npm - @nwire/auth-logto - Versions diffs - 0.7.0 - Mend

@nwire/auth-logto 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/LICENSE +21 -0
package/README.md +71 -0
package/dist/__tests__/auth-logto.test.d.ts +16 -0
package/dist/__tests__/auth-logto.test.d.ts.map +1 -0
package/dist/__tests__/auth-logto.test.js +233 -0
package/dist/__tests__/auth-logto.test.js.map +1 -0
package/dist/auth-logto.d.ts +85 -0
package/dist/auth-logto.d.ts.map +1 -0
package/dist/auth-logto.js +159 -0
package/dist/auth-logto.js.map +1 -0
package/package.json +44 -0

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 Alex Gefter / 200apps Ltd.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,71 @@
+# @nwire/auth-logto
+> IdP adapter for [Logto](https://logto.io) — hosted OIDC provider with JWKS verification.
+## What it does
+Verifies Logto-issued JWTs against JWKS (issuer + audience checks), maps claims to the `User` type (id, email, name, roles, scopes), and handles refresh + sign-out via Logto's OIDC endpoints. `signIn` intentionally throws — Logto owns the password/social/MFA flows via its hosted UI; apps redirect users there.
+## Install
+```bash
+pnpm add @nwire/auth-logto @nwire/auth jose
+```
+## Quick start
+```ts
+import { logtoAdapter } from "@nwire/auth-logto";
+import { identityPlugin } from "@nwire/auth";
+import { defineApp } from "@nwire/forge";
+defineApp("my-app", {
+  plugins: [
+    identityPlugin({
+      adapter: logtoAdapter({
+        endpoint: process.env.LOGTO_ENDPOINT!, // https://my-org.logto.app
+        audience: process.env.LOGTO_AUDIENCE!, // https://api.my-app.com
+        clientId: process.env.LOGTO_CLIENT_ID,
+        clientSecret: process.env.LOGTO_SECRET,
+        fetchUserInfo: true,
+      }),
+    }),
+  ],
+});
+```
+## API surface
+- `logtoAdapter({ endpoint, audience, clientId?, clientSecret?, fetchUserInfo? })` — produces an `IdpAdapter`.
+## When to use
+When you want a managed IdP and don't want to own user storage / MFA / passkeys. Fits L3 and up.
+## Standalone use
+For developers using `@nwire/auth-logto` **without the rest of Nwire** — pair it with any TypeScript project, any container, any HTTP framework.
+```ts
+// See the package's main entry (src/) for the standalone surface.
+// The exports below work without @nwire/app or @nwire/forge.
+import {} from /* ...standalone exports... */ "@nwire/auth-logto";
+```
+## Within nwire-app
+For developers using this package as part of the Nwire stack — register it via `app.use(...)` or it auto-wires when you compose `createApp({ modules })`.
+```ts
+import { createApp } from "@nwire/forge";
+const app = createApp({
+  /* ...config... */
+});
+// Adapter/plugin wiring happens here when applicable.
+```
+## See also
+- [Architecture sketch §05 — Adapters tier](../../architecture-sketch.html#packages)
+- Sibling packages: [@nwire/auth](../nwire-auth), [@nwire/auth-better-auth](../nwire-auth-better-auth), [@nwire/rbac](../nwire-rbac)

package/dist/__tests__/auth-logto.test.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * Logto adapter — unit tests against locally-minted JWTs.
+ *
+ * We don't need a real Logto running for these. We do need:
+ *   - a private/public keypair we generate at test setup
+ *   - a fake `fetch` that:
+ *       a) serves the JWKS at GET <endpoint>/oidc/jwks
+ *       b) serves the userinfo at GET <endpoint>/oidc/me
+ *       c) handles the refresh + signOut POSTs
+ *
+ * That covers every path in the adapter without booting a container. The
+ * real-Logto e2e (gated behind LOGTO_E2E=1) runs against the docker-compose
+ * Logto in Phase 62.3.3.
+ */
+export {};
+//# sourceMappingURL=auth-logto.test.d.ts.map

package/dist/__tests__/auth-logto.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"auth-logto.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/auth-logto.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG"}

package/dist/__tests__/auth-logto.test.js ADDED Viewed

@@ -0,0 +1,233 @@
+/**
+ * Logto adapter — unit tests against locally-minted JWTs.
+ *
+ * We don't need a real Logto running for these. We do need:
+ *   - a private/public keypair we generate at test setup
+ *   - a fake `fetch` that:
+ *       a) serves the JWKS at GET <endpoint>/oidc/jwks
+ *       b) serves the userinfo at GET <endpoint>/oidc/me
+ *       c) handles the refresh + signOut POSTs
+ *
+ * That covers every path in the adapter without booting a container. The
+ * real-Logto e2e (gated behind LOGTO_E2E=1) runs against the docker-compose
+ * Logto in Phase 62.3.3.
+ */
+import { describe, it, expect, beforeAll } from "vitest";
+import { exportJWK, generateKeyPair, SignJWT } from "jose";
+import { logtoAdapter } from "../auth-logto.js";
+const ENDPOINT = "https://test-logto.example.com";
+const AUDIENCE = "https://api.test.example.com";
+const ISSUER = `${ENDPOINT}/oidc`;
+const KID = "test-kid-1";
+// jose returns CryptoKey-like objects; we don't need the DOM lib for the
+// test, so type them as `unknown` and let jose handle them internally.
+let privateKey;
+let publicJwk;
+beforeAll(async () => {
+    const kp = await generateKeyPair("ES256");
+    privateKey = kp.privateKey;
+    publicJwk = { ...(await exportJWK(kp.publicKey)), kid: KID, alg: "ES256", use: "sig" };
+});
+async function mintToken(input) {
+    return new SignJWT({
+        scope: input.scope,
+        roles: input.roles,
+    })
+        .setProtectedHeader({ alg: "ES256", kid: KID })
+        .setSubject(input.sub)
+        .setIssuer(input.issuer ?? ISSUER)
+        .setAudience(input.aud ?? AUDIENCE)
+        .setIssuedAt()
+        .setExpirationTime(input.expiresIn ?? "5m")
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        .sign(privateKey);
+}
+function fakeFetch(overrides = {}) {
+    return (async (input, init) => {
+        const url = typeof input === "string"
+            ? input
+            : input instanceof URL
+                ? input.toString()
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                : input?.url;
+        if (overrides[url])
+            return overrides[url]();
+        // Default: serve JWKS.
+        if (url.endsWith("/oidc/jwks")) {
+            return new Response(JSON.stringify({ keys: [publicJwk] }), {
+                status: 200,
+                headers: { "content-type": "application/json" },
+            });
+        }
+        // Default: userinfo.
+        if (url.endsWith("/oidc/me")) {
+            const auth = init?.headers && init.headers["Authorization"];
+            if (!auth?.startsWith("Bearer ")) {
+                return new Response("Unauthorized", { status: 401 });
+            }
+            return new Response(JSON.stringify({
+                sub: "user_42",
+                email: "alex@example.com",
+                name: "Alex",
+            }), { status: 200, headers: { "content-type": "application/json" } });
+        }
+        // Default: refresh
+        if (url.endsWith("/oidc/token")) {
+            return new Response(JSON.stringify({
+                access_token: "new-access-token",
+                refresh_token: "new-refresh-token",
+                expires_in: 3600,
+                token_type: "Bearer",
+            }), { status: 200, headers: { "content-type": "application/json" } });
+        }
+        // Default: session/end
+        if (url.endsWith("/oidc/session/end")) {
+            return new Response(null, { status: 204 });
+        }
+        return new Response("Not Found", { status: 404 });
+    });
+}
+describe("logtoAdapter — verifyToken", () => {
+    it("returns User for a valid token (no userinfo fetch)", async () => {
+        const adapter = logtoAdapter({
+            endpoint: ENDPOINT,
+            audience: AUDIENCE,
+            jwks: { keys: [publicJwk] },
+            fetch: fakeFetch(),
+        });
+        const token = await mintToken({
+            sub: "user_42",
+            scope: "read:posts write:posts",
+            roles: ["editor"],
+        });
+        const user = await adapter.verifyToken(token);
+        expect(user?.id).toBe("user_42");
+        expect(user?.scopes).toEqual(["read:posts", "write:posts"]);
+        expect(user?.roles).toEqual(["editor"]);
+        expect(user?.email).toBeUndefined();
+    });
+    it("enriches with /oidc/me when fetchUserInfo is true", async () => {
+        const adapter = logtoAdapter({
+            endpoint: ENDPOINT,
+            audience: AUDIENCE,
+            fetchUserInfo: true,
+            jwks: { keys: [publicJwk] },
+            fetch: fakeFetch(),
+        });
+        const token = await mintToken({ sub: "user_42", scope: "openid" });
+        const user = await adapter.verifyToken(token);
+        expect(user?.email).toBe("alex@example.com");
+        expect(user?.name).toBe("Alex");
+    });
+    it("returns null for a wrong-audience token", async () => {
+        const adapter = logtoAdapter({
+            endpoint: ENDPOINT,
+            audience: AUDIENCE,
+            jwks: { keys: [publicJwk] },
+            fetch: fakeFetch(),
+        });
+        const token = await mintToken({ sub: "user_42", aud: "https://different.audience" });
+        expect(await adapter.verifyToken(token)).toBeNull();
+    });
+    it("returns null for an expired token", async () => {
+        const adapter = logtoAdapter({
+            endpoint: ENDPOINT,
+            audience: AUDIENCE,
+            clockTolerance: 0,
+            jwks: { keys: [publicJwk] },
+            fetch: fakeFetch(),
+        });
+        const token = await mintToken({ sub: "user_42", expiresIn: "-1s" });
+        expect(await adapter.verifyToken(token)).toBeNull();
+    });
+    it("returns null for a wrong-issuer token", async () => {
+        const adapter = logtoAdapter({
+            endpoint: ENDPOINT,
+            audience: AUDIENCE,
+            jwks: { keys: [publicJwk] },
+            fetch: fakeFetch(),
+        });
+        const token = await mintToken({
+            sub: "user_42",
+            issuer: "https://attacker.example.com/oidc",
+        });
+        expect(await adapter.verifyToken(token)).toBeNull();
+    });
+    it("returns null for a garbage token", async () => {
+        const adapter = logtoAdapter({
+            endpoint: ENDPOINT,
+            audience: AUDIENCE,
+            jwks: { keys: [publicJwk] },
+            fetch: fakeFetch(),
+        });
+        expect(await adapter.verifyToken("not.a.jwt")).toBeNull();
+    });
+    it("falls back to base user when /oidc/me errors (non-fatal)", async () => {
+        const adapter = logtoAdapter({
+            endpoint: ENDPOINT,
+            audience: AUDIENCE,
+            fetchUserInfo: true,
+            jwks: { keys: [publicJwk] },
+            fetch: fakeFetch({
+                [`${ENDPOINT}/oidc/me`]: () => new Response("boom", { status: 500 }),
+            }),
+        });
+        const token = await mintToken({ sub: "user_42", scope: "read:posts" });
+        const user = await adapter.verifyToken(token);
+        expect(user?.id).toBe("user_42");
+        expect(user?.scopes).toEqual(["read:posts"]);
+        expect(user?.email).toBeUndefined();
+    });
+});
+describe("logtoAdapter — refresh", () => {
+    it("posts to /oidc/token + returns new tokens", async () => {
+        const adapter = logtoAdapter({
+            endpoint: ENDPOINT,
+            audience: AUDIENCE,
+            clientId: "test-client",
+            fetch: fakeFetch(),
+        });
+        const tokens = await adapter.refresh("old-refresh");
+        expect(tokens.accessToken).toBe("new-access-token");
+        expect(tokens.refreshToken).toBe("new-refresh-token");
+        expect(tokens.tokenType).toBe("Bearer");
+    });
+    it("throws when clientId is missing", async () => {
+        const adapter = logtoAdapter({
+            endpoint: ENDPOINT,
+            audience: AUDIENCE,
+            jwks: { keys: [publicJwk] },
+            fetch: fakeFetch(),
+        });
+        await expect(adapter.refresh("x")).rejects.toThrow(/clientId/);
+    });
+});
+describe("logtoAdapter — signOut", () => {
+    it("posts to /oidc/session/end", async () => {
+        let called = false;
+        const adapter = logtoAdapter({
+            endpoint: ENDPOINT,
+            audience: AUDIENCE,
+            fetch: fakeFetch({
+                [`${ENDPOINT}/oidc/session/end`]: () => {
+                    called = true;
+                    return new Response(null, { status: 204 });
+                },
+            }),
+        });
+        await adapter.signOut("some-id-token");
+        expect(called).toBe(true);
+    });
+});
+describe("logtoAdapter — signIn intentionally rejects", () => {
+    it("throws because Logto uses OIDC redirect flow", async () => {
+        const adapter = logtoAdapter({
+            endpoint: ENDPOINT,
+            audience: AUDIENCE,
+            jwks: { keys: [publicJwk] },
+            fetch: fakeFetch(),
+        });
+        await expect(adapter.signIn({ email: "a@x", password: "x" })).rejects.toThrow(/redirect flow/i);
+    });
+});
+//# sourceMappingURL=auth-logto.test.js.map

package/dist/__tests__/auth-logto.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-logto.test.js","sourceRoot":"","sources":["../../src/__tests__/auth-logto.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,OAAO,EAAY,MAAM,MAAM,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,MAAM,QAAQ,GAAG,gCAAgC,CAAC;AAClD,MAAM,QAAQ,GAAG,8BAA8B,CAAC;AAChD,MAAM,MAAM,GAAK,GAAG,QAAQ,OAAO,CAAC;AACpC,MAAM,GAAG,GAAQ,YAAY,CAAC;AAE9B,yEAAyE;AACzE,uEAAuE;AACvE,IAAI,UAAmB,CAAC;AACxB,IAAI,SAAe,CAAC;AAEpB,SAAS,CAAC,KAAK,IAAI,EAAE;IACnB,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,UAAU,GAAG,EAAE,CAAC,UAAU,CAAC;IAC3B,SAAS,GAAI,EAAE,GAAG,CAAC,MAAM,SAAS,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;AAC1F,CAAC,CAAC,CAAC;AAWH,KAAK,UAAU,SAAS,CAAC,KAAgB;IACvC,OAAO,IAAI,OAAO,CAAC;QACjB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,KAAK,EAAE,KAAK,CAAC,KAAK;KACnB,CAAC;SACC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;SAC9C,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC;SACrB,SAAS,CAAC,KAAK,CAAC,MAAM,IAAI,MAAM,CAAC;SACjC,WAAW,CAAC,KAAK,CAAC,GAAG,IAAI,QAAQ,CAAC;SAClC,WAAW,EAAE;SACb,iBAAiB,CAAC,KAAK,CAAC,SAAS,IAAI,IAAI,CAAC;QAC3C,8DAA8D;SAC7D,IAAI,CAAC,UAAiB,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,SAAS,CAAC,YAA4C,EAAE;IAC/D,OAAO,CAAC,KAAK,EAAE,KAAc,EAAE,IAAkB,EAAqB,EAAE;QACtE,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ;YACnC,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,KAAK,YAAY,GAAG;gBACpB,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE;gBAClB,8DAA8D;gBAC9D,CAAC,CAAG,KAAa,EAAE,GAAc,CAAC;QACtC,IAAI,SAAS,CAAC,GAAG,CAAC;YAAE,OAAO,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;QAE5C,uBAAuB;QACvB,IAAI,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE;gBACzD,MAAM,EAAG,GAAG;gBACZ,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;aAChD,CAAC,CAAC;QACL,CAAC;QACD,qBAAqB;QACrB,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,IAAI,EAAE,OAAO,IAAK,IAAI,CAAC,OAAkC,CAAC,eAAe,CAAC,CAAC;YACxF,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,OAAO,IAAI,QAAQ,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACvD,CAAC;YACD,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;gBACjC,GAAG,EAAI,SAAS;gBAChB,KAAK,EAAE,kBAAkB;gBACzB,IAAI,EAAG,MAAM;aACd,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;QACxE,CAAC;QACD,mBAAmB;QACnB,IAAI,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YAChC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;gBACjC,YAAY,EAAG,kBAAkB;gBACjC,aAAa,EAAE,mBAAmB;gBAClC,UAAU,EAAK,IAAI;gBACnB,UAAU,EAAK,QAAQ;aACxB,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;QACxE,CAAC;QACD,uBAAuB;QACvB,IAAI,GAAG,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACtC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7C,CAAC;QACD,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACpD,CAAC,CAAiB,CAAC;AACrB,CAAC;AAED,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,QAAQ;YAClB,IAAI,EAAM,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;YAC/B,KAAK,EAAK,SAAS,EAAE;SACtB,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC;YAC5B,GAAG,EAAI,SAAS;YAChB,KAAK,EAAE,wBAAwB;YAC/B,KAAK,EAAE,CAAC,QAAQ,CAAC;SAClB,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC,CAAC;QAC5D,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,aAAa,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,QAAQ,EAAO,QAAQ;YACvB,QAAQ,EAAO,QAAQ;YACvB,aAAa,EAAE,IAAI;YACnB,IAAI,EAAW,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;YACpC,KAAK,EAAU,SAAS,EAAE;SAC3B,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QACnE,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAC7C,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,QAAQ;YAClB,IAAI,EAAM,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;YAC/B,KAAK,EAAK,SAAS,EAAE;SACtB,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,EAAE,4BAA4B,EAAE,CAAC,CAAC;QACrF,MAAM,CAAC,MAAM,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,QAAQ,EAAQ,QAAQ;YACxB,QAAQ,EAAQ,QAAQ;YACxB,cAAc,EAAE,CAAC;YACjB,IAAI,EAAY,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;YACrC,KAAK,EAAW,SAAS,EAAE;SAC5B,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;QACpE,MAAM,CAAC,MAAM,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,QAAQ;YAClB,IAAI,EAAM,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;YAC/B,KAAK,EAAK,SAAS,EAAE;SACtB,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC;YAC5B,GAAG,EAAK,SAAS;YACjB,MAAM,EAAE,mCAAmC;SAC5C,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;QAChD,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,QAAQ;YAClB,IAAI,EAAM,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;YAC/B,KAAK,EAAK,SAAS,EAAE;SACtB,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,OAAO,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,QAAQ,EAAO,QAAQ;YACvB,QAAQ,EAAO,QAAQ;YACvB,aAAa,EAAE,IAAI;YACnB,IAAI,EAAW,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;YACpC,KAAK,EAAE,SAAS,CAAC;gBACf,CAAC,GAAG,QAAQ,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC,IAAI,QAAQ,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;aACrE,CAAC;SACH,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;QACvE,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;QAC7C,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,aAAa,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,aAAa;YACvB,KAAK,EAAK,SAAS,EAAE;SACtB,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,OAAQ,CAAC,aAAa,CAAC,CAAC;QACrD,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACpD,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QACtD,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,QAAQ;YAClB,IAAI,EAAM,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;YAC/B,KAAK,EAAK,SAAS,EAAE;SACtB,CAAC,CAAC;QACH,MAAM,MAAM,CAAC,OAAO,CAAC,OAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;QAC1C,IAAI,MAAM,GAAG,KAAK,CAAC;QACnB,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,SAAS,CAAC;gBACf,CAAC,GAAG,QAAQ,mBAAmB,CAAC,EAAE,GAAG,EAAE;oBACrC,MAAM,GAAG,IAAI,CAAC;oBACd,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC7C,CAAC;aACF,CAAC;SACH,CAAC,CAAC;QACH,MAAM,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,6CAA6C,EAAE,GAAG,EAAE;IAC3D,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,QAAQ;YAClB,IAAI,EAAM,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;YAC/B,KAAK,EAAK,SAAS,EAAE;SACtB,CAAC,CAAC;QACH,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAClG,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/auth-logto.d.ts ADDED Viewed

@@ -0,0 +1,85 @@
+/**
+ * `@nwire/auth-logto` — IdP adapter for Logto.
+ *
+ *   import { logtoAdapter }   from "@nwire/auth-logto";
+ *   import { identityPlugin } from "@nwire/auth";
+ *
+ *   defineApp("my-app", {
+ *     plugins: [
+ *       identityPlugin({
+ *         adapter: logtoAdapter({
+ *           endpoint: process.env.LOGTO_ENDPOINT!,    // https://my-org.logto.app
+ *           audience: process.env.LOGTO_AUDIENCE!,    // https://api.my-app.com
+ *           clientId: process.env.LOGTO_CLIENT_ID,    // for refresh + logout
+ *           clientSecret: process.env.LOGTO_SECRET,
+ *           fetchUserInfo: true,                       // call /oidc/me to enrich
+ *         }),
+ *       }),
+ *     ],
+ *   });
+ *
+ * What it does:
+ *   - `verifyToken(jwt)` — verifies signature against Logto's JWKS,
+ *     checks issuer + audience, maps claims to User (id, email, name,
+ *     roles, scopes).
+ *   - `signOut(token)` — POSTs to Logto's session-end endpoint.
+ *   - `refresh(refreshToken)` — POSTs to Logto's `/oidc/token` with the
+ *     `refresh_token` grant; returns the new access token bundle.
+ *   - `signIn` intentionally throws — Logto is an OIDC IdP that owns
+ *     password / social / MFA flows via its hosted UI. Apps redirect
+ *     users there, not through this adapter. (The OIDC redirect-flow
+ *     resolvers — startSignIn / completeSignIn — are a future addition.)
+ *
+ * Why glue: we do JWT verification + userinfo with `jose`, the standard
+ * Node JWT library. No big SDK. The adapter is ~150 lines because Logto
+ * itself owns 99% of the complexity (user database, password hashing,
+ * social providers, MFA, role management, audit log, admin console).
+ */
+import { type JSONWebKeySet } from "jose";
+import type { IdpAdapter } from "@nwire/auth";
+export interface LogtoAdapterOptions {
+    /** Logto endpoint — `https://your-tenant.logto.app` or your self-hosted URL. */
+    readonly endpoint: string;
+    /**
+     * API resource indicator — the same string you used when registering
+     * the API resource in Logto's admin console. Logto issues tokens with
+     * `aud: audience`; we enforce that on verification. Omit only if you
+     * accept tokens issued for the management API.
+     */
+    readonly audience?: string;
+    /**
+     * Application client id — required for the `refresh_token` grant + the
+     * `end_session` endpoint. Get it from Logto's admin console.
+     */
+    readonly clientId?: string;
+    /** Application client secret — needed by confidential clients. */
+    readonly clientSecret?: string;
+    /**
+     * If true, the adapter calls Logto's `/oidc/me` endpoint after verifying
+     * a token and merges the userinfo into the User (email, name, picture,
+     * custom fields). Costs one extra HTTP request per `verifyToken` call;
+     * disable if your JWT claims already carry everything you need.
+     */
+    readonly fetchUserInfo?: boolean;
+    /** Optional clock skew tolerance for `exp`/`nbf` in seconds. Default 30. */
+    readonly clockTolerance?: number;
+    /**
+     * Inject a fetch impl for tests + the `signOut` / `refresh` / userinfo
+     * calls. The remote JWKS fetch uses this when supplied, but jose's
+     * `createRemoteJWKSet` doesn't accept a fetch override — so for the
+     * JWKS path, prefer the `jwks` option below.
+     */
+    readonly fetch?: typeof fetch;
+    /**
+     * Pass a pre-fetched `JSONWebKeySet` to skip the remote fetch entirely.
+     * Used in tests + in production setups that mirror Logto's JWKS into
+     * memory/Redis on a refresh schedule.
+     */
+    readonly jwks?: JSONWebKeySet;
+}
+/**
+ * Build a Logto IdP adapter. Constructs the JWKS reference lazily (no
+ * HTTP call at boot — the first `verifyToken` lazy-loads keys).
+ */
+export declare function logtoAdapter(options: LogtoAdapterOptions): IdpAdapter;
+//# sourceMappingURL=auth-logto.d.ts.map

package/dist/auth-logto.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-logto.d.ts","sourceRoot":"","sources":["../src/auth-logto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAEH,OAAO,EAIL,KAAK,aAAa,EAGnB,MAAM,MAAM,CAAC;AACd,OAAO,KAAK,EAAc,UAAU,EAAqB,MAAM,aAAa,CAAC;AAE7E,MAAM,WAAW,mBAAmB;IAClC,gFAAgF;IAChF,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B;;;;;OAKG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,kEAAkE;IAClE,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;;OAKG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;IACjC,4EAA4E;IAC5E,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC;;;;;OAKG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IAC9B;;;;OAIG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC;CAC/B;AAaD;;;GAGG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,mBAAmB,GAAG,UAAU,CAiIrE"}

package/dist/auth-logto.js ADDED Viewed

@@ -0,0 +1,159 @@
+/**
+ * `@nwire/auth-logto` — IdP adapter for Logto.
+ *
+ *   import { logtoAdapter }   from "@nwire/auth-logto";
+ *   import { identityPlugin } from "@nwire/auth";
+ *
+ *   defineApp("my-app", {
+ *     plugins: [
+ *       identityPlugin({
+ *         adapter: logtoAdapter({
+ *           endpoint: process.env.LOGTO_ENDPOINT!,    // https://my-org.logto.app
+ *           audience: process.env.LOGTO_AUDIENCE!,    // https://api.my-app.com
+ *           clientId: process.env.LOGTO_CLIENT_ID,    // for refresh + logout
+ *           clientSecret: process.env.LOGTO_SECRET,
+ *           fetchUserInfo: true,                       // call /oidc/me to enrich
+ *         }),
+ *       }),
+ *     ],
+ *   });
+ *
+ * What it does:
+ *   - `verifyToken(jwt)` — verifies signature against Logto's JWKS,
+ *     checks issuer + audience, maps claims to User (id, email, name,
+ *     roles, scopes).
+ *   - `signOut(token)` — POSTs to Logto's session-end endpoint.
+ *   - `refresh(refreshToken)` — POSTs to Logto's `/oidc/token` with the
+ *     `refresh_token` grant; returns the new access token bundle.
+ *   - `signIn` intentionally throws — Logto is an OIDC IdP that owns
+ *     password / social / MFA flows via its hosted UI. Apps redirect
+ *     users there, not through this adapter. (The OIDC redirect-flow
+ *     resolvers — startSignIn / completeSignIn — are a future addition.)
+ *
+ * Why glue: we do JWT verification + userinfo with `jose`, the standard
+ * Node JWT library. No big SDK. The adapter is ~150 lines because Logto
+ * itself owns 99% of the complexity (user database, password hashing,
+ * social providers, MFA, role management, audit log, admin console).
+ */
+import { createLocalJWKSet, createRemoteJWKSet, jwtVerify, } from "jose";
+/**
+ * Build a Logto IdP adapter. Constructs the JWKS reference lazily (no
+ * HTTP call at boot — the first `verifyToken` lazy-loads keys).
+ */
+export function logtoAdapter(options) {
+    const endpoint = options.endpoint.replace(/\/$/, "");
+    const fetchImpl = options.fetch ?? globalThis.fetch.bind(globalThis);
+    const issuer = `${endpoint}/oidc`;
+    const jwks = options.jwks
+        ? createLocalJWKSet(options.jwks)
+        : createRemoteJWKSet(new URL(`${endpoint}/oidc/jwks`));
+    const verifyOpts = {
+        issuer,
+        audience: options.audience,
+        clockTolerance: options.clockTolerance ?? 30,
+    };
+    async function payloadToUser(payload) {
+        const sub = String(payload.sub ?? "");
+        if (!sub)
+            throw new Error("Logto JWT has no `sub` claim");
+        const scopes = typeof payload.scope === "string"
+            ? payload.scope.split(/\s+/).filter(Boolean)
+            : Array.isArray(payload.scope) ? payload.scope : [];
+        const claimRoles = payload.roles;
+        const roles = Array.isArray(claimRoles)
+            ? claimRoles
+            : [];
+        let user = {
+            id: sub,
+            roles,
+            scopes,
+        };
+        if (options.fetchUserInfo && payload.iss) {
+            // /oidc/me must be called with the same access token in Authorization.
+            // We don't have the raw JWT here — verifyToken passes it via closure.
+            // See verifyToken below for the wiring.
+        }
+        return user;
+    }
+    return {
+        async verifyToken(token) {
+            try {
+                const { payload } = await jwtVerify(token, jwks, verifyOpts);
+                const base = await payloadToUser(payload);
+                if (!options.fetchUserInfo)
+                    return base;
+                // Enrich with userinfo. Failures are logged but non-fatal — the
+                // token verified successfully, so the user identity is established
+                // even if the userinfo fetch hiccups.
+                try {
+                    const res = await fetchImpl(`${endpoint}/oidc/me`, {
+                        headers: { Authorization: `Bearer ${token}` },
+                    });
+                    if (!res.ok)
+                        return base;
+                    const info = (await res.json());
+                    return {
+                        ...base,
+                        email: info.email,
+                        name: info.name ?? info.username,
+                        roles: info.roles ?? base.roles,
+                    };
+                }
+                catch {
+                    return base;
+                }
+            }
+            catch {
+                // Bad signature, expired, wrong audience, malformed — all "no user".
+                return null;
+            }
+        },
+        async signIn(_input) {
+            throw new Error("@nwire/auth-logto: signIn() is not supported — Logto uses the OIDC " +
+                "redirect flow (hosted sign-in UI). Mount a redirect endpoint that " +
+                "sends users to Logto's authorize URL; verify the access token they " +
+                "return with via verifyToken().");
+        },
+        async signOut(token) {
+            // Logto's RFC 8414 logout endpoint accepts an `id_token_hint` to end
+            // the session. If callers pass a refresh token instead, we revoke it.
+            const res = await fetchImpl(`${endpoint}/oidc/session/end`, {
+                method: "POST",
+                headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                body: new URLSearchParams({ id_token_hint: token }).toString(),
+            });
+            if (!res.ok && res.status !== 302) {
+                throw new Error(`Logto signOut failed: ${res.status} ${res.statusText}`);
+            }
+        },
+        async refresh(refreshToken) {
+            if (!options.clientId) {
+                throw new Error("@nwire/auth-logto: refresh() requires `clientId`");
+            }
+            const body = new URLSearchParams({
+                grant_type: "refresh_token",
+                refresh_token: refreshToken,
+                client_id: options.clientId,
+            });
+            if (options.clientSecret)
+                body.set("client_secret", options.clientSecret);
+            const res = await fetchImpl(`${endpoint}/oidc/token`, {
+                method: "POST",
+                headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                body: body.toString(),
+            });
+            if (!res.ok) {
+                throw new Error(`Logto refresh failed: ${res.status} ${res.statusText}`);
+            }
+            const data = (await res.json());
+            return {
+                accessToken: data.access_token,
+                refreshToken: data.refresh_token,
+                idToken: data.id_token,
+                expiresAt: data.expires_in ? Date.now() + data.expires_in * 1000 : undefined,
+                tokenType: "Bearer",
+            };
+        },
+    };
+}
+//# sourceMappingURL=auth-logto.js.map

package/dist/auth-logto.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-logto.js","sourceRoot":"","sources":["../src/auth-logto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAEH,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,SAAS,GAIV,MAAM,MAAM,CAAC;AAuDd;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,OAA4B;IACvD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACrE,MAAM,MAAM,GAAG,GAAG,QAAQ,OAAO,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI;QACvB,CAAC,CAAC,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC;QACjC,CAAC,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,GAAG,QAAQ,YAAY,CAAC,CAAC,CAAC;IAEzD,MAAM,UAAU,GAAqB;QACnC,MAAM;QACN,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,EAAE;KAC7C,CAAC;IAEF,KAAK,UAAU,aAAa,CAAC,OAAmB;QAC9C,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC;QACtC,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAE1D,MAAM,MAAM,GAAsB,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;YACjE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;YAC5C,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAE,OAAO,CAAC,KAAkB,CAAC,CAAC,CAAC,EAAE,CAAC;QACpE,MAAM,UAAU,GAAG,OAAO,CAAC,KAAgB,CAAC;QAC5C,MAAM,KAAK,GAAsB,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC;YACxD,CAAC,CAAE,UAAuB;YAC1B,CAAC,CAAC,EAAE,CAAC;QAEP,IAAI,IAAI,GAAS;YACf,EAAE,EAAE,GAAG;YACP,KAAK;YACL,MAAM;SACP,CAAC;QAEF,IAAI,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YACzC,uEAAuE;YACvE,sEAAsE;YACtE,wCAAwC;QAC1C,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO;QACL,KAAK,CAAC,WAAW,CAAC,KAAa;YAC7B,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;gBAC7D,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;gBAE1C,IAAI,CAAC,OAAO,CAAC,aAAa;oBAAE,OAAO,IAAI,CAAC;gBAExC,gEAAgE;gBAChE,mEAAmE;gBACnE,sCAAsC;gBACtC,IAAI,CAAC;oBACH,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ,UAAU,EAAE;wBACjD,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;qBAC9C,CAAC,CAAC;oBACH,IAAI,CAAC,GAAG,CAAC,EAAE;wBAAE,OAAO,IAAI,CAAC;oBACzB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAC;oBACjD,OAAO;wBACL,GAAG,IAAI;wBACP,KAAK,EAAE,IAAI,CAAC,KAAK;wBACjB,IAAI,EAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,QAAQ;wBACjC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK;qBAChC,CAAC;gBACJ,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,qEAAqE;gBACrE,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,MAAmB;YAC9B,MAAM,IAAI,KAAK,CACb,qEAAqE;gBACrE,oEAAoE;gBACpE,qEAAqE;gBACrE,gCAAgC,CACjC,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,KAAa;YACzB,qEAAqE;YACrE,sEAAsE;YACtE,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ,mBAAmB,EAAE;gBAC1D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC,QAAQ,EAAE;aAC/D,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAClC,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,YAAoB;YAChC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;YACtE,CAAC;YACD,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;gBAC/B,UAAU,EAAK,eAAe;gBAC9B,aAAa,EAAE,YAAY;gBAC3B,SAAS,EAAM,OAAO,CAAC,QAAQ;aAChC,CAAC,CAAC;YACH,IAAI,OAAO,CAAC,YAAY;gBAAE,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;YAE1E,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ,aAAa,EAAE;gBACpD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAK,IAAI,CAAC,QAAQ,EAAE;aACzB,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;YAC3E,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAM7B,CAAC;YACF,OAAO;gBACL,WAAW,EAAG,IAAI,CAAC,YAAY;gBAC/B,YAAY,EAAE,IAAI,CAAC,aAAa;gBAChC,OAAO,EAAO,IAAI,CAAC,QAAQ;gBAC3B,SAAS,EAAK,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;gBAC/E,SAAS,EAAK,QAAQ;aACvB,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/package.json ADDED Viewed

@@ -0,0 +1,44 @@
+{
+  "name": "@nwire/auth-logto",
+  "version": "0.7.0",
+  "description": "Nwire — Logto auth adapter. Verifies Logto-issued JWTs via JWKS; maps Logto claims (sub, email, roles, scope) to the canonical User; runs sign-out + refresh via Logto's OIDC endpoints. Sign-in is the hosted UI redirect flow; this adapter does not implement password grant.",
+  "keywords": [
+    "adapter",
+    "auth",
+    "idp",
+    "jwt",
+    "logto",
+    "nwire",
+    "oidc"
+  ],
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "type": "module",
+  "main": "./dist/auth-logto.js",
+  "types": "./dist/auth-logto.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/auth-logto.js",
+      "types": "./dist/auth-logto.d.ts"
+    }
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "jose": "^6.2.3",
+    "@nwire/auth": "0.7.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.19.9",
+    "typescript": "^5.9.3",
+    "vitest": "^4.1.6"
+  },
+  "scripts": {
+    "build": "tsc && node ../../scripts/fix-dist-extensions.mjs dist",
+    "dev": "tsc --watch",
+    "typecheck": "tsc --noEmit"
+  }
+}