@kaapi/oauth2-auth-design 0.0.13

package/lib/utils/in-memory-cache.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InMemoryTmpCache = void 0;
+const tslib_1 = require("tslib");
+class InMemoryTmpCache {
+    constructor() {
+        this.values = {};
+    }
+    has(value) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            if (this.values[`${value}`]) {
+                return true;
+            }
+            return false;
+        });
+    }
+    set(value, ttlSeconds) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const to = this.values[`${value}`];
+            if (to) {
+                clearTimeout(to);
+            }
+            this.values[`${value}`] = setTimeout(() => {
+                delete this.values[`${value}`];
+            }, ttlSeconds * 1000);
+        });
+    }
+}
+exports.InMemoryTmpCache = InMemoryTmpCache;
+//# sourceMappingURL=in-memory-cache.js.map

package/lib/utils/in-memory-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"in-memory-cache.js","sourceRoot":"","sources":["../../src/utils/in-memory-cache.ts"],"names":[],"mappings":";;;;AAEA,MAAa,gBAAgB;IAA7B;QACY,WAAM,GAAmC,EAAE,CAAA;IAkBvD,CAAC;IAhBS,GAAG,CAAC,KAAQ;;YACd,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE,CAAC;gBAC1B,OAAO,IAAI,CAAA;YACf,CAAC;YACD,OAAO,KAAK,CAAA;QAChB,CAAC;KAAA;IAEK,GAAG,CAAC,KAAQ,EAAE,UAAkB;;YAClC,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,KAAK,EAAE,CAAC,CAAA;YAClC,IAAI,EAAE,EAAE,CAAC;gBACL,YAAY,CAAC,EAAE,CAAC,CAAA;YACpB,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,GAAG,KAAK,EAAE,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE;gBACtC,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,KAAK,EAAE,CAAC,CAAA;YAClC,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC,CAAA;QACzB,CAAC;KAAA;CACJ;AAnBD,4CAmBC"}

package/lib/utils/in-memory-jwks-store.d.ts

@@ -0,0 +1,12 @@
+import { JWKSStore, JWKS } from './jwks-store';
+/**
+ * InMemoryJWKSStore class
+ */
+export declare class InMemoryJWKSStore implements JWKSStore {
+    private jwks?;
+    private expiresAt?;
+    private timeout?;
+    get(): Promise<JWKS | undefined>;
+    set(jwks: JWKS, ttlSeconds?: number): Promise<void>;
+}
+export declare function getInMemoryJWKSStore(): InMemoryJWKSStore;

package/lib/utils/in-memory-jwks-store.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InMemoryJWKSStore = void 0;
+exports.getInMemoryJWKSStore = getInMemoryJWKSStore;
+const tslib_1 = require("tslib");
+/**
+ * InMemoryJWKSStore class
+ */
+class InMemoryJWKSStore {
+    get() {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            if (this.expiresAt && Date.now() > this.expiresAt) {
+                this.jwks = undefined;
+                this.expiresAt = undefined;
+            }
+            return this.jwks;
+        });
+    }
+    set(jwks, ttlSeconds) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            this.jwks = jwks;
+            if (this.timeout) {
+                clearTimeout(this.timeout);
+            }
+            if (ttlSeconds) {
+                this.expiresAt = Date.now() + ttlSeconds * 1000;
+                this.timeout = setTimeout(() => {
+                    this.jwks = undefined;
+                    this.expiresAt = undefined;
+                }, ttlSeconds * 1000);
+            }
+            else {
+                this.expiresAt = undefined;
+            }
+        });
+    }
+}
+exports.InMemoryJWKSStore = InMemoryJWKSStore;
+let inMemoryJWKSStore;
+function getInMemoryJWKSStore() {
+    if (!inMemoryJWKSStore) {
+        inMemoryJWKSStore = new InMemoryJWKSStore();
+    }
+    return inMemoryJWKSStore;
+}
+//# sourceMappingURL=in-memory-jwks-store.js.map

package/lib/utils/in-memory-jwks-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"in-memory-jwks-store.js","sourceRoot":"","sources":["../../src/utils/in-memory-jwks-store.ts"],"names":[],"mappings":";;;AAqCA,oDAKC;;AAxCD;;GAEG;AACH,MAAa,iBAAiB;IAKpB,GAAG;;YACL,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChD,IAAI,CAAC,IAAI,GAAG,SAAS,CAAA;gBACrB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAA;YAC9B,CAAC;YACD,OAAO,IAAI,CAAC,IAAI,CAAA;QACpB,CAAC;KAAA;IAEK,GAAG,CAAC,IAAU,EAAE,UAAmB;;YACrC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAA;YAChB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACf,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;YAC9B,CAAC;YACD,IAAI,UAAU,EAAE,CAAC;gBACb,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI,CAAA;gBAC/C,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;oBAC3B,IAAI,CAAC,IAAI,GAAG,SAAS,CAAA;oBACrB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAA;gBAC9B,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC,CAAA;YACzB,CAAC;iBAAM,CAAC;gBACJ,IAAI,CAAC,SAAS,GAAG,SAAS,CAAA;YAC9B,CAAC;QACL,CAAC;KAAA;CACJ;AA5BD,8CA4BC;AAED,IAAI,iBAAoC,CAAC;AAEzC,SAAgB,oBAAoB;IAChC,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACrB,iBAAiB,GAAG,IAAI,iBAAiB,EAAE,CAAA;IAC/C,CAAC;IACD,OAAO,iBAAiB,CAAA;AAC5B,CAAC"}

package/lib/utils/jwks-generator.d.ts

@@ -0,0 +1,58 @@
+import { JwtPayload } from 'jsonwebtoken';
+import jwktopem from 'jwk-to-pem';
+import { JWKSStore } from './jwks-store';
+export { JwtPayload } from 'jsonwebtoken';
+export interface OAuth2JwtPayload extends JwtPayload {
+    /**
+     * Identifier of the Identity Provider (IdP), usually a URL
+     */
+    iss: string;
+    /**
+     * Identifier for the authenticated user (unique per iss)
+     */
+    sub: string;
+    /**
+     * Client ID of the relying party (the app that receives the token)
+     */
+    aud: string | string[];
+    /**
+     *  Must be present if a nonce was included in the original request (used to prevent replay attacks)
+     */
+    nonce?: string;
+    /**
+     * Time when the user actually authenticated. Required if the max_age parameter was used in the auth request
+     */
+    auth_time?: number;
+}
+export declare function createIDToken(generator: JWKSGenerator, payload: OAuth2JwtPayload): Promise<string>;
+/**
+ * JWKSGenerator class
+ */
+export declare class JWKSGenerator {
+    #private;
+    /**
+     * ttl in seconds
+     */
+    get ttl(): number | undefined;
+    /**
+     * ttl in seconds
+     */
+    set ttl(ttlSeconds: number | undefined);
+    constructor(store: JWKSStore, ttlSeconds?: number);
+    private _retrieveKeyStore;
+    private _saveKeyStore;
+    private _generateIfEmpty;
+    generateIfEmpty(): Promise<object>;
+    /**
+     * Generate a new key pair
+     */
+    generate(): Promise<void>;
+    sign(payload: JwtPayload): Promise<string>;
+    /**
+     * Get public keys
+     */
+    get(): Promise<object>;
+    getPublicKey(kid: string): Promise<jwktopem.RSA>;
+    getPublicKeyAsPem(kid: string): Promise<string>;
+    verify(token: string): Promise<string | JwtPayload>;
+}

package/lib/utils/jwks-generator.js

@@ -0,0 +1,141 @@
+"use strict";
+var _JWKSGenerator_store, _JWKSGenerator_ttlSeconds;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWKSGenerator = void 0;
+exports.createIDToken = createIDToken;
+const tslib_1 = require("tslib");
+const jsonwebtoken_1 = require("jsonwebtoken");
+const node_jose_1 = tslib_1.__importDefault(require("node-jose"));
+const jwk_to_pem_1 = tslib_1.__importDefault(require("jwk-to-pem"));
+function createIDToken(generator, payload) {
+    return tslib_1.__awaiter(this, void 0, void 0, function* () {
+        const ttlSeconds = generator.ttl;
+        const now = Math.floor(Date.now() / 1000);
+        return yield generator.sign(Object.assign(Object.assign({}, (payload)), { exp: typeof ttlSeconds === 'number' ? now + ttlSeconds : payload === null || payload === void 0 ? void 0 : payload.exp, iat: now }));
+    });
+}
+/**
+ * JWKSGenerator class
+ */
+class JWKSGenerator {
+    /**
+     * ttl in seconds
+     */
+    get ttl() {
+        return tslib_1.__classPrivateFieldGet(this, _JWKSGenerator_ttlSeconds, "f");
+    }
+    /**
+     * ttl in seconds
+     */
+    set ttl(ttlSeconds) {
+        if (['number', 'undefined'].includes(typeof ttlSeconds))
+            tslib_1.__classPrivateFieldSet(this, _JWKSGenerator_ttlSeconds, ttlSeconds, "f");
+    }
+    constructor(store, ttlSeconds) {
+        _JWKSGenerator_store.set(this, void 0);
+        _JWKSGenerator_ttlSeconds.set(this, void 0);
+        tslib_1.__classPrivateFieldSet(this, _JWKSGenerator_store, store, "f");
+        tslib_1.__classPrivateFieldSet(this, _JWKSGenerator_ttlSeconds, ttlSeconds, "f");
+    }
+    _retrieveKeyStore() {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            var _a;
+            const ks = yield tslib_1.__classPrivateFieldGet(this, _JWKSGenerator_store, "f").get();
+            if ((_a = ks === null || ks === void 0 ? void 0 : ks.keys) === null || _a === void 0 ? void 0 : _a.length) {
+                return yield node_jose_1.default.JWK.asKeyStore(JSON.stringify(ks));
+            }
+            else {
+                return node_jose_1.default.JWK.createKeyStore();
+            }
+        });
+    }
+    _saveKeyStore(keyStore) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const json = keyStore.toJSON(true);
+            if (json && 'keys' in json && Array.isArray(json.keys)) {
+                yield tslib_1.__classPrivateFieldGet(this, _JWKSGenerator_store, "f").set({ keys: json.keys }, tslib_1.__classPrivateFieldGet(this, _JWKSGenerator_ttlSeconds, "f"));
+            }
+        });
+    }
+    _generateIfEmpty() {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const keyStore = yield this._retrieveKeyStore();
+            const arr = keyStore.all({ use: 'sig' });
+            if (!arr.length) {
+                yield keyStore.generate('RSA', 2048, { alg: 'RS256', use: 'sig' });
+                yield this._saveKeyStore(keyStore);
+            }
+            return keyStore;
+        });
+    }
+    generateIfEmpty() {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const keyStore = yield this._generateIfEmpty();
+            const json = keyStore.toJSON();
+            if (json && 'keys' in json && Array.isArray(json.keys)) {
+                json.keys.reverse();
+            }
+            return json;
+        });
+    }
+    /**
+     * Generate a new key pair
+     */
+    generate() {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const keyStore = yield this._retrieveKeyStore();
+            yield keyStore.generate('RSA', 2048, { alg: 'RS256', use: 'sig' });
+            yield this._saveKeyStore(keyStore);
+        });
+    }
+    sign(payload) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const keyStore = yield this._generateIfEmpty();
+            const key = keyStore.all({ use: 'sig' })
+                .pop();
+            if (!key)
+                throw new Error('sign: KEY STORE IS EMPTY');
+            const result = yield node_jose_1.default.JWS.createSign({ compact: true, fields: { typ: 'jwt' } }, key)
+                .update(typeof payload === 'string' || payload instanceof Buffer ? payload : JSON.stringify(payload))
+                .final();
+            return `${result}`;
+        });
+    }
+    /**
+     * Get public keys
+     */
+    get() {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const keyStore = yield this._retrieveKeyStore();
+            const json = keyStore.toJSON();
+            if (json && 'keys' in json && Array.isArray(json.keys)) {
+                json.keys.reverse();
+            }
+            return json;
+        });
+    }
+    getPublicKey(kid) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const keyStore = yield this._retrieveKeyStore();
+            return keyStore.get(kid).toJSON();
+        });
+    }
+    getPublicKeyAsPem(kid) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const key = yield this.getPublicKey(kid);
+            return (0, jwk_to_pem_1.default)(key);
+        });
+    }
+    verify(token) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            var _a;
+            const [header] = token.split('.');
+            const kid = (_a = JSON.parse(Buffer.from(header, 'base64url').toString())) === null || _a === void 0 ? void 0 : _a.kid;
+            const publicKey = yield this.getPublicKeyAsPem(kid);
+            return (0, jsonwebtoken_1.verify)(token, publicKey);
+        });
+    }
+}
+exports.JWKSGenerator = JWKSGenerator;
+_JWKSGenerator_store = new WeakMap(), _JWKSGenerator_ttlSeconds = new WeakMap();
+//# sourceMappingURL=jwks-generator.js.map

package/lib/utils/jwks-generator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks-generator.js","sourceRoot":"","sources":["../../src/utils/jwks-generator.ts"],"names":[],"mappings":";;;;AA8BA,sCAaC;;AA3CD,+CAAiD;AACjD,kEAA4B;AAC5B,oEAAiC;AA4BjC,SAAsB,aAAa,CAC/B,SAAwB,EACxB,OAAyB;;QAGzB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAA;QAChC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;QAEzC,OAAO,MAAM,SAAS,CAAC,IAAI,iCACpB,CAAE,OAAO,CAAE,KACd,GAAG,EAAE,OAAO,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,GAAG,EACrE,GAAG,EAAE,GAAG,IACV,CAAA;IACN,CAAC;CAAA;AAED;;GAEG;AACH,MAAa,aAAa;IAMtB;;OAEG;IACH,IAAI,GAAG;QACH,OAAO,+BAAA,IAAI,iCAAY,CAAA;IAC3B,CAAC;IAED;;OAEG;IACH,IAAI,GAAG,CAAC,UAA8B;QAClC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,UAAU,CAAC;YACnD,+BAAA,IAAI,6BAAe,UAAU,MAAA,CAAA;IACrC,CAAC;IAED,YAAY,KAAgB,EAAE,UAAmB;QAnBjD,uCAAiB;QAEjB,4CAAoB;QAkBhB,+BAAA,IAAI,wBAAU,KAAK,MAAA,CAAA;QACnB,+BAAA,IAAI,6BAAe,UAAU,MAAA,CAAA;IACjC,CAAC;IAEa,iBAAiB;;;YAC3B,MAAM,EAAE,GAAG,MAAM,+BAAA,IAAI,4BAAO,CAAC,GAAG,EAAE,CAAA;YAClC,IAAI,MAAA,EAAE,aAAF,EAAE,uBAAF,EAAE,CAAE,IAAI,0CAAE,MAAM,EAAE,CAAC;gBACnB,OAAO,MAAM,mBAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAA;YACxD,CAAC;iBAAM,CAAC;gBACJ,OAAO,mBAAI,CAAC,GAAG,CAAC,cAAc,EAAE,CAAA;YACpC,CAAC;QACL,CAAC;KAAA;IAEa,aAAa,CAAC,QAA2B;;YACnD,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;YAElC,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrD,MAAM,+BAAA,IAAI,4BAAO,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,+BAAA,IAAI,iCAAY,CAAC,CAAA;YAChE,CAAC;QACL,CAAC;KAAA;IAEa,gBAAgB;;YAC1B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAA;YAC/C,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAA;YACxC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;gBACd,MAAM,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAA;gBAClE,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAA;YACtC,CAAC;YACD,OAAO,QAAQ,CAAA;QACnB,CAAC;KAAA;IAEK,eAAe;;YACjB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAA;YAC9C,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAA;YAC9B,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAA;YACvB,CAAC;YACD,OAAO,IAAI,CAAA;QACf,CAAC;KAAA;IAED;;OAEG;IACG,QAAQ;;YACV,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAA;YAC/C,MAAM,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAA;YAClE,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAA;QACtC,CAAC;KAAA;IAEK,IAAI,CAAC,OAAmB;;YAC1B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAA;YAC9C,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;iBACnC,GAAG,EAAE,CAAA;YAEV,IAAI,CAAC,GAAG;gBAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAA;YAErD,MAAM,MAAM,GAAG,MAAM,mBAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,GAAG,CAAC;iBACnF,MAAM,CAAC,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,YAAY,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;iBACpG,KAAK,EAAE,CAAA;YACZ,OAAO,GAAG,MAAM,EAAE,CAAA;QACtB,CAAC;KAAA;IAED;;OAEG;IACG,GAAG;;YACL,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAA;YAC/C,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAA;YAC9B,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAA;YACvB,CAAC;YACD,OAAO,IAAI,CAAA;QACf,CAAC;KAAA;IAEK,YAAY,CAAC,GAAW;;YAC1B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAA;YAC/C,OAAO,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,EAAkB,CAAA;QACrD,CAAC;KAAA;IAEK,iBAAiB,CAAC,GAAW;;YAC/B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAA;YACxC,OAAO,IAAA,oBAAQ,EAAC,GAAG,CAAC,CAAA;QACxB,CAAC;KAAA;IAEK,MAAM,CAAC,KAAa;;;YACtB,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YACjC,MAAM,GAAG,GAAG,MAAA,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,0CAAE,GAAG,CAAA;YACxE,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;YACnD,OAAO,IAAA,qBAAM,EAAC,KAAK,EAAE,SAAS,CAAC,CAAA;QACnC,CAAC;KAAA;CACJ;AAhHD,sCAgHC"}

package/lib/utils/jwks-store.d.ts

@@ -0,0 +1,13 @@
+/**
+ * JWKS interface
+ */
+export interface JWKS {
+    keys: Array<Record<string, unknown>>;
+}
+/**
+ * JWKSStore interface
+ */
+export interface JWKSStore {
+    get(): Promise<JWKS | undefined>;
+    set(jwks: JWKS, ttlSeconds?: number): Promise<void>;
+}

package/lib/utils/jwks-store.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=jwks-store.js.map

package/lib/utils/jwks-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks-store.js","sourceRoot":"","sources":["../../src/utils/jwks-store.ts"],"names":[],"mappings":""}

package/lib/utils/token-types.d.ts

@@ -0,0 +1,46 @@
+import { ReqRef, ReqRefDefaults, Request } from '@kaapi/kaapi';
+import { StringCacheSet } from './cache-set';
+export type TokenTypeValidationResponse = {
+    isValid?: boolean;
+    message?: string;
+};
+export type TokenTypeValidation<Refs extends ReqRef = ReqRefDefaults> = (req: Request<Refs>, token: string, ttl: number) => TokenTypeValidationResponse | Promise<TokenTypeValidationResponse>;
+export type TokenRequestValidation<Refs extends ReqRef = ReqRefDefaults> = (req: Request<Refs>, ttl: number) => TokenTypeValidationResponse | Promise<TokenTypeValidationResponse>;
+export interface TokenType<Refs extends ReqRef = ReqRefDefaults> {
+    readonly prefix: string;
+    /**
+     * 401 if not valid
+     */
+    isValid: (req: Request<Refs>, token: string) => TokenTypeValidationResponse | Promise<TokenTypeValidationResponse>;
+    isValidTokenRequest?: (req: Request<Refs>) => TokenTypeValidationResponse | Promise<TokenTypeValidationResponse>;
+}
+export interface IBearerToken<Refs extends ReqRef = ReqRefDefaults> extends TokenType<Refs> {
+    readonly prefix: 'Bearer';
+}
+export interface IDPoPToken<Refs extends ReqRef = ReqRefDefaults> extends TokenType<Refs> {
+    readonly prefix: 'DPoP';
+}
+export declare class BearerToken<Refs extends ReqRef = ReqRefDefaults> implements IBearerToken<Refs> {
+    #private;
+    get prefix(): 'Bearer';
+    get configuration(): {};
+    constructor();
+    validate(handler: TokenTypeValidation<Refs>): this;
+    isValid(req: Request<any>, token: string): Promise<TokenTypeValidationResponse>;
+}
+export declare class DPoPToken<Refs extends ReqRef = ReqRefDefaults> implements IDPoPToken<Refs> {
+    #private;
+    get prefix(): 'DPoP';
+    get configuration(): {
+        dpop_signing_alg_values_supported: string[];
+        require_dpop: boolean;
+    };
+    constructor();
+    private _handleDefault;
+    setCacheSet(value: StringCacheSet): this;
+    setTTL(value: number): this;
+    validateTokenRequest(handler: TokenRequestValidation<Refs>): this;
+    validate(handler: TokenTypeValidation<Refs>): this;
+    isValidTokenRequest(req: Request<any>): Promise<TokenTypeValidationResponse>;
+    isValid(req: Request<any>, token: string): Promise<TokenTypeValidationResponse>;
+}

package/lib/utils/token-types.js

@@ -0,0 +1,143 @@
+"use strict";
+var _BearerToken_ttl, _BearerToken__handler, _DPoPToken_handler, _DPoPToken_tokenRequestHandler, _DPoPToken_ttl, _DPoPToken_cache;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DPoPToken = exports.BearerToken = void 0;
+const tslib_1 = require("tslib");
+const jose_1 = require("jose");
+const cache_set_1 = require("./cache-set");
+class BearerToken {
+    get prefix() {
+        return 'Bearer';
+    }
+    get configuration() {
+        return {};
+    }
+    constructor() {
+        _BearerToken_ttl.set(this, 300);
+        _BearerToken__handler.set(this, void 0);
+        tslib_1.__classPrivateFieldSet(this, _BearerToken__handler, (_, token) => tslib_1.__awaiter(this, void 0, void 0, function* () {
+            if (!token)
+                return {};
+            return { isValid: true };
+        }), "f");
+    }
+    validate(handler) {
+        tslib_1.__classPrivateFieldSet(this, _BearerToken__handler, handler, "f");
+        return this;
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    isValid(req, token) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            return yield tslib_1.__classPrivateFieldGet(this, _BearerToken__handler, "f").call(this, req, token, tslib_1.__classPrivateFieldGet(this, _BearerToken_ttl, "f"));
+        });
+    }
+}
+exports.BearerToken = BearerToken;
+_BearerToken_ttl = new WeakMap(), _BearerToken__handler = new WeakMap();
+class DPoPToken {
+    get prefix() {
+        return 'DPoP';
+    }
+    get configuration() {
+        return {
+            dpop_signing_alg_values_supported: ['ES256'],
+            require_dpop: true
+        };
+    }
+    constructor() {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        _DPoPToken_handler.set(this, void 0);
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        _DPoPToken_tokenRequestHandler.set(this, void 0);
+        _DPoPToken_ttl.set(this, 300);
+        _DPoPToken_cache.set(this, new cache_set_1.InMemoryTmpCache());
+        tslib_1.__classPrivateFieldSet(this, _DPoPToken_handler, (req, token, ttl) => tslib_1.__awaiter(this, void 0, void 0, function* () {
+            if (!token)
+                return {};
+            return yield this._handleDefault(req, ttl);
+        }), "f");
+        tslib_1.__classPrivateFieldSet(this, _DPoPToken_tokenRequestHandler, (req, ttl) => tslib_1.__awaiter(this, void 0, void 0, function* () {
+            return yield this._handleDefault(req, ttl);
+        }), "f");
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    _handleDefault(req, ttl) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            const dpopHeader = req.raw.req.headers.dpop;
+            if (!dpopHeader || typeof dpopHeader != 'string')
+                return { message: 'Missing Demonstration of Proof-of-Possession' };
+            try {
+                const { payload, protectedHeader } = yield (0, jose_1.jwtVerify)(dpopHeader, (header) => tslib_1.__awaiter(this, void 0, void 0, function* () {
+                    if (!header.jwk)
+                        throw new Error('Missing JWK');
+                    return (0, jose_1.importJWK)(header.jwk, header.alg);
+                }), { algorithms: ['ES256'] });
+                if (payload.htm !== req.method.toUpperCase())
+                    throw new Error('HTM mismatch');
+                const forwardedProto = req.headers['x-forwarded-proto'];
+                const protocol = forwardedProto ? forwardedProto : req.server.info.protocol;
+                const fullUrl = protocol
+                    + '://'
+                    + req.info.host
+                    + req.path;
+                if (payload.htu !== fullUrl)
+                    throw new Error('HTU mismatch');
+                const now = Math.floor(Date.now() / 1000);
+                if (!payload.iat)
+                    throw new Error('Missing IAT');
+                if (Math.abs(now - payload.iat) > ttl)
+                    throw new Error('Proof expired');
+                if (!payload.jti)
+                    throw new Error('Missing JTI');
+                if (yield tslib_1.__classPrivateFieldGet(this, _DPoPToken_cache, "f").has(payload.jti))
+                    throw new Error('Replay detected');
+                yield tslib_1.__classPrivateFieldGet(this, _DPoPToken_cache, "f").add(payload.jti, ttl);
+                req.app.oauth2 = req.app.oauth2 || {};
+                req.app.oauth2.dpopPayload = payload;
+                // Optional: bind proof to access token
+                if (protectedHeader.jwk) {
+                    // const tokenThumbprint = ... extract from token cnf.jkt
+                    const dpopThumbprint = yield (0, jose_1.calculateJwkThumbprint)(protectedHeader.jwk, 'sha256');
+                    req.app.oauth2.dpopThumbprint = dpopThumbprint;
+                    // if (tokenThumbprint !== proofThumbprint) throw new Error('Token binding mismatch');
+                }
+                return { isValid: true };
+            }
+            catch (err) {
+                console.error('Invalid DPoP proof:', err);
+                return { message: `${err}` };
+            }
+        });
+    }
+    setCacheSet(value) {
+        tslib_1.__classPrivateFieldSet(this, _DPoPToken_cache, value, "f");
+        return this;
+    }
+    setTTL(value) {
+        tslib_1.__classPrivateFieldSet(this, _DPoPToken_ttl, value, "f");
+        return this;
+    }
+    validateTokenRequest(handler) {
+        tslib_1.__classPrivateFieldSet(this, _DPoPToken_tokenRequestHandler, handler, "f");
+        return this;
+    }
+    validate(handler) {
+        tslib_1.__classPrivateFieldSet(this, _DPoPToken_handler, handler, "f");
+        return this;
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    isValidTokenRequest(req) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            return yield tslib_1.__classPrivateFieldGet(this, _DPoPToken_tokenRequestHandler, "f").call(this, req, tslib_1.__classPrivateFieldGet(this, _DPoPToken_ttl, "f"));
+        });
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    isValid(req, token) {
+        return tslib_1.__awaiter(this, void 0, void 0, function* () {
+            return yield tslib_1.__classPrivateFieldGet(this, _DPoPToken_handler, "f").call(this, req, token, tslib_1.__classPrivateFieldGet(this, _DPoPToken_ttl, "f"));
+        });
+    }
+}
+exports.DPoPToken = DPoPToken;
+_DPoPToken_handler = new WeakMap(), _DPoPToken_tokenRequestHandler = new WeakMap(), _DPoPToken_ttl = new WeakMap(), _DPoPToken_cache = new WeakMap();
+//# sourceMappingURL=token-types.js.map

package/lib/utils/token-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-types.js","sourceRoot":"","sources":["../../src/utils/token-types.ts"],"names":[],"mappings":";;;;;AAKA,+BAIc;AACd,2CAA+D;AAuC/D,MAAa,WAAW;IAMpB,IAAI,MAAM;QACN,OAAO,QAAQ,CAAA;IACnB,CAAC;IAED,IAAI,aAAa;QACb,OAAO,EAAE,CAAA;IACb,CAAC;IAED;QAXA,2BAAe,GAAG,EAAA;QAClB,wCAAoC;QAWhC,+BAAA,IAAI,yBAAa,CAAO,CAAC,EAAE,KAAK,EAAE,EAAE;YAChC,IAAI,CAAC,KAAK;gBAAE,OAAO,EAAE,CAAA;YAErB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;QAC5B,CAAC,CAAA,MAAA,CAAA;IACL,CAAC;IAED,QAAQ,CAAC,OAAkC;QACvC,+BAAA,IAAI,yBAAa,OAAO,MAAA,CAAA;QACxB,OAAO,IAAI,CAAA;IACf,CAAC;IAED,8DAA8D;IACxD,OAAO,CAAC,GAAiB,EAAE,KAAa;;YAC1C,OAAO,MAAM,+BAAA,IAAI,6BAAU,MAAd,IAAI,EAAW,GAAG,EAAE,KAAK,EAAE,+BAAA,IAAI,wBAAK,CAAC,CAAA;QACtD,CAAC;KAAA;CACJ;AA/BD,kCA+BC;;AAED,MAAa,SAAS;IAUlB,IAAI,MAAM;QACN,OAAO,MAAM,CAAA;IACjB,CAAC;IAED,IAAI,aAAa;QACb,OAAO;YACH,iCAAiC,EAAE,CAAC,OAAO,CAAC;YAC5C,YAAY,EAAE,IAAI;SACrB,CAAA;IACL,CAAC;IAED;QAlBA,8DAA8D;QAC9D,qCAAkC;QAClC,8DAA8D;QAC9D,iDAAiD;QACjD,yBAAe,GAAG,EAAA;QAClB,2BAAyB,IAAI,4BAAgB,EAAU,EAAA;QAcnD,+BAAA,IAAI,sBAAY,CAAO,GAA4B,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;YAC/D,IAAI,CAAC,KAAK;gBAAE,OAAO,EAAE,CAAA;YACrB,OAAO,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC9C,CAAC,CAAA,MAAA,CAAA;QAED,+BAAA,IAAI,kCAAwB,CAAO,GAA4B,EAAE,GAAG,EAAE,EAAE;YACpE,OAAO,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC9C,CAAC,CAAA,MAAA,CAAA;IACL,CAAC;IAED,8DAA8D;IAChD,cAAc,CAAC,GAAiB,EAAE,GAAW;;YACvD,MAAM,UAAU,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;YACxC,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,IAAI,QAAQ;gBAAE,OAAO,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAA;YAEpH,IAAI,CAAC;gBACD,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,MAAM,IAAA,gBAAS,EAAC,UAAU,EAAE,CAAO,MAAM,EAAE,EAAE;oBAC9E,IAAI,CAAC,MAAM,CAAC,GAAG;wBAAE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;oBAChD,OAAO,IAAA,gBAAS,EAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC7C,CAAC,CAAA,EAAE,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;gBAE9B,IAAI,OAAO,CAAC,GAAG,KAAK,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE;oBAAE,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;gBAE9E,MAAM,cAAc,GAAG,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;gBACxD,MAAM,QAAQ,GAAG,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAC5E,MAAM,OAAO,GAAG,QAAQ;sBAClB,KAAK;sBACL,GAAG,CAAC,IAAI,CAAC,IAAI;sBACb,GAAG,CAAC,IAAI,CAAC;gBACf,IAAI,OAAO,CAAC,GAAG,KAAK,OAAO;oBAAE,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;gBAE7D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;gBAE1C,IAAI,CAAC,OAAO,CAAC,GAAG;oBAAE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;gBACjD,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,GAAG;oBAAE,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;gBAExE,IAAI,CAAC,OAAO,CAAC,GAAG;oBAAE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;gBAEjD,IAAI,MAAM,+BAAA,IAAI,wBAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC;oBAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;gBAC3E,MAAM,+BAAA,IAAI,wBAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;gBAExC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAAA;gBACrC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,GAAG,OAAO,CAAC;gBAErC,uCAAuC;gBACvC,IAAI,eAAe,CAAC,GAAG,EAAE,CAAC;oBACtB,yDAAyD;oBACzD,MAAM,cAAc,GAAG,MAAM,IAAA,6BAAsB,EAAC,eAAe,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;oBACnF,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,GAAG,cAAc,CAAA;oBAC9C,sFAAsF;gBAC1F,CAAC;gBAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;YAC5B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACX,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,GAAG,CAAC,CAAA;gBACzC,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,EAAE,EAAE,CAAA;YAChC,CAAC;QACT,CAAC;KAAA;IAED,WAAW,CAAC,KAAqB;QAC7B,+BAAA,IAAI,oBAAU,KAAK,MAAA,CAAA;QACnB,OAAO,IAAI,CAAA;IACf,CAAC;IAED,MAAM,CAAC,KAAa;QAChB,+BAAA,IAAI,kBAAQ,KAAK,MAAA,CAAA;QACjB,OAAO,IAAI,CAAA;IACf,CAAC;IAED,oBAAoB,CAAC,OAAqC;QACtD,+BAAA,IAAI,kCAAwB,OAAO,MAAA,CAAA;QACnC,OAAO,IAAI,CAAA;IACf,CAAC;IAED,QAAQ,CAAC,OAAkC;QACvC,+BAAA,IAAI,sBAAY,OAAO,MAAA,CAAA;QACvB,OAAO,IAAI,CAAA;IACf,CAAC;IAED,8DAA8D;IACxD,mBAAmB,CAAC,GAAiB;;YACvC,OAAO,MAAM,+BAAA,IAAI,sCAAqB,MAAzB,IAAI,EAAsB,GAAG,EAAE,+BAAA,IAAI,sBAAK,CAAC,CAAA;QAC1D,CAAC;KAAA;IAED,8DAA8D;IACxD,OAAO,CAAC,GAAiB,EAAE,KAAa;;YAC1C,OAAO,MAAM,+BAAA,IAAI,0BAAS,MAAb,IAAI,EAAU,GAAG,EAAE,KAAK,EAAE,+BAAA,IAAI,sBAAK,CAAC,CAAA;QACrD,CAAC;KAAA;CACJ;AA9GD,8BA8GC"}

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@kaapi/oauth2-auth-design",
+  "version": "0.0.13",
+  "private": false,
+  "description": "OAuth2 auth design for kaapi",
+  "main": "lib/index.js",
+  "exports": {
+    ".": {
+      "types": "./lib/index.d.ts",
+      "default": "./lib/index.js"
+    }
+  },
+  "author": "demingongo",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/demingongo/kaapi.git",
+    "directory": "packages/oauth2-auth-design"
+  },
+  "license": "MIT",
+  "dependencies": {
+    "@hapi/boom": "^10.0.1",
+    "@hapi/hoek": "^11.0.7",
+    "@novice1/api-doc-generator": "^1.0.2",
+    "html-entities": "^2.6.0",
+    "jose": "^6.0.12",
+    "jsonwebtoken": "^9.0.2",
+    "jwk-to-pem": "^2.0.7",
+    "node-jose": "^2.2.0",
+    "tslib": "^2.8.1",
+    "@kaapi/kaapi": "^0.0.13"
+  },
+  "devDependencies": {
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/jwk-to-pem": "^2.0.3",
+    "@types/node-jose": "^1.1.13",
+    "kaukau": "^4.1.6",
+    "uuid": "^11.1.0"
+  },
+  "scripts": {
+    "lint": "eslint .",
+    "build": "tsc && node ./scripts/buildDT.mjs",
+    "test": "kaukau --require ts-node/register --config kaukau-src.mjs"
+  }
+}

package/types/overrides.d.ts

@@ -0,0 +1,14 @@
+import {
+    JWTPayload
+} from 'jose';
+
+declare module '@kaapi/kaapi' {
+  interface RequestApplicationState {
+    oauth2?: {
+      dpopPayload?: JWTPayload;
+      dpopThumbprint?: string;
+    };
+  }
+}
+
+export {}