npm - @sentropic/auth-hono - Versions diffs - 0.2.1 → 0.3.0 - Mend

@sentropic/auth-hono 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (90) hide show

package/README.md +115 -1
package/dist/contracts.d.ts +1 -1
package/dist/contracts.d.ts.map +1 -1
package/dist/contracts.js +2 -0
package/dist/contracts.js.map +1 -1
package/dist/index.d.ts +15 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +15 -0
package/dist/index.js.map +1 -1
package/dist/oauth/authorize-handler.d.ts +13 -0
package/dist/oauth/authorize-handler.d.ts.map +1 -0
package/dist/oauth/authorize-handler.js +143 -0
package/dist/oauth/authorize-handler.js.map +1 -0
package/dist/oauth/consent-decision-handler.d.ts +11 -0
package/dist/oauth/consent-decision-handler.d.ts.map +1 -0
package/dist/oauth/consent-decision-handler.js +58 -0
package/dist/oauth/consent-decision-handler.js.map +1 -0
package/dist/oauth/crypto-utils.d.ts +3 -0
package/dist/oauth/crypto-utils.d.ts.map +1 -0
package/dist/oauth/crypto-utils.js +13 -0
package/dist/oauth/crypto-utils.js.map +1 -0
package/dist/oauth/dpop.d.ts +18 -0
package/dist/oauth/dpop.d.ts.map +1 -0
package/dist/oauth/dpop.js +54 -0
package/dist/oauth/dpop.js.map +1 -0
package/dist/oauth/http-utils.d.ts +6 -0
package/dist/oauth/http-utils.d.ts.map +1 -0
package/dist/oauth/http-utils.js +27 -0
package/dist/oauth/http-utils.js.map +1 -0
package/dist/oauth/introspect-handler.d.ts +8 -0
package/dist/oauth/introspect-handler.d.ts.map +1 -0
package/dist/oauth/introspect-handler.js +63 -0
package/dist/oauth/introspect-handler.js.map +1 -0
package/dist/oauth/jwks-service.d.ts +25 -0
package/dist/oauth/jwks-service.d.ts.map +1 -0
package/dist/oauth/jwks-service.js +61 -0
package/dist/oauth/jwks-service.js.map +1 -0
package/dist/oauth/revoke-handler.d.ts +8 -0
package/dist/oauth/revoke-handler.d.ts.map +1 -0
package/dist/oauth/revoke-handler.js +55 -0
package/dist/oauth/revoke-handler.js.map +1 -0
package/dist/oauth/router.d.ts +8 -0
package/dist/oauth/router.d.ts.map +1 -0
package/dist/oauth/router.js +30 -0
package/dist/oauth/router.js.map +1 -0
package/dist/oauth/session-resolver.d.ts +9 -0
package/dist/oauth/session-resolver.d.ts.map +1 -0
package/dist/oauth/session-resolver.js +28 -0
package/dist/oauth/session-resolver.js.map +1 -0
package/dist/oauth/state-codec.d.ts +25 -0
package/dist/oauth/state-codec.d.ts.map +1 -0
package/dist/oauth/state-codec.js +60 -0
package/dist/oauth/state-codec.js.map +1 -0
package/dist/oauth/state-store-types.d.ts +86 -0
package/dist/oauth/state-store-types.d.ts.map +1 -0
package/dist/oauth/state-store-types.js +2 -0
package/dist/oauth/state-store-types.js.map +1 -0
package/dist/oauth/token-handler.d.ts +11 -0
package/dist/oauth/token-handler.d.ts.map +1 -0
package/dist/oauth/token-handler.js +176 -0
package/dist/oauth/token-handler.js.map +1 -0
package/dist/oauth/userinfo-handler.d.ts +9 -0
package/dist/oauth/userinfo-handler.d.ts.map +1 -0
package/dist/oauth/userinfo-handler.js +93 -0
package/dist/oauth/userinfo-handler.js.map +1 -0
package/dist/oauth/wellknown-handler.d.ts +9 -0
package/dist/oauth/wellknown-handler.d.ts.map +1 -0
package/dist/oauth/wellknown-handler.js +37 -0
package/dist/oauth/wellknown-handler.js.map +1 -0
package/dist/ports.d.ts +4 -0
package/dist/ports.d.ts.map +1 -1
package/package.json +1 -1
package/src/contracts.ts +2 -0
package/src/index.ts +15 -0
package/src/oauth/authorize-handler.ts +201 -0
package/src/oauth/consent-decision-handler.ts +93 -0
package/src/oauth/crypto-utils.ts +14 -0
package/src/oauth/dpop.ts +93 -0
package/src/oauth/http-utils.ts +58 -0
package/src/oauth/introspect-handler.ts +88 -0
package/src/oauth/jwks-service.ts +103 -0
package/src/oauth/revoke-handler.ts +70 -0
package/src/oauth/router.ts +42 -0
package/src/oauth/session-resolver.ts +48 -0
package/src/oauth/state-codec.ts +98 -0
package/src/oauth/state-store-types.ts +94 -0
package/src/oauth/token-handler.ts +252 -0
package/src/oauth/userinfo-handler.ts +129 -0
package/src/oauth/wellknown-handler.ts +52 -0
package/src/ports.ts +16 -0

package/dist/oauth/http-utils.js ADDED Viewed

@@ -0,0 +1,27 @@
+export const appendParams = (target, params, baseUrl) => {
+    const url = new URL(target, baseUrl);
+    for (const [key, value] of Object.entries(params)) {
+        if (value !== null && value !== undefined) {
+            url.searchParams.set(key, value);
+        }
+    }
+    return url.toString();
+};
+export const oauthJsonError = (c, status, code, message) => c.json({
+    error: {
+        code,
+        message,
+    },
+}, status);
+export const redirectWithOAuthError = (redirectUri, code, state, baseUrl) => Response.redirect(appendParams(redirectUri, {
+    error: code,
+    state,
+}, baseUrl), 302);
+export const redirectOrJson = (c, redirectTo) => {
+    const accept = c.req.header('accept') ?? '';
+    if (accept.includes('application/json')) {
+        return c.json({ redirectTo });
+    }
+    return c.redirect(redirectTo, 302);
+};
+//# sourceMappingURL=http-utils.js.map

package/dist/oauth/http-utils.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"http-utils.js","sourceRoot":"","sources":["../../src/oauth/http-utils.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAAG,CAC1B,MAAc,EACd,MAAiD,EACjD,OAAe,EACP,EAAE;IACV,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC1C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,cAAc,GAAG,CAC5B,CAAU,EACV,MAAiB,EACjB,IAAY,EACZ,OAAe,EACL,EAAE,CACZ,CAAC,CAAC,IAAI,CACJ;IACE,KAAK,EAAE;QACL,IAAI;QACJ,OAAO;KACR;CACF,EACD,MAAM,CACP,CAAC;AAEJ,MAAM,CAAC,MAAM,sBAAsB,GAAG,CACpC,WAAmB,EACnB,IAAY,EACZ,KAAoB,EACpB,OAAe,EACL,EAAE,CACZ,QAAQ,CAAC,QAAQ,CACf,YAAY,CACV,WAAW,EACX;IACE,KAAK,EAAE,IAAI;IACX,KAAK;CACN,EACD,OAAO,CACR,EACD,GAAG,CACJ,CAAC;AAEJ,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAU,EAAE,UAAkB,EAAY,EAAE;IACzE,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC5C,IAAI,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACxC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,CAAC,CAAC,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;AACrC,CAAC,CAAC"}

package/dist/oauth/introspect-handler.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import type { Context } from 'hono';
+import type { AuthHonoPorts } from '../ports.js';
+export interface OAuthIntrospectHandlerOptions {
+    issuer: string;
+    ports: AuthHonoPorts;
+}
+export declare const createOAuthIntrospectHandler: (options: OAuthIntrospectHandlerOptions) => (c: Context) => Promise<Response>;
+//# sourceMappingURL=introspect-handler.d.ts.map

package/dist/oauth/introspect-handler.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"introspect-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/introspect-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAIjD,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,aAAa,CAAC;CACtB;AAED,eAAO,MAAM,4BAA4B,YAC7B,6BAA6B,SAC7B,OAAO,KAAG,QAAQ,QAAQ,CAgCnC,CAAC"}

package/dist/oauth/introspect-handler.js ADDED Viewed

@@ -0,0 +1,63 @@
+import { oauthJsonError } from './http-utils.js';
+import { createJwksService } from './jwks-service.js';
+export const createOAuthIntrospectHandler = (options) => async (c) => {
+    const authenticated = await authenticateIntrospectionClient(c, options.ports);
+    if (authenticated instanceof Response)
+        return authenticated;
+    const form = new URLSearchParams(await c.req.text());
+    const token = form.get('token');
+    if (!token)
+        return c.json({ active: false });
+    const payload = await verifyToken(options, token);
+    if (!payload?.jti)
+        return c.json({ active: false });
+    const meta = await options.ports.oauthStateStore.findTokenMeta(payload.jti);
+    if (!meta ||
+        meta.expiresAt <= options.ports.clock.now() ||
+        (await options.ports.oauthStateStore.isTokenRevoked(payload.jti))) {
+        return c.json({ active: false });
+    }
+    return c.json({
+        active: true,
+        aud: meta.audience,
+        client_id: meta.clientId,
+        ...(meta.dpopJkt ? { cnf: { jkt: meta.dpopJkt } } : {}),
+        exp: toEpochSeconds(meta.expiresAt),
+        iat: typeof payload.iat === 'number' ? payload.iat : undefined,
+        jti: meta.jti,
+        scope: meta.scope,
+        sub: meta.userId,
+        token_type: meta.tokenType,
+    });
+};
+const authenticateIntrospectionClient = async (c, ports) => {
+    const authorization = c.req.header('authorization');
+    if (!authorization?.startsWith('Basic ')) {
+        return oauthJsonError(c, 401, 'invalid_client', 'Client authentication is required.');
+    }
+    const decoded = atob(authorization.slice('Basic '.length));
+    const separator = decoded.indexOf(':');
+    const clientId = separator >= 0 ? decoded.slice(0, separator) : decoded;
+    const secret = separator >= 0 ? decoded.slice(separator + 1) : '';
+    const client = await ports.oauthStateStore.findClient(clientId);
+    if (!client?.clientSecretHash || (await ports.tokens.hashSecret(secret)) !== client.clientSecretHash) {
+        return oauthJsonError(c, 401, 'invalid_client', 'Client authentication failed.');
+    }
+    return true;
+};
+const verifyToken = async (options, token) => {
+    try {
+        const jwks = createJwksService({ clock: options.ports.clock, jwksPort: options.ports.jwks });
+        const result = await jwks.verifyJwt(token, {
+            currentDate: options.ports.clock.now(),
+            issuer: trimTrailingSlash(options.issuer),
+        });
+        return result.payload;
+    }
+    catch {
+        return null;
+    }
+};
+const toEpochSeconds = (date) => Math.floor(date.getTime() / 1000);
+const trimTrailingSlash = (value) => value.replace(/\/+$/u, '');
+//# sourceMappingURL=introspect-handler.js.map

package/dist/oauth/introspect-handler.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"introspect-handler.js","sourceRoot":"","sources":["../../src/oauth/introspect-handler.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAOtD,MAAM,CAAC,MAAM,4BAA4B,GACvC,CAAC,OAAsC,EAAE,EAAE,CAC3C,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,aAAa,GAAG,MAAM,+BAA+B,CAAC,CAAC,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9E,IAAI,aAAa,YAAY,QAAQ;QAAE,OAAO,aAAa,CAAC;IAE5D,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAE7C,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAClD,IAAI,CAAC,OAAO,EAAE,GAAG;QAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAEpD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC5E,IACE,CAAC,IAAI;QACL,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE;QAC3C,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,EACjE,CAAC;QACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,MAAM,EAAE,IAAI;QACZ,GAAG,EAAE,IAAI,CAAC,QAAQ;QAClB,SAAS,EAAE,IAAI,CAAC,QAAQ;QACxB,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvD,GAAG,EAAE,cAAc,CAAC,IAAI,CAAC,SAAS,CAAC;QACnC,GAAG,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;QAC9D,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,GAAG,EAAE,IAAI,CAAC,MAAM;QAChB,UAAU,EAAE,IAAI,CAAC,SAAS;KAC3B,CAAC,CAAC;AACL,CAAC,CAAC;AAEJ,MAAM,+BAA+B,GAAG,KAAK,EAC3C,CAAU,EACV,KAAoB,EACM,EAAE;IAC5B,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IACpD,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzC,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,oCAAoC,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAC3D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,QAAQ,GAAG,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IACxE,MAAM,MAAM,GAAG,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAClE,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC,MAAM,EAAE,gBAAgB,IAAI,CAAC,MAAM,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,KAAK,MAAM,CAAC,gBAAgB,EAAE,CAAC;QACrG,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,+BAA+B,CAAC,CAAC;IACnF,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC,CAAC;AAEF,MAAM,WAAW,GAAG,KAAK,EACvB,OAAsC,EACtC,KAAa,EACe,EAAE;IAC9B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,iBAAiB,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAC7F,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;YACzC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE;YACtC,MAAM,EAAE,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC;SAC1C,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,CAAC,IAAU,EAAU,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;AAEjF,MAAM,iBAAiB,GAAG,CAAC,KAAa,EAAU,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC"}

package/dist/oauth/jwks-service.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import { type JWTVerifyOptions, type JWTVerifyResult, type JWTPayload } from 'jose';
+import type { AuthHonoClockPort } from '../ports.js';
+import type { JwksPort } from './state-store-types.js';
+export interface CreateJwksServiceOptions {
+    clock: AuthHonoClockPort;
+    jwksPort: JwksPort;
+}
+export interface JwksSignOptions {
+    audience?: string | string[];
+    expiresAt?: Date;
+    issuer?: string;
+    jti?: string;
+    subject?: string;
+    type?: string;
+}
+export interface PublicJwks {
+    keys: Array<Record<string, unknown>>;
+}
+export interface JwksService {
+    getPublicJwks(): Promise<PublicJwks>;
+    signJwt(payload: JWTPayload, options?: JwksSignOptions): Promise<string>;
+    verifyJwt<T extends JWTPayload = JWTPayload>(jwt: string, options?: JWTVerifyOptions): Promise<JWTVerifyResult<T>>;
+}
+export declare const createJwksService: ({ clock, jwksPort }: CreateJwksServiceOptions) => JwksService;
+//# sourceMappingURL=jwks-service.d.ts.map

package/dist/oauth/jwks-service.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwks-service.d.ts","sourceRoot":"","sources":["../../src/oauth/jwks-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAKL,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,UAAU,EAChB,MAAM,MAAM,CAAC;AAEd,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAEvD,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,iBAAiB,CAAC;IACzB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,WAAW;IAC1B,aAAa,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IACrC,OAAO,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACzE,SAAS,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EACzC,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;CAChC;AAED,eAAO,MAAM,iBAAiB,wBAAyB,wBAAwB,KAAG,WA4DhF,CAAC"}

package/dist/oauth/jwks-service.js ADDED Viewed

@@ -0,0 +1,61 @@
+import { decodeProtectedHeader, importJWK, jwtVerify, SignJWT, } from 'jose';
+export const createJwksService = ({ clock, jwksPort }) => ({
+    async getPublicJwks() {
+        const keys = await jwksPort.listPublicKeys();
+        return {
+            keys: keys.map((key) => {
+                const { d: _privateExponent, ...publicJwk } = key.publicJwk;
+                return {
+                    ...publicJwk,
+                    alg: key.alg,
+                    crv: key.crv,
+                    kid: key.kid,
+                    kty: publicJwk.kty,
+                    status: key.active ? 'active' : 'rotated',
+                    use: 'sig',
+                };
+            }),
+        };
+    },
+    async signJwt(payload, options = {}) {
+        const activeKey = await jwksPort.getActiveKey();
+        if (!activeKey) {
+            throw new Error('No active JWKS signing key is configured.');
+        }
+        if (!activeKey.privateKey) {
+            throw new Error(`Active JWKS signing key ${activeKey.kid} has no private key material.`);
+        }
+        let jwt = new SignJWT(payload).setProtectedHeader({
+            alg: activeKey.alg,
+            kid: activeKey.kid,
+            ...(options.type ? { typ: options.type } : {}),
+        });
+        jwt = jwt.setIssuedAt(toEpochSeconds(clock.now()));
+        if (options.audience)
+            jwt = jwt.setAudience(options.audience);
+        if (options.expiresAt)
+            jwt = jwt.setExpirationTime(toEpochSeconds(options.expiresAt));
+        if (options.issuer)
+            jwt = jwt.setIssuer(options.issuer);
+        if (options.jti)
+            jwt = jwt.setJti(options.jti);
+        if (options.subject)
+            jwt = jwt.setSubject(options.subject);
+        return jwt.sign(activeKey.privateKey);
+    },
+    async verifyJwt(jwt, options = {}) {
+        const protectedHeader = decodeProtectedHeader(jwt);
+        const kid = protectedHeader.kid;
+        if (!kid) {
+            throw new Error('JWT protected header is missing kid.');
+        }
+        const key = await jwksPort.findKeyByKid(kid);
+        if (!key) {
+            throw new Error(`Unknown JWKS kid: ${kid}`);
+        }
+        const publicKey = await importJWK(key.publicJwk, key.alg);
+        return jwtVerify(jwt, publicKey, options);
+    },
+});
+const toEpochSeconds = (date) => Math.floor(date.getTime() / 1000);
+//# sourceMappingURL=jwks-service.js.map

package/dist/oauth/jwks-service.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwks-service.js","sourceRoot":"","sources":["../../src/oauth/jwks-service.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,EACrB,SAAS,EACT,SAAS,EACT,OAAO,GAIR,MAAM,MAAM,CAAC;AAgCd,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,EAAE,KAAK,EAAE,QAAQ,EAA4B,EAAe,EAAE,CAAC,CAAC;IAChG,KAAK,CAAC,aAAa;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,cAAc,EAAE,CAAC;QAE7C,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;gBACrB,MAAM,EAAE,CAAC,EAAE,gBAAgB,EAAE,GAAG,SAAS,EAAE,GAAG,GAAG,CAAC,SAAS,CAAC;gBAC5D,OAAO;oBACL,GAAG,SAAS;oBACZ,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,EAAE,SAAS,CAAC,GAAG;oBAClB,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;oBACzC,GAAG,EAAE,KAAK;iBACX,CAAC;YACJ,CAAC,CAAC;SACH,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,GAAG,EAAE;QACjC,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,CAAC;QAChD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,2BAA2B,SAAS,CAAC,GAAG,+BAA+B,CAAC,CAAC;QAC3F,CAAC;QAED,IAAI,GAAG,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC,kBAAkB,CAAC;YAChD,GAAG,EAAE,SAAS,CAAC,GAAG;YAClB,GAAG,EAAE,SAAS,CAAC,GAAG;YAClB,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/C,CAAC,CAAC;QAEH,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,cAAc,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACnD,IAAI,OAAO,CAAC,QAAQ;YAAE,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9D,IAAI,OAAO,CAAC,SAAS;YAAE,GAAG,GAAG,GAAG,CAAC,iBAAiB,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;QACtF,IAAI,OAAO,CAAC,MAAM;YAAE,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACxD,IAAI,OAAO,CAAC,GAAG;YAAE,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC/C,IAAI,OAAO,CAAC,OAAO;YAAE,GAAG,GAAG,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAE3D,OAAO,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG,EAAE;QAC/B,MAAM,eAAe,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;QACnD,MAAM,GAAG,GAAG,eAAe,CAAC,GAAG,CAAC;QAChC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,qBAAqB,GAAG,EAAE,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1D,OAAO,SAAS,CAAC,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,CAAC,IAAU,EAAU,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC"}

package/dist/oauth/revoke-handler.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import type { Context } from 'hono';
+import type { AuthHonoPorts } from '../ports.js';
+export interface OAuthRevokeHandlerOptions {
+    dpopIatSkewSeconds?: number;
+    ports: AuthHonoPorts;
+}
+export declare const createOAuthRevokeHandler: (options: OAuthRevokeHandlerOptions) => (c: Context) => Promise<Response>;
+//# sourceMappingURL=revoke-handler.d.ts.map

package/dist/oauth/revoke-handler.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"revoke-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/revoke-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAIjD,MAAM,WAAW,yBAAyB;IACxC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,KAAK,EAAE,aAAa,CAAC;CACtB;AAED,eAAO,MAAM,wBAAwB,YACzB,yBAAyB,SACzB,OAAO,KAAG,QAAQ,QAAQ,CAgBnC,CAAC"}

package/dist/oauth/revoke-handler.js ADDED Viewed

@@ -0,0 +1,55 @@
+import { decodeJwt } from 'jose';
+import { OAuthDpopProofError, verifyOAuthDpopProof } from './dpop.js';
+import { oauthJsonError } from './http-utils.js';
+export const createOAuthRevokeHandler = (options) => async (c) => {
+    const form = new URLSearchParams(await c.req.text());
+    const token = form.get('token');
+    if (!token)
+        return oauthJsonError(c, 400, 'invalid_request', 'token is required.');
+    const jti = decodeTokenJti(token);
+    if (!jti)
+        return c.json({ success: true });
+    const meta = await options.ports.oauthStateStore.findTokenMeta(jti);
+    if (meta?.dpopJkt) {
+        const dpop = await validateRevokeDpop(c, options, token, meta.dpopJkt);
+        if (dpop instanceof Response)
+            return dpop;
+    }
+    await options.ports.oauthStateStore.revokeToken(jti);
+    return c.json({ success: true });
+};
+const validateRevokeDpop = async (c, options, accessToken, expectedJkt) => {
+    const proof = c.req.header('dpop');
+    if (!proof)
+        return oauthJsonError(c, 400, 'invalid_dpop_proof', 'DPoP proof is required.');
+    try {
+        const verified = await verifyOAuthDpopProof({
+            accessToken,
+            htm: 'POST',
+            htu: c.req.url,
+            iatSkewSeconds: options.dpopIatSkewSeconds,
+            ports: options.ports,
+            proof,
+        });
+        if (verified.jkt !== expectedJkt) {
+            return oauthJsonError(c, 400, 'invalid_dpop_proof', 'DPoP proof key does not match the token.');
+        }
+        return null;
+    }
+    catch (error) {
+        if (error instanceof OAuthDpopProofError) {
+            return oauthJsonError(c, 400, 'invalid_dpop_proof', error.message);
+        }
+        throw error;
+    }
+};
+const decodeTokenJti = (token) => {
+    try {
+        const payload = decodeJwt(token);
+        return typeof payload.jti === 'string' ? payload.jti : null;
+    }
+    catch {
+        return null;
+    }
+};
+//# sourceMappingURL=revoke-handler.js.map

package/dist/oauth/revoke-handler.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"revoke-handler.js","sourceRoot":"","sources":["../../src/oauth/revoke-handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAGjC,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAOjD,MAAM,CAAC,MAAM,wBAAwB,GACnC,CAAC,OAAkC,EAAE,EAAE,CACvC,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,oBAAoB,CAAC,CAAC;IAEnF,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;IAE3C,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;IACpE,IAAI,IAAI,EAAE,OAAO,EAAE,CAAC;QAClB,MAAM,IAAI,GAAG,MAAM,kBAAkB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACvE,IAAI,IAAI,YAAY,QAAQ;YAAE,OAAO,IAAI,CAAC;IAC5C,CAAC;IAED,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACrD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;AACnC,CAAC,CAAC;AAEJ,MAAM,kBAAkB,GAAG,KAAK,EAC9B,CAAU,EACV,OAAkC,EAClC,WAAmB,EACnB,WAAmB,EACO,EAAE;IAC5B,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,KAAK;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,oBAAoB,EAAE,yBAAyB,CAAC,CAAC;IAE3F,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC;YAC1C,WAAW;YACX,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG;YACd,cAAc,EAAE,OAAO,CAAC,kBAAkB;YAC1C,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,KAAK;SACN,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;YACjC,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,oBAAoB,EAAE,0CAA0C,CAAC,CAAC;QAClG,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YACzC,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,oBAAoB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,CAAC,KAAa,EAAiB,EAAE;IACtD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QACjC,OAAO,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,CAAC"}

package/dist/oauth/router.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import { Hono } from 'hono';
+import { type OAuthAuthorizeHandlerOptions } from './authorize-handler.js';
+export interface CreateOAuthRouterOptions extends OAuthAuthorizeHandlerOptions {
+    authorizationCodeTtlSeconds?: number;
+    routePrefix?: string;
+}
+export declare const createOAuthRouter: (options: CreateOAuthRouterOptions) => Hono;
+//# sourceMappingURL=router.d.ts.map

package/dist/oauth/router.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/oauth/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,EAA+B,KAAK,4BAA4B,EAAE,MAAM,wBAAwB,CAAC;AAUxG,MAAM,WAAW,wBAAyB,SAAQ,4BAA4B;IAC5E,2BAA2B,CAAC,EAAE,MAAM,CAAC;IACrC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,eAAO,MAAM,iBAAiB,YAAa,wBAAwB,KAAG,IAcrE,CAAC"}

package/dist/oauth/router.js ADDED Viewed

@@ -0,0 +1,30 @@
+import { Hono } from 'hono';
+import { createOAuthAuthorizeHandler } from './authorize-handler.js';
+import { createOAuthConsentDecisionHandler, createOAuthConsentDetailsHandler, } from './consent-decision-handler.js';
+import { createOAuthIntrospectHandler } from './introspect-handler.js';
+import { createOAuthRevokeHandler } from './revoke-handler.js';
+import { createOAuthTokenHandler } from './token-handler.js';
+import { createOAuthUserInfoHandler } from './userinfo-handler.js';
+export const createOAuthRouter = (options) => {
+    const router = new Hono();
+    const prefix = normalizeRoutePrefix(options.routePrefix ?? '/oauth');
+    router.get(joinRoutePath(prefix, '/authorize'), createOAuthAuthorizeHandler(options));
+    router.get(joinRoutePath(prefix, '/consent'), createOAuthConsentDetailsHandler(options));
+    router.post(joinRoutePath(prefix, '/consent/decision'), createOAuthConsentDecisionHandler(options));
+    router.post(joinRoutePath(prefix, '/token'), createOAuthTokenHandler(options));
+    router.get(joinRoutePath(prefix, '/userinfo'), createOAuthUserInfoHandler(options));
+    router.post(joinRoutePath(prefix, '/userinfo'), createOAuthUserInfoHandler(options));
+    router.post(joinRoutePath(prefix, '/revoke'), createOAuthRevokeHandler(options));
+    router.post(joinRoutePath(prefix, '/introspect'), createOAuthIntrospectHandler(options));
+    return router;
+};
+const normalizeRoutePrefix = (prefix) => {
+    if (!prefix || prefix === '/')
+        return '';
+    return `/${prefix.replace(/^\/+|\/+$/g, '')}`;
+};
+const joinRoutePath = (prefix, path) => {
+    const normalizedPath = path.startsWith('/') ? path : `/${path}`;
+    return `${prefix}${normalizedPath}`;
+};
+//# sourceMappingURL=router.js.map

package/dist/oauth/router.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/oauth/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,EAAE,2BAA2B,EAAqC,MAAM,wBAAwB,CAAC;AACxG,OAAO,EACL,iCAAiC,EACjC,gCAAgC,GACjC,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,yBAAyB,CAAC;AACvE,OAAO,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AAC/D,OAAO,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,0BAA0B,EAAE,MAAM,uBAAuB,CAAC;AAOnE,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,OAAiC,EAAQ,EAAE;IAC3E,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IAC1B,MAAM,MAAM,GAAG,oBAAoB,CAAC,OAAO,CAAC,WAAW,IAAI,QAAQ,CAAC,CAAC;IAErE,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,2BAA2B,CAAC,OAAO,CAAC,CAAC,CAAC;IACtF,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,gCAAgC,CAAC,OAAO,CAAC,CAAC,CAAC;IACzF,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,mBAAmB,CAAC,EAAE,iCAAiC,CAAC,OAAO,CAAC,CAAC,CAAC;IACpG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,uBAAuB,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/E,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,0BAA0B,CAAC,OAAO,CAAC,CAAC,CAAC;IACpF,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,0BAA0B,CAAC,OAAO,CAAC,CAAC,CAAC;IACrF,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,wBAAwB,CAAC,OAAO,CAAC,CAAC,CAAC;IACjF,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE,4BAA4B,CAAC,OAAO,CAAC,CAAC,CAAC;IAEzF,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,oBAAoB,GAAG,CAAC,MAAc,EAAU,EAAE;IACtD,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IACzC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,EAAE,CAAC;AAChD,CAAC,CAAC;AAEF,MAAM,aAAa,GAAG,CAAC,MAAc,EAAE,IAAY,EAAU,EAAE;IAC7D,MAAM,cAAc,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAChE,OAAO,GAAG,MAAM,GAAG,cAAc,EAAE,CAAC;AACtC,CAAC,CAAC"}

package/dist/oauth/session-resolver.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { AuthHonoPorts, AuthHonoSessionClaims, AuthHonoSessionRecord, AuthHonoUserRecord } from '../ports.js';
+export interface OAuthResolvedSession {
+    claims: AuthHonoSessionClaims;
+    sessionRecord: AuthHonoSessionRecord;
+    user: AuthHonoUserRecord;
+}
+export declare const resolveOAuthSession: (request: Request, ports: AuthHonoPorts) => Promise<OAuthResolvedSession | null>;
+export declare const resolveOAuthAcr: (session: AuthHonoSessionRecord) => string;
+//# sourceMappingURL=session-resolver.d.ts.map

package/dist/oauth/session-resolver.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session-resolver.d.ts","sourceRoot":"","sources":["../../src/oauth/session-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,aAAa,EACb,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EACnB,MAAM,aAAa,CAAC;AAErB,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,qBAAqB,CAAC;IAC9B,aAAa,EAAE,qBAAqB,CAAC;IACrC,IAAI,EAAE,kBAAkB,CAAC;CAC1B;AAED,eAAO,MAAM,mBAAmB,YACrB,OAAO,SACT,aAAa,KACnB,QAAQ,oBAAoB,GAAG,IAAI,CA4BrC,CAAC;AAEF,eAAO,MAAM,eAAe,YAAa,qBAAqB,KAAG,MACqB,CAAC"}

package/dist/oauth/session-resolver.js ADDED Viewed

@@ -0,0 +1,28 @@
+export const resolveOAuthSession = async (request, ports) => {
+    const token = ports.cookies.readSessionToken(request);
+    if (!token)
+        return null;
+    const claims = await ports.tokens.verifySessionToken(token);
+    if (!claims)
+        return null;
+    const tokenHash = await ports.tokens.hashSecret(token);
+    const sessionRecord = await ports.sessions.findByTokenHash(tokenHash);
+    const now = ports.clock.now();
+    if (!sessionRecord ||
+        sessionRecord.id !== claims.sessionId ||
+        sessionRecord.userId !== claims.userId ||
+        sessionRecord.revokedAt ||
+        sessionRecord.expiresAt <= now) {
+        return null;
+    }
+    const user = await ports.users.findById(claims.userId);
+    if (!user)
+        return null;
+    const decision = await ports.accountPolicy.canAuthenticate(user, now);
+    if (!decision.allowed)
+        return null;
+    await ports.sessions.touch(sessionRecord.id, now);
+    return { claims, sessionRecord, user };
+};
+export const resolveOAuthAcr = (session) => session.mfaVerified ? 'urn:sentropic:loa:passkey-fresh' : 'urn:sentropic:loa:bearer';
+//# sourceMappingURL=session-resolver.js.map

package/dist/oauth/session-resolver.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session-resolver.js","sourceRoot":"","sources":["../../src/oauth/session-resolver.ts"],"names":[],"mappings":"AAaA,MAAM,CAAC,MAAM,mBAAmB,GAAG,KAAK,EACtC,OAAgB,EAChB,KAAoB,EACkB,EAAE;IACxC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACtD,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC5D,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACvD,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;IACtE,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IAC9B,IACE,CAAC,aAAa;QACd,aAAa,CAAC,EAAE,KAAK,MAAM,CAAC,SAAS;QACrC,aAAa,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;QACtC,aAAa,CAAC,SAAS;QACvB,aAAa,CAAC,SAAS,IAAI,GAAG,EAC9B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACvD,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,CAAC,eAAe,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACtE,IAAI,CAAC,QAAQ,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAEnC,MAAM,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IAClD,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;AACzC,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,OAA8B,EAAU,EAAE,CACxE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,iCAAiC,CAAC,CAAC,CAAC,0BAA0B,CAAC"}

package/dist/oauth/state-codec.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+export interface OAuthContinuationState {
+    acr?: string;
+    authTime?: string;
+    clientId: string;
+    codeChallenge: string;
+    codeChallengeMethod: 'S256';
+    createdAt: string;
+    dpopJkt: string | null;
+    expiresAt: string;
+    nonce: string | null;
+    redirectUri: string;
+    scope: string;
+    state: string | null;
+    tenantId: string | null;
+    userId?: string;
+}
+export interface OAuthContinuationCodec {
+    seal(payload: OAuthContinuationState): Promise<string> | string;
+    unseal(token: string): Promise<OAuthContinuationState | null> | OAuthContinuationState | null;
+}
+export interface CreateOAuthHmacStateCodecOptions {
+    secret: string;
+}
+export declare const createOAuthHmacStateCodec: ({ secret, }: CreateOAuthHmacStateCodecOptions) => OAuthContinuationCodec;
+//# sourceMappingURL=state-codec.d.ts.map

package/dist/oauth/state-codec.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"state-codec.d.ts","sourceRoot":"","sources":["../../src/oauth/state-codec.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,sBAAsB;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IAChE,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC,GAAG,sBAAsB,GAAG,IAAI,CAAC;CAC/F;AAED,MAAM,WAAW,gCAAgC;IAC/C,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,eAAO,MAAM,yBAAyB,gBAEnC,gCAAgC,KAAG,sBA2BrC,CAAC"}

package/dist/oauth/state-codec.js ADDED Viewed

@@ -0,0 +1,60 @@
+export const createOAuthHmacStateCodec = ({ secret, }) => {
+    if (!secret) {
+        throw new Error('OAuth state codec secret is required.');
+    }
+    return {
+        async seal(payload) {
+            const body = base64urlEncode(textEncoder.encode(JSON.stringify(payload)));
+            return `${body}.${await sign(body, secret)}`;
+        },
+        async unseal(token) {
+            const [body, signature, extra] = token.split('.');
+            if (!body || !signature || extra !== undefined)
+                return null;
+            const expected = await sign(body, secret);
+            const actualBytes = base64urlDecode(signature);
+            const expectedBytes = base64urlDecode(expected);
+            if (!timingSafeEqual(actualBytes, expectedBytes))
+                return null;
+            try {
+                return JSON.parse(textDecoder.decode(base64urlDecode(body)));
+            }
+            catch {
+                return null;
+            }
+        },
+    };
+};
+const textEncoder = new TextEncoder();
+const textDecoder = new TextDecoder();
+const sign = async (body, secret) => {
+    const key = await crypto.subtle.importKey('raw', textEncoder.encode(secret), { hash: 'SHA-256', name: 'HMAC' }, false, ['sign']);
+    const signature = await crypto.subtle.sign('HMAC', key, textEncoder.encode(body));
+    return base64urlEncode(new Uint8Array(signature));
+};
+const timingSafeEqual = (actual, expected) => {
+    if (actual.byteLength !== expected.byteLength)
+        return false;
+    let diff = 0;
+    for (let index = 0; index < actual.byteLength; index += 1) {
+        diff |= actual[index] ^ expected[index];
+    }
+    return diff === 0;
+};
+const base64urlEncode = (bytes) => {
+    let binary = '';
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/u, '');
+};
+const base64urlDecode = (value) => {
+    const base64 = value.replaceAll('-', '+').replaceAll('_', '/').padEnd(Math.ceil(value.length / 4) * 4, '=');
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let index = 0; index < binary.length; index += 1) {
+        bytes[index] = binary.charCodeAt(index);
+    }
+    return bytes;
+};
+//# sourceMappingURL=state-codec.js.map

package/dist/oauth/state-codec.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"state-codec.js","sourceRoot":"","sources":["../../src/oauth/state-codec.ts"],"names":[],"mappings":"AA0BA,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,EACxC,MAAM,GAC2B,EAA0B,EAAE;IAC7D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO;QACL,KAAK,CAAC,IAAI,CAAC,OAAO;YAChB,MAAM,IAAI,GAAG,eAAe,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAC1E,OAAO,GAAG,IAAI,IAAI,MAAM,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,CAAC;QAC/C,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,KAAK;YAChB,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAClD,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,IAAI,KAAK,KAAK,SAAS;gBAAE,OAAO,IAAI,CAAC;YAE5D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC1C,MAAM,WAAW,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;YAC/C,MAAM,aAAa,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;YAChD,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,aAAa,CAAC;gBAAE,OAAO,IAAI,CAAC;YAE9D,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAA2B,CAAC;YACzF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;AACtC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;AAEtC,MAAM,IAAI,GAAG,KAAK,EAAE,IAAY,EAAE,MAAc,EAAmB,EAAE;IACnE,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,EAC1B,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IACF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAClF,OAAO,eAAe,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;AACpD,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,CAAC,MAAkB,EAAE,QAAoB,EAAW,EAAE;IAC5E,IAAI,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC5D,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QAC1D,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,CAAC,KAAiB,EAAU,EAAE;IACpD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACpF,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,CAAC,KAAa,EAAc,EAAE;IACpD,MAAM,MAAM,GAAG,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;IAC5G,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACtD,KAAK,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC"}

package/dist/oauth/state-store-types.d.ts ADDED Viewed

@@ -0,0 +1,86 @@
+import type { JWK, KeyLike } from 'jose';
+export type OauthTokenType = 'access_token' | 'id_token';
+export interface OauthClientRecord {
+    id: string;
+    clientId: string;
+    clientSecretHash: string | null;
+    name: string;
+    redirectUris: string[];
+    allowedScopes: string[];
+    grantTypes: string[];
+    responseTypes: string[];
+    tokenEndpointAuthMethod: 'client_secret_basic' | 'none' | (string & {});
+    dpopBoundAccessTokens: boolean;
+    requirePkce: boolean;
+    tenantId: string | null;
+    ownerUserId: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+export interface AuthCodePayload {
+    clientId: string;
+    userId: string;
+    tenantId: string | null;
+    redirectUri: string;
+    scope: string;
+    codeChallenge: string;
+    codeChallengeMethod: 'S256';
+    dpopJkt: string | null;
+    nonce: string | null;
+    acr: string;
+    authTime: Date;
+    expiresAt: Date;
+    createdAt: Date;
+}
+export interface TokenMeta {
+    jti: string;
+    tokenType: OauthTokenType;
+    clientId: string;
+    userId: string;
+    tenantId: string | null;
+    scope: string;
+    audience: string;
+    dpopJkt: string | null;
+    expiresAt: Date;
+    createdAt: Date;
+}
+export interface DpopProofRecord {
+    jti: string;
+    expiresAt: Date;
+    createdAt: Date;
+}
+export interface OauthStateStorePort {
+    findClient(clientId: string): Promise<OauthClientRecord | null>;
+    saveAuthCode(code: string, payload: AuthCodePayload, ttlSec: number): Promise<void>;
+    consumeAuthCode(code: string): Promise<AuthCodePayload | null>;
+    saveTokenMeta(jti: string, meta: TokenMeta, ttlSec: number): Promise<void>;
+    findTokenMeta(jti: string): Promise<TokenMeta | null>;
+    revokeToken(jti: string): Promise<boolean>;
+    isTokenRevoked(jti: string): Promise<boolean>;
+    recordDpopJti(jti: string, expiresAt: Date): Promise<boolean>;
+    purgeExpired(): Promise<number>;
+}
+export type JwksPublicJwk = JWK & {
+    alg?: 'EdDSA' | (string & {});
+    crv: 'Ed25519' | (string & {});
+    kid?: string;
+    kty: 'OKP' | (string & {});
+    use?: 'sig' | (string & {});
+    x: string;
+};
+export interface JwksKeyRecord {
+    kid: string;
+    alg: 'EdDSA' | (string & {});
+    crv: 'Ed25519' | (string & {});
+    publicJwk: JwksPublicJwk;
+    privateKey?: KeyLike | Uint8Array;
+    active: boolean;
+    createdAt: Date;
+    rotatedAt: Date | null;
+}
+export interface JwksPort {
+    getActiveKey(): Promise<JwksKeyRecord | null>;
+    findKeyByKid(kid: string): Promise<JwksKeyRecord | null>;
+    listPublicKeys(): Promise<JwksKeyRecord[]>;
+}
+//# sourceMappingURL=state-store-types.d.ts.map

package/dist/oauth/state-store-types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"state-store-types.d.ts","sourceRoot":"","sources":["../../src/oauth/state-store-types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEzC,MAAM,MAAM,cAAc,GAAG,cAAc,GAAG,UAAU,CAAC;AAEzD,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,uBAAuB,EAAE,qBAAqB,GAAG,MAAM,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IACxE,qBAAqB,EAAE,OAAO,CAAC;IAC/B,WAAW,EAAE,OAAO,CAAC;IACrB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,IAAI,CAAC;IACf,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,cAAc,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAAC;IAChE,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpF,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;IAC/D,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IACtD,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC3C,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9C,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9D,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,MAAM,aAAa,GAAG,GAAG,GAAG;IAChC,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC9B,GAAG,EAAE,SAAS,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC/B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,KAAK,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC3B,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC5B,CAAC,EAAE,MAAM,CAAC;CACX,CAAC;AAEF,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,OAAO,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC7B,GAAG,EAAE,SAAS,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC/B,SAAS,EAAE,aAAa,CAAC;IACzB,UAAU,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC;IAClC,MAAM,EAAE,OAAO,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,QAAQ;IACvB,YAAY,IAAI,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAC9C,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IACzD,cAAc,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;CAC5C"}

package/dist/oauth/state-store-types.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=state-store-types.js.map

package/dist/oauth/state-store-types.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"state-store-types.js","sourceRoot":"","sources":["../../src/oauth/state-store-types.ts"],"names":[],"mappings":""}

package/dist/oauth/token-handler.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import type { Context } from 'hono';
+import type { AuthHonoPorts } from '../ports.js';
+export interface OAuthTokenHandlerOptions {
+    accessTokenTtlSeconds?: number;
+    dpopIatSkewSeconds?: number;
+    idTokenTtlSeconds?: number;
+    issuer: string;
+    ports: AuthHonoPorts;
+}
+export declare const createOAuthTokenHandler: (options: OAuthTokenHandlerOptions) => (c: Context) => Promise<Response>;
+//# sourceMappingURL=token-handler.d.ts.map

package/dist/oauth/token-handler.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"token-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/token-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,KAAK,EAAE,aAAa,EAAsB,MAAM,aAAa,CAAC;AAOrE,MAAM,WAAW,wBAAwB;IACvC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,aAAa,CAAC;CACtB;AAOD,eAAO,MAAM,uBAAuB,YACxB,wBAAwB,SACxB,OAAO,KAAG,QAAQ,QAAQ,CA4BnC,CAAC"}