@julr/sesame 0.0.0

package/LICENSE.md

@@ -0,0 +1,9 @@
+# The MIT License
+
+Copyright (c) 2023
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,130 @@
+# AdonisJS package starter kit
+
+> [!note]
+> This starter kit targets **AdonisJS v7**
+
+> A boilerplate for creating AdonisJS packages
+
+This repo provides you with a starting point for creating AdonisJS packages. Of course, you can create a package from scratch with your folder structure and workflow. However, using this starter kit can speed up the process, as you have fewer decisions to make.
+
+## Setup
+
+- Clone the repo on your computer, or use `giget` to download this repo without the Git history.
+  ```sh
+  npx giget@latest gh:adonisjs/pkg-starter-kit
+  ```
+- Install dependencies.
+- Update the `package.json` file and define the `name`, `description`, `keywords`, and `author` properties.
+- The repo is configured with an MIT license. Feel free to change that if you are not publishing under the MIT license.
+
+## Folder structure
+
+The starter kit mimics the folder structure of the official packages. Feel free to rename files and folders as per your requirements.
+
+```
+├── providers
+├── src
+├── bin
+├── stubs
+├── configure.ts
+├── index.ts
+├── LICENSE.md
+├── package.json
+├── README.md
+├── tsconfig.json
+├── tsnode.esm.js
+```
+
+- The `configure.ts` file exports the `configure` hook to configure the package using the `node ace configure` command.
+- The `index.ts` file is the main entry point of the package.
+- The `tsnode.esm.js` file runs TypeScript code using TS-Node + SWC. Please read the code comment in this file to learn more.
+- The `bin` directory contains the entry point file to run Japa tests.
+- Learn more about [the `providers` directory](./providers/README.md).
+- Learn more about [the `src` directory](./src/README.md).
+- Learn more about [the `stubs` directory](./stubs/README.md).
+
+### File system naming convention
+
+We use `snake_case` naming conventions for the file system. The rule is enforced using ESLint. However, turn off the rule and use your preferred naming conventions.
+
+## Peer dependencies
+
+The starter kit has a peer dependency on `@adonisjs/core@6`. Since you are creating a package for AdonisJS, you must make it against a specific version of the framework core.
+
+If your package needs Lucid to be functional, you may install `@adonisjs/lucid` as a development dependency and add it to the list of `peerDependencies`.
+
+As a rule of thumb, packages installed in the user application should be part of the `peerDependencies` of your package and not the main dependency.
+
+For example, if you install `@adonisjs/core` as a main dependency, then essentially, you are importing a separate copy of `@adonisjs/core` and not sharing the one from the user application. Here is a great article explaining [peer dependencies](https://blog.bitsrc.io/understanding-peer-dependencies-in-javascript-dbdb4ab5a7be).
+
+## Published files
+
+Instead of publishing your repo's source code to npm, you must cherry-pick files and folders to publish only the required files.
+
+The cherry-picking uses the `files` property inside the `package.json` file. By default, we publish the following files and folders.
+
+```json
+{
+  "files": [
+    "build/src",
+    "build/providers",
+    "build/stubs",
+    "build/index.d.ts",
+    "build/index.js",
+    "build/configure.d.ts",
+    "build/configure.js"
+  ]
+}
+```
+
+If you create additional folders or files, mention them inside the `files` array.
+
+## Exports
+
+[Node.js Subpath exports](https://nodejs.org/api/packages.html#subpath-exports) allows you to define the exports of your package regardless of the folder structure. This starter kit defines the following exports.
+
+```json
+{
+  "exports": {
+    ".": "./build/index.js",
+    "./types": "./build/src/types.js"
+  }
+}
+```
+
+- The dot `.` export is the main export.
+- The `./types` exports all the types defined inside the `./build/src/types.js` file (the compiled output).
+
+Feel free to change the exports as per your requirements.
+
+## Testing
+
+We configure the [Japa test runner](https://japa.dev/) with this starter kit. Japa is used in AdonisJS applications as well. Just run one of the following commands to execute tests.
+
+- `npm run test`: This command will first lint the code using ESlint and then run tests and report the test coverage using [c8](https://github.com/bcoe/c8).
+- `npm run quick:test`: Runs only the tests without linting or coverage reporting.
+
+The starter kit also has a Github workflow file to run tests using Github Actions. The tests are executed against `Node.js 20.x` and `Node.js 21.x` versions on both Linux and Windows. Feel free to edit the workflow file in the `.github/workflows` directory.
+
+## TypeScript workflow
+
+- The starter kit uses [tsc](https://www.typescriptlang.org/docs/handbook/compiler-options.html) for compiling the TypeScript to JavaScript when publishing the package.
+- [TS-Node](https://typestrong.org/ts-node/) and [SWC](https://swc.rs/) are used to run tests without compiling the source code.
+- The `tsconfig.json` file is extended from [`@adonisjs/tsconfig`](https://github.com/adonisjs/tooling-config/tree/main/packages/typescript-config) and uses the `NodeNext` module system. Meaning the packages are written using ES modules.
+- You can perform type checking without compiling the source code using the `npm run type check` script.
+
+Feel free to explore the `tsconfig.json` file for all the configured options.
+
+## ESLint and Prettier setup
+
+The starter kit configures ESLint and Prettier
+using our [shared config](https://github.com/adonisjs/tooling-config/tree/main/packages).
+ESLint configuration is stored within the `eslint.config.js` file.
+Prettier configuration is stored within the `package.json` file.
+Feel free to change the configuration, use custom plugins, or remove both tools altogether.
+
+## Using Stale bot
+
+The [Stale bot](https://github.com/apps/stale) is a Github application that automatically marks issues and PRs as stale and closes after a specific duration of inactivity.
+
+Feel free to delete the `.github/stale.yml` and `.github/lock.yml` files if you decide not to use the Stale bot.

package/build/authorize_controller-CUdEDNEi.js

@@ -0,0 +1,136 @@
+import "./decorate-2_8Ex77k.js";
+import "./oauth_access_token-BpG8sq-c.js";
+import { i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
+import { a as E_INVALID_REQUEST, n as E_INVALID_CLIENT, u as E_UNSUPPORTED_RESPONSE_TYPE } from "./oauth_error-BQPqV-MV.js";
+import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
+import { t as TokenService } from "./token_service-Czz9v5GI.js";
+import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import { DateTime } from "luxon";
+import vine from "@vinejs/vine";
+var AuthorizeController = class AuthorizeController {
+	static validator = vine.create({
+		client_id: vine.string(),
+		response_type: vine.string(),
+		redirect_uri: vine.string(),
+		scope: vine.string().optional(),
+		state: vine.string().optional(),
+		code_challenge: vine.string().optional(),
+		code_challenge_method: vine.string().optional()
+	});
+	#getAuthorizationSession(ctx) {
+		const session = ctx.session;
+		if (!session || typeof session.put !== "function") throw new E_INVALID_REQUEST("Session middleware is required for the browser authorization flow");
+		return session;
+	}
+	#redirectWithError(ctx, manager, redirectUri, error, description, state) {
+		const url = new URL(redirectUri);
+		url.searchParams.set("error", error);
+		url.searchParams.set("error_description", description);
+		if (state) url.searchParams.set("state", state);
+		url.searchParams.set("iss", manager.config.issuer);
+		return ctx.response.redirect().toPath(url.toString());
+	}
+	#buildAuthorizationRequestParams(ctx, manager, options) {
+		const rawRequestToken = new TokenService(manager).generateOpaqueToken();
+		const session = this.#getAuthorizationSession(ctx);
+		session.put("sesame.authToken", rawRequestToken);
+		session.put("sesame.authRequest", {
+			clientId: options.clientId,
+			redirectUri: options.redirectUri,
+			scopes: options.scopes,
+			state: options.state ?? null,
+			codeChallenge: options.codeChallenge ?? null,
+			codeChallengeMethod: options.codeChallengeMethod ?? null
+		});
+		const params = new URLSearchParams();
+		params.set("auth_token", rawRequestToken);
+		return params;
+	}
+	#copyAuthorizeDisplayParams(params, query) {
+		for (const [key, value] of Object.entries(query)) {
+			if (key === "auth_token") continue;
+			if (value != null) params.set(key, String(value));
+		}
+	}
+	#resolvePageUrl(page, ctx, params) {
+		if (typeof page === "function") return page(ctx, params);
+		return `${page}?${params.toString()}`;
+	}
+	async #issueAuthorizationCode(ctx, manager, options) {
+		const tokenService = new TokenService(manager);
+		const raw = tokenService.generateOpaqueToken();
+		const hashed = tokenService.hashToken(raw);
+		const ttl = manager.parseTtl(manager.config.authorizationCodeTtl);
+		await OAuthAuthorizationCode.create({
+			id: crypto.randomUUID(),
+			code: hashed,
+			clientId: options.client.clientId,
+			userId: options.userId,
+			scopes: options.scopes,
+			redirectUri: options.redirectUri,
+			codeChallenge: options.codeChallenge ?? null,
+			codeChallengeMethod: options.codeChallengeMethod ?? null,
+			expiresAt: DateTime.now().plus({ seconds: ttl })
+		});
+		const url = new URL(options.redirectUri);
+		url.searchParams.set("code", raw);
+		if (options.state) url.searchParams.set("state", options.state);
+		url.searchParams.set("iss", manager.config.issuer);
+		return ctx.response.redirect().toPath(url.toString());
+	}
+	async handle(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		const clientService = new ClientService();
+		const [error, query] = await AuthorizeController.validator.tryValidate(ctx.request.qs());
+		if (error) throw new E_INVALID_REQUEST("Invalid authorization request parameters");
+		if (query.response_type !== "code") throw new E_UNSUPPORTED_RESPONSE_TYPE("Only \"code\" is supported");
+		const client = await OAuthClient.query().where("clientId", query.client_id).first();
+		if (!client) throw new E_INVALID_CLIENT("Client not found");
+		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
+		if (!client.redirectUris.includes(query.redirect_uri)) throw new E_INVALID_REQUEST("Invalid redirect_uri");
+		if (!client.grantTypes.includes("authorization_code")) return this.#redirectWithError(ctx, manager, query.redirect_uri, "unauthorized_client", "Client is not allowed to use the authorization_code grant", query.state);
+		const requestedScopes = query.scope ? query.scope.split(" ") : manager.config.defaultScopes;
+		const invalidScopes = manager.validateScopes(requestedScopes);
+		if (invalidScopes.length > 0) return this.#redirectWithError(ctx, manager, query.redirect_uri, "invalid_scope", `Invalid scopes: ${invalidScopes.join(", ")}`, query.state);
+		try {
+			clientService.validateClientScopes(requestedScopes, client.scopes);
+		} catch (error) {
+			return this.#redirectWithError(ctx, manager, query.redirect_uri, "invalid_scope", error.message, query.state);
+		}
+		if (!query.code_challenge) return this.#redirectWithError(ctx, manager, query.redirect_uri, "invalid_request", "PKCE code_challenge is required", query.state);
+		if (query.code_challenge_method !== "S256") return this.#redirectWithError(ctx, manager, query.redirect_uri, "invalid_request", "Only S256 code_challenge_method is supported", query.state);
+		await ctx.auth.check();
+		const user = ctx.auth.user;
+		if (!user) {
+			const params = new URLSearchParams();
+			this.#copyAuthorizeDisplayParams(params, ctx.request.qs());
+			const loginPage = this.#resolvePageUrl(manager.config.loginPage, ctx, params);
+			return ctx.response.redirect().toPath(loginPage);
+		}
+		const existingConsent = await OAuthConsent.query().where("clientId", client.clientId).where("userId", String(user.id)).first();
+		if (existingConsent) {
+			const consentedSet = new Set(existingConsent.scopes);
+			if (requestedScopes.every((s) => consentedSet.has(s))) return this.#issueAuthorizationCode(ctx, manager, {
+				client,
+				userId: String(user.id),
+				scopes: requestedScopes,
+				redirectUri: query.redirect_uri,
+				codeChallenge: query.code_challenge,
+				codeChallengeMethod: query.code_challenge_method,
+				state: query.state
+			});
+		}
+		const params = this.#buildAuthorizationRequestParams(ctx, manager, {
+			clientId: client.clientId,
+			redirectUri: query.redirect_uri,
+			scopes: requestedScopes,
+			state: query.state,
+			codeChallenge: query.code_challenge,
+			codeChallengeMethod: query.code_challenge_method
+		});
+		this.#copyAuthorizeDisplayParams(params, ctx.request.qs());
+		const consentPage = this.#resolvePageUrl(manager.config.consentPage, ctx, params);
+		return ctx.response.redirect().toPath(consentPage);
+	}
+};
+export { AuthorizeController as default };

package/build/client_info_controller-DeIVcW8B.js

@@ -0,0 +1,18 @@
+import "./decorate-2_8Ex77k.js";
+import { a as E_INVALID_REQUEST, n as E_INVALID_CLIENT } from "./oauth_error-BQPqV-MV.js";
+import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
+import vine from "@vinejs/vine";
+var ClientInfoController = class ClientInfoController {
+	static validator = vine.create({ client_id: vine.string() });
+	async handle(ctx) {
+		const [error, query] = await ClientInfoController.validator.tryValidate(ctx.request.qs());
+		if (error) throw new E_INVALID_REQUEST("Missing client_id");
+		const client = await OAuthClient.query().where("clientId", query.client_id).first();
+		if (!client) throw new E_INVALID_CLIENT("Client not found");
+		return {
+			client_id: client.clientId,
+			client_name: client.name
+		};
+	}
+};
+export { ClientInfoController as default };

package/build/client_service-B9fD3ZGe.js

@@ -0,0 +1,53 @@
+import { o as E_INVALID_SCOPE } from "./oauth_error-BQPqV-MV.js";
+import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
+var ClientService = class {
+	parseBasicAuth(header) {
+		if (!header.startsWith("Basic ")) return null;
+		try {
+			const decoded = Buffer.from(header.slice(6), "base64").toString("utf-8");
+			const colonIndex = decoded.indexOf(":");
+			if (colonIndex === -1) return null;
+			return {
+				clientId: decodeURIComponent(decoded.slice(0, colonIndex)),
+				clientSecret: decodeURIComponent(decoded.slice(colonIndex + 1))
+			};
+		} catch {
+			return null;
+		}
+	}
+	extractCredentials(options) {
+		if (options.authorizationHeader) {
+			const basic = this.parseBasicAuth(options.authorizationHeader);
+			if (basic) return basic;
+		}
+		if (options.bodyClientId) return {
+			clientId: options.bodyClientId,
+			clientSecret: options.bodyClientSecret
+		};
+		return null;
+	}
+	validateClientScopes(requestedScopes, clientScopes) {
+		if (clientScopes.length === 0 && requestedScopes.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${requestedScopes.join(", ")}`);
+		const allowedSet = new Set(clientScopes);
+		const invalid = requestedScopes.filter((s) => !allowedSet.has(s));
+		if (invalid.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${invalid.join(", ")}`);
+	}
+	hashSecret(secret) {
+		return createHash("sha256").update(secret).digest("base64url");
+	}
+	verifySecret(secret, storedHash) {
+		const hash = this.hashSecret(secret);
+		try {
+			return timingSafeEqual(Buffer.from(hash), Buffer.from(storedHash));
+		} catch {
+			return false;
+		}
+	}
+	generateClientId() {
+		return randomBytes(16).toString("hex");
+	}
+	generateClientSecret() {
+		return randomBytes(32).toString("base64url");
+	}
+};
+export { ClientService as t };

package/build/commands/commands.json

@@ -0,0 +1 @@
+{"commands":[{"commandName":"sesame:purge","description":"Purge revoked and/or expired tokens and authorization codes","help":"","namespace":"sesame","aliases":[],"flags":[{"name":"revoked","flagName":"revoked","required":false,"type":"boolean","description":"Only purge revoked tokens and authorization codes"},{"name":"expired","flagName":"expired","required":false,"type":"boolean","description":"Only purge expired tokens and authorization codes"},{"name":"hours","flagName":"hours","required":false,"type":"number","description":"Number of hours to retain expired tokens (default: 168 = 7 days)","default":168}],"args":[],"options":{"startApp":true},"filePath":"sesame_purge.js"}],"version":1}

package/build/commands/main.d.ts

@@ -0,0 +1,4 @@
+import { CommandMetaData, Command } from '@adonisjs/ace/types';
+
+export function getMetaData(): Promise<CommandMetaData[]>
+export function getCommand(metaData: CommandMetaData): Promise<Command | null>

package/build/commands/main.js

@@ -0,0 +1,36 @@
+import { readFile } from 'node:fs/promises'
+
+/**
+ * In-memory cache of commands after they have been loaded
+ */
+let commandsMetaData
+
+/**
+ * Reads the commands from the "./commands.json" file. Since, the commands.json
+ * file is generated automatically, we do not have to validate its contents
+ */
+export async function getMetaData() {
+  if (commandsMetaData) {
+    return commandsMetaData
+  }
+
+  const commandsIndex = await readFile(new URL('./commands.json', import.meta.url), 'utf-8')
+  commandsMetaData = JSON.parse(commandsIndex).commands
+
+  return commandsMetaData
+}
+
+/**
+ * Imports the command by lookingup its path from the commands
+ * metadata
+ */
+export async function getCommand(metaData) {
+  const commands = await getMetaData()
+  const command = commands.find(({ commandName }) => metaData.commandName === commandName)
+  if (!command) {
+    return null
+  }
+
+  const { default: commandConstructor } = await import(new URL(command.filePath, import.meta.url).href)
+  return commandConstructor
+}

package/build/commands/sesame_purge.d.ts

@@ -0,0 +1,21 @@
+import { BaseCommand } from '@adonisjs/core/ace';
+import type { CommandOptions } from '@adonisjs/core/types/ace';
+/**
+ * Purge revoked and/or expired OAuth tokens and authorization codes.
+ *
+ * By default, purges both revoked and expired records. Use `--revoked`
+ * or `--expired` to target only one category. Expired tokens are
+ * retained for a configurable period (default 168h / 7 days) to
+ * allow for debugging and audit trails.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749
+ */
+export default class SesamePurge extends BaseCommand {
+    static commandName: string;
+    static description: string;
+    static options: CommandOptions;
+    revoked: boolean;
+    expired: boolean;
+    hours: number;
+    run(): Promise<void>;
+}

package/build/commands/sesame_purge.js

@@ -0,0 +1,28 @@
+import { t as __decorate } from "../decorate-2_8Ex77k.js";
+import "../oauth_access_token-BpG8sq-c.js";
+import { t as SesameManager } from "../sesame_manager-B4tO2PLO.js";
+import { BaseCommand, flags } from "@adonisjs/core/ace";
+var SesamePurge = class extends BaseCommand {
+	static commandName = "sesame:purge";
+	static description = "Purge revoked and/or expired tokens and authorization codes";
+	static options = { startApp: true };
+	async run() {
+		const result = await (await this.app.container.make(SesameManager)).purgeTokens({
+			revokedOnly: this.revoked,
+			expiredOnly: this.expired,
+			retentionHours: this.hours
+		});
+		const total = result.accessTokens + result.refreshTokens + result.authorizationCodes;
+		if (result.accessTokens > 0) this.logger.info(`  Access tokens: ${result.accessTokens}`);
+		if (result.refreshTokens > 0) this.logger.info(`  Refresh tokens: ${result.refreshTokens}`);
+		if (result.authorizationCodes > 0) this.logger.info(`  Authorization codes: ${result.authorizationCodes}`);
+		this.logger.success(`Purged ${total} record(s).`);
+	}
+};
+__decorate([flags.boolean({ description: "Only purge revoked tokens and authorization codes" })], SesamePurge.prototype, "revoked", void 0);
+__decorate([flags.boolean({ description: "Only purge expired tokens and authorization codes" })], SesamePurge.prototype, "expired", void 0);
+__decorate([flags.number({
+	description: "Number of hours to retain expired tokens (default: 168 = 7 days)",
+	default: 168
+})], SesamePurge.prototype, "hours", void 0);
+export { SesamePurge as default };

package/build/configure.d.ts

@@ -0,0 +1,2 @@
+import type Configure from '@adonisjs/core/commands/configure';
+export declare function configure(command: Configure): Promise<void>;

package/build/configure.js

@@ -0,0 +1,16 @@
+import { t as stubsRoot } from "./main-kn40V-hF.js";
+async function configure(command) {
+	const codemods = await command.createCodemods();
+	await codemods.makeUsingStub(stubsRoot, "config/sesame.stub", {});
+	for (const stub of [
+		"migrations/create_oauth_clients_table.stub",
+		"migrations/create_oauth_authorization_codes_table.stub",
+		"migrations/create_oauth_access_tokens_table.stub",
+		"migrations/create_oauth_refresh_tokens_table.stub",
+		"migrations/create_oauth_consents_table.stub"
+	]) await codemods.makeUsingStub(stubsRoot, stub, {});
+	await codemods.updateRcFile((rcFile) => {
+		rcFile.addProvider("@julr/sesame/sesame_provider").addCommand("@julr/sesame/commands");
+	});
+}
+export { configure };

package/build/consent_controller-DFfx7qVs.js

@@ -0,0 +1,87 @@
+import "./decorate-2_8Ex77k.js";
+import "./oauth_access_token-BpG8sq-c.js";
+import { i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
+import { a as E_INVALID_REQUEST, i as E_INVALID_GRANT, n as E_INVALID_CLIENT } from "./oauth_error-BQPqV-MV.js";
+import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
+import { t as TokenService } from "./token_service-Czz9v5GI.js";
+import { DateTime } from "luxon";
+import vine from "@vinejs/vine";
+var ConsentController = class ConsentController {
+	static validator = vine.create({ auth_token: vine.string() });
+	#getAuthorizationSession(ctx) {
+		const session = ctx.session;
+		if (!session || typeof session.pull !== "function") throw new E_INVALID_REQUEST("Session middleware is required for the browser authorization flow");
+		return session;
+	}
+	async #issueAuthorizationCode(ctx, manager, options) {
+		const tokenService = new TokenService(manager);
+		const raw = tokenService.generateOpaqueToken();
+		const hashed = tokenService.hashToken(raw);
+		const ttl = manager.parseTtl(manager.config.authorizationCodeTtl);
+		await OAuthAuthorizationCode.create({
+			id: crypto.randomUUID(),
+			code: hashed,
+			clientId: options.client.clientId,
+			userId: options.userId,
+			scopes: options.scopes,
+			redirectUri: options.redirectUri,
+			codeChallenge: options.codeChallenge ?? null,
+			codeChallengeMethod: options.codeChallengeMethod ?? null,
+			expiresAt: DateTime.now().plus({ seconds: ttl })
+		});
+		const url = new URL(options.redirectUri);
+		url.searchParams.set("code", raw);
+		if (options.state) url.searchParams.set("state", options.state);
+		url.searchParams.set("iss", manager.config.issuer);
+		return ctx.response.redirect().toPath(url.toString());
+	}
+	async handle(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		const session = this.#getAuthorizationSession(ctx);
+		await ctx.auth.check();
+		const user = ctx.auth.user;
+		if (!user) throw new E_INVALID_REQUEST("User must be authenticated");
+		const [error, body] = await ConsentController.validator.tryValidate(ctx.request.body());
+		if (error) throw new E_INVALID_REQUEST("Missing required parameter: auth_token");
+		const accept = ctx.request.body().accept;
+		const expectedAuthToken = session.pull("sesame.authToken");
+		const authorizationRequest = session.pull("sesame.authRequest");
+		if (!expectedAuthToken || expectedAuthToken !== body.auth_token) {
+			session.forget(["sesame.authToken", "sesame.authRequest"]);
+			throw new E_INVALID_GRANT("Authorization request token mismatch");
+		}
+		if (!authorizationRequest) throw new E_INVALID_GRANT("Authorization request not found");
+		const client = await OAuthClient.query().where("clientId", authorizationRequest.clientId).first();
+		if (!client) throw new E_INVALID_CLIENT("Client not found");
+		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
+		if (!client.redirectUris.includes(authorizationRequest.redirectUri)) throw new E_INVALID_REQUEST("Invalid redirect_uri");
+		if (!accept) {
+			const url = new URL(authorizationRequest.redirectUri);
+			url.searchParams.set("error", "access_denied");
+			url.searchParams.set("error_description", "The user denied the authorization request");
+			if (authorizationRequest.state) url.searchParams.set("state", authorizationRequest.state);
+			url.searchParams.set("iss", manager.config.issuer);
+			return ctx.response.redirect().toPath(url.toString());
+		}
+		const existingConsent = await OAuthConsent.query().where("clientId", client.clientId).where("userId", String(user.id)).first();
+		if (existingConsent) {
+			existingConsent.scopes = [...new Set([...existingConsent.scopes, ...authorizationRequest.scopes])];
+			await existingConsent.save();
+		} else await OAuthConsent.create({
+			id: crypto.randomUUID(),
+			clientId: client.clientId,
+			userId: String(user.id),
+			scopes: authorizationRequest.scopes
+		});
+		return this.#issueAuthorizationCode(ctx, manager, {
+			client,
+			userId: String(user.id),
+			scopes: authorizationRequest.scopes,
+			redirectUri: authorizationRequest.redirectUri,
+			codeChallenge: authorizationRequest.codeChallenge ?? void 0,
+			codeChallengeMethod: authorizationRequest.codeChallengeMethod ?? void 0,
+			state: authorizationRequest.state ?? void 0
+		});
+	}
+};
+export { ConsentController as default };

package/build/decorate-2_8Ex77k.js

@@ -0,0 +1,15 @@
+import { column } from "@adonisjs/lucid/orm";
+function json(options) {
+	return column({
+		...options,
+		prepare: (value) => value == null ? null : JSON.stringify(value),
+		consume: (value) => value == null ? null : typeof value === "string" ? JSON.parse(value) : value
+	});
+}
+function __decorate(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+export { json as n, __decorate as t };

package/build/index.d.ts

@@ -0,0 +1,14 @@
+export { configure } from './configure.ts';
+export { stubsRoot } from './stubs/main.ts';
+export { defineConfig } from './src/define_config.ts';
+export { SesameManager } from './src/sesame_manager.ts';
+export { OAuthError, E_INVALID_REQUEST, E_INVALID_CLIENT, E_INVALID_GRANT, E_INVALID_SCOPE, E_INVALID_TOKEN, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, E_ACCESS_DENIED, E_INVALID_CLIENT_METADATA, E_SERVER_ERROR, } from './src/oauth_error.ts';
+export { OAuthClient } from './src/models/oauth_client.ts';
+export { OAuthAccessToken } from './src/models/oauth_access_token.ts';
+export { OAuthRefreshToken } from './src/models/oauth_refresh_token.ts';
+export { OAuthAuthorizationCode } from './src/models/oauth_authorization_code.ts';
+export { OAuthConsent } from './src/models/oauth_consent.ts';
+export { OAuthGuard } from './src/guard/guard.ts';
+export { OAuthLucidUserProvider } from './src/guard/user_provider.ts';
+export { oauthGuard, oauthUserProvider } from './src/guard/main.ts';
+export { registerRoutes, registerProtectedResource } from './src/routes.ts';

package/build/index.js

@@ -0,0 +1,27 @@
+import { t as stubsRoot } from "./main-kn40V-hF.js";
+import { configure } from "./configure.js";
+import "./decorate-2_8Ex77k.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
+import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
+import { a as E_INVALID_REQUEST, c as E_SERVER_ERROR, d as OAuthError, i as E_INVALID_GRANT, l as E_UNSUPPORTED_GRANT_TYPE, n as E_INVALID_CLIENT, o as E_INVALID_SCOPE, r as E_INVALID_CLIENT_METADATA, s as E_INVALID_TOKEN, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_RESPONSE_TYPE } from "./oauth_error-BQPqV-MV.js";
+import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
+import "./token_service-Czz9v5GI.js";
+import { n as OAuthGuard, t as OAuthLucidUserProvider } from "./user_provider-B3rXEUT3.js";
+import { oauthGuard, oauthUserProvider } from "./src/guard/main.js";
+import { n as registerRoutes, t as registerProtectedResource } from "./routes-D6QCu0Pz.js";
+function defineConfig(config) {
+	return {
+		issuer: config.issuer,
+		scopes: config.scopes ?? {},
+		defaultScopes: config.defaultScopes ?? [],
+		grantTypes: config.grantTypes ?? ["authorization_code", "refresh_token"],
+		accessTokenTtl: config.accessTokenTtl ?? "1h",
+		refreshTokenTtl: config.refreshTokenTtl ?? "30d",
+		authorizationCodeTtl: config.authorizationCodeTtl ?? "10m",
+		loginPage: config.loginPage,
+		consentPage: config.consentPage,
+		allowDynamicRegistration: config.allowDynamicRegistration ?? false,
+		allowPublicRegistration: config.allowPublicRegistration ?? false
+	};
+}
+export { E_ACCESS_DENIED, E_INVALID_CLIENT, E_INVALID_CLIENT_METADATA, E_INVALID_GRANT, E_INVALID_REQUEST, E_INVALID_SCOPE, E_INVALID_TOKEN, E_SERVER_ERROR, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, OAuthAccessToken, OAuthAuthorizationCode, OAuthClient, OAuthConsent, OAuthError, OAuthGuard, OAuthLucidUserProvider, OAuthRefreshToken, SesameManager, configure, defineConfig, oauthGuard, oauthUserProvider, registerProtectedResource, registerRoutes, stubsRoot };