@draftlab/auth 0.15.0 → 0.16.0

package/dist/esm/keys.js

@@ -0,0 +1,126 @@
+// src/keys.ts
+import {
+  exportJWK,
+  exportPKCS8,
+  exportSPKI,
+  generateKeyPair,
+  importPKCS8,
+  importSPKI
+} from "jose";
+import { Mutex } from "./mutex";
+import { generateSecureToken } from "./random";
+import { Storage } from "./storage/storage";
+var signingAlg = "ES256";
+var encryptionAlg = "RSA-OAEP-512";
+var signingKeyMutex = new Mutex;
+var encryptionKeyMutex = new Mutex;
+var signingKeys = async (storage) => {
+  return signingKeyMutex.runExclusive(async () => {
+    const results = [];
+    const scanner = Storage.scan(storage, ["signing:key"]);
+    for await (const [, value] of scanner) {
+      try {
+        const publicKey = await importSPKI(value.publicKey, value.alg, {
+          extractable: true
+        });
+        const privateKey = await importPKCS8(value.privateKey, value.alg);
+        const jwk2 = await exportJWK(publicKey);
+        jwk2.kid = value.id;
+        jwk2.use = "sig";
+        results.push({
+          id: value.id,
+          alg: signingAlg,
+          created: new Date(value.created),
+          expired: value.expired ? new Date(value.expired) : undefined,
+          public: publicKey,
+          private: privateKey,
+          jwk: jwk2
+        });
+      } catch {}
+    }
+    results.sort((a, b) => b.created.getTime() - a.created.getTime());
+    if (results.filter((item) => !item.expired).length) {
+      return results;
+    }
+    const key = await generateKeyPair(signingAlg, {
+      extractable: true
+    });
+    const serialized = {
+      id: generateSecureToken(16),
+      publicKey: await exportSPKI(key.publicKey),
+      privateKey: await exportPKCS8(key.privateKey),
+      created: Date.now(),
+      alg: signingAlg
+    };
+    await Storage.set(storage, ["signing:key", serialized.id], serialized);
+    const jwk = await exportJWK(key.publicKey);
+    jwk.kid = serialized.id;
+    jwk.use = "sig";
+    const newKeyPair = {
+      id: serialized.id,
+      alg: signingAlg,
+      created: new Date(serialized.created),
+      expired: serialized.expired ? new Date(serialized.expired) : undefined,
+      public: key.publicKey,
+      private: key.privateKey,
+      jwk
+    };
+    return [newKeyPair, ...results];
+  });
+};
+var encryptionKeys = async (storage) => {
+  return encryptionKeyMutex.runExclusive(async () => {
+    const results = [];
+    const scanner = Storage.scan(storage, ["encryption:key"]);
+    for await (const [, value] of scanner) {
+      try {
+        const publicKey = await importSPKI(value.publicKey, value.alg, {
+          extractable: true
+        });
+        const privateKey = await importPKCS8(value.privateKey, value.alg);
+        const jwk2 = await exportJWK(publicKey);
+        jwk2.kid = value.id;
+        results.push({
+          id: value.id,
+          alg: encryptionAlg,
+          created: new Date(value.created),
+          expired: value.expired ? new Date(value.expired) : undefined,
+          public: publicKey,
+          private: privateKey,
+          jwk: jwk2
+        });
+      } catch {}
+    }
+    results.sort((a, b) => b.created.getTime() - a.created.getTime());
+    if (results.filter((item) => !item.expired).length) {
+      return results;
+    }
+    const key = await generateKeyPair(encryptionAlg, {
+      extractable: true
+    });
+    const serialized = {
+      id: generateSecureToken(16),
+      publicKey: await exportSPKI(key.publicKey),
+      privateKey: await exportPKCS8(key.privateKey),
+      created: Date.now(),
+      alg: encryptionAlg
+    };
+    await Storage.set(storage, ["encryption:key", serialized.id], serialized);
+    const jwk = await exportJWK(key.publicKey);
+    jwk.kid = serialized.id;
+    const newKeyPair = {
+      id: serialized.id,
+      alg: encryptionAlg,
+      created: new Date(serialized.created),
+      expired: serialized.expired ? new Date(serialized.expired) : undefined,
+      public: key.publicKey,
+      private: key.privateKey,
+      jwk
+    };
+    return [newKeyPair, ...results];
+  });
+};
+export {
+  signingKeys,
+  encryptionKeys
+};

package/dist/esm/mutex.js

@@ -0,0 +1,53 @@
+// src/mutex.ts
+class Semaphore {
+  capacity;
+  available;
+  deferredTasks = [];
+  constructor(capacity) {
+    this.capacity = capacity;
+    this.available = capacity;
+  }
+  async acquire() {
+    if (this.available > 0) {
+      this.available--;
+      return;
+    }
+    return new Promise((resolve) => {
+      this.deferredTasks.push(resolve);
+    });
+  }
+  release() {
+    const deferredTask = this.deferredTasks.shift();
+    if (deferredTask != null) {
+      deferredTask();
+      return;
+    }
+    if (this.available < this.capacity) {
+      this.available++;
+    }
+  }
+}
+
+class Mutex {
+  semaphore = new Semaphore(1);
+  get isLocked() {
+    return this.semaphore.available === 0;
+  }
+  async acquire() {
+    return this.semaphore.acquire();
+  }
+  release() {
+    this.semaphore.release();
+  }
+  async runExclusive(fn) {
+    await this.acquire();
+    try {
+      return await fn();
+    } finally {
+      this.release();
+    }
+  }
+}
+export {
+  Mutex
+};

package/dist/esm/pkce.js

@@ -0,0 +1,87 @@
+// src/pkce.ts
+import { base64url } from "jose";
+var timingSafeCompare = (a, b) => {
+  if (typeof a !== "string" || typeof b !== "string") {
+    return false;
+  }
+  const encoder = new TextEncoder;
+  const aBytes = encoder.encode(a);
+  const bBytes = encoder.encode(b);
+  let diff = aBytes.length ^ bBytes.length;
+  for (const [i, aByte] of aBytes.entries()) {
+    diff |= aByte ^ (bBytes[i] ?? 0);
+  }
+  return diff === 0;
+};
+var generateVerifier = (length) => {
+  const buffer = new Uint8Array(length);
+  crypto.getRandomValues(buffer);
+  return base64url.encode(buffer);
+};
+var generateChallenge = async (verifier, method) => {
+  if (method === "plain") {
+    return verifier;
+  }
+  const encoder = new TextEncoder;
+  const data = encoder.encode(verifier);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return base64url.encode(new Uint8Array(hash));
+};
+var generatePKCE = async (length = 48) => {
+  if (!Number.isInteger(length) || length < 32 || length > 96) {
+    throw new RangeError("Random buffer length must be between 32 and 96 bytes (generates 43-128 character verifier)");
+  }
+  const verifier = generateVerifier(length);
+  if (verifier.length < 43 || verifier.length > 128) {
+    throw new Error("Generated verifier does not meet requirements");
+  }
+  if (!/^[A-Za-z0-9_-]+$/.test(verifier)) {
+    throw new Error("Generated verifier is not valid base64url format");
+  }
+  const challenge = await generateChallenge(verifier, "S256");
+  return {
+    verifier,
+    challenge,
+    method: "S256"
+  };
+};
+var validatePKCE = async (verifier, challenge, method = "S256") => {
+  const MIN_PROCESSING_TIME = 50;
+  const RANDOM_JITTER_MAX = 20;
+  const startTime = performance.now();
+  let isValid = false;
+  let hasEarlyFailure = false;
+  const normalizedVerifier = String(verifier || "");
+  const normalizedChallenge = String(challenge || "");
+  const validations = [
+    typeof verifier === "string" && typeof challenge === "string" && verifier && challenge,
+    normalizedVerifier.length >= 43 && normalizedVerifier.length <= 128,
+    normalizedChallenge.length >= 43 && normalizedChallenge.length <= 128,
+    /^[A-Za-z0-9_-]+$/.test(normalizedVerifier),
+    /^[A-Za-z0-9_-]+$/.test(normalizedChallenge)
+  ];
+  hasEarlyFailure = !validations.every(Boolean);
+  const verifierToUse = hasEarlyFailure ? "dummyverifier_".repeat(6) : normalizedVerifier;
+  try {
+    const generatedChallenge = await generateChallenge(verifierToUse, method);
+    const challengeToCompare = hasEarlyFailure ? "dummychallenge_".repeat(6) : normalizedChallenge;
+    const comparisonResult = timingSafeCompare(generatedChallenge, challengeToCompare);
+    isValid = !hasEarlyFailure && comparisonResult;
+  } catch {
+    isValid = false;
+  }
+  const elapsed = performance.now() - startTime;
+  const remainingTime = Math.max(0, MIN_PROCESSING_TIME - elapsed);
+  if (remainingTime > 0 || elapsed < MIN_PROCESSING_TIME) {
+    const jitterArray = new Uint32Array(1);
+    crypto.getRandomValues(jitterArray);
+    const jitter = (jitterArray[0] ?? 0) / 4294967295 * RANDOM_JITTER_MAX;
+    const totalDelay = Math.max(remainingTime, MIN_PROCESSING_TIME - elapsed) + jitter;
+    await new Promise((resolve) => setTimeout(resolve, totalDelay));
+  }
+  return isValid;
+};
+export {
+  validatePKCE,
+  generatePKCE
+};

package/dist/esm/provider/apple.js

@@ -0,0 +1,15 @@
+// src/provider/apple.ts
+import { Oauth2Provider } from "./oauth2";
+var AppleProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "apple",
+    endpoint: {
+      authorization: "https://appleid.apple.com/auth/authorize",
+      token: "https://appleid.apple.com/auth/token"
+    }
+  });
+};
+export {
+  AppleProvider
+};

package/dist/esm/provider/code.js

@@ -0,0 +1,62 @@
+// src/provider/code.ts
+import { generateUnbiasedDigits, timingSafeCompare } from "../random";
+var CodeProvider = (config) => {
+  const codeLength = config.length || 6;
+  const generateCode = () => {
+    return generateUnbiasedDigits(codeLength);
+  };
+  return {
+    type: "code",
+    init(routes, ctx) {
+      const transition = async (c, nextState, formData, error) => {
+        await ctx.set(c, "provider", 60 * 60 * 24, nextState);
+        const response = await config.request(c.req.raw, nextState, formData, error);
+        return ctx.forward(c, response);
+      };
+      routes.get("/authorize", (c) => {
+        return transition(c, { type: "start" });
+      });
+      routes.post("/authorize", async (c) => {
+        const formData = await c.req.formData();
+        const currentState = await ctx.get(c, "provider");
+        const action = formData.get("action")?.toString();
+        if (action === "request" || action === "resend") {
+          const code = generateCode();
+          const formEntries = Object.fromEntries(formData);
+          const { action: _, ...claims } = formEntries;
+          await config.sendCode(claims, code);
+          return transition(c, {
+            type: "code",
+            resend: action === "resend",
+            claims,
+            code
+          }, formData);
+        } else if (action === "verify" && currentState?.type === "code") {
+          const enteredCode = formData.get("code")?.toString();
+          if (!(currentState.code && enteredCode && timingSafeCompare(currentState.code, enteredCode))) {
+            return transition(c, {
+              ...currentState,
+              resend: false
+            }, formData, { type: "invalid_code" });
+          }
+          const authorization = await ctx.get(c, "authorization");
+          if (!authorization) {
+            return transition(c, { type: "start" }, formData, {
+              type: "invalid_claim",
+              key: "session",
+              value: "Authentication session expired"
+            });
+          }
+          await ctx.unset(c, "provider");
+          return await ctx.success(c, {
+            claims: currentState.claims
+          });
+        }
+        return transition(c, { type: "start" });
+      });
+    }
+  };
+};
+export {
+  CodeProvider
+};

package/dist/esm/provider/discord.js

@@ -0,0 +1,15 @@
+// src/provider/discord.ts
+import { Oauth2Provider } from "./oauth2";
+var DiscordProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "discord",
+    endpoint: {
+      authorization: "https://discord.com/oauth2/authorize",
+      token: "https://discord.com/api/oauth2/token"
+    }
+  });
+};
+export {
+  DiscordProvider
+};

package/dist/esm/provider/facebook.js

@@ -0,0 +1,15 @@
+// src/provider/facebook.ts
+import { Oauth2Provider } from "./oauth2";
+var FacebookProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "facebook",
+    endpoint: {
+      authorization: "https://www.facebook.com/v18.0/dialog/oauth",
+      token: "https://graph.facebook.com/v18.0/oauth/access_token"
+    }
+  });
+};
+export {
+  FacebookProvider
+};

package/dist/esm/provider/github.js

@@ -0,0 +1,15 @@
+// src/provider/github.ts
+import { Oauth2Provider } from "./oauth2";
+var GithubProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "github",
+    endpoint: {
+      authorization: "https://github.com/login/oauth/authorize",
+      token: "https://github.com/login/oauth/access_token"
+    }
+  });
+};
+export {
+  GithubProvider
+};

package/dist/esm/provider/gitlab.js

@@ -0,0 +1,15 @@
+// src/provider/gitlab.ts
+import { Oauth2Provider } from "./oauth2";
+var GitlabProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "gitlab",
+    endpoint: {
+      authorization: "https://gitlab.com/oauth/authorize",
+      token: "https://gitlab.com/oauth/token"
+    }
+  });
+};
+export {
+  GitlabProvider
+};

package/dist/esm/provider/google.js

@@ -0,0 +1,16 @@
+// src/provider/google.ts
+import { Oauth2Provider } from "./oauth2";
+var GoogleProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "google",
+    endpoint: {
+      authorization: "https://accounts.google.com/o/oauth2/v2/auth",
+      token: "https://oauth2.googleapis.com/token",
+      jwks: "https://www.googleapis.com/oauth2/v3/certs"
+    }
+  });
+};
+export {
+  GoogleProvider
+};

package/dist/esm/provider/linkedin.js

@@ -0,0 +1,15 @@
+// src/provider/linkedin.ts
+import { Oauth2Provider } from "./oauth2";
+var LinkedInProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "linkedin",
+    endpoint: {
+      authorization: "https://www.linkedin.com/oauth/v2/authorization",
+      token: "https://www.linkedin.com/oauth/v2/accessToken"
+    }
+  });
+};
+export {
+  LinkedInProvider
+};

package/dist/esm/provider/magiclink.js

@@ -0,0 +1,83 @@
+// src/provider/magiclink.ts
+import { generateUnbiasedDigits, timingSafeCompare } from "../random";
+var MagicLinkProvider = (config) => {
+  const generateToken = () => {
+    return generateUnbiasedDigits(32);
+  };
+  return {
+    type: "magiclink",
+    init(routes, ctx) {
+      const transition = async (c, nextState, formData, error) => {
+        await ctx.set(c, "provider", 60 * 60 * 24, nextState);
+        const response = await config.request(c.req.raw, nextState, formData, error);
+        return ctx.forward(c, response);
+      };
+      routes.get("/authorize", async (c) => {
+        return transition(c, { type: "start" });
+      });
+      routes.post("/authorize", async (c) => {
+        const formData = await c.req.formData();
+        const action = formData.get("action")?.toString();
+        if (action === "request" || action === "resend") {
+          const token = generateToken();
+          const formEntries = Object.fromEntries(formData);
+          const { action: _, ...claims } = formEntries;
+          const baseUrl = new URL(c.req.url).origin;
+          const magicUrl = new URL(`/auth/${ctx.name}/verify`, baseUrl);
+          magicUrl.searchParams.set("token", token);
+          for (const [key, value] of Object.entries(claims)) {
+            if (typeof value === "string") {
+              magicUrl.searchParams.set(key, value);
+            }
+          }
+          await config.sendLink(claims, magicUrl.toString());
+          return transition(c, {
+            type: "sent",
+            resend: action === "resend",
+            claims,
+            token
+          }, formData);
+        }
+        return transition(c, { type: "start" });
+      });
+      routes.get("/verify", async (c) => {
+        const url = new URL(c.req.url);
+        const token = url.searchParams.get("token");
+        const storedState = await ctx.get(c, "provider");
+        if (!token || !storedState || storedState.type !== "sent") {
+          return transition(c, { type: "start" }, undefined, { type: "invalid_link" });
+        }
+        if (!timingSafeCompare(storedState.token, token)) {
+          return transition(c, { type: "start" }, undefined, { type: "invalid_link" });
+        }
+        const urlClaims = {};
+        for (const [key, value] of url.searchParams) {
+          if (key !== "token" && value) {
+            urlClaims[key] = value;
+          }
+        }
+        const claimsMatch = Object.keys(storedState.claims).every((key) => {
+          const urlValue = urlClaims[key];
+          const storedValue = storedState.claims[key];
+          if (!urlValue || !storedValue)
+            return false;
+          return timingSafeCompare(storedValue, urlValue);
+        });
+        if (!claimsMatch) {
+          return transition(c, { type: "start" }, undefined, { type: "invalid_link" });
+        }
+        const authorization = await ctx.get(c, "authorization");
+        if (!authorization) {
+          return transition(c, { type: "start" }, undefined, { type: "invalid_link" });
+        }
+        await ctx.unset(c, "provider");
+        return await ctx.success(c, {
+          claims: storedState.claims
+        });
+      });
+    }
+  };
+};
+export {
+  MagicLinkProvider
+};

package/dist/esm/provider/microsoft.js

@@ -0,0 +1,15 @@
+// src/provider/microsoft.ts
+import { Oauth2Provider } from "./oauth2";
+var MicrosoftProvider = (config) => {
+  return Oauth2Provider({
+    ...config,
+    type: "microsoft",
+    endpoint: {
+      authorization: `https://login.microsoftonline.com/${config.tenant}/oauth2/v2.0/authorize`,
+      token: `https://login.microsoftonline.com/${config.tenant}/oauth2/v2.0/token`
+    }
+  });
+};
+export {
+  MicrosoftProvider
+};

package/dist/esm/provider/oauth2.js

@@ -0,0 +1,130 @@
+// src/provider/oauth2.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import { OauthError } from "../error";
+import { generatePKCE } from "../pkce";
+import { generateSecureToken, timingSafeCompare } from "../random";
+import { getRelativeUrl } from "../util";
+var Oauth2Provider = (config) => {
+  const authQuery = config.query || {};
+  const handleCallbackLogic = async (c, ctx, provider, code) => {
+    if (!(provider && code)) {
+      return c.redirect(getRelativeUrl(c, "./authorize"));
+    }
+    const tokenRequestBody = new URLSearchParams({
+      client_id: config.clientID,
+      client_secret: config.clientSecret,
+      code,
+      grant_type: "authorization_code",
+      redirect_uri: provider.redirect,
+      ...provider.codeVerifier ? { code_verifier: provider.codeVerifier } : {}
+    });
+    try {
+      const response = await fetch(config.endpoint.token, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          Accept: "application/json"
+        },
+        body: tokenRequestBody.toString()
+      });
+      if (!response.ok) {
+        throw new Error(`Token request failed with status ${response.status}`);
+      }
+      const tokenData = await response.json();
+      if (tokenData.error) {
+        throw new OauthError(tokenData.error, tokenData.error_description || "");
+      }
+      if (tokenData.id_token && config.endpoint.jwks) {
+        try {
+          const jwks = createRemoteJWKSet(new URL(config.endpoint.jwks));
+          await jwtVerify(tokenData.id_token, jwks, {
+            issuer: config.endpoint.authorization.split("/").slice(0, 3).join("/"),
+            clockTolerance: 60
+          });
+        } catch (error) {
+          throw new OauthError("invalid_request", `ID token validation failed: ${error instanceof Error ? error.message : "Unknown error"}`);
+        }
+      }
+      return await ctx.success(c, {
+        clientID: config.clientID,
+        tokenset: {
+          get access() {
+            return tokenData.access_token;
+          },
+          get refresh() {
+            return tokenData.refresh_token || "";
+          },
+          get expiry() {
+            return tokenData.expires_in || 0;
+          },
+          get raw() {
+            return tokenData;
+          }
+        }
+      });
+    } catch (error) {
+      if (error instanceof OauthError) {
+        throw error;
+      }
+      throw new OauthError("server_error", `Token exchange failed: ${error instanceof Error ? error.message : "Unknown error"}`);
+    }
+  };
+  return {
+    type: config.type || "oauth2",
+    init(routes, ctx) {
+      routes.get("/authorize", async (c) => {
+        const state = generateSecureToken();
+        const pkce = config.pkce ? await generatePKCE() : undefined;
+        await ctx.set(c, "provider", 60 * 10, {
+          state,
+          redirect: getRelativeUrl(c, "./callback"),
+          codeVerifier: pkce?.verifier
+        });
+        const authorizationUrl = new URL(config.endpoint.authorization);
+        authorizationUrl.searchParams.set("client_id", config.clientID);
+        authorizationUrl.searchParams.set("redirect_uri", getRelativeUrl(c, "./callback"));
+        authorizationUrl.searchParams.set("response_type", "code");
+        authorizationUrl.searchParams.set("state", state);
+        authorizationUrl.searchParams.set("scope", config.scopes.join(" "));
+        if (pkce) {
+          authorizationUrl.searchParams.set("code_challenge", pkce.challenge);
+          authorizationUrl.searchParams.set("code_challenge_method", pkce.method);
+        }
+        for (const [key, value] of Object.entries(authQuery)) {
+          authorizationUrl.searchParams.set(key, value);
+        }
+        return c.redirect(authorizationUrl.toString());
+      });
+      routes.get("/callback", async (c) => {
+        const provider = await ctx.get(c, "provider");
+        const code = c.req.query("code");
+        const state = c.req.query("state");
+        const error = c.req.query("error");
+        if (error) {
+          throw new OauthError(error, c.req.query("error_description") || "");
+        }
+        if (!(provider && code) || provider.state && !timingSafeCompare(state || "", provider.state)) {
+          return c.redirect(getRelativeUrl(c, "./authorize"));
+        }
+        return await handleCallbackLogic(c, ctx, provider, code);
+      });
+      routes.post("/callback", async (c) => {
+        const provider = await ctx.get(c, "provider");
+        const formData = await c.req.formData();
+        const code = formData.get("code")?.toString();
+        const state = formData.get("state")?.toString();
+        const error = formData.get("error")?.toString();
+        if (error) {
+          throw new OauthError(error, formData.get("error_description")?.toString() || "");
+        }
+        if (!(provider && code) || provider.state && !timingSafeCompare(state || "", provider.state)) {
+          return c.redirect(getRelativeUrl(c, "./authorize"));
+        }
+        return await handleCallbackLogic(c, ctx, provider, code);
+      });
+    }
+  };
+};
+export {
+  Oauth2Provider
+};