@keycardai/oauth 0.1.2 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +7 -2
- package/dist/cjs/credentials.d.ts +18 -0
- package/dist/cjs/credentials.d.ts.map +1 -0
- package/dist/cjs/credentials.js +3 -0
- package/dist/cjs/credentials.js.map +1 -0
- package/dist/cjs/index.d.ts +1 -0
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/jwt/verifier.d.ts +22 -1
- package/dist/cjs/jwt/verifier.d.ts.map +1 -1
- package/dist/cjs/jwt/verifier.js +101 -9
- package/dist/cjs/jwt/verifier.js.map +1 -1
- package/dist/cjs/tokenExchange.d.ts.map +1 -1
- package/dist/cjs/tokenExchange.js +16 -9
- package/dist/cjs/tokenExchange.js.map +1 -1
- package/dist/esm/credentials.d.ts +18 -0
- package/dist/esm/credentials.d.ts.map +1 -0
- package/dist/esm/credentials.js +2 -0
- package/dist/esm/credentials.js.map +1 -0
- package/dist/esm/index.d.ts +1 -0
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/jwt/verifier.d.ts +22 -1
- package/dist/esm/jwt/verifier.d.ts.map +1 -1
- package/dist/esm/jwt/verifier.js +101 -9
- package/dist/esm/jwt/verifier.js.map +1 -1
- package/dist/esm/tokenExchange.d.ts.map +1 -1
- package/dist/esm/tokenExchange.js +16 -9
- package/dist/esm/tokenExchange.js.map +1 -1
- package/package.json +6 -1
package/README.md
CHANGED
|
@@ -28,8 +28,13 @@ const token = await signer.sign({
|
|
|
28
28
|
scope: "read write",
|
|
29
29
|
});
|
|
30
30
|
|
|
31
|
-
// Verify a JWT
|
|
32
|
-
|
|
31
|
+
// Verify a JWT. `issuers` is required — it binds the verifier to the
|
|
32
|
+
// authorization server(s) you trust. Tokens with any other `iss` are
|
|
33
|
+
// rejected before the keyring is consulted.
|
|
34
|
+
const verifier = new JWTVerifier(keyring, {
|
|
35
|
+
issuers: "https://your-zone.keycard.cloud",
|
|
36
|
+
// audiences: "https://api.example.com", // optional
|
|
37
|
+
});
|
|
33
38
|
const claims = await verifier.verify(token);
|
|
34
39
|
```
|
|
35
40
|
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
import type { TokenExchangeRequest } from "./tokenExchange.js";
|
|
2
|
+
/**
|
|
3
|
+
* Common interface for application-level credentials used in token exchange.
|
|
4
|
+
*
|
|
5
|
+
* Implementations live in downstream packages (@keycardai/mcp, @keycardai/cloudflare)
|
|
6
|
+
* because they depend on platform-specific APIs (Node.js fs, Cloudflare Workers, etc.).
|
|
7
|
+
*/
|
|
8
|
+
export interface ApplicationCredential {
|
|
9
|
+
getAuth(): {
|
|
10
|
+
clientId: string;
|
|
11
|
+
clientSecret: string;
|
|
12
|
+
} | null;
|
|
13
|
+
prepareTokenExchangeRequest(subjectToken: string, resource: string, options?: {
|
|
14
|
+
tokenEndpoint?: string;
|
|
15
|
+
authInfo?: Record<string, string>;
|
|
16
|
+
}): Promise<TokenExchangeRequest>;
|
|
17
|
+
}
|
|
18
|
+
//# sourceMappingURL=credentials.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE/D;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,OAAO,IAAI;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC7D,2BAA2B,CACzB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACtE,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAClC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":""}
|
package/dist/cjs/index.d.ts
CHANGED
|
@@ -9,4 +9,5 @@ export type { JWTClaims } from "./jwt/signer.js";
|
|
|
9
9
|
export { JWTVerifier } from "./jwt/verifier.js";
|
|
10
10
|
export { TokenExchangeClient } from "./tokenExchange.js";
|
|
11
11
|
export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions } from "./tokenExchange.js";
|
|
12
|
+
export type { ApplicationCredential } from "./credentials.js";
|
|
12
13
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/cjs/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAC1G,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC"}
|
|
@@ -1,8 +1,29 @@
|
|
|
1
1
|
import { OAuthKeyring } from "../keyring.js";
|
|
2
2
|
import type { JWTClaims } from "./signer.js";
|
|
3
|
+
export interface JWTVerifierOptions {
|
|
4
|
+
/**
|
|
5
|
+
* Issuer(s) this verifier will accept. The `iss` claim in a presented token
|
|
6
|
+
* must exactly match (string equality) one of these values. Tokens with any
|
|
7
|
+
* other issuer are rejected before any key lookup or network I/O runs.
|
|
8
|
+
*/
|
|
9
|
+
issuers: string | readonly string[];
|
|
10
|
+
/**
|
|
11
|
+
* Audience(s) the token must be intended for. When configured, the token's
|
|
12
|
+
* `aud` claim must be present and contain at least one of these values.
|
|
13
|
+
* When omitted, audience is not validated.
|
|
14
|
+
*/
|
|
15
|
+
audiences?: string | readonly string[];
|
|
16
|
+
/**
|
|
17
|
+
* Allowed JWT algorithms. Defaults to `["RS256"]`. The `alg` header of a
|
|
18
|
+
* presented token must be a member. `"none"` is always rejected. Values
|
|
19
|
+
* must be in the set the verifier actually implements (currently only
|
|
20
|
+
* `"RS256"`).
|
|
21
|
+
*/
|
|
22
|
+
algorithms?: readonly string[];
|
|
23
|
+
}
|
|
3
24
|
export declare class JWTVerifier {
|
|
4
25
|
#private;
|
|
5
|
-
constructor(keyring: OAuthKeyring);
|
|
26
|
+
constructor(keyring: OAuthKeyring, options: JWTVerifierOptions);
|
|
6
27
|
verify(token: string): Promise<JWTClaims>;
|
|
7
28
|
}
|
|
8
29
|
//# sourceMappingURL=verifier.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,qBAAa,WAAW;;
|
|
1
|
+
{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA4FhD"}
|
package/dist/cjs/jwt/verifier.js
CHANGED
|
@@ -13,27 +13,119 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
|
|
|
13
13
|
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
14
14
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
15
15
|
};
|
|
16
|
-
var _JWTVerifier_keyring;
|
|
16
|
+
var _JWTVerifier_keyring, _JWTVerifier_issuers, _JWTVerifier_audiences, _JWTVerifier_algorithms;
|
|
17
17
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
18
18
|
exports.JWTVerifier = void 0;
|
|
19
19
|
const errors_js_1 = require("../errors.js");
|
|
20
20
|
const base64url_js_1 = __importDefault(require("../base64url.js"));
|
|
21
|
+
// The single `crypto.subtle.verify` call in `verify()` is hardcoded to
|
|
22
|
+
// RSASSA-PKCS1-v1_5 + SHA-256, so the `algorithms` option is only meaningful
|
|
23
|
+
// as an allowlist that's a subset of what we actually implement. Used both
|
|
24
|
+
// as the default when the option is omitted and to validate user-supplied
|
|
25
|
+
// values at construction time.
|
|
26
|
+
const SUPPORTED_ALGORITHMS = ["RS256"];
|
|
27
|
+
const SUPPORTED_ALGORITHM_SET = new Set(SUPPORTED_ALGORITHMS);
|
|
21
28
|
class JWTVerifier {
|
|
22
|
-
constructor(keyring) {
|
|
29
|
+
constructor(keyring, options) {
|
|
23
30
|
_JWTVerifier_keyring.set(this, void 0);
|
|
31
|
+
_JWTVerifier_issuers.set(this, void 0);
|
|
32
|
+
_JWTVerifier_audiences.set(this, void 0);
|
|
33
|
+
_JWTVerifier_algorithms.set(this, void 0);
|
|
34
|
+
const rawIssuers = typeof options?.issuers === "string" ? [options.issuers] : options?.issuers ?? [];
|
|
35
|
+
if (rawIssuers.length === 0) {
|
|
36
|
+
throw new Error("JWTVerifier requires at least one trusted issuer");
|
|
37
|
+
}
|
|
38
|
+
const rawAudiences = typeof options.audiences === "string"
|
|
39
|
+
? [options.audiences]
|
|
40
|
+
: options.audiences ?? [];
|
|
41
|
+
const rawAlgorithms = options.algorithms ?? SUPPORTED_ALGORITHMS;
|
|
42
|
+
for (const alg of rawAlgorithms) {
|
|
43
|
+
if (!SUPPORTED_ALGORITHM_SET.has(alg)) {
|
|
44
|
+
throw new Error(`JWTVerifier does not implement signature verification for "${alg}". ` +
|
|
45
|
+
`Supported: ${SUPPORTED_ALGORITHMS.join(", ")}.`);
|
|
46
|
+
}
|
|
47
|
+
}
|
|
24
48
|
__classPrivateFieldSet(this, _JWTVerifier_keyring, keyring, "f");
|
|
49
|
+
__classPrivateFieldSet(this, _JWTVerifier_issuers, new Set(rawIssuers), "f");
|
|
50
|
+
// An empty `audiences` list means "unconfigured" — matches the ergonomic
|
|
51
|
+
// intent of passing `audiences: []`. A non-empty list switches audience
|
|
52
|
+
// validation on; a missing `aud` fails closed.
|
|
53
|
+
__classPrivateFieldSet(this, _JWTVerifier_audiences, rawAudiences.length > 0 ? new Set(rawAudiences) : undefined, "f");
|
|
54
|
+
__classPrivateFieldSet(this, _JWTVerifier_algorithms, new Set(rawAlgorithms), "f");
|
|
25
55
|
}
|
|
26
56
|
async verify(token) {
|
|
27
|
-
const
|
|
28
|
-
|
|
29
|
-
|
|
57
|
+
const parts = token.split(".");
|
|
58
|
+
if (parts.length !== 3) {
|
|
59
|
+
throw new errors_js_1.InvalidTokenError("Malformed JWT");
|
|
60
|
+
}
|
|
61
|
+
const [header, payload, signature] = parts;
|
|
62
|
+
let jsonHeader;
|
|
63
|
+
let jsonPayload;
|
|
64
|
+
try {
|
|
65
|
+
jsonHeader = JSON.parse(autob(header));
|
|
66
|
+
jsonPayload = JSON.parse(autob(payload));
|
|
67
|
+
}
|
|
68
|
+
catch {
|
|
69
|
+
throw new errors_js_1.InvalidTokenError("Malformed JWT");
|
|
70
|
+
}
|
|
71
|
+
// Algorithm allowlist. Reject "none" and anything outside the allowlist
|
|
72
|
+
// before any other work.
|
|
73
|
+
if (!jsonHeader.alg || jsonHeader.alg === "none" || !__classPrivateFieldGet(this, _JWTVerifier_algorithms, "f").has(jsonHeader.alg)) {
|
|
74
|
+
throw new errors_js_1.InvalidTokenError(`Unsupported JWT algorithm: ${jsonHeader.alg ?? "none"}`);
|
|
75
|
+
}
|
|
76
|
+
// Issuer allowlist. Rejected BEFORE any keyring call — guarantees a token
|
|
77
|
+
// with an attacker-controlled `iss` can't trigger discovery against an
|
|
78
|
+
// untrusted URL.
|
|
30
79
|
if (!jsonPayload.iss) {
|
|
31
80
|
throw new errors_js_1.InvalidTokenError("JWT missing issuer (iss) claim");
|
|
32
81
|
}
|
|
82
|
+
if (!__classPrivateFieldGet(this, _JWTVerifier_issuers, "f").has(jsonPayload.iss)) {
|
|
83
|
+
throw new errors_js_1.InvalidTokenError("Untrusted issuer");
|
|
84
|
+
}
|
|
85
|
+
// Required claims per RFC 9068 § 2.2. Reject NaN / Infinity explicitly —
|
|
86
|
+
// `typeof NaN === "number"` passes the type check but would make every
|
|
87
|
+
// comparison below false (and with `exp: NaN` that means effectively no
|
|
88
|
+
// expiration).
|
|
89
|
+
if (!Number.isFinite(jsonPayload.exp)) {
|
|
90
|
+
throw new errors_js_1.InvalidTokenError("JWT missing expiration (exp) claim");
|
|
91
|
+
}
|
|
92
|
+
if (!jsonPayload.client_id) {
|
|
93
|
+
throw new errors_js_1.InvalidTokenError("JWT missing client_id claim");
|
|
94
|
+
}
|
|
95
|
+
// Time-based claims.
|
|
96
|
+
const now = Math.floor(Date.now() / 1000);
|
|
97
|
+
if (now > jsonPayload.exp) {
|
|
98
|
+
throw new errors_js_1.InvalidTokenError("Token expired");
|
|
99
|
+
}
|
|
100
|
+
if (jsonPayload.nbf !== undefined) {
|
|
101
|
+
if (!Number.isFinite(jsonPayload.nbf)) {
|
|
102
|
+
throw new errors_js_1.InvalidTokenError("JWT has invalid not-before (nbf) claim");
|
|
103
|
+
}
|
|
104
|
+
if (now < jsonPayload.nbf) {
|
|
105
|
+
throw new errors_js_1.InvalidTokenError("Token not yet valid");
|
|
106
|
+
}
|
|
107
|
+
}
|
|
108
|
+
// Audience check, if configured. Missing `aud` fails closed when audiences
|
|
109
|
+
// are required — matches RFC 8707 resource-indicator expectations.
|
|
110
|
+
if (__classPrivateFieldGet(this, _JWTVerifier_audiences, "f")) {
|
|
111
|
+
const aud = jsonPayload.aud;
|
|
112
|
+
if (aud === undefined) {
|
|
113
|
+
throw new errors_js_1.InvalidTokenError("JWT missing audience (aud) claim");
|
|
114
|
+
}
|
|
115
|
+
const audValues = Array.isArray(aud) ? aud : [aud];
|
|
116
|
+
const matched = audValues.some((a) => __classPrivateFieldGet(this, _JWTVerifier_audiences, "f").has(a));
|
|
117
|
+
if (!matched) {
|
|
118
|
+
throw new errors_js_1.InvalidTokenError("Audience mismatch");
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
// Only after all cheap policy checks do we touch the keyring.
|
|
122
|
+
if (!jsonHeader.kid) {
|
|
123
|
+
throw new errors_js_1.InvalidTokenError("JWT missing key id (kid) header");
|
|
124
|
+
}
|
|
33
125
|
const key = await __classPrivateFieldGet(this, _JWTVerifier_keyring, "f").key(jsonPayload.iss, jsonHeader.kid);
|
|
34
126
|
const verified = await crypto.subtle.verify({
|
|
35
|
-
name:
|
|
36
|
-
hash: { name:
|
|
127
|
+
name: "RSASSA-PKCS1-v1_5",
|
|
128
|
+
hash: { name: "SHA-256" },
|
|
37
129
|
}, key, base64url_js_1.default.decode(signature), new TextEncoder().encode(`${header}.${payload}`));
|
|
38
130
|
if (!verified) {
|
|
39
131
|
throw new errors_js_1.InvalidTokenError("Invalid signature");
|
|
@@ -42,8 +134,8 @@ class JWTVerifier {
|
|
|
42
134
|
}
|
|
43
135
|
}
|
|
44
136
|
exports.JWTVerifier = JWTVerifier;
|
|
45
|
-
_JWTVerifier_keyring = new WeakMap();
|
|
137
|
+
_JWTVerifier_keyring = new WeakMap(), _JWTVerifier_issuers = new WeakMap(), _JWTVerifier_audiences = new WeakMap(), _JWTVerifier_algorithms = new WeakMap();
|
|
46
138
|
function autob(data) {
|
|
47
|
-
return atob(data.replace(/-/g,
|
|
139
|
+
return atob(data.replace(/-/g, "+").replace(/_/g, "/"));
|
|
48
140
|
}
|
|
49
141
|
//# sourceMappingURL=verifier.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AACA,4CAAiD;AACjD,mEAAwC;
|
|
1
|
+
{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AACA,4CAAiD;AACjD,mEAAwC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAa,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAAC,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,6BAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,6BAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,6BAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,yEAAyE;QACzE,uEAAuE;QACvE,wEAAwE;QACxE,eAAe;QACf,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,6BAAiB,CAAC,oCAAoC,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,6BAAiB,CAAC,6BAA6B,CAAC,CAAC;QAC7D,CAAC;QAED,qBAAqB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;YACtC,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,6BAAiB,CAAC,wCAAwC,CAAC,CAAC;YACxE,CAAC;YACD,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;gBACtC,MAAM,IAAI,6BAAiB,CAAC,qBAAqB,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,mEAAmE;QACnE,IAAI,uBAAA,IAAI,8BAAW,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC;YAC5B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACtB,MAAM,IAAI,6BAAiB,CAAC,kCAAkC,CAAC,CAAC;YAClE,CAAC;YACD,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAA,IAAI,8BAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,6BAAiB,CAAC,mBAAmB,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YACpB,MAAM,IAAI,6BAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,sBAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,6BAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;AAjID,kCAiIC;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAkDD,qBAAa,mBAAmB;;gBAOlB,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;IAM7D,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,aAAa,CAAC;CAgE3E"}
|
|
@@ -14,6 +14,7 @@ var _TokenExchangeClient_instances, _TokenExchangeClient_issuerUrl, _TokenExchan
|
|
|
14
14
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
15
|
exports.TokenExchangeClient = void 0;
|
|
16
16
|
const discovery_js_1 = require("./discovery.js");
|
|
17
|
+
const errors_js_1 = require("./errors.js");
|
|
17
18
|
// =============================================================================
|
|
18
19
|
// Wire format helpers (camelCase <-> snake_case at the boundary)
|
|
19
20
|
// =============================================================================
|
|
@@ -91,19 +92,25 @@ class TokenExchangeClient {
|
|
|
91
92
|
body: body.toString(),
|
|
92
93
|
});
|
|
93
94
|
if (!response.ok) {
|
|
94
|
-
let errorDetail = "";
|
|
95
95
|
try {
|
|
96
96
|
const errorBody = await response.json();
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
? errorBody.
|
|
101
|
-
:
|
|
97
|
+
if (typeof errorBody.error === "string") {
|
|
98
|
+
const errorCode = errorBody.error;
|
|
99
|
+
const description = typeof errorBody.error_description === "string"
|
|
100
|
+
? errorBody.error_description
|
|
101
|
+
: errorCode;
|
|
102
|
+
const errorUri = typeof errorBody.error_uri === "string"
|
|
103
|
+
? errorBody.error_uri
|
|
104
|
+
: undefined;
|
|
105
|
+
throw new errors_js_1.OAuthError(errorCode, description, errorUri);
|
|
106
|
+
}
|
|
102
107
|
}
|
|
103
|
-
catch {
|
|
104
|
-
|
|
108
|
+
catch (e) {
|
|
109
|
+
if (e instanceof errors_js_1.OAuthError)
|
|
110
|
+
throw e;
|
|
111
|
+
// non-JSON or no "error" key — fall through
|
|
105
112
|
}
|
|
106
|
-
throw new Error(`Token exchange failed (HTTP ${response.status})
|
|
113
|
+
throw new Error(`Token exchange failed (HTTP ${response.status})`);
|
|
107
114
|
}
|
|
108
115
|
const json = await response.json();
|
|
109
116
|
return deserializeResponse(json);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,iDAAkE;
|
|
1
|
+
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,iDAAkE;AAClE,2CAAyC;AAkCzC,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAa,mBAAmB;IAO9B,YAAY,SAAiB,EAAE,OAAoC;;QANnE,iDAAmB;QACnB,gDAAmB;QACnB,oDAAuB;QACvB,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,kCAAc,SAAS,MAAA,CAAC;QAC5B,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAA6B;QAC/C,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;YACzC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC,CAAC;YACpE,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,sBAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,sBAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,4CAA4C;YAC9C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,GAAG,CAClD,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;CAqBF;AA7ED,kDA6EC;qVAnBC,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,uBAAA,IAAI,sCAAW,CAAC,CAAC;YACzE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,sCAAW,uCAAuC,CAAC,CAAC;YACnG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
import type { TokenExchangeRequest } from "./tokenExchange.js";
|
|
2
|
+
/**
|
|
3
|
+
* Common interface for application-level credentials used in token exchange.
|
|
4
|
+
*
|
|
5
|
+
* Implementations live in downstream packages (@keycardai/mcp, @keycardai/cloudflare)
|
|
6
|
+
* because they depend on platform-specific APIs (Node.js fs, Cloudflare Workers, etc.).
|
|
7
|
+
*/
|
|
8
|
+
export interface ApplicationCredential {
|
|
9
|
+
getAuth(): {
|
|
10
|
+
clientId: string;
|
|
11
|
+
clientSecret: string;
|
|
12
|
+
} | null;
|
|
13
|
+
prepareTokenExchangeRequest(subjectToken: string, resource: string, options?: {
|
|
14
|
+
tokenEndpoint?: string;
|
|
15
|
+
authInfo?: Record<string, string>;
|
|
16
|
+
}): Promise<TokenExchangeRequest>;
|
|
17
|
+
}
|
|
18
|
+
//# sourceMappingURL=credentials.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE/D;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,OAAO,IAAI;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC7D,2BAA2B,CACzB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACtE,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAClC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":""}
|
package/dist/esm/index.d.ts
CHANGED
|
@@ -9,4 +9,5 @@ export type { JWTClaims } from "./jwt/signer.js";
|
|
|
9
9
|
export { JWTVerifier } from "./jwt/verifier.js";
|
|
10
10
|
export { TokenExchangeClient } from "./tokenExchange.js";
|
|
11
11
|
export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions } from "./tokenExchange.js";
|
|
12
|
+
export type { ApplicationCredential } from "./credentials.js";
|
|
12
13
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/esm/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAC1G,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC"}
|
|
@@ -1,8 +1,29 @@
|
|
|
1
1
|
import { OAuthKeyring } from "../keyring.js";
|
|
2
2
|
import type { JWTClaims } from "./signer.js";
|
|
3
|
+
export interface JWTVerifierOptions {
|
|
4
|
+
/**
|
|
5
|
+
* Issuer(s) this verifier will accept. The `iss` claim in a presented token
|
|
6
|
+
* must exactly match (string equality) one of these values. Tokens with any
|
|
7
|
+
* other issuer are rejected before any key lookup or network I/O runs.
|
|
8
|
+
*/
|
|
9
|
+
issuers: string | readonly string[];
|
|
10
|
+
/**
|
|
11
|
+
* Audience(s) the token must be intended for. When configured, the token's
|
|
12
|
+
* `aud` claim must be present and contain at least one of these values.
|
|
13
|
+
* When omitted, audience is not validated.
|
|
14
|
+
*/
|
|
15
|
+
audiences?: string | readonly string[];
|
|
16
|
+
/**
|
|
17
|
+
* Allowed JWT algorithms. Defaults to `["RS256"]`. The `alg` header of a
|
|
18
|
+
* presented token must be a member. `"none"` is always rejected. Values
|
|
19
|
+
* must be in the set the verifier actually implements (currently only
|
|
20
|
+
* `"RS256"`).
|
|
21
|
+
*/
|
|
22
|
+
algorithms?: readonly string[];
|
|
23
|
+
}
|
|
3
24
|
export declare class JWTVerifier {
|
|
4
25
|
#private;
|
|
5
|
-
constructor(keyring: OAuthKeyring);
|
|
26
|
+
constructor(keyring: OAuthKeyring, options: JWTVerifierOptions);
|
|
6
27
|
verify(token: string): Promise<JWTClaims>;
|
|
7
28
|
}
|
|
8
29
|
//# sourceMappingURL=verifier.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,qBAAa,WAAW;;
|
|
1
|
+
{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA4FhD"}
|
package/dist/esm/jwt/verifier.js
CHANGED
|
@@ -9,25 +9,117 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
|
|
|
9
9
|
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
|
|
10
10
|
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
|
|
11
11
|
};
|
|
12
|
-
var _JWTVerifier_keyring;
|
|
12
|
+
var _JWTVerifier_keyring, _JWTVerifier_issuers, _JWTVerifier_audiences, _JWTVerifier_algorithms;
|
|
13
13
|
import { InvalidTokenError } from "../errors.js";
|
|
14
14
|
import base64url from "../base64url.js";
|
|
15
|
+
// The single `crypto.subtle.verify` call in `verify()` is hardcoded to
|
|
16
|
+
// RSASSA-PKCS1-v1_5 + SHA-256, so the `algorithms` option is only meaningful
|
|
17
|
+
// as an allowlist that's a subset of what we actually implement. Used both
|
|
18
|
+
// as the default when the option is omitted and to validate user-supplied
|
|
19
|
+
// values at construction time.
|
|
20
|
+
const SUPPORTED_ALGORITHMS = ["RS256"];
|
|
21
|
+
const SUPPORTED_ALGORITHM_SET = new Set(SUPPORTED_ALGORITHMS);
|
|
15
22
|
export class JWTVerifier {
|
|
16
|
-
constructor(keyring) {
|
|
23
|
+
constructor(keyring, options) {
|
|
17
24
|
_JWTVerifier_keyring.set(this, void 0);
|
|
25
|
+
_JWTVerifier_issuers.set(this, void 0);
|
|
26
|
+
_JWTVerifier_audiences.set(this, void 0);
|
|
27
|
+
_JWTVerifier_algorithms.set(this, void 0);
|
|
28
|
+
const rawIssuers = typeof options?.issuers === "string" ? [options.issuers] : options?.issuers ?? [];
|
|
29
|
+
if (rawIssuers.length === 0) {
|
|
30
|
+
throw new Error("JWTVerifier requires at least one trusted issuer");
|
|
31
|
+
}
|
|
32
|
+
const rawAudiences = typeof options.audiences === "string"
|
|
33
|
+
? [options.audiences]
|
|
34
|
+
: options.audiences ?? [];
|
|
35
|
+
const rawAlgorithms = options.algorithms ?? SUPPORTED_ALGORITHMS;
|
|
36
|
+
for (const alg of rawAlgorithms) {
|
|
37
|
+
if (!SUPPORTED_ALGORITHM_SET.has(alg)) {
|
|
38
|
+
throw new Error(`JWTVerifier does not implement signature verification for "${alg}". ` +
|
|
39
|
+
`Supported: ${SUPPORTED_ALGORITHMS.join(", ")}.`);
|
|
40
|
+
}
|
|
41
|
+
}
|
|
18
42
|
__classPrivateFieldSet(this, _JWTVerifier_keyring, keyring, "f");
|
|
43
|
+
__classPrivateFieldSet(this, _JWTVerifier_issuers, new Set(rawIssuers), "f");
|
|
44
|
+
// An empty `audiences` list means "unconfigured" — matches the ergonomic
|
|
45
|
+
// intent of passing `audiences: []`. A non-empty list switches audience
|
|
46
|
+
// validation on; a missing `aud` fails closed.
|
|
47
|
+
__classPrivateFieldSet(this, _JWTVerifier_audiences, rawAudiences.length > 0 ? new Set(rawAudiences) : undefined, "f");
|
|
48
|
+
__classPrivateFieldSet(this, _JWTVerifier_algorithms, new Set(rawAlgorithms), "f");
|
|
19
49
|
}
|
|
20
50
|
async verify(token) {
|
|
21
|
-
const
|
|
22
|
-
|
|
23
|
-
|
|
51
|
+
const parts = token.split(".");
|
|
52
|
+
if (parts.length !== 3) {
|
|
53
|
+
throw new InvalidTokenError("Malformed JWT");
|
|
54
|
+
}
|
|
55
|
+
const [header, payload, signature] = parts;
|
|
56
|
+
let jsonHeader;
|
|
57
|
+
let jsonPayload;
|
|
58
|
+
try {
|
|
59
|
+
jsonHeader = JSON.parse(autob(header));
|
|
60
|
+
jsonPayload = JSON.parse(autob(payload));
|
|
61
|
+
}
|
|
62
|
+
catch {
|
|
63
|
+
throw new InvalidTokenError("Malformed JWT");
|
|
64
|
+
}
|
|
65
|
+
// Algorithm allowlist. Reject "none" and anything outside the allowlist
|
|
66
|
+
// before any other work.
|
|
67
|
+
if (!jsonHeader.alg || jsonHeader.alg === "none" || !__classPrivateFieldGet(this, _JWTVerifier_algorithms, "f").has(jsonHeader.alg)) {
|
|
68
|
+
throw new InvalidTokenError(`Unsupported JWT algorithm: ${jsonHeader.alg ?? "none"}`);
|
|
69
|
+
}
|
|
70
|
+
// Issuer allowlist. Rejected BEFORE any keyring call — guarantees a token
|
|
71
|
+
// with an attacker-controlled `iss` can't trigger discovery against an
|
|
72
|
+
// untrusted URL.
|
|
24
73
|
if (!jsonPayload.iss) {
|
|
25
74
|
throw new InvalidTokenError("JWT missing issuer (iss) claim");
|
|
26
75
|
}
|
|
76
|
+
if (!__classPrivateFieldGet(this, _JWTVerifier_issuers, "f").has(jsonPayload.iss)) {
|
|
77
|
+
throw new InvalidTokenError("Untrusted issuer");
|
|
78
|
+
}
|
|
79
|
+
// Required claims per RFC 9068 § 2.2. Reject NaN / Infinity explicitly —
|
|
80
|
+
// `typeof NaN === "number"` passes the type check but would make every
|
|
81
|
+
// comparison below false (and with `exp: NaN` that means effectively no
|
|
82
|
+
// expiration).
|
|
83
|
+
if (!Number.isFinite(jsonPayload.exp)) {
|
|
84
|
+
throw new InvalidTokenError("JWT missing expiration (exp) claim");
|
|
85
|
+
}
|
|
86
|
+
if (!jsonPayload.client_id) {
|
|
87
|
+
throw new InvalidTokenError("JWT missing client_id claim");
|
|
88
|
+
}
|
|
89
|
+
// Time-based claims.
|
|
90
|
+
const now = Math.floor(Date.now() / 1000);
|
|
91
|
+
if (now > jsonPayload.exp) {
|
|
92
|
+
throw new InvalidTokenError("Token expired");
|
|
93
|
+
}
|
|
94
|
+
if (jsonPayload.nbf !== undefined) {
|
|
95
|
+
if (!Number.isFinite(jsonPayload.nbf)) {
|
|
96
|
+
throw new InvalidTokenError("JWT has invalid not-before (nbf) claim");
|
|
97
|
+
}
|
|
98
|
+
if (now < jsonPayload.nbf) {
|
|
99
|
+
throw new InvalidTokenError("Token not yet valid");
|
|
100
|
+
}
|
|
101
|
+
}
|
|
102
|
+
// Audience check, if configured. Missing `aud` fails closed when audiences
|
|
103
|
+
// are required — matches RFC 8707 resource-indicator expectations.
|
|
104
|
+
if (__classPrivateFieldGet(this, _JWTVerifier_audiences, "f")) {
|
|
105
|
+
const aud = jsonPayload.aud;
|
|
106
|
+
if (aud === undefined) {
|
|
107
|
+
throw new InvalidTokenError("JWT missing audience (aud) claim");
|
|
108
|
+
}
|
|
109
|
+
const audValues = Array.isArray(aud) ? aud : [aud];
|
|
110
|
+
const matched = audValues.some((a) => __classPrivateFieldGet(this, _JWTVerifier_audiences, "f").has(a));
|
|
111
|
+
if (!matched) {
|
|
112
|
+
throw new InvalidTokenError("Audience mismatch");
|
|
113
|
+
}
|
|
114
|
+
}
|
|
115
|
+
// Only after all cheap policy checks do we touch the keyring.
|
|
116
|
+
if (!jsonHeader.kid) {
|
|
117
|
+
throw new InvalidTokenError("JWT missing key id (kid) header");
|
|
118
|
+
}
|
|
27
119
|
const key = await __classPrivateFieldGet(this, _JWTVerifier_keyring, "f").key(jsonPayload.iss, jsonHeader.kid);
|
|
28
120
|
const verified = await crypto.subtle.verify({
|
|
29
|
-
name:
|
|
30
|
-
hash: { name:
|
|
121
|
+
name: "RSASSA-PKCS1-v1_5",
|
|
122
|
+
hash: { name: "SHA-256" },
|
|
31
123
|
}, key, base64url.decode(signature), new TextEncoder().encode(`${header}.${payload}`));
|
|
32
124
|
if (!verified) {
|
|
33
125
|
throw new InvalidTokenError("Invalid signature");
|
|
@@ -35,8 +127,8 @@ export class JWTVerifier {
|
|
|
35
127
|
return jsonPayload;
|
|
36
128
|
}
|
|
37
129
|
}
|
|
38
|
-
_JWTVerifier_keyring = new WeakMap();
|
|
130
|
+
_JWTVerifier_keyring = new WeakMap(), _JWTVerifier_issuers = new WeakMap(), _JWTVerifier_audiences = new WeakMap(), _JWTVerifier_algorithms = new WeakMap();
|
|
39
131
|
function autob(data) {
|
|
40
|
-
return atob(data.replace(/-/g,
|
|
132
|
+
return atob(data.replace(/-/g, "+").replace(/_/g, "/"));
|
|
41
133
|
}
|
|
42
134
|
//# sourceMappingURL=verifier.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,SAAS,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,SAAS,MAAM,iBAAiB,CAAC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAM,OAAO,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAAC,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,iBAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,yEAAyE;QACzE,uEAAuE;QACvE,wEAAwE;QACxE,eAAe;QACf,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,iBAAiB,CAAC,oCAAoC,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,iBAAiB,CAAC,6BAA6B,CAAC,CAAC;QAC7D,CAAC;QAED,qBAAqB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;YACtC,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,iBAAiB,CAAC,wCAAwC,CAAC,CAAC;YACxE,CAAC;YACD,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;gBACtC,MAAM,IAAI,iBAAiB,CAAC,qBAAqB,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,mEAAmE;QACnE,IAAI,uBAAA,IAAI,8BAAW,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC;YAC5B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACtB,MAAM,IAAI,iBAAiB,CAAC,kCAAkC,CAAC,CAAC;YAClE,CAAC;YACD,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAA,IAAI,8BAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YACpB,MAAM,IAAI,iBAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAkDD,qBAAa,mBAAmB;;gBAOlB,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;IAM7D,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,aAAa,CAAC;CAgE3E"}
|
|
@@ -11,6 +11,7 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
|
|
|
11
11
|
};
|
|
12
12
|
var _TokenExchangeClient_instances, _TokenExchangeClient_issuerUrl, _TokenExchangeClient_clientId, _TokenExchangeClient_clientSecret, _TokenExchangeClient_tokenEndpoint, _TokenExchangeClient_discoveryPromise, _TokenExchangeClient_getTokenEndpoint;
|
|
13
13
|
import { fetchAuthorizationServerMetadata } from "./discovery.js";
|
|
14
|
+
import { OAuthError } from "./errors.js";
|
|
14
15
|
// =============================================================================
|
|
15
16
|
// Wire format helpers (camelCase <-> snake_case at the boundary)
|
|
16
17
|
// =============================================================================
|
|
@@ -88,19 +89,25 @@ export class TokenExchangeClient {
|
|
|
88
89
|
body: body.toString(),
|
|
89
90
|
});
|
|
90
91
|
if (!response.ok) {
|
|
91
|
-
let errorDetail = "";
|
|
92
92
|
try {
|
|
93
93
|
const errorBody = await response.json();
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
? errorBody.
|
|
98
|
-
:
|
|
94
|
+
if (typeof errorBody.error === "string") {
|
|
95
|
+
const errorCode = errorBody.error;
|
|
96
|
+
const description = typeof errorBody.error_description === "string"
|
|
97
|
+
? errorBody.error_description
|
|
98
|
+
: errorCode;
|
|
99
|
+
const errorUri = typeof errorBody.error_uri === "string"
|
|
100
|
+
? errorBody.error_uri
|
|
101
|
+
: undefined;
|
|
102
|
+
throw new OAuthError(errorCode, description, errorUri);
|
|
103
|
+
}
|
|
99
104
|
}
|
|
100
|
-
catch {
|
|
101
|
-
|
|
105
|
+
catch (e) {
|
|
106
|
+
if (e instanceof OAuthError)
|
|
107
|
+
throw e;
|
|
108
|
+
// non-JSON or no "error" key — fall through
|
|
102
109
|
}
|
|
103
|
-
throw new Error(`Token exchange failed (HTTP ${response.status})
|
|
110
|
+
throw new Error(`Token exchange failed (HTTP ${response.status})`);
|
|
104
111
|
}
|
|
105
112
|
const json = await response.json();
|
|
106
113
|
return deserializeResponse(json);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAkCzC,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAM,OAAO,mBAAmB;IAO9B,YAAY,SAAiB,EAAE,OAAoC;;QANnE,iDAAmB;QACnB,gDAAmB;QACnB,oDAAuB;QACvB,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,kCAAc,SAAS,MAAA,CAAC;QAC5B,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAA6B;QAC/C,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;YACzC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC,CAAC;YACpE,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,UAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,UAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,4CAA4C;YAC9C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,GAAG,CAClD,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;CAqBF;qVAnBC,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,uBAAA,IAAI,sCAAW,CAAC,CAAC;YACzE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,sCAAW,uCAAuC,CAAC,CAAC;YACnG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@keycardai/oauth",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.3.0",
|
|
4
4
|
"description": "Pure OAuth 2.0 primitives for Keycard — JWKS key management, JWT signing/verification, and authorization server discovery",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"repository": {
|
|
@@ -49,6 +49,11 @@
|
|
|
49
49
|
"import": "./dist/esm/tokenExchange.js",
|
|
50
50
|
"require": "./dist/cjs/tokenExchange.js",
|
|
51
51
|
"types": "./dist/esm/tokenExchange.d.ts"
|
|
52
|
+
},
|
|
53
|
+
"./credentials": {
|
|
54
|
+
"import": "./dist/esm/credentials.js",
|
|
55
|
+
"require": "./dist/cjs/credentials.js",
|
|
56
|
+
"types": "./dist/esm/credentials.d.ts"
|
|
52
57
|
}
|
|
53
58
|
},
|
|
54
59
|
"files": [
|