@soapjs/soap-auth 0.1.1 → 0.2.0

package/build/strategies/jwt/jwt.tools.js

@@ -23,57 +23,96 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.prepareRefreshTokenConfig = exports.prepareAccessTokenConfig = void 0;
+exports.clearDefaultJwtCookie = exports.clearDefaultJwtHeader = exports.setDefaultJwtHeader = exports.setDefaultJwtCookie = exports.prepareRefreshTokenConfig = exports.prepareAccessTokenConfig = void 0;
 const Soap = __importStar(require("@soapjs/soap"));
 const prepareAccessTokenConfig = (config) => {
     return Soap.removeUndefinedProperties({
-        ...config.accessToken,
-        tokenType: "Access",
-        expiresIn: config.accessToken.expiresIn || "1h",
-        signOptions: {
-            ...config.accessToken.signOptions,
-            algorithm: config.accessToken.signOptions.algorithm || "HS256",
-            expiresIn: config.accessToken.expiresIn || "1h",
-            audience: config.accessToken.audience,
-            issuer: config.accessToken.issuer,
-            subject: config.accessToken.subject,
+        ...config,
+        generation: {
+            ...config.issuer.options,
+            expiresIn: config.issuer.options.expiresIn || "1h",
+            algorithm: config.issuer.options.algorithm || "HS256",
+        },
+        verification: {
+            ...config.verifier.options,
+            algorithms: config.verifier.options.algorithms || ["HS256"],
+            expiresIn: config.verifier.options.expiresIn || "1h",
         },
-        verifyOptions: config.accessToken.verifyOptions
-            ? {
-                ...config.accessToken.verifyOptions,
-                algorithms: config.accessToken.verifyOptions.algorithms || ["HS256"],
-                expiresIn: config.accessToken.expiresIn || "1h",
-                audience: config.accessToken.audience,
-                issuer: config.accessToken.issuer,
-                subject: config.accessToken.subject,
-            }
-            : {},
     });
 };
 exports.prepareAccessTokenConfig = prepareAccessTokenConfig;
 const prepareRefreshTokenConfig = (config) => {
     return Soap.removeUndefinedProperties({
-        ...config.refreshToken,
-        secretKey: config.refreshToken.secretKey,
-        tokenType: "Refresh",
-        signOptions: {
-            ...config.refreshToken.signOptions,
-            algorithm: config.refreshToken.signOptions.algorithm || "HS256",
-            expiresIn: config.refreshToken.expiresIn || "7d",
-            audience: config.refreshToken.audience,
-            issuer: config.refreshToken.issuer,
-            subject: config.refreshToken.subject,
+        ...config,
+        generation: {
+            ...config.issuer,
+            expiresIn: config.issuer.options.expiresIn || "7d",
+            algorithm: config.issuer.options.algorithm || "HS256",
+        },
+        verification: {
+            ...config.verifier.options,
+            algorithms: config.verifier.options.algorithms || ["HS256"],
+            expiresIn: config.verifier.options.expiresIn || "7d",
         },
-        verifyOptions: config.refreshToken.verifyOptions
-            ? {
-                ...config.refreshToken.verifyOptions,
-                algorithm: config.refreshToken.verifyOptions.algorithms || ["HS256"],
-                expiresIn: config.refreshToken.expiresIn || "7d",
-                audience: config.refreshToken.audience,
-                issuer: config.refreshToken.issuer,
-                subject: config.refreshToken.subject,
-            }
-            : {},
     });
 };
 exports.prepareRefreshTokenConfig = prepareRefreshTokenConfig;
+const setDefaultJwtCookie = (token, context) => {
+    const options = {
+        httpOnly: true,
+        secure: true,
+        sameSite: "Strict",
+        maxAge: 7 * 24 * 60 * 60 * 1000,
+    };
+    if (context?.res) {
+        context.res.cookie("refreshToken", token, options);
+    }
+    else if (context?.response) {
+        context.response.cookie("refreshToken", token, options);
+    }
+    else if (context?.cookie) {
+        context.cookie("refreshToken", token, options);
+    }
+};
+exports.setDefaultJwtCookie = setDefaultJwtCookie;
+const setDefaultJwtHeader = (token, context) => {
+    if (typeof context?.res?.setHeader === "function") {
+        context.res.setHeader("Authorization", `Bearer ${token}`);
+    }
+    else if (typeof context?.response?.setHeader === "function") {
+        context.response.setHeader("Authorization", `Bearer ${token}`);
+    }
+    else if (typeof context?.setHeader === "function") {
+        context.setHeader("Authorization", `Bearer ${token}`);
+    }
+};
+exports.setDefaultJwtHeader = setDefaultJwtHeader;
+const clearDefaultJwtHeader = (context) => {
+    if (typeof context?.res?.setHeader === "function") {
+        context.res.setHeader("Authorization", ``);
+    }
+    else if (typeof context?.response?.setHeader === "function") {
+        context.response.setHeader("Authorization", ``);
+    }
+    else if (typeof context?.setHeader === "function") {
+        context.setHeader("Authorization", ``);
+    }
+};
+exports.clearDefaultJwtHeader = clearDefaultJwtHeader;
+const clearDefaultJwtCookie = (context) => {
+    const options = {
+        httpOnly: true,
+        secure: true,
+        sameSite: "Strict",
+    };
+    if (typeof context?.res?.clearCookie === "function") {
+        context.res.clearCookie("refreshToken", options);
+    }
+    else if (typeof context?.response?.clearCookie === "function") {
+        context.response.clearCookie("refreshToken", options);
+    }
+    else if (typeof context?.clearCookie === "function") {
+        context.clearCookie("refreshToken", options);
+    }
+};
+exports.clearDefaultJwtCookie = clearDefaultJwtCookie;

package/build/strategies/jwt/jwt.types.d.ts

@@ -1,4 +1,4 @@
-import { TokenBasedAuthStrategyConfig, TokenConfig } from "../../types";
+import { TokenAuthStrategyConfig } from "../../types";
 export interface JwtVerifyOptions {
     algorithms?: string[];
     notBefore?: string | number;
@@ -12,36 +12,12 @@ export interface JwtVerifyOptions {
 export interface JwtSignOptions {
     algorithm?: "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "PS256" | "PS384" | "PS512" | "none";
     notBefore?: string | number;
-    jwtid?: string;
+    jti?: string;
     issuedAt?: number;
     mutatePayload?: (payload: Record<string, any>) => Record<string, any>;
     noTimestamp?: boolean;
     keyid?: string;
     allowUnsafe?: boolean;
 }
-export type JwtAccessTokenConfig = {
-    verifyOptions?: JwtVerifyOptions;
-    signOptions: JwtSignOptions;
-} & TokenConfig;
-export type JwtRefreshTokenConfig = {
-    verifyOptions?: JwtVerifyOptions;
-    signOptions: JwtSignOptions;
-} & TokenConfig;
-export interface JwtConfig<TContext = unknown, TUser = unknown> extends TokenBasedAuthStrategyConfig<TContext, TUser> {
-    accessToken: JwtAccessTokenConfig;
-    refreshToken?: JwtRefreshTokenConfig;
-    routes?: {
-        login?: {
-            path: string;
-            method?: "POST" | "GET";
-        };
-        logout?: {
-            path: string;
-            method?: "POST" | "GET";
-        };
-        refresh?: {
-            path: string;
-            method?: "POST" | "GET";
-        };
-    };
+export interface JwtConfig<TContext = unknown, TUser = unknown> extends TokenAuthStrategyConfig<TContext, TUser> {
 }

package/build/strategies/local/local.strategy.d.ts

@@ -1,8 +1,8 @@
 import * as Soap from "@soapjs/soap";
-import { CredentialBasedAuthStrategy } from "../credential-based-auth.strategy";
+import { CredentialAuthStrategy } from "../credential-auth.strategy";
 import { LocalStrategyConfig } from "./local.types";
 import { SessionHandler } from "../../session/session-handler";
-export declare class LocalStrategy<TContext = unknown, TUser = unknown> extends CredentialBasedAuthStrategy<TContext, TUser> {
+export declare class LocalStrategy<TContext = unknown, TUser = unknown> extends CredentialAuthStrategy<TContext, TUser> {
     protected config: LocalStrategyConfig<TContext, TUser>;
     protected session?: SessionHandler;
     protected logger?: Soap.Logger;
@@ -11,15 +11,9 @@ export declare class LocalStrategy<TContext = unknown, TUser = unknown> extends
         identifier: string;
         password: string;
     }>;
-    protected verifyCredentials(credentials: {
-        identifier: string;
-        password: string;
-    }): Promise<boolean>;
+    protected verifyCredentials(identifier: string, password: string): Promise<boolean>;
     protected retrieveUser(credentials: {
         identifier: string;
         password: string;
     }): Promise<TUser | null>;
-    requestPasswordReset(email: string): Promise<void>;
-    resetPassword(email: string, token: string, newPassword: string): Promise<void>;
-    changePassword(email: string, oldPassword: string, newPassword: string): Promise<void>;
 }

package/build/strategies/local/local.strategy.js

@@ -1,9 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.LocalStrategy = void 0;
-const errors_1 = require("../../errors");
-const credential_based_auth_strategy_1 = require("../credential-based-auth.strategy");
-class LocalStrategy extends credential_based_auth_strategy_1.CredentialBasedAuthStrategy {
+const credential_auth_strategy_1 = require("../credential-auth.strategy");
+class LocalStrategy extends credential_auth_strategy_1.CredentialAuthStrategy {
     config;
     session;
     logger;
@@ -13,64 +12,14 @@ class LocalStrategy extends credential_based_auth_strategy_1.CredentialBasedAuth
         this.session = session;
         this.logger = logger;
     }
-    async extractCredentials(context) {
-        return this.config.login.extractCredentials(context);
+    extractCredentials(context) {
+        return this.config.credentials.extractCredentials(context);
     }
-    async verifyCredentials(credentials) {
-        return this.config.login.verifyUserCredentials(credentials.identifier, credentials.password);
+    async verifyCredentials(identifier, password) {
+        return this.config.credentials.verifyCredentials(identifier, password);
     }
     async retrieveUser(credentials) {
-        return this.config.login.retrieveUserData(credentials.identifier);
-    }
-    async requestPasswordReset(email) {
-        try {
-            if (!this.config.passwordReset?.generateResetToken) {
-                throw new Error("Password reset token generation is not configured.");
-            }
-            const token = await this.config.passwordReset.generateResetToken(email);
-            await this.config.passwordReset.sendResetEmail?.(email, token);
-            this.logger?.info(`Password reset requested for email: ${email}`);
-            await this.config.passwordReset.onSuccess?.({ email });
-        }
-        catch (error) {
-            this.logger?.error("Password reset request error:", error);
-            await this.config.passwordReset.onFailure?.({ email, error });
-            throw new errors_1.AuthError(error, "Password reset request failed.");
-        }
-    }
-    async resetPassword(email, token, newPassword) {
-        try {
-            if (!this.config.passwordReset?.validateResetToken) {
-                throw new Error("Password reset token validation is not configured.");
-            }
-            const isValid = await this.config.passwordReset.validateResetToken(token);
-            if (!isValid)
-                throw new Error("Invalid or expired reset token.");
-            await this.config.passwordReset.updatePassword(email, newPassword);
-            this.logger?.info(`Password reset successful for email: ${email}`);
-            await this.config.passwordReset.onSuccess?.({ email });
-        }
-        catch (error) {
-            this.logger?.error("Password reset error:", error);
-            await this.config.passwordReset.onFailure?.({ email, error });
-            throw new errors_1.AuthError(error, "Password reset failed.");
-        }
-    }
-    async changePassword(email, oldPassword, newPassword) {
-        try {
-            const isAuthenticated = await this.config.login.verifyUserCredentials(email, oldPassword);
-            if (!isAuthenticated) {
-                throw new errors_1.InvalidCredentialsError();
-            }
-            await this.config.passwordReset?.updatePassword?.(email, newPassword);
-            this.logger?.info(`Password changed successfully for email: ${email}`);
-            await this.config.passwordReset?.onSuccess?.({ email });
-        }
-        catch (error) {
-            this.logger?.error("Change password error:", error);
-            await this.config.passwordReset?.onFailure?.({ email, error });
-            throw new errors_1.AuthError(error, "Change password failed.");
-        }
+        return this.config.user.getUserData(credentials.identifier);
     }
 }
 exports.LocalStrategy = LocalStrategy;

package/build/strategies/local/local.types.d.ts

@@ -1,3 +1,3 @@
-import { CredentialBasedAuthStrategyConfig } from "../../types";
-export interface LocalStrategyConfig<TContext = unknown, TUser = unknown> extends CredentialBasedAuthStrategyConfig<TContext, TUser> {
+import { CredentialAuthStrategyConfig } from "../../types";
+export interface LocalStrategyConfig<TContext = unknown, TUser = unknown> extends CredentialAuthStrategyConfig<TContext, TUser> {
 }

package/build/strategies/oauth2/oauth2.strategy.d.ts

@@ -1,16 +1,30 @@
 import * as Soap from "@soapjs/soap";
-import { TokenConfig, AuthResult } from "../../types";
-import { TokenBasedAuthStrategy } from "../token-based-auth.strategy";
+import { AuthResult } from "../../types";
 import { OAuth2StrategyConfig } from "./oauth2.types";
 import { SessionHandler } from "../../session/session-handler";
-export declare class OAuth2Strategy<TContext = unknown, TUser = unknown> extends TokenBasedAuthStrategy<TContext, TUser> {
+import { BaseAuthStrategy } from "../base-auth.strategy";
+export declare class OAuth2Strategy<TContext = unknown, TUser = unknown> extends BaseAuthStrategy<TContext, TUser> {
     protected config: OAuth2StrategyConfig<TContext, TUser>;
-    protected accessTokenConfig: TokenConfig;
-    protected refreshTokenConfig?: TokenConfig;
     protected session?: SessionHandler;
     protected logger?: Soap.Logger;
-    constructor(config: OAuth2StrategyConfig<TContext, TUser>, accessTokenConfig: TokenConfig, refreshTokenConfig?: TokenConfig, session?: SessionHandler, logger?: Soap.Logger);
+    constructor(config: OAuth2StrategyConfig<TContext, TUser>, session?: SessionHandler, logger?: Soap.Logger);
+    logout(context: TContext): Promise<void>;
+    protected getCredentialsForPasswordGrant(context: TContext): Promise<{
+        identifier: string;
+        password: string;
+    }>;
+    protected retrieveAccessToken(context: TContext): Promise<string | undefined>;
+    protected retrieveRefreshToken(context: TContext): Promise<string | undefined>;
+    protected storeAccessToken(token: string, context: TContext): Promise<void>;
+    protected storeRefreshToken(token: string, context: TContext): Promise<void>;
+    protected embedAccessToken(token: string, context: TContext): void;
+    protected embedRefreshToken(token: string, context: TContext): void;
+    isTokenExpired(token: string): Promise<boolean>;
     authenticate(context: TContext): Promise<AuthResult<TUser>>;
+    protected processOAuthFlow(context: TContext): Promise<{
+        accessToken: string;
+        refreshToken?: string;
+    }>;
     protected verifyAuthorizationCode(context: TContext, code: string): void;
     protected extractAuthorizationCode(context: TContext): string | null;
     protected redirectUser(context: TContext, authUrl: string): void;
@@ -24,7 +38,7 @@ export declare class OAuth2Strategy<TContext = unknown, TUser = unknown> extends
     protected exchangeClientCredentials(): Promise<{
         accessToken: string;
     }>;
-    protected exchangePasswordGrant(): Promise<{
+    protected exchangePasswordGrant(username: string, password: string): Promise<{
         accessToken: string;
     }>;
     refreshAccessToken(context: TContext): Promise<{

package/build/strategies/oauth2/oauth2.strategy.js

@@ -6,85 +6,163 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.OAuth2Strategy = void 0;
 const axios_1 = __importDefault(require("axios"));
 const errors_1 = require("../../errors");
-const token_based_auth_strategy_1 = require("../token-based-auth.strategy");
 const oauth2_tools_1 = require("./oauth2.tools");
-class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy {
+const base_auth_strategy_1 = require("../base-auth.strategy");
+class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
     config;
-    accessTokenConfig;
-    refreshTokenConfig;
     session;
     logger;
-    constructor(config, accessTokenConfig, refreshTokenConfig, session, logger) {
-        super(config, accessTokenConfig, refreshTokenConfig, session, logger);
+    constructor(config, session, logger) {
+        super(config, session, logger);
         this.config = config;
-        this.accessTokenConfig = accessTokenConfig;
-        this.refreshTokenConfig = refreshTokenConfig;
         this.session = session;
         this.logger = logger;
         this.config.scope = this.config.scope ?? "email";
     }
+    async logout(context) {
+        try {
+            await this.storeAccessToken("", context);
+            await this.storeRefreshToken("", context);
+            if (this.config.endpoints.logoutUrl) {
+                this.logger?.info("Redirecting to OAuth2 logout endpoint.");
+                this.redirectUser(context, this.config.endpoints.logoutUrl);
+            }
+        }
+        catch (error) {
+            this.logger?.error("Logout failed:", error);
+            throw new Error("Logout failed.");
+        }
+    }
+    async getCredentialsForPasswordGrant(context) {
+        if (this.config.credentials?.extractCredentials) {
+            return this.config.credentials.extractCredentials(context);
+        }
+        else if (typeof context === "object" && "body" in context) {
+            const body = context.body;
+            if (body.username && body.password) {
+                return {
+                    identifier: body.username,
+                    password: body.password,
+                };
+            }
+        }
+        throw new Error("Missing credentials for password grant.");
+    }
+    retrieveAccessToken(context) {
+        if (this.config.accessToken?.retrieve) {
+            return this.config.accessToken.retrieve(context);
+        }
+        if (typeof context === "object" && "headers" in context) {
+            const authHeader = context.headers?.authorization;
+            if (authHeader?.startsWith("Bearer ")) {
+                return authHeader.split(" ")[1];
+            }
+        }
+        if (typeof context === "object" && "cookies" in context) {
+            return context.cookies?.access_token;
+        }
+        return undefined;
+    }
+    retrieveRefreshToken(context) {
+        if (this.config.refreshToken?.retrieve) {
+            return this.config.refreshToken.retrieve(context);
+        }
+        if (typeof context === "object" && "cookies" in context) {
+            return context.cookies?.refresh_token;
+        }
+        return undefined;
+    }
+    storeAccessToken(token, context) {
+        if (this.config.accessToken?.persistence?.store) {
+            return this.config.accessToken.persistence.store(token, context, this.config.accessToken.issuer.options.expiresIn);
+        }
+        if (typeof context === "object" && "cookies" in context) {
+            context.cookies.set("access_token", token, { httpOnly: true });
+        }
+    }
+    storeRefreshToken(token, context) {
+        if (this.config.refreshToken?.persistence?.store) {
+            return this.config.refreshToken.persistence.store(token, context, this.config.refreshToken.issuer.options.expiresIn);
+        }
+        if (typeof context === "object" && "cookies" in context) {
+            context.cookies.set("refresh_token", token, { httpOnly: true });
+        }
+    }
+    embedAccessToken(token, context) {
+        if (this.config.accessToken?.embed) {
+            this.config.accessToken.embed(context, token);
+        }
+        else if (typeof context === "object" && "response" in context) {
+            context.response.setHeader("Authorization", `Bearer ${token}`);
+        }
+    }
+    embedRefreshToken(token, context) {
+        if (this.config.refreshToken?.embed) {
+            return this.config.refreshToken.embed(context, token);
+        }
+        else if (typeof context === "object" && "cookies" in context) {
+            context.cookies.set("refresh_token", token, { httpOnly: true });
+        }
+    }
+    async isTokenExpired(token) {
+        try {
+            const parts = token.split(".");
+            if (parts.length !== 3) {
+                this.logger?.warn("Non-JWT token provided, cannot determine expiration.");
+                return false;
+            }
+            const decoded = JSON.parse(Buffer.from(parts[1], "base64").toString());
+            if (!decoded.exp)
+                return false;
+            const currentTime = Math.floor(Date.now() / 1000);
+            return decoded.exp < currentTime;
+        }
+        catch (error) {
+            this.logger?.warn("Failed to decode token:", error);
+            return false;
+        }
+    }
     async authenticate(context) {
         try {
             let user;
             let refreshToken;
-            let accessToken = await this.accessTokenConfig.retrieve?.(context);
+            let accessToken = await this.retrieveAccessToken(context);
             if (!accessToken) {
                 this.logger?.info("No access token found, checking for refresh token.");
-                refreshToken = await this.refreshTokenConfig?.retrieve?.(context);
+                refreshToken = await this.retrieveRefreshToken(context);
                 if (refreshToken) {
                     this.logger?.info("Found refresh token, attempting to refresh access token.");
                     const newTokens = await this.refreshAccessToken(context);
                     accessToken = newTokens.accessToken;
-                    this.accessTokenConfig.embed?.(context, accessToken);
+                    this.embedAccessToken(accessToken, context);
                     if (newTokens.refreshToken) {
                         refreshToken = newTokens.refreshToken;
-                        this.refreshTokenConfig?.embed?.(context, newTokens.refreshToken);
+                        this.embedRefreshToken(newTokens.refreshToken, context);
                     }
                 }
                 else {
                     this.logger?.info("No refresh token found, attempting authentication using grant type.");
-                    switch (this.config.grantType) {
-                        case "authorization_code":
-                            const authorizationCode = this.extractAuthorizationCode(context);
-                            this.verifyAuthorizationCode(context, authorizationCode);
-                            const tokenResult = await this.exchangeCodeForToken(context, authorizationCode);
-                            accessToken = tokenResult.accessToken;
-                            refreshToken = tokenResult.refreshToken;
-                            break;
-                        case "client_credentials":
-                            this.logger?.info("Using client credentials grant.");
-                            const clientCredResult = await this.exchangeClientCredentials();
-                            accessToken = clientCredResult.accessToken;
-                            break;
-                        case "password":
-                            this.logger?.info("Using password grant.");
-                            if (!this.config.credentials) {
-                                throw new Error("Missing credentials for password grant.");
-                            }
-                            const passwordResult = await this.exchangePasswordGrant();
-                            accessToken = passwordResult.accessToken;
-                            break;
-                        default:
-                            throw new Error(`Unsupported grant type: ${this.config.grantType}`);
-                    }
-                    this.accessTokenConfig.embed?.(context, accessToken);
+                    const tokens = await this.processOAuthFlow(context);
+                    accessToken = tokens.accessToken;
+                    refreshToken = tokens.refreshToken;
+                    this.embedAccessToken(accessToken, context);
                     if (refreshToken) {
-                        this.refreshTokenConfig?.embed?.(context, refreshToken);
+                        this.embedRefreshToken(refreshToken, context);
                     }
                 }
             }
             else if (accessToken && (await this.isTokenExpired(accessToken))) {
                 this.logger?.info("Access token expired, attempting refresh.");
-                refreshToken = await this.refreshTokenConfig?.retrieve?.(context);
+                refreshToken = await this.retrieveRefreshToken(context);
                 if (!refreshToken) {
                     throw new errors_1.MissingTokenError("Refresh");
                 }
                 const newTokens = await this.refreshAccessToken(context);
                 accessToken = newTokens.accessToken;
-                this.accessTokenConfig.embed?.(context, accessToken);
+                this.embedAccessToken(accessToken, context);
                 if (newTokens.refreshToken && newTokens.refreshToken !== refreshToken) {
                     refreshToken = newTokens.refreshToken;
-                    this.refreshTokenConfig?.embed?.(context, newTokens.refreshToken);
+                    this.embedRefreshToken(newTokens.refreshToken, context);
                 }
             }
             if (!accessToken) {
@@ -92,6 +170,7 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
             }
             user = await this.retrieveUser(accessToken);
             if (!user) {
+                this.logger?.error("User retrieval failed: No user found for access token.");
                 throw new errors_1.UserNotFoundError();
             }
             await this.isAuthorized(user);
@@ -102,6 +181,29 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
             throw new errors_1.AuthError(error, "OAuth2 authentication failed.");
         }
     }
+    async processOAuthFlow(context) {
+        if (this.config.grantType === "authorization_code") {
+            const authorizationCode = this.extractAuthorizationCode(context);
+            this.verifyAuthorizationCode(context, authorizationCode);
+            const tokenResult = await this.exchangeCodeForToken(context, authorizationCode);
+            return tokenResult;
+        }
+        if (this.config.grantType === "client_credentials") {
+            this.logger?.info("Using client credentials grant.");
+            const clientCredResult = await this.exchangeClientCredentials();
+            return { accessToken: clientCredResult.accessToken };
+        }
+        if (this.config.grantType === "password") {
+            this.logger?.info("Using password grant.");
+            const credentials = await this.getCredentialsForPasswordGrant(context);
+            if (!credentials) {
+                throw new Error("Missing credentials for password grant.");
+            }
+            const passwordResult = await this.exchangePasswordGrant(credentials.identifier, credentials.password);
+            return { accessToken: passwordResult.accessToken };
+        }
+        throw new Error(`Unsupported grant type: ${this.config.grantType}`);
+    }
     verifyAuthorizationCode(context, code) {
         if (!code) {
             this.logger?.warn("Authorization code missing, redirecting user.");
@@ -185,7 +287,7 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
             const response = await axios_1.default.get(this.config.endpoints.userInfoUrl, {
                 headers: { Authorization: `Bearer ${accessToken}` },
             });
-            return (await this.config.validateUser?.(response.data)) || null;
+            return (await this.config.user.validateUser(response.data)) || null;
         }
         catch (error) {
             this.logger?.error("Failed to fetch user information:", error);
@@ -200,22 +302,22 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
         });
         return { accessToken: response.data.access_token };
     }
-    async exchangePasswordGrant() {
-        if (!this.config.credentials) {
+    async exchangePasswordGrant(username, password) {
+        if (!username || !password) {
             throw new Error("Missing credentials for password grant.");
         }
         const response = await axios_1.default.post(this.config.endpoints.tokenUrl, {
             grant_type: "password",
             client_id: this.config.clientId,
             client_secret: this.config.clientSecret,
-            username: this.config.credentials.username,
-            password: this.config.credentials.password,
+            username,
+            password,
         });
         return { accessToken: response.data.access_token };
     }
     async refreshAccessToken(context) {
         try {
-            const refreshToken = await this.refreshTokenConfig?.retrieve?.(context);
+            const refreshToken = await this.retrieveRefreshToken(context);
             if (!refreshToken) {
                 throw new errors_1.MissingTokenError("Refresh");
             }
@@ -225,13 +327,20 @@ class OAuth2Strategy extends token_based_auth_strategy_1.TokenBasedAuthStrategy
                 client_secret: this.config.clientSecret,
                 refresh_token: refreshToken,
             });
+            if (response.status !== 200 || !response.data.access_token) {
+                throw new Error("Failed to refresh token");
+            }
             const refreshedTokens = {
                 accessToken: response.data.access_token,
                 refreshToken: response.data.refresh_token,
             };
-            await this.accessTokenConfig.embed?.(context, refreshedTokens.accessToken);
+            await this.storeAccessToken(refreshedTokens.accessToken, context);
+            if (refreshedTokens.refreshToken) {
+                await this.storeRefreshToken(refreshedTokens.refreshToken, context);
+            }
+            await this.embedAccessToken(refreshedTokens.accessToken, context);
             if (refreshedTokens.refreshToken) {
-                await this.refreshTokenConfig?.embed?.(context, refreshedTokens.refreshToken);
+                await this.embedRefreshToken(refreshedTokens.refreshToken, context);
             }
             return refreshedTokens;
         }