@codefox-inc/oauth-provider 0.4.1 → 0.4.2

package/src/component/handlers.ts

@@ -245,14 +245,24 @@ export interface OAuthComponentAPI {
             allowedScopes: string[];
             tokenEndpointAuthMethod?: TokenEndpointAuthMethod;
         } | null>;
+        getAuthorization?: (ctx: RunQueryCtx, args: { userId: string; clientId: string }) => Promise<{
+            userId: string;
+            clientId: string;
+            scopes: string[];
+            resource?: string;
+        } | null>;
         getRefreshToken: (ctx: RunQueryCtx, args: { refreshToken: string }) => Promise<{
             refreshToken?: string;
             clientId: string;
             userId: string;
             scopes: string[];
             refreshTokenExpiresAt?: number;
+            authorizationCode?: string;
+            refreshTokenFamilyId?: string;
+            refreshTokenRotatedAt?: number;
             resource?: string;
             audience?: string;
+            authTime?: number;
         } | null>;
         getTokensByUser: (ctx: RunQueryCtx, args: { userId: string }) => Promise<Array<{
             _id: string;
@@ -303,6 +313,7 @@ export interface OAuthComponentAPI {
             authorizationCode?: string;
             resource?: string;
             audience?: string;
+            authTime?: number;
         }) => Promise<void>;
         rotateRefreshToken: (ctx: RunMutationCtx, args: {
             oldRefreshToken: string;
@@ -315,7 +326,7 @@ export interface OAuthComponentAPI {
             refreshTokenExpiresAt: number;
             resource?: string;
             audience?: string;
-        }) => Promise<void>;
+        }) => Promise<void | { error: string; revokedTokens: number; authorizationDeleted: boolean }>;
         upsertAuthorization: (ctx: RunMutationCtx, args: {
             userId: string;
             clientId: string;
@@ -437,6 +448,15 @@ export async function authorizeHandler(
         );
     }
 
+    if (params.has("request") || params.has("request_uri")) {
+        return buildAuthorizeErrorRedirect(
+            redirectUri,
+            "invalid_request",
+            "request and request_uri parameters are not supported",
+            state
+        );
+    }
+
     if (consent === "approve" && !isConsentFromProvider(request, config)) {
         return buildAuthorizeErrorRedirect(
             redirectUri,
@@ -485,7 +505,11 @@ export async function authorizeHandler(
     let requestedScopes = scope
         ? scope.split(" ").filter(Boolean)
         : [];
-    if (requestedScopes.includes("offline_access") && !promptValues.has("consent")) {
+    if (
+        requestedScopes.includes("offline_access") &&
+        !promptValues.has("consent") &&
+        !promptValues.has("none")
+    ) {
         requestedScopes = requestedScopes.filter((s) => s !== "offline_access");
     }
     if (requestedScopes.length === 0) {
@@ -531,7 +555,52 @@ export async function authorizeHandler(
         );
     }
 
-    if (consent !== "approve") {
+    if (!config.getUserId) {
+        return new OAuthError("server_error", "getUserId is not configured", 500).toResponse(headers);
+    }
+    const userId = await config.getUserId(ctx as RunActionCtx & { auth: Auth }, request);
+
+    if (promptValues.has("none")) {
+        if (promptValues.size > 1) {
+            return buildAuthorizeErrorRedirect(
+                redirectUri,
+                "invalid_request",
+                "prompt=none cannot be combined with other prompt values",
+                state
+            );
+        }
+        if (!userId) {
+            return buildAuthorizeErrorRedirect(
+                redirectUri,
+                "login_required",
+                "User not authenticated",
+                state
+            );
+        }
+        if (consent !== "approve") {
+            if (!api.queries.getAuthorization) {
+                return buildAuthorizeErrorRedirect(
+                    redirectUri,
+                    "server_error",
+                    "OAuth component API is out of date; regenerate component API references",
+                    state
+                );
+            }
+            const authorization = await api.queries.getAuthorization(ctx, { userId, clientId });
+            const hasScopes = authorization !== null &&
+                requestedScopes.every((scope) => authorization.scopes.includes(scope));
+            const hasResource = authorization !== null &&
+                authorization.resource === (resource ?? undefined);
+            if (!hasScopes || !hasResource) {
+                return buildAuthorizeErrorRedirect(
+                    redirectUri,
+                    "consent_required",
+                    "User consent required",
+                    state
+                );
+            }
+        }
+    } else if (consent !== "approve") {
         return buildAuthorizeErrorRedirect(
             redirectUri,
             "access_denied",
@@ -540,10 +609,6 @@ export async function authorizeHandler(
         );
     }
 
-    if (!config.getUserId) {
-        return new OAuthError("server_error", "getUserId is not configured", 500).toResponse(headers);
-    }
-    const userId = await config.getUserId(ctx as RunActionCtx & { auth: Auth }, request);
     if (!userId) {
         return buildAuthorizeErrorRedirect(
             redirectUri,
@@ -586,7 +651,7 @@ export async function openIdConfigurationHandler(
     if (corsResponse) return corsResponse;
     const headers = createCorsHeaders(request.headers.get("Origin"), config, "GET, OPTIONS");
 
-    const backendUrl = config.convexSiteUrl ?? config.siteUrl;
+    const backendUrl = (config.convexSiteUrl ?? config.siteUrl).replace(/\/+$/, "");
     const prefix = normalizePrefix(config.prefix);
 
     const issuerUrl = getIssuerUrl(config);
@@ -607,6 +672,9 @@ export async function openIdConfigurationHandler(
         token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post", "none"],
         grant_types_supported: ["authorization_code", "refresh_token"],
         code_challenge_methods_supported: ["S256"],
+        request_uri_parameter_supported: false,
+        request_parameter_supported: false,
+        claims_parameter_supported: false,
     };
 
     if (config.allowDynamicClientRegistration) {
@@ -695,12 +763,16 @@ export async function tokenHandler(
                 throw new OAuthError("invalid_request", "Multiple client authentication methods");
             }
             const basicCredentials = parseBasicClientCredentials(authHeader);
+            if (bodyClientId && bodyClientId !== basicCredentials.clientId) {
+                throw new OAuthError("invalid_request", "Conflicting client_id");
+            }
             clientId = basicCredentials.clientId;
             clientSecret = basicCredentials.clientSecret;
             usedAuthMethod = "client_secret_basic";
         }
 
         if (!clientId) throw new OAuthError("invalid_request", "client_id required");
+        if (!grantType) throw new OAuthError("invalid_request", "grant_type required");
 
         // Client existence + confidential client check
         const client = await api.queries.getClient(ctx, { clientId });
@@ -816,6 +888,7 @@ export async function tokenHandler(
                 authorizationCode: codeData.codeHash, // Link to authorization code
                 resource: codeData.resource,
                 audience: accessTokenAudience,
+                authTime: codeData.authTime,
             });
 
             // F. Create/Update Authorization Record
@@ -858,6 +931,23 @@ export async function tokenHandler(
             const oldToken = await api.queries.getRefreshToken(ctx, { refreshToken });
 
             if (!oldToken) throw new OAuthError("invalid_grant", "Invalid refresh token");
+            if (oldToken.refreshTokenRotatedAt !== undefined) {
+                // rotateRefreshToken detects tombstones before storing the supplied replacement tokens.
+                await api.mutations.rotateRefreshToken(ctx, {
+                    oldRefreshToken: refreshToken,
+                    accessToken: "refresh-token-reuse-detected",
+                    refreshToken: "refresh-token-reuse-detected",
+                    clientId: oldToken.clientId,
+                    userId: oldToken.userId,
+                    scopes: oldToken.scopes,
+                    expiresAt: Date.now(),
+                    refreshTokenExpiresAt: Date.now(),
+                    resource: oldToken.resource,
+                    audience: oldToken.audience,
+                });
+                throw new OAuthError("invalid_grant", "Invalid refresh token");
+            }
+            if (oldToken.clientId !== clientId) throw new OAuthError("invalid_grant", "Client mismatch");
             const refreshTokenResource = oldToken.resource;
             const refreshTokenAudience = oldToken.audience ?? refreshTokenResource ?? config.applicationID ?? "convex";
             const accessTokenAudience = refreshTokenResource ?? refreshTokenAudience;
@@ -872,8 +962,6 @@ export async function tokenHandler(
                 throw new OAuthError("invalid_grant", "Refresh token expired");
             }
 
-            if (oldToken.clientId !== clientId) throw new OAuthError("invalid_grant", "Client mismatch");
-
             const userId = oldToken.userId;
 
             // RFC 6749 Section 6: スコープパラメータ処理（アクセストークン用）
@@ -943,6 +1031,7 @@ export async function tokenHandler(
                     sub: userId,
                     iss: issuerUrl,
                     aud: clientId,
+                    auth_time: oldToken.authTime,
                 })
                     .setProtectedHeader({ alg: "RS256", typ: "JWT", kid: keyId })
                     .setIssuedAt()
@@ -952,7 +1041,7 @@ export async function tokenHandler(
 
             // Rotate - 元のスコープ維持
             try {
-                await api.mutations.rotateRefreshToken(ctx, {
+                const rotationResult = await api.mutations.rotateRefreshToken(ctx, {
                     oldRefreshToken: refreshToken,
                     accessToken,
                     refreshToken: newRefreshToken,
@@ -964,6 +1053,9 @@ export async function tokenHandler(
                     resource: refreshTokenResource,
                     audience: refreshTokenAudience,
                 });
+                if (rotationResult && "error" in rotationResult && rotationResult.error === "refresh_token_reuse_detected") {
+                    throw new OAuthError("invalid_grant", "Invalid refresh token");
+                }
 
                 // Update authorization lastUsedAt
                 await api.mutations.updateAuthorizationLastUsed(ctx, {
@@ -1038,8 +1130,7 @@ export async function tokenHandler(
                 return new OAuthError("invalid_scope", e.message).toResponse(tokenHeaders);
             }
         }
-        const message = e instanceof Error ? e.message : String(e);
-        return new OAuthError("invalid_request", message).toResponse(tokenHeaders);
+        return new OAuthError("invalid_request", "Invalid request").toResponse(tokenHeaders);
     }
 }
 
@@ -1057,7 +1148,8 @@ export async function userInfoHandler(
     const headers = createCorsHeaders(request.headers.get("Origin"), config, "GET, POST, OPTIONS");
 
     const authHeader = request.headers.get("Authorization");
-    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    const authMatch = authHeader?.match(/^Bearer\s+(.+)$/i);
+    if (!authMatch) {
         return new Response(null, {
             status: 401,
             headers: {
@@ -1067,7 +1159,7 @@ export async function userInfoHandler(
         });
     }
 
-    const token = authHeader.split(" ")[1];
+    const token = authMatch[1];
 
     try {
         const issuerUrl = getIssuerUrl(config);
@@ -1126,7 +1218,14 @@ export async function userInfoHandler(
             responseBody.email_verified = user.email_verified;
         }
 
-        return new Response(JSON.stringify(responseBody), { headers });
+        return new Response(JSON.stringify(responseBody), {
+            headers: {
+                ...headers,
+                "Content-Type": "application/json",
+                "Cache-Control": "no-store",
+                "Pragma": "no-cache",
+            },
+        });
 
     } catch {
         return new Response(null, {
@@ -1257,8 +1356,7 @@ export async function registerHandler(
         if (e instanceof OAuthError) {
             return e.toResponse(headers);
         }
-        const message = e instanceof Error ? e.message : String(e);
-        return new OAuthError("invalid_request", message).toResponse(headers);
+        return new OAuthError("invalid_request", "Invalid client metadata").toResponse(headers);
     }
 }
 

package/src/component/mutations.ts

@@ -21,6 +21,7 @@ export function isLoopbackRedirectUri(uri: string): boolean {
     return (
       parsed.hostname === "127.0.0.1" ||
       parsed.hostname === "::1" ||
+      parsed.hostname === "[::1]" ||
       parsed.hostname === "localhost"
     );
   } catch {
@@ -49,12 +50,50 @@ function validateResourceUri(resource: string | undefined): void {
     }
 }
 
+async function revokeTokenFamily(ctx: any, token: {
+    clientId: string;
+    userId: string;
+    authorizationCode?: string;
+    refreshTokenFamilyId?: string;
+}) {
+    const tokens = await ctx.db
+        .query("oauthTokens")
+        .withIndex("by_user", (q: any) => q.eq("userId", token.userId))
+        .collect();
+    const toDelete = tokens.filter((candidate: any) =>
+        candidate.clientId === token.clientId &&
+        (
+            (token.refreshTokenFamilyId !== undefined && candidate.refreshTokenFamilyId === token.refreshTokenFamilyId) ||
+            (token.authorizationCode !== undefined && candidate.authorizationCode === token.authorizationCode)
+        )
+    );
+
+    for (const candidate of toDelete) {
+        await ctx.db.delete(candidate._id);
+    }
+
+    const authorization = await ctx.db
+        .query("oauthAuthorizations")
+        .withIndex("by_user_client", (q: any) =>
+            q.eq("userId", token.userId).eq("clientId", token.clientId)
+        )
+        .unique();
+    if (authorization) {
+        await ctx.db.delete(authorization._id);
+    }
+
+    return {
+        revokedTokens: toDelete.length,
+        authorizationDeleted: authorization !== null,
+    };
+}
+
 async function verifyPkce(
     codeChallengeMethod: string,
     codeChallenge: string,
     codeVerifier: string
 ) {
-    if (codeChallengeMethod !== "S256" && codeChallengeMethod !== "plain") {
+    if (codeChallengeMethod !== "S256") {
         throw new Error("unsupported_code_challenge_method");
     }
 
@@ -75,12 +114,6 @@ async function verifyPkce(
         if (hashBase64 !== codeChallenge) {
             throw new Error("invalid_code_verifier");
         }
-    } else if (codeChallengeMethod === "plain") {
-        if (codeVerifier !== codeChallenge) {
-            throw new Error("invalid_code_verifier");
-        }
-    } else {
-        throw new Error("unsupported_code_challenge_method");
     }
 }
 
@@ -282,12 +315,23 @@ export const consumeAuthCode = mutation({
                 await ctx.db.delete(token._id);
             }
 
+            const authorization = await ctx.db
+                .query("oauthAuthorizations")
+                .withIndex("by_user_client", (q) =>
+                    q.eq("userId", authCode.userId).eq("clientId", authCode.clientId)
+                )
+                .unique();
+            if (authorization) {
+                await ctx.db.delete(authorization._id);
+            }
+
             await ctx.db.patch(authCode._id, { replayDetectedAt: Date.now() });
 
             // Return error status (cannot throw because it would rollback token deletion)
             return {
                 error: "authorization_code_reuse_detected",
                 revokedTokens: tokensToRevoke.length,
+                authorizationDeleted: authorization !== null,
             } as any;
         }
 
@@ -334,6 +378,7 @@ export const saveTokens = mutation({
         authorizationCode: v.optional(v.string()), // Hashed code for replay detection (RFC Line 1136)
         resource: v.optional(v.string()),
         audience: v.optional(v.string()),
+        authTime: v.optional(v.number()),
     },
     handler: async (ctx, args) => {
         const authorizationCode = args.authorizationCode;
@@ -356,6 +401,9 @@ export const saveTokens = mutation({
             refreshToken: args.refreshToken
                 ? await hashToken(args.refreshToken)
                 : undefined,
+            refreshTokenFamilyId: args.refreshToken
+                ? (args.authorizationCode ?? crypto.randomUUID())
+                : undefined,
         });
     },
 });
@@ -402,6 +450,14 @@ export const rotateRefreshToken = mutation({
             throw new Error("invalid_grant");
         }
 
+        if (oldToken.refreshTokenRotatedAt !== undefined) {
+            const result = await revokeTokenFamily(ctx, oldToken);
+            return {
+                error: "refresh_token_reuse_detected",
+                ...result,
+            } as any;
+        }
+
         // 2. Validate Client/User consistency
         if (oldToken.clientId !== args.clientId || oldToken.userId !== args.userId) {
             throw new Error("invalid_grant");
@@ -437,8 +493,13 @@ export const rotateRefreshToken = mutation({
             throw new Error(`invalid_scope: ${invalidScopes.join(", ")}`);
         }
 
-        // 5. Delete Old Token
-        await ctx.db.delete(oldToken._id);
+        const refreshTokenFamilyId = oldToken.refreshTokenFamilyId ?? oldToken.authorizationCode ?? crypto.randomUUID();
+
+        // 5. Keep old refresh token as a tombstone so reuse can revoke the family.
+        await ctx.db.patch(oldToken._id, {
+            refreshTokenFamilyId,
+            refreshTokenRotatedAt: Date.now(),
+        });
 
         // 6. Insert New Token (with hashed values)
         await ctx.db.insert("oauthTokens", {
@@ -451,6 +512,9 @@ export const rotateRefreshToken = mutation({
             refreshTokenExpiresAt: args.refreshTokenExpiresAt,
             resource: args.resource,
             audience: args.audience,
+            authorizationCode: oldToken.authorizationCode,
+            refreshTokenFamilyId,
+            authTime: oldToken.authTime,
         });
     },
 });
@@ -472,6 +536,30 @@ export const deleteClient = mutation({
             throw new Error("Client not found");
         }
 
+        const tokens = await ctx.db
+            .query("oauthTokens")
+            .filter((q) => q.eq(q.field("clientId"), args.clientId))
+            .collect();
+        for (const token of tokens) {
+            await ctx.db.delete(token._id);
+        }
+
+        const codes = await ctx.db
+            .query("oauthCodes")
+            .filter((q) => q.eq(q.field("clientId"), args.clientId))
+            .collect();
+        for (const code of codes) {
+            await ctx.db.delete(code._id);
+        }
+
+        const authorizations = await ctx.db
+            .query("oauthAuthorizations")
+            .filter((q) => q.eq(q.field("clientId"), args.clientId))
+            .collect();
+        for (const authorization of authorizations) {
+            await ctx.db.delete(authorization._id);
+        }
+
         await ctx.db.delete(client._id);
     },
 });
@@ -485,24 +573,65 @@ export const cleanupExpired = internalMutation({
     handler: async (ctx) => {
         const now = Date.now();
 
-        // Cleanup expired codes (both unused and used codes past retention period)
+        // Cleanup unused expired codes. Used codes are replay-detection tombstones and
+        // must outlive refresh tokens minted from the same authorization.
         const expiredCodes = await ctx.db
             .query("oauthCodes")
             .filter(q => q.lt(q.field("expiresAt"), now))
             .take(100);
 
         for (const code of expiredCodes) {
-            await ctx.db.delete(code._id);
+            const descendantTokens = await ctx.db
+                .query("oauthTokens")
+                .withIndex("by_authorization_code", (q) => q.eq("authorizationCode", code.code))
+                .collect();
+            const maxDescendantRefreshExpiry = Math.max(
+                0,
+                ...descendantTokens.map((token) => token.refreshTokenExpiresAt ?? 0)
+            );
+            const replayRetentionUntil = Math.max(
+                (code.usedAt ?? code.replayDetectedAt ?? 0) + OAUTH_CONSTANTS.REFRESH_TOKEN_EXPIRY_MS,
+                maxDescendantRefreshExpiry
+            );
+            if (code.usedAt === undefined && code.replayDetectedAt === undefined) {
+                await ctx.db.delete(code._id);
+            } else if (replayRetentionUntil < now) {
+                await ctx.db.delete(code._id);
+            }
         }
 
-        // Cleanup expired tokens
+        // Cleanup tokens only after every credential stored in the row has expired.
         const expiredTokens = await ctx.db
             .query("oauthTokens")
             .filter(q => q.lt(q.field("expiresAt"), now))
             .take(100);
 
         for (const token of expiredTokens) {
-            await ctx.db.delete(token._id);
+            const familyTokens = token.refreshTokenFamilyId
+                ? await ctx.db
+                    .query("oauthTokens")
+                    .filter((q) =>
+                        q.and(
+                            q.eq(q.field("clientId"), token.clientId),
+                            q.eq(q.field("userId"), token.userId),
+                            q.eq(q.field("refreshTokenFamilyId"), token.refreshTokenFamilyId)
+                        )
+                    )
+                    .collect()
+                : [];
+            const maxFamilyRefreshExpiry = Math.max(
+                0,
+                ...familyTokens.map((familyToken) => familyToken.refreshTokenExpiresAt ?? 0)
+            );
+            const shouldKeepTombstone =
+                token.refreshTokenRotatedAt !== undefined &&
+                maxFamilyRefreshExpiry >= now;
+            if (
+                !shouldKeepTombstone &&
+                (!token.refreshToken || !token.refreshTokenExpiresAt || token.refreshTokenExpiresAt < now)
+            ) {
+                await ctx.db.delete(token._id);
+            }
         }
 
         return {
@@ -540,11 +669,9 @@ export const upsertAuthorization = mutation({
         const now = Date.now();
 
         if (existing) {
-            // Update: merge scopes, update lastUsedAt
-            const mergedScopes = [...new Set([...existing.scopes, ...args.scopes])];
             await ctx.db.patch(existing._id, {
-                scopes: mergedScopes,
-                resource: args.resource ?? existing.resource,
+                scopes: args.scopes,
+                resource: args.resource,
                 lastUsedAt: now,
             });
             return existing._id;
@@ -616,9 +743,24 @@ export const revokeAuthorization = mutation({
             await ctx.db.delete(token._id);
         }
 
+        // 3. Delete pending authorization codes for this user-client pair.
+        const codes = (await ctx.db
+            .query("oauthCodes")
+            .filter((q) =>
+                q.and(
+                    q.eq(q.field("userId"), args.userId),
+                    q.eq(q.field("clientId"), args.clientId)
+                )
+            )
+            .collect()).filter((code) => code.usedAt === undefined);
+        for (const code of codes) {
+            await ctx.db.delete(code._id);
+        }
+
         return {
             authorizationDeleted: !!auth,
             tokensDeleted: toDelete.length,
+            codesDeleted: codes.length,
         };
     },
 });

package/src/component/queries.ts

@@ -8,10 +8,15 @@ import { hashToken, isHashedToken } from "./token_security.js";
 export const getClient = query({
     args: { clientId: v.string() },
     handler: async (ctx, args) => {
-        return await ctx.db
+        const client = await ctx.db
             .query("oauthClients")
             .withIndex("by_client_id", (q) => q.eq("clientId", args.clientId))
             .unique();
+        if (!client) return null;
+        return {
+            ...client,
+            clientSecret: undefined,
+        };
     },
 });
 

package/src/component/schema.ts

@@ -72,8 +72,11 @@ export default defineSchema({
 
         // RFC Line 1136: Track which authorization code issued this token for replay detection
         authorizationCode: v.optional(v.string()), // Hashed authorization code
+        refreshTokenFamilyId: v.optional(v.string()),
+        refreshTokenRotatedAt: v.optional(v.number()),
         resource: v.optional(v.string()),
         audience: v.optional(v.string()),
+        authTime: v.optional(v.number()),
     })
         .index("by_access_token", ["accessToken"])
         .index("by_refresh_token", ["refreshToken"])

package/src/lib/__tests__/oauth-jwt.test.ts

@@ -402,7 +402,7 @@ describe("OAuth JWT and Utilities", () => {
                 privateKey: TEST_PRIVATE_KEY,
                 keyId: "override-key"
             };
-            expect(getSigningKeyId(configWithOverride)).toBe("override-key");
+            expect(() => getSigningKeyId(configWithOverride)).toThrow(/not present in JWKS/);
 
             const configWithMissingKid: OAuthConfig = {
                 siteUrl: "https://example.com",