@julr/sesame 0.3.0 → 0.4.0

package/README.md

@@ -84,11 +84,11 @@ import sesame from '@julr/sesame/services/main'
 
 // OAuth endpoints under /oauth
 router.group(() => {
-  sesame.registerRoutes(router)
+  sesame.registerRoutes()
 }).prefix('/oauth')
 
 // Discovery endpoints at the root
-sesame.registerWellKnownRoutes(router)
+sesame.registerWellKnownRoutes()
 ```
 
 This registers the following endpoints:
@@ -159,7 +159,7 @@ router
 For MCP (Model Context Protocol) servers, register per-resource discovery:
 
 ```ts
-sesame.registerProtectedResource(router, {
+sesame.registerProtectedResource({
   resource: '/api/mcp',
   scopes: ['read:mcp'],
 })

package/build/{authorize_controller-ekxbVGSh.js → authorize_controller-Bb54Bi_s.js}

@@ -1,10 +1,10 @@
-import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-2iG9p7_F.js";
+import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { d as E_UNSUPPORTED_RESPONSE_TYPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-BD1CDQuC.js";
 import { DateTime } from "luxon";
 import string from "@adonisjs/core/helpers/string";
 import vine from "@vinejs/vine";
@@ -130,6 +130,7 @@ var AuthorizeController = class AuthorizeController {
 			codeChallengeMethod: query.code_challenge_method
 		});
 		this.#copyAuthorizeDisplayParams(params, ctx.request.qs());
+		params.set("scope", requestedScopes.join(" "));
 		const consentPage = this.#resolvePageUrl(manager.config.consentPage, ctx, params);
 		return ctx.response.redirect().toPath(consentPage);
 	}

package/build/{client_service-BqPSlaTS.js → client_service-BD1CDQuC.js}

@@ -1,4 +1,5 @@
-import { s as E_INVALID_SCOPE } from "./oauth_error-CnJ3L8tf.js";
+import { o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
 var ClientService = class {
 	parseBasicAuth(header) {
@@ -16,16 +17,25 @@ var ClientService = class {
 		}
 	}
 	extractCredentials(options) {
-		if (options.authorizationHeader) {
-			const basic = this.parseBasicAuth(options.authorizationHeader);
-			if (basic) return basic;
-		}
+		const basic = options.authorizationHeader ? this.parseBasicAuth(options.authorizationHeader) : null;
+		if (basic && options.bodyClientId) throw new E_INVALID_REQUEST("Multiple client authentication methods are not allowed");
+		if (basic) return basic;
 		if (options.bodyClientId) return {
 			clientId: options.bodyClientId,
 			clientSecret: options.bodyClientSecret
 		};
 		return null;
 	}
+	async authenticateClient(options) {
+		const credentials = this.extractCredentials(options);
+		if (!credentials) throw new E_INVALID_CLIENT("Client authentication failed");
+		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
+		if (!client || client.isDisabled) throw new E_INVALID_CLIENT("Client authentication failed");
+		if (!client.isPublic) {
+			if (!credentials.clientSecret || !this.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Client authentication failed");
+		}
+		return client;
+	}
 	validateClientScopes(requestedScopes, clientScopes) {
 		if (clientScopes.length === 0 && requestedScopes.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${requestedScopes.join(", ")}`);
 		const allowedSet = new Set(clientScopes);

package/build/commands/sesame_purge.js

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "../sesame_manager-2iG9p7_F.js";
+import { t as SesameManager } from "../sesame_manager-BIHBwkqK.js";
 import { t as __decorate } from "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
 import { BaseCommand, flags } from "@adonisjs/core/ace";

package/build/{consent_controller-CqE3-kWO.js → consent_controller-gMuS9nSx.js}

@@ -1,4 +1,4 @@
-import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-2iG9p7_F.js";
+import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";

package/build/index.js

@@ -1,11 +1,11 @@
 import { configure } from "./configure.js";
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-2iG9p7_F.js";
+import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { a as E_INVALID_GRANT, c as E_INVALID_TOKEN, d as E_UNSUPPORTED_RESPONSE_TYPE, f as OAuthError, i as E_INVALID_CLIENT_METADATA, l as E_SERVER_ERROR, n as E_INSUFFICIENT_SCOPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import "./token_service-fhoA4slP.js";
-import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "./main-C6VqRjlK.js";
+import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "./main-BJRXMGrZ.js";
 function defineConfig(config) {
 	return {
 		issuer: config.issuer,

package/build/{introspect_controller-Dx3Hz87G.js → introspect_controller-bKg1T2Xx.js}

@@ -1,28 +1,19 @@
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-2iG9p7_F.js";
+import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import "./oauth_error-CnJ3L8tf.js";
+import "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-BD1CDQuC.js";
 const INACTIVE = { active: false };
 var IntrospectController = class {
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
-		const clientService = new ClientService();
-		const credentials = clientService.extractCredentials({
+		const client = await new ClientService().authenticateClient({
 			authorizationHeader: ctx.request.header("authorization"),
 			bodyClientId: ctx.request.body().client_id,
 			bodyClientSecret: ctx.request.body().client_secret
 		});
-		if (!credentials) throw new E_INVALID_CLIENT("Client authentication required");
-		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-		if (!client) throw new E_INVALID_CLIENT("Client not found");
-		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-		if (!client.isPublic) {
-			if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
-			if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
-		}
 		const token = ctx.request.body().token;
 		if (!token) return INACTIVE;
 		const tokenTypeHint = ctx.request.body().token_type_hint;

package/build/{main-C6VqRjlK.js → main-BJRXMGrZ.js}

@@ -60,11 +60,11 @@ var OAuthGuard = class {
 		const hashed = tokenService.hashToken(rawToken);
 		const record = await OAuthAccessToken.query().where("tokenHash", hashed).first();
 		if (!record) throw this.#authenticationFailed("Invalid or expired token", includeError);
-		if (record.revokedAt) throw this.#authenticationFailed("Token has been revoked", includeError);
+		if (record.revokedAt) throw this.#authenticationFailed("Invalid or expired token", includeError);
 		if (record.expiresAt.toJSDate() < /* @__PURE__ */ new Date()) throw this.#authenticationFailed("Invalid or expired token", includeError);
-		if (!record.userId) throw this.#authenticationFailed("M2M tokens are not supported", includeError);
+		if (!record.userId) throw this.#authenticationFailed("Invalid or expired token", includeError);
 		const providerUser = await this.#userProvider.findById(record.userId);
-		if (!providerUser) throw this.#authenticationFailed("User not found", includeError);
+		if (!providerUser) throw this.#authenticationFailed("Invalid or expired token", includeError);
 		this.isAuthenticated = true;
 		this.user = providerUser.getOriginal();
 		this.scopes = record.scopes;
@@ -150,7 +150,7 @@ var OAuthLucidUserProvider = class {
 function oauthGuard(config) {
 	return { async resolver(name, app) {
 		const emitter = await app.container.make("emitter");
-		const { SesameManager } = await import("./sesame_manager-BLmhC1jV.js");
+		const { SesameManager } = await import("./sesame_manager-BWqeaqn9.js");
 		const manager = await app.container.make(SesameManager);
 		return (ctx) => new OAuthGuard(name, ctx, emitter, config.provider, manager, config.resource);
 	} };

package/build/{metadata_controller-CrR-rU1y.js → metadata_controller-CGaKw3UM.js}

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "./sesame_manager-2iG9p7_F.js";
+import { t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { l as E_SERVER_ERROR } from "./oauth_error-CnJ3L8tf.js";
@@ -43,8 +43,16 @@ var MetadataController = class {
 				"client_secret_basic",
 				"client_secret_post"
 			],
-			introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
-			revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+			introspection_endpoint_auth_methods_supported: [
+				"none",
+				"client_secret_basic",
+				"client_secret_post"
+			],
+			revocation_endpoint_auth_methods_supported: [
+				"none",
+				"client_secret_basic",
+				"client_secret_post"
+			],
 			code_challenge_methods_supported: ["S256"],
 			authorization_response_iss_parameter_supported: true
 		};

package/build/providers/sesame_provider.js

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "../sesame_manager-2iG9p7_F.js";
+import { t as SesameManager } from "../sesame_manager-BIHBwkqK.js";
 import "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
 var SesameProvider = class {
@@ -6,8 +6,8 @@ var SesameProvider = class {
 		this.app = app;
 	}
 	register() {
-		this.app.container.singleton(SesameManager, () => {
-			return new SesameManager(this.app.config.get("sesame"));
+		this.app.container.singleton(SesameManager, async () => {
+			return new SesameManager(this.app.config.get("sesame"), await this.app.container.make("router"));
 		});
 	}
 };

package/build/{register_controller-B7IT9U1P.js → register_controller-CnzYR-iH.js}

@@ -1,9 +1,9 @@
-import { t as SesameManager } from "./sesame_manager-2iG9p7_F.js";
+import { t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { i as E_INVALID_CLIENT_METADATA, o as E_INVALID_REQUEST, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-BD1CDQuC.js";
 import vine from "@vinejs/vine";
 const DANGEROUS_SCHEMES = [
 	"javascript:",
@@ -35,24 +35,11 @@ const redirectUriRule = vine.createRule((value, _options, field) => {
 });
 const metadataUriRule = vine.createRule((value, _options, field) => {
 	const parsed = new URL(value);
-	if (DANGEROUS_SCHEMES.includes(parsed.protocol)) {
-		field.report("{{ field }} uses a disallowed scheme", "metadataUri", field);
-		return;
-	}
-	const redirectUris = field.data.redirect_uris ?? [];
-	const redirectOrigins = new Set(redirectUris.map((u) => {
-		try {
-			return new URL(u);
-		} catch {
-			return null;
-		}
-	}).filter(Boolean).map((u) => `${u.protocol}//${u.hostname}`));
-	const metaOrigin = `${parsed.protocol}//${parsed.hostname}`;
-	if (!redirectOrigins.has(metaOrigin)) field.report("{{ field }} host and scheme must match at least one redirect_uri", "metadataUri", field);
+	if (DANGEROUS_SCHEMES.includes(parsed.protocol)) field.report("{{ field }} uses a disallowed scheme", "metadataUri", field);
 });
 const metadataUrl = vine.string().url({ require_protocol: true }).use(metadataUriRule()).optional();
 var RegisterController = class RegisterController {
-	static validator = vine.create({
+	static validator = vine.create(vine.object({
 		redirect_uris: vine.array(vine.string().use(redirectUriRule())).minLength(1),
 		token_endpoint_auth_method: vine.string().in([
 			"client_secret_basic",
@@ -70,7 +57,7 @@ var RegisterController = class RegisterController {
 		contacts: vine.array(vine.string().email()).optional(),
 		software_id: vine.string().optional(),
 		software_version: vine.string().optional()
-	});
+	}).allowUnknownProperties());
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
 		if (!manager.config.allowDynamicRegistration) throw new E_ACCESS_DENIED("Dynamic client registration is disabled");

package/build/{revoke_controller-E15HmMCv.js → revoke_controller-dJtMG1zK.js}

@@ -1,28 +1,19 @@
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-2iG9p7_F.js";
+import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import "./oauth_error-CnJ3L8tf.js";
+import "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-BD1CDQuC.js";
 import { DateTime } from "luxon";
 var RevokeController = class {
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
-		const clientService = new ClientService();
-		const credentials = clientService.extractCredentials({
+		const client = await new ClientService().authenticateClient({
 			authorizationHeader: ctx.request.header("authorization"),
 			bodyClientId: ctx.request.body().client_id,
 			bodyClientSecret: ctx.request.body().client_secret
 		});
-		if (!credentials) throw new E_INVALID_CLIENT("Client authentication required");
-		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-		if (!client) throw new E_INVALID_CLIENT("Client not found");
-		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-		if (!client.isPublic) {
-			if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
-			if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
-		}
 		const token = ctx.request.body().token;
 		if (!token) return ctx.response.ok({});
 		const tokenTypeHint = ctx.request.body().token_type_hint;

package/build/services/main.js

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "../sesame_manager-2iG9p7_F.js";
+import { t as SesameManager } from "../sesame_manager-BIHBwkqK.js";
 import "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
 import app from "@adonisjs/core/services/app";

package/build/{sesame_manager-2iG9p7_F.js → sesame_manager-BIHBwkqK.js}

@@ -3,13 +3,13 @@ import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { DateTime } from "luxon";
 import { BaseModel, column } from "@adonisjs/lucid/orm";
 const controllers = {
-	token: () => import("./token_controller-qFmejgux.js"),
-	authorize: () => import("./authorize_controller-ekxbVGSh.js"),
-	consent: () => import("./consent_controller-CqE3-kWO.js"),
-	introspect: () => import("./introspect_controller-Dx3Hz87G.js"),
-	revoke: () => import("./revoke_controller-E15HmMCv.js"),
-	register: () => import("./register_controller-B7IT9U1P.js"),
-	metadata: () => import("./metadata_controller-CrR-rU1y.js"),
+	token: () => import("./token_controller-BijtWj5C.js"),
+	authorize: () => import("./authorize_controller-Bb54Bi_s.js"),
+	consent: () => import("./consent_controller-gMuS9nSx.js"),
+	introspect: () => import("./introspect_controller-bKg1T2Xx.js"),
+	revoke: () => import("./revoke_controller-dJtMG1zK.js"),
+	register: () => import("./register_controller-CnzYR-iH.js"),
+	metadata: () => import("./metadata_controller-CGaKw3UM.js"),
 	clientInfo: () => import("./client_info_controller-BucHGx4u.js")
 };
 function registerOAuthRoutes(router) {
@@ -87,8 +87,10 @@ __decorate([column.dateTime()], OAuthPendingAuthorizationRequest.prototype, "exp
 __decorate([column.dateTime({ autoCreate: true })], OAuthPendingAuthorizationRequest.prototype, "createdAt", void 0);
 var SesameManager = class {
 	#config;
-	constructor(config) {
+	#router;
+	constructor(config, router) {
 		this.#config = config;
+		this.#router = router;
 	}
 	get config() {
 		return this.#config;
@@ -139,15 +141,15 @@ var SesameManager = class {
 			pendingRequests
 		};
 	}
-	registerRoutes(router) {
-		registerOAuthRoutes(router);
+	registerRoutes() {
+		registerOAuthRoutes(this.#router);
 	}
-	registerWellKnownRoutes(router) {
-		registerWellKnownRoutes(router);
+	registerWellKnownRoutes() {
+		registerWellKnownRoutes(this.#router);
 	}
-	registerProtectedResource(router, options) {
+	registerProtectedResource(options) {
 		const wellKnownPath = `/.well-known/oauth-protected-resource${options.resource}`;
-		router.get(wellKnownPath, async (ctx) => {
+		this.#router.get(wellKnownPath, async (ctx) => {
 			ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
 			return {
 				resource: `${this.#config.issuer}${options.resource}`,

package/build/{sesame_manager-BLmhC1jV.js → sesame_manager-BWqeaqn9.js}

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "./sesame_manager-2iG9p7_F.js";
+import { t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 export { SesameManager };

package/build/src/controllers/register_controller.d.ts

@@ -41,6 +41,8 @@ export default class RegisterController {
         software_id?: string | null | undefined;
         software_version?: string | null | undefined;
         redirect_uris: string[];
+    } & {
+        [K: string]: unknown;
     }, {
         scope?: string | undefined;
         token_endpoint_auth_method?: string | undefined;
@@ -55,20 +57,24 @@ export default class RegisterController {
         software_id?: string | undefined;
         software_version?: string | undefined;
         redirect_uris: string[];
+    } & {
+        [K: string]: unknown;
     }, {
+        grantTypes?: string[] | undefined;
         scope?: string | undefined;
-        token_endpoint_auth_method?: string | undefined;
-        grant_types?: string[] | undefined;
-        response_types?: string[] | undefined;
-        client_name?: string | undefined;
-        client_uri?: string | undefined;
-        logo_uri?: string | undefined;
-        tos_uri?: string | undefined;
-        policy_uri?: string | undefined;
         contacts?: string[] | undefined;
-        software_id?: string | undefined;
-        software_version?: string | undefined;
-        redirect_uris: string[];
+        tokenEndpointAuthMethod?: string | undefined;
+        responseTypes?: string[] | undefined;
+        clientName?: string | undefined;
+        clientUri?: string | undefined;
+        logoUri?: string | undefined;
+        tosUri?: string | undefined;
+        policyUri?: string | undefined;
+        softwareId?: string | undefined;
+        softwareVersion?: string | undefined;
+        redirectUris: string[];
+    } & {
+        [K: string]: unknown;
     }>, Record<string, any> | undefined>;
     handle(ctx: HttpContext): Promise<{
         software_version?: string | undefined;

package/build/src/guard/guard.d.ts

@@ -27,5 +27,12 @@ export declare class OAuthGuard<UserProvider extends OAuthUserProviderContract<u
     check(): Promise<boolean>;
     hasScope(...scopes: Scope[]): boolean;
     hasAnyScope(...scopes: Scope[]): boolean;
+    /**
+     * Used internally by Japa's `loginAs` helper during testing.
+     * Creates a test client and access token in DB, then returns
+     * the authorization headers for the test HTTP client to use.
+     *
+     * @see https://docs.adonisjs.com/guides/auth/custom-auth-guard#implementing-the-guard
+     */
     authenticateAsClient(user: UserProvider[typeof symbols.PROVIDER_REAL_USER]): Promise<AuthClientResponse>;
 }

package/build/src/guard/main.js

@@ -2,5 +2,5 @@ import "../../decorate-BKZEjPRg.js";
 import "../../oauth_access_token-bsoM5KeU.js";
 import "../../oauth_client-BIoY5jBR.js";
 import "../../token_service-fhoA4slP.js";
-import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "../../main-C6VqRjlK.js";
+import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "../../main-BJRXMGrZ.js";
 export { OAuthGuard, OAuthLucidUserProvider, oauthGuard, oauthUserProvider };

package/build/src/rules.d.ts

@@ -4,8 +4,16 @@
  */
 export declare const redirectUriRule: (options?: undefined) => import("@vinejs/vine/types").Validation<undefined>;
 /**
- * Blocks dangerous URI schemes and enforces same host+scheme
- * matching with redirect_uris (RFC 7591 §5).
+ * Blocks dangerous URI schemes for metadata URIs (client_uri, logo_uri, etc.).
+ *
+ * RFC 7591 §5 says the server MAY verify that metadata URIs match the
+ * host+scheme of redirect_uris, but this is NOT required.
+ *
+ * We intentionally skip this check because it breaks legitimate CLI/desktop clients
+ * (e.g. OpenCode, Claude Code) that use localhost redirect URIs but have a
+ * different `client_uri` pointing to their website.
+ *
+ * Maybe we can add an option to enable this check in the future if needed.
  *
  * @see https://datatracker.ietf.org/doc/html/rfc7591#section-5
  */

package/build/src/services/client_service.d.ts

@@ -1,3 +1,4 @@
+import { OAuthClient } from '../models/oauth_client.ts';
 /**
  * Extracted client credentials from a request.
  */
@@ -37,6 +38,16 @@ export declare class ClientService {
         bodyClientId?: string;
         bodyClientSecret?: string;
     }): ClientCredentials | null;
+    /**
+     * Authenticate a client from request credentials.
+     * Extracts credentials, looks up the client in DB, and verifies the secret
+     * for confidential clients.
+     */
+    authenticateClient(options: {
+        authorizationHeader?: string;
+        bodyClientId?: string;
+        bodyClientSecret?: string;
+    }): Promise<OAuthClient>;
     /**
      * Validate that requested scopes are within the client's
      * allowed scopes. Throws `E_INVALID_SCOPE` if any scope

package/build/src/sesame_manager.d.ts

@@ -14,7 +14,7 @@ export interface PurgeResult {
  */
 export declare class SesameManager {
     #private;
-    constructor(config: ResolvedSesameConfig);
+    constructor(config: ResolvedSesameConfig, router: Router);
     get config(): ResolvedSesameConfig;
     /**
      * Check if a scope is registered in the server configuration.
@@ -71,18 +71,18 @@ export declare class SesameManager {
      * @example
      * ```ts
      * router.group(() => {
-     *   sesame.registerRoutes(router)
+     *   sesame.registerRoutes()
      * }).prefix('/oauth')
      * ```
      */
-    registerRoutes(router: Router): void;
+    registerRoutes(): void;
     /**
      * Register well-known discovery routes at the root level.
      *
      * Must be called outside any prefix group so endpoints
      * remain at `/.well-known/...`.
      */
-    registerWellKnownRoutes(router: Router): void;
+    registerWellKnownRoutes(): void;
     /**
      * Register a `/.well-known/oauth-protected-resource` endpoint
      * for a specific resource path (RFC 9728). Useful for MCP
@@ -90,7 +90,7 @@ export declare class SesameManager {
      *
      * @see https://datatracker.ietf.org/doc/html/rfc9728
      */
-    registerProtectedResource(router: Router, options: {
+    registerProtectedResource(options: {
         resource: string;
         scopes?: Scope[];
     }): void;

package/build/{token_controller-qFmejgux.js → token_controller-BijtWj5C.js}

@@ -1,10 +1,10 @@
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, t as SesameManager } from "./sesame_manager-2iG9p7_F.js";
+import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-BD1CDQuC.js";
 import { DateTime } from "luxon";
 import { createHash } from "node:crypto";
 import string from "@adonisjs/core/helpers/string";
@@ -19,19 +19,11 @@ async function handleAuthorizationCodeGrant(ctx, manager) {
 	const codeVerifier = body.code_verifier;
 	if (!code) throw new E_INVALID_REQUEST("Missing required parameter: code");
 	if (!redirectUri) throw new E_INVALID_REQUEST("Missing required parameter: redirect_uri");
-	const credentials = clientService.extractCredentials({
+	const client = await clientService.authenticateClient({
 		authorizationHeader: ctx.request.header("authorization"),
 		bodyClientId: body.client_id,
 		bodyClientSecret: body.client_secret
 	});
-	if (!credentials) throw new E_INVALID_CLIENT("Missing client credentials");
-	const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-	if (!client) throw new E_INVALID_CLIENT("Client not found");
-	if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-	if (!client.isPublic) {
-		if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
-		if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
-	}
 	if (!client.grantTypes.includes("authorization_code")) throw new E_INVALID_CLIENT("Client is not allowed to use the authorization_code grant");
 	const hashedCode = tokenService.hashToken(code);
 	const authCode = await OAuthAuthorizationCode.query().where("code", hashedCode).where("clientId", client.clientId).first();
@@ -86,19 +78,11 @@ async function handleRefreshTokenGrant(ctx, manager) {
 	const body = ctx.request.body();
 	const refreshTokenRaw = body.refresh_token;
 	if (!refreshTokenRaw) throw new E_INVALID_REQUEST("Missing required parameter: refresh_token");
-	const credentials = clientService.extractCredentials({
+	const client = await clientService.authenticateClient({
 		authorizationHeader: ctx.request.header("authorization"),
 		bodyClientId: body.client_id,
 		bodyClientSecret: body.client_secret
 	});
-	if (!credentials) throw new E_INVALID_CLIENT("Missing client credentials");
-	const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-	if (!client) throw new E_INVALID_CLIENT("Client not found");
-	if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-	if (!client.isPublic) {
-		if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
-		if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
-	}
 	if (!client.grantTypes.includes("refresh_token")) throw new E_INVALID_CLIENT("Client is not allowed to use the refresh_token grant");
 	const hashedToken = tokenService.hashToken(refreshTokenRaw);
 	const refreshToken = await OAuthRefreshToken.query().where("token", hashedToken).where("clientId", client.clientId).first();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@julr/sesame",
   "description": "OAuth 2.1 + OIDC server for AdonisJS",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "engines": {
     "node": ">=24.0.0"
   },