 -0
package/src/component/schema.ts +92 -0
package/src/component/token_security.ts +102 -0
package/src/lib/__tests__/oauth-helpers.test.ts +143 -0
package/src/lib/__tests__/oauth-jwt.test.ts +405 -0
package/src/lib/convex-types.ts +37 -0
package/src/lib/oauth.ts +412 -0
package/src/react/index.ts +7 -0
package/src/test.ts +21 -0

package/src/component/clientManagement.ts ADDED Viewed

@@ -0,0 +1,189 @@
+import { v } from "convex/values";
+import { mutation } from "./_generated/server";
+import * as bcrypt from "bcryptjs";
+import { generateClientSecret } from "../lib/oauth.js";
+import { OAUTH_CONSTANTS } from "./constants";
+/**
+ * OAuth Client Management Mutations
+ *
+ * Handles client registration, verification, and deletion.
+ * Uses bcryptjs (pure JavaScript implementation) for secure client secret hashing.
+ */
+function isValidRedirectUri(uri: string): boolean {
+    let parsed: URL;
+    try {
+        parsed = new URL(uri);
+    } catch {
+        return false;
+    }
+    if (parsed.hash) return false;
+    const host = parsed.hostname.toLowerCase();
+    const isLoopback =
+        host === "localhost" ||
+        host === "127.0.0.1" ||
+        host === "::1";
+    if (parsed.protocol === "https:") return true;
+    if (parsed.protocol === "http:" && isLoopback) return true;
+    return false;
+}
+/**
+ * Register OAuth Client
+ */
+export const registerClient = mutation({
+    args: {
+        name: v.string(),
+        redirectUris: v.array(v.string()),
+        scopes: v.array(v.string()),
+        type: v.union(v.literal("confidential"), v.literal("public")),
+        // metadata
+        description: v.optional(v.string()),
+        website: v.optional(v.string()),
+        logoUrl: v.optional(v.string()),
+        tosUrl: v.optional(v.string()),
+        policyUrl: v.optional(v.string()),
+        isInternal: v.optional(v.boolean()),
+    },
+    handler: async (ctx, args) => {
+        if (args.redirectUris.length === 0) {
+            throw new Error("redirect_uris required");
+        }
+        const invalidRedirect = args.redirectUris.find((uri) => !isValidRedirectUri(uri));
+        if (invalidRedirect) {
+            throw new Error(`Invalid redirect_uri: ${invalidRedirect}`);
+        }
+        const clientId = crypto.randomUUID();
+        // Generate secret only if confidential
+        if (args.type === "confidential") {
+            // Generate plain secret using CSPrng
+            const clientSecret = generateClientSecret(OAUTH_CONSTANTS.CLIENT_SECRET_LENGTH);
+            // Hash the secret
+            const clientSecretHash = await bcrypt.hash(clientSecret, 10);
+            // Store the HASH, return the PLAIN secret once
+            await ctx.db.insert("oauthClients", {
+                name: args.name,
+                clientId,
+                clientSecret: clientSecretHash, // Store Hash!
+                type: args.type,
+                redirectUris: args.redirectUris,
+                allowedScopes: args.scopes,
+                createdAt: Date.now(),
+                description: args.description,
+                website: args.website,
+                logoUrl: args.logoUrl,
+                tosUrl: args.tosUrl,
+                policyUrl: args.policyUrl,
+                isInternal: args.isInternal,
+            });
+            return {
+                clientId,
+                clientSecret, // Return Plain!
+                clientIdIssuedAt: Math.floor(Date.now() / 1000),
+            };
+        }
+        // Public client (no secret)
+        await ctx.db.insert("oauthClients", {
+            name: args.name,
+            clientId,
+            clientSecret: undefined,
+            type: args.type,
+            redirectUris: args.redirectUris,
+            allowedScopes: args.scopes,
+            createdAt: Date.now(),
+            description: args.description,
+            website: args.website,
+            logoUrl: args.logoUrl,
+            tosUrl: args.tosUrl,
+            policyUrl: args.policyUrl,
+            isInternal: args.isInternal,
+        });
+        return {
+            clientId,
+            clientIdIssuedAt: Math.floor(Date.now() / 1000),
+        };
+    },
+});
+/**
+ * Verify Client Secret
+ */
+export const verifyClientSecret = mutation({
+    args: {
+        clientId: v.string(),
+        clientSecret: v.string(),
+    },
+    handler: async (ctx, args) => {
+        const client = await ctx.db
+            .query("oauthClients")
+            .withIndex("by_client_id", (q) => q.eq("clientId", args.clientId))
+            .unique();
+        if (!client || !client.clientSecret) {
+            return false;
+        }
+        try {
+            return await bcrypt.compare(args.clientSecret, client.clientSecret);
+        } catch (e) {
+            console.error("Client Secret Verification Failed:", e);
+            return false;
+        }
+    },
+});
+/**
+ * Delete OAuth Client
+ */
+export const deleteClient = mutation({
+    args: {
+        clientId: v.string(),
+    },
+    handler: async (ctx, args) => {
+        const client = await ctx.db
+            .query("oauthClients")
+            .withIndex("by_client_id", (q) => q.eq("clientId", args.clientId))
+            .unique();
+        if (!client) {
+            throw new Error("Client not found");
+        }
+        // Delete all tokens for this client
+        const tokens = await ctx.db
+            .query("oauthTokens")
+            .filter(q => q.eq(q.field("clientId"), args.clientId))
+            .collect();
+        for (const token of tokens) {
+            await ctx.db.delete(token._id);
+        }
+        // Delete all codes for this client
+        const codes = await ctx.db
+            .query("oauthCodes")
+            .filter(q => q.eq(q.field("clientId"), args.clientId))
+            .collect();
+        for (const code of codes) {
+            await ctx.db.delete(code._id);
+        }
+        // Delete the client
+        await ctx.db.delete(client._id);
+        return { success: true };
+    },
+});

package/src/component/constants.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * OAuth 2.1 Provider Constants
+ */
+export const OAUTH_CONSTANTS = {
+    // Code & Token Expiry
+    CODE_EXPIRY_MS: 10 * 60 * 1000,              // 10 minutes
+    ACCESS_TOKEN_EXPIRY_SECONDS: 3600,           // 1 hour
+    ACCESS_TOKEN_EXPIRY: "1h",
+    ID_TOKEN_EXPIRY: "1h",
+    REFRESH_TOKEN_EXPIRY_MS: 30 * 24 * 60 * 60 * 1000, // 30 days
+    // Code Generation
+    AUTH_CODE_LENGTH: 32,
+    CLIENT_SECRET_LENGTH: 64,
+    // Supported Values
+    SUPPORTED_SCOPES: ["openid", "profile", "email", "offline_access"],
+    SUPPORTED_GRANT_TYPES: ["authorization_code", "refresh_token"],
+    SUPPORTED_RESPONSE_TYPES: ["code"],
+    SUPPORTED_CODE_CHALLENGE_METHODS: ["S256"],
+    // Keys
+    DEFAULT_KEY_ID: "default-key",
+    // CORS
+    CORS_MAX_AGE: "3600", // 1 hour
+} as const;
+/**
+ * OAuth Error Codes (RFC 6749)
+ */
+export const OAUTH_ERROR_CODES = {
+    INVALID_REQUEST: "invalid_request",
+    INVALID_CLIENT: "invalid_client",
+    INVALID_GRANT: "invalid_grant",
+    UNAUTHORIZED_CLIENT: "unauthorized_client",
+    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
+    INVALID_SCOPE: "invalid_scope",
+    SERVER_ERROR: "server_error",
+} as const;

package/src/component/convex.config.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import { defineComponent } from "convex/server";
+export default defineComponent("oauthProvider");