@rudderjs/passport 1.1.0 → 1.1.2

package/dist/routes/authorize.d.ts

@@ -0,0 +1,17 @@
+import type { MiddlewareHandler } from '@rudderjs/contracts';
+import type { Router } from './types.js';
+/**
+ * Register `GET/POST/DELETE /oauth/authorize` — the consent flow.
+ *
+ * - `GET` validates the authorization request and renders the consent screen
+ *   (custom via `Passport.authorizationView()` or JSON by default).
+ * - `POST` requires a signed-in user and issues an authorization code on
+ *   approval, redirecting back to `redirect_uri` with `code` + `state`.
+ * - `DELETE` issues an `access_denied` redirect on rejection.
+ *
+ * The redirect_uri on POST/DELETE bodies is attacker-controlled and is
+ * re-validated against the client's registered list (see
+ * `validateClientRedirect` in `helpers.ts`).
+ */
+export declare function registerAuthorizeRoutes(router: Router, prefix: string, mw: MiddlewareHandler[]): void;
+//# sourceMappingURL=authorize.d.ts.map

package/dist/routes/authorize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/routes/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAG5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAGxC;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,IAAI,CA+FrG"}

package/dist/routes/authorize.js

@@ -0,0 +1,107 @@
+import { Passport } from '../Passport.js';
+import { validateAuthorizationRequest, issueAuthCode } from '../grants/index.js';
+import { authErrorResponse, requesterIdFrom, validateClientRedirect } from './helpers.js';
+/**
+ * Register `GET/POST/DELETE /oauth/authorize` — the consent flow.
+ *
+ * - `GET` validates the authorization request and renders the consent screen
+ *   (custom via `Passport.authorizationView()` or JSON by default).
+ * - `POST` requires a signed-in user and issues an authorization code on
+ *   approval, redirecting back to `redirect_uri` with `code` + `state`.
+ * - `DELETE` issues an `access_denied` redirect on rejection.
+ *
+ * The redirect_uri on POST/DELETE bodies is attacker-controlled and is
+ * re-validated against the client's registered list (see
+ * `validateClientRedirect` in `helpers.ts`).
+ */
+export function registerAuthorizeRoutes(router, prefix, mw) {
+    // GET /oauth/authorize — show consent (returns JSON or renders custom view)
+    router.get(`${prefix}/authorize`, async (req, res) => {
+        const query = req.query ?? {};
+        try {
+            const validated = await validateAuthorizationRequest({
+                clientId: query['client_id'] ?? '',
+                redirectUri: query['redirect_uri'] ?? '',
+                responseType: query['response_type'] ?? '',
+                scope: query['scope'] ?? '',
+                state: query['state'],
+                codeChallenge: query['code_challenge'],
+                codeChallengeMethod: query['code_challenge_method'],
+            });
+            const ctx = {
+                client: {
+                    id: validated.client.id,
+                    name: validated.client.name,
+                },
+                scopes: validated.scopes,
+                redirectUri: validated.redirectUri,
+                ...(validated.state !== undefined ? { state: validated.state } : {}),
+                ...(validated.codeChallenge !== undefined ? { codeChallenge: validated.codeChallenge } : {}),
+                ...(validated.codeChallengeMethod !== undefined ? { codeChallengeMethod: validated.codeChallengeMethod } : {}),
+                request: req,
+            };
+            const viewFn = Passport.authorizationViewFn();
+            if (viewFn) {
+                return await viewFn(ctx);
+            }
+            // Default: JSON response — the app's consent screen reads this
+            res.json({
+                client: ctx.client,
+                scopes: ctx.scopes,
+                state: ctx.state,
+                redirectUri: ctx.redirectUri,
+            });
+        }
+        catch (e) {
+            authErrorResponse(res, e, query['state']);
+        }
+    }, mw);
+    // POST /oauth/authorize — user approves
+    router.post(`${prefix}/authorize`, async (req, res) => {
+        const body = req.body ?? {};
+        try {
+            const userId = requesterIdFrom(req);
+            if (!userId) {
+                // Echo state on the unauthenticated branch too — the consent UI
+                // round-trips the same payload regardless of the auth gate result.
+                const stateEcho = typeof body['state'] === 'string' && body['state'] ? { state: body['state'] } : {};
+                res.status(401).json({ error: 'unauthenticated', error_description: 'User must be signed in.', ...stateEcho });
+                return;
+            }
+            await validateClientRedirect(body['client_id'], body['redirect_uri']);
+            const code = await issueAuthCode({
+                userId,
+                clientId: body['client_id'],
+                scopes: body['scopes'] ?? [],
+                redirectUri: body['redirect_uri'],
+                codeChallenge: body['code_challenge'],
+                codeChallengeMethod: body['code_challenge_method'],
+            });
+            const redirectUri = new URL(body['redirect_uri']);
+            redirectUri.searchParams.set('code', code);
+            if (body['state'])
+                redirectUri.searchParams.set('state', body['state']);
+            res.json({ redirect_uri: redirectUri.toString() });
+        }
+        catch (e) {
+            authErrorResponse(res, e, body['state']);
+        }
+    }, mw);
+    // DELETE /oauth/authorize — user denies
+    router.delete(`${prefix}/authorize`, async (req, res) => {
+        const body = req.body ?? {};
+        try {
+            await validateClientRedirect(body['client_id'], body['redirect_uri']);
+            const redirectUri = new URL(body['redirect_uri']);
+            redirectUri.searchParams.set('error', 'access_denied');
+            redirectUri.searchParams.set('error_description', 'The user denied the request.');
+            if (body['state'])
+                redirectUri.searchParams.set('state', body['state']);
+            res.json({ redirect_uri: redirectUri.toString() });
+        }
+        catch (e) {
+            authErrorResponse(res, e, body['state']);
+        }
+    }, mw);
+}
+//# sourceMappingURL=authorize.js.map

package/dist/routes/authorize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/routes/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AACzC,OAAO,EAAE,4BAA4B,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAEhF,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAEzF;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAc,EAAE,MAAc,EAAE,EAAuB;IAC7F,4EAA4E;IAC5E,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAC7D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,IAAI,EAAE,CAAA;QAC7B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAAC;gBACnD,QAAQ,EAAa,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE;gBAC7C,WAAW,EAAU,KAAK,CAAC,cAAc,CAAC,IAAI,EAAE;gBAChD,YAAY,EAAS,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE;gBACjD,KAAK,EAAgB,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE;gBACzC,KAAK,EAAgB,KAAK,CAAC,OAAO,CAAC;gBACnC,aAAa,EAAQ,KAAK,CAAC,gBAAgB,CAAC;gBAC5C,mBAAmB,EAAE,KAAK,CAAC,uBAAuB,CAAC;aACpD,CAAC,CAAA;YAEF,MAAM,GAAG,GAAG;gBACV,MAAM,EAAE;oBACN,EAAE,EAAI,SAAS,CAAC,MAAM,CAAC,EAAE;oBACzB,IAAI,EAAE,SAAS,CAAC,MAAM,CAAC,IAAI;iBAC5B;gBACD,MAAM,EAAO,SAAS,CAAC,MAAM;gBAC7B,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,GAAG,CAAC,SAAS,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpE,GAAG,CAAC,SAAS,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5F,GAAG,CAAC,SAAS,CAAC,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,SAAS,CAAC,mBAAmB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9G,OAAO,EAAE,GAAG;aACb,CAAA;YAED,MAAM,MAAM,GAAG,QAAQ,CAAC,mBAAmB,EAAE,CAAA;YAC7C,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,MAAM,MAAM,CAAC,GAAG,CAAC,CAAA;YAC1B,CAAC;YAED,+DAA+D;YAC/D,GAAG,CAAC,IAAI,CAAC;gBACP,MAAM,EAAO,GAAG,CAAC,MAAM;gBACvB,MAAM,EAAO,GAAG,CAAC,MAAM;gBACvB,KAAK,EAAQ,GAAG,CAAC,KAAK;gBACtB,WAAW,EAAE,GAAG,CAAC,WAAW;aAC7B,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;QAC3C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,wCAAwC;IACxC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAC9D,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAA;YACnC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,gEAAgE;gBAChE,mEAAmE;gBACnE,MAAM,SAAS,GAAG,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;gBACpG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,GAAG,SAAS,EAAE,CAAC,CAAA;gBAC9G,OAAM;YACR,CAAC;YAED,MAAM,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YAErE,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC;gBAC/B,MAAM;gBACN,QAAQ,EAAa,IAAI,CAAC,WAAW,CAAC;gBACtC,MAAM,EAAe,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE;gBACzC,WAAW,EAAU,IAAI,CAAC,cAAc,CAAC;gBACzC,aAAa,EAAQ,IAAI,CAAC,gBAAgB,CAAC;gBAC3C,mBAAmB,EAAE,IAAI,CAAC,uBAAuB,CAAC;aACnD,CAAC,CAAA;YAEF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YACjD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,IAAI,CAAC,OAAO,CAAC;gBAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;YAEvE,GAAG,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;QACpD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,wCAAwC;IACxC,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAChE,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,IAAI,CAAC;YACH,MAAM,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YAErE,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YACjD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,CAAA;YACtD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,8BAA8B,CAAC,CAAA;YACjF,IAAI,IAAI,CAAC,OAAO,CAAC;gBAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;YAEvE,GAAG,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;QACpD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;AACR,CAAC"}

package/dist/routes/device.d.ts

@@ -0,0 +1,23 @@
+import type { MiddlewareHandler } from '@rudderjs/contracts';
+import type { PassportRouteOptions, Router } from './types.js';
+/**
+ * Register `POST /oauth/device/code` + `POST /oauth/device/approve` — the
+ * RFC 8628 device authorization flow.
+ *
+ * - `POST /oauth/device/code` is stateless: a device requests a `device_code`
+ *   + `user_code` pair, plus the `verification_uri` for the user to visit.
+ * - `POST /oauth/device/approve` is session-backed: the signed-in user
+ *   approves or denies the device after typing the user_code.
+ *
+ * `mw` runs ahead of both handlers. The RFC 8628 §5.2 brute-force concern
+ * on user_code is already covered by a typical 60/min api-group rate
+ * limiter; pass a tighter per-route limiter via `deviceMiddleware` if your
+ * threat model warrants it.
+ *
+ * `verification_uri` resolution priority: explicit `opts.verificationUri`
+ * > `config('app.url')` > `req.protocol + req.hostname` (last resort with
+ * a one-shot warning, since `Host` is attacker-controlled behind a
+ * reverse proxy without trust-proxy).
+ */
+export declare function registerDeviceRoutes(router: Router, opts: PassportRouteOptions, prefix: string, mw: MiddlewareHandler[]): void;
+//# sourceMappingURL=device.d.ts.map

package/dist/routes/device.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device.d.ts","sourceRoot":"","sources":["../../src/routes/device.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAG5D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAG9D;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,oBAAoB,EAC1B,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,iBAAiB,EAAE,GACtB,IAAI,CA0CN"}

package/dist/routes/device.js

@@ -0,0 +1,69 @@
+import { report } from '@rudderjs/core';
+import { requestDeviceCode, approveDeviceCode, OAuthError } from '../grants/index.js';
+import { requesterIdFrom, resolveVerificationUri } from './helpers.js';
+/**
+ * Register `POST /oauth/device/code` + `POST /oauth/device/approve` — the
+ * RFC 8628 device authorization flow.
+ *
+ * - `POST /oauth/device/code` is stateless: a device requests a `device_code`
+ *   + `user_code` pair, plus the `verification_uri` for the user to visit.
+ * - `POST /oauth/device/approve` is session-backed: the signed-in user
+ *   approves or denies the device after typing the user_code.
+ *
+ * `mw` runs ahead of both handlers. The RFC 8628 §5.2 brute-force concern
+ * on user_code is already covered by a typical 60/min api-group rate
+ * limiter; pass a tighter per-route limiter via `deviceMiddleware` if your
+ * threat model warrants it.
+ *
+ * `verification_uri` resolution priority: explicit `opts.verificationUri`
+ * > `config('app.url')` > `req.protocol + req.hostname` (last resort with
+ * a one-shot warning, since `Host` is attacker-controlled behind a
+ * reverse proxy without trust-proxy).
+ */
+export function registerDeviceRoutes(router, opts, prefix, mw) {
+    // POST /oauth/device/code — request device authorization
+    router.post(`${prefix}/device/code`, async (req, res) => {
+        try {
+            const body = req.body ?? {};
+            const verificationUri = resolveVerificationUri(opts, req, prefix);
+            const result = await requestDeviceCode({
+                clientId: body['client_id'],
+                scope: body['scope'],
+                verificationUri,
+            });
+            res.json(result);
+        }
+        catch (e) {
+            if (e instanceof OAuthError) {
+                res.status(e.statusCode).json(e.toJSON());
+            }
+            else {
+                report(e);
+                res.status(500).json({ error: 'server_error', error_description: 'Internal server error.' });
+            }
+        }
+    }, mw);
+    // POST /oauth/device/approve — user approves/denies device
+    router.post(`${prefix}/device/approve`, async (req, res) => {
+        try {
+            const body = req.body ?? {};
+            const userId = requesterIdFrom(req);
+            if (!userId) {
+                res.status(401).json({ error: 'unauthenticated', error_description: 'User must be signed in.' });
+                return;
+            }
+            await approveDeviceCode(body['user_code'], userId, body['approved'] !== false);
+            res.json({ status: 'ok' });
+        }
+        catch (e) {
+            if (e instanceof OAuthError) {
+                res.status(e.statusCode).json(e.toJSON());
+            }
+            else {
+                report(e);
+                res.status(500).json({ error: 'server_error', error_description: 'Internal server error.' });
+            }
+        }
+    }, mw);
+}
+//# sourceMappingURL=device.js.map

package/dist/routes/device.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device.js","sourceRoot":"","sources":["../../src/routes/device.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AACvC,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAErF,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAEtE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAc,EACd,IAA0B,EAC1B,MAAc,EACd,EAAuB;IAEvB,yDAAyD;IACzD,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,cAAc,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAChE,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;YAC3B,MAAM,eAAe,GAAG,sBAAsB,CAAC,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;YACjE,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC;gBACrC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC;gBAC3B,KAAK,EAAK,IAAI,CAAC,OAAO,CAAC;gBACvB,eAAe;aAChB,CAAC,CAAA;YACF,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAClB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;gBAC5B,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAA;YAC3C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,CAAC,CAAC,CAAA;gBACT,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,CAAC,CAAA;YAC9F,CAAC;QACH,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,2DAA2D;IAC3D,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,iBAAiB,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QACnE,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;YAC3B,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAA;YACnC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,CAAC,CAAA;gBAChG,OAAM;YACR,CAAC;YACD,MAAM,iBAAiB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK,KAAK,CAAC,CAAA;YAC9E,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAA;QAC5B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;gBAC5B,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAA;YAC3C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,CAAC,CAAC,CAAA;gBACT,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,CAAC,CAAA;YAC9F,CAAC;QACH,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;AACR,CAAC"}

package/dist/routes/helpers.d.ts

@@ -0,0 +1,64 @@
+import type { MiddlewareHandler } from '@rudderjs/contracts';
+import type { OAuthClient } from '../models/OAuthClient.js';
+import type { PassportRouteOptions } from './types.js';
+/**
+ * Re-validate that `redirect_uri` is on the requesting client's whitelist.
+ * The consent UI sees the validated URI from `GET /oauth/authorize`, but the
+ * subsequent POST/DELETE bodies are attacker-controlled and must be
+ * re-checked — otherwise the response leaks an authorization code (POST) or
+ * an open redirect (DELETE) to a host the client never registered.
+ * Throws `OAuthError` so the surrounding try/catch returns the correct
+ * status + payload.
+ */
+export declare function validateClientRedirect(clientId: unknown, redirectUri: unknown): Promise<OAuthClient>;
+/**
+ * Resolve client credentials at the token endpoint per RFC 6749 §2.3.
+ *
+ * Confidential clients can authenticate via:
+ *   1. `Authorization: Basic base64(client_id:client_secret)` (§2.3.1, MUST support)
+ *   2. `client_id` + `client_secret` in the request body (alternative)
+ *
+ * §2.3 forbids using both at once — clients MUST NOT pass credentials in
+ * the body when the header is present. We reject that combination with
+ * `invalid_request` so SDK bugs surface loudly instead of silently
+ * accepting one set and ignoring the other.
+ *
+ * Public clients send only `client_id` in the body; both Basic creds and
+ * a body `client_id` mismatch is also rejected.
+ */
+export declare function resolveClientCredentials(req: {
+    headers?: Record<string, unknown>;
+}, body: Record<string, unknown>): {
+    clientId: string;
+    clientSecret?: string;
+};
+export declare function resolveVerificationUri(opts: PassportRouteOptions, req: {
+    protocol?: string;
+    hostname?: string;
+}, prefix: string): string;
+/**
+ * Render an error response from a `/oauth/authorize` handler. RFC 6749
+ * §4.1.2.1 requires that `state` is echoed back on errors (so the client
+ * can reconcile the response against its own session) — independent of
+ * whether the response shape is a redirect or JSON, and independent of
+ * the underlying error code.
+ *
+ * We additionally call `report()` on non-`OAuthError` throws so the root
+ * cause surfaces through the configured exception reporter instead of
+ * being silently collapsed under `server_error`.
+ */
+export declare function authErrorResponse(res: any, err: unknown, state: unknown): void;
+/**
+ * Resolve the authenticated requester's id from a passport-route request,
+ * checking both the `__rjs_user` raw-bag stamp (set by server-hono's auth
+ * middleware) and the plain `req.user` fallback (set on the universal
+ * middleware bridge). Returns `null` when neither is populated — typically
+ * means no session / not signed in, and the caller should respond 401.
+ */
+export declare function requesterIdFrom(req: {
+    raw?: unknown;
+    user?: unknown;
+}): string | null;
+/** Normalize an optional middleware option into an array, dropping `undefined`. */
+export declare function asMiddlewareArray(input: MiddlewareHandler | MiddlewareHandler[] | undefined): MiddlewareHandler[];
+//# sourceMappingURL=helpers.d.ts.map

package/dist/routes/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../src/routes/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAG5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AAG3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAEtD;;;;;;;;GAQG;AACH,wBAAsB,sBAAsB,CAAC,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC,CAgB1G;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,wBAAwB,CACtC,GAAG,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,EAC1C,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,CA4C7C;AAcD,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,oBAAoB,EAAE,GAAG,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAiBxI;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI,CAQ9E;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE;IAAE,GAAG,CAAC,EAAE,OAAO,CAAC;IAAC,IAAI,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,MAAM,GAAG,IAAI,CAKrF;AAED,mFAAmF;AACnF,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,GAAG,iBAAiB,EAAE,GAAG,SAAS,GAAG,iBAAiB,EAAE,CAGjH"}

package/dist/routes/helpers.js

@@ -0,0 +1,154 @@
+import { config, report } from '@rudderjs/core';
+import { Passport } from '../Passport.js';
+import { clientHelpers } from '../models/helpers.js';
+import { OAuthError } from '../grants/index.js';
+/**
+ * Re-validate that `redirect_uri` is on the requesting client's whitelist.
+ * The consent UI sees the validated URI from `GET /oauth/authorize`, but the
+ * subsequent POST/DELETE bodies are attacker-controlled and must be
+ * re-checked — otherwise the response leaks an authorization code (POST) or
+ * an open redirect (DELETE) to a host the client never registered.
+ * Throws `OAuthError` so the surrounding try/catch returns the correct
+ * status + payload.
+ */
+export async function validateClientRedirect(clientId, redirectUri) {
+    if (typeof clientId !== 'string' || !clientId) {
+        throw new OAuthError('invalid_request', 'client_id is required.');
+    }
+    if (typeof redirectUri !== 'string' || !redirectUri) {
+        throw new OAuthError('invalid_request', 'redirect_uri is required.');
+    }
+    const ClientCls = await Passport.clientModel();
+    const client = await ClientCls.where('id', clientId).first();
+    if (!client || client.revoked) {
+        throw new OAuthError('invalid_client', 'Client not found.');
+    }
+    if (!clientHelpers.hasRedirectUri(client, redirectUri)) {
+        throw new OAuthError('invalid_request', 'Invalid redirect_uri.');
+    }
+    return client;
+}
+/**
+ * Resolve client credentials at the token endpoint per RFC 6749 §2.3.
+ *
+ * Confidential clients can authenticate via:
+ *   1. `Authorization: Basic base64(client_id:client_secret)` (§2.3.1, MUST support)
+ *   2. `client_id` + `client_secret` in the request body (alternative)
+ *
+ * §2.3 forbids using both at once — clients MUST NOT pass credentials in
+ * the body when the header is present. We reject that combination with
+ * `invalid_request` so SDK bugs surface loudly instead of silently
+ * accepting one set and ignoring the other.
+ *
+ * Public clients send only `client_id` in the body; both Basic creds and
+ * a body `client_id` mismatch is also rejected.
+ */
+export function resolveClientCredentials(req, body) {
+    const authHeader = req.headers?.['authorization'];
+    const bodyClientId = body['client_id'];
+    const bodyClientSecret = body['client_secret'];
+    if (typeof authHeader === 'string' && authHeader.length >= 6 && authHeader.slice(0, 6).toLowerCase() === 'basic ') {
+        const encoded = authHeader.slice(6).trim();
+        let decoded;
+        try {
+            decoded = Buffer.from(encoded, 'base64').toString('utf8');
+        }
+        catch {
+            throw new OAuthError('invalid_request', 'Malformed HTTP Basic credentials.', 401);
+        }
+        const sep = decoded.indexOf(':');
+        if (sep === -1) {
+            throw new OAuthError('invalid_request', 'Malformed HTTP Basic credentials.', 401);
+        }
+        // RFC 6749 §2.3.1 — client_id and client_secret in Basic are
+        // application/x-www-form-urlencoded-encoded before base64. SDKs in
+        // the wild often skip the percent-encoding step; we accept the raw
+        // form because requiring percent-decoding here would reject every
+        // ASCII-only credential pair (which is the overwhelming majority).
+        const headerClientId = decoded.slice(0, sep);
+        const headerClientSecret = decoded.slice(sep + 1);
+        if (!headerClientId) {
+            throw new OAuthError('invalid_request', 'Malformed HTTP Basic credentials.', 401);
+        }
+        if (bodyClientSecret !== undefined) {
+            throw new OAuthError('invalid_request', 'client_secret must not be sent in both Authorization header and request body.', 401);
+        }
+        if (bodyClientId !== undefined && bodyClientId !== headerClientId) {
+            throw new OAuthError('invalid_request', 'client_id in Authorization header does not match request body.', 401);
+        }
+        return { clientId: headerClientId, clientSecret: headerClientSecret };
+    }
+    if (typeof bodyClientId !== 'string' || !bodyClientId) {
+        throw new OAuthError('invalid_request', 'client_id is required.');
+    }
+    return bodyClientSecret !== undefined
+        ? { clientId: bodyClientId, clientSecret: bodyClientSecret }
+        : { clientId: bodyClientId };
+}
+/**
+ * Resolve the device-flow verification URI in this priority order:
+ *
+ *   1. `opts.verificationUri` — explicit caller override.
+ *   2. `config('app.url')` — `${appUrl}${prefix}/device`. Trailing slash on
+ *      the configured value is tolerated.
+ *   3. `req.protocol` + `req.hostname` — last-resort fallback for dev / when
+ *      neither knob is configured. The `Host` header is attacker-controlled
+ *      behind a reverse proxy without trust-proxy, so we emit a one-shot
+ *      warning the first time we land here. Documented in CLAUDE.md.
+ */
+let _hostHeaderFallbackWarned = false;
+export function resolveVerificationUri(opts, req, prefix) {
+    if (opts.verificationUri)
+        return opts.verificationUri;
+    const appUrl = config('app.url', undefined);
+    if (typeof appUrl === 'string' && appUrl) {
+        return `${appUrl.replace(/\/$/, '')}${prefix}/device`;
+    }
+    if (!_hostHeaderFallbackWarned) {
+        _hostHeaderFallbackWarned = true;
+        console.warn('[@rudderjs/passport] Falling back to req.protocol/req.hostname for the device-flow verification URI. ' +
+            'The Host header is attacker-controlled behind a reverse proxy without trust-proxy. ' +
+            'Set APP_URL (config(\'app.url\')) or pass an explicit `verificationUri` to registerPassportRoutes() to silence this.');
+    }
+    return `${req.protocol}://${req.hostname}${prefix}/device`;
+}
+/**
+ * Render an error response from a `/oauth/authorize` handler. RFC 6749
+ * §4.1.2.1 requires that `state` is echoed back on errors (so the client
+ * can reconcile the response against its own session) — independent of
+ * whether the response shape is a redirect or JSON, and independent of
+ * the underlying error code.
+ *
+ * We additionally call `report()` on non-`OAuthError` throws so the root
+ * cause surfaces through the configured exception reporter instead of
+ * being silently collapsed under `server_error`.
+ */
+export function authErrorResponse(res, err, state) {
+    const stateEcho = typeof state === 'string' && state ? { state } : {};
+    if (err instanceof OAuthError) {
+        res.status(err.statusCode).json({ ...err.toJSON(), ...stateEcho });
+        return;
+    }
+    report(err);
+    res.status(500).json({ error: 'server_error', error_description: 'Internal server error.', ...stateEcho });
+}
+/**
+ * Resolve the authenticated requester's id from a passport-route request,
+ * checking both the `__rjs_user` raw-bag stamp (set by server-hono's auth
+ * middleware) and the plain `req.user` fallback (set on the universal
+ * middleware bridge). Returns `null` when neither is populated — typically
+ * means no session / not signed in, and the caller should respond 401.
+ */
+export function requesterIdFrom(req) {
+    const fromRaw = req.raw?.__rjs_user?.id;
+    const fromReq = req.user?.id;
+    const id = fromRaw ?? fromReq;
+    return typeof id === 'string' && id ? id : null;
+}
+/** Normalize an optional middleware option into an array, dropping `undefined`. */
+export function asMiddlewareArray(input) {
+    if (!input)
+        return [];
+    return Array.isArray(input) ? input : [input];
+}
+//# sourceMappingURL=helpers.js.map

package/dist/routes/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../src/routes/helpers.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAEzC,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAG/C;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,QAAiB,EAAE,WAAoB;IAClF,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9C,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,wBAAwB,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,2BAA2B,CAAC,CAAA;IACtE,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAA;IAC9C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,KAAK,EAAwB,CAAA;IAClF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAA;IAC7D,CAAC;IACD,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,uBAAuB,CAAC,CAAA;IAClE,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,wBAAwB,CACtC,GAA0C,EAC1C,IAA6B;IAE7B,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,eAAe,CAAC,CAAA;IACjD,MAAM,YAAY,GAAO,IAAI,CAAC,WAAW,CAA2B,CAAA;IACpE,MAAM,gBAAgB,GAAG,IAAI,CAAC,eAAe,CAAuB,CAAA;IAEpE,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,MAAM,IAAI,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;QAClH,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QAC1C,IAAI,OAAe,CAAA;QACnB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,mCAAmC,EAAE,GAAG,CAAC,CAAA;QACnF,CAAC;QACD,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAChC,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;YACf,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,mCAAmC,EAAE,GAAG,CAAC,CAAA;QACnF,CAAC;QACD,6DAA6D;QAC7D,mEAAmE;QACnE,mEAAmE;QACnE,kEAAkE;QAClE,mEAAmE;QACnE,MAAM,cAAc,GAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;QAChD,MAAM,kBAAkB,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;QAEjD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,mCAAmC,EAAE,GAAG,CAAC,CAAA;QACnF,CAAC;QACD,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,+EAA+E,EAAE,GAAG,CAAC,CAAA;QAC/H,CAAC;QACD,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,cAAc,EAAE,CAAC;YAClE,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,gEAAgE,EAAE,GAAG,CAAC,CAAA;QAChH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,YAAY,EAAE,kBAAkB,EAAE,CAAA;IACvE,CAAC;IAED,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;QACtD,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,wBAAwB,CAAC,CAAA;IACnE,CAAC;IACD,OAAO,gBAAgB,KAAK,SAAS;QACnC,CAAC,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE;QAC5D,CAAC,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAA;AAChC,CAAC;AAED;;;;;;;;;;GAUG;AACH,IAAI,yBAAyB,GAAG,KAAK,CAAA;AACrC,MAAM,UAAU,sBAAsB,CAAC,IAA0B,EAAE,GAA6C,EAAE,MAAc;IAC9H,IAAI,IAAI,CAAC,eAAe;QAAE,OAAO,IAAI,CAAC,eAAe,CAAA;IAErD,MAAM,MAAM,GAAG,MAAM,CAAqB,SAAS,EAAE,SAAS,CAAC,CAAA;IAC/D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,EAAE,CAAC;QACzC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,MAAM,SAAS,CAAA;IACvD,CAAC;IAED,IAAI,CAAC,yBAAyB,EAAE,CAAC;QAC/B,yBAAyB,GAAG,IAAI,CAAA;QAChC,OAAO,CAAC,IAAI,CACV,uGAAuG;YACvG,qFAAqF;YACrF,sHAAsH,CACvH,CAAA;IACH,CAAC;IACD,OAAO,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,QAAQ,GAAG,MAAM,SAAS,CAAA;AAC5D,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAQ,EAAE,GAAY,EAAE,KAAc;IACtE,MAAM,SAAS,GAAG,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IACrE,IAAI,GAAG,YAAY,UAAU,EAAE,CAAC;QAC9B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,GAAG,CAAC,MAAM,EAAE,EAAE,GAAG,SAAS,EAAE,CAAC,CAAA;QAClE,OAAM;IACR,CAAC;IACD,MAAM,CAAC,GAAG,CAAC,CAAA;IACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,GAAG,SAAS,EAAE,CAAC,CAAA;AAC5G,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,GAAsC;IACpE,MAAM,OAAO,GAAI,GAAG,CAAC,GAAqD,EAAE,UAAU,EAAE,EAAE,CAAA;IAC1F,MAAM,OAAO,GAAI,GAAG,CAAC,IAAqC,EAAE,EAAE,CAAA;IAC9D,MAAM,EAAE,GAAG,OAAO,IAAI,OAAO,CAAA;IAC7B,OAAO,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAA;AACjD,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,iBAAiB,CAAC,KAA0D;IAC1F,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAA;IACrB,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;AAC/C,CAAC"}

package/dist/routes/revoke.d.ts

@@ -0,0 +1,16 @@
+import type { MiddlewareHandler } from '@rudderjs/contracts';
+import type { Router } from './types.js';
+/**
+ * Register `DELETE /oauth/tokens/:id` — revoke a specific access token.
+ *
+ * Requires a valid bearer token AND ownership of the token being revoked.
+ * Token ids appear in JWT `jti` claims (semi-public), so without an
+ * ownership check anyone with a single captured JWT could DoS arbitrary
+ * users. Returns 404 (not 403) on ownership mismatch to avoid leaking
+ * whether a given id exists.
+ *
+ * `mw` is the `authorizeMiddleware` array — typically empty or CSRF when
+ * the app doesn't mount CSRF at the web-group level.
+ */
+export declare function registerRevokeRoute(router: Router, prefix: string, mw: MiddlewareHandler[]): void;
+//# sourceMappingURL=revoke.d.ts.map

package/dist/routes/revoke.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.d.ts","sourceRoot":"","sources":["../../src/routes/revoke.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAI5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAGxC;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAkBjG"}

package/dist/routes/revoke.js

@@ -0,0 +1,33 @@
+import { Passport } from '../Passport.js';
+import { RequireBearer } from '../middleware/bearer.js';
+import { requesterIdFrom } from './helpers.js';
+/**
+ * Register `DELETE /oauth/tokens/:id` — revoke a specific access token.
+ *
+ * Requires a valid bearer token AND ownership of the token being revoked.
+ * Token ids appear in JWT `jti` claims (semi-public), so without an
+ * ownership check anyone with a single captured JWT could DoS arbitrary
+ * users. Returns 404 (not 403) on ownership mismatch to avoid leaking
+ * whether a given id exists.
+ *
+ * `mw` is the `authorizeMiddleware` array — typically empty or CSRF when
+ * the app doesn't mount CSRF at the web-group level.
+ */
+export function registerRevokeRoute(router, prefix, mw) {
+    router.delete(`${prefix}/tokens/:id`, async (req, res) => {
+        const tokenId = req.params?.['id'] ?? '';
+        const AccessTokenCls = await Passport.tokenModel();
+        const token = await AccessTokenCls.where('id', tokenId).first();
+        const requesterId = requesterIdFrom(req);
+        if (!token || !requesterId || token.userId !== requesterId) {
+            res.status(404).json({ error: 'not_found', error_description: 'Token not found.' });
+            return;
+        }
+        // QueryBuilder.updateAll() bypasses the mass-assignment filter;
+        // `revoked` is no longer in `AccessToken.fillable`.
+        await AccessTokenCls.where('id', token.id)
+            .updateAll({ revoked: true });
+        res.status(204).send();
+    }, [RequireBearer(), ...mw]);
+}
+//# sourceMappingURL=revoke.js.map

package/dist/routes/revoke.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../../src/routes/revoke.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAEzC,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAA;AAEvD,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAE9C;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAc,EAAE,MAAc,EAAE,EAAuB;IACzF,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,aAAa,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QACjE,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAA;QACxC,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;QAClD,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,KAAK,EAAwB,CAAA;QAErF,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC,CAAA;QACxC,IAAI,CAAC,KAAK,IAAI,CAAC,WAAW,IAAI,KAAK,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC3D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,CAAC,CAAA;YACnF,OAAM;QACR,CAAC;QAED,gEAAgE;QAChE,oDAAoD;QACpD,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;aACvC,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAA6B,CAAC,CAAA;QAC1D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;IACxB,CAAC,EAAE,CAAC,aAAa,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,CAAA;AAC9B,CAAC"}

package/dist/routes/scopes.d.ts

@@ -0,0 +1,9 @@
+import type { Router } from './types.js';
+/**
+ * Register `GET /oauth/scopes` — list the OAuth scopes the app has declared
+ * via `Passport.tokensCan({...})`. Stateless, no auth required — useful for
+ * client SDKs that want to render the consent screen's scope list without
+ * round-tripping `/oauth/authorize`.
+ */
+export declare function registerScopesRoute(router: Router, prefix: string): void;
+//# sourceMappingURL=scopes.d.ts.map

package/dist/routes/scopes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scopes.d.ts","sourceRoot":"","sources":["../../src/routes/scopes.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAExC;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAIxE"}

package/dist/routes/scopes.js

@@ -0,0 +1,13 @@
+import { Passport } from '../Passport.js';
+/**
+ * Register `GET /oauth/scopes` — list the OAuth scopes the app has declared
+ * via `Passport.tokensCan({...})`. Stateless, no auth required — useful for
+ * client SDKs that want to render the consent screen's scope list without
+ * round-tripping `/oauth/authorize`.
+ */
+export function registerScopesRoute(router, prefix) {
+    router.get(`${prefix}/scopes`, async (_req, res) => {
+        res.json(Passport.scopes());
+    });
+}
+//# sourceMappingURL=scopes.js.map

package/dist/routes/scopes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scopes.js","sourceRoot":"","sources":["../../src/routes/scopes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAc,EAAE,MAAc;IAChE,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,SAAS,EAAE,KAAK,EAAE,IAAS,EAAE,GAAQ,EAAE,EAAE;QAC3D,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;IAC7B,CAAC,CAAC,CAAA;AACJ,CAAC"}

package/dist/routes/token.d.ts

@@ -0,0 +1,24 @@
+import type { MiddlewareHandler } from '@rudderjs/contracts';
+import type { Router } from './types.js';
+/**
+ * Register `POST /oauth/token` — the OAuth 2 token endpoint.
+ *
+ * Dispatches to one of the four supported grants:
+ *   - `authorization_code` — exchanges an auth code for tokens
+ *   - `client_credentials` — machine-to-machine, confidential clients only
+ *   - `refresh_token`      — rotates an access+refresh pair
+ *   - `urn:ietf:params:oauth:grant-type:device_code` — polls device flow
+ *
+ * `mw` runs ahead of the handler. The token endpoint is the canonical
+ * brute-force target for client_secret guessing — every production app
+ * SHOULD pass a per-route rate limiter here. See
+ * `PassportRouteOptions.tokenMiddleware` jsdoc for the recommended config.
+ *
+ * RFC 6749 §5.2 — client-auth failures (HTTP 401) are signalled with a
+ * `WWW-Authenticate: Basic` header alongside the body. RFC 8628 §3.5 —
+ * device-flow polling errors (`authorization_pending`, `slow_down`,
+ * `expired_token`, `access_denied`) return HTTP 400; 429 is for transport-
+ * level rate-limiting, not the OAuth `slow_down` signal.
+ */
+export declare function registerTokenRoute(router: Router, prefix: string, mw: MiddlewareHandler[]): void;
+//# sourceMappingURL=token.d.ts.map

package/dist/routes/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/routes/token.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAS5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAGxC;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAoGhG"}