@qlover/oauth-wrapper 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/core.d.ts ADDED
@@ -0,0 +1,460 @@
1
+ import { z } from 'zod';
2
+ import { ValueOf } from '@qlover/fe-corekit';
3
+
4
+ /**
5
+ * Accepts HTTPS/HTTP URLs and custom URL schemes (e.g. mobile deep links).
6
+ */
7
+ declare function isOAuthRedirectUri(value: string): boolean;
8
+ declare const OAuthClientRowSchema: z.ZodObject<{
9
+ id: z.ZodNumber;
10
+ client_id: z.ZodString;
11
+ client_secret_hash: z.ZodOptional<z.ZodNullable<z.ZodString>>;
12
+ client_name: z.ZodString;
13
+ client_uri: z.ZodOptional<z.ZodNullable<z.ZodString>>;
14
+ logo_uri: z.ZodOptional<z.ZodNullable<z.ZodString>>;
15
+ redirect_uris: z.ZodArray<z.ZodString>;
16
+ grant_types: z.ZodArray<z.ZodString>;
17
+ scopes: z.ZodArray<z.ZodString>;
18
+ confidential: z.ZodBoolean;
19
+ owner_user_id: z.ZodNumber;
20
+ created_at: z.ZodString;
21
+ updated_at: z.ZodString;
22
+ }, z.core.$strip>;
23
+ type OAuthClientRow = z.infer<typeof OAuthClientRowSchema>;
24
+ declare const OAuthClientListItemSchema: z.ZodObject<{
25
+ client_id: z.ZodString;
26
+ client_name: z.ZodString;
27
+ client_uri: z.ZodOptional<z.ZodNullable<z.ZodString>>;
28
+ logo_uri: z.ZodOptional<z.ZodNullable<z.ZodString>>;
29
+ redirect_uris: z.ZodArray<z.ZodString>;
30
+ confidential: z.ZodBoolean;
31
+ created_at: z.ZodString;
32
+ updated_at: z.ZodString;
33
+ }, z.core.$strip>;
34
+ type OAuthClientListItem = z.infer<typeof OAuthClientListItemSchema>;
35
+ declare const OAuthClientDetailSchema: z.ZodObject<{
36
+ client_id: z.ZodString;
37
+ client_name: z.ZodString;
38
+ client_uri: z.ZodOptional<z.ZodNullable<z.ZodString>>;
39
+ logo_uri: z.ZodOptional<z.ZodNullable<z.ZodString>>;
40
+ redirect_uris: z.ZodArray<z.ZodString>;
41
+ grant_types: z.ZodArray<z.ZodString>;
42
+ scopes: z.ZodArray<z.ZodString>;
43
+ confidential: z.ZodBoolean;
44
+ created_at: z.ZodString;
45
+ updated_at: z.ZodString;
46
+ }, z.core.$strip>;
47
+ type OAuthClientDetail = z.infer<typeof OAuthClientDetailSchema>;
48
+ declare const OAuthClientCreateSchema: z.ZodObject<{
49
+ client_name: z.ZodString;
50
+ client_uri: z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodLiteral<"">]>;
51
+ redirect_uris: z.ZodArray<z.ZodString>;
52
+ confidential: z.ZodDefault<z.ZodBoolean>;
53
+ }, z.core.$strip>;
54
+ type OAuthClientCreate = z.infer<typeof OAuthClientCreateSchema>;
55
+ declare const OAuthClientUpdateSchema: z.ZodObject<{
56
+ client_name: z.ZodString;
57
+ client_uri: z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodLiteral<"">]>;
58
+ redirect_uris: z.ZodArray<z.ZodString>;
59
+ }, z.core.$strip>;
60
+ type OAuthClientUpdate = z.infer<typeof OAuthClientUpdateSchema>;
61
+ declare const OAuthClientCreateResponseSchema: z.ZodObject<{
62
+ client_id: z.ZodString;
63
+ client_secret: z.ZodOptional<z.ZodString>;
64
+ confidential: z.ZodBoolean;
65
+ client_name: z.ZodString;
66
+ client_uri: z.ZodOptional<z.ZodNullable<z.ZodString>>;
67
+ redirect_uris: z.ZodArray<z.ZodString>;
68
+ created_at: z.ZodString;
69
+ }, z.core.$strip>;
70
+ type OAuthClientCreateResponse = z.infer<typeof OAuthClientCreateResponseSchema>;
71
+ declare const OAuthClientSecretRotateResponseSchema: z.ZodObject<{
72
+ client_id: z.ZodString;
73
+ client_secret: z.ZodString;
74
+ }, z.core.$strip>;
75
+ type OAuthClientSecretRotateResponse = z.infer<typeof OAuthClientSecretRotateResponseSchema>;
76
+ declare const OAuthAuthorizeQuerySchema: z.ZodObject<{
77
+ response_type: z.ZodLiteral<"code">;
78
+ client_id: z.ZodString;
79
+ redirect_uri: z.ZodString;
80
+ scope: z.ZodOptional<z.ZodString>;
81
+ state: z.ZodOptional<z.ZodString>;
82
+ code_challenge: z.ZodOptional<z.ZodString>;
83
+ code_challenge_method: z.ZodOptional<z.ZodLiteral<"S256">>;
84
+ }, z.core.$strip>;
85
+ type OAuthAuthorizeQuery = z.infer<typeof OAuthAuthorizeQuerySchema>;
86
+ declare const OAuthConsentBodySchema: z.ZodObject<{
87
+ action: z.ZodEnum<{
88
+ allow: "allow";
89
+ deny: "deny";
90
+ }>;
91
+ client_id: z.ZodString;
92
+ redirect_uri: z.ZodString;
93
+ scope: z.ZodOptional<z.ZodString>;
94
+ state: z.ZodOptional<z.ZodString>;
95
+ trust: z.ZodOptional<z.ZodBoolean>;
96
+ code_challenge: z.ZodOptional<z.ZodString>;
97
+ code_challenge_method: z.ZodOptional<z.ZodLiteral<"S256">>;
98
+ }, z.core.$strip>;
99
+ type OAuthConsentBody = z.infer<typeof OAuthConsentBodySchema>;
100
+ declare const OAuthAuthorizationCodeRowSchema: z.ZodObject<{
101
+ code: z.ZodString;
102
+ client_id: z.ZodString;
103
+ user_id: z.ZodNumber;
104
+ redirect_uri: z.ZodString;
105
+ scope: z.ZodOptional<z.ZodNullable<z.ZodString>>;
106
+ code_challenge: z.ZodOptional<z.ZodNullable<z.ZodString>>;
107
+ code_challenge_method: z.ZodOptional<z.ZodNullable<z.ZodString>>;
108
+ expires_at: z.ZodString;
109
+ used: z.ZodBoolean;
110
+ created_at: z.ZodString;
111
+ }, z.core.$strip>;
112
+ type OAuthAuthorizationCodeRow = z.infer<typeof OAuthAuthorizationCodeRowSchema>;
113
+
114
+ interface OAuthClientsInterface {
115
+ listForOwner(ownerUserId: number): Promise<OAuthClientListItem[]>;
116
+ getByClientId(ownerUserId: number, clientId: string): Promise<OAuthClientDetail>;
117
+ create(ownerUserId: number, input: OAuthClientCreate): Promise<OAuthClientCreateResponse>;
118
+ update(ownerUserId: number, clientId: string, input: OAuthClientUpdate): Promise<OAuthClientDetail>;
119
+ rotateSecret(ownerUserId: number, clientId: string): Promise<OAuthClientSecretRotateResponse>;
120
+ delete(ownerUserId: number, clientId: string): Promise<void>;
121
+ }
122
+
123
+ /**
124
+ * Reads and manages registered OAuth clients from Supabase (service role).
125
+ */
126
+ interface OAuthClientsRepositoryInterface {
127
+ findClientById(clientId: string): Promise<OAuthClientRow | null>;
128
+ listClientByOwner(ownerUserId: number): Promise<OAuthClientListItem[]>;
129
+ createClient(ownerUserId: number, input: OAuthClientCreate): Promise<{
130
+ client: OAuthClientRow;
131
+ clientSecret?: string;
132
+ }>;
133
+ updateClient(ownerUserId: number, clientId: string, input: OAuthClientUpdate): Promise<OAuthClientDetail>;
134
+ rotateClientSecret(ownerUserId: number, clientId: string): Promise<{
135
+ clientSecret: string;
136
+ }>;
137
+ deleteClient(ownerUserId: number, clientId: string): Promise<void>;
138
+ verifyClientCredentials(clientId: string, clientSecret: string | undefined): Promise<OAuthClientRow>;
139
+ }
140
+
141
+ type OAuthSessionPayload = {
142
+ userId: number;
143
+ email: string;
144
+ name: string;
145
+ providerSessionToken: string;
146
+ };
147
+ interface OAuthSessionInterface<Payload extends OAuthSessionPayload> {
148
+ getSession(): Promise<Payload | null>;
149
+ hasSession(): Promise<boolean>;
150
+ setSession(payload: Payload): Promise<void>;
151
+ clearSession(): Promise<void>;
152
+ }
153
+
154
+ declare const OAuthTokenAuthorizationCodeSchema: z.ZodObject<{
155
+ grant_type: z.ZodLiteral<"authorization_code">;
156
+ code: z.ZodString;
157
+ redirect_uri: z.ZodString;
158
+ client_id: z.ZodString;
159
+ client_secret: z.ZodOptional<z.ZodString>;
160
+ code_verifier: z.ZodOptional<z.ZodString>;
161
+ }, z.core.$strip>;
162
+ type OAuthTokenAuthorizationCodeRequest = z.infer<typeof OAuthTokenAuthorizationCodeSchema>;
163
+ declare const OAuthTokenRefreshSchema: z.ZodObject<{
164
+ grant_type: z.ZodLiteral<"refresh_token">;
165
+ refresh_token: z.ZodString;
166
+ client_id: z.ZodString;
167
+ client_secret: z.ZodOptional<z.ZodString>;
168
+ }, z.core.$strip>;
169
+ type OAuthTokenRefreshRequest = z.infer<typeof OAuthTokenRefreshSchema>;
170
+ declare const OAuthTokenRequestSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
171
+ grant_type: z.ZodLiteral<"authorization_code">;
172
+ code: z.ZodString;
173
+ redirect_uri: z.ZodString;
174
+ client_id: z.ZodString;
175
+ client_secret: z.ZodOptional<z.ZodString>;
176
+ code_verifier: z.ZodOptional<z.ZodString>;
177
+ }, z.core.$strip>, z.ZodObject<{
178
+ grant_type: z.ZodLiteral<"refresh_token">;
179
+ refresh_token: z.ZodString;
180
+ client_id: z.ZodString;
181
+ client_secret: z.ZodOptional<z.ZodString>;
182
+ }, z.core.$strip>], "grant_type">;
183
+ type OAuthTokenRequest = z.infer<typeof OAuthTokenRequestSchema>;
184
+ declare const OAuthTokenErrorResponseSchema: z.ZodObject<{
185
+ error: z.ZodString;
186
+ error_id: z.ZodOptional<z.ZodString>;
187
+ error_description: z.ZodOptional<z.ZodString>;
188
+ }, z.core.$strip>;
189
+ type OAuthTokenErrorResponse = z.infer<typeof OAuthTokenErrorResponseSchema>;
190
+ /** RFC 7009 token revocation request (refresh_token only in this wrapper). */
191
+ declare const OAuthTokenRevokeSchema: z.ZodObject<{
192
+ token: z.ZodString;
193
+ token_type_hint: z.ZodOptional<z.ZodEnum<{
194
+ refresh_token: "refresh_token";
195
+ access_token: "access_token";
196
+ }>>;
197
+ client_id: z.ZodString;
198
+ client_secret: z.ZodOptional<z.ZodString>;
199
+ }, z.core.$strip>;
200
+ type OAuthTokenRevokeRequest = z.infer<typeof OAuthTokenRevokeSchema>;
201
+
202
+ /**
203
+ * OAuth user adapter profile shape.
204
+ *
205
+ * Significance: Keeps OAuth services independent from provider SDK user models.
206
+ * Core idea: Represent only the profile fields required by OAuth login and userinfo.
207
+ * Main function: Provide a canonical user profile contract for adapters.
208
+ * Main purpose: Let the OAuth wrapper switch user providers without changing services.
209
+ *
210
+ * @example
211
+ * const sub = String(profile.id);
212
+ */
213
+ type OAuthUserProfile = {
214
+ id: string | number;
215
+ email?: string | null;
216
+ name?: string | null;
217
+ first_name?: string | null;
218
+ last_name?: string | null;
219
+ roles?: string[];
220
+ [key: string]: unknown;
221
+ };
222
+ /**
223
+ * OAuth provider login credentials result.
224
+ *
225
+ * Significance: Normalizes provider login responses for middleware sessions.
226
+ * Core idea: Require a session token while allowing provider-specific metadata.
227
+ * Main function: Carry the provider session token after credential verification.
228
+ * Main purpose: Persist the token needed to mint OAuth access tokens later.
229
+ *
230
+ * @example
231
+ * const sessionToken = credentials.token;
232
+ */
233
+ type OAuthUserCredentials = {
234
+ token: string;
235
+ [key: string]: unknown;
236
+ };
237
+ /**
238
+ * OAuth provider access token result.
239
+ *
240
+ * Significance: Normalizes provider token exchange responses.
241
+ * Core idea: OAuth token services only need access, expiry, and optional refresh token.
242
+ * Main function: Return a provider access token for third-party OAuth clients.
243
+ * Main purpose: Hide provider SDK response details behind the adapter contract.
244
+ *
245
+ * @example
246
+ * return { access_token: token.access_token, expires_in: token.expires_in };
247
+ */
248
+ type OAuthUserAccessToken = {
249
+ access_token: string;
250
+ expires_in: number;
251
+ refresh_token?: string | null;
252
+ [key: string]: unknown;
253
+ };
254
+ /**
255
+ * User adapter contract for the OAuth wrapper.
256
+ *
257
+ * Significance: Defines the boundary between OAuth core services and user providers.
258
+ * Core idea: Keep provider-specific login, token exchange, and profile lookup behind one port.
259
+ * Main function: Verify credentials, exchange provider tokens, and load user profiles.
260
+ * Main purpose: Allow any upstream user API to be swapped without changing OAuth services.
261
+ *
262
+ * @example
263
+ * const access = await adapter.exchangeAccessToken({ token: sessionToken });
264
+ */
265
+ interface OAuthUserAdapterInterface {
266
+ /**
267
+ * Verifies user credentials with the backing user provider.
268
+ *
269
+ * @param email - User email or username accepted by the provider.
270
+ * @param password - Plain credential submitted by the login form.
271
+ * @returns Provider credentials containing a session token.
272
+ */
273
+ login(email: string, password: string): Promise<OAuthUserCredentials>;
274
+ /**
275
+ * Exchanges a provider session token for a provider access token.
276
+ *
277
+ * @param params - Session token and optional language preference.
278
+ * @returns Provider access token payload used as the OAuth access token response.
279
+ */
280
+ exchangeAccessToken(params: {
281
+ token: string;
282
+ lang?: string;
283
+ }): Promise<OAuthUserAccessToken>;
284
+ /**
285
+ * Loads profile information using a provider session token.
286
+ *
287
+ * @param sessionToken - Provider session token from a successful login.
288
+ * @returns Canonical user profile for session creation.
289
+ */
290
+ getUserInfo(sessionToken: string): Promise<OAuthUserProfile>;
291
+ /**
292
+ * Loads profile information using a provider access token.
293
+ *
294
+ * @param accessToken - Bearer access token presented to the userinfo endpoint.
295
+ * @returns Canonical user profile for OIDC userinfo claims.
296
+ */
297
+ getUserInfoByAccessToken(accessToken: string): Promise<OAuthUserProfile>;
298
+ }
299
+
300
+ declare const OAuthUserCredentialsSchema: z.ZodObject<{
301
+ user_id: z.ZodNumber;
302
+ provider_refresh_token: z.ZodOptional<z.ZodNullable<z.ZodString>>;
303
+ provider_session_token: z.ZodOptional<z.ZodNullable<z.ZodString>>;
304
+ updated_at: z.ZodString;
305
+ }, z.core.$strip>;
306
+ type OAuthUserCredentialsRow = z.infer<typeof OAuthUserCredentialsSchema>;
307
+ declare const OAuthRefreshTokenSchema: z.ZodObject<{
308
+ id: z.ZodNumber;
309
+ refresh_token: z.ZodString;
310
+ client_id: z.ZodString;
311
+ user_id: z.ZodNumber;
312
+ expires_at: z.ZodString;
313
+ revoked: z.ZodBoolean;
314
+ created_at: z.ZodString;
315
+ }, z.core.$strip>;
316
+ type OAuthRefreshTokenRow = z.infer<typeof OAuthRefreshTokenSchema>;
317
+ declare const OAuthTokenResponseSchema: z.ZodObject<{
318
+ access_token: z.ZodString;
319
+ token_type: z.ZodLiteral<"Bearer">;
320
+ expires_in: z.ZodNumber;
321
+ refresh_token: z.ZodOptional<z.ZodString>;
322
+ scope: z.ZodOptional<z.ZodString>;
323
+ }, z.core.$strip>;
324
+ type OAuthTokenResponse = z.infer<typeof OAuthTokenResponseSchema>;
325
+
326
+ type CreateAuthorizationCodeInput = {
327
+ code: string;
328
+ client_id: string;
329
+ user_id: number;
330
+ redirect_uri: string;
331
+ scope: string | null;
332
+ code_challenge: string | null;
333
+ code_challenge_method: string | null;
334
+ expires_at: string;
335
+ };
336
+ type CreateOAuthRefreshTokenInput = {
337
+ refresh_token: string;
338
+ client_id: string;
339
+ user_id: number;
340
+ expires_at: string;
341
+ };
342
+ interface OAuthWrapperRepositoryInterface extends OAuthClientsRepositoryInterface {
343
+ create(input: CreateAuthorizationCodeInput): Promise<void>;
344
+ consumeCode(code: string): Promise<OAuthAuthorizationCodeRow | null>;
345
+ getUserCredentials(userId: number): Promise<OAuthUserCredentialsRow | null>;
346
+ upsertUserCredentials(userId: number, fields: {
347
+ provider_refresh_token?: string | null;
348
+ provider_session_token?: string | null;
349
+ }): Promise<void>;
350
+ findRefreshToken(tokenHash: string): Promise<OAuthRefreshTokenRow | null>;
351
+ upsertRefreshToken(input: {
352
+ refresh_token: string;
353
+ client_id: string;
354
+ user_id: number;
355
+ expires_at: string;
356
+ }): Promise<void>;
357
+ revokeRefreshToken(tokenHash: string): Promise<void>;
358
+ findByTokenHash(tokenHash: string): Promise<OAuthRefreshTokenRow | null>;
359
+ createRefreshToken(input: CreateOAuthRefreshTokenInput): Promise<void>;
360
+ revokeByTokenHash(tokenHash: string): Promise<void>;
361
+ /** Revoke all active refresh tokens issued for the given user. */
362
+ revokeRefreshTokensByUserId(userId: number): Promise<void>;
363
+ }
364
+
365
+ declare const OAuthUserInfoResponseSchema: z.ZodObject<{
366
+ sub: z.ZodString;
367
+ email: z.ZodString;
368
+ name: z.ZodString;
369
+ roles: z.ZodOptional<z.ZodArray<z.ZodString>>;
370
+ }, z.core.$strip>;
371
+ type OAuthUserInfoResponse = z.infer<typeof OAuthUserInfoResponseSchema>;
372
+ declare const OAuthUserInfoErrorResponseSchema: z.ZodObject<{
373
+ error: z.ZodLiteral<"invalid_token">;
374
+ error_id: z.ZodOptional<z.ZodString>;
375
+ }, z.core.$strip>;
376
+ type OAuthUserInfoErrorResponse = z.infer<typeof OAuthUserInfoErrorResponseSchema>;
377
+
378
+ /**
379
+ * OAuth authorize page data shared by server rendering and client UI.
380
+ *
381
+ * Significance: Prevents UI components from importing server-only services for types.
382
+ * Core idea: Keep the authorize page view model in the shared contract layer.
383
+ * Main function: Describe client metadata and request parameters for consent rendering.
384
+ * Main purpose: Let OAuth server modules move independently from UI code.
385
+ *
386
+ * @example
387
+ * const clientId = data.clientId;
388
+ */
389
+ interface OAuthAuthorizePageData {
390
+ clientId: string;
391
+ clientName: string;
392
+ clientUri: string | null;
393
+ logoUri: string | null;
394
+ redirectUri: string;
395
+ scopes: string[];
396
+ state?: string;
397
+ responseType: 'code';
398
+ codeChallenge?: string;
399
+ codeChallengeMethod?: 'S256';
400
+ confidential: boolean;
401
+ }
402
+ type OAuthAuthorizeValidationError = {
403
+ errorKey: string;
404
+ message: string;
405
+ };
406
+ type OAuthConsentResult = {
407
+ redirectUrl: string;
408
+ };
409
+ interface OAuthTokenServiceInterface {
410
+ exchangeToken(rawFields: Record<string, string> | OAuthTokenRequest): Promise<OAuthTokenResponse>;
411
+ /**
412
+ * RFC 7009 token revocation. Revokes middleware refresh tokens when present.
413
+ * Always resolves (idempotent) per RFC guidance.
414
+ */
415
+ revokeToken(rawFields: Record<string, string>): Promise<void>;
416
+ }
417
+ interface OAuthServiceInterface<SessionPayload extends OAuthSessionPayload> extends OAuthTokenServiceInterface {
418
+ resolveAuthorizePage(rawQuery: Record<string, string | string[] | undefined>): Promise<{
419
+ ok: true;
420
+ data: OAuthAuthorizePageData;
421
+ } | {
422
+ ok: false;
423
+ error: OAuthAuthorizeValidationError;
424
+ }>;
425
+ processConsent(requestBody: unknown): Promise<OAuthConsentResult>;
426
+ getUserInfo(accessToken: string): Promise<OAuthUserInfoResponse>;
427
+ getOAuthSession(): OAuthSessionInterface<SessionPayload>;
428
+ getOAuthAdapter(): OAuthUserAdapterInterface;
429
+ getOAuthTokenService(): OAuthTokenServiceInterface;
430
+ getOAuthRepo(): OAuthWrapperRepositoryInterface;
431
+ /**
432
+ * Application logout: revoke issued refresh tokens, clear stored provider
433
+ * credentials, and clear the authorization-server session cookie.
434
+ */
435
+ logoutUser(userId: number): Promise<void>;
436
+ }
437
+
438
+ declare const OAuthRfcCodes: {
439
+ readonly INVALID_REQUEST: "invalid_request";
440
+ readonly INVALID_CLIENT: "invalid_client";
441
+ readonly INVALID_GRANT: "invalid_grant";
442
+ readonly INVALID_TOKEN: "invalid_token";
443
+ readonly UNAUTHORIZED_CLIENT: "unauthorized_client";
444
+ readonly INVALID_SCOPE: "invalid_scope";
445
+ readonly ACCESS_DENIED: "access_denied";
446
+ readonly UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type";
447
+ readonly UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type";
448
+ readonly OAUTH_ERROR: "oauth_error";
449
+ };
450
+ type OAuthRfcErrorCodesType = typeof OAuthRfcCodes;
451
+ /**
452
+ * OAuth 2.0 RFC 6749 `error` parameter values used in redirects and token responses.
453
+ */
454
+ type OAuthRfcCodeType = ValueOf<OAuthRfcErrorCodesType>;
455
+
456
+ declare function generatePkceVerifier(length?: number): string;
457
+ declare function computePkceS256Challenge(verifier: string): Promise<string>;
458
+ declare function randomOAuthState(): string;
459
+
460
+ export { type CreateAuthorizationCodeInput, type CreateOAuthRefreshTokenInput, type OAuthAuthorizationCodeRow, OAuthAuthorizationCodeRowSchema, type OAuthAuthorizePageData, type OAuthAuthorizeQuery, OAuthAuthorizeQuerySchema, type OAuthAuthorizeValidationError, type OAuthClientCreate, type OAuthClientCreateResponse, OAuthClientCreateResponseSchema, OAuthClientCreateSchema, type OAuthClientDetail, OAuthClientDetailSchema, type OAuthClientListItem, OAuthClientListItemSchema, type OAuthClientRow, OAuthClientRowSchema, type OAuthClientSecretRotateResponse, OAuthClientSecretRotateResponseSchema, type OAuthClientUpdate, OAuthClientUpdateSchema, type OAuthClientsInterface, type OAuthClientsRepositoryInterface, type OAuthConsentBody, OAuthConsentBodySchema, type OAuthConsentResult, type OAuthRefreshTokenRow, OAuthRefreshTokenSchema, type OAuthRfcCodeType, OAuthRfcCodes, type OAuthRfcErrorCodesType, type OAuthServiceInterface, type OAuthSessionInterface, type OAuthSessionPayload, type OAuthTokenAuthorizationCodeRequest, OAuthTokenAuthorizationCodeSchema, type OAuthTokenErrorResponse, OAuthTokenErrorResponseSchema, type OAuthTokenRefreshRequest, OAuthTokenRefreshSchema, type OAuthTokenRequest, OAuthTokenRequestSchema, type OAuthTokenResponse, OAuthTokenResponseSchema, type OAuthTokenRevokeRequest, OAuthTokenRevokeSchema, type OAuthTokenServiceInterface, type OAuthUserAccessToken, type OAuthUserAdapterInterface, type OAuthUserCredentials, type OAuthUserCredentialsRow, OAuthUserCredentialsSchema, type OAuthUserInfoErrorResponse, OAuthUserInfoErrorResponseSchema, type OAuthUserInfoResponse, OAuthUserInfoResponseSchema, type OAuthUserProfile, type OAuthWrapperRepositoryInterface, computePkceS256Challenge, generatePkceVerifier, isOAuthRedirectUri, randomOAuthState };