@keycardai/oauth 0.8.5 → 0.9.1
- package/dist/cjs/jwt/verifier.d.ts.map +1 -1
- package/dist/cjs/jwt/verifier.js +15 -6
- package/dist/cjs/jwt/verifier.js.map +1 -1
- package/dist/cjs/server/clientSecret.d.ts.map +1 -1
- package/dist/cjs/server/clientSecret.js +8 -0
- package/dist/cjs/server/clientSecret.js.map +1 -1
- package/dist/esm/jwt/verifier.d.ts.map +1 -1
- package/dist/esm/jwt/verifier.js +15 -6
- package/dist/esm/jwt/verifier.js.map +1 -1
- package/dist/esm/server/clientSecret.d.ts.map +1 -1
- package/dist/esm/server/clientSecret.js +8 -0
- package/dist/esm/server/clientSecret.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CAqGhD"}
|
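--- a/package/dist/cjs/jwt/verifier.js
+++ b/package/dist/cjs/jwt/verifier.js
@@ -82,16 +82,26 @@ class JWTVerifier {
 if (!__classPrivateFieldGet(this, _JWTVerifier_issuers, "f").has(jsonPayload.iss)) {
 throw new errors_js_1.InvalidTokenError("Untrusted issuer");
 }
-// Required claims per RFC 9068 § 2.2
+// Required claims per RFC 9068 § 2.2: iss (above), sub, aud, exp, iat,
+// client_id. Reject NaN / Infinity on the numeric claims explicitly —
 // `typeof NaN === "number"` passes the type check but would make every
 // comparison below false (and with `exp: NaN` that means effectively no
 // expiration).
 if (!Number.isFinite(jsonPayload.exp)) {
 throw new errors_js_1.InvalidTokenError("JWT missing expiration (exp) claim");
 }
+if (!Number.isFinite(jsonPayload.iat)) {
+throw new errors_js_1.InvalidTokenError("JWT missing issued-at (iat) claim");
+}
+if (!jsonPayload.sub) {
+throw new errors_js_1.InvalidTokenError("JWT missing subject (sub) claim");
+}
 if (!jsonPayload.client_id) {
 throw new errors_js_1.InvalidTokenError("JWT missing client_id claim");
 }
+if (jsonPayload.aud === undefined) {
+throw new errors_js_1.InvalidTokenError("JWT missing audience (aud) claim");
+}
 // Time-based claims.
 const now = Math.floor(Date.now() / 1000);
 if (now > jsonPayload.exp) {
@@ -105,13 +115,12 @@ class JWTVerifier {
 throw new errors_js_1.InvalidTokenError("Token not yet valid");
 }
 }
-// Audience
-//
+// Audience match against the configured allowlist. Presence of `aud` is
+// already required above; an audience-scoped verifier additionally requires
+// it to contain one of the configured audiences (RFC 8707 resource
+// indicators).
 if (__classPrivateFieldGet(this, _JWTVerifier_audiences, "f")) {
 const aud = jsonPayload.aud;
-if (aud === undefined) {
-throw new errors_js_1.InvalidTokenError("JWT missing audience (aud) claim");
-}
 const audValues = Array.isArray(aud) ? aud : [aud];
 const matched = audValues.some((a) => __classPrivateFieldGet(this, _JWTVerifier_audiences, "f").has(a));
 if (!matched) {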
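Review bot: The new presence check `if (jsonPayload.aud === undefined)` in the first hunk still lets `aud: null`, `aud: ""` and `aud: []` through, since none of them is `undefined`. When the verifier has no configured audiences, the allowlist block in the second hunk is skipped, so this line is the only audience validation such a token receives. The neighbouring `if (!jsonPayload.sub)` has the same weakness in the other direction: any truthy non-string value passes. Checking shape as well as presence would close both, for example `if (typeof jsonPayload.sub !== "string" || jsonPayload.sub.length === 0) {` and, for `aud`, requiring a non-empty string or a non-empty array of non-empty strings. The enclosing `JWTVerifier` method starts and ends outside both hunks, and the identical lines appear in package/dist/esm/jwt/verifier.js.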
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AACA,4CAAiD;AACjD,mEAAwC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAa,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAA
C,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,6BAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,6BAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,6BAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,
|
|
1
|
+
{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AACA,4CAAiD;AACjD,mEAAwC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAa,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAA
C,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,6BAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,6BAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,6BAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,wEAAwE;QACxE,eAAe;QACf,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,6BAAiB,CAAC,oCAAoC,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,6BAAiB,CAAC,mCAAmC,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,6BAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,6BAAiB,CAAC,6BAA6B,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,6BAAiB,CAAC,kCAAkC,CAAC,CAAC;QAClE,CAAC;QAED,qBAAqB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;YACtC,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,6BAAiB,CAAC,wCAAwC,CAAC,CAAC;YACxE,CAAC;YACD,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;gBACtC,MAAM,IAAI,6BAAiB,CAAC,qBAAqB,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,4EAA4E;QAC5E,mEAAmE;QACnE,eAAe;QACf,IAAI,uBAAA,IAAI,8BAAW,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAI,CAAC;YAC7B,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAA,IAAI,8BAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,6BAAiB,CAAC,mBAAmB,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YACpB,MAAM,
IAAI,6BAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,sBAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,6BAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;AA1ID,kCA0IC;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"clientSecret.d.ts","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;
|
|
1
|
+
{"version":3,"file":"clientSecret.d.ts","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAiBhE,MAAM,MAAM,uBAAuB,GAC/B,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,GACxC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;AAE7D,qBAAa,YAAa,YAAW,qBAAqB;;gBAI5C,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM;gBACtC,WAAW,EAAE,uBAAuB;IA8ChD,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAYrE,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC;CAOjC"}
|
|
@@ -15,6 +15,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
15
15
|
exports.ClientSecret = void 0;
|
|
16
16
|
const ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
|
|
17
17
|
const DEFAULT_ZONE = "__default__";
|
|
18
|
+
function requireNonEmptyCredential(clientId, clientSecret, zoneContext = "") {
|
|
19
|
+
if (clientId.length === 0 || clientSecret.length === 0) {
|
|
20
|
+
throw new TypeError(`ClientSecret: client_id and client_secret must be non-empty strings${zoneContext}`);
|
|
21
|
+
}
|
|
22
|
+
}
|
|
18
23
|
class ClientSecret {
|
|
19
24
|
constructor(arg1, arg2) {
|
|
20
25
|
_ClientSecret_zoneCredentials.set(this, void 0);
|
|
@@ -24,6 +29,7 @@ class ClientSecret {
|
|
|
24
29
|
if (typeof arg2 !== "string") {
|
|
25
30
|
throw new TypeError("ClientSecret: client_secret is required when client_id is provided as a string");
|
|
26
31
|
}
|
|
32
|
+
requireNonEmptyCredential(arg1, arg2);
|
|
27
33
|
__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(DEFAULT_ZONE, [arg1, arg2]);
|
|
28
34
|
__classPrivateFieldSet(this, _ClientSecret_isMultiZone, false, "f");
|
|
29
35
|
return;
|
|
@@ -33,6 +39,7 @@ class ClientSecret {
|
|
|
33
39
|
if (typeof clientId !== "string" || typeof clientSecret !== "string") {
|
|
34
40
|
throw new TypeError("ClientSecret: tuple must be [clientId, clientSecret]");
|
|
35
41
|
}
|
|
42
|
+
requireNonEmptyCredential(clientId, clientSecret);
|
|
36
43
|
__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(DEFAULT_ZONE, [clientId, clientSecret]);
|
|
37
44
|
__classPrivateFieldSet(this, _ClientSecret_isMultiZone, false, "f");
|
|
38
45
|
return;
|
|
@@ -42,6 +49,7 @@ class ClientSecret {
|
|
|
42
49
|
if (!Array.isArray(tuple) || typeof tuple[0] !== "string" || typeof tuple[1] !== "string") {
|
|
43
50
|
throw new TypeError(`ClientSecret: zone "${zoneId}" must map to [clientId, clientSecret]`);
|
|
44
51
|
}
|
|
52
|
+
requireNonEmptyCredential(tuple[0], tuple[1], ` for zone "${zoneId}"`);
|
|
45
53
|
__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(zoneId, [tuple[0], tuple[1]]);
|
|
46
54
|
}
|
|
47
55
|
if (__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").size === 0) {
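Review bot: `requireNonEmptyCredential` tests only `.length === 0`, so a whitespace-only `client_id` or `client_secret` (a single space, or a lone newline left by a config loader) passes and is stored in the zone map as a usable credential. If such values can never be valid, compare the trimmed value instead: `if (clientId.trim().length === 0 || clientSecret.trim().length === 0) {`. The helper also carries no comment; a line such as `// Fail at construction: an empty id or secret is a configuration error, not a credential.` above it would record the intent, which I am inferring from the error text. The helper is called from all three constructor branches in this section, the same lines appear in the ESM build of clientSecret.js, and the constructor body continues past the last hunk.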
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"clientSecret.js","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAGA,MAAM,iBAAiB,GAAG,+CAA+C,CAAC;AAC1E,MAAM,YAAY,GAAG,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"clientSecret.js","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAGA,MAAM,iBAAiB,GAAG,+CAA+C,CAAC;AAC1E,MAAM,YAAY,GAAG,aAAa,CAAC;AAEnC,SAAS,yBAAyB,CAChC,QAAgB,EAChB,YAAoB,EACpB,WAAW,GAAG,EAAE;IAEhB,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,SAAS,CACjB,sEAAsE,WAAW,EAAE,CACpF,CAAC;IACJ,CAAC;AACH,CAAC;AAMD,MAAa,YAAY;IAMvB,YACE,IAAsC,EACtC,IAAa;QAPf,gDAAgD;QAChD,4CAAsB;QAQpB,uBAAA,IAAI,iCAAoB,IAAI,GAAG,EAAE,MAAA,CAAC;QAElC,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,MAAM,IAAI,SAAS,CAAC,gFAAgF,CAAC,CAAC;YACxG,CAAC;YACD,yBAAyB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YACtC,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;YACtD,uBAAA,IAAI,6BAAgB,KAAK,MAAA,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,QAAQ,EAAE,YAAY,CAAC,GAAG,IAAI,CAAC;YACtC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;gBACrE,MAAM,IAAI,SAAS,CAAC,sDAAsD,CAAC,CAAC;YAC9E,CAAC;YACD,yBAAyB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YAClD,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;YAClE,uBAAA,IAAI,6BAAgB,KAAK,MAAA,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrC,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;oBAC1F,MAAM,IAAI,SAAS,CAAC,uBAAuB,MAAM,wCAAwC,CAAC,CAAC;gBAC7F,CAAC;gBACD,yBAAyB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,cAAc,MAAM,GAAG,CAAC,CAAC;gBACvE,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1D,CAAC;YACD,IAAI,uBAAA,IAAI,qCAAiB,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,SAAS,CAAC,qEAAqE,CAAC,CAAC;YAC7F,CAAC;YACD,uBAAA,IAAI,6BAAgB,IAAI,MAAA,CAAC;YACzB,OAAO;QACT,CAAC
;QAED,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,CAAC,MAAe;QACrB,IAAI,CAAC,uBAAA,IAAI,iCAAa,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACtD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACvE,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,GAAG,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACvE,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB;QAEhB,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,iBAAiB;SACpC,CAAC;IACJ,CAAC;CACF;AAzED,oCAyEC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CAqGhD"}
|
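--- a/package/dist/esm/jwt/verifier.js
+++ b/package/dist/esm/jwt/verifier.js
@@ -76,16 +76,26 @@ export class JWTVerifier {
 if (!__classPrivateFieldGet(this, _JWTVerifier_issuers, "f").has(jsonPayload.iss)) {
 throw new InvalidTokenError("Untrusted issuer");
 }
-// Required claims per RFC 9068 § 2.2
+// Required claims per RFC 9068 § 2.2: iss (above), sub, aud, exp, iat,
+// client_id. Reject NaN / Infinity on the numeric claims explicitly —
 // `typeof NaN === "number"` passes the type check but would make every
 // comparison below false (and with `exp: NaN` that means effectively no
 // expiration).
 if (!Number.isFinite(jsonPayload.exp)) {
 throw new InvalidTokenError("JWT missing expiration (exp) claim");
 }
+if (!Number.isFinite(jsonPayload.iat)) {
+throw new InvalidTokenError("JWT missing issued-at (iat) claim");
+}
+if (!jsonPayload.sub) {
+throw new InvalidTokenError("JWT missing subject (sub) claim");
+}
 if (!jsonPayload.client_id) {
 throw new InvalidTokenError("JWT missing client_id claim");
 }
+if (jsonPayload.aud === undefined) {
+throw new InvalidTokenError("JWT missing audience (aud) claim");
+}
 // Time-based claims.
 const now = Math.floor(Date.now() / 1000);
 if (now > jsonPayload.exp) {
@@ -99,13 +109,12 @@ export class JWTVerifier {
 throw new InvalidTokenError("Token not yet valid");
 }
 }
-// Audience
-//
+// Audience match against the configured allowlist. Presence of `aud` is
+// already required above; an audience-scoped verifier additionally requires
+// it to contain one of the configured audiences (RFC 8707 resource
+// indicators).
 if (__classPrivateFieldGet(this, _JWTVerifier_audiences, "f")) {
 const aud = jsonPayload.aud;
-if (aud === undefined) {
-throw new InvalidTokenError("JWT missing audience (aud) claim");
-}
 const audValues = Array.isArray(aud) ? aud : [aud];
 const matched = audValues.some((a) => __classPrivateFieldGet(this, _JWTVerifier_audiences, "f").has(a));
 if (!matched) {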
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,SAAS,MAAM,iBAAiB,CAAC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAM,OAAO,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU
,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAAC,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,iBAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,
|
|
1
|
+
{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,SAAS,MAAM,iBAAiB,CAAC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAM,OAAO,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU
,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAAC,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,iBAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,wEAAwE;QACxE,eAAe;QACf,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,iBAAiB,CAAC,oCAAoC,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,iBAAiB,CAAC,mCAAmC,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,iBAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,iBAAiB,CAAC,6BAA6B,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,iBAAiB,CAAC,kCAAkC,CAAC,CAAC;QAClE,CAAC;QAED,qBAAqB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;YACtC,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,iBAAiB,CAAC,wCAAwC,CAAC,CAAC;YACxE,CAAC;YACD,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;gBACtC,MAAM,IAAI,iBAAiB,CAAC,qBAAqB,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,4EAA4E;QAC5E,mEAAmE;QACnE,eAAe;QACf,IAAI,uBAAA,IAAI,8BAAW,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAI,CAAC;YAC7B,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAA,IAAI,8BAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;QAED,8DAA8D;QAC
9D,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YACpB,MAAM,IAAI,iBAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"clientSecret.d.ts","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;
|
|
1
|
+
{"version":3,"file":"clientSecret.d.ts","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAiBhE,MAAM,MAAM,uBAAuB,GAC/B,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,GACxC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;AAE7D,qBAAa,YAAa,YAAW,qBAAqB;;gBAI5C,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM;gBACtC,WAAW,EAAE,uBAAuB;IA8ChD,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAYrE,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC;CAOjC"}
|
|
@@ -12,6 +12,11 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
|
|
|
12
12
|
var _ClientSecret_zoneCredentials, _ClientSecret_isMultiZone;
|
|
13
13
|
const ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
|
|
14
14
|
const DEFAULT_ZONE = "__default__";
|
|
15
|
+
function requireNonEmptyCredential(clientId, clientSecret, zoneContext = "") {
|
|
16
|
+
if (clientId.length === 0 || clientSecret.length === 0) {
|
|
17
|
+
throw new TypeError(`ClientSecret: client_id and client_secret must be non-empty strings${zoneContext}`);
|
|
18
|
+
}
|
|
19
|
+
}
|
|
15
20
|
export class ClientSecret {
|
|
16
21
|
constructor(arg1, arg2) {
|
|
17
22
|
_ClientSecret_zoneCredentials.set(this, void 0);
|
|
@@ -21,6 +26,7 @@ export class ClientSecret {
|
|
|
21
26
|
if (typeof arg2 !== "string") {
|
|
22
27
|
throw new TypeError("ClientSecret: client_secret is required when client_id is provided as a string");
|
|
23
28
|
}
|
|
29
|
+
requireNonEmptyCredential(arg1, arg2);
|
|
24
30
|
__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(DEFAULT_ZONE, [arg1, arg2]);
|
|
25
31
|
__classPrivateFieldSet(this, _ClientSecret_isMultiZone, false, "f");
|
|
26
32
|
return;
|
|
@@ -30,6 +36,7 @@ export class ClientSecret {
|
|
|
30
36
|
if (typeof clientId !== "string" || typeof clientSecret !== "string") {
|
|
31
37
|
throw new TypeError("ClientSecret: tuple must be [clientId, clientSecret]");
|
|
32
38
|
}
|
|
39
|
+
requireNonEmptyCredential(clientId, clientSecret);
|
|
33
40
|
__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(DEFAULT_ZONE, [clientId, clientSecret]);
|
|
34
41
|
__classPrivateFieldSet(this, _ClientSecret_isMultiZone, false, "f");
|
|
35
42
|
return;
|
|
@@ -39,6 +46,7 @@ export class ClientSecret {
|
|
|
39
46
|
if (!Array.isArray(tuple) || typeof tuple[0] !== "string" || typeof tuple[1] !== "string") {
|
|
40
47
|
throw new TypeError(`ClientSecret: zone "${zoneId}" must map to [clientId, clientSecret]`);
|
|
41
48
|
}
|
|
49
|
+
requireNonEmptyCredential(tuple[0], tuple[1], ` for zone "${zoneId}"`);
|
|
42
50
|
__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").set(zoneId, [tuple[0], tuple[1]]);
|
|
43
51
|
}
|
|
44
52
|
if (__classPrivateFieldGet(this, _ClientSecret_zoneCredentials, "f").size === 0) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"clientSecret.js","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":";;;;;;;;;;;;AAGA,MAAM,iBAAiB,GAAG,+CAA+C,CAAC;AAC1E,MAAM,YAAY,GAAG,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"clientSecret.js","sourceRoot":"","sources":["../../../src/server/clientSecret.ts"],"names":[],"mappings":";;;;;;;;;;;;AAGA,MAAM,iBAAiB,GAAG,+CAA+C,CAAC;AAC1E,MAAM,YAAY,GAAG,aAAa,CAAC;AAEnC,SAAS,yBAAyB,CAChC,QAAgB,EAChB,YAAoB,EACpB,WAAW,GAAG,EAAE;IAEhB,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,SAAS,CACjB,sEAAsE,WAAW,EAAE,CACpF,CAAC;IACJ,CAAC;AACH,CAAC;AAMD,MAAM,OAAO,YAAY;IAMvB,YACE,IAAsC,EACtC,IAAa;QAPf,gDAAgD;QAChD,4CAAsB;QAQpB,uBAAA,IAAI,iCAAoB,IAAI,GAAG,EAAE,MAAA,CAAC;QAElC,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,MAAM,IAAI,SAAS,CAAC,gFAAgF,CAAC,CAAC;YACxG,CAAC;YACD,yBAAyB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YACtC,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;YACtD,uBAAA,IAAI,6BAAgB,KAAK,MAAA,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,QAAQ,EAAE,YAAY,CAAC,GAAG,IAAI,CAAC;YACtC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;gBACrE,MAAM,IAAI,SAAS,CAAC,sDAAsD,CAAC,CAAC;YAC9E,CAAC;YACD,yBAAyB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YAClD,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;YAClE,uBAAA,IAAI,6BAAgB,KAAK,MAAA,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrC,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;oBAC1F,MAAM,IAAI,SAAS,CAAC,uBAAuB,MAAM,wCAAwC,CAAC,CAAC;gBAC7F,CAAC;gBACD,yBAAyB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,cAAc,MAAM,GAAG,CAAC,CAAC;gBACvE,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1D,CAAC;YACD,IAAI,uBAAA,IAAI,qCAAiB,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,SAAS,CAAC,qEAAqE,CAAC,CAAC;YAC7F,CAAC;YACD,uBAAA,IAAI,6BAAgB,IAAI,MAAA,CAAC;YACzB,OAAO;QACT,CA
AC;QAED,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,CAAC,MAAe;QACrB,IAAI,CAAC,uBAAA,IAAI,iCAAa,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACtD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACvE,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,GAAG,uBAAA,IAAI,qCAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACvE,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB;QAEhB,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,iBAAiB;SACpC,CAAC;IACJ,CAAC;CACF"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@keycardai/oauth",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.9.1",
|
|
4
4
|
"description": "[Preview] OAuth 2.0 primitives for Keycard: JWKS keyring, JWT signing/verification, server-tier token verifier, AccessContext, ClientSecret credentials, and impersonation via RFC 8693 token exchange",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"repository": {
|