npm - @frontmcp/sdk - Versions diffs - 0.2.5 → 0.3.0 - Mend

@frontmcp/sdk 0.2.5 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (896) hide show

package/src/auth/jwks/jwks.service.d.ts ADDED Viewed

@@ -0,0 +1,41 @@
+import crypto from 'node:crypto';
+import { JSONWebKeySet } from 'jose';
+import { JwksServiceOptions, ProviderVerifyRef, VerifyResult } from './jwks.types';
+export declare class JwksService {
+    private readonly opts;
+    private orchestratorKey;
+    private providerJwks;
+    constructor(opts?: JwksServiceOptions);
+    /** Gateway's public JWKS (publish at /.well-known/jwks.json when orchestrated). */
+    getPublicJwks(): JSONWebKeySet;
+    /** Verify a token issued by the gateway itself (orchestrated mode). */
+    verifyGatewayToken(token: string, expectedIssuer: string): Promise<VerifyResult>;
+    /**
+     * Verify a token against candidate transparent providers.
+     * Ensures JWKS are available (cached/TTL/AS discovery) per provider.
+     */
+    verifyTransparentToken(token: string, candidates: ProviderVerifyRef[]): Promise<VerifyResult>;
+    /** Directly set provider JWKS (e.g., inline keys from config). */
+    setProviderJwks(providerId: string, jwks: JSONWebKeySet): void;
+    /**
+     * Ensure JWKS for a provider:
+     *   1) inline jwks (if provided) → cache & return
+     *   2) cached & fresh (TTL)      → return
+     *   3) explicit jwksUri          → fetch, cache, return
+     *   4) discover jwks_uri via AS  → fetch AS metadata, then jwks_uri, cache, return
+     */
+    getJwksForProvider(ref: ProviderVerifyRef): Promise<JSONWebKeySet | undefined>;
+    /** Return the orchestrator public JWKS (generates/rotates as needed). */
+    getOrchestratorJwks(): JSONWebKeySet;
+    /** Return private signing key + kid for issuing orchestrator tokens. */
+    getOrchestratorSigningKey(): {
+        kid: string;
+        key: crypto.KeyObject;
+        alg: string;
+    };
+    private tryFetchJwks;
+    private tryFetchAsMeta;
+    private fetchJson;
+    private ensureOrchestratorKey;
+    private generateKey;
+}

package/src/auth/jwks/jwks.service.js ADDED Viewed

@@ -0,0 +1,235 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwksService = void 0;
+const tslib_1 = require("tslib");
+// auth/jwks/jwks.service.ts
+const node_crypto_1 = tslib_1.__importDefault(require("node:crypto"));
+const jose_1 = require("jose");
+const jwks_utils_1 = require("./jwks.utils");
+class JwksService {
+    opts;
+    // Orchestrator signing material
+    orchestratorKey;
+    // Provider JWKS cache (providerId -> jwks + fetchedAt)
+    providerJwks = new Map();
+    constructor(opts) {
+        this.opts = {
+            orchestratorAlg: opts?.orchestratorAlg ?? 'RS256',
+            rotateDays: opts?.rotateDays ?? 30,
+            providerJwksTtlMs: opts?.providerJwksTtlMs ?? 6 * 60 * 60 * 1000, // 6h
+            networkTimeoutMs: opts?.networkTimeoutMs ?? 5000, // 5s
+        };
+    }
+    // ===========================================================================
+    // Public JWKS (what /.well-known/jwks.json serves)
+    // ===========================================================================
+    /** Gateway's public JWKS (publish at /.well-known/jwks.json when orchestrated). */
+    getPublicJwks() {
+        return this.getOrchestratorJwks();
+    }
+    // ===========================================================================
+    // Scope-aware verification API
+    // ===========================================================================
+    /** Verify a token issued by the gateway itself (orchestrated mode). */
+    async verifyGatewayToken(token, expectedIssuer) {
+        try {
+            // TODO: add support for local/remote proxy mode
+            //       current implementation for anonymous mode only
+            // const jwks = this.getPublicJwks();
+            // const JWKS = createLocalJWKSet(jwks);
+            // const {payload, protectedHeader} = await jwtVerify(token, JWKS, {
+            //   issuer: normalizeIssuer(expectedIssuer),
+            // });
+            // return {
+            //   ok: true,
+            //   issuer: payload?.iss as string | undefined,
+            //   sub: payload?.sub as string | undefined,
+            //   header: protectedHeader,
+            //   payload,
+            // };
+            const payload = (0, jwks_utils_1.decodeJwtPayloadSafe)(token);
+            if (!payload) {
+                return {
+                    ok: false,
+                    error: 'invalid bearer token'
+                };
+            }
+            return {
+                ok: true,
+                issuer: expectedIssuer,
+                sub: payload['sub'],
+                payload,
+                header: (0, jose_1.decodeProtectedHeader)(token),
+            };
+        }
+        catch (err) {
+            return { ok: false, error: err?.message ?? 'verification_failed' };
+        }
+    }
+    /**
+     * Verify a token against candidate transparent providers.
+     * Ensures JWKS are available (cached/TTL/AS discovery) per provider.
+     */
+    async verifyTransparentToken(token, candidates) {
+        if (!candidates?.length)
+            return { ok: false, error: 'no_providers' };
+        // Helpful only for error messages
+        let kid;
+        try {
+            const header = (0, jose_1.decodeProtectedHeader)(token);
+            kid = typeof header?.kid === 'string' ? header.kid : undefined;
+        }
+        catch {
+            /* empty */
+        }
+        for (const p of candidates) {
+            try {
+                const jwks = await this.getJwksForProvider(p);
+                if (!jwks?.keys?.length)
+                    continue;
+                const draftPayload = (0, jwks_utils_1.decodeJwtPayloadSafe)(token);
+                const JWKS = (0, jose_1.createLocalJWKSet)(jwks);
+                const { payload, protectedHeader } = await (0, jose_1.jwtVerify)(token, JWKS, {
+                    issuer: [
+                        (0, jwks_utils_1.normalizeIssuer)(p.issuerUrl),
+                        // ]
+                    ].concat((draftPayload?.['iss'] ? [draftPayload['iss']] : [])), // used because current cloud gateway have invalid issuer
+                });
+                return {
+                    ok: true,
+                    issuer: payload?.iss,
+                    sub: payload?.sub,
+                    providerId: p.id,
+                    header: protectedHeader,
+                    payload,
+                };
+            }
+            catch (e) {
+                console.log('failed to verify token for provider: ', p.id, e);
+                // try next provider
+            }
+        }
+        return { ok: false, error: `no_provider_verified${kid ? ` (kid=${kid})` : ''}` };
+    }
+    // ===========================================================================
+    // Provider JWKS (cache + preload + discovery)
+    // ===========================================================================
+    /** Directly set provider JWKS (e.g., inline keys from config). */
+    setProviderJwks(providerId, jwks) {
+        this.providerJwks.set(providerId, { jwks, fetchedAt: Date.now() });
+    }
+    /**
+     * Ensure JWKS for a provider:
+     *   1) inline jwks (if provided) → cache & return
+     *   2) cached & fresh (TTL)      → return
+     *   3) explicit jwksUri          → fetch, cache, return
+     *   4) discover jwks_uri via AS  → fetch AS metadata, then jwks_uri, cache, return
+     */
+    async getJwksForProvider(ref) {
+        // Inline keys win
+        if (ref.jwks?.keys?.length) {
+            this.setProviderJwks(ref.id, ref.jwks);
+            return ref.jwks;
+        }
+        // Cache hit and fresh?
+        const cached = this.providerJwks.get(ref.id);
+        if (cached && Date.now() - cached.fetchedAt < this.opts.providerJwksTtlMs) {
+            return cached.jwks;
+        }
+        // If we have a jwksUri, try it
+        if (ref.jwksUri) {
+            const fromUri = await this.tryFetchJwks(ref.id, ref.jwksUri);
+            if (fromUri?.keys?.length)
+                return fromUri;
+        }
+        // Discover via AS .well-known
+        const issuer = (0, jwks_utils_1.trimSlash)(ref.issuerUrl);
+        const meta = await this.tryFetchAsMeta(`${issuer}/.well-known/oauth-authorization-server`);
+        const uri = meta && typeof meta === 'object' && meta.jwks_uri ? String(meta.jwks_uri) : undefined;
+        if (uri) {
+            const fromMeta = await this.tryFetchJwks(ref.id, uri);
+            if (fromMeta?.keys?.length)
+                return fromMeta;
+        }
+        return cached?.jwks; // return stale if we had anything, else undefined
+    }
+    // ===========================================================================
+    // Orchestrator keys (generation/rotation)
+    // ===========================================================================
+    /** Return the orchestrator public JWKS (generates/rotates as needed). */
+    getOrchestratorJwks() {
+        this.ensureOrchestratorKey();
+        return this.orchestratorKey.publicJwk;
+    }
+    /** Return private signing key + kid for issuing orchestrator tokens. */
+    getOrchestratorSigningKey() {
+        this.ensureOrchestratorKey();
+        return { kid: this.orchestratorKey.kid, key: this.orchestratorKey.privateKey, alg: this.opts.orchestratorAlg };
+    }
+    // ===========================================================================
+    // Internals (fetch, rotation, helpers)
+    // ===========================================================================
+    async tryFetchJwks(providerId, uri) {
+        try {
+            const jwks = await this.fetchJson(uri);
+            if (jwks?.keys?.length) {
+                this.setProviderJwks(providerId, jwks);
+                return jwks;
+            }
+        }
+        catch {
+            /* empty */
+        }
+        return undefined;
+    }
+    async tryFetchAsMeta(url) {
+        try {
+            return await this.fetchJson(url);
+        }
+        catch {
+            return undefined;
+        }
+    }
+    async fetchJson(url) {
+        const ctl = typeof AbortController !== 'undefined' ? new AbortController() : undefined;
+        const timer = setTimeout(() => ctl?.abort(), this.opts.networkTimeoutMs);
+        try {
+            const res = await fetch(url, {
+                method: 'GET',
+                headers: { accept: 'application/json' },
+                signal: ctl?.signal,
+            });
+            if (!res.ok)
+                throw new Error(`HTTP ${res.status}`);
+            return (await res.json());
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    ensureOrchestratorKey() {
+        const now = Date.now();
+        const maxAge = this.opts.rotateDays * 24 * 60 * 60 * 1000;
+        if (!this.orchestratorKey || now - this.orchestratorKey.createdAt > maxAge) {
+            this.orchestratorKey = this.generateKey(this.opts.orchestratorAlg);
+        }
+    }
+    generateKey(alg) {
+        if (alg === 'RS256') {
+            const { privateKey, publicKey } = node_crypto_1.default.generateKeyPairSync('rsa', { modulusLength: 2048 });
+            const kid = node_crypto_1.default.randomBytes(8).toString('hex');
+            const publicJwk = publicKey.export({ format: 'jwk' });
+            Object.assign(publicJwk, { kid, alg: 'RS256', use: 'sig', kty: 'RSA' });
+            return { kid, privateKey, publicJwk: { keys: [publicJwk] }, createdAt: Date.now() };
+        }
+        else {
+            const { privateKey, publicKey } = node_crypto_1.default.generateKeyPairSync('ec', { namedCurve: 'P-256' });
+            const kid = node_crypto_1.default.randomBytes(8).toString('hex');
+            const publicJwk = publicKey.export({ format: 'jwk' });
+            Object.assign(publicJwk, { kid, alg: 'ES256', use: 'sig', kty: 'EC' });
+            return { kid, privateKey, publicJwk: { keys: [publicJwk] }, createdAt: Date.now() };
+        }
+    }
+}
+exports.JwksService = JwksService;
+//# sourceMappingURL=jwks.service.js.map

package/src/auth/jwks/jwks.service.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwks.service.js","sourceRoot":"","sources":["../../../../src/auth/jwks/jwks.service.ts"],"names":[],"mappings":";;;;AAAA,4BAA4B;AAC5B,sEAAiC;AACjC,+BAAwF;AAExF,6CAA8E;AAE9E,MAAa,WAAW;IACL,IAAI,CAA+B;IAEpD,gCAAgC;IACxB,eAAe,CAKrB;IAEF,uDAAuD;IAC/C,YAAY,GAAG,IAAI,GAAG,EAAsD,CAAC;IAErF,YAAY,IAAyB;QACnC,IAAI,CAAC,IAAI,GAAG;YACV,eAAe,EAAE,IAAI,EAAE,eAAe,IAAI,OAAO;YACjD,UAAU,EAAE,IAAI,EAAE,UAAU,IAAI,EAAE;YAClC,iBAAiB,EAAE,IAAI,EAAE,iBAAiB,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,KAAK;YACvE,gBAAgB,EAAE,IAAI,EAAE,gBAAgB,IAAI,IAAI,EAAE,KAAK;SACxD,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,mDAAmD;IACnD,8EAA8E;IAE9E,mFAAmF;IACnF,aAAa;QACX,OAAO,IAAI,CAAC,mBAAmB,EAAE,CAAC;IACpC,CAAC;IAED,8EAA8E;IAC9E,+BAA+B;IAC/B,8EAA8E;IAE9E,uEAAuE;IACvE,KAAK,CAAC,kBAAkB,CAAC,KAAa,EAAE,cAAsB;QAC5D,IAAI,CAAC;YACH,gDAAgD;YAChD,uDAAuD;YAEvD,qCAAqC;YACrC,wCAAwC;YACxC,oEAAoE;YACpE,6CAA6C;YAC7C,MAAM;YACN,WAAW;YACX,cAAc;YACd,gDAAgD;YAChD,6CAA6C;YAC7C,6BAA6B;YAC7B,aAAa;YACb,KAAK;YAEL,MAAM,OAAO,GAAG,IAAA,iCAAoB,EAAC,KAAK,CAAC,CAAC;YAC5C,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,sBAAsB;iBAC9B,CAAA;YACH,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,MAAM,EAAE,cAAc;gBACtB,GAAG,EAAE,OAAO,CAAC,KAAK,CAAW;gBAC7B,OAAO;gBACP,MAAM,EAAE,IAAA,4BAAqB,EAAC,KAAK,CAAC;aACrC,CAAA;QACH,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,EAAC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,IAAI,qBAAqB,EAAC,CAAC;QACnE,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,sBAAsB,CAAC,KAAa,EAAE,UAA+B;QACzE,IAAI,CAAC,UAAU,EAAE,MAAM;YAAE,OAAO,EAAC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAC,CAAC;QAEnE,kCAAkC;QAClC,IAAI,GAAuB,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,4BAAqB,EAAC,KAAK,CAAC,CAAC;YAE5C,GAAG,GAAG,OAAO,MAAM,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;QACjE,CAAC;QAAC,MAAM,CAAC;YACP,WAAW;QACb,CAAC;QAED,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC;gBAC9C,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM;oBAAE,SAAS;gBAClC,MAAM,YAAY,GAAG,IAAA,iCAAoB,EAAC,KAAK,CAAC,CAAC;gBACjD,MAAM,IAAI,GAAG,IAAA,wBAAiB,EAAC,IAAI,CAAC,CAAC;gBACrC,MAAM,EAAC,OAAO,EAAE,eAAe,EAAC,GAAG,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,IAAI,EAAE;oBAC9D,MAAM,EAAE;wBACN,IAAA,4BAAe,EAAC,CAAC,CAAC,SAAS,CAAC;wBAE5B,IAAI;qBACL,CAAC,MAAM,CAAC,CAAC,YAAY,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAa,CAAC,EAAE,yDAAyD;iBACtI,CAAC,CAAC;gBAEH,OAAO;oBACL,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,OAAO,EAAE,GAAyB;oBAC1C,GAAG,EAAE,OAAO,EAAE,GAAyB;oBACvC,UAAU,EAAE,CAAC,CAAC,EAAE;oBAChB,MAAM,EAAE,eAAe;oBACvB,OAAO;iBACR,CAAC;YACJ,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;gBAC9D,oBAAoB;YACtB,CAAC;QACH,CAAC;QAED,OAAO,EAAC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,GAAG,CAAC,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAC,CAAC;IACjF,CAAC;IAED,8EAA8E;IAC9E,8CAA8C;IAC9C,8EAA8E;IAE9E,kEAAkE;IAClE,eAAe,CAAC,UAAkB,EAAE,IAAmB;QACrD,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,EAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAC,CAAC,CAAC;IACnE,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,kBAAkB,CAAC,GAAsB;QAC7C,kBAAkB;QAClB,IAAI,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;YAC3B,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;YACvC,OAAO,GAAG,CAAC,IAAI,CAAC;QAClB,CAAC;QAED,uBAAuB;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC7C,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC1E,OAAO,MAAM,CAAC,IAAI,CAAC;QACrB,CAAC;QAED,+BAA+B;QAC/B,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;YAChB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAC7D,IAAI,OAAO,EAAE,IAAI,EAAE,MAAM;gBAAE,OAAO,OAAO,CAAC;QAC5C,CAAC;QAED,8BAA8B;QAC9B,MAAM,MAAM,GAAG,IAAA,sBAAS,EAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACxC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,MAAM,yCAAyC,CAAC,CAAC;QAC3F,MAAM,GAAG,GAAG,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAClG,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;YACtD,IAAI,QAAQ,EAAE,IAAI,EAAE,MAAM;gBAAE,OAAO,QAAQ,CAAC;QAC9C,CAAC;QAED,OAAO,MAAM,EAAE,IAAI,CAAC,CAAC,kDAAkD;IACzE,CAAC;IAED,8EAA8E;IAC9E,0CAA0C;IAC1C,8EAA8E;IAE9E,yEAAyE;IACzE,mBAAmB;QACjB,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC;IACxC,CAAC;IAED,wEAAwE;IACxE,yBAAyB;QACvB,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC7B,OAAO,EAAC,GAAG,EAAE,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,eAAe,EAAC,CAAC;IAC/G,CAAC;IAED,8EAA8E;IAC9E,uCAAuC;IACvC,8EAA8E;IAEtE,KAAK,CAAC,YAAY,CAAC,UAAkB,EAAE,GAAW;QACxD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAAgB,GAAG,CAAC,CAAC;YACtD,IAAI,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;gBACvB,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;gBACvC,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,WAAW;QACb,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,GAAW;QACtC,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,SAAS,CAAU,GAAW;QAC1C,MAAM,GAAG,GAAG,OAAO,eAAe,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,eAAe,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QACvF,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACzE,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,EAAC,MAAM,EAAE,kBAAkB,EAAC;gBACrC,MAAM,EAAE,GAAG,EAAE,MAAM;aACpB,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;YACnD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;QACjC,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAEO,qBAAqB;QAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC1D,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,SAAS,GAAG,MAAM,EAAE,CAAC;YAC3E,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAEO,WAAW,CAAC,GAAsB;QACxC,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;YACpB,MAAM,EAAC,UAAU,EAAE,SAAS,EAAC,GAAG,qBAAM,CAAC,mBAAmB,CAAC,KAAK,EAAE,EAAC,aAAa,EAAE,IAAI,EAAC,CAAC,CAAC;YACzF,MAAM,GAAG,GAAG,qBAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,EAAC,MAAM,EAAE,KAAK,EAAC,CAAC,CAAC;YACpD,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,EAAC,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAC,CAAC,CAAC;YACtE,OAAO,EAAC,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,EAAC,IAAI,EAAE,CAAC,SAAS,CAAC,EAAC,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAC,CAAC;QAClF,CAAC;aAAM,CAAC;YACN,MAAM,EAAC,UAAU,EAAE,SAAS,EAAC,GAAG,qBAAM,CAAC,mBAAmB,CAAC,IAAI,EAAE,EAAC,UAAU,EAAE,OAAO,EAAC,CAAC,CAAC;YACxF,MAAM,GAAG,GAAG,qBAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,EAAC,MAAM,EAAE,KAAK,EAAC,CAAC,CAAC;YACpD,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,EAAC,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAC,CAAC,CAAC;YACrE,OAAO,EAAC,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,EAAC,IAAI,EAAE,CAAC,SAAS,CAAC,EAAC,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAC,CAAC;QAClF,CAAC;IACH,CAAC;CACF;AAzPD,kCAyPC","sourcesContent":["// auth/jwks/jwks.service.ts\nimport crypto from 'node:crypto';\nimport {jwtVerify, createLocalJWKSet, decodeProtectedHeader, JSONWebKeySet} from 'jose';\nimport {JwksServiceOptions, ProviderVerifyRef, VerifyResult} from './jwks.types';\nimport {normalizeIssuer, trimSlash, decodeJwtPayloadSafe} from './jwks.utils';\n\nexport class JwksService {\n private readonly opts: Required<JwksServiceOptions>;\n\n // Orchestrator signing material\n private orchestratorKey!: {\n kid: string;\n privateKey: crypto.KeyObject;\n publicJwk: JSONWebKeySet;\n createdAt: number;\n };\n\n // Provider JWKS cache (providerId -> jwks + fetchedAt)\n private providerJwks = new Map<string, { jwks: JSONWebKeySet; fetchedAt: number }>();\n\n constructor(opts?: JwksServiceOptions) {\n this.opts = {\n orchestratorAlg: opts?.orchestratorAlg ?? 'RS256',\n rotateDays: opts?.rotateDays ?? 30,\n providerJwksTtlMs: opts?.providerJwksTtlMs ?? 6 * 60 * 60 * 1000, // 6h\n networkTimeoutMs: opts?.networkTimeoutMs ?? 5000, // 5s\n };\n }\n\n // ===========================================================================\n // Public JWKS (what /.well-known/jwks.json serves)\n // ===========================================================================\n\n /** Gateway's public JWKS (publish at /.well-known/jwks.json when orchestrated). */\n getPublicJwks(): JSONWebKeySet {\n return this.getOrchestratorJwks();\n }\n\n // ===========================================================================\n // Scope-aware verification API\n // ===========================================================================\n\n /** Verify a token issued by the gateway itself (orchestrated mode). */\n async verifyGatewayToken(token: string, expectedIssuer: string): Promise<VerifyResult> {\n try {\n // TODO: add support for local/remote proxy mode\n // current implementation for anonymous mode only\n\n // const jwks = this.getPublicJwks();\n // const JWKS = createLocalJWKSet(jwks);\n // const {payload, protectedHeader} = await jwtVerify(token, JWKS, {\n // issuer: normalizeIssuer(expectedIssuer),\n // });\n // return {\n // ok: true,\n // issuer: payload?.iss as string | undefined,\n // sub: payload?.sub as string | undefined,\n // header: protectedHeader,\n // payload,\n // };\n\n const payload = decodeJwtPayloadSafe(token);\n if (!payload) {\n return {\n ok: false,\n error: 'invalid bearer token'\n }\n }\n return {\n ok: true,\n issuer: expectedIssuer,\n sub: payload['sub'] as string,\n payload,\n header: decodeProtectedHeader(token),\n }\n } catch (err: any) {\n return {ok: false, error: err?.message ?? 'verification_failed'};\n }\n }\n\n /**\n * Verify a token against candidate transparent providers.\n * Ensures JWKS are available (cached/TTL/AS discovery) per provider.\n */\n async verifyTransparentToken(token: string, candidates: ProviderVerifyRef[]): Promise<VerifyResult> {\n if (!candidates?.length) return {ok: false, error: 'no_providers'};\n\n // Helpful only for error messages\n let kid: string | undefined;\n try {\n const header = decodeProtectedHeader(token);\n\n kid = typeof header?.kid === 'string' ? header.kid : undefined;\n } catch {\n /* empty */\n }\n\n for (const p of candidates) {\n try {\n const jwks = await this.getJwksForProvider(p);\n if (!jwks?.keys?.length) continue;\n const draftPayload = decodeJwtPayloadSafe(token);\n const JWKS = createLocalJWKSet(jwks);\n const {payload, protectedHeader} = await jwtVerify(token, JWKS, {\n issuer: [\n normalizeIssuer(p.issuerUrl),\n\n // ]\n ].concat((draftPayload?.['iss'] ? [draftPayload['iss']] : []) as string[]), // used because current cloud gateway have invalid issuer\n });\n\n return {\n ok: true,\n issuer: payload?.iss as string | undefined,\n sub: payload?.sub as string | undefined,\n providerId: p.id,\n header: protectedHeader,\n payload,\n };\n } catch (e) {\n console.log('failed to verify token for provider: ', p.id, e);\n // try next provider\n }\n }\n\n return {ok: false, error: `no_provider_verified${kid ? ` (kid=${kid})` : ''}`};\n }\n\n // ===========================================================================\n // Provider JWKS (cache + preload + discovery)\n // ===========================================================================\n\n /** Directly set provider JWKS (e.g., inline keys from config). */\n setProviderJwks(providerId: string, jwks: JSONWebKeySet) {\n this.providerJwks.set(providerId, {jwks, fetchedAt: Date.now()});\n }\n\n /**\n * Ensure JWKS for a provider:\n * 1) inline jwks (if provided) → cache & return\n * 2) cached & fresh (TTL) → return\n * 3) explicit jwksUri → fetch, cache, return\n * 4) discover jwks_uri via AS → fetch AS metadata, then jwks_uri, cache, return\n */\n async getJwksForProvider(ref: ProviderVerifyRef): Promise<JSONWebKeySet | undefined> {\n // Inline keys win\n if (ref.jwks?.keys?.length) {\n this.setProviderJwks(ref.id, ref.jwks);\n return ref.jwks;\n }\n\n // Cache hit and fresh?\n const cached = this.providerJwks.get(ref.id);\n if (cached && Date.now() - cached.fetchedAt < this.opts.providerJwksTtlMs) {\n return cached.jwks;\n }\n\n // If we have a jwksUri, try it\n if (ref.jwksUri) {\n const fromUri = await this.tryFetchJwks(ref.id, ref.jwksUri);\n if (fromUri?.keys?.length) return fromUri;\n }\n\n // Discover via AS .well-known\n const issuer = trimSlash(ref.issuerUrl);\n const meta = await this.tryFetchAsMeta(`${issuer}/.well-known/oauth-authorization-server`);\n const uri = meta && typeof meta === 'object' && meta.jwks_uri ? String(meta.jwks_uri) : undefined;\n if (uri) {\n const fromMeta = await this.tryFetchJwks(ref.id, uri);\n if (fromMeta?.keys?.length) return fromMeta;\n }\n\n return cached?.jwks; // return stale if we had anything, else undefined\n }\n\n // ===========================================================================\n // Orchestrator keys (generation/rotation)\n // ===========================================================================\n\n /** Return the orchestrator public JWKS (generates/rotates as needed). */\n getOrchestratorJwks(): JSONWebKeySet {\n this.ensureOrchestratorKey();\n return this.orchestratorKey.publicJwk;\n }\n\n /** Return private signing key + kid for issuing orchestrator tokens. */\n getOrchestratorSigningKey(): { kid: string; key: crypto.KeyObject; alg: string } {\n this.ensureOrchestratorKey();\n return {kid: this.orchestratorKey.kid, key: this.orchestratorKey.privateKey, alg: this.opts.orchestratorAlg};\n }\n\n // ===========================================================================\n // Internals (fetch, rotation, helpers)\n // ===========================================================================\n\n private async tryFetchJwks(providerId: string, uri: string): Promise<JSONWebKeySet | undefined> {\n try {\n const jwks = await this.fetchJson<JSONWebKeySet>(uri);\n if (jwks?.keys?.length) {\n this.setProviderJwks(providerId, jwks);\n return jwks;\n }\n } catch {\n /* empty */\n }\n return undefined;\n }\n\n private async tryFetchAsMeta(url: string): Promise<any | undefined> {\n try {\n return await this.fetchJson(url);\n } catch {\n return undefined;\n }\n }\n\n private async fetchJson<T = any>(url: string): Promise<T> {\n const ctl = typeof AbortController !== 'undefined' ? new AbortController() : undefined;\n const timer = setTimeout(() => ctl?.abort(), this.opts.networkTimeoutMs);\n try {\n const res = await fetch(url, {\n method: 'GET',\n headers: {accept: 'application/json'},\n signal: ctl?.signal,\n });\n if (!res.ok) throw new Error(`HTTP ${res.status}`);\n return (await res.json()) as T;\n } finally {\n clearTimeout(timer);\n }\n }\n\n private ensureOrchestratorKey() {\n const now = Date.now();\n const maxAge = this.opts.rotateDays * 24 * 60 * 60 * 1000;\n if (!this.orchestratorKey || now - this.orchestratorKey.createdAt > maxAge) {\n this.orchestratorKey = this.generateKey(this.opts.orchestratorAlg);\n }\n }\n\n private generateKey(alg: 'RS256' | 'ES256') {\n if (alg === 'RS256') {\n const {privateKey, publicKey} = crypto.generateKeyPairSync('rsa', {modulusLength: 2048});\n const kid = crypto.randomBytes(8).toString('hex');\n const publicJwk = publicKey.export({format: 'jwk'});\n Object.assign(publicJwk, {kid, alg: 'RS256', use: 'sig', kty: 'RSA'});\n return {kid, privateKey, publicJwk: {keys: [publicJwk]}, createdAt: Date.now()};\n } else {\n const {privateKey, publicKey} = crypto.generateKeyPairSync('ec', {namedCurve: 'P-256'});\n const kid = crypto.randomBytes(8).toString('hex');\n const publicJwk = publicKey.export({format: 'jwk'});\n Object.assign(publicJwk, {kid, alg: 'ES256', use: 'sig', kty: 'EC'});\n return {kid, privateKey, publicJwk: {keys: [publicJwk]}, createdAt: Date.now()};\n }\n }\n}\n"]}

package/src/auth/jwks/jwks.types.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import { JSONWebKeySet } from 'jose';
+export type JwksServiceOptions = {
+    orchestratorAlg?: 'RS256' | 'ES256';
+    rotateDays?: number;
+    /** TTL (ms) for cached provider JWKS before attempting refresh. Default: 6h */
+    providerJwksTtlMs?: number;
+    /** Timeout (ms) for network metadata/JWKS fetches. Default: 5s */
+    networkTimeoutMs?: number;
+};
+/** Rich descriptor used by verification & fetching */
+export type ProviderVerifyRef = {
+    id: string;
+    issuerUrl: string;
+    jwksUri?: string;
+    jwks?: JSONWebKeySet;
+};
+export type VerifyResult = {
+    ok: boolean;
+    issuer?: string;
+    sub?: string;
+    providerId?: string;
+    header?: any;
+    payload?: any;
+    error?: string;
+};

package/src/auth/jwks/jwks.types.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=jwks.types.js.map

package/src/auth/jwks/jwks.types.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwks.types.js","sourceRoot":"","sources":["../../../../src/auth/jwks/jwks.types.ts"],"names":[],"mappings":"","sourcesContent":["import { JSONWebKeySet } from 'jose';\n\nexport type JwksServiceOptions = {\n orchestratorAlg?: 'RS256' | 'ES256';\n rotateDays?: number;\n /** TTL (ms) for cached provider JWKS before attempting refresh. Default: 6h */\n providerJwksTtlMs?: number;\n /** Timeout (ms) for network metadata/JWKS fetches. Default: 5s */\n networkTimeoutMs?: number;\n};\n\n/** Rich descriptor used by verification & fetching */\nexport type ProviderVerifyRef = {\n id: string;\n issuerUrl: string; // upstream issuer (e.g., https://idp.example.com)\n jwksUri?: string; // optional explicit JWKS uri\n jwks?: JSONWebKeySet; // optional inline keys (prioritized)\n};\n\nexport type VerifyResult = {\n ok: boolean;\n issuer?: string;\n sub?: string;\n providerId?: string;\n header?: any;\n payload?: any;\n error?: string;\n};\n"]}

package/src/auth/jwks/jwks.utils.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+export declare function trimSlash(s: string): string;
+export declare function normalizeIssuer(u?: string): string;
+/** Safe, no-verify JWT payload decode (returns undefined on error). */
+export declare function decodeJwtPayloadSafe(token?: string): Record<string, unknown> | undefined;

package/src/auth/jwks/jwks.utils.js ADDED Viewed

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.trimSlash = trimSlash;
+exports.normalizeIssuer = normalizeIssuer;
+exports.decodeJwtPayloadSafe = decodeJwtPayloadSafe;
+function trimSlash(s) {
+    return (s ?? '').replace(/\/+$/, '');
+}
+function normalizeIssuer(u) {
+    return trimSlash(String(u ?? ''));
+}
+/** Safe, no-verify JWT payload decode (returns undefined on error). */
+function decodeJwtPayloadSafe(token) {
+    if (!token)
+        return undefined;
+    const parts = token.split('.');
+    if (parts.length < 2)
+        return undefined;
+    try {
+        const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+        const json = typeof Buffer !== 'undefined'
+            ? Buffer.from(b64, 'base64').toString('utf8')
+            : // browser fallback
+                atob(b64);
+        const obj = JSON.parse(json);
+        return obj && typeof obj === 'object' ? obj : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+//# sourceMappingURL=jwks.utils.js.map

package/src/auth/jwks/jwks.utils.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwks.utils.js","sourceRoot":"","sources":["../../../../src/auth/jwks/jwks.utils.ts"],"names":[],"mappings":";;AAAA,8BAEC;AACD,0CAEC;AAGD,oDAgBC;AAxBD,SAAgB,SAAS,CAAC,CAAS;IACjC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACvC,CAAC;AACD,SAAgB,eAAe,CAAC,CAAU;IACxC,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,uEAAuE;AACvE,SAAgB,oBAAoB,CAAC,KAAc;IACjD,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAC3D,MAAM,IAAI,GACR,OAAO,MAAM,KAAK,WAAW;YAC3B,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC7C,CAAC,CAAC,mBAAmB;gBACrB,IAAI,CAAC,GAAG,CAAC,CAAC;QACd,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC7B,OAAO,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAE,GAA+B,CAAC,CAAC,CAAC,SAAS,CAAC;IACvF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC","sourcesContent":["export function trimSlash(s: string) {\n return (s ?? '').replace(/\\/+$/, '');\n}\nexport function normalizeIssuer(u?: string) {\n return trimSlash(String(u ?? ''));\n}\n\n/** Safe, no-verify JWT payload decode (returns undefined on error). */\nexport function decodeJwtPayloadSafe(token?: string): Record<string, unknown> | undefined {\n if (!token) return undefined;\n const parts = token.split('.');\n if (parts.length < 2) return undefined;\n try {\n const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');\n const json =\n typeof Buffer !== 'undefined'\n ? Buffer.from(b64, 'base64').toString('utf8')\n : // browser fallback\n atob(b64);\n const obj = JSON.parse(json);\n return obj && typeof obj === 'object' ? (obj as Record<string, unknown>) : undefined;\n } catch {\n return undefined;\n }\n}\n"]}

package/src/auth/oauth/flows/oauth.authorize.flow.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+export {};
+/**
+ * Authorization Endpoint — GET /oauth/authorize
+ *
+ * Who calls: Browser via the Client (RP).
+ *
+ * When: Start of the flow.
+ *
+ * Purpose: Authenticate the user and obtain consent; returns an authorization code to the client’s redirect URI.
+ *
+ * Notes: Must support PKCE. Implicit/Hybrid are out in OAuth 2.1.
+ */
+/**
+ * Typical parameter shapes
+ *
+ * /oauth/authorize (GET)
+ *
+ * response_type=code, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method=S256, (optionally request_uri from PAR)
+ */
+/**
+ * Quick checklist (security & correctness)
+ * - PKCE (S256) required for public clients (and basically for all).
+ * - Use authorization code grant only (no implicit/hybrid).
+ * - Rotate refresh tokens and bind them to client + user + scopes.
+ * - Prefer private_key_jwt or mTLS for confidential clients.
+ * - PAR + JAR recommended for higher security.
+ * - Consider DPoP (proof-of-possession) to reduce token replay.
+ * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
+ * - Publish discovery and JWKS, rotate keys safely.
+ * - Decide JWT vs opaque access tokens; provide introspection if opaque.
+ */

package/src/auth/oauth/flows/oauth.authorize.flow.js ADDED Viewed

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Authorization Endpoint — GET /oauth/authorize
+ *
+ * Who calls: Browser via the Client (RP).
+ *
+ * When: Start of the flow.
+ *
+ * Purpose: Authenticate the user and obtain consent; returns an authorization code to the client’s redirect URI.
+ *
+ * Notes: Must support PKCE. Implicit/Hybrid are out in OAuth 2.1.
+ */
+/**
+ * Typical parameter shapes
+ *
+ * /oauth/authorize (GET)
+ *
+ * response_type=code, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method=S256, (optionally request_uri from PAR)
+ */
+/**
+ * Quick checklist (security & correctness)
+ * - PKCE (S256) required for public clients (and basically for all).
+ * - Use authorization code grant only (no implicit/hybrid).
+ * - Rotate refresh tokens and bind them to client + user + scopes.
+ * - Prefer private_key_jwt or mTLS for confidential clients.
+ * - PAR + JAR recommended for higher security.
+ * - Consider DPoP (proof-of-possession) to reduce token replay.
+ * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
+ * - Publish discovery and JWKS, rotate keys safely.
+ * - Decide JWT vs opaque access tokens; provide introspection if opaque.
+ */
+//# sourceMappingURL=oauth.authorize.flow.js.map

package/src/auth/oauth/flows/oauth.authorize.flow.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth.authorize.flow.js","sourceRoot":"","sources":["../../../../../src/auth/oauth/flows/oauth.authorize.flow.ts"],"names":[],"mappings":";;AAAA;;;;;;;;;;GAUG;AACH;;;;;;GAMG;AACH;;;;;;;;;;;GAWG","sourcesContent":["/**\n * Authorization Endpoint — GET /oauth/authorize\n *\n * Who calls: Browser via the Client (RP).\n *\n * When: Start of the flow.\n *\n * Purpose: Authenticate the user and obtain consent; returns an authorization code to the client’s redirect URI.\n *\n * Notes: Must support PKCE. Implicit/Hybrid are out in OAuth 2.1.\n */\n/**\n * Typical parameter shapes\n *\n * /oauth/authorize (GET)\n *\n * response_type=code, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method=S256, (optionally request_uri from PAR)\n */\n/**\n * Quick checklist (security & correctness)\n * - PKCE (S256) required for public clients (and basically for all).\n * - Use authorization code grant only (no implicit/hybrid).\n * - Rotate refresh tokens and bind them to client + user + scopes.\n * - Prefer private_key_jwt or mTLS for confidential clients.\n * - PAR + JAR recommended for higher security.\n * - Consider DPoP (proof-of-possession) to reduce token replay.\n * - Keep codes very short-lived (e.g., ≤60 s) and single-use.\n * - Publish discovery and JWKS, rotate keys safely.\n * - Decide JWT vs opaque access tokens; provide introspection if opaque.\n */\n"]}

package/src/auth/oauth/flows/oauth.device-authorization.flow.d.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * Device Authorization — POST /oauth/device_authorization
+ *
+ * Who calls: Device/TV app.
+ *
+ * Purpose: Start the device flow (user completes authorization on a second screen).
+ */
+export {};
+/**
+ * Quick checklist (security & correctness)
+ * - PKCE (S256) required for public clients (and basically for all).
+ * - Use authorization code grant only (no implicit/hybrid).
+ * - Rotate refresh tokens and bind them to client + user + scopes.
+ * - Prefer private_key_jwt or mTLS for confidential clients.
+ * - PAR + JAR recommended for higher security.
+ * - Consider DPoP (proof-of-possession) to reduce token replay.
+ * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
+ * - Publish discovery and JWKS, rotate keys safely.
+ * - Decide JWT vs opaque access tokens; provide introspection if opaque.
+ */
+/**
+ *
+ * OAuth 2.0 Device Authorization Grant (“device code flow”)
+ * Who does what (at a glance)
+ *
+ * Device/TV/CLI (no browser)
+ * Calls POST /oauth/device_authorization, shows the user a code + URL, and polls POST /oauth/token.
+ *
+ * User (on phone/laptop browser)
+ * Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.
+ *
+ * Auth Server (you)
+ * Stores the device transaction and, after the user authenticates, marks it as approved so the device’s /oauth/token polling succeeds.
+ *
+ * Endpoints you need (only two “new” ones)
+ *
+ * POST /oauth/device_authorization ✅ (device calls)
+ *
+ * POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)
+ *
+ * GET /activate ➜ “UI handler” (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)
+ *
+ * GET /activate/callback ➜ “UI handler” (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic “All set” page)
+ *
+ * That’s it. No pages with complex consent screens are required; reuse your normal /oauth/authorize
+ */

package/src/auth/oauth/flows/oauth.device-authorization.flow.js ADDED Viewed

@@ -0,0 +1,48 @@
+"use strict";
+/**
+ * Device Authorization — POST /oauth/device_authorization
+ *
+ * Who calls: Device/TV app.
+ *
+ * Purpose: Start the device flow (user completes authorization on a second screen).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Quick checklist (security & correctness)
+ * - PKCE (S256) required for public clients (and basically for all).
+ * - Use authorization code grant only (no implicit/hybrid).
+ * - Rotate refresh tokens and bind them to client + user + scopes.
+ * - Prefer private_key_jwt or mTLS for confidential clients.
+ * - PAR + JAR recommended for higher security.
+ * - Consider DPoP (proof-of-possession) to reduce token replay.
+ * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
+ * - Publish discovery and JWKS, rotate keys safely.
+ * - Decide JWT vs opaque access tokens; provide introspection if opaque.
+ */
+/**
+ *
+ * OAuth 2.0 Device Authorization Grant (“device code flow”)
+ * Who does what (at a glance)
+ *
+ * Device/TV/CLI (no browser)
+ * Calls POST /oauth/device_authorization, shows the user a code + URL, and polls POST /oauth/token.
+ *
+ * User (on phone/laptop browser)
+ * Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.
+ *
+ * Auth Server (you)
+ * Stores the device transaction and, after the user authenticates, marks it as approved so the device’s /oauth/token polling succeeds.
+ *
+ * Endpoints you need (only two “new” ones)
+ *
+ * POST /oauth/device_authorization ✅ (device calls)
+ *
+ * POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)
+ *
+ * GET /activate ➜ “UI handler” (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)
+ *
+ * GET /activate/callback ➜ “UI handler” (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic “All set” page)
+ *
+ * That’s it. No pages with complex consent screens are required; reuse your normal /oauth/authorize
+ */
+//# sourceMappingURL=oauth.device-authorization.flow.js.map

package/src/auth/oauth/flows/oauth.device-authorization.flow.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth.device-authorization.flow.js","sourceRoot":"","sources":["../../../../../src/auth/oauth/flows/oauth.device-authorization.flow.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAEH;;;;;;;;;;;GAWG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG","sourcesContent":["/**\n * Device Authorization — POST /oauth/device_authorization\n *\n * Who calls: Device/TV app.\n *\n * Purpose: Start the device flow (user completes authorization on a second screen).\n */\n\n/**\n * Quick checklist (security & correctness)\n * - PKCE (S256) required for public clients (and basically for all).\n * - Use authorization code grant only (no implicit/hybrid).\n * - Rotate refresh tokens and bind them to client + user + scopes.\n * - Prefer private_key_jwt or mTLS for confidential clients.\n * - PAR + JAR recommended for higher security.\n * - Consider DPoP (proof-of-possession) to reduce token replay.\n * - Keep codes very short-lived (e.g., ≤60 s) and single-use.\n * - Publish discovery and JWKS, rotate keys safely.\n * - Decide JWT vs opaque access tokens; provide introspection if opaque.\n */\n\n/**\n *\n * OAuth 2.0 Device Authorization Grant (“device code flow”)\n * Who does what (at a glance)\n *\n * Device/TV/CLI (no browser)\n * Calls POST /oauth/device_authorization, shows the user a code + URL, and polls POST /oauth/token.\n *\n * User (on phone/laptop browser)\n * Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.\n *\n * Auth Server (you)\n * Stores the device transaction and, after the user authenticates, marks it as approved so the device’s /oauth/token polling succeeds.\n *\n * Endpoints you need (only two “new” ones)\n *\n * POST /oauth/device_authorization ✅ (device calls)\n *\n * POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)\n *\n * GET /activate ➜ “UI handler” (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)\n *\n * GET /activate/callback ➜ “UI handler” (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic “All set” page)\n *\n * That’s it. No pages with complex consent screens are required; reuse your normal /oauth/authorize\n */\n"]}

package/src/auth/oauth/flows/oauth.introspect.flow.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * Token Introspection — POST /oauth/introspect
+ *
+ * Who calls: Resource servers (API gateways).
+ *
+ * Purpose: Check if a token is active and fetch metadata (subject, scopes, expiry)
+ * when you use opaque tokens or want server-side validation (RFC 7662).
+ */
+export {};
+/**
+ * Typical parameter shapes
+ *
+ * /oauth/introspect (POST): token, optional token_type_hint
+ */
+/**
+ * Quick checklist (security & correctness)
+ * - PKCE (S256) required for public clients (and basically for all).
+ * - Use authorization code grant only (no implicit/hybrid).
+ * - Rotate refresh tokens and bind them to client + user + scopes.
+ * - Prefer private_key_jwt or mTLS for confidential clients.
+ * - PAR + JAR recommended for higher security.
+ * - Consider DPoP (proof-of-possession) to reduce token replay.
+ * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
+ * - Publish discovery and JWKS, rotate keys safely.
+ * - Decide JWT vs opaque access tokens; provide introspection if opaque.
+ */

package/src/auth/oauth/flows/oauth.introspect.flow.js ADDED Viewed

@@ -0,0 +1,28 @@
+"use strict";
+/**
+ * Token Introspection — POST /oauth/introspect
+ *
+ * Who calls: Resource servers (API gateways).
+ *
+ * Purpose: Check if a token is active and fetch metadata (subject, scopes, expiry)
+ * when you use opaque tokens or want server-side validation (RFC 7662).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Typical parameter shapes
+ *
+ * /oauth/introspect (POST): token, optional token_type_hint
+ */
+/**
+ * Quick checklist (security & correctness)
+ * - PKCE (S256) required for public clients (and basically for all).
+ * - Use authorization code grant only (no implicit/hybrid).
+ * - Rotate refresh tokens and bind them to client + user + scopes.
+ * - Prefer private_key_jwt or mTLS for confidential clients.
+ * - PAR + JAR recommended for higher security.
+ * - Consider DPoP (proof-of-possession) to reduce token replay.
+ * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
+ * - Publish discovery and JWKS, rotate keys safely.
+ * - Decide JWT vs opaque access tokens; provide introspection if opaque.
+ */
+//# sourceMappingURL=oauth.introspect.flow.js.map

package/src/auth/oauth/flows/oauth.introspect.flow.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth.introspect.flow.js","sourceRoot":"","sources":["../../../../../src/auth/oauth/flows/oauth.introspect.flow.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;AAEH;;;;GAIG;AACH;;;;;;;;;;;GAWG","sourcesContent":["/**\n * Token Introspection — POST /oauth/introspect\n *\n * Who calls: Resource servers (API gateways).\n *\n * Purpose: Check if a token is active and fetch metadata (subject, scopes, expiry)\n * when you use opaque tokens or want server-side validation (RFC 7662).\n */\n\n/**\n * Typical parameter shapes\n *\n * /oauth/introspect (POST): token, optional token_type_hint\n */\n/**\n * Quick checklist (security & correctness)\n * - PKCE (S256) required for public clients (and basically for all).\n * - Use authorization code grant only (no implicit/hybrid).\n * - Rotate refresh tokens and bind them to client + user + scopes.\n * - Prefer private_key_jwt or mTLS for confidential clients.\n * - PAR + JAR recommended for higher security.\n * - Consider DPoP (proof-of-possession) to reduce token replay.\n * - Keep codes very short-lived (e.g., ≤60 s) and single-use.\n * - Publish discovery and JWKS, rotate keys safely.\n * - Decide JWT vs opaque access tokens; provide introspection if opaque.\n */\n"]}