@rudderjs/passport 1.1.0 → 1.1.2

package/dist/routes/token.js

@@ -0,0 +1,121 @@
+import { report } from '@rudderjs/core';
+import { exchangeAuthCode, clientCredentialsGrant, refreshTokenGrant, pollDeviceCode, OAuthError, } from '../grants/index.js';
+import { resolveClientCredentials } from './helpers.js';
+/**
+ * Register `POST /oauth/token` — the OAuth 2 token endpoint.
+ *
+ * Dispatches to one of the four supported grants:
+ *   - `authorization_code` — exchanges an auth code for tokens
+ *   - `client_credentials` — machine-to-machine, confidential clients only
+ *   - `refresh_token`      — rotates an access+refresh pair
+ *   - `urn:ietf:params:oauth:grant-type:device_code` — polls device flow
+ *
+ * `mw` runs ahead of the handler. The token endpoint is the canonical
+ * brute-force target for client_secret guessing — every production app
+ * SHOULD pass a per-route rate limiter here. See
+ * `PassportRouteOptions.tokenMiddleware` jsdoc for the recommended config.
+ *
+ * RFC 6749 §5.2 — client-auth failures (HTTP 401) are signalled with a
+ * `WWW-Authenticate: Basic` header alongside the body. RFC 8628 §3.5 —
+ * device-flow polling errors (`authorization_pending`, `slow_down`,
+ * `expired_token`, `access_denied`) return HTTP 400; 429 is for transport-
+ * level rate-limiting, not the OAuth `slow_down` signal.
+ */
+export function registerTokenRoute(router, prefix, mw) {
+    router.post(`${prefix}/token`, async (req, res) => {
+        try {
+            const body = req.body ?? {};
+            const grantType = body['grant_type'];
+            // RFC 6749 §2.3.1 — confidential clients MUST be able to
+            // authenticate via HTTP Basic; body params are an alternative.
+            // §2.3 forbids using both at once. Resolve credentials once for
+            // all grants instead of repeating the parsing in each branch.
+            const credentials = resolveClientCredentials(req, body);
+            let result;
+            switch (grantType) {
+                case 'authorization_code':
+                    result = await exchangeAuthCode({
+                        grantType,
+                        code: body['code'],
+                        ...credentials,
+                        redirectUri: body['redirect_uri'],
+                        codeVerifier: body['code_verifier'],
+                    });
+                    break;
+                case 'client_credentials':
+                    // ClientCredentialsRequest requires clientSecret (the grant
+                    // is confidential-only by spec). Surface the missing-secret
+                    // case as invalid_request rather than letting it surface
+                    // downstream as "Invalid client secret."
+                    if (credentials.clientSecret === undefined) {
+                        throw new OAuthError('invalid_request', 'client_secret is required for the client_credentials grant.', 401);
+                    }
+                    result = await clientCredentialsGrant({
+                        grantType,
+                        clientId: credentials.clientId,
+                        clientSecret: credentials.clientSecret,
+                        scope: body['scope'],
+                    });
+                    break;
+                case 'refresh_token':
+                    result = await refreshTokenGrant({
+                        grantType,
+                        refreshToken: body['refresh_token'],
+                        ...credentials,
+                        scope: body['scope'],
+                    });
+                    break;
+                case 'urn:ietf:params:oauth:grant-type:device_code': {
+                    const pollResult = await pollDeviceCode({
+                        grantType,
+                        deviceCode: body['device_code'],
+                        clientId: credentials.clientId,
+                    });
+                    if (pollResult.status === 'authorized') {
+                        result = pollResult.tokens;
+                    }
+                    else {
+                        // RFC 8628 §3.5 — device-flow polling errors (including
+                        // slow_down) are §5.2-shaped errors and MUST return HTTP
+                        // 400. 429 is for transport-level rate-limiting, not the
+                        // OAuth `slow_down` signal.
+                        //
+                        // On slow_down, forward the escalated `interval` so a
+                        // well-behaved client uses the new value instead of having
+                        // to add 5 itself. Other variants don't need it.
+                        if (pollResult.status === 'slow_down') {
+                            res.status(400).json({ error: 'slow_down', interval: pollResult.interval });
+                        }
+                        else {
+                            res.status(400).json({ error: pollResult.status });
+                        }
+                        return;
+                    }
+                    break;
+                }
+                default:
+                    res.status(400).json({
+                        error: 'unsupported_grant_type',
+                        error_description: `Grant type "${grantType}" is not supported.`,
+                    });
+                    return;
+            }
+            res.json(result);
+        }
+        catch (e) {
+            if (e instanceof OAuthError) {
+                // RFC 6749 §5.2 — client-auth failures at the token endpoint
+                // are signalled with WWW-Authenticate alongside the 401 status.
+                if (e.statusCode === 401 && typeof res.header === 'function') {
+                    res.header('WWW-Authenticate', 'Basic realm="oauth"');
+                }
+                res.status(e.statusCode).json(e.toJSON());
+            }
+            else {
+                report(e);
+                res.status(500).json({ error: 'server_error', error_description: 'Internal server error.' });
+            }
+        }
+    }, mw);
+}
+//# sourceMappingURL=token.js.map

package/dist/routes/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/routes/token.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AACvC,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EACtB,iBAAiB,EACjB,cAAc,EACd,UAAU,GACX,MAAM,oBAAoB,CAAA;AAE3B,OAAO,EAAE,wBAAwB,EAAE,MAAM,cAAc,CAAA;AAEvD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAc,EAAE,MAAc,EAAE,EAAuB;IACxF,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,QAAQ,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAC1D,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;YAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAW,CAAA;YAE9C,yDAAyD;YACzD,+DAA+D;YAC/D,gEAAgE;YAChE,8DAA8D;YAC9D,MAAM,WAAW,GAAG,wBAAwB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;YAEvD,IAAI,MAAM,CAAA;YAEV,QAAQ,SAAS,EAAE,CAAC;gBAClB,KAAK,oBAAoB;oBACvB,MAAM,GAAG,MAAM,gBAAgB,CAAC;wBAC9B,SAAS;wBACT,IAAI,EAAW,IAAI,CAAC,MAAM,CAAC;wBAC3B,GAAG,WAAW;wBACd,WAAW,EAAI,IAAI,CAAC,cAAc,CAAC;wBACnC,YAAY,EAAG,IAAI,CAAC,eAAe,CAAC;qBACrC,CAAC,CAAA;oBACF,MAAK;gBAEP,KAAK,oBAAoB;oBACvB,4DAA4D;oBAC5D,4DAA4D;oBAC5D,yDAAyD;oBACzD,yCAAyC;oBACzC,IAAI,WAAW,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;wBAC3C,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,6DAA6D,EAAE,GAAG,CAAC,CAAA;oBAC7G,CAAC;oBACD,MAAM,GAAG,MAAM,sBAAsB,CAAC;wBACpC,SAAS;wBACT,QAAQ,EAAM,WAAW,CAAC,QAAQ;wBAClC,YAAY,EAAE,WAAW,CAAC,YAAY;wBACtC,KAAK,EAAS,IAAI,CAAC,OAAO,CAAC;qBAC5B,CAAC,CAAA;oBACF,MAAK;gBAEP,KAAK,eAAe;oBAClB,MAAM,GAAG,MAAM,iBAAiB,CAAC;wBAC/B,SAAS;wBACT,YAAY,EAAE,IAAI,CAAC,eAAe,CAAC;wBACnC,GAAG,WAAW;wBACd,KAAK,EAAS,IAAI,CAAC,OAAO,CAAC;qBAC5B,CAAC,CAAA;oBACF,MAAK;gBAEP,KAAK,8CAA8C,CAAC,CAAC,CAAC;oBACpD,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC;wBACtC,SAAS;wBACT,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC;wBAC/B,QAAQ,EAAI,WAAW,CAAC,QAAQ;qBACjC,CAAC,CAAA;oBACF,IAAI,UAAU,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;wBACvC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAA;oBAC5B,CAAC;yBAAM,CAAC;wBACN,wDAAwD;wBACxD,yDAAyD;wBACzD,yDAAyD;wBACzD,4BAA4B;wBAC5B,EAAE;wBACF,sDAAsD;wBACtD,2DAA2D;wBAC3D,iDAAiD;wBACjD,IAAI,UAAU,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;4BACtC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAA;wBAC7E,CAAC;6BAAM,CAAC;4BACN,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAA;wBACpD,CAAC;wBACD,OAAM;oBACR,CAAC;oBACD,MAAK;gBACP,CAAC;gBAED;oBACE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;wBACnB,KAAK,EAAE,wBAAwB;wBAC/B,iBAAiB,EAAE,eAAe,SAAS,qBAAqB;qBACjE,CAAC,CAAA;oBACF,OAAM;YACV,CAAC;YAED,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAClB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;gBAC5B,6DAA6D;gBAC7D,gEAAgE;gBAChE,IAAI,CAAC,CAAC,UAAU,KAAK,GAAG,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;oBAC7D,GAAG,CAAC,MAAM,CAAC,kBAAkB,EAAE,qBAAqB,CAAC,CAAA;gBACvD,CAAC;gBACD,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAA;YAC3C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,CAAC,CAAC,CAAA;gBACT,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,CAAC,CAAA;YAC9F,CAAC;QACH,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;AACR,CAAC"}

package/dist/routes/types.d.ts

@@ -0,0 +1,132 @@
+import type { MiddlewareHandler } from '@rudderjs/contracts';
+/**
+ * Minimal handler signature. Kept `any`-typed because passport routes are
+ * mounted on arbitrary Router implementations (Hono adapter, express-style,
+ * test fakes) — pinning a concrete request/response type here would force
+ * downstream casts everywhere a handler is implemented.
+ */
+export type RouteHandler = (req: any, res: any) => Promise<any> | any;
+/**
+ * Minimal Router contract passport's `register*Routes()` functions accept.
+ * The `@rudderjs/router` instance satisfies this, as do simple test fakes —
+ * we don't import the concrete class here to keep this package usable from
+ * apps that bring their own router.
+ */
+export interface Router {
+    get(path: string, handler: RouteHandler, ...middleware: any[]): void;
+    post(path: string, handler: RouteHandler, ...middleware: any[]): void;
+    delete(path: string, handler: RouteHandler, ...middleware: any[]): void;
+}
+/** Groups of routes that can be selectively excluded. */
+export type PassportRouteGroup = 'authorize' | 'token' | 'revoke' | 'scopes' | 'device';
+export interface PassportRouteOptions {
+    /** Base path for OAuth routes (default: '/oauth') */
+    prefix?: string;
+    /** Verification URI for device auth (default: '{origin}/oauth/device') */
+    verificationUri?: string;
+    /** Route groups to skip when registering. */
+    except?: PassportRouteGroup[];
+    /**
+     * Middleware applied to `POST /oauth/token`. The token endpoint is the
+     * canonical brute-force target for client_secret guessing — every
+     * production app SHOULD mount a per-route rate limiter here.
+     *
+     * Recommended setup:
+     *
+     * ```ts
+     * import { RateLimit } from '@rudderjs/middleware'
+     * import { registerPassportRoutes } from '@rudderjs/passport'
+     *
+     * registerPassportRoutes(router, {
+     *   tokenMiddleware: [
+     *     RateLimit.perMinute(10).by((req) => `${req.ip}:${req.body?.client_id}`),
+     *   ],
+     * })
+     * ```
+     *
+     * The composite key (`ip + client_id`) prevents one noisy client from
+     * exhausting the budget for legitimate co-tenants behind a shared NAT,
+     * and prevents a single IP from churning through every client_id in the
+     * registry. RateLimit also requires a cache provider to be registered —
+     * see `@rudderjs/cache`. Without one the middleware silently passes
+     * through.
+     *
+     * Accepts a single handler or an array. Empty / omitted means no
+     * additional middleware is applied (the same as before this option
+     * existed).
+     */
+    tokenMiddleware?: MiddlewareHandler | MiddlewareHandler[];
+    /**
+     * Middleware applied to the consent endpoints — `GET/POST/DELETE
+     * /oauth/authorize` and `DELETE /oauth/tokens/:id`. POST /oauth/authorize
+     * is the canonical CSRF target (an attacker page that auto-submits a
+     * hidden form would mint authorization codes for the victim's logged-in
+     * session).
+     *
+     * Most apps should NOT use this option. The recommended pattern is to
+     * mount CSRF on the entire web group from `bootstrap/app.ts`:
+     *
+     * ```ts
+     * .withMiddleware((m) => m.web(CsrfMiddleware()))
+     * ```
+     *
+     * which automatically covers `/oauth/authorize` along with every other
+     * state-changing web route. `authorizeMiddleware` is the per-route
+     * fallback for apps that do NOT mount CSRF at the group level:
+     *
+     * ```ts
+     * import { CsrfMiddleware } from '@rudderjs/middleware'
+     * import { registerPassportWebRoutes } from '@rudderjs/passport'
+     *
+     * registerPassportWebRoutes(router, {
+     *   authorizeMiddleware: [CsrfMiddleware()],
+     * })
+     * ```
+     *
+     * Don't do both — CsrfMiddleware running twice on the same request
+     * emits duplicate `Set-Cookie`s on GETs and runs validation twice on
+     * POSTs.
+     *
+     * Accepts a single handler or an array. Empty / omitted means no
+     * additional middleware is applied — the typical case for apps that
+     * already CSRF-guard at the group level.
+     */
+    authorizeMiddleware?: MiddlewareHandler | MiddlewareHandler[];
+    /**
+     * Middleware applied to the device-flow endpoints — `POST /oauth/device/code`
+     * and `POST /oauth/device/approve`. RFC 8628 §5.2 calls for brute-force
+     * protection on the user_code surface (8-char alphabet → 32^8 ≈ 1.1×10^12
+     * keyspace; per-IP throttling makes exhaustion infeasible).
+     *
+     * Most apps should NOT need this option. The recommended pattern is to
+     * mount a rate limiter on the entire api group from `bootstrap/app.ts`
+     * (`withMiddleware((m) => m.api(RateLimit.perMinute(60)))`) — that single
+     * hook covers the device endpoints alongside every other api route, and
+     * 60/min per-IP is already enough that exhausting the user_code keyspace
+     * would take tens of thousands of years.
+     *
+     * `deviceMiddleware` is the per-route fallback for apps that want a
+     * tighter device-specific limit (e.g. `RateLimit.perMinute(5)`) on top of
+     * — or in place of — the group default:
+     *
+     * ```ts
+     * import { RateLimit } from '@rudderjs/middleware'
+     * import { registerPassportApiRoutes } from '@rudderjs/passport'
+     *
+     * registerPassportApiRoutes(router, {
+     *   deviceMiddleware: [RateLimit.perMinute(5).by((req) => req.ip)],
+     * })
+     * ```
+     *
+     * Layered limits compose in sequence — group + per-route both run, with
+     * the tightest budget winning. Locking individual user_codes after N
+     * misses (the stateful half of the original RFC 8628 §5.2 guidance)
+     * isn't covered by RateLimit; if you need it, wrap your own middleware.
+     *
+     * Accepts a single handler or an array. Empty / omitted means no
+     * additional middleware is applied — the typical case for apps that
+     * already throttle the api group.
+     */
+    deviceMiddleware?: MiddlewareHandler | MiddlewareHandler[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/routes/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/routes/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAE5D;;;;;GAKG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;AAErE;;;;;GAKG;AACH,MAAM,WAAW,MAAM;IACrB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,UAAU,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;IACpE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,UAAU,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;IACrE,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,UAAU,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;CACxE;AAED,yDAAyD;AACzD,MAAM,MAAM,kBAAkB,GAC1B,WAAW,GACX,OAAO,GACP,QAAQ,GACR,QAAQ,GACR,QAAQ,CAAA;AAEZ,MAAM,WAAW,oBAAoB;IACnC,qDAAqD;IACrD,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,0EAA0E;IAC1E,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,6CAA6C;IAC7C,MAAM,CAAC,EAAE,kBAAkB,EAAE,CAAA;IAC7B;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IACH,eAAe,CAAC,EAAE,iBAAiB,GAAG,iBAAiB,EAAE,CAAA;IACzD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,mBAAmB,CAAC,EAAE,iBAAiB,GAAG,iBAAiB,EAAE,CAAA;IAC7D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,gBAAgB,CAAC,EAAE,iBAAiB,GAAG,iBAAiB,EAAE,CAAA;CAC3D"}

package/dist/routes/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/routes/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/routes/types.ts"],"names":[],"mappings":""}

package/dist/routes.d.ts

@@ -1,122 +1,5 @@
-import type { MiddlewareHandler } from '@rudderjs/contracts';
-type RouteHandler = (req: any, res: any) => Promise<any> | any;
-interface Router {
-    get(path: string, handler: RouteHandler, ...middleware: any[]): void;
-    post(path: string, handler: RouteHandler, ...middleware: any[]): void;
-    delete(path: string, handler: RouteHandler, ...middleware: any[]): void;
-}
-/** Groups of routes that can be selectively excluded. */
-export type PassportRouteGroup = 'authorize' | 'token' | 'revoke' | 'scopes' | 'device';
-export interface PassportRouteOptions {
-    /** Base path for OAuth routes (default: '/oauth') */
-    prefix?: string;
-    /** Verification URI for device auth (default: '{origin}/oauth/device') */
-    verificationUri?: string;
-    /** Route groups to skip when registering. */
-    except?: PassportRouteGroup[];
-    /**
-     * Middleware applied to `POST /oauth/token`. The token endpoint is the
-     * canonical brute-force target for client_secret guessing — every
-     * production app SHOULD mount a per-route rate limiter here.
-     *
-     * Recommended setup:
-     *
-     * ```ts
-     * import { RateLimit } from '@rudderjs/middleware'
-     * import { registerPassportRoutes } from '@rudderjs/passport'
-     *
-     * registerPassportRoutes(router, {
-     *   tokenMiddleware: [
-     *     RateLimit.perMinute(10).by((req) => `${req.ip}:${req.body?.client_id}`),
-     *   ],
-     * })
-     * ```
-     *
-     * The composite key (`ip + client_id`) prevents one noisy client from
-     * exhausting the budget for legitimate co-tenants behind a shared NAT,
-     * and prevents a single IP from churning through every client_id in the
-     * registry. RateLimit also requires a cache provider to be registered —
-     * see `@rudderjs/cache`. Without one the middleware silently passes
-     * through.
-     *
-     * Accepts a single handler or an array. Empty / omitted means no
-     * additional middleware is applied (the same as before this option
-     * existed).
-     */
-    tokenMiddleware?: MiddlewareHandler | MiddlewareHandler[];
-    /**
-     * Middleware applied to the consent endpoints — `GET/POST/DELETE
-     * /oauth/authorize` and `DELETE /oauth/tokens/:id`. POST /oauth/authorize
-     * is the canonical CSRF target (an attacker page that auto-submits a
-     * hidden form would mint authorization codes for the victim's logged-in
-     * session).
-     *
-     * Most apps should NOT use this option. The recommended pattern is to
-     * mount CSRF on the entire web group from `bootstrap/app.ts`:
-     *
-     * ```ts
-     * .withMiddleware((m) => m.web(CsrfMiddleware()))
-     * ```
-     *
-     * which automatically covers `/oauth/authorize` along with every other
-     * state-changing web route. `authorizeMiddleware` is the per-route
-     * fallback for apps that do NOT mount CSRF at the group level:
-     *
-     * ```ts
-     * import { CsrfMiddleware } from '@rudderjs/middleware'
-     * import { registerPassportWebRoutes } from '@rudderjs/passport'
-     *
-     * registerPassportWebRoutes(router, {
-     *   authorizeMiddleware: [CsrfMiddleware()],
-     * })
-     * ```
-     *
-     * Don't do both — CsrfMiddleware running twice on the same request
-     * emits duplicate `Set-Cookie`s on GETs and runs validation twice on
-     * POSTs.
-     *
-     * Accepts a single handler or an array. Empty / omitted means no
-     * additional middleware is applied — the typical case for apps that
-     * already CSRF-guard at the group level.
-     */
-    authorizeMiddleware?: MiddlewareHandler | MiddlewareHandler[];
-    /**
-     * Middleware applied to the device-flow endpoints — `POST /oauth/device/code`
-     * and `POST /oauth/device/approve`. RFC 8628 §5.2 calls for brute-force
-     * protection on the user_code surface (8-char alphabet → 32^8 ≈ 1.1×10^12
-     * keyspace; per-IP throttling makes exhaustion infeasible).
-     *
-     * Most apps should NOT need this option. The recommended pattern is to
-     * mount a rate limiter on the entire api group from `bootstrap/app.ts`
-     * (`withMiddleware((m) => m.api(RateLimit.perMinute(60)))`) — that single
-     * hook covers the device endpoints alongside every other api route, and
-     * 60/min per-IP is already enough that exhausting the user_code keyspace
-     * would take tens of thousands of years.
-     *
-     * `deviceMiddleware` is the per-route fallback for apps that want a
-     * tighter device-specific limit (e.g. `RateLimit.perMinute(5)`) on top of
-     * — or in place of — the group default:
-     *
-     * ```ts
-     * import { RateLimit } from '@rudderjs/middleware'
-     * import { registerPassportApiRoutes } from '@rudderjs/passport'
-     *
-     * registerPassportApiRoutes(router, {
-     *   deviceMiddleware: [RateLimit.perMinute(5).by((req) => req.ip)],
-     * })
-     * ```
-     *
-     * Layered limits compose in sequence — group + per-route both run, with
-     * the tightest budget winning. Locking individual user_codes after N
-     * misses (the stateful half of the original RFC 8628 §5.2 guidance)
-     * isn't covered by RateLimit; if you need it, wrap your own middleware.
-     *
-     * Accepts a single handler or an array. Empty / omitted means no
-     * additional middleware is applied — the typical case for apps that
-     * already throttle the api group.
-     */
-    deviceMiddleware?: MiddlewareHandler | MiddlewareHandler[];
-}
+import type { PassportRouteOptions, Router } from './routes/types.js';
+export type { PassportRouteGroup, PassportRouteOptions } from './routes/types.js';
 /**
  * Register all Passport OAuth routes on the given router.
  *
@@ -178,5 +61,4 @@ export declare function registerPassportWebRoutes(router: Router, opts?: Passpor
  * stateful half on the web group.
  */
 export declare function registerPassportApiRoutes(router: Router, opts?: PassportRouteOptions): void;
-export {};
 //# sourceMappingURL=routes.d.ts.map

package/dist/routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../src/routes.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAiK5D,KAAK,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;AAE9D,UAAU,MAAM;IACd,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,UAAU,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;IACpE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,UAAU,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;IACrE,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,UAAU,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;CACxE;AAED,yDAAyD;AACzD,MAAM,MAAM,kBAAkB,GAC1B,WAAW,GACX,OAAO,GACP,QAAQ,GACR,QAAQ,GACR,QAAQ,CAAA;AAEZ,MAAM,WAAW,oBAAoB;IACnC,qDAAqD;IACrD,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,0EAA0E;IAC1E,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,6CAA6C;IAC7C,MAAM,CAAC,EAAE,kBAAkB,EAAE,CAAA;IAC7B;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IACH,eAAe,CAAC,EAAE,iBAAiB,GAAG,iBAAiB,EAAE,CAAA;IACzD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,mBAAmB,CAAC,EAAE,iBAAiB,GAAG,iBAAiB,EAAE,CAAA;IAC7D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,gBAAgB,CAAC,EAAE,iBAAiB,GAAG,iBAAiB,EAAE,CAAA;CAC3D;AAOD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,oBAAyB,GAAG,IAAI,CAsS5F;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,oBAAyB,GAAG,IAAI,CAG/F;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,oBAAyB,GAAG,IAAI,CAG/F"}
+{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../src/routes.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAsB,oBAAoB,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAA;AAQzF,YAAY,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AAEjF;;;;;;;;;;;;;GAaG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,oBAAyB,GAAG,IAAI,CAc5F;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,oBAAyB,GAAG,IAAI,CAG/F;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,oBAAyB,GAAG,IAAI,CAG/F"}