@julr/sesame 0.3.1 → 0.5.0

package/README.md

@@ -24,6 +24,7 @@ node ace add @julr/sesame
 ```
 
 This will:
+
 - Publish the configuration file to `config/sesame.ts`
 - Publish database migrations (6 tables)
 - Register the service provider and commands
@@ -47,8 +48,8 @@ const sesameConfig = defineConfig({
   issuer: env.get('APP_URL'),
 
   scopes: {
-    'read': 'Read access',
-    'write': 'Write access',
+    read: 'Read access',
+    write: 'Write access',
   },
 
   defaultScopes: ['read'],
@@ -83,9 +84,11 @@ Register OAuth routes from your `start/routes.ts` file:
 import sesame from '@julr/sesame/services/main'
 
 // OAuth endpoints under /oauth
-router.group(() => {
-  sesame.registerRoutes()
-}).prefix('/oauth')
+router
+  .group(() => {
+    sesame.registerRoutes()
+  })
+  .prefix('/oauth')
 
 // Discovery endpoints at the root
 sesame.registerWellKnownRoutes()
@@ -144,14 +147,10 @@ Two named middleware are available for checking scopes on authenticated requests
 
 ```ts
 // Requires ALL listed scopes
-router
-  .get('/admin', [AdminController])
-  .use(middleware.scopes({ scopes: ['admin', 'write'] }))
+router.get('/admin', [AdminController]).use(middleware.scopes({ scopes: ['admin', 'write'] }))
 
 // Requires AT LEAST ONE of the listed scopes
-router
-  .get('/data', [DataController])
-  .use(middleware.anyScope({ scopes: ['read', 'write'] }))
+router.get('/data', [DataController]).use(middleware.anyScope({ scopes: ['read', 'write'] }))
 ```
 
 ## MCP Support

package/build/{authorize_controller-CfV9v3R2.js → authorize_controller-BGzxPvYU.js}

@@ -1,10 +1,10 @@
-import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-C-eEFFHM.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { d as E_UNSUPPORTED_RESPONSE_TYPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-C3rfXGk_.js";
 import { DateTime } from "luxon";
 import string from "@adonisjs/core/helpers/string";
 import vine from "@vinejs/vine";
@@ -130,6 +130,7 @@ var AuthorizeController = class AuthorizeController {
 			codeChallengeMethod: query.code_challenge_method
 		});
 		this.#copyAuthorizeDisplayParams(params, ctx.request.qs());
+		params.set("scope", requestedScopes.join(" "));
 		const consentPage = this.#resolvePageUrl(manager.config.consentPage, ctx, params);
 		return ctx.response.redirect().toPath(consentPage);
 	}

package/build/client_service-C3rfXGk_.js

@@ -0,0 +1,65 @@
+import { o as BUILTIN_SCOPES } from "./sesame_manager-C-eEFFHM.js";
+import { o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE } from "./oauth_error-CnJ3L8tf.js";
+import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
+var ClientService = class {
+	parseBasicAuth(header) {
+		if (!header.startsWith("Basic ")) return null;
+		try {
+			const decoded = Buffer.from(header.slice(6), "base64").toString("utf-8");
+			const colonIndex = decoded.indexOf(":");
+			if (colonIndex === -1) return null;
+			return {
+				clientId: decodeURIComponent(decoded.slice(0, colonIndex)),
+				clientSecret: decodeURIComponent(decoded.slice(colonIndex + 1))
+			};
+		} catch {
+			return null;
+		}
+	}
+	extractCredentials(options) {
+		const basic = options.authorizationHeader ? this.parseBasicAuth(options.authorizationHeader) : null;
+		if (basic && options.bodyClientId) throw new E_INVALID_REQUEST("Multiple client authentication methods are not allowed");
+		if (basic) return basic;
+		if (options.bodyClientId) return {
+			clientId: options.bodyClientId,
+			clientSecret: options.bodyClientSecret
+		};
+		return null;
+	}
+	async authenticateClient(options) {
+		const credentials = this.extractCredentials(options);
+		if (!credentials) throw new E_INVALID_CLIENT("Client authentication failed");
+		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
+		if (!client || client.isDisabled) throw new E_INVALID_CLIENT("Client authentication failed");
+		if (!client.isPublic) {
+			if (!credentials.clientSecret || !this.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Client authentication failed");
+		}
+		return client;
+	}
+	validateClientScopes(requestedScopes, clientScopes) {
+		const nonBuiltinScopes = requestedScopes.filter((s) => !BUILTIN_SCOPES.has(s));
+		if (clientScopes.length === 0 && nonBuiltinScopes.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${nonBuiltinScopes.join(", ")}`);
+		const allowedSet = new Set(clientScopes);
+		const invalid = nonBuiltinScopes.filter((s) => !allowedSet.has(s));
+		if (invalid.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${invalid.join(", ")}`);
+	}
+	hashSecret(secret) {
+		return createHash("sha256").update(secret).digest("base64url");
+	}
+	verifySecret(secret, storedHash) {
+		const hash = this.hashSecret(secret);
+		try {
+			return timingSafeEqual(Buffer.from(hash), Buffer.from(storedHash));
+		} catch {
+			return false;
+		}
+	}
+	generateClientId() {
+		return randomBytes(16).toString("hex");
+	}
+	generateClientSecret() {
+		return randomBytes(32).toString("base64url");
+	}
+};
+export { ClientService as t };

package/build/commands/sesame_purge.js

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "../sesame_manager-Br0DIJgM.js";
+import { t as SesameManager } from "../sesame_manager-C-eEFFHM.js";
 import { t as __decorate } from "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
 import { BaseCommand, flags } from "@adonisjs/core/ace";

package/build/{consent_controller-DBtvczID.js → consent_controller-BHoB9mip.js}

@@ -1,4 +1,4 @@
-import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-C-eEFFHM.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";

package/build/index.js

@@ -1,11 +1,11 @@
 import { configure } from "./configure.js";
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-C-eEFFHM.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { a as E_INVALID_GRANT, c as E_INVALID_TOKEN, d as E_UNSUPPORTED_RESPONSE_TYPE, f as OAuthError, i as E_INVALID_CLIENT_METADATA, l as E_SERVER_ERROR, n as E_INSUFFICIENT_SCOPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
 import "./token_service-fhoA4slP.js";
-import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "./main-ix9EOujk.js";
+import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "./main-B3M6ihoS.js";
 function defineConfig(config) {
 	return {
 		issuer: config.issuer,
@@ -13,6 +13,7 @@ function defineConfig(config) {
 		defaultScopes: config.defaultScopes ?? [],
 		grantTypes: config.grantTypes ?? ["authorization_code", "refresh_token"],
 		accessTokenTtl: config.accessTokenTtl ?? "1h",
+		clientCredentialsAccessTokenTtl: config.clientCredentialsAccessTokenTtl ?? config.accessTokenTtl ?? "1h",
 		refreshTokenTtl: config.refreshTokenTtl ?? "30d",
 		authorizationCodeTtl: config.authorizationCodeTtl ?? "10m",
 		authorizationRequestTtl: config.authorizationRequestTtl ?? config.authorizationCodeTtl ?? "10m",

package/build/{introspect_controller-D2SihAxt.js → introspect_controller-un95fs4y.js}

@@ -1,28 +1,19 @@
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-C-eEFFHM.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import "./oauth_error-CnJ3L8tf.js";
+import "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-C3rfXGk_.js";
 const INACTIVE = { active: false };
 var IntrospectController = class {
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
-		const clientService = new ClientService();
-		const credentials = clientService.extractCredentials({
+		const client = await new ClientService().authenticateClient({
 			authorizationHeader: ctx.request.header("authorization"),
 			bodyClientId: ctx.request.body().client_id,
 			bodyClientSecret: ctx.request.body().client_secret
 		});
-		if (!credentials) throw new E_INVALID_CLIENT("Client authentication required");
-		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-		if (!client) throw new E_INVALID_CLIENT("Client not found");
-		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-		if (!client.isPublic) {
-			if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
-			if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
-		}
 		const token = ctx.request.body().token;
 		if (!token) return INACTIVE;
 		const tokenTypeHint = ctx.request.body().token_type_hint;

package/build/{main-ix9EOujk.js → main-B3M6ihoS.js}

@@ -60,11 +60,11 @@ var OAuthGuard = class {
 		const hashed = tokenService.hashToken(rawToken);
 		const record = await OAuthAccessToken.query().where("tokenHash", hashed).first();
 		if (!record) throw this.#authenticationFailed("Invalid or expired token", includeError);
-		if (record.revokedAt) throw this.#authenticationFailed("Token has been revoked", includeError);
+		if (record.revokedAt) throw this.#authenticationFailed("Invalid or expired token", includeError);
 		if (record.expiresAt.toJSDate() < /* @__PURE__ */ new Date()) throw this.#authenticationFailed("Invalid or expired token", includeError);
-		if (!record.userId) throw this.#authenticationFailed("M2M tokens are not supported", includeError);
+		if (!record.userId) throw this.#authenticationFailed("Invalid or expired token", includeError);
 		const providerUser = await this.#userProvider.findById(record.userId);
-		if (!providerUser) throw this.#authenticationFailed("User not found", includeError);
+		if (!providerUser) throw this.#authenticationFailed("Invalid or expired token", includeError);
 		this.isAuthenticated = true;
 		this.user = providerUser.getOriginal();
 		this.scopes = record.scopes;
@@ -150,7 +150,7 @@ var OAuthLucidUserProvider = class {
 function oauthGuard(config) {
 	return { async resolver(name, app) {
 		const emitter = await app.container.make("emitter");
-		const { SesameManager } = await import("./sesame_manager-Blf8pkgS.js");
+		const { SesameManager } = await import("./sesame_manager-BQIW2mqt.js");
 		const manager = await app.container.make(SesameManager);
 		return (ctx) => new OAuthGuard(name, ctx, emitter, config.provider, manager, config.resource);
 	} };

package/build/{metadata_controller-CekEP9i9.js → metadata_controller-CJeZG93_.js}

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { t as SesameManager } from "./sesame_manager-C-eEFFHM.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { l as E_SERVER_ERROR } from "./oauth_error-CnJ3L8tf.js";
@@ -43,8 +43,16 @@ var MetadataController = class {
 				"client_secret_basic",
 				"client_secret_post"
 			],
-			introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
-			revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+			introspection_endpoint_auth_methods_supported: [
+				"none",
+				"client_secret_basic",
+				"client_secret_post"
+			],
+			revocation_endpoint_auth_methods_supported: [
+				"none",
+				"client_secret_basic",
+				"client_secret_post"
+			],
 			code_challenge_methods_supported: ["S256"],
 			authorization_response_iss_parameter_supported: true
 		};

package/build/providers/sesame_provider.js

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "../sesame_manager-Br0DIJgM.js";
+import { t as SesameManager } from "../sesame_manager-C-eEFFHM.js";
 import "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
 var SesameProvider = class {

package/build/{register_controller-Cmkyy0Pv.js → register_controller-Dch4ecyD.js}

@@ -1,9 +1,9 @@
-import { t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { t as SesameManager } from "./sesame_manager-C-eEFFHM.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 import { i as E_INVALID_CLIENT_METADATA, o as E_INVALID_REQUEST, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED } from "./oauth_error-CnJ3L8tf.js";
 import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-C3rfXGk_.js";
 import vine from "@vinejs/vine";
 const DANGEROUS_SCHEMES = [
 	"javascript:",
@@ -35,24 +35,11 @@ const redirectUriRule = vine.createRule((value, _options, field) => {
 });
 const metadataUriRule = vine.createRule((value, _options, field) => {
 	const parsed = new URL(value);
-	if (DANGEROUS_SCHEMES.includes(parsed.protocol)) {
-		field.report("{{ field }} uses a disallowed scheme", "metadataUri", field);
-		return;
-	}
-	const redirectUris = field.data.redirect_uris ?? [];
-	const redirectOrigins = new Set(redirectUris.map((u) => {
-		try {
-			return new URL(u);
-		} catch {
-			return null;
-		}
-	}).filter(Boolean).map((u) => `${u.protocol}//${u.hostname}`));
-	const metaOrigin = `${parsed.protocol}//${parsed.hostname}`;
-	if (!redirectOrigins.has(metaOrigin)) field.report("{{ field }} host and scheme must match at least one redirect_uri", "metadataUri", field);
+	if (DANGEROUS_SCHEMES.includes(parsed.protocol)) field.report("{{ field }} uses a disallowed scheme", "metadataUri", field);
 });
 const metadataUrl = vine.string().url({ require_protocol: true }).use(metadataUriRule()).optional();
 var RegisterController = class RegisterController {
-	static validator = vine.create({
+	static validator = vine.create(vine.object({
 		redirect_uris: vine.array(vine.string().use(redirectUriRule())).minLength(1),
 		token_endpoint_auth_method: vine.string().in([
 			"client_secret_basic",
@@ -70,7 +57,7 @@ var RegisterController = class RegisterController {
 		contacts: vine.array(vine.string().email()).optional(),
 		software_id: vine.string().optional(),
 		software_version: vine.string().optional()
-	});
+	}).allowUnknownProperties());
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
 		if (!manager.config.allowDynamicRegistration) throw new E_ACCESS_DENIED("Dynamic client registration is disabled");

package/build/{revoke_controller-CzRid0SB.js → revoke_controller-DnPmzYMd.js}

@@ -1,28 +1,19 @@
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-C-eEFFHM.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import "./oauth_error-CnJ3L8tf.js";
+import "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-C3rfXGk_.js";
 import { DateTime } from "luxon";
 var RevokeController = class {
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
-		const clientService = new ClientService();
-		const credentials = clientService.extractCredentials({
+		const client = await new ClientService().authenticateClient({
 			authorizationHeader: ctx.request.header("authorization"),
 			bodyClientId: ctx.request.body().client_id,
 			bodyClientSecret: ctx.request.body().client_secret
 		});
-		if (!credentials) throw new E_INVALID_CLIENT("Client authentication required");
-		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-		if (!client) throw new E_INVALID_CLIENT("Client not found");
-		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-		if (!client.isPublic) {
-			if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
-			if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
-		}
 		const token = ctx.request.body().token;
 		if (!token) return ctx.response.ok({});
 		const tokenTypeHint = ctx.request.body().token_type_hint;

package/build/services/main.js

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "../sesame_manager-Br0DIJgM.js";
+import { t as SesameManager } from "../sesame_manager-C-eEFFHM.js";
 import "../decorate-BKZEjPRg.js";
 import "../oauth_access_token-bsoM5KeU.js";
 import app from "@adonisjs/core/services/app";

package/build/{sesame_manager-Blf8pkgS.js → sesame_manager-BQIW2mqt.js}

@@ -1,4 +1,4 @@
-import { t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { t as SesameManager } from "./sesame_manager-C-eEFFHM.js";
 import "./decorate-BKZEjPRg.js";
 import "./oauth_access_token-bsoM5KeU.js";
 export { SesameManager };

package/build/{sesame_manager-Br0DIJgM.js → sesame_manager-C-eEFFHM.js}

@@ -2,14 +2,15 @@ import { n as json, t as __decorate } from "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { DateTime } from "luxon";
 import { BaseModel, column } from "@adonisjs/lucid/orm";
+const BUILTIN_SCOPES = new Set(["offline_access"]);
 const controllers = {
-	token: () => import("./token_controller-BEiR1lGn.js"),
-	authorize: () => import("./authorize_controller-CfV9v3R2.js"),
-	consent: () => import("./consent_controller-DBtvczID.js"),
-	introspect: () => import("./introspect_controller-D2SihAxt.js"),
-	revoke: () => import("./revoke_controller-CzRid0SB.js"),
-	register: () => import("./register_controller-Cmkyy0Pv.js"),
-	metadata: () => import("./metadata_controller-CekEP9i9.js"),
+	token: () => import("./token_controller-hGDAYuBS.js"),
+	authorize: () => import("./authorize_controller-BGzxPvYU.js"),
+	consent: () => import("./consent_controller-BHoB9mip.js"),
+	introspect: () => import("./introspect_controller-un95fs4y.js"),
+	revoke: () => import("./revoke_controller-DnPmzYMd.js"),
+	register: () => import("./register_controller-Dch4ecyD.js"),
+	metadata: () => import("./metadata_controller-CJeZG93_.js"),
 	clientInfo: () => import("./client_info_controller-BucHGx4u.js")
 };
 function registerOAuthRoutes(router) {
@@ -99,8 +100,8 @@ var SesameManager = class {
 		return scope in this.#config.scopes;
 	}
 	validateScopes(scopes) {
-		if (Object.keys(this.#config.scopes).length === 0) return scopes;
-		return scopes.filter((s) => !this.hasScope(s));
+		if (Object.keys(this.#config.scopes).length === 0) return scopes.filter((s) => !BUILTIN_SCOPES.has(s));
+		return scopes.filter((s) => !BUILTIN_SCOPES.has(s) && !this.hasScope(s));
 	}
 	isGrantTypeEnabled(grantType) {
 		return this.#config.grantTypes.includes(grantType);
@@ -163,4 +164,4 @@ var SesameManager = class {
 		return result.then((r) => Array.isArray(r) ? Number(r[0] ?? 0) : Number(r));
 	}
 };
-export { OAuthRefreshToken as a, OAuthAuthorizationCode as i, OAuthPendingAuthorizationRequest as n, OAuthConsent as r, SesameManager as t };
+export { OAuthRefreshToken as a, OAuthAuthorizationCode as i, OAuthPendingAuthorizationRequest as n, BUILTIN_SCOPES as o, OAuthConsent as r, SesameManager as t };

package/build/src/controllers/register_controller.d.ts

@@ -41,6 +41,8 @@ export default class RegisterController {
         software_id?: string | null | undefined;
         software_version?: string | null | undefined;
         redirect_uris: string[];
+    } & {
+        [K: string]: unknown;
     }, {
         scope?: string | undefined;
         token_endpoint_auth_method?: string | undefined;
@@ -55,20 +57,24 @@ export default class RegisterController {
         software_id?: string | undefined;
         software_version?: string | undefined;
         redirect_uris: string[];
+    } & {
+        [K: string]: unknown;
     }, {
+        grantTypes?: string[] | undefined;
         scope?: string | undefined;
-        token_endpoint_auth_method?: string | undefined;
-        grant_types?: string[] | undefined;
-        response_types?: string[] | undefined;
-        client_name?: string | undefined;
-        client_uri?: string | undefined;
-        logo_uri?: string | undefined;
-        tos_uri?: string | undefined;
-        policy_uri?: string | undefined;
         contacts?: string[] | undefined;
-        software_id?: string | undefined;
-        software_version?: string | undefined;
-        redirect_uris: string[];
+        tokenEndpointAuthMethod?: string | undefined;
+        responseTypes?: string[] | undefined;
+        clientName?: string | undefined;
+        clientUri?: string | undefined;
+        logoUri?: string | undefined;
+        tosUri?: string | undefined;
+        policyUri?: string | undefined;
+        softwareId?: string | undefined;
+        softwareVersion?: string | undefined;
+        redirectUris: string[];
+    } & {
+        [K: string]: unknown;
     }>, Record<string, any> | undefined>;
     handle(ctx: HttpContext): Promise<{
         software_version?: string | undefined;

package/build/src/grants/client_credentials_grant.d.ts

@@ -0,0 +1,23 @@
+import type { HttpContext } from '@adonisjs/core/http';
+import type { SesameManager } from '../sesame_manager.ts';
+/**
+ * Handle the Client Credentials Grant (RFC 6749 §4.4).
+ *
+ * Issues an access token directly to the client for
+ * machine-to-machine (M2M) communication. The client
+ * authenticates with its own credentials and receives an
+ * access token without an interactive user step.
+ *
+ * No refresh token is issued (per spec and convention).
+ *
+ * Built-in OIDC scopes (e.g. `offline_access`) are rejected
+ * since they are user-centric and meaningless in an M2M context.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
+ */
+export declare function handleClientCredentialsGrant(ctx: HttpContext, manager: SesameManager): Promise<{
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    scope: string;
+}>;

package/build/src/guard/guard.d.ts

@@ -27,5 +27,12 @@ export declare class OAuthGuard<UserProvider extends OAuthUserProviderContract<u
     check(): Promise<boolean>;
     hasScope(...scopes: Scope[]): boolean;
     hasAnyScope(...scopes: Scope[]): boolean;
+    /**
+     * Used internally by Japa's `loginAs` helper during testing.
+     * Creates a test client and access token in DB, then returns
+     * the authorization headers for the test HTTP client to use.
+     *
+     * @see https://docs.adonisjs.com/guides/auth/custom-auth-guard#implementing-the-guard
+     */
     authenticateAsClient(user: UserProvider[typeof symbols.PROVIDER_REAL_USER]): Promise<AuthClientResponse>;
 }

package/build/src/guard/main.js

@@ -2,5 +2,5 @@ import "../../decorate-BKZEjPRg.js";
 import "../../oauth_access_token-bsoM5KeU.js";
 import "../../oauth_client-BIoY5jBR.js";
 import "../../token_service-fhoA4slP.js";
-import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "../../main-ix9EOujk.js";
+import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "../../main-B3M6ihoS.js";
 export { OAuthGuard, OAuthLucidUserProvider, oauthGuard, oauthUserProvider };

package/build/src/rules.d.ts

@@ -4,8 +4,16 @@
  */
 export declare const redirectUriRule: (options?: undefined) => import("@vinejs/vine/types").Validation<undefined>;
 /**
- * Blocks dangerous URI schemes and enforces same host+scheme
- * matching with redirect_uris (RFC 7591 §5).
+ * Blocks dangerous URI schemes for metadata URIs (client_uri, logo_uri, etc.).
+ *
+ * RFC 7591 §5 says the server MAY verify that metadata URIs match the
+ * host+scheme of redirect_uris, but this is NOT required.
+ *
+ * We intentionally skip this check because it breaks legitimate CLI/desktop clients
+ * (e.g. OpenCode, Claude Code) that use localhost redirect URIs but have a
+ * different `client_uri` pointing to their website.
+ *
+ * Maybe we can add an option to enable this check in the future if needed.
  *
  * @see https://datatracker.ietf.org/doc/html/rfc7591#section-5
  */

package/build/src/services/client_service.d.ts

@@ -1,3 +1,4 @@
+import { OAuthClient } from '../models/oauth_client.ts';
 /**
  * Extracted client credentials from a request.
  */
@@ -37,6 +38,16 @@ export declare class ClientService {
         bodyClientId?: string;
         bodyClientSecret?: string;
     }): ClientCredentials | null;
+    /**
+     * Authenticate a client from request credentials.
+     * Extracts credentials, looks up the client in DB, and verifies the secret
+     * for confidential clients.
+     */
+    authenticateClient(options: {
+        authorizationHeader?: string;
+        bodyClientId?: string;
+        bodyClientSecret?: string;
+    }): Promise<OAuthClient>;
     /**
      * Validate that requested scopes are within the client's
      * allowed scopes. Throws `E_INVALID_SCOPE` if any scope

package/build/src/sesame_manager.d.ts

@@ -1,5 +1,5 @@
 import type { Router } from '@adonisjs/core/http';
-import type { ResolvedSesameConfig, Scope } from './types.ts';
+import { type ResolvedSesameConfig, type Scope } from './types.ts';
 export interface PurgeResult {
     accessTokens: number;
     refreshTokens: number;

package/build/src/types.d.ts

@@ -27,15 +27,29 @@ export type InferScopes<T extends {
     [K in keyof T['scopes'] & string]: true;
 };
 /**
- * Supported grant types for v1 (MCP-focused).
+ * Standard OAuth/OIDC scopes that are always valid regardless
+ * of server or client scope configuration.
+ *
+ * - `offline_access`: signals that the client needs a refresh token
+ *   (OIDC Core §11, OAuth 2.1). Without this built-in treatment,
+ *   MCP clients that don't explicitly configure scopes would never
+ *   receive a refresh token and would expire after the access token TTL.
+ *
+ * @see https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+ */
+export declare const BUILTIN_SCOPES: Set<string>;
+/**
+ * Supported OAuth 2.1 grant types.
  *
  * - `authorization_code`: RFC 6749 §4.1 — Authorization Code Grant
  * - `refresh_token`: RFC 6749 §6 — Refreshing an Access Token
+ * - `client_credentials`: RFC 6749 §4.4 — Client Credentials Grant (M2M)
  *
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-6
  */
-export type GrantType = 'authorization_code' | 'refresh_token';
+export type GrantType = 'authorization_code' | 'refresh_token' | 'client_credentials';
 /**
  * User-facing configuration interface for Sésame.
  *
@@ -77,6 +91,11 @@ export interface SesameConfig {
      * Defaults to '30d'.
      */
     refreshTokenTtl?: string;
+    /**
+     * Access token TTL for the client_credentials grant (M2M).
+     * Defaults to `accessTokenTtl`.
+     */
+    clientCredentialsAccessTokenTtl?: string;
     /**
      * Authorization code TTL as a string duration.
      * Defaults to '10m'.
@@ -125,6 +144,7 @@ export interface ResolvedSesameConfig {
     defaultScopes: string[];
     grantTypes: GrantType[];
     accessTokenTtl: string;
+    clientCredentialsAccessTokenTtl: string;
     refreshTokenTtl: string;
     authorizationCodeTtl: string;
     authorizationRequestTtl: string;

package/build/{token_controller-BEiR1lGn.js → token_controller-hGDAYuBS.js}

@@ -1,10 +1,10 @@
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, t as SesameManager } from "./sesame_manager-Br0DIJgM.js";
+import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, o as BUILTIN_SCOPES, t as SesameManager } from "./sesame_manager-C-eEFFHM.js";
 import "./decorate-BKZEjPRg.js";
 import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
 import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import "./oauth_client-BIoY5jBR.js";
 import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-BqPSlaTS.js";
+import { t as ClientService } from "./client_service-C3rfXGk_.js";
 import { DateTime } from "luxon";
 import { createHash } from "node:crypto";
 import string from "@adonisjs/core/helpers/string";
@@ -19,19 +19,11 @@ async function handleAuthorizationCodeGrant(ctx, manager) {
 	const codeVerifier = body.code_verifier;
 	if (!code) throw new E_INVALID_REQUEST("Missing required parameter: code");
 	if (!redirectUri) throw new E_INVALID_REQUEST("Missing required parameter: redirect_uri");
-	const credentials = clientService.extractCredentials({
+	const client = await clientService.authenticateClient({
 		authorizationHeader: ctx.request.header("authorization"),
 		bodyClientId: body.client_id,
 		bodyClientSecret: body.client_secret
 	});
-	if (!credentials) throw new E_INVALID_CLIENT("Missing client credentials");
-	const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-	if (!client) throw new E_INVALID_CLIENT("Client not found");
-	if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-	if (!client.isPublic) {
-		if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
-		if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
-	}
 	if (!client.grantTypes.includes("authorization_code")) throw new E_INVALID_CLIENT("Client is not allowed to use the authorization_code grant");
 	const hashedCode = tokenService.hashToken(code);
 	const authCode = await OAuthAuthorizationCode.query().where("code", hashedCode).where("clientId", client.clientId).first();
@@ -86,19 +78,11 @@ async function handleRefreshTokenGrant(ctx, manager) {
 	const body = ctx.request.body();
 	const refreshTokenRaw = body.refresh_token;
 	if (!refreshTokenRaw) throw new E_INVALID_REQUEST("Missing required parameter: refresh_token");
-	const credentials = clientService.extractCredentials({
+	const client = await clientService.authenticateClient({
 		authorizationHeader: ctx.request.header("authorization"),
 		bodyClientId: body.client_id,
 		bodyClientSecret: body.client_secret
 	});
-	if (!credentials) throw new E_INVALID_CLIENT("Missing client credentials");
-	const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-	if (!client) throw new E_INVALID_CLIENT("Client not found");
-	if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-	if (!client.isPublic) {
-		if (!credentials.clientSecret) throw new E_INVALID_CLIENT("Missing client secret");
-		if (!clientService.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Invalid client secret");
-	}
 	if (!client.grantTypes.includes("refresh_token")) throw new E_INVALID_CLIENT("Client is not allowed to use the refresh_token grant");
 	const hashedToken = tokenService.hashToken(refreshTokenRaw);
 	const refreshToken = await OAuthRefreshToken.query().where("token", hashedToken).where("clientId", client.clientId).first();
@@ -151,9 +135,46 @@ async function handleRefreshTokenGrant(ctx, manager) {
 		refresh_token: newRefreshTokenRaw
 	};
 }
+async function handleClientCredentialsGrant(ctx, manager) {
+	const tokenService = new TokenService(manager);
+	const clientService = new ClientService();
+	const body = ctx.request.body();
+	const client = await clientService.authenticateClient({
+		authorizationHeader: ctx.request.header("authorization"),
+		bodyClientId: body.client_id,
+		bodyClientSecret: body.client_secret
+	});
+	if (client.isPublic) throw new E_INVALID_CLIENT("Public clients cannot use the client_credentials grant");
+	if (!client.grantTypes.includes("client_credentials")) throw new E_INVALID_CLIENT("Client is not allowed to use the client_credentials grant");
+	const requestedScopes = body.scope ? body.scope.split(" ") : client.scopes.filter((scope) => !BUILTIN_SCOPES.has(scope));
+	const builtinRequested = requestedScopes.filter((s) => BUILTIN_SCOPES.has(s));
+	if (builtinRequested.length > 0) throw new E_INVALID_SCOPE(`Scopes not allowed for client_credentials: ${builtinRequested.join(", ")}`);
+	const invalidScopes = manager.validateScopes(requestedScopes);
+	if (invalidScopes.length > 0) throw new E_INVALID_SCOPE(`Invalid scopes: ${invalidScopes.join(", ")}`);
+	clientService.validateClientScopes(requestedScopes, client.scopes);
+	if (!client.userId) throw new E_INVALID_CLIENT("Client must be associated with a user to use the client_credentials grant");
+	const ttlSeconds = string.seconds.parse(manager.config.clientCredentialsAccessTokenTtl);
+	const { raw: accessTokenRaw, hash: tokenHash } = tokenService.createAccessToken();
+	const expiresAt = new Date(Date.now() + ttlSeconds * 1e3);
+	await OAuthAccessToken.create({
+		id: crypto.randomUUID(),
+		tokenHash,
+		clientId: client.clientId,
+		userId: client.userId,
+		scopes: requestedScopes,
+		expiresAt: DateTime.fromJSDate(expiresAt)
+	});
+	return {
+		access_token: accessTokenRaw,
+		token_type: "Bearer",
+		expires_in: ttlSeconds,
+		scope: requestedScopes.join(" ")
+	};
+}
 const grantHandlers = {
 	authorization_code: handleAuthorizationCodeGrant,
-	refresh_token: handleRefreshTokenGrant
+	refresh_token: handleRefreshTokenGrant,
+	client_credentials: handleClientCredentialsGrant
 };
 var TokenController = class TokenController {
 	static validator = vine.create({ grant_type: vine.string() });

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@julr/sesame",
   "description": "OAuth 2.1 + OIDC server for AdonisJS",
-  "version": "0.3.1",
+  "version": "0.5.0",
   "engines": {
     "node": ">=24.0.0"
   },

package/build/client_service-BqPSlaTS.js

@@ -1,53 +0,0 @@
-import { s as E_INVALID_SCOPE } from "./oauth_error-CnJ3L8tf.js";
-import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
-var ClientService = class {
-	parseBasicAuth(header) {
-		if (!header.startsWith("Basic ")) return null;
-		try {
-			const decoded = Buffer.from(header.slice(6), "base64").toString("utf-8");
-			const colonIndex = decoded.indexOf(":");
-			if (colonIndex === -1) return null;
-			return {
-				clientId: decodeURIComponent(decoded.slice(0, colonIndex)),
-				clientSecret: decodeURIComponent(decoded.slice(colonIndex + 1))
-			};
-		} catch {
-			return null;
-		}
-	}
-	extractCredentials(options) {
-		if (options.authorizationHeader) {
-			const basic = this.parseBasicAuth(options.authorizationHeader);
-			if (basic) return basic;
-		}
-		if (options.bodyClientId) return {
-			clientId: options.bodyClientId,
-			clientSecret: options.bodyClientSecret
-		};
-		return null;
-	}
-	validateClientScopes(requestedScopes, clientScopes) {
-		if (clientScopes.length === 0 && requestedScopes.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${requestedScopes.join(", ")}`);
-		const allowedSet = new Set(clientScopes);
-		const invalid = requestedScopes.filter((s) => !allowedSet.has(s));
-		if (invalid.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${invalid.join(", ")}`);
-	}
-	hashSecret(secret) {
-		return createHash("sha256").update(secret).digest("base64url");
-	}
-	verifySecret(secret, storedHash) {
-		const hash = this.hashSecret(secret);
-		try {
-			return timingSafeEqual(Buffer.from(hash), Buffer.from(storedHash));
-		} catch {
-			return false;
-		}
-	}
-	generateClientId() {
-		return randomBytes(16).toString("hex");
-	}
-	generateClientSecret() {
-		return randomBytes(32).toString("base64url");
-	}
-};
-export { ClientService as t };