@keycardai/oauth 0.1.0

package/dist/esm/tokenExchange.js

@@ -0,0 +1,126 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _TokenExchangeClient_instances, _TokenExchangeClient_issuerUrl, _TokenExchangeClient_clientId, _TokenExchangeClient_clientSecret, _TokenExchangeClient_tokenEndpoint, _TokenExchangeClient_discoveryPromise, _TokenExchangeClient_getTokenEndpoint;
+import { fetchAuthorizationServerMetadata } from "./discovery.js";
+// =============================================================================
+// Wire format helpers (camelCase <-> snake_case at the boundary)
+// =============================================================================
+function serializeRequest(request) {
+    const params = new URLSearchParams();
+    params.set("grant_type", request.grantType ?? "urn:ietf:params:oauth:grant-type:token-exchange");
+    params.set("subject_token", request.subjectToken);
+    params.set("subject_token_type", request.subjectTokenType ?? "urn:ietf:params:oauth:token-type:access_token");
+    if (request.resource)
+        params.set("resource", request.resource);
+    if (request.audience)
+        params.set("audience", request.audience);
+    if (request.scope)
+        params.set("scope", request.scope);
+    if (request.requestedTokenType)
+        params.set("requested_token_type", request.requestedTokenType);
+    if (request.actorToken)
+        params.set("actor_token", request.actorToken);
+    if (request.actorTokenType)
+        params.set("actor_token_type", request.actorTokenType);
+    if (request.clientAssertion)
+        params.set("client_assertion", request.clientAssertion);
+    if (request.clientAssertionType)
+        params.set("client_assertion_type", request.clientAssertionType);
+    return params;
+}
+function deserializeResponse(json) {
+    const accessToken = json.access_token;
+    if (typeof accessToken !== "string" || !accessToken) {
+        throw new Error("Token exchange response missing access_token");
+    }
+    const response = {
+        accessToken,
+        tokenType: typeof json.token_type === "string" ? json.token_type : "bearer",
+    };
+    if (typeof json.expires_in === "number")
+        response.expiresIn = json.expires_in;
+    if (typeof json.refresh_token === "string")
+        response.refreshToken = json.refresh_token;
+    if (typeof json.issued_token_type === "string")
+        response.issuedTokenType = json.issued_token_type;
+    if (typeof json.scope === "string") {
+        response.scope = json.scope.split(" ").filter(Boolean);
+    }
+    return response;
+}
+// =============================================================================
+// Token Exchange Client
+// =============================================================================
+export class TokenExchangeClient {
+    constructor(issuerUrl, options) {
+        _TokenExchangeClient_instances.add(this);
+        _TokenExchangeClient_issuerUrl.set(this, void 0);
+        _TokenExchangeClient_clientId.set(this, void 0);
+        _TokenExchangeClient_clientSecret.set(this, void 0);
+        _TokenExchangeClient_tokenEndpoint.set(this, void 0);
+        _TokenExchangeClient_discoveryPromise.set(this, void 0);
+        __classPrivateFieldSet(this, _TokenExchangeClient_issuerUrl, issuerUrl, "f");
+        __classPrivateFieldSet(this, _TokenExchangeClient_clientId, options?.clientId, "f");
+        __classPrivateFieldSet(this, _TokenExchangeClient_clientSecret, options?.clientSecret, "f");
+    }
+    async exchangeToken(request) {
+        const tokenEndpoint = await __classPrivateFieldGet(this, _TokenExchangeClient_instances, "m", _TokenExchangeClient_getTokenEndpoint).call(this);
+        const body = serializeRequest(request);
+        const headers = {
+            "Content-Type": "application/x-www-form-urlencoded",
+        };
+        if (__classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f") && __classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f")) {
+            const credentials = btoa(`${__classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f")}:${__classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f")}`);
+            headers["Authorization"] = `Basic ${credentials}`;
+        }
+        const response = await fetch(tokenEndpoint, {
+            method: "POST",
+            headers,
+            body: body.toString(),
+        });
+        if (!response.ok) {
+            let errorDetail = "";
+            try {
+                const errorBody = await response.json();
+                errorDetail = typeof errorBody.error_description === "string"
+                    ? errorBody.error_description
+                    : typeof errorBody.error === "string"
+                        ? errorBody.error
+                        : "";
+            }
+            catch {
+                // ignore parse errors
+            }
+            throw new Error(`Token exchange failed (HTTP ${response.status})${errorDetail ? `: ${errorDetail}` : ""}`);
+        }
+        const json = await response.json();
+        return deserializeResponse(json);
+    }
+}
+_TokenExchangeClient_issuerUrl = new WeakMap(), _TokenExchangeClient_clientId = new WeakMap(), _TokenExchangeClient_clientSecret = new WeakMap(), _TokenExchangeClient_tokenEndpoint = new WeakMap(), _TokenExchangeClient_discoveryPromise = new WeakMap(), _TokenExchangeClient_instances = new WeakSet(), _TokenExchangeClient_getTokenEndpoint = async function _TokenExchangeClient_getTokenEndpoint() {
+    if (__classPrivateFieldGet(this, _TokenExchangeClient_tokenEndpoint, "f")) {
+        return __classPrivateFieldGet(this, _TokenExchangeClient_tokenEndpoint, "f");
+    }
+    // Promise-based lock: only one concurrent discovery
+    if (!__classPrivateFieldGet(this, _TokenExchangeClient_discoveryPromise, "f")) {
+        __classPrivateFieldSet(this, _TokenExchangeClient_discoveryPromise, (async () => {
+            const metadata = await fetchAuthorizationServerMetadata(__classPrivateFieldGet(this, _TokenExchangeClient_issuerUrl, "f"));
+            if (!metadata.token_endpoint) {
+                throw new Error(`Authorization server "${__classPrivateFieldGet(this, _TokenExchangeClient_issuerUrl, "f")}" does not advertise a token_endpoint`);
+            }
+            __classPrivateFieldSet(this, _TokenExchangeClient_tokenEndpoint, metadata.token_endpoint, "f");
+            return __classPrivateFieldGet(this, _TokenExchangeClient_tokenEndpoint, "f");
+        })(), "f");
+    }
+    return __classPrivateFieldGet(this, _TokenExchangeClient_discoveryPromise, "f");
+};
+//# sourceMappingURL=tokenExchange.js.map

package/dist/esm/tokenExchange.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAkClE,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAM,OAAO,mBAAmB;IAO9B,YAAY,SAAiB,EAAE,OAAoC;;QANnE,iDAAmB;QACnB,gDAAmB;QACnB,oDAAuB;QACvB,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,kCAAc,SAAS,MAAA,CAAC;QAC5B,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAA6B;QAC/C,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;YACzC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC,CAAC;YACpE,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,WAAW,GAAG,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;oBAC3D,CAAC,CAAC,SAAS,CAAC,iBAAiB;oBAC7B,CAAC,CAAC,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ;wBACnC,CAAC,CAAC,SAAS,CAAC,KAAK;wBACjB,CAAC,CAAC,EAAE,CAAC;YACX,CAAC;YAAC,MAAM,CAAC;gBACP,sBAAsB;YACxB,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,IAAI,WAAW,CAAC,CAAC,CAAC,KAAK,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAC1F,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;CAqBF;qVAnBC,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,uBAAA,IAAI,sCAAW,CAAC,CAAC;YACzE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,sCAAW,uCAAuC,CAAC,CAAC;YACnG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}

package/package.json

@@ -0,0 +1,70 @@
+{
+  "name": "@keycardai/oauth",
+  "version": "0.1.0",
+  "description": "Pure OAuth 2.0 primitives for Keycard — JWKS key management, JWT signing/verification, and authorization server discovery",
+  "license": "MIT",
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": "./dist/esm/index.js",
+      "require": "./dist/cjs/index.js",
+      "types": "./dist/esm/index.d.ts"
+    },
+    "./keyring": {
+      "import": "./dist/esm/keyring.js",
+      "require": "./dist/cjs/keyring.js",
+      "types": "./dist/esm/keyring.d.ts"
+    },
+    "./base64url": {
+      "import": "./dist/esm/base64url.js",
+      "require": "./dist/cjs/base64url.js",
+      "types": "./dist/esm/base64url.d.ts"
+    },
+    "./discovery": {
+      "import": "./dist/esm/discovery.js",
+      "require": "./dist/cjs/discovery.js",
+      "types": "./dist/esm/discovery.d.ts"
+    },
+    "./errors": {
+      "import": "./dist/esm/errors.js",
+      "require": "./dist/cjs/errors.js",
+      "types": "./dist/esm/errors.d.ts"
+    },
+    "./jwt/signer": {
+      "import": "./dist/esm/jwt/signer.js",
+      "require": "./dist/cjs/jwt/signer.js",
+      "types": "./dist/esm/jwt/signer.d.ts"
+    },
+    "./jwt/verifier": {
+      "import": "./dist/esm/jwt/verifier.js",
+      "require": "./dist/cjs/jwt/verifier.js",
+      "types": "./dist/esm/jwt/verifier.d.ts"
+    },
+    "./tokenExchange": {
+      "import": "./dist/esm/tokenExchange.js",
+      "require": "./dist/cjs/tokenExchange.js",
+      "types": "./dist/esm/tokenExchange.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "typesVersions": {
+    "*": {
+      "*": ["./dist/esm/*"]
+    }
+  },
+  "scripts": {
+    "build": "pnpm run build:esm && pnpm run build:cjs",
+    "build:esm": "tsc -p tsconfig.prod.json && echo '{\"type\": \"module\"}' > dist/esm/package.json",
+    "build:cjs": "tsc -p tsconfig.cjs.json && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "zod": "^3.25.74"
+  },
+  "devDependencies": {
+    "typescript": "^5.8.3"
+  }
+}