@enterprisestandard/esv 0.0.5-beta.20260115.3 → 0.0.5-beta.20260115.4

package/dist/server/server.js

@@ -1,223 +0,0 @@
-/**
- * ESV Mock Server
- *
- * A zero-dependency mock server that simulates Vault, SSO/IDP, IAM/SCIM,
- * and Workload Identity services for testing Enterprise Standard integrations.
- *
- * @example
- * ```typescript
- * import { startServer, stopServer } from '@enterprisestandard/esv/server';
- *
- * // Start before tests
- * await startServer();
- *
- * // Initialize with ES_VAULT_URL, ES_VAULT_TOKEN, and ES_VAULT_PATH set
- * const es = await enterpriseStandard(undefined, {
- *   vaultUrl: process.env.ES_VAULT_URL,
- *   vaultToken: process.env.ES_VAULT_TOKEN,
- *   vaultPath: process.env.ES_VAULT_PATH,
- * });
- *
- * // Stop after tests
- * await stopServer();
- * ```
- */
-import { createServer } from 'node:http';
-import { initializeKeys } from './crypto.js';
-import { handleIamRequest } from './iam.js';
-import { handleSsoRequest } from './sso.js';
-import { resetState } from './state.js';
-import { handleVaultRequest } from './vault.js';
-import { handleWhoamiRequest, handleWorkloadRequest } from './workload.js';
-/**
- * Handle webhook requests for tenant status updates
- */
-async function handleWebhook(req, res) {
-    if (req.method !== 'POST') {
-        res.writeHead(405, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: 'Method not allowed' }));
-        return;
-    }
-    // Read request body
-    let body = '';
-    req.on('data', (chunk) => {
-        body += chunk.toString();
-    });
-    req.on('end', () => {
-        try {
-            const payload = JSON.parse(body);
-            // Just acknowledge the webhook - we don't need to do anything with it for testing
-            res.writeHead(200, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ received: true, payload }));
-        }
-        catch (_error) {
-            res.writeHead(400, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ error: 'Invalid JSON' }));
-        }
-    });
-}
-const DEFAULT_PORT = 3555;
-const DEFAULT_HOST = 'localhost';
-let server = null;
-let isStarted = false;
-/**
- * Request router
- */
-async function handleRequest(req, res, verbose) {
-    const url = new URL(req.url || '/', `http://${req.headers.host}`);
-    const pathname = url.pathname;
-    if (verbose) {
-        console.log(`[ESV Server] ${req.method} ${pathname}`);
-    }
-    // Add CORS headers for local development
-    res.setHeader('Access-Control-Allow-Origin', '*');
-    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Vault-Token');
-    // Handle preflight requests
-    if (req.method === 'OPTIONS') {
-        res.writeHead(204);
-        res.end();
-        return;
-    }
-    try {
-        // Route to appropriate handler
-        if (pathname.startsWith('/vault')) {
-            handleVaultRequest(req, res, pathname);
-        }
-        else if (pathname.startsWith('/sso')) {
-            await handleSsoRequest(req, res, pathname);
-        }
-        else if (pathname.startsWith('/iam')) {
-            await handleIamRequest(req, res, pathname);
-        }
-        else if (pathname.startsWith('/workload')) {
-            await handleWorkloadRequest(req, res, pathname);
-        }
-        else if (pathname === '/api/whoami') {
-            // Mock whoami endpoint for testing workload authentication independently
-            handleWhoamiRequest(req, res);
-        }
-        else if (pathname === '/webhook') {
-            // Webhook endpoint for tenant status updates
-            handleWebhook(req, res);
-        }
-        else if (pathname === '/health' || pathname === '/') {
-            res.writeHead(200, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ status: 'ok', service: 'esv-mock-server' }));
-        }
-        else {
-            res.writeHead(404, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ error: 'Not found' }));
-        }
-    }
-    catch (error) {
-        console.error('[ESV Server] Error handling request:', error);
-        res.writeHead(500, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: 'Internal server error' }));
-    }
-}
-/**
- * Start the ESV mock server
- *
- * @param options - Server configuration options
- * @returns Promise that resolves when the server is listening
- */
-export function startServer(options = {}) {
-    const { port = DEFAULT_PORT, host = DEFAULT_HOST, verbose = false } = options;
-    if (isStarted && server) {
-        if (verbose) {
-            console.log('[ESV Server] Server already running');
-        }
-        return Promise.resolve();
-    }
-    return new Promise((resolve, reject) => {
-        try {
-            // Initialize cryptographic keys
-            initializeKeys();
-            // Reset state for fresh start
-            resetState();
-            server = createServer((req, res) => {
-                handleRequest(req, res, verbose).catch((error) => {
-                    console.error('[ESV Server] Unhandled error:', error);
-                    if (!res.headersSent) {
-                        res.writeHead(500, { 'Content-Type': 'application/json' });
-                        res.end(JSON.stringify({ error: 'Internal server error' }));
-                    }
-                });
-            });
-            server.on('error', (error) => {
-                if (error.code === 'EADDRINUSE') {
-                    // Port already in use - maybe server is already running
-                    if (verbose) {
-                        console.log(`[ESV Server] Port ${port} already in use, assuming server is running`);
-                    }
-                    isStarted = true;
-                    resolve();
-                }
-                else {
-                    reject(error);
-                }
-            });
-            server.listen(port, host, () => {
-                isStarted = true;
-                console.log(`[ESV Server] Running at http://${host}:${port}/`);
-                console.log('[ESV Server] Endpoints:');
-                console.log(`  - Vault:    http://${host}:${port}/vault/v1/secret/data/esv/config`);
-                console.log(`  - SSO:      http://${host}:${port}/sso/*`);
-                console.log(`  - IAM:      http://${host}:${port}/iam/*`);
-                console.log(`  - Workload: http://${host}:${port}/workload/*`);
-                console.log(`  - Whoami:   http://${host}:${port}/api/whoami`);
-                console.log(`  - Webhook:  http://${host}:${port}/webhook`);
-                resolve();
-            });
-        }
-        catch (error) {
-            reject(error);
-        }
-    });
-}
-/**
- * Stop the ESV mock server
- *
- * @returns Promise that resolves when the server has stopped
- */
-export function stopServer() {
-    return new Promise((resolve, reject) => {
-        if (!server) {
-            isStarted = false;
-            resolve();
-            return;
-        }
-        server.close((error) => {
-            if (error) {
-                // Ignore errors if server wasn't running
-                if (error.code === 'ERR_SERVER_NOT_RUNNING') {
-                    server = null;
-                    isStarted = false;
-                    resolve();
-                    return;
-                }
-                reject(error);
-                return;
-            }
-            server = null;
-            isStarted = false;
-            console.log('[ESV Server] Stopped');
-            resolve();
-        });
-    });
-}
-/**
- * Check if the server is running
- */
-export function isServerRunning() {
-    return isStarted;
-}
-/**
- * Get the server URL
- */
-export function getServerUrl(options = {}) {
-    const { port = DEFAULT_PORT, host = DEFAULT_HOST } = options;
-    return `http://${host}:${port}`;
-}
-//# sourceMappingURL=server.js.map

package/dist/server/server.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/server/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,YAAY,EAA0D,MAAM,WAAW,CAAC;AACjG,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAE3E;;GAEG;AACH,KAAK,UAAU,aAAa,CAAC,GAAoB,EAAE,GAAmB;IACpE,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC1B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC,CAAC;QACzD,OAAO;IACT,CAAC;IAED,oBAAoB;IACpB,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE;QACvB,IAAI,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;QACjB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,kFAAkF;YAClF,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,MAAM,EAAE,CAAC;YAChB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,YAAY,GAAG,IAAI,CAAC;AAC1B,MAAM,YAAY,GAAG,WAAW,CAAC;AAEjC,IAAI,MAAM,GAAkB,IAAI,CAAC;AACjC,IAAI,SAAS,GAAG,KAAK,CAAC;AAyBtB;;GAEG;AACH,KAAK,UAAU,aAAa,CAAC,GAAoB,EAAE,GAAmB,EAAE,OAAgB;IACtF,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAClE,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAE9B,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,gBAAgB,GAAG,CAAC,MAAM,IAAI,QAAQ,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,yCAAyC;IACzC,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;IAClD,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,wCAAwC,CAAC,CAAC;IACxF,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,4CAA4C,CAAC,CAAC;IAE5F,4BAA4B;IAC5B,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACnB,GAAG,CAAC,GAAG,EAAE,CAAC;QACV,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,+BAA+B;QAC/B,IAAI,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,kBAAkB,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;QACzC,CAAC;aAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACvC,MAAM,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC7C,CAAC;aAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACvC,MAAM,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC7C,CAAC;aAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAC5C,MAAM,qBAAqB,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;QAClD,CAAC;aAAM,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;YACtC,yEAAyE;YACzE,mBAAmB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAChC,CAAC;aAAM,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;YACnC,6CAA6C;YAC7C,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC1B,CAAC;aAAM,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,GAAG,EAAE,CAAC;YACtD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC;QACxE,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;QAC7D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,UAAyB,EAAE;IACrD,MAAM,EAAE,IAAI,GAAG,YAAY,EAAE,IAAI,GAAG,YAAY,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAE9E,IAAI,SAAS,IAAI,MAAM,EAAE,CAAC;QACxB,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;QACrD,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,CAAC;YACH,gCAAgC;YAChC,cAAc,EAAE,CAAC;YAEjB,8BAA8B;YAC9B,UAAU,EAAE,CAAC;YAEb,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;gBACjC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;oBAC/C,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;oBACtD,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;wBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;wBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC,CAAC;oBAC9D,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAA4B,EAAE,EAAE;gBAClD,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBAChC,wDAAwD;oBACxD,IAAI,OAAO,EAAE,CAAC;wBACZ,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,6CAA6C,CAAC,CAAC;oBACtF,CAAC;oBACD,SAAS,GAAG,IAAI,CAAC;oBACjB,OAAO,EAAE,CAAC;gBACZ,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,KAAK,CAAC,CAAC;gBAChB,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;gBAC7B,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO,CAAC,GAAG,CAAC,kCAAkC,IAAI,IAAI,IAAI,GAAG,CAAC,CAAC;gBAC/D,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;gBACvC,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,IAAI,IAAI,kCAAkC,CAAC,CAAC;gBACpF,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,IAAI,IAAI,QAAQ,CAAC,CAAC;gBAC1D,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,IAAI,IAAI,QAAQ,CAAC,CAAC;gBAC1D,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,IAAI,IAAI,aAAa,CAAC,CAAC;gBAC/D,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,IAAI,IAAI,aAAa,CAAC,CAAC;gBAC/D,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,IAAI,IAAI,UAAU,CAAC,CAAC;gBAC5D,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,CAAC;QAChB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU;IACxB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,SAAS,GAAG,KAAK,CAAC;YAClB,OAAO,EAAE,CAAC;YACV,OAAO;QACT,CAAC;QAED,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACrB,IAAI,KAAK,EAAE,CAAC;gBACV,yCAAyC;gBACzC,IAAK,KAA+B,CAAC,IAAI,KAAK,wBAAwB,EAAE,CAAC;oBACvE,MAAM,GAAG,IAAI,CAAC;oBACd,SAAS,GAAG,KAAK,CAAC;oBAClB,OAAO,EAAE,CAAC;oBACV,OAAO;gBACT,CAAC;gBACD,MAAM,CAAC,KAAK,CAAC,CAAC;gBACd,OAAO;YACT,CAAC;YAED,MAAM,GAAG,IAAI,CAAC;YACd,SAAS,GAAG,KAAK,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;YACpC,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,UAAyB,EAAE;IACtD,MAAM,EAAE,IAAI,GAAG,YAAY,EAAE,IAAI,GAAG,YAAY,EAAE,GAAG,OAAO,CAAC;IAC7D,OAAO,UAAU,IAAI,IAAI,IAAI,EAAE,CAAC;AAClC,CAAC"}

package/dist/server/sso.d.ts

@@ -1,11 +0,0 @@
-/**
- * SSO/OIDC endpoint handlers for the ESV mock server
- *
- * Implements a minimal OIDC provider for testing SSO integrations.
- */
-import type { IncomingMessage, ServerResponse } from 'node:http';
-/**
- * Handle SSO requests
- */
-export declare function handleSsoRequest(req: IncomingMessage, res: ServerResponse, pathname: string): Promise<void>;
-//# sourceMappingURL=sso.d.ts.map

package/dist/server/sso.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"sso.d.ts","sourceRoot":"","sources":["../../src/server/sso.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAqCjE;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,eAAe,EAAE,GAAG,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAsDjH"}

package/dist/server/sso.js

@@ -1,428 +0,0 @@
-/**
- * SSO/OIDC endpoint handlers for the ESV mock server
- *
- * Implements a minimal OIDC provider for testing SSO integrations.
- */
-import { generateRandomString, generateUUID, getJwks, signJwt, verifyCodeChallenge } from './crypto.js';
-import { createSession, deleteAuthCode, deleteRefreshToken, deleteSession, getAuthCode, getRefreshToken, getTestUser, storeAuthCode, storeRefreshToken, } from './state.js';
-const ISSUER = 'http://localhost:3555/sso';
-const TOKEN_EXPIRY = 3600; // 1 hour
-const REFRESH_EXPIRY = 86400; // 24 hours
-const CODE_EXPIRY = 300; // 5 minutes
-/**
- * Parse request body as URL-encoded form data
- */
-async function parseFormBody(req) {
-    return new Promise((resolve, reject) => {
-        let body = '';
-        req.on('data', (chunk) => {
-            body += chunk.toString();
-        });
-        req.on('end', () => {
-            resolve(new URLSearchParams(body));
-        });
-        req.on('error', reject);
-    });
-}
-/**
- * Handle SSO requests
- */
-export async function handleSsoRequest(req, res, pathname) {
-    // Remove /sso prefix
-    const ssoPath = pathname.replace(/^\/sso/, '');
-    // GET /sso/authorize - Authorization endpoint
-    if (req.method === 'GET' && ssoPath === '/authorize') {
-        await handleAuthorize(req, res);
-        return;
-    }
-    // POST /sso/token - Token endpoint
-    if (req.method === 'POST' && ssoPath === '/token') {
-        await handleToken(req, res);
-        return;
-    }
-    // GET /sso/certs - JWKS endpoint
-    if (req.method === 'GET' && ssoPath === '/certs') {
-        handleCerts(res);
-        return;
-    }
-    // POST /sso/revoke - Token revocation
-    if (req.method === 'POST' && ssoPath === '/revoke') {
-        await handleRevoke(req, res);
-        return;
-    }
-    // GET /sso/userinfo - User info endpoint
-    if (req.method === 'GET' && ssoPath === '/userinfo') {
-        handleUserInfo(req, res);
-        return;
-    }
-    // GET /sso/logout - End session endpoint
-    if (req.method === 'GET' && ssoPath === '/logout') {
-        handleLogout(req, res);
-        return;
-    }
-    // POST /sso/logout - Back-channel logout
-    if (req.method === 'POST' && ssoPath === '/logout/backchannel') {
-        await handleBackChannelLogout(req, res);
-        return;
-    }
-    // GET /sso/.well-known/openid-configuration
-    if (req.method === 'GET' && ssoPath === '/.well-known/openid-configuration') {
-        handleOpenIDConfig(res);
-        return;
-    }
-    res.writeHead(404, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ error: 'not_found' }));
-}
-/**
- * Authorization endpoint - issues authorization codes
- *
- * In a real implementation, this would show a login form.
- * For testing, we auto-authenticate with the test user.
- */
-async function handleAuthorize(req, res) {
-    const url = new URL(req.url || '', `http://${req.headers.host}`);
-    const params = url.searchParams;
-    const clientId = params.get('client_id');
-    const redirectUri = params.get('redirect_uri');
-    const responseType = params.get('response_type');
-    const scope = params.get('scope') || 'openid';
-    const state = params.get('state');
-    const codeChallenge = params.get('code_challenge');
-    const codeChallengeMethod = params.get('code_challenge_method');
-    // Validate required parameters
-    if (!clientId || !redirectUri || !responseType) {
-        res.writeHead(400, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({
-            error: 'invalid_request',
-            error_description: 'Missing required parameters',
-        }));
-        return;
-    }
-    if (responseType !== 'code') {
-        res.writeHead(400, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({
-            error: 'unsupported_response_type',
-            error_description: 'Only code response type is supported',
-        }));
-        return;
-    }
-    // Generate authorization code
-    const testUser = getTestUser();
-    const code = generateRandomString(32);
-    const authCode = {
-        code,
-        userId: testUser.id,
-        clientId,
-        redirectUri,
-        scope,
-        codeChallenge: codeChallenge || undefined,
-        codeChallengeMethod: codeChallengeMethod || undefined,
-        state: state || undefined,
-        createdAt: new Date(),
-        expiresAt: new Date(Date.now() + CODE_EXPIRY * 1000),
-    };
-    storeAuthCode(authCode);
-    // Redirect back with code
-    const redirectUrl = new URL(redirectUri);
-    redirectUrl.searchParams.set('code', code);
-    if (state) {
-        redirectUrl.searchParams.set('state', state);
-    }
-    res.writeHead(302, { Location: redirectUrl.toString() });
-    res.end();
-}
-/**
- * Token endpoint - exchanges codes for tokens or refreshes tokens
- */
-async function handleToken(req, res) {
-    const body = await parseFormBody(req);
-    const grantType = body.get('grant_type');
-    if (grantType === 'authorization_code') {
-        await handleAuthorizationCodeGrant(body, res);
-    }
-    else if (grantType === 'refresh_token') {
-        await handleRefreshTokenGrant(body, res);
-    }
-    else {
-        res.writeHead(400, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({
-            error: 'unsupported_grant_type',
-            error_description: 'Only authorization_code and refresh_token are supported',
-        }));
-    }
-}
-/**
- * Handle authorization code exchange
- */
-async function handleAuthorizationCodeGrant(body, res) {
-    const code = body.get('code');
-    const redirectUri = body.get('redirect_uri');
-    const codeVerifier = body.get('code_verifier');
-    if (!code || !redirectUri) {
-        res.writeHead(400, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({
-            error: 'invalid_request',
-            error_description: 'Missing code or redirect_uri',
-        }));
-        return;
-    }
-    const authCode = getAuthCode(code);
-    if (!authCode) {
-        res.writeHead(400, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({
-            error: 'invalid_grant',
-            error_description: 'Invalid or expired authorization code',
-        }));
-        return;
-    }
-    // Validate redirect URI
-    if (authCode.redirectUri !== redirectUri) {
-        res.writeHead(400, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({
-            error: 'invalid_grant',
-            error_description: 'Redirect URI mismatch',
-        }));
-        return;
-    }
-    // Validate PKCE if present
-    if (authCode.codeChallenge && authCode.codeChallengeMethod === 'S256') {
-        if (!codeVerifier || !verifyCodeChallenge(codeVerifier, authCode.codeChallenge)) {
-            res.writeHead(400, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({
-                error: 'invalid_grant',
-                error_description: 'Invalid code verifier',
-            }));
-            return;
-        }
-    }
-    // Delete used code
-    deleteAuthCode(code);
-    // Create session
-    const sessionId = generateUUID();
-    createSession({
-        id: sessionId,
-        userId: authCode.userId,
-        createdAt: new Date(),
-        lastActivityAt: new Date(),
-    });
-    // Generate tokens
-    const testUser = getTestUser();
-    const tokens = generateTokens(testUser, authCode.clientId, authCode.scope, sessionId);
-    res.writeHead(200, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify(tokens));
-}
-/**
- * Handle refresh token grant
- */
-async function handleRefreshTokenGrant(body, res) {
-    const refreshToken = body.get('refresh_token');
-    if (!refreshToken) {
-        res.writeHead(400, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({
-            error: 'invalid_request',
-            error_description: 'Missing refresh_token',
-        }));
-        return;
-    }
-    const tokenData = getRefreshToken(refreshToken);
-    if (!tokenData || tokenData.expiresAt < new Date()) {
-        res.writeHead(400, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({
-            error: 'invalid_grant',
-            error_description: 'Invalid or expired refresh token',
-        }));
-        return;
-    }
-    // Delete old refresh token (rotation)
-    deleteRefreshToken(refreshToken);
-    // Generate new tokens
-    const testUser = getTestUser();
-    const tokens = generateTokens(testUser, tokenData.clientId, tokenData.scope, tokenData.sessionId);
-    res.writeHead(200, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify(tokens));
-}
-/**
- * Generate access token, ID token, and refresh token
- */
-function generateTokens(user, clientId, scope, sessionId) {
-    const now = Math.floor(Date.now() / 1000);
-    // ID Token claims
-    const idTokenClaims = {
-        iss: ISSUER,
-        sub: user.id,
-        aud: clientId,
-        nonce: generateRandomString(16),
-        sid: sessionId,
-        auth_time: now,
-        email: user.email,
-        email_verified: true,
-        name: user.name,
-        given_name: user.givenName,
-        family_name: user.familyName,
-        preferred_username: user.userName,
-        picture: user.picture,
-    };
-    // Access token claims
-    const accessTokenClaims = {
-        iss: ISSUER,
-        sub: user.id,
-        aud: clientId,
-        scope,
-        sid: sessionId,
-    };
-    const idToken = signJwt(idTokenClaims, TOKEN_EXPIRY);
-    const accessToken = signJwt(accessTokenClaims, TOKEN_EXPIRY);
-    const refreshTokenValue = generateRandomString(64);
-    // Store refresh token
-    const refreshToken = {
-        token: refreshTokenValue,
-        userId: user.id,
-        clientId,
-        scope,
-        sessionId,
-        createdAt: new Date(),
-        expiresAt: new Date(Date.now() + REFRESH_EXPIRY * 1000),
-    };
-    storeRefreshToken(refreshToken);
-    return {
-        access_token: accessToken,
-        token_type: 'Bearer',
-        expires_in: TOKEN_EXPIRY,
-        refresh_token: refreshTokenValue,
-        refresh_expires_in: REFRESH_EXPIRY,
-        id_token: idToken,
-        scope,
-        session_state: sessionId,
-    };
-}
-/**
- * JWKS endpoint
- */
-function handleCerts(res) {
-    const jwks = getJwks();
-    res.writeHead(200, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify(jwks));
-}
-/**
- * Token revocation endpoint
- */
-async function handleRevoke(req, res) {
-    const body = await parseFormBody(req);
-    const token = body.get('token');
-    const tokenTypeHint = body.get('token_type_hint');
-    if (token) {
-        if (tokenTypeHint === 'refresh_token' || !tokenTypeHint) {
-            deleteRefreshToken(token);
-        }
-        // Access tokens are stateless, can't be revoked
-    }
-    res.writeHead(200, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ success: true }));
-}
-/**
- * User info endpoint
- */
-function handleUserInfo(req, res) {
-    // Extract and validate token
-    const authHeader = req.headers.authorization;
-    if (!authHeader?.startsWith('Bearer ')) {
-        res.writeHead(401, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: 'invalid_token' }));
-        return;
-    }
-    // For simplicity, we don't validate the token here - just return test user
-    const user = getTestUser();
-    res.writeHead(200, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({
-        sub: user.id,
-        email: user.email,
-        email_verified: true,
-        name: user.name,
-        given_name: user.givenName,
-        family_name: user.familyName,
-        preferred_username: user.userName,
-        picture: user.picture,
-    }));
-}
-/**
- * End session / logout endpoint
- */
-function handleLogout(req, res) {
-    const url = new URL(req.url || '', `http://${req.headers.host}`);
-    const postLogoutRedirectUri = url.searchParams.get('post_logout_redirect_uri');
-    if (postLogoutRedirectUri) {
-        res.writeHead(302, { Location: postLogoutRedirectUri });
-        res.end();
-    }
-    else {
-        res.writeHead(200, { 'Content-Type': 'text/html' });
-        res.end('<html><body><h1>Logged out</h1></body></html>');
-    }
-}
-/**
- * Back-channel logout endpoint
- */
-async function handleBackChannelLogout(req, res) {
-    const body = await parseFormBody(req);
-    const logoutToken = body.get('logout_token');
-    if (!logoutToken) {
-        res.writeHead(400, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: 'invalid_request', error_description: 'Missing logout_token' }));
-        return;
-    }
-    // Parse the logout token to get sid
-    try {
-        const parts = logoutToken.split('.');
-        if (parts.length >= 2) {
-            const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf-8'));
-            if (payload.sid) {
-                deleteSession(payload.sid);
-            }
-        }
-    }
-    catch {
-        // Ignore parsing errors
-    }
-    res.writeHead(200, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ success: true }));
-}
-/**
- * OpenID Configuration endpoint
- */
-function handleOpenIDConfig(res) {
-    res.writeHead(200, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({
-        issuer: ISSUER,
-        authorization_endpoint: `${ISSUER}/authorize`,
-        token_endpoint: `${ISSUER}/token`,
-        userinfo_endpoint: `${ISSUER}/userinfo`,
-        jwks_uri: `${ISSUER}/certs`,
-        end_session_endpoint: `${ISSUER}/logout`,
-        revocation_endpoint: `${ISSUER}/revoke`,
-        response_types_supported: ['code'],
-        subject_types_supported: ['public'],
-        id_token_signing_alg_values_supported: ['RS256'],
-        scopes_supported: ['openid', 'profile', 'email'],
-        token_endpoint_auth_methods_supported: ['client_secret_post', 'client_secret_basic'],
-        claims_supported: [
-            'sub',
-            'iss',
-            'aud',
-            'exp',
-            'iat',
-            'nonce',
-            'email',
-            'email_verified',
-            'name',
-            'given_name',
-            'family_name',
-            'preferred_username',
-            'picture',
-            'sid',
-        ],
-        code_challenge_methods_supported: ['S256'],
-        backchannel_logout_supported: true,
-        backchannel_logout_session_supported: true,
-    }));
-}
-//# sourceMappingURL=sso.js.map