@julr/sesame 0.5.1 → 0.6.0

package/build/sesame_manager-DwDZy5Vy.js

@@ -1,167 +0,0 @@
-import { n as json, t as __decorate } from "./decorate-BKZEjPRg.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { DateTime } from "luxon";
-import { BaseModel, column } from "@adonisjs/lucid/orm";
-const BUILTIN_SCOPES = new Set(["offline_access"]);
-const controllers = {
-	token: () => import("./token_controller-DzcrLMyS.js"),
-	authorize: () => import("./authorize_controller-YUfAy-R2.js"),
-	consent: () => import("./consent_controller-Dprwd1ed.js"),
-	introspect: () => import("./introspect_controller-6bRt9sZt.js"),
-	revoke: () => import("./revoke_controller-D6isoQCi.js"),
-	register: () => import("./register_controller-sIJ1rxdM.js"),
-	metadata: () => import("./metadata_controller-DeaMRnUr.js"),
-	clientInfo: () => import("./client_info_controller-BucHGx4u.js")
-};
-function registerOAuthRoutes(router) {
-	router.post("/token", [controllers.token]).as("sesame.token");
-	router.get("/authorize", [controllers.authorize]).as("sesame.authorize");
-	router.post("/consent", [controllers.consent]).as("sesame.consent");
-	router.get("/client-info", [controllers.clientInfo]).as("sesame.clientInfo");
-	router.post("/introspect", [controllers.introspect]).as("sesame.introspect");
-	router.post("/revoke", [controllers.revoke]).as("sesame.revoke");
-	router.post("/register", [controllers.register]).as("sesame.register");
-}
-function registerWellKnownRoutes(router) {
-	router.get("/.well-known/oauth-authorization-server", [controllers.metadata, "authServer"]).as("sesame.metadata.authServer");
-	router.get("/.well-known/openid-configuration", [controllers.metadata, "oidc"]).as("sesame.metadata.oidc");
-	router.get("/.well-known/oauth-protected-resource", [controllers.metadata, "protectedResource"]).as("sesame.metadata.protectedResource");
-}
-var OAuthRefreshToken = class extends BaseModel {
-	static table = "oauth_refresh_tokens";
-};
-__decorate([column({ isPrimary: true })], OAuthRefreshToken.prototype, "id", void 0);
-__decorate([column({ serializeAs: null })], OAuthRefreshToken.prototype, "token", void 0);
-__decorate([column()], OAuthRefreshToken.prototype, "accessTokenId", void 0);
-__decorate([column()], OAuthRefreshToken.prototype, "clientId", void 0);
-__decorate([column()], OAuthRefreshToken.prototype, "userId", void 0);
-__decorate([json()], OAuthRefreshToken.prototype, "scopes", void 0);
-__decorate([column.dateTime()], OAuthRefreshToken.prototype, "expiresAt", void 0);
-__decorate([column.dateTime()], OAuthRefreshToken.prototype, "revokedAt", void 0);
-__decorate([column.dateTime({ autoCreate: true })], OAuthRefreshToken.prototype, "createdAt", void 0);
-__decorate([column.dateTime({
-	autoCreate: true,
-	autoUpdate: true
-})], OAuthRefreshToken.prototype, "updatedAt", void 0);
-var OAuthAuthorizationCode = class extends BaseModel {
-	static table = "oauth_authorization_codes";
-};
-__decorate([column({ isPrimary: true })], OAuthAuthorizationCode.prototype, "id", void 0);
-__decorate([column()], OAuthAuthorizationCode.prototype, "code", void 0);
-__decorate([column()], OAuthAuthorizationCode.prototype, "clientId", void 0);
-__decorate([column()], OAuthAuthorizationCode.prototype, "userId", void 0);
-__decorate([json()], OAuthAuthorizationCode.prototype, "scopes", void 0);
-__decorate([column()], OAuthAuthorizationCode.prototype, "redirectUri", void 0);
-__decorate([column()], OAuthAuthorizationCode.prototype, "codeChallenge", void 0);
-__decorate([column()], OAuthAuthorizationCode.prototype, "codeChallengeMethod", void 0);
-__decorate([column.dateTime()], OAuthAuthorizationCode.prototype, "expiresAt", void 0);
-__decorate([column.dateTime({ autoCreate: true })], OAuthAuthorizationCode.prototype, "createdAt", void 0);
-__decorate([column.dateTime({
-	autoCreate: true,
-	autoUpdate: true
-})], OAuthAuthorizationCode.prototype, "updatedAt", void 0);
-var OAuthConsent = class extends BaseModel {
-	static table = "oauth_consents";
-};
-__decorate([column({ isPrimary: true })], OAuthConsent.prototype, "id", void 0);
-__decorate([column()], OAuthConsent.prototype, "clientId", void 0);
-__decorate([column()], OAuthConsent.prototype, "userId", void 0);
-__decorate([json()], OAuthConsent.prototype, "scopes", void 0);
-__decorate([column.dateTime({ autoCreate: true })], OAuthConsent.prototype, "createdAt", void 0);
-__decorate([column.dateTime({
-	autoCreate: true,
-	autoUpdate: true
-})], OAuthConsent.prototype, "updatedAt", void 0);
-var OAuthPendingAuthorizationRequest = class extends BaseModel {
-	static table = "oauth_pending_authorization_requests";
-};
-__decorate([column({ isPrimary: true })], OAuthPendingAuthorizationRequest.prototype, "id", void 0);
-__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "token", void 0);
-__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "userId", void 0);
-__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "clientId", void 0);
-__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "redirectUri", void 0);
-__decorate([json()], OAuthPendingAuthorizationRequest.prototype, "scopes", void 0);
-__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "state", void 0);
-__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "codeChallenge", void 0);
-__decorate([column()], OAuthPendingAuthorizationRequest.prototype, "codeChallengeMethod", void 0);
-__decorate([column.dateTime()], OAuthPendingAuthorizationRequest.prototype, "expiresAt", void 0);
-__decorate([column.dateTime({ autoCreate: true })], OAuthPendingAuthorizationRequest.prototype, "createdAt", void 0);
-var SesameManager = class {
-	#config;
-	#router;
-	constructor(config, router) {
-		this.#config = config;
-		this.#router = router;
-	}
-	get config() {
-		return this.#config;
-	}
-	hasScope(scope) {
-		return scope in this.#config.scopes;
-	}
-	validateScopes(scopes) {
-		if (Object.keys(this.#config.scopes).length === 0) return scopes.filter((s) => !BUILTIN_SCOPES.has(s));
-		return scopes.filter((s) => !BUILTIN_SCOPES.has(s) && !this.hasScope(s));
-	}
-	isGrantTypeEnabled(grantType) {
-		return this.#config.grantTypes.includes(grantType);
-	}
-	async revokeAllForUser(userId) {
-		const now = DateTime.now();
-		await OAuthAccessToken.query().where("userId", userId).whereNull("revokedAt").update({ revokedAt: now.toSQL() });
-		await OAuthRefreshToken.query().where("userId", userId).whereNull("revokedAt").update({ revokedAt: now.toSQL() });
-		await OAuthAuthorizationCode.query().where("userId", userId).delete();
-		await OAuthPendingAuthorizationRequest.query().where("userId", userId).delete();
-		await OAuthConsent.query().where("userId", userId).delete();
-	}
-	async purgeTokens(options) {
-		const revokedOnly = options?.revokedOnly ?? false;
-		const expiredOnly = options?.expiredOnly ?? false;
-		const retentionHours = options?.retentionHours ?? 168;
-		const purgeRevoked = revokedOnly || !expiredOnly;
-		const purgeExpired = expiredOnly || !revokedOnly;
-		const cutoff = DateTime.now().minus({ hours: retentionHours });
-		let accessTokens = 0;
-		let refreshTokens = 0;
-		let authorizationCodes = 0;
-		let pendingRequests = 0;
-		if (purgeRevoked) {
-			accessTokens += await this.#deleteCount(OAuthAccessToken.query().whereNotNull("revokedAt").delete());
-			refreshTokens += await this.#deleteCount(OAuthRefreshToken.query().whereNotNull("revokedAt").delete());
-		}
-		if (purgeExpired) {
-			accessTokens += await this.#deleteCount(OAuthAccessToken.query().where("expiresAt", "<", cutoff.toSQL()).whereNull("revokedAt").delete());
-			refreshTokens += await this.#deleteCount(OAuthRefreshToken.query().where("expiresAt", "<", cutoff.toSQL()).whereNull("revokedAt").delete());
-			authorizationCodes += await this.#deleteCount(OAuthAuthorizationCode.query().where("expiresAt", "<", cutoff.toSQL()).delete());
-		}
-		pendingRequests += await this.#deleteCount(OAuthPendingAuthorizationRequest.query().where("expiresAt", "<", DateTime.now().toSQL()).delete());
-		return {
-			accessTokens,
-			refreshTokens,
-			authorizationCodes,
-			pendingRequests
-		};
-	}
-	registerRoutes() {
-		registerOAuthRoutes(this.#router);
-	}
-	registerWellKnownRoutes() {
-		registerWellKnownRoutes(this.#router);
-	}
-	registerProtectedResource(options) {
-		const wellKnownPath = `/.well-known/oauth-protected-resource${options.resource}`;
-		this.#router.get(wellKnownPath, async (ctx) => {
-			ctx.response.header("Cache-Control", "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400");
-			return {
-				resource: `${this.#config.issuer}${options.resource}`,
-				authorization_servers: [this.#config.issuer],
-				scopes_supported: [...options.scopes ?? Object.keys(this.#config.scopes), ...BUILTIN_SCOPES],
-				bearer_methods_supported: ["header"]
-			};
-		});
-	}
-	#deleteCount(result) {
-		return result.then((r) => Array.isArray(r) ? Number(r[0] ?? 0) : Number(r));
-	}
-};
-export { OAuthRefreshToken as a, OAuthAuthorizationCode as i, OAuthPendingAuthorizationRequest as n, BUILTIN_SCOPES as o, OAuthConsent as r, SesameManager as t };

package/build/src/grants/authorization_code_grant.d.ts

@@ -1,23 +0,0 @@
-import type { HttpContext } from '@adonisjs/core/http';
-import type { SesameManager } from '../sesame_manager.ts';
-/**
- * Handle the Authorization Code Grant (RFC 6749 §4.1.3).
- *
- * Exchanges an authorization code for an access token and a refresh
- * token. A refresh token is always issued when the `refresh_token`
- * grant type is enabled on the server — the client does not need
- * to request `offline_access` explicitly.
- *
- * This matches the behavior of major OAuth providers and avoids
- * forcing MCP clients like ClaudeDesktop to know about `offline_access` to get long-lived sessions.
- *
- * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
- * @see https://datatracker.ietf.org/doc/html/rfc7636#section-4.6
- */
-export declare function handleAuthorizationCodeGrant(ctx: HttpContext, manager: SesameManager): Promise<{
-    refresh_token?: string | undefined;
-    access_token: string;
-    token_type: string;
-    expires_in: number;
-    scope: string;
-}>;

package/build/src/grants/client_credentials_grant.d.ts

@@ -1,23 +0,0 @@
-import type { HttpContext } from '@adonisjs/core/http';
-import type { SesameManager } from '../sesame_manager.ts';
-/**
- * Handle the Client Credentials Grant (RFC 6749 §4.4).
- *
- * Issues an access token directly to the client for
- * machine-to-machine (M2M) communication. The client
- * authenticates with its own credentials and receives an
- * access token without an interactive user step.
- *
- * No refresh token is issued (per spec and convention).
- *
- * Built-in OIDC scopes (e.g. `offline_access`) are rejected
- * since they are user-centric and meaningless in an M2M context.
- *
- * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
- */
-export declare function handleClientCredentialsGrant(ctx: HttpContext, manager: SesameManager): Promise<{
-    access_token: string;
-    token_type: string;
-    expires_in: number;
-    scope: string;
-}>;

package/build/src/grants/refresh_token_grant.d.ts

@@ -1,27 +0,0 @@
-import type { HttpContext } from '@adonisjs/core/http';
-import type { SesameManager } from '../sesame_manager.ts';
-/**
- * Handle the Refresh Token Grant (RFC 6749 §6).
- *
- * Exchanges a refresh token for a new access token and a new
- * refresh token (rotation). The old refresh token is revoked
- * immediately after use.
- *
- * Implements replay detection: if a revoked refresh token is
- * presented, all tokens for that client+user pair are nuked
- * (both access and refresh tokens) to mitigate stolen token
- * reuse attacks.
- *
- * Scope narrowing is supported: the client may request a subset
- * of the originally granted scopes, but cannot request new ones.
- *
- * @see https://datatracker.ietf.org/doc/html/rfc6749#section-6
- * @see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.14.2
- */
-export declare function handleRefreshTokenGrant(ctx: HttpContext, manager: SesameManager): Promise<{
-    access_token: string;
-    token_type: string;
-    expires_in: number;
-    scope: string;
-    refresh_token: string;
-}>;

package/build/token_controller-DzcrLMyS.js

@@ -1,194 +0,0 @@
-import { a as OAuthRefreshToken, i as OAuthAuthorizationCode, o as BUILTIN_SCOPES, t as SesameManager } from "./sesame_manager-DwDZy5Vy.js";
-import "./decorate-BKZEjPRg.js";
-import { t as OAuthAccessToken } from "./oauth_access_token-bsoM5KeU.js";
-import { a as E_INVALID_GRANT, o as E_INVALID_REQUEST, r as E_INVALID_CLIENT, s as E_INVALID_SCOPE, u as E_UNSUPPORTED_GRANT_TYPE } from "./oauth_error-CnJ3L8tf.js";
-import "./oauth_client-BIoY5jBR.js";
-import { t as TokenService } from "./token_service-fhoA4slP.js";
-import { t as ClientService } from "./client_service-WTNMqWzY.js";
-import { DateTime } from "luxon";
-import { createHash } from "node:crypto";
-import string from "@adonisjs/core/helpers/string";
-import vine from "@vinejs/vine";
-const codeVerifierValidator = vine.create({ code_verifier: vine.string().minLength(43).maxLength(128).regex(/^[A-Za-z0-9\-._~]+$/) });
-async function handleAuthorizationCodeGrant(ctx, manager) {
-	const tokenService = new TokenService(manager);
-	const clientService = new ClientService();
-	const body = ctx.request.body();
-	const code = body.code;
-	const redirectUri = body.redirect_uri;
-	const codeVerifier = body.code_verifier;
-	if (!code) throw new E_INVALID_REQUEST("Missing required parameter: code");
-	if (!redirectUri) throw new E_INVALID_REQUEST("Missing required parameter: redirect_uri");
-	const client = await clientService.authenticateClient({
-		authorizationHeader: ctx.request.header("authorization"),
-		bodyClientId: body.client_id,
-		bodyClientSecret: body.client_secret
-	});
-	if (!client.grantTypes.includes("authorization_code")) throw new E_INVALID_CLIENT("Client is not allowed to use the authorization_code grant");
-	const hashedCode = tokenService.hashToken(code);
-	const authCode = await OAuthAuthorizationCode.query().where("code", hashedCode).where("clientId", client.clientId).first();
-	if (!authCode) throw new E_INVALID_GRANT("Authorization code not found");
-	if (authCode.expiresAt < DateTime.now()) {
-		await OAuthAuthorizationCode.query().where("id", authCode.id).delete();
-		throw new E_INVALID_GRANT("Authorization code has expired");
-	}
-	if (authCode.redirectUri !== redirectUri) throw new E_INVALID_GRANT("Redirect URI mismatch");
-	const deleteResult = await OAuthAuthorizationCode.query().where("id", authCode.id).delete();
-	if ((Array.isArray(deleteResult) ? Number(deleteResult[0] ?? 0) : Number(deleteResult)) !== 1) throw new E_INVALID_GRANT("Authorization code has already been consumed");
-	const [verifierError] = await codeVerifierValidator.tryValidate({ code_verifier: codeVerifier });
-	if (verifierError) throw new E_INVALID_REQUEST("code_verifier must be 43-128 characters using only [A-Za-z0-9-._~] (RFC 7636 §4.1)");
-	if (!authCode.codeChallenge) throw new E_INVALID_GRANT("Authorization code is missing PKCE challenge");
-	if (createHash("sha256").update(codeVerifier).digest("base64url") !== authCode.codeChallenge) throw new E_INVALID_GRANT("PKCE verification failed");
-	clientService.validateClientScopes(authCode.scopes, client.scopes);
-	const { raw: accessTokenRaw, hash: tokenHash, expiresAt } = tokenService.createAccessToken();
-	await OAuthAccessToken.create({
-		id: crypto.randomUUID(),
-		tokenHash,
-		clientId: client.clientId,
-		userId: authCode.userId,
-		scopes: authCode.scopes,
-		expiresAt: DateTime.fromJSDate(expiresAt)
-	});
-	let refreshTokenRaw;
-	if (manager.isGrantTypeEnabled("refresh_token")) {
-		const { raw, hash } = tokenService.createRefreshToken();
-		const refreshTtl = string.seconds.parse(manager.config.refreshTokenTtl);
-		await OAuthRefreshToken.create({
-			id: crypto.randomUUID(),
-			token: hash,
-			accessTokenId: tokenHash,
-			clientId: client.clientId,
-			userId: authCode.userId,
-			scopes: authCode.scopes,
-			expiresAt: DateTime.now().plus({ seconds: refreshTtl })
-		});
-		refreshTokenRaw = raw;
-	}
-	return {
-		access_token: accessTokenRaw,
-		token_type: "Bearer",
-		expires_in: string.seconds.parse(manager.config.accessTokenTtl),
-		scope: authCode.scopes.join(" "),
-		...refreshTokenRaw ? { refresh_token: refreshTokenRaw } : {}
-	};
-}
-async function handleRefreshTokenGrant(ctx, manager) {
-	const tokenService = new TokenService(manager);
-	const clientService = new ClientService();
-	const body = ctx.request.body();
-	const refreshTokenRaw = body.refresh_token;
-	if (!refreshTokenRaw) throw new E_INVALID_REQUEST("Missing required parameter: refresh_token");
-	const client = await clientService.authenticateClient({
-		authorizationHeader: ctx.request.header("authorization"),
-		bodyClientId: body.client_id,
-		bodyClientSecret: body.client_secret
-	});
-	if (!client.grantTypes.includes("refresh_token")) throw new E_INVALID_CLIENT("Client is not allowed to use the refresh_token grant");
-	const hashedToken = tokenService.hashToken(refreshTokenRaw);
-	const refreshToken = await OAuthRefreshToken.query().where("token", hashedToken).where("clientId", client.clientId).first();
-	if (!refreshToken) throw new E_INVALID_GRANT("Refresh token not found");
-	if (refreshToken.revokedAt) {
-		await OAuthRefreshToken.query().where("clientId", client.clientId).where("userId", refreshToken.userId).delete();
-		await OAuthAccessToken.query().where("clientId", client.clientId).where("userId", refreshToken.userId).whereNull("revokedAt").update({ revokedAt: DateTime.now().toSQL() });
-		throw new E_INVALID_GRANT("Refresh token has been revoked (possible replay attack)");
-	}
-	if (refreshToken.expiresAt < DateTime.now()) throw new E_INVALID_GRANT("Refresh token has expired");
-	const requestedScope = body.scope;
-	let scopes = refreshToken.scopes;
-	if (requestedScope) {
-		const requested = requestedScope.split(" ");
-		const originalSet = new Set(refreshToken.scopes);
-		const invalid = requested.filter((s) => !originalSet.has(s));
-		if (invalid.length > 0) throw new E_INVALID_SCOPE(`Scope not in original grant: ${invalid.join(", ")}`);
-		scopes = requested;
-	}
-	clientService.validateClientScopes(scopes, client.scopes);
-	const revokedAt = DateTime.now();
-	const updateResult = await OAuthRefreshToken.query().where("id", refreshToken.id).whereNull("revokedAt").update({ revokedAt: revokedAt.toSQL() });
-	if ((Array.isArray(updateResult) ? Number(updateResult[0] ?? 0) : Number(updateResult)) !== 1) throw new E_INVALID_GRANT("Refresh token has already been consumed");
-	await OAuthAccessToken.query().where("tokenHash", refreshToken.accessTokenId).whereNull("revokedAt").update({ revokedAt: revokedAt.toSQL() });
-	const { raw: accessTokenRaw, hash: tokenHash, expiresAt } = tokenService.createAccessToken();
-	await OAuthAccessToken.create({
-		id: crypto.randomUUID(),
-		tokenHash,
-		clientId: client.clientId,
-		userId: refreshToken.userId,
-		scopes,
-		expiresAt: DateTime.fromJSDate(expiresAt)
-	});
-	const { raw: newRefreshTokenRaw, hash: newRefreshTokenHash } = tokenService.createRefreshToken();
-	const refreshTtl = string.seconds.parse(manager.config.refreshTokenTtl);
-	await OAuthRefreshToken.create({
-		id: crypto.randomUUID(),
-		token: newRefreshTokenHash,
-		accessTokenId: tokenHash,
-		clientId: client.clientId,
-		userId: refreshToken.userId,
-		scopes,
-		expiresAt: DateTime.now().plus({ seconds: refreshTtl })
-	});
-	return {
-		access_token: accessTokenRaw,
-		token_type: "Bearer",
-		expires_in: string.seconds.parse(manager.config.accessTokenTtl),
-		scope: scopes.join(" "),
-		refresh_token: newRefreshTokenRaw
-	};
-}
-async function handleClientCredentialsGrant(ctx, manager) {
-	const tokenService = new TokenService(manager);
-	const clientService = new ClientService();
-	const body = ctx.request.body();
-	const client = await clientService.authenticateClient({
-		authorizationHeader: ctx.request.header("authorization"),
-		bodyClientId: body.client_id,
-		bodyClientSecret: body.client_secret
-	});
-	if (client.isPublic) throw new E_INVALID_CLIENT("Public clients cannot use the client_credentials grant");
-	if (!client.grantTypes.includes("client_credentials")) throw new E_INVALID_CLIENT("Client is not allowed to use the client_credentials grant");
-	const requestedScopes = body.scope ? body.scope.split(" ") : client.scopes.filter((scope) => !BUILTIN_SCOPES.has(scope));
-	const builtinRequested = requestedScopes.filter((s) => BUILTIN_SCOPES.has(s));
-	if (builtinRequested.length > 0) throw new E_INVALID_SCOPE(`Scopes not allowed for client_credentials: ${builtinRequested.join(", ")}`);
-	const invalidScopes = manager.validateScopes(requestedScopes);
-	if (invalidScopes.length > 0) throw new E_INVALID_SCOPE(`Invalid scopes: ${invalidScopes.join(", ")}`);
-	clientService.validateClientScopes(requestedScopes, client.scopes);
-	if (!client.userId) throw new E_INVALID_CLIENT("Client must be associated with a user to use the client_credentials grant");
-	const ttlSeconds = string.seconds.parse(manager.config.clientCredentialsAccessTokenTtl);
-	const { raw: accessTokenRaw, hash: tokenHash } = tokenService.createAccessToken();
-	const expiresAt = new Date(Date.now() + ttlSeconds * 1e3);
-	await OAuthAccessToken.create({
-		id: crypto.randomUUID(),
-		tokenHash,
-		clientId: client.clientId,
-		userId: client.userId,
-		scopes: requestedScopes,
-		expiresAt: DateTime.fromJSDate(expiresAt)
-	});
-	return {
-		access_token: accessTokenRaw,
-		token_type: "Bearer",
-		expires_in: ttlSeconds,
-		scope: requestedScopes.join(" ")
-	};
-}
-const grantHandlers = {
-	authorization_code: handleAuthorizationCodeGrant,
-	refresh_token: handleRefreshTokenGrant,
-	client_credentials: handleClientCredentialsGrant
-};
-var TokenController = class TokenController {
-	static validator = vine.create({ grant_type: vine.string() });
-	async handle(ctx) {
-		const manager = await ctx.containerResolver.make(SesameManager);
-		const [error, body] = await TokenController.validator.tryValidate(ctx.request.body());
-		if (error) throw new E_UNSUPPORTED_GRANT_TYPE("Missing required parameter: grant_type");
-		if (!manager.isGrantTypeEnabled(body.grant_type)) throw new E_UNSUPPORTED_GRANT_TYPE(`Grant type "${body.grant_type}" is not enabled`);
-		const handler = grantHandlers[body.grant_type];
-		if (!handler) throw new E_UNSUPPORTED_GRANT_TYPE(`Unsupported grant type: ${body.grant_type}`);
-		const result = await handler(ctx, manager);
-		ctx.response.header("Cache-Control", "no-store");
-		ctx.response.header("Pragma", "no-cache");
-		return result;
-	}
-};
-export { TokenController as default };

package/build/token_service-fhoA4slP.js

@@ -1,31 +0,0 @@
-import { createHash, randomBytes } from "node:crypto";
-import string from "@adonisjs/core/helpers/string";
-var TokenService = class {
-	#manager;
-	constructor(manager) {
-		this.#manager = manager;
-	}
-	createAccessToken() {
-		const raw = this.generateOpaqueToken();
-		const ttlSeconds = string.seconds.parse(this.#manager.config.accessTokenTtl);
-		return {
-			raw,
-			hash: this.hashToken(raw),
-			expiresAt: new Date(Date.now() + ttlSeconds * 1e3)
-		};
-	}
-	createRefreshToken() {
-		const raw = this.generateOpaqueToken();
-		return {
-			raw,
-			hash: this.hashToken(raw)
-		};
-	}
-	generateOpaqueToken() {
-		return randomBytes(32).toString("base64url");
-	}
-	hashToken(token) {
-		return createHash("sha256").update(token).digest("base64url");
-	}
-};
-export { TokenService as t };