@julr/sesame 0.5.0 → 0.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/{authorize_controller-BGzxPvYU.js → authorize_controller-YUfAy-R2.js} +2 -2
- package/build/{client_service-C3rfXGk_.js → client_service-WTNMqWzY.js} +1 -1
- package/build/commands/sesame_purge.js +1 -1
- package/build/{consent_controller-BHoB9mip.js → consent_controller-Dprwd1ed.js} +1 -1
- package/build/index.js +2 -2
- package/build/{introspect_controller-un95fs4y.js → introspect_controller-6bRt9sZt.js} +2 -2
- package/build/{main-B3M6ihoS.js → main-EbeMS5S9.js} +1 -1
- package/build/{metadata_controller-CJeZG93_.js → metadata_controller-DeaMRnUr.js} +3 -3
- package/build/providers/sesame_provider.js +1 -1
- package/build/{register_controller-Dch4ecyD.js → register_controller-sIJ1rxdM.js} +2 -2
- package/build/{revoke_controller-DnPmzYMd.js → revoke_controller-D6isoQCi.js} +2 -2
- package/build/services/main.js +1 -1
- package/build/{sesame_manager-BQIW2mqt.js → sesame_manager-Bu4MHqZV.js} +1 -1
- package/build/{sesame_manager-C-eEFFHM.js → sesame_manager-DwDZy5Vy.js} +8 -8
- package/build/src/controllers/metadata_controller.d.ts +1 -1
- package/build/src/grants/authorization_code_grant.d.ts +6 -10
- package/build/src/guard/main.js +1 -1
- package/build/src/types.d.ts +12 -3
- package/build/{token_controller-hGDAYuBS.js → token_controller-DzcrLMyS.js} +3 -3
- package/package.json +1 -1
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-
|
|
1
|
+
import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
|
|
2
2
|
import "./decorate-BKZEjPRg.js";
|
|
3
3
|
import "./oauth_access_token-bsoM5KeU.js";
|
|
4
4
|
import { d as E_UNSUPPORTED_RESPONSE_TYPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
|
|
5
5
|
import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
|
|
6
6
|
import { t as TokenService } from "./token_service-fhoA4slP.js";
|
|
7
|
-
import { t as ClientService } from "./client_service-
|
|
7
|
+
import { t as ClientService } from "./client_service-WTNMqWzY.js";
|
|
8
8
|
import { DateTime } from "luxon";
|
|
9
9
|
import string from "@adonisjs/core/helpers/string";
|
|
10
10
|
import vine from "@vinejs/vine";
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { o as BUILTIN_SCOPES } from "./sesame_manager-
|
|
1
|
+
import { o as BUILTIN_SCOPES } from "./sesame_manager-DwDZy5Vy.js";
|
|
2
2
|
import { o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE } from "./oauth_error-CnJ3L8tf.js";
|
|
3
3
|
import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
|
|
4
4
|
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { t as SesameManager } from "../sesame_manager-
|
|
1
|
+
import { t as SesameManager } from "../sesame_manager-DwDZy5Vy.js";
|
|
2
2
|
import { t as __decorate } from "../decorate-BKZEjPRg.js";
|
|
3
3
|
import "../oauth_access_token-bsoM5KeU.js";
|
|
4
4
|
import { BaseCommand, flags } from "@adonisjs/core/ace";
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-
|
|
1
|
+
import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
|
|
2
2
|
import "./decorate-BKZEjPRg.js";
|
|
3
3
|
import "./oauth_access_token-bsoM5KeU.js";
|
|
4
4
|
import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
|
package/build/index.js
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
import { configure } from "./configure.js";
|
|
2
|
-
import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-
|
|
2
|
+
import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
|
|
3
3
|
import "./decorate-BKZEjPRg.js";
|
|
4
4
|
import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
|
|
5
5
|
import { a as E_INVALID_GRANT, c as E_INVALID_TOKEN, d as E_UNSUPPORTED_RESPONSE_TYPE, f as OAuthError, i as E_INVALID_CLIENT_METADATA, l as E_SERVER_ERROR, n as E_INSUFFICIENT_SCOPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
|
|
6
6
|
import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
|
|
7
7
|
import "./token_service-fhoA4slP.js";
|
|
8
|
-
import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "./main-
|
|
8
|
+
import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "./main-EbeMS5S9.js";
|
|
9
9
|
function defineConfig(config) {
|
|
10
10
|
return {
|
|
11
11
|
issuer: config.issuer,
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-
|
|
1
|
+
import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
|
|
2
2
|
import "./decorate-BKZEjPRg.js";
|
|
3
3
|
import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
|
|
4
4
|
import "./oauth_error-CnJ3L8tf.js";
|
|
5
5
|
import "./oauth_client-BIoY5jBR.js";
|
|
6
6
|
import { t as TokenService } from "./token_service-fhoA4slP.js";
|
|
7
|
-
import { t as ClientService } from "./client_service-
|
|
7
|
+
import { t as ClientService } from "./client_service-WTNMqWzY.js";
|
|
8
8
|
const INACTIVE = { active: false };
|
|
9
9
|
var IntrospectController = class {
|
|
10
10
|
async handle(ctx) {
|
|
@@ -150,7 +150,7 @@ var OAuthLucidUserProvider = class {
|
|
|
150
150
|
function oauthGuard(config) {
|
|
151
151
|
return { async resolver(name, app) {
|
|
152
152
|
const emitter = await app.container.make("emitter");
|
|
153
|
-
const { SesameManager } = await import("./sesame_manager-
|
|
153
|
+
const { SesameManager } = await import("./sesame_manager-Bu4MHqZV.js");
|
|
154
154
|
const manager = await app.container.make(SesameManager);
|
|
155
155
|
return (ctx) => new OAuthGuard(name, ctx, emitter, config.provider, manager, config.resource);
|
|
156
156
|
} };
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { t as SesameManager } from "./sesame_manager-
|
|
1
|
+
import { o as BUILTIN_SCOPES, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
|
|
2
2
|
import "./decorate-BKZEjPRg.js";
|
|
3
3
|
import "./oauth_access_token-bsoM5KeU.js";
|
|
4
4
|
import { l as E_SERVER_ERROR } from "./oauth_error-CnJ3L8tf.js";
|
|
@@ -63,7 +63,7 @@ var MetadataController = class {
|
|
|
63
63
|
return {
|
|
64
64
|
...base,
|
|
65
65
|
subject_types_supported: ["public"],
|
|
66
|
-
scopes_supported: Object.keys(manager.config.scopes)
|
|
66
|
+
scopes_supported: [...Object.keys(manager.config.scopes), ...BUILTIN_SCOPES]
|
|
67
67
|
};
|
|
68
68
|
}
|
|
69
69
|
async protectedResource(ctx) {
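Review bot: The new `scopes_supported` on line 66 appends `BUILTIN_SCOPES` unconditionally, so `offline_access` is advertised even in a deployment that has not enabled the `refresh_token` grant, and it is listed twice when `manager.config.scopes` already declares it; the same applies to the `protectedResource` hunk below (line 76) and to `SesameManager` line 158 in services/main.js. `BUILTIN_SCOPES` is `new Set(["offline_access"])` and the token controller gates refresh-token issuance on `manager.isGrantTypeEnabled("refresh_token")`, so the discovery documents should follow the same gate and dedupe, e.g. `scopes_supported: [...new Set([...Object.keys(manager.config.scopes), ...(manager.isGrantTypeEnabled("refresh_token") ? BUILTIN_SCOPES : [])])]`. Whether the `manager` received here exposes `isGrantTypeEnabled` is not visible in this hunk, though it appears to be the same `SesameManager` instance; the `MetadataController` class and the enclosing method start outside the hunk.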
|
|
@@ -73,7 +73,7 @@ var MetadataController = class {
|
|
|
73
73
|
return {
|
|
74
74
|
resource: issuer,
|
|
75
75
|
authorization_servers: [issuer],
|
|
76
|
-
scopes_supported: Object.keys(manager.config.scopes),
|
|
76
|
+
scopes_supported: [...Object.keys(manager.config.scopes), ...BUILTIN_SCOPES],
|
|
77
77
|
bearer_methods_supported: ["header"]
|
|
78
78
|
};
|
|
79
79
|
}
|
|
@@ -1,9 +1,9 @@
|
|
|
1
|
-
import { t as SesameManager } from "./sesame_manager-
|
|
1
|
+
import { t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
|
|
2
2
|
import "./decorate-BKZEjPRg.js";
|
|
3
3
|
import "./oauth_access_token-bsoM5KeU.js";
|
|
4
4
|
import { i as E_INVALID_CLIENT_METADATA, o as E_INVALID_REQUEST, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED } from "./oauth_error-CnJ3L8tf.js";
|
|
5
5
|
import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
|
|
6
|
-
import { t as ClientService } from "./client_service-
|
|
6
|
+
import { t as ClientService } from "./client_service-WTNMqWzY.js";
|
|
7
7
|
import vine from "@vinejs/vine";
|
|
8
8
|
const DANGEROUS_SCHEMES = [
|
|
9
9
|
"javascript:",
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-
|
|
1
|
+
import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
|
|
2
2
|
import "./decorate-BKZEjPRg.js";
|
|
3
3
|
import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
|
|
4
4
|
import "./oauth_error-CnJ3L8tf.js";
|
|
5
5
|
import "./oauth_client-BIoY5jBR.js";
|
|
6
6
|
import { t as TokenService } from "./token_service-fhoA4slP.js";
|
|
7
|
-
import { t as ClientService } from "./client_service-
|
|
7
|
+
import { t as ClientService } from "./client_service-WTNMqWzY.js";
|
|
8
8
|
import { DateTime } from "luxon";
|
|
9
9
|
var RevokeController = class {
|
|
10
10
|
async handle(ctx) {
|
package/build/services/main.js
|
@@ -4,13 +4,13 @@ import { DateTime } from "luxon";
|
|
|
4
4
|
import { BaseModel, column } from "@adonisjs/lucid/orm";
|
|
5
5
|
const BUILTIN_SCOPES = new Set(["offline_access"]);
|
|
6
6
|
const controllers = {
|
|
7
|
-
token: () => import("./token_controller-
|
|
8
|
-
authorize: () => import("./authorize_controller-
|
|
9
|
-
consent: () => import("./consent_controller-
|
|
10
|
-
introspect: () => import("./introspect_controller-
|
|
11
|
-
revoke: () => import("./revoke_controller-
|
|
12
|
-
register: () => import("./register_controller-
|
|
13
|
-
metadata: () => import("./metadata_controller-
|
|
7
|
+
token: () => import("./token_controller-DzcrLMyS.js"),
|
|
8
|
+
authorize: () => import("./authorize_controller-YUfAy-R2.js"),
|
|
9
|
+
consent: () => import("./consent_controller-Dprwd1ed.js"),
|
|
10
|
+
introspect: () => import("./introspect_controller-6bRt9sZt.js"),
|
|
11
|
+
revoke: () => import("./revoke_controller-D6isoQCi.js"),
|
|
12
|
+
register: () => import("./register_controller-sIJ1rxdM.js"),
|
|
13
|
+
metadata: () => import("./metadata_controller-DeaMRnUr.js"),
|
|
14
14
|
clientInfo: () => import("./client_info_controller-BucHGx4u.js")
|
|
15
15
|
};
|
|
16
16
|
function registerOAuthRoutes(router) {
|
|
@@ -155,7 +155,7 @@ var SesameManager = class {
|
|
|
155
155
|
return {
|
|
156
156
|
resource: `${this.#config.issuer}${options.resource}`,
|
|
157
157
|
authorization_servers: [this.#config.issuer],
|
|
158
|
-
scopes_supported: options.scopes ?? Object.keys(this.#config.scopes),
|
|
158
|
+
scopes_supported: [...options.scopes ?? Object.keys(this.#config.scopes), ...BUILTIN_SCOPES],
|
|
159
159
|
bearer_methods_supported: ["header"]
|
|
160
160
|
};
|
|
161
161
|
});
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import type { HttpContext } from '@adonisjs/core/http';
|
|
2
|
-
import type
|
|
2
|
+
import { type AuthServerMetadata, type ResourceServerMetadata } from '../types.ts';
|
|
3
3
|
/**
|
|
4
4
|
* Serves OAuth 2.0 discovery metadata documents.
|
|
5
5
|
*
|
|
@@ -3,17 +3,13 @@ import type { SesameManager } from '../sesame_manager.ts';
|
|
|
3
3
|
/**
|
|
4
4
|
* Handle the Authorization Code Grant (RFC 6749 §4.1.3).
|
|
5
5
|
*
|
|
6
|
-
* Exchanges an authorization code for an access token
|
|
7
|
-
*
|
|
6
|
+
* Exchanges an authorization code for an access token and a refresh
|
|
7
|
+
* token. A refresh token is always issued when the `refresh_token`
|
|
8
|
+
* grant type is enabled on the server — the client does not need
|
|
9
|
+
* to request `offline_access` explicitly.
|
|
8
10
|
*
|
|
9
|
-
*
|
|
10
|
-
*
|
|
11
|
-
* - Authorization code existence, expiration, and single-use enforcement
|
|
12
|
-
* - Redirect URI matching against the original authorization request
|
|
13
|
-
* - PKCE code_verifier verification using S256 (RFC 7636 §4.6)
|
|
14
|
-
*
|
|
15
|
-
* All tokens (access tokens, refresh tokens, authorization codes)
|
|
16
|
-
* are opaque values stored as SHA-256 hashes.
|
|
11
|
+
* This matches the behavior of major OAuth providers and avoids
|
|
12
|
+
* forcing MCP clients like ClaudeDesktop to know about `offline_access` to get long-lived sessions.
|
|
17
13
|
*
|
|
18
14
|
* @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
|
|
19
15
|
* @see https://datatracker.ietf.org/doc/html/rfc7636#section-4.6
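Review bot: The rewritten doc block on old lines 11-16 drops the list of checks the grant performs (authorization code existence, expiration and single-use enforcement; redirect URI match against the original request; PKCE `code_verifier` verification with S256) and the note that access tokens, refresh tokens and authorization codes are stored as SHA-256 hashes, while the `@see` reference to RFC 7636 §4.6 is kept and nothing in this release indicates that behaviour changed. Those lines describe the grant's security contract and should be restored beneath the new refresh-token paragraph rather than removed. On new line 12, `ClaudeDesktop` should read `Claude Desktop`. The declaration this comment documents follows after the hunk.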
|
package/build/src/guard/main.js
|
@@ -2,5 +2,5 @@ import "../../decorate-BKZEjPRg.js";
|
|
|
2
2
|
import "../../oauth_access_token-bsoM5KeU.js";
|
|
3
3
|
import "../../oauth_client-BIoY5jBR.js";
|
|
4
4
|
import "../../token_service-fhoA4slP.js";
|
|
5
|
-
import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "../../main-
|
|
5
|
+
import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "../../main-EbeMS5S9.js";
|
|
6
6
|
export { OAuthGuard, OAuthLucidUserProvider, oauthGuard, oauthUserProvider };
|
package/build/src/types.d.ts
|
@@ -30,12 +30,21 @@ export type InferScopes<T extends {
|
|
|
30
30
|
* Standard OAuth/OIDC scopes that are always valid regardless
|
|
31
31
|
* of server or client scope configuration.
|
|
32
32
|
*
|
|
33
|
+
* These scopes are:
|
|
34
|
+
* - Accepted during scope validation (client and server level)
|
|
35
|
+
* - Advertised in `scopes_supported` of all metadata endpoints
|
|
36
|
+
* (protected resource, OIDC discovery) so MCP clients know
|
|
37
|
+
* they can request them
|
|
38
|
+
*
|
|
33
39
|
* - `offline_access`: signals that the client needs a refresh token
|
|
34
|
-
* (OIDC Core §11
|
|
35
|
-
*
|
|
36
|
-
*
|
|
40
|
+
* (OIDC Core §11). Note: Sesame issues refresh tokens by default
|
|
41
|
+
* when the `refresh_token` grant is enabled, regardless of whether
|
|
42
|
+
* the client requests this scope (per RFC 6749 §5.1). This scope
|
|
43
|
+
* is still advertised for clients that check metadata before
|
|
44
|
+
* building their authorization request.
|
|
37
45
|
*
|
|
38
46
|
* @see https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
|
|
47
|
+
* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
|
|
39
48
|
*/
|
|
40
49
|
export declare const BUILTIN_SCOPES: Set<string>;
|
|
41
50
|
/**
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, o as BUILTIN_SCOPES, t as SesameManager } from "./sesame_manager-
|
|
1
|
+
import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, o as BUILTIN_SCOPES, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
|
|
2
2
|
import "./decorate-BKZEjPRg.js";
|
|
3
3
|
import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
|
|
4
4
|
import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
|
|
5
5
|
import "./oauth_client-BIoY5jBR.js";
|
|
6
6
|
import { t as TokenService } from "./token_service-fhoA4slP.js";
|
|
7
|
-
import { t as ClientService } from "./client_service-
|
|
7
|
+
import { t as ClientService } from "./client_service-WTNMqWzY.js";
|
|
8
8
|
import { DateTime } from "luxon";
|
|
9
9
|
import { createHash } from "node:crypto";
|
|
10
10
|
import string from "@adonisjs/core/helpers/string";
|
|
@@ -50,7 +50,7 @@ async function handleAuthorizationCodeGrant(ctx, manager) {
|
|
|
50
50
|
expiresAt: DateTime.fromJSDate(expiresAt)
|
|
51
51
|
});
|
|
52
52
|
let refreshTokenRaw;
|
|
53
|
-
if (
|
|
53
|
+
if (manager.isGrantTypeEnabled("refresh_token")) {
|
|
54
54
|
const { raw, hash } = tokenService.createRefreshToken();
|
|
55
55
|
const refreshTtl = string.seconds.parse(manager.config.refreshTokenTtl);
|
|
56
56
|
await OAuthRefreshToken.create({
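Review bot: The replacement condition on line 53 issues a refresh token on every authorization-code exchange whenever the server-wide `refresh_token` grant is enabled, which widens the set of clients that receive long-lived credentials; the old condition is truncated in this diff, so it is not clear whether a per-client or per-scope check was dropped along with the `offline_access` requirement. A client whose own registration does not include `refresh_token` in its grant types (RFC 7591 `grant_types`) should not receive one, so if the client record resolved earlier in `handleAuthorizationCodeGrant` carries that list, combine it with the server-level check, e.g. `if (manager.isGrantTypeEnabled("refresh_token") && clientAllowsRefresh) {` where `clientAllowsRefresh` is derived from the client's registered grant types. A short comment above the `if` stating the policy, `// Refresh tokens are issued whenever the grant is enabled; offline_access is not required (RFC 6749 §5.1)`, would make the intent explicit at the point of issuance. `handleAuthorizationCodeGrant` starts before and continues after this hunk.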
|