@julr/sesame 0.1.0 → 0.2.1

package/build/metadata_controller-BzCjyqUG.js

@@ -0,0 +1,73 @@
+import { t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
+import "./decorate-BKZEjPRg.js";
+import "./oauth_access_token-bsoM5KeU.js";
+import { l as E_SERVER_ERROR } from "./oauth_error-CnJ3L8tf.js";
+const DISCOVERY_ROUTE_NAMES = {
+	authorization_endpoint: "sesame.authorize",
+	token_endpoint: "sesame.token",
+	registration_endpoint: "sesame.register",
+	introspection_endpoint: "sesame.introspect",
+	revocation_endpoint: "sesame.revoke"
+};
+var MetadataController = class {
+	#assertDiscoveryRoutes(router, options) {
+		const requiredRoutes = [
+			DISCOVERY_ROUTE_NAMES.authorization_endpoint,
+			DISCOVERY_ROUTE_NAMES.token_endpoint,
+			DISCOVERY_ROUTE_NAMES.introspection_endpoint,
+			DISCOVERY_ROUTE_NAMES.revocation_endpoint
+		];
+		if (options.includeRegistration) requiredRoutes.push(DISCOVERY_ROUTE_NAMES.registration_endpoint);
+		const missingRoutes = requiredRoutes.filter((routeName) => !router.has(routeName));
+		if (missingRoutes.length > 0) throw new E_SERVER_ERROR(`OAuth discovery is misconfigured. Missing named route(s): ${missingRoutes.join(", ")}. Register OAuth routes with sesame.registerRoutes(router) before exposing well-known metadata.`);
+	}
+	async authServer(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		const router = await ctx.containerResolver.make("router");
+		const issuer = manager.config.issuer;
+		const prefixUrl = issuer;
+		this.#assertDiscoveryRoutes(router, { includeRegistration: manager.config.allowDynamicRegistration });
+		ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
+		return {
+			issuer,
+			authorization_endpoint: router.makeUrl("sesame.authorize", {}, { prefixUrl }),
+			token_endpoint: router.makeUrl("sesame.token", {}, { prefixUrl }),
+			registration_endpoint: manager.config.allowDynamicRegistration ? router.makeUrl("sesame.register", {}, { prefixUrl }) : void 0,
+			introspection_endpoint: router.makeUrl("sesame.introspect", {}, { prefixUrl }),
+			revocation_endpoint: router.makeUrl("sesame.revoke", {}, { prefixUrl }),
+			response_types_supported: ["code"],
+			response_modes_supported: ["query"],
+			grant_types_supported: manager.config.grantTypes,
+			token_endpoint_auth_methods_supported: [
+				"none",
+				"client_secret_basic",
+				"client_secret_post"
+			],
+			introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+			revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+			code_challenge_methods_supported: ["S256"],
+			authorization_response_iss_parameter_supported: true
+		};
+	}
+	async oidc(ctx) {
+		const base = await this.authServer(ctx);
+		const manager = await ctx.containerResolver.make(SesameManager);
+		return {
+			...base,
+			subject_types_supported: ["public"],
+			scopes_supported: Object.keys(manager.config.scopes)
+		};
+	}
+	async protectedResource(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		const issuer = manager.config.issuer;
+		ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
+		return {
+			resource: issuer,
+			authorization_servers: [issuer],
+			scopes_supported: Object.keys(manager.config.scopes),
+			bearer_methods_supported: ["header"]
+		};
+	}
+};
+export { MetadataController as default };

package/build/{oauth_access_token-BpG8sq-c.js → oauth_access_token-bsoM5KeU.js}

@@ -1,4 +1,4 @@
-import { n as json, t as __decorate } from "./decorate-2_8Ex77k.js";
+import { n as json, t as __decorate } from "./decorate-BKZEjPRg.js";
 import { BaseModel, column } from "@adonisjs/lucid/orm";
 var OAuthAccessToken = class extends BaseModel {
 	static table = "oauth_access_tokens";

package/build/{oauth_client-eh0e5ql-.js → oauth_client-BIoY5jBR.js}

@@ -1,4 +1,4 @@
-import { n as json, t as __decorate } from "./decorate-2_8Ex77k.js";
+import { n as json, t as __decorate } from "./decorate-BKZEjPRg.js";
 import { BaseModel, column } from "@adonisjs/lucid/orm";
 var OAuthClient = class extends BaseModel {
 	static table = "oauth_clients";

package/build/{oauth_error-BQPqV-MV.js → oauth_error-CnJ3L8tf.js}

@@ -75,4 +75,20 @@ const E_SERVER_ERROR = class extends OAuthError {
 	static message = "Server error";
 	static oauthCode = "server_error";
 };
-export { E_INVALID_REQUEST as a, E_SERVER_ERROR as c, OAuthError as d, E_INVALID_GRANT as i, E_UNSUPPORTED_GRANT_TYPE as l, E_INVALID_CLIENT as n, E_INVALID_SCOPE as o, E_INVALID_CLIENT_METADATA as r, E_INVALID_TOKEN as s, E_ACCESS_DENIED as t, E_UNSUPPORTED_RESPONSE_TYPE as u };
+const E_INSUFFICIENT_SCOPE = class extends OAuthError {
+	static status = 403;
+	static code = "E_INSUFFICIENT_SCOPE";
+	static message = "Insufficient scope";
+	static oauthCode = "insufficient_scope";
+	missingScopes;
+	constructor(missingScopes, message) {
+		super(message ?? "The token does not have the required scope(s)");
+		this.missingScopes = missingScopes;
+	}
+	handle(error, ctx) {
+		const scope = error.missingScopes.join(" ");
+		ctx.response.header("WWW-Authenticate", `Bearer error="insufficient_scope", error_description="${error.message}", scope="${scope}"`);
+		super.handle(error, ctx);
+	}
+};
+export { E_INVALID_GRANT as a, E_INVALID_TOKEN as c, E_UNSUPPORTED_RESPONSE_TYPE as d, OAuthError as f, E_INVALID_CLIENT_METADATA as i, E_SERVER_ERROR as l, E_INSUFFICIENT_SCOPE as n, E_INVALID_REQUEST as o, E_INVALID_CLIENT as r, E_INVALID_SCOPE as s, E_ACCESS_DENIED as t, E_UNSUPPORTED_GRANT_TYPE as u };

package/build/providers/sesame_provider.d.ts

@@ -1,10 +1,6 @@
 import type { ApplicationService } from '@adonisjs/core/types';
 /**
  * AdonisJS service provider for the Sésame OAuth 2.1 server.
- *
- * - `register()`: Binds `SesameManager` as a singleton in the IoC
- *   container, reading the resolved config from `config/sesame.ts`.
- * - `boot()`: Registers all OAuth routes on the AdonisJS router.
  */
 export default class SesameProvider {
     protected app: ApplicationService;
@@ -14,8 +10,4 @@ export default class SesameProvider {
      * The manager is resolved from the `sesame` config key.
      */
     register(): void;
-    /**
-     * Boot the provider by registering all OAuth 2.1 routes.
-     */
-    boot(): Promise<void>;
 }

package/build/providers/sesame_provider.js

@@ -1,6 +1,6 @@
-import "../decorate-2_8Ex77k.js";
-import "../oauth_access_token-BpG8sq-c.js";
-import { t as SesameManager } from "../sesame_manager-B4tO2PLO.js";
+import { t as SesameManager } from "../sesame_manager-CFq4VEIZ.js";
+import "../decorate-BKZEjPRg.js";
+import "../oauth_access_token-bsoM5KeU.js";
 var SesameProvider = class {
 	constructor(app) {
 		this.app = app;
@@ -10,10 +10,5 @@ var SesameProvider = class {
 			return new SesameManager(this.app.config.get("sesame"));
 		});
 	}
-	async boot() {
-		const router = await this.app.container.make("router");
-		const { registerRoutes } = await import("../routes-D6QCu0Pz.js").then((n) => n.r);
-		registerRoutes(router);
-	}
 };
 export { SesameProvider as default };

package/build/{register_controller-BA7uQAgt.js → register_controller-DOlN9wNl.js}

@@ -1,9 +1,9 @@
-import "./decorate-2_8Ex77k.js";
-import "./oauth_access_token-BpG8sq-c.js";
-import { t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { a as E_INVALID_REQUEST, o as E_INVALID_SCOPE, r as E_INVALID_CLIENT_METADATA, t as E_ACCESS_DENIED } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import { t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
+import "./decorate-BKZEjPRg.js";
+import "./oauth_access_token-bsoM5KeU.js";
+import { i as E_INVALID_CLIENT_METADATA, o as E_INVALID_REQUEST, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { t as ClientService } from "./client_service-BqPSlaTS.js";
 import vine from "@vinejs/vine";
 const DANGEROUS_SCHEMES = [
 	"javascript:",

package/build/{revoke_controller-CNIgNKH3.js → revoke_controller-B281b8ZO.js}

@@ -1,10 +1,10 @@
-import "./decorate-2_8Ex77k.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { n as E_INVALID_CLIENT } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as TokenService } from "./token_service-Czz9v5GI.js";
-import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import { o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
+import "./decorate-BKZEjPRg.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
+import { r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { t as TokenService } from "./token_service-fhoA4slP.js";
+import { t as ClientService } from "./client_service-BqPSlaTS.js";
 import { DateTime } from "luxon";
 var RevokeController = class {
 	async handle(ctx) {

package/build/{sesame_manager-B4tO2PLO.js → sesame_manager-CFq4VEIZ.js}

@@ -1,8 +1,42 @@
-import { t as __exportAll } from "./rolldown-runtime-BASaM9lw.js";
-import { n as json, t as __decorate } from "./decorate-2_8Ex77k.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
+import { n as json, t as __decorate } from "./decorate-BKZEjPRg.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
+import "node:module";
 import { DateTime } from "luxon";
 import { BaseModel, column } from "@adonisjs/lucid/orm";
+var __defProp = Object.defineProperty;
+var __exportAll = (all, no_symbols) => {
+	let target = {};
+	for (var name in all) __defProp(target, name, {
+		get: all[name],
+		enumerable: true
+	});
+	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
+	return target;
+};
+const controllers = {
+	token: () => import("./token_controller-ll9sjcvn.js"),
+	authorize: () => import("./authorize_controller-BNWhlPZQ.js"),
+	consent: () => import("./consent_controller-COvvkpHM.js"),
+	introspect: () => import("./introspect_controller-JjAAXFIV.js"),
+	revoke: () => import("./revoke_controller-B281b8ZO.js"),
+	register: () => import("./register_controller-DOlN9wNl.js"),
+	metadata: () => import("./metadata_controller-BzCjyqUG.js"),
+	clientInfo: () => import("./client_info_controller-BucHGx4u.js")
+};
+function registerOAuthRoutes(router) {
+	router.post("/token", [controllers.token]).as("sesame.token");
+	router.get("/authorize", [controllers.authorize]).as("sesame.authorize");
+	router.post("/consent", [controllers.consent]).as("sesame.consent");
+	router.get("/client-info", [controllers.clientInfo]).as("sesame.clientInfo");
+	router.post("/introspect", [controllers.introspect]).as("sesame.introspect");
+	router.post("/revoke", [controllers.revoke]).as("sesame.revoke");
+	router.post("/register", [controllers.register]).as("sesame.register");
+}
+function registerWellKnownRoutes(router) {
+	router.get("/.well-known/oauth-authorization-server", [controllers.metadata, "authServer"]).as("sesame.metadata.authServer");
+	router.get("/.well-known/openid-configuration", [controllers.metadata, "oidc"]).as("sesame.metadata.oidc");
+	router.get("/.well-known/oauth-protected-resource", [controllers.metadata, "protectedResource"]).as("sesame.metadata.protectedResource");
+}
 var OAuthRefreshToken = class extends BaseModel {
 	static table = "oauth_refresh_tokens";
 };
@@ -48,6 +82,20 @@ __decorate([column.dateTime({
 	autoCreate: true,
 	autoUpdate: true
 })], OAuthConsent.prototype, "updatedAt", void 0);
+var OAuthPendingAuthorizationRequest = class extends BaseModel {
+	static table = "oauth_pending_authorization_requests";
+};
+__decorate([column({ isPrimary: true })], OAuthPendingAuthorizationRequest.prototype, "id", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "token", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "userId", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "clientId", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "redirectUri", void 0);
+__decorate([json()], OAuthPendingAuthorizationRequest.prototype, "scopes", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "state", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "codeChallenge", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "codeChallengeMethod", void 0);
+__decorate([column.dateTime()], OAuthPendingAuthorizationRequest.prototype, "expiresAt", void 0);
+__decorate([column.dateTime({ autoCreate: true })], OAuthPendingAuthorizationRequest.prototype, "createdAt", void 0);
 var sesame_manager_exports = /* @__PURE__ */ __exportAll({ SesameManager: () => SesameManager });
 var SesameManager = class {
 	#config;
@@ -72,6 +120,7 @@ var SesameManager = class {
 		await OAuthAccessToken.query().where("userId", userId).whereNull("revokedAt").update({ revokedAt: now.toSQL() });
 		await OAuthRefreshToken.query().where("userId", userId).whereNull("revokedAt").update({ revokedAt: now.toSQL() });
 		await OAuthAuthorizationCode.query().where("userId", userId).delete();
+		await OAuthPendingAuthorizationRequest.query().where("userId", userId).delete();
 		await OAuthConsent.query().where("userId", userId).delete();
 	}
 	async purgeTokens(options) {
@@ -84,6 +133,7 @@ var SesameManager = class {
 		let accessTokens = 0;
 		let refreshTokens = 0;
 		let authorizationCodes = 0;
+		let pendingRequests = 0;
 		if (purgeRevoked) {
 			accessTokens += await this.#deleteCount(OAuthAccessToken.query().whereNotNull("revokedAt").delete());
 			refreshTokens += await this.#deleteCount(OAuthRefreshToken.query().whereNotNull("revokedAt").delete());
@@ -93,24 +143,34 @@ var SesameManager = class {
 			refreshTokens += await this.#deleteCount(OAuthRefreshToken.query().where("expiresAt", "<", cutoff.toSQL()).whereNull("revokedAt").delete());
 			authorizationCodes += await this.#deleteCount(OAuthAuthorizationCode.query().where("expiresAt", "<", cutoff.toSQL()).delete());
 		}
+		pendingRequests += await this.#deleteCount(OAuthPendingAuthorizationRequest.query().where("expiresAt", "<", DateTime.now().toSQL()).delete());
 		return {
 			accessTokens,
 			refreshTokens,
-			authorizationCodes
+			authorizationCodes,
+			pendingRequests
 		};
 	}
+	registerRoutes(router) {
+		registerOAuthRoutes(router);
+	}
+	registerWellKnownRoutes(router) {
+		registerWellKnownRoutes(router);
+	}
+	registerProtectedResource(router, options) {
+		const wellKnownPath = `/.well-known/oauth-protected-resource${options.resource}`;
+		router.get(wellKnownPath, async (ctx) => {
+			ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
+			return {
+				resource: `${this.#config.issuer}${options.resource}`,
+				authorization_servers: [this.#config.issuer],
+				scopes_supported: options.scopes ?? Object.keys(this.#config.scopes),
+				bearer_methods_supported: ["header"]
+			};
+		});
+	}
 	#deleteCount(result) {
 		return result.then((r) => Array.isArray(r) ? Number(r[0] ?? 0) : Number(r));
 	}
-	parseTtl(ttl) {
-		const match = ttl.match(/^(\d+)(s|m|h|d)$/);
-		if (!match) throw new Error(`Invalid TTL format: ${ttl}`);
-		return Number.parseInt(match[1], 10) * {
-			s: 1,
-			m: 60,
-			h: 3600,
-			d: 86400
-		}[match[2]];
-	}
 };
-export { OAuthRefreshToken as a, OAuthAuthorizationCode as i, sesame_manager_exports as n, OAuthConsent as r, SesameManager as t };
+export { OAuthAuthorizationCode as a, OAuthConsent as i, sesame_manager_exports as n, OAuthRefreshToken as o, OAuthPendingAuthorizationRequest as r, SesameManager as t };

package/build/src/controllers/metadata_controller.d.ts

@@ -13,6 +13,7 @@ import type { AuthServerMetadata, ResourceServerMetadata } from '../types.ts';
  * @see https://openid.net/specs/openid-connect-discovery-1_0.html
  */
 export default class MetadataController {
+    #private;
     /**
      * OAuth 2.0 Authorization Server Metadata (RFC 8414).
      *

package/build/src/define_config.d.ts

@@ -13,4 +13,9 @@ import type { SesameConfig, ResolvedSesameConfig } from './types.ts';
  * - `allowDynamicRegistration`: `false`
  * - `allowPublicRegistration`: `false`
  */
-export declare function defineConfig(config: SesameConfig): ResolvedSesameConfig;
+export declare function defineConfig<const TScopes extends Record<string, string>>(config: Omit<SesameConfig, 'scopes' | 'defaultScopes'> & {
+    scopes?: TScopes;
+    defaultScopes?: Array<Extract<keyof TScopes, string>>;
+}): Omit<ResolvedSesameConfig, 'scopes'> & {
+    scopes: TScopes;
+};

package/build/src/guard/guard.d.ts

@@ -2,6 +2,7 @@ import type { HttpContext } from '@adonisjs/core/http';
 import type { EmitterLike } from '@adonisjs/core/types/events';
 import { symbols } from '@adonisjs/auth';
 import type { AuthClientResponse, GuardContract } from '@adonisjs/auth/types';
+import type { Scope } from '../types.ts';
 import type { SesameManager } from '../sesame_manager.ts';
 import type { OAuthGuardEvents, OAuthUserProviderContract } from './types.ts';
 /**
@@ -18,13 +19,13 @@ export declare class OAuthGuard<UserProvider extends OAuthUserProviderContract<u
     authenticationAttempted: boolean;
     isAuthenticated: boolean;
     user?: UserProvider[typeof symbols.PROVIDER_REAL_USER];
-    scopes: string[];
+    scopes: Scope[];
     clientId?: string;
     constructor(name: string, ctx: HttpContext, emitter: EmitterLike<OAuthGuardEvents<UserProvider[typeof symbols.PROVIDER_REAL_USER]>>, userProvider: UserProvider, manager: SesameManager, resource?: string);
     getUserOrFail(): UserProvider[typeof symbols.PROVIDER_REAL_USER];
     authenticate(): Promise<UserProvider[typeof symbols.PROVIDER_REAL_USER]>;
     check(): Promise<boolean>;
-    hasScope(...scopes: string[]): boolean;
-    hasAnyScope(...scopes: string[]): boolean;
+    hasScope(...scopes: Scope[]): boolean;
+    hasAnyScope(...scopes: Scope[]): boolean;
     authenticateAsClient(user: UserProvider[typeof symbols.PROVIDER_REAL_USER]): Promise<AuthClientResponse>;
 }

package/build/src/guard/main.js

@@ -1,12 +1,12 @@
-import "../../decorate-2_8Ex77k.js";
-import "../../oauth_access_token-BpG8sq-c.js";
-import "../../oauth_client-eh0e5ql-.js";
-import "../../token_service-Czz9v5GI.js";
-import { n as OAuthGuard, t as OAuthLucidUserProvider } from "../../user_provider-B3rXEUT3.js";
+import "../../decorate-BKZEjPRg.js";
+import "../../oauth_access_token-bsoM5KeU.js";
+import "../../oauth_client-BIoY5jBR.js";
+import "../../token_service-fhoA4slP.js";
+import { n as OAuthGuard, t as OAuthLucidUserProvider } from "../../user_provider-DXAOfv8-.js";
 function oauthGuard(config) {
 	return { async resolver(name, app) {
 		const emitter = await app.container.make("emitter");
-		const { SesameManager } = await import("../../sesame_manager-B4tO2PLO.js").then((n) => n.n);
+		const { SesameManager } = await import("../../sesame_manager-CFq4VEIZ.js").then((n) => n.n);
 		const manager = await app.container.make(SesameManager);
 		return (ctx) => new OAuthGuard(name, ctx, emitter, config.provider, manager, config.resource);
 	} };

package/build/src/middleware/any_scope_middleware.d.ts

@@ -0,0 +1,15 @@
+import type { HttpContext } from '@adonisjs/core/http';
+import type { NextFn } from '@adonisjs/core/types/http';
+import type { Scope } from '../types.ts';
+/**
+ * Any-scope middleware requires ANY of the listed scopes on the
+ * authenticated OAuth token. Throws 403 if none match.
+ *
+ * @example
+ * router.get('/data', [DataController]).use(middleware.anyScope({ scopes: ['read', 'read-all'] }))
+ */
+export default class AnyScopeMiddleware {
+    handle(ctx: HttpContext, next: NextFn, options: {
+        scopes: Scope[];
+    }): Promise<any>;
+}

package/build/src/middleware/any_scope_middleware.js

@@ -0,0 +1,18 @@
+import { n as E_INSUFFICIENT_SCOPE } from "../../oauth_error-CnJ3L8tf.js";
+var AnyScopeMiddleware = class {
+	async handle(ctx, next, options) {
+		const guard = ctx.auth.use("oauth");
+		if (guard.isAuthenticated) {
+			if (!guard.hasAnyScope(...options.scopes)) throw new E_INSUFFICIENT_SCOPE(options.scopes);
+			return next();
+		}
+		if (ctx.request.header("authorization")) {
+			await guard.authenticate();
+			if (!guard.hasAnyScope(...options.scopes)) throw new E_INSUFFICIENT_SCOPE(options.scopes);
+			return next();
+		}
+		if (await ctx.auth.check()) return next();
+		await guard.authenticate();
+	}
+};
+export { AnyScopeMiddleware as default };

package/build/src/middleware/scope_middleware.d.ts

@@ -0,0 +1,15 @@
+import type { HttpContext } from '@adonisjs/core/http';
+import type { NextFn } from '@adonisjs/core/types/http';
+import type { Scope } from '../types.ts';
+/**
+ * Scope middleware requires ALL listed scopes on the authenticated
+ * OAuth token. Throws 403 if any scope is missing.
+ *
+ * @example
+ * router.get('/admin', [AdminController]).use(middleware.scopes({ scopes: ['admin', 'manage'] }))
+ */
+export default class ScopeMiddleware {
+    handle(ctx: HttpContext, next: NextFn, options: {
+        scopes: Scope[];
+    }): Promise<any>;
+}

package/build/src/middleware/scope_middleware.js

@@ -0,0 +1,18 @@
+import { n as E_INSUFFICIENT_SCOPE } from "../../oauth_error-CnJ3L8tf.js";
+var ScopeMiddleware = class {
+	async handle(ctx, next, options) {
+		const guard = ctx.auth.use("oauth");
+		if (guard.isAuthenticated) {
+			if (!guard.hasScope(...options.scopes)) throw new E_INSUFFICIENT_SCOPE(options.scopes);
+			return next();
+		}
+		if (ctx.request.header("authorization")) {
+			await guard.authenticate();
+			if (!guard.hasScope(...options.scopes)) throw new E_INSUFFICIENT_SCOPE(options.scopes);
+			return next();
+		}
+		if (await ctx.auth.check()) return next();
+		await guard.authenticate();
+	}
+};
+export { ScopeMiddleware as default };

package/build/src/models/oauth_pending_authorization_request.d.ts

@@ -0,0 +1,29 @@
+import { DateTime } from 'luxon';
+import { BaseModel } from '@adonisjs/lucid/orm';
+/**
+ * Temporary server-side record for an in-flight OAuth authorization
+ * request, created when the user is redirected to the consent page
+ * and consumed (deleted) when the user approves or denies.
+ *
+ * Stored in the database instead of the HTTP session to avoid
+ * last-write-wins race conditions when concurrent SPA requests
+ * overwrite session data.
+ *
+ * The `token` column stores a SHA-256 hash of the raw auth_token
+ * sent to the consent page, consistent with how authorization
+ * codes are stored.
+ */
+export declare class OAuthPendingAuthorizationRequest extends BaseModel {
+    static table: string;
+    id: string;
+    token: string;
+    userId: string;
+    clientId: string;
+    redirectUri: string;
+    scopes: string[];
+    state: string | null;
+    codeChallenge: string | null;
+    codeChallengeMethod: string | null;
+    expiresAt: DateTime;
+    createdAt: DateTime;
+}

package/build/src/oauth_error.d.ts

@@ -357,3 +357,35 @@ export declare const E_SERVER_ERROR: {
     prepareStackTrace(err: Error, stackTraces: NodeJS.CallSite[]): any;
     stackTraceLimit: number;
 };
+/**
+ * The access token does not have the required scope(s) to access
+ * the protected resource. Returns 403 with a WWW-Authenticate header
+ * per RFC 6750 §3.1.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6750#section-3.1
+ */
+export declare const E_INSUFFICIENT_SCOPE: {
+    new (missingScopes: string[], message?: string): {
+        missingScopes: string[];
+        handle(error: /*elided*/ any, ctx: HttpContext): void;
+        get oauthCode(): string;
+        name: string;
+        help?: string;
+        code?: string;
+        status: number;
+        toString(): string;
+        get [Symbol.toStringTag](): string;
+        message: string;
+        stack?: string;
+        cause?: unknown;
+    };
+    readonly status: number;
+    readonly code: string;
+    readonly message: string;
+    readonly oauthCode: string;
+    help?: string;
+    isError(error: unknown): error is Error;
+    captureStackTrace(targetObject: object, constructorOpt?: Function): void;
+    prepareStackTrace(err: Error, stackTraces: NodeJS.CallSite[]): any;
+    stackTraceLimit: number;
+};

package/build/src/routes.d.ts

@@ -1,28 +1,29 @@
 import { Router } from '@adonisjs/core/http';
 /**
- * Register all OAuth 2.1 routes on the given AdonisJS router.
+ * Register OAuth 2.1 endpoint routes on the given router.
+ *
+ * Paths are relative (no prefix) — the user wraps the call
+ * in a `router.group().prefix('/oauth')` to control the mount point.
  *
  * Endpoints registered:
- * - `POST /oauth/token` — Token endpoint (RFC 6749 §3.2)
- * - `GET /oauth/authorize` — Authorization endpoint (RFC 6749 §3.1)
- * - `POST /oauth/consent` — User consent submission
- * - `POST /oauth/introspect` — Token introspection (RFC 7662)
- * - `POST /oauth/revoke` — Token revocation (RFC 7009)
- * - `POST /oauth/register` — Dynamic client registration (RFC 7591)
- * - `GET /oauth/client-info` — Public client information (RFC 6819 §4.4.1.4)
- * - `GET /.well-known/oauth-authorization-server` — Server metadata (RFC 8414)
- * - `GET /.well-known/openid-configuration` — OpenID Connect discovery
- * - `GET /.well-known/oauth-protected-resource` — Protected resource metadata (RFC 9728)
+ * - `POST /token` — Token endpoint (RFC 6749 §3.2)
+ * - `GET /authorize` — Authorization endpoint (RFC 6749 §3.1)
+ * - `POST /consent` — User consent submission
+ * - `POST /introspect` — Token introspection (RFC 7662)
+ * - `POST /revoke` — Token revocation (RFC 7009)
+ * - `POST /register` — Dynamic client registration (RFC 7591)
+ * - `GET /client-info` — Public client information (RFC 6819 §4.4.1.4)
  */
-export declare function registerRoutes(router: Router): void;
+export declare function registerOAuthRoutes(router: Router): void;
 /**
- * Register a `/.well-known/oauth-protected-resource` endpoint for a
- * specific resource path (RFC 9728). Useful for MCP servers that need
- * per-resource discovery.
+ * Register well-known discovery routes at the root level.
+ *
+ * These must be registered outside any prefix group so they
+ * remain at `/.well-known/...`.
  *
- * @see https://datatracker.ietf.org/doc/html/rfc9728
+ * Endpoints registered:
+ * - `GET /.well-known/oauth-authorization-server` — Server metadata (RFC 8414)
+ * - `GET /.well-known/openid-configuration` — OpenID Connect discovery
+ * - `GET /.well-known/oauth-protected-resource` — Protected resource metadata (RFC 9728)
  */
-export declare function registerProtectedResource(router: Router, options: {
-    resource: string;
-    scopes?: string[];
-}): void;
+export declare function registerWellKnownRoutes(router: Router): void;