@julr/sesame 0.5.0 → 0.6.0

package/build/authorize_controller-BiycO4be.js

@@ -0,0 +1,251 @@
+import "./chunk-DF48asd8.js";
+import { n as OAuthPendingAuthorizationRequest, o as ClientService, r as OAuthConsent, t as SesameManager } from "./sesame_manager-DYUSZ0NC.js";
+import { t as OAuthClient } from "./oauth_client-BSanvSql.js";
+import { d as E_UNSUPPORTED_RESPONSE_TYPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-C7UhDb2q.js";
+import "./oauth_access_token-Cz_5gNBx.js";
+import { t as TokenService } from "./token_service-DwnfAR9F.js";
+import { t as IssueAuthorizationCodeAction } from "./issue_authorization_code-B9ERu1uO.js";
+import { DateTime } from "luxon";
+import string from "@adonisjs/core/helpers/string";
+import vine from "@vinejs/vine";
+//#region src/actions/authorize.ts
+/**
+* Handles the OAuth 2.0 authorization request business logic.
+*
+* Validates the client, scopes, and PKCE parameters, checks
+* existing consent, and either issues an authorization code
+* or signals that login/consent is required.
+*
+* Errors before redirect_uri validation are thrown as exceptions.
+* Errors after are returned as `redirect_error` results so the
+* controller can redirect back to the client per spec.
+*/
+var AuthorizeAction = class {
+	/**
+	* Process an authorization request. Returns a discriminated
+	* union that the controller interprets as the appropriate
+	* HTTP redirect.
+	*/
+	async execute(manager, input) {
+		if (input.responseType !== "code") throw new E_UNSUPPORTED_RESPONSE_TYPE("Only \"code\" is supported");
+		const client = await OAuthClient.query().where("clientId", input.clientId).first();
+		if (!client) throw new E_INVALID_CLIENT("Client not found");
+		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
+		if (!client.redirectUris.includes(input.redirectUri)) throw new E_INVALID_REQUEST("Invalid redirect_uri");
+		if (!client.grantTypes.includes("authorization_code")) return {
+			type: "redirect_error",
+			error: "unauthorized_client",
+			description: "Client is not allowed to use the authorization_code grant"
+		};
+		const requestedScopes = input.scope ? input.scope.split(" ") : manager.config.defaultScopes;
+		const scopeError = this.#validateScopes(manager, requestedScopes, client);
+		if (scopeError) return scopeError;
+		const pkceError = this.#validatePkce(input);
+		if (pkceError) return pkceError;
+		if (!input.userId) return { type: "login_required" };
+		return this.#resolveConsent(manager, {
+			...input,
+			userId: input.userId
+		}, client, requestedScopes);
+	}
+	/**
+	* Validate requested scopes against server config, client
+	* permissions, and OIDC availability.
+	*/
+	#validateScopes(manager, scopes, client) {
+		const invalidScopes = manager.validateScopes(scopes);
+		if (invalidScopes.length > 0) return {
+			type: "redirect_error",
+			error: "invalid_scope",
+			description: `Invalid scopes: ${invalidScopes.join(", ")}`
+		};
+		const clientService = new ClientService();
+		try {
+			clientService.validateClientScopes(scopes, client.scopes);
+		} catch (err) {
+			return {
+				type: "redirect_error",
+				error: "invalid_scope",
+				description: err.message
+			};
+		}
+		if (manager.usesOidcScopes(scopes) && !manager.isOidcEnabled) return {
+			type: "redirect_error",
+			error: "invalid_scope",
+			description: "OIDC scopes require OIDC to be configured (set jwk and oidcProvider in config)"
+		};
+		return null;
+	}
+	/**
+	* Ensure PKCE code_challenge is present and uses S256
+	* (mandatory per OAuth 2.1).
+	*/
+	#validatePkce(input) {
+		if (!input.codeChallenge) return {
+			type: "redirect_error",
+			error: "invalid_request",
+			description: "PKCE code_challenge is required"
+		};
+		if (input.codeChallengeMethod !== "S256") return {
+			type: "redirect_error",
+			error: "invalid_request",
+			description: "Only S256 code_challenge_method is supported"
+		};
+		return null;
+	}
+	/**
+	* Check if the user has already consented to all requested
+	* scopes. If so, issue the code directly. Otherwise, create
+	* a pending authorization request for the consent page.
+	*/
+	async #resolveConsent(manager, input, client, scopes) {
+		const existingConsent = await OAuthConsent.query().where("clientId", client.clientId).where("userId", input.userId).first();
+		if (existingConsent) {
+			const consentedSet = new Set(existingConsent.scopes);
+			if (scopes.every((s) => consentedSet.has(s))) return {
+				type: "authorized",
+				code: await new IssueAuthorizationCodeAction().execute(manager, {
+					client,
+					userId: input.userId,
+					scopes,
+					redirectUri: input.redirectUri,
+					codeChallenge: input.codeChallenge,
+					codeChallengeMethod: input.codeChallengeMethod,
+					nonce: input.nonce
+				})
+			};
+		}
+		return {
+			type: "consent_required",
+			authToken: await this.#createPendingRequest(manager, input, client.clientId, scopes),
+			scopes
+		};
+	}
+	/**
+	* Store the authorization request in the database so it can
+	* be consumed atomically by the consent controller.
+	*/
+	async #createPendingRequest(manager, input, clientId, scopes) {
+		const tokenService = new TokenService(manager);
+		const rawToken = tokenService.generateOpaqueToken();
+		const ttl = string.seconds.parse(manager.config.authorizationRequestTtl);
+		await OAuthPendingAuthorizationRequest.create({
+			id: crypto.randomUUID(),
+			token: tokenService.hashToken(rawToken),
+			userId: input.userId,
+			clientId,
+			redirectUri: input.redirectUri,
+			scopes,
+			state: input.state ?? null,
+			codeChallenge: input.codeChallenge ?? null,
+			codeChallengeMethod: input.codeChallengeMethod ?? null,
+			nonce: input.nonce ?? null,
+			expiresAt: DateTime.now().plus({ seconds: ttl })
+		});
+		return rawToken;
+	}
+};
+//#endregion
+//#region src/controllers/authorize_controller.ts
+/**
+* Handles the OAuth 2.0 Authorization Endpoint (RFC 6749 §3.1).
+*
+* Validates HTTP parameters, delegates business logic to
+* AuthorizeAction, and interprets the result as redirects.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.1
+*/
+var AuthorizeController = class AuthorizeController {
+	static validator = vine.create({
+		client_id: vine.string(),
+		response_type: vine.string(),
+		redirect_uri: vine.string(),
+		scope: vine.string().optional(),
+		state: vine.string().optional(),
+		code_challenge: vine.string().optional(),
+		code_challenge_method: vine.string().optional(),
+		nonce: vine.string().optional()
+	});
+	/**
+	* Validate the authorization request query params, run the
+	* authorize action, and redirect based on the result.
+	*/
+	async handle(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		const [error, query] = await AuthorizeController.validator.tryValidate(ctx.request.qs());
+		if (error) throw new E_INVALID_REQUEST("Invalid authorization request parameters");
+		await ctx.auth.check();
+		const user = ctx.auth.user;
+		const result = await new AuthorizeAction().execute(manager, {
+			clientId: query.client_id,
+			responseType: query.response_type,
+			redirectUri: query.redirect_uri,
+			scope: query.scope,
+			state: query.state,
+			codeChallenge: query.code_challenge,
+			codeChallengeMethod: query.code_challenge_method,
+			nonce: query.nonce,
+			userId: user ? String(user.id) : void 0
+		});
+		if (result.type === "redirect_error") return this.#redirectToClient(ctx, {
+			issuer: manager.config.issuer,
+			redirectUri: query.redirect_uri,
+			state: query.state,
+			params: {
+				error: result.error,
+				error_description: result.description
+			}
+		});
+		if (result.type === "login_required") {
+			const params = this.#buildDisplayParams(ctx);
+			const url = this.#resolvePageUrl(manager.config.loginPage, ctx, params);
+			return ctx.response.redirect().toPath(url);
+		}
+		if (result.type === "consent_required") {
+			const params = this.#buildDisplayParams(ctx);
+			params.set("auth_token", result.authToken);
+			params.set("scope", result.scopes.join(" "));
+			const url = this.#resolvePageUrl(manager.config.consentPage, ctx, params);
+			return ctx.response.redirect().toPath(url);
+		}
+		return this.#redirectToClient(ctx, {
+			issuer: manager.config.issuer,
+			redirectUri: query.redirect_uri,
+			state: query.state,
+			params: { code: result.code }
+		});
+	}
+	/**
+	* Build a redirect URL with OAuth params, state, and issuer,
+	* then redirect the user agent to the client's redirect_uri.
+	*/
+	#redirectToClient(ctx, options) {
+		const url = new URL(options.redirectUri);
+		for (const [key, value] of Object.entries(options.params)) url.searchParams.set(key, value);
+		if (options.state) url.searchParams.set("state", options.state);
+		url.searchParams.set("iss", options.issuer);
+		return ctx.response.redirect().toPath(url.toString());
+	}
+	/**
+	* Forward original authorize query params so the
+	* login/consent page can display them.
+	*/
+	#buildDisplayParams(ctx) {
+		const params = new URLSearchParams();
+		for (const [key, value] of Object.entries(ctx.request.qs())) {
+			if (key === "auth_token" || value == null) continue;
+			params.set(key, String(value));
+		}
+		return params;
+	}
+	/**
+	* Resolve a login/consent page URL from either a static
+	* string path or a dynamic function.
+	*/
+	#resolvePageUrl(page, ctx, params) {
+		if (typeof page === "function") return page(ctx, params);
+		return `${page}?${params.toString()}`;
+	}
+};
+//#endregion
+export { AuthorizeController as default };

package/build/chunk-DF48asd8.js

@@ -0,0 +1,9 @@
+import "node:module";
+Object.create;
+Object.defineProperty;
+Object.getOwnPropertyDescriptor;
+Object.getOwnPropertyNames;
+Object.getPrototypeOf;
+Object.prototype.hasOwnProperty;
+//#endregion
+export {};

package/build/{client_info_controller-BucHGx4u.js → client_info_controller-AcOG8lWu.js}

@@ -1,7 +1,14 @@
-import "./decorate-BKZEjPRg.js";
-import { o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
+import "./chunk-DF48asd8.js";
+import { t as OAuthClient } from "./oauth_client-BSanvSql.js";
+import { o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-C7UhDb2q.js";
 import vine from "@vinejs/vine";
+//#region src/controllers/client_info_controller.ts
+/**
+* Returns public information about an OAuth client.
+* Used by the consent page to display the client's name
+* from server-side data rather than query parameters
+* (RFC 6819 §4.4.1.4 — prevent client identity spoofing).
+*/
 var ClientInfoController = class ClientInfoController {
 	static validator = vine.create({ client_id: vine.string() });
 	async handle(ctx) {
@@ -15,4 +22,5 @@ var ClientInfoController = class ClientInfoController {
 		};
 	}
 };
+//#endregion
 export { ClientInfoController as default };

package/build/commands/sesame_client.d.ts

@@ -0,0 +1,20 @@
+import { BaseCommand } from '@adonisjs/core/ace';
+import type { CommandOptions } from '@adonisjs/core/types/ace';
+/**
+ * Interactively create a new OAuth client.
+ *
+ * Prompts for name, redirect URIs, client type, and scopes,
+ * then outputs the generated client_id and client_secret.
+ */
+export default class SesameClient extends BaseCommand {
+    static commandName: string;
+    static description: string;
+    static options: CommandOptions;
+    public: boolean;
+    name: string;
+    redirectUris: string[];
+    scopes: string[];
+    grantTypes: string[];
+    userId: string;
+    run(): Promise<void>;
+}

package/build/commands/sesame_key.d.ts

@@ -0,0 +1,12 @@
+import { BaseCommand } from '@adonisjs/core/ace';
+/**
+ * Generate an RSA JWK key pair for signing OIDC ID tokens.
+ */
+export default class SesameKey extends BaseCommand {
+    #private;
+    static commandName: string;
+    static description: string;
+    raw: boolean;
+    writeEnv: boolean;
+    run(): Promise<boolean | void>;
+}

package/build/commands/sesame_purge.d.ts

@@ -7,8 +7,6 @@ import type { CommandOptions } from '@adonisjs/core/types/ace';
  * or `--expired` to target only one category. Expired tokens are
  * retained for a configurable period (default 168h / 7 days) to
  * allow for debugging and audit trails.
- *
- * @see https://datatracker.ietf.org/doc/html/rfc6749
  */
 export default class SesamePurge extends BaseCommand {
     static commandName: string;

package/build/commands/sesame_purge.js

@@ -1,7 +1,18 @@
-import { t as SesameManager } from "../sesame_manager-C-eEFFHM.js";
-import { t as __decorate } from "../decorate-BKZEjPRg.js";
-import "../oauth_access_token-bsoM5KeU.js";
+import "../chunk-DF48asd8.js";
+import { t as SesameManager } from "../sesame_manager-DYUSZ0NC.js";
+import { n as __decorate } from "../oauth_client-BSanvSql.js";
+import "../oauth_error-C7UhDb2q.js";
+import "../oauth_access_token-Cz_5gNBx.js";
 import { BaseCommand, flags } from "@adonisjs/core/ace";
+//#region commands/sesame_purge.ts
+/**
+* Purge revoked and/or expired OAuth tokens and authorization codes.
+*
+* By default, purges both revoked and expired records. Use `--revoked`
+* or `--expired` to target only one category. Expired tokens are
+* retained for a configurable period (default 168h / 7 days) to
+* allow for debugging and audit trails.
+*/
 var SesamePurge = class extends BaseCommand {
 	static commandName = "sesame:purge";
 	static description = "Purge revoked and/or expired tokens and authorization codes";
@@ -25,4 +36,5 @@ __decorate([flags.number({
 	description: "Number of hours to retain expired tokens (default: 168 = 7 days)",
 	default: 168
 })], SesamePurge.prototype, "hours", void 0);
+//#endregion
 export { SesamePurge as default };

package/build/configure-DkDkIlt8.js

@@ -0,0 +1,27 @@
+import { join } from "node:path";
+//#region configure.ts
+async function configure(command) {
+	const codemods = await command.createCodemods();
+	const stubsRoot = join(import.meta.dirname, "stubs");
+	await codemods.makeUsingStub(stubsRoot, "config/sesame.stub", {});
+	for (const stub of [
+		"migrations/create_oauth_clients_table.stub",
+		"migrations/create_oauth_authorization_codes_table.stub",
+		"migrations/create_oauth_access_tokens_table.stub",
+		"migrations/create_oauth_refresh_tokens_table.stub",
+		"migrations/create_oauth_consents_table.stub",
+		"migrations/create_oauth_pending_authorization_requests_table.stub"
+	]) await codemods.makeUsingStub(stubsRoot, stub, {});
+	await codemods.updateRcFile((rcFile) => {
+		rcFile.addProvider("@julr/sesame/sesame_provider").addCommand("@julr/sesame/commands");
+	});
+	await codemods.registerMiddleware("named", [{
+		name: "scopes",
+		path: "@julr/sesame/scope_middleware"
+	}, {
+		name: "anyScope",
+		path: "@julr/sesame/any_scope_middleware"
+	}]);
+}
+//#endregion
+export { configure as t };

package/build/configure.js

@@ -1,25 +1,3 @@
-import { join } from "node:path";
-async function configure(command) {
-	const codemods = await command.createCodemods();
-	const stubsRoot = join(import.meta.url, "./stubs");
-	await codemods.makeUsingStub(stubsRoot, "config/sesame.stub", {});
-	for (const stub of [
-		"migrations/create_oauth_clients_table.stub",
-		"migrations/create_oauth_authorization_codes_table.stub",
-		"migrations/create_oauth_access_tokens_table.stub",
-		"migrations/create_oauth_refresh_tokens_table.stub",
-		"migrations/create_oauth_consents_table.stub",
-		"migrations/create_oauth_pending_authorization_requests_table.stub"
-	]) await codemods.makeUsingStub(stubsRoot, stub, {});
-	await codemods.updateRcFile((rcFile) => {
-		rcFile.addProvider("@julr/sesame/sesame_provider").addCommand("@julr/sesame/commands");
-	});
-	await codemods.registerMiddleware("named", [{
-		name: "scopes",
-		path: "@julr/sesame/scope_middleware"
-	}, {
-		name: "anyScope",
-		path: "@julr/sesame/any_scope_middleware"
-	}]);
-}
+import "./chunk-DF48asd8.js";
+import { t as configure } from "./configure-DkDkIlt8.js";
 export { configure };

package/build/consent_controller-Dsdhv6-f.js

@@ -0,0 +1,108 @@
+import "./chunk-DF48asd8.js";
+import { n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-DYUSZ0NC.js";
+import { t as OAuthClient } from "./oauth_client-BSanvSql.js";
+import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-C7UhDb2q.js";
+import "./oauth_access_token-Cz_5gNBx.js";
+import { t as TokenService } from "./token_service-DwnfAR9F.js";
+import { t as IssueAuthorizationCodeAction } from "./issue_authorization_code-B9ERu1uO.js";
+import { DateTime } from "luxon";
+import vine from "@vinejs/vine";
+//#region src/controllers/consent_controller.ts
+/**
+* Handles user consent submission for the OAuth authorization flow.
+*
+* When a user approves access, this controller stores or updates
+* the consent record and issues an authorization code via redirect.
+* When the user denies access, it redirects back to the client
+* with an `access_denied` error.
+*
+* Consent records are persisted so that returning users are not
+* prompted again for previously approved scopes.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
+*/
+var ConsentController = class ConsentController {
+	static validator = vine.create({ auth_token: vine.string() });
+	/**
+	* Validate the consent submission, consume the pending
+	* request, and redirect back to the client with either
+	* an authorization code or an access_denied error.
+	*/
+	async handle(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		await ctx.auth.check();
+		const user = ctx.auth.user;
+		if (!user) throw new E_INVALID_REQUEST("User must be authenticated");
+		const [error, body] = await ConsentController.validator.tryValidate(ctx.request.body());
+		if (error) throw new E_INVALID_REQUEST("Missing required parameter: auth_token");
+		const userId = String(user.id);
+		const hashedToken = new TokenService(manager).hashToken(body.auth_token);
+		const pendingRequest = await this.#consumePendingRequest(hashedToken, userId);
+		if (!pendingRequest) throw new E_INVALID_GRANT("Authorization request not found or expired");
+		const client = await OAuthClient.query().where("clientId", pendingRequest.clientId).first();
+		if (!client) throw new E_INVALID_CLIENT("Client not found");
+		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
+		if (!client.redirectUris.includes(pendingRequest.redirectUri)) throw new E_INVALID_REQUEST("Invalid redirect_uri");
+		if (!ctx.request.body().accept) return this.#redirectWithDenied(ctx, manager, pendingRequest);
+		await this.#persistConsent(client.clientId, userId, pendingRequest.scopes);
+		const code = await new IssueAuthorizationCodeAction().execute(manager, {
+			client,
+			userId,
+			scopes: pendingRequest.scopes,
+			redirectUri: pendingRequest.redirectUri,
+			codeChallenge: pendingRequest.codeChallenge ?? void 0,
+			codeChallengeMethod: pendingRequest.codeChallengeMethod ?? void 0,
+			nonce: pendingRequest.nonce ?? void 0
+		});
+		const url = new URL(pendingRequest.redirectUri);
+		url.searchParams.set("code", code);
+		if (pendingRequest.state) url.searchParams.set("state", pendingRequest.state);
+		url.searchParams.set("iss", manager.config.issuer);
+		return ctx.response.redirect().toPath(url.toString());
+	}
+	/**
+	* Atomically consume a pending authorization request.
+	* Uses DELETE-by-PK with affected-row check to prevent
+	* concurrent consent submissions from producing two
+	* authorization codes.
+	*/
+	async #consumePendingRequest(hashedToken, userId) {
+		const row = await OAuthPendingAuthorizationRequest.query().where("token", hashedToken).where("userId", userId).where("expiresAt", ">", DateTime.now().toSQL()).first();
+		if (!row) return null;
+		const deleted = await OAuthPendingAuthorizationRequest.query().where("id", row.id).delete();
+		if ((Array.isArray(deleted) ? Number(deleted[0]) : Number(deleted)) === 0) return null;
+		return row;
+	}
+	/**
+	* Persist or merge consent so future authorization requests
+	* for the same client skip the consent screen.
+	*/
+	async #persistConsent(clientId, userId, scopes) {
+		const existingConsent = await OAuthConsent.query().where("clientId", clientId).where("userId", userId).first();
+		if (existingConsent) {
+			existingConsent.scopes = [...new Set([...existingConsent.scopes, ...scopes])];
+			await existingConsent.save();
+			return;
+		}
+		await OAuthConsent.create({
+			id: crypto.randomUUID(),
+			clientId,
+			userId,
+			scopes
+		});
+	}
+	/**
+	* Redirect back to the client with an access_denied error
+	* when the user denies the authorization request.
+	*/
+	#redirectWithDenied(ctx, manager, pendingRequest) {
+		const url = new URL(pendingRequest.redirectUri);
+		url.searchParams.set("error", "access_denied");
+		url.searchParams.set("error_description", "The user denied the authorization request");
+		if (pendingRequest.state) url.searchParams.set("state", pendingRequest.state);
+		url.searchParams.set("iss", manager.config.issuer);
+		return ctx.response.redirect().toPath(url.toString());
+	}
+};
+//#endregion
+export { ConsentController as default };

package/build/id_token_service-CpTzOUDe.js

@@ -0,0 +1,54 @@
+import { l as RESERVED_OIDC_CLAIMS } from "./sesame_manager-DYUSZ0NC.js";
+import { createHash } from "node:crypto";
+import string from "@adonisjs/core/helpers/string";
+//#region src/services/id_token_service.ts
+/**
+* Builds and signs OIDC `id_token` JWTs.
+*/
+var IdTokenService = class IdTokenService {
+	#manager;
+	constructor(manager) {
+		this.#manager = manager;
+	}
+	/**
+	* Compute `at_hash` — left half of SHA-256 hash of the access token, base64url-encoded.
+	* @see OIDC Core §3.1.3.6
+	*/
+	static computeAtHash(accessToken) {
+		const hash = createHash("sha256").update(accessToken).digest();
+		return hash.subarray(0, hash.length / 2).toString("base64url");
+	}
+	/**
+	* Filter out reserved claims that the server owns.
+	*/
+	static filterReservedClaims(claims) {
+		const filtered = {};
+		for (const [key, value] of Object.entries(claims)) if (!RESERVED_OIDC_CLAIMS.has(key)) filtered[key] = value;
+		return filtered;
+	}
+	/**
+	* Resolve user OIDC claims by calling `getOidcClaims` if present,
+	* then filtering out reserved protocol claims.
+	*/
+	static async resolveUserClaims(user, scopes) {
+		const rawClaims = typeof user?.getOidcClaims === "function" ? await user.getOidcClaims(scopes) : {};
+		return IdTokenService.filterReservedClaims(rawClaims);
+	}
+	async sign(options) {
+		const now = Math.floor(Date.now() / 1e3);
+		const ttlSeconds = string.seconds.parse(this.#manager.config.idTokenTtl);
+		const payload = {
+			...await IdTokenService.resolveUserClaims(options.user, options.scopes),
+			iss: this.#manager.config.issuer,
+			sub: String(options.sub),
+			aud: options.clientId,
+			iat: now,
+			exp: now + ttlSeconds,
+			at_hash: IdTokenService.computeAtHash(options.accessToken)
+		};
+		if (options.nonce) payload.nonce = options.nonce;
+		return this.#manager.keyService.sign(payload);
+	}
+};
+//#endregion
+export { IdTokenService as t };

package/build/index.d.ts

@@ -1,7 +1,7 @@
 export { configure } from './configure.ts';
 export { defineConfig } from './src/define_config.ts';
 export { SesameManager } from './src/sesame_manager.ts';
-export { OAuthError, E_INVALID_REQUEST, E_INVALID_CLIENT, E_INVALID_GRANT, E_INVALID_SCOPE, E_INVALID_TOKEN, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, E_ACCESS_DENIED, E_INVALID_CLIENT_METADATA, E_SERVER_ERROR, E_INSUFFICIENT_SCOPE, } from './src/oauth_error.ts';
+export type { CreateClientOptions, CreateClientResult, UpdateClientOptions } from './src/types.ts';
 export { OAuthClient } from './src/models/oauth_client.ts';
 export { OAuthAccessToken } from './src/models/oauth_access_token.ts';
 export { OAuthRefreshToken } from './src/models/oauth_refresh_token.ts';

package/build/index.js

@@ -1,11 +1,26 @@
-import { configure } from "./configure.js";
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-C-eEFFHM.js";
-import "./decorate-BKZEjPRg.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { a as E_INVALID_GRANT, c as E_INVALID_TOKEN, d as E_UNSUPPORTED_RESPONSE_TYPE, f as OAuthError, i as E_INVALID_CLIENT_METADATA, l as E_SERVER_ERROR, n as E_INSUFFICIENT_SCOPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
-import "./token_service-fhoA4slP.js";
-import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "./main-B3M6ihoS.js";
+import "./chunk-DF48asd8.js";
+import { t as configure } from "./configure-DkDkIlt8.js";
+import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, r as OAuthConsent, t as SesameManager } from "./sesame_manager-DYUSZ0NC.js";
+import { t as OAuthClient } from "./oauth_client-BSanvSql.js";
+import "./oauth_error-C7UhDb2q.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-Cz_5gNBx.js";
+import "./token_service-DwnfAR9F.js";
+import { i as OAuthGuard, n as oauthUserProvider, r as OAuthLucidUserProvider, t as oauthGuard } from "./main-DGBJhq3E.js";
+//#region src/define_config.ts
+/**
+* Resolve user-supplied `SesameConfig` into a `ResolvedSesameConfig`
+* by applying sensible defaults for all optional fields.
+*
+* Defaults:
+* - `scopes`: `{}`
+* - `defaultScopes`: `[]`
+* - `grantTypes`: `['authorization_code', 'refresh_token']`
+* - `accessTokenTtl`: `'1h'`
+* - `refreshTokenTtl`: `'30d'`
+* - `authorizationCodeTtl`: `'10m'`
+* - `allowDynamicRegistration`: `false`
+* - `allowPublicRegistration`: `false`
+*/
 function defineConfig(config) {
 	return {
 		issuer: config.issuer,
@@ -15,12 +30,17 @@ function defineConfig(config) {
 		accessTokenTtl: config.accessTokenTtl ?? "1h",
 		clientCredentialsAccessTokenTtl: config.clientCredentialsAccessTokenTtl ?? config.accessTokenTtl ?? "1h",
 		refreshTokenTtl: config.refreshTokenTtl ?? "30d",
+		refreshTokenRotationGracePeriod: config.refreshTokenRotationGracePeriod ?? 120,
 		authorizationCodeTtl: config.authorizationCodeTtl ?? "10m",
 		authorizationRequestTtl: config.authorizationRequestTtl ?? config.authorizationCodeTtl ?? "10m",
 		loginPage: config.loginPage,
 		consentPage: config.consentPage,
 		allowDynamicRegistration: config.allowDynamicRegistration ?? false,
-		allowPublicRegistration: config.allowPublicRegistration ?? false
+		allowPublicRegistration: config.allowPublicRegistration ?? false,
+		jwk: config.jwk,
+		oidcProvider: config.oidcProvider,
+		idTokenTtl: config.idTokenTtl ?? "1h"
 	};
 }
-export { E_ACCESS_DENIED, E_INSUFFICIENT_SCOPE, E_INVALID_CLIENT, E_INVALID_CLIENT_METADATA, E_INVALID_GRANT, E_INVALID_REQUEST, E_INVALID_SCOPE, E_INVALID_TOKEN, E_SERVER_ERROR, E_UNSUPPORTED_GRANT_TYPE, E_UNSUPPORTED_RESPONSE_TYPE, OAuthAccessToken, OAuthAuthorizationCode, OAuthClient, OAuthConsent, OAuthError, OAuthGuard, OAuthLucidUserProvider, OAuthRefreshToken, SesameManager, configure, defineConfig, oauthGuard, oauthUserProvider };
+//#endregion
+export { OAuthAccessToken, OAuthAuthorizationCode, OAuthClient, OAuthConsent, OAuthGuard, OAuthLucidUserProvider, OAuthRefreshToken, SesameManager, configure, defineConfig, oauthGuard, oauthUserProvider };