@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/server/interaction.js

@@ -0,0 +1,172 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var interaction_exports = {};
+__export(interaction_exports, {
+  handleInteractionGet: () => handleInteractionGet,
+  handleInteractionPost: () => handleInteractionPost
+});
+module.exports = __toCommonJS(interaction_exports);
+var import_provider_dispatch = require("./provider-dispatch");
+function asStringArray(value) {
+  return Array.isArray(value) ? value.filter((item) => typeof item === "string") : [];
+}
+function getPromptDetails(details) {
+  return details.prompt.details || {};
+}
+function getInteractionPromptDetails(details) {
+  const promptDetails = getPromptDetails(details);
+  const missingScope = asStringArray(promptDetails.missingOIDCScope).join(" ");
+  const missingClaims = asStringArray(promptDetails.missingOIDCClaims).join(", ");
+  const missingResourceScopes = Object.entries(promptDetails.missingResourceScopes || {}).map(([resource, scopes]) => `${resource}: ${asStringArray(scopes).join(" ")}`).join("; ");
+  return [missingScope, missingClaims, missingResourceScopes].filter(Boolean).join(" | ");
+}
+async function getInteractionRedirect(ctx, provider, service, result, mergeWithLastSubmission) {
+  const redirectTo = await provider.interactionResult(ctx.req, ctx.res, result, {
+    mergeWithLastSubmission
+  });
+  return (0, import_provider_dispatch.rewriteProviderLocationHeader)(ctx, service, redirectTo);
+}
+async function completeLogin(ctx, provider, service, accountId) {
+  return getInteractionRedirect(
+    ctx,
+    provider,
+    service,
+    {
+      login: {
+        accountId
+      }
+    },
+    false
+  );
+}
+async function handleInteractionGet(ctx, provider, user, service) {
+  var _a;
+  const details = await provider.interactionDetails(ctx.req, ctx.res);
+  const interactionUser = user || await service.resolveInteractionSessionUser((_a = details.session) == null ? void 0 : _a.accountId);
+  if (details.prompt.name === "login") {
+    if (!interactionUser) {
+      ctx.body = {
+        prompt: "login"
+      };
+      return;
+    }
+    ctx.body = {
+      redirectTo: await completeLogin(ctx, provider, service, String(interactionUser.id))
+    };
+    return;
+  }
+  if (details.prompt.name === "consent") {
+    const clientId = String(details.params.client_id || "");
+    const client = await provider.Client.find(clientId);
+    ctx.body = {
+      prompt: "consent",
+      clientName: (client == null ? void 0 : client.clientName) || (client == null ? void 0 : client.clientId) || clientId,
+      details: getInteractionPromptDetails(details)
+    };
+    return;
+  }
+  ctx.throw(501, `Unsupported interaction prompt: ${details.prompt.name}`);
+}
+async function handleInteractionPost(ctx, provider, user, service) {
+  var _a, _b;
+  const details = await provider.interactionDetails(ctx.req, ctx.res);
+  const interactionUser = user || await service.resolveInteractionSessionUser((_a = details.session) == null ? void 0 : _a.accountId);
+  if ((_b = ctx.request.body) == null ? void 0 : _b.cancel) {
+    ctx.body = {
+      redirectTo: await getInteractionRedirect(
+        ctx,
+        provider,
+        service,
+        {
+          error: "access_denied",
+          error_description: "End-User aborted interaction"
+        },
+        false
+      )
+    };
+    return;
+  }
+  if (!interactionUser) {
+    ctx.body = {
+      prompt: "login"
+    };
+    return;
+  }
+  if (details.prompt.name === "login") {
+    ctx.body = {
+      redirectTo: await completeLogin(ctx, provider, service, String(interactionUser.id))
+    };
+    return;
+  }
+  if (details.prompt.name === "consent") {
+    const promptDetails = getPromptDetails(details);
+    const clientId = String(details.params.client_id || "");
+    let grant;
+    if (details.grantId) {
+      grant = await provider.Grant.find(details.grantId);
+    } else {
+      grant = new provider.Grant({
+        accountId: String(interactionUser.id),
+        clientId
+      });
+    }
+    const missingOIDCScope = asStringArray(promptDetails.missingOIDCScope);
+    if (missingOIDCScope.length) {
+      grant.addOIDCScope(missingOIDCScope.join(" "));
+    }
+    const missingOIDCClaims = asStringArray(promptDetails.missingOIDCClaims);
+    if (missingOIDCClaims.length) {
+      grant.addOIDCClaims(missingOIDCClaims);
+    }
+    const missingResourceScopes = promptDetails.missingResourceScopes || {};
+    if (Object.keys(missingResourceScopes).length) {
+      for (const [indicator, scopes] of Object.entries(missingResourceScopes)) {
+        grant.addResourceScope(indicator, asStringArray(scopes).join(" "));
+      }
+    }
+    ctx.body = {
+      redirectTo: await getInteractionRedirect(
+        ctx,
+        provider,
+        service,
+        {
+          consent: {
+            grantId: await grant.save()
+          }
+        },
+        true
+      )
+    };
+    return;
+  }
+  ctx.throw(501, `Unsupported interaction prompt: ${details.prompt.name}`);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  handleInteractionGet,
+  handleInteractionPost
+});

package/dist/server/paths.d.ts

@@ -0,0 +1,19 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+export type IdpOauthPaths = ReturnType<typeof createIdpOauthPaths>;
+export declare function createIdpOauthPaths(apiBasePath?: string): {
+    apiBasePath: string;
+    providerPathPrefix: string;
+    interactionPathPrefix: string;
+    oauthMetadataPath: string;
+    openidMetadataPath: string;
+    isProviderPath(path: string): boolean;
+    isDiscoveryPath(path: string): boolean;
+};
+export declare function getProviderInternalPath(pathname: string, apiBasePath: string): string;

package/dist/server/paths.js

@@ -0,0 +1,64 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var paths_exports = {};
+__export(paths_exports, {
+  createIdpOauthPaths: () => createIdpOauthPaths,
+  getProviderInternalPath: () => getProviderInternalPath
+});
+module.exports = __toCommonJS(paths_exports);
+var import_utils = require("./utils");
+function createIdpOauthPaths(apiBasePath = process.env.API_BASE_PATH || "/api") {
+  const normalizedApiBasePath = (0, import_utils.normalizeBasePath)(apiBasePath);
+  const providerPathPrefix = `${normalizedApiBasePath}/idpOAuth/`;
+  const interactionPathPrefix = `${providerPathPrefix}interaction/`;
+  const oauthMetadataPath = `${normalizedApiBasePath}/.well-known/oauth-authorization-server`;
+  const openidMetadataPath = `${normalizedApiBasePath}/.well-known/openid-configuration`;
+  return {
+    apiBasePath: normalizedApiBasePath,
+    providerPathPrefix,
+    interactionPathPrefix,
+    oauthMetadataPath,
+    openidMetadataPath,
+    isProviderPath(path) {
+      return path.startsWith(providerPathPrefix) || path === oauthMetadataPath || path === openidMetadataPath;
+    },
+    isDiscoveryPath(path) {
+      return path === oauthMetadataPath || path === openidMetadataPath;
+    }
+  };
+}
+function getProviderInternalPath(pathname, apiBasePath) {
+  if (pathname.startsWith(`${apiBasePath}/`)) {
+    return pathname.slice(apiBasePath.length) || "/";
+  }
+  return pathname;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createIdpOauthPaths,
+  getProviderInternalPath
+});

package/dist/server/plugin.d.ts

@@ -0,0 +1,16 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { Plugin } from '@nocobase/server';
+import { IdpOauthService } from './service';
+export declare class PluginIdpOauthServer extends Plugin {
+    service: IdpOauthService;
+    load(): Promise<void>;
+    remove(): Promise<void>;
+}
+export default PluginIdpOauthServer;

package/dist/server/plugin.js

@@ -0,0 +1,108 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var plugin_exports = {};
+__export(plugin_exports, {
+  PluginIdpOauthServer: () => PluginIdpOauthServer,
+  default: () => plugin_default
+});
+module.exports = __toCommonJS(plugin_exports);
+var import_server = require("@nocobase/server");
+var import_interaction = require("./interaction");
+var import_paths = require("./paths");
+var import_provider_dispatch = require("./provider-dispatch");
+var import_service = require("./service");
+var import_utils = require("./utils");
+class PluginIdpOauthServer extends import_server.Plugin {
+  service;
+  async load() {
+    const bridgeTokenCache = await this.app.cacheManager.createCache({
+      name: "idp-oauth-token",
+      prefix: "idp-oauth:token",
+      store: "memory"
+    });
+    this.service = new import_service.IdpOauthService(this.app, bridgeTokenCache);
+    const paths = (0, import_paths.createIdpOauthPaths)();
+    this.app.use(
+      async (ctx, next) => {
+        if (ctx.path.startsWith(paths.interactionPathPrefix)) {
+          await next();
+          return;
+        }
+        if (paths.isProviderPath(ctx.path)) {
+          await (0, import_provider_dispatch.dispatchCurrentRequestToProvider)(ctx, this.service, paths.apiBasePath);
+          return;
+        }
+        await next();
+      },
+      {
+        tag: "idp-oauth-provider",
+        before: "dataSource"
+      }
+    );
+    this.app.use(
+      async (ctx, next) => {
+        await this.service.authenticateResourceRequest(ctx);
+        await next();
+      },
+      {
+        tag: "idp-oauth-resource-auth",
+        before: "dataSource"
+      }
+    );
+    this.app.use(
+      async (ctx, next) => {
+        if (!ctx.path.startsWith(paths.interactionPathPrefix)) {
+          await next();
+          return;
+        }
+        ctx.withoutDataWrapping = true;
+        const provider = await this.service.ensureProviderForContext(ctx);
+        const user = await (0, import_utils.resolveCurrentUser)(ctx, this.service);
+        if (ctx.method === "GET") {
+          await (0, import_interaction.handleInteractionGet)(ctx, provider, user, this.service);
+          return;
+        }
+        if (ctx.method === "POST") {
+          await (0, import_interaction.handleInteractionPost)(ctx, provider, user, this.service);
+          return;
+        }
+        ctx.throw(405);
+      },
+      {
+        tag: "idp-oauth-interaction",
+        before: "dataSource"
+      }
+    );
+  }
+  async remove() {
+  }
+}
+var plugin_default = PluginIdpOauthServer;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  PluginIdpOauthServer
+});

package/dist/server/provider-dispatch.d.ts

@@ -0,0 +1,32 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import type { IdpOauthService } from './service';
+type Provider = import('oidc-provider').Provider;
+type DispatchContext = {
+    method: string;
+    path: string;
+    querystring?: string;
+    headers: Record<string, string | string[] | undefined>;
+    logger?: {
+        debug?: (message: string, meta?: Record<string, any>) => void;
+        warn?: (message: string, meta?: Record<string, any>) => void;
+    };
+    request: {
+        body?: Record<string, any> | string | null;
+    };
+    get(name: string): string;
+    set(name: string, value: string | string[]): void;
+    body?: unknown;
+    status?: number;
+    withoutDataWrapping?: boolean;
+};
+export declare function rewriteProviderLocationHeader(ctx: DispatchContext, service: IdpOauthService, location: string): string;
+export declare function dispatchToProvider(ctx: DispatchContext, provider: Provider, pathname: string, service: IdpOauthService): Promise<void>;
+export declare function dispatchCurrentRequestToProvider(ctx: DispatchContext, service: IdpOauthService, apiBasePath: string): Promise<void>;
+export {};

package/dist/server/provider-dispatch.js

@@ -0,0 +1,252 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var provider_dispatch_exports = {};
+__export(provider_dispatch_exports, {
+  dispatchCurrentRequestToProvider: () => dispatchCurrentRequestToProvider,
+  dispatchToProvider: () => dispatchToProvider,
+  rewriteProviderLocationHeader: () => rewriteProviderLocationHeader
+});
+module.exports = __toCommonJS(provider_dispatch_exports);
+var import_light_my_request = __toESM(require("light-my-request"));
+var import_paths = require("./paths");
+function buildPayload(ctx) {
+  const body = ctx.request.body;
+  if (body === void 0 || body === null) {
+    return void 0;
+  }
+  const contentType = String(ctx.get("content-type") || "").toLowerCase();
+  if (contentType.includes("application/x-www-form-urlencoded")) {
+    return new URLSearchParams(body).toString();
+  }
+  if (contentType.includes("application/json")) {
+    return typeof body === "string" ? body : JSON.stringify(body);
+  }
+  return body;
+}
+function buildHeaders(ctx, service) {
+  const publicOrigin = service.getProviderContext(ctx).origin;
+  const headers = { ...ctx.headers, host: new URL(publicOrigin).host };
+  delete headers["content-length"];
+  delete headers["Content-Length"];
+  delete headers["transfer-encoding"];
+  delete headers["Transfer-Encoding"];
+  return headers;
+}
+function rewriteProviderPathname(ctx, service, pathname) {
+  const { issuerPath } = service.getProviderContext(ctx);
+  const externalPathPrefix = `${issuerPath}/idpOAuth/`;
+  const internalPathPrefix = "/idpOAuth/";
+  const metadataPrefixes = ["/.well-known/oauth-authorization-server", "/.well-known/openid-configuration"];
+  if (pathname.startsWith(externalPathPrefix) || pathname === issuerPath) {
+    return pathname;
+  }
+  if (pathname.startsWith(internalPathPrefix)) {
+    return `${issuerPath}${pathname}`;
+  }
+  if (metadataPrefixes.some((prefix) => pathname.startsWith(prefix))) {
+    return `${issuerPath}${pathname}`;
+  }
+  return pathname;
+}
+function rewriteProviderUrl(ctx, service, value) {
+  const { origin } = service.getProviderContext(ctx);
+  const publicOriginUrl = new URL(origin);
+  if (value.startsWith("/")) {
+    const url = new URL(value, origin);
+    url.pathname = rewriteProviderPathname(ctx, service, url.pathname);
+    return url.pathname + url.search + url.hash;
+  }
+  try {
+    const url = new URL(value);
+    const rewrittenPathname = rewriteProviderPathname(ctx, service, url.pathname);
+    if (rewrittenPathname === url.pathname && url.origin !== origin) {
+      return value;
+    }
+    url.protocol = publicOriginUrl.protocol;
+    url.host = publicOriginUrl.host;
+    url.pathname = rewrittenPathname;
+    return url.toString();
+  } catch (error) {
+    return value;
+  }
+}
+function rewriteProviderLocationHeader(ctx, service, location) {
+  return rewriteProviderUrl(ctx, service, location);
+}
+function getFrontendInteractionCookiePath(originalPath) {
+  const match = originalPath.match(/^\/idp-oauth\/interaction\/([^/]+)\/([^/]+)$/);
+  if (!match) {
+    return void 0;
+  }
+  const [, appName, uid] = match;
+  return { appName, uid };
+}
+function rewriteProviderSetCookieHeader(ctx, service, cookie) {
+  const pathMatch = cookie.match(/;\s*path=([^;]+)/i);
+  if (!pathMatch) {
+    return cookie;
+  }
+  const originalPath = pathMatch[1];
+  let rewrittenPath = rewriteProviderLocationHeader(ctx, service, originalPath);
+  const providerContext = service.getProviderContext(ctx);
+  if (originalPath.startsWith("/idpOAuth/interaction/")) {
+    rewrittenPath = `${providerContext.issuerPath}${originalPath}`;
+  }
+  const frontendInteractionPath = getFrontendInteractionCookiePath(originalPath);
+  if (frontendInteractionPath) {
+    rewrittenPath = `${service.getIssuerPath(frontendInteractionPath.appName)}/idpOAuth/interaction/${frontendInteractionPath.uid}`;
+  }
+  if (rewrittenPath === originalPath) {
+    return cookie;
+  }
+  return cookie.replace(pathMatch[0], `; path=${rewrittenPath}`);
+}
+function rewriteProviderJsonBody(ctx, service, body) {
+  const { issuer } = service.getProviderContext(ctx);
+  const metadataPaths = [
+    "/idpOAuth/authorize",
+    "/idpOAuth/token",
+    "/idpOAuth/register",
+    "/idpOAuth/revoke",
+    "/idpOAuth/jwks",
+    "/idpOAuth/me",
+    "/idpOAuth/introspection",
+    "/idpOAuth/end-session"
+  ];
+  const metadataKeys = [
+    "authorization_endpoint",
+    "token_endpoint",
+    "registration_endpoint",
+    "revocation_endpoint",
+    "jwks_uri",
+    "userinfo_endpoint",
+    "introspection_endpoint",
+    "end_session_endpoint"
+  ];
+  if (ctx.path.endsWith("/.well-known/oauth-authorization-server") || ctx.path.endsWith("/.well-known/openid-configuration")) {
+    body.issuer = issuer;
+    body.scopes_supported = service.getSupportedScopes();
+    metadataKeys.forEach((key, index) => {
+      body[key] = `${issuer}${metadataPaths[index]}`;
+    });
+  }
+  if (typeof body.registration_client_uri === "string") {
+    const registrationClientUri = new URL(body.registration_client_uri, issuer);
+    const clientId = body.client_id || registrationClientUri.pathname.split("/").pop();
+    body.registration_client_uri = `${issuer}/idpOAuth/register/${clientId}`;
+  }
+  return body;
+}
+function rewriteProviderResponseHeaders(ctx, service, headers) {
+  for (const [name, value] of Object.entries(headers)) {
+    if (value === void 0) {
+      continue;
+    }
+    if (name.toLowerCase() === "location") {
+      const originalLocation = Array.isArray(value) ? String(value[0]) : String(value);
+      ctx.set(name, rewriteProviderLocationHeader(ctx, service, originalLocation));
+      continue;
+    }
+    if (name.toLowerCase() === "set-cookie") {
+      const cookies = Array.isArray(value) ? value.map(String) : [String(value)];
+      ctx.set(
+        name,
+        cookies.map((cookie) => rewriteProviderSetCookieHeader(ctx, service, cookie))
+      );
+      continue;
+    }
+    ctx.set(name, Array.isArray(value) ? value.map(String) : String(value));
+  }
+}
+async function dispatchToProvider(ctx, provider, pathname, service) {
+  var _a, _b, _c, _d, _e, _f;
+  ctx.withoutDataWrapping = true;
+  const search = ctx.querystring ? `?${ctx.querystring}` : "";
+  (_b = (_a = ctx.logger) == null ? void 0 : _a.debug) == null ? void 0 : _b.call(_a, "idp-oauth provider request", {
+    method: ctx.method,
+    externalPath: ctx.path,
+    internalPath: pathname,
+    search,
+    issuer: provider.issuer
+  });
+  const response = await (0, import_light_my_request.default)(provider.callback(), {
+    method: ctx.method,
+    url: `${pathname}${search}`,
+    headers: buildHeaders(ctx, service),
+    payload: buildPayload(ctx)
+  });
+  ctx.status = response.statusCode;
+  rewriteProviderResponseHeaders(ctx, service, response.headers);
+  const payload = response.rawPayload;
+  const contentType = String(response.headers["content-type"] || "").toLowerCase();
+  (_d = (_c = ctx.logger) == null ? void 0 : _c.debug) == null ? void 0 : _d.call(_c, "idp-oauth provider response", {
+    method: ctx.method,
+    externalPath: ctx.path,
+    internalPath: pathname,
+    status: response.statusCode,
+    contentType,
+    location: response.headers.location
+  });
+  if (payload.length && (contentType.includes("application/json") || contentType.includes("+json"))) {
+    try {
+      const body = rewriteProviderJsonBody(ctx, service, JSON.parse(payload.toString("utf8")));
+      ctx.body = body;
+      return;
+    } catch (error) {
+      (_f = (_e = ctx.logger) == null ? void 0 : _e.warn) == null ? void 0 : _f.call(_e, "idp-oauth provider json parse failed", {
+        method: ctx.method,
+        externalPath: ctx.path,
+        internalPath: pathname,
+        status: response.statusCode,
+        contentType,
+        error: error instanceof Error ? error.message : String(error),
+        payloadPreview: payload.toString("utf8").slice(0, 500)
+      });
+    }
+  }
+  ctx.body = payload.length ? payload : void 0;
+}
+async function dispatchCurrentRequestToProvider(ctx, service, apiBasePath) {
+  const provider = await service.ensureProviderForContext(ctx);
+  return dispatchToProvider(ctx, provider, (0, import_paths.getProviderInternalPath)(ctx.path, apiBasePath), service);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  dispatchCurrentRequestToProvider,
+  dispatchToProvider,
+  rewriteProviderLocationHeader
+});