@qlover/oauth-wrapper 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,194 @@
1
+ import { OAuthClientsInterface, OAuthClientsRepositoryInterface, OAuthClientListItem, OAuthClientDetail, OAuthClientCreate, OAuthClientCreateResponse, OAuthClientUpdate, OAuthClientSecretRotateResponse, OAuthTokenServiceInterface, OAuthUserAdapterInterface, OAuthWrapperRepositoryInterface, OAuthTokenResponse, OAuthTokenRequest, OAuthSessionPayload, OAuthServiceInterface, OAuthSessionInterface, OAuthAuthorizeQuery, OAuthConsentBody, OAuthAuthorizePageData, OAuthAuthorizeValidationError, OAuthConsentResult, OAuthUserInfoResponse, OAuthUserProfile, OAuthRfcCodeType, OAuthClientRow } from './core.js';
2
+ export { CreateAuthorizationCodeInput, CreateOAuthRefreshTokenInput, OAuthAuthorizationCodeRow, OAuthAuthorizationCodeRowSchema, OAuthAuthorizeQuerySchema, OAuthClientCreateResponseSchema, OAuthClientCreateSchema, OAuthClientDetailSchema, OAuthClientListItemSchema, OAuthClientRowSchema, OAuthClientSecretRotateResponseSchema, OAuthClientUpdateSchema, OAuthConsentBodySchema, OAuthRefreshTokenRow, OAuthRefreshTokenSchema, OAuthRfcCodes, OAuthRfcErrorCodesType, OAuthTokenAuthorizationCodeRequest, OAuthTokenAuthorizationCodeSchema, OAuthTokenErrorResponse, OAuthTokenErrorResponseSchema, OAuthTokenRefreshRequest, OAuthTokenRefreshSchema, OAuthTokenRequestSchema, OAuthTokenResponseSchema, OAuthTokenRevokeRequest, OAuthTokenRevokeSchema, OAuthUserAccessToken, OAuthUserCredentials, OAuthUserCredentialsRow, OAuthUserCredentialsSchema, OAuthUserInfoErrorResponse, OAuthUserInfoErrorResponseSchema, OAuthUserInfoResponseSchema, computePkceS256Challenge, generatePkceVerifier, isOAuthRedirectUri, randomOAuthState } from './core.js';
3
+ import { EncryptorInterface, ExecutorError } from '@qlover/fe-corekit';
4
+ import 'zod';
5
+
6
+ /**
7
+ * Business logic for OAuth client management in developer console.
8
+ */
9
+ declare class OAuthClientsService implements OAuthClientsInterface {
10
+ protected clientsRepo: OAuthClientsRepositoryInterface;
11
+ constructor(clientsRepo: OAuthClientsRepositoryInterface);
12
+ /**
13
+ * List all OAuth clients owned by a user
14
+ * @override
15
+ */
16
+ listForOwner(ownerUserId: number): Promise<OAuthClientListItem[]>;
17
+ /**
18
+ * Get detailed information about a specific OAuth client
19
+ * @override
20
+ */
21
+ getByClientId(ownerUserId: number, clientId: string): Promise<OAuthClientDetail>;
22
+ /**
23
+ * Create a new OAuth client
24
+ * @override
25
+ */
26
+ create(ownerUserId: number, input: OAuthClientCreate): Promise<OAuthClientCreateResponse>;
27
+ /**
28
+ * Update an existing OAuth client
29
+ * @override
30
+ */
31
+ update(ownerUserId: number, clientId: string, input: OAuthClientUpdate): Promise<OAuthClientDetail>;
32
+ /**
33
+ * Rotate the client secret
34
+ * @override
35
+ */
36
+ rotateSecret(ownerUserId: number, clientId: string): Promise<OAuthClientSecretRotateResponse>;
37
+ /**
38
+ * Delete an OAuth client
39
+ * @override
40
+ */
41
+ delete(ownerUserId: number, clientId: string): Promise<void>;
42
+ private mapToDetail;
43
+ }
44
+
45
+ /**
46
+ * OAuth 2.0 token endpoint (`POST /oauth/token`).
47
+ *
48
+ * Significance: Exchanges authorization codes and refresh tokens for provider access tokens.
49
+ * Core idea: Validate client + grant, consume codes, proxy user adapter token APIs.
50
+ * Main purpose: Standard token endpoint for third-party OAuth clients.
51
+ *
52
+ * @example
53
+ * const tokens = await service.exchangeToken(formFields);
54
+ */
55
+ declare class OAuthTokenService implements OAuthTokenServiceInterface {
56
+ protected tokenEncryption: EncryptorInterface<string, string>;
57
+ protected userAdapter: OAuthUserAdapterInterface;
58
+ protected oauthRepo: OAuthWrapperRepositoryInterface;
59
+ protected static REFRESH_TOKEN_TTL_MS: number;
60
+ constructor(tokenEncryption: EncryptorInterface<string, string>, userAdapter: OAuthUserAdapterInterface, oauthRepo: OAuthWrapperRepositoryInterface);
61
+ /**
62
+ * @override
63
+ */
64
+ exchangeToken(rawFields: Record<string, string>): Promise<OAuthTokenResponse>;
65
+ protected exchangeAuthorizationCode(request: Extract<OAuthTokenRequest, {
66
+ grant_type: 'authorization_code';
67
+ }>, verifiedClientId: string): Promise<OAuthTokenResponse>;
68
+ protected assertPkceForAuthorizationCode(request: Extract<OAuthTokenRequest, {
69
+ grant_type: 'authorization_code';
70
+ }>, authCode: {
71
+ code_challenge?: string | null;
72
+ code_challenge_method?: string | null;
73
+ }): void;
74
+ protected exchangeRefreshToken(request: Extract<OAuthTokenRequest, {
75
+ grant_type: 'refresh_token';
76
+ }>, verifiedClientId: string): Promise<OAuthTokenResponse>;
77
+ protected fetchProviderAccessToken(userId: number): Promise<{
78
+ access_token: string;
79
+ expires_in: number;
80
+ }>;
81
+ protected issueMiddlewareRefreshToken(clientId: string, userId: number): Promise<string>;
82
+ /**
83
+ * @override
84
+ * RFC 7009 — revoke middleware refresh tokens. Idempotent: unknown tokens are ignored.
85
+ */
86
+ revokeToken(rawFields: Record<string, string>): Promise<void>;
87
+ }
88
+
89
+ declare class OAuthWrapperService<SessionPayload extends OAuthSessionPayload = OAuthSessionPayload> implements OAuthServiceInterface<SessionPayload> {
90
+ protected oauthSession: OAuthSessionInterface<SessionPayload>;
91
+ protected userAdapter: OAuthUserAdapterInterface;
92
+ protected tokenService: OAuthTokenServiceInterface;
93
+ protected oauthRepo: OAuthWrapperRepositoryInterface;
94
+ constructor(oauthSession: OAuthSessionInterface<SessionPayload>, userAdapter: OAuthUserAdapterInterface, tokenService: OAuthTokenServiceInterface, oauthRepo: OAuthWrapperRepositoryInterface);
95
+ /**
96
+ * @override
97
+ */
98
+ getOAuthSession(): OAuthSessionInterface<SessionPayload>;
99
+ /**
100
+ * @override
101
+ */
102
+ getOAuthAdapter(): OAuthUserAdapterInterface;
103
+ /**
104
+ * @override
105
+ */
106
+ getOAuthTokenService(): OAuthTokenServiceInterface;
107
+ /**
108
+ * @override
109
+ */
110
+ getOAuthRepo(): OAuthWrapperRepositoryInterface;
111
+ protected isQuery(query: unknown): query is OAuthAuthorizeQuery;
112
+ protected isValidateConsent(value: unknown): value is OAuthConsentBody;
113
+ /**
114
+ * @override
115
+ */
116
+ resolveAuthorizePage(rawQuery: Record<string, string | string[] | undefined>): Promise<{
117
+ ok: true;
118
+ data: OAuthAuthorizePageData;
119
+ } | {
120
+ ok: false;
121
+ error: OAuthAuthorizeValidationError;
122
+ }>;
123
+ /**
124
+ * @override
125
+ */
126
+ processConsent(requestBody: unknown): Promise<OAuthConsentResult>;
127
+ /**
128
+ * @override
129
+ */
130
+ exchangeToken(rawFields: Record<string, string>): Promise<OAuthTokenResponse>;
131
+ /**
132
+ * @override
133
+ */
134
+ revokeToken(rawFields: Record<string, string>): Promise<void>;
135
+ /**
136
+ * @override
137
+ */
138
+ logoutUser(userId: number): Promise<void>;
139
+ /**
140
+ * @override
141
+ */
142
+ getUserInfo(accessToken: string): Promise<OAuthUserInfoResponse>;
143
+ protected toUserInfoResponse(profile: OAuthUserProfile): OAuthUserInfoResponse;
144
+ }
145
+
146
+ declare class OAuthWrapperError extends ExecutorError {
147
+ readonly status: number;
148
+ readonly name = "OAuthWrapperError";
149
+ constructor(id: OAuthRfcCodeType, status: number, cause?: unknown);
150
+ }
151
+
152
+ declare function validatePkceParams(parsed: {
153
+ code_challenge?: string;
154
+ code_challenge_method?: 'S256';
155
+ }, confidential: boolean): OAuthAuthorizeValidationError | null;
156
+ declare function normalizeQuery(raw: Record<string, string | string[] | undefined>): Record<string, string | undefined>;
157
+ declare function isRedirectUriAllowed(redirectUri: string, client: OAuthClientRow): boolean;
158
+
159
+ /**
160
+ * Hashes OAuth client secrets for storage (scrypt, Node built-in).
161
+ *
162
+ * @example
163
+ * const hash = await hashClientSecret('my-secret');
164
+ */
165
+ declare function hashClientSecret(secret: string): Promise<string>;
166
+ /**
167
+ * Verifies a plaintext client secret against a stored scrypt hash.
168
+ */
169
+ declare function verifyClientSecret(secret: string, storedHash: string): Promise<boolean>;
170
+
171
+ /**
172
+ * Builds OAuth 2.0 redirect URLs for authorization responses.
173
+ */
174
+ declare function buildOAuthRedirectUrl(redirectUri: string, params: Record<string, string | undefined>): string;
175
+ declare function parseScopeList(scope: string | undefined): string[];
176
+
177
+ /**
178
+ * PKCE helpers for RFC 7636 (S256 only).
179
+ *
180
+ * Significance: Validates and verifies code_verifier against stored code_challenge.
181
+ * Main purpose: Secure authorization code exchange for public OAuth clients.
182
+ */
183
+ declare function isValidCodeVerifier(verifier: string): boolean;
184
+ declare function isValidCodeChallenge(challenge: string): boolean;
185
+ /**
186
+ * Computes the S256 code_challenge for a code_verifier.
187
+ */
188
+ declare function computeS256CodeChallenge(verifier: string): string;
189
+ /**
190
+ * Returns true when {@link verifier} matches the stored S256 {@link challenge}.
191
+ */
192
+ declare function verifyPkceS256(verifier: string, challenge: string): boolean;
193
+
194
+ export { OAuthAuthorizePageData, OAuthAuthorizeQuery, OAuthAuthorizeValidationError, OAuthClientCreate, OAuthClientCreateResponse, OAuthClientDetail, OAuthClientListItem, OAuthClientRow, OAuthClientSecretRotateResponse, OAuthClientUpdate, OAuthClientsInterface, OAuthClientsRepositoryInterface, OAuthClientsService, OAuthConsentBody, OAuthConsentResult, OAuthRfcCodeType, OAuthServiceInterface, OAuthSessionInterface, OAuthSessionPayload, OAuthTokenRequest, OAuthTokenResponse, OAuthTokenService, OAuthTokenServiceInterface, OAuthUserAdapterInterface, OAuthUserInfoResponse, OAuthUserProfile, OAuthWrapperError, OAuthWrapperRepositoryInterface, OAuthWrapperService, buildOAuthRedirectUrl, computeS256CodeChallenge, hashClientSecret, isRedirectUriAllowed, isValidCodeChallenge, isValidCodeVerifier, normalizeQuery, parseScopeList, validatePkceParams, verifyClientSecret, verifyPkceS256 };