@draftlab/auth 0.10.3 → 0.10.4

package/dist/client.d.mts

@@ -218,6 +218,7 @@ interface VerifyOptions {
   issuer?: string;
   /**
    * Expected audience for validation.
+   * Defaults to clientID for security. Override only if you know what you're doing.
    * @internal
    */
   audience?: string;

package/dist/client.mjs

@@ -203,7 +203,7 @@ const createClient = (input) => {
 			try {
 				const jwtResult = await jwtVerify(token, await getJWKS(), {
 					issuer: options?.issuer ?? issuer,
-					...options?.audience && { audience: options.audience }
+					audience: options?.audience ?? input.clientID
 				});
 				const validated = await subjects[jwtResult.payload.type]?.["~standard"].validate(jwtResult.payload.properties);
 				if (!validated?.issues && jwtResult.payload.mode === "access") return {

package/dist/core.mjs

@@ -396,6 +396,7 @@ const issuer = (input) => {
 				await Storage.remove(storage, key);
 				const response = {
 					access_token: tokens.access,
+					token_type: "Bearer",
 					expires_in: tokens.expiresIn,
 					refresh_token: tokens.refresh
 				};
@@ -475,6 +476,7 @@ const issuer = (input) => {
 				}, { generateRefreshToken });
 				const response = {
 					access_token: tokens.access,
+					token_type: "Bearer",
 					refresh_token: tokens.refresh,
 					expires_in: tokens.expiresIn
 				};
@@ -574,6 +576,12 @@ const issuer = (input) => {
 		};
 		c.set("authorization", authorization);
 		if (!redirect_uri) return c.text("Missing redirect_uri", { status: 400 });
+		try {
+			const uri = new URL(redirect_uri);
+			if (!uri.protocol || !uri.host) return c.text("Invalid redirect_uri format", { status: 400 });
+		} catch {
+			return c.text("Invalid redirect_uri format", { status: 400 });
+		}
 		if (!response_type) throw new MissingParameterError("response_type");
 		if (!client_id) throw new MissingParameterError("client_id");
 		if (input.start) await input.start(c.request);

package/dist/keys.mjs

@@ -1,3 +1,4 @@
+import { Mutex } from "./mutex.mjs";
 import { generateSecureToken } from "./random.mjs";
 import { Storage } from "./storage/storage.mjs";
 import { exportJWK, exportPKCS8, exportSPKI, generateKeyPair, importPKCS8, importSPKI } from "jose";
@@ -11,6 +12,9 @@ import { exportJWK, exportPKCS8, exportSPKI, generateKeyPair, importPKCS8, impor
 const signingAlg = "ES256";
 /** RSA algorithm used for token encryption operations */
 const encryptionAlg = "RSA-OAEP-512";
+/** Mutex to prevent concurrent key generation (race condition with eventually consistent storage) */
+const signingKeyMutex = new Mutex();
+const encryptionKeyMutex = new Mutex();
 /**
 * Loads or generates signing keys for JWT operations.
 * Returns existing valid keys, or generates new ones if none are available.
@@ -31,47 +35,49 @@ const encryptionAlg = "RSA-OAEP-512";
 * ```
 */
 const signingKeys = async (storage) => {
-	const results = [];
-	const scanner = Storage.scan(storage, ["signing:key"]);
-	for await (const [, value] of scanner) try {
-		const publicKey = await importSPKI(value.publicKey, value.alg, { extractable: true });
-		const privateKey = await importPKCS8(value.privateKey, value.alg);
-		const jwk$1 = await exportJWK(publicKey);
-		jwk$1.kid = value.id;
-		jwk$1.use = "sig";
-		results.push({
-			id: value.id,
+	return signingKeyMutex.runExclusive(async () => {
+		const results = [];
+		const scanner = Storage.scan(storage, ["signing:key"]);
+		for await (const [, value] of scanner) try {
+			const publicKey = await importSPKI(value.publicKey, value.alg, { extractable: true });
+			const privateKey = await importPKCS8(value.privateKey, value.alg);
+			const jwk$1 = await exportJWK(publicKey);
+			jwk$1.kid = value.id;
+			jwk$1.use = "sig";
+			results.push({
+				id: value.id,
+				alg: signingAlg,
+				created: new Date(value.created),
+				expired: value.expired ? new Date(value.expired) : void 0,
+				public: publicKey,
+				private: privateKey,
+				jwk: jwk$1
+			});
+		} catch {}
+		results.sort((a, b) => b.created.getTime() - a.created.getTime());
+		if (results.filter((item) => !item.expired).length) return results;
+		const key = await generateKeyPair(signingAlg, { extractable: true });
+		const serialized = {
+			id: generateSecureToken(16),
+			publicKey: await exportSPKI(key.publicKey),
+			privateKey: await exportPKCS8(key.privateKey),
+			created: Date.now(),
+			alg: signingAlg
+		};
+		await Storage.set(storage, ["signing:key", serialized.id], serialized);
+		const jwk = await exportJWK(key.publicKey);
+		jwk.kid = serialized.id;
+		jwk.use = "sig";
+		return [{
+			id: serialized.id,
 			alg: signingAlg,
-			created: new Date(value.created),
-			expired: value.expired ? new Date(value.expired) : void 0,
-			public: publicKey,
-			private: privateKey,
-			jwk: jwk$1
-		});
-	} catch {}
-	results.sort((a, b) => b.created.getTime() - a.created.getTime());
-	if (results.filter((item) => !item.expired).length) return results;
-	const key = await generateKeyPair(signingAlg, { extractable: true });
-	const serialized = {
-		id: generateSecureToken(16),
-		publicKey: await exportSPKI(key.publicKey),
-		privateKey: await exportPKCS8(key.privateKey),
-		created: Date.now(),
-		alg: signingAlg
-	};
-	await Storage.set(storage, ["signing:key", serialized.id], serialized);
-	const jwk = await exportJWK(key.publicKey);
-	jwk.kid = serialized.id;
-	jwk.use = "sig";
-	return [{
-		id: serialized.id,
-		alg: signingAlg,
-		created: new Date(serialized.created),
-		expired: serialized.expired ? new Date(serialized.expired) : void 0,
-		public: key.publicKey,
-		private: key.privateKey,
-		jwk
-	}, ...results];
+			created: new Date(serialized.created),
+			expired: serialized.expired ? new Date(serialized.expired) : void 0,
+			public: key.publicKey,
+			private: key.privateKey,
+			jwk
+		}, ...results];
+	});
 };
 /**
 * Loads or generates encryption keys for token encryption operations.
@@ -93,45 +99,47 @@ const signingKeys = async (storage) => {
 * ```
 */
 const encryptionKeys = async (storage) => {
-	const results = [];
-	const scanner = Storage.scan(storage, ["encryption:key"]);
-	for await (const [, value] of scanner) try {
-		const publicKey = await importSPKI(value.publicKey, value.alg, { extractable: true });
-		const privateKey = await importPKCS8(value.privateKey, value.alg);
-		const jwk$1 = await exportJWK(publicKey);
-		jwk$1.kid = value.id;
-		results.push({
-			id: value.id,
+	return encryptionKeyMutex.runExclusive(async () => {
+		const results = [];
+		const scanner = Storage.scan(storage, ["encryption:key"]);
+		for await (const [, value] of scanner) try {
+			const publicKey = await importSPKI(value.publicKey, value.alg, { extractable: true });
+			const privateKey = await importPKCS8(value.privateKey, value.alg);
+			const jwk$1 = await exportJWK(publicKey);
+			jwk$1.kid = value.id;
+			results.push({
+				id: value.id,
+				alg: encryptionAlg,
+				created: new Date(value.created),
+				expired: value.expired ? new Date(value.expired) : void 0,
+				public: publicKey,
+				private: privateKey,
+				jwk: jwk$1
+			});
+		} catch {}
+		results.sort((a, b) => b.created.getTime() - a.created.getTime());
+		if (results.filter((item) => !item.expired).length) return results;
+		const key = await generateKeyPair(encryptionAlg, { extractable: true });
+		const serialized = {
+			id: generateSecureToken(16),
+			publicKey: await exportSPKI(key.publicKey),
+			privateKey: await exportPKCS8(key.privateKey),
+			created: Date.now(),
+			alg: encryptionAlg
+		};
+		await Storage.set(storage, ["encryption:key", serialized.id], serialized);
+		const jwk = await exportJWK(key.publicKey);
+		jwk.kid = serialized.id;
+		return [{
+			id: serialized.id,
 			alg: encryptionAlg,
-			created: new Date(value.created),
-			expired: value.expired ? new Date(value.expired) : void 0,
-			public: publicKey,
-			private: privateKey,
-			jwk: jwk$1
-		});
-	} catch {}
-	results.sort((a, b) => b.created.getTime() - a.created.getTime());
-	if (results.filter((item) => !item.expired).length) return results;
-	const key = await generateKeyPair(encryptionAlg, { extractable: true });
-	const serialized = {
-		id: generateSecureToken(16),
-		publicKey: await exportSPKI(key.publicKey),
-		privateKey: await exportPKCS8(key.privateKey),
-		created: Date.now(),
-		alg: encryptionAlg
-	};
-	await Storage.set(storage, ["encryption:key", serialized.id], serialized);
-	const jwk = await exportJWK(key.publicKey);
-	jwk.kid = serialized.id;
-	return [{
-		id: serialized.id,
-		alg: encryptionAlg,
-		created: new Date(serialized.created),
-		expired: serialized.expired ? new Date(serialized.expired) : void 0,
-		public: key.publicKey,
-		private: key.privateKey,
-		jwk
-	}, ...results];
+			created: new Date(serialized.created),
+			expired: serialized.expired ? new Date(serialized.expired) : void 0,
+			public: key.publicKey,
+			private: key.privateKey,
+			jwk
+		}, ...results];
+	});
 };
 
 //#endregion

package/dist/mutex.d.mts

@@ -0,0 +1,44 @@
+//#region src/mutex.d.ts
+/**
+ * A Mutex (mutual exclusion lock) for async functions.
+ * It allows only one async task to access a critical section at a time.
+ *
+ * @example
+ * const mutex = new Mutex();
+ *
+ * async function criticalSection() {
+ *   await mutex.acquire();
+ *   try {
+ *     // This code section cannot be executed simultaneously
+ *   } finally {
+ *     mutex.release();
+ *   }
+ * }
+ */
+declare class Mutex {
+  private semaphore;
+  /**
+   * Checks if the mutex is currently locked.
+   * @returns True if the mutex is locked, false otherwise.
+   */
+  get isLocked(): boolean;
+  /**
+   * Acquires the mutex, blocking if necessary until it is available.
+   * @returns A promise that resolves when the mutex is acquired.
+   */
+  acquire(): Promise<void>;
+  /**
+   * Releases the mutex, allowing another waiting task to proceed.
+   */
+  release(): void;
+  /**
+   * Runs a function while holding the mutex lock.
+   * Automatically acquires before and releases after the function execution.
+   *
+   * @param fn - The function to execute while holding the lock
+   * @returns The result of the function
+   */
+  runExclusive<T>(fn: () => Promise<T>): Promise<T>;
+}
+//#endregion
+export { Mutex };

package/dist/mutex.mjs

@@ -0,0 +1,110 @@
+//#region src/mutex.ts
+/**
+* A counting semaphore for async functions that manages available permits.
+* Semaphores are mainly used to limit the number of concurrent async tasks.
+*
+* Each `acquire` operation takes a permit or waits until one is available.
+* Each `release` operation adds a permit, potentially allowing a waiting task to proceed.
+*
+* The semaphore ensures fairness by maintaining a FIFO (First In, First Out) order for acquirers.
+*/
+var Semaphore = class {
+	/**
+	* The maximum number of concurrent operations allowed.
+	*/
+	capacity;
+	/**
+	* The number of available permits.
+	*/
+	available;
+	deferredTasks = [];
+	/**
+	* Creates an instance of Semaphore.
+	* @param capacity - The maximum number of concurrent operations allowed.
+	*/
+	constructor(capacity) {
+		this.capacity = capacity;
+		this.available = capacity;
+	}
+	/**
+	* Acquires a semaphore, blocking if necessary until one is available.
+	* @returns A promise that resolves when the semaphore is acquired.
+	*/
+	async acquire() {
+		if (this.available > 0) {
+			this.available--;
+			return;
+		}
+		return new Promise((resolve) => {
+			this.deferredTasks.push(resolve);
+		});
+	}
+	/**
+	* Releases a semaphore, allowing one more operation to proceed.
+	*/
+	release() {
+		const deferredTask = this.deferredTasks.shift();
+		if (deferredTask != null) {
+			deferredTask();
+			return;
+		}
+		if (this.available < this.capacity) this.available++;
+	}
+};
+/**
+* A Mutex (mutual exclusion lock) for async functions.
+* It allows only one async task to access a critical section at a time.
+*
+* @example
+* const mutex = new Mutex();
+*
+* async function criticalSection() {
+*   await mutex.acquire();
+*   try {
+*     // This code section cannot be executed simultaneously
+*   } finally {
+*     mutex.release();
+*   }
+* }
+*/
+var Mutex = class {
+	semaphore = new Semaphore(1);
+	/**
+	* Checks if the mutex is currently locked.
+	* @returns True if the mutex is locked, false otherwise.
+	*/
+	get isLocked() {
+		return this.semaphore.available === 0;
+	}
+	/**
+	* Acquires the mutex, blocking if necessary until it is available.
+	* @returns A promise that resolves when the mutex is acquired.
+	*/
+	async acquire() {
+		return this.semaphore.acquire();
+	}
+	/**
+	* Releases the mutex, allowing another waiting task to proceed.
+	*/
+	release() {
+		this.semaphore.release();
+	}
+	/**
+	* Runs a function while holding the mutex lock.
+	* Automatically acquires before and releases after the function execution.
+	*
+	* @param fn - The function to execute while holding the lock
+	* @returns The result of the function
+	*/
+	async runExclusive(fn) {
+		await this.acquire();
+		try {
+			return await fn();
+		} finally {
+			this.release();
+		}
+	}
+};
+
+//#endregion
+export { Mutex };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@draftlab/auth",
-  "version": "0.10.3",
+  "version": "0.10.4",
   "type": "module",
   "description": "Core implementation for @draftlab/auth",
   "author": "Matheus Pergoli",
@@ -60,7 +60,7 @@
     "@standard-schema/spec": "^1.1.0",
     "jose": "^6.1.3",
     "otpauth": "^9.4.1",
-    "preact": "^10.28.0",
+    "preact": "^10.28.1",
     "preact-render-to-string": "^6.6.4",
     "qrcode": "^1.5.4",
     "@draftlab/auth-router": "0.4.1"