@julr/sesame 0.1.0 → 0.2.1

package/build/src/sesame_manager.d.ts

@@ -1,8 +1,10 @@
-import type { ResolvedSesameConfig } from './types.ts';
+import type { Router } from '@adonisjs/core/http';
+import type { ResolvedSesameConfig, Scope } from './types.ts';
 export interface PurgeResult {
     accessTokens: number;
     refreshTokens: number;
     authorizationCodes: number;
+    pendingRequests: number;
 }
 /**
  * Central manager for the Sésame OAuth 2.1 server.
@@ -19,7 +21,7 @@ export declare class SesameManager {
      *
      * @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
      */
-    hasScope(scope: string): boolean;
+    hasScope(scope: Scope): boolean;
     /**
      * Return the list of scopes that are not registered in the
      * server configuration. When no scopes are configured, all
@@ -30,7 +32,7 @@ export declare class SesameManager {
      * @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
      * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
      */
-    validateScopes(scopes: string[]): string[];
+    validateScopes(scopes: Scope[]): string[];
     /**
      * Check if a grant type is enabled in the server configuration.
      */
@@ -50,8 +52,6 @@ export declare class SesameManager {
      * Returns the total number of deleted records. Expired tokens are
      * retained for `retentionHours` (default 168 = 7 days) to allow
      * for debugging and audit trails.
-     *
-     * Inspired by Laravel Passport's `passport:purge` command.
      */
     purgeTokens(options?: {
         revokedOnly?: boolean;
@@ -59,8 +59,39 @@ export declare class SesameManager {
         retentionHours?: number;
     }): Promise<PurgeResult>;
     /**
-     * Parse a duration string like '1h', '30m', '10d' into seconds.
-     * Supported units: `s` (seconds), `m` (minutes), `h` (hours), `d` (days).
+     * Register OAuth 2.1 endpoint routes (token, authorize, consent, etc.).
+     *
+     * Paths are relative — wrap the call in a `router.group().prefix()`
+     * to control the mount point.
+     *
+     * Do not apply session-auth middleware to the entire OAuth group.
+     * Endpoints like `/token`, `/introspect`, `/revoke`, and `/register`
+     * must stay callable without a browser session.
+     *
+     * @example
+     * ```ts
+     * router.group(() => {
+     *   sesame.registerRoutes(router)
+     * }).prefix('/oauth')
+     * ```
+     */
+    registerRoutes(router: Router): void;
+    /**
+     * Register well-known discovery routes at the root level.
+     *
+     * Must be called outside any prefix group so endpoints
+     * remain at `/.well-known/...`.
+     */
+    registerWellKnownRoutes(router: Router): void;
+    /**
+     * Register a `/.well-known/oauth-protected-resource` endpoint
+     * for a specific resource path (RFC 9728). Useful for MCP
+     * servers that need per-resource discovery.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc9728
      */
-    parseTtl(ttl: string): number;
+    registerProtectedResource(router: Router, options: {
+        resource: string;
+        scopes?: Scope[];
+    }): void;
 }

package/build/src/types.d.ts

@@ -1,4 +1,31 @@
 import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Augment this interface via module augmentation to enable
+ * type-safe scope names across the application.
+ *
+ * @example
+ * ```ts
+ * declare module '@julr/sesame/types' {
+ *   interface SesameScopes extends InferScopes<typeof sesameConfig> {}
+ * }
+ * ```
+ */
+export interface SesameScopes {
+}
+/**
+ * Resolved scope type. When `SesameScopes` is augmented, narrows
+ * to the declared scope keys. Otherwise falls back to `string`.
+ */
+export type Scope = keyof SesameScopes extends never ? string : keyof SesameScopes & string;
+/**
+ * Extract scope keys from a config object returned by `defineConfig`.
+ * Use with `declare module` to propagate type-safe scopes globally.
+ */
+export type InferScopes<T extends {
+    scopes: Record<string, string>;
+}> = {
+    [K in keyof T['scopes'] & string]: true;
+};
 /**
  * Supported grant types for v1 (MCP-focused).
  *
@@ -55,6 +82,12 @@ export interface SesameConfig {
      * Defaults to '10m'.
      */
     authorizationCodeTtl?: string;
+    /**
+     * Pending authorization request TTL as a string duration.
+     * Controls how long a user has to approve/deny a consent screen.
+     * Defaults to `authorizationCodeTtl` (typically '10m').
+     */
+    authorizationRequestTtl?: string;
     /**
      * Route or URL where unauthenticated users are redirected
      * to log in during the authorization flow. Can be a string
@@ -94,6 +127,7 @@ export interface ResolvedSesameConfig {
     accessTokenTtl: string;
     refreshTokenTtl: string;
     authorizationCodeTtl: string;
+    authorizationRequestTtl: string;
     loginPage: string | ((ctx: HttpContext, params: URLSearchParams) => string);
     consentPage: string | ((ctx: HttpContext, params: URLSearchParams) => string);
     allowDynamicRegistration: boolean;

package/build/stubs/config/sesame.stub

@@ -1,7 +1,8 @@
 {{{
-  exports: { defineConfig: 'import { defineConfig } from \'@adonisjs/sesame\'' }
+  exports: { defineConfig: 'import { defineConfig } from \'@julr/sesame\'' }
 }}}
 import env from '#start/env'
+import type { InferScopes } from '@julr/sesame/types'
 
 const sesameConfig = defineConfig({
   issuer: env.get('APP_URL'),
@@ -28,3 +29,7 @@ const sesameConfig = defineConfig({
 })
 
 export default sesameConfig
+
+declare module '@julr/sesame/types' {
+  interface SesameScopes extends InferScopes<typeof sesameConfig> {}
+}

package/build/stubs/migrations/create_oauth_pending_authorization_requests_table.stub

@@ -0,0 +1,32 @@
+{{{
+  exports: { migration: "import { BaseSchema } from '@adonisjs/lucid/schema'" }
+}}}
+
+export default class extends BaseSchema {
+  protected tableName = 'oauth_pending_authorization_requests'
+
+  async up() {
+    this.schema.createTable(this.tableName, (table) => {
+      table.uuid('id').primary()
+      table.string('token').notNullable().index()
+      table
+        .string('client_id')
+        .notNullable()
+        .references('client_id')
+        .inTable('oauth_clients')
+        .onDelete('CASCADE')
+      table.string('user_id').notNullable()
+      table.json('scopes').notNullable()
+      table.text('redirect_uri').notNullable()
+      table.string('state').nullable()
+      table.string('code_challenge').nullable()
+      table.string('code_challenge_method').nullable()
+      table.timestamp('expires_at').notNullable()
+      table.timestamp('created_at').notNullable()
+    })
+  }
+
+  async down() {
+    this.schema.dropTable(this.tableName)
+  }
+}

package/build/{token_controller-C9wh813f.js → token_controller-ll9sjcvn.js}

@@ -1,12 +1,13 @@
-import "./decorate-2_8Ex77k.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-import { a as E_INVALID_REQUEST, i as E_INVALID_GRANT, l as E_UNSUPPORTED_GRANT_TYPE, n as E_INVALID_CLIENT, o as E_INVALID_SCOPE } from "./oauth_error-BQPqV-MV.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as TokenService } from "./token_service-Czz9v5GI.js";
-import { t as ClientService } from "./client_service-B9fD3ZGe.js";
+import { a as OAuthAuthorizationCode, o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
+import "./decorate-BKZEjPRg.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
+import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { t as TokenService } from "./token_service-fhoA4slP.js";
+import { t as ClientService } from "./client_service-BqPSlaTS.js";
 import { DateTime } from "luxon";
 import { createHash } from "node:crypto";
+import string from "@adonisjs/core/helpers/string";
 import vine from "@vinejs/vine";
 const codeVerifierValidator = vine.create({ code_verifier: vine.string().minLength(43).maxLength(128).regex(/^[A-Za-z0-9\-._~]+$/) });
 async function handleAuthorizationCodeGrant(ctx, manager) {
@@ -59,7 +60,7 @@ async function handleAuthorizationCodeGrant(ctx, manager) {
 	let refreshTokenRaw;
 	if (authCode.scopes.includes("offline_access")) {
 		const { raw, hash } = tokenService.createRefreshToken();
-		const refreshTtl = manager.parseTtl(manager.config.refreshTokenTtl);
+		const refreshTtl = string.seconds.parse(manager.config.refreshTokenTtl);
 		await OAuthRefreshToken.create({
 			id: crypto.randomUUID(),
 			token: hash,
@@ -74,7 +75,7 @@ async function handleAuthorizationCodeGrant(ctx, manager) {
 	return {
 		access_token: accessTokenRaw,
 		token_type: "Bearer",
-		expires_in: manager.parseTtl(manager.config.accessTokenTtl),
+		expires_in: string.seconds.parse(manager.config.accessTokenTtl),
 		scope: authCode.scopes.join(" "),
 		...refreshTokenRaw ? { refresh_token: refreshTokenRaw } : {}
 	};
@@ -132,7 +133,7 @@ async function handleRefreshTokenGrant(ctx, manager) {
 		expiresAt: DateTime.fromJSDate(expiresAt)
 	});
 	const { raw: newRefreshTokenRaw, hash: newRefreshTokenHash } = tokenService.createRefreshToken();
-	const refreshTtl = manager.parseTtl(manager.config.refreshTokenTtl);
+	const refreshTtl = string.seconds.parse(manager.config.refreshTokenTtl);
 	await OAuthRefreshToken.create({
 		id: crypto.randomUUID(),
 		token: newRefreshTokenHash,
@@ -145,7 +146,7 @@ async function handleRefreshTokenGrant(ctx, manager) {
 	return {
 		access_token: accessTokenRaw,
 		token_type: "Bearer",
-		expires_in: manager.parseTtl(manager.config.accessTokenTtl),
+		expires_in: string.seconds.parse(manager.config.accessTokenTtl),
 		scope: scopes.join(" "),
 		refresh_token: newRefreshTokenRaw
 	};

package/build/{token_service-Czz9v5GI.js → token_service-fhoA4slP.js}

@@ -1,4 +1,5 @@
 import { createHash, randomBytes } from "node:crypto";
+import string from "@adonisjs/core/helpers/string";
 var TokenService = class {
 	#manager;
 	constructor(manager) {
@@ -6,7 +7,7 @@ var TokenService = class {
 	}
 	createAccessToken() {
 		const raw = this.generateOpaqueToken();
-		const ttlSeconds = this.#manager.parseTtl(this.#manager.config.accessTokenTtl);
+		const ttlSeconds = string.seconds.parse(this.#manager.config.accessTokenTtl);
 		return {
 			raw,
 			hash: this.hashToken(raw),

package/build/{user_provider-B3rXEUT3.js → user_provider-DXAOfv8-.js}

@@ -1,6 +1,6 @@
-import { t as OAuthAccessToken } from "./oauth_access_token-BpG8sq-c.js";
-import { t as OAuthClient } from "./oauth_client-eh0e5ql-.js";
-import { t as TokenService } from "./token_service-Czz9v5GI.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { t as TokenService } from "./token_service-fhoA4slP.js";
 import { DateTime } from "luxon";
 import { RuntimeException } from "@adonisjs/core/exceptions";
 import { errors } from "@adonisjs/auth";

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@julr/sesame",
   "description": "OAuth 2.1 + OIDC server for AdonisJS",
-  "version": "0.1.0",
+  "version": "0.2.1",
   "engines": {
     "node": ">=24.0.0"
   },
@@ -18,6 +18,8 @@
     "./types": "./build/src/types.js",
     "./sesame_provider": "./build/providers/sesame_provider.js",
     "./guard": "./build/src/guard/main.js",
+    "./scope_middleware": "./build/src/middleware/scope_middleware.js",
+    "./any_scope_middleware": "./build/src/middleware/any_scope_middleware.js",
     "./commands/*": "./build/commands/*.js",
     "./commands": "./build/commands/main.js"
   },
@@ -57,6 +59,7 @@
     "@adonisjs/prettier-config": "^1.4.5",
     "@adonisjs/tsconfig": "^2.0.0",
     "@japa/assert": "^4.2.0",
+    "@japa/expect-type": "^2.0.4",
     "@japa/runner": "^5.3.0",
     "@poppinss/ts-exec": "^1.4.4",
     "@release-it/conventional-changelog": "^10.0.5",
@@ -94,7 +97,9 @@
       "./configure.ts",
       "./providers/sesame_provider.ts",
       "./src/guard/main.ts",
-      "./commands/sesame_purge.ts"
+      "./commands/sesame_purge.ts",
+      "./src/middleware/scope_middleware.ts",
+      "./src/middleware/any_scope_middleware.ts"
     ],
     "outDir": "./build",
     "clean": true,

package/build/main-kn40V-hF.js

@@ -1,2 +0,0 @@
-const stubsRoot = import.meta.dirname;
-export { stubsRoot as t };

package/build/metadata_controller-BSRRElQX.js

@@ -1,51 +0,0 @@
-import "./decorate-2_8Ex77k.js";
-import "./oauth_access_token-BpG8sq-c.js";
-import { t as SesameManager } from "./sesame_manager-B4tO2PLO.js";
-var MetadataController = class {
-	async authServer(ctx) {
-		const manager = await ctx.containerResolver.make(SesameManager);
-		const issuer = manager.config.issuer;
-		ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
-		return {
-			issuer,
-			authorization_endpoint: `${issuer}/oauth/authorize`,
-			token_endpoint: `${issuer}/oauth/token`,
-			registration_endpoint: manager.config.allowDynamicRegistration ? `${issuer}/oauth/register` : void 0,
-			introspection_endpoint: `${issuer}/oauth/introspect`,
-			revocation_endpoint: `${issuer}/oauth/revoke`,
-			response_types_supported: ["code"],
-			response_modes_supported: ["query"],
-			grant_types_supported: manager.config.grantTypes,
-			token_endpoint_auth_methods_supported: [
-				"none",
-				"client_secret_basic",
-				"client_secret_post"
-			],
-			introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
-			revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
-			code_challenge_methods_supported: ["S256"],
-			authorization_response_iss_parameter_supported: true
-		};
-	}
-	async oidc(ctx) {
-		const base = await this.authServer(ctx);
-		const manager = await ctx.containerResolver.make(SesameManager);
-		return {
-			...base,
-			subject_types_supported: ["public"],
-			scopes_supported: Object.keys(manager.config.scopes)
-		};
-	}
-	async protectedResource(ctx) {
-		const manager = await ctx.containerResolver.make(SesameManager);
-		const issuer = manager.config.issuer;
-		ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
-		return {
-			resource: issuer,
-			authorization_servers: [issuer],
-			scopes_supported: Object.keys(manager.config.scopes),
-			bearer_methods_supported: ["header"]
-		};
-	}
-};
-export { MetadataController as default };

package/build/rolldown-runtime-BASaM9lw.js

@@ -1,12 +0,0 @@
-import "node:module";
-var __defProp = Object.defineProperty;
-var __exportAll = (all, no_symbols) => {
-	let target = {};
-	for (var name in all) __defProp(target, name, {
-		get: all[name],
-		enumerable: true
-	});
-	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
-	return target;
-};
-export { __exportAll as t };

package/build/routes-D6QCu0Pz.js

@@ -1,43 +0,0 @@
-import { t as __exportAll } from "./rolldown-runtime-BASaM9lw.js";
-var routes_exports = /* @__PURE__ */ __exportAll({
-	registerProtectedResource: () => registerProtectedResource,
-	registerRoutes: () => registerRoutes
-});
-const controllers = {
-	token: () => import("./token_controller-C9wh813f.js"),
-	authorize: () => import("./authorize_controller-CUdEDNEi.js"),
-	consent: () => import("./consent_controller-DFfx7qVs.js"),
-	introspect: () => import("./introspect_controller-BzwfaUUE.js"),
-	revoke: () => import("./revoke_controller-CNIgNKH3.js"),
-	register: () => import("./register_controller-BA7uQAgt.js"),
-	metadata: () => import("./metadata_controller-BSRRElQX.js"),
-	clientInfo: () => import("./client_info_controller-DeIVcW8B.js")
-};
-function registerRoutes(router) {
-	router.post("/oauth/token", [controllers.token]).as("sesame.token");
-	router.get("/oauth/authorize", [controllers.authorize]).as("sesame.authorize");
-	router.post("/oauth/consent", [controllers.consent]).as("sesame.consent");
-	router.get("/oauth/client-info", [controllers.clientInfo]).as("sesame.clientInfo");
-	router.post("/oauth/introspect", [controllers.introspect]).as("sesame.introspect");
-	router.post("/oauth/revoke", [controllers.revoke]).as("sesame.revoke");
-	router.post("/oauth/register", [controllers.register]).as("sesame.register");
-	router.get("/.well-known/oauth-authorization-server", [controllers.metadata, "authServer"]).as("sesame.metadata.authServer");
-	router.get("/.well-known/openid-configuration", [controllers.metadata, "oidc"]).as("sesame.metadata.oidc");
-	router.get("/.well-known/oauth-protected-resource", [controllers.metadata, "protectedResource"]).as("sesame.metadata.protectedResource");
-}
-function registerProtectedResource(router, options) {
-	const wellKnownPath = `/.well-known/oauth-protected-resource${options.resource}`;
-	router.get(wellKnownPath, async (ctx) => {
-		const { SesameManager } = await import("./sesame_manager-B4tO2PLO.js").then((n) => n.n);
-		const manager = await ctx.containerResolver.make(SesameManager);
-		const issuer = manager.config.issuer;
-		ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
-		return {
-			resource: `${issuer}${options.resource}`,
-			authorization_servers: [issuer],
-			scopes_supported: options.scopes ?? Object.keys(manager.config.scopes),
-			bearer_methods_supported: ["header"]
-		};
-	});
-}
-export { registerRoutes as n, routes_exports as r, registerProtectedResource as t };