@dwk/oauth 0.1.0-beta.0

package/dist/introspection.js

@@ -0,0 +1,118 @@
+/**
+ * OAuth 2.0 Token Introspection (RFC 7662).
+ *
+ * A protected POST endpoint a Resource Server queries to learn whether a token
+ * is currently active and, if so, its metadata. The endpoint **MUST** be
+ * protected (RFC 7662 §2.1) so it cannot be used as a token-scanning oracle —
+ * hence {@link IntrospectionConfig.authenticate} is required, not optional.
+ *
+ * The lib owns only the protocol mechanics: it asks the caller to look the token
+ * up (storage stays in the consuming package, see `./store`), derives the
+ * `active` flag, and maps the record to the snake_case response. A DPoP-bound
+ * token surfaces its key thumbprint as `cnf: { jkt }` so the RS can complete the
+ * proof-of-possession binding via `@dwk/dpop`.
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc7662
+ */
+import { hostFromUrl } from "@dwk/log";
+import { OAuthError, oauthErrorResponse } from "./errors";
+import { json, methodNotAllowed, readForm } from "./http";
+import { OAuthLogEvent } from "./log";
+import { emit, resolveObservability, } from "./observability";
+/** The single inactive response RFC 7662 §2.2 mandates for any non-active token. */
+const INACTIVE = { active: false };
+/**
+ * Whether `record` represents a currently-active token at `now`. A record is
+ * active unless it is `null`, explicitly `active: false`, revoked, past its
+ * `expiresAt`, or before its `notBefore`. Pure and side-effect-free.
+ */
+export function isTokenActive(record, now) {
+    if (record === null)
+        return false;
+    if (record.active === false)
+        return false;
+    if (record.revoked === true)
+        return false;
+    if (record.expiresAt !== undefined && now >= record.expiresAt)
+        return false;
+    if (record.notBefore !== undefined && now < record.notBefore)
+        return false;
+    return true;
+}
+/**
+ * Map an active token record to its RFC 7662 response, emitting only members the
+ * record actually carries (so the response never advertises empty claims). The
+ * caller MUST have already established the token is active.
+ */
+export function buildIntrospectionResponse(record) {
+    const response = { active: true };
+    if (record.scope !== undefined)
+        response.scope = record.scope;
+    if (record.clientId !== undefined)
+        response.client_id = record.clientId;
+    if (record.username !== undefined)
+        response.username = record.username;
+    if (record.tokenType !== undefined)
+        response.token_type = record.tokenType;
+    if (record.expiresAt !== undefined)
+        response.exp = record.expiresAt;
+    if (record.issuedAt !== undefined)
+        response.iat = record.issuedAt;
+    if (record.notBefore !== undefined)
+        response.nbf = record.notBefore;
+    if (record.subject !== undefined)
+        response.sub = record.subject;
+    if (record.audience !== undefined)
+        response.aud = record.audience;
+    if (record.issuer !== undefined)
+        response.iss = record.issuer;
+    if (record.tokenId !== undefined)
+        response.jti = record.tokenId;
+    if (record.jkt !== undefined)
+        response.cnf = { jkt: record.jkt };
+    return response;
+}
+/**
+ * Create the introspection endpoint handler. The returned handler accepts a
+ * `POST` request and returns the introspection JSON; route it at whatever path
+ * the deployer mounts (it is path-agnostic).
+ */
+export function createIntrospectionHandler(config) {
+    const obs = resolveObservability(config);
+    const clock = config.now ?? (() => Math.floor(Date.now() / 1000));
+    return async (request) => {
+        if (request.method.toUpperCase() !== "POST") {
+            return methodNotAllowed("POST");
+        }
+        // Clone before consuming the body so the authenticator can read it too.
+        const authRequest = request.clone();
+        const form = await readForm(request);
+        // Protect the endpoint first, so an unauthenticated caller learns nothing
+        // about any token (not even "unknown" vs "known") — the token lookup stays
+        // after this gate. Reading the (small) form body up front is not sensitive.
+        const clientId = form.get("client_id") ?? undefined;
+        if (!(await config.authenticate(authRequest, clientId))) {
+            emit(obs, "warn", OAuthLogEvent.IntrospectionRejected, {
+                reason: "unauthenticated",
+            });
+            return oauthErrorResponse(OAuthError.InvalidClient, "introspection requires client authentication", 401, { "WWW-Authenticate": "Bearer" });
+        }
+        const token = form.get("token") ?? "";
+        if (!token) {
+            return oauthErrorResponse(OAuthError.InvalidRequest, "`token` is required");
+        }
+        const hint = form.get("token_type_hint") ?? undefined;
+        const record = await config.lookupToken(token, hint);
+        if (!isTokenActive(record, clock())) {
+            emit(obs, "info", OAuthLogEvent.IntrospectionInactive);
+            return json(INACTIVE);
+        }
+        // `record` is non-null here: isTokenActive(null) is false.
+        const active = record;
+        emit(obs, "info", OAuthLogEvent.IntrospectionActive, {
+            clientHost: active.clientId ? hostFromUrl(active.clientId) : undefined,
+        });
+        return json(buildIntrospectionResponse(active));
+    };
+}
+//# sourceMappingURL=introspection.js.map

package/dist/introspection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"introspection.js","sourceRoot":"","sources":["../src/introspection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAEvC,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC1D,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AACtC,OAAO,EACL,IAAI,EACJ,oBAAoB,GAErB,MAAM,iBAAiB,CAAC;AAwDzB,oFAAoF;AACpF,MAAM,QAAQ,GAA0B,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAE1D;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAC3B,MAAuC,EACvC,GAAW;IAEX,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAClC,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,MAAM,CAAC,OAAO,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,IAAI,GAAG,IAAI,MAAM,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAC5E,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAC3E,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CACxC,MAAgC;IAEhC,MAAM,QAAQ,GAA4B,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC3D,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS;QAAE,QAAQ,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;IAC9D,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS;QAAE,QAAQ,CAAC,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC;IACxE,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS;QAAE,QAAQ,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IACvE,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS;QAAE,QAAQ,CAAC,UAAU,GAAG,MAAM,CAAC,SAAS,CAAC;IAC3E,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS;QAAE,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC;IACpE,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS;QAAE,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;IAClE,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS;QAAE,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC;IACpE,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS;QAAE,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC;IAChE,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS;QAAE,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;IAClE,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS;QAAE,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC;IAC9D,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS;QAAE,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC;IAChE,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS;QAAE,QAAQ,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;IACjE,OAAO,QAA4C,CAAC;AACtD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CACxC,MAA2B;IAE3B,MAAM,GAAG,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAElE,OAAO,KAAK,EAAE,OAAO,EAAE,EAAE;QACvB,IAAI,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,MAAM,EAAE,CAAC;YAC5C,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAClC,CAAC;QAED,wEAAwE;QACxE,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;QACpC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,CAAC;QAErC,0EAA0E;QAC1E,2EAA2E;QAC3E,4EAA4E;QAC5E,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC;QACpD,IAAI,CAAC,CAAC,MAAM,MAAM,CAAC,YAAY,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;YACxD,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,aAAa,CAAC,qBAAqB,EAAE;gBACrD,MAAM,EAAE,iBAAiB;aAC1B,CAAC,CAAC;YACH,OAAO,kBAAkB,CACvB,UAAU,CAAC,aAAa,EACxB,8CAA8C,EAC9C,GAAG,EACH,EAAE,kBAAkB,EAAE,QAAQ,EAAE,CACjC,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACtC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,kBAAkB,CACvB,UAAU,CAAC,cAAc,EACzB,qBAAqB,CACtB,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,SAAS,CAAC;QAEtD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACrD,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;YACpC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,aAAa,CAAC,qBAAqB,CAAC,CAAC;YACvD,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC;QACxB,CAAC;QAED,2DAA2D;QAC3D,MAAM,MAAM,GAAG,MAAkC,CAAC;QAClD,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,aAAa,CAAC,mBAAmB,EAAE;YACnD,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;SACvE,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,0BAA0B,CAAC,MAAM,CAAC,CAAC,CAAC;IAClD,CAAC,CAAC;AACJ,CAAC"}

package/dist/log.d.ts

@@ -0,0 +1,42 @@
+/**
+ * `@dwk/oauth` — structured observability event taxonomy.
+ *
+ * These endpoints sit on the security-sensitive edge of an authorization server:
+ * a refused introspection (token scanning), a rejected registration, or a
+ * consumed/forged `request_uri` is exactly the kind of event an operator needs a
+ * signal for. Logging and metrics are opt-in via an injected {@link Logger} and
+ * {@link Metrics} (see `@dwk/log`) and **share this one vocabulary** — the same
+ * dotted event name is passed to the logger and the metrics sink so a log line
+ * and its counter line up.
+ *
+ * Fields follow the redaction policy: a `client_id` URL is reduced to its host
+ * via `hostFromUrl`, and tokens, secrets, codes, and `request_uri` reference
+ * values are **never** logged — only machine-readable reason codes, hosts, and
+ * scopes.
+ *
+ * @packageDocumentation
+ */
+/** Stable event names emitted by `@dwk/oauth`. */
+export declare const OAuthLogEvent: {
+    /** A token was introspected and reported active. */
+    readonly IntrospectionActive: "oauth.introspection.active";
+    /** A token was introspected and reported inactive (unknown/expired/revoked). */
+    readonly IntrospectionInactive: "oauth.introspection.inactive";
+    /** An introspection request was refused (failed endpoint authentication). */
+    readonly IntrospectionRejected: "oauth.introspection.rejected";
+    /** A token was revoked (or the no-op revocation of an unknown token). */
+    readonly TokenRevoked: "oauth.revocation.revoked";
+    /** A revocation request was refused (failed endpoint authentication). */
+    readonly RevocationRejected: "oauth.revocation.rejected";
+    /** A pushed authorization request was stored and a `request_uri` issued. */
+    readonly PushedRequestStored: "oauth.par.stored";
+    /** A pushed authorization request was rejected before storage. Field: `reason`. */
+    readonly PushedRequestRejected: "oauth.par.rejected";
+    /** A dynamic client registration succeeded. Field: `clientHost`. */
+    readonly ClientRegistered: "oauth.registration.registered";
+    /** A dynamic client registration was rejected. Field: `reason`. */
+    readonly ClientRegistrationRejected: "oauth.registration.rejected";
+};
+/** Union of the event-name string literals in {@link OAuthLogEvent}. */
+export type OAuthLogEvent = (typeof OAuthLogEvent)[keyof typeof OAuthLogEvent];
+//# sourceMappingURL=log.d.ts.map

package/dist/log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"log.d.ts","sourceRoot":"","sources":["../src/log.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,kDAAkD;AAClD,eAAO,MAAM,aAAa;IACxB,oDAAoD;;IAEpD,gFAAgF;;IAEhF,6EAA6E;;IAE7E,yEAAyE;;IAEzE,yEAAyE;;IAEzE,4EAA4E;;IAE5E,mFAAmF;;IAEnF,oEAAoE;;IAEpE,mEAAmE;;CAE3D,CAAC;AAEX,wEAAwE;AACxE,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,OAAO,aAAa,CAAC,CAAC"}

package/dist/log.js

@@ -0,0 +1,40 @@
+/**
+ * `@dwk/oauth` — structured observability event taxonomy.
+ *
+ * These endpoints sit on the security-sensitive edge of an authorization server:
+ * a refused introspection (token scanning), a rejected registration, or a
+ * consumed/forged `request_uri` is exactly the kind of event an operator needs a
+ * signal for. Logging and metrics are opt-in via an injected {@link Logger} and
+ * {@link Metrics} (see `@dwk/log`) and **share this one vocabulary** — the same
+ * dotted event name is passed to the logger and the metrics sink so a log line
+ * and its counter line up.
+ *
+ * Fields follow the redaction policy: a `client_id` URL is reduced to its host
+ * via `hostFromUrl`, and tokens, secrets, codes, and `request_uri` reference
+ * values are **never** logged — only machine-readable reason codes, hosts, and
+ * scopes.
+ *
+ * @packageDocumentation
+ */
+/** Stable event names emitted by `@dwk/oauth`. */
+export const OAuthLogEvent = {
+    /** A token was introspected and reported active. */
+    IntrospectionActive: "oauth.introspection.active",
+    /** A token was introspected and reported inactive (unknown/expired/revoked). */
+    IntrospectionInactive: "oauth.introspection.inactive",
+    /** An introspection request was refused (failed endpoint authentication). */
+    IntrospectionRejected: "oauth.introspection.rejected",
+    /** A token was revoked (or the no-op revocation of an unknown token). */
+    TokenRevoked: "oauth.revocation.revoked",
+    /** A revocation request was refused (failed endpoint authentication). */
+    RevocationRejected: "oauth.revocation.rejected",
+    /** A pushed authorization request was stored and a `request_uri` issued. */
+    PushedRequestStored: "oauth.par.stored",
+    /** A pushed authorization request was rejected before storage. Field: `reason`. */
+    PushedRequestRejected: "oauth.par.rejected",
+    /** A dynamic client registration succeeded. Field: `clientHost`. */
+    ClientRegistered: "oauth.registration.registered",
+    /** A dynamic client registration was rejected. Field: `reason`. */
+    ClientRegistrationRejected: "oauth.registration.rejected",
+};
+//# sourceMappingURL=log.js.map

package/dist/log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"log.js","sourceRoot":"","sources":["../src/log.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,kDAAkD;AAClD,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,oDAAoD;IACpD,mBAAmB,EAAE,4BAA4B;IACjD,gFAAgF;IAChF,qBAAqB,EAAE,8BAA8B;IACrD,6EAA6E;IAC7E,qBAAqB,EAAE,8BAA8B;IACrD,yEAAyE;IACzE,YAAY,EAAE,0BAA0B;IACxC,yEAAyE;IACzE,kBAAkB,EAAE,2BAA2B;IAC/C,4EAA4E;IAC5E,mBAAmB,EAAE,kBAAkB;IACvC,mFAAmF;IACnF,qBAAqB,EAAE,oBAAoB;IAC3C,oEAAoE;IACpE,gBAAgB,EAAE,+BAA+B;IACjD,mEAAmE;IACnE,0BAA0B,EAAE,6BAA6B;CACjD,CAAC"}

package/dist/metadata.d.ts

@@ -0,0 +1,79 @@
+/**
+ * OAuth 2.0 Authorization Server Metadata (RFC 8414).
+ *
+ * One source of truth drives two consumers: the **static** metadata document
+ * Anglesite publishes at `/.well-known/oauth-authorization-server` (derived from
+ * config at build time), and any **runtime** behaviour that must agree with what
+ * was advertised. The builder is pure config→JSON; it is protocol-agnostic, so
+ * IndieAuth, a Solid-OIDC OP, or a bare OAuth AS all feed it their own endpoints
+ * and supported-value lists.
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc8414
+ */
+/** Configuration for {@link buildAuthorizationServerMetadata}. */
+export interface AuthorizationServerMetadataConfig {
+    /** The authorization-server issuer identifier (a URL, no query/fragment). */
+    readonly issuer: string;
+    /** Absolute authorization endpoint URL. */
+    readonly authorizationEndpoint?: string;
+    /** Absolute token endpoint URL. */
+    readonly tokenEndpoint?: string;
+    /** Absolute token-introspection endpoint URL (RFC 7662). */
+    readonly introspectionEndpoint?: string;
+    /** Absolute token-revocation endpoint URL (RFC 7009). */
+    readonly revocationEndpoint?: string;
+    /** Absolute pushed-authorization-request endpoint URL (RFC 9126). */
+    readonly pushedAuthorizationRequestEndpoint?: string;
+    /** Absolute dynamic-client-registration endpoint URL (RFC 7591). */
+    readonly registrationEndpoint?: string;
+    /** Absolute JWK Set document URL. */
+    readonly jwksUri?: string;
+    /** OAuth scopes the server supports. Omitted from the document when empty. */
+    readonly scopesSupported?: readonly string[];
+    /** Supported `response_type` values. Defaults to `["code"]`. */
+    readonly responseTypesSupported?: readonly string[];
+    /** Supported `grant_type` values. Defaults to `["authorization_code"]`. */
+    readonly grantTypesSupported?: readonly string[];
+    /** Supported token-endpoint client authentication methods. Defaults to `["none"]`. */
+    readonly tokenEndpointAuthMethodsSupported?: readonly string[];
+    /** Supported PKCE `code_challenge` methods. Defaults to `["S256"]`. */
+    readonly codeChallengeMethodsSupported?: readonly string[];
+    /** Supported DPoP proof signing algorithms (RFC 9449), if DPoP is offered. */
+    readonly dpopSigningAlgValuesSupported?: readonly string[];
+    /**
+     * Whether the AS *requires* PAR for every authorization request (RFC 9126
+     * §4). Only emitted (as `true`) when a PAR endpoint is configured.
+     */
+    readonly requirePushedAuthorizationRequests?: boolean;
+}
+/**
+ * The JSON shape of the authorization-server metadata document. Snake-cased per
+ * RFC 8414; optional members are omitted (not `null`) when not configured.
+ */
+export interface AuthorizationServerMetadata {
+    readonly issuer: string;
+    readonly authorization_endpoint?: string;
+    readonly token_endpoint?: string;
+    readonly introspection_endpoint?: string;
+    readonly revocation_endpoint?: string;
+    readonly pushed_authorization_request_endpoint?: string;
+    readonly require_pushed_authorization_requests?: boolean;
+    readonly registration_endpoint?: string;
+    readonly jwks_uri?: string;
+    readonly scopes_supported?: readonly string[];
+    readonly response_types_supported: readonly string[];
+    readonly grant_types_supported: readonly string[];
+    readonly token_endpoint_auth_methods_supported: readonly string[];
+    readonly code_challenge_methods_supported: readonly string[];
+    readonly dpop_signing_alg_values_supported?: readonly string[];
+}
+/**
+ * Build the RFC 8414 metadata document from config. `issuer`,
+ * `response_types_supported`, `grant_types_supported`,
+ * `token_endpoint_auth_methods_supported`, and `code_challenge_methods_supported`
+ * are always present (with defaults); every endpoint URL and the optional value
+ * lists are emitted only when supplied, so the document never advertises an
+ * endpoint the deployer did not mount.
+ */
+export declare function buildAuthorizationServerMetadata(config: AuthorizationServerMetadataConfig): AuthorizationServerMetadata;
+//# sourceMappingURL=metadata.d.ts.map

package/dist/metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.d.ts","sourceRoot":"","sources":["../src/metadata.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,kEAAkE;AAClE,MAAM,WAAW,iCAAiC;IAChD,6EAA6E;IAC7E,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,2CAA2C;IAC3C,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IACxC,mCAAmC;IACnC,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,4DAA4D;IAC5D,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IACxC,yDAAyD;IACzD,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC,qEAAqE;IACrE,QAAQ,CAAC,kCAAkC,CAAC,EAAE,MAAM,CAAC;IACrD,oEAAoE;IACpE,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IACvC,qCAAqC;IACrC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,8EAA8E;IAC9E,QAAQ,CAAC,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC7C,gEAAgE;IAChE,QAAQ,CAAC,sBAAsB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpD,2EAA2E;IAC3E,QAAQ,CAAC,mBAAmB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACjD,sFAAsF;IACtF,QAAQ,CAAC,iCAAiC,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC/D,uEAAuE;IACvE,QAAQ,CAAC,6BAA6B,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3D,8EAA8E;IAC9E,QAAQ,CAAC,6BAA6B,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3D;;;OAGG;IACH,QAAQ,CAAC,kCAAkC,CAAC,EAAE,OAAO,CAAC;CACvD;AAED;;;GAGG;AACH,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IACzC,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IACzC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IACtC,QAAQ,CAAC,qCAAqC,CAAC,EAAE,MAAM,CAAC;IACxD,QAAQ,CAAC,qCAAqC,CAAC,EAAE,OAAO,CAAC;IACzD,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IACxC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9C,QAAQ,CAAC,wBAAwB,EAAE,SAAS,MAAM,EAAE,CAAC;IACrD,QAAQ,CAAC,qBAAqB,EAAE,SAAS,MAAM,EAAE,CAAC;IAClD,QAAQ,CAAC,qCAAqC,EAAE,SAAS,MAAM,EAAE,CAAC;IAClE,QAAQ,CAAC,gCAAgC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC7D,QAAQ,CAAC,iCAAiC,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChE;AAED;;;;;;;GAOG;AACH,wBAAgB,gCAAgC,CAC9C,MAAM,EAAE,iCAAiC,GACxC,2BAA2B,CAkD7B"}

package/dist/metadata.js

@@ -0,0 +1,67 @@
+/**
+ * OAuth 2.0 Authorization Server Metadata (RFC 8414).
+ *
+ * One source of truth drives two consumers: the **static** metadata document
+ * Anglesite publishes at `/.well-known/oauth-authorization-server` (derived from
+ * config at build time), and any **runtime** behaviour that must agree with what
+ * was advertised. The builder is pure config→JSON; it is protocol-agnostic, so
+ * IndieAuth, a Solid-OIDC OP, or a bare OAuth AS all feed it their own endpoints
+ * and supported-value lists.
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc8414
+ */
+/**
+ * Build the RFC 8414 metadata document from config. `issuer`,
+ * `response_types_supported`, `grant_types_supported`,
+ * `token_endpoint_auth_methods_supported`, and `code_challenge_methods_supported`
+ * are always present (with defaults); every endpoint URL and the optional value
+ * lists are emitted only when supplied, so the document never advertises an
+ * endpoint the deployer did not mount.
+ */
+export function buildAuthorizationServerMetadata(config) {
+    const metadata = {
+        issuer: config.issuer,
+        response_types_supported: config.responseTypesSupported ?? ["code"],
+        grant_types_supported: config.grantTypesSupported ?? ["authorization_code"],
+        token_endpoint_auth_methods_supported: config.tokenEndpointAuthMethodsSupported ?? ["none"],
+        code_challenge_methods_supported: config.codeChallengeMethodsSupported ?? [
+            "S256",
+        ],
+    };
+    if (config.authorizationEndpoint !== undefined) {
+        metadata.authorization_endpoint = config.authorizationEndpoint;
+    }
+    if (config.tokenEndpoint !== undefined) {
+        metadata.token_endpoint = config.tokenEndpoint;
+    }
+    if (config.introspectionEndpoint !== undefined) {
+        metadata.introspection_endpoint = config.introspectionEndpoint;
+    }
+    if (config.revocationEndpoint !== undefined) {
+        metadata.revocation_endpoint = config.revocationEndpoint;
+    }
+    if (config.pushedAuthorizationRequestEndpoint !== undefined) {
+        metadata.pushed_authorization_request_endpoint =
+            config.pushedAuthorizationRequestEndpoint;
+        // `require_*` is only meaningful alongside the endpoint that satisfies it.
+        if (config.requirePushedAuthorizationRequests) {
+            metadata.require_pushed_authorization_requests = true;
+        }
+    }
+    if (config.registrationEndpoint !== undefined) {
+        metadata.registration_endpoint = config.registrationEndpoint;
+    }
+    if (config.jwksUri !== undefined) {
+        metadata.jwks_uri = config.jwksUri;
+    }
+    if (config.scopesSupported && config.scopesSupported.length > 0) {
+        metadata.scopes_supported = config.scopesSupported;
+    }
+    if (config.dpopSigningAlgValuesSupported &&
+        config.dpopSigningAlgValuesSupported.length > 0) {
+        metadata.dpop_signing_alg_values_supported =
+            config.dpopSigningAlgValuesSupported;
+    }
+    return metadata;
+}
+//# sourceMappingURL=metadata.js.map

package/dist/metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.js","sourceRoot":"","sources":["../src/metadata.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AA6DH;;;;;;;GAOG;AACH,MAAM,UAAU,gCAAgC,CAC9C,MAAyC;IAEzC,MAAM,QAAQ,GAA4B;QACxC,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,wBAAwB,EAAE,MAAM,CAAC,sBAAsB,IAAI,CAAC,MAAM,CAAC;QACnE,qBAAqB,EAAE,MAAM,CAAC,mBAAmB,IAAI,CAAC,oBAAoB,CAAC;QAC3E,qCAAqC,EACnC,MAAM,CAAC,iCAAiC,IAAI,CAAC,MAAM,CAAC;QACtD,gCAAgC,EAAE,MAAM,CAAC,6BAA6B,IAAI;YACxE,MAAM;SACP;KACF,CAAC;IAEF,IAAI,MAAM,CAAC,qBAAqB,KAAK,SAAS,EAAE,CAAC;QAC/C,QAAQ,CAAC,sBAAsB,GAAG,MAAM,CAAC,qBAAqB,CAAC;IACjE,CAAC;IACD,IAAI,MAAM,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QACvC,QAAQ,CAAC,cAAc,GAAG,MAAM,CAAC,aAAa,CAAC;IACjD,CAAC;IACD,IAAI,MAAM,CAAC,qBAAqB,KAAK,SAAS,EAAE,CAAC;QAC/C,QAAQ,CAAC,sBAAsB,GAAG,MAAM,CAAC,qBAAqB,CAAC;IACjE,CAAC;IACD,IAAI,MAAM,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;QAC5C,QAAQ,CAAC,mBAAmB,GAAG,MAAM,CAAC,kBAAkB,CAAC;IAC3D,CAAC;IACD,IAAI,MAAM,CAAC,kCAAkC,KAAK,SAAS,EAAE,CAAC;QAC5D,QAAQ,CAAC,qCAAqC;YAC5C,MAAM,CAAC,kCAAkC,CAAC;QAC5C,2EAA2E;QAC3E,IAAI,MAAM,CAAC,kCAAkC,EAAE,CAAC;YAC9C,QAAQ,CAAC,qCAAqC,GAAG,IAAI,CAAC;QACxD,CAAC;IACH,CAAC;IACD,IAAI,MAAM,CAAC,oBAAoB,KAAK,SAAS,EAAE,CAAC;QAC9C,QAAQ,CAAC,qBAAqB,GAAG,MAAM,CAAC,oBAAoB,CAAC;IAC/D,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACjC,QAAQ,CAAC,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC;IACrC,CAAC;IACD,IAAI,MAAM,CAAC,eAAe,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChE,QAAQ,CAAC,gBAAgB,GAAG,MAAM,CAAC,eAAe,CAAC;IACrD,CAAC;IACD,IACE,MAAM,CAAC,6BAA6B;QACpC,MAAM,CAAC,6BAA6B,CAAC,MAAM,GAAG,CAAC,EAC/C,CAAC;QACD,QAAQ,CAAC,iCAAiC;YACxC,MAAM,CAAC,6BAA6B,CAAC;IACzC,CAAC;IAED,OAAO,QAAkD,CAAC;AAC5D,CAAC"}

package/dist/observability.d.ts

@@ -0,0 +1,37 @@
+/**
+ * The shared logging/metrics seam used by every endpoint. Logging and metrics
+ * are opt-in (default no-op) and share one event vocabulary (see `./log` and
+ * `@dwk/log`): the same dotted event name flows to both the logger and the
+ * metrics sink so a log line and its counter line up.
+ */
+import { type Logger, type Metrics } from "@dwk/log";
+import type { LogFields } from "@dwk/log";
+/** Observability config fragment mixed into each handler's config. */
+export interface ObservabilityConfig {
+    /**
+     * Logger for endpoint events; defaults to a no-op. Wire a real logger (see
+     * `@dwk/log`) to surface introspection refusals, registration rejections, and
+     * the like instead of swallowing them.
+     */
+    readonly logger?: Logger;
+    /**
+     * Metrics sink for the same events; defaults to a no-op. Wire an adapter (e.g.
+     * `analyticsEngineMetrics` from `@dwk/log`) to chart what the logger names.
+     */
+    readonly metrics?: Metrics;
+}
+/** A resolved logger/metrics pair, defaults applied. */
+export interface Observability {
+    readonly logger: Logger;
+    readonly metrics: Metrics;
+}
+/** Resolve the optional observability config to concrete (no-op) sinks. */
+export declare function resolveObservability(config: ObservabilityConfig): Observability;
+/**
+ * Emit a structured event on both the logger and the metrics sink. `warn` for
+ * handled-but-notable rejections, `info` for normal outcomes. Honors the
+ * redaction policy — callers pass only reason codes, sanitized hosts, and
+ * scopes, never tokens, secrets, or `request_uri` references.
+ */
+export declare function emit(obs: Observability, level: "info" | "warn", event: string, fields?: LogFields): void;
+//# sourceMappingURL=observability.d.ts.map

package/dist/observability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"observability.d.ts","sourceRoot":"","sources":["../src/observability.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAA2B,KAAK,MAAM,EAAE,KAAK,OAAO,EAAE,MAAM,UAAU,CAAC;AAC9E,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAE1C,sEAAsE;AACtE,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;;;OAGG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED,wDAAwD;AACxD,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;CAC3B;AAED,2EAA2E;AAC3E,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,mBAAmB,GAC1B,aAAa,CAKf;AAED;;;;;GAKG;AACH,wBAAgB,IAAI,CAClB,GAAG,EAAE,aAAa,EAClB,KAAK,EAAE,MAAM,GAAG,MAAM,EACtB,KAAK,EAAE,MAAM,EACb,MAAM,CAAC,EAAE,SAAS,GACjB,IAAI,CAGN"}

package/dist/observability.js

@@ -0,0 +1,25 @@
+/**
+ * The shared logging/metrics seam used by every endpoint. Logging and metrics
+ * are opt-in (default no-op) and share one event vocabulary (see `./log` and
+ * `@dwk/log`): the same dotted event name flows to both the logger and the
+ * metrics sink so a log line and its counter line up.
+ */
+import { noopLogger, noopMetrics } from "@dwk/log";
+/** Resolve the optional observability config to concrete (no-op) sinks. */
+export function resolveObservability(config) {
+    return {
+        logger: config.logger ?? noopLogger,
+        metrics: config.metrics ?? noopMetrics,
+    };
+}
+/**
+ * Emit a structured event on both the logger and the metrics sink. `warn` for
+ * handled-but-notable rejections, `info` for normal outcomes. Honors the
+ * redaction policy — callers pass only reason codes, sanitized hosts, and
+ * scopes, never tokens, secrets, or `request_uri` references.
+ */
+export function emit(obs, level, event, fields) {
+    obs.logger[level](event, fields);
+    obs.metrics.count(event, fields);
+}
+//# sourceMappingURL=observability.js.map

package/dist/observability.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"observability.js","sourceRoot":"","sources":["../src/observability.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAA6B,MAAM,UAAU,CAAC;AAwB9E,2EAA2E;AAC3E,MAAM,UAAU,oBAAoB,CAClC,MAA2B;IAE3B,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,UAAU;QACnC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,WAAW;KACvC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,IAAI,CAClB,GAAkB,EAClB,KAAsB,EACtB,KAAa,EACb,MAAkB;IAElB,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACjC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;AACnC,CAAC"}

package/dist/par.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Pushed Authorization Requests (RFC 9126).
+ *
+ * The client POSTs its authorization-request parameters directly to this
+ * endpoint; the server validates and stores them and hands back a short-lived,
+ * single-use `request_uri`. The client then starts the normal authorization
+ * flow with just `client_id` + `request_uri`, so the request parameters never
+ * travel through the browser/redirect and cannot be tampered with.
+ *
+ * This lib owns the *push* side (validate → store → mint `request_uri`). The
+ * *consume* side lives at the authorization endpoint in the consuming package:
+ * use {@link parseRequestUri} to recover the reference and the store's
+ * single-use `consume` ({@link PushedAuthorizationStore}). When DPoP binding is
+ * enabled and the push carries a `DPoP` header, the proof is verified via
+ * `@dwk/dpop` and its `jkt` recorded so the eventual token is key-bound
+ * (RFC 9449 §10).
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc9126
+ */
+import { type ObservabilityConfig } from "./observability";
+import type { EndpointAuthenticator } from "./introspection";
+import type { PushedRequestRecord } from "./store";
+/** The URN prefix RFC 9126 §2.2 mandates for a PAR `request_uri`. */
+export declare const PUSHED_REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:";
+/** Build the `request_uri` URN for a stored reference. */
+export declare function requestUriFor(reference: string): string;
+/**
+ * Recover the opaque reference from a PAR `request_uri`, or `null` if `uri` is
+ * not a `urn:ietf:params:oauth:request_uri:` value. Use this at the
+ * authorization endpoint before calling the store's single-use `consume`.
+ */
+export declare function parseRequestUri(uri: string): string | null;
+/** Configuration for {@link createPushedAuthorizationRequestHandler}. */
+export interface PushedAuthorizationRequestConfig extends ObservabilityConfig {
+    /** Persist a freshly pushed request (keyed by its `reference`). */
+    readonly saveRequest: (record: PushedRequestRecord) => Promise<void>;
+    /**
+     * Optionally authenticate the caller (RFC 9126 §2: clients authenticate as at
+     * the token endpoint). Omit for public clients. Return `false` to reject with
+     * `401 invalid_client`.
+     */
+    readonly authenticate?: EndpointAuthenticator;
+    /**
+     * Optional extra validation of the pushed parameters (e.g. requiring PKCE or a
+     * known `response_type`). Return an error description string to reject with
+     * `400 invalid_request`, or `null` to accept.
+     */
+    readonly validate?: (params: Readonly<Record<string, string>>) => string | null | Promise<string | null>;
+    /** `request_uri` lifetime in seconds. Defaults to 60 (RFC 9126 favors short). */
+    readonly lifetimeSeconds?: number;
+    /**
+     * Enable RFC 9449 DPoP binding: when `true` and the push carries a `DPoP`
+     * header, the proof is verified and its `jkt` recorded on the request. The
+     * `htu` is bound to {@link endpoint} (falling back to the request URL).
+     */
+    readonly dpopBinding?: boolean;
+    /** Absolute PAR endpoint URL, used as the DPoP `htu`. */
+    readonly endpoint?: string;
+    /** Current time (seconds since the epoch). Defaults to `Date.now()`. */
+    readonly now?: () => number;
+}
+/**
+ * Create the pushed-authorization-request endpoint handler. On success it
+ * returns `201` with `{ request_uri, expires_in }` (RFC 9126 §2.2).
+ */
+export declare function createPushedAuthorizationRequestHandler(config: PushedAuthorizationRequestConfig): (request: Request) => Promise<Response>;
+//# sourceMappingURL=par.d.ts.map

package/dist/par.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"par.d.ts","sourceRoot":"","sources":["../src/par.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AASH,OAAO,EAGL,KAAK,mBAAmB,EACzB,MAAM,iBAAiB,CAAC;AACzB,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAEnD,qEAAqE;AACrE,eAAO,MAAM,yBAAyB,uCAAuC,CAAC;AAM9E,0DAA0D;AAC1D,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAEvD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAI1D;AAED,yEAAyE;AACzE,MAAM,WAAW,gCAAiC,SAAQ,mBAAmB;IAC3E,mEAAmE;IACnE,QAAQ,CAAC,WAAW,EAAE,CAAC,MAAM,EAAE,mBAAmB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACrE;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,qBAAqB,CAAC;IAC9C;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAClB,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,KACrC,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC5C,iFAAiF;IACjF,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC;;;;OAIG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;IAC/B,yDAAyD;IACzD,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,wEAAwE;IACxE,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CAC7B;AAED;;;GAGG;AACH,wBAAgB,uCAAuC,CACrD,MAAM,EAAE,gCAAgC,GACvC,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CA4GzC"}