@julr/sesame 0.3.1 → 0.4.0

package/build/{authorize_controller-CfV9v3R2.js → authorize_controller-Bb54Bi_s.js}

@@ -1,10 +1,10 @@
-import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { d as E_UNSUPPORTED_RESPONSE_TYPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-BD1CDQuC.js";
 import { DateTime } from "luxon";
 import string from "@adonisjs/core/helpers/string";
 import vine from "@vinejs/vine";
@@ -130,6 +130,7 @@ var AuthorizeController = class AuthorizeController {
 			codeChallengeMethod: query.code_challenge_method
 		});
 		this.#copyAuthorizeDisplayParams(params, ctx.request.qs());
+		params.set("scope", requestedScopes.join(" "));
 		const consentPage = this.#resolvePageUrl(manager.config.consentPage, ctx, params);
 		return ctx.response.redirect().toPath(consentPage);
 	}

package/build/{client_service-BqPSlaTS.js → client_service-BD1CDQuC.js}

@@ -1,4 +1,5 @@
-import { s as E_INVALID_SCOPE } from "./oauth_error-CnJ3L8tf.js";
+import { o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
 var ClientService = class {
 	parseBasicAuth(header) {
@@ -16,16 +17,25 @@ var ClientService = class {
 		}
 	}
 	extractCredentials(options) {
-		if (options.authorizationHeader) {
-			const basic = this.parseBasicAuth(options.authorizationHeader);
-			if (basic) return basic;
-		}
+		const basic = options.authorizationHeader ? this.parseBasicAuth(options.authorizationHeader) : null;
+		if (basic && options.bodyClientId) throw new E_INVALID_REQUEST("Multiple client authentication methods are not allowed");
+		if (basic) return basic;
 		if (options.bodyClientId) return {
 			clientId: options.bodyClientId,
 			clientSecret: options.bodyClientSecret
 		};
 		return null;
 	}
+	async authenticateClient(options) {
+		const credentials = this.extractCredentials(options);
+		if (!credentials) throw new E_INVALID_CLIENT("Client authentication failed");
+		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
+		if (!client || client.isDisabled) throw new E_INVALID_CLIENT("Client authentication failed");
+		if (!client.isPublic) {
+			if (!credentials.clientSecret || !this.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Client authentication failed");
+		}
+		return client;
+	}
 	validateClientScopes(requestedScopes, clientScopes) {
 		if (clientScopes.length === 0 && requestedScopes.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${requestedScopes.join(", ")}`);
 		const allowedSet = new Set(clientScopes);

package/build/commands/sesame_purge.js

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "../sesame_manager-Br0DIJgM.js";
+import { t as SesameManager } from "../sesame_manager-BIHBwkqK.js";
 import { t as __decorate } from "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
 import { BaseCommand, flags } from "@adonisjs/core/ace";

package/build/{consent_controller-DBtvczID.js → consent_controller-gMuS9nSx.js}

@@ -1,4 +1,4 @@
-import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";

package/build/index.js

@@ -1,11 +1,11 @@
 import { configure } from "./configure.js";
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { a as E_INVALID_GRANT, c as E_INVALID_TOKEN, d as E_UNSUPPORTED_RESPONSE_TYPE, f as OAuthError, i as E_INVALID_CLIENT_METADATA, l as E_SERVER_ERROR, n as E_INSUFFICIENT_SCOPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import "./token_service-fhoA4slP.js";
-import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "./main-ix9EOujk.js";
+import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "./main-BJRXMGrZ.js";
 function defineConfig(config) {
 	return {
 		issuer: config.issuer,

package/build/{introspect_controller-D2SihAxt.js → introspect_controller-bKg1T2Xx.js}

@@ -1,28 +1,19 @@
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import "./oauth_error-CnJ3L8tf.js";
+import "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-BD1CDQuC.js";
 const INACTIVE = { active: false };
 var IntrospectController = class {
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
-		const clientService = new ClientService();
-		const credentials = clientService.extractCredentials({
+		const client = await new ClientService().authenticateClient({
 			authorizationHeader: ctx.request.header("authorization"),
 			bodyClientId: ctx.request.body().client_id,
 			bodyClientSecret: ctx.request.body().client_secret
 		});
-		if (!credentials) throw new E_INVALID_CLIENT("Client authentication required");
-		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-		if (!client) throw new E_INVALID_CLIENT("Client not found");
-		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-		if (!client.isPublic) {
-			if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
-			if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
-		}
 		const token = ctx.request.body().token;
 		if (!token) return INACTIVE;
 		const tokenTypeHint = ctx.request.body().token_type_hint;

package/build/{main-ix9EOujk.js → main-BJRXMGrZ.js}

@@ -60,11 +60,11 @@ var OAuthGuard = class {
 		const hashed = tokenService.hashToken(rawToken);
 		const record = await OAuthAccessToken.query().where("tokenHash", hashed).first();
 		if (!record) throw this.#authenticationFailed("Invalid or expired token", includeError);
-		if (record.revokedAt) throw this.#authenticationFailed("Token has been revoked", includeError);
+		if (record.revokedAt) throw this.#authenticationFailed("Invalid or expired token", includeError);
 		if (record.expiresAt.toJSDate() < /* @__PURE__ */ new Date()) throw this.#authenticationFailed("Invalid or expired token", includeError);
-		if (!record.userId) throw this.#authenticationFailed("M2M tokens are not supported", includeError);
+		if (!record.userId) throw this.#authenticationFailed("Invalid or expired token", includeError);
 		const providerUser = await this.#userProvider.findById(record.userId);
-		if (!providerUser) throw this.#authenticationFailed("User not found", includeError);
+		if (!providerUser) throw this.#authenticationFailed("Invalid or expired token", includeError);
 		this.isAuthenticated = true;
 		this.user = providerUser.getOriginal();
 		this.scopes = record.scopes;
@@ -150,7 +150,7 @@ var OAuthLucidUserProvider = class {
 function oauthGuard(config) {
 	return { async resolver(name, app) {
 		const emitter = await app.container.make("emitter");
-		const { SesameManager } = await import("./sesame_manager-Blf8pkgS.js");
+		const { SesameManager } = await import("./sesame_manager-BWqeaqn9.js");
 		const manager = await app.container.make(SesameManager);
 		return (ctx) => new OAuthGuard(name, ctx, emitter, config.provider, manager, config.resource);
 	} };

package/build/{metadata_controller-CekEP9i9.js → metadata_controller-CGaKw3UM.js}

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { l as E_SERVER_ERROR } from "./oauth_error-CnJ3L8tf.js";
@@ -43,8 +43,16 @@ var MetadataController = class {
 				"client_secret_basic",
 				"client_secret_post"
 			],
-			introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
-			revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+			introspection_endpoint_auth_methods_supported: [
+				"none",
+				"client_secret_basic",
+				"client_secret_post"
+			],
+			revocation_endpoint_auth_methods_supported: [
+				"none",
+				"client_secret_basic",
+				"client_secret_post"
+			],
 			code_challenge_methods_supported: ["S256"],
 			authorization_response_iss_parameter_supported: true
 		};

package/build/providers/sesame_provider.js

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "../sesame_manager-Br0DIJgM.js";
+import { t as SesameManager } from "../sesame_manager-BIHBwkqK.js";
 import "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
 var SesameProvider = class {

package/build/{register_controller-Cmkyy0Pv.js → register_controller-CnzYR-iH.js}

@@ -1,9 +1,9 @@
-import { t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { i as E_INVALID_CLIENT_METADATA, o as E_INVALID_REQUEST, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-BD1CDQuC.js";
 import vine from "@vinejs/vine";
 const DANGEROUS_SCHEMES = [
 	"javascript:",
@@ -35,24 +35,11 @@ const redirectUriRule = vine.createRule((value, _options, field) => {
 });
 const metadataUriRule = vine.createRule((value, _options, field) => {
 	const parsed = new URL(value);
-	if (DANGEROUS_SCHEMES.includes(parsed.protocol)) {
-		field.report("{{ field }} uses a disallowed scheme", "metadataUri", field);
-		return;
-	}
-	const redirectUris = field.data.redirect_uris ?? [];
-	const redirectOrigins = new Set(redirectUris.map((u) => {
-		try {
-			return new URL(u);
-		} catch {
-			return null;
-		}
-	}).filter(Boolean).map((u) => `${u.protocol}//${u.hostname}`));
-	const metaOrigin = `${parsed.protocol}//${parsed.hostname}`;
-	if (!redirectOrigins.has(metaOrigin)) field.report("{{ field }} host and scheme must match at least one redirect_uri", "metadataUri", field);
+	if (DANGEROUS_SCHEMES.includes(parsed.protocol)) field.report("{{ field }} uses a disallowed scheme", "metadataUri", field);
 });
 const metadataUrl = vine.string().url({ require_protocol: true }).use(metadataUriRule()).optional();
 var RegisterController = class RegisterController {
-	static validator = vine.create({
+	static validator = vine.create(vine.object({
 		redirect_uris: vine.array(vine.string().use(redirectUriRule())).minLength(1),
 		token_endpoint_auth_method: vine.string().in([
 			"client_secret_basic",
@@ -70,7 +57,7 @@ var RegisterController = class RegisterController {
 		contacts: vine.array(vine.string().email()).optional(),
 		software_id: vine.string().optional(),
 		software_version: vine.string().optional()
-	});
+	}).allowUnknownProperties());
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
 		if (!manager.config.allowDynamicRegistration) throw new E_ACCESS_DENIED("Dynamic client registration is disabled");

package/build/{revoke_controller-CzRid0SB.js → revoke_controller-dJtMG1zK.js}

@@ -1,28 +1,19 @@
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import "./oauth_error-CnJ3L8tf.js";
+import "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-BD1CDQuC.js";
 import { DateTime } from "luxon";
 var RevokeController = class {
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
-		const clientService = new ClientService();
-		const credentials = clientService.extractCredentials({
+		const client = await new ClientService().authenticateClient({
 			authorizationHeader: ctx.request.header("authorization"),
 			bodyClientId: ctx.request.body().client_id,
 			bodyClientSecret: ctx.request.body().client_secret
 		});
-		if (!credentials) throw new E_INVALID_CLIENT("Client authentication required");
-		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-		if (!client) throw new E_INVALID_CLIENT("Client not found");
-		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-		if (!client.isPublic) {
-			if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
-			if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
-		}
 		const token = ctx.request.body().token;
 		if (!token) return ctx.response.ok({});
 		const tokenTypeHint = ctx.request.body().token_type_hint;

package/build/services/main.js

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "../sesame_manager-Br0DIJgM.js";
+import { t as SesameManager } from "../sesame_manager-BIHBwkqK.js";
 import "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
 import app from "@adonisjs/core/services/app";

package/build/{sesame_manager-Br0DIJgM.js → sesame_manager-BIHBwkqK.js}

@@ -3,13 +3,13 @@ import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { DateTime } from "luxon";
 import { BaseModel, column } from "@adonisjs/lucid/orm";
 const controllers = {
-	token: () => import("./token_controller-BEiR1lGn.js"),
-	authorize: () => import("./authorize_controller-CfV9v3R2.js"),
-	consent: () => import("./consent_controller-DBtvczID.js"),
-	introspect: () => import("./introspect_controller-D2SihAxt.js"),
-	revoke: () => import("./revoke_controller-CzRid0SB.js"),
-	register: () => import("./register_controller-Cmkyy0Pv.js"),
-	metadata: () => import("./metadata_controller-CekEP9i9.js"),
+	token: () => import("./token_controller-BijtWj5C.js"),
+	authorize: () => import("./authorize_controller-Bb54Bi_s.js"),
+	consent: () => import("./consent_controller-gMuS9nSx.js"),
+	introspect: () => import("./introspect_controller-bKg1T2Xx.js"),
+	revoke: () => import("./revoke_controller-dJtMG1zK.js"),
+	register: () => import("./register_controller-CnzYR-iH.js"),
+	metadata: () => import("./metadata_controller-CGaKw3UM.js"),
 	clientInfo: () => import("./client_info_controller-BucHGx4u.js")
 };
 function registerOAuthRoutes(router) {

package/build/{sesame_manager-Blf8pkgS.js → sesame_manager-BWqeaqn9.js}

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 export { SesameManager };

package/build/src/controllers/register_controller.d.ts

@@ -41,6 +41,8 @@ export default class RegisterController {
         software_id?: string | null | undefined;
         software_version?: string | null | undefined;
         redirect_uris: string[];
+    } & {
+        [K: string]: unknown;
     }, {
         scope?: string | undefined;
         token_endpoint_auth_method?: string | undefined;
@@ -55,20 +57,24 @@ export default class RegisterController {
         software_id?: string | undefined;
         software_version?: string | undefined;
         redirect_uris: string[];
+    } & {
+        [K: string]: unknown;
     }, {
+        grantTypes?: string[] | undefined;
         scope?: string | undefined;
-        token_endpoint_auth_method?: string | undefined;
-        grant_types?: string[] | undefined;
-        response_types?: string[] | undefined;
-        client_name?: string | undefined;
-        client_uri?: string | undefined;
-        logo_uri?: string | undefined;
-        tos_uri?: string | undefined;
-        policy_uri?: string | undefined;
         contacts?: string[] | undefined;
-        software_id?: string | undefined;
-        software_version?: string | undefined;
-        redirect_uris: string[];
+        tokenEndpointAuthMethod?: string | undefined;
+        responseTypes?: string[] | undefined;
+        clientName?: string | undefined;
+        clientUri?: string | undefined;
+        logoUri?: string | undefined;
+        tosUri?: string | undefined;
+        policyUri?: string | undefined;
+        softwareId?: string | undefined;
+        softwareVersion?: string | undefined;
+        redirectUris: string[];
+    } & {
+        [K: string]: unknown;
     }>, Record<string, any> | undefined>;
     handle(ctx: HttpContext): Promise<{
         software_version?: string | undefined;

package/build/src/guard/guard.d.ts

@@ -27,5 +27,12 @@ export declare class OAuthGuard<UserProvider extends OAuthUserProviderContract<u
     check(): Promise<boolean>;
     hasScope(...scopes: Scope[]): boolean;
     hasAnyScope(...scopes: Scope[]): boolean;
+    /**
+     * Used internally by Japa's `loginAs` helper during testing.
+     * Creates a test client and access token in DB, then returns
+     * the authorization headers for the test HTTP client to use.
+     *
+     * @see https://docs.adonisjs.com/guides/auth/custom-auth-guard#implementing-the-guard
+     */
     authenticateAsClient(user: UserProvider[typeof symbols.PROVIDER_REAL_USER]): Promise<AuthClientResponse>;
 }

package/build/src/guard/main.js

@@ -2,5 +2,5 @@ import "../../decorate-BKZEjPRg.js";
 import "../../oauth_access_token-bsoM5KeU.js";
 import "../../oauth_client-BIoY5jBR.js";
 import "../../token_service-fhoA4slP.js";
-import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "../../main-ix9EOujk.js";
+import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "../../main-BJRXMGrZ.js";
 export { OAuthGuard, OAuthLucidUserProvider, oauthGuard, oauthUserProvider };

package/build/src/rules.d.ts

@@ -4,8 +4,16 @@
  */
 export declare const redirectUriRule: (options?: undefined) => import("@vinejs/vine/types").Validation<undefined>;
 /**
- * Blocks dangerous URI schemes and enforces same host+scheme
- * matching with redirect_uris (RFC 7591 §5).
+ * Blocks dangerous URI schemes for metadata URIs (client_uri, logo_uri, etc.).
+ *
+ * RFC 7591 §5 says the server MAY verify that metadata URIs match the
+ * host+scheme of redirect_uris, but this is NOT required.
+ *
+ * We intentionally skip this check because it breaks legitimate CLI/desktop clients
+ * (e.g. OpenCode, Claude Code) that use localhost redirect URIs but have a
+ * different `client_uri` pointing to their website.
+ *
+ * Maybe we can add an option to enable this check in the future if needed.
  *
  * @see https://datatracker.ietf.org/doc/html/rfc7591#section-5
  */

package/build/src/services/client_service.d.ts

@@ -1,3 +1,4 @@
+import { OAuthClient } from '../models/oauth_client.ts';
 /**
  * Extracted client credentials from a request.
  */
@@ -37,6 +38,16 @@ export declare class ClientService {
         bodyClientId?: string;
         bodyClientSecret?: string;
     }): ClientCredentials | null;
+    /**
+     * Authenticate a client from request credentials.
+     * Extracts credentials, looks up the client in DB, and verifies the secret
+     * for confidential clients.
+     */
+    authenticateClient(options: {
+        authorizationHeader?: string;
+        bodyClientId?: string;
+        bodyClientSecret?: string;
+    }): Promise<OAuthClient>;
     /**
      * Validate that requested scopes are within the client's
      * allowed scopes. Throws `E_INVALID_SCOPE` if any scope

package/build/{token_controller-BEiR1lGn.js → token_controller-BijtWj5C.js}

@@ -1,10 +1,10 @@
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, t as SesameManager } from "./sesame_manager-BIHBwkqK.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-BD1CDQuC.js";
 import { DateTime } from "luxon";
 import { createHash } from "node:crypto";
 import string from "@adonisjs/core/helpers/string";
@@ -19,19 +19,11 @@ async function handleAuthorizationCodeGrant(ctx, manager) {
 	const codeVerifier = body.code_verifier;
 	if (!code) throw new E_INVALID_REQUEST("Missing required parameter: code");
 	if (!redirectUri) throw new E_INVALID_REQUEST("Missing required parameter: redirect_uri");
-	const credentials = clientService.extractCredentials({
+	const client = await clientService.authenticateClient({
 		authorizationHeader: ctx.request.header("authorization"),
 		bodyClientId: body.client_id,
 		bodyClientSecret: body.client_secret
 	});
-	if (!credentials) throw new E_INVALID_CLIENT("Missing client credentials");
-	const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-	if (!client) throw new E_INVALID_CLIENT("Client not found");
-	if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-	if (!client.isPublic) {
-		if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
-		if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
-	}
 	if (!client.grantTypes.includes("authorization_code")) throw new E_INVALID_CLIENT("Client is not allowed to use the authorization_code grant");
 	const hashedCode = tokenService.hashToken(code);
 	const authCode = await OAuthAuthorizationCode.query().where("code", hashedCode).where("clientId", client.clientId).first();
@@ -86,19 +78,11 @@ async function handleRefreshTokenGrant(ctx, manager) {
 	const body = ctx.request.body();
 	const refreshTokenRaw = body.refresh_token;
 	if (!refreshTokenRaw) throw new E_INVALID_REQUEST("Missing required parameter: refresh_token");
-	const credentials = clientService.extractCredentials({
+	const client = await clientService.authenticateClient({
 		authorizationHeader: ctx.request.header("authorization"),
 		bodyClientId: body.client_id,
 		bodyClientSecret: body.client_secret
 	});
-	if (!credentials) throw new E_INVALID_CLIENT("Missing client credentials");
-	const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-	if (!client) throw new E_INVALID_CLIENT("Client not found");
-	if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-	if (!client.isPublic) {
-		if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
-		if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
-	}
 	if (!client.grantTypes.includes("refresh_token")) throw new E_INVALID_CLIENT("Client is not allowed to use the refresh_token grant");
 	const hashedToken = tokenService.hashToken(refreshTokenRaw);
 	const refreshToken = await OAuthRefreshToken.query().where("token", hashedToken).where("clientId", client.clientId).first();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@julr/sesame",
   "description": "OAuth 2.1 + OIDC server for AdonisJS",
-  "version": "0.3.1",
+  "version": "0.4.0",
   "engines": {
     "node": ">=24.0.0"
   },