npm - @dotdo/oauth - Versions diffs - 0.1.6 → 0.1.7 - Mend

@dotdo/oauth 0.1.6 → 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +8 -0
package/dist/index.js.map +1 -1
package/dist/jwt-signing.d.ts +133 -0
package/dist/jwt-signing.d.ts.map +1 -0
package/dist/jwt-signing.js +173 -0
package/dist/jwt-signing.js.map +1 -0
package/dist/server.d.ts +17 -1
package/dist/server.d.ts.map +1 -1
package/dist/server.js +451 -41
package/dist/server.js.map +1 -1
package/dist/storage-collections.d.ts +94 -0
package/dist/storage-collections.d.ts.map +1 -0
package/dist/storage-collections.js +291 -0
package/dist/storage-collections.js.map +1 -0
package/dist/storage-do.d.ts +97 -0
package/dist/storage-do.d.ts.map +1 -0
package/dist/storage-do.js +440 -0
package/dist/storage-do.js.map +1 -0
package/dist/stripe.d.ts +127 -0
package/dist/stripe.d.ts.map +1 -0
package/dist/stripe.js +262 -0
package/dist/stripe.js.map +1 -0
package/dist/types.d.ts +2 -0
package/dist/types.d.ts.map +1 -1
package/package.json +10 -10

package/dist/index.d.ts CHANGED Viewed

@@ -45,8 +45,15 @@ export { createTestHelpers, generateLoginFormHtml } from './dev.js';
 export type { DevModeConfig, DevUser, TestHelpers } from './dev.js';
 export { MemoryOAuthStorage } from './storage.js';
 export type { OAuthStorage, ListOptions } from './storage.js';
+export { DOSQLiteStorage } from './storage-do.js';
+export type { SqlStorage, SqlStorageResult, OAuthUserWithStripe, SerializedSigningKeyRow } from './storage-do.js';
+export { CollectionsOAuthStorage } from './storage-collections.js';
 export { generateCodeVerifier, generateCodeChallenge, verifyCodeChallenge, generatePkce, generateState, generateToken, generateAuthorizationCode, hashClientSecret, verifyClientSecret, base64UrlEncode, base64UrlDecode, constantTimeEqual, } from './pkce.js';
 export { verifyJWT, decodeJWT, isJWTExpired, clearJWKSCache } from './jwt.js';
 export type { JWTVerifyResult, JWTVerifyOptions, JWTHeader, JWTPayload } from './jwt.js';
+export { SigningKeyManager, generateSigningKey, serializeSigningKey, deserializeSigningKey, exportPublicKeyToJWKS, exportKeysToJWKS, signAccessToken, } from './jwt-signing.js';
+export type { SigningKey, SerializedSigningKey, JWKSPublicKey, JWKS, AccessTokenClaims, } from './jwt-signing.js';
+export { ensureStripeCustomer, getStripeCustomer, linkStripeCustomer, handleStripeWebhook, verifyStripeWebhook, verifyStripeWebhookAsync, createStripeClient, } from './stripe.js';
+export type { StripeCustomer, StripeSubscription, StripeWebhookEventType, StripeWebhookEvent, StripeStorage, StripeClient, OAuthUserWithStripe as StripeUser, } from './stripe.js';
 export type { OAuthUser, OAuthOrganization, OAuthClient, OAuthAuthorizationCode, OAuthAccessToken, OAuthRefreshToken, OAuthGrant, OAuthServerMetadata, OAuthResourceMetadata, TokenResponse, OAuthError, UpstreamOAuthConfig, } from './types.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAA;AACjD,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAGrE,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAA;AACnE,YAAY,EAAE,aAAa,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAA;AAGnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AACjD,YAAY,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AAG7D,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,mBAAmB,EACnB,YAAY,EACZ,aAAa,EACb,aAAa,EACb,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,eAAe,EACf,iBAAiB,GAClB,MAAM,WAAW,CAAA;AAGlB,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA;AAC7E,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,UAAU,CAAA;AAGxF,YAAY,EACV,SAAS,EACT,iBAAiB,EACjB,WAAW,EACX,sBAAsB,EACtB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,mBAAmB,EACnB,qBAAqB,EACrB,aAAa,EACb,UAAU,EACV,mBAAmB,GACpB,MAAM,YAAY,CAAA"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAA;AACjD,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAGrE,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAA;AACnE,YAAY,EAAE,aAAa,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAA;AAGnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AACjD,YAAY,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AAG7D,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,YAAY,EAAE,UAAU,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAA;AAGjH,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAA;AAGlE,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,mBAAmB,EACnB,YAAY,EACZ,aAAa,EACb,aAAa,EACb,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,eAAe,EACf,iBAAiB,GAClB,MAAM,WAAW,CAAA;AAGlB,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA;AAC7E,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,UAAU,CAAA;AAGxF,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,GAChB,MAAM,kBAAkB,CAAA;AACzB,YAAY,EACV,UAAU,EACV,oBAAoB,EACpB,aAAa,EACb,IAAI,EACJ,iBAAiB,GAClB,MAAM,kBAAkB,CAAA;AAGzB,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,mBAAmB,EACnB,mBAAmB,EACnB,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,aAAa,CAAA;AACpB,YAAY,EACV,cAAc,EACd,kBAAkB,EAClB,sBAAsB,EACtB,kBAAkB,EAClB,aAAa,EACb,YAAY,EACZ,mBAAmB,IAAI,UAAU,GAClC,MAAM,aAAa,CAAA;AAGpB,YAAY,EACV,SAAS,EACT,iBAAiB,EACjB,WAAW,EACX,sBAAsB,EACtB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,mBAAmB,EACnB,qBAAqB,EACrB,aAAa,EACb,UAAU,EACV,mBAAmB,GACpB,MAAM,YAAY,CAAA"}

package/dist/index.js CHANGED Viewed

@@ -45,8 +45,16 @@ export { createOAuth21Server } from './server.js';
 export { createTestHelpers, generateLoginFormHtml } from './dev.js';
 // Storage
 export { MemoryOAuthStorage } from './storage.js';
+// DO SQLite Storage (legacy - use CollectionsOAuthStorage instead)
+export { DOSQLiteStorage } from './storage-do.js';
+// Collections-based Storage (preferred - no migrations needed)
+export { CollectionsOAuthStorage } from './storage-collections.js';
 // PKCE
 export { generateCodeVerifier, generateCodeChallenge, verifyCodeChallenge, generatePkce, generateState, generateToken, generateAuthorizationCode, hashClientSecret, verifyClientSecret, base64UrlEncode, base64UrlDecode, constantTimeEqual, } from './pkce.js';
 // JWT Verification
 export { verifyJWT, decodeJWT, isJWTExpired, clearJWKSCache } from './jwt.js';
+// JWT Signing
+export { SigningKeyManager, generateSigningKey, serializeSigningKey, deserializeSigningKey, exportPublicKeyToJWKS, exportKeysToJWKS, signAccessToken, } from './jwt-signing.js';
+// Stripe Integration
+export { ensureStripeCustomer, getStripeCustomer, linkStripeCustomer, handleStripeWebhook, verifyStripeWebhook, verifyStripeWebhookAsync, createStripeClient, } from './stripe.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,SAAS;AACT,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAA;AAGjD,0BAA0B;AAC1B,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAA;AAGnE,UAAU;AACV,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AAGjD,OAAO;AACP,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,mBAAmB,EACnB,YAAY,EACZ,aAAa,EACb,aAAa,EACb,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,eAAe,EACf,iBAAiB,GAClB,MAAM,WAAW,CAAA;AAElB,mBAAmB;AACnB,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,SAAS;AACT,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAA;AAGjD,0BAA0B;AAC1B,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAA;AAGnE,UAAU;AACV,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AAGjD,mEAAmE;AACnE,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AAGjD,+DAA+D;AAC/D,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAA;AAElE,OAAO;AACP,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,mBAAmB,EACnB,YAAY,EACZ,aAAa,EACb,aAAa,EACb,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,eAAe,EACf,iBAAiB,GAClB,MAAM,WAAW,CAAA;AAElB,mBAAmB;AACnB,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA;AAG7E,cAAc;AACd,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,GAChB,MAAM,kBAAkB,CAAA;AASzB,qBAAqB;AACrB,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,mBAAmB,EACnB,mBAAmB,EACnB,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,aAAa,CAAA"}

package/dist/jwt-signing.d.ts ADDED Viewed

@@ -0,0 +1,133 @@
+/**
+ * @dotdo/oauth - JWT Signing Key Management
+ *
+ * Manages RSA-2048 signing keys for JWT token issuance.
+ * Supports key generation, storage/retrieval, and JWKS export.
+ */
+/**
+ * JWT Signing Key with public/private key pair
+ */
+export interface SigningKey {
+    /** Key identifier */
+    kid: string;
+    /** Algorithm (always RS256) */
+    alg: 'RS256';
+    /** Private key for signing */
+    privateKey: CryptoKey;
+    /** Public key for verification */
+    publicKey: CryptoKey;
+    /** When the key was created */
+    createdAt: number;
+}
+/**
+ * JWKS format for public key exposure
+ */
+export interface JWKSPublicKey {
+    kty: 'RSA';
+    kid: string;
+    use: 'sig';
+    alg: 'RS256';
+    n: string;
+    e: string;
+}
+/**
+ * JWKS document format
+ */
+export interface JWKS {
+    keys: JWKSPublicKey[];
+}
+/**
+ * Serialized key for storage
+ */
+export interface SerializedSigningKey {
+    kid: string;
+    alg: 'RS256';
+    privateKeyJwk: JsonWebKey;
+    publicKeyJwk: JsonWebKey;
+    createdAt: number;
+}
+/**
+ * JWT Claims for access tokens
+ */
+export interface AccessTokenClaims {
+    /** Subject (user ID) */
+    sub: string;
+    /** Client ID */
+    client_id: string;
+    /** Scopes */
+    scope?: string;
+    /** Additional claims */
+    [key: string]: unknown;
+}
+/**
+ * Generate a new RSA-2048 signing key pair
+ */
+export declare function generateSigningKey(kid?: string): Promise<SigningKey>;
+/**
+ * Export a signing key to serializable format for storage
+ */
+export declare function serializeSigningKey(key: SigningKey): Promise<SerializedSigningKey>;
+/**
+ * Import a signing key from serialized format
+ */
+export declare function deserializeSigningKey(serialized: SerializedSigningKey): Promise<SigningKey>;
+/**
+ * Export public key to JWKS format
+ */
+export declare function exportPublicKeyToJWKS(key: SigningKey): Promise<JWKSPublicKey>;
+/**
+ * Export multiple keys to JWKS document
+ */
+export declare function exportKeysToJWKS(keys: SigningKey[]): Promise<JWKS>;
+/**
+ * Sign a JWT with the given claims
+ */
+export declare function signAccessToken(key: SigningKey, claims: AccessTokenClaims, options: {
+    issuer: string;
+    audience?: string;
+    expiresIn?: number;
+}): Promise<string>;
+/**
+ * Signing Key Manager - handles key storage and rotation
+ */
+export declare class SigningKeyManager {
+    private options;
+    private keys;
+    private currentKeyIndex;
+    constructor(options?: {
+        maxKeys?: number;
+    });
+    /**
+     * Get the current signing key, generating one if needed
+     */
+    getCurrentKey(): Promise<SigningKey>;
+    /**
+     * Get all keys (for JWKS endpoint)
+     */
+    getAllKeys(): SigningKey[];
+    /**
+     * Rotate to a new key
+     */
+    rotateKey(): Promise<SigningKey>;
+    /**
+     * Load keys from serialized format
+     */
+    loadKeys(serializedKeys: SerializedSigningKey[]): Promise<void>;
+    /**
+     * Export keys to serializable format
+     */
+    exportKeys(): Promise<SerializedSigningKey[]>;
+    /**
+     * Export to JWKS format
+     */
+    toJWKS(): Promise<JWKS>;
+    /**
+     * Sign an access token with the current key
+     */
+    signAccessToken(claims: AccessTokenClaims, options: {
+        issuer: string;
+        audience?: string;
+        expiresIn?: number;
+    }): Promise<string>;
+}
+//# sourceMappingURL=jwt-signing.d.ts.map

package/dist/jwt-signing.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwt-signing.d.ts","sourceRoot":"","sources":["../src/jwt-signing.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,qBAAqB;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,+BAA+B;IAC/B,GAAG,EAAE,OAAO,CAAA;IACZ,8BAA8B;IAC9B,UAAU,EAAE,SAAS,CAAA;IACrB,kCAAkC;IAClC,SAAS,EAAE,SAAS,CAAA;IACpB,+BAA+B;IAC/B,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,KAAK,CAAA;IACV,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,KAAK,CAAA;IACV,GAAG,EAAE,OAAO,CAAA;IACZ,CAAC,EAAE,MAAM,CAAA;IACT,CAAC,EAAE,MAAM,CAAA;CACV;AAED;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB,IAAI,EAAE,aAAa,EAAE,CAAA;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,OAAO,CAAA;IACZ,aAAa,EAAE,UAAU,CAAA;IACzB,YAAY,EAAE,UAAU,CAAA;IACxB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,wBAAwB;IACxB,GAAG,EAAE,MAAM,CAAA;IACX,gBAAgB;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa;IACb,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,wBAAwB;IACxB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAmB1E;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAaxF;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CAAC,UAAU,EAAE,oBAAoB,GAAG,OAAO,CAAC,UAAU,CAAC,CAyBjG;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,CAWnF;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAGxE;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,UAAU,EACf,MAAM,EAAE,iBAAiB,EACzB,OAAO,EAAE;IACP,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GACA,OAAO,CAAC,MAAM,CAAC,CAgCjB;AAED;;GAEG;AACH,qBAAa,iBAAiB;IAIhB,OAAO,CAAC,OAAO;IAH3B,OAAO,CAAC,IAAI,CAAmB;IAC/B,OAAO,CAAC,eAAe,CAAI;gBAEP,OAAO,GAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO;IAItD;;OAEG;IACG,aAAa,IAAI,OAAO,CAAC,UAAU,CAAC;IAQ1C;;OAEG;IACH,UAAU,IAAI,UAAU,EAAE;IAI1B;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,UAAU,CAAC;IAatC;;OAEG;IACG,QAAQ,CAAC,cAAc,EAAE,oBAAoB,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAKrE;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAInD;;OAEG;IACG,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAI7B;;OAEG;IACG,eAAe,CACnB,MAAM,EAAE,iBAAiB,EACzB,OAAO,EAAE;QACP,MAAM,EAAE,MAAM,CAAA;QACd,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,SAAS,CAAC,EAAE,MAAM,CAAA;KACnB,GACA,OAAO,CAAC,MAAM,CAAC;CAInB"}

package/dist/jwt-signing.js ADDED Viewed

@@ -0,0 +1,173 @@
+/**
+ * @dotdo/oauth - JWT Signing Key Management
+ *
+ * Manages RSA-2048 signing keys for JWT token issuance.
+ * Supports key generation, storage/retrieval, and JWKS export.
+ */
+import { base64UrlEncode } from './pkce.js';
+/**
+ * Generate a new RSA-2048 signing key pair
+ */
+export async function generateSigningKey(kid) {
+    const keyPair = await crypto.subtle.generateKey({
+        name: 'RSASSA-PKCS1-v1_5',
+        modulusLength: 2048,
+        publicExponent: new Uint8Array([1, 0, 1]),
+        hash: 'SHA-256',
+    }, true, // extractable
+    ['sign', 'verify']);
+    return {
+        kid: kid || `oauth-do-key-${Date.now()}`,
+        alg: 'RS256',
+        privateKey: keyPair.privateKey,
+        publicKey: keyPair.publicKey,
+        createdAt: Date.now(),
+    };
+}
+/**
+ * Export a signing key to serializable format for storage
+ */
+export async function serializeSigningKey(key) {
+    const [privateKeyJwk, publicKeyJwk] = await Promise.all([
+        crypto.subtle.exportKey('jwk', key.privateKey),
+        crypto.subtle.exportKey('jwk', key.publicKey),
+    ]);
+    return {
+        kid: key.kid,
+        alg: key.alg,
+        privateKeyJwk,
+        publicKeyJwk,
+        createdAt: key.createdAt,
+    };
+}
+/**
+ * Import a signing key from serialized format
+ */
+export async function deserializeSigningKey(serialized) {
+    const [privateKey, publicKey] = await Promise.all([
+        crypto.subtle.importKey('jwk', serialized.privateKeyJwk, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, true, ['sign']),
+        crypto.subtle.importKey('jwk', serialized.publicKeyJwk, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, true, ['verify']),
+    ]);
+    return {
+        kid: serialized.kid,
+        alg: serialized.alg,
+        privateKey,
+        publicKey,
+        createdAt: serialized.createdAt,
+    };
+}
+/**
+ * Export public key to JWKS format
+ */
+export async function exportPublicKeyToJWKS(key) {
+    const jwk = await crypto.subtle.exportKey('jwk', key.publicKey);
+    return {
+        kty: 'RSA',
+        kid: key.kid,
+        use: 'sig',
+        alg: 'RS256',
+        n: jwk.n,
+        e: jwk.e,
+    };
+}
+/**
+ * Export multiple keys to JWKS document
+ */
+export async function exportKeysToJWKS(keys) {
+    const publicKeys = await Promise.all(keys.map(exportPublicKeyToJWKS));
+    return { keys: publicKeys };
+}
+/**
+ * Sign a JWT with the given claims
+ */
+export async function signAccessToken(key, claims, options) {
+    const { issuer, audience, expiresIn = 3600 } = options;
+    const now = Math.floor(Date.now() / 1000);
+    const header = {
+        alg: 'RS256',
+        typ: 'JWT',
+        kid: key.kid,
+    };
+    const payload = {
+        ...claims,
+        iss: issuer,
+        ...(audience && { aud: audience }),
+        iat: now,
+        exp: now + expiresIn,
+    };
+    const encoder = new TextEncoder();
+    const headerB64 = base64UrlEncode(encoder.encode(JSON.stringify(header)).buffer);
+    const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)).buffer);
+    const data = `${headerB64}.${payloadB64}`;
+    const signature = await crypto.subtle.sign({ name: 'RSASSA-PKCS1-v1_5' }, key.privateKey, encoder.encode(data));
+    const signatureB64 = base64UrlEncode(signature);
+    return `${data}.${signatureB64}`;
+}
+/**
+ * Signing Key Manager - handles key storage and rotation
+ */
+export class SigningKeyManager {
+    options;
+    keys = [];
+    currentKeyIndex = 0;
+    constructor(options = {}) {
+        this.options = options;
+        this.options.maxKeys = options.maxKeys ?? 2;
+    }
+    /**
+     * Get the current signing key, generating one if needed
+     */
+    async getCurrentKey() {
+        if (this.keys.length === 0) {
+            const key = await generateSigningKey();
+            this.keys.push(key);
+        }
+        return this.keys[this.currentKeyIndex];
+    }
+    /**
+     * Get all keys (for JWKS endpoint)
+     */
+    getAllKeys() {
+        return [...this.keys];
+    }
+    /**
+     * Rotate to a new key
+     */
+    async rotateKey() {
+        const newKey = await generateSigningKey();
+        this.keys.push(newKey);
+        // Remove old keys if we exceed maxKeys
+        while (this.keys.length > this.options.maxKeys) {
+            this.keys.shift();
+        }
+        this.currentKeyIndex = this.keys.length - 1;
+        return newKey;
+    }
+    /**
+     * Load keys from serialized format
+     */
+    async loadKeys(serializedKeys) {
+        this.keys = await Promise.all(serializedKeys.map(deserializeSigningKey));
+        this.currentKeyIndex = this.keys.length - 1;
+    }
+    /**
+     * Export keys to serializable format
+     */
+    async exportKeys() {
+        return Promise.all(this.keys.map(serializeSigningKey));
+    }
+    /**
+     * Export to JWKS format
+     */
+    async toJWKS() {
+        return exportKeysToJWKS(this.keys);
+    }
+    /**
+     * Sign an access token with the current key
+     */
+    async signAccessToken(claims, options) {
+        const key = await this.getCurrentKey();
+        return signAccessToken(key, claims, options);
+    }
+}
+//# sourceMappingURL=jwt-signing.js.map

package/dist/jwt-signing.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwt-signing.js","sourceRoot":"","sources":["../src/jwt-signing.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAA;AA8D3C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAY;IACnD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAC7C;QACE,IAAI,EAAE,mBAAmB;QACzB,aAAa,EAAE,IAAI;QACnB,cAAc,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;QACzC,IAAI,EAAE,SAAS;KAChB,EACD,IAAI,EAAE,cAAc;IACpB,CAAC,MAAM,EAAE,QAAQ,CAAC,CACF,CAAA;IAElB,OAAO;QACL,GAAG,EAAE,GAAG,IAAI,gBAAgB,IAAI,CAAC,GAAG,EAAE,EAAE;QACxC,GAAG,EAAE,OAAO;QACZ,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;KACtB,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,GAAe;IACvD,MAAM,CAAC,aAAa,EAAE,YAAY,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACtD,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,UAAU,CAAwB;QACrE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,SAAS,CAAwB;KACrE,CAAC,CAAA;IAEF,OAAO;QACL,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,aAAa;QACb,YAAY;QACZ,SAAS,EAAE,GAAG,CAAC,SAAS;KACzB,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,UAAgC;IAC1E,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAChD,MAAM,CAAC,MAAM,CAAC,SAAS,CACrB,KAAK,EACL,UAAU,CAAC,aAAa,EACxB,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE,EAC9C,IAAI,EACJ,CAAC,MAAM,CAAC,CACT;QACD,MAAM,CAAC,MAAM,CAAC,SAAS,CACrB,KAAK,EACL,UAAU,CAAC,YAAY,EACvB,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE,EAC9C,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX;KACF,CAAC,CAAA;IAEF,OAAO;QACL,GAAG,EAAE,UAAU,CAAC,GAAG;QACnB,GAAG,EAAE,UAAU,CAAC,GAAG;QACnB,UAAU;QACV,SAAS;QACT,SAAS,EAAE,UAAU,CAAC,SAAS;KAChC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,GAAe;IACzD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,SAAS,CAAe,CAAA;IAE7E,OAAO;QACL,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,OAAO;QACZ,CAAC,EAAE,GAAG,CAAC,CAAE;QACT,CAAC,EAAE,GAAG,CAAC,CAAE;KACV,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAkB;IACvD,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAA;IACrE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAA;AAC7B,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,GAAe,EACf,MAAyB,EACzB,OAIC;IAED,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,OAAO,CAAA;IACtD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IAEzC,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,GAAG,CAAC,GAAG;KACb,CAAA;IAED,MAAM,OAAO,GAAG;QACd,GAAG,MAAM;QACT,GAAG,EAAE,MAAM;QACX,GAAG,CAAC,QAAQ,IAAI,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC;QAClC,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,SAAS;KACrB,CAAA;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;IACjC,MAAM,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,MAAqB,CAAC,CAAA;IAC/F,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,MAAqB,CAAC,CAAA;IACjG,MAAM,IAAI,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAA;IAEzC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACxC,EAAE,IAAI,EAAE,mBAAmB,EAAE,EAC7B,GAAG,CAAC,UAAU,EACd,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CACrB,CAAA;IAED,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,CAAC,CAAA;IAE/C,OAAO,GAAG,IAAI,IAAI,YAAY,EAAE,CAAA;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,iBAAiB;IAIR;IAHZ,IAAI,GAAiB,EAAE,CAAA;IACvB,eAAe,GAAG,CAAC,CAAA;IAE3B,YAAoB,UAAgC,EAAE;QAAlC,YAAO,GAAP,OAAO,CAA2B;QACpD,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,CAAC,CAAA;IAC7C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa;QACjB,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,MAAM,kBAAkB,EAAE,CAAA;YACtC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACrB,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAE,CAAA;IACzC,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAA;IACvB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS;QACb,MAAM,MAAM,GAAG,MAAM,kBAAkB,EAAE,CAAA;QACzC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAEtB,uCAAuC;QACvC,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAQ,EAAE,CAAC;YAChD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAA;QACnB,CAAC;QAED,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAA;QAC3C,OAAO,MAAM,CAAA;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,cAAsC;QACnD,IAAI,CAAC,IAAI,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAA;QACxE,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAA;IAC7C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAA;IACxD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM;QACV,OAAO,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACpC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,MAAyB,EACzB,OAIC;QAED,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAA;QACtC,OAAO,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAA;IAC9C,CAAC;CACF"}

package/dist/server.d.ts CHANGED Viewed

@@ -4,9 +4,11 @@
  * Creates a Hono app that implements OAuth 2.1 authorization server endpoints:
  * - /.well-known/oauth-authorization-server (RFC 8414)
  * - /.well-known/oauth-protected-resource (draft-ietf-oauth-resource-metadata)
+ * - /.well-known/jwks.json (JWKS endpoint)
  * - /authorize (authorization endpoint)
  * - /callback (upstream OAuth callback)
  * - /token (token endpoint)
+ * - /introspect (token introspection - RFC 7662)
  * - /register (dynamic client registration - RFC 7591)
  * - /revoke (token revocation - RFC 7009)
  *
@@ -18,6 +20,7 @@ import { Hono } from 'hono';
 import type { OAuthStorage } from './storage.js';
 import type { OAuthUser, UpstreamOAuthConfig } from './types.js';
 import { type DevModeConfig, type TestHelpers } from './dev.js';
+import type { SigningKeyManager } from './jwt-signing.js';
 /**
  * Configuration for the OAuth 2.1 server
  */
@@ -46,13 +49,26 @@ export interface OAuth21ServerConfig {
     debug?: boolean;
     /** Allowed CORS origins (default: issuer origin only in production, '*' in dev mode) */
     allowedOrigins?: string[];
+    /**
+     * Signing key manager for JWT access tokens (optional)
+     * If provided, access tokens will be signed JWTs instead of opaque tokens.
+     * This enables the JWKS and introspection endpoints.
+     */
+    signingKeyManager?: SigningKeyManager;
+    /**
+     * Use JWT access tokens instead of opaque tokens (default: false)
+     * Requires signingKeyManager to be set, or will auto-create one in memory.
+     */
+    useJwtAccessTokens?: boolean;
 }
 /**
- * Extended Hono app with test helpers
+ * Extended Hono app with test helpers and signing key manager
  */
 export interface OAuth21Server extends Hono {
     /** Test helpers for E2E testing (only available in devMode) */
     testHelpers?: TestHelpers;
+    /** Signing key manager (available if useJwtAccessTokens is enabled) */
+    signingKeyManager?: SigningKeyManager;
 }
 /**
  * Create an OAuth 2.1 server as a Hono app

package/dist/server.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;;;;;;GAeG~~;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAG3B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA;AAChD,OAAO,KAAK,EAIV,SAAS,EAGT,mBAAmB,EACpB,MAAM,YAAY,CAAA;AASnB,OAAO,EACL,KAAK,aAAa,EAElB,KAAK,WAAW,EAGjB,MAAM,UAAU,CAAA;~~AAEjB~~;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,iDAAiD;IACjD,OAAO,EAAE,YAAY,CAAA;IACrB,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,mBAAmB,CAAA;IAC9B,mEAAmE;IACnE,OAAO,CAAC,EAAE,aAAa,CAAA;IACvB,uBAAuB;IACvB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,uDAAuD;IACvD,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,yEAAyE;IACzE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,yCAAyC;IACzC,yBAAyB,CAAC,EAAE,OAAO,CAAA;IACnC,oDAAoD;IACpD,mBAAmB,CAAC,EAAE,CAAC,IAAI,EAAE,SAAS,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC/D,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,wFAAwF;IACxF,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;~~CAC1B~~;AAED;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,IAAI;IACzC,+DAA+D;IAC/D,WAAW,CAAC,EAAE,WAAW,CAAA;~~CAC1B~~;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,mBAAmB,GAAG,aAAa,~~CAokB9E~~;~~AAyeD~~,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA;AAC7E,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA"}
1	+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAG3B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA;AAChD,OAAO,KAAK,EAIV,SAAS,EAGT,mBAAmB,EACpB,MAAM,YAAY,CAAA;AASnB,OAAO,EACL,KAAK,aAAa,EAElB,KAAK,WAAW,EAGjB,MAAM,UAAU,CAAA;AACjB,OAAO,KAAK,EAAE,iBAAiB,EAAqB,MAAM,kBAAkB,CAAA;AAG5E;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,iDAAiD;IACjD,OAAO,EAAE,YAAY,CAAA;IACrB,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,mBAAmB,CAAA;IAC9B,mEAAmE;IACnE,OAAO,CAAC,EAAE,aAAa,CAAA;IACvB,uBAAuB;IACvB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,uDAAuD;IACvD,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,yEAAyE;IACzE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,yCAAyC;IACzC,yBAAyB,CAAC,EAAE,OAAO,CAAA;IACnC,oDAAoD;IACpD,mBAAmB,CAAC,EAAE,CAAC,IAAI,EAAE,SAAS,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC/D,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,wFAAwF;IACxF,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,iBAAiB,CAAA;IACrC;;;OAGG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAA;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,IAAI;IACzC,+DAA+D;IAC/D,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,uEAAuE;IACvE,iBAAiB,CAAC,EAAE,iBAAiB,CAAA;CACtC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,mBAAmB,GAAG,aAAa,CA2+B9E;AA2iBD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA;AAC7E,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA"}