@rudderjs/passport 1.0.0 → 1.1.0

package/dist/index.js

@@ -1,23 +1,26 @@
 import { ServiceProvider, config } from '@rudderjs/core';
 // ─── Re-exports ───────────────────────────────────────────
 export { Passport } from './Passport.js';
-export { createToken, verifyToken, decodeToken } from './token.js';
+export { createToken, verifyToken, unsafeDecodeToken, decodeToken } from './token.js';
 export { OAuthClient } from './models/OAuthClient.js';
 export { AccessToken } from './models/AccessToken.js';
 export { RefreshToken } from './models/RefreshToken.js';
 export { AuthCode } from './models/AuthCode.js';
 export { DeviceCode } from './models/DeviceCode.js';
 export { BearerMiddleware, RequireBearer } from './middleware/bearer.js';
-export { scope } from './middleware/scope.js';
+export { scope, scopeAny } from './middleware/scope.js';
 export { generateKeys } from './commands/keys.js';
-export { createClient } from './commands/client.js';
+export { createClient, resolveClientGrantTypes } from './commands/client.js';
 export { purgeTokens } from './commands/purge.js';
+export { hashClientSecret, verifyClientSecret } from './client-secret.js';
+export { hashDeviceSecret } from './device-code-secret.js';
+export { hashOpaqueToken, newOpaqueToken } from './opaque-token.js';
 // Grants
-export { issueTokens, validateAuthorizationRequest, issueAuthCode, exchangeAuthCode, OAuthError, clientCredentialsGrant, refreshTokenGrant, requestDeviceCode, approveDeviceCode, pollDeviceCode, } from './grants/index.js';
+export { issueTokens, validateAuthorizationRequest, issueAuthCode, exchangeAuthCode, validateScopes, OAuthError, clientCredentialsGrant, refreshTokenGrant, requestDeviceCode, approveDeviceCode, pollDeviceCode, } from './grants/index.js';
 // Personal access tokens
 export { HasApiTokens, resetPersonalAccessClient } from './personal-access-tokens.js';
 // Routes
-export { registerPassportRoutes } from './routes.js';
+export { registerPassportRoutes, registerPassportWebRoutes, registerPassportApiRoutes } from './routes.js';
 // ─── Service Provider ─────────────────────────────────────
 export class PassportProvider extends ServiceProvider {
     register() { }
@@ -31,6 +34,15 @@ export class PassportProvider extends ServiceProvider {
         else if (cfg.keyPath) {
             Passport.loadKeysFrom(cfg.keyPath);
         }
+        // Surface a startup warning when no keys are reachable — env vars
+        // unset AND no keypair on disk under the configured path. Without this,
+        // the first `/oauth/*` request fails deep inside `Passport.keys()` with
+        // a generic ENOENT that doesn't point at the missing-bootstrap-step.
+        if (!(await Passport.keysAvailable())) {
+            console.warn(`[@rudderjs/passport] No RSA keypair found at "${Passport.keyPath()}/oauth-{private,public}.key" ` +
+                `and no PASSPORT_PRIVATE_KEY / PASSPORT_PUBLIC_KEY env vars set. ` +
+                `Run \`rudder passport:keys\` to generate one — token issuance and verification will fail until keys are present.`);
+        }
         // Configure lifetimes
         if (cfg.tokensExpireIn)
             Passport.tokensExpireIn(cfg.tokensExpireIn);
@@ -41,64 +53,111 @@ export class PassportProvider extends ServiceProvider {
         // Configure scopes
         if (cfg.scopes)
             Passport.tokensCan(cfg.scopes);
+        // Configure issuer (P7) — see PassportConfig.issuer jsdoc.
+        if (cfg.issuer)
+            Passport.useIssuer(cfg.issuer);
+        // Device-flow polling cap — see PassportConfig.deviceMaxInterval jsdoc.
+        if (cfg.deviceMaxInterval !== undefined)
+            Passport.deviceMaxInterval(cfg.deviceMaxInterval);
         this.app.instance('passport', Passport);
-        // Register CLI commands
-        try {
-            const { rudder } = await import('@rudderjs/core');
-            rudder.command('passport:keys', async (args) => {
-                const force = args.includes('--force');
-                const { generateKeys } = await import('./commands/keys.js');
-                const { privatePath, publicPath } = await generateKeys({ force });
-                console.log(`  RSA keys generated:`);
-                console.log(`    Private: ${privatePath}`);
-                console.log(`    Public:  ${publicPath}`);
-            }).description('Generate RSA encryption keys for OAuth tokens');
-            rudder.command('passport:client', async (args) => {
-                const name = args[0] ?? 'My App';
-                const isPublic = args.includes('--public');
-                const isDevice = args.includes('--device');
-                const isPersonal = args.includes('--personal');
-                const isM2M = args.includes('--client-credentials');
-                const grantTypes = isDevice
-                    ? ['urn:ietf:params:oauth:grant-type:device_code']
-                    : isPersonal
-                        ? ['personal_access']
-                        : isM2M
-                            ? ['client_credentials']
-                            : ['authorization_code', 'refresh_token'];
-                const { createClient } = await import('./commands/client.js');
-                const { client, secret } = await createClient({
-                    name,
-                    confidential: !isPublic && !isDevice,
-                    grantTypes,
-                });
-                console.log(`  OAuth client created:`);
-                console.log(`    Client ID: ${client.id}`);
-                console.log(`    Name:      ${client.name}`);
-                if (secret) {
-                    console.log(`    Secret:    ${secret}`);
-                    console.log(`    (Store this secret — it won't be shown again.)`);
+        // Register the four token models with the ORM ModelRegistry so the
+        // `model:prune` scheduler picks up their `static prunable()` definitions
+        // on day-1 fresh apps — without this, the registry only learns about
+        // the models lazily on the first oauth flow that hits them, so a fresh
+        // install running `model:prune` before any client/token activity would
+        // silently skip passport rows. Resolves through the `Passport.*Model()`
+        // accessors so app-level model overrides (`Passport.useTokenModel(...)`)
+        // are respected.
+        const { ModelRegistry } = await import('@rudderjs/orm');
+        ModelRegistry.register(await Passport.clientModel());
+        ModelRegistry.register(await Passport.tokenModel());
+        ModelRegistry.register(await Passport.refreshTokenModel());
+        ModelRegistry.register(await Passport.authCodeModel());
+        ModelRegistry.register(await Passport.deviceCodeModel());
+        // Register CLI commands. `@rudderjs/core` (which re-exports `rudder`)
+        // and `@rudderjs/console` (which exports `registerMakeSpecs`) are both
+        // hard deps via the `@rudderjs/core` → `@rudderjs/console` dependency
+        // chain, so the dynamic imports are guaranteed to resolve. We do NOT
+        // wrap registration in a catch-all — duplicate-registration bugs after
+        // HMR or stub-validation errors should surface, not get swallowed
+        // under a misleading "rudder not available" comment.
+        const { rudder } = await import('@rudderjs/core');
+        rudder.command('passport:keys', async (args) => {
+            const force = args.includes('--force');
+            const { generateKeys } = await import('./commands/keys.js');
+            const { privatePath, publicPath, backup, previousPublicPath } = await generateKeys({ force });
+            console.log(`  RSA keys generated:`);
+            console.log(`    Private: ${privatePath}`);
+            console.log(`    Public:  ${publicPath}`);
+            if (backup) {
+                console.log(`  Previous keys backed up to:`);
+                console.log(`    Private: ${backup.privatePath}`);
+                console.log(`    Public:  ${backup.publicPath}`);
+                if (previousPublicPath) {
+                    console.log(`  Previous public key retained for grace verification at:`);
+                    console.log(`    ${previousPublicPath}`);
+                    console.log(`  JWTs signed by the old key continue verifying until they expire.`);
+                    console.log(`  Delete this file once the old tokens have expired to drop the grace window.`);
                 }
-            }).description('Create a new OAuth client');
-            rudder.command('passport:purge', async () => {
-                const { purgeTokens } = await import('./commands/purge.js');
-                const counts = await purgeTokens();
-                const total = counts.accessTokens + counts.refreshTokens + counts.authCodes + counts.deviceCodes;
-                console.log(`  Purged ${total} expired/revoked record(s):`);
-                console.log(`    Access tokens:  ${counts.accessTokens}`);
-                console.log(`    Refresh tokens: ${counts.refreshTokens}`);
-                console.log(`    Auth codes:     ${counts.authCodes}`);
-                console.log(`    Device codes:   ${counts.deviceCodes}`);
-            }).description('Remove expired tokens and auth codes');
-            // Register make:* scaffolder for passport
-            try {
-                const { registerMakeSpecs } = await import('@rudderjs/console');
-                registerMakeSpecs({
-                    command: 'make:passport-client',
-                    description: 'Create a new OAuth client seeder',
-                    label: 'Passport client seeder created',
-                    directory: 'app/Seeders',
-                    stub: (className) => `import { createClient } from '@rudderjs/passport'
+            }
+        }).description('Generate RSA encryption keys for OAuth tokens');
+        rudder.command('passport:client', async (args) => {
+            const name = args[0] ?? 'My App';
+            const isPublic = args.includes('--public');
+            const isDevice = args.includes('--device');
+            const isPersonal = args.includes('--personal');
+            const isM2M = args.includes('--client-credentials');
+            // `--personal` previously created an OAuth client with `personal_access`
+            // as the only grant type — but `personal_access` is not an HTTP grant
+            // (`/oauth/token` rejects it), and personal access tokens go through
+            // `HasApiTokens.createToken()` which auto-manages an internal
+            // `__personal_access__` client. So the row a user got from
+            // `passport:client --personal` was an orphan — present in the DB,
+            // never reachable through any flow. Print a hint instead of creating
+            // it; this is a CLI ergonomics fix, no user-data migration needed.
+            if (isPersonal) {
+                console.log('Personal access tokens don\'t need a hand-rolled OAuth client.');
+                console.log('They\'re minted by HasApiTokens.createToken() against an auto-managed');
+                console.log('internal client; mix `HasApiTokens` into your User model and call:');
+                console.log('');
+                console.log('  const { plainTextToken } = await user.createToken(\'cli\', [\'read\'])');
+                console.log('');
+                console.log('See packages/passport/CLAUDE.md for the full setup.');
+                return;
+            }
+            const { createClient, resolveClientGrantTypes } = await import('./commands/client.js');
+            const grantTypes = resolveClientGrantTypes({ isDevice, isM2M });
+            const { client, secret } = await createClient({
+                name,
+                confidential: !isPublic && !isDevice,
+                grantTypes,
+            });
+            console.log(`  OAuth client created:`);
+            console.log(`    Client ID: ${client.id}`);
+            console.log(`    Name:      ${client.name}`);
+            if (secret) {
+                console.log(`    Secret:    ${secret}`);
+                console.log(`    (Store this secret — it won't be shown again.)`);
+            }
+        }).description('Create a new OAuth client');
+        rudder.command('passport:purge', async () => {
+            const { purgeTokens } = await import('./commands/purge.js');
+            const counts = await purgeTokens();
+            const total = counts.accessTokens + counts.refreshTokens + counts.authCodes + counts.deviceCodes;
+            console.log(`  Purged ${total} expired/revoked record(s):`);
+            console.log(`    Access tokens:  ${counts.accessTokens}`);
+            console.log(`    Refresh tokens: ${counts.refreshTokens}`);
+            console.log(`    Auth codes:     ${counts.authCodes}`);
+            console.log(`    Device codes:   ${counts.deviceCodes}`);
+        }).description('Remove expired tokens and auth codes');
+        // Register make:* scaffolder for passport
+        const { registerMakeSpecs } = await import('@rudderjs/console');
+        registerMakeSpecs({
+            command: 'make:passport-client',
+            description: 'Create a new OAuth client seeder',
+            label: 'Passport client seeder created',
+            directory: 'app/Seeders',
+            stub: (className) => `import { createClient } from '@rudderjs/passport'
 
 export async function ${className.replace(/Seeder$/, '').toLowerCase()}Clients(): Promise<void> {
   // Create a confidential client (server-side apps)
@@ -107,15 +166,11 @@ export async function ${className.replace(/Seeder$/, '').toLowerCase()}Clients()
     redirectUri: 'http://localhost:3000/callback',
     grantTypes: ['authorization_code', 'refresh_token'],
   })
-  console.log('Client ID:', (client as any).id)
+  console.log('Client ID:', client.id)
   console.log('Secret:', secret)
 }
 `,
-                });
-            }
-            catch { /* rudder not available */ }
-        }
-        catch { /* rudder not available */ }
+        });
     }
 }
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AAExD,6DAA6D;AAE7D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AAGxC,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAGlE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAA;AAEnD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AACxE,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAA;AAE7C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AAEnD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAA;AAEjD,SAAS;AACT,OAAO,EACL,WAAW,EACX,4BAA4B,EAC5B,aAAa,EACb,gBAAgB,EAChB,UAAU,EACV,sBAAsB,EACtB,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,GACf,MAAM,mBAAmB,CAAA;AAY1B,yBAAyB;AACzB,OAAO,EAAE,YAAY,EAAE,yBAAyB,EAAE,MAAM,6BAA6B,CAAA;AAGrF,SAAS;AACT,OAAO,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAA;AAqBpD,6DAA6D;AAE7D,MAAM,OAAO,gBAAiB,SAAQ,eAAe;IACnD,QAAQ,KAAU,CAAC;IAEnB,KAAK,CAAC,IAAI;QACR,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAA;QAElD,MAAM,GAAG,GAAG,MAAM,CAAiB,UAAU,CAAC,CAAA;QAE9C,iBAAiB;QACjB,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YACpC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,SAAS,CAAC,CAAA;QACjD,CAAC;aAAM,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;YACvB,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACpC,CAAC;QAED,sBAAsB;QACtB,IAAI,GAAG,CAAC,cAAc;YAAE,QAAQ,CAAC,cAAc,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;QACnE,IAAI,GAAG,CAAC,qBAAqB;YAAE,QAAQ,CAAC,qBAAqB,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAA;QACxF,IAAI,GAAG,CAAC,4BAA4B;YAAE,QAAQ,CAAC,4BAA4B,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAA;QAE7G,mBAAmB;QACnB,IAAI,GAAG,CAAC,MAAM;YAAE,QAAQ,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAE9C,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;QAEvC,wBAAwB;QACxB,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAA;YAEjD,MAAM,CAAC,OAAO,CAAC,eAAe,EAAE,KAAK,EAAE,IAAc,EAAE,EAAE;gBACvD,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;gBACtC,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAA;gBAC3D,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,CAAC,EAAE,KAAK,EAAE,CAAC,CAAA;gBACjE,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;gBACpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,WAAW,EAAE,CAAC,CAAA;gBAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,UAAU,EAAE,CAAC,CAAA;YAC3C,CAAC,CAAC,CAAC,WAAW,CAAC,+CAA+C,CAAC,CAAA;YAE/D,MAAM,CAAC,OAAO,CAAC,iBAAiB,EAAE,KAAK,EAAE,IAAc,EAAE,EAAE;gBACzD,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAA;gBAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;gBAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;gBAC1C,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;gBAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;gBAEnD,MAAM,UAAU,GAAG,QAAQ;oBACzB,CAAC,CAAC,CAAC,8CAA8C,CAAC;oBAClD,CAAC,CAAC,UAAU;wBACV,CAAC,CAAC,CAAC,iBAAiB,CAAC;wBACrB,CAAC,CAAC,KAAK;4BACL,CAAC,CAAC,CAAC,oBAAoB,CAAC;4BACxB,CAAC,CAAC,CAAC,oBAAoB,EAAE,eAAe,CAAC,CAAA;gBAE/C,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAA;gBAC7D,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,YAAY,CAAC;oBAC5C,IAAI;oBACJ,YAAY,EAAE,CAAC,QAAQ,IAAI,CAAC,QAAQ;oBACpC,UAAU;iBACX,CAAC,CAAA;gBAEF,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAA;gBACtC,OAAO,CAAC,GAAG,CAAC,kBAAmB,MAAc,CAAC,EAAE,EAAE,CAAC,CAAA;gBACnD,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;gBAC5C,IAAI,MAAM,EAAE,CAAC;oBACX,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,EAAE,CAAC,CAAA;oBACvC,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAA;gBACnE,CAAC;YACH,CAAC,CAAC,CAAC,WAAW,CAAC,2BAA2B,CAAC,CAAA;YAE3C,MAAM,CAAC,OAAO,CAAC,gBAAgB,EAAE,KAAK,IAAI,EAAE;gBAC1C,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAA;gBAC3D,MAAM,MAAM,GAAG,MAAM,WAAW,EAAE,CAAA;gBAClC,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,GAAG,MAAM,CAAC,aAAa,GAAG,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,WAAW,CAAA;gBAChG,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,6BAA6B,CAAC,CAAA;gBAC3D,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,YAAY,EAAE,CAAC,CAAA;gBACzD,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,aAAa,EAAE,CAAC,CAAA;gBAC1D,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,SAAS,EAAE,CAAC,CAAA;gBACtD,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;YAC1D,CAAC,CAAC,CAAC,WAAW,CAAC,sCAAsC,CAAC,CAAA;YAEtD,0CAA0C;YAC1C,IAAI,CAAC;gBACH,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAA;gBAC/D,iBAAiB,CAAC;oBAChB,OAAO,EAAM,sBAAsB;oBACnC,WAAW,EAAE,kCAAkC;oBAC/C,KAAK,EAAQ,gCAAgC;oBAC7C,SAAS,EAAI,aAAa;oBAC1B,IAAI,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC;;wBAEP,SAAS,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE;;;;;;;;;;CAUrE;iBACQ,CAAC,CAAA;YACJ,CAAC;YAAC,MAAM,CAAC,CAAC,0BAA0B,CAAC,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC,CAAC,0BAA0B,CAAC,CAAC;IACxC,CAAC;CACF"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AAExD,6DAA6D;AAE7D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AAGxC,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAGrF,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAA;AAEnD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AACxE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAEvD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,YAAY,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAA;AAE5E,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAA;AACjD,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AACzE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAEnE,SAAS;AACT,OAAO,EACL,WAAW,EACX,4BAA4B,EAC5B,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,UAAU,EACV,sBAAsB,EACtB,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,GACf,MAAM,mBAAmB,CAAA;AAY1B,yBAAyB;AACzB,OAAO,EAAE,YAAY,EAAE,yBAAyB,EAAE,MAAM,6BAA6B,CAAA;AAGrF,SAAS;AACT,OAAO,EAAE,sBAAsB,EAAE,yBAAyB,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAA;AAuC1G,6DAA6D;AAE7D,MAAM,OAAO,gBAAiB,SAAQ,eAAe;IACnD,QAAQ,KAAU,CAAC;IAEnB,KAAK,CAAC,IAAI;QACR,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAA;QAElD,MAAM,GAAG,GAAG,MAAM,CAAiB,UAAU,CAAC,CAAA;QAE9C,iBAAiB;QACjB,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YACpC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,SAAS,CAAC,CAAA;QACjD,CAAC;aAAM,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;YACvB,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACpC,CAAC;QAED,kEAAkE;QAClE,wEAAwE;QACxE,wEAAwE;QACxE,qEAAqE;QACrE,IAAI,CAAC,CAAC,MAAM,QAAQ,CAAC,aAAa,EAAE,CAAC,EAAE,CAAC;YACtC,OAAO,CAAC,IAAI,CACV,iDAAiD,QAAQ,CAAC,OAAO,EAAE,+BAA+B;gBAClG,kEAAkE;gBAClE,kHAAkH,CACnH,CAAA;QACH,CAAC;QAED,sBAAsB;QACtB,IAAI,GAAG,CAAC,cAAc;YAAE,QAAQ,CAAC,cAAc,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;QACnE,IAAI,GAAG,CAAC,qBAAqB;YAAE,QAAQ,CAAC,qBAAqB,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAA;QACxF,IAAI,GAAG,CAAC,4BAA4B;YAAE,QAAQ,CAAC,4BAA4B,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAA;QAE7G,mBAAmB;QACnB,IAAI,GAAG,CAAC,MAAM;YAAE,QAAQ,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAE9C,2DAA2D;QAC3D,IAAI,GAAG,CAAC,MAAM;YAAE,QAAQ,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAE9C,wEAAwE;QACxE,IAAI,GAAG,CAAC,iBAAiB,KAAK,SAAS;YAAE,QAAQ,CAAC,iBAAiB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;QAE1F,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;QAEvC,mEAAmE;QACnE,yEAAyE;QACzE,qEAAqE;QACrE,uEAAuE;QACvE,uEAAuE;QACvE,wEAAwE;QACxE,yEAAyE;QACzE,iBAAiB;QACjB,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAA;QACvD,aAAa,CAAC,QAAQ,CAAC,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAA;QACpD,aAAa,CAAC,QAAQ,CAAC,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAA;QACnD,aAAa,CAAC,QAAQ,CAAC,MAAM,QAAQ,CAAC,iBAAiB,EAAE,CAAC,CAAA;QAC1D,aAAa,CAAC,QAAQ,CAAC,MAAM,QAAQ,CAAC,aAAa,EAAE,CAAC,CAAA;QACtD,aAAa,CAAC,QAAQ,CAAC,MAAM,QAAQ,CAAC,eAAe,EAAE,CAAC,CAAA;QAExD,sEAAsE;QACtE,uEAAuE;QACvE,sEAAsE;QACtE,qEAAqE;QACrE,uEAAuE;QACvE,kEAAkE;QAClE,qDAAqD;QACrD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAA;QAEjD,MAAM,CAAC,OAAO,CAAC,eAAe,EAAE,KAAK,EAAE,IAAc,EAAE,EAAE;YACvD,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;YACtC,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAA;YAC3D,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,YAAY,CAAC,EAAE,KAAK,EAAE,CAAC,CAAA;YAC7F,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;YACpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,WAAW,EAAE,CAAC,CAAA;YAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,UAAU,EAAE,CAAC,CAAA;YACzC,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAA;gBAC5C,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;gBACjD,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,UAAU,EAAE,CAAC,CAAA;gBAChD,IAAI,kBAAkB,EAAE,CAAC;oBACvB,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAA;oBACxE,OAAO,CAAC,GAAG,CAAC,OAAO,kBAAkB,EAAE,CAAC,CAAA;oBACxC,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAA;oBACjF,OAAO,CAAC,GAAG,CAAC,+EAA+E,CAAC,CAAA;gBAC9F,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC,WAAW,CAAC,+CAA+C,CAAC,CAAA;QAE/D,MAAM,CAAC,OAAO,CAAC,iBAAiB,EAAE,KAAK,EAAE,IAAc,EAAE,EAAE;YACzD,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAA;YAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;YAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;YAC1C,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;YAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;YAEnD,yEAAyE;YACzE,sEAAsE;YACtE,qEAAqE;YACrE,8DAA8D;YAC9D,2DAA2D;YAC3D,kEAAkE;YAClE,qEAAqE;YACrE,mEAAmE;YACnE,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAA;gBAC7E,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAA;gBACpF,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAA;gBACjF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;gBACf,OAAO,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAA;gBACvF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;gBACf,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAA;gBAClE,OAAM;YACR,CAAC;YAED,MAAM,EAAE,YAAY,EAAE,uBAAuB,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAA;YACtF,MAAM,UAAU,GAAG,uBAAuB,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAA;YAC/D,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,YAAY,CAAC;gBAC5C,IAAI;gBACJ,YAAY,EAAE,CAAC,QAAQ,IAAI,CAAC,QAAQ;gBACpC,UAAU;aACX,CAAC,CAAA;YAEF,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAA;YACtC,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,EAAE,EAAE,CAAC,CAAA;YAC1C,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;YAC5C,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,EAAE,CAAC,CAAA;gBACvC,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAA;YACnE,CAAC;QACH,CAAC,CAAC,CAAC,WAAW,CAAC,2BAA2B,CAAC,CAAA;QAE3C,MAAM,CAAC,OAAO,CAAC,gBAAgB,EAAE,KAAK,IAAI,EAAE;YAC1C,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAA;YAC3D,MAAM,MAAM,GAAG,MAAM,WAAW,EAAE,CAAA;YAClC,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,GAAG,MAAM,CAAC,aAAa,GAAG,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,WAAW,CAAA;YAChG,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,6BAA6B,CAAC,CAAA;YAC3D,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,YAAY,EAAE,CAAC,CAAA;YACzD,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,aAAa,EAAE,CAAC,CAAA;YAC1D,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,SAAS,EAAE,CAAC,CAAA;YACtD,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;QAC1D,CAAC,CAAC,CAAC,WAAW,CAAC,sCAAsC,CAAC,CAAA;QAEtD,0CAA0C;QAC1C,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAA;QAC/D,iBAAiB,CAAC;YAChB,OAAO,EAAM,sBAAsB;YACnC,WAAW,EAAE,kCAAkC;YAC/C,KAAK,EAAQ,gCAAgC;YAC7C,SAAS,EAAI,aAAa;YAC1B,IAAI,EAAE,CAAC,SAAS,EAAE,EAAE,CAAC;;wBAEH,SAAS,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE;;;;;;;;;;CAUrE;SACI,CAAC,CAAA;IACJ,CAAC;CACF"}

package/dist/middleware/bearer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bearer.d.ts","sourceRoot":"","sources":["../../src/middleware/bearer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAK5D;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,iBAAiB,CAmDpD;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,iBAAiB,CAiDjD"}
+{"version":3,"file":"bearer.d.ts","sourceRoot":"","sources":["../../src/middleware/bearer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAmB5D;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,iBAAiB,CAyDpD;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,iBAAiB,CAuDjD"}

package/dist/middleware/bearer.js

@@ -1,5 +1,21 @@
 import { verifyToken } from '../token.js';
 import { Passport } from '../Passport.js';
+/**
+ * Extract the Bearer-scheme credential from an Authorization header.
+ * RFC 6750 §2.1 / RFC 7235 §2.1 — the auth scheme is a token and must be
+ * matched case-insensitively, so `bearer xyz` and `BEARER xyz` are valid.
+ * Returns the trimmed credential, or null if the header is absent or the
+ * scheme is not "Bearer".
+ */
+function extractBearer(authHeader) {
+    if (!authHeader)
+        return null;
+    if (authHeader.length < 7)
+        return null;
+    if (authHeader.slice(0, 7).toLowerCase() !== 'bearer ')
+        return null;
+    return authHeader.slice(7).trim() || null;
+}
 /**
  * Middleware that authenticates via Bearer token (JWT).
  * Validates the JWT signature, checks expiration, checks revocation in DB.
@@ -8,13 +24,18 @@ import { Passport } from '../Passport.js';
 export function BearerMiddleware() {
     return async function BearerMiddleware(req, _res, next) {
         const authHeader = req.headers['authorization'];
-        if (!authHeader?.startsWith('Bearer ')) {
+        const jwt = extractBearer(authHeader);
+        if (!jwt) {
             await next();
             return;
         }
-        const jwt = authHeader.slice(7).trim();
         try {
-            const payload = await verifyToken(jwt);
+            // Pass expectedIssuer when configured so verifyToken rejects
+            // tokens minted by an unrelated issuer sharing the same keypair
+            // (multi-tenant / staging+prod). Tokens with no `iss` claim are
+            // legacy and exempt — see verifyToken jsdoc.
+            const issuer = Passport.issuer();
+            const payload = await verifyToken(jwt, issuer ? { expectedIssuer: issuer } : undefined);
             // Check revocation in DB
             const AccessTokenCls = await Passport.tokenModel();
             const token = await AccessTokenCls.query()
@@ -36,6 +57,8 @@ export function BearerMiddleware() {
                     const manager = app().make('auth.manager');
                     const user = await manager.guard().provider.retrieveById(payload.sub);
                     if (user) {
+                        ;
+                        user['__passport_token'] = token;
                         const plain = {};
                         for (const [k, v] of Object.entries(user)) {
                             if (typeof v !== 'function' && k !== 'password')
@@ -63,13 +86,18 @@ export function BearerMiddleware() {
 export function RequireBearer() {
     return async function RequireBearer(req, res, next) {
         const authHeader = req.headers['authorization'];
-        if (!authHeader?.startsWith('Bearer ')) {
+        const jwt = extractBearer(authHeader);
+        if (!jwt) {
             res.status(401).json({ error: 'unauthenticated', message: 'Bearer token required.' });
             return;
         }
-        const jwt = authHeader.slice(7).trim();
         try {
-            const payload = await verifyToken(jwt);
+            // Pass expectedIssuer when configured so verifyToken rejects
+            // tokens minted by an unrelated issuer sharing the same keypair
+            // (multi-tenant / staging+prod). Tokens with no `iss` claim are
+            // legacy and exempt — see verifyToken jsdoc.
+            const issuer = Passport.issuer();
+            const payload = await verifyToken(jwt, issuer ? { expectedIssuer: issuer } : undefined);
             // Check revocation
             const AccessTokenCls = await Passport.tokenModel();
             const token = await AccessTokenCls.query()
@@ -89,6 +117,8 @@ export function RequireBearer() {
                     const manager = app().make('auth.manager');
                     const user = await manager.guard().provider.retrieveById(payload.sub);
                     if (user) {
+                        ;
+                        user['__passport_token'] = token;
                         const plain = {};
                         for (const [k, v] of Object.entries(user)) {
                             if (typeof v !== 'function' && k !== 'password')

package/dist/middleware/bearer.js.map

@@ -1 +1 @@
-{"version":3,"file":"bearer.js","sourceRoot":"","sources":["../../src/middleware/bearer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC;;;;GAIG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,KAAK,UAAU,gBAAgB,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI;QACpD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAuB,CAAA;QACrE,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QACtC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,CAAA;YAEtC,yBAAyB;YACzB,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;YAClD,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE;iBACvC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;iBACxB,KAAK,EAAwB,CAAA;YAEhC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBAC5B,MAAM,IAAI,EAAE,CAAA;gBACZ,OAAM;YACR,CAAC;YAED,uCAAuC;YACvC,MAAM,GAAG,GAAG,GAAG,CAAC,GAA8B,CAAA;YAC9C,GAAG,CAAC,kBAAkB,CAAC,GAAG,KAAK,CAAA;YAC/B,GAAG,CAAC,mBAAmB,CAAC,GAAG,OAAO,CAAC,MAAM,CAAA;YACzC,GAAG,CAAC,oBAAoB,CAAC,GAAG,OAAO,CAAC,GAAG,CAAA;YAEvC,mCAAmC;YACnC,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAA;oBAC9C,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,IAAI,CAA4E,cAAc,CAAC,CAAA;oBACrH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;oBACrE,IAAI,IAAI,EAAE,CAAC;wBACT,MAAM,KAAK,GAA4B,EAAE,CAAA;wBACzC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAA+B,CAAC,EAAE,CAAC;4BACrE,IAAI,OAAO,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,UAAU;gCAAE,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;wBAC/D,CAAC;wBACD,GAAG,CAAC,YAAY,CAAC,GAAG,KAAK,CAAA;wBACzB,IAAI,CAAC;4BAAE,GAA0C,CAAC,MAAM,CAAC,GAAG,KAAK,CAAA;wBAAC,CAAC;wBAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;oBAC/F,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC,CAAC,wBAAwB,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sCAAsC;QACxC,CAAC;QAED,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,KAAK,UAAU,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI;QAChD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAuB,CAAA;QACrE,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC,CAAA;YACrF,OAAM;QACR,CAAC;QAED,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QACtC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,CAAA;YAEtC,mBAAmB;YACnB,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;YAClD,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE;iBACvC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;iBACxB,KAAK,EAAwB,CAAA;YAEhC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBAC5B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC,CAAA;gBACtF,OAAM;YACR,CAAC;YAED,MAAM,GAAG,GAAG,GAAG,CAAC,GAA8B,CAAA;YAC9C,GAAG,CAAC,kBAAkB,CAAC,GAAG,KAAK,CAAA;YAC/B,GAAG,CAAC,mBAAmB,CAAC,GAAG,OAAO,CAAC,MAAM,CAAA;YACzC,GAAG,CAAC,oBAAoB,CAAC,GAAG,OAAO,CAAC,GAAG,CAAA;YAEvC,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAA;oBAC9C,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,IAAI,CAA4E,cAAc,CAAC,CAAA;oBACrH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;oBACrE,IAAI,IAAI,EAAE,CAAC;wBACT,MAAM,KAAK,GAA4B,EAAE,CAAA;wBACzC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAA+B,CAAC,EAAE,CAAC;4BACrE,IAAI,OAAO,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,UAAU;gCAAE,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;wBAC/D,CAAC;wBACD,GAAG,CAAC,YAAY,CAAC,GAAG,KAAK,CAAA;wBACzB,IAAI,CAAC;4BAAE,GAA0C,CAAC,MAAM,CAAC,GAAG,KAAK,CAAA;wBAAC,CAAC;wBAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;oBAC/F,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC,CAAC,wBAAwB,CAAC,CAAC;YACtC,CAAC;YAED,MAAM,IAAI,EAAE,CAAA;QACd,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC,CAAA;QAC1F,CAAC;IACH,CAAC,CAAA;AACH,CAAC"}
+{"version":3,"file":"bearer.js","sourceRoot":"","sources":["../../src/middleware/bearer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,UAA8B;IACnD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAA;IAC5B,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IACtC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,SAAS;QAAE,OAAO,IAAI,CAAA;IACnE,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,IAAI,CAAA;AAC3C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,KAAK,UAAU,gBAAgB,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI;QACpD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAuB,CAAA;QACrE,MAAM,GAAG,GAAG,aAAa,CAAC,UAAU,CAAC,CAAA;QACrC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,IAAI,CAAC;YACH,6DAA6D;YAC7D,gEAAgE;YAChE,gEAAgE;YAChE,6CAA6C;YAC7C,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;YAEvF,yBAAyB;YACzB,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;YAClD,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE;iBACvC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;iBACxB,KAAK,EAAwB,CAAA;YAEhC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBAC5B,MAAM,IAAI,EAAE,CAAA;gBACZ,OAAM;YACR,CAAC;YAED,uCAAuC;YACvC,MAAM,GAAG,GAAG,GAAG,CAAC,GAA8B,CAAA;YAC9C,GAAG,CAAC,kBAAkB,CAAC,GAAG,KAAK,CAAA;YAC/B,GAAG,CAAC,mBAAmB,CAAC,GAAG,OAAO,CAAC,MAAM,CAAA;YACzC,GAAG,CAAC,oBAAoB,CAAC,GAAG,OAAO,CAAC,GAAG,CAAA;YAEvC,mCAAmC;YACnC,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAA;oBAC9C,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,IAAI,CAA4E,cAAc,CAAC,CAAA;oBACrH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;oBACrE,IAAI,IAAI,EAAE,CAAC;wBACT,CAAC;wBAAC,IAAgC,CAAC,kBAAkB,CAAC,GAAG,KAAK,CAAA;wBAC9D,MAAM,KAAK,GAA4B,EAAE,CAAA;wBACzC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAA+B,CAAC,EAAE,CAAC;4BACrE,IAAI,OAAO,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,UAAU;gCAAE,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;wBAC/D,CAAC;wBACD,GAAG,CAAC,YAAY,CAAC,GAAG,KAAK,CAAA;wBACzB,IAAI,CAAC;4BAAE,GAA0C,CAAC,MAAM,CAAC,GAAG,KAAK,CAAA;wBAAC,CAAC;wBAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;oBAC/F,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC,CAAC,wBAAwB,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sCAAsC;QACxC,CAAC;QAED,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,KAAK,UAAU,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI;QAChD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAuB,CAAA;QACrE,MAAM,GAAG,GAAG,aAAa,CAAC,UAAU,CAAC,CAAA;QACrC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC,CAAA;YACrF,OAAM;QACR,CAAC;QAED,IAAI,CAAC;YACH,6DAA6D;YAC7D,gEAAgE;YAChE,gEAAgE;YAChE,6CAA6C;YAC7C,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAA;YAChC,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;YAEvF,mBAAmB;YACnB,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;YAClD,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE;iBACvC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;iBACxB,KAAK,EAAwB,CAAA;YAEhC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBAC5B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC,CAAA;gBACtF,OAAM;YACR,CAAC;YAED,MAAM,GAAG,GAAG,GAAG,CAAC,GAA8B,CAAA;YAC9C,GAAG,CAAC,kBAAkB,CAAC,GAAG,KAAK,CAAA;YAC/B,GAAG,CAAC,mBAAmB,CAAC,GAAG,OAAO,CAAC,MAAM,CAAA;YACzC,GAAG,CAAC,oBAAoB,CAAC,GAAG,OAAO,CAAC,GAAG,CAAA;YAEvC,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAA;oBAC9C,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,IAAI,CAA4E,cAAc,CAAC,CAAA;oBACrH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;oBACrE,IAAI,IAAI,EAAE,CAAC;wBACT,CAAC;wBAAC,IAAgC,CAAC,kBAAkB,CAAC,GAAG,KAAK,CAAA;wBAC9D,MAAM,KAAK,GAA4B,EAAE,CAAA;wBACzC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAA+B,CAAC,EAAE,CAAC;4BACrE,IAAI,OAAO,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,UAAU;gCAAE,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;wBAC/D,CAAC;wBACD,GAAG,CAAC,YAAY,CAAC,GAAG,KAAK,CAAA;wBACzB,IAAI,CAAC;4BAAE,GAA0C,CAAC,MAAM,CAAC,GAAG,KAAK,CAAA;wBAAC,CAAC;wBAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;oBAC/F,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC,CAAC,wBAAwB,CAAC,CAAC;YACtC,CAAC;YAED,MAAM,IAAI,EAAE,CAAA;QACd,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC,CAAA;QAC1F,CAAC;IACH,CAAC,CAAA;AACH,CAAC"}

package/dist/middleware/scope.d.ts

@@ -1,11 +1,21 @@
 import type { MiddlewareHandler } from '@rudderjs/contracts';
 /**
- * Middleware that requires specific OAuth scopes on the Bearer token.
- * Must be used after BearerMiddleware or RequireBearer.
+ * Middleware that requires **all** listed OAuth scopes on the Bearer token
+ * (AND semantics). Must be used after BearerMiddleware or RequireBearer.
  *
  * @example
  * router.get('/admin', [RequireBearer(), scope('admin')], handler)
  * router.post('/orders', [RequireBearer(), scope('write', 'place-orders')], handler)
  */
 export declare function scope(...requiredScopes: string[]): MiddlewareHandler;
+/**
+ * Middleware that requires **any** of the listed OAuth scopes on the Bearer
+ * token (OR semantics — Laravel's `scopes` vs `scope` middleware). Must be
+ * used after BearerMiddleware or RequireBearer.
+ *
+ * @example
+ * // Either scope is enough
+ * router.get('/orders', [RequireBearer(), scopeAny('orders:read', 'orders:write')], handler)
+ */
+export declare function scopeAny(...allowedScopes: string[]): MiddlewareHandler;
 //# sourceMappingURL=scope.d.ts.map

package/dist/middleware/scope.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scope.d.ts","sourceRoot":"","sources":["../../src/middleware/scope.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAE5D;;;;;;;GAOG;AACH,wBAAgB,KAAK,CAAC,GAAG,cAAc,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAiCpE"}
+{"version":3,"file":"scope.d.ts","sourceRoot":"","sources":["../../src/middleware/scope.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAE5D;;;;;;;GAOG;AACH,wBAAgB,KAAK,CAAC,GAAG,cAAc,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAiCpE;AAED;;;;;;;;GAQG;AACH,wBAAgB,QAAQ,CAAC,GAAG,aAAa,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAuCtE"}

package/dist/middleware/scope.js

@@ -1,6 +1,6 @@
 /**
- * Middleware that requires specific OAuth scopes on the Bearer token.
- * Must be used after BearerMiddleware or RequireBearer.
+ * Middleware that requires **all** listed OAuth scopes on the Bearer token
+ * (AND semantics). Must be used after BearerMiddleware or RequireBearer.
  *
  * @example
  * router.get('/admin', [RequireBearer(), scope('admin')], handler)
@@ -36,4 +36,48 @@ export function scope(...requiredScopes) {
         await next();
     };
 }
+/**
+ * Middleware that requires **any** of the listed OAuth scopes on the Bearer
+ * token (OR semantics — Laravel's `scopes` vs `scope` middleware). Must be
+ * used after BearerMiddleware or RequireBearer.
+ *
+ * @example
+ * // Either scope is enough
+ * router.get('/orders', [RequireBearer(), scopeAny('orders:read', 'orders:write')], handler)
+ */
+export function scopeAny(...allowedScopes) {
+    return async function ScopeAnyMiddleware(req, res, next) {
+        const raw = req.raw;
+        const tokenScopes = raw['__passport_scopes'];
+        if (!tokenScopes) {
+            res.status(403).json({
+                error: 'insufficient_scope',
+                message: 'Token does not have any of the required scopes.',
+                required: allowedScopes,
+            });
+            return;
+        }
+        // Wildcard scope grants everything
+        if (tokenScopes.includes('*')) {
+            await next();
+            return;
+        }
+        // Calling scopeAny() with no arguments is a no-op safety net rather than
+        // an instant 403 — mirrors Laravel's behavior when the dev forgets the list.
+        if (allowedScopes.length === 0) {
+            await next();
+            return;
+        }
+        const matched = allowedScopes.some(s => tokenScopes.includes(s));
+        if (!matched) {
+            res.status(403).json({
+                error: 'insufficient_scope',
+                message: `Token must have at least one of: ${allowedScopes.join(', ')}`,
+                required: allowedScopes,
+            });
+            return;
+        }
+        await next();
+    };
+}
 //# sourceMappingURL=scope.js.map

package/dist/middleware/scope.js.map

@@ -1 +1 @@
-{"version":3,"file":"scope.js","sourceRoot":"","sources":["../../src/middleware/scope.ts"],"names":[],"mappings":"AAEA;;;;;;;GAOG;AACH,MAAM,UAAU,KAAK,CAAC,GAAG,cAAwB;IAC/C,OAAO,KAAK,UAAU,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI;QAClD,MAAM,GAAG,GAAG,GAAG,CAAC,GAA8B,CAAA;QAC9C,MAAM,WAAW,GAAG,GAAG,CAAC,mBAAmB,CAAyB,CAAA;QAEpE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,oBAAoB;gBAC3B,OAAO,EAAE,0CAA0C;gBACnD,QAAQ,EAAE,cAAc;aACzB,CAAC,CAAA;YACF,OAAM;QACR,CAAC;QAED,mCAAmC;QACnC,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACpE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,oBAAoB;gBAC3B,OAAO,EAAE,8BAA8B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC3D,QAAQ,EAAE,cAAc;gBACxB,OAAO;aACR,CAAC,CAAA;YACF,OAAM;QACR,CAAC;QAED,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC"}
+{"version":3,"file":"scope.js","sourceRoot":"","sources":["../../src/middleware/scope.ts"],"names":[],"mappings":"AAEA;;;;;;;GAOG;AACH,MAAM,UAAU,KAAK,CAAC,GAAG,cAAwB;IAC/C,OAAO,KAAK,UAAU,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI;QAClD,MAAM,GAAG,GAAG,GAAG,CAAC,GAA8B,CAAA;QAC9C,MAAM,WAAW,GAAG,GAAG,CAAC,mBAAmB,CAAyB,CAAA;QAEpE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,oBAAoB;gBAC3B,OAAO,EAAE,0CAA0C;gBACnD,QAAQ,EAAE,cAAc;aACzB,CAAC,CAAA;YACF,OAAM;QACR,CAAC;QAED,mCAAmC;QACnC,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACpE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,oBAAoB;gBAC3B,OAAO,EAAE,8BAA8B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC3D,QAAQ,EAAE,cAAc;gBACxB,OAAO;aACR,CAAC,CAAA;YACF,OAAM;QACR,CAAC;QAED,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,QAAQ,CAAC,GAAG,aAAuB;IACjD,OAAO,KAAK,UAAU,kBAAkB,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI;QACrD,MAAM,GAAG,GAAG,GAAG,CAAC,GAA8B,CAAA;QAC9C,MAAM,WAAW,GAAG,GAAG,CAAC,mBAAmB,CAAyB,CAAA;QAEpE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,oBAAoB;gBAC3B,OAAO,EAAE,iDAAiD;gBAC1D,QAAQ,EAAE,aAAa;aACxB,CAAC,CAAA;YACF,OAAM;QACR,CAAC;QAED,mCAAmC;QACnC,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,yEAAyE;QACzE,6EAA6E;QAC7E,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QAChE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,oBAAoB;gBAC3B,OAAO,EAAE,oCAAoC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBACvE,QAAQ,EAAE,aAAa;aACxB,CAAC,CAAA;YACF,OAAM;QACR,CAAC;QAED,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC"}

package/dist/models/AccessToken.d.ts

@@ -1,7 +1,39 @@
 import { Model } from '@rudderjs/orm';
+/**
+ * Why we don't store hashed access tokens
+ * ----------------------------------------
+ * Unlike `@rudderjs/sanctum` (which stores SHA-256 hashes of opaque tokens),
+ * Passport access tokens are JWTs signed with RS256. The DB row records
+ * metadata only (`userId`, `clientId`, `scopes`, `revoked`, `expiresAt`); the
+ * JWT itself is never persisted. The signature is the secrecy boundary —
+ * anyone holding the JWT can verify it offline against the public key, and
+ * the only way to mint a valid one is with the private key.
+ *
+ * Practical consequences:
+ *   - A DB dump does NOT leak usable bearer tokens. It leaks the audit trail
+ *     (which user/client owns which token id, when it expires) but not the
+ *     credential itself.
+ *   - Revocation works by flipping `revoked = true`; bearer middleware checks
+ *     the row on every request. JWT-only verification is intentionally not
+ *     supported — we want revocation to be authoritative.
+ *   - Rotating the signing keypair (`rudder passport:keys --force`) instantly
+ *     invalidates every outstanding access token, since their signatures no
+ *     longer verify under the new public key. See CLAUDE.md "Pitfalls".
+ *
+ * This matches Laravel Passport. If you want hashed-token semantics with
+ * no JWT verification step, use `@rudderjs/sanctum` instead.
+ */
 export declare class AccessToken extends Model {
     static table: string;
     static fillable: string[];
+    /** `MassPrunable` — bulk `deleteAll()` per chunk; mirrors `passport:purge`. */
+    static pruneMode: "mass";
+    /** Rows safe to remove: expired OR revoked. Same predicate as `passport:purge`. */
+    static prunable(): import("@rudderjs/contracts").QueryBuilder<AccessToken> & {
+        scope(name: string, ...args: unknown[]): import("@rudderjs/contracts").QueryBuilder<AccessToken>;
+        withoutGlobalScope(name: string): import("@rudderjs/contracts").QueryBuilder<AccessToken>;
+    };
+    id: string;
     userId: string | null;
     clientId: string;
     name: string | null;

package/dist/models/AccessToken.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AccessToken.d.ts","sourceRoot":"","sources":["../../src/models/AccessToken.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AAErC,qBAAa,WAAY,SAAQ,KAAK;IACpC,OAAgB,KAAK,SAAqB;IAE1C,OAAgB,QAAQ,WAAmE;IAEnF,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;IACrB,QAAQ,EAAE,MAAM,CAAA;IAChB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;IACnB,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,IAAI,CAAA;IAEvB,2BAA2B;IAC3B,SAAS,IAAI,MAAM,EAAE;IAMrB,+CAA+C;IAC/C,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAK3B,sDAAsD;IACtD,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAI5B,yBAAyB;IACnB,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAK7B,sCAAsC;IACtC,SAAS,IAAI,OAAO;IAIpB,iEAAiE;IACjE,OAAO,IAAI,OAAO;CAGnB"}
+{"version":3,"file":"AccessToken.d.ts","sourceRoot":"","sources":["../../src/models/AccessToken.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAU,MAAM,eAAe,CAAA;AAE7C;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,qBAAa,WAAY,SAAQ,KAAK;IACpC,OAAgB,KAAK,SAAqB;IAQ1C,OAAgB,QAAQ,WAAwD;IAEhF,+EAA+E;IAC/E,MAAM,CAAC,SAAS,EAAG,MAAM,CAAS;IAElC,mFAAmF;IACnF,MAAM,CAAC,QAAQ;;;;IAMP,EAAE,EAAE,MAAM,CAAA;IAQV,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;IAGrB,QAAQ,EAAE,MAAM,CAAA;IAEhB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;IACnB,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,IAAI,CAAA;IAEvB,2BAA2B;IAC3B,SAAS,IAAI,MAAM,EAAE;IAMrB,+CAA+C;IAC/C,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAK3B,sDAAsD;IACtD,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAI5B,yBAAyB;IACnB,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAU7B,sCAAsC;IACtC,SAAS,IAAI,OAAO;IAIpB,iEAAiE;IACjE,OAAO,IAAI,OAAO;CAGnB"}

package/dist/models/AccessToken.js

@@ -1,7 +1,54 @@
-import { Model } from '@rudderjs/orm';
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Model, Hidden } from '@rudderjs/orm';
+/**
+ * Why we don't store hashed access tokens
+ * ----------------------------------------
+ * Unlike `@rudderjs/sanctum` (which stores SHA-256 hashes of opaque tokens),
+ * Passport access tokens are JWTs signed with RS256. The DB row records
+ * metadata only (`userId`, `clientId`, `scopes`, `revoked`, `expiresAt`); the
+ * JWT itself is never persisted. The signature is the secrecy boundary —
+ * anyone holding the JWT can verify it offline against the public key, and
+ * the only way to mint a valid one is with the private key.
+ *
+ * Practical consequences:
+ *   - A DB dump does NOT leak usable bearer tokens. It leaks the audit trail
+ *     (which user/client owns which token id, when it expires) but not the
+ *     credential itself.
+ *   - Revocation works by flipping `revoked = true`; bearer middleware checks
+ *     the row on every request. JWT-only verification is intentionally not
+ *     supported — we want revocation to be authoritative.
+ *   - Rotating the signing keypair (`rudder passport:keys --force`) instantly
+ *     invalidates every outstanding access token, since their signatures no
+ *     longer verify under the new public key. See CLAUDE.md "Pitfalls".
+ *
+ * This matches Laravel Passport. If you want hashed-token semantics with
+ * no JWT verification step, use `@rudderjs/sanctum` instead.
+ */
 export class AccessToken extends Model {
     static table = 'oAuthAccessToken';
-    static fillable = ['userId', 'clientId', 'name', 'scopes', 'revoked', 'expiresAt'];
+    // `revoked` is intentionally NOT fillable — flipping it is a privileged
+    // lifecycle operation that should only happen through `revoke()` (instance
+    // method) or `forceFill({ revoked: true })`. Allowing mass-assignment here
+    // would let any caller-controlled payload pre-mark a token as revoked
+    // before it ever sees real traffic. Defense-in-depth — no current route
+    // exposes this surface today.
+    static fillable = ['userId', 'clientId', 'name', 'scopes', 'expiresAt'];
+    /** `MassPrunable` — bulk `deleteAll()` per chunk; mirrors `passport:purge`. */
+    static pruneMode = 'mass';
+    /** Rows safe to remove: expired OR revoked. Same predicate as `passport:purge`. */
+    static prunable() {
+        return this.query()
+            .where('expiresAt', '<', new Date())
+            .orWhere('revoked', true);
+    }
     /** Parsed scopes array. */
     getScopes() {
         const raw = this['scopes'];
@@ -20,8 +67,13 @@ export class AccessToken extends Model {
     }
     /** Revoke this token. */
     async revoke() {
+        // Direct property assignment + save() bypasses the mass-assignment filter
+        // (`revoked` is no longer in `fillable`). Cleaner than the prior static
+        // `Model.update(id, ...)` pattern: observers fire normally, the in-memory
+        // instance reflects the new state without a re-read, and there's no
+        // `(this as any).id` cast that future refactors might silently break.
         this.revoked = true;
-        await this.constructor.update(this.id, { revoked: true });
+        await this.save();
     }
     /** Whether this token has expired. */
     isExpired() {
@@ -32,4 +84,12 @@ export class AccessToken extends Model {
         return !this.revoked && !this.isExpired();
     }
 }
+__decorate([
+    Hidden,
+    __metadata("design:type", Object)
+], AccessToken.prototype, "userId", void 0);
+__decorate([
+    Hidden,
+    __metadata("design:type", String)
+], AccessToken.prototype, "clientId", void 0);
 //# sourceMappingURL=AccessToken.js.map

package/dist/models/AccessToken.js.map

@@ -1 +1 @@
-{"version":3,"file":"AccessToken.js","sourceRoot":"","sources":["../../src/models/AccessToken.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AAErC,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC,MAAM,CAAU,KAAK,GAAG,kBAAkB,CAAA;IAE1C,MAAM,CAAU,QAAQ,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,CAAA;IAQ3F,2BAA2B;IAC3B,SAAS;QACP,MAAM,GAAG,GAAI,IAA2C,CAAC,QAAQ,CAAC,CAAA;QAClE,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAA;QAC/D,OAAQ,GAAgB,IAAI,EAAE,CAAA;IAChC,CAAC;IAED,+CAA+C;IAC/C,GAAG,CAAC,KAAa;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAA;QAC/B,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACvD,CAAC;IAED,sDAAsD;IACtD,IAAI,CAAC,KAAa;QAChB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;IACzB,CAAC;IAED,yBAAyB;IACzB,KAAK,CAAC,MAAM;QACV,IAAI,CAAC,OAAO,GAAG,IAAI,CAAA;QACnB,MAAO,IAAI,CAAC,WAAkC,CAAC,MAAM,CAAE,IAAY,CAAC,EAAY,EAAE,EAAE,OAAO,EAAE,IAAI,EAAS,CAAC,CAAA;IAC7G,CAAC;IAED,sCAAsC;IACtC,SAAS;QACP,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAA;IACzD,CAAC;IAED,iEAAiE;IACjE,OAAO;QACL,OAAO,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAA;IAC3C,CAAC"}
+{"version":3,"file":"AccessToken.js","sourceRoot":"","sources":["../../src/models/AccessToken.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,eAAe,CAAA;AAE7C;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC,MAAM,CAAU,KAAK,GAAG,kBAAkB,CAAA;IAE1C,wEAAwE;IACxE,2EAA2E;IAC3E,2EAA2E;IAC3E,sEAAsE;IACtE,wEAAwE;IACxE,8BAA8B;IAC9B,MAAM,CAAU,QAAQ,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAA;IAEhF,+EAA+E;IAC/E,MAAM,CAAC,SAAS,GAAG,MAAe,CAAA;IAElC,mFAAmF;IACnF,MAAM,CAAC,QAAQ;QACb,OAAO,IAAI,CAAC,KAAK,EAAE;aAChB,KAAK,CAAC,WAAW,EAAE,GAAG,EAAE,IAAI,IAAI,EAAE,CAAC;aACnC,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;IAC7B,CAAC;IAmBD,2BAA2B;IAC3B,SAAS;QACP,MAAM,GAAG,GAAI,IAA2C,CAAC,QAAQ,CAAC,CAAA;QAClE,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAA;QAC/D,OAAQ,GAAgB,IAAI,EAAE,CAAA;IAChC,CAAC;IAED,+CAA+C;IAC/C,GAAG,CAAC,KAAa;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAA;QAC/B,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACvD,CAAC;IAED,sDAAsD;IACtD,IAAI,CAAC,KAAa;QAChB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;IACzB,CAAC;IAED,yBAAyB;IACzB,KAAK,CAAC,MAAM;QACV,0EAA0E;QAC1E,wEAAwE;QACxE,0EAA0E;QAC1E,oEAAoE;QACpE,sEAAsE;QACtE,IAAI,CAAC,OAAO,GAAG,IAAI,CAAA;QACnB,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;IACnB,CAAC;IAED,sCAAsC;IACtC,SAAS;QACP,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAA;IACzD,CAAC;IAED,iEAAiE;IACjE,OAAO;QACL,OAAO,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAA;IAC3C,CAAC;;AA9CO;IADP,MAAM;;2CACsB;AAGrB;IADP,MAAM;;6CACiB"}