@rudderjs/passport 0.0.1 → 0.0.3

package/dist/grants/authorization-code.d.ts

@@ -0,0 +1,56 @@
+import { OAuthClient } from '../models/OAuthClient.js';
+import { type IssuedTokens } from './issue-tokens.js';
+export interface AuthorizationRequest {
+    clientId: string;
+    redirectUri: string;
+    responseType: string;
+    scope: string;
+    state?: string;
+    codeChallenge?: string;
+    codeChallengeMethod?: string;
+}
+export interface ValidatedAuthRequest {
+    client: OAuthClient;
+    redirectUri: string;
+    scopes: string[];
+    state?: string;
+    codeChallenge?: string;
+    codeChallengeMethod?: string;
+}
+/**
+ * Validate an authorization request (GET /oauth/authorize).
+ * Returns the validated request or throws with an error message.
+ */
+export declare function validateAuthorizationRequest(params: AuthorizationRequest): Promise<ValidatedAuthRequest>;
+/**
+ * Create an authorization code after user approval.
+ * The code is short-lived (10 minutes) and single-use.
+ */
+export declare function issueAuthCode(opts: {
+    userId: string;
+    clientId: string;
+    scopes: string[];
+    redirectUri: string;
+    codeChallenge?: string;
+    codeChallengeMethod?: string;
+}): Promise<string>;
+export interface TokenExchangeRequest {
+    grantType: string;
+    code: string;
+    clientId: string;
+    clientSecret?: string;
+    redirectUri: string;
+    codeVerifier?: string;
+}
+/**
+ * Exchange an authorization code for access + refresh tokens.
+ */
+export declare function exchangeAuthCode(params: TokenExchangeRequest): Promise<IssuedTokens>;
+export declare class OAuthError extends Error {
+    readonly error: string;
+    readonly errorDescription: string;
+    readonly statusCode: number;
+    constructor(error: string, errorDescription: string, statusCode?: number);
+    toJSON(): Record<string, string>;
+}
+//# sourceMappingURL=authorization-code.d.ts.map

package/dist/grants/authorization-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization-code.d.ts","sourceRoot":"","sources":["../../src/grants/authorization-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AAGtD,OAAO,EAAe,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAIlE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAO,MAAM,CAAA;IACrB,WAAW,EAAI,MAAM,CAAA;IACrB,YAAY,EAAG,MAAM,CAAA;IACrB,KAAK,EAAU,MAAM,CAAA;IACrB,KAAK,CAAC,EAAS,MAAM,CAAA;IACrB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAC7B;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAS,WAAW,CAAA;IAC1B,WAAW,EAAI,MAAM,CAAA;IACrB,MAAM,EAAS,MAAM,EAAE,CAAA;IACvB,KAAK,CAAC,EAAS,MAAM,CAAA;IACrB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAC7B;AAED;;;GAGG;AACH,wBAAsB,4BAA4B,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAyC9G;AAID;;;GAGG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE;IACxC,MAAM,EAAK,MAAM,CAAA;IACjB,QAAQ,EAAG,MAAM,CAAA;IACjB,MAAM,EAAK,MAAM,EAAE,CAAA;IACnB,WAAW,EAAE,MAAM,CAAA;IACnB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAC7B,GAAG,OAAO,CAAC,MAAM,CAAC,CAclB;AAID,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAK,MAAM,CAAA;IACpB,IAAI,EAAU,MAAM,CAAA;IACpB,QAAQ,EAAM,MAAM,CAAA;IACpB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,WAAW,EAAG,MAAM,CAAA;IACpB,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,YAAY,CAAC,CAuE1F;AAID,qBAAa,UAAW,SAAQ,KAAK;aAEjB,KAAK,EAAE,MAAM;aACb,gBAAgB,EAAE,MAAM;aACxB,UAAU,EAAE,MAAM;gBAFlB,KAAK,EAAE,MAAM,EACb,gBAAgB,EAAE,MAAM,EACxB,UAAU,GAAE,MAAY;IAM1C,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CAMjC"}

package/dist/grants/authorization-code.js

@@ -0,0 +1,152 @@
+import { OAuthClient } from '../models/OAuthClient.js';
+import { AuthCode } from '../models/AuthCode.js';
+import { clientHelpers, authCodeHelpers } from '../models/helpers.js';
+import { issueTokens } from './issue-tokens.js';
+/**
+ * Validate an authorization request (GET /oauth/authorize).
+ * Returns the validated request or throws with an error message.
+ */
+export async function validateAuthorizationRequest(params) {
+    if (params.responseType !== 'code') {
+        throw new OAuthError('unsupported_response_type', 'Only response_type=code is supported.');
+    }
+    const client = await OAuthClient.where('id', params.clientId).first();
+    if (!client || client.revoked) {
+        throw new OAuthError('invalid_client', 'Client not found.');
+    }
+    if (!clientHelpers.hasGrantType(client, 'authorization_code')) {
+        throw new OAuthError('unauthorized_client', 'Client is not authorized for authorization_code grant.');
+    }
+    if (!clientHelpers.hasRedirectUri(client, params.redirectUri)) {
+        throw new OAuthError('invalid_request', 'Invalid redirect_uri.');
+    }
+    // PKCE validation
+    if (params.codeChallenge) {
+        if (params.codeChallengeMethod && params.codeChallengeMethod !== 'S256' && params.codeChallengeMethod !== 'plain') {
+            throw new OAuthError('invalid_request', 'Unsupported code_challenge_method. Use S256 or plain.');
+        }
+    }
+    else if (clientHelpers.isPublic(client)) {
+        // Public clients MUST use PKCE
+        throw new OAuthError('invalid_request', 'Public clients must use PKCE (code_challenge required).');
+    }
+    const scopes = params.scope ? params.scope.split(' ').filter(Boolean) : [];
+    const result = {
+        client,
+        redirectUri: params.redirectUri,
+        scopes,
+    };
+    if (params.state !== undefined)
+        result.state = params.state;
+    if (params.codeChallenge !== undefined)
+        result.codeChallenge = params.codeChallenge;
+    const method = params.codeChallengeMethod ?? (params.codeChallenge ? 'S256' : undefined);
+    if (method !== undefined)
+        result.codeChallengeMethod = method;
+    return result;
+}
+// ─── Issue Authorization Code ─────────────────────────────
+/**
+ * Create an authorization code after user approval.
+ * The code is short-lived (10 minutes) and single-use.
+ */
+export async function issueAuthCode(opts) {
+    const expiresAt = new Date(Date.now() + 10 * 60 * 1000); // 10 minutes
+    const code = await AuthCode.create({
+        userId: opts.userId,
+        clientId: opts.clientId,
+        scopes: JSON.stringify(opts.scopes),
+        revoked: false,
+        expiresAt,
+        codeChallenge: opts.codeChallenge ?? null,
+        codeChallengeMethod: opts.codeChallengeMethod ?? null,
+    });
+    return code.id;
+}
+/**
+ * Exchange an authorization code for access + refresh tokens.
+ */
+export async function exchangeAuthCode(params) {
+    if (params.grantType !== 'authorization_code') {
+        throw new OAuthError('unsupported_grant_type', 'Expected grant_type=authorization_code.');
+    }
+    // Validate client
+    const client = await OAuthClient.where('id', params.clientId).first();
+    if (!client || client.revoked) {
+        throw new OAuthError('invalid_client', 'Client not found.');
+    }
+    // Confidential clients must provide a valid secret
+    if (client.confidential) {
+        if (!params.clientSecret) {
+            throw new OAuthError('invalid_client', 'Client secret required.');
+        }
+        const { createHash } = await import('node:crypto');
+        const hashed = createHash('sha256').update(params.clientSecret).digest('hex');
+        if (hashed !== client.secret) {
+            throw new OAuthError('invalid_client', 'Invalid client secret.');
+        }
+    }
+    // Validate auth code
+    const authCode = await AuthCode.where('id', params.code).first();
+    if (!authCode) {
+        throw new OAuthError('invalid_grant', 'Authorization code not found.');
+    }
+    if (authCode.revoked) {
+        throw new OAuthError('invalid_grant', 'Authorization code has been revoked.');
+    }
+    if (authCodeHelpers.isExpired(authCode)) {
+        throw new OAuthError('invalid_grant', 'Authorization code has expired.');
+    }
+    if (authCode.clientId !== params.clientId) {
+        throw new OAuthError('invalid_grant', 'Authorization code was not issued to this client.');
+    }
+    // PKCE verification
+    if (authCode.codeChallenge) {
+        if (!params.codeVerifier) {
+            throw new OAuthError('invalid_grant', 'PKCE code_verifier required.');
+        }
+        const { createHash } = await import('node:crypto');
+        let expected;
+        if (authCode.codeChallengeMethod === 'S256') {
+            expected = createHash('sha256')
+                .update(params.codeVerifier)
+                .digest('base64url');
+        }
+        else {
+            // plain
+            expected = params.codeVerifier;
+        }
+        if (expected !== authCode.codeChallenge) {
+            throw new OAuthError('invalid_grant', 'PKCE code_verifier does not match.');
+        }
+    }
+    // Revoke the auth code (single-use)
+    await AuthCode.update(authCode.id, { revoked: true });
+    // Issue tokens
+    return issueTokens({
+        userId: authCode.userId,
+        clientId: params.clientId,
+        scopes: authCodeHelpers.getScopes(authCode),
+        includeRefresh: true,
+    });
+}
+// ─── OAuth Error ──────────────────────────────────────────
+export class OAuthError extends Error {
+    error;
+    errorDescription;
+    statusCode;
+    constructor(error, errorDescription, statusCode = 400) {
+        super(errorDescription);
+        this.error = error;
+        this.errorDescription = errorDescription;
+        this.statusCode = statusCode;
+        this.name = 'OAuthError';
+    }
+    toJSON() {
+        return {
+            error: this.error,
+            error_description: this.errorDescription,
+        };
+    }
+}
+//# sourceMappingURL=authorization-code.js.map

package/dist/grants/authorization-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization-code.js","sourceRoot":"","sources":["../../src/grants/authorization-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAChD,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA;AACrE,OAAO,EAAE,WAAW,EAAqB,MAAM,mBAAmB,CAAA;AAuBlE;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAAC,MAA4B;IAC7E,IAAI,MAAM,CAAC,YAAY,KAAK,MAAM,EAAE,CAAC;QACnC,MAAM,IAAI,UAAU,CAAC,2BAA2B,EAAE,uCAAuC,CAAC,CAAA;IAC5F,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAwB,CAAA;IAC3F,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAa,EAAE,oBAAoB,CAAC,EAAE,CAAC;QACrE,MAAM,IAAI,UAAU,CAAC,qBAAqB,EAAE,wDAAwD,CAAC,CAAA;IACvG,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,MAAa,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;QACrE,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,uBAAuB,CAAC,CAAA;IAClE,CAAC;IAED,kBAAkB;IAClB,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,IAAI,MAAM,CAAC,mBAAmB,IAAI,MAAM,CAAC,mBAAmB,KAAK,MAAM,IAAI,MAAM,CAAC,mBAAmB,KAAK,OAAO,EAAE,CAAC;YAClH,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,uDAAuD,CAAC,CAAA;QAClG,CAAC;IACH,CAAC;SAAM,IAAI,aAAa,CAAC,QAAQ,CAAC,MAAa,CAAC,EAAE,CAAC;QACjD,+BAA+B;QAC/B,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,yDAAyD,CAAC,CAAA;IACpG,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAE1E,MAAM,MAAM,GAAyB;QACnC,MAAM;QACN,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,MAAM;KACP,CAAA;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS;QAAE,MAAM,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAA;IAC3D,IAAI,MAAM,CAAC,aAAa,KAAK,SAAS;QAAE,MAAM,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAA;IACnF,MAAM,MAAM,GAAG,MAAM,CAAC,mBAAmB,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;IACxF,IAAI,MAAM,KAAK,SAAS;QAAE,MAAM,CAAC,mBAAmB,GAAG,MAAM,CAAA;IAE7D,OAAO,MAAM,CAAA;AACf,CAAC;AAED,6DAA6D;AAE7D;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAOnC;IACC,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA,CAAC,aAAa;IAErE,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;QACjC,MAAM,EAAe,IAAI,CAAC,MAAM;QAChC,QAAQ,EAAa,IAAI,CAAC,QAAQ;QAClC,MAAM,EAAe,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;QAChD,OAAO,EAAc,KAAK;QAC1B,SAAS;QACT,aAAa,EAAQ,IAAI,CAAC,aAAa,IAAI,IAAI;QAC/C,mBAAmB,EAAE,IAAI,CAAC,mBAAmB,IAAI,IAAI;KAC3B,CAAa,CAAA;IAEzC,OAAQ,IAAY,CAAC,EAAY,CAAA;AACnC,CAAC;AAaD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,MAA4B;IACjE,IAAI,MAAM,CAAC,SAAS,KAAK,oBAAoB,EAAE,CAAC;QAC9C,MAAM,IAAI,UAAU,CAAC,wBAAwB,EAAE,yCAAyC,CAAC,CAAA;IAC3F,CAAC;IAED,kBAAkB;IAClB,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAwB,CAAA;IAC3F,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAA;IAC7D,CAAC;IAED,mDAAmD;IACnD,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,yBAAyB,CAAC,CAAA;QACnE,CAAC;QACD,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;QAClD,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QAC7E,IAAI,MAAM,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;YAC7B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,wBAAwB,CAAC,CAAA;QAClE,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAqB,CAAA;IACnF,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,+BAA+B,CAAC,CAAA;IACxE,CAAC;IACD,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACrB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,sCAAsC,CAAC,CAAA;IAC/E,CAAC;IACD,IAAI,eAAe,CAAC,SAAS,CAAC,QAAe,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,iCAAiC,CAAC,CAAA;IAC1E,CAAC;IACD,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC1C,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,mDAAmD,CAAC,CAAA;IAC5F,CAAC;IAED,oBAAoB;IACpB,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;QAC3B,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,8BAA8B,CAAC,CAAA;QACvE,CAAC;QAED,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;QAClD,IAAI,QAAgB,CAAA;QAEpB,IAAI,QAAQ,CAAC,mBAAmB,KAAK,MAAM,EAAE,CAAC;YAC5C,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC;iBAC5B,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;iBAC3B,MAAM,CAAC,WAAW,CAAC,CAAA;QACxB,CAAC;aAAM,CAAC;YACN,QAAQ;YACR,QAAQ,GAAG,MAAM,CAAC,YAAY,CAAA;QAChC,CAAC;QAED,IAAI,QAAQ,KAAK,QAAQ,CAAC,aAAa,EAAE,CAAC;YACxC,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,oCAAoC,CAAC,CAAA;QAC7E,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,MAAM,QAAQ,CAAC,MAAM,CAAE,QAAgB,CAAC,EAAY,EAAE,EAAE,OAAO,EAAE,IAAI,EAAS,CAAC,CAAA;IAE/E,eAAe;IACf,OAAO,WAAW,CAAC;QACjB,MAAM,EAAI,QAAQ,CAAC,MAAM;QACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAI,eAAe,CAAC,SAAS,CAAC,QAAe,CAAC;QACpD,cAAc,EAAE,IAAI;KACrB,CAAC,CAAA;AACJ,CAAC;AAED,6DAA6D;AAE7D,MAAM,OAAO,UAAW,SAAQ,KAAK;IAEjB;IACA;IACA;IAHlB,YACkB,KAAa,EACb,gBAAwB,EACxB,aAAqB,GAAG;QAExC,KAAK,CAAC,gBAAgB,CAAC,CAAA;QAJP,UAAK,GAAL,KAAK,CAAQ;QACb,qBAAgB,GAAhB,gBAAgB,CAAQ;QACxB,eAAU,GAAV,UAAU,CAAc;QAGxC,IAAI,CAAC,IAAI,GAAG,YAAY,CAAA;IAC1B,CAAC;IAED,MAAM;QACJ,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,iBAAiB,EAAE,IAAI,CAAC,gBAAgB;SACzC,CAAA;IACH,CAAC;CACF"}

package/dist/grants/client-credentials.d.ts

@@ -0,0 +1,13 @@
+import { type IssuedTokens } from './issue-tokens.js';
+export interface ClientCredentialsRequest {
+    grantType: string;
+    clientId: string;
+    clientSecret: string;
+    scope?: string;
+}
+/**
+ * Client credentials grant — machine-to-machine, no user context.
+ * Issues an access token (no refresh token).
+ */
+export declare function clientCredentialsGrant(params: ClientCredentialsRequest): Promise<IssuedTokens>;
+//# sourceMappingURL=client-credentials.d.ts.map

package/dist/grants/client-credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-credentials.d.ts","sourceRoot":"","sources":["../../src/grants/client-credentials.ts"],"names":[],"mappings":"AAEA,OAAO,EAAe,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAGlE,MAAM,WAAW,wBAAwB;IACvC,SAAS,EAAK,MAAM,CAAA;IACpB,QAAQ,EAAM,MAAM,CAAA;IACpB,YAAY,EAAE,MAAM,CAAA;IACpB,KAAK,CAAC,EAAQ,MAAM,CAAA;CACrB;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,CAAC,MAAM,EAAE,wBAAwB,GAAG,OAAO,CAAC,YAAY,CAAC,CAiCpG"}

package/dist/grants/client-credentials.js

@@ -0,0 +1,37 @@
+import { OAuthClient } from '../models/OAuthClient.js';
+import { clientHelpers } from '../models/helpers.js';
+import { issueTokens } from './issue-tokens.js';
+import { OAuthError } from './authorization-code.js';
+/**
+ * Client credentials grant — machine-to-machine, no user context.
+ * Issues an access token (no refresh token).
+ */
+export async function clientCredentialsGrant(params) {
+    if (params.grantType !== 'client_credentials') {
+        throw new OAuthError('unsupported_grant_type', 'Expected grant_type=client_credentials.');
+    }
+    const client = await OAuthClient.where('id', params.clientId).first();
+    if (!client || client.revoked) {
+        throw new OAuthError('invalid_client', 'Client not found.', 401);
+    }
+    if (!clientHelpers.hasGrantType(client, 'client_credentials')) {
+        throw new OAuthError('unauthorized_client', 'Client is not authorized for client_credentials grant.');
+    }
+    if (!client.confidential) {
+        throw new OAuthError('invalid_client', 'Client credentials grant requires a confidential client.');
+    }
+    // Verify secret
+    const { createHash } = await import('node:crypto');
+    const hashed = createHash('sha256').update(params.clientSecret).digest('hex');
+    if (hashed !== client.secret) {
+        throw new OAuthError('invalid_client', 'Invalid client secret.', 401);
+    }
+    const scopes = params.scope ? params.scope.split(' ').filter(Boolean) : [];
+    return issueTokens({
+        userId: null, // no user context
+        clientId: params.clientId,
+        scopes,
+        includeRefresh: false, // client credentials don't get refresh tokens
+    });
+}
+//# sourceMappingURL=client-credentials.js.map

package/dist/grants/client-credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-credentials.js","sourceRoot":"","sources":["../../src/grants/client-credentials.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACpD,OAAO,EAAE,WAAW,EAAqB,MAAM,mBAAmB,CAAA;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AASpD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,MAAgC;IAC3E,IAAI,MAAM,CAAC,SAAS,KAAK,oBAAoB,EAAE,CAAC;QAC9C,MAAM,IAAI,UAAU,CAAC,wBAAwB,EAAE,yCAAyC,CAAC,CAAA;IAC3F,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAwB,CAAA;IAC3F,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAA;IAClE,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAa,EAAE,oBAAoB,CAAC,EAAE,CAAC;QACrE,MAAM,IAAI,UAAU,CAAC,qBAAqB,EAAE,wDAAwD,CAAC,CAAA;IACvG,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACzB,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,0DAA0D,CAAC,CAAA;IACpG,CAAC;IAED,gBAAgB;IAChB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;IAClD,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC7E,IAAI,MAAM,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;QAC7B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,wBAAwB,EAAE,GAAG,CAAC,CAAA;IACvE,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAE1E,OAAO,WAAW,CAAC;QACjB,MAAM,EAAU,IAAI,EAAE,kBAAkB;QACxC,QAAQ,EAAQ,MAAM,CAAC,QAAQ;QAC/B,MAAM;QACN,cAAc,EAAE,KAAK,EAAE,8CAA8C;KACtE,CAAC,CAAA;AACJ,CAAC"}

package/dist/grants/device-code.d.ts

@@ -0,0 +1,43 @@
+import { type IssuedTokens } from './issue-tokens.js';
+export interface DeviceAuthorizationResponse {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete?: string;
+    expires_in: number;
+    interval: number;
+}
+/**
+ * Step 1: Device requests authorization codes.
+ * Returns device_code + user_code for the user to enter.
+ */
+export declare function requestDeviceCode(params: {
+    clientId: string;
+    scope?: string;
+    verificationUri: string;
+}): Promise<DeviceAuthorizationResponse>;
+/**
+ * Step 2: User approves or denies the device (on the verification page).
+ */
+export declare function approveDeviceCode(userCode: string, userId: string, approved: boolean): Promise<void>;
+export type DevicePollResult = {
+    status: 'authorized';
+    tokens: IssuedTokens;
+} | {
+    status: 'authorization_pending';
+} | {
+    status: 'slow_down';
+} | {
+    status: 'access_denied';
+} | {
+    status: 'expired_token';
+};
+/**
+ * Step 3: Device polls for tokens using the device_code.
+ */
+export declare function pollDeviceCode(params: {
+    grantType: string;
+    deviceCode: string;
+    clientId: string;
+}): Promise<DevicePollResult>;
+//# sourceMappingURL=device-code.d.ts.map

package/dist/grants/device-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-code.d.ts","sourceRoot":"","sources":["../../src/grants/device-code.ts"],"names":[],"mappings":"AAGA,OAAO,EAAe,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAKlE,MAAM,WAAW,2BAA2B;IAC1C,WAAW,EAAiB,MAAM,CAAA;IAClC,SAAS,EAAmB,MAAM,CAAA;IAClC,gBAAgB,EAAY,MAAM,CAAA;IAClC,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,UAAU,EAAkB,MAAM,CAAA;IAClC,QAAQ,EAAoB,MAAM,CAAA;CACnC;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE;IAC9C,QAAQ,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAI,MAAM,CAAA;IAChB,eAAe,EAAE,MAAM,CAAA;CACxB,GAAG,OAAO,CAAC,2BAA2B,CAAC,CAmCvC;AAID;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAgB1G;AAID,MAAM,MAAM,gBAAgB,GACxB;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,MAAM,EAAE,YAAY,CAAA;CAAE,GAC9C;IAAE,MAAM,EAAE,uBAAuB,CAAA;CAAE,GACnC;IAAE,MAAM,EAAE,WAAW,CAAA;CAAE,GACvB;IAAE,MAAM,EAAE,eAAe,CAAA;CAAE,GAC3B;IAAE,MAAM,EAAE,eAAe,CAAA;CAAE,CAAA;AAE/B;;GAEG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE;IAC3C,SAAS,EAAG,MAAM,CAAA;IAClB,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAI,MAAM,CAAA;CACnB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAiD5B"}

package/dist/grants/device-code.js

@@ -0,0 +1,120 @@
+import { OAuthClient } from '../models/OAuthClient.js';
+import { DeviceCode } from '../models/DeviceCode.js';
+import { clientHelpers, deviceCodeHelpers } from '../models/helpers.js';
+import { issueTokens } from './issue-tokens.js';
+import { OAuthError } from './authorization-code.js';
+/**
+ * Step 1: Device requests authorization codes.
+ * Returns device_code + user_code for the user to enter.
+ */
+export async function requestDeviceCode(params) {
+    const client = await OAuthClient.where('id', params.clientId).first();
+    if (!client || client.revoked) {
+        throw new OAuthError('invalid_client', 'Client not found.');
+    }
+    if (!clientHelpers.hasGrantType(client, 'urn:ietf:params:oauth:grant-type:device_code')) {
+        throw new OAuthError('unauthorized_client', 'Client is not authorized for device authorization grant.');
+    }
+    const { randomBytes } = await import('node:crypto');
+    const deviceCode = randomBytes(32).toString('hex');
+    const userCode = await generateUserCode();
+    const scopes = params.scope ? params.scope.split(' ').filter(Boolean) : [];
+    const expiresAt = new Date(Date.now() + 15 * 60 * 1000); // 15 minutes
+    await DeviceCode.create({
+        clientId: params.clientId,
+        deviceCode,
+        userCode,
+        scopes: JSON.stringify(scopes),
+        userId: null,
+        approved: null,
+        expiresAt,
+        lastPolledAt: null,
+    });
+    return {
+        device_code: deviceCode,
+        user_code: userCode,
+        verification_uri: params.verificationUri,
+        verification_uri_complete: `${params.verificationUri}?user_code=${userCode}`,
+        expires_in: 15 * 60, // 15 minutes in seconds
+        interval: 5, // poll every 5 seconds
+    };
+}
+// ─── User Approval ────────────────────────────────────────
+/**
+ * Step 2: User approves or denies the device (on the verification page).
+ */
+export async function approveDeviceCode(userCode, userId, approved) {
+    const device = await DeviceCode.where('userCode', userCode).first();
+    if (!device) {
+        throw new OAuthError('invalid_request', 'Device code not found.');
+    }
+    if (deviceCodeHelpers.isExpired(device)) {
+        throw new OAuthError('expired_token', 'Device code has expired.');
+    }
+    if (!deviceCodeHelpers.isPending(device)) {
+        throw new OAuthError('invalid_request', 'Device code has already been used.');
+    }
+    await DeviceCode.update(device.id, {
+        userId,
+        approved,
+    });
+}
+/**
+ * Step 3: Device polls for tokens using the device_code.
+ */
+export async function pollDeviceCode(params) {
+    if (params.grantType !== 'urn:ietf:params:oauth:grant-type:device_code') {
+        throw new OAuthError('unsupported_grant_type', 'Expected grant_type=urn:ietf:params:oauth:grant-type:device_code.');
+    }
+    const device = await DeviceCode.where('deviceCode', params.deviceCode).first();
+    if (!device) {
+        throw new OAuthError('invalid_grant', 'Device code not found.');
+    }
+    if (device.clientId !== params.clientId) {
+        throw new OAuthError('invalid_grant', 'Device code was not issued to this client.');
+    }
+    if (deviceCodeHelpers.isExpired(device)) {
+        return { status: 'expired_token' };
+    }
+    // Rate limiting: enforce 5-second interval
+    if (device.lastPolledAt) {
+        const elapsed = Date.now() - new Date(device.lastPolledAt).getTime();
+        if (elapsed < 5000) {
+            return { status: 'slow_down' };
+        }
+    }
+    // Update last polled time
+    await DeviceCode.update(device.id, {
+        lastPolledAt: new Date(),
+    });
+    if (deviceCodeHelpers.isPending(device)) {
+        return { status: 'authorization_pending' };
+    }
+    if (deviceCodeHelpers.isDenied(device)) {
+        return { status: 'access_denied' };
+    }
+    // Approved — issue tokens
+    const tokens = await issueTokens({
+        userId: device.userId,
+        clientId: params.clientId,
+        scopes: deviceCodeHelpers.getScopes(device),
+        includeRefresh: true,
+    });
+    // Clean up the device code
+    await DeviceCode.delete(device.id);
+    return { status: 'authorized', tokens };
+}
+// ─── Helpers ──────────────────────────────────────────────
+/** Generate a human-readable user code (8 chars, uppercase, no ambiguous chars). */
+async function generateUserCode() {
+    const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no I, O, 0, 1
+    const { randomInt } = await import('node:crypto');
+    let code = '';
+    for (let i = 0; i < 8; i++) {
+        if (i === 4)
+            code += '-'; // XXXX-XXXX format
+        code += chars[randomInt(chars.length)];
+    }
+    return code;
+}
+//# sourceMappingURL=device-code.js.map

package/dist/grants/device-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-code.js","sourceRoot":"","sources":["../../src/grants/device-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAA;AACvE,OAAO,EAAE,WAAW,EAAqB,MAAM,mBAAmB,CAAA;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AAapD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAIvC;IACC,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAwB,CAAA;IAC3F,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAa,EAAE,8CAA8C,CAAC,EAAE,CAAC;QAC/F,MAAM,IAAI,UAAU,CAAC,qBAAqB,EAAE,0DAA0D,CAAC,CAAA;IACzG,CAAC;IAED,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;IACnD,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAClD,MAAM,QAAQ,GAAK,MAAM,gBAAgB,EAAE,CAAA;IAC3C,MAAM,MAAM,GAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAC9E,MAAM,SAAS,GAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA,CAAC,aAAa;IAEtE,MAAM,UAAU,CAAC,MAAM,CAAC;QACtB,QAAQ,EAAI,MAAM,CAAC,QAAQ;QAC3B,UAAU;QACV,QAAQ;QACR,MAAM,EAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;QAClC,MAAM,EAAM,IAAI;QAChB,QAAQ,EAAI,IAAI;QAChB,SAAS;QACT,YAAY,EAAE,IAAI;KACQ,CAAC,CAAA;IAE7B,OAAO;QACL,WAAW,EAAO,UAAU;QAC5B,SAAS,EAAS,QAAQ;QAC1B,gBAAgB,EAAE,MAAM,CAAC,eAAe;QACxC,yBAAyB,EAAE,GAAG,MAAM,CAAC,eAAe,cAAc,QAAQ,EAAE;QAC5E,UAAU,EAAQ,EAAE,GAAG,EAAE,EAAE,wBAAwB;QACnD,QAAQ,EAAU,CAAC,EAAQ,uBAAuB;KACnD,CAAA;AACH,CAAC;AAED,6DAA6D;AAE7D;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,QAAgB,EAAE,MAAc,EAAE,QAAiB;IACzF,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,KAAK,EAAuB,CAAA;IACxF,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,wBAAwB,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,iBAAiB,CAAC,SAAS,CAAC,MAAa,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,0BAA0B,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,MAAa,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,oCAAoC,CAAC,CAAA;IAC/E,CAAC;IAED,MAAM,UAAU,CAAC,MAAM,CAAE,MAAc,CAAC,EAAY,EAAE;QACpD,MAAM;QACN,QAAQ;KACF,CAAC,CAAA;AACX,CAAC;AAWD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAIpC;IACC,IAAI,MAAM,CAAC,SAAS,KAAK,8CAA8C,EAAE,CAAC;QACxE,MAAM,IAAI,UAAU,CAAC,wBAAwB,EAAE,mEAAmE,CAAC,CAAA;IACrH,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,YAAY,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,KAAK,EAAuB,CAAA;IACnG,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,wBAAwB,CAAC,CAAA;IACjE,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,4CAA4C,CAAC,CAAA;IACrF,CAAC;IACD,IAAI,iBAAiB,CAAC,SAAS,CAAC,MAAa,CAAC,EAAE,CAAC;QAC/C,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;IACpC,CAAC;IAED,2CAA2C;IAC3C,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAA;QACpE,IAAI,OAAO,GAAG,IAAI,EAAE,CAAC;YACnB,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;QAChC,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,MAAM,UAAU,CAAC,MAAM,CAAE,MAAc,CAAC,EAAY,EAAE;QACpD,YAAY,EAAE,IAAI,IAAI,EAAE;KAClB,CAAC,CAAA;IAET,IAAI,iBAAiB,CAAC,SAAS,CAAC,MAAa,CAAC,EAAE,CAAC;QAC/C,OAAO,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAA;IAC5C,CAAC;IAED,IAAI,iBAAiB,CAAC,QAAQ,CAAC,MAAa,CAAC,EAAE,CAAC;QAC9C,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;IACpC,CAAC;IAED,0BAA0B;IAC1B,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC;QAC/B,MAAM,EAAI,MAAM,CAAC,MAAM;QACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAI,iBAAiB,CAAC,SAAS,CAAC,MAAa,CAAC;QACpD,cAAc,EAAE,IAAI;KACrB,CAAC,CAAA;IAEF,2BAA2B;IAC3B,MAAM,UAAU,CAAC,MAAM,CAAE,MAAc,CAAC,EAAY,CAAC,CAAA;IAErD,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,CAAA;AACzC,CAAC;AAED,6DAA6D;AAE7D,oFAAoF;AACpF,KAAK,UAAU,gBAAgB;IAC7B,MAAM,KAAK,GAAG,kCAAkC,CAAA,CAAC,gBAAgB;IACjE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;IACjD,IAAI,IAAI,GAAG,EAAE,CAAA;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,IAAI,CAAC,KAAK,CAAC;YAAE,IAAI,IAAI,GAAG,CAAA,CAAC,mBAAmB;QAC5C,IAAI,IAAI,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAA;IACxC,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/grants/index.d.ts

@@ -0,0 +1,11 @@
+export { issueTokens } from './issue-tokens.js';
+export type { IssuedTokens } from './issue-tokens.js';
+export { validateAuthorizationRequest, issueAuthCode, exchangeAuthCode, OAuthError, } from './authorization-code.js';
+export type { AuthorizationRequest, ValidatedAuthRequest, TokenExchangeRequest, } from './authorization-code.js';
+export { clientCredentialsGrant } from './client-credentials.js';
+export type { ClientCredentialsRequest } from './client-credentials.js';
+export { refreshTokenGrant } from './refresh-token.js';
+export type { RefreshTokenRequest } from './refresh-token.js';
+export { requestDeviceCode, approveDeviceCode, pollDeviceCode, } from './device-code.js';
+export type { DeviceAuthorizationResponse, DevicePollResult, } from './device-code.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/grants/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/grants/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAErD,OAAO,EACL,4BAA4B,EAC5B,aAAa,EACb,gBAAgB,EAChB,UAAU,GACX,MAAM,yBAAyB,CAAA;AAChC,YAAY,EACV,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,yBAAyB,CAAA;AAEhC,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAA;AAChE,YAAY,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAA;AAEvE,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AACtD,YAAY,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAA;AAE7D,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,GACf,MAAM,kBAAkB,CAAA;AACzB,YAAY,EACV,2BAA2B,EAC3B,gBAAgB,GACjB,MAAM,kBAAkB,CAAA"}

package/dist/grants/index.js

@@ -0,0 +1,6 @@
+export { issueTokens } from './issue-tokens.js';
+export { validateAuthorizationRequest, issueAuthCode, exchangeAuthCode, OAuthError, } from './authorization-code.js';
+export { clientCredentialsGrant } from './client-credentials.js';
+export { refreshTokenGrant } from './refresh-token.js';
+export { requestDeviceCode, approveDeviceCode, pollDeviceCode, } from './device-code.js';
+//# sourceMappingURL=index.js.map

package/dist/grants/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/grants/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAG/C,OAAO,EACL,4BAA4B,EAC5B,aAAa,EACb,gBAAgB,EAChB,UAAU,GACX,MAAM,yBAAyB,CAAA;AAOhC,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAA;AAGhE,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AAGtD,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,GACf,MAAM,kBAAkB,CAAA"}

package/dist/grants/issue-tokens.d.ts

@@ -0,0 +1,18 @@
+export interface IssuedTokens {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_in: number;
+    refresh_token?: string;
+}
+/**
+ * Issue an access token (+ optional refresh token) and persist to DB.
+ */
+export declare function issueTokens(opts: {
+    userId: string | null;
+    clientId: string;
+    scopes: string[];
+    includeRefresh?: boolean;
+    /** Override access token lifetime in ms */
+    lifetime?: number;
+}): Promise<IssuedTokens>;
+//# sourceMappingURL=issue-tokens.d.ts.map

package/dist/grants/issue-tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"issue-tokens.d.ts","sourceRoot":"","sources":["../../src/grants/issue-tokens.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAG,MAAM,CAAA;IACrB,UAAU,EAAK,QAAQ,CAAA;IACvB,UAAU,EAAK,MAAM,CAAA;IACrB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE;IACtC,MAAM,EAAQ,MAAM,GAAG,IAAI,CAAA;IAC3B,QAAQ,EAAM,MAAM,CAAA;IACpB,MAAM,EAAQ,MAAM,EAAE,CAAA;IACtB,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,2CAA2C;IAC3C,QAAQ,CAAC,EAAK,MAAM,CAAA;CACrB,GAAG,OAAO,CAAC,YAAY,CAAC,CA2CxB"}

package/dist/grants/issue-tokens.js

@@ -0,0 +1,45 @@
+import { Passport } from '../Passport.js';
+import { AccessToken } from '../models/AccessToken.js';
+import { RefreshToken } from '../models/RefreshToken.js';
+import { createToken } from '../token.js';
+/**
+ * Issue an access token (+ optional refresh token) and persist to DB.
+ */
+export async function issueTokens(opts) {
+    const lifetime = opts.lifetime ?? Passport.tokenLifetime();
+    const expiresAt = new Date(Date.now() + lifetime);
+    // Create DB record
+    const tokenRecord = await AccessToken.create({
+        userId: opts.userId,
+        clientId: opts.clientId,
+        scopes: JSON.stringify(opts.scopes),
+        revoked: false,
+        expiresAt,
+    });
+    const tokenId = tokenRecord.id;
+    // Sign JWT
+    const jwt = await createToken({
+        tokenId,
+        userId: opts.userId,
+        clientId: opts.clientId,
+        scopes: opts.scopes,
+        expiresAt,
+    });
+    const result = {
+        access_token: jwt,
+        token_type: 'Bearer',
+        expires_in: Math.floor(lifetime / 1000),
+    };
+    // Issue refresh token
+    if (opts.includeRefresh !== false) {
+        const refreshExpiresAt = new Date(Date.now() + Passport.refreshTokenLifetime());
+        const refreshRecord = await RefreshToken.create({
+            accessTokenId: tokenId,
+            revoked: false,
+            expiresAt: refreshExpiresAt,
+        });
+        result.refresh_token = refreshRecord.id;
+    }
+    return result;
+}
+//# sourceMappingURL=issue-tokens.js.map

package/dist/grants/issue-tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"issue-tokens.js","sourceRoot":"","sources":["../../src/grants/issue-tokens.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAA;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AASzC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAOjC;IACC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAA;IAC1D,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,CAAA;IAEjD,mBAAmB;IACnB,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC;QAC3C,MAAM,EAAK,IAAI,CAAC,MAAM;QACtB,QAAQ,EAAG,IAAI,CAAC,QAAQ;QACxB,MAAM,EAAK,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;QACtC,OAAO,EAAI,KAAK;QAChB,SAAS;KACiB,CAAgB,CAAA;IAE5C,MAAM,OAAO,GAAI,WAAmB,CAAC,EAAY,CAAA;IAEjD,WAAW;IACX,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC;QAC5B,OAAO;QACP,MAAM,EAAI,IAAI,CAAC,MAAM;QACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,MAAM,EAAI,IAAI,CAAC,MAAM;QACrB,SAAS;KACV,CAAC,CAAA;IAEF,MAAM,MAAM,GAAiB;QAC3B,YAAY,EAAE,GAAG;QACjB,UAAU,EAAI,QAAQ;QACtB,UAAU,EAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC;KAC1C,CAAA;IAED,sBAAsB;IACtB,IAAI,IAAI,CAAC,cAAc,KAAK,KAAK,EAAE,CAAC;QAClC,MAAM,gBAAgB,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,oBAAoB,EAAE,CAAC,CAAA;QAC/E,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC;YAC9C,aAAa,EAAE,OAAO;YACtB,OAAO,EAAQ,KAAK;YACpB,SAAS,EAAM,gBAAgB;SACL,CAAiB,CAAA;QAE7C,MAAM,CAAC,aAAa,GAAI,aAAqB,CAAC,EAAY,CAAA;IAC5D,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/grants/refresh-token.d.ts

@@ -0,0 +1,14 @@
+import { type IssuedTokens } from './issue-tokens.js';
+export interface RefreshTokenRequest {
+    grantType: string;
+    refreshToken: string;
+    clientId: string;
+    clientSecret?: string;
+    scope?: string;
+}
+/**
+ * Refresh token grant — exchange a refresh token for a new access + refresh token pair.
+ * The old refresh token is revoked.
+ */
+export declare function refreshTokenGrant(params: RefreshTokenRequest): Promise<IssuedTokens>;
+//# sourceMappingURL=refresh-token.d.ts.map

package/dist/grants/refresh-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token.d.ts","sourceRoot":"","sources":["../../src/grants/refresh-token.ts"],"names":[],"mappings":"AAIA,OAAO,EAAe,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAGlE,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAK,MAAM,CAAA;IACpB,YAAY,EAAE,MAAM,CAAA;IACpB,QAAQ,EAAM,MAAM,CAAA;IACpB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,KAAK,CAAC,EAAQ,MAAM,CAAA;CACrB;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CAmE1F"}