@julr/sesame 0.5.1 → 0.6.0

package/build/{register_controller-sIJ1rxdM.js → register_controller-gbq7p8a5.js}

@@ -1,10 +1,10 @@
-import { t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
-import "./decorate-BKZEjPRg.js";
-import "./oauth_access_token-bsoM5KeU.js";
-import { i as E_INVALID_CLIENT_METADATA, o as E_INVALID_REQUEST, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
-import { t as ClientService } from "./client_service-WTNMqWzY.js";
+import "./chunk-DF48asd8.js";
+import { o as ClientService, t as SesameManager } from "./sesame_manager-DYUSZ0NC.js";
+import { t as OAuthClient } from "./oauth_client-BSanvSql.js";
+import { i as E_INVALID_CLIENT_METADATA, o as E_INVALID_REQUEST, s as E_INVALID_SCOPE, t as E_ACCESS_DENIED } from "./oauth_error-C7UhDb2q.js";
+import "./oauth_access_token-Cz_5gNBx.js";
 import vine from "@vinejs/vine";
+//#region src/rules.ts
 const DANGEROUS_SCHEMES = [
 	"javascript:",
 	"data:",
@@ -15,6 +15,10 @@ const LOCALHOST_HOSTS = [
 	"127.0.0.1",
 	"[::1]"
 ];
+/**
+* Validates a redirect URI per OAuth 2.1 / RFC 8252 rules.
+* Blocks fragments, dangerous schemes, and requires HTTPS for non-localhost hosts.
+*/
 const redirectUriRule = vine.createRule((value, _options, field) => {
 	let parsed;
 	try {
@@ -33,11 +37,40 @@ const redirectUriRule = vine.createRule((value, _options, field) => {
 	}
 	if (parsed.protocol === "http:" && !LOCALHOST_HOSTS.includes(parsed.hostname)) field.report("Redirect URI must use HTTPS for non-localhost hosts", "redirectUri", field);
 });
+/**
+* Blocks dangerous URI schemes for metadata URIs (client_uri, logo_uri, etc.).
+*
+* RFC 7591 §5 says the server MAY verify that metadata URIs match the
+* host+scheme of redirect_uris, but this is NOT required.
+*
+* We intentionally skip this check because it breaks legitimate CLI/desktop clients
+* (e.g. OpenCode, Claude Code) that use localhost redirect URIs but have a
+* different `client_uri` pointing to their website.
+*
+* Maybe we can add an option to enable this check in the future if needed.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7591#section-5
+*/
 const metadataUriRule = vine.createRule((value, _options, field) => {
 	const parsed = new URL(value);
 	if (DANGEROUS_SCHEMES.includes(parsed.protocol)) field.report("{{ field }} uses a disallowed scheme", "metadataUri", field);
 });
+//#endregion
+//#region src/controllers/register_controller.ts
 const metadataUrl = vine.string().url({ require_protocol: true }).use(metadataUriRule()).optional();
+/**
+* Handles the OAuth 2.0 Dynamic Client Registration Endpoint (RFC 7591).
+*
+* Allows clients to register themselves with the authorization server
+* by providing metadata such as `redirect_uris`, `grant_types`, and
+* `token_endpoint_auth_method`. Returns the assigned `client_id` and
+* optionally a `client_secret` for confidential clients.
+*
+* Can be configured to require authentication or allow public
+* registration (useful for MCP where clients self-register).
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7591
+*/
 var RegisterController = class RegisterController {
 	static validator = vine.create(vine.object({
 		redirect_uris: vine.array(vine.string().use(redirectUriRule())).minLength(1),
@@ -72,11 +105,12 @@ var RegisterController = class RegisterController {
 		const clientService = new ClientService();
 		const tokenEndpointAuthMethod = body.token_endpoint_auth_method ?? "client_secret_basic";
 		const isPublic = tokenEndpointAuthMethod === "none";
-		const grantTypes = body.grant_types ?? ["authorization_code"];
+		const grantTypes = body.grant_types ?? ["authorization_code", "refresh_token"];
 		const responseTypes = body.response_types ?? ["code"];
 		const scopes = body.scope ? body.scope.split(" ") : manager.config.defaultScopes;
 		const invalidScopes = manager.validateScopes(scopes);
 		if (invalidScopes.length > 0) throw new E_INVALID_SCOPE(`Unknown scopes: ${invalidScopes.join(", ")}`);
+		if (manager.usesOidcScopes(scopes) && !manager.isOidcEnabled) throw new E_INVALID_SCOPE("OIDC scopes require OIDC to be configured (set jwk and oidcProvider in config)");
 		const clientName = body.client_name ?? "Unnamed Client";
 		for (const gt of grantTypes) if (!manager.isGrantTypeEnabled(gt)) throw new E_INVALID_CLIENT_METADATA(`Unsupported grant type: ${gt}`);
 		if (responseTypes.some((rt) => rt !== "code")) throw new E_INVALID_CLIENT_METADATA("Only \"code\" response type is supported");
@@ -111,6 +145,10 @@ var RegisterController = class RegisterController {
 		});
 		ctx.response.header("Cache-Control", "no-store");
 		ctx.response.status(201);
+		/**
+		* RFC 7591 §3.2.1 requires the response to include ALL registered
+		* metadata about this client, including fields provisioned by the server.
+		*/
 		return {
 			client_id: clientId,
 			...clientSecret ? { client_secret: clientSecret } : {},
@@ -123,4 +161,5 @@ var RegisterController = class RegisterController {
 		};
 	}
 };
+//#endregion
 export { RegisterController as default };

package/build/{revoke_controller-D6isoQCi.js → revoke_controller-z_ghrEB7.js}

@@ -1,11 +1,23 @@
-import { a as OAuthRefreshToken, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
-import "./decorate-BKZEjPRg.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import "./oauth_error-CnJ3L8tf.js";
-import "./oauth_client-BIoY5jBR.js";
-import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-WTNMqWzY.js";
+import "./chunk-DF48asd8.js";
+import { a as OAuthRefreshToken, o as ClientService, t as SesameManager } from "./sesame_manager-DYUSZ0NC.js";
+import "./oauth_client-BSanvSql.js";
+import "./oauth_error-C7UhDb2q.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-Cz_5gNBx.js";
+import { t as TokenService } from "./token_service-DwnfAR9F.js";
 import { DateTime } from "luxon";
+//#region src/controllers/revoke_controller.ts
+/**
+* Handles the OAuth 2.0 Token Revocation Endpoint (RFC 7009).
+*
+* Allows an authenticated client to revoke an access token or
+* refresh token. Always responds with HTTP 200, even if the token
+* was already revoked or not found (to prevent information leakage).
+*
+* When revoking a refresh token, the associated access token is
+* also revoked as recommended by RFC 7009 §2.1.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7009
+*/
 var RevokeController = class {
 	async handle(ctx) {
 		const manager = await ctx.containerResolver.make(SesameManager);
@@ -32,10 +44,11 @@ var RevokeController = class {
 			if (refreshToken && !refreshToken.revokedAt) {
 				refreshToken.revokedAt = DateTime.now();
 				await refreshToken.save();
-				await OAuthAccessToken.query().where("tokenHash", refreshToken.accessTokenId).whereNull("revokedAt").update({ revokedAt: DateTime.now().toSQL() });
+				await OAuthAccessToken.query().where("id", refreshToken.accessTokenId).whereNull("revokedAt").update({ revokedAt: DateTime.now().toSQL() });
 			}
 		}
 		return ctx.response.ok({});
 	}
 };
+//#endregion
 export { RevokeController as default };

package/build/services/main.js

@@ -1,9 +1,13 @@
-import { t as SesameManager } from "../sesame_manager-DwDZy5Vy.js";
-import "../decorate-BKZEjPRg.js";
-import "../oauth_access_token-bsoM5KeU.js";
+import "../chunk-DF48asd8.js";
+import { t as SesameManager } from "../sesame_manager-DYUSZ0NC.js";
+import "../oauth_client-BSanvSql.js";
+import "../oauth_error-C7UhDb2q.js";
+import "../oauth_access_token-Cz_5gNBx.js";
 import app from "@adonisjs/core/services/app";
+//#region services/main.ts
 let sesame;
 await app.booted(async () => {
 	sesame = await app.container.make(SesameManager);
 });
+//#endregion
 export { sesame as default };

package/build/sesame_manager-B1Jgq1v2.js

@@ -0,0 +1,6 @@
+import "./chunk-DF48asd8.js";
+import { t as SesameManager } from "./sesame_manager-DYUSZ0NC.js";
+import "./oauth_client-BSanvSql.js";
+import "./oauth_error-C7UhDb2q.js";
+import "./oauth_access_token-Cz_5gNBx.js";
+export { SesameManager };