@soapjs/soap-auth 0.3.1 → 0.3.3

package/build/strategies/oauth2/oauth2.strategy.js

@@ -8,16 +8,28 @@ const axios_1 = __importDefault(require("axios"));
 const errors_1 = require("../../errors");
 const oauth2_tools_1 = require("./oauth2.tools");
 const base_auth_strategy_1 = require("../base-auth.strategy");
+const jwks_service_1 = require("../../services/jwks.service");
+const pkce_service_1 = require("../../services/pkce.service");
+const oauth2_errors_1 = require("./oauth2.errors");
 class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
     config;
     session;
+    jwt;
     logger;
-    constructor(config, session, logger) {
-        super(config, session, logger);
+    jwks;
+    pkce;
+    constructor(config, session, jwt, logger) {
+        super((0, oauth2_tools_1.prepareOAuth2Config)(config), session, logger);
         this.config = config;
         this.session = session;
+        this.jwt = jwt;
         this.logger = logger;
-        this.config.scope = this.config.scope ?? "email";
+        if (config.jwks) {
+            this.jwks = new jwks_service_1.JwtService({ ...config.jwks, audience: config.clientId });
+        }
+        if (config.pkce) {
+            this.pkce = new pkce_service_1.PKCEService(config.pkce);
+        }
     }
     async logout(context) {
         try {
@@ -29,8 +41,11 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
             }
         }
         catch (error) {
-            this.logger?.error("Logout failed:", error);
-            throw new Error("Logout failed.");
+            await this.onFailure("logout", {
+                context,
+                error,
+            });
+            throw error;
         }
     }
     async getCredentialsForPasswordGrant(context) {
@@ -46,90 +61,17 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
                 };
             }
         }
-        throw new Error("Missing credentials for password grant.");
-    }
-    retrieveAccessToken(context) {
-        if (this.config.accessToken?.retrieve) {
-            return this.config.accessToken.retrieve(context);
-        }
-        if (typeof context === "object" && "headers" in context) {
-            const authHeader = context.headers?.authorization;
-            if (authHeader?.startsWith("Bearer ")) {
-                return authHeader.split(" ")[1];
-            }
-        }
-        if (typeof context === "object" && "cookies" in context) {
-            return context.cookies?.access_token;
-        }
-        return undefined;
-    }
-    retrieveRefreshToken(context) {
-        if (this.config.refreshToken?.retrieve) {
-            return this.config.refreshToken.retrieve(context);
-        }
-        if (typeof context === "object" && "cookies" in context) {
-            return context.cookies?.refresh_token;
-        }
-        return undefined;
-    }
-    storeAccessToken(token, context) {
-        if (this.config.accessToken?.persistence?.store) {
-            return this.config.accessToken.persistence.store(token, context, this.config.accessToken.issuer.options.expiresIn);
-        }
-        if (typeof context === "object" && "cookies" in context) {
-            context.cookies.set("access_token", token, { httpOnly: true });
-        }
-    }
-    storeRefreshToken(token, context) {
-        if (this.config.refreshToken?.persistence?.store) {
-            return this.config.refreshToken.persistence.store(token, context, this.config.refreshToken.issuer.options.expiresIn);
-        }
-        if (typeof context === "object" && "cookies" in context) {
-            context.cookies.set("refresh_token", token, { httpOnly: true });
-        }
-    }
-    embedAccessToken(token, context) {
-        if (this.config.accessToken?.embed) {
-            this.config.accessToken.embed(context, token);
-        }
-        else if (typeof context === "object" && "response" in context) {
-            context.response.setHeader("Authorization", `Bearer ${token}`);
-        }
-    }
-    embedRefreshToken(token, context) {
-        if (this.config.refreshToken?.embed) {
-            return this.config.refreshToken.embed(context, token);
-        }
-        else if (typeof context === "object" && "cookies" in context) {
-            context.cookies.set("refresh_token", token, { httpOnly: true });
-        }
-    }
-    async isTokenExpired(token) {
-        try {
-            const parts = token.split(".");
-            if (parts.length !== 3) {
-                this.logger?.warn("Non-JWT token provided, cannot determine expiration.");
-                return false;
-            }
-            const decoded = JSON.parse(Buffer.from(parts[1], "base64").toString());
-            if (!decoded.exp)
-                return false;
-            const currentTime = Math.floor(Date.now() / 1000);
-            return decoded.exp < currentTime;
-        }
-        catch (error) {
-            this.logger?.warn("Failed to decode token:", error);
-            return false;
-        }
+        throw new errors_1.MissingCredentialsError();
     }
     async authenticate(context) {
         try {
             let user;
+            let session;
             let refreshToken;
-            let accessToken = await this.retrieveAccessToken(context);
+            let accessToken = await this.extractAccessToken(context);
             if (!accessToken) {
                 this.logger?.info("No access token found, checking for refresh token.");
-                refreshToken = await this.retrieveRefreshToken(context);
+                refreshToken = await this.extractRefreshToken(context);
                 if (refreshToken) {
                     this.logger?.info("Found refresh token, attempting to refresh access token.");
                     const newTokens = await this.refreshAccessToken(context);
@@ -151,9 +93,9 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
                     }
                 }
             }
-            else if (accessToken && (await this.isTokenExpired(accessToken))) {
+            else if (accessToken && this.isTokenExpired(accessToken)) {
                 this.logger?.info("Access token expired, attempting refresh.");
-                refreshToken = await this.retrieveRefreshToken(context);
+                refreshToken = await this.extractRefreshToken(context);
                 if (!refreshToken) {
                     throw new errors_1.MissingTokenError("Refresh");
                 }
@@ -168,23 +110,29 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
             if (!accessToken) {
                 throw new errors_1.MissingTokenError("Access");
             }
-            user = await this.retrieveUser(accessToken);
+            user = await this.fetchUser(accessToken);
             if (!user) {
                 this.logger?.error("User retrieval failed: No user found for access token.");
                 throw new errors_1.UserNotFoundError();
             }
-            await this.isAuthorized(user);
-            return { user, tokens: { accessToken, refreshToken } };
+            if (this.session) {
+                session = await this.session.issueSession(user, context);
+            }
+            await this.role.isAuthorized(user);
+            return { user: user, tokens: { accessToken, refreshToken }, session };
         }
         catch (error) {
-            this.logger?.error("OAuth2 authentication failed:", error);
-            throw new errors_1.AuthError(error, "OAuth2 authentication failed.");
+            await this.onFailure("authenticate", {
+                context,
+                error,
+            });
+            throw error;
         }
     }
     async processOAuthFlow(context) {
         if (this.config.grantType === "authorization_code") {
             const authorizationCode = this.extractAuthorizationCode(context);
-            this.verifyAuthorizationCode(context, authorizationCode);
+            await this.verifyAuthorizationCode(context, authorizationCode);
             const tokenResult = await this.exchangeCodeForToken(context, authorizationCode);
             return tokenResult;
         }
@@ -197,43 +145,26 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
             this.logger?.info("Using password grant.");
             const credentials = await this.getCredentialsForPasswordGrant(context);
             if (!credentials) {
-                throw new Error("Missing credentials for password grant.");
+                throw new errors_1.MissingCredentialsError();
             }
             const passwordResult = await this.exchangePasswordGrant(credentials.identifier, credentials.password);
             return { accessToken: passwordResult.accessToken };
         }
-        throw new Error(`Unsupported grant type: ${this.config.grantType}`);
+        throw new oauth2_errors_1.UnsupportedGrantTypeError(this.config.grantType);
     }
-    verifyAuthorizationCode(context, code) {
+    async verifyAuthorizationCode(context, code) {
         if (!code) {
             this.logger?.warn("Authorization code missing, redirecting user.");
-            const authUrl = this.buildAuthorizationUrl(context);
+            const authUrl = await this.buildAuthorizationUrl(context);
             this.redirectUser(context, authUrl);
             throw new errors_1.MissingAuthorizationCodeError();
         }
     }
-    extractAuthorizationCode(context) {
-        if (typeof context === "object" && "query" in context) {
-            return context.query.code || null;
-        }
-        return null;
-    }
-    redirectUser(context, authUrl) {
-        if (typeof context === "object" && "response" in context) {
-            context.response.redirect(authUrl);
-        }
-        else {
-            this.logger?.warn("Redirect attempted in unsupported context.");
-        }
-    }
-    buildAuthorizationUrl(context) {
+    async buildAuthorizationUrl(context) {
         let authorizationUrl = `${this.config.endpoints.authorizationUrl}?client_id=${this.config.clientId}&redirect_uri=${encodeURIComponent(this.config.redirectUri)}&response_type=code&scope=${this.config.scope ?? ""}`;
-        if (this.config.pkce) {
-            const codeVerifier = this.config.pkce.generateCodeVerifier
-                ? this.config.pkce.generateCodeVerifier()
-                : oauth2_tools_1.OAuth2Tools.generateCodeVerifier();
-            const codeChallenge = oauth2_tools_1.OAuth2Tools.generateCodeChallenge(codeVerifier);
-            this.config.pkce.storeCodeVerifier?.(context, codeVerifier);
+        if (this.pkce) {
+            const codeVerifier = await this.pkce.generateCodeVerifier(context);
+            const codeChallenge = this.pkce.generateCodeChallenge(codeVerifier, context);
             authorizationUrl += `&code_challenge=${codeChallenge}&code_challenge_method=S256`;
         }
         return authorizationUrl;
@@ -243,46 +174,50 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
             grant_type: "authorization_code",
             client_id: this.config.clientId,
             code,
-            redirect_uri: this.config.redirectUri,
+            redirectUri: this.config.redirectUri,
         };
-        if (this.config.pkce) {
-            const codeVerifier = this.config.pkce.retrieveCodeVerifier?.(context);
+        if (this.pkce) {
+            const codeVerifier = this.pkce.extractCodeVerifier(context);
             if (!codeVerifier) {
-                throw new Error("Missing PKCE code verifier in context.");
+                throw new oauth2_errors_1.MissingCodeVerifierError();
             }
             data.code_verifier = codeVerifier;
         }
         else if (this.config.clientSecret) {
             data.client_secret = this.config.clientSecret;
         }
-        const response = await fetch(this.config.endpoints.tokenUrl, {
-            method: "POST",
+        const response = await axios_1.default.post(this.config.endpoints.tokenUrl, {
             headers: { "Content-Type": "application/x-www-form-urlencoded" },
             body: new URLSearchParams(data).toString(),
         });
-        if (!response.ok) {
-            throw new Error(`Token exchange failed with status: ${response.status}`);
-        }
-        const tokenData = await response.json();
+        const tokenData = await response.data();
         return {
             accessToken: tokenData.access_token,
             refreshToken: tokenData.refresh_token,
+            idToken: tokenData.id_token,
         };
     }
-    handleAuthorizationRedirect(context) {
+    async login(context) {
         try {
-            const authUrl = this.buildAuthorizationUrl(context);
+            const state = await oauth2_tools_1.OAuth2Tools.generateState(this.config);
+            const nonce = await oauth2_tools_1.OAuth2Tools.generateNonce(this.config);
+            await this.config.state?.persistence?.store?.(state);
+            await this.config.nonce?.persistence?.store?.(nonce);
+            const authUrl = await this.buildAuthorizationUrl(context);
             this.redirectUser(context, authUrl);
         }
         catch (error) {
-            this.logger?.error("Authorization redirect failed:", error);
-            throw new errors_1.AuthError(error, "Authorization redirect failed.");
+            await this.onFailure("login", {
+                context,
+                error,
+            });
+            throw error;
         }
     }
-    async retrieveUser(accessToken) {
+    async fetchUser(accessToken) {
         try {
             if (!this.config.endpoints.userInfoUrl) {
-                throw new Error("User info endpoint not configured.");
+                throw new errors_1.MissingConfigError("userInfoUrl");
             }
             const response = await axios_1.default.get(this.config.endpoints.userInfoUrl, {
                 headers: { Authorization: `Bearer ${accessToken}` },
@@ -304,7 +239,7 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
     }
     async exchangePasswordGrant(username, password) {
         if (!username || !password) {
-            throw new Error("Missing credentials for password grant.");
+            throw new errors_1.MissingCredentialsError();
         }
         const response = await axios_1.default.post(this.config.endpoints.tokenUrl, {
             grant_type: "password",
@@ -317,7 +252,7 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
     }
     async refreshAccessToken(context) {
         try {
-            const refreshToken = await this.retrieveRefreshToken(context);
+            const refreshToken = await this.extractRefreshToken(context);
             if (!refreshToken) {
                 throw new errors_1.MissingTokenError("Refresh");
             }
@@ -327,31 +262,65 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
                 client_secret: this.config.clientSecret,
                 refresh_token: refreshToken,
             });
+            if (response.data.error) {
+                this.logger?.warn(`OAuth2 error: ${response.data.error_description || response.data.error}`);
+            }
             if (response.status !== 200 || !response.data.access_token) {
                 throw new Error("Failed to refresh token");
             }
             const refreshedTokens = {
                 accessToken: response.data.access_token,
                 refreshToken: response.data.refresh_token,
+                idToken: response.data.id_token,
             };
             await this.storeAccessToken(refreshedTokens.accessToken, context);
-            if (refreshedTokens.refreshToken) {
-                await this.storeRefreshToken(refreshedTokens.refreshToken, context);
-            }
             await this.embedAccessToken(refreshedTokens.accessToken, context);
             if (refreshedTokens.refreshToken) {
+                await this.storeRefreshToken(refreshedTokens.refreshToken, context);
                 await this.embedRefreshToken(refreshedTokens.refreshToken, context);
             }
             return refreshedTokens;
         }
         catch (error) {
-            this.logger?.error("Token refresh failed:", error);
-            throw new errors_1.AuthError(error, "Token refresh failed.");
+            await this.handleTokenRefreshFailure(context);
+            await this.onFailure("refresh_access_token", {
+                error,
+            });
+            throw error;
+        }
+    }
+    async handleTokenRefreshFailure(context) {
+        try {
+            if (this.config.refreshToken) {
+                await this.storeRefreshToken("", context);
+            }
+            if (this.config.autoLogoutOnRefreshFailure) {
+                await this.logout(context);
+            }
+        }
+        catch (e) {
+            this.logger?.error(e);
+        }
+    }
+    async verifyIdToken(idToken) {
+        const storedNonce = await this.config?.nonce?.persistence?.read?.();
+        if (storedNonce) {
+            const decodedToken = await this.jwks.verify(idToken);
+            if (decodedToken.nonce) {
+                if ((await oauth2_tools_1.OAuth2Tools.validateNonce(storedNonce, decodedToken.nonce, this.config.nonce)) === false) {
+                    throw new oauth2_errors_1.InvalidNonceError("Invalid nonce value");
+                }
+            }
+            if (decodedToken) {
+                return this.config.user?.validateUser?.(decodedToken);
+            }
         }
+        return null;
     }
     async revokeToken(token) {
-        if (!this.config.endpoints.revocationUrl)
-            return;
+        if (!this.config.endpoints?.revocationUrl) {
+            throw new errors_1.MissingConfigError("revocationUrl");
+        }
         try {
             await axios_1.default.post(this.config.endpoints.revocationUrl, {
                 token,
@@ -361,7 +330,28 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
             this.logger?.info("Token revoked successfully.");
         }
         catch (error) {
-            this.logger?.error("Failed to revoke token:", error);
+            await this.onFailure("revoke_token", {
+                error,
+            });
+            throw error;
+        }
+    }
+    isTokenExpired(token) {
+        try {
+            const parts = token.split(".");
+            if (parts.length !== 3) {
+                this.logger?.warn("Non-JWT token provided, cannot determine expiration.");
+                return false;
+            }
+            const decoded = JSON.parse(Buffer.from(parts[1], "base64").toString());
+            if (!decoded.exp)
+                return false;
+            const currentTime = Math.floor(Date.now() / 1000);
+            return decoded.exp < currentTime;
+        }
+        catch (error) {
+            this.logger?.warn("Failed to decode token:", error);
+            return false;
         }
     }
 }

package/build/strategies/oauth2/oauth2.tools.d.ts

@@ -1,4 +1,9 @@
+import { OAuth2NonceConfig, OAuth2StrategyConfig } from "./oauth2.types";
 export declare class OAuth2Tools {
-    static generateCodeVerifier(): string;
-    static generateCodeChallenge(codeVerifier: string): string;
+    static generateState(config: OAuth2StrategyConfig): Promise<string>;
+    static generateNonce(config: OAuth2StrategyConfig): Promise<string>;
+    static validateNonce(expectedNonce: string, nonce: string, config: OAuth2NonceConfig): Promise<boolean>;
+    static extractState<TContext>(context: TContext): string | null;
+    static extractNonce(idToken: string): string | null;
 }
+export declare const prepareOAuth2Config: <TContext = any, TUser = any>(config: Partial<OAuth2StrategyConfig<TContext, TUser>>) => OAuth2StrategyConfig<TContext, TUser>;

package/build/strategies/oauth2/oauth2.tools.js

@@ -1,22 +1,127 @@
 "use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.OAuth2Tools = void 0;
-const crypto_1 = __importDefault(require("crypto"));
+exports.prepareOAuth2Config = exports.OAuth2Tools = void 0;
+const Soap = __importStar(require("@soapjs/soap"));
+const tools_1 = require("../../tools");
 class OAuth2Tools {
-    static generateCodeVerifier() {
-        return crypto_1.default.randomBytes(32).toString("hex");
+    static async generateState(config) {
+        return (await config.state?.generateState?.()) || (0, tools_1.generateRandomString)();
+    }
+    static async generateNonce(config) {
+        return (await config.nonce?.generateNonce?.()) || (0, tools_1.generateRandomString)();
+    }
+    static async validateNonce(expectedNonce, nonce, config) {
+        if (config.validateNonce) {
+            return config.validateNonce(expectedNonce, nonce);
+        }
+        return expectedNonce === nonce;
     }
-    static generateCodeChallenge(codeVerifier) {
-        return crypto_1.default
-            .createHash("sha256")
-            .update(codeVerifier)
-            .digest("base64")
-            .replace(/\+/g, "-")
-            .replace(/\//g, "_")
-            .replace(/=+$/, "");
+    static extractState(context) {
+        return context.query?.state || null;
+    }
+    static extractNonce(idToken) {
+        const decoded = JSON.parse(Buffer.from(idToken.split(".")[1], "base64").toString());
+        return decoded.nonce || null;
     }
 }
 exports.OAuth2Tools = OAuth2Tools;
+const prepareOAuth2Config = (config) => {
+    return Soap.removeUndefinedProperties({
+        ...config,
+        grantType: config.grantType ?? "authorization_code",
+        responseType: config.responseType ?? "code",
+        scope: config.scope ?? "openid profile email",
+        autoLogoutOnRefreshFailure: config.autoLogoutOnRefreshFailure ?? false,
+        routes: {
+            login: {
+                path: "/auth/oauth2/login",
+                method: "GET",
+                ...config.routes.login,
+            },
+            callback: {
+                path: "/auth/oauth2/callback",
+                method: "GET",
+                ...config.routes.callback,
+            },
+            logout: config.routes?.logout
+                ? {
+                    path: "/auth/oauth2/logout",
+                    method: "POST",
+                    ...config.routes.logout,
+                }
+                : undefined,
+            refresh: config.routes?.refresh
+                ? {
+                    path: "/auth/oauth2/refresh",
+                    method: "POST",
+                    ...config.routes.refresh,
+                }
+                : undefined,
+            revoke: config.routes?.revoke
+                ? {
+                    path: "/auth/oauth2/revoke",
+                    method: "POST",
+                    ...config.routes.revoke,
+                }
+                : undefined,
+            ...config.routes,
+        },
+        pkce: config.pkce
+            ? {
+                challenge: {
+                    expiresIn: 300,
+                    ...config.pkce.challenge,
+                },
+                verifier: {
+                    expiresIn: 300,
+                    ...config.pkce.verifier,
+                },
+                ...config.pkce,
+            }
+            : undefined,
+        state: config.state
+            ? {
+                generateState: () => Math.random().toString(36).substring(2, 15),
+                validateState: (storedState, returnedState) => storedState === returnedState,
+                ...config.state,
+            }
+            : undefined,
+        nonce: config.nonce
+            ? {
+                generateNonce: () => Math.random().toString(36).substring(2, 15),
+                validateNonce: (storedNonce, returnedNonce) => storedNonce === returnedNonce,
+                ...config.nonce,
+            }
+            : undefined,
+        jwks: config.jwks
+            ? {
+                algorithms: ["RS256"],
+                ...config.jwks,
+            }
+            : undefined,
+    });
+};
+exports.prepareOAuth2Config = prepareOAuth2Config;

package/build/strategies/oauth2/oauth2.types.d.ts

@@ -1,4 +1,5 @@
-import { CredentailsConfig, PKCEConfig, TokenAuthStrategyConfig } from "../../types";
+import { Algorithm } from "jsonwebtoken";
+import { CredentailsConfig, PKCEConfig, AuthRouteConfig, TokenAuthStrategyConfig, PersistenceConfig, ContextOperationConfig } from "../../types";
 export interface OAuth2Endpoints {
     authorizationUrl: string;
     tokenUrl: string;
@@ -7,7 +8,26 @@ export interface OAuth2Endpoints {
     revocationUrl?: string;
     logoutUrl?: string;
 }
+export interface OAuth2StateConfig<TContext = unknown, TData = any> {
+    persistence?: PersistenceConfig;
+    context?: ContextOperationConfig<TContext, TData>;
+    generateState?: () => string | Promise<string>;
+    validateState?: (storedState: TContext, returnedState: string) => boolean | Promise<boolean>;
+}
+export interface OAuth2NonceConfig<TContext = unknown, TData = any> {
+    persistence?: PersistenceConfig;
+    context?: ContextOperationConfig<TContext, TData>;
+    generateNonce?: () => string | Promise<string>;
+    validateNonce?: (storedNonce: string | null, returnedNonce: string) => boolean | Promise<boolean>;
+}
+export type JwksConfig = {
+    jwksUri: string;
+    issuer: string;
+    algorithms?: Algorithm[];
+    audience?: string;
+};
 export interface OAuth2StrategyConfig<TContext = unknown, TUser = unknown> extends TokenAuthStrategyConfig<TContext, TUser> {
+    autoLogoutOnRefreshFailure?: boolean;
     clientId: string;
     clientSecret: string;
     redirectUri: string;
@@ -18,4 +38,15 @@ export interface OAuth2StrategyConfig<TContext = unknown, TUser = unknown> exten
     endpoints: OAuth2Endpoints;
     credentials?: CredentailsConfig<TContext>;
     pkce?: PKCEConfig<TContext>;
+    routes: {
+        login: AuthRouteConfig;
+        callback: AuthRouteConfig;
+        logout?: AuthRouteConfig;
+        refresh?: AuthRouteConfig;
+        revoke?: AuthRouteConfig;
+        [key: string]: AuthRouteConfig;
+    };
+    state?: OAuth2StateConfig<TContext>;
+    nonce?: OAuth2NonceConfig;
+    jwks?: JwksConfig;
 }

package/build/strategies/token-auth.strategy.d.ts

@@ -7,19 +7,25 @@ export declare abstract class TokenAuthStrategy<TContext = unknown, TUser = unkn
     protected session?: SessionHandler;
     protected logger?: Soap.Logger;
     constructor(config: TokenAuthStrategyConfig<TContext, TUser>, session?: SessionHandler, logger?: Soap.Logger);
-    protected abstract retrieveAccessToken(context: TContext): Promise<string | undefined>;
-    protected abstract retrieveRefreshToken(context: TContext): Promise<string | undefined>;
+    protected abstract extractAccessToken(context: TContext): string | undefined;
+    protected abstract extractRefreshToken(context: TContext): string | undefined;
     protected abstract verifyAccessToken(token: string): Promise<any>;
     protected abstract verifyRefreshToken(token: string): Promise<any>;
-    protected abstract generateAccessToken(payload: any): Promise<string>;
-    protected abstract generateRefreshToken(payload: any): Promise<string>;
-    protected abstract storeAccessToken(token: string, context: TContext): Promise<void>;
-    protected abstract storeRefreshToken(token: string, context: TContext): Promise<void>;
+    protected abstract generateAccessToken(data: TUser, context: TContext): Promise<string>;
+    protected abstract generateRefreshToken(data: TUser, context: TContext): Promise<string>;
+    protected abstract storeAccessToken(token: string): Promise<void>;
+    protected abstract storeRefreshToken(token: string): Promise<void>;
+    protected abstract invalidateAccessToken(token: string, context?: TContext): Promise<void>;
+    protected abstract invalidateRefreshToken(token: string, context?: TContext): Promise<void>;
     protected abstract embedAccessToken(token: string, context: TContext): void;
     protected abstract embedRefreshToken(token: string, context: TContext): void;
+    protected fetchUser(payload: unknown): Promise<TUser | null>;
     authenticate(context: TContext): Promise<AuthResult<TUser>>;
-    rotateTokens(context: TContext): Promise<{
+    private verifyAndFetchUser;
+    refreshTokens(context: TContext, existingUser?: TUser): Promise<AuthResult<TUser>>;
+    issueTokens(user: TUser, context: TContext, rotate?: boolean): Promise<{
         accessToken: string;
-        refreshToken?: string;
+        refreshToken: any;
     }>;
+    protected rotateToken(refreshToken: string, user: TUser, context: TContext): Promise<any>;
 }