@crossauth/fastify 0.0.2

package/dist/fastifyoauthclient.d.ts

@@ -0,0 +1,429 @@
+import { FastifyRequest, FastifyReply } from 'fastify';
+import { OAuthTokenResponse, OAuthDeviceAuthorizationResponse, User } from '@crossauth/common';
+import { OAuthClientBackend, OAuthClientOptions } from '@crossauth/backend';
+import { FastifyServer, FastifyErrorFn } from './fastifyserver';
+
+/**
+ * Options for {@link FastifyOAuthClient}.
+ */
+export interface FastifyOAuthClientOptions extends OAuthClientOptions {
+    /** The base URL for endpoints served by this class.
+     * THe only endpoint that is created is the redirect Uri, which is
+     * `siteUrl` + `prefix` + `authzcode`,
+     */
+    siteUrl?: string;
+    /**
+     * The prefix between the `siteUrl` and endpoints created by this
+     * class.  See {@link FastifyOAuthClientOptions.siteUrl}.
+     */
+    prefix?: string;
+    /**
+     * When using the BFF (backend-for-frontend) pattern, tokens are saved
+     * in the `data` field of the session ID.  They are saved in the JSON
+     * object with this field name.  Default `oauth`.
+     */
+    sessionDataName?: string;
+    /**
+     * The template file for rendering error messages
+     * when {@link FastifyOAuthClientOptions.errorResponseType}
+     * is `errorPage`.
+     */
+    errorPage?: string;
+    /**
+     * The template file for asking the user for username and password
+     * in the password flow,
+     *
+     * Default `passwordflow.njk`
+     */
+    passwordFlowPage?: string;
+    /**
+     * The template file to tell users the url to go to to complete the
+     * device code flow.
+     *
+     * Default `devicecodeflow.njk`
+     */
+    deviceCodeFlowPage?: string;
+    /**
+     * The template file to show the result in the `deletetokens` endpoint.
+     *
+     * Default `deletetokens.njk`
+     */
+    deleteTokensPage?: string;
+    /**
+     * Tthe `deletetokens` GET endpoint.
+     *
+     * Default undefined - don't create the endpoint
+     */
+    deleteTokensGetUrl?: string;
+    /**
+     * Whether to add the `deletetokens` POST endpoint.
+     *
+     * Default undefined - don't create the endpoint
+     */
+    deleteTokensPostUrl?: string;
+    /**
+     * Whether to add the `api/deletetokens` POST endpoint.
+     *
+     * Default undefined - don't create the endpoint
+     */
+    apiDeleteTokensPostUrl?: string;
+    /**
+     * The template file for asking the user for an OTP in the password MFA
+     * flow.
+     */
+    mfaOtpPage?: string;
+    /**
+     * The template file for asking the user for an OOB in the password MFA
+     * flow.
+     */
+    mfaOobPage?: string;
+    /**
+     * The template file for telling the user that authorization was successful.
+     */
+    authorizedPage?: string;
+    /**
+     * If the {@link FastifyOAuthClientOptions.tokenResponseType} is
+     * `saveInSessionAndRedirect`, this is the relative URL that the usder
+     * will be redirected to after authorization is complete.
+     */
+    authorizedUrl?: string;
+    /**
+     * Relative URL to redirect user to if login is required.
+     */
+    loginUrl?: string;
+    /**
+     * All flows listed here will require the user to login (here at the client).
+     * If if a flow is not listed here, there does not need to be a user
+     * logged in here at the client.
+     * See {@link @crossauth/common!OAuthFlows}.
+     */
+    loginProtectedFlows?: string[];
+    /**
+     * The URL to create the password flow under.  Default `passwordflow`.
+     */
+    passwordFlowUrl?: string;
+    /**
+     * The URL to to create the device code flow under.  Default `devicecodeflow`.
+     */
+    deviceCodeFlowUrl?: string;
+    /**
+     * The URL to to for polling until the device code flow completes.
+     * Default `devicecodepoll`.
+     */
+    deviceCodePollUrl?: string;
+    /**
+     * The URL to create the otp endpoint for the password mfa flow under.
+     * This endpoint asks the user for his or her OTP.
+     * Default `passwordflowotp`.
+     */
+    passwordOtpUrl?: string;
+    /**
+     * The URL to create the otp endpoint for the password mfa flow under.
+     * This endpoint asks the user for his or her OOB.
+     * Default `passwordflowoob`.
+     */
+    passwordOobUrl?: string;
+    /**
+     * This function is called after successful authorization to pass the
+     * new tokens to.
+     * @param oauthResponse the response from the OAuth `token` endpoint.
+     * @param client the fastify OAuth client
+     * @param request the Fastify request
+     * @param reply the Fastify reply
+     * @returns the Fastify reply
+     */
+    receiveTokenFn?: (oauthResponse: OAuthTokenResponse, client: FastifyOAuthClient, request: FastifyRequest, reply?: FastifyReply) => Promise<FastifyReply | undefined>;
+    /**
+     * The function to call when there is an OAuth error and
+     * {@link FastifyOAuthClientOptions.errorResponseType}
+     * is `custom`.
+     * See {@link FastifyErrorFn}.
+     */
+    errorFn?: FastifyErrorFn;
+    /**
+     * What to do when receiving tokens.
+     * See {@link FastifyOAuthClient} class documentation for full description.
+     */
+    tokenResponseType?: "sendJson" | "saveInSessionAndLoad" | "saveInSessionAndRedirect" | "sendInPage" | "custom";
+    /**
+     * What do do on receiving an OAuth error.
+     * See lass documentation for full description.
+     */
+    errorResponseType?: "sendJson" | "errorPage" | "custom";
+    /**
+     * Array of resource server endppints to serve through the
+     * BFF (backend-for-frontend) mechanism.
+     * See {@link FastifyOAuthClient} class documentation for full description.
+     */
+    bffEndpoints?: {
+        url: string;
+        methods: ("GET" | "POST" | "PUT" | "DELETE" | "PATCH")[];
+        matchSubUrls?: boolean;
+    }[];
+    /**
+     * Prefix for BFF endpoints.  Default "bff".
+     * See {@link FastifyOAuthClient} class documentation for full description.
+     */
+    bffEndpointName?: string;
+    /**
+     * Base URL for resource server endpoints called through the BFF
+     * mechanism.
+     * See {@link FastifyOAuthClient} class documentation for full description.
+     */
+    bffBaseUrl?: string;
+    /**
+     * Endpoints to provide to acces tokens through the BFF mechanism,
+     * See {@link FastifyOAuthClient} class documentation for full description.
+     */
+    tokenEndpoints?: ("access_token" | "refresh_token" | "id_token" | "have_access_token" | "have_refresh_token" | "have_id_token")[];
+    /**
+     * Set of flows to enable (see {@link @crossauth/common!OAuthFlows}).
+     *
+     * Defaults to empty.
+     */
+    validFlows?: string[];
+}
+/**
+ * Query type for the `authorize` Fastify request.
+ */
+export interface ClientAuthorizeQueryType {
+    scope?: string;
+}
+/**
+ * Query type for the redirect Uri Fastify request.
+ */
+export interface RedirectUriQueryType {
+    code?: string;
+    state?: string;
+    error?: string;
+    error_description?: string;
+}
+/**
+ * Query type for the password flow Fastify request.
+ */
+export interface PasswordQueryType {
+    scope?: string;
+}
+/**
+ * Query type for the client cresentials flow Fastify request.
+ */
+export interface ClientCredentialsBodyType {
+    scope?: string;
+    csrfToken?: string;
+}
+/**
+ * Query type for the refresh token flow Fastify request.
+ */
+export interface RefreshTokenBodyType {
+    refreshToken?: string;
+    csrfToken?: string;
+}
+/**
+ * Body type for the password flow Fastify request.
+ */
+export interface PasswordBodyType {
+    username: string;
+    password: string;
+    scope?: string;
+    csrfToken?: string;
+}
+export interface DeviceCodeFlowResponse extends OAuthDeviceAuthorizationResponse {
+    user?: User;
+    scope?: string;
+    verification_uri_qrdata?: string;
+    errorMessage?: string;
+    errorCode?: number;
+    errorCodeName?: string;
+    csrfToken?: string;
+}
+/**
+ * Body type for the device code flow Fastify request.
+ */
+export interface DeviceCodeBodyType {
+    scope?: string;
+    csrfToken?: string;
+}
+/**
+ * Body type for the device code flow Fastify request.
+ */
+export interface DeviceCodePollBodyType {
+    device_code: string;
+    csrfToken?: string;
+}
+/**
+ * Query type for the OTP endpoint on the password mfa flow Fastify request.
+ */
+export interface PasswordOtpType {
+    scope?: string;
+    mfa_token: string;
+    otp: string;
+    challenge_type?: string;
+}
+/**
+ * Query type for the OOB endpoint on the password mfa flow Fastify request.
+ */
+export interface PasswordOobType {
+    scope?: string;
+    mfa_token: string;
+    oob_code: string;
+    binding_code: string;
+    challenge_type?: string;
+    name?: string;
+}
+/**
+ * The Fastify implementation of the OAuth client.
+ *
+ * Makes requests to an authorization server, using a configurable set
+ * of flows, which sends back errors or tokens,
+ *
+ * When constructing this class, you define what happens with tokens that
+ * are returned, or errors that are returned.  You do this with the
+ * configuration options {@link FastifyOAuthClientOptions.tokenResponseType}
+ * and {@link FastifyOAuthClientOptions.errorResponseType}.
+ *
+ * **{@link FastifyOAuthClientOptions.tokenResponseType}**
+ *
+ *   - `sendJson` the token response is sent as-is in the reply to the Fastify
+ *      request.  In addition to the `token` endpoint response fields,
+ *      `ok: true` and `id_payload` with the decoded
+ *      payload of the ID token are retruned.
+ *   - `saveInSessionAndLoad` the response fields are saved in the `data`
+ *      field of the session ID in key storage.  In addition, `expires_at` is
+ *      set to the number of seconds since Epoch that the access token expires
+ *      at.  After saving, page defined in `authorizedPage` is displayed.
+ *      A consequence is the query parameters passed to the
+ *      redirect Uri are displayed in the address bar, as the response
+ *      is to the redirect to the redirect Uri.
+ *    - saveInSessionAndRedirect` same as `saveInSessionAndLoad` except that
+ *      a redirect is done to the `authorizedUrl` rather than displaying
+ *      `authorizedPage` template.
+ *    - `sendInPage` the `token` endpoint response is not saved in the session
+ *      but just sent as template arguments when rendering the
+ *      template in `authorizedPage`.  The JSON response fields are sent
+ *      verbatim, with the additional fild of `id_payload` which is the
+ *      decoded payload from the ID token, if present.
+ *    - `custom` the function in
+ *       {@link FastifyOAuthClientOptions.receiveTokenFn} is called.
+ *
+ * **{@link FastifyOAuthClientOptions.errorResponseType}**
+ *
+ *    - `sendJson` a JSON response is sent with fields
+ *       `status`, `errorMessage`,
+ *      `errorMessages` and `errorCodeName`.
+ *    - `errorPage` the template in {@link FastifyOAuthClientOptions.errorPage}
+ *      is displayed with template parameters `status`, `errorMessage`,
+ *      `errorMessages` and `errorCodeName`.
+ *    - `custom` {@link FastifyOAuthClientOptions.errorFn} is called.
+ *
+ * **Backend-for-Frontend (BFF)**
+ *
+ * This class supports the backend-for-frontend (BFF) model.  You create an
+ * endpoint for every resource server endpoint you want to be able to call, by
+ * setting them in {@link FastifyOAuthClientOptions.bffEbdpoints}.  You set the
+ * {@link FastifyOAuthClientOptions.tokenResponseType} to `saveInSessionAndLoad`
+ * or `saveInSessionAndRedirect` so that tokens are saved in the session.
+ * You also set `bffBaseUrl` to the base URL of the resource server.
+ * When you want to call a resource server endpoint, you call
+ * `siteUrl` + `prefix` + `bffEndpointName` + *`url`*. The client will
+ * pull the access token from the session, put it in the `Authorization` header
+ * and called `bffBaseUrl` + *`url`* using fetch, and return the
+ * response verbatim.
+ *
+ * This pattern avoids you having to store the access token in the frontend.
+ *
+ * **Endpoints provided by this class**
+ *
+ * In addition to the BFF endpoints above, this class provides the following
+ * endpoints. The ENDPOINT column values can be overridden in
+ * {@link FastifyOAuthClientOptions}.
+ * All POST endpoints also require `csrfToken`.
+ * The Flow endpoints are only enabled if the corresponding flow is set
+ * in {@link FastifyOAuthClientOptions.validFlows}.
+ * Token endpoints are only enabled if the corresponding endpoint is set
+ * in {@link FastifyOAuthClientOptions.tokenEndpoints}.
+ *
+ * | METHOD | ENDPOINT            |Description                                                   | GET/BODY PARAMS                                     | VARIABLES PASSED/RESPONSE                                 | FILE                     |
+ * | ------ | --------------------| ------------------------------------------------------------ | --------------------------------------------------- | --------------------------------------------------------- | ------------------------ |
+ * | GET    | `authzcode`         | Redirect URI for receiving authz code                        | *See OAuth authorization code flow spec*            | *See docs for`tokenResponseType`*                         |                          |
+ * | GET    | `passwordflow`      | Displays page to request username/password for password flow | scope                                               | user, scope                                               | passwordFlowPage         |
+ * | POST   | `passwordflow`      | Initiates the password flow                                  | *See OAuth password flow spec*                      | *See docs for`tokenResponseType`*                         |                          |
+ * |        |                     | Requests an OTP from the user for the Password MFA OTP flow  | `mfa_token`, `scope`, `otp`                         | `mfa_token`, `scope`, `error`, `errorMessage`             | mfaOtpPage               |
+ * |        |                     | Requests an OOB from the user for the Password MFA OOB flow  | `mfa_token`, `oob_code`, `scope`, `oob`             | `mfa_token`, `oob_code`, `scope`, `error`, `errorMessage` | mfaOobPage               |
+ * | POST   | `passwordotp`       | Token request with the MFA OTP                               | *See Password MFA flow spec*                        | *See docs for`tokenResponseType`*                         |                          |
+ * | POST   | `passwordoob`       | Token request with the MFA OOB                               | *See Password MFA flow spec*                        | *See docs for`tokenResponseType`*                         |                          |
+ * | POST   | `authzcodeflow`     | Initiates the authorization code flow                        | *See OAuth authorization code flow spec*            | *See docs for`tokenResponseType`*                         |                          |
+ * | POST   | `authzcodeflowpkce` | Initiates the authorization code flow with PKCE              | *See OAuth authorization code flow with PKCE spec*  | *See docs for`tokenResponseType`*                         |                          |
+ * | POST   | `clientcredflow`    | Initiates the client credentials flow                        | *See OAuth client credentials flow spec*            | *See docs for`tokenResponseType`*                         |                          |
+ * | POST   | `refreshtokenflow`  | Initiates the refresh token flow                             | *See OAuth refresh token flow spec*                 | *See docs for`tokenResponseType`*                         |                          |
+ * | POST   | `devicecodeflow`    | Initiates the device code flow                               | See {@link DeviceCodeBodyType}                      | See {@link DeviceCodeFlowResponse}                        | `deviceCodeFlowPage`     |
+ * | POST   | `api/devicecodeflow` | Initiates the device code flow                              | See {@link DeviceCodeBodyType}                      | See {@link DeviceCodeFlowResponse}                        |                          |
+ * | POST   | `devicecodepoll`     | Initiates the device code flow                              | See {@link DeviceCodePollBodyType}                  | Authorization complete: See docs for`tokenResponseType`.  Other cases, {@link @crossauth/common!OAuthTokenResponse} |                          |
+ * | POST   | `api/devicecodepoll` | Initiates the device code flow                              | See {@link DeviceCodePollBodyType}                  | {@link @crossauth/common!OAuthTokenResponse}              |                          |
+ * | POST   | `access_token`      | For BFF mode, returns the saved access token                 |                                                     | *Access token payload*                                    |                          |
+ * | POST   | `refresh_token`     | For BFF mode, returns the saved refresh token                |                                                     | `token` containing the refresh token                      |                          |
+ * | POST   | `id_token     `     | For BFF mode, returns the saved ID token                     |                                                     | *ID token payload*                                        |                          |
+ * | POST   | `have_access_token` | For BFF mode, returns whether an acccess token is saved      |                                                     | `ok`                                                      |                          |
+ * | POST   | `have_refresh_token`| For BFF mode, returns whether a refresh token is saved       |                                                     | `ok`                                                      |                          |
+ * | POST   | `have_id_token`     | For BFF mode, returns whether an ID token is saved           |                                                     | `ok`                                                      |                          |
+ * | POST   | `deletetokens`      | Deletes all BFF tokens and displays a page                   | None                                                | `ok`                                                      | `deleteTokensPage`       |
+ * | POST   | `api/deletetokens`  | Delertes all tokens and returns JSON                         | None                                                | `ok`                                                      |                          |
+ */
+export declare class FastifyOAuthClient extends OAuthClientBackend {
+    server: FastifyServer;
+    private siteUrl;
+    private prefix;
+    errorPage: string;
+    passwordFlowPage: string;
+    deviceCodeFlowPage: string;
+    deleteTokensPage: string;
+    deleteTokensGetUrl: string | undefined;
+    deleteTokensPostUrl: string | undefined;
+    apiDeleteTokensPostUrl: string | undefined;
+    mfaOtpPage: string;
+    mfaOobPage: string;
+    authorizedPage: string;
+    authorizedUrl: string;
+    sessionDataName: string;
+    private receiveTokenFn;
+    private errorFn;
+    private loginUrl;
+    private validFlows;
+    /**
+     * See {@link FastifyOAuthClientOptions}
+     */
+    loginProtectedFlows: string[];
+    private tokenResponseType;
+    private errorResponseType;
+    private passwordFlowUrl;
+    private passwordOtpUrl;
+    private passwordOobUrl;
+    private deviceCodeFlowUrl;
+    private deviceCodePollUrl;
+    private bffEndpoints;
+    private bffEndpointName;
+    private bffBaseUrl?;
+    private tokenEndpoints;
+    /**
+     * Constructor
+     * @param server the {@link FastifyServer} instance
+     * @param authServerBaseUrl the `iss` claim in the access token must match this value
+     * @param options See {@link FastifyOAuthClientOptions}
+     */
+    constructor(server: FastifyServer, authServerBaseUrl: string, options: FastifyOAuthClientOptions);
+    private passwordPost;
+    private passwordMfa;
+    private passwordOtp;
+    private passwordOob;
+    private deviceCodePost;
+    private deviceCodePoll;
+    refresh(request: FastifyRequest, reply: FastifyReply, silent: boolean, onlyIfExpired: boolean, refreshToken?: string, expiresAt?: number): Promise<{
+        refresh_token?: string;
+        access_token?: string;
+        expires_in?: number;
+        expires_at?: number;
+        error?: string;
+        error_description?: string;
+    } | FastifyReply | undefined>;
+    private refreshTokens;
+    private deleteTokens;
+}

package/dist/fastifyoauthserver.d.ts

@@ -0,0 +1,248 @@
+import { FastifyInstance } from 'fastify';
+import { Server, IncomingMessage, ServerResponse } from 'http';
+import { OAuthClientStorage, KeyStorage, OAuthAuthorizationServer, Authenticator, OAuthAuthorizationServerOptions, DoubleSubmitCsrfTokenOptions } from '@crossauth/backend';
+import { OpenIdConfiguration } from '@crossauth/common';
+import { FastifyServer } from './fastifyserver';
+
+/**
+ * Options for {@link FastifyAuthorizationServer}
+ */
+export interface FastifyAuthorizationServerOptions extends OAuthAuthorizationServerOptions {
+    /**
+     * Template file to display on error.  It receives the following parameters;
+     *   - `httpStatus`,
+     *   - `errorCode`,
+     *   - `errorCodeName`
+     *   - `errorMessage`
+     * Default `error.njk`
+     */
+    errorPage?: string;
+    /**
+     * Template file for the device endpoint.  It receives the following parameters;
+     *   - `httpStatus`,
+     *   - `errorCode`,
+     *   - `errorCodeName`
+     *   - `errorMessage`
+     *   - `ok`
+     *   - `authorizationNeeded`
+     *      - `client_id`
+     *      - `client_name`
+     *      - `scope`
+     *      - `scopes`
+     *      - `user`
+     *   - `user_code`
+     *   - `retryAlllowed`
+     *   - `csrfToken`
+     * Default `device.njk`
+     */
+    devicePage?: string;
+    /**
+     * Template file for page asking user to authorize a client.
+     * It receives the following parameters;
+     *   - `user`
+     *   - `response_type`
+     *   - `client_id`
+     *   - `client_name`
+     *   - `redirect_uri`
+     *   - `scope`
+     *   - `scopes`
+     *   - `state`
+     *   - `code_challenge`
+     *   - `code_challenge_method`
+     *   - `csrfToken`
+     * Default `userauthorize.njk`
+     */
+    oauthAuthorizePage?: string;
+    /**
+     * Prefix for URLs.  Default `/`
+     */
+    prefix?: string;
+    /**
+     * The login URL (provided by {@link FastifySessionServer}). Default `/login`
+     */
+    loginUrl?: string;
+    /**
+     * How to send the refresh token.
+     *   - `json` sent in the JSON response as per the OAuth specification
+     *   - `cookie` sent as a cookie called `refreshTokenCookieName`.
+     *   - `both` both of the above
+     * Default `json`
+     */
+    refreshTokenType?: "json" | "cookie" | "both";
+    /**
+     * If `refreshTokenType` is `cookie` or `both`, this will be the cookie
+     * name.  Default `CROSSAUTH_REFRESH_TOKEN`
+     */
+    refreshTokenCookieName?: string;
+    /**
+     * Domain to set when sending a refresh token cookie.
+     * Only used if `refreshTokenType` is not `json`
+     */
+    refreshTokenCookieDomain?: string | undefined;
+    /**
+     * Whether to set `httpOnly` when sending a refresh token cookie.
+     * Only used if `refreshTokenType` is not `json`
+     */
+    refreshTokenCookieHttpOnly?: boolean;
+    /**
+     * Path to set when sending a refresh token cookie.
+     * Only used if `refreshTokenType` is not `json`
+     */
+    refreshTokenCookiePath?: string;
+    /**
+     * Whether to set the `secure` flag when sending a refresh token cookie.
+     * Only used if `refreshTokenType` is not `json`
+     */
+    refreshTokenCookieSecure?: boolean;
+    /**
+     * SameSite value to set when sending a refresh token cookie.
+     * Only used if `refreshTokenType` is not `json`
+     */
+    refreshTokenCookieSameSite?: boolean | "lax" | "strict" | "none" | undefined;
+    /** If true, create a `getcsrftoken` endpoint.
+     * You will only need to do this is you don't have session management
+     * enabled on your server, which provides an identical  `api/getcsrftoken`,
+     * and if `refreshTokenType` is not `json`.
+     * Default `false`
+     */
+    createGetCsrfTokenEndpoint?: false;
+    /** options for csrf cookie manager */
+    doubleSubmitCookieOptions?: DoubleSubmitCsrfTokenOptions;
+}
+/**
+ * Query parameters for the `authorize` Fastify request.
+ */
+export interface AuthorizeQueryType {
+    response_type: string;
+    client_id: string;
+    redirect_uri: string;
+    scope?: string;
+    state: string;
+    code_challenge?: string;
+    code_challenge_method: string;
+}
+/**
+ * Body parameters for the `userauthorize` endpoint
+ * Fastify request requesting the user
+ * to authorize a client.
+ */
+export interface UserAuthorizeBodyType {
+    csrfToken: string;
+    response_type: string;
+    client_id: string;
+    redirect_uri: string;
+    scope?: string;
+    state: string;
+    code_challenge?: string;
+    code_challenge_method: string;
+    authorized: string;
+}
+/**
+ * The body parameters for the `mfa/challenge` endpoint.
+ */
+export interface MfaChallengeBodyType {
+    client_id: string;
+    client_secret?: string;
+    challenge_type: string;
+    mfa_token: string;
+    authenticator_id: string;
+}
+/**
+ * Query parameters for the `device` Fastify request.
+ */
+export interface DeviceQueryType {
+    user_code?: string;
+}
+/**
+ * The body for the `device` Fastify request.
+ */
+export interface DeviceBodyType {
+    authorized: string;
+    user_code: string;
+    client_id: string;
+    scope?: string;
+}
+/**
+ * The body for the `device_authorization` Fastify request.
+ */
+export interface DeviceAuthorizationBodyType {
+    client_id: string;
+    client_secret?: string;
+    scope?: string;
+}
+/**
+ * This class implements an OAuth authorization server, serving endpoints
+ * with Fastify.
+ *
+ * You shouldn't have to instantiate this directly.  It is instantiated
+ * by {@link FastifyServer} if you enable the authorization server there.
+ *
+ * | METHOD | ENDPOINT                   | GET/BODY PARAMS                                                                   | RESPONSE/TEMPLATE FILE                             |
+ * | ------ | -------------------------- | --------------------------------------------------------------------------------- | -------------------------------------------------- |
+ * | GET    | `authorize`                | See OAuth spec                                                                    | See OAuth spec                                     |
+ * | GET    | `userauthorize`            | See {@link UserAuthorizeBodyType}                                                 | oauthAuthorizePage                                 |
+ * | GET    | `csrftoken`                |                                                                                   | ok, csrfToken (and Set-Cookie)                     |
+ * | POST   | `token`                    | See OAuth spec                                                                    | See OAuth spec                                     |
+ * | GET    | `mfa/authenticators`       | See {@link https://auth0.com/docs/api/authentication#multi-factor-authentication} | See link to the left                               |
+ * | POST   | `mfa/authenticators`       | See {@link https://auth0.com/docs/api/authentication#multi-factor-authentication} | See link to the left                               |
+ * | POST   | `mfa/challenge`            | See {@link https://auth0.com/docs/api/authentication#multi-factor-authentication} | See link to the left                               |
+ * | POST   | `device_authorization`     | See {@link https://datatracker.ietf.org/doc/html/rfc8628}                         | See link to the left                               |
+ * | GET    | `device`                   | `user_code` (optional).                                                           | `devicePage`                                       |
+ * | POST   | `device`                   | See {@link DeviceBodyType}.                                                       | `devicePage`                                       |
+ *
+ */
+export declare class FastifyAuthorizationServer {
+    /** The Fastify app passed to the constructor */
+    readonly app: FastifyInstance<Server, IncomingMessage, ServerResponse>;
+    /** The underlying framework-independent authorization server */
+    readonly authServer: OAuthAuthorizationServer;
+    private fastifyServer;
+    private prefix;
+    private loginUrl;
+    private oauthAuthorizePage;
+    private errorPage;
+    private devicePage;
+    private clientStorage;
+    private refreshTokenType;
+    private refreshTokenCookieName;
+    private refreshTokenCookieDomain;
+    private refreshTokenCookieHttpOnly;
+    private refreshTokenCookiePath;
+    private refreshTokenCookieSecure;
+    private refreshTokenCookieSameSite;
+    private csrfTokens;
+    private createGetCsrfTokenEndpoint;
+    /**
+     * Constructor
+     * @param app the Fastify app
+     * @param fastifyServer the Fastify server this belongs to
+     * @param clientStorage where OAuth clients are stored
+     * @param keyStorage where refresh tokens, authorization cods, etc are temporarily stored
+     * @param authenticators The authenticators (factor1 and factor2) to enable
+     *        for the password flow
+     * @param options see {@link FastifyAuthorizationServerOptions}
+     */
+    constructor(app: FastifyInstance<Server, IncomingMessage, ServerResponse>, fastifyServer: FastifyServer, clientStorage: OAuthClientStorage, keyStorage: KeyStorage, authenticators?: {
+        [key: string]: Authenticator;
+    }, options?: FastifyAuthorizationServerOptions);
+    /**
+     * Creates and returns a signed CSRF token based on the session ID
+     * @returns a CSRF cookie and value to put in the form or CSRF header
+     */
+    private createCsrfToken;
+    private addApiGetCsrfTokenEndpoints;
+    private authorizeEndpoint;
+    private authorize;
+    private mfaAuthenticatorsEndpoint;
+    private mfaChallengeEndpoint;
+    private setRefreshTokenCookie;
+    /**
+     * Returns this server's OIDC configuration.  Just wraps
+     * {@link @crossauth/backend!OAuthAuthorizationServer.oidcConfiguration}
+     * @returns An {@link @crossauth/common!OpenIdConfiguration} object
+     */
+    oidcConfiguration(): OpenIdConfiguration;
+    private applyUserCode;
+    private deviceGet;
+    private deviceCodePost;
+}