@draftlab/auth 0.15.0 → 0.16.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/esm/allow.js +26 -0
- package/dist/esm/client.js +254 -0
- package/dist/esm/core.js +597 -0
- package/dist/esm/css.d.js +0 -0
- package/dist/esm/error.js +88 -0
- package/dist/esm/index.js +5 -0
- package/dist/esm/keys.js +126 -0
- package/dist/esm/mutex.js +53 -0
- package/dist/esm/pkce.js +87 -0
- package/dist/esm/provider/apple.js +15 -0
- package/dist/esm/provider/code.js +62 -0
- package/dist/esm/provider/discord.js +15 -0
- package/dist/esm/provider/facebook.js +15 -0
- package/dist/esm/provider/github.js +15 -0
- package/dist/esm/provider/gitlab.js +15 -0
- package/dist/esm/provider/google.js +16 -0
- package/dist/esm/provider/linkedin.js +15 -0
- package/dist/esm/provider/magiclink.js +83 -0
- package/dist/esm/provider/microsoft.js +15 -0
- package/dist/esm/provider/oauth2.js +130 -0
- package/dist/esm/provider/password.js +331 -0
- package/dist/esm/provider/provider.js +18 -0
- package/dist/esm/provider/reddit.js +15 -0
- package/dist/esm/provider/slack.js +15 -0
- package/dist/esm/provider/spotify.js +15 -0
- package/dist/esm/provider/twitch.js +15 -0
- package/dist/esm/provider/vercel.js +17 -0
- package/dist/esm/random.js +40 -0
- package/dist/esm/revocation.js +27 -0
- package/dist/esm/storage/memory.js +110 -0
- package/dist/esm/storage/storage.js +56 -0
- package/dist/esm/storage/turso.js +93 -0
- package/dist/esm/storage/unstorage.js +78 -0
- package/dist/esm/subject.js +7 -0
- package/dist/esm/themes/theme.js +115 -0
- package/dist/esm/toolkit/client.js +119 -0
- package/dist/esm/toolkit/index.js +25 -0
- package/dist/esm/toolkit/providers/facebook.js +11 -0
- package/dist/esm/toolkit/providers/github.js +11 -0
- package/dist/esm/toolkit/providers/google.js +11 -0
- package/dist/esm/toolkit/providers/strategy.js +0 -0
- package/dist/esm/toolkit/storage.js +81 -0
- package/dist/esm/toolkit/utils.js +18 -0
- package/dist/esm/types.js +0 -0
- package/dist/esm/ui/base.js +478 -0
- package/dist/esm/ui/code.js +186 -0
- package/dist/esm/ui/form.js +46 -0
- package/dist/esm/ui/icon.js +242 -0
- package/dist/esm/ui/magiclink.js +158 -0
- package/dist/esm/ui/password.js +435 -0
- package/dist/esm/ui/select.js +102 -0
- package/dist/esm/util.js +59 -0
- package/dist/{allow.d.mts → types/allow.d.ts} +9 -11
- package/dist/types/allow.d.ts.map +1 -0
- package/dist/types/client.d.ts +462 -0
- package/dist/types/client.d.ts.map +1 -0
- package/dist/types/core.d.ts +113 -0
- package/dist/types/core.d.ts.map +1 -0
- package/dist/{error.d.mts → types/error.d.ts} +95 -97
- package/dist/types/error.d.ts.map +1 -0
- package/dist/types/index.d.ts +2 -0
- package/dist/types/index.d.ts.map +1 -0
- package/dist/{keys.d.mts → types/keys.d.ts} +20 -24
- package/dist/types/keys.d.ts.map +1 -0
- package/dist/types/mutex.d.ts +42 -0
- package/dist/types/mutex.d.ts.map +1 -0
- package/dist/{pkce.d.mts → types/pkce.d.ts} +10 -11
- package/dist/types/pkce.d.ts.map +1 -0
- package/dist/types/provider/apple.d.ts +197 -0
- package/dist/types/provider/apple.d.ts.map +1 -0
- package/dist/types/provider/code.d.ts +288 -0
- package/dist/types/provider/code.d.ts.map +1 -0
- package/dist/types/provider/discord.d.ts +206 -0
- package/dist/types/provider/discord.d.ts.map +1 -0
- package/dist/types/provider/facebook.d.ts +200 -0
- package/dist/types/provider/facebook.d.ts.map +1 -0
- package/dist/types/provider/github.d.ts +220 -0
- package/dist/types/provider/github.d.ts.map +1 -0
- package/dist/types/provider/gitlab.d.ts +180 -0
- package/dist/types/provider/gitlab.d.ts.map +1 -0
- package/dist/types/provider/google.d.ts +158 -0
- package/dist/types/provider/google.d.ts.map +1 -0
- package/dist/types/provider/linkedin.d.ts +190 -0
- package/dist/types/provider/linkedin.d.ts.map +1 -0
- package/dist/types/provider/magiclink.d.ts +141 -0
- package/dist/types/provider/magiclink.d.ts.map +1 -0
- package/dist/types/provider/microsoft.d.ts +247 -0
- package/dist/types/provider/microsoft.d.ts.map +1 -0
- package/dist/types/provider/oauth2.d.ts +229 -0
- package/dist/types/provider/oauth2.d.ts.map +1 -0
- package/dist/types/provider/password.d.ts +408 -0
- package/dist/types/provider/password.d.ts.map +1 -0
- package/dist/types/provider/provider.d.ts +226 -0
- package/dist/types/provider/provider.d.ts.map +1 -0
- package/dist/types/provider/reddit.d.ts +159 -0
- package/dist/types/provider/reddit.d.ts.map +1 -0
- package/dist/types/provider/slack.d.ts +171 -0
- package/dist/types/provider/slack.d.ts.map +1 -0
- package/dist/types/provider/spotify.d.ts +168 -0
- package/dist/types/provider/spotify.d.ts.map +1 -0
- package/dist/types/provider/twitch.d.ts +163 -0
- package/dist/types/provider/twitch.d.ts.map +1 -0
- package/dist/types/provider/vercel.d.ts +294 -0
- package/dist/types/provider/vercel.d.ts.map +1 -0
- package/dist/{random.d.mts → types/random.d.ts} +4 -6
- package/dist/types/random.d.ts.map +1 -0
- package/dist/types/revocation.d.ts +76 -0
- package/dist/types/revocation.d.ts.map +1 -0
- package/dist/{storage/memory.d.mts → types/storage/memory.d.ts} +17 -21
- package/dist/types/storage/memory.d.ts.map +1 -0
- package/dist/types/storage/storage.d.ts +177 -0
- package/dist/types/storage/storage.d.ts.map +1 -0
- package/dist/{storage/turso.d.mts → types/storage/turso.d.ts} +4 -8
- package/dist/types/storage/turso.d.ts.map +1 -0
- package/dist/{storage/unstorage.d.mts → types/storage/unstorage.d.ts} +12 -11
- package/dist/types/storage/unstorage.d.ts.map +1 -0
- package/dist/types/subject.d.ts +115 -0
- package/dist/types/subject.d.ts.map +1 -0
- package/dist/types/themes/theme.d.ts +207 -0
- package/dist/types/themes/theme.d.ts.map +1 -0
- package/dist/types/toolkit/client.d.ts +235 -0
- package/dist/types/toolkit/client.d.ts.map +1 -0
- package/dist/types/toolkit/index.d.ts +45 -0
- package/dist/types/toolkit/index.d.ts.map +1 -0
- package/dist/types/toolkit/providers/facebook.d.ts +8 -0
- package/dist/types/toolkit/providers/facebook.d.ts.map +1 -0
- package/dist/types/toolkit/providers/github.d.ts +8 -0
- package/dist/types/toolkit/providers/github.d.ts.map +1 -0
- package/dist/types/toolkit/providers/google.d.ts +8 -0
- package/dist/types/toolkit/providers/google.d.ts.map +1 -0
- package/dist/types/toolkit/providers/strategy.d.ts +38 -0
- package/dist/types/toolkit/providers/strategy.d.ts.map +1 -0
- package/dist/{toolkit/storage.d.mts → types/toolkit/storage.d.ts} +37 -39
- package/dist/types/toolkit/storage.d.ts.map +1 -0
- package/dist/{toolkit/utils.d.mts → types/toolkit/utils.d.ts} +2 -4
- package/dist/types/toolkit/utils.d.ts.map +1 -0
- package/dist/types/types.d.ts +92 -0
- package/dist/types/types.d.ts.map +1 -0
- package/dist/types/ui/base.d.ts +18 -0
- package/dist/types/ui/base.d.ts.map +1 -0
- package/dist/types/ui/code.d.ts +43 -0
- package/dist/types/ui/code.d.ts.map +1 -0
- package/dist/types/ui/form.d.ts +24 -0
- package/dist/types/ui/form.d.ts.map +1 -0
- package/dist/types/ui/icon.d.ts +60 -0
- package/dist/types/ui/icon.d.ts.map +1 -0
- package/dist/types/ui/magiclink.d.ts +41 -0
- package/dist/types/ui/magiclink.d.ts.map +1 -0
- package/dist/types/ui/password.d.ts +43 -0
- package/dist/types/ui/password.d.ts.map +1 -0
- package/dist/types/ui/select.d.ts +33 -0
- package/dist/types/ui/select.d.ts.map +1 -0
- package/dist/{util.d.mts → types/util.d.ts} +11 -13
- package/dist/types/util.d.ts.map +1 -0
- package/package.json +10 -16
- package/dist/adapters/node.d.mts +0 -18
- package/dist/adapters/node.mjs +0 -69
- package/dist/allow.mjs +0 -63
- package/dist/client.d.mts +0 -456
- package/dist/client.mjs +0 -283
- package/dist/core.d.mts +0 -110
- package/dist/core.mjs +0 -595
- package/dist/error.mjs +0 -237
- package/dist/index.d.mts +0 -2
- package/dist/index.mjs +0 -3
- package/dist/keys.mjs +0 -146
- package/dist/mutex.d.mts +0 -44
- package/dist/mutex.mjs +0 -110
- package/dist/pkce.mjs +0 -157
- package/dist/provider/apple.d.mts +0 -111
- package/dist/provider/apple.mjs +0 -164
- package/dist/provider/code.d.mts +0 -228
- package/dist/provider/code.mjs +0 -246
- package/dist/provider/discord.d.mts +0 -146
- package/dist/provider/discord.mjs +0 -156
- package/dist/provider/facebook.d.mts +0 -142
- package/dist/provider/facebook.mjs +0 -150
- package/dist/provider/github.d.mts +0 -140
- package/dist/provider/github.mjs +0 -169
- package/dist/provider/gitlab.d.mts +0 -106
- package/dist/provider/gitlab.mjs +0 -147
- package/dist/provider/google.d.mts +0 -112
- package/dist/provider/google.mjs +0 -109
- package/dist/provider/linkedin.d.mts +0 -132
- package/dist/provider/linkedin.mjs +0 -142
- package/dist/provider/magiclink.d.mts +0 -89
- package/dist/provider/magiclink.mjs +0 -143
- package/dist/provider/microsoft.d.mts +0 -178
- package/dist/provider/microsoft.mjs +0 -177
- package/dist/provider/oauth2.d.mts +0 -176
- package/dist/provider/oauth2.mjs +0 -222
- package/dist/provider/passkey.d.mts +0 -104
- package/dist/provider/passkey.mjs +0 -320
- package/dist/provider/password.d.mts +0 -412
- package/dist/provider/password.mjs +0 -363
- package/dist/provider/provider.d.mts +0 -227
- package/dist/provider/provider.mjs +0 -44
- package/dist/provider/reddit.d.mts +0 -107
- package/dist/provider/reddit.mjs +0 -127
- package/dist/provider/slack.d.mts +0 -114
- package/dist/provider/slack.mjs +0 -138
- package/dist/provider/spotify.d.mts +0 -113
- package/dist/provider/spotify.mjs +0 -135
- package/dist/provider/totp.d.mts +0 -112
- package/dist/provider/totp.mjs +0 -191
- package/dist/provider/twitch.d.mts +0 -108
- package/dist/provider/twitch.mjs +0 -131
- package/dist/provider/vercel.d.mts +0 -177
- package/dist/provider/vercel.mjs +0 -230
- package/dist/random.mjs +0 -86
- package/dist/revocation.d.mts +0 -55
- package/dist/revocation.mjs +0 -63
- package/dist/router/context.d.mts +0 -21
- package/dist/router/context.mjs +0 -193
- package/dist/router/cookies.d.mts +0 -8
- package/dist/router/cookies.mjs +0 -13
- package/dist/router/index.d.mts +0 -21
- package/dist/router/index.mjs +0 -107
- package/dist/router/matcher.d.mts +0 -15
- package/dist/router/matcher.mjs +0 -76
- package/dist/router/middleware/cors.d.mts +0 -15
- package/dist/router/middleware/cors.mjs +0 -114
- package/dist/router/safe-request.d.mts +0 -52
- package/dist/router/safe-request.mjs +0 -160
- package/dist/router/types.d.mts +0 -67
- package/dist/router/types.mjs +0 -1
- package/dist/router/variables.d.mts +0 -12
- package/dist/router/variables.mjs +0 -20
- package/dist/storage/memory.mjs +0 -125
- package/dist/storage/storage.d.mts +0 -179
- package/dist/storage/storage.mjs +0 -104
- package/dist/storage/turso.mjs +0 -117
- package/dist/storage/unstorage.mjs +0 -103
- package/dist/subject.d.mts +0 -62
- package/dist/subject.mjs +0 -36
- package/dist/themes/theme.d.mts +0 -209
- package/dist/themes/theme.mjs +0 -120
- package/dist/toolkit/client.d.mts +0 -169
- package/dist/toolkit/client.mjs +0 -209
- package/dist/toolkit/index.d.mts +0 -9
- package/dist/toolkit/index.mjs +0 -9
- package/dist/toolkit/providers/facebook.d.mts +0 -12
- package/dist/toolkit/providers/facebook.mjs +0 -16
- package/dist/toolkit/providers/github.d.mts +0 -12
- package/dist/toolkit/providers/github.mjs +0 -16
- package/dist/toolkit/providers/google.d.mts +0 -12
- package/dist/toolkit/providers/google.mjs +0 -20
- package/dist/toolkit/providers/strategy.d.mts +0 -40
- package/dist/toolkit/providers/strategy.mjs +0 -1
- package/dist/toolkit/storage.mjs +0 -157
- package/dist/toolkit/utils.mjs +0 -30
- package/dist/types.d.mts +0 -94
- package/dist/types.mjs +0 -1
- package/dist/ui/base.d.mts +0 -30
- package/dist/ui/base.mjs +0 -407
- package/dist/ui/code.d.mts +0 -43
- package/dist/ui/code.mjs +0 -173
- package/dist/ui/form.d.mts +0 -32
- package/dist/ui/form.mjs +0 -49
- package/dist/ui/icon.d.mts +0 -58
- package/dist/ui/icon.mjs +0 -247
- package/dist/ui/magiclink.d.mts +0 -41
- package/dist/ui/magiclink.mjs +0 -152
- package/dist/ui/passkey.d.mts +0 -27
- package/dist/ui/passkey.mjs +0 -323
- package/dist/ui/password.d.mts +0 -42
- package/dist/ui/password.mjs +0 -402
- package/dist/ui/select.d.mts +0 -34
- package/dist/ui/select.mjs +0 -98
- package/dist/ui/totp.d.mts +0 -34
- package/dist/ui/totp.mjs +0 -270
- package/dist/util.mjs +0 -128
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
// src/allow.ts
|
|
2
|
+
import { isDomainMatch } from "./util";
|
|
3
|
+
var defaultAllowCheck = (input, req) => {
|
|
4
|
+
return Promise.resolve((() => {
|
|
5
|
+
let redirectHostname;
|
|
6
|
+
try {
|
|
7
|
+
redirectHostname = new URL(input.redirectURI).hostname;
|
|
8
|
+
} catch {
|
|
9
|
+
return false;
|
|
10
|
+
}
|
|
11
|
+
if (redirectHostname === "localhost" || redirectHostname === "127.0.0.1") {
|
|
12
|
+
return true;
|
|
13
|
+
}
|
|
14
|
+
let currentHostname;
|
|
15
|
+
try {
|
|
16
|
+
const forwardedHost = req.headers.get("x-forwarded-host");
|
|
17
|
+
currentHostname = forwardedHost ? new URL(`https://${forwardedHost}`).hostname : new URL(req.url).hostname;
|
|
18
|
+
} catch {
|
|
19
|
+
return false;
|
|
20
|
+
}
|
|
21
|
+
return isDomainMatch(redirectHostname, currentHostname);
|
|
22
|
+
})());
|
|
23
|
+
};
|
|
24
|
+
export {
|
|
25
|
+
defaultAllowCheck
|
|
26
|
+
};
|
|
@@ -0,0 +1,254 @@
|
|
|
1
|
+
// src/client.ts
|
|
2
|
+
import { createLocalJWKSet, errors, jwtVerify } from "jose";
|
|
3
|
+
import {
|
|
4
|
+
InvalidAccessTokenError,
|
|
5
|
+
InvalidAuthorizationCodeError,
|
|
6
|
+
InvalidRefreshTokenError,
|
|
7
|
+
InvalidSubjectError
|
|
8
|
+
} from "./error";
|
|
9
|
+
import { generatePKCE } from "./pkce";
|
|
10
|
+
var createClient = (input) => {
|
|
11
|
+
const jwksCache = new Map;
|
|
12
|
+
const issuerCache = new Map;
|
|
13
|
+
const issuer = input.issuer;
|
|
14
|
+
if (!issuer) {
|
|
15
|
+
throw new Error("No issuer configured");
|
|
16
|
+
}
|
|
17
|
+
const f = input.fetch ?? fetch;
|
|
18
|
+
const getIssuer = async () => {
|
|
19
|
+
const cached = issuerCache.get(issuer);
|
|
20
|
+
if (cached)
|
|
21
|
+
return cached;
|
|
22
|
+
const wellKnown = await f(`${issuer}/.well-known/oauth-authorization-server`).then((r) => r.json());
|
|
23
|
+
issuerCache.set(issuer, wellKnown);
|
|
24
|
+
return wellKnown;
|
|
25
|
+
};
|
|
26
|
+
const getJWKS = async () => {
|
|
27
|
+
const wk = await getIssuer();
|
|
28
|
+
const cached = jwksCache.get(issuer);
|
|
29
|
+
if (cached)
|
|
30
|
+
return cached;
|
|
31
|
+
const keyset = await f(wk.jwks_uri).then((r) => r.json());
|
|
32
|
+
const result = createLocalJWKSet(keyset);
|
|
33
|
+
jwksCache.set(issuer, result);
|
|
34
|
+
return result;
|
|
35
|
+
};
|
|
36
|
+
const client = {
|
|
37
|
+
async authorize(redirectURI, response, opts) {
|
|
38
|
+
try {
|
|
39
|
+
const wk = await getIssuer();
|
|
40
|
+
const authUrl = new URL(wk.authorization_endpoint);
|
|
41
|
+
const challenge = {
|
|
42
|
+
state: crypto.randomUUID()
|
|
43
|
+
};
|
|
44
|
+
authUrl.searchParams.set("client_id", input.clientID);
|
|
45
|
+
authUrl.searchParams.set("redirect_uri", redirectURI);
|
|
46
|
+
authUrl.searchParams.set("response_type", response);
|
|
47
|
+
authUrl.searchParams.set("state", challenge.state);
|
|
48
|
+
if (opts?.provider) {
|
|
49
|
+
authUrl.searchParams.set("provider", opts.provider);
|
|
50
|
+
}
|
|
51
|
+
if (opts?.pkce && response === "code") {
|
|
52
|
+
const pkce = await generatePKCE();
|
|
53
|
+
authUrl.searchParams.set("code_challenge_method", "S256");
|
|
54
|
+
authUrl.searchParams.set("code_challenge", pkce.challenge);
|
|
55
|
+
challenge.verifier = pkce.verifier;
|
|
56
|
+
}
|
|
57
|
+
return {
|
|
58
|
+
success: true,
|
|
59
|
+
data: {
|
|
60
|
+
challenge,
|
|
61
|
+
url: authUrl.toString()
|
|
62
|
+
}
|
|
63
|
+
};
|
|
64
|
+
} catch (error) {
|
|
65
|
+
return { success: false, error };
|
|
66
|
+
}
|
|
67
|
+
},
|
|
68
|
+
async exchange(code, redirectURI, verifier) {
|
|
69
|
+
try {
|
|
70
|
+
const wk = await getIssuer();
|
|
71
|
+
const response = await f(wk.token_endpoint, {
|
|
72
|
+
method: "POST",
|
|
73
|
+
headers: {
|
|
74
|
+
"Content-Type": "application/x-www-form-urlencoded"
|
|
75
|
+
},
|
|
76
|
+
body: new URLSearchParams({
|
|
77
|
+
code,
|
|
78
|
+
redirect_uri: redirectURI,
|
|
79
|
+
grant_type: "authorization_code",
|
|
80
|
+
client_id: input.clientID,
|
|
81
|
+
...verifier ? { code_verifier: verifier } : {}
|
|
82
|
+
}).toString()
|
|
83
|
+
});
|
|
84
|
+
if (!response.ok) {
|
|
85
|
+
return {
|
|
86
|
+
success: false,
|
|
87
|
+
error: new InvalidAuthorizationCodeError
|
|
88
|
+
};
|
|
89
|
+
}
|
|
90
|
+
const responseText = await response.text();
|
|
91
|
+
let json;
|
|
92
|
+
try {
|
|
93
|
+
json = JSON.parse(responseText);
|
|
94
|
+
} catch {
|
|
95
|
+
return {
|
|
96
|
+
success: false,
|
|
97
|
+
error: new InvalidAuthorizationCodeError
|
|
98
|
+
};
|
|
99
|
+
}
|
|
100
|
+
const tokenResponse = json;
|
|
101
|
+
return {
|
|
102
|
+
success: true,
|
|
103
|
+
data: {
|
|
104
|
+
access: tokenResponse.access_token,
|
|
105
|
+
refresh: tokenResponse.refresh_token,
|
|
106
|
+
expiresIn: tokenResponse.expires_in
|
|
107
|
+
}
|
|
108
|
+
};
|
|
109
|
+
} catch {
|
|
110
|
+
return {
|
|
111
|
+
success: false,
|
|
112
|
+
error: new InvalidAuthorizationCodeError
|
|
113
|
+
};
|
|
114
|
+
}
|
|
115
|
+
},
|
|
116
|
+
async refresh(refresh, opts) {
|
|
117
|
+
try {
|
|
118
|
+
if (opts?.access) {
|
|
119
|
+
try {
|
|
120
|
+
const jwks = await getJWKS();
|
|
121
|
+
await jwtVerify(opts.access, jwks, { issuer });
|
|
122
|
+
return { success: true, data: {} };
|
|
123
|
+
} catch {}
|
|
124
|
+
}
|
|
125
|
+
const wk = await getIssuer();
|
|
126
|
+
const response = await f(wk.token_endpoint, {
|
|
127
|
+
method: "POST",
|
|
128
|
+
headers: {
|
|
129
|
+
"Content-Type": "application/x-www-form-urlencoded"
|
|
130
|
+
},
|
|
131
|
+
body: new URLSearchParams({
|
|
132
|
+
refresh_token: refresh,
|
|
133
|
+
grant_type: "refresh_token"
|
|
134
|
+
}).toString()
|
|
135
|
+
});
|
|
136
|
+
if (!response.ok) {
|
|
137
|
+
return {
|
|
138
|
+
success: false,
|
|
139
|
+
error: new InvalidRefreshTokenError
|
|
140
|
+
};
|
|
141
|
+
}
|
|
142
|
+
const tokenResponse = await response.json();
|
|
143
|
+
return {
|
|
144
|
+
success: true,
|
|
145
|
+
data: {
|
|
146
|
+
tokens: {
|
|
147
|
+
access: tokenResponse.access_token,
|
|
148
|
+
refresh: tokenResponse.refresh_token,
|
|
149
|
+
expiresIn: tokenResponse.expires_in
|
|
150
|
+
}
|
|
151
|
+
}
|
|
152
|
+
};
|
|
153
|
+
} catch {
|
|
154
|
+
return {
|
|
155
|
+
success: false,
|
|
156
|
+
error: new InvalidRefreshTokenError
|
|
157
|
+
};
|
|
158
|
+
}
|
|
159
|
+
},
|
|
160
|
+
async verify(subjects, token, options) {
|
|
161
|
+
try {
|
|
162
|
+
const jwks = await getJWKS();
|
|
163
|
+
const jwtResult = await jwtVerify(token, jwks, {
|
|
164
|
+
issuer: options?.issuer ?? issuer,
|
|
165
|
+
audience: options?.audience ?? input.clientID
|
|
166
|
+
});
|
|
167
|
+
const validated = await subjects[jwtResult.payload.type]?.["~standard"].validate(jwtResult.payload.properties);
|
|
168
|
+
if (!validated?.issues && jwtResult.payload.mode === "access") {
|
|
169
|
+
return {
|
|
170
|
+
success: true,
|
|
171
|
+
data: {
|
|
172
|
+
aud: jwtResult.payload.aud,
|
|
173
|
+
sub: jwtResult.payload.sub,
|
|
174
|
+
subject: {
|
|
175
|
+
type: jwtResult.payload.type,
|
|
176
|
+
properties: validated?.value
|
|
177
|
+
}
|
|
178
|
+
}
|
|
179
|
+
};
|
|
180
|
+
}
|
|
181
|
+
return {
|
|
182
|
+
success: false,
|
|
183
|
+
error: new InvalidSubjectError
|
|
184
|
+
};
|
|
185
|
+
} catch (e) {
|
|
186
|
+
if (e instanceof errors.JWTExpired && options?.refresh) {
|
|
187
|
+
const refreshed = await client.refresh(options.refresh);
|
|
188
|
+
if (!refreshed.success)
|
|
189
|
+
return refreshed;
|
|
190
|
+
if (!refreshed.data.tokens) {
|
|
191
|
+
return {
|
|
192
|
+
success: false,
|
|
193
|
+
error: new InvalidAccessTokenError
|
|
194
|
+
};
|
|
195
|
+
}
|
|
196
|
+
const verified = await client.verify(subjects, refreshed.data.tokens.access, {
|
|
197
|
+
refresh: refreshed.data.tokens.refresh,
|
|
198
|
+
issuer: options?.issuer,
|
|
199
|
+
audience: options?.audience,
|
|
200
|
+
fetch: options?.fetch
|
|
201
|
+
});
|
|
202
|
+
if (!verified.success)
|
|
203
|
+
return verified;
|
|
204
|
+
return {
|
|
205
|
+
success: true,
|
|
206
|
+
data: {
|
|
207
|
+
...verified.data,
|
|
208
|
+
tokens: refreshed.data.tokens
|
|
209
|
+
}
|
|
210
|
+
};
|
|
211
|
+
}
|
|
212
|
+
return {
|
|
213
|
+
success: false,
|
|
214
|
+
error: new InvalidAccessTokenError
|
|
215
|
+
};
|
|
216
|
+
}
|
|
217
|
+
},
|
|
218
|
+
async revoke(token, opts) {
|
|
219
|
+
try {
|
|
220
|
+
const wk = await getIssuer();
|
|
221
|
+
const body = new URLSearchParams({
|
|
222
|
+
token,
|
|
223
|
+
...opts?.tokenTypeHint ? { token_type_hint: opts.tokenTypeHint } : {}
|
|
224
|
+
});
|
|
225
|
+
const response = await f(wk.token_endpoint.replace("/token", "/revoke"), {
|
|
226
|
+
method: "POST",
|
|
227
|
+
headers: {
|
|
228
|
+
"Content-Type": "application/x-www-form-urlencoded"
|
|
229
|
+
},
|
|
230
|
+
body: body.toString()
|
|
231
|
+
});
|
|
232
|
+
if (response.ok) {
|
|
233
|
+
return {
|
|
234
|
+
success: true,
|
|
235
|
+
data: undefined
|
|
236
|
+
};
|
|
237
|
+
}
|
|
238
|
+
return {
|
|
239
|
+
success: false,
|
|
240
|
+
error: new Error("Failed to revoke token")
|
|
241
|
+
};
|
|
242
|
+
} catch (error) {
|
|
243
|
+
return {
|
|
244
|
+
success: false,
|
|
245
|
+
error
|
|
246
|
+
};
|
|
247
|
+
}
|
|
248
|
+
}
|
|
249
|
+
};
|
|
250
|
+
return client;
|
|
251
|
+
};
|
|
252
|
+
export {
|
|
253
|
+
createClient
|
|
254
|
+
};
|