@deque/axe-auth 1.1.0-next.97bcb8e6 → 1.1.0-next.f082f98a

package/dist/oauth/refreshTokens.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.refreshTokens = refreshTokens;
+const errors_1 = require("./errors");
+const tokenResponse_1 = require("./tokenResponse");
+const userAgent_1 = require("../userAgent");
+/**
+ * Exchanges a refresh token for a fresh access token via RFC 6749 §6.
+ *
+ * Some providers (Keycloak by default) rotate refresh tokens and
+ * return a new one in the response; others leave the refresh token
+ * alone. When the server omits `refresh_token` from the response,
+ * the returned `TokenSet` carries forward the input `refreshToken`
+ * so callers never lose refresh capability after one use.
+ *
+ * @throws {OAuthFlowError} with code `TOKEN_EXCHANGE_FAILED` on any
+ *   failure. `details` surfaces the OAuth `error` /
+ *   `error_description` when present; callers distinguishing
+ *   "refresh revoked" from "network hiccup" should inspect
+ *   `details.error === "invalid_grant"`.
+ */
+async function refreshTokens(options) {
+    const now = options.now ?? Date.now;
+    // RFC 6749 §6 permits a `scope` parameter to request a subset of
+    // the originally-granted scopes. We deliberately omit it: Keycloak
+    // (our primary target) preserves the scope set across refresh, so
+    // re-sending would be redundant. Callers targeting a provider that
+    // reduces scopes when `scope` is omitted (some Okta configurations
+    // are rumored to) will need a provider-specific code path.
+    const body = new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: options.clientId,
+        refresh_token: options.refreshToken,
+    });
+    const issuedAt = now();
+    let response;
+    try {
+        response = await fetch(options.tokenEndpoint, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                Accept: "application/json",
+                "User-Agent": userAgent_1.USER_AGENT,
+            },
+            body,
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Could not reach the token endpoint at ${options.tokenEndpoint}. Check your network connection.`, { cause });
+    }
+    if (!response.ok) {
+        await (0, tokenResponse_1.throwTokenEndpointError)(response, "Token refresh");
+    }
+    const fresh = await (0, tokenResponse_1.parseTokenResponse)(response, issuedAt, options.tokenEndpoint);
+    // Preserve the input refresh token if the server didn't rotate.
+    // Keycloak rotates by default; others (e.g. Okta with some
+    // configs) don't.
+    return {
+        ...fresh,
+        refreshToken: fresh.refreshToken ?? options.refreshToken,
+    };
+}

package/dist/oauth/renderHtml.d.ts

@@ -0,0 +1,9 @@
+export type HtmlInput = {
+    kind: "success";
+} | {
+    kind: "error";
+    reason: string;
+    description?: string;
+};
+export declare const CSP_HEADER: string;
+export declare const renderHtml: (input: HtmlInput) => string;

package/dist/oauth/renderHtml.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderHtml = exports.CSP_HEADER = void 0;
+const node_crypto_1 = require("node:crypto");
+const logo_generated_1 = require("./logo.generated");
+const CSS = `:root{--off-black:#666;--off-white:#fdfdfe;--white:#fff;--pink:#d71ef7;--blue:#3c7aae;--space-small:12px;--space-medium:24px;--space-large:36px;--space-huge:48px;--border-radius:3px}
+html{box-sizing:border-box}
+*,*::before,*::after{box-sizing:inherit}
+*:focus{outline:2px solid var(--pink);outline-offset:2px}
+body{margin:0;padding:0;width:100%;height:100%;font-family:Roboto,Helvetica,Arial,sans-serif;font-style:normal;font-weight:400;color:var(--off-black);background-color:var(--off-white);font-size:15px}
+h1{padding:0;margin:0;font-size:34px;font-weight:700}
+main{margin:var(--space-huge) auto;padding-left:var(--space-medium);padding-right:var(--space-medium);max-width:400px;text-align:center}
+.hero{margin-bottom:var(--space-medium)}
+.hero img{width:180px;max-width:100%;margin-bottom:var(--space-medium)}
+.reason{margin-top:var(--space-medium);font-weight:500}
+.description{margin-top:var(--space-small);font-size:13px}
+.close{margin-top:var(--space-large)}`;
+// CSP uses a SHA-256 hash of the <style> block contents instead of
+// 'unsafe-inline'. Any drift between this digest and the rendered <style> tag
+// causes the browser to refuse the stylesheet — see docs/callback-page.md.
+const STYLE_HASH = (0, node_crypto_1.createHash)("sha256").update(CSS, "utf8").digest("base64");
+exports.CSP_HEADER = `default-src 'none'; img-src data:; style-src 'sha256-${STYLE_HASH}'; frame-ancestors 'none'`;
+// OWASP-recommended 5-character set for HTML body/attribute contexts;
+// & must come first to avoid double-escaping. Not safe for JS/CSS/URL contexts.
+// https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-html-contexts
+const escape = (s) => s
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
+const page = (title, body) => `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>${escape(title)}</title>
+<style>${CSS}</style>
+</head>
+<body>
+<main>
+<div class="hero"><img src="data:image/png;base64,${logo_generated_1.LOGO_PNG_BASE64}" alt="Deque"></div>
+${body}
+</main>
+</body>
+</html>`;
+const renderHtml = (input) => {
+    if (input.kind === "success") {
+        return page("Authenticated", `<h1>Authenticated</h1>
+<p class="close">You can close this tab and return to your terminal.</p>`);
+    }
+    const descriptionBlock = input.description
+        ? `<p class="description">${escape(input.description)}</p>`
+        : "";
+    return page("Authentication failed", `<h1>Authentication failed</h1>
+<p class="reason">${escape(input.reason)}</p>
+${descriptionBlock}
+<p class="close">You can close this tab and return to your terminal.</p>`);
+};
+exports.renderHtml = renderHtml;

package/dist/oauth/revokeToken.d.ts

@@ -0,0 +1,28 @@
+/** Options for `revokeRefreshToken`. */
+export interface RevokeRefreshTokenOptions {
+    /** Revocation endpoint resolved from OIDC discovery. */
+    revocationEndpoint: string;
+    /** OAuth client ID. */
+    clientId: string;
+    /** The refresh token to revoke server-side. */
+    refreshToken: string;
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+}
+/**
+ * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
+ * regardless of whether the token was valid (the spec doesn't want
+ * revocation to be a probing oracle for token existence). In
+ * practice this helper still surfaces network errors and any
+ * non-2xx response from the revocation endpoint, on the assumption
+ * that a 4xx is more likely a misconfiguration the user should hear
+ * about than a routine condition to swallow.
+ *
+ * Throws a plain `Error` rather than `OAuthFlowError`: revocation
+ * is best-effort cleanup invoked from `axe-auth logout`, and the
+ * caller already handles failure by warning + continuing with the
+ * local clear. Adding a dedicated `OAuthFlowError` code for this
+ * one shallow operation is more bloat than the discrimination is
+ * worth.
+ */
+export declare function revokeRefreshToken(options: RevokeRefreshTokenOptions): Promise<void>;

package/dist/oauth/revokeToken.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.revokeRefreshToken = revokeRefreshToken;
+const userAgent_1 = require("../userAgent");
+/**
+ * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
+ * regardless of whether the token was valid (the spec doesn't want
+ * revocation to be a probing oracle for token existence). In
+ * practice this helper still surfaces network errors and any
+ * non-2xx response from the revocation endpoint, on the assumption
+ * that a 4xx is more likely a misconfiguration the user should hear
+ * about than a routine condition to swallow.
+ *
+ * Throws a plain `Error` rather than `OAuthFlowError`: revocation
+ * is best-effort cleanup invoked from `axe-auth logout`, and the
+ * caller already handles failure by warning + continuing with the
+ * local clear. Adding a dedicated `OAuthFlowError` code for this
+ * one shallow operation is more bloat than the discrimination is
+ * worth.
+ */
+async function revokeRefreshToken(options) {
+    const body = new URLSearchParams({
+        token: options.refreshToken,
+        token_type_hint: "refresh_token",
+        client_id: options.clientId,
+    });
+    let response;
+    try {
+        response = await fetch(options.revocationEndpoint, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                "User-Agent": userAgent_1.USER_AGENT,
+            },
+            body,
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        const reason = cause instanceof Error ? cause.message : String(cause);
+        throw new Error(`Could not reach the revocation endpoint at ${options.revocationEndpoint}: ${reason}`, { cause });
+    }
+    if (!response.ok) {
+        // Deliberately do NOT include the response body. The request
+        // body we POSTed contains the refresh token; some Keycloak
+        // custom error templates and many WAFs / reverse proxies echo
+        // request fields back into 4xx pages, which would land the
+        // refresh token on stderr (the caller's `describeError(err)`
+        // path is `axe-auth: server-side revocation failed (...)`). Status
+        // alone is enough for the user to act on; if more detail is
+        // needed they can hit the revocation endpoint directly.
+        //
+        // We also drain the body so the underlying connection isn't
+        // held open by the unread stream.
+        try {
+            await response.text();
+        }
+        catch {
+            // ignore — body is purely diagnostic
+        }
+        throw new Error(`Revocation endpoint at ${options.revocationEndpoint} returned HTTP ${response.status}`);
+    }
+}

package/dist/oauth/testUtils.d.ts

@@ -0,0 +1,35 @@
+/**
+ * A fixed "now" timestamp used by token-endpoint tests that need
+ * determinism for `expiresAt` assertions. Any constant would do;
+ * choosing one value keeps the arithmetic trivial to eyeball
+ * (2023-11-14T22:13:20.000Z).
+ */
+export declare const FIXED_NOW = 1700000000000;
+/** Signature matching the global `fetch` implementation. */
+export type FetchMock = (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+/**
+ * Swaps `globalThis.fetch` for `mock` while `fn` runs, then restores.
+ * Use in tests that mock *every* fetch the subject under test makes.
+ * (Tests that want pass-through-on-miss behavior should keep their
+ * own router — see `authorize.test.ts`.)
+ */
+export declare function withFetch(mock: FetchMock, fn: () => Promise<void>): Promise<void>;
+/**
+ * JSON-serialized `Response` with `Content-Type: application/json`
+ * already set. Any headers in `init.headers` merge on top.
+ */
+export declare function jsonResponse(body: unknown, init?: ResponseInit): Response;
+/**
+ * Canonical local Keycloak issuer URL used across tests — matches
+ * walnut's dev setup (`http://localhost:8080/auth/realms/local`).
+ * Use this anywhere a test needs "the Keycloak issuer" rather than
+ * a test-specific URL (e.g. `http://auth.test.invalid`).
+ */
+export declare const KEYCLOAK_ISSUER = "http://localhost:8080/auth/realms/local";
+/**
+ * Standard OAuth 2.0 token-endpoint success body. Returns a fresh
+ * plain object on each call so tests can safely mutate it after.
+ * Override any field via `overrides`; the happy-path defaults
+ * (Bearer, positive `expires_in`) are what most tests want.
+ */
+export declare function tokenResponseBody(overrides?: Record<string, unknown>): Record<string, unknown>;

package/dist/oauth/testUtils.js

@@ -0,0 +1,61 @@
+"use strict";
+// Shared helpers for the oauth test files. Not a `.test.ts` itself so
+// the test runner doesn't pick it up directly, and excluded from c8
+// coverage in `.c8rc.json` since nothing in here is production code.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KEYCLOAK_ISSUER = exports.FIXED_NOW = void 0;
+exports.withFetch = withFetch;
+exports.jsonResponse = jsonResponse;
+exports.tokenResponseBody = tokenResponseBody;
+/**
+ * A fixed "now" timestamp used by token-endpoint tests that need
+ * determinism for `expiresAt` assertions. Any constant would do;
+ * choosing one value keeps the arithmetic trivial to eyeball
+ * (2023-11-14T22:13:20.000Z).
+ */
+exports.FIXED_NOW = 1_700_000_000_000;
+/**
+ * Swaps `globalThis.fetch` for `mock` while `fn` runs, then restores.
+ * Use in tests that mock *every* fetch the subject under test makes.
+ * (Tests that want pass-through-on-miss behavior should keep their
+ * own router — see `authorize.test.ts`.)
+ */
+function withFetch(mock, fn) {
+    const original = globalThis.fetch;
+    globalThis.fetch = mock;
+    return fn().finally(() => {
+        globalThis.fetch = original;
+    });
+}
+/**
+ * JSON-serialized `Response` with `Content-Type: application/json`
+ * already set. Any headers in `init.headers` merge on top.
+ */
+function jsonResponse(body, init = { status: 200 }) {
+    return new Response(JSON.stringify(body), {
+        ...init,
+        headers: { "Content-Type": "application/json", ...(init.headers ?? {}) },
+    });
+}
+/**
+ * Canonical local Keycloak issuer URL used across tests — matches
+ * walnut's dev setup (`http://localhost:8080/auth/realms/local`).
+ * Use this anywhere a test needs "the Keycloak issuer" rather than
+ * a test-specific URL (e.g. `http://auth.test.invalid`).
+ */
+exports.KEYCLOAK_ISSUER = "http://localhost:8080/auth/realms/local";
+/**
+ * Standard OAuth 2.0 token-endpoint success body. Returns a fresh
+ * plain object on each call so tests can safely mutate it after.
+ * Override any field via `overrides`; the happy-path defaults
+ * (Bearer, positive `expires_in`) are what most tests want.
+ */
+function tokenResponseBody(overrides = {}) {
+    return {
+        access_token: "at",
+        refresh_token: "rt",
+        expires_in: 300,
+        token_type: "Bearer",
+        ...overrides,
+    };
+}

package/dist/oauth/tokenExchange.d.ts

@@ -0,0 +1,26 @@
+import { type TokenSet } from "./tokenResponse";
+/** Options for `exchangeCodeForTokens`. */
+export interface ExchangeCodeForTokensOptions {
+    /** Token endpoint resolved from OIDC discovery. */
+    tokenEndpoint: string;
+    /** OAuth client identifier. */
+    clientId: string;
+    /** Authorization code received via the loopback callback. */
+    code: string;
+    /** PKCE verifier paired with the `code_challenge` sent at auth time. */
+    codeVerifier: string;
+    /** Redirect URI originally sent to the authorization endpoint. */
+    redirectUri: string;
+    /** Source of `now`. Injected for test determinism; defaults to `Date.now`. */
+    now?: () => number;
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+}
+/**
+ * Exchanges an authorization code for a `TokenSet` via the
+ * authorization server's token endpoint (RFC 6749 §4.1.3 + RFC 7636
+ * §4.5). Rejects with `OAuthFlowError("TOKEN_EXCHANGE_FAILED", ...)`
+ * for any failure mode, surfacing the OAuth `error` /
+ * `error_description` when available.
+ */
+export declare function exchangeCodeForTokens(options: ExchangeCodeForTokensOptions): Promise<TokenSet>;

package/dist/oauth/tokenExchange.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.exchangeCodeForTokens = exchangeCodeForTokens;
+const errors_1 = require("./errors");
+const tokenResponse_1 = require("./tokenResponse");
+const userAgent_1 = require("../userAgent");
+/**
+ * Exchanges an authorization code for a `TokenSet` via the
+ * authorization server's token endpoint (RFC 6749 §4.1.3 + RFC 7636
+ * §4.5). Rejects with `OAuthFlowError("TOKEN_EXCHANGE_FAILED", ...)`
+ * for any failure mode, surfacing the OAuth `error` /
+ * `error_description` when available.
+ */
+async function exchangeCodeForTokens(options) {
+    const now = options.now ?? Date.now;
+    const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        client_id: options.clientId,
+        code: options.code,
+        code_verifier: options.codeVerifier,
+        redirect_uri: options.redirectUri,
+    });
+    const issuedAt = now();
+    let response;
+    try {
+        response = await fetch(options.tokenEndpoint, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                Accept: "application/json",
+                "User-Agent": userAgent_1.USER_AGENT,
+            },
+            body,
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Could not reach the token endpoint at ${options.tokenEndpoint}. Check your network connection.`, { cause });
+    }
+    if (!response.ok) {
+        await (0, tokenResponse_1.throwTokenEndpointError)(response, "Token exchange");
+    }
+    return (0, tokenResponse_1.parseTokenResponse)(response, issuedAt, options.tokenEndpoint);
+}

package/dist/oauth/tokenResponse.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Tokens returned by a successful token-endpoint call (authorization
+ * code exchange, refresh-token grant, etc.).
+ *
+ * `refreshToken` is optional because not all flows return one. On
+ * authorization-code exchange it's absent if the caller did not
+ * request `offline_access` (or the provider equivalent); on refresh
+ * some providers rotate tokens (return a new one) while others don't
+ * (the caller should keep the existing refresh token).
+ *
+ * `grantedScope` reflects the authorization server's `scope` response
+ * field when present. RFC 6749 §5.1 says `scope` is required in the
+ * response when the granted set differs from the requested set; many
+ * servers send it unconditionally.
+ */
+export interface TokenSet {
+    /** Access token for authenticated API calls. */
+    accessToken: string;
+    /** Long-lived token used to mint new access tokens without re-auth. Absent if the flow did not return one. */
+    refreshToken?: string;
+    /** Absolute timestamp (ms since epoch) when the access token expires. */
+    expiresAt: number;
+    /** Space-delimited scopes the server actually granted, if reported. */
+    grantedScope?: string;
+}
+/**
+ * Reads a non-2xx response body and throws
+ * `OAuthFlowError("TOKEN_EXCHANGE_FAILED", …)` with the OAuth
+ * `error` / `error_description` surfaced in both message and details
+ * when present. Shared by both the authorization-code exchange and
+ * refresh-token paths since the error contract is identical.
+ *
+ * @param context Short human-readable description of which call
+ *   failed ("Token exchange", "Token refresh", etc.). Appears in the
+ *   error message.
+ */
+export declare function throwTokenEndpointError(response: Response, context: string): Promise<never>;
+/**
+ * Parses a 2xx response body from an RFC 6749 §5.1 token endpoint
+ * (authorization-code exchange, refresh-token grant, etc.) into a
+ * `TokenSet`. Validates the required shape (`access_token`,
+ * `expires_in`, Bearer `token_type`) and converts the relative
+ * `expires_in` into an absolute `expiresAt` using `issuedAt`.
+ *
+ * @param response The HTTP response (must be 2xx; caller handles
+ *   error statuses via `throwTokenEndpointError`).
+ * @param issuedAt The timestamp captured just before the network
+ *   call. Slightly conservative — the token actually expires
+ *   `expires_in` seconds from when the server issued it, so the
+ *   effective usable window is `expires_in - RTT`, which errs toward
+ *   "expires sooner" rather than "expires later."
+ * @param endpointURL URL used for error messages.
+ */
+export declare function parseTokenResponse(response: Response, issuedAt: number, endpointURL: string): Promise<TokenSet>;

package/dist/oauth/tokenResponse.js

@@ -0,0 +1,121 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.throwTokenEndpointError = throwTokenEndpointError;
+exports.parseTokenResponse = parseTokenResponse;
+const errors_1 = require("./errors");
+const predicates_1 = require("./predicates");
+// RFC 6749 §5.1 describes `expires_in` as "the lifetime in seconds"
+// without pinning the JSON type, and some providers historically send
+// numeric strings. Accept both; reject anything non-positive or
+// non-finite.
+function parseExpiresIn(v) {
+    if (typeof v === "number" && Number.isFinite(v) && v > 0)
+        return v;
+    if (typeof v === "string") {
+        const n = Number(v);
+        if (Number.isFinite(n) && n > 0)
+            return n;
+    }
+    return null;
+}
+function parseErrorBody(body) {
+    let parsed;
+    try {
+        parsed = JSON.parse(body);
+    }
+    catch {
+        return {};
+    }
+    if (parsed === null || typeof parsed !== "object")
+        return {};
+    const raw = parsed;
+    return {
+        error: (0, predicates_1.isNonEmptyString)(raw.error) ? raw.error : undefined,
+        description: (0, predicates_1.isNonEmptyString)(raw.error_description)
+            ? raw.error_description
+            : undefined,
+    };
+}
+/**
+ * Reads a non-2xx response body and throws
+ * `OAuthFlowError("TOKEN_EXCHANGE_FAILED", …)` with the OAuth
+ * `error` / `error_description` surfaced in both message and details
+ * when present. Shared by both the authorization-code exchange and
+ * refresh-token paths since the error contract is identical.
+ *
+ * @param context Short human-readable description of which call
+ *   failed ("Token exchange", "Token refresh", etc.). Appears in the
+ *   error message.
+ */
+async function throwTokenEndpointError(response, context) {
+    const body = await response.text().catch(() => "");
+    const { error, description } = parseErrorBody(body);
+    const suffix = error
+        ? description
+            ? `: ${error}: ${description}`
+            : `: ${error}`
+        : "";
+    const details = {};
+    if (error)
+        details.error = error;
+    if (description)
+        details.error_description = description;
+    throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `${context} failed with HTTP ${response.status}${suffix}`, Object.keys(details).length > 0 ? { details } : undefined);
+}
+/**
+ * Parses a 2xx response body from an RFC 6749 §5.1 token endpoint
+ * (authorization-code exchange, refresh-token grant, etc.) into a
+ * `TokenSet`. Validates the required shape (`access_token`,
+ * `expires_in`, Bearer `token_type`) and converts the relative
+ * `expires_in` into an absolute `expiresAt` using `issuedAt`.
+ *
+ * @param response The HTTP response (must be 2xx; caller handles
+ *   error statuses via `throwTokenEndpointError`).
+ * @param issuedAt The timestamp captured just before the network
+ *   call. Slightly conservative — the token actually expires
+ *   `expires_in` seconds from when the server issued it, so the
+ *   effective usable window is `expires_in - RTT`, which errs toward
+ *   "expires sooner" rather than "expires later."
+ * @param endpointURL URL used for error messages.
+ */
+async function parseTokenResponse(response, issuedAt, endpointURL) {
+    let parsed;
+    try {
+        parsed = await response.json();
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token endpoint at ${endpointURL} returned a non-JSON response`, { cause });
+    }
+    if (parsed === null || typeof parsed !== "object") {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token endpoint at ${endpointURL} returned a non-object response`);
+    }
+    const raw = parsed;
+    if (!(0, predicates_1.isNonEmptyString)(raw.access_token)) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing 'access_token'`);
+    }
+    const expiresIn = parseExpiresIn(raw.expires_in);
+    if (expiresIn === null) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing or has invalid 'expires_in'`);
+    }
+    // RFC 6749 §5.1: token_type is REQUIRED. We only speak Bearer;
+    // DPoP / MAC / other proof-of-possession types need request-side
+    // support we don't implement, and silently treating them as Bearer
+    // would send tokens in the wrong header with unclear semantics.
+    if (!(0, predicates_1.isNonEmptyString)(raw.token_type)) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing required 'token_type'`);
+    }
+    if (raw.token_type.toLowerCase() !== "bearer") {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Unsupported token_type '${raw.token_type}'; this library only handles Bearer.`);
+    }
+    const tokens = {
+        accessToken: raw.access_token,
+        expiresAt: issuedAt + expiresIn * 1000,
+    };
+    if ((0, predicates_1.isNonEmptyString)(raw.refresh_token)) {
+        tokens.refreshToken = raw.refresh_token;
+    }
+    if ((0, predicates_1.isNonEmptyString)(raw.scope)) {
+        tokens.grantedScope = raw.scope;
+    }
+    return tokens;
+}