@draftlab/auth 0.15.1 → 0.16.0

package/dist/esm/core.js

@@ -0,0 +1,597 @@
+// src/core.ts
+import { Hono } from "hono";
+import { deleteCookie, getCookie, setCookie } from "hono/cookie";
+import { cors } from "hono/cors";
+import { CompactEncrypt, compactDecrypt, SignJWT } from "jose";
+import { defaultAllowCheck } from "./allow";
+import {
+  MissingParameterError,
+  OauthError,
+  UnauthorizedClientError,
+  UnknownStateError
+} from "./error";
+import { encryptionKeys, signingKeys } from "./keys";
+import { validatePKCE } from "./pkce";
+import { generateSecureToken } from "./random";
+import { Revocation } from "./revocation";
+import { Storage } from "./storage/storage";
+import { setTheme } from "./themes/theme";
+import { Select } from "./ui/select";
+import { getRelativeUrl, lazy } from "./util";
+var normalizeTimingAsync = async (fn, minTimeMs = 100) => {
+  const startTime = performance.now();
+  const result = await fn();
+  const elapsed = performance.now() - startTime;
+  const remainingTime = Math.max(0, minTimeMs - elapsed);
+  if (remainingTime > 0) {
+    const jitterBuffer = new Uint32Array(1);
+    crypto.getRandomValues(jitterBuffer);
+    const jitter = (jitterBuffer[0] ?? 0) / 4294967295 * 20;
+    const totalDelay = remainingTime + jitter;
+    await new Promise((resolve) => setTimeout(resolve, totalDelay));
+  }
+  return result;
+};
+var isHttpsRequest = (c) => {
+  return c.req.header("x-forwarded-proto") === "https" || c.req.header("x-forwarded-ssl") === "on" || c.req.url.startsWith("https://");
+};
+var issuer = (input) => {
+  const error = input.error ?? ((err) => {
+    return new Response(err.message, {
+      status: 400,
+      headers: { "Content-Type": "text/plain" }
+    });
+  });
+  const ttlAccess = input.ttl?.access ?? 60 * 60 * 24 * 30;
+  const ttlRefresh = input.ttl?.refresh ?? 60 * 60 * 24 * 365;
+  const ttlRefreshReuse = input.ttl?.reuse ?? 60;
+  const ttlRefreshRetention = input.ttl?.retention ?? 0;
+  if (input.theme) {
+    setTheme(input.theme);
+  }
+  const storage = input.storage;
+  const select = lazy(() => input.select ?? Select());
+  const allSigning = lazy(() => signingKeys(storage));
+  const allEncryption = lazy(() => encryptionKeys(storage));
+  const allow = lazy(() => input.allow ?? defaultAllowCheck);
+  const signingKey = lazy(() => allSigning().then((all) => all[0]));
+  const encryptionKey = lazy(() => allEncryption().then((all) => all[0]));
+  const cookiePath = input.basePath || "/";
+  const issuerUrl = (c) => {
+    const baseUrl = new URL(getRelativeUrl(c, "/"));
+    if (input.basePath) {
+      const normalizedBasePath = input.basePath.startsWith("/") ? input.basePath : `/${input.basePath}`;
+      baseUrl.pathname = normalizedBasePath.replace(/\/$/, "");
+      return baseUrl.href;
+    }
+    return baseUrl.origin;
+  };
+  const encrypt = async (value) => {
+    const key = await encryptionKey();
+    if (!key) {
+      throw new Error("Encryption key not available");
+    }
+    return await new CompactEncrypt(new TextEncoder().encode(JSON.stringify(value))).setProtectedHeader({ alg: "RSA-OAEP-512", enc: "A256GCM" }).encrypt(key.public);
+  };
+  const decrypt = async (value) => {
+    const key = await encryptionKey();
+    if (!key) {
+      throw new Error("Encryption key not available");
+    }
+    return JSON.parse(new TextDecoder().decode(await compactDecrypt(value, key.private).then((result) => result.plaintext)));
+  };
+  const resolveSubject = async (type, properties) => {
+    const jsonString = JSON.stringify(properties);
+    const encoder = new TextEncoder;
+    const data = encoder.encode(jsonString);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+    return `${type}:${hashHex.slice(0, 16)}`;
+  };
+  const generateTokens = async (c, value, opts) => {
+    const refreshToken = value.nextToken ?? generateSecureToken();
+    if (opts?.generateRefreshToken ?? true) {
+      const refreshPayload = {
+        type: value.type,
+        properties: value.properties,
+        clientID: value.clientID,
+        subject: value.subject,
+        ttl: value.ttl,
+        nextToken: generateSecureToken(),
+        timeUsed: value.timeUsed
+      };
+      const refreshKey = ["oauth:refresh", value.subject, refreshToken];
+      await Storage.set(storage, refreshKey, refreshPayload, value.ttl.refresh);
+    }
+    const signingKeyData = await signingKey();
+    if (!signingKeyData) {
+      throw new Error("Signing key not available");
+    }
+    const now = Math.floor(Date.now() / 1000);
+    if (!value.clientID.trim()) {
+      throw new Error("Invalid audience: client ID cannot be empty");
+    }
+    const accessPayload = {
+      type: value.type,
+      properties: value.properties,
+      sub: value.subject,
+      aud: value.clientID,
+      iss: issuerUrl(c),
+      exp: now + value.ttl.access,
+      iat: now,
+      mode: "access"
+    };
+    const access = await new SignJWT(accessPayload).setExpirationTime(Math.floor(now + value.ttl.access)).setProtectedHeader({
+      alg: signingKeyData.alg,
+      kid: signingKeyData.id,
+      typ: "JWT"
+    }).sign(signingKeyData.private);
+    return {
+      access,
+      refresh: [value.subject, refreshToken].join(":"),
+      expiresIn: Math.floor(now + value.ttl.access - Date.now() / 1000)
+    };
+  };
+  const getAuthorization = async (c) => {
+    const match = await auth.get(c, "authorization") || c.get("authorization");
+    if (!match) {
+      throw new UnknownStateError;
+    }
+    return match;
+  };
+  const auth = {
+    async success(c, properties, successOpts) {
+      const authorization = await getAuthorization(c);
+      const currentProvider = c.get("provider") || "unknown";
+      if (!authorization.client_id) {
+        throw new Error("client_id is required");
+      }
+      return await input.success({
+        async subject(type, properties2, subjectOpts) {
+          const subject = subjectOpts?.subject ?? await resolveSubject(type, properties2);
+          await successOpts?.invalidate?.(await resolveSubject(type, properties2));
+          if (authorization.response_type === "token") {
+            if (!authorization.redirect_uri) {
+              throw new Error("redirect_uri is required");
+            }
+            const location2 = new URL(authorization.redirect_uri);
+            if (!authorization.client_id) {
+              throw new Error("client_id is required");
+            }
+            const tokens = await generateTokens(c, {
+              type,
+              subject,
+              properties: properties2,
+              clientID: authorization.client_id,
+              ttl: {
+                access: subjectOpts?.ttl?.access ?? ttlAccess,
+                refresh: subjectOpts?.ttl?.refresh ?? ttlRefresh
+              }
+            });
+            location2.hash = new URLSearchParams({
+              access_token: tokens.access,
+              token_type: "Bearer",
+              expires_in: tokens.expiresIn.toString(),
+              ...authorization.state && { state: authorization.state }
+            }).toString();
+            await auth.unset(c, "authorization");
+            return c.redirect(location2.toString(), 302);
+          }
+          if (!authorization.redirect_uri) {
+            throw new Error("redirect_uri is required");
+          }
+          if (!authorization.client_id) {
+            throw new Error("client_id is required");
+          }
+          const code = generateSecureToken();
+          const codePayload = {
+            type,
+            properties: properties2,
+            subject,
+            redirectURI: authorization.redirect_uri,
+            clientID: authorization.client_id,
+            scopes: authorization.scopes,
+            pkce: authorization.pkce,
+            ttl: {
+              access: subjectOpts?.ttl?.access ?? ttlAccess,
+              refresh: subjectOpts?.ttl?.refresh ?? ttlRefresh
+            }
+          };
+          await Storage.set(storage, ["oauth:code", code], codePayload, 60);
+          if (!authorization.redirect_uri) {
+            throw new Error("redirect_uri is required");
+          }
+          const location = new URL(authorization.redirect_uri);
+          location.searchParams.set("code", code);
+          if (authorization.state) {
+            location.searchParams.set("state", authorization.state);
+          }
+          await auth.unset(c, "authorization");
+          return c.redirect(location.toString(), 302);
+        }
+      }, {
+        provider: currentProvider,
+        ...properties && typeof properties === "object" ? properties : {}
+      }, c.req.raw, authorization.client_id);
+    },
+    forward(c, response) {
+      return c.newResponse(response.body, response);
+    },
+    async set(c, key, maxAge, value) {
+      const isHttps = isHttpsRequest(c);
+      const encryptedValue = await encrypt(value);
+      setCookie(c, key, encryptedValue, {
+        maxAge,
+        httpOnly: true,
+        secure: isHttps,
+        sameSite: isHttps ? "None" : "Lax",
+        path: cookiePath
+      });
+    },
+    async get(c, key) {
+      const raw = getCookie(c, key);
+      if (!raw) {
+        return;
+      }
+      try {
+        const decrypted = await decrypt(raw);
+        return decrypted;
+      } catch {
+        deleteCookie(c, key, {
+          path: cookiePath
+        });
+        return;
+      }
+    },
+    async unset(c, key) {
+      deleteCookie(c, key, {
+        path: cookiePath
+      });
+    },
+    async invalidate(subject) {
+      for await (const [key] of Storage.scan(storage, ["oauth:refresh", subject])) {
+        await Storage.remove(storage, key);
+      }
+    },
+    storage
+  };
+  const app = new Hono({
+    strict: false
+  }).basePath(input.basePath || "/");
+  for (const [name, value] of Object.entries(input.providers)) {
+    const route = new Hono;
+    route.use(async (c, next) => {
+      c.set("provider", name);
+      await next();
+    });
+    value.init(route, {
+      name,
+      ...auth
+    });
+    app.route(`/${name}`, route);
+  }
+  app.get("/.well-known/jwks.json", cors({
+    origin: "*",
+    allowHeaders: ["*"],
+    allowMethods: ["GET"],
+    credentials: false
+  }), async (c) => {
+    const signingKeysData = await allSigning();
+    const jwksDocument = {
+      keys: signingKeysData.map((keyInfo) => ({
+        ...keyInfo.jwk,
+        alg: keyInfo.alg,
+        exp: keyInfo.expired ? Math.floor(keyInfo.expired.getTime() / 1000) : undefined
+      }))
+    };
+    return c.json(jwksDocument);
+  });
+  app.get("/.well-known/oauth-authorization-server", cors({
+    origin: "*",
+    allowHeaders: ["*"],
+    allowMethods: ["GET"],
+    credentials: false
+  }), (c) => {
+    const iss = issuerUrl(c);
+    const oauth2Document = {
+      issuer: iss,
+      authorization_endpoint: `${iss}/authorize`,
+      token_endpoint: `${iss}/token`,
+      jwks_uri: `${iss}/.well-known/jwks.json`,
+      response_types_supported: ["code", "token"]
+    };
+    return c.json(oauth2Document);
+  });
+  app.post("/token", cors({
+    origin: "*",
+    allowHeaders: ["*"],
+    allowMethods: ["POST"],
+    credentials: false
+  }), async (c) => {
+    const form = await c.req.formData();
+    const grantType = form.get("grant_type");
+    if (grantType === "authorization_code") {
+      const code = form.get("code");
+      if (!code) {
+        const err = new OauthError("invalid_request", "Missing code");
+        return c.json(err.toJSON(), 400);
+      }
+      const key = ["oauth:code", code.toString()];
+      const { isValid, payload } = await normalizeTimingAsync(async () => {
+        const data = await Storage.get(storage, key);
+        const redirectUri = form.get("redirect_uri");
+        const clientId = form.get("client_id");
+        const valid = !!(data && data.redirectURI === redirectUri && data.clientID === clientId);
+        return {
+          isValid: valid,
+          payload: valid ? data : undefined
+        };
+      });
+      if (!isValid || !payload) {
+        const err = new OauthError("invalid_grant", "Authorization code has been used or expired");
+        return c.json(err.toJSON(), 400);
+      }
+      if (payload.pkce) {
+        const codeVerifier = form.get("code_verifier")?.toString();
+        if (!codeVerifier) {
+          const err = new OauthError("invalid_grant", "Missing code_verifier");
+          return c.json(err.toJSON(), 400);
+        }
+        if (!await validatePKCE(codeVerifier, payload.pkce.challenge, payload.pkce.method)) {
+          const err = new OauthError("invalid_grant", "Code verifier does not match");
+          return c.json(err.toJSON(), 400);
+        }
+      }
+      const tokens = await generateTokens(c, payload);
+      await Storage.remove(storage, key);
+      const response = {
+        access_token: tokens.access,
+        token_type: "Bearer",
+        expires_in: tokens.expiresIn,
+        refresh_token: tokens.refresh
+      };
+      return c.json(response);
+    }
+    if (grantType === "refresh_token") {
+      const refreshToken = form.get("refresh_token");
+      if (!refreshToken) {
+        const err = new OauthError("invalid_request", "Missing refresh_token");
+        return c.json(err.toJSON(), 400);
+      }
+      const refreshTokenStr = refreshToken.toString();
+      const isRevoked = await Revocation.isRevoked(storage, refreshTokenStr);
+      if (isRevoked) {
+        const err = new OauthError("invalid_grant", "Refresh token has been revoked");
+        return c.json(err.toJSON(), 400);
+      }
+      const splits = refreshTokenStr.split(":");
+      const token = splits.pop();
+      if (!token) {
+        throw new Error("Invalid refresh token format");
+      }
+      const subject = splits.join(":");
+      const key = ["oauth:refresh", subject, token];
+      const payload = await Storage.get(storage, key);
+      if (!payload) {
+        const err = new OauthError("invalid_grant", "Refresh token has been used or expired");
+        return c.json(err.toJSON(), 400);
+      }
+      if (input.refresh) {
+        try {
+          const refreshResult = await input.refresh({
+            type: payload.type,
+            properties: payload.properties,
+            subject: payload.subject,
+            clientID: payload.clientID,
+            scopes: payload.scopes
+          }, c.req.raw);
+          if (!refreshResult) {
+            await auth.invalidate(subject);
+            return c.json({
+              error: "invalid_grant",
+              error_description: "Refresh token is no longer valid"
+            }, 400);
+          }
+          payload.type = refreshResult.type;
+          payload.properties = refreshResult.properties;
+          if (refreshResult.subject) {
+            payload.subject = refreshResult.subject;
+          }
+          if (refreshResult.scopes) {
+            payload.scopes = refreshResult.scopes;
+          }
+        } catch {
+          return c.json({
+            error: "server_error",
+            error_description: "Internal server error during token refresh"
+          }, 500);
+        }
+      }
+      const generateRefreshToken = !payload.timeUsed;
+      if (ttlRefreshReuse <= 0) {
+        await Storage.remove(storage, key);
+      } else if (!payload.timeUsed) {
+        payload.timeUsed = Date.now();
+        await Storage.set(storage, key, payload, ttlRefreshReuse + ttlRefreshRetention);
+      } else if (Date.now() > payload.timeUsed + ttlRefreshReuse * 1000) {
+        await auth.invalidate(subject);
+        return c.json({
+          error: "invalid_grant",
+          error_description: "Refresh token has been used or expired"
+        }, 400);
+      }
+      const tokens = await generateTokens(c, {
+        type: payload.type,
+        properties: payload.properties,
+        subject: payload.subject,
+        clientID: payload.clientID,
+        ttl: {
+          access: ttlAccess,
+          refresh: ttlRefresh
+        }
+      }, {
+        generateRefreshToken
+      });
+      const response = {
+        access_token: tokens.access,
+        token_type: "Bearer",
+        refresh_token: tokens.refresh,
+        expires_in: tokens.expiresIn
+      };
+      return c.json(response);
+    }
+    return c.json({
+      error: "unsupported_grant_type",
+      error_description: "The authorization grant type is not supported by the authorization server"
+    }, 400);
+  });
+  app.post("/revoke", cors({
+    origin: "*",
+    allowHeaders: ["Content-Type"],
+    allowMethods: ["POST"],
+    credentials: false
+  }), async (c) => {
+    const form = await c.req.formData();
+    const token = form.get("token")?.toString();
+    const tokenTypeHint = form.get("token_type_hint")?.toString();
+    if (!token) {
+      const err = new OauthError("invalid_request", "Missing token parameter");
+      return c.json(err.toJSON(), 400);
+    }
+    try {
+      if (tokenTypeHint === "refresh_token") {
+        const splits2 = token.split(":");
+        const tokenPart2 = splits2.pop();
+        if (tokenPart2 && splits2.length > 0) {
+          const subject = splits2.join(":");
+          const key = ["oauth:refresh", subject, tokenPart2];
+          const payload = await Storage.get(storage, key);
+          if (payload) {
+            await Storage.remove(storage, key);
+            const expiresAt2 = Date.now() + ttlRefreshRetention * 1000;
+            await Revocation.revoke(storage, token, expiresAt2);
+            return c.json({});
+          }
+        }
+      } else if (tokenTypeHint === "access_token") {
+        const expiresAt2 = Date.now() + ttlAccess * 1000;
+        await Revocation.revoke(storage, token, expiresAt2);
+        return c.json({});
+      }
+      const splits = token.split(":");
+      const tokenPart = splits.pop();
+      if (tokenPart && splits.length > 0) {
+        const subject = splits.join(":");
+        const key = ["oauth:refresh", subject, tokenPart];
+        const payload = await Storage.get(storage, key);
+        if (payload) {
+          await Storage.remove(storage, key);
+          const expiresAt2 = Date.now() + ttlRefreshRetention * 1000;
+          await Revocation.revoke(storage, token, expiresAt2);
+          return c.json({});
+        }
+      }
+      const expiresAt = Date.now() + ttlAccess * 1000;
+      await Revocation.revoke(storage, token, expiresAt);
+      return c.json({});
+    } catch {
+      return c.json({
+        error: "server_error",
+        error_description: "Token revocation failed"
+      }, 500);
+    }
+  });
+  app.get("/authorize", async (c) => {
+    const provider = c.req.query("provider");
+    const response_type = c.req.query("response_type");
+    const redirect_uri = c.req.query("redirect_uri");
+    const state = c.req.query("state");
+    const client_id = c.req.query("client_id");
+    const audience = c.req.query("audience");
+    const code_challenge = c.req.query("code_challenge");
+    const code_challenge_method = c.req.query("code_challenge_method");
+    const scope = c.req.query("scope");
+    const scopes = scope ? scope.split(" ").filter(Boolean) : undefined;
+    const authorization = {
+      response_type,
+      redirect_uri,
+      state,
+      client_id,
+      audience,
+      scope,
+      scopes,
+      ...code_challenge && code_challenge_method && {
+        pkce: {
+          challenge: code_challenge,
+          method: code_challenge_method
+        }
+      }
+    };
+    c.set("authorization", authorization);
+    if (!redirect_uri) {
+      return c.text("Missing redirect_uri", 400);
+    }
+    try {
+      const uri = new URL(redirect_uri);
+      if (!uri.protocol || !uri.host) {
+        return c.text("Invalid redirect_uri format", 400);
+      }
+    } catch {
+      return c.text("Invalid redirect_uri format", 400);
+    }
+    if (!response_type) {
+      throw new MissingParameterError("response_type");
+    }
+    if (!client_id) {
+      throw new MissingParameterError("client_id");
+    }
+    if (input.start) {
+      await input.start(c.req.raw);
+    }
+    if (!await allow()({
+      clientID: client_id,
+      redirectURI: redirect_uri,
+      audience
+    }, c.req.raw)) {
+      throw new UnauthorizedClientError(client_id, redirect_uri);
+    }
+    await auth.set(c, "authorization", 60 * 15, authorization);
+    if (provider) {
+      return c.redirect(`${provider}/authorize`);
+    }
+    const availableProviders = Object.keys(input.providers);
+    if (availableProviders.length === 1) {
+      return c.redirect(`${availableProviders[0]}/authorize`);
+    }
+    return auth.forward(c, await select()(Object.fromEntries(Object.entries(input.providers).map(([key, value]) => [key, value.type])), c.req.raw));
+  });
+  app.onError(async (err, c) => {
+    if (err instanceof UnknownStateError) {
+      return auth.forward(c, await error(err, c.req.raw));
+    }
+    try {
+      const authorization = await getAuthorization(c);
+      if (!authorization.redirect_uri) {
+        throw new Error("redirect_uri is required");
+      }
+      const url = new URL(authorization.redirect_uri);
+      const oauth = err instanceof OauthError ? err : new OauthError("server_error", err.message);
+      url.searchParams.set("error", oauth.error);
+      url.searchParams.set("error_description", oauth.description);
+      if (authorization.state) {
+        url.searchParams.set("state", authorization.state);
+      }
+      return c.redirect(url.toString());
+    } catch {
+      return c.json({
+        error: "server_error",
+        error_description: err.message
+      }, 500);
+    }
+  });
+  return app;
+};
+export {
+  issuer
+};

package/dist/esm/error.js

@@ -0,0 +1,88 @@
+// src/error.ts
+class OauthError extends Error {
+  error;
+  description;
+  constructor(error, description) {
+    super(`${error} - ${description}`);
+    this.name = "OauthError";
+    this.error = error;
+    this.description = description;
+  }
+  toJSON() {
+    return {
+      error: this.error,
+      error_description: this.description
+    };
+  }
+}
+
+class MissingProviderError extends OauthError {
+  constructor() {
+    super("invalid_request", "Must specify `provider` query parameter if `select` callback on issuer is not specified");
+    this.name = "MissingProviderError";
+  }
+}
+
+class MissingParameterError extends OauthError {
+  parameter;
+  constructor(parameter) {
+    super("invalid_request", `Missing parameter: ${parameter}`);
+    this.name = "MissingParameterError";
+    this.parameter = parameter;
+  }
+}
+
+class UnauthorizedClientError extends OauthError {
+  clientID;
+  constructor(clientID, redirectURI) {
+    super("unauthorized_client", `Client ${clientID} is not authorized to use this redirect_uri: ${redirectURI}`);
+    this.name = "UnauthorizedClientError";
+    this.clientID = clientID;
+  }
+}
+
+class UnknownStateError extends Error {
+  constructor() {
+    super("The browser was in an unknown state. This could be because certain cookies expired or the browser was switched in the middle of an authentication flow.");
+    this.name = "UnknownStateError";
+  }
+}
+
+class InvalidSubjectError extends Error {
+  constructor() {
+    super("Invalid subject");
+    this.name = "InvalidSubjectError";
+  }
+}
+
+class InvalidRefreshTokenError extends Error {
+  constructor() {
+    super("Invalid refresh token");
+    this.name = "InvalidRefreshTokenError";
+  }
+}
+
+class InvalidAccessTokenError extends Error {
+  constructor() {
+    super("Invalid access token");
+    this.name = "InvalidAccessTokenError";
+  }
+}
+
+class InvalidAuthorizationCodeError extends Error {
+  constructor() {
+    super("Invalid authorization code");
+    this.name = "InvalidAuthorizationCodeError";
+  }
+}
+export {
+  UnknownStateError,
+  UnauthorizedClientError,
+  OauthError,
+  MissingProviderError,
+  MissingParameterError,
+  InvalidSubjectError,
+  InvalidRefreshTokenError,
+  InvalidAuthorizationCodeError,
+  InvalidAccessTokenError
+};

package/dist/esm/index.js

@@ -0,0 +1,5 @@
+// src/index.ts
+import { issuer } from "./core";
+export {
+  issuer
+};