npm - @naylence/runtime - Versions diffs - 0.3.5-test.924 → 0.3.5-test.926 - Mend

@naylence/runtime 0.3.5-test.924 → 0.3.5-test.926

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/browser/index.cjs +39 -54
package/dist/browser/index.mjs +39 -54
package/dist/cjs/naylence/fame/security/auth/oauth2-pkce-token-provider.js +31 -50
package/dist/cjs/naylence/fame/security/default-security-manager-factory.js +6 -2
package/dist/cjs/version.js +2 -2
package/dist/esm/naylence/fame/security/auth/oauth2-pkce-token-provider.js +31 -50
package/dist/esm/naylence/fame/security/default-security-manager-factory.js +6 -2
package/dist/esm/version.js +2 -2
package/dist/node/index.cjs +39 -54
package/dist/node/index.mjs +39 -54
package/dist/node/node.cjs +39 -54
package/dist/node/node.mjs +39 -54
package/dist/types/naylence/fame/security/auth/oauth2-pkce-token-provider.d.ts +5 -0
package/dist/types/version.d.ts +1 -1
package/package.json +1 -1

package/dist/browser/index.cjs CHANGED Viewed

@@ -98,12 +98,12 @@ installProcessEnvShim();
 // --- END ENV SHIM ---
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.924
+// Generated from package.json version: 0.3.5-test.926
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.924';
+const VERSION = '0.3.5-test.926';
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -34891,7 +34891,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!certificateManager) {
             certificateManager =
-                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy, trustStoreProvider);
         }
         return new DefaultSecurityManager(policy, envelopeSigner, envelopeVerifier, encryptionManager, keyManager, authorizer, certificateManager, secureChannelManager, keyValidator ?? null);
     }
@@ -35147,7 +35147,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             throw error instanceof Error ? error : new Error(String(error));
         }
     }
-    static async createCertificateManagerFromConfig(config, policy) {
+    static async createCertificateManagerFromConfig(config, policy, trustStoreProvider) {
         const certificateConfig = config.certificate_manager ?? null;
         if (certificateConfig &&
             DefaultSecurityManagerFactory.isConfigLike(certificateConfig)) {
@@ -35160,8 +35160,12 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
                 return null;
             }
             const signing = policy.signing ?? null;
+            const trustStorePem = trustStoreProvider
+                ? async () => await trustStoreProvider.getTrustStorePem()
+                : null;
             return await CertificateManagerFactory.createCertificateManager(null, {
                 signing: signing ?? null,
+                factoryArgs: trustStorePem ? [trustStorePem] : [],
             });
         }
         catch (error) {
@@ -39004,14 +39008,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -39063,57 +39071,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -39414,6 +39388,17 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 var oauth2PkceTokenProvider = /*#__PURE__*/Object.freeze({

package/dist/browser/index.mjs CHANGED Viewed

@@ -96,12 +96,12 @@ installProcessEnvShim();
 // --- END ENV SHIM ---
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.924
+// Generated from package.json version: 0.3.5-test.926
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.924';
+const VERSION = '0.3.5-test.926';
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -34889,7 +34889,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!certificateManager) {
             certificateManager =
-                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy, trustStoreProvider);
         }
         return new DefaultSecurityManager(policy, envelopeSigner, envelopeVerifier, encryptionManager, keyManager, authorizer, certificateManager, secureChannelManager, keyValidator ?? null);
     }
@@ -35145,7 +35145,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             throw error instanceof Error ? error : new Error(String(error));
         }
     }
-    static async createCertificateManagerFromConfig(config, policy) {
+    static async createCertificateManagerFromConfig(config, policy, trustStoreProvider) {
         const certificateConfig = config.certificate_manager ?? null;
         if (certificateConfig &&
             DefaultSecurityManagerFactory.isConfigLike(certificateConfig)) {
@@ -35158,8 +35158,12 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
                 return null;
             }
             const signing = policy.signing ?? null;
+            const trustStorePem = trustStoreProvider
+                ? async () => await trustStoreProvider.getTrustStorePem()
+                : null;
             return await CertificateManagerFactory.createCertificateManager(null, {
                 signing: signing ?? null,
+                factoryArgs: trustStorePem ? [trustStorePem] : [],
             });
         }
         catch (error) {
@@ -39002,14 +39006,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -39061,57 +39069,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -39412,6 +39386,17 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 var oauth2PkceTokenProvider = /*#__PURE__*/Object.freeze({

package/dist/cjs/naylence/fame/security/auth/oauth2-pkce-token-provider.js CHANGED Viewed

@@ -145,14 +145,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -204,57 +208,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -556,5 +526,16 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 exports.OAuth2PkceTokenProvider = OAuth2PkceTokenProvider;

package/dist/cjs/naylence/fame/security/default-security-manager-factory.js CHANGED Viewed

@@ -168,7 +168,7 @@ class DefaultSecurityManagerFactory extends security_manager_factory_js_1.Securi
         }
         if (!certificateManager) {
             certificateManager =
-                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy, trustStoreProvider);
         }
         return new default_security_manager_js_1.DefaultSecurityManager(policy, envelopeSigner, envelopeVerifier, encryptionManager, keyManager, authorizer, certificateManager, secureChannelManager, keyValidator ?? null);
     }
@@ -424,7 +424,7 @@ class DefaultSecurityManagerFactory extends security_manager_factory_js_1.Securi
             throw error instanceof Error ? error : new Error(String(error));
         }
     }
-    static async createCertificateManagerFromConfig(config, policy) {
+    static async createCertificateManagerFromConfig(config, policy, trustStoreProvider) {
         const certificateConfig = config.certificate_manager ?? null;
         if (certificateConfig &&
             DefaultSecurityManagerFactory.isConfigLike(certificateConfig)) {
@@ -437,8 +437,12 @@ class DefaultSecurityManagerFactory extends security_manager_factory_js_1.Securi
                 return null;
             }
             const signing = policy.signing ?? null;
+            const trustStorePem = trustStoreProvider
+                ? async () => await trustStoreProvider.getTrustStorePem()
+                : null;
             return await certificate_manager_factory_js_1.CertificateManagerFactory.createCertificateManager(null, {
                 signing: signing ?? null,
+                factoryArgs: trustStorePem ? [trustStorePem] : [],
             });
         }
         catch (error) {

package/dist/cjs/version.js CHANGED Viewed

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.924
+// Generated from package.json version: 0.3.5-test.926
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.3.5-test.924';
+exports.VERSION = '0.3.5-test.926';

package/dist/esm/naylence/fame/security/auth/oauth2-pkce-token-provider.js CHANGED Viewed

@@ -142,14 +142,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -201,57 +205,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -552,4 +522,15 @@ export class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }

package/dist/esm/naylence/fame/security/default-security-manager-factory.js CHANGED Viewed

@@ -165,7 +165,7 @@ export class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!certificateManager) {
             certificateManager =
-                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy, trustStoreProvider);
         }
         return new DefaultSecurityManager(policy, envelopeSigner, envelopeVerifier, encryptionManager, keyManager, authorizer, certificateManager, secureChannelManager, keyValidator ?? null);
     }
@@ -421,7 +421,7 @@ export class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             throw error instanceof Error ? error : new Error(String(error));
         }
     }
-    static async createCertificateManagerFromConfig(config, policy) {
+    static async createCertificateManagerFromConfig(config, policy, trustStoreProvider) {
         const certificateConfig = config.certificate_manager ?? null;
         if (certificateConfig &&
             DefaultSecurityManagerFactory.isConfigLike(certificateConfig)) {
@@ -434,8 +434,12 @@ export class DefaultSecurityManagerFactory extends SecurityManagerFactory {
                 return null;
             }
             const signing = policy.signing ?? null;
+            const trustStorePem = trustStoreProvider
+                ? async () => await trustStoreProvider.getTrustStorePem()
+                : null;
             return await CertificateManagerFactory.createCertificateManager(null, {
                 signing: signing ?? null,
+                factoryArgs: trustStorePem ? [trustStorePem] : [],
             });
         }
         catch (error) {

package/dist/esm/version.js CHANGED Viewed

@@ -1,7 +1,7 @@
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.924
+// Generated from package.json version: 0.3.5-test.926
 /**
  * The package version, injected at build time.
  * @internal
  */
-export const VERSION = '0.3.5-test.924';
+export const VERSION = '0.3.5-test.926';

package/dist/node/index.cjs CHANGED Viewed

@@ -14,12 +14,12 @@ var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.924
+// Generated from package.json version: 0.3.5-test.926
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.924';
+const VERSION = '0.3.5-test.926';
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -33613,7 +33613,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!certificateManager) {
             certificateManager =
-                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy, trustStoreProvider);
         }
         return new DefaultSecurityManager(policy, envelopeSigner, envelopeVerifier, encryptionManager, keyManager, authorizer, certificateManager, secureChannelManager, keyValidator ?? null);
     }
@@ -33869,7 +33869,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             throw error instanceof Error ? error : new Error(String(error));
         }
     }
-    static async createCertificateManagerFromConfig(config, policy) {
+    static async createCertificateManagerFromConfig(config, policy, trustStoreProvider) {
         const certificateConfig = config.certificate_manager ?? null;
         if (certificateConfig &&
             DefaultSecurityManagerFactory.isConfigLike(certificateConfig)) {
@@ -33882,8 +33882,12 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
                 return null;
             }
             const signing = policy.signing ?? null;
+            const trustStorePem = trustStoreProvider
+                ? async () => await trustStoreProvider.getTrustStorePem()
+                : null;
             return await CertificateManagerFactory.createCertificateManager(null, {
                 signing: signing ?? null,
+                factoryArgs: trustStorePem ? [trustStorePem] : [],
             });
         }
         catch (error) {
@@ -38918,14 +38922,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -38977,57 +38985,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -39328,6 +39302,17 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 var oauth2PkceTokenProvider = /*#__PURE__*/Object.freeze({

package/dist/node/index.mjs CHANGED Viewed

@@ -13,12 +13,12 @@ import fastify from 'fastify';
 import websocketPlugin from '@fastify/websocket';
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.924
+// Generated from package.json version: 0.3.5-test.926
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.924';
+const VERSION = '0.3.5-test.926';
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -33612,7 +33612,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!certificateManager) {
             certificateManager =
-                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy, trustStoreProvider);
         }
         return new DefaultSecurityManager(policy, envelopeSigner, envelopeVerifier, encryptionManager, keyManager, authorizer, certificateManager, secureChannelManager, keyValidator ?? null);
     }
@@ -33868,7 +33868,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             throw error instanceof Error ? error : new Error(String(error));
         }
     }
-    static async createCertificateManagerFromConfig(config, policy) {
+    static async createCertificateManagerFromConfig(config, policy, trustStoreProvider) {
         const certificateConfig = config.certificate_manager ?? null;
         if (certificateConfig &&
             DefaultSecurityManagerFactory.isConfigLike(certificateConfig)) {
@@ -33881,8 +33881,12 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
                 return null;
             }
             const signing = policy.signing ?? null;
+            const trustStorePem = trustStoreProvider
+                ? async () => await trustStoreProvider.getTrustStorePem()
+                : null;
             return await CertificateManagerFactory.createCertificateManager(null, {
                 signing: signing ?? null,
+                factoryArgs: trustStorePem ? [trustStorePem] : [],
             });
         }
         catch (error) {
@@ -38917,14 +38921,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -38976,57 +38984,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -39327,6 +39301,17 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 var oauth2PkceTokenProvider = /*#__PURE__*/Object.freeze({

package/dist/node/node.cjs CHANGED Viewed

@@ -5372,12 +5372,12 @@ for (const [name, config] of Object.entries(SQLITE_PROFILES)) {
 }
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.924
+// Generated from package.json version: 0.3.5-test.926
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.924';
+const VERSION = '0.3.5-test.926';
 /**
  * Fame errors module - Fame protocol specific error classes
@@ -38173,7 +38173,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!certificateManager) {
             certificateManager =
-                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy, trustStoreProvider);
         }
         return new DefaultSecurityManager(policy, envelopeSigner, envelopeVerifier, encryptionManager, keyManager, authorizer, certificateManager, secureChannelManager, keyValidator ?? null);
     }
@@ -38429,7 +38429,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             throw error instanceof Error ? error : new Error(String(error));
         }
     }
-    static async createCertificateManagerFromConfig(config, policy) {
+    static async createCertificateManagerFromConfig(config, policy, trustStoreProvider) {
         const certificateConfig = config.certificate_manager ?? null;
         if (certificateConfig &&
             DefaultSecurityManagerFactory.isConfigLike(certificateConfig)) {
@@ -38442,8 +38442,12 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
                 return null;
             }
             const signing = policy.signing ?? null;
+            const trustStorePem = trustStoreProvider
+                ? async () => await trustStoreProvider.getTrustStorePem()
+                : null;
             return await CertificateManagerFactory.createCertificateManager(null, {
                 signing: signing ?? null,
+                factoryArgs: trustStorePem ? [trustStorePem] : [],
             });
         }
         catch (error) {
@@ -41136,14 +41140,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -41195,57 +41203,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -41546,6 +41520,17 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 var oauth2PkceTokenProvider = /*#__PURE__*/Object.freeze({

package/dist/node/node.mjs CHANGED Viewed

@@ -5371,12 +5371,12 @@ for (const [name, config] of Object.entries(SQLITE_PROFILES)) {
 }
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.924
+// Generated from package.json version: 0.3.5-test.926
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.924';
+const VERSION = '0.3.5-test.926';
 /**
  * Fame errors module - Fame protocol specific error classes
@@ -38172,7 +38172,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!certificateManager) {
             certificateManager =
-                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createCertificateManagerFromConfig(config, policy, trustStoreProvider);
         }
         return new DefaultSecurityManager(policy, envelopeSigner, envelopeVerifier, encryptionManager, keyManager, authorizer, certificateManager, secureChannelManager, keyValidator ?? null);
     }
@@ -38428,7 +38428,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             throw error instanceof Error ? error : new Error(String(error));
         }
     }
-    static async createCertificateManagerFromConfig(config, policy) {
+    static async createCertificateManagerFromConfig(config, policy, trustStoreProvider) {
         const certificateConfig = config.certificate_manager ?? null;
         if (certificateConfig &&
             DefaultSecurityManagerFactory.isConfigLike(certificateConfig)) {
@@ -38441,8 +38441,12 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
                 return null;
             }
             const signing = policy.signing ?? null;
+            const trustStorePem = trustStoreProvider
+                ? async () => await trustStoreProvider.getTrustStorePem()
+                : null;
             return await CertificateManagerFactory.createCertificateManager(null, {
                 signing: signing ?? null,
+                factoryArgs: trustStorePem ? [trustStorePem] : [],
             });
         }
         catch (error) {
@@ -41135,14 +41139,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -41194,57 +41202,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -41545,6 +41519,17 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 var oauth2PkceTokenProvider = /*#__PURE__*/Object.freeze({

package/dist/types/naylence/fame/security/auth/oauth2-pkce-token-provider.d.ts CHANGED Viewed

@@ -38,5 +38,10 @@ export declare class OAuth2PkceTokenProvider implements TokenProvider {
     private resolveFetch;
     private resolveOptionalSecret;
     private exchangeToken;
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken(): void;
 }
 export {};

package/dist/types/version.d.ts CHANGED Viewed

@@ -2,4 +2,4 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.3.5-test.924";
+export declare const VERSION = "0.3.5-test.926";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@naylence/runtime",
-  "version": "0.3.5-test.924",
+  "version": "0.3.5-test.926",
   "type": "module",
   "description": "Naylence Runtime - Complete TypeScript runtime",
   "author": "Naylence Dev <naylencedev@gmail.com>",