@sentropic/auth-hono 0.4.0 → 0.7.0

package/src/oauth/token-handler.ts

@@ -59,6 +59,9 @@ export const createOAuthTokenHandler =
       return oauthJsonError(c, 400, 'invalid_grant', 'PKCE verification failed.');
     }
 
+    const resourceError = validateTokenResource(c, form, codePayload);
+    if (resourceError) return resourceError;
+
     const dpopJkt = await resolveDpopJkt(c, options, auth.client, codePayload);
     if (dpopJkt instanceof Response) return dpopJkt;
 
@@ -117,6 +120,30 @@ const parseClientCredentials = (
   };
 };
 
+/**
+ * RFC 8707 resource validation on the token leg of the `authorization_code` flow (BR-39l Lot 2).
+ * - C1 single-aud: more than one `resource` value ⇒ `invalid_target`.
+ * - C3 sealing: if the client re-sends `resource` on the token request (the MCP draft requires it
+ *   on both legs), it MUST equal the value sealed at authorize time, else `invalid_grant`
+ *   (audience downgrade/upgrade rejection). The `aud` is derived ONLY from the sealed value.
+ * No `resource` on the token leg is accepted (the sealed value still governs `aud`).
+ */
+const validateTokenResource = (
+  c: Context,
+  form: URLSearchParams,
+  codePayload: AuthCodePayload
+): Response | null => {
+  const requested = form.getAll('resource').filter((value) => value.length > 0);
+  if (requested.length === 0) return null;
+  if (requested.length > 1) {
+    return oauthJsonError(c, 400, 'invalid_target', 'Only a single resource indicator is supported.');
+  }
+  if (requested[0] !== (codePayload.resource ?? null)) {
+    return oauthJsonError(c, 400, 'invalid_grant', 'resource does not match the authorization request.');
+  }
+  return null;
+};
+
 const resolveDpopJkt = async (
   c: Context,
   options: OAuthTokenHandlerOptions,
@@ -316,15 +343,30 @@ const issueTokens = async (
   const idExpiresAt = options.ports.clock.addSeconds(now, idTokenTtlSeconds);
   const scopes = codePayload.scope.split(/\s+/).filter(Boolean);
   const cnf = dpopJkt ? { jkt: dpopJkt } : undefined;
+
+  // BR-39e: bind the tenant claim to a STILL-`approved` membership at token time (lifecycle
+  // gate). If the membership was suspended/revoked between authorize and token exchange, drop
+  // the claim so no tenant-scoped token is issued for a non-member.
+  let boundTenantId: string | null = codePayload.tenantId;
+  if (boundTenantId && options.ports.tenant) {
+    const stillApproved = await options.ports.tenant.isApprovedMember(codePayload.userId, boundTenantId);
+    if (!stillApproved) boundTenantId = null;
+  }
+
   const jwks = createJwksService({ clock: options.ports.clock, jwksPort: options.ports.jwks });
   const accessJti = options.ports.random.uuid();
-  const accessAudience = `${trimTrailingSlash(options.issuer)}/api/v1/auth/oauth/userinfo`;
+  // BR-39l Lot 2 (C3/C4): variable RFC 8707 audience. The access-token `aud` is the resource
+  // sealed at authorize time (single string), or the userinfo URL by default — byte-identical to
+  // auth-hono 0.5.0 when no `resource` was requested. The id_token `aud` (client_id) is untouched.
+  const accessAudience =
+    codePayload.resource ?? `${trimTrailingSlash(options.issuer)}/api/v1/auth/oauth/userinfo`;
   const accessToken = await jwks.signJwt(
     {
       acr: codePayload.acr,
       auth_time: toEpochSeconds(codePayload.authTime),
       client_id: client.clientId,
       ...(cnf ? { cnf } : {}),
+      ...(boundTenantId ? { tid: boundTenantId } : {}),
       scope: codePayload.scope,
     },
     {
@@ -368,6 +410,7 @@ const issueTokens = async (
         ...(scopes.includes('email') ? { email: user.email, email_verified: user.emailVerified } : {}),
         ...(scopes.includes('profile') ? { name: user.displayName } : {}),
         ...(codePayload.nonce ? { nonce: codePayload.nonce } : {}),
+        ...(boundTenantId ? { tid: boundTenantId } : {}),
       },
       {
         audience: client.clientId,

package/src/oauth/wellknown-handler.ts

@@ -17,7 +17,7 @@ export const createWellKnownRouter = (options: CreateWellKnownRouterOptions): Ho
   router.get('/openid-configuration', (c) =>
     c.json({
       authorization_endpoint: `${issuer}${oauthPrefix}/authorize`,
-      claims_supported: ['sub', 'aud', 'iss', 'exp', 'iat', 'nonce', 'auth_time', 'acr', 'email', 'email_verified', 'name'],
+      claims_supported: ['sub', 'aud', 'iss', 'exp', 'iat', 'nonce', 'auth_time', 'acr', 'email', 'email_verified', 'name', 'tid'],
       code_challenge_methods_supported: ['S256'],
       dpop_signing_alg_values_supported: ['EdDSA'],
       grant_types_supported: ['authorization_code', 'client_credentials'],

package/src/ports.ts

@@ -287,6 +287,37 @@ export interface AuthHonoAccountPolicyPort {
   afterUserCreated?(user: AuthHonoUserRecord): Promise<void> | void;
 }
 
+/**
+ * BR-39e: tenancy spine. OPTIONAL — when absent, auth-hono keeps the legacy behavior of
+ * sourcing the auth-code `tenantId` from the client. When present, the tenant claim (`tid`)
+ * is derived ONLY from a VALIDATED `approved` membership (never a raw request parameter),
+ * and re-checked at token time (lifecycle gate).
+ */
+export interface AuthHonoTenantPort {
+  /** Tenant ids the user is an `approved` member of, for selection + claim derivation. */
+  listApprovedTenantIds(userId: string): Promise<string[]>;
+  /** True iff (userId, tenantId) is currently an `approved` membership (binding re-check). */
+  isApprovedMember(userId: string, tenantId: string): Promise<boolean>;
+}
+
+/**
+ * Consent persistence. OPTIONAL — when absent, auth-hono keeps the legacy behavior of
+ * always re-showing the consent screen on every `/authorize`. When present, an approved
+ * grant per exact `(userId, clientId)` lets the authorize handler skip consent and issue
+ * the auth code directly, provided the stored grant's scopes are a SUPERSET of the
+ * requested scopes (scope-escalation re-consents) and `prompt !== 'consent'`.
+ */
+export interface AuthHonoConsentGrant {
+  scopes: string[];
+}
+
+export interface AuthHonoConsentStorePort {
+  /** The user's currently granted scopes for this client, or `null` if no grant exists. */
+  getGrant(userId: string, clientId: string): Promise<AuthHonoConsentGrant | null>;
+  /** Upsert the grant for `(userId, clientId)`, unioning `scopes` with any prior grant. */
+  saveGrant(userId: string, clientId: string, scopes: string[]): Promise<void>;
+}
+
 export interface AuthHonoPorts {
   users: AuthHonoUserPort;
   credentials: AuthHonoCredentialPort;
@@ -303,4 +334,8 @@ export interface AuthHonoPorts {
   accountPolicy: AuthHonoAccountPolicyPort;
   oauthStateStore: OauthStateStorePort;
   jwks: JwksPort;
+  /** BR-39e tenancy spine (optional; legacy behavior when absent). */
+  tenant?: AuthHonoTenantPort;
+  /** Consent persistence (optional; always-consent legacy behavior when absent). */
+  consentStore?: AuthHonoConsentStorePort;
 }