@dainprotocol/oauth2-token-manager 0.1.0

@@ -0,0 +1,785 @@
1
+ interface OAuth2Config {
2
+ clientId: string;
3
+ clientSecret?: string;
4
+ authorizationUrl: string;
5
+ tokenUrl: string;
6
+ redirectUri: string;
7
+ scopes: string[];
8
+ usePKCE?: boolean;
9
+ pkce?: boolean;
10
+ additionalParams?: Record<string, string>;
11
+ extraAuthParams?: Record<string, string>;
12
+ responseRootKey?: string;
13
+ profileUrl?: string;
14
+ userInfoUrl?: string;
15
+ onSuccess?: (userId: string, tokens: OAuth2Token) => Promise<void>;
16
+ }
17
+ interface OAuth2Token {
18
+ accessToken: string;
19
+ refreshToken?: string;
20
+ expiresAt: Date;
21
+ expiresIn?: number;
22
+ tokenType: string;
23
+ scope?: string;
24
+ createdAt?: number;
25
+ raw?: Record<string, any>;
26
+ }
27
+ interface User {
28
+ id: string;
29
+ systemId: string;
30
+ metadata?: Record<string, any>;
31
+ createdAt: Date;
32
+ updatedAt: Date;
33
+ }
34
+ interface UserToken {
35
+ id: string;
36
+ userId: string;
37
+ systemId: string;
38
+ scopeId: string;
39
+ provider: string;
40
+ email?: string;
41
+ token: OAuth2Token;
42
+ createdAt: Date;
43
+ updatedAt: Date;
44
+ }
45
+ interface System {
46
+ id: string;
47
+ name: string;
48
+ description?: string;
49
+ scopes: Scope[];
50
+ metadata?: Record<string, any>;
51
+ createdAt: Date;
52
+ updatedAt: Date;
53
+ }
54
+ interface Scope {
55
+ id: string;
56
+ systemId: string;
57
+ name: string;
58
+ type: 'authentication' | 'access' | 'custom';
59
+ permissions: string[];
60
+ isolated: boolean;
61
+ metadata?: Record<string, any>;
62
+ }
63
+ interface AuthorizationState {
64
+ state: string;
65
+ codeVerifier?: string;
66
+ config: OAuth2Config;
67
+ timestamp: Date;
68
+ metadata?: Record<string, any>;
69
+ }
70
+
71
+ interface CreateUserInput {
72
+ systemId: string;
73
+ metadata?: Record<string, any>;
74
+ email?: string;
75
+ externalId?: string;
76
+ }
77
+ interface UserTokenWithProfile {
78
+ id: string;
79
+ userId: string;
80
+ systemId: string;
81
+ scopeId: string;
82
+ provider: string;
83
+ token: {
84
+ accessToken: string;
85
+ refreshToken?: string;
86
+ expiresAt: Date;
87
+ expiresIn?: number;
88
+ tokenType: string;
89
+ scope?: string;
90
+ createdAt?: number;
91
+ raw?: Record<string, any>;
92
+ };
93
+ createdAt: Date;
94
+ updatedAt: Date;
95
+ user: {
96
+ email?: string;
97
+ name?: string;
98
+ externalId?: string;
99
+ metadata?: Record<string, any>;
100
+ };
101
+ }
102
+ interface ProfileBasedTokenOptions {
103
+ checkProfileEmail?: boolean;
104
+ replaceConflictingTokens?: boolean;
105
+ mergeUserData?: boolean;
106
+ }
107
+ interface StorageAdapter {
108
+ createSystem(system: Omit<System, 'id' | 'createdAt' | 'updatedAt'>): Promise<System>;
109
+ getSystem(id: string): Promise<System | null>;
110
+ updateSystem(id: string, system: Partial<System>): Promise<System>;
111
+ deleteSystem(id: string): Promise<void>;
112
+ listSystems(): Promise<System[]>;
113
+ createScope(scope: Omit<Scope, 'id'>): Promise<Scope>;
114
+ getScope(id: string): Promise<Scope | null>;
115
+ getScopesBySystem(systemId: string): Promise<Scope[]>;
116
+ updateScope(id: string, scope: Partial<Scope>): Promise<Scope>;
117
+ deleteScope(id: string): Promise<void>;
118
+ createUser(user: Omit<User, 'id' | 'createdAt' | 'updatedAt'>): Promise<User>;
119
+ getOrCreateUser(input: CreateUserInput): Promise<User>;
120
+ findUserByEmail(systemId: string, email: string): Promise<User | null>;
121
+ findUserByExternalId(systemId: string, externalId: string): Promise<User | null>;
122
+ getUser(id: string): Promise<User | null>;
123
+ getUsersBySystem(systemId: string): Promise<User[]>;
124
+ updateUser(id: string, user: Partial<User>): Promise<User>;
125
+ deleteUser(id: string): Promise<void>;
126
+ saveToken(token: Omit<UserToken, 'id' | 'createdAt' | 'updatedAt'>): Promise<UserToken>;
127
+ saveTokenWithEmailValidation(userId: string, systemId: string, scopeId: string, provider: string, email: string, token: Omit<UserToken, 'id' | 'createdAt' | 'updatedAt'>): Promise<UserToken>;
128
+ getTokensByUser(userId: string): Promise<UserToken[]>;
129
+ getTokensByUserAndScope(userId: string, scopeId: string): Promise<UserToken[]>;
130
+ getTokensByUserAndProvider(userId: string, provider: string): Promise<UserToken[]>;
131
+ getTokensByUserScopeProvider(userId: string, scopeId: string, provider: string): Promise<UserToken[]>;
132
+ getTokensByScope(systemId: string, scopeId: string): Promise<UserToken[]>;
133
+ getTokensByProvider(systemId: string, provider: string): Promise<UserToken[]>;
134
+ getTokensBySystem(systemId: string): Promise<UserToken[]>;
135
+ findTokensByEmail(email: string, systemId: string): Promise<UserToken[]>;
136
+ findTokensByEmailAndScope(email: string, systemId: string, scopeId: string): Promise<UserToken[]>;
137
+ findTokensByEmailAndProvider(email: string, systemId: string, provider: string): Promise<UserToken[]>;
138
+ findTokenByEmailScopeProvider(email: string, systemId: string, scopeId: string, provider: string): Promise<UserToken | null>;
139
+ getTokensByUserWithProfile(userId: string): Promise<UserTokenWithProfile[]>;
140
+ getTokensByUserAndScopeWithProfile(userId: string, scopeId: string): Promise<UserTokenWithProfile[]>;
141
+ getTokensByUserAndProviderWithProfile(userId: string, provider: string): Promise<UserTokenWithProfile[]>;
142
+ getTokensByUserScopeProviderWithProfile(userId: string, scopeId: string, provider: string): Promise<UserTokenWithProfile[]>;
143
+ getTokensByScopeWithProfile(systemId: string, scopeId: string): Promise<UserTokenWithProfile[]>;
144
+ getTokensBySystemWithProfile(systemId: string): Promise<UserTokenWithProfile[]>;
145
+ findTokensByEmailInUserScopeProvider(userId: string, scopeId: string, provider: string, email: string): Promise<UserToken[]>;
146
+ hasTokenWithEmailInUserScopeProvider(userId: string, scopeId: string, provider: string, email: string): Promise<boolean>;
147
+ replaceTokensByEmailInUserScopeProvider(userId: string, scopeId: string, provider: string, email: string, newToken: Omit<UserToken, 'id' | 'createdAt' | 'updatedAt'>): Promise<UserToken>;
148
+ getTokenById(id: string): Promise<UserToken | null>;
149
+ updateToken(id: string, token: Partial<UserToken>): Promise<UserToken>;
150
+ deleteToken(id: string): Promise<void>;
151
+ deleteTokensByUser(userId: string): Promise<void>;
152
+ deleteTokensByUserAndScope(userId: string, scopeId: string): Promise<void>;
153
+ deleteTokensByUserAndProvider(userId: string, provider: string): Promise<void>;
154
+ saveAuthorizationState(state: AuthorizationState): Promise<void>;
155
+ getAuthorizationState(state: string): Promise<AuthorizationState | null>;
156
+ deleteAuthorizationState(state: string): Promise<void>;
157
+ cleanupExpiredStates(expiryMs: number): Promise<void>;
158
+ }
159
+
160
+ interface UserProfile {
161
+ email: string;
162
+ name?: string;
163
+ id?: string;
164
+ avatar?: string;
165
+ username?: string;
166
+ raw?: Record<string, any>;
167
+ }
168
+ interface ProfileFetcher {
169
+ /**
170
+ * Fetch user profile using an access token
171
+ * @param accessToken The OAuth access token
172
+ * @returns Promise resolving to user profile information
173
+ */
174
+ fetchProfile(accessToken: string): Promise<UserProfile>;
175
+ /**
176
+ * Get the profile endpoint URL for this provider
177
+ * @returns The URL used to fetch user profiles
178
+ */
179
+ getProfileEndpoint(): string;
180
+ }
181
+
182
+ interface AuthorizationUrlStrategy {
183
+ generateAuthorizationUrl(config: OAuth2Config, state: string, codeChallenge?: string): string;
184
+ }
185
+
186
+ interface TokenExchangeStrategy {
187
+ exchangeCodeForToken(code: string, config: OAuth2Config, codeVerifier?: string): Promise<OAuth2Token>;
188
+ refreshToken(refreshToken: string, config: OAuth2Config): Promise<OAuth2Token>;
189
+ }
190
+
191
+ declare abstract class BaseProfileFetcher {
192
+ protected profileEndpoint: string;
193
+ constructor(profileEndpoint: string);
194
+ /**
195
+ * Fetch user profile information from the OAuth provider
196
+ * @param accessToken The OAuth access token
197
+ * @returns Promise resolving to standardized user profile
198
+ */
199
+ fetchUserInfo(accessToken: string): Promise<UserProfile>;
200
+ /**
201
+ * Map the raw API response to our standardized UserProfile structure
202
+ * Override this method to customize mapping for different providers
203
+ */
204
+ protected abstract mapToUserProfile(rawData: any): UserProfile;
205
+ /**
206
+ * Get additional headers if needed for the profile request
207
+ * Override this method to add provider-specific headers
208
+ */
209
+ protected getAdditionalHeaders(): Record<string, string>;
210
+ /**
211
+ * Get the profile endpoint URL
212
+ */
213
+ getEndpoint(): string;
214
+ }
215
+
216
+ declare abstract class OAuth2Provider {
217
+ protected config: OAuth2Config;
218
+ protected authUrlStrategy: AuthorizationUrlStrategy;
219
+ protected tokenStrategy: TokenExchangeStrategy;
220
+ protected profileFetcher?: BaseProfileFetcher;
221
+ constructor(config: OAuth2Config, authUrlStrategy?: AuthorizationUrlStrategy, tokenStrategy?: TokenExchangeStrategy, profileFetcher?: BaseProfileFetcher);
222
+ protected abstract createAuthorizationUrlStrategy(): AuthorizationUrlStrategy;
223
+ protected abstract createTokenExchangeStrategy(): TokenExchangeStrategy;
224
+ fetchProfile(accessToken: string): Promise<UserProfile>;
225
+ getProfileEndpoint(): string;
226
+ setProfileFetcher(profileFetcher: BaseProfileFetcher): void;
227
+ hasProfileFetcher(): boolean;
228
+ generateAuthorizationUrl(state: string, codeChallenge?: string): string;
229
+ exchangeCodeForToken(code: string, codeVerifier?: string): Promise<OAuth2Token>;
230
+ refreshToken(refreshToken: string): Promise<OAuth2Token>;
231
+ }
232
+
233
+ interface OAuth2GranularOperations {
234
+ createUserInSystem(systemId: string, options: UserCreationOptions): Promise<User>;
235
+ getOrCreateUserInSystem(systemId: string, options: UserCreationOptions): Promise<User>;
236
+ getUserById(userId: string): Promise<User | null>;
237
+ findUserByEmailInSystem(systemId: string, email: string): Promise<User | null>;
238
+ findUserByExternalIdInSystem(systemId: string, externalId: string): Promise<User | null>;
239
+ getUsersBySystem(systemId: string): Promise<User[]>;
240
+ saveTokenForUser(userId: string, systemId: string, scopeId: string, provider: string, email: string, token: OAuth2Token): Promise<UserToken>;
241
+ getTokensByUser(userId: string): Promise<UserToken[]>;
242
+ getTokensByUserAndScope(userId: string, scopeId: string): Promise<UserToken[]>;
243
+ getTokensByUserAndProvider(userId: string, provider: string): Promise<UserToken[]>;
244
+ getTokensByUserScopeProvider(userId: string, scopeId: string, provider: string): Promise<UserToken[]>;
245
+ getTokensByScope(systemId: string, scopeId: string): Promise<UserToken[]>;
246
+ getTokensByProvider(systemId: string, provider: string): Promise<UserToken[]>;
247
+ getTokensBySystem(systemId: string): Promise<UserToken[]>;
248
+ findTokensByEmail(email: string, systemId: string): Promise<UserToken[]>;
249
+ findTokensByEmailAndScope(email: string, systemId: string, scopeId: string): Promise<UserToken[]>;
250
+ findTokensByEmailAndProvider(email: string, systemId: string, provider: string): Promise<UserToken[]>;
251
+ findTokenByEmailScopeProvider(email: string, systemId: string, scopeId: string, provider: string): Promise<UserToken | null>;
252
+ getValidTokenByEmail(email: string, systemId: string, scopeId: string, provider: string, options?: TokenOptions): Promise<OAuth2Token>;
253
+ getAccessTokenByEmail(email: string, systemId: string, scopeId: string, provider: string, options?: TokenOptions): Promise<string>;
254
+ withValidTokenByEmail<T>(email: string, systemId: string, scopeId: string, provider: string, callback: (accessToken: string) => Promise<T>, options?: TokenOptions): Promise<T>;
255
+ getAllValidTokensForUser(userId: string, options?: TokenOptions): Promise<{
256
+ provider: string;
257
+ scopeId: string;
258
+ token: OAuth2Token;
259
+ userToken: UserToken;
260
+ }[]>;
261
+ getAllValidTokensForUserScopeProvider(userId: string, scopeId: string, provider: string, options?: TokenOptions): Promise<{
262
+ email: string;
263
+ token: OAuth2Token;
264
+ userToken: UserToken;
265
+ }[]>;
266
+ getAllValidTokensForEmail(email: string, systemId: string, options?: TokenOptions): Promise<{
267
+ provider: string;
268
+ scopeId: string;
269
+ token: OAuth2Token;
270
+ userToken: UserToken;
271
+ }[]>;
272
+ hasTokensForUserScopeProvider(userId: string, scopeId: string, provider: string): Promise<boolean>;
273
+ hasTokenByEmail(email: string, systemId: string, scopeId: string, provider: string): Promise<boolean>;
274
+ hasTokenWithEmailInUserScopeProvider(userId: string, scopeId: string, provider: string, email: string): Promise<boolean>;
275
+ replaceTokensByEmailInUserScopeProvider(userId: string, scopeId: string, provider: string, email: string, token: OAuth2Token): Promise<UserToken>;
276
+ deleteTokensByUser(userId: string): Promise<void>;
277
+ deleteTokensByUserAndScope(userId: string, scopeId: string): Promise<void>;
278
+ deleteTokensByUserAndProvider(userId: string, provider: string): Promise<void>;
279
+ deleteTokensByUserScopeProvider(userId: string, scopeId: string, provider: string): Promise<void>;
280
+ deleteTokenByEmail(email: string, systemId: string, scopeId: string, provider: string): Promise<void>;
281
+ createSystem(name: string, description?: string): Promise<System>;
282
+ getSystem(systemId: string): Promise<System | null>;
283
+ createScopeInSystem(systemId: string, name: string, options?: {
284
+ type?: 'authentication' | 'access' | 'custom';
285
+ permissions?: string[];
286
+ isolated?: boolean;
287
+ }): Promise<Scope>;
288
+ getScope(scopeId: string): Promise<Scope | null>;
289
+ getScopesBySystem(systemId: string): Promise<Scope[]>;
290
+ }
291
+ declare class OAuth2GranularClient implements OAuth2GranularOperations {
292
+ private storage;
293
+ private providers;
294
+ private now;
295
+ constructor(storage: StorageAdapter, providers: Map<string, OAuth2Provider>, now?: () => number);
296
+ createUserInSystem(systemId: string, options?: UserCreationOptions): Promise<User>;
297
+ getOrCreateUserInSystem(systemId: string, options?: UserCreationOptions): Promise<User>;
298
+ getUserById(userId: string): Promise<User | null>;
299
+ findUserByEmailInSystem(systemId: string, email: string): Promise<User | null>;
300
+ findUserByExternalIdInSystem(systemId: string, externalId: string): Promise<User | null>;
301
+ getUsersBySystem(systemId: string): Promise<User[]>;
302
+ saveTokenForUser(userId: string, systemId: string, scopeId: string, provider: string, email: string, token: OAuth2Token): Promise<UserToken>;
303
+ getTokensByUser(userId: string): Promise<UserToken[]>;
304
+ getTokensByUserAndScope(userId: string, scopeId: string): Promise<UserToken[]>;
305
+ getTokensByUserAndProvider(userId: string, provider: string): Promise<UserToken[]>;
306
+ getTokensByUserScopeProvider(userId: string, scopeId: string, provider: string): Promise<UserToken[]>;
307
+ getTokensByScope(systemId: string, scopeId: string): Promise<UserToken[]>;
308
+ getTokensByProvider(systemId: string, provider: string): Promise<UserToken[]>;
309
+ getTokensBySystem(systemId: string): Promise<UserToken[]>;
310
+ findTokensByEmail(email: string, systemId: string): Promise<UserToken[]>;
311
+ findTokensByEmailAndScope(email: string, systemId: string, scopeId: string): Promise<UserToken[]>;
312
+ findTokensByEmailAndProvider(email: string, systemId: string, provider: string): Promise<UserToken[]>;
313
+ findTokenByEmailScopeProvider(email: string, systemId: string, scopeId: string, provider: string): Promise<UserToken | null>;
314
+ getValidTokenByEmail(email: string, systemId: string, scopeId: string, provider: string, options?: TokenOptions): Promise<OAuth2Token>;
315
+ getAccessTokenByEmail(email: string, systemId: string, scopeId: string, provider: string, options?: TokenOptions): Promise<string>;
316
+ getAllValidTokensForUser(userId: string, options?: TokenOptions): Promise<{
317
+ provider: string;
318
+ scopeId: string;
319
+ token: OAuth2Token;
320
+ userToken: UserToken;
321
+ }[]>;
322
+ getAllValidTokensForUserScopeProvider(userId: string, scopeId: string, provider: string, options?: TokenOptions): Promise<{
323
+ email: string;
324
+ token: OAuth2Token;
325
+ userToken: UserToken;
326
+ }[]>;
327
+ getAllValidTokensForEmail(email: string, systemId: string, options?: TokenOptions): Promise<{
328
+ provider: string;
329
+ scopeId: string;
330
+ token: OAuth2Token;
331
+ userToken: UserToken;
332
+ }[]>;
333
+ withValidTokenByEmail<T>(email: string, systemId: string, scopeId: string, provider: string, callback: (accessToken: string) => Promise<T>, options?: TokenOptions): Promise<T>;
334
+ hasTokensForUserScopeProvider(userId: string, scopeId: string, provider: string): Promise<boolean>;
335
+ hasTokenByEmail(email: string, systemId: string, scopeId: string, provider: string): Promise<boolean>;
336
+ hasTokenWithEmailInUserScopeProvider(userId: string, scopeId: string, provider: string, email: string): Promise<boolean>;
337
+ replaceTokensByEmailInUserScopeProvider(userId: string, scopeId: string, provider: string, email: string, token: OAuth2Token): Promise<UserToken>;
338
+ deleteTokensByUser(userId: string): Promise<void>;
339
+ deleteTokensByUserAndScope(userId: string, scopeId: string): Promise<void>;
340
+ deleteTokensByUserAndProvider(userId: string, provider: string): Promise<void>;
341
+ deleteTokensByUserScopeProvider(userId: string, scopeId: string, provider: string): Promise<void>;
342
+ deleteTokenByEmail(email: string, systemId: string, scopeId: string, provider: string): Promise<void>;
343
+ createSystem(name: string, description?: string): Promise<System>;
344
+ getSystem(systemId: string): Promise<System | null>;
345
+ createScopeInSystem(systemId: string, name: string, options?: {
346
+ type?: 'authentication' | 'access' | 'custom';
347
+ permissions?: string[];
348
+ isolated?: boolean;
349
+ }): Promise<Scope>;
350
+ getScope(scopeId: string): Promise<Scope | null>;
351
+ getScopesBySystem(systemId: string): Promise<Scope[]>;
352
+ private isTokenExpired;
353
+ }
354
+
355
+ interface OAuth2Options {
356
+ storage?: StorageAdapter;
357
+ sealKey?: string;
358
+ providers?: Record<string, OAuth2Config>;
359
+ }
360
+ interface AuthorizationOptions {
361
+ provider: string;
362
+ scopes?: string[];
363
+ metadata?: Record<string, any>;
364
+ usePKCE?: boolean;
365
+ userId?: string;
366
+ }
367
+ interface TokenOptions {
368
+ autoRefresh?: boolean;
369
+ refreshBuffer?: number;
370
+ expirationBuffer?: number;
371
+ defaultExpiresIn?: number;
372
+ }
373
+ interface UserCreationOptions {
374
+ email?: string;
375
+ externalId?: string;
376
+ metadata?: Record<string, any>;
377
+ }
378
+ interface CallbackOptions {
379
+ userId?: string;
380
+ scopeId?: string;
381
+ profileOptions?: ProfileBasedTokenOptions;
382
+ }
383
+ interface CallbackResult {
384
+ userToken: UserToken;
385
+ userId: string;
386
+ systemId: string;
387
+ scopeId: string;
388
+ provider: string;
389
+ profile?: UserProfile;
390
+ }
391
+ declare class OAuth2Client {
392
+ private storage;
393
+ private providerFactory;
394
+ private providers;
395
+ private providerConfigs;
396
+ private now;
397
+ private currentSystem?;
398
+ private currentUser?;
399
+ private defaultScope?;
400
+ readonly granular: OAuth2GranularOperations;
401
+ constructor(options?: OAuth2Options);
402
+ /**
403
+ * Quick setup for common use cases
404
+ */
405
+ static quickSetup(appName: string, providers: Record<string, OAuth2Config>): Promise<OAuth2Client>;
406
+ /**
407
+ * Register a provider configuration
408
+ */
409
+ registerProvider(name: string, config: OAuth2Config): void;
410
+ /**
411
+ * Create or select a system to work with
412
+ */
413
+ createSystem(name: string, description?: string): Promise<System>;
414
+ useSystem(systemId: string): Promise<void>;
415
+ /**
416
+ * Create a scope within the current system
417
+ */
418
+ createScope(name: string, options?: {
419
+ type?: 'authentication' | 'access' | 'custom';
420
+ permissions?: string[];
421
+ isolated?: boolean;
422
+ }): Promise<Scope>;
423
+ setDefaultScope(scopeId: string): void;
424
+ /**
425
+ * Create a user (legacy method - always creates new user)
426
+ * @deprecated Use getOrCreateUser for better user management
427
+ */
428
+ createUser(metadata?: Record<string, any>): Promise<User>;
429
+ /**
430
+ * Get or create a user (recommended method)
431
+ */
432
+ getOrCreateUser(options?: UserCreationOptions): Promise<User>;
433
+ /**
434
+ * Get or create a user (stateless version for backend APIs)
435
+ */
436
+ getOrCreateUserStateless(systemId: string, options?: UserCreationOptions): Promise<User>;
437
+ /**
438
+ * Start authorization flow for a specific user (stateless backend API method)
439
+ */
440
+ authorizeForUser(userId: string, provider: string, options?: {
441
+ systemId?: string;
442
+ scopeId?: string;
443
+ scopes?: string[];
444
+ metadata?: Record<string, any>;
445
+ usePKCE?: boolean;
446
+ }): Promise<{
447
+ url: string;
448
+ state: string;
449
+ }>;
450
+ /**
451
+ * Complete workflow: get/create user and start authorization (for backend APIs)
452
+ */
453
+ createUserAndAuthorize(systemId: string, provider: string, userOptions: UserCreationOptions, authOptions?: {
454
+ scopeId?: string;
455
+ scopes?: string[];
456
+ metadata?: Record<string, any>;
457
+ usePKCE?: boolean;
458
+ }): Promise<{
459
+ user: User;
460
+ authUrl: string;
461
+ state: string;
462
+ }>;
463
+ /**
464
+ * Find user by email
465
+ */
466
+ findUserByEmail(email: string): Promise<User | null>;
467
+ /**
468
+ * Find user by email (stateless version)
469
+ */
470
+ findUserByEmailStateless(systemId: string, email: string): Promise<User | null>;
471
+ /**
472
+ * Find user by external ID
473
+ */
474
+ findUserByExternalId(externalId: string): Promise<User | null>;
475
+ /**
476
+ * Find user by external ID (stateless version)
477
+ */
478
+ findUserByExternalIdStateless(systemId: string, externalId: string): Promise<User | null>;
479
+ useUser(userId: string): Promise<void>;
480
+ /**
481
+ * Start the OAuth authorization flow
482
+ */
483
+ authorize(options: AuthorizationOptions): Promise<{
484
+ url: string;
485
+ state: string;
486
+ }>;
487
+ /**
488
+ * Handle the OAuth callback
489
+ */
490
+ handleCallback(code: string, state: string, options?: CallbackOptions): Promise<CallbackResult>;
491
+ /**
492
+ * Merge user data from OAuth profile
493
+ */
494
+ private mergeUserDataFromProfile;
495
+ /**
496
+ * Fetch user profile for a given provider and user
497
+ * Note: If user has multiple tokens for the provider, this will fail.
498
+ * Use fetchUserProfileByEmail() for unambiguous profile fetching.
499
+ */
500
+ fetchUserProfile(provider: string, userId?: string): Promise<UserProfile>;
501
+ /**
502
+ * Fetch user profile by email (unambiguous)
503
+ */
504
+ fetchUserProfileByEmail(provider: string, email: string, systemId?: string, scopeId?: string): Promise<UserProfile>;
505
+ /**
506
+ * Replace tokens for users with conflicting email addresses
507
+ */
508
+ replaceConflictingTokensByEmail(email: string, provider: string, newUserId: string, newToken: OAuth2Token): Promise<UserToken>;
509
+ /**
510
+ * Check if a token is expired
511
+ */
512
+ isTokenExpired(token: OAuth2Token, options?: TokenOptions): boolean;
513
+ /**
514
+ * Get a valid access token (auto-refresh if needed)
515
+ * Uses current context (user + default scope)
516
+ */
517
+ getAccessToken(provider: string, options?: TokenOptions): Promise<string>;
518
+ /**
519
+ * Get access token by email (unambiguous)
520
+ */
521
+ getAccessTokenByEmail(email: string, systemId: string, scopeId: string, provider: string, options?: TokenOptions): Promise<string>;
522
+ /**
523
+ * Ensure we have a valid token, refreshing if needed
524
+ * Uses current context (user + default scope)
525
+ */
526
+ ensureValidToken(provider: string, options?: TokenOptions): Promise<OAuth2Token>;
527
+ /**
528
+ * Execute a callback with a valid access token
529
+ * Uses current context (user + default scope)
530
+ */
531
+ withValidToken<T>(provider: string, callback: (accessToken: string) => Promise<T>, options?: TokenOptions): Promise<T>;
532
+ /**
533
+ * Get user token entity (includes all metadata) for specific user
534
+ */
535
+ getUserTokenForUser(userId: string, _systemId: string, scopeId: string, provider: string): Promise<UserToken | null>;
536
+ /**
537
+ * Check if token exists for specific user/provider combination
538
+ */
539
+ hasTokenForUser(userId: string, _systemId: string, scopeId: string, provider: string): Promise<boolean>;
540
+ /**
541
+ * Revoke tokens for a specific user and provider (stateless method)
542
+ * This removes ALL tokens for the user/scope/provider combination
543
+ */
544
+ revokeTokensForUser(userId: string, _systemId: string, scopeId: string, provider: string): Promise<void>;
545
+ /**
546
+ * Revoke tokens for a provider
547
+ */
548
+ revokeTokens(provider: string): Promise<void>;
549
+ /**
550
+ * Get all tokens for the current user
551
+ */
552
+ getUserTokens(): Promise<UserToken[]>;
553
+ /**
554
+ * Get all tokens for a user by ID with validation and auto-refresh
555
+ */
556
+ getAllValidTokensForUser(userId: string, options?: TokenOptions): Promise<{
557
+ provider: string;
558
+ scopeId: string;
559
+ token: OAuth2Token;
560
+ userToken: UserToken;
561
+ }[]>;
562
+ /**
563
+ * Get all valid tokens for a user by email with validation and auto-refresh
564
+ */
565
+ getAllValidTokensForEmail(email: string, systemId?: string, options?: TokenOptions): Promise<{
566
+ provider: string;
567
+ scopeId: string;
568
+ token: OAuth2Token;
569
+ userToken: UserToken;
570
+ }[]>;
571
+ /**
572
+ * Get specific token for an email
573
+ */
574
+ getTokenForEmail(email: string, provider: string, systemId?: string, scopeId?: string): Promise<UserToken | null>;
575
+ /**
576
+ * Get valid token for an email (with auto-refresh)
577
+ */
578
+ getValidTokenForEmail(email: string, provider: string, systemId?: string, scopeId?: string, options?: TokenOptions): Promise<OAuth2Token>;
579
+ /**
580
+ * Get valid access token for an email (with auto-refresh)
581
+ */
582
+ getAccessTokenForEmail(email: string, provider: string, systemId?: string, scopeId?: string, options?: TokenOptions): Promise<string>;
583
+ /**
584
+ * Execute a callback with a valid access token for an email
585
+ */
586
+ withValidTokenForEmail<T>(email: string, provider: string, callback: (accessToken: string) => Promise<T>, systemId?: string, scopeId?: string, options?: TokenOptions): Promise<T>;
587
+ /**
588
+ * Check if token exists for specific email/provider combination
589
+ */
590
+ hasTokenForEmail(email: string, provider: string, systemId?: string, scopeId?: string): Promise<boolean>;
591
+ /**
592
+ * Revoke tokens for a specific email and provider
593
+ */
594
+ revokeTokensForEmail(email: string, provider: string, systemId?: string, scopeId?: string): Promise<void>;
595
+ /**
596
+ * Get tokens by scope (stateless method)
597
+ */
598
+ getTokensByScope(systemId?: string, scopeId?: string): Promise<UserToken[]>;
599
+ /**
600
+ * Find token by email and scope
601
+ */
602
+ findTokenByEmailAndScope(email: string, provider: string, systemId?: string, scopeId?: string): Promise<UserToken | null>;
603
+ /**
604
+ * Find all tokens by email and scope
605
+ */
606
+ findAllTokensByEmailAndScope(email: string, provider: string, systemId?: string, scopeId?: string): Promise<UserToken[]>;
607
+ private detectProviderType;
608
+ /**
609
+ * Clean up expired authorization states
610
+ */
611
+ cleanup(expiryMs?: number): Promise<void>;
612
+ /**
613
+ * Get all valid tokens for a user with OAuth provider profile information (RECOMMENDED FOR UI)
614
+ * This fetches the actual email/profile from each OAuth provider using the access token
615
+ */
616
+ getAllValidTokensWithProviderProfiles(userId: string, options?: TokenOptions): Promise<{
617
+ provider: string;
618
+ scopeId: string;
619
+ token: OAuth2Token;
620
+ userToken: UserToken;
621
+ profile?: UserProfile;
622
+ }[]>;
623
+ /**
624
+ * Get all valid tokens for a user and scope with OAuth provider profile information
625
+ */
626
+ getAllValidTokensForUserAndScopeWithProviderProfiles(userId: string, scopeId: string, options?: TokenOptions): Promise<{
627
+ provider: string;
628
+ token: OAuth2Token;
629
+ userToken: UserToken;
630
+ profile?: UserProfile;
631
+ }[]>;
632
+ /**
633
+ * Get all valid tokens for a user and provider with OAuth provider profile information
634
+ */
635
+ getAllValidTokensForUserAndProviderWithProviderProfiles(userId: string, provider: string, options?: TokenOptions): Promise<{
636
+ scopeId: string;
637
+ token: OAuth2Token;
638
+ userToken: UserToken;
639
+ profile?: UserProfile;
640
+ }[]>;
641
+ /**
642
+ * Get OAuth provider profile for a specific token
643
+ * This fetches the actual email/profile from the OAuth provider using the access token
644
+ */
645
+ getTokenProfile(token: OAuth2Token, provider: string): Promise<UserProfile | null>;
646
+ /**
647
+ * Get OAuth provider profile for a specific user token
648
+ * This fetches the actual email/profile from the OAuth provider using the access token
649
+ */
650
+ getUserTokenProfile(userToken: UserToken): Promise<UserProfile | null>;
651
+ }
652
+
653
+ declare class InMemoryStorageAdapter implements StorageAdapter {
654
+ private systems;
655
+ private scopes;
656
+ private users;
657
+ private tokens;
658
+ private states;
659
+ private generateId;
660
+ createSystem(system: Omit<System, 'id' | 'createdAt' | 'updatedAt'>): Promise<System>;
661
+ getSystem(id: string): Promise<System | null>;
662
+ updateSystem(id: string, updates: Partial<System>): Promise<System>;
663
+ deleteSystem(id: string): Promise<void>;
664
+ listSystems(): Promise<System[]>;
665
+ createScope(scope: Omit<Scope, 'id'>): Promise<Scope>;
666
+ getScope(id: string): Promise<Scope | null>;
667
+ getScopesBySystem(systemId: string): Promise<Scope[]>;
668
+ updateScope(id: string, updates: Partial<Scope>): Promise<Scope>;
669
+ deleteScope(id: string): Promise<void>;
670
+ createUser(user: Omit<User, 'id' | 'createdAt' | 'updatedAt'>): Promise<User>;
671
+ getOrCreateUser(input: CreateUserInput): Promise<User>;
672
+ findUserByEmail(systemId: string, email: string): Promise<User | null>;
673
+ findUserByExternalId(systemId: string, externalId: string): Promise<User | null>;
674
+ getUser(id: string): Promise<User | null>;
675
+ getUsersBySystem(systemId: string): Promise<User[]>;
676
+ updateUser(id: string, updates: Partial<User>): Promise<User>;
677
+ deleteUser(id: string): Promise<void>;
678
+ saveToken(token: Omit<UserToken, 'id' | 'createdAt' | 'updatedAt'>): Promise<UserToken>;
679
+ saveTokenWithEmailValidation(userId: string, systemId: string, scopeId: string, provider: string, email: string, token: Omit<UserToken, 'id' | 'createdAt' | 'updatedAt'>): Promise<UserToken>;
680
+ getTokensByUser(userId: string): Promise<UserToken[]>;
681
+ getTokensByUserAndScope(userId: string, scopeId: string): Promise<UserToken[]>;
682
+ getTokensByUserAndProvider(userId: string, provider: string): Promise<UserToken[]>;
683
+ getTokensByUserScopeProvider(userId: string, scopeId: string, provider: string): Promise<UserToken[]>;
684
+ getTokensByScope(systemId: string, scopeId: string): Promise<UserToken[]>;
685
+ getTokensByProvider(systemId: string, provider: string): Promise<UserToken[]>;
686
+ getTokensBySystem(systemId: string): Promise<UserToken[]>;
687
+ findTokensByEmail(email: string, systemId: string): Promise<UserToken[]>;
688
+ findTokensByEmailAndScope(email: string, systemId: string, scopeId: string): Promise<UserToken[]>;
689
+ findTokensByEmailAndProvider(email: string, systemId: string, provider: string): Promise<UserToken[]>;
690
+ findTokenByEmailScopeProvider(email: string, systemId: string, scopeId: string, provider: string): Promise<UserToken | null>;
691
+ findTokensByEmailInUserScopeProvider(userId: string, scopeId: string, provider: string, email: string): Promise<UserToken[]>;
692
+ hasTokenWithEmailInUserScopeProvider(userId: string, scopeId: string, provider: string, email: string): Promise<boolean>;
693
+ replaceTokensByEmailInUserScopeProvider(userId: string, scopeId: string, provider: string, email: string, newToken: Omit<UserToken, 'id' | 'createdAt' | 'updatedAt'>): Promise<UserToken>;
694
+ getTokenById(id: string): Promise<UserToken | null>;
695
+ updateToken(id: string, updates: Partial<UserToken>): Promise<UserToken>;
696
+ deleteToken(id: string): Promise<void>;
697
+ deleteTokensByUser(userId: string): Promise<void>;
698
+ deleteTokensByUserAndScope(userId: string, scopeId: string): Promise<void>;
699
+ deleteTokensByUserAndProvider(userId: string, provider: string): Promise<void>;
700
+ saveAuthorizationState(state: AuthorizationState): Promise<void>;
701
+ getAuthorizationState(state: string): Promise<AuthorizationState | null>;
702
+ deleteAuthorizationState(state: string): Promise<void>;
703
+ cleanupExpiredStates(expiryMs: number): Promise<void>;
704
+ getTokensByUserWithProfile(userId: string): Promise<UserTokenWithProfile[]>;
705
+ getTokensByUserAndScopeWithProfile(userId: string, scopeId: string): Promise<UserTokenWithProfile[]>;
706
+ getTokensByUserAndProviderWithProfile(userId: string, provider: string): Promise<UserTokenWithProfile[]>;
707
+ getTokensByUserScopeProviderWithProfile(userId: string, scopeId: string, provider: string): Promise<UserTokenWithProfile[]>;
708
+ getTokensByScopeWithProfile(systemId: string, scopeId: string): Promise<UserTokenWithProfile[]>;
709
+ getTokensBySystemWithProfile(systemId: string): Promise<UserTokenWithProfile[]>;
710
+ }
711
+
712
+ type ProviderType = 'google' | 'github' | 'microsoft' | 'outlook' | 'facebook' | 'generic';
713
+ interface ProviderFactory {
714
+ createProvider(type: ProviderType, config: OAuth2Config): OAuth2Provider;
715
+ }
716
+
717
+ declare class StandardTokenExchangeStrategy implements TokenExchangeStrategy {
718
+ protected buildUrlParams(params: Record<string, string | undefined>): string;
719
+ exchangeCodeForToken(code: string, config: OAuth2Config, codeVerifier?: string): Promise<OAuth2Token>;
720
+ refreshToken(refreshToken: string, config: OAuth2Config): Promise<OAuth2Token>;
721
+ }
722
+
723
+ declare class StandardAuthorizationUrlStrategy implements AuthorizationUrlStrategy {
724
+ protected buildUrlParams(params: Record<string, string | undefined>): string;
725
+ generateAuthorizationUrl(config: OAuth2Config, state: string, codeChallenge?: string): string;
726
+ }
727
+
728
+ declare class GenericOAuth2Provider extends OAuth2Provider {
729
+ constructor(config: any, authUrlStrategy?: AuthorizationUrlStrategy, tokenStrategy?: TokenExchangeStrategy, profileFetcher?: BaseProfileFetcher);
730
+ protected createAuthorizationUrlStrategy(): AuthorizationUrlStrategy;
731
+ protected createTokenExchangeStrategy(): TokenExchangeStrategy;
732
+ }
733
+
734
+ declare class GoogleProfileFetcher extends BaseProfileFetcher {
735
+ constructor();
736
+ mapToUserProfile(rawData: any): UserProfile;
737
+ }
738
+
739
+ declare class GitHubProfileFetcher extends BaseProfileFetcher {
740
+ constructor();
741
+ protected mapToUserProfile(rawData: any): UserProfile;
742
+ protected getAdditionalHeaders(): Record<string, string>;
743
+ }
744
+
745
+ declare class MicrosoftProfileFetcher extends BaseProfileFetcher {
746
+ constructor();
747
+ protected mapToUserProfile(rawData: any): UserProfile;
748
+ }
749
+
750
+ interface ProfileMapping {
751
+ email: string;
752
+ name?: string;
753
+ id?: string;
754
+ avatar?: string;
755
+ username?: string;
756
+ }
757
+ declare class GenericProfileFetcher extends BaseProfileFetcher {
758
+ private mapping?;
759
+ private additionalHeaders?;
760
+ constructor(profileEndpoint: string, mapping?: ProfileMapping | undefined, additionalHeaders?: Record<string, string> | undefined);
761
+ protected mapToUserProfile(rawData: any): UserProfile;
762
+ protected getAdditionalHeaders(): Record<string, string>;
763
+ private getNestedProperty;
764
+ }
765
+
766
+ interface ProfileFetcherOptions {
767
+ profileUrl?: string;
768
+ profileMapping?: ProfileMapping;
769
+ profileHeaders?: Record<string, string>;
770
+ }
771
+ declare class ProfileFetcherFactory {
772
+ static createProfileFetcher(providerType: ProviderType, config: OAuth2Config, options?: ProfileFetcherOptions): BaseProfileFetcher;
773
+ static registerCustomProfileFetcher(providerName: string, profileFetcher: BaseProfileFetcher): void;
774
+ private static customFetchers;
775
+ static getCustomProfileFetcher(providerName: string): BaseProfileFetcher | undefined;
776
+ }
777
+
778
+ declare const createCodeVerifier: () => string;
779
+ declare const createCodeChallenge: (verifier: string) => string;
780
+ declare const generateState: () => string;
781
+
782
+ declare const seal: <T>(d: T, key: string) => Promise<string>;
783
+ declare const unseal: <T>(s: string, key: string) => Promise<T>;
784
+
785
+ export { type AuthorizationState, type AuthorizationUrlStrategy, BaseProfileFetcher, type CreateUserInput, GenericOAuth2Provider, GenericProfileFetcher, GitHubProfileFetcher, GoogleProfileFetcher, InMemoryStorageAdapter, MicrosoftProfileFetcher, OAuth2Client, type OAuth2Config, OAuth2GranularClient, OAuth2Provider, type OAuth2Token, type ProfileFetcher, ProfileFetcherFactory, type ProfileFetcherOptions, type ProfileMapping, type ProviderFactory, type ProviderType, type Scope, StandardAuthorizationUrlStrategy, StandardTokenExchangeStrategy, type StorageAdapter, type System, type TokenExchangeStrategy, type User, type UserProfile, type UserToken, type UserTokenWithProfile, createCodeChallenge, createCodeVerifier, generateState, seal, unseal };