@qlover/oauth-wrapper 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +27 -0
- package/README.md +313 -0
- package/README_EN.md +313 -0
- package/dist/client.cjs +835 -0
- package/dist/client.d.ts +341 -0
- package/dist/client.js +791 -0
- package/dist/core.cjs +301 -0
- package/dist/core.d.ts +460 -0
- package/dist/core.js +250 -0
- package/dist/index.cjs +1043 -0
- package/dist/index.d.ts +194 -0
- package/dist/index.js +977 -0
- package/package.json +72 -0
package/dist/index.d.ts
ADDED
|
@@ -0,0 +1,194 @@
|
|
|
1
|
+
import { OAuthClientsInterface, OAuthClientsRepositoryInterface, OAuthClientListItem, OAuthClientDetail, OAuthClientCreate, OAuthClientCreateResponse, OAuthClientUpdate, OAuthClientSecretRotateResponse, OAuthTokenServiceInterface, OAuthUserAdapterInterface, OAuthWrapperRepositoryInterface, OAuthTokenResponse, OAuthTokenRequest, OAuthSessionPayload, OAuthServiceInterface, OAuthSessionInterface, OAuthAuthorizeQuery, OAuthConsentBody, OAuthAuthorizePageData, OAuthAuthorizeValidationError, OAuthConsentResult, OAuthUserInfoResponse, OAuthUserProfile, OAuthRfcCodeType, OAuthClientRow } from './core.js';
|
|
2
|
+
export { CreateAuthorizationCodeInput, CreateOAuthRefreshTokenInput, OAuthAuthorizationCodeRow, OAuthAuthorizationCodeRowSchema, OAuthAuthorizeQuerySchema, OAuthClientCreateResponseSchema, OAuthClientCreateSchema, OAuthClientDetailSchema, OAuthClientListItemSchema, OAuthClientRowSchema, OAuthClientSecretRotateResponseSchema, OAuthClientUpdateSchema, OAuthConsentBodySchema, OAuthRefreshTokenRow, OAuthRefreshTokenSchema, OAuthRfcCodes, OAuthRfcErrorCodesType, OAuthTokenAuthorizationCodeRequest, OAuthTokenAuthorizationCodeSchema, OAuthTokenErrorResponse, OAuthTokenErrorResponseSchema, OAuthTokenRefreshRequest, OAuthTokenRefreshSchema, OAuthTokenRequestSchema, OAuthTokenResponseSchema, OAuthTokenRevokeRequest, OAuthTokenRevokeSchema, OAuthUserAccessToken, OAuthUserCredentials, OAuthUserCredentialsRow, OAuthUserCredentialsSchema, OAuthUserInfoErrorResponse, OAuthUserInfoErrorResponseSchema, OAuthUserInfoResponseSchema, computePkceS256Challenge, generatePkceVerifier, isOAuthRedirectUri, randomOAuthState } from './core.js';
|
|
3
|
+
import { EncryptorInterface, ExecutorError } from '@qlover/fe-corekit';
|
|
4
|
+
import 'zod';
|
|
5
|
+
|
|
6
|
+
/**
|
|
7
|
+
* Business logic for OAuth client management in developer console.
|
|
8
|
+
*/
|
|
9
|
+
declare class OAuthClientsService implements OAuthClientsInterface {
|
|
10
|
+
protected clientsRepo: OAuthClientsRepositoryInterface;
|
|
11
|
+
constructor(clientsRepo: OAuthClientsRepositoryInterface);
|
|
12
|
+
/**
|
|
13
|
+
* List all OAuth clients owned by a user
|
|
14
|
+
* @override
|
|
15
|
+
*/
|
|
16
|
+
listForOwner(ownerUserId: number): Promise<OAuthClientListItem[]>;
|
|
17
|
+
/**
|
|
18
|
+
* Get detailed information about a specific OAuth client
|
|
19
|
+
* @override
|
|
20
|
+
*/
|
|
21
|
+
getByClientId(ownerUserId: number, clientId: string): Promise<OAuthClientDetail>;
|
|
22
|
+
/**
|
|
23
|
+
* Create a new OAuth client
|
|
24
|
+
* @override
|
|
25
|
+
*/
|
|
26
|
+
create(ownerUserId: number, input: OAuthClientCreate): Promise<OAuthClientCreateResponse>;
|
|
27
|
+
/**
|
|
28
|
+
* Update an existing OAuth client
|
|
29
|
+
* @override
|
|
30
|
+
*/
|
|
31
|
+
update(ownerUserId: number, clientId: string, input: OAuthClientUpdate): Promise<OAuthClientDetail>;
|
|
32
|
+
/**
|
|
33
|
+
* Rotate the client secret
|
|
34
|
+
* @override
|
|
35
|
+
*/
|
|
36
|
+
rotateSecret(ownerUserId: number, clientId: string): Promise<OAuthClientSecretRotateResponse>;
|
|
37
|
+
/**
|
|
38
|
+
* Delete an OAuth client
|
|
39
|
+
* @override
|
|
40
|
+
*/
|
|
41
|
+
delete(ownerUserId: number, clientId: string): Promise<void>;
|
|
42
|
+
private mapToDetail;
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
/**
|
|
46
|
+
* OAuth 2.0 token endpoint (`POST /oauth/token`).
|
|
47
|
+
*
|
|
48
|
+
* Significance: Exchanges authorization codes and refresh tokens for provider access tokens.
|
|
49
|
+
* Core idea: Validate client + grant, consume codes, proxy user adapter token APIs.
|
|
50
|
+
* Main purpose: Standard token endpoint for third-party OAuth clients.
|
|
51
|
+
*
|
|
52
|
+
* @example
|
|
53
|
+
* const tokens = await service.exchangeToken(formFields);
|
|
54
|
+
*/
|
|
55
|
+
declare class OAuthTokenService implements OAuthTokenServiceInterface {
|
|
56
|
+
protected tokenEncryption: EncryptorInterface<string, string>;
|
|
57
|
+
protected userAdapter: OAuthUserAdapterInterface;
|
|
58
|
+
protected oauthRepo: OAuthWrapperRepositoryInterface;
|
|
59
|
+
protected static REFRESH_TOKEN_TTL_MS: number;
|
|
60
|
+
constructor(tokenEncryption: EncryptorInterface<string, string>, userAdapter: OAuthUserAdapterInterface, oauthRepo: OAuthWrapperRepositoryInterface);
|
|
61
|
+
/**
|
|
62
|
+
* @override
|
|
63
|
+
*/
|
|
64
|
+
exchangeToken(rawFields: Record<string, string>): Promise<OAuthTokenResponse>;
|
|
65
|
+
protected exchangeAuthorizationCode(request: Extract<OAuthTokenRequest, {
|
|
66
|
+
grant_type: 'authorization_code';
|
|
67
|
+
}>, verifiedClientId: string): Promise<OAuthTokenResponse>;
|
|
68
|
+
protected assertPkceForAuthorizationCode(request: Extract<OAuthTokenRequest, {
|
|
69
|
+
grant_type: 'authorization_code';
|
|
70
|
+
}>, authCode: {
|
|
71
|
+
code_challenge?: string | null;
|
|
72
|
+
code_challenge_method?: string | null;
|
|
73
|
+
}): void;
|
|
74
|
+
protected exchangeRefreshToken(request: Extract<OAuthTokenRequest, {
|
|
75
|
+
grant_type: 'refresh_token';
|
|
76
|
+
}>, verifiedClientId: string): Promise<OAuthTokenResponse>;
|
|
77
|
+
protected fetchProviderAccessToken(userId: number): Promise<{
|
|
78
|
+
access_token: string;
|
|
79
|
+
expires_in: number;
|
|
80
|
+
}>;
|
|
81
|
+
protected issueMiddlewareRefreshToken(clientId: string, userId: number): Promise<string>;
|
|
82
|
+
/**
|
|
83
|
+
* @override
|
|
84
|
+
* RFC 7009 — revoke middleware refresh tokens. Idempotent: unknown tokens are ignored.
|
|
85
|
+
*/
|
|
86
|
+
revokeToken(rawFields: Record<string, string>): Promise<void>;
|
|
87
|
+
}
|
|
88
|
+
|
|
89
|
+
declare class OAuthWrapperService<SessionPayload extends OAuthSessionPayload = OAuthSessionPayload> implements OAuthServiceInterface<SessionPayload> {
|
|
90
|
+
protected oauthSession: OAuthSessionInterface<SessionPayload>;
|
|
91
|
+
protected userAdapter: OAuthUserAdapterInterface;
|
|
92
|
+
protected tokenService: OAuthTokenServiceInterface;
|
|
93
|
+
protected oauthRepo: OAuthWrapperRepositoryInterface;
|
|
94
|
+
constructor(oauthSession: OAuthSessionInterface<SessionPayload>, userAdapter: OAuthUserAdapterInterface, tokenService: OAuthTokenServiceInterface, oauthRepo: OAuthWrapperRepositoryInterface);
|
|
95
|
+
/**
|
|
96
|
+
* @override
|
|
97
|
+
*/
|
|
98
|
+
getOAuthSession(): OAuthSessionInterface<SessionPayload>;
|
|
99
|
+
/**
|
|
100
|
+
* @override
|
|
101
|
+
*/
|
|
102
|
+
getOAuthAdapter(): OAuthUserAdapterInterface;
|
|
103
|
+
/**
|
|
104
|
+
* @override
|
|
105
|
+
*/
|
|
106
|
+
getOAuthTokenService(): OAuthTokenServiceInterface;
|
|
107
|
+
/**
|
|
108
|
+
* @override
|
|
109
|
+
*/
|
|
110
|
+
getOAuthRepo(): OAuthWrapperRepositoryInterface;
|
|
111
|
+
protected isQuery(query: unknown): query is OAuthAuthorizeQuery;
|
|
112
|
+
protected isValidateConsent(value: unknown): value is OAuthConsentBody;
|
|
113
|
+
/**
|
|
114
|
+
* @override
|
|
115
|
+
*/
|
|
116
|
+
resolveAuthorizePage(rawQuery: Record<string, string | string[] | undefined>): Promise<{
|
|
117
|
+
ok: true;
|
|
118
|
+
data: OAuthAuthorizePageData;
|
|
119
|
+
} | {
|
|
120
|
+
ok: false;
|
|
121
|
+
error: OAuthAuthorizeValidationError;
|
|
122
|
+
}>;
|
|
123
|
+
/**
|
|
124
|
+
* @override
|
|
125
|
+
*/
|
|
126
|
+
processConsent(requestBody: unknown): Promise<OAuthConsentResult>;
|
|
127
|
+
/**
|
|
128
|
+
* @override
|
|
129
|
+
*/
|
|
130
|
+
exchangeToken(rawFields: Record<string, string>): Promise<OAuthTokenResponse>;
|
|
131
|
+
/**
|
|
132
|
+
* @override
|
|
133
|
+
*/
|
|
134
|
+
revokeToken(rawFields: Record<string, string>): Promise<void>;
|
|
135
|
+
/**
|
|
136
|
+
* @override
|
|
137
|
+
*/
|
|
138
|
+
logoutUser(userId: number): Promise<void>;
|
|
139
|
+
/**
|
|
140
|
+
* @override
|
|
141
|
+
*/
|
|
142
|
+
getUserInfo(accessToken: string): Promise<OAuthUserInfoResponse>;
|
|
143
|
+
protected toUserInfoResponse(profile: OAuthUserProfile): OAuthUserInfoResponse;
|
|
144
|
+
}
|
|
145
|
+
|
|
146
|
+
declare class OAuthWrapperError extends ExecutorError {
|
|
147
|
+
readonly status: number;
|
|
148
|
+
readonly name = "OAuthWrapperError";
|
|
149
|
+
constructor(id: OAuthRfcCodeType, status: number, cause?: unknown);
|
|
150
|
+
}
|
|
151
|
+
|
|
152
|
+
declare function validatePkceParams(parsed: {
|
|
153
|
+
code_challenge?: string;
|
|
154
|
+
code_challenge_method?: 'S256';
|
|
155
|
+
}, confidential: boolean): OAuthAuthorizeValidationError | null;
|
|
156
|
+
declare function normalizeQuery(raw: Record<string, string | string[] | undefined>): Record<string, string | undefined>;
|
|
157
|
+
declare function isRedirectUriAllowed(redirectUri: string, client: OAuthClientRow): boolean;
|
|
158
|
+
|
|
159
|
+
/**
|
|
160
|
+
* Hashes OAuth client secrets for storage (scrypt, Node built-in).
|
|
161
|
+
*
|
|
162
|
+
* @example
|
|
163
|
+
* const hash = await hashClientSecret('my-secret');
|
|
164
|
+
*/
|
|
165
|
+
declare function hashClientSecret(secret: string): Promise<string>;
|
|
166
|
+
/**
|
|
167
|
+
* Verifies a plaintext client secret against a stored scrypt hash.
|
|
168
|
+
*/
|
|
169
|
+
declare function verifyClientSecret(secret: string, storedHash: string): Promise<boolean>;
|
|
170
|
+
|
|
171
|
+
/**
|
|
172
|
+
* Builds OAuth 2.0 redirect URLs for authorization responses.
|
|
173
|
+
*/
|
|
174
|
+
declare function buildOAuthRedirectUrl(redirectUri: string, params: Record<string, string | undefined>): string;
|
|
175
|
+
declare function parseScopeList(scope: string | undefined): string[];
|
|
176
|
+
|
|
177
|
+
/**
|
|
178
|
+
* PKCE helpers for RFC 7636 (S256 only).
|
|
179
|
+
*
|
|
180
|
+
* Significance: Validates and verifies code_verifier against stored code_challenge.
|
|
181
|
+
* Main purpose: Secure authorization code exchange for public OAuth clients.
|
|
182
|
+
*/
|
|
183
|
+
declare function isValidCodeVerifier(verifier: string): boolean;
|
|
184
|
+
declare function isValidCodeChallenge(challenge: string): boolean;
|
|
185
|
+
/**
|
|
186
|
+
* Computes the S256 code_challenge for a code_verifier.
|
|
187
|
+
*/
|
|
188
|
+
declare function computeS256CodeChallenge(verifier: string): string;
|
|
189
|
+
/**
|
|
190
|
+
* Returns true when {@link verifier} matches the stored S256 {@link challenge}.
|
|
191
|
+
*/
|
|
192
|
+
declare function verifyPkceS256(verifier: string, challenge: string): boolean;
|
|
193
|
+
|
|
194
|
+
export { OAuthAuthorizePageData, OAuthAuthorizeQuery, OAuthAuthorizeValidationError, OAuthClientCreate, OAuthClientCreateResponse, OAuthClientDetail, OAuthClientListItem, OAuthClientRow, OAuthClientSecretRotateResponse, OAuthClientUpdate, OAuthClientsInterface, OAuthClientsRepositoryInterface, OAuthClientsService, OAuthConsentBody, OAuthConsentResult, OAuthRfcCodeType, OAuthServiceInterface, OAuthSessionInterface, OAuthSessionPayload, OAuthTokenRequest, OAuthTokenResponse, OAuthTokenService, OAuthTokenServiceInterface, OAuthUserAdapterInterface, OAuthUserInfoResponse, OAuthUserProfile, OAuthWrapperError, OAuthWrapperRepositoryInterface, OAuthWrapperService, buildOAuthRedirectUrl, computeS256CodeChallenge, hashClientSecret, isRedirectUriAllowed, isValidCodeChallenge, isValidCodeVerifier, normalizeQuery, parseScopeList, validatePkceParams, verifyClientSecret, verifyPkceS256 };
|