@julr/sesame 0.2.0 → 0.2.1

package/README.md

@@ -1,130 +1,211 @@
-# AdonisJS package starter kit
+# Sésame
 
-> [!note]
-> This starter kit targets **AdonisJS v7**
+> OAuth 2.1 + OIDC server for AdonisJS
 
-> A boilerplate for creating AdonisJS packages
+Sésame is an AdonisJS package that turns your application into a full-featured OAuth 2.1 authorization server. It implements the core OAuth 2.1 specification along with OIDC discovery, token introspection, dynamic client registration, and MCP (Model Context Protocol) support.
 
-This repo provides you with a starting point for creating AdonisJS packages. Of course, you can create a package from scratch with your folder structure and workflow. However, using this starter kit can speed up the process, as you have fewer decisions to make.
+## Features
 
-## Setup
+- **Authorization Code Grant** with PKCE (S256)
+- **Refresh Token Rotation** with replay detection
+- **Token Introspection** (RFC 7662) and **Revocation** (RFC 7009)
+- **Dynamic Client Registration** (RFC 7591)
+- **OIDC Discovery** (`/.well-known/openid-configuration`)
+- **OAuth Server Metadata** (RFC 8414)
+- **Protected Resource Metadata** (RFC 9728) for MCP servers
+- **Type-safe scopes** via module augmentation
+- **OAuth guard** for `@adonisjs/auth` with scope-checking middleware
+- **Token cleanup** via `sesame:purge` Ace command
 
-- Clone the repo on your computer, or use `giget` to download this repo without the Git history.
-  ```sh
-  npx giget@latest gh:adonisjs/pkg-starter-kit
-  ```
-- Install dependencies.
-- Update the `package.json` file and define the `name`, `description`, `keywords`, and `author` properties.
-- The repo is configured with an MIT license. Feel free to change that if you are not publishing under the MIT license.
+## Installation
 
-## Folder structure
+```bash
+node ace add @julr/sesame
+```
 
-The starter kit mimics the folder structure of the official packages. Feel free to rename files and folders as per your requirements.
+This will:
+- Publish the configuration file to `config/sesame.ts`
+- Publish database migrations (6 tables)
+- Register the service provider and commands
 
-```
-├── providers
-├── src
-├── bin
-├── stubs
-├── configure.ts
-├── index.ts
-├── LICENSE.md
-├── package.json
-├── README.md
-├── tsconfig.json
-├── tsnode.esm.js
+Then run the migrations:
+
+```bash
+node ace migration:run
 ```
 
-- The `configure.ts` file exports the `configure` hook to configure the package using the `node ace configure` command.
-- The `index.ts` file is the main entry point of the package.
-- The `tsnode.esm.js` file runs TypeScript code using TS-Node + SWC. Please read the code comment in this file to learn more.
-- The `bin` directory contains the entry point file to run Japa tests.
-- Learn more about [the `providers` directory](./providers/README.md).
-- Learn more about [the `src` directory](./src/README.md).
-- Learn more about [the `stubs` directory](./stubs/README.md).
+## Configuration
 
-### File system naming convention
+The configuration file lives at `config/sesame.ts`:
 
-We use `snake_case` naming conventions for the file system. The rule is enforced using ESLint. However, turn off the rule and use your preferred naming conventions.
+```ts
+import env from '#start/env'
+import { defineConfig } from '@julr/sesame'
+import type { InferScopes } from '@julr/sesame/types'
 
-## Peer dependencies
+const sesameConfig = defineConfig({
+  issuer: env.get('APP_URL'),
 
-The starter kit has a peer dependency on `@adonisjs/core@6`. Since you are creating a package for AdonisJS, you must make it against a specific version of the framework core.
+  scopes: {
+    'read': 'Read access',
+    'write': 'Write access',
+  },
 
-If your package needs Lucid to be functional, you may install `@adonisjs/lucid` as a development dependency and add it to the list of `peerDependencies`.
+  defaultScopes: ['read'],
 
-As a rule of thumb, packages installed in the user application should be part of the `peerDependencies` of your package and not the main dependency.
+  grantTypes: ['authorization_code', 'refresh_token'],
 
-For example, if you install `@adonisjs/core` as a main dependency, then essentially, you are importing a separate copy of `@adonisjs/core` and not sharing the one from the user application. Here is a great article explaining [peer dependencies](https://blog.bitsrc.io/understanding-peer-dependencies-in-javascript-dbdb4ab5a7be).
+  accessTokenTtl: '1h',
+  refreshTokenTtl: '30d',
+  authorizationCodeTtl: '10m',
 
-## Published files
+  loginPage: '/login',
+  consentPage: '/oauth/consent',
 
-Instead of publishing your repo's source code to npm, you must cherry-pick files and folders to publish only the required files.
+  allowDynamicRegistration: false,
+  allowPublicRegistration: false,
+})
 
-The cherry-picking uses the `files` property inside the `package.json` file. By default, we publish the following files and folders.
+export default sesameConfig
 
-```json
-{
-  "files": [
-    "build/src",
-    "build/providers",
-    "build/stubs",
-    "build/index.d.ts",
-    "build/index.js",
-    "build/configure.d.ts",
-    "build/configure.js"
-  ]
+declare module '@julr/sesame/types' {
+  interface SesameScopes extends InferScopes<typeof sesameConfig> {}
 }
 ```
 
-If you create additional folders or files, mention them inside the `files` array.
+The `SesameScopes` augmentation gives you type-safe scope names throughout your application.
+
+## Routes
+
+Register OAuth routes from your `start/routes.ts` file:
+
+```ts
+import { SesameManager } from '@julr/sesame'
+
+const sesame = await app.container.make(SesameManager)
+
+// OAuth endpoints under /oauth
+router.group(() => {
+  sesame.registerRoutes(router)
+}).prefix('/oauth')
+
+// Discovery endpoints at the root
+sesame.registerWellKnownRoutes(router)
+```
+
+This registers the following endpoints:
+
+| Method | Path                                      | Description                            |
+| ------ | ----------------------------------------- | -------------------------------------- |
+| `POST` | `/oauth/token`                            | Token endpoint                         |
+| `GET`  | `/oauth/authorize`                        | Authorization endpoint                 |
+| `POST` | `/oauth/consent`                          | Consent submission                     |
+| `POST` | `/oauth/introspect`                       | Token introspection (RFC 7662)         |
+| `POST` | `/oauth/revoke`                           | Token revocation (RFC 7009)            |
+| `POST` | `/oauth/register`                         | Dynamic client registration (RFC 7591) |
+| `GET`  | `/oauth/client-info`                      | Public client info                     |
+| `GET`  | `/.well-known/oauth-authorization-server` | Server metadata (RFC 8414)             |
+| `GET`  | `/.well-known/openid-configuration`       | OIDC discovery                         |
+
+## Authentication Guard
+
+Sésame provides an OAuth guard for `@adonisjs/auth`. Configure it in `config/auth.ts`:
+
+```ts
+import { oauthGuard, oauthUserProvider } from '@julr/sesame/guard'
+import User from '#models/user'
+
+const authConfig = defineConfig({
+  default: 'web',
+  guards: {
+    // ...your other guards
+    oauth: oauthGuard({
+      provider: oauthUserProvider({ model: () => import('#models/user') }),
+    }),
+  },
+})
+```
 
-## Exports
+Then use it in your controllers:
 
-[Node.js Subpath exports](https://nodejs.org/api/packages.html#subpath-exports) allows you to define the exports of your package regardless of the folder structure. This starter kit defines the following exports.
+```ts
+export default class ApiController {
+  async index({ auth }: HttpContext) {
+    const guard = auth.use('oauth')
+    await guard.authenticate()
 
-```json
-{
-  "exports": {
-    ".": "./build/index.js",
-    "./types": "./build/src/types.js"
+    const user = auth.user!
+    const scopes = guard.scopes
   }
 }
 ```
 
-- The dot `.` export is the main export.
-- The `./types` exports all the types defined inside the `./build/src/types.js` file (the compiled output).
+## Scope Middleware
+
+Two named middleware are available for checking scopes on authenticated requests:
+
+```ts
+// Requires ALL listed scopes
+router
+  .get('/admin', [AdminController])
+  .use(middleware.scopes({ scopes: ['admin', 'write'] }))
 
-Feel free to change the exports as per your requirements.
+// Requires AT LEAST ONE of the listed scopes
+router
+  .get('/data', [DataController])
+  .use(middleware.anyScope({ scopes: ['read', 'write'] }))
+```
 
-## Testing
+## MCP Support
 
-We configure the [Japa test runner](https://japa.dev/) with this starter kit. Japa is used in AdonisJS applications as well. Just run one of the following commands to execute tests.
+For MCP (Model Context Protocol) servers, register per-resource discovery:
 
-- `npm run test`: This command will first lint the code using ESlint and then run tests and report the test coverage using [c8](https://github.com/bcoe/c8).
-- `npm run quick:test`: Runs only the tests without linting or coverage reporting.
+```ts
+sesame.registerProtectedResource(router, {
+  resource: '/api/mcp',
+  scopes: ['read:mcp'],
+})
+```
 
-The starter kit also has a Github workflow file to run tests using Github Actions. The tests are executed against `Node.js 20.x` and `Node.js 21.x` versions on both Linux and Windows. Feel free to edit the workflow file in the `.github/workflows` directory.
+This creates a `/.well-known/oauth-protected-resource/api/mcp` endpoint following RFC 9728.
 
-## TypeScript workflow
+You can also enable public client registration for MCP clients:
 
-- The starter kit uses [tsc](https://www.typescriptlang.org/docs/handbook/compiler-options.html) for compiling the TypeScript to JavaScript when publishing the package.
-- [TS-Node](https://typestrong.org/ts-node/) and [SWC](https://swc.rs/) are used to run tests without compiling the source code.
-- The `tsconfig.json` file is extended from [`@adonisjs/tsconfig`](https://github.com/adonisjs/tooling-config/tree/main/packages/typescript-config) and uses the `NodeNext` module system. Meaning the packages are written using ES modules.
-- You can perform type checking without compiling the source code using the `npm run type check` script.
+```ts
+const sesameConfig = defineConfig({
+  // ...
+  allowDynamicRegistration: true,
+  allowPublicRegistration: true,
+})
+```
 
-Feel free to explore the `tsconfig.json` file for all the configured options.
+## Token Cleanup
 
-## ESLint and Prettier setup
+Purge expired and revoked tokens with the Ace command:
+
+```bash
+node ace sesame:purge
+node ace sesame:purge --revoked-only
+node ace sesame:purge --expired-only
+node ace sesame:purge --retention-hours=168
+```
+
+You can also call it programmatically:
+
+```ts
+const sesame = await app.container.make(SesameManager)
+const result = await sesame.purgeTokens({ retentionHours: 168 })
+```
 
-The starter kit configures ESLint and Prettier
-using our [shared config](https://github.com/adonisjs/tooling-config/tree/main/packages).
-ESLint configuration is stored within the `eslint.config.js` file.
-Prettier configuration is stored within the `package.json` file.
-Feel free to change the configuration, use custom plugins, or remove both tools altogether.
+## Security
 
-## Using Stale bot
+- Tokens (access, refresh, authorization codes, client secrets) are stored as **SHA-256 hashes** — raw values are never persisted
+- PKCE with **S256** is required for public clients
+- Refresh tokens use **rotation** — the old token is revoked on each use
+- **Replay detection**: if a revoked refresh token is reused, all tokens for that client+user pair are revoked
+- Client secret verification uses **timing-safe comparison**
+- OAuth errors follow the standard JSON format with proper HTTP status codes and `WWW-Authenticate` headers
 
-The [Stale bot](https://github.com/apps/stale) is a Github application that automatically marks issues and PRs as stale and closes after a specific duration of inactivity.
+## License
 
-Feel free to delete the `.github/stale.yml` and `.github/lock.yml` files if you decide not to use the Stale bot.
+MIT

package/build/{authorize_controller-D3Kau97j.js → authorize_controller-BNWhlPZQ.js}

@@ -1,11 +1,12 @@
+import { a as OAuthAuthorizationCode, i as OAuthConsent, r as OAuthPendingAuthorizationRequest, t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
-import { a as OAuthAuthorizationCode, i as OAuthConsent, r as OAuthPendingAuthorizationRequest, t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
-import { a as E_INVALID_REQUEST, n as E_INVALID_CLIENT, u as E_UNSUPPORTED_RESPONSE_TYPE } from "./oauth_error-BOn0846g.js";
-import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
-import { t as TokenService } from "./token_service-BLKxKIHI.js";
-import { t as ClientService } from "./client_service-DrkqOh37.js";
+import { d as E_UNSUPPORTED_RESPONSE_TYPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { t as TokenService } from "./token_service-fhoA4slP.js";
+import { t as ClientService } from "./client_service-BqPSlaTS.js";
 import { DateTime } from "luxon";
+import string from "@adonisjs/core/helpers/string";
 import vine from "@vinejs/vine";
 var AuthorizeController = class AuthorizeController {
 	static validator = vine.create({
@@ -28,7 +29,7 @@ var AuthorizeController = class AuthorizeController {
 	async #buildAuthorizationRequestParams(manager, options) {
 		const tokenService = new TokenService(manager);
 		const rawRequestToken = tokenService.generateOpaqueToken();
-		const ttl = manager.parseTtl(manager.config.authorizationRequestTtl);
+		const ttl = string.seconds.parse(manager.config.authorizationRequestTtl);
 		await OAuthPendingAuthorizationRequest.create({
 			id: crypto.randomUUID(),
 			token: tokenService.hashToken(rawRequestToken),
@@ -59,7 +60,7 @@ var AuthorizeController = class AuthorizeController {
 		const tokenService = new TokenService(manager);
 		const raw = tokenService.generateOpaqueToken();
 		const hashed = tokenService.hashToken(raw);
-		const ttl = manager.parseTtl(manager.config.authorizationCodeTtl);
+		const ttl = string.seconds.parse(manager.config.authorizationCodeTtl);
 		await OAuthAuthorizationCode.create({
 			id: crypto.randomUUID(),
 			code: hashed,

package/build/{client_info_controller-CSipLLoV.js → client_info_controller-BucHGx4u.js}

@@ -1,6 +1,6 @@
 import "./decorate-BKZEjPRg.js";
-import { a as E_INVALID_REQUEST, n as E_INVALID_CLIENT } from "./oauth_error-BOn0846g.js";
-import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
+import { o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import vine from "@vinejs/vine";
 var ClientInfoController = class ClientInfoController {
 	static validator = vine.create({ client_id: vine.string() });

package/build/{client_service-DrkqOh37.js → client_service-BqPSlaTS.js}

@@ -1,4 +1,4 @@
-import { o as E_INVALID_SCOPE } from "./oauth_error-BOn0846g.js";
+import { s as E_INVALID_SCOPE } from "./oauth_error-CnJ3L8tf.js";
 import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
 var ClientService = class {
 	parseBasicAuth(header) {

package/build/commands/sesame_purge.js

@@ -1,6 +1,6 @@
+import { t as SesameManager } from "../sesame_manager-CFq4VEIZ.js";
 import { t as __decorate } from "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
-import { t as SesameManager } from "../sesame_manager-CA7dOGwg.js";
 import { BaseCommand, flags } from "@adonisjs/core/ace";
 var SesamePurge = class extends BaseCommand {
 	static commandName = "sesame:purge";

package/build/configure.js

@@ -14,5 +14,12 @@ async function configure(command) {
 	await codemods.updateRcFile((rcFile) => {
 		rcFile.addProvider("@julr/sesame/sesame_provider").addCommand("@julr/sesame/commands");
 	});
+	await codemods.registerMiddleware("named", [{
+		name: "scopes",
+		path: "@julr/sesame/scope_middleware"
+	}, {
+		name: "anyScope",
+		path: "@julr/sesame/any_scope_middleware"
+	}]);
 }
 export { configure };

package/build/{consent_controller-DXayMjAi.js → consent_controller-COvvkpHM.js}

@@ -1,10 +1,11 @@
+import { a as OAuthAuthorizationCode, i as OAuthConsent, r as OAuthPendingAuthorizationRequest, t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
-import { a as OAuthAuthorizationCode, i as OAuthConsent, r as OAuthPendingAuthorizationRequest, t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
-import { a as E_INVALID_REQUEST, i as E_INVALID_GRANT, n as E_INVALID_CLIENT } from "./oauth_error-BOn0846g.js";
-import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
-import { t as TokenService } from "./token_service-BLKxKIHI.js";
+import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { t as TokenService } from "./token_service-fhoA4slP.js";
 import { DateTime } from "luxon";
+import string from "@adonisjs/core/helpers/string";
 import vine from "@vinejs/vine";
 var ConsentController = class ConsentController {
 	static validator = vine.create({ auth_token: vine.string() });
@@ -19,7 +20,7 @@ var ConsentController = class ConsentController {
 		const tokenService = new TokenService(manager);
 		const raw = tokenService.generateOpaqueToken();
 		const hashed = tokenService.hashToken(raw);
-		const ttl = manager.parseTtl(manager.config.authorizationCodeTtl);
+		const ttl = string.seconds.parse(manager.config.authorizationCodeTtl);
 		await OAuthAuthorizationCode.create({
 			id: crypto.randomUUID(),
 			code: hashed,

package/build/index.d.ts

@@ -1,7 +1,7 @@
 export { configure } from './configure.ts';
 export { defineConfig } from './src/define_config.ts';
 export { SesameManager } from './src/sesame_manager.ts';
-export { OAuthError, E_INVALID_REQUEST, E_INVALID_CLIENT, E_INVALID_GRANT, E_INVALID_SCOPE, E_INVALID_TOKEN, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, E_ACCESS_DENIED, E_INVALID_CLIENT_METADATA, E_SERVER_ERROR, } from './src/oauth_error.ts';
+export { OAuthError, E_INVALID_REQUEST, E_INVALID_CLIENT, E_INVALID_GRANT, E_INVALID_SCOPE, E_INVALID_TOKEN, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, E_ACCESS_DENIED, E_INVALID_CLIENT_METADATA, E_SERVER_ERROR, E_INSUFFICIENT_SCOPE, } from './src/oauth_error.ts';
 export { OAuthClient } from './src/models/oauth_client.ts';
 export { OAuthAccessToken } from './src/models/oauth_access_token.ts';
 export { OAuthRefreshToken } from './src/models/oauth_refresh_token.ts';
@@ -10,4 +10,3 @@ export { OAuthConsent } from './src/models/oauth_consent.ts';
 export { OAuthGuard } from './src/guard/guard.ts';
 export { OAuthLucidUserProvider } from './src/guard/user_provider.ts';
 export { oauthGuard, oauthUserProvider } from './src/guard/main.ts';
-export { registerRoutes, registerProtectedResource } from './src/routes.ts';

package/build/index.js

@@ -1,13 +1,12 @@
+import { a as OAuthAuthorizationCode, i as OAuthConsent, o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
 import { configure } from "./configure.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { a as OAuthAuthorizationCode, i as OAuthConsent, o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
-import { a as E_INVALID_REQUEST, c as E_SERVER_ERROR, d as OAuthError, i as E_INVALID_GRANT, l as E_UNSUPPORTED_GRANT_TYPE, n as E_INVALID_CLIENT, o as E_INVALID_SCOPE, r as E_INVALID_CLIENT_METADATA, s as E_INVALID_TOKEN, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_RESPONSE_TYPE } from "./oauth_error-BOn0846g.js";
-import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
-import "./token_service-BLKxKIHI.js";
-import { n as OAuthGuard, t as OAuthLucidUserProvider } from "./user_provider-CQczt8_g.js";
+import { a as E_INVALID_GRANT, c as E_INVALID_TOKEN, d as E_UNSUPPORTED_RESPONSE_TYPE, f as OAuthError, i as E_INVALID_CLIENT_METADATA, l as E_SERVER_ERROR, n as E_INSUFFICIENT_SCOPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import "./token_service-fhoA4slP.js";
+import { n as OAuthGuard, t as OAuthLucidUserProvider } from "./user_provider-DXAOfv8-.js";
 import { oauthGuard, oauthUserProvider } from "./src/guard/main.js";
-import { n as registerRoutes, t as registerProtectedResource } from "./routes-qYJLHjeB.js";
 function defineConfig(config) {
 	return {
 		issuer: config.issuer,
@@ -24,4 +23,4 @@ function defineConfig(config) {
 		allowPublicRegistration: config.allowPublicRegistration ?? false
 	};
 }
-export { E_ACCESS_DENIED, E_INVALID_CLIENT, E_INVALID_CLIENT_METADATA, E_INVALID_GRANT, E_INVALID_REQUEST, E_INVALID_SCOPE, E_INVALID_TOKEN, E_SERVER_ERROR, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, OAuthAccessToken, OAuthAuthorizationCode, OAuthClient, OAuthConsent, OAuthError, OAuthGuard, OAuthLucidUserProvider, OAuthRefreshToken, SesameManager, configure, defineConfig, oauthGuard, oauthUserProvider, registerProtectedResource, registerRoutes };
+export { E_ACCESS_DENIED, E_INSUFFICIENT_SCOPE, E_INVALID_CLIENT, E_INVALID_CLIENT_METADATA, E_INVALID_GRANT, E_INVALID_REQUEST, E_INVALID_SCOPE, E_INVALID_TOKEN, E_SERVER_ERROR, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, OAuthAccessToken, OAuthAuthorizationCode, OAuthClient, OAuthConsent, OAuthError, OAuthGuard, OAuthLucidUserProvider, OAuthRefreshToken, SesameManager, configure, defineConfig, oauthGuard, oauthUserProvider };

package/build/{introspect_controller-lK9gL03t.js → introspect_controller-JjAAXFIV.js}

@@ -1,10 +1,10 @@
+import { o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
-import { n as E_INVALID_CLIENT } from "./oauth_error-BOn0846g.js";
-import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
-import { t as TokenService } from "./token_service-BLKxKIHI.js";
-import { t as ClientService } from "./client_service-DrkqOh37.js";
+import { r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { t as TokenService } from "./token_service-fhoA4slP.js";
+import { t as ClientService } from "./client_service-BqPSlaTS.js";
 const INACTIVE = { active: false };
 var IntrospectController = class {
 	async handle(ctx) {

package/build/{metadata_controller-DMAahJkn.js → metadata_controller-BzCjyqUG.js}

@@ -1,18 +1,40 @@
+import { t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
-import { t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
+import { l as E_SERVER_ERROR } from "./oauth_error-CnJ3L8tf.js";
+const DISCOVERY_ROUTE_NAMES = {
+	authorization_endpoint: "sesame.authorize",
+	token_endpoint: "sesame.token",
+	registration_endpoint: "sesame.register",
+	introspection_endpoint: "sesame.introspect",
+	revocation_endpoint: "sesame.revoke"
+};
 var MetadataController = class {
+	#assertDiscoveryRoutes(router, options) {
+		const requiredRoutes = [
+			DISCOVERY_ROUTE_NAMES.authorization_endpoint,
+			DISCOVERY_ROUTE_NAMES.token_endpoint,
+			DISCOVERY_ROUTE_NAMES.introspection_endpoint,
+			DISCOVERY_ROUTE_NAMES.revocation_endpoint
+		];
+		if (options.includeRegistration) requiredRoutes.push(DISCOVERY_ROUTE_NAMES.registration_endpoint);
+		const missingRoutes = requiredRoutes.filter((routeName) => !router.has(routeName));
+		if (missingRoutes.length > 0) throw new E_SERVER_ERROR(`OAuth discovery is misconfigured. Missing named route(s): ${missingRoutes.join(", ")}. Register OAuth routes with sesame.registerRoutes(router) before exposing well-known metadata.`);
+	}
 	async authServer(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
+		const router = await ctx.containerResolver.make("router");
 		const issuer = manager.config.issuer;
+		const prefixUrl = issuer;
+		this.#assertDiscoveryRoutes(router, { includeRegistration: manager.config.allowDynamicRegistration });
 		ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
 		return {
 			issuer,
-			authorization_endpoint: `${issuer}/oauth/authorize`,
-			token_endpoint: `${issuer}/oauth/token`,
-			registration_endpoint: manager.config.allowDynamicRegistration ? `${issuer}/oauth/register` : void 0,
-			introspection_endpoint: `${issuer}/oauth/introspect`,
-			revocation_endpoint: `${issuer}/oauth/revoke`,
+			authorization_endpoint: router.makeUrl("sesame.authorize", {}, { prefixUrl }),
+			token_endpoint: router.makeUrl("sesame.token", {}, { prefixUrl }),
+			registration_endpoint: manager.config.allowDynamicRegistration ? router.makeUrl("sesame.register", {}, { prefixUrl }) : void 0,
+			introspection_endpoint: router.makeUrl("sesame.introspect", {}, { prefixUrl }),
+			revocation_endpoint: router.makeUrl("sesame.revoke", {}, { prefixUrl }),
 			response_types_supported: ["code"],
 			response_modes_supported: ["query"],
 			grant_types_supported: manager.config.grantTypes,

package/build/{oauth_error-BOn0846g.js → oauth_error-CnJ3L8tf.js}

@@ -75,4 +75,20 @@ const E_SERVER_ERROR = class extends OAuthError {
 	static message = "Server error";
 	static oauthCode = "server_error";
 };
-export { E_INVALID_REQUEST as a, E_SERVER_ERROR as c, OAuthError as d, E_INVALID_GRANT as i, E_UNSUPPORTED_GRANT_TYPE as l, E_INVALID_CLIENT as n, E_INVALID_SCOPE as o, E_INVALID_CLIENT_METADATA as r, E_INVALID_TOKEN as s, E_ACCESS_DENIED as t, E_UNSUPPORTED_RESPONSE_TYPE as u };
+const E_INSUFFICIENT_SCOPE = class extends OAuthError {
+	static status = 403;
+	static code = "E_INSUFFICIENT_SCOPE";
+	static message = "Insufficient scope";
+	static oauthCode = "insufficient_scope";
+	missingScopes;
+	constructor(missingScopes, message) {
+		super(message ?? "The token does not have the required scope(s)");
+		this.missingScopes = missingScopes;
+	}
+	handle(error, ctx) {
+		const scope = error.missingScopes.join(" ");
+		ctx.response.header("WWW-Authenticate", `Bearer error="insufficient_scope", error_description="${error.message}", scope="${scope}"`);
+		super.handle(error, ctx);
+	}
+};
+export { E_INVALID_GRANT as a, E_INVALID_TOKEN as c, E_UNSUPPORTED_RESPONSE_TYPE as d, OAuthError as f, E_INVALID_CLIENT_METADATA as i, E_SERVER_ERROR as l, E_INSUFFICIENT_SCOPE as n, E_INVALID_REQUEST as o, E_INVALID_CLIENT as r, E_INVALID_SCOPE as s, E_ACCESS_DENIED as t, E_UNSUPPORTED_GRANT_TYPE as u };

package/build/providers/sesame_provider.d.ts

@@ -1,10 +1,6 @@
 import type { ApplicationService } from '@adonisjs/core/types';
 /**
  * AdonisJS service provider for the Sésame OAuth 2.1 server.
- *
- * - `register()`: Binds `SesameManager` as a singleton in the IoC
- *   container, reading the resolved config from `config/sesame.ts`.
- * - `boot()`: Registers all OAuth routes on the AdonisJS router.
  */
 export default class SesameProvider {
     protected app: ApplicationService;
@@ -14,8 +10,4 @@ export default class SesameProvider {
      * The manager is resolved from the `sesame` config key.
      */
     register(): void;
-    /**
-     * Boot the provider by registering all OAuth 2.1 routes.
-     */
-    boot(): Promise<void>;
 }

package/build/providers/sesame_provider.js

@@ -1,6 +1,6 @@
+import { t as SesameManager } from "../sesame_manager-CFq4VEIZ.js";
 import "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
-import { t as SesameManager } from "../sesame_manager-CA7dOGwg.js";
 var SesameProvider = class {
 	constructor(app) {
 		this.app = app;
@@ -10,10 +10,5 @@ var SesameProvider = class {
 			return new SesameManager(this.app.config.get("sesame"));
 		});
 	}
-	async boot() {
-		const router = await this.app.container.make("router");
-		const { registerRoutes } = await import("../routes-qYJLHjeB.js").then((n) => n.r);
-		registerRoutes(router);
-	}
 };
 export { SesameProvider as default };

package/build/{register_controller-B0saLAuc.js → register_controller-DOlN9wNl.js}

@@ -1,9 +1,9 @@
+import { t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
-import { t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
-import { a as E_INVALID_REQUEST, o as E_INVALID_SCOPE, r as E_INVALID_CLIENT_METADATA, t as E_ACCESS_DENIED } from "./oauth_error-BOn0846g.js";
-import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
-import { t as ClientService } from "./client_service-DrkqOh37.js";
+import { i as E_INVALID_CLIENT_METADATA, o as E_INVALID_REQUEST, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { t as ClientService } from "./client_service-BqPSlaTS.js";
 import vine from "@vinejs/vine";
 const DANGEROUS_SCHEMES = [
 	"javascript:",

package/build/{revoke_controller-D0nl2hS5.js → revoke_controller-B281b8ZO.js}

@@ -1,10 +1,10 @@
+import { o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CFq4VEIZ.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { o as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-CA7dOGwg.js";
-import { n as E_INVALID_CLIENT } from "./oauth_error-BOn0846g.js";
-import { t as OAuthClient } from "./oauth_client-Cpppi0_7.js";
-import { t as TokenService } from "./token_service-BLKxKIHI.js";
-import { t as ClientService } from "./client_service-DrkqOh37.js";
+import { r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { t as TokenService } from "./token_service-fhoA4slP.js";
+import { t as ClientService } from "./client_service-BqPSlaTS.js";
 import { DateTime } from "luxon";
 var RevokeController = class {
 	async handle(ctx) {