@sentropic/auth-hono 0.2.1 → 0.4.0

package/dist/oauth/userinfo-handler.js

@@ -0,0 +1,93 @@
+import { OAuthDpopProofError, verifyOAuthDpopProof } from './dpop.js';
+import { oauthJsonError } from './http-utils.js';
+import { createJwksService } from './jwks-service.js';
+export const createOAuthUserInfoHandler = (options) => async (c) => {
+    const authorization = parseAccessToken(c.req.header('authorization'));
+    if (!authorization)
+        return unauthorized(c, 'Access token is required.');
+    const payload = await verifyAccessToken(c, options, authorization.token);
+    if (payload instanceof Response)
+        return payload;
+    const meta = await resolveActiveTokenMeta(c, options.ports, payload);
+    if (meta instanceof Response)
+        return meta;
+    if (meta.dpopJkt) {
+        const dpop = await verifyBoundDpop(c, options, authorization, meta);
+        if (dpop instanceof Response)
+            return dpop;
+    }
+    const scopes = meta.scope.split(/\s+/).filter(Boolean);
+    if (scopes.some((scope) => !['openid', 'profile', 'email'].includes(scope))) {
+        return unauthorized(c, 'Access token contains unsupported scopes.');
+    }
+    const user = await options.ports.users.findById(meta.userId);
+    if (!user)
+        return unauthorized(c, 'Access token user is invalid.');
+    return c.json({
+        sub: user.id,
+        ...(scopes.includes('profile') ? { name: user.displayName } : {}),
+        ...(scopes.includes('email') ? { email: user.email, email_verified: user.emailVerified } : {}),
+    });
+};
+const verifyAccessToken = async (c, options, token) => {
+    try {
+        const jwks = createJwksService({ clock: options.ports.clock, jwksPort: options.ports.jwks });
+        const result = await jwks.verifyJwt(token, {
+            audience: `${trimTrailingSlash(options.issuer)}/api/v1/auth/oauth/userinfo`,
+            currentDate: options.ports.clock.now(),
+            issuer: trimTrailingSlash(options.issuer),
+        });
+        return result.payload;
+    }
+    catch {
+        return unauthorized(c, 'Access token is invalid.');
+    }
+};
+const resolveActiveTokenMeta = async (c, ports, payload) => {
+    const jti = payload.jti;
+    if (!jti)
+        return unauthorized(c, 'Access token jti is missing.');
+    const meta = await ports.oauthStateStore.findTokenMeta(jti);
+    if (!meta ||
+        meta.tokenType !== 'access_token' ||
+        meta.expiresAt <= ports.clock.now() ||
+        (await ports.oauthStateStore.isTokenRevoked(jti))) {
+        return unauthorized(c, 'Access token is inactive.');
+    }
+    return meta;
+};
+const verifyBoundDpop = async (c, options, authorization, meta) => {
+    const proof = c.req.header('dpop');
+    if (authorization.scheme !== 'DPoP' || !proof) {
+        return unauthorized(c, 'DPoP proof is required for this access token.');
+    }
+    try {
+        const verified = await verifyOAuthDpopProof({
+            accessToken: authorization.token,
+            htm: c.req.method,
+            htu: c.req.url,
+            iatSkewSeconds: options.dpopIatSkewSeconds,
+            ports: options.ports,
+            proof,
+        });
+        if (verified.jkt !== meta.dpopJkt) {
+            return unauthorized(c, 'DPoP proof key does not match the access token.');
+        }
+        return null;
+    }
+    catch (error) {
+        if (error instanceof OAuthDpopProofError) {
+            return unauthorized(c, error.message);
+        }
+        throw error;
+    }
+};
+const parseAccessToken = (authorization) => {
+    const [scheme, token, extra] = authorization?.split(/\s+/) ?? [];
+    if (extra || !token || (scheme !== 'Bearer' && scheme !== 'DPoP'))
+        return null;
+    return { scheme, token };
+};
+const unauthorized = (c, message) => oauthJsonError(c, 401, 'invalid_token', message);
+const trimTrailingSlash = (value) => value.replace(/\/+$/u, '');
+//# sourceMappingURL=userinfo-handler.js.map

package/dist/oauth/userinfo-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"userinfo-handler.js","sourceRoot":"","sources":["../../src/oauth/userinfo-handler.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAStD,MAAM,CAAC,MAAM,0BAA0B,GACrC,CAAC,OAAoC,EAAE,EAAE,CACzC,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,aAAa,GAAG,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC;IACtE,IAAI,CAAC,aAAa;QAAE,OAAO,YAAY,CAAC,CAAC,EAAE,2BAA2B,CAAC,CAAC;IAExE,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,CAAC,EAAE,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC;IACzE,IAAI,OAAO,YAAY,QAAQ;QAAE,OAAO,OAAO,CAAC;IAEhD,MAAM,IAAI,GAAG,MAAM,sBAAsB,CAAC,CAAC,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACrE,IAAI,IAAI,YAAY,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,CAAC,CAAC;QACpE,IAAI,IAAI,YAAY,QAAQ;YAAE,OAAO,IAAI,CAAC;IAC5C,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACvD,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QAC5E,OAAO,YAAY,CAAC,CAAC,EAAE,2CAA2C,CAAC,CAAC;IACtE,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7D,IAAI,CAAC,IAAI;QAAE,OAAO,YAAY,CAAC,CAAC,EAAE,+BAA+B,CAAC,CAAC;IAEnE,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,GAAG,EAAE,IAAI,CAAC,EAAE;QACZ,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACjE,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,cAAc,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/F,CAAC,CAAC;AACL,CAAC,CAAC;AAEJ,MAAM,iBAAiB,GAAG,KAAK,EAC7B,CAAU,EACV,OAAoC,EACpC,KAAa,EACmB,EAAE;IAClC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,iBAAiB,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAC7F,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;YACzC,QAAQ,EAAE,GAAG,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC,6BAA6B;YAC3E,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE;YACtC,MAAM,EAAE,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC;SAC1C,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,YAAY,CAAC,CAAC,EAAE,0BAA0B,CAAC,CAAC;IACrD,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,sBAAsB,GAAG,KAAK,EAClC,CAAU,EACV,KAAoB,EACpB,OAAmB,EACY,EAAE;IACjC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IACxB,IAAI,CAAC,GAAG;QAAE,OAAO,YAAY,CAAC,CAAC,EAAE,8BAA8B,CAAC,CAAC;IAEjE,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;IAC5D,IACE,CAAC,IAAI;QACL,IAAI,CAAC,SAAS,KAAK,cAAc;QACjC,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE;QACnC,CAAC,MAAM,KAAK,CAAC,eAAe,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,EACjD,CAAC;QACD,OAAO,YAAY,CAAC,CAAC,EAAE,2BAA2B,CAAC,CAAC;IACtD,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,KAAK,EAC3B,CAAU,EACV,OAAoC,EACpC,aAA2D,EAC3D,IAAe,EACW,EAAE;IAC5B,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,aAAa,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QAC9C,OAAO,YAAY,CAAC,CAAC,EAAE,+CAA+C,CAAC,CAAC;IAC1E,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC;YAC1C,WAAW,EAAE,aAAa,CAAC,KAAK;YAChC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM;YACjB,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG;YACd,cAAc,EAAE,OAAO,CAAC,kBAAkB;YAC1C,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,KAAK;SACN,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,GAAG,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,OAAO,YAAY,CAAC,CAAC,EAAE,iDAAiD,CAAC,CAAC;QAC5E,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YACzC,OAAO,YAAY,CAAC,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,gBAAgB,GAAG,CACvB,aAAiC,EACoB,EAAE;IACvD,MAAM,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,GAAG,aAAa,EAAE,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IACjE,IAAI,KAAK,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/E,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAC3B,CAAC,CAAC;AAEF,MAAM,YAAY,GAAG,CAAC,CAAU,EAAE,OAAe,EAAY,EAAE,CAC7D,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;AAEnD,MAAM,iBAAiB,GAAG,CAAC,KAAa,EAAU,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC"}

package/dist/oauth/wellknown-handler.d.ts

@@ -0,0 +1,9 @@
+import { Hono } from 'hono';
+import type { AuthHonoPorts } from '../ports.js';
+export interface CreateWellKnownRouterOptions {
+    issuer: string;
+    oauthPathPrefix?: string;
+    ports: AuthHonoPorts;
+}
+export declare const createWellKnownRouter: (options: CreateWellKnownRouterOptions) => Hono;
+//# sourceMappingURL=wellknown-handler.d.ts.map

package/dist/oauth/wellknown-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wellknown-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/wellknown-handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGjD,MAAM,WAAW,4BAA4B;IAC3C,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,KAAK,EAAE,aAAa,CAAC;CACtB;AAED,eAAO,MAAM,qBAAqB,YAAa,4BAA4B,KAAG,IAiC7E,CAAC"}

package/dist/oauth/wellknown-handler.js

@@ -0,0 +1,37 @@
+import { Hono } from 'hono';
+import { createJwksService } from './jwks-service.js';
+export const createWellKnownRouter = (options) => {
+    const router = new Hono();
+    const issuer = trimTrailingSlash(options.issuer);
+    const oauthPrefix = normalizePathPrefix(options.oauthPathPrefix ?? '/api/v1/auth/oauth');
+    router.get('/openid-configuration', (c) => c.json({
+        authorization_endpoint: `${issuer}${oauthPrefix}/authorize`,
+        claims_supported: ['sub', 'aud', 'iss', 'exp', 'iat', 'nonce', 'auth_time', 'acr', 'email', 'email_verified', 'name'],
+        code_challenge_methods_supported: ['S256'],
+        dpop_signing_alg_values_supported: ['EdDSA'],
+        grant_types_supported: ['authorization_code', 'client_credentials'],
+        id_token_signing_alg_values_supported: ['EdDSA'],
+        introspection_endpoint: `${issuer}${oauthPrefix}/introspect`,
+        issuer,
+        jwks_uri: `${issuer}/.well-known/jwks.json`,
+        response_types_supported: ['code'],
+        revocation_endpoint: `${issuer}${oauthPrefix}/revoke`,
+        scopes_supported: ['openid', 'profile', 'email'],
+        subject_types_supported: ['public'],
+        token_endpoint: `${issuer}${oauthPrefix}/token`,
+        token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post', 'none'],
+        userinfo_endpoint: `${issuer}${oauthPrefix}/userinfo`,
+    }));
+    router.get('/jwks.json', async (c) => {
+        const jwks = createJwksService({ clock: options.ports.clock, jwksPort: options.ports.jwks });
+        c.header('Cache-Control', 'public, max-age=300');
+        return c.json(await jwks.getPublicJwks());
+    });
+    return router;
+};
+const trimTrailingSlash = (value) => value.replace(/\/+$/u, '');
+const normalizePathPrefix = (value) => {
+    const trimmed = value.replace(/^\/+|\/+$/gu, '');
+    return trimmed ? `/${trimmed}` : '';
+};
+//# sourceMappingURL=wellknown-handler.js.map

package/dist/oauth/wellknown-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wellknown-handler.js","sourceRoot":"","sources":["../../src/oauth/wellknown-handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAG5B,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAQtD,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,OAAqC,EAAQ,EAAE;IACnF,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IAC1B,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,WAAW,GAAG,mBAAmB,CAAC,OAAO,CAAC,eAAe,IAAI,oBAAoB,CAAC,CAAC;IAEzF,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,CAAC,CAAC,EAAE,EAAE,CACxC,CAAC,CAAC,IAAI,CAAC;QACL,sBAAsB,EAAE,GAAG,MAAM,GAAG,WAAW,YAAY;QAC3D,gBAAgB,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,CAAC;QACrH,gCAAgC,EAAE,CAAC,MAAM,CAAC;QAC1C,iCAAiC,EAAE,CAAC,OAAO,CAAC;QAC5C,qBAAqB,EAAE,CAAC,oBAAoB,EAAE,oBAAoB,CAAC;QACnE,qCAAqC,EAAE,CAAC,OAAO,CAAC;QAChD,sBAAsB,EAAE,GAAG,MAAM,GAAG,WAAW,aAAa;QAC5D,MAAM;QACN,QAAQ,EAAE,GAAG,MAAM,wBAAwB;QAC3C,wBAAwB,EAAE,CAAC,MAAM,CAAC;QAClC,mBAAmB,EAAE,GAAG,MAAM,GAAG,WAAW,SAAS;QACrD,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;QAChD,uBAAuB,EAAE,CAAC,QAAQ,CAAC;QACnC,cAAc,EAAE,GAAG,MAAM,GAAG,WAAW,QAAQ;QAC/C,qCAAqC,EAAE,CAAC,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,CAAC;QAC5F,iBAAiB,EAAE,GAAG,MAAM,GAAG,WAAW,WAAW;KACtD,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACnC,MAAM,IAAI,GAAG,iBAAiB,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAC7F,CAAC,CAAC,MAAM,CAAC,eAAe,EAAE,qBAAqB,CAAC,CAAC;QACjD,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,iBAAiB,GAAG,CAAC,KAAa,EAAU,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;AAEhF,MAAM,mBAAmB,GAAG,CAAC,KAAa,EAAU,EAAE;IACpD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;IACjD,OAAO,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AACtC,CAAC,CAAC"}

package/dist/ports.d.ts

@@ -1,3 +1,5 @@
+import type { JwksPort, OauthStateStorePort } from './oauth/state-store-types.js';
+export type { AuthCodePayload, DpopProofRecord, JwksKeyRecord, JwksPort, JwksPublicJwk, OauthClientRecord, OauthStateStorePort, OauthTokenType, ServiceClientRecord, TokenMeta, } from './oauth/state-store-types.js';
 export type AuthHonoAccountStatus = 'active' | 'pending_admin_approval' | 'approval_expired_readonly' | 'disabled_by_user' | 'disabled_by_admin' | (string & {});
 export type AuthHonoChallengeType = 'registration' | 'authentication';
 export interface AuthHonoDeviceInfo {
@@ -275,5 +277,7 @@ export interface AuthHonoPorts {
     clock: AuthHonoClockPort;
     random: AuthHonoRandomPort;
     accountPolicy: AuthHonoAccountPolicyPort;
+    oauthStateStore: OauthStateStorePort;
+    jwks: JwksPort;
 }
 //# sourceMappingURL=ports.d.ts.map

package/dist/ports.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ports.d.ts","sourceRoot":"","sources":["../src/ports.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,qBAAqB,GAC7B,QAAQ,GACR,wBAAwB,GACxB,2BAA2B,GAC3B,kBAAkB,GAClB,mBAAmB,GACnB,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB,MAAM,MAAM,qBAAqB,GAAG,cAAc,GAAG,gBAAgB,CAAC;AAEtE,MAAM,WAAW,kBAAkB;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,OAAO,CAAC;IACvB,aAAa,EAAE,qBAAqB,CAAC;IACrC,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;IAC3B,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,qBAAqB,CAAC;IACtC,aAAa,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,qBAAqB,CAAC;IACtC,aAAa,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC5B,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC7D,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC/D,MAAM,CAAC,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACpE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC3F,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAC1B;AAED,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,UAAU,GAAG,WAAW,GAAG,MAAM,CAAC;IAC7C,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,UAAU,GAAG,WAAW,GAAG,MAAM,CAAC;IAC7C,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IAC/E,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IACnF,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,EAAE,CAAC,CAAC;IACjE,MAAM,CAAC,KAAK,EAAE,6BAA6B,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;IAChF,aAAa,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvF,MAAM,CAAC,kBAAkB,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IAC3G,MAAM,CAAC,kBAAkB,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACtE;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,IAAI,EAAE,qBAAqB,CAAC;IAC5B,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,4BAA4B;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,IAAI,EAAE,qBAAqB,CAAC;IAC5B,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,KAAK,EAAE,4BAA4B,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAC9E,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC;IACnG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3C,YAAY,CAAC,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC1C;AAED,MAAM,WAAW,qBAAqB;IACpC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;IAChB,cAAc,EAAE,IAAI,CAAC;IACrB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,0BAA0B;IACzC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,UAAU,CAAC,EAAE,kBAAkB,CAAC;IAChC,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,GAAG,EAAE,IAAI,CAAC;CACX;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,CAAC,KAAK,EAAE,0BAA0B,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAC1E,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACnE,eAAe,CAAC,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACjF,sBAAsB,CAAC,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACxF,KAAK,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,YAAY,CAAC,KAAK,EAAE;QAClB,SAAS,EAAE,IAAI,CAAC;QAChB,gBAAgB,EAAE,MAAM,CAAC;QACzB,SAAS,EAAE,MAAM,CAAC;QAClB,gBAAgB,EAAE,MAAM,CAAC;KAC1B,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5C,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC,CAAC;CAC/D;AAED,MAAM,WAAW,+BAA+B;IAC9C,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,6BAA6B;IAC5C,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACzD,UAAU,CAAC,KAAK,EAAE;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,SAAS,EAAE,IAAI,CAAC;QAChB,GAAG,EAAE,IAAI,CAAC;KACX,GAAG,OAAO,CAAC,+BAA+B,CAAC,CAAC;IAC7C,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,+BAA+B,GAAG,IAAI,CAAC,CAAC;IACjH,6BAA6B,CAAC,EAAE,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpF,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACpF;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,KAAK,EAAE;QACZ,KAAK,EAAE,MAAM,CAAC;QACd,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACvB,SAAS,EAAE,IAAI,CAAC;QAChB,GAAG,EAAE,IAAI,CAAC;KACX,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACrC,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC;IAC5F,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7D;AAED,MAAM,WAAW,yBAAyB;IACxC,oBAAoB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7F,aAAa,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrG;AAED,MAAM,WAAW,kBAAkB;IACjC,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,sBAAsB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,MAAM,CAAC;IAC1E,sBAAsB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,MAAM,CAAC;IAC1E,6BAA6B,IAAI,MAAM,CAAC;IACxC,6BAA6B,IAAI,MAAM,CAAC;CACzC;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,iBAAiB;IAChC,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IACrD,gBAAgB,CAAC,MAAM,EAAE,qBAAqB,EAAE,SAAS,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClF,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACzE,qBAAqB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACnF;AAED,MAAM,MAAM,kBAAkB,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AAErE,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,KAAK,EAAE,kBAAkB,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAC1G;AAED,MAAM,WAAW,iBAAiB;IAChC,GAAG,IAAI,IAAI,CAAC;IACZ,UAAU,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/C;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,IAAI,MAAM,CAAC;IACf,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC;IAClC,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,6BAA6B;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,yBAAyB;IACxC,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACtC,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACzC,uBAAuB,CAAC,CAAC,IAAI,EAAE,kBAAkB,GAAG,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;IAC7F,cAAc,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IACzF,gBAAgB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,OAAO,CAAC;QAAC,GAAG,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC;QACnF,aAAa,EAAE,qBAAqB,CAAC;QACrC,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;KAC5B,CAAC,GAAG;QACH,aAAa,EAAE,qBAAqB,CAAC;QACrC,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;KAC5B,CAAC;IACF,eAAe,CAAC,IAAI,EAAE,kBAAkB,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,6BAA6B,CAAC,GAAG,6BAA6B,CAAC;IAC7H,kBAAkB,CAAC,IAAI,EAAE,kBAAkB,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IAClF,gBAAgB,CAAC,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACnE;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,gBAAgB,CAAC;IACxB,WAAW,EAAE,sBAAsB,CAAC;IACpC,UAAU,EAAE,qBAAqB,CAAC;IAClC,QAAQ,EAAE,mBAAmB,CAAC;IAC9B,iBAAiB,EAAE,6BAA6B,CAAC;IACjD,UAAU,EAAE,qBAAqB,CAAC;IAClC,aAAa,EAAE,yBAAyB,CAAC;IACzC,OAAO,EAAE,kBAAkB,CAAC;IAC5B,MAAM,EAAE,iBAAiB,CAAC;IAC1B,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,KAAK,EAAE,iBAAiB,CAAC;IACzB,MAAM,EAAE,kBAAkB,CAAC;IAC3B,aAAa,EAAE,yBAAyB,CAAC;CAC1C"}
+{"version":3,"file":"ports.d.ts","sourceRoot":"","sources":["../src/ports.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAElF,YAAY,EACV,eAAe,EACf,eAAe,EACf,aAAa,EACb,QAAQ,EACR,aAAa,EACb,iBAAiB,EACjB,mBAAmB,EACnB,cAAc,EACd,mBAAmB,EACnB,SAAS,GACV,MAAM,8BAA8B,CAAC;AAEtC,MAAM,MAAM,qBAAqB,GAC7B,QAAQ,GACR,wBAAwB,GACxB,2BAA2B,GAC3B,kBAAkB,GAClB,mBAAmB,GACnB,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB,MAAM,MAAM,qBAAqB,GAAG,cAAc,GAAG,gBAAgB,CAAC;AAEtE,MAAM,WAAW,kBAAkB;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,OAAO,CAAC;IACvB,aAAa,EAAE,qBAAqB,CAAC;IACrC,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;IAC3B,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,qBAAqB,CAAC;IACtC,aAAa,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,qBAAqB,CAAC;IACtC,aAAa,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC5B,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC7D,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC/D,MAAM,CAAC,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACpE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC3F,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAC1B;AAED,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,UAAU,GAAG,WAAW,GAAG,MAAM,CAAC;IAC7C,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,UAAU,GAAG,WAAW,GAAG,MAAM,CAAC;IAC7C,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IAC/E,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IACnF,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,EAAE,CAAC,CAAC;IACjE,MAAM,CAAC,KAAK,EAAE,6BAA6B,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;IAChF,aAAa,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvF,MAAM,CAAC,kBAAkB,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IAC3G,MAAM,CAAC,kBAAkB,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACtE;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,IAAI,EAAE,qBAAqB,CAAC;IAC5B,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,4BAA4B;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,IAAI,EAAE,qBAAqB,CAAC;IAC5B,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,KAAK,EAAE,4BAA4B,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAC9E,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC;IACnG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3C,YAAY,CAAC,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC1C;AAED,MAAM,WAAW,qBAAqB;IACpC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;IAChB,cAAc,EAAE,IAAI,CAAC;IACrB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,0BAA0B;IACzC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,UAAU,CAAC,EAAE,kBAAkB,CAAC;IAChC,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,GAAG,EAAE,IAAI,CAAC;CACX;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,CAAC,KAAK,EAAE,0BAA0B,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAC1E,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACnE,eAAe,CAAC,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACjF,sBAAsB,CAAC,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACxF,KAAK,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,YAAY,CAAC,KAAK,EAAE;QAClB,SAAS,EAAE,IAAI,CAAC;QAChB,gBAAgB,EAAE,MAAM,CAAC;QACzB,SAAS,EAAE,MAAM,CAAC;QAClB,gBAAgB,EAAE,MAAM,CAAC;KAC1B,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5C,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC,CAAC;CAC/D;AAED,MAAM,WAAW,+BAA+B;IAC9C,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,6BAA6B;IAC5C,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACzD,UAAU,CAAC,KAAK,EAAE;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,SAAS,EAAE,IAAI,CAAC;QAChB,GAAG,EAAE,IAAI,CAAC;KACX,GAAG,OAAO,CAAC,+BAA+B,CAAC,CAAC;IAC7C,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,+BAA+B,GAAG,IAAI,CAAC,CAAC;IACjH,6BAA6B,CAAC,EAAE,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpF,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACpF;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,KAAK,EAAE;QACZ,KAAK,EAAE,MAAM,CAAC;QACd,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACvB,SAAS,EAAE,IAAI,CAAC;QAChB,GAAG,EAAE,IAAI,CAAC;KACX,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACrC,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC;IAC5F,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7D;AAED,MAAM,WAAW,yBAAyB;IACxC,oBAAoB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7F,aAAa,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrG;AAED,MAAM,WAAW,kBAAkB;IACjC,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,sBAAsB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,MAAM,CAAC;IAC1E,sBAAsB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,MAAM,CAAC;IAC1E,6BAA6B,IAAI,MAAM,CAAC;IACxC,6BAA6B,IAAI,MAAM,CAAC;CACzC;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,iBAAiB;IAChC,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IACrD,gBAAgB,CAAC,MAAM,EAAE,qBAAqB,EAAE,SAAS,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClF,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACzE,qBAAqB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACnF;AAED,MAAM,MAAM,kBAAkB,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AAErE,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,KAAK,EAAE,kBAAkB,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAC1G;AAED,MAAM,WAAW,iBAAiB;IAChC,GAAG,IAAI,IAAI,CAAC;IACZ,UAAU,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/C;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,IAAI,MAAM,CAAC;IACf,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC;IAClC,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,6BAA6B;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,yBAAyB;IACxC,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACtC,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACzC,uBAAuB,CAAC,CAAC,IAAI,EAAE,kBAAkB,GAAG,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;IAC7F,cAAc,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IACzF,gBAAgB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,OAAO,CAAC;QAAC,GAAG,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC;QACnF,aAAa,EAAE,qBAAqB,CAAC;QACrC,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;KAC5B,CAAC,GAAG;QACH,aAAa,EAAE,qBAAqB,CAAC;QACrC,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;KAC5B,CAAC;IACF,eAAe,CAAC,IAAI,EAAE,kBAAkB,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,6BAA6B,CAAC,GAAG,6BAA6B,CAAC;IAC7H,kBAAkB,CAAC,IAAI,EAAE,kBAAkB,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IAClF,gBAAgB,CAAC,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACnE;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,gBAAgB,CAAC;IACxB,WAAW,EAAE,sBAAsB,CAAC;IACpC,UAAU,EAAE,qBAAqB,CAAC;IAClC,QAAQ,EAAE,mBAAmB,CAAC;IAC9B,iBAAiB,EAAE,6BAA6B,CAAC;IACjD,UAAU,EAAE,qBAAqB,CAAC;IAClC,aAAa,EAAE,yBAAyB,CAAC;IACzC,OAAO,EAAE,kBAAkB,CAAC;IAC5B,MAAM,EAAE,iBAAiB,CAAC;IAC1B,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,KAAK,EAAE,iBAAiB,CAAC;IACzB,MAAM,EAAE,kBAAkB,CAAC;IAC3B,aAAa,EAAE,yBAAyB,CAAC;IACzC,eAAe,EAAE,mBAAmB,CAAC;IACrC,IAAI,EAAE,QAAQ,CAAC;CAChB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentropic/auth-hono",
-  "version": "0.2.1",
+  "version": "0.4.0",
   "description": "Reusable Hono authentication route factories, contracts, and server-side auth helpers for Sentropic-compatible apps.",
   "type": "module",
   "license": "MIT",

package/src/contracts.ts

@@ -94,6 +94,8 @@ export const AUTH_HONO_REQUIRED_PORTS = [
   'clock',
   'random',
   'accountPolicy',
+  'oauthStateStore',
+  'jwks',
 ] as const satisfies readonly (keyof AuthHonoPorts)[];
 
 export type AuthHonoRequiredPort = (typeof AUTH_HONO_REQUIRED_PORTS)[number];

package/src/index.ts

@@ -3,6 +3,22 @@ export * from './credential-route-handlers.js';
 export * from './email-verification.js';
 export * from './magic-link.js';
 export * from './middleware.js';
+export * from './oauth/authorize-handler.js';
+export * from './oauth/consent-decision-handler.js';
+export * from './oauth/crypto-utils.js';
+export * from './oauth/dpop.js';
+export * from './oauth/http-utils.js';
+export * from './oauth/introspect-handler.js';
+export * from './oauth/jwks-service.js';
+export * from './oauth/router.js';
+export * from './oauth/revoke-handler.js';
+export * from './oauth/service-auth-middleware.js';
+export * from './oauth/session-resolver.js';
+export * from './oauth/state-store-types.js';
+export * from './oauth/state-codec.js';
+export * from './oauth/token-handler.js';
+export * from './oauth/userinfo-handler.js';
+export * from './oauth/wellknown-handler.js';
 export * from './ports.js';
 export * from './route-handlers.js';
 export * from './router.js';

package/src/oauth/authorize-handler.ts

@@ -0,0 +1,201 @@
+import type { Context } from 'hono';
+
+import type { AuthHonoPorts } from '../ports.js';
+import type { OauthClientRecord } from './state-store-types.js';
+import type { OAuthContinuationCodec, OAuthContinuationState } from './state-codec.js';
+import { appendParams, oauthJsonError, redirectWithOAuthError } from './http-utils.js';
+import { resolveOAuthAcr, resolveOAuthSession } from './session-resolver.js';
+
+export interface OAuthAuthorizeHandlerOptions {
+  consentUrl: string;
+  issuer: string;
+  loginUrl: string;
+  ports: AuthHonoPorts;
+  stateCodec: OAuthContinuationCodec;
+  stateTtlSeconds?: number;
+}
+
+interface ValidatedAuthorizeRequest {
+  client: OauthClientRecord;
+  codeChallenge: string;
+  dpopJkt: string | null;
+  nonce: string | null;
+  redirectUri: string;
+  scope: string;
+  state: string | null;
+}
+
+export const createOAuthAuthorizeHandler =
+  (options: OAuthAuthorizeHandlerOptions) =>
+  async (c: Context): Promise<Response> => {
+    const continuation = c.req.query('continue');
+    if (continuation) {
+      return resumeLoginContinuation(c, options, continuation);
+    }
+
+    const validation = await validateAuthorizeRequest(c, options.ports);
+    if (validation instanceof Response) return validation;
+
+    const prompt = c.req.query('prompt') ?? '';
+    const session = await resolveOAuthSession(c.req.raw, options.ports);
+
+    if (!session || prompt === 'login') {
+      if (prompt === 'none') {
+        return redirectWithOAuthError(validation.redirectUri, 'login_required', validation.state, c.req.url);
+      }
+
+      const continuation = await sealContinuation(c, options, validation);
+      return c.redirect(appendParams(options.loginUrl, { continue: continuation }, c.req.url), 302);
+    }
+
+    if (prompt === 'none') {
+      return redirectWithOAuthError(validation.redirectUri, 'consent_required', validation.state, c.req.url);
+    }
+
+    const sealedState = await sealContinuation(c, options, validation, {
+      acr: resolveOAuthAcr(session.sessionRecord),
+      authTime: session.sessionRecord.createdAt.toISOString(),
+      userId: session.user.id,
+    });
+
+    return c.redirect(appendParams(options.consentUrl, { state: sealedState }, c.req.url), 302);
+  };
+
+const resumeLoginContinuation = async (
+  c: Context,
+  options: OAuthAuthorizeHandlerOptions,
+  continuation: string
+): Promise<Response> => {
+  const payload = await options.stateCodec.unseal(continuation);
+  const now = options.ports.clock.now();
+  if (!payload || payload.userId || payload.codeChallengeMethod !== 'S256' || new Date(payload.expiresAt) <= now) {
+    return oauthJsonError(c, 400, 'invalid_request', 'OAuth continuation is invalid or expired.');
+  }
+
+  const client = await options.ports.oauthStateStore.findClient(payload.clientId);
+  if (!client) return oauthJsonError(c, 400, 'invalid_request', 'Unknown OAuth client.');
+
+  const redirectError = validateRedirectUri(client, payload.redirectUri);
+  if (redirectError) return oauthJsonError(c, 400, 'invalid_request', redirectError);
+
+  const scopeResult = validateScope(payload.scope, client, payload.redirectUri, payload.state, c.req.url);
+  if (scopeResult instanceof Response) return scopeResult;
+
+  const session = await resolveOAuthSession(c.req.raw, options.ports);
+  if (!session) {
+    return c.redirect(appendParams(options.loginUrl, { continue: continuation }, c.req.url), 302);
+  }
+
+  const expiresAt = options.ports.clock.addSeconds(now, options.stateTtlSeconds ?? 10 * 60);
+  const sealedState = await options.stateCodec.seal({
+    ...payload,
+    acr: resolveOAuthAcr(session.sessionRecord),
+    authTime: session.sessionRecord.createdAt.toISOString(),
+    createdAt: now.toISOString(),
+    expiresAt: expiresAt.toISOString(),
+    scope: scopeResult,
+    userId: session.user.id,
+  });
+
+  return c.redirect(appendParams(options.consentUrl, { state: sealedState }, c.req.url), 302);
+};
+
+const validateAuthorizeRequest = async (
+  c: Context,
+  ports: AuthHonoPorts
+): Promise<ValidatedAuthorizeRequest | Response> => {
+  const clientId = c.req.query('client_id');
+  const client = clientId ? await ports.oauthStateStore.findClient(clientId) : null;
+  if (!client) {
+    return oauthJsonError(c, 400, 'invalid_request', 'Unknown OAuth client.');
+  }
+
+  const redirectUri = c.req.query('redirect_uri') ?? '';
+  const redirectError = validateRedirectUri(client, redirectUri);
+  if (redirectError) {
+    return oauthJsonError(c, 400, 'invalid_request', redirectError);
+  }
+
+  const state = c.req.query('state') ?? null;
+  if (c.req.query('response_type') !== 'code') {
+    return redirectWithOAuthError(redirectUri, 'unsupported_response_type', state, c.req.url);
+  }
+
+  const codeChallenge = c.req.query('code_challenge') ?? '';
+  if (!codeChallenge || c.req.query('code_challenge_method') !== 'S256') {
+    return redirectWithOAuthError(redirectUri, 'invalid_request', state, c.req.url);
+  }
+
+  const scopeResult = validateScope(c.req.query('scope') ?? '', client, redirectUri, state, c.req.url);
+  if (scopeResult instanceof Response) return scopeResult;
+
+  return {
+    client,
+    codeChallenge,
+    dpopJkt: c.req.query('dpop_jkt') ?? null,
+    nonce: c.req.query('nonce') ?? null,
+    redirectUri,
+    scope: scopeResult,
+    state,
+  };
+};
+
+const validateRedirectUri = (client: OauthClientRecord, redirectUri: string): string | null => {
+  if (!client.redirectUris.includes(redirectUri)) return 'redirect_uri is not registered for this client.';
+
+  let parsed: URL;
+  try {
+    parsed = new URL(redirectUri);
+  } catch {
+    return 'redirect_uri must be an absolute URI.';
+  }
+
+  if (parsed.hash) return 'redirect_uri must not contain a fragment.';
+  if (parsed.username || parsed.password) return 'redirect_uri must not contain credentials.';
+  if (parsed.protocol === 'https:') return null;
+  if (parsed.protocol === 'http:' && ['localhost', '127.0.0.1'].includes(parsed.hostname)) return null;
+  return 'redirect_uri must use https except for localhost development callbacks.';
+};
+
+const validateScope = (
+  scope: string,
+  client: OauthClientRecord,
+  redirectUri: string,
+  state: string | null,
+  baseUrl: string
+): string | Response => {
+  const requestedScopes = scope.split(/\s+/).filter(Boolean);
+  if (requestedScopes.includes('offline_access')) {
+    return redirectWithOAuthError(redirectUri, 'invalid_scope', state, baseUrl);
+  }
+  if (requestedScopes.some((requestedScope) => !client.allowedScopes.includes(requestedScope))) {
+    return redirectWithOAuthError(redirectUri, 'invalid_scope', state, baseUrl);
+  }
+  return requestedScopes.join(' ');
+};
+
+const sealContinuation = async (
+  c: Context,
+  options: OAuthAuthorizeHandlerOptions,
+  request: ValidatedAuthorizeRequest,
+  session?: Pick<OAuthContinuationState, 'acr' | 'authTime' | 'userId'>
+): Promise<string> => {
+  const now = options.ports.clock.now();
+  const expiresAt = options.ports.clock.addSeconds(now, options.stateTtlSeconds ?? 10 * 60);
+  return options.stateCodec.seal({
+    acr: session?.acr,
+    authTime: session?.authTime,
+    clientId: request.client.clientId,
+    codeChallenge: request.codeChallenge,
+    codeChallengeMethod: 'S256',
+    createdAt: now.toISOString(),
+    dpopJkt: request.dpopJkt,
+    expiresAt: expiresAt.toISOString(),
+    nonce: request.nonce,
+    redirectUri: request.redirectUri,
+    scope: request.scope,
+    state: request.state,
+    tenantId: request.client.tenantId,
+    userId: session?.userId,
+  });
+};

package/src/oauth/consent-decision-handler.ts

@@ -0,0 +1,93 @@
+import type { Context } from 'hono';
+
+import type { AuthHonoPorts } from '../ports.js';
+import { appendParams, oauthJsonError, redirectOrJson } from './http-utils.js';
+import type { OAuthContinuationCodec, OAuthContinuationState } from './state-codec.js';
+import { resolveOAuthSession } from './session-resolver.js';
+
+export interface OAuthConsentHandlerOptions {
+  authorizationCodeTtlSeconds?: number;
+  ports: AuthHonoPorts;
+  stateCodec: OAuthContinuationCodec;
+}
+
+export const createOAuthConsentDetailsHandler =
+  (options: OAuthConsentHandlerOptions) =>
+  async (c: Context): Promise<Response> => {
+    const state = c.req.query('state') ?? '';
+    const payload = await validateConsentState(c, options, state);
+    if (payload instanceof Response) return payload;
+
+    const client = await options.ports.oauthStateStore.findClient(payload.clientId);
+    if (!client) return oauthJsonError(c, 400, 'invalid_request', 'Unknown OAuth client.');
+
+    return c.json({
+      clientName: client.name,
+      redirectUri: payload.redirectUri,
+      scopes: payload.scope.split(/\s+/).filter(Boolean),
+    });
+  };
+
+export const createOAuthConsentDecisionHandler =
+  (options: OAuthConsentHandlerOptions) =>
+  async (c: Context): Promise<Response> => {
+    const body = await c.req.json<{ decision?: string; state?: string }>().catch(() => null);
+    if (!body?.state || !['approve', 'deny'].includes(body.decision ?? '')) {
+      return oauthJsonError(c, 400, 'invalid_request', 'Consent decision and state are required.');
+    }
+
+    const payload = await validateConsentState(c, options, body.state);
+    if (payload instanceof Response) return payload;
+
+    if (body.decision === 'deny') {
+      return redirectOrJson(
+        c,
+        appendParams(payload.redirectUri, { error: 'access_denied', state: payload.state }, c.req.url)
+      );
+    }
+
+    const code = options.ports.random.token(32);
+    const now = options.ports.clock.now();
+    await options.ports.oauthStateStore.saveAuthCode(
+      code,
+      {
+        acr: payload.acr ?? 'urn:sentropic:loa:bearer',
+        authTime: new Date(payload.authTime ?? now.toISOString()),
+        clientId: payload.clientId,
+        codeChallenge: payload.codeChallenge,
+        codeChallengeMethod: 'S256',
+        createdAt: now,
+        dpopJkt: payload.dpopJkt,
+        expiresAt: options.ports.clock.addSeconds(now, options.authorizationCodeTtlSeconds ?? 60),
+        nonce: payload.nonce,
+        redirectUri: payload.redirectUri,
+        scope: payload.scope,
+        tenantId: payload.tenantId,
+        userId: payload.userId ?? '',
+      },
+      options.authorizationCodeTtlSeconds ?? 60
+    );
+
+    return redirectOrJson(
+      c,
+      appendParams(payload.redirectUri, { code, state: payload.state }, c.req.url)
+    );
+  };
+
+const validateConsentState = async (
+  c: Context,
+  options: OAuthConsentHandlerOptions,
+  sealedState: string
+): Promise<OAuthContinuationState | Response> => {
+  const payload = await options.stateCodec.unseal(sealedState);
+  if (!payload || !payload.userId || new Date(payload.expiresAt) <= options.ports.clock.now()) {
+    return oauthJsonError(c, 400, 'invalid_request', 'OAuth consent state is invalid or expired.');
+  }
+
+  const session = await resolveOAuthSession(c.req.raw, options.ports);
+  if (!session || session.user.id !== payload.userId) {
+    return oauthJsonError(c, 401, 'login_required', 'A valid user session is required.');
+  }
+
+  return payload;
+};

package/src/oauth/crypto-utils.ts

@@ -0,0 +1,14 @@
+const textEncoder = new TextEncoder();
+
+export const sha256Base64url = async (value: string): Promise<string> => {
+  const digest = await crypto.subtle.digest('SHA-256', textEncoder.encode(value));
+  return base64urlEncode(new Uint8Array(digest));
+};
+
+export const base64urlEncode = (bytes: Uint8Array): string => {
+  let binary = '';
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary).replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/u, '');
+};