@julr/sesame 0.0.0

package/build/src/types.d.ts

@@ -0,0 +1,141 @@
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Supported grant types for v1 (MCP-focused).
+ *
+ * - `authorization_code`: RFC 6749 §4.1 — Authorization Code Grant
+ * - `refresh_token`: RFC 6749 §6 — Refreshing an Access Token
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-6
+ */
+export type GrantType = 'authorization_code' | 'refresh_token';
+/**
+ * User-facing configuration interface for Sésame.
+ *
+ * Provides all options needed to set up the OAuth 2.1 authorization
+ * server, including issuer identity, scopes, token lifetimes, and
+ * page redirects for the authorization flow.
+ */
+export interface SesameConfig {
+    /**
+     * The issuer URL (must be HTTPS in production).
+     * Used in JWT `iss` claim and discovery metadata.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc8414#section-2
+     */
+    issuer: string;
+    /**
+     * Available scopes as a record of scope name to description.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
+     */
+    scopes?: Record<string, string>;
+    /**
+     * Default scopes assigned when none are requested
+     * in the authorization request.
+     */
+    defaultScopes?: string[];
+    /**
+     * Enabled grant types.
+     * Defaults to `['authorization_code', 'refresh_token']`.
+     */
+    grantTypes?: GrantType[];
+    /**
+     * Access token TTL as a string duration (e.g. '1h', '30m').
+     * Defaults to '1h'.
+     */
+    accessTokenTtl?: string;
+    /**
+     * Refresh token TTL as a string duration.
+     * Defaults to '30d'.
+     */
+    refreshTokenTtl?: string;
+    /**
+     * Authorization code TTL as a string duration.
+     * Defaults to '10m'.
+     */
+    authorizationCodeTtl?: string;
+    /**
+     * Route or URL where unauthenticated users are redirected
+     * to log in during the authorization flow. Can be a string
+     * path or a function receiving the HttpContext and authorize
+     * query parameters.
+     */
+    loginPage: string | ((ctx: HttpContext, params: URLSearchParams) => string);
+    /**
+     * Route or URL where users are redirected to approve/deny
+     * client access during the authorization flow. Can be a string
+     * path or a function receiving the HttpContext and authorize
+     * query parameters.
+     */
+    consentPage: string | ((ctx: HttpContext, params: URLSearchParams) => string);
+    /**
+     * Allow dynamic client registration.
+     * Defaults to `false`.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc7591
+     */
+    allowDynamicRegistration?: boolean;
+    /**
+     * Allow unauthenticated client registration (needed for MCP).
+     * Defaults to `false`.
+     */
+    allowPublicRegistration?: boolean;
+}
+/**
+ * Fully resolved configuration with defaults applied.
+ * Created by `defineConfig()` from user-supplied `SesameConfig`.
+ */
+export interface ResolvedSesameConfig {
+    issuer: string;
+    scopes: Record<string, string>;
+    defaultScopes: string[];
+    grantTypes: GrantType[];
+    accessTokenTtl: string;
+    refreshTokenTtl: string;
+    authorizationCodeTtl: string;
+    loginPage: string | ((ctx: HttpContext, params: URLSearchParams) => string);
+    consentPage: string | ((ctx: HttpContext, params: URLSearchParams) => string);
+    allowDynamicRegistration: boolean;
+    allowPublicRegistration: boolean;
+}
+/**
+ * OAuth 2.0 Authorization Server Metadata as defined by RFC 8414.
+ *
+ * Returned by the `/.well-known/oauth-authorization-server` endpoint
+ * to allow clients to discover server capabilities.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc8414#section-2
+ */
+export interface AuthServerMetadata {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    registration_endpoint?: string;
+    introspection_endpoint?: string;
+    revocation_endpoint?: string;
+    response_types_supported: string[];
+    response_modes_supported: string[];
+    grant_types_supported: string[];
+    token_endpoint_auth_methods_supported: string[];
+    introspection_endpoint_auth_methods_supported?: string[];
+    revocation_endpoint_auth_methods_supported?: string[];
+    code_challenge_methods_supported: string[];
+    authorization_response_iss_parameter_supported: boolean;
+}
+/**
+ * OAuth 2.0 Protected Resource Metadata as defined by RFC 9728.
+ *
+ * Returned by the `/.well-known/oauth-protected-resource` endpoint.
+ * Used by MCP clients to discover which authorization servers
+ * protect a given resource.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc9728
+ */
+export interface ResourceServerMetadata {
+    resource: string;
+    authorization_servers: string[];
+    scopes_supported?: string[];
+    bearer_methods_supported?: string[];
+    resource_documentation?: string;
+}

package/build/stubs/config/sesame.stub

@@ -0,0 +1,30 @@
+{{{
+  exports: { defineConfig: 'import { defineConfig } from \'@adonisjs/sesame\'' }
+}}}
+import env from '#start/env'
+
+const sesameConfig = defineConfig({
+  issuer: env.get('APP_URL'),
+
+  scopes: {
+    // Define your available scopes here
+    // 'read': 'Read access',
+    // 'write': 'Write access',
+  },
+
+  defaultScopes: [],
+
+  grantTypes: ['authorization_code', 'refresh_token'],
+
+  accessTokenTtl: '1h',
+  refreshTokenTtl: '30d',
+  authorizationCodeTtl: '10m',
+
+  loginPage: '/login',
+  consentPage: '/oauth/consent',
+
+  allowDynamicRegistration: false,
+  allowPublicRegistration: false,
+})
+
+export default sesameConfig

package/build/stubs/main.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Path to the root directory where the stubs are stored. We use
+ * this path within commands and the configure hook
+ */
+export declare const stubsRoot: string;

package/build/stubs/migrations/create_oauth_access_tokens_table.stub

@@ -0,0 +1,25 @@
+{{{
+  exports: { migration: "import { BaseSchema } from '@adonisjs/lucid/schema'" }
+}}}
+
+export default class extends BaseSchema {
+  protected tableName = 'oauth_access_tokens'
+
+  async up() {
+    this.schema.createTable(this.tableName, (table) => {
+      table.uuid('id').primary()
+      table.string('token_hash').unique().notNullable()
+      table.string('client_id').notNullable().references('client_id').inTable('oauth_clients').onDelete('CASCADE')
+      table.string('user_id').nullable()
+      table.json('scopes').notNullable()
+      table.timestamp('expires_at').notNullable()
+      table.timestamp('revoked_at').nullable()
+      table.timestamp('created_at').notNullable()
+      table.timestamp('updated_at').notNullable()
+    })
+  }
+
+  async down() {
+    this.schema.dropTable(this.tableName)
+  }
+}

package/build/stubs/migrations/create_oauth_authorization_codes_table.stub

@@ -0,0 +1,27 @@
+{{{
+  exports: { migration: "import { BaseSchema } from '@adonisjs/lucid/schema'" }
+}}}
+
+export default class extends BaseSchema {
+  protected tableName = 'oauth_authorization_codes'
+
+  async up() {
+    this.schema.createTable(this.tableName, (table) => {
+      table.uuid('id').primary()
+      table.string('code').notNullable().index()
+      table.string('client_id').notNullable().references('client_id').inTable('oauth_clients').onDelete('CASCADE')
+      table.string('user_id').notNullable()
+      table.json('scopes').notNullable()
+      table.text('redirect_uri').notNullable()
+      table.string('code_challenge').nullable()
+      table.string('code_challenge_method').nullable()
+      table.timestamp('expires_at').notNullable()
+      table.timestamp('created_at').notNullable()
+      table.timestamp('updated_at').notNullable()
+    })
+  }
+
+  async down() {
+    this.schema.dropTable(this.tableName)
+  }
+}

package/build/stubs/migrations/create_oauth_clients_table.stub

@@ -0,0 +1,31 @@
+{{{
+  exports: { migration: "import { BaseSchema } from '@adonisjs/lucid/schema'" }
+}}}
+
+export default class extends BaseSchema {
+  protected tableName = 'oauth_clients'
+
+  async up() {
+    this.schema.createTable(this.tableName, (table) => {
+      table.uuid('id').primary()
+      table.string('client_id').unique().notNullable()
+      table.text('client_secret').nullable()
+      table.string('name').notNullable()
+      table.json('redirect_uris').notNullable()
+      table.json('scopes').notNullable().defaultTo('[]')
+      table.json('grant_types').notNullable().defaultTo('[]')
+      table.boolean('is_public').notNullable().defaultTo(false)
+      table.boolean('is_disabled').notNullable().defaultTo(false)
+      table.boolean('require_pkce').notNullable().defaultTo(true)
+      table.string('type').nullable()
+      table.json('metadata').nullable()
+      table.string('user_id').nullable()
+      table.timestamp('created_at').notNullable()
+      table.timestamp('updated_at').notNullable()
+    })
+  }
+
+  async down() {
+    this.schema.dropTable(this.tableName)
+  }
+}

package/build/stubs/migrations/create_oauth_consents_table.stub

@@ -0,0 +1,24 @@
+{{{
+  exports: { migration: "import { BaseSchema } from '@adonisjs/lucid/schema'" }
+}}}
+
+export default class extends BaseSchema {
+  protected tableName = 'oauth_consents'
+
+  async up() {
+    this.schema.createTable(this.tableName, (table) => {
+      table.uuid('id').primary()
+      table.string('client_id').notNullable().references('client_id').inTable('oauth_clients').onDelete('CASCADE')
+      table.string('user_id').notNullable()
+      table.json('scopes').notNullable()
+      table.timestamp('created_at').notNullable()
+      table.timestamp('updated_at').notNullable()
+
+      table.unique(['client_id', 'user_id'])
+    })
+  }
+
+  async down() {
+    this.schema.dropTable(this.tableName)
+  }
+}

package/build/stubs/migrations/create_oauth_refresh_tokens_table.stub

@@ -0,0 +1,26 @@
+{{{
+  exports: { migration: "import { BaseSchema } from '@adonisjs/lucid/schema'" }
+}}}
+
+export default class extends BaseSchema {
+  protected tableName = 'oauth_refresh_tokens'
+
+  async up() {
+    this.schema.createTable(this.tableName, (table) => {
+      table.uuid('id').primary()
+      table.string('token').notNullable().index()
+      table.string('access_token_id').notNullable()
+      table.string('client_id').notNullable().references('client_id').inTable('oauth_clients').onDelete('CASCADE')
+      table.string('user_id').notNullable()
+      table.json('scopes').notNullable()
+      table.timestamp('expires_at').notNullable()
+      table.timestamp('revoked_at').nullable()
+      table.timestamp('created_at').notNullable()
+      table.timestamp('updated_at').notNullable()
+    })
+  }
+
+  async down() {
+    this.schema.dropTable(this.tableName)
+  }
+}

package/build/token_controller-C9wh813f.js

@@ -0,0 +1,172 @@
+import "./decorate-2_8Ex77k.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
+import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
+import { a as E_INVALID_REQUEST, i as E_INVALID_GRANT, l as E_UNSUPPORTED_GRANT_TYPE, n as E_INVALID_CLIENT, o as E_INVALID_SCOPE } from "./oauth_error-BQPqV-MV.js";
+import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
+import { t as TokenService } from "./token_service-Czz9v5GI.js";
+import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import { DateTime } from "luxon";
+import { createHash } from "node:crypto";
+import vine from "@vinejs/vine";
+const codeVerifierValidator = vine.create({ code_verifier: vine.string().minLength(43).maxLength(128).regex(/^[A-Za-z0-9\-._~]+$/) });
+async function handleAuthorizationCodeGrant(ctx, manager) {
+	const tokenService = new TokenService(manager);
+	const clientService = new ClientService();
+	const body = ctx.request.body();
+	const code = body.code;
+	const redirectUri = body.redirect_uri;
+	const codeVerifier = body.code_verifier;
+	if (!code) throw new E_INVALID_REQUEST("Missing required parameter: code");
+	if (!redirectUri) throw new E_INVALID_REQUEST("Missing required parameter: redirect_uri");
+	const credentials = clientService.extractCredentials({
+		authorizationHeader: ctx.request.header("authorization"),
+		bodyClientId: body.client_id,
+		bodyClientSecret: body.client_secret
+	});
+	if (!credentials) throw new E_INVALID_CLIENT("Missing client credentials");
+	const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
+	if (!client) throw new E_INVALID_CLIENT("Client not found");
+	if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
+	if (!client.isPublic) {
+		if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
+		if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
+	}
+	if (!client.grantTypes.includes("authorization_code")) throw new E_INVALID_CLIENT("Client is not allowed to use the authorization_code grant");
+	const hashedCode = tokenService.hashToken(code);
+	const authCode = await OAuthAuthorizationCode.query().where("code", hashedCode).where("clientId", client.clientId).first();
+	if (!authCode) throw new E_INVALID_GRANT("Authorization code not found");
+	if (authCode.expiresAt < DateTime.now()) {
+		await OAuthAuthorizationCode.query().where("id", authCode.id).delete();
+		throw new E_INVALID_GRANT("Authorization code has expired");
+	}
+	if (authCode.redirectUri !== redirectUri) throw new E_INVALID_GRANT("Redirect URI mismatch");
+	const deleteResult = await OAuthAuthorizationCode.query().where("id", authCode.id).delete();
+	if ((Array.isArray(deleteResult) ? Number(deleteResult[0] ?? 0) : Number(deleteResult)) !== 1) throw new E_INVALID_GRANT("Authorization code has already been consumed");
+	const [verifierError] = await codeVerifierValidator.tryValidate({ code_verifier: codeVerifier });
+	if (verifierError) throw new E_INVALID_REQUEST("code_verifier must be 43-128 characters using only [A-Za-z0-9-._~] (RFC 7636 §4.1)");
+	if (!authCode.codeChallenge) throw new E_INVALID_GRANT("Authorization code is missing PKCE challenge");
+	if (createHash("sha256").update(codeVerifier).digest("base64url") !== authCode.codeChallenge) throw new E_INVALID_GRANT("PKCE verification failed");
+	clientService.validateClientScopes(authCode.scopes, client.scopes);
+	const { raw: accessTokenRaw, hash: tokenHash, expiresAt } = tokenService.createAccessToken();
+	await OAuthAccessToken.create({
+		id: crypto.randomUUID(),
+		tokenHash,
+		clientId: client.clientId,
+		userId: authCode.userId,
+		scopes: authCode.scopes,
+		expiresAt: DateTime.fromJSDate(expiresAt)
+	});
+	let refreshTokenRaw;
+	if (authCode.scopes.includes("offline_access")) {
+		const { raw, hash } = tokenService.createRefreshToken();
+		const refreshTtl = manager.parseTtl(manager.config.refreshTokenTtl);
+		await OAuthRefreshToken.create({
+			id: crypto.randomUUID(),
+			token: hash,
+			accessTokenId: tokenHash,
+			clientId: client.clientId,
+			userId: authCode.userId,
+			scopes: authCode.scopes,
+			expiresAt: DateTime.now().plus({ seconds: refreshTtl })
+		});
+		refreshTokenRaw = raw;
+	}
+	return {
+		access_token: accessTokenRaw,
+		token_type: "Bearer",
+		expires_in: manager.parseTtl(manager.config.accessTokenTtl),
+		scope: authCode.scopes.join(" "),
+		...refreshTokenRaw ? { refresh_token: refreshTokenRaw } : {}
+	};
+}
+async function handleRefreshTokenGrant(ctx, manager) {
+	const tokenService = new TokenService(manager);
+	const clientService = new ClientService();
+	const body = ctx.request.body();
+	const refreshTokenRaw = body.refresh_token;
+	if (!refreshTokenRaw) throw new E_INVALID_REQUEST("Missing required parameter: refresh_token");
+	const credentials = clientService.extractCredentials({
+		authorizationHeader: ctx.request.header("authorization"),
+		bodyClientId: body.client_id,
+		bodyClientSecret: body.client_secret
+	});
+	if (!credentials) throw new E_INVALID_CLIENT("Missing client credentials");
+	const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
+	if (!client) throw new E_INVALID_CLIENT("Client not found");
+	if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
+	if (!client.isPublic) {
+		if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
+		if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
+	}
+	if (!client.grantTypes.includes("refresh_token")) throw new E_INVALID_CLIENT("Client is not allowed to use the refresh_token grant");
+	const hashedToken = tokenService.hashToken(refreshTokenRaw);
+	const refreshToken = await OAuthRefreshToken.query().where("token", hashedToken).where("clientId", client.clientId).first();
+	if (!refreshToken) throw new E_INVALID_GRANT("Refresh token not found");
+	if (refreshToken.revokedAt) {
+		await OAuthRefreshToken.query().where("clientId", client.clientId).where("userId", refreshToken.userId).delete();
+		await OAuthAccessToken.query().where("clientId", client.clientId).where("userId", refreshToken.userId).whereNull("revokedAt").update({ revokedAt: DateTime.now().toSQL() });
+		throw new E_INVALID_GRANT("Refresh token has been revoked (possible replay attack)");
+	}
+	if (refreshToken.expiresAt < DateTime.now()) throw new E_INVALID_GRANT("Refresh token has expired");
+	const requestedScope = body.scope;
+	let scopes = refreshToken.scopes;
+	if (requestedScope) {
+		const requested = requestedScope.split(" ");
+		const originalSet = new Set(refreshToken.scopes);
+		const invalid = requested.filter((s) => !originalSet.has(s));
+		if (invalid.length > 0) throw new E_INVALID_SCOPE(`Scope not in original grant: ${invalid.join(", ")}`);
+		scopes = requested;
+	}
+	clientService.validateClientScopes(scopes, client.scopes);
+	const revokedAt = DateTime.now();
+	const updateResult = await OAuthRefreshToken.query().where("id", refreshToken.id).whereNull("revokedAt").update({ revokedAt: revokedAt.toSQL() });
+	if ((Array.isArray(updateResult) ? Number(updateResult[0] ?? 0) : Number(updateResult)) !== 1) throw new E_INVALID_GRANT("Refresh token has already been consumed");
+	await OAuthAccessToken.query().where("tokenHash", refreshToken.accessTokenId).whereNull("revokedAt").update({ revokedAt: revokedAt.toSQL() });
+	const { raw: accessTokenRaw, hash: tokenHash, expiresAt } = tokenService.createAccessToken();
+	await OAuthAccessToken.create({
+		id: crypto.randomUUID(),
+		tokenHash,
+		clientId: client.clientId,
+		userId: refreshToken.userId,
+		scopes,
+		expiresAt: DateTime.fromJSDate(expiresAt)
+	});
+	const { raw: newRefreshTokenRaw, hash: newRefreshTokenHash } = tokenService.createRefreshToken();
+	const refreshTtl = manager.parseTtl(manager.config.refreshTokenTtl);
+	await OAuthRefreshToken.create({
+		id: crypto.randomUUID(),
+		token: newRefreshTokenHash,
+		accessTokenId: tokenHash,
+		clientId: client.clientId,
+		userId: refreshToken.userId,
+		scopes,
+		expiresAt: DateTime.now().plus({ seconds: refreshTtl })
+	});
+	return {
+		access_token: accessTokenRaw,
+		token_type: "Bearer",
+		expires_in: manager.parseTtl(manager.config.accessTokenTtl),
+		scope: scopes.join(" "),
+		refresh_token: newRefreshTokenRaw
+	};
+}
+const grantHandlers = {
+	authorization_code: handleAuthorizationCodeGrant,
+	refresh_token: handleRefreshTokenGrant
+};
+var TokenController = class TokenController {
+	static validator = vine.create({ grant_type: vine.string() });
+	async handle(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		const [error, body] = await TokenController.validator.tryValidate(ctx.request.body());
+		if (error) throw new E_UNSUPPORTED_GRANT_TYPE("Missing required parameter: grant_type");
+		if (!manager.isGrantTypeEnabled(body.grant_type)) throw new E_UNSUPPORTED_GRANT_TYPE(`Grant type "${body.grant_type}" is not enabled`);
+		const handler = grantHandlers[body.grant_type];
+		if (!handler) throw new E_UNSUPPORTED_GRANT_TYPE(`Unsupported grant type: ${body.grant_type}`);
+		const result = await handler(ctx, manager);
+		ctx.response.header("Cache-Control", "no-store");
+		ctx.response.header("Pragma", "no-cache");
+		return result;
+	}
+};
+export { TokenController as default };

package/build/token_service-Czz9v5GI.js

@@ -0,0 +1,30 @@
+import { createHash, randomBytes } from "node:crypto";
+var TokenService = class {
+	#manager;
+	constructor(manager) {
+		this.#manager = manager;
+	}
+	createAccessToken() {
+		const raw = this.generateOpaqueToken();
+		const ttlSeconds = this.#manager.parseTtl(this.#manager.config.accessTokenTtl);
+		return {
+			raw,
+			hash: this.hashToken(raw),
+			expiresAt: new Date(Date.now() + ttlSeconds * 1e3)
+		};
+	}
+	createRefreshToken() {
+		const raw = this.generateOpaqueToken();
+		return {
+			raw,
+			hash: this.hashToken(raw)
+		};
+	}
+	generateOpaqueToken() {
+		return randomBytes(32).toString("base64url");
+	}
+	hashToken(token) {
+		return createHash("sha256").update(token).digest("base64url");
+	}
+};
+export { TokenService as t };

package/build/user_provider-B3rXEUT3.js

@@ -0,0 +1,150 @@
+import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
+import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
+import { t as TokenService } from "./token_service-Czz9v5GI.js";
+import { DateTime } from "luxon";
+import { RuntimeException } from "@adonisjs/core/exceptions";
+import { errors } from "@adonisjs/auth";
+var OAuthGuard = class {
+	driverName = "oauth";
+	authenticationAttempted = false;
+	isAuthenticated = false;
+	user;
+	scopes = [];
+	clientId;
+	#name;
+	#ctx;
+	#emitter;
+	#userProvider;
+	#manager;
+	#resource;
+	constructor(name, ctx, emitter, userProvider, manager, resource) {
+		this.#name = name;
+		this.#ctx = ctx;
+		this.#emitter = emitter;
+		this.#userProvider = userProvider;
+		this.#manager = manager;
+		this.#resource = resource;
+	}
+	#extractBearerToken() {
+		const [type, token] = (this.#ctx.request.header("authorization") ?? "").split(" ");
+		if (!type || type.toLowerCase() !== "bearer" || !token) throw this.#authenticationFailed("Missing Bearer token");
+		return token;
+	}
+	#authenticationFailed(description, options) {
+		const suffix = this.#resource ?? "";
+		let header = `Bearer resource_metadata="${`${this.#manager.config.issuer}/.well-known/oauth-protected-resource${suffix}`}"`;
+		if (options?.includeError) header += `, error="invalid_token", error_description="${description}"`;
+		this.#ctx.response.header("WWW-Authenticate", header);
+		const error = new errors.E_UNAUTHORIZED_ACCESS(description, { guardDriverName: this.driverName });
+		this.#emitter.emit("oauth_auth:authentication_failed", {
+			ctx: this.#ctx,
+			guardName: this.#name,
+			error
+		});
+		return error;
+	}
+	getUserOrFail() {
+		if (!this.user) throw new errors.E_UNAUTHORIZED_ACCESS("Unauthorized access", { guardDriverName: this.driverName });
+		return this.user;
+	}
+	async authenticate() {
+		if (this.authenticationAttempted) return this.getUserOrFail();
+		this.authenticationAttempted = true;
+		this.#emitter.emit("oauth_auth:authentication_attempted", {
+			ctx: this.#ctx,
+			guardName: this.#name
+		});
+		const rawToken = this.#extractBearerToken();
+		const tokenService = new TokenService(this.#manager);
+		const includeError = { includeError: true };
+		const hashed = tokenService.hashToken(rawToken);
+		const record = await OAuthAccessToken.query().where("tokenHash", hashed).first();
+		if (!record) throw this.#authenticationFailed("Invalid or expired token", includeError);
+		if (record.revokedAt) throw this.#authenticationFailed("Token has been revoked", includeError);
+		if (record.expiresAt.toJSDate() < /* @__PURE__ */ new Date()) throw this.#authenticationFailed("Invalid or expired token", includeError);
+		if (!record.userId) throw this.#authenticationFailed("M2M tokens are not supported", includeError);
+		const providerUser = await this.#userProvider.findById(record.userId);
+		if (!providerUser) throw this.#authenticationFailed("User not found", includeError);
+		this.isAuthenticated = true;
+		this.user = providerUser.getOriginal();
+		this.scopes = record.scopes;
+		this.clientId = record.clientId;
+		this.#emitter.emit("oauth_auth:authentication_succeeded", {
+			ctx: this.#ctx,
+			guardName: this.#name,
+			user: this.user
+		});
+		return this.user;
+	}
+	async check() {
+		try {
+			await this.authenticate();
+			return true;
+		} catch (error) {
+			if (error instanceof errors.E_UNAUTHORIZED_ACCESS) return false;
+			throw error;
+		}
+	}
+	hasScope(...scopes) {
+		return scopes.every((s) => this.scopes.includes(s));
+	}
+	hasAnyScope(...scopes) {
+		return scopes.some((s) => this.scopes.includes(s));
+	}
+	async authenticateAsClient(user) {
+		const tokenService = new TokenService(this.#manager);
+		const defaultScopes = this.#manager.config.defaultScopes;
+		const testClient = await OAuthClient.firstOrCreate({ clientId: "__test_client__" }, {
+			id: crypto.randomUUID(),
+			clientId: "__test_client__",
+			name: "Test Client",
+			redirectUris: ["http://localhost/callback"],
+			grantTypes: ["authorization_code"],
+			scopes: defaultScopes,
+			isPublic: true,
+			requirePkce: false
+		});
+		const userId = String(user.id ?? user.getId?.() ?? "test-user");
+		const { raw, hash, expiresAt } = tokenService.createAccessToken();
+		await OAuthAccessToken.create({
+			id: crypto.randomUUID(),
+			tokenHash: hash,
+			clientId: testClient.clientId,
+			userId,
+			scopes: defaultScopes,
+			expiresAt: DateTime.fromJSDate(expiresAt)
+		});
+		return { headers: { authorization: `Bearer ${raw}` } };
+	}
+};
+var OAuthLucidUserProvider = class {
+	#model;
+	#options;
+	constructor(options) {
+		this.#options = options;
+	}
+	async #getModel() {
+		if (this.#model && !("hot" in import.meta)) return this.#model;
+		this.#model = (await this.#options.model()).default;
+		return this.#model;
+	}
+	async createUserForGuard(user) {
+		const model = await this.#getModel();
+		if (user instanceof model === false) throw new RuntimeException(`Invalid user object. It must be an instance of the "${model.name}" model`);
+		return {
+			getId() {
+				if (!user.$primaryKeyValue) throw new RuntimeException(`Cannot use "${model.name}" model for authentication. The value of column "${model.primaryKey}" is undefined or null`);
+				return user.$primaryKeyValue;
+			},
+			getOriginal() {
+				return user;
+			}
+		};
+	}
+	async findById(identifier) {
+		const user = await (await this.#getModel()).find(identifier);
+		if (!user) return null;
+		return this.createUserForGuard(user);
+	}
+};
+export { OAuthGuard as n, OAuthLucidUserProvider as t };