@sentropic/auth-hono 0.3.0 → 0.6.0
- package/README.md +55 -2
- package/dist/index.d.ts +2 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -0
- package/dist/index.js.map +1 -1
- package/dist/oauth/authorize-handler.d.ts.map +1 -1
- package/dist/oauth/authorize-handler.js +46 -1
- package/dist/oauth/authorize-handler.js.map +1 -1
- package/dist/oauth/consent-decision-handler.d.ts.map +1 -1
- package/dist/oauth/consent-decision-handler.js +1 -0
- package/dist/oauth/consent-decision-handler.js.map +1 -1
- package/dist/oauth/dpop.d.ts +7 -4
- package/dist/oauth/dpop.d.ts.map +1 -1
- package/dist/oauth/dpop.js +23 -44
- package/dist/oauth/dpop.js.map +1 -1
- package/dist/oauth/jwks-service.d.ts.map +1 -1
- package/dist/oauth/jwks-service.js +6 -8
- package/dist/oauth/jwks-service.js.map +1 -1
- package/dist/oauth/service-auth-middleware.d.ts +30 -0
- package/dist/oauth/service-auth-middleware.d.ts.map +1 -0
- package/dist/oauth/service-auth-middleware.js +152 -0
- package/dist/oauth/service-auth-middleware.js.map +1 -0
- package/dist/oauth/state-codec.d.ts +2 -0
- package/dist/oauth/state-codec.d.ts.map +1 -1
- package/dist/oauth/state-codec.js.map +1 -1
- package/dist/oauth/state-store-types.d.ts +26 -0
- package/dist/oauth/state-store-types.d.ts.map +1 -1
- package/dist/oauth/token-handler.d.ts +1 -0
- package/dist/oauth/token-handler.d.ts.map +1 -1
- package/dist/oauth/token-handler.js +158 -3
- package/dist/oauth/token-handler.js.map +1 -1
- package/dist/oauth/wellknown-handler.js +3 -3
- package/dist/oauth/wellknown-handler.js.map +1 -1
- package/dist/ports.d.ts +15 -1
- package/dist/ports.d.ts.map +1 -1
- package/package.json +4 -1
- package/src/index.ts +11 -0
- package/src/oauth/authorize-handler.ts +55 -1
- package/src/oauth/consent-decision-handler.ts +1 -0
- package/src/oauth/dpop.ts +30 -67
- package/src/oauth/jwks-service.ts +5 -9
- package/src/oauth/service-auth-middleware.ts +229 -0
- package/src/oauth/state-codec.ts +2 -0
- package/src/oauth/state-store-types.ts +27 -0
- package/src/oauth/token-handler.ts +218 -4
- package/src/oauth/wellknown-handler.ts +3 -3
- package/src/ports.ts +16 -0
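--- a/package/README.md
+++ b/package/README.md
@@ -77,7 +77,7 @@ All package handlers emit structured responses to keep contracts predictable acr
 | Endpoint | Description |
 | --- | --- |
 | `GET /oauth/authorize` | Authorization Code + PKCE entry point (S256 required) |
-| `POST /oauth/token` | Token issuance (`grant_type=authorization_code`
+| `POST /oauth/token` | Token issuance (`grant_type=authorization_code` and `client_credentials` since 0.4.0) |
 | `GET\|POST /oauth/userinfo` | Returns claims for a valid access token |
 | `POST /oauth/revoke` | Revokes an access token (RFC 7009) |
 | `POST /oauth/introspect` | Token introspection (RFC 7662, client-auth required) |
@@ -158,6 +158,56 @@ The package never imports Postgres or any persistence library. Sentropic supplie
 
 Set `dpop_bound_access_tokens: true` on the OAuth client record. Bound clients must send a `DPoP: <proof-jwt>` header on `/token`, `/userinfo`, and `/revoke`. The IdP verifies `htm`, `htu`, `iat` skew, unique proof `jti`, and `ath` on resource calls. Access and ID tokens include `cnf.jkt`.
 
+### Service-to-service auth — `client_credentials` (since 0.4.0)
+
+Backend services mint scoped, audience-bound, **stateless** access tokens without
+a human via the `client_credentials` grant.
+
+- **Service clients** are a separate record type, `ServiceClientRecord`, looked up
+through an **optional** `findServiceClient?(clientId)` method on
+`OauthStateStorePort`. Existing implementors of the `0.3.0` contract keep
+compiling; if the method is absent, `client_credentials` returns
+`unsupported_grant_type`.
+- **Auth methods**: `client_secret_basic` and `client_secret_post`, verified via
+`ports.tokens.hashSecret`.
+- **Scopes**: empty/absent `scope` grants the client's full `allowed_scopes`;
+otherwise the request must be a subset (else `invalid_scope`).
+- **RFC 8707 resource indicators**: the issued token `aud` is the resolved
+`resource`, which must be in the client's `resource_indicators`. Resolution: 1
+indicator + no `resource` ⇒ use it; >1 + no `resource` ⇒ `invalid_target`; 0
+indicators ⇒ `resource` required else `invalid_target`; unknown `resource` ⇒
+`invalid_target`.
+- **Stateless** (no `saveTokenMeta`, no `oauth_tokens` row): security relies on a
+short TTL (`serviceAccessTokenTtlSeconds`, default `900`) + secret rotation.
+Service-token revocation/introspection are deferred to BR-39h.
+- **DPoP** is opt-in via `dpop_bound_access_tokens` and strongly recommended for
+production S2S.
+
+Resource servers verify these tokens with `createRequireServiceAuth`:
+
+```ts
+import { createRequireServiceAuth, type ServiceAuthPorts } from '@sentropic/auth-hono';
+
+const ports: ServiceAuthPorts = {
+clock, // AuthHonoClockPort
+jwks, // JwksPort
+dpopReplay: { recordDpopJti }, // optional, required to enforce DPoP replay
+};
+
+app.get(
+'/internal/ping',
+createRequireServiceAuth({ issuer, resource, requiredScopes: ['service:ping'], ports }),
+(c) => c.json({ ok: true, client: c.get('serviceClient') }),
+);
+```
+
+`ServiceAuthPorts` is a **narrow** port (`Pick<AuthHonoPorts,'jwks'|'clock'> & { dpopReplay? }`):
+resource servers do not construct user/credential/session/email ports just to
+verify a token. The middleware validates `iss`, `aud === resource`, `exp`, and
+`scope ⊇ requiredScopes`; for `cnf.jkt`-bound tokens it requires a DPoP proof,
+enforces `ath` (RFC 9449 §4.3), and records the proof `jti` for replay defense.
+On failure it returns 401/403 with a `WWW-Authenticate` header.
+
 ### Claims and ACR levels
 
 | Claim | Source | Notes |
@@ -176,6 +226,8 @@ Set `dpop_bound_access_tokens: true` on the OAuth client record. Bound clients m
 | `OAUTH_ID_TOKEN_TTL_SEC` | ID token lifetime | `3600` |
 | `OAUTH_AUTHORIZATION_CODE_TTL_SEC` | Authorization code TTL | `60` |
 | `OAUTH_DPOP_IAT_SKEW_SEC` | DPoP proof `iat` tolerance | `60` |
+| `OAUTH_SERVICE_ACCESS_TOKEN_TTL_SEC` | Stateless service token TTL (`client_credentials`) | `900` |
+| `OAUTH_SERVICE_RESOURCE_URI` | Service token `aud` this API accepts/advertises | Derived from issuer |
 
 ### End-to-end example
 
@@ -187,8 +239,9 @@ This is a brand-new public package. First publish requires the one-shot bootstra
 
 ## Versioning
 
-This branch ships `0.
+This branch ships `0.4.0`:
 
 - `0.2.0` adds `AuthHonoRouteHandlerError` short-circuit on WebAuthn prepare/resolve hooks and the `finalizeRegistration`/`finalizeAuthentication` post-verify hooks. Additive; existing handler signatures stay valid.
 - `0.2.1` patches `extractChallenge` (both WebAuthn handlers) to handle `credential.response === null` defensively (returns 400 `invalid_credential` instead of throwing 500).
 - `0.3.0` adds the OAuth2/OIDC IdP surface: `createOAuthRouter`, `createWellKnownRouter`, `createJwksService`, `OauthStateStorePort`, `JwksPort`, Ed25519 signing, DPoP opt-in, and all six OAuth endpoints. Additive; existing WebAuthn/session handler signatures unchanged.
+- `0.4.0` adds the S2S `client_credentials` grant (stateless service tokens), `createRequireServiceAuth` + `ServiceAuthPorts`, the optional `findServiceClient?` on `OauthStateStorePort`, `ServiceClientRecord`, and RFC 8707 resource indicators. Discovery now advertises `client_credentials` and `client_secret_post`. Additive and non-breaking — existing `0.3.0` implementors keep compiling.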
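--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,3 +1,4 @@
+export type { AccessTokenClaims, ActClaim, IdentityType, TokenKeySource, } from '@sentropic/oauth-verify';
 export * from './contracts.js';
 export * from './credential-route-handlers.js';
 export * from './email-verification.js';
@@ -12,6 +13,7 @@ export * from './oauth/introspect-handler.js';
 export * from './oauth/jwks-service.js';
 export * from './oauth/router.js';
 export * from './oauth/revoke-handler.js';
+export * from './oauth/service-auth-middleware.js';
 export * from './oauth/session-resolver.js';
 export * from './oauth/state-store-types.js';
 export * from './oauth/state-codec.js';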
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,YAAY,EACV,iBAAiB,EACjB,QAAQ,EACR,YAAY,EACZ,cAAc,GACf,MAAM,yBAAyB,CAAC;AAEjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,qCAAqC,CAAC;AACpD,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,yBAAyB,CAAC;AACxC,cAAc,mBAAmB,CAAC;AAClC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,oCAAoC,CAAC;AACnD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,wBAAwB,CAAC;AACvC,cAAc,0BAA0B,CAAC;AACzC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,6CAA6C,CAAC;AAC5D,cAAc,4BAA4B,CAAC;AAC3C,cAAc,2CAA2C,CAAC"}
|
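--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -12,6 +12,7 @@ export * from './oauth/introspect-handler.js';
 export * from './oauth/jwks-service.js';
 export * from './oauth/router.js';
 export * from './oauth/revoke-handler.js';
+export * from './oauth/service-auth-middleware.js';
 export * from './oauth/session-resolver.js';
 export * from './oauth/state-store-types.js';
 export * from './oauth/state-codec.js';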
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAUA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,qCAAqC,CAAC;AACpD,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,yBAAyB,CAAC;AACxC,cAAc,mBAAmB,CAAC;AAClC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,oCAAoC,CAAC;AACnD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,wBAAwB,CAAC;AACvC,cAAc,0BAA0B,CAAC;AACzC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,6CAA6C,CAAC;AAC5D,cAAc,4BAA4B,CAAC;AAC3C,cAAc,2CAA2C,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorize-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/authorize-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD,OAAO,KAAK,EAAE,sBAAsB,EAA0B,MAAM,kBAAkB,CAAC;AAIvF,MAAM,WAAW,4BAA4B;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,aAAa,CAAC;IACrB,UAAU,EAAE,sBAAsB,CAAC;IACnC,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;
|
|
1
|
+
{"version":3,"file":"authorize-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/authorize-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD,OAAO,KAAK,EAAE,sBAAsB,EAA0B,MAAM,kBAAkB,CAAC;AAIvF,MAAM,WAAW,4BAA4B;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,aAAa,CAAC;IACrB,UAAU,EAAE,sBAAsB,CAAC;IACnC,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAaD,eAAO,MAAM,2BAA2B,YAC5B,4BAA4B,SAC5B,OAAO,KAAG,QAAQ,QAAQ,CAgCnC,CAAC"}
|
|
@@ -80,12 +80,16 @@ const validateAuthorizeRequest = async (c, ports) => {
|
|
|
80
80
|
const scopeResult = validateScope(c.req.query('scope') ?? '', client, redirectUri, state, c.req.url);
|
|
81
81
|
if (scopeResult instanceof Response)
|
|
82
82
|
return scopeResult;
|
|
83
|
+
const resourceResult = validateResource(c.req.queries('resource'), client, redirectUri, state, c.req.url);
|
|
84
|
+
if (resourceResult instanceof Response)
|
|
85
|
+
return resourceResult;
|
|
83
86
|
return {
|
|
84
87
|
client,
|
|
85
88
|
codeChallenge,
|
|
86
89
|
dpopJkt: c.req.query('dpop_jkt') ?? null,
|
|
87
90
|
nonce: c.req.query('nonce') ?? null,
|
|
88
91
|
redirectUri,
|
|
92
|
+
resource: resourceResult,
|
|
89
93
|
scope: scopeResult,
|
|
90
94
|
state,
|
|
91
95
|
};
|
|
@@ -120,9 +124,49 @@ const validateScope = (scope, client, redirectUri, state, baseUrl) => {
|
|
|
120
124
|
}
|
|
121
125
|
return requestedScopes.join(' ');
|
|
122
126
|
};
|
|
127
|
+
/**
|
|
128
|
+
* RFC 8707 resource indicator validation on the `authorization_code` flow (BR-39l Lot 2).
|
|
129
|
+
* - C1 single-aud: more than one `resource` value ⇒ `invalid_target` (no multi-audience tokens).
|
|
130
|
+
* - C2 default-deny allowlist: a requested `resource` must be in `client.resourceIndicators`,
|
|
131
|
+
* else `invalid_target`. No `resource` ⇒ `null` (default-aud = userinfo, byte-identical to 0.5.0).
|
|
132
|
+
* The validated value is sealed into the continuation and becomes the access-token `aud`.
|
|
133
|
+
*/
|
|
134
|
+
const validateResource = (resources, client, redirectUri, state, baseUrl) => {
|
|
135
|
+
const requested = (resources ?? []).filter((value) => value.length > 0);
|
|
136
|
+
if (requested.length === 0)
|
|
137
|
+
return null;
|
|
138
|
+
if (requested.length > 1) {
|
|
139
|
+
return redirectWithOAuthError(redirectUri, 'invalid_target', state, baseUrl);
|
|
140
|
+
}
|
|
141
|
+
const value = requested[0];
|
|
142
|
+
const allowlist = client.resourceIndicators ?? [];
|
|
143
|
+
if (!allowlist.includes(value)) {
|
|
144
|
+
return redirectWithOAuthError(redirectUri, 'invalid_target', state, baseUrl);
|
|
145
|
+
}
|
|
146
|
+
return value;
|
|
147
|
+
};
|
|
123
148
|
const sealContinuation = async (c, options, request, session) => {
|
|
124
149
|
const now = options.ports.clock.now();
|
|
125
150
|
const expiresAt = options.ports.clock.addSeconds(now, options.stateTtlSeconds ?? 10 * 60);
|
|
151
|
+
// BR-39e: derive the tenant bound to this auth code from the user's VALIDATED membership,
|
|
152
|
+
// never from the raw client/param. Legacy behavior (client tenant) when no tenancy spine is
|
|
153
|
+
// wired. An explicit `?tenant=` selection is honored ONLY if it is an approved membership.
|
|
154
|
+
let tenantId = request.client.tenantId;
|
|
155
|
+
if (options.ports.tenant) {
|
|
156
|
+
tenantId = null;
|
|
157
|
+
if (session?.userId) {
|
|
158
|
+
const approved = await options.ports.tenant.listApprovedTenantIds(session.userId);
|
|
159
|
+
const requested = c.req.query('tenant') ?? null;
|
|
160
|
+
if (requested) {
|
|
161
|
+
tenantId = approved.includes(requested) ? requested : null;
|
|
162
|
+
}
|
|
163
|
+
else if (approved.length === 1) {
|
|
164
|
+
tenantId = approved[0];
|
|
165
|
+
}
|
|
166
|
+
// 0 or >1 approved tenants without a valid explicit selection → no tenant claim
|
|
167
|
+
// (a multi-tenant selection screen is deferred; the RP may re-request with ?tenant=).
|
|
168
|
+
}
|
|
169
|
+
}
|
|
126
170
|
return options.stateCodec.seal({
|
|
127
171
|
acr: session?.acr,
|
|
128
172
|
authTime: session?.authTime,
|
|
@@ -134,9 +178,10 @@ const sealContinuation = async (c, options, request, session) => {
|
|
|
134
178
|
expiresAt: expiresAt.toISOString(),
|
|
135
179
|
nonce: request.nonce,
|
|
136
180
|
redirectUri: request.redirectUri,
|
|
181
|
+
resource: request.resource,
|
|
137
182
|
scope: request.scope,
|
|
138
183
|
state: request.state,
|
|
139
|
-
tenantId
|
|
184
|
+
tenantId,
|
|
140
185
|
userId: session?.userId,
|
|
141
186
|
});
|
|
142
187
|
};
|
|
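Review bot: In `sealContinuation`, an explicit `?tenant=` that is not among the user's approved memberships is silently downgraded (`tenantId = approved.includes(requested) ? requested : null;`), so a relying party that asked for a specific tenant receives a code with no tenant claim and no error saying why; the 0-or-many branch below it ends the same way. `validateScope` and the new `validateResource` in this file fail closed with a redirect error, so consider the same here — return `redirectWithOAuthError(request.redirectUri, 'invalid_request', request.state, c.req.url)` for a rejected explicit selection and let the caller pass a `Response` through, as `validateAuthorizeRequest` already does for its helpers — or, if dropping the claim is intended, extend the comment to say that downstream must treat a missing tenant claim as a denial rather than a default tenant. A log line on the rejected selection would also make misconfigured RPs visible. `sealContinuation` spans both hunks and its caller is outside them; this dist file is compiled from `src/oauth/authorize-handler.ts` (in the diffstat, not shown here), where the same fix applies.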
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorize-handler.js","sourceRoot":"","sources":["../../src/oauth/authorize-handler.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACvF,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;
|
|
1
|
+
{"version":3,"file":"authorize-handler.js","sourceRoot":"","sources":["../../src/oauth/authorize-handler.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACvF,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAsB7E,MAAM,CAAC,MAAM,2BAA2B,GACtC,CAAC,OAAqC,EAAE,EAAE,CAC1C,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC7C,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,uBAAuB,CAAC,CAAC,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,CAAC,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACpE,IAAI,UAAU,YAAY,QAAQ;QAAE,OAAO,UAAU,CAAC;IAEtD,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAEpE,IAAI,CAAC,OAAO,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACnC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,sBAAsB,CAAC,UAAU,CAAC,WAAW,EAAE,gBAAgB,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvG,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QACpE,OAAO,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;IAChG,CAAC;IAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,sBAAsB,CAAC,UAAU,CAAC,WAAW,EAAE,kBAAkB,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzG,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE;QACjE,GAAG,EAAE,eAAe,CAAC,OAAO,CAAC,aAAa,CAAC;QAC3C,QAAQ,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,WAAW,EAAE;QACvD,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;KACxB,CAAC,CAAC;IAEH,OAAO,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;AAC9F,CAAC,CAAC;AAEJ,MAAM,uBAAuB,GAAG,KAAK,EACnC,CAAU,EACV,OAAqC,EACrC,YAAoB,EACD,EAAE;IACrB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IACtC,IAAI,CAAC,OAAO,IAAI,OAAO,CAA
C,MAAM,IAAI,OAAO,CAAC,mBAAmB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,GAAG,EAAE,CAAC;QAC/G,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,2CAA2C,CAAC,CAAC;IAChG,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAChF,IAAI,CAAC,MAAM;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,uBAAuB,CAAC,CAAC;IAEvF,MAAM,aAAa,GAAG,mBAAmB,CAAC,MAAM,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IACvE,IAAI,aAAa;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAEnF,MAAM,WAAW,GAAG,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACxG,IAAI,WAAW,YAAY,QAAQ;QAAE,OAAO,WAAW,CAAC;IAExD,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACpE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;IAChG,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,eAAe,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IAC1F,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QAChD,GAAG,OAAO;QACV,GAAG,EAAE,eAAe,CAAC,OAAO,CAAC,aAAa,CAAC;QAC3C,QAAQ,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,WAAW,EAAE;QACvD,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE;QAC5B,SAAS,EAAE,SAAS,CAAC,WAAW,EAAE;QAClC,KAAK,EAAE,WAAW;QAClB,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;KACxB,CAAC,CAAC;IAEH,OAAO,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;AAC9F,CAAC,CAAC;AAEF,MAAM,wBAAwB,GAAG,KAAK,EACpC,CAAU,EACV,KAAoB,EAC2B,EAAE;IACjD,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAClF,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,uBAAuB,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,WAAW,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IACtD,MAAM,aAAa
,GAAG,mBAAmB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAC/D,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC;IAC3C,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,MAAM,EAAE,CAAC;QAC5C,OAAO,sBAAsB,CAAC,WAAW,EAAE,2BAA2B,EAAE,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,aAAa,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,uBAAuB,CAAC,KAAK,MAAM,EAAE,CAAC;QACtE,OAAO,sBAAsB,CAAC,WAAW,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,WAAW,GAAG,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACrG,IAAI,WAAW,YAAY,QAAQ;QAAE,OAAO,WAAW,CAAC;IAExD,MAAM,cAAc,GAAG,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC1G,IAAI,cAAc,YAAY,QAAQ;QAAE,OAAO,cAAc,CAAC;IAE9D,OAAO;QACL,MAAM;QACN,aAAa;QACb,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,IAAI;QACxC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,IAAI;QACnC,WAAW;QACX,QAAQ,EAAE,cAAc;QACxB,KAAK,EAAE,WAAW;QAClB,KAAK;KACN,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,mBAAmB,GAAG,CAAC,MAAyB,EAAE,WAAmB,EAAiB,EAAE;IAC5F,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,iDAAiD,CAAC;IAEzG,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,uCAAuC,CAAC;IACjD,CAAC;IAED,IAAI,MAAM,CAAC,IAAI;QAAE,OAAO,2CAA2C,CAAC;IACpE,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ;QAAE,OAAO,4CAA4C,CAAC;IAC5F,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACrG,OAAO,yEAAyE,CAAC;AACnF,CAAC,CAAC;AAEF,MAAM,aAAa,GAAG,CACpB,KAAa,EACb,MAAyB,EACzB,WAAmB,EACnB,KAAoB,EACpB,OAAe,EACI,EAAE;IACrB,MAAM,e
AAe,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC3D,IAAI,eAAe,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC/C,OAAO,sBAAsB,CAAC,WAAW,EAAE,eAAe,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;QAC7F,OAAO,sBAAsB,CAAC,WAAW,EAAE,eAAe,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACnC,CAAC,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,gBAAgB,GAAG,CACvB,SAA+B,EAC/B,MAAyB,EACzB,WAAmB,EACnB,KAAoB,EACpB,OAAe,EACW,EAAE;IAC5B,MAAM,SAAS,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACxE,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,sBAAsB,CAAC,WAAW,EAAE,gBAAgB,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IAC/E,CAAC;IAED,MAAM,KAAK,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,SAAS,GAAG,MAAM,CAAC,kBAAkB,IAAI,EAAE,CAAC;IAClD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,sBAAsB,CAAC,WAAW,EAAE,gBAAgB,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IAC/E,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEF,MAAM,gBAAgB,GAAG,KAAK,EAC5B,CAAU,EACV,OAAqC,EACrC,OAAkC,EAClC,OAAqE,EACpD,EAAE;IACnB,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,eAAe,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IAE1F,0FAA0F;IAC1F,4FAA4F;IAC5F,2FAA2F;IAC3F,IAAI,QAAQ,GAAkB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC;IACtD,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;QACzB,QAAQ,GAAG,IAAI,CAAC;QAChB,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;YACpB,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,qBAAqB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAClF,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;YAChD,IAAI,SAAS,EAAE,CAAC;gBACd,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;YAC7D,CAAC;iBAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjC,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;YACzB,CAAC;YAC
D,gFAAgF;YAChF,sFAAsF;QACxF,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QAC7B,GAAG,EAAE,OAAO,EAAE,GAAG;QACjB,QAAQ,EAAE,OAAO,EAAE,QAAQ;QAC3B,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ;QACjC,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,mBAAmB,EAAE,MAAM;QAC3B,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE;QAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,SAAS,EAAE,SAAS,CAAC,WAAW,EAAE;QAClC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,QAAQ;QACR,MAAM,EAAE,OAAO,EAAE,MAAM;KACxB,CAAC,CAAC;AACL,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"consent-decision-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/consent-decision-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD,OAAO,KAAK,EAAE,sBAAsB,EAA0B,MAAM,kBAAkB,CAAC;AAGvF,MAAM,WAAW,0BAA0B;IACzC,2BAA2B,CAAC,EAAE,MAAM,CAAC;IACrC,KAAK,EAAE,aAAa,CAAC;IACrB,UAAU,EAAE,sBAAsB,CAAC;CACpC;AAED,eAAO,MAAM,gCAAgC,YACjC,0BAA0B,SAC1B,OAAO,KAAG,QAAQ,QAAQ,CAanC,CAAC;AAEJ,eAAO,MAAM,iCAAiC,YAClC,0BAA0B,SAC1B,OAAO,KAAG,QAAQ,QAAQ,
|
|
1
|
+
{"version":3,"file":"consent-decision-handler.d.ts","sourceRoot":"","sources":["../../src/oauth/consent-decision-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD,OAAO,KAAK,EAAE,sBAAsB,EAA0B,MAAM,kBAAkB,CAAC;AAGvF,MAAM,WAAW,0BAA0B;IACzC,2BAA2B,CAAC,EAAE,MAAM,CAAC;IACrC,KAAK,EAAE,aAAa,CAAC;IACrB,UAAU,EAAE,sBAAsB,CAAC;CACpC;AAED,eAAO,MAAM,gCAAgC,YACjC,0BAA0B,SAC1B,OAAO,KAAG,QAAQ,QAAQ,CAanC,CAAC;AAEJ,eAAO,MAAM,iCAAiC,YAClC,0BAA0B,SAC1B,OAAO,KAAG,QAAQ,QAAQ,CA2CnC,CAAC"}
|
|
@@ -38,6 +38,7 @@ export const createOAuthConsentDecisionHandler = (options) => async (c) => {
|
|
|
38
38
|
expiresAt: options.ports.clock.addSeconds(now, options.authorizationCodeTtlSeconds ?? 60),
|
|
39
39
|
nonce: payload.nonce,
|
|
40
40
|
redirectUri: payload.redirectUri,
|
|
41
|
+
resource: payload.resource ?? null,
|
|
41
42
|
scope: payload.scope,
|
|
42
43
|
tenantId: payload.tenantId,
|
|
43
44
|
userId: payload.userId ?? '',
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"consent-decision-handler.js","sourceRoot":"","sources":["../../src/oauth/consent-decision-handler.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAE/E,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAQ5D,MAAM,CAAC,MAAM,gCAAgC,GAC3C,CAAC,OAAmC,EAAE,EAAE,CACxC,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9D,IAAI,OAAO,YAAY,QAAQ;QAAE,OAAO,OAAO,CAAC;IAEhD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAChF,IAAI,CAAC,MAAM;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,uBAAuB,CAAC,CAAC;IAEvF,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC,IAAI;QACvB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;KACnD,CAAC,CAAC;AACL,CAAC,CAAC;AAEJ,MAAM,CAAC,MAAM,iCAAiC,GAC5C,CAAC,OAAmC,EAAE,EAAE,CACxC,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAyC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzF,IAAI,CAAC,IAAI,EAAE,KAAK,IAAI,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC;QACvE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,0CAA0C,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IACnE,IAAI,OAAO,YAAY,QAAQ;QAAE,OAAO,OAAO,CAAC;IAEhD,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QAC7B,OAAO,cAAc,CACnB,CAAC,EACD,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAC/F,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,YAAY,CAC9C,IAAI,EACJ;QACE,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,0BAA0B;QAC9C,QAAQ,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QACzD,QAAQ,EAAE,OAAO,
CAAC,QAAQ;QAC1B,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,mBAAmB,EAAE,MAAM;QAC3B,SAAS,EAAE,GAAG;QACd,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,2BAA2B,IAAI,EAAE,CAAC;QACzF,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;KAC7B,EACD,OAAO,CAAC,2BAA2B,IAAI,EAAE,CAC1C,CAAC;IAEF,OAAO,cAAc,CACnB,CAAC,EACD,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAC7E,CAAC;AACJ,CAAC,CAAC;AAEJ,MAAM,oBAAoB,GAAG,KAAK,EAChC,CAAU,EACV,OAAmC,EACnC,WAAmB,EACyB,EAAE;IAC9C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7D,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,CAAC;QAC5F,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,4CAA4C,CAAC,CAAC;IACjG,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACpE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;QACnD,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,mCAAmC,CAAC,CAAC;IACvF,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}
|
|
1
|
+
{"version":3,"file":"consent-decision-handler.js","sourceRoot":"","sources":["../../src/oauth/consent-decision-handler.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAE/E,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAQ5D,MAAM,CAAC,MAAM,gCAAgC,GAC3C,CAAC,OAAmC,EAAE,EAAE,CACxC,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9D,IAAI,OAAO,YAAY,QAAQ;QAAE,OAAO,OAAO,CAAC;IAEhD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAChF,IAAI,CAAC,MAAM;QAAE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,uBAAuB,CAAC,CAAC;IAEvF,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC,IAAI;QACvB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;KACnD,CAAC,CAAC;AACL,CAAC,CAAC;AAEJ,MAAM,CAAC,MAAM,iCAAiC,GAC5C,CAAC,OAAmC,EAAE,EAAE,CACxC,KAAK,EAAE,CAAU,EAAqB,EAAE;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAyC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzF,IAAI,CAAC,IAAI,EAAE,KAAK,IAAI,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC;QACvE,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,0CAA0C,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IACnE,IAAI,OAAO,YAAY,QAAQ;QAAE,OAAO,OAAO,CAAC;IAEhD,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QAC7B,OAAO,cAAc,CACnB,CAAC,EACD,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAC/F,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,YAAY,CAC9C,IAAI,EACJ;QACE,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,0BAA0B;QAC9C,QAAQ,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QACzD,QAAQ,EAAE,OAAO,
CAAC,QAAQ;QAC1B,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,mBAAmB,EAAE,MAAM;QAC3B,SAAS,EAAE,GAAG;QACd,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,2BAA2B,IAAI,EAAE,CAAC;QACzF,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;QAClC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;KAC7B,EACD,OAAO,CAAC,2BAA2B,IAAI,EAAE,CAC1C,CAAC;IAEF,OAAO,cAAc,CACnB,CAAC,EACD,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAC7E,CAAC;AACJ,CAAC,CAAC;AAEJ,MAAM,oBAAoB,GAAG,KAAK,EAChC,CAAU,EACV,OAAmC,EACnC,WAAmB,EACyB,EAAE;IAC9C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7D,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,CAAC;QAC5F,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,4CAA4C,CAAC,CAAC;IACjG,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACpE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;QACnD,OAAO,cAAc,CAAC,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,mCAAmC,CAAC,CAAC;IACvF,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}
|
package/dist/oauth/dpop.d.ts
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { type VerifiedDpop } from '@sentropic/oauth-verify';
|
|
1
2
|
import type { AuthHonoPorts } from '../ports.js';
|
|
2
3
|
export interface VerifyDpopProofOptions {
|
|
3
4
|
accessToken?: string;
|
|
@@ -7,12 +8,14 @@ export interface VerifyDpopProofOptions {
|
|
|
7
8
|
ports: AuthHonoPorts;
|
|
8
9
|
proof: string;
|
|
9
10
|
}
|
|
10
|
-
export
|
|
11
|
-
jkt: string;
|
|
12
|
-
jti: string;
|
|
13
|
-
}
|
|
11
|
+
export type VerifiedDpopProof = VerifiedDpop;
|
|
14
12
|
export declare class OAuthDpopProofError extends Error {
|
|
15
13
|
constructor(message: string);
|
|
16
14
|
}
|
|
15
|
+
/**
|
|
16
|
+
* AS-side DPoP proof verification. Thin adapter over `@sentropic/oauth-verify`'s shared
|
|
17
|
+
* `verifyDpopProof`: it binds the IdP's clock + replay store and re-maps verification
|
|
18
|
+
* failures onto `OAuthDpopProofError` for the OAuth handlers (token/userinfo/revoke).
|
|
19
|
+
*/
|
|
17
20
|
export declare const verifyOAuthDpopProof: (options: VerifyDpopProofOptions) => Promise<VerifiedDpopProof>;
|
|
18
21
|
//# sourceMappingURL=dpop.d.ts.map
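Review bot: `export type VerifiedDpopProof = VerifiedDpop;` replaces a locally declared interface whose visible members were `jkt: string;` and `jti: string;` with an alias to a type owned by `@sentropic/oauth-verify`, so the public shape of this package's return type now changes whenever that dependency does. The new doc comment on `verifyOAuthDpopProof` describes the adapter but not this contract; add one line to the alias in `src/oauth/dpop.ts` (this `.d.ts` is emitted from it) such as `/** Re-exported from @sentropic/oauth-verify; callers should rely only on `jkt` and `jti`, which were the fields of the previous local interface. */`, adjusted to whatever fields that type actually guarantees. Whether `VerifiedDpop` still carries both fields is not visible in this section.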
|
package/dist/oauth/dpop.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dpop.d.ts","sourceRoot":"","sources":["../../src/oauth/dpop.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"dpop.d.ts","sourceRoot":"","sources":["../../src/oauth/dpop.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,YAAY,EAClB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD,MAAM,WAAW,sBAAsB;IACrC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,EAAE,aAAa,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,MAAM,iBAAiB,GAAG,YAAY,CAAC;AAE7C,qBAAa,mBAAoB,SAAQ,KAAK;gBAChC,OAAO,EAAE,MAAM;CAI5B;AAED;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,YACtB,sBAAsB,KAC9B,QAAQ,iBAAiB,CAsB3B,CAAC"}
|
package/dist/oauth/dpop.js
CHANGED
|
@@ -1,54 +1,33 @@
|
|
|
1
|
-
import {
|
|
2
|
-
import { sha256Base64url } from './crypto-utils.js';
|
|
1
|
+
import { DpopVerifyError, verifyDpopProof, } from '@sentropic/oauth-verify';
|
|
3
2
|
export class OAuthDpopProofError extends Error {
|
|
4
3
|
constructor(message) {
|
|
5
4
|
super(message);
|
|
6
5
|
this.name = 'OAuthDpopProofError';
|
|
7
6
|
}
|
|
8
7
|
}
|
|
8
|
+
/**
|
|
9
|
+
* AS-side DPoP proof verification. Thin adapter over `@sentropic/oauth-verify`'s shared
|
|
10
|
+
* `verifyDpopProof`: it binds the IdP's clock + replay store and re-maps verification
|
|
11
|
+
* failures onto `OAuthDpopProofError` for the OAuth handlers (token/userinfo/revoke).
|
|
12
|
+
*/
|
|
9
13
|
export const verifyOAuthDpopProof = async (options) => {
|
|
10
|
-
const
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
};
|
|
28
|
-
const validateDpopPayload = async (payload, options) => {
|
|
29
|
-
if (payload.htm !== options.htm.toUpperCase()) {
|
|
30
|
-
throw new OAuthDpopProofError('DPoP htm claim does not match the request method.');
|
|
31
|
-
}
|
|
32
|
-
if (payload.htu !== options.htu) {
|
|
33
|
-
throw new OAuthDpopProofError('DPoP htu claim does not match the request URL.');
|
|
34
|
-
}
|
|
35
|
-
if (!payload.jti || typeof payload.jti !== 'string') {
|
|
36
|
-
throw new OAuthDpopProofError('DPoP jti claim is required.');
|
|
37
|
-
}
|
|
38
|
-
if (typeof payload.iat !== 'number') {
|
|
39
|
-
throw new OAuthDpopProofError('DPoP iat claim is required.');
|
|
40
|
-
}
|
|
41
|
-
const nowSeconds = Math.floor(options.ports.clock.now().getTime() / 1000);
|
|
42
|
-
if (Math.abs(payload.iat - nowSeconds) > (options.iatSkewSeconds ?? 60)) {
|
|
43
|
-
throw new OAuthDpopProofError('DPoP iat claim is outside the allowed skew.');
|
|
44
|
-
}
|
|
45
|
-
if (options.accessToken) {
|
|
46
|
-
await validateAth(payload, options.accessToken);
|
|
47
|
-
}
|
|
48
|
-
};
|
|
49
|
-
const validateAth = async (payload, accessToken) => {
|
|
50
|
-
if (payload.ath !== (await sha256Base64url(accessToken))) {
|
|
51
|
-
throw new OAuthDpopProofError('DPoP ath claim does not match the access token.');
|
|
14
|
+
const iatSkewSec = options.iatSkewSeconds ?? 60;
|
|
15
|
+
try {
|
|
16
|
+
return await verifyDpopProof({
|
|
17
|
+
accessToken: options.accessToken,
|
|
18
|
+
htm: options.htm,
|
|
19
|
+
htu: options.htu,
|
|
20
|
+
iatSkewSec,
|
|
21
|
+
now: options.ports.clock.now(),
|
|
22
|
+
proof: options.proof,
|
|
23
|
+
replay: (jti) => options.ports.oauthStateStore.recordDpopJti(jti, options.ports.clock.addSeconds(options.ports.clock.now(), iatSkewSec)),
|
|
24
|
+
});
|
|
25
|
+
}
|
|
26
|
+
catch (error) {
|
|
27
|
+
if (error instanceof DpopVerifyError) {
|
|
28
|
+
throw new OAuthDpopProofError(error.message);
|
|
29
|
+
}
|
|
30
|
+
throw error;
|
|
52
31
|
}
|
|
53
32
|
};
|
|
54
33
|
//# sourceMappingURL=dpop.js.map
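Review bot: The replay record written by the `replay:` callback expires at `clock.now() + iatSkewSec`, but the removed code accepted a proof while `|iat - now| <= iatSkewSec`, so if the shared verifier keeps that symmetric window a proof whose iat sits in the future half of it remains acceptable for up to `2 * iatSkewSec` after first use, and once its jti record has lapsed a second presentation would no longer be detected. The stored expiry should cover the whole acceptance window, e.g. `replay: (jti) => options.ports.oauthStateStore.recordDpopJti(jti, options.ports.clock.addSeconds(now, 2 * iatSkewSec)),` with `const now = options.ports.clock.now();` captured once above the `try` and also passed as `now:`, so the iat check and the replay TTL use the same instant. The order in which `verifyDpopProof` applies the iat check and the replay callback is not visible here, so the window math is inferred from the skew value alone.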
|
package/dist/oauth/dpop.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dpop.js","sourceRoot":"","sources":["../../src/oauth/dpop.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,
|
|
1
|
+
{"version":3,"file":"dpop.js","sourceRoot":"","sources":["../../src/oauth/dpop.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,eAAe,EACf,eAAe,GAEhB,MAAM,yBAAyB,CAAC;AAejC,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAC5C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,KAAK,EACvC,OAA+B,EACH,EAAE;IAC9B,MAAM,UAAU,GAAG,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;IAChD,IAAI,CAAC;QACH,OAAO,MAAM,eAAe,CAAC;YAC3B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,UAAU;YACV,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE;YAC9B,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,CACd,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CACzC,GAAG,EACH,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CACtE;SACJ,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,eAAe,EAAE,CAAC;YACrC,MAAM,IAAI,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"jwks-service.d.ts","sourceRoot":"","sources":["../../src/oauth/jwks-service.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"jwks-service.d.ts","sourceRoot":"","sources":["../../src/oauth/jwks-service.ts"],"names":[],"mappings":"AACA,OAAO,EAIL,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,UAAU,EAChB,MAAM,MAAM,CAAC;AAEd,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAEvD,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,iBAAiB,CAAC;IACzB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,WAAW;IAC1B,aAAa,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IACrC,OAAO,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACzE,SAAS,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EACzC,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;CAChC;AAED,eAAO,MAAM,iBAAiB,wBAAyB,wBAAwB,KAAG,WAwDhF,CAAC"}
|
|
@@ -1,4 +1,5 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { fromJwksPort } from '@sentropic/oauth-verify';
|
|
2
|
+
import { decodeProtectedHeader, jwtVerify, SignJWT, } from 'jose';
|
|
2
3
|
export const createJwksService = ({ clock, jwksPort }) => ({
|
|
3
4
|
async getPublicJwks() {
|
|
4
5
|
const keys = await jwksPort.listPublicKeys();
|
|
@@ -45,15 +46,12 @@ export const createJwksService = ({ clock, jwksPort }) => ({
|
|
|
45
46
|
},
|
|
46
47
|
async verifyJwt(jwt, options = {}) {
|
|
47
48
|
const protectedHeader = decodeProtectedHeader(jwt);
|
|
48
|
-
|
|
49
|
-
if (!kid) {
|
|
49
|
+
if (!protectedHeader.kid) {
|
|
50
50
|
throw new Error('JWT protected header is missing kid.');
|
|
51
51
|
}
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
}
|
|
56
|
-
const publicKey = await importJWK(key.publicJwk, key.alg);
|
|
52
|
+
// Key resolution is shared with @sentropic/oauth-verify (single verify core); the
|
|
53
|
+
// AS-side claim assertions (iss/aud/currentDate) stay here via jose JWTVerifyOptions.
|
|
54
|
+
const publicKey = await fromJwksPort(jwksPort).resolveKey(protectedHeader);
|
|
57
55
|
return jwtVerify(jwt, publicKey, options);
|
|
58
56
|
},
|
|
59
57
|
});
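Review bot: `fromJwksPort(jwksPort)` is constructed on every `verifyJwt` call although `jwksPort` is fixed for the lifetime of the service; hoist it into the factory, `const keyResolver = fromJwksPort(jwksPort);` before the returned object literal, and use `const publicKey = await keyResolver.resolveKey(protectedHeader);` here. The rewrite also removes the local checks that sat between the kid lookup and `importJWK` (old lines 52–55, whose text is not rendered) in favour of the shared resolver, while `jwtVerify(jwt, publicKey, options)` still forwards caller options unchanged, so nothing in this hunk pins the accepted `alg` set; confirm that `resolveKey` rejects unknown or retired kids and binds the header `alg` to the stored key's algorithm, or pass `algorithms` explicitly in the `jwtVerify` options. Once confirmed, the added comment could state it: `// resolveKey rejects unknown kids and pins alg to the stored key; iss/aud/exp checks stay in jose below.` The enclosing `createJwksService` factory starts outside this hunk.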
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"jwks-service.js","sourceRoot":"","sources":["../../src/oauth/jwks-service.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,EACrB,SAAS,EACT,
|
|
1
|
+
{"version":3,"file":"jwks-service.js","sourceRoot":"","sources":["../../src/oauth/jwks-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,qBAAqB,EACrB,SAAS,EACT,OAAO,GAIR,MAAM,MAAM,CAAC;AAgCd,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,EAAE,KAAK,EAAE,QAAQ,EAA4B,EAAe,EAAE,CAAC,CAAC;IAChG,KAAK,CAAC,aAAa;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,cAAc,EAAE,CAAC;QAE7C,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;gBACrB,MAAM,EAAE,CAAC,EAAE,gBAAgB,EAAE,GAAG,SAAS,EAAE,GAAG,GAAG,CAAC,SAAS,CAAC;gBAC5D,OAAO;oBACL,GAAG,SAAS;oBACZ,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,EAAE,SAAS,CAAC,GAAG;oBAClB,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;oBACzC,GAAG,EAAE,KAAK;iBACX,CAAC;YACJ,CAAC,CAAC;SACH,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,GAAG,EAAE;QACjC,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,CAAC;QAChD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,2BAA2B,SAAS,CAAC,GAAG,+BAA+B,CAAC,CAAC;QAC3F,CAAC;QAED,IAAI,GAAG,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC,kBAAkB,CAAC;YAChD,GAAG,EAAE,SAAS,CAAC,GAAG;YAClB,GAAG,EAAE,SAAS,CAAC,GAAG;YAClB,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/C,CAAC,CAAC;QAEH,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,cAAc,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACnD,IAAI,OAAO,CAAC,QAAQ;YAAE,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9D,IAAI,OAAO,CAAC,SAAS;YAAE,GAAG,GAAG,GAAG,CAAC,iBAAiB,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;QACtF,IAAI,OAAO,CAAC,MAAM;YAAE,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACxD,IAAI,OAAO,CAAC,GAAG;YAAE,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC/C,IAAI,OAAO,CAAC,OAAO;YAAE,GAAG,GAAG,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAE3D,OAAO,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAG,EAAE,OA
AO,GAAG,EAAE;QAC/B,MAAM,eAAe,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;QACnD,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,kFAAkF;QAClF,sFAAsF;QACtF,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;QAC3E,OAAO,SAAS,CAAC,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,CAAC,IAAU,EAAU,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC"}
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
import type { MiddlewareHandler } from 'hono';
|
|
2
|
+
import type { AuthHonoClockPort } from '../ports.js';
|
|
3
|
+
import type { JwksPort, OauthStateStorePort } from './state-store-types.js';
|
|
4
|
+
/**
|
|
5
|
+
* Narrow port set for resource-server verification (BR39d-D6). Resource servers
|
|
6
|
+
* must not construct users/credentials/sessions/email ports just to verify a
|
|
7
|
+
* bearer or DPoP-bound access token.
|
|
8
|
+
*/
|
|
9
|
+
export interface ServiceAuthPorts {
|
|
10
|
+
clock: AuthHonoClockPort;
|
|
11
|
+
jwks: JwksPort;
|
|
12
|
+
dpopReplay?: Pick<OauthStateStorePort, 'recordDpopJti'>;
|
|
13
|
+
}
|
|
14
|
+
export interface ServiceAuthContext {
|
|
15
|
+
clientId: string;
|
|
16
|
+
scopes: string[];
|
|
17
|
+
jkt: string | null;
|
|
18
|
+
}
|
|
19
|
+
export interface CreateRequireServiceAuthOptions {
|
|
20
|
+
issuer: string;
|
|
21
|
+
requiredScopes?: string[];
|
|
22
|
+
resource: string;
|
|
23
|
+
ports: ServiceAuthPorts;
|
|
24
|
+
/** DPoP proof iat acceptance window in seconds (default 60). */
|
|
25
|
+
dpopIatSkewSeconds?: number;
|
|
26
|
+
/** Context key the verified service-client context is stored under (default 'serviceClient'). */
|
|
27
|
+
contextKey?: string;
|
|
28
|
+
}
|
|
29
|
+
export declare const createRequireServiceAuth: (options: CreateRequireServiceAuthOptions) => MiddlewareHandler;
|
|
30
|
+
//# sourceMappingURL=service-auth-middleware.d.ts.map
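Review bot: `dpopReplay?: Pick<OauthStateStorePort, 'recordDpopJti'>;` on `ServiceAuthPorts` is optional, yet nothing in the declaration says what `createRequireServiceAuth` does with a DPoP-bound token when it is omitted — reject it, or verify it without replay protection — and that is the decision a resource-server integrator most needs documented. Add a TSDoc comment on the field in `src/oauth/service-auth-middleware.ts` (this `.d.ts` is emitted from it), for example `/** Replay store for DPoP jti values. When omitted, <state whether DPoP-bound tokens are rejected or accepted without replay detection>. */`, filled in with the actual behavior of the middleware. `scopes: string[]` on `ServiceAuthContext` and `requiredScopes?: string[]` could also be `readonly string[]`, since the context is attached to the request for downstream handlers that should not mutate it.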
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"service-auth-middleware.d.ts","sourceRoot":"","sources":["../../src/oauth/service-auth-middleware.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAW,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAEvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,KAAK,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAE5E;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,iBAAiB,CAAC;IACzB,IAAI,EAAE,QAAQ,CAAC;IACf,UAAU,CAAC,EAAE,IAAI,CAAC,mBAAmB,EAAE,eAAe,CAAC,CAAC;CACzD;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;CACpB;AAED,MAAM,WAAW,+BAA+B;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,gBAAgB,CAAC;IACxB,gEAAgE;IAChE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,iGAAiG;IACjG,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAcD,eAAO,MAAM,wBAAwB,YAC1B,+BAA+B,KACvC,iBA6BF,CAAC"}
|