@sentropic/auth-hono 0.2.1 → 0.4.0

package/README.md

@@ -68,13 +68,180 @@ All package handlers emit structured responses to keep contracts predictable acr
 - **Sentropic-style app** with a Drizzle/Postgres backend, WebAuthn-only login, and workspace-scoped sessions: implement `AuthHonoCredentialPort`, an `AuthHonoSessionService` adapter (or the package's `createAuthSessionService` when the full `AuthHonoPorts` bundle is wired), an `AuthHonoWebAuthnRegistrationService`/`AuthHonoWebAuthnAuthenticationService` adapter, and provide `prepareRegistrationOptions`/`resolveRegistrationUser` for first-admin + account-status policy and `finalizeRegistration`/`finalizeAuthentication` for session creation and cookie issuance. Sentropic's `api/src/services/auth/*-adapter.ts` modules show this end-to-end.
 - **DB-less admin flow** (e.g. `spa-transpose-cv` mounting at `/admin/auth/*`): use a file- or memory-backed implementation of `AuthHonoCredentialPort` and the relevant ports, skip workspace bootstrap entirely, and either rely on the default verify response or supply a minimal `finalizeAuthentication` that issues a host-managed session cookie. The package never touches workspace state, so no DB schema is required.
 
+## OAuth2 / OpenID Connect Identity Provider (since 0.3.0)
+
+`@sentropic/auth-hono` ships a complete OAuth2 Authorization Server + OIDC Identity Provider built on the same ports-and-adapters model as the existing WebAuthn routes.
+
+### Endpoints
+
+| Endpoint | Description |
+| --- | --- |
+| `GET /oauth/authorize` | Authorization Code + PKCE entry point (S256 required) |
+| `POST /oauth/token` | Token issuance (`grant_type=authorization_code` and `client_credentials` since 0.4.0) |
+| `GET\|POST /oauth/userinfo` | Returns claims for a valid access token |
+| `POST /oauth/revoke` | Revokes an access token (RFC 7009) |
+| `POST /oauth/introspect` | Token introspection (RFC 7662, client-auth required) |
+| `POST /oauth/consent/decision` | Host-private consent approval/denial — NOT in discovery doc |
+| `GET /.well-known/openid-configuration` | OIDC discovery document |
+| `GET /.well-known/jwks.json` | Public Ed25519 signing keys (RFC 7517) |
+
+### Wiring the OAuth router
+
+```ts
+import { createOAuthRouter, createWellKnownRouter } from '@sentropic/auth-hono';
+import { Hono } from 'hono';
+
+// Router mounted under /api/v1/auth
+const authRouter = new Hono();
+authRouter.route('/oauth', createOAuthRouter({
+  ports,           // AuthHonoPorts — includes oauthStateStore + jwks
+  issuer,          // e.g. 'https://api.example.com'
+  loginUrl,        // e.g. 'https://app.example.com/auth/login'
+  consentUrl,      // e.g. 'https://app.example.com/auth/oauth/consent'
+}));
+
+// Well-known router mounted at root level
+const app = new Hono();
+app.route('/.well-known', createWellKnownRouter({ ports, issuer }));
+app.route('/api/v1/auth', authRouter);
+```
+
+### JwksService and signing
+
+`createJwksService({ jwksPort, clock })` returns `{ signJwt, verifyJwt, getPublicJwks }`:
+
+```ts
+import { createJwksService } from '@sentropic/auth-hono';
+
+const jwksService = createJwksService({ jwksPort: hostJwksPort, clock: Date.now });
+
+// Sign an access token
+const accessToken = await jwksService.signJwt(
+  { sub: userId, scope: 'openid profile', iss: issuer, aud: `${issuer}/userinfo` },
+  { expiresIn: 3600 }
+);
+
+// Verify any token (looks up kid from JWKS, accepts active and rotated keys)
+const payload = await jwksService.verifyJwt(incomingJwt);
+```
+
+Signing algorithm: EdDSA (Ed25519) only. No RS256 fallback. JWKS response includes the active key and all rotated keys for at least `access_token TTL + JWKS cache TTL` (≥ 65 minutes). Discovery response sends `Cache-Control: public, max-age=300` on JWKS.
+
+### Key rotation policy
+
+1. The active signing key is created once via the host's `make exec-api CMD="npm run oauth:init-keys"` (or `make oauth-init-keys`).
+2. Rotate via `make oauth-rotate-keys` (calls `JwksService.rotateKey()` through `api/src/scripts/oauth-rotate-keys.ts`).
+3. Rotated keys remain in JWKS for ≥ 65 minutes so in-flight tokens stay verifiable.
+4. Rotate the KEK (`OAUTH_SIGNING_KEK`) separately, every 90 days; re-encrypt stored private keys.
+
+### OauthStateStorePort
+
+`AuthHonoPorts.oauthStateStore` must implement:
+
+```ts
+interface OauthStateStorePort {
+  findClient(clientId: string): Promise<OauthClientRecord | null>;
+  saveAuthCode(code: string, payload: AuthCodePayload, ttlSec: number): Promise<void>;
+  consumeAuthCode(code: string): Promise<AuthCodePayload | null>; // atomic single-use
+  saveTokenMeta(jti: string, meta: TokenMeta, ttlSec: number): Promise<void>;
+  findTokenMeta(jti: string): Promise<TokenMeta | null>;
+  revokeToken(jti: string): Promise<void>;
+  isTokenRevoked(jti: string): Promise<boolean>;
+  recordDpopJti(jti: string, expiresAt: Date): Promise<boolean>; // false = duplicate
+  purgeExpired(): Promise<number>;
+}
+```
+
+The package never imports Postgres or any persistence library. Sentropic supplies `api/src/services/auth/oauth-state-adapter.ts` (Drizzle/Postgres). Package tests use the in-memory fixture at `packages/auth-hono/tests/__fixtures__/memory-oauth-state-store.ts`.
+
+### DPoP opt-in (RFC 9449)
+
+Set `dpop_bound_access_tokens: true` on the OAuth client record. Bound clients must send a `DPoP: <proof-jwt>` header on `/token`, `/userinfo`, and `/revoke`. The IdP verifies `htm`, `htu`, `iat` skew, unique proof `jti`, and `ath` on resource calls. Access and ID tokens include `cnf.jkt`.
+
+### Service-to-service auth — `client_credentials` (since 0.4.0)
+
+Backend services mint scoped, audience-bound, **stateless** access tokens without
+a human via the `client_credentials` grant.
+
+- **Service clients** are a separate record type, `ServiceClientRecord`, looked up
+  through an **optional** `findServiceClient?(clientId)` method on
+  `OauthStateStorePort`. Existing implementors of the `0.3.0` contract keep
+  compiling; if the method is absent, `client_credentials` returns
+  `unsupported_grant_type`.
+- **Auth methods**: `client_secret_basic` and `client_secret_post`, verified via
+  `ports.tokens.hashSecret`.
+- **Scopes**: empty/absent `scope` grants the client's full `allowed_scopes`;
+  otherwise the request must be a subset (else `invalid_scope`).
+- **RFC 8707 resource indicators**: the issued token `aud` is the resolved
+  `resource`, which must be in the client's `resource_indicators`. Resolution: 1
+  indicator + no `resource` ⇒ use it; >1 + no `resource` ⇒ `invalid_target`; 0
+  indicators ⇒ `resource` required else `invalid_target`; unknown `resource` ⇒
+  `invalid_target`.
+- **Stateless** (no `saveTokenMeta`, no `oauth_tokens` row): security relies on a
+  short TTL (`serviceAccessTokenTtlSeconds`, default `900`) + secret rotation.
+  Service-token revocation/introspection are deferred to BR-39h.
+- **DPoP** is opt-in via `dpop_bound_access_tokens` and strongly recommended for
+  production S2S.
+
+Resource servers verify these tokens with `createRequireServiceAuth`:
+
+```ts
+import { createRequireServiceAuth, type ServiceAuthPorts } from '@sentropic/auth-hono';
+
+const ports: ServiceAuthPorts = {
+  clock,                                   // AuthHonoClockPort
+  jwks,                                    // JwksPort
+  dpopReplay: { recordDpopJti },           // optional, required to enforce DPoP replay
+};
+
+app.get(
+  '/internal/ping',
+  createRequireServiceAuth({ issuer, resource, requiredScopes: ['service:ping'], ports }),
+  (c) => c.json({ ok: true, client: c.get('serviceClient') }),
+);
+```
+
+`ServiceAuthPorts` is a **narrow** port (`Pick<AuthHonoPorts,'jwks'|'clock'> & { dpopReplay? }`):
+resource servers do not construct user/credential/session/email ports just to
+verify a token. The middleware validates `iss`, `aud === resource`, `exp`, and
+`scope ⊇ requiredScopes`; for `cnf.jkt`-bound tokens it requires a DPoP proof,
+enforces `ath` (RFC 9449 §4.3), and records the proof `jti` for replay defense.
+On failure it returns 401/403 with a `WWW-Authenticate` header.
+
+### Claims and ACR levels
+
+| Claim | Source | Notes |
+| --- | --- | --- |
+| `acr` | Session type | `urn:sentropic:loa:passkey-fresh` (passkey session), `urn:sentropic:loa:bearer` (magic-link session) |
+| `auth_time` | `session.createdAt` | Strong-auth timestamp tracking lands in BR-39j |
+| `tenant_id` | `oauth_clients.tenant_id` | Forward-compat column; real tenants in BR-39e |
+
+### Required environment variables
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `OAUTH_SIGNING_KEK` | Passphrase for Postgres `pgp_sym_encrypt` of private key | **Required in production** — see `docs/secrets.md` |
+| `OAUTH_ISSUER_URL` | Override issuer claim | Derived from `AUTH_CALLBACK_BASE_URL` |
+| `OAUTH_ACCESS_TOKEN_TTL_SEC` | Access token lifetime | `3600` |
+| `OAUTH_ID_TOKEN_TTL_SEC` | ID token lifetime | `3600` |
+| `OAUTH_AUTHORIZATION_CODE_TTL_SEC` | Authorization code TTL | `60` |
+| `OAUTH_DPOP_IAT_SKEW_SEC` | DPoP proof `iat` tolerance | `60` |
+| `OAUTH_SERVICE_ACCESS_TOKEN_TTL_SEC` | Stateless service token TTL (`client_credentials`) | `900` |
+| `OAUTH_SERVICE_RESOURCE_URI` | Service token `aud` this API accepts/advertises | Derived from issuer |
+
+### End-to-end example
+
+See `packages/auth-hono/tests/example-oauth-rp.test.ts` for a complete in-process test that walks the full flow: authorize → consent → callback → token → userinfo → revoke → userinfo 401.
+
 ## First Publish
 
 This is a brand-new public package. First publish requires the one-shot bootstrap flow from `rules/workflow.md`: trigger `ci.yml` with `bootstrap_publish_target=auth-hono`, handle any npm token or 2FA requirement with the npm owner, then attach the npm OIDC trusted publisher for `rhanka/sentropic` workflow `ci.yml`. Steady-state publishes should use trusted publishing and skip if the version already exists.
 
 ## Versioning
 
-This branch ships `0.2.1`:
+This branch ships `0.4.0`:
 
 - `0.2.0` adds `AuthHonoRouteHandlerError` short-circuit on WebAuthn prepare/resolve hooks and the `finalizeRegistration`/`finalizeAuthentication` post-verify hooks. Additive; existing handler signatures stay valid.
 - `0.2.1` patches `extractChallenge` (both WebAuthn handlers) to handle `credential.response === null` defensively (returns 400 `invalid_credential` instead of throwing 500).
+- `0.3.0` adds the OAuth2/OIDC IdP surface: `createOAuthRouter`, `createWellKnownRouter`, `createJwksService`, `OauthStateStorePort`, `JwksPort`, Ed25519 signing, DPoP opt-in, and all six OAuth endpoints. Additive; existing WebAuthn/session handler signatures unchanged.
+- `0.4.0` adds the S2S `client_credentials` grant (stateless service tokens), `createRequireServiceAuth` + `ServiceAuthPorts`, the optional `findServiceClient?` on `OauthStateStorePort`, `ServiceClientRecord`, and RFC 8707 resource indicators. Discovery now advertises `client_credentials` and `client_secret_post`. Additive and non-breaking — existing `0.3.0` implementors keep compiling.

package/dist/contracts.d.ts

@@ -59,6 +59,6 @@ export declare const AUTH_HONO_ROUTE_MAP: {
         readonly path: "/credentials/:id";
     };
 };
-export declare const AUTH_HONO_REQUIRED_PORTS: readonly ["users", "credentials", "challenges", "sessions", "emailVerification", "magicLinks", "emailDelivery", "cookies", "tokens", "auditLog", "clock", "random", "accountPolicy"];
+export declare const AUTH_HONO_REQUIRED_PORTS: readonly ["users", "credentials", "challenges", "sessions", "emailVerification", "magicLinks", "emailDelivery", "cookies", "tokens", "auditLog", "clock", "random", "accountPolicy", "oauthStateStore", "jwks"];
 export type AuthHonoRequiredPort = (typeof AUTH_HONO_REQUIRED_PORTS)[number];
 //# sourceMappingURL=contracts.d.ts.map

package/dist/contracts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"contracts.d.ts","sourceRoot":"","sources":["../src/contracts.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,yBAAyB,sTAc5B,CAAC;AAEX,MAAM,MAAM,oBAAoB,GAAG,CAAC,OAAO,yBAAyB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE9E,MAAM,MAAM,kBAAkB,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC;AAEnE,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,kBAAkB,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAqDwC,CAAC;AAEzE,eAAO,MAAM,wBAAwB,sLAcgB,CAAC;AAEtD,MAAM,MAAM,oBAAoB,GAAG,CAAC,OAAO,wBAAwB,CAAC,CAAC,MAAM,CAAC,CAAC"}
+{"version":3,"file":"contracts.d.ts","sourceRoot":"","sources":["../src/contracts.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,yBAAyB,sTAc5B,CAAC;AAEX,MAAM,MAAM,oBAAoB,GAAG,CAAC,OAAO,yBAAyB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE9E,MAAM,MAAM,kBAAkB,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC;AAEnE,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,kBAAkB,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAqDwC,CAAC;AAEzE,eAAO,MAAM,wBAAwB,iNAgBgB,CAAC;AAEtD,MAAM,MAAM,oBAAoB,GAAG,CAAC,OAAO,wBAAwB,CAAC,CAAC,MAAM,CAAC,CAAC"}

package/dist/contracts.js

@@ -81,5 +81,7 @@ export const AUTH_HONO_REQUIRED_PORTS = [
     'clock',
     'random',
     'accountPolicy',
+    'oauthStateStore',
+    'jwks',
 ];
 //# sourceMappingURL=contracts.js.map

package/dist/contracts.js.map

@@ -1 +1 @@
-{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../src/contracts.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,yBAAyB,GAAG;IACvC,kBAAkB;IAClB,iBAAiB;IACjB,kBAAkB;IAClB,iBAAiB;IACjB,kCAAkC;IAClC,2BAA2B;IAC3B,oCAAoC;IACpC,6BAA6B;IAC7B,gBAAgB;IAChB,QAAQ;IACR,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;CACV,CAAC;AAWX,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,gBAAgB,EAAE;QAChB,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,uBAAuB;KAC9B;IACD,eAAe,EAAE;QACf,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,oBAAoB;KAC3B;IACD,gBAAgB,EAAE;QAChB,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,qBAAqB;KAC5B;IACD,eAAe,EAAE;QACf,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,oBAAoB;KAC3B;IACD,gCAAgC,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,mBAAmB;KAC1B;IACD,yBAAyB,EAAE;QACzB,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,kBAAkB;KACzB;IACD,kCAAkC,EAAE;QAClC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,gBAAgB;KACvB;IACD,2BAA2B,EAAE;QAC3B,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,eAAe;KACtB;IACD,cAAc,EAAE;QACd,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,kBAAkB;KACzB;IACD,MAAM,EAAE;QACN,MAAM,EAAE,QAAQ;QAChB,IAAI,EAAE,UAAU;KACjB;IACD,eAAe,EAAE;QACf,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,cAAc;KACrB;IACD,gBAAgB,EAAE;QAChB,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,kBAAkB;KACzB;IACD,gBAAgB,EAAE;QAChB,MAAM,EAAE,QAAQ;QAChB,IAAI,EAAE,kBAAkB;KACzB;CACqE,CAAC;AAEzE,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,OAAO;IACP,aAAa;IACb,YAAY;IACZ,UAAU;IACV,mBAAmB;IACnB,YAAY;IACZ,eAAe;IACf,SAAS;IACT,QAAQ;IACR,UAAU;IACV,OAAO;IACP,QAAQ;IACR,eAAe;CACoC,CAAC"}
+{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../src/contracts.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,yBAAyB,GAAG;IACvC,kBAAkB;IAClB,iBAAiB;IACjB,kBAAkB;IAClB,iBAAiB;IACjB,kCAAkC;IAClC,2BAA2B;IAC3B,oCAAoC;IACpC,6BAA6B;IAC7B,gBAAgB;IAChB,QAAQ;IACR,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;CACV,CAAC;AAWX,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,gBAAgB,EAAE;QAChB,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,uBAAuB;KAC9B;IACD,eAAe,EAAE;QACf,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,oBAAoB;KAC3B;IACD,gBAAgB,EAAE;QAChB,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,qBAAqB;KAC5B;IACD,eAAe,EAAE;QACf,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,oBAAoB;KAC3B;IACD,gCAAgC,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,mBAAmB;KAC1B;IACD,yBAAyB,EAAE;QACzB,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,kBAAkB;KACzB;IACD,kCAAkC,EAAE;QAClC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,gBAAgB;KACvB;IACD,2BAA2B,EAAE;QAC3B,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,eAAe;KACtB;IACD,cAAc,EAAE;QACd,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,kBAAkB;KACzB;IACD,MAAM,EAAE;QACN,MAAM,EAAE,QAAQ;QAChB,IAAI,EAAE,UAAU;KACjB;IACD,eAAe,EAAE;QACf,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,cAAc;KACrB;IACD,gBAAgB,EAAE;QAChB,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,kBAAkB;KACzB;IACD,gBAAgB,EAAE;QAChB,MAAM,EAAE,QAAQ;QAChB,IAAI,EAAE,kBAAkB;KACzB;CACqE,CAAC;AAEzE,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,OAAO;IACP,aAAa;IACb,YAAY;IACZ,UAAU;IACV,mBAAmB;IACnB,YAAY;IACZ,eAAe;IACf,SAAS;IACT,QAAQ;IACR,UAAU;IACV,OAAO;IACP,QAAQ;IACR,eAAe;IACf,iBAAiB;IACjB,MAAM;CAC6C,CAAC"}

package/dist/index.d.ts

@@ -3,6 +3,22 @@ export * from './credential-route-handlers.js';
 export * from './email-verification.js';
 export * from './magic-link.js';
 export * from './middleware.js';
+export * from './oauth/authorize-handler.js';
+export * from './oauth/consent-decision-handler.js';
+export * from './oauth/crypto-utils.js';
+export * from './oauth/dpop.js';
+export * from './oauth/http-utils.js';
+export * from './oauth/introspect-handler.js';
+export * from './oauth/jwks-service.js';
+export * from './oauth/router.js';
+export * from './oauth/revoke-handler.js';
+export * from './oauth/service-auth-middleware.js';
+export * from './oauth/session-resolver.js';
+export * from './oauth/state-store-types.js';
+export * from './oauth/state-codec.js';
+export * from './oauth/token-handler.js';
+export * from './oauth/userinfo-handler.js';
+export * from './oauth/wellknown-handler.js';
 export * from './ports.js';
 export * from './route-handlers.js';
 export * from './router.js';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,6CAA6C,CAAC;AAC5D,cAAc,4BAA4B,CAAC;AAC3C,cAAc,2CAA2C,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,qCAAqC,CAAC;AACpD,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,yBAAyB,CAAC;AACxC,cAAc,mBAAmB,CAAC;AAClC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,oCAAoC,CAAC;AACnD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,wBAAwB,CAAC;AACvC,cAAc,0BAA0B,CAAC;AACzC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,6CAA6C,CAAC;AAC5D,cAAc,4BAA4B,CAAC;AAC3C,cAAc,2CAA2C,CAAC"}

package/dist/index.js

@@ -3,6 +3,22 @@ export * from './credential-route-handlers.js';
 export * from './email-verification.js';
 export * from './magic-link.js';
 export * from './middleware.js';
+export * from './oauth/authorize-handler.js';
+export * from './oauth/consent-decision-handler.js';
+export * from './oauth/crypto-utils.js';
+export * from './oauth/dpop.js';
+export * from './oauth/http-utils.js';
+export * from './oauth/introspect-handler.js';
+export * from './oauth/jwks-service.js';
+export * from './oauth/router.js';
+export * from './oauth/revoke-handler.js';
+export * from './oauth/service-auth-middleware.js';
+export * from './oauth/session-resolver.js';
+export * from './oauth/state-store-types.js';
+export * from './oauth/state-codec.js';
+export * from './oauth/token-handler.js';
+export * from './oauth/userinfo-handler.js';
+export * from './oauth/wellknown-handler.js';
 export * from './ports.js';
 export * from './route-handlers.js';
 export * from './router.js';

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,6CAA6C,CAAC;AAC5D,cAAc,4BAA4B,CAAC;AAC3C,cAAc,2CAA2C,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,qCAAqC,CAAC;AACpD,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,yBAAyB,CAAC;AACxC,cAAc,mBAAmB,CAAC;AAClC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,oCAAoC,CAAC;AACnD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,wBAAwB,CAAC;AACvC,cAAc,0BAA0B,CAAC;AACzC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,6CAA6C,CAAC;AAC5D,cAAc,4BAA4B,CAAC;AAC3C,cAAc,2CAA2C,CAAC"}

package/dist/oauth/authorize-handler.d.ts

@@ -0,0 +1,13 @@
+import type { Context } from 'hono';
+import type { AuthHonoPorts } from '../ports.js';
+import type { OAuthContinuationCodec } from './state-codec.js';
+export interface OAuthAuthorizeHandlerOptions {
+    consentUrl: string;
+    issuer: string;
+    loginUrl: string;
+    ports: AuthHonoPorts;
+    stateCodec: OAuthContinuationCodec;
+    stateTtlSeconds?: number;
+}
+export declare const createOAuthAuthorizeHandler: (options: OAuthAuthorizeHandlerOptions) => (c: Context) => Promise<Response>;
+//# sourceMappingURL=authorize-handler.d.ts.map

package/dist/oauth/authorize-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/authorize-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD,OAAO,KAAK,EAAE,sBAAsB,EAA0B,MAAM,kBAAkB,CAAC;AAIvF,MAAM,WAAW,4BAA4B;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,aAAa,CAAC;IACrB,UAAU,EAAE,sBAAsB,CAAC;IACnC,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAYD,eAAO,MAAM,2BAA2B,YAC5B,4BAA4B,SAC5B,OAAO,KAAG,QAAQ,QAAQ,CAgCnC,CAAC"}

package/dist/oauth/authorize-handler.js

@@ -0,0 +1,143 @@
+import { appendParams, oauthJsonError, redirectWithOAuthError } from './http-utils.js';
+import { resolveOAuthAcr, resolveOAuthSession } from './session-resolver.js';
+export const createOAuthAuthorizeHandler = (options) => async (c) => {
+    const continuation = c.req.query('continue');
+    if (continuation) {
+        return resumeLoginContinuation(c, options, continuation);
+    }
+    const validation = await validateAuthorizeRequest(c, options.ports);
+    if (validation instanceof Response)
+        return validation;
+    const prompt = c.req.query('prompt') ?? '';
+    const session = await resolveOAuthSession(c.req.raw, options.ports);
+    if (!session || prompt === 'login') {
+        if (prompt === 'none') {
+            return redirectWithOAuthError(validation.redirectUri, 'login_required', validation.state, c.req.url);
+        }
+        const continuation = await sealContinuation(c, options, validation);
+        return c.redirect(appendParams(options.loginUrl, { continue: continuation }, c.req.url), 302);
+    }
+    if (prompt === 'none') {
+        return redirectWithOAuthError(validation.redirectUri, 'consent_required', validation.state, c.req.url);
+    }
+    const sealedState = await sealContinuation(c, options, validation, {
+        acr: resolveOAuthAcr(session.sessionRecord),
+        authTime: session.sessionRecord.createdAt.toISOString(),
+        userId: session.user.id,
+    });
+    return c.redirect(appendParams(options.consentUrl, { state: sealedState }, c.req.url), 302);
+};
+const resumeLoginContinuation = async (c, options, continuation) => {
+    const payload = await options.stateCodec.unseal(continuation);
+    const now = options.ports.clock.now();
+    if (!payload || payload.userId || payload.codeChallengeMethod !== 'S256' || new Date(payload.expiresAt) <= now) {
+        return oauthJsonError(c, 400, 'invalid_request', 'OAuth continuation is invalid or expired.');
+    }
+    const client = await options.ports.oauthStateStore.findClient(payload.clientId);
+    if (!client)
+        return oauthJsonError(c, 400, 'invalid_request', 'Unknown OAuth client.');
+    const redirectError = validateRedirectUri(client, payload.redirectUri);
+    if (redirectError)
+        return oauthJsonError(c, 400, 'invalid_request', redirectError);
+    const scopeResult = validateScope(payload.scope, client, payload.redirectUri, payload.state, c.req.url);
+    if (scopeResult instanceof Response)
+        return scopeResult;
+    const session = await resolveOAuthSession(c.req.raw, options.ports);
+    if (!session) {
+        return c.redirect(appendParams(options.loginUrl, { continue: continuation }, c.req.url), 302);
+    }
+    const expiresAt = options.ports.clock.addSeconds(now, options.stateTtlSeconds ?? 10 * 60);
+    const sealedState = await options.stateCodec.seal({
+        ...payload,
+        acr: resolveOAuthAcr(session.sessionRecord),
+        authTime: session.sessionRecord.createdAt.toISOString(),
+        createdAt: now.toISOString(),
+        expiresAt: expiresAt.toISOString(),
+        scope: scopeResult,
+        userId: session.user.id,
+    });
+    return c.redirect(appendParams(options.consentUrl, { state: sealedState }, c.req.url), 302);
+};
+const validateAuthorizeRequest = async (c, ports) => {
+    const clientId = c.req.query('client_id');
+    const client = clientId ? await ports.oauthStateStore.findClient(clientId) : null;
+    if (!client) {
+        return oauthJsonError(c, 400, 'invalid_request', 'Unknown OAuth client.');
+    }
+    const redirectUri = c.req.query('redirect_uri') ?? '';
+    const redirectError = validateRedirectUri(client, redirectUri);
+    if (redirectError) {
+        return oauthJsonError(c, 400, 'invalid_request', redirectError);
+    }
+    const state = c.req.query('state') ?? null;
+    if (c.req.query('response_type') !== 'code') {
+        return redirectWithOAuthError(redirectUri, 'unsupported_response_type', state, c.req.url);
+    }
+    const codeChallenge = c.req.query('code_challenge') ?? '';
+    if (!codeChallenge || c.req.query('code_challenge_method') !== 'S256') {
+        return redirectWithOAuthError(redirectUri, 'invalid_request', state, c.req.url);
+    }
+    const scopeResult = validateScope(c.req.query('scope') ?? '', client, redirectUri, state, c.req.url);
+    if (scopeResult instanceof Response)
+        return scopeResult;
+    return {
+        client,
+        codeChallenge,
+        dpopJkt: c.req.query('dpop_jkt') ?? null,
+        nonce: c.req.query('nonce') ?? null,
+        redirectUri,
+        scope: scopeResult,
+        state,
+    };
+};
+const validateRedirectUri = (client, redirectUri) => {
+    if (!client.redirectUris.includes(redirectUri))
+        return 'redirect_uri is not registered for this client.';
+    let parsed;
+    try {
+        parsed = new URL(redirectUri);
+    }
+    catch {
+        return 'redirect_uri must be an absolute URI.';
+    }
+    if (parsed.hash)
+        return 'redirect_uri must not contain a fragment.';
+    if (parsed.username || parsed.password)
+        return 'redirect_uri must not contain credentials.';
+    if (parsed.protocol === 'https:')
+        return null;
+    if (parsed.protocol === 'http:' && ['localhost', '127.0.0.1'].includes(parsed.hostname))
+        return null;
+    return 'redirect_uri must use https except for localhost development callbacks.';
+};
+const validateScope = (scope, client, redirectUri, state, baseUrl) => {
+    const requestedScopes = scope.split(/\s+/).filter(Boolean);
+    if (requestedScopes.includes('offline_access')) {
+        return redirectWithOAuthError(redirectUri, 'invalid_scope', state, baseUrl);
+    }
+    if (requestedScopes.some((requestedScope) => !client.allowedScopes.includes(requestedScope))) {
+        return redirectWithOAuthError(redirectUri, 'invalid_scope', state, baseUrl);
+    }
+    return requestedScopes.join(' ');
+};
+const sealContinuation = async (c, options, request, session) => {
+    const now = options.ports.clock.now();
+    const expiresAt = options.ports.clock.addSeconds(now, options.stateTtlSeconds ?? 10 * 60);
+    return options.stateCodec.seal({
+        acr: session?.acr,
+        authTime: session?.authTime,
+        clientId: request.client.clientId,
+        codeChallenge: request.codeChallenge,
+        codeChallengeMethod: 'S256',
+        createdAt: now.toISOString(),
+        dpopJkt: request.dpopJkt,
+        expiresAt: expiresAt.toISOString(),
+        nonce: request.nonce,
+        redirectUri: request.redirectUri,
+        scope: request.scope,
+        state: request.state,
+        tenantId: request.client.tenantId,
+        userId: session?.userId,
+    });
+};
+//# sourceMappingURL=authorize-handler.js.map

package/dist/oauth/authorize-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize-handler.js","sourceRoot":"","sources":["../../src/oauth/authorize-handler.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACvF,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAqB7E,MAAM,CAAC,MAAM,2BAA2B,GACtC,CAAC,OAAqC,EAAE,EAAE,CAC1C,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC7C,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,uBAAuB,CAAC,CAAC,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,CAAC,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACpE,IAAI,UAAU,YAAY,QAAQ;QAAE,OAAO,UAAU,CAAC;IAEtD,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAEpE,IAAI,CAAC,OAAO,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACnC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,sBAAsB,CAAC,UAAU,CAAC,WAAW,EAAE,gBAAgB,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvG,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QACpE,OAAO,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;IAChG,CAAC;IAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,sBAAsB,CAAC,UAAU,CAAC,WAAW,EAAE,kBAAkB,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzG,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE;QACjE,GAAG,EAAE,eAAe,CAAC,OAAO,CAAC,aAAa,CAAC;QAC3C,QAAQ,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,WAAW,EAAE;QACvD,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;KACxB,CAAC,CAAC;IAEH,OAAO,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;AAC9F,CAAC,CAAC;AAEJ,MAAM,uBAAuB,GAAG,KAAK,EACnC,CAAU,EACV,OAAqC,EACrC,YAAoB,EACD,EAAE;IACrB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IACtC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,mBAAmB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,GAAG,EAAE,CAAC;QAC/G,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,2CAA2C,CAAC,CAAC;IAChG,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAChF,IAAI,CAAC,MAAM;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,uBAAuB,CAAC,CAAC;IAEvF,MAAM,aAAa,GAAG,mBAAmB,CAAC,MAAM,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IACvE,IAAI,aAAa;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAEnF,MAAM,WAAW,GAAG,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACxG,IAAI,WAAW,YAAY,QAAQ;QAAE,OAAO,WAAW,CAAC;IAExD,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACpE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;IAChG,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,eAAe,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IAC1F,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QAChD,GAAG,OAAO;QACV,GAAG,EAAE,eAAe,CAAC,OAAO,CAAC,aAAa,CAAC;QAC3C,QAAQ,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,WAAW,EAAE;QACvD,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE;QAC5B,SAAS,EAAE,SAAS,CAAC,WAAW,EAAE;QAClC,KAAK,EAAE,WAAW;QAClB,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;KACxB,CAAC,CAAC;IAEH,OAAO,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;AAC9F,CAAC,CAAC;AAEF,MAAM,wBAAwB,GAAG,KAAK,EACpC,CAAU,EACV,KAAoB,EAC2B,EAAE;IACjD,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAClF,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,uBAAuB,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,WAAW,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IACtD,MAAM,aAAa,GAAG,mBAAmB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAC/D,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC;IAC3C,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,MAAM,EAAE,CAAC;QAC5C,OAAO,sBAAsB,CAAC,WAAW,EAAE,2BAA2B,EAAE,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,aAAa,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,uBAAuB,CAAC,KAAK,MAAM,EAAE,CAAC;QACtE,OAAO,sBAAsB,CAAC,WAAW,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,WAAW,GAAG,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACrG,IAAI,WAAW,YAAY,QAAQ;QAAE,OAAO,WAAW,CAAC;IAExD,OAAO;QACL,MAAM;QACN,aAAa;QACb,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,IAAI;QACxC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,IAAI;QACnC,WAAW;QACX,KAAK,EAAE,WAAW;QAClB,KAAK;KACN,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,mBAAmB,GAAG,CAAC,MAAyB,EAAE,WAAmB,EAAiB,EAAE;IAC5F,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,iDAAiD,CAAC;IAEzG,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,uCAAuC,CAAC;IACjD,CAAC;IAED,IAAI,MAAM,CAAC,IAAI;QAAE,OAAO,2CAA2C,CAAC;IACpE,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ;QAAE,OAAO,4CAA4C,CAAC;IAC5F,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACrG,OAAO,yEAAyE,CAAC;AACnF,CAAC,CAAC;AAEF,MAAM,aAAa,GAAG,CACpB,KAAa,EACb,MAAyB,EACzB,WAAmB,EACnB,KAAoB,EACpB,OAAe,EACI,EAAE;IACrB,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC3D,IAAI,eAAe,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC/C,OAAO,sBAAsB,CAAC,WAAW,EAAE,eAAe,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;QAC7F,OAAO,sBAAsB,CAAC,WAAW,EAAE,eAAe,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACnC,CAAC,CAAC;AAEF,MAAM,gBAAgB,GAAG,KAAK,EAC5B,CAAU,EACV,OAAqC,EACrC,OAAkC,EAClC,OAAqE,EACpD,EAAE;IACnB,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,eAAe,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IAC1F,OAAO,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QAC7B,GAAG,EAAE,OAAO,EAAE,GAAG;QACjB,QAAQ,EAAE,OAAO,EAAE,QAAQ;QAC3B,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ;QACjC,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,mBAAmB,EAAE,MAAM;QAC3B,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE;QAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,SAAS,EAAE,SAAS,CAAC,WAAW,EAAE;QAClC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ;QACjC,MAAM,EAAE,OAAO,EAAE,MAAM;KACxB,CAAC,CAAC;AACL,CAAC,CAAC"}

package/dist/oauth/consent-decision-handler.d.ts

@@ -0,0 +1,11 @@
+import type { Context } from 'hono';
+import type { AuthHonoPorts } from '../ports.js';
+import type { OAuthContinuationCodec } from './state-codec.js';
+export interface OAuthConsentHandlerOptions {
+    authorizationCodeTtlSeconds?: number;
+    ports: AuthHonoPorts;
+    stateCodec: OAuthContinuationCodec;
+}
+export declare const createOAuthConsentDetailsHandler: (options: OAuthConsentHandlerOptions) => (c: Context) => Promise<Response>;
+export declare const createOAuthConsentDecisionHandler: (options: OAuthConsentHandlerOptions) => (c: Context) => Promise<Response>;
+//# sourceMappingURL=consent-decision-handler.d.ts.map

package/dist/oauth/consent-decision-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent-decision-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/consent-decision-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD,OAAO,KAAK,EAAE,sBAAsB,EAA0B,MAAM,kBAAkB,CAAC;AAGvF,MAAM,WAAW,0BAA0B;IACzC,2BAA2B,CAAC,EAAE,MAAM,CAAC;IACrC,KAAK,EAAE,aAAa,CAAC;IACrB,UAAU,EAAE,sBAAsB,CAAC;CACpC;AAED,eAAO,MAAM,gCAAgC,YACjC,0BAA0B,SAC1B,OAAO,KAAG,QAAQ,QAAQ,CAanC,CAAC;AAEJ,eAAO,MAAM,iCAAiC,YAClC,0BAA0B,SAC1B,OAAO,KAAG,QAAQ,QAAQ,CA0CnC,CAAC"}

package/dist/oauth/consent-decision-handler.js

@@ -0,0 +1,58 @@
+import { appendParams, oauthJsonError, redirectOrJson } from './http-utils.js';
+import { resolveOAuthSession } from './session-resolver.js';
+export const createOAuthConsentDetailsHandler = (options) => async (c) => {
+    const state = c.req.query('state') ?? '';
+    const payload = await validateConsentState(c, options, state);
+    if (payload instanceof Response)
+        return payload;
+    const client = await options.ports.oauthStateStore.findClient(payload.clientId);
+    if (!client)
+        return oauthJsonError(c, 400, 'invalid_request', 'Unknown OAuth client.');
+    return c.json({
+        clientName: client.name,
+        redirectUri: payload.redirectUri,
+        scopes: payload.scope.split(/\s+/).filter(Boolean),
+    });
+};
+export const createOAuthConsentDecisionHandler = (options) => async (c) => {
+    const body = await c.req.json().catch(() => null);
+    if (!body?.state || !['approve', 'deny'].includes(body.decision ?? '')) {
+        return oauthJsonError(c, 400, 'invalid_request', 'Consent decision and state are required.');
+    }
+    const payload = await validateConsentState(c, options, body.state);
+    if (payload instanceof Response)
+        return payload;
+    if (body.decision === 'deny') {
+        return redirectOrJson(c, appendParams(payload.redirectUri, { error: 'access_denied', state: payload.state }, c.req.url));
+    }
+    const code = options.ports.random.token(32);
+    const now = options.ports.clock.now();
+    await options.ports.oauthStateStore.saveAuthCode(code, {
+        acr: payload.acr ?? 'urn:sentropic:loa:bearer',
+        authTime: new Date(payload.authTime ?? now.toISOString()),
+        clientId: payload.clientId,
+        codeChallenge: payload.codeChallenge,
+        codeChallengeMethod: 'S256',
+        createdAt: now,
+        dpopJkt: payload.dpopJkt,
+        expiresAt: options.ports.clock.addSeconds(now, options.authorizationCodeTtlSeconds ?? 60),
+        nonce: payload.nonce,
+        redirectUri: payload.redirectUri,
+        scope: payload.scope,
+        tenantId: payload.tenantId,
+        userId: payload.userId ?? '',
+    }, options.authorizationCodeTtlSeconds ?? 60);
+    return redirectOrJson(c, appendParams(payload.redirectUri, { code, state: payload.state }, c.req.url));
+};
+const validateConsentState = async (c, options, sealedState) => {
+    const payload = await options.stateCodec.unseal(sealedState);
+    if (!payload || !payload.userId || new Date(payload.expiresAt) <= options.ports.clock.now()) {
+        return oauthJsonError(c, 400, 'invalid_request', 'OAuth consent state is invalid or expired.');
+    }
+    const session = await resolveOAuthSession(c.req.raw, options.ports);
+    if (!session || session.user.id !== payload.userId) {
+        return oauthJsonError(c, 401, 'login_required', 'A valid user session is required.');
+    }
+    return payload;
+};
+//# sourceMappingURL=consent-decision-handler.js.map

package/dist/oauth/consent-decision-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent-decision-handler.js","sourceRoot":"","sources":["../../src/oauth/consent-decision-handler.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAE/E,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAQ5D,MAAM,CAAC,MAAM,gCAAgC,GAC3C,CAAC,OAAmC,EAAE,EAAE,CACxC,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9D,IAAI,OAAO,YAAY,QAAQ;QAAE,OAAO,OAAO,CAAC;IAEhD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAChF,IAAI,CAAC,MAAM;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,uBAAuB,CAAC,CAAC;IAEvF,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC,IAAI;QACvB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;KACnD,CAAC,CAAC;AACL,CAAC,CAAC;AAEJ,MAAM,CAAC,MAAM,iCAAiC,GAC5C,CAAC,OAAmC,EAAE,EAAE,CACxC,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAyC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzF,IAAI,CAAC,IAAI,EAAE,KAAK,IAAI,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC;QACvE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,0CAA0C,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IACnE,IAAI,OAAO,YAAY,QAAQ;QAAE,OAAO,OAAO,CAAC;IAEhD,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QAC7B,OAAO,cAAc,CACnB,CAAC,EACD,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAC/F,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,YAAY,CAC9C,IAAI,EACJ;QACE,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,0BAA0B;QAC9C,QAAQ,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QACzD,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,mBAAmB,EAAE,MAAM;QAC3B,SAAS,EAAE,GAAG;QACd,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,2BAA2B,IAAI,EAAE,CAAC;QACzF,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;KAC7B,EACD,OAAO,CAAC,2BAA2B,IAAI,EAAE,CAC1C,CAAC;IAEF,OAAO,cAAc,CACnB,CAAC,EACD,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAC7E,CAAC;AACJ,CAAC,CAAC;AAEJ,MAAM,oBAAoB,GAAG,KAAK,EAChC,CAAU,EACV,OAAmC,EACnC,WAAmB,EACyB,EAAE;IAC9C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7D,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,CAAC;QAC5F,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,4CAA4C,CAAC,CAAC;IACjG,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACpE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;QACnD,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,mCAAmC,CAAC,CAAC;IACvF,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}

package/dist/oauth/crypto-utils.d.ts

@@ -0,0 +1,3 @@
+export declare const sha256Base64url: (value: string) => Promise<string>;
+export declare const base64urlEncode: (bytes: Uint8Array) => string;
+//# sourceMappingURL=crypto-utils.d.ts.map

package/dist/oauth/crypto-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-utils.d.ts","sourceRoot":"","sources":["../../src/oauth/crypto-utils.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,eAAe,UAAiB,MAAM,KAAG,QAAQ,MAAM,CAGnE,CAAC;AAEF,eAAO,MAAM,eAAe,UAAW,UAAU,KAAG,MAMnD,CAAC"}

package/dist/oauth/crypto-utils.js

@@ -0,0 +1,13 @@
+const textEncoder = new TextEncoder();
+export const sha256Base64url = async (value) => {
+    const digest = await crypto.subtle.digest('SHA-256', textEncoder.encode(value));
+    return base64urlEncode(new Uint8Array(digest));
+};
+export const base64urlEncode = (bytes) => {
+    let binary = '';
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/u, '');
+};
+//# sourceMappingURL=crypto-utils.js.map

package/dist/oauth/crypto-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-utils.js","sourceRoot":"","sources":["../../src/oauth/crypto-utils.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;AAEtC,MAAM,CAAC,MAAM,eAAe,GAAG,KAAK,EAAE,KAAa,EAAmB,EAAE;IACtE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAChF,OAAO,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AACjD,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,KAAiB,EAAU,EAAE;IAC3D,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACpF,CAAC,CAAC"}

package/dist/oauth/dpop.d.ts

@@ -0,0 +1,18 @@
+import type { AuthHonoPorts } from '../ports.js';
+export interface VerifyDpopProofOptions {
+    accessToken?: string;
+    htm: string;
+    htu: string;
+    iatSkewSeconds?: number;
+    ports: AuthHonoPorts;
+    proof: string;
+}
+export interface VerifiedDpopProof {
+    jkt: string;
+    jti: string;
+}
+export declare class OAuthDpopProofError extends Error {
+    constructor(message: string);
+}
+export declare const verifyOAuthDpopProof: (options: VerifyDpopProofOptions) => Promise<VerifiedDpopProof>;
+//# sourceMappingURL=dpop.d.ts.map

package/dist/oauth/dpop.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.d.ts","sourceRoot":"","sources":["../../src/oauth/dpop.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGjD,MAAM,WAAW,sBAAsB;IACrC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,EAAE,aAAa,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,qBAAa,mBAAoB,SAAQ,KAAK;gBAChC,OAAO,EAAE,MAAM;CAI5B;AAED,eAAO,MAAM,oBAAoB,YACtB,sBAAsB,KAC9B,QAAQ,iBAAiB,CAwB3B,CAAC"}