@shin1ohno/sage 0.3.0 → 0.5.3

package/dist/oauth/oauth-server.js

@@ -0,0 +1,489 @@
+/**
+ * OAuth 2.1 Server
+ * Requirements: 21-31 (OAuth 2.1 Authentication)
+ *
+ * Main OAuth server that coordinates all OAuth components and handles requests.
+ */
+import { randomBytes, createHash } from 'crypto';
+import { SCOPE_DEFINITIONS, DEFAULT_TOKEN_EXPIRY, CLAUDE_CALLBACK_URLS, } from './types.js';
+import { createTokenService, generateKeyPair } from './token-service.js';
+import { createAuthorizationCodeStore } from './code-store.js';
+import { createRefreshTokenStore } from './refresh-token-store.js';
+import { createClientStore } from './client-store.js';
+import { verifyCodeChallenge } from './pkce.js';
+/**
+ * In-memory Session Store
+ */
+class InMemorySessionStore {
+    sessions = new Map();
+    sessionExpiryMs = 24 * 60 * 60 * 1000; // 24 hours
+    createSession(userId) {
+        const sessionId = randomBytes(32).toString('hex');
+        const now = Date.now();
+        const session = {
+            sessionId,
+            userId,
+            createdAt: now,
+            expiresAt: now + this.sessionExpiryMs,
+        };
+        this.sessions.set(sessionId, session);
+        return session;
+    }
+    getSession(sessionId) {
+        const session = this.sessions.get(sessionId);
+        if (!session)
+            return null;
+        if (Date.now() > session.expiresAt) {
+            this.sessions.delete(sessionId);
+            return null;
+        }
+        return session;
+    }
+    deleteSession(sessionId) {
+        this.sessions.delete(sessionId);
+    }
+}
+/**
+ * OAuth Server Class
+ */
+export class OAuthServer {
+    config;
+    tokenService;
+    codeStore;
+    refreshTokenStore;
+    clientStore;
+    sessionStore;
+    users;
+    pendingAuthRequests = new Map();
+    loginAttempts = new Map();
+    privateKey;
+    publicKey;
+    constructor(config, keys) {
+        this.config = config;
+        this.privateKey = keys?.privateKey || '';
+        this.publicKey = keys?.publicKey || '';
+        // Parse expiry durations to seconds
+        const refreshTokenExpirySec = this.parseExpiryToSeconds(config.refreshTokenExpiry || DEFAULT_TOKEN_EXPIRY.refreshToken);
+        const authCodeExpirySec = this.parseExpiryToSeconds(config.authorizationCodeExpiry || DEFAULT_TOKEN_EXPIRY.authorizationCode);
+        // Initialize stores
+        this.codeStore = createAuthorizationCodeStore({ expirySeconds: authCodeExpirySec });
+        this.refreshTokenStore = createRefreshTokenStore({ expirySeconds: refreshTokenExpirySec });
+        this.clientStore = createClientStore({
+            allowedRedirectUris: [...(config.allowedRedirectUris || []), ...CLAUDE_CALLBACK_URLS],
+        });
+        this.sessionStore = new InMemorySessionStore();
+        // Initialize token service (will be updated when keys are available)
+        this.tokenService = createTokenService({
+            issuer: config.issuer,
+            privateKey: this.privateKey,
+            publicKey: this.publicKey,
+            accessTokenExpiry: config.accessTokenExpiry || DEFAULT_TOKEN_EXPIRY.accessToken,
+        });
+        // Store users
+        this.users = new Map();
+        for (const user of config.users || []) {
+            this.users.set(user.username, user);
+        }
+    }
+    /**
+     * Initialize the server with generated keys if not provided
+     */
+    async initialize() {
+        if (!this.privateKey || !this.publicKey) {
+            const keys = await generateKeyPair();
+            this.privateKey = keys.privateKey;
+            this.publicKey = keys.publicKey;
+            // Recreate token service with new keys
+            this.tokenService = createTokenService({
+                issuer: this.config.issuer,
+                privateKey: this.privateKey,
+                publicKey: this.publicKey,
+                accessTokenExpiry: this.config.accessTokenExpiry || DEFAULT_TOKEN_EXPIRY.accessToken,
+            });
+        }
+    }
+    parseExpiryToSeconds(expiry) {
+        const match = expiry.match(/^(\d+)([smhdw])$/);
+        if (!match)
+            return 3600;
+        const value = parseInt(match[1], 10);
+        const unit = match[2];
+        switch (unit) {
+            case 's': return value;
+            case 'm': return value * 60;
+            case 'h': return value * 3600;
+            case 'd': return value * 86400;
+            case 'w': return value * 604800;
+            default: return 3600;
+        }
+    }
+    /**
+     * Get Protected Resource Metadata (RFC 9728)
+     * Requirement 22.1-22.3
+     */
+    getProtectedResourceMetadata() {
+        return {
+            resource: this.config.issuer,
+            authorization_servers: [this.config.issuer],
+            scopes_supported: Object.keys(SCOPE_DEFINITIONS),
+            bearer_methods_supported: ['header'],
+        };
+    }
+    /**
+     * Get Authorization Server Metadata (RFC 8414)
+     * Requirement 23.1-23.9
+     */
+    getAuthorizationServerMetadata() {
+        return {
+            issuer: this.config.issuer,
+            authorization_endpoint: `${this.config.issuer}/oauth/authorize`,
+            token_endpoint: `${this.config.issuer}/oauth/token`,
+            registration_endpoint: `${this.config.issuer}/oauth/register`,
+            scopes_supported: Object.keys(SCOPE_DEFINITIONS),
+            response_types_supported: ['code'],
+            response_modes_supported: ['query'],
+            grant_types_supported: ['authorization_code', 'refresh_token'],
+            token_endpoint_auth_methods_supported: ['none', 'client_secret_post'],
+            code_challenge_methods_supported: ['S256'],
+            service_documentation: 'https://github.com/shin1ohno/sage',
+        };
+    }
+    /**
+     * Get WWW-Authenticate header for 401 responses
+     * Requirement 22.4, 22.5
+     */
+    getWWWAuthenticateHeader() {
+        return `Bearer realm="sage", resource_metadata="${this.config.issuer}/.well-known/oauth-protected-resource"`;
+    }
+    /**
+     * Register a new client (Dynamic Client Registration)
+     * Requirement 24.1-24.7
+     */
+    async registerClient(request) {
+        return this.clientStore.registerClient(request);
+    }
+    /**
+     * Get a registered client
+     */
+    async getClient(clientId) {
+        return this.clientStore.getClient(clientId);
+    }
+    /**
+     * Delete a client (Requirement 24.8)
+     */
+    async deleteClient(clientId) {
+        // Also revoke all refresh tokens for this client
+        await this.refreshTokenStore.revokeAllForClient(clientId);
+        return this.clientStore.deleteClient(clientId);
+    }
+    /**
+     * Validate an authorization request
+     * Requirement 25.1-25.8
+     */
+    async validateAuthorizationRequest(request) {
+        // Requirement 25.2: Only support response_type=code
+        if (request.response_type !== 'code') {
+            return {
+                valid: false,
+                error: {
+                    error: 'unsupported_response_type',
+                    error_description: 'Only response_type=code is supported',
+                    state: request.state,
+                },
+            };
+        }
+        // Requirement 25.3: client_id is required
+        const client = await this.clientStore.getClient(request.client_id);
+        if (!client) {
+            return {
+                valid: false,
+                error: {
+                    error: 'invalid_client',
+                    error_description: 'Unknown client_id',
+                    state: request.state,
+                },
+            };
+        }
+        // Requirement 25.4: Validate redirect_uri
+        if (!await this.clientStore.isValidRedirectUri(request.client_id, request.redirect_uri)) {
+            return {
+                valid: false,
+                error: {
+                    error: 'invalid_request',
+                    error_description: 'Invalid redirect_uri',
+                    state: request.state,
+                },
+            };
+        }
+        // Requirement 25.5, 25.6: PKCE is required, only S256
+        if (!request.code_challenge) {
+            return {
+                valid: false,
+                error: {
+                    error: 'invalid_request',
+                    error_description: 'code_challenge is required',
+                    state: request.state,
+                },
+            };
+        }
+        if (request.code_challenge_method !== 'S256') {
+            return {
+                valid: false,
+                error: {
+                    error: 'invalid_request',
+                    error_description: 'Only code_challenge_method=S256 is supported',
+                    state: request.state,
+                },
+            };
+        }
+        // Requirement 25.7: state is required
+        if (!request.state) {
+            return {
+                valid: false,
+                error: {
+                    error: 'invalid_request',
+                    error_description: 'state is required',
+                },
+            };
+        }
+        return { valid: true, client };
+    }
+    /**
+     * Store a pending authorization request (for consent flow)
+     */
+    storePendingAuthRequest(requestId, request, client) {
+        this.pendingAuthRequests.set(requestId, {
+            request,
+            client,
+            createdAt: Date.now(),
+        });
+        // Cleanup old requests (older than 10 minutes)
+        const cutoff = Date.now() - 10 * 60 * 1000;
+        for (const [id, pending] of this.pendingAuthRequests.entries()) {
+            if (pending.createdAt < cutoff) {
+                this.pendingAuthRequests.delete(id);
+            }
+        }
+    }
+    /**
+     * Get a pending authorization request
+     */
+    getPendingAuthRequest(requestId) {
+        return this.pendingAuthRequests.get(requestId) || null;
+    }
+    /**
+     * Complete authorization and generate code
+     * Requirement 25.9, 25.10
+     */
+    async completeAuthorization(request, userId) {
+        const code = await this.codeStore.generateCode({
+            clientId: request.client_id,
+            redirectUri: request.redirect_uri,
+            scope: request.scope || '',
+            codeChallenge: request.code_challenge,
+            codeChallengeMethod: request.code_challenge_method,
+            userId,
+            resource: request.resource,
+        });
+        return code;
+    }
+    /**
+     * Exchange authorization code for tokens
+     * Requirement 26.1-26.7
+     */
+    async exchangeAuthorizationCode(code, clientId, redirectUri, codeVerifier, resource) {
+        // Consume code (marks it as used)
+        const codeResult = await this.codeStore.consumeCode(code, clientId);
+        if (!codeResult.valid || !codeResult.codeData) {
+            return {
+                success: false,
+                error: {
+                    error: 'invalid_grant',
+                    error_description: 'Invalid or expired authorization code',
+                },
+            };
+        }
+        // Verify redirect_uri matches
+        if (codeResult.codeData.redirect_uri !== redirectUri) {
+            return {
+                success: false,
+                error: {
+                    error: 'invalid_grant',
+                    error_description: 'redirect_uri does not match',
+                },
+            };
+        }
+        // Verify PKCE code_verifier (Requirement 26.4)
+        if (!verifyCodeChallenge(codeVerifier, codeResult.codeData.code_challenge, 'S256')) {
+            return {
+                success: false,
+                error: {
+                    error: 'invalid_grant',
+                    error_description: 'Invalid code_verifier',
+                },
+            };
+        }
+        // Verify resource if specified (Requirement 26.5)
+        if (resource && codeResult.codeData.resource && resource !== codeResult.codeData.resource) {
+            return {
+                success: false,
+                error: {
+                    error: 'invalid_grant',
+                    error_description: 'resource does not match',
+                },
+            };
+        }
+        // Generate access token
+        const accessTokenResponse = await this.tokenService.generateAccessToken({
+            clientId,
+            userId: codeResult.codeData.user_id,
+            scope: codeResult.codeData.scope,
+            audience: resource || this.config.issuer,
+        });
+        // Generate refresh token (Requirement 21.6)
+        const refreshToken = await this.refreshTokenStore.generateToken({
+            clientId,
+            userId: codeResult.codeData.user_id,
+            scope: codeResult.codeData.scope,
+        });
+        return {
+            success: true,
+            tokens: {
+                ...accessTokenResponse,
+                refresh_token: refreshToken,
+            },
+        };
+    }
+    /**
+     * Exchange refresh token for new tokens
+     * Requirement 26.3, 26.8
+     */
+    async exchangeRefreshToken(refreshToken, clientId, scope) {
+        // Rotate refresh token (Requirement 26.8)
+        const newRefreshToken = await this.refreshTokenStore.rotateToken(refreshToken, clientId);
+        if (!newRefreshToken) {
+            return {
+                success: false,
+                error: {
+                    error: 'invalid_grant',
+                    error_description: 'Invalid or expired refresh token',
+                },
+            };
+        }
+        // Get the original token data before it was rotated
+        const tokenResult = await this.refreshTokenStore.validateToken(newRefreshToken, clientId);
+        if (!tokenResult.valid || !tokenResult.tokenData) {
+            return {
+                success: false,
+                error: {
+                    error: 'invalid_grant',
+                    error_description: 'Invalid refresh token',
+                },
+            };
+        }
+        // Use requested scope or original scope
+        const effectiveScope = scope || tokenResult.tokenData.scope;
+        // Generate new access token
+        const accessTokenResponse = await this.tokenService.generateAccessToken({
+            clientId,
+            userId: tokenResult.tokenData.user_id,
+            scope: effectiveScope,
+            audience: this.config.issuer,
+        });
+        return {
+            success: true,
+            tokens: {
+                ...accessTokenResponse,
+                refresh_token: newRefreshToken,
+            },
+        };
+    }
+    /**
+     * Verify an access token
+     * Requirement 27.1-27.5
+     */
+    async verifyAccessToken(token, expectedAudience) {
+        return this.tokenService.verifyAccessToken(token, expectedAudience);
+    }
+    /**
+     * Extract token from Authorization header
+     * Requirement 27.1
+     */
+    extractTokenFromHeader(header) {
+        return this.tokenService.extractTokenFromHeader(header);
+    }
+    /**
+     * Authenticate a user (Requirement 29.1-29.5)
+     */
+    async authenticateUser(username, password) {
+        // Rate limiting (Requirement 29.5)
+        const key = username;
+        const attempts = this.loginAttempts.get(key) || { count: 0, lastAttempt: 0 };
+        // Reset attempts after 15 minutes
+        if (Date.now() - attempts.lastAttempt > 15 * 60 * 1000) {
+            attempts.count = 0;
+        }
+        if (attempts.count >= 5) {
+            return { success: false, error: 'Too many login attempts. Please try again later.' };
+        }
+        const user = this.users.get(username);
+        if (!user) {
+            attempts.count++;
+            attempts.lastAttempt = Date.now();
+            this.loginAttempts.set(key, attempts);
+            return { success: false, error: 'Invalid username or password' };
+        }
+        // Verify password (Requirement 29.4: passwords should be hashed)
+        // For simplicity, we'll compare against the stored hash
+        // In production, use bcrypt or similar
+        const passwordHash = createHash('sha256').update(password).digest('hex');
+        if (passwordHash !== user.passwordHash) {
+            attempts.count++;
+            attempts.lastAttempt = Date.now();
+            this.loginAttempts.set(key, attempts);
+            return { success: false, error: 'Invalid username or password' };
+        }
+        // Reset login attempts on success
+        this.loginAttempts.delete(key);
+        // Create session
+        const session = this.sessionStore.createSession(user.id);
+        return { success: true, session };
+    }
+    /**
+     * Validate a session
+     */
+    validateSession(sessionId) {
+        return this.sessionStore.getSession(sessionId);
+    }
+    /**
+     * Logout user
+     */
+    logout(sessionId) {
+        this.sessionStore.deleteSession(sessionId);
+    }
+    /**
+     * Check if a scope includes another scope
+     */
+    hasScope(tokenScope, requiredScope) {
+        const tokenScopes = tokenScope.split(' ');
+        return tokenScopes.includes(requiredScope);
+    }
+    /**
+     * Get scope descriptions for consent UI
+     */
+    getScopeDescriptions(scopes) {
+        return scopes.split(' ').filter(s => s in SCOPE_DEFINITIONS).map(scope => ({
+            scope,
+            description: SCOPE_DEFINITIONS[scope],
+        }));
+    }
+}
+/**
+ * Create an OAuth Server instance
+ */
+export async function createOAuthServer(config) {
+    const server = new OAuthServer(config);
+    await server.initialize();
+    return server;
+}
+//# sourceMappingURL=oauth-server.js.map

package/dist/oauth/oauth-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-server.js","sourceRoot":"","sources":["../../src/oauth/oauth-server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACjD,OAAO,EAWL,iBAAiB,EACjB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,kBAAkB,EAAgB,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACvF,OAAO,EAAE,4BAA4B,EAA0B,MAAM,iBAAiB,CAAC;AACvF,OAAO,EAAE,uBAAuB,EAAqB,MAAM,0BAA0B,CAAC;AACtF,OAAO,EAAE,iBAAiB,EAAyC,MAAM,mBAAmB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAyBhD;;GAEG;AACH,MAAM,oBAAoB;IAChB,QAAQ,GAA6B,IAAI,GAAG,EAAE,CAAC;IAC/C,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW;IAE1D,aAAa,CAAC,MAAc;QAC1B,MAAM,SAAS,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAClD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,OAAO,GAAgB;YAC3B,SAAS;YACT,MAAM;YACN,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,eAAe;SACtC,CAAC;QACF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACtC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,UAAU,CAAC,SAAiB;QAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7C,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAC1B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;YACnC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,aAAa,CAAC,SAAiB;QAC7B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAClC,CAAC;CACF;AAWD;;GAEG;AACH,MAAM,OAAO,WAAW;IACd,MAAM,CAAoB;IAC1B,YAAY,CAAe;IAC3B,SAAS,CAAyB;IAClC,iBAAiB,CAAoB;IACrC,WAAW,CAAc;IACzB,YAAY,CAAe;IAC3B,KAAK,CAAyB;IAC9B,mBAAmB,GAAoC,IAAI,GAAG,EAAE,CAAC;IACjE,aAAa,GAAwD,IAAI,GAAG,EAAE,CAAC;IAE/E,UAAU,CAAS;IACnB,SAAS,CAAS;IAE1B,YAAY,MAAyB,EAAE,IAAgD;QACrF,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,EAAE,SAAS,IAAI,EAAE,CAAC;QAEvC,oCAAoC;QACpC,MAAM,qBAAqB,GAAG,IAAI,CAAC,oBAAoB,CACrD,MAAM,CAAC,kBAAkB,IAAI,oBAAoB,CAAC,YAAY,CAC/D,CAAC;QACF,MAAM,iBAAiB,GAAG,IAAI,CAAC,oBAAoB,CACjD,MAAM,CAAC,uBAAuB,IAAI,oBAAoB,CAAC,iBAAiB,CACzE,CAAC;QAEF,oBAAoB;QACpB,IAAI,CAAC,SAAS,GAAG,4BAA4B,CAAC,EAAE,aAAa,EAAE,iBAAiB,EAAE,CAAC,CAAC;QACpF,IAAI,CAAC,iBAAiB,GAAG,uBAAuB,CAAC,EAAE,aAAa,EAAE,qBAAqB,EAAE,CAAC,CAAC;QAC3F,IAAI,CAAC,WAAW,GAAG,iBAAiB,CAAC;YACnC,mBAAmB,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,mBAAmB,IAAI,EAAE,CAAC,EAAE,GAAG,oBAAoB,CAAC;SACtF,CAAC,CAAC;QACH,IAAI,CAAC,YAAY,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAE/C,qEAAqE;QACrE,IAAI,CAAC,YAAY,GAAG,kBAAkB,CAAC;YACrC,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,oBAAoB,CAAC,WAAW;SAChF,CAAC,CAAC;QAEH,cAAc;QACd,IAAI,CAAC,KAAK,GAAG,IAAI,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;YACtC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACxC,MAAM,IAAI,GAAG,MAAM,eAAe,EAAE,CAAC;YACrC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;YAClC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YAEhC,uCAAuC;YACvC,IAAI,CAAC,YAAY,GAAG,kBAAkB,CAAC;gBACrC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;gBAC1B,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,oBAAoB,CAAC,WAAW;aACrF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,oBAAoB,CAAC,MAAc;QACzC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC/C,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,CAAC;YACvB,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,EAAE,CAAC;YAC5B,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,IAAI,CAAC;YAC9B,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,KAAK,CAAC;YAC/B,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,MAAM,CAAC;YAChC,OAAO,CAAC,CAAC,OAAO,IAAI,CAAC;QACvB,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,4BAA4B;QAC1B,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC5B,qBAAqB,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;YAC3C,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,8BAA8B;QAC5B,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,sBAAsB,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,kBAAkB;YAC/D,cAAc,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,cAAc;YACnD,qBAAqB,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,iBAAiB;YAC7D,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC;YAChD,wBAAwB,EAAE,CAAC,MAAM,CAAC;YAClC,wBAAwB,EAAE,CAAC,OAAO,CAAC;YACnC,qBAAqB,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;YAC9D,qCAAqC,EAAE,CAAC,MAAM,EAAE,oBAAoB,CAAC;YACrE,gCAAgC,EAAE,CAAC,MAAM,CAAC;YAC1C,qBAAqB,EAAE,mCAAmC;SAC3D,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,wBAAwB;QACtB,OAAO,2CAA2C,IAAI,CAAC,MAAM,CAAC,MAAM,wCAAwC,CAAC;IAC/G,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,cAAc,CAAC,OAAkC;QACrD,OAAO,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,QAAgB;QACjC,iDAAiD;QACjD,MAAM,IAAI,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC1D,OAAO,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IACjD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,4BAA4B,CAAC,OAA6B;QAK9D,oDAAoD;QACpD,IAAI,OAAO,CAAC,aAAa,KAAK,MAAM,EAAE,CAAC;YACrC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,KAAK,EAAE,2BAA2B;oBAClC,iBAAiB,EAAE,sCAAsC;oBACzD,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB;aACF,CAAC;QACJ,CAAC;QAED,0CAA0C;QAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACnE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,KAAK,EAAE,gBAAgB;oBACvB,iBAAiB,EAAE,mBAAmB;oBACtC,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB;aACF,CAAC;QACJ,CAAC;QAED,0CAA0C;QAC1C,IAAI,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,kBAAkB,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YACxF,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,sBAAsB;oBACzC,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB;aACF,CAAC;QACJ,CAAC;QAED,sDAAsD;QACtD,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;YAC5B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,4BAA4B;oBAC/C,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB;aACF,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,qBAAqB,KAAK,MAAM,EAAE,CAAC;YAC7C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,8CAA8C;oBACjE,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB;aACF,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACnB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,mBAAmB;iBACvC;aACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,uBAAuB,CAAC,SAAiB,EAAE,OAA6B,EAAE,MAAmB;QAC3F,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,SAAS,EAAE;YACtC,OAAO;YACP,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,+CAA+C;QAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC3C,KAAK,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,EAAE,CAAC;YAC/D,IAAI,OAAO,CAAC,SAAS,GAAG,MAAM,EAAE,CAAC;gBAC/B,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,qBAAqB,CAAC,SAAiB;QACrC,OAAO,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC;IACzD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,qBAAqB,CACzB,OAA6B,EAC7B,MAAc;QAEd,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC;YAC7C,QAAQ,EAAE,OAAO,CAAC,SAAS;YAC3B,WAAW,EAAE,OAAO,CAAC,YAAY;YACjC,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;YAC1B,aAAa,EAAE,OAAO,CAAC,cAAc;YACrC,mBAAmB,EAAE,OAAO,CAAC,qBAAqB;YAClD,MAAM;YACN,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,yBAAyB,CAC7B,IAAY,EACZ,QAAgB,EAChB,WAAmB,EACnB,YAAoB,EACpB,QAAiB;QAEjB,kCAAkC;QAClC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAEpE,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;YAC9C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,uCAAuC;iBAC3D;aACF,CAAC;QACJ,CAAC;QAED,8BAA8B;QAC9B,IAAI,UAAU,CAAC,QAAQ,CAAC,YAAY,KAAK,WAAW,EAAE,CAAC;YACrD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,6BAA6B;iBACjD;aACF,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE,UAAU,CAAC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC,EAAE,CAAC;YACnF,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,uBAAuB;iBAC3C;aACF,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,IAAI,QAAQ,IAAI,UAAU,CAAC,QAAQ,CAAC,QAAQ,IAAI,QAAQ,KAAK,UAAU,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YAC1F,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,yBAAyB;iBAC7C;aACF,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,mBAAmB,CAAC;YACtE,QAAQ;YACR,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,OAAO;YACnC,KAAK,EAAE,UAAU,CAAC,QAAQ,CAAC,KAAK;YAChC,QAAQ,EAAE,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM;SACzC,CAAC,CAAC;QAEH,4CAA4C;QAC5C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,aAAa,CAAC;YAC9D,QAAQ;YACR,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,OAAO;YACnC,KAAK,EAAE,UAAU,CAAC,QAAQ,CAAC,KAAK;SACjC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;YACb,MAAM,EAAE;gBACN,GAAG,mBAAmB;gBACtB,aAAa,EAAE,YAAY;aAC5B;SACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,oBAAoB,CACxB,YAAoB,EACpB,QAAgB,EAChB,KAAc;QAEd,0CAA0C;QAC1C,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;QAEzF,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,kCAAkC;iBACtD;aACF,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,aAAa,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QAE1F,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YACjD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,uBAAuB;iBAC3C;aACF,CAAC;QACJ,CAAC;QAED,wCAAwC;QACxC,MAAM,cAAc,GAAG,KAAK,IAAI,WAAW,CAAC,SAAS,CAAC,KAAK,CAAC;QAE5D,4BAA4B;QAC5B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,mBAAmB,CAAC;YACtE,QAAQ;YACR,MAAM,EAAE,WAAW,CAAC,SAAS,CAAC,OAAO;YACrC,KAAK,EAAE,cAAc;YACrB,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;SAC7B,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;YACb,MAAM,EAAE;gBACN,GAAG,mBAAmB;gBACtB,aAAa,EAAE,eAAe;aAC/B;SACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB,CAAC,KAAa,EAAE,gBAAyB;QAC9D,OAAO,IAAI,CAAC,YAAY,CAAC,iBAAiB,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACtE,CAAC;IAED;;;OAGG;IACH,sBAAsB,CAAC,MAA0B;QAC/C,OAAO,IAAI,CAAC,YAAY,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC;IAC1D,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CACpB,QAAgB,EAChB,QAAgB;QAEhB,mCAAmC;QACnC,MAAM,GAAG,GAAG,QAAQ,CAAC;QACrB,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC;QAE7E,kCAAkC;QAClC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;YACvD,QAAQ,CAAC,KAAK,GAAG,CAAC,CAAC;QACrB,CAAC;QAED,IAAI,QAAQ,CAAC,KAAK,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,kDAAkD,EAAE,CAAC;QACvF,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,QAAQ,CAAC,KAAK,EAAE,CAAC;YACjB,QAAQ,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YACtC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC;QACnE,CAAC;QAED,iEAAiE;QACjE,wDAAwD;QACxD,uCAAuC;QACvC,MAAM,YAAY,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzE,IAAI,YAAY,KAAK,IAAI,CAAC,YAAY,EAAE,CAAC;YACvC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACjB,QAAQ,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YACtC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC;QACnE,CAAC;QAED,kCAAkC;QAClC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAE/B,iBAAiB;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEzD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,SAAiB;QAC/B,OAAO,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,SAAiB;QACtB,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,UAAkB,EAAE,aAAqB;QAChD,MAAM,WAAW,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,WAAW,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,oBAAoB,CAAC,MAAc;QACjC,OAAO,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,iBAAiB,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACzE,KAAK;YACL,WAAW,EAAE,iBAAiB,CAAC,KAAuC,CAAC;SACxE,CAAC,CAAC,CAAC;IACN,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAyB;IAEzB,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;IAC1B,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/oauth/pkce.d.ts

@@ -0,0 +1,48 @@
+/**
+ * OAuth PKCE (S256) Implementation
+ * Requirements: 21.2, 26.4
+ *
+ * Implements PKCE (Proof Key for Code Exchange) using S256 method.
+ * Based on RFC 7636.
+ */
+import { CodeChallengeMethod } from './types.js';
+/**
+ * Generate a cryptographically random code verifier
+ *
+ * @param length - Length of the verifier (default: 64, min: 43, max: 128)
+ * @returns A random code verifier string
+ */
+export declare function generateCodeVerifier(length?: number): string;
+/**
+ * Generate a code challenge from a code verifier using S256 method
+ *
+ * S256: BASE64URL(SHA256(code_verifier))
+ *
+ * @param codeVerifier - The code verifier to hash
+ * @returns Base64URL encoded SHA256 hash of the verifier
+ */
+export declare function generateCodeChallenge(codeVerifier: string): string;
+/**
+ * Verify a code verifier against a code challenge
+ *
+ * @param codeVerifier - The code verifier from the token request
+ * @param codeChallenge - The code challenge from the authorization request
+ * @param method - The code challenge method (only 'S256' is supported)
+ * @returns True if the verifier matches the challenge
+ */
+export declare function verifyCodeChallenge(codeVerifier: string, codeChallenge: string, method: CodeChallengeMethod): boolean;
+/**
+ * Validate code verifier format
+ *
+ * @param codeVerifier - The code verifier to validate
+ * @returns True if the verifier has valid format
+ */
+export declare function isValidCodeVerifier(codeVerifier: string): boolean;
+/**
+ * Validate code challenge format
+ *
+ * @param codeChallenge - The code challenge to validate
+ * @returns True if the challenge has valid format
+ */
+export declare function isValidCodeChallenge(codeChallenge: string): boolean;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/oauth/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/oauth/pkce.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAkBjD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,GAAE,MAAgC,GAAG,MAAM,CAYrF;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CASlE;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,MAAM,EACpB,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAQT;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAajE;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAanE"}

package/dist/oauth/pkce.js

@@ -0,0 +1,106 @@
+/**
+ * OAuth PKCE (S256) Implementation
+ * Requirements: 21.2, 26.4
+ *
+ * Implements PKCE (Proof Key for Code Exchange) using S256 method.
+ * Based on RFC 7636.
+ */
+import { createHash, randomBytes } from 'crypto';
+/**
+ * Characters allowed in code verifier (unreserved characters per RFC 7636)
+ */
+const UNRESERVED_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~';
+/**
+ * Default code verifier length
+ */
+const DEFAULT_VERIFIER_LENGTH = 64;
+/**
+ * Minimum and maximum verifier length per RFC 7636
+ */
+const MIN_VERIFIER_LENGTH = 43;
+const MAX_VERIFIER_LENGTH = 128;
+/**
+ * Generate a cryptographically random code verifier
+ *
+ * @param length - Length of the verifier (default: 64, min: 43, max: 128)
+ * @returns A random code verifier string
+ */
+export function generateCodeVerifier(length = DEFAULT_VERIFIER_LENGTH) {
+    // Clamp length to valid range
+    const validLength = Math.max(MIN_VERIFIER_LENGTH, Math.min(MAX_VERIFIER_LENGTH, length));
+    const bytes = randomBytes(validLength);
+    let verifier = '';
+    for (let i = 0; i < validLength; i++) {
+        verifier += UNRESERVED_CHARS[bytes[i] % UNRESERVED_CHARS.length];
+    }
+    return verifier;
+}
+/**
+ * Generate a code challenge from a code verifier using S256 method
+ *
+ * S256: BASE64URL(SHA256(code_verifier))
+ *
+ * @param codeVerifier - The code verifier to hash
+ * @returns Base64URL encoded SHA256 hash of the verifier
+ */
+export function generateCodeChallenge(codeVerifier) {
+    // Calculate SHA256 hash
+    const hash = createHash('sha256').update(codeVerifier, 'ascii').digest();
+    // Convert to base64url encoding (no padding)
+    const base64 = hash.toString('base64');
+    const base64url = base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+    return base64url;
+}
+/**
+ * Verify a code verifier against a code challenge
+ *
+ * @param codeVerifier - The code verifier from the token request
+ * @param codeChallenge - The code challenge from the authorization request
+ * @param method - The code challenge method (only 'S256' is supported)
+ * @returns True if the verifier matches the challenge
+ */
+export function verifyCodeChallenge(codeVerifier, codeChallenge, method) {
+    if (method !== 'S256') {
+        throw new Error('Only S256 code challenge method is supported');
+    }
+    // Generate challenge from verifier and compare
+    const expectedChallenge = generateCodeChallenge(codeVerifier);
+    return expectedChallenge === codeChallenge;
+}
+/**
+ * Validate code verifier format
+ *
+ * @param codeVerifier - The code verifier to validate
+ * @returns True if the verifier has valid format
+ */
+export function isValidCodeVerifier(codeVerifier) {
+    if (!codeVerifier) {
+        return false;
+    }
+    // Check length
+    if (codeVerifier.length < MIN_VERIFIER_LENGTH || codeVerifier.length > MAX_VERIFIER_LENGTH) {
+        return false;
+    }
+    // Check characters (unreserved characters only)
+    const validPattern = /^[A-Za-z0-9\-._~]+$/;
+    return validPattern.test(codeVerifier);
+}
+/**
+ * Validate code challenge format
+ *
+ * @param codeChallenge - The code challenge to validate
+ * @returns True if the challenge has valid format
+ */
+export function isValidCodeChallenge(codeChallenge) {
+    if (!codeChallenge) {
+        return false;
+    }
+    // S256 challenge should be base64url encoded SHA256 hash (43 characters)
+    if (codeChallenge.length !== 43) {
+        return false;
+    }
+    // Check base64url format (no padding)
+    const validPattern = /^[A-Za-z0-9\-_]+$/;
+    return validPattern.test(codeChallenge);
+}
+//# sourceMappingURL=pkce.js.map

package/dist/oauth/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/oauth/pkce.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAGjD;;GAEG;AACH,MAAM,gBAAgB,GAAG,oEAAoE,CAAC;AAE9F;;GAEG;AACH,MAAM,uBAAuB,GAAG,EAAE,CAAC;AAEnC;;GAEG;AACH,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAC/B,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,SAAiB,uBAAuB;IAC3E,8BAA8B;IAC9B,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,mBAAmB,EAAE,IAAI,CAAC,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC,CAAC;IAEzF,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IACvC,IAAI,QAAQ,GAAG,EAAE,CAAC;IAElB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,QAAQ,IAAI,gBAAgB,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACnE,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,YAAoB;IACxD,wBAAwB;IACxB,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;IAEzE,6CAA6C;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAEpF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,YAAoB,EACpB,aAAqB,EACrB,MAA2B;IAE3B,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,+CAA+C;IAC/C,MAAM,iBAAiB,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;IAC9D,OAAO,iBAAiB,KAAK,aAAa,CAAC;AAC7C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,YAAoB;IACtD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,eAAe;IACf,IAAI,YAAY,CAAC,MAAM,GAAG,mBAAmB,IAAI,YAAY,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;QAC3F,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gDAAgD;IAChD,MAAM,YAAY,GAAG,qBAAqB,CAAC;IAC3C,OAAO,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AACzC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,aAAqB;IACxD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,yEAAyE;IACzE,IAAI,aAAa,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,sCAAsC;IACtC,MAAM,YAAY,GAAG,mBAAmB,CAAC;IACzC,OAAO,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;AAC1C,CAAC"}