@deque/axe-auth 1.1.0-next.d59ba863 → 1.1.0-next.d5a755f8

package/dist/oauth/refreshTokens.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.refreshTokens = refreshTokens;
 const errors_1 = require("./errors");
+const retry_1 = require("./retry");
 const tokenResponse_1 = require("./tokenResponse");
 const userAgent_1 = require("../userAgent");
 /**
@@ -31,11 +32,11 @@ async function refreshTokens(options) {
         grant_type: "refresh_token",
         client_id: options.clientId,
         refresh_token: options.refreshToken,
-    });
+    }).toString();
     const issuedAt = now();
     let response;
     try {
-        response = await fetch(options.tokenEndpoint, {
+        response = await (0, retry_1.fetchWithRetry)(options.tokenEndpoint, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",
@@ -53,9 +54,6 @@ async function refreshTokens(options) {
         await (0, tokenResponse_1.throwTokenEndpointError)(response, "Token refresh");
     }
     const fresh = await (0, tokenResponse_1.parseTokenResponse)(response, issuedAt, options.tokenEndpoint);
-    // Preserve the input refresh token if the server didn't rotate.
-    // Keycloak rotates by default; others (e.g. Okta with some
-    // configs) don't.
     return {
         ...fresh,
         refreshToken: fresh.refreshToken ?? options.refreshToken,

package/dist/oauth/renderHTML.d.ts

@@ -0,0 +1,12 @@
+/** Discriminates the success vs. error variant of the callback page. */
+export type HTMLInput = {
+    kind: "success";
+} | {
+    kind: "error";
+    reason: string;
+    description?: string;
+};
+/** Content-Security-Policy header value sent with every callback page. */
+export declare const CSP_HEADER: string;
+/** Renders the loopback callback page shown in the user's browser. */
+export declare function renderHTML(input: HTMLInput): string;

package/dist/oauth/{renderHtml.js → renderHTML.js}

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.renderHtml = exports.CSP_HEADER = void 0;
+exports.CSP_HEADER = void 0;
+exports.renderHTML = renderHTML;
 const node_crypto_1 = require("node:crypto");
 const logo_generated_1 = require("./logo.generated");
 const CSS = `:root{--off-black:#666;--off-white:#fdfdfe;--white:#fff;--pink:#d71ef7;--blue:#3c7aae;--space-small:12px;--space-medium:24px;--space-large:36px;--space-huge:48px;--border-radius:3px}
@@ -19,17 +20,21 @@ main{margin:var(--space-huge) auto;padding-left:var(--space-medium);padding-righ
 // 'unsafe-inline'. Any drift between this digest and the rendered <style> tag
 // causes the browser to refuse the stylesheet — see docs/callback-page.md.
 const STYLE_HASH = (0, node_crypto_1.createHash)("sha256").update(CSS, "utf8").digest("base64");
+/** Content-Security-Policy header value sent with every callback page. */
 exports.CSP_HEADER = `default-src 'none'; img-src data:; style-src 'sha256-${STYLE_HASH}'; frame-ancestors 'none'`;
 // OWASP-recommended 5-character set for HTML body/attribute contexts;
 // & must come first to avoid double-escaping. Not safe for JS/CSS/URL contexts.
 // https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-html-contexts
-const escape = (s) => s
-    .replace(/&/g, "&amp;")
-    .replace(/</g, "&lt;")
-    .replace(/>/g, "&gt;")
-    .replace(/"/g, "&quot;")
-    .replace(/'/g, "&#39;");
-const page = (title, body) => `<!doctype html>
+function escape(s) {
+    return s
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
+function page(title, body) {
+    return `<!doctype html>
 <html lang="en">
 <head>
 <meta charset="UTF-8">
@@ -44,7 +49,9 @@ ${body}
 </main>
 </body>
 </html>`;
-const renderHtml = (input) => {
+}
+/** Renders the loopback callback page shown in the user's browser. */
+function renderHTML(input) {
     if (input.kind === "success") {
         return page("Authenticated", `<h1>Authenticated</h1>
 <p class="close">You can close this tab and return to your terminal.</p>`);
@@ -56,5 +63,4 @@ const renderHtml = (input) => {
 <p class="reason">${escape(input.reason)}</p>
 ${descriptionBlock}
 <p class="close">You can close this tab and return to your terminal.</p>`);
-};
-exports.renderHtml = renderHtml;
+}

package/dist/oauth/retry.d.ts

@@ -0,0 +1,2 @@
+/** Wraps `fetch` with bounded retries on transient connection errors. */
+export declare function fetchWithRetry(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;

package/dist/oauth/retry.js

@@ -0,0 +1,50 @@
+"use strict";
+// undici's `RetryAgent` cannot retry POSTs through `fetch()` — its retry
+// handler aborts once the fetch ReadableStream body is consumed. Re-invoking
+// `fetch()` per attempt with a string body sidesteps that. POST replay is
+// safe for our OAuth endpoints by spec: single-use codes (RFC 6749 §4.1.2),
+// refresh requests that never reached the server (§6), no-op revocation
+// (RFC 7009 §2.2).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchWithRetry = fetchWithRetry;
+const promises_1 = require("node:timers/promises");
+const MAX_RETRIES = 3;
+const CONNECTION_ERROR_CODES = new Set([
+    "ECONNRESET",
+    "ECONNREFUSED",
+    "ENOTFOUND",
+    "ENETDOWN",
+    "ENETUNREACH",
+    "EHOSTDOWN",
+    "UND_ERR_SOCKET",
+]);
+function isConnectionError(err) {
+    const seen = new Set();
+    let current = err;
+    while (current && typeof current === "object" && !seen.has(current)) {
+        seen.add(current);
+        const e = current;
+        if (typeof e.code === "string" && CONNECTION_ERROR_CODES.has(e.code)) {
+            return true;
+        }
+        current = e.cause;
+    }
+    return false;
+}
+/** Wraps `fetch` with bounded retries on transient connection errors. */
+async function fetchWithRetry(input, init) {
+    for (let attempt = 0;; attempt++) {
+        try {
+            return await fetch(input, init);
+        }
+        catch (err) {
+            if (attempt >= MAX_RETRIES || !isConnectionError(err)) {
+                throw err;
+            }
+            // Exponential backoff: 500ms, 1s, 2s, capped at 30s.
+            // `sleep` honors `init.signal` so an aborted request interrupts the wait.
+            const delay = Math.min(500 * Math.pow(2, attempt), 30_000);
+            await (0, promises_1.setTimeout)(delay, undefined, { signal: init?.signal ?? undefined });
+        }
+    }
+}

package/dist/oauth/revokeToken.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.revokeRefreshToken = revokeRefreshToken;
+const retry_1 = require("./retry");
 const userAgent_1 = require("../userAgent");
 /**
  * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
@@ -23,10 +24,10 @@ async function revokeRefreshToken(options) {
         token: options.refreshToken,
         token_type_hint: "refresh_token",
         client_id: options.clientId,
-    });
+    }).toString();
     let response;
     try {
-        response = await fetch(options.revocationEndpoint, {
+        response = await (0, retry_1.fetchWithRetry)(options.revocationEndpoint, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",

package/dist/oauth/tokenExchange.d.ts

@@ -10,7 +10,7 @@ export interface ExchangeCodeForTokensOptions {
     /** PKCE verifier paired with the `code_challenge` sent at auth time. */
     codeVerifier: string;
     /** Redirect URI originally sent to the authorization endpoint. */
-    redirectUri: string;
+    redirectURI: string;
     /** Source of `now`. Injected for test determinism; defaults to `Date.now`. */
     now?: () => number;
     /** Aborts the underlying fetch when fired. */

package/dist/oauth/tokenExchange.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.exchangeCodeForTokens = exchangeCodeForTokens;
 const errors_1 = require("./errors");
+const retry_1 = require("./retry");
 const tokenResponse_1 = require("./tokenResponse");
 const userAgent_1 = require("../userAgent");
 /**
@@ -18,12 +19,12 @@ async function exchangeCodeForTokens(options) {
         client_id: options.clientId,
         code: options.code,
         code_verifier: options.codeVerifier,
-        redirect_uri: options.redirectUri,
-    });
+        redirect_uri: options.redirectURI,
+    }).toString();
     const issuedAt = now();
     let response;
     try {
-        response = await fetch(options.tokenEndpoint, {
+        response = await (0, retry_1.fetchWithRetry)(options.tokenEndpoint, {
             method: "POST",
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",

package/dist/oauth/tokenResponse.d.ts

@@ -1,18 +1,4 @@
-/**
- * Tokens returned by a successful token-endpoint call (authorization
- * code exchange, refresh-token grant, etc.).
- *
- * `refreshToken` is optional because not all flows return one. On
- * authorization-code exchange it's absent if the caller did not
- * request `offline_access` (or the provider equivalent); on refresh
- * some providers rotate tokens (return a new one) while others don't
- * (the caller should keep the existing refresh token).
- *
- * `grantedScope` reflects the authorization server's `scope` response
- * field when present. RFC 6749 §5.1 says `scope` is required in the
- * response when the granted set differs from the requested set; many
- * servers send it unconditionally.
- */
+/** Tokens returned by a successful token-endpoint call. */
 export interface TokenSet {
     /** Access token for authenticated API calls. */
     accessToken: string;
@@ -24,31 +10,13 @@ export interface TokenSet {
     grantedScope?: string;
 }
 /**
- * Reads a non-2xx response body and throws
- * `OAuthFlowError("TOKEN_EXCHANGE_FAILED", …)` with the OAuth
- * `error` / `error_description` surfaced in both message and details
- * when present. Shared by both the authorization-code exchange and
- * refresh-token paths since the error contract is identical.
- *
- * @param context Short human-readable description of which call
- *   failed ("Token exchange", "Token refresh", etc.). Appears in the
- *   error message.
+ * Reads a non-2xx response body and throws `TOKEN_EXCHANGE_FAILED`
+ * with the OAuth `error` / `error_description` surfaced when present.
  */
 export declare function throwTokenEndpointError(response: Response, context: string): Promise<never>;
 /**
- * Parses a 2xx response body from an RFC 6749 §5.1 token endpoint
- * (authorization-code exchange, refresh-token grant, etc.) into a
- * `TokenSet`. Validates the required shape (`access_token`,
- * `expires_in`, Bearer `token_type`) and converts the relative
- * `expires_in` into an absolute `expiresAt` using `issuedAt`.
- *
- * @param response The HTTP response (must be 2xx; caller handles
- *   error statuses via `throwTokenEndpointError`).
- * @param issuedAt The timestamp captured just before the network
- *   call. Slightly conservative — the token actually expires
- *   `expires_in` seconds from when the server issued it, so the
- *   effective usable window is `expires_in - RTT`, which errs toward
- *   "expires sooner" rather than "expires later."
- * @param endpointURL URL used for error messages.
+ * Parses a 2xx response from an RFC 6749 §5.1 token endpoint into a
+ * `TokenSet`. `issuedAt` is the timestamp captured just before the
+ * network call; the resulting `expiresAt` is conservative by ~RTT.
  */
 export declare function parseTokenResponse(response: Response, issuedAt: number, endpointURL: string): Promise<TokenSet>;

package/dist/oauth/tokenResponse.js

@@ -4,10 +4,8 @@ exports.throwTokenEndpointError = throwTokenEndpointError;
 exports.parseTokenResponse = parseTokenResponse;
 const errors_1 = require("./errors");
 const predicates_1 = require("./predicates");
-// RFC 6749 §5.1 describes `expires_in` as "the lifetime in seconds"
-// without pinning the JSON type, and some providers historically send
-// numeric strings. Accept both; reject anything non-positive or
-// non-finite.
+// RFC 6749 §5.1 doesn't pin the JSON type and some providers send
+// numeric strings; accept both, reject non-positive or non-finite.
 function parseExpiresIn(v) {
     if (typeof v === "number" && Number.isFinite(v) && v > 0)
         return v;
@@ -37,15 +35,8 @@ function parseErrorBody(body) {
     };
 }
 /**
- * Reads a non-2xx response body and throws
- * `OAuthFlowError("TOKEN_EXCHANGE_FAILED", …)` with the OAuth
- * `error` / `error_description` surfaced in both message and details
- * when present. Shared by both the authorization-code exchange and
- * refresh-token paths since the error contract is identical.
- *
- * @param context Short human-readable description of which call
- *   failed ("Token exchange", "Token refresh", etc.). Appears in the
- *   error message.
+ * Reads a non-2xx response body and throws `TOKEN_EXCHANGE_FAILED`
+ * with the OAuth `error` / `error_description` surfaced when present.
  */
 async function throwTokenEndpointError(response, context) {
     const body = await response.text().catch(() => "");
@@ -63,20 +54,9 @@ async function throwTokenEndpointError(response, context) {
     throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `${context} failed with HTTP ${response.status}${suffix}`, Object.keys(details).length > 0 ? { details } : undefined);
 }
 /**
- * Parses a 2xx response body from an RFC 6749 §5.1 token endpoint
- * (authorization-code exchange, refresh-token grant, etc.) into a
- * `TokenSet`. Validates the required shape (`access_token`,
- * `expires_in`, Bearer `token_type`) and converts the relative
- * `expires_in` into an absolute `expiresAt` using `issuedAt`.
- *
- * @param response The HTTP response (must be 2xx; caller handles
- *   error statuses via `throwTokenEndpointError`).
- * @param issuedAt The timestamp captured just before the network
- *   call. Slightly conservative — the token actually expires
- *   `expires_in` seconds from when the server issued it, so the
- *   effective usable window is `expires_in - RTT`, which errs toward
- *   "expires sooner" rather than "expires later."
- * @param endpointURL URL used for error messages.
+ * Parses a 2xx response from an RFC 6749 §5.1 token endpoint into a
+ * `TokenSet`. `issuedAt` is the timestamp captured just before the
+ * network call; the resulting `expiresAt` is conservative by ~RTT.
  */
 async function parseTokenResponse(response, issuedAt, endpointURL) {
     let parsed;

package/dist/oauth/tokenStore.d.ts

@@ -1,5 +1,16 @@
 import { type KeyringEntryFactory } from "./keyringBinding";
 import type { TokenSet } from "./tokenResponse";
+/**
+ * Whether `KeyringTokenStore` should split the stored blob across
+ * multiple keychain entries on this platform. Windows-only: Credential
+ * Manager has a 2560-byte per-entry cap that large OAuth tokens
+ * routinely exceed. macOS Keychain and Linux libsecret have no
+ * comparable limit, and on macOS each entry is independently lockable
+ * (chunking there would multiply per-entry ACL prompts). Exported
+ * (parameterized for tests) so the chunking path can be exercised
+ * deterministically.
+ */
+export declare function shouldChunkForKeyring(platform?: NodeJS.Platform): boolean;
 /**
  * Current on-disk blob schema version. Exported so consumers can
  * display "stored v:N, expected v:M" diagnostics when `load()` returns
@@ -100,17 +111,61 @@ export type BlobChainResult = {
  * and `MIGRATORS` and applies the latest-shape check on top.
  */
 export declare function parseAndMigrateBlob(raw: string | null, expectedVersion?: number, migrators?: ReadonlyMap<number, (old: unknown) => unknown | null>): BlobChainResult;
+/**
+ * Builds the user-facing keychain error message: the underlying
+ * cause's text plus a per-platform hint. Platform is a parameter
+ * (defaulting to `process.platform`) so tests can drive each branch
+ * without mocking the runtime; mirrors the pattern in
+ * `platformKeyringHint`.
+ */
+export declare function keyringErrorMessage(op: string, cause: unknown, platform?: NodeJS.Platform): string;
+/**
+ * Returns a per-platform hint appended to keychain error messages so
+ * users see actionable guidance for their OS instead of generic or
+ * Linux-only advice. Exported (but not re-exported from the package
+ * index) so tests can exercise each branch without mocking
+ * `process.platform`.
+ */
+export declare function platformKeyringHint(platform?: NodeJS.Platform): string;
 /**
  * `TokenStore` backed by the operating system's native keychain via
  * `@napi-rs/keyring` (macOS Keychain, Windows Credential Manager, Linux
- * Secret Service). One entry per machine, keyed by a fixed account
- * name; the blob carries its own issuer/client coordinates so verbs
- * can recover full config without per-issuer keying.
+ * Secret Service). On macOS and Linux the blob lives in a single entry
+ * keyed by the fixed `credentials` account name. On Windows the blob
+ * is split across `credentials.0`, `credentials.1`, … entries to fit
+ * under Credential Manager's 2560-byte (1280 UTF-16 char) per-entry
+ * cap; see `shouldChunkForKeyring`.
+ *
+ * The blob carries its own issuer/client coordinates so verbs can
+ * recover full config without per-issuer keying.
  */
 export declare class KeyringTokenStore implements TokenStore {
     #private;
+    /**
+     * @param entryFactory Injection seam for `@napi-rs/keyring` entries.
+     *   Defaults to the production lazy-resolved factory; tests pass a
+     *   recording / faking variant.
+     */
     constructor(entryFactory?: KeyringEntryFactory);
+    /**
+     * @internal Test seam. Constructs a store with an explicit chunking
+     * decision instead of the platform-determined default, so the
+     * chunked path can be exercised on macOS/Linux CI and the unchunked
+     * path on Windows CI. Production code must use the regular
+     * constructor and let `shouldChunkForKeyring()` decide — passing
+     * `chunked: true` on macOS would write data that the regular
+     * constructor wouldn't be able to read.
+     */
+    static forTesting(entryFactory: KeyringEntryFactory, chunked: boolean): KeyringTokenStore;
     save(entry: StoredEntry): Promise<void>;
     load(): Promise<LoadResult>;
     clear(): Promise<void>;
 }
+/**
+ * Splits `blob` into the N parts that `KeyringTokenStore.#saveChunked`
+ * writes to `credentials.0..N-1`. Chunk 0 is prefixed with `<N>\n` so
+ * the reader can learn N from a single getPassword call. Each chunk
+ * stays under `CHUNK_LIMIT` UTF-16 characters; throws if the blob would
+ * require more than `MAX_CHUNKS` chunks. Exported for tests.
+ */
+export declare function chunkBlobForKeyring(blob: string): string[];