@julr/sesame 0.1.0 → 0.2.1

package/README.md

@@ -1,130 +1,211 @@
-# AdonisJS package starter kit
+# Sésame
 
-> [!note]
-> This starter kit targets **AdonisJS v7**
+> OAuth 2.1 + OIDC server for AdonisJS
 
-> A boilerplate for creating AdonisJS packages
+Sésame is an AdonisJS package that turns your application into a full-featured OAuth 2.1 authorization server. It implements the core OAuth 2.1 specification along with OIDC discovery, token introspection, dynamic client registration, and MCP (Model Context Protocol) support.
 
-This repo provides you with a starting point for creating AdonisJS packages. Of course, you can create a package from scratch with your folder structure and workflow. However, using this starter kit can speed up the process, as you have fewer decisions to make.
+## Features
 
-## Setup
+- **Authorization Code Grant** with PKCE (S256)
+- **Refresh Token Rotation** with replay detection
+- **Token Introspection** (RFC 7662) and **Revocation** (RFC 7009)
+- **Dynamic Client Registration** (RFC 7591)
+- **OIDC Discovery** (`/.well-known/openid-configuration`)
+- **OAuth Server Metadata** (RFC 8414)
+- **Protected Resource Metadata** (RFC 9728) for MCP servers
+- **Type-safe scopes** via module augmentation
+- **OAuth guard** for `@adonisjs/auth` with scope-checking middleware
+- **Token cleanup** via `sesame:purge` Ace command
 
-- Clone the repo on your computer, or use `giget` to download this repo without the Git history.
-  ```sh
-  npx giget@latest gh:adonisjs/pkg-starter-kit
-  ```
-- Install dependencies.
-- Update the `package.json` file and define the `name`, `description`, `keywords`, and `author` properties.
-- The repo is configured with an MIT license. Feel free to change that if you are not publishing under the MIT license.
+## Installation
 
-## Folder structure
+```bash
+node ace add @julr/sesame
+```
 
-The starter kit mimics the folder structure of the official packages. Feel free to rename files and folders as per your requirements.
+This will:
+- Publish the configuration file to `config/sesame.ts`
+- Publish database migrations (6 tables)
+- Register the service provider and commands
 
-```
-├── providers
-├── src
-├── bin
-├── stubs
-├── configure.ts
-├── index.ts
-├── LICENSE.md
-├── package.json
-├── README.md
-├── tsconfig.json
-├── tsnode.esm.js
+Then run the migrations:
+
+```bash
+node ace migration:run
 ```
 
-- The `configure.ts` file exports the `configure` hook to configure the package using the `node ace configure` command.
-- The `index.ts` file is the main entry point of the package.
-- The `tsnode.esm.js` file runs TypeScript code using TS-Node + SWC. Please read the code comment in this file to learn more.
-- The `bin` directory contains the entry point file to run Japa tests.
-- Learn more about [the `providers` directory](./providers/README.md).
-- Learn more about [the `src` directory](./src/README.md).
-- Learn more about [the `stubs` directory](./stubs/README.md).
+## Configuration
 
-### File system naming convention
+The configuration file lives at `config/sesame.ts`:
 
-We use `snake_case` naming conventions for the file system. The rule is enforced using ESLint. However, turn off the rule and use your preferred naming conventions.
+```ts
+import env from '#start/env'
+import { defineConfig } from '@julr/sesame'
+import type { InferScopes } from '@julr/sesame/types'
 
-## Peer dependencies
+const sesameConfig = defineConfig({
+  issuer: env.get('APP_URL'),
 
-The starter kit has a peer dependency on `@adonisjs/core@6`. Since you are creating a package for AdonisJS, you must make it against a specific version of the framework core.
+  scopes: {
+    'read': 'Read access',
+    'write': 'Write access',
+  },
 
-If your package needs Lucid to be functional, you may install `@adonisjs/lucid` as a development dependency and add it to the list of `peerDependencies`.
+  defaultScopes: ['read'],
 
-As a rule of thumb, packages installed in the user application should be part of the `peerDependencies` of your package and not the main dependency.
+  grantTypes: ['authorization_code', 'refresh_token'],
 
-For example, if you install `@adonisjs/core` as a main dependency, then essentially, you are importing a separate copy of `@adonisjs/core` and not sharing the one from the user application. Here is a great article explaining [peer dependencies](https://blog.bitsrc.io/understanding-peer-dependencies-in-javascript-dbdb4ab5a7be).
+  accessTokenTtl: '1h',
+  refreshTokenTtl: '30d',
+  authorizationCodeTtl: '10m',
 
-## Published files
+  loginPage: '/login',
+  consentPage: '/oauth/consent',
 
-Instead of publishing your repo's source code to npm, you must cherry-pick files and folders to publish only the required files.
+  allowDynamicRegistration: false,
+  allowPublicRegistration: false,
+})
 
-The cherry-picking uses the `files` property inside the `package.json` file. By default, we publish the following files and folders.
+export default sesameConfig
 
-```json
-{
-  "files": [
-    "build/src",
-    "build/providers",
-    "build/stubs",
-    "build/index.d.ts",
-    "build/index.js",
-    "build/configure.d.ts",
-    "build/configure.js"
-  ]
+declare module '@julr/sesame/types' {
+  interface SesameScopes extends InferScopes<typeof sesameConfig> {}
 }
 ```
 
-If you create additional folders or files, mention them inside the `files` array.
+The `SesameScopes` augmentation gives you type-safe scope names throughout your application.
+
+## Routes
+
+Register OAuth routes from your `start/routes.ts` file:
+
+```ts
+import { SesameManager } from '@julr/sesame'
+
+const sesame = await app.container.make(SesameManager)
+
+// OAuth endpoints under /oauth
+router.group(() => {
+  sesame.registerRoutes(router)
+}).prefix('/oauth')
+
+// Discovery endpoints at the root
+sesame.registerWellKnownRoutes(router)
+```
+
+This registers the following endpoints:
+
+| Method | Path                                      | Description                            |
+| ------ | ----------------------------------------- | -------------------------------------- |
+| `POST` | `/oauth/token`                            | Token endpoint                         |
+| `GET`  | `/oauth/authorize`                        | Authorization endpoint                 |
+| `POST` | `/oauth/consent`                          | Consent submission                     |
+| `POST` | `/oauth/introspect`                       | Token introspection (RFC 7662)         |
+| `POST` | `/oauth/revoke`                           | Token revocation (RFC 7009)            |
+| `POST` | `/oauth/register`                         | Dynamic client registration (RFC 7591) |
+| `GET`  | `/oauth/client-info`                      | Public client info                     |
+| `GET`  | `/.well-known/oauth-authorization-server` | Server metadata (RFC 8414)             |
+| `GET`  | `/.well-known/openid-configuration`       | OIDC discovery                         |
+
+## Authentication Guard
+
+Sésame provides an OAuth guard for `@adonisjs/auth`. Configure it in `config/auth.ts`:
+
+```ts
+import { oauthGuard, oauthUserProvider } from '@julr/sesame/guard'
+import User from '#models/user'
+
+const authConfig = defineConfig({
+  default: 'web',
+  guards: {
+    // ...your other guards
+    oauth: oauthGuard({
+      provider: oauthUserProvider({ model: () => import('#models/user') }),
+    }),
+  },
+})
+```
 
-## Exports
+Then use it in your controllers:
 
-[Node.js Subpath exports](https://nodejs.org/api/packages.html#subpath-exports) allows you to define the exports of your package regardless of the folder structure. This starter kit defines the following exports.
+```ts
+export default class ApiController {
+  async index({ auth }: HttpContext) {
+    const guard = auth.use('oauth')
+    await guard.authenticate()
 
-```json
-{
-  "exports": {
-    ".": "./build/index.js",
-    "./types": "./build/src/types.js"
+    const user = auth.user!
+    const scopes = guard.scopes
   }
 }
 ```
 
-- The dot `.` export is the main export.
-- The `./types` exports all the types defined inside the `./build/src/types.js` file (the compiled output).
+## Scope Middleware
+
+Two named middleware are available for checking scopes on authenticated requests:
+
+```ts
+// Requires ALL listed scopes
+router
+  .get('/admin', [AdminController])
+  .use(middleware.scopes({ scopes: ['admin', 'write'] }))
 
-Feel free to change the exports as per your requirements.
+// Requires AT LEAST ONE of the listed scopes
+router
+  .get('/data', [DataController])
+  .use(middleware.anyScope({ scopes: ['read', 'write'] }))
+```
 
-## Testing
+## MCP Support
 
-We configure the [Japa test runner](https://japa.dev/) with this starter kit. Japa is used in AdonisJS applications as well. Just run one of the following commands to execute tests.
+For MCP (Model Context Protocol) servers, register per-resource discovery:
 
-- `npm run test`: This command will first lint the code using ESlint and then run tests and report the test coverage using [c8](https://github.com/bcoe/c8).
-- `npm run quick:test`: Runs only the tests without linting or coverage reporting.
+```ts
+sesame.registerProtectedResource(router, {
+  resource: '/api/mcp',
+  scopes: ['read:mcp'],
+})
+```
 
-The starter kit also has a Github workflow file to run tests using Github Actions. The tests are executed against `Node.js 20.x` and `Node.js 21.x` versions on both Linux and Windows. Feel free to edit the workflow file in the `.github/workflows` directory.
+This creates a `/.well-known/oauth-protected-resource/api/mcp` endpoint following RFC 9728.
 
-## TypeScript workflow
+You can also enable public client registration for MCP clients:
 
-- The starter kit uses [tsc](https://www.typescriptlang.org/docs/handbook/compiler-options.html) for compiling the TypeScript to JavaScript when publishing the package.
-- [TS-Node](https://typestrong.org/ts-node/) and [SWC](https://swc.rs/) are used to run tests without compiling the source code.
-- The `tsconfig.json` file is extended from [`@adonisjs/tsconfig`](https://github.com/adonisjs/tooling-config/tree/main/packages/typescript-config) and uses the `NodeNext` module system. Meaning the packages are written using ES modules.
-- You can perform type checking without compiling the source code using the `npm run type check` script.
+```ts
+const sesameConfig = defineConfig({
+  // ...
+  allowDynamicRegistration: true,
+  allowPublicRegistration: true,
+})
+```
 
-Feel free to explore the `tsconfig.json` file for all the configured options.
+## Token Cleanup
 
-## ESLint and Prettier setup
+Purge expired and revoked tokens with the Ace command:
+
+```bash
+node ace sesame:purge
+node ace sesame:purge --revoked-only
+node ace sesame:purge --expired-only
+node ace sesame:purge --retention-hours=168
+```
+
+You can also call it programmatically:
+
+```ts
+const sesame = await app.container.make(SesameManager)
+const result = await sesame.purgeTokens({ retentionHours: 168 })
+```
 
-The starter kit configures ESLint and Prettier
-using our [shared config](https://github.com/adonisjs/tooling-config/tree/main/packages).
-ESLint configuration is stored within the `eslint.config.js` file.
-Prettier configuration is stored within the `package.json` file.
-Feel free to change the configuration, use custom plugins, or remove both tools altogether.
+## Security
 
-## Using Stale bot
+- Tokens (access, refresh, authorization codes, client secrets) are stored as **SHA-256 hashes** — raw values are never persisted
+- PKCE with **S256** is required for public clients
+- Refresh tokens use **rotation** — the old token is revoked on each use
+- **Replay detection**: if a revoked refresh token is reused, all tokens for that client+user pair are revoked
+- Client secret verification uses **timing-safe comparison**
+- OAuth errors follow the standard JSON format with proper HTTP status codes and `WWW-Authenticate` headers
 
-The [Stale bot](https://github.com/apps/stale) is a Github application that automatically marks issues and PRs as stale and closes after a specific duration of inactivity.
+## License
 
-Feel free to delete the `.github/stale.yml` and `.github/lock.yml` files if you decide not to use the Stale bot.
+MIT

package/build/{authorize_controller-CUdEDNEi.js → authorize_controller-BNWhlPZQ.js}

@@ -1,11 +1,12 @@
-import "./decorate-2_8Ex77k.js";
-import "./oauth_access_token-BpG8sq-c.js";
-import { i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { a as E_INVALID_REQUEST, n as E_INVALID_CLIENT, u as E_UNSUPPORTED_RESPONSE_TYPE } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as TokenService } from "./token_service-Czz9v5GI.js";
-import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import { a as OAuthAuthorizationCode, i as OAuthConsent, r as OAuthPendingAuthorizationRequest, t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
+import "./decorate-BKZEjPRg.js";
+import "./oauth_access_token-bsoM5KeU.js";
+import { d as E_UNSUPPORTED_RESPONSE_TYPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { t as TokenService } from "./token_service-fhoA4slP.js";
+import { t as ClientService } from "./client_service-BqPSlaTS.js";
 import { DateTime } from "luxon";
+import string from "@adonisjs/core/helpers/string";
 import vine from "@vinejs/vine";
 var AuthorizeController = class AuthorizeController {
 	static validator = vine.create({
@@ -17,11 +18,6 @@ var AuthorizeController = class AuthorizeController {
 		code_challenge: vine.string().optional(),
 		code_challenge_method: vine.string().optional()
 	});
-	#getAuthorizationSession(ctx) {
-		const session = ctx.session;
-		if (!session || typeof session.put !== "function") throw new E_INVALID_REQUEST("Session middleware is required for the browser authorization flow");
-		return session;
-	}
 	#redirectWithError(ctx, manager, redirectUri, error, description, state) {
 		const url = new URL(redirectUri);
 		url.searchParams.set("error", error);
@@ -30,17 +26,21 @@ var AuthorizeController = class AuthorizeController {
 		url.searchParams.set("iss", manager.config.issuer);
 		return ctx.response.redirect().toPath(url.toString());
 	}
-	#buildAuthorizationRequestParams(ctx, manager, options) {
-		const rawRequestToken = new TokenService(manager).generateOpaqueToken();
-		const session = this.#getAuthorizationSession(ctx);
-		session.put("sesame.authToken", rawRequestToken);
-		session.put("sesame.authRequest", {
+	async #buildAuthorizationRequestParams(manager, options) {
+		const tokenService = new TokenService(manager);
+		const rawRequestToken = tokenService.generateOpaqueToken();
+		const ttl = string.seconds.parse(manager.config.authorizationRequestTtl);
+		await OAuthPendingAuthorizationRequest.create({
+			id: crypto.randomUUID(),
+			token: tokenService.hashToken(rawRequestToken),
+			userId: options.userId,
 			clientId: options.clientId,
 			redirectUri: options.redirectUri,
 			scopes: options.scopes,
 			state: options.state ?? null,
 			codeChallenge: options.codeChallenge ?? null,
-			codeChallengeMethod: options.codeChallengeMethod ?? null
+			codeChallengeMethod: options.codeChallengeMethod ?? null,
+			expiresAt: DateTime.now().plus({ seconds: ttl })
 		});
 		const params = new URLSearchParams();
 		params.set("auth_token", rawRequestToken);
@@ -60,7 +60,7 @@ var AuthorizeController = class AuthorizeController {
 		const tokenService = new TokenService(manager);
 		const raw = tokenService.generateOpaqueToken();
 		const hashed = tokenService.hashToken(raw);
-		const ttl = manager.parseTtl(manager.config.authorizationCodeTtl);
+		const ttl = string.seconds.parse(manager.config.authorizationCodeTtl);
 		await OAuthAuthorizationCode.create({
 			id: crypto.randomUUID(),
 			code: hashed,
@@ -120,7 +120,8 @@ var AuthorizeController = class AuthorizeController {
 				state: query.state
 			});
 		}
-		const params = this.#buildAuthorizationRequestParams(ctx, manager, {
+		const params = await this.#buildAuthorizationRequestParams(manager, {
+			userId: String(user.id),
 			clientId: client.clientId,
 			redirectUri: query.redirect_uri,
 			scopes: requestedScopes,

package/build/{client_info_controller-DeIVcW8B.js → client_info_controller-BucHGx4u.js}

@@ -1,6 +1,6 @@
-import "./decorate-2_8Ex77k.js";
-import { a as E_INVALID_REQUEST, n as E_INVALID_CLIENT } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
+import "./decorate-BKZEjPRg.js";
+import { o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import vine from "@vinejs/vine";
 var ClientInfoController = class ClientInfoController {
 	static validator = vine.create({ client_id: vine.string() });

package/build/{client_service-B9fD3ZGe.js → client_service-BqPSlaTS.js}

@@ -1,4 +1,4 @@
-import { o as E_INVALID_SCOPE } from "./oauth_error-BQPqV-MV.js";
+import { s as E_INVALID_SCOPE } from "./oauth_error-CnJ3L8tf.js";
 import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
 var ClientService = class {
 	parseBasicAuth(header) {

package/build/commands/sesame_purge.js

@@ -1,6 +1,6 @@
-import { t as __decorate } from "../decorate-2_8Ex77k.js";
-import "../oauth_access_token-BpG8sq-c.js";
-import { t as SesameManager } from "../sesame_manager-B4tO2PLO.js";
+import { t as SesameManager } from "../sesame_manager-CFq4VEIZ.js";
+import { t as __decorate } from "../decorate-BKZEjPRg.js";
+import "../oauth_access_token-bsoM5KeU.js";
 import { BaseCommand, flags } from "@adonisjs/core/ace";
 var SesamePurge = class extends BaseCommand {
 	static commandName = "sesame:purge";

package/build/configure.js

@@ -1,16 +1,25 @@
-import { t as stubsRoot } from "./main-kn40V-hF.js";
+import { join } from "node:path";
 async function configure(command) {
 	const codemods = await command.createCodemods();
+	const stubsRoot = join(import.meta.url, "./stubs");
 	await codemods.makeUsingStub(stubsRoot, "config/sesame.stub", {});
 	for (const stub of [
 		"migrations/create_oauth_clients_table.stub",
 		"migrations/create_oauth_authorization_codes_table.stub",
 		"migrations/create_oauth_access_tokens_table.stub",
 		"migrations/create_oauth_refresh_tokens_table.stub",
-		"migrations/create_oauth_consents_table.stub"
+		"migrations/create_oauth_consents_table.stub",
+		"migrations/create_oauth_pending_authorization_requests_table.stub"
 	]) await codemods.makeUsingStub(stubsRoot, stub, {});
 	await codemods.updateRcFile((rcFile) => {
 		rcFile.addProvider("@julr/sesame/sesame_provider").addCommand("@julr/sesame/commands");
 	});
+	await codemods.registerMiddleware("named", [{
+		name: "scopes",
+		path: "@julr/sesame/scope_middleware"
+	}, {
+		name: "anyScope",
+		path: "@julr/sesame/any_scope_middleware"
+	}]);
 }
 export { configure };

package/build/{consent_controller-DFfx7qVs.js → consent_controller-COvvkpHM.js}

@@ -1,23 +1,26 @@
-import "./decorate-2_8Ex77k.js";
-import "./oauth_access_token-BpG8sq-c.js";
-import { i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { a as E_INVALID_REQUEST, i as E_INVALID_GRANT, n as E_INVALID_CLIENT } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as TokenService } from "./token_service-Czz9v5GI.js";
+import { a as OAuthAuthorizationCode, i as OAuthConsent, r as OAuthPendingAuthorizationRequest, t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
+import "./decorate-BKZEjPRg.js";
+import "./oauth_access_token-bsoM5KeU.js";
+import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { t as TokenService } from "./token_service-fhoA4slP.js";
 import { DateTime } from "luxon";
+import string from "@adonisjs/core/helpers/string";
 import vine from "@vinejs/vine";
 var ConsentController = class ConsentController {
 	static validator = vine.create({ auth_token: vine.string() });
-	#getAuthorizationSession(ctx) {
-		const session = ctx.session;
-		if (!session || typeof session.pull !== "function") throw new E_INVALID_REQUEST("Session middleware is required for the browser authorization flow");
-		return session;
+	async #consumePendingRequest(hashedToken, userId) {
+		const row = await OAuthPendingAuthorizationRequest.query().where("token", hashedToken).where("userId", userId).where("expiresAt", ">", DateTime.now().toSQL()).first();
+		if (!row) return null;
+		const deleted = await OAuthPendingAuthorizationRequest.query().where("id", row.id).delete();
+		if ((Array.isArray(deleted) ? Number(deleted[0]) : Number(deleted)) === 0) return null;
+		return row;
 	}
 	async #issueAuthorizationCode(ctx, manager, options) {
 		const tokenService = new TokenService(manager);
 		const raw = tokenService.generateOpaqueToken();
 		const hashed = tokenService.hashToken(raw);
-		const ttl = manager.parseTtl(manager.config.authorizationCodeTtl);
+		const ttl = string.seconds.parse(manager.config.authorizationCodeTtl);
 		await OAuthAuthorizationCode.create({
 			id: crypto.randomUUID(),
 			code: hashed,
@@ -37,50 +40,45 @@ var ConsentController = class ConsentController {
 	}
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
-		const session = this.#getAuthorizationSession(ctx);
 		await ctx.auth.check();
 		const user = ctx.auth.user;
 		if (!user) throw new E_INVALID_REQUEST("User must be authenticated");
 		const [error, body] = await ConsentController.validator.tryValidate(ctx.request.body());
 		if (error) throw new E_INVALID_REQUEST("Missing required parameter: auth_token");
 		const accept = ctx.request.body().accept;
-		const expectedAuthToken = session.pull("sesame.authToken");
-		const authorizationRequest = session.pull("sesame.authRequest");
-		if (!expectedAuthToken || expectedAuthToken !== body.auth_token) {
-			session.forget(["sesame.authToken", "sesame.authRequest"]);
-			throw new E_INVALID_GRANT("Authorization request token mismatch");
-		}
-		if (!authorizationRequest) throw new E_INVALID_GRANT("Authorization request not found");
-		const client = await OAuthClient.query().where("clientId", authorizationRequest.clientId).first();
+		const hashedToken = new TokenService(manager).hashToken(body.auth_token);
+		const pendingRequest = await this.#consumePendingRequest(hashedToken, String(user.id));
+		if (!pendingRequest) throw new E_INVALID_GRANT("Authorization request not found or expired");
+		const client = await OAuthClient.query().where("clientId", pendingRequest.clientId).first();
 		if (!client) throw new E_INVALID_CLIENT("Client not found");
 		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-		if (!client.redirectUris.includes(authorizationRequest.redirectUri)) throw new E_INVALID_REQUEST("Invalid redirect_uri");
+		if (!client.redirectUris.includes(pendingRequest.redirectUri)) throw new E_INVALID_REQUEST("Invalid redirect_uri");
 		if (!accept) {
-			const url = new URL(authorizationRequest.redirectUri);
+			const url = new URL(pendingRequest.redirectUri);
 			url.searchParams.set("error", "access_denied");
 			url.searchParams.set("error_description", "The user denied the authorization request");
-			if (authorizationRequest.state) url.searchParams.set("state", authorizationRequest.state);
+			if (pendingRequest.state) url.searchParams.set("state", pendingRequest.state);
 			url.searchParams.set("iss", manager.config.issuer);
 			return ctx.response.redirect().toPath(url.toString());
 		}
 		const existingConsent = await OAuthConsent.query().where("clientId", client.clientId).where("userId", String(user.id)).first();
 		if (existingConsent) {
-			existingConsent.scopes = [...new Set([...existingConsent.scopes, ...authorizationRequest.scopes])];
+			existingConsent.scopes = [...new Set([...existingConsent.scopes, ...pendingRequest.scopes])];
 			await existingConsent.save();
 		} else await OAuthConsent.create({
 			id: crypto.randomUUID(),
 			clientId: client.clientId,
 			userId: String(user.id),
-			scopes: authorizationRequest.scopes
+			scopes: pendingRequest.scopes
 		});
 		return this.#issueAuthorizationCode(ctx, manager, {
 			client,
 			userId: String(user.id),
-			scopes: authorizationRequest.scopes,
-			redirectUri: authorizationRequest.redirectUri,
-			codeChallenge: authorizationRequest.codeChallenge ?? void 0,
-			codeChallengeMethod: authorizationRequest.codeChallengeMethod ?? void 0,
-			state: authorizationRequest.state ?? void 0
+			scopes: pendingRequest.scopes,
+			redirectUri: pendingRequest.redirectUri,
+			codeChallenge: pendingRequest.codeChallenge ?? void 0,
+			codeChallengeMethod: pendingRequest.codeChallengeMethod ?? void 0,
+			state: pendingRequest.state ?? void 0
 		});
 	}
 };

package/build/index.d.ts

@@ -1,8 +1,7 @@
 export { configure } from './configure.ts';
-export { stubsRoot } from './stubs/main.ts';
 export { defineConfig } from './src/define_config.ts';
 export { SesameManager } from './src/sesame_manager.ts';
-export { OAuthError, E_INVALID_REQUEST, E_INVALID_CLIENT, E_INVALID_GRANT, E_INVALID_SCOPE, E_INVALID_TOKEN, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, E_ACCESS_DENIED, E_INVALID_CLIENT_METADATA, E_SERVER_ERROR, } from './src/oauth_error.ts';
+export { OAuthError, E_INVALID_REQUEST, E_INVALID_CLIENT, E_INVALID_GRANT, E_INVALID_SCOPE, E_INVALID_TOKEN, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, E_ACCESS_DENIED, E_INVALID_CLIENT_METADATA, E_SERVER_ERROR, E_INSUFFICIENT_SCOPE, } from './src/oauth_error.ts';
 export { OAuthClient } from './src/models/oauth_client.ts';
 export { OAuthAccessToken } from './src/models/oauth_access_token.ts';
 export { OAuthRefreshToken } from './src/models/oauth_refresh_token.ts';
@@ -11,4 +10,3 @@ export { OAuthConsent } from './src/models/oauth_consent.ts';
 export { OAuthGuard } from './src/guard/guard.ts';
 export { OAuthLucidUserProvider } from './src/guard/user_provider.ts';
 export { oauthGuard, oauthUserProvider } from './src/guard/main.ts';
-export { registerRoutes, registerProtectedResource } from './src/routes.ts';

package/build/index.js

@@ -1,14 +1,12 @@
-import { t as stubsRoot } from "./main-kn40V-hF.js";
+import { a as OAuthAuthorizationCode, i as OAuthConsent, o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
 import { configure } from "./configure.js";
-import "./decorate-2_8Ex77k.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { a as E_INVALID_REQUEST, c as E_SERVER_ERROR, d as OAuthError, i as E_INVALID_GRANT, l as E_UNSUPPORTED_GRANT_TYPE, n as E_INVALID_CLIENT, o as E_INVALID_SCOPE, r as E_INVALID_CLIENT_METADATA, s as E_INVALID_TOKEN, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_RESPONSE_TYPE } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import "./token_service-Czz9v5GI.js";
-import { n as OAuthGuard, t as OAuthLucidUserProvider } from "./user_provider-B3rXEUT3.js";
+import "./decorate-BKZEjPRg.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
+import { a as E_INVALID_GRANT, c as E_INVALID_TOKEN, d as E_UNSUPPORTED_RESPONSE_TYPE, f as OAuthError, i as E_INVALID_CLIENT_METADATA, l as E_SERVER_ERROR, n as E_INSUFFICIENT_SCOPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import "./token_service-fhoA4slP.js";
+import { n as OAuthGuard, t as OAuthLucidUserProvider } from "./user_provider-DXAOfv8-.js";
 import { oauthGuard, oauthUserProvider } from "./src/guard/main.js";
-import { n as registerRoutes, t as registerProtectedResource } from "./routes-D6QCu0Pz.js";
 function defineConfig(config) {
 	return {
 		issuer: config.issuer,
@@ -18,10 +16,11 @@ function defineConfig(config) {
 		accessTokenTtl: config.accessTokenTtl ?? "1h",
 		refreshTokenTtl: config.refreshTokenTtl ?? "30d",
 		authorizationCodeTtl: config.authorizationCodeTtl ?? "10m",
+		authorizationRequestTtl: config.authorizationRequestTtl ?? config.authorizationCodeTtl ?? "10m",
 		loginPage: config.loginPage,
 		consentPage: config.consentPage,
 		allowDynamicRegistration: config.allowDynamicRegistration ?? false,
 		allowPublicRegistration: config.allowPublicRegistration ?? false
 	};
 }
-export { E_ACCESS_DENIED, E_INVALID_CLIENT, E_INVALID_CLIENT_METADATA, E_INVALID_GRANT, E_INVALID_REQUEST, E_INVALID_SCOPE, E_INVALID_TOKEN, E_SERVER_ERROR, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, OAuthAccessToken, OAuthAuthorizationCode, OAuthClient, OAuthConsent, OAuthError, OAuthGuard, OAuthLucidUserProvider, OAuthRefreshToken, SesameManager, configure, defineConfig, oauthGuard, oauthUserProvider, registerProtectedResource, registerRoutes, stubsRoot };
+export { E_ACCESS_DENIED, E_INSUFFICIENT_SCOPE, E_INVALID_CLIENT, E_INVALID_CLIENT_METADATA, E_INVALID_GRANT, E_INVALID_REQUEST, E_INVALID_SCOPE, E_INVALID_TOKEN, E_SERVER_ERROR, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, OAuthAccessToken, OAuthAuthorizationCode, OAuthClient, OAuthConsent, OAuthError, OAuthGuard, OAuthLucidUserProvider, OAuthRefreshToken, SesameManager, configure, defineConfig, oauthGuard, oauthUserProvider };

package/build/{introspect_controller-BzwfaUUE.js → introspect_controller-JjAAXFIV.js}

@@ -1,10 +1,10 @@
-import "./decorate-2_8Ex77k.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { n as E_INVALID_CLIENT } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as TokenService } from "./token_service-Czz9v5GI.js";
-import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import { o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
+import "./decorate-BKZEjPRg.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
+import { r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { t as TokenService } from "./token_service-fhoA4slP.js";
+import { t as ClientService } from "./client_service-BqPSlaTS.js";
 const INACTIVE = { active: false };
 var IntrospectController = class {
 	async handle(ctx) {