@monocloud/auth-core 0.1.7 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.mts CHANGED
@@ -1,4 +1,4 @@
1
- import { A as SecurityAlgorithms, C as Prompt, D as RefreshSessionOptions, E as RefreshGrantOptions, M as UserinfoResponse, O as ResponseModes, S as ParResponse, T as RefetchUserInfoOptions, _ as JwsHeaderParameters, a as Authenticators, b as MonoCloudUser, c as ClientAuthMethod, d as EndSessionParameters, f as Group, g as Jwks, h as Jwk, i as AuthenticateOptions, j as Tokens, k as ResponseTypes, l as CodeChallengeMethod, m as IssuerMetadata, n as Address, o as AuthorizationParams, p as IdTokenClaims, r as AuthState, s as CallbackParams, t as AccessToken, u as DisplayOptions, v as MonoCloudClientOptions, w as PushedAuthorizationParams, x as OnSessionCreating, y as MonoCloudSession } from "./types-DmlJMcTH.mjs";
1
+ import { A as PushedAuthorizationParams, B as ValidateJwtAccessTokenOptions, C as MonoCloudOidcBackendClientOptions, D as OnSessionCreating, E as MonoCloudUser, F as ResponseTypes, I as SecurityAlgorithms, L as TokenValidationOptionsBase, M as RefreshGrantOptions, N as RefreshSessionOptions, O as ParResponse, P as ResponseModes, R as Tokens, S as MonoCloudClientOptionsBase, T as MonoCloudSession, _ as IssuerMetadata, a as AuthenticateOptions, b as JwsHeaderParameters, c as CallbackParams, d as DisplayOptions, f as EndSessionParameters, g as IsUserInGroupOptions, h as IntrospectOptions, i as AuthState, j as RefetchUserInfoOptions, k as Prompt, l as ClientAuthMethod, m as IdTokenClaims, n as AccessTokenClaims, o as Authenticators, p as Group, r as Address, s as AuthorizationParams, t as AccessToken, u as CodeChallengeMethod, v as Jwk, w as MonoCloudOidcClientOptions, x as JwtClaims, y as Jwks, z as UserinfoResponse } from "./types-txr_P9Iq.mjs";
2
2
 
3
3
  //#region src/errors/monocloud-auth-base-error.d.ts
4
4
  /**
@@ -52,40 +52,55 @@ declare class MonoCloudTokenError extends MonoCloudAuthBaseError {}
52
52
  */
53
53
  declare class MonoCloudValidationError extends MonoCloudAuthBaseError {}
54
54
  //#endregion
55
- //#region src/monocloud-oidc-client.d.ts
55
+ //#region src/monocloud-oidc-client-base.d.ts
56
56
  /**
57
57
  * @category Classes
58
58
  */
59
- declare class MonoCloudOidcClient {
60
- private readonly tenantDomain;
61
- private readonly clientId;
62
- private readonly clientSecret?;
63
- private readonly authMethod;
64
- private readonly idTokenSigningAlgorithm;
65
- private jwks?;
66
- private jwksCacheExpiry;
67
- private jwksCacheDuration;
68
- private metadata?;
69
- private metadataCacheExpiry;
70
- private metadataCacheDuration;
71
- constructor(tenantDomain: string, clientId: string, options?: MonoCloudClientOptions);
59
+ declare class MonoCloudOidcClientBase {
72
60
  /**
73
- * Generates an authorization URL with specified parameters.
74
- *
75
- * If no values are provided for `responseType`, or `codeChallengeMethod`, they default to `code`, and `S256`, respectively.
76
- *
77
- * @param params - Authorization URL parameters.
78
- *
79
- * @returns Tenant's authorization URL.
80
- *
81
- * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
82
- * unexpected status code during the request or a serialization error while processing the response.
61
+ * The normalized tenant domain URL used as the base for discovery endpoints.
62
+ */
63
+ protected readonly tenantDomain: string;
64
+ /**
65
+ * Cached JSON Web Key Set retrieved from the issuer's JWKS endpoint.
66
+ */
67
+ protected jwks?: Jwks;
68
+ /**
69
+ * Timestamp (in seconds) when the cached JWKS expires.
70
+ */
71
+ protected jwksCacheExpiry: number;
72
+ /**
73
+ * Duration (in seconds) for which the JWKS is cached. Defaults to 300 (5 minutes).
74
+ */
75
+ protected jwksCacheDuration: number;
76
+ /**
77
+ * Cached issuer metadata retrieved from the OpenID Connect discovery endpoint.
78
+ */
79
+ protected metadata?: IssuerMetadata;
80
+ /**
81
+ * Timestamp (in seconds) when the cached metadata expires.
82
+ */
83
+ protected metadataCacheExpiry: number;
84
+ /**
85
+ * Duration (in seconds) for which the metadata is cached. Defaults to 300 (5 minutes).
86
+ */
87
+ protected metadataCacheDuration: number;
88
+ /**
89
+ * Custom fetch implementation used for making HTTP requests. Falls back to the global `fetch` if not provided.
90
+ */
91
+ protected fetcher?: typeof fetch;
92
+ /**
93
+ * Creates a new instance of MonoCloudOidcClientBase.
83
94
  *
95
+ * @param tenantDomain - The tenant domain URL.
96
+ * @param metadataCacheDuration - Duration (in seconds) to cache OpenID Connect discovery metadata. Defaults to 300 (5 minutes).
97
+ * @param jwksCacheDuration - Duration (in seconds) to cache the JSON Web Key Set (JWKS). Defaults to 300 (5 minutes).
98
+ * @param fetcher - Custom `fetch` implementation used for making HTTP requests. Falls back to the global `fetch` if not provided.
84
99
  */
85
- authorizationUrl(params: AuthorizationParams): Promise<string>;
100
+ constructor(tenantDomain: string, metadataCacheDuration?: number, jwksCacheDuration?: number, fetcher?: typeof fetch);
86
101
  /**
87
102
  * Fetches the authorization server metadata from the .well-known endpoint.
88
- * The metadata is cached for 1 minute.
103
+ * The metadata is cached for 5 minutes by default.
89
104
  *
90
105
  * @param forceRefresh - If `true`, bypasses the cache and fetches fresh metadata from the server.
91
106
  *
@@ -98,7 +113,7 @@ declare class MonoCloudOidcClient {
98
113
  getMetadata(forceRefresh?: boolean): Promise<IssuerMetadata>;
99
114
  /**
100
115
  * Fetches the JSON Web Keys used to sign the ID token.
101
- * The JWKS is cached for 1 minute.
116
+ * The JWKS is cached for 5 minutes by default.
102
117
  *
103
118
  * @param forceRefresh - If `true`, bypasses the cache and fetches fresh set of JWKS from the server.
104
119
  *
@@ -109,6 +124,52 @@ declare class MonoCloudOidcClient {
109
124
  *
110
125
  */
111
126
  getJwks(forceRefresh?: boolean): Promise<Jwks>;
127
+ /**
128
+ * Decodes the payload of a JSON Web Token (JWT) and returns it as an object.
129
+ *
130
+ * >Note: THIS METHOD DOES NOT VERIFY JWT TOKENS.
131
+ *
132
+ * @param jwt - JWT to decode.
133
+ *
134
+ * @returns Decoded payload.
135
+ *
136
+ * @throws {@link MonoCloudTokenError} - If decoding fails
137
+ *
138
+ */
139
+ static decodeJwt(jwt: string): JwtClaims;
140
+ }
141
+ //#endregion
142
+ //#region src/monocloud-oidc-client.d.ts
143
+ /**
144
+ * @category Classes
145
+ */
146
+ declare class MonoCloudOidcClient extends MonoCloudOidcClientBase {
147
+ private readonly clientId;
148
+ private readonly clientSecret?;
149
+ private readonly authMethod;
150
+ private readonly idTokenSigningAlgorithm;
151
+ /**
152
+ * Creates a new instance of MonoCloudOidcClient.
153
+ *
154
+ * @param tenantDomain - The tenant domain URL.
155
+ * @param clientId - Client id of the application registered in MonoCloud.
156
+ * @param options - Additional client configuration options.
157
+ */
158
+ constructor(tenantDomain: string, clientId: string, options?: MonoCloudOidcClientOptions);
159
+ /**
160
+ * Generates an authorization URL with specified parameters.
161
+ *
162
+ * If no values are provided for `responseType`, or `codeChallengeMethod`, they default to `code`, and `S256`, respectively.
163
+ *
164
+ * @param params - Authorization URL parameters.
165
+ *
166
+ * @returns Tenant's authorization URL.
167
+ *
168
+ * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
169
+ * unexpected status code during the request or a serialization error while processing the response.
170
+ *
171
+ */
172
+ authorizationUrl(params: AuthorizationParams): Promise<string>;
112
173
  /**
113
174
  * Performs a pushed authorization request.
114
175
  *
@@ -292,20 +353,87 @@ declare class MonoCloudOidcClient {
292
353
  *
293
354
  */
294
355
  validateIdToken(idToken: string, jwks: Jwk[], clockSkew: number, clockTolerance: number, maxAge?: number, nonce?: string): Promise<IdTokenClaims>;
356
+ }
357
+ //#endregion
358
+ //#region src/monocloud-oidc-backend-client.d.ts
359
+ /**
360
+ * @category Classes
361
+ */
362
+ declare class MonoCloudOidcBackendClient extends MonoCloudOidcClientBase {
363
+ private readonly clientId?;
364
+ private readonly clientSecret?;
365
+ private readonly authMethod;
366
+ private readonly audience;
367
+ private readonly groupOptions?;
295
368
  /**
296
- * Decodes the payload of a JSON Web Token (JWT) and returns it as an object.
369
+ * Number of seconds to adjust the current time to account for clock differences between the client and server during time-based claim validation. Defaults to 0.
370
+ */
371
+ protected clockSkew: number;
372
+ /**
373
+ * Additional time tolerance in seconds applied when validating time-based claims (`exp`, `nbf`). Defaults to 300 (5 minutes).
374
+ */
375
+ protected clockTolerance: number;
376
+ /**
377
+ * Creates a new instance of MonoCloudOidcBackendClient.
297
378
  *
298
- * >Note: THIS METHOD DOES NOT VERIFY JWT TOKENS.
379
+ * @param tenantDomain - The tenant domain URL.
380
+ * @param audience - The expected audience value used to validate the `aud` claim in access tokens.
381
+ * @param options - Additional client configuration options.
382
+ */
383
+ constructor(tenantDomain: string, audience: string, options?: MonoCloudOidcBackendClientOptions);
384
+ /**
385
+ * Validates an opaque access token using the OAuth 2.0 Token Introspection endpoint (RFC 7662).
299
386
  *
300
- * @param jwt - JWT to decode.
387
+ * @param accessToken - The access token string to introspect.
388
+ * @param options - Claims validation options.
301
389
  *
302
- * @returns Decoded payload.
390
+ * @returns Validated access token claims (without the `active` field).
303
391
  *
304
- * @throws {@link MonoCloudTokenError} - If decoding fails
392
+ * @throws {@link MonoCloudTokenError} - If the token is not active or claim validation fails.
393
+ *
394
+ * @throws {@link MonoCloudOPError} - When the introspection endpoint returns a standardized
395
+ * OAuth 2.0 error response.
396
+ *
397
+ * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
398
+ * unexpected status code during the request or a serialization error while processing the response.
399
+ *
400
+ * @throws {@link MonoCloudValidationError} - When the access token is empty or the introspection
401
+ * endpoint is not available in the issuer metadata or claims validation fails.
402
+ *
403
+ */
404
+ introspectAccessToken(accessToken: string, options?: IntrospectOptions): Promise<AccessTokenClaims>;
405
+ /**
406
+ * Validates a JWT access token by verifying the signature and claims.
407
+ *
408
+ * @param accessToken - The access token JWT string to validate.
409
+ * @param options - Validation options.
305
410
  *
411
+ * @returns Validated access token claims.
412
+ *
413
+ * @throws {@link MonoCloudTokenError} - If JWT parsing, signature verification, or claim validation fails.
414
+ *
415
+ * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
416
+ * unexpected status code during the request or a serialization error while processing the response.
417
+ *
418
+ * @throws {@link MonoCloudValidationError} - When the access token is empty or claims validation fails.
419
+ *
420
+ */
421
+ validateJwtAccessToken(accessToken: string, options?: ValidateJwtAccessTokenOptions): Promise<AccessTokenClaims>;
422
+ /**
423
+ * Sets clock skew used for access token time-based claim validation.
424
+ *
425
+ * @param clockSkew - Number of seconds to adjust the current time to account for clock differences.
426
+ */
427
+ setClockSkew(clockSkew: number): void;
428
+ /**
429
+ * Sets clock tolerance used for access token time-based claim validation.
430
+ *
431
+ * @param clockTolerance - Additional time tolerance in seconds for time-based claim validation.
306
432
  */
307
- static decodeJwt(jwt: string): IdTokenClaims;
433
+ setClockTolerance(clockTolerance: number): void;
434
+ private validateAccessTokenClaims;
435
+ private validateCertificateBinding;
308
436
  }
309
437
  //#endregion
310
- export { type AccessToken, type Address, type AuthState, type AuthenticateOptions, type Authenticators, type AuthorizationParams, type CallbackParams, type ClientAuthMethod, type CodeChallengeMethod, type DisplayOptions, type EndSessionParameters, type Group, type IdTokenClaims, type IssuerMetadata, type Jwk, type Jwks, type JwsHeaderParameters, MonoCloudAuthBaseError, type MonoCloudClientOptions, MonoCloudHttpError, MonoCloudOPError, MonoCloudOidcClient, type MonoCloudSession, MonoCloudTokenError, type MonoCloudUser, MonoCloudValidationError, type OnSessionCreating, type ParResponse, type Prompt, type PushedAuthorizationParams, type RefetchUserInfoOptions, type RefreshGrantOptions, type RefreshSessionOptions, type ResponseModes, type ResponseTypes, type SecurityAlgorithms, type Tokens, type UserinfoResponse };
438
+ export { type AccessToken, type AccessTokenClaims, type Address, type AuthState, type AuthenticateOptions, type Authenticators, type AuthorizationParams, type CallbackParams, type ClientAuthMethod, type CodeChallengeMethod, type DisplayOptions, type EndSessionParameters, type Group, type IdTokenClaims, type IntrospectOptions, type IsUserInGroupOptions, type IssuerMetadata, type Jwk, type Jwks, type JwsHeaderParameters, type JwtClaims, MonoCloudAuthBaseError, type MonoCloudClientOptionsBase, MonoCloudHttpError, MonoCloudOPError, MonoCloudOidcBackendClient, type MonoCloudOidcBackendClientOptions, MonoCloudOidcClient, MonoCloudOidcClientBase, type MonoCloudOidcClientOptions, type MonoCloudSession, MonoCloudTokenError, type MonoCloudUser, MonoCloudValidationError, type OnSessionCreating, type ParResponse, type Prompt, type PushedAuthorizationParams, type RefetchUserInfoOptions, type RefreshGrantOptions, type RefreshSessionOptions, type ResponseModes, type ResponseTypes, type SecurityAlgorithms, type TokenValidationOptionsBase, type Tokens, type UserinfoResponse, type ValidateJwtAccessTokenOptions };
311
439
  //# sourceMappingURL=index.d.mts.map