@julr/sesame 0.0.0

package/build/introspect_controller-BzwfaUUE.js

@@ -0,0 +1,63 @@
+import "./decorate-2_8Ex77k.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
+import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
+import { n as E_INVALID_CLIENT } from "./oauth_error-BQPqV-MV.js";
+import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
+import { t as TokenService } from "./token_service-Czz9v5GI.js";
+import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+const INACTIVE = { active: false };
+var IntrospectController = class {
+	async handle(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		const clientService = new ClientService();
+		const credentials = clientService.extractCredentials({
+			authorizationHeader: ctx.request.header("authorization"),
+			bodyClientId: ctx.request.body().client_id,
+			bodyClientSecret: ctx.request.body().client_secret
+		});
+		if (!credentials) throw new E_INVALID_CLIENT("Client authentication required");
+		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
+		if (!client) throw new E_INVALID_CLIENT("Client not found");
+		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
+		if (!client.isPublic) {
+			if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
+			if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
+		}
+		const token = ctx.request.body().token;
+		if (!token) return INACTIVE;
+		const tokenTypeHint = ctx.request.body().token_type_hint;
+		const hashed = new TokenService(manager).hashToken(token);
+		if (!tokenTypeHint || tokenTypeHint === "access_token") {
+			const record = await OAuthAccessToken.query().where("tokenHash", hashed).where("clientId", client.clientId).first();
+			if (record && !record.revokedAt && record.expiresAt.toJSDate() >= /* @__PURE__ */ new Date()) return {
+				active: true,
+				token_type: "Bearer",
+				client_id: record.clientId,
+				sub: record.userId || void 0,
+				scope: record.scopes.join(" "),
+				iss: manager.config.issuer,
+				iat: Math.floor(record.createdAt.toMillis() / 1e3),
+				exp: Math.floor(record.expiresAt.toMillis() / 1e3)
+			};
+			if (tokenTypeHint === "access_token") return INACTIVE;
+		}
+		if (!tokenTypeHint || tokenTypeHint === "refresh_token") {
+			const refreshToken = await OAuthRefreshToken.query().where("token", hashed).where("clientId", client.clientId).first();
+			if (!refreshToken) return INACTIVE;
+			if (refreshToken.revokedAt) return INACTIVE;
+			if (refreshToken.expiresAt.toJSDate() < /* @__PURE__ */ new Date()) return INACTIVE;
+			return {
+				active: true,
+				token_type: "refresh_token",
+				client_id: refreshToken.clientId,
+				sub: refreshToken.userId,
+				scope: refreshToken.scopes.join(" "),
+				iss: manager.config.issuer,
+				iat: Math.floor(refreshToken.createdAt.toMillis() / 1e3),
+				exp: Math.floor(refreshToken.expiresAt.toMillis() / 1e3)
+			};
+		}
+		return INACTIVE;
+	}
+};
+export { IntrospectController as default };

package/build/main-kn40V-hF.js

@@ -0,0 +1,2 @@
+const stubsRoot = import.meta.dirname;
+export { stubsRoot as t };

package/build/metadata_controller-BSRRElQX.js

@@ -0,0 +1,51 @@
+import "./decorate-2_8Ex77k.js";
+import "./oauth_access_token-BpG8sq-c.js";
+import { t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
+var MetadataController = class {
+	async authServer(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		const issuer = manager.config.issuer;
+		ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
+		return {
+			issuer,
+			authorization_endpoint: `${issuer}/oauth/authorize`,
+			token_endpoint: `${issuer}/oauth/token`,
+			registration_endpoint: manager.config.allowDynamicRegistration ? `${issuer}/oauth/register` : void 0,
+			introspection_endpoint: `${issuer}/oauth/introspect`,
+			revocation_endpoint: `${issuer}/oauth/revoke`,
+			response_types_supported: ["code"],
+			response_modes_supported: ["query"],
+			grant_types_supported: manager.config.grantTypes,
+			token_endpoint_auth_methods_supported: [
+				"none",
+				"client_secret_basic",
+				"client_secret_post"
+			],
+			introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+			revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+			code_challenge_methods_supported: ["S256"],
+			authorization_response_iss_parameter_supported: true
+		};
+	}
+	async oidc(ctx) {
+		const base = await this.authServer(ctx);
+		const manager = await ctx.containerResolver.make(SesameManager);
+		return {
+			...base,
+			subject_types_supported: ["public"],
+			scopes_supported: Object.keys(manager.config.scopes)
+		};
+	}
+	async protectedResource(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		const issuer = manager.config.issuer;
+		ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
+		return {
+			resource: issuer,
+			authorization_servers: [issuer],
+			scopes_supported: Object.keys(manager.config.scopes),
+			bearer_methods_supported: ["header"]
+		};
+	}
+};
+export { MetadataController as default };

package/build/oauth_access_token-BpG8sq-c.js

@@ -0,0 +1,18 @@
+import { n as json, t as __decorate } from "./decorate-2_8Ex77k.js";
+import { BaseModel, column } from "@adonisjs/lucid/orm";
+var OAuthAccessToken = class extends BaseModel {
+	static table = "oauth_access_tokens";
+};
+__decorate([column({ isPrimary: true })], OAuthAccessToken.prototype, "id", void 0);
+__decorate([column()], OAuthAccessToken.prototype, "tokenHash", void 0);
+__decorate([column()], OAuthAccessToken.prototype, "clientId", void 0);
+__decorate([column()], OAuthAccessToken.prototype, "userId", void 0);
+__decorate([json()], OAuthAccessToken.prototype, "scopes", void 0);
+__decorate([column.dateTime()], OAuthAccessToken.prototype, "expiresAt", void 0);
+__decorate([column.dateTime()], OAuthAccessToken.prototype, "revokedAt", void 0);
+__decorate([column.dateTime({ autoCreate: true })], OAuthAccessToken.prototype, "createdAt", void 0);
+__decorate([column.dateTime({
+	autoCreate: true,
+	autoUpdate: true
+})], OAuthAccessToken.prototype, "updatedAt", void 0);
+export { OAuthAccessToken as t };

package/build/oauth_client-eh0e5ql-.js

@@ -0,0 +1,24 @@
+import { n as json, t as __decorate } from "./decorate-2_8Ex77k.js";
+import { BaseModel, column } from "@adonisjs/lucid/orm";
+var OAuthClient = class extends BaseModel {
+	static table = "oauth_clients";
+};
+__decorate([column({ isPrimary: true })], OAuthClient.prototype, "id", void 0);
+__decorate([column()], OAuthClient.prototype, "clientId", void 0);
+__decorate([column({ serializeAs: null })], OAuthClient.prototype, "clientSecret", void 0);
+__decorate([column()], OAuthClient.prototype, "name", void 0);
+__decorate([json()], OAuthClient.prototype, "redirectUris", void 0);
+__decorate([json()], OAuthClient.prototype, "scopes", void 0);
+__decorate([json()], OAuthClient.prototype, "grantTypes", void 0);
+__decorate([column()], OAuthClient.prototype, "isPublic", void 0);
+__decorate([column()], OAuthClient.prototype, "isDisabled", void 0);
+__decorate([column()], OAuthClient.prototype, "requirePkce", void 0);
+__decorate([column()], OAuthClient.prototype, "type", void 0);
+__decorate([json()], OAuthClient.prototype, "metadata", void 0);
+__decorate([column()], OAuthClient.prototype, "userId", void 0);
+__decorate([column.dateTime({ autoCreate: true })], OAuthClient.prototype, "createdAt", void 0);
+__decorate([column.dateTime({
+	autoCreate: true,
+	autoUpdate: true
+})], OAuthClient.prototype, "updatedAt", void 0);
+export { OAuthClient as t };

package/build/oauth_error-BQPqV-MV.js

@@ -0,0 +1,78 @@
+import { Exception } from "@adonisjs/core/exceptions";
+var OAuthError = class extends Exception {
+	static oauthCode;
+	get oauthCode() {
+		return this.constructor.oauthCode;
+	}
+	handle(error, ctx) {
+		ctx.response.status(error.status).json({
+			error: error.oauthCode,
+			error_description: error.message
+		});
+	}
+};
+const E_INVALID_REQUEST = class extends OAuthError {
+	static status = 400;
+	static code = "E_INVALID_REQUEST";
+	static message = "Invalid request";
+	static oauthCode = "invalid_request";
+};
+const E_INVALID_CLIENT = class extends OAuthError {
+	static status = 401;
+	static code = "E_INVALID_CLIENT";
+	static message = "Invalid client";
+	static oauthCode = "invalid_client";
+	handle(error, ctx) {
+		if (ctx.request.header("authorization")?.startsWith("Basic ")) ctx.response.header("WWW-Authenticate", "Basic");
+		super.handle(error, ctx);
+	}
+};
+const E_INVALID_GRANT = class extends OAuthError {
+	static status = 400;
+	static code = "E_INVALID_GRANT";
+	static message = "Invalid grant";
+	static oauthCode = "invalid_grant";
+};
+const E_INVALID_SCOPE = class extends OAuthError {
+	static status = 400;
+	static code = "E_INVALID_SCOPE";
+	static message = "Invalid scope";
+	static oauthCode = "invalid_scope";
+};
+const E_INVALID_TOKEN = class extends OAuthError {
+	static status = 401;
+	static code = "E_INVALID_TOKEN";
+	static message = "Invalid token";
+	static oauthCode = "invalid_token";
+};
+const E_UNSUPPORTED_GRANT_TYPE = class extends OAuthError {
+	static status = 400;
+	static code = "E_UNSUPPORTED_GRANT_TYPE";
+	static message = "Unsupported grant type";
+	static oauthCode = "unsupported_grant_type";
+};
+const E_UNSUPPORTED_RESPONSE_TYPE = class extends OAuthError {
+	static status = 400;
+	static code = "E_UNSUPPORTED_RESPONSE_TYPE";
+	static message = "Unsupported response type";
+	static oauthCode = "unsupported_response_type";
+};
+const E_ACCESS_DENIED = class extends OAuthError {
+	static status = 403;
+	static code = "E_ACCESS_DENIED";
+	static message = "Access denied";
+	static oauthCode = "access_denied";
+};
+const E_INVALID_CLIENT_METADATA = class extends OAuthError {
+	static status = 400;
+	static code = "E_INVALID_CLIENT_METADATA";
+	static message = "Invalid client metadata";
+	static oauthCode = "invalid_client_metadata";
+};
+const E_SERVER_ERROR = class extends OAuthError {
+	static status = 500;
+	static code = "E_SERVER_ERROR";
+	static message = "Server error";
+	static oauthCode = "server_error";
+};
+export { E_INVALID_REQUEST as a, E_SERVER_ERROR as c, OAuthError as d, E_INVALID_GRANT as i, E_UNSUPPORTED_GRANT_TYPE as l, E_INVALID_CLIENT as n, E_INVALID_SCOPE as o, E_INVALID_CLIENT_METADATA as r, E_INVALID_TOKEN as s, E_ACCESS_DENIED as t, E_UNSUPPORTED_RESPONSE_TYPE as u };

package/build/providers/sesame_provider.d.ts

@@ -0,0 +1,21 @@
+import type { ApplicationService } from '@adonisjs/core/types';
+/**
+ * AdonisJS service provider for the Sésame OAuth 2.1 server.
+ *
+ * - `register()`: Binds `SesameManager` as a singleton in the IoC
+ *   container, reading the resolved config from `config/sesame.ts`.
+ * - `boot()`: Registers all OAuth routes on the AdonisJS router.
+ */
+export default class SesameProvider {
+    protected app: ApplicationService;
+    constructor(app: ApplicationService);
+    /**
+     * Register `SesameManager` as a singleton binding.
+     * The manager is resolved from the `sesame` config key.
+     */
+    register(): void;
+    /**
+     * Boot the provider by registering all OAuth 2.1 routes.
+     */
+    boot(): Promise<void>;
+}

package/build/providers/sesame_provider.js

@@ -0,0 +1,19 @@
+import "../decorate-2_8Ex77k.js";
+import "../oauth_access_token-BpG8sq-c.js";
+import { t as SesameManager } from "../sesame_manager-B4tO2PLO.js";
+var SesameProvider = class {
+	constructor(app) {
+		this.app = app;
+	}
+	register() {
+		this.app.container.singleton(SesameManager, () => {
+			return new SesameManager(this.app.config.get("sesame"));
+		});
+	}
+	async boot() {
+		const router = await this.app.container.make("router");
+		const { registerRoutes } = await import("../routes-D6QCu0Pz.js").then((n) => n.r);
+		registerRoutes(router);
+	}
+};
+export { SesameProvider as default };

package/build/register_controller-BA7uQAgt.js

@@ -0,0 +1,139 @@
+import "./decorate-2_8Ex77k.js";
+import "./oauth_access_token-BpG8sq-c.js";
+import { t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
+import { a as E_INVALID_REQUEST, o as E_INVALID_SCOPE, r as E_INVALID_CLIENT_METADATA, t as E_ACCESS_DENIED } from "./oauth_error-BQPqV-MV.js";
+import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
+import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import vine from "@vinejs/vine";
+const DANGEROUS_SCHEMES = [
+	"javascript:",
+	"data:",
+	"vbscript:"
+];
+const LOCALHOST_HOSTS = [
+	"localhost",
+	"127.0.0.1",
+	"[::1]"
+];
+const redirectUriRule = vine.createRule((value, _options, field) => {
+	let parsed;
+	try {
+		parsed = new URL(value);
+	} catch {
+		field.report("Invalid redirect URI", "redirectUri", field);
+		return;
+	}
+	if (parsed.hash) {
+		field.report("Redirect URI must not contain a fragment", "redirectUri", field);
+		return;
+	}
+	if (DANGEROUS_SCHEMES.includes(parsed.protocol)) {
+		field.report("Redirect URI uses a disallowed scheme", "redirectUri", field);
+		return;
+	}
+	if (parsed.protocol === "http:" && !LOCALHOST_HOSTS.includes(parsed.hostname)) field.report("Redirect URI must use HTTPS for non-localhost hosts", "redirectUri", field);
+});
+const metadataUriRule = vine.createRule((value, _options, field) => {
+	const parsed = new URL(value);
+	if (DANGEROUS_SCHEMES.includes(parsed.protocol)) {
+		field.report("{{ field }} uses a disallowed scheme", "metadataUri", field);
+		return;
+	}
+	const redirectUris = field.data.redirect_uris ?? [];
+	const redirectOrigins = new Set(redirectUris.map((u) => {
+		try {
+			return new URL(u);
+		} catch {
+			return null;
+		}
+	}).filter(Boolean).map((u) => `${u.protocol}//${u.hostname}`));
+	const metaOrigin = `${parsed.protocol}//${parsed.hostname}`;
+	if (!redirectOrigins.has(metaOrigin)) field.report("{{ field }} host and scheme must match at least one redirect_uri", "metadataUri", field);
+});
+const metadataUrl = vine.string().url({ require_protocol: true }).use(metadataUriRule()).optional();
+var RegisterController = class RegisterController {
+	static validator = vine.create({
+		redirect_uris: vine.array(vine.string().use(redirectUriRule())).minLength(1),
+		token_endpoint_auth_method: vine.string().in([
+			"client_secret_basic",
+			"client_secret_post",
+			"none"
+		]).optional(),
+		grant_types: vine.array(vine.string()).optional(),
+		response_types: vine.array(vine.string()).optional(),
+		scope: vine.string().optional(),
+		client_name: vine.string().maxLength(255).trim().optional(),
+		client_uri: metadataUrl,
+		logo_uri: metadataUrl,
+		tos_uri: metadataUrl,
+		policy_uri: metadataUrl,
+		contacts: vine.array(vine.string().email()).optional(),
+		software_id: vine.string().optional(),
+		software_version: vine.string().optional()
+	});
+	async handle(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		if (!manager.config.allowDynamicRegistration) throw new E_ACCESS_DENIED("Dynamic client registration is disabled");
+		const user = ctx.auth?.user;
+		if (!user && !manager.config.allowPublicRegistration) throw new E_INVALID_REQUEST("Authentication required for client registration");
+		let body;
+		try {
+			body = await RegisterController.validator.validate(ctx.request.body());
+		} catch {
+			throw new E_INVALID_CLIENT_METADATA("Invalid request body");
+		}
+		const clientService = new ClientService();
+		const tokenEndpointAuthMethod = body.token_endpoint_auth_method ?? "client_secret_basic";
+		const isPublic = tokenEndpointAuthMethod === "none";
+		const grantTypes = body.grant_types ?? ["authorization_code"];
+		const responseTypes = body.response_types ?? ["code"];
+		const scopes = body.scope ? body.scope.split(" ") : manager.config.defaultScopes;
+		const invalidScopes = manager.validateScopes(scopes);
+		if (invalidScopes.length > 0) throw new E_INVALID_SCOPE(`Unknown scopes: ${invalidScopes.join(", ")}`);
+		const clientName = body.client_name ?? "Unnamed Client";
+		for (const gt of grantTypes) if (!manager.isGrantTypeEnabled(gt)) throw new E_INVALID_CLIENT_METADATA(`Unsupported grant type: ${gt}`);
+		if (responseTypes.some((rt) => rt !== "code")) throw new E_INVALID_CLIENT_METADATA("Only \"code\" response type is supported");
+		const clientId = clientService.generateClientId();
+		const clientSecret = isPublic ? null : clientService.generateClientSecret();
+		const hashedSecret = clientSecret ? clientService.hashSecret(clientSecret) : null;
+		const metadata = {
+			token_endpoint_auth_method: tokenEndpointAuthMethod,
+			response_types: responseTypes,
+			...body.client_uri ? { client_uri: body.client_uri } : {},
+			...body.logo_uri ? { logo_uri: body.logo_uri } : {},
+			...body.contacts ? { contacts: body.contacts } : {},
+			...body.tos_uri ? { tos_uri: body.tos_uri } : {},
+			...body.policy_uri ? { policy_uri: body.policy_uri } : {},
+			...body.software_id ? { software_id: body.software_id } : {},
+			...body.software_version ? { software_version: body.software_version } : {}
+		};
+		await OAuthClient.create({
+			id: crypto.randomUUID(),
+			clientId,
+			clientSecret: hashedSecret,
+			name: clientName,
+			redirectUris: body.redirect_uris,
+			scopes,
+			grantTypes,
+			isPublic,
+			isDisabled: false,
+			requirePkce: true,
+			type: isPublic ? "public" : "confidential",
+			metadata,
+			userId: user ? String(user.id) : null
+		});
+		ctx.response.header("Cache-Control", "no-store");
+		ctx.response.status(201);
+		return {
+			client_id: clientId,
+			...clientSecret ? { client_secret: clientSecret } : {},
+			client_secret_expires_at: 0,
+			client_name: clientName,
+			redirect_uris: body.redirect_uris,
+			grant_types: grantTypes,
+			scope: scopes.join(" "),
+			...metadata
+		};
+	}
+};
+export { RegisterController as default };

package/build/revoke_controller-CNIgNKH3.js

@@ -0,0 +1,50 @@
+import "./decorate-2_8Ex77k.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
+import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
+import { n as E_INVALID_CLIENT } from "./oauth_error-BQPqV-MV.js";
+import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
+import { t as TokenService } from "./token_service-Czz9v5GI.js";
+import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import { DateTime } from "luxon";
+var RevokeController = class {
+	async handle(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		const clientService = new ClientService();
+		const credentials = clientService.extractCredentials({
+			authorizationHeader: ctx.request.header("authorization"),
+			bodyClientId: ctx.request.body().client_id,
+			bodyClientSecret: ctx.request.body().client_secret
+		});
+		if (!credentials) throw new E_INVALID_CLIENT("Client authentication required");
+		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
+		if (!client) throw new E_INVALID_CLIENT("Client not found");
+		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
+		if (!client.isPublic) {
+			if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
+			if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
+		}
+		const token = ctx.request.body().token;
+		if (!token) return ctx.response.ok({});
+		const tokenTypeHint = ctx.request.body().token_type_hint;
+		const hashed = new TokenService(manager).hashToken(token);
+		if (!tokenTypeHint || tokenTypeHint === "access_token") {
+			const record = await OAuthAccessToken.query().where("tokenHash", hashed).where("clientId", client.clientId).first();
+			if (record && !record.revokedAt) {
+				record.revokedAt = DateTime.now();
+				await record.save();
+				return ctx.response.ok({});
+			}
+			if (tokenTypeHint === "access_token") return ctx.response.ok({});
+		}
+		if (!tokenTypeHint || tokenTypeHint === "refresh_token") {
+			const refreshToken = await OAuthRefreshToken.query().where("token", hashed).where("clientId", client.clientId).first();
+			if (refreshToken && !refreshToken.revokedAt) {
+				refreshToken.revokedAt = DateTime.now();
+				await refreshToken.save();
+				await OAuthAccessToken.query().where("tokenHash", refreshToken.accessTokenId).whereNull("revokedAt").update({ revokedAt: DateTime.now().toSQL() });
+			}
+		}
+		return ctx.response.ok({});
+	}
+};
+export { RevokeController as default };

package/build/rolldown-runtime-BASaM9lw.js

@@ -0,0 +1,12 @@
+import "node:module";
+var __defProp = Object.defineProperty;
+var __exportAll = (all, no_symbols) => {
+	let target = {};
+	for (var name in all) __defProp(target, name, {
+		get: all[name],
+		enumerable: true
+	});
+	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
+	return target;
+};
+export { __exportAll as t };

package/build/routes-D6QCu0Pz.js

@@ -0,0 +1,43 @@
+import { t as __exportAll } from "./rolldown-runtime-BASaM9lw.js";
+var routes_exports = /* @__PURE__ */ __exportAll({
+	registerProtectedResource: () => registerProtectedResource,
+	registerRoutes: () => registerRoutes
+});
+const controllers = {
+	token: () => import("./token_controller-C9wh813f.js"),
+	authorize: () => import("./authorize_controller-CUdEDNEi.js"),
+	consent: () => import("./consent_controller-DFfx7qVs.js"),
+	introspect: () => import("./introspect_controller-BzwfaUUE.js"),
+	revoke: () => import("./revoke_controller-CNIgNKH3.js"),
+	register: () => import("./register_controller-BA7uQAgt.js"),
+	metadata: () => import("./metadata_controller-BSRRElQX.js"),
+	clientInfo: () => import("./client_info_controller-DeIVcW8B.js")
+};
+function registerRoutes(router) {
+	router.post("/oauth/token", [controllers.token]).as("sesame.token");
+	router.get("/oauth/authorize", [controllers.authorize]).as("sesame.authorize");
+	router.post("/oauth/consent", [controllers.consent]).as("sesame.consent");
+	router.get("/oauth/client-info", [controllers.clientInfo]).as("sesame.clientInfo");
+	router.post("/oauth/introspect", [controllers.introspect]).as("sesame.introspect");
+	router.post("/oauth/revoke", [controllers.revoke]).as("sesame.revoke");
+	router.post("/oauth/register", [controllers.register]).as("sesame.register");
+	router.get("/.well-known/oauth-authorization-server", [controllers.metadata, "authServer"]).as("sesame.metadata.authServer");
+	router.get("/.well-known/openid-configuration", [controllers.metadata, "oidc"]).as("sesame.metadata.oidc");
+	router.get("/.well-known/oauth-protected-resource", [controllers.metadata, "protectedResource"]).as("sesame.metadata.protectedResource");
+}
+function registerProtectedResource(router, options) {
+	const wellKnownPath = `/.well-known/oauth-protected-resource${options.resource}`;
+	router.get(wellKnownPath, async (ctx) => {
+		const { SesameManager } = await import("./sesame_manager-B4tO2PLO.js").then((n) => n.n);
+		const manager = await ctx.containerResolver.make(SesameManager);
+		const issuer = manager.config.issuer;
+		ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
+		return {
+			resource: `${issuer}${options.resource}`,
+			authorization_servers: [issuer],
+			scopes_supported: options.scopes ?? Object.keys(manager.config.scopes),
+			bearer_methods_supported: ["header"]
+		};
+	});
+}
+export { registerRoutes as n, routes_exports as r, registerProtectedResource as t };

package/build/sesame_manager-B4tO2PLO.js

@@ -0,0 +1,116 @@
+import { t as __exportAll } from "./rolldown-runtime-BASaM9lw.js";
+import { n as json, t as __decorate } from "./decorate-2_8Ex77k.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
+import { DateTime } from "luxon";
+import { BaseModel, column } from "@adonisjs/lucid/orm";
+var OAuthRefreshToken = class extends BaseModel {
+	static table = "oauth_refresh_tokens";
+};
+__decorate([column({ isPrimary: true })], OAuthRefreshToken.prototype, "id", void 0);
+__decorate([column({ serializeAs: null })], OAuthRefreshToken.prototype, "token", void 0);
+__decorate([column()], OAuthRefreshToken.prototype, "accessTokenId", void 0);
+__decorate([column()], OAuthRefreshToken.prototype, "clientId", void 0);
+__decorate([column()], OAuthRefreshToken.prototype, "userId", void 0);
+__decorate([json()], OAuthRefreshToken.prototype, "scopes", void 0);
+__decorate([column.dateTime()], OAuthRefreshToken.prototype, "expiresAt", void 0);
+__decorate([column.dateTime()], OAuthRefreshToken.prototype, "revokedAt", void 0);
+__decorate([column.dateTime({ autoCreate: true })], OAuthRefreshToken.prototype, "createdAt", void 0);
+__decorate([column.dateTime({
+	autoCreate: true,
+	autoUpdate: true
+})], OAuthRefreshToken.prototype, "updatedAt", void 0);
+var OAuthAuthorizationCode = class extends BaseModel {
+	static table = "oauth_authorization_codes";
+};
+__decorate([column({ isPrimary: true })], OAuthAuthorizationCode.prototype, "id", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "code", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "clientId", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "userId", void 0);
+__decorate([json()], OAuthAuthorizationCode.prototype, "scopes", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "redirectUri", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "codeChallenge", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "codeChallengeMethod", void 0);
+__decorate([column.dateTime()], OAuthAuthorizationCode.prototype, "expiresAt", void 0);
+__decorate([column.dateTime({ autoCreate: true })], OAuthAuthorizationCode.prototype, "createdAt", void 0);
+__decorate([column.dateTime({
+	autoCreate: true,
+	autoUpdate: true
+})], OAuthAuthorizationCode.prototype, "updatedAt", void 0);
+var OAuthConsent = class extends BaseModel {
+	static table = "oauth_consents";
+};
+__decorate([column({ isPrimary: true })], OAuthConsent.prototype, "id", void 0);
+__decorate([column()], OAuthConsent.prototype, "clientId", void 0);
+__decorate([column()], OAuthConsent.prototype, "userId", void 0);
+__decorate([json()], OAuthConsent.prototype, "scopes", void 0);
+__decorate([column.dateTime({ autoCreate: true })], OAuthConsent.prototype, "createdAt", void 0);
+__decorate([column.dateTime({
+	autoCreate: true,
+	autoUpdate: true
+})], OAuthConsent.prototype, "updatedAt", void 0);
+var sesame_manager_exports = /* @__PURE__ */ __exportAll({ SesameManager: () => SesameManager });
+var SesameManager = class {
+	#config;
+	constructor(config) {
+		this.#config = config;
+	}
+	get config() {
+		return this.#config;
+	}
+	hasScope(scope) {
+		return scope in this.#config.scopes;
+	}
+	validateScopes(scopes) {
+		if (Object.keys(this.#config.scopes).length === 0) return scopes;
+		return scopes.filter((s) => !this.hasScope(s));
+	}
+	isGrantTypeEnabled(grantType) {
+		return this.#config.grantTypes.includes(grantType);
+	}
+	async revokeAllForUser(userId) {
+		const now = DateTime.now();
+		await OAuthAccessToken.query().where("userId", userId).whereNull("revokedAt").update({ revokedAt: now.toSQL() });
+		await OAuthRefreshToken.query().where("userId", userId).whereNull("revokedAt").update({ revokedAt: now.toSQL() });
+		await OAuthAuthorizationCode.query().where("userId", userId).delete();
+		await OAuthConsent.query().where("userId", userId).delete();
+	}
+	async purgeTokens(options) {
+		const revokedOnly = options?.revokedOnly ?? false;
+		const expiredOnly = options?.expiredOnly ?? false;
+		const retentionHours = options?.retentionHours ?? 168;
+		const purgeRevoked = revokedOnly || !expiredOnly;
+		const purgeExpired = expiredOnly || !revokedOnly;
+		const cutoff = DateTime.now().minus({ hours: retentionHours });
+		let accessTokens = 0;
+		let refreshTokens = 0;
+		let authorizationCodes = 0;
+		if (purgeRevoked) {
+			accessTokens += await this.#deleteCount(OAuthAccessToken.query().whereNotNull("revokedAt").delete());
+			refreshTokens += await this.#deleteCount(OAuthRefreshToken.query().whereNotNull("revokedAt").delete());
+		}
+		if (purgeExpired) {
+			accessTokens += await this.#deleteCount(OAuthAccessToken.query().where("expiresAt", "<", cutoff.toSQL()).whereNull("revokedAt").delete());
+			refreshTokens += await this.#deleteCount(OAuthRefreshToken.query().where("expiresAt", "<", cutoff.toSQL()).whereNull("revokedAt").delete());
+			authorizationCodes += await this.#deleteCount(OAuthAuthorizationCode.query().where("expiresAt", "<", cutoff.toSQL()).delete());
+		}
+		return {
+			accessTokens,
+			refreshTokens,
+			authorizationCodes
+		};
+	}
+	#deleteCount(result) {
+		return result.then((r) => Array.isArray(r) ? Number(r[0] ?? 0) : Number(r));
+	}
+	parseTtl(ttl) {
+		const match = ttl.match(/^(\d+)(s|m|h|d)$/);
+		if (!match) throw new Error(`Invalid TTL format: ${ttl}`);
+		return Number.parseInt(match[1], 10) * {
+			s: 1,
+			m: 60,
+			h: 3600,
+			d: 86400
+		}[match[2]];
+	}
+};
+export { OAuthRefreshToken as a, OAuthAuthorizationCode as i, sesame_manager_exports as n, OAuthConsent as r, SesameManager as t };