@draftlab/auth 0.15.0 → 0.16.0

package/dist/provider/oauth2.mjs

@@ -1,222 +0,0 @@
-import { getRelativeUrl } from "../util.mjs";
-import { OauthError } from "../error.mjs";
-import { generatePKCE } from "../pkce.mjs";
-import { generateSecureToken, timingSafeCompare } from "../random.mjs";
-import { createRemoteJWKSet, jwtVerify } from "jose";
-
-//#region src/provider/oauth2.ts
-/**
-* OAuth 2.0 authentication provider for Draft Auth.
-* Implements the Authorization Code Grant flow with optional PKCE support.
-*
-* ## Quick Setup
-*
-* ```ts
-* import { Oauth2Provider } from "@draftlab/auth/provider/oauth2"
-*
-* export default issuer({
-*   providers: {
-*     github: Oauth2Provider({
-*       clientID: process.env.GITHUB_CLIENT_ID,
-*       clientSecret: process.env.GITHUB_CLIENT_SECRET,
-*       endpoint: {
-*         authorization: "https://github.com/login/oauth/authorize",
-*         token: "https://github.com/login/oauth/access_token"
-*       },
-*       scopes: ["user:email", "read:user"]
-*     }),
-*     discord: Oauth2Provider({
-*       clientID: process.env.DISCORD_CLIENT_ID,
-*       clientSecret: process.env.DISCORD_CLIENT_SECRET,
-*       endpoint: {
-*         authorization: "https://discord.com/api/oauth2/authorize",
-*         token: "https://discord.com/api/oauth2/token"
-*       },
-*       scopes: ["identify", "email"],
-*       pkce: true // Required by some providers
-*     })
-*   }
-* })
-* ```
-*
-* ## Features
-*
-* - **Authorization Code Grant**: Secure server-side OAuth 2.0 flow
-* - **PKCE Support**: Optional Proof Key for Code Exchange for enhanced security
-* - **Flexible Endpoints**: Configure custom authorization and token endpoints
-* - **Custom Parameters**: Support for provider-specific authorization parameters
-*
-* ## User Data
-*
-* The provider returns access tokens:
-*
-* ```ts
-* success: async (ctx, value) => {
-*   if (value.provider === "oauth2") {
-*     // Access token for API calls: value.tokenset.access
-*     // Refresh token (if provided): value.tokenset.refresh
-*     // Client ID used: value.clientID
-*   }
-* }
-* ```
-*
-* @packageDocumentation
-*/
-/**
-* Creates an OAuth 2.0 authentication provider.
-* Implements the Authorization Code Grant flow with optional PKCE support.
-*
-* @param config - OAuth 2.0 provider configuration
-* @returns Provider instance implementing OAuth 2.0 authentication
-*
-* @example
-* ```ts
-* // GitHub provider with basic configuration
-* const githubProvider = Oauth2Provider({
-*   clientID: process.env.GITHUB_CLIENT_ID,
-*   clientSecret: process.env.GITHUB_CLIENT_SECRET,
-*   endpoint: {
-*     authorization: "https://github.com/login/oauth/authorize",
-*     token: "https://github.com/login/oauth/access_token"
-*   },
-*   scopes: ["user:email", "read:user"]
-* })
-*
-* // Provider with PKCE and custom parameters
-* const customProvider = Oauth2Provider({
-*   clientID: "my-client-id",
-*   clientSecret: "my-client-secret",
-*   endpoint: {
-*     authorization: "https://provider.com/oauth/authorize",
-*     token: "https://provider.com/oauth/token",
-*     jwks: "https://provider.com/.well-known/jwks.json"
-*   },
-*   scopes: ["read", "write"],
-*   pkce: true,
-*   query: {
-*     prompt: "consent",
-*     access_type: "offline"
-*   }
-* })
-* ```
-*/
-const Oauth2Provider = (config) => {
-	const authQuery = config.query || {};
-	/**
-	* Handles the OAuth 2.0 callback logic for both GET and POST requests.
-	* Exchanges the authorization code for tokens and processes the response.
-	*/
-	const handleCallbackLogic = async (c, ctx, provider, code) => {
-		if (!(provider && code)) return c.redirect(getRelativeUrl(c, "./authorize"));
-		const tokenRequestBody = new URLSearchParams({
-			client_id: config.clientID,
-			client_secret: config.clientSecret,
-			code,
-			grant_type: "authorization_code",
-			redirect_uri: provider.redirect,
-			...provider.codeVerifier ? { code_verifier: provider.codeVerifier } : {}
-		});
-		try {
-			const response = await fetch(config.endpoint.token, {
-				method: "POST",
-				headers: {
-					"Content-Type": "application/x-www-form-urlencoded",
-					Accept: "application/json"
-				},
-				body: tokenRequestBody.toString()
-			});
-			if (!response.ok) throw new Error(`Token request failed with status ${response.status}`);
-			const tokenData = await response.json();
-			if (tokenData.error) throw new OauthError(tokenData.error, tokenData.error_description || "");
-			if (tokenData.id_token && config.endpoint.jwks) try {
-				const jwks = createRemoteJWKSet(new URL(config.endpoint.jwks));
-				await jwtVerify(tokenData.id_token, jwks, {
-					issuer: config.endpoint.authorization.split("/").slice(0, 3).join("/"),
-					clockTolerance: 60
-				});
-			} catch (error) {
-				throw new OauthError("invalid_request", `ID token validation failed: ${error instanceof Error ? error.message : "Unknown error"}`);
-			}
-			return await ctx.success(c, {
-				clientID: config.clientID,
-				tokenset: {
-					get access() {
-						return tokenData.access_token;
-					},
-					get refresh() {
-						return tokenData.refresh_token || "";
-					},
-					get expiry() {
-						return tokenData.expires_in || 0;
-					},
-					get raw() {
-						return tokenData;
-					}
-				}
-			});
-		} catch (error) {
-			if (error instanceof OauthError) throw error;
-			throw new OauthError("server_error", `Token exchange failed: ${error instanceof Error ? error.message : "Unknown error"}`);
-		}
-	};
-	return {
-		type: config.type || "oauth2",
-		init(routes, ctx) {
-			/**
-			* Initiates OAuth 2.0 authorization flow.
-			* Redirects user to the provider's authorization endpoint with proper parameters.
-			*/
-			routes.get("/authorize", async (c) => {
-				const state = generateSecureToken();
-				const pkce = config.pkce ? await generatePKCE() : void 0;
-				await ctx.set(c, "provider", 600, {
-					state,
-					redirect: getRelativeUrl(c, "./callback"),
-					codeVerifier: pkce?.verifier
-				});
-				const authorizationUrl = new URL(config.endpoint.authorization);
-				authorizationUrl.searchParams.set("client_id", config.clientID);
-				authorizationUrl.searchParams.set("redirect_uri", getRelativeUrl(c, "./callback"));
-				authorizationUrl.searchParams.set("response_type", "code");
-				authorizationUrl.searchParams.set("state", state);
-				authorizationUrl.searchParams.set("scope", config.scopes.join(" "));
-				if (pkce) {
-					authorizationUrl.searchParams.set("code_challenge", pkce.challenge);
-					authorizationUrl.searchParams.set("code_challenge_method", pkce.method);
-				}
-				for (const [key, value] of Object.entries(authQuery)) authorizationUrl.searchParams.set(key, value);
-				return c.redirect(authorizationUrl.toString());
-			});
-			/**
-			* Handles OAuth 2.0 callback via query parameters (GET request).
-			* Standard OAuth 2.0 callback method for most providers.
-			*/
-			routes.get("/callback", async (c) => {
-				const provider = await ctx.get(c, "provider");
-				const code = c.query("code");
-				const state = c.query("state");
-				const error = c.query("error");
-				if (error) throw new OauthError(error, c.query("error_description") || "");
-				if (!(provider && code) || provider.state && !timingSafeCompare(state || "", provider.state)) return c.redirect(getRelativeUrl(c, "./authorize"));
-				return await handleCallbackLogic(c, ctx, provider, code);
-			});
-			/**
-			* Handles OAuth 2.0 callback via form data (POST request).
-			* Alternative callback method supported by some providers.
-			*/
-			routes.post("/callback", async (c) => {
-				const provider = await ctx.get(c, "provider");
-				const formData = await c.formData();
-				const code = formData.get("code")?.toString();
-				const state = formData.get("state")?.toString();
-				const error = formData.get("error")?.toString();
-				if (error) throw new OauthError(error, formData.get("error_description")?.toString() || "");
-				if (!(provider && code) || provider.state && !timingSafeCompare(state || "", provider.state)) return c.redirect(getRelativeUrl(c, "./authorize"));
-				return await handleCallbackLogic(c, ctx, provider, code);
-			});
-		}
-	};
-};
-
-//#endregion
-export { Oauth2Provider };

package/dist/provider/passkey.d.mts

@@ -1,104 +0,0 @@
-import { Provider } from "./provider.mjs";
-import { AuthenticatorSelectionCriteria, AuthenticatorTransportFuture, Base64URLString, CredentialDeviceType } from "@simplewebauthn/server";
-
-//#region src/provider/passkey.d.ts
-
-/**
- * User model for passkey authentication.
- * Contains the core user data needed for WebAuthn operations.
- */
-interface UserModel {
-  id: string;
-  username: string;
-}
-/**
- * Original PasskeyModel structure for in-memory use.
- * Represents a registered credential with public key as Uint8Array.
- */
-interface PasskeyModel {
-  id: string;
-  publicKey: Uint8Array<ArrayBuffer>;
-  userId: string;
-  webauthnUserID: string;
-  counter: number;
-  deviceType: CredentialDeviceType;
-  backedUp: boolean;
-  transports?: AuthenticatorTransportFuture[];
-}
-/**
- * PasskeyModel version for KV storage with publicKey as string.
- * Used for storing credentials in a key-value store.
- */
-interface PasskeyModelStored extends Omit<PasskeyModel, "publicKey"> {
-  publicKey: string;
-}
-declare const DEFAULT_COPY: {
-  error_user_not_allowed: string;
-};
-/**
- * Configuration for the PasskeyProvider.
- * Defines how the passkey authentication flow should behave.
- */
-interface PasskeyProviderConfig {
-  /**
-   * Custom authorization handler that generates the UI for authorization.
-   */
-  authorize: (req: Request) => Promise<Response>;
-  /**
-   * Custom registration handler that generates the UI for registration.
-   */
-  register: (req: Request) => Promise<Response>;
-  /**
-   * The human-readable name of the relying party (your application).
-   */
-  rpName: string;
-  /**
-   * The ID of the relying party, typically the domain name without protocol.
-   */
-  rpID?: string;
-  /**
-   * The origin URL(s) that are allowed to initiate WebAuthn ceremonies.
-   */
-  origin?: string | string[];
-  /**
-   * Optional function to check if a user is allowed to register a passkey.
-   */
-  userCanRegisterPasskey?: (userId: string, req: Request) => Promise<boolean>;
-  /**
-   * Optional WebAuthn authenticator selection criteria.
-   */
-  authenticatorSelection?: AuthenticatorSelectionCriteria;
-  /**
-   * Optional attestation type.
-   */
-  attestationType?: "none" | "direct" | "enterprise";
-  /**
-   * Optional timeout for challenges in milliseconds.
-   */
-  timeout?: number;
-  /**
-   * Custom copy texts for error messages and UI elements.
-   */
-  copy?: Partial<typeof DEFAULT_COPY>;
-}
-/**
- * Creates a passkey (WebAuthn) authentication provider.
- *
- * This provider enables passwordless authentication using biometrics, hardware security
- * keys, or platform authenticators. It implements the Web Authentication (WebAuthn) standard.
- *
- * It handles:
- * - Passkey registration (creating new credentials)
- * - Authentication with existing passkeys
- * - Secure storage of credentials
- * - Challenge verification
- *
- * @param config Configuration options for the passkey provider
- * @returns A Provider instance configured for passkey authentication
- */
-declare const PasskeyProvider: (config: PasskeyProviderConfig) => Provider<{
-  userId: string;
-  credentialId?: Base64URLString;
-}>;
-//#endregion
-export { PasskeyModel, PasskeyModelStored, PasskeyProvider, PasskeyProviderConfig, UserModel };

package/dist/provider/passkey.mjs

@@ -1,320 +0,0 @@
-import { Storage } from "../storage/storage.mjs";
-import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse } from "@simplewebauthn/server";
-
-//#region src/provider/passkey.ts
-/**
-* Converts a Uint8Array to a Base64URL encoded string.
-* This is used to convert binary data for storage in databases or JSON.
-*
-* @param bytes - The Uint8Array to convert
-* @returns Base64URL encoded string
-*/
-const uint8ArrayToBase64Url = (bytes) => {
-	let str = "";
-	for (const charCode of bytes) str += String.fromCharCode(charCode);
-	return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-};
-/**
-* Converts a Base64URL encoded string back to a Uint8Array.
-* This is used to convert stored data back to binary format for WebAuthn operations.
-*
-* @param base64urlString - The Base64URL encoded string to convert
-* @returns Uint8Array containing the decoded data
-*/
-const base64UrlToUint8Array = (base64urlString) => {
-	const base64 = base64urlString.replace(/-/g, "+").replace(/_/g, "/");
-	/**
-	* Pad with '=' until it's a multiple of four
-	* (4 - (85 % 4 = 1) = 3) % 4 = 3 padding
-	* (4 - (86 % 4 = 2) = 2) % 4 = 2 padding
-	* (4 - (87 % 4 = 3) = 1) % 4 = 1 padding
-	* (4 - (88 % 4 = 0) = 4) % 4 = 0 padding
-	*/
-	const padLength = (4 - base64.length % 4) % 4;
-	const padded = base64.padEnd(base64.length + padLength, "=");
-	const binary = atob(padded);
-	const buffer = new ArrayBuffer(binary.length);
-	const bytes = new Uint8Array(buffer);
-	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
-	return bytes;
-};
-const userKey = (userId) => [
-	"passkey",
-	"user",
-	userId
-];
-const passkeyKey = (userId, credentialId) => [
-	"passkey",
-	"user",
-	userId,
-	"credential",
-	credentialId,
-	"passkey"
-];
-const optionsKey = (userId) => [
-	"passkey",
-	"user",
-	userId,
-	"options"
-];
-const userPasskeysIndexKey = (userId) => [
-	"passkey",
-	"user",
-	userId,
-	"passkeys"
-];
-const DEFAULT_COPY = { error_user_not_allowed: "There is already an account with this email. Login to add a passkey." };
-/**
-* Creates a passkey (WebAuthn) authentication provider.
-*
-* This provider enables passwordless authentication using biometrics, hardware security
-* keys, or platform authenticators. It implements the Web Authentication (WebAuthn) standard.
-*
-* It handles:
-* - Passkey registration (creating new credentials)
-* - Authentication with existing passkeys
-* - Secure storage of credentials
-* - Challenge verification
-*
-* @param config Configuration options for the passkey provider
-* @returns A Provider instance configured for passkey authentication
-*/
-const PasskeyProvider = (config) => {
-	const copy = {
-		...DEFAULT_COPY,
-		...config.copy
-	};
-	return {
-		type: "passkey",
-		init(routes, ctx) {
-			const { rpName, authenticatorSelection, attestationType = "none", timeout = 300 * 1e3 } = config;
-			const getStoredUserById = async (userId) => {
-				return await Storage.get(ctx.storage, userKey(userId));
-			};
-			const saveUser = async (user) => {
-				await Storage.set(ctx.storage, userKey(user.id), user);
-			};
-			const getStoredPasskeyById = async (userId, credentialID) => {
-				const storedPasskey = await Storage.get(ctx.storage, passkeyKey(userId, credentialID));
-				if (!storedPasskey) return null;
-				return {
-					...storedPasskey,
-					publicKey: base64UrlToUint8Array(storedPasskey.publicKey)
-				};
-			};
-			const getStoredUserPasskeys = async (userId) => {
-				const passkeyIds = await Storage.get(ctx.storage, userPasskeysIndexKey(userId)) || [];
-				const passkeys = [];
-				for (const id of passkeyIds) {
-					const pk = await getStoredPasskeyById(userId, id);
-					if (pk) passkeys.push(pk);
-				}
-				return passkeys;
-			};
-			const saveNewStoredPasskey = async (passkeyData) => {
-				const storablePasskey = {
-					...passkeyData,
-					publicKey: uint8ArrayToBase64Url(passkeyData.publicKey)
-				};
-				await Storage.set(ctx.storage, passkeyKey(passkeyData.userId, passkeyData.id), storablePasskey);
-				const passkeyIds = await Storage.get(ctx.storage, userPasskeysIndexKey(passkeyData.userId)) || [];
-				if (!passkeyIds.includes(passkeyData.id)) {
-					passkeyIds.push(passkeyData.id);
-					await Storage.set(ctx.storage, userPasskeysIndexKey(passkeyData.userId), passkeyIds);
-				}
-			};
-			const updateStoredPasskeyCounter = async (userId, credentialID, newCounter) => {
-				const passkey = await getStoredPasskeyById(userId, credentialID);
-				if (passkey) {
-					passkey.counter = newCounter;
-					const storablePasskey = {
-						...passkey,
-						publicKey: uint8ArrayToBase64Url(passkey.publicKey)
-					};
-					await Storage.set(ctx.storage, passkeyKey(userId, credentialID), storablePasskey);
-				}
-			};
-			routes.get("/authorize", async (c) => {
-				return ctx.forward(c, await config.authorize(c.request));
-			});
-			routes.get("/register", async (c) => {
-				return ctx.forward(c, await config.register(c.request));
-			});
-			routes.get("/register-request", async (c) => {
-				const userId = c.query("userId");
-				const rpID = config.rpID || c.query("rpID");
-				const otherDevice = c.query("otherDevice") === "true";
-				if (!userId) return c.json({ error: "User ID for registration is required." }, { status: 400 });
-				if (!rpID) return c.json({ error: "RP ID for registration is required." }, { status: 400 });
-				const username = c.query("username") || userId;
-				let user = await getStoredUserById(userId);
-				if (config.userCanRegisterPasskey) {
-					if (!await config.userCanRegisterPasskey(userId, c.request)) return c.json({ error: copy.error_user_not_allowed }, { status: 403 });
-				}
-				if (!user) {
-					user = {
-						id: userId,
-						username
-					};
-					await saveUser(user);
-				}
-				const userPasskeys = await getStoredUserPasskeys(user.id);
-				const regOptions = await generateRegistrationOptions({
-					rpName,
-					rpID,
-					userName: user.username,
-					attestationType,
-					excludeCredentials: userPasskeys.map((pk) => ({
-						id: pk.id,
-						transports: pk.transports
-					})),
-					authenticatorSelection: authenticatorSelection ?? {
-						residentKey: "preferred",
-						userVerification: "preferred",
-						authenticatorAttachment: otherDevice ? void 0 : "platform"
-					},
-					timeout
-				});
-				await Storage.set(ctx.storage, optionsKey(user.id), regOptions);
-				return c.json(regOptions);
-			});
-			routes.post("/register-verify", async (c) => {
-				const body = await c.parseJson();
-				const userId = c.query("userId");
-				const rpID = config.rpID || c.query("rpID");
-				const origin = config.origin || c.query("origin");
-				if (!userId) return c.json({
-					verified: false,
-					error: "User ID for verification is required."
-				}, { status: 400 });
-				if (!rpID) return c.json({ error: "RP ID for verification is required." }, { status: 400 });
-				if (!origin) return c.json({ error: "Origin for verification is required." }, { status: 400 });
-				const user = await getStoredUserById(userId);
-				if (!user) return c.json({
-					verified: false,
-					error: "User not found during verification."
-				}, { status: 404 });
-				const regOptions = await Storage.get(ctx.storage, optionsKey(user.id));
-				if (!regOptions) return c.json({
-					verified: false,
-					error: "Registration options not found."
-				}, { status: 400 });
-				const challenge = regOptions.challenge;
-				let verification;
-				try {
-					verification = await verifyRegistrationResponse({
-						response: body,
-						expectedChallenge: challenge,
-						expectedOrigin: origin,
-						expectedRPID: rpID,
-						requireUserVerification: authenticatorSelection?.userVerification !== "discouraged"
-					});
-				} catch (error) {
-					console.error("Passkey Registration Verification Error:", error);
-					const message = error instanceof Error ? error.message : "Unknown error";
-					return c.json({
-						verified: false,
-						error: message
-					}, { status: 400 });
-				}
-				const { verified, registrationInfo } = verification;
-				if (verified && registrationInfo) {
-					const { credential, credentialDeviceType, credentialBackedUp } = registrationInfo;
-					if (credential) {
-						const newPasskey = {
-							id: credential.id,
-							userId: user.id,
-							webauthnUserID: regOptions.user.id,
-							publicKey: credential.publicKey,
-							counter: credential.counter,
-							transports: credential.transports,
-							deviceType: credentialDeviceType,
-							backedUp: credentialBackedUp
-						};
-						await saveNewStoredPasskey(newPasskey);
-						return ctx.success(c, {
-							userId: user.id,
-							credentialId: newPasskey.id,
-							verified: true
-						});
-					}
-				}
-				return c.json({
-					verified: false,
-					error: "Registration verification failed."
-				}, { status: 400 });
-			});
-			routes.get("/authenticate-options", async (c) => {
-				const userId = c.query("userId");
-				if (!userId) return c.json({ error: "User ID for authentication is required." }, { status: 400 });
-				const rpID = config.rpID || c.query("rpID");
-				if (!rpID) return c.json({ error: "RP ID for authentication is required." }, { status: 400 });
-				const userForAuth = await getStoredUserById(userId);
-				if (!userForAuth) return c.json({ error: "User not found for authentication." }, { status: 404 });
-				const authOptions = await generateAuthenticationOptions({
-					rpID,
-					allowCredentials: (await getStoredUserPasskeys(userForAuth.id)).map((pk) => ({
-						id: pk.id,
-						transports: pk.transports
-					})),
-					userVerification: authenticatorSelection?.userVerification ?? "preferred",
-					timeout
-				});
-				await Storage.set(ctx.storage, optionsKey(userForAuth.id), authOptions);
-				return c.json(authOptions);
-			});
-			routes.post("/authenticate-verify", async (c) => {
-				const body = await c.parseJson();
-				const userId = c.query("userId");
-				if (!userId) return c.json({ error: "User ID for authentication is required." }, { status: 400 });
-				const rpID = config.rpID || c.query("rpID");
-				if (!rpID) return c.json({ error: "RP ID for authentication is required." }, { status: 400 });
-				const origin = config.origin || c.query("origin");
-				if (!origin) return c.json({ error: "Origin for authentication is required." }, { status: 400 });
-				const user = await getStoredUserById(userId);
-				if (!user) return c.json({
-					verified: false,
-					error: `User ${userId} not found.`
-				}, { status: 404 });
-				const authOptions = await Storage.get(ctx.storage, optionsKey(user.id));
-				if (!authOptions) return c.json({ error: "Authentication options not found." }, { status: 400 });
-				const passkey = await getStoredPasskeyById(userId, body.id);
-				if (!passkey) return c.json({
-					verified: false,
-					error: `Passkey ${body.id} not found for user ${user.username}.`
-				}, { status: 400 });
-				const { publicKey, counter, transports } = passkey;
-				if (!publicKey || typeof counter !== "number" || !transports) return c.json({ error: "Passkey not found for authentication." }, { status: 400 });
-				const challenge = authOptions.challenge;
-				if (!challenge) return c.json({ error: "Authentication challenge not found." }, { status: 400 });
-				const { verified, authenticationInfo } = await verifyAuthenticationResponse({
-					response: body,
-					expectedChallenge: challenge,
-					expectedOrigin: origin || "",
-					expectedRPID: rpID,
-					credential: {
-						id: passkey.id,
-						publicKey,
-						counter,
-						transports
-					}
-				});
-				if (verified) {
-					await updateStoredPasskeyCounter(user.id, passkey.id, authenticationInfo.newCounter);
-					return ctx.success(c, {
-						userId: user.id,
-						credentialId: passkey.id,
-						verified: true
-					});
-				}
-				return c.json({
-					verified: false,
-					error: "Authentication verification failed."
-				}, { status: 400 });
-			});
-		}
-	};
-};
-
-//#endregion
-export { PasskeyProvider };