@sentropic/auth-hono 0.2.1 → 0.3.0

package/src/oauth/userinfo-handler.ts

@@ -0,0 +1,129 @@
+import type { Context } from 'hono';
+import type { JWTPayload } from 'jose';
+
+import type { AuthHonoPorts } from '../ports.js';
+import { OAuthDpopProofError, verifyOAuthDpopProof } from './dpop.js';
+import { oauthJsonError } from './http-utils.js';
+import { createJwksService } from './jwks-service.js';
+import type { TokenMeta } from './state-store-types.js';
+
+export interface OAuthUserInfoHandlerOptions {
+  dpopIatSkewSeconds?: number;
+  issuer: string;
+  ports: AuthHonoPorts;
+}
+
+export const createOAuthUserInfoHandler =
+  (options: OAuthUserInfoHandlerOptions) =>
+  async (c: Context): Promise<Response> => {
+    const authorization = parseAccessToken(c.req.header('authorization'));
+    if (!authorization) return unauthorized(c, 'Access token is required.');
+
+    const payload = await verifyAccessToken(c, options, authorization.token);
+    if (payload instanceof Response) return payload;
+
+    const meta = await resolveActiveTokenMeta(c, options.ports, payload);
+    if (meta instanceof Response) return meta;
+    if (meta.dpopJkt) {
+      const dpop = await verifyBoundDpop(c, options, authorization, meta);
+      if (dpop instanceof Response) return dpop;
+    }
+
+    const scopes = meta.scope.split(/\s+/).filter(Boolean);
+    if (scopes.some((scope) => !['openid', 'profile', 'email'].includes(scope))) {
+      return unauthorized(c, 'Access token contains unsupported scopes.');
+    }
+
+    const user = await options.ports.users.findById(meta.userId);
+    if (!user) return unauthorized(c, 'Access token user is invalid.');
+
+    return c.json({
+      sub: user.id,
+      ...(scopes.includes('profile') ? { name: user.displayName } : {}),
+      ...(scopes.includes('email') ? { email: user.email, email_verified: user.emailVerified } : {}),
+    });
+  };
+
+const verifyAccessToken = async (
+  c: Context,
+  options: OAuthUserInfoHandlerOptions,
+  token: string
+): Promise<JWTPayload | Response> => {
+  try {
+    const jwks = createJwksService({ clock: options.ports.clock, jwksPort: options.ports.jwks });
+    const result = await jwks.verifyJwt(token, {
+      audience: `${trimTrailingSlash(options.issuer)}/api/v1/auth/oauth/userinfo`,
+      currentDate: options.ports.clock.now(),
+      issuer: trimTrailingSlash(options.issuer),
+    });
+    return result.payload;
+  } catch {
+    return unauthorized(c, 'Access token is invalid.');
+  }
+};
+
+const resolveActiveTokenMeta = async (
+  c: Context,
+  ports: AuthHonoPorts,
+  payload: JWTPayload
+): Promise<TokenMeta | Response> => {
+  const jti = payload.jti;
+  if (!jti) return unauthorized(c, 'Access token jti is missing.');
+
+  const meta = await ports.oauthStateStore.findTokenMeta(jti);
+  if (
+    !meta ||
+    meta.tokenType !== 'access_token' ||
+    meta.expiresAt <= ports.clock.now() ||
+    (await ports.oauthStateStore.isTokenRevoked(jti))
+  ) {
+    return unauthorized(c, 'Access token is inactive.');
+  }
+
+  return meta;
+};
+
+const verifyBoundDpop = async (
+  c: Context,
+  options: OAuthUserInfoHandlerOptions,
+  authorization: { scheme: 'Bearer' | 'DPoP'; token: string },
+  meta: TokenMeta
+): Promise<null | Response> => {
+  const proof = c.req.header('dpop');
+  if (authorization.scheme !== 'DPoP' || !proof) {
+    return unauthorized(c, 'DPoP proof is required for this access token.');
+  }
+
+  try {
+    const verified = await verifyOAuthDpopProof({
+      accessToken: authorization.token,
+      htm: c.req.method,
+      htu: c.req.url,
+      iatSkewSeconds: options.dpopIatSkewSeconds,
+      ports: options.ports,
+      proof,
+    });
+    if (verified.jkt !== meta.dpopJkt) {
+      return unauthorized(c, 'DPoP proof key does not match the access token.');
+    }
+    return null;
+  } catch (error) {
+    if (error instanceof OAuthDpopProofError) {
+      return unauthorized(c, error.message);
+    }
+    throw error;
+  }
+};
+
+const parseAccessToken = (
+  authorization: string | undefined
+): { scheme: 'Bearer' | 'DPoP'; token: string } | null => {
+  const [scheme, token, extra] = authorization?.split(/\s+/) ?? [];
+  if (extra || !token || (scheme !== 'Bearer' && scheme !== 'DPoP')) return null;
+  return { scheme, token };
+};
+
+const unauthorized = (c: Context, message: string): Response =>
+  oauthJsonError(c, 401, 'invalid_token', message);
+
+const trimTrailingSlash = (value: string): string => value.replace(/\/+$/u, '');

package/src/oauth/wellknown-handler.ts

@@ -0,0 +1,52 @@
+import { Hono } from 'hono';
+
+import type { AuthHonoPorts } from '../ports.js';
+import { createJwksService } from './jwks-service.js';
+
+export interface CreateWellKnownRouterOptions {
+  issuer: string;
+  oauthPathPrefix?: string;
+  ports: AuthHonoPorts;
+}
+
+export const createWellKnownRouter = (options: CreateWellKnownRouterOptions): Hono => {
+  const router = new Hono();
+  const issuer = trimTrailingSlash(options.issuer);
+  const oauthPrefix = normalizePathPrefix(options.oauthPathPrefix ?? '/api/v1/auth/oauth');
+
+  router.get('/openid-configuration', (c) =>
+    c.json({
+      authorization_endpoint: `${issuer}${oauthPrefix}/authorize`,
+      claims_supported: ['sub', 'aud', 'iss', 'exp', 'iat', 'nonce', 'auth_time', 'acr', 'email', 'email_verified', 'name'],
+      code_challenge_methods_supported: ['S256'],
+      dpop_signing_alg_values_supported: ['EdDSA'],
+      grant_types_supported: ['authorization_code'],
+      id_token_signing_alg_values_supported: ['EdDSA'],
+      introspection_endpoint: `${issuer}${oauthPrefix}/introspect`,
+      issuer,
+      jwks_uri: `${issuer}/.well-known/jwks.json`,
+      response_types_supported: ['code'],
+      revocation_endpoint: `${issuer}${oauthPrefix}/revoke`,
+      scopes_supported: ['openid', 'profile', 'email'],
+      subject_types_supported: ['public'],
+      token_endpoint: `${issuer}${oauthPrefix}/token`,
+      token_endpoint_auth_methods_supported: ['client_secret_basic', 'none'],
+      userinfo_endpoint: `${issuer}${oauthPrefix}/userinfo`,
+    })
+  );
+
+  router.get('/jwks.json', async (c) => {
+    const jwks = createJwksService({ clock: options.ports.clock, jwksPort: options.ports.jwks });
+    c.header('Cache-Control', 'public, max-age=300');
+    return c.json(await jwks.getPublicJwks());
+  });
+
+  return router;
+};
+
+const trimTrailingSlash = (value: string): string => value.replace(/\/+$/u, '');
+
+const normalizePathPrefix = (value: string): string => {
+  const trimmed = value.replace(/^\/+|\/+$/gu, '');
+  return trimmed ? `/${trimmed}` : '';
+};

package/src/ports.ts

@@ -1,3 +1,17 @@
+import type { JwksPort, OauthStateStorePort } from './oauth/state-store-types.js';
+
+export type {
+  AuthCodePayload,
+  DpopProofRecord,
+  JwksKeyRecord,
+  JwksPort,
+  JwksPublicJwk,
+  OauthClientRecord,
+  OauthStateStorePort,
+  OauthTokenType,
+  TokenMeta,
+} from './oauth/state-store-types.js';
+
 export type AuthHonoAccountStatus =
   | 'active'
   | 'pending_admin_approval'
@@ -286,4 +300,6 @@ export interface AuthHonoPorts {
   clock: AuthHonoClockPort;
   random: AuthHonoRandomPort;
   accountPolicy: AuthHonoAccountPolicyPort;
+  oauthStateStore: OauthStateStorePort;
+  jwks: JwksPort;
 }