@julr/sesame 0.5.1 → 0.6.0

package/build/token_service-DwnfAR9F.js

@@ -0,0 +1,59 @@
+import { createHash, randomBytes } from "node:crypto";
+import string from "@adonisjs/core/helpers/string";
+//#region src/services/token_service.ts
+/**
+* Handles opaque token generation for access tokens, refresh tokens,
+* and authorization codes.
+*
+* All tokens are random opaque values. Only their SHA-256 hashes
+* are stored in the database, so the raw tokens cannot be
+* reconstructed from a database leak.
+*/
+var TokenService = class {
+	#manager;
+	constructor(manager) {
+		this.#manager = manager;
+	}
+	/**
+	* Create an opaque access token. Returns the raw token
+	* (sent to the client), its SHA-256 hash (stored in DB),
+	* and the computed expiration date.
+	*/
+	createAccessToken() {
+		const raw = this.generateOpaqueToken();
+		const ttlSeconds = string.seconds.parse(this.#manager.config.accessTokenTtl);
+		return {
+			raw,
+			hash: this.hashToken(raw),
+			expiresAt: new Date(Date.now() + ttlSeconds * 1e3)
+		};
+	}
+	/**
+	* Create an opaque refresh token. Returns the raw token
+	* (sent to the client) and its SHA-256 hash (stored in DB).
+	*/
+	createRefreshToken() {
+		const raw = this.generateOpaqueToken();
+		return {
+			raw,
+			hash: this.hashToken(raw)
+		};
+	}
+	/**
+	* Generate a cryptographically random opaque token
+	* (32 bytes, base64url-encoded).
+	*/
+	generateOpaqueToken() {
+		return randomBytes(32).toString("base64url");
+	}
+	/**
+	* SHA-256 hash a token value for secure storage.
+	* All tokens (codes, access tokens, refresh tokens) are stored
+	* as hashes so raw values cannot be reconstructed from a DB leak.
+	*/
+	hashToken(token) {
+		return createHash("sha256").update(token).digest("base64url");
+	}
+};
+//#endregion
+export { TokenService as t };

package/build/userinfo_controller-RLk8cN_o.js

@@ -0,0 +1,40 @@
+import "./chunk-DF48asd8.js";
+import { t as SesameManager } from "./sesame_manager-DYUSZ0NC.js";
+import "./oauth_client-BSanvSql.js";
+import { c as E_INVALID_TOKEN, n as E_INSUFFICIENT_SCOPE, o as E_INVALID_REQUEST } from "./oauth_error-C7UhDb2q.js";
+import { t as OAuthAccessToken } from "./oauth_access_token-Cz_5gNBx.js";
+import { t as TokenService } from "./token_service-DwnfAR9F.js";
+import { t as IdTokenService } from "./id_token_service-CpTzOUDe.js";
+//#region src/controllers/userinfo_controller.ts
+/**
+* OpenID Connect UserInfo endpoint (OIDC Core §5.3).
+*
+* Returns claims about the authenticated user based on the
+* access token's scopes. Supports both GET and POST.
+*
+* @see https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+*/
+var UserinfoController = class {
+	async handle(ctx) {
+		const manager = await ctx.containerResolver.make(SesameManager);
+		const authHeader = ctx.request.header("authorization");
+		const rawToken = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : ctx.request.body().access_token;
+		if (!rawToken) throw new E_INVALID_REQUEST("Missing Bearer token");
+		const hashed = new TokenService(manager).hashToken(rawToken);
+		const token = await OAuthAccessToken.query().where("tokenHash", hashed).first();
+		if (!token) throw new E_INVALID_TOKEN("Invalid access token");
+		if (token.revokedAt) throw new E_INVALID_TOKEN("Access token has been revoked");
+		if (token.expiresAt.toJSDate() < /* @__PURE__ */ new Date()) throw new E_INVALID_TOKEN("Access token has expired");
+		if (!token.scopes.includes("openid")) throw new E_INSUFFICIENT_SCOPE(["openid"], "Token does not have openid scope");
+		const user = await manager.findUserById(token.userId);
+		if (!user) throw new E_INVALID_TOKEN("Invalid access token");
+		const userClaims = await IdTokenService.resolveUserClaims(user, token.scopes);
+		ctx.response.header("Content-Type", "application/json");
+		return {
+			sub: token.userId,
+			...userClaims
+		};
+	}
+};
+//#endregion
+export { UserinfoController as default };

package/build/vite.config.d.ts

@@ -0,0 +1,2 @@
+declare const _default: UserConfig;
+export default _default;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@julr/sesame",
   "description": "OAuth 2.1 + OIDC server for AdonisJS",
-  "version": "0.5.1",
+  "version": "0.6.0",
   "engines": {
     "node": ">=24.0.0"
   },
@@ -15,6 +15,7 @@
   "main": "build/index.js",
   "exports": {
     ".": "./build/index.js",
+    "./exceptions": "./build/src/oauth_error.js",
     "./types": "./build/src/types.js",
     "./sesame_provider": "./build/providers/sesame_provider.js",
     "./guard": "./build/src/guard/main.js",
@@ -25,21 +26,15 @@
     "./commands": "./build/commands/main.js"
   },
   "scripts": {
-    "copy:templates": "copyfiles \"stubs/**/*.stub\" build",
-    "typecheck": "tsc --noEmit",
-    "lint": "oxlint .",
-    "format": "oxfmt --write .",
+    "check": "vp check",
+    "format": "vp fmt --write .",
     "quick:test": "node --import=@poppinss/ts-exec --enable-source-maps bin/test.ts",
-    "pretest": "npm run lint",
     "test": "c8 npm run quick:test",
-    "precompile": "npm run lint",
-    "index:commands": "adonis-kit index build/commands",
-    "compile": "tsdown && tsc --emitDeclarationOnly --declaration",
-    "postcompile": "npm run copy:templates && npm run index:commands",
-    "build": "npm run compile",
+    "build": "vp pack && tsc --emitDeclarationOnly --declaration && adonis-kit index build/commands",
     "release": "release-it",
     "version": "npm run build",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run build",
+    "prepare": "vp config"
   },
   "repository": {
     "type": "git",
@@ -49,7 +44,17 @@
     "url": "https://github.com/Julien-R44/sesame/issues"
   },
   "homepage": "https://github.com/Julien-R44/sesame#readme",
-  "keywords": [],
+  "keywords": [
+    "adonisjs",
+    "adonis",
+    "oauth",
+    "oauth2.1",
+    "oidc",
+    "openid-connect",
+    "authorization-server",
+    "mcp",
+    "pkce"
+  ],
   "author": "Julien Ripouteau",
   "license": "MIT",
   "devDependencies": {
@@ -57,8 +62,8 @@
     "@adonisjs/auth": "^10.0.0",
     "@adonisjs/core": "^7.0.0",
     "@adonisjs/lucid": "^22.0.0",
-    "@adonisjs/prettier-config": "^1.4.5",
     "@adonisjs/tsconfig": "^2.0.0",
+    "@japa/api-client": "^3.2.1",
     "@japa/assert": "^4.2.0",
     "@japa/expect-type": "^2.0.4",
     "@japa/runner": "^5.3.0",
@@ -69,50 +74,29 @@
     "@vinejs/vine": "^4.3.0",
     "better-sqlite3": "^12.6.2",
     "c8": "^11.0.0",
-    "copyfiles": "^2.4.1",
     "cross-env": "^10.1.0",
-    "oxfmt": "^0.36.0",
-    "oxlint": "^1.51.0",
     "release-it": "^19.2.4",
-    "tsdown": "^0.20.3",
-    "typescript": "^5.9.3"
+    "typescript": "^5.9.3",
+    "vite-plus": "catalog:"
   },
   "peerDependencies": {
     "@adonisjs/assembler": "^8.0.0",
     "@adonisjs/auth": "^10.0.0",
     "@adonisjs/core": "^7.0.0",
-    "@adonisjs/lucid": "^21.0.0",
+    "@adonisjs/lucid": "^21.0.0 || ^22.0.0",
     "@vinejs/vine": "^4.0.0"
   },
   "peerDependenciesMeta": {
     "@adonisjs/assembler": {
       "optional": true
+    },
+    "@adonisjs/auth": {
+      "optional": true
     }
   },
   "publishConfig": {
     "access": "public"
   },
-  "tsdown": {
-    "entry": [
-      "./index.ts",
-      "./configure.ts",
-      "./providers/sesame_provider.ts",
-      "./services/main.ts",
-      "./src/guard/main.ts",
-      "./commands/sesame_purge.ts",
-      "./src/middleware/scope_middleware.ts",
-      "./src/middleware/any_scope_middleware.ts"
-    ],
-    "outDir": "./build",
-    "clean": true,
-    "format": "esm",
-    "minify": "dce-only",
-    "fixedExtension": false,
-    "dts": false,
-    "treeshake": false,
-    "sourcemaps": false,
-    "target": "esnext"
-  },
   "release-it": {
     "git": {
       "requireCleanWorkingDir": true,
@@ -147,6 +131,7 @@
     ]
   },
   "dependencies": {
+    "jose": "^6.2.1",
     "luxon": "^3.7.2"
   }
 }

package/build/authorize_controller-YUfAy-R2.js

@@ -1,138 +0,0 @@
-import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
-import "./decorate-BKZEjPRg.js";
-import "./oauth_access_token-bsoM5KeU.js";
-import { d as E_UNSUPPORTED_RESPONSE_TYPE, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
-import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-WTNMqWzY.js";
-import { DateTime } from "luxon";
-import string from "@adonisjs/core/helpers/string";
-import vine from "@vinejs/vine";
-var AuthorizeController = class AuthorizeController {
-	static validator = vine.create({
-		client_id: vine.string(),
-		response_type: vine.string(),
-		redirect_uri: vine.string(),
-		scope: vine.string().optional(),
-		state: vine.string().optional(),
-		code_challenge: vine.string().optional(),
-		code_challenge_method: vine.string().optional()
-	});
-	#redirectWithError(ctx, manager, redirectUri, error, description, state) {
-		const url = new URL(redirectUri);
-		url.searchParams.set("error", error);
-		url.searchParams.set("error_description", description);
-		if (state) url.searchParams.set("state", state);
-		url.searchParams.set("iss", manager.config.issuer);
-		return ctx.response.redirect().toPath(url.toString());
-	}
-	async #buildAuthorizationRequestParams(manager, options) {
-		const tokenService = new TokenService(manager);
-		const rawRequestToken = tokenService.generateOpaqueToken();
-		const ttl = string.seconds.parse(manager.config.authorizationRequestTtl);
-		await OAuthPendingAuthorizationRequest.create({
-			id: crypto.randomUUID(),
-			token: tokenService.hashToken(rawRequestToken),
-			userId: options.userId,
-			clientId: options.clientId,
-			redirectUri: options.redirectUri,
-			scopes: options.scopes,
-			state: options.state ?? null,
-			codeChallenge: options.codeChallenge ?? null,
-			codeChallengeMethod: options.codeChallengeMethod ?? null,
-			expiresAt: DateTime.now().plus({ seconds: ttl })
-		});
-		const params = new URLSearchParams();
-		params.set("auth_token", rawRequestToken);
-		return params;
-	}
-	#copyAuthorizeDisplayParams(params, query) {
-		for (const [key, value] of Object.entries(query)) {
-			if (key === "auth_token") continue;
-			if (value != null) params.set(key, String(value));
-		}
-	}
-	#resolvePageUrl(page, ctx, params) {
-		if (typeof page === "function") return page(ctx, params);
-		return `${page}?${params.toString()}`;
-	}
-	async #issueAuthorizationCode(ctx, manager, options) {
-		const tokenService = new TokenService(manager);
-		const raw = tokenService.generateOpaqueToken();
-		const hashed = tokenService.hashToken(raw);
-		const ttl = string.seconds.parse(manager.config.authorizationCodeTtl);
-		await OAuthAuthorizationCode.create({
-			id: crypto.randomUUID(),
-			code: hashed,
-			clientId: options.client.clientId,
-			userId: options.userId,
-			scopes: options.scopes,
-			redirectUri: options.redirectUri,
-			codeChallenge: options.codeChallenge ?? null,
-			codeChallengeMethod: options.codeChallengeMethod ?? null,
-			expiresAt: DateTime.now().plus({ seconds: ttl })
-		});
-		const url = new URL(options.redirectUri);
-		url.searchParams.set("code", raw);
-		if (options.state) url.searchParams.set("state", options.state);
-		url.searchParams.set("iss", manager.config.issuer);
-		return ctx.response.redirect().toPath(url.toString());
-	}
-	async handle(ctx) {
-		const manager = await ctx.containerResolver.make(SesameManager);
-		const clientService = new ClientService();
-		const [error, query] = await AuthorizeController.validator.tryValidate(ctx.request.qs());
-		if (error) throw new E_INVALID_REQUEST("Invalid authorization request parameters");
-		if (query.response_type !== "code") throw new E_UNSUPPORTED_RESPONSE_TYPE("Only \"code\" is supported");
-		const client = await OAuthClient.query().where("clientId", query.client_id).first();
-		if (!client) throw new E_INVALID_CLIENT("Client not found");
-		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-		if (!client.redirectUris.includes(query.redirect_uri)) throw new E_INVALID_REQUEST("Invalid redirect_uri");
-		if (!client.grantTypes.includes("authorization_code")) return this.#redirectWithError(ctx, manager, query.redirect_uri, "unauthorized_client", "Client is not allowed to use the authorization_code grant", query.state);
-		const requestedScopes = query.scope ? query.scope.split(" ") : manager.config.defaultScopes;
-		const invalidScopes = manager.validateScopes(requestedScopes);
-		if (invalidScopes.length > 0) return this.#redirectWithError(ctx, manager, query.redirect_uri, "invalid_scope", `Invalid scopes: ${invalidScopes.join(", ")}`, query.state);
-		try {
-			clientService.validateClientScopes(requestedScopes, client.scopes);
-		} catch (error) {
-			return this.#redirectWithError(ctx, manager, query.redirect_uri, "invalid_scope", error.message, query.state);
-		}
-		if (!query.code_challenge) return this.#redirectWithError(ctx, manager, query.redirect_uri, "invalid_request", "PKCE code_challenge is required", query.state);
-		if (query.code_challenge_method !== "S256") return this.#redirectWithError(ctx, manager, query.redirect_uri, "invalid_request", "Only S256 code_challenge_method is supported", query.state);
-		await ctx.auth.check();
-		const user = ctx.auth.user;
-		if (!user) {
-			const params = new URLSearchParams();
-			this.#copyAuthorizeDisplayParams(params, ctx.request.qs());
-			const loginPage = this.#resolvePageUrl(manager.config.loginPage, ctx, params);
-			return ctx.response.redirect().toPath(loginPage);
-		}
-		const existingConsent = await OAuthConsent.query().where("clientId", client.clientId).where("userId", String(user.id)).first();
-		if (existingConsent) {
-			const consentedSet = new Set(existingConsent.scopes);
-			if (requestedScopes.every((s) => consentedSet.has(s))) return this.#issueAuthorizationCode(ctx, manager, {
-				client,
-				userId: String(user.id),
-				scopes: requestedScopes,
-				redirectUri: query.redirect_uri,
-				codeChallenge: query.code_challenge,
-				codeChallengeMethod: query.code_challenge_method,
-				state: query.state
-			});
-		}
-		const params = await this.#buildAuthorizationRequestParams(manager, {
-			userId: String(user.id),
-			clientId: client.clientId,
-			redirectUri: query.redirect_uri,
-			scopes: requestedScopes,
-			state: query.state,
-			codeChallenge: query.code_challenge,
-			codeChallengeMethod: query.code_challenge_method
-		});
-		this.#copyAuthorizeDisplayParams(params, ctx.request.qs());
-		params.set("scope", requestedScopes.join(" "));
-		const consentPage = this.#resolvePageUrl(manager.config.consentPage, ctx, params);
-		return ctx.response.redirect().toPath(consentPage);
-	}
-};
-export { AuthorizeController as default };

package/build/client_service-WTNMqWzY.js

@@ -1,65 +0,0 @@
-import { o as BUILTIN_SCOPES } from "./sesame_manager-DwDZy5Vy.js";
-import { o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
-import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
-var ClientService = class {
-	parseBasicAuth(header) {
-		if (!header.startsWith("Basic ")) return null;
-		try {
-			const decoded = Buffer.from(header.slice(6), "base64").toString("utf-8");
-			const colonIndex = decoded.indexOf(":");
-			if (colonIndex === -1) return null;
-			return {
-				clientId: decodeURIComponent(decoded.slice(0, colonIndex)),
-				clientSecret: decodeURIComponent(decoded.slice(colonIndex + 1))
-			};
-		} catch {
-			return null;
-		}
-	}
-	extractCredentials(options) {
-		const basic = options.authorizationHeader ? this.parseBasicAuth(options.authorizationHeader) : null;
-		if (basic && options.bodyClientId) throw new E_INVALID_REQUEST("Multiple client authentication methods are not allowed");
-		if (basic) return basic;
-		if (options.bodyClientId) return {
-			clientId: options.bodyClientId,
-			clientSecret: options.bodyClientSecret
-		};
-		return null;
-	}
-	async authenticateClient(options) {
-		const credentials = this.extractCredentials(options);
-		if (!credentials) throw new E_INVALID_CLIENT("Client authentication failed");
-		const client = await OAuthClient.query().where("clientId", credentials.clientId).first();
-		if (!client || client.isDisabled) throw new E_INVALID_CLIENT("Client authentication failed");
-		if (!client.isPublic) {
-			if (!credentials.clientSecret || !this.verifySecret(credentials.clientSecret, client.clientSecret)) throw new E_INVALID_CLIENT("Client authentication failed");
-		}
-		return client;
-	}
-	validateClientScopes(requestedScopes, clientScopes) {
-		const nonBuiltinScopes = requestedScopes.filter((s) => !BUILTIN_SCOPES.has(s));
-		if (clientScopes.length === 0 && nonBuiltinScopes.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${nonBuiltinScopes.join(", ")}`);
-		const allowedSet = new Set(clientScopes);
-		const invalid = nonBuiltinScopes.filter((s) => !allowedSet.has(s));
-		if (invalid.length > 0) throw new E_INVALID_SCOPE(`Scope not allowed: ${invalid.join(", ")}`);
-	}
-	hashSecret(secret) {
-		return createHash("sha256").update(secret).digest("base64url");
-	}
-	verifySecret(secret, storedHash) {
-		const hash = this.hashSecret(secret);
-		try {
-			return timingSafeEqual(Buffer.from(hash), Buffer.from(storedHash));
-		} catch {
-			return false;
-		}
-	}
-	generateClientId() {
-		return randomBytes(16).toString("hex");
-	}
-	generateClientSecret() {
-		return randomBytes(32).toString("base64url");
-	}
-};
-export { ClientService as t };

package/build/consent_controller-Dprwd1ed.js

@@ -1,85 +0,0 @@
-import { i as OAuthAuthorizationCode, n as OAuthPendingAuthorizationRequest, r as OAuthConsent, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
-import "./decorate-BKZEjPRg.js";
-import "./oauth_access_token-bsoM5KeU.js";
-import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT } from "./oauth_error-CnJ3L8tf.js";
-import { t as OAuthClient } from "./oauth_client-BIoY5jBR.js";
-import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { DateTime } from "luxon";
-import string from "@adonisjs/core/helpers/string";
-import vine from "@vinejs/vine";
-var ConsentController = class ConsentController {
-	static validator = vine.create({ auth_token: vine.string() });
-	async #consumePendingRequest(hashedToken, userId) {
-		const row = await OAuthPendingAuthorizationRequest.query().where("token", hashedToken).where("userId", userId).where("expiresAt", ">", DateTime.now().toSQL()).first();
-		if (!row) return null;
-		const deleted = await OAuthPendingAuthorizationRequest.query().where("id", row.id).delete();
-		if ((Array.isArray(deleted) ? Number(deleted[0]) : Number(deleted)) === 0) return null;
-		return row;
-	}
-	async #issueAuthorizationCode(ctx, manager, options) {
-		const tokenService = new TokenService(manager);
-		const raw = tokenService.generateOpaqueToken();
-		const hashed = tokenService.hashToken(raw);
-		const ttl = string.seconds.parse(manager.config.authorizationCodeTtl);
-		await OAuthAuthorizationCode.create({
-			id: crypto.randomUUID(),
-			code: hashed,
-			clientId: options.client.clientId,
-			userId: options.userId,
-			scopes: options.scopes,
-			redirectUri: options.redirectUri,
-			codeChallenge: options.codeChallenge ?? null,
-			codeChallengeMethod: options.codeChallengeMethod ?? null,
-			expiresAt: DateTime.now().plus({ seconds: ttl })
-		});
-		const url = new URL(options.redirectUri);
-		url.searchParams.set("code", raw);
-		if (options.state) url.searchParams.set("state", options.state);
-		url.searchParams.set("iss", manager.config.issuer);
-		return ctx.response.redirect().toPath(url.toString());
-	}
-	async handle(ctx) {
-		const manager = await ctx.containerResolver.make(SesameManager);
-		await ctx.auth.check();
-		const user = ctx.auth.user;
-		if (!user) throw new E_INVALID_REQUEST("User must be authenticated");
-		const [error, body] = await ConsentController.validator.tryValidate(ctx.request.body());
-		if (error) throw new E_INVALID_REQUEST("Missing required parameter: auth_token");
-		const accept = ctx.request.body().accept;
-		const hashedToken = new TokenService(manager).hashToken(body.auth_token);
-		const pendingRequest = await this.#consumePendingRequest(hashedToken, String(user.id));
-		if (!pendingRequest) throw new E_INVALID_GRANT("Authorization request not found or expired");
-		const client = await OAuthClient.query().where("clientId", pendingRequest.clientId).first();
-		if (!client) throw new E_INVALID_CLIENT("Client not found");
-		if (client.isDisabled) throw new E_INVALID_CLIENT("Client is disabled");
-		if (!client.redirectUris.includes(pendingRequest.redirectUri)) throw new E_INVALID_REQUEST("Invalid redirect_uri");
-		if (!accept) {
-			const url = new URL(pendingRequest.redirectUri);
-			url.searchParams.set("error", "access_denied");
-			url.searchParams.set("error_description", "The user denied the authorization request");
-			if (pendingRequest.state) url.searchParams.set("state", pendingRequest.state);
-			url.searchParams.set("iss", manager.config.issuer);
-			return ctx.response.redirect().toPath(url.toString());
-		}
-		const existingConsent = await OAuthConsent.query().where("clientId", client.clientId).where("userId", String(user.id)).first();
-		if (existingConsent) {
-			existingConsent.scopes = [...new Set([...existingConsent.scopes, ...pendingRequest.scopes])];
-			await existingConsent.save();
-		} else await OAuthConsent.create({
-			id: crypto.randomUUID(),
-			clientId: client.clientId,
-			userId: String(user.id),
-			scopes: pendingRequest.scopes
-		});
-		return this.#issueAuthorizationCode(ctx, manager, {
-			client,
-			userId: String(user.id),
-			scopes: pendingRequest.scopes,
-			redirectUri: pendingRequest.redirectUri,
-			codeChallenge: pendingRequest.codeChallenge ?? void 0,
-			codeChallengeMethod: pendingRequest.codeChallengeMethod ?? void 0,
-			state: pendingRequest.state ?? void 0
-		});
-	}
-};
-export { ConsentController as default };

package/build/decorate-BKZEjPRg.js

@@ -1,15 +0,0 @@
-import { column } from "@adonisjs/lucid/orm";
-function json(options) {
-	return column({
-		...options,
-		prepare: (value) => value == null ? null : JSON.stringify(value),
-		consume: (value) => value == null ? null : typeof value === "string" ? JSON.parse(value) : value
-	});
-}
-function __decorate(decorators, target, key, desc) {
-	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-	return c > 3 && r && Object.defineProperty(target, key, r), r;
-}
-export { json as n, __decorate as t };

package/build/oauth_client-BIoY5jBR.js

@@ -1,24 +0,0 @@
-import { n as json, t as __decorate } from "./decorate-BKZEjPRg.js";
-import { BaseModel, column } from "@adonisjs/lucid/orm";
-var OAuthClient = class extends BaseModel {
-	static table = "oauth_clients";
-};
-__decorate([column({ isPrimary: true })], OAuthClient.prototype, "id", void 0);
-__decorate([column()], OAuthClient.prototype, "clientId", void 0);
-__decorate([column({ serializeAs: null })], OAuthClient.prototype, "clientSecret", void 0);
-__decorate([column()], OAuthClient.prototype, "name", void 0);
-__decorate([json()], OAuthClient.prototype, "redirectUris", void 0);
-__decorate([json()], OAuthClient.prototype, "scopes", void 0);
-__decorate([json()], OAuthClient.prototype, "grantTypes", void 0);
-__decorate([column()], OAuthClient.prototype, "isPublic", void 0);
-__decorate([column()], OAuthClient.prototype, "isDisabled", void 0);
-__decorate([column()], OAuthClient.prototype, "requirePkce", void 0);
-__decorate([column()], OAuthClient.prototype, "type", void 0);
-__decorate([json()], OAuthClient.prototype, "metadata", void 0);
-__decorate([column()], OAuthClient.prototype, "userId", void 0);
-__decorate([column.dateTime({ autoCreate: true })], OAuthClient.prototype, "createdAt", void 0);
-__decorate([column.dateTime({
-	autoCreate: true,
-	autoUpdate: true
-})], OAuthClient.prototype, "updatedAt", void 0);
-export { OAuthClient as t };

package/build/oauth_error-CnJ3L8tf.js

@@ -1,94 +0,0 @@
-import { Exception } from "@adonisjs/core/exceptions";
-var OAuthError = class extends Exception {
-	static oauthCode;
-	get oauthCode() {
-		return this.constructor.oauthCode;
-	}
-	handle(error, ctx) {
-		ctx.response.status(error.status).json({
-			error: error.oauthCode,
-			error_description: error.message
-		});
-	}
-};
-const E_INVALID_REQUEST = class extends OAuthError {
-	static status = 400;
-	static code = "E_INVALID_REQUEST";
-	static message = "Invalid request";
-	static oauthCode = "invalid_request";
-};
-const E_INVALID_CLIENT = class extends OAuthError {
-	static status = 401;
-	static code = "E_INVALID_CLIENT";
-	static message = "Invalid client";
-	static oauthCode = "invalid_client";
-	handle(error, ctx) {
-		if (ctx.request.header("authorization")?.startsWith("Basic ")) ctx.response.header("WWW-Authenticate", "Basic");
-		super.handle(error, ctx);
-	}
-};
-const E_INVALID_GRANT = class extends OAuthError {
-	static status = 400;
-	static code = "E_INVALID_GRANT";
-	static message = "Invalid grant";
-	static oauthCode = "invalid_grant";
-};
-const E_INVALID_SCOPE = class extends OAuthError {
-	static status = 400;
-	static code = "E_INVALID_SCOPE";
-	static message = "Invalid scope";
-	static oauthCode = "invalid_scope";
-};
-const E_INVALID_TOKEN = class extends OAuthError {
-	static status = 401;
-	static code = "E_INVALID_TOKEN";
-	static message = "Invalid token";
-	static oauthCode = "invalid_token";
-};
-const E_UNSUPPORTED_GRANT_TYPE = class extends OAuthError {
-	static status = 400;
-	static code = "E_UNSUPPORTED_GRANT_TYPE";
-	static message = "Unsupported grant type";
-	static oauthCode = "unsupported_grant_type";
-};
-const E_UNSUPPORTED_RESPONSE_TYPE = class extends OAuthError {
-	static status = 400;
-	static code = "E_UNSUPPORTED_RESPONSE_TYPE";
-	static message = "Unsupported response type";
-	static oauthCode = "unsupported_response_type";
-};
-const E_ACCESS_DENIED = class extends OAuthError {
-	static status = 403;
-	static code = "E_ACCESS_DENIED";
-	static message = "Access denied";
-	static oauthCode = "access_denied";
-};
-const E_INVALID_CLIENT_METADATA = class extends OAuthError {
-	static status = 400;
-	static code = "E_INVALID_CLIENT_METADATA";
-	static message = "Invalid client metadata";
-	static oauthCode = "invalid_client_metadata";
-};
-const E_SERVER_ERROR = class extends OAuthError {
-	static status = 500;
-	static code = "E_SERVER_ERROR";
-	static message = "Server error";
-	static oauthCode = "server_error";
-};
-const E_INSUFFICIENT_SCOPE = class extends OAuthError {
-	static status = 403;
-	static code = "E_INSUFFICIENT_SCOPE";
-	static message = "Insufficient scope";
-	static oauthCode = "insufficient_scope";
-	missingScopes;
-	constructor(missingScopes, message) {
-		super(message ?? "The token does not have the required scope(s)");
-		this.missingScopes = missingScopes;
-	}
-	handle(error, ctx) {
-		const scope = error.missingScopes.join(" ");
-		ctx.response.header("WWW-Authenticate", `Bearer error="insufficient_scope", error_description="${error.message}", scope="${scope}"`);
-		super.handle(error, ctx);
-	}
-};
-export { E_INVALID_GRANT as a, E_INVALID_TOKEN as c, E_UNSUPPORTED_RESPONSE_TYPE as d, OAuthError as f, E_INVALID_CLIENT_METADATA as i, E_SERVER_ERROR as l, E_INSUFFICIENT_SCOPE as n, E_INVALID_REQUEST as o, E_INVALID_CLIENT as r, E_INVALID_SCOPE as s, E_ACCESS_DENIED as t, E_UNSUPPORTED_GRANT_TYPE as u };

package/build/sesame_manager-Bu4MHqZV.js

@@ -1,4 +0,0 @@
-import { t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
-import "./decorate-BKZEjPRg.js";
-import "./oauth_access_token-bsoM5KeU.js";
-export { SesameManager };