@owox/idp-owox-better-auth 0.18.0

package/dist/config/idp-owox-config.js

@@ -0,0 +1,252 @@
+import { parseMysqlSslEnv } from '@owox/internal-helpers';
+import envPaths from 'env-paths';
+import { existsSync, mkdirSync } from 'fs';
+import ms from 'ms';
+import { dirname, join } from 'path';
+import { z } from 'zod';
+const zMsString = z
+    .string()
+    .refine((s) => ms(s) !== undefined, {
+    message: 'Invalid duration string',
+})
+    .transform(s => s);
+function normalizeOrigin(value, label) {
+    try {
+        return new URL(value).origin;
+    }
+    catch (error) {
+        throw new Error(`Invalid ${label} value: ${value}. ${error instanceof Error ? error.message : error}`);
+    }
+}
+function ensureValidUrl(value) {
+    try {
+        new URL(value);
+        return value;
+    }
+    catch {
+        throw new Error(`Invalid URL: ${value}`);
+    }
+}
+function buildAllowedRedirectOrigins(raw, signInUrl, signUpUrl) {
+    const defaults = [
+        normalizeOrigin(signInUrl, 'IDP_OWOX_PLATFORM_SIGN_IN_URL'),
+        normalizeOrigin(signUpUrl, 'IDP_OWOX_PLATFORM_SIGN_UP_URL'),
+    ];
+    const extra = raw
+        ? raw
+            .split(',')
+            .map(x => x.trim())
+            .filter(Boolean)
+            .map(origin => normalizeOrigin(origin, 'IDP_OWOX_ALLOWED_REDIRECT_ORIGINS'))
+        : [];
+    return Array.from(new Set([...defaults, ...extra]));
+}
+/** ---------- DB env (SQLite or MySQL) ---------- */
+function defaultSqlitePath() {
+    const paths = envPaths('owox', { suffix: '' });
+    const dbPath = join(paths.data, 'sqlite', 'idp-owox-better-auth.db');
+    const dbDir = dirname(dbPath);
+    if (!existsSync(dbDir)) {
+        try {
+            mkdirSync(dbDir, { recursive: true });
+        }
+        catch (error) {
+            throw new Error(`Failed to create SQLite database directory: ${dbDir}. ${error instanceof Error ? error.message : error}`);
+        }
+    }
+    return dbPath;
+}
+const MysqlEnvSchemaRaw = z.object({
+    IDP_OWOX_DB_TYPE: z.literal('mysql'),
+    IDP_OWOX_MYSQL_HOST: z.string().min(1, 'IDP_OWOX_MYSQL_HOST is required'),
+    IDP_OWOX_MYSQL_USER: z.string().min(1, 'IDP_OWOX_MYSQL_USER is required'),
+    IDP_OWOX_MYSQL_PASSWORD: z.string().min(1, 'IDP_OWOX_MYSQL_PASSWORD is required'),
+    IDP_OWOX_MYSQL_DB: z.string().min(1, 'IDP_OWOX_MYSQL_DB is required'),
+    IDP_OWOX_MYSQL_PORT: z.string().optional(),
+    IDP_OWOX_MYSQL_CONNECTION_LIMIT: z.string().optional(),
+    IDP_OWOX_MYSQL_SSL: z.string().optional(),
+});
+const SqliteEnvSchemaRaw = z.object({
+    IDP_OWOX_DB_TYPE: z.literal('sqlite'),
+    IDP_OWOX_SQLITE_DB_PATH: z.string().optional(),
+});
+const DbEnvSchema = z
+    .discriminatedUnion('IDP_OWOX_DB_TYPE', [MysqlEnvSchemaRaw, SqliteEnvSchemaRaw])
+    .transform(env => {
+    if (env.IDP_OWOX_DB_TYPE === 'mysql') {
+        const port = env.IDP_OWOX_MYSQL_PORT ? Number(env.IDP_OWOX_MYSQL_PORT) : undefined;
+        const connectionLimit = env.IDP_OWOX_MYSQL_CONNECTION_LIMIT
+            ? Number(env.IDP_OWOX_MYSQL_CONNECTION_LIMIT)
+            : undefined;
+        const ssl = parseMysqlSslEnv(env.IDP_OWOX_MYSQL_SSL);
+        return {
+            type: 'mysql',
+            host: env.IDP_OWOX_MYSQL_HOST,
+            port,
+            user: env.IDP_OWOX_MYSQL_USER,
+            password: env.IDP_OWOX_MYSQL_PASSWORD,
+            database: env.IDP_OWOX_MYSQL_DB,
+            connectionLimit,
+            ...(ssl === undefined ? {} : { ssl }),
+        };
+    }
+    return {
+        type: 'sqlite',
+        filename: env.IDP_OWOX_SQLITE_DB_PATH ?? defaultSqlitePath(),
+    };
+});
+export function loadDbConfigFromEnv(env = process.env) {
+    const IDP_OWOX_DB_TYPE = (env.IDP_OWOX_DB_TYPE ?? 'sqlite').toLowerCase();
+    return DbEnvSchema.parse({ ...env, IDP_OWOX_DB_TYPE });
+}
+/** ---------- IdentityOwox client ---------- */
+const IdentityOwoxClientEnvSchema = z
+    .object({
+    IDP_OWOX_CLIENT_BASE_URL: z
+        .string()
+        .url({ message: 'IDP_OWOX_CLIENT_BASE_URL must be a valid URL' }),
+    IDP_OWOX_DEFAULT_HEADERS: z.string().optional(),
+    IDP_OWOX_TIMEOUT: zMsString.optional(),
+    IDP_OWOX_CLIENT_BACKCHANNEL_PREFIX: z
+        .string()
+        .min(1, 'IDP_OWOX_CLIENT_BACKCHANNEL_PREFIX is required'),
+    IDP_OWOX_C2C_SERVICE_ACCOUNT: z.string().min(1, 'IDP_OWOX_C2C_SERVICE_ACCOUNT is required'),
+    IDP_OWOX_C2C_TARGET_AUDIENCE: z.string().min(1, 'IDP_OWOX_C2C_TARGET_AUDIENCE is required'),
+})
+    .transform(e => {
+    const defaultHeaders = e.IDP_OWOX_DEFAULT_HEADERS
+        ? JSON.parse(e.IDP_OWOX_DEFAULT_HEADERS)
+        : undefined;
+    return {
+        clientBaseUrl: e.IDP_OWOX_CLIENT_BASE_URL,
+        defaultHeaders,
+        clientTimeout: (e.IDP_OWOX_TIMEOUT ?? '3s'),
+        clientBackchannelPrefix: e.IDP_OWOX_CLIENT_BACKCHANNEL_PREFIX,
+        c2cServiceAccountEmail: e.IDP_OWOX_C2C_SERVICE_ACCOUNT,
+        c2cTargetAudience: e.IDP_OWOX_C2C_TARGET_AUDIENCE,
+    };
+});
+/** ---------- IDP (frontend/app) config ---------- */
+const IdpEnvSchema = z
+    .object({
+    IDP_OWOX_CLIENT_ID: z.string().min(1, 'IDP_OWOX_CLIENT_ID is required'),
+    IDP_OWOX_PLATFORM_SIGN_IN_URL: z
+        .string()
+        .url({ message: 'IDP_OWOX_PLATFORM_SIGN_IN_URL must be a valid URL' }),
+    IDP_OWOX_PLATFORM_SIGN_UP_URL: z
+        .string()
+        .url({ message: 'IDP_OWOX_PLATFORM_SIGN_UP_URL must be a valid URL' }),
+    IDP_OWOX_ALLOWED_REDIRECT_ORIGINS: z.string().optional(),
+    IDP_OWOX_SIGN_OUT_REDIRECT_URL: z
+        .string()
+        .url({ message: 'IDP_OWOX_SIGN_OUT_REDIRECT_URL must be a valid URL' })
+        .optional(),
+})
+    .transform(e => ({
+    clientId: e.IDP_OWOX_CLIENT_ID,
+    platformSignInUrl: e.IDP_OWOX_PLATFORM_SIGN_IN_URL,
+    platformSignUpUrl: e.IDP_OWOX_PLATFORM_SIGN_UP_URL,
+    signOutRedirectUrl: e.IDP_OWOX_SIGN_OUT_REDIRECT_URL,
+    allowedRedirectOrigins: buildAllowedRedirectOrigins(e.IDP_OWOX_ALLOWED_REDIRECT_ORIGINS, e.IDP_OWOX_PLATFORM_SIGN_IN_URL, e.IDP_OWOX_PLATFORM_SIGN_UP_URL),
+}));
+/** ---------- JWT config ---------- */
+const JwtEnvSchema = z
+    .object({
+    IDP_OWOX_JWT_CLOCK_TOLERANCE: zMsString.default('5s'),
+    IDP_OWOX_JWT_ISSUER: z.string().min(1, 'IDP_OWOX_JWT_ISSUER is required'),
+    IDP_OWOX_JWT_CACHE_TTL: zMsString.optional(),
+    IDP_OWOX_JWT_ALGORITHM: z.enum(['RS256']).default('RS256'),
+})
+    .transform(e => ({
+    clockTolerance: e.IDP_OWOX_JWT_CLOCK_TOLERANCE,
+    issuer: e.IDP_OWOX_JWT_ISSUER,
+    jwtKeyCacheTtl: e.IDP_OWOX_JWT_CACHE_TTL ?? '1h',
+    algorithm: e.IDP_OWOX_JWT_ALGORITHM,
+}));
+/** ---------- Better Auth (UI/auth) config ---------- */
+const DEFAULT_SESSION_MAX_AGE = 60 * 30; // 30 minutes
+const BetterAuthEnvSchema = z.object({
+    IDP_BETTER_AUTH_SECRET: z.string().min(32, 'IDP_BETTER_AUTH_SECRET is required'),
+    IDP_BETTER_AUTH_SESSION_MAX_AGE: z.string().optional(),
+    IDP_BETTER_AUTH_TRUSTED_ORIGINS: z.string().optional(),
+    IDP_BETTER_AUTH_GOOGLE_CLIENT_ID: z.string().optional(),
+    IDP_BETTER_AUTH_GOOGLE_CLIENT_SECRET: z.string().optional(),
+    IDP_BETTER_AUTH_GOOGLE_PROMPT: z.string().optional(),
+    IDP_BETTER_AUTH_GOOGLE_ACCESS_TYPE: z.string().optional(),
+});
+function resolveBaseUrl(env) {
+    const baseURL = env.PUBLIC_ORIGIN ?? (env.PORT ? `http://localhost:${env.PORT}` : '');
+    return ensureValidUrl(baseURL);
+}
+function toNumber(value, fallback) {
+    if (!value)
+        return fallback;
+    const parsed = Number(value);
+    return Number.isFinite(parsed) ? parsed : fallback;
+}
+function parseTrustedOrigins(raw, baseUrl) {
+    const origins = raw
+        ? raw
+            .split(',')
+            .map(x => x.trim())
+            .filter(Boolean)
+            .map(origin => normalizeOrigin(origin, 'IDP_BETTER_AUTH_TRUSTED_ORIGINS'))
+        : [];
+    if (baseUrl) {
+        origins.push(normalizeOrigin(baseUrl, 'IDP_BETTER_AUTH_BASE_URL'));
+    }
+    return Array.from(new Set(origins));
+}
+function buildSocialProviders(env, baseURL) {
+    const social = {};
+    if (env.IDP_BETTER_AUTH_GOOGLE_CLIENT_ID && env.IDP_BETTER_AUTH_GOOGLE_CLIENT_SECRET) {
+        social.google = {
+            clientId: env.IDP_BETTER_AUTH_GOOGLE_CLIENT_ID,
+            clientSecret: env.IDP_BETTER_AUTH_GOOGLE_CLIENT_SECRET,
+            redirectURI: baseURL
+                ? `${baseURL.replace(/\/$/, '')}/auth/better-auth/callback/google`
+                : undefined,
+            prompt: env.IDP_BETTER_AUTH_GOOGLE_PROMPT ?? 'select_account',
+            accessType: env.IDP_BETTER_AUTH_GOOGLE_ACCESS_TYPE ?? 'offline',
+        };
+    }
+    return Object.keys(social).length ? social : undefined;
+}
+/**
+ * Load the full IdpOwoxConfig from process env.
+ * Throws on validation errors; ensures JWT_ALGORITHM is RS256.
+ */
+export function loadIdpOwoxConfigFromEnv(env = process.env) {
+    const dbConfig = loadDbConfigFromEnv(env);
+    const identityOwoxClientConfig = IdentityOwoxClientEnvSchema.parse(env);
+    const idpConfig = IdpEnvSchema.parse(env);
+    const jwtConfig = JwtEnvSchema.parse(env);
+    const baseUrl = resolveBaseUrl(env);
+    if (jwtConfig.algorithm !== 'RS256') {
+        throw new Error(`Only RS256 is supported, got: ${jwtConfig.algorithm}`);
+    }
+    return {
+        baseUrl,
+        idpConfig,
+        identityOwoxClientConfig,
+        jwtConfig,
+        dbConfig,
+    };
+}
+/**
+ * Loads Better Auth + IdP OWOX config from environment.
+ */
+export function loadBetterAuthProviderConfigFromEnv(env = process.env) {
+    const idpOwox = loadIdpOwoxConfigFromEnv(env);
+    const baEnv = BetterAuthEnvSchema.parse(env);
+    const safeBaseURL = resolveBaseUrl(env);
+    const betterAuthConfig = {
+        database: idpOwox.dbConfig,
+        secret: baEnv.IDP_BETTER_AUTH_SECRET,
+        baseURL: safeBaseURL,
+        session: { maxAge: toNumber(baEnv.IDP_BETTER_AUTH_SESSION_MAX_AGE, DEFAULT_SESSION_MAX_AGE) },
+        trustedOrigins: parseTrustedOrigins(baEnv.IDP_BETTER_AUTH_TRUSTED_ORIGINS, safeBaseURL),
+        socialProviders: buildSocialProviders(baEnv, safeBaseURL),
+    };
+    return { betterAuth: betterAuthConfig, idpOwox };
+}

package/dist/config/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Re-exports configuration helpers and types.
+ */
+export { createBetterAuthConfig } from './idp-better-auth-config.js';
+export { loadBetterAuthProviderConfigFromEnv, loadIdpOwoxConfigFromEnv, type BetterAuthProviderConfig, type DbConfig, type IdpOwoxConfig, type MysqlConfig, type SqliteConfig, } from './idp-owox-config.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/config/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EACL,mCAAmC,EACnC,wBAAwB,EACxB,KAAK,wBAAwB,EAC7B,KAAK,QAAQ,EACb,KAAK,aAAa,EAClB,KAAK,WAAW,EAChB,KAAK,YAAY,GAClB,MAAM,sBAAsB,CAAC"}

package/dist/config/index.js

@@ -0,0 +1,5 @@
+/**
+ * Re-exports configuration helpers and types.
+ */
+export { createBetterAuthConfig } from './idp-better-auth-config.js';
+export { loadBetterAuthProviderConfigFromEnv, loadIdpOwoxConfigFromEnv, } from './idp-owox-config.js';

package/dist/core/constants.d.ts

@@ -0,0 +1,14 @@
+/** Cookie name for core refresh token. */
+export declare const CORE_REFRESH_TOKEN_COOKIE = "refreshToken";
+/** Cookie name for Better Auth session token. */
+export declare const BETTER_AUTH_SESSION_COOKIE = "better-auth.session_token";
+/** Cookie name for Better Auth CSRF token. */
+export declare const BETTER_AUTH_CSRF_COOKIE = "better-auth.csrf_token";
+/** Cookie name for Better Auth OAuth state. */
+export declare const BETTER_AUTH_STATE_COOKIE = "better-auth.state";
+/** Source parameter values used across IDP requests. */
+export declare const SOURCE: {
+    readonly APP: "app";
+    readonly PLATFORM: "platform";
+};
+//# sourceMappingURL=constants.d.ts.map

package/dist/core/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/core/constants.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,eAAO,MAAM,yBAAyB,iBAAiB,CAAC;AACxD,iDAAiD;AACjD,eAAO,MAAM,0BAA0B,8BAA8B,CAAC;AACtE,8CAA8C;AAC9C,eAAO,MAAM,uBAAuB,2BAA2B,CAAC;AAChE,+CAA+C;AAC/C,eAAO,MAAM,wBAAwB,sBAAsB,CAAC;AAE5D,wDAAwD;AACxD,eAAO,MAAM,MAAM;;;CAGT,CAAC"}

package/dist/core/constants.js

@@ -0,0 +1,13 @@
+/** Cookie name for core refresh token. */
+export const CORE_REFRESH_TOKEN_COOKIE = 'refreshToken';
+/** Cookie name for Better Auth session token. */
+export const BETTER_AUTH_SESSION_COOKIE = 'better-auth.session_token';
+/** Cookie name for Better Auth CSRF token. */
+export const BETTER_AUTH_CSRF_COOKIE = 'better-auth.csrf_token';
+/** Cookie name for Better Auth OAuth state. */
+export const BETTER_AUTH_STATE_COOKIE = 'better-auth.state';
+/** Source parameter values used across IDP requests. */
+export const SOURCE = {
+    APP: 'app',
+    PLATFORM: 'platform',
+};

package/dist/core/exceptions.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Error for authentication flow failures with context.
+ */
+export declare class AuthenticationException extends Error {
+    readonly cause?: unknown;
+    readonly context?: Record<string, unknown>;
+    constructor(message: string, opts?: {
+        cause?: unknown;
+        context?: Record<string, unknown>;
+    });
+}
+/**
+ * Detects "state expired" errors by a consistent marker.
+ */
+export declare function isStateExpiredError(error: unknown): boolean;
+/**
+ * Error for failed requests to Identity OWOX.
+ */
+export declare class IdpFailedException extends Error {
+    readonly cause?: unknown;
+    readonly context?: Record<string, unknown>;
+    constructor(message: string, opts?: {
+        cause?: unknown;
+        context?: Record<string, unknown>;
+    });
+}
+//# sourceMappingURL=exceptions.d.ts.map

package/dist/core/exceptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exceptions.d.ts","sourceRoot":"","sources":["../../src/core/exceptions.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;IAChD,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;IACzB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAE/B,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE;CAM3F;AAID;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAI3D;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;IACzB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAE/B,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE;CAM3F"}

package/dist/core/exceptions.js

@@ -0,0 +1,36 @@
+/**
+ * Error for authentication flow failures with context.
+ */
+export class AuthenticationException extends Error {
+    cause;
+    context;
+    constructor(message, opts) {
+        super(message);
+        this.name = 'AuthenticationException';
+        this.cause = opts?.cause;
+        this.context = opts?.context;
+    }
+}
+const STATE_EXPIRED_ERROR_MARKER = 'state expired';
+/**
+ * Detects "state expired" errors by a consistent marker.
+ */
+export function isStateExpiredError(error) {
+    if (!error || typeof error !== 'object')
+        return false;
+    const message = error instanceof Error ? error.message : String(error);
+    return message.toLowerCase().includes(STATE_EXPIRED_ERROR_MARKER);
+}
+/**
+ * Error for failed requests to Identity OWOX.
+ */
+export class IdpFailedException extends Error {
+    cause;
+    context;
+    constructor(message, opts) {
+        super(message);
+        this.name = 'IdpRequestFailedException';
+        this.cause = opts?.cause;
+        this.context = opts?.context;
+    }
+}

package/dist/core/logger.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Shared logger utilities with basic redaction helpers.
+ */
+import { type Logger } from '@owox/internal-helpers';
+/**
+ * Logger instance for idp-owox-better-auth.
+ * Use Proxy to dynamically bind the logger instance to the logger methods.
+ */
+export declare const logger: Logger;
+/**
+ * Console logging with light redaction to avoid leaking tokens/PII.
+ * Keeps console.log available for temporary tracing while protecting secrets.
+ *
+ * TODO: DELETE THIS FUNCTION AFTER DEBUGGING
+ */
+export declare function safeConsoleLog(message: string, payload?: unknown): void;
+//# sourceMappingURL=logger.d.ts.map

package/dist/core/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/core/logger.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAiB,KAAK,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAWpE;;;GAGG;AACH,eAAO,MAAM,MAAM,QAWjB,CAAC;AA6BH;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,IAAI,CAUvE"}

package/dist/core/logger.js

@@ -0,0 +1,66 @@
+/**
+ * Shared logger utilities with basic redaction helpers.
+ */
+import { LoggerFactory } from '@owox/internal-helpers';
+let _logger;
+function getLogger() {
+    if (!_logger) {
+        _logger = LoggerFactory.createNamedLogger('idp-owox-better-auth');
+    }
+    return _logger;
+}
+/**
+ * Logger instance for idp-owox-better-auth.
+ * Use Proxy to dynamically bind the logger instance to the logger methods.
+ */
+export const logger = new Proxy({}, {
+    get(_target, prop) {
+        const loggerInstance = getLogger();
+        const value = loggerInstance[prop];
+        if (typeof value === 'function') {
+            return value.bind(loggerInstance);
+        }
+        return value;
+    },
+});
+const SENSITIVE_KEYS = [
+    'token',
+    'refreshToken',
+    'accessToken',
+    'authorization',
+    'state',
+    'code',
+    'cookie',
+    'csrf',
+    'session',
+];
+function redactValue(value) {
+    if (typeof value === 'string') {
+        if (value.length <= 8)
+            return value;
+        return `${value.slice(0, 4)}...[redacted]...${value.slice(-4)}`;
+    }
+    return value;
+}
+function redactingReplacer(key, value) {
+    if (SENSITIVE_KEYS.some(k => key.toLowerCase().includes(k.toLowerCase()))) {
+        return redactValue(value);
+    }
+    return value;
+}
+/**
+ * Console logging with light redaction to avoid leaking tokens/PII.
+ * Keeps console.log available for temporary tracing while protecting secrets.
+ *
+ * TODO: DELETE THIS FUNCTION AFTER DEBUGGING
+ */
+export function safeConsoleLog(message, payload) {
+    if (payload === undefined) {
+        // eslint-disable-next-line no-console
+        console.log(message);
+        return;
+    }
+    const serialized = typeof payload === 'string' ? payload : JSON.stringify(payload, redactingReplacer, 2);
+    // eslint-disable-next-line no-console
+    console.log(message, serialized);
+}

package/dist/core/pkce.d.ts

@@ -0,0 +1,21 @@
+export interface PkceDto {
+    codeVerifier: string;
+    codeChallenge: string;
+}
+/**
+ * Generates a PKCE (Proof Key for Code Exchange) pair consisting of a code verifier and a code challenge.
+ *
+ * @param {number} [length=86] - The desired length of the code verifier. Defaults to 86 if not specified.
+ * @return {Promise<{codeVerifier: string, codeChallenge: string}>} A promise that resolves to an object containing the code verifier and code challenge.
+ */
+export declare function generatePkce(length?: number): Promise<PkceDto>;
+/**
+ * Generates a random string state encoded in Base64 URL format.
+ * Optionally allows truncation of the generated state to a specific length.
+ *
+ * @param {number} [bytes=32] - The number of random bytes to generate.
+ * @param {number} [targetLen] - The desired length of the output string. If not specified, the full generated string is returned.
+ * @return {string} - A randomly generated Base64 URL-encoded string. If targetLen is provided, returns a substring of the specified length.
+ */
+export declare function generateState(bytes?: number, targetLen?: number): string;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/core/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/core/pkce.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,OAAO;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,MAAM,GAAE,MAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CAGxE;AAED;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,KAAK,GAAE,MAAW,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAG5E"}

package/dist/core/pkce.js

@@ -0,0 +1,27 @@
+import crypto from 'node:crypto';
+import pkceChallenge from 'pkce-challenge';
+/**
+ * Generates a PKCE (Proof Key for Code Exchange) pair consisting of a code verifier and a code challenge.
+ *
+ * @param {number} [length=86] - The desired length of the code verifier. Defaults to 86 if not specified.
+ * @return {Promise<{codeVerifier: string, codeChallenge: string}>} A promise that resolves to an object containing the code verifier and code challenge.
+ */
+export async function generatePkce(length = 86) {
+    const { code_verifier, code_challenge } = await pkceChallenge(length);
+    return { codeVerifier: code_verifier, codeChallenge: code_challenge };
+}
+/**
+ * Generates a random string state encoded in Base64 URL format.
+ * Optionally allows truncation of the generated state to a specific length.
+ *
+ * @param {number} [bytes=32] - The number of random bytes to generate.
+ * @param {number} [targetLen] - The desired length of the output string. If not specified, the full generated string is returned.
+ * @return {string} - A randomly generated Base64 URL-encoded string. If targetLen is provided, returns a substring of the specified length.
+ */
+export function generateState(bytes = 32, targetLen) {
+    const state = base64url(crypto.randomBytes(bytes));
+    return targetLen ? state.slice(0, targetLen) : state;
+}
+function base64url(buf) {
+    return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+}

package/dist/facades/owox-token-facade.d.ts

@@ -0,0 +1,27 @@
+import { AuthResult, Payload } from '@owox/idp-protocol';
+import { Logger } from '@owox/internal-helpers';
+import { NextFunction, Request, Response } from 'express';
+import { IdentityOwoxClient, TokenResponse } from '../client/index.js';
+import type { IdpOwoxConfig } from '../config/idp-owox-config.js';
+import type { DatabaseStore } from '../store/database-store.js';
+/**
+ * Wraps Identity OWOX token operations and refresh-token cookies.
+ */
+export declare class OwoxTokenFacade {
+    private readonly identityClient;
+    private readonly store;
+    private readonly config;
+    private readonly logger;
+    private readonly cookieName;
+    private readonly tokenService;
+    constructor(identityClient: IdentityOwoxClient, store: DatabaseStore, config: IdpOwoxConfig, logger: Logger, cookieName?: string);
+    changeAuthCode(code: string, state: string): Promise<TokenResponse>;
+    introspectToken(token: string): Promise<Payload | null>;
+    parseToken(token: string): Promise<Payload | null>;
+    verifyToken(token: string): Promise<Payload | null>;
+    refreshToken(refreshToken: string): Promise<AuthResult>;
+    revokeToken(token: string): Promise<void>;
+    accessTokenMiddleware(req: Request, res: Response, _next: NextFunction): Promise<void | Response>;
+    setTokenToCookie(res: Response, req: Request, refreshToken: string, expiresIn: number): void;
+}
+//# sourceMappingURL=owox-token-facade.d.ts.map

package/dist/facades/owox-token-facade.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"owox-token-facade.d.ts","sourceRoot":"","sources":["../../src/facades/owox-token-facade.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EACL,kBAAkB,EAKlB,aAAa,EACd,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAKlE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAIhE;;GAEG;AACH,qBAAa,eAAe;IAIxB,OAAO,CAAC,QAAQ,CAAC,cAAc;IAC/B,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAP7B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;gBAGzB,cAAc,EAAE,kBAAkB,EAClC,KAAK,EAAE,aAAa,EACpB,MAAM,EAAE,aAAa,EACrB,MAAM,EAAE,MAAM,EACd,UAAU,GAAE,MAAkC;IAW3D,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAmBnE,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAWvD,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAIlD,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAInD,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAiBvD,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKzC,qBAAqB,CACzB,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC;IA4C3B,gBAAgB,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM;CAOtF"}

package/dist/facades/owox-token-facade.js

@@ -0,0 +1,117 @@
+import { CORE_REFRESH_TOKEN_COOKIE } from '../core/constants.js';
+import { AuthenticationException, IdpFailedException } from '../core/exceptions.js';
+import { toPayload } from '../mappers/client-payload-mapper.js';
+import { TokenService } from '../services/core/token-service.js';
+import { StoreReason } from '../store/store-result.js';
+import { buildCookieOptions, clearCookie } from '../utils/cookie-policy.js';
+/**
+ * Wraps Identity OWOX token operations and refresh-token cookies.
+ */
+export class OwoxTokenFacade {
+    identityClient;
+    store;
+    config;
+    logger;
+    cookieName;
+    tokenService;
+    constructor(identityClient, store, config, logger, cookieName = CORE_REFRESH_TOKEN_COOKIE) {
+        this.identityClient = identityClient;
+        this.store = store;
+        this.config = config;
+        this.logger = logger;
+        this.cookieName = cookieName;
+        const tokenCfg = {
+            algorithm: this.config.jwtConfig.algorithm,
+            clockTolerance: this.config.jwtConfig.clockTolerance,
+            issuer: this.config.jwtConfig.issuer,
+            jwtKeyCacheTtl: this.config.jwtConfig.jwtKeyCacheTtl,
+        };
+        this.tokenService = new TokenService(this.identityClient, tokenCfg);
+    }
+    async changeAuthCode(code, state) {
+        const res = await this.store.getAuthState(state);
+        if (!res.code) {
+            if (res.reason == StoreReason.EXPIRED) {
+                throw new AuthenticationException('Code verifier has expired');
+            }
+            throw new IdpFailedException(`Code verifier is not available: ${res.reason ?? 'unknown'}`);
+        }
+        const request = {
+            grantType: 'authorization_code',
+            authCode: code,
+            codeVerifier: res.code,
+            clientId: this.config.idpConfig.clientId,
+        };
+        return await this.identityClient.getToken(request);
+    }
+    async introspectToken(token) {
+        const request = { token: token };
+        const response = await this.identityClient.introspectToken(request);
+        if (!response.isActive) {
+            return null;
+        }
+        return toPayload(response);
+    }
+    async parseToken(token) {
+        return this.tokenService.parse(token);
+    }
+    async verifyToken(token) {
+        return this.tokenService.verify(token);
+    }
+    async refreshToken(refreshToken) {
+        const request = {
+            grantType: 'refresh_token',
+            refreshToken: refreshToken,
+            clientId: this.config.idpConfig.clientId,
+        };
+        const response = await this.identityClient.getToken(request);
+        return {
+            accessToken: response.accessToken,
+            refreshToken: response.refreshToken,
+            accessTokenExpiresIn: response.accessTokenExpiresIn,
+            refreshTokenExpiresIn: response.refreshTokenExpiresIn,
+        };
+    }
+    async revokeToken(token) {
+        const request = { token: token, tokenType: 'refresh_token' };
+        await this.identityClient.revokeToken(request);
+    }
+    async accessTokenMiddleware(req, res, _next) {
+        try {
+            const refreshToken = req.cookies[this.cookieName];
+            if (!refreshToken) {
+                return res.json({ reason: 'atm1' });
+            }
+            const auth = await this.refreshToken(refreshToken);
+            const newRefreshToken = auth.refreshToken;
+            if (!newRefreshToken) {
+                return res.json({ reason: 'atm2' });
+            }
+            if (!auth.refreshTokenExpiresIn) {
+                return res.json({ reason: 'atm3' });
+            }
+            this.setTokenToCookie(res, req, newRefreshToken, auth.refreshTokenExpiresIn);
+            return res.json(auth);
+        }
+        catch (error) {
+            clearCookie(res, this.cookieName, req);
+            if (error instanceof AuthenticationException) {
+                this.logger.info(this.tokenService.formatError(error), {
+                    context: error.name,
+                    params: error.context,
+                    cause: error.cause,
+                });
+                return res.json({ reason: 'atm4' });
+            }
+            if (error instanceof IdpFailedException) {
+                this.logger.error('Access Token middleware failed with unexpected code', error.context, error.cause);
+                return res.json({ reason: 'atm5' });
+            }
+            this.logger.error(this.tokenService.formatError(error));
+            return res.json({ reason: 'atm6' });
+        }
+    }
+    setTokenToCookie(res, req, refreshToken, expiresIn) {
+        res.cookie(this.cookieName, refreshToken, buildCookieOptions(req, { maxAgeMs: expiresIn * 1000 }));
+    }
+}