npm - @nya-account/node-sdk - Versions diffs - 2.0.0 → 2.0.2 - Mend

@nya-account/node-sdk 2.0.0 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +187 -172
package/dist/{express-yO7hxKKd.d.ts → express-Bn8IUnft.d.ts} +10 -4
package/dist/express-Bn8IUnft.d.ts.map +1 -0
package/dist/express.d.ts +1 -1
package/dist/index.d.ts +60 -45
package/dist/index.d.ts.map +1 -1
package/dist/index.js +103 -153
package/dist/index.js.map +1 -1
package/package.json +2 -2
package/dist/express-yO7hxKKd.d.ts.map +0 -1

package/dist/index.js CHANGED Viewed

@@ -5,6 +5,7 @@ import { z } from "zod";
 import { createRemoteJWKSet, errors, jwtVerify } from "jose";
 //#region src/core/schemas.ts
+const TokenTypeHintSchema = z.enum(["access_token", "refresh_token"]);
 const TokenResponseSchema = z.object({
 	access_token: z.string(),
 	token_type: z.string(),
@@ -28,12 +29,14 @@ const IntrospectionResponseSchema = z.object({
 	sub: z.string().optional(),
 	aud: z.string().optional(),
 	iss: z.string().optional(),
-	jti: z.string().optional()
+	jti: z.string().optional(),
+	sid: z.string().optional(),
+	sv: z.number().optional()
 });
 const UserInfoSchema = z.object({
 	sub: z.string(),
 	name: z.string().optional(),
-	preferred_username: z.string().optional(),
+	picture: z.string().optional(),
 	email: z.string().optional(),
 	email_verified: z.boolean().optional(),
 	updated_at: z.number().optional()
@@ -60,12 +63,18 @@ const DiscoveryDocumentSchema = z.object({
 	request_parameter_supported: z.boolean().optional(),
 	request_uri_parameter_supported: z.boolean().optional()
 });
+const PushedAuthorizationResponseSchema = z.object({
+	request_uri: z.string().min(1),
+	expires_in: z.number().int().positive()
+});
 const AccessTokenPayloadSchema = z.object({
 	iss: z.string(),
 	sub: z.string(),
 	aud: z.string(),
 	scope: z.string(),
 	ver: z.string(),
+	sid: z.string(),
+	sv: z.number().int().nonnegative(),
 	iat: z.number(),
 	exp: z.number(),
 	jti: z.string(),
@@ -75,11 +84,11 @@ const IdTokenPayloadSchema = z.object({
 	iss: z.string(),
 	sub: z.string(),
 	aud: z.string(),
+	sid: z.string().optional(),
 	iat: z.number(),
 	exp: z.number(),
 	nonce: z.string().optional(),
 	name: z.string().optional(),
-	preferred_username: z.string().optional(),
 	email: z.string().optional(),
 	email_verified: z.boolean().optional(),
 	updated_at: z.number().optional()
@@ -235,6 +244,7 @@ var JwtVerifier = class {
 //#region src/client.ts
 const DISCOVERY_ENDPOINT_MAP = {
 	authorization: "authorizationEndpoint",
+	pushedAuthorizationRequest: "pushedAuthorizationRequestEndpoint",
 	token: "tokenEndpoint",
 	userinfo: "userinfoEndpoint",
 	revocation: "revocationEndpoint",
@@ -242,79 +252,10 @@ const DISCOVERY_ENDPOINT_MAP = {
 	jwks: "jwksUri",
 	endSession: "endSessionEndpoint"
 };
+/** Default issuer URL */
+const DEFAULT_ISSUER = "https://account-api.edge.lolinya.net";
 /** Default discovery cache TTL: 1 hour */
 const DEFAULT_DISCOVERY_CACHE_TTL = 36e5;
-/**
-* Nya Account Node.js SDK client.
-*
-* Provides full OAuth 2.1 / OIDC flow support:
-* - Authorization Code + PKCE
-* - Token exchange / refresh / revocation / introspection
-* - Local JWT verification (via JWKS)
-* - OIDC UserInfo
-* - OIDC Discovery auto-discovery
-* - Express middleware (Bearer Token auth + scope validation)
-*
-* @example
-* ```typescript
-* const client = new NyaAccountClient({
-*     issuer: 'https://account.example.com',
-*     clientId: 'my-app',
-*     clientSecret: 'my-secret',
-* })
-*
-* // Create authorization URL (with PKCE)
-* const { url, codeVerifier, state } = await client.createAuthorizationUrl({
-*     redirectUri: 'https://myapp.com/callback',
-*     scope: 'openid profile email',
-* })
-*
-* // Exchange code for tokens
-* const tokens = await client.exchangeCode({
-*     code: callbackCode,
-*     redirectUri: 'https://myapp.com/callback',
-*     codeVerifier,
-* })
-*
-* // Get user info
-* const userInfo = await client.getUserInfo(tokens.accessToken)
-* ```
-*/
 var NyaAccountClient = class {
 	constructor(config) {
 		this.httpClient = void 0;
@@ -323,14 +264,15 @@ var NyaAccountClient = class {
 		this.discoveryCacheTimestamp = 0;
 		this.discoveryCacheTtl = void 0;
 		this.jwtVerifier = null;
-		this.config = config;
+		this.config = {
+			...config,
+			issuer: config.issuer ?? DEFAULT_ISSUER
+		};
 		this.discoveryCacheTtl = config.discoveryCacheTtl ?? DEFAULT_DISCOVERY_CACHE_TTL;
 		this.httpClient = axios.create({ timeout: config.timeout ?? 1e4 });
 	}
 	/**
 	* Fetch the OIDC Discovery document. Results are cached with a configurable TTL.
 	*/
 	async discover() {
 		if (this.discoveryCache && Date.now() - this.discoveryCacheTimestamp < this.discoveryCacheTtl) return this.discoveryCache;
@@ -366,9 +308,7 @@ var NyaAccountClient = class {
 		}
 	}
 	/**
 	* Clear the cached Discovery document and JWT verifier, forcing a re-fetch on next use.
 	*/
 	clearCache() {
 		this.discoveryCache = null;
@@ -376,15 +316,10 @@ var NyaAccountClient = class {
 		this.jwtVerifier = null;
 	}
 	/**
 	* Create an OAuth authorization URL (automatically includes PKCE).
 	*
 	* The returned `codeVerifier` and `state` must be saved to the session
 	* for later use in token exchange and CSRF validation.
 	*/
 	async createAuthorizationUrl(options) {
 		const authorizationEndpoint = await this.resolveEndpoint("authorization");
@@ -408,9 +343,72 @@ var NyaAccountClient = class {
 		};
 	}
 	/**
+	* Push authorization parameters to PAR endpoint (RFC 9126).
+	*
+	* Returns a `request_uri` that can be used in the authorization endpoint.
+	*/
+	async pushAuthorizationRequest(options) {
+		const parEndpoint = await this.resolveEndpoint("pushedAuthorizationRequest");
+		const codeVerifier = generateCodeVerifier();
+		const codeChallenge = generateCodeChallenge(codeVerifier);
+		const state = options.state ?? randomBytes(16).toString("base64url");
+		const payload = {
+			client_id: this.config.clientId,
+			client_secret: this.config.clientSecret,
+			redirect_uri: options.redirectUri,
+			response_type: "code",
+			scope: options.scope ?? "openid",
+			state,
+			code_challenge: codeChallenge,
+			code_challenge_method: "S256"
+		};
+		if (options.nonce) payload.nonce = options.nonce;
+		if (options.request) payload.request = options.request;
+		try {
+			const response = await this.httpClient.post(parEndpoint, payload);
+			const raw = PushedAuthorizationResponseSchema.parse(response.data);
+			return {
+				requestUri: raw.request_uri,
+				expiresIn: raw.expires_in,
+				codeVerifier,
+				state
+			};
+		} catch (error) {
+			throw this.handleTokenError(error);
+		}
+	}
+	/**
+	* Create an authorization URL using PAR `request_uri`.
+	*/
+	async createAuthorizationUrlWithPar(options) {
+		const authorizationEndpoint = await this.resolveEndpoint("authorization");
+		const pushed = await this.pushAuthorizationRequest(options);
+		const params = new URLSearchParams({
+			client_id: this.config.clientId,
+			request_uri: pushed.requestUri
+		});
+		return {
+			url: `${authorizationEndpoint}?${params.toString()}`,
+			codeVerifier: pushed.codeVerifier,
+			state: pushed.state,
+			requestUri: pushed.requestUri,
+			expiresIn: pushed.expiresIn
+		};
+	}
+	/**
+	* Create OIDC RP-Initiated Logout URL (`end_session_endpoint`).
+	*/
+	async createEndSessionUrl(options) {
+		const endSessionEndpoint = await this.resolveEndpoint("endSession");
+		const params = new URLSearchParams();
+		if (options?.idTokenHint) params.set("id_token_hint", options.idTokenHint);
+		if (options?.postLogoutRedirectUri) params.set("post_logout_redirect_uri", options.postLogoutRedirectUri);
+		if (options?.state) params.set("state", options.state);
+		params.set("client_id", options?.clientId ?? this.config.clientId);
+		return `${endSessionEndpoint}?${params.toString()}`;
+	}
+	/**
 	* Exchange an authorization code for tokens (Authorization Code Grant).
 	*/
 	async exchangeCode(options) {
 		const tokenEndpoint = await this.resolveEndpoint("token");
@@ -429,9 +427,7 @@ var NyaAccountClient = class {
 		}
 	}
 	/**
 	* Refresh an Access Token using a Refresh Token.
 	*/
 	async refreshToken(refreshToken) {
 		const tokenEndpoint = await this.resolveEndpoint("token");
@@ -448,40 +444,35 @@ var NyaAccountClient = class {
 		}
 	}
 	/**
 	* Revoke a token (RFC 7009).
 	*
 	* Supports revoking Access Tokens or Refresh Tokens.
 	* Revoking a Refresh Token also revokes its entire token family.
 	*/
-	async revokeToken(token) {
+	async revokeToken(token, options) {
 		const revocationEndpoint = await this.resolveEndpoint("revocation");
 		try {
+			const tokenTypeHint = options?.tokenTypeHint ? TokenTypeHintSchema.parse(options.tokenTypeHint) : void 0;
 			await this.httpClient.post(revocationEndpoint, {
 				token,
+				token_type_hint: tokenTypeHint,
 				client_id: this.config.clientId,
 				client_secret: this.config.clientSecret
 			});
 		} catch {}
 	}
 	/**
 	* Token introspection (RFC 7662).
 	*
 	* Query the server for the current state of a token (active status, associated user info, etc.).
 	*/
-	async introspectToken(token) {
+	async introspectToken(token, options) {
 		const introspectionEndpoint = await this.resolveEndpoint("introspection");
 		try {
+			const tokenTypeHint = options?.tokenTypeHint ? TokenTypeHintSchema.parse(options.tokenTypeHint) : void 0;
 			const response = await this.httpClient.post(introspectionEndpoint, {
 				token,
+				token_type_hint: tokenTypeHint,
 				client_id: this.config.clientId,
 				client_secret: this.config.clientSecret
 			});
@@ -497,24 +488,20 @@ var NyaAccountClient = class {
 				sub: raw.sub,
 				aud: raw.aud,
 				iss: raw.iss,
-				jti: raw.jti
+				jti: raw.jti,
+				sid: raw.sid,
+				sv: raw.sv
 			};
 		} catch (error) {
 			throw this.handleTokenError(error);
 		}
 	}
 	/**
 	* Get user info using an Access Token (OIDC UserInfo Endpoint).
 	*
 	* The returned fields depend on the scopes included in the token:
-	* - `profile`: name, preferredUsername, updatedAt
+	* - `profile`: name, picture, updatedAt
 	* - `email`: email, emailVerified
 	*/
 	async getUserInfo(accessToken) {
 		const userinfoEndpoint = await this.resolveEndpoint("userinfo");
@@ -524,7 +511,7 @@ var NyaAccountClient = class {
 			return {
 				sub: raw.sub,
 				name: raw.name,
-				preferredUsername: raw.preferred_username,
+				picture: raw.picture,
 				email: raw.email,
 				emailVerified: raw.email_verified,
 				updatedAt: raw.updated_at
@@ -534,77 +521,46 @@ var NyaAccountClient = class {
 		}
 	}
 	/**
 	* Locally verify a JWT Access Token (RFC 9068).
 	*
 	* Uses remote JWKS for signature verification, and validates issuer, audience, expiry, etc.
 	*
 	* @param token JWT Access Token string
 	* @param options.audience Custom audience validation value (defaults to clientId)
 	*/
 	async verifyAccessToken(token, options) {
 		const verifier = await this.getJwtVerifier();
 		return verifier.verifyAccessToken(token, options?.audience);
 	}
 	/**
 	* Locally verify an OIDC ID Token.
 	*
 	* @param token JWT ID Token string
 	* @param options.audience Custom audience validation value (defaults to clientId)
 	* @param options.nonce Validate the nonce claim (required if nonce was sent during authorization)
 	*/
 	async verifyIdToken(token, options) {
 		const verifier = await this.getJwtVerifier();
 		return verifier.verifyIdToken(token, options);
 	}
 	/**
 	* Express middleware: verify the Bearer Token in the request.
 	*
 	* After successful verification, use `getAuth(req)` to retrieve the token payload.
 	*
 	* @param options.strategy Verification strategy: 'local' (default, JWT local verification) or 'introspection' (remote introspection)
 	*
 	* @example
 	* ```typescript
 	* import { getAuth } from '@nya-account/node-sdk/express'
 	*
 	* app.use('/api', client.authenticate())
 	*
 	* app.get('/api/me', (req, res) => {
 	*     const auth = getAuth(req)
 	*     res.json({ userId: auth?.sub })
 	* })
 	* ```
 	*/
 	authenticate(options) {
 		const strategy = options?.strategy ?? "local";
@@ -622,6 +578,11 @@ var NyaAccountClient = class {
 						sendOAuthError(res, 401, "invalid_token", "Token is not active");
 						return;
 					}
+					const tokenType = introspection.tokenType?.toLowerCase();
+					if (tokenType && tokenType !== "bearer" && tokenType !== "access_token") {
+						sendOAuthError(res, 401, "invalid_token", "Token is not an access token");
+						return;
+					}
 					payload = {
 						iss: introspection.iss ?? "",
 						sub: introspection.sub ?? "",
@@ -630,7 +591,9 @@ var NyaAccountClient = class {
 						ver: "1",
 						iat: introspection.iat ?? 0,
 						exp: introspection.exp ?? 0,
-						jti: introspection.jti ?? ""
+						jti: introspection.jti ?? "",
+						sid: introspection.sid ?? "",
+						sv: introspection.sv ?? 0
 					};
 				} else payload = await this.verifyAccessToken(token);
 				setAuth(req, payload);
@@ -642,31 +605,18 @@ var NyaAccountClient = class {
 		};
 	}
 	/**
 	* Express middleware: validate that the token in the request contains the specified scopes.
 	*
 	* Must be used after the `authenticate()` middleware.
 	*
 	* @example
 	* ```typescript
 	* app.get('/api/profile',
 	*     client.authenticate(),
 	*     client.requireScopes('profile'),
 	*     (req, res) => { ... }
 	* )
 	* ```
 	*/
 	requireScopes(...scopes) {
 		return (req, res, next) => {