@kaapi/oauth2-auth-design 0.0.13

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 demingongo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,3 @@
+# @kaapi/oauth2-auth-design
+
+OAuth2 Auth design in kaapi.

package/lib/flows/auth-code/authorization-route.d.ts

@@ -0,0 +1,53 @@
+import { Lifecycle, ReqRef, ReqRefDefaults, Request, ResponseToolkit } from '@kaapi/kaapi';
+import { OAuth2Error, PathValue } from '../common';
+export interface OAuth2ACAuthorizationParams {
+    clientId: string;
+    responseType: string;
+    redirectUri: string;
+    scope?: string;
+    state?: string;
+    codeChallenge?: string;
+    nonce?: string;
+}
+export type OAuth2ACAuthorizationHandler<Refs extends ReqRef = ReqRefDefaults, R extends Lifecycle.ReturnValue<any> = Lifecycle.ReturnValue<Refs>> = (params: OAuth2ACAuthorizationParams, request: Request<Refs>, h: ResponseToolkit<Refs>) => R;
+export interface IOAuth2ACAuthorizationRoute<GetRefs extends ReqRef = ReqRefDefaults, PostRefs extends ReqRef = ReqRefDefaults> {
+    path: string;
+    handler: OAuth2ACAuthorizationHandler<GetRefs>;
+    postHandler: OAuth2ACAuthorizationHandler<PostRefs>;
+}
+export declare class OAuth2ACAuthorizationRoute<GetRefs extends ReqRef = ReqRefDefaults, PostRefs extends ReqRef = ReqRefDefaults> implements IOAuth2ACAuthorizationRoute<GetRefs, PostRefs> {
+    static buildDefault<GetRefs extends ReqRef = ReqRefDefaults, PostRefs extends ReqRef = ReqRefDefaults>(): DefaultOAuth2ACAuthorizationRoute<GetRefs, PostRefs>;
+    protected _path: string;
+    protected _handler: OAuth2ACAuthorizationHandler<GetRefs>;
+    protected _postHandler: OAuth2ACAuthorizationHandler<PostRefs>;
+    get path(): string;
+    get handler(): OAuth2ACAuthorizationHandler<GetRefs, Lifecycle.ReturnValue<GetRefs>>;
+    get postHandler(): OAuth2ACAuthorizationHandler<PostRefs, Lifecycle.ReturnValue<PostRefs>>;
+    constructor(path: string, handler: OAuth2ACAuthorizationHandler<GetRefs>, postHandler: OAuth2ACAuthorizationHandler<PostRefs>);
+}
+export type AuthErrorType = OAuth2Error | 'credentials' | 'unknown';
+export type AuthResponseRenderer<Refs extends ReqRef = ReqRefDefaults> = (reason: {
+    code: number;
+    emailField: string;
+    passwordField: string;
+    error?: AuthErrorType;
+    errorMessage?: string;
+}, params: OAuth2ACAuthorizationParams, req: Request<Refs>) => Promise<string | object> | string | object;
+/**
+ * Return null for invalid code
+ */
+export type AuthCodeGenerator<Refs extends ReqRef = ReqRefDefaults> = (params: OAuth2ACAuthorizationParams, req: Request<Refs>) => Promise<string | null> | string | null;
+export declare class DefaultOAuth2ACAuthorizationRoute<GetRefs extends ReqRef = ReqRefDefaults, PostRefs extends ReqRef = ReqRefDefaults> extends OAuth2ACAuthorizationRoute<GetRefs, PostRefs> {
+    #private;
+    constructor();
+    setPath(path: PathValue): this;
+    validateGET(handler: OAuth2ACAuthorizationHandler<GetRefs>): this;
+    validatePOST(handler: OAuth2ACAuthorizationHandler<PostRefs>): this;
+    setGETResponseRenderer(renderer: AuthResponseRenderer<GetRefs>): this;
+    setPOSTResponseRenderer(renderer: AuthResponseRenderer<PostRefs>): this;
+    generateCode(handler: AuthCodeGenerator<PostRefs>): this;
+    setClientId(value: string | null): this;
+    setRedirectUri(value: string | null): this;
+    setEmailField(value: string): this;
+    setPasswordField(value: string): this;
+}

package/lib/flows/auth-code/authorization-route.js

@@ -0,0 +1,202 @@
+"use strict";
+var _DefaultOAuth2ACAuthorizationRoute_clientId, _DefaultOAuth2ACAuthorizationRoute_redirectUri, _DefaultOAuth2ACAuthorizationRoute_emailField, _DefaultOAuth2ACAuthorizationRoute_passwordField, _DefaultOAuth2ACAuthorizationRoute_generateCode, _DefaultOAuth2ACAuthorizationRoute_renderResponse, _DefaultOAuth2ACAuthorizationRoute_renderPOSTResponse;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultOAuth2ACAuthorizationRoute = exports.OAuth2ACAuthorizationRoute = void 0;
+const tslib_1 = require("tslib");
+const html_entities_1 = require("html-entities");
+class OAuth2ACAuthorizationRoute {
+    static buildDefault() {
+        return new DefaultOAuth2ACAuthorizationRoute();
+    }
+    get path() {
+        return this._path;
+    }
+    get handler() {
+        return this._handler;
+    }
+    get postHandler() {
+        return this._postHandler;
+    }
+    constructor(path, handler, postHandler) {
+        this._path = path;
+        this._handler = handler;
+        this._postHandler = postHandler;
+    }
+}
+exports.OAuth2ACAuthorizationRoute = OAuth2ACAuthorizationRoute;
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const render = ({ error, errorMessage, emailField, passwordField }) => {
+    if (error && ['invalid_client'].includes(error)) {
+        return { error, error_description: errorMessage };
+    }
+    return `<!DOCTYPE html>
+<html lang="en">
+ <head>
+  <meta charset="UTF-8">
+  <meta name="Generator" content="EditPlus®">
+  <meta name="Author" content="">
+  <meta name="Keywords" content="">
+  <meta name="Description" content="">
+  <title>Sign In</title>
+  <style>
+    .error {
+      color: red;
+      font-weight: bold;
+    }
+  </style>
+ </head>
+ <body>
+  <form method="POST">
+  <div class="error">
+    ${errorMessage || ''}
+  </div>
+  <div>
+  <input type="email" id="${emailField}" name="${emailField}" placeholder="${emailField}" autocomplete="${emailField}" />
+  <input type="password" id="${passwordField}" name="${passwordField}" placeholder="${passwordField}" />
+  </div>
+  <div>
+  <button type="submit">
+    Submit
+  </button>
+  </div>
+  </form>
+ </body>
+</html>`;
+};
+class DefaultOAuth2ACAuthorizationRoute extends OAuth2ACAuthorizationRoute {
+    constructor() {
+        super('/oauth2/authorize', (_a, req, h) => tslib_1.__awaiter(this, void 0, void 0, function* () {
+            var { clientId, redirectUri } = _a, props = tslib_1.__rest(_a, ["clientId", "redirectUri"]);
+            if (tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_clientId, "f") && tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_clientId, "f") != clientId) {
+                return h.response(yield tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_renderResponse, "f").call(this, {
+                    emailField: tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_emailField, "f"),
+                    passwordField: tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_passwordField, "f"),
+                    code: 400,
+                    error: 'invalid_client',
+                    errorMessage: 'Bad \'client_id\' parameter'
+                }, Object.assign({ clientId, redirectUri }, props), req)).code(400);
+            }
+            if (tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_redirectUri, "f") && tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_redirectUri, "f") != redirectUri) {
+                return h.response(yield tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_renderResponse, "f").call(this, {
+                    emailField: tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_emailField, "f"),
+                    passwordField: tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_passwordField, "f"),
+                    code: 400,
+                    error: 'invalid_client',
+                    errorMessage: 'Bad \'redirect_uri\' parameter'
+                }, Object.assign({ clientId, redirectUri }, props), req)).code(400);
+            }
+            // render form
+            return h.response(yield tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_renderResponse, "f").call(this, {
+                emailField: tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_emailField, "f"),
+                passwordField: tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_passwordField, "f"),
+                code: 200
+            }, Object.assign({ clientId, redirectUri }, props), req)).code(200);
+        }), (props, req, h) => tslib_1.__awaiter(this, void 0, void 0, function* () {
+            if (tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_clientId, "f") && tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_clientId, "f") != props.clientId) {
+                return h.response(yield tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_renderPOSTResponse, "f").call(this, {
+                    emailField: tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_emailField, "f"),
+                    passwordField: tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_passwordField, "f"),
+                    code: 400,
+                    error: 'invalid_client',
+                    errorMessage: 'Bad \'client_id\' parameter'
+                }, props, req)).code(400);
+            }
+            if (tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_redirectUri, "f") && tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_redirectUri, "f") != props.redirectUri) {
+                return h.response(yield tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_renderPOSTResponse, "f").call(this, {
+                    emailField: tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_emailField, "f"),
+                    passwordField: tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_passwordField, "f"),
+                    code: 400,
+                    error: 'invalid_client',
+                    errorMessage: 'Bad \'redirect_uri\' parameter'
+                }, props, req)).code(400);
+            }
+            let error = 'unknown';
+            let errorMessage = 'someting went wrong';
+            if (props.clientId &&
+                req.payload &&
+                typeof req.payload === 'object' &&
+                tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_emailField, "f") in req.payload &&
+                tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_passwordField, "f") in req.payload) {
+                const code = yield tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_generateCode, "f").call(this, props, req);
+                if (code) {
+                    return h.redirect(`${props.redirectUri}?code=${code}${props.state ? `&state=${props.state}` : ''}`);
+                }
+                else {
+                    error = 'credentials';
+                    errorMessage = 'wrong credentials';
+                }
+            }
+            else {
+                error = 'invalid_request';
+            }
+            // render form
+            return h.response(yield tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_renderPOSTResponse, "f").call(this, {
+                emailField: tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_emailField, "f"),
+                passwordField: tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACAuthorizationRoute_passwordField, "f"),
+                code: 400,
+                error: error,
+                errorMessage
+            }, props, req)).code(400);
+        }));
+        _DefaultOAuth2ACAuthorizationRoute_clientId.set(this, void 0);
+        _DefaultOAuth2ACAuthorizationRoute_redirectUri.set(this, void 0);
+        _DefaultOAuth2ACAuthorizationRoute_emailField.set(this, 'email');
+        _DefaultOAuth2ACAuthorizationRoute_passwordField.set(this, 'password');
+        _DefaultOAuth2ACAuthorizationRoute_generateCode.set(this, void 0);
+        _DefaultOAuth2ACAuthorizationRoute_renderResponse.set(this, void 0);
+        _DefaultOAuth2ACAuthorizationRoute_renderPOSTResponse.set(this, void 0);
+        // @TODO: generate id for user, store it in-memory, generate jwt code ?
+        tslib_1.__classPrivateFieldSet(this, _DefaultOAuth2ACAuthorizationRoute_generateCode, () => tslib_1.__awaiter(this, void 0, void 0, function* () { return null; }), "f");
+        tslib_1.__classPrivateFieldSet(this, _DefaultOAuth2ACAuthorizationRoute_renderResponse, render, "f");
+        tslib_1.__classPrivateFieldSet(this, _DefaultOAuth2ACAuthorizationRoute_renderPOSTResponse, render, "f");
+    }
+    setPath(path) {
+        if (path)
+            this._path = path;
+        return this;
+    }
+    validateGET(handler) {
+        this._handler = handler;
+        return this;
+    }
+    validatePOST(handler) {
+        this._postHandler = handler;
+        return this;
+    }
+    setGETResponseRenderer(renderer) {
+        tslib_1.__classPrivateFieldSet(this, _DefaultOAuth2ACAuthorizationRoute_renderResponse, renderer, "f");
+        return this;
+    }
+    setPOSTResponseRenderer(renderer) {
+        tslib_1.__classPrivateFieldSet(this, _DefaultOAuth2ACAuthorizationRoute_renderPOSTResponse, renderer, "f");
+        return this;
+    }
+    generateCode(handler) {
+        tslib_1.__classPrivateFieldSet(this, _DefaultOAuth2ACAuthorizationRoute_generateCode, handler, "f");
+        return this;
+    }
+    setClientId(value) {
+        tslib_1.__classPrivateFieldSet(this, _DefaultOAuth2ACAuthorizationRoute_clientId, value, "f");
+        return this;
+    }
+    setRedirectUri(value) {
+        tslib_1.__classPrivateFieldSet(this, _DefaultOAuth2ACAuthorizationRoute_redirectUri, value, "f");
+        return this;
+    }
+    setEmailField(value) {
+        const escaped = encodeURIComponent((0, html_entities_1.encode)(value));
+        if (escaped)
+            tslib_1.__classPrivateFieldSet(this, _DefaultOAuth2ACAuthorizationRoute_emailField, escaped, "f");
+        return this;
+    }
+    setPasswordField(value) {
+        const escaped = encodeURIComponent((0, html_entities_1.encode)(value));
+        if (escaped)
+            tslib_1.__classPrivateFieldSet(this, _DefaultOAuth2ACAuthorizationRoute_passwordField, escaped, "f");
+        return this;
+    }
+}
+exports.DefaultOAuth2ACAuthorizationRoute = DefaultOAuth2ACAuthorizationRoute;
+_DefaultOAuth2ACAuthorizationRoute_clientId = new WeakMap(), _DefaultOAuth2ACAuthorizationRoute_redirectUri = new WeakMap(), _DefaultOAuth2ACAuthorizationRoute_emailField = new WeakMap(), _DefaultOAuth2ACAuthorizationRoute_passwordField = new WeakMap(), _DefaultOAuth2ACAuthorizationRoute_generateCode = new WeakMap(), _DefaultOAuth2ACAuthorizationRoute_renderResponse = new WeakMap(), _DefaultOAuth2ACAuthorizationRoute_renderPOSTResponse = new WeakMap();
+//#endregion Defaults
+//# sourceMappingURL=authorization-route.js.map

package/lib/flows/auth-code/authorization-route.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization-route.js","sourceRoot":"","sources":["../../../src/flows/auth-code/authorization-route.ts"],"names":[],"mappings":";;;;;AAOA,iDAAsC;AA8BtC,MAAa,0BAA0B;IAKnC,MAAM,CAAC,YAAY;QAIf,OAAO,IAAI,iCAAiC,EAAqB,CAAA;IACrE,CAAC;IAMD,IAAI,IAAI;QACJ,OAAO,IAAI,CAAC,KAAK,CAAA;IACrB,CAAC;IAED,IAAI,OAAO;QACP,OAAO,IAAI,CAAC,QAAQ,CAAA;IACxB,CAAC;IAED,IAAI,WAAW;QACX,OAAO,IAAI,CAAC,YAAY,CAAA;IAC5B,CAAC;IAED,YACI,IAAY,EACZ,OAA8C,EAC9C,WAAmD;QAEnD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;IACpC,CAAC;CACJ;AArCD,gEAqCC;AA4BD,8DAA8D;AAC9D,MAAM,MAAM,GAA8B,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,EAAE,EAAE;IAC7F,IAAI,KAAK,IAAI,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9C,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,YAAY,EAAqB,CAAA;IACxE,CAAC;IACD,OAAO;;;;;;;;;;;;;;;;;;;MAmBL,YAAY,IAAI,EAAE;;;4BAGI,UAAU,WAAW,UAAU,kBAAkB,UAAU,mBAAmB,UAAU;+BACrF,aAAa,WAAW,aAAa,kBAAkB,aAAa;;;;;;;;;QAS3F,CAAA;AACR,CAAC,CAAA;AAED,MAAa,iCAGX,SAAQ,0BAA6C;IAWnD;QACI,KAAK,CAAC,mBAAmB,EAAE,CAAO,EAAmC,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE;gBAA/C,EAAE,QAAQ,EAAE,WAAW,OAAY,EAAP,KAAK,sBAAjC,2BAAmC,CAAF;YAC/D,IAAI,+BAAA,IAAI,mDAAU,IAAI,+BAAA,IAAI,mDAAU,IAAI,QAAQ,EAAE,CAAC;gBAC/C,OAAO,CAAC,CAAC,QAAQ,CACb,MAAM,+BAAA,IAAI,yDAAgB,MAApB,IAAI,EACN;oBACI,UAAU,EAAE,+BAAA,IAAI,qDAAY;oBAC5B,aAAa,EAAE,+BAAA,IAAI,wDAAe;oBAClC,IAAI,EAAE,GAAG;oBACT,KAAK,EAAE,gBAAgB;oBACvB,YAAY,EAAE,6BAA6B;iBAC9C,kBACC,QAAQ,EAAE,WAAW,IAAK,KAAK,GACjC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAC3B,CAAC;YACD,IAAI,+BAAA,IAAI,sDAAa,IAAI,+BAAA,IAAI,sDAAa,IAAI,WAAW,EAAE,CAAC;gBACxD,OAAO,CAAC,CAAC,QAAQ,CACb,MAAM,+BAAA,IAAI,yDAAgB,MAApB,IAAI,EACN;oBACI,UAAU,EAAE,+BAAA,IAAI,qDAAY;oBAC5B,aAAa,EAAE,+BAAA,IAAI,wDAAe;oBAClC,IAAI,EAAE,GAAG;oBACT,KAAK,EAAE,gBAAgB;oBACvB,YAAY,EAAE,gCAAgC;iBACjD,kBACC,QAAQ,EAAE,WAAW,IAAK,KAAK,GACjC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAC3B,CAAC;YAED,cAAc;YACd,OAAO,CAAC,CAAC,QAAQ,CACb,MAAM,+BAAA,IAAI,yDAAgB,MAApB,IAAI,EAAiB;gBACvB,UAAU,EAAE,+BAAA,IAAI,qDAAY;gBAC5B,aAAa,EAAE,+BAAA,IAAI,wDAAe;gBAClC,IAAI,EAAE,GAAG;aACZ,kBAAI,QAAQ,EAAE,WAAW,IAAK,KAAK,GAAI,GAAG,CAAC,CAC/C,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACf,CAAC,CAAA,EAAE,CAAO,KAAK,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE;YACvB,IAAI,+BAAA,IAAI,mDAAU,IAAI,+BAAA,IAAI,mDAAU,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACrD,OAAO,CAAC,CAAC,QAAQ,CACb,MAAM,+BAAA,IAAI,6DAAoB,MAAxB,IAAI,EACN;oBACI,UAAU,EAAE,+BAAA,IAAI,qDAAY;oBAC5B,aAAa,EAAE,+BAAA,IAAI,wDAAe;oBAClC,IAAI,EAAE,GAAG;oBACT,KAAK,EAAE,gBAAgB;oBACvB,YAAY,EAAE,6BAA6B;iBAC9C,EACD,KAAK,EACL,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAC3B,CAAC;YACD,IAAI,+BAAA,IAAI,sDAAa,IAAI,+BAAA,IAAI,sDAAa,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;gBAC9D,OAAO,CAAC,CAAC,QAAQ,CACb,MAAM,+BAAA,IAAI,6DAAoB,MAAxB,IAAI,EACN;oBACI,UAAU,EAAE,+BAAA,IAAI,qDAAY;oBAC5B,aAAa,EAAE,+BAAA,IAAI,wDAAe;oBAClC,IAAI,EAAE,GAAG;oBACT,KAAK,EAAE,gBAAgB;oBACvB,YAAY,EAAE,gCAAgC;iBACjD,EACD,KAAK,EACL,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAC3B,CAAC;YAED,IAAI,KAAK,GAAkB,SAAS,CAAA;YACpC,IAAI,YAAY,GAAG,qBAAqB,CAAA;YAExC,IACI,KAAK,CAAC,QAAQ;gBACd,GAAG,CAAC,OAAO;gBACX,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ;gBAC/B,+BAAA,IAAI,qDAAY,IAAI,GAAG,CAAC,OAAO;gBAC/B,+BAAA,IAAI,wDAAe,IAAI,GAAG,CAAC,OAAO,EACpC,CAAC;gBACC,MAAM,IAAI,GAAG,MAAM,+BAAA,IAAI,uDAAc,MAAlB,IAAI,EAAe,KAAK,EAAE,GAAG,CAAC,CAAA;gBACjD,IAAI,IAAI,EAAE,CAAC;oBACP,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,KAAK,CAAC,WAAW,SAAS,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;gBACvG,CAAC;qBAAM,CAAC;oBACJ,KAAK,GAAG,aAAa,CAAA;oBACrB,YAAY,GAAG,mBAAmB,CAAA;gBACtC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACJ,KAAK,GAAG,iBAAiB,CAAA;YAC7B,CAAC;YAED,cAAc;YACd,OAAO,CAAC,CAAC,QAAQ,CACb,MAAM,+BAAA,IAAI,6DAAoB,MAAxB,IAAI,EACN;gBACI,UAAU,EAAE,+BAAA,IAAI,qDAAY;gBAC5B,aAAa,EAAE,+BAAA,IAAI,wDAAe;gBAClC,IAAI,EAAE,GAAG;gBACT,KAAK,EAAE,KAAK;gBACZ,YAAY;aACf,EACD,KAAK,EACL,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAC3B,CAAC,CAAA,CAAC,CAAA;QA5GN,8DAAyB;QACzB,iEAA4B;QAE5B,wDAAc,OAAO,EAAA;QACrB,2DAAiB,UAAU,EAAA;QAE3B,kEAA0C;QAC1C,oEAA8C;QAC9C,wEAAmD;QAsG/C,uEAAuE;QACvE,+BAAA,IAAI,mDAAiB,GAAS,EAAE,wDAAC,OAAA,IAAI,CAAA,GAAA,MAAA,CAAA;QACrC,+BAAA,IAAI,qDAAmB,MAAM,MAAA,CAAA;QAC7B,+BAAA,IAAI,yDAAuB,MAAM,MAAA,CAAA;IACrC,CAAC;IAED,OAAO,CAAC,IAAe;QACnB,IAAI,IAAI;YACJ,IAAI,CAAC,KAAK,GAAG,IAAI,CAAA;QACrB,OAAO,IAAI,CAAA;IACf,CAAC;IAED,WAAW,CAAC,OAA8C;QACtD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAA;QACvB,OAAO,IAAI,CAAA;IACf,CAAC;IAED,YAAY,CAAC,OAA+C;QACxD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAA;QAC3B,OAAO,IAAI,CAAA;IACf,CAAC;IAED,sBAAsB,CAAC,QAAuC;QAC1D,+BAAA,IAAI,qDAAmB,QAAQ,MAAA,CAAA;QAC/B,OAAO,IAAI,CAAA;IACf,CAAC;IAED,uBAAuB,CAAC,QAAwC;QAC5D,+BAAA,IAAI,yDAAuB,QAAQ,MAAA,CAAA;QACnC,OAAO,IAAI,CAAA;IACf,CAAC;IAED,YAAY,CAAC,OAAoC;QAC7C,+BAAA,IAAI,mDAAiB,OAAO,MAAA,CAAA;QAC5B,OAAO,IAAI,CAAA;IACf,CAAC;IAED,WAAW,CAAC,KAAoB;QAC5B,+BAAA,IAAI,+CAAa,KAAK,MAAA,CAAA;QACtB,OAAO,IAAI,CAAA;IACf,CAAC;IAED,cAAc,CAAC,KAAoB;QAC/B,+BAAA,IAAI,kDAAgB,KAAK,MAAA,CAAA;QACzB,OAAO,IAAI,CAAA;IACf,CAAC;IAED,aAAa,CAAC,KAAa;QACvB,MAAM,OAAO,GAAG,kBAAkB,CAAC,IAAA,sBAAM,EAAC,KAAK,CAAC,CAAC,CAAA;QACjD,IAAI,OAAO;YACP,+BAAA,IAAI,iDAAe,OAAO,MAAA,CAAA;QAC9B,OAAO,IAAI,CAAA;IACf,CAAC;IAED,gBAAgB,CAAC,KAAa;QAC1B,MAAM,OAAO,GAAG,kBAAkB,CAAC,IAAA,sBAAM,EAAC,KAAK,CAAC,CAAC,CAAA;QACjD,IAAI,OAAO;YACP,+BAAA,IAAI,oDAAkB,OAAO,MAAA,CAAA;QACjC,OAAO,IAAI,CAAA;IACf,CAAC;CACJ;AA9KD,8EA8KC;;AAED,qBAAqB"}

package/lib/flows/auth-code/open-id.d.ts

@@ -0,0 +1,53 @@
+import { SecuritySchemeObject } from '@novice1/api-doc-generator/lib/generators/openapi/definitions';
+import { OAuth2Util } from '@novice1/api-doc-generator';
+import { OAuth2AuthorizationCode, OAuth2AuthorizationCodeArg } from '../authentication-code';
+import { KaapiTools, Lifecycle, ReqRef, Request, ReqRefDefaults, ResponseToolkit } from '@kaapi/kaapi';
+import { JWKS } from '../../utils/jwks-store';
+export declare class OpenIDAuthUtil extends OAuth2Util {
+    setHost(host: string): this;
+    toOpenAPI(): Record<string, SecuritySchemeObject>;
+}
+export interface OpenIDJWKSParams {
+    jwks: JWKS;
+}
+export type OpenIDJWKSHandler<Refs extends ReqRef = ReqRefDefaults, R extends Lifecycle.ReturnValue<any> = Lifecycle.ReturnValue<Refs>> = (params: OpenIDJWKSParams, request: Request<Refs>, h: ResponseToolkit<Refs>) => R;
+export interface IOpenIDJWKSRoute<Refs extends ReqRef = ReqRefDefaults> {
+    path: string;
+    handler?: OpenIDJWKSHandler<Refs>;
+}
+export declare class OpenIDJWKSRoute<Refs extends ReqRef = ReqRefDefaults> implements IOpenIDJWKSRoute<Refs> {
+    protected _path: string;
+    protected _handler: OpenIDJWKSHandler<Refs> | undefined;
+    get path(): string;
+    get handler(): OpenIDJWKSHandler<Refs, Lifecycle.ReturnValue<Refs>> | undefined;
+    constructor(path: string, handler?: OpenIDJWKSHandler<Refs>);
+}
+export type OpenIDUserInfoHandler<Refs extends ReqRef = ReqRefDefaults, R extends Lifecycle.ReturnValue<any> = Lifecycle.ReturnValue<Refs>> = (request: Request<Refs>, h: ResponseToolkit<Refs>) => R;
+export interface IOpenIDUserInfoRoute<Refs extends ReqRef = ReqRefDefaults> {
+    path: string;
+    handler: OpenIDUserInfoHandler<Refs>;
+}
+export declare class OpenIDUserInfoRoute<Refs extends ReqRef = ReqRefDefaults> implements IOpenIDUserInfoRoute<Refs> {
+    protected _path: string;
+    protected _handler: OpenIDUserInfoHandler<Refs>;
+    get path(): string;
+    get handler(): OpenIDUserInfoHandler<Refs, Lifecycle.ReturnValue<Refs>>;
+    constructor(path: string, handler: OpenIDUserInfoHandler<Refs>);
+}
+export interface OpenIDAuthDesignArg extends OAuth2AuthorizationCodeArg {
+    jwksRoute: IOpenIDJWKSRoute<any>;
+    userInfoRoute?: IOpenIDUserInfoRoute<any>;
+    /**
+     * Override the configuration served at /.well-known/openid-configuration
+     */
+    openidConfiguration?: Record<string, unknown>;
+}
+export declare class OpenIDAuthDesign extends OAuth2AuthorizationCode {
+    protected jwksRoute: IOpenIDJWKSRoute<any>;
+    protected userInfoRoute?: IOpenIDUserInfoRoute<any>;
+    protected openidConfiguration: Record<string, unknown>;
+    constructor(params: OpenIDAuthDesignArg);
+    getScopes(): Record<string, string>;
+    integrateHook(t: KaapiTools): void;
+    docs(): OAuth2Util;
+}

package/lib/flows/auth-code/open-id.js

@@ -0,0 +1,199 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OpenIDAuthDesign = exports.OpenIDUserInfoRoute = exports.OpenIDJWKSRoute = exports.OpenIDAuthUtil = void 0;
+const tslib_1 = require("tslib");
+const api_doc_generator_1 = require("@novice1/api-doc-generator");
+const authentication_code_1 = require("../authentication-code");
+//#region OpenIDAuthUtil
+class OpenIDAuthUtil extends api_doc_generator_1.OAuth2Util {
+    setHost(host) {
+        super.setHost(host);
+        return this;
+    }
+    toOpenAPI() {
+        const host = this.getHost();
+        return {
+            [this.securitySchemeName]: {
+                type: 'openIdConnect',
+                openIdConnectUrl: `${host || ''}/.well-known/openid-configuration`
+            }
+        };
+    }
+}
+exports.OpenIDAuthUtil = OpenIDAuthUtil;
+class OpenIDJWKSRoute {
+    get path() {
+        return this._path;
+    }
+    get handler() {
+        return this._handler;
+    }
+    constructor(path, handler) {
+        this._path = path;
+        this._handler = handler;
+    }
+}
+exports.OpenIDJWKSRoute = OpenIDJWKSRoute;
+class OpenIDUserInfoRoute {
+    get path() {
+        return this._path;
+    }
+    get handler() {
+        return this._handler;
+    }
+    constructor(path, handler) {
+        this._path = path;
+        this._handler = handler;
+    }
+}
+exports.OpenIDUserInfoRoute = OpenIDUserInfoRoute;
+class OpenIDAuthDesign extends authentication_code_1.OAuth2AuthorizationCode {
+    constructor(params) {
+        const { strategyName, openidConfiguration, jwksRoute, userInfoRoute } = params, props = tslib_1.__rest(params, ["strategyName", "openidConfiguration", "jwksRoute", "userInfoRoute"]);
+        super(props);
+        this.openidConfiguration = {};
+        this.withPkce();
+        this.strategyName = strategyName || 'open-id-auth-design';
+        this.jwksRoute = jwksRoute;
+        this.userInfoRoute = userInfoRoute;
+        if (openidConfiguration)
+            this.openidConfiguration = openidConfiguration;
+    }
+    getScopes() {
+        let scopes = {
+            openid: 'enable OpenID Connect'
+        };
+        if (this.scopes) {
+            if ('openid' in this.scopes) {
+                scopes = this.scopes;
+            }
+            else {
+                scopes = Object.assign(Object.assign({}, this.scopes), scopes);
+            }
+        }
+        return scopes;
+    }
+    integrateHook(t) {
+        var _a, _b;
+        super.integrateHook(t);
+        const docs = this.docs();
+        const challengeAlgo = docs.getChallengeAlgorithm();
+        const host = ((_a = t.postman) === null || _a === void 0 ? void 0 : _a.getHost()[0]) || '';
+        t.route({
+            path: '/.well-known/openid-configuration',
+            method: 'GET',
+            options: {
+                plugins: {
+                    kaapi: {
+                        docs: false
+                    }
+                }
+            },
+            handler: () => {
+                var _a, _b, _c, _d;
+                const wellKnownOpenIDConfig = {
+                    issuer: host,
+                    authorization_endpoint: `${host}${this.authorizationRoute.path}`,
+                    token_endpoint: `${host}${this.tokenRoute.path}`,
+                    userinfo_endpoint: this.userInfoRoute ? `${host}${this.userInfoRoute.path}` : undefined,
+                    jwks_uri: `${host}${this.jwksRoute.path}`,
+                    claims_supported: [
+                        'aud',
+                        'exp',
+                        'iat',
+                        'iss',
+                        'sub'
+                    ],
+                    grant_types_supported: [
+                        'authorization_code'
+                    ],
+                    response_types_supported: [
+                        'code',
+                        'token',
+                        'code token',
+                        'code token id_token'
+                    ],
+                    scopes_supported: Object.keys(docs.getScopes()),
+                    subject_types_supported: [
+                        'public'
+                    ],
+                    id_token_signing_alg_values_supported: [
+                        'RS256'
+                    ],
+                    code_challenge_methods_supported: challengeAlgo ? [
+                        challengeAlgo
+                    ] : [],
+                    token_endpoint_auth_methods_supported: this.getTokenEndpointAuthMethods()
+                };
+                if ((_b = (_a = this.clientAuthMethods.client_secret_jwt) === null || _a === void 0 ? void 0 : _a.algorithms) === null || _b === void 0 ? void 0 : _b.length) {
+                    wellKnownOpenIDConfig.token_endpoint_auth_signing_alg_values_supported = wellKnownOpenIDConfig.token_endpoint_auth_signing_alg_values_supported || [];
+                    wellKnownOpenIDConfig.token_endpoint_auth_signing_alg_values_supported = [
+                        ...wellKnownOpenIDConfig.token_endpoint_auth_signing_alg_values_supported,
+                        ...this.clientAuthMethods.client_secret_jwt.algorithms
+                    ];
+                }
+                if ((_d = (_c = this.clientAuthMethods.private_key_jwt) === null || _c === void 0 ? void 0 : _c.algorithms) === null || _d === void 0 ? void 0 : _d.length) {
+                    wellKnownOpenIDConfig.token_endpoint_auth_signing_alg_values_supported = wellKnownOpenIDConfig.token_endpoint_auth_signing_alg_values_supported || [];
+                    wellKnownOpenIDConfig.token_endpoint_auth_signing_alg_values_supported = [
+                        ...wellKnownOpenIDConfig.token_endpoint_auth_signing_alg_values_supported,
+                        ...this.clientAuthMethods.private_key_jwt.algorithms
+                    ];
+                }
+                return Object.assign(Object.assign({}, wellKnownOpenIDConfig), this.openidConfiguration);
+            }
+        });
+        t.route({
+            path: this.jwksRoute.path,
+            method: 'GET',
+            options: {
+                plugins: {
+                    kaapi: {
+                        docs: false
+                    }
+                }
+            },
+            handler: (req, h) => tslib_1.__awaiter(this, void 0, void 0, function* () {
+                const jwks = yield this.jwksGenerator.generateIfEmpty();
+                if (this.jwksRoute.handler) {
+                    return this.jwksRoute.handler({
+                        jwks
+                    }, req, h);
+                }
+                return jwks;
+            })
+        });
+        if ((_b = this.userInfoRoute) === null || _b === void 0 ? void 0 : _b.path) {
+            t.route({
+                path: this.userInfoRoute.path,
+                method: 'GET',
+                auth: true,
+                options: {
+                    auth: {
+                        strategy: this.strategyName,
+                        mode: 'required'
+                    }
+                },
+                handler: this.userInfoRoute.handler.bind(this.userInfoRoute)
+            });
+        }
+    }
+    docs() {
+        var _a;
+        const docs = new OpenIDAuthUtil(this.strategyName)
+            .setGrantType(this.isWithPkce() ? api_doc_generator_1.GrantType.authorizationCodeWithPkce : api_doc_generator_1.GrantType.authorizationCode)
+            .setScopes(this.getScopes())
+            .setAuthUrl(this.authorizationRoute.path)
+            .setAccessTokenUrl(this.tokenRoute.path || '')
+            .setChallengeAlgorithm(api_doc_generator_1.ChallengeAlgorithm.S256);
+        if ((_a = this.refreshTokenRoute) === null || _a === void 0 ? void 0 : _a.path) {
+            docs.setRefreshUrl(this.refreshTokenRoute.path);
+        }
+        if (this.description) {
+            docs.setDescription(this.description);
+        }
+        return docs;
+    }
+}
+exports.OpenIDAuthDesign = OpenIDAuthDesign;
+//#endregion OpenIDAuthDesign
+//# sourceMappingURL=open-id.js.map

package/lib/flows/auth-code/open-id.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"open-id.js","sourceRoot":"","sources":["../../../src/flows/auth-code/open-id.ts"],"names":[],"mappings":";;;;AACA,kEAAuF;AACvF,gEAA6F;AAI7F,wBAAwB;AAExB,MAAa,cAAe,SAAQ,8BAAU;IAE1C,OAAO,CAAC,IAAY;QAChB,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;QACnB,OAAO,IAAI,CAAA;IACf,CAAC;IAED,SAAS;QACL,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAA;QAC3B,OAAO;YACH,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAAE;gBACvB,IAAI,EAAE,eAAe;gBACrB,gBAAgB,EAAE,GAAG,IAAI,IAAI,EAAE,mCAAmC;aACrE;SACJ,CAAA;IACL,CAAC;CACJ;AAhBD,wCAgBC;AAuBD,MAAa,eAAe;IAMxB,IAAI,IAAI;QACJ,OAAO,IAAI,CAAC,KAAK,CAAA;IACrB,CAAC;IAED,IAAI,OAAO;QACP,OAAO,IAAI,CAAC,QAAQ,CAAA;IACxB,CAAC;IAED,YACI,IAAY,EACZ,OAAiC;QAEjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;IAC5B,CAAC;CACJ;AArBD,0CAqBC;AAmBD,MAAa,mBAAmB;IAM5B,IAAI,IAAI;QACJ,OAAO,IAAI,CAAC,KAAK,CAAA;IACrB,CAAC;IAED,IAAI,OAAO;QACP,OAAO,IAAI,CAAC,QAAQ,CAAA;IACxB,CAAC;IAED,YACI,IAAY,EACZ,OAAoC;QAEpC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;IAC5B,CAAC;CACJ;AArBD,kDAqBC;AAmBD,MAAa,gBAAiB,SAAQ,6CAAuB;IASzD,YACI,MAA2B;QAE3B,MAAM,EAAE,YAAY,EAAE,mBAAmB,EAAE,SAAS,EAAE,aAAa,KAAe,MAAM,EAAhB,KAAK,kBAAK,MAAM,EAAlF,qEAAyE,CAAS,CAAA;QAExF,KAAK,CAAC,KAAK,CAAC,CAAA;QAPN,wBAAmB,GAA4B,EAAE,CAAA;QASvD,IAAI,CAAC,QAAQ,EAAE,CAAA;QACf,IAAI,CAAC,YAAY,GAAG,YAAY,IAAI,qBAAqB,CAAA;QACzD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAA;QAC1B,IAAI,CAAC,aAAa,GAAG,aAAa,CAAA;QAElC,IAAI,mBAAmB;YACnB,IAAI,CAAC,mBAAmB,GAAG,mBAAmB,CAAA;IACtD,CAAC;IAED,SAAS;QACL,IAAI,MAAM,GAA2B;YACjC,MAAM,EAAE,uBAAuB;SAClC,CAAA;QACD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACd,IAAI,QAAQ,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAC1B,MAAM,GAAG,IAAI,CAAC,MAAM,CAAA;YACxB,CAAC;iBAAM,CAAC;gBACJ,MAAM,mCAAQ,IAAI,CAAC,MAAM,GAAK,MAAM,CAAE,CAAA;YAC1C,CAAC;QACL,CAAC;QACD,OAAO,MAAM,CAAA;IACjB,CAAC;IAED,aAAa,CAAC,CAAa;;QACvB,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;QAEtB,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;QACxB,MAAM,aAAa,GAAG,IAAI,CAAC,qBAAqB,EAAE,CAAA;QAClD,MAAM,IAAI,GAAG,CAAA,MAAA,CAAC,CAAC,OAAO,0CAAE,OAAO,GAAG,CAAC,CAAC,KAAI,EAAE,CAAA;QAE1C,CAAC,CAAC,KAAK,CAAC;YACJ,IAAI,EAAE,mCAAmC;YACzC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACL,OAAO,EAAE;oBACL,KAAK,EAAE;wBACH,IAAI,EAAE,KAAK;qBACd;iBACJ;aACJ;YACD,OAAO,EAAE,GAAG,EAAE;;gBACV,MAAM,qBAAqB,GAAkD;oBACzE,MAAM,EAAE,IAAI;oBACZ,sBAAsB,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE;oBAChE,cAAc,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE;oBAChD,iBAAiB,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS;oBACvF,QAAQ,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE;oBACzC,gBAAgB,EAAE;wBACd,KAAK;wBACL,KAAK;wBACL,KAAK;wBACL,KAAK;wBACL,KAAK;qBACR;oBACD,qBAAqB,EAAE;wBACnB,oBAAoB;qBACvB;oBACD,wBAAwB,EAAE;wBACtB,MAAM;wBACN,OAAO;wBACP,YAAY;wBACZ,qBAAqB;qBACxB;oBACD,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;oBAC/C,uBAAuB,EAAE;wBACrB,QAAQ;qBACX;oBACD,qCAAqC,EAAE;wBACnC,OAAO;qBACV;oBACD,gCAAgC,EAAE,aAAa,CAAC,CAAC,CAAC;wBAC9C,aAAa;qBAChB,CAAC,CAAC,CAAC,EAAE;oBACN,qCAAqC,EAAE,IAAI,CAAC,2BAA2B,EAAE;iBAC5E,CAAA;gBAED,IAAI,MAAA,MAAA,IAAI,CAAC,iBAAiB,CAAC,iBAAiB,0CAAE,UAAU,0CAAE,MAAM,EAAE,CAAC;oBAC/D,qBAAqB,CAAC,gDAAgD,GAAG,qBAAqB,CAAC,gDAAgD,IAAI,EAAE,CAAA;oBACrJ,qBAAqB,CAAC,gDAAgD,GAAG;wBACrE,GAAG,qBAAqB,CAAC,gDAAgD;wBACzE,GAAG,IAAI,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,UAAU;qBACzD,CAAA;gBACL,CAAC;gBACD,IAAI,MAAA,MAAA,IAAI,CAAC,iBAAiB,CAAC,eAAe,0CAAE,UAAU,0CAAE,MAAM,EAAE,CAAC;oBAC7D,qBAAqB,CAAC,gDAAgD,GAAG,qBAAqB,CAAC,gDAAgD,IAAI,EAAE,CAAA;oBACrJ,qBAAqB,CAAC,gDAAgD,GAAG;wBACrE,GAAG,qBAAqB,CAAC,gDAAgD;wBACzE,GAAG,IAAI,CAAC,iBAAiB,CAAC,eAAe,CAAC,UAAU;qBACvD,CAAA;gBACL,CAAC;gBAED,uCAAY,qBAAqB,GAAK,IAAI,CAAC,mBAAmB,EAAE;YACpE,CAAC;SACJ,CAAC,CAAA;QAEF,CAAC,CAAC,KAAK,CAAC;YACJ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI;YACzB,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACL,OAAO,EAAE;oBACL,KAAK,EAAE;wBACH,IAAI,EAAE,KAAK;qBACd;iBACJ;aACJ;YACD,OAAO,EAAE,CAAO,GAAG,EAAE,CAAC,EAAE,EAAE;gBAEtB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,eAAe,EAAU,CAAA;gBAE/D,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;oBACzB,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;wBAC1B,IAAI;qBACP,EAAE,GAAG,EAAE,CAAC,CAAC,CAAA;gBACd,CAAC;gBAED,OAAO,IAAI,CAAA;YACf,CAAC,CAAA;SACJ,CAAC,CAAA;QAEF,IAAI,MAAA,IAAI,CAAC,aAAa,0CAAE,IAAI,EAAE,CAAC;YAC3B,CAAC,CAAC,KAAK,CAAC;gBACJ,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI;gBAC7B,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,IAAI;gBACV,OAAO,EAAE;oBACL,IAAI,EAAE;wBACF,QAAQ,EAAE,IAAI,CAAC,YAAY;wBAC3B,IAAI,EAAE,UAAU;qBACnB;iBACJ;gBACD,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC;aAC/D,CAAC,CAAA;QACN,CAAC;IACL,CAAC;IAED,IAAI;;QACA,MAAM,IAAI,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC;aAC7C,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,6BAAS,CAAC,yBAAyB,CAAC,CAAC,CAAC,6BAAS,CAAC,iBAAiB,CAAC;aACnG,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;aAC3B,UAAU,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC;aACxC,iBAAiB,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,EAAE,CAAC;aAC7C,qBAAqB,CAAC,sCAAkB,CAAC,IAAI,CAAC,CAAC;QAEpD,IAAI,MAAA,IAAI,CAAC,iBAAiB,0CAAE,IAAI,EAAE,CAAC;YAC/B,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAA;QACnD,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACnB,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QACzC,CAAC;QAED,OAAO,IAAI,CAAA;IACf,CAAC;CACJ;AAzKD,4CAyKC;AAED,6BAA6B"}

package/lib/flows/auth-code/token-route.d.ts

@@ -0,0 +1,35 @@
+import { Lifecycle, ReqRef, ReqRefDefaults, Request, ResponseToolkit } from '@kaapi/kaapi';
+import { IOAuth2TokenResponse, OAuth2TokenResponseBody, OAuth2ErrorBody, OpenIDHelpers, PathValue } from '../common';
+export interface OAuth2ACTokenParams extends Partial<OpenIDHelpers> {
+    grantType: string;
+    code: string;
+    clientId: string;
+    clientSecret?: string;
+    codeVerifier?: string;
+    redirectUri?: string;
+    readonly ttl?: number;
+}
+export type OAuth2ACTokenHandler<Refs extends ReqRef = ReqRefDefaults, R extends Lifecycle.ReturnValue<any> = Lifecycle.ReturnValue<Refs>> = (params: OAuth2ACTokenParams, request: Request<Refs>, h: ResponseToolkit<Refs>) => R;
+export interface IOAuth2ACTokenRoute<Refs extends ReqRef = ReqRefDefaults> {
+    path: string;
+    handler: OAuth2ACTokenHandler<Refs>;
+}
+export declare class OAuth2ACTokenRoute<Refs extends ReqRef = ReqRefDefaults> implements IOAuth2ACTokenRoute<Refs> {
+    static buildDefault<Refs extends ReqRef = ReqRefDefaults>(): DefaultOAuth2ACTokenRoute<Refs>;
+    protected _path: string;
+    protected _handler: OAuth2ACTokenHandler<Refs>;
+    get path(): string;
+    get handler(): OAuth2ACTokenHandler<Refs, Lifecycle.ReturnValue<Refs>>;
+    constructor(path: string, handler: OAuth2ACTokenHandler<Refs>);
+}
+/**
+ * Return null for invalid request
+ */
+export type AuthCodeTokenGenerator<Refs extends ReqRef = ReqRefDefaults> = (params: OAuth2ACTokenParams, req: Request<Refs>) => Promise<OAuth2TokenResponseBody | IOAuth2TokenResponse | OAuth2ErrorBody | null> | OAuth2TokenResponseBody | IOAuth2TokenResponse | OAuth2ErrorBody | null;
+export declare class DefaultOAuth2ACTokenRoute<Refs extends ReqRef = ReqRefDefaults> extends OAuth2ACTokenRoute<Refs> {
+    #private;
+    constructor();
+    setPath(path: PathValue): this;
+    validate(handler: OAuth2ACTokenHandler<Refs>): this;
+    generateToken(handler: AuthCodeTokenGenerator<Refs>): this;
+}

package/lib/flows/auth-code/token-route.js

@@ -0,0 +1,61 @@
+"use strict";
+var _DefaultOAuth2ACTokenRoute_generateToken;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultOAuth2ACTokenRoute = exports.OAuth2ACTokenRoute = void 0;
+const tslib_1 = require("tslib");
+class OAuth2ACTokenRoute {
+    static buildDefault() {
+        return new DefaultOAuth2ACTokenRoute();
+    }
+    get path() {
+        return this._path;
+    }
+    get handler() {
+        return this._handler;
+    }
+    constructor(path, handler) {
+        this._path = path;
+        this._handler = handler;
+    }
+}
+exports.OAuth2ACTokenRoute = OAuth2ACTokenRoute;
+class DefaultOAuth2ACTokenRoute extends OAuth2ACTokenRoute {
+    constructor() {
+        super('/oauth2/token', (props, req, h) => tslib_1.__awaiter(this, void 0, void 0, function* () {
+            if (!props.clientSecret && !props.codeVerifier) {
+                return h.response({ error: 'invalid_request', error_description: 'Token request was missing \'client_secret\' or \'code_verifier\'.' }).code(400);
+            }
+            let r = null;
+            try {
+                r = yield tslib_1.__classPrivateFieldGet(this, _DefaultOAuth2ACTokenRoute_generateToken, "f").call(this, props, req);
+            }
+            catch (err) {
+                return h.response({ error: 'invalid_request', error_description: `${err}` }).code(400);
+            }
+            if (!r)
+                return h.response({ error: 'invalid_request' }).code(400);
+            if ('error' in r)
+                return h.response(r).code(400);
+            return h.response(r).code(200);
+        }));
+        _DefaultOAuth2ACTokenRoute_generateToken.set(this, void 0);
+        tslib_1.__classPrivateFieldSet(this, _DefaultOAuth2ACTokenRoute_generateToken, () => tslib_1.__awaiter(this, void 0, void 0, function* () { return ({ error: 'invalid_request' }); }), "f");
+    }
+    setPath(path) {
+        if (path)
+            this._path = path;
+        return this;
+    }
+    validate(handler) {
+        this._handler = handler;
+        return this;
+    }
+    generateToken(handler) {
+        tslib_1.__classPrivateFieldSet(this, _DefaultOAuth2ACTokenRoute_generateToken, handler, "f");
+        return this;
+    }
+}
+exports.DefaultOAuth2ACTokenRoute = DefaultOAuth2ACTokenRoute;
+_DefaultOAuth2ACTokenRoute_generateToken = new WeakMap();
+//#endregion Defaults
+//# sourceMappingURL=token-route.js.map