@mantiq/oauth 0.1.0

package/src/routes/AuthorizationController.ts

@@ -0,0 +1,132 @@
+import type { MantiqRequest } from '@mantiq/core'
+import type { OAuthServer } from '../OAuthServer.ts'
+import { Client } from '../models/Client.ts'
+import { AuthCode } from '../models/AuthCode.ts'
+import { OAuthError } from '../errors/OAuthError.ts'
+
+/**
+ * Handles the authorization code flow endpoints:
+ * - GET  /oauth/authorize — show authorization form / validate params
+ * - POST /oauth/authorize — approve the authorization request
+ * - DELETE /oauth/authorize — deny the authorization request
+ */
+export class AuthorizationController {
+  constructor(private readonly server: OAuthServer) {}
+
+  /**
+   * GET /oauth/authorize
+   * Validates the authorization request parameters and returns client info + requested scopes.
+   */
+  async authorize(request: MantiqRequest): Promise<Response> {
+    const clientId = request.query('client_id')
+    const redirectUri = request.query('redirect_uri')
+    const responseType = request.query('response_type')
+    const scopeParam = request.query('scope')
+    const state = request.query('state')
+
+    if (!clientId) throw new OAuthError('The client_id parameter is required.', 'invalid_request')
+    if (!redirectUri) throw new OAuthError('The redirect_uri parameter is required.', 'invalid_request')
+    if (responseType !== 'code') throw new OAuthError('Only response_type=code is supported.', 'unsupported_response_type')
+
+    const client = await Client.find(clientId)
+    if (!client) throw new OAuthError('Client not found.', 'invalid_client')
+
+    // Validate redirect URI
+    const allowedRedirect = client.getAttribute('redirect') as string
+    if (allowedRedirect && redirectUri !== allowedRedirect) {
+      throw new OAuthError('Invalid redirect URI.', 'invalid_request')
+    }
+
+    const scopes = scopeParam ? scopeParam.split(' ').filter(Boolean) : []
+    const scopeDetails = scopes.map((s) => ({
+      id: s,
+      description: this.server.scopes().find((sc) => sc.id === s)?.description ?? s,
+    }))
+
+    return new Response(JSON.stringify({
+      client: {
+        id: client.getKey(),
+        name: client.getAttribute('name'),
+      },
+      scopes: scopeDetails,
+      state,
+      redirect_uri: redirectUri,
+    }), {
+      status: 200,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  /**
+   * POST /oauth/authorize
+   * Approve the authorization request and issue an authorization code.
+   */
+  async approve(request: MantiqRequest): Promise<Response> {
+    const user = request.user<any>()
+    if (!user) throw new OAuthError('User must be authenticated.', 'invalid_request', 401)
+
+    const clientId = await request.input('client_id') as string | undefined
+    const redirectUri = await request.input('redirect_uri') as string | undefined
+    const scopeParam = await request.input('scope') as string | undefined
+    const state = await request.input('state') as string | undefined
+    const codeChallenge = await request.input('code_challenge') as string | undefined
+    const codeChallengeMethod = await request.input('code_challenge_method') as string | undefined
+
+    if (!clientId) throw new OAuthError('The client_id parameter is required.', 'invalid_request')
+    if (!redirectUri) throw new OAuthError('The redirect_uri parameter is required.', 'invalid_request')
+
+    const client = await Client.find(clientId)
+    if (!client) throw new OAuthError('Client not found.', 'invalid_client')
+
+    const userId = typeof user.getAuthIdentifier === 'function'
+      ? user.getAuthIdentifier()
+      : user.id ?? user.getAttribute?.('id')
+
+    const scopes = scopeParam ? scopeParam.split(' ').filter(Boolean) : []
+    const codeId = crypto.randomUUID()
+    const now = new Date()
+    const expiresAt = new Date(now.getTime() + 10 * 60 * 1000) // 10 minutes
+
+    await AuthCode.create({
+      id: codeId,
+      user_id: String(userId),
+      client_id: clientId,
+      scopes: JSON.stringify(scopes),
+      revoked: false,
+      expires_at: expiresAt.toISOString(),
+      code_challenge: codeChallenge ?? null,
+      code_challenge_method: codeChallengeMethod ?? null,
+    })
+
+    // Build redirect URL with code
+    const url = new URL(redirectUri)
+    url.searchParams.set('code', codeId)
+    if (state) url.searchParams.set('state', state)
+
+    return new Response(null, {
+      status: 302,
+      headers: { 'Location': url.toString() },
+    })
+  }
+
+  /**
+   * DELETE /oauth/authorize
+   * Deny the authorization request.
+   */
+  async deny(request: MantiqRequest): Promise<Response> {
+    const redirectUri = await request.input('redirect_uri') as string | undefined
+    const state = await request.input('state') as string | undefined
+
+    if (!redirectUri) throw new OAuthError('The redirect_uri parameter is required.', 'invalid_request')
+
+    const url = new URL(redirectUri)
+    url.searchParams.set('error', 'access_denied')
+    url.searchParams.set('error_description', 'The user denied the authorization request.')
+    if (state) url.searchParams.set('state', state)
+
+    return new Response(null, {
+      status: 302,
+      headers: { 'Location': url.toString() },
+    })
+  }
+}

package/src/routes/ClientController.ts

@@ -0,0 +1,138 @@
+import type { MantiqRequest } from '@mantiq/core'
+import { Client } from '../models/Client.ts'
+import { OAuthError } from '../errors/OAuthError.ts'
+
+/**
+ * CRUD controller for OAuth clients.
+ * All endpoints require authentication.
+ */
+export class ClientController {
+  /**
+   * GET /oauth/clients
+   * List all clients for the authenticated user.
+   */
+  async index(request: MantiqRequest): Promise<Response> {
+    const user = request.user<any>()
+    if (!user) throw new OAuthError('Unauthenticated.', 'invalid_request', 401)
+
+    const userId = typeof user.getAuthIdentifier === 'function'
+      ? user.getAuthIdentifier()
+      : user.id ?? user.getAttribute?.('id')
+
+    const clients = await Client.where('user_id', userId).get()
+    const data = clients.map((c) => c.toJSON())
+
+    return new Response(JSON.stringify(data), {
+      status: 200,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  /**
+   * POST /oauth/clients
+   * Create a new OAuth client.
+   */
+  async store(request: MantiqRequest): Promise<Response> {
+    const user = request.user<any>()
+    if (!user) throw new OAuthError('Unauthenticated.', 'invalid_request', 401)
+
+    const name = await request.input('name') as string | undefined
+    const redirect = await request.input('redirect') as string | undefined
+
+    if (!name) throw new OAuthError('The name field is required.', 'invalid_request')
+    if (!redirect) throw new OAuthError('The redirect field is required.', 'invalid_request')
+
+    const userId = typeof user.getAuthIdentifier === 'function'
+      ? user.getAuthIdentifier()
+      : user.id ?? user.getAttribute?.('id')
+
+    const clientId = crypto.randomUUID()
+    const secret = crypto.randomUUID()
+
+    const client = await Client.create({
+      id: clientId,
+      user_id: String(userId),
+      name,
+      secret,
+      redirect,
+      personal_access_client: false,
+      password_client: false,
+      revoked: false,
+    })
+
+    // Include the secret in the creation response (only time it's visible)
+    const data = {
+      ...client.toJSON(),
+      secret,
+    }
+
+    return new Response(JSON.stringify(data), {
+      status: 201,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  /**
+   * PUT /oauth/clients/:id
+   * Update an existing OAuth client.
+   */
+  async update(request: MantiqRequest): Promise<Response> {
+    const user = request.user<any>()
+    if (!user) throw new OAuthError('Unauthenticated.', 'invalid_request', 401)
+
+    const clientId = request.param('id')
+    if (!clientId) throw new OAuthError('Client ID is required.', 'invalid_request')
+
+    const client = await Client.find(clientId)
+    if (!client) throw new OAuthError('Client not found.', 'invalid_client', 404)
+
+    const userId = typeof user.getAuthIdentifier === 'function'
+      ? user.getAuthIdentifier()
+      : user.id ?? user.getAttribute?.('id')
+
+    if (client.getAttribute('user_id') !== String(userId)) {
+      throw new OAuthError('This client does not belong to you.', 'invalid_client', 403)
+    }
+
+    const name = await request.input('name') as string | undefined
+    const redirect = await request.input('redirect') as string | undefined
+
+    if (name) client.setAttribute('name', name)
+    if (redirect) client.setAttribute('redirect', redirect)
+
+    await client.save()
+
+    return new Response(JSON.stringify(client.toJSON()), {
+      status: 200,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  /**
+   * DELETE /oauth/clients/:id
+   * Delete an OAuth client.
+   */
+  async destroy(request: MantiqRequest): Promise<Response> {
+    const user = request.user<any>()
+    if (!user) throw new OAuthError('Unauthenticated.', 'invalid_request', 401)
+
+    const clientId = request.param('id')
+    if (!clientId) throw new OAuthError('Client ID is required.', 'invalid_request')
+
+    const client = await Client.find(clientId)
+    if (!client) throw new OAuthError('Client not found.', 'invalid_client', 404)
+
+    const userId = typeof user.getAuthIdentifier === 'function'
+      ? user.getAuthIdentifier()
+      : user.id ?? user.getAttribute?.('id')
+
+    if (client.getAttribute('user_id') !== String(userId)) {
+      throw new OAuthError('This client does not belong to you.', 'invalid_client', 403)
+    }
+
+    client.setAttribute('revoked', true)
+    await client.save()
+
+    return new Response(null, { status: 204 })
+  }
+}

package/src/routes/ScopeController.ts

@@ -0,0 +1,19 @@
+import type { MantiqRequest } from '@mantiq/core'
+import type { OAuthServer } from '../OAuthServer.ts'
+
+/**
+ * GET /oauth/scopes
+ * Returns all registered OAuth scopes.
+ */
+export class ScopeController {
+  constructor(private readonly server: OAuthServer) {}
+
+  async index(_request: MantiqRequest): Promise<Response> {
+    const scopes = this.server.scopes()
+
+    return new Response(JSON.stringify(scopes), {
+      status: 200,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+}

package/src/routes/TokenController.ts

@@ -0,0 +1,38 @@
+import type { MantiqRequest } from '@mantiq/core'
+import type { GrantHandler, OAuthTokenResponse } from '../grants/GrantHandler.ts'
+import { OAuthError } from '../errors/OAuthError.ts'
+
+/**
+ * POST /oauth/token
+ * Dispatches to the appropriate grant handler based on grant_type.
+ */
+export class TokenController {
+  private readonly grants = new Map<string, GrantHandler>()
+
+  registerGrant(grant: GrantHandler): void {
+    this.grants.set(grant.grantType, grant)
+  }
+
+  async issueToken(request: MantiqRequest): Promise<Response> {
+    const grantType = await request.input('grant_type') as string | undefined
+    if (!grantType) {
+      throw new OAuthError('The grant_type parameter is required.', 'invalid_request')
+    }
+
+    const handler = this.grants.get(grantType)
+    if (!handler) {
+      throw new OAuthError(`Unsupported grant type: ${grantType}`, 'unsupported_grant_type')
+    }
+
+    const tokenResponse: OAuthTokenResponse = await handler.handle(request)
+
+    return new Response(JSON.stringify(tokenResponse), {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/json',
+        'Cache-Control': 'no-store',
+        'Pragma': 'no-cache',
+      },
+    })
+  }
+}

package/src/routes/oauthRoutes.ts

@@ -0,0 +1,55 @@
+import type { Router } from '@mantiq/core'
+import type { OAuthServer } from '../OAuthServer.ts'
+import { TokenController } from './TokenController.ts'
+import { AuthorizationController } from './AuthorizationController.ts'
+import { ClientController } from './ClientController.ts'
+import { ScopeController } from './ScopeController.ts'
+import type { GrantHandler } from '../grants/GrantHandler.ts'
+
+export interface OAuthRouteOptions {
+  server: OAuthServer
+  grants: GrantHandler[]
+}
+
+/**
+ * Register all OAuth routes on a Router instance.
+ */
+export function oauthRoutes(router: Router, options: OAuthRouteOptions): void {
+  const { server, grants } = options
+
+  // Token controller
+  const tokenController = new TokenController()
+  for (const grant of grants) {
+    tokenController.registerGrant(grant)
+  }
+
+  // Authorization controller
+  const authorizationController = new AuthorizationController(server)
+
+  // Client controller
+  const clientController = new ClientController()
+
+  // Scope controller
+  const scopeController = new ScopeController(server)
+
+  // ── Token endpoint (public) ─────────────────────────────────────────────
+  router.post('/oauth/token', (req) => tokenController.issueToken(req))
+
+  // ── Authorization endpoints ─────────────────────────────────────────────
+  router.get('/oauth/authorize', (req) => authorizationController.authorize(req))
+  router.post('/oauth/authorize', (req) => authorizationController.approve(req))
+    .middleware('auth:oauth')
+  router.delete('/oauth/authorize', (req) => authorizationController.deny(req))
+    .middleware('auth:oauth')
+
+  // ── Client CRUD (requires auth) ────────────────────────────────────────
+  router.group({ prefix: '/oauth', middleware: ['auth:oauth'] }, (r) => {
+    r.get('/clients', (req) => clientController.index(req))
+    r.post('/clients', (req) => clientController.store(req))
+    r.put('/clients/:id', (req) => clientController.update(req))
+    r.delete('/clients/:id', (req) => clientController.destroy(req))
+  })
+
+  // ── Scopes endpoint ────────────────────────────────────────────────────
+  router.get('/oauth/scopes', (req) => scopeController.index(req))
+}