@julr/sesame 0.5.1 → 0.6.0

package/build/sesame_manager-DYUSZ0NC.js

@@ -0,0 +1,693 @@
+import { n as __decorate, r as json, t as OAuthClient } from "./oauth_client-BSanvSql.js";
+import { o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE } from "./oauth_error-C7UhDb2q.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-Cz_5gNBx.js";
+import { DateTime } from "luxon";
+import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
+import { BaseModel, column } from "@adonisjs/lucid/orm";
+import { SignJWT, importJWK } from "jose";
+//#region src/types.ts
+/**
+* Standard OAuth/OIDC scopes that are always valid regardless
+* of server or client scope configuration.
+*
+* These scopes are:
+* - Accepted during scope validation (client and server level)
+* - Advertised in `scopes_supported` of all metadata endpoints
+*   (protected resource, OIDC discovery) so MCP clients know
+*   they can request them
+*
+* - `offline_access`: signals that the client needs a refresh token
+*   (OIDC Core §11). Note: Sesame issues refresh tokens by default
+*   when the `refresh_token` grant is enabled, regardless of whether
+*   the client requests this scope (per RFC 6749 §5.1). This scope
+*   is still advertised for clients that check metadata before
+*   building their authorization request.
+*
+* @see https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+*/
+const BUILTIN_SCOPES = new Set(["offline_access"]);
+/**
+* OIDC-recognized scopes that are accepted by server-level validation
+* without needing to be declared in the config `scopes` map.
+*
+* Unlike `BUILTIN_SCOPES`, these still require explicit client authorization
+* via `ClientService.validateClientScopes()`.
+*/
+const OIDC_SCOPES = new Set([
+	"openid",
+	"profile",
+	"email"
+]);
+/**
+* Protocol-managed claims that must never be overridden by `getOidcClaims()`.
+*/
+const RESERVED_OIDC_CLAIMS = new Set([
+	"sub",
+	"iss",
+	"aud",
+	"exp",
+	"iat",
+	"nbf",
+	"jti",
+	"nonce",
+	"at_hash",
+	"auth_time",
+	"acr",
+	"azp",
+	"sid"
+]);
+//#endregion
+//#region src/services/client_service.ts
+/**
+* Handles OAuth client authentication and credential management.
+*
+* Supports the client authentication methods defined in RFC 6749 §2.3:
+* - `client_secret_basic`: HTTP Basic auth with client_id:client_secret
+* - `client_secret_post`: credentials in the request body
+* - `none`: public clients (no secret)
+*
+* Client secrets are stored as SHA-256 hashes and compared using
+* timing-safe equality to prevent timing attacks.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-2.3
+*/
+var ClientService = class {
+	/**
+	* Parse an HTTP Basic Authorization header into client credentials.
+	* Follows RFC 6749 §2.3.1 — the client_id and client_secret are
+	* URL-decoded after base64 decoding.
+	*
+	* @see https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
+	*/
+	parseBasicAuth(header) {
+		if (!header.startsWith("Basic ")) return null;
+		try {
+			const decoded = Buffer.from(header.slice(6), "base64").toString("utf-8");
+			const colonIndex = decoded.indexOf(":");
+			if (colonIndex === -1) return null;
+			return {
+				clientId: decodeURIComponent(decoded.slice(0, colonIndex)),
+				clientSecret: decodeURIComponent(decoded.slice(colonIndex + 1))
+			};
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Extract client credentials from a request. Checks the
+	* Authorization header first (Basic auth), then falls back
+	* to POST body parameters (`client_id` / `client_secret`).
+	*/
+	extractCredentials(options) {
+		const basic = options.authorizationHeader ? this.parseBasicAuth(options.authorizationHeader) : null;
+		if (basic && options.bodyClientId) throw new E_INVALID_REQUEST("Multiple client authentication methods are not allowed");
+		if (basic) return basic;
+		if (options.bodyClientId) return {
+			clientId: options.bodyClientId,
+			clientSecret: options.bodyClientSecret
+		};
+		return null;
+	}
+	/**
+	* Authenticate a client from request credentials.
+	* Extracts credentials, looks up the client in DB, and verifies the secret
+	* for confidential clients.
+	*/
+	async authenticateClient(options) {
+		const credentials = this.extractCredentials(options);
+		if (!credentials) throw new E_INVALID_CLIENT("Client authentication failed");
+		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
+		if (!client || client.isDisabled) throw new E_INVALID_CLIENT("Client authentication failed");
+		if (!client.isPublic) {
+			if (!credentials.clientSecret || !this.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Client authentication failed");
+		}
+		return client;
+	}
+	/**
+	* Validate that requested scopes are within the client's
+	* allowed scopes. Throws `E_INVALID_SCOPE` if any scope
+	* is not permitted. An empty `clientScopes` array means the
+	* client has no scope permissions (RFC 6749 §2, §3.3).
+	*
+	* @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
+	*/
+	validateClientScopes(requestedScopes, clientScopes) {
+		const nonBuiltinScopes = requestedScopes.filter((s) => !BUILTIN_SCOPES.has(s));
+		if (clientScopes.length === 0 && nonBuiltinScopes.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${nonBuiltinScopes.join(", ")}`);
+		const allowedSet = new Set(clientScopes);
+		const invalid = nonBuiltinScopes.filter((s) => !allowedSet.has(s));
+		if (invalid.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${invalid.join(", ")}`);
+	}
+	/**
+	* Hash a client secret for storage using SHA-256
+	* (base64url-encoded).
+	*/
+	hashSecret(secret) {
+		return createHash("sha256").update(secret).digest("base64url");
+	}
+	/**
+	* Verify a client secret against its stored hash using
+	* timing-safe comparison to prevent timing attacks.
+	*/
+	verifySecret(secret, storedHash) {
+		const hash = this.hashSecret(secret);
+		try {
+			return timingSafeEqual(Buffer.from(hash), Buffer.from(storedHash));
+		} catch {
+			return false;
+		}
+	}
+	/**
+	* Generate a random client ID (16 bytes, hex-encoded).
+	*/
+	generateClientId() {
+		return randomBytes(16).toString("hex");
+	}
+	/**
+	* Generate a random client secret (32 bytes, base64url-encoded).
+	*/
+	generateClientSecret() {
+		return randomBytes(32).toString("base64url");
+	}
+};
+//#endregion
+//#region src/services/key_service.ts
+/**
+* Manages the RSA key pair used to sign ID tokens.
+* Accepts a JWK from config, caches the imported private key
+* and public JWK for JWKS export.
+*/
+var KeyService = class KeyService {
+	#privateKey = null;
+	#publicJwk;
+	#kid;
+	#jwk;
+	constructor(jwk) {
+		this.#jwk = jwk;
+		this.#kid = jwk.kid ?? KeyService.computeKid(jwk);
+		this.#publicJwk = {
+			kty: jwk.kty,
+			n: jwk.n,
+			e: jwk.e,
+			kid: this.#kid,
+			use: "sig",
+			alg: "RS256"
+		};
+	}
+	/**
+	* Compute a `kid` from public key components (SHA-256, base64url).
+	* Same approach as node-oidc-provider.
+	*/
+	static computeKid(jwk) {
+		const components = JSON.stringify({
+			e: jwk.e,
+			kty: jwk.kty,
+			n: jwk.n
+		});
+		return createHash("sha256").update(components).digest("base64url");
+	}
+	async #getPrivateKey() {
+		if (this.#privateKey) return this.#privateKey;
+		this.#privateKey = await importJWK(this.#jwk, "RS256");
+		return this.#privateKey;
+	}
+	async sign(payload) {
+		const key = await this.#getPrivateKey();
+		return new SignJWT(payload).setProtectedHeader({
+			alg: "RS256",
+			kid: this.#kid,
+			typ: "JWT"
+		}).sign(key);
+	}
+	getPublicJwks() {
+		return { keys: [this.#publicJwk] };
+	}
+	get kid() {
+		return this.#kid;
+	}
+};
+//#endregion
+//#region src/routes.ts
+/**
+* Lazy-loaded controller imports for all OAuth 2.1 endpoints.
+* Using lazy imports ensures controllers are only loaded when
+* their routes are hit.
+*/
+const controllers = {
+	token: () => import("./token_controller-DyI7oy-U.js"),
+	authorize: () => import("./authorize_controller-BiycO4be.js"),
+	consent: () => import("./consent_controller-Dsdhv6-f.js"),
+	introspect: () => import("./introspect_controller-DvOp9scr.js"),
+	revoke: () => import("./revoke_controller-z_ghrEB7.js"),
+	register: () => import("./register_controller-gbq7p8a5.js"),
+	metadata: () => import("./metadata_controller-BVsTo0Gp.js"),
+	clientInfo: () => import("./client_info_controller-AcOG8lWu.js"),
+	jwks: () => import("./jwks_controller-keo4kBZc.js"),
+	userinfo: () => import("./userinfo_controller-RLk8cN_o.js")
+};
+/**
+* Register OAuth 2.1 endpoint routes on the given router.
+*
+* Paths are relative (no prefix) — the user wraps the call
+* in a `router.group().prefix('/oauth')` to control the mount point.
+*
+* Endpoints registered:
+* - `POST /token` — Token endpoint (RFC 6749 §3.2)
+* - `GET /authorize` — Authorization endpoint (RFC 6749 §3.1)
+* - `POST /consent` — User consent submission
+* - `POST /introspect` — Token introspection (RFC 7662)
+* - `POST /revoke` — Token revocation (RFC 7009)
+* - `POST /register` — Dynamic client registration (RFC 7591)
+* - `GET /client-info` — Public client information (RFC 6819 §4.4.1.4)
+*/
+function registerOAuthRoutes(router) {
+	router.post("/token", [controllers.token]).as("sesame.token");
+	router.get("/authorize", [controllers.authorize]).as("sesame.authorize");
+	router.post("/consent", [controllers.consent]).as("sesame.consent");
+	router.get("/client-info", [controllers.clientInfo]).as("sesame.clientInfo");
+	router.post("/introspect", [controllers.introspect]).as("sesame.introspect");
+	router.post("/revoke", [controllers.revoke]).as("sesame.revoke");
+	router.post("/register", [controllers.register]).as("sesame.register");
+	router.get("/userinfo", [controllers.userinfo]).as("sesame.userinfo");
+	router.post("/userinfo", [controllers.userinfo]).as("sesame.userinfo.post");
+}
+/**
+* Register well-known discovery routes at the root level.
+*
+* These must be registered outside any prefix group so they
+* remain at `/.well-known/...`.
+*
+* Endpoints registered:
+* - `GET /.well-known/oauth-authorization-server` — Server metadata (RFC 8414)
+* - `GET /.well-known/openid-configuration` — OpenID Connect discovery
+* - `GET /.well-known/oauth-protected-resource` — Protected resource metadata (RFC 9728)
+*/
+function registerWellKnownRoutes(router, options) {
+	const jwksPath = options?.jwksPath ?? "/jwks";
+	router.get("/.well-known/oauth-authorization-server", [controllers.metadata, "authServer"]).as("sesame.metadata.authServer");
+	router.get("/.well-known/openid-configuration", [controllers.metadata, "oidc"]).as("sesame.metadata.oidc");
+	router.get("/.well-known/oauth-protected-resource", [controllers.metadata, "protectedResource"]).as("sesame.metadata.protectedResource");
+	router.get(jwksPath, [controllers.jwks]).as("sesame.jwks");
+}
+//#endregion
+//#region src/models/oauth_refresh_token.ts
+/**
+* Database record for an OAuth 2.0 refresh token (RFC 6749 §6).
+*
+* The `token` column stores the SHA-256 hash of the raw refresh
+* token value. Refresh token rotation is enforced: each use
+* produces a new token and revokes the old one.
+*
+* Replay detection is implemented by checking `revokedAt` —
+* if a revoked token is presented, all tokens for that
+* client+user pair are deleted as a security measure.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-6
+* @see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.14.2
+*/
+var OAuthRefreshToken = class extends BaseModel {
+	static table = "oauth_refresh_tokens";
+};
+__decorate([column({ isPrimary: true })], OAuthRefreshToken.prototype, "id", void 0);
+__decorate([column({ serializeAs: null })], OAuthRefreshToken.prototype, "token", void 0);
+__decorate([column()], OAuthRefreshToken.prototype, "accessTokenId", void 0);
+__decorate([column()], OAuthRefreshToken.prototype, "clientId", void 0);
+__decorate([column()], OAuthRefreshToken.prototype, "userId", void 0);
+__decorate([json()], OAuthRefreshToken.prototype, "scopes", void 0);
+__decorate([column.dateTime()], OAuthRefreshToken.prototype, "expiresAt", void 0);
+__decorate([column.dateTime()], OAuthRefreshToken.prototype, "revokedAt", void 0);
+__decorate([column.dateTime({ autoCreate: true })], OAuthRefreshToken.prototype, "createdAt", void 0);
+__decorate([column.dateTime({
+	autoCreate: true,
+	autoUpdate: true
+})], OAuthRefreshToken.prototype, "updatedAt", void 0);
+//#endregion
+//#region src/models/oauth_authorization_code.ts
+/**
+* Database record for an OAuth 2.0 authorization code (RFC 6749 §4.1.2).
+*
+* Authorization codes are short-lived, single-use tokens issued
+* during the authorization flow. The `code` column stores the
+* SHA-256 hash of the raw code value sent to the client.
+*
+* When PKCE (RFC 7636) is used, the `codeChallenge` and
+* `codeChallengeMethod` (always S256) are stored alongside the
+* code for verification at the token endpoint.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
+* @see https://datatracker.ietf.org/doc/html/rfc7636
+*/
+var OAuthAuthorizationCode = class extends BaseModel {
+	static table = "oauth_authorization_codes";
+};
+__decorate([column({ isPrimary: true })], OAuthAuthorizationCode.prototype, "id", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "code", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "clientId", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "userId", void 0);
+__decorate([json()], OAuthAuthorizationCode.prototype, "scopes", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "redirectUri", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "codeChallenge", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "codeChallengeMethod", void 0);
+__decorate([column()], OAuthAuthorizationCode.prototype, "nonce", void 0);
+__decorate([column.dateTime()], OAuthAuthorizationCode.prototype, "expiresAt", void 0);
+__decorate([column.dateTime({ autoCreate: true })], OAuthAuthorizationCode.prototype, "createdAt", void 0);
+__decorate([column.dateTime({
+	autoCreate: true,
+	autoUpdate: true
+})], OAuthAuthorizationCode.prototype, "updatedAt", void 0);
+//#endregion
+//#region src/models/oauth_consent.ts
+/**
+* Tracks which scopes a user has approved for a given client.
+*
+* When a user grants consent during the authorization flow,
+* the approved scopes are persisted here. On subsequent
+* authorization requests, if the requested scopes are a subset
+* of previously approved scopes, the user is not prompted again.
+*
+* New scopes are merged into the existing record when the user
+* approves additional permissions.
+*/
+var OAuthConsent = class extends BaseModel {
+	static table = "oauth_consents";
+};
+__decorate([column({ isPrimary: true })], OAuthConsent.prototype, "id", void 0);
+__decorate([column()], OAuthConsent.prototype, "clientId", void 0);
+__decorate([column()], OAuthConsent.prototype, "userId", void 0);
+__decorate([json()], OAuthConsent.prototype, "scopes", void 0);
+__decorate([column.dateTime({ autoCreate: true })], OAuthConsent.prototype, "createdAt", void 0);
+__decorate([column.dateTime({
+	autoCreate: true,
+	autoUpdate: true
+})], OAuthConsent.prototype, "updatedAt", void 0);
+//#endregion
+//#region src/models/oauth_pending_authorization_request.ts
+/**
+* Temporary server-side record for an in-flight OAuth authorization
+* request, created when the user is redirected to the consent page
+* and consumed (deleted) when the user approves or denies.
+*
+* Stored in the database instead of the HTTP session to avoid
+* last-write-wins race conditions when concurrent SPA requests
+* overwrite session data.
+*
+* The `token` column stores a SHA-256 hash of the raw auth_token
+* sent to the consent page, consistent with how authorization
+* codes are stored.
+*/
+var OAuthPendingAuthorizationRequest = class extends BaseModel {
+	static table = "oauth_pending_authorization_requests";
+};
+__decorate([column({ isPrimary: true })], OAuthPendingAuthorizationRequest.prototype, "id", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "token", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "userId", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "clientId", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "redirectUri", void 0);
+__decorate([json()], OAuthPendingAuthorizationRequest.prototype, "scopes", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "state", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "codeChallenge", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "codeChallengeMethod", void 0);
+__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "nonce", void 0);
+__decorate([column.dateTime()], OAuthPendingAuthorizationRequest.prototype, "expiresAt", void 0);
+__decorate([column.dateTime({ autoCreate: true })], OAuthPendingAuthorizationRequest.prototype, "createdAt", void 0);
+//#endregion
+//#region src/sesame_manager.ts
+/**
+* Central manager for the Sésame OAuth 2.1 server.
+*
+* Holds the resolved configuration. Registered as a singleton
+* in the AdonisJS IoC container by `SesameProvider`.
+*/
+var SesameManager = class {
+	#config;
+	#router;
+	#keyService;
+	constructor(config, router) {
+		this.#config = config;
+		this.#router = router;
+		this.#keyService = config.jwk ? new KeyService(config.jwk) : null;
+	}
+	get config() {
+		return this.#config;
+	}
+	get keyService() {
+		if (!this.#keyService) throw new Error("OIDC requires a JWK. Set the `jwk` option in defineConfig().");
+		return this.#keyService;
+	}
+	get isOidcEnabled() {
+		return this.#keyService !== null && this.#config.oidcProvider !== void 0;
+	}
+	/**
+	* Load a user by ID using the configured user provider.
+	* Returns the original user model instance, or null if not found.
+	*/
+	async findUserById(userId) {
+		if (!this.#config.oidcProvider) return null;
+		return (await this.#config.oidcProvider.findById(userId))?.getOriginal() ?? null;
+	}
+	/**
+	* Check if a scope is registered in the server configuration.
+	*
+	* @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
+	*/
+	hasScope(scope) {
+		return scope in this.#config.scopes;
+	}
+	/**
+	* Check if the requested scope list uses any OIDC-specific scopes.
+	*/
+	usesOidcScopes(scopes) {
+		return scopes.some((scope) => OIDC_SCOPES.has(scope));
+	}
+	/**
+	* Return the list of scopes that are not registered in the
+	* server configuration. When no scopes are configured, all
+	* requested scopes are considered unknown per RFC 6749 §3.3
+	* (`invalid_scope` — "The requested scope is invalid, unknown,
+	* or malformed").
+	*
+	* @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
+	* @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+	*/
+	validateScopes(scopes) {
+		const invalidScopes = /* @__PURE__ */ new Set();
+		if (!scopes.includes("openid")) scopes.filter((scope) => scope !== "openid" && OIDC_SCOPES.has(scope)).forEach((scope) => invalidScopes.add(scope));
+		if (Object.keys(this.#config.scopes).length === 0) {
+			scopes.filter((scope) => !BUILTIN_SCOPES.has(scope) && !OIDC_SCOPES.has(scope)).forEach((scope) => invalidScopes.add(scope));
+			return [...invalidScopes];
+		}
+		scopes.filter((scope) => !BUILTIN_SCOPES.has(scope) && !OIDC_SCOPES.has(scope) && !this.hasScope(scope)).forEach((scope) => invalidScopes.add(scope));
+		return [...invalidScopes];
+	}
+	/**
+	* Check if a grant type is enabled in the server configuration.
+	*/
+	isGrantTypeEnabled(grantType) {
+		return this.#config.grantTypes.includes(grantType);
+	}
+	/**
+	* Revoke all OAuth artifacts for a given user.
+	*
+	* Call this when a user is deleted or deactivated to ensure
+	* none of their tokens remain usable. Revokes access tokens
+	* and refresh tokens, and deletes authorization codes and
+	* consent records.
+	*/
+	async revokeAllForUser(userId) {
+		const now = DateTime.now();
+		await OAuthAccessToken.query().where("userId", userId).whereNull("revokedAt").update({ revokedAt: now.toSQL() });
+		await OAuthRefreshToken.query().where("userId", userId).whereNull("revokedAt").update({ revokedAt: now.toSQL() });
+		await OAuthAuthorizationCode.query().where("userId", userId).delete();
+		await OAuthPendingAuthorizationRequest.query().where("userId", userId).delete();
+		await OAuthConsent.query().where("userId", userId).delete();
+	}
+	/**
+	* Purge revoked and/or expired tokens and authorization codes.
+	*
+	* Returns the total number of deleted records. Expired tokens are
+	* retained for `retentionHours` (default 168 = 7 days) to allow
+	* for debugging and audit trails.
+	*/
+	async purgeTokens(options) {
+		const revokedOnly = options?.revokedOnly ?? false;
+		const expiredOnly = options?.expiredOnly ?? false;
+		const retentionHours = options?.retentionHours ?? 168;
+		const purgeRevoked = revokedOnly || !expiredOnly;
+		const purgeExpired = expiredOnly || !revokedOnly;
+		const cutoff = DateTime.now().minus({ hours: retentionHours });
+		let accessTokens = 0;
+		let refreshTokens = 0;
+		let authorizationCodes = 0;
+		let pendingRequests = 0;
+		if (purgeRevoked) {
+			accessTokens += await this.#deleteCount(OAuthAccessToken.query().whereNotNull("revokedAt").delete());
+			refreshTokens += await this.#deleteCount(OAuthRefreshToken.query().whereNotNull("revokedAt").delete());
+		}
+		if (purgeExpired) {
+			accessTokens += await this.#deleteCount(OAuthAccessToken.query().where("expiresAt", "<", cutoff.toSQL()).whereNull("revokedAt").delete());
+			refreshTokens += await this.#deleteCount(OAuthRefreshToken.query().where("expiresAt", "<", cutoff.toSQL()).whereNull("revokedAt").delete());
+			authorizationCodes += await this.#deleteCount(OAuthAuthorizationCode.query().where("expiresAt", "<", cutoff.toSQL()).delete());
+		}
+		pendingRequests += await this.#deleteCount(OAuthPendingAuthorizationRequest.query().where("expiresAt", "<", DateTime.now().toSQL()).delete());
+		return {
+			accessTokens,
+			refreshTokens,
+			authorizationCodes,
+			pendingRequests
+		};
+	}
+	/**
+	* Create a new OAuth client programmatically.
+	* Returns the client and the raw secret (only available at creation time).
+	*/
+	async createClient(options) {
+		const clientService = new ClientService();
+		const isPublic = options.isPublic ?? false;
+		const grantTypes = options.grantTypes ?? ["authorization_code"];
+		const scopes = options.scopes ?? this.#config.defaultScopes;
+		const clientId = clientService.generateClientId();
+		const clientSecret = isPublic ? null : clientService.generateClientSecret();
+		const hashedSecret = clientSecret ? clientService.hashSecret(clientSecret) : null;
+		return {
+			client: await OAuthClient.create({
+				id: crypto.randomUUID(),
+				clientId,
+				clientSecret: hashedSecret,
+				name: options.name,
+				redirectUris: options.redirectUris,
+				scopes,
+				grantTypes,
+				isPublic,
+				isDisabled: false,
+				requirePkce: options.requirePkce ?? true,
+				type: isPublic ? "public" : "confidential",
+				metadata: options.metadata ?? null,
+				userId: options.userId ?? null
+			}),
+			clientSecret
+		};
+	}
+	/**
+	* Find a client by its public client_id.
+	*/
+	async findClient(clientId) {
+		return OAuthClient.query().where("clientId", clientId).first();
+	}
+	/**
+	* List all clients, optionally filtered by userId.
+	*/
+	async listClients(options) {
+		const query = OAuthClient.query().orderBy("createdAt", "desc");
+		if (options?.userId) query.where("userId", options.userId);
+		return query;
+	}
+	/**
+	* Update an existing client by its public client_id.
+	* Returns the updated client, or null if not found.
+	*/
+	async updateClient(clientId, options) {
+		const client = await OAuthClient.query().where("clientId", clientId).first();
+		if (!client) return null;
+		if (options.name !== void 0) client.name = options.name;
+		if (options.redirectUris !== void 0) client.redirectUris = options.redirectUris;
+		if (options.scopes !== void 0) client.scopes = options.scopes;
+		if (options.grantTypes !== void 0) client.grantTypes = options.grantTypes;
+		if (options.isDisabled !== void 0) client.isDisabled = options.isDisabled;
+		if (options.requirePkce !== void 0) client.requirePkce = options.requirePkce;
+		if (options.metadata !== void 0) client.metadata = options.metadata;
+		await client.save();
+		return client;
+	}
+	/**
+	* Delete a client and all its associated tokens, codes, and consents.
+	* Returns true if the client was found and deleted.
+	*/
+	async deleteClient(clientId) {
+		const client = await OAuthClient.query().where("clientId", clientId).first();
+		if (!client) return false;
+		await OAuthClient.transaction(async (trx) => {
+			await Promise.all([
+				OAuthRefreshToken.query({ client: trx }).where("clientId", clientId).delete(),
+				OAuthAccessToken.query({ client: trx }).where("clientId", clientId).delete(),
+				OAuthAuthorizationCode.query({ client: trx }).where("clientId", clientId).delete(),
+				OAuthPendingAuthorizationRequest.query({ client: trx }).where("clientId", clientId).delete(),
+				OAuthConsent.query({ client: trx }).where("clientId", clientId).delete()
+			]);
+			await client.useTransaction(trx).delete();
+		});
+		return true;
+	}
+	/**
+	* Rotate the secret of a confidential client.
+	* Returns the new raw secret, or null if the client is public or not found.
+	*/
+	async rotateClientSecret(clientId) {
+		const client = await OAuthClient.query().where("clientId", clientId).first();
+		if (!client || client.isPublic) return null;
+		const clientService = new ClientService();
+		const newSecret = clientService.generateClientSecret();
+		client.clientSecret = clientService.hashSecret(newSecret);
+		await client.save();
+		return newSecret;
+	}
+	/**
+	* Register OAuth 2.1 endpoint routes (token, authorize, consent, etc.).
+	*
+	* Paths are relative — wrap the call in a `router.group().prefix()`
+	* to control the mount point.
+	*
+	* Do not apply session-auth middleware to the entire OAuth group.
+	* Endpoints like `/token`, `/introspect`, `/revoke`, and `/register`
+	* must stay callable without a browser session.
+	*
+	* @example
+	* ```ts
+	* router.group(() => {
+	*   sesame.registerRoutes()
+	* }).prefix('/oauth')
+	* ```
+	*/
+	registerRoutes() {
+		registerOAuthRoutes(this.#router);
+	}
+	/**
+	* Register discovery routes at the root level.
+	*
+	* Must be called outside any prefix group so endpoints
+	* remain at `/.well-known/...`.
+	*/
+	registerDiscoveryRoutes(options) {
+		registerWellKnownRoutes(this.#router, options);
+	}
+	/**
+	* @deprecated Use `registerDiscoveryRoutes()` instead.
+	*/
+	registerWellKnownRoutes(options) {
+		this.registerDiscoveryRoutes(options);
+	}
+	/**
+	* Register a `/.well-known/oauth-protected-resource` endpoint
+	* for a specific resource path (RFC 9728). Useful for MCP
+	* servers that need per-resource discovery.
+	*
+	* @see https://datatracker.ietf.org/doc/html/rfc9728
+	*/
+	registerProtectedResource(options) {
+		const wellKnownPath = `/.well-known/oauth-protected-resource${options.resource}`;
+		this.#router.get(wellKnownPath, async (ctx) => {
+			ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
+			return {
+				resource: `${this.#config.issuer}${options.resource}`,
+				authorization_servers: [this.#config.issuer],
+				scopes_supported: [...options.scopes ?? Object.keys(this.#config.scopes), ...BUILTIN_SCOPES],
+				bearer_methods_supported: ["header"]
+			};
+		});
+	}
+	#deleteCount(result) {
+		return result.then((r) => Array.isArray(r) ? Number(r[0] ?? 0) : Number(r));
+	}
+};
+//#endregion
+export { OAuthRefreshToken as a, OIDC_SCOPES as c, OAuthAuthorizationCode as i, RESERVED_OIDC_CLAIMS as l, OAuthPendingAuthorizationRequest as n, ClientService as o, OAuthConsent as r, BUILTIN_SCOPES as s, SesameManager as t };