@deque/axe-auth 1.1.0-next.f7b98204 → 1.1.0-next.fda76051

package/dist/oauth/testUtils.d.ts

@@ -0,0 +1,35 @@
+/**
+ * A fixed "now" timestamp used by token-endpoint tests that need
+ * determinism for `expiresAt` assertions. Any constant would do;
+ * choosing one value keeps the arithmetic trivial to eyeball
+ * (2023-11-14T22:13:20.000Z).
+ */
+export declare const FIXED_NOW = 1700000000000;
+/** Signature matching the global `fetch` implementation. */
+export type FetchMock = (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+/**
+ * Swaps `globalThis.fetch` for `mock` while `fn` runs, then restores.
+ * Use in tests that mock *every* fetch the subject under test makes.
+ * (Tests that want pass-through-on-miss behavior should keep their
+ * own router — see `authorize.test.ts`.)
+ */
+export declare function withFetch(mock: FetchMock, fn: () => Promise<void>): Promise<void>;
+/**
+ * JSON-serialized `Response` with `Content-Type: application/json`
+ * already set. Any headers in `init.headers` merge on top.
+ */
+export declare function jsonResponse(body: unknown, init?: ResponseInit): Response;
+/**
+ * Canonical local Keycloak issuer URL used across tests — matches
+ * walnut's dev setup (`http://localhost:8080/auth/realms/local`).
+ * Use this anywhere a test needs "the Keycloak issuer" rather than
+ * a test-specific URL (e.g. `http://auth.test.invalid`).
+ */
+export declare const KEYCLOAK_ISSUER = "http://localhost:8080/auth/realms/local";
+/**
+ * Standard OAuth 2.0 token-endpoint success body. Returns a fresh
+ * plain object on each call so tests can safely mutate it after.
+ * Override any field via `overrides`; the happy-path defaults
+ * (Bearer, positive `expires_in`) are what most tests want.
+ */
+export declare function tokenResponseBody(overrides?: Record<string, unknown>): Record<string, unknown>;

package/dist/oauth/testUtils.js

@@ -0,0 +1,61 @@
+"use strict";
+// Shared helpers for the oauth test files. Not a `.test.ts` itself so
+// the test runner doesn't pick it up directly, and excluded from c8
+// coverage in `.c8rc.json` since nothing in here is production code.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KEYCLOAK_ISSUER = exports.FIXED_NOW = void 0;
+exports.withFetch = withFetch;
+exports.jsonResponse = jsonResponse;
+exports.tokenResponseBody = tokenResponseBody;
+/**
+ * A fixed "now" timestamp used by token-endpoint tests that need
+ * determinism for `expiresAt` assertions. Any constant would do;
+ * choosing one value keeps the arithmetic trivial to eyeball
+ * (2023-11-14T22:13:20.000Z).
+ */
+exports.FIXED_NOW = 1_700_000_000_000;
+/**
+ * Swaps `globalThis.fetch` for `mock` while `fn` runs, then restores.
+ * Use in tests that mock *every* fetch the subject under test makes.
+ * (Tests that want pass-through-on-miss behavior should keep their
+ * own router — see `authorize.test.ts`.)
+ */
+function withFetch(mock, fn) {
+    const original = globalThis.fetch;
+    globalThis.fetch = mock;
+    return fn().finally(() => {
+        globalThis.fetch = original;
+    });
+}
+/**
+ * JSON-serialized `Response` with `Content-Type: application/json`
+ * already set. Any headers in `init.headers` merge on top.
+ */
+function jsonResponse(body, init = { status: 200 }) {
+    return new Response(JSON.stringify(body), {
+        ...init,
+        headers: { "Content-Type": "application/json", ...(init.headers ?? {}) },
+    });
+}
+/**
+ * Canonical local Keycloak issuer URL used across tests — matches
+ * walnut's dev setup (`http://localhost:8080/auth/realms/local`).
+ * Use this anywhere a test needs "the Keycloak issuer" rather than
+ * a test-specific URL (e.g. `http://auth.test.invalid`).
+ */
+exports.KEYCLOAK_ISSUER = "http://localhost:8080/auth/realms/local";
+/**
+ * Standard OAuth 2.0 token-endpoint success body. Returns a fresh
+ * plain object on each call so tests can safely mutate it after.
+ * Override any field via `overrides`; the happy-path defaults
+ * (Bearer, positive `expires_in`) are what most tests want.
+ */
+function tokenResponseBody(overrides = {}) {
+    return {
+        access_token: "at",
+        refresh_token: "rt",
+        expires_in: 300,
+        token_type: "Bearer",
+        ...overrides,
+    };
+}

package/dist/oauth/tokenExchange.d.ts

@@ -1,27 +1,4 @@
-/**
- * Tokens returned by a successful authorization-code exchange.
- *
- * `refreshToken` is optional because not all flows return one —
- * callers that did not request `offline_access` (or the provider
- * equivalent) will receive only an access token. Refresh logic (issue
- * #422) must handle this case.
- *
- * `grantedScope` reflects the authorization server's `scope` response
- * field when present (RFC 6749 §5.1 says `scope` is required when the
- * granted set differs from the requested set; optional otherwise).
- * Callers comparing granted vs requested to surface diagnostics should
- * read this field.
- */
-export interface TokenSet {
-    /** Access token for authenticated API calls. */
-    accessToken: string;
-    /** Long-lived token used to mint new access tokens without re-auth. Absent if the flow did not request it. */
-    refreshToken?: string;
-    /** Absolute timestamp (ms since epoch) when the access token expires. */
-    expiresAt: number;
-    /** Space-delimited scopes the server actually granted, if reported. */
-    grantedScope?: string;
-}
+import { type TokenSet } from "./tokenResponse";
 /** Options for `exchangeCodeForTokens`. */
 export interface ExchangeCodeForTokensOptions {
     /** Token endpoint resolved from OIDC discovery. */

package/dist/oauth/tokenExchange.js

@@ -2,55 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.exchangeCodeForTokens = exchangeCodeForTokens;
 const errors_1 = require("./errors");
-function isNonEmptyString(v) {
-    return typeof v === "string" && v.length > 0;
-}
-// RFC 6749 §5.1 describes `expires_in` as "the lifetime in seconds"
-// without pinning the JSON type, and some providers historically send
-// numeric strings. Accept both; reject anything non-positive or
-// non-finite.
-function parseExpiresIn(v) {
-    if (typeof v === "number" && Number.isFinite(v) && v > 0)
-        return v;
-    if (typeof v === "string") {
-        const n = Number(v);
-        if (Number.isFinite(n) && n > 0)
-            return n;
-    }
-    return null;
-}
-function parseErrorBody(body) {
-    let parsed;
-    try {
-        parsed = JSON.parse(body);
-    }
-    catch {
-        return {};
-    }
-    if (parsed === null || typeof parsed !== "object")
-        return {};
-    const raw = parsed;
-    return {
-        error: isNonEmptyString(raw.error) ? raw.error : undefined,
-        description: isNonEmptyString(raw.error_description)
-            ? raw.error_description
-            : undefined,
-    };
-}
-function throwFromErrorResponse(status, body) {
-    const { error, description } = parseErrorBody(body);
-    const suffix = error
-        ? description
-            ? `: ${error}: ${description}`
-            : `: ${error}`
-        : "";
-    const details = {};
-    if (error)
-        details.error = error;
-    if (description)
-        details.error_description = description;
-    throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token exchange failed with HTTP ${status}${suffix}`, Object.keys(details).length > 0 ? { details } : undefined);
-}
+const tokenResponse_1 = require("./tokenResponse");
 /**
  * Exchanges an authorization code for a `TokenSet` via the
  * authorization server's token endpoint (RFC 6749 §4.1.3 + RFC 7636
@@ -67,13 +19,6 @@ async function exchangeCodeForTokens(options) {
         code_verifier: options.codeVerifier,
         redirect_uri: options.redirectUri,
     });
-    // Capture `issuedAt` before the network call so we don't drift past
-    // expiry just because the network was slow. Slightly conservative —
-    // the token actually expires `expires_in` seconds from when the
-    // server issued it, so the effective usable window is `expires_in -
-    // RTT`, which errs toward "expires sooner" rather than "expires
-    // later." That's the safer direction for any consumer doing
-    // pre-expiry checks.
     const issuedAt = now();
     let response;
     try {
@@ -91,46 +36,7 @@ async function exchangeCodeForTokens(options) {
         throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Could not reach the token endpoint at ${options.tokenEndpoint}. Check your network connection.`, { cause });
     }
     if (!response.ok) {
-        const text = await response.text().catch(() => "");
-        throwFromErrorResponse(response.status, text);
-    }
-    let parsed;
-    try {
-        parsed = await response.json();
-    }
-    catch (cause) {
-        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token endpoint at ${options.tokenEndpoint} returned a non-JSON response`, { cause });
-    }
-    if (parsed === null || typeof parsed !== "object") {
-        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token endpoint at ${options.tokenEndpoint} returned a non-object response`);
-    }
-    const raw = parsed;
-    if (!isNonEmptyString(raw.access_token)) {
-        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing 'access_token'`);
-    }
-    const expiresIn = parseExpiresIn(raw.expires_in);
-    if (expiresIn === null) {
-        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing or has invalid 'expires_in'`);
-    }
-    // RFC 6749 §5.1: token_type is REQUIRED. We only speak Bearer;
-    // DPoP / MAC / other proof-of-possession types need request-side
-    // support we don't implement, and silently treating them as Bearer
-    // would send tokens in the wrong header with unclear semantics.
-    if (!isNonEmptyString(raw.token_type)) {
-        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing required 'token_type'`);
-    }
-    if (raw.token_type.toLowerCase() !== "bearer") {
-        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Unsupported token_type '${raw.token_type}'; this library only handles Bearer.`);
-    }
-    const tokens = {
-        accessToken: raw.access_token,
-        expiresAt: issuedAt + expiresIn * 1000,
-    };
-    if (isNonEmptyString(raw.refresh_token)) {
-        tokens.refreshToken = raw.refresh_token;
-    }
-    if (isNonEmptyString(raw.scope)) {
-        tokens.grantedScope = raw.scope;
+        await (0, tokenResponse_1.throwTokenEndpointError)(response, "Token exchange");
     }
-    return tokens;
+    return (0, tokenResponse_1.parseTokenResponse)(response, issuedAt, options.tokenEndpoint);
 }

package/dist/oauth/tokenResponse.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Tokens returned by a successful token-endpoint call (authorization
+ * code exchange, refresh-token grant, etc.).
+ *
+ * `refreshToken` is optional because not all flows return one. On
+ * authorization-code exchange it's absent if the caller did not
+ * request `offline_access` (or the provider equivalent); on refresh
+ * some providers rotate tokens (return a new one) while others don't
+ * (the caller should keep the existing refresh token).
+ *
+ * `grantedScope` reflects the authorization server's `scope` response
+ * field when present. RFC 6749 §5.1 says `scope` is required in the
+ * response when the granted set differs from the requested set; many
+ * servers send it unconditionally.
+ */
+export interface TokenSet {
+    /** Access token for authenticated API calls. */
+    accessToken: string;
+    /** Long-lived token used to mint new access tokens without re-auth. Absent if the flow did not return one. */
+    refreshToken?: string;
+    /** Absolute timestamp (ms since epoch) when the access token expires. */
+    expiresAt: number;
+    /** Space-delimited scopes the server actually granted, if reported. */
+    grantedScope?: string;
+}
+/**
+ * Reads a non-2xx response body and throws
+ * `OAuthFlowError("TOKEN_EXCHANGE_FAILED", …)` with the OAuth
+ * `error` / `error_description` surfaced in both message and details
+ * when present. Shared by both the authorization-code exchange and
+ * refresh-token paths since the error contract is identical.
+ *
+ * @param context Short human-readable description of which call
+ *   failed ("Token exchange", "Token refresh", etc.). Appears in the
+ *   error message.
+ */
+export declare function throwTokenEndpointError(response: Response, context: string): Promise<never>;
+/**
+ * Parses a 2xx response body from an RFC 6749 §5.1 token endpoint
+ * (authorization-code exchange, refresh-token grant, etc.) into a
+ * `TokenSet`. Validates the required shape (`access_token`,
+ * `expires_in`, Bearer `token_type`) and converts the relative
+ * `expires_in` into an absolute `expiresAt` using `issuedAt`.
+ *
+ * @param response The HTTP response (must be 2xx; caller handles
+ *   error statuses via `throwTokenEndpointError`).
+ * @param issuedAt The timestamp captured just before the network
+ *   call. Slightly conservative — the token actually expires
+ *   `expires_in` seconds from when the server issued it, so the
+ *   effective usable window is `expires_in - RTT`, which errs toward
+ *   "expires sooner" rather than "expires later."
+ * @param endpointURL URL used for error messages.
+ */
+export declare function parseTokenResponse(response: Response, issuedAt: number, endpointURL: string): Promise<TokenSet>;

package/dist/oauth/tokenResponse.js

@@ -0,0 +1,121 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.throwTokenEndpointError = throwTokenEndpointError;
+exports.parseTokenResponse = parseTokenResponse;
+const errors_1 = require("./errors");
+const predicates_1 = require("./predicates");
+// RFC 6749 §5.1 describes `expires_in` as "the lifetime in seconds"
+// without pinning the JSON type, and some providers historically send
+// numeric strings. Accept both; reject anything non-positive or
+// non-finite.
+function parseExpiresIn(v) {
+    if (typeof v === "number" && Number.isFinite(v) && v > 0)
+        return v;
+    if (typeof v === "string") {
+        const n = Number(v);
+        if (Number.isFinite(n) && n > 0)
+            return n;
+    }
+    return null;
+}
+function parseErrorBody(body) {
+    let parsed;
+    try {
+        parsed = JSON.parse(body);
+    }
+    catch {
+        return {};
+    }
+    if (parsed === null || typeof parsed !== "object")
+        return {};
+    const raw = parsed;
+    return {
+        error: (0, predicates_1.isNonEmptyString)(raw.error) ? raw.error : undefined,
+        description: (0, predicates_1.isNonEmptyString)(raw.error_description)
+            ? raw.error_description
+            : undefined,
+    };
+}
+/**
+ * Reads a non-2xx response body and throws
+ * `OAuthFlowError("TOKEN_EXCHANGE_FAILED", …)` with the OAuth
+ * `error` / `error_description` surfaced in both message and details
+ * when present. Shared by both the authorization-code exchange and
+ * refresh-token paths since the error contract is identical.
+ *
+ * @param context Short human-readable description of which call
+ *   failed ("Token exchange", "Token refresh", etc.). Appears in the
+ *   error message.
+ */
+async function throwTokenEndpointError(response, context) {
+    const body = await response.text().catch(() => "");
+    const { error, description } = parseErrorBody(body);
+    const suffix = error
+        ? description
+            ? `: ${error}: ${description}`
+            : `: ${error}`
+        : "";
+    const details = {};
+    if (error)
+        details.error = error;
+    if (description)
+        details.error_description = description;
+    throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `${context} failed with HTTP ${response.status}${suffix}`, Object.keys(details).length > 0 ? { details } : undefined);
+}
+/**
+ * Parses a 2xx response body from an RFC 6749 §5.1 token endpoint
+ * (authorization-code exchange, refresh-token grant, etc.) into a
+ * `TokenSet`. Validates the required shape (`access_token`,
+ * `expires_in`, Bearer `token_type`) and converts the relative
+ * `expires_in` into an absolute `expiresAt` using `issuedAt`.
+ *
+ * @param response The HTTP response (must be 2xx; caller handles
+ *   error statuses via `throwTokenEndpointError`).
+ * @param issuedAt The timestamp captured just before the network
+ *   call. Slightly conservative — the token actually expires
+ *   `expires_in` seconds from when the server issued it, so the
+ *   effective usable window is `expires_in - RTT`, which errs toward
+ *   "expires sooner" rather than "expires later."
+ * @param endpointURL URL used for error messages.
+ */
+async function parseTokenResponse(response, issuedAt, endpointURL) {
+    let parsed;
+    try {
+        parsed = await response.json();
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token endpoint at ${endpointURL} returned a non-JSON response`, { cause });
+    }
+    if (parsed === null || typeof parsed !== "object") {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token endpoint at ${endpointURL} returned a non-object response`);
+    }
+    const raw = parsed;
+    if (!(0, predicates_1.isNonEmptyString)(raw.access_token)) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing 'access_token'`);
+    }
+    const expiresIn = parseExpiresIn(raw.expires_in);
+    if (expiresIn === null) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing or has invalid 'expires_in'`);
+    }
+    // RFC 6749 §5.1: token_type is REQUIRED. We only speak Bearer;
+    // DPoP / MAC / other proof-of-possession types need request-side
+    // support we don't implement, and silently treating them as Bearer
+    // would send tokens in the wrong header with unclear semantics.
+    if (!(0, predicates_1.isNonEmptyString)(raw.token_type)) {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Token response missing required 'token_type'`);
+    }
+    if (raw.token_type.toLowerCase() !== "bearer") {
+        throw new errors_1.OAuthFlowError("TOKEN_EXCHANGE_FAILED", `Unsupported token_type '${raw.token_type}'; this library only handles Bearer.`);
+    }
+    const tokens = {
+        accessToken: raw.access_token,
+        expiresAt: issuedAt + expiresIn * 1000,
+    };
+    if ((0, predicates_1.isNonEmptyString)(raw.refresh_token)) {
+        tokens.refreshToken = raw.refresh_token;
+    }
+    if ((0, predicates_1.isNonEmptyString)(raw.scope)) {
+        tokens.grantedScope = raw.scope;
+    }
+    return tokens;
+}

package/dist/oauth/tokenStore.d.ts

@@ -1,10 +1,27 @@
-import type { TokenSet } from "./tokenExchange";
+import { type KeyringEntryFactory } from "./keyringBinding";
+import type { TokenSet } from "./tokenResponse";
 /**
  * Current on-disk blob schema version. Exported so consumers can
  * display "stored v:N, expected v:M" diagnostics when `load()` returns
  * a `version-mismatch` result.
  */
 export declare const STORED_BLOB_VERSION = 1;
+/**
+ * What `KeyringTokenStore` persists: the OAuth tokens plus the
+ * issuer/client coordinates they were minted against. Carrying the
+ * coordinates inside the entry means a verb can recover its full
+ * config from the keychain alone, with no separate "default issuer"
+ * pointer.
+ */
+export interface StoredEntry {
+    tokens: TokenSet;
+    /** OIDC issuer URL the tokens were minted against. */
+    issuerURL: string;
+    /** OAuth client ID used at login. */
+    clientId: string;
+    /** Whether the original login allowed a non-loopback http issuer. */
+    allowInsecureIssuer: boolean;
+}
 /**
  * Outcome of a `TokenStore.load()` call.
  *
@@ -19,7 +36,7 @@ export declare const STORED_BLOB_VERSION = 1;
  */
 export type LoadResult = {
     ok: true;
-    tokens: TokenSet;
+    entry: StoredEntry;
 } | {
     ok: false;
     reason: "empty";
@@ -31,48 +48,64 @@ export type LoadResult = {
     reason: "version-mismatch";
     storedVersion: number;
 };
-/** Persistence layer for an OAuth `TokenSet`. */
+/** Persistence layer for an OAuth `StoredEntry`. */
 export interface TokenStore {
-    /** Write-through save. Replaces any previously stored tokens. */
-    save(tokens: TokenSet): Promise<void>;
+    /** Write-through save. Replaces any previously stored entry. */
+    save(entry: StoredEntry): Promise<void>;
     /**
-     * Reads the stored tokens and returns a structured result.
+     * Reads the stored entry and returns a structured result.
      *
      * Callers should branch on `result.ok` first. When `ok` is `false`,
-     * `reason` tells them *why* there is no usable `TokenSet`: `empty`
+     * `reason` tells them *why* there is no usable entry: `empty`
      * (nothing stored), `corrupt` (unparseable or shape-invalid), or
      * `version-mismatch` (stored under a schema we cannot migrate from).
      * The library does not emit output on these cases — surfacing them
      * to the user is the caller's responsibility.
      */
     load(): Promise<LoadResult>;
-    /** Removes any stored tokens. No-op if none are present. */
+    /** Removes any stored entry. No-op if none is present. */
     clear(): Promise<void>;
 }
-/** Minimal keyring-entry surface consumed by `KeyringTokenStore`. */
-export interface KeyringEntry {
-    /** Writes the password for this entry. */
-    setPassword(password: string): void;
-    /** Reads the current password, or returns `null` if none is set. */
-    getPassword(): string | null;
-    /** Deletes the password and returns `true` if one existed. */
-    deletePassword(): boolean;
-}
 /**
- * Factory for `KeyringEntry` values. Injection seam for tests;
- * production callers use the default that constructs
- * `@napi-rs/keyring` entries lazily.
+ * Outcome of `parseAndMigrateBlob`: same set of failure reasons as
+ * `LoadResult`, but on success carries the post-migration blob as an
+ * unknown payload. The caller is responsible for shape-validating
+ * that payload against the latest schema.
+ */
+export type BlobChainResult = {
+    ok: true;
+    blob: unknown;
+} | {
+    ok: false;
+    reason: "empty";
+} | {
+    ok: false;
+    reason: "corrupt";
+} | {
+    ok: false;
+    reason: "version-mismatch";
+    storedVersion: number;
+};
+/**
+ * JSON-parses the raw keychain password and walks the migrator chain
+ * until it reaches `expectedVersion`. Exported with `expectedVersion`
+ * and `migrators` parameters only for testing the chain mechanics
+ * against synthetic versions / migrators; production callers use
+ * `KeyringTokenStore.load()`, which feeds in `STORED_BLOB_VERSION`
+ * and `MIGRATORS` and applies the latest-shape check on top.
  */
-export type KeyringEntryFactory = (service: string, account: string) => KeyringEntry;
+export declare function parseAndMigrateBlob(raw: string | null, expectedVersion?: number, migrators?: ReadonlyMap<number, (old: unknown) => unknown | null>): BlobChainResult;
 /**
  * `TokenStore` backed by the operating system's native keychain via
  * `@napi-rs/keyring` (macOS Keychain, Windows Credential Manager, Linux
- * Secret Service). Account is keyed by the normalized issuer URL.
+ * Secret Service). One entry per machine, keyed by a fixed account
+ * name; the blob carries its own issuer/client coordinates so verbs
+ * can recover full config without per-issuer keying.
  */
 export declare class KeyringTokenStore implements TokenStore {
     #private;
-    constructor(issuerURL: string, entryFactory?: KeyringEntryFactory);
-    save(tokens: TokenSet): Promise<void>;
+    constructor(entryFactory?: KeyringEntryFactory);
+    save(entry: StoredEntry): Promise<void>;
     load(): Promise<LoadResult>;
     clear(): Promise<void>;
 }