@deque/axe-auth 1.1.0-next.f7b98204 → 1.1.0-next.fda76051

package/dist/oauth/authorize.d.ts

@@ -1,4 +1,4 @@
-import { type TokenSet } from "./tokenExchange";
+import type { TokenSet } from "./tokenResponse";
 import { type TokenStore } from "./tokenStore";
 /** Options for `authorize`. */
 export interface AuthorizeOptions {
@@ -25,8 +25,9 @@ export interface AuthorizeOptions {
     /** Aborts the in-flight discovery, callback wait, and token exchange. */
     signal?: AbortSignal;
     /**
-     * Override for the token persistence layer. Defaults to
-     * `KeyringTokenStore` keyed by the normalized issuer URL.
+     * Override for the token persistence layer. Defaults to a fresh
+     * `KeyringTokenStore()` (single keychain entry per machine; the
+     * blob carries its own issuer/client coordinates).
      */
     tokenStore?: TokenStore;
     /** Override for the system browser launcher. Injected for tests. */

package/dist/oauth/authorize.js

@@ -38,7 +38,7 @@ function defaultOnWarning(message) {
  * @throws {OAuthCallbackError} For loopback/callback-server failures.
  */
 async function authorize(options) {
-    const { issuerURL, clientId, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(issuerURL), openBrowser = openBrowser_1.openBrowser, onAuthorizationUrl = defaultOnAuthorizationUrl, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
+    const { issuerURL, clientId, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(), openBrowser = openBrowser_1.openBrowser, onAuthorizationUrl = defaultOnAuthorizationUrl, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
     // Discovery first. If the auth server is unreachable we want to fail
     // *before* opening a browser — a rejected discovery throw is
     // strictly more useful than a browser tab pointing at a
@@ -98,14 +98,18 @@ async function authorize(options) {
         // came back, warn. Prefer the server's reported `grantedScope`
         // when present (RFC 6749 §5.1) since the provider's consent
         // screen may have dropped the scope.
-        if (scopes.includes("offline_access") &&
-            tokens.refreshToken === undefined) {
+        if (scopes.includes("offline_access") && !tokens.refreshToken) {
             const grantedSuffix = tokens.grantedScope
                 ? ` (server granted: ${tokens.grantedScope})`
                 : "";
             onWarning(`'offline_access' was requested but no refresh_token was returned${grantedSuffix}. Cross-session refresh will not be available.`);
         }
-        await tokenStore.save(tokens);
+        await tokenStore.save({
+            tokens,
+            issuerURL,
+            clientId,
+            allowInsecureIssuer: allowInsecureIssuer ?? false,
+        });
         return tokens;
     }
     finally {

package/dist/oauth/discoverOIDC.js

@@ -3,12 +3,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.discoverOIDC = discoverOIDC;
 const errors_1 = require("./errors");
 const issuerURL_1 = require("./issuerURL");
+const predicates_1 = require("./predicates");
 const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
-function isNonEmptyString(v) {
-    return typeof v === "string" && v.length > 0;
-}
 function optionalString(v) {
-    return isNonEmptyString(v) ? v : undefined;
+    return (0, predicates_1.isNonEmptyString)(v) ? v : undefined;
 }
 /**
  * Throws `DISCOVERY_FAILED` if `url` is not safe to transmit OAuth
@@ -53,12 +51,12 @@ function buildDiscoveryURL(issuerURL) {
 }
 function parseConfiguration(body, url) {
     const missing = [];
-    if (!isNonEmptyString(body.issuer))
+    if (!(0, predicates_1.isNonEmptyString)(body.issuer))
         missing.push("issuer");
-    if (!isNonEmptyString(body.authorization_endpoint)) {
+    if (!(0, predicates_1.isNonEmptyString)(body.authorization_endpoint)) {
         missing.push("authorization_endpoint");
     }
-    if (!isNonEmptyString(body.token_endpoint))
+    if (!(0, predicates_1.isNonEmptyString)(body.token_endpoint))
         missing.push("token_endpoint");
     if (missing.length > 0) {
         throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `OpenID configuration at ${url} is missing required field(s): ${missing.join(", ")}`);

package/dist/oauth/errors.d.ts

@@ -42,7 +42,9 @@ export type OAuthFlowErrorCode =
 /** System keychain is unavailable (e.g. no D-Bus secret service on Linux). */
  | "KEYRING_UNAVAILABLE"
 /** Authorization endpoint returned by discovery cannot be used (e.g. already carries an OAuth-required param). Server misconfiguration. */
- | "INVALID_AUTHORIZATION_ENDPOINT";
+ | "INVALID_AUTHORIZATION_ENDPOINT"
+/** No usable stored credentials; the user needs to run `login` to re-authenticate. Covers empty / corrupt / version-mismatched store and refresh tokens the authorization server has revoked. */
+ | "NOT_AUTHENTICATED";
 /** Options for `OAuthFlowError`. */
 export interface OAuthFlowErrorOptions {
     /** Structured metadata for callers that want to surface specific fields. */

package/dist/oauth/getValidAccessToken.d.ts

@@ -0,0 +1,89 @@
+import { type LoadResult, type TokenStore } from "./tokenStore";
+/** Options for `getValidAccessToken`. */
+export interface GetValidAccessTokenOptions {
+    /**
+     * OIDC issuer URL (same value passed to `authorize`). Must match
+     * the stored entry's `issuerURL`; mismatch throws
+     * `OAuthFlowError("NOT_AUTHENTICATED", ...)` rather than refreshing
+     * the wrong issuer's tokens at the requested endpoint.
+     */
+    issuerURL: string;
+    /**
+     * OAuth client identifier. Must match the stored entry's
+     * `clientId`; see the note on `issuerURL` for the mismatch
+     * behavior.
+     */
+    clientId: string;
+    /**
+     * How close to expiry we start preemptively refreshing, in
+     * milliseconds. Defaults to 60_000 (60s). The buffer gives headroom
+     * between our "still fresh enough" check and the server's view of
+     * expiry (which may differ by a few seconds of clock skew) and
+     * prevents a token from expiring mid-request after we hand it out.
+     *
+     * Assumes the access-token TTL is much larger than the buffer. With
+     * TTLs ≤ `expiryBufferMs`, every call will trigger a refresh.
+     */
+    expiryBufferMs?: number;
+    /**
+     * Override for the token store. Defaults to a fresh
+     * `KeyringTokenStore()` (single keychain entry per machine).
+     */
+    tokenStore?: TokenStore;
+    /**
+     * Pre-loaded result of `tokenStore.load()`. When provided, the
+     * function skips its own keychain read and uses this value
+     * instead — lets a caller that already loaded the entry (the CLI
+     * dispatcher does, to derive `parseCommonArgs` defaults) avoid a
+     * redundant second read on the hot path. The same `tokenStore` is
+     * still used for the post-refresh `save()` and the
+     * `invalid_grant` `clear()`.
+     */
+    loadedEntry?: LoadResult;
+    /** Aborts discovery + the refresh POST when fired. */
+    signal?: AbortSignal;
+    /**
+     * Forwarded to discovery. Loopback issuers are always permitted
+     * over http; this flag is the opt-in for non-loopback http.
+     */
+    allowInsecureIssuer?: boolean;
+    /**
+     * Called for soft warnings that are not errors but warrant user
+     * attention (e.g. a fresh `TokenSet` could not be written to the
+     * keychain, stranding the rotated refresh token — see the hazard
+     * note in the body of `getValidAccessToken`). The default prints
+     * to stderr only when stderr is a TTY. Pass a custom handler to
+     * route warnings through your own UI, or `() => {}` to suppress.
+     */
+    onWarning?: (message: string) => void;
+    /** Source of `now`. Defaults to `Date.now`. Injected for test determinism. */
+    now?: () => number;
+}
+/**
+ * Returns a currently-valid access token string for the given issuer,
+ * refreshing via the stored refresh token if the cached access token
+ * is within `expiryBufferMs` of expiring (or already expired).
+ *
+ * Throws `OAuthFlowError("NOT_AUTHENTICATED", ...)` when the user
+ * must re-run `axe-auth login` — covers an empty / corrupt /
+ * version-mismatched store, an expired access token with no refresh
+ * token to rotate with, and a refresh attempt rejected with
+ * `invalid_grant` (which also clears the stored tokens).
+ *
+ * Throws `OAuthFlowError("TOKEN_EXCHANGE_FAILED", ...)` for transient
+ * failures during refresh (network errors, 5xx, malformed responses)
+ * and leaves the stored tokens intact so a retry is possible.
+ *
+ * Throws `OAuthFlowError("DISCOVERY_FAILED", ...)` when the issuer
+ * URL cannot be reached or parsed at refresh time.
+ *
+ * **Concurrency note.** Not safe against parallel invocations for
+ * the same issuer. Keycloak rotates refresh tokens by default; if
+ * two parallel calls both land on the refresh path, only one
+ * winner's rotated refresh token will be persisted and the loser's
+ * rotated token is stranded. The intended consumer is the
+ * `axe-auth token` CLI (a one-shot), so this is fine in context;
+ * per-request callers should wrap in an in-flight-Promise singleton
+ * keyed by issuer.
+ */
+export declare function getValidAccessToken(options: GetValidAccessTokenOptions): Promise<string>;

package/dist/oauth/getValidAccessToken.js

@@ -0,0 +1,139 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getValidAccessToken = getValidAccessToken;
+const discoverOIDC_1 = require("./discoverOIDC");
+const errors_1 = require("./errors");
+const refreshTokens_1 = require("./refreshTokens");
+const tokenStore_1 = require("./tokenStore");
+const DEFAULT_EXPIRY_BUFFER_MS = 60_000;
+function defaultOnWarning(message) {
+    if (process.stderr.isTTY) {
+        console.error(`axe-auth: ${message}`);
+    }
+}
+function isInvalidGrant(err) {
+    return (err instanceof errors_1.OAuthFlowError &&
+        err.code === "TOKEN_EXCHANGE_FAILED" &&
+        err.details?.error === "invalid_grant");
+}
+function notAuthenticated(message, cause) {
+    return new errors_1.OAuthFlowError("NOT_AUTHENTICATED", message, cause === undefined ? undefined : { cause });
+}
+/**
+ * Returns a currently-valid access token string for the given issuer,
+ * refreshing via the stored refresh token if the cached access token
+ * is within `expiryBufferMs` of expiring (or already expired).
+ *
+ * Throws `OAuthFlowError("NOT_AUTHENTICATED", ...)` when the user
+ * must re-run `axe-auth login` — covers an empty / corrupt /
+ * version-mismatched store, an expired access token with no refresh
+ * token to rotate with, and a refresh attempt rejected with
+ * `invalid_grant` (which also clears the stored tokens).
+ *
+ * Throws `OAuthFlowError("TOKEN_EXCHANGE_FAILED", ...)` for transient
+ * failures during refresh (network errors, 5xx, malformed responses)
+ * and leaves the stored tokens intact so a retry is possible.
+ *
+ * Throws `OAuthFlowError("DISCOVERY_FAILED", ...)` when the issuer
+ * URL cannot be reached or parsed at refresh time.
+ *
+ * **Concurrency note.** Not safe against parallel invocations for
+ * the same issuer. Keycloak rotates refresh tokens by default; if
+ * two parallel calls both land on the refresh path, only one
+ * winner's rotated refresh token will be persisted and the loser's
+ * rotated token is stranded. The intended consumer is the
+ * `axe-auth token` CLI (a one-shot), so this is fine in context;
+ * per-request callers should wrap in an in-flight-Promise singleton
+ * keyed by issuer.
+ */
+async function getValidAccessToken(options) {
+    const { issuerURL, clientId, expiryBufferMs = DEFAULT_EXPIRY_BUFFER_MS, tokenStore = new tokenStore_1.KeyringTokenStore(), loadedEntry, signal, allowInsecureIssuer, onWarning = defaultOnWarning, now = Date.now, } = options;
+    const loaded = loadedEntry ?? (await tokenStore.load());
+    if (!loaded.ok) {
+        switch (loaded.reason) {
+            case "empty":
+                throw notAuthenticated("No stored credentials. Run `axe-auth login` first.");
+            case "corrupt":
+                throw notAuthenticated("Stored credentials are unreadable. Run `axe-auth login` to re-authenticate.");
+            case "version-mismatch":
+                throw notAuthenticated(`Stored credentials are from an unsupported schema version (v:${loaded.storedVersion}). Run \`axe-auth login\` to re-authenticate.`);
+        }
+    }
+    // Guard against a mismatch between the requested issuer/client and
+    // the stored entry's. Under single-entry storage, the keychain
+    // holds one set of tokens minted against one (issuer, client)
+    // pair. Refreshing those tokens against a different
+    // discovery/token endpoint would land an unrelated refresh token
+    // at the wrong server and leak it. Refuse rather than silently
+    // proceed so direct library callers (the CLI's verbs warn + route
+    // before getting here) get a clear signal.
+    if (loaded.entry.issuerURL !== issuerURL ||
+        loaded.entry.clientId !== clientId) {
+        throw notAuthenticated(`Stored credentials are for issuer ${loaded.entry.issuerURL} (client ${loaded.entry.clientId}), but the requested issuer is ${issuerURL} (client ${clientId}). Run \`axe-auth login\` to re-authenticate.`);
+    }
+    const tokens = loaded.entry.tokens;
+    if (now() + expiryBufferMs < tokens.expiresAt) {
+        // Still fresh — no network call, no store write.
+        return tokens.accessToken;
+    }
+    if (!tokens.refreshToken) {
+        throw notAuthenticated("Access token has expired and no refresh token is available. Run `axe-auth login` to re-authenticate.");
+    }
+    const config = await (0, discoverOIDC_1.discoverOIDC)(issuerURL, {
+        signal,
+        allowInsecureIssuer,
+    });
+    let fresh;
+    try {
+        fresh = await (0, refreshTokens_1.refreshTokens)({
+            tokenEndpoint: config.tokenEndpoint,
+            clientId,
+            refreshToken: tokens.refreshToken,
+            now,
+            signal,
+        });
+    }
+    catch (err) {
+        if (isInvalidGrant(err)) {
+            // Refresh token revoked / expired server-side. Best-effort
+            // clear of the stored tokens so the next run starts clean —
+            // but if the clear itself fails (e.g. KEYRING_UNAVAILABLE),
+            // prefer surfacing NOT_AUTHENTICATED so the user still gets
+            // the actionable "please run login" signal. Note the clear
+            // failure via onWarning; the next run will see the stale
+            // tokens, try to refresh, and land back here.
+            try {
+                await tokenStore.clear();
+            }
+            catch (clearErr) {
+                onWarning(`Failed to clear stored tokens after refresh rejection: ${clearErr instanceof Error ? clearErr.message : String(clearErr)}. Next run may need to clear manually.`);
+            }
+            throw notAuthenticated("Your session has expired. Run `axe-auth login` to re-authenticate.", err);
+        }
+        // Transient failure — leave the store alone so the user can
+        // retry without re-logging-in.
+        throw err;
+    }
+    // HAZARD: Keycloak (and most rotating-refresh-token providers) have
+    // already consumed the old refresh token server-side by the time
+    // `refreshTokens` returns. If persisting the rotated set fails
+    // here, we hold a valid access token in memory but the stored
+    // refresh token is now stale — the next invocation will POST it,
+    // get `invalid_grant`, and prompt re-authentication.
+    //
+    // We still return the fresh access token so the current call is
+    // useful, and warn the caller so "why does the next run need me to
+    // log in again?" has a breadcrumb.
+    try {
+        await tokenStore.save({
+            tokens: fresh,
+            issuerURL: loaded.entry.issuerURL,
+            clientId: loaded.entry.clientId,
+            allowInsecureIssuer: loaded.entry.allowInsecureIssuer,
+        });
+    }
+    catch (err) {
+        onWarning(`Refreshed tokens could not be saved: ${err instanceof Error ? err.message : String(err)}. The current call will succeed, but the next invocation will require re-authentication.`);
+    }
+    return fresh.accessToken;
+}

package/dist/oauth/index.d.ts

@@ -4,8 +4,13 @@ export { OAuthCallbackError, OAuthFlowError } from "./errors";
 export type { OAuthCallbackErrorCode, OAuthCallbackErrorOptions, OAuthFlowErrorCode, OAuthFlowErrorOptions, } from "./errors";
 export { authorize } from "./authorize";
 export type { AuthorizeOptions } from "./authorize";
-export type { TokenSet } from "./tokenExchange";
+export { getValidAccessToken } from "./getValidAccessToken";
+export type { GetValidAccessTokenOptions } from "./getValidAccessToken";
+export { refreshTokens } from "./refreshTokens";
+export type { RefreshTokensOptions } from "./refreshTokens";
+export type { TokenSet } from "./tokenResponse";
 export { KeyringTokenStore, STORED_BLOB_VERSION } from "./tokenStore";
-export type { TokenStore, LoadResult, KeyringEntry, KeyringEntryFactory, } from "./tokenStore";
+export type { LoadResult, StoredEntry, TokenStore } from "./tokenStore";
+export type { KeyringEntry, KeyringEntryFactory } from "./keyringBinding";
 export { discoverOIDC } from "./discoverOIDC";
 export type { OIDCConfiguration, DiscoverOIDCOptions } from "./discoverOIDC";

package/dist/oauth/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.discoverOIDC = exports.STORED_BLOB_VERSION = exports.KeyringTokenStore = exports.authorize = exports.OAuthFlowError = exports.OAuthCallbackError = exports.startCallbackServer = void 0;
+exports.discoverOIDC = exports.STORED_BLOB_VERSION = exports.KeyringTokenStore = exports.refreshTokens = exports.getValidAccessToken = exports.authorize = exports.OAuthFlowError = exports.OAuthCallbackError = exports.startCallbackServer = void 0;
 var callbackServer_1 = require("./callbackServer");
 Object.defineProperty(exports, "startCallbackServer", { enumerable: true, get: function () { return callbackServer_1.startCallbackServer; } });
 var errors_1 = require("./errors");
@@ -8,6 +8,10 @@ Object.defineProperty(exports, "OAuthCallbackError", { enumerable: true, get: fu
 Object.defineProperty(exports, "OAuthFlowError", { enumerable: true, get: function () { return errors_1.OAuthFlowError; } });
 var authorize_1 = require("./authorize");
 Object.defineProperty(exports, "authorize", { enumerable: true, get: function () { return authorize_1.authorize; } });
+var getValidAccessToken_1 = require("./getValidAccessToken");
+Object.defineProperty(exports, "getValidAccessToken", { enumerable: true, get: function () { return getValidAccessToken_1.getValidAccessToken; } });
+var refreshTokens_1 = require("./refreshTokens");
+Object.defineProperty(exports, "refreshTokens", { enumerable: true, get: function () { return refreshTokens_1.refreshTokens; } });
 var tokenStore_1 = require("./tokenStore");
 Object.defineProperty(exports, "KeyringTokenStore", { enumerable: true, get: function () { return tokenStore_1.KeyringTokenStore; } });
 Object.defineProperty(exports, "STORED_BLOB_VERSION", { enumerable: true, get: function () { return tokenStore_1.STORED_BLOB_VERSION; } });

package/dist/oauth/keyringBinding.d.ts

@@ -0,0 +1,22 @@
+/** Minimal keyring-entry surface consumed by the package's stores. */
+export interface KeyringEntry {
+    /** Writes the password for this entry. */
+    setPassword(password: string): void;
+    /** Reads the current password, or returns `null` if none is set. */
+    getPassword(): string | null;
+    /** Deletes the password and returns `true` if one existed. */
+    deletePassword(): boolean;
+}
+/**
+ * Factory for `KeyringEntry` values. Injection seam for tests;
+ * production callers use the default that constructs
+ * `@napi-rs/keyring` entries lazily.
+ */
+export type KeyringEntryFactory = (service: string, account: string) => KeyringEntry;
+/**
+ * Default `KeyringEntryFactory`. Resolves `@napi-rs/keyring` lazily
+ * so platforms without a prebuilt binding only see a
+ * `KEYRING_UNAVAILABLE` on first store construction, not on module
+ * import.
+ */
+export declare const defaultEntryFactory: KeyringEntryFactory;

package/dist/oauth/keyringBinding.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultEntryFactory = void 0;
+const node_module_1 = require("node:module");
+const errors_1 = require("./errors");
+const requireFromHere = (0, node_module_1.createRequire)(__filename);
+// Lazy-resolved Entry constructor. Importing @napi-rs/keyring at the
+// top of this module would run its native binding loader at
+// module-load time, throwing before any of our OAuthFlowError code
+// catches it and preventing the module from being imported at all on
+// platforms without a prebuilt. We defer the require into
+// `defaultEntryFactory`, which turns that import-time failure into a
+// `KEYRING_UNAVAILABLE` surfaced on the first store construction —
+// not on first save/load/clear, since callers construct stores
+// eagerly as default-arg expressions. Runtime keychain errors
+// (missing D-Bus Secret Service, macOS Keychain denial, etc.) are a
+// separate concern and surface later, inside save/load/clear.
+let cachedEntryCtor = null;
+function resolveEntryCtor() {
+    if (cachedEntryCtor)
+        return cachedEntryCtor;
+    try {
+        const mod = requireFromHere("@napi-rs/keyring");
+        cachedEntryCtor = mod.Entry;
+        return cachedEntryCtor;
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("KEYRING_UNAVAILABLE", `Could not load @napi-rs/keyring. A prebuilt native binding for this platform may be missing.`, { cause });
+    }
+}
+/**
+ * Default `KeyringEntryFactory`. Resolves `@napi-rs/keyring` lazily
+ * so platforms without a prebuilt binding only see a
+ * `KEYRING_UNAVAILABLE` on first store construction, not on module
+ * import.
+ */
+const defaultEntryFactory = (service, account) => {
+    const Ctor = resolveEntryCtor();
+    return new Ctor(service, account);
+};
+exports.defaultEntryFactory = defaultEntryFactory;

package/dist/oauth/predicates.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Narrows `v` to `string` when it is a non-empty string. Useful for
+ * validating JSON fields from authorization-server responses, where
+ * the spec declares a field as "string" but servers occasionally
+ * return `""` / `null` / missing.
+ */
+export declare function isNonEmptyString(v: unknown): v is string;

package/dist/oauth/predicates.js

@@ -0,0 +1,15 @@
+"use strict";
+// Type-guard predicates shared across the oauth modules. Keep this
+// narrow: anything more substantial than a one-liner probably
+// belongs in its own module rather than piling in here.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isNonEmptyString = isNonEmptyString;
+/**
+ * Narrows `v` to `string` when it is a non-empty string. Useful for
+ * validating JSON fields from authorization-server responses, where
+ * the spec declares a field as "string" but servers occasionally
+ * return `""` / `null` / missing.
+ */
+function isNonEmptyString(v) {
+    return typeof v === "string" && v.length > 0;
+}

package/dist/oauth/refreshTokens.d.ts

@@ -0,0 +1,30 @@
+import { type TokenSet } from "./tokenResponse";
+/** Options for `refreshTokens`. */
+export interface RefreshTokensOptions {
+    /** Token endpoint resolved from OIDC discovery. */
+    tokenEndpoint: string;
+    /** OAuth client identifier. */
+    clientId: string;
+    /** The refresh token to exchange for a new access token. */
+    refreshToken: string;
+    /** Source of `now`. Defaults to `Date.now`. Injected for test determinism. */
+    now?: () => number;
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+}
+/**
+ * Exchanges a refresh token for a fresh access token via RFC 6749 §6.
+ *
+ * Some providers (Keycloak by default) rotate refresh tokens and
+ * return a new one in the response; others leave the refresh token
+ * alone. When the server omits `refresh_token` from the response,
+ * the returned `TokenSet` carries forward the input `refreshToken`
+ * so callers never lose refresh capability after one use.
+ *
+ * @throws {OAuthFlowError} with code `TOKEN_EXCHANGE_FAILED` on any
+ *   failure. `details` surfaces the OAuth `error` /
+ *   `error_description` when present; callers distinguishing
+ *   "refresh revoked" from "network hiccup" should inspect
+ *   `details.error === "invalid_grant"`.
+ */
+export declare function refreshTokens(options: RefreshTokensOptions): Promise<TokenSet>;

package/dist/oauth/refreshTokens.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.refreshTokens = refreshTokens;
+const errors_1 = require("./errors");
+const tokenResponse_1 = require("./tokenResponse");
+/**
+ * Exchanges a refresh token for a fresh access token via RFC 6749 §6.
+ *
+ * Some providers (Keycloak by default) rotate refresh tokens and
+ * return a new one in the response; others leave the refresh token
+ * alone. When the server omits `refresh_token` from the response,
+ * the returned `TokenSet` carries forward the input `refreshToken`
+ * so callers never lose refresh capability after one use.
+ *
+ * @throws {OAuthFlowError} with code `TOKEN_EXCHANGE_FAILED` on any
+ *   failure. `details` surfaces the OAuth `error` /
+ *   `error_description` when present; callers distinguishing
+ *   "refresh revoked" from "network hiccup" should inspect
+ *   `details.error === "invalid_grant"`.
+ */
+async function refreshTokens(options) {
+    const now = options.now ?? Date.now;
+    // RFC 6749 §6 permits a `scope` parameter to request a subset of
+    // the originally-granted scopes. We deliberately omit it: Keycloak
+    // (our primary target) preserves the scope set across refresh, so
+    // re-sending would be redundant. Callers targeting a provider that
+    // reduces scopes when `scope` is omitted (some Okta configurations
+    // are rumored to) will need a provider-specific code path.
+    const body = new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: options.clientId,
+        refresh_token: options.refreshToken,
+    });
+    const issuedAt = now();
+    let response;
+    try {
+        response = await fetch(options.tokenEndpoint, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                Accept: "application/json",
+            },
+            body,
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Could not reach the token endpoint at ${options.tokenEndpoint}. Check your network connection.`, { cause });
+    }
+    if (!response.ok) {
+        await (0, tokenResponse_1.throwTokenEndpointError)(response, "Token refresh");
+    }
+    const fresh = await (0, tokenResponse_1.parseTokenResponse)(response, issuedAt, options.tokenEndpoint);
+    // Preserve the input refresh token if the server didn't rotate.
+    // Keycloak rotates by default; others (e.g. Okta with some
+    // configs) don't.
+    return {
+        ...fresh,
+        refreshToken: fresh.refreshToken ?? options.refreshToken,
+    };
+}

package/dist/oauth/revokeToken.d.ts

@@ -0,0 +1,28 @@
+/** Options for `revokeRefreshToken`. */
+export interface RevokeRefreshTokenOptions {
+    /** Revocation endpoint resolved from OIDC discovery. */
+    revocationEndpoint: string;
+    /** OAuth client ID. */
+    clientId: string;
+    /** The refresh token to revoke server-side. */
+    refreshToken: string;
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+}
+/**
+ * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
+ * regardless of whether the token was valid (the spec doesn't want
+ * revocation to be a probing oracle for token existence). In
+ * practice this helper still surfaces network errors and any
+ * non-2xx response from the revocation endpoint, on the assumption
+ * that a 4xx is more likely a misconfiguration the user should hear
+ * about than a routine condition to swallow.
+ *
+ * Throws a plain `Error` rather than `OAuthFlowError`: revocation
+ * is best-effort cleanup invoked from `axe-auth logout`, and the
+ * caller already handles failure by warning + continuing with the
+ * local clear. Adding a dedicated `OAuthFlowError` code for this
+ * one shallow operation is more bloat than the discrimination is
+ * worth.
+ */
+export declare function revokeRefreshToken(options: RevokeRefreshTokenOptions): Promise<void>;

package/dist/oauth/revokeToken.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.revokeRefreshToken = revokeRefreshToken;
+/**
+ * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
+ * regardless of whether the token was valid (the spec doesn't want
+ * revocation to be a probing oracle for token existence). In
+ * practice this helper still surfaces network errors and any
+ * non-2xx response from the revocation endpoint, on the assumption
+ * that a 4xx is more likely a misconfiguration the user should hear
+ * about than a routine condition to swallow.
+ *
+ * Throws a plain `Error` rather than `OAuthFlowError`: revocation
+ * is best-effort cleanup invoked from `axe-auth logout`, and the
+ * caller already handles failure by warning + continuing with the
+ * local clear. Adding a dedicated `OAuthFlowError` code for this
+ * one shallow operation is more bloat than the discrimination is
+ * worth.
+ */
+async function revokeRefreshToken(options) {
+    const body = new URLSearchParams({
+        token: options.refreshToken,
+        token_type_hint: "refresh_token",
+        client_id: options.clientId,
+    });
+    let response;
+    try {
+        response = await fetch(options.revocationEndpoint, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body,
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        const reason = cause instanceof Error ? cause.message : String(cause);
+        throw new Error(`Could not reach the revocation endpoint at ${options.revocationEndpoint}: ${reason}`, { cause });
+    }
+    if (!response.ok) {
+        // Deliberately do NOT include the response body. The request
+        // body we POSTed contains the refresh token; some Keycloak
+        // custom error templates and many WAFs / reverse proxies echo
+        // request fields back into 4xx pages, which would land the
+        // refresh token on stderr (the caller's `describeError(err)`
+        // path is `axe-auth: server-side revocation failed (...)`). Status
+        // alone is enough for the user to act on; if more detail is
+        // needed they can hit the revocation endpoint directly.
+        //
+        // We also drain the body so the underlying connection isn't
+        // held open by the unread stream.
+        try {
+            await response.text();
+        }
+        catch {
+            // ignore — body is purely diagnostic
+        }
+        throw new Error(`Revocation endpoint at ${options.revocationEndpoint} returned HTTP ${response.status}`);
+    }
+}