@sentropic/auth-hono 0.4.0 → 0.6.0

package/src/oauth/service-auth-middleware.ts

@@ -1,15 +1,21 @@
+// COMPAT WRAPPER (architect verdict E2/F8). The CANONICAL home of this RS middleware is now
+// `@sentropic/mcp-auth/hono` (`createRequireServiceAuth`). auth-hono keeps this signature-stable
+// wrapper — same behavior, sharing the SAME verification core (`@sentropic/oauth-verify`), no
+// fourth copy of verify code — for ≥1 minor so pinned RPs are not forced to bump; it is dropped
+// at auth-hono 1.0. The wrapper builds on oauth-verify primitives directly (NOT on mcp-auth) to
+// respect the dependency DAG (auth-hono and mcp-auth never import each other).
 import {
-  calculateJwkThumbprint,
-  decodeProtectedHeader,
-  importJWK,
-  jwtVerify,
-  type JWK,
-  type JWTPayload,
-} from 'jose';
+  DpopVerifyError,
+  fromJwksPort,
+  parseScopes,
+  TokenVerifyError,
+  verifyAccessToken,
+  verifyDpopProof,
+  type AccessTokenClaims,
+} from '@sentropic/oauth-verify';
 import type { Context, MiddlewareHandler } from 'hono';
 
 import type { AuthHonoClockPort } from '../ports.js';
-import { sha256Base64url } from './crypto-utils.js';
 import type { JwksPort, OauthStateStorePort } from './state-store-types.js';
 
 /**
@@ -62,7 +68,7 @@ export const createRequireServiceAuth = (
   return async (c, next) => {
     try {
       const { scheme, token } = parseAuthorization(c.req.header('authorization'));
-      const payload = await verifyAccessToken(token, options.ports, issuer, options.resource);
+      const payload = await verifyServiceAccessToken(token, options.ports, issuer, options.resource);
       const scopes = parseScopes(payload.scope);
       assertScopes(scopes, requiredScopes);
 
@@ -98,44 +104,33 @@ const parseAuthorization = (header: string | undefined): { scheme: 'Bearer' | 'D
   throw new ServiceAuthError(401, 'invalid_token', 'Unsupported authorization scheme.');
 };
 
-const verifyAccessToken = async (
+/**
+ * RS-side access-token verification. Delegates to `@sentropic/oauth-verify`'s shared
+ * `verifyAccessToken` over an in-process JWKS key source, mapping any failure onto the
+ * RFC 6750 `invalid_token` 401 the middleware emits.
+ */
+const verifyServiceAccessToken = async (
   token: string,
   ports: ServiceAuthPorts,
   issuer: string,
   resource: string
-): Promise<JWTPayload & { scope?: unknown; client_id?: unknown; cnf?: { jkt?: string } }> => {
-  let kid: string | undefined;
+): Promise<AccessTokenClaims> => {
   try {
-    kid = decodeProtectedHeader(token).kid;
-  } catch {
-    throw new ServiceAuthError(401, 'invalid_token', 'Access token header is invalid.');
-  }
-  if (!kid) {
-    throw new ServiceAuthError(401, 'invalid_token', 'Access token is missing a key id.');
-  }
-
-  const key = await ports.jwks.findKeyByKid(kid);
-  if (!key) {
-    throw new ServiceAuthError(401, 'invalid_token', 'Access token signing key is unknown.');
-  }
-
-  const publicKey = await importJWK(key.publicJwk, key.alg);
-  const currentDate = ports.clock.now();
-  try {
-    const { payload } = await jwtVerify(token, publicKey, {
+    return await verifyAccessToken({
       audience: resource,
-      currentDate,
       issuer,
+      keySource: fromJwksPort(ports.jwks),
+      now: ports.clock.now(),
+      token,
     });
-    return payload;
-  } catch {
-    throw new ServiceAuthError(401, 'invalid_token', 'Access token is invalid, expired, or has the wrong audience.');
+  } catch (error) {
+    if (error instanceof TokenVerifyError) {
+      throw new ServiceAuthError(401, 'invalid_token', 'Access token is invalid, expired, or has the wrong audience.');
+    }
+    throw error;
   }
 };
 
-const parseScopes = (scope: unknown): string[] =>
-  typeof scope === 'string' ? scope.split(/\s+/).filter(Boolean) : [];
-
 const assertScopes = (scopes: string[], requiredScopes: string[]): void => {
   const granted = new Set(scopes);
   const missing = requiredScopes.filter((scope) => !granted.has(scope));
@@ -146,7 +141,7 @@ const assertScopes = (scopes: string[], requiredScopes: string[]): void => {
 
 const enforceDpop = async (
   c: Context,
-  payload: { cnf?: { jkt?: string } },
+  payload: { cnf?: { jkt: string } },
   accessToken: string,
   scheme: 'Bearer' | 'DPoP',
   options: CreateRequireServiceAuthOptions
@@ -188,53 +183,37 @@ interface VerifyServiceDpopProofOptions {
   proof: string;
 }
 
+/**
+ * RS-side DPoP proof verification. Delegates to `@sentropic/oauth-verify`'s shared
+ * `verifyDpopProof`, wiring the optional RS replay port and remapping failures onto the
+ * RFC 9449 `invalid_dpop_proof` 401. The `jkt`↔`cnf.jkt` binding is enforced by the caller
+ * (`enforceDpop`) AFTER replay recording, preserving the original consume-then-compare order.
+ */
 const verifyServiceDpopProof = async (options: VerifyServiceDpopProofOptions): Promise<string> => {
-  const header = decodeProtectedHeader(options.proof);
-  const publicJwk = header.jwk as JWK | undefined;
-  if (!publicJwk || !header.alg || header.typ !== 'dpop+jwt') {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof header is invalid.', 'DPoP');
-  }
-
-  const key = await importJWK(publicJwk, header.alg);
-  let payload: JWTPayload;
+  const iatSkewSec = options.iatSkewSeconds ?? 60;
   try {
-    ({ payload } = await jwtVerify(options.proof, key));
-  } catch {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof signature is invalid.', 'DPoP');
-  }
-
-  const skew = options.iatSkewSeconds ?? 60;
-  if (payload.htm !== options.htm.toUpperCase()) {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP htm claim does not match the request method.', 'DPoP');
-  }
-  if (payload.htu !== options.htu) {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP htu claim does not match the request URL.', 'DPoP');
-  }
-  if (!payload.jti || typeof payload.jti !== 'string') {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP jti claim is required.', 'DPoP');
-  }
-  if (typeof payload.iat !== 'number') {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP iat claim is required.', 'DPoP');
-  }
-  const nowSeconds = Math.floor(options.ports.clock.now().getTime() / 1000);
-  if (Math.abs(payload.iat - nowSeconds) > skew) {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP iat claim is outside the allowed skew.', 'DPoP');
-  }
-
-  // RFC 9449 §4.3: bind the proof to the access token (BR39d-D7).
-  if (payload.ath !== (await sha256Base64url(options.accessToken))) {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP ath claim does not match the access token.', 'DPoP');
-  }
-
-  if (options.ports.dpopReplay) {
-    const expiresAt = options.ports.clock.addSeconds(options.ports.clock.now(), skew);
-    const recorded = await options.ports.dpopReplay.recordDpopJti(payload.jti, expiresAt);
-    if (!recorded) {
-      throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof jti was already used.', 'DPoP');
+    const { jkt } = await verifyDpopProof({
+      accessToken: options.accessToken,
+      htm: options.htm,
+      htu: options.htu,
+      iatSkewSec,
+      now: options.ports.clock.now(),
+      proof: options.proof,
+      replay: options.ports.dpopReplay
+        ? (jti) =>
+            options.ports.dpopReplay!.recordDpopJti(
+              jti,
+              options.ports.clock.addSeconds(options.ports.clock.now(), iatSkewSec)
+            )
+        : undefined,
+    });
+    return jkt;
+  } catch (error) {
+    if (error instanceof DpopVerifyError) {
+      throw new ServiceAuthError(401, 'invalid_dpop_proof', error.message, 'DPoP');
     }
+    throw error;
   }
-
-  return calculateJwkThumbprint(publicJwk);
 };
 
 const serviceAuthErrorResponse = (c: Context, error: ServiceAuthError): Response => {

package/src/oauth/state-codec.ts

@@ -9,6 +9,8 @@ export interface OAuthContinuationState {
   expiresAt: string;
   nonce: string | null;
   redirectUri: string;
+  /** RFC 8707 resource sealed at authorize time (BR-39l Lot 2); carried authorize → consent → code. */
+  resource?: string | null;
   scope: string;
   state: string | null;
   tenantId: string | null;

package/src/oauth/state-store-types.ts

@@ -16,6 +16,12 @@ export interface OauthClientRecord {
   requirePkce: boolean;
   tenantId: string | null;
   ownerUserId: string | null;
+  /**
+   * RFC 8707 resource-indicator allowlist for the `authorization_code` flow (BR-39l Lot 2).
+   * Additive, default-deny: an empty/absent allowlist means the client may NOT request any
+   * `resource` (any value ⇒ `invalid_target`). Mirrors `ServiceClientRecord.resourceIndicators`.
+   */
+  resourceIndicators?: string[];
   createdAt: Date;
   updatedAt: Date;
 }
@@ -30,6 +36,12 @@ export interface AuthCodePayload {
   codeChallengeMethod: 'S256';
   dpopJkt: string | null;
   nonce: string | null;
+  /**
+   * RFC 8707 resource sealed at authorize time (BR-39l Lot 2). When present, it becomes the
+   * access-token `aud`; the token-leg `resource` (if sent) MUST equal it. Absent ⇒ default-aud
+   * (userinfo URL), byte-identical to auth-hono 0.5.0.
+   */
+  resource?: string | null;
   acr: string;
   authTime: Date;
   expiresAt: Date;

package/src/oauth/token-handler.ts

@@ -59,6 +59,9 @@ export const createOAuthTokenHandler =
       return oauthJsonError(c, 400, 'invalid_grant', 'PKCE verification failed.');
     }
 
+    const resourceError = validateTokenResource(c, form, codePayload);
+    if (resourceError) return resourceError;
+
     const dpopJkt = await resolveDpopJkt(c, options, auth.client, codePayload);
     if (dpopJkt instanceof Response) return dpopJkt;
 
@@ -117,6 +120,30 @@ const parseClientCredentials = (
   };
 };
 
+/**
+ * RFC 8707 resource validation on the token leg of the `authorization_code` flow (BR-39l Lot 2).
+ * - C1 single-aud: more than one `resource` value ⇒ `invalid_target`.
+ * - C3 sealing: if the client re-sends `resource` on the token request (the MCP draft requires it
+ *   on both legs), it MUST equal the value sealed at authorize time, else `invalid_grant`
+ *   (audience downgrade/upgrade rejection). The `aud` is derived ONLY from the sealed value.
+ * No `resource` on the token leg is accepted (the sealed value still governs `aud`).
+ */
+const validateTokenResource = (
+  c: Context,
+  form: URLSearchParams,
+  codePayload: AuthCodePayload
+): Response | null => {
+  const requested = form.getAll('resource').filter((value) => value.length > 0);
+  if (requested.length === 0) return null;
+  if (requested.length > 1) {
+    return oauthJsonError(c, 400, 'invalid_target', 'Only a single resource indicator is supported.');
+  }
+  if (requested[0] !== (codePayload.resource ?? null)) {
+    return oauthJsonError(c, 400, 'invalid_grant', 'resource does not match the authorization request.');
+  }
+  return null;
+};
+
 const resolveDpopJkt = async (
   c: Context,
   options: OAuthTokenHandlerOptions,
@@ -316,15 +343,30 @@ const issueTokens = async (
   const idExpiresAt = options.ports.clock.addSeconds(now, idTokenTtlSeconds);
   const scopes = codePayload.scope.split(/\s+/).filter(Boolean);
   const cnf = dpopJkt ? { jkt: dpopJkt } : undefined;
+
+  // BR-39e: bind the tenant claim to a STILL-`approved` membership at token time (lifecycle
+  // gate). If the membership was suspended/revoked between authorize and token exchange, drop
+  // the claim so no tenant-scoped token is issued for a non-member.
+  let boundTenantId: string | null = codePayload.tenantId;
+  if (boundTenantId && options.ports.tenant) {
+    const stillApproved = await options.ports.tenant.isApprovedMember(codePayload.userId, boundTenantId);
+    if (!stillApproved) boundTenantId = null;
+  }
+
   const jwks = createJwksService({ clock: options.ports.clock, jwksPort: options.ports.jwks });
   const accessJti = options.ports.random.uuid();
-  const accessAudience = `${trimTrailingSlash(options.issuer)}/api/v1/auth/oauth/userinfo`;
+  // BR-39l Lot 2 (C3/C4): variable RFC 8707 audience. The access-token `aud` is the resource
+  // sealed at authorize time (single string), or the userinfo URL by default — byte-identical to
+  // auth-hono 0.5.0 when no `resource` was requested. The id_token `aud` (client_id) is untouched.
+  const accessAudience =
+    codePayload.resource ?? `${trimTrailingSlash(options.issuer)}/api/v1/auth/oauth/userinfo`;
   const accessToken = await jwks.signJwt(
     {
       acr: codePayload.acr,
       auth_time: toEpochSeconds(codePayload.authTime),
       client_id: client.clientId,
       ...(cnf ? { cnf } : {}),
+      ...(boundTenantId ? { tid: boundTenantId } : {}),
       scope: codePayload.scope,
     },
     {
@@ -368,6 +410,7 @@ const issueTokens = async (
         ...(scopes.includes('email') ? { email: user.email, email_verified: user.emailVerified } : {}),
         ...(scopes.includes('profile') ? { name: user.displayName } : {}),
         ...(codePayload.nonce ? { nonce: codePayload.nonce } : {}),
+        ...(boundTenantId ? { tid: boundTenantId } : {}),
       },
       {
         audience: client.clientId,

package/src/oauth/wellknown-handler.ts

@@ -17,7 +17,7 @@ export const createWellKnownRouter = (options: CreateWellKnownRouterOptions): Ho
   router.get('/openid-configuration', (c) =>
     c.json({
       authorization_endpoint: `${issuer}${oauthPrefix}/authorize`,
-      claims_supported: ['sub', 'aud', 'iss', 'exp', 'iat', 'nonce', 'auth_time', 'acr', 'email', 'email_verified', 'name'],
+      claims_supported: ['sub', 'aud', 'iss', 'exp', 'iat', 'nonce', 'auth_time', 'acr', 'email', 'email_verified', 'name', 'tid'],
       code_challenge_methods_supported: ['S256'],
       dpop_signing_alg_values_supported: ['EdDSA'],
       grant_types_supported: ['authorization_code', 'client_credentials'],

package/src/ports.ts

@@ -287,6 +287,19 @@ export interface AuthHonoAccountPolicyPort {
   afterUserCreated?(user: AuthHonoUserRecord): Promise<void> | void;
 }
 
+/**
+ * BR-39e: tenancy spine. OPTIONAL — when absent, auth-hono keeps the legacy behavior of
+ * sourcing the auth-code `tenantId` from the client. When present, the tenant claim (`tid`)
+ * is derived ONLY from a VALIDATED `approved` membership (never a raw request parameter),
+ * and re-checked at token time (lifecycle gate).
+ */
+export interface AuthHonoTenantPort {
+  /** Tenant ids the user is an `approved` member of, for selection + claim derivation. */
+  listApprovedTenantIds(userId: string): Promise<string[]>;
+  /** True iff (userId, tenantId) is currently an `approved` membership (binding re-check). */
+  isApprovedMember(userId: string, tenantId: string): Promise<boolean>;
+}
+
 export interface AuthHonoPorts {
   users: AuthHonoUserPort;
   credentials: AuthHonoCredentialPort;
@@ -303,4 +316,6 @@ export interface AuthHonoPorts {
   accountPolicy: AuthHonoAccountPolicyPort;
   oauthStateStore: OauthStateStorePort;
   jwks: JwksPort;
+  /** BR-39e tenancy spine (optional; legacy behavior when absent). */
+  tenant?: AuthHonoTenantPort;
 }