@keycardai/oauth 0.1.1 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/discovery.d.ts +3 -1
- package/dist/cjs/discovery.d.ts.map +1 -1
- package/dist/cjs/discovery.js +2 -2
- package/dist/cjs/discovery.js.map +1 -1
- package/dist/cjs/index.d.ts +1 -1
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/keyring.d.ts +11 -0
- package/dist/cjs/keyring.d.ts.map +1 -1
- package/dist/cjs/keyring.js +139 -19
- package/dist/cjs/keyring.js.map +1 -1
- package/dist/cjs/tokenExchange.d.ts.map +1 -1
- package/dist/cjs/tokenExchange.js +16 -9
- package/dist/cjs/tokenExchange.js.map +1 -1
- package/dist/esm/discovery.d.ts +3 -1
- package/dist/esm/discovery.d.ts.map +1 -1
- package/dist/esm/discovery.js +2 -2
- package/dist/esm/discovery.js.map +1 -1
- package/dist/esm/index.d.ts +1 -1
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/keyring.d.ts +11 -0
- package/dist/esm/keyring.d.ts.map +1 -1
- package/dist/esm/keyring.js +138 -18
- package/dist/esm/keyring.js.map +1 -1
- package/dist/esm/tokenExchange.d.ts.map +1 -1
- package/dist/esm/tokenExchange.js +16 -9
- package/dist/esm/tokenExchange.js.map +1 -1
- package/package.json +5 -1
package/dist/cjs/discovery.d.ts
CHANGED
|
@@ -22,6 +22,8 @@ declare const OAuthAuthorizationServerMetadataSchema: z.ZodObject<{
|
|
|
22
22
|
token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
23
23
|
}, z.ZodTypeAny, "passthrough">>;
|
|
24
24
|
export type OAuthAuthorizationServerMetadata = z.infer<typeof OAuthAuthorizationServerMetadataSchema>;
|
|
25
|
-
export declare function fetchAuthorizationServerMetadata(issuer: string
|
|
25
|
+
export declare function fetchAuthorizationServerMetadata(issuer: string, options?: {
|
|
26
|
+
signal?: AbortSignal;
|
|
27
|
+
}): Promise<OAuthAuthorizationServerMetadata>;
|
|
26
28
|
export {};
|
|
27
29
|
//# sourceMappingURL=discovery.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,
|
|
1
|
+
{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,CACpD,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,WAAW,CAAA;CAAE,GACjC,OAAO,CAAC,gCAAgC,CAAC,CAsB3C"}
|
package/dist/cjs/discovery.js
CHANGED
|
@@ -10,14 +10,14 @@ const OAuthAuthorizationServerMetadataSchema = zod_1.z.object({
|
|
|
10
10
|
registration_endpoint: zod_1.z.string().optional(),
|
|
11
11
|
token_endpoint_auth_methods_supported: zod_1.z.array(zod_1.z.string()).optional(),
|
|
12
12
|
}).passthrough();
|
|
13
|
-
async function fetchAuthorizationServerMetadata(issuer) {
|
|
13
|
+
async function fetchAuthorizationServerMetadata(issuer, options) {
|
|
14
14
|
const issuerURL = new URL(issuer);
|
|
15
15
|
let path = issuerURL.pathname;
|
|
16
16
|
if (path.endsWith("/")) {
|
|
17
17
|
path = path.slice(0, -1);
|
|
18
18
|
}
|
|
19
19
|
const url = new URL(`/.well-known/oauth-authorization-server${path}`, issuer);
|
|
20
|
-
const response = await fetch(url);
|
|
20
|
+
const response = await fetch(url, { signal: options?.signal });
|
|
21
21
|
if (!response.ok) {
|
|
22
22
|
throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
|
|
23
23
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":";;AAaA,
|
|
1
|
+
{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":";;AAaA,4EAyBC;AAtCD,6BAAwB;AAExB,MAAM,sCAAsC,GAAG,OAAC,CAAC,MAAM,CAAC;IACtD,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;IAClB,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC,WAAW,EAAE,CAAC;AAIV,KAAK,UAAU,gCAAgC,CACpD,MAAc,EACd,OAAkC;IAElC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC9B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,0CAA0C,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/D,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,4DAA4D,MAAM,GAAG,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,sCAAsC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,+DAA+D,MAAM,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
package/dist/cjs/index.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
export type { OAuthKeyring, PrivateKeyring, IdentifiableKey } from "./keyring.js";
|
|
1
|
+
export type { OAuthKeyring, PrivateKeyring, IdentifiableKey, JWKSOAuthKeyringOptions } from "./keyring.js";
|
|
2
2
|
export { JWKSOAuthKeyring } from "./keyring.js";
|
|
3
3
|
export { default as base64url } from "./base64url.js";
|
|
4
4
|
export { fetchAuthorizationServerMetadata } from "./discovery.js";
|
package/dist/cjs/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}
|
package/dist/cjs/keyring.d.ts
CHANGED
|
@@ -9,7 +9,18 @@ export type IdentifiableKey = {
|
|
|
9
9
|
export interface PrivateKeyring {
|
|
10
10
|
key(usage: string): Promise<IdentifiableKey>;
|
|
11
11
|
}
|
|
12
|
+
export interface JWKSOAuthKeyringOptions {
|
|
13
|
+
/** TTL for cached CryptoKeys. Default: 5 minutes. */
|
|
14
|
+
keyTtlMs?: number;
|
|
15
|
+
/** TTL for cached discovery (issuer → jwks_uri) mappings. Default: 1 hour. */
|
|
16
|
+
discoveryTtlMs?: number;
|
|
17
|
+
/** Timeout for both discovery and JWKS fetch requests. Default: 10 seconds. */
|
|
18
|
+
fetchTimeoutMs?: number;
|
|
19
|
+
}
|
|
12
20
|
export declare class JWKSOAuthKeyring implements OAuthKeyring {
|
|
21
|
+
#private;
|
|
22
|
+
constructor(options?: JWKSOAuthKeyringOptions);
|
|
13
23
|
key(issuer: string, kid: string): Promise<CryptoKey>;
|
|
24
|
+
invalidate(issuer: string, kid: string): void;
|
|
14
25
|
}
|
|
15
26
|
//# sourceMappingURL=keyring.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;
|
|
1
|
+
{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAuDD,qBAAa,gBAAiB,YAAW,YAAY;;gBAWvC,OAAO,CAAC,EAAE,uBAAuB;IAMvC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW1D,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;CA4H9C"}
|
package/dist/cjs/keyring.js
CHANGED
|
@@ -1,4 +1,16 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
+
var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
|
|
3
|
+
if (kind === "m") throw new TypeError("Private method is not writable");
|
|
4
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
|
|
5
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
|
|
6
|
+
return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
|
|
7
|
+
};
|
|
8
|
+
var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
|
|
9
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
|
|
10
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
|
|
11
|
+
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
|
|
12
|
+
};
|
|
13
|
+
var _JWKSOAuthKeyring_instances, _JWKSOAuthKeyring_keyTtlMs, _JWKSOAuthKeyring_discoveryTtlMs, _JWKSOAuthKeyring_fetchTimeoutMs, _JWKSOAuthKeyring_discoveryCache, _JWKSOAuthKeyring_keyCache, _JWKSOAuthKeyring_discoveryInflight, _JWKSOAuthKeyring_keyInflight, _JWKSOAuthKeyring_resolveJwksUri, _JWKSOAuthKeyring_resolveKey, _JWKSOAuthKeyring_getCached;
|
|
2
14
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
15
|
exports.JWKSOAuthKeyring = void 0;
|
|
4
16
|
const zod_1 = require("zod");
|
|
@@ -21,29 +33,137 @@ const ECJWKSchema = JWKSchema.extend({
|
|
|
21
33
|
const JWKSetSchema = zod_1.z.object({
|
|
22
34
|
keys: zod_1.z.array(zod_1.z.union([RSAJWKSchema, ECJWKSchema])),
|
|
23
35
|
});
|
|
36
|
+
const DEFAULT_KEY_TTL_MS = 5 * 60 * 1000; // 5 minutes
|
|
37
|
+
const DEFAULT_DISCOVERY_TTL_MS = 60 * 60 * 1000; // 1 hour
|
|
38
|
+
const DEFAULT_FETCH_TIMEOUT_MS = 10_000; // 10 seconds
|
|
39
|
+
function assertSameOrigin(issuer, jwksUri) {
|
|
40
|
+
const issuerOrigin = new URL(issuer).origin;
|
|
41
|
+
const jwksOrigin = new URL(jwksUri).origin;
|
|
42
|
+
if (issuerOrigin !== jwksOrigin) {
|
|
43
|
+
throw new Error(`JWKS URI origin "${jwksOrigin}" does not match issuer origin "${issuerOrigin}" for "${issuer}"`);
|
|
44
|
+
}
|
|
45
|
+
}
|
|
46
|
+
function keyCacheKey(issuer, kid) {
|
|
47
|
+
return `${issuer}::${kid}`;
|
|
48
|
+
}
|
|
49
|
+
// ---------------------------------------------------------------------------
|
|
50
|
+
// JWKSOAuthKeyring — two-level cached keyring
|
|
51
|
+
// ---------------------------------------------------------------------------
|
|
24
52
|
class JWKSOAuthKeyring {
|
|
53
|
+
constructor(options) {
|
|
54
|
+
_JWKSOAuthKeyring_instances.add(this);
|
|
55
|
+
_JWKSOAuthKeyring_keyTtlMs.set(this, void 0);
|
|
56
|
+
_JWKSOAuthKeyring_discoveryTtlMs.set(this, void 0);
|
|
57
|
+
_JWKSOAuthKeyring_fetchTimeoutMs.set(this, void 0);
|
|
58
|
+
_JWKSOAuthKeyring_discoveryCache.set(this, new Map());
|
|
59
|
+
_JWKSOAuthKeyring_keyCache.set(this, new Map());
|
|
60
|
+
_JWKSOAuthKeyring_discoveryInflight.set(this, new Map());
|
|
61
|
+
_JWKSOAuthKeyring_keyInflight.set(this, new Map());
|
|
62
|
+
__classPrivateFieldSet(this, _JWKSOAuthKeyring_keyTtlMs, options?.keyTtlMs ?? DEFAULT_KEY_TTL_MS, "f");
|
|
63
|
+
__classPrivateFieldSet(this, _JWKSOAuthKeyring_discoveryTtlMs, options?.discoveryTtlMs ?? DEFAULT_DISCOVERY_TTL_MS, "f");
|
|
64
|
+
__classPrivateFieldSet(this, _JWKSOAuthKeyring_fetchTimeoutMs, options?.fetchTimeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS, "f");
|
|
65
|
+
}
|
|
25
66
|
async key(issuer, kid) {
|
|
26
|
-
const
|
|
27
|
-
|
|
28
|
-
|
|
67
|
+
const cacheKey = keyCacheKey(issuer, kid);
|
|
68
|
+
const cached = __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_getCached).call(this, __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f"), cacheKey);
|
|
69
|
+
if (cached) {
|
|
70
|
+
return cached;
|
|
29
71
|
}
|
|
30
|
-
const
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
const
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
}
|
|
40
|
-
// TODO: make this more robust to uses and algs
|
|
41
|
-
const key = await crypto.subtle.importKey('jwk', jwk, {
|
|
42
|
-
name: 'RSASSA-PKCS1-v1_5',
|
|
43
|
-
hash: { name: 'SHA-256' },
|
|
44
|
-
}, true, ['verify']);
|
|
45
|
-
return key;
|
|
72
|
+
const jwksUri = await __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_resolveJwksUri).call(this, issuer);
|
|
73
|
+
return __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_resolveKey).call(this, issuer, kid, jwksUri, cacheKey);
|
|
74
|
+
}
|
|
75
|
+
invalidate(issuer, kid) {
|
|
76
|
+
const cacheKey = keyCacheKey(issuer, kid);
|
|
77
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").delete(cacheKey);
|
|
78
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").delete(cacheKey);
|
|
79
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").delete(issuer);
|
|
80
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
|
|
46
81
|
}
|
|
47
82
|
}
|
|
48
83
|
exports.JWKSOAuthKeyring = JWKSOAuthKeyring;
|
|
84
|
+
_JWKSOAuthKeyring_keyTtlMs = new WeakMap(), _JWKSOAuthKeyring_discoveryTtlMs = new WeakMap(), _JWKSOAuthKeyring_fetchTimeoutMs = new WeakMap(), _JWKSOAuthKeyring_discoveryCache = new WeakMap(), _JWKSOAuthKeyring_keyCache = new WeakMap(), _JWKSOAuthKeyring_discoveryInflight = new WeakMap(), _JWKSOAuthKeyring_keyInflight = new WeakMap(), _JWKSOAuthKeyring_instances = new WeakSet(), _JWKSOAuthKeyring_resolveJwksUri =
|
|
85
|
+
// -------------------------------------------------------
|
|
86
|
+
// Discovery resolution with cache + dedup
|
|
87
|
+
// -------------------------------------------------------
|
|
88
|
+
async function _JWKSOAuthKeyring_resolveJwksUri(issuer) {
|
|
89
|
+
const cached = __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_getCached).call(this, __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f"), issuer);
|
|
90
|
+
if (cached) {
|
|
91
|
+
return cached;
|
|
92
|
+
}
|
|
93
|
+
const inflight = __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").get(issuer);
|
|
94
|
+
if (inflight) {
|
|
95
|
+
return inflight;
|
|
96
|
+
}
|
|
97
|
+
const promise = (async () => {
|
|
98
|
+
try {
|
|
99
|
+
const metadata = await (0, discovery_js_1.fetchAuthorizationServerMetadata)(issuer, {
|
|
100
|
+
signal: AbortSignal.timeout(__classPrivateFieldGet(this, _JWKSOAuthKeyring_fetchTimeoutMs, "f")),
|
|
101
|
+
});
|
|
102
|
+
if (!metadata.jwks_uri) {
|
|
103
|
+
throw new Error(`No JSON Web Key Set available for "${issuer}"`);
|
|
104
|
+
}
|
|
105
|
+
assertSameOrigin(issuer, metadata.jwks_uri);
|
|
106
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").set(issuer, {
|
|
107
|
+
value: metadata.jwks_uri,
|
|
108
|
+
expiresAt: Date.now() + __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryTtlMs, "f"),
|
|
109
|
+
});
|
|
110
|
+
return metadata.jwks_uri;
|
|
111
|
+
}
|
|
112
|
+
finally {
|
|
113
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
|
|
114
|
+
}
|
|
115
|
+
})();
|
|
116
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").set(issuer, promise);
|
|
117
|
+
return promise;
|
|
118
|
+
}, _JWKSOAuthKeyring_resolveKey =
|
|
119
|
+
// -------------------------------------------------------
|
|
120
|
+
// Key resolution with cache + dedup
|
|
121
|
+
// -------------------------------------------------------
|
|
122
|
+
async function _JWKSOAuthKeyring_resolveKey(issuer, kid, jwksUri, cacheKey) {
|
|
123
|
+
const inflight = __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").get(cacheKey);
|
|
124
|
+
if (inflight) {
|
|
125
|
+
return inflight;
|
|
126
|
+
}
|
|
127
|
+
const promise = (async () => {
|
|
128
|
+
try {
|
|
129
|
+
const response = await fetch(jwksUri, {
|
|
130
|
+
signal: AbortSignal.timeout(__classPrivateFieldGet(this, _JWKSOAuthKeyring_fetchTimeoutMs, "f")),
|
|
131
|
+
});
|
|
132
|
+
if (!response.ok) {
|
|
133
|
+
throw new Error(`Failed to fetch JWKS from "${jwksUri}" for "${issuer}" (HTTP ${response.status})`);
|
|
134
|
+
}
|
|
135
|
+
const json = await response.json();
|
|
136
|
+
const jwkSet = JWKSetSchema.parse(json);
|
|
137
|
+
const jwk = jwkSet.keys.find((jwk) => jwk.kid === kid);
|
|
138
|
+
if (!jwk) {
|
|
139
|
+
throw new Error(`Failed to find key "${kid}" of "${issuer}"`);
|
|
140
|
+
}
|
|
141
|
+
// TODO: make this more robust to uses and algs
|
|
142
|
+
const key = await crypto.subtle.importKey('jwk', jwk, {
|
|
143
|
+
name: 'RSASSA-PKCS1-v1_5',
|
|
144
|
+
hash: { name: 'SHA-256' },
|
|
145
|
+
}, true, ['verify']);
|
|
146
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").set(cacheKey, {
|
|
147
|
+
value: key,
|
|
148
|
+
expiresAt: Date.now() + __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyTtlMs, "f"),
|
|
149
|
+
});
|
|
150
|
+
return key;
|
|
151
|
+
}
|
|
152
|
+
finally {
|
|
153
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").delete(cacheKey);
|
|
154
|
+
}
|
|
155
|
+
})();
|
|
156
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").set(cacheKey, promise);
|
|
157
|
+
return promise;
|
|
158
|
+
}, _JWKSOAuthKeyring_getCached = function _JWKSOAuthKeyring_getCached(cache, key) {
|
|
159
|
+
const entry = cache.get(key);
|
|
160
|
+
if (!entry) {
|
|
161
|
+
return undefined;
|
|
162
|
+
}
|
|
163
|
+
if (Date.now() >= entry.expiresAt) {
|
|
164
|
+
cache.delete(key);
|
|
165
|
+
return undefined;
|
|
166
|
+
}
|
|
167
|
+
return entry.value;
|
|
168
|
+
};
|
|
49
169
|
//# sourceMappingURL=keyring.js.map
|
package/dist/cjs/keyring.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,6BAAwB;AACxB,iDAAkE;AAyBlE,MAAM,SAAS,GAAG,OAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAa,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;CAsHF;AAxJD,4CAwJC;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAkDD,qBAAa,mBAAmB;;gBAOlB,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;IAM7D,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,aAAa,CAAC;CAgE3E"}
|
|
@@ -14,6 +14,7 @@ var _TokenExchangeClient_instances, _TokenExchangeClient_issuerUrl, _TokenExchan
|
|
|
14
14
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
15
|
exports.TokenExchangeClient = void 0;
|
|
16
16
|
const discovery_js_1 = require("./discovery.js");
|
|
17
|
+
const errors_js_1 = require("./errors.js");
|
|
17
18
|
// =============================================================================
|
|
18
19
|
// Wire format helpers (camelCase <-> snake_case at the boundary)
|
|
19
20
|
// =============================================================================
|
|
@@ -91,19 +92,25 @@ class TokenExchangeClient {
|
|
|
91
92
|
body: body.toString(),
|
|
92
93
|
});
|
|
93
94
|
if (!response.ok) {
|
|
94
|
-
let errorDetail = "";
|
|
95
95
|
try {
|
|
96
96
|
const errorBody = await response.json();
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
? errorBody.
|
|
101
|
-
:
|
|
97
|
+
if (typeof errorBody.error === "string") {
|
|
98
|
+
const errorCode = errorBody.error;
|
|
99
|
+
const description = typeof errorBody.error_description === "string"
|
|
100
|
+
? errorBody.error_description
|
|
101
|
+
: errorCode;
|
|
102
|
+
const errorUri = typeof errorBody.error_uri === "string"
|
|
103
|
+
? errorBody.error_uri
|
|
104
|
+
: undefined;
|
|
105
|
+
throw new errors_js_1.OAuthError(errorCode, description, errorUri);
|
|
106
|
+
}
|
|
102
107
|
}
|
|
103
|
-
catch {
|
|
104
|
-
|
|
108
|
+
catch (e) {
|
|
109
|
+
if (e instanceof errors_js_1.OAuthError)
|
|
110
|
+
throw e;
|
|
111
|
+
// non-JSON or no "error" key — fall through
|
|
105
112
|
}
|
|
106
|
-
throw new Error(`Token exchange failed (HTTP ${response.status})
|
|
113
|
+
throw new Error(`Token exchange failed (HTTP ${response.status})`);
|
|
107
114
|
}
|
|
108
115
|
const json = await response.json();
|
|
109
116
|
return deserializeResponse(json);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,iDAAkE;
|
|
1
|
+
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,iDAAkE;AAClE,2CAAyC;AAkCzC,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAa,mBAAmB;IAO9B,YAAY,SAAiB,EAAE,OAAoC;;QANnE,iDAAmB;QACnB,gDAAmB;QACnB,oDAAuB;QACvB,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,kCAAc,SAAS,MAAA,CAAC;QAC5B,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAA6B;QAC/C,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;YACzC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC,CAAC;YACpE,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,sBAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,sBAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,4CAA4C;YAC9C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,GAAG,CAClD,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;CAqBF;AA7ED,kDA6EC;qVAnBC,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,uBAAA,IAAI,sCAAW,CAAC,CAAC;YACzE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,sCAAW,uCAAuC,CAAC,CAAC;YACnG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}
|
package/dist/esm/discovery.d.ts
CHANGED
|
@@ -22,6 +22,8 @@ declare const OAuthAuthorizationServerMetadataSchema: z.ZodObject<{
|
|
|
22
22
|
token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
23
23
|
}, z.ZodTypeAny, "passthrough">>;
|
|
24
24
|
export type OAuthAuthorizationServerMetadata = z.infer<typeof OAuthAuthorizationServerMetadataSchema>;
|
|
25
|
-
export declare function fetchAuthorizationServerMetadata(issuer: string
|
|
25
|
+
export declare function fetchAuthorizationServerMetadata(issuer: string, options?: {
|
|
26
|
+
signal?: AbortSignal;
|
|
27
|
+
}): Promise<OAuthAuthorizationServerMetadata>;
|
|
26
28
|
export {};
|
|
27
29
|
//# sourceMappingURL=discovery.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,
|
|
1
|
+
{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,CACpD,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,WAAW,CAAA;CAAE,GACjC,OAAO,CAAC,gCAAgC,CAAC,CAsB3C"}
|
package/dist/esm/discovery.js
CHANGED
|
@@ -7,14 +7,14 @@ const OAuthAuthorizationServerMetadataSchema = z.object({
|
|
|
7
7
|
registration_endpoint: z.string().optional(),
|
|
8
8
|
token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
|
|
9
9
|
}).passthrough();
|
|
10
|
-
export async function fetchAuthorizationServerMetadata(issuer) {
|
|
10
|
+
export async function fetchAuthorizationServerMetadata(issuer, options) {
|
|
11
11
|
const issuerURL = new URL(issuer);
|
|
12
12
|
let path = issuerURL.pathname;
|
|
13
13
|
if (path.endsWith("/")) {
|
|
14
14
|
path = path.slice(0, -1);
|
|
15
15
|
}
|
|
16
16
|
const url = new URL(`/.well-known/oauth-authorization-server${path}`, issuer);
|
|
17
|
-
const response = await fetch(url);
|
|
17
|
+
const response = await fetch(url, { signal: options?.signal });
|
|
18
18
|
if (!response.ok) {
|
|
19
19
|
throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
|
|
20
20
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,sCAAsC,GAAG,CAAC,CAAC,MAAM,CAAC;IACtD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,qCAAqC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC,WAAW,EAAE,CAAC;AAIjB,MAAM,CAAC,KAAK,UAAU,gCAAgC,
|
|
1
|
+
{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,sCAAsC,GAAG,CAAC,CAAC,MAAM,CAAC;IACtD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,qCAAqC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC,WAAW,EAAE,CAAC;AAIjB,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,MAAc,EACd,OAAkC;IAElC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC9B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,0CAA0C,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/D,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,4DAA4D,MAAM,GAAG,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,sCAAsC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,+DAA+D,MAAM,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
package/dist/esm/index.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
export type { OAuthKeyring, PrivateKeyring, IdentifiableKey } from "./keyring.js";
|
|
1
|
+
export type { OAuthKeyring, PrivateKeyring, IdentifiableKey, JWKSOAuthKeyringOptions } from "./keyring.js";
|
|
2
2
|
export { JWKSOAuthKeyring } from "./keyring.js";
|
|
3
3
|
export { default as base64url } from "./base64url.js";
|
|
4
4
|
export { fetchAuthorizationServerMetadata } from "./discovery.js";
|
package/dist/esm/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}
|
package/dist/esm/keyring.d.ts
CHANGED
|
@@ -9,7 +9,18 @@ export type IdentifiableKey = {
|
|
|
9
9
|
export interface PrivateKeyring {
|
|
10
10
|
key(usage: string): Promise<IdentifiableKey>;
|
|
11
11
|
}
|
|
12
|
+
export interface JWKSOAuthKeyringOptions {
|
|
13
|
+
/** TTL for cached CryptoKeys. Default: 5 minutes. */
|
|
14
|
+
keyTtlMs?: number;
|
|
15
|
+
/** TTL for cached discovery (issuer → jwks_uri) mappings. Default: 1 hour. */
|
|
16
|
+
discoveryTtlMs?: number;
|
|
17
|
+
/** Timeout for both discovery and JWKS fetch requests. Default: 10 seconds. */
|
|
18
|
+
fetchTimeoutMs?: number;
|
|
19
|
+
}
|
|
12
20
|
export declare class JWKSOAuthKeyring implements OAuthKeyring {
|
|
21
|
+
#private;
|
|
22
|
+
constructor(options?: JWKSOAuthKeyringOptions);
|
|
13
23
|
key(issuer: string, kid: string): Promise<CryptoKey>;
|
|
24
|
+
invalidate(issuer: string, kid: string): void;
|
|
14
25
|
}
|
|
15
26
|
//# sourceMappingURL=keyring.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;
|
|
1
|
+
{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACtC,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAuDD,qBAAa,gBAAiB,YAAW,YAAY;;gBAWvC,OAAO,CAAC,EAAE,uBAAuB;IAMvC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW1D,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;CA4H9C"}
|
package/dist/esm/keyring.js
CHANGED
|
@@ -1,3 +1,15 @@
|
|
|
1
|
+
var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
|
|
2
|
+
if (kind === "m") throw new TypeError("Private method is not writable");
|
|
3
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
|
|
4
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
|
|
5
|
+
return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
|
|
6
|
+
};
|
|
7
|
+
var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
|
|
8
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
|
|
9
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
|
|
10
|
+
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
|
|
11
|
+
};
|
|
12
|
+
var _JWKSOAuthKeyring_instances, _JWKSOAuthKeyring_keyTtlMs, _JWKSOAuthKeyring_discoveryTtlMs, _JWKSOAuthKeyring_fetchTimeoutMs, _JWKSOAuthKeyring_discoveryCache, _JWKSOAuthKeyring_keyCache, _JWKSOAuthKeyring_discoveryInflight, _JWKSOAuthKeyring_keyInflight, _JWKSOAuthKeyring_resolveJwksUri, _JWKSOAuthKeyring_resolveKey, _JWKSOAuthKeyring_getCached;
|
|
1
13
|
import { z } from "zod";
|
|
2
14
|
import { fetchAuthorizationServerMetadata } from "./discovery.js";
|
|
3
15
|
const JWKSchema = z.object({
|
|
@@ -18,28 +30,136 @@ const ECJWKSchema = JWKSchema.extend({
|
|
|
18
30
|
const JWKSetSchema = z.object({
|
|
19
31
|
keys: z.array(z.union([RSAJWKSchema, ECJWKSchema])),
|
|
20
32
|
});
|
|
33
|
+
const DEFAULT_KEY_TTL_MS = 5 * 60 * 1000; // 5 minutes
|
|
34
|
+
const DEFAULT_DISCOVERY_TTL_MS = 60 * 60 * 1000; // 1 hour
|
|
35
|
+
const DEFAULT_FETCH_TIMEOUT_MS = 10_000; // 10 seconds
|
|
36
|
+
function assertSameOrigin(issuer, jwksUri) {
|
|
37
|
+
const issuerOrigin = new URL(issuer).origin;
|
|
38
|
+
const jwksOrigin = new URL(jwksUri).origin;
|
|
39
|
+
if (issuerOrigin !== jwksOrigin) {
|
|
40
|
+
throw new Error(`JWKS URI origin "${jwksOrigin}" does not match issuer origin "${issuerOrigin}" for "${issuer}"`);
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
function keyCacheKey(issuer, kid) {
|
|
44
|
+
return `${issuer}::${kid}`;
|
|
45
|
+
}
|
|
46
|
+
// ---------------------------------------------------------------------------
|
|
47
|
+
// JWKSOAuthKeyring — two-level cached keyring
|
|
48
|
+
// ---------------------------------------------------------------------------
|
|
21
49
|
export class JWKSOAuthKeyring {
|
|
50
|
+
constructor(options) {
|
|
51
|
+
_JWKSOAuthKeyring_instances.add(this);
|
|
52
|
+
_JWKSOAuthKeyring_keyTtlMs.set(this, void 0);
|
|
53
|
+
_JWKSOAuthKeyring_discoveryTtlMs.set(this, void 0);
|
|
54
|
+
_JWKSOAuthKeyring_fetchTimeoutMs.set(this, void 0);
|
|
55
|
+
_JWKSOAuthKeyring_discoveryCache.set(this, new Map());
|
|
56
|
+
_JWKSOAuthKeyring_keyCache.set(this, new Map());
|
|
57
|
+
_JWKSOAuthKeyring_discoveryInflight.set(this, new Map());
|
|
58
|
+
_JWKSOAuthKeyring_keyInflight.set(this, new Map());
|
|
59
|
+
__classPrivateFieldSet(this, _JWKSOAuthKeyring_keyTtlMs, options?.keyTtlMs ?? DEFAULT_KEY_TTL_MS, "f");
|
|
60
|
+
__classPrivateFieldSet(this, _JWKSOAuthKeyring_discoveryTtlMs, options?.discoveryTtlMs ?? DEFAULT_DISCOVERY_TTL_MS, "f");
|
|
61
|
+
__classPrivateFieldSet(this, _JWKSOAuthKeyring_fetchTimeoutMs, options?.fetchTimeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS, "f");
|
|
62
|
+
}
|
|
22
63
|
async key(issuer, kid) {
|
|
23
|
-
const
|
|
24
|
-
|
|
25
|
-
|
|
64
|
+
const cacheKey = keyCacheKey(issuer, kid);
|
|
65
|
+
const cached = __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_getCached).call(this, __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f"), cacheKey);
|
|
66
|
+
if (cached) {
|
|
67
|
+
return cached;
|
|
68
|
+
}
|
|
69
|
+
const jwksUri = await __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_resolveJwksUri).call(this, issuer);
|
|
70
|
+
return __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_resolveKey).call(this, issuer, kid, jwksUri, cacheKey);
|
|
71
|
+
}
|
|
72
|
+
invalidate(issuer, kid) {
|
|
73
|
+
const cacheKey = keyCacheKey(issuer, kid);
|
|
74
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").delete(cacheKey);
|
|
75
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").delete(cacheKey);
|
|
76
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").delete(issuer);
|
|
77
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
_JWKSOAuthKeyring_keyTtlMs = new WeakMap(), _JWKSOAuthKeyring_discoveryTtlMs = new WeakMap(), _JWKSOAuthKeyring_fetchTimeoutMs = new WeakMap(), _JWKSOAuthKeyring_discoveryCache = new WeakMap(), _JWKSOAuthKeyring_keyCache = new WeakMap(), _JWKSOAuthKeyring_discoveryInflight = new WeakMap(), _JWKSOAuthKeyring_keyInflight = new WeakMap(), _JWKSOAuthKeyring_instances = new WeakSet(), _JWKSOAuthKeyring_resolveJwksUri =
|
|
81
|
+
// -------------------------------------------------------
|
|
82
|
+
// Discovery resolution with cache + dedup
|
|
83
|
+
// -------------------------------------------------------
|
|
84
|
+
async function _JWKSOAuthKeyring_resolveJwksUri(issuer) {
|
|
85
|
+
const cached = __classPrivateFieldGet(this, _JWKSOAuthKeyring_instances, "m", _JWKSOAuthKeyring_getCached).call(this, __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f"), issuer);
|
|
86
|
+
if (cached) {
|
|
87
|
+
return cached;
|
|
88
|
+
}
|
|
89
|
+
const inflight = __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").get(issuer);
|
|
90
|
+
if (inflight) {
|
|
91
|
+
return inflight;
|
|
92
|
+
}
|
|
93
|
+
const promise = (async () => {
|
|
94
|
+
try {
|
|
95
|
+
const metadata = await fetchAuthorizationServerMetadata(issuer, {
|
|
96
|
+
signal: AbortSignal.timeout(__classPrivateFieldGet(this, _JWKSOAuthKeyring_fetchTimeoutMs, "f")),
|
|
97
|
+
});
|
|
98
|
+
if (!metadata.jwks_uri) {
|
|
99
|
+
throw new Error(`No JSON Web Key Set available for "${issuer}"`);
|
|
100
|
+
}
|
|
101
|
+
assertSameOrigin(issuer, metadata.jwks_uri);
|
|
102
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryCache, "f").set(issuer, {
|
|
103
|
+
value: metadata.jwks_uri,
|
|
104
|
+
expiresAt: Date.now() + __classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryTtlMs, "f"),
|
|
105
|
+
});
|
|
106
|
+
return metadata.jwks_uri;
|
|
26
107
|
}
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
|
|
108
|
+
finally {
|
|
109
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").delete(issuer);
|
|
30
110
|
}
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
111
|
+
})();
|
|
112
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_discoveryInflight, "f").set(issuer, promise);
|
|
113
|
+
return promise;
|
|
114
|
+
}, _JWKSOAuthKeyring_resolveKey =
|
|
115
|
+
// -------------------------------------------------------
|
|
116
|
+
// Key resolution with cache + dedup
|
|
117
|
+
// -------------------------------------------------------
|
|
118
|
+
async function _JWKSOAuthKeyring_resolveKey(issuer, kid, jwksUri, cacheKey) {
|
|
119
|
+
const inflight = __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").get(cacheKey);
|
|
120
|
+
if (inflight) {
|
|
121
|
+
return inflight;
|
|
122
|
+
}
|
|
123
|
+
const promise = (async () => {
|
|
124
|
+
try {
|
|
125
|
+
const response = await fetch(jwksUri, {
|
|
126
|
+
signal: AbortSignal.timeout(__classPrivateFieldGet(this, _JWKSOAuthKeyring_fetchTimeoutMs, "f")),
|
|
127
|
+
});
|
|
128
|
+
if (!response.ok) {
|
|
129
|
+
throw new Error(`Failed to fetch JWKS from "${jwksUri}" for "${issuer}" (HTTP ${response.status})`);
|
|
130
|
+
}
|
|
131
|
+
const json = await response.json();
|
|
132
|
+
const jwkSet = JWKSetSchema.parse(json);
|
|
133
|
+
const jwk = jwkSet.keys.find((jwk) => jwk.kid === kid);
|
|
134
|
+
if (!jwk) {
|
|
135
|
+
throw new Error(`Failed to find key "${kid}" of "${issuer}"`);
|
|
136
|
+
}
|
|
137
|
+
// TODO: make this more robust to uses and algs
|
|
138
|
+
const key = await crypto.subtle.importKey('jwk', jwk, {
|
|
139
|
+
name: 'RSASSA-PKCS1-v1_5',
|
|
140
|
+
hash: { name: 'SHA-256' },
|
|
141
|
+
}, true, ['verify']);
|
|
142
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyCache, "f").set(cacheKey, {
|
|
143
|
+
value: key,
|
|
144
|
+
expiresAt: Date.now() + __classPrivateFieldGet(this, _JWKSOAuthKeyring_keyTtlMs, "f"),
|
|
145
|
+
});
|
|
146
|
+
return key;
|
|
36
147
|
}
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
148
|
+
finally {
|
|
149
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").delete(cacheKey);
|
|
150
|
+
}
|
|
151
|
+
})();
|
|
152
|
+
__classPrivateFieldGet(this, _JWKSOAuthKeyring_keyInflight, "f").set(cacheKey, promise);
|
|
153
|
+
return promise;
|
|
154
|
+
}, _JWKSOAuthKeyring_getCached = function _JWKSOAuthKeyring_getCached(cache, key) {
|
|
155
|
+
const entry = cache.get(key);
|
|
156
|
+
if (!entry) {
|
|
157
|
+
return undefined;
|
|
43
158
|
}
|
|
44
|
-
|
|
159
|
+
if (Date.now() >= entry.expiresAt) {
|
|
160
|
+
cache.delete(key);
|
|
161
|
+
return undefined;
|
|
162
|
+
}
|
|
163
|
+
return entry.value;
|
|
164
|
+
};
|
|
45
165
|
//# sourceMappingURL=keyring.js.map
|
package/dist/esm/keyring.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAyBlE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAWH,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAQ,YAAY;AAC7D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,SAAS;AAC3D,MAAM,wBAAwB,GAAG,MAAM,CAAC,CAAW,aAAa;AAEhE,SAAS,gBAAgB,CAAC,MAAc,EAAE,OAAe;IACvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,mCAAmC,YAAY,UAAU,MAAM,GAAG,CACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,GAAW;IAC9C,OAAO,GAAG,MAAM,KAAK,GAAG,EAAE,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,MAAM,OAAO,gBAAgB;IAW3B,YAAY,OAAiC;;QAV7C,6CAAkB;QAClB,mDAAwB;QACxB,mDAAwB;QAExB,2CAAkB,IAAI,GAAG,EAA8B,EAAC;QACxD,qCAAY,IAAI,GAAG,EAAiC,EAAC;QAErD,8CAAqB,IAAI,GAAG,EAA2B,EAAC;QACxD,wCAAe,IAAI,GAAG,EAA8B,EAAC;QAGnD,uBAAA,IAAI,8BAAa,OAAO,EAAE,QAAQ,IAAI,kBAAkB,MAAA,CAAC;QACzD,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;QAC3E,uBAAA,IAAI,oCAAmB,OAAO,EAAE,cAAc,IAAI,wBAAwB,MAAA,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,kCAAU,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,uBAAA,IAAI,qEAAgB,MAApB,IAAI,EAAiB,MAAM,CAAC,CAAC;QACnD,OAAO,uBAAA,IAAI,iEAAY,MAAhB,IAAI,EAAa,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,uBAAA,IAAI,kCAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,uBAAA,IAAI,wCAAgB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;CAsHF;;AApHC,0DAA0D;AAC1D,0CAA0C;AAC1C,0DAA0D;AAE1D,KAAK,2CAAiB,MAAc;IAClC,MAAM,MAAM,GAAG,uBAAA,IAAI,gEAAW,MAAf,IAAI,EAAY,uBAAA,IAAI,wCAAgB,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,MAAM,EAAE;gBAC9D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE5C,uBAAA,IAAI,wCAAgB,CAAC,GAAG,CAAC,MAAM,EAAE;gBAC/B,KAAK,EAAE,QAAQ,CAAC,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,wCAAgB;aAC7C,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,QAAQ,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,2CAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,2CAAmB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0DAA0D;AAC1D,oCAAoC;AACpC,0DAA0D;AAE1D,KAAK,uCACH,MAAc,EACd,GAAW,EACX,OAAe,EACf,QAAgB;IAEhB,MAAM,QAAQ,GAAG,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;gBACpC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAA,IAAI,wCAAgB,CAAC;aAClD,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,UAAU,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;gBACE,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;aAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;YAEF,uBAAA,IAAI,kCAAU,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC3B,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,kCAAU;aACvC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,uBAAA,IAAI,qCAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,uBAAA,IAAI,qCAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC;AACjB,CAAC,qEAMa,KAAiC,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC;AACrB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAkDD,qBAAa,mBAAmB;;gBAOlB,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;IAM7D,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,aAAa,CAAC;CAgE3E"}
|
|
@@ -11,6 +11,7 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
|
|
|
11
11
|
};
|
|
12
12
|
var _TokenExchangeClient_instances, _TokenExchangeClient_issuerUrl, _TokenExchangeClient_clientId, _TokenExchangeClient_clientSecret, _TokenExchangeClient_tokenEndpoint, _TokenExchangeClient_discoveryPromise, _TokenExchangeClient_getTokenEndpoint;
|
|
13
13
|
import { fetchAuthorizationServerMetadata } from "./discovery.js";
|
|
14
|
+
import { OAuthError } from "./errors.js";
|
|
14
15
|
// =============================================================================
|
|
15
16
|
// Wire format helpers (camelCase <-> snake_case at the boundary)
|
|
16
17
|
// =============================================================================
|
|
@@ -88,19 +89,25 @@ export class TokenExchangeClient {
|
|
|
88
89
|
body: body.toString(),
|
|
89
90
|
});
|
|
90
91
|
if (!response.ok) {
|
|
91
|
-
let errorDetail = "";
|
|
92
92
|
try {
|
|
93
93
|
const errorBody = await response.json();
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
? errorBody.
|
|
98
|
-
:
|
|
94
|
+
if (typeof errorBody.error === "string") {
|
|
95
|
+
const errorCode = errorBody.error;
|
|
96
|
+
const description = typeof errorBody.error_description === "string"
|
|
97
|
+
? errorBody.error_description
|
|
98
|
+
: errorCode;
|
|
99
|
+
const errorUri = typeof errorBody.error_uri === "string"
|
|
100
|
+
? errorBody.error_uri
|
|
101
|
+
: undefined;
|
|
102
|
+
throw new OAuthError(errorCode, description, errorUri);
|
|
103
|
+
}
|
|
99
104
|
}
|
|
100
|
-
catch {
|
|
101
|
-
|
|
105
|
+
catch (e) {
|
|
106
|
+
if (e instanceof OAuthError)
|
|
107
|
+
throw e;
|
|
108
|
+
// non-JSON or no "error" key — fall through
|
|
102
109
|
}
|
|
103
|
-
throw new Error(`Token exchange failed (HTTP ${response.status})
|
|
110
|
+
throw new Error(`Token exchange failed (HTTP ${response.status})`);
|
|
104
111
|
}
|
|
105
112
|
const json = await response.json();
|
|
106
113
|
return deserializeResponse(json);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAkCzC,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAM,OAAO,mBAAmB;IAO9B,YAAY,SAAiB,EAAE,OAAoC;;QANnE,iDAAmB;QACnB,gDAAmB;QACnB,oDAAuB;QACvB,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,kCAAc,SAAS,MAAA,CAAC;QAC5B,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAA6B;QAC/C,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;YACzC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC,CAAC;YACpE,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,UAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,UAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,4CAA4C;YAC9C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,GAAG,CAClD,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;CAqBF;qVAnBC,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,uBAAA,IAAI,sCAAW,CAAC,CAAC;YACzE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,sCAAW,uCAAuC,CAAC,CAAC;YACnG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@keycardai/oauth",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.2.0",
|
|
4
4
|
"description": "Pure OAuth 2.0 primitives for Keycard — JWKS key management, JWT signing/verification, and authorization server discovery",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"repository": {
|
|
@@ -65,12 +65,16 @@
|
|
|
65
65
|
"zod": "^3.25.74"
|
|
66
66
|
},
|
|
67
67
|
"devDependencies": {
|
|
68
|
+
"@jest/globals": "^30.0.4",
|
|
69
|
+
"jest": "^30.0.4",
|
|
70
|
+
"ts-jest": "^29.4.0",
|
|
68
71
|
"typescript": "^5.8.3"
|
|
69
72
|
},
|
|
70
73
|
"scripts": {
|
|
71
74
|
"build": "pnpm run build:esm && pnpm run build:cjs",
|
|
72
75
|
"build:esm": "tsc -p tsconfig.prod.json && echo '{\"type\": \"module\"}' > dist/esm/package.json",
|
|
73
76
|
"build:cjs": "tsc -p tsconfig.cjs.json && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json",
|
|
77
|
+
"test": "NODE_OPTIONS='--experimental-vm-modules' jest",
|
|
74
78
|
"typecheck": "tsc --noEmit",
|
|
75
79
|
"clean": "rm -rf dist"
|
|
76
80
|
}
|