@deque/axe-auth 1.1.0-next.907ffbd7 → 1.1.0-next.9310ae44

package/dist/oauth/index.d.ts

@@ -4,8 +4,13 @@ export { OAuthCallbackError, OAuthFlowError } from "./errors";
 export type { OAuthCallbackErrorCode, OAuthCallbackErrorOptions, OAuthFlowErrorCode, OAuthFlowErrorOptions, } from "./errors";
 export { authorize } from "./authorize";
 export type { AuthorizeOptions } from "./authorize";
-export type { TokenSet } from "./tokenExchange";
+export { getValidAccessToken } from "./getValidAccessToken";
+export type { GetValidAccessTokenOptions } from "./getValidAccessToken";
+export { refreshTokens } from "./refreshTokens";
+export type { RefreshTokensOptions } from "./refreshTokens";
+export type { TokenSet } from "./tokenResponse";
 export { KeyringTokenStore, STORED_BLOB_VERSION } from "./tokenStore";
-export type { TokenStore, LoadResult, KeyringEntry, KeyringEntryFactory, } from "./tokenStore";
+export type { LoadResult, StoredEntry, TokenStore } from "./tokenStore";
+export type { KeyringEntry, KeyringEntryFactory } from "./keyringBinding";
 export { discoverOIDC } from "./discoverOIDC";
 export type { OIDCConfiguration, DiscoverOIDCOptions } from "./discoverOIDC";

package/dist/oauth/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.discoverOIDC = exports.STORED_BLOB_VERSION = exports.KeyringTokenStore = exports.authorize = exports.OAuthFlowError = exports.OAuthCallbackError = exports.startCallbackServer = void 0;
+exports.discoverOIDC = exports.STORED_BLOB_VERSION = exports.KeyringTokenStore = exports.refreshTokens = exports.getValidAccessToken = exports.authorize = exports.OAuthFlowError = exports.OAuthCallbackError = exports.startCallbackServer = void 0;
 var callbackServer_1 = require("./callbackServer");
 Object.defineProperty(exports, "startCallbackServer", { enumerable: true, get: function () { return callbackServer_1.startCallbackServer; } });
 var errors_1 = require("./errors");
@@ -8,6 +8,10 @@ Object.defineProperty(exports, "OAuthCallbackError", { enumerable: true, get: fu
 Object.defineProperty(exports, "OAuthFlowError", { enumerable: true, get: function () { return errors_1.OAuthFlowError; } });
 var authorize_1 = require("./authorize");
 Object.defineProperty(exports, "authorize", { enumerable: true, get: function () { return authorize_1.authorize; } });
+var getValidAccessToken_1 = require("./getValidAccessToken");
+Object.defineProperty(exports, "getValidAccessToken", { enumerable: true, get: function () { return getValidAccessToken_1.getValidAccessToken; } });
+var refreshTokens_1 = require("./refreshTokens");
+Object.defineProperty(exports, "refreshTokens", { enumerable: true, get: function () { return refreshTokens_1.refreshTokens; } });
 var tokenStore_1 = require("./tokenStore");
 Object.defineProperty(exports, "KeyringTokenStore", { enumerable: true, get: function () { return tokenStore_1.KeyringTokenStore; } });
 Object.defineProperty(exports, "STORED_BLOB_VERSION", { enumerable: true, get: function () { return tokenStore_1.STORED_BLOB_VERSION; } });

package/dist/oauth/keyringBinding.d.ts

@@ -0,0 +1,22 @@
+/** Minimal keyring-entry surface consumed by the package's stores. */
+export interface KeyringEntry {
+    /** Writes the password for this entry. */
+    setPassword(password: string): void;
+    /** Reads the current password, or returns `null` if none is set. */
+    getPassword(): string | null;
+    /** Deletes the password and returns `true` if one existed. */
+    deletePassword(): boolean;
+}
+/**
+ * Factory for `KeyringEntry` values. Injection seam for tests;
+ * production callers use the default that constructs
+ * `@napi-rs/keyring` entries lazily.
+ */
+export type KeyringEntryFactory = (service: string, account: string) => KeyringEntry;
+/**
+ * Default `KeyringEntryFactory`. Resolves `@napi-rs/keyring` lazily
+ * so platforms without a prebuilt binding only see a
+ * `KEYRING_UNAVAILABLE` on first store construction, not on module
+ * import.
+ */
+export declare const defaultEntryFactory: KeyringEntryFactory;

package/dist/oauth/keyringBinding.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultEntryFactory = void 0;
+const node_module_1 = require("node:module");
+const errors_1 = require("./errors");
+const requireFromHere = (0, node_module_1.createRequire)(__filename);
+// Lazy-resolved Entry constructor. Importing @napi-rs/keyring at the
+// top of this module would run its native binding loader at
+// module-load time, throwing before any of our OAuthFlowError code
+// catches it and preventing the module from being imported at all on
+// platforms without a prebuilt. We defer the require into
+// `defaultEntryFactory`, which turns that import-time failure into a
+// `KEYRING_UNAVAILABLE` surfaced on the first store construction —
+// not on first save/load/clear, since callers construct stores
+// eagerly as default-arg expressions. Runtime keychain errors
+// (missing D-Bus Secret Service, macOS Keychain denial, etc.) are a
+// separate concern and surface later, inside save/load/clear.
+let cachedEntryCtor = null;
+function resolveEntryCtor() {
+    if (cachedEntryCtor)
+        return cachedEntryCtor;
+    try {
+        const mod = requireFromHere("@napi-rs/keyring");
+        cachedEntryCtor = mod.Entry;
+        return cachedEntryCtor;
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("KEYRING_UNAVAILABLE", `Could not load @napi-rs/keyring. A prebuilt native binding for this platform may be missing.`, { cause });
+    }
+}
+/**
+ * Default `KeyringEntryFactory`. Resolves `@napi-rs/keyring` lazily
+ * so platforms without a prebuilt binding only see a
+ * `KEYRING_UNAVAILABLE` on first store construction, not on module
+ * import.
+ */
+const defaultEntryFactory = (service, account) => {
+    const Ctor = resolveEntryCtor();
+    return new Ctor(service, account);
+};
+exports.defaultEntryFactory = defaultEntryFactory;

package/dist/oauth/openBrowser.d.ts

@@ -7,13 +7,24 @@ export interface OpenBrowserOptions {
     platform?: NodeJS.Platform;
     /** Override for `child_process.spawn`. Used by tests. */
     spawnFn?: SpawnFn;
+    /**
+     * Override for `process.env.BROWSER`. The de-facto convention shared
+     * with `xdg-open` and Python's `webbrowser`: when set, it names the
+     * command to invoke instead of the platform default. Parsed shlex-style
+     * (POSIX shell tokenization) so values like `firefox --new-window` or
+     * `/path/with\ spaces/firefox` work as expected. An empty or missing
+     * value falls back to the platform default.
+     */
+    browserEnv?: string;
 }
 /**
  * Launches the system browser at `url` in a detached child process.
- * Returns synchronously once the child is spawned — completion of the
- * browser load is intentionally not awaited.
+ * Honors `$BROWSER` when set, falling back to the platform default
+ * (`open` / `xdg-open` / `cmd start`). Returns synchronously once the
+ * child is spawned — completion of the browser load is intentionally
+ * not awaited.
  *
  * @param url Absolute URL to open.
- * @param options Platform/spawn overrides; only exposed for tests.
+ * @param options Platform/spawn/env overrides; only exposed for tests.
  */
 export declare function openBrowser(url: string, options?: OpenBrowserOptions): void;

package/dist/oauth/openBrowser.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.openBrowser = openBrowser;
 const node_child_process_1 = require("node:child_process");
+const shlex_1 = require("shlex");
 const errors_1 = require("./errors");
 // On Windows `start` is a cmd.exe builtin, not a standalone binary.
 // The empty `""` pair is a positional placeholder for the window
@@ -26,7 +27,11 @@ function windowsCommand(url) {
         args: ["/c", "start", '""', url.replace(/[&|^<>"%\r\n]/g, (c) => `^${c}`)],
     };
 }
-function browserCommand(platform, url) {
+function browserCommand(platform, url, browserOverride) {
+    if (browserOverride && browserOverride.length > 0) {
+        const [command, ...extraArgs] = browserOverride;
+        return { command, args: [...extraArgs, url] };
+    }
     switch (platform) {
         case "darwin":
             return { command: "open", args: [url] };
@@ -47,16 +52,28 @@ function browserCommand(platform, url) {
 }
 /**
  * Launches the system browser at `url` in a detached child process.
- * Returns synchronously once the child is spawned — completion of the
- * browser load is intentionally not awaited.
+ * Honors `$BROWSER` when set, falling back to the platform default
+ * (`open` / `xdg-open` / `cmd start`). Returns synchronously once the
+ * child is spawned — completion of the browser load is intentionally
+ * not awaited.
  *
  * @param url Absolute URL to open.
- * @param options Platform/spawn overrides; only exposed for tests.
+ * @param options Platform/spawn/env overrides; only exposed for tests.
  */
 function openBrowser(url, options = {}) {
     const platform = options.platform ?? process.platform;
     const spawnFn = options.spawnFn ?? node_child_process_1.spawn;
-    const { command, args } = browserCommand(platform, url);
+    const browserEnv = options.browserEnv ?? process.env.BROWSER;
+    let browserOverride;
+    if (browserEnv && browserEnv.length > 0) {
+        try {
+            browserOverride = (0, shlex_1.split)(browserEnv);
+        }
+        catch (cause) {
+            throw new errors_1.OAuthFlowError("BROWSER_LAUNCH_FAILED", `Failed to parse $BROWSER (${browserEnv}). Open this URL manually:\n${url}`, { cause });
+        }
+    }
+    const { command, args } = browserCommand(platform, url, browserOverride);
     let child;
     try {
         child = spawnFn(command, args, {

package/dist/oauth/predicates.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Narrows `v` to `string` when it is a non-empty string. Useful for
+ * validating JSON fields from authorization-server responses, where
+ * the spec declares a field as "string" but servers occasionally
+ * return `""` / `null` / missing.
+ */
+export declare function isNonEmptyString(v: unknown): v is string;

package/dist/oauth/predicates.js

@@ -0,0 +1,15 @@
+"use strict";
+// Type-guard predicates shared across the oauth modules. Keep this
+// narrow: anything more substantial than a one-liner probably
+// belongs in its own module rather than piling in here.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isNonEmptyString = isNonEmptyString;
+/**
+ * Narrows `v` to `string` when it is a non-empty string. Useful for
+ * validating JSON fields from authorization-server responses, where
+ * the spec declares a field as "string" but servers occasionally
+ * return `""` / `null` / missing.
+ */
+function isNonEmptyString(v) {
+    return typeof v === "string" && v.length > 0;
+}

package/dist/oauth/refreshTokens.d.ts

@@ -0,0 +1,30 @@
+import { type TokenSet } from "./tokenResponse";
+/** Options for `refreshTokens`. */
+export interface RefreshTokensOptions {
+    /** Token endpoint resolved from OIDC discovery. */
+    tokenEndpoint: string;
+    /** OAuth client identifier. */
+    clientId: string;
+    /** The refresh token to exchange for a new access token. */
+    refreshToken: string;
+    /** Source of `now`. Defaults to `Date.now`. Injected for test determinism. */
+    now?: () => number;
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+}
+/**
+ * Exchanges a refresh token for a fresh access token via RFC 6749 §6.
+ *
+ * Some providers (Keycloak by default) rotate refresh tokens and
+ * return a new one in the response; others leave the refresh token
+ * alone. When the server omits `refresh_token` from the response,
+ * the returned `TokenSet` carries forward the input `refreshToken`
+ * so callers never lose refresh capability after one use.
+ *
+ * @throws {OAuthFlowError} with code `TOKEN_EXCHANGE_FAILED` on any
+ *   failure. `details` surfaces the OAuth `error` /
+ *   `error_description` when present; callers distinguishing
+ *   "refresh revoked" from "network hiccup" should inspect
+ *   `details.error === "invalid_grant"`.
+ */
+export declare function refreshTokens(options: RefreshTokensOptions): Promise<TokenSet>;

package/dist/oauth/refreshTokens.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.refreshTokens = refreshTokens;
+const errors_1 = require("./errors");
+const tokenResponse_1 = require("./tokenResponse");
+const userAgent_1 = require("../userAgent");
+/**
+ * Exchanges a refresh token for a fresh access token via RFC 6749 §6.
+ *
+ * Some providers (Keycloak by default) rotate refresh tokens and
+ * return a new one in the response; others leave the refresh token
+ * alone. When the server omits `refresh_token` from the response,
+ * the returned `TokenSet` carries forward the input `refreshToken`
+ * so callers never lose refresh capability after one use.
+ *
+ * @throws {OAuthFlowError} with code `TOKEN_EXCHANGE_FAILED` on any
+ *   failure. `details` surfaces the OAuth `error` /
+ *   `error_description` when present; callers distinguishing
+ *   "refresh revoked" from "network hiccup" should inspect
+ *   `details.error === "invalid_grant"`.
+ */
+async function refreshTokens(options) {
+    const now = options.now ?? Date.now;
+    // RFC 6749 §6 permits a `scope` parameter to request a subset of
+    // the originally-granted scopes. We deliberately omit it: Keycloak
+    // (our primary target) preserves the scope set across refresh, so
+    // re-sending would be redundant. Callers targeting a provider that
+    // reduces scopes when `scope` is omitted (some Okta configurations
+    // are rumored to) will need a provider-specific code path.
+    const body = new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: options.clientId,
+        refresh_token: options.refreshToken,
+    });
+    const issuedAt = now();
+    let response;
+    try {
+        response = await fetch(options.tokenEndpoint, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                Accept: "application/json",
+                "User-Agent": userAgent_1.USER_AGENT,
+            },
+            body,
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Could not reach the token endpoint at ${options.tokenEndpoint}. Check your network connection.`, { cause });
+    }
+    if (!response.ok) {
+        await (0, tokenResponse_1.throwTokenEndpointError)(response, "Token refresh");
+    }
+    const fresh = await (0, tokenResponse_1.parseTokenResponse)(response, issuedAt, options.tokenEndpoint);
+    return {
+        ...fresh,
+        refreshToken: fresh.refreshToken ?? options.refreshToken,
+    };
+}

package/dist/oauth/revokeToken.d.ts

@@ -0,0 +1,28 @@
+/** Options for `revokeRefreshToken`. */
+export interface RevokeRefreshTokenOptions {
+    /** Revocation endpoint resolved from OIDC discovery. */
+    revocationEndpoint: string;
+    /** OAuth client ID. */
+    clientId: string;
+    /** The refresh token to revoke server-side. */
+    refreshToken: string;
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+}
+/**
+ * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
+ * regardless of whether the token was valid (the spec doesn't want
+ * revocation to be a probing oracle for token existence). In
+ * practice this helper still surfaces network errors and any
+ * non-2xx response from the revocation endpoint, on the assumption
+ * that a 4xx is more likely a misconfiguration the user should hear
+ * about than a routine condition to swallow.
+ *
+ * Throws a plain `Error` rather than `OAuthFlowError`: revocation
+ * is best-effort cleanup invoked from `axe-auth logout`, and the
+ * caller already handles failure by warning + continuing with the
+ * local clear. Adding a dedicated `OAuthFlowError` code for this
+ * one shallow operation is more bloat than the discrimination is
+ * worth.
+ */
+export declare function revokeRefreshToken(options: RevokeRefreshTokenOptions): Promise<void>;

package/dist/oauth/revokeToken.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.revokeRefreshToken = revokeRefreshToken;
+const userAgent_1 = require("../userAgent");
+/**
+ * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
+ * regardless of whether the token was valid (the spec doesn't want
+ * revocation to be a probing oracle for token existence). In
+ * practice this helper still surfaces network errors and any
+ * non-2xx response from the revocation endpoint, on the assumption
+ * that a 4xx is more likely a misconfiguration the user should hear
+ * about than a routine condition to swallow.
+ *
+ * Throws a plain `Error` rather than `OAuthFlowError`: revocation
+ * is best-effort cleanup invoked from `axe-auth logout`, and the
+ * caller already handles failure by warning + continuing with the
+ * local clear. Adding a dedicated `OAuthFlowError` code for this
+ * one shallow operation is more bloat than the discrimination is
+ * worth.
+ */
+async function revokeRefreshToken(options) {
+    const body = new URLSearchParams({
+        token: options.refreshToken,
+        token_type_hint: "refresh_token",
+        client_id: options.clientId,
+    });
+    let response;
+    try {
+        response = await fetch(options.revocationEndpoint, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                "User-Agent": userAgent_1.USER_AGENT,
+            },
+            body,
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        const reason = cause instanceof Error ? cause.message : String(cause);
+        throw new Error(`Could not reach the revocation endpoint at ${options.revocationEndpoint}: ${reason}`, { cause });
+    }
+    if (!response.ok) {
+        // Deliberately do NOT include the response body. The request
+        // body we POSTed contains the refresh token; some Keycloak
+        // custom error templates and many WAFs / reverse proxies echo
+        // request fields back into 4xx pages, which would land the
+        // refresh token on stderr (the caller's `describeError(err)`
+        // path is `axe-auth: server-side revocation failed (...)`). Status
+        // alone is enough for the user to act on; if more detail is
+        // needed they can hit the revocation endpoint directly.
+        //
+        // We also drain the body so the underlying connection isn't
+        // held open by the unread stream.
+        try {
+            await response.text();
+        }
+        catch {
+            // ignore — body is purely diagnostic
+        }
+        throw new Error(`Revocation endpoint at ${options.revocationEndpoint} returned HTTP ${response.status}`);
+    }
+}

package/dist/oauth/testUtils.d.ts

@@ -0,0 +1,35 @@
+/**
+ * A fixed "now" timestamp used by token-endpoint tests that need
+ * determinism for `expiresAt` assertions. Any constant would do;
+ * choosing one value keeps the arithmetic trivial to eyeball
+ * (2023-11-14T22:13:20.000Z).
+ */
+export declare const FIXED_NOW = 1700000000000;
+/** Signature matching the global `fetch` implementation. */
+export type FetchMock = (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+/**
+ * Swaps `globalThis.fetch` for `mock` while `fn` runs, then restores.
+ * Use in tests that mock *every* fetch the subject under test makes.
+ * (Tests that want pass-through-on-miss behavior should keep their
+ * own router — see `authorize.test.ts`.)
+ */
+export declare function withFetch(mock: FetchMock, fn: () => Promise<void>): Promise<void>;
+/**
+ * JSON-serialized `Response` with `Content-Type: application/json`
+ * already set. Any headers in `init.headers` merge on top.
+ */
+export declare function jsonResponse(body: unknown, init?: ResponseInit): Response;
+/**
+ * Canonical local Keycloak issuer URL used across tests — matches
+ * walnut's dev setup (`http://localhost:8080/auth/realms/local`).
+ * Use this anywhere a test needs "the Keycloak issuer" rather than
+ * a test-specific URL (e.g. `http://auth.test.invalid`).
+ */
+export declare const KEYCLOAK_ISSUER = "http://localhost:8080/auth/realms/local";
+/**
+ * Standard OAuth 2.0 token-endpoint success body. Returns a fresh
+ * plain object on each call so tests can safely mutate it after.
+ * Override any field via `overrides`; the happy-path defaults
+ * (Bearer, positive `expires_in`) are what most tests want.
+ */
+export declare function tokenResponseBody(overrides?: Record<string, unknown>): Record<string, unknown>;

package/dist/oauth/testUtils.js

@@ -0,0 +1,61 @@
+"use strict";
+// Shared helpers for the oauth test files. Not a `.test.ts` itself so
+// the test runner doesn't pick it up directly, and excluded from c8
+// coverage in `.c8rc.json` since nothing in here is production code.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KEYCLOAK_ISSUER = exports.FIXED_NOW = void 0;
+exports.withFetch = withFetch;
+exports.jsonResponse = jsonResponse;
+exports.tokenResponseBody = tokenResponseBody;
+/**
+ * A fixed "now" timestamp used by token-endpoint tests that need
+ * determinism for `expiresAt` assertions. Any constant would do;
+ * choosing one value keeps the arithmetic trivial to eyeball
+ * (2023-11-14T22:13:20.000Z).
+ */
+exports.FIXED_NOW = 1_700_000_000_000;
+/**
+ * Swaps `globalThis.fetch` for `mock` while `fn` runs, then restores.
+ * Use in tests that mock *every* fetch the subject under test makes.
+ * (Tests that want pass-through-on-miss behavior should keep their
+ * own router — see `authorize.test.ts`.)
+ */
+function withFetch(mock, fn) {
+    const original = globalThis.fetch;
+    globalThis.fetch = mock;
+    return fn().finally(() => {
+        globalThis.fetch = original;
+    });
+}
+/**
+ * JSON-serialized `Response` with `Content-Type: application/json`
+ * already set. Any headers in `init.headers` merge on top.
+ */
+function jsonResponse(body, init = { status: 200 }) {
+    return new Response(JSON.stringify(body), {
+        ...init,
+        headers: { "Content-Type": "application/json", ...(init.headers ?? {}) },
+    });
+}
+/**
+ * Canonical local Keycloak issuer URL used across tests — matches
+ * walnut's dev setup (`http://localhost:8080/auth/realms/local`).
+ * Use this anywhere a test needs "the Keycloak issuer" rather than
+ * a test-specific URL (e.g. `http://auth.test.invalid`).
+ */
+exports.KEYCLOAK_ISSUER = "http://localhost:8080/auth/realms/local";
+/**
+ * Standard OAuth 2.0 token-endpoint success body. Returns a fresh
+ * plain object on each call so tests can safely mutate it after.
+ * Override any field via `overrides`; the happy-path defaults
+ * (Bearer, positive `expires_in`) are what most tests want.
+ */
+function tokenResponseBody(overrides = {}) {
+    return {
+        access_token: "at",
+        refresh_token: "rt",
+        expires_in: 300,
+        token_type: "Bearer",
+        ...overrides,
+    };
+}

package/dist/oauth/tokenExchange.d.ts

@@ -1,27 +1,4 @@
-/**
- * Tokens returned by a successful authorization-code exchange.
- *
- * `refreshToken` is optional because not all flows return one —
- * callers that did not request `offline_access` (or the provider
- * equivalent) will receive only an access token. Refresh logic (issue
- * #422) must handle this case.
- *
- * `grantedScope` reflects the authorization server's `scope` response
- * field when present (RFC 6749 §5.1 says `scope` is required when the
- * granted set differs from the requested set; optional otherwise).
- * Callers comparing granted vs requested to surface diagnostics should
- * read this field.
- */
-export interface TokenSet {
-    /** Access token for authenticated API calls. */
-    accessToken: string;
-    /** Long-lived token used to mint new access tokens without re-auth. Absent if the flow did not request it. */
-    refreshToken?: string;
-    /** Absolute timestamp (ms since epoch) when the access token expires. */
-    expiresAt: number;
-    /** Space-delimited scopes the server actually granted, if reported. */
-    grantedScope?: string;
-}
+import { type TokenSet } from "./tokenResponse";
 /** Options for `exchangeCodeForTokens`. */
 export interface ExchangeCodeForTokensOptions {
     /** Token endpoint resolved from OIDC discovery. */

package/dist/oauth/tokenExchange.js

@@ -2,55 +2,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.exchangeCodeForTokens = exchangeCodeForTokens;
 const errors_1 = require("./errors");
-function isNonEmptyString(v) {
-    return typeof v === "string" && v.length > 0;
-}
-// RFC 6749 §5.1 describes `expires_in` as "the lifetime in seconds"
-// without pinning the JSON type, and some providers historically send
-// numeric strings. Accept both; reject anything non-positive or
-// non-finite.
-function parseExpiresIn(v) {
-    if (typeof v === "number" && Number.isFinite(v) && v > 0)
-        return v;
-    if (typeof v === "string") {
-        const n = Number(v);
-        if (Number.isFinite(n) && n > 0)
-            return n;
-    }
-    return null;
-}
-function parseErrorBody(body) {
-    let parsed;
-    try {
-        parsed = JSON.parse(body);
-    }
-    catch {
-        return {};
-    }
-    if (parsed === null || typeof parsed !== "object")
-        return {};
-    const raw = parsed;
-    return {
-        error: isNonEmptyString(raw.error) ? raw.error : undefined,
-        description: isNonEmptyString(raw.error_description)
-            ? raw.error_description
-            : undefined,
-    };
-}
-function throwFromErrorResponse(status, body) {
-    const { error, description } = parseErrorBody(body);
-    const suffix = error
-        ? description
-            ? `: ${error}: ${description}`
-            : `: ${error}`
-        : "";
-    const details = {};
-    if (error)
-        details.error = error;
-    if (description)
-        details.error_description = description;
-    throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token exchange failed with HTTP ${status}${suffix}`, Object.keys(details).length > 0 ? { details } : undefined);
-}
+const tokenResponse_1 = require("./tokenResponse");
+const userAgent_1 = require("../userAgent");
 /**
  * Exchanges an authorization code for a `TokenSet` via the
  * authorization server's token endpoint (RFC 6749 §4.1.3 + RFC 7636
@@ -67,13 +20,6 @@ async function exchangeCodeForTokens(options) {
         code_verifier: options.codeVerifier,
         redirect_uri: options.redirectUri,
     });
-    // Capture `issuedAt` before the network call so we don't drift past
-    // expiry just because the network was slow. Slightly conservative —
-    // the token actually expires `expires_in` seconds from when the
-    // server issued it, so the effective usable window is `expires_in -
-    // RTT`, which errs toward "expires sooner" rather than "expires
-    // later." That's the safer direction for any consumer doing
-    // pre-expiry checks.
     const issuedAt = now();
     let response;
     try {
@@ -82,6 +28,7 @@ async function exchangeCodeForTokens(options) {
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",
                 Accept: "application/json",
+                "User-Agent": userAgent_1.USER_AGENT,
             },
             body,
             signal: options.signal,
@@ -91,46 +38,7 @@ async function exchangeCodeForTokens(options) {
         throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Could not reach the token endpoint at ${options.tokenEndpoint}. Check your network connection.`, { cause });
     }
     if (!response.ok) {
-        const text = await response.text().catch(() => "");
-        throwFromErrorResponse(response.status, text);
-    }
-    let parsed;
-    try {
-        parsed = await response.json();
-    }
-    catch (cause) {
-        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token endpoint at ${options.tokenEndpoint} returned a non-JSON response`, { cause });
-    }
-    if (parsed === null || typeof parsed !== "object") {
-        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token endpoint at ${options.tokenEndpoint} returned a non-object response`);
-    }
-    const raw = parsed;
-    if (!isNonEmptyString(raw.access_token)) {
-        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing 'access_token'`);
-    }
-    const expiresIn = parseExpiresIn(raw.expires_in);
-    if (expiresIn === null) {
-        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing or has invalid 'expires_in'`);
-    }
-    // RFC 6749 §5.1: token_type is REQUIRED. We only speak Bearer;
-    // DPoP / MAC / other proof-of-possession types need request-side
-    // support we don't implement, and silently treating them as Bearer
-    // would send tokens in the wrong header with unclear semantics.
-    if (!isNonEmptyString(raw.token_type)) {
-        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing required 'token_type'`);
-    }
-    if (raw.token_type.toLowerCase() !== "bearer") {
-        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Unsupported token_type '${raw.token_type}'; this library only handles Bearer.`);
-    }
-    const tokens = {
-        accessToken: raw.access_token,
-        expiresAt: issuedAt + expiresIn * 1000,
-    };
-    if (isNonEmptyString(raw.refresh_token)) {
-        tokens.refreshToken = raw.refresh_token;
-    }
-    if (isNonEmptyString(raw.scope)) {
-        tokens.grantedScope = raw.scope;
+        await (0, tokenResponse_1.throwTokenEndpointError)(response, "Token exchange");
     }
-    return tokens;
+    return (0, tokenResponse_1.parseTokenResponse)(response, issuedAt, options.tokenEndpoint);
 }