@soapjs/soap-auth 0.3.3 → 0.4.0

package/build/strategies/oauth2/__tests__/oauth2.strategy.test.js

@@ -0,0 +1,239 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const oauth2_strategy_1 = require("../oauth2.strategy");
+const oauth2_errors_1 = require("../oauth2.errors");
+const errors_1 = require("../../../errors");
+const mockFetch = jest.fn();
+global.fetch = mockFetch;
+function mockFetchOk(body) {
+    mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        statusText: "OK",
+        json: async () => body,
+    });
+}
+function mockFetchFail(status = 400) {
+    mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status,
+        statusText: "Bad Request",
+        json: async () => ({}),
+    });
+}
+class TestOAuth2Strategy extends oauth2_strategy_1.OAuth2Strategy {
+    name = "test-oauth2";
+    async extractAccessToken(ctx) {
+        return ctx.tokens.access;
+    }
+    async extractRefreshToken(ctx) {
+        return ctx.tokens.refresh;
+    }
+    async storeAccessToken(token, ctx) {
+        ctx.tokens.access = token;
+    }
+    async storeRefreshToken(token, ctx) {
+        ctx.tokens.refresh = token;
+    }
+    embedAccessToken(token, ctx) {
+        ctx.tokens.access = token;
+    }
+    embedRefreshToken(token, ctx) {
+        ctx.tokens.refresh = token;
+    }
+    extractAuthorizationCode(ctx) {
+        return ctx.query.code ?? null;
+    }
+    redirectUser(ctx, url) {
+        ctx.redirectTo = url;
+    }
+}
+const baseConfig = {
+    clientId: "client-id",
+    clientSecret: "client-secret",
+    redirectUri: "https://example.com/callback",
+    grantType: "authorization_code",
+    scope: ["openid", "email"],
+    endpoints: {
+        authorizationUrl: "https://provider.example/auth",
+        tokenUrl: "https://provider.example/token",
+        userInfoUrl: "https://provider.example/userinfo",
+    },
+    routes: {
+        login: { path: "/login", method: "GET" },
+        callback: { path: "/callback", method: "GET" },
+    },
+    user: {
+        fetchUser: jest.fn(),
+        validateUser: jest.fn(async (p) => ({ id: p.sub ?? p.id, email: p.email })),
+    },
+};
+function makeCtx(overrides = {}) {
+    return { tokens: {}, query: {}, ...overrides };
+}
+describe("OAuth2Strategy — state / CSRF", () => {
+    afterEach(() => jest.clearAllMocks());
+    it("validateState passes when stored === returned state", async () => {
+        let stored = "csrf-abc";
+        const config = {
+            ...baseConfig,
+            state: {
+                persistence: {
+                    store: jest.fn(async (s) => { stored = s; }),
+                    read: jest.fn(async () => stored),
+                    remove: jest.fn(async () => { stored = null; }),
+                },
+            },
+        };
+        const strategy = new TestOAuth2Strategy(config);
+        const ctx = makeCtx({ query: { code: "auth-code", state: "csrf-abc" } });
+        await expect(strategy.validateState(ctx)).resolves.toBeUndefined();
+        expect(config.state.persistence.remove).toHaveBeenCalled();
+    });
+    it("validateState throws InvalidStateError on mismatch", async () => {
+        const config = {
+            ...baseConfig,
+            state: {
+                persistence: {
+                    read: jest.fn(async () => "stored-state"),
+                    remove: jest.fn(),
+                },
+            },
+        };
+        const strategy = new TestOAuth2Strategy(config);
+        const ctx = makeCtx({ query: { state: "wrong-state" } });
+        await expect(strategy.validateState(ctx)).rejects.toThrow(oauth2_errors_1.InvalidStateError);
+    });
+    it("validateState is a no-op when config.state is absent", async () => {
+        const strategy = new TestOAuth2Strategy({ ...baseConfig, state: undefined });
+        await expect(strategy.validateState(makeCtx())).resolves.toBeUndefined();
+    });
+    it("startAuthorizationFlow generates state, stores it, and redirects", async () => {
+        const stored = [];
+        const config = {
+            ...baseConfig,
+            state: {
+                generateState: jest.fn(async () => "gen-state"),
+                persistence: {
+                    store: jest.fn(async (s) => stored.push(s)),
+                },
+            },
+        };
+        const strategy = new TestOAuth2Strategy(config);
+        const ctx = makeCtx();
+        await strategy.startAuthorizationFlow(ctx);
+        expect(stored).toContain("gen-state");
+        expect(ctx.redirectTo).toContain("https://provider.example/auth");
+        expect(ctx.redirectTo).toContain("state=gen-state");
+    });
+});
+describe("OAuth2Strategy — buildAuthorizationUrl", () => {
+    afterEach(() => jest.clearAllMocks());
+    it("includes client_id, redirect_uri, response_type, scope", async () => {
+        const strategy = new TestOAuth2Strategy(baseConfig);
+        const url = await strategy.buildAuthorizationUrl(makeCtx());
+        expect(url).toContain("client_id=client-id");
+        expect(url).toContain("redirect_uri=");
+        expect(url).toContain("response_type=code");
+        expect(url).toContain("scope=openid+email");
+    });
+    it("embeds state when provided", async () => {
+        const strategy = new TestOAuth2Strategy(baseConfig);
+        const url = await strategy.buildAuthorizationUrl(makeCtx(), "my-state");
+        expect(url).toContain("state=my-state");
+    });
+    it("embeds nonce when provided", async () => {
+        const strategy = new TestOAuth2Strategy(baseConfig);
+        const url = await strategy.buildAuthorizationUrl(makeCtx(), undefined, "my-nonce");
+        expect(url).toContain("nonce=my-nonce");
+    });
+});
+describe("OAuth2Strategy — verifyAuthorizationCode", () => {
+    afterEach(() => jest.clearAllMocks());
+    it("does nothing when code is present", async () => {
+        const strategy = new TestOAuth2Strategy(baseConfig);
+        const ctx = makeCtx();
+        await expect(strategy.verifyAuthorizationCode(ctx, "valid-code")).resolves.toBeUndefined();
+    });
+    it("redirects and throws MissingAuthorizationCodeError when code is absent", async () => {
+        const strategy = new TestOAuth2Strategy(baseConfig);
+        const ctx = makeCtx();
+        await expect(strategy.verifyAuthorizationCode(ctx, null)).rejects.toThrow(errors_1.MissingAuthorizationCodeError);
+        expect(ctx.redirectTo).toBeDefined();
+    });
+});
+describe("OAuth2Strategy — exchangeCodeForToken", () => {
+    afterEach(() => jest.clearAllMocks());
+    it("sends correct POST body and returns tokens", async () => {
+        mockFetchOk({ access_token: "at-123", refresh_token: "rt-456" });
+        const strategy = new TestOAuth2Strategy(baseConfig);
+        const result = await strategy.exchangeCodeForToken(makeCtx(), "auth-code");
+        expect(result.accessToken).toBe("at-123");
+        expect(result.refreshToken).toBe("rt-456");
+        expect(mockFetch).toHaveBeenCalledWith("https://provider.example/token", expect.objectContaining({ method: "POST" }));
+    });
+    it("throws when token endpoint returns non-ok status", async () => {
+        mockFetchFail(401);
+        const strategy = new TestOAuth2Strategy(baseConfig);
+        await expect(strategy.exchangeCodeForToken(makeCtx(), "bad-code")).rejects.toThrow();
+    });
+});
+describe("OAuth2Strategy — isTokenExpired", () => {
+    afterEach(() => jest.clearAllMocks());
+    it("returns false for non-JWT tokens", () => {
+        const strategy = new TestOAuth2Strategy(baseConfig);
+        expect(strategy.isTokenExpired("opaque-token")).toBe(false);
+    });
+    it("returns true for an expired JWT", () => {
+        const strategy = new TestOAuth2Strategy(baseConfig);
+        const pastExp = Math.floor(Date.now() / 1000) - 3600;
+        const payload = Buffer.from(JSON.stringify({ exp: pastExp })).toString("base64");
+        const jwt = `header.${payload}.sig`;
+        expect(strategy.isTokenExpired(jwt)).toBe(true);
+    });
+    it("returns false for a non-expired JWT", () => {
+        const strategy = new TestOAuth2Strategy(baseConfig);
+        const futureExp = Math.floor(Date.now() / 1000) + 3600;
+        const payload = Buffer.from(JSON.stringify({ exp: futureExp })).toString("base64");
+        const jwt = `header.${payload}.sig`;
+        expect(strategy.isTokenExpired(jwt)).toBe(false);
+    });
+    it("returns false when JWT payload has no exp", () => {
+        const strategy = new TestOAuth2Strategy(baseConfig);
+        const payload = Buffer.from(JSON.stringify({ sub: "user" })).toString("base64");
+        const jwt = `header.${payload}.sig`;
+        expect(strategy.isTokenExpired(jwt)).toBe(false);
+    });
+});
+describe("OAuth2Strategy — authenticate", () => {
+    afterEach(() => jest.clearAllMocks());
+    it("exchanges code and returns AuthResult when no token in context", async () => {
+        let stored = "state-xyz";
+        const config = {
+            ...baseConfig,
+            state: {
+                persistence: {
+                    read: jest.fn(async () => stored),
+                    remove: jest.fn(async () => { stored = null; }),
+                },
+            },
+        };
+        const strategy = new TestOAuth2Strategy(config);
+        mockFetchOk({ access_token: "at-new", refresh_token: "rt-new" });
+        mockFetchOk({ sub: "u1", email: "user@example.com" });
+        const ctx = makeCtx({ query: { code: "auth-code", state: "state-xyz" } });
+        const result = await strategy.authenticate(ctx);
+        expect(result?.user).toMatchObject({ id: "u1", email: "user@example.com" });
+        expect(result?.tokens?.accessToken).toBe("at-new");
+    });
+    it("fetches user when valid access token already in context", async () => {
+        const strategy = new TestOAuth2Strategy(baseConfig);
+        const futureExp = Math.floor(Date.now() / 1000) + 3600;
+        const payload = Buffer.from(JSON.stringify({ exp: futureExp })).toString("base64");
+        const validJwt = `h.${payload}.s`;
+        mockFetchOk({ sub: "u2", email: "other@example.com" });
+        const ctx = makeCtx({ tokens: { access: validJwt } });
+        const result = await strategy.authenticate(ctx);
+        expect(result?.user).toMatchObject({ id: "u2" });
+    });
+});

package/build/strategies/oauth2/hybrid.oauth2.strategy.d.ts

@@ -1,5 +1,5 @@
-import { AuthResult } from "../../types";
+import * as Soap from "@soapjs/soap";
 import { OAuth2Strategy } from "./oauth2.strategy";
-export declare abstract class HybridOAuth2Strategy<TContext = unknown, TUser = unknown> extends OAuth2Strategy<TContext, TUser> {
-    authenticate(context: TContext): Promise<AuthResult<TUser>>;
+export declare abstract class HybridOAuth2Strategy<TContext = Soap.HttpContext, TUser extends Soap.AuthUser = Soap.AuthUser> extends OAuth2Strategy<TContext, TUser> {
+    authenticate(context: TContext): Promise<Soap.AuthResult<TUser> | null>;
 }

package/build/strategies/oauth2/hybrid.oauth2.strategy.js

@@ -3,8 +3,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.HybridOAuth2Strategy = void 0;
 const errors_1 = require("../../errors");
 const oauth2_strategy_1 = require("./oauth2.strategy");
-const oauth2_errors_1 = require("./oauth2.errors");
-const oauth2_tools_1 = require("./oauth2.tools");
 class HybridOAuth2Strategy extends oauth2_strategy_1.OAuth2Strategy {
     async authenticate(context) {
         try {
@@ -54,10 +52,7 @@ class HybridOAuth2Strategy extends oauth2_strategy_1.OAuth2Strategy {
                     this.login(context);
                     throw new errors_1.MissingAuthorizationCodeError();
                 }
-                const returnedState = oauth2_tools_1.OAuth2Tools.extractState(context);
-                if (!(await this.config.state?.validateState(context, returnedState))) {
-                    throw new oauth2_errors_1.InvalidStateError();
-                }
+                await this.validateState(context);
                 const exchangedTokens = await this.exchangeCodeForToken(context, code);
                 accessToken = exchangedTokens.accessToken;
                 refreshToken = exchangedTokens.refreshToken;

package/build/strategies/oauth2/oauth2.errors.d.ts

@@ -1,6 +1,7 @@
 export declare class InvalidNonceError extends Error {
 }
 export declare class InvalidStateError extends Error {
+    constructor(message?: string);
 }
 export declare class InvalidIdTokenError extends Error {
 }

package/build/strategies/oauth2/oauth2.errors.js

@@ -5,6 +5,10 @@ class InvalidNonceError extends Error {
 }
 exports.InvalidNonceError = InvalidNonceError;
 class InvalidStateError extends Error {
+    constructor(message = "OAuth2 state mismatch (possible CSRF).") {
+        super(message);
+        this.name = "InvalidStateError";
+    }
 }
 exports.InvalidStateError = InvalidStateError;
 class InvalidIdTokenError extends Error {

package/build/strategies/oauth2/oauth2.strategy.d.ts

@@ -1,16 +1,16 @@
 import * as Soap from "@soapjs/soap";
-import { AuthResult } from "../../types";
 import { OAuth2StrategyConfig } from "./oauth2.types";
 import { SessionHandler } from "../../session/session-handler";
 import { BaseAuthStrategy } from "../base-auth.strategy";
 import { JwtStrategy } from "../jwt/jwt.strategy";
 import { JwtService } from "../../services/jwks.service";
 import { PKCEService } from "../../services/pkce.service";
-export declare abstract class OAuth2Strategy<TContext = unknown, TUser = unknown> extends BaseAuthStrategy<TContext, TUser> {
+export declare abstract class OAuth2Strategy<TContext = Soap.HttpContext, TUser extends Soap.AuthUser = Soap.AuthUser> extends BaseAuthStrategy<TContext, TUser> {
     protected config: OAuth2StrategyConfig<TContext, TUser>;
     protected session?: SessionHandler;
     protected jwt?: JwtStrategy<TContext, TUser>;
     protected logger?: Soap.Logger;
+    abstract readonly name: string;
     protected jwks: JwtService;
     protected pkce: PKCEService<TContext>;
     protected abstract extractAccessToken(context: TContext): Promise<string | undefined>;
@@ -27,13 +27,15 @@ export declare abstract class OAuth2Strategy<TContext = unknown, TUser = unknown
         identifier: string;
         password: string;
     }>;
-    authenticate(context: TContext): Promise<AuthResult<TUser>>;
+    authenticate(context: TContext): Promise<Soap.AuthResult<TUser> | null>;
     protected processOAuthFlow(context: TContext): Promise<{
         accessToken: string;
         refreshToken?: string;
     }>;
     protected verifyAuthorizationCode(context: TContext, code: string): Promise<void>;
-    protected buildAuthorizationUrl(context: TContext): Promise<string>;
+    protected startAuthorizationFlow(context: TContext): Promise<void>;
+    protected validateState(context: TContext): Promise<void>;
+    protected buildAuthorizationUrl(context: TContext, state?: string, nonce?: string): Promise<string>;
     protected exchangeCodeForToken(context: TContext, code: string): Promise<{
         accessToken: string;
         idToken?: string;

package/build/strategies/oauth2/oauth2.strategy.js

@@ -1,10 +1,6 @@
 "use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OAuth2Strategy = void 0;
-const axios_1 = __importDefault(require("axios"));
 const errors_1 = require("../../errors");
 const oauth2_tools_1 = require("./oauth2.tools");
 const base_auth_strategy_1 = require("../base-auth.strategy");
@@ -118,7 +114,7 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
             if (this.session) {
                 session = await this.session.issueSession(user, context);
             }
-            await this.role.isAuthorized(user);
+            await this.role?.isAuthorized(user);
             return { user: user, tokens: { accessToken, refreshToken }, session };
         }
         catch (error) {
@@ -133,6 +129,7 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
         if (this.config.grantType === "authorization_code") {
             const authorizationCode = this.extractAuthorizationCode(context);
             await this.verifyAuthorizationCode(context, authorizationCode);
+            await this.validateState(context);
             const tokenResult = await this.exchangeCodeForToken(context, authorizationCode);
             return tokenResult;
         }
@@ -155,13 +152,54 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
     async verifyAuthorizationCode(context, code) {
         if (!code) {
             this.logger?.warn("Authorization code missing, redirecting user.");
-            const authUrl = await this.buildAuthorizationUrl(context);
-            this.redirectUser(context, authUrl);
+            await this.startAuthorizationFlow(context);
             throw new errors_1.MissingAuthorizationCodeError();
         }
     }
-    async buildAuthorizationUrl(context) {
-        let authorizationUrl = `${this.config.endpoints.authorizationUrl}?client_id=${this.config.clientId}&redirect_uri=${encodeURIComponent(this.config.redirectUri)}&response_type=code&scope=${this.config.scope ?? ""}`;
+    async startAuthorizationFlow(context) {
+        let state;
+        let nonce;
+        if (this.config.state) {
+            state = await oauth2_tools_1.OAuth2Tools.generateState(this.config);
+            await this.config.state.persistence?.store?.(state);
+        }
+        if (this.config.nonce) {
+            nonce = await oauth2_tools_1.OAuth2Tools.generateNonce(this.config);
+            await this.config.nonce.persistence?.store?.(nonce);
+        }
+        const authUrl = await this.buildAuthorizationUrl(context, state, nonce);
+        this.redirectUser(context, authUrl);
+    }
+    async validateState(context) {
+        if (!this.config.state) {
+            return;
+        }
+        const returnedState = oauth2_tools_1.OAuth2Tools.extractState(context);
+        const storedState = (await this.config.state.persistence?.read?.());
+        const valid = this.config.state.validateState
+            ? await this.config.state.validateState(storedState, returnedState)
+            : !!storedState && storedState === returnedState;
+        if (!valid) {
+            throw new oauth2_errors_1.InvalidStateError();
+        }
+        await this.config.state.persistence?.remove?.();
+    }
+    async buildAuthorizationUrl(context, state, nonce) {
+        const params = new URLSearchParams({
+            client_id: this.config.clientId,
+            redirect_uri: this.config.redirectUri,
+            response_type: "code",
+            scope: Array.isArray(this.config.scope)
+                ? this.config.scope.join(" ")
+                : this.config.scope ?? "",
+        });
+        if (state) {
+            params.set("state", state);
+        }
+        if (nonce) {
+            params.set("nonce", nonce);
+        }
+        let authorizationUrl = `${this.config.endpoints.authorizationUrl}?${params.toString()}`;
         if (this.pkce) {
             const codeVerifier = await this.pkce.generateCodeVerifier(context);
             const codeChallenge = this.pkce.generateCodeChallenge(codeVerifier, context);
@@ -186,11 +224,15 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
         else if (this.config.clientSecret) {
             data.client_secret = this.config.clientSecret;
         }
-        const response = await axios_1.default.post(this.config.endpoints.tokenUrl, {
+        const response = await fetch(this.config.endpoints.tokenUrl, {
+            method: "POST",
             headers: { "Content-Type": "application/x-www-form-urlencoded" },
             body: new URLSearchParams(data).toString(),
         });
-        const tokenData = await response.data();
+        if (!response.ok) {
+            throw new Error(`Token exchange failed: ${response.status} ${response.statusText}`);
+        }
+        const tokenData = await response.json();
         return {
             accessToken: tokenData.access_token,
             refreshToken: tokenData.refresh_token,
@@ -199,12 +241,7 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
     }
     async login(context) {
         try {
-            const state = await oauth2_tools_1.OAuth2Tools.generateState(this.config);
-            const nonce = await oauth2_tools_1.OAuth2Tools.generateNonce(this.config);
-            await this.config.state?.persistence?.store?.(state);
-            await this.config.nonce?.persistence?.store?.(nonce);
-            const authUrl = await this.buildAuthorizationUrl(context);
-            this.redirectUser(context, authUrl);
+            await this.startAuthorizationFlow(context);
         }
         catch (error) {
             await this.onFailure("login", {
@@ -219,10 +256,13 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
             if (!this.config.endpoints.userInfoUrl) {
                 throw new errors_1.MissingConfigError("userInfoUrl");
             }
-            const response = await axios_1.default.get(this.config.endpoints.userInfoUrl, {
+            const response = await fetch(this.config.endpoints.userInfoUrl, {
                 headers: { Authorization: `Bearer ${accessToken}` },
             });
-            return (await this.config.user.validateUser(response.data)) || null;
+            if (!response.ok) {
+                throw new Error(`User info request failed: ${response.status}`);
+            }
+            return (await this.config.user.validateUser(await response.json())) || null;
         }
         catch (error) {
             this.logger?.error("Failed to fetch user information:", error);
@@ -230,25 +270,41 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
         }
     }
     async exchangeClientCredentials() {
-        const response = await axios_1.default.post(this.config.endpoints.tokenUrl, {
-            grant_type: "client_credentials",
-            client_id: this.config.clientId,
-            client_secret: this.config.clientSecret,
+        const response = await fetch(this.config.endpoints.tokenUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({
+                grant_type: "client_credentials",
+                client_id: this.config.clientId,
+                client_secret: this.config.clientSecret,
+            }).toString(),
         });
-        return { accessToken: response.data.access_token };
+        if (!response.ok) {
+            throw new Error(`Client credentials exchange failed: ${response.status}`);
+        }
+        const data = await response.json();
+        return { accessToken: data.access_token };
     }
     async exchangePasswordGrant(username, password) {
         if (!username || !password) {
             throw new errors_1.MissingCredentialsError();
         }
-        const response = await axios_1.default.post(this.config.endpoints.tokenUrl, {
-            grant_type: "password",
-            client_id: this.config.clientId,
-            client_secret: this.config.clientSecret,
-            username,
-            password,
+        const response = await fetch(this.config.endpoints.tokenUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({
+                grant_type: "password",
+                client_id: this.config.clientId,
+                client_secret: this.config.clientSecret,
+                username,
+                password,
+            }).toString(),
         });
-        return { accessToken: response.data.access_token };
+        if (!response.ok) {
+            throw new Error(`Password grant failed: ${response.status}`);
+        }
+        const data = await response.json();
+        return { accessToken: data.access_token };
     }
     async refreshAccessToken(context) {
         try {
@@ -256,22 +312,27 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
             if (!refreshToken) {
                 throw new errors_1.MissingTokenError("Refresh");
             }
-            const response = await axios_1.default.post(this.config.endpoints.tokenUrl, {
-                grant_type: "refresh_token",
-                client_id: this.config.clientId,
-                client_secret: this.config.clientSecret,
-                refresh_token: refreshToken,
+            const response = await fetch(this.config.endpoints.tokenUrl, {
+                method: "POST",
+                headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                body: new URLSearchParams({
+                    grant_type: "refresh_token",
+                    client_id: this.config.clientId,
+                    client_secret: this.config.clientSecret,
+                    refresh_token: refreshToken,
+                }).toString(),
             });
-            if (response.data.error) {
-                this.logger?.warn(`OAuth2 error: ${response.data.error_description || response.data.error}`);
+            const responseData = await response.json();
+            if (responseData.error) {
+                this.logger?.warn(`OAuth2 error: ${responseData.error_description || responseData.error}`);
             }
-            if (response.status !== 200 || !response.data.access_token) {
+            if (!response.ok || !responseData.access_token) {
                 throw new Error("Failed to refresh token");
             }
             const refreshedTokens = {
-                accessToken: response.data.access_token,
-                refreshToken: response.data.refresh_token,
-                idToken: response.data.id_token,
+                accessToken: responseData.access_token,
+                refreshToken: responseData.refresh_token,
+                idToken: responseData.id_token,
             };
             await this.storeAccessToken(refreshedTokens.accessToken, context);
             await this.embedAccessToken(refreshedTokens.accessToken, context);
@@ -322,11 +383,18 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
             throw new errors_1.MissingConfigError("revocationUrl");
         }
         try {
-            await axios_1.default.post(this.config.endpoints.revocationUrl, {
-                token,
-                client_id: this.config.clientId,
-                client_secret: this.config.clientSecret,
+            const response = await fetch(this.config.endpoints.revocationUrl, {
+                method: "POST",
+                headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                body: new URLSearchParams({
+                    token,
+                    client_id: this.config.clientId,
+                    client_secret: this.config.clientSecret,
+                }).toString(),
             });
+            if (!response.ok) {
+                throw new Error(`Token revocation failed: ${response.status}`);
+            }
             this.logger?.info("Token revoked successfully.");
         }
         catch (error) {

package/build/strategies/oauth2/oauth2.tools.js

@@ -104,14 +104,14 @@ const prepareOAuth2Config = (config) => {
             : undefined,
         state: config.state
             ? {
-                generateState: () => Math.random().toString(36).substring(2, 15),
+                generateState: () => (0, tools_1.generateRandomString)(),
                 validateState: (storedState, returnedState) => storedState === returnedState,
                 ...config.state,
             }
             : undefined,
         nonce: config.nonce
             ? {
-                generateNonce: () => Math.random().toString(36).substring(2, 15),
+                generateNonce: () => (0, tools_1.generateRandomString)(),
                 validateNonce: (storedNonce, returnedNonce) => storedNonce === returnedNonce,
                 ...config.nonce,
             }

package/build/strategies/oauth2/oauth2.types.d.ts

@@ -1,5 +1,5 @@
 import { Algorithm } from "jsonwebtoken";
-import { CredentailsConfig, PKCEConfig, AuthRouteConfig, TokenAuthStrategyConfig, PersistenceConfig, ContextOperationConfig } from "../../types";
+import { CredentialsConfig, PKCEConfig, AuthRouteConfig, TokenAuthStrategyConfig, PersistenceConfig, ContextOperationConfig } from "../../types";
 export interface OAuth2Endpoints {
     authorizationUrl: string;
     tokenUrl: string;
@@ -36,7 +36,7 @@ export interface OAuth2StrategyConfig<TContext = unknown, TUser = unknown> exten
     responseType?: "code" | "token" | "id_token" | string;
     grantType: "authorization_code" | "client_credentials" | "password" | "refresh_token" | string;
     endpoints: OAuth2Endpoints;
-    credentials?: CredentailsConfig<TContext>;
+    credentials?: CredentialsConfig<TContext>;
     pkce?: PKCEConfig<TContext>;
     routes: {
         login: AuthRouteConfig;

package/build/strategies/oauth2/providers/__tests__/social-providers.test.d.ts

@@ -0,0 +1 @@
+export {};