@pureq/auth 0.2.0

package/dist/middleware/tokenLifecycle.js

@@ -0,0 +1,52 @@
+import { markPolicyMiddleware } from "@pureq/pureq";
+import { buildAuthError } from "../shared";
+import { decodeJwt } from "../jwt";
+export function withTokenLifecycle(options) {
+    const refreshThresholdMs = options.refreshThresholdMs ?? 5 * 60000;
+    let refreshPromise = null;
+    const ensureRefresh = async () => {
+        if (!refreshPromise) {
+            refreshPromise = options.onRefreshNeeded().finally(() => {
+                refreshPromise = null;
+            });
+        }
+        return refreshPromise;
+    };
+    const middleware = async (req, next) => {
+        const token = await options.storage.get();
+        if (token) {
+            let claims;
+            try {
+                claims = decodeJwt(token);
+            }
+            catch (error) {
+                throw buildAuthError("PUREQ_AUTH_INVALID_TOKEN", "pureq: failed to inspect token lifecycle", error);
+            }
+            if (typeof claims.exp === "number") {
+                const now = Date.now();
+                const expMs = claims.exp * 1000;
+                if (expMs <= now) {
+                    options.onExpired?.();
+                    try {
+                        await options.storage.set(await ensureRefresh());
+                    }
+                    catch (error) {
+                        throw buildAuthError("PUREQ_AUTH_EXPIRED", "pureq: token expired", error);
+                    }
+                }
+                else if (expMs - now <= refreshThresholdMs) {
+                    options.onStale?.();
+                    try {
+                        await options.storage.set(await ensureRefresh());
+                    }
+                    catch (error) {
+                        throw buildAuthError("PUREQ_AUTH_REFRESH_FAILED", "pureq: token refresh failed", error);
+                    }
+                }
+            }
+        }
+        return next(req);
+    };
+    return markPolicyMiddleware(middleware, { name: "withTokenLifecycle", kind: "auth" });
+}
+//# sourceMappingURL=tokenLifecycle.js.map

package/dist/middleware/tokenLifecycle.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenLifecycle.js","sourceRoot":"","sources":["../../src/middleware/tokenLifecycle.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAEpD,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AAEnC,MAAM,UAAU,kBAAkB,CAAC,OAA8B;IAC/D,MAAM,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,IAAI,CAAC,GAAG,KAAM,CAAC;IACpE,IAAI,cAAc,GAA2B,IAAI,CAAC;IAElD,MAAM,aAAa,GAAG,KAAK,IAAqB,EAAE;QAChD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,cAAc,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;gBACtD,cAAc,GAAG,IAAI,CAAC;YACxB,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,cAAc,CAAC;IACxB,CAAC,CAAC;IAEF,MAAM,UAAU,GAAe,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACjD,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QAC1C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,MAAiC,CAAC;YAEtC,IAAI,CAAC;gBACH,MAAM,GAAG,SAAS,CAA4B,KAAK,CAAC,CAAC;YACvD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,cAAc,CAAC,0BAA0B,EAAE,0CAA0C,EAAE,KAAK,CAAC,CAAC;YACtG,CAAC;YAED,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACnC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;gBACvB,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC;gBAChC,IAAI,KAAK,IAAI,GAAG,EAAE,CAAC;oBACjB,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC;oBACtB,IAAI,CAAC;wBACH,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,aAAa,EAAE,CAAC,CAAC;oBACnD,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,MAAM,cAAc,CAAC,oBAAoB,EAAE,sBAAsB,EAAE,KAAK,CAAC,CAAC;oBAC5E,CAAC;gBACH,CAAC;qBAAM,IAAI,KAAK,GAAG,GAAG,IAAI,kBAAkB,EAAE,CAAC;oBAC7C,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;oBACpB,IAAI,CAAC;wBACH,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,aAAa,EAAE,CAAC,CAAC;oBACnD,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,MAAM,cAAc,CAAC,2BAA2B,EAAE,6BAA6B,EAAE,KAAK,CAAC,CAAC;oBAC1F,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;IACnB,CAAC,CAAC;IAEF,OAAO,oBAAoB,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;AACxF,CAAC"}

package/dist/migration/index.d.ts

@@ -0,0 +1,40 @@
+import type { AuthSessionManager, AuthSessionState, AuthStore, AuthTokens } from "../shared";
+export interface AuthLegacyTokenSnapshot {
+    readonly accessToken?: string | null;
+    readonly access_token?: string | null;
+    readonly token?: string | null;
+    readonly refreshToken?: string | null;
+    readonly refresh_token?: string | null;
+    readonly refresh?: string | null;
+    readonly tokens?: AuthLegacyTokenSnapshot | null;
+}
+export interface AuthMigrationResult {
+    readonly tokens: AuthTokens | null;
+    readonly source: "legacy-object" | "legacy-string" | "legacy-nested" | "empty";
+}
+export type AuthMigrationParityStatus = "covered" | "partial" | "missing";
+export interface AuthMigrationAnalysisInput {
+    readonly legacyInput?: unknown;
+    readonly hasProviders?: boolean;
+    readonly hasAdapter?: boolean;
+    readonly hasCallbacks?: boolean;
+    readonly hasSsrBridge?: boolean;
+    readonly enableCsrf?: boolean;
+    readonly enableRevocation?: boolean;
+}
+export interface AuthMigrationAnalysis {
+    readonly normalized: AuthMigrationResult;
+    readonly parity: Readonly<Record<string, AuthMigrationParityStatus>>;
+    readonly cutoverChecklist: readonly string[];
+    readonly rollbackChecklist: readonly string[];
+}
+export declare function normalizeLegacyAuthTokens(input: unknown): AuthMigrationResult;
+export declare function migrateLegacyTokensToStore(store: AuthStore, input: unknown): Promise<AuthMigrationResult>;
+export declare function hydrateSessionManagerFromLegacy(session: AuthSessionManager, input: unknown): Promise<AuthSessionState>;
+export declare function analyzeAuthMigration(input?: AuthMigrationAnalysisInput): AuthMigrationAnalysis;
+export declare function formatMigrationParityReport(analysis: AuthMigrationAnalysis): string;
+export declare function generateMigrationChecklists(analysis: AuthMigrationAnalysis): {
+    readonly cutover: readonly string[];
+    readonly rollback: readonly string[];
+};
+//# sourceMappingURL=index.d.ts.map

package/dist/migration/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/migration/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAE7F,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,uBAAuB,GAAG,IAAI,CAAC;CAClD;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI,CAAC;IACnC,QAAQ,CAAC,MAAM,EAAE,eAAe,GAAG,eAAe,GAAG,eAAe,GAAG,OAAO,CAAC;CAChF;AAED,MAAM,MAAM,yBAAyB,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;IAC/B,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC;IAChC,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC;IAChC,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC;IAChC,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,OAAO,CAAC;CACrC;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,UAAU,EAAE,mBAAmB,CAAC;IACzC,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,yBAAyB,CAAC,CAAC,CAAC;IACrE,QAAQ,CAAC,gBAAgB,EAAE,SAAS,MAAM,EAAE,CAAC;IAC7C,QAAQ,CAAC,iBAAiB,EAAE,SAAS,MAAM,EAAE,CAAC;CAC/C;AAiBD,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB,CA6C7E;AAED,wBAAsB,0BAA0B,CAC9C,KAAK,EAAE,SAAS,EAChB,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,mBAAmB,CAAC,CAiB9B;AAED,wBAAsB,+BAA+B,CACnD,OAAO,EAAE,kBAAkB,EAC3B,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,gBAAgB,CAAC,CAU3B;AAED,wBAAgB,oBAAoB,CAAC,KAAK,GAAE,0BAA+B,GAAG,qBAAqB,CA6ClG;AAED,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,qBAAqB,GAAG,MAAM,CAOnF;AAED,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,qBAAqB,GAAG;IAC5E,QAAQ,CAAC,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;CACtC,CAKA"}

package/dist/migration/index.js

@@ -0,0 +1,136 @@
+function isRecord(value) {
+    return typeof value === "object" && value !== null;
+}
+function readLegacyField(snapshot, keys) {
+    for (const key of keys) {
+        const candidate = snapshot[key];
+        if (typeof candidate === "string" && candidate.trim()) {
+            return candidate;
+        }
+    }
+    return null;
+}
+export function normalizeLegacyAuthTokens(input) {
+    if (typeof input === "string" && input.trim()) {
+        return {
+            tokens: {
+                accessToken: input,
+            },
+            source: "legacy-string",
+        };
+    }
+    if (!isRecord(input)) {
+        return {
+            tokens: null,
+            source: "empty",
+        };
+    }
+    const nested = input.tokens;
+    if (isRecord(nested)) {
+        const nestedResult = normalizeLegacyAuthTokens(nested);
+        if (nestedResult.tokens) {
+            return {
+                tokens: nestedResult.tokens,
+                source: "legacy-nested",
+            };
+        }
+    }
+    const accessToken = readLegacyField(input, ["accessToken", "access_token", "token"]);
+    const refreshToken = readLegacyField(input, ["refreshToken", "refresh_token", "refresh"]);
+    if (!accessToken) {
+        return {
+            tokens: null,
+            source: "empty",
+        };
+    }
+    return {
+        tokens: {
+            accessToken,
+            ...(refreshToken ? { refreshToken } : {}),
+        },
+        source: "legacy-object",
+    };
+}
+export async function migrateLegacyTokensToStore(store, input) {
+    const result = normalizeLegacyAuthTokens(input);
+    if (!result.tokens) {
+        await store.clear();
+        await store.clearRefresh();
+        return result;
+    }
+    await store.set(result.tokens.accessToken);
+    if (result.tokens.refreshToken) {
+        await store.setRefresh(result.tokens.refreshToken);
+    }
+    else {
+        await store.clearRefresh();
+    }
+    return result;
+}
+export async function hydrateSessionManagerFromLegacy(session, input) {
+    const result = normalizeLegacyAuthTokens(input);
+    if (!result.tokens) {
+        await session.clear();
+        return session.getState();
+    }
+    await session.setTokens(result.tokens);
+    return session.getState();
+}
+export function analyzeAuthMigration(input = {}) {
+    const normalized = normalizeLegacyAuthTokens(input.legacyInput ?? null);
+    const parity = {
+        providers: input.hasProviders ? "covered" : "missing",
+        adapter: input.hasAdapter ? "covered" : "missing",
+        callbacks: input.hasCallbacks ? "covered" : "partial",
+        ssrBridge: input.hasSsrBridge ? "covered" : "partial",
+        csrf: input.enableCsrf ? "covered" : "partial",
+        revocation: input.enableRevocation ? "covered" : "partial",
+        legacyTokens: normalized.tokens ? "covered" : "partial",
+    };
+    const cutoverChecklist = [];
+    if (parity.providers !== "covered") {
+        cutoverChecklist.push("Configure provider set and callback route mapping");
+    }
+    if (parity.adapter !== "covered") {
+        cutoverChecklist.push("Wire a production adapter and verify capability probe level");
+    }
+    if (parity.callbacks === "partial") {
+        cutoverChecklist.push("Define signIn/session/signOut callback policy contracts");
+    }
+    if (parity.ssrBridge === "partial") {
+        cutoverChecklist.push("Add SSR/BFF bridge bootstrap and response cookie handoff");
+    }
+    if (parity.csrf === "partial") {
+        cutoverChecklist.push("Enable CSRF protection for browser-mutating routes");
+    }
+    if (parity.revocation === "partial") {
+        cutoverChecklist.push("Enable revocation guard and jti/sid invalidation flow");
+    }
+    const rollbackChecklist = [
+        "Keep legacy token/session parser active behind feature flag",
+        "Retain previous auth route handlers for one release window",
+        "Gate AuthKit activation with environment toggle",
+        "Capture migration parity report in deployment artifact",
+    ];
+    return {
+        normalized,
+        parity,
+        cutoverChecklist,
+        rollbackChecklist,
+    };
+}
+export function formatMigrationParityReport(analysis) {
+    const lines = [
+        "| Area | Status |",
+        "| --- | --- |",
+        ...Object.entries(analysis.parity).map(([area, status]) => `| ${area} | ${status} |`),
+    ];
+    return lines.join("\n");
+}
+export function generateMigrationChecklists(analysis) {
+    return {
+        cutover: analysis.cutoverChecklist,
+        rollback: analysis.rollbackChecklist,
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/migration/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/migration/index.ts"],"names":[],"mappings":"AAoCA,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,CAAC;AACrD,CAAC;AAED,SAAS,eAAe,CAAC,QAA2C,EAAE,IAAuB;IAC3F,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,IAAI,EAAE,EAAE,CAAC;YACtD,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAc;IACtD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;QAC9C,OAAO;YACL,MAAM,EAAE;gBACN,WAAW,EAAE,KAAK;aACnB;YACD,MAAM,EAAE,eAAe;SACxB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,OAAO;SAChB,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;IAC5B,IAAI,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACrB,MAAM,YAAY,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAC;QACvD,IAAI,YAAY,CAAC,MAAM,EAAE,CAAC;YACxB,OAAO;gBACL,MAAM,EAAE,YAAY,CAAC,MAAM;gBAC3B,MAAM,EAAE,eAAe;aACxB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,eAAe,CAAC,KAAK,EAAE,CAAC,aAAa,EAAE,cAAc,EAAE,OAAO,CAAC,CAAC,CAAC;IACrF,MAAM,YAAY,GAAG,eAAe,CAAC,KAAK,EAAE,CAAC,cAAc,EAAE,eAAe,EAAE,SAAS,CAAC,CAAC,CAAC;IAE1F,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,OAAO;SAChB,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE;YACN,WAAW;YACX,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC1C;QACD,MAAM,EAAE,eAAe;KACxB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,KAAgB,EAChB,KAAc;IAEd,MAAM,MAAM,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC;IAEhD,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;QACpB,MAAM,KAAK,CAAC,YAAY,EAAE,CAAC;QAC3B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC3C,IAAI,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QAC/B,MAAM,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACrD,CAAC;SAAM,CAAC;QACN,MAAM,KAAK,CAAC,YAAY,EAAE,CAAC;IAC7B,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,OAA2B,EAC3B,KAAc;IAEd,MAAM,MAAM,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC;IAEhD,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC;IAED,MAAM,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACvC,OAAO,OAAO,CAAC,QAAQ,EAAE,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,QAAoC,EAAE;IACzE,MAAM,UAAU,GAAG,yBAAyB,CAAC,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,CAAC;IACxE,MAAM,MAAM,GAA8C;QACxD,SAAS,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QACrD,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QACjD,SAAS,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QACrD,SAAS,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QACrD,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QAC9C,UAAU,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QAC1D,YAAY,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;KACxD,CAAC;IAEF,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACnC,gBAAgB,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACjC,gBAAgB,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;IACvF,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACnC,gBAAgB,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;IACnF,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACnC,gBAAgB,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;IACpF,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC9B,gBAAgB,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACpC,gBAAgB,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,iBAAiB,GAAa;QAClC,6DAA6D;QAC7D,4DAA4D;QAC5D,iDAAiD;QACjD,wDAAwD;KACzD,CAAC;IAEF,OAAO;QACL,UAAU;QACV,MAAM;QACN,gBAAgB;QAChB,iBAAiB;KAClB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,QAA+B;IACzE,MAAM,KAAK,GAAG;QACZ,mBAAmB;QACnB,eAAe;QACf,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,KAAK,IAAI,MAAM,MAAM,IAAI,CAAC;KACtF,CAAC;IACF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,QAA+B;IAIzE,OAAO;QACL,OAAO,EAAE,QAAQ,CAAC,gBAAgB;QAClC,QAAQ,EAAE,QAAQ,CAAC,iBAAiB;KACrC,CAAC;AACJ,CAAC"}

package/dist/oidc/index.d.ts

@@ -0,0 +1,25 @@
+import type { OIDCCallbackParams, OIDCFlow, OIDCFlowOptions, OIDCProviderDefinition } from "../shared";
+import { oidcProviders } from "./providers";
+export declare function parseOIDCCallbackParams(callback: string | URL | URLSearchParams, expectedState?: string): OIDCCallbackParams;
+/**
+ * Create an OIDC authorization code flow.
+ *
+ * SEC-C5: getAuthorizationUrl returns { url, state, codeVerifier, nonce }.
+ * SEC-H1: No singleton codeVerifier — returned to caller for explicit management.
+ * SEC-H5: id_token validation (iss, aud, exp, nonce).
+ * SEC-H6: nonce support.
+ * SEC-M5: tokenEndpointAuthMethod support.
+ * FEAT-M4: Full OIDC metadata extraction.
+ * FEAT-M5: getLogoutUrl.
+ * FEAT-L4: introspect.
+ */
+export declare function createOIDCFlow(options: OIDCFlowOptions): OIDCFlow;
+/** @deprecated Use `createOIDCFlow` (capital F) instead. */
+export declare const createOIDCflow: typeof createOIDCFlow;
+export declare function createOIDCFlowFromProvider(provider: OIDCProviderDefinition, options: Omit<OIDCFlowOptions, "discoveryUrl" | "defaultScope"> & {
+    readonly defaultScope?: readonly string[];
+}): OIDCFlow;
+/** @deprecated Use `createOIDCFlowFromProvider` (capital F) instead. */
+export declare const createOIDCflowFromProvider: typeof createOIDCFlowFromProvider;
+export { oidcProviders };
+//# sourceMappingURL=index.d.ts.map

package/dist/oidc/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/oidc/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAGV,kBAAkB,EAClB,QAAQ,EACR,eAAe,EACf,sBAAsB,EAGvB,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AA2I5C,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,MAAM,GAAG,GAAG,GAAG,eAAe,EACxC,aAAa,CAAC,EAAE,MAAM,GACrB,kBAAkB,CAmDpB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,eAAe,GAAG,QAAQ,CA+NjE;AAED,4DAA4D;AAC5D,eAAO,MAAM,cAAc,uBAAiB,CAAC;AAE7C,wBAAgB,0BAA0B,CACxC,QAAQ,EAAE,sBAAsB,EAChC,OAAO,EAAE,IAAI,CAAC,eAAe,EAAE,cAAc,GAAG,cAAc,CAAC,GAAG;IAAE,QAAQ,CAAC,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;CAAE,GAC9G,QAAQ,CAsCV;AAED,wEAAwE;AACxE,eAAO,MAAM,0BAA0B,mCAA6B,CAAC;AAErE,OAAO,EAAE,aAAa,EAAE,CAAC"}

package/dist/oidc/index.js

@@ -0,0 +1,392 @@
+import { generateSecureId } from "@pureq/pureq";
+import { base64UrlEncode, base64Encode, createAuthError } from "../shared";
+import { decodeJwt } from "../jwt";
+import { oidcProviders } from "./providers";
+const MAX_CALLBACK_VALUE_LENGTH = 4096;
+const REPLAY_TTL_MS = 10 * 60 * 1000; // 10 minutes
+const MAX_REPLAY_ENTRIES = 10000;
+function toTokenResponse(raw) {
+    const accessToken = raw.access_token ?? raw.accessToken;
+    if (typeof accessToken !== "string" || !accessToken.trim()) {
+        throw createAuthError("PUREQ_OIDC_INVALID_TOKEN_RESPONSE", "pureq: OIDC token response is missing access_token", {
+            details: { keys: Object.keys(raw).sort().join(",") },
+        });
+    }
+    return {
+        accessToken,
+        ...(typeof raw.id_token === "string" ? { idToken: raw.id_token } : {}),
+        ...(typeof raw.refresh_token === "string" ? { refreshToken: raw.refresh_token } : {}),
+        ...(typeof raw.token_type === "string" ? { tokenType: raw.token_type } : {}),
+        ...(typeof raw.expires_in === "number" ? { expiresIn: raw.expires_in } : {}),
+        ...(typeof raw.scope === "string" ? { scope: raw.scope } : {}),
+        raw,
+    };
+}
+async function fetchMetadata(discoveryUrl) {
+    const response = await fetch(discoveryUrl);
+    if (!response.ok) {
+        throw createAuthError("PUREQ_OIDC_DISCOVERY_FAILED", `pureq: failed to load OIDC metadata (${response.status})`, {
+            details: { status: response.status, discoveryUrl },
+        });
+    }
+    const json = (await response.json());
+    if (!json.authorization_endpoint || !json.token_endpoint) {
+        throw createAuthError("PUREQ_OIDC_INVALID_DISCOVERY_DOCUMENT", "pureq: invalid OIDC discovery document", {
+            details: { discoveryUrl },
+        });
+    }
+    return {
+        authorization_endpoint: json.authorization_endpoint,
+        token_endpoint: json.token_endpoint,
+        ...(json.userinfo_endpoint !== undefined ? { userinfo_endpoint: json.userinfo_endpoint } : {}),
+        ...(json.jwks_uri !== undefined ? { jwks_uri: json.jwks_uri } : {}),
+        ...(json.end_session_endpoint !== undefined ? { end_session_endpoint: json.end_session_endpoint } : {}),
+        ...(json.revocation_endpoint !== undefined ? { revocation_endpoint: json.revocation_endpoint } : {}),
+        ...(json.introspection_endpoint !== undefined ? { introspection_endpoint: json.introspection_endpoint } : {}),
+        ...(json.issuer !== undefined ? { issuer: json.issuer } : {}),
+    };
+}
+async function createCodeChallenge(verifier) {
+    const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
+    return base64UrlEncode(new Uint8Array(digest));
+}
+function toSearchParams(callback) {
+    if (callback instanceof URLSearchParams) {
+        return callback;
+    }
+    if (callback instanceof URL) {
+        return callback.searchParams;
+    }
+    if (callback.startsWith("http://") || callback.startsWith("https://")) {
+        return new URL(callback).searchParams;
+    }
+    if (callback.startsWith("?")) {
+        return new URLSearchParams(callback.slice(1));
+    }
+    return new URLSearchParams(callback);
+}
+function sweepReplayCache(cache, now) {
+    if (cache.size <= MAX_REPLAY_ENTRIES) {
+        return;
+    }
+    for (const [key, ts] of cache) {
+        if (now - ts > REPLAY_TTL_MS || cache.size > MAX_REPLAY_ENTRIES) {
+            cache.delete(key);
+        }
+    }
+}
+/** Validate id_token claims (iss, aud, exp, nonce). */
+function validateIdTokenClaims(idToken, expectedIssuer, expectedAudience, expectedNonce) {
+    let claims;
+    try {
+        claims = decodeJwt(idToken);
+    }
+    catch {
+        throw createAuthError("PUREQ_OIDC_INVALID_ID_TOKEN", "pureq: failed to decode id_token");
+    }
+    if (expectedIssuer && claims.iss !== expectedIssuer) {
+        throw createAuthError("PUREQ_OIDC_ID_TOKEN_ISSUER_MISMATCH", "pureq: id_token issuer mismatch", {
+            details: { expected: expectedIssuer, actual: claims.iss ?? "undefined" },
+        });
+    }
+    const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
+    if (!aud.includes(expectedAudience)) {
+        throw createAuthError("PUREQ_OIDC_ID_TOKEN_AUDIENCE_MISMATCH", "pureq: id_token audience mismatch", {
+            details: { expected: expectedAudience },
+        });
+    }
+    if (typeof claims.exp === "number" && claims.exp * 1000 < Date.now()) {
+        throw createAuthError("PUREQ_OIDC_ID_TOKEN_EXPIRED", "pureq: id_token has expired");
+    }
+    if (expectedNonce && claims.nonce !== expectedNonce) {
+        throw createAuthError("PUREQ_OIDC_ID_TOKEN_NONCE_MISMATCH", "pureq: id_token nonce mismatch");
+    }
+}
+function buildAuthHeader(clientId, clientSecret) {
+    return `Basic ${base64Encode(`${clientId}:${clientSecret}`)}`;
+}
+export function parseOIDCCallbackParams(callback, expectedState) {
+    const params = toSearchParams(callback);
+    const readSingle = (name) => {
+        const values = params.getAll(name).filter((value) => value.length > 0);
+        if (values.length > 1) {
+            throw createAuthError("PUREQ_OIDC_INVALID_CALLBACK", `pureq: OIDC callback has duplicated ${name} parameter`, {
+                details: { parameter: name },
+            });
+        }
+        const value = values[0] ?? null;
+        if (value !== null && value.length > MAX_CALLBACK_VALUE_LENGTH) {
+            throw createAuthError("PUREQ_OIDC_INVALID_CALLBACK", `pureq: OIDC callback ${name} is too large`, {
+                details: { parameter: name, length: value.length },
+            });
+        }
+        return value;
+    };
+    const error = readSingle("error");
+    if (error) {
+        const description = readSingle("error_description");
+        throw createAuthError("PUREQ_OIDC_CALLBACK_ERROR", description ? `pureq: OIDC callback error (${error}): ${description}` : `pureq: OIDC callback error (${error})`, {
+            details: {
+                error,
+                ...(description ? { description } : {}),
+            },
+        });
+    }
+    const code = readSingle("code");
+    if (!code) {
+        throw createAuthError("PUREQ_OIDC_MISSING_CODE", "pureq: OIDC callback is missing authorization code", {
+            details: { callback: String(callback) },
+        });
+    }
+    const state = readSingle("state") ?? undefined;
+    if (expectedState && state !== expectedState) {
+        throw createAuthError("PUREQ_OIDC_STATE_MISMATCH", "pureq: OIDC state mismatch", {
+            details: {
+                expectedState,
+                ...(state !== undefined ? { state } : {}),
+            },
+        });
+    }
+    return {
+        code,
+        ...(state ? { state } : {}),
+    };
+}
+/**
+ * Create an OIDC authorization code flow.
+ *
+ * SEC-C5: getAuthorizationUrl returns { url, state, codeVerifier, nonce }.
+ * SEC-H1: No singleton codeVerifier — returned to caller for explicit management.
+ * SEC-H5: id_token validation (iss, aud, exp, nonce).
+ * SEC-H6: nonce support.
+ * SEC-M5: tokenEndpointAuthMethod support.
+ * FEAT-M4: Full OIDC metadata extraction.
+ * FEAT-M5: getLogoutUrl.
+ * FEAT-L4: introspect.
+ */
+export function createOIDCFlow(options) {
+    if (!options.clientId.trim()) {
+        throw createAuthError("PUREQ_OIDC_INVALID_CONFIGURATION", "pureq: OIDC clientId is required", {
+            details: { field: "clientId" },
+        });
+    }
+    if (!options.discoveryUrl.trim()) {
+        throw createAuthError("PUREQ_OIDC_INVALID_CONFIGURATION", "pureq: OIDC discoveryUrl is required", {
+            details: { field: "discoveryUrl" },
+        });
+    }
+    if (!options.redirectUri.trim()) {
+        throw createAuthError("PUREQ_OIDC_INVALID_CONFIGURATION", "pureq: OIDC redirectUri is required", {
+            details: { field: "redirectUri" },
+        });
+    }
+    let metadataPromise = null;
+    // SEC-H2: TTL-based replay detection
+    const consumedCallbackCodes = new Map();
+    const authMethod = options.tokenEndpointAuthMethod ?? "client_secret_post";
+    const getMetadata = () => {
+        if (!metadataPromise) {
+            metadataPromise = fetchMetadata(options.discoveryUrl);
+        }
+        return metadataPromise;
+    };
+    const buildTokenHeaders = () => {
+        const headers = { "Content-Type": "application/x-www-form-urlencoded" };
+        if (authMethod === "client_secret_basic" && options.clientSecret) {
+            headers["Authorization"] = buildAuthHeader(options.clientId, options.clientSecret);
+        }
+        return headers;
+    };
+    const appendClientCredentials = (body) => {
+        body.set("client_id", options.clientId);
+        if (authMethod === "client_secret_post" && options.clientSecret) {
+            body.set("client_secret", options.clientSecret);
+        }
+    };
+    return {
+        async getAuthorizationUrl(authorizationOptions = {}) {
+            const metadata = await getMetadata();
+            const url = new URL(metadata.authorization_endpoint);
+            const state = authorizationOptions.state ?? generateSecureId("oidc-state");
+            const nonce = authorizationOptions.nonce ?? generateSecureId("oidc-nonce");
+            const scope = authorizationOptions.scope ?? options.defaultScope ?? ["openid"];
+            const codeVerifier = generateSecureId("pkce");
+            const codeChallengeMethod = authorizationOptions.codeChallengeMethod ?? "S256";
+            const codeChallenge = authorizationOptions.codeChallenge ??
+                (codeChallengeMethod === "plain" ? codeVerifier : await createCodeChallenge(codeVerifier));
+            url.searchParams.set("response_type", "code");
+            url.searchParams.set("client_id", options.clientId);
+            url.searchParams.set("redirect_uri", options.redirectUri);
+            url.searchParams.set("scope", scope.join(" "));
+            url.searchParams.set("state", state);
+            url.searchParams.set("nonce", nonce);
+            url.searchParams.set("code_challenge", codeChallenge);
+            url.searchParams.set("code_challenge_method", codeChallengeMethod);
+            if (authorizationOptions.prompt) {
+                url.searchParams.set("prompt", authorizationOptions.prompt);
+            }
+            for (const [key, value] of Object.entries(authorizationOptions.extraParams ?? {})) {
+                url.searchParams.set(key, value);
+            }
+            return { url: url.toString(), state, codeVerifier, nonce };
+        },
+        async exchangeCode(code, requestOptions) {
+            const metadata = await getMetadata();
+            const body = new URLSearchParams({
+                grant_type: "authorization_code",
+                code,
+                redirect_uri: options.redirectUri,
+                code_verifier: requestOptions.codeVerifier,
+            });
+            appendClientCredentials(body);
+            const response = await fetch(metadata.token_endpoint, {
+                method: "POST",
+                headers: buildTokenHeaders(),
+                body: body.toString(),
+            });
+            if (!response.ok) {
+                throw createAuthError("PUREQ_OIDC_TOKEN_EXCHANGE_FAILED", `pureq: OIDC code exchange failed (${response.status})`, {
+                    details: { status: response.status, tokenEndpoint: metadata.token_endpoint },
+                });
+            }
+            const tokenResponse = toTokenResponse((await response.json()));
+            // SEC-H5: validate id_token if present
+            if (tokenResponse.idToken) {
+                validateIdTokenClaims(tokenResponse.idToken, metadata.issuer, options.clientId, undefined);
+            }
+            return tokenResponse;
+        },
+        async exchangeCallback(callback, requestOptions) {
+            const params = parseOIDCCallbackParams(callback, requestOptions.expectedState);
+            // SEC-H2: TTL-based replay detection
+            const now = Date.now();
+            sweepReplayCache(consumedCallbackCodes, now);
+            const existingTs = consumedCallbackCodes.get(params.code);
+            if (existingTs !== undefined && now - existingTs < REPLAY_TTL_MS) {
+                throw createAuthError("PUREQ_OIDC_CALLBACK_REPLAY", "pureq: OIDC callback code replay detected", {
+                    details: { code: params.code },
+                });
+            }
+            consumedCallbackCodes.set(params.code, now);
+            const tokenResponse = await this.exchangeCode(params.code, {
+                codeVerifier: requestOptions.codeVerifier,
+            });
+            // SEC-H5 + SEC-H6: validate id_token nonce
+            if (tokenResponse.idToken && requestOptions.expectedNonce) {
+                const metadata = await getMetadata();
+                validateIdTokenClaims(tokenResponse.idToken, metadata.issuer, options.clientId, requestOptions.expectedNonce);
+            }
+            return tokenResponse;
+        },
+        async refresh(refreshToken) {
+            const metadata = await getMetadata();
+            const body = new URLSearchParams({
+                grant_type: "refresh_token",
+                refresh_token: refreshToken,
+            });
+            appendClientCredentials(body);
+            const response = await fetch(metadata.token_endpoint, {
+                method: "POST",
+                headers: buildTokenHeaders(),
+                body: body.toString(),
+            });
+            if (!response.ok) {
+                throw createAuthError("PUREQ_OIDC_TOKEN_REFRESH_FAILED", `pureq: OIDC token refresh failed (${response.status})`, {
+                    details: { status: response.status, tokenEndpoint: metadata.token_endpoint },
+                });
+            }
+            return toTokenResponse((await response.json()));
+        },
+        /** Fetch user profile from the OIDC userinfo endpoint (FEAT-M4). */
+        async getUserInfo(accessToken) {
+            const metadata = await getMetadata();
+            if (!metadata.userinfo_endpoint) {
+                throw createAuthError("PUREQ_OIDC_NO_USERINFO_ENDPOINT", "pureq: OIDC provider does not expose a userinfo endpoint");
+            }
+            const response = await fetch(metadata.userinfo_endpoint, {
+                headers: { Authorization: `Bearer ${accessToken}` },
+            });
+            if (!response.ok) {
+                throw createAuthError("PUREQ_OIDC_USERINFO_FAILED", `pureq: OIDC userinfo request failed (${response.status})`);
+            }
+            return (await response.json());
+        },
+        /** Build a logout URL for RP-initiated logout (FEAT-M5). */
+        async getLogoutUrl(logoutOptions) {
+            const metadata = await getMetadata();
+            if (!metadata.end_session_endpoint) {
+                throw createAuthError("PUREQ_OIDC_NO_END_SESSION_ENDPOINT", "pureq: OIDC provider does not expose an end_session_endpoint");
+            }
+            const url = new URL(metadata.end_session_endpoint);
+            if (logoutOptions?.idTokenHint) {
+                url.searchParams.set("id_token_hint", logoutOptions.idTokenHint);
+            }
+            if (logoutOptions?.postLogoutRedirectUri) {
+                url.searchParams.set("post_logout_redirect_uri", logoutOptions.postLogoutRedirectUri);
+            }
+            url.searchParams.set("client_id", options.clientId);
+            return url.toString();
+        },
+        /** Introspect a token via RFC 7662 (FEAT-L4). */
+        async introspect(token) {
+            const metadata = await getMetadata();
+            if (!metadata.introspection_endpoint) {
+                throw createAuthError("PUREQ_OIDC_NO_INTROSPECTION_ENDPOINT", "pureq: OIDC provider does not expose an introspection endpoint");
+            }
+            const body = new URLSearchParams({ token });
+            appendClientCredentials(body);
+            const response = await fetch(metadata.introspection_endpoint, {
+                method: "POST",
+                headers: buildTokenHeaders(),
+                body: body.toString(),
+            });
+            if (!response.ok) {
+                throw createAuthError("PUREQ_OIDC_INTROSPECTION_FAILED", `pureq: OIDC token introspection failed (${response.status})`);
+            }
+            return (await response.json());
+        },
+    };
+}
+/** @deprecated Use `createOIDCFlow` (capital F) instead. */
+export const createOIDCflow = createOIDCFlow;
+export function createOIDCFlowFromProvider(provider, options) {
+    if (!provider.name.trim()) {
+        throw createAuthError("PUREQ_OIDC_INVALID_PROVIDER", "pureq: OIDC provider name is required", {
+            details: { field: "name" },
+        });
+    }
+    if (!provider.discoveryUrl.trim()) {
+        throw createAuthError("PUREQ_OIDC_INVALID_PROVIDER", "pureq: OIDC provider discoveryUrl is required", {
+            details: { field: "discoveryUrl", provider: provider.name },
+        });
+    }
+    const flow = createOIDCFlow({
+        ...options,
+        discoveryUrl: provider.discoveryUrl,
+        ...(options.defaultScope !== undefined || provider.defaultScope !== undefined
+            ? { defaultScope: options.defaultScope ?? provider.defaultScope }
+            : {}),
+    });
+    return {
+        async getAuthorizationUrl(authorizationOptions = {}) {
+            provider.validateAuthorizationOptions?.(authorizationOptions);
+            return flow.getAuthorizationUrl({
+                ...authorizationOptions,
+                extraParams: {
+                    ...(provider.authorizationDefaults ?? {}),
+                    ...(authorizationOptions.extraParams ?? {}),
+                },
+            });
+        },
+        exchangeCode: flow.exchangeCode.bind(flow),
+        exchangeCallback: flow.exchangeCallback.bind(flow),
+        refresh: flow.refresh.bind(flow),
+        ...(flow.getUserInfo ? { getUserInfo: flow.getUserInfo.bind(flow) } : {}),
+        ...(flow.getLogoutUrl ? { getLogoutUrl: flow.getLogoutUrl.bind(flow) } : {}),
+        ...(flow.introspect ? { introspect: flow.introspect.bind(flow) } : {}),
+    };
+}
+/** @deprecated Use `createOIDCFlowFromProvider` (capital F) instead. */
+export const createOIDCflowFromProvider = createOIDCFlowFromProvider;
+export { oidcProviders };
+//# sourceMappingURL=index.js.map