@draftlab/auth 0.0.3 → 0.1.0

package/dist/error.d.ts

@@ -1,2 +1,243 @@
-import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError, MissingParameterError, MissingProviderError, OauthError, OauthErrorType, UnauthorizedClientError, UnknownStateError } from "./error-CWAdNAzm.js";
+//#region src/error.d.ts
+/**
+ * Error classes and types for Draft Auth operations.
+ * Provides comprehensive error handling for OAuth 2.0 and authentication flows.
+ *
+ * ## Usage
+ *
+ * ```ts
+ * import {
+ *   InvalidAuthorizationCodeError,
+ *   OauthError,
+ *   UnknownStateError
+ * } from "@draftlab/auth/error"
+ *
+ * try {
+ *   await client.exchange(code, redirectUri)
+ * } catch (error) {
+ *   if (error instanceof InvalidAuthorizationCodeError) {
+ *     // Handle invalid authorization code
+ *     // Authorization code expired or invalid
+ *   } else if (error instanceof OauthError) {
+ *     // Handle OAuth-specific errors
+ *     // OAuth error: error.error - error.description
+ *   }
+ * }
+ * ```
+ *
+ * ## Error Categories
+ *
+ * - **OAuth Errors**: Standard OAuth error responses
+ * - **Token Errors**: Issues with access tokens, refresh tokens, and authorization codes
+ * - **Client Errors**: Problems with client configuration and authorization
+ * - **State Errors**: Session and flow state management issues
+ *
+ * @packageDocumentation
+ */
+/**
+ * Standard OAuth error types
+ * These error codes are returned by OAuth authorization servers.
+ */
+type OauthErrorType = "invalid_request" | "invalid_client" | "invalid_grant" | "invalid_token" | "invalid_redirect_uri" | "insufficient_scope" | "unauthorized_client" | "access_denied" | "unsupported_grant_type" | "server_error" | "temporarily_unavailable" | "unsupported_response_type";
+/**
+ * Base OAuth error class for handling standard OAuth error responses.
+ * Contains both the error code and human-readable description.
+ */
+declare class OauthError extends Error {
+  /** The OAuth error code as defined in the specification */
+  readonly error: OauthErrorType;
+  /** Human-readable description of the error */
+  readonly description: string;
+  /**
+   * Creates a new OAuth error with the specified error code and description.
+   *
+   * @param error - The OAuth error type
+   * @param description - Human-readable error description
+   *
+   * @example
+   * ```ts
+   * throw new OauthError("invalid_grant", "Authorization code has expired")
+   * ```
+   */
+  constructor(error: OauthErrorType, description: string);
+  /**
+   * Converts the error to a standard OAuth JSON response format.
+   *
+   * @returns Object with error and error_description fields
+   *
+   * @example
+   * ```ts
+   * const oauthError = new OauthError("invalid_request", "Missing parameter")
+   * return c.json(oauthError.toJSON(), 400)
+   * ```
+   */
+  toJSON(): {
+    error: OauthErrorType;
+    error_description: string;
+  };
+}
+/**
+ * Error thrown when a provider parameter is missing from the authorization request.
+ * Occurs when multiple providers are configured but no specific provider is selected.
+ */
+declare class MissingProviderError extends OauthError {
+  /**
+   * Creates a missing provider error.
+   * Thrown when the provider query parameter is required but not provided.
+   */
+  constructor();
+}
+/**
+ * Error thrown when a required parameter is missing from a request.
+ * Used for validating OAuth request parameters.
+ */
+declare class MissingParameterError extends OauthError {
+  /** The name of the missing parameter */
+  readonly parameter: string;
+  /**
+   * Creates a missing parameter error.
+   *
+   * @param parameter - The name of the missing parameter
+   *
+   * @example
+   * ```ts
+   * throw new MissingParameterError("client_id")
+   * ```
+   */
+  constructor(parameter: string);
+}
+/**
+ * Error thrown when a client is not authorized to use a specific redirect URI.
+ * Prevents unauthorized clients from hijacking authorization codes.
+ */
+declare class UnauthorizedClientError extends OauthError {
+  /** The client ID that attempted unauthorized access */
+  readonly clientID: string;
+  /**
+   * Creates an unauthorized client error.
+   *
+   * @param clientID - The client ID attempting unauthorized access
+   * @param redirectURI - The unauthorized redirect URI
+   *
+   * @example
+   * ```ts
+   * throw new UnauthorizedClientError("malicious-client", "https://evil.com/callback")
+   * ```
+   */
+  constructor(clientID: string, redirectURI: string);
+}
+/**
+ * Error thrown when the authentication flow is in an unknown or invalid state.
+ *
+ * ## Common Causes
+ * - Session cookies have expired during the authentication flow
+ * - User switched browsers or devices mid-flow
+ * - Authentication state was manually tampered with
+ * - Server session storage was cleared
+ *
+ * @example
+ * ```ts
+ * // In provider callback handling
+ * const state = await getAuthState(request)
+ * if (!state) {
+ *   throw new UnknownStateError()
+ * }
+ * ```
+ */
+declare class UnknownStateError extends Error {
+  /**
+   * Creates an unknown state error.
+   * Indicates that the authentication flow cannot continue due to missing state.
+   */
+  constructor();
+}
+/**
+ * Error thrown when a subject (user identifier) is invalid or malformed.
+ * Used during token verification and subject validation.
+ *
+ * @example
+ * ```ts
+ * // During token verification
+ * const subject = extractSubject(token)
+ * if (!isValidSubject(subject)) {
+ *   throw new InvalidSubjectError()
+ * }
+ * ```
+ */
+declare class InvalidSubjectError extends Error {
+  /**
+   * Creates an invalid subject error.
+   */
+  constructor();
+}
+/**
+ * Error thrown when a refresh token is invalid, expired, or revoked.
+ * Occurs during token refresh operations.
+ *
+ * @example
+ * ```ts
+ * // During token refresh
+ * try {
+ *   const newTokens = await client.refresh(refreshToken)
+ * } catch (error) {
+ *   if (error instanceof InvalidRefreshTokenError) {
+ *     // Redirect user to login again
+ *     redirectToLogin()
+ *   }
+ * }
+ * ```
+ */
+declare class InvalidRefreshTokenError extends Error {
+  /**
+   * Creates an invalid refresh token error.
+   */
+  constructor();
+}
+/**
+ * Error thrown when an access token is invalid, expired, or malformed.
+ * Occurs during token verification and API requests.
+ *
+ * @example
+ * ```ts
+ * // During API request
+ * try {
+ *   const user = await api.getUser(accessToken)
+ * } catch (error) {
+ *   if (error instanceof InvalidAccessTokenError) {
+ *     // Try to refresh the token
+ *     await refreshAccessToken()
+ *   }
+ * }
+ * ```
+ */
+declare class InvalidAccessTokenError extends Error {
+  /**
+   * Creates an invalid access token error.
+   */
+  constructor();
+}
+/**
+ * Error thrown when an authorization code is invalid, expired, or already used.
+ * Occurs during the token exchange step of the OAuth flow.
+ *
+ * @example
+ * ```ts
+ * // During authorization code exchange
+ * try {
+ *   const tokens = await client.exchange(code, redirectUri)
+ * } catch (error) {
+ *   if (error instanceof InvalidAuthorizationCodeError) {
+ *     // Code may have expired or been used already
+ *     redirectToAuthorize()
+ *   }
+ * }
+ * ```
+ */
+declare class InvalidAuthorizationCodeError extends Error {
+  /**
+   * Creates an invalid authorization code error.
+   */
+  constructor();
+}
+//#endregion
 export { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError, MissingParameterError, MissingProviderError, OauthError, OauthErrorType, UnauthorizedClientError, UnknownStateError };

package/dist/error.js

@@ -1,3 +1,237 @@
-import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError, MissingParameterError, MissingProviderError, OauthError, UnauthorizedClientError, UnknownStateError } from "./error-DgAKK7b2.js";
+//#region src/error.ts
+/**
+* Base OAuth error class for handling standard OAuth error responses.
+* Contains both the error code and human-readable description.
+*/
+var OauthError = class extends Error {
+	/** The OAuth error code as defined in the specification */
+	error;
+	/** Human-readable description of the error */
+	description;
+	/**
+	* Creates a new OAuth error with the specified error code and description.
+	*
+	* @param error - The OAuth error type
+	* @param description - Human-readable error description
+	*
+	* @example
+	* ```ts
+	* throw new OauthError("invalid_grant", "Authorization code has expired")
+	* ```
+	*/
+	constructor(error, description) {
+		super(`${error} - ${description}`);
+		this.name = "OauthError";
+		this.error = error;
+		this.description = description;
+	}
+	/**
+	* Converts the error to a standard OAuth JSON response format.
+	*
+	* @returns Object with error and error_description fields
+	*
+	* @example
+	* ```ts
+	* const oauthError = new OauthError("invalid_request", "Missing parameter")
+	* return c.json(oauthError.toJSON(), 400)
+	* ```
+	*/
+	toJSON() {
+		return {
+			error: this.error,
+			error_description: this.description
+		};
+	}
+};
+/**
+* Error thrown when a provider parameter is missing from the authorization request.
+* Occurs when multiple providers are configured but no specific provider is selected.
+*/
+var MissingProviderError = class extends OauthError {
+	/**
+	* Creates a missing provider error.
+	* Thrown when the provider query parameter is required but not provided.
+	*/
+	constructor() {
+		super("invalid_request", "Must specify `provider` query parameter if `select` callback on issuer is not specified");
+		this.name = "MissingProviderError";
+	}
+};
+/**
+* Error thrown when a required parameter is missing from a request.
+* Used for validating OAuth request parameters.
+*/
+var MissingParameterError = class extends OauthError {
+	/** The name of the missing parameter */
+	parameter;
+	/**
+	* Creates a missing parameter error.
+	*
+	* @param parameter - The name of the missing parameter
+	*
+	* @example
+	* ```ts
+	* throw new MissingParameterError("client_id")
+	* ```
+	*/
+	constructor(parameter) {
+		super("invalid_request", `Missing parameter: ${parameter}`);
+		this.name = "MissingParameterError";
+		this.parameter = parameter;
+	}
+};
+/**
+* Error thrown when a client is not authorized to use a specific redirect URI.
+* Prevents unauthorized clients from hijacking authorization codes.
+*/
+var UnauthorizedClientError = class extends OauthError {
+	/** The client ID that attempted unauthorized access */
+	clientID;
+	/**
+	* Creates an unauthorized client error.
+	*
+	* @param clientID - The client ID attempting unauthorized access
+	* @param redirectURI - The unauthorized redirect URI
+	*
+	* @example
+	* ```ts
+	* throw new UnauthorizedClientError("malicious-client", "https://evil.com/callback")
+	* ```
+	*/
+	constructor(clientID, redirectURI) {
+		super("unauthorized_client", `Client ${clientID} is not authorized to use this redirect_uri: ${redirectURI}`);
+		this.name = "UnauthorizedClientError";
+		this.clientID = clientID;
+	}
+};
+/**
+* Error thrown when the authentication flow is in an unknown or invalid state.
+*
+* ## Common Causes
+* - Session cookies have expired during the authentication flow
+* - User switched browsers or devices mid-flow
+* - Authentication state was manually tampered with
+* - Server session storage was cleared
+*
+* @example
+* ```ts
+* // In provider callback handling
+* const state = await getAuthState(request)
+* if (!state) {
+*   throw new UnknownStateError()
+* }
+* ```
+*/
+var UnknownStateError = class extends Error {
+	/**
+	* Creates an unknown state error.
+	* Indicates that the authentication flow cannot continue due to missing state.
+	*/
+	constructor() {
+		super("The browser was in an unknown state. This could be because certain cookies expired or the browser was switched in the middle of an authentication flow.");
+		this.name = "UnknownStateError";
+	}
+};
+/**
+* Error thrown when a subject (user identifier) is invalid or malformed.
+* Used during token verification and subject validation.
+*
+* @example
+* ```ts
+* // During token verification
+* const subject = extractSubject(token)
+* if (!isValidSubject(subject)) {
+*   throw new InvalidSubjectError()
+* }
+* ```
+*/
+var InvalidSubjectError = class extends Error {
+	/**
+	* Creates an invalid subject error.
+	*/
+	constructor() {
+		super("Invalid subject");
+		this.name = "InvalidSubjectError";
+	}
+};
+/**
+* Error thrown when a refresh token is invalid, expired, or revoked.
+* Occurs during token refresh operations.
+*
+* @example
+* ```ts
+* // During token refresh
+* try {
+*   const newTokens = await client.refresh(refreshToken)
+* } catch (error) {
+*   if (error instanceof InvalidRefreshTokenError) {
+*     // Redirect user to login again
+*     redirectToLogin()
+*   }
+* }
+* ```
+*/
+var InvalidRefreshTokenError = class extends Error {
+	/**
+	* Creates an invalid refresh token error.
+	*/
+	constructor() {
+		super("Invalid refresh token");
+		this.name = "InvalidRefreshTokenError";
+	}
+};
+/**
+* Error thrown when an access token is invalid, expired, or malformed.
+* Occurs during token verification and API requests.
+*
+* @example
+* ```ts
+* // During API request
+* try {
+*   const user = await api.getUser(accessToken)
+* } catch (error) {
+*   if (error instanceof InvalidAccessTokenError) {
+*     // Try to refresh the token
+*     await refreshAccessToken()
+*   }
+* }
+* ```
+*/
+var InvalidAccessTokenError = class extends Error {
+	/**
+	* Creates an invalid access token error.
+	*/
+	constructor() {
+		super("Invalid access token");
+		this.name = "InvalidAccessTokenError";
+	}
+};
+/**
+* Error thrown when an authorization code is invalid, expired, or already used.
+* Occurs during the token exchange step of the OAuth flow.
+*
+* @example
+* ```ts
+* // During authorization code exchange
+* try {
+*   const tokens = await client.exchange(code, redirectUri)
+* } catch (error) {
+*   if (error instanceof InvalidAuthorizationCodeError) {
+*     // Code may have expired or been used already
+*     redirectToAuthorize()
+*   }
+* }
+* ```
+*/
+var InvalidAuthorizationCodeError = class extends Error {
+	/**
+	* Creates an invalid authorization code error.
+	*/
+	constructor() {
+		super("Invalid authorization code");
+		this.name = "InvalidAuthorizationCodeError";
+	}
+};
 
+//#endregion
 export { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError, MissingParameterError, MissingProviderError, OauthError, UnauthorizedClientError, UnknownStateError };

package/dist/index.d.ts

@@ -1,9 +1,2 @@
-import "./allow-CixonwTW.js";
-import "./error-CWAdNAzm.js";
-import "./util-DbSKG1Xm.js";
-import "./subject-DMIMVtaT.js";
-import "./storage-CxKerLlc.js";
-import "./provider-tndlqCzp.js";
-import "./theme-C9by7VXf.js";
-import { issuer } from "./core-BZHEAefX.js";
+import { issuer } from "./core.js";
 export { issuer };

package/dist/index.js

@@ -1,14 +1,3 @@
-import "./util-CSdHUFOo.js";
-import "./allow-DX5cehSc.js";
-import "./error-DgAKK7b2.js";
-import "./pkce-276Za_rZ.js";
-import "./random-SXMYlaVr.js";
-import "./storage-BEaqEPNQ.js";
-import "./keys-EEfxEGfO.js";
-import "./theme-CswaLtbW.js";
-import "./base-DRutbxgL.js";
-import "./icon-Ci5uqGB_.js";
-import "./select-BjySLL8I.js";
-import { issuer } from "./core-CDM5o4rs.js";
+import { issuer } from "./core.js";
 
 export { issuer };

package/dist/keys.d.ts

@@ -1,4 +1,4 @@
-import { StorageAdapter } from "./storage-CxKerLlc.js";
+import { StorageAdapter } from "./storage/storage.js";
 import { CryptoKey, JWK } from "jose";
 
 //#region src/keys.d.ts

package/dist/keys.js

@@ -1,5 +1,140 @@
-import "./random-SXMYlaVr.js";
-import "./storage-BEaqEPNQ.js";
-import { encryptionKeys, signingKeys } from "./keys-EEfxEGfO.js";
+import { generateSecureToken } from "./random.js";
+import { Storage } from "./storage/storage.js";
+import { exportJWK, exportPKCS8, exportSPKI, generateKeyPair, importPKCS8, importSPKI } from "jose";
 
+//#region src/keys.ts
+/**
+* Cryptographic key management for JWT signing and encryption operations.
+* Handles automatic key generation, rotation, and storage for OAuth operations.
+*/
+/** Elliptic Curve algorithm used for JWT signing operations */
+const signingAlg = "ES256";
+/** RSA algorithm used for token encryption operations */
+const encryptionAlg = "RSA-OAEP-512";
+/**
+* Loads or generates signing keys for JWT operations.
+* Returns existing valid keys, or generates new ones if none are available.
+* Keys are automatically sorted by creation date (newest first).
+*
+* @param storage - Storage adapter for persistent key storage
+* @returns Promise resolving to array of available signing key pairs
+*
+* @example
+* ```ts
+* const keys = await signingKeys(storage)
+* const currentKey = keys[0] // Most recent key
+*
+* // Use for JWT signing
+* const jwt = await new SignJWT(payload)
+*   .setProtectedHeader({ alg: currentKey.alg, kid: currentKey.id })
+*   .sign(currentKey.private)
+* ```
+*/
+const signingKeys = async (storage) => {
+	const results = [];
+	const scanner = Storage.scan(storage, ["signing:key"]);
+	for await (const [, value] of scanner) try {
+		const publicKey = await importSPKI(value.publicKey, value.alg, { extractable: true });
+		const privateKey = await importPKCS8(value.privateKey, value.alg);
+		const jwk$1 = await exportJWK(publicKey);
+		jwk$1.kid = value.id;
+		jwk$1.use = "sig";
+		results.push({
+			id: value.id,
+			alg: signingAlg,
+			created: new Date(value.created),
+			expired: value.expired ? new Date(value.expired) : void 0,
+			public: publicKey,
+			private: privateKey,
+			jwk: jwk$1
+		});
+	} catch {}
+	results.sort((a, b) => b.created.getTime() - a.created.getTime());
+	if (results.filter((item) => !item.expired).length) return results;
+	const key = await generateKeyPair(signingAlg, { extractable: true });
+	const serialized = {
+		id: generateSecureToken(16),
+		publicKey: await exportSPKI(key.publicKey),
+		privateKey: await exportPKCS8(key.privateKey),
+		created: Date.now(),
+		alg: signingAlg
+	};
+	await Storage.set(storage, ["signing:key", serialized.id], serialized);
+	const jwk = await exportJWK(key.publicKey);
+	jwk.kid = serialized.id;
+	jwk.use = "sig";
+	const newKeyPair = {
+		id: serialized.id,
+		alg: signingAlg,
+		created: new Date(serialized.created),
+		expired: serialized.expired ? new Date(serialized.expired) : void 0,
+		public: key.publicKey,
+		private: key.privateKey,
+		jwk
+	};
+	return [newKeyPair, ...results];
+};
+/**
+* Loads or generates encryption keys for token encryption operations.
+* Returns existing valid keys, or generates new ones if none are available.
+* Keys are automatically sorted by creation date (newest first).
+*
+* @param storage - Storage adapter for persistent key storage
+* @returns Promise resolving to array of available encryption key pairs
+*
+* @example
+* ```ts
+* const keys = await encryptionKeys(storage)
+* const currentKey = keys[0] // Most recent key
+*
+* // Use for token encryption
+* const encrypted = await new EncryptJWT(payload)
+*   .setProtectedHeader({ alg: 'RSA-OAEP-512', enc: 'A256GCM' })
+*   .encrypt(currentKey.public)
+* ```
+*/
+const encryptionKeys = async (storage) => {
+	const results = [];
+	const scanner = Storage.scan(storage, ["encryption:key"]);
+	for await (const [, value] of scanner) try {
+		const publicKey = await importSPKI(value.publicKey, value.alg, { extractable: true });
+		const privateKey = await importPKCS8(value.privateKey, value.alg);
+		const jwk$1 = await exportJWK(publicKey);
+		jwk$1.kid = value.id;
+		results.push({
+			id: value.id,
+			alg: encryptionAlg,
+			created: new Date(value.created),
+			expired: value.expired ? new Date(value.expired) : void 0,
+			public: publicKey,
+			private: privateKey,
+			jwk: jwk$1
+		});
+	} catch {}
+	results.sort((a, b) => b.created.getTime() - a.created.getTime());
+	if (results.filter((item) => !item.expired).length) return results;
+	const key = await generateKeyPair(encryptionAlg, { extractable: true });
+	const serialized = {
+		id: generateSecureToken(16),
+		publicKey: await exportSPKI(key.publicKey),
+		privateKey: await exportPKCS8(key.privateKey),
+		created: Date.now(),
+		alg: encryptionAlg
+	};
+	await Storage.set(storage, ["encryption:key", serialized.id], serialized);
+	const jwk = await exportJWK(key.publicKey);
+	jwk.kid = serialized.id;
+	const newKeyPair = {
+		id: serialized.id,
+		alg: encryptionAlg,
+		created: new Date(serialized.created),
+		expired: serialized.expired ? new Date(serialized.expired) : void 0,
+		public: key.publicKey,
+		private: key.privateKey,
+		jwk
+	};
+	return [newKeyPair, ...results];
+};
+
+//#endregion
 export { encryptionKeys, signingKeys };