@keycardai/oauth 0.1.1 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/discovery.d.ts +3 -1
- package/dist/cjs/discovery.d.ts.map +1 -1
- package/dist/cjs/discovery.js +2 -2
- package/dist/cjs/discovery.js.map +1 -1
- package/dist/cjs/index.d.ts +1 -1
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/keyring.d.ts +11 -0
- package/dist/cjs/keyring.d.ts.map +1 -1
- package/dist/cjs/keyring.js +139 -19
- package/dist/cjs/keyring.js.map +1 -1
- package/dist/esm/discovery.d.ts +3 -1
- package/dist/esm/discovery.d.ts.map +1 -1
- package/dist/esm/discovery.js +2 -2
- package/dist/esm/discovery.js.map +1 -1
- package/dist/esm/index.d.ts +1 -1
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/keyring.d.ts +11 -0
- package/dist/esm/keyring.d.ts.map +1 -1
- package/dist/esm/keyring.js +138 -18
- package/dist/esm/keyring.js.map +1 -1
- package/package.json +5 -1
package/dist/cjs/discovery.d.ts
CHANGED
|
@@ -22,6 +22,8 @@ declare const OAuthAuthorizationServerMetadataSchema: z.ZodObject<{
|
|
|
22
22
|
token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
23
23
|
}, z.ZodTypeAny, "passthrough">>;
|
|
24
24
|
export type OAuthAuthorizationServerMetadata = z.infer<typeof OAuthAuthorizationServerMetadataSchema>;
|
|
25
|
-
export declare function fetchAuthorizationServerMetadata(issuer: string
|
|
25
|
+
export declare function fetchAuthorizationServerMetadata(issuer: string, options?: {
|
|
26
|
+
signal?: AbortSignal;
|
|
27
|
+
}): Promise<OAuthAuthorizationServerMetadata>;
|
|
26
28
|
export {};
|
|
27
29
|
//# sourceMappingURL=discovery.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,
|
|
1
|
+
{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,CACpD,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,WAAW,CAAA;CAAE,GACjC,OAAO,CAAC,gCAAgC,CAAC,CAsB3C"}
|
package/dist/cjs/discovery.js
CHANGED
|
@@ -10,14 +10,14 @@ const OAuthAuthorizationServerMetadataSchema = zod_1.z.object({
|
|
|
10
10
|
registration_endpoint: zod_1.z.string().optional(),
|
|
11
11
|
token_endpoint_auth_methods_supported: zod_1.z.array(zod_1.z.string()).optional(),
|
|
12
12
|
}).passthrough();
|
|
13
|
-
async function fetchAuthorizationServerMetadata(issuer) {
|
|
13
|
+
async function fetchAuthorizationServerMetadata(issuer, options) {
|
|
14
14
|
const issuerURL = new URL(issuer);
|
|
15
15
|
let path = issuerURL.pathname;
|
|
16
16
|
if (path.endsWith("/")) {
|
|
17
17
|
path = path.slice(0, -1);
|
|
18
18
|
}
|
|
19
19
|
const url = new URL(`/.well-known/oauth-authorization-server${path}`, issuer);
|
|
20
|
-
const response = await fetch(url);
|
|
20
|
+
const response = await fetch(url, { signal: options?.signal });
|
|
21
21
|
if (!response.ok) {
|
|
22
22
|
throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
|
|
23
23
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":";;AAaA,
|
|
1
|
+
{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":";;AAaA,4EAyBC;AAtCD,6BAAwB;AAExB,MAAM,sCAAsC,GAAG,OAAC,CAAC,MAAM,CAAC;IACtD,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;IAClB,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC,WAAW,EAAE,CAAC;AAIV,KAAK,UAAU,gCAAgC,CACpD,MAAc,EACd,OAAkC;IAElC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC9B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,0CAA0C,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/D,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,4DAA4D,MAAM,GAAG,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,sCAAsC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,+DAA+D,MAAM,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
package/dist/cjs/index.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
export type { OAuthKeyring, PrivateKeyring, IdentifiableKey } from "./keyring.js";
|
|
1
|
+
export type { OAuthKeyring, PrivateKeyring, IdentifiableKey, JWKSOAuthKeyringOptions } from "./keyring.js";
|
|
2
2
|
export { JWKSOAuthKeyring } from "./keyring.js";
|
|
3
3
|
export { default as base64url } from "./base64url.js";
|
|
4
4
|
export { fetchAuthorizationServerMetadata } from "./discovery.js";
|
package/dist/cjs/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}
|
package/dist/cjs/keyring.d.ts
CHANGED
|
@@ -9,7 +9,18 @@ export type IdentifiableKey = {
|
|
|
9
9
|
export interface PrivateKeyring {
|
|
10
10
|
key(usage: string): Promise<IdentifiableKey>;
|
|
11
11
|
}
|
|
12
|
+
export interface JWKSOAuthKeyringOptions {
|
|
13
|
+
/** TTL for cached CryptoKeys. Default: 5 minutes. */
|
|
14
|
+
keyTtlMs?: number;
|
|
15
|
+
/** TTL for cached discovery (issuer → jwks_uri) mappings. Default: 1 hour. */
|
|
16
|
+
discoveryTtlMs?: number;
|
|
17
|
+
/** Timeout for both discovery and JWKS fetch requests. Default: 10 seconds. */
|
|
18
|
+
fetchTimeoutMs?: number;
|
|
19
|
+
}
|
|
12
20
|
export declare class JWKSOAuthKeyring implements OAuthKeyring {
|
|
21
|
+
#private;
|
|
22
|
+
constructor(options?: JWKSOAuthKeyringOptions);
|
|
13
23
|
key(issuer: string, kid: string): Promise<CryptoKey>;
|
|
24
|
+
invalidate(issuer: string, kid: string): void;
|
|
14
25
|
}
|
|
15
26
|
//# sourceMappingURL=keyring.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;
|
|
1
|
+
{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAuDD,qBAAa,gBAAiB,YAAW,YAAY;;gBAWvC,OAAO,CAAC,EAAE,uBAAuB;IAMvC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW1D,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;CA4H9C"}
|
package/dist/cjs/keyring.js
CHANGED
|
@@ -1,4 +1,16 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
+
var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
|
|
3
|
+
if (kind === "m") throw new TypeError("Private method is not writable");
|
|
4
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
|
|
5
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
|
|
6
|
+
return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
|
|
7
|
+
};
|
|
8
|
+
var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
|
|
9
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
|
|
10
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
|
|
11
|
+
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
|
|
12
|
+
};
|
|
13
|
+
var _JWKSOAuthKeyring_instances, _JWKSOAuthKeyring_keyTtlMs, _JWKSOAuthKeyring_discoveryTtlMs, _JWKSOAuthKeyring_fetchTimeoutMs, _JWKSOAuthKeyring_discoveryCache, _JWKSOAuthKeyring_keyCache, _JWKSOAuthKeyring_discoveryInflight, _JWKSOAuthKeyring_keyInflight, _JWKSOAuthKeyring_resolveJwksUri, _JWKSOAuthKeyring_resolveKey, _JWKSOAuthKeyring_getCached;
|
|
2
14
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
15
|
exports.JWKSOAuthKeyring = void 0;
|
|
4
16
|
const zod_1 = require("zod");
|
|
@@ -21,29 +33,137 @@ const ECJWKSchema = JWKSchema.extend({
|
|
|
21
33
|
const JWKSetSchema = zod_1.z.object({
|
|
22
34
|
keys: zod_1.z.array(zod_1.z.union([RSAJWKSchema, ECJWKSchema])),
|
|
23
35
|
});
|
|
36
|
+
const DEFAULT_KEY_TTL_MS = 5 * 60 * 1000; // 5 minutes
|
|
37
|
+
const DEFAULT_DISCOVERY_TTL_MS = 60 * 60 * 1000; // 1 hour
|
|
38
|
+
const DEFAULT_FETCH_TIMEOUT_MS = 10_000; // 10 seconds
|
|
39
|
+
function assertSameOrigin(issuer, jwksUri) {
|
|
40
|
+
const issuerOrigin = new URL(issuer).origin;
|
|
41
|
+
const jwksOrigin = new URL(jwksUri).origin;
|
|
42
|
+
if (issuerOrigin !== jwksOrigin) {
|
|
43
|
+
throw new Error(`JWKS URI origin "${jwksOrigin}" does not match issuer origin "${issuerOrigin}" for "${issuer}"`);
|
|
44
|
+
}
|
|
45
|
+
}
|
|
46
|
+
function keyCacheKey(issuer, kid) {
|
|
47
|
+
return `${issuer}::${kid}`;
|
|
48
|
+
}
|
|
49
|
+
// ---------------------------------------------------------------------------
|
|
50
|
+
// JWKSOAuthKeyring — two-level cached keyring
|
|
51
|
+
// ---------------------------------------------------------------------------
|
|
24
52
|
class JWKSOAuthKeyring {
|
|
53
|
+
constructor(options) {
|
|
54
|
+
_JWKSOAuthKeyring_instances.add(this);
|
|
55
|
+
_JWKSOAuthKeyring_keyTtlMs.set(this, void 0);
|
|
56
|
+
_JWKSOAuthKeyring_discoveryTtlMs.set(this, void 0);
|
|
57
|
+
_JWKSOAuthKeyring_fetchTimeoutMs.set(this, void 0);
|
|
58
|
+
_JWKSOAuthKeyring_discoveryCache.set(this, new Map());
|
|
59
|
+
_JWKSOAuthKeyring_keyCache.set(this, new Map());
|
|
60
|
+
_JWKSOAuthKeyring_discoveryInflight.set(this, new Map());
|
|
61
|
+
_JWKSOAuthKeyring_keyInflight.set(this, new Map());
|
|
62
|
+
__classPrivateFieldSet(this, _JWKSOAuthKeyring_keyTtlMs, options?.keyTtlMs ?? DEFAULT_KEY_TTL_MS, "f");
|
|
63
|
+
__classPrivateFieldSet(this, _JWKSOAuthKeyring_discoveryTtlMs, options?.discoveryTtlMs ?? DEFAULT_DISCOVERY_TTL_MS, "f");
|
|
64
|
+
__classPrivateFieldSet(this, _JWKSOAuthKeyring_fetchTimeoutMs, options?.fetchTimeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS, "f");
|
|
65
|
+
}
|
|
25
66
|
async key(issuer, kid) {
|
|
26
|
-
const
|
|
27
|
-
|
|
28
|
-
|
|
67
|
+
const cacheKey = keyCacheKey(issuer, kid);
|
|
68
|
+
const cached = __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_getCached).call(this, __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f"), cacheKey);
|
|
69
|
+
if (cached) {
|
|
70
|
+
return cached;
|
|
29
71
|
}
|
|
30
|
-
const
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
const
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
}
|
|
40
|
-
// TODO: make this more robust to uses and algs
|
|
41
|
-
const key = await crypto.subtle.importKey('jwk', jwk, {
|
|
42
|
-
name: 'RSASSA-PKCS1-v1_5',
|
|
43
|
-
hash: { name: 'SHA-256' },
|
|
44
|
-
}, true, ['verify']);
|
|
45
|
-
return key;
|
|
72
|
+
const jwksUri = await __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_resolveJwksUri).call(this, issuer);
|
|
73
|
+
return __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_resolveKey).call(this, issuer, kid, jwksUri, cacheKey);
|
|
74
|
+
}
|
|
75
|
+
invalidate(issuer, kid) {
|
|
76
|
+
const cacheKey = keyCacheKey(issuer, kid);
|
|
77
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").delete(cacheKey);
|
|
78
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").delete(cacheKey);
|
|
79
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").delete(issuer);
|
|
80
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
|
|
46
81
|
}
|
|
47
82
|
}
|
|
48
83
|
exports.JWKSOAuthKeyring = JWKSOAuthKeyring;
|
|
84
|
+
_JWKSOAuthKeyring_keyTtlMs = new WeakMap(), _JWKSOAuthKeyring_discoveryTtlMs = new WeakMap(), _JWKSOAuthKeyring_fetchTimeoutMs = new WeakMap(), _JWKSOAuthKeyring_discoveryCache = new WeakMap(), _JWKSOAuthKeyring_keyCache = new WeakMap(), _JWKSOAuthKeyring_discoveryInflight = new WeakMap(), _JWKSOAuthKeyring_keyInflight = new WeakMap(), _JWKSOAuthKeyring_instances = new WeakSet(), _JWKSOAuthKeyring_resolveJwksUri =
|
|
85
|
+
// -------------------------------------------------------
|
|
86
|
+
// Discovery resolution with cache + dedup
|
|
87
|
+
// -------------------------------------------------------
|
|
88
|
+
async function _JWKSOAuthKeyring_resolveJwksUri(issuer) {
|
|
89
|
+
const cached = __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_getCached).call(this, __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f"), issuer);
|
|
90
|
+
if (cached) {
|
|
91
|
+
return cached;
|
|
92
|
+
}
|
|
93
|
+
const inflight = __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").get(issuer);
|
|
94
|
+
if (inflight) {
|
|
95
|
+
return inflight;
|
|
96
|
+
}
|
|
97
|
+
const promise = (async () => {
|
|
98
|
+
try {
|
|
99
|
+
const metadata = await (0, discovery_js_1.fetchAuthorizationServerMetadata)(issuer, {
|
|
100
|
+
signal: AbortSignal.timeout(__classPrivateFieldGet(this, _JWKSOAuthKeyring_fetchTimeoutMs, "f")),
|
|
101
|
+
});
|
|
102
|
+
if (!metadata.jwks_uri) {
|
|
103
|
+
throw new Error(`No JSON Web Key Set available for "${issuer}"`);
|
|
104
|
+
}
|
|
105
|
+
assertSameOrigin(issuer, metadata.jwks_uri);
|
|
106
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").set(issuer, {
|
|
107
|
+
value: metadata.jwks_uri,
|
|
108
|
+
expiresAt: Date.now() + __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryTtlMs, "f"),
|
|
109
|
+
});
|
|
110
|
+
return metadata.jwks_uri;
|
|
111
|
+
}
|
|
112
|
+
finally {
|
|
113
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
|
|
114
|
+
}
|
|
115
|
+
})();
|
|
116
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").set(issuer, promise);
|
|
117
|
+
return promise;
|
|
118
|
+
}, _JWKSOAuthKeyring_resolveKey =
|
|
119
|
+
// -------------------------------------------------------
|
|
120
|
+
// Key resolution with cache + dedup
|
|
121
|
+
// -------------------------------------------------------
|
|
122
|
+
async function _JWKSOAuthKeyring_resolveKey(issuer, kid, jwksUri, cacheKey) {
|
|
123
|
+
const inflight = __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").get(cacheKey);
|
|
124
|
+
if (inflight) {
|
|
125
|
+
return inflight;
|
|
126
|
+
}
|
|
127
|
+
const promise = (async () => {
|
|
128
|
+
try {
|
|
129
|
+
const response = await fetch(jwksUri, {
|
|
130
|
+
signal: AbortSignal.timeout(__classPrivateFieldGet(this, _JWKSOAuthKeyring_fetchTimeoutMs, "f")),
|
|
131
|
+
});
|
|
132
|
+
if (!response.ok) {
|
|
133
|
+
throw new Error(`Failed to fetch JWKS from "${jwksUri}" for "${issuer}" (HTTP ${response.status})`);
|
|
134
|
+
}
|
|
135
|
+
const json = await response.json();
|
|
136
|
+
const jwkSet = JWKSetSchema.parse(json);
|
|
137
|
+
const jwk = jwkSet.keys.find((jwk) => jwk.kid === kid);
|
|
138
|
+
if (!jwk) {
|
|
139
|
+
throw new Error(`Failed to find key "${kid}" of "${issuer}"`);
|
|
140
|
+
}
|
|
141
|
+
// TODO: make this more robust to uses and algs
|
|
142
|
+
const key = await crypto.subtle.importKey('jwk', jwk, {
|
|
143
|
+
name: 'RSASSA-PKCS1-v1_5',
|
|
144
|
+
hash: { name: 'SHA-256' },
|
|
145
|
+
}, true, ['verify']);
|
|
146
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").set(cacheKey, {
|
|
147
|
+
value: key,
|
|
148
|
+
expiresAt: Date.now() + __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyTtlMs, "f"),
|
|
149
|
+
});
|
|
150
|
+
return key;
|
|
151
|
+
}
|
|
152
|
+
finally {
|
|
153
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").delete(cacheKey);
|
|
154
|
+
}
|
|
155
|
+
})();
|
|
156
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").set(cacheKey, promise);
|
|
157
|
+
return promise;
|
|
158
|
+
}, _JWKSOAuthKeyring_getCached = function _JWKSOAuthKeyring_getCached(cache, key) {
|
|
159
|
+
const entry = cache.get(key);
|
|
160
|
+
if (!entry) {
|
|
161
|
+
return undefined;
|
|
162
|
+
}
|
|
163
|
+
if (Date.now() >= entry.expiresAt) {
|
|
164
|
+
cache.delete(key);
|
|
165
|
+
return undefined;
|
|
166
|
+
}
|
|
167
|
+
return entry.value;
|
|
168
|
+
};
|
|
49
169
|
//# sourceMappingURL=keyring.js.map
|
package/dist/cjs/keyring.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,6BAAwB;AACxB,iDAAkE;AAyBlE,MAAM,SAAS,GAAG,OAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAa,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;CAsHF;AAxJD,4CAwJC;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}
|
package/dist/esm/discovery.d.ts
CHANGED
|
@@ -22,6 +22,8 @@ declare const OAuthAuthorizationServerMetadataSchema: z.ZodObject<{
|
|
|
22
22
|
token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
23
23
|
}, z.ZodTypeAny, "passthrough">>;
|
|
24
24
|
export type OAuthAuthorizationServerMetadata = z.infer<typeof OAuthAuthorizationServerMetadataSchema>;
|
|
25
|
-
export declare function fetchAuthorizationServerMetadata(issuer: string
|
|
25
|
+
export declare function fetchAuthorizationServerMetadata(issuer: string, options?: {
|
|
26
|
+
signal?: AbortSignal;
|
|
27
|
+
}): Promise<OAuthAuthorizationServerMetadata>;
|
|
26
28
|
export {};
|
|
27
29
|
//# sourceMappingURL=discovery.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,
|
|
1
|
+
{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,CACpD,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,WAAW,CAAA;CAAE,GACjC,OAAO,CAAC,gCAAgC,CAAC,CAsB3C"}
|
package/dist/esm/discovery.js
CHANGED
|
@@ -7,14 +7,14 @@ const OAuthAuthorizationServerMetadataSchema = z.object({
|
|
|
7
7
|
registration_endpoint: z.string().optional(),
|
|
8
8
|
token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
|
|
9
9
|
}).passthrough();
|
|
10
|
-
export async function fetchAuthorizationServerMetadata(issuer) {
|
|
10
|
+
export async function fetchAuthorizationServerMetadata(issuer, options) {
|
|
11
11
|
const issuerURL = new URL(issuer);
|
|
12
12
|
let path = issuerURL.pathname;
|
|
13
13
|
if (path.endsWith("/")) {
|
|
14
14
|
path = path.slice(0, -1);
|
|
15
15
|
}
|
|
16
16
|
const url = new URL(`/.well-known/oauth-authorization-server${path}`, issuer);
|
|
17
|
-
const response = await fetch(url);
|
|
17
|
+
const response = await fetch(url, { signal: options?.signal });
|
|
18
18
|
if (!response.ok) {
|
|
19
19
|
throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
|
|
20
20
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,sCAAsC,GAAG,CAAC,CAAC,MAAM,CAAC;IACtD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,qCAAqC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC,WAAW,EAAE,CAAC;AAIjB,MAAM,CAAC,KAAK,UAAU,gCAAgC,
|
|
1
|
+
{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,sCAAsC,GAAG,CAAC,CAAC,MAAM,CAAC;IACtD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,qCAAqC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC,WAAW,EAAE,CAAC;AAIjB,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,MAAc,EACd,OAAkC;IAElC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC9B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,0CAA0C,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/D,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,4DAA4D,MAAM,GAAG,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,sCAAsC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,+DAA+D,MAAM,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
package/dist/esm/index.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
export type { OAuthKeyring, PrivateKeyring, IdentifiableKey } from "./keyring.js";
|
|
1
|
+
export type { OAuthKeyring, PrivateKeyring, IdentifiableKey, JWKSOAuthKeyringOptions } from "./keyring.js";
|
|
2
2
|
export { JWKSOAuthKeyring } from "./keyring.js";
|
|
3
3
|
export { default as base64url } from "./base64url.js";
|
|
4
4
|
export { fetchAuthorizationServerMetadata } from "./discovery.js";
|
package/dist/esm/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}
|
package/dist/esm/keyring.d.ts
CHANGED
|
@@ -9,7 +9,18 @@ export type IdentifiableKey = {
|
|
|
9
9
|
export interface PrivateKeyring {
|
|
10
10
|
key(usage: string): Promise<IdentifiableKey>;
|
|
11
11
|
}
|
|
12
|
+
export interface JWKSOAuthKeyringOptions {
|
|
13
|
+
/** TTL for cached CryptoKeys. Default: 5 minutes. */
|
|
14
|
+
keyTtlMs?: number;
|
|
15
|
+
/** TTL for cached discovery (issuer → jwks_uri) mappings. Default: 1 hour. */
|
|
16
|
+
discoveryTtlMs?: number;
|
|
17
|
+
/** Timeout for both discovery and JWKS fetch requests. Default: 10 seconds. */
|
|
18
|
+
fetchTimeoutMs?: number;
|
|
19
|
+
}
|
|
12
20
|
export declare class JWKSOAuthKeyring implements OAuthKeyring {
|
|
21
|
+
#private;
|
|
22
|
+
constructor(options?: JWKSOAuthKeyringOptions);
|
|
13
23
|
key(issuer: string, kid: string): Promise<CryptoKey>;
|
|
24
|
+
invalidate(issuer: string, kid: string): void;
|
|
14
25
|
}
|
|
15
26
|
//# sourceMappingURL=keyring.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;
|
|
1
|
+
{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAuDD,qBAAa,gBAAiB,YAAW,YAAY;;gBAWvC,OAAO,CAAC,EAAE,uBAAuB;IAMvC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW1D,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;CA4H9C"}
|
package/dist/esm/keyring.js
CHANGED
|
@@ -1,3 +1,15 @@
|
|
|
1
|
+
var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
|
|
2
|
+
if (kind === "m") throw new TypeError("Private method is not writable");
|
|
3
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
|
|
4
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
|
|
5
|
+
return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
|
|
6
|
+
};
|
|
7
|
+
var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
|
|
8
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
|
|
9
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
|
|
10
|
+
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
|
|
11
|
+
};
|
|
12
|
+
var _JWKSOAuthKeyring_instances, _JWKSOAuthKeyring_keyTtlMs, _JWKSOAuthKeyring_discoveryTtlMs, _JWKSOAuthKeyring_fetchTimeoutMs, _JWKSOAuthKeyring_discoveryCache, _JWKSOAuthKeyring_keyCache, _JWKSOAuthKeyring_discoveryInflight, _JWKSOAuthKeyring_keyInflight, _JWKSOAuthKeyring_resolveJwksUri, _JWKSOAuthKeyring_resolveKey, _JWKSOAuthKeyring_getCached;
|
|
1
13
|
import { z } from "zod";
|
|
2
14
|
import { fetchAuthorizationServerMetadata } from "./discovery.js";
|
|
3
15
|
const JWKSchema = z.object({
|
|
@@ -18,28 +30,136 @@ const ECJWKSchema = JWKSchema.extend({
|
|
|
18
30
|
const JWKSetSchema = z.object({
|
|
19
31
|
keys: z.array(z.union([RSAJWKSchema, ECJWKSchema])),
|
|
20
32
|
});
|
|
33
|
+
const DEFAULT_KEY_TTL_MS = 5 * 60 * 1000; // 5 minutes
|
|
34
|
+
const DEFAULT_DISCOVERY_TTL_MS = 60 * 60 * 1000; // 1 hour
|
|
35
|
+
const DEFAULT_FETCH_TIMEOUT_MS = 10_000; // 10 seconds
|
|
36
|
+
function assertSameOrigin(issuer, jwksUri) {
|
|
37
|
+
const issuerOrigin = new URL(issuer).origin;
|
|
38
|
+
const jwksOrigin = new URL(jwksUri).origin;
|
|
39
|
+
if (issuerOrigin !== jwksOrigin) {
|
|
40
|
+
throw new Error(`JWKS URI origin "${jwksOrigin}" does not match issuer origin "${issuerOrigin}" for "${issuer}"`);
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
function keyCacheKey(issuer, kid) {
|
|
44
|
+
return `${issuer}::${kid}`;
|
|
45
|
+
}
|
|
46
|
+
// ---------------------------------------------------------------------------
|
|
47
|
+
// JWKSOAuthKeyring — two-level cached keyring
|
|
48
|
+
// ---------------------------------------------------------------------------
|
|
21
49
|
export class JWKSOAuthKeyring {
|
|
50
|
+
constructor(options) {
|
|
51
|
+
_JWKSOAuthKeyring_instances.add(this);
|
|
52
|
+
_JWKSOAuthKeyring_keyTtlMs.set(this, void 0);
|
|
53
|
+
_JWKSOAuthKeyring_discoveryTtlMs.set(this, void 0);
|
|
54
|
+
_JWKSOAuthKeyring_fetchTimeoutMs.set(this, void 0);
|
|
55
|
+
_JWKSOAuthKeyring_discoveryCache.set(this, new Map());
|
|
56
|
+
_JWKSOAuthKeyring_keyCache.set(this, new Map());
|
|
57
|
+
_JWKSOAuthKeyring_discoveryInflight.set(this, new Map());
|
|
58
|
+
_JWKSOAuthKeyring_keyInflight.set(this, new Map());
|
|
59
|
+
__classPrivateFieldSet(this, _JWKSOAuthKeyring_keyTtlMs, options?.keyTtlMs ?? DEFAULT_KEY_TTL_MS, "f");
|
|
60
|
+
__classPrivateFieldSet(this, _JWKSOAuthKeyring_discoveryTtlMs, options?.discoveryTtlMs ?? DEFAULT_DISCOVERY_TTL_MS, "f");
|
|
61
|
+
__classPrivateFieldSet(this, _JWKSOAuthKeyring_fetchTimeoutMs, options?.fetchTimeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS, "f");
|
|
62
|
+
}
|
|
22
63
|
async key(issuer, kid) {
|
|
23
|
-
const
|
|
24
|
-
|
|
25
|
-
|
|
64
|
+
const cacheKey = keyCacheKey(issuer, kid);
|
|
65
|
+
const cached = __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_getCached).call(this, __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f"), cacheKey);
|
|
66
|
+
if (cached) {
|
|
67
|
+
return cached;
|
|
68
|
+
}
|
|
69
|
+
const jwksUri = await __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_resolveJwksUri).call(this, issuer);
|
|
70
|
+
return __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_resolveKey).call(this, issuer, kid, jwksUri, cacheKey);
|
|
71
|
+
}
|
|
72
|
+
invalidate(issuer, kid) {
|
|
73
|
+
const cacheKey = keyCacheKey(issuer, kid);
|
|
74
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").delete(cacheKey);
|
|
75
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").delete(cacheKey);
|
|
76
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").delete(issuer);
|
|
77
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
_JWKSOAuthKeyring_keyTtlMs = new WeakMap(), _JWKSOAuthKeyring_discoveryTtlMs = new WeakMap(), _JWKSOAuthKeyring_fetchTimeoutMs = new WeakMap(), _JWKSOAuthKeyring_discoveryCache = new WeakMap(), _JWKSOAuthKeyring_keyCache = new WeakMap(), _JWKSOAuthKeyring_discoveryInflight = new WeakMap(), _JWKSOAuthKeyring_keyInflight = new WeakMap(), _JWKSOAuthKeyring_instances = new WeakSet(), _JWKSOAuthKeyring_resolveJwksUri =
|
|
81
|
+
// -------------------------------------------------------
|
|
82
|
+
// Discovery resolution with cache + dedup
|
|
83
|
+
// -------------------------------------------------------
|
|
84
|
+
async function _JWKSOAuthKeyring_resolveJwksUri(issuer) {
|
|
85
|
+
const cached = __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_getCached).call(this, __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f"), issuer);
|
|
86
|
+
if (cached) {
|
|
87
|
+
return cached;
|
|
88
|
+
}
|
|
89
|
+
const inflight = __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").get(issuer);
|
|
90
|
+
if (inflight) {
|
|
91
|
+
return inflight;
|
|
92
|
+
}
|
|
93
|
+
const promise = (async () => {
|
|
94
|
+
try {
|
|
95
|
+
const metadata = await fetchAuthorizationServerMetadata(issuer, {
|
|
96
|
+
signal: AbortSignal.timeout(__classPrivateFieldGet(this, _JWKSOAuthKeyring_fetchTimeoutMs, "f")),
|
|
97
|
+
});
|
|
98
|
+
if (!metadata.jwks_uri) {
|
|
99
|
+
throw new Error(`No JSON Web Key Set available for "${issuer}"`);
|
|
100
|
+
}
|
|
101
|
+
assertSameOrigin(issuer, metadata.jwks_uri);
|
|
102
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").set(issuer, {
|
|
103
|
+
value: metadata.jwks_uri,
|
|
104
|
+
expiresAt: Date.now() + __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryTtlMs, "f"),
|
|
105
|
+
});
|
|
106
|
+
return metadata.jwks_uri;
|
|
26
107
|
}
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
|
|
108
|
+
finally {
|
|
109
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
|
|
30
110
|
}
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
111
|
+
})();
|
|
112
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").set(issuer, promise);
|
|
113
|
+
return promise;
|
|
114
|
+
}, _JWKSOAuthKeyring_resolveKey =
|
|
115
|
+
// -------------------------------------------------------
|
|
116
|
+
// Key resolution with cache + dedup
|
|
117
|
+
// -------------------------------------------------------
|
|
118
|
+
async function _JWKSOAuthKeyring_resolveKey(issuer, kid, jwksUri, cacheKey) {
|
|
119
|
+
const inflight = __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").get(cacheKey);
|
|
120
|
+
if (inflight) {
|
|
121
|
+
return inflight;
|
|
122
|
+
}
|
|
123
|
+
const promise = (async () => {
|
|
124
|
+
try {
|
|
125
|
+
const response = await fetch(jwksUri, {
|
|
126
|
+
signal: AbortSignal.timeout(__classPrivateFieldGet(this, _JWKSOAuthKeyring_fetchTimeoutMs, "f")),
|
|
127
|
+
});
|
|
128
|
+
if (!response.ok) {
|
|
129
|
+
throw new Error(`Failed to fetch JWKS from "${jwksUri}" for "${issuer}" (HTTP ${response.status})`);
|
|
130
|
+
}
|
|
131
|
+
const json = await response.json();
|
|
132
|
+
const jwkSet = JWKSetSchema.parse(json);
|
|
133
|
+
const jwk = jwkSet.keys.find((jwk) => jwk.kid === kid);
|
|
134
|
+
if (!jwk) {
|
|
135
|
+
throw new Error(`Failed to find key "${kid}" of "${issuer}"`);
|
|
136
|
+
}
|
|
137
|
+
// TODO: make this more robust to uses and algs
|
|
138
|
+
const key = await crypto.subtle.importKey('jwk', jwk, {
|
|
139
|
+
name: 'RSASSA-PKCS1-v1_5',
|
|
140
|
+
hash: { name: 'SHA-256' },
|
|
141
|
+
}, true, ['verify']);
|
|
142
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").set(cacheKey, {
|
|
143
|
+
value: key,
|
|
144
|
+
expiresAt: Date.now() + __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyTtlMs, "f"),
|
|
145
|
+
});
|
|
146
|
+
return key;
|
|
36
147
|
}
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
148
|
+
finally {
|
|
149
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").delete(cacheKey);
|
|
150
|
+
}
|
|
151
|
+
})();
|
|
152
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").set(cacheKey, promise);
|
|
153
|
+
return promise;
|
|
154
|
+
}, _JWKSOAuthKeyring_getCached = function _JWKSOAuthKeyring_getCached(cache, key) {
|
|
155
|
+
const entry = cache.get(key);
|
|
156
|
+
if (!entry) {
|
|
157
|
+
return undefined;
|
|
43
158
|
}
|
|
44
|
-
|
|
159
|
+
if (Date.now() >= entry.expiresAt) {
|
|
160
|
+
cache.delete(key);
|
|
161
|
+
return undefined;
|
|
162
|
+
}
|
|
163
|
+
return entry.value;
|
|
164
|
+
};
|
|
45
165
|
//# sourceMappingURL=keyring.js.map
|
package/dist/esm/keyring.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAyBlE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAM,OAAO,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;CAsHF;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@keycardai/oauth",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.2",
|
|
4
4
|
"description": "Pure OAuth 2.0 primitives for Keycard — JWKS key management, JWT signing/verification, and authorization server discovery",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"repository": {
|
|
@@ -65,12 +65,16 @@
|
|
|
65
65
|
"zod": "^3.25.74"
|
|
66
66
|
},
|
|
67
67
|
"devDependencies": {
|
|
68
|
+
"@jest/globals": "^30.0.4",
|
|
69
|
+
"jest": "^30.0.4",
|
|
70
|
+
"ts-jest": "^29.4.0",
|
|
68
71
|
"typescript": "^5.8.3"
|
|
69
72
|
},
|
|
70
73
|
"scripts": {
|
|
71
74
|
"build": "pnpm run build:esm && pnpm run build:cjs",
|
|
72
75
|
"build:esm": "tsc -p tsconfig.prod.json && echo '{\"type\": \"module\"}' > dist/esm/package.json",
|
|
73
76
|
"build:cjs": "tsc -p tsconfig.cjs.json && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json",
|
|
77
|
+
"test": "NODE_OPTIONS='--experimental-vm-modules' jest",
|
|
74
78
|
"typecheck": "tsc --noEmit",
|
|
75
79
|
"clean": "rm -rf dist"
|
|
76
80
|
}
|