@enterprisestandard/react 0.0.4 → 0.0.5-beta.20260114.1

package/dist/types/workload-schema.d.ts

@@ -0,0 +1,106 @@
+import type { StandardSchemaV1 } from './standard-schema';
+/**
+ * JWT Assertion Claims for OAuth2 JWT Bearer Grant (RFC 7523) and OAuth2 Access Tokens
+ * @see https://datatracker.ietf.org/doc/html/rfc7523
+ * @see https://datatracker.ietf.org/doc/html/rfc9068
+ */
+export interface JWTAssertionClaims {
+    /**
+     * REQUIRED. Issuer - the workload identity (e.g., SPIFFE ID) or authorization server
+     */
+    iss: string;
+    /**
+     * REQUIRED. Subject - the workload identity or service account
+     */
+    sub: string;
+    /**
+     * OPTIONAL. Audience - may be a string or array of strings
+     * Note: Required for JWT assertions, but may be absent in OAuth2 access tokens
+     */
+    aud?: string | string[];
+    /**
+     * REQUIRED. Expiration time (Unix timestamp)
+     */
+    exp: number;
+    /**
+     * REQUIRED. Issued at time (Unix timestamp)
+     */
+    iat: number;
+    /**
+     * OPTIONAL. JWT ID - unique identifier for this token
+     * Note: Required for JWT assertions, optional for access tokens
+     */
+    jti?: string;
+    /**
+     * OPTIONAL. Requested OAuth scopes (space-delimited)
+     */
+    scope?: string;
+    /**
+     * Allow additional claims for extensibility
+     */
+    [key: string]: unknown;
+}
+/**
+ * Creates a StandardSchemaV1 for validating JWT Assertion Claims.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for JWT Assertion Claims validation
+ */
+export declare function jwtAssertionClaimsSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, JWTAssertionClaims>;
+/**
+ * Workload Token Response from OAuth2 token endpoint
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+ */
+export interface WorkloadTokenResponse {
+    /**
+     * REQUIRED. The access token issued by the authorization server.
+     */
+    access_token: string;
+    /**
+     * REQUIRED. The type of the token (typically "Bearer").
+     */
+    token_type: string;
+    /**
+     * RECOMMENDED. The lifetime in seconds of the access token.
+     */
+    expires_in?: number;
+    /**
+     * OPTIONAL. The scope of the access token.
+     */
+    scope?: string;
+    /**
+     * OPTIONAL. The refresh token (rarely used for workload identities).
+     */
+    refresh_token?: string;
+    /**
+     * OPTIONAL. The expiration time as an ISO 8601 string.
+     */
+    expires?: string;
+}
+/**
+ * Creates a StandardSchemaV1 for validating Workload Token Responses.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for Workload Token Response validation
+ */
+export declare function workloadTokenResponseSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, WorkloadTokenResponse>;
+/**
+ * Token Validation Result
+ */
+export interface TokenValidationResult {
+    /**
+     * Whether the token is valid
+     */
+    valid: boolean;
+    /**
+     * The decoded and validated claims (if valid)
+     */
+    claims?: JWTAssertionClaims;
+    /**
+     * Error message (if invalid)
+     */
+    error?: string;
+    /**
+     * Token expiration time (if valid)
+     */
+    expiresAt?: Date;
+}
+//# sourceMappingURL=workload-schema.d.ts.map

package/dist/types/workload-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workload-schema.d.ts","sourceRoot":"","sources":["../../src/types/workload-schema.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAE1D;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAExB;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,MAAM,GACb,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,kBAAkB,CAAC,CA6F/D;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC;;OAEG;IACH,YAAY,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;GAIG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,MAAM,GACb,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB,CAAC,CA4GlE;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;OAEG;IACH,KAAK,EAAE,OAAO,CAAC;IAEf;;OAEG;IACH,MAAM,CAAC,EAAE,kBAAkB,CAAC;IAE5B;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB"}

package/dist/ui/sso-provider.d.ts

@@ -1,5 +1,5 @@
 import { type ReactNode } from 'react';
-import type { EnterpriseUser } from '../enterprise-user';
+import type { User } from '../types/user';
 type StorageType = 'local' | 'session' | 'memory';
 interface SSOProviderProps {
     tenantId?: string;
@@ -12,8 +12,8 @@ interface SSOProviderProps {
     children: ReactNode;
 }
 interface SSOContext {
-    user: EnterpriseUser | null;
-    setUser: (user: EnterpriseUser | null) => void;
+    user: User | null;
+    setUser: (user: User | null) => void;
     isLoading: boolean;
     tokenUrl?: string;
     refreshUrl?: string;

package/dist/ui/sso-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sso-provider.d.ts","sourceRoot":"","sources":["../../src/ui/sso-provider.tsx"],"names":[],"mappings":"AAAA,OAAO,EAAiB,KAAK,SAAS,EAAgD,MAAM,OAAO,CAAC;AACpG,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEzD,KAAK,WAAW,GAAG,OAAO,GAAG,SAAS,GAAG,QAAQ,CAAC;AAElD,UAAU,gBAAgB;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,EAAE,SAAS,CAAC;CACrB;AAED,UAAU,UAAU;IAClB,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,OAAO,EAAE,CAAC,IAAI,EAAE,cAAc,GAAG,IAAI,KAAK,IAAI,CAAC;IAC/C,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAWD,wBAAgB,WAAW,CAAC,EAC1B,QAAQ,EACR,OAAkB,EAClB,UAAU,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EACV,eAAuB,EACvB,QAAQ,GACT,EAAE,gBAAgB,2CA8JlB;AAED,wBAAgB,OAAO,IAAI,UAAU,CAMpC;AAOD,UAAU,cAAc;IACtB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED,wBAAgB,QAAQ,IAAI,cAAc,CAiGzC;AAED,wBAAsB,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA6C7F"}
+{"version":3,"file":"sso-provider.d.ts","sourceRoot":"","sources":["../../src/ui/sso-provider.tsx"],"names":[],"mappings":"AAAA,OAAO,EAAiB,KAAK,SAAS,EAAgD,MAAM,OAAO,CAAC;AACpG,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAE1C,KAAK,WAAW,GAAG,OAAO,GAAG,SAAS,GAAG,QAAQ,CAAC;AAElD,UAAU,gBAAgB;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,EAAE,SAAS,CAAC;CACrB;AAED,UAAU,UAAU;IAClB,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAClB,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,KAAK,IAAI,CAAC;IACrC,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAWD,wBAAgB,WAAW,CAAC,EAC1B,QAAQ,EACR,OAAkB,EAClB,UAAU,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EACV,eAAuB,EACvB,QAAQ,GACT,EAAE,gBAAgB,2CA8JlB;AAED,wBAAgB,OAAO,IAAI,UAAU,CAMpC;AAOD,UAAU,cAAc;IACtB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED,wBAAgB,QAAQ,IAAI,cAAc,CAiGzC;AAED,wBAAsB,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA6C7F"}

package/dist/user-store.d.ts

@@ -0,0 +1,161 @@
+/**
+ * User storage for persisting user profiles from SSO authentication.
+ *
+ * User stores are optional - the package works with JWT cookies alone.
+ * User stores are useful when you want to:
+ * - Cache user profiles for fast lookup
+ * - Store users close to your application (in-memory, Redis, etc.)
+ * - Avoid custom IAM/SCIM integration for simple use cases
+ *
+ * ## When to Use UserStore vs IAM
+ *
+ * **Use UserStore when:**
+ * - You just need fast user lookups without external systems
+ * - Users are managed by an external IdP and you just cache them locally
+ * - You want simple in-memory or Redis storage
+ *
+ * **Use IAM (SCIM) when:**
+ * - You need to provision users to an external identity provider
+ * - You need custom user attributes beyond what SSO provides
+ * - You need to sync users with enterprise directories
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import { sso, InMemoryUserStore } from '@enterprisestandard/react/server';
+ *
+ * const userStore = new InMemoryUserStore();
+ *
+ * const auth = sso({
+ *   // ... other config
+ *   user_store: userStore,
+ * });
+ *
+ * // Later, look up users
+ * const user = await userStore.get('user-sub-id');
+ * const userByEmail = await userStore.getByEmail('user@example.com');
+ * ```
+ */
+import type { User } from './types/user';
+/**
+ * Stored user data with required id and tracking metadata.
+ *
+ * Extends the SSO User type with:
+ * - Required `id` (the `sub` claim from the IdP)
+ * - Timestamps for tracking when users were first seen and last updated
+ * - Optional custom extended data
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to users
+ */
+export type StoredUser<TExtended = {}> = User & {
+    /**
+     * Required unique identifier (the `sub` claim from the IdP).
+     * This is the primary key for user storage.
+     */
+    id: string;
+    /**
+     * Timestamp when the user was first stored.
+     */
+    createdAt: Date;
+    /**
+     * Timestamp when the user was last updated (e.g., on re-login).
+     */
+    updatedAt: Date;
+} & TExtended;
+/**
+ * Abstract interface for user storage backends.
+ *
+ * Consumers can implement this interface to use different storage backends:
+ * - In-memory (for development/testing)
+ * - Redis (for production with fast lookups)
+ * - Database (PostgreSQL, MySQL, etc.)
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to users
+ *
+ * @example
+ * ```typescript
+ * // Custom user data
+ * type MyUserData = {
+ *   department: string;
+ *   roles: string[];
+ * };
+ *
+ * // Implement custom store
+ * class RedisUserStore implements UserStore<MyUserData> {
+ *   async get(sub: string): Promise<StoredUser<MyUserData> | null> {
+ *     const data = await redis.get(`user:${sub}`);
+ *     return data ? JSON.parse(data) : null;
+ *   }
+ *   // ... other methods
+ * }
+ * ```
+ */
+export interface UserStore<TExtended = {}> {
+    /**
+     * Retrieve a user by their subject identifier (sub).
+     *
+     * @param sub - The user's unique identifier from the IdP
+     * @returns The user if found, null otherwise
+     */
+    get(sub: string): Promise<StoredUser<TExtended> | null>;
+    /**
+     * Retrieve a user by their email address.
+     *
+     * @param email - The user's email address
+     * @returns The user if found, null otherwise
+     */
+    getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
+    /**
+     * Retrieve a user by their username.
+     *
+     * @param userName - The user's username
+     * @returns The user if found, null otherwise
+     */
+    getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
+    /**
+     * Create or update a user in the store.
+     *
+     * If a user with the same `id` (sub) exists, it will be updated.
+     * Otherwise, a new user will be created.
+     *
+     * @param user - The user data to store
+     */
+    upsert(user: StoredUser<TExtended>): Promise<void>;
+    /**
+     * Delete a user by their subject identifier (sub).
+     *
+     * @param sub - The user's unique identifier to delete
+     */
+    delete(sub: string): Promise<void>;
+}
+/**
+ * In-memory user store implementation using Maps.
+ *
+ * Suitable for:
+ * - Development and testing
+ * - Single-server deployments
+ * - Applications without high availability requirements
+ *
+ * NOT suitable for:
+ * - Multi-server deployments (users not shared)
+ * - High availability scenarios (users lost on restart)
+ * - Production applications with distributed architecture
+ *
+ * For production, implement UserStore with Redis or a database.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to users
+ */
+export declare class InMemoryUserStore<TExtended = {}> implements UserStore<TExtended> {
+    /** Primary storage: sub -> user */
+    private users;
+    /** Secondary index: email -> sub */
+    private emailIndex;
+    /** Secondary index: userName -> sub */
+    private userNameIndex;
+    get(sub: string): Promise<StoredUser<TExtended> | null>;
+    getByEmail(email: string): Promise<StoredUser<TExtended> | null>;
+    getByUserName(userName: string): Promise<StoredUser<TExtended> | null>;
+    upsert(user: StoredUser<TExtended>): Promise<void>;
+    delete(sub: string): Promise<void>;
+}
+//# sourceMappingURL=user-store.d.ts.map

package/dist/user-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-store.d.ts","sourceRoot":"","sources":["../src/user-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AAEzC;;;;;;;;;GASG;AACH,MAAM,MAAM,UAAU,CAAC,SAAS,GAAG,EAAE,IAAI,IAAI,GAAG;IAC9C;;;OAGG;IACH,EAAE,EAAE,MAAM,CAAC;IAEX;;OAEG;IACH,SAAS,EAAE,IAAI,CAAC;IAEhB;;OAEG;IACH,SAAS,EAAE,IAAI,CAAC;CACjB,GAAG,SAAS,CAAC;AAEd;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,WAAW,SAAS,CAAC,SAAS,GAAG,EAAE;IACvC;;;;;OAKG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IAExD;;;;;OAKG;IACH,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IAEjE;;;;;OAKG;IACH,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IAEvE;;;;;;;OAOG;IACH,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnD;;;;OAIG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,iBAAiB,CAAC,SAAS,GAAG,EAAE,CAAE,YAAW,SAAS,CAAC,SAAS,CAAC;IAC5E,mCAAmC;IACnC,OAAO,CAAC,KAAK,CAA4C;IAEzD,oCAAoC;IACpC,OAAO,CAAC,UAAU,CAA6B;IAE/C,uCAAuC;IACvC,OAAO,CAAC,aAAa,CAA6B;IAE5C,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;IAIvD,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;IAMhE,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;IAMtE,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAyBlD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAazC"}

package/dist/workload-server.d.ts

@@ -0,0 +1,126 @@
+import type { TokenValidationResult } from './types/workload-schema';
+import type { ESConfig, WorkloadIdentity } from './workload';
+/**
+ * Get the workload identity from an incoming request.
+ * Returns undefined if no valid workload token is present.
+ *
+ * @param request - Request with Authorization header
+ * @param config - Optional EnterpriseStandard configuration
+ * @returns WorkloadIdentity or undefined
+ *
+ * @example
+ * ```typescript
+ * import { getWorkload } from '@enterprisestandard/react';
+ *
+ * export async function handler(request: Request) {
+ *   const workload = await getWorkload(request);
+ *
+ *   if (!workload) {
+ *     return new Response('Unauthorized', { status: 401 });
+ *   }
+ *
+ *   console.log('Request from workload:', workload.workload_id);
+ *   // ... process authenticated request
+ * }
+ * ```
+ */
+export declare function getWorkload(request: Request, config?: ESConfig): Promise<WorkloadIdentity | undefined>;
+/**
+ * Get an access token for the configured workload identity.
+ *
+ * @param scope - Optional OAuth2 scopes (space-delimited)
+ * @param config - Optional EnterpriseStandard configuration
+ * @returns Access token string
+ *
+ * @example
+ * ```typescript
+ * import { getWorkloadToken } from '@enterprisestandard/react/server';
+ *
+ * // Get token for API calls
+ * const token = await getWorkloadToken('api:read api:write');
+ *
+ * // Use in outbound requests
+ * const response = await fetch('https://api.example.com/data', {
+ *   headers: { 'Authorization': `Bearer ${token}` },
+ * });
+ * ```
+ */
+export declare function getWorkloadToken(scope?: string, config?: ESConfig): Promise<string>;
+/**
+ * Validate a workload token from an incoming request.
+ *
+ * @param request - Request with Authorization header
+ * @param config - Optional EnterpriseStandard configuration
+ * @returns Token validation result
+ *
+ * @example
+ * ```typescript
+ * import { validateWorkloadToken } from '@enterprisestandard/react/server';
+ *
+ * export async function handler(request: Request) {
+ *   const result = await validateWorkloadToken(request);
+ *
+ *   if (!result.valid) {
+ *     return new Response(
+ *       JSON.stringify({ error: result.error }),
+ *       { status: 401 }
+ *     );
+ *   }
+ *
+ *   const workloadId = result.claims?.iss;
+ *   // ... process authenticated request
+ * }
+ * ```
+ */
+export declare function validateWorkloadToken(request: Request, config?: ESConfig): Promise<TokenValidationResult>;
+/**
+ * Revoke a workload access token.
+ *
+ * @param token - The access token to revoke
+ * @param config - Optional EnterpriseStandard configuration
+ *
+ * @example
+ * ```typescript
+ * import { revokeWorkloadToken } from '@enterprisestandard/react/server';
+ *
+ * // Revoke token when workload is decommissioned
+ * await revokeWorkloadToken(accessToken);
+ * ```
+ */
+export declare function revokeWorkloadToken(token: string, config?: ESConfig): Promise<void>;
+/**
+ * Framework-agnostic handler for workload authentication routes.
+ *
+ * The handler reads configuration (handler URLs, validation) directly from the
+ * EnterpriseStandard instance, so no config parameter is needed.
+ *
+ * @param request - Incoming request
+ * @param config - Optional ESConfig to specify which EnterpriseStandard instance to use
+ * @returns Response
+ *
+ * @example
+ * ```typescript
+ * import { workloadHandler } from '@enterprisestandard/react/server';
+ *
+ * // TanStack Start example
+ * export const Route = createFileRoute('/api/workload/$')({
+ *   server: {
+ *     handlers: ({ createHandlers }) =>
+ *       createHandlers({
+ *         GET: {
+ *           handler: async ({ request }) => {
+ *             return workloadHandler(request);
+ *           },
+ *         },
+ *         POST: {
+ *           handler: async ({ request }) => {
+ *             return workloadHandler(request);
+ *           },
+ *         },
+ *       }),
+ *   },
+ * });
+ * ```
+ */
+export declare function workloadHandler(request: Request, config?: ESConfig): Promise<Response>;
+//# sourceMappingURL=workload-server.d.ts.map

package/dist/workload-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workload-server.d.ts","sourceRoot":"","sources":["../src/workload-server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAErE,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAmB7D;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,gBAAgB,GAAG,SAAS,CAAC,CAM5G;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAIzF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,qBAAqB,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAa/G;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAIzF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAI5F"}

package/dist/workload-token-store.d.ts

@@ -0,0 +1,187 @@
+/**
+ * Token caching for workload identity authentication.
+ *
+ * Token stores are optional but recommended for performance - they enable:
+ * - Token caching to avoid repeated token acquisition
+ * - Automatic token refresh before expiration
+ * - Reduced load on authorization servers
+ *
+ * ## Token Caching Strategy
+ *
+ * Unlike session stores for user authentication, workload token stores cache
+ * short-lived access tokens (typically 5 minutes) for service-to-service calls.
+ *
+ * **Default Behavior:**
+ * - Tokens cached with 5-minute TTL
+ * - Auto-refresh 60 seconds before expiration
+ * - Expired tokens automatically removed
+ *
+ * ## Performance Characteristics
+ *
+ * | Backend      | Lookup Time | Use Case                    |
+ * |--------------|-------------|----------------------------|
+ * | InMemory     | <0.00005ms  | Single-server deployments  |
+ * | Redis        | 1-2ms       | Multi-server deployments   |
+ * | Database     | 5-20ms      | Persistent token storage   |
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import { workload, InMemoryWorkloadTokenStore } from '@enterprisestandard/react/server';
+ *
+ * // With token caching
+ * const workloadAuth = workload({
+ *   // ... other config
+ *   token_store: new InMemoryWorkloadTokenStore(),
+ *   auto_refresh: true,  // Refresh before expiry
+ * });
+ *
+ * // Without token caching (fetch new token each time)
+ * const workloadAuth = workload({
+ *   // ... config without token_store
+ * });
+ * ```
+ */
+/**
+ * Cached workload token data.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to cached tokens
+ */
+export type CachedWorkloadToken<TExtended = object> = {
+    /**
+     * Workload identifier (typically SPIFFE ID).
+     * Used as the primary key for token lookup.
+     */
+    workload_id: string;
+    /**
+     * OAuth2 access token (Bearer token)
+     */
+    access_token: string;
+    /**
+     * Token type (always "Bearer" for OAuth2)
+     */
+    token_type: string;
+    /**
+     * OAuth2 scopes granted for this token
+     */
+    scope?: string;
+    /**
+     * Timestamp when the token expires.
+     * Used for automatic cleanup and refresh logic.
+     */
+    expires_at: Date;
+    /**
+     * Timestamp when the token was created/cached.
+     */
+    created_at: Date;
+    /**
+     * Optional refresh token (rarely used for workload identities)
+     */
+    refresh_token?: string;
+} & TExtended;
+/**
+ * Abstract interface for workload token storage backends.
+ *
+ * Consumers can implement this interface to use different storage backends:
+ * - Redis (recommended for multi-server deployments)
+ * - Database (PostgreSQL, MySQL, etc. for persistence)
+ * - Distributed cache (Memcached, etc.)
+ * - Custom solutions
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to cached tokens
+ *
+ * @example
+ * ```typescript
+ * // Custom token cache data
+ * type MyTokenData = {
+ *   environment: string;
+ *   region: string;
+ * };
+ *
+ * // Implement custom store with Redis
+ * class RedisWorkloadTokenStore implements WorkloadTokenStore<MyTokenData> {
+ *   async set(token: CachedWorkloadToken<MyTokenData>): Promise<void> {
+ *     const ttl = Math.floor((token.expires_at.getTime() - Date.now()) / 1000);
+ *     await redis.setex(
+ *       `workload:token:${token.workload_id}`,
+ *       ttl,
+ *       JSON.stringify(token)
+ *     );
+ *   }
+ *
+ *   async get(workload_id: string): Promise<CachedWorkloadToken<MyTokenData> | null> {
+ *     const data = await redis.get(`workload:token:${workload_id}`);
+ *     if (!data) return null;
+ *     const token = JSON.parse(data);
+ *     // Convert date strings back to Date objects
+ *     token.expires_at = new Date(token.expires_at);
+ *     token.created_at = new Date(token.created_at);
+ *     return token;
+ *   }
+ *
+ *   // ... other methods
+ * }
+ * ```
+ */
+export interface WorkloadTokenStore<TExtended = object> {
+    /**
+     * Store or update a workload token in the cache.
+     *
+     * @param token - The token data to cache
+     */
+    set(token: CachedWorkloadToken<TExtended>): Promise<void>;
+    /**
+     * Retrieve a cached token by workload ID.
+     *
+     * @param workload_id - The workload identifier (e.g., SPIFFE ID)
+     * @returns The cached token if found and not expired, null otherwise
+     */
+    get(workload_id: string): Promise<CachedWorkloadToken<TExtended> | null>;
+    /**
+     * Delete a cached token by workload ID.
+     *
+     * Used when explicitly revoking tokens or clearing cache.
+     *
+     * @param workload_id - The workload identifier to remove
+     */
+    delete(workload_id: string): Promise<void>;
+    /**
+     * Check if a valid (non-expired) token exists for a workload.
+     *
+     * @param workload_id - The workload identifier to check
+     * @returns true if a valid token exists, false otherwise
+     */
+    isValid(workload_id: string): Promise<boolean>;
+    /**
+     * Remove all expired tokens from the cache.
+     *
+     * Should be called periodically to prevent memory leaks.
+     */
+    cleanup(): Promise<void>;
+}
+/**
+ * In-memory workload token store implementation using Maps.
+ *
+ * Suitable for:
+ * - Development and testing
+ * - Single-server deployments
+ * - Applications without high availability requirements
+ *
+ * NOT suitable for:
+ * - Multi-server deployments (tokens not shared across instances)
+ * - High availability scenarios (tokens lost on restart)
+ * - Production applications with distributed architecture
+ *
+ * For production multi-server deployments, implement WorkloadTokenStore with Redis.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to cached tokens
+ */
+export declare class InMemoryWorkloadTokenStore<TExtended = object> implements WorkloadTokenStore<TExtended> {
+    private tokens;
+    set(token: CachedWorkloadToken<TExtended>): Promise<void>;
+    get(workload_id: string): Promise<CachedWorkloadToken<TExtended> | null>;
+    delete(workload_id: string): Promise<void>;
+    isValid(workload_id: string): Promise<boolean>;
+    cleanup(): Promise<void>;
+}
+//# sourceMappingURL=workload-token-store.d.ts.map

package/dist/workload-token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workload-token-store.d.ts","sourceRoot":"","sources":["../src/workload-token-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,CAAC,SAAS,GAAG,MAAM,IAAI;IACpD;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;OAEG;IACH,YAAY,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,UAAU,EAAE,IAAI,CAAC;IAEjB;;OAEG;IACH,UAAU,EAAE,IAAI,CAAC;IAEjB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,GAAG,SAAS,CAAC;AAEd;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,MAAM,WAAW,kBAAkB,CAAC,SAAS,GAAG,MAAM;IACpD;;;;OAIG;IACH,GAAG,CAAC,KAAK,EAAE,mBAAmB,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1D;;;;;OAKG;IACH,GAAG,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IAEzE;;;;;;OAMG;IACH,MAAM,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE3C;;;;;OAKG;IACH,OAAO,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE/C;;;;OAIG;IACH,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,0BAA0B,CAAC,SAAS,GAAG,MAAM,CAAE,YAAW,kBAAkB,CAAC,SAAS,CAAC;IAClG,OAAO,CAAC,MAAM,CAAqD;IAE7D,GAAG,CAAC,KAAK,EAAE,mBAAmB,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzD,GAAG,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;IAaxE,MAAM,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI1C,OAAO,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK9C,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAQ/B"}