@keycardai/express 0.1.0

package/dist/esm/wellKnown.js

@@ -0,0 +1,70 @@
+import { Router } from "express";
+/**
+ * Returns an Express Router that serves the two OAuth discovery endpoints
+ * required by RFC 9728 and RFC 8414:
+ *
+ * - `GET /.well-known/oauth-protected-resource` (RFC 9728 §2)
+ * - `GET /.well-known/oauth-authorization-server` (RFC 8414 §3, proxied)
+ *
+ * Mount it at the application root:
+ * ```ts
+ * import express from "express";
+ * import { keycardMetadataRouter } from "@keycardai/express";
+ *
+ * const app = express();
+ * app.use(keycardMetadataRouter({ issuer: "https://zone.keycard.cloud" }));
+ * ```
+ *
+ * These paths must remain publicly accessible (no bearer auth) per their
+ * respective specs. Per the security guidance in
+ * `@keycardai/starlette` and the feedback_specific_path_bypass rule:
+ * only bypass auth for these exact paths, never a broad `/.well-known/` prefix.
+ */
+export function keycardMetadataRouter(options) {
+    const router = Router();
+    router.get("/.well-known/oauth-protected-resource", protectedResourceHandler(options));
+    router.get("/.well-known/oauth-authorization-server", authorizationServerHandler(options.issuer, options.asMetadataTimeoutMs ?? 10_000));
+    return router;
+}
+function protectedResourceHandler(options) {
+    return (req, res) => {
+        const resource = `${req.protocol}://${req.host}`;
+        const metadata = {
+            resource,
+            authorization_servers: [options.issuer],
+        };
+        if (options.resourceName)
+            metadata.resource_name = options.resourceName;
+        if (options.scopesSupported)
+            metadata.scopes_supported = [...options.scopesSupported];
+        if (options.resourceDocumentation)
+            metadata.resource_documentation = options.resourceDocumentation;
+        res.set("Access-Control-Allow-Origin", "*");
+        res.status(200).json(metadata);
+    };
+}
+function authorizationServerHandler(issuer, timeoutMs) {
+    return async (req, res, next) => {
+        try {
+            const upstream = await fetch(`${issuer}/.well-known/oauth-authorization-server`, { signal: AbortSignal.timeout(timeoutMs) });
+            if (!upstream.ok) {
+                res.status(502).json({ error: "Failed to fetch AS metadata from issuer" });
+                return;
+            }
+            const metadata = await upstream.json();
+            // Rewrite authorization_endpoint to include a `resource` param pointing
+            // at this server's origin so the AS knows which resource is being accessed.
+            if (typeof metadata.authorization_endpoint === "string") {
+                const authUrl = new URL(metadata.authorization_endpoint);
+                authUrl.searchParams.set("resource", `${req.protocol}://${req.host}`);
+                metadata.authorization_endpoint = authUrl.toString();
+            }
+            res.set("Access-Control-Allow-Origin", "*");
+            res.status(200).json(metadata);
+        }
+        catch (e) {
+            next(e);
+        }
+    };
+}
+//# sourceMappingURL=wellKnown.js.map

package/dist/esm/wellKnown.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wellKnown.js","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AA4BjC;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAA6B;IACjE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IAExB,MAAM,CAAC,GAAG,CACR,uCAAuC,EACvC,wBAAwB,CAAC,OAAO,CAAC,CAClC,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,yCAAyC,EACzC,0BAA0B,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,mBAAmB,IAAI,MAAM,CAAC,CAClF,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,wBAAwB,CAAC,OAA6B;IAC7D,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,QAAQ,GAA4B;YACxC,QAAQ;YACR,qBAAqB,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;SACxC,CAAC;QACF,IAAI,OAAO,CAAC,YAAY;YAAE,QAAQ,CAAC,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;QACxE,IAAI,OAAO,CAAC,eAAe;YAAE,QAAQ,CAAC,gBAAgB,GAAG,CAAC,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;QACtF,IAAI,OAAO,CAAC,qBAAqB;YAAE,QAAQ,CAAC,sBAAsB,GAAG,OAAO,CAAC,qBAAqB,CAAC;QAEnG,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,MAAc,EAAE,SAAiB;IACnE,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,MAAM,yCAAyC,EAClD,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAC3C,CAAC;YACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;gBAC3E,OAAO;YACT,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;YAElE,wEAAwE;YACxE,4EAA4E;YAC5E,IAAI,OAAO,QAAQ,CAAC,sBAAsB,KAAK,QAAQ,EAAE,CAAC;gBACxD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;gBACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;gBACtE,QAAQ,CAAC,sBAAsB,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;YACvD,CAAC;YAED,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,CAAC,CAAC,CAAC;QACV,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@keycardai/express",
+  "version": "0.1.0",
+  "description": "[Preview] Keycard auth middleware for Express: bearer token validation, RFC 6750 challenges, delegated token exchange, and OAuth discovery routes",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/keycardai/typescript-sdk.git",
+    "directory": "packages/express"
+  },
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": "./dist/esm/index.js",
+      "require": "./dist/cjs/index.js",
+      "types": "./dist/esm/index.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "typesVersions": {
+    "*": {
+      "*": [
+        "./dist/esm/*"
+      ]
+    }
+  },
+  "scripts": {
+    "build": "pnpm run build:esm && pnpm run build:cjs",
+    "build:esm": "tsc -p tsconfig.prod.json && echo '{\"type\": \"module\"}' > dist/esm/package.json",
+    "build:cjs": "tsc -p tsconfig.cjs.json && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json",
+    "test": "NODE_OPTIONS='--experimental-vm-modules' jest",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "@keycardai/oauth": "workspace:*"
+  },
+  "peerDependencies": {
+    "express": ">=4.0.0"
+  },
+  "devDependencies": {
+    "@jest/globals": "^30.0.4",
+    "@types/express": "^5.0.3",
+    "@types/supertest": "^6.0.3",
+    "express": "^5.0.0",
+    "jest": "^30.0.4",
+    "supertest": "^7.1.1",
+    "ts-jest": "^29.4.0",
+    "typescript": "^5.8.3"
+  }
+}