@flink-app/oidc-plugin 1.0.0

package/dist/repos/OidcConnectionRepo.d.ts

@@ -0,0 +1,75 @@
+import { Db } from "mongodb";
+import OidcConnection from "../schemas/OidcConnection";
+/**
+ * Repository for OIDC connections
+ *
+ * Manages persistent connections between users and OIDC providers.
+ * Stores the mapping of app users to IdP subjects, and optionally
+ * stores encrypted tokens for API access.
+ */
+export default class OidcConnectionRepo {
+    private collection;
+    constructor(collectionName: string, db: Db);
+    /**
+     * Create a new OIDC connection
+     *
+     * @param connection - Connection data
+     * @returns Created connection with _id
+     */
+    create(connection: Omit<OidcConnection, "_id">): Promise<OidcConnection>;
+    /**
+     * Find connection by user ID and provider
+     *
+     * @param userId - Application user ID
+     * @param provider - Provider name
+     * @returns Connection or null if not found
+     */
+    findByUserAndProvider(userId: string, provider: string): Promise<OidcConnection | null>;
+    /**
+     * Find connection by subject and issuer
+     *
+     * Used to look up users by their IdP identity.
+     *
+     * @param subject - OIDC subject (sub claim)
+     * @param issuer - OIDC issuer (iss claim)
+     * @returns Connection or null if not found
+     */
+    findBySubjectAndIssuer(subject: string, issuer: string): Promise<OidcConnection | null>;
+    /**
+     * Find all connections for a user
+     *
+     * @param userId - Application user ID
+     * @returns Array of connections
+     */
+    findByUserId(userId: string): Promise<OidcConnection[]>;
+    /**
+     * Update connection
+     *
+     * Typically used to update tokens when they're refreshed.
+     *
+     * @param connectionId - Connection _id
+     * @param updates - Fields to update
+     */
+    updateOne(connectionId: string, updates: Partial<OidcConnection>): Promise<void>;
+    /**
+     * Delete connection by user and provider
+     *
+     * @param userId - Application user ID
+     * @param provider - Provider name
+     */
+    deleteByUserAndProvider(userId: string, provider: string): Promise<void>;
+    /**
+     * Delete all connections for a user
+     *
+     * @param userId - Application user ID
+     */
+    deleteByUserId(userId: string): Promise<number>;
+    /**
+     * Find one connection by query
+     *
+     * @param query - MongoDB query
+     * @returns Connection or null if not found
+     */
+    getOne(query: Partial<OidcConnection>): Promise<OidcConnection | null>;
+}
+//# sourceMappingURL=OidcConnectionRepo.d.ts.map

package/dist/repos/OidcConnectionRepo.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcConnectionRepo.d.ts","sourceRoot":"","sources":["../../src/repos/OidcConnectionRepo.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,cAAc,MAAM,2BAA2B,CAAC;AAEvD;;;;;;GAMG;AACH,MAAM,CAAC,OAAO,OAAO,kBAAkB;IACnC,OAAO,CAAC,UAAU,CAA6B;gBAEnC,cAAc,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE;IAI1C;;;;;OAKG;IACG,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,cAAc,EAAE,KAAK,CAAC,GAAG,OAAO,CAAC,cAAc,CAAC;IAQ9E;;;;;;OAMG;IACG,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAW7F;;;;;;;;OAQG;IACG,sBAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAW7F;;;;;OAKG;IACG,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAQ7D;;;;;;;OAOG;IACG,SAAS,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,cAAc,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAItF;;;;;OAKG;IACG,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI9E;;;;OAIG;IACG,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAKrD;;;;;OAKG;IACG,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,cAAc,CAAC,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;CAU/E"}

package/dist/repos/OidcConnectionRepo.js

@@ -0,0 +1,122 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Repository for OIDC connections
+ *
+ * Manages persistent connections between users and OIDC providers.
+ * Stores the mapping of app users to IdP subjects, and optionally
+ * stores encrypted tokens for API access.
+ */
+class OidcConnectionRepo {
+    constructor(collectionName, db) {
+        this.collection = db.collection(collectionName);
+    }
+    /**
+     * Create a new OIDC connection
+     *
+     * @param connection - Connection data
+     * @returns Created connection with _id
+     */
+    async create(connection) {
+        const result = await this.collection.insertOne(connection);
+        return {
+            ...connection,
+            _id: result.insertedId.toString(),
+        };
+    }
+    /**
+     * Find connection by user ID and provider
+     *
+     * @param userId - Application user ID
+     * @param provider - Provider name
+     * @returns Connection or null if not found
+     */
+    async findByUserAndProvider(userId, provider) {
+        const connection = await this.collection.findOne({ userId, provider });
+        if (!connection) {
+            return null;
+        }
+        return {
+            ...connection,
+            _id: connection._id?.toString(),
+        };
+    }
+    /**
+     * Find connection by subject and issuer
+     *
+     * Used to look up users by their IdP identity.
+     *
+     * @param subject - OIDC subject (sub claim)
+     * @param issuer - OIDC issuer (iss claim)
+     * @returns Connection or null if not found
+     */
+    async findBySubjectAndIssuer(subject, issuer) {
+        const connection = await this.collection.findOne({ subject, issuer });
+        if (!connection) {
+            return null;
+        }
+        return {
+            ...connection,
+            _id: connection._id?.toString(),
+        };
+    }
+    /**
+     * Find all connections for a user
+     *
+     * @param userId - Application user ID
+     * @returns Array of connections
+     */
+    async findByUserId(userId) {
+        const connections = await this.collection.find({ userId }).toArray();
+        return connections.map((conn) => ({
+            ...conn,
+            _id: conn._id?.toString(),
+        }));
+    }
+    /**
+     * Update connection
+     *
+     * Typically used to update tokens when they're refreshed.
+     *
+     * @param connectionId - Connection _id
+     * @param updates - Fields to update
+     */
+    async updateOne(connectionId, updates) {
+        await this.collection.updateOne({ _id: connectionId }, { $set: updates });
+    }
+    /**
+     * Delete connection by user and provider
+     *
+     * @param userId - Application user ID
+     * @param provider - Provider name
+     */
+    async deleteByUserAndProvider(userId, provider) {
+        await this.collection.deleteOne({ userId, provider });
+    }
+    /**
+     * Delete all connections for a user
+     *
+     * @param userId - Application user ID
+     */
+    async deleteByUserId(userId) {
+        const result = await this.collection.deleteMany({ userId });
+        return result.deletedCount;
+    }
+    /**
+     * Find one connection by query
+     *
+     * @param query - MongoDB query
+     * @returns Connection or null if not found
+     */
+    async getOne(query) {
+        const connection = await this.collection.findOne(query);
+        if (!connection) {
+            return null;
+        }
+        return {
+            ...connection,
+            _id: connection._id?.toString(),
+        };
+    }
+}
+exports.default = OidcConnectionRepo;

package/dist/repos/OidcSessionRepo.d.ts

@@ -0,0 +1,57 @@
+import { Db } from "mongodb";
+import OidcSession from "../schemas/OidcSession";
+/**
+ * Repository for OIDC sessions
+ *
+ * Manages temporary sessions during the OIDC authorization flow.
+ * Sessions are automatically deleted by MongoDB TTL index after expiration.
+ */
+export default class OidcSessionRepo {
+    private collection;
+    constructor(collectionName: string, db: Db);
+    /**
+     * Create a new OIDC session
+     *
+     * @param session - Session data
+     * @returns Created session with _id
+     */
+    create(session: Omit<OidcSession, "_id">): Promise<OidcSession>;
+    /**
+     * Find session by state parameter
+     *
+     * Used during callback to validate the state and retrieve session data.
+     *
+     * @param state - State parameter from callback
+     * @returns Session or null if not found
+     */
+    getByState(state: string): Promise<OidcSession | null>;
+    /**
+     * Find one session by query
+     *
+     * @param query - MongoDB query
+     * @returns Session or null if not found
+     */
+    getOne(query: Partial<OidcSession>): Promise<OidcSession | null>;
+    /**
+     * Delete session by session ID
+     *
+     * Sessions are one-time use - delete after successful validation.
+     *
+     * @param sessionId - Session identifier
+     */
+    deleteBySessionId(sessionId: string): Promise<void>;
+    /**
+     * Delete session by state
+     *
+     * @param state - State parameter
+     */
+    deleteByState(state: string): Promise<void>;
+    /**
+     * Delete all expired sessions
+     *
+     * This is handled automatically by MongoDB TTL index,
+     * but can be called manually for testing or cleanup.
+     */
+    deleteExpired(): Promise<number>;
+}
+//# sourceMappingURL=OidcSessionRepo.d.ts.map

package/dist/repos/OidcSessionRepo.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcSessionRepo.d.ts","sourceRoot":"","sources":["../../src/repos/OidcSessionRepo.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,WAAW,MAAM,wBAAwB,CAAC;AAEjD;;;;;GAKG;AACH,MAAM,CAAC,OAAO,OAAO,eAAe;IAChC,OAAO,CAAC,UAAU,CAA0B;gBAEhC,cAAc,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE;IAI1C;;;;;OAKG;IACG,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC;IAQrE;;;;;;;OAOG;IACG,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAW5D;;;;;OAKG;IACG,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAWtE;;;;;;OAMG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzD;;;;OAIG;IACG,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjD;;;;;OAKG;IACG,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC;CAMzC"}

package/dist/repos/OidcSessionRepo.js

@@ -0,0 +1,91 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Repository for OIDC sessions
+ *
+ * Manages temporary sessions during the OIDC authorization flow.
+ * Sessions are automatically deleted by MongoDB TTL index after expiration.
+ */
+class OidcSessionRepo {
+    constructor(collectionName, db) {
+        this.collection = db.collection(collectionName);
+    }
+    /**
+     * Create a new OIDC session
+     *
+     * @param session - Session data
+     * @returns Created session with _id
+     */
+    async create(session) {
+        const result = await this.collection.insertOne(session);
+        return {
+            ...session,
+            _id: result.insertedId.toString(),
+        };
+    }
+    /**
+     * Find session by state parameter
+     *
+     * Used during callback to validate the state and retrieve session data.
+     *
+     * @param state - State parameter from callback
+     * @returns Session or null if not found
+     */
+    async getByState(state) {
+        const session = await this.collection.findOne({ state });
+        if (!session) {
+            return null;
+        }
+        return {
+            ...session,
+            _id: session._id?.toString(),
+        };
+    }
+    /**
+     * Find one session by query
+     *
+     * @param query - MongoDB query
+     * @returns Session or null if not found
+     */
+    async getOne(query) {
+        const session = await this.collection.findOne(query);
+        if (!session) {
+            return null;
+        }
+        return {
+            ...session,
+            _id: session._id?.toString(),
+        };
+    }
+    /**
+     * Delete session by session ID
+     *
+     * Sessions are one-time use - delete after successful validation.
+     *
+     * @param sessionId - Session identifier
+     */
+    async deleteBySessionId(sessionId) {
+        await this.collection.deleteOne({ sessionId });
+    }
+    /**
+     * Delete session by state
+     *
+     * @param state - State parameter
+     */
+    async deleteByState(state) {
+        await this.collection.deleteOne({ state });
+    }
+    /**
+     * Delete all expired sessions
+     *
+     * This is handled automatically by MongoDB TTL index,
+     * but can be called manually for testing or cleanup.
+     */
+    async deleteExpired() {
+        const result = await this.collection.deleteMany({
+            createdAt: { $lt: new Date(Date.now() - 600000) }, // 10 minutes
+        });
+        return result.deletedCount;
+    }
+}
+exports.default = OidcSessionRepo;

package/dist/schemas/CallbackRequest.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Query parameters for the OIDC callback endpoint
+ *
+ * GET /oidc/:provider/callback?code=...&state=...&response_type=json
+ */
+export default interface CallbackRequest {
+    /**
+     * Authorization code from the IdP
+     * Required for successful authentication
+     */
+    code?: string;
+    /**
+     * State parameter for CSRF protection
+     * Must match the state stored in the session
+     */
+    state?: string;
+    /**
+     * Error code from the IdP (if authorization failed)
+     * e.g., "access_denied" if user cancelled
+     */
+    error?: string;
+    /**
+     * Human-readable error description from the IdP
+     */
+    error_description?: string;
+    /**
+     * Response format for the callback
+     * - "json": Return JSON response with user and token
+     * - undefined: Redirect to redirectUri with token in URL fragment
+     */
+    response_type?: "json";
+    /**
+     * Index signature for Flink Query type compatibility
+     */
+    [key: string]: string | string[] | undefined;
+}
+//# sourceMappingURL=CallbackRequest.d.ts.map

package/dist/schemas/CallbackRequest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CallbackRequest.d.ts","sourceRoot":"","sources":["../../src/schemas/CallbackRequest.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,CAAC,OAAO,WAAW,eAAe;IACpC;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;OAEG;IACH,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC;CAChD"}

package/dist/schemas/CallbackRequest.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/schemas/InitiateRequest.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Query parameters for the OIDC initiate endpoint
+ *
+ * GET /oidc/:provider/initiate?redirectUri=...
+ */
+export default interface InitiateRequest {
+    /**
+     * Optional redirect URI after successful authentication
+     * If not provided, uses the default callbackUrl from provider config
+     */
+    redirectUri?: string;
+    /**
+     * Index signature for Flink Query type compatibility
+     */
+    [key: string]: string | string[] | undefined;
+}
+//# sourceMappingURL=InitiateRequest.d.ts.map

package/dist/schemas/InitiateRequest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"InitiateRequest.d.ts","sourceRoot":"","sources":["../../src/schemas/InitiateRequest.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,CAAC,OAAO,WAAW,eAAe;IACpC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC;CAChD"}

package/dist/schemas/InitiateRequest.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/schemas/OidcConnection.d.ts

@@ -0,0 +1,69 @@
+/**
+ * OIDC connection linking a user to an IdP
+ *
+ * Persistent record of the user's connection to an OIDC provider.
+ * Stores the mapping between the app's user and the IdP's subject identifier.
+ * Optionally stores encrypted OAuth tokens if storeTokens is enabled.
+ */
+export default interface OidcConnection {
+    /**
+     * MongoDB document ID
+     */
+    _id?: string;
+    /**
+     * Application user ID
+     * References the user in your app's user collection
+     */
+    userId: string;
+    /**
+     * OIDC provider name (e.g., "acme", "contoso")
+     */
+    provider: string;
+    /**
+     * OIDC subject identifier from the IdP
+     * The 'sub' claim from the ID token - unique per user per IdP
+     */
+    subject: string;
+    /**
+     * OIDC issuer identifier
+     * The 'iss' claim from the ID token - identifies the IdP
+     */
+    issuer: string;
+    /**
+     * User's email from the IdP
+     * Optional - for reference and display
+     */
+    email?: string;
+    /**
+     * Encrypted access token (if storeTokens enabled)
+     * Used to call IdP APIs on behalf of the user
+     */
+    accessToken?: string;
+    /**
+     * Encrypted refresh token (if storeTokens enabled)
+     * Used to obtain new access tokens
+     */
+    refreshToken?: string;
+    /**
+     * Encrypted ID token (if storeTokens enabled)
+     * The JWT containing user claims
+     */
+    idToken?: string;
+    /**
+     * Space-separated list of granted scopes
+     */
+    scope?: string;
+    /**
+     * Access token expiration time
+     */
+    expiresAt?: Date;
+    /**
+     * Connection creation timestamp
+     */
+    createdAt: Date;
+    /**
+     * Last update timestamp
+     */
+    updatedAt: Date;
+}
+//# sourceMappingURL=OidcConnection.d.ts.map

package/dist/schemas/OidcConnection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcConnection.d.ts","sourceRoot":"","sources":["../../src/schemas/OidcConnection.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,CAAC,OAAO,WAAW,cAAc;IACnC;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,SAAS,CAAC,EAAE,IAAI,CAAC;IAEjB;;OAEG;IACH,SAAS,EAAE,IAAI,CAAC;IAEhB;;OAEG;IACH,SAAS,EAAE,IAAI,CAAC;CACnB"}

package/dist/schemas/OidcConnection.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/schemas/OidcProfile.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Normalized user profile from OIDC ID token and UserInfo endpoint
+ *
+ * This is the standardized profile format passed to the onAuthSuccess callback.
+ * Maps OIDC standard claims to a consistent profile structure.
+ */
+export default interface OidcProfile {
+    /**
+     * Subject identifier - unique user ID from the IdP
+     * OIDC standard claim: 'sub'
+     */
+    id: string;
+    /**
+     * User's email address
+     * OIDC standard claim: 'email'
+     */
+    email: string;
+    /**
+     * Whether the email has been verified by the IdP
+     * OIDC standard claim: 'email_verified'
+     */
+    emailVerified?: boolean;
+    /**
+     * User's full name
+     * OIDC standard claim: 'name'
+     */
+    name?: string;
+    /**
+     * User's given name (first name)
+     * OIDC standard claim: 'given_name'
+     */
+    givenName?: string;
+    /**
+     * User's family name (last name)
+     * OIDC standard claim: 'family_name'
+     */
+    familyName?: string;
+    /**
+     * User's middle name
+     * OIDC standard claim: 'middle_name'
+     */
+    middleName?: string;
+    /**
+     * User's preferred username
+     * OIDC standard claim: 'preferred_username'
+     */
+    username?: string;
+    /**
+     * URL of the user's profile picture
+     * OIDC standard claim: 'picture'
+     */
+    picture?: string;
+    /**
+     * User's phone number
+     * OIDC standard claim: 'phone_number'
+     */
+    phoneNumber?: string;
+    /**
+     * Whether the phone number has been verified
+     * OIDC standard claim: 'phone_number_verified'
+     */
+    phoneNumberVerified?: boolean;
+    /**
+     * Raw OIDC claims from ID token and UserInfo
+     * Contains all claims returned by the IdP
+     */
+    raw: Record<string, any>;
+}
+//# sourceMappingURL=OidcProfile.d.ts.map

package/dist/schemas/OidcProfile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcProfile.d.ts","sourceRoot":"","sources":["../../src/schemas/OidcProfile.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,CAAC,OAAO,WAAW,WAAW;IAChC;;;OAGG;IACH,EAAE,EAAE,MAAM,CAAC;IAEX;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAE9B;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAC5B"}

package/dist/schemas/OidcProfile.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/schemas/OidcSession.d.ts

@@ -0,0 +1,46 @@
+/**
+ * OIDC session stored during the authorization flow
+ *
+ * Temporary session that exists only during the OAuth/OIDC flow (typically 10 minutes).
+ * Used for CSRF protection (state), PKCE (codeVerifier), and replay protection (nonce).
+ */
+export default interface OidcSession {
+    /**
+     * MongoDB document ID
+     */
+    _id?: string;
+    /**
+     * Unique session identifier
+     */
+    sessionId: string;
+    /**
+     * CSRF protection token
+     * Random value used to prevent cross-site request forgery attacks
+     */
+    state: string;
+    /**
+     * PKCE code verifier
+     * Secret value used to prove the client initiated the authorization request
+     */
+    codeVerifier: string;
+    /**
+     * Nonce for ID token validation
+     * Random value used to prevent replay attacks on the ID token
+     */
+    nonce: string;
+    /**
+     * Provider name (e.g., "acme", "contoso")
+     */
+    provider: string;
+    /**
+     * URL to redirect to after successful authentication
+     * Can be overridden by the client via query parameter
+     */
+    redirectUri: string;
+    /**
+     * Session creation timestamp
+     * MongoDB TTL index will automatically delete expired sessions
+     */
+    createdAt: Date;
+}
+//# sourceMappingURL=OidcSession.d.ts.map

package/dist/schemas/OidcSession.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcSession.d.ts","sourceRoot":"","sources":["../../src/schemas/OidcSession.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,CAAC,OAAO,WAAW,WAAW;IAChC;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,YAAY,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;;OAGG;IACH,SAAS,EAAE,IAAI,CAAC;CACnB"}

package/dist/schemas/OidcSession.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/schemas/OidcTokenSet.d.ts

@@ -0,0 +1,42 @@
+/**
+ * OIDC token set returned from the token endpoint
+ *
+ * Contains the tokens issued by the IdP after successful authorization.
+ */
+export default interface OidcTokenSet {
+    /**
+     * Access token for calling IdP APIs
+     * Used to access protected resources at the IdP
+     */
+    accessToken: string;
+    /**
+     * ID token (JWT) containing user claims
+     * This is the core OIDC token that contains user identity information
+     */
+    idToken: string;
+    /**
+     * Refresh token for obtaining new access tokens
+     * Optional - only if IdP supports and grants refresh tokens
+     */
+    refreshToken?: string;
+    /**
+     * Token type (usually "Bearer")
+     */
+    tokenType: string;
+    /**
+     * Expiration time in seconds
+     * How many seconds until the access token expires
+     */
+    expiresIn?: number;
+    /**
+     * Scope granted by the IdP
+     * Space-separated list of scopes
+     */
+    scope?: string;
+    /**
+     * All claims from the ID token
+     * Parsed and validated JWT claims
+     */
+    claims: Record<string, any>;
+}
+//# sourceMappingURL=OidcTokenSet.d.ts.map

package/dist/schemas/OidcTokenSet.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcTokenSet.d.ts","sourceRoot":"","sources":["../../src/schemas/OidcTokenSet.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,CAAC,OAAO,WAAW,YAAY;IACjC;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;;OAGG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAC/B"}