@portel/photon 1.22.0 → 1.23.0

package/dist/serv/auth/auth-store.js

@@ -0,0 +1,240 @@
+/**
+ * Authorization Server state stores.
+ *
+ * Holds the short-lived + persistent state the OAuth 2.1 authorization server
+ * needs: authorization codes, refresh tokens, registered clients (DCR),
+ * remembered user consents, and in-flight authorization requests that are
+ * paused awaiting user consent.
+ *
+ * In-memory implementations are suitable for single-instance self-host.
+ * For multi-instance deployments swap with a shared-store implementation
+ * (Redis/D1) that implements the same interfaces.
+ */
+import { randomBytes, createHash, timingSafeEqual } from 'crypto';
+export class MemoryAuthCodeStore {
+    codes = new Map();
+    async save(code) {
+        if (this.codes.has(code.code)) {
+            throw new Error('authorization code collision');
+        }
+        this.codes.set(code.code, code);
+    }
+    async peek(code) {
+        const entry = this.codes.get(code);
+        if (!entry)
+            return null;
+        if (entry.expiresAt.getTime() < Date.now())
+            return null;
+        return entry;
+    }
+    async consume(code) {
+        const entry = this.codes.get(code);
+        if (!entry)
+            return null;
+        this.codes.delete(code); // single-use: delete even if expired
+        if (entry.expiresAt.getTime() < Date.now())
+            return null;
+        return entry;
+    }
+    async sweep(now = new Date()) {
+        let removed = 0;
+        for (const [k, v] of this.codes) {
+            if (v.expiresAt.getTime() < now.getTime()) {
+                this.codes.delete(k);
+                removed++;
+            }
+        }
+        return removed;
+    }
+    size() {
+        return this.codes.size;
+    }
+}
+export class MemoryRefreshTokenStore {
+    tokens = new Map();
+    async save(token) {
+        this.tokens.set(token.token, token);
+    }
+    async find(token) {
+        const entry = this.tokens.get(token);
+        if (!entry)
+            return null;
+        if (entry.expiresAt.getTime() < Date.now())
+            return null;
+        return entry;
+    }
+    async rotate(oldToken, newToken) {
+        const existing = this.tokens.get(oldToken);
+        if (!existing)
+            return null;
+        if (existing.expiresAt.getTime() < Date.now()) {
+            this.tokens.delete(oldToken);
+            return null;
+        }
+        this.tokens.delete(oldToken);
+        this.tokens.set(newToken.token, newToken);
+        return newToken;
+    }
+    async revoke(token) {
+        return this.tokens.delete(token);
+    }
+    async sweep(now = new Date()) {
+        let removed = 0;
+        for (const [k, v] of this.tokens) {
+            if (v.expiresAt.getTime() < now.getTime()) {
+                this.tokens.delete(k);
+                removed++;
+            }
+        }
+        return removed;
+    }
+    size() {
+        return this.tokens.size;
+    }
+}
+export class MemoryClientRegistry {
+    clients = new Map();
+    async save(client) {
+        this.clients.set(client.clientId, client);
+    }
+    async find(clientId) {
+        return this.clients.get(clientId) ?? null;
+    }
+    async touch(clientId, now = new Date()) {
+        const entry = this.clients.get(clientId);
+        if (entry)
+            entry.lastUsedAt = now;
+    }
+    async delete(clientId) {
+        return this.clients.delete(clientId);
+    }
+    async sweep(maxIdleMs, now = new Date()) {
+        let removed = 0;
+        const threshold = now.getTime() - maxIdleMs;
+        for (const [k, v] of this.clients) {
+            if (v.lastUsedAt.getTime() < threshold) {
+                this.clients.delete(k);
+                removed++;
+            }
+        }
+        return removed;
+    }
+    size() {
+        return this.clients.size;
+    }
+}
+export class MemoryConsentStore {
+    records = new Map();
+    key(userId, tenantId, clientId) {
+        return `${tenantId}::${userId}::${clientId}`;
+    }
+    async save(record) {
+        const k = this.key(record.userId, record.tenantId, record.clientId);
+        this.records.set(k, record);
+    }
+    async covers(userId, tenantId, clientId, scopes) {
+        const k = this.key(userId, tenantId, clientId);
+        const entry = this.records.get(k);
+        if (!entry)
+            return false;
+        if (entry.expiresAt.getTime() < Date.now()) {
+            this.records.delete(k);
+            return false;
+        }
+        const stored = new Set(entry.scopes.split(' ').filter(Boolean));
+        return scopes.every((s) => stored.has(s));
+    }
+    async revoke(userId, tenantId, clientId) {
+        return this.records.delete(this.key(userId, tenantId, clientId));
+    }
+    async sweep(now = new Date()) {
+        let removed = 0;
+        for (const [k, v] of this.records) {
+            if (v.expiresAt.getTime() < now.getTime()) {
+                this.records.delete(k);
+                removed++;
+            }
+        }
+        return removed;
+    }
+    size() {
+        return this.records.size;
+    }
+}
+export class MemoryPendingAuthorizationStore {
+    pending = new Map();
+    async save(req) {
+        this.pending.set(req.id, req);
+    }
+    async peek(id) {
+        const entry = this.pending.get(id);
+        if (!entry)
+            return null;
+        if (entry.expiresAt.getTime() < Date.now())
+            return null;
+        return entry;
+    }
+    async consume(id) {
+        const entry = this.pending.get(id);
+        if (!entry)
+            return null;
+        this.pending.delete(id);
+        if (entry.expiresAt.getTime() < Date.now())
+            return null;
+        return entry;
+    }
+    async sweep(now = new Date()) {
+        let removed = 0;
+        for (const [k, v] of this.pending) {
+            if (v.expiresAt.getTime() < now.getTime()) {
+                this.pending.delete(k);
+                removed++;
+            }
+        }
+        return removed;
+    }
+    size() {
+        return this.pending.size;
+    }
+}
+// ============================================================================
+// Helpers
+// ============================================================================
+/**
+ * Generate a URL-safe random string of the given byte-length.
+ */
+export function generateSecureToken(bytes = 32) {
+    return randomBytes(bytes).toString('base64url');
+}
+/**
+ * Hash a secret with SHA-256 for storage. Not a password; client_secret
+ * is high-entropy and rotated, so sha256 is acceptable and avoids bcrypt's
+ * 72-byte limit and pbkdf2's latency on every token request.
+ */
+export function hashClientSecret(secret) {
+    return createHash('sha256').update(secret).digest('base64url');
+}
+/**
+ * Timing-safe comparison of a presented secret against a stored hash.
+ */
+export function verifyClientSecret(presented, storedHash) {
+    const presentedHash = hashClientSecret(presented);
+    const a = Buffer.from(presentedHash);
+    const b = Buffer.from(storedHash);
+    if (a.length !== b.length)
+        return false;
+    return timingSafeEqual(a, b);
+}
+/**
+ * Normalise a scope string into a sorted, deduped, space-joined key. Used
+ * for consent-record keys so `"read write"` and `"write read"` match.
+ */
+export function normalizeScopes(scope) {
+    if (!scope)
+        return '';
+    const parts = scope.split(/\s+/).filter(Boolean);
+    const unique = Array.from(new Set(parts));
+    unique.sort();
+    return unique.join(' ');
+}
+//# sourceMappingURL=auth-store.js.map

package/dist/serv/auth/auth-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-store.js","sourceRoot":"","sources":["../../../src/serv/auth/auth-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AA2BlE,MAAM,OAAO,mBAAmB;IACtB,KAAK,GAAG,IAAI,GAAG,EAA6B,CAAC;IAErD,KAAK,CAAC,IAAI,CAAC,IAAuB;QAChC,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAY;QACrB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,IAAI,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QACxD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,IAAY;QACxB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,qCAAqC;QAC9D,IAAI,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QACxD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,MAAY,IAAI,IAAI,EAAE;QAChC,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAChC,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC1C,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACrB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI;QACF,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;CACF;AAeD,MAAM,OAAO,uBAAuB;IAC1B,MAAM,GAAG,IAAI,GAAG,EAAwB,CAAC;IAEjD,KAAK,CAAC,IAAI,CAAC,KAAmB;QAC5B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAa;QACtB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,IAAI,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QACxD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAgB,EAAE,QAAsB;QACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3C,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC3B,IAAI,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC9C,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC1C,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,MAAY,IAAI,IAAI,EAAE;QAChC,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACjC,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC1C,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACtB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI;QACF,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;CACF;AAgBD,MAAM,OAAO,oBAAoB;IACvB,OAAO,GAAG,IAAI,GAAG,EAA4B,CAAC;IAEtD,KAAK,CAAC,IAAI,CAAC,MAAwB;QACjC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,QAAgB;QACzB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,QAAgB,EAAE,MAAY,IAAI,IAAI,EAAE;QAClD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzC,IAAI,KAAK;YAAE,KAAK,CAAC,UAAU,GAAG,GAAG,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAgB;QAC3B,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,SAAiB,EAAE,MAAY,IAAI,IAAI,EAAE;QACnD,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC;QAC5C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,SAAS,EAAE,CAAC;gBACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACvB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI;QACF,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;CACF;AAmBD,MAAM,OAAO,kBAAkB;IACrB,OAAO,GAAG,IAAI,GAAG,EAAyB,CAAC;IAE3C,GAAG,CAAC,MAAc,EAAE,QAAgB,EAAE,QAAgB;QAC5D,OAAO,GAAG,QAAQ,KAAK,MAAM,KAAK,QAAQ,EAAE,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,MAAqB;QAC9B,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QACpE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,MAAM,CACV,MAAc,EACd,QAAgB,EAChB,QAAgB,EAChB,MAAgB;QAEhB,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,IAAI,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC3C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAChE,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,MAAc,EAAE,QAAgB,EAAE,QAAgB;QAC7D,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;IACnE,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,MAAY,IAAI,IAAI,EAAE;QAChC,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC1C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACvB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI;QACF,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;CACF;AA4CD,MAAM,OAAO,+BAA+B;IAClC,OAAO,GAAG,IAAI,GAAG,EAAgC,CAAC;IAE1D,KAAK,CAAC,IAAI,CAAC,GAAyB;QAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAU;QACnB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,IAAI,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QACxD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,EAAU;QACtB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACxB,IAAI,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QACxD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,MAAY,IAAI,IAAI,EAAE;QAChC,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC1C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACvB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI;QACF,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;CACF;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAK,GAAG,EAAE;IAC5C,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAClD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AACjE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAAiB,EAAE,UAAkB;IACtE,MAAM,aAAa,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACrC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,KAAgC;IAC9D,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACtB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IAC1C,MAAM,CAAC,IAAI,EAAE,CAAC;IACd,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC1B,CAAC"}

package/dist/serv/auth/endpoints.d.ts

@@ -0,0 +1,113 @@
+/**
+ * OAuth 2.1 Authorization Server HTTP handlers.
+ *
+ * Pure functions (no HTTP framework coupling): each handler takes an
+ * `AuthRequest` describing the inbound HTTP request, plus a `Deps` object
+ * with the stores it needs, and returns an `AuthResponse` `{status, headers, body}`.
+ *
+ * The HTTP-framework adapter (Express/Fetch/Cloudflare Worker) is responsible
+ * for parsing the request, authenticating the user session (if any), and
+ * translating the response back to its native HTTP primitive.
+ *
+ * Implements:
+ * - `/authorize`                  — RFC 6749 §4.1 authorization code grant (PKCE required)
+ * - `/token`                      — RFC 6749 §4.1.3 / §6 / §4.4 (code, refresh, client_credentials)
+ * - `/register`                   — RFC 7591 dynamic client registration
+ * - `/consent`                    — HTML consent screen + POST approve/deny
+ *
+ * CIMD (HTTPS client_id) is resolved via `resolveClientMetadata` from
+ * `./well-known.js`. Both CIMD and DCR clients are accepted at `/authorize`
+ * and `/token`; `/register` writes DCR-only.
+ */
+import type { Tenant } from '../types/index.js';
+import type { AuthCodeStore, RefreshTokenStore, ClientRegistry, ConsentStore, PendingAuthorizationStore } from './auth-store.js';
+import { JwtService } from './jwt.js';
+import { CimdCache } from './well-known.js';
+export interface AuthRequest {
+    method: string;
+    url: string;
+    headers: Record<string, string | string[] | undefined>;
+    /** Raw body for POST — form-urlencoded or JSON depending on endpoint. */
+    body?: string;
+    /**
+     * Resolved authenticated user id. The HTTP adapter fills this in from
+     * its session middleware before invoking the handler. `undefined` means
+     * no valid session; `/authorize` will redirect to login.
+     */
+    userId?: string;
+}
+export interface AuthResponse {
+    status: number;
+    headers: Record<string, string>;
+    body: string;
+}
+export interface EndpointConfig {
+    /** Absolute base URL of this AS; used for `iss` claim + building login redirect. */
+    issuer: string;
+    /** Absolute URL of this AS's `/authorize` endpoint; used for login return_to. */
+    authorizeUrl: string;
+    /** Absolute URL of this AS's `/consent` endpoint. */
+    consentUrl: string;
+    /** Absolute URL of the login/federated-auth entry point. */
+    loginUrl: string;
+    /** First-party clients that bypass the consent screen. */
+    firstPartyClientIds: Set<string>;
+    /** Default scopes granted if client omits scope parameter. */
+    defaultScopes: string[];
+    /** Consent-record TTL. Default 30 days. */
+    consentTtlDays: number;
+    /** Authorization code TTL in seconds. Default 60 per RFC 6749. */
+    codeTtlSeconds: number;
+    /** Access-token TTL in seconds. Default 15 min. */
+    accessTokenTtlSeconds: number;
+    /** Refresh-token TTL in seconds. Default 30 days. */
+    refreshTokenTtlSeconds: number;
+    /** Pending-authorization TTL in seconds. Default 10 min. */
+    pendingTtlSeconds: number;
+    /** DCR client idle-TTL in milliseconds. Default 30 days. */
+    clientIdleTtlMs: number;
+    /** PHOTON_SINGLE_USER self-host mode: always treat caller as this user id. */
+    singleUserId?: string;
+}
+export declare const DEFAULT_ENDPOINT_CONFIG: Omit<EndpointConfig, 'issuer' | 'authorizeUrl' | 'consentUrl' | 'loginUrl'>;
+export interface EndpointDeps {
+    tenant: Tenant;
+    config: EndpointConfig;
+    codeStore: AuthCodeStore;
+    refreshTokenStore: RefreshTokenStore;
+    clientRegistry: ClientRegistry;
+    consentStore: ConsentStore;
+    pendingStore: PendingAuthorizationStore;
+    jwtService: JwtService;
+    cimdCache: CimdCache;
+    /** Optional override for testing. */
+    now?: () => Date;
+    /** Optional logger hook. */
+    log?: (level: 'info' | 'warn' | 'error', msg: string, meta?: Record<string, unknown>) => void;
+}
+export declare function handleAuthorize(req: AuthRequest, deps: EndpointDeps): Promise<AuthResponse>;
+export declare function handleConsent(req: AuthRequest, deps: EndpointDeps): Promise<AuthResponse>;
+export declare function handleToken(req: AuthRequest, deps: EndpointDeps): Promise<AuthResponse>;
+export declare function handleRegister(req: AuthRequest, deps: EndpointDeps): Promise<AuthResponse>;
+/**
+ * Token revocation endpoint per RFC 7009.
+ *
+ * Accepts `token` + `token_type_hint` (access_token|refresh_token).
+ * Always returns 200 even if the token didn't exist (spec §2.2 — prevents
+ * token scanning). Access tokens are JWTs so we can't actively revoke them
+ * without a denylist; we revoke the refresh token and rely on the 15-min
+ * access-token TTL for cleanup.
+ */
+export declare function handleRevoke(req: AuthRequest, deps: EndpointDeps): Promise<AuthResponse>;
+/**
+ * Token introspection endpoint per RFC 7662.
+ *
+ * Accepts `token` and returns metadata: active (boolean), scope, client_id,
+ * sub, exp, iat. Returns `{active: false}` for unknown/expired/revoked
+ * tokens without leaking why.
+ *
+ * Caller must be an authenticated confidential client (§2.1 — "protected
+ * resource"); this prevents arbitrary callers from probing token validity.
+ */
+export declare function handleIntrospect(req: AuthRequest, deps: EndpointDeps): Promise<AuthResponse>;
+//# sourceMappingURL=endpoints.d.ts.map

package/dist/serv/auth/endpoints.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"endpoints.d.ts","sourceRoot":"","sources":["../../../src/serv/auth/endpoints.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAKV,MAAM,EACP,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EACV,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,yBAAyB,EAE1B,MAAM,iBAAiB,CAAC;AAOzB,OAAO,EAAE,UAAU,EAAuB,MAAM,UAAU,CAAC;AAC3D,OAAO,EAAyB,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAOnE,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;IACvD,yEAAyE;IACzE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;CACd;AAMD,MAAM,WAAW,cAAc;IAC7B,oFAAoF;IACpF,MAAM,EAAE,MAAM,CAAC;IACf,iFAAiF;IACjF,YAAY,EAAE,MAAM,CAAC;IACrB,qDAAqD;IACrD,UAAU,EAAE,MAAM,CAAC;IACnB,4DAA4D;IAC5D,QAAQ,EAAE,MAAM,CAAC;IACjB,0DAA0D;IAC1D,mBAAmB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,8DAA8D;IAC9D,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,2CAA2C;IAC3C,cAAc,EAAE,MAAM,CAAC;IACvB,kEAAkE;IAClE,cAAc,EAAE,MAAM,CAAC;IACvB,mDAAmD;IACnD,qBAAqB,EAAE,MAAM,CAAC;IAC9B,qDAAqD;IACrD,sBAAsB,EAAE,MAAM,CAAC;IAC/B,4DAA4D;IAC5D,iBAAiB,EAAE,MAAM,CAAC;IAC1B,4DAA4D;IAC5D,eAAe,EAAE,MAAM,CAAC;IACxB,8EAA8E;IAC9E,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,eAAO,MAAM,uBAAuB,EAAE,IAAI,CACxC,cAAc,EACd,QAAQ,GAAG,cAAc,GAAG,YAAY,GAAG,UAAU,CAUtD,CAAC;AAEF,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,cAAc,CAAC;IACvB,SAAS,EAAE,aAAa,CAAC;IACzB,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,cAAc,EAAE,cAAc,CAAC;IAC/B,YAAY,EAAE,YAAY,CAAC;IAC3B,YAAY,EAAE,yBAAyB,CAAC;IACxC,UAAU,EAAE,UAAU,CAAC;IACvB,SAAS,EAAE,SAAS,CAAC;IACrB,qCAAqC;IACrC,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;IACjB,4BAA4B;IAC5B,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;CAC/F;AAuED,wBAAsB,eAAe,CAAC,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC,CAIjG;AAgLD,wBAAsB,aAAa,CAAC,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC,CAI/F;AA8FD,wBAAsB,WAAW,CAAC,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC,CAM7F;AAgZD,wBAAsB,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC,CAIhG;AA4HD;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAAC,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC,CAI9F;AAiDD;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,YAAY,CAAC,CAIvB"}