@julr/sesame 0.1.0 → 0.2.0

package/build/{authorize_controller-CUdEDNEi.js → authorize_controller-D3Kau97j.js}

@@ -1,10 +1,10 @@
-import "./decorate-2_8Ex77k.js";
-import "./oauth_access_token-BpG8sq-c.js";
-import { i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { a as E_INVALID_REQUEST, n as E_INVALID_CLIENT, u as E_UNSUPPORTED_RESPONSE_TYPE } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as TokenService } from "./token_service-Czz9v5GI.js";
-import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import "./decorate-BKZEjPRg.js";
+import "./oauth_access_token-bsoM5KeU.js";
+import { a as OAuthAuthorizationCode, i as OAuthConsent, r as OAuthPendingAuthorizationRequest, t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
+import { a as E_INVALID_REQUEST, n as E_INVALID_CLIENT, u as E_UNSUPPORTED_RESPONSE_TYPE } from "./oauth_error-BOn0846g.js";
+import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
+import { t as TokenService } from "./token_service-BLKxKIHI.js";
+import { t as ClientService } from "./client_service-DrkqOh37.js";
 import { DateTime } from "luxon";
 import vine from "@vinejs/vine";
 var AuthorizeController = class AuthorizeController {
@@ -17,11 +17,6 @@ var AuthorizeController = class AuthorizeController {
 		code_challenge: vine.string().optional(),
 		code_challenge_method: vine.string().optional()
 	});
-	#getAuthorizationSession(ctx) {
-		const session = ctx.session;
-		if (!session || typeof session.put !== "function") throw new E_INVALID_REQUEST("Session middleware is required for the browser authorization flow");
-		return session;
-	}
 	#redirectWithError(ctx, manager, redirectUri, error, description, state) {
 		const url = new URL(redirectUri);
 		url.searchParams.set("error", error);
@@ -30,17 +25,21 @@ var AuthorizeController = class AuthorizeController {
 		url.searchParams.set("iss", manager.config.issuer);
 		return ctx.response.redirect().toPath(url.toString());
 	}
-	#buildAuthorizationRequestParams(ctx, manager, options) {
-		const rawRequestToken = new TokenService(manager).generateOpaqueToken();
-		const session = this.#getAuthorizationSession(ctx);
-		session.put("sesame.authToken", rawRequestToken);
-		session.put("sesame.authRequest", {
+	async #buildAuthorizationRequestParams(manager, options) {
+		const tokenService = new TokenService(manager);
+		const rawRequestToken = tokenService.generateOpaqueToken();
+		const ttl = manager.parseTtl(manager.config.authorizationRequestTtl);
+		await OAuthPendingAuthorizationRequest.create({
+			id: crypto.randomUUID(),
+			token: tokenService.hashToken(rawRequestToken),
+			userId: options.userId,
 			clientId: options.clientId,
 			redirectUri: options.redirectUri,
 			scopes: options.scopes,
 			state: options.state ?? null,
 			codeChallenge: options.codeChallenge ?? null,
-			codeChallengeMethod: options.codeChallengeMethod ?? null
+			codeChallengeMethod: options.codeChallengeMethod ?? null,
+			expiresAt: DateTime.now().plus({ seconds: ttl })
 		});
 		const params = new URLSearchParams();
 		params.set("auth_token", rawRequestToken);
@@ -120,7 +119,8 @@ var AuthorizeController = class AuthorizeController {
 				state: query.state
 			});
 		}
-		const params = this.#buildAuthorizationRequestParams(ctx, manager, {
+		const params = await this.#buildAuthorizationRequestParams(manager, {
+			userId: String(user.id),
 			clientId: client.clientId,
 			redirectUri: query.redirect_uri,
 			scopes: requestedScopes,

package/build/{client_info_controller-DeIVcW8B.js → client_info_controller-CSipLLoV.js}

@@ -1,6 +1,6 @@
-import "./decorate-2_8Ex77k.js";
-import { a as E_INVALID_REQUEST, n as E_INVALID_CLIENT } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
+import "./decorate-BKZEjPRg.js";
+import { a as E_INVALID_REQUEST, n as E_INVALID_CLIENT } from "./oauth_error-BOn0846g.js";
+import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
 import vine from "@vinejs/vine";
 var ClientInfoController = class ClientInfoController {
 	static validator = vine.create({ client_id: vine.string() });

package/build/{client_service-B9fD3ZGe.js → client_service-DrkqOh37.js}

@@ -1,4 +1,4 @@
-import { o as E_INVALID_SCOPE } from "./oauth_error-BQPqV-MV.js";
+import { o as E_INVALID_SCOPE } from "./oauth_error-BOn0846g.js";
 import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
 var ClientService = class {
 	parseBasicAuth(header) {

package/build/commands/sesame_purge.js

@@ -1,6 +1,6 @@
-import { t as __decorate } from "../decorate-2_8Ex77k.js";
-import "../oauth_access_token-BpG8sq-c.js";
-import { t as SesameManager } from "../sesame_manager-B4tO2PLO.js";
+import { t as __decorate } from "../decorate-BKZEjPRg.js";
+import "../oauth_access_token-bsoM5KeU.js";
+import { t as SesameManager } from "../sesame_manager-CA7dOGwg.js";
 import { BaseCommand, flags } from "@adonisjs/core/ace";
 var SesamePurge = class extends BaseCommand {
 	static commandName = "sesame:purge";

package/build/configure.js

@@ -1,13 +1,15 @@
-import { t as stubsRoot } from "./main-kn40V-hF.js";
+import { join } from "node:path";
 async function configure(command) {
 	const codemods = await command.createCodemods();
+	const stubsRoot = join(import.meta.url, "./stubs");
 	await codemods.makeUsingStub(stubsRoot, "config/sesame.stub", {});
 	for (const stub of [
 		"migrations/create_oauth_clients_table.stub",
 		"migrations/create_oauth_authorization_codes_table.stub",
 		"migrations/create_oauth_access_tokens_table.stub",
 		"migrations/create_oauth_refresh_tokens_table.stub",
-		"migrations/create_oauth_consents_table.stub"
+		"migrations/create_oauth_consents_table.stub",
+		"migrations/create_oauth_pending_authorization_requests_table.stub"
 	]) await codemods.makeUsingStub(stubsRoot, stub, {});
 	await codemods.updateRcFile((rcFile) => {
 		rcFile.addProvider("@julr/sesame/sesame_provider").addCommand("@julr/sesame/commands");

package/build/{consent_controller-DFfx7qVs.js → consent_controller-DXayMjAi.js}

@@ -1,17 +1,19 @@
-import "./decorate-2_8Ex77k.js";
-import "./oauth_access_token-BpG8sq-c.js";
-import { i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { a as E_INVALID_REQUEST, i as E_INVALID_GRANT, n as E_INVALID_CLIENT } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as TokenService } from "./token_service-Czz9v5GI.js";
+import "./decorate-BKZEjPRg.js";
+import "./oauth_access_token-bsoM5KeU.js";
+import { a as OAuthAuthorizationCode, i as OAuthConsent, r as OAuthPendingAuthorizationRequest, t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
+import { a as E_INVALID_REQUEST, i as E_INVALID_GRANT, n as E_INVALID_CLIENT } from "./oauth_error-BOn0846g.js";
+import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
+import { t as TokenService } from "./token_service-BLKxKIHI.js";
 import { DateTime } from "luxon";
 import vine from "@vinejs/vine";
 var ConsentController = class ConsentController {
 	static validator = vine.create({ auth_token: vine.string() });
-	#getAuthorizationSession(ctx) {
-		const session = ctx.session;
-		if (!session || typeof session.pull !== "function") throw new E_INVALID_REQUEST("Session middleware is required for the browser authorization flow");
-		return session;
+	async #consumePendingRequest(hashedToken, userId) {
+		const row = await OAuthPendingAuthorizationRequest.query().where("token", hashedToken).where("userId", userId).where("expiresAt", ">", DateTime.now().toSQL()).first();
+		if (!row) return null;
+		const deleted = await OAuthPendingAuthorizationRequest.query().where("id", row.id).delete();
+		if ((Array.isArray(deleted) ? Number(deleted[0]) : Number(deleted)) === 0) return null;
+		return row;
 	}
 	async #issueAuthorizationCode(ctx, manager, options) {
 		const tokenService = new TokenService(manager);
@@ -37,50 +39,45 @@ var ConsentController = class ConsentController {
 	}
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
-		const session = this.#getAuthorizationSession(ctx);
 		await ctx.auth.check();
 		const user = ctx.auth.user;
 		if (!user) throw new E_INVALID_REQUEST("User must be authenticated");
 		const [error, body] = await ConsentController.validator.tryValidate(ctx.request.body());
 		if (error) throw new E_INVALID_REQUEST("Missing required parameter: auth_token");
 		const accept = ctx.request.body().accept;
-		const expectedAuthToken = session.pull("sesame.authToken");
-		const authorizationRequest = session.pull("sesame.authRequest");
-		if (!expectedAuthToken || expectedAuthToken !== body.auth_token) {
-			session.forget(["sesame.authToken", "sesame.authRequest"]);
-			throw new E_INVALID_GRANT("Authorization request token mismatch");
-		}
-		if (!authorizationRequest) throw new E_INVALID_GRANT("Authorization request not found");
-		const client = await OAuthClient.query().where("clientId", authorizationRequest.clientId).first();
+		const hashedToken = new TokenService(manager).hashToken(body.auth_token);
+		const pendingRequest = await this.#consumePendingRequest(hashedToken, String(user.id));
+		if (!pendingRequest) throw new E_INVALID_GRANT("Authorization request not found or expired");
+		const client = await OAuthClient.query().where("clientId", pendingRequest.clientId).first();
 		if (!client) throw new E_INVALID_CLIENT("Client not found");
 		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-		if (!client.redirectUris.includes(authorizationRequest.redirectUri)) throw new E_INVALID_REQUEST("Invalid redirect_uri");
+		if (!client.redirectUris.includes(pendingRequest.redirectUri)) throw new E_INVALID_REQUEST("Invalid redirect_uri");
 		if (!accept) {
-			const url = new URL(authorizationRequest.redirectUri);
+			const url = new URL(pendingRequest.redirectUri);
 			url.searchParams.set("error", "access_denied");
 			url.searchParams.set("error_description", "The user denied the authorization request");
-			if (authorizationRequest.state) url.searchParams.set("state", authorizationRequest.state);
+			if (pendingRequest.state) url.searchParams.set("state", pendingRequest.state);
 			url.searchParams.set("iss", manager.config.issuer);
 			return ctx.response.redirect().toPath(url.toString());
 		}
 		const existingConsent = await OAuthConsent.query().where("clientId", client.clientId).where("userId", String(user.id)).first();
 		if (existingConsent) {
-			existingConsent.scopes = [...new Set([...existingConsent.scopes, ...authorizationRequest.scopes])];
+			existingConsent.scopes = [...new Set([...existingConsent.scopes, ...pendingRequest.scopes])];
 			await existingConsent.save();
 		} else await OAuthConsent.create({
 			id: crypto.randomUUID(),
 			clientId: client.clientId,
 			userId: String(user.id),
-			scopes: authorizationRequest.scopes
+			scopes: pendingRequest.scopes
 		});
 		return this.#issueAuthorizationCode(ctx, manager, {
 			client,
 			userId: String(user.id),
-			scopes: authorizationRequest.scopes,
-			redirectUri: authorizationRequest.redirectUri,
-			codeChallenge: authorizationRequest.codeChallenge ?? void 0,
-			codeChallengeMethod: authorizationRequest.codeChallengeMethod ?? void 0,
-			state: authorizationRequest.state ?? void 0
+			scopes: pendingRequest.scopes,
+			redirectUri: pendingRequest.redirectUri,
+			codeChallenge: pendingRequest.codeChallenge ?? void 0,
+			codeChallengeMethod: pendingRequest.codeChallengeMethod ?? void 0,
+			state: pendingRequest.state ?? void 0
 		});
 	}
 };

package/build/index.d.ts

@@ -1,5 +1,4 @@
 export { configure } from './configure.ts';
-export { stubsRoot } from './stubs/main.ts';
 export { defineConfig } from './src/define_config.ts';
 export { SesameManager } from './src/sesame_manager.ts';
 export { OAuthError, E_INVALID_REQUEST, E_INVALID_CLIENT, E_INVALID_GRANT, E_INVALID_SCOPE, E_INVALID_TOKEN, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, E_ACCESS_DENIED, E_INVALID_CLIENT_METADATA, E_SERVER_ERROR, } from './src/oauth_error.ts';

package/build/index.js

@@ -1,14 +1,13 @@
-import { t as stubsRoot } from "./main-kn40V-hF.js";
 import { configure } from "./configure.js";
-import "./decorate-2_8Ex77k.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { a as E_INVALID_REQUEST, c as E_SERVER_ERROR, d as OAuthError, i as E_INVALID_GRANT, l as E_UNSUPPORTED_GRANT_TYPE, n as E_INVALID_CLIENT, o as E_INVALID_SCOPE, r as E_INVALID_CLIENT_METADATA, s as E_INVALID_TOKEN, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_RESPONSE_TYPE } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import "./token_service-Czz9v5GI.js";
-import { n as OAuthGuard, t as OAuthLucidUserProvider } from "./user_provider-B3rXEUT3.js";
+import "./decorate-BKZEjPRg.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
+import { a as OAuthAuthorizationCode, i as OAuthConsent, o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
+import { a as E_INVALID_REQUEST, c as E_SERVER_ERROR, d as OAuthError, i as E_INVALID_GRANT, l as E_UNSUPPORTED_GRANT_TYPE, n as E_INVALID_CLIENT, o as E_INVALID_SCOPE, r as E_INVALID_CLIENT_METADATA, s as E_INVALID_TOKEN, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_RESPONSE_TYPE } from "./oauth_error-BOn0846g.js";
+import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
+import "./token_service-BLKxKIHI.js";
+import { n as OAuthGuard, t as OAuthLucidUserProvider } from "./user_provider-CQczt8_g.js";
 import { oauthGuard, oauthUserProvider } from "./src/guard/main.js";
-import { n as registerRoutes, t as registerProtectedResource } from "./routes-D6QCu0Pz.js";
+import { n as registerRoutes, t as registerProtectedResource } from "./routes-qYJLHjeB.js";
 function defineConfig(config) {
 	return {
 		issuer: config.issuer,
@@ -18,10 +17,11 @@ function defineConfig(config) {
 		accessTokenTtl: config.accessTokenTtl ?? "1h",
 		refreshTokenTtl: config.refreshTokenTtl ?? "30d",
 		authorizationCodeTtl: config.authorizationCodeTtl ?? "10m",
+		authorizationRequestTtl: config.authorizationRequestTtl ?? config.authorizationCodeTtl ?? "10m",
 		loginPage: config.loginPage,
 		consentPage: config.consentPage,
 		allowDynamicRegistration: config.allowDynamicRegistration ?? false,
 		allowPublicRegistration: config.allowPublicRegistration ?? false
 	};
 }
-export { E_ACCESS_DENIED, E_INVALID_CLIENT, E_INVALID_CLIENT_METADATA, E_INVALID_GRANT, E_INVALID_REQUEST, E_INVALID_SCOPE, E_INVALID_TOKEN, E_SERVER_ERROR, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, OAuthAccessToken, OAuthAuthorizationCode, OAuthClient, OAuthConsent, OAuthError, OAuthGuard, OAuthLucidUserProvider, OAuthRefreshToken, SesameManager, configure, defineConfig, oauthGuard, oauthUserProvider, registerProtectedResource, registerRoutes, stubsRoot };
+export { E_ACCESS_DENIED, E_INVALID_CLIENT, E_INVALID_CLIENT_METADATA, E_INVALID_GRANT, E_INVALID_REQUEST, E_INVALID_SCOPE, E_INVALID_TOKEN, E_SERVER_ERROR, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, OAuthAccessToken, OAuthAuthorizationCode, OAuthClient, OAuthConsent, OAuthError, OAuthGuard, OAuthLucidUserProvider, OAuthRefreshToken, SesameManager, configure, defineConfig, oauthGuard, oauthUserProvider, registerProtectedResource, registerRoutes };

package/build/{introspect_controller-BzwfaUUE.js → introspect_controller-lK9gL03t.js}

@@ -1,10 +1,10 @@
-import "./decorate-2_8Ex77k.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { n as E_INVALID_CLIENT } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as TokenService } from "./token_service-Czz9v5GI.js";
-import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import "./decorate-BKZEjPRg.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
+import { o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
+import { n as E_INVALID_CLIENT } from "./oauth_error-BOn0846g.js";
+import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
+import { t as TokenService } from "./token_service-BLKxKIHI.js";
+import { t as ClientService } from "./client_service-DrkqOh37.js";
 const INACTIVE = { active: false };
 var IntrospectController = class {
 	async handle(ctx) {

package/build/{metadata_controller-BSRRElQX.js → metadata_controller-DMAahJkn.js}

@@ -1,6 +1,6 @@
-import "./decorate-2_8Ex77k.js";
-import "./oauth_access_token-BpG8sq-c.js";
-import { t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
+import "./decorate-BKZEjPRg.js";
+import "./oauth_access_token-bsoM5KeU.js";
+import { t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
 var MetadataController = class {
 	async authServer(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);

package/build/{oauth_access_token-BpG8sq-c.js → oauth_access_token-bsoM5KeU.js}

@@ -1,4 +1,4 @@
-import { n as json, t as __decorate } from "./decorate-2_8Ex77k.js";
+import { n as json, t as __decorate } from "./decorate-BKZEjPRg.js";
 import { BaseModel, column } from "@adonisjs/lucid/orm";
 var OAuthAccessToken = class extends BaseModel {
 	static table = "oauth_access_tokens";

package/build/{oauth_client-eh0e5ql-.js → oauth_client-Cpppi0_7.js}

@@ -1,4 +1,4 @@
-import { n as json, t as __decorate } from "./decorate-2_8Ex77k.js";
+import { n as json, t as __decorate } from "./decorate-BKZEjPRg.js";
 import { BaseModel, column } from "@adonisjs/lucid/orm";
 var OAuthClient = class extends BaseModel {
 	static table = "oauth_clients";

package/build/providers/sesame_provider.js

@@ -1,6 +1,6 @@
-import "../decorate-2_8Ex77k.js";
-import "../oauth_access_token-BpG8sq-c.js";
-import { t as SesameManager } from "../sesame_manager-B4tO2PLO.js";
+import "../decorate-BKZEjPRg.js";
+import "../oauth_access_token-bsoM5KeU.js";
+import { t as SesameManager } from "../sesame_manager-CA7dOGwg.js";
 var SesameProvider = class {
 	constructor(app) {
 		this.app = app;
@@ -12,7 +12,7 @@ var SesameProvider = class {
 	}
 	async boot() {
 		const router = await this.app.container.make("router");
-		const { registerRoutes } = await import("../routes-D6QCu0Pz.js").then((n) => n.r);
+		const { registerRoutes } = await import("../routes-qYJLHjeB.js").then((n) => n.r);
 		registerRoutes(router);
 	}
 };

package/build/{register_controller-BA7uQAgt.js → register_controller-B0saLAuc.js}

@@ -1,9 +1,9 @@
-import "./decorate-2_8Ex77k.js";
-import "./oauth_access_token-BpG8sq-c.js";
-import { t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { a as E_INVALID_REQUEST, o as E_INVALID_SCOPE, r as E_INVALID_CLIENT_METADATA, t as E_ACCESS_DENIED } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import "./decorate-BKZEjPRg.js";
+import "./oauth_access_token-bsoM5KeU.js";
+import { t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
+import { a as E_INVALID_REQUEST, o as E_INVALID_SCOPE, r as E_INVALID_CLIENT_METADATA, t as E_ACCESS_DENIED } from "./oauth_error-BOn0846g.js";
+import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
+import { t as ClientService } from "./client_service-DrkqOh37.js";
 import vine from "@vinejs/vine";
 const DANGEROUS_SCHEMES = [
 	"javascript:",

package/build/{revoke_controller-CNIgNKH3.js → revoke_controller-D0nl2hS5.js}

@@ -1,10 +1,10 @@
-import "./decorate-2_8Ex77k.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { n as E_INVALID_CLIENT } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as TokenService } from "./token_service-Czz9v5GI.js";
-import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import "./decorate-BKZEjPRg.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
+import { o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
+import { n as E_INVALID_CLIENT } from "./oauth_error-BOn0846g.js";
+import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
+import { t as TokenService } from "./token_service-BLKxKIHI.js";
+import { t as ClientService } from "./client_service-DrkqOh37.js";
 import { DateTime } from "luxon";
 var RevokeController = class {
 	async handle(ctx) {

package/build/{routes-D6QCu0Pz.js → routes-qYJLHjeB.js}

@@ -4,14 +4,14 @@ var routes_exports = /* @__PURE__ */ __exportAll({
 	registerRoutes: () => registerRoutes
 });
 const controllers = {
-	token: () => import("./token_controller-C9wh813f.js"),
-	authorize: () => import("./authorize_controller-CUdEDNEi.js"),
-	consent: () => import("./consent_controller-DFfx7qVs.js"),
-	introspect: () => import("./introspect_controller-BzwfaUUE.js"),
-	revoke: () => import("./revoke_controller-CNIgNKH3.js"),
-	register: () => import("./register_controller-BA7uQAgt.js"),
-	metadata: () => import("./metadata_controller-BSRRElQX.js"),
-	clientInfo: () => import("./client_info_controller-DeIVcW8B.js")
+	token: () => import("./token_controller-CDFuzY6S.js"),
+	authorize: () => import("./authorize_controller-D3Kau97j.js"),
+	consent: () => import("./consent_controller-DXayMjAi.js"),
+	introspect: () => import("./introspect_controller-lK9gL03t.js"),
+	revoke: () => import("./revoke_controller-D0nl2hS5.js"),
+	register: () => import("./register_controller-B0saLAuc.js"),
+	metadata: () => import("./metadata_controller-DMAahJkn.js"),
+	clientInfo: () => import("./client_info_controller-CSipLLoV.js")
 };
 function registerRoutes(router) {
 	router.post("/oauth/token", [controllers.token]).as("sesame.token");
@@ -28,7 +28,7 @@ function registerRoutes(router) {
 function registerProtectedResource(router, options) {
 	const wellKnownPath = `/.well-known/oauth-protected-resource${options.resource}`;
 	router.get(wellKnownPath, async (ctx) => {
-		const { SesameManager } = await import("./sesame_manager-B4tO2PLO.js").then((n) => n.n);
+		const { SesameManager } = await import("./sesame_manager-CA7dOGwg.js").then((n) => n.n);
 		const manager = await ctx.containerResolver.make(SesameManager);
 		const issuer = manager.config.issuer;
 		ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");

package/build/{sesame_manager-B4tO2PLO.js → sesame_manager-CA7dOGwg.js}

@@ -1,6 +1,6 @@
 import { t as __exportAll } from "./rolldown-runtime-BASaM9lw.js";
-import { n as json, t as __decorate } from "./decorate-2_8Ex77k.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
+import { n as json, t as __decorate } from "./decorate-BKZEjPRg.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { DateTime } from "luxon";
 import { BaseModel, column } from "@adonisjs/lucid/orm";
 var OAuthRefreshToken = class extends BaseModel {
@@ -48,6 +48,20 @@ __decorate([column.dateTime({
 	autoCreate: true,
 	autoUpdate: true
 })], OAuthConsent.prototype, "updatedAt", void 0);
+var OAuthPendingAuthorizationRequest = class extends BaseModel {
+	static table = "oauth_pending_authorization_requests";
+};
+__decorate([column({ isPrimary: true })], OAuthPendingAuthorizationRequest.prototype, "id", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "token", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "userId", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "clientId", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "redirectUri", void 0);
+__decorate([json()], OAuthPendingAuthorizationRequest.prototype, "scopes", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "state", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "codeChallenge", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "codeChallengeMethod", void 0);
+__decorate([column.dateTime()], OAuthPendingAuthorizationRequest.prototype, "expiresAt", void 0);
+__decorate([column.dateTime({ autoCreate: true })], OAuthPendingAuthorizationRequest.prototype, "createdAt", void 0);
 var sesame_manager_exports = /* @__PURE__ */ __exportAll({ SesameManager: () => SesameManager });
 var SesameManager = class {
 	#config;
@@ -72,6 +86,7 @@ var SesameManager = class {
 		await OAuthAccessToken.query().where("userId", userId).whereNull("revokedAt").update({ revokedAt: now.toSQL() });
 		await OAuthRefreshToken.query().where("userId", userId).whereNull("revokedAt").update({ revokedAt: now.toSQL() });
 		await OAuthAuthorizationCode.query().where("userId", userId).delete();
+		await OAuthPendingAuthorizationRequest.query().where("userId", userId).delete();
 		await OAuthConsent.query().where("userId", userId).delete();
 	}
 	async purgeTokens(options) {
@@ -84,6 +99,7 @@ var SesameManager = class {
 		let accessTokens = 0;
 		let refreshTokens = 0;
 		let authorizationCodes = 0;
+		let pendingRequests = 0;
 		if (purgeRevoked) {
 			accessTokens += await this.#deleteCount(OAuthAccessToken.query().whereNotNull("revokedAt").delete());
 			refreshTokens += await this.#deleteCount(OAuthRefreshToken.query().whereNotNull("revokedAt").delete());
@@ -93,10 +109,12 @@ var SesameManager = class {
 			refreshTokens += await this.#deleteCount(OAuthRefreshToken.query().where("expiresAt", "<", cutoff.toSQL()).whereNull("revokedAt").delete());
 			authorizationCodes += await this.#deleteCount(OAuthAuthorizationCode.query().where("expiresAt", "<", cutoff.toSQL()).delete());
 		}
+		pendingRequests += await this.#deleteCount(OAuthPendingAuthorizationRequest.query().where("expiresAt", "<", DateTime.now().toSQL()).delete());
 		return {
 			accessTokens,
 			refreshTokens,
-			authorizationCodes
+			authorizationCodes,
+			pendingRequests
 		};
 	}
 	#deleteCount(result) {
@@ -113,4 +131,4 @@ var SesameManager = class {
 		}[match[2]];
 	}
 };
-export { OAuthRefreshToken as a, OAuthAuthorizationCode as i, sesame_manager_exports as n, OAuthConsent as r, SesameManager as t };
+export { OAuthAuthorizationCode as a, OAuthConsent as i, sesame_manager_exports as n, OAuthRefreshToken as o, OAuthPendingAuthorizationRequest as r, SesameManager as t };

package/build/src/controllers/authorize_controller.d.ts

@@ -25,24 +25,24 @@ export default class AuthorizeController {
         code_challenge: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
         code_challenge_method: import("@vinejs/vine/schema/base/literal").OptionalModifier<import("@vinejs/vine").VineString>;
     }, {
-        scope?: string | null | undefined;
         state?: string | null | undefined;
+        scope?: string | null | undefined;
         code_challenge?: string | null | undefined;
         code_challenge_method?: string | null | undefined;
         redirect_uri: string;
         client_id: string;
         response_type: string;
     }, {
-        scope?: string | undefined;
         state?: string | undefined;
+        scope?: string | undefined;
         code_challenge?: string | undefined;
         code_challenge_method?: string | undefined;
         redirect_uri: string;
         client_id: string;
         response_type: string;
     }, {
-        scope?: string | undefined;
         state?: string | undefined;
+        scope?: string | undefined;
         code_challenge?: string | undefined;
         code_challenge_method?: string | undefined;
         redirect_uri: string;

package/build/src/guard/main.js

@@ -1,12 +1,12 @@
-import "../../decorate-2_8Ex77k.js";
-import "../../oauth_access_token-BpG8sq-c.js";
-import "../../oauth_client-eh0e5ql-.js";
-import "../../token_service-Czz9v5GI.js";
-import { n as OAuthGuard, t as OAuthLucidUserProvider } from "../../user_provider-B3rXEUT3.js";
+import "../../decorate-BKZEjPRg.js";
+import "../../oauth_access_token-bsoM5KeU.js";
+import "../../oauth_client-Cpppi0_7.js";
+import "../../token_service-BLKxKIHI.js";
+import { n as OAuthGuard, t as OAuthLucidUserProvider } from "../../user_provider-CQczt8_g.js";
 function oauthGuard(config) {
 	return { async resolver(name, app) {
 		const emitter = await app.container.make("emitter");
-		const { SesameManager } = await import("../../sesame_manager-B4tO2PLO.js").then((n) => n.n);
+		const { SesameManager } = await import("../../sesame_manager-CA7dOGwg.js").then((n) => n.n);
 		const manager = await app.container.make(SesameManager);
 		return (ctx) => new OAuthGuard(name, ctx, emitter, config.provider, manager, config.resource);
 	} };

package/build/src/models/oauth_pending_authorization_request.d.ts

@@ -0,0 +1,29 @@
+import { DateTime } from 'luxon';
+import { BaseModel } from '@adonisjs/lucid/orm';
+/**
+ * Temporary server-side record for an in-flight OAuth authorization
+ * request, created when the user is redirected to the consent page
+ * and consumed (deleted) when the user approves or denies.
+ *
+ * Stored in the database instead of the HTTP session to avoid
+ * last-write-wins race conditions when concurrent SPA requests
+ * overwrite session data.
+ *
+ * The `token` column stores a SHA-256 hash of the raw auth_token
+ * sent to the consent page, consistent with how authorization
+ * codes are stored.
+ */
+export declare class OAuthPendingAuthorizationRequest extends BaseModel {
+    static table: string;
+    id: string;
+    token: string;
+    userId: string;
+    clientId: string;
+    redirectUri: string;
+    scopes: string[];
+    state: string | null;
+    codeChallenge: string | null;
+    codeChallengeMethod: string | null;
+    expiresAt: DateTime;
+    createdAt: DateTime;
+}

package/build/src/sesame_manager.d.ts

@@ -3,6 +3,7 @@ export interface PurgeResult {
     accessTokens: number;
     refreshTokens: number;
     authorizationCodes: number;
+    pendingRequests: number;
 }
 /**
  * Central manager for the Sésame OAuth 2.1 server.

package/build/src/types.d.ts

@@ -55,6 +55,12 @@ export interface SesameConfig {
      * Defaults to '10m'.
      */
     authorizationCodeTtl?: string;
+    /**
+     * Pending authorization request TTL as a string duration.
+     * Controls how long a user has to approve/deny a consent screen.
+     * Defaults to `authorizationCodeTtl` (typically '10m').
+     */
+    authorizationRequestTtl?: string;
     /**
      * Route or URL where unauthenticated users are redirected
      * to log in during the authorization flow. Can be a string
@@ -94,6 +100,7 @@ export interface ResolvedSesameConfig {
     accessTokenTtl: string;
     refreshTokenTtl: string;
     authorizationCodeTtl: string;
+    authorizationRequestTtl: string;
     loginPage: string | ((ctx: HttpContext, params: URLSearchParams) => string);
     consentPage: string | ((ctx: HttpContext, params: URLSearchParams) => string);
     allowDynamicRegistration: boolean;

package/build/stubs/config/sesame.stub

@@ -1,5 +1,5 @@
 {{{
-  exports: { defineConfig: 'import { defineConfig } from \'@adonisjs/sesame\'' }
+  exports: { defineConfig: 'import { defineConfig } from \'@julr/sesame\'' }
 }}}
 import env from '#start/env'
 

package/build/stubs/migrations/create_oauth_pending_authorization_requests_table.stub

@@ -0,0 +1,32 @@
+{{{
+  exports: { migration: "import { BaseSchema } from '@adonisjs/lucid/schema'" }
+}}}
+
+export default class extends BaseSchema {
+  protected tableName = 'oauth_pending_authorization_requests'
+
+  async up() {
+    this.schema.createTable(this.tableName, (table) => {
+      table.uuid('id').primary()
+      table.string('token').notNullable().index()
+      table
+        .string('client_id')
+        .notNullable()
+        .references('client_id')
+        .inTable('oauth_clients')
+        .onDelete('CASCADE')
+      table.string('user_id').notNullable()
+      table.json('scopes').notNullable()
+      table.text('redirect_uri').notNullable()
+      table.string('state').nullable()
+      table.string('code_challenge').nullable()
+      table.string('code_challenge_method').nullable()
+      table.timestamp('expires_at').notNullable()
+      table.timestamp('created_at').notNullable()
+    })
+  }
+
+  async down() {
+    this.schema.dropTable(this.tableName)
+  }
+}

package/build/{token_controller-C9wh813f.js → token_controller-CDFuzY6S.js}

@@ -1,10 +1,10 @@
-import "./decorate-2_8Ex77k.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { a as E_INVALID_REQUEST, i as E_INVALID_GRANT, l as E_UNSUPPORTED_GRANT_TYPE, n as E_INVALID_CLIENT, o as E_INVALID_SCOPE } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as TokenService } from "./token_service-Czz9v5GI.js";
-import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import "./decorate-BKZEjPRg.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
+import { a as OAuthAuthorizationCode, o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
+import { a as E_INVALID_REQUEST, i as E_INVALID_GRANT, l as E_UNSUPPORTED_GRANT_TYPE, n as E_INVALID_CLIENT, o as E_INVALID_SCOPE } from "./oauth_error-BOn0846g.js";
+import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
+import { t as TokenService } from "./token_service-BLKxKIHI.js";
+import { t as ClientService } from "./client_service-DrkqOh37.js";
 import { DateTime } from "luxon";
 import { createHash } from "node:crypto";
 import vine from "@vinejs/vine";

package/build/{user_provider-B3rXEUT3.js → user_provider-CQczt8_g.js}

@@ -1,6 +1,6 @@
-import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as TokenService } from "./token_service-Czz9v5GI.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
+import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
+import { t as TokenService } from "./token_service-BLKxKIHI.js";
 import { DateTime } from "luxon";
 import { RuntimeException } from "@adonisjs/core/exceptions";
 import { errors } from "@adonisjs/auth";

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@julr/sesame",
   "description": "OAuth 2.1 + OIDC server for AdonisJS",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "engines": {
     "node": ">=24.0.0"
   },

package/build/main-kn40V-hF.js

@@ -1,2 +0,0 @@
-const stubsRoot = import.meta.dirname;
-export { stubsRoot as t };