@sentropic/auth-hono 0.3.0 → 0.6.0
- package/README.md +55 -2
- package/dist/index.d.ts +2 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -0
- package/dist/index.js.map +1 -1
- package/dist/oauth/authorize-handler.d.ts.map +1 -1
- package/dist/oauth/authorize-handler.js +46 -1
- package/dist/oauth/authorize-handler.js.map +1 -1
- package/dist/oauth/consent-decision-handler.d.ts.map +1 -1
- package/dist/oauth/consent-decision-handler.js +1 -0
- package/dist/oauth/consent-decision-handler.js.map +1 -1
- package/dist/oauth/dpop.d.ts +7 -4
- package/dist/oauth/dpop.d.ts.map +1 -1
- package/dist/oauth/dpop.js +23 -44
- package/dist/oauth/dpop.js.map +1 -1
- package/dist/oauth/jwks-service.d.ts.map +1 -1
- package/dist/oauth/jwks-service.js +6 -8
- package/dist/oauth/jwks-service.js.map +1 -1
- package/dist/oauth/service-auth-middleware.d.ts +30 -0
- package/dist/oauth/service-auth-middleware.d.ts.map +1 -0
- package/dist/oauth/service-auth-middleware.js +152 -0
- package/dist/oauth/service-auth-middleware.js.map +1 -0
- package/dist/oauth/state-codec.d.ts +2 -0
- package/dist/oauth/state-codec.d.ts.map +1 -1
- package/dist/oauth/state-codec.js.map +1 -1
- package/dist/oauth/state-store-types.d.ts +26 -0
- package/dist/oauth/state-store-types.d.ts.map +1 -1
- package/dist/oauth/token-handler.d.ts +1 -0
- package/dist/oauth/token-handler.d.ts.map +1 -1
- package/dist/oauth/token-handler.js +158 -3
- package/dist/oauth/token-handler.js.map +1 -1
- package/dist/oauth/wellknown-handler.js +3 -3
- package/dist/oauth/wellknown-handler.js.map +1 -1
- package/dist/ports.d.ts +15 -1
- package/dist/ports.d.ts.map +1 -1
- package/package.json +4 -1
- package/src/index.ts +11 -0
- package/src/oauth/authorize-handler.ts +55 -1
- package/src/oauth/consent-decision-handler.ts +1 -0
- package/src/oauth/dpop.ts +30 -67
- package/src/oauth/jwks-service.ts +5 -9
- package/src/oauth/service-auth-middleware.ts +229 -0
- package/src/oauth/state-codec.ts +2 -0
- package/src/oauth/state-store-types.ts +27 -0
- package/src/oauth/token-handler.ts +218 -4
- package/src/oauth/wellknown-handler.ts +3 -3
- package/src/ports.ts +16 -0
package/dist/ports.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ports.d.ts","sourceRoot":"","sources":["../src/ports.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAElF,YAAY,EACV,eAAe,EACf,eAAe,EACf,aAAa,EACb,QAAQ,EACR,aAAa,EACb,iBAAiB,EACjB,mBAAmB,EACnB,cAAc,EACd,SAAS,GACV,MAAM,8BAA8B,CAAC;AAEtC,MAAM,MAAM,qBAAqB,GAC7B,QAAQ,GACR,wBAAwB,GACxB,2BAA2B,GAC3B,kBAAkB,GAClB,mBAAmB,GACnB,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB,MAAM,MAAM,qBAAqB,GAAG,cAAc,GAAG,gBAAgB,CAAC;AAEtE,MAAM,WAAW,kBAAkB;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,OAAO,CAAC;IACvB,aAAa,EAAE,qBAAqB,CAAC;IACrC,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;IAC3B,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,qBAAqB,CAAC;IACtC,aAAa,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,qBAAqB,CAAC;IACtC,aAAa,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC5B,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC7D,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC/D,MAAM,CAAC,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACpE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC3F,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAC1B;AAED,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,UAAU,GAAG,WAAW,GAAG,MAAM,CAAC;IAC7C,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACp
B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,UAAU,GAAG,WAAW,GAAG,MAAM,CAAC;IAC7C,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IAC/E,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IACnF,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,EAAE,CAAC,CAAC;IACjE,MAAM,CAAC,KAAK,EAAE,6BAA6B,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;IAChF,aAAa,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvF,MAAM,CAAC,kBAAkB,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IAC3G,MAAM,CAAC,kBAAkB,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACtE;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,IAAI,EAAE,qBAAqB,CAAC;IAC5B,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,4BAA4B;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,IAAI,EAAE,qBAAqB,CAAC;IAC5B,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,KAAK,EAAE,4BAA4B,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAC9E,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC;IACnG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3C,YAAY,CAAC,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC1C;AAED,MAAM,WAAW,qBAAqB;IACpC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACz
B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;IAChB,cAAc,EAAE,IAAI,CAAC;IACrB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,0BAA0B;IACzC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,UAAU,CAAC,EAAE,kBAAkB,CAAC;IAChC,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,GAAG,EAAE,IAAI,CAAC;CACX;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,CAAC,KAAK,EAAE,0BAA0B,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAC1E,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACnE,eAAe,CAAC,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACjF,sBAAsB,CAAC,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACxF,KAAK,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,YAAY,CAAC,KAAK,EAAE;QAClB,SAAS,EAAE,IAAI,CAAC;QAChB,gBAAgB,EAAE,MAAM,CAAC;QACzB,SAAS,EAAE,MAAM,CAAC;QAClB,gBAAgB,EAAE,MAAM,CAAC;KAC1B,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5C,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC,CAAC;CAC/D;AAED,MAAM,WAAW,+BAA+B;IAC9C,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,6BAA6B;IAC5C,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACzD,UAAU,CAAC,KAAK,EAAE;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,SAAS,EAAE,IAAI,CAAC;QAChB,GAAG,EAAE,IAAI,CAAC;KACX,GAAG,OAAO,CAAC,+BAA+B,CAAC,CAAC;IAC7C,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,+BAA+B,GAAG,IAAI,CAAC,CAAC;IACjH,6BAA6B,CAAC,EAAE,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpF,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC
,CAAC;CACpF;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,KAAK,EAAE;QACZ,KAAK,EAAE,MAAM,CAAC;QACd,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACvB,SAAS,EAAE,IAAI,CAAC;QAChB,GAAG,EAAE,IAAI,CAAC;KACX,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACrC,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC;IAC5F,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7D;AAED,MAAM,WAAW,yBAAyB;IACxC,oBAAoB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7F,aAAa,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrG;AAED,MAAM,WAAW,kBAAkB;IACjC,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,sBAAsB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,MAAM,CAAC;IAC1E,sBAAsB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,MAAM,CAAC;IAC1E,6BAA6B,IAAI,MAAM,CAAC;IACxC,6BAA6B,IAAI,MAAM,CAAC;CACzC;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,iBAAiB;IAChC,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IACrD,gBAAgB,CAAC,MAAM,EAAE,qBAAqB,EAAE,SAAS,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClF,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACzE,qBAAqB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACnF;AAED,MAAM,MAAM,kBAAkB,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAA
C;AAErE,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,KAAK,EAAE,kBAAkB,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAC1G;AAED,MAAM,WAAW,iBAAiB;IAChC,GAAG,IAAI,IAAI,CAAC;IACZ,UAAU,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/C;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,IAAI,MAAM,CAAC;IACf,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC;IAClC,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,6BAA6B;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,yBAAyB;IACxC,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACtC,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACzC,uBAAuB,CAAC,CAAC,IAAI,EAAE,kBAAkB,GAAG,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;IAC7F,cAAc,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IACzF,gBAAgB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,OAAO,CAAC;QAAC,GAAG,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC;QACnF,aAAa,EAAE,qBAAqB,CAAC;QACrC,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;KAC5B,CAAC,GAAG;QACH,aAAa,EAAE,qBAAqB,CAAC;QACrC,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;KAC5B,CAAC;IACF,eAAe,CAAC,IAAI,EAAE,kBAAkB,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,6BAA6B,CAAC,GAAG,6BAA6B,CAAC;IAC7H,kBAAkB,CAAC,IAAI,EAAE,kBAAkB,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IAClF,gBAAgB,CAAC,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACnE;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,gBAAgB,CAAC;IACxB,WAAW,EAAE,sBAAsB,CAAC;IACpC,UAAU,EAAE,qBAAqB,CAAC;IAClC,QAAQ,EAAE,mBAAmB,CAAC;IAC9B,iBAAiB,EAAE,6BAA6B,CAAC;IACjD,UAAU,EAAE,qBAAqB,CAAC;IAClC,aAAa,EAAE,yBAAyB,CAAC;IACzC,OAAO,EAAE,kBAAkB,CAAC;IAC5B,MAAM,EAAE,iBAAiB,CAAC;IAC1B,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,KAAK,EAAE,iBAAiB,CAAC;IACzB,MAAM,EAAE,kBAAkB,CAAC;IAC3B,aAAa,EAAE,yBAAyB,CAAC;IACzC,eAAe,EAAE,mBAAmB,CAAC;IACrC,IAAI,EAAE,QAAQ,CAAC;CAChB"}
|
|
1
|
+
{"version":3,"file":"ports.d.ts","sourceRoot":"","sources":["../src/ports.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAElF,YAAY,EACV,eAAe,EACf,eAAe,EACf,aAAa,EACb,QAAQ,EACR,aAAa,EACb,iBAAiB,EACjB,mBAAmB,EACnB,cAAc,EACd,mBAAmB,EACnB,SAAS,GACV,MAAM,8BAA8B,CAAC;AAEtC,MAAM,MAAM,qBAAqB,GAC7B,QAAQ,GACR,wBAAwB,GACxB,2BAA2B,GAC3B,kBAAkB,GAClB,mBAAmB,GACnB,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB,MAAM,MAAM,qBAAqB,GAAG,cAAc,GAAG,gBAAgB,CAAC;AAEtE,MAAM,WAAW,kBAAkB;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,OAAO,CAAC;IACvB,aAAa,EAAE,qBAAqB,CAAC;IACrC,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;IAC3B,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,qBAAqB,CAAC;IACtC,aAAa,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,qBAAqB,CAAC;IACtC,aAAa,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC5B,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC7D,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC/D,MAAM,CAAC,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACpE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC3F,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAC1B;AAED,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,UAAU,GAAG,WAAW,GAAG,MAAM,CAAC;IAC7C,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,MAAM,GAAG,I
AAI,CAAC;IACpB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,UAAU,GAAG,WAAW,GAAG,MAAM,CAAC;IAC7C,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IAC/E,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IACnF,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,EAAE,CAAC,CAAC;IACjE,MAAM,CAAC,KAAK,EAAE,6BAA6B,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;IAChF,aAAa,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvF,MAAM,CAAC,kBAAkB,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IAC3G,MAAM,CAAC,kBAAkB,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACtE;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,IAAI,EAAE,qBAAqB,CAAC;IAC5B,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,4BAA4B;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,IAAI,EAAE,qBAAqB,CAAC;IAC5B,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,KAAK,EAAE,4BAA4B,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAC9E,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC;IACnG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3C,YAAY,CAAC,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC1C;AAED,MAAM,WAAW,qBAAqB;IACpC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,I
AAI,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;IAChB,cAAc,EAAE,IAAI,CAAC;IACrB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,0BAA0B;IACzC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,UAAU,CAAC,EAAE,kBAAkB,CAAC;IAChC,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,GAAG,EAAE,IAAI,CAAC;CACX;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,CAAC,KAAK,EAAE,0BAA0B,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAC1E,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACnE,eAAe,CAAC,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACjF,sBAAsB,CAAC,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACxF,KAAK,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,YAAY,CAAC,KAAK,EAAE;QAClB,SAAS,EAAE,IAAI,CAAC;QAChB,gBAAgB,EAAE,MAAM,CAAC;QACzB,SAAS,EAAE,MAAM,CAAC;QAClB,gBAAgB,EAAE,MAAM,CAAC;KAC1B,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5C,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC,CAAC;CAC/D;AAED,MAAM,WAAW,+BAA+B;IAC9C,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,6BAA6B;IAC5C,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACzD,UAAU,CAAC,KAAK,EAAE;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,SAAS,EAAE,IAAI,CAAC;QAChB,GAAG,EAAE,IAAI,CAAC;KACX,GAAG,OAAO,CAAC,+BAA+B,CAAC,CAAC;IAC7C,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,+BAA+B,GAAG,IAAI,CAAC,CAAC;IACjH,6BAA6B,CAAC,EAAE,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpF,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,C
AAC,OAAO,CAAC,CAAC;CACpF;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,KAAK,EAAE;QACZ,KAAK,EAAE,MAAM,CAAC;QACd,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACvB,SAAS,EAAE,IAAI,CAAC;QAChB,GAAG,EAAE,IAAI,CAAC;KACX,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACrC,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC;IAC5F,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7D;AAED,MAAM,WAAW,yBAAyB;IACxC,oBAAoB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7F,aAAa,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrG;AAED,MAAM,WAAW,kBAAkB;IACjC,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IAClD,sBAAsB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,MAAM,CAAC;IAC1E,sBAAsB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,MAAM,CAAC;IAC1E,6BAA6B,IAAI,MAAM,CAAC;IACxC,6BAA6B,IAAI,MAAM,CAAC;CACzC;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,iBAAiB;IAChC,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IACrD,gBAAgB,CAAC,MAAM,EAAE,qBAAqB,EAAE,SAAS,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClF,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IACzE,qBAAqB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACnF;AAED,MAAM,MAAM,kBAAkB,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,
GAAG,OAAO,CAAC;AAErE,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,KAAK,EAAE,kBAAkB,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAC1G;AAED,MAAM,WAAW,iBAAiB;IAChC,GAAG,IAAI,IAAI,CAAC;IACZ,UAAU,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/C;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,IAAI,MAAM,CAAC;IACf,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC;IAClC,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,6BAA6B;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,yBAAyB;IACxC,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACtC,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACzC,uBAAuB,CAAC,CAAC,IAAI,EAAE,kBAAkB,GAAG,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;IAC7F,cAAc,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IACzF,gBAAgB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,OAAO,CAAC;QAAC,GAAG,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC;QACnF,aAAa,EAAE,qBAAqB,CAAC;QACrC,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;KAC5B,CAAC,GAAG;QACH,aAAa,EAAE,qBAAqB,CAAC;QACrC,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;KAC5B,CAAC;IACF,eAAe,CAAC,IAAI,EAAE,kBAAkB,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,6BAA6B,CAAC,GAAG,6BAA6B,CAAC;IAC7H,kBAAkB,CAAC,IAAI,EAAE,kBAAkB,EAAE,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IAClF,gBAAgB,CAAC,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACnE;AAED;;;;;GAKG;AACH,MAAM,WAAW,kBAAkB;IACjC,wFAAwF;IACxF,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACzD,4FAA4F;IAC5F,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACtE;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,gBAAgB,CAAC;IACxB,WAAW,EAAE,sBAAsB,CAAC;IACpC,UAAU,EAAE,qBAAqB,CAAC;IAClC,QAAQ,EAAE,mBAAmB,CAAC;IAC9B,iBAAiB,EAAE,6BAA6B,CAAC;IACjD,UAAU,EAAE,qBAAqB,CAAC;IAClC,aAAa,EAAE,yBAAyB,CAAC;IACzC,OAAO,EAAE,kBAAkB,CAAC;IAC5B,MAAM,EAAE,iBAAiB,CAA
C;IAC1B,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,KAAK,EAAE,iBAAiB,CAAC;IACzB,MAAM,EAAE,kBAAkB,CAAC;IAC3B,aAAa,EAAE,yBAAyB,CAAC;IACzC,eAAe,EAAE,mBAAmB,CAAC;IACrC,IAAI,EAAE,QAAQ,CAAC;IACf,oEAAoE;IACpE,MAAM,CAAC,EAAE,kBAAkB,CAAC;CAC7B"}
|
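--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@sentropic/auth-hono",
-"version": "0.
+"version": "0.6.0",
 "description": "Reusable Hono authentication route factories, contracts, and server-side auth helpers for Sentropic-compatible apps.",
 "type": "module",
 "license": "MIT",
@@ -88,6 +88,9 @@
 "typecheck": "tsc --noEmit -p tsconfig.json",
 "test": "vitest run tests"
 },
+"dependencies": {
+"@sentropic/oauth-verify": "^0.1.0"
+},
 "peerDependencies": {
 "@hono/zod-validator": "^0.7.5",
 "@simplewebauthn/server": "^13.2.2",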
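Review bot: The new `dependencies` entry pulls the token and DPoP verification core in through a caret range, `"@sentropic/oauth-verify": "^0.1.0"`, which for a 0.x version resolves to any 0.1.x release. The comment added in `src/index.ts` says the verify paths now delegate to that package, so a patch release there changes verification behaviour for consumers without a new auth-hono release. Consider an exact pin, `"@sentropic/oauth-verify": "0.1.0"`, bumped deliberately together with the test suite.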
package/src/index.ts
CHANGED
|
@@ -1,3 +1,13 @@
|
|
|
1
|
+
// Canonical verify-core claim types are re-exported for back-compat: the shared
|
|
2
|
+
// verification primitives now live in @sentropic/oauth-verify (the 4 duplicate auth-hono
|
|
3
|
+
// verify paths delegate to it). Consumers may keep importing these from @sentropic/auth-hono.
|
|
4
|
+
export type {
|
|
5
|
+
AccessTokenClaims,
|
|
6
|
+
ActClaim,
|
|
7
|
+
IdentityType,
|
|
8
|
+
TokenKeySource,
|
|
9
|
+
} from '@sentropic/oauth-verify';
|
|
10
|
+
|
|
1
11
|
export * from './contracts.js';
|
|
2
12
|
export * from './credential-route-handlers.js';
|
|
3
13
|
export * from './email-verification.js';
|
|
@@ -12,6 +22,7 @@ export * from './oauth/introspect-handler.js';
|
|
|
12
22
|
export * from './oauth/jwks-service.js';
|
|
13
23
|
export * from './oauth/router.js';
|
|
14
24
|
export * from './oauth/revoke-handler.js';
|
|
25
|
+
export * from './oauth/service-auth-middleware.js';
|
|
15
26
|
export * from './oauth/session-resolver.js';
|
|
16
27
|
export * from './oauth/state-store-types.js';
|
|
17
28
|
export * from './oauth/state-codec.js';
|
|
@@ -21,6 +21,7 @@ interface ValidatedAuthorizeRequest {
|
|
|
21
21
|
dpopJkt: string | null;
|
|
22
22
|
nonce: string | null;
|
|
23
23
|
redirectUri: string;
|
|
24
|
+
resource: string | null;
|
|
24
25
|
scope: string;
|
|
25
26
|
state: string | null;
|
|
26
27
|
}
|
|
@@ -129,12 +130,16 @@ const validateAuthorizeRequest = async (
|
|
|
129
130
|
const scopeResult = validateScope(c.req.query('scope') ?? '', client, redirectUri, state, c.req.url);
|
|
130
131
|
if (scopeResult instanceof Response) return scopeResult;
|
|
131
132
|
|
|
133
|
+
const resourceResult = validateResource(c.req.queries('resource'), client, redirectUri, state, c.req.url);
|
|
134
|
+
if (resourceResult instanceof Response) return resourceResult;
|
|
135
|
+
|
|
132
136
|
return {
|
|
133
137
|
client,
|
|
134
138
|
codeChallenge,
|
|
135
139
|
dpopJkt: c.req.query('dpop_jkt') ?? null,
|
|
136
140
|
nonce: c.req.query('nonce') ?? null,
|
|
137
141
|
redirectUri,
|
|
142
|
+
resource: resourceResult,
|
|
138
143
|
scope: scopeResult,
|
|
139
144
|
state,
|
|
140
145
|
};
|
|
@@ -174,6 +179,34 @@ const validateScope = (
|
|
|
174
179
|
return requestedScopes.join(' ');
|
|
175
180
|
};
|
|
176
181
|
|
|
182
|
+
/**
|
|
183
|
+
* RFC 8707 resource indicator validation on the `authorization_code` flow (BR-39l Lot 2).
|
|
184
|
+
* - C1 single-aud: more than one `resource` value ⇒ `invalid_target` (no multi-audience tokens).
|
|
185
|
+
* - C2 default-deny allowlist: a requested `resource` must be in `client.resourceIndicators`,
|
|
186
|
+
* else `invalid_target`. No `resource` ⇒ `null` (default-aud = userinfo, byte-identical to 0.5.0).
|
|
187
|
+
* The validated value is sealed into the continuation and becomes the access-token `aud`.
|
|
188
|
+
*/
|
|
189
|
+
const validateResource = (
|
|
190
|
+
resources: string[] | undefined,
|
|
191
|
+
client: OauthClientRecord,
|
|
192
|
+
redirectUri: string,
|
|
193
|
+
state: string | null,
|
|
194
|
+
baseUrl: string
|
|
195
|
+
): string | null | Response => {
|
|
196
|
+
const requested = (resources ?? []).filter((value) => value.length > 0);
|
|
197
|
+
if (requested.length === 0) return null;
|
|
198
|
+
if (requested.length > 1) {
|
|
199
|
+
return redirectWithOAuthError(redirectUri, 'invalid_target', state, baseUrl);
|
|
200
|
+
}
|
|
201
|
+
|
|
202
|
+
const value = requested[0];
|
|
203
|
+
const allowlist = client.resourceIndicators ?? [];
|
|
204
|
+
if (!allowlist.includes(value)) {
|
|
205
|
+
return redirectWithOAuthError(redirectUri, 'invalid_target', state, baseUrl);
|
|
206
|
+
}
|
|
207
|
+
return value;
|
|
208
|
+
};
|
|
209
|
+
|
|
177
210
|
const sealContinuation = async (
|
|
178
211
|
c: Context,
|
|
179
212
|
options: OAuthAuthorizeHandlerOptions,
|
|
@@ -182,6 +215,26 @@ const sealContinuation = async (
|
|
|
182
215
|
): Promise<string> => {
|
|
183
216
|
const now = options.ports.clock.now();
|
|
184
217
|
const expiresAt = options.ports.clock.addSeconds(now, options.stateTtlSeconds ?? 10 * 60);
|
|
218
|
+
|
|
219
|
+
// BR-39e: derive the tenant bound to this auth code from the user's VALIDATED membership,
|
|
220
|
+
// never from the raw client/param. Legacy behavior (client tenant) when no tenancy spine is
|
|
221
|
+
// wired. An explicit `?tenant=` selection is honored ONLY if it is an approved membership.
|
|
222
|
+
let tenantId: string | null = request.client.tenantId;
|
|
223
|
+
if (options.ports.tenant) {
|
|
224
|
+
tenantId = null;
|
|
225
|
+
if (session?.userId) {
|
|
226
|
+
const approved = await options.ports.tenant.listApprovedTenantIds(session.userId);
|
|
227
|
+
const requested = c.req.query('tenant') ?? null;
|
|
228
|
+
if (requested) {
|
|
229
|
+
tenantId = approved.includes(requested) ? requested : null;
|
|
230
|
+
} else if (approved.length === 1) {
|
|
231
|
+
tenantId = approved[0];
|
|
232
|
+
}
|
|
233
|
+
// 0 or >1 approved tenants without a valid explicit selection → no tenant claim
|
|
234
|
+
// (a multi-tenant selection screen is deferred; the RP may re-request with ?tenant=).
|
|
235
|
+
}
|
|
236
|
+
}
|
|
237
|
+
|
|
185
238
|
return options.stateCodec.seal({
|
|
186
239
|
acr: session?.acr,
|
|
187
240
|
authTime: session?.authTime,
|
|
@@ -193,9 +246,10 @@ const sealContinuation = async (
|
|
|
193
246
|
expiresAt: expiresAt.toISOString(),
|
|
194
247
|
nonce: request.nonce,
|
|
195
248
|
redirectUri: request.redirectUri,
|
|
249
|
+
resource: request.resource,
|
|
196
250
|
scope: request.scope,
|
|
197
251
|
state: request.state,
|
|
198
|
-
tenantId
|
|
252
|
+
tenantId,
|
|
199
253
|
userId: session?.userId,
|
|
200
254
|
});
|
|
201
255
|
};
|
|
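Review bot: In the tenant block added to `sealContinuation`, a `?tenant=` value that is not in the user's approved list is silently replaced by `null` (`tenantId = approved.includes(requested) ? requested : null;`) and the flow continues, so the client receives a code with no tenant instead of an error. `validateResource` in the same file fails closed with `invalid_target` on an equivalent allowlist miss; handling the tenant the same way (validate it once the session is known and redirect with an OAuth error such as `access_denied`) would make a rejected selection visible to the RP and to audit logging. The block also seals `tenantId = null` whenever `session?.userId` is absent, so if a continuation can be sealed before login, confirm the tenant is re-derived afterwards. Parts of `sealContinuation` lie between the hunks and are not shown.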
@@ -61,6 +61,7 @@ export const createOAuthConsentDecisionHandler =
|
|
|
61
61
|
expiresAt: options.ports.clock.addSeconds(now, options.authorizationCodeTtlSeconds ?? 60),
|
|
62
62
|
nonce: payload.nonce,
|
|
63
63
|
redirectUri: payload.redirectUri,
|
|
64
|
+
resource: payload.resource ?? null,
|
|
64
65
|
scope: payload.scope,
|
|
65
66
|
tenantId: payload.tenantId,
|
|
66
67
|
userId: payload.userId ?? '',
|
package/src/oauth/dpop.ts
CHANGED
|
@@ -1,14 +1,10 @@
|
|
|
1
1
|
import {
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
type JWK,
|
|
7
|
-
type JWTPayload,
|
|
8
|
-
} from 'jose';
|
|
2
|
+
DpopVerifyError,
|
|
3
|
+
verifyDpopProof,
|
|
4
|
+
type VerifiedDpop,
|
|
5
|
+
} from '@sentropic/oauth-verify';
|
|
9
6
|
|
|
10
7
|
import type { AuthHonoPorts } from '../ports.js';
|
|
11
|
-
import { sha256Base64url } from './crypto-utils.js';
|
|
12
8
|
|
|
13
9
|
export interface VerifyDpopProofOptions {
|
|
14
10
|
accessToken?: string;
|
|
@@ -19,10 +15,7 @@ export interface VerifyDpopProofOptions {
|
|
|
19
15
|
proof: string;
|
|
20
16
|
}
|
|
21
17
|
|
|
22
|
-
export
|
|
23
|
-
jkt: string;
|
|
24
|
-
jti: string;
|
|
25
|
-
}
|
|
18
|
+
export type VerifiedDpopProof = VerifiedDpop;
|
|
26
19
|
|
|
27
20
|
export class OAuthDpopProofError extends Error {
|
|
28
21
|
constructor(message: string) {
|
|
@@ -31,63 +24,33 @@ export class OAuthDpopProofError extends Error {
|
|
|
31
24
|
}
|
|
32
25
|
}
|
|
33
26
|
|
|
27
|
+
/**
|
|
28
|
+
* AS-side DPoP proof verification. Thin adapter over `@sentropic/oauth-verify`'s shared
|
|
29
|
+
* `verifyDpopProof`: it binds the IdP's clock + replay store and re-maps verification
|
|
30
|
+
* failures onto `OAuthDpopProofError` for the OAuth handlers (token/userinfo/revoke).
|
|
31
|
+
*/
|
|
34
32
|
export const verifyOAuthDpopProof = async (
|
|
35
33
|
options: VerifyDpopProofOptions
|
|
36
34
|
): Promise<VerifiedDpopProof> => {
|
|
37
|
-
const
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
jkt: await calculateJwkThumbprint(publicJwk),
|
|
58
|
-
jti: String(payload.jti),
|
|
59
|
-
};
|
|
60
|
-
};
|
|
61
|
-
|
|
62
|
-
const validateDpopPayload = async (
|
|
63
|
-
payload: JWTPayload,
|
|
64
|
-
options: VerifyDpopProofOptions
|
|
65
|
-
): Promise<void> => {
|
|
66
|
-
if (payload.htm !== options.htm.toUpperCase()) {
|
|
67
|
-
throw new OAuthDpopProofError('DPoP htm claim does not match the request method.');
|
|
68
|
-
}
|
|
69
|
-
if (payload.htu !== options.htu) {
|
|
70
|
-
throw new OAuthDpopProofError('DPoP htu claim does not match the request URL.');
|
|
71
|
-
}
|
|
72
|
-
if (!payload.jti || typeof payload.jti !== 'string') {
|
|
73
|
-
throw new OAuthDpopProofError('DPoP jti claim is required.');
|
|
74
|
-
}
|
|
75
|
-
if (typeof payload.iat !== 'number') {
|
|
76
|
-
throw new OAuthDpopProofError('DPoP iat claim is required.');
|
|
77
|
-
}
|
|
78
|
-
|
|
79
|
-
const nowSeconds = Math.floor(options.ports.clock.now().getTime() / 1000);
|
|
80
|
-
if (Math.abs(payload.iat - nowSeconds) > (options.iatSkewSeconds ?? 60)) {
|
|
81
|
-
throw new OAuthDpopProofError('DPoP iat claim is outside the allowed skew.');
|
|
82
|
-
}
|
|
83
|
-
|
|
84
|
-
if (options.accessToken) {
|
|
85
|
-
await validateAth(payload, options.accessToken);
|
|
86
|
-
}
|
|
87
|
-
};
|
|
88
|
-
|
|
89
|
-
const validateAth = async (payload: JWTPayload, accessToken: string): Promise<void> => {
|
|
90
|
-
if (payload.ath !== (await sha256Base64url(accessToken))) {
|
|
91
|
-
throw new OAuthDpopProofError('DPoP ath claim does not match the access token.');
|
|
35
|
+
const iatSkewSec = options.iatSkewSeconds ?? 60;
|
|
36
|
+
try {
|
|
37
|
+
return await verifyDpopProof({
|
|
38
|
+
accessToken: options.accessToken,
|
|
39
|
+
htm: options.htm,
|
|
40
|
+
htu: options.htu,
|
|
41
|
+
iatSkewSec,
|
|
42
|
+
now: options.ports.clock.now(),
|
|
43
|
+
proof: options.proof,
|
|
44
|
+
replay: (jti) =>
|
|
45
|
+
options.ports.oauthStateStore.recordDpopJti(
|
|
46
|
+
jti,
|
|
47
|
+
options.ports.clock.addSeconds(options.ports.clock.now(), iatSkewSec)
|
|
48
|
+
),
|
|
49
|
+
});
|
|
50
|
+
} catch (error) {
|
|
51
|
+
if (error instanceof DpopVerifyError) {
|
|
52
|
+
throw new OAuthDpopProofError(error.message);
|
|
53
|
+
}
|
|
54
|
+
throw error;
|
|
92
55
|
}
|
|
93
56
|
};
|
|
@@ -1,6 +1,6 @@
|
|
|
1
|
+
import { fromJwksPort } from '@sentropic/oauth-verify';
|
|
1
2
|
import {
|
|
2
3
|
decodeProtectedHeader,
|
|
3
|
-
importJWK,
|
|
4
4
|
jwtVerify,
|
|
5
5
|
SignJWT,
|
|
6
6
|
type JWTVerifyOptions,
|
|
@@ -85,17 +85,13 @@ export const createJwksService = ({ clock, jwksPort }: CreateJwksServiceOptions)
|
|
|
85
85
|
|
|
86
86
|
async verifyJwt(jwt, options = {}) {
|
|
87
87
|
const protectedHeader = decodeProtectedHeader(jwt);
|
|
88
|
-
|
|
89
|
-
if (!kid) {
|
|
88
|
+
if (!protectedHeader.kid) {
|
|
90
89
|
throw new Error('JWT protected header is missing kid.');
|
|
91
90
|
}
|
|
92
91
|
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
}
|
|
97
|
-
|
|
98
|
-
const publicKey = await importJWK(key.publicJwk, key.alg);
|
|
92
|
+
// Key resolution is shared with @sentropic/oauth-verify (single verify core); the
|
|
93
|
+
// AS-side claim assertions (iss/aud/currentDate) stay here via jose JWTVerifyOptions.
|
|
94
|
+
const publicKey = await fromJwksPort(jwksPort).resolveKey(protectedHeader);
|
|
99
95
|
return jwtVerify(jwt, publicKey, options);
|
|
100
96
|
},
|
|
101
97
|
});
|
|
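Review bot: The algorithm pin that the removed `importJWK(key.publicJwk, key.alg)` applied is no longer visible in `verifyJwt`: the key now comes from `fromJwksPort(jwksPort).resolveKey(protectedHeader)` and goes straight into `jwtVerify(jwt, publicKey, options)`. Whether `resolveKey` still ties the key to the algorithm registered for that `kid`, rather than to the `alg` in the unverified header, cannot be told from this hunk. A comment above the call would record the contract, for example `// resolveKey must return a key bound to the JWKS record's alg; the header alg is untrusted input`, and a test with a mismatched header `alg` would hold it in place. Lookup failures (for example an unknown `kid`) now surface as whatever `resolveKey` throws, so callers that matched on the previous error should be checked; `verifyJwt` sits inside `createJwksService`, which starts outside the hunk.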
@@ -0,0 +1,229 @@
|
|
|
1
|
+
// COMPAT WRAPPER (architect verdict E2/F8). The CANONICAL home of this RS middleware is now
|
|
2
|
+
// `@sentropic/mcp-auth/hono` (`createRequireServiceAuth`). auth-hono keeps this signature-stable
|
|
3
|
+
// wrapper — same behavior, sharing the SAME verification core (`@sentropic/oauth-verify`), no
|
|
4
|
+
// fourth copy of verify code — for ≥1 minor so pinned RPs are not forced to bump; it is dropped
|
|
5
|
+
// at auth-hono 1.0. The wrapper builds on oauth-verify primitives directly (NOT on mcp-auth) to
|
|
6
|
+
// respect the dependency DAG (auth-hono and mcp-auth never import each other).
|
|
7
|
+
import {
|
|
8
|
+
DpopVerifyError,
|
|
9
|
+
fromJwksPort,
|
|
10
|
+
parseScopes,
|
|
11
|
+
TokenVerifyError,
|
|
12
|
+
verifyAccessToken,
|
|
13
|
+
verifyDpopProof,
|
|
14
|
+
type AccessTokenClaims,
|
|
15
|
+
} from '@sentropic/oauth-verify';
|
|
16
|
+
import type { Context, MiddlewareHandler } from 'hono';
|
|
17
|
+
|
|
18
|
+
import type { AuthHonoClockPort } from '../ports.js';
|
|
19
|
+
import type { JwksPort, OauthStateStorePort } from './state-store-types.js';
|
|
20
|
+
|
|
21
|
+
/**
|
|
22
|
+
* Narrow port set for resource-server verification (BR39d-D6). Resource servers
|
|
23
|
+
* must not construct users/credentials/sessions/email ports just to verify a
|
|
24
|
+
* bearer or DPoP-bound access token.
|
|
25
|
+
*/
|
|
26
|
+
export interface ServiceAuthPorts {
|
|
27
|
+
clock: AuthHonoClockPort;
|
|
28
|
+
jwks: JwksPort;
|
|
29
|
+
dpopReplay?: Pick<OauthStateStorePort, 'recordDpopJti'>;
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
export interface ServiceAuthContext {
|
|
33
|
+
clientId: string;
|
|
34
|
+
scopes: string[];
|
|
35
|
+
jkt: string | null;
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
export interface CreateRequireServiceAuthOptions {
|
|
39
|
+
issuer: string;
|
|
40
|
+
requiredScopes?: string[];
|
|
41
|
+
resource: string;
|
|
42
|
+
ports: ServiceAuthPorts;
|
|
43
|
+
/** DPoP proof iat acceptance window in seconds (default 60). */
|
|
44
|
+
dpopIatSkewSeconds?: number;
|
|
45
|
+
/** Context key the verified service-client context is stored under (default 'serviceClient'). */
|
|
46
|
+
contextKey?: string;
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
class ServiceAuthError extends Error {
|
|
50
|
+
constructor(
|
|
51
|
+
readonly status: 401 | 403,
|
|
52
|
+
readonly code: string,
|
|
53
|
+
message: string,
|
|
54
|
+
readonly scheme: 'Bearer' | 'DPoP' = 'Bearer'
|
|
55
|
+
) {
|
|
56
|
+
super(message);
|
|
57
|
+
this.name = 'ServiceAuthError';
|
|
58
|
+
}
|
|
59
|
+
}
|
|
60
|
+
|
|
61
|
+
export const createRequireServiceAuth = (
|
|
62
|
+
options: CreateRequireServiceAuthOptions
|
|
63
|
+
): MiddlewareHandler => {
|
|
64
|
+
const issuer = trimTrailingSlash(options.issuer);
|
|
65
|
+
const requiredScopes = options.requiredScopes ?? [];
|
|
66
|
+
const contextKey = options.contextKey ?? 'serviceClient';
|
|
67
|
+
|
|
68
|
+
return async (c, next) => {
|
|
69
|
+
try {
|
|
70
|
+
const { scheme, token } = parseAuthorization(c.req.header('authorization'));
|
|
71
|
+
const payload = await verifyServiceAccessToken(token, options.ports, issuer, options.resource);
|
|
72
|
+
const scopes = parseScopes(payload.scope);
|
|
73
|
+
assertScopes(scopes, requiredScopes);
|
|
74
|
+
|
|
75
|
+
const jkt = await enforceDpop(c, payload, token, scheme, options);
|
|
76
|
+
|
|
77
|
+
const serviceContext: ServiceAuthContext = {
|
|
78
|
+
clientId: typeof payload.client_id === 'string' ? payload.client_id : String(payload.sub ?? ''),
|
|
79
|
+
jkt,
|
|
80
|
+
scopes,
|
|
81
|
+
};
|
|
82
|
+
c.set(contextKey, serviceContext);
|
|
83
|
+
|
|
84
|
+
await next();
|
|
85
|
+
} catch (error) {
|
|
86
|
+
if (error instanceof ServiceAuthError) {
|
|
87
|
+
return serviceAuthErrorResponse(c, error);
|
|
88
|
+
}
|
|
89
|
+
throw error;
|
|
90
|
+
}
|
|
91
|
+
};
|
|
92
|
+
};
|
|
93
|
+
|
|
94
|
+
const parseAuthorization = (header: string | undefined): { scheme: 'Bearer' | 'DPoP'; token: string } => {
|
|
95
|
+
if (!header) {
|
|
96
|
+
throw new ServiceAuthError(401, 'invalid_token', 'Authorization header is required.');
|
|
97
|
+
}
|
|
98
|
+
const [scheme, token] = header.split(/\s+/, 2);
|
|
99
|
+
if (!token) {
|
|
100
|
+
throw new ServiceAuthError(401, 'invalid_token', 'Authorization header is malformed.');
|
|
101
|
+
}
|
|
102
|
+
if (scheme === 'Bearer') return { scheme: 'Bearer', token };
|
|
103
|
+
if (scheme === 'DPoP') return { scheme: 'DPoP', token };
|
|
104
|
+
throw new ServiceAuthError(401, 'invalid_token', 'Unsupported authorization scheme.');
|
|
105
|
+
};
|
|
106
|
+
|
|
107
|
+
/**
|
|
108
|
+
* RS-side access-token verification. Delegates to `@sentropic/oauth-verify`'s shared
|
|
109
|
+
* `verifyAccessToken` over an in-process JWKS key source, mapping any failure onto the
|
|
110
|
+
* RFC 6750 `invalid_token` 401 the middleware emits.
|
|
111
|
+
*/
|
|
112
|
+
const verifyServiceAccessToken = async (
|
|
113
|
+
token: string,
|
|
114
|
+
ports: ServiceAuthPorts,
|
|
115
|
+
issuer: string,
|
|
116
|
+
resource: string
|
|
117
|
+
): Promise<AccessTokenClaims> => {
|
|
118
|
+
try {
|
|
119
|
+
return await verifyAccessToken({
|
|
120
|
+
audience: resource,
|
|
121
|
+
issuer,
|
|
122
|
+
keySource: fromJwksPort(ports.jwks),
|
|
123
|
+
now: ports.clock.now(),
|
|
124
|
+
token,
|
|
125
|
+
});
|
|
126
|
+
} catch (error) {
|
|
127
|
+
if (error instanceof TokenVerifyError) {
|
|
128
|
+
throw new ServiceAuthError(401, 'invalid_token', 'Access token is invalid, expired, or has the wrong audience.');
|
|
129
|
+
}
|
|
130
|
+
throw error;
|
|
131
|
+
}
|
|
132
|
+
};
|
|
133
|
+
|
|
134
|
+
const assertScopes = (scopes: string[], requiredScopes: string[]): void => {
|
|
135
|
+
const granted = new Set(scopes);
|
|
136
|
+
const missing = requiredScopes.filter((scope) => !granted.has(scope));
|
|
137
|
+
if (missing.length > 0) {
|
|
138
|
+
throw new ServiceAuthError(403, 'insufficient_scope', `Missing required scope: ${missing.join(' ')}.`);
|
|
139
|
+
}
|
|
140
|
+
};
|
|
141
|
+
|
|
142
|
+
const enforceDpop = async (
|
|
143
|
+
c: Context,
|
|
144
|
+
payload: { cnf?: { jkt: string } },
|
|
145
|
+
accessToken: string,
|
|
146
|
+
scheme: 'Bearer' | 'DPoP',
|
|
147
|
+
options: CreateRequireServiceAuthOptions
|
|
148
|
+
): Promise<string | null> => {
|
|
149
|
+
const boundJkt = payload.cnf?.jkt;
|
|
150
|
+
if (!boundJkt) return null;
|
|
151
|
+
|
|
152
|
+
if (scheme !== 'DPoP') {
|
|
153
|
+
throw new ServiceAuthError(401, 'invalid_token', 'DPoP-bound token requires the DPoP authorization scheme.', 'DPoP');
|
|
154
|
+
}
|
|
155
|
+
|
|
156
|
+
const proof = c.req.header('dpop');
|
|
157
|
+
if (!proof) {
|
|
158
|
+
throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof is required.', 'DPoP');
|
|
159
|
+
}
|
|
160
|
+
|
|
161
|
+
const verifiedJkt = await verifyServiceDpopProof({
|
|
162
|
+
accessToken,
|
|
163
|
+
htm: c.req.method,
|
|
164
|
+
htu: c.req.url,
|
|
165
|
+
iatSkewSeconds: options.dpopIatSkewSeconds,
|
|
166
|
+
ports: options.ports,
|
|
167
|
+
proof,
|
|
168
|
+
});
|
|
169
|
+
|
|
170
|
+
if (verifiedJkt !== boundJkt) {
|
|
171
|
+
throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof key does not match the bound token.', 'DPoP');
|
|
172
|
+
}
|
|
173
|
+
|
|
174
|
+
return verifiedJkt;
|
|
175
|
+
};
|
|
176
|
+
|
|
177
|
+
interface VerifyServiceDpopProofOptions {
|
|
178
|
+
accessToken: string;
|
|
179
|
+
htm: string;
|
|
180
|
+
htu: string;
|
|
181
|
+
iatSkewSeconds?: number;
|
|
182
|
+
ports: ServiceAuthPorts;
|
|
183
|
+
proof: string;
|
|
184
|
+
}
|
|
185
|
+
|
|
186
|
+
/**
|
|
187
|
+
* RS-side DPoP proof verification. Delegates to `@sentropic/oauth-verify`'s shared
|
|
188
|
+
* `verifyDpopProof`, wiring the optional RS replay port and remapping failures onto the
|
|
189
|
+
* RFC 9449 `invalid_dpop_proof` 401. The `jkt`↔`cnf.jkt` binding is enforced by the caller
|
|
190
|
+
* (`enforceDpop`) AFTER replay recording, preserving the original consume-then-compare order.
|
|
191
|
+
*/
|
|
192
|
+
const verifyServiceDpopProof = async (options: VerifyServiceDpopProofOptions): Promise<string> => {
|
|
193
|
+
const iatSkewSec = options.iatSkewSeconds ?? 60;
|
|
194
|
+
try {
|
|
195
|
+
const { jkt } = await verifyDpopProof({
|
|
196
|
+
accessToken: options.accessToken,
|
|
197
|
+
htm: options.htm,
|
|
198
|
+
htu: options.htu,
|
|
199
|
+
iatSkewSec,
|
|
200
|
+
now: options.ports.clock.now(),
|
|
201
|
+
proof: options.proof,
|
|
202
|
+
replay: options.ports.dpopReplay
|
|
203
|
+
? (jti) =>
|
|
204
|
+
options.ports.dpopReplay!.recordDpopJti(
|
|
205
|
+
jti,
|
|
206
|
+
options.ports.clock.addSeconds(options.ports.clock.now(), iatSkewSec)
|
|
207
|
+
)
|
|
208
|
+
: undefined,
|
|
209
|
+
});
|
|
210
|
+
return jkt;
|
|
211
|
+
} catch (error) {
|
|
212
|
+
if (error instanceof DpopVerifyError) {
|
|
213
|
+
throw new ServiceAuthError(401, 'invalid_dpop_proof', error.message, 'DPoP');
|
|
214
|
+
}
|
|
215
|
+
throw error;
|
|
216
|
+
}
|
|
217
|
+
};
|
|
218
|
+
|
|
219
|
+
const serviceAuthErrorResponse = (c: Context, error: ServiceAuthError): Response => {
|
|
220
|
+
c.header('WWW-Authenticate', buildWwwAuthenticate(error));
|
|
221
|
+
return c.json({ error: { code: error.code, message: error.message } }, error.status);
|
|
222
|
+
};
|
|
223
|
+
|
|
224
|
+
const buildWwwAuthenticate = (error: ServiceAuthError): string => {
|
|
225
|
+
const params = [`error="${error.code}"`, `error_description="${error.message}"`];
|
|
226
|
+
return `${error.scheme} ${params.join(', ')}`;
|
|
227
|
+
};
|
|
228
|
+
|
|
229
|
+
const trimTrailingSlash = (value: string): string => value.replace(/\/+$/u, '');
|
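Review bot: In `verifyServiceDpopProof` (new lines 202–208) the replay record is stored with what appears to be an expiry of `now + iatSkewSec`, which can be shorter than the time the proof itself stays acceptable. If the shared `verifyDpopProof` keeps the symmetric `Math.abs(payload.iat - nowSeconds)` window that the removed code in dpop.ts used, a proof whose `iat` is ahead of the server clock stays valid for up to twice the skew, so its `jti` record can expire while the proof still verifies; `verifyOAuthDpopProof` in dpop.ts builds the same expiry. Keeping the record for the whole window closes that gap: `options.ports.clock.addSeconds(options.ports.clock.now(), 2 * iatSkewSec)`. `dpopReplay` is optional in `ServiceAuthPorts`, and without it no replay callback is passed at all, which deserves a sentence in the interface's doc comment. Separately, `enforceDpop` returns at `if (!boundJkt) return null;` before looking at `scheme`, so an unbound token sent under the `DPoP` scheme is accepted as a plain bearer token; rejecting that case with a 401 would keep the scheme and the token binding consistent.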
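--- a/package/src/oauth/state-codec.ts
+++ b/package/src/oauth/state-codec.ts
@@ -9,6 +9,8 @@ export interface OAuthContinuationState {
 expiresAt: string;
 nonce: string | null;
 redirectUri: string;
+/** RFC 8707 resource sealed at authorize time (BR-39l Lot 2); carried authorize → consent → code. */
+resource?: string | null;
 scope: string;
 state: string | null;
 tenantId: string | null;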
@@ -16,6 +16,12 @@ export interface OauthClientRecord {
|
|
|
16
16
|
requirePkce: boolean;
|
|
17
17
|
tenantId: string | null;
|
|
18
18
|
ownerUserId: string | null;
|
|
19
|
+
/**
|
|
20
|
+
* RFC 8707 resource-indicator allowlist for the `authorization_code` flow (BR-39l Lot 2).
|
|
21
|
+
* Additive, default-deny: an empty/absent allowlist means the client may NOT request any
|
|
22
|
+
* `resource` (any value ⇒ `invalid_target`). Mirrors `ServiceClientRecord.resourceIndicators`.
|
|
23
|
+
*/
|
|
24
|
+
resourceIndicators?: string[];
|
|
19
25
|
createdAt: Date;
|
|
20
26
|
updatedAt: Date;
|
|
21
27
|
}
|
|
@@ -30,6 +36,12 @@ export interface AuthCodePayload {
|
|
|
30
36
|
codeChallengeMethod: 'S256';
|
|
31
37
|
dpopJkt: string | null;
|
|
32
38
|
nonce: string | null;
|
|
39
|
+
/**
|
|
40
|
+
* RFC 8707 resource sealed at authorize time (BR-39l Lot 2). When present, it becomes the
|
|
41
|
+
* access-token `aud`; the token-leg `resource` (if sent) MUST equal it. Absent ⇒ default-aud
|
|
42
|
+
* (userinfo URL), byte-identical to auth-hono 0.5.0.
|
|
43
|
+
*/
|
|
44
|
+
resource?: string | null;
|
|
33
45
|
acr: string;
|
|
34
46
|
authTime: Date;
|
|
35
47
|
expiresAt: Date;
|
|
@@ -55,8 +67,23 @@ export interface DpopProofRecord {
|
|
|
55
67
|
createdAt: Date;
|
|
56
68
|
}
|
|
57
69
|
|
|
70
|
+
export interface ServiceClientRecord {
|
|
71
|
+
id: string;
|
|
72
|
+
clientId: string;
|
|
73
|
+
clientSecretHash: string;
|
|
74
|
+
displayName: string | null;
|
|
75
|
+
allowedScopes: string[];
|
|
76
|
+
resourceIndicators: string[];
|
|
77
|
+
dpopBoundAccessTokens: boolean;
|
|
78
|
+
tenantId: string | null;
|
|
79
|
+
secretRotatedAt: Date | null;
|
|
80
|
+
createdAt: Date;
|
|
81
|
+
revokedAt: Date | null;
|
|
82
|
+
}
|
|
83
|
+
|
|
58
84
|
export interface OauthStateStorePort {
|
|
59
85
|
findClient(clientId: string): Promise<OauthClientRecord | null>;
|
|
86
|
+
findServiceClient?(clientId: string): Promise<ServiceClientRecord | null>;
|
|
60
87
|
saveAuthCode(code: string, payload: AuthCodePayload, ttlSec: number): Promise<void>;
|
|
61
88
|
consumeAuthCode(code: string): Promise<AuthCodePayload | null>;
|
|
62
89
|
saveTokenMeta(jti: string, meta: TokenMeta, ttlSec: number): Promise<void>;
|