@ministryofmany/client 0.1.0

package/dist/index.js

@@ -0,0 +1,231 @@
+import {
+  MinisterTokenError,
+  OidcError,
+  VcVerificationError,
+  buildDid,
+  claimsFromPayload,
+  didFromIssuer,
+  verifyIdTokenPayload,
+  verifyMinisterBadge,
+  verifyMinisterBadges,
+  verifyMinisterIdToken
+} from "./chunk-CSD6YO64.js";
+import "./chunk-R4XGCZVA.js";
+import {
+  AGE_THRESHOLDS,
+  AgeOverClaimsFor,
+  BADGE_TYPES,
+  EmailDomainClaims,
+  EmailExactClaims,
+  InviteCodeClaims,
+  OAUTH_PROVIDERS,
+  OAuthAccountClaims,
+  ResidencyCityClaims,
+  ResidencyCountryClaims,
+  ResidencyStateClaims,
+  TlsnAttestationClaims,
+  badgeScope,
+  badgeScopes,
+  badgeTypeOf,
+  defineBadgeType,
+  getBadgeClaimSchema,
+  knownBadgeTypes,
+  slugForCredentialType
+} from "./chunk-U2JFQKFV.js";
+
+// src/oidc.ts
+import { createRemoteJWKSet } from "jose";
+var discoveryCache = /* @__PURE__ */ new Map();
+var idTokenJwksCache = /* @__PURE__ */ new Map();
+async function discover(issuer) {
+  const cached = discoveryCache.get(issuer);
+  if (cached) return cached;
+  const p = fetch(`${issuer}/.well-known/openid-configuration`).then(async (res) => {
+    if (!res.ok) {
+      throw new OidcError(`OIDC discovery failed: HTTP ${res.status}`);
+    }
+    const doc = await res.json();
+    if (doc.issuer?.replace(/\/$/, "") !== issuer.replace(/\/$/, "")) {
+      throw new OidcError(
+        `OIDC discovery issuer mismatch: configured ${issuer}, document ${doc.issuer}`
+      );
+    }
+    return doc;
+  }).catch((cause) => {
+    discoveryCache.delete(issuer);
+    throw cause instanceof OidcError ? cause : new OidcError(
+      `OIDC discovery failed: ${cause instanceof Error ? cause.message : String(cause)}`
+    );
+  });
+  discoveryCache.set(issuer, p);
+  return p;
+}
+function idTokenJwks(issuer, jwksUri) {
+  let set = idTokenJwksCache.get(issuer);
+  if (!set) {
+    set = createRemoteJWKSet(new URL(jwksUri));
+    idTokenJwksCache.set(issuer, set);
+  }
+  return set;
+}
+var OidcCore = class {
+  issuer;
+  clientId;
+  clientSecret;
+  redirectUri;
+  constructor(config) {
+    if (!config.issuer) throw new OidcError("issuer is required");
+    if (!config.clientId) throw new OidcError("clientId is required");
+    if (!config.redirectUri) throw new OidcError("redirectUri is required");
+    this.issuer = config.issuer.replace(/\/$/, "");
+    this.clientId = config.clientId;
+    this.clientSecret = config.clientSecret;
+    this.redirectUri = config.redirectUri;
+  }
+  // Discover the authorization endpoint and build the redirect URL with
+  // caller-supplied scopes and PKCE S256.
+  async getAuthorizationUrl(args) {
+    if (args.scopes.length === 0) {
+      throw new OidcError("at least one scope is required");
+    }
+    const d = await discover(this.issuer);
+    const u = new URL(d.authorization_endpoint);
+    u.searchParams.set("response_type", "code");
+    u.searchParams.set("client_id", this.clientId);
+    u.searchParams.set("redirect_uri", this.redirectUri);
+    u.searchParams.set("scope", args.scopes.join(" "));
+    u.searchParams.set("state", args.state);
+    u.searchParams.set("nonce", args.nonce);
+    u.searchParams.set("code_challenge", args.codeChallenge);
+    u.searchParams.set("code_challenge_method", "S256");
+    for (const [key, value] of Object.entries(args.extraParams ?? {})) {
+      if (u.searchParams.has(key)) continue;
+      u.searchParams.set(key, value);
+    }
+    return u.toString();
+  }
+  // Exchange the authorization code for tokens, verify the id_token
+  // (signature via JWKS, iss/aud/nonce), then extract and verify each
+  // disclosed badge. Throws on any failure — the caller maps that to a
+  // 401.
+  async exchangeCode(args) {
+    const d = await discover(this.issuer);
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      code: args.code,
+      redirect_uri: this.redirectUri,
+      client_id: this.clientId,
+      code_verifier: args.codeVerifier
+    });
+    if (this.clientSecret) body.set("client_secret", this.clientSecret);
+    const res = await fetch(d.token_endpoint, {
+      method: "POST",
+      headers: { "content-type": "application/x-www-form-urlencoded" },
+      body
+    });
+    if (!res.ok) {
+      const detail = await res.text().catch(() => "");
+      throw new OidcError(`token exchange failed: HTTP ${res.status} ${detail}`);
+    }
+    const tokens = await res.json();
+    if (typeof tokens.id_token !== "string") {
+      throw new OidcError("token response missing id_token");
+    }
+    const idKey = args.idTokenKey ?? idTokenJwks(this.issuer, d.jwks_uri);
+    const payload = await verifyIdTokenPayload(tokens.id_token, {
+      issuer: d.issuer,
+      clientId: this.clientId,
+      nonce: args.expectedNonce,
+      key: idKey
+    });
+    const claims = claimsFromPayload(payload, tokens.id_token);
+    const { badges, rejected } = await verifyMinisterBadges(payload, {
+      issuer: this.issuer,
+      key: args.badgeKey
+    });
+    return { claims, badges, rejected };
+  }
+};
+
+// src/pkce.ts
+function b64url(bytes) {
+  let str = "";
+  for (const b of bytes) str += String.fromCharCode(b);
+  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/u, "");
+}
+function randomBytes(length) {
+  const buf = new Uint8Array(length);
+  crypto.getRandomValues(buf);
+  return buf;
+}
+async function sha256(input) {
+  const data = new TextEncoder().encode(input);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(digest);
+}
+async function generatePkce() {
+  const verifier = b64url(randomBytes(32));
+  const challenge = b64url(await sha256(verifier));
+  return { verifier, challenge };
+}
+function randomUrlToken(bytes = 16) {
+  return b64url(randomBytes(bytes));
+}
+
+// src/client.ts
+function createMinisterClient(config) {
+  const core = new OidcCore(config);
+  const issuer = config.issuer.replace(/\/$/, "");
+  return {
+    getAuthorizationUrl: (args) => core.getAuthorizationUrl(args),
+    exchangeCode: (args) => core.exchangeCode(args),
+    verifyMinisterBadge: (vcJwt, options) => verifyMinisterBadge(vcJwt, { issuer, key: options?.key }),
+    generatePkce: () => generatePkce(),
+    randomToken: (bytes) => randomUrlToken(bytes),
+    badgeScope: (slug) => badgeScope(slug)
+  };
+}
+
+// src/verifier.ts
+function createMinisterVerifier(config) {
+  const { issuer, clientId, jwks } = config;
+  return {
+    verifyIdToken: (idToken, opts) => verifyMinisterIdToken(idToken, { issuer, clientId, key: jwks, nonce: opts?.nonce }),
+    verifyBadges: (tokenOrPayload) => verifyMinisterBadges(tokenOrPayload, { issuer, clientId, key: jwks }),
+    verifyBadge: (vcJwt) => verifyMinisterBadge(vcJwt, { issuer, key: jwks })
+  };
+}
+export {
+  AGE_THRESHOLDS,
+  AgeOverClaimsFor,
+  BADGE_TYPES,
+  EmailDomainClaims,
+  EmailExactClaims,
+  InviteCodeClaims,
+  MinisterTokenError,
+  OAUTH_PROVIDERS,
+  OAuthAccountClaims,
+  OidcError,
+  ResidencyCityClaims,
+  ResidencyCountryClaims,
+  ResidencyStateClaims,
+  TlsnAttestationClaims,
+  VcVerificationError,
+  badgeScope,
+  badgeScopes,
+  badgeTypeOf,
+  buildDid,
+  createMinisterClient,
+  createMinisterVerifier,
+  defineBadgeType,
+  didFromIssuer,
+  generatePkce,
+  getBadgeClaimSchema,
+  knownBadgeTypes,
+  randomUrlToken,
+  slugForCredentialType,
+  verifyMinisterBadge,
+  verifyMinisterBadges,
+  verifyMinisterIdToken
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/oidc.ts","../src/pkce.ts","../src/client.ts","../src/verifier.ts"],"sourcesContent":["import { createRemoteJWKSet } from \"jose\";\n\nimport { OidcError } from \"./errors\";\nimport { verifyIdTokenPayload, claimsFromPayload } from \"./verify-id-token\";\nimport { verifyMinisterBadges } from \"./verify-badges\";\nimport type {\n  ExchangeResult,\n  KeyInput,\n  MinisterClientConfig,\n} from \"./types\";\n\n// The fields of the OIDC discovery document this SDK relies on.\ninterface Discovery {\n  issuer: string;\n  authorization_endpoint: string;\n  token_endpoint: string;\n  jwks_uri: string;\n}\n\n// Cache the discovery doc + id_token JWKS per issuer for the process\n// lifetime. The JWKS set fetches lazily and rotates keys on its own.\nconst discoveryCache = new Map<string, Promise<Discovery>>();\nconst idTokenJwksCache = new Map<\n  string,\n  ReturnType<typeof createRemoteJWKSet>\n>();\n\nasync function discover(issuer: string): Promise<Discovery> {\n  const cached = discoveryCache.get(issuer);\n  if (cached) return cached;\n  const p = fetch(`${issuer}/.well-known/openid-configuration`)\n      .then(async (res) => {\n        if (!res.ok) {\n          throw new OidcError(`OIDC discovery failed: HTTP ${res.status}`);\n        }\n        const doc = (await res.json()) as Discovery;\n        if (doc.issuer?.replace(/\\/$/, \"\") !== issuer.replace(/\\/$/, \"\")) {\n          throw new OidcError(\n            `OIDC discovery issuer mismatch: configured ${issuer}, document ${doc.issuer}`,\n          );\n        }\n        return doc;\n      })\n      .catch((cause) => {\n        // Don't poison the cache with a rejected promise.\n        discoveryCache.delete(issuer);\n        throw cause instanceof OidcError\n          ? cause\n          : new OidcError(\n              `OIDC discovery failed: ${cause instanceof Error ? cause.message : String(cause)}`,\n            );\n      });\n  discoveryCache.set(issuer, p);\n  return p;\n}\n\nfunction idTokenJwks(\n  issuer: string,\n  jwksUri: string,\n): ReturnType<typeof createRemoteJWKSet> {\n  let set = idTokenJwksCache.get(issuer);\n  if (!set) {\n    set = createRemoteJWKSet(new URL(jwksUri));\n    idTokenJwksCache.set(issuer, set);\n  }\n  return set;\n}\n\nexport interface GetAuthorizationUrlArgs {\n  // Requested scopes, e.g. [\"openid\", \"profile\", \"badge:age-over-21\"].\n  // `openid` is required by OIDC; this SDK does not inject it for you.\n  scopes: string[];\n  state: string;\n  nonce: string;\n  // PKCE S256 code challenge (from `generatePkce().challenge`).\n  codeChallenge: string;\n  // Extra authorize-request params appended alongside the standard ones\n  // (e.g. `{ minister_policy: \"<b64url>\" }`). Keys that collide with a\n  // standard param the SDK sets (response_type, client_id, redirect_uri,\n  // scope, state, nonce, code_challenge, code_challenge_method) are\n  // ignored, so it can never clobber them. Optional; omitting it is a\n  // no-op.\n  extraParams?: Record<string, string>;\n}\n\nexport interface ExchangeCodeArgs {\n  // The `code` query param from the callback.\n  code: string;\n  // The PKCE verifier persisted from flow start.\n  codeVerifier: string;\n  // The `nonce` persisted from flow start; the verified id_token's\n  // `nonce` must equal this.\n  expectedNonce: string;\n  // Inject the id_token verification key source (defaults to the remote\n  // JWKS at the discovery `jwks_uri`). Tests pass a public key so\n  // verification never touches the network.\n  idTokenKey?: KeyInput;\n  // Inject the badge verification key source (defaults to the remote\n  // JWKS at `${issuer}/.well-known/jwks.json`).\n  badgeKey?: KeyInput;\n}\n\n// Internal: the OIDC operations bound to a normalized config.\nexport class OidcCore {\n  private readonly issuer: string;\n  private readonly clientId: string;\n  private readonly clientSecret?: string;\n  private readonly redirectUri: string;\n\n  constructor(config: MinisterClientConfig) {\n    if (!config.issuer) throw new OidcError(\"issuer is required\");\n    if (!config.clientId) throw new OidcError(\"clientId is required\");\n    if (!config.redirectUri) throw new OidcError(\"redirectUri is required\");\n    this.issuer = config.issuer.replace(/\\/$/, \"\");\n    this.clientId = config.clientId;\n    this.clientSecret = config.clientSecret;\n    this.redirectUri = config.redirectUri;\n  }\n\n  // Discover the authorization endpoint and build the redirect URL with\n  // caller-supplied scopes and PKCE S256.\n  async getAuthorizationUrl(args: GetAuthorizationUrlArgs): Promise<string> {\n    if (args.scopes.length === 0) {\n      throw new OidcError(\"at least one scope is required\");\n    }\n    const d = await discover(this.issuer);\n    const u = new URL(d.authorization_endpoint);\n    u.searchParams.set(\"response_type\", \"code\");\n    u.searchParams.set(\"client_id\", this.clientId);\n    u.searchParams.set(\"redirect_uri\", this.redirectUri);\n    u.searchParams.set(\"scope\", args.scopes.join(\" \"));\n    u.searchParams.set(\"state\", args.state);\n    u.searchParams.set(\"nonce\", args.nonce);\n    u.searchParams.set(\"code_challenge\", args.codeChallenge);\n    u.searchParams.set(\"code_challenge_method\", \"S256\");\n    // Append caller-supplied extra params last, but never let one\n    // override a standard param the SDK just set.\n    for (const [key, value] of Object.entries(args.extraParams ?? {})) {\n      if (u.searchParams.has(key)) continue;\n      u.searchParams.set(key, value);\n    }\n    return u.toString();\n  }\n\n  // Exchange the authorization code for tokens, verify the id_token\n  // (signature via JWKS, iss/aud/nonce), then extract and verify each\n  // disclosed badge. Throws on any failure — the caller maps that to a\n  // 401.\n  async exchangeCode(args: ExchangeCodeArgs): Promise<ExchangeResult> {\n    const d = await discover(this.issuer);\n\n    const body = new URLSearchParams({\n      grant_type: \"authorization_code\",\n      code: args.code,\n      redirect_uri: this.redirectUri,\n      client_id: this.clientId,\n      code_verifier: args.codeVerifier,\n    });\n    if (this.clientSecret) body.set(\"client_secret\", this.clientSecret);\n\n    const res = await fetch(d.token_endpoint, {\n      method: \"POST\",\n      headers: { \"content-type\": \"application/x-www-form-urlencoded\" },\n      body,\n    });\n    if (!res.ok) {\n      const detail = await res.text().catch(() => \"\");\n      throw new OidcError(`token exchange failed: HTTP ${res.status} ${detail}`);\n    }\n    const tokens = (await res.json()) as { id_token?: unknown };\n    if (typeof tokens.id_token !== \"string\") {\n      throw new OidcError(\"token response missing id_token\");\n    }\n\n    const idKey = args.idTokenKey ?? idTokenJwks(this.issuer, d.jwks_uri);\n    const payload = await verifyIdTokenPayload(tokens.id_token, {\n      issuer: d.issuer,\n      clientId: this.clientId,\n      nonce: args.expectedNonce,\n      key: idKey,\n    });\n    const claims = claimsFromPayload(payload, tokens.id_token);\n    const { badges, rejected } = await verifyMinisterBadges(payload, {\n      issuer: this.issuer,\n      key: args.badgeKey,\n    });\n    return { claims, badges, rejected };\n  }\n}\n\n// Test seam: clear the discovery + id_token JWKS caches.\nexport function _resetOidcCaches(issuer?: string): void {\n  if (issuer) {\n    const normalized = issuer.replace(/\\/$/, \"\");\n    discoveryCache.delete(normalized);\n    idTokenJwksCache.delete(normalized);\n  } else {\n    discoveryCache.clear();\n    idTokenJwksCache.clear();\n  }\n}\n","import type { PkcePair } from \"./types\";\n\n// PKCE + random-token helpers built on the Web Crypto API\n// (`globalThis.crypto`), so the SDK runs unchanged on Node 20+, Deno,\n// and edge runtimes (Vercel Edge, Cloudflare Workers) — the same\n// environments jose targets. No `node:crypto` import.\n\nfunction b64url(bytes: Uint8Array): string {\n  let str = \"\";\n  for (const b of bytes) str += String.fromCharCode(b);\n  return btoa(str).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/u, \"\");\n}\n\nfunction randomBytes(length: number): Uint8Array {\n  const buf = new Uint8Array(length);\n  crypto.getRandomValues(buf);\n  return buf;\n}\n\nasync function sha256(input: string): Promise<Uint8Array> {\n  const data = new TextEncoder().encode(input);\n  const digest = await crypto.subtle.digest(\"SHA-256\", data);\n  return new Uint8Array(digest);\n}\n\n// Generate a PKCE verifier/challenge pair (RFC 7636, S256). The verifier\n// is 32 random bytes base64url-encoded; the challenge is its SHA-256.\nexport async function generatePkce(): Promise<PkcePair> {\n  const verifier = b64url(randomBytes(32));\n  const challenge = b64url(await sha256(verifier));\n  return { verifier, challenge };\n}\n\n// A URL-safe random token, used for `state` and `nonce`. 16 bytes\n// (128 bits) of entropy by default.\nexport function randomUrlToken(bytes = 16): string {\n  return b64url(randomBytes(bytes));\n}\n","import { badgeScope } from \"./badges\";\nimport {\n  OidcCore,\n  type ExchangeCodeArgs,\n  type GetAuthorizationUrlArgs,\n} from \"./oidc\";\nimport { generatePkce, randomUrlToken } from \"./pkce\";\nimport type {\n  ExchangeResult,\n  KeyInput,\n  MinisterClientConfig,\n  PkcePair,\n} from \"./types\";\nimport { verifyMinisterBadge } from \"./verify-badge\";\n\n// The relying-party client surface returned by createMinisterClient.\nexport interface MinisterClient {\n  // Discover the authorization endpoint and build the redirect URL.\n  // Pass the scopes you want, e.g. [\"openid\",\"profile\",\"badge:age-over-21\"].\n  getAuthorizationUrl(args: GetAuthorizationUrlArgs): Promise<string>;\n\n  // Exchange the callback `code` for verified id_token claims plus\n  // signature-verified, holder-bound badges.\n  exchangeCode(args: ExchangeCodeArgs): Promise<ExchangeResult>;\n\n  // Verify a single received VC badge against Minister's public keys.\n  // Useful for badges received out of band (e.g. share links), not just\n  // those returned from exchangeCode. The client supplies its own issuer.\n  verifyMinisterBadge(\n    vcJwt: string,\n    options?: { key?: KeyInput },\n  ): ReturnType<typeof verifyMinisterBadge>;\n\n  // PKCE S256 pair. Keep `verifier` server-side; put `challenge` in the\n  // auth URL.\n  generatePkce(): Promise<PkcePair>;\n\n  // 128-bit URL-safe random token for `state` / `nonce`.\n  randomToken(bytes?: number): string;\n\n  // Build a `badge:<slug>` scope string.\n  badgeScope(slug: string): string;\n}\n\n// Create a Minister relying-party client. `issuer` is Minister's origin\n// (e.g. \"https://ministry.id\"). The SDK stores no state: persistence of\n// the per-request OidcFlowState is the app's responsibility.\nexport function createMinisterClient(\n  config: MinisterClientConfig,\n): MinisterClient {\n  const core = new OidcCore(config);\n  const issuer = config.issuer.replace(/\\/$/, \"\");\n\n  return {\n    getAuthorizationUrl: (args) => core.getAuthorizationUrl(args),\n    exchangeCode: (args) => core.exchangeCode(args),\n    verifyMinisterBadge: (vcJwt, options) =>\n      verifyMinisterBadge(vcJwt, { issuer, key: options?.key }),\n    generatePkce: () => generatePkce(),\n    randomToken: (bytes) => randomUrlToken(bytes),\n    badgeScope: (slug) => badgeScope(slug),\n  };\n}\n","import { verifyMinisterIdToken } from \"./verify-id-token\";\nimport { verifyMinisterBadges } from \"./verify-badges\";\nimport { verifyMinisterBadge } from \"./verify-badge\";\nimport type { JWTPayload } from \"jose\";\nimport type { KeyInput, MinisterClaims, VerifiedBadge, BadgesResult } from \"./types\";\n\nexport interface MinisterVerifierConfig {\n  // Minister origin, e.g. \"https://ministry.id\".\n  issuer: string;\n  // When set, id_token `aud` is checked against it. Recommended.\n  clientId?: string;\n  // Inject the verification key. When omitted, each verifier fetches\n  // Minister's remote JWKS on demand. Accepts a single public key too;\n  // pass a public JWK in tests so verification stays offline.\n  jwks?: KeyInput;\n}\n\nexport interface MinisterVerifier {\n  verifyIdToken(idToken: string, opts?: { nonce?: string }): Promise<MinisterClaims>;\n  verifyBadges(tokenOrPayload: string | JWTPayload): Promise<BadgesResult>;\n  verifyBadge(vcJwt: string): Promise<VerifiedBadge>;\n}\n\n// Configure-once, reuse: binds issuer/clientId/key so the three operations\n// share one configuration. When `jwks` is injected, all three use that exact\n// key. When omitted, each underlying verifier keeps its OWN per-issuer\n// remote-JWKS cache (the id_token and badge verifiers cache independently -\n// they do NOT share a JWKSet), so expect at most one fetch per verifier per\n// issuer, not a single shared fetch.\nexport function createMinisterVerifier(config: MinisterVerifierConfig): MinisterVerifier {\n  const { issuer, clientId, jwks } = config;\n  return {\n    verifyIdToken: (idToken, opts) =>\n      verifyMinisterIdToken(idToken, { issuer, clientId, key: jwks, nonce: opts?.nonce }),\n    verifyBadges: (tokenOrPayload) =>\n      verifyMinisterBadges(tokenOrPayload, { issuer, clientId, key: jwks }),\n    verifyBadge: (vcJwt) => verifyMinisterBadge(vcJwt, { issuer, key: jwks }),\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,SAAS,0BAA0B;AAqBnC,IAAM,iBAAiB,oBAAI,IAAgC;AAC3D,IAAM,mBAAmB,oBAAI,IAG3B;AAEF,eAAe,SAAS,QAAoC;AAC1D,QAAM,SAAS,eAAe,IAAI,MAAM;AACxC,MAAI,OAAQ,QAAO;AACnB,QAAM,IAAI,MAAM,GAAG,MAAM,mCAAmC,EACvD,KAAK,OAAO,QAAQ;AACnB,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,IAAI,UAAU,+BAA+B,IAAI,MAAM,EAAE;AAAA,IACjE;AACA,UAAM,MAAO,MAAM,IAAI,KAAK;AAC5B,QAAI,IAAI,QAAQ,QAAQ,OAAO,EAAE,MAAM,OAAO,QAAQ,OAAO,EAAE,GAAG;AAChE,YAAM,IAAI;AAAA,QACR,8CAA8C,MAAM,cAAc,IAAI,MAAM;AAAA,MAC9E;AAAA,IACF;AACA,WAAO;AAAA,EACT,CAAC,EACA,MAAM,CAAC,UAAU;AAEhB,mBAAe,OAAO,MAAM;AAC5B,UAAM,iBAAiB,YACnB,QACA,IAAI;AAAA,MACF,0BAA0B,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAClF;AAAA,EACN,CAAC;AACL,iBAAe,IAAI,QAAQ,CAAC;AAC5B,SAAO;AACT;AAEA,SAAS,YACP,QACA,SACuC;AACvC,MAAI,MAAM,iBAAiB,IAAI,MAAM;AACrC,MAAI,CAAC,KAAK;AACR,UAAM,mBAAmB,IAAI,IAAI,OAAO,CAAC;AACzC,qBAAiB,IAAI,QAAQ,GAAG;AAAA,EAClC;AACA,SAAO;AACT;AAqCO,IAAM,WAAN,MAAe;AAAA,EACH;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,QAA8B;AACxC,QAAI,CAAC,OAAO,OAAQ,OAAM,IAAI,UAAU,oBAAoB;AAC5D,QAAI,CAAC,OAAO,SAAU,OAAM,IAAI,UAAU,sBAAsB;AAChE,QAAI,CAAC,OAAO,YAAa,OAAM,IAAI,UAAU,yBAAyB;AACtE,SAAK,SAAS,OAAO,OAAO,QAAQ,OAAO,EAAE;AAC7C,SAAK,WAAW,OAAO;AACvB,SAAK,eAAe,OAAO;AAC3B,SAAK,cAAc,OAAO;AAAA,EAC5B;AAAA;AAAA;AAAA,EAIA,MAAM,oBAAoB,MAAgD;AACxE,QAAI,KAAK,OAAO,WAAW,GAAG;AAC5B,YAAM,IAAI,UAAU,gCAAgC;AAAA,IACtD;AACA,UAAM,IAAI,MAAM,SAAS,KAAK,MAAM;AACpC,UAAM,IAAI,IAAI,IAAI,EAAE,sBAAsB;AAC1C,MAAE,aAAa,IAAI,iBAAiB,MAAM;AAC1C,MAAE,aAAa,IAAI,aAAa,KAAK,QAAQ;AAC7C,MAAE,aAAa,IAAI,gBAAgB,KAAK,WAAW;AACnD,MAAE,aAAa,IAAI,SAAS,KAAK,OAAO,KAAK,GAAG,CAAC;AACjD,MAAE,aAAa,IAAI,SAAS,KAAK,KAAK;AACtC,MAAE,aAAa,IAAI,SAAS,KAAK,KAAK;AACtC,MAAE,aAAa,IAAI,kBAAkB,KAAK,aAAa;AACvD,MAAE,aAAa,IAAI,yBAAyB,MAAM;AAGlD,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,KAAK,eAAe,CAAC,CAAC,GAAG;AACjE,UAAI,EAAE,aAAa,IAAI,GAAG,EAAG;AAC7B,QAAE,aAAa,IAAI,KAAK,KAAK;AAAA,IAC/B;AACA,WAAO,EAAE,SAAS;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aAAa,MAAiD;AAClE,UAAM,IAAI,MAAM,SAAS,KAAK,MAAM;AAEpC,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,MAAM,KAAK;AAAA,MACX,cAAc,KAAK;AAAA,MACnB,WAAW,KAAK;AAAA,MAChB,eAAe,KAAK;AAAA,IACtB,CAAC;AACD,QAAI,KAAK,aAAc,MAAK,IAAI,iBAAiB,KAAK,YAAY;AAElE,UAAM,MAAM,MAAM,MAAM,EAAE,gBAAgB;AAAA,MACxC,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D;AAAA,IACF,CAAC;AACD,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,SAAS,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC9C,YAAM,IAAI,UAAU,+BAA+B,IAAI,MAAM,IAAI,MAAM,EAAE;AAAA,IAC3E;AACA,UAAM,SAAU,MAAM,IAAI,KAAK;AAC/B,QAAI,OAAO,OAAO,aAAa,UAAU;AACvC,YAAM,IAAI,UAAU,iCAAiC;AAAA,IACvD;AAEA,UAAM,QAAQ,KAAK,cAAc,YAAY,KAAK,QAAQ,EAAE,QAAQ;AACpE,UAAM,UAAU,MAAM,qBAAqB,OAAO,UAAU;AAAA,MAC1D,QAAQ,EAAE;AAAA,MACV,UAAU,KAAK;AAAA,MACf,OAAO,KAAK;AAAA,MACZ,KAAK;AAAA,IACP,CAAC;AACD,UAAM,SAAS,kBAAkB,SAAS,OAAO,QAAQ;AACzD,UAAM,EAAE,QAAQ,SAAS,IAAI,MAAM,qBAAqB,SAAS;AAAA,MAC/D,QAAQ,KAAK;AAAA,MACb,KAAK,KAAK;AAAA,IACZ,CAAC;AACD,WAAO,EAAE,QAAQ,QAAQ,SAAS;AAAA,EACpC;AACF;;;ACrLA,SAAS,OAAO,OAA2B;AACzC,MAAI,MAAM;AACV,aAAW,KAAK,MAAO,QAAO,OAAO,aAAa,CAAC;AACnD,SAAO,KAAK,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,QAAQ,EAAE;AAC7E;AAEA,SAAS,YAAY,QAA4B;AAC/C,QAAM,MAAM,IAAI,WAAW,MAAM;AACjC,SAAO,gBAAgB,GAAG;AAC1B,SAAO;AACT;AAEA,eAAe,OAAO,OAAoC;AACxD,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,KAAK;AAC3C,QAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AACzD,SAAO,IAAI,WAAW,MAAM;AAC9B;AAIA,eAAsB,eAAkC;AACtD,QAAM,WAAW,OAAO,YAAY,EAAE,CAAC;AACvC,QAAM,YAAY,OAAO,MAAM,OAAO,QAAQ,CAAC;AAC/C,SAAO,EAAE,UAAU,UAAU;AAC/B;AAIO,SAAS,eAAe,QAAQ,IAAY;AACjD,SAAO,OAAO,YAAY,KAAK,CAAC;AAClC;;;ACUO,SAAS,qBACd,QACgB;AAChB,QAAM,OAAO,IAAI,SAAS,MAAM;AAChC,QAAM,SAAS,OAAO,OAAO,QAAQ,OAAO,EAAE;AAE9C,SAAO;AAAA,IACL,qBAAqB,CAAC,SAAS,KAAK,oBAAoB,IAAI;AAAA,IAC5D,cAAc,CAAC,SAAS,KAAK,aAAa,IAAI;AAAA,IAC9C,qBAAqB,CAAC,OAAO,YAC3B,oBAAoB,OAAO,EAAE,QAAQ,KAAK,SAAS,IAAI,CAAC;AAAA,IAC1D,cAAc,MAAM,aAAa;AAAA,IACjC,aAAa,CAAC,UAAU,eAAe,KAAK;AAAA,IAC5C,YAAY,CAAC,SAAS,WAAW,IAAI;AAAA,EACvC;AACF;;;ACjCO,SAAS,uBAAuB,QAAkD;AACvF,QAAM,EAAE,QAAQ,UAAU,KAAK,IAAI;AACnC,SAAO;AAAA,IACL,eAAe,CAAC,SAAS,SACvB,sBAAsB,SAAS,EAAE,QAAQ,UAAU,KAAK,MAAM,OAAO,MAAM,MAAM,CAAC;AAAA,IACpF,cAAc,CAAC,mBACb,qBAAqB,gBAAgB,EAAE,QAAQ,UAAU,KAAK,KAAK,CAAC;AAAA,IACtE,aAAa,CAAC,UAAU,oBAAoB,OAAO,EAAE,QAAQ,KAAK,KAAK,CAAC;AAAA,EAC1E;AACF;","names":[]}

package/dist/types-BHY-mOJf.d.ts

@@ -0,0 +1,56 @@
+import { KeyLike, JWTVerifyGetKey } from 'jose';
+
+declare class VcVerificationError extends Error {
+    constructor(message: string);
+}
+declare class OidcError extends Error {
+    constructor(message: string);
+}
+declare class MinisterTokenError extends Error {
+    constructor(message: string);
+}
+
+interface MinisterClientConfig {
+    issuer: string;
+    clientId: string;
+    clientSecret?: string;
+    redirectUri: string;
+}
+interface PkcePair {
+    verifier: string;
+    challenge: string;
+}
+interface OidcFlowState {
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    expiresAt: number;
+}
+interface MinisterClaims {
+    sub: string;
+    name?: string;
+    picture?: string;
+    raw: string;
+}
+interface VerifiedBadge {
+    type: string;
+    claims: Record<string, unknown>;
+    subject: string;
+    raw: string;
+}
+interface RejectedBadge {
+    raw: string;
+    error: VcVerificationError;
+}
+interface BadgesResult {
+    badges: VerifiedBadge[];
+    rejected: RejectedBadge[];
+}
+interface ExchangeResult {
+    claims: MinisterClaims;
+    badges: VerifiedBadge[];
+    rejected: RejectedBadge[];
+}
+type KeyInput = KeyLike | Uint8Array | JWTVerifyGetKey;
+
+export { type BadgesResult as B, type ExchangeResult as E, type KeyInput as K, type MinisterClientConfig as M, OidcError as O, type PkcePair as P, type RejectedBadge as R, type VerifiedBadge as V, type MinisterClaims as a, MinisterTokenError as b, type OidcFlowState as c, VcVerificationError as d };

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "@ministryofmany/client",
+  "version": "0.1.0",
+  "description": "TypeScript SDK for OIDC relying parties authenticating users via Minister and consuming W3C verifiable-credential badges.",
+  "type": "module",
+  "license": "MIT OR Apache-2.0",
+  "author": "AtHeartEngineer",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./auth-js": {
+      "types": "./dist/auth-js.d.ts",
+      "import": "./dist/auth-js.js"
+    },
+    "./badges": {
+      "types": "./dist/badges/index.d.ts",
+      "import": "./dist/badges/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "sideEffects": false,
+  "dependencies": {
+    "jose": "^5.9.6",
+    "zod": "^3.24.1"
+  },
+  "peerDependencies": {
+    "@auth/core": "^0.37.0"
+  },
+  "peerDependenciesMeta": {
+    "@auth/core": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@auth/core": "^0.37.0",
+    "tsup": "^8.3.5",
+    "typescript": "^5.6.3",
+    "vitest": "^2.1.8"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsup",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run"
+  }
+}