@peterbud/nuxt-aegis 1.1.0-alpha

package/dist/runtime/server/providers/oauthBase.d.ts

@@ -0,0 +1,72 @@
+import type { OAuthConfig, OAuthProviderConfig } from '../../types/index.js';
+type ProviderKey = 'google' | 'microsoft' | 'github' | 'auth0' | 'mock';
+/**
+ * Type mapping from provider keys to their configuration types
+ */
+type ProviderConfigMap = {
+    google: import('../../types').GoogleProviderConfig;
+    microsoft: import('../../types').MicrosoftProviderConfig;
+    github: import('../../types').GithubProviderConfig;
+    auth0: import('../../types').Auth0ProviderConfig;
+    mock: import('../../types').MockProviderConfig;
+};
+/**
+ * Validates and filters custom authorization parameters
+ * Removes protected OAuth parameters and logs warnings when they are attempted
+ *
+ * @param authorizationParams - Custom parameters from configuration
+ * @param providerKey - Provider identifier for logging
+ * @returns Filtered parameters safe to merge with OAuth query
+ */
+export declare function validateAuthorizationParams(authorizationParams: Record<string, string> | undefined, providerKey: string): Record<string, string>;
+/**
+ * OAuth provider implementation interface
+ * Defines the structure required for OAuth provider implementations
+ */
+export interface OAuthProviderImplementation<TKey extends ProviderKey = ProviderKey> {
+    /** Default configuration for the provider */
+    defaultConfig: Partial<OAuthProviderConfig>;
+    /** Authorization URL for the provider */
+    authorizeUrl: string;
+    /** Token exchange URL for the provider */
+    tokenUrl: string;
+    /** User info URL for the provider */
+    userInfoUrl: string;
+    /** Runtime config key for this provider (e.g., 'google', 'microsoft') */
+    runtimeConfigKey: TKey;
+    /** Extract user info from provider response */
+    extractUser: (userResponse: unknown) => {
+        [key: string]: unknown;
+    };
+    /** Build authorization URL query parameters */
+    buildAuthQuery: (config: OAuthProviderConfig, redirectUri: string, state?: string) => Record<string, string>;
+    /** Build token exchange body parameters */
+    buildTokenBody: (config: OAuthProviderConfig, code: string, redirectUri: string) => Record<string, string>;
+}
+/**
+ * Helper function to create a properly typed OAuth provider implementation
+ * Infers the provider key from the runtimeConfigKey property
+ */
+export declare function defineOAuthProvider<TKey extends ProviderKey>(implementation: OAuthProviderImplementation<TKey>): OAuthProviderImplementation<TKey>;
+/**
+ * Base OAuth event handler that provides common OAuth flow functionality
+ *
+ * Handles the complete OAuth 2.0 authorization code flow with CODE-based token delivery:
+ *
+ * Initial Request (no code parameter):
+ * - Redirect user to provider's authorization page
+ * - Initiate OAuth flow
+ *
+ * Callback Request (with code parameter from provider):
+ * 1. Exchange authorization code for provider tokens
+ * 2. Validate tokens and extract user information
+ * 3. Generate cryptographically secure authorization CODE
+ * 4. Store CODE with user data (60s expiration, configurable)
+ * 5. Redirect to /auth/callback with CODE as query parameter
+ *
+ * Error Handling:
+ * - Generic error redirect to prevent information leakage
+ * - Security event logging for all failures
+ */
+export declare function defineOAuthEventHandler<TKey extends ProviderKey, TConfig extends ProviderConfigMap[TKey] = ProviderConfigMap[TKey]>(implementation: OAuthProviderImplementation<TKey>, { config, onError, customClaims: _customClaims, onUserInfo: _onUserInfo, onSuccess: _onSuccess, }: OAuthConfig<TConfig>): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<void>>;
+export {};

package/dist/runtime/server/providers/oauthBase.js

@@ -0,0 +1,183 @@
+import { eventHandler, getRequestURL, getQuery, sendRedirect, createError } from "h3";
+import { defu } from "defu";
+import { useNitroApp, useRuntimeConfig } from "#imports";
+import { withQuery } from "ufo";
+import { generateAuthCode, storeAuthCode } from "../utils/authCodeStore.js";
+import { createLogger } from "../utils/logger.js";
+import { useAegisHandler } from "../utils/handler.js";
+const logger = createLogger("OAuth");
+const PROTECTED_PARAMS = ["client_id", "redirect_uri", "code", "grant_type"];
+export function validateAuthorizationParams(authorizationParams, providerKey) {
+  if (!authorizationParams) {
+    return {};
+  }
+  const filtered = {};
+  const protectedFound = [];
+  for (const [key, value] of Object.entries(authorizationParams)) {
+    if (PROTECTED_PARAMS.includes(key)) {
+      protectedFound.push(key);
+    } else {
+      filtered[key] = value;
+    }
+  }
+  if (protectedFound.length > 0) {
+    logger.warn(`Protected OAuth parameters cannot be overridden in authorizationParams for ${providerKey}:`, {
+      attempted: protectedFound,
+      protected: PROTECTED_PARAMS,
+      message: "These parameters are ignored for security reasons"
+    });
+  }
+  return filtered;
+}
+export function defineOAuthProvider(implementation) {
+  return implementation;
+}
+function getOAuthRedirectUri(event) {
+  const requestURL = getRequestURL(event);
+  return `${requestURL.protocol}//${requestURL.host}${requestURL.pathname}`;
+}
+export function defineOAuthEventHandler(implementation, {
+  config,
+  onError,
+  customClaims: _customClaims,
+  onUserInfo: _onUserInfo,
+  onSuccess: _onSuccess
+}) {
+  return eventHandler(async (event) => {
+    try {
+      const runtimeConfig = useRuntimeConfig(event).nuxtAegis;
+      const providerRuntimeConfig = runtimeConfig.providers?.[implementation.runtimeConfigKey] || {};
+      const mergedConfig = defu(config, providerRuntimeConfig, implementation.defaultConfig);
+      if (!mergedConfig.clientId || !mergedConfig.clientSecret) {
+        throw createError({
+          statusCode: 500,
+          statusMessage: "Internal Server Error",
+          message: `OAuth provider ${implementation.runtimeConfigKey} is not properly configured`
+        });
+      }
+      const query = getQuery(event);
+      if (query.error) {
+        throw createError({
+          statusCode: 400,
+          statusMessage: "OAuth Error",
+          message: `OAuth provider returned error: ${query.error}`
+        });
+      }
+      const redirectUri = mergedConfig.redirectUri || getOAuthRedirectUri(event);
+      if (!query.code) {
+        const authQuery = implementation.buildAuthQuery(mergedConfig, redirectUri, query.state);
+        return sendRedirect(event, withQuery(implementation.authorizeUrl, authQuery));
+      }
+      const tokenBody = implementation.buildTokenBody(mergedConfig, query.code, redirectUri);
+      const tokenResponse = await $fetch(implementation.tokenUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          "Accept": "application/json"
+        },
+        body: new URLSearchParams(tokenBody)
+      });
+      const { access_token, refresh_token, id_token, expires_in } = tokenResponse;
+      if (!access_token) {
+        throw createError({
+          statusCode: 400,
+          statusMessage: "OAuth Token Error",
+          message: "Failed to obtain access token from provider"
+        });
+      }
+      const userResponse = await $fetch(implementation.userInfoUrl, {
+        headers: {
+          Authorization: `Bearer ${access_token}`
+        }
+      });
+      let providerUserInfo = implementation.extractUser(userResponse);
+      const tokens = { access_token, refresh_token, id_token, expires_in };
+      if (_onUserInfo) {
+        providerUserInfo = await _onUserInfo(providerUserInfo, tokens, event);
+      } else {
+        const handler = useAegisHandler();
+        if (handler?.onUserInfo) {
+          const hookPayload = {
+            providerUserInfo,
+            tokens,
+            provider: implementation.runtimeConfigKey,
+            event
+          };
+          const transformedUser = await handler.onUserInfo(hookPayload);
+          if (transformedUser) {
+            providerUserInfo = transformedUser;
+          }
+        }
+      }
+      let resolvedCustomClaims;
+      if (_customClaims) {
+        if (typeof _customClaims === "function") {
+          resolvedCustomClaims = await _customClaims(providerUserInfo, tokens);
+        } else {
+          resolvedCustomClaims = _customClaims;
+        }
+      }
+      if (_onSuccess) {
+        await _onSuccess({
+          providerUserInfo,
+          tokens,
+          provider: implementation.runtimeConfigKey,
+          event
+        });
+      }
+      const nitroApp = useNitroApp();
+      const successPayload = {
+        providerUserInfo,
+        tokens,
+        provider: implementation.runtimeConfigKey,
+        event
+      };
+      await nitroApp.hooks.callHook("nuxt-aegis:success", successPayload);
+      try {
+        const authCode = generateAuthCode();
+        const authCodeExpiresIn = runtimeConfig.authCode?.expiresIn || 60;
+        await storeAuthCode(
+          authCode,
+          providerUserInfo,
+          tokens,
+          implementation.runtimeConfigKey,
+          resolvedCustomClaims,
+          authCodeExpiresIn,
+          event
+        );
+        logger.security("OAuth authentication successful, redirecting with CODE", {
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          event: "OAUTH_SUCCESS_REDIRECT",
+          codePrefix: `${authCode.substring(0, 8)}...`
+        });
+        const callbackUrl = new URL(runtimeConfig.endpoints?.callbackPath || "/auth/callback", getOAuthRedirectUri(event));
+        callbackUrl.searchParams.set("code", authCode);
+        return sendRedirect(event, callbackUrl.href);
+      } catch (codeError) {
+        logger.error("Authorization code generation/storage failed", {
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          event: "CODE_GENERATION_ERROR",
+          error: import.meta.dev ? codeError : "Error details hidden in production",
+          severity: "error"
+        });
+        const errorUrl = new URL(runtimeConfig.endpoints?.callbackPath || "/auth/callback", getOAuthRedirectUri(event));
+        errorUrl.searchParams.set("error", "authentication_failed");
+        return sendRedirect(event, errorUrl.href);
+      }
+    } catch (error) {
+      logger.error("OAuth authentication error", {
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        event: "OAUTH_AUTH_ERROR",
+        error: import.meta.dev ? error : "Error details hidden in production",
+        severity: "error"
+      });
+      if (onError) {
+        return await onError(event, error);
+      }
+      const runtimeConfig = useRuntimeConfig(event).nuxtAegis;
+      const errorUrl = new URL(runtimeConfig.endpoints?.callbackPath || "/auth/callback", getOAuthRedirectUri(event));
+      errorUrl.searchParams.set("error", "authentication_failed");
+      return sendRedirect(event, errorUrl.href);
+    }
+  });
+}

package/dist/runtime/server/routes/impersonate.post.d.ts

@@ -0,0 +1,21 @@
+/**
+ * POST /auth/impersonate
+ * Allows privileged users (admins) to impersonate another user
+ *
+ * Request body:
+ * - targetUserId: string (required) - The ID of the user to impersonate
+ * - reason: string (optional) - Reason for impersonation
+ *
+ * Response:
+ * - accessToken: string - JWT for impersonated session (no refresh token)
+ *
+ * Requirements:
+ * - Impersonation feature must be enabled in config
+ * - Requester must pass permission check (default: admin role)
+ * - Target user must exist
+ * - Cannot impersonate while already impersonating
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    accessToken: string;
+}>>;
+export default _default;

package/dist/runtime/server/routes/impersonate.post.js

@@ -0,0 +1,68 @@
+import { defineEventHandler, readBody, createError, getHeader } from "h3";
+import { verifyToken } from "../utils/jwt.js";
+import { startImpersonation } from "../utils/impersonation.js";
+import { useRuntimeConfig } from "#imports";
+import { createLogger } from "../utils/logger.js";
+const logger = createLogger("Impersonate");
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  if (!config.nuxtAegis?.impersonation?.enabled) {
+    throw createError({
+      statusCode: 404,
+      message: "Impersonation feature is not enabled"
+    });
+  }
+  try {
+    const authHeader = getHeader(event, "authorization");
+    if (!authHeader?.startsWith("Bearer ")) {
+      throw createError({
+        statusCode: 401,
+        message: "Authentication required"
+      });
+    }
+    const token = authHeader.substring(7);
+    const tokenConfig = config.nuxtAegis?.token;
+    if (!tokenConfig?.secret) {
+      throw createError({
+        statusCode: 500,
+        message: "Token configuration is missing"
+      });
+    }
+    const currentUser = await verifyToken(token, tokenConfig.secret);
+    if (!currentUser) {
+      throw createError({
+        statusCode: 401,
+        message: "Invalid or expired token"
+      });
+    }
+    const body = await readBody(event);
+    if (!body || !body.targetUserId) {
+      throw createError({
+        statusCode: 400,
+        message: "targetUserId is required"
+      });
+    }
+    const accessToken = await startImpersonation(
+      currentUser,
+      body.targetUserId,
+      body.reason,
+      event
+    );
+    logger.security("Impersonation started", {
+      admin: currentUser.sub,
+      target: body.targetUserId,
+      reason: body.reason
+    });
+    return { accessToken };
+  } catch (error) {
+    logger.error("Impersonation failed:", error);
+    const err = error;
+    if (err.statusCode) {
+      throw error;
+    }
+    throw createError({
+      statusCode: 500,
+      message: err.message || "Failed to start impersonation"
+    });
+  }
+});

package/dist/runtime/server/routes/logout.post.d.ts

@@ -0,0 +1,9 @@
+/**
+ * POST /auth/logout
+ * Ends the user session by clearing authentication cookies and revoking refresh token
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    success: boolean;
+    message: string;
+}>>;
+export default _default;

package/dist/runtime/server/routes/logout.post.js

@@ -0,0 +1,24 @@
+import { defineEventHandler, getCookie } from "h3";
+import { hashRefreshToken, revokeRefreshToken } from "../utils/refreshToken.js";
+import { clearToken } from "../utils/cookies.js";
+import { useRuntimeConfig } from "#imports";
+import { createLogger } from "../utils/logger.js";
+const logger = createLogger("Logout");
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig(event);
+  const cookieConfig = config.nuxtAegis?.tokenRefresh?.cookie;
+  try {
+    const cookieName = cookieConfig?.cookieName || "nuxt-aegis-refresh";
+    const refreshToken = getCookie(event, cookieName);
+    if (refreshToken) {
+      const hashedRefreshToken = hashRefreshToken(refreshToken);
+      await revokeRefreshToken(hashedRefreshToken, event);
+    }
+    clearToken(event, cookieConfig);
+    return { success: true, message: "Logout successful" };
+  } catch (error) {
+    logger.error("Logout error:", error);
+    clearToken(event, cookieConfig);
+    return { success: true, message: "Logout completed" };
+  }
+});

package/dist/runtime/server/routes/me.get.d.ts

@@ -0,0 +1,6 @@
+/**
+ * GET /api/user/me
+ * Returns the current authenticated user's information
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<import("../../types/index.js").TokenPayload>>;
+export default _default;

package/dist/runtime/server/routes/me.get.js

@@ -0,0 +1,11 @@
+import { defineEventHandler, createError } from "h3";
+export default defineEventHandler(async (event) => {
+  if (event.context.user) {
+    return event.context.user;
+  }
+  throw createError({
+    statusCode: 401,
+    statusMessage: "Unauthorized",
+    message: "Authentication required"
+  });
+});

package/dist/runtime/server/routes/mock/authorize.get.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Mock OAuth Authorization Endpoint
+ * Simulates: OAuth provider's authorization endpoint
+ *
+ * DEVELOPMENT/TEST ONLY
+ *
+ * This simulates an OAuth provider's authorization flow.
+ * In real OAuth, users would see a login/consent page.
+ * For testing, we auto-approve and redirect back immediately.
+ *
+ * Query Parameters:
+ * - response_type: Should be 'code'
+ * - client_id: OAuth client ID
+ * - redirect_uri: Where to redirect back
+ * - scope: Requested scopes
+ * - state: Optional state parameter for CSRF protection
+ * - user: (Optional) User persona identifier from mockUsers config
+ * - mock_error: (Optional) Simulate OAuth error response
+ *
+ * Error Simulation:
+ * - ?mock_error=access_denied - User denied access
+ * - ?mock_error=invalid_request - Invalid request parameters
+ * - ?mock_error=unauthorized_client - Client not authorized
+ * - ?mock_error=invalid_scope - Invalid scope requested
+ * - ?mock_error=server_error - Server error
+ * - ?mock_error=temporarily_unavailable - Service temporarily unavailable
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<void>>;
+export default _default;

package/dist/runtime/server/routes/mock/authorize.get.js

@@ -0,0 +1,103 @@
+import { defineEventHandler, getQuery, sendRedirect, createError } from "h3";
+import { withQuery } from "ufo";
+import { useRuntimeConfig } from "#imports";
+import { generateMockCode, storeMockCode } from "../../utils/mockCodeStore.js";
+import { createLogger } from "../../utils/logger.js";
+const logger = createLogger("MockAuthorize");
+export default defineEventHandler(async (event) => {
+  const query = getQuery(event);
+  const runtimeConfig = useRuntimeConfig(event);
+  const mockConfig = runtimeConfig.nuxtAegis?.providers?.mock;
+  if (!mockConfig) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "[nuxt-aegis] Mock provider not configured"
+    });
+  }
+  if (!query.client_id) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Bad Request",
+      message: "Missing required parameter: client_id"
+    });
+  }
+  if (!query.redirect_uri || typeof query.redirect_uri !== "string") {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Bad Request",
+      message: "Missing required parameter: redirect_uri"
+    });
+  }
+  if (query.response_type !== "code") {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Bad Request",
+      message: 'Invalid response_type. Must be "code"'
+    });
+  }
+  if (query.mock_error) {
+    const validErrors = [
+      "access_denied",
+      "invalid_request",
+      "unauthorized_client",
+      "invalid_scope",
+      "server_error",
+      "temporarily_unavailable"
+    ];
+    const errorCode = query.mock_error;
+    const errorDescription = getErrorDescription(errorCode);
+    if (!validErrors.includes(errorCode)) {
+      console.warn(`[nuxt-aegis] Invalid mock_error: ${errorCode}. Valid errors:`, validErrors);
+    }
+    return sendRedirect(event, withQuery(query.redirect_uri, {
+      error: errorCode,
+      error_description: errorDescription,
+      state: query.state || ""
+    }));
+  }
+  const userParam = query.user;
+  const userId = userParam || mockConfig.defaultUser || Object.keys(mockConfig.mockUsers)[0];
+  if (!userId) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "[nuxt-aegis] Mock provider has no users configured"
+    });
+  }
+  if (!mockConfig.mockUsers[userId]) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Bad Request",
+      message: `[nuxt-aegis] Invalid user persona: ${userId}. Available: ${Object.keys(mockConfig.mockUsers).join(", ")}`
+    });
+  }
+  const code = generateMockCode();
+  storeMockCode({
+    code,
+    userId,
+    // Store the user persona identifier
+    clientId: query.client_id,
+    redirectUri: query.redirect_uri
+  });
+  logger.debug("Generated authorization code:", {
+    code: code.substring(0, 20) + "...",
+    user: userId,
+    clientId: query.client_id
+  });
+  return sendRedirect(event, withQuery(query.redirect_uri, {
+    code,
+    state: query.state || ""
+  }));
+});
+function getErrorDescription(errorCode) {
+  const descriptions = {
+    access_denied: "The user denied the authorization request",
+    invalid_request: "The request is missing a required parameter or is otherwise malformed",
+    unauthorized_client: "The client is not authorized to request an authorization code",
+    invalid_scope: "The requested scope is invalid, unknown, or malformed",
+    server_error: "The authorization server encountered an unexpected error",
+    temporarily_unavailable: "The authorization server is currently unable to handle the request"
+  };
+  return descriptions[errorCode] || "Mock OAuth error for testing";
+}

package/dist/runtime/server/routes/mock/token.post.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Mock OAuth Token Endpoint
+ * Simulates: OAuth provider's token exchange endpoint
+ *
+ * DEVELOPMENT/TEST ONLY
+ *
+ * Exchanges authorization code for OAuth tokens.
+ *
+ * Request Body:
+ * - code: Authorization code from authorize endpoint
+ * - client_id: OAuth client ID
+ * - client_secret: OAuth client secret
+ * - redirect_uri: Same redirect_uri used in authorize
+ * - grant_type: Should be 'authorization_code'
+ *
+ * Response:
+ * - access_token: OAuth access token
+ * - refresh_token: OAuth refresh token
+ * - id_token: JWT ID token (optional)
+ * - expires_in: Token lifetime in seconds
+ * - token_type: Always 'Bearer'
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    access_token: string;
+    refresh_token: string;
+    id_token: string;
+    expires_in: number;
+    token_type: string;
+    scope: string;
+}>>;
+export default _default;

package/dist/runtime/server/routes/mock/token.post.js

@@ -0,0 +1,88 @@
+import { defineEventHandler, readBody, createError } from "h3";
+import { useRuntimeConfig } from "#imports";
+import { retrieveAndDeleteMockCode, storeMockToken } from "../../utils/mockCodeStore.js";
+import { createLogger } from "../../utils/logger.js";
+const logger = createLogger("MockToken");
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event);
+  const runtimeConfig = useRuntimeConfig(event);
+  const mockConfig = runtimeConfig.nuxtAegis?.providers?.mock;
+  if (!mockConfig) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "[nuxt-aegis] Mock provider not configured"
+    });
+  }
+  if (!body.code) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "invalid_request",
+      message: "Missing required parameter: code"
+    });
+  }
+  if (!body.client_id) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "invalid_request",
+      message: "Missing required parameter: client_id"
+    });
+  }
+  if (!body.client_secret) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "invalid_request",
+      message: "Missing required parameter: client_secret"
+    });
+  }
+  if (body.grant_type !== "authorization_code") {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "unsupported_grant_type",
+      message: 'Invalid grant_type. Must be "authorization_code"'
+    });
+  }
+  const codeData = retrieveAndDeleteMockCode(body.code);
+  if (!codeData) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "invalid_grant",
+      message: "Invalid authorization code"
+    });
+  }
+  if (codeData.clientId !== body.client_id) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "invalid_grant",
+      message: "Client ID mismatch"
+    });
+  }
+  if (codeData.redirectUri !== body.redirect_uri) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "invalid_grant",
+      message: "Redirect URI mismatch"
+    });
+  }
+  if (body.client_secret !== mockConfig.clientSecret) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "invalid_client",
+      message: "Invalid client credentials"
+    });
+  }
+  logger.debug("Token exchange successful for user:", codeData.userId);
+  const randomBytes = crypto.getRandomValues(new Uint8Array(32));
+  const randomHex = Array.from(randomBytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  const accessToken = `mock_aegis_access_${randomHex}`;
+  storeMockToken(accessToken, codeData.userId);
+  return {
+    access_token: accessToken,
+    refresh_token: `mock_aegis_refresh_${randomHex.slice(0, 32)}`,
+    id_token: `mock.aegis.idtoken.${randomHex.slice(0, 24)}`,
+    expires_in: 3600,
+    // 1 hour
+    token_type: "Bearer",
+    scope: mockConfig.scopes?.join(" ") || "openid profile email"
+  };
+});

package/dist/runtime/server/routes/mock/userinfo.get.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Mock OAuth UserInfo Endpoint
+ * Simulates: OAuth provider's user profile endpoint
+ *
+ * DEVELOPMENT/TEST ONLY
+ *
+ * Returns user information based on the access token.
+ * The user data is retrieved from the mockUsers configuration
+ * using the token->user mapping stored during token exchange.
+ *
+ * Headers:
+ * - Authorization: Bearer <access_token>
+ *
+ * Response:
+ * User profile data from mockUsers configuration, including:
+ * - sub: User subject identifier (required)
+ * - email: User's email address (required)
+ * - name: User's full name (required)
+ * - Additional custom claims as defined in mockUsers
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    [key: string]: unknown;
+    sub: string;
+    email: string;
+    name: string;
+}>>;
+export default _default;