@julr/sesame 0.5.1 → 0.6.0

package/build/{introspect_controller-6bRt9sZt.js → introspect_controller-DvOp9scr.js}

@@ -1,11 +1,24 @@
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
-import "./decorate-BKZEjPRg.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import "./oauth_error-CnJ3L8tf.js";
-import "./oauth_client-BIoY5jBR.js";
-import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-WTNMqWzY.js";
+import "./chunk-DF48asd8.js";
+import { a as OAuthRefreshToken, o as ClientService, t as SesameManager } from "./sesame_manager-DYUSZ0NC.js";
+import "./oauth_client-BSanvSql.js";
+import "./oauth_error-C7UhDb2q.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-Cz_5gNBx.js";
+import { t as TokenService } from "./token_service-DwnfAR9F.js";
+//#region src/controllers/introspect_controller.ts
 const INACTIVE = { active: false };
+/**
+* Handles the OAuth 2.0 Token Introspection Endpoint (RFC 7662).
+*
+* Allows an authenticated client to determine the active state and
+* metadata of a token (access token or refresh token). The response
+* always includes at least `{ active: boolean }`.
+*
+* Supports the `token_type_hint` parameter to optimize lookup order.
+* Both access tokens and refresh tokens are opaque values looked up
+* by their SHA-256 hash in the database.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7662
+*/
 var IntrospectController = class {
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
@@ -51,4 +64,5 @@ var IntrospectController = class {
 		return INACTIVE;
 	}
 };
+//#endregion
 export { IntrospectController as default };

package/build/issue_authorization_code-B9ERu1uO.js

@@ -0,0 +1,40 @@
+import { i as OAuthAuthorizationCode } from "./sesame_manager-DYUSZ0NC.js";
+import { t as TokenService } from "./token_service-DwnfAR9F.js";
+import { DateTime } from "luxon";
+import string from "@adonisjs/core/helpers/string";
+//#region src/actions/issue_authorization_code.ts
+/**
+* Create and persist an authorization code in the database.
+* Returns the raw (unhashed) code to be sent to the client.
+*
+* Shared between the authorize and consent flows to avoid
+* duplicating the code-issuance logic.
+*/
+var IssueAuthorizationCodeAction = class {
+	/**
+	* Generate an opaque authorization code, store its SHA-256
+	* hash in the database, and return the raw value for the
+	* client redirect.
+	*/
+	async execute(manager, input) {
+		const tokenService = new TokenService(manager);
+		const raw = tokenService.generateOpaqueToken();
+		const hashed = tokenService.hashToken(raw);
+		const ttl = string.seconds.parse(manager.config.authorizationCodeTtl);
+		await OAuthAuthorizationCode.create({
+			id: crypto.randomUUID(),
+			code: hashed,
+			clientId: input.client.clientId,
+			userId: input.userId,
+			scopes: input.scopes,
+			redirectUri: input.redirectUri,
+			codeChallenge: input.codeChallenge ?? null,
+			codeChallengeMethod: input.codeChallengeMethod ?? null,
+			nonce: input.nonce ?? null,
+			expiresAt: DateTime.now().plus({ seconds: ttl })
+		});
+		return raw;
+	}
+};
+//#endregion
+export { IssueAuthorizationCodeAction as t };

package/build/jwks_controller-keo4kBZc.js

@@ -0,0 +1,26 @@
+import "./chunk-DF48asd8.js";
+import { t as SesameManager } from "./sesame_manager-DYUSZ0NC.js";
+import "./oauth_client-BSanvSql.js";
+import "./oauth_error-C7UhDb2q.js";
+import "./oauth_access_token-Cz_5gNBx.js";
+//#region src/controllers/jwks_controller.ts
+/**
+* Serves the JSON Web Key Set (JWKS) containing public keys
+* used to verify ID token signatures.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7517
+*/
+var JwksController = class {
+	async handle(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		if (!manager.isOidcEnabled) {
+			ctx.response.status(404);
+			return { error: "OIDC is not configured" };
+		}
+		ctx.response.header("Cache-Control", "public, max-age=900");
+		ctx.response.header("Content-Type", "application/jwk-set+json");
+		return manager.keyService.getPublicJwks();
+	}
+};
+//#endregion
+export { JwksController as default };

package/build/{main-EbeMS5S9.js → main-DGBJhq3E.js}

@@ -1,9 +1,17 @@
-import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
-import { t as TokenService } from "./token_service-fhoA4slP.js";
+import { t as OAuthClient } from "./oauth_client-BSanvSql.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-Cz_5gNBx.js";
+import { t as TokenService } from "./token_service-DwnfAR9F.js";
 import { DateTime } from "luxon";
 import { RuntimeException } from "@adonisjs/core/exceptions";
 import { errors } from "@adonisjs/auth";
+//#region src/guard/guard.ts
+/**
+* OAuth 2.0 guard for `@adonisjs/auth`.
+*
+* Verifies opaque Bearer tokens against the database,
+* checks revocation and expiry, loads the real User model
+* via the provider, and exposes OAuth-specific data (scopes, clientId).
+*/
 var OAuthGuard = class {
 	driverName = "oauth";
 	authenticationAttempted = false;
@@ -91,6 +99,13 @@ var OAuthGuard = class {
 	hasAnyScope(...scopes) {
 		return scopes.some((s) => this.scopes.includes(s));
 	}
+	/**
+	* Used internally by Japa's `loginAs` helper during testing.
+	* Creates a test client and access token in DB, then returns
+	* the authorization headers for the test HTTP client to use.
+	*
+	* @see https://docs.adonisjs.com/guides/auth/custom-auth-guard#implementing-the-guard
+	*/
 	async authenticateAsClient(user) {
 		const tokenService = new TokenService(this.#manager);
 		const defaultScopes = this.#manager.config.defaultScopes;
@@ -117,6 +132,12 @@ var OAuthGuard = class {
 		return { headers: { authorization: `Bearer ${raw}` } };
 	}
 };
+//#endregion
+//#region src/guard/user_provider.ts
+/**
+* Lucid-based user provider for the OAuth guard.
+* Lazily loads the model and wraps instances as guard users.
+*/
 var OAuthLucidUserProvider = class {
 	#model;
 	#options;
@@ -147,15 +168,24 @@ var OAuthLucidUserProvider = class {
 		return this.createUserForGuard(user);
 	}
 };
+//#endregion
+//#region src/guard/main.ts
+/**
+* Configure the OAuth guard for `@adonisjs/auth`.
+*/
 function oauthGuard(config) {
 	return { async resolver(name, app) {
 		const emitter = await app.container.make("emitter");
-		const { SesameManager } = await import("./sesame_manager-Bu4MHqZV.js");
+		const { SesameManager } = await import("./sesame_manager-B1Jgq1v2.js");
 		const manager = await app.container.make(SesameManager);
 		return (ctx) => new OAuthGuard(name, ctx, emitter, config.provider, manager, config.resource);
 	} };
 }
+/**
+* Create a Lucid-based user provider for the OAuth guard.
+*/
 function oauthUserProvider(options) {
 	return new OAuthLucidUserProvider(options);
 }
+//#endregion
 export { OAuthGuard as i, oauthUserProvider as n, OAuthLucidUserProvider as r, oauthGuard as t };

package/build/{metadata_controller-DeaMRnUr.js → metadata_controller-BVsTo0Gp.js}

@@ -1,7 +1,9 @@
-import { o as BUILTIN_SCOPES, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
-import "./decorate-BKZEjPRg.js";
-import "./oauth_access_token-bsoM5KeU.js";
-import { l as E_SERVER_ERROR } from "./oauth_error-CnJ3L8tf.js";
+import "./chunk-DF48asd8.js";
+import { s as BUILTIN_SCOPES, t as SesameManager } from "./sesame_manager-DYUSZ0NC.js";
+import "./oauth_client-BSanvSql.js";
+import { l as E_SERVER_ERROR } from "./oauth_error-C7UhDb2q.js";
+import "./oauth_access_token-Cz_5gNBx.js";
+//#region src/controllers/metadata_controller.ts
 const DISCOVERY_ROUTE_NAMES = {
 	authorization_endpoint: "sesame.authorize",
 	token_endpoint: "sesame.token",
@@ -9,6 +11,22 @@ const DISCOVERY_ROUTE_NAMES = {
 	introspection_endpoint: "sesame.introspect",
 	revocation_endpoint: "sesame.revoke"
 };
+const OIDC_DISCOVERY_ROUTE_NAMES = {
+	userinfo_endpoint: "sesame.userinfo",
+	jwks_uri: "sesame.jwks"
+};
+/**
+* Serves OAuth 2.0 discovery metadata documents.
+*
+* Exposes three well-known endpoints:
+* - `authServer()` — OAuth Authorization Server Metadata (RFC 8414)
+* - `oidc()` — OpenID Connect Discovery 1.0 (extends authServer metadata)
+* - `protectedResource()` — OAuth Protected Resource Metadata (RFC 9728)
+*
+* @see https://datatracker.ietf.org/doc/html/rfc8414
+* @see https://datatracker.ietf.org/doc/html/rfc9728
+* @see https://openid.net/specs/openid-connect-discovery-1_0.html
+*/
 var MetadataController = class {
 	#assertDiscoveryRoutes(router, options) {
 		const requiredRoutes = [
@@ -21,6 +39,19 @@ var MetadataController = class {
 		const missingRoutes = requiredRoutes.filter((routeName) => !router.has(routeName));
 		if (missingRoutes.length > 0) throw new E_SERVER_ERROR(`OAuth discovery is misconfigured. Missing named route(s): ${missingRoutes.join(", ")}. Register OAuth routes with sesame.registerRoutes(router) before exposing well-known metadata.`);
 	}
+	#assertOidcDiscoveryRoutes(router) {
+		const missingRoutes = Object.values(OIDC_DISCOVERY_ROUTE_NAMES).filter((routeName) => !router.has(routeName));
+		if (missingRoutes.length > 0) throw new E_SERVER_ERROR(`OIDC discovery is misconfigured. Missing named route(s): ${missingRoutes.join(", ")}. Register OAuth routes with sesame.registerRoutes(router) and sesame.registerWellKnownRoutes(router) before exposing OpenID discovery.`);
+	}
+	/**
+	* OAuth 2.0 Authorization Server Metadata (RFC 8414).
+	*
+	* Returns a JSON document describing the server's endpoints,
+	* supported grant types, response types, authentication methods,
+	* and PKCE support.
+	*
+	* @see https://datatracker.ietf.org/doc/html/rfc8414#section-2
+	*/
 	async authServer(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
 		const router = await ctx.containerResolver.make("router");
@@ -57,15 +88,60 @@ var MetadataController = class {
 			authorization_response_iss_parameter_supported: true
 		};
 	}
+	/**
+	* OpenID Connect Discovery 1.0 metadata.
+	*
+	* Extends the authorization server metadata with OIDC-specific
+	* fields like `subject_types_supported` and
+	* `id_token_signing_alg_values_supported`.
+	*
+	* @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+	*/
 	async oidc(ctx) {
-		const base = await this.authServer(ctx);
 		const manager = await ctx.containerResolver.make(SesameManager);
+		if (!manager.isOidcEnabled) {
+			ctx.response.status(404);
+			return { error: "OIDC is not configured" };
+		}
+		const base = await this.authServer(ctx);
+		const router = await ctx.containerResolver.make("router");
+		const prefixUrl = manager.config.issuer;
+		this.#assertOidcDiscoveryRoutes(router);
 		return {
 			...base,
+			userinfo_endpoint: router.makeUrl("sesame.userinfo", {}, { prefixUrl }),
+			jwks_uri: router.makeUrl("sesame.jwks", {}, { prefixUrl }),
 			subject_types_supported: ["public"],
-			scopes_supported: [...Object.keys(manager.config.scopes), ...BUILTIN_SCOPES]
+			id_token_signing_alg_values_supported: ["RS256"],
+			scopes_supported: [...new Set([
+				"openid",
+				"profile",
+				"email",
+				...Object.keys(manager.config.scopes),
+				...BUILTIN_SCOPES
+			])],
+			claims_supported: [
+				"sub",
+				"iss",
+				"aud",
+				"exp",
+				"iat",
+				"nonce",
+				"at_hash"
+			],
+			response_types_supported: ["code"]
 		};
 	}
+	/**
+	* OAuth 2.0 Protected Resource Metadata (RFC 9728).
+	*
+	* Returns a JSON document that tells clients which authorization
+	* servers protect this resource, which scopes are available, and
+	* how to present bearer tokens. Used by MCP clients to discover
+	* the authorization server.
+	*
+	* @see https://datatracker.ietf.org/doc/html/rfc9728
+	*/
 	async protectedResource(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
 		const issuer = manager.config.issuer;
@@ -78,4 +154,5 @@ var MetadataController = class {
 		};
 	}
 };
+//#endregion
 export { MetadataController as default };

package/build/{oauth_access_token-bsoM5KeU.js → oauth_access_token-Cz_5gNBx.js}

@@ -1,5 +1,15 @@
-import { n as json, t as __decorate } from "./decorate-BKZEjPRg.js";
+import { n as __decorate, r as json } from "./oauth_client-BSanvSql.js";
 import { BaseModel, column } from "@adonisjs/lucid/orm";
+//#region src/models/oauth_access_token.ts
+/**
+* Database record for an issued OAuth 2.0 access token.
+*
+* Access tokens are opaque random values. Only the SHA-256 hash
+* is stored so raw tokens cannot be reconstructed from a DB leak.
+* A token is considered revoked when `revokedAt` is set.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7662
+*/
 var OAuthAccessToken = class extends BaseModel {
 	static table = "oauth_access_tokens";
 };
@@ -15,4 +25,5 @@ __decorate([column.dateTime({
 	autoCreate: true,
 	autoUpdate: true
 })], OAuthAccessToken.prototype, "updatedAt", void 0);
+//#endregion
 export { OAuthAccessToken as t };

package/build/oauth_client-BSanvSql.js

@@ -0,0 +1,63 @@
+import { BaseModel, column } from "@adonisjs/lucid/orm";
+//#region src/decorators.ts
+/**
+* Column decorator for JSON values (arrays, objects).
+*
+* Lucid ORM doesn't handle JSON serialization automatically —
+* `prepare` stringifies before INSERT/UPDATE, `consume` parses
+* after SELECT. The typeof check in consume handles both drivers
+* that return strings (SQLite, MySQL) and parsed objects (PostgreSQL JSONB).
+*/
+function json(options) {
+	return column({
+		...options,
+		prepare: (value) => value == null ? null : JSON.stringify(value),
+		consume: (value) => value == null ? null : typeof value === "string" ? JSON.parse(value) : value
+	});
+}
+//#endregion
+//#region \0@oxc-project+runtime@0.115.0/helpers/decorate.js
+function __decorate(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+//#endregion
+//#region src/models/oauth_client.ts
+/**
+* Represents a registered OAuth 2.0 client (RFC 6749 §2).
+*
+* Clients can be either confidential (with a hashed secret) or
+* public (no secret, e.g. SPAs, native apps). Public clients must
+* use PKCE (RFC 7636) for authorization code exchanges.
+*
+* Clients may be created manually or via dynamic client registration
+* (RFC 7591) through the `/oauth/register` endpoint.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-2
+* @see https://datatracker.ietf.org/doc/html/rfc7591
+*/
+var OAuthClient = class extends BaseModel {
+	static table = "oauth_clients";
+};
+__decorate([column({ isPrimary: true })], OAuthClient.prototype, "id", void 0);
+__decorate([column()], OAuthClient.prototype, "clientId", void 0);
+__decorate([column({ serializeAs: null })], OAuthClient.prototype, "clientSecret", void 0);
+__decorate([column()], OAuthClient.prototype, "name", void 0);
+__decorate([json()], OAuthClient.prototype, "redirectUris", void 0);
+__decorate([json()], OAuthClient.prototype, "scopes", void 0);
+__decorate([json()], OAuthClient.prototype, "grantTypes", void 0);
+__decorate([column()], OAuthClient.prototype, "isPublic", void 0);
+__decorate([column()], OAuthClient.prototype, "isDisabled", void 0);
+__decorate([column()], OAuthClient.prototype, "requirePkce", void 0);
+__decorate([column()], OAuthClient.prototype, "type", void 0);
+__decorate([json()], OAuthClient.prototype, "metadata", void 0);
+__decorate([column()], OAuthClient.prototype, "userId", void 0);
+__decorate([column.dateTime({ autoCreate: true })], OAuthClient.prototype, "createdAt", void 0);
+__decorate([column.dateTime({
+	autoCreate: true,
+	autoUpdate: true
+})], OAuthClient.prototype, "updatedAt", void 0);
+//#endregion
+export { __decorate as n, json as r, OAuthClient as t };

package/build/oauth_error-C7UhDb2q.js

@@ -0,0 +1,189 @@
+import { Exception } from "@adonisjs/core/exceptions";
+//#region src/oauth_error.ts
+/**
+* OAuth 2.0 error classes following the error codes defined in
+* RFC 6749 §5.2 (https://datatracker.ietf.org/doc/html/rfc6749#section-5.2)
+* and RFC 7591 §3.2.2 (https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2).
+*
+* Each error class extends AdonisJS Exception and self-renders via
+* the `handle()` method, producing a standard OAuth JSON error response.
+*/
+/**
+* Base class for all OAuth errors. Extends AdonisJS Exception
+* and renders the standard OAuth error response format:
+* `{ error: "<oauth_code>", error_description: "<message>" }`.
+*
+* Subclasses declare a static `oauthCode` matching the `error` field
+* defined by the OAuth 2.0 spec (e.g. `invalid_request`, `invalid_client`).
+*/
+var OAuthError = class extends Exception {
+	static oauthCode;
+	get oauthCode() {
+		return this.constructor.oauthCode;
+	}
+	handle(error, ctx) {
+		ctx.response.status(error.status).json({
+			error: error.oauthCode,
+			error_description: error.message
+		});
+	}
+};
+/**
+* The request is missing a required parameter, includes an unsupported
+* parameter value, repeats a parameter, or is otherwise malformed.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+*/
+const E_INVALID_REQUEST = class extends OAuthError {
+	static status = 400;
+	static code = "E_INVALID_REQUEST";
+	static message = "Invalid request";
+	static oauthCode = "invalid_request";
+};
+/**
+* Client authentication failed (e.g. unknown client, no client
+* authentication included, or unsupported authentication method).
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+*/
+const E_INVALID_CLIENT = class extends OAuthError {
+	static status = 401;
+	static code = "E_INVALID_CLIENT";
+	static message = "Invalid client";
+	static oauthCode = "invalid_client";
+	/**
+	* If the client attempted to authenticate via the Authorization header
+	* (Basic auth), the server MUST include WWW-Authenticate: Basic.
+	*
+	* @see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-3.2.4
+	*/
+	handle(error, ctx) {
+		if (ctx.request.header("authorization")?.startsWith("Basic ")) ctx.response.header("WWW-Authenticate", "Basic");
+		super.handle(error, ctx);
+	}
+};
+/**
+* The provided authorization grant (authorization code, refresh token,
+* resource owner credentials) is invalid, expired, revoked, or does
+* not match the redirection URI used in the authorization request.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+*/
+const E_INVALID_GRANT = class extends OAuthError {
+	static status = 400;
+	static code = "E_INVALID_GRANT";
+	static message = "Invalid grant";
+	static oauthCode = "invalid_grant";
+};
+/**
+* The requested scope is invalid, unknown, malformed, or exceeds
+* the scope granted by the resource owner.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+*/
+const E_INVALID_SCOPE = class extends OAuthError {
+	static status = 400;
+	static code = "E_INVALID_SCOPE";
+	static message = "Invalid scope";
+	static oauthCode = "invalid_scope";
+};
+/**
+* The access token provided is expired, revoked, malformed,
+* or invalid for other reasons.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6750#section-3.1
+*/
+const E_INVALID_TOKEN = class extends OAuthError {
+	static status = 401;
+	static code = "E_INVALID_TOKEN";
+	static message = "Invalid token";
+	static oauthCode = "invalid_token";
+	handle(error, ctx) {
+		ctx.response.header("WWW-Authenticate", `Bearer error="invalid_token", error_description="${error.message}"`);
+		super.handle(error, ctx);
+	}
+};
+/**
+* The authorization grant type is not supported by the
+* authorization server.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+*/
+const E_UNSUPPORTED_GRANT_TYPE = class extends OAuthError {
+	static status = 400;
+	static code = "E_UNSUPPORTED_GRANT_TYPE";
+	static message = "Unsupported grant type";
+	static oauthCode = "unsupported_grant_type";
+};
+/**
+* The authorization server does not support obtaining an
+* authorization code using this response type.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+*/
+const E_UNSUPPORTED_RESPONSE_TYPE = class extends OAuthError {
+	static status = 400;
+	static code = "E_UNSUPPORTED_RESPONSE_TYPE";
+	static message = "Unsupported response type";
+	static oauthCode = "unsupported_response_type";
+};
+/**
+* The resource owner or authorization server denied the request.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+*/
+const E_ACCESS_DENIED = class extends OAuthError {
+	static status = 403;
+	static code = "E_ACCESS_DENIED";
+	static message = "Access denied";
+	static oauthCode = "access_denied";
+};
+/**
+* The client metadata value is invalid, as defined in the dynamic
+* client registration protocol.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2
+*/
+const E_INVALID_CLIENT_METADATA = class extends OAuthError {
+	static status = 400;
+	static code = "E_INVALID_CLIENT_METADATA";
+	static message = "Invalid client metadata";
+	static oauthCode = "invalid_client_metadata";
+};
+/**
+* The authorization server encountered an unexpected condition
+* that prevented it from fulfilling the request.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+*/
+const E_SERVER_ERROR = class extends OAuthError {
+	static status = 500;
+	static code = "E_SERVER_ERROR";
+	static message = "Server error";
+	static oauthCode = "server_error";
+};
+/**
+* The access token does not have the required scope(s) to access
+* the protected resource. Returns 403 with a WWW-Authenticate header
+* per RFC 6750 §3.1.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6750#section-3.1
+*/
+const E_INSUFFICIENT_SCOPE = class extends OAuthError {
+	static status = 403;
+	static code = "E_INSUFFICIENT_SCOPE";
+	static message = "Insufficient scope";
+	static oauthCode = "insufficient_scope";
+	missingScopes;
+	constructor(missingScopes, message) {
+		super(message ?? "The token does not have the required scope(s)");
+		this.missingScopes = missingScopes;
+	}
+	handle(error, ctx) {
+		const scope = error.missingScopes.join(" ");
+		ctx.response.header("WWW-Authenticate", `Bearer error="insufficient_scope", error_description="${error.message}", scope="${scope}"`);
+		super.handle(error, ctx);
+	}
+};
+//#endregion
+export { E_INVALID_GRANT as a, E_INVALID_TOKEN as c, E_UNSUPPORTED_RESPONSE_TYPE as d, E_INVALID_CLIENT_METADATA as i, E_SERVER_ERROR as l, E_INSUFFICIENT_SCOPE as n, E_INVALID_REQUEST as o, E_INVALID_CLIENT as r, E_INVALID_SCOPE as s, E_ACCESS_DENIED as t, E_UNSUPPORTED_GRANT_TYPE as u };

package/build/providers/sesame_provider.js

@@ -1,14 +1,25 @@
-import { t as SesameManager } from "../sesame_manager-DwDZy5Vy.js";
-import "../decorate-BKZEjPRg.js";
-import "../oauth_access_token-bsoM5KeU.js";
+import "../chunk-DF48asd8.js";
+import { t as SesameManager } from "../sesame_manager-DYUSZ0NC.js";
+import "../oauth_client-BSanvSql.js";
+import "../oauth_error-C7UhDb2q.js";
+import "../oauth_access_token-Cz_5gNBx.js";
+//#region providers/sesame_provider.ts
+/**
+* AdonisJS service provider for the Sésame OAuth 2.1 server.
+*/
 var SesameProvider = class {
 	constructor(app) {
 		this.app = app;
 	}
+	/**
+	* Register `SesameManager` as a singleton binding.
+	* The manager is resolved from the `sesame` config key.
+	*/
 	register() {
 		this.app.container.singleton(SesameManager, async () => {
 			return new SesameManager(this.app.config.get("sesame"), await this.app.container.make("router"));
 		});
 	}
 };
+//#endregion
 export { SesameProvider as default };