@sentropic/auth-hono 0.2.1 → 0.4.0

package/dist/oauth/service-auth-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-auth-middleware.js","sourceRoot":"","sources":["../../src/oauth/service-auth-middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,SAAS,EACT,SAAS,GAGV,MAAM,MAAM,CAAC;AAId,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AA+BpD,MAAM,gBAAiB,SAAQ,KAAK;IAEvB;IACA;IAEA;IAJX,YACW,MAAiB,EACjB,IAAY,EACrB,OAAe,EACN,SAA4B,QAAQ;QAE7C,KAAK,CAAC,OAAO,CAAC,CAAC;QALN,WAAM,GAAN,MAAM,CAAW;QACjB,SAAI,GAAJ,IAAI,CAAQ;QAEZ,WAAM,GAAN,MAAM,CAA8B;QAG7C,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED,MAAM,CAAC,MAAM,wBAAwB,GAAG,CACtC,OAAwC,EACrB,EAAE;IACrB,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;IACpD,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,eAAe,CAAC;IAEzD,OAAO,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACvB,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC;YAC5E,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;YACxF,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC1C,YAAY,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;YAErC,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;YAElE,MAAM,cAAc,GAAuB;gBACzC,QAAQ,EAAE,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;gBAC/F,GAAG;gBACH,MAAM;aACP,CAAC;YACF,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;YAElC,MAAM,IAAI,EAAE,CAAC;QACf,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,gBAAgB,EAAE,CAAC;gBACtC,OAAO,wBAAwB,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;YAC5C,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,kBAAkB,GAAG,CAAC,MAA0B,EAAgD,EAAE;IACtG,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,eAAe,EAAE,mCAAmC,CAAC,CAAC;IACxF,CAAC;IACD,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,eAAe,EAAE,oCAAoC,CAAC,CAAC;IACzF,CAAC;IACD,IAAI,MAAM,KAAK,QAAQ;QAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC5D,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IACxD,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,eAAe,EAAE,mCAAmC,CAAC,CAAC;AACxF,CAAC,CAAC;AAEF,MAAM,iBAAiB,GAAG,KAAK,EAC7B,KAAa,EACb,KAAuB,EACvB,MAAc,EACd,QAAgB,EACwE,EAAE;IAC1F,IAAI,GAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,GAAG,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,eAAe,EAAE,iCAAiC,CAAC,CAAC;IACtF,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,eAAe,EAAE,mCAAmC,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;IAC/C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,eAAe,EAAE,sCAAsC,CAAC,CAAC;IAC3F,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;IAC1D,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE;YACpD,QAAQ,EAAE,QAAQ;YAClB,WAAW;YACX,MAAM;SACP,CAAC,CAAC;QACH,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,eAAe,EAAE,8DAA8D,CAAC,CAAC;IACnH,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,WAAW,GAAG,CAAC,KAAc,EAAY,EAAE,CAC/C,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AAEtE,MAAM,YAAY,GAAG,CAAC,MAAgB,EAAE,cAAwB,EAAQ,EAAE;IACxE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,MAAM,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,EAAE,2BAA2B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzG,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,WAAW,GAAG,KAAK,EACvB,CAAU,EACV,OAAmC,EACnC,WAAmB,EACnB,MAAyB,EACzB,OAAwC,EAChB,EAAE;IAC1B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC;IAClC,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,eAAe,EAAE,0DAA0D,EAAE,MAAM,CAAC,CAAC;IACvH,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,MAAM,CAAC,CAAC;IAC3F,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,sBAAsB,CAAC;QAC/C,WAAW;QACX,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM;QACjB,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG;QACd,cAAc,EAAE,OAAO,CAAC,kBAAkB;QAC1C,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,KAAK;KACN,CAAC,CAAC;IAEH,IAAI,WAAW,KAAK,QAAQ,EAAE,CAAC;QAC7B,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,EAAE,gDAAgD,EAAE,MAAM,CAAC,CAAC;IAClH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC,CAAC;AAWF,MAAM,sBAAsB,GAAG,KAAK,EAAE,OAAsC,EAAmB,EAAE;IAC/F,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,MAAM,CAAC,GAAsB,CAAC;IAChD,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;QAC3D,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,EAAE,+BAA+B,EAAE,MAAM,CAAC,CAAC;IACjG,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IACnD,IAAI,OAAmB,CAAC;IACxB,IAAI,CAAC;QACH,CAAC,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,EAAE,kCAAkC,EAAE,MAAM,CAAC,CAAC;IACpG,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;IAC1C,IAAI,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC;QAC9C,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,EAAE,mDAAmD,EAAE,MAAM,CAAC,CAAC;IACrH,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,EAAE,gDAAgD,EAAE,MAAM,CAAC,CAAC;IAClH,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpD,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,EAAE,6BAA6B,EAAE,MAAM,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,EAAE,6BAA6B,EAAE,MAAM,CAAC,CAAC;IAC/F,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1E,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,GAAG,UAAU,CAAC,GAAG,IAAI,EAAE,CAAC;QAC9C,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,EAAE,6CAA6C,EAAE,MAAM,CAAC,CAAC;IAC/G,CAAC;IAED,gEAAgE;IAChE,IAAI,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,eAAe,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,EAAE,iDAAiD,EAAE,MAAM,CAAC,CAAC;IACnH,CAAC;IAED,IAAI,OAAO,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,CAAC;QAClF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACtF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,EAAE,kCAAkC,EAAE,MAAM,CAAC,CAAC;QACpG,CAAC;IACH,CAAC;IAED,OAAO,sBAAsB,CAAC,SAAS,CAAC,CAAC;AAC3C,CAAC,CAAC;AAEF,MAAM,wBAAwB,GAAG,CAAC,CAAU,EAAE,KAAuB,EAAY,EAAE;IACjF,CAAC,CAAC,MAAM,CAAC,kBAAkB,EAAE,oBAAoB,CAAC,KAAK,CAAC,CAAC,CAAC;IAC1D,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;AACvF,CAAC,CAAC;AAEF,MAAM,oBAAoB,GAAG,CAAC,KAAuB,EAAU,EAAE;IAC/D,MAAM,MAAM,GAAG,CAAC,UAAU,KAAK,CAAC,IAAI,GAAG,EAAE,sBAAsB,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC;IACjF,OAAO,GAAG,KAAK,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;AAChD,CAAC,CAAC;AAEF,MAAM,iBAAiB,GAAG,CAAC,KAAa,EAAU,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC"}

package/dist/oauth/session-resolver.d.ts

@@ -0,0 +1,9 @@
+import type { AuthHonoPorts, AuthHonoSessionClaims, AuthHonoSessionRecord, AuthHonoUserRecord } from '../ports.js';
+export interface OAuthResolvedSession {
+    claims: AuthHonoSessionClaims;
+    sessionRecord: AuthHonoSessionRecord;
+    user: AuthHonoUserRecord;
+}
+export declare const resolveOAuthSession: (request: Request, ports: AuthHonoPorts) => Promise<OAuthResolvedSession | null>;
+export declare const resolveOAuthAcr: (session: AuthHonoSessionRecord) => string;
+//# sourceMappingURL=session-resolver.d.ts.map

package/dist/oauth/session-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-resolver.d.ts","sourceRoot":"","sources":["../../src/oauth/session-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,aAAa,EACb,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EACnB,MAAM,aAAa,CAAC;AAErB,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,qBAAqB,CAAC;IAC9B,aAAa,EAAE,qBAAqB,CAAC;IACrC,IAAI,EAAE,kBAAkB,CAAC;CAC1B;AAED,eAAO,MAAM,mBAAmB,YACrB,OAAO,SACT,aAAa,KACnB,QAAQ,oBAAoB,GAAG,IAAI,CA4BrC,CAAC;AAEF,eAAO,MAAM,eAAe,YAAa,qBAAqB,KAAG,MACqB,CAAC"}

package/dist/oauth/session-resolver.js

@@ -0,0 +1,28 @@
+export const resolveOAuthSession = async (request, ports) => {
+    const token = ports.cookies.readSessionToken(request);
+    if (!token)
+        return null;
+    const claims = await ports.tokens.verifySessionToken(token);
+    if (!claims)
+        return null;
+    const tokenHash = await ports.tokens.hashSecret(token);
+    const sessionRecord = await ports.sessions.findByTokenHash(tokenHash);
+    const now = ports.clock.now();
+    if (!sessionRecord ||
+        sessionRecord.id !== claims.sessionId ||
+        sessionRecord.userId !== claims.userId ||
+        sessionRecord.revokedAt ||
+        sessionRecord.expiresAt <= now) {
+        return null;
+    }
+    const user = await ports.users.findById(claims.userId);
+    if (!user)
+        return null;
+    const decision = await ports.accountPolicy.canAuthenticate(user, now);
+    if (!decision.allowed)
+        return null;
+    await ports.sessions.touch(sessionRecord.id, now);
+    return { claims, sessionRecord, user };
+};
+export const resolveOAuthAcr = (session) => session.mfaVerified ? 'urn:sentropic:loa:passkey-fresh' : 'urn:sentropic:loa:bearer';
+//# sourceMappingURL=session-resolver.js.map

package/dist/oauth/session-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-resolver.js","sourceRoot":"","sources":["../../src/oauth/session-resolver.ts"],"names":[],"mappings":"AAaA,MAAM,CAAC,MAAM,mBAAmB,GAAG,KAAK,EACtC,OAAgB,EAChB,KAAoB,EACkB,EAAE;IACxC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACtD,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC5D,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACvD,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;IACtE,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IAC9B,IACE,CAAC,aAAa;QACd,aAAa,CAAC,EAAE,KAAK,MAAM,CAAC,SAAS;QACrC,aAAa,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;QACtC,aAAa,CAAC,SAAS;QACvB,aAAa,CAAC,SAAS,IAAI,GAAG,EAC9B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACvD,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,CAAC,eAAe,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACtE,IAAI,CAAC,QAAQ,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAEnC,MAAM,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IAClD,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;AACzC,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,OAA8B,EAAU,EAAE,CACxE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,iCAAiC,CAAC,CAAC,CAAC,0BAA0B,CAAC"}

package/dist/oauth/state-codec.d.ts

@@ -0,0 +1,25 @@
+export interface OAuthContinuationState {
+    acr?: string;
+    authTime?: string;
+    clientId: string;
+    codeChallenge: string;
+    codeChallengeMethod: 'S256';
+    createdAt: string;
+    dpopJkt: string | null;
+    expiresAt: string;
+    nonce: string | null;
+    redirectUri: string;
+    scope: string;
+    state: string | null;
+    tenantId: string | null;
+    userId?: string;
+}
+export interface OAuthContinuationCodec {
+    seal(payload: OAuthContinuationState): Promise<string> | string;
+    unseal(token: string): Promise<OAuthContinuationState | null> | OAuthContinuationState | null;
+}
+export interface CreateOAuthHmacStateCodecOptions {
+    secret: string;
+}
+export declare const createOAuthHmacStateCodec: ({ secret, }: CreateOAuthHmacStateCodecOptions) => OAuthContinuationCodec;
+//# sourceMappingURL=state-codec.d.ts.map

package/dist/oauth/state-codec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"state-codec.d.ts","sourceRoot":"","sources":["../../src/oauth/state-codec.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,sBAAsB;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IAChE,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC,GAAG,sBAAsB,GAAG,IAAI,CAAC;CAC/F;AAED,MAAM,WAAW,gCAAgC;IAC/C,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,eAAO,MAAM,yBAAyB,gBAEnC,gCAAgC,KAAG,sBA2BrC,CAAC"}

package/dist/oauth/state-codec.js

@@ -0,0 +1,60 @@
+export const createOAuthHmacStateCodec = ({ secret, }) => {
+    if (!secret) {
+        throw new Error('OAuth state codec secret is required.');
+    }
+    return {
+        async seal(payload) {
+            const body = base64urlEncode(textEncoder.encode(JSON.stringify(payload)));
+            return `${body}.${await sign(body, secret)}`;
+        },
+        async unseal(token) {
+            const [body, signature, extra] = token.split('.');
+            if (!body || !signature || extra !== undefined)
+                return null;
+            const expected = await sign(body, secret);
+            const actualBytes = base64urlDecode(signature);
+            const expectedBytes = base64urlDecode(expected);
+            if (!timingSafeEqual(actualBytes, expectedBytes))
+                return null;
+            try {
+                return JSON.parse(textDecoder.decode(base64urlDecode(body)));
+            }
+            catch {
+                return null;
+            }
+        },
+    };
+};
+const textEncoder = new TextEncoder();
+const textDecoder = new TextDecoder();
+const sign = async (body, secret) => {
+    const key = await crypto.subtle.importKey('raw', textEncoder.encode(secret), { hash: 'SHA-256', name: 'HMAC' }, false, ['sign']);
+    const signature = await crypto.subtle.sign('HMAC', key, textEncoder.encode(body));
+    return base64urlEncode(new Uint8Array(signature));
+};
+const timingSafeEqual = (actual, expected) => {
+    if (actual.byteLength !== expected.byteLength)
+        return false;
+    let diff = 0;
+    for (let index = 0; index < actual.byteLength; index += 1) {
+        diff |= actual[index] ^ expected[index];
+    }
+    return diff === 0;
+};
+const base64urlEncode = (bytes) => {
+    let binary = '';
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/u, '');
+};
+const base64urlDecode = (value) => {
+    const base64 = value.replaceAll('-', '+').replaceAll('_', '/').padEnd(Math.ceil(value.length / 4) * 4, '=');
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let index = 0; index < binary.length; index += 1) {
+        bytes[index] = binary.charCodeAt(index);
+    }
+    return bytes;
+};
+//# sourceMappingURL=state-codec.js.map

package/dist/oauth/state-codec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"state-codec.js","sourceRoot":"","sources":["../../src/oauth/state-codec.ts"],"names":[],"mappings":"AA0BA,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,EACxC,MAAM,GAC2B,EAA0B,EAAE;IAC7D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO;QACL,KAAK,CAAC,IAAI,CAAC,OAAO;YAChB,MAAM,IAAI,GAAG,eAAe,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAC1E,OAAO,GAAG,IAAI,IAAI,MAAM,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,CAAC;QAC/C,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,KAAK;YAChB,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAClD,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,IAAI,KAAK,KAAK,SAAS;gBAAE,OAAO,IAAI,CAAC;YAE5D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC1C,MAAM,WAAW,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;YAC/C,MAAM,aAAa,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;YAChD,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,aAAa,CAAC;gBAAE,OAAO,IAAI,CAAC;YAE9D,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAA2B,CAAC;YACzF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;AACtC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;AAEtC,MAAM,IAAI,GAAG,KAAK,EAAE,IAAY,EAAE,MAAc,EAAmB,EAAE;IACnE,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,EAC1B,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IACF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAClF,OAAO,eAAe,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;AACpD,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,CAAC,MAAkB,EAAE,QAAoB,EAAW,EAAE;IAC5E,IAAI,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC5D,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QAC1D,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,CAAC,KAAiB,EAAU,EAAE;IACpD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACpF,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,CAAC,KAAa,EAAc,EAAE;IACpD,MAAM,MAAM,GAAG,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;IAC5G,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACtD,KAAK,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC"}

package/dist/oauth/state-store-types.d.ts

@@ -0,0 +1,100 @@
+import type { JWK, KeyLike } from 'jose';
+export type OauthTokenType = 'access_token' | 'id_token';
+export interface OauthClientRecord {
+    id: string;
+    clientId: string;
+    clientSecretHash: string | null;
+    name: string;
+    redirectUris: string[];
+    allowedScopes: string[];
+    grantTypes: string[];
+    responseTypes: string[];
+    tokenEndpointAuthMethod: 'client_secret_basic' | 'none' | (string & {});
+    dpopBoundAccessTokens: boolean;
+    requirePkce: boolean;
+    tenantId: string | null;
+    ownerUserId: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+export interface AuthCodePayload {
+    clientId: string;
+    userId: string;
+    tenantId: string | null;
+    redirectUri: string;
+    scope: string;
+    codeChallenge: string;
+    codeChallengeMethod: 'S256';
+    dpopJkt: string | null;
+    nonce: string | null;
+    acr: string;
+    authTime: Date;
+    expiresAt: Date;
+    createdAt: Date;
+}
+export interface TokenMeta {
+    jti: string;
+    tokenType: OauthTokenType;
+    clientId: string;
+    userId: string;
+    tenantId: string | null;
+    scope: string;
+    audience: string;
+    dpopJkt: string | null;
+    expiresAt: Date;
+    createdAt: Date;
+}
+export interface DpopProofRecord {
+    jti: string;
+    expiresAt: Date;
+    createdAt: Date;
+}
+export interface ServiceClientRecord {
+    id: string;
+    clientId: string;
+    clientSecretHash: string;
+    displayName: string | null;
+    allowedScopes: string[];
+    resourceIndicators: string[];
+    dpopBoundAccessTokens: boolean;
+    tenantId: string | null;
+    secretRotatedAt: Date | null;
+    createdAt: Date;
+    revokedAt: Date | null;
+}
+export interface OauthStateStorePort {
+    findClient(clientId: string): Promise<OauthClientRecord | null>;
+    findServiceClient?(clientId: string): Promise<ServiceClientRecord | null>;
+    saveAuthCode(code: string, payload: AuthCodePayload, ttlSec: number): Promise<void>;
+    consumeAuthCode(code: string): Promise<AuthCodePayload | null>;
+    saveTokenMeta(jti: string, meta: TokenMeta, ttlSec: number): Promise<void>;
+    findTokenMeta(jti: string): Promise<TokenMeta | null>;
+    revokeToken(jti: string): Promise<boolean>;
+    isTokenRevoked(jti: string): Promise<boolean>;
+    recordDpopJti(jti: string, expiresAt: Date): Promise<boolean>;
+    purgeExpired(): Promise<number>;
+}
+export type JwksPublicJwk = JWK & {
+    alg?: 'EdDSA' | (string & {});
+    crv: 'Ed25519' | (string & {});
+    kid?: string;
+    kty: 'OKP' | (string & {});
+    use?: 'sig' | (string & {});
+    x: string;
+};
+export interface JwksKeyRecord {
+    kid: string;
+    alg: 'EdDSA' | (string & {});
+    crv: 'Ed25519' | (string & {});
+    publicJwk: JwksPublicJwk;
+    privateKey?: KeyLike | Uint8Array;
+    active: boolean;
+    createdAt: Date;
+    rotatedAt: Date | null;
+}
+export interface JwksPort {
+    getActiveKey(): Promise<JwksKeyRecord | null>;
+    findKeyByKid(kid: string): Promise<JwksKeyRecord | null>;
+    listPublicKeys(): Promise<JwksKeyRecord[]>;
+}
+//# sourceMappingURL=state-store-types.d.ts.map

package/dist/oauth/state-store-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"state-store-types.d.ts","sourceRoot":"","sources":["../../src/oauth/state-store-types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEzC,MAAM,MAAM,cAAc,GAAG,cAAc,GAAG,UAAU,CAAC;AAEzD,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,uBAAuB,EAAE,qBAAqB,GAAG,MAAM,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IACxE,qBAAqB,EAAE,OAAO,CAAC;IAC/B,WAAW,EAAE,OAAO,CAAC;IACrB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,IAAI,CAAC;IACf,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,cAAc,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;IACzB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,qBAAqB,EAAE,OAAO,CAAC;IAC/B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAAC;IAChE,iBAAiB,CAAC,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAAC;IAC1E,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpF,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;IAC/D,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IACtD,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC3C,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9C,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9D,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CACjC;AAED,MAAM,MAAM,aAAa,GAAG,GAAG,GAAG;IAChC,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC9B,GAAG,EAAE,SAAS,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC/B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,KAAK,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC3B,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC5B,CAAC,EAAE,MAAM,CAAC;CACX,CAAC;AAEF,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,OAAO,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC7B,GAAG,EAAE,SAAS,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC/B,SAAS,EAAE,aAAa,CAAC;IACzB,UAAU,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC;IAClC,MAAM,EAAE,OAAO,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,QAAQ;IACvB,YAAY,IAAI,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAC9C,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IACzD,cAAc,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;CAC5C"}

package/dist/oauth/state-store-types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=state-store-types.js.map

package/dist/oauth/state-store-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"state-store-types.js","sourceRoot":"","sources":["../../src/oauth/state-store-types.ts"],"names":[],"mappings":""}

package/dist/oauth/token-handler.d.ts

@@ -0,0 +1,12 @@
+import type { Context } from 'hono';
+import type { AuthHonoPorts } from '../ports.js';
+export interface OAuthTokenHandlerOptions {
+    accessTokenTtlSeconds?: number;
+    dpopIatSkewSeconds?: number;
+    idTokenTtlSeconds?: number;
+    issuer: string;
+    ports: AuthHonoPorts;
+    serviceAccessTokenTtlSeconds?: number;
+}
+export declare const createOAuthTokenHandler: (options: OAuthTokenHandlerOptions) => (c: Context) => Promise<Response>;
+//# sourceMappingURL=token-handler.d.ts.map

package/dist/oauth/token-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/token-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,KAAK,EAAE,aAAa,EAAsB,MAAM,aAAa,CAAC;AASrE,MAAM,WAAW,wBAAwB;IACvC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,aAAa,CAAC;IACrB,4BAA4B,CAAC,EAAE,MAAM,CAAC;CACvC;AAYD,eAAO,MAAM,uBAAuB,YACxB,wBAAwB,SACxB,OAAO,KAAG,QAAQ,QAAQ,CAqCnC,CAAC"}

package/dist/oauth/token-handler.js

@@ -0,0 +1,294 @@
+import { createJwksService } from './jwks-service.js';
+import { oauthJsonError } from './http-utils.js';
+import { sha256Base64url } from './crypto-utils.js';
+import { OAuthDpopProofError, verifyOAuthDpopProof } from './dpop.js';
+const DEFAULT_SERVICE_ACCESS_TOKEN_TTL_SECONDS = 900;
+export const createOAuthTokenHandler = (options) => async (c) => {
+    const form = new URLSearchParams(await c.req.text());
+    const grantType = form.get('grant_type');
+    if (grantType === 'client_credentials') {
+        return handleClientCredentials(c, form, options);
+    }
+    if (grantType !== 'authorization_code') {
+        return oauthJsonError(c, 400, 'unsupported_grant_type', 'Only authorization_code and client_credentials grants are supported.');
+    }
+    const auth = await authenticateClient(c, form, options.ports);
+    if (auth instanceof Response)
+        return auth;
+    const codePayload = await options.ports.oauthStateStore.consumeAuthCode(form.get('code') ?? '');
+    if (!codePayload || codePayload.clientId !== auth.client.clientId) {
+        return oauthJsonError(c, 400, 'invalid_grant', 'Authorization code is invalid or already used.');
+    }
+    if (form.get('redirect_uri') !== codePayload.redirectUri) {
+        return oauthJsonError(c, 400, 'invalid_grant', 'redirect_uri does not match the authorization request.');
+    }
+    if ((await sha256Base64url(form.get('code_verifier') ?? '')) !== codePayload.codeChallenge) {
+        return oauthJsonError(c, 400, 'invalid_grant', 'PKCE verification failed.');
+    }
+    const dpopJkt = await resolveDpopJkt(c, options, auth.client, codePayload);
+    if (dpopJkt instanceof Response)
+        return dpopJkt;
+    const user = await options.ports.users.findById(codePayload.userId);
+    if (!user)
+        return oauthJsonError(c, 400, 'invalid_grant', 'Authorization code user is invalid.');
+    const tokens = await issueTokens(options, auth.client, codePayload, user, dpopJkt);
+    return c.json(tokens);
+};
+const authenticateClient = async (c, form, ports) => {
+    const credentials = parseClientCredentials(c.req.header('authorization'), form);
+    if (!credentials.clientId) {
+        return oauthJsonError(c, 401, 'invalid_client', 'Client authentication is required.');
+    }
+    const client = await ports.oauthStateStore.findClient(credentials.clientId);
+    if (!client)
+        return oauthJsonError(c, 401, 'invalid_client', 'Client authentication failed.');
+    if (client.tokenEndpointAuthMethod === 'none') {
+        return { client };
+    }
+    if (!credentials.secret || !client.clientSecretHash) {
+        return oauthJsonError(c, 401, 'invalid_client', 'Client secret is required.');
+    }
+    const secretHash = await ports.tokens.hashSecret(credentials.secret);
+    if (secretHash !== client.clientSecretHash) {
+        return oauthJsonError(c, 401, 'invalid_client', 'Client authentication failed.');
+    }
+    return { client, secret: credentials.secret };
+};
+const parseClientCredentials = (authorization, form) => {
+    if (authorization?.startsWith('Basic ')) {
+        const decoded = atob(authorization.slice('Basic '.length));
+        const separator = decoded.indexOf(':');
+        return {
+            clientId: separator >= 0 ? decoded.slice(0, separator) : decoded,
+            secret: separator >= 0 ? decoded.slice(separator + 1) : '',
+        };
+    }
+    return {
+        clientId: form.get('client_id'),
+        secret: form.get('client_secret') ?? undefined,
+    };
+};
+const resolveDpopJkt = async (c, options, client, codePayload) => {
+    if (!client.dpopBoundAccessTokens)
+        return null;
+    const proof = c.req.header('dpop');
+    if (!proof)
+        return oauthJsonError(c, 400, 'invalid_dpop_proof', 'DPoP proof is required.');
+    try {
+        const verified = await verifyOAuthDpopProof({
+            htm: 'POST',
+            htu: c.req.url,
+            iatSkewSeconds: options.dpopIatSkewSeconds,
+            ports: options.ports,
+            proof,
+        });
+        if (codePayload.dpopJkt && codePayload.dpopJkt !== verified.jkt) {
+            return oauthJsonError(c, 400, 'invalid_grant', 'DPoP key does not match the authorization code.');
+        }
+        return verified.jkt;
+    }
+    catch (error) {
+        if (error instanceof OAuthDpopProofError) {
+            return oauthJsonError(c, 400, 'invalid_dpop_proof', error.message);
+        }
+        throw error;
+    }
+};
+const handleClientCredentials = async (c, form, options) => {
+    const findServiceClient = options.ports.oauthStateStore.findServiceClient;
+    if (!findServiceClient) {
+        return oauthJsonError(c, 400, 'unsupported_grant_type', 'The client_credentials grant is not supported.');
+    }
+    const auth = await authenticateServiceClient(c, form, options.ports, findServiceClient);
+    if (auth instanceof Response)
+        return auth;
+    const scope = resolveServiceScope(c, form, auth.client);
+    if (scope instanceof Response)
+        return scope;
+    const resource = resolveResourceIndicator(c, form, auth.client);
+    if (resource instanceof Response)
+        return resource;
+    const dpopJkt = await resolveServiceDpopJkt(c, options, auth.client);
+    if (dpopJkt instanceof Response)
+        return dpopJkt;
+    const tokens = await issueServiceToken(options, auth.client, scope, resource, dpopJkt);
+    return c.json(tokens);
+};
+const authenticateServiceClient = async (c, form, ports, findServiceClient) => {
+    const credentials = parseClientCredentials(c.req.header('authorization'), form);
+    if (!credentials.clientId || !credentials.secret) {
+        return oauthJsonError(c, 401, 'invalid_client', 'Client authentication is required.');
+    }
+    const client = await findServiceClient(credentials.clientId);
+    if (!client)
+        return oauthJsonError(c, 401, 'invalid_client', 'Client authentication failed.');
+    const secretHash = await ports.tokens.hashSecret(credentials.secret);
+    if (secretHash !== client.clientSecretHash) {
+        return oauthJsonError(c, 401, 'invalid_client', 'Client authentication failed.');
+    }
+    return { client, secret: credentials.secret };
+};
+const resolveServiceScope = (c, form, client) => {
+    const requested = (form.get('scope') ?? '').split(/\s+/).filter(Boolean);
+    if (requested.length === 0) {
+        return client.allowedScopes.join(' ');
+    }
+    const allowed = new Set(client.allowedScopes);
+    const unauthorized = requested.filter((scope) => !allowed.has(scope));
+    if (unauthorized.length > 0) {
+        return oauthJsonError(c, 400, 'invalid_scope', `Scope not allowed: ${unauthorized.join(' ')}.`);
+    }
+    return requested.join(' ');
+};
+const resolveResourceIndicator = (c, form, client) => {
+    const requested = form.get('resource');
+    const indicators = client.resourceIndicators;
+    if (requested) {
+        if (!indicators.includes(requested)) {
+            return oauthJsonError(c, 400, 'invalid_target', 'Requested resource is not allowed for this client.');
+        }
+        return requested;
+    }
+    if (indicators.length === 1) {
+        return indicators[0];
+    }
+    if (indicators.length === 0) {
+        return oauthJsonError(c, 400, 'invalid_target', 'A resource indicator is required for this client.');
+    }
+    return oauthJsonError(c, 400, 'invalid_target', 'A resource indicator must be specified when multiple are allowed.');
+};
+const resolveServiceDpopJkt = async (c, options, client) => {
+    if (!client.dpopBoundAccessTokens)
+        return null;
+    const proof = c.req.header('dpop');
+    if (!proof)
+        return oauthJsonError(c, 400, 'invalid_dpop_proof', 'DPoP proof is required.');
+    try {
+        const verified = await verifyOAuthDpopProof({
+            htm: 'POST',
+            htu: c.req.url,
+            iatSkewSeconds: options.dpopIatSkewSeconds,
+            ports: options.ports,
+            proof,
+        });
+        return verified.jkt;
+    }
+    catch (error) {
+        if (error instanceof OAuthDpopProofError) {
+            return oauthJsonError(c, 400, 'invalid_dpop_proof', error.message);
+        }
+        throw error;
+    }
+};
+const issueServiceToken = async (options, client, scope, resource, dpopJkt) => {
+    const ttlSeconds = options.serviceAccessTokenTtlSeconds ?? DEFAULT_SERVICE_ACCESS_TOKEN_TTL_SECONDS;
+    const now = options.ports.clock.now();
+    const expiresAt = options.ports.clock.addSeconds(now, ttlSeconds);
+    const cnf = dpopJkt ? { jkt: dpopJkt } : undefined;
+    const jwks = createJwksService({ clock: options.ports.clock, jwksPort: options.ports.jwks });
+    const accessJti = options.ports.random.uuid();
+    const accessToken = await jwks.signJwt({
+        client_id: client.clientId,
+        ...(cnf ? { cnf } : {}),
+        scope,
+    }, {
+        audience: resource,
+        expiresAt,
+        issuer: trimTrailingSlash(options.issuer),
+        jti: accessJti,
+        subject: client.clientId,
+        type: 'JWT',
+    });
+    // Service tokens are stateless (BR39d-D5): no saveTokenMeta, no oauth_tokens row.
+    return {
+        access_token: accessToken,
+        expires_in: ttlSeconds,
+        scope,
+        token_type: dpopJkt ? 'DPoP' : 'Bearer',
+    };
+};
+const issueTokens = async (options, client, codePayload, user, dpopJkt) => {
+    const accessTokenTtlSeconds = options.accessTokenTtlSeconds ?? 3600;
+    const idTokenTtlSeconds = options.idTokenTtlSeconds ?? 3600;
+    const now = options.ports.clock.now();
+    const accessExpiresAt = options.ports.clock.addSeconds(now, accessTokenTtlSeconds);
+    const idExpiresAt = options.ports.clock.addSeconds(now, idTokenTtlSeconds);
+    const scopes = codePayload.scope.split(/\s+/).filter(Boolean);
+    const cnf = dpopJkt ? { jkt: dpopJkt } : undefined;
+    const jwks = createJwksService({ clock: options.ports.clock, jwksPort: options.ports.jwks });
+    const accessJti = options.ports.random.uuid();
+    const accessAudience = `${trimTrailingSlash(options.issuer)}/api/v1/auth/oauth/userinfo`;
+    const accessToken = await jwks.signJwt({
+        acr: codePayload.acr,
+        auth_time: toEpochSeconds(codePayload.authTime),
+        client_id: client.clientId,
+        ...(cnf ? { cnf } : {}),
+        scope: codePayload.scope,
+    }, {
+        audience: accessAudience,
+        expiresAt: accessExpiresAt,
+        issuer: trimTrailingSlash(options.issuer),
+        jti: accessJti,
+        subject: codePayload.userId,
+        type: 'JWT',
+    });
+    await options.ports.oauthStateStore.saveTokenMeta(accessJti, tokenMeta({
+        audience: accessAudience,
+        client,
+        codePayload,
+        dpopJkt,
+        expiresAt: accessExpiresAt,
+        jti: accessJti,
+        tokenType: 'access_token',
+    }), accessTokenTtlSeconds);
+    const response = {
+        access_token: accessToken,
+        expires_in: accessTokenTtlSeconds,
+        scope: codePayload.scope,
+        token_type: dpopJkt ? 'DPoP' : 'Bearer',
+    };
+    if (scopes.includes('openid')) {
+        const idJti = options.ports.random.uuid();
+        const idToken = await jwks.signJwt({
+            acr: codePayload.acr,
+            auth_time: toEpochSeconds(codePayload.authTime),
+            ...(cnf ? { cnf } : {}),
+            ...(scopes.includes('email') ? { email: user.email, email_verified: user.emailVerified } : {}),
+            ...(scopes.includes('profile') ? { name: user.displayName } : {}),
+            ...(codePayload.nonce ? { nonce: codePayload.nonce } : {}),
+        }, {
+            audience: client.clientId,
+            expiresAt: idExpiresAt,
+            issuer: trimTrailingSlash(options.issuer),
+            jti: idJti,
+            subject: codePayload.userId,
+            type: 'JWT',
+        });
+        response.id_token = idToken;
+        await options.ports.oauthStateStore.saveTokenMeta(idJti, tokenMeta({
+            audience: client.clientId,
+            client,
+            codePayload,
+            dpopJkt,
+            expiresAt: idExpiresAt,
+            jti: idJti,
+            tokenType: 'id_token',
+        }), idTokenTtlSeconds);
+    }
+    return response;
+};
+const tokenMeta = (input) => ({
+    audience: input.audience,
+    clientId: input.client.clientId,
+    createdAt: input.codePayload.createdAt,
+    dpopJkt: input.dpopJkt,
+    expiresAt: input.expiresAt,
+    jti: input.jti,
+    scope: input.codePayload.scope,
+    tenantId: input.codePayload.tenantId,
+    tokenType: input.tokenType,
+    userId: input.codePayload.userId,
+});
+const toEpochSeconds = (date) => Math.floor(date.getTime() / 1000);
+const trimTrailingSlash = (value) => value.replace(/\/+$/u, '');
+//# sourceMappingURL=token-handler.js.map

package/dist/oauth/token-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-handler.js","sourceRoot":"","sources":["../../src/oauth/token-handler.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AAGtE,MAAM,wCAAwC,GAAG,GAAG,CAAC;AAqBrD,MAAM,CAAC,MAAM,uBAAuB,GAClC,CAAC,OAAiC,EAAE,EAAE,CACtC,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACzC,IAAI,SAAS,KAAK,oBAAoB,EAAE,CAAC;QACvC,OAAO,uBAAuB,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,SAAS,KAAK,oBAAoB,EAAE,CAAC;QACvC,OAAO,cAAc,CACnB,CAAC,EACD,GAAG,EACH,wBAAwB,EACxB,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,kBAAkB,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9D,IAAI,IAAI,YAAY,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE1C,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IAChG,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,QAAQ,KAAK,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,eAAe,EAAE,gDAAgD,CAAC,CAAC;IACnG,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,WAAW,CAAC,WAAW,EAAE,CAAC;QACzD,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,eAAe,EAAE,wDAAwD,CAAC,CAAC;IAC3G,CAAC;IACD,IAAI,CAAC,MAAM,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,WAAW,CAAC,aAAa,EAAE,CAAC;QAC3F,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,eAAe,EAAE,2BAA2B,CAAC,CAAC;IAC9E,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAC3E,IAAI,OAAO,YAAY,QAAQ;QAAE,OAAO,OAAO,CAAC;IAEhD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACpE,IAAI,CAAC,IAAI;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,eAAe,EAAE,qCAAqC,CAAC,CAAC;IAEjG,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACnF,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AACxB,CAAC,CAAC;AAEJ,MAAM,kBAAkB,GAAG,KAAK,EAC9B,CAAU,EACV,IAAqB,EACrB,KAAoB,EACsB,EAAE;IAC5C,MAAM,WAAW,GAAG,sBAAsB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,IAAI,CAAC,CAAC;IAChF,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;QAC1B,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,oCAAoC,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAC5E,IAAI,CAAC,MAAM;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,+BAA+B,CAAC,CAAC;IAE9F,IAAI,MAAM,CAAC,uBAAuB,KAAK,MAAM,EAAE,CAAC;QAC9C,OAAO,EAAE,MAAM,EAAE,CAAC;IACpB,CAAC;IAED,IAAI,CAAC,WAAW,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;QACpD,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,4BAA4B,CAAC,CAAC;IAChF,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACrE,IAAI,UAAU,KAAK,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC3C,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,+BAA+B,CAAC,CAAC;IACnF,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC;AAChD,CAAC,CAAC;AAEF,MAAM,sBAAsB,GAAG,CAC7B,aAAiC,EACjC,IAAqB,EACyB,EAAE;IAChD,IAAI,aAAa,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAC3D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACvC,OAAO;YACL,QAAQ,EAAE,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO;YAChE,MAAM,EAAE,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE;SAC3D,CAAC;IACJ,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;QAC/B,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,SAAS;KAC/C,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,KAAK,EAC1B,CAAU,EACV,OAAiC,EACjC,MAAyB,EACzB,WAA4B,EACO,EAAE;IACrC,IAAI,CAAC,MAAM,CAAC,qBAAqB;QAAE,OAAO,IAAI,CAAC;IAE/C,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,KAAK;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,oBAAoB,EAAE,yBAAyB,CAAC,CAAC;IAE3F,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC;YAC1C,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG;YACd,cAAc,EAAE,OAAO,CAAC,kBAAkB;YAC1C,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,KAAK;SACN,CAAC,CAAC;QACH,IAAI,WAAW,CAAC,OAAO,IAAI,WAAW,CAAC,OAAO,KAAK,QAAQ,CAAC,GAAG,EAAE,CAAC;YAChE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,eAAe,EAAE,iDAAiD,CAAC,CAAC;QACpG,CAAC;QACD,OAAO,QAAQ,CAAC,GAAG,CAAC;IACtB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YACzC,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,oBAAoB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,uBAAuB,GAAG,KAAK,EACnC,CAAU,EACV,IAAqB,EACrB,OAAiC,EACd,EAAE;IACrB,MAAM,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,iBAAiB,CAAC;IAC1E,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,wBAAwB,EAAE,gDAAgD,CAAC,CAAC;IAC5G,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,yBAAyB,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;IACxF,IAAI,IAAI,YAAY,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE1C,MAAM,KAAK,GAAG,mBAAmB,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,KAAK,YAAY,QAAQ;QAAE,OAAO,KAAK,CAAC;IAE5C,MAAM,QAAQ,GAAG,wBAAwB,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,QAAQ,YAAY,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAElD,MAAM,OAAO,GAAG,MAAM,qBAAqB,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACrE,IAAI,OAAO,YAAY,QAAQ;QAAE,OAAO,OAAO,CAAC;IAEhD,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IACvF,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AACxB,CAAC,CAAC;AAEF,MAAM,yBAAyB,GAAG,KAAK,EACrC,CAAU,EACV,IAAqB,EACrB,KAAoB,EACpB,iBAAqF,EACpC,EAAE;IACnD,MAAM,WAAW,GAAG,sBAAsB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,IAAI,CAAC,CAAC;IAChF,IAAI,CAAC,WAAW,CAAC,QAAQ,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC;QACjD,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,oCAAoC,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAC7D,IAAI,CAAC,MAAM;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,+BAA+B,CAAC,CAAC;IAE9F,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACrE,IAAI,UAAU,KAAK,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC3C,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,+BAA+B,CAAC,CAAC;IACnF,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC;AAChD,CAAC,CAAC;AAEF,MAAM,mBAAmB,GAAG,CAC1B,CAAU,EACV,IAAqB,EACrB,MAA2B,EACR,EAAE;IACrB,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzE,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACxC,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAC9C,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IACtE,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,eAAe,EAAE,sBAAsB,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAClG,CAAC;IACD,OAAO,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC,CAAC;AAEF,MAAM,wBAAwB,GAAG,CAC/B,CAAU,EACV,IAAqB,EACrB,MAA2B,EACR,EAAE;IACrB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACvC,MAAM,UAAU,GAAG,MAAM,CAAC,kBAAkB,CAAC;IAE7C,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,oDAAoD,CAAC,CAAC;QACxG,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,UAAU,CAAC,CAAC,CAAC,CAAC;IACvB,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,mDAAmD,CAAC,CAAC;IACvG,CAAC;IACD,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,mEAAmE,CAAC,CAAC;AACvH,CAAC,CAAC;AAEF,MAAM,qBAAqB,GAAG,KAAK,EACjC,CAAU,EACV,OAAiC,EACjC,MAA2B,EACQ,EAAE;IACrC,IAAI,CAAC,MAAM,CAAC,qBAAqB;QAAE,OAAO,IAAI,CAAC;IAE/C,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,KAAK;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,oBAAoB,EAAE,yBAAyB,CAAC,CAAC;IAE3F,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC;YAC1C,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG;YACd,cAAc,EAAE,OAAO,CAAC,kBAAkB;YAC1C,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,KAAK;SACN,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,GAAG,CAAC;IACtB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YACzC,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,oBAAoB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,iBAAiB,GAAG,KAAK,EAC7B,OAAiC,EACjC,MAA2B,EAC3B,KAAa,EACb,QAAgB,EAChB,OAAsB,EACtB,EAAE;IACF,MAAM,UAAU,GAAG,OAAO,CAAC,4BAA4B,IAAI,wCAAwC,CAAC;IACpG,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IACnD,MAAM,IAAI,GAAG,iBAAiB,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7F,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9C,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,OAAO,CACpC;QACE,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvB,KAAK;KACN,EACD;QACE,QAAQ,EAAE,QAAQ;QAClB,SAAS;QACT,MAAM,EAAE,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC;QACzC,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,MAAM,CAAC,QAAQ;QACxB,IAAI,EAAE,KAAK;KACZ,CACF,CAAC;IAEF,kFAAkF;IAClF,OAAO;QACL,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,UAAU;QACtB,KAAK;QACL,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;KACxC,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,WAAW,GAAG,KAAK,EACvB,OAAiC,EACjC,MAAyB,EACzB,WAA4B,EAC5B,IAAwB,EACxB,OAAsB,EACtB,EAAE;IACF,MAAM,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,IAAI,IAAI,CAAC;IACpE,MAAM,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,IAAI,IAAI,CAAC;IAC5D,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,qBAAqB,CAAC,CAAC;IACnF,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,iBAAiB,CAAC,CAAC;IAC3E,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IACnD,MAAM,IAAI,GAAG,iBAAiB,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7F,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9C,MAAM,cAAc,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC,6BAA6B,CAAC;IACzF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,OAAO,CACpC;QACE,GAAG,EAAE,WAAW,CAAC,GAAG;QACpB,SAAS,EAAE,cAAc,CAAC,WAAW,CAAC,QAAQ,CAAC;QAC/C,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvB,KAAK,EAAE,WAAW,CAAC,KAAK;KACzB,EACD;QACE,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,eAAe;QAC1B,MAAM,EAAE,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC;QACzC,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,WAAW,CAAC,MAAM;QAC3B,IAAI,EAAE,KAAK;KACZ,CACF,CAAC;IAEF,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAC/C,SAAS,EACT,SAAS,CAAC;QACR,QAAQ,EAAE,cAAc;QACxB,MAAM;QACN,WAAW;QACX,OAAO;QACP,SAAS,EAAE,eAAe;QAC1B,GAAG,EAAE,SAAS;QACd,SAAS,EAAE,cAAc;KAC1B,CAAC,EACF,qBAAqB,CACtB,CAAC;IAEF,MAAM,QAAQ,GAA4B;QACxC,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,qBAAqB;QACjC,KAAK,EAAE,WAAW,CAAC,KAAK;QACxB,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;KACxC,CAAC;IAEF,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAChC;YACE,GAAG,EAAE,WAAW,CAAC,GAAG;YACpB,SAAS,EAAE,cAAc,CAAC,WAAW,CAAC,QAAQ,CAAC;YAC/C,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACvB,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,cAAc,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9F,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACjE,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC3D,EACD;YACE,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,WAAW;YACtB,MAAM,EAAE,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC;YACzC,GAAG,EAAE,KAAK;YACV,OAAO,EAAE,WAAW,CAAC,MAAM;YAC3B,IAAI,EAAE,KAAK;SACZ,CACF,CAAC;QACF,QAAQ,CAAC,QAAQ,GAAG,OAAO,CAAC;QAC5B,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAC/C,KAAK,EACL,SAAS,CAAC;YACR,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,MAAM;YACN,WAAW;YACX,OAAO;YACP,SAAS,EAAE,WAAW;YACtB,GAAG,EAAE,KAAK;YACV,SAAS,EAAE,UAAU;SACtB,CAAC,EACF,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC,CAAC;AAEF,MAAM,SAAS,GAAG,CAAC,KAQlB,EAAa,EAAE,CAAC,CAAC;IAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;IACxB,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,QAAQ;IAC/B,SAAS,EAAE,KAAK,CAAC,WAAW,CAAC,SAAS;IACtC,OAAO,EAAE,KAAK,CAAC,OAAO;IACtB,SAAS,EAAE,KAAK,CAAC,SAAS;IAC1B,GAAG,EAAE,KAAK,CAAC,GAAG;IACd,KAAK,EAAE,KAAK,CAAC,WAAW,CAAC,KAAK;IAC9B,QAAQ,EAAE,KAAK,CAAC,WAAW,CAAC,QAAQ;IACpC,SAAS,EAAE,KAAK,CAAC,SAAS;IAC1B,MAAM,EAAE,KAAK,CAAC,WAAW,CAAC,MAAM;CACjC,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,CAAC,IAAU,EAAU,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;AAEjF,MAAM,iBAAiB,GAAG,CAAC,KAAa,EAAU,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC"}

package/dist/oauth/userinfo-handler.d.ts

@@ -0,0 +1,9 @@
+import type { Context } from 'hono';
+import type { AuthHonoPorts } from '../ports.js';
+export interface OAuthUserInfoHandlerOptions {
+    dpopIatSkewSeconds?: number;
+    issuer: string;
+    ports: AuthHonoPorts;
+}
+export declare const createOAuthUserInfoHandler: (options: OAuthUserInfoHandlerOptions) => (c: Context) => Promise<Response>;
+//# sourceMappingURL=userinfo-handler.d.ts.map

package/dist/oauth/userinfo-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"userinfo-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/userinfo-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAMjD,MAAM,WAAW,2BAA2B;IAC1C,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,aAAa,CAAC;CACtB;AAED,eAAO,MAAM,0BAA0B,YAC3B,2BAA2B,SAC3B,OAAO,KAAG,QAAQ,QAAQ,CA2BnC,CAAC"}