@naylence/runtime 0.3.5-test.911 → 0.3.5-test.914

package/dist/cjs/naylence/fame/security/crypto/providers/default-crypto-provider.js

@@ -34,9 +34,6 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DefaultCryptoProvider = void 0;
-const asn1_schema_1 = require("@peculiar/asn1-schema");
-const asn1_x509_1 = require("@peculiar/asn1-x509");
-const asn1_csr_1 = require("@peculiar/asn1-csr");
 const core_1 = require("@naylence/core");
 const logging_js_1 = require("../../../util/logging.js");
 const util_js_1 = require("../../../util/util.js");
@@ -52,11 +49,6 @@ const DEFAULT_AUDIENCE = 'router-dev';
 const DEFAULT_TTL_SEC = 3600;
 const DEFAULT_HMAC_SECRET_BYTES = 32;
 const ENCRYPTION_ALG = 'ECDH-ES';
-const EXTENSION_REQUEST_OID = '1.2.840.113549.1.9.14';
-const COMMON_NAME_OID = '2.5.4.3';
-const ED25519_OID = '1.3.101.112';
-const CSR_PEM_TAG = 'CERTIFICATE REQUEST';
-const LOGICAL_URI_PREFIX = 'naylence://';
 function normalizeDefaultCryptoProviderOptions(options) {
     if (!options) {
         return {};
@@ -322,76 +314,6 @@ class DefaultCryptoProvider {
             has_chain: Boolean(certificateChainPem),
         });
     }
-    async createCsr(nodeId, physicalPath, logicals, subjectName) {
-        const trimmedNodeId = assertNonEmptyString(nodeId, 'nodeId');
-        const trimmedPhysicalPath = assertNonEmptyString(physicalPath, 'physicalPath');
-        try {
-            if (this.artifacts.signing.algorithm !== 'EdDSA') {
-                throw new Error('CSR creation only supported for Ed25519 signing keys in the default crypto provider');
-            }
-            const cryptoImpl = await ensureWebCrypto();
-            const privateKey = await cryptoImpl.subtle.importKey('pkcs8', pemToArrayBuffer(this.signingPrivatePem), {
-                name: 'Ed25519',
-            }, false, ['sign']);
-            const publicKeyDer = pemToArrayBuffer(this.signingPublicPem);
-            const subjectPkInfo = asn1_schema_1.AsnConvert.parse(publicKeyDer, asn1_x509_1.SubjectPublicKeyInfo);
-            const sanitizedLogicals = Array.isArray(logicals)
-                ? logicals.filter((value) => typeof value === 'string' && value.trim().length > 0)
-                : [];
-            const commonName = typeof subjectName === 'string' && subjectName.trim().length > 0
-                ? subjectName.trim()
-                : trimmedNodeId;
-            const subject = buildSubjectName(commonName);
-            const attributes = new asn1_csr_1.Attributes();
-            if (sanitizedLogicals.length > 0) {
-                const san = new asn1_x509_1.SubjectAlternativeName(sanitizedLogicals.map((logical) => new asn1_x509_1.GeneralName({
-                    uniformResourceIdentifier: `${LOGICAL_URI_PREFIX}${logical}`,
-                })));
-                const extensions = new asn1_x509_1.Extensions([
-                    new asn1_x509_1.Extension({
-                        extnID: asn1_x509_1.id_ce_subjectAltName,
-                        critical: false,
-                        extnValue: new asn1_schema_1.OctetString(asn1_schema_1.AsnConvert.serialize(san)),
-                    }),
-                ]);
-                attributes.push(new asn1_x509_1.Attribute({
-                    type: EXTENSION_REQUEST_OID,
-                    values: [asn1_schema_1.AsnConvert.serialize(extensions)],
-                }));
-            }
-            const requestInfo = new asn1_csr_1.CertificationRequestInfo({
-                subject,
-                subjectPKInfo: subjectPkInfo,
-                attributes,
-            });
-            const requestInfoDer = asn1_schema_1.AsnConvert.serialize(requestInfo);
-            const signature = await cryptoImpl.subtle.sign('Ed25519', privateKey, requestInfoDer);
-            const certificationRequest = new asn1_csr_1.CertificationRequest({
-                certificationRequestInfo: requestInfo,
-                signatureAlgorithm: new asn1_x509_1.AlgorithmIdentifier({
-                    algorithm: ED25519_OID,
-                }),
-                signature: encodeBitString(signature),
-            });
-            certificationRequest.certificationRequestInfoRaw = requestInfoDer;
-            const csrDer = asn1_schema_1.AsnConvert.serialize(certificationRequest);
-            const csrPem = arrayBufferToPem(csrDer, CSR_PEM_TAG);
-            logger.debug('csr_created', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                logical_count: sanitizedLogicals.length,
-            });
-            return csrPem;
-        }
-        catch (error) {
-            logger.error('csr_creation_failed', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                error: error instanceof Error ? error.message : String(error),
-            });
-            throw error;
-        }
-    }
 }
 exports.DefaultCryptoProvider = DefaultCryptoProvider;
 async function buildProviderArtifacts(options) {
@@ -628,90 +550,6 @@ function pemToDerBase64(pem) {
     // Ensure the output is valid base64 without whitespace
     return base64.replace(/\s+/g, '');
 }
-let cryptoPromise = null;
-async function ensureWebCrypto() {
-    if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto?.subtle) {
-        return globalThis.crypto;
-    }
-    if (!cryptoPromise) {
-        if (typeof process !== 'undefined' &&
-            typeof process.versions?.node === 'string') {
-            cryptoPromise = Promise.resolve().then(() => __importStar(require('node:crypto'))).then((module) => {
-                const webcrypto = module.webcrypto;
-                if (!webcrypto || !webcrypto.subtle) {
-                    throw new Error('WebCrypto API is not available in this Node.js runtime');
-                }
-                globalThis.crypto = webcrypto;
-                return webcrypto;
-            });
-        }
-        else {
-            cryptoPromise = Promise.reject(new Error('WebCrypto API is not available in this environment'));
-        }
-    }
-    return cryptoPromise;
-}
-function pemToArrayBuffer(pem) {
-    const normalized = pem
-        .replace(/-----BEGIN[^-]+-----/g, '')
-        .replace(/-----END[^-]+-----/g, '')
-        .replace(/\s+/g, '');
-    const bytes = base64ToBytes(normalized);
-    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
-}
-function base64ToBytes(base64) {
-    if (typeof Buffer !== 'undefined') {
-        const buffer = Buffer.from(base64, 'base64');
-        const bytes = new Uint8Array(buffer.length);
-        for (let i = 0; i < buffer.length; i += 1) {
-            bytes[i] = buffer[i];
-        }
-        return bytes;
-    }
-    if (typeof atob === 'function') {
-        const binary = atob(base64);
-        const bytes = new Uint8Array(binary.length);
-        for (let i = 0; i < binary.length; i += 1) {
-            bytes[i] = binary.charCodeAt(i);
-        }
-        return bytes;
-    }
-    throw new Error('No base64 decoder available in this environment');
-}
-function arrayBufferToPem(buffer, tag) {
-    const base64 = bytesToBase64(new Uint8Array(buffer));
-    return `-----BEGIN ${tag}-----\n${formatPem(base64)}\n-----END ${tag}-----\n`;
-}
-function formatPem(base64) {
-    const lines = [];
-    for (let i = 0; i < base64.length; i += 64) {
-        lines.push(base64.slice(i, i + 64));
-    }
-    return lines.join('\n');
-}
-function encodeBitString(signature) {
-    const bytes = new Uint8Array(signature);
-    const bitString = new Uint8Array(bytes.length + 1);
-    bitString.set(bytes, 1);
-    return bitString.buffer;
-}
-function buildSubjectName(commonName) {
-    const attribute = new asn1_x509_1.AttributeTypeAndValue({
-        type: COMMON_NAME_OID,
-        value: new asn1_x509_1.AttributeValue({ utf8String: commonName }),
-    });
-    return new asn1_x509_1.Name([new asn1_x509_1.RelativeDistinguishedName([attribute])]);
-}
-function assertNonEmptyString(value, name) {
-    if (typeof value !== 'string') {
-        throw new TypeError(`${name} must be a string`);
-    }
-    const trimmed = value.trim();
-    if (trimmed.length === 0) {
-        throw new TypeError(`${name} must be a non-empty string`);
-    }
-    return trimmed;
-}
 function cloneJson(value) {
     return JSON.parse(JSON.stringify(value));
 }

package/dist/cjs/version.js

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.911
+// Generated from package.json version: 0.3.5-test.914
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.3.5-test.911';
+exports.VERSION = '0.3.5-test.914';

package/dist/esm/naylence/fame/config/extended-fame-config.js

@@ -14,6 +14,61 @@ const CONFIG_SEARCH_PATHS = [
 ];
 const fsModuleSpecifier = String.fromCharCode(102) + String.fromCharCode(115);
 let cachedFsModule = null;
+// Capture this module's URL without triggering TypeScript's import.meta restriction on CJS builds
+const currentModuleUrl = (() => {
+    try {
+        return (0, eval)('import.meta.url');
+    }
+    catch {
+        return undefined;
+    }
+})();
+let cachedNodeRequire = typeof require === 'function' ? require : null;
+function fileUrlToPath(url) {
+    try {
+        const parsed = new URL(url);
+        if (parsed.protocol !== 'file:') {
+            return null;
+        }
+        let pathname = parsed.pathname;
+        if (typeof process !== 'undefined' &&
+            process.platform === 'win32' &&
+            pathname.startsWith('/')) {
+            pathname = pathname.slice(1);
+        }
+        return decodeURIComponent(pathname);
+    }
+    catch {
+        return null;
+    }
+}
+function getNodeRequire() {
+    if (cachedNodeRequire) {
+        return cachedNodeRequire;
+    }
+    if (!isNode) {
+        return null;
+    }
+    const processBinding = process.binding;
+    if (typeof processBinding !== 'function') {
+        return null;
+    }
+    try {
+        const moduleWrap = processBinding('module_wrap');
+        if (typeof moduleWrap?.createRequire !== 'function') {
+            return null;
+        }
+        const modulePathFromUrl = currentModuleUrl
+            ? fileUrlToPath(currentModuleUrl)
+            : null;
+        const requireSource = modulePathFromUrl ?? `${process.cwd()}/.naylence-require-shim.js`;
+        cachedNodeRequire = moduleWrap.createRequire(requireSource);
+        return cachedNodeRequire;
+    }
+    catch {
+        return null;
+    }
+}
 function getFsModule() {
     if (cachedFsModule) {
         return cachedFsModule;
@@ -21,9 +76,10 @@ function getFsModule() {
     if (!isNode) {
         throw new Error('File system access is not available in this environment');
     }
-    if (typeof require === 'function') {
+    const nodeRequire = typeof require === 'function' ? require : getNodeRequire();
+    if (nodeRequire) {
         try {
-            cachedFsModule = require(fsModuleSpecifier);
+            cachedFsModule = nodeRequire(fsModuleSpecifier);
             return cachedFsModule;
         }
         catch (error) {

package/dist/esm/naylence/fame/http/jwks-api-router.js

@@ -1,10 +1,9 @@
 /**
- * JWKS (JSON Web Key Set) API router for Express
+ * JWKS (JSON Web Key Set) API plugin for Fastify
  *
  * Provides /.well-known/jwks.json endpoint for public key discovery
  * Used by OAuth2/JWT token verification
  */
-import express from 'express';
 import { getLogger } from '../util/logging.js';
 const logger = getLogger('naylence.fame.http.jwks_api_router');
 const DEFAULT_PREFIX = '';
@@ -84,23 +83,22 @@ function filterKeysByType(jwksData, allowedTypes) {
     return { ...jwksData, keys: filteredKeys };
 }
 /**
- * Create an Express router that exposes JWKS at /.well-known/jwks.json
+ * Create a Fastify plugin that exposes JWKS at /.well-known/jwks.json
  *
  * @param options - Router configuration options
- * @returns Express router with JWKS endpoint
+ * @returns Fastify plugin with JWKS endpoint
  *
  * @example
  * ```typescript
- * import express from 'express';
+ * import Fastify from 'fastify';
  * import { createJwksRouter } from '@naylence/runtime';
  *
- * const app = express();
+ * const app = Fastify();
  * const cryptoProvider = new MyCryptoProvider();
- * app.use(createJwksRouter({ cryptoProvider }));
+ * app.register(createJwksRouter({ cryptoProvider }));
  * ```
  */
 export function createJwksRouter(options = {}) {
-    const router = express.Router();
     const { getJwksJson, cryptoProvider, prefix = DEFAULT_PREFIX, keyTypes, } = normalizeCreateJwksRouterOptions(options);
     // Get JWKS data
     let jwks;
@@ -123,14 +121,15 @@ export function createJwksRouter(options = {}) {
         key_types: allowedKeyTypes,
         total_keys: jwks.keys.length,
     });
-    // JWKS endpoint
-    router.get(`${prefix}/.well-known/jwks.json`, (_req, res) => {
-        const filteredJwks = filterKeysByType(jwks, allowedKeyTypes);
-        logger.debug('jwks_served', {
-            total_keys: jwks.keys.length,
-            filtered_keys: filteredJwks.keys.length,
+    const plugin = async (instance) => {
+        instance.get(`${prefix}/.well-known/jwks.json`, async (_request, reply) => {
+            const filteredJwks = filterKeysByType(jwks, allowedKeyTypes);
+            logger.debug('jwks_served', {
+                total_keys: jwks.keys.length,
+                filtered_keys: filteredJwks.keys.length,
+            });
+            reply.send(filteredJwks);
         });
-        res.json(filteredJwks);
-    });
-    return router;
+    };
+    return plugin;
 }

package/dist/esm/naylence/fame/http/oauth2-server.js

@@ -21,7 +21,7 @@
  *   FAME_JWT_ISSUER: JWT issuer (default: https://auth.fame.fabric)
  *   FAME_JWT_ALGORITHM: JWT algorithm (default: EdDSA)
  */
-import express from 'express';
+import Fastify from 'fastify';
 import { createOAuth2TokenRouter } from './oauth2-token-router.js';
 import { createJwksRouter } from './jwks-api-router.js';
 import { createOpenIDConfigurationRouter } from './openid-configuration-router.js';
@@ -53,23 +53,18 @@ async function getCryptoProvider() {
     return DefaultCryptoProvider.create();
 }
 /**
- * Create and configure the OAuth2 Express application
+ * Create and configure the OAuth2 Fastify application
  */
 export async function createApp() {
-    const app = express();
-    // Middleware
-    app.use(express.json());
-    app.use(express.urlencoded({ extended: true }));
+    const app = Fastify({ logger: false });
     // Get crypto provider
     const cryptoProvider = await getCryptoProvider();
     // Add routers
-    app.use(createOAuth2TokenRouter({ cryptoProvider }));
-    app.use(createJwksRouter({ cryptoProvider }));
-    app.use(createOpenIDConfigurationRouter());
+    app.register(createOAuth2TokenRouter({ cryptoProvider }));
+    app.register(createJwksRouter({ cryptoProvider }));
+    app.register(createOpenIDConfigurationRouter());
     // Health check endpoint
-    app.get('/health', (_req, res) => {
-        res.json({ status: 'ok' });
-    });
+    app.get('/health', async () => ({ status: 'ok' }));
     return app;
 }
 /**
@@ -97,27 +92,29 @@ async function main() {
     });
     const app = await createApp();
     // Start server
-    app.listen(port, host, () => {
-        logger.info('oauth2_server_started', {
-            host,
-            port,
-            endpoints: {
-                token: '/oauth/token',
-                jwks: '/.well-known/jwks.json',
-                openid_config: '/.well-known/openid-configuration',
-                health: '/health',
-            },
-        });
+    await app.listen({ port, host });
+    logger.info('oauth2_server_started', {
+        host,
+        port,
+        endpoints: {
+            token: '/oauth/token',
+            jwks: '/.well-known/jwks.json',
+            openid_config: '/.well-known/openid-configuration',
+            health: '/health',
+        },
     });
+    const shutdown = (signal) => {
+        logger.info('oauth2_server_shutting_down', { signal });
+        app
+            .close()
+            .catch((error) => logger.error('oauth2_server_shutdown_error', {
+            error: error instanceof Error ? error.message : String(error),
+        }))
+            .finally(() => process.exit(0));
+    };
     // Graceful shutdown
-    process.on('SIGINT', () => {
-        logger.info('oauth2_server_shutting_down', { signal: 'SIGINT' });
-        process.exit(0);
-    });
-    process.on('SIGTERM', () => {
-        logger.info('oauth2_server_shutting_down', { signal: 'SIGTERM' });
-        process.exit(0);
-    });
+    process.on('SIGINT', () => shutdown('SIGINT'));
+    process.on('SIGTERM', () => shutdown('SIGTERM'));
 }
 // Export main for CLI usage
 export { main };

package/dist/esm/naylence/fame/http/oauth2-token-router.js

@@ -1,15 +1,160 @@
 /**
- * OAuth2 client credentials and authorization code (PKCE) grant router for Express
+ * OAuth2 client credentials and authorization code (PKCE) grant router for Fastify
  *
  * Provides /oauth/token and /oauth/authorize endpoints for local development and testing.
  * Implements OAuth2 client credentials grant with JWT token issuance and
  * OAuth2 authorization code grant with PKCE verification.
  */
-import express from 'express';
+import formbody from '@fastify/formbody';
 import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';
 import { JWTTokenIssuer } from '../security/auth/jwt-token-issuer.js';
 import { getLogger } from '../util/logging.js';
 const logger = getLogger('naylence.fame.http.oauth2_token_router');
+class RouterCompat {
+    constructor() {
+        this.routes = [];
+    }
+    get(path, handler) {
+        this.routes.push({ method: 'GET', path, handler });
+    }
+    post(path, handler) {
+        this.routes.push({ method: 'POST', path, handler });
+    }
+    toPlugin() {
+        return async (fastify) => {
+            await fastify.register(formbody);
+            for (const route of this.routes) {
+                fastify.route({
+                    method: route.method,
+                    url: route.path,
+                    handler: async (request, reply) => {
+                        const compatRequest = toCompatRequest(request);
+                        const compatResponse = new FastifyResponseAdapter(reply);
+                        await route.handler(compatRequest, compatResponse);
+                    },
+                });
+            }
+        };
+    }
+}
+class FastifyResponseAdapter {
+    constructor(reply) {
+        this.reply = reply;
+    }
+    status(code) {
+        this.reply.status(code);
+        return this;
+    }
+    set(field, value) {
+        if (field.toLowerCase() === 'set-cookie') {
+            this.appendHeader(field, value);
+        }
+        else {
+            this.reply.header(field, value);
+        }
+        return this;
+    }
+    type(contentType) {
+        const normalized = contentType === 'html'
+            ? 'text/html'
+            : contentType === 'json'
+                ? 'application/json'
+                : contentType;
+        this.reply.type(normalized);
+        return this;
+    }
+    json(payload) {
+        this.reply.send(payload);
+    }
+    send(payload) {
+        this.reply.send(payload);
+    }
+    redirect(statusOrUrl, maybeUrl) {
+        if (typeof statusOrUrl === 'number') {
+            if (maybeUrl === undefined) {
+                throw new Error('redirect url is required when status code is provided');
+            }
+            this.reply.status(statusOrUrl);
+            this.reply.header('Location', maybeUrl);
+            this.reply.send();
+        }
+        else {
+            this.reply.redirect(statusOrUrl);
+        }
+    }
+    cookie(name, value, options) {
+        const serialized = serializeCookie(name, value, options);
+        this.appendHeader('Set-Cookie', serialized);
+    }
+    appendHeader(name, value) {
+        const existing = this.reply.getHeader(name);
+        if (Array.isArray(existing)) {
+            this.reply.header(name, [...existing, value]);
+        }
+        else if (typeof existing === 'string') {
+            this.reply.header(name, [existing, value]);
+        }
+        else if (existing === undefined) {
+            this.reply.header(name, value);
+        }
+        else {
+            this.reply.header(name, [String(existing), value]);
+        }
+    }
+}
+function toCompatRequest(request) {
+    const headers = {};
+    for (const [key, value] of Object.entries(request.headers)) {
+        if (typeof value === 'string') {
+            headers[key.toLowerCase()] = value;
+        }
+        else if (Array.isArray(value)) {
+            headers[key.toLowerCase()] = value.join(', ');
+        }
+        else if (value !== undefined && value !== null) {
+            headers[key.toLowerCase()] = String(value);
+        }
+        else {
+            headers[key.toLowerCase()] = undefined;
+        }
+    }
+    return {
+        body: request.body,
+        headers,
+        method: request.method,
+        originalUrl: request.raw.url ?? request.url,
+        query: request.query ?? {},
+    };
+}
+function serializeCookie(name, value, options) {
+    const segments = [
+        `${encodeURIComponent(name)}=${encodeURIComponent(value)}`,
+    ];
+    if (options.maxAge !== undefined) {
+        const maxAgeMs = options.maxAge;
+        const maxAgeSeconds = Math.floor(maxAgeMs / 1000);
+        segments.push(`Max-Age=${maxAgeSeconds}`);
+        const expires = new Date(Date.now() + maxAgeMs).toUTCString();
+        segments.push(`Expires=${expires}`);
+    }
+    segments.push(`Path=${options.path ?? '/'}`);
+    if (options.httpOnly) {
+        segments.push('HttpOnly');
+    }
+    if (options.secure) {
+        segments.push('Secure');
+    }
+    if (options.sameSite) {
+        const normalized = options.sameSite.toLowerCase();
+        const formatted = normalized === 'strict'
+            ? 'Strict'
+            : normalized === 'none'
+                ? 'None'
+                : 'Lax';
+        segments.push(`SameSite=${formatted}`);
+    }
+    return segments.join('; ');
+}
 const DEFAULT_PREFIX = '/oauth';
 const ENV_VAR_CLIENT_ID = 'FAME_JWT_CLIENT_ID';
 const ENV_VAR_CLIENT_SECRET = 'FAME_JWT_CLIENT_SECRET';
@@ -431,11 +576,11 @@ function respondInvalidClient(res) {
     });
 }
 /**
- * Create an Express router that implements OAuth2 token and authorization endpoints
+ * Create a Fastify plugin that implements OAuth2 token and authorization endpoints
  * with support for client credentials and authorization code (PKCE) grants.
  *
  * @param options - Router configuration options
- * @returns Express router with OAuth2 token and authorization endpoints
+ * @returns Fastify plugin with OAuth2 token and authorization endpoints
  *
  * Environment Variables:
  *   FAME_JWT_CLIENT_ID: OAuth2 client identifier
@@ -449,7 +594,7 @@ function respondInvalidClient(res) {
  *   FAME_OAUTH_CODE_TTL_SEC: Authorization code TTL in seconds (optional, default: 300)
  */
 export function createOAuth2TokenRouter(options) {
-    const router = express.Router();
+    const router = new RouterCompat();
     const { cryptoProvider, prefix = DEFAULT_PREFIX, issuer, audience, tokenTtlSec, allowedScopes: configAllowedScopes, algorithm: configAlgorithm, enablePkce: configEnablePkce, allowPublicClients: configAllowPublicClients, authorizationCodeTtlSec: configAuthorizationCodeTtlSec, enableDevLogin: configEnableDevLogin, devLoginUsername: configDevLoginUsername, devLoginPassword: configDevLoginPassword, devLoginSessionTtlSec: configDevLoginSessionTtlSec, devLoginCookieName: configDevLoginCookieName, devLoginSecureCookie: configDevLoginSecureCookie, devLoginTitle: configDevLoginTitle, } = normalizeCreateOAuth2TokenRouterOptions(options);
     if (!cryptoProvider) {
         throw new Error('cryptoProvider is required to create OAuth2 token router');
@@ -748,7 +893,7 @@ export function createOAuth2TokenRouter(options) {
     };
     router.post(`${prefix}/logout`, logoutHandler);
     router.get(`${prefix}/logout`, logoutHandler);
-    router.post(`${prefix}/token`, async (req, res, next) => {
+    router.post(`${prefix}/token`, async (req, res) => {
         try {
             cleanupAuthorizationCodes(authorizationCodes, Date.now());
             const { grant_type, client_id, client_secret, scope, audience: reqAudience, code, redirect_uri, code_verifier, } = req.body ?? {};
@@ -933,7 +1078,7 @@ export function createOAuth2TokenRouter(options) {
         }
         catch (error) {
             logger.error('oauth2_token_error', { error: error.message });
-            next(error);
+            throw error;
         }
     });
     async function issueTokenResponse(params) {
@@ -966,5 +1111,5 @@ export function createOAuth2TokenRouter(options) {
         }
         return response;
     }
-    return router;
+    return router.toPlugin();
 }