@deque/axe-auth 1.1.0-next.97bcb8e6 → 1.1.0-next.f7b98204

package/dist/oauth/renderHtml.d.ts

@@ -0,0 +1,9 @@
+export type HtmlInput = {
+    kind: "success";
+} | {
+    kind: "error";
+    reason: string;
+    description?: string;
+};
+export declare const CSP_HEADER: string;
+export declare const renderHtml: (input: HtmlInput) => string;

package/dist/oauth/renderHtml.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderHtml = exports.CSP_HEADER = void 0;
+const node_crypto_1 = require("node:crypto");
+const logo_generated_1 = require("./logo.generated");
+const CSS = `:root{--off-black:#666;--off-white:#fdfdfe;--white:#fff;--pink:#d71ef7;--blue:#3c7aae;--space-small:12px;--space-medium:24px;--space-large:36px;--space-huge:48px;--border-radius:3px}
+html{box-sizing:border-box}
+*,*::before,*::after{box-sizing:inherit}
+*:focus{outline:2px solid var(--pink);outline-offset:2px}
+body{margin:0;padding:0;width:100%;height:100%;font-family:Roboto,Helvetica,Arial,sans-serif;font-style:normal;font-weight:400;color:var(--off-black);background-color:var(--off-white);font-size:15px}
+h1{padding:0;margin:0;font-size:34px;font-weight:700}
+main{margin:var(--space-huge) auto;padding-left:var(--space-medium);padding-right:var(--space-medium);max-width:400px;text-align:center}
+.hero{margin-bottom:var(--space-medium)}
+.hero img{width:180px;max-width:100%;margin-bottom:var(--space-medium)}
+.reason{margin-top:var(--space-medium);font-weight:500}
+.description{margin-top:var(--space-small);font-size:13px}
+.close{margin-top:var(--space-large)}`;
+// CSP uses a SHA-256 hash of the <style> block contents instead of
+// 'unsafe-inline'. Any drift between this digest and the rendered <style> tag
+// causes the browser to refuse the stylesheet — see docs/callback-page.md.
+const STYLE_HASH = (0, node_crypto_1.createHash)("sha256").update(CSS, "utf8").digest("base64");
+exports.CSP_HEADER = `default-src 'none'; img-src data:; style-src 'sha256-${STYLE_HASH}'; frame-ancestors 'none'`;
+// OWASP-recommended 5-character set for HTML body/attribute contexts;
+// & must come first to avoid double-escaping. Not safe for JS/CSS/URL contexts.
+// https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-html-contexts
+const escape = (s) => s
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
+const page = (title, body) => `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>${escape(title)}</title>
+<style>${CSS}</style>
+</head>
+<body>
+<main>
+<div class="hero"><img src="data:image/png;base64,${logo_generated_1.LOGO_PNG_BASE64}" alt="Deque"></div>
+${body}
+</main>
+</body>
+</html>`;
+const renderHtml = (input) => {
+    if (input.kind === "success") {
+        return page("Authenticated", `<h1>Authenticated</h1>
+<p class="close">You can close this tab and return to your terminal.</p>`);
+    }
+    const descriptionBlock = input.description
+        ? `<p class="description">${escape(input.description)}</p>`
+        : "";
+    return page("Authentication failed", `<h1>Authentication failed</h1>
+<p class="reason">${escape(input.reason)}</p>
+${descriptionBlock}
+<p class="close">You can close this tab and return to your terminal.</p>`);
+};
+exports.renderHtml = renderHtml;

package/dist/oauth/tokenExchange.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Tokens returned by a successful authorization-code exchange.
+ *
+ * `refreshToken` is optional because not all flows return one —
+ * callers that did not request `offline_access` (or the provider
+ * equivalent) will receive only an access token. Refresh logic (issue
+ * #422) must handle this case.
+ *
+ * `grantedScope` reflects the authorization server's `scope` response
+ * field when present (RFC 6749 §5.1 says `scope` is required when the
+ * granted set differs from the requested set; optional otherwise).
+ * Callers comparing granted vs requested to surface diagnostics should
+ * read this field.
+ */
+export interface TokenSet {
+    /** Access token for authenticated API calls. */
+    accessToken: string;
+    /** Long-lived token used to mint new access tokens without re-auth. Absent if the flow did not request it. */
+    refreshToken?: string;
+    /** Absolute timestamp (ms since epoch) when the access token expires. */
+    expiresAt: number;
+    /** Space-delimited scopes the server actually granted, if reported. */
+    grantedScope?: string;
+}
+/** Options for `exchangeCodeForTokens`. */
+export interface ExchangeCodeForTokensOptions {
+    /** Token endpoint resolved from OIDC discovery. */
+    tokenEndpoint: string;
+    /** OAuth client identifier. */
+    clientId: string;
+    /** Authorization code received via the loopback callback. */
+    code: string;
+    /** PKCE verifier paired with the `code_challenge` sent at auth time. */
+    codeVerifier: string;
+    /** Redirect URI originally sent to the authorization endpoint. */
+    redirectUri: string;
+    /** Source of `now`. Injected for test determinism; defaults to `Date.now`. */
+    now?: () => number;
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+}
+/**
+ * Exchanges an authorization code for a `TokenSet` via the
+ * authorization server's token endpoint (RFC 6749 §4.1.3 + RFC 7636
+ * §4.5). Rejects with `OAuthFlowError("TOKEN_EXCHANGE_FAILED", ...)`
+ * for any failure mode, surfacing the OAuth `error` /
+ * `error_description` when available.
+ */
+export declare function exchangeCodeForTokens(options: ExchangeCodeForTokensOptions): Promise<TokenSet>;

package/dist/oauth/tokenExchange.js

@@ -0,0 +1,136 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.exchangeCodeForTokens = exchangeCodeForTokens;
+const errors_1 = require("./errors");
+function isNonEmptyString(v) {
+    return typeof v === "string" && v.length > 0;
+}
+// RFC 6749 §5.1 describes `expires_in` as "the lifetime in seconds"
+// without pinning the JSON type, and some providers historically send
+// numeric strings. Accept both; reject anything non-positive or
+// non-finite.
+function parseExpiresIn(v) {
+    if (typeof v === "number" && Number.isFinite(v) && v > 0)
+        return v;
+    if (typeof v === "string") {
+        const n = Number(v);
+        if (Number.isFinite(n) && n > 0)
+            return n;
+    }
+    return null;
+}
+function parseErrorBody(body) {
+    let parsed;
+    try {
+        parsed = JSON.parse(body);
+    }
+    catch {
+        return {};
+    }
+    if (parsed === null || typeof parsed !== "object")
+        return {};
+    const raw = parsed;
+    return {
+        error: isNonEmptyString(raw.error) ? raw.error : undefined,
+        description: isNonEmptyString(raw.error_description)
+            ? raw.error_description
+            : undefined,
+    };
+}
+function throwFromErrorResponse(status, body) {
+    const { error, description } = parseErrorBody(body);
+    const suffix = error
+        ? description
+            ? `: ${error}: ${description}`
+            : `: ${error}`
+        : "";
+    const details = {};
+    if (error)
+        details.error = error;
+    if (description)
+        details.error_description = description;
+    throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token exchange failed with HTTP ${status}${suffix}`, Object.keys(details).length > 0 ? { details } : undefined);
+}
+/**
+ * Exchanges an authorization code for a `TokenSet` via the
+ * authorization server's token endpoint (RFC 6749 §4.1.3 + RFC 7636
+ * §4.5). Rejects with `OAuthFlowError("TOKEN_EXCHANGE_FAILED", ...)`
+ * for any failure mode, surfacing the OAuth `error` /
+ * `error_description` when available.
+ */
+async function exchangeCodeForTokens(options) {
+    const now = options.now ?? Date.now;
+    const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        client_id: options.clientId,
+        code: options.code,
+        code_verifier: options.codeVerifier,
+        redirect_uri: options.redirectUri,
+    });
+    // Capture `issuedAt` before the network call so we don't drift past
+    // expiry just because the network was slow. Slightly conservative —
+    // the token actually expires `expires_in` seconds from when the
+    // server issued it, so the effective usable window is `expires_in -
+    // RTT`, which errs toward "expires sooner" rather than "expires
+    // later." That's the safer direction for any consumer doing
+    // pre-expiry checks.
+    const issuedAt = now();
+    let response;
+    try {
+        response = await fetch(options.tokenEndpoint, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                Accept: "application/json",
+            },
+            body,
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Could not reach the token endpoint at ${options.tokenEndpoint}. Check your network connection.`, { cause });
+    }
+    if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throwFromErrorResponse(response.status, text);
+    }
+    let parsed;
+    try {
+        parsed = await response.json();
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token endpoint at ${options.tokenEndpoint} returned a non-JSON response`, { cause });
+    }
+    if (parsed === null || typeof parsed !== "object") {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token endpoint at ${options.tokenEndpoint} returned a non-object response`);
+    }
+    const raw = parsed;
+    if (!isNonEmptyString(raw.access_token)) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing 'access_token'`);
+    }
+    const expiresIn = parseExpiresIn(raw.expires_in);
+    if (expiresIn === null) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing or has invalid 'expires_in'`);
+    }
+    // RFC 6749 §5.1: token_type is REQUIRED. We only speak Bearer;
+    // DPoP / MAC / other proof-of-possession types need request-side
+    // support we don't implement, and silently treating them as Bearer
+    // would send tokens in the wrong header with unclear semantics.
+    if (!isNonEmptyString(raw.token_type)) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing required 'token_type'`);
+    }
+    if (raw.token_type.toLowerCase() !== "bearer") {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Unsupported token_type '${raw.token_type}'; this library only handles Bearer.`);
+    }
+    const tokens = {
+        accessToken: raw.access_token,
+        expiresAt: issuedAt + expiresIn * 1000,
+    };
+    if (isNonEmptyString(raw.refresh_token)) {
+        tokens.refreshToken = raw.refresh_token;
+    }
+    if (isNonEmptyString(raw.scope)) {
+        tokens.grantedScope = raw.scope;
+    }
+    return tokens;
+}

package/dist/oauth/tokenStore.d.ts

@@ -0,0 +1,78 @@
+import type { TokenSet } from "./tokenExchange";
+/**
+ * Current on-disk blob schema version. Exported so consumers can
+ * display "stored v:N, expected v:M" diagnostics when `load()` returns
+ * a `version-mismatch` result.
+ */
+export declare const STORED_BLOB_VERSION = 1;
+/**
+ * Outcome of a `TokenStore.load()` call.
+ *
+ * Note on downgrades: the migrator chain only walks *forward*. A user
+ * who downgrades `axe-auth` to a release that predates a schema bump
+ * will see `version-mismatch` on any blob written by the newer
+ * release, even if the change was strictly additive. That is the safe
+ * default for a credentials blob — the older version cannot vouch for
+ * the meaning of fields it has never seen. Callers hitting this case
+ * should treat it as "re-authenticate" rather than attempting to
+ * parse an unknown future shape.
+ */
+export type LoadResult = {
+    ok: true;
+    tokens: TokenSet;
+} | {
+    ok: false;
+    reason: "empty";
+} | {
+    ok: false;
+    reason: "corrupt";
+} | {
+    ok: false;
+    reason: "version-mismatch";
+    storedVersion: number;
+};
+/** Persistence layer for an OAuth `TokenSet`. */
+export interface TokenStore {
+    /** Write-through save. Replaces any previously stored tokens. */
+    save(tokens: TokenSet): Promise<void>;
+    /**
+     * Reads the stored tokens and returns a structured result.
+     *
+     * Callers should branch on `result.ok` first. When `ok` is `false`,
+     * `reason` tells them *why* there is no usable `TokenSet`: `empty`
+     * (nothing stored), `corrupt` (unparseable or shape-invalid), or
+     * `version-mismatch` (stored under a schema we cannot migrate from).
+     * The library does not emit output on these cases — surfacing them
+     * to the user is the caller's responsibility.
+     */
+    load(): Promise<LoadResult>;
+    /** Removes any stored tokens. No-op if none are present. */
+    clear(): Promise<void>;
+}
+/** Minimal keyring-entry surface consumed by `KeyringTokenStore`. */
+export interface KeyringEntry {
+    /** Writes the password for this entry. */
+    setPassword(password: string): void;
+    /** Reads the current password, or returns `null` if none is set. */
+    getPassword(): string | null;
+    /** Deletes the password and returns `true` if one existed. */
+    deletePassword(): boolean;
+}
+/**
+ * Factory for `KeyringEntry` values. Injection seam for tests;
+ * production callers use the default that constructs
+ * `@napi-rs/keyring` entries lazily.
+ */
+export type KeyringEntryFactory = (service: string, account: string) => KeyringEntry;
+/**
+ * `TokenStore` backed by the operating system's native keychain via
+ * `@napi-rs/keyring` (macOS Keychain, Windows Credential Manager, Linux
+ * Secret Service). Account is keyed by the normalized issuer URL.
+ */
+export declare class KeyringTokenStore implements TokenStore {
+    #private;
+    constructor(issuerURL: string, entryFactory?: KeyringEntryFactory);
+    save(tokens: TokenSet): Promise<void>;
+    load(): Promise<LoadResult>;
+    clear(): Promise<void>;
+}

package/dist/oauth/tokenStore.js

@@ -0,0 +1,176 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeyringTokenStore = exports.STORED_BLOB_VERSION = void 0;
+const node_module_1 = require("node:module");
+const errors_1 = require("./errors");
+const issuerURL_1 = require("./issuerURL");
+const requireFromHere = (0, node_module_1.createRequire)(__filename);
+// On macOS: Keychain generic password item with the service name below.
+// On Windows: Credential Manager entry. On Linux: Secret Service / libsecret.
+// Exposed as a human-readable string because these all surface the service
+// name in OS UIs (Keychain Access, credmgr.exe, seahorse).
+const SERVICE_NAME = "axe-auth";
+/**
+ * Current on-disk blob schema version. Exported so consumers can
+ * display "stored v:N, expected v:M" diagnostics when `load()` returns
+ * a `version-mismatch` result.
+ */
+exports.STORED_BLOB_VERSION = 1;
+/**
+ * Migrators upgrade an older blob to the next version up. Walked by
+ * `load()` until the stored blob reaches `STORED_BLOB_VERSION`.
+ *
+ * A migrator returns `null` when the bump cannot be inferred from the
+ * old shape (e.g. a new required field with no derivable default); the
+ * caller then sees `{ ok: false, reason: "version-mismatch" }` and
+ * decides whether to re-auth, prompt, or preserve the old blob.
+ *
+ * Each migrator is responsible for taking `vN` → `vN+1`. To skip a
+ * version deliberately, register a migrator that returns `null` for
+ * that `fromVersion`.
+ */
+const MIGRATORS = new Map([
+// [1, (v1) => migrateV1ToV2(v1 as StoredBlobV1)],
+]);
+// Lazy-resolved Entry constructor. Importing @napi-rs/keyring at the
+// top of this module would run its native binding loader at
+// module-load time, throwing before any of our OAuthFlowError code
+// catches it and preventing the module from being imported at all on
+// platforms without a prebuilt. We defer the require into
+// `defaultEntryFactory`, which turns that import-time failure into a
+// `KEYRING_UNAVAILABLE` surfaced on the first `new
+// KeyringTokenStore(...)` call — not on first save/load/clear, since
+// `authorize()` (and similar callers) construct the store eagerly as
+// a default-arg expression. Runtime keychain errors (missing D-Bus
+// Secret Service, macOS Keychain denial, etc.) are a separate
+// concern and surface later, inside save/load/clear.
+let cachedEntryCtor = null;
+function resolveEntryCtor() {
+    if (cachedEntryCtor)
+        return cachedEntryCtor;
+    try {
+        const mod = requireFromHere("@napi-rs/keyring");
+        cachedEntryCtor = mod.Entry;
+        return cachedEntryCtor;
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("KEYRING_UNAVAILABLE", `Could not load @napi-rs/keyring. A prebuilt native binding for this platform may be missing.`, { cause });
+    }
+}
+const defaultEntryFactory = (service, account) => {
+    const Ctor = resolveEntryCtor();
+    return new Ctor(service, account);
+};
+function getStoredVersion(blob) {
+    if (blob === null || typeof blob !== "object")
+        return null;
+    const v = blob.v;
+    return typeof v === "number" && Number.isInteger(v) && v > 0 ? v : null;
+}
+function isLatestBlob(blob) {
+    if (blob === null || typeof blob !== "object")
+        return false;
+    const b = blob;
+    return (b.v === exports.STORED_BLOB_VERSION &&
+        typeof b.accessToken === "string" &&
+        typeof b.expiresAt === "number" &&
+        (b.refreshToken === undefined || typeof b.refreshToken === "string"));
+}
+function blobToTokens(blob) {
+    const tokens = {
+        accessToken: blob.accessToken,
+        expiresAt: blob.expiresAt,
+    };
+    if (blob.refreshToken !== undefined)
+        tokens.refreshToken = blob.refreshToken;
+    return tokens;
+}
+function tokensToBlob(tokens) {
+    const blob = {
+        v: exports.STORED_BLOB_VERSION,
+        accessToken: tokens.accessToken,
+        expiresAt: tokens.expiresAt,
+    };
+    if (tokens.refreshToken !== undefined)
+        blob.refreshToken = tokens.refreshToken;
+    return blob;
+}
+function wrapKeyringError(op, cause) {
+    throw new errors_1.OAuthFlowError("KEYRING_UNAVAILABLE", `System keychain ${op} failed. On Linux this usually means no D-Bus Secret Service is running.`, { cause });
+}
+/**
+ * `TokenStore` backed by the operating system's native keychain via
+ * `@napi-rs/keyring` (macOS Keychain, Windows Credential Manager, Linux
+ * Secret Service). Account is keyed by the normalized issuer URL.
+ */
+class KeyringTokenStore {
+    #entry;
+    constructor(issuerURL, entryFactory = defaultEntryFactory) {
+        this.#entry = entryFactory(SERVICE_NAME, (0, issuerURL_1.normalizeIssuerURL)(issuerURL));
+    }
+    async save(tokens) {
+        try {
+            this.#entry.setPassword(JSON.stringify(tokensToBlob(tokens)));
+        }
+        catch (cause) {
+            wrapKeyringError("write", cause);
+        }
+    }
+    async load() {
+        let raw;
+        try {
+            raw = this.#entry.getPassword();
+        }
+        catch (cause) {
+            wrapKeyringError("read", cause);
+        }
+        if (raw === null)
+            return { ok: false, reason: "empty" };
+        let parsed;
+        try {
+            parsed = JSON.parse(raw);
+        }
+        catch {
+            return { ok: false, reason: "corrupt" };
+        }
+        const storedVersion = getStoredVersion(parsed);
+        if (storedVersion === null)
+            return { ok: false, reason: "corrupt" };
+        // Walk the migrator chain until we reach the current version. A
+        // missing or null-returning migrator means the old blob cannot be
+        // upgraded; surface that so callers can prompt re-auth with a
+        // clear signal instead of silently returning `empty`.
+        let current = parsed;
+        let currentVersion = storedVersion;
+        while (currentVersion !== exports.STORED_BLOB_VERSION) {
+            const migrator = MIGRATORS.get(currentVersion);
+            if (!migrator) {
+                return { ok: false, reason: "version-mismatch", storedVersion };
+            }
+            const next = migrator(current);
+            if (next === null) {
+                return { ok: false, reason: "version-mismatch", storedVersion };
+            }
+            const nextVersion = getStoredVersion(next);
+            if (nextVersion === null || nextVersion <= currentVersion) {
+                // Migrator output is malformed or didn't advance. Treat the
+                // stored blob as un-migratable rather than loop forever.
+                return { ok: false, reason: "version-mismatch", storedVersion };
+            }
+            current = next;
+            currentVersion = nextVersion;
+        }
+        if (!isLatestBlob(current))
+            return { ok: false, reason: "corrupt" };
+        return { ok: true, tokens: blobToTokens(current) };
+    }
+    async clear() {
+        try {
+            this.#entry.deletePassword();
+        }
+        catch (cause) {
+            wrapKeyringError("delete", cause);
+        }
+    }
+}
+exports.KeyringTokenStore = KeyringTokenStore;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@deque/axe-auth",
-  "version": "1.1.0-next.97bcb8e6",
+  "version": "1.1.0-next.f7b98204",
   "description": "CLI authentication utility for Deque services",
   "license": "SEE LICENSE IN LICENSE",
   "type": "commonjs",
@@ -20,13 +20,21 @@
   "engines": {
     "node": ">=22.13.0"
   },
+  "dependencies": {
+    "@napi-rs/keyring": "^1.2.0"
+  },
   "devDependencies": {
     "@types/node": "^22.13.10",
+    "c8": "^10.1.3",
     "tsx": "^4.20.6",
     "typescript": "^5.9.3"
   },
   "scripts": {
     "build": "tsc",
-    "test": "tsx --test 'src/**/*.test.ts'"
+    "test": "tsx --test 'src/**/*.test.ts'",
+    "coverage": "c8 pnpm test",
+    "register-dev-client": "tsx scripts/registerDevClient.ts",
+    "smoke-authorize": "tsx scripts/smokeAuthorize.ts",
+    "manual-authorize": "tsx scripts/manualAuthorize.ts"
   }
 }