@dotdo/oauth 0.1.5 → 0.1.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/dev.d.ts +10 -1
- package/dist/dev.d.ts.map +1 -1
- package/dist/dev.js +6 -5
- package/dist/dev.js.map +1 -1
- package/dist/index.d.ts +7 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +8 -0
- package/dist/index.js.map +1 -1
- package/dist/jwt-signing.d.ts +133 -0
- package/dist/jwt-signing.d.ts.map +1 -0
- package/dist/jwt-signing.js +173 -0
- package/dist/jwt-signing.js.map +1 -0
- package/dist/jwt.d.ts +17 -11
- package/dist/jwt.d.ts.map +1 -1
- package/dist/jwt.js.map +1 -1
- package/dist/pkce.d.ts.map +1 -1
- package/dist/pkce.js +33 -19
- package/dist/pkce.js.map +1 -1
- package/dist/server.d.ts +19 -1
- package/dist/server.d.ts.map +1 -1
- package/dist/server.js +697 -114
- package/dist/server.js.map +1 -1
- package/dist/storage-collections.d.ts +94 -0
- package/dist/storage-collections.d.ts.map +1 -0
- package/dist/storage-collections.js +291 -0
- package/dist/storage-collections.js.map +1 -0
- package/dist/storage-do.d.ts +97 -0
- package/dist/storage-do.d.ts.map +1 -0
- package/dist/storage-do.js +440 -0
- package/dist/storage-do.js.map +1 -0
- package/dist/stripe.d.ts +127 -0
- package/dist/stripe.d.ts.map +1 -0
- package/dist/stripe.js +262 -0
- package/dist/stripe.js.map +1 -0
- package/dist/types.d.ts +38 -8
- package/dist/types.d.ts.map +1 -1
- package/package.json +10 -10
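--- a/package/dist/pkce.js
+++ b/package/dist/pkce.js
@@ -19,11 +19,16 @@ export function generateCodeVerifier(length = 64) {
 throw new Error('Code verifier length must be between 43 and 128 characters');
 }
 const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~';
-
-
+// Use rejection sampling to avoid modulo bias
+// For 66 chars, maxValid = 256 - (256 % 66) = 256 - 58 = 198
+const maxValid = 256 - (256 % chars.length);
 let verifier = '';
 for (let i = 0; i < length; i++) {
-
+let value;
+do {
+value = crypto.getRandomValues(new Uint8Array(1))[0];
+} while (value >= maxValid);
+verifier += chars[value % chars.length];
 }
 return verifier;
 }
@@ -120,6 +125,29 @@ export function constantTimeEqual(a, b) {
 }
 return result === 0;
 }
+/** Alphanumeric characters for token/state generation */
+const ALPHANUMERIC_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+/**
+* Generate a cryptographically random string from a given charset
+* Uses rejection sampling to avoid modulo bias.
+*
+* @param length - Length of the string
+* @param charset - Characters to use for generation
+* @returns Random string
+*/
+function generateRandomString(length, charset) {
+// Use rejection sampling to avoid modulo bias
+const maxValid = 256 - (256 % charset.length);
+let result = '';
+for (let i = 0; i < length; i++) {
+let value;
+do {
+value = crypto.getRandomValues(new Uint8Array(1))[0];
+} while (value >= maxValid);
+result += charset[value % charset.length];
+}
+return result;
+}
 /**
 * Generate a random state parameter for CSRF protection
 *
@@ -127,14 +155,7 @@ export function constantTimeEqual(a, b) {
 * @returns Random state string
 */
 export function generateState(length = 32) {
-
-const randomValues = new Uint8Array(length);
-crypto.getRandomValues(randomValues);
-let state = '';
-for (let i = 0; i < length; i++) {
-state += chars[randomValues[i] % chars.length];
-}
-return state;
+return generateRandomString(length, ALPHANUMERIC_CHARS);
 }
 /**
 * Generate a random token (for access tokens, refresh tokens, etc.)
@@ -143,14 +164,7 @@ export function generateState(length = 32) {
 * @returns Random token string
 */
 export function generateToken(length = 32) {
-
-const randomValues = new Uint8Array(length);
-crypto.getRandomValues(randomValues);
-let token = '';
-for (let i = 0; i < length; i++) {
-token += chars[randomValues[i] % chars.length];
-}
-return token;
+return generateRandomString(length, ALPHANUMERIC_CHARS);
 }
 /**
 * Generate a unique authorization code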
package/dist/pkce.js.map
@@ -1 +1 @@
1
-
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../src/pkce.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAAC,SAAiB,EAAE;IACtD,IAAI,MAAM,GAAG,EAAE,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAA;IAC/E,CAAC;IAED,MAAM,KAAK,GAAG,oEAAoE,CAAA;IAClF,MAAM,
1
+
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../src/pkce.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAAC,SAAiB,EAAE;IACtD,IAAI,MAAM,GAAG,EAAE,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAA;IAC/E,CAAC;IAED,MAAM,KAAK,GAAG,oEAAoE,CAAA;IAClF,8CAA8C;IAC9C,6DAA6D;IAC7D,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC,CAAA;IAE3C,IAAI,QAAQ,GAAG,EAAE,CAAA;IACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,IAAI,KAAa,CAAA;QACjB,GAAG,CAAC;YACF,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAE,CAAA;QACvD,CAAC,QAAQ,KAAK,IAAI,QAAQ,EAAC;QAC3B,QAAQ,IAAI,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAA;IACzC,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,QAAgB;IAC1D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;IACjC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IACrC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;IAC9D,OAAO,eAAe,CAAC,UAAU,CAAC,CAAA;AACpC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAgB,EAChB,SAAiB,EACjB,SAAiB,MAAM;IAEvB,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,+BAA+B;QAC/B,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,iBAAiB,GAAG,MAAM,qBAAqB,CAAC,QAAQ,CAAC,CAAA;IAC/D,OAAO,iBAAiB,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAA;AACxD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB,EAAE;IACpD,MAAM,QAAQ,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAA;IAC7C,MAAM,SAAS,GAAG,MAAM,qBAAqB,CAAC,QAAQ,CAAC,CAAA;IACvD,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAA;AAChC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,MAAmB;IACjD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IACpC,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAA;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC;SAChB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;AACvB,CAAC;A
AED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,wBAAwB;IACxB,MAAM,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;IAC3D,mCAAmC;IACnC,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAA;IAC3B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;IACjC,CAAC;IACD,OAAO,KAAK,CAAC,MAAM,CAAA;AACrB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,CAAS,EAAE,CAAS;IACpD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,MAAM,GAAG,CAAC,CAAA;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;IAC7C,CAAC;IAED,OAAO,MAAM,KAAK,CAAC,CAAA;AACrB,CAAC;AAED,yDAAyD;AACzD,MAAM,kBAAkB,GAAG,gEAAgE,CAAA;AAE3F;;;;;;;GAOG;AACH,SAAS,oBAAoB,CAAC,MAAc,EAAE,OAAe;IAC3D,8CAA8C;IAC9C,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IAE7C,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,IAAI,KAAa,CAAA;QACjB,GAAG,CAAC;YACF,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAE,CAAA;QACvD,CAAC,QAAQ,KAAK,IAAI,QAAQ,EAAC;QAC3B,MAAM,IAAI,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IAC3C,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE;IAC/C,OAAO,oBAAoB,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAA;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE;IAC/C,OAAO,oBAAoB,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAA;AACzD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,yBAAyB;IACvC,OAAO,aAAa,CAAC,EAAE,CAAC,CAAA;AAC1B,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,MAAc;IACnD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;IACjC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,MAA
M,CAAC,CAAA;IACnC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;IAC9D,OAAO,eAAe,CAAC,UAAU,CAAC,CAAA;AACpC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAc,EAAE,IAAY;IACnE,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAA;IACnD,OAAO,iBAAiB,CAAC,YAAY,EAAE,IAAI,CAAC,CAAA;AAC9C,CAAC"}
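--- a/package/dist/server.d.ts
+++ b/package/dist/server.d.ts
@@ -4,9 +4,11 @@
 * Creates a Hono app that implements OAuth 2.1 authorization server endpoints:
 * - /.well-known/oauth-authorization-server (RFC 8414)
 * - /.well-known/oauth-protected-resource (draft-ietf-oauth-resource-metadata)
+* - /.well-known/jwks.json (JWKS endpoint)
 * - /authorize (authorization endpoint)
 * - /callback (upstream OAuth callback)
 * - /token (token endpoint)
+* - /introspect (token introspection - RFC 7662)
 * - /register (dynamic client registration - RFC 7591)
 * - /revoke (token revocation - RFC 7009)
 *
@@ -18,6 +20,7 @@ import { Hono } from 'hono';
 import type { OAuthStorage } from './storage.js';
 import type { OAuthUser, UpstreamOAuthConfig } from './types.js';
 import { type DevModeConfig, type TestHelpers } from './dev.js';
+import type { SigningKeyManager } from './jwt-signing.js';
 /**
 * Configuration for the OAuth 2.1 server
 */
@@ -44,13 +47,28 @@ export interface OAuth21ServerConfig {
 onUserAuthenticated?: (user: OAuthUser) => void | Promise<void>;
 /** Enable debug logging */
 debug?: boolean;
+/** Allowed CORS origins (default: issuer origin only in production, '*' in dev mode) */
+allowedOrigins?: string[];
+/**
+* Signing key manager for JWT access tokens (optional)
+* If provided, access tokens will be signed JWTs instead of opaque tokens.
+* This enables the JWKS and introspection endpoints.
+*/
+signingKeyManager?: SigningKeyManager;
+/**
+* Use JWT access tokens instead of opaque tokens (default: false)
+* Requires signingKeyManager to be set, or will auto-create one in memory.
+*/
+useJwtAccessTokens?: boolean;
 }
 /**
-* Extended Hono app with test helpers
+* Extended Hono app with test helpers and signing key manager
 */
 export interface OAuth21Server extends Hono {
 /** Test helpers for E2E testing (only available in devMode) */
 testHelpers?: TestHelpers;
+/** Signing key manager (available if useJwtAccessTokens is enabled) */
+signingKeyManager?: SigningKeyManager;
 }
 /**
 * Create an OAuth 2.1 server as a Hono app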
package/dist/server.d.ts.map
@@ -1 +1 @@
1
-
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA
1
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAG3B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA;AAChD,OAAO,KAAK,EAIV,SAAS,EAGT,mBAAmB,EACpB,MAAM,YAAY,CAAA;AASnB,OAAO,EACL,KAAK,aAAa,EAElB,KAAK,WAAW,EAGjB,MAAM,UAAU,CAAA;AACjB,OAAO,KAAK,EAAE,iBAAiB,EAAqB,MAAM,kBAAkB,CAAA;AAG5E;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,iDAAiD;IACjD,OAAO,EAAE,YAAY,CAAA;IACrB,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,mBAAmB,CAAA;IAC9B,mEAAmE;IACnE,OAAO,CAAC,EAAE,aAAa,CAAA;IACvB,uBAAuB;IACvB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,uDAAuD;IACvD,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,yEAAyE;IACzE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,yCAAyC;IACzC,yBAAyB,CAAC,EAAE,OAAO,CAAA;IACnC,oDAAoD;IACpD,mBAAmB,CAAC,EAAE,CAAC,IAAI,EAAE,SAAS,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC/D,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,wFAAwF;IACxF,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,iBAAiB,CAAA;IACrC;;;OAGG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,IAAI;IACzC,+DAA+D;IAC/D,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,uEAAuE;IACvE,iBAAiB,CAAC,EAAE,iBAAiB,CAAA;CACtC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,mBAAmB,GAAG,aAAa,CA2+B9E;AA2iBD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA;AAC7E,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA"}