npm - @nya-account/node-sdk - Versions diffs - 2.0.1 → 2.0.2 - Mend

@nya-account/node-sdk 2.0.1 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +187 -173
package/dist/{express-yO7hxKKd.d.ts → express-Bn8IUnft.d.ts} +10 -4
package/dist/express-Bn8IUnft.d.ts.map +1 -0
package/dist/express.d.ts +1 -1
package/dist/index.d.ts +53 -6
package/dist/index.d.ts.map +1 -1
package/dist/index.js +95 -81
package/dist/index.js.map +1 -1
package/package.json +1 -1
package/dist/express-yO7hxKKd.d.ts.map +0 -1

package/README.md CHANGED Viewed

@@ -1,173 +1,187 @@
-# @nya-account/node-sdk
-Official Node.js SDK for [Nya Account](https://account.lolinya.net) SSO system.
-Provides a complete OAuth 2.1 / OIDC client with PKCE, JWT verification, and Express middleware.
-## Installation
-```bash
-npm install @nya-account/node-sdk
-# or
-pnpm add @nya-account/node-sdk
-# or
-yarn add @nya-account/node-sdk
-```
-## Quick Start
-```typescript
-import { NyaAccountClient } from '@nya-account/node-sdk'
-const client = new NyaAccountClient({
-    // See https://account.lolinya.net/docs/developer/service-endpoints#integration-endpoints
-    issuer: 'https://account-api.edge.lolinya.net',
-    clientId: 'my-app',
-    clientSecret: 'my-secret',
-})
-// Create authorization URL (with PKCE)
-const { url, codeVerifier, state } = await client.createAuthorizationUrl({
-    redirectUri: 'https://myapp.com/callback',
-    scope: 'openid profile email',
-})
-// Exchange code for tokens
-const tokens = await client.exchangeCode({
-    code: callbackCode,
-    redirectUri: 'https://myapp.com/callback',
-    codeVerifier,
-})
-// Get user info
-const userInfo = await client.getUserInfo(tokens.accessToken)
-```
-## Express Middleware
-```typescript
-import express from 'express'
-import { NyaAccountClient } from '@nya-account/node-sdk'
-import { getAuth } from '@nya-account/node-sdk/express'
-const app = express()
-const client = new NyaAccountClient({
-    issuer: 'https://account-api.edge.lolinya.net',
-    clientId: 'my-app',
-    clientSecret: 'my-secret',
-})
-// Protect all /api routes
-app.use('/api', client.authenticate())
-app.get('/api/me', (req, res) => {
-    const auth = getAuth(req)
-    res.json({ userId: auth?.sub, scopes: auth?.scope })
-})
-// Require specific scopes
-app.get('/api/profile',
-    client.authenticate(),
-    client.requireScopes('profile'),
-    (req, res) => {
-        const auth = getAuth(req)
-        res.json({ name: auth?.sub })
-    }
-)
-// Use introspection for sensitive operations
-app.post('/api/sensitive',
-    client.authenticate({ strategy: 'introspection' }),
-    handler
-)
-```
-## Configuration
-| Option | Type | Default | Description |
-|---|---|---|---|
-| `issuer` | `string` | `'https://account-api.edge.lolinya.net'` | SSO service URL (Issuer URL). See [Service Endpoints](https://account.lolinya.net/docs/developer/service-endpoints#integration-endpoints) for available endpoints. |
-| `clientId` | `string` | *required* | OAuth client ID |
-| `clientSecret` | `string` | *required* | OAuth client secret |
-| `timeout` | `number` | `10000` | HTTP request timeout in milliseconds |
-| `discoveryCacheTtl` | `number` | `3600000` | Discovery document cache TTL in milliseconds (default: 1 hour) |
-| `endpoints` | `EndpointConfig` | — | Explicitly specify endpoint URLs (auto-discovered via OIDC Discovery if omitted) |
-## API Reference
-### `NyaAccountClient`
-#### Authorization
-- **`createAuthorizationUrl(options)`** — Create an OAuth authorization URL with PKCE
-#### Token Operations
-- **`exchangeCode(options)`** — Exchange an authorization code for tokens
-- **`refreshToken(refreshToken)`** — Refresh an Access Token
-- **`revokeToken(token)`** — Revoke a token (RFC 7009)
-- **`introspectToken(token)`** — Token introspection (RFC 7662)
-#### User Info
-- **`getUserInfo(accessToken)`** — Get user info via OIDC UserInfo endpoint
-#### JWT Verification
-- **`verifyAccessToken(token, options?)`** — Locally verify a JWT Access Token (RFC 9068)
-- **`verifyIdToken(token, options?)`** — Locally verify an OIDC ID Token
-#### Express Middleware
-- **`authenticate(options?)`** — Middleware to verify Bearer Token (`local` or `introspection` strategy)
-- **`requireScopes(...scopes)`** — Middleware to validate token scopes
-#### Cache
-- **`discover()`** — Fetch OIDC Discovery document (cached with TTL)
-- **`clearCache()`** — Clear Discovery and JWT verifier cache
-### Express Helpers
-Available from `@nya-account/node-sdk/express`:
-- **`getAuth(req)`** — Retrieve the verified Access Token payload from a request
-- **`extractBearerToken(req)`** — Extract Bearer token from the Authorization header
-- **`sendOAuthError(res, statusCode, error, errorDescription)`** — Send an OAuth-standard error response
-### PKCE Utilities
-- **`generatePkce()`** — Generate a code_verifier and code_challenge pair
-- **`generateCodeVerifier()`** — Generate a PKCE code_verifier
-- **`generateCodeChallenge(codeVerifier)`** — Generate an S256 code_challenge
-## Error Handling
-The SDK provides typed error classes:
-```typescript
-import {
-    NyaAccountError,       // Base error class
-    OAuthError,            // OAuth protocol errors from the server
-    TokenVerificationError, // JWT verification failures
-    DiscoveryError,        // OIDC Discovery failures
-} from '@nya-account/node-sdk'
-try {
-    await client.verifyAccessToken(token)
-} catch (error) {
-    if (error instanceof TokenVerificationError) {
-        console.log(error.code)        // 'token_verification_failed'
-        console.log(error.description) // Human-readable description
-    }
-}
-```
-## Requirements
-- Node.js >= 20.0.0
-- Express 4.x or 5.x (optional, for middleware features)
-## License
-[MIT](./LICENSE)
+# @nya-account/node-sdk
+Official Node.js SDK for [Nya Account](https://account.lolinya.net) SSO system.
+Provides a complete OAuth 2.1 / OIDC client with PKCE, JWT verification, and Express middleware.
+## Installation
+```bash
+npm install @nya-account/node-sdk
+# or
+pnpm add @nya-account/node-sdk
+# or
+yarn add @nya-account/node-sdk
+```
+## Quick Start
+```typescript
+import { NyaAccountClient } from '@nya-account/node-sdk'
+const client = new NyaAccountClient({
+    // See https://account.lolinya.net/docs/developer/service-endpoints#integration-endpoints
+    issuer: 'https://account-api.edge.lolinya.net',
+    clientId: 'my-app',
+    clientSecret: 'my-secret'
+})
+// Create authorization URL (with PKCE)
+const { url, codeVerifier, state } = await client.createAuthorizationUrl({
+    redirectUri: 'https://myapp.com/callback',
+    scope: 'openid profile email'
+})
+// Exchange code for tokens
+const tokens = await client.exchangeCode({
+    code: callbackCode,
+    redirectUri: 'https://myapp.com/callback',
+    codeVerifier
+})
+// Get user info
+const userInfo = await client.getUserInfo(tokens.accessToken)
+// Revoke refresh token on logout
+await client.revokeToken(tokens.refreshToken, { tokenTypeHint: 'refresh_token' })
+// Build RP-initiated logout URL
+const logoutUrl = await client.createEndSessionUrl({
+    idTokenHint: tokens.idToken,
+    postLogoutRedirectUri: 'https://myapp.com/logout/callback',
+    state: 'logout-csrf-state'
+})
+```
+## Express Middleware
+```typescript
+import express from 'express'
+import { NyaAccountClient } from '@nya-account/node-sdk'
+import { getAuth } from '@nya-account/node-sdk/express'
+const app = express()
+const client = new NyaAccountClient({
+    issuer: 'https://account-api.edge.lolinya.net',
+    clientId: 'my-app',
+    clientSecret: 'my-secret'
+})
+// Protect all /api routes
+app.use('/api', client.authenticate())
+app.get('/api/me', (req, res) => {
+    const auth = getAuth(req)
+    res.json({ userId: auth?.sub, scopes: auth?.scope })
+})
+// Require specific scopes
+app.get(
+    '/api/profile',
+    client.authenticate(),
+    client.requireScopes('profile'),
+    (req, res) => {
+        const auth = getAuth(req)
+        res.json({ name: auth?.sub })
+    }
+)
+// Use introspection for sensitive operations
+app.post('/api/sensitive', client.authenticate({ strategy: 'introspection' }), handler)
+```
+## Configuration
+| Option              | Type             | Default                                  | Description                                                                                                                                                        |
+| ------------------- | ---------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `issuer`            | `string`         | `'https://account-api.edge.lolinya.net'` | SSO service URL (Issuer URL). See [Service Endpoints](https://account.lolinya.net/docs/developer/service-endpoints#integration-endpoints) for available endpoints. |
+| `clientId`          | `string`         | _required_                               | OAuth client ID                                                                                                                                                    |
+| `clientSecret`      | `string`         | _required_                               | OAuth client secret                                                                                                                                                |
+| `timeout`           | `number`         | `10000`                                  | HTTP request timeout in milliseconds                                                                                                                               |
+| `discoveryCacheTtl` | `number`         | `3600000`                                | Discovery document cache TTL in milliseconds (default: 1 hour)                                                                                                     |
+| `endpoints`         | `EndpointConfig` | —                                        | Explicitly specify endpoint URLs (auto-discovered via OIDC Discovery if omitted)                                                                                   |
+## API Reference
+### `NyaAccountClient`
+#### Authorization
+- **`createAuthorizationUrl(options)`** — Create an OAuth authorization URL with PKCE
+- **`pushAuthorizationRequest(options)`** — Push authorization request to PAR endpoint (RFC 9126)
+- **`createAuthorizationUrlWithPar(options)`** — Create authorization URL using PAR `request_uri`
+#### Token Operations
+- **`exchangeCode(options)`** — Exchange an authorization code for tokens
+- **`refreshToken(refreshToken)`** — Refresh an Access Token
+- **`revokeToken(token, options?)`** — Revoke a token (RFC 7009)
+- **`introspectToken(token, options?)`** — Token introspection (RFC 7662)
+#### User Info
+- **`getUserInfo(accessToken)`** — Get user info via OIDC UserInfo endpoint
+#### JWT Verification
+- **`verifyAccessToken(token, options?)`** — Locally verify a JWT Access Token (RFC 9068)
+- **`verifyIdToken(token, options?)`** — Locally verify an OIDC ID Token
+#### Express Middleware
+- **`authenticate(options?)`** — Middleware to verify Bearer Token (`local` or `introspection` strategy)
+- **`requireScopes(...scopes)`** — Middleware to validate token scopes
+#### Cache
+- **`discover()`** — Fetch OIDC Discovery document (cached with TTL)
+- **`clearCache()`** — Clear Discovery and JWT verifier cache
+#### OIDC Logout
+- **`createEndSessionUrl(options?)`** — Create OIDC RP-initiated logout URL (`end_session_endpoint`)
+### Express Helpers
+Available from `@nya-account/node-sdk/express`:
+- **`getAuth(req)`** — Retrieve the verified Access Token payload from a request
+- **`extractBearerToken(req)`** — Extract Bearer token from the Authorization header
+- **`sendOAuthError(res, statusCode, error, errorDescription)`** — Send an OAuth-standard error response
+### PKCE Utilities
+- **`generatePkce()`** — Generate a code_verifier and code_challenge pair
+- **`generateCodeVerifier()`** — Generate a PKCE code_verifier
+- **`generateCodeChallenge(codeVerifier)`** — Generate an S256 code_challenge
+## Error Handling
+The SDK provides typed error classes:
+```typescript
+import {
+    NyaAccountError, // Base error class
+    OAuthError, // OAuth protocol errors from the server
+    TokenVerificationError, // JWT verification failures
+    DiscoveryError // OIDC Discovery failures
+} from '@nya-account/node-sdk'
+try {
+    await client.verifyAccessToken(token)
+} catch (error) {
+    if (error instanceof TokenVerificationError) {
+        console.log(error.code) // 'token_verification_failed'
+        console.log(error.description) // Human-readable description
+    }
+}
+```
+## Requirements
+- Node.js >= 20.0.0
+- Express 4.x or 5.x (optional, for middleware features)
+## License
+[MIT](./LICENSE)

package/dist/{express-yO7hxKKd.d.ts → express-Bn8IUnft.d.ts} RENAMED Viewed

@@ -9,6 +9,8 @@ declare const AccessTokenPayloadSchema: z.ZodObject<{
   aud: z.ZodString;
   scope: z.ZodString;
   ver: z.ZodString;
+  sid: z.ZodString;
+  sv: z.ZodNumber;
   iat: z.ZodNumber;
   exp: z.ZodNumber;
   jti: z.ZodString;
@@ -27,6 +29,8 @@ declare const AccessTokenPayloadSchema: z.ZodObject<{
   aud: string;
   iss: string;
   jti: string;
+  sid: string;
+  sv: number;
   ver: string;
   cnf?: {
     jkt: string;
@@ -39,6 +43,8 @@ declare const AccessTokenPayloadSchema: z.ZodObject<{
   aud: string;
   iss: string;
   jti: string;
+  sid: string;
+  sv: number;
   ver: string;
   cnf?: {
     jkt: string;
@@ -49,11 +55,11 @@ declare const IdTokenPayloadSchema: z.ZodObject<{
   iss: z.ZodString;
   sub: z.ZodString;
   aud: z.ZodString;
+  sid: z.ZodOptional<z.ZodString>;
   iat: z.ZodNumber;
   exp: z.ZodNumber;
   nonce: z.ZodOptional<z.ZodString>;
   name: z.ZodOptional<z.ZodString>;
-  preferred_username: z.ZodOptional<z.ZodString>;
   email: z.ZodOptional<z.ZodString>;
   email_verified: z.ZodOptional<z.ZodBoolean>;
   updated_at: z.ZodOptional<z.ZodNumber>;
@@ -63,8 +69,8 @@ declare const IdTokenPayloadSchema: z.ZodObject<{
   sub: string;
   aud: string;
   iss: string;
+  sid?: string | undefined;
   name?: string | undefined;
-  preferred_username?: string | undefined;
   email?: string | undefined;
   email_verified?: boolean | undefined;
   updated_at?: number | undefined;
@@ -75,8 +81,8 @@ declare const IdTokenPayloadSchema: z.ZodObject<{
   sub: string;
   aud: string;
   iss: string;
+  sid?: string | undefined;
   name?: string | undefined;
-  preferred_username?: string | undefined;
   email?: string | undefined;
   email_verified?: boolean | undefined;
   updated_at?: number | undefined;
@@ -115,4 +121,4 @@ declare function sendOAuthError(res: Response, statusCode: number, error: string
 //#endregion
 export { AccessTokenPayload, IdTokenPayload, extractBearerToken as extractBearerToken$1, getAuth as getAuth$1, sendOAuthError as sendOAuthError$1 };
-//# sourceMappingURL=express-yO7hxKKd.d.ts.map
+//# sourceMappingURL=express-Bn8IUnft.d.ts.map

package/dist/express-Bn8IUnft.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"express-Bn8IUnft.d.ts","names":[],"sources":["../src/core/schemas.d.ts","../src/middleware/express.d.ts"],"sourcesContent":null,"mappings":";;;;AAcA,IAAW,2BAAM;CAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;AAAA;AACjB,IAAW,qBAAqB;CAAC;CAAA,MAAA;CAAA,MAAA,EAAA;AAAA;AACjC,IAAG,uBAAA;CAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;AAAA;AACH,IAAW,iBAAa;CAAA;CAAA,MAAA;CAAA,MAAA,EAAA;AAAA;;;;;;;;;;;;;;;;;;;ACAxB,IAAW,UAAU,CAAC,GAAG,MAAM,kBAAmB;;;;AAQlD,IAAW,qBAAqB,CAAC,GAAG,MAAM,OAAQ;;;;AAIlD,IAAW,iBAAiB,CAAC,GAAG,MAAM,QAAS"}

package/dist/express.d.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { extractBearerToken$1 as extractBearerToken, getAuth$1 as getAuth, sendOAuthError$1 as sendOAuthError } from "./express-yO7hxKKd.js";
+import { extractBearerToken$1 as extractBearerToken, getAuth$1 as getAuth, sendOAuthError$1 as sendOAuthError } from "./express-Bn8IUnft.js";
 export { extractBearerToken, getAuth, sendOAuthError };

package/dist/index.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { AccessTokenPayload, IdTokenPayload, getAuth$1 as getAuth } from "./express-yO7hxKKd.js";
+import { AccessTokenPayload, IdTokenPayload, getAuth$1 as getAuth } from "./express-Bn8IUnft.js";
 import { NextFunction, Request, Response } from "express";
 //#region src/core/types.d.ts
@@ -22,6 +22,7 @@ interface NyaAccountConfig {
 }
 interface EndpointConfig {
   authorization?: string;
+  pushedAuthorizationRequest?: string;
   token?: string;
   userinfo?: string;
   revocation?: string;
@@ -40,7 +41,6 @@ interface TokenResponse {
 interface UserInfo {
   sub: string;
   name?: string;
-  preferredUsername?: string;
   picture?: string;
   email?: string;
   emailVerified?: boolean;
@@ -58,6 +58,8 @@ interface IntrospectionResponse {
   aud?: string;
   iss?: string;
   jti?: string;
+  sid?: string;
+  sv?: number;
 }
 interface DiscoveryDocument {
   issuer: string;
@@ -88,6 +90,20 @@ interface CreateAuthorizationUrlOptions {
   /** ID Token replay protection parameter */
   nonce?: string;
 }
+interface PushAuthorizationRequestOptions extends CreateAuthorizationUrlOptions {
+  /** Optional JAR request object */
+  request?: string;
+}
+interface PushAuthorizationRequestResult {
+  /** PAR request URI */
+  requestUri: string;
+  /** PAR request URI lifetime in seconds */
+  expiresIn: number;
+  /** PKCE code_verifier, must be stored in session for later token exchange */
+  codeVerifier: string;
+  /** State parameter, must be stored in session for CSRF validation */
+  state: string;
+}
 interface AuthorizationUrlResult {
   /** Full authorization URL to redirect the user to */
   url: string;
@@ -96,6 +112,16 @@ interface AuthorizationUrlResult {
   /** State parameter, must be stored in session for CSRF validation */
   state: string;
 }
+interface CreateEndSessionUrlOptions {
+  /** Previously issued ID Token */
+  idTokenHint?: string;
+  /** Redirect URL after logout, must match registered post-logout URI */
+  postLogoutRedirectUri?: string;
+  /** Opaque state value returned to post_logout_redirect_uri */
+  state?: string;
+  /** Optional client ID override (defaults to configured clientId) */
+  clientId?: string;
+}
 interface ExchangeCodeOptions {
   /** Authorization code received in the callback */
   code: string;
@@ -136,6 +162,23 @@ declare class NyaAccountClient {
    * for later use in token exchange and CSRF validation.
    */
   createAuthorizationUrl(options: CreateAuthorizationUrlOptions): Promise<AuthorizationUrlResult>;
+  /**
+   * Push authorization parameters to PAR endpoint (RFC 9126).
+   *
+   * Returns a `request_uri` that can be used in the authorization endpoint.
+   */
+  pushAuthorizationRequest(options: PushAuthorizationRequestOptions): Promise<PushAuthorizationRequestResult>;
+  /**
+   * Create an authorization URL using PAR `request_uri`.
+   */
+  createAuthorizationUrlWithPar(options: PushAuthorizationRequestOptions): Promise<AuthorizationUrlResult & {
+    requestUri: string;
+    expiresIn: number;
+  }>;
+  /**
+   * Create OIDC RP-Initiated Logout URL (`end_session_endpoint`).
+   */
+  createEndSessionUrl(options?: CreateEndSessionUrlOptions): Promise<string>;
   /**
    * Exchange an authorization code for tokens (Authorization Code Grant).
    */
@@ -150,18 +193,22 @@ declare class NyaAccountClient {
    * Supports revoking Access Tokens or Refresh Tokens.
    * Revoking a Refresh Token also revokes its entire token family.
    */
-  revokeToken(token: string): Promise<void>;
+  revokeToken(token: string, options?: {
+    tokenTypeHint?: 'access_token' | 'refresh_token';
+  }): Promise<void>;
   /**
    * Token introspection (RFC 7662).
    *
    * Query the server for the current state of a token (active status, associated user info, etc.).
    */
-  introspectToken(token: string): Promise<IntrospectionResponse>;
+  introspectToken(token: string, options?: {
+    tokenTypeHint?: 'access_token' | 'refresh_token';
+  }): Promise<IntrospectionResponse>;
   /**
    * Get user info using an Access Token (OIDC UserInfo Endpoint).
    *
    * The returned fields depend on the scopes included in the token:
-   * - `profile`: name, preferredUsername, picture, updatedAt
+   * - `profile`: name, picture, updatedAt
    * - `email`: email, emailVerified
    */
   getUserInfo(accessToken: string): Promise<UserInfo>;
@@ -271,5 +318,5 @@ declare function generateCodeChallenge(codeVerifier: string): string;
 declare function generatePkce(): PkcePair;
 //#endregion
-export { AccessTokenPayload, AuthenticateOptions, AuthorizationUrlResult, CreateAuthorizationUrlOptions, DiscoveryDocument, DiscoveryError, EndpointConfig, ExchangeCodeOptions, IdTokenPayload, IntrospectionResponse, NyaAccountClient, NyaAccountConfig, NyaAccountError, OAuthError, PkcePair, TokenResponse, TokenVerificationError, UserInfo, generateCodeChallenge, generateCodeVerifier, generatePkce, getAuth };
+export { AccessTokenPayload, AuthenticateOptions, AuthorizationUrlResult, CreateAuthorizationUrlOptions, CreateEndSessionUrlOptions, DiscoveryDocument, DiscoveryError, EndpointConfig, ExchangeCodeOptions, IdTokenPayload, IntrospectionResponse, NyaAccountClient, NyaAccountConfig, NyaAccountError, OAuthError, PkcePair, PushAuthorizationRequestOptions, PushAuthorizationRequestResult, TokenResponse, TokenVerificationError, UserInfo, generateCodeChallenge, generateCodeVerifier, generatePkce, getAuth };
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","names":[],"sources":["../src/core/types.d.ts","../src/client.d.ts","../src/core/errors.d.ts","../src/utils/pkce.d.ts"],"sourcesContent":null,"mappings":";;;;AAEA,IAAW,mBAAmB,CAAC,IAAG,MAAA,cAAA;AAClC,IAAM,iBAAA,CAAA,EAAA;AACN,IAAW,gBAAgB,CAAC,EAAG;AAC/B,IAAK,WAAA,CAAA,EAAA;AACL,IAAW,wBAAwB,CAAC,EAAG;AACvC,IAAM,oBAAA,CAAA,EAAA;AACN,IAAW,gCAAQ,CAAA,EAAA;AACnB,IAAW,~~yBAAc~~,CAAA,~~EAAA~~;AACzB,IAAW,~~sBAAS~~,CAAA,EAAA;AACpB,IAAW,~~sBAAkB~~,CAAA,EAAA;AAC7B,IAAW,WAAW,CAAC,~~EAAC~~;;;;~~ACTxB~~,IAAW,mBAAmB;CAAC;CAAG,MAAI;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;AAAA;;;;;;;ACAtC,IAAW,kBAAkB,CAAC,IAAI,MAAM,KAAM;;;;AAI9C,IAAA,aAAA,CAAA,IAAA,MAAA,eAAA;;;;AAIA,IAAW,yBAAyB,CAAC,IAAI,MAAM,eAAS;;;;AAIxD,IAAW,iBAAc,CAAA,IAAA,MAAA,eAAA;;;;;;;ACXzB,IAAW,uBAAuB,CAAC,EAAG;;;;AAItC,IAAW,wBAAwB,CAAC,EAAG;;;;AAIvC,IAAW,eAAe,CAAC,IAAI,MAAM,QAAS"}
1	+ {"version":3,"file":"index.d.ts","names":[],"sources":["../src/core/types.d.ts","../src/client.d.ts","../src/core/errors.d.ts","../src/utils/pkce.d.ts"],"sourcesContent":null,"mappings":";;;;AAEA,IAAW,mBAAmB,CAAC,IAAG,MAAA,cAAA;AAClC,IAAM,iBAAA,CAAA,EAAA;AACN,IAAW,gBAAgB,CAAC,EAAG;AAC/B,IAAK,WAAA,CAAA,EAAA;AACL,IAAW,wBAAwB,CAAC,EAAG;AACvC,IAAM,oBAAA,CAAA,EAAA;AACN,IAAW,gCAAQ,CAAA,EAAA;AACnB,IAAW,kCAAc,CAAA,IAAA,MAAA,6BAAA;AACzB,IAAW,iCAAS,CAAA,EAAA;AACpB,IAAW,yBAAkB,CAAA,EAAA;AAC7B,IAAW,6BAAa,CAAA,EAAA;AACxB,IAAW,sBAAsB,CAAC,EAAG;AACrC,IAAW,sBAAS,CAAA,EAAA;AACpB,IAAW,WAAW,CAAC,EAAG;;;;ACZ1B,IAAW,mBAAmB;CAAC;CAAG,MAAI;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;CAAA,MAAA;AAAA;;;;;;;ACAtC,IAAW,kBAAkB,CAAC,IAAI,MAAM,KAAM;;;;AAI9C,IAAA,aAAA,CAAA,IAAA,MAAA,eAAA;;;;AAIA,IAAW,yBAAyB,CAAC,IAAI,MAAM,eAAS;;;;AAIxD,IAAW,iBAAc,CAAA,IAAA,MAAA,eAAA;;;;;;;ACXzB,IAAW,uBAAuB,CAAC,EAAG;;;;AAItC,IAAW,wBAAwB,CAAC,EAAG;;;;AAIvC,IAAW,eAAe,CAAC,IAAI,MAAM,QAAS"}

package/dist/index.js CHANGED Viewed

@@ -5,6 +5,7 @@ import { z } from "zod";
 import { createRemoteJWKSet, errors, jwtVerify } from "jose";
 //#region src/core/schemas.ts
+const TokenTypeHintSchema = z.enum(["access_token", "refresh_token"]);
 const TokenResponseSchema = z.object({
 	access_token: z.string(),
 	token_type: z.string(),
@@ -28,12 +29,13 @@ const IntrospectionResponseSchema = z.object({
 	sub: z.string().optional(),
 	aud: z.string().optional(),
 	iss: z.string().optional(),
-	jti: z.string().optional()
+	jti: z.string().optional(),
+	sid: z.string().optional(),
+	sv: z.number().optional()
 });
 const UserInfoSchema = z.object({
 	sub: z.string(),
 	name: z.string().optional(),
-	preferred_username: z.string().optional(),
 	picture: z.string().optional(),
 	email: z.string().optional(),
 	email_verified: z.boolean().optional(),
@@ -61,12 +63,18 @@ const DiscoveryDocumentSchema = z.object({
 	request_parameter_supported: z.boolean().optional(),
 	request_uri_parameter_supported: z.boolean().optional()
 });
+const PushedAuthorizationResponseSchema = z.object({
+	request_uri: z.string().min(1),
+	expires_in: z.number().int().positive()
+});
 const AccessTokenPayloadSchema = z.object({
 	iss: z.string(),
 	sub: z.string(),
 	aud: z.string(),
 	scope: z.string(),
 	ver: z.string(),
+	sid: z.string(),
+	sv: z.number().int().nonnegative(),
 	iat: z.number(),
 	exp: z.number(),
 	jti: z.string(),
@@ -76,11 +84,11 @@ const IdTokenPayloadSchema = z.object({
 	iss: z.string(),
 	sub: z.string(),
 	aud: z.string(),
+	sid: z.string().optional(),
 	iat: z.number(),
 	exp: z.number(),
 	nonce: z.string().optional(),
 	name: z.string().optional(),
-	preferred_username: z.string().optional(),
 	email: z.string().optional(),
 	email_verified: z.boolean().optional(),
 	updated_at: z.number().optional()
@@ -236,6 +244,7 @@ var JwtVerifier = class {
 //#region src/client.ts
 const DISCOVERY_ENDPOINT_MAP = {
 	authorization: "authorizationEndpoint",
+	pushedAuthorizationRequest: "pushedAuthorizationRequestEndpoint",
 	token: "tokenEndpoint",
 	userinfo: "userinfoEndpoint",
 	revocation: "revocationEndpoint",
@@ -263,9 +272,7 @@ var NyaAccountClient = class {
 		this.httpClient = axios.create({ timeout: config.timeout ?? 1e4 });
 	}
 	/**
 	* Fetch the OIDC Discovery document. Results are cached with a configurable TTL.
 	*/
 	async discover() {
 		if (this.discoveryCache && Date.now() - this.discoveryCacheTimestamp < this.discoveryCacheTtl) return this.discoveryCache;
@@ -301,9 +308,7 @@ var NyaAccountClient = class {
 		}
 	}
 	/**
 	* Clear the cached Discovery document and JWT verifier, forcing a re-fetch on next use.
 	*/
 	clearCache() {
 		this.discoveryCache = null;
@@ -311,15 +316,10 @@ var NyaAccountClient = class {
 		this.jwtVerifier = null;
 	}
 	/**
 	* Create an OAuth authorization URL (automatically includes PKCE).
 	*
 	* The returned `codeVerifier` and `state` must be saved to the session
 	* for later use in token exchange and CSRF validation.
 	*/
 	async createAuthorizationUrl(options) {
 		const authorizationEndpoint = await this.resolveEndpoint("authorization");
@@ -343,9 +343,72 @@ var NyaAccountClient = class {
 		};
 	}
 	/**
+	* Push authorization parameters to PAR endpoint (RFC 9126).
+	*
+	* Returns a `request_uri` that can be used in the authorization endpoint.
+	*/
+	async pushAuthorizationRequest(options) {
+		const parEndpoint = await this.resolveEndpoint("pushedAuthorizationRequest");
+		const codeVerifier = generateCodeVerifier();
+		const codeChallenge = generateCodeChallenge(codeVerifier);
+		const state = options.state ?? randomBytes(16).toString("base64url");
+		const payload = {
+			client_id: this.config.clientId,
+			client_secret: this.config.clientSecret,
+			redirect_uri: options.redirectUri,
+			response_type: "code",
+			scope: options.scope ?? "openid",
+			state,
+			code_challenge: codeChallenge,
+			code_challenge_method: "S256"
+		};
+		if (options.nonce) payload.nonce = options.nonce;
+		if (options.request) payload.request = options.request;
+		try {
+			const response = await this.httpClient.post(parEndpoint, payload);
+			const raw = PushedAuthorizationResponseSchema.parse(response.data);
+			return {
+				requestUri: raw.request_uri,
+				expiresIn: raw.expires_in,
+				codeVerifier,
+				state
+			};
+		} catch (error) {
+			throw this.handleTokenError(error);
+		}
+	}
+	/**
+	* Create an authorization URL using PAR `request_uri`.
+	*/
+	async createAuthorizationUrlWithPar(options) {
+		const authorizationEndpoint = await this.resolveEndpoint("authorization");
+		const pushed = await this.pushAuthorizationRequest(options);
+		const params = new URLSearchParams({
+			client_id: this.config.clientId,
+			request_uri: pushed.requestUri
+		});
+		return {
+			url: `${authorizationEndpoint}?${params.toString()}`,
+			codeVerifier: pushed.codeVerifier,
+			state: pushed.state,
+			requestUri: pushed.requestUri,
+			expiresIn: pushed.expiresIn
+		};
+	}
+	/**
+	* Create OIDC RP-Initiated Logout URL (`end_session_endpoint`).
+	*/
+	async createEndSessionUrl(options) {
+		const endSessionEndpoint = await this.resolveEndpoint("endSession");
+		const params = new URLSearchParams();
+		if (options?.idTokenHint) params.set("id_token_hint", options.idTokenHint);
+		if (options?.postLogoutRedirectUri) params.set("post_logout_redirect_uri", options.postLogoutRedirectUri);
+		if (options?.state) params.set("state", options.state);
+		params.set("client_id", options?.clientId ?? this.config.clientId);
+		return `${endSessionEndpoint}?${params.toString()}`;
+	}
+	/**
 	* Exchange an authorization code for tokens (Authorization Code Grant).
 	*/
 	async exchangeCode(options) {
 		const tokenEndpoint = await this.resolveEndpoint("token");
@@ -364,9 +427,7 @@ var NyaAccountClient = class {
 		}
 	}
 	/**
 	* Refresh an Access Token using a Refresh Token.
 	*/
 	async refreshToken(refreshToken) {
 		const tokenEndpoint = await this.resolveEndpoint("token");
@@ -383,40 +444,35 @@ var NyaAccountClient = class {
 		}
 	}
 	/**
 	* Revoke a token (RFC 7009).
 	*
 	* Supports revoking Access Tokens or Refresh Tokens.
 	* Revoking a Refresh Token also revokes its entire token family.
 	*/
-	async revokeToken(token) {
+	async revokeToken(token, options) {
 		const revocationEndpoint = await this.resolveEndpoint("revocation");
 		try {
+			const tokenTypeHint = options?.tokenTypeHint ? TokenTypeHintSchema.parse(options.tokenTypeHint) : void 0;
 			await this.httpClient.post(revocationEndpoint, {
 				token,
+				token_type_hint: tokenTypeHint,
 				client_id: this.config.clientId,
 				client_secret: this.config.clientSecret
 			});
 		} catch {}
 	}
 	/**
 	* Token introspection (RFC 7662).
 	*
 	* Query the server for the current state of a token (active status, associated user info, etc.).
 	*/
-	async introspectToken(token) {
+	async introspectToken(token, options) {
 		const introspectionEndpoint = await this.resolveEndpoint("introspection");
 		try {
+			const tokenTypeHint = options?.tokenTypeHint ? TokenTypeHintSchema.parse(options.tokenTypeHint) : void 0;
 			const response = await this.httpClient.post(introspectionEndpoint, {
 				token,
+				token_type_hint: tokenTypeHint,
 				client_id: this.config.clientId,
 				client_secret: this.config.clientSecret
 			});
@@ -432,24 +488,20 @@ var NyaAccountClient = class {
 				sub: raw.sub,
 				aud: raw.aud,
 				iss: raw.iss,
-				jti: raw.jti
+				jti: raw.jti,
+				sid: raw.sid,
+				sv: raw.sv
 			};
 		} catch (error) {
 			throw this.handleTokenError(error);
 		}
 	}
 	/**
 	* Get user info using an Access Token (OIDC UserInfo Endpoint).
 	*
 	* The returned fields depend on the scopes included in the token:
-	* - `profile`: name, preferredUsername, picture, updatedAt
+	* - `profile`: name, picture, updatedAt
 	* - `email`: email, emailVerified
 	*/
 	async getUserInfo(accessToken) {
 		const userinfoEndpoint = await this.resolveEndpoint("userinfo");
@@ -459,7 +511,6 @@ var NyaAccountClient = class {
 			return {
 				sub: raw.sub,
 				name: raw.name,
-				preferredUsername: raw.preferred_username,
 				picture: raw.picture,
 				email: raw.email,
 				emailVerified: raw.email_verified,
@@ -470,77 +521,46 @@ var NyaAccountClient = class {
 		}
 	}
 	/**
 	* Locally verify a JWT Access Token (RFC 9068).
 	*
 	* Uses remote JWKS for signature verification, and validates issuer, audience, expiry, etc.
 	*
 	* @param token JWT Access Token string
 	* @param options.audience Custom audience validation value (defaults to clientId)
 	*/
 	async verifyAccessToken(token, options) {
 		const verifier = await this.getJwtVerifier();
 		return verifier.verifyAccessToken(token, options?.audience);
 	}
 	/**
 	* Locally verify an OIDC ID Token.
 	*
 	* @param token JWT ID Token string
 	* @param options.audience Custom audience validation value (defaults to clientId)
 	* @param options.nonce Validate the nonce claim (required if nonce was sent during authorization)
 	*/
 	async verifyIdToken(token, options) {
 		const verifier = await this.getJwtVerifier();
 		return verifier.verifyIdToken(token, options);
 	}
 	/**
 	* Express middleware: verify the Bearer Token in the request.
 	*
 	* After successful verification, use `getAuth(req)` to retrieve the token payload.
 	*
 	* @param options.strategy Verification strategy: 'local' (default, JWT local verification) or 'introspection' (remote introspection)
 	*
 	* @example
 	* ```typescript
 	* import { getAuth } from '@nya-account/node-sdk/express'
 	*
 	* app.use('/api', client.authenticate())
 	*
 	* app.get('/api/me', (req, res) => {
 	*     const auth = getAuth(req)
 	*     res.json({ userId: auth?.sub })
 	* })
 	* ```
 	*/
 	authenticate(options) {
 		const strategy = options?.strategy ?? "local";
@@ -558,6 +578,11 @@ var NyaAccountClient = class {
 						sendOAuthError(res, 401, "invalid_token", "Token is not active");
 						return;
 					}
+					const tokenType = introspection.tokenType?.toLowerCase();
+					if (tokenType && tokenType !== "bearer" && tokenType !== "access_token") {
+						sendOAuthError(res, 401, "invalid_token", "Token is not an access token");
+						return;
+					}
 					payload = {
 						iss: introspection.iss ?? "",
 						sub: introspection.sub ?? "",
@@ -566,7 +591,9 @@ var NyaAccountClient = class {
 						ver: "1",
 						iat: introspection.iat ?? 0,
 						exp: introspection.exp ?? 0,
-						jti: introspection.jti ?? ""
+						jti: introspection.jti ?? "",
+						sid: introspection.sid ?? "",
+						sv: introspection.sv ?? 0
 					};
 				} else payload = await this.verifyAccessToken(token);
 				setAuth(req, payload);
@@ -578,31 +605,18 @@ var NyaAccountClient = class {
 		};
 	}
 	/**
 	* Express middleware: validate that the token in the request contains the specified scopes.
 	*
 	* Must be used after the `authenticate()` middleware.
 	*
 	* @example
 	* ```typescript
 	* app.get('/api/profile',
 	*     client.authenticate(),
 	*     client.requireScopes('profile'),
 	*     (req, res) => { ... }
 	* )
 	* ```
 	*/
 	requireScopes(...scopes) {
 		return (req, res, next) => {

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":["code: string","description: string","error: string","errorDescription: string","codeVerifier: string","jwksUri: string","issuer: string","defaultAudience: string","token: string","audience?: string","options?: { audience?: string; nonce?: string }","error: unknown","tokenType: string","DISCOVERY_ENDPOINT_MAP: Record<EndpointName, keyof DiscoveryDocument>","config: NyaAccountConfig","options: CreateAuthorizationUrlOptions","options: ExchangeCodeOptions","refreshToken: string","token: string","accessToken: string","options?: { audience?: string }","options?: { audience?: string; nonce?: string }","options?: AuthenticateOptions","req: Request","res: Response","next: NextFunction","payload: AccessTokenPayload","name: EndpointName","data: unknown","error: unknown"],"sources":["../src/core/schemas.ts","../src/core/errors.ts","../src/utils/pkce.ts","../src/utils/jwt.ts","../src/client.ts"],"sourcesContent":["import { z } from 'zod'\r\n\r\n// ============================================================\r\n// OAuth Token Response\r\n// ============================================================\r\n\r\nexport const TokenResponseSchema = z.object({\r\n access_token: z.string(),\r\n token_type: z.string(),\r\n expires_in: z.number(),\r\n refresh_token: z.string(),\r\n scope: z.string(),\r\n id_token: z.string().optional(),\r\n})\r\n\r\nexport type TokenResponseRaw = z.infer<typeof TokenResponseSchema>\r\n\r\n// ============================================================\r\n// OAuth Error Response\r\n// ============================================================\r\n\r\nexport const OAuthErrorSchema = z.object({\r\n error: z.string(),\r\n error_description: z.string().optional(),\r\n})\r\n\r\nexport type OAuthErrorRaw = z.infer<typeof OAuthErrorSchema>\r\n\r\n// ============================================================\r\n// Token Introspection Response (RFC 7662)\r\n// ============================================================\r\n\r\nexport const IntrospectionResponseSchema = z.object({\r\n active: z.boolean(),\r\n scope: z.string().optional(),\r\n client_id: z.string().optional(),\r\n username: z.string().optional(),\r\n token_type: z.string().optional(),\r\n exp: z.number().optional(),\r\n iat: z.number().optional(),\r\n sub: z.string().optional(),\r\n aud: z.string().optional(),\r\n iss: z.string().optional(),\r\n jti: z.string().optional(),\r\n})\r\n\r\nexport type IntrospectionResponseRaw = z.infer<typeof IntrospectionResponseSchema>\r\n\r\n// ============================================================\r\n// OIDC UserInfo Response\r\n// ============================================================\r\n\r\nexport const UserInfoSchema = z.object({\r\n sub: z.string(),\r\n name: z.string().optional(),\r\n preferred_username: z.string().optional(),\r\n picture: z.string().optional(),\r\n email: z.string().optional(),\r\n email_verified: z.boolean().optional(),\r\n updated_at: z.number().optional(),\r\n})\r\n\r\nexport type UserInfoRaw = z.infer<typeof UserInfoSchema>\r\n\r\n// ============================================================\r\n// OIDC Discovery Document\r\n// ============================================================\r\n\r\nexport const DiscoveryDocumentSchema = z.object({\r\n issuer: z.string(),\r\n authorization_endpoint: z.string(),\r\n token_endpoint: z.string(),\r\n userinfo_endpoint: z.string().optional(),\r\n jwks_uri: z.string(),\r\n revocation_endpoint: z.string().optional(),\r\n introspection_endpoint: z.string().optional(),\r\n pushed_authorization_request_endpoint: z.string().optional(),\r\n end_session_endpoint: z.string().optional(),\r\n response_types_supported: z.array(z.string()),\r\n grant_types_supported: z.array(z.string()),\r\n id_token_signing_alg_values_supported: z.array(z.string()),\r\n scopes_supported: z.array(z.string()),\r\n subject_types_supported: z.array(z.string()),\r\n token_endpoint_auth_methods_supported: z.array(z.string()),\r\n code_challenge_methods_supported: z.array(z.string()).optional(),\r\n claims_supported: z.array(z.string()).optional(),\r\n dpop_signing_alg_values_supported: z.array(z.string()).optional(),\r\n request_parameter_supported: z.boolean().optional(),\r\n request_uri_parameter_supported: z.boolean().optional(),\r\n})\r\n\r\nexport type DiscoveryDocumentRaw = z.infer<typeof DiscoveryDocumentSchema>\r\n\r\n// ============================================================\r\n// JWT Access Token Payload (RFC 9068)\r\n// ============================================================\r\n\r\nexport const AccessTokenPayloadSchema = z.object({\r\n iss: z.string(),\r\n sub: z.string(),\r\n aud: z.string(),\r\n scope: z.string(),\r\n ver: z.string(),\r\n iat: z.number(),\r\n exp: z.number(),\r\n jti: z.string(),\r\n cnf: z.object({ jkt: z.string() }).optional(),\r\n})\r\n\r\nexport type AccessTokenPayload = z.infer<typeof AccessTokenPayloadSchema>\r\n\r\n// ============================================================\r\n// JWT ID Token Payload (OIDC Core)\r\n// ============================================================\r\n\r\nexport const IdTokenPayloadSchema = z.object({\r\n iss: z.string(),\r\n sub: z.string(),\r\n aud: z.string(),\r\n iat: z.number(),\r\n exp: z.number(),\r\n nonce: z.string().optional(),\r\n name: z.string().optional(),\r\n preferred_username: z.string().optional(),\r\n email: z.string().optional(),\r\n email_verified: z.boolean().optional(),\r\n updated_at: z.number().optional(),\r\n})\r\n\r\nexport type IdTokenPayload = z.infer<typeof IdTokenPayloadSchema>\r\n","/*\r\n Base error class for the SDK.\r\n /\r\nexport class NyaAccountError extends Error {\r\n readonly code: string\r\n readonly description: string\r\n\r\n constructor(code: string, description: string) {\r\n super(`[${code}] ${description}`)\r\n this.name = 'NyaAccountError'\r\n this.code = code\r\n this.description = description\r\n }\r\n}\r\n\r\n/\r\n OAuth protocol error (from server error / error_description response).\r\n /\r\nexport class OAuthError extends NyaAccountError {\r\n constructor(error: string, errorDescription: string) {\r\n super(error, errorDescription)\r\n this.name = 'OAuthError'\r\n }\r\n}\r\n\r\n/\r\n JWT verification error.\r\n /\r\nexport class TokenVerificationError extends NyaAccountError {\r\n constructor(description: string) {\r\n super('token_verification_failed', description)\r\n this.name = 'TokenVerificationError'\r\n }\r\n}\r\n\r\n/\r\n OIDC Discovery error.\r\n /\r\nexport class DiscoveryError extends NyaAccountError {\r\n constructor(description: string) {\r\n super('discovery_error', description)\r\n this.name = 'DiscoveryError'\r\n }\r\n}\r\n","import { randomBytes, createHash } from 'node:crypto'\r\nimport type { PkcePair } from '@/core/types'\r\n\r\n/\r\n Generate a PKCE code_verifier (43-128 character random string).\r\n /\r\nexport function generateCodeVerifier(): string {\r\n return randomBytes(32).toString('base64url')\r\n}\r\n\r\n/\r\n Generate an S256 code_challenge from a code_verifier.\r\n /\r\nexport function generateCodeChallenge(codeVerifier: string): string {\r\n return createHash('sha256').update(codeVerifier).digest('base64url')\r\n}\r\n\r\n/\r\n Generate a PKCE code_verifier and code_challenge pair.\r\n /\r\nexport function generatePkce(): PkcePair {\r\n const codeVerifier = generateCodeVerifier()\r\n const codeChallenge = generateCodeChallenge(codeVerifier)\r\n return { codeVerifier, codeChallenge }\r\n}\r\n","import { createRemoteJWKSet, jwtVerify, errors as joseErrors } from 'jose'\r\nimport {\r\n AccessTokenPayloadSchema,\r\n IdTokenPayloadSchema,\r\n type AccessTokenPayload,\r\n type IdTokenPayload,\r\n} from '@/core/schemas'\r\nimport { TokenVerificationError } from '@/core/errors'\r\n\r\n/\r\n JWT verifier using remote JWKS for signature verification.\r\n /\r\nexport class JwtVerifier {\r\n private jwks: ReturnType<typeof createRemoteJWKSet>\r\n private issuer: string\r\n private defaultAudience: string\r\n\r\n constructor(jwksUri: string, issuer: string, defaultAudience: string) {\r\n this.jwks = createRemoteJWKSet(new URL(jwksUri))\r\n this.issuer = issuer\r\n this.defaultAudience = defaultAudience\r\n }\r\n\r\n /\r\n Verify an OAuth 2.0 Access Token (JWT, RFC 9068).\r\n /\r\n async verifyAccessToken(token: string, audience?: string): Promise<AccessTokenPayload> {\r\n try {\r\n const { payload } = await jwtVerify(token, this.jwks, {\r\n algorithms: ['RS256'],\r\n issuer: this.issuer,\r\n audience: audience ?? this.defaultAudience,\r\n })\r\n return AccessTokenPayloadSchema.parse(payload)\r\n } catch (error) {\r\n throw this.wrapError(error, 'Access Token')\r\n }\r\n }\r\n\r\n /\r\n Verify an OIDC ID Token.\r\n /\r\n async verifyIdToken(token: string, options?: { audience?: string; nonce?: string }): Promise<IdTokenPayload> {\r\n try {\r\n const { payload } = await jwtVerify(token, this.jwks, {\r\n algorithms: ['RS256'],\r\n issuer: this.issuer,\r\n audience: options?.audience ?? this.defaultAudience,\r\n })\r\n\r\n const parsed = IdTokenPayloadSchema.parse(payload)\r\n\r\n if (options?.nonce !== undefined && parsed.nonce !== options.nonce) {\r\n throw new TokenVerificationError('ID Token nonce mismatch')\r\n }\r\n\r\n return parsed\r\n } catch (error) {\r\n if (error instanceof TokenVerificationError) {\r\n throw error\r\n }\r\n throw this.wrapError(error, 'ID Token')\r\n }\r\n }\r\n\r\n private wrapError(error: unknown, tokenType: string): TokenVerificationError {\r\n if (error instanceof TokenVerificationError) {\r\n return error\r\n }\r\n if (error instanceof joseErrors.JWTExpired) {\r\n return new TokenVerificationError(`${tokenType} has expired`)\r\n }\r\n if (error instanceof joseErrors.JWTClaimValidationFailed) {\r\n return new TokenVerificationError(`${tokenType} claim validation failed: ${error.message}`)\r\n }\r\n if (error instanceof joseErrors.JWSSignatureVerificationFailed) {\r\n return new TokenVerificationError(`${tokenType} signature verification failed`)\r\n }\r\n const message = error instanceof Error ? error.message : 'Unknown error'\r\n return new TokenVerificationError(`${tokenType} verification failed: ${message}`)\r\n }\r\n}\r\n","import axios, { AxiosError, type AxiosInstance } from 'axios'\r\nimport type { Request, Response, NextFunction } from 'express'\r\nimport { randomBytes } from 'node:crypto'\r\nimport {\r\n TokenResponseSchema,\r\n OAuthErrorSchema,\r\n IntrospectionResponseSchema,\r\n UserInfoSchema,\r\n DiscoveryDocumentSchema,\r\n type AccessTokenPayload,\r\n type IdTokenPayload,\r\n} from '@/core/schemas'\r\nimport type {\r\n NyaAccountConfig,\r\n TokenResponse,\r\n UserInfo,\r\n IntrospectionResponse,\r\n DiscoveryDocument,\r\n AuthorizationUrlResult,\r\n CreateAuthorizationUrlOptions,\r\n ExchangeCodeOptions,\r\n AuthenticateOptions,\r\n EndpointConfig,\r\n} from '@/core/types'\r\nimport { OAuthError, DiscoveryError, NyaAccountError } from '@/core/errors'\r\nimport { generateCodeVerifier, generateCodeChallenge } from '@/utils/pkce'\r\nimport { JwtVerifier } from '@/utils/jwt'\r\nimport { setAuth, getAuth, extractBearerToken, sendOAuthError } from '@/middleware/express'\r\n\r\ntype EndpointName = keyof EndpointConfig\r\n\r\nconst DISCOVERY_ENDPOINT_MAP: Record<EndpointName, keyof DiscoveryDocument> = {\r\n authorization: 'authorizationEndpoint',\r\n token: 'tokenEndpoint',\r\n userinfo: 'userinfoEndpoint',\r\n revocation: 'revocationEndpoint',\r\n introspection: 'introspectionEndpoint',\r\n jwks: 'jwksUri',\r\n endSession: 'endSessionEndpoint',\r\n}\r\n\r\n/* Default issuer URL /\r\nconst DEFAULT_ISSUER = 'https://account-api.edge.lolinya.net'\r\n\r\n/* Default discovery cache TTL: 1 hour /\r\nconst DEFAULT_DISCOVERY_CACHE_TTL = 3600000\r\n\r\n/\r\n Nya Account Node.js SDK client.\r\n \r\n Provides full OAuth 2.1 / OIDC flow support:\r\n * - Authorization Code + PKCE\r\n * - Token exchange / refresh / revocation / introspection\r\n * - Local JWT verification (via JWKS)\r\n * - OIDC UserInfo\r\n * - OIDC Discovery auto-discovery\r\n * - Express middleware (Bearer Token auth + scope validation)\r\n \r\n @example\r\n * ```typescript\r\n * const client = new NyaAccountClient({\r\n * issuer: 'https://account.example.com',\r\n * clientId: 'my-app',\r\n * clientSecret: 'my-secret',\r\n * })\r\n \r\n // Create authorization URL (with PKCE)\r\n * const { url, codeVerifier, state } = await client.createAuthorizationUrl({\r\n * redirectUri: 'https://myapp.com/callback',\r\n * scope: 'openid profile email',\r\n * })\r\n \r\n // Exchange code for tokens\r\n * const tokens = await client.exchangeCode({\r\n * code: callbackCode,\r\n * redirectUri: 'https://myapp.com/callback',\r\n * codeVerifier,\r\n * })\r\n \r\n // Get user info\r\n * const userInfo = await client.getUserInfo(tokens.accessToken)\r\n * ```\r\n /\r\ntype ResolvedConfig = NyaAccountConfig & { issuer: string }\r\n\r\nexport class NyaAccountClient {\r\n private httpClient: AxiosInstance\r\n private config: ResolvedConfig\r\n private discoveryCache: DiscoveryDocument \| null = null\r\n private discoveryCacheTimestamp = 0\r\n private readonly discoveryCacheTtl: number\r\n private jwtVerifier: JwtVerifier \| null = null\r\n\r\n constructor(config: NyaAccountConfig) {\r\n this.config = {\r\n ...config,\r\n issuer: config.issuer ?? DEFAULT_ISSUER,\r\n }\r\n this.discoveryCacheTtl = config.discoveryCacheTtl ?? DEFAULT_DISCOVERY_CACHE_TTL\r\n this.httpClient = axios.create({\r\n timeout: config.timeout ?? 10000,\r\n })\r\n }\r\n\r\n // ============================================================\r\n // OIDC Discovery\r\n // ============================================================\r\n\r\n /\r\n Fetch the OIDC Discovery document. Results are cached with a configurable TTL.\r\n /\r\n async discover(): Promise<DiscoveryDocument> {\r\n if (this.discoveryCache && Date.now() - this.discoveryCacheTimestamp < this.discoveryCacheTtl) {\r\n return this.discoveryCache\r\n }\r\n\r\n try {\r\n const url = `${this.config.issuer}/.well-known/openid-configuration`\r\n const response = await this.httpClient.get(url)\r\n const raw = DiscoveryDocumentSchema.parse(response.data)\r\n\r\n this.discoveryCache = {\r\n issuer: raw.issuer,\r\n authorizationEndpoint: raw.authorization_endpoint,\r\n tokenEndpoint: raw.token_endpoint,\r\n userinfoEndpoint: raw.userinfo_endpoint,\r\n jwksUri: raw.jwks_uri,\r\n revocationEndpoint: raw.revocation_endpoint,\r\n introspectionEndpoint: raw.introspection_endpoint,\r\n pushedAuthorizationRequestEndpoint: raw.pushed_authorization_request_endpoint,\r\n endSessionEndpoint: raw.end_session_endpoint,\r\n responseTypesSupported: raw.response_types_supported,\r\n grantTypesSupported: raw.grant_types_supported,\r\n idTokenSigningAlgValuesSupported: raw.id_token_signing_alg_values_supported,\r\n scopesSupported: raw.scopes_supported,\r\n subjectTypesSupported: raw.subject_types_supported,\r\n tokenEndpointAuthMethodsSupported: raw.token_endpoint_auth_methods_supported,\r\n codeChallengeMethodsSupported: raw.code_challenge_methods_supported,\r\n claimsSupported: raw.claims_supported,\r\n }\r\n this.discoveryCacheTimestamp = Date.now()\r\n\r\n return this.discoveryCache\r\n } catch (error) {\r\n if (error instanceof DiscoveryError) throw error\r\n const message = error instanceof Error ? error.message : 'Unknown error'\r\n throw new DiscoveryError(`Failed to fetch OIDC Discovery document: ${message}`)\r\n }\r\n }\r\n\r\n /\r\n Clear the cached Discovery document and JWT verifier, forcing a re-fetch on next use.\r\n /\r\n clearCache(): void {\r\n this.discoveryCache = null\r\n this.discoveryCacheTimestamp = 0\r\n this.jwtVerifier = null\r\n }\r\n\r\n // ============================================================\r\n // Authorization URL\r\n // ============================================================\r\n\r\n /\r\n Create an OAuth authorization URL (automatically includes PKCE).\r\n \r\n The returned `codeVerifier` and `state` must be saved to the session\r\n * for later use in token exchange and CSRF validation.\r\n /\r\n async createAuthorizationUrl(options: CreateAuthorizationUrlOptions): Promise<AuthorizationUrlResult> {\r\n const authorizationEndpoint = await this.resolveEndpoint('authorization')\r\n\r\n const codeVerifier = generateCodeVerifier()\r\n const codeChallenge = generateCodeChallenge(codeVerifier)\r\n const state = options.state ?? randomBytes(16).toString('base64url')\r\n\r\n const params = new URLSearchParams({\r\n client_id: this.config.clientId,\r\n redirect_uri: options.redirectUri,\r\n response_type: 'code',\r\n scope: options.scope ?? 'openid',\r\n state,\r\n code_challenge: codeChallenge,\r\n code_challenge_method: 'S256',\r\n })\r\n\r\n if (options.nonce) {\r\n params.set('nonce', options.nonce)\r\n }\r\n\r\n return {\r\n url: `${authorizationEndpoint}?${params.toString()}`,\r\n codeVerifier,\r\n state,\r\n }\r\n }\r\n\r\n // ============================================================\r\n // Token Operations\r\n // ============================================================\r\n\r\n /\r\n Exchange an authorization code for tokens (Authorization Code Grant).\r\n /\r\n async exchangeCode(options: ExchangeCodeOptions): Promise<TokenResponse> {\r\n const tokenEndpoint = await this.resolveEndpoint('token')\r\n\r\n try {\r\n const response = await this.httpClient.post(tokenEndpoint, {\r\n grant_type: 'authorization_code',\r\n code: options.code,\r\n redirect_uri: options.redirectUri,\r\n client_id: this.config.clientId,\r\n client_secret: this.config.clientSecret,\r\n code_verifier: options.codeVerifier,\r\n })\r\n\r\n return this.mapTokenResponse(response.data)\r\n } catch (error) {\r\n throw this.handleTokenError(error)\r\n }\r\n }\r\n\r\n /\r\n Refresh an Access Token using a Refresh Token.\r\n /\r\n async refreshToken(refreshToken: string): Promise<TokenResponse> {\r\n const tokenEndpoint = await this.resolveEndpoint('token')\r\n\r\n try {\r\n const response = await this.httpClient.post(tokenEndpoint, {\r\n grant_type: 'refresh_token',\r\n refresh_token: refreshToken,\r\n client_id: this.config.clientId,\r\n client_secret: this.config.clientSecret,\r\n })\r\n\r\n return this.mapTokenResponse(response.data)\r\n } catch (error) {\r\n throw this.handleTokenError(error)\r\n }\r\n }\r\n\r\n /\r\n Revoke a token (RFC 7009).\r\n \r\n Supports revoking Access Tokens or Refresh Tokens.\r\n * Revoking a Refresh Token also revokes its entire token family.\r\n /\r\n async revokeToken(token: string): Promise<void> {\r\n const revocationEndpoint = await this.resolveEndpoint('revocation')\r\n\r\n try {\r\n await this.httpClient.post(revocationEndpoint, {\r\n token,\r\n client_id: this.config.clientId,\r\n client_secret: this.config.clientSecret,\r\n })\r\n } catch {\r\n // RFC 7009: revocation endpoint always returns 200, ignore errors\r\n }\r\n }\r\n\r\n /\r\n Token introspection (RFC 7662).\r\n \r\n Query the server for the current state of a token (active status, associated user info, etc.).\r\n /\r\n async introspectToken(token: string): Promise<IntrospectionResponse> {\r\n const introspectionEndpoint = await this.resolveEndpoint('introspection')\r\n\r\n try {\r\n const response = await this.httpClient.post(introspectionEndpoint, {\r\n token,\r\n client_id: this.config.clientId,\r\n client_secret: this.config.clientSecret,\r\n })\r\n\r\n const raw = IntrospectionResponseSchema.parse(response.data)\r\n return {\r\n active: raw.active,\r\n scope: raw.scope,\r\n clientId: raw.client_id,\r\n username: raw.username,\r\n tokenType: raw.token_type,\r\n exp: raw.exp,\r\n iat: raw.iat,\r\n sub: raw.sub,\r\n aud: raw.aud,\r\n iss: raw.iss,\r\n jti: raw.jti,\r\n }\r\n } catch (error) {\r\n throw this.handleTokenError(error)\r\n }\r\n }\r\n\r\n // ============================================================\r\n // OIDC UserInfo\r\n // ============================================================\r\n\r\n /\r\n Get user info using an Access Token (OIDC UserInfo Endpoint).\r\n \r\n The returned fields depend on the scopes included in the token:\r\n * - `profile`: name, preferredUsername, picture, updatedAt\r\n * - `email`: email, emailVerified\r\n /\r\n async getUserInfo(accessToken: string): Promise<UserInfo> {\r\n const userinfoEndpoint = await this.resolveEndpoint('userinfo')\r\n\r\n try {\r\n const response = await this.httpClient.get(userinfoEndpoint, {\r\n headers: { Authorization: `Bearer ${accessToken}` },\r\n })\r\n\r\n const raw = UserInfoSchema.parse(response.data)\r\n return {\r\n sub: raw.sub,\r\n name: raw.name,\r\n preferredUsername: raw.preferred_username,\r\n picture: raw.picture,\r\n email: raw.email,\r\n emailVerified: raw.email_verified,\r\n updatedAt: raw.updated_at,\r\n }\r\n } catch (error) {\r\n throw this.handleTokenError(error)\r\n }\r\n }\r\n\r\n // ============================================================\r\n // Local JWT Verification\r\n // ============================================================\r\n\r\n /\r\n Locally verify a JWT Access Token (RFC 9068).\r\n \r\n Uses remote JWKS for signature verification, and validates issuer, audience, expiry, etc.\r\n \r\n @param token JWT Access Token string\r\n * @param options.audience Custom audience validation value (defaults to clientId)\r\n /\r\n async verifyAccessToken(token: string, options?: { audience?: string }): Promise<AccessTokenPayload> {\r\n const verifier = await this.getJwtVerifier()\r\n return verifier.verifyAccessToken(token, options?.audience)\r\n }\r\n\r\n /\r\n Locally verify an OIDC ID Token.\r\n \r\n @param token JWT ID Token string\r\n * @param options.audience Custom audience validation value (defaults to clientId)\r\n * @param options.nonce Validate the nonce claim (required if nonce was sent during authorization)\r\n /\r\n async verifyIdToken(token: string, options?: { audience?: string; nonce?: string }): Promise<IdTokenPayload> {\r\n const verifier = await this.getJwtVerifier()\r\n return verifier.verifyIdToken(token, options)\r\n }\r\n\r\n // ============================================================\r\n // Express Middleware\r\n // ============================================================\r\n\r\n /\r\n Express middleware: verify the Bearer Token in the request.\r\n \r\n After successful verification, use `getAuth(req)` to retrieve the token payload.\r\n \r\n @param options.strategy Verification strategy: 'local' (default, JWT local verification) or 'introspection' (remote introspection)\r\n \r\n @example\r\n * ```typescript\r\n * import { getAuth } from '@nya-account/node-sdk/express'\r\n \r\n app.use('/api', client.authenticate())\r\n \r\n app.get('/api/me', (req, res) => {\r\n * const auth = getAuth(req)\r\n * res.json({ userId: auth?.sub })\r\n * })\r\n * ```\r\n /\r\n authenticate(options?: AuthenticateOptions): (req: Request, res: Response, next: NextFunction) => void {\r\n const strategy = options?.strategy ?? 'local'\r\n\r\n return (req: Request, res: Response, next: NextFunction) => {\r\n const token = extractBearerToken(req)\r\n if (!token) {\r\n sendOAuthError(res, 401, 'invalid_token', 'Missing Bearer token in Authorization header')\r\n return\r\n }\r\n\r\n const handleVerification = async (): Promise<void> => {\r\n let payload: AccessTokenPayload\r\n\r\n if (strategy === 'introspection') {\r\n const introspection = await this.introspectToken(token)\r\n if (!introspection.active) {\r\n sendOAuthError(res, 401, 'invalid_token', 'Token is not active')\r\n return\r\n }\r\n payload = {\r\n iss: introspection.iss ?? '',\r\n sub: introspection.sub ?? '',\r\n aud: introspection.aud ?? '',\r\n scope: introspection.scope ?? '',\r\n ver: '1',\r\n iat: introspection.iat ?? 0,\r\n exp: introspection.exp ?? 0,\r\n jti: introspection.jti ?? '',\r\n }\r\n } else {\r\n payload = await this.verifyAccessToken(token)\r\n }\r\n\r\n setAuth(req, payload)\r\n next()\r\n }\r\n\r\n handleVerification().catch(() => {\r\n sendOAuthError(res, 401, 'invalid_token', 'Invalid or expired access token')\r\n })\r\n }\r\n }\r\n\r\n /\r\n Express middleware: validate that the token in the request contains the specified scopes.\r\n \r\n Must be used after the `authenticate()` middleware.\r\n \r\n @example\r\n * ```typescript\r\n * app.get('/api/profile',\r\n * client.authenticate(),\r\n * client.requireScopes('profile'),\r\n * (req, res) => { ... }\r\n * )\r\n * ```\r\n */\r\n requireScopes(...scopes: string[]): (req: Request, res: Response, next: NextFunction) => void {\r\n return (req: Request, res: Response, next: NextFunction) => {\r\n const auth = getAuth(req)\r\n if (!auth) {\r\n sendOAuthError(res, 401, 'invalid_token', 'Request not authenticated')\r\n return\r\n }\r\n\r\n const tokenScopes = auth.scope.split(' ')\r\n const missingScopes = scopes.filter(s => !tokenScopes.includes(s))\r\n\r\n if (missingScopes.length > 0) {\r\n sendOAuthError(res, 403, 'insufficient_scope', `Missing required scopes: ${missingScopes.join(' ')}`)\r\n return\r\n }\r\n\r\n next()\r\n }\r\n }\r\n\r\n // ============================================================\r\n // Private Methods\r\n // ============================================================\r\n\r\n private async resolveEndpoint(name: EndpointName): Promise<string> {\r\n const explicit = this.config.endpoints?.[name]\r\n if (explicit) {\r\n return explicit\r\n }\r\n\r\n const discovery = await this.discover()\r\n const discoveryKey = DISCOVERY_ENDPOINT_MAP[name]\r\n const endpoint = discovery[discoveryKey]\r\n\r\n if (!endpoint \|\| typeof endpoint !== 'string') {\r\n throw new NyaAccountError(\r\n 'endpoint_not_found',\r\n `Endpoint '${name}' not found in Discovery document`,\r\n )\r\n }\r\n\r\n return endpoint\r\n }\r\n\r\n private async getJwtVerifier(): Promise<JwtVerifier> {\r\n if (this.jwtVerifier) {\r\n return this.jwtVerifier\r\n }\r\n\r\n const jwksUri = await this.resolveEndpoint('jwks')\r\n const discovery = await this.discover()\r\n\r\n this.jwtVerifier = new JwtVerifier(jwksUri, discovery.issuer, this.config.clientId)\r\n return this.jwtVerifier\r\n }\r\n\r\n private mapTokenResponse(data: unknown): TokenResponse {\r\n const raw = TokenResponseSchema.parse(data)\r\n return {\r\n accessToken: raw.access_token,\r\n tokenType: raw.token_type,\r\n expiresIn: raw.expires_in,\r\n refreshToken: raw.refresh_token,\r\n scope: raw.scope,\r\n idToken: raw.id_token,\r\n }\r\n }\r\n\r\n private handleTokenError(error: unknown): NyaAccountError {\r\n if (error instanceof NyaAccountError) {\r\n return error\r\n }\r\n\r\n if (error instanceof AxiosError && error.response) {\r\n const parsed = OAuthErrorSchema.safeParse(error.response.data)\r\n if (parsed.success) {\r\n return new OAuthError(\r\n parsed.data.error,\r\n parsed.data.error_description ?? 'Unknown error',\r\n )\r\n }\r\n }\r\n\r\n const message = error instanceof Error ? error.message : 'Unknown error'\r\n return new NyaAccountError('request_failed', `Request failed: ${message}`)\r\n }\r\n}\r\n"],"mappings":";;;;;;;AAMA,MAAa,sBAAsB,EAAE,OAAO;CACxC,cAAc,EAAE,QAAQ;CACxB,YAAY,EAAE,QAAQ;CACtB,YAAY,EAAE,QAAQ;CACtB,eAAe,EAAE,QAAQ;CACzB,OAAO,EAAE,QAAQ;CACjB,UAAU,EAAE,QAAQ,CAAC,UAAU;AAClC,EAAC;AAQF,MAAa,mBAAmB,EAAE,OAAO;CACrC,OAAO,EAAE,QAAQ;CACjB,mBAAmB,EAAE,QAAQ,CAAC,UAAU;AAC3C,EAAC;AAQF,MAAa,8BAA8B,EAAE,OAAO;CAChD,QAAQ,EAAE,SAAS;CACnB,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,WAAW,EAAE,QAAQ,CAAC,UAAU;CAChC,UAAU,EAAE,QAAQ,CAAC,UAAU;CAC/B,YAAY,EAAE,QAAQ,CAAC,UAAU;CACjC,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,KAAK,EAAE,QAAQ,CAAC,UAAU;AAC7B,EAAC;AAQF,MAAa,iBAAiB,EAAE,OAAO;CACnC,KAAK,EAAE,QAAQ;CACf,MAAM,EAAE,QAAQ,CAAC,UAAU;CAC3B,oBAAoB,EAAE,QAAQ,CAAC,UAAU;CACzC,SAAS,EAAE,QAAQ,CAAC,UAAU;CAC9B,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,gBAAgB,EAAE,SAAS,CAAC,UAAU;CACtC,YAAY,EAAE,QAAQ,CAAC,UAAU;AACpC,EAAC;AAQF,MAAa,0BAA0B,EAAE,OAAO;CAC5C,QAAQ,EAAE,QAAQ;CAClB,wBAAwB,EAAE,QAAQ;CAClC,gBAAgB,EAAE,QAAQ;CAC1B,mBAAmB,EAAE,QAAQ,CAAC,UAAU;CACxC,UAAU,EAAE,QAAQ;CACpB,qBAAqB,EAAE,QAAQ,CAAC,UAAU;CAC1C,wBAAwB,EAAE,QAAQ,CAAC,UAAU;CAC7C,uCAAuC,EAAE,QAAQ,CAAC,UAAU;CAC5D,sBAAsB,EAAE,QAAQ,CAAC,UAAU;CAC3C,0BAA0B,EAAE,MAAM,EAAE,QAAQ,CAAC;CAC7C,uBAAuB,EAAE,MAAM,EAAE,QAAQ,CAAC;CAC1C,uCAAuC,EAAE,MAAM,EAAE,QAAQ,CAAC;CAC1D,kBAAkB,EAAE,MAAM,EAAE,QAAQ,CAAC;CACrC,yBAAyB,EAAE,MAAM,EAAE,QAAQ,CAAC;CAC5C,uCAAuC,EAAE,MAAM,EAAE,QAAQ,CAAC;CAC1D,kCAAkC,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;CAChE,kBAAkB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;CAChD,mCAAmC,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;CACjE,6BAA6B,EAAE,SAAS,CAAC,UAAU;CACnD,iCAAiC,EAAE,SAAS,CAAC,UAAU;AAC1D,EAAC;AAQF,MAAa,2BAA2B,EAAE,OAAO;CAC7C,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,OAAO,EAAE,QAAQ;CACjB,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAE,EAAC,CAAC,UAAU;AAChD,EAAC;AAQF,MAAa,uBAAuB,EAAE,OAAO;CACzC,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,MAAM,EAAE,QAAQ,CAAC,UAAU;CAC3B,oBAAoB,EAAE,QAAQ,CAAC,UAAU;CACzC,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,gBAAgB,EAAE,SAAS,CAAC,UAAU;CACtC,YAAY,EAAE,QAAQ,CAAC,UAAU;AACpC,EAAC;;;;;;;;;AC5HF,IAAa,kBAAb,cAAqC,MAAM;CAIvC,YAAYA,MAAcC,aAAqB;AAC3C,SAAO,GAAG,KAAK,IAAI,YAAY,EAAE;OAJ5B,YAAA;OACA,mBAAA;AAIL,OAAK,OAAO;AACZ,OAAK,OAAO;AACZ,OAAK,cAAc;CACtB;AACJ;;;;;;AAKD,IAAa,aAAb,cAAgC,gBAAgB;CAC5C,YAAYC,OAAeC,kBAA0B;AACjD,QAAM,OAAO,iBAAiB;AAC9B,OAAK,OAAO;CACf;AACJ;;;;;;AAKD,IAAa,yBAAb,cAA4C,gBAAgB;CACxD,YAAYF,aAAqB;AAC7B,QAAM,6BAA6B,YAAY;AAC/C,OAAK,OAAO;CACf;AACJ;;;;;;AAKD,IAAa,iBAAb,cAAoC,gBAAgB;CAChD,YAAYA,aAAqB;AAC7B,QAAM,mBAAmB,YAAY;AACrC,OAAK,OAAO;CACf;AACJ;;;;;;;;;ACrCD,SAAgB,uBAA+B;AAC3C,QAAO,YAAY,GAAG,CAAC,SAAS,YAAY;AAC/C;;;;;;AAKD,SAAgB,sBAAsBG,cAA8B;AAChE,QAAO,WAAW,SAAS,CAAC,OAAO,aAAa,CAAC,OAAO,YAAY;AACvE;;;;;;AAKD,SAAgB,eAAyB;CACrC,MAAM,eAAe,sBAAsB;CAC3C,MAAM,gBAAgB,sBAAsB,aAAa;AACzD,QAAO;EAAE;EAAc;CAAe;AACzC;;;;;;;;;ACZD,IAAa,cAAb,MAAyB;CAKrB,YAAYC,SAAiBC,QAAgBC,iBAAyB;OAJ9D,YAAA;OACA,cAAA;OACA,uBAAA;AAGJ,OAAK,OAAO,mBAAmB,IAAI,IAAI,SAAS;AAChD,OAAK,SAAS;AACd,OAAK,kBAAkB;CAC1B;;;;;;CAKD,MAAM,kBAAkBC,OAAeC,UAAgD;AACnF,MAAI;GACA,MAAM,EAAE,SAAS,GAAG,MAAM,UAAU,OAAO,KAAK,MAAM;IAClD,YAAY,CAAC,OAAQ;IACrB,QAAQ,KAAK;IACb,UAAU,YAAY,KAAK;GAC9B,EAAC;AACF,UAAO,yBAAyB,MAAM,QAAQ;EACjD,SAAQ,OAAO;AACZ,SAAM,KAAK,UAAU,OAAO,eAAe;EAC9C;CACJ;;;;;;CAKD,MAAM,cAAcD,OAAeE,SAA0E;AACzG,MAAI;GACA,MAAM,EAAE,SAAS,GAAG,MAAM,UAAU,OAAO,KAAK,MAAM;IAClD,YAAY,CAAC,OAAQ;IACrB,QAAQ,KAAK;IACb,UAAU,SAAS,YAAY,KAAK;GACvC,EAAC;GAEF,MAAM,SAAS,qBAAqB,MAAM,QAAQ;AAElD,OAAI,SAAS,oBAAuB,OAAO,UAAU,QAAQ,MACzD,OAAM,IAAI,uBAAuB;AAGrC,UAAO;EACV,SAAQ,OAAO;AACZ,OAAI,iBAAiB,uBACjB,OAAM;AAEV,SAAM,KAAK,UAAU,OAAO,WAAW;EAC1C;CACJ;CAED,UAAkBC,OAAgBC,WAA2C;AACzE,MAAI,iBAAiB,uBACjB,QAAO;AAEX,MAAI,iBAAiB,OAAW,WAC5B,QAAO,IAAI,wBAAwB,EAAE,UAAU;AAEnD,MAAI,iBAAiB,OAAW,yBAC5B,QAAO,IAAI,wBAAwB,EAAE,UAAU,4BAA4B,MAAM,QAAQ;AAE7F,MAAI,iBAAiB,OAAW,+BAC5B,QAAO,IAAI,wBAAwB,EAAE,UAAU;EAEnD,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,SAAO,IAAI,wBAAwB,EAAE,UAAU,wBAAwB,QAAQ;CAClF;AACJ;;;;AClDD,MAAMC,yBAAwE;CAC1E,eAAe;CACf,OAAO;CACP,UAAU;CACV,YAAY;CACZ,eAAe;CACf,MAAM;CACN,YAAY;AACf;;AAGD,MAAM,iBAAiB;;AAGvB,MAAM,8BAA8B;AAwCpC,IAAa,mBAAb,MAA8B;CAQ1B,YAAYC,QAA0B;OAP9B,kBAAA;OACA,cAAA;OACA,iBAA2C;OAC3C,0BAA0B;OACjB,yBAAA;OACT,cAAkC;AAGtC,OAAK,SAAS;GACV,GAAG;GACH,QAAQ,OAAO,UAAU;EAC5B;AACD,OAAK,oBAAoB,OAAO,qBAAqB;AACrD,OAAK,aAAa,MAAM,OAAO,EAC3B,SAAS,OAAO,WAAW,IAC9B,EAAC;CACL;;;;;;CASD,MAAM,WAAuC;AACzC,MAAI,KAAK,kBAAkB,KAAK,KAAK,GAAG,KAAK,0BAA0B,KAAK,kBACxE,QAAO,KAAK;AAGhB,MAAI;GACA,MAAM,OAAO,EAAE,KAAK,OAAO,OAAO;GAClC,MAAM,WAAW,MAAM,KAAK,WAAW,IAAI,IAAI;GAC/C,MAAM,MAAM,wBAAwB,MAAM,SAAS,KAAK;AAExD,QAAK,iBAAiB;IAClB,QAAQ,IAAI;IACZ,uBAAuB,IAAI;IAC3B,eAAe,IAAI;IACnB,kBAAkB,IAAI;IACtB,SAAS,IAAI;IACb,oBAAoB,IAAI;IACxB,uBAAuB,IAAI;IAC3B,oCAAoC,IAAI;IACxC,oBAAoB,IAAI;IACxB,wBAAwB,IAAI;IAC5B,qBAAqB,IAAI;IACzB,kCAAkC,IAAI;IACtC,iBAAiB,IAAI;IACrB,uBAAuB,IAAI;IAC3B,mCAAmC,IAAI;IACvC,+BAA+B,IAAI;IACnC,iBAAiB,IAAI;GACxB;AACD,QAAK,0BAA0B,KAAK,KAAK;AAEzC,UAAO,KAAK;EACf,SAAQ,OAAO;AACZ,OAAI,iBAAiB,eAAgB,OAAM;GAC3C,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,SAAM,IAAI,gBAAgB,2CAA2C,QAAQ;EAChF;CACJ;;;;;;CAKD,aAAmB;AACf,OAAK,iBAAiB;AACtB,OAAK,0BAA0B;AAC/B,OAAK,cAAc;CACtB;;;;;;;;;;;;CAYD,MAAM,uBAAuBC,SAAyE;EAClG,MAAM,wBAAwB,MAAM,KAAK,gBAAgB,gBAAgB;EAEzE,MAAM,eAAe,sBAAsB;EAC3C,MAAM,gBAAgB,sBAAsB,aAAa;EACzD,MAAM,QAAQ,QAAQ,SAAS,YAAY,GAAG,CAAC,SAAS,YAAY;EAEpE,MAAM,SAAS,IAAI,gBAAgB;GAC/B,WAAW,KAAK,OAAO;GACvB,cAAc,QAAQ;GACtB,eAAe;GACf,OAAO,QAAQ,SAAS;GACxB;GACA,gBAAgB;GAChB,uBAAuB;EAC1B;AAED,MAAI,QAAQ,MACR,QAAO,IAAI,SAAS,QAAQ,MAAM;AAGtC,SAAO;GACH,MAAM,EAAE,sBAAsB,GAAG,OAAO,UAAU,CAAC;GACnD;GACA;EACH;CACJ;;;;;;CASD,MAAM,aAAaC,SAAsD;EACrE,MAAM,gBAAgB,MAAM,KAAK,gBAAgB,QAAQ;AAEzD,MAAI;GACA,MAAM,WAAW,MAAM,KAAK,WAAW,KAAK,eAAe;IACvD,YAAY;IACZ,MAAM,QAAQ;IACd,cAAc,QAAQ;IACtB,WAAW,KAAK,OAAO;IACvB,eAAe,KAAK,OAAO;IAC3B,eAAe,QAAQ;GAC1B,EAAC;AAEF,UAAO,KAAK,iBAAiB,SAAS,KAAK;EAC9C,SAAQ,OAAO;AACZ,SAAM,KAAK,iBAAiB,MAAM;EACrC;CACJ;;;;;;CAKD,MAAM,aAAaC,cAA8C;EAC7D,MAAM,gBAAgB,MAAM,KAAK,gBAAgB,QAAQ;AAEzD,MAAI;GACA,MAAM,WAAW,MAAM,KAAK,WAAW,KAAK,eAAe;IACvD,YAAY;IACZ,eAAe;IACf,WAAW,KAAK,OAAO;IACvB,eAAe,KAAK,OAAO;GAC9B,EAAC;AAEF,UAAO,KAAK,iBAAiB,SAAS,KAAK;EAC9C,SAAQ,OAAO;AACZ,SAAM,KAAK,iBAAiB,MAAM;EACrC;CACJ;;;;;;;;;;;;CAQD,MAAM,YAAYC,OAA8B;EAC5C,MAAM,qBAAqB,MAAM,KAAK,gBAAgB,aAAa;AAEnE,MAAI;AACA,SAAM,KAAK,WAAW,KAAK,oBAAoB;IAC3C;IACA,WAAW,KAAK,OAAO;IACvB,eAAe,KAAK,OAAO;GAC9B,EAAC;EACL,QAAO,CAEP;CACJ;;;;;;;;;;CAOD,MAAM,gBAAgBA,OAA+C;EACjE,MAAM,wBAAwB,MAAM,KAAK,gBAAgB,gBAAgB;AAEzE,MAAI;GACA,MAAM,WAAW,MAAM,KAAK,WAAW,KAAK,uBAAuB;IAC/D;IACA,WAAW,KAAK,OAAO;IACvB,eAAe,KAAK,OAAO;GAC9B,EAAC;GAEF,MAAM,MAAM,4BAA4B,MAAM,SAAS,KAAK;AAC5D,UAAO;IACH,QAAQ,IAAI;IACZ,OAAO,IAAI;IACX,UAAU,IAAI;IACd,UAAU,IAAI;IACd,WAAW,IAAI;IACf,KAAK,IAAI;IACT,KAAK,IAAI;IACT,KAAK,IAAI;IACT,KAAK,IAAI;IACT,KAAK,IAAI;IACT,KAAK,IAAI;GACZ;EACJ,SAAQ,OAAO;AACZ,SAAM,KAAK,iBAAiB,MAAM;EACrC;CACJ;;;;;;;;;;;;;;CAaD,MAAM,YAAYC,aAAwC;EACtD,MAAM,mBAAmB,MAAM,KAAK,gBAAgB,WAAW;AAE/D,MAAI;GACA,MAAM,WAAW,MAAM,KAAK,WAAW,IAAI,kBAAkB,EACzD,SAAS,EAAE,gBAAgB,SAAS,YAAY,EAAG,EACtD,EAAC;GAEF,MAAM,MAAM,eAAe,MAAM,SAAS,KAAK;AAC/C,UAAO;IACH,KAAK,IAAI;IACT,MAAM,IAAI;IACV,mBAAmB,IAAI;IACvB,SAAS,IAAI;IACb,OAAO,IAAI;IACX,eAAe,IAAI;IACnB,WAAW,IAAI;GAClB;EACJ,SAAQ,OAAO;AACZ,SAAM,KAAK,iBAAiB,MAAM;EACrC;CACJ;;;;;;;;;;;;;;;;CAcD,MAAM,kBAAkBD,OAAeE,SAA8D;EACjG,MAAM,WAAW,MAAM,KAAK,gBAAgB;AAC5C,SAAO,SAAS,kBAAkB,OAAO,SAAS,SAAS;CAC9D;;;;;;;;;;;;;;CASD,MAAM,cAAcF,OAAeG,SAA0E;EACzG,MAAM,WAAW,MAAM,KAAK,gBAAgB;AAC5C,SAAO,SAAS,cAAc,OAAO,QAAQ;CAChD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyBD,aAAaC,SAA0F;EACnG,MAAM,WAAW,SAAS,YAAY;AAEtC,SAAO,CAACC,KAAcC,KAAeC,SAAuB;GACxD,MAAM,QAAQ,mBAAmB,IAAI;AACrC,QAAK,OAAO;AACR,mBAAe,KAAK,KAAK,iBAAiB,+CAA+C;AACzF;GACH;GAED,MAAM,qBAAqB,YAA2B;IAClD,IAAIC;AAEJ,QAAI,aAAa,iBAAiB;KAC9B,MAAM,gBAAgB,MAAM,KAAK,gBAAgB,MAAM;AACvD,UAAK,cAAc,QAAQ;AACvB,qBAAe,KAAK,KAAK,iBAAiB,sBAAsB;AAChE;KACH;AACD,eAAU;MACN,KAAK,cAAc,OAAO;MAC1B,KAAK,cAAc,OAAO;MAC1B,KAAK,cAAc,OAAO;MAC1B,OAAO,cAAc,SAAS;MAC9B,KAAK;MACL,KAAK,cAAc,OAAO;MAC1B,KAAK,cAAc,OAAO;MAC1B,KAAK,cAAc,OAAO;KAC7B;IACJ,MACG,WAAU,MAAM,KAAK,kBAAkB,MAAM;AAGjD,YAAQ,KAAK,QAAQ;AACrB,UAAM;GACT;AAED,uBAAoB,CAAC,MAAM,MAAM;AAC7B,mBAAe,KAAK,KAAK,iBAAiB,kCAAkC;GAC/E,EAAC;EACL;CACJ;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgBD,cAAc,GAAG,QAA6E;AAC1F,SAAO,CAACH,KAAcC,KAAeC,SAAuB;GACxD,MAAM,OAAO,QAAQ,IAAI;AACzB,QAAK,MAAM;AACP,mBAAe,KAAK,KAAK,iBAAiB,4BAA4B;AACtE;GACH;GAED,MAAM,cAAc,KAAK,MAAM,MAAM,IAAI;GACzC,MAAM,gBAAgB,OAAO,OAAO,CAAA,OAAM,YAAY,SAAS,EAAE,CAAC;AAElE,OAAI,cAAc,SAAS,GAAG;AAC1B,mBAAe,KAAK,KAAK,uBAAuB,2BAA2B,cAAc,KAAK,IAAI,CAAC,EAAE;AACrG;GACH;AAED,SAAM;EACT;CACJ;CAMD,MAAc,gBAAgBE,MAAqC;EAC/D,MAAM,WAAW,KAAK,OAAO,YAAY;AACzC,MAAI,SACA,QAAO;EAGX,MAAM,YAAY,MAAM,KAAK,UAAU;EACvC,MAAM,eAAe,uBAAuB;EAC5C,MAAM,WAAW,UAAU;AAE3B,OAAK,mBAAmB,aAAa,SACjC,OAAM,IAAI,gBACN,uBACC,YAAY,KAAK;AAI1B,SAAO;CACV;CAED,MAAc,iBAAuC;AACjD,MAAI,KAAK,YACL,QAAO,KAAK;EAGhB,MAAM,UAAU,MAAM,KAAK,gBAAgB,OAAO;EAClD,MAAM,YAAY,MAAM,KAAK,UAAU;AAEvC,OAAK,cAAc,IAAI,YAAY,SAAS,UAAU,QAAQ,KAAK,OAAO;AAC1E,SAAO,KAAK;CACf;CAED,iBAAyBC,MAA8B;EACnD,MAAM,MAAM,oBAAoB,MAAM,KAAK;AAC3C,SAAO;GACH,aAAa,IAAI;GACjB,WAAW,IAAI;GACf,WAAW,IAAI;GACf,cAAc,IAAI;GAClB,OAAO,IAAI;GACX,SAAS,IAAI;EAChB;CACJ;CAED,iBAAyBC,OAAiC;AACtD,MAAI,iBAAiB,gBACjB,QAAO;AAGX,MAAI,iBAAiB,cAAc,MAAM,UAAU;GAC/C,MAAM,SAAS,iBAAiB,UAAU,MAAM,SAAS,KAAK;AAC9D,OAAI,OAAO,QACP,QAAO,IAAI,WACP,OAAO,KAAK,OACZ,OAAO,KAAK,qBAAqB;EAG5C;EAED,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,SAAO,IAAI,gBAAgB,mBAAmB,kBAAkB,QAAQ;CAC3E;AACJ"}
1	+ {"version":3,"file":"index.js","names":["code: string","description: string","error: string","errorDescription: string","codeVerifier: string","jwksUri: string","issuer: string","defaultAudience: string","token: string","audience?: string","options?: { audience?: string; nonce?: string }","error: unknown","tokenType: string","DISCOVERY_ENDPOINT_MAP: Record<EndpointName, keyof DiscoveryDocument>","config: NyaAccountConfig","options: CreateAuthorizationUrlOptions","options: PushAuthorizationRequestOptions","payload: Record<string, string>","options?: CreateEndSessionUrlOptions","options: ExchangeCodeOptions","refreshToken: string","token: string","options?: { tokenTypeHint?: 'access_token' \| 'refresh_token' }","accessToken: string","options?: { audience?: string }","options?: { audience?: string; nonce?: string }","options?: AuthenticateOptions","req: Request","res: Response","next: NextFunction","payload: AccessTokenPayload","name: EndpointName","data: unknown","error: unknown"],"sources":["../src/core/schemas.ts","../src/core/errors.ts","../src/utils/pkce.ts","../src/utils/jwt.ts","../src/client.ts"],"sourcesContent":["import { z } from 'zod'\n\nexport const TokenTypeHintSchema = z.enum(['access_token', 'refresh_token'])\n\n// ============================================================\n// OAuth Token Response\n// ============================================================\n\nexport const TokenResponseSchema = z.object({\n access_token: z.string(),\n token_type: z.string(),\n expires_in: z.number(),\n refresh_token: z.string(),\n scope: z.string(),\n id_token: z.string().optional()\n})\n\nexport type TokenResponseRaw = z.infer<typeof TokenResponseSchema>\n\n// ============================================================\n// OAuth Error Response\n// ============================================================\n\nexport const OAuthErrorSchema = z.object({\n error: z.string(),\n error_description: z.string().optional()\n})\n\nexport type OAuthErrorRaw = z.infer<typeof OAuthErrorSchema>\n\n// ============================================================\n// Token Introspection Response (RFC 7662)\n// ============================================================\n\nexport const IntrospectionResponseSchema = z.object({\n active: z.boolean(),\n scope: z.string().optional(),\n client_id: z.string().optional(),\n username: z.string().optional(),\n token_type: z.string().optional(),\n exp: z.number().optional(),\n iat: z.number().optional(),\n sub: z.string().optional(),\n aud: z.string().optional(),\n iss: z.string().optional(),\n jti: z.string().optional(),\n sid: z.string().optional(),\n sv: z.number().optional()\n})\n\nexport type IntrospectionResponseRaw = z.infer<typeof IntrospectionResponseSchema>\n\n// ============================================================\n// OIDC UserInfo Response\n// ============================================================\n\nexport const UserInfoSchema = z.object({\n sub: z.string(),\n name: z.string().optional(),\n picture: z.string().optional(),\n email: z.string().optional(),\n email_verified: z.boolean().optional(),\n updated_at: z.number().optional()\n})\n\nexport type UserInfoRaw = z.infer<typeof UserInfoSchema>\n\n// ============================================================\n// OIDC Discovery Document\n// ============================================================\n\nexport const DiscoveryDocumentSchema = z.object({\n issuer: z.string(),\n authorization_endpoint: z.string(),\n token_endpoint: z.string(),\n userinfo_endpoint: z.string().optional(),\n jwks_uri: z.string(),\n revocation_endpoint: z.string().optional(),\n introspection_endpoint: z.string().optional(),\n pushed_authorization_request_endpoint: z.string().optional(),\n end_session_endpoint: z.string().optional(),\n response_types_supported: z.array(z.string()),\n grant_types_supported: z.array(z.string()),\n id_token_signing_alg_values_supported: z.array(z.string()),\n scopes_supported: z.array(z.string()),\n subject_types_supported: z.array(z.string()),\n token_endpoint_auth_methods_supported: z.array(z.string()),\n code_challenge_methods_supported: z.array(z.string()).optional(),\n claims_supported: z.array(z.string()).optional(),\n dpop_signing_alg_values_supported: z.array(z.string()).optional(),\n request_parameter_supported: z.boolean().optional(),\n request_uri_parameter_supported: z.boolean().optional()\n})\n\nexport type DiscoveryDocumentRaw = z.infer<typeof DiscoveryDocumentSchema>\n\nexport const PushedAuthorizationResponseSchema = z.object({\n request_uri: z.string().min(1),\n expires_in: z.number().int().positive()\n})\n\nexport type PushedAuthorizationResponseRaw = z.infer<\n typeof PushedAuthorizationResponseSchema\n>\n\n// ============================================================\n// JWT Access Token Payload (RFC 9068)\n// ============================================================\n\nexport const AccessTokenPayloadSchema = z.object({\n iss: z.string(),\n sub: z.string(),\n aud: z.string(),\n scope: z.string(),\n ver: z.string(),\n sid: z.string(),\n sv: z.number().int().nonnegative(),\n iat: z.number(),\n exp: z.number(),\n jti: z.string(),\n cnf: z.object({ jkt: z.string() }).optional()\n})\n\nexport type AccessTokenPayload = z.infer<typeof AccessTokenPayloadSchema>\n\n// ============================================================\n// JWT ID Token Payload (OIDC Core)\n// ============================================================\n\nexport const IdTokenPayloadSchema = z.object({\n iss: z.string(),\n sub: z.string(),\n aud: z.string(),\n sid: z.string().optional(),\n iat: z.number(),\n exp: z.number(),\n nonce: z.string().optional(),\n name: z.string().optional(),\n email: z.string().optional(),\n email_verified: z.boolean().optional(),\n updated_at: z.number().optional()\n})\n\nexport type IdTokenPayload = z.infer<typeof IdTokenPayloadSchema>\n","/*\r\n Base error class for the SDK.\r\n /\r\nexport class NyaAccountError extends Error {\r\n readonly code: string\r\n readonly description: string\r\n\r\n constructor(code: string, description: string) {\r\n super(`[${code}] ${description}`)\r\n this.name = 'NyaAccountError'\r\n this.code = code\r\n this.description = description\r\n }\r\n}\r\n\r\n/\r\n OAuth protocol error (from server error / error_description response).\r\n /\r\nexport class OAuthError extends NyaAccountError {\r\n constructor(error: string, errorDescription: string) {\r\n super(error, errorDescription)\r\n this.name = 'OAuthError'\r\n }\r\n}\r\n\r\n/\r\n JWT verification error.\r\n /\r\nexport class TokenVerificationError extends NyaAccountError {\r\n constructor(description: string) {\r\n super('token_verification_failed', description)\r\n this.name = 'TokenVerificationError'\r\n }\r\n}\r\n\r\n/\r\n OIDC Discovery error.\r\n /\r\nexport class DiscoveryError extends NyaAccountError {\r\n constructor(description: string) {\r\n super('discovery_error', description)\r\n this.name = 'DiscoveryError'\r\n }\r\n}\r\n","import { randomBytes, createHash } from 'node:crypto'\r\nimport type { PkcePair } from '@/core/types'\r\n\r\n/\r\n Generate a PKCE code_verifier (43-128 character random string).\r\n /\r\nexport function generateCodeVerifier(): string {\r\n return randomBytes(32).toString('base64url')\r\n}\r\n\r\n/\r\n Generate an S256 code_challenge from a code_verifier.\r\n /\r\nexport function generateCodeChallenge(codeVerifier: string): string {\r\n return createHash('sha256').update(codeVerifier).digest('base64url')\r\n}\r\n\r\n/\r\n Generate a PKCE code_verifier and code_challenge pair.\r\n /\r\nexport function generatePkce(): PkcePair {\r\n const codeVerifier = generateCodeVerifier()\r\n const codeChallenge = generateCodeChallenge(codeVerifier)\r\n return { codeVerifier, codeChallenge }\r\n}\r\n","import { createRemoteJWKSet, jwtVerify, errors as joseErrors } from 'jose'\r\nimport {\r\n AccessTokenPayloadSchema,\r\n IdTokenPayloadSchema,\r\n type AccessTokenPayload,\r\n type IdTokenPayload,\r\n} from '@/core/schemas'\r\nimport { TokenVerificationError } from '@/core/errors'\r\n\r\n/\r\n JWT verifier using remote JWKS for signature verification.\r\n /\r\nexport class JwtVerifier {\r\n private jwks: ReturnType<typeof createRemoteJWKSet>\r\n private issuer: string\r\n private defaultAudience: string\r\n\r\n constructor(jwksUri: string, issuer: string, defaultAudience: string) {\r\n this.jwks = createRemoteJWKSet(new URL(jwksUri))\r\n this.issuer = issuer\r\n this.defaultAudience = defaultAudience\r\n }\r\n\r\n /\r\n Verify an OAuth 2.0 Access Token (JWT, RFC 9068).\r\n /\r\n async verifyAccessToken(token: string, audience?: string): Promise<AccessTokenPayload> {\r\n try {\r\n const { payload } = await jwtVerify(token, this.jwks, {\r\n algorithms: ['RS256'],\r\n issuer: this.issuer,\r\n audience: audience ?? this.defaultAudience,\r\n })\r\n return AccessTokenPayloadSchema.parse(payload)\r\n } catch (error) {\r\n throw this.wrapError(error, 'Access Token')\r\n }\r\n }\r\n\r\n /\r\n Verify an OIDC ID Token.\r\n /\r\n async verifyIdToken(token: string, options?: { audience?: string; nonce?: string }): Promise<IdTokenPayload> {\r\n try {\r\n const { payload } = await jwtVerify(token, this.jwks, {\r\n algorithms: ['RS256'],\r\n issuer: this.issuer,\r\n audience: options?.audience ?? this.defaultAudience,\r\n })\r\n\r\n const parsed = IdTokenPayloadSchema.parse(payload)\r\n\r\n if (options?.nonce !== undefined && parsed.nonce !== options.nonce) {\r\n throw new TokenVerificationError('ID Token nonce mismatch')\r\n }\r\n\r\n return parsed\r\n } catch (error) {\r\n if (error instanceof TokenVerificationError) {\r\n throw error\r\n }\r\n throw this.wrapError(error, 'ID Token')\r\n }\r\n }\r\n\r\n private wrapError(error: unknown, tokenType: string): TokenVerificationError {\r\n if (error instanceof TokenVerificationError) {\r\n return error\r\n }\r\n if (error instanceof joseErrors.JWTExpired) {\r\n return new TokenVerificationError(`${tokenType} has expired`)\r\n }\r\n if (error instanceof joseErrors.JWTClaimValidationFailed) {\r\n return new TokenVerificationError(`${tokenType} claim validation failed: ${error.message}`)\r\n }\r\n if (error instanceof joseErrors.JWSSignatureVerificationFailed) {\r\n return new TokenVerificationError(`${tokenType} signature verification failed`)\r\n }\r\n const message = error instanceof Error ? error.message : 'Unknown error'\r\n return new TokenVerificationError(`${tokenType} verification failed: ${message}`)\r\n }\r\n}\r\n","import axios, { AxiosError, type AxiosInstance } from 'axios'\nimport type { Request, Response, NextFunction } from 'express'\nimport { randomBytes } from 'node:crypto'\nimport {\n TokenResponseSchema,\n OAuthErrorSchema,\n IntrospectionResponseSchema,\n UserInfoSchema,\n DiscoveryDocumentSchema,\n PushedAuthorizationResponseSchema,\n TokenTypeHintSchema,\n type AccessTokenPayload,\n type IdTokenPayload\n} from '@/core/schemas'\nimport type {\n NyaAccountConfig,\n TokenResponse,\n UserInfo,\n IntrospectionResponse,\n DiscoveryDocument,\n AuthorizationUrlResult,\n CreateAuthorizationUrlOptions,\n PushAuthorizationRequestOptions,\n PushAuthorizationRequestResult,\n CreateEndSessionUrlOptions,\n ExchangeCodeOptions,\n AuthenticateOptions,\n EndpointConfig\n} from '@/core/types'\nimport { OAuthError, DiscoveryError, NyaAccountError } from '@/core/errors'\nimport { generateCodeVerifier, generateCodeChallenge } from '@/utils/pkce'\nimport { JwtVerifier } from '@/utils/jwt'\nimport {\n setAuth,\n getAuth,\n extractBearerToken,\n sendOAuthError\n} from '@/middleware/express'\n\ntype EndpointName = keyof EndpointConfig\n\nconst DISCOVERY_ENDPOINT_MAP: Record<EndpointName, keyof DiscoveryDocument> = {\n authorization: 'authorizationEndpoint',\n pushedAuthorizationRequest: 'pushedAuthorizationRequestEndpoint',\n token: 'tokenEndpoint',\n userinfo: 'userinfoEndpoint',\n revocation: 'revocationEndpoint',\n introspection: 'introspectionEndpoint',\n jwks: 'jwksUri',\n endSession: 'endSessionEndpoint'\n}\n\n/* Default issuer URL /\nconst DEFAULT_ISSUER = 'https://account-api.edge.lolinya.net'\n\n/* Default discovery cache TTL: 1 hour /\nconst DEFAULT_DISCOVERY_CACHE_TTL = 3600000\n\n/\n Nya Account Node.js SDK client.\n \n Provides full OAuth 2.1 / OIDC flow support:\n * - Authorization Code + PKCE\n * - Token exchange / refresh / revocation / introspection\n * - Local JWT verification (via JWKS)\n * - OIDC UserInfo\n * - OIDC Discovery auto-discovery\n * - Express middleware (Bearer Token auth + scope validation)\n \n @example\n * ```typescript\n * const client = new NyaAccountClient({\n * issuer: 'https://account.example.com',\n * clientId: 'my-app',\n * clientSecret: 'my-secret',\n * })\n \n // Create authorization URL (with PKCE)\n * const { url, codeVerifier, state } = await client.createAuthorizationUrl({\n * redirectUri: 'https://myapp.com/callback',\n * scope: 'openid profile email',\n * })\n \n // Exchange code for tokens\n * const tokens = await client.exchangeCode({\n * code: callbackCode,\n * redirectUri: 'https://myapp.com/callback',\n * codeVerifier,\n * })\n \n // Get user info\n * const userInfo = await client.getUserInfo(tokens.accessToken)\n * ```\n /\ntype ResolvedConfig = NyaAccountConfig & { issuer: string }\n\nexport class NyaAccountClient {\n private httpClient: AxiosInstance\n private config: ResolvedConfig\n private discoveryCache: DiscoveryDocument \| null = null\n private discoveryCacheTimestamp = 0\n private readonly discoveryCacheTtl: number\n private jwtVerifier: JwtVerifier \| null = null\n\n constructor(config: NyaAccountConfig) {\n this.config = {\n ...config,\n issuer: config.issuer ?? DEFAULT_ISSUER\n }\n this.discoveryCacheTtl = config.discoveryCacheTtl ?? DEFAULT_DISCOVERY_CACHE_TTL\n this.httpClient = axios.create({\n timeout: config.timeout ?? 10000\n })\n }\n\n // ============================================================\n // OIDC Discovery\n // ============================================================\n\n /\n Fetch the OIDC Discovery document. Results are cached with a configurable TTL.\n /\n async discover(): Promise<DiscoveryDocument> {\n if (\n this.discoveryCache &&\n Date.now() - this.discoveryCacheTimestamp < this.discoveryCacheTtl\n ) {\n return this.discoveryCache\n }\n\n try {\n const url = `${this.config.issuer}/.well-known/openid-configuration`\n const response = await this.httpClient.get(url)\n const raw = DiscoveryDocumentSchema.parse(response.data)\n\n this.discoveryCache = {\n issuer: raw.issuer,\n authorizationEndpoint: raw.authorization_endpoint,\n tokenEndpoint: raw.token_endpoint,\n userinfoEndpoint: raw.userinfo_endpoint,\n jwksUri: raw.jwks_uri,\n revocationEndpoint: raw.revocation_endpoint,\n introspectionEndpoint: raw.introspection_endpoint,\n pushedAuthorizationRequestEndpoint:\n raw.pushed_authorization_request_endpoint,\n endSessionEndpoint: raw.end_session_endpoint,\n responseTypesSupported: raw.response_types_supported,\n grantTypesSupported: raw.grant_types_supported,\n idTokenSigningAlgValuesSupported:\n raw.id_token_signing_alg_values_supported,\n scopesSupported: raw.scopes_supported,\n subjectTypesSupported: raw.subject_types_supported,\n tokenEndpointAuthMethodsSupported:\n raw.token_endpoint_auth_methods_supported,\n codeChallengeMethodsSupported: raw.code_challenge_methods_supported,\n claimsSupported: raw.claims_supported\n }\n this.discoveryCacheTimestamp = Date.now()\n\n return this.discoveryCache\n } catch (error) {\n if (error instanceof DiscoveryError) throw error\n const message = error instanceof Error ? error.message : 'Unknown error'\n throw new DiscoveryError(\n `Failed to fetch OIDC Discovery document: ${message}`\n )\n }\n }\n\n /\n Clear the cached Discovery document and JWT verifier, forcing a re-fetch on next use.\n /\n clearCache(): void {\n this.discoveryCache = null\n this.discoveryCacheTimestamp = 0\n this.jwtVerifier = null\n }\n\n // ============================================================\n // Authorization URL\n // ============================================================\n\n /\n Create an OAuth authorization URL (automatically includes PKCE).\n \n The returned `codeVerifier` and `state` must be saved to the session\n * for later use in token exchange and CSRF validation.\n /\n async createAuthorizationUrl(\n options: CreateAuthorizationUrlOptions\n ): Promise<AuthorizationUrlResult> {\n const authorizationEndpoint = await this.resolveEndpoint('authorization')\n\n const codeVerifier = generateCodeVerifier()\n const codeChallenge = generateCodeChallenge(codeVerifier)\n const state = options.state ?? randomBytes(16).toString('base64url')\n\n const params = new URLSearchParams({\n client_id: this.config.clientId,\n redirect_uri: options.redirectUri,\n response_type: 'code',\n scope: options.scope ?? 'openid',\n state,\n code_challenge: codeChallenge,\n code_challenge_method: 'S256'\n })\n\n if (options.nonce) {\n params.set('nonce', options.nonce)\n }\n\n return {\n url: `${authorizationEndpoint}?${params.toString()}`,\n codeVerifier,\n state\n }\n }\n\n /\n Push authorization parameters to PAR endpoint (RFC 9126).\n \n Returns a `request_uri` that can be used in the authorization endpoint.\n /\n async pushAuthorizationRequest(\n options: PushAuthorizationRequestOptions\n ): Promise<PushAuthorizationRequestResult> {\n const parEndpoint = await this.resolveEndpoint('pushedAuthorizationRequest')\n\n const codeVerifier = generateCodeVerifier()\n const codeChallenge = generateCodeChallenge(codeVerifier)\n const state = options.state ?? randomBytes(16).toString('base64url')\n\n const payload: Record<string, string> = {\n client_id: this.config.clientId,\n client_secret: this.config.clientSecret,\n redirect_uri: options.redirectUri,\n response_type: 'code',\n scope: options.scope ?? 'openid',\n state,\n code_challenge: codeChallenge,\n code_challenge_method: 'S256'\n }\n\n if (options.nonce) {\n payload.nonce = options.nonce\n }\n if (options.request) {\n payload.request = options.request\n }\n\n try {\n const response = await this.httpClient.post(parEndpoint, payload)\n const raw = PushedAuthorizationResponseSchema.parse(response.data)\n\n return {\n requestUri: raw.request_uri,\n expiresIn: raw.expires_in,\n codeVerifier,\n state\n }\n } catch (error) {\n throw this.handleTokenError(error)\n }\n }\n\n /\n Create an authorization URL using PAR `request_uri`.\n /\n async createAuthorizationUrlWithPar(\n options: PushAuthorizationRequestOptions\n ): Promise<AuthorizationUrlResult & { requestUri: string; expiresIn: number }> {\n const authorizationEndpoint = await this.resolveEndpoint('authorization')\n const pushed = await this.pushAuthorizationRequest(options)\n\n const params = new URLSearchParams({\n client_id: this.config.clientId,\n request_uri: pushed.requestUri\n })\n\n return {\n url: `${authorizationEndpoint}?${params.toString()}`,\n codeVerifier: pushed.codeVerifier,\n state: pushed.state,\n requestUri: pushed.requestUri,\n expiresIn: pushed.expiresIn\n }\n }\n\n /\n Create OIDC RP-Initiated Logout URL (`end_session_endpoint`).\n /\n async createEndSessionUrl(options?: CreateEndSessionUrlOptions): Promise<string> {\n const endSessionEndpoint = await this.resolveEndpoint('endSession')\n const params = new URLSearchParams()\n\n if (options?.idTokenHint) {\n params.set('id_token_hint', options.idTokenHint)\n }\n if (options?.postLogoutRedirectUri) {\n params.set('post_logout_redirect_uri', options.postLogoutRedirectUri)\n }\n if (options?.state) {\n params.set('state', options.state)\n }\n\n // 帮助服务端在未提供 id_token_hint 时识别客户端\n params.set('client_id', options?.clientId ?? this.config.clientId)\n\n return `${endSessionEndpoint}?${params.toString()}`\n }\n\n // ============================================================\n // Token Operations\n // ============================================================\n\n /\n Exchange an authorization code for tokens (Authorization Code Grant).\n /\n async exchangeCode(options: ExchangeCodeOptions): Promise<TokenResponse> {\n const tokenEndpoint = await this.resolveEndpoint('token')\n\n try {\n const response = await this.httpClient.post(tokenEndpoint, {\n grant_type: 'authorization_code',\n code: options.code,\n redirect_uri: options.redirectUri,\n client_id: this.config.clientId,\n client_secret: this.config.clientSecret,\n code_verifier: options.codeVerifier\n })\n\n return this.mapTokenResponse(response.data)\n } catch (error) {\n throw this.handleTokenError(error)\n }\n }\n\n /\n Refresh an Access Token using a Refresh Token.\n /\n async refreshToken(refreshToken: string): Promise<TokenResponse> {\n const tokenEndpoint = await this.resolveEndpoint('token')\n\n try {\n const response = await this.httpClient.post(tokenEndpoint, {\n grant_type: 'refresh_token',\n refresh_token: refreshToken,\n client_id: this.config.clientId,\n client_secret: this.config.clientSecret\n })\n\n return this.mapTokenResponse(response.data)\n } catch (error) {\n throw this.handleTokenError(error)\n }\n }\n\n /\n Revoke a token (RFC 7009).\n \n Supports revoking Access Tokens or Refresh Tokens.\n * Revoking a Refresh Token also revokes its entire token family.\n /\n async revokeToken(\n token: string,\n options?: { tokenTypeHint?: 'access_token' \| 'refresh_token' }\n ): Promise<void> {\n const revocationEndpoint = await this.resolveEndpoint('revocation')\n\n try {\n const tokenTypeHint = options?.tokenTypeHint\n ? TokenTypeHintSchema.parse(options.tokenTypeHint)\n : undefined\n await this.httpClient.post(revocationEndpoint, {\n token,\n token_type_hint: tokenTypeHint,\n client_id: this.config.clientId,\n client_secret: this.config.clientSecret\n })\n } catch {\n // RFC 7009: revocation endpoint always returns 200, ignore errors\n }\n }\n\n /\n Token introspection (RFC 7662).\n \n Query the server for the current state of a token (active status, associated user info, etc.).\n /\n async introspectToken(\n token: string,\n options?: { tokenTypeHint?: 'access_token' \| 'refresh_token' }\n ): Promise<IntrospectionResponse> {\n const introspectionEndpoint = await this.resolveEndpoint('introspection')\n\n try {\n const tokenTypeHint = options?.tokenTypeHint\n ? TokenTypeHintSchema.parse(options.tokenTypeHint)\n : undefined\n const response = await this.httpClient.post(introspectionEndpoint, {\n token,\n token_type_hint: tokenTypeHint,\n client_id: this.config.clientId,\n client_secret: this.config.clientSecret\n })\n\n const raw = IntrospectionResponseSchema.parse(response.data)\n return {\n active: raw.active,\n scope: raw.scope,\n clientId: raw.client_id,\n username: raw.username,\n tokenType: raw.token_type,\n exp: raw.exp,\n iat: raw.iat,\n sub: raw.sub,\n aud: raw.aud,\n iss: raw.iss,\n jti: raw.jti,\n sid: raw.sid,\n sv: raw.sv\n }\n } catch (error) {\n throw this.handleTokenError(error)\n }\n }\n\n // ============================================================\n // OIDC UserInfo\n // ============================================================\n\n /\n Get user info using an Access Token (OIDC UserInfo Endpoint).\n \n The returned fields depend on the scopes included in the token:\n * - `profile`: name, picture, updatedAt\n * - `email`: email, emailVerified\n /\n async getUserInfo(accessToken: string): Promise<UserInfo> {\n const userinfoEndpoint = await this.resolveEndpoint('userinfo')\n\n try {\n const response = await this.httpClient.get(userinfoEndpoint, {\n headers: { Authorization: `Bearer ${accessToken}` }\n })\n\n const raw = UserInfoSchema.parse(response.data)\n return {\n sub: raw.sub,\n name: raw.name,\n picture: raw.picture,\n email: raw.email,\n emailVerified: raw.email_verified,\n updatedAt: raw.updated_at\n }\n } catch (error) {\n throw this.handleTokenError(error)\n }\n }\n\n // ============================================================\n // Local JWT Verification\n // ============================================================\n\n /\n Locally verify a JWT Access Token (RFC 9068).\n \n Uses remote JWKS for signature verification, and validates issuer, audience, expiry, etc.\n \n @param token JWT Access Token string\n * @param options.audience Custom audience validation value (defaults to clientId)\n /\n async verifyAccessToken(\n token: string,\n options?: { audience?: string }\n ): Promise<AccessTokenPayload> {\n const verifier = await this.getJwtVerifier()\n return verifier.verifyAccessToken(token, options?.audience)\n }\n\n /\n Locally verify an OIDC ID Token.\n \n @param token JWT ID Token string\n * @param options.audience Custom audience validation value (defaults to clientId)\n * @param options.nonce Validate the nonce claim (required if nonce was sent during authorization)\n /\n async verifyIdToken(\n token: string,\n options?: { audience?: string; nonce?: string }\n ): Promise<IdTokenPayload> {\n const verifier = await this.getJwtVerifier()\n return verifier.verifyIdToken(token, options)\n }\n\n // ============================================================\n // Express Middleware\n // ============================================================\n\n /\n Express middleware: verify the Bearer Token in the request.\n \n After successful verification, use `getAuth(req)` to retrieve the token payload.\n \n @param options.strategy Verification strategy: 'local' (default, JWT local verification) or 'introspection' (remote introspection)\n \n @example\n * ```typescript\n * import { getAuth } from '@nya-account/node-sdk/express'\n \n app.use('/api', client.authenticate())\n \n app.get('/api/me', (req, res) => {\n * const auth = getAuth(req)\n * res.json({ userId: auth?.sub })\n * })\n * ```\n /\n authenticate(\n options?: AuthenticateOptions\n ): (req: Request, res: Response, next: NextFunction) => void {\n const strategy = options?.strategy ?? 'local'\n\n return (req: Request, res: Response, next: NextFunction) => {\n const token = extractBearerToken(req)\n if (!token) {\n sendOAuthError(\n res,\n 401,\n 'invalid_token',\n 'Missing Bearer token in Authorization header'\n )\n return\n }\n\n const handleVerification = async (): Promise<void> => {\n let payload: AccessTokenPayload\n\n if (strategy === 'introspection') {\n const introspection = await this.introspectToken(token)\n if (!introspection.active) {\n sendOAuthError(res, 401, 'invalid_token', 'Token is not active')\n return\n }\n const tokenType = introspection.tokenType?.toLowerCase()\n if (\n tokenType &&\n tokenType !== 'bearer' &&\n tokenType !== 'access_token'\n ) {\n sendOAuthError(\n res,\n 401,\n 'invalid_token',\n 'Token is not an access token'\n )\n return\n }\n payload = {\n iss: introspection.iss ?? '',\n sub: introspection.sub ?? '',\n aud: introspection.aud ?? '',\n scope: introspection.scope ?? '',\n ver: '1',\n iat: introspection.iat ?? 0,\n exp: introspection.exp ?? 0,\n jti: introspection.jti ?? '',\n sid: introspection.sid ?? '',\n sv: introspection.sv ?? 0\n }\n } else {\n payload = await this.verifyAccessToken(token)\n }\n\n setAuth(req, payload)\n next()\n }\n\n handleVerification().catch(() => {\n sendOAuthError(\n res,\n 401,\n 'invalid_token',\n 'Invalid or expired access token'\n )\n })\n }\n }\n\n /\n Express middleware: validate that the token in the request contains the specified scopes.\n \n Must be used after the `authenticate()` middleware.\n \n @example\n * ```typescript\n * app.get('/api/profile',\n * client.authenticate(),\n * client.requireScopes('profile'),\n * (req, res) => { ... }\n * )\n * ```\n */\n requireScopes(\n ...scopes: string[]\n ): (req: Request, res: Response, next: NextFunction) => void {\n return (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req)\n if (!auth) {\n sendOAuthError(res, 401, 'invalid_token', 'Request not authenticated')\n return\n }\n\n const tokenScopes = auth.scope.split(' ')\n const missingScopes = scopes.filter((s) => !tokenScopes.includes(s))\n\n if (missingScopes.length > 0) {\n sendOAuthError(\n res,\n 403,\n 'insufficient_scope',\n `Missing required scopes: ${missingScopes.join(' ')}`\n )\n return\n }\n\n next()\n }\n }\n\n // ============================================================\n // Private Methods\n // ============================================================\n\n private async resolveEndpoint(name: EndpointName): Promise<string> {\n const explicit = this.config.endpoints?.[name]\n if (explicit) {\n return explicit\n }\n\n const discovery = await this.discover()\n const discoveryKey = DISCOVERY_ENDPOINT_MAP[name]\n const endpoint = discovery[discoveryKey]\n\n if (!endpoint \|\| typeof endpoint !== 'string') {\n throw new NyaAccountError(\n 'endpoint_not_found',\n `Endpoint '${name}' not found in Discovery document`\n )\n }\n\n return endpoint\n }\n\n private async getJwtVerifier(): Promise<JwtVerifier> {\n if (this.jwtVerifier) {\n return this.jwtVerifier\n }\n\n const jwksUri = await this.resolveEndpoint('jwks')\n const discovery = await this.discover()\n\n this.jwtVerifier = new JwtVerifier(\n jwksUri,\n discovery.issuer,\n this.config.clientId\n )\n return this.jwtVerifier\n }\n\n private mapTokenResponse(data: unknown): TokenResponse {\n const raw = TokenResponseSchema.parse(data)\n return {\n accessToken: raw.access_token,\n tokenType: raw.token_type,\n expiresIn: raw.expires_in,\n refreshToken: raw.refresh_token,\n scope: raw.scope,\n idToken: raw.id_token\n }\n }\n\n private handleTokenError(error: unknown): NyaAccountError {\n if (error instanceof NyaAccountError) {\n return error\n }\n\n if (error instanceof AxiosError && error.response) {\n const parsed = OAuthErrorSchema.safeParse(error.response.data)\n if (parsed.success) {\n return new OAuthError(\n parsed.data.error,\n parsed.data.error_description ?? 'Unknown error'\n )\n }\n }\n\n const message = error instanceof Error ? error.message : 'Unknown error'\n return new NyaAccountError('request_failed', `Request failed: ${message}`)\n }\n}\n"],"mappings":";;;;;;;AAEA,MAAa,sBAAsB,EAAE,KAAK,CAAC,gBAAgB,eAAgB,EAAC;AAM5E,MAAa,sBAAsB,EAAE,OAAO;CACxC,cAAc,EAAE,QAAQ;CACxB,YAAY,EAAE,QAAQ;CACtB,YAAY,EAAE,QAAQ;CACtB,eAAe,EAAE,QAAQ;CACzB,OAAO,EAAE,QAAQ;CACjB,UAAU,EAAE,QAAQ,CAAC,UAAU;AAClC,EAAC;AAQF,MAAa,mBAAmB,EAAE,OAAO;CACrC,OAAO,EAAE,QAAQ;CACjB,mBAAmB,EAAE,QAAQ,CAAC,UAAU;AAC3C,EAAC;AAQF,MAAa,8BAA8B,EAAE,OAAO;CAChD,QAAQ,EAAE,SAAS;CACnB,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,WAAW,EAAE,QAAQ,CAAC,UAAU;CAChC,UAAU,EAAE,QAAQ,CAAC,UAAU;CAC/B,YAAY,EAAE,QAAQ,CAAC,UAAU;CACjC,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,IAAI,EAAE,QAAQ,CAAC,UAAU;AAC5B,EAAC;AAQF,MAAa,iBAAiB,EAAE,OAAO;CACnC,KAAK,EAAE,QAAQ;CACf,MAAM,EAAE,QAAQ,CAAC,UAAU;CAC3B,SAAS,EAAE,QAAQ,CAAC,UAAU;CAC9B,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,gBAAgB,EAAE,SAAS,CAAC,UAAU;CACtC,YAAY,EAAE,QAAQ,CAAC,UAAU;AACpC,EAAC;AAQF,MAAa,0BAA0B,EAAE,OAAO;CAC5C,QAAQ,EAAE,QAAQ;CAClB,wBAAwB,EAAE,QAAQ;CAClC,gBAAgB,EAAE,QAAQ;CAC1B,mBAAmB,EAAE,QAAQ,CAAC,UAAU;CACxC,UAAU,EAAE,QAAQ;CACpB,qBAAqB,EAAE,QAAQ,CAAC,UAAU;CAC1C,wBAAwB,EAAE,QAAQ,CAAC,UAAU;CAC7C,uCAAuC,EAAE,QAAQ,CAAC,UAAU;CAC5D,sBAAsB,EAAE,QAAQ,CAAC,UAAU;CAC3C,0BAA0B,EAAE,MAAM,EAAE,QAAQ,CAAC;CAC7C,uBAAuB,EAAE,MAAM,EAAE,QAAQ,CAAC;CAC1C,uCAAuC,EAAE,MAAM,EAAE,QAAQ,CAAC;CAC1D,kBAAkB,EAAE,MAAM,EAAE,QAAQ,CAAC;CACrC,yBAAyB,EAAE,MAAM,EAAE,QAAQ,CAAC;CAC5C,uCAAuC,EAAE,MAAM,EAAE,QAAQ,CAAC;CAC1D,kCAAkC,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;CAChE,kBAAkB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;CAChD,mCAAmC,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;CACjE,6BAA6B,EAAE,SAAS,CAAC,UAAU;CACnD,iCAAiC,EAAE,SAAS,CAAC,UAAU;AAC1D,EAAC;AAIF,MAAa,oCAAoC,EAAE,OAAO;CACtD,aAAa,EAAE,QAAQ,CAAC,IAAI,EAAE;CAC9B,YAAY,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU;AAC1C,EAAC;AAUF,MAAa,2BAA2B,EAAE,OAAO;CAC7C,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,OAAO,EAAE,QAAQ;CACjB,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,IAAI,EAAE,QAAQ,CAAC,KAAK,CAAC,aAAa;CAClC,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAE,EAAC,CAAC,UAAU;AAChD,EAAC;AAQF,MAAa,uBAAuB,EAAE,OAAO;CACzC,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ,CAAC,UAAU;CAC1B,KAAK,EAAE,QAAQ;CACf,KAAK,EAAE,QAAQ;CACf,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,MAAM,EAAE,QAAQ,CAAC,UAAU;CAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,gBAAgB,EAAE,SAAS,CAAC,UAAU;CACtC,YAAY,EAAE,QAAQ,CAAC,UAAU;AACpC,EAAC;;;;;;;;;AC1IF,IAAa,kBAAb,cAAqC,MAAM;CAIvC,YAAYA,MAAcC,aAAqB;AAC3C,SAAO,GAAG,KAAK,IAAI,YAAY,EAAE;OAJ5B,YAAA;OACA,mBAAA;AAIL,OAAK,OAAO;AACZ,OAAK,OAAO;AACZ,OAAK,cAAc;CACtB;AACJ;;;;;;AAKD,IAAa,aAAb,cAAgC,gBAAgB;CAC5C,YAAYC,OAAeC,kBAA0B;AACjD,QAAM,OAAO,iBAAiB;AAC9B,OAAK,OAAO;CACf;AACJ;;;;;;AAKD,IAAa,yBAAb,cAA4C,gBAAgB;CACxD,YAAYF,aAAqB;AAC7B,QAAM,6BAA6B,YAAY;AAC/C,OAAK,OAAO;CACf;AACJ;;;;;;AAKD,IAAa,iBAAb,cAAoC,gBAAgB;CAChD,YAAYA,aAAqB;AAC7B,QAAM,mBAAmB,YAAY;AACrC,OAAK,OAAO;CACf;AACJ;;;;;;;;;ACrCD,SAAgB,uBAA+B;AAC3C,QAAO,YAAY,GAAG,CAAC,SAAS,YAAY;AAC/C;;;;;;AAKD,SAAgB,sBAAsBG,cAA8B;AAChE,QAAO,WAAW,SAAS,CAAC,OAAO,aAAa,CAAC,OAAO,YAAY;AACvE;;;;;;AAKD,SAAgB,eAAyB;CACrC,MAAM,eAAe,sBAAsB;CAC3C,MAAM,gBAAgB,sBAAsB,aAAa;AACzD,QAAO;EAAE;EAAc;CAAe;AACzC;;;;;;;;;ACZD,IAAa,cAAb,MAAyB;CAKrB,YAAYC,SAAiBC,QAAgBC,iBAAyB;OAJ9D,YAAA;OACA,cAAA;OACA,uBAAA;AAGJ,OAAK,OAAO,mBAAmB,IAAI,IAAI,SAAS;AAChD,OAAK,SAAS;AACd,OAAK,kBAAkB;CAC1B;;;;;;CAKD,MAAM,kBAAkBC,OAAeC,UAAgD;AACnF,MAAI;GACA,MAAM,EAAE,SAAS,GAAG,MAAM,UAAU,OAAO,KAAK,MAAM;IAClD,YAAY,CAAC,OAAQ;IACrB,QAAQ,KAAK;IACb,UAAU,YAAY,KAAK;GAC9B,EAAC;AACF,UAAO,yBAAyB,MAAM,QAAQ;EACjD,SAAQ,OAAO;AACZ,SAAM,KAAK,UAAU,OAAO,eAAe;EAC9C;CACJ;;;;;;CAKD,MAAM,cAAcD,OAAeE,SAA0E;AACzG,MAAI;GACA,MAAM,EAAE,SAAS,GAAG,MAAM,UAAU,OAAO,KAAK,MAAM;IAClD,YAAY,CAAC,OAAQ;IACrB,QAAQ,KAAK;IACb,UAAU,SAAS,YAAY,KAAK;GACvC,EAAC;GAEF,MAAM,SAAS,qBAAqB,MAAM,QAAQ;AAElD,OAAI,SAAS,oBAAuB,OAAO,UAAU,QAAQ,MACzD,OAAM,IAAI,uBAAuB;AAGrC,UAAO;EACV,SAAQ,OAAO;AACZ,OAAI,iBAAiB,uBACjB,OAAM;AAEV,SAAM,KAAK,UAAU,OAAO,WAAW;EAC1C;CACJ;CAED,UAAkBC,OAAgBC,WAA2C;AACzE,MAAI,iBAAiB,uBACjB,QAAO;AAEX,MAAI,iBAAiB,OAAW,WAC5B,QAAO,IAAI,wBAAwB,EAAE,UAAU;AAEnD,MAAI,iBAAiB,OAAW,yBAC5B,QAAO,IAAI,wBAAwB,EAAE,UAAU,4BAA4B,MAAM,QAAQ;AAE7F,MAAI,iBAAiB,OAAW,+BAC5B,QAAO,IAAI,wBAAwB,EAAE,UAAU;EAEnD,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,SAAO,IAAI,wBAAwB,EAAE,UAAU,wBAAwB,QAAQ;CAClF;AACJ;;;;ACxCD,MAAMC,yBAAwE;CAC1E,eAAe;CACf,4BAA4B;CAC5B,OAAO;CACP,UAAU;CACV,YAAY;CACZ,eAAe;CACf,MAAM;CACN,YAAY;AACf;;AAGD,MAAM,iBAAiB;;AAGvB,MAAM,8BAA8B;AAwCpC,IAAa,mBAAb,MAA8B;CAQ1B,YAAYC,QAA0B;OAP9B,kBAAA;OACA,cAAA;OACA,iBAA2C;OAC3C,0BAA0B;OACjB,yBAAA;OACT,cAAkC;AAGtC,OAAK,SAAS;GACV,GAAG;GACH,QAAQ,OAAO,UAAU;EAC5B;AACD,OAAK,oBAAoB,OAAO,qBAAqB;AACrD,OAAK,aAAa,MAAM,OAAO,EAC3B,SAAS,OAAO,WAAW,IAC9B,EAAC;CACL;;;;CASD,MAAM,WAAuC;AACzC,MACI,KAAK,kBACL,KAAK,KAAK,GAAG,KAAK,0BAA0B,KAAK,kBAEjD,QAAO,KAAK;AAGhB,MAAI;GACA,MAAM,OAAO,EAAE,KAAK,OAAO,OAAO;GAClC,MAAM,WAAW,MAAM,KAAK,WAAW,IAAI,IAAI;GAC/C,MAAM,MAAM,wBAAwB,MAAM,SAAS,KAAK;AAExD,QAAK,iBAAiB;IAClB,QAAQ,IAAI;IACZ,uBAAuB,IAAI;IAC3B,eAAe,IAAI;IACnB,kBAAkB,IAAI;IACtB,SAAS,IAAI;IACb,oBAAoB,IAAI;IACxB,uBAAuB,IAAI;IAC3B,oCACI,IAAI;IACR,oBAAoB,IAAI;IACxB,wBAAwB,IAAI;IAC5B,qBAAqB,IAAI;IACzB,kCACI,IAAI;IACR,iBAAiB,IAAI;IACrB,uBAAuB,IAAI;IAC3B,mCACI,IAAI;IACR,+BAA+B,IAAI;IACnC,iBAAiB,IAAI;GACxB;AACD,QAAK,0BAA0B,KAAK,KAAK;AAEzC,UAAO,KAAK;EACf,SAAQ,OAAO;AACZ,OAAI,iBAAiB,eAAgB,OAAM;GAC3C,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,SAAM,IAAI,gBACL,2CAA2C,QAAQ;EAE3D;CACJ;;;;CAKD,aAAmB;AACf,OAAK,iBAAiB;AACtB,OAAK,0BAA0B;AAC/B,OAAK,cAAc;CACtB;;;;;;;CAYD,MAAM,uBACFC,SAC+B;EAC/B,MAAM,wBAAwB,MAAM,KAAK,gBAAgB,gBAAgB;EAEzE,MAAM,eAAe,sBAAsB;EAC3C,MAAM,gBAAgB,sBAAsB,aAAa;EACzD,MAAM,QAAQ,QAAQ,SAAS,YAAY,GAAG,CAAC,SAAS,YAAY;EAEpE,MAAM,SAAS,IAAI,gBAAgB;GAC/B,WAAW,KAAK,OAAO;GACvB,cAAc,QAAQ;GACtB,eAAe;GACf,OAAO,QAAQ,SAAS;GACxB;GACA,gBAAgB;GAChB,uBAAuB;EAC1B;AAED,MAAI,QAAQ,MACR,QAAO,IAAI,SAAS,QAAQ,MAAM;AAGtC,SAAO;GACH,MAAM,EAAE,sBAAsB,GAAG,OAAO,UAAU,CAAC;GACnD;GACA;EACH;CACJ;;;;;;CAOD,MAAM,yBACFC,SACuC;EACvC,MAAM,cAAc,MAAM,KAAK,gBAAgB,6BAA6B;EAE5E,MAAM,eAAe,sBAAsB;EAC3C,MAAM,gBAAgB,sBAAsB,aAAa;EACzD,MAAM,QAAQ,QAAQ,SAAS,YAAY,GAAG,CAAC,SAAS,YAAY;EAEpE,MAAMC,UAAkC;GACpC,WAAW,KAAK,OAAO;GACvB,eAAe,KAAK,OAAO;GAC3B,cAAc,QAAQ;GACtB,eAAe;GACf,OAAO,QAAQ,SAAS;GACxB;GACA,gBAAgB;GAChB,uBAAuB;EAC1B;AAED,MAAI,QAAQ,MACR,SAAQ,QAAQ,QAAQ;AAE5B,MAAI,QAAQ,QACR,SAAQ,UAAU,QAAQ;AAG9B,MAAI;GACA,MAAM,WAAW,MAAM,KAAK,WAAW,KAAK,aAAa,QAAQ;GACjE,MAAM,MAAM,kCAAkC,MAAM,SAAS,KAAK;AAElE,UAAO;IACH,YAAY,IAAI;IAChB,WAAW,IAAI;IACf;IACA;GACH;EACJ,SAAQ,OAAO;AACZ,SAAM,KAAK,iBAAiB,MAAM;EACrC;CACJ;;;;CAKD,MAAM,8BACFD,SAC2E;EAC3E,MAAM,wBAAwB,MAAM,KAAK,gBAAgB,gBAAgB;EACzE,MAAM,SAAS,MAAM,KAAK,yBAAyB,QAAQ;EAE3D,MAAM,SAAS,IAAI,gBAAgB;GAC/B,WAAW,KAAK,OAAO;GACvB,aAAa,OAAO;EACvB;AAED,SAAO;GACH,MAAM,EAAE,sBAAsB,GAAG,OAAO,UAAU,CAAC;GACnD,cAAc,OAAO;GACrB,OAAO,OAAO;GACd,YAAY,OAAO;GACnB,WAAW,OAAO;EACrB;CACJ;;;;CAKD,MAAM,oBAAoBE,SAAuD;EAC7E,MAAM,qBAAqB,MAAM,KAAK,gBAAgB,aAAa;EACnE,MAAM,SAAS,IAAI;AAEnB,MAAI,SAAS,YACT,QAAO,IAAI,iBAAiB,QAAQ,YAAY;AAEpD,MAAI,SAAS,sBACT,QAAO,IAAI,4BAA4B,QAAQ,sBAAsB;AAEzE,MAAI,SAAS,MACT,QAAO,IAAI,SAAS,QAAQ,MAAM;AAItC,SAAO,IAAI,aAAa,SAAS,YAAY,KAAK,OAAO,SAAS;AAElE,UAAQ,EAAE,mBAAmB,GAAG,OAAO,UAAU,CAAC;CACrD;;;;CASD,MAAM,aAAaC,SAAsD;EACrE,MAAM,gBAAgB,MAAM,KAAK,gBAAgB,QAAQ;AAEzD,MAAI;GACA,MAAM,WAAW,MAAM,KAAK,WAAW,KAAK,eAAe;IACvD,YAAY;IACZ,MAAM,QAAQ;IACd,cAAc,QAAQ;IACtB,WAAW,KAAK,OAAO;IACvB,eAAe,KAAK,OAAO;IAC3B,eAAe,QAAQ;GAC1B,EAAC;AAEF,UAAO,KAAK,iBAAiB,SAAS,KAAK;EAC9C,SAAQ,OAAO;AACZ,SAAM,KAAK,iBAAiB,MAAM;EACrC;CACJ;;;;CAKD,MAAM,aAAaC,cAA8C;EAC7D,MAAM,gBAAgB,MAAM,KAAK,gBAAgB,QAAQ;AAEzD,MAAI;GACA,MAAM,WAAW,MAAM,KAAK,WAAW,KAAK,eAAe;IACvD,YAAY;IACZ,eAAe;IACf,WAAW,KAAK,OAAO;IACvB,eAAe,KAAK,OAAO;GAC9B,EAAC;AAEF,UAAO,KAAK,iBAAiB,SAAS,KAAK;EAC9C,SAAQ,OAAO;AACZ,SAAM,KAAK,iBAAiB,MAAM;EACrC;CACJ;;;;;;;CAQD,MAAM,YACFC,OACAC,SACa;EACb,MAAM,qBAAqB,MAAM,KAAK,gBAAgB,aAAa;AAEnE,MAAI;GACA,MAAM,gBAAgB,SAAS,gBACzB,oBAAoB,MAAM,QAAQ,cAAc;AAEtD,SAAM,KAAK,WAAW,KAAK,oBAAoB;IAC3C;IACA,iBAAiB;IACjB,WAAW,KAAK,OAAO;IACvB,eAAe,KAAK,OAAO;GAC9B,EAAC;EACL,QAAO,CAEP;CACJ;;;;;;CAOD,MAAM,gBACFD,OACAC,SAC8B;EAC9B,MAAM,wBAAwB,MAAM,KAAK,gBAAgB,gBAAgB;AAEzE,MAAI;GACA,MAAM,gBAAgB,SAAS,gBACzB,oBAAoB,MAAM,QAAQ,cAAc;GAEtD,MAAM,WAAW,MAAM,KAAK,WAAW,KAAK,uBAAuB;IAC/D;IACA,iBAAiB;IACjB,WAAW,KAAK,OAAO;IACvB,eAAe,KAAK,OAAO;GAC9B,EAAC;GAEF,MAAM,MAAM,4BAA4B,MAAM,SAAS,KAAK;AAC5D,UAAO;IACH,QAAQ,IAAI;IACZ,OAAO,IAAI;IACX,UAAU,IAAI;IACd,UAAU,IAAI;IACd,WAAW,IAAI;IACf,KAAK,IAAI;IACT,KAAK,IAAI;IACT,KAAK,IAAI;IACT,KAAK,IAAI;IACT,KAAK,IAAI;IACT,KAAK,IAAI;IACT,KAAK,IAAI;IACT,IAAI,IAAI;GACX;EACJ,SAAQ,OAAO;AACZ,SAAM,KAAK,iBAAiB,MAAM;EACrC;CACJ;;;;;;;;CAaD,MAAM,YAAYC,aAAwC;EACtD,MAAM,mBAAmB,MAAM,KAAK,gBAAgB,WAAW;AAE/D,MAAI;GACA,MAAM,WAAW,MAAM,KAAK,WAAW,IAAI,kBAAkB,EACzD,SAAS,EAAE,gBAAgB,SAAS,YAAY,EAAG,EACtD,EAAC;GAEF,MAAM,MAAM,eAAe,MAAM,SAAS,KAAK;AAC/C,UAAO;IACH,KAAK,IAAI;IACT,MAAM,IAAI;IACV,SAAS,IAAI;IACb,OAAO,IAAI;IACX,eAAe,IAAI;IACnB,WAAW,IAAI;GAClB;EACJ,SAAQ,OAAO;AACZ,SAAM,KAAK,iBAAiB,MAAM;EACrC;CACJ;;;;;;;;;CAcD,MAAM,kBACFF,OACAG,SAC2B;EAC3B,MAAM,WAAW,MAAM,KAAK,gBAAgB;AAC5C,SAAO,SAAS,kBAAkB,OAAO,SAAS,SAAS;CAC9D;;;;;;;;CASD,MAAM,cACFH,OACAI,SACuB;EACvB,MAAM,WAAW,MAAM,KAAK,gBAAgB;AAC5C,SAAO,SAAS,cAAc,OAAO,QAAQ;CAChD;;;;;;;;;;;;;;;;;;;;CAyBD,aACIC,SACyD;EACzD,MAAM,WAAW,SAAS,YAAY;AAEtC,SAAO,CAACC,KAAcC,KAAeC,SAAuB;GACxD,MAAM,QAAQ,mBAAmB,IAAI;AACrC,QAAK,OAAO;AACR,mBACI,KACA,KACA,iBACA,+CACH;AACD;GACH;GAED,MAAM,qBAAqB,YAA2B;IAClD,IAAIC;AAEJ,QAAI,aAAa,iBAAiB;KAC9B,MAAM,gBAAgB,MAAM,KAAK,gBAAgB,MAAM;AACvD,UAAK,cAAc,QAAQ;AACvB,qBAAe,KAAK,KAAK,iBAAiB,sBAAsB;AAChE;KACH;KACD,MAAM,YAAY,cAAc,WAAW,aAAa;AACxD,SACI,aACA,cAAc,YACd,cAAc,gBAChB;AACE,qBACI,KACA,KACA,iBACA,+BACH;AACD;KACH;AACD,eAAU;MACN,KAAK,cAAc,OAAO;MAC1B,KAAK,cAAc,OAAO;MAC1B,KAAK,cAAc,OAAO;MAC1B,OAAO,cAAc,SAAS;MAC9B,KAAK;MACL,KAAK,cAAc,OAAO;MAC1B,KAAK,cAAc,OAAO;MAC1B,KAAK,cAAc,OAAO;MAC1B,KAAK,cAAc,OAAO;MAC1B,IAAI,cAAc,MAAM;KAC3B;IACJ,MACG,WAAU,MAAM,KAAK,kBAAkB,MAAM;AAGjD,YAAQ,KAAK,QAAQ;AACrB,UAAM;GACT;AAED,uBAAoB,CAAC,MAAM,MAAM;AAC7B,mBACI,KACA,KACA,iBACA,kCACH;GACJ,EAAC;EACL;CACJ;;;;;;;;;;;;;;;CAgBD,cACI,GAAG,QACsD;AACzD,SAAO,CAACH,KAAcC,KAAeC,SAAuB;GACxD,MAAM,OAAO,QAAQ,IAAI;AACzB,QAAK,MAAM;AACP,mBAAe,KAAK,KAAK,iBAAiB,4BAA4B;AACtE;GACH;GAED,MAAM,cAAc,KAAK,MAAM,MAAM,IAAI;GACzC,MAAM,gBAAgB,OAAO,OAAO,CAAC,OAAO,YAAY,SAAS,EAAE,CAAC;AAEpE,OAAI,cAAc,SAAS,GAAG;AAC1B,mBACI,KACA,KACA,uBACC,2BAA2B,cAAc,KAAK,IAAI,CAAC,EACvD;AACD;GACH;AAED,SAAM;EACT;CACJ;CAMD,MAAc,gBAAgBE,MAAqC;EAC/D,MAAM,WAAW,KAAK,OAAO,YAAY;AACzC,MAAI,SACA,QAAO;EAGX,MAAM,YAAY,MAAM,KAAK,UAAU;EACvC,MAAM,eAAe,uBAAuB;EAC5C,MAAM,WAAW,UAAU;AAE3B,OAAK,mBAAmB,aAAa,SACjC,OAAM,IAAI,gBACN,uBACC,YAAY,KAAK;AAI1B,SAAO;CACV;CAED,MAAc,iBAAuC;AACjD,MAAI,KAAK,YACL,QAAO,KAAK;EAGhB,MAAM,UAAU,MAAM,KAAK,gBAAgB,OAAO;EAClD,MAAM,YAAY,MAAM,KAAK,UAAU;AAEvC,OAAK,cAAc,IAAI,YACnB,SACA,UAAU,QACV,KAAK,OAAO;AAEhB,SAAO,KAAK;CACf;CAED,iBAAyBC,MAA8B;EACnD,MAAM,MAAM,oBAAoB,MAAM,KAAK;AAC3C,SAAO;GACH,aAAa,IAAI;GACjB,WAAW,IAAI;GACf,WAAW,IAAI;GACf,cAAc,IAAI;GAClB,OAAO,IAAI;GACX,SAAS,IAAI;EAChB;CACJ;CAED,iBAAyBC,OAAiC;AACtD,MAAI,iBAAiB,gBACjB,QAAO;AAGX,MAAI,iBAAiB,cAAc,MAAM,UAAU;GAC/C,MAAM,SAAS,iBAAiB,UAAU,MAAM,SAAS,KAAK;AAC9D,OAAI,OAAO,QACP,QAAO,IAAI,WACP,OAAO,KAAK,OACZ,OAAO,KAAK,qBAAqB;EAG5C;EAED,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,SAAO,IAAI,gBAAgB,mBAAmB,kBAAkB,QAAQ;CAC3E;AACJ"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@nya-account/node-sdk",
-    "version": "2.0.1",
+    "version": "2.0.2",
     "description": "Official Node.js SDK for Nya Account SSO — OAuth 2.1 / OIDC client with PKCE, JWT verification, and Express middleware",
     "license": "MIT",
     "author": {

package/dist/express-yO7hxKKd.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"express-yO7hxKKd.d.ts","names":[],"sources":["../src/core/schemas.d.ts","../src/middleware/express.d.ts"],"sourcesContent":null,"mappings":";;;;AAWA,IAAW,2BAAW;CAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;AAAA;AACtB,IAAW,qBAAc;CAAA;CAAA,MAAA;CAAA,MAAA,EAAA;AAAA;AACzB,IAAW,uBAAM;CAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;CAAA,MAAA,EAAA;AAAA;AACjB,IAAW,iBAAiB;CAAC;CAAI,MAAA;CAAA,MAAA,EAAA;AAAA;;;;;;;;;;;;;;;;;;;ACGjC,IAAW,UAAU,CAAC,GAAG,MAAM,kBAAmB;;;;AAQlD,IAAW,qBAAqB,CAAC,GAAG,MAAM,OAAQ;;;;AAIlD,IAAW,iBAAiB,CAAC,GAAG,MAAM,QAAS"}