@harperfast/oauth 1.2.1

package/dist/lib/hookManager.js

@@ -0,0 +1,114 @@
+/**
+ * OAuth Hook Manager
+ *
+ * Manages loading and calling lifecycle hooks for the OAuth plugin
+ */
+/**
+ * Hook Manager
+ * Loads and executes OAuth lifecycle hooks
+ */
+export class HookManager {
+    hooks = {};
+    logger;
+    constructor(logger) {
+        this.logger = logger;
+    }
+    /**
+     * Register hooks programmatically
+     * Allows applications to register hooks directly without using config
+     */
+    register(hooks) {
+        this.hooks = hooks;
+        this.logger?.debug?.(`Registered OAuth hooks: ${Object.keys(hooks)
+            .filter((key) => hooks[key])
+            .join(', ')}`);
+    }
+    /**
+     * Call onLogin hook
+     */
+    async callOnLogin(oauthUser, tokenResponse, session, request, provider) {
+        if (!this.hooks.onLogin)
+            return;
+        try {
+            this.logger?.debug?.(`Calling onLogin hook for provider: ${provider}`);
+            const result = await this.hooks.onLogin(oauthUser, tokenResponse, session, request, provider);
+            return result;
+        }
+        catch (error) {
+            this.logger?.error?.('onLogin hook failed:', error.message);
+            // Don't throw - hooks should not break the OAuth flow
+            return;
+        }
+    }
+    /**
+     * Call onLogout hook
+     */
+    async callOnLogout(session, request) {
+        if (!this.hooks.onLogout)
+            return;
+        try {
+            this.logger?.debug?.('Calling onLogout hook');
+            await this.hooks.onLogout(session, request);
+        }
+        catch (error) {
+            this.logger?.error?.('onLogout hook failed:', error.message);
+            // Don't throw - hooks should not break logout
+        }
+    }
+    /**
+     * Call onTokenRefresh hook
+     */
+    async callOnTokenRefresh(session, refreshed, request) {
+        if (!this.hooks.onTokenRefresh)
+            return;
+        try {
+            this.logger?.debug?.(`Calling onTokenRefresh hook (refreshed: ${refreshed})`);
+            await this.hooks.onTokenRefresh(session, refreshed, request);
+        }
+        catch (error) {
+            this.logger?.error?.('onTokenRefresh hook failed:', error.message);
+            // Don't throw - hooks should not break token refresh
+        }
+    }
+    /**
+     * Check if a specific hook is registered
+     */
+    hasHook(hookName) {
+        return !!this.hooks[hookName];
+    }
+    /**
+     * Check if any hooks are loaded
+     */
+    hasHooks() {
+        return Object.keys(this.hooks).length > 0;
+    }
+    /**
+     * Call onResolveProvider hook
+     *
+     * Called when a provider is not found in the static registry.
+     * Allows applications to dynamically resolve provider configurations.
+     *
+     * @param providerName - Provider name from URL path (e.g., "okta-org_abc123")
+     * @param logger - Optional logger instance
+     * @returns Provider configuration or null if not found
+     * @throws Error if resolution fails
+     */
+    async callResolveProvider(providerName, logger) {
+        const hook = this.hooks.onResolveProvider;
+        if (!hook)
+            return null;
+        try {
+            this.logger?.debug?.(`Calling onResolveProvider hook for: ${providerName}`);
+            const config = await hook(providerName, logger || this.logger);
+            if (config) {
+                this.logger?.debug?.(`Provider resolved: ${providerName} → ${config.provider}`);
+            }
+            return config;
+        }
+        catch (error) {
+            this.logger?.error?.('onResolveProvider hook failed:', error.message);
+            throw error; // Re-throw for resource to handle (returns 500)
+        }
+    }
+}
+//# sourceMappingURL=hookManager.js.map

package/dist/lib/hookManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hookManager.js","sourceRoot":"","sources":["../../src/lib/hookManager.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;GAGG;AACH,MAAM,OAAO,WAAW;IACf,KAAK,GAAe,EAAE,CAAC;IACvB,MAAM,CAAU;IAExB,YAAY,MAAe;QAC1B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACtB,CAAC;IAED;;;OAGG;IACH,QAAQ,CAAC,KAAiB;QACzB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CACnB,2BAA2B,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;aAC3C,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,GAAuB,CAAC,CAAC;aAC/C,IAAI,CAAC,IAAI,CAAC,EAAE,CACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAChB,SAAoB,EACpB,aAA4B,EAC5B,OAAY,EACZ,OAAY,EACZ,QAAgB;QAEhB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO;YAAE,OAAO;QAEhC,IAAI,CAAC;YACJ,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;YACvE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YAC9F,OAAO,MAAM,CAAC;QACf,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,sBAAsB,EAAG,KAAe,CAAC,OAAO,CAAC,CAAC;YACvE,sDAAsD;YACtD,OAAO;QACR,CAAC;IACF,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,OAAY,EAAE,OAAY;QAC5C,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ;YAAE,OAAO;QAEjC,IAAI,CAAC;YACJ,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,uBAAuB,CAAC,CAAC;YAC9C,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,uBAAuB,EAAG,KAAe,CAAC,OAAO,CAAC,CAAC;YACxE,8CAA8C;QAC/C,CAAC;IACF,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CAAC,OAAY,EAAE,SAAkB,EAAE,OAAa;QACvE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc;YAAE,OAAO;QAEvC,IAAI,CAAC;YACJ,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,2CAA2C,SAAS,GAAG,CAAC,CAAC;YAC9E,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QAC9D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,6BAA6B,EAAG,KAAe,CAAC,OAAO,CAAC,CAAC;YAC9E,qDAAqD;QACtD,CAAC;IACF,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,QAA0B;QACjC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,QAAQ;QACP,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IAC3C,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,mBAAmB,CAAC,YAAoB,EAAE,MAAe;QAC9D,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC;QAC1C,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,CAAC;YACJ,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,uCAAuC,YAAY,EAAE,CAAC,CAAC;YAC5E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC;YAC/D,IAAI,MAAM,EAAE,CAAC;gBACZ,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,sBAAsB,YAAY,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;YACjF,CAAC;YACD,OAAO,MAAM,CAAC;QACf,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,gCAAgC,EAAG,KAAe,CAAC,OAAO,CAAC,CAAC;YACjF,MAAM,KAAK,CAAC,CAAC,gDAAgD;QAC9D,CAAC;IACF,CAAC;CACD"}

package/dist/lib/providers/auth0.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Auth0 OAuth Provider Preset
+ *
+ * Configuration for Auth0 OAuth 2.0 authentication.
+ * Requires domain configuration.
+ */
+import type { OAuthProviderConfig } from '../../types.ts';
+export declare const auth0Provider: OAuthProviderConfig;

package/dist/lib/providers/auth0.js

@@ -0,0 +1,34 @@
+/**
+ * Auth0 OAuth Provider Preset
+ *
+ * Configuration for Auth0 OAuth 2.0 authentication.
+ * Requires domain configuration.
+ */
+import { validateDomainSafety, validateDomainAllowlist } from "./validation.js";
+export const auth0Provider = {
+    provider: 'auth0',
+    clientId: '', // Will be overridden by config
+    clientSecret: '', // Will be overridden by config
+    authorizationUrl: '', // Will be set by configure()
+    tokenUrl: '', // Will be set by configure()
+    userInfoUrl: '', // Will be set by configure()
+    scope: 'openid profile email',
+    usernameClaim: 'email',
+    defaultRole: 'user',
+    // URLs are configured dynamically based on domain
+    configure: (domain) => {
+        // Validate domain safety (SSRF protection, private IPs, etc.)
+        const hostname = validateDomainSafety(domain, 'Auth0');
+        // Validate against Auth0 domain allowlist
+        const ALLOWED_AUTH0_DOMAINS = ['.auth0.com', '.us.auth0.com', '.eu.auth0.com', '.au.auth0.com', '.jp.auth0.com'];
+        validateDomainAllowlist(hostname, ALLOWED_AUTH0_DOMAINS, 'Auth0');
+        return {
+            authorizationUrl: `https://${hostname}/authorize`,
+            tokenUrl: `https://${hostname}/oauth/token`,
+            userInfoUrl: `https://${hostname}/userinfo`,
+            jwksUri: `https://${hostname}/.well-known/jwks.json`,
+            issuer: `https://${hostname}/`,
+        };
+    },
+};
+//# sourceMappingURL=auth0.js.map

package/dist/lib/providers/auth0.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth0.js","sourceRoot":"","sources":["../../../src/lib/providers/auth0.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAEhF,MAAM,CAAC,MAAM,aAAa,GAAwB;IACjD,QAAQ,EAAE,OAAO;IACjB,QAAQ,EAAE,EAAE,EAAE,+BAA+B;IAC7C,YAAY,EAAE,EAAE,EAAE,+BAA+B;IACjD,gBAAgB,EAAE,EAAE,EAAE,6BAA6B;IACnD,QAAQ,EAAE,EAAE,EAAE,6BAA6B;IAC3C,WAAW,EAAE,EAAE,EAAE,6BAA6B;IAC9C,KAAK,EAAE,sBAAsB;IAC7B,aAAa,EAAE,OAAO;IACtB,WAAW,EAAE,MAAM;IAEnB,kDAAkD;IAClD,SAAS,EAAE,CAAC,MAAc,EAAgC,EAAE;QAC3D,8DAA8D;QAC9D,MAAM,QAAQ,GAAG,oBAAoB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAEvD,0CAA0C;QAC1C,MAAM,qBAAqB,GAAG,CAAC,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;QACjH,uBAAuB,CAAC,QAAQ,EAAE,qBAAqB,EAAE,OAAO,CAAC,CAAC;QAElE,OAAO;YACN,gBAAgB,EAAE,WAAW,QAAQ,YAAY;YACjD,QAAQ,EAAE,WAAW,QAAQ,cAAc;YAC3C,WAAW,EAAE,WAAW,QAAQ,WAAW;YAC3C,OAAO,EAAE,WAAW,QAAQ,wBAAwB;YACpD,MAAM,EAAE,WAAW,QAAQ,GAAG;SAC9B,CAAC;IACH,CAAC;CACD,CAAC"}

package/dist/lib/providers/azure.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Azure AD OAuth Provider Configuration
+ *
+ * Supports both single-tenant and multi-tenant configurations
+ */
+import type { OAuthProviderConfig } from '../../types.ts';
+export declare const AzureADProvider: OAuthProviderConfig;

package/dist/lib/providers/azure.js

@@ -0,0 +1,33 @@
+/**
+ * Azure AD OAuth Provider Configuration
+ *
+ * Supports both single-tenant and multi-tenant configurations
+ */
+import { validateAzureTenantId } from "./validation.js";
+export const AzureADProvider = {
+    provider: 'azure',
+    clientId: '', // Will be overridden by config
+    clientSecret: '', // Will be overridden by config
+    // Default to common endpoint (multi-tenant)
+    authorizationUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
+    tokenUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
+    userInfoUrl: 'https://graph.microsoft.com/v1.0/me',
+    jwksUri: 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
+    issuer: null, // Varies by tenant
+    scope: 'openid profile email User.Read',
+    usernameClaim: 'email',
+    emailClaim: 'email',
+    nameClaim: 'displayName',
+    // Azure-specific: configure endpoints based on tenant
+    configure: (tenantId) => {
+        // Validate Azure tenant ID format
+        validateAzureTenantId(tenantId);
+        return {
+            authorizationUrl: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`,
+            tokenUrl: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
+            jwksUri: `https://login.microsoftonline.com/${tenantId}/discovery/v2.0/keys`,
+            issuer: `https://login.microsoftonline.com/${tenantId}/v2.0`,
+        };
+    },
+};
+//# sourceMappingURL=azure.js.map

package/dist/lib/providers/azure.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure.js","sourceRoot":"","sources":["../../../src/lib/providers/azure.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAExD,MAAM,CAAC,MAAM,eAAe,GAAwB;IACnD,QAAQ,EAAE,OAAO;IACjB,QAAQ,EAAE,EAAE,EAAE,+BAA+B;IAC7C,YAAY,EAAE,EAAE,EAAE,+BAA+B;IACjD,4CAA4C;IAC5C,gBAAgB,EAAE,gEAAgE;IAClF,QAAQ,EAAE,4DAA4D;IACtE,WAAW,EAAE,qCAAqC;IAClD,OAAO,EAAE,8DAA8D;IACvE,MAAM,EAAE,IAAI,EAAE,mBAAmB;IACjC,KAAK,EAAE,gCAAgC;IACvC,aAAa,EAAE,OAAO;IACtB,UAAU,EAAE,OAAO;IACnB,SAAS,EAAE,aAAa;IAExB,sDAAsD;IACtD,SAAS,EAAE,CAAC,QAAgB,EAAgC,EAAE;QAC7D,kCAAkC;QAClC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QAEhC,OAAO;YACN,gBAAgB,EAAE,qCAAqC,QAAQ,wBAAwB;YACvF,QAAQ,EAAE,qCAAqC,QAAQ,oBAAoB;YAC3E,OAAO,EAAE,qCAAqC,QAAQ,sBAAsB;YAC5E,MAAM,EAAE,qCAAqC,QAAQ,OAAO;SAC5D,CAAC;IACH,CAAC;CACD,CAAC"}

package/dist/lib/providers/generic.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Generic OAuth Provider Configuration
+ *
+ * Base configuration for custom OAuth 2.0 providers
+ */
+import type { OAuthProviderConfig } from '../../types.ts';
+export declare const genericProvider: OAuthProviderConfig;

package/dist/lib/providers/generic.js

@@ -0,0 +1,20 @@
+/**
+ * Generic OAuth Provider Configuration
+ *
+ * Base configuration for custom OAuth 2.0 providers
+ */
+export const genericProvider = {
+    provider: 'generic',
+    clientId: '', // Must be provided in config
+    clientSecret: '', // Must be provided in config
+    authorizationUrl: '', // Must be provided in config
+    tokenUrl: '', // Must be provided in config
+    userInfoUrl: '', // Must be provided in config
+    scope: 'openid profile email',
+    usernameClaim: 'email',
+    emailClaim: 'email',
+    nameClaim: 'name',
+    defaultRole: 'user',
+    postLoginRedirect: '/',
+};
+//# sourceMappingURL=generic.js.map

package/dist/lib/providers/generic.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"generic.js","sourceRoot":"","sources":["../../../src/lib/providers/generic.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,eAAe,GAAwB;IACnD,QAAQ,EAAE,SAAS;IACnB,QAAQ,EAAE,EAAE,EAAE,6BAA6B;IAC3C,YAAY,EAAE,EAAE,EAAE,6BAA6B;IAC/C,gBAAgB,EAAE,EAAE,EAAE,6BAA6B;IACnD,QAAQ,EAAE,EAAE,EAAE,6BAA6B;IAC3C,WAAW,EAAE,EAAE,EAAE,6BAA6B;IAC9C,KAAK,EAAE,sBAAsB;IAC7B,aAAa,EAAE,OAAO;IACtB,UAAU,EAAE,OAAO;IACnB,SAAS,EAAE,MAAM;IACjB,WAAW,EAAE,MAAM;IACnB,iBAAiB,EAAE,GAAG;CACtB,CAAC"}

package/dist/lib/providers/github.d.ts

@@ -0,0 +1,7 @@
+/**
+ * GitHub OAuth Provider Configuration
+ *
+ * Note: GitHub uses OAuth 2.0, not OIDC, so no ID tokens or JWKS
+ */
+import type { OAuthProviderConfig } from '../../types.ts';
+export declare const GitHubProvider: OAuthProviderConfig;

package/dist/lib/providers/github.js

@@ -0,0 +1,73 @@
+/**
+ * GitHub OAuth Provider Configuration
+ *
+ * Note: GitHub uses OAuth 2.0, not OIDC, so no ID tokens or JWKS
+ */
+export const GitHubProvider = {
+    provider: 'github',
+    clientId: '', // Will be overridden by config
+    clientSecret: '', // Will be overridden by config
+    authorizationUrl: 'https://github.com/login/oauth/authorize',
+    tokenUrl: 'https://github.com/login/oauth/access_token',
+    userInfoUrl: 'https://api.github.com/user',
+    // No JWKS - GitHub doesn't support OIDC
+    jwksUri: null,
+    issuer: null,
+    scope: 'read:user user:email',
+    usernameClaim: 'login',
+    emailClaim: 'email',
+    nameClaim: 'name',
+    // Validate token every 15 minutes (GitHub tokens don't expire but can be revoked)
+    tokenValidationInterval: 15 * 60 * 1000, // 15 minutes
+    // GitHub-specific: validate token by making lightweight API call
+    async validateToken(accessToken, logger) {
+        try {
+            const response = await fetch('https://api.github.com/user', {
+                method: 'HEAD', // HEAD request - no body, just status
+                headers: {
+                    Authorization: `Bearer ${accessToken}`,
+                    Accept: 'application/json',
+                },
+            });
+            const isValid = response.ok;
+            if (!isValid) {
+                logger?.debug?.(`GitHub token validation failed: ${response.status} ${response.statusText}`);
+            }
+            return isValid;
+        }
+        catch (error) {
+            logger?.warn?.('GitHub token validation error:', error.message);
+            return false; // Assume invalid on error
+        }
+    },
+    // GitHub-specific: need to fetch email separately if not public
+    async getUserInfo(accessToken, helpers) {
+        // Get basic user info using the base getUserInfo method
+        const userInfo = await helpers.getUserInfo(accessToken);
+        // If email is not public, fetch from emails endpoint
+        if (!userInfo.email) {
+            try {
+                const emailResponse = await fetch('https://api.github.com/user/emails', {
+                    headers: {
+                        Authorization: `Bearer ${accessToken}`,
+                        Accept: 'application/json',
+                    },
+                });
+                if (emailResponse.ok) {
+                    const emails = (await emailResponse.json());
+                    const primaryEmail = emails.find((e) => e.primary);
+                    if (primaryEmail) {
+                        userInfo.email = primaryEmail.email;
+                        userInfo.email_verified = primaryEmail.verified;
+                    }
+                }
+            }
+            catch (error) {
+                // Email fetch failed, continue without it
+                helpers.logger?.warn?.('Failed to fetch GitHub user emails:', error.message);
+            }
+        }
+        return userInfo;
+    },
+};
+//# sourceMappingURL=github.js.map

package/dist/lib/providers/github.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.js","sourceRoot":"","sources":["../../../src/lib/providers/github.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,cAAc,GAAwB;IAClD,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,EAAE,EAAE,+BAA+B;IAC7C,YAAY,EAAE,EAAE,EAAE,+BAA+B;IACjD,gBAAgB,EAAE,0CAA0C;IAC5D,QAAQ,EAAE,6CAA6C;IACvD,WAAW,EAAE,6BAA6B;IAC1C,wCAAwC;IACxC,OAAO,EAAE,IAAI;IACb,MAAM,EAAE,IAAI;IACZ,KAAK,EAAE,sBAAsB;IAC7B,aAAa,EAAE,OAAO;IACtB,UAAU,EAAE,OAAO;IACnB,SAAS,EAAE,MAAM;IACjB,kFAAkF;IAClF,uBAAuB,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;IAEtD,iEAAiE;IACjE,KAAK,CAAC,aAAa,CAAC,WAAmB,EAAE,MAAY;QACpD,IAAI,CAAC;YACJ,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,6BAA6B,EAAE;gBAC3D,MAAM,EAAE,MAAM,EAAE,sCAAsC;gBACtD,OAAO,EAAE;oBACR,aAAa,EAAE,UAAU,WAAW,EAAE;oBACtC,MAAM,EAAE,kBAAkB;iBAC1B;aACD,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,QAAQ,CAAC,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,EAAE,CAAC;gBACd,MAAM,EAAE,KAAK,EAAE,CAAC,mCAAmC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;YAC9F,CAAC;YACD,OAAO,OAAO,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,EAAE,IAAI,EAAE,CAAC,gCAAgC,EAAG,KAAe,CAAC,OAAO,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC,CAAC,0BAA0B;QACzC,CAAC;IACF,CAAC;IAED,gEAAgE;IAChE,KAAK,CAAC,WAAW,CAAC,WAAmB,EAAE,OAA2B;QACjE,wDAAwD;QACxD,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;QAExD,qDAAqD;QACrD,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACrB,IAAI,CAAC;gBACJ,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,oCAAoC,EAAE;oBACvE,OAAO,EAAE;wBACR,aAAa,EAAE,UAAU,WAAW,EAAE;wBACtC,MAAM,EAAE,kBAAkB;qBAC1B;iBACD,CAAC,CAAC;gBAEH,IAAI,aAAa,CAAC,EAAE,EAAE,CAAC;oBACtB,MAAM,MAAM,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAIxC,CAAC;oBACH,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;oBACnD,IAAI,YAAY,EAAE,CAAC;wBAClB,QAAQ,CAAC,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC;wBACpC,QAAQ,CAAC,cAAc,GAAG,YAAY,CAAC,QAAQ,CAAC;oBACjD,CAAC;gBACF,CAAC;YACF,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBAChB,0CAA0C;gBAC1C,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,qCAAqC,EAAG,KAAe,CAAC,OAAO,CAAC,CAAC;YACzF,CAAC;QACF,CAAC;QAED,OAAO,QAAQ,CAAC;IACjB,CAAC;CACD,CAAC"}

package/dist/lib/providers/google.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Google OAuth Provider Configuration
+ *
+ * Supports OpenID Connect (OIDC) with ID tokens
+ */
+import type { OAuthProviderConfig } from '../../types.ts';
+export declare const GoogleProvider: OAuthProviderConfig;

package/dist/lib/providers/google.js

@@ -0,0 +1,27 @@
+/**
+ * Google OAuth Provider Configuration
+ *
+ * Supports OpenID Connect (OIDC) with ID tokens
+ */
+export const GoogleProvider = {
+    provider: 'google',
+    clientId: '', // Will be overridden by config
+    clientSecret: '', // Will be overridden by config
+    authorizationUrl: 'https://accounts.google.com/o/oauth2/v2/auth',
+    tokenUrl: 'https://oauth2.googleapis.com/token',
+    userInfoUrl: 'https://www.googleapis.com/oauth2/v3/userinfo',
+    jwksUri: 'https://www.googleapis.com/oauth2/v3/certs',
+    issuer: 'https://accounts.google.com',
+    scope: 'openid profile email',
+    usernameClaim: 'email',
+    emailClaim: 'email',
+    nameClaim: 'name',
+    // Google includes user info in ID token, prefer that
+    preferIdToken: true,
+    // Additional Google-specific parameters
+    additionalParams: {
+        access_type: 'offline', // Request refresh token
+        prompt: 'consent', // Force consent to get refresh token
+    },
+};
+//# sourceMappingURL=google.js.map

package/dist/lib/providers/google.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.js","sourceRoot":"","sources":["../../../src/lib/providers/google.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,cAAc,GAAwB;IAClD,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,EAAE,EAAE,+BAA+B;IAC7C,YAAY,EAAE,EAAE,EAAE,+BAA+B;IACjD,gBAAgB,EAAE,8CAA8C;IAChE,QAAQ,EAAE,qCAAqC;IAC/C,WAAW,EAAE,+CAA+C;IAC5D,OAAO,EAAE,4CAA4C;IACrD,MAAM,EAAE,6BAA6B;IACrC,KAAK,EAAE,sBAAsB;IAC7B,aAAa,EAAE,OAAO;IACtB,UAAU,EAAE,OAAO;IACnB,SAAS,EAAE,MAAM;IACjB,qDAAqD;IACrD,aAAa,EAAE,IAAI;IACnB,wCAAwC;IACxC,gBAAgB,EAAE;QACjB,WAAW,EAAE,SAAS,EAAE,wBAAwB;QAChD,MAAM,EAAE,SAAS,EAAE,qCAAqC;KACxD;CACD,CAAC"}

package/dist/lib/providers/index.d.ts

@@ -0,0 +1,17 @@
+/**
+ * OAuth Provider Registry
+ */
+import type { OAuthProviderConfig } from '../../types.ts';
+export declare const providers: Record<string, OAuthProviderConfig>;
+/**
+ * Get a pre-configured provider by name
+ */
+export declare function getProvider(name: string): OAuthProviderConfig | null;
+/**
+ * Register a custom provider
+ */
+export declare function registerProvider(name: string, config: OAuthProviderConfig): void;
+/**
+ * Get all registered provider names
+ */
+export declare function getProviderNames(): string[];

package/dist/lib/providers/index.js

@@ -0,0 +1,49 @@
+/**
+ * OAuth Provider Registry
+ */
+import { GitHubProvider } from "./github.js";
+import { GoogleProvider } from "./google.js";
+import { AzureADProvider } from "./azure.js";
+import { auth0Provider } from "./auth0.js";
+import { OktaProvider } from "./okta.js";
+import { genericProvider } from "./generic.js";
+// Auto-register all providers
+const providerModules = {
+    github: GitHubProvider,
+    google: GoogleProvider,
+    azure: AzureADProvider,
+    auth0: auth0Provider,
+    okta: OktaProvider,
+    generic: genericProvider,
+};
+export const providers = {
+    ...providerModules,
+    // Aliases
+    microsoft: AzureADProvider,
+};
+/**
+ * Get a pre-configured provider by name
+ */
+export function getProvider(name) {
+    const provider = providers[name?.toLowerCase()];
+    if (!provider) {
+        // Return null to allow custom provider configuration
+        return null;
+    }
+    // Return a shallow copy to avoid direct mutations
+    // Note: Functions (getUserInfo, configure, validateToken) are preserved by reference
+    return { ...provider };
+}
+/**
+ * Register a custom provider
+ */
+export function registerProvider(name, config) {
+    providers[name] = config;
+}
+/**
+ * Get all registered provider names
+ */
+export function getProviderNames() {
+    return Object.keys(providers);
+}
+//# sourceMappingURL=index.js.map

package/dist/lib/providers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/lib/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAG/C,8BAA8B;AAC9B,MAAM,eAAe,GAAG;IACvB,MAAM,EAAE,cAAc;IACtB,MAAM,EAAE,cAAc;IACtB,KAAK,EAAE,eAAe;IACtB,KAAK,EAAE,aAAa;IACpB,IAAI,EAAE,YAAY;IAClB,OAAO,EAAE,eAAe;CACxB,CAAC;AAEF,MAAM,CAAC,MAAM,SAAS,GAAwC;IAC7D,GAAG,eAAe;IAClB,UAAU;IACV,SAAS,EAAE,eAAe;CAC1B,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAY;IACvC,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;IAEhD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACf,qDAAqD;QACrD,OAAO,IAAI,CAAC;IACb,CAAC;IAED,kDAAkD;IAClD,qFAAqF;IACrF,OAAO,EAAE,GAAG,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY,EAAE,MAA2B;IACzE,SAAS,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB;IAC/B,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;AAC/B,CAAC"}

package/dist/lib/providers/okta.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Okta OAuth Provider Configuration
+ *
+ * Supports Okta's OAuth 2.0 / OIDC implementation
+ * Requires domain configuration (e.g., 'dev-12345.okta.com')
+ */
+import type { OAuthProviderConfig } from '../../types.ts';
+export declare const OktaProvider: OAuthProviderConfig;

package/dist/lib/providers/okta.js

@@ -0,0 +1,45 @@
+/**
+ * Okta OAuth Provider Configuration
+ *
+ * Supports Okta's OAuth 2.0 / OIDC implementation
+ * Requires domain configuration (e.g., 'dev-12345.okta.com')
+ */
+import { validateDomainSafety, validateDomainAllowlist } from "./validation.js";
+export const OktaProvider = {
+    provider: 'okta',
+    clientId: '', // Will be overridden by config
+    clientSecret: '', // Will be overridden by config
+    authorizationUrl: '', // Will be set by configure()
+    tokenUrl: '', // Will be set by configure()
+    userInfoUrl: '', // Will be set by configure()
+    jwksUri: '', // Will be set by configure()
+    issuer: '', // Will be set by configure()
+    scope: 'openid profile email groups',
+    usernameClaim: 'preferred_username',
+    emailClaim: 'email',
+    nameClaim: 'name',
+    // Use 'groups' claim for role mapping (optional)
+    roleClaim: 'groups',
+    defaultRole: 'user',
+    // Okta includes user info in ID token, prefer that
+    preferIdToken: true,
+    // Okta-specific: configure endpoints based on domain
+    configure: (domain) => {
+        // Validate domain safety (SSRF protection, private IPs, etc.)
+        const hostname = validateDomainSafety(domain, 'Okta');
+        // Validate against Okta domain allowlist
+        const ALLOWED_OKTA_DOMAINS = ['.okta.com', '.okta-emea.com', '.oktapreview.com'];
+        validateDomainAllowlist(hostname, ALLOWED_OKTA_DOMAINS, 'Okta');
+        // Use /oauth2/v1 (org authorization server - most compatible)
+        // For /oauth2/default or custom auth servers, set authorizationUrl/tokenUrl/userInfoUrl directly in config
+        const authServerPath = '/oauth2/v1';
+        return {
+            authorizationUrl: `https://${hostname}${authServerPath}/authorize`,
+            tokenUrl: `https://${hostname}${authServerPath}/token`,
+            userInfoUrl: `https://${hostname}${authServerPath}/userinfo`,
+            jwksUri: `https://${hostname}${authServerPath}/keys`,
+            issuer: `https://${hostname}${authServerPath}`,
+        };
+    },
+};
+//# sourceMappingURL=okta.js.map

package/dist/lib/providers/okta.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"okta.js","sourceRoot":"","sources":["../../../src/lib/providers/okta.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAEhF,MAAM,CAAC,MAAM,YAAY,GAAwB;IAChD,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,EAAE,EAAE,+BAA+B;IAC7C,YAAY,EAAE,EAAE,EAAE,+BAA+B;IACjD,gBAAgB,EAAE,EAAE,EAAE,6BAA6B;IACnD,QAAQ,EAAE,EAAE,EAAE,6BAA6B;IAC3C,WAAW,EAAE,EAAE,EAAE,6BAA6B;IAC9C,OAAO,EAAE,EAAE,EAAE,6BAA6B;IAC1C,MAAM,EAAE,EAAE,EAAE,6BAA6B;IACzC,KAAK,EAAE,6BAA6B;IACpC,aAAa,EAAE,oBAAoB;IACnC,UAAU,EAAE,OAAO;IACnB,SAAS,EAAE,MAAM;IACjB,iDAAiD;IACjD,SAAS,EAAE,QAAQ;IACnB,WAAW,EAAE,MAAM;IACnB,mDAAmD;IACnD,aAAa,EAAE,IAAI;IAEnB,qDAAqD;IACrD,SAAS,EAAE,CAAC,MAAc,EAAgC,EAAE;QAC3D,8DAA8D;QAC9D,MAAM,QAAQ,GAAG,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEtD,yCAAyC;QACzC,MAAM,oBAAoB,GAAG,CAAC,WAAW,EAAE,gBAAgB,EAAE,kBAAkB,CAAC,CAAC;QACjF,uBAAuB,CAAC,QAAQ,EAAE,oBAAoB,EAAE,MAAM,CAAC,CAAC;QAEhE,8DAA8D;QAC9D,2GAA2G;QAC3G,MAAM,cAAc,GAAG,YAAY,CAAC;QAEpC,OAAO;YACN,gBAAgB,EAAE,WAAW,QAAQ,GAAG,cAAc,YAAY;YAClE,QAAQ,EAAE,WAAW,QAAQ,GAAG,cAAc,QAAQ;YACtD,WAAW,EAAE,WAAW,QAAQ,GAAG,cAAc,WAAW;YAC5D,OAAO,EAAE,WAAW,QAAQ,GAAG,cAAc,OAAO;YACpD,MAAM,EAAE,WAAW,QAAQ,GAAG,cAAc,EAAE;SAC9C,CAAC;IACH,CAAC;CACD,CAAC"}

package/dist/lib/providers/validation.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Shared validation utilities for OAuth providers
+ *
+ * Security-first validation helpers to prevent SSRF, injection attacks,
+ * and other common OAuth configuration vulnerabilities.
+ */
+/**
+ * Validates that a domain string is safe from common attacks
+ *
+ * Prevents SSRF attacks by blocking private IPs, localhost, cloud metadata endpoints,
+ * and non-HTTP protocols.
+ *
+ * @param domain - Domain string to validate (e.g., 'example.okta.com' or 'https://example.okta.com')
+ * @param providerName - Name of provider for error messages
+ * @returns Validated hostname (without protocol)
+ * @throws Error if domain is invalid or unsafe
+ */
+export declare function validateDomainSafety(domain: string, providerName: string): string;
+/**
+ * Validates that a domain matches an allowlist of permitted suffixes
+ *
+ * Use after validateDomainSafety() to ensure domains match expected patterns
+ * (e.g., *.okta.com, *.auth0.com)
+ *
+ * @param hostname - Validated hostname (from validateDomainSafety)
+ * @param allowedSuffixes - Array of allowed domain suffixes (e.g., ['.okta.com', '.okta-emea.com'])
+ * @param providerName - Name of provider for error messages
+ * @throws Error if hostname doesn't match any allowed suffix
+ */
+export declare function validateDomainAllowlist(hostname: string, allowedSuffixes: string[], providerName: string): void;
+/**
+ * Validates email domain format
+ *
+ * Prevents injection attacks by blocking CRLF, null bytes, and control characters.
+ *
+ * @param emailDomain - Email domain to validate (e.g., 'example.com')
+ * @throws Error if domain contains dangerous characters
+ */
+export declare function validateEmailDomain(emailDomain: string): void;
+/**
+ * Validates tenant ID format
+ *
+ * Ensures tenant IDs are safe for URLs and file paths. Enforces length limits
+ * and character restrictions.
+ *
+ * @param tenantId - Tenant ID to validate
+ * @throws Error if tenant ID is invalid or unsafe
+ */
+export declare function validateTenantId(tenantId: string): void;
+/**
+ * Sanitizes tenant name for safe HTML output
+ *
+ * Prevents XSS attacks by HTML-escaping special characters.
+ *
+ * @param name - Tenant name to sanitize
+ * @returns HTML-escaped tenant name
+ */
+export declare function sanitizeTenantName(name: string): string;
+/**
+ * Validates Azure tenant ID format
+ *
+ * Valid formats: GUID, 'common', 'organizations', or 'consumers'
+ *
+ * @param tenantId - Azure tenant ID to validate
+ * @throws Error if tenant ID is invalid
+ */
+export declare function validateAzureTenantId(tenantId: string): void;