@sentropic/auth-hono 0.2.1 → 0.4.0

package/dist/oauth/dpop.js

@@ -0,0 +1,54 @@
+import { calculateJwkThumbprint, decodeProtectedHeader, importJWK, jwtVerify, } from 'jose';
+import { sha256Base64url } from './crypto-utils.js';
+export class OAuthDpopProofError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'OAuthDpopProofError';
+    }
+}
+export const verifyOAuthDpopProof = async (options) => {
+    const header = decodeProtectedHeader(options.proof);
+    const publicJwk = header.jwk;
+    if (!publicJwk || !header.alg || header.typ !== 'dpop+jwt') {
+        throw new OAuthDpopProofError('DPoP proof header is invalid.');
+    }
+    const key = await importJWK(publicJwk, header.alg);
+    const { payload } = await jwtVerify(options.proof, key);
+    await validateDpopPayload(payload, options);
+    const expiresAt = options.ports.clock.addSeconds(options.ports.clock.now(), options.iatSkewSeconds ?? 60);
+    const recorded = await options.ports.oauthStateStore.recordDpopJti(String(payload.jti), expiresAt);
+    if (!recorded) {
+        throw new OAuthDpopProofError('DPoP proof jti was already used.');
+    }
+    return {
+        jkt: await calculateJwkThumbprint(publicJwk),
+        jti: String(payload.jti),
+    };
+};
+const validateDpopPayload = async (payload, options) => {
+    if (payload.htm !== options.htm.toUpperCase()) {
+        throw new OAuthDpopProofError('DPoP htm claim does not match the request method.');
+    }
+    if (payload.htu !== options.htu) {
+        throw new OAuthDpopProofError('DPoP htu claim does not match the request URL.');
+    }
+    if (!payload.jti || typeof payload.jti !== 'string') {
+        throw new OAuthDpopProofError('DPoP jti claim is required.');
+    }
+    if (typeof payload.iat !== 'number') {
+        throw new OAuthDpopProofError('DPoP iat claim is required.');
+    }
+    const nowSeconds = Math.floor(options.ports.clock.now().getTime() / 1000);
+    if (Math.abs(payload.iat - nowSeconds) > (options.iatSkewSeconds ?? 60)) {
+        throw new OAuthDpopProofError('DPoP iat claim is outside the allowed skew.');
+    }
+    if (options.accessToken) {
+        await validateAth(payload, options.accessToken);
+    }
+};
+const validateAth = async (payload, accessToken) => {
+    if (payload.ath !== (await sha256Base64url(accessToken))) {
+        throw new OAuthDpopProofError('DPoP ath claim does not match the access token.');
+    }
+};
+//# sourceMappingURL=dpop.js.map

package/dist/oauth/dpop.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.js","sourceRoot":"","sources":["../../src/oauth/dpop.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,SAAS,EACT,SAAS,GAGV,MAAM,MAAM,CAAC;AAGd,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAgBpD,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAC5C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED,MAAM,CAAC,MAAM,oBAAoB,GAAG,KAAK,EACvC,OAA+B,EACH,EAAE;IAC9B,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,MAAM,CAAC,GAAsB,CAAC;IAChD,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;QAC3D,MAAM,IAAI,mBAAmB,CAAC,+BAA+B,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IACnD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACxD,MAAM,mBAAmB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAE5C,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAC9C,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,EACzB,OAAO,CAAC,cAAc,IAAI,EAAE,CAC7B,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,SAAS,CAAC,CAAC;IACnG,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,mBAAmB,CAAC,kCAAkC,CAAC,CAAC;IACpE,CAAC;IAED,OAAO;QACL,GAAG,EAAE,MAAM,sBAAsB,CAAC,SAAS,CAAC;QAC5C,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;KACzB,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,mBAAmB,GAAG,KAAK,EAC/B,OAAmB,EACnB,OAA+B,EAChB,EAAE;IACjB,IAAI,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC;QAC9C,MAAM,IAAI,mBAAmB,CAAC,mDAAmD,CAAC,CAAC;IACrF,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,mBAAmB,CAAC,gDAAgD,CAAC,CAAC;IAClF,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpD,MAAM,IAAI,mBAAmB,CAAC,6BAA6B,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,IAAI,mBAAmB,CAAC,6BAA6B,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1E,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,GAAG,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC,EAAE,CAAC;QACxE,MAAM,IAAI,mBAAmB,CAAC,6CAA6C,CAAC,CAAC;IAC/E,CAAC;IAED,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,WAAW,GAAG,KAAK,EAAE,OAAmB,EAAE,WAAmB,EAAiB,EAAE;IACpF,IAAI,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,eAAe,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,mBAAmB,CAAC,iDAAiD,CAAC,CAAC;IACnF,CAAC;AACH,CAAC,CAAC"}

package/dist/oauth/http-utils.d.ts

@@ -0,0 +1,6 @@
+import type { Context } from 'hono';
+export declare const appendParams: (target: string, params: Record<string, string | null | undefined>, baseUrl: string) => string;
+export declare const oauthJsonError: (c: Context, status: 400 | 401, code: string, message: string) => Response;
+export declare const redirectWithOAuthError: (redirectUri: string, code: string, state: string | null, baseUrl: string) => Response;
+export declare const redirectOrJson: (c: Context, redirectTo: string) => Response;
+//# sourceMappingURL=http-utils.d.ts.map

package/dist/oauth/http-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-utils.d.ts","sourceRoot":"","sources":["../../src/oauth/http-utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,eAAO,MAAM,YAAY,WACf,MAAM,UACN,OAAO,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC,WACxC,MAAM,KACd,MAQF,CAAC;AAEF,eAAO,MAAM,cAAc,MACtB,OAAO,UACF,GAAG,GAAG,GAAG,QACX,MAAM,WACH,MAAM,KACd,QASA,CAAC;AAEJ,eAAO,MAAM,sBAAsB,gBACpB,MAAM,QACb,MAAM,SACL,MAAM,GAAG,IAAI,WACX,MAAM,KACd,QAWA,CAAC;AAEJ,eAAO,MAAM,cAAc,MAAO,OAAO,cAAc,MAAM,KAAG,QAO/D,CAAC"}

package/dist/oauth/http-utils.js

@@ -0,0 +1,27 @@
+export const appendParams = (target, params, baseUrl) => {
+    const url = new URL(target, baseUrl);
+    for (const [key, value] of Object.entries(params)) {
+        if (value !== null && value !== undefined) {
+            url.searchParams.set(key, value);
+        }
+    }
+    return url.toString();
+};
+export const oauthJsonError = (c, status, code, message) => c.json({
+    error: {
+        code,
+        message,
+    },
+}, status);
+export const redirectWithOAuthError = (redirectUri, code, state, baseUrl) => Response.redirect(appendParams(redirectUri, {
+    error: code,
+    state,
+}, baseUrl), 302);
+export const redirectOrJson = (c, redirectTo) => {
+    const accept = c.req.header('accept') ?? '';
+    if (accept.includes('application/json')) {
+        return c.json({ redirectTo });
+    }
+    return c.redirect(redirectTo, 302);
+};
+//# sourceMappingURL=http-utils.js.map

package/dist/oauth/http-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-utils.js","sourceRoot":"","sources":["../../src/oauth/http-utils.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAAG,CAC1B,MAAc,EACd,MAAiD,EACjD,OAAe,EACP,EAAE;IACV,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC1C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,cAAc,GAAG,CAC5B,CAAU,EACV,MAAiB,EACjB,IAAY,EACZ,OAAe,EACL,EAAE,CACZ,CAAC,CAAC,IAAI,CACJ;IACE,KAAK,EAAE;QACL,IAAI;QACJ,OAAO;KACR;CACF,EACD,MAAM,CACP,CAAC;AAEJ,MAAM,CAAC,MAAM,sBAAsB,GAAG,CACpC,WAAmB,EACnB,IAAY,EACZ,KAAoB,EACpB,OAAe,EACL,EAAE,CACZ,QAAQ,CAAC,QAAQ,CACf,YAAY,CACV,WAAW,EACX;IACE,KAAK,EAAE,IAAI;IACX,KAAK;CACN,EACD,OAAO,CACR,EACD,GAAG,CACJ,CAAC;AAEJ,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAU,EAAE,UAAkB,EAAY,EAAE;IACzE,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC5C,IAAI,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACxC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,CAAC,CAAC,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;AACrC,CAAC,CAAC"}

package/dist/oauth/introspect-handler.d.ts

@@ -0,0 +1,8 @@
+import type { Context } from 'hono';
+import type { AuthHonoPorts } from '../ports.js';
+export interface OAuthIntrospectHandlerOptions {
+    issuer: string;
+    ports: AuthHonoPorts;
+}
+export declare const createOAuthIntrospectHandler: (options: OAuthIntrospectHandlerOptions) => (c: Context) => Promise<Response>;
+//# sourceMappingURL=introspect-handler.d.ts.map

package/dist/oauth/introspect-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"introspect-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/introspect-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAIjD,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,aAAa,CAAC;CACtB;AAED,eAAO,MAAM,4BAA4B,YAC7B,6BAA6B,SAC7B,OAAO,KAAG,QAAQ,QAAQ,CAgCnC,CAAC"}

package/dist/oauth/introspect-handler.js

@@ -0,0 +1,63 @@
+import { oauthJsonError } from './http-utils.js';
+import { createJwksService } from './jwks-service.js';
+export const createOAuthIntrospectHandler = (options) => async (c) => {
+    const authenticated = await authenticateIntrospectionClient(c, options.ports);
+    if (authenticated instanceof Response)
+        return authenticated;
+    const form = new URLSearchParams(await c.req.text());
+    const token = form.get('token');
+    if (!token)
+        return c.json({ active: false });
+    const payload = await verifyToken(options, token);
+    if (!payload?.jti)
+        return c.json({ active: false });
+    const meta = await options.ports.oauthStateStore.findTokenMeta(payload.jti);
+    if (!meta ||
+        meta.expiresAt <= options.ports.clock.now() ||
+        (await options.ports.oauthStateStore.isTokenRevoked(payload.jti))) {
+        return c.json({ active: false });
+    }
+    return c.json({
+        active: true,
+        aud: meta.audience,
+        client_id: meta.clientId,
+        ...(meta.dpopJkt ? { cnf: { jkt: meta.dpopJkt } } : {}),
+        exp: toEpochSeconds(meta.expiresAt),
+        iat: typeof payload.iat === 'number' ? payload.iat : undefined,
+        jti: meta.jti,
+        scope: meta.scope,
+        sub: meta.userId,
+        token_type: meta.tokenType,
+    });
+};
+const authenticateIntrospectionClient = async (c, ports) => {
+    const authorization = c.req.header('authorization');
+    if (!authorization?.startsWith('Basic ')) {
+        return oauthJsonError(c, 401, 'invalid_client', 'Client authentication is required.');
+    }
+    const decoded = atob(authorization.slice('Basic '.length));
+    const separator = decoded.indexOf(':');
+    const clientId = separator >= 0 ? decoded.slice(0, separator) : decoded;
+    const secret = separator >= 0 ? decoded.slice(separator + 1) : '';
+    const client = await ports.oauthStateStore.findClient(clientId);
+    if (!client?.clientSecretHash || (await ports.tokens.hashSecret(secret)) !== client.clientSecretHash) {
+        return oauthJsonError(c, 401, 'invalid_client', 'Client authentication failed.');
+    }
+    return true;
+};
+const verifyToken = async (options, token) => {
+    try {
+        const jwks = createJwksService({ clock: options.ports.clock, jwksPort: options.ports.jwks });
+        const result = await jwks.verifyJwt(token, {
+            currentDate: options.ports.clock.now(),
+            issuer: trimTrailingSlash(options.issuer),
+        });
+        return result.payload;
+    }
+    catch {
+        return null;
+    }
+};
+const toEpochSeconds = (date) => Math.floor(date.getTime() / 1000);
+const trimTrailingSlash = (value) => value.replace(/\/+$/u, '');
+//# sourceMappingURL=introspect-handler.js.map

package/dist/oauth/introspect-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"introspect-handler.js","sourceRoot":"","sources":["../../src/oauth/introspect-handler.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAOtD,MAAM,CAAC,MAAM,4BAA4B,GACvC,CAAC,OAAsC,EAAE,EAAE,CAC3C,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,aAAa,GAAG,MAAM,+BAA+B,CAAC,CAAC,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9E,IAAI,aAAa,YAAY,QAAQ;QAAE,OAAO,aAAa,CAAC;IAE5D,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAE7C,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAClD,IAAI,CAAC,OAAO,EAAE,GAAG;QAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAEpD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC5E,IACE,CAAC,IAAI;QACL,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE;QAC3C,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,EACjE,CAAC;QACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,MAAM,EAAE,IAAI;QACZ,GAAG,EAAE,IAAI,CAAC,QAAQ;QAClB,SAAS,EAAE,IAAI,CAAC,QAAQ;QACxB,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvD,GAAG,EAAE,cAAc,CAAC,IAAI,CAAC,SAAS,CAAC;QACnC,GAAG,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;QAC9D,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,GAAG,EAAE,IAAI,CAAC,MAAM;QAChB,UAAU,EAAE,IAAI,CAAC,SAAS;KAC3B,CAAC,CAAC;AACL,CAAC,CAAC;AAEJ,MAAM,+BAA+B,GAAG,KAAK,EAC3C,CAAU,EACV,KAAoB,EACM,EAAE;IAC5B,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IACpD,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzC,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,oCAAoC,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAC3D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,QAAQ,GAAG,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IACxE,MAAM,MAAM,GAAG,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAClE,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC,MAAM,EAAE,gBAAgB,IAAI,CAAC,MAAM,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,KAAK,MAAM,CAAC,gBAAgB,EAAE,CAAC;QACrG,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,+BAA+B,CAAC,CAAC;IACnF,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC,CAAC;AAEF,MAAM,WAAW,GAAG,KAAK,EACvB,OAAsC,EACtC,KAAa,EACe,EAAE;IAC9B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,iBAAiB,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAC7F,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;YACzC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE;YACtC,MAAM,EAAE,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC;SAC1C,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,CAAC,IAAU,EAAU,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;AAEjF,MAAM,iBAAiB,GAAG,CAAC,KAAa,EAAU,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC"}

package/dist/oauth/jwks-service.d.ts

@@ -0,0 +1,25 @@
+import { type JWTVerifyOptions, type JWTVerifyResult, type JWTPayload } from 'jose';
+import type { AuthHonoClockPort } from '../ports.js';
+import type { JwksPort } from './state-store-types.js';
+export interface CreateJwksServiceOptions {
+    clock: AuthHonoClockPort;
+    jwksPort: JwksPort;
+}
+export interface JwksSignOptions {
+    audience?: string | string[];
+    expiresAt?: Date;
+    issuer?: string;
+    jti?: string;
+    subject?: string;
+    type?: string;
+}
+export interface PublicJwks {
+    keys: Array<Record<string, unknown>>;
+}
+export interface JwksService {
+    getPublicJwks(): Promise<PublicJwks>;
+    signJwt(payload: JWTPayload, options?: JwksSignOptions): Promise<string>;
+    verifyJwt<T extends JWTPayload = JWTPayload>(jwt: string, options?: JWTVerifyOptions): Promise<JWTVerifyResult<T>>;
+}
+export declare const createJwksService: ({ clock, jwksPort }: CreateJwksServiceOptions) => JwksService;
+//# sourceMappingURL=jwks-service.d.ts.map

package/dist/oauth/jwks-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks-service.d.ts","sourceRoot":"","sources":["../../src/oauth/jwks-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAKL,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,UAAU,EAChB,MAAM,MAAM,CAAC;AAEd,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAEvD,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,iBAAiB,CAAC;IACzB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,WAAW;IAC1B,aAAa,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IACrC,OAAO,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACzE,SAAS,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EACzC,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;CAChC;AAED,eAAO,MAAM,iBAAiB,wBAAyB,wBAAwB,KAAG,WA4DhF,CAAC"}

package/dist/oauth/jwks-service.js

@@ -0,0 +1,61 @@
+import { decodeProtectedHeader, importJWK, jwtVerify, SignJWT, } from 'jose';
+export const createJwksService = ({ clock, jwksPort }) => ({
+    async getPublicJwks() {
+        const keys = await jwksPort.listPublicKeys();
+        return {
+            keys: keys.map((key) => {
+                const { d: _privateExponent, ...publicJwk } = key.publicJwk;
+                return {
+                    ...publicJwk,
+                    alg: key.alg,
+                    crv: key.crv,
+                    kid: key.kid,
+                    kty: publicJwk.kty,
+                    status: key.active ? 'active' : 'rotated',
+                    use: 'sig',
+                };
+            }),
+        };
+    },
+    async signJwt(payload, options = {}) {
+        const activeKey = await jwksPort.getActiveKey();
+        if (!activeKey) {
+            throw new Error('No active JWKS signing key is configured.');
+        }
+        if (!activeKey.privateKey) {
+            throw new Error(`Active JWKS signing key ${activeKey.kid} has no private key material.`);
+        }
+        let jwt = new SignJWT(payload).setProtectedHeader({
+            alg: activeKey.alg,
+            kid: activeKey.kid,
+            ...(options.type ? { typ: options.type } : {}),
+        });
+        jwt = jwt.setIssuedAt(toEpochSeconds(clock.now()));
+        if (options.audience)
+            jwt = jwt.setAudience(options.audience);
+        if (options.expiresAt)
+            jwt = jwt.setExpirationTime(toEpochSeconds(options.expiresAt));
+        if (options.issuer)
+            jwt = jwt.setIssuer(options.issuer);
+        if (options.jti)
+            jwt = jwt.setJti(options.jti);
+        if (options.subject)
+            jwt = jwt.setSubject(options.subject);
+        return jwt.sign(activeKey.privateKey);
+    },
+    async verifyJwt(jwt, options = {}) {
+        const protectedHeader = decodeProtectedHeader(jwt);
+        const kid = protectedHeader.kid;
+        if (!kid) {
+            throw new Error('JWT protected header is missing kid.');
+        }
+        const key = await jwksPort.findKeyByKid(kid);
+        if (!key) {
+            throw new Error(`Unknown JWKS kid: ${kid}`);
+        }
+        const publicKey = await importJWK(key.publicJwk, key.alg);
+        return jwtVerify(jwt, publicKey, options);
+    },
+});
+const toEpochSeconds = (date) => Math.floor(date.getTime() / 1000);
+//# sourceMappingURL=jwks-service.js.map

package/dist/oauth/jwks-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks-service.js","sourceRoot":"","sources":["../../src/oauth/jwks-service.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,EACrB,SAAS,EACT,SAAS,EACT,OAAO,GAIR,MAAM,MAAM,CAAC;AAgCd,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,EAAE,KAAK,EAAE,QAAQ,EAA4B,EAAe,EAAE,CAAC,CAAC;IAChG,KAAK,CAAC,aAAa;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,cAAc,EAAE,CAAC;QAE7C,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;gBACrB,MAAM,EAAE,CAAC,EAAE,gBAAgB,EAAE,GAAG,SAAS,EAAE,GAAG,GAAG,CAAC,SAAS,CAAC;gBAC5D,OAAO;oBACL,GAAG,SAAS;oBACZ,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,EAAE,SAAS,CAAC,GAAG;oBAClB,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;oBACzC,GAAG,EAAE,KAAK;iBACX,CAAC;YACJ,CAAC,CAAC;SACH,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,GAAG,EAAE;QACjC,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,CAAC;QAChD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,2BAA2B,SAAS,CAAC,GAAG,+BAA+B,CAAC,CAAC;QAC3F,CAAC;QAED,IAAI,GAAG,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC,kBAAkB,CAAC;YAChD,GAAG,EAAE,SAAS,CAAC,GAAG;YAClB,GAAG,EAAE,SAAS,CAAC,GAAG;YAClB,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/C,CAAC,CAAC;QAEH,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,cAAc,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACnD,IAAI,OAAO,CAAC,QAAQ;YAAE,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9D,IAAI,OAAO,CAAC,SAAS;YAAE,GAAG,GAAG,GAAG,CAAC,iBAAiB,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;QACtF,IAAI,OAAO,CAAC,MAAM;YAAE,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACxD,IAAI,OAAO,CAAC,GAAG;YAAE,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC/C,IAAI,OAAO,CAAC,OAAO;YAAE,GAAG,GAAG,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAE3D,OAAO,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG,EAAE;QAC/B,MAAM,eAAe,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;QACnD,MAAM,GAAG,GAAG,eAAe,CAAC,GAAG,CAAC;QAChC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,qBAAqB,GAAG,EAAE,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1D,OAAO,SAAS,CAAC,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,CAAC,IAAU,EAAU,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC"}

package/dist/oauth/revoke-handler.d.ts

@@ -0,0 +1,8 @@
+import type { Context } from 'hono';
+import type { AuthHonoPorts } from '../ports.js';
+export interface OAuthRevokeHandlerOptions {
+    dpopIatSkewSeconds?: number;
+    ports: AuthHonoPorts;
+}
+export declare const createOAuthRevokeHandler: (options: OAuthRevokeHandlerOptions) => (c: Context) => Promise<Response>;
+//# sourceMappingURL=revoke-handler.d.ts.map

package/dist/oauth/revoke-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/revoke-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAIjD,MAAM,WAAW,yBAAyB;IACxC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,KAAK,EAAE,aAAa,CAAC;CACtB;AAED,eAAO,MAAM,wBAAwB,YACzB,yBAAyB,SACzB,OAAO,KAAG,QAAQ,QAAQ,CAgBnC,CAAC"}

package/dist/oauth/revoke-handler.js

@@ -0,0 +1,55 @@
+import { decodeJwt } from 'jose';
+import { OAuthDpopProofError, verifyOAuthDpopProof } from './dpop.js';
+import { oauthJsonError } from './http-utils.js';
+export const createOAuthRevokeHandler = (options) => async (c) => {
+    const form = new URLSearchParams(await c.req.text());
+    const token = form.get('token');
+    if (!token)
+        return oauthJsonError(c, 400, 'invalid_request', 'token is required.');
+    const jti = decodeTokenJti(token);
+    if (!jti)
+        return c.json({ success: true });
+    const meta = await options.ports.oauthStateStore.findTokenMeta(jti);
+    if (meta?.dpopJkt) {
+        const dpop = await validateRevokeDpop(c, options, token, meta.dpopJkt);
+        if (dpop instanceof Response)
+            return dpop;
+    }
+    await options.ports.oauthStateStore.revokeToken(jti);
+    return c.json({ success: true });
+};
+const validateRevokeDpop = async (c, options, accessToken, expectedJkt) => {
+    const proof = c.req.header('dpop');
+    if (!proof)
+        return oauthJsonError(c, 400, 'invalid_dpop_proof', 'DPoP proof is required.');
+    try {
+        const verified = await verifyOAuthDpopProof({
+            accessToken,
+            htm: 'POST',
+            htu: c.req.url,
+            iatSkewSeconds: options.dpopIatSkewSeconds,
+            ports: options.ports,
+            proof,
+        });
+        if (verified.jkt !== expectedJkt) {
+            return oauthJsonError(c, 400, 'invalid_dpop_proof', 'DPoP proof key does not match the token.');
+        }
+        return null;
+    }
+    catch (error) {
+        if (error instanceof OAuthDpopProofError) {
+            return oauthJsonError(c, 400, 'invalid_dpop_proof', error.message);
+        }
+        throw error;
+    }
+};
+const decodeTokenJti = (token) => {
+    try {
+        const payload = decodeJwt(token);
+        return typeof payload.jti === 'string' ? payload.jti : null;
+    }
+    catch {
+        return null;
+    }
+};
+//# sourceMappingURL=revoke-handler.js.map

package/dist/oauth/revoke-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke-handler.js","sourceRoot":"","sources":["../../src/oauth/revoke-handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAGjC,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAOjD,MAAM,CAAC,MAAM,wBAAwB,GACnC,CAAC,OAAkC,EAAE,EAAE,CACvC,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,oBAAoB,CAAC,CAAC;IAEnF,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;IAE3C,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;IACpE,IAAI,IAAI,EAAE,OAAO,EAAE,CAAC;QAClB,MAAM,IAAI,GAAG,MAAM,kBAAkB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACvE,IAAI,IAAI,YAAY,QAAQ;YAAE,OAAO,IAAI,CAAC;IAC5C,CAAC;IAED,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACrD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;AACnC,CAAC,CAAC;AAEJ,MAAM,kBAAkB,GAAG,KAAK,EAC9B,CAAU,EACV,OAAkC,EAClC,WAAmB,EACnB,WAAmB,EACO,EAAE;IAC5B,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,KAAK;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,oBAAoB,EAAE,yBAAyB,CAAC,CAAC;IAE3F,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC;YAC1C,WAAW;YACX,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG;YACd,cAAc,EAAE,OAAO,CAAC,kBAAkB;YAC1C,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,KAAK;SACN,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;YACjC,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,oBAAoB,EAAE,0CAA0C,CAAC,CAAC;QAClG,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YACzC,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,oBAAoB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,CAAC,KAAa,EAAiB,EAAE;IACtD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QACjC,OAAO,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,CAAC"}

package/dist/oauth/router.d.ts

@@ -0,0 +1,8 @@
+import { Hono } from 'hono';
+import { type OAuthAuthorizeHandlerOptions } from './authorize-handler.js';
+export interface CreateOAuthRouterOptions extends OAuthAuthorizeHandlerOptions {
+    authorizationCodeTtlSeconds?: number;
+    routePrefix?: string;
+}
+export declare const createOAuthRouter: (options: CreateOAuthRouterOptions) => Hono;
+//# sourceMappingURL=router.d.ts.map

package/dist/oauth/router.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/oauth/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,EAA+B,KAAK,4BAA4B,EAAE,MAAM,wBAAwB,CAAC;AAUxG,MAAM,WAAW,wBAAyB,SAAQ,4BAA4B;IAC5E,2BAA2B,CAAC,EAAE,MAAM,CAAC;IACrC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,eAAO,MAAM,iBAAiB,YAAa,wBAAwB,KAAG,IAcrE,CAAC"}

package/dist/oauth/router.js

@@ -0,0 +1,30 @@
+import { Hono } from 'hono';
+import { createOAuthAuthorizeHandler } from './authorize-handler.js';
+import { createOAuthConsentDecisionHandler, createOAuthConsentDetailsHandler, } from './consent-decision-handler.js';
+import { createOAuthIntrospectHandler } from './introspect-handler.js';
+import { createOAuthRevokeHandler } from './revoke-handler.js';
+import { createOAuthTokenHandler } from './token-handler.js';
+import { createOAuthUserInfoHandler } from './userinfo-handler.js';
+export const createOAuthRouter = (options) => {
+    const router = new Hono();
+    const prefix = normalizeRoutePrefix(options.routePrefix ?? '/oauth');
+    router.get(joinRoutePath(prefix, '/authorize'), createOAuthAuthorizeHandler(options));
+    router.get(joinRoutePath(prefix, '/consent'), createOAuthConsentDetailsHandler(options));
+    router.post(joinRoutePath(prefix, '/consent/decision'), createOAuthConsentDecisionHandler(options));
+    router.post(joinRoutePath(prefix, '/token'), createOAuthTokenHandler(options));
+    router.get(joinRoutePath(prefix, '/userinfo'), createOAuthUserInfoHandler(options));
+    router.post(joinRoutePath(prefix, '/userinfo'), createOAuthUserInfoHandler(options));
+    router.post(joinRoutePath(prefix, '/revoke'), createOAuthRevokeHandler(options));
+    router.post(joinRoutePath(prefix, '/introspect'), createOAuthIntrospectHandler(options));
+    return router;
+};
+const normalizeRoutePrefix = (prefix) => {
+    if (!prefix || prefix === '/')
+        return '';
+    return `/${prefix.replace(/^\/+|\/+$/g, '')}`;
+};
+const joinRoutePath = (prefix, path) => {
+    const normalizedPath = path.startsWith('/') ? path : `/${path}`;
+    return `${prefix}${normalizedPath}`;
+};
+//# sourceMappingURL=router.js.map

package/dist/oauth/router.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/oauth/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,EAAE,2BAA2B,EAAqC,MAAM,wBAAwB,CAAC;AACxG,OAAO,EACL,iCAAiC,EACjC,gCAAgC,GACjC,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,yBAAyB,CAAC;AACvE,OAAO,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AAC/D,OAAO,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,0BAA0B,EAAE,MAAM,uBAAuB,CAAC;AAOnE,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,OAAiC,EAAQ,EAAE;IAC3E,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IAC1B,MAAM,MAAM,GAAG,oBAAoB,CAAC,OAAO,CAAC,WAAW,IAAI,QAAQ,CAAC,CAAC;IAErE,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,2BAA2B,CAAC,OAAO,CAAC,CAAC,CAAC;IACtF,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,gCAAgC,CAAC,OAAO,CAAC,CAAC,CAAC;IACzF,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,mBAAmB,CAAC,EAAE,iCAAiC,CAAC,OAAO,CAAC,CAAC,CAAC;IACpG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,uBAAuB,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/E,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,0BAA0B,CAAC,OAAO,CAAC,CAAC,CAAC;IACpF,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,0BAA0B,CAAC,OAAO,CAAC,CAAC,CAAC;IACrF,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,wBAAwB,CAAC,OAAO,CAAC,CAAC,CAAC;IACjF,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE,4BAA4B,CAAC,OAAO,CAAC,CAAC,CAAC;IAEzF,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,oBAAoB,GAAG,CAAC,MAAc,EAAU,EAAE;IACtD,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IACzC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,EAAE,CAAC;AAChD,CAAC,CAAC;AAEF,MAAM,aAAa,GAAG,CAAC,MAAc,EAAE,IAAY,EAAU,EAAE;IAC7D,MAAM,cAAc,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAChE,OAAO,GAAG,MAAM,GAAG,cAAc,EAAE,CAAC;AACtC,CAAC,CAAC"}

package/dist/oauth/service-auth-middleware.d.ts

@@ -0,0 +1,30 @@
+import type { MiddlewareHandler } from 'hono';
+import type { AuthHonoClockPort } from '../ports.js';
+import type { JwksPort, OauthStateStorePort } from './state-store-types.js';
+/**
+ * Narrow port set for resource-server verification (BR39d-D6). Resource servers
+ * must not construct users/credentials/sessions/email ports just to verify a
+ * bearer or DPoP-bound access token.
+ */
+export interface ServiceAuthPorts {
+    clock: AuthHonoClockPort;
+    jwks: JwksPort;
+    dpopReplay?: Pick<OauthStateStorePort, 'recordDpopJti'>;
+}
+export interface ServiceAuthContext {
+    clientId: string;
+    scopes: string[];
+    jkt: string | null;
+}
+export interface CreateRequireServiceAuthOptions {
+    issuer: string;
+    requiredScopes?: string[];
+    resource: string;
+    ports: ServiceAuthPorts;
+    /** DPoP proof iat acceptance window in seconds (default 60). */
+    dpopIatSkewSeconds?: number;
+    /** Context key the verified service-client context is stored under (default 'serviceClient'). */
+    contextKey?: string;
+}
+export declare const createRequireServiceAuth: (options: CreateRequireServiceAuthOptions) => MiddlewareHandler;
+//# sourceMappingURL=service-auth-middleware.d.ts.map

package/dist/oauth/service-auth-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-auth-middleware.d.ts","sourceRoot":"","sources":["../../src/oauth/service-auth-middleware.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAW,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAEvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,OAAO,KAAK,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAE5E;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,iBAAiB,CAAC;IACzB,IAAI,EAAE,QAAQ,CAAC;IACf,UAAU,CAAC,EAAE,IAAI,CAAC,mBAAmB,EAAE,eAAe,CAAC,CAAC;CACzD;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;CACpB;AAED,MAAM,WAAW,+BAA+B;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,gBAAgB,CAAC;IACxB,gEAAgE;IAChE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,iGAAiG;IACjG,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAcD,eAAO,MAAM,wBAAwB,YAC1B,+BAA+B,KACvC,iBA6BF,CAAC"}

package/dist/oauth/service-auth-middleware.js

@@ -0,0 +1,170 @@
+import { calculateJwkThumbprint, decodeProtectedHeader, importJWK, jwtVerify, } from 'jose';
+import { sha256Base64url } from './crypto-utils.js';
+class ServiceAuthError extends Error {
+    status;
+    code;
+    scheme;
+    constructor(status, code, message, scheme = 'Bearer') {
+        super(message);
+        this.status = status;
+        this.code = code;
+        this.scheme = scheme;
+        this.name = 'ServiceAuthError';
+    }
+}
+export const createRequireServiceAuth = (options) => {
+    const issuer = trimTrailingSlash(options.issuer);
+    const requiredScopes = options.requiredScopes ?? [];
+    const contextKey = options.contextKey ?? 'serviceClient';
+    return async (c, next) => {
+        try {
+            const { scheme, token } = parseAuthorization(c.req.header('authorization'));
+            const payload = await verifyAccessToken(token, options.ports, issuer, options.resource);
+            const scopes = parseScopes(payload.scope);
+            assertScopes(scopes, requiredScopes);
+            const jkt = await enforceDpop(c, payload, token, scheme, options);
+            const serviceContext = {
+                clientId: typeof payload.client_id === 'string' ? payload.client_id : String(payload.sub ?? ''),
+                jkt,
+                scopes,
+            };
+            c.set(contextKey, serviceContext);
+            await next();
+        }
+        catch (error) {
+            if (error instanceof ServiceAuthError) {
+                return serviceAuthErrorResponse(c, error);
+            }
+            throw error;
+        }
+    };
+};
+const parseAuthorization = (header) => {
+    if (!header) {
+        throw new ServiceAuthError(401, 'invalid_token', 'Authorization header is required.');
+    }
+    const [scheme, token] = header.split(/\s+/, 2);
+    if (!token) {
+        throw new ServiceAuthError(401, 'invalid_token', 'Authorization header is malformed.');
+    }
+    if (scheme === 'Bearer')
+        return { scheme: 'Bearer', token };
+    if (scheme === 'DPoP')
+        return { scheme: 'DPoP', token };
+    throw new ServiceAuthError(401, 'invalid_token', 'Unsupported authorization scheme.');
+};
+const verifyAccessToken = async (token, ports, issuer, resource) => {
+    let kid;
+    try {
+        kid = decodeProtectedHeader(token).kid;
+    }
+    catch {
+        throw new ServiceAuthError(401, 'invalid_token', 'Access token header is invalid.');
+    }
+    if (!kid) {
+        throw new ServiceAuthError(401, 'invalid_token', 'Access token is missing a key id.');
+    }
+    const key = await ports.jwks.findKeyByKid(kid);
+    if (!key) {
+        throw new ServiceAuthError(401, 'invalid_token', 'Access token signing key is unknown.');
+    }
+    const publicKey = await importJWK(key.publicJwk, key.alg);
+    const currentDate = ports.clock.now();
+    try {
+        const { payload } = await jwtVerify(token, publicKey, {
+            audience: resource,
+            currentDate,
+            issuer,
+        });
+        return payload;
+    }
+    catch {
+        throw new ServiceAuthError(401, 'invalid_token', 'Access token is invalid, expired, or has the wrong audience.');
+    }
+};
+const parseScopes = (scope) => typeof scope === 'string' ? scope.split(/\s+/).filter(Boolean) : [];
+const assertScopes = (scopes, requiredScopes) => {
+    const granted = new Set(scopes);
+    const missing = requiredScopes.filter((scope) => !granted.has(scope));
+    if (missing.length > 0) {
+        throw new ServiceAuthError(403, 'insufficient_scope', `Missing required scope: ${missing.join(' ')}.`);
+    }
+};
+const enforceDpop = async (c, payload, accessToken, scheme, options) => {
+    const boundJkt = payload.cnf?.jkt;
+    if (!boundJkt)
+        return null;
+    if (scheme !== 'DPoP') {
+        throw new ServiceAuthError(401, 'invalid_token', 'DPoP-bound token requires the DPoP authorization scheme.', 'DPoP');
+    }
+    const proof = c.req.header('dpop');
+    if (!proof) {
+        throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof is required.', 'DPoP');
+    }
+    const verifiedJkt = await verifyServiceDpopProof({
+        accessToken,
+        htm: c.req.method,
+        htu: c.req.url,
+        iatSkewSeconds: options.dpopIatSkewSeconds,
+        ports: options.ports,
+        proof,
+    });
+    if (verifiedJkt !== boundJkt) {
+        throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof key does not match the bound token.', 'DPoP');
+    }
+    return verifiedJkt;
+};
+const verifyServiceDpopProof = async (options) => {
+    const header = decodeProtectedHeader(options.proof);
+    const publicJwk = header.jwk;
+    if (!publicJwk || !header.alg || header.typ !== 'dpop+jwt') {
+        throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof header is invalid.', 'DPoP');
+    }
+    const key = await importJWK(publicJwk, header.alg);
+    let payload;
+    try {
+        ({ payload } = await jwtVerify(options.proof, key));
+    }
+    catch {
+        throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof signature is invalid.', 'DPoP');
+    }
+    const skew = options.iatSkewSeconds ?? 60;
+    if (payload.htm !== options.htm.toUpperCase()) {
+        throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP htm claim does not match the request method.', 'DPoP');
+    }
+    if (payload.htu !== options.htu) {
+        throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP htu claim does not match the request URL.', 'DPoP');
+    }
+    if (!payload.jti || typeof payload.jti !== 'string') {
+        throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP jti claim is required.', 'DPoP');
+    }
+    if (typeof payload.iat !== 'number') {
+        throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP iat claim is required.', 'DPoP');
+    }
+    const nowSeconds = Math.floor(options.ports.clock.now().getTime() / 1000);
+    if (Math.abs(payload.iat - nowSeconds) > skew) {
+        throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP iat claim is outside the allowed skew.', 'DPoP');
+    }
+    // RFC 9449 §4.3: bind the proof to the access token (BR39d-D7).
+    if (payload.ath !== (await sha256Base64url(options.accessToken))) {
+        throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP ath claim does not match the access token.', 'DPoP');
+    }
+    if (options.ports.dpopReplay) {
+        const expiresAt = options.ports.clock.addSeconds(options.ports.clock.now(), skew);
+        const recorded = await options.ports.dpopReplay.recordDpopJti(payload.jti, expiresAt);
+        if (!recorded) {
+            throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof jti was already used.', 'DPoP');
+        }
+    }
+    return calculateJwkThumbprint(publicJwk);
+};
+const serviceAuthErrorResponse = (c, error) => {
+    c.header('WWW-Authenticate', buildWwwAuthenticate(error));
+    return c.json({ error: { code: error.code, message: error.message } }, error.status);
+};
+const buildWwwAuthenticate = (error) => {
+    const params = [`error="${error.code}"`, `error_description="${error.message}"`];
+    return `${error.scheme} ${params.join(', ')}`;
+};
+const trimTrailingSlash = (value) => value.replace(/\/+$/u, '');
+//# sourceMappingURL=service-auth-middleware.js.map