npm - @harperfast/oauth - Versions diffs - 1.2.1 - Mend

@harperfast/oauth 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

package/LICENSE +201 -0
package/README.md +219 -0
package/assets/test.html +321 -0
package/config.yaml +23 -0
package/dist/index.d.ts +43 -0
package/dist/index.js +241 -0
package/dist/index.js.map +1 -0
package/dist/lib/CSRFTokenManager.d.ts +32 -0
package/dist/lib/CSRFTokenManager.js +90 -0
package/dist/lib/CSRFTokenManager.js.map +1 -0
package/dist/lib/OAuthProvider.d.ts +59 -0
package/dist/lib/OAuthProvider.js +370 -0
package/dist/lib/OAuthProvider.js.map +1 -0
package/dist/lib/config.d.ts +31 -0
package/dist/lib/config.js +138 -0
package/dist/lib/config.js.map +1 -0
package/dist/lib/handlers.d.ts +56 -0
package/dist/lib/handlers.js +386 -0
package/dist/lib/handlers.js.map +1 -0
package/dist/lib/hookManager.d.ts +52 -0
package/dist/lib/hookManager.js +114 -0
package/dist/lib/hookManager.js.map +1 -0
package/dist/lib/providers/auth0.d.ts +8 -0
package/dist/lib/providers/auth0.js +34 -0
package/dist/lib/providers/auth0.js.map +1 -0
package/dist/lib/providers/azure.d.ts +7 -0
package/dist/lib/providers/azure.js +33 -0
package/dist/lib/providers/azure.js.map +1 -0
package/dist/lib/providers/generic.d.ts +7 -0
package/dist/lib/providers/generic.js +20 -0
package/dist/lib/providers/generic.js.map +1 -0
package/dist/lib/providers/github.d.ts +7 -0
package/dist/lib/providers/github.js +73 -0
package/dist/lib/providers/github.js.map +1 -0
package/dist/lib/providers/google.d.ts +7 -0
package/dist/lib/providers/google.js +27 -0
package/dist/lib/providers/google.js.map +1 -0
package/dist/lib/providers/index.d.ts +17 -0
package/dist/lib/providers/index.js +49 -0
package/dist/lib/providers/index.js.map +1 -0
package/dist/lib/providers/okta.d.ts +8 -0
package/dist/lib/providers/okta.js +45 -0
package/dist/lib/providers/okta.js.map +1 -0
package/dist/lib/providers/validation.d.ts +67 -0
package/dist/lib/providers/validation.js +156 -0
package/dist/lib/providers/validation.js.map +1 -0
package/dist/lib/resource.d.ts +102 -0
package/dist/lib/resource.js +368 -0
package/dist/lib/resource.js.map +1 -0
package/dist/lib/sessionValidator.d.ts +38 -0
package/dist/lib/sessionValidator.js +162 -0
package/dist/lib/sessionValidator.js.map +1 -0
package/dist/lib/tenantManager.d.ts +102 -0
package/dist/lib/tenantManager.js +177 -0
package/dist/lib/tenantManager.js.map +1 -0
package/dist/lib/withOAuthValidation.d.ts +64 -0
package/dist/lib/withOAuthValidation.js +188 -0
package/dist/lib/withOAuthValidation.js.map +1 -0
package/dist/types.d.ts +326 -0
package/dist/types.js +5 -0
package/dist/types.js.map +1 -0
package/package.json +89 -0
package/schema/oauth.graphql +21 -0

package/assets/test.html ADDED Viewed

@@ -0,0 +1,321 @@
+<!doctype html>
+<html>
+	<head>
+		<title>Harper OAuth Test</title>
+		<style>
+			body {
+				font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+				max-width: 800px;
+				margin: 50px auto;
+				padding: 20px;
+			}
+			.user-info {
+				background: #f5f5f5;
+				padding: 20px;
+				border-radius: 8px;
+				margin: 20px 0;
+			}
+			.providers {
+				margin: 20px 0;
+			}
+			.provider-button {
+				display: inline-block;
+				padding: 10px 20px;
+				margin: 10px 10px 10px 0;
+				background: #0366d6;
+				color: white;
+				text-decoration: none;
+				border-radius: 6px;
+				border: none;
+				cursor: pointer;
+				font-size: 14px;
+			}
+			.provider-button.github {
+				background: #24292e;
+			}
+			.provider-button.github:hover {
+				background: #1a1e22;
+			}
+			.provider-button.google {
+				background: #4285f4;
+			}
+			.provider-button.google:hover {
+				background: #357ae8;
+			}
+			.provider-button.azure,
+			.provider-button.microsoft {
+				background: #0078d4;
+			}
+			.provider-button.azure:hover,
+			.provider-button.microsoft:hover {
+				background: #006cc1;
+			}
+			.provider-button.auth0 {
+				background: #eb5424;
+			}
+			.provider-button.auth0:hover {
+				background: #d44820;
+			}
+			.provider-button.okta {
+				background: #007dc1;
+			}
+			.provider-button.okta:hover {
+				background: #006ba1;
+			}
+			.button {
+				display: inline-block;
+				padding: 10px 20px;
+				margin: 10px 10px 10px 0;
+				background: #6c757d;
+				color: white;
+				text-decoration: none;
+				border-radius: 6px;
+				border: none;
+				cursor: pointer;
+				font-size: 14px;
+			}
+			.button:hover {
+				background: #5a6268;
+			}
+			pre {
+				background: #f6f8fa;
+				padding: 10px;
+				border-radius: 6px;
+				overflow-x: auto;
+			}
+			.error {
+				color: #d73a49;
+				background: #ffeef0;
+				padding: 10px;
+				border-radius: 6px;
+				margin: 10px 0;
+			}
+			.success {
+				color: #28a745;
+				background: #d4edda;
+				padding: 10px;
+				border-radius: 6px;
+				margin: 10px 0;
+			}
+			.loading {
+				color: #666;
+				font-style: italic;
+			}
+		</style>
+	</head>
+	<body>
+		<h1>Harper OAuth Test</h1>
+		<div id="user-info" class="user-info">
+			<h2>Current User</h2>
+			<div id="user-status" class="loading">Loading...</div>
+		</div>
+		<div class="providers">
+			<h2>Login Options</h2>
+			<div id="provider-buttons" class="loading">Loading providers...</div>
+		</div>
+		<div id="actions">
+			<button onclick="logout()" class="button">Logout</button>
+			<button onclick="checkUser()" class="button">Refresh Status</button>
+		</div>
+		<div id="message"></div>
+		<h2>Debug Endpoints</h2>
+		<p>These endpoints are available in debug mode:</p>
+		<ul>
+			<li><a href="/oauth" target="_blank">/oauth</a> - List all configured providers</li>
+			<li id="user-endpoint">Loading...</li>
+			<li id="refresh-endpoint" style="display: none">
+				<a href="#" onclick="refreshToken(); return false;">/oauth/{provider}/refresh</a> - Refresh access token
+			</li>
+		</ul>
+		<script>
+			let currentProvider = null;
+			let availableProviders = [];
+			async function loadProviders() {
+				try {
+					const response = await fetch('/oauth');
+					const data = await response.json();
+					const providerButtons = document.getElementById('provider-buttons');
+					if (data.providers && data.providers.length > 0) {
+						availableProviders = data.providers;
+						providerButtons.innerHTML = data.providers
+							.map(
+								(p) => `
+                        <a href="/oauth/${p.name}/login"
+                           class="provider-button ${p.provider}"
+                           onclick="setProvider('${p.name}'); return true;">
+                            Login with ${p.name.charAt(0).toUpperCase() + p.name.slice(1)}
+                        </a>
+                    `
+							)
+							.join('');
+						// Update user endpoint link
+						if (data.providers[0]) {
+							currentProvider = data.providers[0].name;
+							updateEndpoints();
+						}
+					} else {
+						providerButtons.innerHTML = '<p class="error">No OAuth providers configured</p>';
+					}
+				} catch (error) {
+					document.getElementById('provider-buttons').innerHTML =
+						'<p class="error">Error loading providers: ' + error.message + '</p>';
+				}
+			}
+			function setProvider(provider) {
+				currentProvider = provider;
+				localStorage.setItem('oauth-provider', provider);
+				updateEndpoints();
+			}
+			function updateEndpoints() {
+				if (currentProvider) {
+					document.getElementById('user-endpoint').innerHTML =
+						`<a href="/oauth/${currentProvider}/user" target="_blank">/oauth/${currentProvider}/user</a> - Current user info (JSON)`;
+				}
+			}
+			async function checkUser() {
+				if (!currentProvider && availableProviders.length > 0) {
+					currentProvider = availableProviders[0].name;
+				}
+				if (!currentProvider) {
+					document.getElementById('user-status').innerHTML = '<p class="error">No OAuth provider available</p>';
+					return;
+				}
+				try {
+					const response = await fetch(`/oauth/${currentProvider}/user`);
+					const data = await response.json();
+					const userStatus = document.getElementById('user-status');
+					if (response.status === 200 && (data.authenticated || data.body?.authenticated)) {
+						const user = data.body || data;
+						userStatus.innerHTML = `
+                        <p><strong>Authenticated:</strong> Yes</p>
+                        <p><strong>Username:</strong> ${user.username}</p>
+                        <p><strong>Email:</strong> ${user.email || 'N/A'}</p>
+                        <p><strong>Name:</strong> ${user.name || 'N/A'}</p>
+                        <p><strong>Role:</strong> ${user.role || 'N/A'}</p>
+                        <p><strong>Provider:</strong> ${user.provider}</p>
+                        <pre>${JSON.stringify(user, null, 2)}</pre>
+                    `;
+						showMessage('Authenticated successfully', 'success');
+					} else {
+						userStatus.innerHTML = `
+                        <p><strong>Authenticated:</strong> No</p>
+                        <p>Select a provider above to login.</p>
+                    `;
+					}
+				} catch (error) {
+					document.getElementById('user-status').innerHTML =
+						'<p class="error">Error checking user status: ' + error.message + '</p>';
+				}
+			}
+			async function logout() {
+				try {
+					const response = await fetch('/oauth/logout', {
+						method: 'POST',
+						headers: {
+							'Content-Type': 'application/json',
+						},
+					});
+					if (response.ok) {
+						showMessage('Logged out successfully', 'success');
+						checkUser();
+					} else {
+						throw new Error('Logout failed');
+					}
+				} catch (error) {
+					showMessage('Error logging out: ' + error.message, 'error');
+				}
+			}
+			async function refreshToken() {
+				if (!currentProvider) {
+					showMessage('No provider selected', 'error');
+					return;
+				}
+				try {
+					const response = await fetch(`/oauth/${currentProvider}/refresh`);
+					const data = await response.json();
+					if (response.ok) {
+						showMessage(
+							`Token refreshed successfully (expires in ${data.expiresIn || data.body?.expiresIn || 'unknown'} seconds)`,
+							'success'
+						);
+					} else {
+						showMessage(`Refresh failed: ${data.error || data.body?.error || 'Unknown error'}`, 'error');
+					}
+				} catch (error) {
+					showMessage('Error refreshing token: ' + error.message, 'error');
+				}
+			}
+			function showMessage(text, type) {
+				const messageEl = document.getElementById('message');
+				messageEl.className = type;
+				messageEl.textContent = text;
+				messageEl.style.display = 'block';
+				setTimeout(() => {
+					messageEl.style.display = 'none';
+				}, 5000);
+			}
+			// Initialize on page load
+			async function init() {
+				// Load saved provider preference
+				currentProvider = localStorage.getItem('oauth-provider');
+				await loadProviders();
+				await checkUser();
+				// Check for OAuth error parameters
+				const urlParams = new URLSearchParams(window.location.search);
+				const error = urlParams.get('error');
+				if (error) {
+					if (error === 'session_expired') {
+						showMessage('Session expired. Please login again.', 'error');
+					} else if (error === 'oauth_failed') {
+						const reason = urlParams.get('reason') || 'unknown';
+						showMessage(`OAuth login failed: ${reason}`, 'error');
+					} else if (error === 'invalid_request') {
+						showMessage('Invalid OAuth request. Please try again.', 'error');
+					} else {
+						showMessage(`Login error: ${error}`, 'error');
+					}
+					// Clean URL after showing error
+					window.history.replaceState({}, document.title, window.location.pathname);
+				}
+				// Check if we just logged in (redirected back)
+				if (window.location.pathname.includes('/callback')) {
+					showMessage('Login successful!', 'success');
+					// Redirect to test page to clean URL
+					setTimeout(() => {
+						window.location.href = '/oauth/test';
+					}, 1000);
+				}
+			}
+			init();
+		</script>
+	</body>
+</html>

package/config.yaml ADDED Viewed

@@ -0,0 +1,23 @@
+# OAuth Plugin Configuration
+# This file defines the plugin entry point and default settings
+# All settings can be overridden in your application's config.yaml
+# Plugin entry point (required by Harper)
+pluginModule: 'dist/index.js'
+# GraphQL schema for OAuth tables
+graphqlSchema:
+  files: 'schema/oauth.graphql'
+# Default settings (optional - these are used if not specified in app config)
+# No providers configured by default - must be configured in application
+# providers: {}
+# Default OAuth settings
+scope: 'openid profile email'
+usernameClaim: 'email'
+defaultRole: 'user'
+postLoginRedirect: '/'
+# Default redirect URI pattern (will be adjusted per provider)
+redirectUri: 'https://localhost:9953/oauth/callback'

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,43 @@
+/**
+ * Harper OAuth Plugin
+ *
+ * Provides OAuth 2.0 authentication for Harper applications.
+ * Supports any standard OAuth 2.0 provider through configuration.
+ */
+import type { Scope, OAuthHooks } from './types.ts';
+export { HookManager } from './lib/hookManager.ts';
+export { OAuthResource } from './lib/resource.ts';
+export type { OAuthHooks, OAuthUser, TokenResponse } from './types.ts';
+export { TenantManager } from './lib/tenantManager.ts';
+export type { TenantConfig, TenantRegistryEntry } from './lib/tenantManager.ts';
+export { validateDomainSafety, validateDomainAllowlist, validateEmailDomain, validateTenantId, sanitizeTenantName, validateAzureTenantId, } from './lib/providers/validation.ts';
+export { getProvider } from './lib/providers/index.ts';
+/**
+ * Register OAuth hooks programmatically
+ * Call this from your application code to register lifecycle hooks
+ *
+ * This can be called:
+ * - At module load time (before the plugin initializes) - hooks will be queued
+ * - After plugin initialization - hooks will be applied immediately
+ *
+ * NOTE: This registers hooks at the module level, shared across all instances
+ * of the OAuth plugin. For most applications with a single OAuth plugin instance,
+ * this is the simplest and recommended approach.
+ *
+ * @example
+ * ```typescript
+ * import { registerHooks } from '@harperfast/oauth';
+ *
+ * // Can be called at module load time or later
+ * registerHooks({
+ *   onLogin: async (oauthUser, tokenResponse, session, request, provider) => {
+ *     console.log(`User logged in: ${oauthUser.username}`);
+ *   }
+ * });
+ * ```
+ */
+export declare function registerHooks(hooks: OAuthHooks): void;
+/**
+ * Plugin entry point
+ */
+export declare function handleApplication(scope: Scope): Promise<void>;

package/dist/index.js ADDED Viewed

@@ -0,0 +1,241 @@
+/**
+ * Harper OAuth Plugin
+ *
+ * Provides OAuth 2.0 authentication for Harper applications.
+ * Supports any standard OAuth 2.0 provider through configuration.
+ */
+import { initializeProviders, expandEnvVar, extractPluginDefaults } from "./lib/config.js";
+import { OAuthResource } from "./lib/resource.js";
+import { validateAndRefreshSession } from "./lib/sessionValidator.js";
+import { clearOAuthSession } from "./lib/handlers.js";
+import { HookManager } from "./lib/hookManager.js";
+// Export HookManager class, OAuthResource class, and types
+export { HookManager } from "./lib/hookManager.js";
+export { OAuthResource } from "./lib/resource.js";
+// Export multi-tenant SSO support
+export { TenantManager } from "./lib/tenantManager.js";
+// Export validation utilities for secure tenant configuration
+export { validateDomainSafety, validateDomainAllowlist, validateEmailDomain, validateTenantId, sanitizeTenantName, validateAzureTenantId, } from "./lib/providers/validation.js";
+// Export provider utilities
+export { getProvider } from "./lib/providers/index.js";
+// Store hooks registered at module load time and active hookManager
+let pendingHooks = null;
+let activeHookManager = null;
+/**
+ * Register OAuth hooks programmatically
+ * Call this from your application code to register lifecycle hooks
+ *
+ * This can be called:
+ * - At module load time (before the plugin initializes) - hooks will be queued
+ * - After plugin initialization - hooks will be applied immediately
+ *
+ * NOTE: This registers hooks at the module level, shared across all instances
+ * of the OAuth plugin. For most applications with a single OAuth plugin instance,
+ * this is the simplest and recommended approach.
+ *
+ * @example
+ * ```typescript
+ * import { registerHooks } from '@harperfast/oauth';
+ *
+ * // Can be called at module load time or later
+ * registerHooks({
+ *   onLogin: async (oauthUser, tokenResponse, session, request, provider) => {
+ *     console.log(`User logged in: ${oauthUser.username}`);
+ *   }
+ * });
+ * ```
+ */
+export function registerHooks(hooks) {
+    if (activeHookManager) {
+        // Plugin is already loaded - apply immediately
+        activeHookManager.register(hooks);
+    }
+    else {
+        // Plugin not loaded yet - queue for later
+        pendingHooks = hooks;
+    }
+}
+/**
+ * Plugin entry point
+ */
+export async function handleApplication(scope) {
+    const logger = scope.logger;
+    let providers = {};
+    let debugMode = false;
+    let isInitialized = false;
+    let pluginDefaults = {}; // Store plugin defaults for dynamic provider resolution
+    // Create hookManager instance scoped to this application
+    const hookManager = new HookManager(logger);
+    // Set as active hookManager for late hook registration
+    activeHookManager = hookManager;
+    // Apply any hooks that were registered at module load time
+    if (pendingHooks) {
+        hookManager.register(pendingHooks);
+        logger?.debug?.('Applied pending OAuth hooks');
+        pendingHooks = null; // Clear pending hooks after applying
+    }
+    /**
+     * Update OAuth configuration when options change
+     */
+    async function updateConfiguration() {
+        const rawOptions = (scope.options.getAll() || {});
+        // Expand environment variables in plugin-level options
+        const debugValue = expandEnvVar(rawOptions.debug);
+        const options = { ...rawOptions, debug: debugValue };
+        const previousDebugMode = debugMode;
+        // Handle both boolean and string values (from environment variables)
+        debugMode = options.debug === true || options.debug === 'true';
+        // Log configuration update
+        if (isInitialized) {
+            logger?.info?.('OAuth configuration changed, updating providers...');
+        }
+        else {
+            logger?.info?.('OAuth plugin loading with options:', JSON.stringify(options, null, 2));
+            isInitialized = true;
+        }
+        // Re-initialize providers from new configuration
+        // Clear existing providers and repopulate (don't reassign to preserve closure reference)
+        const newProviders = initializeProviders(options, logger);
+        Object.keys(providers).forEach((key) => delete providers[key]);
+        Object.assign(providers, newProviders);
+        // Extract plugin defaults for dynamic provider resolution
+        pluginDefaults = extractPluginDefaults(options);
+        // Update the resource with new providers
+        if (Object.keys(providers).length === 0) {
+            // No valid providers configured - register a simple error resource
+            scope.resources.set('oauth', {
+                async get() {
+                    return {
+                        status: 503,
+                        body: {
+                            error: 'No valid OAuth providers configured',
+                            message: 'Please check your OAuth configuration',
+                            example: options.providers
+                                ? 'Check that all required fields are provided'
+                                : {
+                                    providers: {
+                                        github: {
+                                            provider: 'github',
+                                            clientId: '${OAUTH_GITHUB_CLIENT_ID}',
+                                            clientSecret: '${OAUTH_GITHUB_CLIENT_SECRET}',
+                                        },
+                                    },
+                                },
+                        },
+                    };
+                },
+            });
+        }
+        else {
+            // Configure the OAuth resource with providers and settings
+            OAuthResource.configure(providers, debugMode, hookManager, pluginDefaults, logger);
+            // Register the OAuth resource class
+            scope.resources.set('oauth', OAuthResource);
+            // Log all configured providers
+            logger?.info?.('OAuth plugin ready:', {
+                providers: Object.entries(providers).map(([name, data]) => ({
+                    name,
+                    type: data.config.provider,
+                    redirectUri: data.config.redirectUri,
+                })),
+            });
+        }
+        // Log debug mode change if it changed
+        if (isInitialized && previousDebugMode !== debugMode) {
+            logger?.info?.(`OAuth debug mode ${debugMode ? 'enabled' : 'disabled'}`);
+        }
+    }
+    // Register HTTP middleware for automatic OAuth session validation
+    // This runs on every HTTP request after authentication but before REST
+    scope.server.http?.(async (request, next) => {
+        // Only process requests with sessions that have OAuth data
+        if (!request.session?.oauth) {
+            return next(request);
+        }
+        // Get the provider config ID for this OAuth session
+        // Use providerConfigId (new) or fall back to provider (old) for backwards compatibility
+        const providerConfigId = request.session.oauth.providerConfigId || request.session.oauth.provider;
+        let providerData = providers[providerConfigId];
+        // If provider not found in registry, try to resolve via hook (dynamic providers)
+        if (!providerData && hookManager?.hasHook('onResolveProvider')) {
+            try {
+                logger?.debug?.(`Provider config "${providerConfigId}" not in registry, attempting dynamic resolution`);
+                const hookConfig = await hookManager.callResolveProvider(providerConfigId, logger);
+                if (hookConfig) {
+                    // Hook resolved provider - build full config and register dynamically
+                    const { OAuthProvider } = await import("./lib/OAuthProvider.js");
+                    const { buildProviderConfig } = await import("./lib/config.js");
+                    // Build full provider config (handles Okta/Azure/Auth0 domain configuration)
+                    const config = buildProviderConfig(hookConfig, providerConfigId, pluginDefaults);
+                    const provider = new OAuthProvider(config, logger);
+                    providers[providerConfigId] = {
+                        provider,
+                        config,
+                    };
+                    providerData = providers[providerConfigId];
+                    logger?.info?.(`Dynamically registered provider for session validation: ${providerConfigId}`);
+                }
+            }
+            catch (error) {
+                logger?.error?.(`Error resolving provider ${providerConfigId} for session:`, error.message);
+            }
+        }
+        if (!providerData) {
+            logger?.warn?.(`OAuth provider config '${providerConfigId}' not found, logging out user`);
+            // Provider no longer exists - complete logout
+            await clearOAuthSession(request.session, logger);
+            return next(request);
+        }
+        // Validate and refresh session automatically
+        const validation = await validateAndRefreshSession(request, providerData.provider, logger, hookManager);
+        if (!validation.valid) {
+            // Session is no longer valid (already cleaned up by validator)
+            logger?.debug?.(`OAuth session invalidated: ${validation.error}`);
+        }
+        else if (validation.refreshed) {
+            logger?.debug?.(`OAuth token auto-refreshed for ${providerConfigId}`);
+        }
+        // Continue with the request (session updated if refreshed)
+        return next(request);
+    });
+    // Concurrency control for configuration updates
+    let updating = false;
+    let pendingUpdate = false;
+    /**
+     * Run configuration update with concurrency protection
+     */
+    const runUpdate = async () => {
+        if (updating) {
+            pendingUpdate = true;
+            return;
+        }
+        updating = true;
+        try {
+            await updateConfiguration();
+            // If another update was requested while we were running, run again
+            if (pendingUpdate) {
+                pendingUpdate = false;
+                await runUpdate();
+            }
+        }
+        catch (error) {
+            logger?.error?.('Failed to update OAuth configuration:', error);
+        }
+        finally {
+            updating = false;
+        }
+    };
+    // Initial configuration (errors propagate to plugin loader)
+    await updateConfiguration();
+    // Watch for configuration changes (errors caught internally)
+    scope.options.on('change', () => {
+        runUpdate().catch((error) => {
+            logger?.error?.('Unexpected error in OAuth config update:', error);
+        });
+    });
+    // Clean up on scope close
+    scope.on('close', () => {
+        logger?.info?.('OAuth plugin shutting down');
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,mBAAmB,EAAE,YAAY,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC3F,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,yBAAyB,EAAE,MAAM,2BAA2B,CAAC;AACtE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGnD,2DAA2D;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,kCAAkC;AAClC,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAGvD,8DAA8D;AAC9D,OAAO,EACN,oBAAoB,EACpB,uBAAuB,EACvB,mBAAmB,EACnB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,GACrB,MAAM,+BAA+B,CAAC;AAEvC,4BAA4B;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD,oEAAoE;AACpE,IAAI,YAAY,GAAsB,IAAI,CAAC;AAC3C,IAAI,iBAAiB,GAAuB,IAAI,CAAC;AAEjD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,UAAU,aAAa,CAAC,KAAiB;IAC9C,IAAI,iBAAiB,EAAE,CAAC;QACvB,+CAA+C;QAC/C,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;SAAM,CAAC;QACP,0CAA0C;QAC1C,YAAY,GAAG,KAAK,CAAC;IACtB,CAAC;AACF,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,KAAY;IACnD,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;IAC5B,IAAI,SAAS,GAAqB,EAAE,CAAC;IACrC,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,cAAc,GAAQ,EAAE,CAAC,CAAC,wDAAwD;IAEtF,yDAAyD;IACzD,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;IAE5C,uDAAuD;IACvD,iBAAiB,GAAG,WAAW,CAAC;IAEhC,2DAA2D;IAC3D,IAAI,YAAY,EAAE,CAAC;QAClB,WAAW,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QACnC,MAAM,EAAE,KAAK,EAAE,CAAC,6BAA6B,CAAC,CAAC;QAC/C,YAAY,GAAG,IAAI,CAAC,CAAC,qCAAqC;IAC3D,CAAC;IAED;;OAEG;IACH,KAAK,UAAU,mBAAmB;QACjC,MAAM,UAAU,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,CAAsB,CAAC;QAEvE,uDAAuD;QACvD,MAAM,UAAU,GAAG,YAAY,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QAElD,MAAM,OAAO,GAAG,EAAE,GAAG,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;QACrD,MAAM,iBAAiB,GAAG,SAAS,CAAC;QACpC,qEAAqE;QACrE,SAAS,GAAG,OAAO,CAAC,KAAK,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,KAAK,MAAM,CAAC;QAE/D,2BAA2B;QAC3B,IAAI,aAAa,EAAE,CAAC;YACnB,MAAM,EAAE,IAAI,EAAE,CAAC,oDAAoD,CAAC,CAAC;QACtE,CAAC;aAAM,CAAC;YACP,MAAM,EAAE,IAAI,EAAE,CAAC,oCAAoC,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACvF,aAAa,GAAG,IAAI,CAAC;QACtB,CAAC;QAED,iDAAiD;QACjD,yFAAyF;QACzF,MAAM,YAAY,GAAG,mBAAmB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1D,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QAEvC,0DAA0D;QAC1D,cAAc,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAEhD,yCAAyC;QACzC,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzC,mEAAmE;YACnE,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE;gBAC5B,KAAK,CAAC,GAAG;oBACR,OAAO;wBACN,MAAM,EAAE,GAAG;wBACX,IAAI,EAAE;4BACL,KAAK,EAAE,qCAAqC;4BAC5C,OAAO,EAAE,uCAAuC;4BAChD,OAAO,EAAE,OAAO,CAAC,SAAS;gCACzB,CAAC,CAAC,6CAA6C;gCAC/C,CAAC,CAAC;oCACA,SAAS,EAAE;wCACV,MAAM,EAAE;4CACP,QAAQ,EAAE,QAAQ;4CAClB,QAAQ,EAAE,2BAA2B;4CACrC,YAAY,EAAE,+BAA+B;yCAC7C;qCACD;iCACD;yBACH;qBACD,CAAC;gBACH,CAAC;aACD,CAAC,CAAC;QACJ,CAAC;aAAM,CAAC;YACP,2DAA2D;YAC3D,aAAa,CAAC,SAAS,CAAC,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,CAAC,CAAC;YAEnF,oCAAoC;YACpC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;YAE5C,+BAA+B;YAC/B,MAAM,EAAE,IAAI,EAAE,CAAC,qBAAqB,EAAE;gBACrC,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC3D,IAAI;oBACJ,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;oBAC1B,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;iBACpC,CAAC,CAAC;aACH,CAAC,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,IAAI,aAAa,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACtD,MAAM,EAAE,IAAI,EAAE,CAAC,oBAAoB,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;QAC1E,CAAC;IACF,CAAC;IAED,kEAAkE;IAClE,uEAAuE;IACvE,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,OAAY,EAAE,IAAuB,EAAE,EAAE;QACnE,2DAA2D;QAC3D,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC;QACtB,CAAC;QAED,oDAAoD;QACpD,wFAAwF;QACxF,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,gBAAgB,IAAI,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC;QAClG,IAAI,YAAY,GAAG,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAE/C,iFAAiF;QACjF,IAAI,CAAC,YAAY,IAAI,WAAW,EAAE,OAAO,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAChE,IAAI,CAAC;gBACJ,MAAM,EAAE,KAAK,EAAE,CAAC,oBAAoB,gBAAgB,kDAAkD,CAAC,CAAC;gBAExG,MAAM,UAAU,GAAG,MAAM,WAAW,CAAC,mBAAmB,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;gBAEnF,IAAI,UAAU,EAAE,CAAC;oBAChB,sEAAsE;oBACtE,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;oBACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;oBAEhE,6EAA6E;oBAC7E,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,gBAAgB,EAAE,cAAc,CAAC,CAAC;oBACjF,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;oBAEnD,SAAS,CAAC,gBAAgB,CAAC,GAAG;wBAC7B,QAAQ;wBACR,MAAM;qBACN,CAAC;oBAEF,YAAY,GAAG,SAAS,CAAC,gBAAgB,CAAC,CAAC;oBAC3C,MAAM,EAAE,IAAI,EAAE,CAAC,2DAA2D,gBAAgB,EAAE,CAAC,CAAC;gBAC/F,CAAC;YACF,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBAChB,MAAM,EAAE,KAAK,EAAE,CAAC,4BAA4B,gBAAgB,eAAe,EAAG,KAAe,CAAC,OAAO,CAAC,CAAC;YACxG,CAAC;QACF,CAAC;QAED,IAAI,CAAC,YAAY,EAAE,CAAC;YACnB,MAAM,EAAE,IAAI,EAAE,CAAC,0BAA0B,gBAAgB,+BAA+B,CAAC,CAAC;YAC1F,8CAA8C;YAC9C,MAAM,iBAAiB,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACjD,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC;QACtB,CAAC;QAED,6CAA6C;QAC7C,MAAM,UAAU,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;QAExG,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACvB,+DAA+D;YAC/D,MAAM,EAAE,KAAK,EAAE,CAAC,8BAA8B,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;QACnE,CAAC;aAAM,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;YACjC,MAAM,EAAE,KAAK,EAAE,CAAC,kCAAkC,gBAAgB,EAAE,CAAC,CAAC;QACvE,CAAC;QAED,2DAA2D;QAC3D,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC;IACtB,CAAC,CAAC,CAAC;IAEH,gDAAgD;IAChD,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,aAAa,GAAG,KAAK,CAAC;IAE1B;;OAEG;IACH,MAAM,SAAS,GAAG,KAAK,IAAI,EAAE;QAC5B,IAAI,QAAQ,EAAE,CAAC;YACd,aAAa,GAAG,IAAI,CAAC;YACrB,OAAO;QACR,CAAC;QAED,QAAQ,GAAG,IAAI,CAAC;QAChB,IAAI,CAAC;YACJ,MAAM,mBAAmB,EAAE,CAAC;YAE5B,mEAAmE;YACnE,IAAI,aAAa,EAAE,CAAC;gBACnB,aAAa,GAAG,KAAK,CAAC;gBACtB,MAAM,SAAS,EAAE,CAAC;YACnB,CAAC;QACF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,EAAE,KAAK,EAAE,CAAC,uCAAuC,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;gBAAS,CAAC;YACV,QAAQ,GAAG,KAAK,CAAC;QAClB,CAAC;IACF,CAAC,CAAC;IAEF,4DAA4D;IAC5D,MAAM,mBAAmB,EAAE,CAAC;IAE5B,6DAA6D;IAC7D,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;QAC/B,SAAS,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YAC3B,MAAM,EAAE,KAAK,EAAE,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAC1B,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;QACtB,MAAM,EAAE,IAAI,EAAE,CAAC,4BAA4B,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACJ,CAAC"}

package/dist/lib/CSRFTokenManager.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * CSRF Token Manager for OAuth flows
+ *
+ * Manages CSRF protection tokens that prevent cross-site request forgery
+ * during OAuth authorization flows. Tokens are stored in Harper table
+ * for distributed access across workers and cluster nodes.
+ */
+import type { CSRFTokenData, Logger } from '../types.ts';
+/**
+ * Reset the cached CSRF table reference (for testing only)
+ * @internal
+ */
+export declare function resetCSRFTableCache(): void;
+export declare class CSRFTokenManager {
+    private logger?;
+    constructor(logger?: Logger);
+    /**
+     * Store CSRF token with metadata
+     * Table expiration is handled by Harper (10 minutes)
+     */
+    set(token: string, data: CSRFTokenData): Promise<void>;
+    /**
+     * Retrieve CSRF token
+     * Harper automatically handles expiration via table-level setting
+     */
+    get(token: string): Promise<CSRFTokenData | null>;
+    /**
+     * Delete CSRF token (after successful verification)
+     */
+    delete(token: string): Promise<void>;
+}
+export declare const csrfTokenManager: CSRFTokenManager;