@soapjs/soap-auth 0.1.0 → 0.2.0

package/build/strategies/jwt/jwt.types.d.ts

@@ -1,4 +1,4 @@
-import { TokenBasedAuthStrategyConfig, TokenHandlerConfig } from "../../types";
+import { TokenAuthStrategyConfig } from "../../types";
 export interface JwtVerifyOptions {
     algorithms?: string[];
     notBefore?: string | number;
@@ -12,22 +12,12 @@ export interface JwtVerifyOptions {
 export interface JwtSignOptions {
     algorithm?: "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "PS256" | "PS384" | "PS512" | "none";
     notBefore?: string | number;
-    jwtid?: string;
+    jti?: string;
     issuedAt?: number;
     mutatePayload?: (payload: Record<string, any>) => Record<string, any>;
     noTimestamp?: boolean;
     keyid?: string;
     allowUnsafe?: boolean;
 }
-export type JwtAccessTokenHandlerConfig = {
-    verifyOptions?: JwtVerifyOptions;
-    signOptions: JwtSignOptions;
-} & TokenHandlerConfig;
-export type JwtRefreshTokenHandlerConfig = {
-    verifyOptions?: JwtVerifyOptions;
-    signOptions: JwtSignOptions;
-} & TokenHandlerConfig;
-export type JwtConfig<TContext = unknown, TUser = unknown> = {
-    access: JwtAccessTokenHandlerConfig;
-    refresh?: JwtRefreshTokenHandlerConfig;
-} & TokenBasedAuthStrategyConfig<TContext, TUser>;
+export interface JwtConfig<TContext = unknown, TUser = unknown> extends TokenAuthStrategyConfig<TContext, TUser> {
+}

package/build/strategies/local/local.strategy.d.ts

@@ -1,8 +1,8 @@
 import * as Soap from "@soapjs/soap";
-import { CredentialBasedAuthStrategy } from "../credential-based-auth.strategy";
+import { CredentialAuthStrategy } from "../credential-auth.strategy";
 import { LocalStrategyConfig } from "./local.types";
 import { SessionHandler } from "../../session/session-handler";
-export declare class LocalStrategy<TContext = unknown, TUser = unknown> extends CredentialBasedAuthStrategy<TContext, TUser> {
+export declare class LocalStrategy<TContext = unknown, TUser = unknown> extends CredentialAuthStrategy<TContext, TUser> {
     protected config: LocalStrategyConfig<TContext, TUser>;
     protected session?: SessionHandler;
     protected logger?: Soap.Logger;
@@ -11,15 +11,9 @@ export declare class LocalStrategy<TContext = unknown, TUser = unknown> extends
         identifier: string;
         password: string;
     }>;
-    protected verifyCredentials(credentials: {
-        identifier: string;
-        password: string;
-    }): Promise<boolean>;
+    protected verifyCredentials(identifier: string, password: string): Promise<boolean>;
     protected retrieveUser(credentials: {
         identifier: string;
         password: string;
     }): Promise<TUser | null>;
-    requestPasswordReset(email: string): Promise<void>;
-    resetPassword(email: string, token: string, newPassword: string): Promise<void>;
-    changePassword(email: string, oldPassword: string, newPassword: string): Promise<void>;
 }

package/build/strategies/local/local.strategy.js

@@ -1,9 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.LocalStrategy = void 0;
-const errors_1 = require("../../errors");
-const credential_based_auth_strategy_1 = require("../credential-based-auth.strategy");
-class LocalStrategy extends credential_based_auth_strategy_1.CredentialBasedAuthStrategy {
+const credential_auth_strategy_1 = require("../credential-auth.strategy");
+class LocalStrategy extends credential_auth_strategy_1.CredentialAuthStrategy {
     config;
     session;
     logger;
@@ -13,64 +12,14 @@ class LocalStrategy extends credential_based_auth_strategy_1.CredentialBasedAuth
         this.session = session;
         this.logger = logger;
     }
-    async extractCredentials(context) {
-        return this.config.login.extractCredentials(context);
+    extractCredentials(context) {
+        return this.config.credentials.extractCredentials(context);
     }
-    async verifyCredentials(credentials) {
-        return this.config.login.verifyUserCredentials(credentials.identifier, credentials.password);
+    async verifyCredentials(identifier, password) {
+        return this.config.credentials.verifyCredentials(identifier, password);
     }
     async retrieveUser(credentials) {
-        return this.config.login.retrieveUserData(credentials.identifier);
-    }
-    async requestPasswordReset(email) {
-        try {
-            if (!this.config.passwordReset?.generateResetToken) {
-                throw new Error("Password reset token generation is not configured.");
-            }
-            const token = await this.config.passwordReset.generateResetToken(email);
-            await this.config.passwordReset.sendResetEmail?.(email, token);
-            this.logger?.info(`Password reset requested for email: ${email}`);
-            await this.config.passwordReset.onSuccess?.({ email });
-        }
-        catch (error) {
-            this.logger?.error("Password reset request error:", error);
-            await this.config.passwordReset.onFailure?.({ email, error });
-            throw new errors_1.AuthError(error, "Password reset request failed.");
-        }
-    }
-    async resetPassword(email, token, newPassword) {
-        try {
-            if (!this.config.passwordReset?.validateResetToken) {
-                throw new Error("Password reset token validation is not configured.");
-            }
-            const isValid = await this.config.passwordReset.validateResetToken(token);
-            if (!isValid)
-                throw new Error("Invalid or expired reset token.");
-            await this.config.passwordReset.updatePassword(email, newPassword);
-            this.logger?.info(`Password reset successful for email: ${email}`);
-            await this.config.passwordReset.onSuccess?.({ email });
-        }
-        catch (error) {
-            this.logger?.error("Password reset error:", error);
-            await this.config.passwordReset.onFailure?.({ email, error });
-            throw new errors_1.AuthError(error, "Password reset failed.");
-        }
-    }
-    async changePassword(email, oldPassword, newPassword) {
-        try {
-            const isAuthenticated = await this.config.login.verifyUserCredentials(email, oldPassword);
-            if (!isAuthenticated) {
-                throw new errors_1.InvalidCredentialsError();
-            }
-            await this.config.passwordReset?.updatePassword?.(email, newPassword);
-            this.logger?.info(`Password changed successfully for email: ${email}`);
-            await this.config.passwordReset?.onSuccess?.({ email });
-        }
-        catch (error) {
-            this.logger?.error("Change password error:", error);
-            await this.config.passwordReset?.onFailure?.({ email, error });
-            throw new errors_1.AuthError(error, "Change password failed.");
-        }
+        return this.config.user.getUserData(credentials.identifier);
     }
 }
 exports.LocalStrategy = LocalStrategy;

package/build/strategies/local/local.types.d.ts

@@ -1,3 +1,3 @@
-import { CredentialBasedAuthStrategyConfig } from "../../types";
-export interface LocalStrategyConfig<TContext = unknown, TUser = unknown> extends CredentialBasedAuthStrategyConfig<TContext, TUser> {
+import { CredentialAuthStrategyConfig } from "../../types";
+export interface LocalStrategyConfig<TContext = unknown, TUser = unknown> extends CredentialAuthStrategyConfig<TContext, TUser> {
 }

package/build/strategies/oauth2/oauth2.strategy.d.ts

@@ -1,16 +1,30 @@
 import * as Soap from "@soapjs/soap";
-import { TokenHandlerConfig, AuthResult } from "../../types";
-import { TokenBasedAuthStrategy } from "../token-based-auth.strategy";
+import { AuthResult } from "../../types";
 import { OAuth2StrategyConfig } from "./oauth2.types";
 import { SessionHandler } from "../../session/session-handler";
-export declare class OAuth2Strategy<TContext = unknown, TUser = unknown> extends TokenBasedAuthStrategy<TContext, TUser> {
+import { BaseAuthStrategy } from "../base-auth.strategy";
+export declare class OAuth2Strategy<TContext = unknown, TUser = unknown> extends BaseAuthStrategy<TContext, TUser> {
     protected config: OAuth2StrategyConfig<TContext, TUser>;
-    protected accessTokenHandler: TokenHandlerConfig;
-    protected refreshTokenHandler?: TokenHandlerConfig;
     protected session?: SessionHandler;
     protected logger?: Soap.Logger;
-    constructor(config: OAuth2StrategyConfig<TContext, TUser>, accessTokenHandler: TokenHandlerConfig, refreshTokenHandler?: TokenHandlerConfig, session?: SessionHandler, logger?: Soap.Logger);
+    constructor(config: OAuth2StrategyConfig<TContext, TUser>, session?: SessionHandler, logger?: Soap.Logger);
+    logout(context: TContext): Promise<void>;
+    protected getCredentialsForPasswordGrant(context: TContext): Promise<{
+        identifier: string;
+        password: string;
+    }>;
+    protected retrieveAccessToken(context: TContext): Promise<string | undefined>;
+    protected retrieveRefreshToken(context: TContext): Promise<string | undefined>;
+    protected storeAccessToken(token: string, context: TContext): Promise<void>;
+    protected storeRefreshToken(token: string, context: TContext): Promise<void>;
+    protected embedAccessToken(token: string, context: TContext): void;
+    protected embedRefreshToken(token: string, context: TContext): void;
+    isTokenExpired(token: string): Promise<boolean>;
     authenticate(context: TContext): Promise<AuthResult<TUser>>;
+    protected processOAuthFlow(context: TContext): Promise<{
+        accessToken: string;
+        refreshToken?: string;
+    }>;
     protected verifyAuthorizationCode(context: TContext, code: string): void;
     protected extractAuthorizationCode(context: TContext): string | null;
     protected redirectUser(context: TContext, authUrl: string): void;
@@ -24,7 +38,7 @@ export declare class OAuth2Strategy<TContext = unknown, TUser = unknown> extends
     protected exchangeClientCredentials(): Promise<{
         accessToken: string;
     }>;
-    protected exchangePasswordGrant(): Promise<{
+    protected exchangePasswordGrant(username: string, password: string): Promise<{
         accessToken: string;
     }>;
     refreshAccessToken(context: TContext): Promise<{

package/build/strategies/oauth2/oauth2.strategy.js

@@ -6,85 +6,163 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.OAuth2Strategy = void 0;
 const axios_1 = __importDefault(require("axios"));
 const errors_1 = require("../../errors");
-const token_based_auth_strategy_1 = require("../token-based-auth.strategy");
 const oauth2_tools_1 = require("./oauth2.tools");
-class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy {
+const base_auth_strategy_1 = require("../base-auth.strategy");
+class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
     config;
-    accessTokenHandler;
-    refreshTokenHandler;
     session;
     logger;
-    constructor(config, accessTokenHandler, refreshTokenHandler, session, logger) {
-        super(config, accessTokenHandler, refreshTokenHandler, session, logger);
+    constructor(config, session, logger) {
+        super(config, session, logger);
         this.config = config;
-        this.accessTokenHandler = accessTokenHandler;
-        this.refreshTokenHandler = refreshTokenHandler;
         this.session = session;
         this.logger = logger;
-        this.config.scope = this.config.scope ?? "openid profile email";
+        this.config.scope = this.config.scope ?? "email";
+    }
+    async logout(context) {
+        try {
+            await this.storeAccessToken("", context);
+            await this.storeRefreshToken("", context);
+            if (this.config.endpoints.logoutUrl) {
+                this.logger?.info("Redirecting to OAuth2 logout endpoint.");
+                this.redirectUser(context, this.config.endpoints.logoutUrl);
+            }
+        }
+        catch (error) {
+            this.logger?.error("Logout failed:", error);
+            throw new Error("Logout failed.");
+        }
+    }
+    async getCredentialsForPasswordGrant(context) {
+        if (this.config.credentials?.extractCredentials) {
+            return this.config.credentials.extractCredentials(context);
+        }
+        else if (typeof context === "object" && "body" in context) {
+            const body = context.body;
+            if (body.username && body.password) {
+                return {
+                    identifier: body.username,
+                    password: body.password,
+                };
+            }
+        }
+        throw new Error("Missing credentials for password grant.");
+    }
+    retrieveAccessToken(context) {
+        if (this.config.accessToken?.retrieve) {
+            return this.config.accessToken.retrieve(context);
+        }
+        if (typeof context === "object" && "headers" in context) {
+            const authHeader = context.headers?.authorization;
+            if (authHeader?.startsWith("Bearer ")) {
+                return authHeader.split(" ")[1];
+            }
+        }
+        if (typeof context === "object" && "cookies" in context) {
+            return context.cookies?.access_token;
+        }
+        return undefined;
+    }
+    retrieveRefreshToken(context) {
+        if (this.config.refreshToken?.retrieve) {
+            return this.config.refreshToken.retrieve(context);
+        }
+        if (typeof context === "object" && "cookies" in context) {
+            return context.cookies?.refresh_token;
+        }
+        return undefined;
+    }
+    storeAccessToken(token, context) {
+        if (this.config.accessToken?.persistence?.store) {
+            return this.config.accessToken.persistence.store(token, context, this.config.accessToken.issuer.options.expiresIn);
+        }
+        if (typeof context === "object" && "cookies" in context) {
+            context.cookies.set("access_token", token, { httpOnly: true });
+        }
+    }
+    storeRefreshToken(token, context) {
+        if (this.config.refreshToken?.persistence?.store) {
+            return this.config.refreshToken.persistence.store(token, context, this.config.refreshToken.issuer.options.expiresIn);
+        }
+        if (typeof context === "object" && "cookies" in context) {
+            context.cookies.set("refresh_token", token, { httpOnly: true });
+        }
+    }
+    embedAccessToken(token, context) {
+        if (this.config.accessToken?.embed) {
+            this.config.accessToken.embed(context, token);
+        }
+        else if (typeof context === "object" && "response" in context) {
+            context.response.setHeader("Authorization", `Bearer ${token}`);
+        }
+    }
+    embedRefreshToken(token, context) {
+        if (this.config.refreshToken?.embed) {
+            return this.config.refreshToken.embed(context, token);
+        }
+        else if (typeof context === "object" && "cookies" in context) {
+            context.cookies.set("refresh_token", token, { httpOnly: true });
+        }
+    }
+    async isTokenExpired(token) {
+        try {
+            const parts = token.split(".");
+            if (parts.length !== 3) {
+                this.logger?.warn("Non-JWT token provided, cannot determine expiration.");
+                return false;
+            }
+            const decoded = JSON.parse(Buffer.from(parts[1], "base64").toString());
+            if (!decoded.exp)
+                return false;
+            const currentTime = Math.floor(Date.now() / 1000);
+            return decoded.exp < currentTime;
+        }
+        catch (error) {
+            this.logger?.warn("Failed to decode token:", error);
+            return false;
+        }
     }
     async authenticate(context) {
         try {
             let user;
             let refreshToken;
-            let accessToken = await this.accessTokenHandler.retrieve?.(context);
+            let accessToken = await this.retrieveAccessToken(context);
             if (!accessToken) {
                 this.logger?.info("No access token found, checking for refresh token.");
-                refreshToken = await this.refreshTokenHandler?.retrieve?.(context);
+                refreshToken = await this.retrieveRefreshToken(context);
                 if (refreshToken) {
                     this.logger?.info("Found refresh token, attempting to refresh access token.");
                     const newTokens = await this.refreshAccessToken(context);
                     accessToken = newTokens.accessToken;
-                    this.accessTokenHandler.embed?.(context, accessToken);
+                    this.embedAccessToken(accessToken, context);
                     if (newTokens.refreshToken) {
                         refreshToken = newTokens.refreshToken;
-                        this.refreshTokenHandler?.embed?.(context, newTokens.refreshToken);
+                        this.embedRefreshToken(newTokens.refreshToken, context);
                     }
                 }
                 else {
                     this.logger?.info("No refresh token found, attempting authentication using grant type.");
-                    switch (this.config.grantType) {
-                        case "authorization_code":
-                            const authorizationCode = this.extractAuthorizationCode(context);
-                            this.verifyAuthorizationCode(context, authorizationCode);
-                            const tokenResult = await this.exchangeCodeForToken(context, authorizationCode);
-                            accessToken = tokenResult.accessToken;
-                            refreshToken = tokenResult.refreshToken;
-                            break;
-                        case "client_credentials":
-                            this.logger?.info("Using client credentials grant.");
-                            const clientCredResult = await this.exchangeClientCredentials();
-                            accessToken = clientCredResult.accessToken;
-                            break;
-                        case "password":
-                            this.logger?.info("Using password grant.");
-                            if (!this.config.credentials) {
-                                throw new Error("Missing credentials for password grant.");
-                            }
-                            const passwordResult = await this.exchangePasswordGrant();
-                            accessToken = passwordResult.accessToken;
-                            break;
-                        default:
-                            throw new Error(`Unsupported grant type: ${this.config.grantType}`);
-                    }
-                    this.accessTokenHandler.embed?.(context, accessToken);
+                    const tokens = await this.processOAuthFlow(context);
+                    accessToken = tokens.accessToken;
+                    refreshToken = tokens.refreshToken;
+                    this.embedAccessToken(accessToken, context);
                     if (refreshToken) {
-                        this.refreshTokenHandler?.embed?.(context, refreshToken);
+                        this.embedRefreshToken(refreshToken, context);
                     }
                 }
             }
             else if (accessToken && (await this.isTokenExpired(accessToken))) {
                 this.logger?.info("Access token expired, attempting refresh.");
-                refreshToken = await this.refreshTokenHandler?.retrieve?.(context);
+                refreshToken = await this.retrieveRefreshToken(context);
                 if (!refreshToken) {
                     throw new errors_1.MissingTokenError("Refresh");
                 }
                 const newTokens = await this.refreshAccessToken(context);
                 accessToken = newTokens.accessToken;
-                this.accessTokenHandler.embed?.(context, accessToken);
+                this.embedAccessToken(accessToken, context);
                 if (newTokens.refreshToken && newTokens.refreshToken !== refreshToken) {
                     refreshToken = newTokens.refreshToken;
-                    this.refreshTokenHandler?.embed?.(context, newTokens.refreshToken);
+                    this.embedRefreshToken(newTokens.refreshToken, context);
                 }
             }
             if (!accessToken) {
@@ -92,6 +170,7 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
             }
             user = await this.retrieveUser(accessToken);
             if (!user) {
+                this.logger?.error("User retrieval failed: No user found for access token.");
                 throw new errors_1.UserNotFoundError();
             }
             await this.isAuthorized(user);
@@ -102,6 +181,29 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
             throw new errors_1.AuthError(error, "OAuth2 authentication failed.");
         }
     }
+    async processOAuthFlow(context) {
+        if (this.config.grantType === "authorization_code") {
+            const authorizationCode = this.extractAuthorizationCode(context);
+            this.verifyAuthorizationCode(context, authorizationCode);
+            const tokenResult = await this.exchangeCodeForToken(context, authorizationCode);
+            return tokenResult;
+        }
+        if (this.config.grantType === "client_credentials") {
+            this.logger?.info("Using client credentials grant.");
+            const clientCredResult = await this.exchangeClientCredentials();
+            return { accessToken: clientCredResult.accessToken };
+        }
+        if (this.config.grantType === "password") {
+            this.logger?.info("Using password grant.");
+            const credentials = await this.getCredentialsForPasswordGrant(context);
+            if (!credentials) {
+                throw new Error("Missing credentials for password grant.");
+            }
+            const passwordResult = await this.exchangePasswordGrant(credentials.identifier, credentials.password);
+            return { accessToken: passwordResult.accessToken };
+        }
+        throw new Error(`Unsupported grant type: ${this.config.grantType}`);
+    }
     verifyAuthorizationCode(context, code) {
         if (!code) {
             this.logger?.warn("Authorization code missing, redirecting user.");
@@ -126,7 +228,7 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
     }
     buildAuthorizationUrl(context) {
         let authorizationUrl = `${this.config.endpoints.authorizationUrl}?client_id=${this.config.clientId}&redirect_uri=${encodeURIComponent(this.config.redirectUri)}&response_type=code&scope=${this.config.scope ?? ""}`;
-        if (this.config.pkce?.enabled) {
+        if (this.config.pkce) {
             const codeVerifier = this.config.pkce.generateCodeVerifier
                 ? this.config.pkce.generateCodeVerifier()
                 : oauth2_tools_1.OAuth2Tools.generateCodeVerifier();
@@ -143,7 +245,7 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
             code,
             redirect_uri: this.config.redirectUri,
         };
-        if (this.config.pkce?.enabled) {
+        if (this.config.pkce) {
             const codeVerifier = this.config.pkce.retrieveCodeVerifier?.(context);
             if (!codeVerifier) {
                 throw new Error("Missing PKCE code verifier in context.");
@@ -185,7 +287,7 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
             const response = await axios_1.default.get(this.config.endpoints.userInfoUrl, {
                 headers: { Authorization: `Bearer ${accessToken}` },
             });
-            return (await this.config.validateUser?.(response.data)) || null;
+            return (await this.config.user.validateUser(response.data)) || null;
         }
         catch (error) {
             this.logger?.error("Failed to fetch user information:", error);
@@ -200,22 +302,22 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
         });
         return { accessToken: response.data.access_token };
     }
-    async exchangePasswordGrant() {
-        if (!this.config.credentials) {
+    async exchangePasswordGrant(username, password) {
+        if (!username || !password) {
             throw new Error("Missing credentials for password grant.");
         }
         const response = await axios_1.default.post(this.config.endpoints.tokenUrl, {
             grant_type: "password",
             client_id: this.config.clientId,
             client_secret: this.config.clientSecret,
-            username: this.config.credentials.username,
-            password: this.config.credentials.password,
+            username,
+            password,
         });
         return { accessToken: response.data.access_token };
     }
     async refreshAccessToken(context) {
         try {
-            const refreshToken = await this.refreshTokenHandler?.retrieve?.(context);
+            const refreshToken = await this.retrieveRefreshToken(context);
             if (!refreshToken) {
                 throw new errors_1.MissingTokenError("Refresh");
             }
@@ -225,13 +327,20 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
                 client_secret: this.config.clientSecret,
                 refresh_token: refreshToken,
             });
+            if (response.status !== 200 || !response.data.access_token) {
+                throw new Error("Failed to refresh token");
+            }
             const refreshedTokens = {
                 accessToken: response.data.access_token,
                 refreshToken: response.data.refresh_token,
             };
-            await this.accessTokenHandler.embed?.(context, refreshedTokens.accessToken);
+            await this.storeAccessToken(refreshedTokens.accessToken, context);
+            if (refreshedTokens.refreshToken) {
+                await this.storeRefreshToken(refreshedTokens.refreshToken, context);
+            }
+            await this.embedAccessToken(refreshedTokens.accessToken, context);
             if (refreshedTokens.refreshToken) {
-                await this.refreshTokenHandler?.embed?.(context, refreshedTokens.refreshToken);
+                await this.embedRefreshToken(refreshedTokens.refreshToken, context);
             }
             return refreshedTokens;
         }

package/build/strategies/oauth2/oauth2.types.d.ts

@@ -1,29 +1,21 @@
-import { TokenBasedAuthStrategyConfig } from "../../types";
+import { CredentailsConfig, PKCEConfig, TokenAuthStrategyConfig } from "../../types";
 export interface OAuth2Endpoints {
     authorizationUrl: string;
     tokenUrl: string;
     userInfoUrl?: string;
     introspectionUrl?: string;
     revocationUrl?: string;
+    logoutUrl?: string;
 }
-export interface OAuth2StrategyConfig<TContext = unknown, TUser = unknown> extends TokenBasedAuthStrategyConfig<TContext, TUser>, PKCEConfig<TContext> {
+export interface OAuth2StrategyConfig<TContext = unknown, TUser = unknown> extends TokenAuthStrategyConfig<TContext, TUser> {
     clientId: string;
     clientSecret: string;
     redirectUri: string;
-    scope?: string;
-    grantType: "authorization_code" | "client_credentials" | "password" | "refresh_token";
+    scope?: string | string[];
+    audience?: string;
+    responseType?: "code" | "token" | "id_token" | string;
+    grantType: "authorization_code" | "client_credentials" | "password" | "refresh_token" | string;
     endpoints: OAuth2Endpoints;
-    validateUser?: (tokenPayload: any) => Promise<TUser | null>;
-    credentials?: {
-        username: string;
-        password: string;
-    };
-}
-export interface PKCEConfig<TContext> {
-    pkce?: {
-        enabled?: boolean;
-        generateCodeVerifier?: () => string;
-        storeCodeVerifier?: (context: TContext, codeVerifier: string) => void;
-        retrieveCodeVerifier?: (context: TContext) => string | null;
-    };
+    credentials?: CredentailsConfig<TContext>;
+    pkce?: PKCEConfig<TContext>;
 }

package/build/strategies/token-auth.strategy.d.ts

@@ -0,0 +1,25 @@
+import * as Soap from "@soapjs/soap";
+import { AuthResult, TokenAuthStrategyConfig } from "../types";
+import { BaseAuthStrategy } from "./base-auth.strategy";
+import { SessionHandler } from "../session/session-handler";
+export declare abstract class TokenAuthStrategy<TContext = unknown, TUser = unknown> extends BaseAuthStrategy<TContext, TUser> {
+    protected config: TokenAuthStrategyConfig<TContext, TUser>;
+    protected session?: SessionHandler;
+    protected logger?: Soap.Logger;
+    constructor(config: TokenAuthStrategyConfig<TContext, TUser>, session?: SessionHandler, logger?: Soap.Logger);
+    protected abstract retrieveAccessToken(context: TContext): Promise<string | undefined>;
+    protected abstract retrieveRefreshToken(context: TContext): Promise<string | undefined>;
+    protected abstract verifyAccessToken(token: string): Promise<any>;
+    protected abstract verifyRefreshToken(token: string): Promise<any>;
+    protected abstract generateAccessToken(payload: any): Promise<string>;
+    protected abstract generateRefreshToken(payload: any): Promise<string>;
+    protected abstract storeAccessToken(token: string, context: TContext): Promise<void>;
+    protected abstract storeRefreshToken(token: string, context: TContext): Promise<void>;
+    protected abstract embedAccessToken(token: string, context: TContext): void;
+    protected abstract embedRefreshToken(token: string, context: TContext): void;
+    authenticate(context: TContext): Promise<AuthResult<TUser>>;
+    rotateTokens(context: TContext): Promise<{
+        accessToken: string;
+        refreshToken?: string;
+    }>;
+}

package/build/strategies/token-auth.strategy.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenAuthStrategy = void 0;
+const base_auth_strategy_1 = require("./base-auth.strategy");
+const errors_1 = require("../errors");
+class TokenAuthStrategy extends base_auth_strategy_1.BaseAuthStrategy {
+    config;
+    session;
+    logger;
+    constructor(config, session, logger) {
+        super(config, session, logger);
+        this.config = config;
+        this.session = session;
+        this.logger = logger;
+    }
+    async authenticate(context) {
+        try {
+            let accessToken = await this.retrieveAccessToken(context);
+            let refreshToken;
+            await this.checkRateLimit(context);
+            if (accessToken) {
+                try {
+                    const decoded = await this.verifyAccessToken(accessToken);
+                    const user = await this.config.user.getUserData(decoded);
+                    if (!user)
+                        throw new errors_1.UserNotFoundError();
+                    await this.isAuthorized(user);
+                    return { user, tokens: { accessToken } };
+                }
+                catch (error) {
+                    this.logger?.warn("Access token is invalid or expired, trying refresh token...");
+                }
+            }
+            refreshToken = await this.retrieveRefreshToken(context);
+            if (!refreshToken)
+                throw new errors_1.MissingTokenError("Refresh");
+            const newTokens = await this.rotateTokens(context);
+            accessToken = newTokens.accessToken;
+            refreshToken = newTokens.refreshToken;
+            if (!accessToken)
+                throw new errors_1.MissingTokenError("Access");
+            const decoded = await this.verifyAccessToken(accessToken);
+            const user = await this.config.user.getUserData(decoded);
+            if (!user)
+                throw new errors_1.UserNotFoundError();
+            await this.isAuthorized(user);
+            return { user, tokens: { accessToken, refreshToken } };
+        }
+        catch (error) {
+            this.logger?.error("Authentication failed:", error);
+            throw new errors_1.AuthError(error, "Authentication failed.");
+        }
+    }
+    async rotateTokens(context) {
+        try {
+            const refreshToken = await this.retrieveRefreshToken(context);
+            if (!refreshToken)
+                throw new errors_1.MissingTokenError("Refresh");
+            const payload = await this.verifyRefreshToken(refreshToken);
+            if (!payload)
+                throw new errors_1.InvalidTokenError("Refresh");
+            const newAccessToken = await this.generateAccessToken(payload);
+            let newRefreshToken = await this.generateRefreshToken(payload);
+            await this.storeAccessToken(newAccessToken, context);
+            if (newRefreshToken) {
+                await this.storeRefreshToken(newRefreshToken, context);
+            }
+            this.embedAccessToken(newAccessToken, context);
+            this.embedRefreshToken(newRefreshToken, context);
+            return { accessToken: newAccessToken, refreshToken: newRefreshToken };
+        }
+        catch (error) {
+            this.logger?.error("Token rotation failed:", error);
+            throw new errors_1.InvalidTokenError("Refresh");
+        }
+    }
+}
+exports.TokenAuthStrategy = TokenAuthStrategy;