@crossauth/sveltekit 0.0.2

@@ -0,0 +1,704 @@
1
+ import { CrossauthError, ErrorCode, OAuthTokenResponse, OAuthDeviceAuthorizationResponse } from '@crossauth/common';
2
+ import { OAuthClientBackend, OAuthClientOptions } from '@crossauth/backend';
3
+ import { SvelteKitServer } from './sveltekitserver';
4
+ import { RequestEvent } from '@sveltejs/kit';
5
+
6
+ export type SvelteKitErrorFn = (server: SvelteKitServer, event: RequestEvent, ce: CrossauthError) => Promise<Response>;
7
+ /**
8
+ * Options for {@link SvelteKitOAuthClient}.
9
+ */
10
+ export interface SvelteKitOAuthClientOptions extends OAuthClientOptions {
11
+ /**
12
+ * You will have to create a route for the redirect Uri, using
13
+ * the `redirectUriEndpoint` load function. But the URL for it
14
+ * here. It should be an absolute URL.
15
+ *
16
+ * It should be a fully qualified URL as it is called from
17
+ * the browser in a redriect.
18
+ *
19
+ * The default is "oauth/authzcode".
20
+ */
21
+ redirect_uri?: string;
22
+ /**
23
+ * When using the BFF (backend-for-frontend) pattern, tokens are saved
24
+ * in the `data` field of the session ID. They are saved in the JSON
25
+ * object with this field name. Default `oauth`.
26
+ */
27
+ sessionDataName?: string;
28
+ /**
29
+ * If the {@link SvelteKitOAuthClientOptions.tokenResponseType} is
30
+ * `saveInSessionAndRedirect`, this is the relative URL that the usder
31
+ * will be redirected to after authorization is complete.
32
+ */
33
+ authorizedUrl?: string;
34
+ /**
35
+ * Relative URL to redirect user to if login is required.
36
+ */
37
+ loginUrl?: string;
38
+ /**
39
+ * All flows listed here will require the user to login (here at the client).
40
+ * If if a flow is not listed here, there does not need to be a user
41
+ * logged in here at the client.
42
+ *
43
+ * In most cases you can ignore this and use
44
+ * {@link SvelteKitsessionAdapterOptions.loginProtectedPageEndpoints}
45
+ * to protect the endpoints that begin the flows.
46
+ *
47
+ * See {@link @crossauth/common!OAuthFlows}.
48
+ */
49
+ loginProtectedFlows?: string[];
50
+ /**
51
+ * This function is called after successful authorization to pass the
52
+ * new tokens to.
53
+ * @param oauthResponse the response from the OAuth `token` endpoint.
54
+ * @param client the OAuth client
55
+ * @param event the SvelteKit request event
56
+ * @param silent if true, don't return a Response, only JSON or undefined.
57
+ * @returns a Response, JSON or undefined
58
+ */
59
+ receiveTokenFn?: (oauthResponse: OAuthTokenResponse, client: SvelteKitOAuthClient, event: RequestEvent, silent: boolean) => Promise<Response | TokenReturn | undefined>;
60
+ /**
61
+ * The function to call when there is an OAuth error and
62
+ * {@link SvelteKitOAuthClientOptions.errorResponseType}
63
+ * is `custom`.
64
+ * See {@link SvelteKitErrorFn}.
65
+ */
66
+ errorFn?: SvelteKitErrorFn;
67
+ /**
68
+ * What to do when receiving tokens.
69
+ * See {@link SvelteKitOAuthClient} class documentation for full description.
70
+ */
71
+ tokenResponseType?: "sendJson" | "saveInSessionAndLoad" | "saveInSessionAndRedirect" | "saveInSessionAndReturn" | "sendInPage" | "custom";
72
+ /**
73
+ * What do do on receiving an OAuth error.
74
+ * See lass documentation for full description.
75
+ */
76
+ errorResponseType?: "sendJson" | "svelteKitError" | "custom";
77
+ /**
78
+ * Array of resource server endppints to serve through the
79
+ * BFF (backend-for-frontend) mechanism.
80
+ * See {@link SvelteKitOAuthClient} class documentation for full description.
81
+ */
82
+ bffEndpoints?: {
83
+ url: string;
84
+ methods: ("GET" | "POST" | "PUT" | "DELETE" | "PATCH")[];
85
+ matchSubUrls?: boolean;
86
+ }[];
87
+ /**
88
+ * Prefix for BFF endpoints. Default "bff".
89
+ * See {@link SvelteKitOAuthClient} class documentation for full description.
90
+ */
91
+ bffEndpointName?: string;
92
+ /**
93
+ * Base URL for resource server endpoints called through the BFF
94
+ * mechanism.
95
+ * See {@link SvelteKitOAuthClient} class documentation for full description.
96
+ */
97
+ bffBaseUrl?: string;
98
+ /**
99
+ * Now many times to attempt to make a BFF request before failing
100
+ * with an unauthorized reponse. This is useful when you have
101
+ * enable auto refresh. If you make a resource request just as the
102
+ * token is renewing, you might get an error.
103
+ *
104
+ * Default 1
105
+ */
106
+ bffMaxTries?: number;
107
+ /**
108
+ * How many milliseconds to sleep between BFF tries.
109
+ *
110
+ * See {@link SvelteKitOAuthClientOptions.bffMaxTries}
111
+ *
112
+ * Default 500
113
+ */
114
+ bffSleepMilliseconds?: number;
115
+ /**
116
+ * Endpoints to provide to acces tokens through the BFF mechanism,
117
+ * See {@link FastifyOAuthClient} class documentation for full description.
118
+ */
119
+ tokenEndpoints?: ("access_token" | "refresh_token" | "id_token" | "have_access_token" | "have_refresh_token" | "have_id_token")[];
120
+ /** Pass the Sveltekit redirect function */
121
+ redirect?: any;
122
+ /** Pass the Sveltekit error function */
123
+ error?: any;
124
+ /**
125
+ * Set of flows to enable (see {@link @crossauth/common!OAuthFlows}).
126
+ *
127
+ * Defaults to all flows, as they must be created manually in
128
+ * your `routes`. However, be aware that the Password and Password MFA
129
+ * flows are on the same endpoint, so if you want to support one and
130
+ * not the other, set this variable.
131
+ */
132
+ validFlows?: string[];
133
+ }
134
+ /**
135
+ * Returned by the authorize endpoint
136
+ */
137
+ export interface AuthorizationCodeFlowReturn {
138
+ ok: boolean;
139
+ error?: string;
140
+ error_description?: string;
141
+ }
142
+ /**
143
+ * Returned by the token endpoint
144
+ */
145
+ export interface TokenReturn extends OAuthTokenResponse {
146
+ ok: boolean;
147
+ id_payload?: {
148
+ [key: string]: any;
149
+ };
150
+ }
151
+ /**
152
+ * Returned by the redirect URI endpoint
153
+ */
154
+ export interface RedirectUriReturn extends OAuthTokenResponse {
155
+ ok: boolean;
156
+ }
157
+ /**
158
+ * The SvelteKit version of the OAuth client.
159
+ *
160
+ * Makes requests to an authorization server, using a configurable set
161
+ * of flows, which sends back errors or tokens,
162
+ *
163
+ * When constructing this class, you define what happens with tokens that
164
+ * are returned, or errors that are returned. You do this with the
165
+ * configuration options {@link SvelteKitOAuthClientOptions.tokenResponseType}
166
+ * and {@link SvelteKitOAuthClientOptions.errorResponseType}.
167
+ *
168
+ * **{@link SvelteKitOAuthClientOptions.tokenResponseType}**
169
+ *
170
+ * - `sendJson` the token response is sent as-is as a JSON Response.
171
+ * In addition to the `token` endpoint response fields,
172
+ * `ok: true` and `id_payload` with the decoded
173
+ * payload of the ID token are retruned.
174
+ * This method should be used
175
+ * with `get`/ `post` endpoints, not `load`/`actions`.
176
+ * - `saveInSessionAndLoad` the response fields are saved in the `data`
177
+ * field of the session ID in key storage. In addition, `expires_at` is
178
+ * set to the number of seconds since Epoch that the access token expires
179
+ * at. When using this method, you should define a SvelteKit page
180
+ * in your routes and put the the `load` (GET methods) or `actions`
181
+ * (POST methods) function for each endpoint
182
+ * in the route's `+page.server.ts`.
183
+ * A consequence is the query parameters passed to the
184
+ * redirect Uri are displayed in the address bar, as the response
185
+ * is to the redirect to the redirect Uri.
186
+ * - saveInSessionAndRedirect` same as `saveInSessionAndLoad` except that
187
+ * a redirect is done to the `authorizedUrl`. As an alternative to using `load`
188
+ * or `actions` method in a `+page.server.ts`, you can use the `get`
189
+ * or `post` method in a `+server.ts`.
190
+ * - saveInSessionAndReturn` same as `saveInSessionAndLoad` except that
191
+ * a JSON response is returned`. Instead of using the `load`
192
+ * or `actions` method in a `+page.server.ts`, you should use the `get`
193
+ * or `post` method in a `+server.ts`.
194
+ * - `sendInPage` same as `saveinSessionAndLoad` except the tokens are
195
+ * not saved in the session. Use the `load`/`actions` function in your
196
+ * `+page.server.ts`.
197
+ * - `custom` the function in
198
+ * {@link SvelteKitOAuthClientOptions.receiveTokenFn} is called. If
199
+ * using `get` or `post` methods, your functiin should return
200
+ * a Response. If using `load` and `actions` ir shouls ewruen
201
+ * an object for passing in `data` or `form` exports.
202
+ *
203
+ * **{@link SvelteKitOAuthClientOptions.errorResponseType}**
204
+ *
205
+ * - `sendJson` a JSON response is sent with fields
206
+ * `status`, `errorMessage`,
207
+ * `errorMessages` and `errorCodeName`.
208
+ * - `svelteKitError` calls the SvelteKit `error` function (the one
209
+ * provided in the options to {@link SvelteKitServe}).
210
+ * - `custom` {@link SvelteKitOAuthClientOptions.errorFn} is called.
211
+ *
212
+ * Note that this parameter is only used when you are using the `get`/`post`
213
+ * endpoints, not the `load`/ `actions` ones. The latter return the error in
214
+ * the PageData from the load.
215
+ *
216
+ * **Backend-for-Frontend (BFF)**
217
+ *
218
+ * This class supports the backend-for-frontend (BFF) model.
219
+ * This pattern avoids you having to store the access token in the frontend.
220
+
221
+ * For this to work
222
+ * you should set @link SvelteKitOAuthClientOptions.tokenResponseType} to
223
+ * `saveInSessionAndLoad` or `saveInSessionAndRedirect`. Then to call
224
+ * your resource server functions, you call then on a URL on this client
225
+ * rather than the resource server directly. The client backend will
226
+ * attach the access token, and also refresh the token automatically if
227
+ * expired.
228
+ *
229
+ * You need to provide the following options:
230
+ * - `bffBaseUrl` - the resource server URL, eg `http://resserver.com`
231
+ * - `bffEndpointName` - the prefix for BFF endpoints on this server.
232
+ * Eg if your BFF URL on this server is in `routes/bff` then
233
+ * set `bffEndpointName` to `/bff`.
234
+ *
235
+ * You may optionally also se `bffEndpoints`.
236
+ *
237
+ * To sue BFF, first set `tokenResponseType` to
238
+ * `saveInSessionAndLoad` or `saveInSessionAndRedirect` and set `bffBaseUrl`
239
+ * and `bffEndpointName`. THen create a route in your `routes` called
240
+ * *bffEndpointName*`/`*someMethod* with a `+server.ts`. In that `+server.ts`,
241
+ * create a `GET` and/or `POST` endpoint with
242
+ * `bffEndpoint.get` or `bffEndpoint.post`. The request will be forwarded
243
+ * to *bffBaseUrl*`/`*someMethod* with the the body and query parameters
244
+ * taken from your query and with the access token attached as the
245
+ * `Authorization` header. The resulting JSON and HTTP status will be returned.
246
+ *
247
+ * If you have a lot of endpoints, you may instead prefer to create a single
248
+ * one, eg as `routes/[...method]` and use `allBffEndpoint.get` or `.post` .
249
+ * Put all valid BFF endpoints in the `bffEndpoints` option. If, for one
250
+ * of these endpoints, eg `method`, you set `matchSubUrls` to true, then
251
+ * `method/XXX`, `method/YYY` will match as well as `method`.
252
+ *
253
+ * **Endpoints provided by this class**
254
+ *
255
+ * | Name | Description | PageData (returned by load) or JSON returned by get/post | ActionData (return by actions) | Form fields expected by actions or post/get input data |
256
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
257
+ * | authorizationCodeFlowEndpoint | Starts the authorization code flow. | None - redirects to `redirect_uri` | *Not provided* | - `scope` |
258
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
259
+ * | authorizationCodeFlowWithPKCEEndpoint | Starts the authorization code flow with PKCE. | None - redirects to `redirect_uri` | *Not provided* | - `scope` |
260
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
261
+ * | redirectUriEndpoint | Redirect Uri for authorization code flows | See {@link OAuthTokenResponse} | *Not provided* | As per OAuth Authorization Code Flow spec |
262
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
263
+ * | clientCredentialsFlowEndpoint | Executes the client credentials flow | *Not provided* | See {@link OAuthTokenResponse} | As per OAuth Client Credentials Flow spec |
264
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
265
+ * | refreshTokenFlowEndpoint | Executes the refresh token flow | *Not provided* | See {@link OAuthTokenResponse} | As per OAuth Refresh Token Flow spec |
266
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
267
+ * | refreshTokensIfExpiredEndpoint | Executes the refresh token flow only if access token expired | *Not provided* | See {@link OAuthTokenResponse} | As per OAuth Refresh Token Flow spec or nothing |
268
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
269
+ * | autoRefreshTokensIfExpiredEndpoint | Same as refreshTokensIfExpiredEndpoint but only returns an object, no redirect | *Not provided* | See {@link OAuthTokenResponse} | As per OAuth Refresh Token Flow spec or nothing |
270
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
271
+ * | refreshTokensIfExpiredEndpoint | Same as refreshTokenFlowEndpoint but only returns an object, no redirect | *Not provided* | See {@link OAuthTokenResponse} | As per OAuth Refresh Token Flow spec or nothing |
272
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
273
+ * | passwordFlowEndpoint | | *Not provided* | `password` | |
274
+ * | | Executes the password flow only with out without MFA | | - See {@link OAuthTokenResponse}. Returns password flow response if no MFA, MFA challenge response if user has 2FA | See OAuth password flow or Auth0 Password with MFA password flow specs |
275
+ * | | | | `passwordOtp` | |
276
+ * | | Pass OTP for Password MFA flow | | - See {@link OAuthTokenResponse}. Returns Password MFA challenge response if user has 2FA | See Auth0 Password with MFA password flow specs |
277
+ * | | | | `passwordOob` | |
278
+ * | | Pass OOB for Password MFA flow | | - See {@link OAuthTokenResponse}. Returns Password MFA challenge response if user has 2FA | See Auth0 Password with MFA password flow specs |
279
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
280
+ * | passwordOtp Endpoint | `post` is same as `passwordOtp` action above | *Not provided* | See {@link OAuthTokenResponse}. Returns MFA challenge response if user has 2FA | See OAuth password flow or Auth0 Password with MFA password flow specs |
281
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
282
+ * | passwordOob Endpoint | `post` is same as `passwordOob` action above | *Not provided* | See {@link OAuthTokenResponse}. Returns MFA challenge response if user has 2FA | See OAuth password flow or Auth0 Password with MFA password flow specs |
283
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
284
+ * | bffEndpoint | BFF resource server request. See class documentation | As per the corresponding resource server endpoint | As per the correspoinding resource server endpoint | As per the corresponding resource server endpoint |
285
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
286
+ * | allBffEndpoint | BFF resource server request. See class documentation | As per the corresponding resource server endpoint | As per the correspoinding resource server endpoint | As per the corresponding resource server endpoint |
287
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
288
+ * | accessTokenEndpoint | For BFF only, return the access token payload or error | JSON of the access token payload | *Not provided* | |
289
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
290
+ * | refreshTokenEndpoint | For BFF only, return the refresh token payload or error | JSON of the refresh token payload | *Not provided* | |
291
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
292
+ * | idTokenEndpoint | For BFF only, return the id token payload or error | POST: JSON of the id token payload | *Not provided* | |
293
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
294
+ * | havAeccessTokenEndpoint | For BFF only, return whether access token present | POST: `ok` of false or true | *Not provided* | |
295
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
296
+ * | haveRefreshTokenEndpoint | For BFF only, return whether refresh token present | POST: `ok` of false or true | *Not provided* | |
297
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
298
+ * | haveIdTokenEndpoint | For BFF only, return whether id token present | POST: `ok` of false or true | *Not provided* | |
299
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
300
+ * | tokensEndpoint | For BFF only, return a JSON object of all of the above | POST: All of the above, keyed on `access_token`, `have_access_token`, etc. | *Not provided* | |
301
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
302
+ * | deleteTokensEndpoint | For BFF only, deletes tokens saved for session | POST: `ok` of false or true | `default`: `ok` of false or true | *None* |
303
+ * | ------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------- |
304
+ */
305
+ export declare class SvelteKitOAuthClient extends OAuthClientBackend {
306
+ server: SvelteKitServer;
307
+ sessionDataName: string;
308
+ private receiveTokenFn;
309
+ readonly errorFn: SvelteKitErrorFn;
310
+ private loginUrl;
311
+ private validFlows;
312
+ authorizedUrl: string;
313
+ private autoRefreshActive;
314
+ readonly redirect: any;
315
+ readonly error: any;
316
+ /**
317
+ * See {@link FastifyOAuthClientOptions}
318
+ */
319
+ loginProtectedFlows: string[];
320
+ private tokenResponseType;
321
+ private errorResponseType;
322
+ private bffEndpoints;
323
+ private bffEndpointName;
324
+ private bffBaseUrl?;
325
+ private tokenEndpoints;
326
+ private bffMaxTries;
327
+ private bffSleepMilliseconds;
328
+ /**
329
+ * Constructor
330
+ * @param server the {@link FastifyServer} instance
331
+ * @param authServerBaseUrl the `iss` claim in the access token must match this value
332
+ * @param options See {@link FastifyOAuthClientOptions}
333
+ */
334
+ constructor(server: SvelteKitServer, authServerBaseUrl: string, options: SvelteKitOAuthClientOptions);
335
+ private passwordPost;
336
+ private passwordMfa;
337
+ private passwordOtp;
338
+ private passwordOob;
339
+ private refresh;
340
+ private refreshTokens;
341
+ private passwordFlow_post;
342
+ private passwordFlow_action;
343
+ /**
344
+ * Call a resource on the resource server, passing in the access token
345
+ * along with the body from the event and, unless overridden, the URL.
346
+ *
347
+ * It is probably easier to use `bffEndpoint` instead of this method.
348
+ * However you can use this if you need to pass custom headers or want
349
+ * to specify the URL manually.
350
+ *
351
+ * @param event the Sveltekit request event
352
+ * @param opts additional data to put in resource server request. You can also override the URL here
353
+ * @returns resource server response
354
+ */
355
+ bff(event: RequestEvent, opts?: {
356
+ method?: "GET" | "POST" | "PUT" | "HEAD" | "OPTIONS" | "PATCH" | "DELETE";
357
+ headers?: Headers;
358
+ url?: string;
359
+ }): Promise<Response>;
360
+ unpack(resp: Response): Promise<{
361
+ status: number;
362
+ body: {
363
+ [key: string]: any;
364
+ };
365
+ error?: string;
366
+ error_description?: string;
367
+ }>;
368
+ pack(ret: {
369
+ [key: string]: any;
370
+ } | undefined | Response): Response;
371
+ /**
372
+ * Ordinarily you would not call this directly but use `allBffEndpoint`.
373
+ *
374
+ * However you can use this if you need to pass custom headers.
375
+ * @param event the Sveltekit request event
376
+ * @param opts additional data to put in resource server request
377
+ * @returns resource server response
378
+ */
379
+ allBff(event: RequestEvent, opts?: {
380
+ method?: "GET" | "POST" | "PUT" | "HEAD" | "OPTIONS" | "PATCH" | "DELETE";
381
+ headers?: Headers;
382
+ }): Promise<Response>;
383
+ private tokenPayload;
384
+ tokens(event: RequestEvent, token: string | string[]): Promise<{
385
+ status: number;
386
+ body?: {
387
+ [key: string]: any;
388
+ };
389
+ }>;
390
+ tokensResponse(event: RequestEvent, token: string | string[]): Promise<Response>;
391
+ private startDeviceCodeFlow_internal;
392
+ private pollDeviceCodeFlow_internal;
393
+ private deleteSessionData;
394
+ readonly authorizationCodeFlowEndpoint: {
395
+ get: (event: RequestEvent) => Promise<Response>;
396
+ load: (event: RequestEvent) => Promise<AuthorizationCodeFlowReturn>;
397
+ };
398
+ readonly authorizationCodeFlowWithPKCEEndpoint: {
399
+ get: (event: RequestEvent) => Promise<Response>;
400
+ load: (event: RequestEvent) => Promise<AuthorizationCodeFlowReturn>;
401
+ };
402
+ readonly redirectUriEndpoint: {
403
+ get: (event: RequestEvent) => Promise<Response | TokenReturn | undefined>;
404
+ load: (event: RequestEvent) => Promise<RedirectUriReturn>;
405
+ };
406
+ readonly clientCredentialsFlowEndpoint: {
407
+ post: (event: RequestEvent) => Promise<Response>;
408
+ actions: {
409
+ default: (event: RequestEvent) => Promise<{}>;
410
+ };
411
+ };
412
+ readonly refreshTokenFlowEndpoint: {
413
+ post: (event: RequestEvent) => Promise<Response>;
414
+ actions: {
415
+ default: (event: RequestEvent) => Promise<{}>;
416
+ };
417
+ };
418
+ readonly refreshTokensIfExpiredEndpoint: {
419
+ post: (event: RequestEvent) => Promise<Response>;
420
+ actions: {
421
+ default: (event: RequestEvent) => Promise<Response | (TokenReturn & {
422
+ expires_at?: number | undefined;
423
+ }) | undefined>;
424
+ };
425
+ };
426
+ readonly autoRefreshTokensIfExpiredEndpoint: {
427
+ post: (event: RequestEvent) => Promise<Response>;
428
+ };
429
+ readonly autoRefreshTokensEndpoint: {
430
+ post: (event: RequestEvent) => Promise<Response>;
431
+ };
432
+ readonly startDeviceCodeFlowEndpoint: {
433
+ actions: {
434
+ default: (event: RequestEvent) => Promise<OAuthDeviceAuthorizationResponse & {
435
+ verification_uri_qrdata?: string | undefined;
436
+ }>;
437
+ };
438
+ post: (event: RequestEvent) => Promise<Response>;
439
+ };
440
+ readonly pollDeviceCodeFlowEndpoint: {
441
+ actions: {
442
+ default: (event: RequestEvent) => Promise<{}>;
443
+ };
444
+ post: (event: RequestEvent) => Promise<Response>;
445
+ };
446
+ readonly passwordFlowEndpoint: {
447
+ post: (event: RequestEvent) => Promise<Response | {
448
+ access_token?: string | undefined;
449
+ refresh_token?: string | undefined;
450
+ id_token?: string | undefined;
451
+ token_type?: string | undefined;
452
+ expires_in?: number | undefined;
453
+ error?: string | undefined;
454
+ error_description?: string | undefined;
455
+ scope?: string | undefined;
456
+ mfa_token?: string | undefined;
457
+ oob_channel?: string | undefined;
458
+ oob_code?: string | undefined;
459
+ challenge_type?: string | undefined;
460
+ binding_method?: string | undefined;
461
+ name?: string | undefined;
462
+ ok: boolean;
463
+ }>;
464
+ actions: {
465
+ password: (event: RequestEvent) => Promise<{}>;
466
+ passwordOtp: (event: RequestEvent) => Promise<{}>;
467
+ passwordOob: (event: RequestEvent) => Promise<{}>;
468
+ };
469
+ };
470
+ readonly passwordOtpEndpoint: {
471
+ post: (event: RequestEvent) => Promise<Response | {
472
+ access_token?: string | undefined;
473
+ refresh_token?: string | undefined;
474
+ id_token?: string | undefined;
475
+ token_type?: string | undefined;
476
+ expires_in?: number | undefined;
477
+ error?: string | undefined;
478
+ error_description?: string | undefined;
479
+ scope?: string | undefined;
480
+ mfa_token?: string | undefined;
481
+ oob_channel?: string | undefined;
482
+ oob_code?: string | undefined;
483
+ challenge_type?: string | undefined;
484
+ binding_method?: string | undefined;
485
+ name?: string | undefined;
486
+ ok: boolean;
487
+ }>;
488
+ actions: {
489
+ default: (event: RequestEvent) => Promise<{}>;
490
+ };
491
+ };
492
+ readonly passwordOobEndpoint: {
493
+ post: (event: RequestEvent) => Promise<Response | {
494
+ access_token?: string | undefined;
495
+ refresh_token?: string | undefined;
496
+ id_token?: string | undefined;
497
+ token_type?: string | undefined;
498
+ expires_in?: number | undefined;
499
+ error?: string | undefined;
500
+ error_description?: string | undefined;
501
+ scope?: string | undefined;
502
+ mfa_token?: string | undefined;
503
+ oob_channel?: string | undefined;
504
+ oob_code?: string | undefined;
505
+ challenge_type?: string | undefined;
506
+ binding_method?: string | undefined;
507
+ name?: string | undefined;
508
+ ok: boolean;
509
+ }>;
510
+ actions: {
511
+ default: (event: RequestEvent) => Promise<{}>;
512
+ };
513
+ };
514
+ readonly deleteTokensEndpoint: {
515
+ post: (event: RequestEvent) => Promise<Response>;
516
+ actions: {
517
+ default: (event: RequestEvent) => Promise<{
518
+ ok: boolean;
519
+ user?: undefined;
520
+ csrfToken?: undefined;
521
+ errorCode?: undefined;
522
+ errorCodeName?: undefined;
523
+ errorMessage?: undefined;
524
+ exception?: undefined;
525
+ } | {
526
+ ok: boolean;
527
+ user: import('@crossauth/common').User | undefined;
528
+ csrfToken: string | undefined;
529
+ errorCode: ErrorCode;
530
+ errorCodeName: string;
531
+ errorMessage: string;
532
+ exception: CrossauthError;
533
+ }>;
534
+ };
535
+ };
536
+ readonly bffEndpoint: {
537
+ post: (event: RequestEvent) => Promise<Response>;
538
+ get: (event: RequestEvent) => Promise<Response>;
539
+ put: (event: RequestEvent) => Promise<Response>;
540
+ head: (event: RequestEvent) => Promise<Response>;
541
+ options: (event: RequestEvent) => Promise<Response>;
542
+ delete: (event: RequestEvent) => Promise<Response>;
543
+ patch: (event: RequestEvent) => Promise<Response>;
544
+ actions: {
545
+ get: (event: RequestEvent) => Promise<{
546
+ status: number;
547
+ body: {
548
+ [key: string]: any;
549
+ };
550
+ error?: string | undefined;
551
+ error_description?: string | undefined;
552
+ }>;
553
+ post: (event: RequestEvent) => Promise<{
554
+ status: number;
555
+ body: {
556
+ [key: string]: any;
557
+ };
558
+ error?: string | undefined;
559
+ error_description?: string | undefined;
560
+ }>;
561
+ };
562
+ };
563
+ readonly allBffEndpoint: {
564
+ post: (event: RequestEvent) => Promise<Response>;
565
+ get: (event: RequestEvent) => Promise<Response>;
566
+ put: (event: RequestEvent) => Promise<Response>;
567
+ head: (event: RequestEvent) => Promise<Response>;
568
+ options: (event: RequestEvent) => Promise<Response>;
569
+ delete: (event: RequestEvent) => Promise<Response>;
570
+ patch: (event: RequestEvent) => Promise<Response>;
571
+ actions: {
572
+ get: (event: RequestEvent) => Promise<{
573
+ status: number;
574
+ body: {
575
+ [key: string]: any;
576
+ };
577
+ error?: string | undefined;
578
+ error_description?: string | undefined;
579
+ }>;
580
+ gpostet: (event: RequestEvent) => Promise<{
581
+ status: number;
582
+ body: {
583
+ [key: string]: any;
584
+ };
585
+ error?: string | undefined;
586
+ error_description?: string | undefined;
587
+ }>;
588
+ put: (event: RequestEvent) => Promise<{
589
+ status: number;
590
+ body: {
591
+ [key: string]: any;
592
+ };
593
+ error?: string | undefined;
594
+ error_description?: string | undefined;
595
+ }>;
596
+ options: (event: RequestEvent) => Promise<{
597
+ status: number;
598
+ body: {
599
+ [key: string]: any;
600
+ };
601
+ error?: string | undefined;
602
+ error_description?: string | undefined;
603
+ }>;
604
+ delete: (event: RequestEvent) => Promise<{
605
+ status: number;
606
+ body: {
607
+ [key: string]: any;
608
+ };
609
+ error?: string | undefined;
610
+ error_description?: string | undefined;
611
+ }>;
612
+ patch: (event: RequestEvent) => Promise<{
613
+ status: number;
614
+ body: {
615
+ [key: string]: any;
616
+ };
617
+ error?: string | undefined;
618
+ error_description?: string | undefined;
619
+ }>;
620
+ };
621
+ };
622
+ readonly accessTokenEndpoint: {
623
+ post: (event: RequestEvent) => Promise<{
624
+ status: number;
625
+ body?: {
626
+ [key: string]: any;
627
+ } | undefined;
628
+ }>;
629
+ actions: {
630
+ default: (event: RequestEvent) => Promise<{
631
+ status: number;
632
+ body?: {
633
+ [key: string]: any;
634
+ } | undefined;
635
+ }>;
636
+ };
637
+ };
638
+ readonly haveAccessTokenEndpoint: {
639
+ post: (event: RequestEvent) => Promise<Response>;
640
+ actions: {
641
+ default: (event: RequestEvent) => Promise<{
642
+ status: number;
643
+ body?: {
644
+ [key: string]: any;
645
+ } | undefined;
646
+ }>;
647
+ };
648
+ };
649
+ readonly refreshTokenEndpoint: {
650
+ post: (event: RequestEvent) => Promise<Response>;
651
+ actions: {
652
+ default: (event: RequestEvent) => Promise<{
653
+ status: number;
654
+ body?: {
655
+ [key: string]: any;
656
+ } | undefined;
657
+ }>;
658
+ };
659
+ };
660
+ readonly haveRefreshTokenEndpoint: {
661
+ post: (event: RequestEvent) => Promise<Response>;
662
+ actions: {
663
+ default: (event: RequestEvent) => Promise<{
664
+ status: number;
665
+ body?: {
666
+ [key: string]: any;
667
+ } | undefined;
668
+ }>;
669
+ };
670
+ };
671
+ readonly idTokenEndpoint: {
672
+ post: (event: RequestEvent) => Promise<Response>;
673
+ actions: {
674
+ default: (event: RequestEvent) => Promise<{
675
+ status: number;
676
+ body?: {
677
+ [key: string]: any;
678
+ } | undefined;
679
+ }>;
680
+ };
681
+ };
682
+ readonly haveIdTokenEndpoint: {
683
+ post: (event: RequestEvent) => Promise<Response>;
684
+ actions: {
685
+ default: (event: RequestEvent) => Promise<{
686
+ status: number;
687
+ body?: {
688
+ [key: string]: any;
689
+ } | undefined;
690
+ }>;
691
+ };
692
+ };
693
+ readonly tokensEndpoint: {
694
+ post: (event: RequestEvent) => Promise<Response>;
695
+ actions: {
696
+ default: (event: RequestEvent) => Promise<{
697
+ status: number;
698
+ body?: {
699
+ [key: string]: any;
700
+ } | undefined;
701
+ }>;
702
+ };
703
+ };
704
+ }