npm - @codefox-inc/oauth-provider - Versions diffs - 0.2.0 - Mend

@codefox-inc/oauth-provider 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

package/LICENSE +201 -0
package/README.md +572 -0
package/dist/client/_generated/_ignore.d.ts +1 -0
package/dist/client/_generated/_ignore.d.ts.map +1 -0
package/dist/client/_generated/_ignore.js +3 -0
package/dist/client/_generated/_ignore.js.map +1 -0
package/dist/client/auth-config.d.ts +85 -0
package/dist/client/auth-config.d.ts.map +1 -0
package/dist/client/auth-config.js +81 -0
package/dist/client/auth-config.js.map +1 -0
package/dist/client/auth-helper.d.ts +81 -0
package/dist/client/auth-helper.d.ts.map +1 -0
package/dist/client/auth-helper.js +97 -0
package/dist/client/auth-helper.js.map +1 -0
package/dist/client/index.d.ts +189 -0
package/dist/client/index.d.ts.map +1 -0
package/dist/client/index.js +230 -0
package/dist/client/index.js.map +1 -0
package/dist/client/routes.d.ts +94 -0
package/dist/client/routes.d.ts.map +1 -0
package/dist/client/routes.js +113 -0
package/dist/client/routes.js.map +1 -0
package/dist/component/_generated/api.d.ts +44 -0
package/dist/component/_generated/api.d.ts.map +1 -0
package/dist/component/_generated/api.js +31 -0
package/dist/component/_generated/api.js.map +1 -0
package/dist/component/_generated/component.d.ts +123 -0
package/dist/component/_generated/component.d.ts.map +1 -0
package/dist/component/_generated/component.js +11 -0
package/dist/component/_generated/component.js.map +1 -0
package/dist/component/_generated/dataModel.d.ts +46 -0
package/dist/component/_generated/dataModel.d.ts.map +1 -0
package/dist/component/_generated/dataModel.js +11 -0
package/dist/component/_generated/dataModel.js.map +1 -0
package/dist/component/_generated/server.d.ts +121 -0
package/dist/component/_generated/server.d.ts.map +1 -0
package/dist/component/_generated/server.js +78 -0
package/dist/component/_generated/server.js.map +1 -0
package/dist/component/clientManagement.d.ts +39 -0
package/dist/component/clientManagement.d.ts.map +1 -0
package/dist/component/clientManagement.js +169 -0
package/dist/component/clientManagement.js.map +1 -0
package/dist/component/constants.d.ts +31 -0
package/dist/component/constants.d.ts.map +1 -0
package/dist/component/constants.js +36 -0
package/dist/component/constants.js.map +1 -0
package/dist/component/convex.config.d.ts +3 -0
package/dist/component/convex.config.d.ts.map +1 -0
package/dist/component/convex.config.js +3 -0
package/dist/component/convex.config.js.map +1 -0
package/dist/component/handlers.d.ts +143 -0
package/dist/component/handlers.d.ts.map +1 -0
package/dist/component/handlers.js +624 -0
package/dist/component/handlers.js.map +1 -0
package/dist/component/mutations.d.ts +111 -0
package/dist/component/mutations.d.ts.map +1 -0
package/dist/component/mutations.js +459 -0
package/dist/component/mutations.js.map +1 -0
package/dist/component/queries.d.ts +127 -0
package/dist/component/queries.d.ts.map +1 -0
package/dist/component/queries.js +145 -0
package/dist/component/queries.js.map +1 -0
package/dist/component/schema.d.ts +116 -0
package/dist/component/schema.d.ts.map +1 -0
package/dist/component/schema.js +77 -0
package/dist/component/schema.js.map +1 -0
package/dist/component/token_security.d.ts +53 -0
package/dist/component/token_security.d.ts.map +1 -0
package/dist/component/token_security.js +91 -0
package/dist/component/token_security.js.map +1 -0
package/dist/lib/convex-types.d.ts +21 -0
package/dist/lib/convex-types.d.ts.map +1 -0
package/dist/lib/convex-types.js +2 -0
package/dist/lib/convex-types.js.map +1 -0
package/dist/lib/oauth.d.ts +123 -0
package/dist/lib/oauth.d.ts.map +1 -0
package/dist/lib/oauth.js +295 -0
package/dist/lib/oauth.js.map +1 -0
package/dist/react/index.d.ts +2 -0
package/dist/react/index.d.ts.map +1 -0
package/dist/react/index.js +6 -0
package/dist/react/index.js.map +1 -0
package/package.json +121 -0
package/src/client/__tests__/auth-config.test.ts +244 -0
package/src/client/__tests__/auth-helper.test.ts +273 -0
package/src/client/__tests__/oauth-provider.test.ts +418 -0
package/src/client/__tests__/routes.test.ts +428 -0
package/src/client/_generated/_ignore.ts +1 -0
package/src/client/auth-config.ts +157 -0
package/src/client/auth-helper.ts +201 -0
package/src/client/index.ts +326 -0
package/src/client/routes.ts +251 -0
package/src/component/__tests__/oauth.test.ts +3310 -0
package/src/component/__tests__/rfc-compliance.test.ts +788 -0
package/src/component/__tests__/token-security.test.ts +133 -0
package/src/component/_generated/api.ts +60 -0
package/src/component/_generated/component.ts +201 -0
package/src/component/_generated/dataModel.ts +60 -0
package/src/component/_generated/server.ts +156 -0
package/src/component/clientManagement.ts +189 -0
package/src/component/constants.ts +40 -0
package/src/component/convex.config.ts +3 -0
package/src/component/handlers.ts +964 -0
package/src/component/mutations.ts +531 -0
package/src/component/queries.ts +165 -0
package/src/component/schema.ts +92 -0
package/src/component/token_security.ts +102 -0
package/src/lib/__tests__/oauth-helpers.test.ts +143 -0
package/src/lib/__tests__/oauth-jwt.test.ts +405 -0
package/src/lib/convex-types.ts +37 -0
package/src/lib/oauth.ts +412 -0
package/src/react/index.ts +7 -0
package/src/test.ts +21 -0

package/dist/client/auth-config.js ADDED Viewed

@@ -0,0 +1,81 @@
+/**
+ * Auth Config Generator
+ *
+ * Generates auth.config.ts configuration for Convex Auth
+ * to trust JWTs from the OAuth Provider.
+ */
+import { normalizePrefix } from "../lib/oauth.js";
+/**
+ * Generate auth.config.ts configuration for OAuth Provider
+ *
+ * @example
+ * ```typescript
+ * // convex/auth.config.ts
+ * import { generateAuthConfig } from "@codefox-inc/oauth-provider";
+ *
+ * export default generateAuthConfig({
+ *   convexSiteUrl: process.env.CONVEX_SITE_URL,
+ *   localPort: 5173,
+ * });
+ * ```
+ *
+ * @example Output
+ * ```javascript
+ * {
+ *   providers: [
+ *     { domain: "https://your-app.convex.site", applicationID: "convex" },
+ *     { domain: "http://localhost:5173/oauth", applicationID: "convex" },
+ *     { domain: "https://your-app.convex.site/oauth", applicationID: "convex" },
+ *   ]
+ * }
+ * ```
+ */
+export function generateAuthConfig(options = {}) {
+    const { convexSiteUrl, localPort = 5173, prefix: rawPrefix = "/oauth", applicationID = "convex", additionalProviders = [], includeConvexSiteUrl = true, } = options;
+    const prefix = normalizePrefix(rawPrefix);
+    const providers = [];
+    // 1. CONVEX_SITE_URL for Convex Auth (session-based auth)
+    if (includeConvexSiteUrl && convexSiteUrl) {
+        providers.push({
+            domain: convexSiteUrl,
+            applicationID,
+        });
+    }
+    // 2. Local development OAuth issuer
+    providers.push({
+        domain: `http://localhost:${localPort}${prefix}`,
+        applicationID,
+    });
+    // 3. Production OAuth issuer (CONVEX_SITE_URL + prefix)
+    if (convexSiteUrl) {
+        providers.push({
+            domain: `${convexSiteUrl}${prefix}`,
+            applicationID,
+        });
+    }
+    // 4. Additional providers
+    providers.push(...additionalProviders);
+    return { providers };
+}
+/**
+ * Create auth config with validation
+ * Throws if required environment variables are missing
+ */
+export function createAuthConfig(options = {}) {
+    const config = generateAuthConfig(options);
+    const prefix = normalizePrefix(options.prefix);
+    const localPort = options.localPort ?? 5173;
+    // Validate that we have at least one OAuth issuer (with the configured prefix/port)
+    const hasOAuthIssuer = config.providers.some(p => {
+        if (prefix) {
+            return p.domain.includes(prefix) || p.domain.includes(`:${localPort}`);
+        }
+        return p.domain.includes(`:${localPort}`) || (!!options.convexSiteUrl && p.domain === options.convexSiteUrl);
+    });
+    if (!hasOAuthIssuer) {
+        console.warn("[oauth-provider] Warning: No OAuth issuer found in auth config. " +
+            "MCP clients may not be able to authenticate.");
+    }
+    return config;
+}
+//# sourceMappingURL=auth-config.js.map

package/dist/client/auth-config.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-config.js","sourceRoot":"","sources":["../../src/client/auth-config.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAyDlD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAqC,EAAE;IACtE,MAAM,EACF,aAAa,EACb,SAAS,GAAG,IAAI,EAChB,MAAM,EAAE,SAAS,GAAG,QAAQ,EAC5B,aAAa,GAAG,QAAQ,EACxB,mBAAmB,GAAG,EAAE,EACxB,oBAAoB,GAAG,IAAI,GAC9B,GAAG,OAAO,CAAC;IACZ,MAAM,MAAM,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAE1C,MAAM,SAAS,GAAmB,EAAE,CAAC;IAErC,0DAA0D;IAC1D,IAAI,oBAAoB,IAAI,aAAa,EAAE,CAAC;QACxC,SAAS,CAAC,IAAI,CAAC;YACX,MAAM,EAAE,aAAa;YACrB,aAAa;SAChB,CAAC,CAAC;IACP,CAAC;IAED,oCAAoC;IACpC,SAAS,CAAC,IAAI,CAAC;QACX,MAAM,EAAE,oBAAoB,SAAS,GAAG,MAAM,EAAE;QAChD,aAAa;KAChB,CAAC,CAAC;IAEH,wDAAwD;IACxD,IAAI,aAAa,EAAE,CAAC;QAChB,SAAS,CAAC,IAAI,CAAC;YACX,MAAM,EAAE,GAAG,aAAa,GAAG,MAAM,EAAE;YACnC,aAAa;SAChB,CAAC,CAAC;IACP,CAAC;IAED,0BAA0B;IAC1B,SAAS,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,CAAC;IAEvC,OAAO,EAAE,SAAS,EAAE,CAAC;AACzB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,UAAqC,EAAE;IACpE,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC;IAE5C,oFAAoF;IACpF,MAAM,cAAc,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;QAC7C,IAAI,MAAM,EAAE,CAAC;YACT,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,SAAS,EAAE,CAAC,CAAC;QAC3E,CAAC;QACD,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,SAAS,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,IAAI,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,aAAa,CAAC,CAAC;IACjH,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,cAAc,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CACR,kEAAkE;YAClE,8CAA8C,CACjD,CAAC;IACN,CAAC;IAED,OAAO,MAAM,CAAC;AAClB,CAAC"}

package/dist/client/auth-helper.d.ts ADDED Viewed

@@ -0,0 +1,81 @@
+/**
+ * Auth Helper for handling both Convex Auth and OAuth tokens
+ *
+ * This helper provides a unified way to get the current user
+ * regardless of whether they authenticated via Convex Auth (session)
+ * or OAuth token (MCP clients).
+ */
+/**
+ * Context types (simplified for compatibility)
+ */
+type QueryCtx = any;
+type MutationCtx = any;
+/**
+ * Configuration for the auth helper
+ */
+export interface AuthHelperConfig {
+    /**
+     * Convex Auth provider names to check for subject ID lookup
+     * @example ["anonymous", "password", "google"]
+     */
+    providers?: string[];
+    /**
+     * Custom function to get auth user ID from Convex Auth
+     * If not provided, you must pass it when calling methods
+     */
+    getAuthUserId?: (ctx: QueryCtx | MutationCtx) => Promise<string | null>;
+    /**
+     * Function to check if OAuth authorization is still valid
+     * Called for OAuth token requests to verify the authorization wasn't revoked
+     * @param ctx - Query/Mutation context
+     * @param userId - User ID from JWT
+     * @param clientId - Client ID from JWT (may be undefined if not in JWT)
+     * @returns true if authorization is valid, false if revoked
+     */
+    checkAuthorization?: (ctx: QueryCtx | MutationCtx, userId: string, clientId?: string) => Promise<boolean>;
+    /**
+     * OAuth issuer URL pattern to identify OAuth tokens
+     * If the token's issuer contains this string, authorization check is enforced
+     * @example "/oauth"
+     */
+    oauthIssuerPattern?: string;
+}
+/**
+ * Auth Helper instance
+ */
+export interface AuthHelper {
+    /**
+     * Get the current user ID from either Convex Auth or OAuth token
+     * Returns null if not authenticated
+     */
+    getCurrentUserId: (ctx: QueryCtx | MutationCtx, getAuthUserId?: (ctx: QueryCtx | MutationCtx) => Promise<string | null>) => Promise<string | null>;
+    /**
+     * Get the current user document from the database
+     * Returns null if not authenticated or user not found
+     */
+    getCurrentUser: <T>(ctx: QueryCtx | MutationCtx, getAuthUserId?: (ctx: QueryCtx | MutationCtx) => Promise<string | null>) => Promise<T | null>;
+    /**
+     * Require authentication - throws if not authenticated
+     */
+    requireAuth: (ctx: QueryCtx | MutationCtx, getAuthUserId?: (ctx: QueryCtx | MutationCtx) => Promise<string | null>) => Promise<string>;
+}
+/**
+ * Create an auth helper for handling both Convex Auth and OAuth tokens
+ *
+ * @example
+ * ```typescript
+ * import { createAuthHelper } from "@codefox-inc/oauth-provider";
+ * import { getAuthUserId } from "./auth";
+ *
+ * const authHelper = createAuthHelper({
+ *   providers: ["anonymous"],
+ * });
+ *
+ * // In a query/mutation:
+ * const userId = await authHelper.getCurrentUserId(ctx, getAuthUserId);
+ * const user = await authHelper.getCurrentUser(ctx, getAuthUserId);
+ * ```
+ */
+export declare function createAuthHelper(config?: AuthHelperConfig): AuthHelper;
+export {};
+//# sourceMappingURL=auth-helper.d.ts.map

package/dist/client/auth-helper.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-helper.d.ts","sourceRoot":"","sources":["../../src/client/auth-helper.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAQH;;GAEG;AAEH,KAAK,QAAQ,GAAG,GAAG,CAAC;AAEpB,KAAK,WAAW,GAAG,GAAG,CAAC;AAEvB;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC7B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IAErB;;;OAGG;IACH,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,GAAG,WAAW,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAExE;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,GAAG,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAE1G;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACvB;;;OAGG;IACH,gBAAgB,EAAE,CACd,GAAG,EAAE,QAAQ,GAAG,WAAW,EAC3B,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,GAAG,WAAW,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,KACtE,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAE5B;;;OAGG;IACH,cAAc,EAAE,CAAC,CAAC,EACd,GAAG,EAAE,QAAQ,GAAG,WAAW,EAC3B,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,GAAG,WAAW,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,KACtE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAEvB;;OAEG;IACH,WAAW,EAAE,CACT,GAAG,EAAE,QAAQ,GAAG,WAAW,EAC3B,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,GAAG,WAAW,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,KACtE,OAAO,CAAC,MAAM,CAAC,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,GAAE,gBAAqB,GAAG,UAAU,CAgG1E"}

package/dist/client/auth-helper.js ADDED Viewed

@@ -0,0 +1,97 @@
+/**
+ * Auth Helper for handling both Convex Auth and OAuth tokens
+ *
+ * This helper provides a unified way to get the current user
+ * regardless of whether they authenticated via Convex Auth (session)
+ * or OAuth token (MCP clients).
+ */
+import { isOAuthToken as checkIsOAuthToken, getOAuthClientId, DEFAULT_OAUTH_ISSUER_PATTERN, } from "../lib/oauth.js";
+/**
+ * Create an auth helper for handling both Convex Auth and OAuth tokens
+ *
+ * @example
+ * ```typescript
+ * import { createAuthHelper } from "@codefox-inc/oauth-provider";
+ * import { getAuthUserId } from "./auth";
+ *
+ * const authHelper = createAuthHelper({
+ *   providers: ["anonymous"],
+ * });
+ *
+ * // In a query/mutation:
+ * const userId = await authHelper.getCurrentUserId(ctx, getAuthUserId);
+ * const user = await authHelper.getCurrentUser(ctx, getAuthUserId);
+ * ```
+ */
+export function createAuthHelper(config = {}) {
+    const { providers = ["anonymous"], getAuthUserId: defaultGetAuthUserId, checkAuthorization, oauthIssuerPattern = DEFAULT_OAUTH_ISSUER_PATTERN, } = config;
+    async function getCurrentUserId(ctx, getAuthUserId) {
+        const authFn = getAuthUserId ?? defaultGetAuthUserId;
+        // First, check if this is an OAuth token by looking at identity issuer
+        const identity = await ctx.auth.getUserIdentity();
+        const isOAuth = checkIsOAuthToken(identity, oauthIssuerPattern);
+        // If this is an OAuth token, skip Convex Auth and enforce authorization check
+        if (isOAuth && identity?.subject) {
+            const validId = ctx.db.normalizeId("users", identity.subject);
+            if (validId) {
+                // OAuth tokens MUST pass authorization check
+                if (checkAuthorization) {
+                    const clientId = getOAuthClientId(identity);
+                    const isValid = await checkAuthorization(ctx, validId, clientId);
+                    if (!isValid) {
+                        // Authorization was revoked - reject access
+                        return null;
+                    }
+                }
+                return validId;
+            }
+            // OAuth token but invalid user ID
+            return null;
+        }
+        // 1. Try Convex Auth (session-based, getAuthUserId)
+        if (authFn) {
+            const userIdOrSubject = await authFn(ctx);
+            if (userIdOrSubject) {
+                // Handle "userId|sessionId" format from some Convex Auth versions
+                const idToLookup = userIdOrSubject.includes("|")
+                    ? userIdOrSubject.split("|")[0]
+                    : userIdOrSubject;
+                // Try as Convex ID
+                const validId = ctx.db.normalizeId("users", idToLookup);
+                if (validId) {
+                    return validId;
+                }
+                // Try as Subject ID via authAccounts
+                for (const provider of providers) {
+                    const account = await ctx.db
+                        .query("authAccounts")
+                        .withIndex("providerAndAccountId", (q) => q.eq("provider", provider).eq("providerAccountId", idToLookup))
+                        .unique();
+                    if (account) {
+                        return account.userId;
+                    }
+                }
+            }
+        }
+        return null;
+    }
+    async function getCurrentUser(ctx, getAuthUserId) {
+        const userId = await getCurrentUserId(ctx, getAuthUserId);
+        if (!userId)
+            return null;
+        return ctx.db.get(userId);
+    }
+    async function requireAuth(ctx, getAuthUserId) {
+        const userId = await getCurrentUserId(ctx, getAuthUserId);
+        if (!userId) {
+            throw new Error("Not authenticated");
+        }
+        return userId;
+    }
+    return {
+        getCurrentUserId,
+        getCurrentUser,
+        requireAuth,
+    };
+}
+//# sourceMappingURL=auth-helper.js.map

package/dist/client/auth-helper.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-helper.js","sourceRoot":"","sources":["../../src/client/auth-helper.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACH,YAAY,IAAI,iBAAiB,EACjC,gBAAgB,EAChB,4BAA4B,GAC/B,MAAM,iBAAiB,CAAC;AA2EzB;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAA2B,EAAE;IAC1D,MAAM,EACF,SAAS,GAAG,CAAC,WAAW,CAAC,EACzB,aAAa,EAAE,oBAAoB,EACnC,kBAAkB,EAClB,kBAAkB,GAAG,4BAA4B,GACpD,GAAG,MAAM,CAAC;IAEX,KAAK,UAAU,gBAAgB,CAC3B,GAA2B,EAC3B,aAAuE;QAEvE,MAAM,MAAM,GAAG,aAAa,IAAI,oBAAoB,CAAC;QAErD,uEAAuE;QACvE,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;QAClD,MAAM,OAAO,GAAG,iBAAiB,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC;QAEhE,8EAA8E;QAC9E,IAAI,OAAO,IAAI,QAAQ,EAAE,OAAO,EAAE,CAAC;YAC/B,MAAM,OAAO,GAAG,GAAG,CAAC,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC9D,IAAI,OAAO,EAAE,CAAC;gBACV,6CAA6C;gBAC7C,IAAI,kBAAkB,EAAE,CAAC;oBACrB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;oBAC5C,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;oBACjE,IAAI,CAAC,OAAO,EAAE,CAAC;wBACX,4CAA4C;wBAC5C,OAAO,IAAI,CAAC;oBAChB,CAAC;gBACL,CAAC;gBACD,OAAO,OAAO,CAAC;YACnB,CAAC;YACD,kCAAkC;YAClC,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,oDAAoD;QACpD,IAAI,MAAM,EAAE,CAAC;YACT,MAAM,eAAe,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,CAAC;YAC1C,IAAI,eAAe,EAAE,CAAC;gBAClB,kEAAkE;gBAClE,MAAM,UAAU,GAAG,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC;oBAC5C,CAAC,CAAC,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;oBAC/B,CAAC,CAAC,eAAe,CAAC;gBAEtB,mBAAmB;gBACnB,MAAM,OAAO,GAAG,GAAG,CAAC,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;gBACxD,IAAI,OAAO,EAAE,CAAC;oBACV,OAAO,OAAO,CAAC;gBACnB,CAAC;gBAED,qCAAqC;gBACrC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;oBAE/B,MAAM,OAAO,GAAG,MAAO,GAAG,CAAC,EAAU;yBAChC,KAAK,CAAC,cAAc,CAAC;yBACrB,SAAS,CAAC,sBAAsB,EAAE,CAAC,CAA8F,EAAE,EAAE,CAClI,CAAC,CAAC,EAAE,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC,mBAAmB,EAAE,UAAU,CAAC,CACjE;yBACA,MAAM,EAAE,CAAC;oBACd,IAAI,OAAO,EAAE,CAAC;wBACV,OAAO,OAAO,CAAC,MAAM,CAAC;oBAC1B,CAAC;gBACL,CAAC;YACL,CAAC;QACL,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,KAAK,UAAU,cAAc,CACzB,GAA2B,EAC3B,aAAuE;QAEvE,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACzB,OAAO,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,CAAsB,CAAC;IACnD,CAAC;IAED,KAAK,UAAU,WAAW,CACtB,GAA2B,EAC3B,aAAuE;QAEvE,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACzC,CAAC;QACD,OAAO,MAAM,CAAC;IAClB,CAAC;IAED,OAAO;QACH,gBAAgB;QAChB,cAAc;QACd,WAAW;KACd,CAAC;AACN,CAAC"}

package/dist/client/index.d.ts ADDED Viewed

@@ -0,0 +1,189 @@
+import type { OAuthConfig, UserProfile } from "../lib/oauth.js";
+import type { RunQueryCtx, RunMutationCtx, RunActionCtx } from "../lib/convex-types.js";
+export type { OAuthConfig, UserProfile } from "../lib/oauth.js";
+export { OAuthError, verifyAccessToken, isOAuthToken, getOAuthClientId, DEFAULT_OAUTH_ISSUER_PATTERN, } from "../lib/oauth.js";
+export { OAUTH_CONSTANTS, OAUTH_ERROR_CODES } from "../component/constants.js";
+export { createAuthHelper } from "./auth-helper.js";
+export type { AuthHelper, AuthHelperConfig } from "./auth-helper.js";
+export { registerOAuthRoutes } from "./routes.js";
+export type { RegisterOAuthRoutesOptions } from "./routes.js";
+export { generateAuthConfig, createAuthConfig } from "./auth-config.js";
+export type { AuthConfig, AuthProvider, GenerateAuthConfigOptions } from "./auth-config.js";
+/**
+ * OAuth Provider Client Configuration
+ */
+export type OAuthProviderConfig = OAuthConfig;
+/**
+ * OAuth Provider SDK
+ *
+ * Usage:
+ * ```typescript
+ * import { OAuthProvider } from "@codefox-inc/oauth-provider";
+ * import { components } from "./_generated/api";
+ *
+ * const oauthProvider = new OAuthProvider(components.oauthProvider, {
+ *   privateKey: process.env.OAUTH_PRIVATE_KEY!,
+ *   publicKey: process.env.OAUTH_PUBLIC_KEY!,
+ *   siteUrl: process.env.SITE_URL!,
+ * });
+ *
+ * // In http.ts
+ * http.route({
+ *   path: "/oauth/.well-known/openid-configuration",
+ *   method: "GET",
+ *   handler: httpAction((ctx, req) => oauthProvider.handlers.openIdConfiguration(ctx, req)),
+ * });
+ * ```
+ */
+export declare class OAuthProvider {
+    private config;
+    private api;
+    private component;
+    constructor(component: any, config: OAuthProviderConfig);
+    getConfig(): OAuthProviderConfig;
+    private createAPI;
+    /**
+     * HTTP Handlers for mounting in http.ts
+     *
+     * Note: ctx expects Convex ActionCtx (HTTP Action context).
+     * RunActionCtx is used as the base type for compatibility.
+     */
+    get handlers(): {
+        /**
+         * OpenID Connect Discovery
+         * Mount at: /oauth/.well-known/openid-configuration
+         */
+        openIdConfiguration: (ctx: RunActionCtx, request: Request) => Promise<Response>;
+        /**
+         * Authorization Endpoint
+         * Mount at: /oauth/authorize
+         */
+        authorize: (ctx: RunActionCtx, request: Request) => Promise<Response>;
+        /**
+         * JWKS Endpoint
+         * Mount at: /oauth/.well-known/jwks.json
+         */
+        jwks: (ctx: RunActionCtx, request: Request) => Promise<Response>;
+        /**
+         * Token Endpoint
+         * Mount at: /oauth/token
+         */
+        token: (ctx: RunActionCtx, request: Request) => Promise<Response>;
+        /**
+         * UserInfo Endpoint
+         * Mount at: /oauth/userinfo
+         * Requires getUserProfile callback
+         */
+        userInfo: (ctx: RunActionCtx, request: Request, getUserProfile: (userId: string) => Promise<UserProfile | null>) => Promise<Response>;
+        /**
+         * Dynamic Client Registration
+         * Mount at: /oauth/register
+         */
+        register: (ctx: RunActionCtx, request: Request) => Promise<Response>;
+        /**
+         * Protected Resource Metadata
+         * Mount at: /.well-known/oauth-protected-resource
+         */
+        protectedResource: (ctx: RunActionCtx, request: Request) => Promise<Response>;
+    };
+    /**
+     * Issue Authorization Code
+     * Called from consent approval mutation
+     * Also creates/updates authorization record automatically
+     */
+    issueAuthorizationCode(ctx: RunMutationCtx, args: {
+        userId: string;
+        clientId: string;
+        scopes: string[];
+        redirectUri: string;
+        codeChallenge?: string;
+        codeChallengeMethod?: string;
+        nonce?: string;
+    }): Promise<string>;
+    /**
+     * Get OAuth Client
+     */
+    getClient(ctx: RunQueryCtx, clientId: string): Promise<{
+        clientId: string;
+        type: "confidential" | "public";
+        redirectUris: string[];
+        allowedScopes: string[];
+    } | null>;
+    /**
+     * Register OAuth Client (for admin use)
+     */
+    registerClient(ctx: RunMutationCtx, args: {
+        name: string;
+        redirectUris: string[];
+        scopes: string[];
+        type: "confidential" | "public";
+        website?: string;
+        logoUrl?: string;
+        tosUrl?: string;
+        policyUrl?: string;
+    }): Promise<{
+        clientId: string;
+        clientSecret?: string;
+        clientIdIssuedAt: number;
+    }>;
+    /**
+     * Get user's active tokens
+     */
+    getTokensByUser(ctx: RunQueryCtx, userId: string): Promise<{
+        _id: string;
+        clientId: string;
+        userId: string;
+        scopes: string[];
+        accessTokenExpiresAt: number;
+        refreshTokenExpiresAt?: number;
+    }[]>;
+    /**
+     * Get authorization for a specific user-client pair
+     * Returns null if user has not authorized this client
+     */
+    getAuthorization(ctx: RunQueryCtx, userId: string, clientId: string): Promise<any>;
+    /**
+     * List all authorized apps for a user
+     * Returns client info along with authorization details
+     */
+    listUserAuthorizations(ctx: RunQueryCtx, userId: string): Promise<any>;
+    /**
+     * Create or update authorization when user grants consent
+     * Call this when user approves OAuth consent
+     */
+    upsertAuthorization(ctx: RunMutationCtx, args: {
+        userId: string;
+        clientId: string;
+        scopes: string[];
+    }): Promise<any>;
+    /**
+     * Revoke authorization and delete all associated tokens
+     * Call this when user wants to disconnect an app
+     */
+    revokeAuthorization(ctx: RunMutationCtx, userId: string, clientId: string): Promise<any>;
+    /**
+     * Check if user has already authorized this client with sufficient scopes
+     * Useful for "skip consent" flow
+     */
+    hasAuthorization(ctx: RunQueryCtx, userId: string, clientId: string, requiredScopes: string[]): Promise<boolean>;
+    /**
+     * Check if authorization exists (for revocation check)
+     * Use this with createAuthHelper's checkAuthorization option
+     */
+    checkAuthorizationValid(ctx: RunQueryCtx, userId: string, clientId?: string): Promise<boolean>;
+    /**
+     * Create a checkAuthorization function for use with createAuthHelper
+     * This ensures revoked authorizations are rejected
+     *
+     * @example
+     * ```typescript
+     * const oauthProvider = new OAuthProvider(components.oauthProvider, config);
+     * const authHelper = createAuthHelper({
+     *   providers: ["anonymous"],
+     *   checkAuthorization: oauthProvider.createAuthorizationChecker(),
+     * });
+     * ```
+     */
+    createAuthorizationChecker(): (ctx: RunQueryCtx, userId: string, clientId?: string) => Promise<boolean>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/client/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAChE,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAGxF,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAChE,OAAO,EACH,UAAU,EACV,iBAAiB,EACjB,YAAY,EACZ,gBAAgB,EAChB,4BAA4B,GAC/B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAG/E,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,YAAY,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAGrE,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,YAAY,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AAG9D,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACxE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAC;AAE5F;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,WAAW,CAAC;AAE9C;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,aAAa;IACtB,OAAO,CAAC,MAAM,CAAsB;IACpC,OAAO,CAAC,GAAG,CAAoB;IAE/B,OAAO,CAAC,SAAS,CAAM;gBAInB,SAAS,EAAE,GAAG,EACd,MAAM,EAAE,mBAAmB;IAO/B,SAAS,IAAI,mBAAmB;IAKhC,OAAO,CAAC,SAAS;IA8BjB;;;;;OAKG;IACH,IAAI,QAAQ;QAEJ;;;WAGG;mCACwB,YAAY,WAAW,OAAO;QAGzD;;;WAGG;yBACc,YAAY,WAAW,OAAO;QAG/C;;;WAGG;oBACS,YAAY,WAAW,OAAO;QAG1C;;;WAGG;qBACU,YAAY,WAAW,OAAO;QAG3C;;;;WAIG;wBACa,YAAY,WAAW,OAAO,kBAAkB,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;QAG/G;;;WAGG;wBACa,YAAY,WAAW,OAAO;QAG9C;;;WAGG;iCACsB,YAAY,WAAW,OAAO;MAG9D;IAED;;;;OAIG;IACG,sBAAsB,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE;QACpD,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;QAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC,MAAM,CAAC;IAwBnB;;OAEG;IACG,SAAS,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM;;;;;;IAIlD;;OAEG;IACG,cAAc,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE;QAC5C,IAAI,EAAE,MAAM,CAAC;QACb,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,IAAI,EAAE,cAAc,GAAG,QAAQ,CAAC;QAChC,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;KACtB;;;;;IAID;;OAEG;IACG,eAAe,CAAC,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM;;;;;;;;IAQtD;;;OAGG;IACG,gBAAgB,CAAC,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM;IAIzE;;;OAGG;IACG,sBAAsB,CAAC,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM;IAI7D;;;OAGG;IACG,mBAAmB,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE;QACjD,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;KACpB;IAID;;;OAGG;IACG,mBAAmB,CAAC,GAAG,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM;IAI/E;;;OAGG;IACG,gBAAgB,CAAC,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAQtH;;;OAGG;IACG,uBAAuB,CAAC,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAUpG;;;;;;;;;;;;OAYG;IACH,0BAA0B,KACR,KAAK,WAAW,EAAE,QAAQ,MAAM,EAAE,WAAW,MAAM,KAAG,OAAO,CAAC,OAAO,CAAC;CAI3F"}