@hotfusion/modeller 0.0.13 → 0.0.16

package/dist/oidc/adapters/cipher.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CipherAdapter = void 0;
+const core_1 = require("../../core");
+const cipher_1 = require("@hotfusion/cipher");
+class CipherAdapter extends core_1.Adapter {
+    cipher;
+    ready;
+    id;
+    constructor(id) {
+        super(id);
+        this.id = id;
+        // Password resolved inside Cipher from:
+        //   1. VAULT_PASSWORD env var
+        //   2. --password=xxx CLI arg
+        this.cipher = new cipher_1.Cipher({
+            path: `./vault/${id}`,
+            password: process.env.VAULT_PASSWORD || '',
+            //@ts-ignore
+            locked: false,
+            readonly: false,
+        }, [{ name: id, schema: {} }, { name: 'trash', schema: {} }]);
+        this.ready = this.cipher.ready();
+    }
+    async sync(id, doc) {
+        await this.ready;
+        const col = this.cipher.collection(id);
+        const key = { id: doc._id.toString() };
+        const existing = col.find(key);
+        if (existing) {
+            await col.update(key, doc);
+        }
+        else {
+            await col.insert(key, doc);
+        }
+    }
+    async pull() {
+        await this.ready;
+        const col = this.cipher.collection(this.id);
+        return col.list()
+            .map((entry) => {
+            const id = Object.values(entry.key)[0];
+            if (!id)
+                return null;
+            return col.unseal(id);
+        })
+            .filter(Boolean);
+    }
+}
+exports.CipherAdapter = CipherAdapter;
+//# sourceMappingURL=cipher.js.map

package/dist/oidc/adapters/cipher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cipher.js","sourceRoot":"","sources":["../../../src/oidc/adapters/cipher.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AAGrC,8CAA4C;AAE5C,MAAa,aAAc,SAAQ,cAAO;IAC9B,MAAM,CAAU;IAChB,KAAK,CAAkB;IACvB,EAAE,CAAc;IAExB,YAAY,EAAU;QAClB,KAAK,CAAC,EAAE,CAAC,CAAC;QACV,IAAI,CAAC,EAAE,GAAO,EAAE,CAAC;QACjB,wCAAwC;QACxC,8BAA8B;QAC9B,8BAA8B;QAC9B,IAAI,CAAC,MAAM,GAAG,IAAI,eAAM,CAAC;YACrB,IAAI,EAAO,WAAW,EAAE,EAAE;YAC1B,QAAQ,EAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE;YAC3C,YAAY;YACZ,MAAM,EAAK,KAAK;YAChB,QAAQ,EAAG,KAAK;SACnB,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,EAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;QAC7D,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAU,EAAE,GAA0C;QAC7D,MAAM,IAAI,CAAC,KAAK,CAAC;QACjB,MAAM,GAAG,GAAQ,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAQ,EAAE,EAAE,EAAE,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,CAAC;QAC5C,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAE/B,IAAI,QAAQ,EAAE,CAAC;YACX,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC/B,CAAC;aAAM,CAAC;YACJ,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC/B,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI;QACN,MAAM,IAAI,CAAC,KAAK,CAAC;QACjB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC5C,OAAO,GAAG,CAAC,IAAI,EAAE;aACZ,GAAG,CAAC,CAAC,KAAS,EAAE,EAAE;YACf,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACvC,IAAI,CAAC,EAAE;gBAAE,OAAO,IAAI,CAAC;YACrB,OAAO,GAAG,CAAC,MAAM,CAAC,EAAS,CAAC,CAAC;QACjC,CAAC,CAAC;aACD,MAAM,CAAC,OAAO,CAAC,CAAC;IACzB,CAAC;CACJ;AA7CD,sCA6CC"}

package/dist/oidc/client.js

@@ -0,0 +1,66 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClientModel = void 0;
+const model_1 = require("../model");
+const client_schema_json_1 = __importDefault(require("./schemas/client.schema.json"));
+const cipher_1 = require("./adapters/cipher");
+const utils_1 = require("./utils");
+exports.ClientModel = new model_1.Model('client', client_schema_json_1.default, {
+    adapter: cipher_1.CipherAdapter,
+    trash: false
+})
+    .hook('client-before-insert', {
+    on: 'before:insert',
+    callback: async (payload) => {
+        if (payload.data._sync)
+            return;
+        try {
+            const { client_id, client_secret, redirect_uris } = payload.data;
+            if (!client_id || !client_secret || !redirect_uris?.length) {
+                throw { code: 'MISSING_REQUIRED_FIELDS' };
+            }
+            if (!payload.data.grant_types)
+                payload.data.grant_types = ['authorization_code', 'refresh_token'];
+            if (!payload.data.response_types)
+                payload.data.response_types = ['code'];
+            if (!payload.data.token_endpoint_auth_method)
+                payload.data.token_endpoint_auth_method = 'client_secret_basic';
+            if (!payload.data.scopes)
+                payload.data.scopes = ['openid', 'email', 'profile'];
+            if (!payload.data.providers)
+                payload.data.providers = [];
+            if (!payload.data.provider_configs)
+                payload.data.provider_configs = [];
+            if (payload.data.isActive === undefined)
+                payload.data.isActive = true;
+        }
+        catch (err) {
+            throw {
+                code: 'CLIENT_INSERT_FAILED',
+                message: (0, utils_1.extractError)(err),
+                details: err
+            };
+        }
+    }
+})
+    .hook('client-before-delete', {
+    on: 'before:delete',
+    callback: async (payload) => {
+        if (payload.key?._sync)
+            return;
+        try {
+            const client = await exports.ClientModel.get({ _id: payload.key._id });
+            console.log(`[Client] Deleting client: ${client.client_id}`);
+        }
+        catch (err) {
+            throw {
+                code: 'CLIENT_DELETE_FAILED',
+                message: (0, utils_1.extractError)(err)
+            };
+        }
+    }
+});
+//# sourceMappingURL=client.js.map

package/dist/oidc/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/oidc/client.ts"],"names":[],"mappings":";;;;;;AAAA,oCAAiC;AACjC,sFAAkD;AAClD,8CAAkD;AAClD,mCAAuC;AAE1B,QAAA,WAAW,GAAG,IAAI,aAAK,CAAC,QAAQ,EAAE,4BAAM,EAAE;IACnD,OAAO,EAAE,sBAAa;IACtB,KAAK,EAAE,KAAK;CACf,CAAC;KACG,IAAI,CAAC,sBAAsB,EAAE;IAC1B,EAAE,EAAE,eAAe;IACnB,QAAQ,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QAC7B,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO;QAC/B,IAAI,CAAC;YACD,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;YACjE,IAAI,CAAC,SAAS,IAAI,CAAC,aAAa,IAAI,CAAC,aAAa,EAAE,MAAM,EAAE,CAAC;gBACzD,MAAM,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;YAC9C,CAAC;YACD,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW;gBAAQ,OAAO,CAAC,IAAI,CAAC,WAAW,GAAS,CAAC,oBAAoB,EAAE,eAAe,CAAC,CAAC;YAC9G,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc;gBAAK,OAAO,CAAC,IAAI,CAAC,cAAc,GAAM,CAAC,MAAM,CAAC,CAAC;YAC/E,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,0BAA0B;gBAAE,OAAO,CAAC,IAAI,CAAC,0BAA0B,GAAG,qBAAqB,CAAC;YAC9G,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM;gBAAa,OAAO,CAAC,IAAI,CAAC,MAAM,GAAc,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;YACrG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS;gBAAU,OAAO,CAAC,IAAI,CAAC,SAAS,GAAW,EAAE,CAAC;YACzE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB;gBAAG,OAAO,CAAC,IAAI,CAAC,gBAAgB,GAAI,EAAE,CAAC;YACzE,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS;gBAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAQ,IAAI,CAAC;QAC/E,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAChB,MAAM;gBACF,IAAI,EAAE,sBAAsB;gBAC5B,OAAO,EAAE,IAAA,oBAAY,EAAC,GAAG,CAAC;gBAC1B,OAAO,EAAE,GAAG;aACf,CAAC;QACN,CAAC;IACL,CAAC;CACJ,CAAC;KAED,IAAI,CAAC,sBAAsB,EAAE;IAC1B,EAAE,EAAE,eAAe;IACnB,QAAQ,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QAC7B,IAAI,OAAO,CAAC,GAAG,EAAE,KAAK;YAAE,OAAO;QAC/B,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,mBAAW,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;YAC/D,OAAO,CAAC,GAAG,CAAC,6BAA6B,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;QACjE,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAChB,MAAM;gBACF,IAAI,EAAE,sBAAsB;gBAC5B,OAAO,EAAE,IAAA,oBAAY,EAAC,GAAG,CAAC;aAC7B,CAAC;QACN,CAAC;IACL,CAAC;CACJ,CAAC,CAAC"}

package/dist/oidc/code.js

@@ -0,0 +1,37 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CodeModel = void 0;
+const model_1 = require("../model");
+const code_schema_json_1 = __importDefault(require("./schemas/code.schema.json"));
+const cipher_1 = require("./adapters/cipher");
+const utils_1 = require("./utils");
+exports.CodeModel = new model_1.Model('code', code_schema_json_1.default, {
+    adapter: cipher_1.CipherAdapter,
+    trash: false
+})
+    .hook('code-before-insert', {
+    on: 'before:insert',
+    callback: async (payload) => {
+        if (payload.data._sync)
+            return;
+        try {
+            const { jti, clientId, accountId } = payload.data;
+            if (!jti || !clientId || !accountId) {
+                throw { code: 'MISSING_REQUIRED_FIELDS' };
+            }
+            if (payload.data.consumed === undefined)
+                payload.data.consumed = false;
+        }
+        catch (err) {
+            throw {
+                code: 'CODE_INSERT_FAILED',
+                message: (0, utils_1.extractError)(err),
+                details: err
+            };
+        }
+    }
+});
+//# sourceMappingURL=code.js.map

package/dist/oidc/code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"code.js","sourceRoot":"","sources":["../../src/oidc/code.ts"],"names":[],"mappings":";;;;;;AAAA,oCAAiC;AACjC,kFAAgD;AAChD,8CAAkD;AAClD,mCAAuC;AAE1B,QAAA,SAAS,GAAG,IAAI,aAAK,CAAC,MAAM,EAAE,0BAAM,EAAE;IAC/C,OAAO,EAAE,sBAAa;IACtB,KAAK,EAAE,KAAK;CACf,CAAC;KACG,IAAI,CAAC,oBAAoB,EAAE;IACxB,EAAE,EAAE,eAAe;IACnB,QAAQ,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QAC7B,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO;QAC/B,IAAI,CAAC;YACD,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;YAClD,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;gBAClC,MAAM,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;YAC9C,CAAC;YACD,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS;gBAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC;QAC3E,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAChB,MAAM;gBACF,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,IAAA,oBAAY,EAAC,GAAG,CAAC;gBAC1B,OAAO,EAAE,GAAG;aACf,CAAC;QACN,CAAC;IACL,CAAC;CACJ,CAAC,CAAC"}

package/dist/oidc/default.config.js

@@ -0,0 +1,200 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OIDCConfig = void 0;
+exports.resolveJWKS = resolveJWKS;
+const jose_1 = require("jose");
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const JWKS_PATH = node_path_1.default.resolve(process.cwd(), './data/oidc.jwks.json');
+// ==============================================================================
+// JWKS — env → disk → generate
+// ==============================================================================
+async function resolveJWKS() {
+    if (process.env.OIDC_JWKS) {
+        try {
+            return JSON.parse(process.env.OIDC_JWKS);
+        }
+        catch {
+            throw new Error('[OIDC] Failed to parse OIDC_JWKS env variable');
+        }
+    }
+    if (node_fs_1.default.existsSync(JWKS_PATH)) {
+        try {
+            return JSON.parse(node_fs_1.default.readFileSync(JWKS_PATH, 'utf-8'));
+        }
+        catch {
+            throw new Error('[OIDC] Failed to read JWKS from disk');
+        }
+    }
+    const { privateKey } = await (0, jose_1.generateKeyPair)('RS256', { extractable: true });
+    const jwk = await (0, jose_1.exportJWK)(privateKey);
+    jwk.use = 'sig';
+    jwk.alg = 'RS256';
+    jwk.kid = `key-${Date.now()}`;
+    const jwks = { keys: [jwk] };
+    node_fs_1.default.mkdirSync(node_path_1.default.dirname(JWKS_PATH), { recursive: true });
+    node_fs_1.default.writeFileSync(JWKS_PATH, JSON.stringify(jwks, null, 2), 'utf-8');
+    return jwks;
+}
+// ==============================================================================
+// Base OIDCConfig
+// Abstract — no imports from modeller model stack.
+// Everything is resolved dynamically via the model instance at runtime.
+// Extend this class in your model; override only what you need.
+// ==============================================================================
+class OIDCConfig {
+    // ?? Developer overrides (optional) ????????????????????????????????????????
+    // OIDC issuer URL
+    static issuer;
+    // Additional registered clients beyond the default one
+    static clients;
+    // Federation providers — empty by default (username/password only)
+    static federation;
+    // Override the adapter — must be a class compatible with node-oidc-provider adapter spec
+    // Defaults to the modeller OIDCAdapter resolved from model at runtime
+    static adapter;
+    // Override account resolution
+    static findAccount;
+    // Override user verification
+    static verifyUser;
+    // Override federated user resolution
+    static findOrCreateFederatedUser;
+    // Override TTLs (merged with defaults)
+    static ttl;
+    // Override scopes
+    static scopes;
+    // Override claims
+    static claims;
+    // ?? Internal methods — called by server, not meant to be overridden ????????
+    static _getIssuer(port) {
+        return this.issuer
+            ?? process.env.ISSUER_URL
+            ?? `http://localhost:${port}`;
+    }
+    static _getAdapter(defaultAdapter) {
+        // Use static override if provided, otherwise use the default passed by server
+        return this.adapter ?? defaultAdapter;
+    }
+    static _getScopes() {
+        return this.scopes ?? ['openid', 'email', 'profile'];
+    }
+    static _getClaims() {
+        return this.claims ?? {
+            openid: ['sub'],
+            email: ['email'],
+            profile: ['username', 'name'],
+        };
+    }
+    static _getTTL() {
+        return {
+            AccessToken: 60 * 60,
+            AuthorizationCode: 10 * 60,
+            IdToken: 60 * 60,
+            RefreshToken: 14 * 24 * 60 * 60,
+            Session: 14 * 24 * 60 * 60,
+            Interaction: 60 * 60,
+            Grant: 14 * 24 * 60 * 60,
+            ...((this.ttl) ?? {}),
+        };
+    }
+    static _buildDefaultClient(issuer) {
+        return {
+            client_id: 'default',
+            client_secret: 'default-secret',
+            redirect_uris: [`${issuer}/auth/callback`],
+            grant_types: ['authorization_code'],
+            response_types: ['code'],
+            token_endpoint_auth_method: 'client_secret_basic',
+            scopes: ['openid', 'email', 'profile'],
+            isActive: true,
+        };
+    }
+    static async _seedClients(issuer, adapter) {
+        console.log('[OIDC] _seedClients start, adapter:', adapter?.name);
+        const clientAdapter = new adapter('Client');
+        console.log('[OIDC] clientAdapter created');
+        const allClients = [
+            this._buildDefaultClient(issuer),
+            ...(this.clients ?? []),
+        ];
+        for (const client of allClients) {
+            try {
+                const existing = await clientAdapter.find(client.client_id);
+                if (!existing) {
+                    await clientAdapter.upsert(client.client_id, client, 0);
+                }
+            }
+            catch (err) {
+                throw { ...err, model: 'ClientModel', client_id: client.client_id };
+            }
+        }
+    }
+    static async _findAccount(ctx, id, model) {
+        const fn = this.findAccount;
+        if (fn)
+            return fn(ctx, id, model);
+        const user = await model.user?.get({ _id: id }, { private: false });
+        if (!user)
+            return undefined;
+        return {
+            accountId: user._id,
+            claims: async () => ({
+                sub: user._id,
+                email: user.email,
+                username: user.username,
+            }),
+        };
+    }
+    static async _verifyUser(username, password, model) {
+        const fn = this.verifyUser;
+        if (fn)
+            return fn(username, password, model);
+        return model.user?.call('verify', { username, password });
+    }
+    static async _findOrCreateFederatedUser(email, model) {
+        const fn = this.findOrCreateFederatedUser;
+        if (fn)
+            return fn(email, model);
+        let user = await model.user?.get({ email }).catch(() => null);
+        if (!user) {
+            user = await model.user?.insert({
+                username: email,
+                email: email,
+                password: Math.random().toString(36),
+                isActive: true,
+                roles: 'user',
+                _sync: true,
+            });
+        }
+        return user;
+    }
+    static async _buildProviderConfig(issuer, secret) {
+        const jwks = await resolveJWKS();
+        return {
+            jwks,
+            features: {
+                devInteractions: { enabled: false },
+                clientCredentials: { enabled: true },
+                introspection: { enabled: true },
+                revocation: { enabled: true },
+                rpInitiatedLogout: { enabled: true },
+            },
+            scopes: this._getScopes(),
+            claims: this._getClaims(),
+            ttl: this._getTTL(),
+            pkce: {
+                required: () => false,
+            },
+            cookies: {
+                keys: [process.env.OIDC_COOKIE_SECRET ?? secret],
+                short: { secure: false, sameSite: 'lax' },
+                long: { secure: false, sameSite: 'lax' },
+            },
+        };
+    }
+}
+exports.OIDCConfig = OIDCConfig;
+//# sourceMappingURL=default.config.js.map

package/dist/oidc/default.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"default.config.js","sourceRoot":"","sources":["../../src/oidc/default.config.ts"],"names":[],"mappings":";;;;;;AAUA,kCA6BC;AAvCD,+BAAkD;AAClD,sDAAqD;AACrD,0DAAuD;AAEvD,MAAM,SAAS,GAAG,mBAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,uBAAuB,CAAC,CAAC;AAEvE,iFAAiF;AACjF,+BAA+B;AAC/B,iFAAiF;AAE1E,KAAK,UAAU,WAAW;IAC7B,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACxB,IAAI,CAAC;YACD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACL,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACrE,CAAC;IACL,CAAC;IAED,IAAI,iBAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACD,OAAO,IAAI,CAAC,KAAK,CAAC,iBAAE,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACL,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC5D,CAAC;IACL,CAAC;IAED,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAA,sBAAe,EAAC,OAAO,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7E,MAAM,GAAG,GAAc,MAAM,IAAA,gBAAS,EAAC,UAAU,CAAC,CAAC;IACnD,GAAG,CAAC,GAAG,GAAe,KAAK,CAAC;IAC5B,GAAG,CAAC,GAAG,GAAe,OAAO,CAAC;IAC9B,GAAG,CAAC,GAAG,GAAe,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IAE1C,MAAM,IAAI,GAAG,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IAE7B,iBAAE,CAAC,SAAS,CAAC,mBAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3D,iBAAE,CAAC,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAEpE,OAAO,IAAI,CAAC;AAChB,CAAC;AAED,iFAAiF;AACjF,kBAAkB;AAClB,mDAAmD;AACnD,wEAAwE;AACxE,gEAAgE;AAChE,iFAAiF;AAEjF,MAAa,UAAU;IAEnB,6EAA6E;IAE7E,kBAAkB;IAClB,MAAM,CAAC,MAAM,CAAU;IAEvB,uDAAuD;IACvD,MAAM,CAAC,OAAO,CAAS;IAEvB,mEAAmE;IACnE,MAAM,CAAC,UAAU,CAMd;IAEH,yFAAyF;IACzF,sEAAsE;IACtE,MAAM,CAAC,OAAO,CAAO;IAErB,8BAA8B;IAC9B,MAAM,CAAC,WAAW,CAAsD;IAExE,6BAA6B;IAC7B,MAAM,CAAC,UAAU,CAAoE;IAErF,qCAAqC;IACrC,MAAM,CAAC,yBAAyB,CAA+C;IAE/E,uCAAuC;IACvC,MAAM,CAAC,GAAG,CAA0B;IAEpC,kBAAkB;IAClB,MAAM,CAAC,MAAM,CAAY;IAEzB,kBAAkB;IAClB,MAAM,CAAC,MAAM,CAA4B;IAEzC,8EAA8E;IAE9E,MAAM,CAAC,UAAU,CAAC,IAAY;QAC1B,OAAQ,IAAY,CAAC,MAAM;eACpB,OAAO,CAAC,GAAG,CAAC,UAAU;eACtB,oBAAoB,IAAI,EAAE,CAAC;IACtC,CAAC;IAED,MAAM,CAAC,WAAW,CAAC,cAAoB;QACnC,8EAA8E;QAC9E,OAAQ,IAAY,CAAC,OAAO,IAAI,cAAc,CAAC;IACnD,CAAC;IAED,MAAM,CAAC,UAAU;QACb,OAAQ,IAAY,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,CAAC,UAAU;QACb,OAAQ,IAAY,CAAC,MAAM,IAAI;YAC3B,MAAM,EAAI,CAAC,KAAK,CAAC;YACjB,KAAK,EAAK,CAAC,OAAO,CAAC;YACnB,OAAO,EAAG,CAAC,UAAU,EAAE,MAAM,CAAC;SACjC,CAAC;IACN,CAAC;IAED,MAAM,CAAC,OAAO;QACV,OAAO;YACH,WAAW,EAAQ,EAAE,GAAG,EAAE;YAC1B,iBAAiB,EAAE,EAAE,GAAG,EAAE;YAC1B,OAAO,EAAY,EAAE,GAAG,EAAE;YAC1B,YAAY,EAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;YACpC,OAAO,EAAY,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;YACpC,WAAW,EAAQ,EAAE,GAAG,EAAE;YAC1B,KAAK,EAAc,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;YACpC,GAAG,CAAC,CAAE,IAAY,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;SACjC,CAAC;IACN,CAAC;IAED,MAAM,CAAC,mBAAmB,CAAC,MAAc;QACrC,OAAO;YACH,SAAS,EAAoB,SAAS;YACtC,aAAa,EAAgB,gBAAgB;YAC7C,aAAa,EAAgB,CAAC,GAAG,MAAM,gBAAgB,CAAC;YACxD,WAAW,EAAkB,CAAC,oBAAoB,CAAC;YACnD,cAAc,EAAe,CAAC,MAAM,CAAC;YACrC,0BAA0B,EAAG,qBAAqB;YAClD,MAAM,EAAuB,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC;YAC3D,QAAQ,EAAqB,IAAI;SACpC,CAAC;IACN,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,MAAc,EAAE,OAAY;QAElD,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QAClE,MAAM,aAAa,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC5C,MAAM,UAAU,GAAM;YAClB,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC;YAChC,GAAG,CAAE,IAAY,CAAC,OAAO,IAAI,EAAE,CAAC;SACnC,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACD,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAC5D,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACZ,MAAM,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;gBAC5D,CAAC;YACL,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAChB,MAAM,EAAE,GAAG,GAAG,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC;YACxE,CAAC;QACL,CAAC;IACL,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,GAAQ,EAAE,EAAU,EAAE,KAAU;QACtD,MAAM,EAAE,GAAI,IAAY,CAAC,WAAW,CAAC;QACrC,IAAI,EAAE;YAAE,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,CAAC;QAElC,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QACpE,IAAI,CAAC,IAAI;YAAE,OAAO,SAAS,CAAC;QAC5B,OAAO;YACH,SAAS,EAAG,IAAI,CAAC,GAAG;YACpB,MAAM,EAAM,KAAK,IAAI,EAAE,CAAC,CAAC;gBACrB,GAAG,EAAQ,IAAI,CAAC,GAAG;gBACnB,KAAK,EAAM,IAAI,CAAC,KAAK;gBACrB,QAAQ,EAAG,IAAI,CAAC,QAAQ;aAC3B,CAAC;SACL,CAAC;IACN,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,QAAgB,EAAE,QAAgB,EAAE,KAAU;QACnE,MAAM,EAAE,GAAI,IAAY,CAAC,UAAU,CAAC;QACpC,IAAI,EAAE;YAAE,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC7C,OAAO,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,KAAa,EAAE,KAAU;QAC7D,MAAM,EAAE,GAAI,IAAY,CAAC,yBAAyB,CAAC;QACnD,IAAI,EAAE;YAAE,OAAO,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAEhC,IAAI,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC;gBAC5B,QAAQ,EAAG,KAAK;gBAChB,KAAK,EAAM,KAAK;gBAChB,QAAQ,EAAG,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACrC,QAAQ,EAAG,IAAI;gBACf,KAAK,EAAM,MAAM;gBACjB,KAAK,EAAM,IAAI;aAClB,CAAC,CAAC;QACP,CAAC;QACD,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,MAAc,EAAE,MAAc;QAC5D,MAAM,IAAI,GAAG,MAAM,WAAW,EAAE,CAAC;QAEjC,OAAO;YACH,IAAI;YAEJ,QAAQ,EAAE;gBACN,eAAe,EAAI,EAAE,OAAO,EAAE,KAAK,EAAE;gBACrC,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAG;gBACrC,aAAa,EAAM,EAAE,OAAO,EAAE,IAAI,EAAG;gBACrC,UAAU,EAAS,EAAE,OAAO,EAAE,IAAI,EAAG;gBACrC,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAG;aACxC;YAED,MAAM,EAAG,IAAI,CAAC,UAAU,EAAE;YAC1B,MAAM,EAAG,IAAI,CAAC,UAAU,EAAE;YAC1B,GAAG,EAAM,IAAI,CAAC,OAAO,EAAE;YAEvB,IAAI,EAAE;gBACF,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK;aACxB;YAED,OAAO,EAAE;gBACL,IAAI,EAAI,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,MAAM,CAAC;gBAClD,KAAK,EAAG,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE;gBAC1C,IAAI,EAAI,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE;aAC7C;SACJ,CAAC;IACN,CAAC;CACJ;AAvLD,gCAuLC"}

package/dist/oidc/federation.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FederationModel = void 0;
+const model_1 = require("../model");
+const cipher_1 = require("./adapters/cipher");
+const utils_1 = require("./utils");
+const schema = {
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "type": "object",
+    "properties": {
+        "name": { "type": "string", "label": "Provider Name", "description": "e.g. google, github" },
+        "client_id": { "type": "string", "label": "Client ID" },
+        "client_secret": { "type": "string", "label": "Client Secret", "private": true },
+        "issuer": { "type": "string", "label": "Issuer URL", "description": "e.g. https://accounts.google.com" },
+        "scopes": { "type": "string", "label": "Scopes", "description": "e.g. openid email profile" },
+        "isActive": { "type": "boolean", "label": "Active" }
+    },
+    "required": ["name", "client_id", "client_secret", "issuer"]
+};
+exports.FederationModel = new model_1.Model('federation', schema, {
+    adapter: cipher_1.CipherAdapter,
+    trash: false,
+})
+    .hook('federation-before-insert', {
+    on: 'before:insert',
+    callback: async (payload) => {
+        if (payload.data._sync)
+            return;
+        try {
+            const { name, client_id, client_secret, issuer } = payload.data;
+            if (!name || !client_id || !client_secret || !issuer) {
+                throw { code: 'MISSING_REQUIRED_FIELDS' };
+            }
+            if (!payload.data.scopes)
+                payload.data.scopes = 'openid email profile';
+            if (payload.data.isActive === undefined)
+                payload.data.isActive = true;
+        }
+        catch (err) {
+            throw { code: 'FEDERATION_INSERT_FAILED', message: (0, utils_1.extractError)(err), details: err };
+        }
+    }
+})
+    .hook('federation-before-delete', {
+    on: 'before:delete',
+    callback: async (payload) => {
+        if (payload.key?._sync)
+            return;
+    }
+});
+//# sourceMappingURL=federation.js.map

package/dist/oidc/federation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"federation.js","sourceRoot":"","sources":["../../src/oidc/federation.ts"],"names":[],"mappings":";;;AAAA,oCAAyC;AACzC,8CAAkD;AAClD,mCAAwC;AAExC,MAAM,MAAM,GAAG;IACX,SAAS,EAAM,yCAAyC;IACxD,MAAM,EAAS,QAAQ;IACvB,YAAY,EAAG;QACX,MAAM,EAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAI,aAAa,EAAE,qBAAqB,EAAE;QACxG,WAAW,EAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAA8C;QACxG,eAAe,EAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAG,SAAS,EAAE,IAAI,EAAuB;QACvG,QAAQ,EAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAO,aAAa,EAAE,kCAAkC,EAAE;QACrH,QAAQ,EAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAW,aAAa,EAAE,2BAA2B,EAAS;QACrH,UAAU,EAAQ,EAAE,MAAM,EAAE,SAAS,EAAC,OAAO,EAAE,QAAQ,EAAkD;KAC5G;IACD,UAAU,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,CAAC;CAC/D,CAAC;AAEW,QAAA,eAAe,GAAG,IAAI,aAAK,CAAC,YAAY,EAAE,MAAM,EAAE;IAC3D,OAAO,EAAG,sBAAa;IACvB,KAAK,EAAK,KAAK;CAClB,CAAC;KACG,IAAI,CAAC,0BAA0B,EAAE;IAC9B,EAAE,EAAE,eAAe;IACnB,QAAQ,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QAC7B,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO;QAC/B,IAAI,CAAC;YACD,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;YAChE,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,IAAI,CAAC,aAAa,IAAI,CAAC,MAAM,EAAE,CAAC;gBACnD,MAAM,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;YAC9C,CAAC;YACD,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM;gBAAI,OAAO,CAAC,IAAI,CAAC,MAAM,GAAK,sBAAsB,CAAC;YAC3E,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS;gBAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QAC1E,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAChB,MAAM,EAAE,IAAI,EAAE,0BAA0B,EAAE,OAAO,EAAE,IAAA,oBAAY,EAAC,GAAG,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;QACzF,CAAC;IACL,CAAC;CACJ,CAAC;KACD,IAAI,CAAC,0BAA0B,EAAE;IAC9B,EAAE,EAAE,eAAe;IACnB,QAAQ,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QAC7B,IAAI,OAAO,CAAC,GAAG,EAAE,KAAK;YAAE,OAAO;IACnC,CAAC;CACJ,CAAC,CAAC"}

package/dist/oidc/grant.js

@@ -0,0 +1,37 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GrantModel = void 0;
+const model_1 = require("../model");
+const grant_schema_json_1 = __importDefault(require("./schemas/grant.schema.json"));
+const cipher_1 = require("./adapters/cipher");
+const utils_1 = require("./utils");
+exports.GrantModel = new model_1.Model('grant', grant_schema_json_1.default, {
+    adapter: cipher_1.CipherAdapter,
+    trash: false
+})
+    .hook('grant-before-insert', {
+    on: 'before:insert',
+    callback: async (payload) => {
+        if (payload.data._sync)
+            return;
+        try {
+            const { jti, clientId, accountId } = payload.data;
+            if (!jti || !clientId || !accountId) {
+                throw { code: 'MISSING_REQUIRED_FIELDS' };
+            }
+            if (payload.data.consumed === undefined)
+                payload.data.consumed = false;
+        }
+        catch (err) {
+            throw {
+                code: 'GRANT_INSERT_FAILED',
+                message: (0, utils_1.extractError)(err),
+                details: err
+            };
+        }
+    }
+});
+//# sourceMappingURL=grant.js.map

package/dist/oidc/grant.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/oidc/grant.ts"],"names":[],"mappings":";;;;;;AAAA,oCAAiC;AACjC,oFAAiD;AACjD,8CAAkD;AAClD,mCAAuC;AAE1B,QAAA,UAAU,GAAG,IAAI,aAAK,CAAC,OAAO,EAAE,2BAAM,EAAE;IACjD,OAAO,EAAE,sBAAa;IACtB,KAAK,EAAE,KAAK;CACf,CAAC;KACG,IAAI,CAAC,qBAAqB,EAAE;IACzB,EAAE,EAAE,eAAe;IACnB,QAAQ,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QAC7B,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO;QAC/B,IAAI,CAAC;YACD,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;YAClD,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;gBAClC,MAAM,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;YAC9C,CAAC;YACD,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS;gBAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC;QAC3E,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAChB,MAAM;gBACF,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,IAAA,oBAAY,EAAC,GAAG,CAAC;gBAC1B,OAAO,EAAE,GAAG;aACf,CAAC;QACN,CAAC;IACL,CAAC;CACJ,CAAC,CAAC"}

package/dist/oidc/interaction.js

@@ -0,0 +1,36 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InteractionModel = void 0;
+const model_1 = require("../model");
+const interaction_schema_json_1 = __importDefault(require("./schemas/interaction.schema.json"));
+const cipher_1 = require("./adapters/cipher");
+const utils_1 = require("./utils");
+exports.InteractionModel = new model_1.Model('interaction', interaction_schema_json_1.default, {
+    adapter: cipher_1.CipherAdapter,
+    trash: false
+})
+    .hook('interaction-before-insert', {
+    on: 'before:insert',
+    callback: async (payload) => {
+        if (payload.data._sync)
+            return;
+        try {
+            const { jti } = payload.data;
+            if (!jti)
+                throw { code: 'MISSING_REQUIRED_FIELDS' };
+            if (payload.data.consumed === undefined)
+                payload.data.consumed = false;
+        }
+        catch (err) {
+            throw {
+                code: 'INTERACTION_INSERT_FAILED',
+                message: (0, utils_1.extractError)(err),
+                details: err
+            };
+        }
+    }
+});
+//# sourceMappingURL=interaction.js.map

package/dist/oidc/interaction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interaction.js","sourceRoot":"","sources":["../../src/oidc/interaction.ts"],"names":[],"mappings":";;;;;;AAAA,oCAAiC;AACjC,gGAAuD;AACvD,8CAAkD;AAClD,mCAAuC;AAE1B,QAAA,gBAAgB,GAAG,IAAI,aAAK,CAAC,aAAa,EAAE,iCAAM,EAAE;IAC7D,OAAO,EAAE,sBAAa;IACtB,KAAK,EAAE,KAAK;CACf,CAAC;KACG,IAAI,CAAC,2BAA2B,EAAE;IAC/B,EAAE,EAAE,eAAe;IACnB,QAAQ,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QAC7B,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO;QAC/B,IAAI,CAAC;YACD,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;YAC7B,IAAI,CAAC,GAAG;gBAAE,MAAM,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;YACpD,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS;gBAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC;QAC3E,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAChB,MAAM;gBACF,IAAI,EAAE,2BAA2B;gBACjC,OAAO,EAAE,IAAA,oBAAY,EAAC,GAAG,CAAC;gBAC1B,OAAO,EAAE,GAAG;aACf,CAAC;QACN,CAAC;IACL,CAAC;CACJ,CAAC,CAAC"}

package/dist/oidc/oidc.config.js

@@ -0,0 +1,79 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createOIDCConfig = createOIDCConfig;
+const jose_1 = require("jose");
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const JWKS_PATH = node_path_1.default.resolve(process.cwd(), './data/oidc.jwks.json');
+async function resolveJWKS() {
+    if (process.env.OIDC_JWKS) {
+        try {
+            return JSON.parse(process.env.OIDC_JWKS);
+        }
+        catch {
+            throw new Error('[OIDC] Failed to parse OIDC_JWKS env variable');
+        }
+    }
+    if (node_fs_1.default.existsSync(JWKS_PATH)) {
+        try {
+            return JSON.parse(node_fs_1.default.readFileSync(JWKS_PATH, 'utf-8'));
+        }
+        catch {
+            throw new Error('[OIDC] Failed to read JWKS from disk');
+        }
+    }
+    const { privateKey } = await (0, jose_1.generateKeyPair)('RS256', { extractable: true });
+    const jwk = await (0, jose_1.exportJWK)(privateKey);
+    jwk.use = 'sig';
+    jwk.alg = 'RS256';
+    jwk.kid = `key-${Date.now()}`;
+    const jwks = { keys: [jwk] };
+    node_fs_1.default.mkdirSync(node_path_1.default.dirname(JWKS_PATH), { recursive: true });
+    node_fs_1.default.writeFileSync(JWKS_PATH, JSON.stringify(jwks, null, 2), 'utf-8');
+    return jwks;
+}
+async function createOIDCConfig(opts) {
+    const { issuer, secret, findAccount } = opts;
+    const jwks = await resolveJWKS();
+    return {
+        jwks,
+        findAccount,
+        interactions: {
+            url: (ctx, interaction) => `/interaction/${interaction.uid}`,
+        },
+        features: {
+            devInteractions: { enabled: false },
+            clientCredentials: { enabled: true },
+            introspection: { enabled: true },
+            revocation: { enabled: true },
+            rpInitiatedLogout: { enabled: true },
+        },
+        claims: {
+            openid: ['sub'],
+            email: ['email'],
+            profile: ['username', 'name'],
+        },
+        scopes: ['openid', 'email', 'profile'],
+        pkce: {
+            required: () => false,
+        },
+        ttl: {
+            AccessToken: 60 * 60,
+            AuthorizationCode: 10 * 60,
+            IdToken: 60 * 60,
+            RefreshToken: 14 * 24 * 60 * 60,
+            Session: 14 * 24 * 60 * 60,
+            Interaction: 60 * 60,
+            Grant: 14 * 24 * 60 * 60,
+        },
+        cookies: {
+            keys: [process.env.OIDC_COOKIE_SECRET ?? secret],
+            short: { secure: false, sameSite: 'lax' },
+            long: { secure: false, sameSite: 'lax' },
+        },
+    };
+}
+//# sourceMappingURL=oidc.config.js.map

package/dist/oidc/oidc.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.config.js","sourceRoot":"","sources":["../../src/oidc/oidc.config.ts"],"names":[],"mappings":";;;;;AA2CA,4CAgDC;AA3FD,+BAAkD;AAClD,sDAAqD;AACrD,0DAAuD;AAEvD,MAAM,SAAS,GAAG,mBAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,uBAAuB,CAAC,CAAC;AAEvE,KAAK,UAAU,WAAW;IACtB,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACxB,IAAI,CAAC;YACD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACL,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACrE,CAAC;IACL,CAAC;IAED,IAAI,iBAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACD,OAAO,IAAI,CAAC,KAAK,CAAC,iBAAE,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACL,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC5D,CAAC;IACL,CAAC;IAED,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAA,sBAAe,EAAC,OAAO,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7E,MAAM,GAAG,GAAc,MAAM,IAAA,gBAAS,EAAC,UAAU,CAAC,CAAC;IACnD,GAAG,CAAC,GAAG,GAAe,KAAK,CAAC;IAC5B,GAAG,CAAC,GAAG,GAAe,OAAO,CAAC;IAC9B,GAAG,CAAC,GAAG,GAAe,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IAE1C,MAAM,IAAI,GAAG,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IAE7B,iBAAE,CAAC,SAAS,CAAC,mBAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3D,iBAAE,CAAC,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAEpE,OAAO,IAAI,CAAC;AAChB,CAAC;AAQM,KAAK,UAAU,gBAAgB,CAAC,IAAwB;IAC3D,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC;IAC7C,MAAM,IAAI,GAA8B,MAAM,WAAW,EAAE,CAAC;IAE5D,OAAO;QACH,IAAI;QACJ,WAAW;QAEX,YAAY,EAAE;YACV,GAAG,EAAE,CAAC,GAAQ,EAAE,WAAgB,EAAE,EAAE,CAAC,gBAAgB,WAAW,CAAC,GAAG,EAAE;SACzE;QAED,QAAQ,EAAE;YACN,eAAe,EAAI,EAAE,OAAO,EAAE,KAAK,EAAE;YACrC,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAG;YACrC,aAAa,EAAM,EAAE,OAAO,EAAE,IAAI,EAAG;YACrC,UAAU,EAAS,EAAE,OAAO,EAAE,IAAI,EAAG;YACrC,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAG;SACxC;QAED,MAAM,EAAE;YACJ,MAAM,EAAI,CAAC,KAAK,CAAC;YACjB,KAAK,EAAK,CAAC,OAAO,CAAC;YACnB,OAAO,EAAG,CAAC,UAAU,EAAE,MAAM,CAAC;SACjC;QAED,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC;QAEtC,IAAI,EAAE;YACF,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK;SACxB;QAED,GAAG,EAAE;YACD,WAAW,EAAI,EAAE,GAAG,EAAE;YACtB,iBAAiB,EAAE,EAAE,GAAG,EAAE;YAC1B,OAAO,EAAQ,EAAE,GAAG,EAAE;YACtB,YAAY,EAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;YAChC,OAAO,EAAQ,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;YAChC,WAAW,EAAI,EAAE,GAAG,EAAE;YACtB,KAAK,EAAU,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;SACnC;QAED,OAAO,EAAE;YACL,IAAI,EAAI,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,MAAM,CAAC;YAClD,KAAK,EAAG,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE;YAC1C,IAAI,EAAI,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE;SAC7C;KACJ,CAAC;AACN,CAAC"}