npm - @nekm/sveltekit-armor - Versions diffs - 0.1.0 - Mend

@nekm/sveltekit-armor 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/LICENSE.md +20 -0
package/README.md +1 -0
package/dist/contracts.d.ts +38 -0
package/dist/index.d.ts +7 -0
package/dist/index.esm.js +221 -0
package/dist/index.esm.js.map +1 -0
package/dist/index.js +224 -0
package/dist/index.js.map +1 -0
package/dist/routes/login.d.ts +3 -0
package/dist/routes/logout.d.ts +3 -0
package/dist/routes/redirect-login.d.ts +3 -0
package/dist/routes/redirect-logout.d.ts +3 -0
package/dist/routes/routes.d.ts +8 -0
package/dist/utils/cookie.d.ts +6 -0
package/dist/utils/jwt.d.ts +4 -0
package/dist/utils/utils.d.ts +3 -0
package/dist/utils/utils.test.d.ts +1 -0
package/package.json +80 -0
package/src/contracts.ts +51 -0
package/src/index.ts +44 -0
package/src/routes/login.ts +31 -0
package/src/routes/logout.ts +29 -0
package/src/routes/redirect-login.ts +103 -0
package/src/routes/redirect-logout.ts +25 -0
package/src/routes/routes.ts +30 -0
package/src/utils/cookie.ts +41 -0
package/src/utils/jwt.ts +35 -0
package/src/utils/utils.test.ts +18 -0
package/src/utils/utils.ts +23 -0

package/LICENSE.md ADDED Viewed

@@ -0,0 +1,20 @@
+MIT License
+Copyright (c) 2025 Niklas Ekman
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ # SvelteKit Armor

package/dist/contracts.d.ts ADDED Viewed

@@ -0,0 +1,38 @@
+import type { RequestEvent } from "@sveltejs/kit";
+import type { JWTPayload } from "jose";
+export interface ArmorTokenExchange {
+    readonly access_token: string;
+    readonly id_token: string;
+    readonly token_type: "Bearer";
+    readonly expires_in: number;
+    readonly refresh_token?: string;
+    readonly scope?: string;
+}
+export type ArmorIdToken = Required<Pick<JWTPayload, "iss" | "sub" | "aud" | "exp" | "iat">> & Omit<JWTPayload, "iss" | "sub" | "aud" | "exp" | "iat">;
+export interface ArmorAccessToken extends JWTPayload {
+    client_id?: string;
+    scope?: string;
+    version?: number;
+}
+export interface ArmorTokens {
+    readonly exchange: ArmorTokenExchange;
+    readonly idToken: ArmorIdToken;
+    readonly accessToken: ArmorAccessToken;
+}
+export interface ArmorConfig {
+    readonly session: {
+        readonly exists?: (event: RequestEvent) => Promise<boolean> | boolean;
+        readonly login?: (event: RequestEvent, tokens: ArmorTokens) => Promise<void> | void;
+        readonly logout?: (event: RequestEvent) => Promise<void> | void;
+    };
+    readonly oauth: {
+        readonly clientId: string;
+        readonly clientSecret: string;
+        readonly baseUrl: string;
+        readonly jwksUrl?: string;
+        readonly issuer: string;
+        readonly authorizePath?: string;
+        readonly logoutPath?: string;
+        readonly tokenPath?: string;
+    };
+}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { type Handle, Cookies } from "@sveltejs/kit";
+import type { ArmorConfig, ArmorTokens } from "./contracts";
+export type { ArmorConfig, ArmorTokens };
+export declare const ARMOR_LOGIN = "/_auth/login";
+export declare const ARMOR_LOGOUT = "/_auth/logout";
+export declare function armor(config: ArmorConfig): Handle;
+export declare function armorCookiesGetTokens(cookies: Cookies): ArmorTokens;

package/dist/index.esm.js ADDED Viewed

@@ -0,0 +1,221 @@
+import { redirect, error } from '@sveltejs/kit';
+import { strTrimEnd, throwIfUndefined, queryParamsCreate, noop } from '@nekm/core';
+import { jwtVerify, createRemoteJWKSet } from 'jose';
+import { randomUUID } from 'node:crypto';
+function urlConcat(origin, path) {
+  return `${strTrimEnd(origin, "/")}/${path}`;
+}
+function isTokenExchange(value) {
+  if (typeof value !== "object" || value === null) return false;
+  const obj = value;
+  return typeof obj.access_token === "string" && obj.token_type === "Bearer" && typeof obj.expires_in === "number" && (
+  // Optional fields
+  typeof obj.id_token === "string" || obj.id_token === undefined) && (typeof obj.refresh_token === "string" || obj.refresh_token === undefined) && (typeof obj.scope === "string" || obj.scope === undefined);
+}
+const COOKIE_TOKENS = "tokens";
+const COOKIE_STATE = "state";
+const cookieDeleteOptions = Object.freeze({
+  path: "/"
+});
+const cookieSetOptions = Object.freeze({
+  ...cookieDeleteOptions,
+  httpOnly: true,
+  secure: true,
+  sameSite: "lax",
+  maxAge: 1800 // 30 minutes
+});
+function cookieSet(cookies, key, value) {
+  cookies.set(key, JSON.stringify(value), cookieSetOptions);
+}
+function cookieGetAndDelete(cookies, key) {
+  const value = cookieGet(cookies, key);
+  if (value) {
+    cookies.delete(key, cookieDeleteOptions);
+  }
+  return value;
+}
+function cookieGet(cookies, key) {
+  const value = cookies.get(key);
+  return !value ? undefined : JSON.parse(value);
+}
+function jwtVerifyIdToken(config, jwks, idToken) {
+  return jwtVerifyToken(jwks, {
+    issuer: config.oauth.issuer,
+    audience: config.oauth.clientId
+  }, idToken);
+}
+function jwtVerifyAccessToken(config, jwks, accessToken) {
+  return jwtVerifyToken(jwks, {
+    issuer: config.oauth.issuer
+  }, accessToken);
+}
+async function jwtVerifyToken(jwks, options, token) {
+  const {
+    payload
+  } = await jwtVerify(token, jwks, options);
+  return payload;
+}
+const ROUTE_PATH_REDIRECT_LOGIN = "/_auth/redirect/login";
+const routeRedirectLoginFactory = config => {
+  var _config$oauth$jwksUrl, _config$oauth$tokenPa, _config$session$login;
+  const jwksUrl = new URL((_config$oauth$jwksUrl = config.oauth.jwksUrl) != null ? _config$oauth$jwksUrl : `${strTrimEnd(config.oauth.issuer, "/")}/.well-known/jwks.json`);
+  const tokenUrl = `${config.oauth.baseUrl}/${(_config$oauth$tokenPa = config.oauth.tokenPath) != null ? _config$oauth$tokenPa : "oauth2/token"}`;
+  const sessionLogin = (_config$session$login = config.session.login) != null ? _config$session$login : (event, tokens) => cookieSet(event.cookies, COOKIE_TOKENS, tokens);
+  async function exchangeCodeForToken(fetch, origin, code) {
+    const response = await fetch(tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        client_id: config.oauth.clientId,
+        client_secret: config.oauth.clientSecret,
+        code,
+        redirect_uri: urlConcat(origin, ROUTE_PATH_REDIRECT_LOGIN)
+      }).toString()
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Token exchange failed: ${error}`);
+    }
+    const token = await response.json();
+    if (!isTokenExchange(token)) {
+      throw new Error("Response is not a valid token exchange.");
+    }
+    return token;
+  }
+  return {
+    path: ROUTE_PATH_REDIRECT_LOGIN,
+    async handle({
+      event
+    }) {
+      var _event$url$searchPara, _event$url$searchPara2;
+      const state = (_event$url$searchPara = event.url.searchParams.get("state")) != null ? _event$url$searchPara : undefined;
+      const stateCookie = cookieGetAndDelete(event.cookies, COOKIE_STATE);
+      if (state !== stateCookie) {
+        throw new Error("State do not match");
+      }
+      const code = (_event$url$searchPara2 = event.url.searchParams.get("code")) != null ? _event$url$searchPara2 : undefined;
+      throwIfUndefined(code);
+      const exchange = await exchangeCodeForToken(fetch, event.url.origin, code);
+      const jwks = createRemoteJWKSet(jwksUrl);
+      const [idToken, accessToken] = await Promise.all([jwtVerifyIdToken(config, jwks, exchange.id_token), jwtVerifyAccessToken(config, jwks, exchange.access_token)]);
+      await sessionLogin(event, {
+        exchange,
+        idToken: idToken,
+        accessToken
+      });
+      throw redirect(302, "/");
+    }
+  };
+};
+const ROUTE_PATH_LOGIN = "/_auth/login";
+const routeLoginFactory = config => {
+  var _config$oauth$authori;
+  const authorizeUrl = `${config.oauth.baseUrl}/${(_config$oauth$authori = config.oauth.authorizePath) != null ? _config$oauth$authori : "/oauth2/authorize"}`;
+  return {
+    path: ROUTE_PATH_LOGIN,
+    async handle({
+      event
+    }) {
+      const state = randomUUID();
+      cookieSet(event.cookies, COOKIE_STATE, state);
+      const params = queryParamsCreate({
+        client_id: config.oauth.clientId,
+        response_type: "code",
+        redirect_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGIN),
+        state
+      });
+      throw redirect(302, `${authorizeUrl}?${params}`);
+    }
+  };
+};
+const ROUTE_PATH_REDIRECT_LOGOUT = "/_auth/redirect/logout";
+const routeRedirectLogoutFactory = config => {
+  var _config$session$logou;
+  // Check if the oauth provider supports a logout path.
+  if (!config.oauth.logoutPath) {
+    return undefined;
+  }
+  const logout = (_config$session$logou = config.session.logout) != null ? _config$session$logou : noop;
+  return {
+    path: ROUTE_PATH_REDIRECT_LOGOUT,
+    async handle({
+      event
+    }) {
+      await logout(event);
+      throw redirect(302, "/");
+    }
+  };
+};
+const ROUTE_PATH_LOGOUT = "/_auth/logout";
+const routeLogoutFactory = config => {
+  // Check if the oauth provider supports a logout path.
+  if (!config.oauth.logoutPath) {
+    return undefined;
+  }
+  const logoutUrl = `${config.oauth.baseUrl}/${config.oauth.logoutPath}`;
+  return {
+    path: ROUTE_PATH_LOGOUT,
+    async handle({
+      event
+    }) {
+      const params = queryParamsCreate({
+        logout_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGOUT),
+        client_id: config.oauth.clientId
+      });
+      throw redirect(302, `${logoutUrl}?${params}`);
+    }
+  };
+};
+const routeFactories = Object.freeze([routeLoginFactory, routeLogoutFactory, routeRedirectLoginFactory, routeRedirectLogoutFactory]);
+function routeCreate(config) {
+  return new Map(routeFactories.map(routeFactory => routeFactory(config)).filter(route => Boolean(route))
+  // @ts-expect-error Incorrect typing error.
+  .map(route => [route.path, route.handle]));
+}
+const ARMOR_LOGIN = ROUTE_PATH_LOGIN;
+const ARMOR_LOGOUT = ROUTE_PATH_LOGOUT;
+function armor(config) {
+  var _config$session$exist;
+  const routes = routeCreate(config);
+  const sessionExists = (_config$session$exist = config.session.exists) != null ? _config$session$exist : event => Boolean(event.cookies.get(COOKIE_TOKENS));
+  return async ({
+    event,
+    resolve
+  }) => {
+    const routeHandle = routes.get(event.url.pathname);
+    if (routeHandle) {
+      await routeHandle({
+        event,
+        resolve
+      });
+      // Handle should redirect. If it doesn't, something is wrong.
+      throw error(500, "Illegal state");
+    }
+    const exists = await sessionExists(event);
+    if (!exists) {
+      throw redirect(302, ROUTE_PATH_LOGIN);
+    }
+    return resolve(event);
+  };
+}
+function armorCookiesGetTokens(cookies) {
+  const tokens = cookieGet(cookies, COOKIE_TOKENS);
+  throwIfUndefined(tokens);
+  return tokens;
+}
+export { ARMOR_LOGIN, ARMOR_LOGOUT, armor, armorCookiesGetTokens };
+//# sourceMappingURL=index.esm.js.map

package/dist/index.esm.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.esm.js","sources":["../src/utils/utils.ts","../src/utils/cookie.ts","../src/utils/jwt.ts","../src/routes/redirect-login.ts","../src/routes/login.ts","../src/routes/redirect-logout.ts","../src/routes/logout.ts","../src/routes/routes.ts","../src/index.ts"],"sourcesContent":["import { strTrimEnd } from \"@nekm/core\";\nimport type { ArmorTokenExchange } from \"../contracts\";\n\nexport function urlConcat(origin: string, path: string): string {\n\treturn `${strTrimEnd(origin, \"/\")}/${path}`;\n}\n\nexport function isTokenExchange(value: unknown): value is ArmorTokenExchange {\n\tif (typeof value !== \"object\" || value === null) return false;\n\n\tconst obj = value as Record<string, unknown>;\n\n\treturn (\n\t\ttypeof obj.access_token === \"string\" &&\n\t\tobj.token_type === \"Bearer\" &&\n\t\ttypeof obj.expires_in === \"number\" &&\n\t\t// Optional fields\n\t\t(typeof obj.id_token === \"string\" || obj.id_token === undefined) &&\n\t\t(typeof obj.refresh_token === \"string\" ||\n\t\t\tobj.refresh_token === undefined) &&\n\t\t(typeof obj.scope === \"string\" || obj.scope === undefined)\n\t);\n}\n","import { Cookies } from \"@sveltejs/kit\";\n\nexport const COOKIE_TOKENS = \"tokens\";\nexport const COOKIE_STATE = \"state\";\n\nconst cookieDeleteOptions = Object.freeze({ path: \"/\" });\n\nconst cookieSetOptions = Object.freeze({\n\t...cookieDeleteOptions,\n\thttpOnly: true,\n\tsecure: true,\n\tsameSite: \"lax\",\n\tmaxAge: 1800, // 30 minutes\n});\n\nexport function cookieSet(\n\tcookies: Cookies,\n\tkey: string,\n\tvalue: string | object,\n) {\n\tcookies.set(key, JSON.stringify(value), cookieSetOptions);\n}\n\nexport function cookieGetAndDelete<T>(\n\tcookies: Cookies,\n\tkey: string,\n): T | undefined {\n\tconst value = cookieGet<T>(cookies, key);\n\n\tif (value) {\n\t\tcookies.delete(key, cookieDeleteOptions);\n\t}\n\n\treturn value;\n}\n\nexport function cookieGet<T>(cookies: Cookies, key: string): T | undefined {\n\tconst value = cookies.get(key);\n\n\treturn !value ? undefined : JSON.parse(value);\n}\n","import { ArmorConfig } from \"../contracts\";\nimport { jwtVerify, JWTVerifyGetKey, JWTVerifyOptions } from \"jose\";\n\nexport function jwtVerifyIdToken(\n\tconfig: ArmorConfig,\n\tjwks: JWTVerifyGetKey,\n\tidToken: string,\n) {\n\treturn jwtVerifyToken(\n\t\tjwks,\n\t\t{\n\t\t\tissuer: config.oauth.issuer,\n\t\t\taudience: config.oauth.clientId,\n\t\t},\n\t\tidToken,\n\t);\n}\n\nexport function jwtVerifyAccessToken(\n\tconfig: ArmorConfig,\n\tjwks: JWTVerifyGetKey,\n\taccessToken: string,\n) {\n\treturn jwtVerifyToken(jwks, { issuer: config.oauth.issuer }, accessToken);\n}\n\nasync function jwtVerifyToken(\n\tjwks: JWTVerifyGetKey,\n\toptions: JWTVerifyOptions,\n\ttoken: string,\n) {\n\tconst { payload } = await jwtVerify(token, jwks, options);\n\n\treturn payload;\n}\n","import { redirect } from \"@sveltejs/kit\";\nimport type {\n\tArmorConfig,\n\tArmorIdToken,\n\tArmorTokenExchange,\n} from \"../contracts\";\nimport { strTrimEnd, throwIfUndefined } from \"@nekm/core\";\nimport { createRemoteJWKSet } from \"jose\";\nimport type { RouteFactory } from \"./routes\";\nimport { urlConcat, isTokenExchange } from \"../utils/utils\";\nimport {\n\tCOOKIE_STATE,\n\tCOOKIE_TOKENS,\n\tcookieGetAndDelete,\n\tcookieSet,\n} from \"../utils/cookie\";\nimport { jwtVerifyAccessToken, jwtVerifyIdToken } from \"../utils/jwt\";\n\nexport const ROUTE_PATH_REDIRECT_LOGIN = \"/_auth/redirect/login\";\n\nexport const routeRedirectLoginFactory: RouteFactory = (\n\tconfig: ArmorConfig,\n) => {\n\tconst jwksUrl = new URL(\n\t\tconfig.oauth.jwksUrl ??\n\t\t\t`${strTrimEnd(config.oauth.issuer, \"/\")}/.well-known/jwks.json`,\n\t);\n\tconst tokenUrl = `${config.oauth.baseUrl}/${config.oauth.tokenPath ?? \"oauth2/token\"}`;\n\n\tconst sessionLogin =\n\t\tconfig.session.login ??\n\t\t((event, tokens) => cookieSet(event.cookies, COOKIE_TOKENS, tokens));\n\n\tasync function exchangeCodeForToken(\n\t\tfetch: typeof global.fetch,\n\t\torigin: string,\n\t\tcode: string,\n\t): Promise<ArmorTokenExchange> {\n\t\tconst response = await fetch(tokenUrl, {\n\t\t\tmethod: \"POST\",\n\t\t\theaders: {\n\t\t\t\t\"Content-Type\": \"application/x-www-form-urlencoded\",\n\t\t\t\tAccept: \"application/json\",\n\t\t\t},\n\t\t\tbody: new URLSearchParams({\n\t\t\t\tgrant_type: \"authorization_code\",\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t\tclient_secret: config.oauth.clientSecret,\n\t\t\t\tcode,\n\t\t\t\tredirect_uri: urlConcat(origin, ROUTE_PATH_REDIRECT_LOGIN),\n\t\t\t}).toString(),\n\t\t});\n\n\t\tif (!response.ok) {\n\t\t\tconst error = await response.text();\n\t\t\tthrow new Error(`Token exchange failed: ${error}`);\n\t\t}\n\n\t\tconst token = await response.json();\n\n\t\tif (!isTokenExchange(token)) {\n\t\t\tthrow new Error(\"Response is not a valid token exchange.\");\n\t\t}\n\n\t\treturn token;\n\t}\n\n\treturn {\n\t\tpath: ROUTE_PATH_REDIRECT_LOGIN,\n\t\tasync handle({ event }) {\n\t\t\tconst state = event.url.searchParams.get(\"state\") ?? undefined;\n\t\t\tconst stateCookie = cookieGetAndDelete(event.cookies, COOKIE_STATE);\n\n\t\t\tif (state !== stateCookie) {\n\t\t\t\tthrow new Error(\"State do not match\");\n\t\t\t}\n\n\t\t\tconst code = event.url.searchParams.get(\"code\") ?? undefined;\n\t\t\tthrowIfUndefined(code);\n\n\t\t\tconst exchange = await exchangeCodeForToken(\n\t\t\t\tfetch,\n\t\t\t\tevent.url.origin,\n\t\t\t\tcode,\n\t\t\t);\n\n\t\t\tconst jwks = createRemoteJWKSet(jwksUrl);\n\n\t\t\tconst [idToken, accessToken] = await Promise.all([\n\t\t\t\tjwtVerifyIdToken(config, jwks, exchange.id_token),\n\t\t\t\tjwtVerifyAccessToken(config, jwks, exchange.access_token),\n\t\t\t]);\n\n\t\t\tawait sessionLogin(event, {\n\t\t\t\texchange,\n\t\t\t\tidToken: idToken as ArmorIdToken,\n\t\t\t\taccessToken,\n\t\t\t});\n\n\t\t\tthrow redirect(302, \"/\");\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { queryParamsCreate } from \"@nekm/core\";\nimport { ROUTE_PATH_REDIRECT_LOGIN } from \"./redirect-login\";\nimport { randomUUID } from \"node:crypto\";\nimport type { RouteFactory } from \"./routes\";\nimport { COOKIE_STATE, cookieSet } from \"../utils/cookie\";\nimport { urlConcat } from \"../utils/utils\";\n\nexport const ROUTE_PATH_LOGIN = \"/_auth/login\";\n\nexport const routeLoginFactory: RouteFactory = (config: ArmorConfig) => {\n\tconst authorizeUrl = `${config.oauth.baseUrl}/${config.oauth.authorizePath ?? \"/oauth2/authorize\"}`;\n\n\treturn {\n\t\tpath: ROUTE_PATH_LOGIN,\n\t\tasync handle({ event }) {\n\t\t\tconst state = randomUUID();\n\t\t\tcookieSet(event.cookies, COOKIE_STATE, state);\n\n\t\t\tconst params = queryParamsCreate({\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t\tresponse_type: \"code\",\n\t\t\t\tredirect_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGIN),\n\t\t\t\tstate,\n\t\t\t});\n\n\t\t\tthrow redirect(302, `${authorizeUrl}?${params}`);\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { noop } from \"@nekm/core\";\nimport type { RouteFactory } from \"./routes\";\n\nexport const ROUTE_PATH_REDIRECT_LOGOUT = \"/_auth/redirect/logout\";\n\nexport const routeRedirectLogoutFactory: RouteFactory = (\n\tconfig: ArmorConfig,\n) => {\n\t// Check if the oauth provider supports a logout path.\n\tif (!config.oauth.logoutPath) {\n\t\treturn undefined;\n\t}\n\n\tconst logout = config.session.logout ?? noop;\n\n\treturn {\n\t\tpath: ROUTE_PATH_REDIRECT_LOGOUT,\n\t\tasync handle({ event }) {\n\t\t\tawait logout(event);\n\t\t\tthrow redirect(302, \"/\");\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { queryParamsCreate } from \"@nekm/core\";\nimport { ROUTE_PATH_REDIRECT_LOGOUT } from \"./redirect-logout\";\nimport type { RouteFactory } from \"./routes\";\nimport { urlConcat } from \"../utils/utils\";\n\nexport const ROUTE_PATH_LOGOUT = \"/_auth/logout\";\n\nexport const routeLogoutFactory: RouteFactory = (config: ArmorConfig) => {\n\t// Check if the oauth provider supports a logout path.\n\tif (!config.oauth.logoutPath) {\n\t\treturn undefined;\n\t}\n\n\tconst logoutUrl = `${config.oauth.baseUrl}/${config.oauth.logoutPath}`;\n\n\treturn {\n\t\tpath: ROUTE_PATH_LOGOUT,\n\t\tasync handle({ event }) {\n\t\t\tconst params = queryParamsCreate({\n\t\t\t\tlogout_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGOUT),\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t});\n\n\t\t\tthrow redirect(302, `${logoutUrl}?${params}`);\n\t\t},\n\t};\n};\n","import type { Handle } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { routeLoginFactory } from \"./login\";\nimport { routeLogoutFactory } from \"./logout\";\nimport { routeRedirectLogoutFactory } from \"./redirect-logout\";\nimport { routeRedirectLoginFactory } from \"./redirect-login\";\n\nexport interface Route {\n\treadonly path: string;\n\treadonly handle: Handle;\n}\n\nexport type RouteFactory = (config: ArmorConfig) => Route | undefined;\n\nconst routeFactories = Object.freeze([\n\trouteLoginFactory,\n\trouteLogoutFactory,\n\trouteRedirectLoginFactory,\n\trouteRedirectLogoutFactory,\n]);\n\nexport function routeCreate(config: ArmorConfig): Map<string, Handle> {\n\treturn new Map(\n\t\trouteFactories\n\t\t\t.map((routeFactory) => routeFactory(config))\n\t\t\t.filter((route) => Boolean(route))\n\t\t\t// @ts-expect-error Incorrect typing error.\n\t\t\t.map((route) => [route.path, route.handle]),\n\t);\n}\n","import { error, redirect, type Handle, Cookies } from \"@sveltejs/kit\";\nimport { ROUTE_PATH_LOGIN } from \"./routes/login\";\nimport type { ArmorConfig, ArmorTokens } from \"./contracts\";\nimport { ROUTE_PATH_LOGOUT } from \"./routes/logout\";\nimport { routeCreate } from \"./routes/routes\";\nimport { COOKIE_TOKENS, cookieGet } from \"./utils/cookie\";\nimport { throwIfUndefined } from \"@nekm/core\";\n\nexport type { ArmorConfig, ArmorTokens };\n\nexport const ARMOR_LOGIN = ROUTE_PATH_LOGIN;\nexport const ARMOR_LOGOUT = ROUTE_PATH_LOGOUT;\n\nexport function armor(config: ArmorConfig): Handle {\n\tconst routes = routeCreate(config);\n\tconst sessionExists =\n\t\tconfig.session.exists ??\n\t\t((event) => Boolean(event.cookies.get(COOKIE_TOKENS)));\n\n\treturn async ({ event, resolve }) => {\n\t\tconst routeHandle = routes.get(event.url.pathname);\n\n\t\tif (routeHandle) {\n\t\t\tawait routeHandle({ event, resolve });\n\n\t\t\t// Handle should redirect. If it doesn't, something is wrong.\n\t\t\tthrow error(500, \"Illegal state\");\n\t\t}\n\n\t\tconst exists = await sessionExists(event);\n\n\t\tif (!exists) {\n\t\t\tthrow redirect(302, ROUTE_PATH_LOGIN);\n\t\t}\n\n\t\treturn resolve(event);\n\t};\n}\n\nexport function armorCookiesGetTokens(cookies: Cookies): ArmorTokens {\n\tconst tokens = cookieGet<ArmorTokens>(cookies, COOKIE_TOKENS);\n\tthrowIfUndefined(tokens);\n\treturn tokens;\n}\n"],"names":["urlConcat","origin","path","strTrimEnd","isTokenExchange","value","obj","access_token","token_type","expires_in","id_token","undefined","refresh_token","scope","COOKIE_TOKENS","COOKIE_STATE","cookieDeleteOptions","Object","freeze","cookieSetOptions","httpOnly","secure","sameSite","maxAge","cookieSet","cookies","key","set","JSON","stringify","cookieGetAndDelete","cookieGet","delete","get","parse","jwtVerifyIdToken","config","jwks","idToken","jwtVerifyToken","issuer","oauth","audience","clientId","jwtVerifyAccessToken","accessToken","options","token","payload","jwtVerify","ROUTE_PATH_REDIRECT_LOGIN","routeRedirectLoginFactory","_config$oauth$jwksUrl","_config$oauth$tokenPa","_config$session$login","jwksUrl","URL","tokenUrl","baseUrl","tokenPath","sessionLogin","session","login","event","tokens","exchangeCodeForToken","fetch","code","response","method","headers","Accept","body","URLSearchParams","grant_type","client_id","client_secret","clientSecret","redirect_uri","toString","ok","error","text","Error","json","handle","_event$url$searchPara","_event$url$searchPara2","state","url","searchParams","stateCookie","throwIfUndefined","exchange","createRemoteJWKSet","Promise","all","redirect","ROUTE_PATH_LOGIN","routeLoginFactory","_config$oauth$authori","authorizeUrl","authorizePath","randomUUID","params","queryParamsCreate","response_type","ROUTE_PATH_REDIRECT_LOGOUT","routeRedirectLogoutFactory","_config$session$logou","logoutPath","logout","noop","ROUTE_PATH_LOGOUT","routeLogoutFactory","logoutUrl","logout_uri","routeFactories","routeCreate","Map","map","routeFactory","filter","route","Boolean","ARMOR_LOGIN","ARMOR_LOGOUT","armor","_config$session$exist","routes","sessionExists","exists","resolve","routeHandle","pathname","armorCookiesGetTokens"],"mappings":";;;;;AAGgB,SAAAA,SAASA,CAACC,MAAc,EAAEC,IAAY,EAAA;EACrD,OAAO,CAAA,EAAGC,UAAU,CAACF,MAAM,EAAE,GAAG,CAAC,CAAIC,CAAAA,EAAAA,IAAI,CAAE,CAAA,CAAA;AAC5C,CAAA;AAEM,SAAUE,eAAeA,CAACC,KAAc,EAAA;EAC7C,IAAI,OAAOA,KAAK,KAAK,QAAQ,IAAIA,KAAK,KAAK,IAAI,EAAE,OAAO,KAAK,CAAA;EAE7D,MAAMC,GAAG,GAAGD,KAAgC,CAAA;AAE5C,EAAA,OACC,OAAOC,GAAG,CAACC,YAAY,KAAK,QAAQ,IACpCD,GAAG,CAACE,UAAU,KAAK,QAAQ,IAC3B,OAAOF,GAAG,CAACG,UAAU,KAAK,QAAQ;AAClC;AACC,EAAA,OAAOH,GAAG,CAACI,QAAQ,KAAK,QAAQ,IAAIJ,GAAG,CAACI,QAAQ,KAAKC,SAAS,CAAC,KAC/D,OAAOL,GAAG,CAACM,aAAa,KAAK,QAAQ,IACrCN,GAAG,CAACM,aAAa,KAAKD,SAAS,CAAC,KAChC,OAAOL,GAAG,CAACO,KAAK,KAAK,QAAQ,IAAIP,GAAG,CAACO,KAAK,KAAKF,SAAS,CAAC,CAAA;AAE5D;;ACpBO,MAAMG,aAAa,GAAG,QAAQ,CAAA;AAC9B,MAAMC,YAAY,GAAG,OAAO,CAAA;AAEnC,MAAMC,mBAAmB,GAAGC,MAAM,CAACC,MAAM,CAAC;AAAEhB,EAAAA,IAAI,EAAE,GAAA;AAAK,CAAA,CAAC,CAAA;AAExD,MAAMiB,gBAAgB,GAAGF,MAAM,CAACC,MAAM,CAAC;AACtC,EAAA,GAAGF,mBAAmB;AACtBI,EAAAA,QAAQ,EAAE,IAAI;AACdC,EAAAA,MAAM,EAAE,IAAI;AACZC,EAAAA,QAAQ,EAAE,KAAK;EACfC,MAAM,EAAE,IAAI;AACZ,CAAA,CAAC,CAAA;SAEcC,SAASA,CACxBC,OAAgB,EAChBC,GAAW,EACXrB,KAAsB,EAAA;AAEtBoB,EAAAA,OAAO,CAACE,GAAG,CAACD,GAAG,EAAEE,IAAI,CAACC,SAAS,CAACxB,KAAK,CAAC,EAAEc,gBAAgB,CAAC,CAAA;AAC1D,CAAA;AAEgB,SAAAW,kBAAkBA,CACjCL,OAAgB,EAChBC,GAAW,EAAA;AAEX,EAAA,MAAMrB,KAAK,GAAG0B,SAAS,CAAIN,OAAO,EAAEC,GAAG,CAAC,CAAA;AAExC,EAAA,IAAIrB,KAAK,EAAE;AACVoB,IAAAA,OAAO,CAACO,MAAM,CAACN,GAAG,EAAEV,mBAAmB,CAAC,CAAA;AACzC,GAAA;AAEA,EAAA,OAAOX,KAAK,CAAA;AACb,CAAA;AAEgB,SAAA0B,SAASA,CAAIN,OAAgB,EAAEC,GAAW,EAAA;AACzD,EAAA,MAAMrB,KAAK,GAAGoB,OAAO,CAACQ,GAAG,CAACP,GAAG,CAAC,CAAA;EAE9B,OAAO,CAACrB,KAAK,GAAGM,SAAS,GAAGiB,IAAI,CAACM,KAAK,CAAC7B,KAAK,CAAC,CAAA;AAC9C;;SCrCgB8B,gBAAgBA,CAC/BC,MAAmB,EACnBC,IAAqB,EACrBC,OAAe,EAAA;EAEf,OAAOC,cAAc,CACpBF,IAAI,EACJ;AACCG,IAAAA,MAAM,EAAEJ,MAAM,CAACK,KAAK,CAACD,MAAM;AAC3BE,IAAAA,QAAQ,EAAEN,MAAM,CAACK,KAAK,CAACE,QAAAA;GACvB,EACDL,OAAO,CACP,CAAA;AACF,CAAA;SAEgBM,oBAAoBA,CACnCR,MAAmB,EACnBC,IAAqB,EACrBQ,WAAmB,EAAA;EAEnB,OAAON,cAAc,CAACF,IAAI,EAAE;AAAEG,IAAAA,MAAM,EAAEJ,MAAM,CAACK,KAAK,CAACD,MAAAA;GAAQ,EAAEK,WAAW,CAAC,CAAA;AAC1E,CAAA;AAEA,eAAeN,cAAcA,CAC5BF,IAAqB,EACrBS,OAAyB,EACzBC,KAAa,EAAA;EAEb,MAAM;AAAEC,IAAAA,OAAAA;GAAS,GAAG,MAAMC,SAAS,CAACF,KAAK,EAAEV,IAAI,EAAES,OAAO,CAAC,CAAA;AAEzD,EAAA,OAAOE,OAAO,CAAA;AACf;;AChBO,MAAME,yBAAyB,GAAG,uBAAuB,CAAA;AAEzD,MAAMC,yBAAyB,GACrCf,MAAmB,IAChB;AAAA,EAAA,IAAAgB,qBAAA,EAAAC,qBAAA,EAAAC,qBAAA,CAAA;EACH,MAAMC,OAAO,GAAG,IAAIC,GAAG,CAAA,CAAAJ,qBAAA,GACtBhB,MAAM,CAACK,KAAK,CAACc,OAAO,KAAA,IAAA,GAAAH,qBAAA,GACnB,CAAGjD,EAAAA,UAAU,CAACiC,MAAM,CAACK,KAAK,CAACD,MAAM,EAAE,GAAG,CAAC,CAAA,sBAAA,CAAwB,CAChE,CAAA;EACD,MAAMiB,QAAQ,GAAG,CAAGrB,EAAAA,MAAM,CAACK,KAAK,CAACiB,OAAO,CAAAL,CAAAA,EAAAA,CAAAA,qBAAA,GAAIjB,MAAM,CAACK,KAAK,CAACkB,SAAS,YAAAN,qBAAA,GAAI,cAAc,CAAE,CAAA,CAAA;EAEtF,MAAMO,YAAY,GAAAN,CAAAA,qBAAA,GACjBlB,MAAM,CAACyB,OAAO,CAACC,KAAK,KAAAR,IAAAA,GAAAA,qBAAA,GACnB,CAACS,KAAK,EAAEC,MAAM,KAAKxC,SAAS,CAACuC,KAAK,CAACtC,OAAO,EAAEX,aAAa,EAAEkD,MAAM,CAAE,CAAA;AAErE,EAAA,eAAeC,oBAAoBA,CAClCC,KAA0B,EAC1BjE,MAAc,EACdkE,IAAY,EAAA;AAEZ,IAAA,MAAMC,QAAQ,GAAG,MAAMF,KAAK,CAACT,QAAQ,EAAE;AACtCY,MAAAA,MAAM,EAAE,MAAM;AACdC,MAAAA,OAAO,EAAE;AACR,QAAA,cAAc,EAAE,mCAAmC;AACnDC,QAAAA,MAAM,EAAE,kBAAA;OACR;MACDC,IAAI,EAAE,IAAIC,eAAe,CAAC;AACzBC,QAAAA,UAAU,EAAE,oBAAoB;AAChCC,QAAAA,SAAS,EAAEvC,MAAM,CAACK,KAAK,CAACE,QAAQ;AAChCiC,QAAAA,aAAa,EAAExC,MAAM,CAACK,KAAK,CAACoC,YAAY;QACxCV,IAAI;AACJW,QAAAA,YAAY,EAAE9E,SAAS,CAACC,MAAM,EAAEiD,yBAAyB,CAAA;OACzD,CAAC,CAAC6B,QAAQ,EAAE;AACb,KAAA,CAAC,CAAA;AAEF,IAAA,IAAI,CAACX,QAAQ,CAACY,EAAE,EAAE;AACjB,MAAA,MAAMC,KAAK,GAAG,MAAMb,QAAQ,CAACc,IAAI,EAAE,CAAA;AACnC,MAAA,MAAM,IAAIC,KAAK,CAAC,CAA0BF,uBAAAA,EAAAA,KAAK,EAAE,CAAC,CAAA;AACnD,KAAA;AAEA,IAAA,MAAMlC,KAAK,GAAG,MAAMqB,QAAQ,CAACgB,IAAI,EAAE,CAAA;AAEnC,IAAA,IAAI,CAAChF,eAAe,CAAC2C,KAAK,CAAC,EAAE;AAC5B,MAAA,MAAM,IAAIoC,KAAK,CAAC,yCAAyC,CAAC,CAAA;AAC3D,KAAA;AAEA,IAAA,OAAOpC,KAAK,CAAA;AACb,GAAA;EAEA,OAAO;AACN7C,IAAAA,IAAI,EAAEgD,yBAAyB;AAC/B,IAAA,MAAMmC,MAAMA,CAAC;AAAEtB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MAAA,IAAAuB,qBAAA,EAAAC,sBAAA,CAAA;AACrB,MAAA,MAAMC,KAAK,GAAAF,CAAAA,qBAAA,GAAGvB,KAAK,CAAC0B,GAAG,CAACC,YAAY,CAACzD,GAAG,CAAC,OAAO,CAAC,KAAAqD,IAAAA,GAAAA,qBAAA,GAAI3E,SAAS,CAAA;MAC9D,MAAMgF,WAAW,GAAG7D,kBAAkB,CAACiC,KAAK,CAACtC,OAAO,EAAEV,YAAY,CAAC,CAAA;MAEnE,IAAIyE,KAAK,KAAKG,WAAW,EAAE;AAC1B,QAAA,MAAM,IAAIR,KAAK,CAAC,oBAAoB,CAAC,CAAA;AACtC,OAAA;AAEA,MAAA,MAAMhB,IAAI,GAAAoB,CAAAA,sBAAA,GAAGxB,KAAK,CAAC0B,GAAG,CAACC,YAAY,CAACzD,GAAG,CAAC,MAAM,CAAC,KAAAsD,IAAAA,GAAAA,sBAAA,GAAI5E,SAAS,CAAA;MAC5DiF,gBAAgB,CAACzB,IAAI,CAAC,CAAA;AAEtB,MAAA,MAAM0B,QAAQ,GAAG,MAAM5B,oBAAoB,CAC1CC,KAAK,EACLH,KAAK,CAAC0B,GAAG,CAACxF,MAAM,EAChBkE,IAAI,CACJ,CAAA;AAED,MAAA,MAAM9B,IAAI,GAAGyD,kBAAkB,CAACvC,OAAO,CAAC,CAAA;AAExC,MAAA,MAAM,CAACjB,OAAO,EAAEO,WAAW,CAAC,GAAG,MAAMkD,OAAO,CAACC,GAAG,CAAC,CAChD7D,gBAAgB,CAACC,MAAM,EAAEC,IAAI,EAAEwD,QAAQ,CAACnF,QAAQ,CAAC,EACjDkC,oBAAoB,CAACR,MAAM,EAAEC,IAAI,EAAEwD,QAAQ,CAACtF,YAAY,CAAC,CACzD,CAAC,CAAA;MAEF,MAAMqD,YAAY,CAACG,KAAK,EAAE;QACzB8B,QAAQ;AACRvD,QAAAA,OAAO,EAAEA,OAAuB;AAChCO,QAAAA,WAAAA;AACA,OAAA,CAAC,CAAA;AAEF,MAAA,MAAMoD,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACzB,KAAA;GACA,CAAA;AACF,CAAC;;AC7FM,MAAMC,gBAAgB,GAAG,cAAc,CAAA;AAEvC,MAAMC,iBAAiB,GAAkB/D,MAAmB,IAAI;AAAA,EAAA,IAAAgE,qBAAA,CAAA;EACtE,MAAMC,YAAY,GAAG,CAAGjE,EAAAA,MAAM,CAACK,KAAK,CAACiB,OAAO,CAAA0C,CAAAA,EAAAA,CAAAA,qBAAA,GAAIhE,MAAM,CAACK,KAAK,CAAC6D,aAAa,YAAAF,qBAAA,GAAI,mBAAmB,CAAE,CAAA,CAAA;EAEnG,OAAO;AACNlG,IAAAA,IAAI,EAAEgG,gBAAgB;AACtB,IAAA,MAAMb,MAAMA,CAAC;AAAEtB,MAAAA,KAAAA;AAAO,KAAA,EAAA;AACrB,MAAA,MAAMyB,KAAK,GAAGe,UAAU,EAAE,CAAA;MAC1B/E,SAAS,CAACuC,KAAK,CAACtC,OAAO,EAAEV,YAAY,EAAEyE,KAAK,CAAC,CAAA;MAE7C,MAAMgB,MAAM,GAAGC,iBAAiB,CAAC;AAChC9B,QAAAA,SAAS,EAAEvC,MAAM,CAACK,KAAK,CAACE,QAAQ;AAChC+D,QAAAA,aAAa,EAAE,MAAM;QACrB5B,YAAY,EAAE9E,SAAS,CAAC+D,KAAK,CAAC0B,GAAG,CAACxF,MAAM,EAAEiD,yBAAyB,CAAC;AACpEsC,QAAAA,KAAAA;AACA,OAAA,CAAC,CAAA;MAEF,MAAMS,QAAQ,CAAC,GAAG,EAAE,GAAGI,YAAY,CAAA,CAAA,EAAIG,MAAM,CAAA,CAAE,CAAC,CAAA;AACjD,KAAA;GACA,CAAA;AACF,CAAC;;ACzBM,MAAMG,0BAA0B,GAAG,wBAAwB,CAAA;AAE3D,MAAMC,0BAA0B,GACtCxE,MAAmB,IAChB;AAAA,EAAA,IAAAyE,qBAAA,CAAA;AACH;AACA,EAAA,IAAI,CAACzE,MAAM,CAACK,KAAK,CAACqE,UAAU,EAAE;AAC7B,IAAA,OAAOnG,SAAS,CAAA;AACjB,GAAA;AAEA,EAAA,MAAMoG,MAAM,GAAA,CAAAF,qBAAA,GAAGzE,MAAM,CAACyB,OAAO,CAACkD,MAAM,KAAA,IAAA,GAAAF,qBAAA,GAAIG,IAAI,CAAA;EAE5C,OAAO;AACN9G,IAAAA,IAAI,EAAEyG,0BAA0B;AAChC,IAAA,MAAMtB,MAAMA,CAAC;AAAEtB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MACrB,MAAMgD,MAAM,CAAChD,KAAK,CAAC,CAAA;AACnB,MAAA,MAAMkC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACzB,KAAA;GACA,CAAA;AACF,CAAC;;ACjBM,MAAMgB,iBAAiB,GAAG,eAAe,CAAA;AAEzC,MAAMC,kBAAkB,GAAkB9E,MAAmB,IAAI;AACvE;AACA,EAAA,IAAI,CAACA,MAAM,CAACK,KAAK,CAACqE,UAAU,EAAE;AAC7B,IAAA,OAAOnG,SAAS,CAAA;AACjB,GAAA;AAEA,EAAA,MAAMwG,SAAS,GAAG,CAAG/E,EAAAA,MAAM,CAACK,KAAK,CAACiB,OAAO,CAAA,CAAA,EAAItB,MAAM,CAACK,KAAK,CAACqE,UAAU,CAAE,CAAA,CAAA;EAEtE,OAAO;AACN5G,IAAAA,IAAI,EAAE+G,iBAAiB;AACvB,IAAA,MAAM5B,MAAMA,CAAC;AAAEtB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MACrB,MAAMyC,MAAM,GAAGC,iBAAiB,CAAC;QAChCW,UAAU,EAAEpH,SAAS,CAAC+D,KAAK,CAAC0B,GAAG,CAACxF,MAAM,EAAE0G,0BAA0B,CAAC;AACnEhC,QAAAA,SAAS,EAAEvC,MAAM,CAACK,KAAK,CAACE,QAAAA;AACxB,OAAA,CAAC,CAAA;MAEF,MAAMsD,QAAQ,CAAC,GAAG,EAAE,GAAGkB,SAAS,CAAA,CAAA,EAAIX,MAAM,CAAA,CAAE,CAAC,CAAA;AAC9C,KAAA;GACA,CAAA;AACF,CAAC;;ACdD,MAAMa,cAAc,GAAGpG,MAAM,CAACC,MAAM,CAAC,CACpCiF,iBAAiB,EACjBe,kBAAkB,EAClB/D,yBAAyB,EACzByD,0BAA0B,CAC1B,CAAC,CAAA;AAEI,SAAUU,WAAWA,CAAClF,MAAmB,EAAA;EAC9C,OAAO,IAAImF,GAAG,CACbF,cAAc,CACZG,GAAG,CAAEC,YAAY,IAAKA,YAAY,CAACrF,MAAM,CAAC,CAAC,CAC3CsF,MAAM,CAAEC,KAAK,IAAKC,OAAO,CAACD,KAAK,CAAC,CAAA;AACjC;AAAA,GACCH,GAAG,CAAEG,KAAK,IAAK,CAACA,KAAK,CAACzH,IAAI,EAAEyH,KAAK,CAACtC,MAAM,CAAC,CAAC,CAC5C,CAAA;AACF;;ACnBO,MAAMwC,WAAW,GAAG3B,iBAAgB;AACpC,MAAM4B,YAAY,GAAGb,kBAAiB;AAEvC,SAAUc,KAAKA,CAAC3F,MAAmB,EAAA;AAAA,EAAA,IAAA4F,qBAAA,CAAA;AACxC,EAAA,MAAMC,MAAM,GAAGX,WAAW,CAAClF,MAAM,CAAC,CAAA;EAClC,MAAM8F,aAAa,GAAAF,CAAAA,qBAAA,GAClB5F,MAAM,CAACyB,OAAO,CAACsE,MAAM,KAAA,IAAA,GAAAH,qBAAA,GACnBjE,KAAK,IAAK6D,OAAO,CAAC7D,KAAK,CAACtC,OAAO,CAACQ,GAAG,CAACnB,aAAa,CAAC,CAAE,CAAA;AAEvD,EAAA,OAAO,OAAO;IAAEiD,KAAK;AAAEqE,IAAAA,OAAAA;AAAO,GAAE,KAAI;IACnC,MAAMC,WAAW,GAAGJ,MAAM,CAAChG,GAAG,CAAC8B,KAAK,CAAC0B,GAAG,CAAC6C,QAAQ,CAAC,CAAA;AAElD,IAAA,IAAID,WAAW,EAAE;AAChB,MAAA,MAAMA,WAAW,CAAC;QAAEtE,KAAK;AAAEqE,QAAAA,OAAAA;AAAO,OAAE,CAAC,CAAA;AAErC;AACA,MAAA,MAAMnD,KAAK,CAAC,GAAG,EAAE,eAAe,CAAC,CAAA;AAClC,KAAA;AAEA,IAAA,MAAMkD,MAAM,GAAG,MAAMD,aAAa,CAACnE,KAAK,CAAC,CAAA;IAEzC,IAAI,CAACoE,MAAM,EAAE;AACZ,MAAA,MAAMlC,QAAQ,CAAC,GAAG,EAAEC,gBAAgB,CAAC,CAAA;AACtC,KAAA;IAEA,OAAOkC,OAAO,CAACrE,KAAK,CAAC,CAAA;GACrB,CAAA;AACF,CAAA;AAEM,SAAUwE,qBAAqBA,CAAC9G,OAAgB,EAAA;AACrD,EAAA,MAAMuC,MAAM,GAAGjC,SAAS,CAAcN,OAAO,EAAEX,aAAa,CAAC,CAAA;EAC7D8E,gBAAgB,CAAC5B,MAAM,CAAC,CAAA;AACxB,EAAA,OAAOA,MAAM,CAAA;AACd;;;;"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,224 @@
+var kit = require('@sveltejs/kit');
+var core = require('@nekm/core');
+var jose = require('jose');
+var node_crypto = require('node:crypto');
+function urlConcat(origin, path) {
+  return `${core.strTrimEnd(origin, "/")}/${path}`;
+}
+function isTokenExchange(value) {
+  if (typeof value !== "object" || value === null) return false;
+  const obj = value;
+  return typeof obj.access_token === "string" && obj.token_type === "Bearer" && typeof obj.expires_in === "number" && (
+  // Optional fields
+  typeof obj.id_token === "string" || obj.id_token === undefined) && (typeof obj.refresh_token === "string" || obj.refresh_token === undefined) && (typeof obj.scope === "string" || obj.scope === undefined);
+}
+const COOKIE_TOKENS = "tokens";
+const COOKIE_STATE = "state";
+const cookieDeleteOptions = Object.freeze({
+  path: "/"
+});
+const cookieSetOptions = Object.freeze({
+  ...cookieDeleteOptions,
+  httpOnly: true,
+  secure: true,
+  sameSite: "lax",
+  maxAge: 1800 // 30 minutes
+});
+function cookieSet(cookies, key, value) {
+  cookies.set(key, JSON.stringify(value), cookieSetOptions);
+}
+function cookieGetAndDelete(cookies, key) {
+  const value = cookieGet(cookies, key);
+  if (value) {
+    cookies.delete(key, cookieDeleteOptions);
+  }
+  return value;
+}
+function cookieGet(cookies, key) {
+  const value = cookies.get(key);
+  return !value ? undefined : JSON.parse(value);
+}
+function jwtVerifyIdToken(config, jwks, idToken) {
+  return jwtVerifyToken(jwks, {
+    issuer: config.oauth.issuer,
+    audience: config.oauth.clientId
+  }, idToken);
+}
+function jwtVerifyAccessToken(config, jwks, accessToken) {
+  return jwtVerifyToken(jwks, {
+    issuer: config.oauth.issuer
+  }, accessToken);
+}
+async function jwtVerifyToken(jwks, options, token) {
+  const {
+    payload
+  } = await jose.jwtVerify(token, jwks, options);
+  return payload;
+}
+const ROUTE_PATH_REDIRECT_LOGIN = "/_auth/redirect/login";
+const routeRedirectLoginFactory = config => {
+  var _config$oauth$jwksUrl, _config$oauth$tokenPa, _config$session$login;
+  const jwksUrl = new URL((_config$oauth$jwksUrl = config.oauth.jwksUrl) != null ? _config$oauth$jwksUrl : `${core.strTrimEnd(config.oauth.issuer, "/")}/.well-known/jwks.json`);
+  const tokenUrl = `${config.oauth.baseUrl}/${(_config$oauth$tokenPa = config.oauth.tokenPath) != null ? _config$oauth$tokenPa : "oauth2/token"}`;
+  const sessionLogin = (_config$session$login = config.session.login) != null ? _config$session$login : (event, tokens) => cookieSet(event.cookies, COOKIE_TOKENS, tokens);
+  async function exchangeCodeForToken(fetch, origin, code) {
+    const response = await fetch(tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        client_id: config.oauth.clientId,
+        client_secret: config.oauth.clientSecret,
+        code,
+        redirect_uri: urlConcat(origin, ROUTE_PATH_REDIRECT_LOGIN)
+      }).toString()
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Token exchange failed: ${error}`);
+    }
+    const token = await response.json();
+    if (!isTokenExchange(token)) {
+      throw new Error("Response is not a valid token exchange.");
+    }
+    return token;
+  }
+  return {
+    path: ROUTE_PATH_REDIRECT_LOGIN,
+    async handle({
+      event
+    }) {
+      var _event$url$searchPara, _event$url$searchPara2;
+      const state = (_event$url$searchPara = event.url.searchParams.get("state")) != null ? _event$url$searchPara : undefined;
+      const stateCookie = cookieGetAndDelete(event.cookies, COOKIE_STATE);
+      if (state !== stateCookie) {
+        throw new Error("State do not match");
+      }
+      const code = (_event$url$searchPara2 = event.url.searchParams.get("code")) != null ? _event$url$searchPara2 : undefined;
+      core.throwIfUndefined(code);
+      const exchange = await exchangeCodeForToken(fetch, event.url.origin, code);
+      const jwks = jose.createRemoteJWKSet(jwksUrl);
+      const [idToken, accessToken] = await Promise.all([jwtVerifyIdToken(config, jwks, exchange.id_token), jwtVerifyAccessToken(config, jwks, exchange.access_token)]);
+      await sessionLogin(event, {
+        exchange,
+        idToken: idToken,
+        accessToken
+      });
+      throw kit.redirect(302, "/");
+    }
+  };
+};
+const ROUTE_PATH_LOGIN = "/_auth/login";
+const routeLoginFactory = config => {
+  var _config$oauth$authori;
+  const authorizeUrl = `${config.oauth.baseUrl}/${(_config$oauth$authori = config.oauth.authorizePath) != null ? _config$oauth$authori : "/oauth2/authorize"}`;
+  return {
+    path: ROUTE_PATH_LOGIN,
+    async handle({
+      event
+    }) {
+      const state = node_crypto.randomUUID();
+      cookieSet(event.cookies, COOKIE_STATE, state);
+      const params = core.queryParamsCreate({
+        client_id: config.oauth.clientId,
+        response_type: "code",
+        redirect_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGIN),
+        state
+      });
+      throw kit.redirect(302, `${authorizeUrl}?${params}`);
+    }
+  };
+};
+const ROUTE_PATH_REDIRECT_LOGOUT = "/_auth/redirect/logout";
+const routeRedirectLogoutFactory = config => {
+  var _config$session$logou;
+  // Check if the oauth provider supports a logout path.
+  if (!config.oauth.logoutPath) {
+    return undefined;
+  }
+  const logout = (_config$session$logou = config.session.logout) != null ? _config$session$logou : core.noop;
+  return {
+    path: ROUTE_PATH_REDIRECT_LOGOUT,
+    async handle({
+      event
+    }) {
+      await logout(event);
+      throw kit.redirect(302, "/");
+    }
+  };
+};
+const ROUTE_PATH_LOGOUT = "/_auth/logout";
+const routeLogoutFactory = config => {
+  // Check if the oauth provider supports a logout path.
+  if (!config.oauth.logoutPath) {
+    return undefined;
+  }
+  const logoutUrl = `${config.oauth.baseUrl}/${config.oauth.logoutPath}`;
+  return {
+    path: ROUTE_PATH_LOGOUT,
+    async handle({
+      event
+    }) {
+      const params = core.queryParamsCreate({
+        logout_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGOUT),
+        client_id: config.oauth.clientId
+      });
+      throw kit.redirect(302, `${logoutUrl}?${params}`);
+    }
+  };
+};
+const routeFactories = Object.freeze([routeLoginFactory, routeLogoutFactory, routeRedirectLoginFactory, routeRedirectLogoutFactory]);
+function routeCreate(config) {
+  return new Map(routeFactories.map(routeFactory => routeFactory(config)).filter(route => Boolean(route))
+  // @ts-expect-error Incorrect typing error.
+  .map(route => [route.path, route.handle]));
+}
+const ARMOR_LOGIN = ROUTE_PATH_LOGIN;
+const ARMOR_LOGOUT = ROUTE_PATH_LOGOUT;
+function armor(config) {
+  var _config$session$exist;
+  const routes = routeCreate(config);
+  const sessionExists = (_config$session$exist = config.session.exists) != null ? _config$session$exist : event => Boolean(event.cookies.get(COOKIE_TOKENS));
+  return async ({
+    event,
+    resolve
+  }) => {
+    const routeHandle = routes.get(event.url.pathname);
+    if (routeHandle) {
+      await routeHandle({
+        event,
+        resolve
+      });
+      // Handle should redirect. If it doesn't, something is wrong.
+      throw kit.error(500, "Illegal state");
+    }
+    const exists = await sessionExists(event);
+    if (!exists) {
+      throw kit.redirect(302, ROUTE_PATH_LOGIN);
+    }
+    return resolve(event);
+  };
+}
+function armorCookiesGetTokens(cookies) {
+  const tokens = cookieGet(cookies, COOKIE_TOKENS);
+  core.throwIfUndefined(tokens);
+  return tokens;
+}
+exports.ARMOR_LOGIN = ARMOR_LOGIN;
+exports.ARMOR_LOGOUT = ARMOR_LOGOUT;
+exports.armor = armor;
+exports.armorCookiesGetTokens = armorCookiesGetTokens;
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sources":["../src/utils/utils.ts","../src/utils/cookie.ts","../src/utils/jwt.ts","../src/routes/redirect-login.ts","../src/routes/login.ts","../src/routes/redirect-logout.ts","../src/routes/logout.ts","../src/routes/routes.ts","../src/index.ts"],"sourcesContent":["import { strTrimEnd } from \"@nekm/core\";\nimport type { ArmorTokenExchange } from \"../contracts\";\n\nexport function urlConcat(origin: string, path: string): string {\n\treturn `${strTrimEnd(origin, \"/\")}/${path}`;\n}\n\nexport function isTokenExchange(value: unknown): value is ArmorTokenExchange {\n\tif (typeof value !== \"object\" || value === null) return false;\n\n\tconst obj = value as Record<string, unknown>;\n\n\treturn (\n\t\ttypeof obj.access_token === \"string\" &&\n\t\tobj.token_type === \"Bearer\" &&\n\t\ttypeof obj.expires_in === \"number\" &&\n\t\t// Optional fields\n\t\t(typeof obj.id_token === \"string\" || obj.id_token === undefined) &&\n\t\t(typeof obj.refresh_token === \"string\" ||\n\t\t\tobj.refresh_token === undefined) &&\n\t\t(typeof obj.scope === \"string\" || obj.scope === undefined)\n\t);\n}\n","import { Cookies } from \"@sveltejs/kit\";\n\nexport const COOKIE_TOKENS = \"tokens\";\nexport const COOKIE_STATE = \"state\";\n\nconst cookieDeleteOptions = Object.freeze({ path: \"/\" });\n\nconst cookieSetOptions = Object.freeze({\n\t...cookieDeleteOptions,\n\thttpOnly: true,\n\tsecure: true,\n\tsameSite: \"lax\",\n\tmaxAge: 1800, // 30 minutes\n});\n\nexport function cookieSet(\n\tcookies: Cookies,\n\tkey: string,\n\tvalue: string | object,\n) {\n\tcookies.set(key, JSON.stringify(value), cookieSetOptions);\n}\n\nexport function cookieGetAndDelete<T>(\n\tcookies: Cookies,\n\tkey: string,\n): T | undefined {\n\tconst value = cookieGet<T>(cookies, key);\n\n\tif (value) {\n\t\tcookies.delete(key, cookieDeleteOptions);\n\t}\n\n\treturn value;\n}\n\nexport function cookieGet<T>(cookies: Cookies, key: string): T | undefined {\n\tconst value = cookies.get(key);\n\n\treturn !value ? undefined : JSON.parse(value);\n}\n","import { ArmorConfig } from \"../contracts\";\nimport { jwtVerify, JWTVerifyGetKey, JWTVerifyOptions } from \"jose\";\n\nexport function jwtVerifyIdToken(\n\tconfig: ArmorConfig,\n\tjwks: JWTVerifyGetKey,\n\tidToken: string,\n) {\n\treturn jwtVerifyToken(\n\t\tjwks,\n\t\t{\n\t\t\tissuer: config.oauth.issuer,\n\t\t\taudience: config.oauth.clientId,\n\t\t},\n\t\tidToken,\n\t);\n}\n\nexport function jwtVerifyAccessToken(\n\tconfig: ArmorConfig,\n\tjwks: JWTVerifyGetKey,\n\taccessToken: string,\n) {\n\treturn jwtVerifyToken(jwks, { issuer: config.oauth.issuer }, accessToken);\n}\n\nasync function jwtVerifyToken(\n\tjwks: JWTVerifyGetKey,\n\toptions: JWTVerifyOptions,\n\ttoken: string,\n) {\n\tconst { payload } = await jwtVerify(token, jwks, options);\n\n\treturn payload;\n}\n","import { redirect } from \"@sveltejs/kit\";\nimport type {\n\tArmorConfig,\n\tArmorIdToken,\n\tArmorTokenExchange,\n} from \"../contracts\";\nimport { strTrimEnd, throwIfUndefined } from \"@nekm/core\";\nimport { createRemoteJWKSet } from \"jose\";\nimport type { RouteFactory } from \"./routes\";\nimport { urlConcat, isTokenExchange } from \"../utils/utils\";\nimport {\n\tCOOKIE_STATE,\n\tCOOKIE_TOKENS,\n\tcookieGetAndDelete,\n\tcookieSet,\n} from \"../utils/cookie\";\nimport { jwtVerifyAccessToken, jwtVerifyIdToken } from \"../utils/jwt\";\n\nexport const ROUTE_PATH_REDIRECT_LOGIN = \"/_auth/redirect/login\";\n\nexport const routeRedirectLoginFactory: RouteFactory = (\n\tconfig: ArmorConfig,\n) => {\n\tconst jwksUrl = new URL(\n\t\tconfig.oauth.jwksUrl ??\n\t\t\t`${strTrimEnd(config.oauth.issuer, \"/\")}/.well-known/jwks.json`,\n\t);\n\tconst tokenUrl = `${config.oauth.baseUrl}/${config.oauth.tokenPath ?? \"oauth2/token\"}`;\n\n\tconst sessionLogin =\n\t\tconfig.session.login ??\n\t\t((event, tokens) => cookieSet(event.cookies, COOKIE_TOKENS, tokens));\n\n\tasync function exchangeCodeForToken(\n\t\tfetch: typeof global.fetch,\n\t\torigin: string,\n\t\tcode: string,\n\t): Promise<ArmorTokenExchange> {\n\t\tconst response = await fetch(tokenUrl, {\n\t\t\tmethod: \"POST\",\n\t\t\theaders: {\n\t\t\t\t\"Content-Type\": \"application/x-www-form-urlencoded\",\n\t\t\t\tAccept: \"application/json\",\n\t\t\t},\n\t\t\tbody: new URLSearchParams({\n\t\t\t\tgrant_type: \"authorization_code\",\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t\tclient_secret: config.oauth.clientSecret,\n\t\t\t\tcode,\n\t\t\t\tredirect_uri: urlConcat(origin, ROUTE_PATH_REDIRECT_LOGIN),\n\t\t\t}).toString(),\n\t\t});\n\n\t\tif (!response.ok) {\n\t\t\tconst error = await response.text();\n\t\t\tthrow new Error(`Token exchange failed: ${error}`);\n\t\t}\n\n\t\tconst token = await response.json();\n\n\t\tif (!isTokenExchange(token)) {\n\t\t\tthrow new Error(\"Response is not a valid token exchange.\");\n\t\t}\n\n\t\treturn token;\n\t}\n\n\treturn {\n\t\tpath: ROUTE_PATH_REDIRECT_LOGIN,\n\t\tasync handle({ event }) {\n\t\t\tconst state = event.url.searchParams.get(\"state\") ?? undefined;\n\t\t\tconst stateCookie = cookieGetAndDelete(event.cookies, COOKIE_STATE);\n\n\t\t\tif (state !== stateCookie) {\n\t\t\t\tthrow new Error(\"State do not match\");\n\t\t\t}\n\n\t\t\tconst code = event.url.searchParams.get(\"code\") ?? undefined;\n\t\t\tthrowIfUndefined(code);\n\n\t\t\tconst exchange = await exchangeCodeForToken(\n\t\t\t\tfetch,\n\t\t\t\tevent.url.origin,\n\t\t\t\tcode,\n\t\t\t);\n\n\t\t\tconst jwks = createRemoteJWKSet(jwksUrl);\n\n\t\t\tconst [idToken, accessToken] = await Promise.all([\n\t\t\t\tjwtVerifyIdToken(config, jwks, exchange.id_token),\n\t\t\t\tjwtVerifyAccessToken(config, jwks, exchange.access_token),\n\t\t\t]);\n\n\t\t\tawait sessionLogin(event, {\n\t\t\t\texchange,\n\t\t\t\tidToken: idToken as ArmorIdToken,\n\t\t\t\taccessToken,\n\t\t\t});\n\n\t\t\tthrow redirect(302, \"/\");\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { queryParamsCreate } from \"@nekm/core\";\nimport { ROUTE_PATH_REDIRECT_LOGIN } from \"./redirect-login\";\nimport { randomUUID } from \"node:crypto\";\nimport type { RouteFactory } from \"./routes\";\nimport { COOKIE_STATE, cookieSet } from \"../utils/cookie\";\nimport { urlConcat } from \"../utils/utils\";\n\nexport const ROUTE_PATH_LOGIN = \"/_auth/login\";\n\nexport const routeLoginFactory: RouteFactory = (config: ArmorConfig) => {\n\tconst authorizeUrl = `${config.oauth.baseUrl}/${config.oauth.authorizePath ?? \"/oauth2/authorize\"}`;\n\n\treturn {\n\t\tpath: ROUTE_PATH_LOGIN,\n\t\tasync handle({ event }) {\n\t\t\tconst state = randomUUID();\n\t\t\tcookieSet(event.cookies, COOKIE_STATE, state);\n\n\t\t\tconst params = queryParamsCreate({\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t\tresponse_type: \"code\",\n\t\t\t\tredirect_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGIN),\n\t\t\t\tstate,\n\t\t\t});\n\n\t\t\tthrow redirect(302, `${authorizeUrl}?${params}`);\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { noop } from \"@nekm/core\";\nimport type { RouteFactory } from \"./routes\";\n\nexport const ROUTE_PATH_REDIRECT_LOGOUT = \"/_auth/redirect/logout\";\n\nexport const routeRedirectLogoutFactory: RouteFactory = (\n\tconfig: ArmorConfig,\n) => {\n\t// Check if the oauth provider supports a logout path.\n\tif (!config.oauth.logoutPath) {\n\t\treturn undefined;\n\t}\n\n\tconst logout = config.session.logout ?? noop;\n\n\treturn {\n\t\tpath: ROUTE_PATH_REDIRECT_LOGOUT,\n\t\tasync handle({ event }) {\n\t\t\tawait logout(event);\n\t\t\tthrow redirect(302, \"/\");\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { queryParamsCreate } from \"@nekm/core\";\nimport { ROUTE_PATH_REDIRECT_LOGOUT } from \"./redirect-logout\";\nimport type { RouteFactory } from \"./routes\";\nimport { urlConcat } from \"../utils/utils\";\n\nexport const ROUTE_PATH_LOGOUT = \"/_auth/logout\";\n\nexport const routeLogoutFactory: RouteFactory = (config: ArmorConfig) => {\n\t// Check if the oauth provider supports a logout path.\n\tif (!config.oauth.logoutPath) {\n\t\treturn undefined;\n\t}\n\n\tconst logoutUrl = `${config.oauth.baseUrl}/${config.oauth.logoutPath}`;\n\n\treturn {\n\t\tpath: ROUTE_PATH_LOGOUT,\n\t\tasync handle({ event }) {\n\t\t\tconst params = queryParamsCreate({\n\t\t\t\tlogout_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGOUT),\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t});\n\n\t\t\tthrow redirect(302, `${logoutUrl}?${params}`);\n\t\t},\n\t};\n};\n","import type { Handle } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { routeLoginFactory } from \"./login\";\nimport { routeLogoutFactory } from \"./logout\";\nimport { routeRedirectLogoutFactory } from \"./redirect-logout\";\nimport { routeRedirectLoginFactory } from \"./redirect-login\";\n\nexport interface Route {\n\treadonly path: string;\n\treadonly handle: Handle;\n}\n\nexport type RouteFactory = (config: ArmorConfig) => Route | undefined;\n\nconst routeFactories = Object.freeze([\n\trouteLoginFactory,\n\trouteLogoutFactory,\n\trouteRedirectLoginFactory,\n\trouteRedirectLogoutFactory,\n]);\n\nexport function routeCreate(config: ArmorConfig): Map<string, Handle> {\n\treturn new Map(\n\t\trouteFactories\n\t\t\t.map((routeFactory) => routeFactory(config))\n\t\t\t.filter((route) => Boolean(route))\n\t\t\t// @ts-expect-error Incorrect typing error.\n\t\t\t.map((route) => [route.path, route.handle]),\n\t);\n}\n","import { error, redirect, type Handle, Cookies } from \"@sveltejs/kit\";\nimport { ROUTE_PATH_LOGIN } from \"./routes/login\";\nimport type { ArmorConfig, ArmorTokens } from \"./contracts\";\nimport { ROUTE_PATH_LOGOUT } from \"./routes/logout\";\nimport { routeCreate } from \"./routes/routes\";\nimport { COOKIE_TOKENS, cookieGet } from \"./utils/cookie\";\nimport { throwIfUndefined } from \"@nekm/core\";\n\nexport type { ArmorConfig, ArmorTokens };\n\nexport const ARMOR_LOGIN = ROUTE_PATH_LOGIN;\nexport const ARMOR_LOGOUT = ROUTE_PATH_LOGOUT;\n\nexport function armor(config: ArmorConfig): Handle {\n\tconst routes = routeCreate(config);\n\tconst sessionExists =\n\t\tconfig.session.exists ??\n\t\t((event) => Boolean(event.cookies.get(COOKIE_TOKENS)));\n\n\treturn async ({ event, resolve }) => {\n\t\tconst routeHandle = routes.get(event.url.pathname);\n\n\t\tif (routeHandle) {\n\t\t\tawait routeHandle({ event, resolve });\n\n\t\t\t// Handle should redirect. If it doesn't, something is wrong.\n\t\t\tthrow error(500, \"Illegal state\");\n\t\t}\n\n\t\tconst exists = await sessionExists(event);\n\n\t\tif (!exists) {\n\t\t\tthrow redirect(302, ROUTE_PATH_LOGIN);\n\t\t}\n\n\t\treturn resolve(event);\n\t};\n}\n\nexport function armorCookiesGetTokens(cookies: Cookies): ArmorTokens {\n\tconst tokens = cookieGet<ArmorTokens>(cookies, COOKIE_TOKENS);\n\tthrowIfUndefined(tokens);\n\treturn tokens;\n}\n"],"names":["urlConcat","origin","path","strTrimEnd","isTokenExchange","value","obj","access_token","token_type","expires_in","id_token","undefined","refresh_token","scope","COOKIE_TOKENS","COOKIE_STATE","cookieDeleteOptions","Object","freeze","cookieSetOptions","httpOnly","secure","sameSite","maxAge","cookieSet","cookies","key","set","JSON","stringify","cookieGetAndDelete","cookieGet","delete","get","parse","jwtVerifyIdToken","config","jwks","idToken","jwtVerifyToken","issuer","oauth","audience","clientId","jwtVerifyAccessToken","accessToken","options","token","payload","jwtVerify","ROUTE_PATH_REDIRECT_LOGIN","routeRedirectLoginFactory","_config$oauth$jwksUrl","_config$oauth$tokenPa","_config$session$login","jwksUrl","URL","tokenUrl","baseUrl","tokenPath","sessionLogin","session","login","event","tokens","exchangeCodeForToken","fetch","code","response","method","headers","Accept","body","URLSearchParams","grant_type","client_id","client_secret","clientSecret","redirect_uri","toString","ok","error","text","Error","json","handle","_event$url$searchPara","_event$url$searchPara2","state","url","searchParams","stateCookie","throwIfUndefined","exchange","createRemoteJWKSet","Promise","all","redirect","ROUTE_PATH_LOGIN","routeLoginFactory","_config$oauth$authori","authorizeUrl","authorizePath","randomUUID","params","queryParamsCreate","response_type","ROUTE_PATH_REDIRECT_LOGOUT","routeRedirectLogoutFactory","_config$session$logou","logoutPath","logout","noop","ROUTE_PATH_LOGOUT","routeLogoutFactory","logoutUrl","logout_uri","routeFactories","routeCreate","Map","map","routeFactory","filter","route","Boolean","ARMOR_LOGIN","ARMOR_LOGOUT","armor","_config$session$exist","routes","sessionExists","exists","resolve","routeHandle","pathname","armorCookiesGetTokens"],"mappings":";;;;;AAGgB,SAAAA,SAASA,CAACC,MAAc,EAAEC,IAAY,EAAA;EACrD,OAAO,CAAA,EAAGC,eAAU,CAACF,MAAM,EAAE,GAAG,CAAC,CAAIC,CAAAA,EAAAA,IAAI,CAAE,CAAA,CAAA;AAC5C,CAAA;AAEM,SAAUE,eAAeA,CAACC,KAAc,EAAA;EAC7C,IAAI,OAAOA,KAAK,KAAK,QAAQ,IAAIA,KAAK,KAAK,IAAI,EAAE,OAAO,KAAK,CAAA;EAE7D,MAAMC,GAAG,GAAGD,KAAgC,CAAA;AAE5C,EAAA,OACC,OAAOC,GAAG,CAACC,YAAY,KAAK,QAAQ,IACpCD,GAAG,CAACE,UAAU,KAAK,QAAQ,IAC3B,OAAOF,GAAG,CAACG,UAAU,KAAK,QAAQ;AAClC;AACC,EAAA,OAAOH,GAAG,CAACI,QAAQ,KAAK,QAAQ,IAAIJ,GAAG,CAACI,QAAQ,KAAKC,SAAS,CAAC,KAC/D,OAAOL,GAAG,CAACM,aAAa,KAAK,QAAQ,IACrCN,GAAG,CAACM,aAAa,KAAKD,SAAS,CAAC,KAChC,OAAOL,GAAG,CAACO,KAAK,KAAK,QAAQ,IAAIP,GAAG,CAACO,KAAK,KAAKF,SAAS,CAAC,CAAA;AAE5D;;ACpBO,MAAMG,aAAa,GAAG,QAAQ,CAAA;AAC9B,MAAMC,YAAY,GAAG,OAAO,CAAA;AAEnC,MAAMC,mBAAmB,GAAGC,MAAM,CAACC,MAAM,CAAC;AAAEhB,EAAAA,IAAI,EAAE,GAAA;AAAK,CAAA,CAAC,CAAA;AAExD,MAAMiB,gBAAgB,GAAGF,MAAM,CAACC,MAAM,CAAC;AACtC,EAAA,GAAGF,mBAAmB;AACtBI,EAAAA,QAAQ,EAAE,IAAI;AACdC,EAAAA,MAAM,EAAE,IAAI;AACZC,EAAAA,QAAQ,EAAE,KAAK;EACfC,MAAM,EAAE,IAAI;AACZ,CAAA,CAAC,CAAA;SAEcC,SAASA,CACxBC,OAAgB,EAChBC,GAAW,EACXrB,KAAsB,EAAA;AAEtBoB,EAAAA,OAAO,CAACE,GAAG,CAACD,GAAG,EAAEE,IAAI,CAACC,SAAS,CAACxB,KAAK,CAAC,EAAEc,gBAAgB,CAAC,CAAA;AAC1D,CAAA;AAEgB,SAAAW,kBAAkBA,CACjCL,OAAgB,EAChBC,GAAW,EAAA;AAEX,EAAA,MAAMrB,KAAK,GAAG0B,SAAS,CAAIN,OAAO,EAAEC,GAAG,CAAC,CAAA;AAExC,EAAA,IAAIrB,KAAK,EAAE;AACVoB,IAAAA,OAAO,CAACO,MAAM,CAACN,GAAG,EAAEV,mBAAmB,CAAC,CAAA;AACzC,GAAA;AAEA,EAAA,OAAOX,KAAK,CAAA;AACb,CAAA;AAEgB,SAAA0B,SAASA,CAAIN,OAAgB,EAAEC,GAAW,EAAA;AACzD,EAAA,MAAMrB,KAAK,GAAGoB,OAAO,CAACQ,GAAG,CAACP,GAAG,CAAC,CAAA;EAE9B,OAAO,CAACrB,KAAK,GAAGM,SAAS,GAAGiB,IAAI,CAACM,KAAK,CAAC7B,KAAK,CAAC,CAAA;AAC9C;;SCrCgB8B,gBAAgBA,CAC/BC,MAAmB,EACnBC,IAAqB,EACrBC,OAAe,EAAA;EAEf,OAAOC,cAAc,CACpBF,IAAI,EACJ;AACCG,IAAAA,MAAM,EAAEJ,MAAM,CAACK,KAAK,CAACD,MAAM;AAC3BE,IAAAA,QAAQ,EAAEN,MAAM,CAACK,KAAK,CAACE,QAAAA;GACvB,EACDL,OAAO,CACP,CAAA;AACF,CAAA;SAEgBM,oBAAoBA,CACnCR,MAAmB,EACnBC,IAAqB,EACrBQ,WAAmB,EAAA;EAEnB,OAAON,cAAc,CAACF,IAAI,EAAE;AAAEG,IAAAA,MAAM,EAAEJ,MAAM,CAACK,KAAK,CAACD,MAAAA;GAAQ,EAAEK,WAAW,CAAC,CAAA;AAC1E,CAAA;AAEA,eAAeN,cAAcA,CAC5BF,IAAqB,EACrBS,OAAyB,EACzBC,KAAa,EAAA;EAEb,MAAM;AAAEC,IAAAA,OAAAA;GAAS,GAAG,MAAMC,cAAS,CAACF,KAAK,EAAEV,IAAI,EAAES,OAAO,CAAC,CAAA;AAEzD,EAAA,OAAOE,OAAO,CAAA;AACf;;AChBO,MAAME,yBAAyB,GAAG,uBAAuB,CAAA;AAEzD,MAAMC,yBAAyB,GACrCf,MAAmB,IAChB;AAAA,EAAA,IAAAgB,qBAAA,EAAAC,qBAAA,EAAAC,qBAAA,CAAA;EACH,MAAMC,OAAO,GAAG,IAAIC,GAAG,CAAA,CAAAJ,qBAAA,GACtBhB,MAAM,CAACK,KAAK,CAACc,OAAO,KAAA,IAAA,GAAAH,qBAAA,GACnB,CAAGjD,EAAAA,eAAU,CAACiC,MAAM,CAACK,KAAK,CAACD,MAAM,EAAE,GAAG,CAAC,CAAA,sBAAA,CAAwB,CAChE,CAAA;EACD,MAAMiB,QAAQ,GAAG,CAAGrB,EAAAA,MAAM,CAACK,KAAK,CAACiB,OAAO,CAAAL,CAAAA,EAAAA,CAAAA,qBAAA,GAAIjB,MAAM,CAACK,KAAK,CAACkB,SAAS,YAAAN,qBAAA,GAAI,cAAc,CAAE,CAAA,CAAA;EAEtF,MAAMO,YAAY,GAAAN,CAAAA,qBAAA,GACjBlB,MAAM,CAACyB,OAAO,CAACC,KAAK,KAAAR,IAAAA,GAAAA,qBAAA,GACnB,CAACS,KAAK,EAAEC,MAAM,KAAKxC,SAAS,CAACuC,KAAK,CAACtC,OAAO,EAAEX,aAAa,EAAEkD,MAAM,CAAE,CAAA;AAErE,EAAA,eAAeC,oBAAoBA,CAClCC,KAA0B,EAC1BjE,MAAc,EACdkE,IAAY,EAAA;AAEZ,IAAA,MAAMC,QAAQ,GAAG,MAAMF,KAAK,CAACT,QAAQ,EAAE;AACtCY,MAAAA,MAAM,EAAE,MAAM;AACdC,MAAAA,OAAO,EAAE;AACR,QAAA,cAAc,EAAE,mCAAmC;AACnDC,QAAAA,MAAM,EAAE,kBAAA;OACR;MACDC,IAAI,EAAE,IAAIC,eAAe,CAAC;AACzBC,QAAAA,UAAU,EAAE,oBAAoB;AAChCC,QAAAA,SAAS,EAAEvC,MAAM,CAACK,KAAK,CAACE,QAAQ;AAChCiC,QAAAA,aAAa,EAAExC,MAAM,CAACK,KAAK,CAACoC,YAAY;QACxCV,IAAI;AACJW,QAAAA,YAAY,EAAE9E,SAAS,CAACC,MAAM,EAAEiD,yBAAyB,CAAA;OACzD,CAAC,CAAC6B,QAAQ,EAAE;AACb,KAAA,CAAC,CAAA;AAEF,IAAA,IAAI,CAACX,QAAQ,CAACY,EAAE,EAAE;AACjB,MAAA,MAAMC,KAAK,GAAG,MAAMb,QAAQ,CAACc,IAAI,EAAE,CAAA;AACnC,MAAA,MAAM,IAAIC,KAAK,CAAC,CAA0BF,uBAAAA,EAAAA,KAAK,EAAE,CAAC,CAAA;AACnD,KAAA;AAEA,IAAA,MAAMlC,KAAK,GAAG,MAAMqB,QAAQ,CAACgB,IAAI,EAAE,CAAA;AAEnC,IAAA,IAAI,CAAChF,eAAe,CAAC2C,KAAK,CAAC,EAAE;AAC5B,MAAA,MAAM,IAAIoC,KAAK,CAAC,yCAAyC,CAAC,CAAA;AAC3D,KAAA;AAEA,IAAA,OAAOpC,KAAK,CAAA;AACb,GAAA;EAEA,OAAO;AACN7C,IAAAA,IAAI,EAAEgD,yBAAyB;AAC/B,IAAA,MAAMmC,MAAMA,CAAC;AAAEtB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MAAA,IAAAuB,qBAAA,EAAAC,sBAAA,CAAA;AACrB,MAAA,MAAMC,KAAK,GAAAF,CAAAA,qBAAA,GAAGvB,KAAK,CAAC0B,GAAG,CAACC,YAAY,CAACzD,GAAG,CAAC,OAAO,CAAC,KAAAqD,IAAAA,GAAAA,qBAAA,GAAI3E,SAAS,CAAA;MAC9D,MAAMgF,WAAW,GAAG7D,kBAAkB,CAACiC,KAAK,CAACtC,OAAO,EAAEV,YAAY,CAAC,CAAA;MAEnE,IAAIyE,KAAK,KAAKG,WAAW,EAAE;AAC1B,QAAA,MAAM,IAAIR,KAAK,CAAC,oBAAoB,CAAC,CAAA;AACtC,OAAA;AAEA,MAAA,MAAMhB,IAAI,GAAAoB,CAAAA,sBAAA,GAAGxB,KAAK,CAAC0B,GAAG,CAACC,YAAY,CAACzD,GAAG,CAAC,MAAM,CAAC,KAAAsD,IAAAA,GAAAA,sBAAA,GAAI5E,SAAS,CAAA;MAC5DiF,qBAAgB,CAACzB,IAAI,CAAC,CAAA;AAEtB,MAAA,MAAM0B,QAAQ,GAAG,MAAM5B,oBAAoB,CAC1CC,KAAK,EACLH,KAAK,CAAC0B,GAAG,CAACxF,MAAM,EAChBkE,IAAI,CACJ,CAAA;AAED,MAAA,MAAM9B,IAAI,GAAGyD,uBAAkB,CAACvC,OAAO,CAAC,CAAA;AAExC,MAAA,MAAM,CAACjB,OAAO,EAAEO,WAAW,CAAC,GAAG,MAAMkD,OAAO,CAACC,GAAG,CAAC,CAChD7D,gBAAgB,CAACC,MAAM,EAAEC,IAAI,EAAEwD,QAAQ,CAACnF,QAAQ,CAAC,EACjDkC,oBAAoB,CAACR,MAAM,EAAEC,IAAI,EAAEwD,QAAQ,CAACtF,YAAY,CAAC,CACzD,CAAC,CAAA;MAEF,MAAMqD,YAAY,CAACG,KAAK,EAAE;QACzB8B,QAAQ;AACRvD,QAAAA,OAAO,EAAEA,OAAuB;AAChCO,QAAAA,WAAAA;AACA,OAAA,CAAC,CAAA;AAEF,MAAA,MAAMoD,YAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACzB,KAAA;GACA,CAAA;AACF,CAAC;;AC7FM,MAAMC,gBAAgB,GAAG,cAAc,CAAA;AAEvC,MAAMC,iBAAiB,GAAkB/D,MAAmB,IAAI;AAAA,EAAA,IAAAgE,qBAAA,CAAA;EACtE,MAAMC,YAAY,GAAG,CAAGjE,EAAAA,MAAM,CAACK,KAAK,CAACiB,OAAO,CAAA0C,CAAAA,EAAAA,CAAAA,qBAAA,GAAIhE,MAAM,CAACK,KAAK,CAAC6D,aAAa,YAAAF,qBAAA,GAAI,mBAAmB,CAAE,CAAA,CAAA;EAEnG,OAAO;AACNlG,IAAAA,IAAI,EAAEgG,gBAAgB;AACtB,IAAA,MAAMb,MAAMA,CAAC;AAAEtB,MAAAA,KAAAA;AAAO,KAAA,EAAA;AACrB,MAAA,MAAMyB,KAAK,GAAGe,sBAAU,EAAE,CAAA;MAC1B/E,SAAS,CAACuC,KAAK,CAACtC,OAAO,EAAEV,YAAY,EAAEyE,KAAK,CAAC,CAAA;MAE7C,MAAMgB,MAAM,GAAGC,sBAAiB,CAAC;AAChC9B,QAAAA,SAAS,EAAEvC,MAAM,CAACK,KAAK,CAACE,QAAQ;AAChC+D,QAAAA,aAAa,EAAE,MAAM;QACrB5B,YAAY,EAAE9E,SAAS,CAAC+D,KAAK,CAAC0B,GAAG,CAACxF,MAAM,EAAEiD,yBAAyB,CAAC;AACpEsC,QAAAA,KAAAA;AACA,OAAA,CAAC,CAAA;MAEF,MAAMS,YAAQ,CAAC,GAAG,EAAE,GAAGI,YAAY,CAAA,CAAA,EAAIG,MAAM,CAAA,CAAE,CAAC,CAAA;AACjD,KAAA;GACA,CAAA;AACF,CAAC;;ACzBM,MAAMG,0BAA0B,GAAG,wBAAwB,CAAA;AAE3D,MAAMC,0BAA0B,GACtCxE,MAAmB,IAChB;AAAA,EAAA,IAAAyE,qBAAA,CAAA;AACH;AACA,EAAA,IAAI,CAACzE,MAAM,CAACK,KAAK,CAACqE,UAAU,EAAE;AAC7B,IAAA,OAAOnG,SAAS,CAAA;AACjB,GAAA;AAEA,EAAA,MAAMoG,MAAM,GAAA,CAAAF,qBAAA,GAAGzE,MAAM,CAACyB,OAAO,CAACkD,MAAM,KAAA,IAAA,GAAAF,qBAAA,GAAIG,SAAI,CAAA;EAE5C,OAAO;AACN9G,IAAAA,IAAI,EAAEyG,0BAA0B;AAChC,IAAA,MAAMtB,MAAMA,CAAC;AAAEtB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MACrB,MAAMgD,MAAM,CAAChD,KAAK,CAAC,CAAA;AACnB,MAAA,MAAMkC,YAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACzB,KAAA;GACA,CAAA;AACF,CAAC;;ACjBM,MAAMgB,iBAAiB,GAAG,eAAe,CAAA;AAEzC,MAAMC,kBAAkB,GAAkB9E,MAAmB,IAAI;AACvE;AACA,EAAA,IAAI,CAACA,MAAM,CAACK,KAAK,CAACqE,UAAU,EAAE;AAC7B,IAAA,OAAOnG,SAAS,CAAA;AACjB,GAAA;AAEA,EAAA,MAAMwG,SAAS,GAAG,CAAG/E,EAAAA,MAAM,CAACK,KAAK,CAACiB,OAAO,CAAA,CAAA,EAAItB,MAAM,CAACK,KAAK,CAACqE,UAAU,CAAE,CAAA,CAAA;EAEtE,OAAO;AACN5G,IAAAA,IAAI,EAAE+G,iBAAiB;AACvB,IAAA,MAAM5B,MAAMA,CAAC;AAAEtB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MACrB,MAAMyC,MAAM,GAAGC,sBAAiB,CAAC;QAChCW,UAAU,EAAEpH,SAAS,CAAC+D,KAAK,CAAC0B,GAAG,CAACxF,MAAM,EAAE0G,0BAA0B,CAAC;AACnEhC,QAAAA,SAAS,EAAEvC,MAAM,CAACK,KAAK,CAACE,QAAAA;AACxB,OAAA,CAAC,CAAA;MAEF,MAAMsD,YAAQ,CAAC,GAAG,EAAE,GAAGkB,SAAS,CAAA,CAAA,EAAIX,MAAM,CAAA,CAAE,CAAC,CAAA;AAC9C,KAAA;GACA,CAAA;AACF,CAAC;;ACdD,MAAMa,cAAc,GAAGpG,MAAM,CAACC,MAAM,CAAC,CACpCiF,iBAAiB,EACjBe,kBAAkB,EAClB/D,yBAAyB,EACzByD,0BAA0B,CAC1B,CAAC,CAAA;AAEI,SAAUU,WAAWA,CAAClF,MAAmB,EAAA;EAC9C,OAAO,IAAImF,GAAG,CACbF,cAAc,CACZG,GAAG,CAAEC,YAAY,IAAKA,YAAY,CAACrF,MAAM,CAAC,CAAC,CAC3CsF,MAAM,CAAEC,KAAK,IAAKC,OAAO,CAACD,KAAK,CAAC,CAAA;AACjC;AAAA,GACCH,GAAG,CAAEG,KAAK,IAAK,CAACA,KAAK,CAACzH,IAAI,EAAEyH,KAAK,CAACtC,MAAM,CAAC,CAAC,CAC5C,CAAA;AACF;;ACnBO,MAAMwC,WAAW,GAAG3B,iBAAgB;AACpC,MAAM4B,YAAY,GAAGb,kBAAiB;AAEvC,SAAUc,KAAKA,CAAC3F,MAAmB,EAAA;AAAA,EAAA,IAAA4F,qBAAA,CAAA;AACxC,EAAA,MAAMC,MAAM,GAAGX,WAAW,CAAClF,MAAM,CAAC,CAAA;EAClC,MAAM8F,aAAa,GAAAF,CAAAA,qBAAA,GAClB5F,MAAM,CAACyB,OAAO,CAACsE,MAAM,KAAA,IAAA,GAAAH,qBAAA,GACnBjE,KAAK,IAAK6D,OAAO,CAAC7D,KAAK,CAACtC,OAAO,CAACQ,GAAG,CAACnB,aAAa,CAAC,CAAE,CAAA;AAEvD,EAAA,OAAO,OAAO;IAAEiD,KAAK;AAAEqE,IAAAA,OAAAA;AAAO,GAAE,KAAI;IACnC,MAAMC,WAAW,GAAGJ,MAAM,CAAChG,GAAG,CAAC8B,KAAK,CAAC0B,GAAG,CAAC6C,QAAQ,CAAC,CAAA;AAElD,IAAA,IAAID,WAAW,EAAE;AAChB,MAAA,MAAMA,WAAW,CAAC;QAAEtE,KAAK;AAAEqE,QAAAA,OAAAA;AAAO,OAAE,CAAC,CAAA;AAErC;AACA,MAAA,MAAMnD,SAAK,CAAC,GAAG,EAAE,eAAe,CAAC,CAAA;AAClC,KAAA;AAEA,IAAA,MAAMkD,MAAM,GAAG,MAAMD,aAAa,CAACnE,KAAK,CAAC,CAAA;IAEzC,IAAI,CAACoE,MAAM,EAAE;AACZ,MAAA,MAAMlC,YAAQ,CAAC,GAAG,EAAEC,gBAAgB,CAAC,CAAA;AACtC,KAAA;IAEA,OAAOkC,OAAO,CAACrE,KAAK,CAAC,CAAA;GACrB,CAAA;AACF,CAAA;AAEM,SAAUwE,qBAAqBA,CAAC9G,OAAgB,EAAA;AACrD,EAAA,MAAMuC,MAAM,GAAGjC,SAAS,CAAcN,OAAO,EAAEX,aAAa,CAAC,CAAA;EAC7D8E,qBAAgB,CAAC5B,MAAM,CAAC,CAAA;AACxB,EAAA,OAAOA,MAAM,CAAA;AACd;;;;;;;"}

package/dist/routes/login.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { RouteFactory } from "./routes";
+export declare const ROUTE_PATH_LOGIN = "/_auth/login";
+export declare const routeLoginFactory: RouteFactory;

package/dist/routes/logout.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { RouteFactory } from "./routes";
+export declare const ROUTE_PATH_LOGOUT = "/_auth/logout";
+export declare const routeLogoutFactory: RouteFactory;

package/dist/routes/redirect-login.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { RouteFactory } from "./routes";
+export declare const ROUTE_PATH_REDIRECT_LOGIN = "/_auth/redirect/login";
+export declare const routeRedirectLoginFactory: RouteFactory;

package/dist/routes/redirect-logout.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { RouteFactory } from "./routes";
+export declare const ROUTE_PATH_REDIRECT_LOGOUT = "/_auth/redirect/logout";
+export declare const routeRedirectLogoutFactory: RouteFactory;

package/dist/routes/routes.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import type { Handle } from "@sveltejs/kit";
+import type { ArmorConfig } from "../contracts";
+export interface Route {
+    readonly path: string;
+    readonly handle: Handle;
+}
+export type RouteFactory = (config: ArmorConfig) => Route | undefined;
+export declare function routeCreate(config: ArmorConfig): Map<string, Handle>;

package/dist/utils/cookie.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import { Cookies } from "@sveltejs/kit";
+export declare const COOKIE_TOKENS = "tokens";
+export declare const COOKIE_STATE = "state";
+export declare function cookieSet(cookies: Cookies, key: string, value: string | object): void;
+export declare function cookieGetAndDelete<T>(cookies: Cookies, key: string): T | undefined;
+export declare function cookieGet<T>(cookies: Cookies, key: string): T | undefined;

package/dist/utils/jwt.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import { ArmorConfig } from "../contracts";
+import { JWTVerifyGetKey } from "jose";
+export declare function jwtVerifyIdToken(config: ArmorConfig, jwks: JWTVerifyGetKey, idToken: string): Promise<import("jose").JWTPayload>;
+export declare function jwtVerifyAccessToken(config: ArmorConfig, jwks: JWTVerifyGetKey, accessToken: string): Promise<import("jose").JWTPayload>;

package/dist/utils/utils.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { ArmorTokenExchange } from "../contracts";
+export declare function urlConcat(origin: string, path: string): string;
+export declare function isTokenExchange(value: unknown): value is ArmorTokenExchange;

package/dist/utils/utils.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/package.json ADDED Viewed

@@ -0,0 +1,80 @@
+{
+  "name": "@nekm/sveltekit-armor",
+  "version": "0.1.0",
+  "description": "Zero-config OAuth protection for SvelteKit",
+  "license": "MIT",
+  "source": "./src/index.ts",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    "import": "./dist/index.esm.js",
+    "types": "./dist/index.d.ts",
+    "default": "./dist/index.js"
+  },
+  "main": "./dist/index.js",
+  "module": "./dist/index.esm.js",
+  "scripts": {
+    "build": "microbundle --format esm,cjs --target node",
+    "test": "jest"
+  },
+  "maintainers": [
+    {
+      "email": "niklas@niklasekman.solutions",
+      "name": "Niklas Ekman",
+      "url": "https://www.niklasekman.solutions"
+    }
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Ekman/TypeScript-Core.git"
+  },
+  "homepage": "https://github.com/Ekman/TypeScript-Core#readme",
+  "files": [
+    "dist",
+    "src"
+  ],
+  "author": {
+    "name": "Niklas Ekman",
+    "email": "niklas@niklasekman.solutions"
+  },
+  "keywords": [
+    "sveltekit",
+    "svelte",
+    "auth",
+    "authentication",
+    "oauth",
+    "oauth2",
+    "oidc",
+    "openid-connect",
+    "cognito",
+    "auth0",
+    "keycloak",
+    "security",
+    "protect",
+    "session",
+    "authorization",
+    "sveltekit-auth",
+    "sveltekit-oauth"
+  ],
+  "sideEffects": false,
+  "devDependencies": {
+    "@tsconfig/recommended": "^1.0.13",
+    "@types/jest": "^30.0.0",
+    "@types/node": "^25.0.10",
+    "@typescript-eslint/eslint-plugin": "^8.53.1",
+    "@typescript-eslint/parser": "^8.53.1",
+    "eslint": "^9.39.2",
+    "globals": "^17.1.0",
+    "jest": "^30.2.0",
+    "jest-junit": "^16.0.0",
+    "microbundle": "^0.15.1",
+    "prettier": "^3.8.1",
+    "ts-jest": "^29.4.6",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.9.3"
+  },
+  "dependencies": {
+    "@nekm/core": "^1.7.0",
+    "@sveltejs/kit": "^2.50.1",
+    "jose": "^6.1.3"
+  }
+}

package/src/contracts.ts ADDED Viewed

@@ -0,0 +1,51 @@
+import type { RequestEvent } from "@sveltejs/kit";
+import type { JWTPayload } from "jose";
+// OAuth 2.0 Token Response (RFC 6749 §5.1)
+export interface ArmorTokenExchange {
+	readonly access_token: string;
+	readonly id_token: string;
+	readonly token_type: "Bearer";
+	readonly expires_in: number;
+	readonly refresh_token?: string;
+	readonly scope?: string;
+}
+// Generic OIDC ID Token Claims
+export type ArmorIdToken = Required<
+	Pick<JWTPayload, "iss" | "sub" | "aud" | "exp" | "iat">
+> &
+	Omit<JWTPayload, "iss" | "sub" | "aud" | "exp" | "iat">;
+export interface ArmorAccessToken extends JWTPayload {
+	client_id?: string;
+	scope?: string;
+	version?: number;
+}
+export interface ArmorTokens {
+	readonly exchange: ArmorTokenExchange;
+	readonly idToken: ArmorIdToken;
+	readonly accessToken: ArmorAccessToken;
+}
+export interface ArmorConfig {
+	readonly session: {
+		readonly exists?: (event: RequestEvent) => Promise<boolean> | boolean;
+		readonly login?: (
+			event: RequestEvent,
+			tokens: ArmorTokens,
+		) => Promise<void> | void;
+		readonly logout?: (event: RequestEvent) => Promise<void> | void;
+	};
+	readonly oauth: {
+		readonly clientId: string;
+		readonly clientSecret: string;
+		readonly baseUrl: string;
+		readonly jwksUrl?: string;
+		readonly issuer: string;
+		readonly authorizePath?: string;
+		readonly logoutPath?: string;
+		readonly tokenPath?: string;
+	};
+}

package/src/index.ts ADDED Viewed

@@ -0,0 +1,44 @@
+import { error, redirect, type Handle, Cookies } from "@sveltejs/kit";
+import { ROUTE_PATH_LOGIN } from "./routes/login";
+import type { ArmorConfig, ArmorTokens } from "./contracts";
+import { ROUTE_PATH_LOGOUT } from "./routes/logout";
+import { routeCreate } from "./routes/routes";
+import { COOKIE_TOKENS, cookieGet } from "./utils/cookie";
+import { throwIfUndefined } from "@nekm/core";
+export type { ArmorConfig, ArmorTokens };
+export const ARMOR_LOGIN = ROUTE_PATH_LOGIN;
+export const ARMOR_LOGOUT = ROUTE_PATH_LOGOUT;
+export function armor(config: ArmorConfig): Handle {
+	const routes = routeCreate(config);
+	const sessionExists =
+		config.session.exists ??
+		((event) => Boolean(event.cookies.get(COOKIE_TOKENS)));
+	return async ({ event, resolve }) => {
+		const routeHandle = routes.get(event.url.pathname);
+		if (routeHandle) {
+			await routeHandle({ event, resolve });
+			// Handle should redirect. If it doesn't, something is wrong.
+			throw error(500, "Illegal state");
+		}
+		const exists = await sessionExists(event);
+		if (!exists) {
+			throw redirect(302, ROUTE_PATH_LOGIN);
+		}
+		return resolve(event);
+	};
+}
+export function armorCookiesGetTokens(cookies: Cookies): ArmorTokens {
+	const tokens = cookieGet<ArmorTokens>(cookies, COOKIE_TOKENS);
+	throwIfUndefined(tokens);
+	return tokens;
+}

package/src/routes/login.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import { redirect } from "@sveltejs/kit";
+import type { ArmorConfig } from "../contracts";
+import { queryParamsCreate } from "@nekm/core";
+import { ROUTE_PATH_REDIRECT_LOGIN } from "./redirect-login";
+import { randomUUID } from "node:crypto";
+import type { RouteFactory } from "./routes";
+import { COOKIE_STATE, cookieSet } from "../utils/cookie";
+import { urlConcat } from "../utils/utils";
+export const ROUTE_PATH_LOGIN = "/_auth/login";
+export const routeLoginFactory: RouteFactory = (config: ArmorConfig) => {
+	const authorizeUrl = `${config.oauth.baseUrl}/${config.oauth.authorizePath ?? "/oauth2/authorize"}`;
+	return {
+		path: ROUTE_PATH_LOGIN,
+		async handle({ event }) {
+			const state = randomUUID();
+			cookieSet(event.cookies, COOKIE_STATE, state);
+			const params = queryParamsCreate({
+				client_id: config.oauth.clientId,
+				response_type: "code",
+				redirect_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGIN),
+				state,
+			});
+			throw redirect(302, `${authorizeUrl}?${params}`);
+		},
+	};
+};

package/src/routes/logout.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import { redirect } from "@sveltejs/kit";
+import type { ArmorConfig } from "../contracts";
+import { queryParamsCreate } from "@nekm/core";
+import { ROUTE_PATH_REDIRECT_LOGOUT } from "./redirect-logout";
+import type { RouteFactory } from "./routes";
+import { urlConcat } from "../utils/utils";
+export const ROUTE_PATH_LOGOUT = "/_auth/logout";
+export const routeLogoutFactory: RouteFactory = (config: ArmorConfig) => {
+	// Check if the oauth provider supports a logout path.
+	if (!config.oauth.logoutPath) {
+		return undefined;
+	}
+	const logoutUrl = `${config.oauth.baseUrl}/${config.oauth.logoutPath}`;
+	return {
+		path: ROUTE_PATH_LOGOUT,
+		async handle({ event }) {
+			const params = queryParamsCreate({
+				logout_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGOUT),
+				client_id: config.oauth.clientId,
+			});
+			throw redirect(302, `${logoutUrl}?${params}`);
+		},
+	};
+};

package/src/routes/redirect-login.ts ADDED Viewed

@@ -0,0 +1,103 @@
+import { redirect } from "@sveltejs/kit";
+import type {
+	ArmorConfig,
+	ArmorIdToken,
+	ArmorTokenExchange,
+} from "../contracts";
+import { strTrimEnd, throwIfUndefined } from "@nekm/core";
+import { createRemoteJWKSet } from "jose";
+import type { RouteFactory } from "./routes";
+import { urlConcat, isTokenExchange } from "../utils/utils";
+import {
+	COOKIE_STATE,
+	COOKIE_TOKENS,
+	cookieGetAndDelete,
+	cookieSet,
+} from "../utils/cookie";
+import { jwtVerifyAccessToken, jwtVerifyIdToken } from "../utils/jwt";
+export const ROUTE_PATH_REDIRECT_LOGIN = "/_auth/redirect/login";
+export const routeRedirectLoginFactory: RouteFactory = (
+	config: ArmorConfig,
+) => {
+	const jwksUrl = new URL(
+		config.oauth.jwksUrl ??
+			`${strTrimEnd(config.oauth.issuer, "/")}/.well-known/jwks.json`,
+	);
+	const tokenUrl = `${config.oauth.baseUrl}/${config.oauth.tokenPath ?? "oauth2/token"}`;
+	const sessionLogin =
+		config.session.login ??
+		((event, tokens) => cookieSet(event.cookies, COOKIE_TOKENS, tokens));
+	async function exchangeCodeForToken(
+		fetch: typeof global.fetch,
+		origin: string,
+		code: string,
+	): Promise<ArmorTokenExchange> {
+		const response = await fetch(tokenUrl, {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/x-www-form-urlencoded",
+				Accept: "application/json",
+			},
+			body: new URLSearchParams({
+				grant_type: "authorization_code",
+				client_id: config.oauth.clientId,
+				client_secret: config.oauth.clientSecret,
+				code,
+				redirect_uri: urlConcat(origin, ROUTE_PATH_REDIRECT_LOGIN),
+			}).toString(),
+		});
+		if (!response.ok) {
+			const error = await response.text();
+			throw new Error(`Token exchange failed: ${error}`);
+		}
+		const token = await response.json();
+		if (!isTokenExchange(token)) {
+			throw new Error("Response is not a valid token exchange.");
+		}
+		return token;
+	}
+	return {
+		path: ROUTE_PATH_REDIRECT_LOGIN,
+		async handle({ event }) {
+			const state = event.url.searchParams.get("state") ?? undefined;
+			const stateCookie = cookieGetAndDelete(event.cookies, COOKIE_STATE);
+			if (state !== stateCookie) {
+				throw new Error("State do not match");
+			}
+			const code = event.url.searchParams.get("code") ?? undefined;
+			throwIfUndefined(code);
+			const exchange = await exchangeCodeForToken(
+				fetch,
+				event.url.origin,
+				code,
+			);
+			const jwks = createRemoteJWKSet(jwksUrl);
+			const [idToken, accessToken] = await Promise.all([
+				jwtVerifyIdToken(config, jwks, exchange.id_token),
+				jwtVerifyAccessToken(config, jwks, exchange.access_token),
+			]);
+			await sessionLogin(event, {
+				exchange,
+				idToken: idToken as ArmorIdToken,
+				accessToken,
+			});
+			throw redirect(302, "/");
+		},
+	};
+};

package/src/routes/redirect-logout.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import { redirect } from "@sveltejs/kit";
+import type { ArmorConfig } from "../contracts";
+import { noop } from "@nekm/core";
+import type { RouteFactory } from "./routes";
+export const ROUTE_PATH_REDIRECT_LOGOUT = "/_auth/redirect/logout";
+export const routeRedirectLogoutFactory: RouteFactory = (
+	config: ArmorConfig,
+) => {
+	// Check if the oauth provider supports a logout path.
+	if (!config.oauth.logoutPath) {
+		return undefined;
+	}
+	const logout = config.session.logout ?? noop;
+	return {
+		path: ROUTE_PATH_REDIRECT_LOGOUT,
+		async handle({ event }) {
+			await logout(event);
+			throw redirect(302, "/");
+		},
+	};
+};

package/src/routes/routes.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import type { Handle } from "@sveltejs/kit";
+import type { ArmorConfig } from "../contracts";
+import { routeLoginFactory } from "./login";
+import { routeLogoutFactory } from "./logout";
+import { routeRedirectLogoutFactory } from "./redirect-logout";
+import { routeRedirectLoginFactory } from "./redirect-login";
+export interface Route {
+	readonly path: string;
+	readonly handle: Handle;
+}
+export type RouteFactory = (config: ArmorConfig) => Route | undefined;
+const routeFactories = Object.freeze([
+	routeLoginFactory,
+	routeLogoutFactory,
+	routeRedirectLoginFactory,
+	routeRedirectLogoutFactory,
+]);
+export function routeCreate(config: ArmorConfig): Map<string, Handle> {
+	return new Map(
+		routeFactories
+			.map((routeFactory) => routeFactory(config))
+			.filter((route) => Boolean(route))
+			// @ts-expect-error Incorrect typing error.
+			.map((route) => [route.path, route.handle]),
+	);
+}

package/src/utils/cookie.ts ADDED Viewed

@@ -0,0 +1,41 @@
+import { Cookies } from "@sveltejs/kit";
+export const COOKIE_TOKENS = "tokens";
+export const COOKIE_STATE = "state";
+const cookieDeleteOptions = Object.freeze({ path: "/" });
+const cookieSetOptions = Object.freeze({
+	...cookieDeleteOptions,
+	httpOnly: true,
+	secure: true,
+	sameSite: "lax",
+	maxAge: 1800, // 30 minutes
+});
+export function cookieSet(
+	cookies: Cookies,
+	key: string,
+	value: string | object,
+) {
+	cookies.set(key, JSON.stringify(value), cookieSetOptions);
+}
+export function cookieGetAndDelete<T>(
+	cookies: Cookies,
+	key: string,
+): T | undefined {
+	const value = cookieGet<T>(cookies, key);
+	if (value) {
+		cookies.delete(key, cookieDeleteOptions);
+	}
+	return value;
+}
+export function cookieGet<T>(cookies: Cookies, key: string): T | undefined {
+	const value = cookies.get(key);
+	return !value ? undefined : JSON.parse(value);
+}

package/src/utils/jwt.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import { ArmorConfig } from "../contracts";
+import { jwtVerify, JWTVerifyGetKey, JWTVerifyOptions } from "jose";
+export function jwtVerifyIdToken(
+	config: ArmorConfig,
+	jwks: JWTVerifyGetKey,
+	idToken: string,
+) {
+	return jwtVerifyToken(
+		jwks,
+		{
+			issuer: config.oauth.issuer,
+			audience: config.oauth.clientId,
+		},
+		idToken,
+	);
+}
+export function jwtVerifyAccessToken(
+	config: ArmorConfig,
+	jwks: JWTVerifyGetKey,
+	accessToken: string,
+) {
+	return jwtVerifyToken(jwks, { issuer: config.oauth.issuer }, accessToken);
+}
+async function jwtVerifyToken(
+	jwks: JWTVerifyGetKey,
+	options: JWTVerifyOptions,
+	token: string,
+) {
+	const { payload } = await jwtVerify(token, jwks, options);
+	return payload;
+}

package/src/utils/utils.test.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { isTokenExchange, urlConcat } from "./utils";
+describe("utils", () => {
+	it("should be able to concat URL with path", () => {
+		expect(urlConcat("https://foo.example/", "bar")).toBe(
+			"https://foo.example/bar",
+		);
+	});
+	it("can detect a valid ArmorTokenExchange", () => {
+		const token = {
+			access_token: "abc123",
+			token_type: "Bearer",
+			expires_in: 3600,
+		};
+		expect(isTokenExchange(token)).toBe(true);
+	});
+});

package/src/utils/utils.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import { strTrimEnd } from "@nekm/core";
+import type { ArmorTokenExchange } from "../contracts";
+export function urlConcat(origin: string, path: string): string {
+	return `${strTrimEnd(origin, "/")}/${path}`;
+}
+export function isTokenExchange(value: unknown): value is ArmorTokenExchange {
+	if (typeof value !== "object" || value === null) return false;
+	const obj = value as Record<string, unknown>;
+	return (
+		typeof obj.access_token === "string" &&
+		obj.token_type === "Bearer" &&
+		typeof obj.expires_in === "number" &&
+		// Optional fields
+		(typeof obj.id_token === "string" || obj.id_token === undefined) &&
+		(typeof obj.refresh_token === "string" ||
+			obj.refresh_token === undefined) &&
+		(typeof obj.scope === "string" || obj.scope === undefined)
+	);
+}