@platf/bridge 0.0.17 → 0.0.18
- package/dist/lib/discoveryRoutes.d.ts +2 -2
- package/dist/lib/discoveryRoutes.js +6 -6
- package/dist/lib/discoveryRoutes.js.map +1 -1
- package/dist/lib/oauthProxy.d.ts +3 -3
- package/dist/lib/oauthProxy.js +9 -9
- package/dist/lib/oauthProxy.js.map +1 -1
- package/package.json +1 -1
- package/src/lib/discoveryRoutes.ts +6 -6
- package/src/lib/oauthProxy.ts +9 -9
|
@@ -4,9 +4,9 @@
|
|
|
4
4
|
* When auth is enabled these routes expose:
|
|
5
5
|
* - GET /.well-known/oauth-protected-resource[/*] (RFC 9728)
|
|
6
6
|
* - GET /.well-known/oauth-authorization-server[/*] (RFC 8414 — proxied from issuer)
|
|
7
|
-
* - POST /
|
|
7
|
+
* - POST /register (Pseudo-DCR — RFC 7591)
|
|
8
8
|
*
|
|
9
|
-
* OAuth proxy routes (/
|
|
9
|
+
* OAuth proxy routes (/authorize, /token, /jwks) are in oauthProxy.ts.
|
|
10
10
|
*
|
|
11
11
|
* These endpoints are unauthenticated — they must be accessible to
|
|
12
12
|
* any client performing OAuth discovery before obtaining a token.
|
|
@@ -4,9 +4,9 @@
|
|
|
4
4
|
* When auth is enabled these routes expose:
|
|
5
5
|
* - GET /.well-known/oauth-protected-resource[/*] (RFC 9728)
|
|
6
6
|
* - GET /.well-known/oauth-authorization-server[/*] (RFC 8414 — proxied from issuer)
|
|
7
|
-
* - POST /
|
|
7
|
+
* - POST /register (Pseudo-DCR — RFC 7591)
|
|
8
8
|
*
|
|
9
|
-
* OAuth proxy routes (/
|
|
9
|
+
* OAuth proxy routes (/authorize, /token, /jwks) are in oauthProxy.ts.
|
|
10
10
|
*
|
|
11
11
|
* These endpoints are unauthenticated — they must be accessible to
|
|
12
12
|
* any client performing OAuth discovery before obtaining a token.
|
|
@@ -85,9 +85,9 @@ export function createDiscoveryRouter(auth, logger) {
|
|
|
85
85
|
const host = req.get('host');
|
|
86
86
|
const bridgeOrigin = `${scheme}://${host}`;
|
|
87
87
|
metadata.issuer = bridgeOrigin;
|
|
88
|
-
metadata.authorization_endpoint = `${bridgeOrigin}/
|
|
89
|
-
metadata.token_endpoint = `${bridgeOrigin}/
|
|
90
|
-
metadata.registration_endpoint = `${bridgeOrigin}/
|
|
88
|
+
metadata.authorization_endpoint = `${bridgeOrigin}/authorize`;
|
|
89
|
+
metadata.token_endpoint = `${bridgeOrigin}/token`;
|
|
90
|
+
metadata.registration_endpoint = `${bridgeOrigin}/register`;
|
|
91
91
|
metadata.jwks_uri = `${bridgeOrigin}/jwks`;
|
|
92
92
|
res.json(metadata);
|
|
93
93
|
}
|
|
@@ -104,7 +104,7 @@ export function createDiscoveryRouter(auth, logger) {
|
|
|
104
104
|
* (e.g., VS Code Copilot) discover the correct client_id through
|
|
105
105
|
* the normal DCR flow without requiring out-of-band configuration.
|
|
106
106
|
*/
|
|
107
|
-
router.post('/
|
|
107
|
+
router.post('/register', (req, res) => {
|
|
108
108
|
const body = req.body ?? {};
|
|
109
109
|
res.status(201).json({
|
|
110
110
|
client_id: auth.clientId,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"discoveryRoutes.js","sourceRoot":"","sources":["../../src/lib/discoveryRoutes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,MAAM,EAA+B,MAAM,SAAS,CAAA;AAG7D,MAAM,UAAU,qBAAqB,CAAC,IAAgB,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAA;IAEvB;;;;;;;;;;;;;;;;;;OAkBG;IACH,MAAM,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAClF,wDAAwD;QACxD,+CAA+C;QAC/C,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;QAC1C,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,YAAY,MAAM;YAC/B,4DAA4D;YAC5D,qBAAqB,EAAE,CAAC,YAAY,CAAC;YACrC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF,MAAM,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACpF,oEAAoE;QACpE,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;QAC1C,MAAM,YAAY,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;QACxC,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,YAAY,GAAG,YAAY,EAAE;YAC1C,4DAA4D;YAC5D,qBAAqB,EAAE,CAAC,YAAY,CAAC;YACrC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,GAAG,CAAC,0CAA0C,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC3F,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,yCAAyC,CAAA;YAC3E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAA;YAEzC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;gBAC3E,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;YAC1D,CAAC;YAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAA;YAEnE,kDAAkD;YAClD,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;YAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;YAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAA
A;YAC1C,QAAQ,CAAC,MAAM,GAAG,YAAY,CAAA;YAC9B,QAAQ,CAAC,sBAAsB,GAAG,GAAG,YAAY,
|
|
1
|
+
{"version":3,"file":"discoveryRoutes.js","sourceRoot":"","sources":["../../src/lib/discoveryRoutes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,MAAM,EAA+B,MAAM,SAAS,CAAA;AAG7D,MAAM,UAAU,qBAAqB,CAAC,IAAgB,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAA;IAEvB;;;;;;;;;;;;;;;;;;OAkBG;IACH,MAAM,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAClF,wDAAwD;QACxD,+CAA+C;QAC/C,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;QAC1C,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,YAAY,MAAM;YAC/B,4DAA4D;YAC5D,qBAAqB,EAAE,CAAC,YAAY,CAAC;YACrC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF,MAAM,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACpF,oEAAoE;QACpE,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;QAC1C,MAAM,YAAY,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;QACxC,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,YAAY,GAAG,YAAY,EAAE;YAC1C,4DAA4D;YAC5D,qBAAqB,EAAE,CAAC,YAAY,CAAC;YACrC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,GAAG,CAAC,0CAA0C,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC3F,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,yCAAyC,CAAA;YAC3E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAA;YAEzC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;gBAC3E,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;YAC1D,CAAC;YAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAA;YAEnE,kDAAkD;YAClD,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;YAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;YAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAA
A;YAC1C,QAAQ,CAAC,MAAM,GAAG,YAAY,CAAA;YAC9B,QAAQ,CAAC,sBAAsB,GAAG,GAAG,YAAY,YAAY,CAAA;YAC7D,QAAQ,CAAC,cAAc,GAAG,GAAG,YAAY,QAAQ,CAAA;YACjD,QAAQ,CAAC,qBAAqB,GAAG,GAAG,YAAY,WAAW,CAAA;YAC3D,QAAQ,CAAC,QAAQ,GAAG,GAAG,YAAY,OAAO,CAAA;YAE1C,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACpB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAA;YAC3E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACvD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,WAAW,EAAE,cAAc;YAC3B,8CAA8C;YAC9C,0BAA0B,EAAE,MAAM;YAClC,WAAW,EAAE,CAAC,oBAAoB,CAAC;YACnC,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,aAAa,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE;SAC3E,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,OAAO,MAAM,CAAA;AACf,CAAC"}
|
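--- a/package/dist/lib/oauthProxy.d.ts
+++ b/package/dist/lib/oauthProxy.d.ts
@@ -2,9 +2,9 @@
 * OAuth 2.0 proxy routes for the bridge.
 *
 * These routes proxy OAuth endpoints to the upstream authorization server:
-* - GET /
-* - POST /
-* - GET /jwks
+* - GET /authorize → Redirect to upstream (preserves query params)
+* - POST /token → Proxy to upstream
+* - GET /jwks → Proxy JWKS for token verification
 *
 * This separation allows the bridge to advertise itself as the authorization
 * server while delegating actual auth operations to the upstream issuer.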
package/dist/lib/oauthProxy.js
CHANGED
|
@@ -2,9 +2,9 @@
|
|
|
2
2
|
* OAuth 2.0 proxy routes for the bridge.
|
|
3
3
|
*
|
|
4
4
|
* These routes proxy OAuth endpoints to the upstream authorization server:
|
|
5
|
-
* - GET /
|
|
6
|
-
* - POST /
|
|
7
|
-
* - GET /jwks
|
|
5
|
+
* - GET /authorize → Redirect to upstream (preserves query params)
|
|
6
|
+
* - POST /token → Proxy to upstream
|
|
7
|
+
* - GET /jwks → Proxy JWKS for token verification
|
|
8
8
|
*
|
|
9
9
|
* This separation allows the bridge to advertise itself as the authorization
|
|
10
10
|
* server while delegating actual auth operations to the upstream issuer.
|
|
@@ -16,10 +16,10 @@ export function createOAuthProxyRouter(auth, logger) {
|
|
|
16
16
|
* OAuth Authorization Endpoint — Redirect to upstream
|
|
17
17
|
*
|
|
18
18
|
* Since the bridge advertises itself as the authorization_server,
|
|
19
|
-
* clients will attempt to call /
|
|
19
|
+
* clients will attempt to call /authorize here. We redirect
|
|
20
20
|
* to the upstream auth server, preserving all query parameters.
|
|
21
21
|
*/
|
|
22
|
-
router.get('/
|
|
22
|
+
router.get('/authorize', (req, res) => {
|
|
23
23
|
const upstreamUrl = new URL(`${auth.issuer}/oauth/authorize`);
|
|
24
24
|
// Copy all query params to upstream
|
|
25
25
|
for (const [key, value] of Object.entries(req.query)) {
|
|
@@ -27,7 +27,7 @@ export function createOAuthProxyRouter(auth, logger) {
|
|
|
27
27
|
upstreamUrl.searchParams.set(key, value);
|
|
28
28
|
}
|
|
29
29
|
}
|
|
30
|
-
logger.info(`[oauth-proxy] Redirecting /
|
|
30
|
+
logger.info(`[oauth-proxy] Redirecting /authorize to upstream`);
|
|
31
31
|
res.redirect(upstreamUrl.toString());
|
|
32
32
|
});
|
|
33
33
|
/**
|
|
@@ -35,10 +35,10 @@ export function createOAuthProxyRouter(auth, logger) {
|
|
|
35
35
|
*
|
|
36
36
|
* Proxies token exchange requests to the upstream auth server.
|
|
37
37
|
*/
|
|
38
|
-
router.post('/
|
|
38
|
+
router.post('/token', async (req, res) => {
|
|
39
39
|
try {
|
|
40
40
|
const upstreamUrl = `${auth.issuer}/oauth/token`;
|
|
41
|
-
logger.info('[oauth-proxy] Proxying /
|
|
41
|
+
logger.info('[oauth-proxy] Proxying /token to upstream');
|
|
42
42
|
const upstreamRes = await fetch(upstreamUrl, {
|
|
43
43
|
method: 'POST',
|
|
44
44
|
headers: {
|
|
@@ -54,7 +54,7 @@ export function createOAuthProxyRouter(auth, logger) {
|
|
|
54
54
|
res.send(data);
|
|
55
55
|
}
|
|
56
56
|
catch (err) {
|
|
57
|
-
logger.error('[oauth-proxy] Error proxying /
|
|
57
|
+
logger.error('[oauth-proxy] Error proxying /token:', err.message ?? err);
|
|
58
58
|
res.status(502).json({ error: 'upstream_error' });
|
|
59
59
|
}
|
|
60
60
|
});
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauthProxy.js","sourceRoot":"","sources":["../../src/lib/oauthProxy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,EAA+B,MAAM,SAAS,CAAA;AAG7D,MAAM,UAAU,sBAAsB,CAAC,IAAgB,EAAE,MAAc;IACrE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAA;IAEvB;;;;;;OAMG;IACH,MAAM,CAAC,GAAG,CAAC,
|
|
1
|
+
{"version":3,"file":"oauthProxy.js","sourceRoot":"","sources":["../../src/lib/oauthProxy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,EAA+B,MAAM,SAAS,CAAA;AAG7D,MAAM,UAAU,sBAAsB,CAAC,IAAgB,EAAE,MAAc;IACrE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAA;IAEvB;;;;;;OAMG;IACH,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACvD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,kBAAkB,CAAC,CAAA;QAC7D,oCAAoC;QACpC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACrD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YAC1C,CAAC;QACH,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAA;QAC/D,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAA;IACtC,CAAC,CAAC,CAAA;IAEF;;;;OAIG;IACH,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC1D,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,cAAc,CAAA;YAChD,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAA;YAExD,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE;gBAC3C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,mCAAmC;iBAC/E;gBACD,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,QAAQ,CAAC,kBAAkB,CAAC;oBACzD,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;oBAC1B,CAAC,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,IAA8B,CAAC,CAAC,QAAQ,EAAE;aACvE,CAAC,CAAA;YAEF,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,CAAA;YACrC,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAA;YAC9B,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,kBAAkB,CAAC,CAAA;YACtF,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAA;YACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF;;;;OAIG;IACH,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAE,EAAE;QACzD,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,OAAO,CAAA;YACzC,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAA;YAC5C,MAAM,IAA
I,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,CAAA;YACrC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAA;YACvE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,MAAM,CAAA;AACf,CAAC"}
|
package/package.json
CHANGED
|
@@ -4,9 +4,9 @@
|
|
|
4
4
|
* When auth is enabled these routes expose:
|
|
5
5
|
* - GET /.well-known/oauth-protected-resource[/*] (RFC 9728)
|
|
6
6
|
* - GET /.well-known/oauth-authorization-server[/*] (RFC 8414 — proxied from issuer)
|
|
7
|
-
* - POST /
|
|
7
|
+
* - POST /register (Pseudo-DCR — RFC 7591)
|
|
8
8
|
*
|
|
9
|
-
* OAuth proxy routes (/
|
|
9
|
+
* OAuth proxy routes (/authorize, /token, /jwks) are in oauthProxy.ts.
|
|
10
10
|
*
|
|
11
11
|
* These endpoints are unauthenticated — they must be accessible to
|
|
12
12
|
* any client performing OAuth discovery before obtaining a token.
|
|
@@ -94,9 +94,9 @@ export function createDiscoveryRouter(auth: AuthConfig, logger: Logger): Router
|
|
|
94
94
|
const host = req.get('host')
|
|
95
95
|
const bridgeOrigin = `${scheme}://${host}`
|
|
96
96
|
metadata.issuer = bridgeOrigin
|
|
97
|
-
metadata.authorization_endpoint = `${bridgeOrigin}/
|
|
98
|
-
metadata.token_endpoint = `${bridgeOrigin}/
|
|
99
|
-
metadata.registration_endpoint = `${bridgeOrigin}/
|
|
97
|
+
metadata.authorization_endpoint = `${bridgeOrigin}/authorize`
|
|
98
|
+
metadata.token_endpoint = `${bridgeOrigin}/token`
|
|
99
|
+
metadata.registration_endpoint = `${bridgeOrigin}/register`
|
|
100
100
|
metadata.jwks_uri = `${bridgeOrigin}/jwks`
|
|
101
101
|
|
|
102
102
|
res.json(metadata)
|
|
@@ -114,7 +114,7 @@ export function createDiscoveryRouter(auth: AuthConfig, logger: Logger): Router
|
|
|
114
114
|
* (e.g., VS Code Copilot) discover the correct client_id through
|
|
115
115
|
* the normal DCR flow without requiring out-of-band configuration.
|
|
116
116
|
*/
|
|
117
|
-
router.post('/
|
|
117
|
+
router.post('/register', (req: Request, res: Response) => {
|
|
118
118
|
const body = req.body ?? {}
|
|
119
119
|
res.status(201).json({
|
|
120
120
|
client_id: auth.clientId,
|
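Review bot: The advertised `authorization_endpoint`, `token_endpoint`, `registration_endpoint` and `jwks_uri` in the `@@ -94,9 +94,9 @@` hunk are all built from `bridgeOrigin`, which comes from `req.get('host')`, a value the caller controls on routes the file header describes as unauthenticated. If this response is ever cached, or the bridge sits behind a proxy that forwards the client's Host header unchanged, a client could be handed discovery metadata that points at a different origin. Consider deriving the origin from a configured public base URL, or checking `host` against an allowlist before building the endpoints; `scheme` is defined outside the hunk, so how it is derived cannot be confirmed from here. The handler starts and ends outside the hunk, and the compiled copy in dist/lib/discoveryRoutes.js carries the same lines.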
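--- a/package/src/lib/oauthProxy.ts
+++ b/package/src/lib/oauthProxy.ts
@@ -2,9 +2,9 @@
 * OAuth 2.0 proxy routes for the bridge.
 *
 * These routes proxy OAuth endpoints to the upstream authorization server:
-* - GET /
-* - POST /
-* - GET /jwks
+* - GET /authorize → Redirect to upstream (preserves query params)
+* - POST /token → Proxy to upstream
+* - GET /jwks → Proxy JWKS for token verification
 *
 * This separation allows the bridge to advertise itself as the authorization
 * server while delegating actual auth operations to the upstream issuer.
@@ -20,10 +20,10 @@ export function createOAuthProxyRouter(auth: AuthConfig, logger: Logger): Router
 * OAuth Authorization Endpoint — Redirect to upstream
 *
 * Since the bridge advertises itself as the authorization_server,
-* clients will attempt to call /
+* clients will attempt to call /authorize here. We redirect
 * to the upstream auth server, preserving all query parameters.
 */
-router.get('/
+router.get('/authorize', (req: Request, res: Response) => {
 const upstreamUrl = new URL(`${auth.issuer}/oauth/authorize`)
 // Copy all query params to upstream
 for (const [key, value] of Object.entries(req.query)) {
@@ -31,7 +31,7 @@ export function createOAuthProxyRouter(auth: AuthConfig, logger: Logger): Router
 upstreamUrl.searchParams.set(key, value)
 }
 }
-logger.info(`[oauth-proxy] Redirecting /
+logger.info(`[oauth-proxy] Redirecting /authorize to upstream`)
 res.redirect(upstreamUrl.toString())
 })
 
@@ -40,10 +40,10 @@ export function createOAuthProxyRouter(auth: AuthConfig, logger: Logger): Router
 *
 * Proxies token exchange requests to the upstream auth server.
 */
-router.post('/
+router.post('/token', async (req: Request, res: Response) => {
 try {
 const upstreamUrl = `${auth.issuer}/oauth/token`
-logger.info('[oauth-proxy] Proxying /
+logger.info('[oauth-proxy] Proxying /token to upstream')
 
 const upstreamRes = await fetch(upstreamUrl, {
 method: 'POST',
@@ -60,7 +60,7 @@ export function createOAuthProxyRouter(auth: AuthConfig, logger: Logger): Router
 res.set('Content-Type', upstreamRes.headers.get('Content-Type') || 'application/json')
 res.send(data)
 } catch (err: any) {
-logger.error('[oauth-proxy] Error proxying /
+logger.error('[oauth-proxy] Error proxying /token:', err.message ?? err)
 res.status(502).json({ error: 'upstream_error' })
 }
 })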
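Review bot: The `/token` proxy relays a response that carries tokens, but in the visible lines of the `@@ -60,7 +60,7 @@` hunk only `Content-Type` is set before `res.send(data)`, while RFC 6749 §5.1 requires `Cache-Control: no-store` on such responses. Unless that header is already set in the lines the hunks skip (50–59), add `res.set('Cache-Control', 'no-store')` next to the Content-Type line so an intermediary between the client and the bridge cannot store the token response. The `fetch(upstreamUrl, {` call also shows no timeout in the visible lines, so a stalled upstream would hold the request open until the client gives up. The handler body continues outside the hunks, and the compiled copy in dist/lib/oauthProxy.js carries the same lines.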