@rudderjs/passport 0.0.1

package/dist/middleware/scope.d.ts

@@ -0,0 +1,11 @@
+import type { MiddlewareHandler } from '@rudderjs/contracts';
+/**
+ * Middleware that requires specific OAuth scopes on the Bearer token.
+ * Must be used after BearerMiddleware or RequireBearer.
+ *
+ * @example
+ * router.get('/admin', [RequireBearer(), scope('admin')], handler)
+ * router.post('/orders', [RequireBearer(), scope('write', 'place-orders')], handler)
+ */
+export declare function scope(...requiredScopes: string[]): MiddlewareHandler;
+//# sourceMappingURL=scope.d.ts.map

package/dist/middleware/scope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope.d.ts","sourceRoot":"","sources":["../../src/middleware/scope.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAE5D;;;;;;;GAOG;AACH,wBAAgB,KAAK,CAAC,GAAG,cAAc,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAiCpE"}

package/dist/middleware/scope.js

@@ -0,0 +1,39 @@
+/**
+ * Middleware that requires specific OAuth scopes on the Bearer token.
+ * Must be used after BearerMiddleware or RequireBearer.
+ *
+ * @example
+ * router.get('/admin', [RequireBearer(), scope('admin')], handler)
+ * router.post('/orders', [RequireBearer(), scope('write', 'place-orders')], handler)
+ */
+export function scope(...requiredScopes) {
+    return async function ScopeMiddleware(req, res, next) {
+        const raw = req.raw;
+        const tokenScopes = raw['__passport_scopes'];
+        if (!tokenScopes) {
+            res.status(403).json({
+                error: 'insufficient_scope',
+                message: 'Token does not have the required scopes.',
+                required: requiredScopes,
+            });
+            return;
+        }
+        // Wildcard scope grants everything
+        if (tokenScopes.includes('*')) {
+            await next();
+            return;
+        }
+        const missing = requiredScopes.filter(s => !tokenScopes.includes(s));
+        if (missing.length > 0) {
+            res.status(403).json({
+                error: 'insufficient_scope',
+                message: `Token is missing scope(s): ${missing.join(', ')}`,
+                required: requiredScopes,
+                missing,
+            });
+            return;
+        }
+        await next();
+    };
+}
+//# sourceMappingURL=scope.js.map

package/dist/middleware/scope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope.js","sourceRoot":"","sources":["../../src/middleware/scope.ts"],"names":[],"mappings":"AAEA;;;;;;;GAOG;AACH,MAAM,UAAU,KAAK,CAAC,GAAG,cAAwB;IAC/C,OAAO,KAAK,UAAU,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI;QAClD,MAAM,GAAG,GAAG,GAAG,CAAC,GAA8B,CAAA;QAC9C,MAAM,WAAW,GAAG,GAAG,CAAC,mBAAmB,CAAyB,CAAA;QAEpE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,oBAAoB;gBAC3B,OAAO,EAAE,0CAA0C;gBACnD,QAAQ,EAAE,cAAc;aACzB,CAAC,CAAA;YACF,OAAM;QACR,CAAC;QAED,mCAAmC;QACnC,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACpE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,oBAAoB;gBAC3B,OAAO,EAAE,8BAA8B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC3D,QAAQ,EAAE,cAAc;gBACxB,OAAO;aACR,CAAC,CAAA;YACF,OAAM;QACR,CAAC;QAED,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC"}

package/dist/models/AccessToken.d.ts

@@ -0,0 +1,23 @@
+import { Model } from '@rudderjs/orm';
+export declare class AccessToken extends Model {
+    static table: string;
+    static fillable: string[];
+    userId: string | null;
+    clientId: string;
+    name: string | null;
+    revoked: boolean;
+    expiresAt: Date;
+    /** Parsed scopes array. */
+    getScopes(): string[];
+    /** Check if the token has a specific scope. */
+    can(scope: string): boolean;
+    /** Check if the token is missing a specific scope. */
+    cant(scope: string): boolean;
+    /** Revoke this token. */
+    revoke(): Promise<void>;
+    /** Whether this token has expired. */
+    isExpired(): boolean;
+    /** Whether this token is valid (not revoked and not expired). */
+    isValid(): boolean;
+}
+//# sourceMappingURL=AccessToken.d.ts.map

package/dist/models/AccessToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AccessToken.d.ts","sourceRoot":"","sources":["../../src/models/AccessToken.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AAErC,qBAAa,WAAY,SAAQ,KAAK;IACpC,OAAgB,KAAK,SAAwB;IAE7C,OAAgB,QAAQ,WAAmE;IAEnF,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;IACrB,QAAQ,EAAE,MAAM,CAAA;IAChB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;IACnB,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,IAAI,CAAA;IAEvB,2BAA2B;IAC3B,SAAS,IAAI,MAAM,EAAE;IAMrB,+CAA+C;IAC/C,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAK3B,sDAAsD;IACtD,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAI5B,yBAAyB;IACnB,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAK7B,sCAAsC;IACtC,SAAS,IAAI,OAAO;IAIpB,iEAAiE;IACjE,OAAO,IAAI,OAAO;CAGnB"}

package/dist/models/AccessToken.js

@@ -0,0 +1,35 @@
+import { Model } from '@rudderjs/orm';
+export class AccessToken extends Model {
+    static table = 'oauth_access_tokens';
+    static fillable = ['userId', 'clientId', 'name', 'scopes', 'revoked', 'expiresAt'];
+    /** Parsed scopes array. */
+    getScopes() {
+        const raw = this['scopes'];
+        if (typeof raw === 'string')
+            return JSON.parse(raw);
+        return raw ?? [];
+    }
+    /** Check if the token has a specific scope. */
+    can(scope) {
+        const scopes = this.getScopes();
+        return scopes.includes('*') || scopes.includes(scope);
+    }
+    /** Check if the token is missing a specific scope. */
+    cant(scope) {
+        return !this.can(scope);
+    }
+    /** Revoke this token. */
+    async revoke() {
+        this.revoked = true;
+        await this.constructor.update(this.id, { revoked: true });
+    }
+    /** Whether this token has expired. */
+    isExpired() {
+        return new Date(this.expiresAt).getTime() <= Date.now();
+    }
+    /** Whether this token is valid (not revoked and not expired). */
+    isValid() {
+        return !this.revoked && !this.isExpired();
+    }
+}
+//# sourceMappingURL=AccessToken.js.map

package/dist/models/AccessToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AccessToken.js","sourceRoot":"","sources":["../../src/models/AccessToken.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AAErC,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC,MAAM,CAAU,KAAK,GAAG,qBAAqB,CAAA;IAE7C,MAAM,CAAU,QAAQ,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,CAAA;IAQ3F,2BAA2B;IAC3B,SAAS;QACP,MAAM,GAAG,GAAI,IAA2C,CAAC,QAAQ,CAAC,CAAA;QAClE,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAA;QAC/D,OAAQ,GAAgB,IAAI,EAAE,CAAA;IAChC,CAAC;IAED,+CAA+C;IAC/C,GAAG,CAAC,KAAa;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAA;QAC/B,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACvD,CAAC;IAED,sDAAsD;IACtD,IAAI,CAAC,KAAa;QAChB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;IACzB,CAAC;IAED,yBAAyB;IACzB,KAAK,CAAC,MAAM;QACV,IAAI,CAAC,OAAO,GAAG,IAAI,CAAA;QACnB,MAAO,IAAI,CAAC,WAAkC,CAAC,MAAM,CAAE,IAAY,CAAC,EAAY,EAAE,EAAE,OAAO,EAAE,IAAI,EAAS,CAAC,CAAA;IAC7G,CAAC;IAED,sCAAsC;IACtC,SAAS;QACP,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAA;IACzD,CAAC;IAED,iEAAiE;IACjE,OAAO;QACL,OAAO,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAA;IAC3C,CAAC"}

package/dist/models/AuthCode.d.ts

@@ -0,0 +1,18 @@
+import { Model } from '@rudderjs/orm';
+export declare class AuthCode extends Model {
+    static table: string;
+    static fillable: string[];
+    userId: string;
+    clientId: string;
+    revoked: boolean;
+    expiresAt: Date;
+    codeChallenge: string | null;
+    codeChallengeMethod: string | null;
+    /** Parsed scopes array. */
+    getScopes(): string[];
+    /** Whether this auth code has expired. */
+    isExpired(): boolean;
+    /** Whether PKCE was used. */
+    isPkce(): boolean;
+}
+//# sourceMappingURL=AuthCode.d.ts.map

package/dist/models/AuthCode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthCode.d.ts","sourceRoot":"","sources":["../../src/models/AuthCode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AAErC,qBAAa,QAAS,SAAQ,KAAK;IACjC,OAAgB,KAAK,SAAqB;IAE1C,OAAgB,QAAQ,WAAmG;IAEnH,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,IAAI,CAAA;IACf,aAAa,EAAE,MAAM,GAAG,IAAI,CAAA;IAC5B,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAA;IAE1C,2BAA2B;IAC3B,SAAS,IAAI,MAAM,EAAE;IAMrB,0CAA0C;IAC1C,SAAS,IAAI,OAAO;IAIpB,6BAA6B;IAC7B,MAAM,IAAI,OAAO;CAGlB"}

package/dist/models/AuthCode.js

@@ -0,0 +1,21 @@
+import { Model } from '@rudderjs/orm';
+export class AuthCode extends Model {
+    static table = 'oauth_auth_codes';
+    static fillable = ['userId', 'clientId', 'scopes', 'revoked', 'expiresAt', 'codeChallenge', 'codeChallengeMethod'];
+    /** Parsed scopes array. */
+    getScopes() {
+        const raw = this['scopes'];
+        if (typeof raw === 'string')
+            return JSON.parse(raw);
+        return raw ?? [];
+    }
+    /** Whether this auth code has expired. */
+    isExpired() {
+        return new Date(this.expiresAt).getTime() <= Date.now();
+    }
+    /** Whether PKCE was used. */
+    isPkce() {
+        return this.codeChallenge !== null;
+    }
+}
+//# sourceMappingURL=AuthCode.js.map

package/dist/models/AuthCode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthCode.js","sourceRoot":"","sources":["../../src/models/AuthCode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AAErC,MAAM,OAAO,QAAS,SAAQ,KAAK;IACjC,MAAM,CAAU,KAAK,GAAG,kBAAkB,CAAA;IAE1C,MAAM,CAAU,QAAQ,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,EAAE,qBAAqB,CAAC,CAAA;IAS3H,2BAA2B;IAC3B,SAAS;QACP,MAAM,GAAG,GAAI,IAA2C,CAAC,QAAQ,CAAC,CAAA;QAClE,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAA;QAC/D,OAAQ,GAAgB,IAAI,EAAE,CAAA;IAChC,CAAC;IAED,0CAA0C;IAC1C,SAAS;QACP,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAA;IACzD,CAAC;IAED,6BAA6B;IAC7B,MAAM;QACJ,OAAO,IAAI,CAAC,aAAa,KAAK,IAAI,CAAA;IACpC,CAAC"}

package/dist/models/DeviceCode.d.ts

@@ -0,0 +1,23 @@
+import { Model } from '@rudderjs/orm';
+export declare class DeviceCode extends Model {
+    static table: string;
+    static fillable: string[];
+    clientId: string;
+    userCode: string;
+    deviceCode: string;
+    userId: string | null;
+    approved: boolean | null;
+    expiresAt: Date;
+    lastPolledAt: Date | null;
+    /** Parsed scopes array. */
+    getScopes(): string[];
+    /** Whether this device code has expired. */
+    isExpired(): boolean;
+    /** Whether the user has approved this device. */
+    isApproved(): boolean;
+    /** Whether the user has denied this device. */
+    isDenied(): boolean;
+    /** Whether the user hasn't responded yet. */
+    isPending(): boolean;
+}
+//# sourceMappingURL=DeviceCode.d.ts.map

package/dist/models/DeviceCode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"DeviceCode.d.ts","sourceRoot":"","sources":["../../src/models/DeviceCode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AAErC,qBAAa,UAAW,SAAQ,KAAK;IACnC,OAAgB,KAAK,SAAuB;IAE5C,OAAgB,QAAQ,WAAsG;IAEtH,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;IACrB,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAA;IACxB,SAAS,EAAE,IAAI,CAAA;IACf,YAAY,EAAE,IAAI,GAAG,IAAI,CAAA;IAEjC,2BAA2B;IAC3B,SAAS,IAAI,MAAM,EAAE;IAMrB,4CAA4C;IAC5C,SAAS,IAAI,OAAO;IAIpB,iDAAiD;IACjD,UAAU,IAAI,OAAO;IAIrB,+CAA+C;IAC/C,QAAQ,IAAI,OAAO;IAInB,6CAA6C;IAC7C,SAAS,IAAI,OAAO;CAGrB"}

package/dist/models/DeviceCode.js

@@ -0,0 +1,29 @@
+import { Model } from '@rudderjs/orm';
+export class DeviceCode extends Model {
+    static table = 'oauth_device_codes';
+    static fillable = ['clientId', 'userCode', 'deviceCode', 'scopes', 'userId', 'approved', 'expiresAt', 'lastPolledAt'];
+    /** Parsed scopes array. */
+    getScopes() {
+        const raw = this['scopes'];
+        if (typeof raw === 'string')
+            return JSON.parse(raw);
+        return raw ?? [];
+    }
+    /** Whether this device code has expired. */
+    isExpired() {
+        return new Date(this.expiresAt).getTime() <= Date.now();
+    }
+    /** Whether the user has approved this device. */
+    isApproved() {
+        return this.approved === true;
+    }
+    /** Whether the user has denied this device. */
+    isDenied() {
+        return this.approved === false;
+    }
+    /** Whether the user hasn't responded yet. */
+    isPending() {
+        return this.approved === null;
+    }
+}
+//# sourceMappingURL=DeviceCode.js.map

package/dist/models/DeviceCode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DeviceCode.js","sourceRoot":"","sources":["../../src/models/DeviceCode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AAErC,MAAM,OAAO,UAAW,SAAQ,KAAK;IACnC,MAAM,CAAU,KAAK,GAAG,oBAAoB,CAAA;IAE5C,MAAM,CAAU,QAAQ,GAAG,CAAC,UAAU,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,CAAC,CAAA;IAU9H,2BAA2B;IAC3B,SAAS;QACP,MAAM,GAAG,GAAI,IAA2C,CAAC,QAAQ,CAAC,CAAA;QAClE,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAA;QAC/D,OAAQ,GAAgB,IAAI,EAAE,CAAA;IAChC,CAAC;IAED,4CAA4C;IAC5C,SAAS;QACP,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAA;IACzD,CAAC;IAED,iDAAiD;IACjD,UAAU;QACR,OAAO,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAA;IAC/B,CAAC;IAED,+CAA+C;IAC/C,QAAQ;QACN,OAAO,IAAI,CAAC,QAAQ,KAAK,KAAK,CAAA;IAChC,CAAC;IAED,6CAA6C;IAC7C,SAAS;QACP,OAAO,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAA;IAC/B,CAAC"}

package/dist/models/OAuthClient.d.ts

@@ -0,0 +1,22 @@
+import { Model } from '@rudderjs/orm';
+export declare class OAuthClient extends Model {
+    static table: string;
+    static fillable: string[];
+    secret: string | null;
+    name: string;
+    confidential: boolean;
+    revoked: boolean;
+    /** Parsed redirect URIs. */
+    getRedirectUris(): string[];
+    /** Parsed grant types. */
+    getGrantTypes(): string[];
+    /** Parsed scopes. */
+    getScopes(): string[];
+    /** Check if client supports a specific grant type. */
+    hasGrantType(type: string): boolean;
+    /** Check if a redirect URI is registered for this client. */
+    hasRedirectUri(uri: string): boolean;
+    /** Whether this is a first-party (non-confidential / PKCE) client. */
+    isPublic(): boolean;
+}
+//# sourceMappingURL=OAuthClient.d.ts.map

package/dist/models/OAuthClient.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OAuthClient.d.ts","sourceRoot":"","sources":["../../src/models/OAuthClient.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAU,MAAM,eAAe,CAAA;AAE7C,qBAAa,WAAY,SAAQ,KAAK;IACpC,OAAgB,KAAK,SAAkB;IAEvC,OAAgB,QAAQ,WAA6E;IAG7F,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;IAErB,IAAI,EAAE,MAAM,CAAA;IACZ,YAAY,EAAE,OAAO,CAAA;IACrB,OAAO,EAAE,OAAO,CAAA;IAExB,4BAA4B;IAC5B,eAAe,IAAI,MAAM,EAAE;IAM3B,0BAA0B;IAC1B,aAAa,IAAI,MAAM,EAAE;IAMzB,qBAAqB;IACrB,SAAS,IAAI,MAAM,EAAE;IAMrB,sDAAsD;IACtD,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAInC,6DAA6D;IAC7D,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAIpC,sEAAsE;IACtE,QAAQ,IAAI,OAAO;CAGpB"}

package/dist/models/OAuthClient.js

@@ -0,0 +1,52 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Model, Hidden } from '@rudderjs/orm';
+export class OAuthClient extends Model {
+    static table = 'oauth_clients';
+    static fillable = ['name', 'secret', 'redirectUris', 'grantTypes', 'scopes', 'confidential'];
+    /** Parsed redirect URIs. */
+    getRedirectUris() {
+        const raw = this['redirectUris'];
+        if (typeof raw === 'string')
+            return JSON.parse(raw);
+        return raw ?? [];
+    }
+    /** Parsed grant types. */
+    getGrantTypes() {
+        const raw = this['grantTypes'];
+        if (typeof raw === 'string')
+            return JSON.parse(raw);
+        return raw ?? [];
+    }
+    /** Parsed scopes. */
+    getScopes() {
+        const raw = this['scopes'];
+        if (typeof raw === 'string')
+            return JSON.parse(raw);
+        return raw ?? [];
+    }
+    /** Check if client supports a specific grant type. */
+    hasGrantType(type) {
+        return this.getGrantTypes().includes(type);
+    }
+    /** Check if a redirect URI is registered for this client. */
+    hasRedirectUri(uri) {
+        return this.getRedirectUris().includes(uri);
+    }
+    /** Whether this is a first-party (non-confidential / PKCE) client. */
+    isPublic() {
+        return !this.confidential;
+    }
+}
+__decorate([
+    Hidden,
+    __metadata("design:type", Object)
+], OAuthClient.prototype, "secret", void 0);
+//# sourceMappingURL=OAuthClient.js.map

package/dist/models/OAuthClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OAuthClient.js","sourceRoot":"","sources":["../../src/models/OAuthClient.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,eAAe,CAAA;AAE7C,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC,MAAM,CAAU,KAAK,GAAG,eAAe,CAAA;IAEvC,MAAM,CAAU,QAAQ,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,YAAY,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;IASrG,4BAA4B;IAC5B,eAAe;QACb,MAAM,GAAG,GAAI,IAA2C,CAAC,cAAc,CAAC,CAAA;QACxE,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAA;QAC/D,OAAQ,GAAgB,IAAI,EAAE,CAAA;IAChC,CAAC;IAED,0BAA0B;IAC1B,aAAa;QACX,MAAM,GAAG,GAAI,IAA2C,CAAC,YAAY,CAAC,CAAA;QACtE,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAA;QAC/D,OAAQ,GAAgB,IAAI,EAAE,CAAA;IAChC,CAAC;IAED,qBAAqB;IACrB,SAAS;QACP,MAAM,GAAG,GAAI,IAA2C,CAAC,QAAQ,CAAC,CAAA;QAClE,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAA;QAC/D,OAAQ,GAAgB,IAAI,EAAE,CAAA;IAChC,CAAC;IAED,sDAAsD;IACtD,YAAY,CAAC,IAAY;QACvB,OAAO,IAAI,CAAC,aAAa,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAA;IAC5C,CAAC;IAED,6DAA6D;IAC7D,cAAc,CAAC,GAAW;QACxB,OAAO,IAAI,CAAC,eAAe,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;IAC7C,CAAC;IAED,sEAAsE;IACtE,QAAQ;QACN,OAAO,CAAC,IAAI,CAAC,YAAY,CAAA;IAC3B,CAAC;;AAxCO;IADP,MAAM;;2CACsB"}

package/dist/models/RefreshToken.d.ts

@@ -0,0 +1,13 @@
+import { Model } from '@rudderjs/orm';
+export declare class RefreshToken extends Model {
+    static table: string;
+    static fillable: string[];
+    accessTokenId: string;
+    revoked: boolean;
+    expiresAt: Date;
+    /** Revoke this refresh token. */
+    revoke(): Promise<void>;
+    /** Whether this token has expired. */
+    isExpired(): boolean;
+}
+//# sourceMappingURL=RefreshToken.d.ts.map

package/dist/models/RefreshToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RefreshToken.d.ts","sourceRoot":"","sources":["../../src/models/RefreshToken.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AAErC,qBAAa,YAAa,SAAQ,KAAK;IACrC,OAAgB,KAAK,SAAyB;IAE9C,OAAgB,QAAQ,WAA4C;IAE5D,aAAa,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,IAAI,CAAA;IAEvB,iCAAiC;IAC3B,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAK7B,sCAAsC;IACtC,SAAS,IAAI,OAAO;CAGrB"}

package/dist/models/RefreshToken.js

@@ -0,0 +1,15 @@
+import { Model } from '@rudderjs/orm';
+export class RefreshToken extends Model {
+    static table = 'oauth_refresh_tokens';
+    static fillable = ['accessTokenId', 'revoked', 'expiresAt'];
+    /** Revoke this refresh token. */
+    async revoke() {
+        this.revoked = true;
+        await this.constructor.update(this.id, { revoked: true });
+    }
+    /** Whether this token has expired. */
+    isExpired() {
+        return new Date(this.expiresAt).getTime() <= Date.now();
+    }
+}
+//# sourceMappingURL=RefreshToken.js.map

package/dist/models/RefreshToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RefreshToken.js","sourceRoot":"","sources":["../../src/models/RefreshToken.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AAErC,MAAM,OAAO,YAAa,SAAQ,KAAK;IACrC,MAAM,CAAU,KAAK,GAAG,sBAAsB,CAAA;IAE9C,MAAM,CAAU,QAAQ,GAAG,CAAC,eAAe,EAAE,SAAS,EAAE,WAAW,CAAC,CAAA;IAMpE,iCAAiC;IACjC,KAAK,CAAC,MAAM;QACV,IAAI,CAAC,OAAO,GAAG,IAAI,CAAA;QACnB,MAAO,IAAI,CAAC,WAAmC,CAAC,MAAM,CAAE,IAAY,CAAC,EAAY,EAAE,EAAE,OAAO,EAAE,IAAI,EAAS,CAAC,CAAA;IAC9G,CAAC;IAED,sCAAsC;IACtC,SAAS;QACP,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAA;IACzD,CAAC"}

package/dist/token.d.ts

@@ -0,0 +1,40 @@
+export interface JwtHeader {
+    alg: 'RS256';
+    typ: 'JWT';
+}
+export interface JwtPayload {
+    /** Token ID */
+    jti: string;
+    /** Subject — user ID (null for client credentials) */
+    sub: string | null;
+    /** Audience — client ID */
+    aud: string;
+    /** Issued at (seconds) */
+    iat: number;
+    /** Expiration (seconds) */
+    exp: number;
+    /** Scopes */
+    scopes: string[];
+}
+/**
+ * Create a signed JWT using RSA-SHA256.
+ * Uses the private key from Passport configuration.
+ */
+export declare function createToken(payload: {
+    tokenId: string;
+    userId: string | null;
+    clientId: string;
+    scopes: string[];
+    expiresAt: Date;
+}): Promise<string>;
+/**
+ * Verify and decode a JWT using RSA-SHA256.
+ * Returns the payload if valid, throws if invalid.
+ */
+export declare function verifyToken(jwt: string): Promise<JwtPayload>;
+/**
+ * Decode a JWT payload without verifying the signature.
+ * Useful for reading token metadata (e.g., jti for revocation check).
+ */
+export declare function decodeToken(jwt: string): JwtPayload;
+//# sourceMappingURL=token.d.ts.map

package/dist/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../src/token.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,OAAO,CAAA;IACZ,GAAG,EAAE,KAAK,CAAA;CACX;AAED,MAAM,WAAW,UAAU;IACzB,eAAe;IACf,GAAG,EAAM,MAAM,CAAA;IACf,sDAAsD;IACtD,GAAG,EAAM,MAAM,GAAG,IAAI,CAAA;IACtB,2BAA2B;IAC3B,GAAG,EAAM,MAAM,CAAA;IACf,0BAA0B;IAC1B,GAAG,EAAM,MAAM,CAAA;IACf,2BAA2B;IAC3B,GAAG,EAAM,MAAM,CAAA;IACf,aAAa;IACb,MAAM,EAAG,MAAM,EAAE,CAAA;CAClB;AAeD;;;GAGG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE;IACzC,OAAO,EAAG,MAAM,CAAA;IAChB,MAAM,EAAI,MAAM,GAAG,IAAI,CAAA;IACvB,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAI,MAAM,EAAE,CAAA;IAClB,SAAS,EAAE,IAAI,CAAA;CAChB,GAAG,OAAO,CAAC,MAAM,CAAC,CA2BlB;AAID;;;GAGG;AACH,wBAAsB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CA+BlE;AAID;;;GAGG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAMnD"}

package/dist/token.js

@@ -0,0 +1,80 @@
+import { Passport } from './Passport.js';
+// ─── Helpers ──────────────────────────────────────────────
+function base64url(data) {
+    const buf = typeof data === 'string' ? Buffer.from(data, 'utf8') : data;
+    return buf.toString('base64url');
+}
+function base64urlDecode(str) {
+    return Buffer.from(str, 'base64url').toString('utf8');
+}
+// ─── Create JWT ───────────────────────────────────────────
+/**
+ * Create a signed JWT using RSA-SHA256.
+ * Uses the private key from Passport configuration.
+ */
+export async function createToken(payload) {
+    const { createSign } = await import('node:crypto');
+    const { privateKey } = await Passport.keys();
+    const header = { alg: 'RS256', typ: 'JWT' };
+    const now = Math.floor(Date.now() / 1000);
+    const jwtPayload = {
+        jti: payload.tokenId,
+        sub: payload.userId,
+        aud: payload.clientId,
+        iat: now,
+        exp: Math.floor(payload.expiresAt.getTime() / 1000),
+        scopes: payload.scopes,
+    };
+    const segments = [
+        base64url(JSON.stringify(header)),
+        base64url(JSON.stringify(jwtPayload)),
+    ];
+    const signingInput = segments.join('.');
+    const sign = createSign('RSA-SHA256');
+    sign.update(signingInput);
+    const signature = sign.sign(privateKey, 'base64url');
+    return `${signingInput}.${signature}`;
+}
+// ─── Verify JWT ───────────────────────────────────────────
+/**
+ * Verify and decode a JWT using RSA-SHA256.
+ * Returns the payload if valid, throws if invalid.
+ */
+export async function verifyToken(jwt) {
+    const { createVerify } = await import('node:crypto');
+    const { publicKey } = await Passport.keys();
+    const parts = jwt.split('.');
+    if (parts.length !== 3) {
+        throw new Error('Invalid JWT: expected 3 segments');
+    }
+    const [headerB64, payloadB64, signatureB64] = parts;
+    // Verify signature
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const verify = createVerify('RSA-SHA256');
+    verify.update(signingInput);
+    const valid = verify.verify(publicKey, signatureB64, 'base64url');
+    if (!valid) {
+        throw new Error('Invalid JWT: signature verification failed');
+    }
+    // Decode payload
+    const payload = JSON.parse(base64urlDecode(payloadB64));
+    // Check expiration
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp <= now) {
+        throw new Error('Invalid JWT: token has expired');
+    }
+    return payload;
+}
+// ─── Decode without verification (for inspection) ─────────
+/**
+ * Decode a JWT payload without verifying the signature.
+ * Useful for reading token metadata (e.g., jti for revocation check).
+ */
+export function decodeToken(jwt) {
+    const parts = jwt.split('.');
+    if (parts.length !== 3) {
+        throw new Error('Invalid JWT: expected 3 segments');
+    }
+    return JSON.parse(base64urlDecode(parts[1]));
+}
+//# sourceMappingURL=token.js.map

package/dist/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../src/token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AAwBxC,6DAA6D;AAE7D,SAAS,SAAS,CAAC,IAAqB;IACtC,MAAM,GAAG,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACvE,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AAClC,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;AACvD,CAAC;AAED,6DAA6D;AAE7D;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAMjC;IACC,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;IAClD,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAE5C,MAAM,MAAM,GAAc,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAA;IAEtD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IACzC,MAAM,UAAU,GAAe;QAC7B,GAAG,EAAK,OAAO,CAAC,OAAO;QACvB,GAAG,EAAK,OAAO,CAAC,MAAM;QACtB,GAAG,EAAK,OAAO,CAAC,QAAQ;QACxB,GAAG,EAAK,GAAG;QACX,GAAG,EAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC;QACtD,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAA;IAED,MAAM,QAAQ,GAAG;QACf,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACjC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;KACtC,CAAA;IAED,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACvC,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAA;IACrC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IACzB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAA;IAEpD,OAAO,GAAG,YAAY,IAAI,SAAS,EAAE,CAAA;AACvC,CAAC;AAED,6DAA6D;AAE7D;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,GAAW;IAC3C,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;IACpD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAE3C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAA;IACrD,CAAC;IAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAiC,CAAA;IAE/E,mBAAmB;IACnB,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAA;IACjD,MAAM,MAAM,GAAG,YAAY,CAAC,YAAY,CAAC,CAAA;IACzC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,EAAE,WAAW,CAAC,CAAA;IAEjE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAA;IAC/D,CAAC;IAED,iBAAiB;IACjB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,CAAe,CAAA;IAErE,mBAAmB;IACnB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IACzC,IAAI,OAAO,CAAC,GAAG,IAAI,GAAG,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,6DAA6D;AAE7D;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAA;IACrD,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAe,CAAA;AAC7D,CAAC"}

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@rudderjs/passport",
+  "version": "0.0.1",
+  "rudderjs": {
+    "provider": "PassportProvider",
+    "stage": "infrastructure",
+    "depends": [
+      "@rudderjs/auth",
+      "@rudderjs/orm-prisma"
+    ]
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/rudderjs/rudder",
+    "directory": "packages/passport"
+  },
+  "type": "module",
+  "files": [
+    "dist",
+    "schema"
+  ],
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "dependencies": {
+    "@rudderjs/core": "0.0.8",
+    "@rudderjs/contracts": "0.0.3",
+    "@rudderjs/orm": "0.0.6"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typescript": "^5.4.0",
+    "tsx": "^4.0.0",
+    "@rudderjs/rudder": "0.0.2"
+  },
+  "author": "Suleiman Shahbari",
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "dev": "tsc -p tsconfig.build.json --watch",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint src",
+    "clean": "rm -rf dist",
+    "test": "tsc -p tsconfig.test.json && node --test dist-test/index.test.js; EXIT=$?; rm -rf dist-test; exit $EXIT"
+  }
+}

package/schema/passport.prisma

@@ -0,0 +1,75 @@
+model OAuthClient {
+  id            String   @id @default(cuid())
+  name          String
+  secret        String?
+  redirectUris  String   @default("[]")
+  grantTypes    String   @default("[\"authorization_code\"]")
+  scopes        String   @default("[]")
+  confidential  Boolean  @default(true)
+  revoked       Boolean  @default(false)
+  createdAt     DateTime @default(now())
+  updatedAt     DateTime @updatedAt
+
+  accessTokens  OAuthAccessToken[]
+  authCodes     OAuthAuthCode[]
+
+  @@map("oauth_clients")
+}
+
+model OAuthAccessToken {
+  id        String    @id @default(cuid())
+  userId    String?
+  clientId  String
+  name      String?
+  scopes    String    @default("[]")
+  revoked   Boolean   @default(false)
+  expiresAt DateTime
+  createdAt DateTime  @default(now())
+
+  client       OAuthClient        @relation(fields: [clientId], references: [id], onDelete: Cascade)
+  refreshToken OAuthRefreshToken?
+
+  @@index([userId])
+  @@map("oauth_access_tokens")
+}
+
+model OAuthRefreshToken {
+  id            String   @id @default(cuid())
+  accessTokenId String   @unique
+  revoked       Boolean  @default(false)
+  expiresAt     DateTime
+
+  accessToken OAuthAccessToken @relation(fields: [accessTokenId], references: [id], onDelete: Cascade)
+
+  @@map("oauth_refresh_tokens")
+}
+
+model OAuthAuthCode {
+  id                String   @id @default(cuid())
+  userId            String
+  clientId          String
+  scopes            String   @default("[]")
+  revoked           Boolean  @default(false)
+  expiresAt         DateTime
+  codeChallenge     String?
+  codeChallengeMethod String?
+
+  client OAuthClient @relation(fields: [clientId], references: [id], onDelete: Cascade)
+
+  @@map("oauth_auth_codes")
+}
+
+model OAuthDeviceCode {
+  id             String    @id @default(cuid())
+  clientId       String
+  userCode       String    @unique
+  deviceCode     String    @unique
+  scopes         String    @default("[]")
+  userId         String?
+  approved       Boolean?
+  expiresAt      DateTime
+  lastPolledAt   DateTime?
+  createdAt      DateTime  @default(now())
+
+  @@map("oauth_device_codes")
+}