@keycardai/oauth 0.12.0 → 0.13.0
- package/dist/cjs/pkce.d.ts +9 -7
- package/dist/cjs/pkce.d.ts.map +1 -1
- package/dist/cjs/pkce.js +27 -13
- package/dist/cjs/pkce.js.map +1 -1
- package/dist/esm/pkce.d.ts +9 -7
- package/dist/esm/pkce.d.ts.map +1 -1
- package/dist/esm/pkce.js +27 -13
- package/dist/esm/pkce.js.map +1 -1
- package/package.json +1 -1
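--- a/package/dist/cjs/pkce.d.ts
+++ b/package/dist/cjs/pkce.d.ts
@@ -7,11 +7,11 @@ export interface Pkce {
 /**
 * Generate a cryptographically random PKCE code verifier (RFC 7636 §4.1).
 *
-* Returns a
-* uses the global `crypto.getRandomValues`
-* Cloudflare Workers, and browsers.
+* Returns a base64url string of the requested length (43-128 characters,
+* default 128). Runtime-agnostic: uses the global `crypto.getRandomValues`
+* which is available in Node 19+, Cloudflare Workers, and browsers.
 */
-export declare function generateCodeVerifier(): string;
+export declare function generateCodeVerifier(length?: number): string;
 /**
 * Derive a PKCE code challenge from a code verifier (RFC 7636 §4.2).
 *
@@ -23,7 +23,7 @@ export declare function generateCodeChallenge(verifier: string, method?: "S256"
 /**
 * Generate a PKCE pair (verifier + challenge) in one call.
 */
-export declare function generatePkcePair(method?: "S256" | "plain"): Promise<Pkce>;
+export declare function generatePkcePair(method?: "S256" | "plain", verifierLength?: number): Promise<Pkce>;
 export interface ExchangeAuthorizationCodeOptions {
 codeVerifier: string;
 redirectUri: string;
@@ -44,14 +44,16 @@ export interface AuthenticateOptions {
 clientId: string;
 /** Default: "http://localhost:{port}/callback" */
 redirectUri?: string;
-/** Default:
+/** Default: 8765 */
 port?: number;
 scopes?: readonly string[];
 clientSecret?: string;
-/** Default:
+/** Default: 300_000 ms */
 timeoutMs?: number;
 /** RFC 8707 resource indicator. Scopes the issued token's audience to this resource URL, enabling token exchange against it. */
 resource?: string;
+/** Opens the authorization URL. Default: the platform browser launcher. */
+openBrowser?: (url: string) => void | Promise<void>;
 }
 /**
 * Full authorization-code-with-PKCE flow for local/CLI contexts.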
package/dist/cjs/pkce.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMxD,MAAM,WAAW,IAAI;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,
|
|
1
|
+
{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMxD,MAAM,WAAW,IAAI;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,SAAM,GAAG,MAAM,CASzD;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,MAAM,GAAE,MAAM,GAAG,OAAgB,GAChC,OAAO,CAAC,MAAM,CAAC,CASjB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,GAAE,MAAM,GAAG,OAAgB,EACjC,cAAc,SAAM,GACnB,OAAO,CAAC,IAAI,CAAC,CAIf;AAMD,MAAM,WAAW,gCAAgC;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qGAAqG;IACrG,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,gCAAgC,GACxC,OAAO,CAAC,aAAa,CAAC,CA0ExB;AAMD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oBAAoB;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0BAA0B;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gIAAgI;IAChI,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrD;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CA6CxB"}
|
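--- a/package/dist/cjs/pkce.js
+++ b/package/dist/cjs/pkce.js
@@ -47,14 +47,19 @@ const errors_js_1 = require("./errors.js");
 /**
 * Generate a cryptographically random PKCE code verifier (RFC 7636 §4.1).
 *
-* Returns a
-* uses the global `crypto.getRandomValues`
-* Cloudflare Workers, and browsers.
+* Returns a base64url string of the requested length (43-128 characters,
+* default 128). Runtime-agnostic: uses the global `crypto.getRandomValues`
+* which is available in Node 19+, Cloudflare Workers, and browsers.
 */
-function generateCodeVerifier() {
-
+function generateCodeVerifier(length = 128) {
+if (length < 43 || length > 128) {
+throw new RangeError("Code verifier length must be between 43 and 128 characters");
+}
+// base64url yields 4 characters per 3 bytes; generate enough bytes to
+// cover the requested length, then trim.
+const bytes = new Uint8Array(Math.ceil((length * 3) / 4));
 crypto.getRandomValues(bytes);
-return base64url_js_1.default.encode(bytes.buffer);
+return base64url_js_1.default.encode(bytes.buffer).slice(0, length);
 }
 /**
 * Derive a PKCE code challenge from a code verifier (RFC 7636 §4.2).
@@ -73,8 +78,8 @@ async function generateCodeChallenge(verifier, method = "S256") {
 /**
 * Generate a PKCE pair (verifier + challenge) in one call.
 */
-async function generatePkcePair(method = "S256") {
-const codeVerifier = generateCodeVerifier();
+async function generatePkcePair(method = "S256", verifierLength = 128) {
+const codeVerifier = generateCodeVerifier(verifierLength);
 const codeChallenge = await generateCodeChallenge(codeVerifier, method);
 return { codeVerifier, codeChallenge, codeChallengeMethod: method };
 }
@@ -167,10 +172,15 @@ async function exchangeAuthorizationCode(issuer, code, options) {
 * *calling* `authenticate()` requires Node.js.
 */
 async function authenticate(issuer, options) {
-const port = options.port ??
+const port = options.port ?? 8765;
 const redirectUri = options.redirectUri ?? `http://localhost:${port}/callback`;
-const timeoutMs = options.timeoutMs ??
+const timeoutMs = options.timeoutMs ?? 300_000;
 const { codeVerifier, codeChallenge } = await generatePkcePair("S256");
+// CSRF protection (RFC 6749 §10.12): bind the loopback callback to this
+// authorization request.
+const stateBytes = new Uint8Array(32);
+crypto.getRandomValues(stateBytes);
+const state = base64url_js_1.default.encode(stateBytes.buffer);
 const metadata = await (0, discovery_js_1.fetchAuthorizationServerMetadata)(issuer);
 if (!metadata.authorization_endpoint) {
 throw new Error(`Authorization server "${issuer}" does not advertise an authorization_endpoint`);
@@ -181,14 +191,15 @@ async function authenticate(issuer, options) {
 authUrl.searchParams.set("redirect_uri", redirectUri);
 authUrl.searchParams.set("code_challenge", codeChallenge);
 authUrl.searchParams.set("code_challenge_method", "S256");
+authUrl.searchParams.set("state", state);
 if (options.scopes && options.scopes.length > 0) {
 authUrl.searchParams.set("scope", options.scopes.join(" "));
 }
 if (options.resource) {
 authUrl.searchParams.set("resource", options.resource);
 }
-await openBrowser(authUrl.toString());
-const code = await waitForCode(port, redirectUri, timeoutMs);
+await (options.openBrowser ?? openBrowser)(authUrl.toString());
+const code = await waitForCode(port, redirectUri, timeoutMs, state);
 return exchangeAuthorizationCode(issuer, code, {
 codeVerifier,
 redirectUri,
@@ -210,7 +221,7 @@ async function openBrowser(url) {
 execFile("xdg-open", [url]);
 }
 }
-async function waitForCode(port, redirectUri, timeoutMs) {
+async function waitForCode(port, redirectUri, timeoutMs, expectedState) {
 // Import before entering the Promise constructor to avoid the async-executor
 // anti-pattern: if the dynamic import throws, the rejection propagates through
 // this async function rather than escaping an async Promise constructor.
@@ -232,6 +243,9 @@ async function waitForCode(port, redirectUri, timeoutMs) {
 if (error) {
 reject(new errors_js_1.OAuthError(error, reqUrl.searchParams.get("error_description") ?? error));
 }
+else if (reqUrl.searchParams.get("state") !== expectedState) {
+reject(new Error("State mismatch in redirect: possible CSRF attack"));
+}
 else if (code) {
 resolve(code);
 }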
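Review bot: In the `waitForCode` hunk the new `state` comparison sits behind the `if (error)` branch, so a callback request carrying `?error=access_denied` is still accepted and fails the flow without ever being matched to this authorization request; with the port now fixed at 8765 by default, any page open in the user's browser can send that request to `http://localhost:8765/callback` and abort the login, which is exactly the unsolicited-redirect case the new `state` binding was added to reject. RFC 6749 §4.1.2.1 requires `state` on error redirects too, so the mismatch branch should run first: `if (reqUrl.searchParams.get("state") !== expectedState) { reject(new Error("State mismatch in redirect: possible CSRF attack")); } else if (error) {` with the remaining branches unchanged. `waitForCode`'s body starts before and ends after the hunk; if the surrounding handler also closes the server on the first request of any path (not visible here), an unsolicited request without `error` would still end the flow, which is worth confirming separately. The same ordering is emitted into `dist/esm/pkce.js`, so the fix belongs in `src/pkce.ts`.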
package/dist/cjs/pkce.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsBA,
|
|
1
|
+
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsBA,oDASC;AASD,sDAYC;AAKD,4CAOC;AAsBD,8DA8EC;AAiCD,oCAgDC;AArPD,kEAAuC;AACvC,iDAAkE;AAClE,2CAAyC;AAazC;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAAC,MAAM,GAAG,GAAG;IAC/C,IAAI,MAAM,GAAG,EAAE,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,UAAU,CAAC,4DAA4D,CAAC,CAAC;IACrF,CAAC;IACD,sEAAsE;IACtE,yCAAyC;IACzC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC1D,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,sBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,MAAqB,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACxE,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,qBAAqB,CACzC,QAAgB,EAChB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,SAAS,EACT,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CACnC,CAAC;IACF,OAAO,sBAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,gBAAgB,CACpC,SAA2B,MAAM,EACjC,cAAc,GAAG,GAAG;IAEpB,MAAM,YAAY,GAAG,oBAAoB,CAAC,cAAc,CAAC,CAAC;IAC1D,MAAM,aAAa,GAAG,MAAM,qBAAqB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACxE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,EAAE,CAAC;AACtE,CAAC;AAgBD;;;;;GAKG;AACI,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,IAAY,EACZ,OAAyC;IAEzC,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,MAAM,EAAE;QAC9D,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,yBAAyB,MAAM,uCAAuC,CACvE,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;IAC/C,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEhE,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,mCAAmC;
KACpD,CAAC;IACF,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QAC7C,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,cAAc,EAAE;QACpD,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;QACvB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,SAAS,GAAmC,IAAI,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;YAC9C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,SAAS,GAAG,IAA+B,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QACD,IAAI,SAAS,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;gBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;gBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;YACpB,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3F,MAAM,IAAI,sBAAU,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;IAC9C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,GAAG,IAA+B,CAAC;IAE7C,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,aAAa,GAAkB;QACnC,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IACF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IACnF,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,aAAa,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IAC5F,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,aAAa,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9D,CAAC;IA
CD,OAAO,aAAa,CAAC;AACvB,CAAC;AAsBD;;;;;;;;;;GAUG;AACI,KAAK,UAAU,YAAY,CAChC,MAAc,EACd,OAA4B;IAE5B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC;IAClC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,IAAI,WAAW,CAAC;IAC/E,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC;IAE/C,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEvE,wEAAwE;IACxE,yBAAyB;IACzB,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACtC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,sBAAS,CAAC,MAAM,CAAC,UAAU,CAAC,MAAqB,CAAC,CAAC;IAEjE,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,yBAAyB,MAAM,gDAAgD,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;IACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACzC,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,WAAW,IAAI,WAAW,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAE/D,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;IAEpE,OAAO,yBAAyB,CAAC,MAAM,EAAE,IAAI,EAAE;QAC7C,YAAY;QACZ,WAAW;QACX,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,GAAW;IACpC,MAAM,EAAE,QAAQ,EAAE,GAAG,wDAAa,oBAAoB,GAAC,CAAC;IACxD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,QAAQ,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,C
AAC;QACxC,8DAA8D;QAC9D,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,IAAY,EACZ,WAAmB,EACnB,SAAiB,EACjB,aAAqB;IAErB,6EAA6E;IAC7E,+EAA+E;IAC/E,yEAAyE;IACzE,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,WAAW,GAAC,CAAC;IAEnD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,SAAS,IAAI,CAAC,CAAC,CAAC;QAC1E,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACvC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,WAAW,CAAC,CAAC;gBACpD,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAE/C,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAC;gBAE7F,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBAEpB,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,sBAAU,CAAC,KAAK,EAAE,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC;gBACvF,CAAC;qBAAM,IAAI,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,aAAa,EAAE,CAAC;oBAC9D,MAAM,CAAC,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC,CAAC;gBACxE,CAAC;qBAAM,IAAI,IAAI,EAAE,CAAC;oBAChB,OAAO,CAAC,IAAI,CAAC,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACjC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,IAAI,KAAK,CAAC,2CAA2C,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACvF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
|
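--- a/package/dist/esm/pkce.d.ts
+++ b/package/dist/esm/pkce.d.ts
@@ -7,11 +7,11 @@ export interface Pkce {
 /**
 * Generate a cryptographically random PKCE code verifier (RFC 7636 §4.1).
 *
-* Returns a
-* uses the global `crypto.getRandomValues`
-* Cloudflare Workers, and browsers.
+* Returns a base64url string of the requested length (43-128 characters,
+* default 128). Runtime-agnostic: uses the global `crypto.getRandomValues`
+* which is available in Node 19+, Cloudflare Workers, and browsers.
 */
-export declare function generateCodeVerifier(): string;
+export declare function generateCodeVerifier(length?: number): string;
 /**
 * Derive a PKCE code challenge from a code verifier (RFC 7636 §4.2).
 *
@@ -23,7 +23,7 @@ export declare function generateCodeChallenge(verifier: string, method?: "S256"
 /**
 * Generate a PKCE pair (verifier + challenge) in one call.
 */
-export declare function generatePkcePair(method?: "S256" | "plain"): Promise<Pkce>;
+export declare function generatePkcePair(method?: "S256" | "plain", verifierLength?: number): Promise<Pkce>;
 export interface ExchangeAuthorizationCodeOptions {
 codeVerifier: string;
 redirectUri: string;
@@ -44,14 +44,16 @@ export interface AuthenticateOptions {
 clientId: string;
 /** Default: "http://localhost:{port}/callback" */
 redirectUri?: string;
-/** Default:
+/** Default: 8765 */
 port?: number;
 scopes?: readonly string[];
 clientSecret?: string;
-/** Default:
+/** Default: 300_000 ms */
 timeoutMs?: number;
 /** RFC 8707 resource indicator. Scopes the issued token's audience to this resource URL, enabling token exchange against it. */
 resource?: string;
+/** Opens the authorization URL. Default: the platform browser launcher. */
+openBrowser?: (url: string) => void | Promise<void>;
 }
 /**
 * Full authorization-code-with-PKCE flow for local/CLI contexts.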
package/dist/esm/pkce.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMxD,MAAM,WAAW,IAAI;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,
|
|
1
|
+
{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMxD,MAAM,WAAW,IAAI;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,SAAM,GAAG,MAAM,CASzD;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,MAAM,GAAE,MAAM,GAAG,OAAgB,GAChC,OAAO,CAAC,MAAM,CAAC,CASjB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,GAAE,MAAM,GAAG,OAAgB,EACjC,cAAc,SAAM,GACnB,OAAO,CAAC,IAAI,CAAC,CAIf;AAMD,MAAM,WAAW,gCAAgC;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qGAAqG;IACrG,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,gCAAgC,GACxC,OAAO,CAAC,aAAa,CAAC,CA0ExB;AAMD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oBAAoB;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0BAA0B;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gIAAgI;IAChI,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrD;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CA6CxB"}
|
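--- a/package/dist/esm/pkce.js
+++ b/package/dist/esm/pkce.js
@@ -4,14 +4,19 @@ import { OAuthError } from "./errors.js";
 /**
 * Generate a cryptographically random PKCE code verifier (RFC 7636 §4.1).
 *
-* Returns a
-* uses the global `crypto.getRandomValues`
-* Cloudflare Workers, and browsers.
+* Returns a base64url string of the requested length (43-128 characters,
+* default 128). Runtime-agnostic: uses the global `crypto.getRandomValues`
+* which is available in Node 19+, Cloudflare Workers, and browsers.
 */
-export function generateCodeVerifier() {
-
+export function generateCodeVerifier(length = 128) {
+if (length < 43 || length > 128) {
+throw new RangeError("Code verifier length must be between 43 and 128 characters");
+}
+// base64url yields 4 characters per 3 bytes; generate enough bytes to
+// cover the requested length, then trim.
+const bytes = new Uint8Array(Math.ceil((length * 3) / 4));
 crypto.getRandomValues(bytes);
-return base64url.encode(bytes.buffer);
+return base64url.encode(bytes.buffer).slice(0, length);
 }
 /**
 * Derive a PKCE code challenge from a code verifier (RFC 7636 §4.2).
@@ -30,8 +35,8 @@ export async function generateCodeChallenge(verifier, method = "S256") {
 /**
 * Generate a PKCE pair (verifier + challenge) in one call.
 */
-export async function generatePkcePair(method = "S256") {
-const codeVerifier = generateCodeVerifier();
+export async function generatePkcePair(method = "S256", verifierLength = 128) {
+const codeVerifier = generateCodeVerifier(verifierLength);
 const codeChallenge = await generateCodeChallenge(codeVerifier, method);
 return { codeVerifier, codeChallenge, codeChallengeMethod: method };
 }
@@ -124,10 +129,15 @@ export async function exchangeAuthorizationCode(issuer, code, options) {
 * *calling* `authenticate()` requires Node.js.
 */
 export async function authenticate(issuer, options) {
-const port = options.port ??
+const port = options.port ?? 8765;
 const redirectUri = options.redirectUri ?? `http://localhost:${port}/callback`;
-const timeoutMs = options.timeoutMs ??
+const timeoutMs = options.timeoutMs ?? 300_000;
 const { codeVerifier, codeChallenge } = await generatePkcePair("S256");
+// CSRF protection (RFC 6749 §10.12): bind the loopback callback to this
+// authorization request.
+const stateBytes = new Uint8Array(32);
+crypto.getRandomValues(stateBytes);
+const state = base64url.encode(stateBytes.buffer);
 const metadata = await fetchAuthorizationServerMetadata(issuer);
 if (!metadata.authorization_endpoint) {
 throw new Error(`Authorization server "${issuer}" does not advertise an authorization_endpoint`);
@@ -138,14 +148,15 @@ export async function authenticate(issuer, options) {
 authUrl.searchParams.set("redirect_uri", redirectUri);
 authUrl.searchParams.set("code_challenge", codeChallenge);
 authUrl.searchParams.set("code_challenge_method", "S256");
+authUrl.searchParams.set("state", state);
 if (options.scopes && options.scopes.length > 0) {
 authUrl.searchParams.set("scope", options.scopes.join(" "));
 }
 if (options.resource) {
 authUrl.searchParams.set("resource", options.resource);
 }
-await openBrowser(authUrl.toString());
-const code = await waitForCode(port, redirectUri, timeoutMs);
+await (options.openBrowser ?? openBrowser)(authUrl.toString());
+const code = await waitForCode(port, redirectUri, timeoutMs, state);
 return exchangeAuthorizationCode(issuer, code, {
 codeVerifier,
 redirectUri,
@@ -167,7 +178,7 @@ async function openBrowser(url) {
 execFile("xdg-open", [url]);
 }
 }
-async function waitForCode(port, redirectUri, timeoutMs) {
+async function waitForCode(port, redirectUri, timeoutMs, expectedState) {
 // Import before entering the Promise constructor to avoid the async-executor
 // anti-pattern: if the dynamic import throws, the rejection propagates through
 // this async function rather than escaping an async Promise constructor.
@@ -189,6 +200,9 @@ async function waitForCode(port, redirectUri, timeoutMs) {
 if (error) {
 reject(new OAuthError(error, reqUrl.searchParams.get("error_description") ?? error));
 }
+else if (reqUrl.searchParams.get("state") !== expectedState) {
+reject(new Error("State mismatch in redirect: possible CSRF attack"));
+}
 else if (code) {
 resolve(code);
 }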
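Review bot: The new guard in `generateCodeVerifier`, `if (length < 43 || length > 128)`, does not reject `NaN` or non-integers: both comparisons are false for `NaN`, `new Uint8Array(Math.ceil(NaN))` is zero-length and `.slice(0, NaN)` returns `""`, so `generateCodeVerifier(NaN)` (and `generatePkcePair("S256", NaN)`) hands back an empty code verifier instead of throwing, and a fractional length such as 43.5 is silently truncated by `slice`. Since the verifier is the secret PKCE binds the authorization code to, the guard should admit only a well-formed length before it reaches the byte-count arithmetic: `if (!Number.isInteger(length) || length < 43 || length > 128) {`. The same guard is emitted into `dist/cjs/pkce.js`, so the change belongs in `src/pkce.ts`.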
package/dist/esm/pkce.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,gBAAgB,CAAC;AACvC,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAazC;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;
|
|
1
|
+
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,gBAAgB,CAAC;AACvC,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAazC;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAM,GAAG,GAAG;IAC/C,IAAI,MAAM,GAAG,EAAE,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,UAAU,CAAC,4DAA4D,CAAC,CAAC;IACrF,CAAC;IACD,sEAAsE;IACtE,yCAAyC;IACzC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC1D,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,MAAqB,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACxE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAAgB,EAChB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,SAAS,EACT,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CACnC,CAAC;IACF,OAAO,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,SAA2B,MAAM,EACjC,cAAc,GAAG,GAAG;IAEpB,MAAM,YAAY,GAAG,oBAAoB,CAAC,cAAc,CAAC,CAAC;IAC1D,MAAM,aAAa,GAAG,MAAM,qBAAqB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACxE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,EAAE,CAAC;AACtE,CAAC;AAgBD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,IAAY,EACZ,OAAyC;IAEzC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,MAAM,EAAE;QAC9D,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,yBAAyB,MAAM,uCAAuC,CACvE,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;IAC/C,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEhE,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE
,mCAAmC;KACpD,CAAC;IACF,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QAC7C,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,cAAc,EAAE;QACpD,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;QACvB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,SAAS,GAAmC,IAAI,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;YAC9C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,SAAS,GAAG,IAA+B,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QACD,IAAI,SAAS,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;gBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;gBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;YACpB,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3F,MAAM,IAAI,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;IAC9C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,GAAG,IAA+B,CAAC;IAE7C,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,aAAa,GAAkB;QACnC,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IACF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IACnF,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,aAAa,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IAC5F,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,aAAa,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9D,
CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAsBD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAc,EACd,OAA4B;IAE5B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC;IAClC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,IAAI,WAAW,CAAC;IAC/E,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC;IAE/C,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEvE,wEAAwE;IACxE,yBAAyB;IACzB,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACtC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,MAAqB,CAAC,CAAC;IAEjE,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,yBAAyB,MAAM,gDAAgD,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;IACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACzC,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,WAAW,IAAI,WAAW,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAE/D,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;IAEpE,OAAO,yBAAyB,CAAC,MAAM,EAAE,IAAI,EAAE;QAC7C,YAAY;QACZ,WAAW;QACX,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,GAAW;IACpC,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,QAAQ,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,CAAC,Q
AAQ,KAAK,OAAO,EAAE,CAAC;QACxC,8DAA8D;QAC9D,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,IAAY,EACZ,WAAmB,EACnB,SAAiB,EACjB,aAAqB;IAErB,6EAA6E;IAC7E,+EAA+E;IAC/E,yEAAyE;IACzE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAEnD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,SAAS,IAAI,CAAC,CAAC,CAAC;QAC1E,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACvC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,WAAW,CAAC,CAAC;gBACpD,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAE/C,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAC;gBAE7F,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBAEpB,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC;gBACvF,CAAC;qBAAM,IAAI,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,aAAa,EAAE,CAAC;oBAC9D,MAAM,CAAC,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC,CAAC;gBACxE,CAAC;qBAAM,IAAI,IAAI,EAAE,CAAC;oBAChB,OAAO,CAAC,IAAI,CAAC,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACjC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,IAAI,KAAK,CAAC,2CAA2C,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACvF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
|
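--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@keycardai/oauth",
-"version": "0.
+"version": "0.13.0",
 "description": "[Preview] OAuth 2.0 primitives for Keycard: JWKS keyring, JWT signing/verification, server-tier token verifier, AccessContext, ClientSecret credentials, and impersonation via RFC 8693 token exchange",
 "license": "MIT",
 "repository": {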