@soapjs/soap-auth 0.4.4 → 1.0.1

package/build/recipes/http-context.helpers.js

@@ -0,0 +1,64 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.redirect = exports.setCookie = exports.getCookie = exports.setBearerToken = exports.extractBearerToken = void 0;
+function extractBearerToken(context) {
+    const header = context?.req?.headers?.authorization ??
+        context?.request?.headers?.authorization ??
+        context?.headers?.authorization;
+    if (typeof header === "string" && header.toLowerCase().startsWith("bearer ")) {
+        return header.slice(7);
+    }
+    return undefined;
+}
+exports.extractBearerToken = extractBearerToken;
+function setBearerToken(context, token) {
+    const value = `Bearer ${token}`;
+    if (typeof context?.res?.setHeader === "function") {
+        context.res.setHeader("Authorization", value);
+    }
+    else if (typeof context?.response?.setHeader === "function") {
+        context.response.setHeader("Authorization", value);
+    }
+    else if (typeof context?.setHeader === "function") {
+        context.setHeader("Authorization", value);
+    }
+}
+exports.setBearerToken = setBearerToken;
+function getCookie(context, name) {
+    return (context?.req?.cookies?.[name] ??
+        context?.request?.cookies?.[name] ??
+        context?.cookies?.[name]);
+}
+exports.getCookie = getCookie;
+function setCookie(context, name, value, options = {}) {
+    if (typeof context?.res?.cookie === "function") {
+        context.res.cookie(name, value, options);
+    }
+    else if (typeof context?.response?.cookie === "function") {
+        context.response.cookie(name, value, options);
+    }
+    else if (typeof context?.cookie === "function") {
+        context.cookie(name, value, options);
+    }
+}
+exports.setCookie = setCookie;
+function redirect(context, url, status = 302) {
+    if (typeof context?.res?.redirect === "function") {
+        context.res.redirect(url);
+    }
+    else if (typeof context?.response?.redirect === "function") {
+        context.response.redirect(url);
+    }
+    else if (typeof context?.redirect === "function") {
+        context.redirect(url);
+    }
+    else if (typeof context?.res?.setHeader === "function") {
+        context.res.setHeader("Location", url);
+        context.res.status?.(status);
+    }
+    else if (typeof context?.setHeader === "function") {
+        context.setHeader("Location", url);
+        context.status?.(status);
+    }
+}
+exports.redirect = redirect;

package/build/recipes/index.d.ts

@@ -0,0 +1,3 @@
+export * from "./auth-config.recipes";
+export * from "./http-context.helpers";
+export * from "./oauth2-presets";

package/build/recipes/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./auth-config.recipes"), exports);
+__exportStar(require("./http-context.helpers"), exports);
+__exportStar(require("./oauth2-presets"), exports);

package/build/recipes/oauth2-presets.d.ts

@@ -0,0 +1,20 @@
+import { OAuth2Endpoints } from "../strategies/oauth2/oauth2.types";
+export type OAuth2ProviderPreset = "auth0" | "keycloak" | "discord" | "google" | "github" | "facebook";
+export interface Auth0PresetOptions {
+    domain: string;
+}
+export interface KeycloakPresetOptions {
+    baseUrl: string;
+    realm: string;
+}
+export interface FacebookPresetOptions {
+    version?: string;
+}
+export declare const oauth2ProviderEndpoints: {
+    auth0(options: Auth0PresetOptions): OAuth2Endpoints;
+    keycloak(options: KeycloakPresetOptions): OAuth2Endpoints;
+    discord(): OAuth2Endpoints;
+    google(): OAuth2Endpoints;
+    github(): OAuth2Endpoints;
+    facebook(options?: FacebookPresetOptions): OAuth2Endpoints;
+};

package/build/recipes/oauth2-presets.js

@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauth2ProviderEndpoints = void 0;
+function trimTrailingSlash(value) {
+    return value.replace(/\/+$/, "");
+}
+function ensureHttpsUrl(value) {
+    if (/^https?:\/\//i.test(value)) {
+        return trimTrailingSlash(value);
+    }
+    return `https://${trimTrailingSlash(value)}`;
+}
+exports.oauth2ProviderEndpoints = {
+    auth0(options) {
+        if (!options?.domain) {
+            throw new Error("Auth0 OAuth2 preset requires domain.");
+        }
+        const baseUrl = ensureHttpsUrl(options.domain);
+        return {
+            authorizationUrl: `${baseUrl}/authorize`,
+            tokenUrl: `${baseUrl}/oauth/token`,
+            userInfoUrl: `${baseUrl}/userinfo`,
+            revocationUrl: `${baseUrl}/oauth/revoke`,
+            logoutUrl: `${baseUrl}/v2/logout`,
+        };
+    },
+    keycloak(options) {
+        if (!options?.baseUrl || !options?.realm) {
+            throw new Error("Keycloak OAuth2 preset requires baseUrl and realm.");
+        }
+        const baseUrl = ensureHttpsUrl(options.baseUrl);
+        const realmUrl = `${baseUrl}/realms/${encodeURIComponent(options.realm)}`;
+        return {
+            authorizationUrl: `${realmUrl}/protocol/openid-connect/auth`,
+            tokenUrl: `${realmUrl}/protocol/openid-connect/token`,
+            userInfoUrl: `${realmUrl}/protocol/openid-connect/userinfo`,
+            revocationUrl: `${realmUrl}/protocol/openid-connect/revoke`,
+            logoutUrl: `${realmUrl}/protocol/openid-connect/logout`,
+        };
+    },
+    discord() {
+        return {
+            authorizationUrl: "https://discord.com/oauth2/authorize",
+            tokenUrl: "https://discord.com/api/oauth2/token",
+            userInfoUrl: "https://discord.com/api/users/@me",
+            revocationUrl: "https://discord.com/api/oauth2/token/revoke",
+        };
+    },
+    google() {
+        return {
+            authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+            tokenUrl: "https://oauth2.googleapis.com/token",
+            userInfoUrl: "https://openidconnect.googleapis.com/v1/userinfo",
+            revocationUrl: "https://oauth2.googleapis.com/revoke",
+        };
+    },
+    github() {
+        return {
+            authorizationUrl: "https://github.com/login/oauth/authorize",
+            tokenUrl: "https://github.com/login/oauth/access_token",
+            userInfoUrl: "https://api.github.com/user",
+            revocationUrl: "https://api.github.com/applications/{client_id}/token",
+        };
+    },
+    facebook(options = {}) {
+        const version = options.version ?? "v19.0";
+        return {
+            authorizationUrl: "https://www.facebook.com/dialog/oauth",
+            tokenUrl: `https://graph.facebook.com/${version}/oauth/access_token`,
+            userInfoUrl: `https://graph.facebook.com/${version}/me`,
+            revocationUrl: `https://graph.facebook.com/${version}/me/permissions`,
+        };
+    },
+};

package/build/services/pkce.service.js

@@ -24,8 +24,9 @@ class PKCEService {
         const cv = this.config.verifier.generate?.() || (0, tools_1.generateRandomString)();
         this.config.verifier.embed(context, cv);
         const expirationTime = Date.now() + (this.config.verifier.expiresIn ?? 300) * 1000;
-        await this.config.verifier.persistence?.store(cv, {
+        await this.config.verifier.persistence?.store(cv, context, {
             expiration: expirationTime,
+            key: "code_verifier",
         });
         return cv;
     }
@@ -37,8 +38,9 @@ class PKCEService {
             this.defaultGenerateCodeChallenge(codeVerifier);
         this.config.challenge.embed(context, challenge);
         const expirationTime = Date.now() + (this.config.challenge.expiresIn ?? 300) * 1000;
-        await this.config.challenge.persistence?.store?.(challenge, {
+        await this.config.challenge.persistence?.store?.(challenge, context, {
             expiration: expirationTime,
+            key: "code_challenge",
         });
         return challenge;
     }
@@ -49,7 +51,7 @@ class PKCEService {
         const codeVerifier = this.extractCodeVerifier(context);
         if (!codeVerifier)
             return true;
-        const stored = await this.config.verifier?.persistence?.read?.(codeVerifier);
+        const stored = await this.config.verifier?.persistence?.read?.(context, codeVerifier);
         if (!stored || !stored.expiration)
             return true;
         return Date.now() > stored.expiration;
@@ -58,7 +60,7 @@ class PKCEService {
         const challenge = this.extractCodeChallenge(context);
         if (!challenge)
             return true;
-        const stored = await this.config.challenge?.persistence?.read?.(challenge);
+        const stored = await this.config.challenge?.persistence?.read?.(context, challenge);
         if (!stored || !stored.expiration)
             return true;
         return Date.now() > stored.expiration;
@@ -66,14 +68,14 @@ class PKCEService {
     async clearCodeVerifier(context) {
         const cv = this.config.verifier.extract(context);
         if (cv) {
-            await this.config.verifier.persistence?.remove?.(cv);
+            await this.config.verifier.persistence?.remove?.(context, cv);
             this.config.verifier.embed(context, "");
         }
     }
     async clearCodeChallenge(context) {
         const challenge = this.config.challenge.extract(context);
         if (challenge) {
-            await this.config.challenge.persistence?.remove?.(challenge);
+            await this.config.challenge.persistence?.remove?.(context, challenge);
             this.config.challenge.embed(context, "");
         }
     }

package/build/soap-auth.js

@@ -7,6 +7,7 @@ const jwt_strategy_1 = require("./strategies/jwt/jwt.strategy");
 const local_strategy_1 = require("./strategies/local/local.strategy");
 const basic_strategy_1 = require("./strategies/basic/basic.strategy");
 const api_key_strategy_1 = require("./strategies/api-key/api-key.strategy");
+const providers_1 = require("./strategies/oauth2/providers");
 class SoapAuth {
     requiredStrategyMethods = ["authenticate"];
     strategies = new Map();
@@ -219,6 +220,67 @@ class SoapAuth {
             if (sharedJwt) {
                 auth.addStrategy(sharedJwt, "jwt", "http");
             }
+            if (config.http.oauth2) {
+                for (const [provider, providerConfig] of Object.entries(config.http.oauth2)) {
+                    switch (provider) {
+                        case "google":
+                            auth.addStrategy(new providers_1.GoogleStrategy(providerConfig, sessionHandler, sharedJwt, logger), "google", "http");
+                            break;
+                        case "github":
+                            auth.addStrategy(new providers_1.GitHubStrategy(providerConfig, sessionHandler, sharedJwt, logger), "github", "http");
+                            break;
+                        case "facebook":
+                            auth.addStrategy(new providers_1.FacebookStrategy(providerConfig, sessionHandler, sharedJwt, logger), "facebook", "http");
+                            break;
+                        default:
+                            if (providerConfig.endpoints?.authorizationUrl &&
+                                providerConfig.endpoints?.tokenUrl) {
+                                auth.addStrategy(new providers_1.ConfigurableOAuth2Strategy({
+                                    ...providerConfig,
+                                    name: provider,
+                                    grantType: providerConfig.grantType ?? "authorization_code",
+                                    routes: {
+                                        login: {
+                                            path: `/auth/${provider}`,
+                                            method: "GET",
+                                        },
+                                        callback: {
+                                            path: `/auth/${provider}/callback`,
+                                            method: "GET",
+                                        },
+                                        ...providerConfig.routes,
+                                    },
+                                }, sessionHandler, sharedJwt, logger), provider, "http");
+                                break;
+                            }
+                            throw new Error(`OAuth2 provider "${provider}" requires endpoints.authorizationUrl and endpoints.tokenUrl, or a custom strategy via http.custom.`);
+                    }
+                }
+            }
+            if (config.http.hybridOAuth2) {
+                for (const [provider, providerConfig] of Object.entries(config.http.hybridOAuth2)) {
+                    if (!providerConfig.endpoints?.authorizationUrl ||
+                        !providerConfig.endpoints?.tokenUrl) {
+                        throw new Error(`Hybrid OAuth2 provider "${provider}" requires endpoints.authorizationUrl and endpoints.tokenUrl, or a custom strategy via http.custom.`);
+                    }
+                    auth.addStrategy(new providers_1.ConfigurableHybridOAuth2Strategy({
+                        ...providerConfig,
+                        name: provider,
+                        grantType: providerConfig.grantType ?? "authorization_code",
+                        routes: {
+                            login: {
+                                path: `/auth/${provider}`,
+                                method: "GET",
+                            },
+                            callback: {
+                                path: `/auth/${provider}/callback`,
+                                method: "GET",
+                            },
+                            ...providerConfig.routes,
+                        },
+                    }, sessionHandler, sharedJwt, logger), provider, "http");
+                }
+            }
             if (config.http.custom) {
                 for (const [name, strategy] of Object.entries(config.http.custom)) {
                     auth.addStrategy(strategy, name, "http");

package/build/strategies/jwt/jwt.strategy.d.ts

@@ -13,8 +13,8 @@ export declare class JwtStrategy<TContext = Soap.HttpContext, TUser extends Soap
     protected verifyRefreshToken(token: string): Promise<any>;
     protected generateAccessToken(user: TUser, context: TContext): Promise<string>;
     protected generateRefreshToken(user: TUser, context: TContext): Promise<string>;
-    protected storeAccessToken(token: string): Promise<void>;
-    protected storeRefreshToken(token: string): Promise<void>;
+    protected storeAccessToken(token: string, context?: TContext): Promise<void>;
+    protected storeRefreshToken(token: string, context?: TContext): Promise<void>;
     protected embedAccessToken(token: string, context: TContext): void;
     protected embedRefreshToken(token: string, context: TContext): void;
     protected extractAccessToken(context: TContext): string | undefined;

package/build/strategies/jwt/jwt.strategy.js

@@ -104,14 +104,14 @@ class JwtStrategy extends token_auth_strategy_1.TokenAuthStrategy {
         const payload = this.buildAccessTokenPayload(user, context);
         return Promise.resolve(jwt_tools_1.JwtTools.generateRefreshToken(payload, this.refreshTokenConfig));
     }
-    async storeAccessToken(token) {
+    async storeAccessToken(token, context) {
         if (this.accessTokenConfig.persistence?.store) {
-            await this.accessTokenConfig.persistence.store(token, null, this.accessTokenConfig.issuer.options.expiresIn);
+            await this.accessTokenConfig.persistence.store(token, context ?? null, { expiresIn: this.accessTokenConfig.issuer.options.expiresIn });
         }
     }
-    async storeRefreshToken(token) {
+    async storeRefreshToken(token, context) {
         if (this.refreshTokenConfig?.persistence?.store) {
-            await this.refreshTokenConfig.persistence.store(token, null, this.refreshTokenConfig.issuer.options.expiresIn);
+            await this.refreshTokenConfig.persistence.store(token, context ?? null, { expiresIn: this.refreshTokenConfig.issuer.options.expiresIn });
         }
     }
     embedAccessToken(token, context) {
@@ -164,7 +164,7 @@ class JwtStrategy extends token_auth_strategy_1.TokenAuthStrategy {
     async invalidateRefreshToken(token, context) {
         const refreshToken = token || (await this.extractRefreshToken(context));
         if (refreshToken) {
-            await this.refreshTokenConfig?.persistence?.remove?.(refreshToken);
+            await this.refreshTokenConfig?.persistence?.remove?.(context ?? null, refreshToken);
             if (context) {
                 jwt_tools_1.JwtTools.clearDefaultJwtCookie(context);
                 jwt_tools_1.JwtTools.clearDefaultJwtHeader(context);
@@ -175,7 +175,7 @@ class JwtStrategy extends token_auth_strategy_1.TokenAuthStrategy {
     async invalidateAccessToken(token, context) {
         const accessToken = token || (await this.extractAccessToken(context));
         if (accessToken) {
-            await this.accessTokenConfig.persistence?.remove?.(accessToken);
+            await this.accessTokenConfig.persistence?.remove?.(context ?? null, accessToken);
             if (context) {
                 jwt_tools_1.JwtTools.clearDefaultJwtCookie(context);
                 jwt_tools_1.JwtTools.clearDefaultJwtHeader(context);

package/build/strategies/oauth2/hybrid.oauth2.strategy.js

@@ -49,7 +49,7 @@ class HybridOAuth2Strategy extends oauth2_strategy_1.OAuth2Strategy {
             if (!accessToken) {
                 const code = this.extractAuthorizationCode(context);
                 if (!code) {
-                    this.login(context);
+                    await this.login(context);
                     throw new errors_1.MissingAuthorizationCodeError();
                 }
                 await this.validateState(context);
@@ -59,7 +59,7 @@ class HybridOAuth2Strategy extends oauth2_strategy_1.OAuth2Strategy {
                 idToken = exchangedTokens.idToken;
             }
             const user = idToken
-                ? await this.verifyIdToken(idToken)
+                ? await this.verifyIdToken(idToken, context)
                 : await this.fetchUser(accessToken);
             if (!user)
                 throw new errors_1.UserNotFoundError();

package/build/strategies/oauth2/oauth2.strategy.d.ts

@@ -55,7 +55,7 @@ export declare abstract class OAuth2Strategy<TContext = Soap.HttpContext, TUser
         idToken?: string;
     }>;
     protected handleTokenRefreshFailure(context: TContext): Promise<void>;
-    protected verifyIdToken(idToken: string): Promise<TUser | null>;
+    protected verifyIdToken(idToken: string, context?: TContext): Promise<TUser | null>;
     revokeToken(token: string): Promise<void>;
     protected isTokenExpired(token: string): boolean;
 }

package/build/strategies/oauth2/oauth2.strategy.js

@@ -161,11 +161,15 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
         let nonce;
         if (this.config.state) {
             state = await oauth2_tools_1.OAuth2Tools.generateState(this.config);
-            await this.config.state.persistence?.store?.(state);
+            await this.config.state.persistence?.store?.(state, context, {
+                key: "state",
+            });
         }
         if (this.config.nonce) {
             nonce = await oauth2_tools_1.OAuth2Tools.generateNonce(this.config);
-            await this.config.nonce.persistence?.store?.(nonce);
+            await this.config.nonce.persistence?.store?.(nonce, context, {
+                key: "nonce",
+            });
         }
         const authUrl = await this.buildAuthorizationUrl(context, state, nonce);
         this.redirectUser(context, authUrl);
@@ -175,14 +179,14 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
             return;
         }
         const returnedState = oauth2_tools_1.OAuth2Tools.extractState(context);
-        const storedState = (await this.config.state.persistence?.read?.());
+        const storedState = (await this.config.state.persistence?.read?.(context, "state"));
         const valid = this.config.state.validateState
             ? await this.config.state.validateState(storedState, returnedState)
             : !!storedState && storedState === returnedState;
         if (!valid) {
             throw new oauth2_errors_1.InvalidStateError();
         }
-        await this.config.state.persistence?.remove?.();
+        await this.config.state.persistence?.remove?.(context, "state");
     }
     async buildAuthorizationUrl(context, state, nonce) {
         const params = new URLSearchParams({
@@ -202,7 +206,7 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
         let authorizationUrl = `${this.config.endpoints.authorizationUrl}?${params.toString()}`;
         if (this.pkce) {
             const codeVerifier = await this.pkce.generateCodeVerifier(context);
-            const codeChallenge = this.pkce.generateCodeChallenge(codeVerifier, context);
+            const codeChallenge = await this.pkce.generateCodeChallenge(codeVerifier, context);
             authorizationUrl += `&code_challenge=${codeChallenge}&code_challenge_method=S256`;
         }
         return authorizationUrl;
@@ -212,7 +216,7 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
             grant_type: "authorization_code",
             client_id: this.config.clientId,
             code,
-            redirectUri: this.config.redirectUri,
+            redirect_uri: this.config.redirectUri,
         };
         if (this.pkce) {
             const codeVerifier = this.pkce.extractCodeVerifier(context);
@@ -363,8 +367,8 @@ class OAuth2Strategy extends base_auth_strategy_1.BaseAuthStrategy {
             this.logger?.error(e);
         }
     }
-    async verifyIdToken(idToken) {
-        const storedNonce = await this.config?.nonce?.persistence?.read?.();
+    async verifyIdToken(idToken, context) {
+        const storedNonce = await this.config?.nonce?.persistence?.read?.(context, "nonce");
         if (storedNonce) {
             const decodedToken = await this.jwks.verify(idToken);
             if (decodedToken.nonce) {

package/build/strategies/oauth2/oauth2.types.d.ts

@@ -9,13 +9,13 @@ export interface OAuth2Endpoints {
     logoutUrl?: string;
 }
 export interface OAuth2StateConfig<TContext = unknown, TData = any> {
-    persistence?: PersistenceConfig;
+    persistence?: PersistenceConfig<TData, TContext>;
     context?: ContextOperationConfig<TContext, TData>;
     generateState?: () => string | Promise<string>;
     validateState?: (storedState: TContext, returnedState: string) => boolean | Promise<boolean>;
 }
 export interface OAuth2NonceConfig<TContext = unknown, TData = any> {
-    persistence?: PersistenceConfig;
+    persistence?: PersistenceConfig<TData, TContext>;
     context?: ContextOperationConfig<TContext, TData>;
     generateNonce?: () => string | Promise<string>;
     validateNonce?: (storedNonce: string | null, returnedNonce: string) => boolean | Promise<boolean>;
@@ -47,6 +47,11 @@ export interface OAuth2StrategyConfig<TContext = unknown, TUser = unknown> exten
         [key: string]: AuthRouteConfig;
     };
     state?: OAuth2StateConfig<TContext>;
-    nonce?: OAuth2NonceConfig;
+    nonce?: OAuth2NonceConfig<TContext>;
     jwks?: JwksConfig;
 }
+export interface OAuth2ProviderConfig<TContext = unknown, TUser = unknown> extends Omit<OAuth2StrategyConfig<TContext, TUser>, "endpoints" | "grantType" | "routes"> {
+    grantType?: "authorization_code";
+    endpoints?: Partial<OAuth2Endpoints>;
+    routes?: OAuth2StrategyConfig<TContext, TUser>["routes"];
+}

package/build/strategies/oauth2/providers/configurable-hybrid-oauth2.strategy.d.ts

@@ -0,0 +1,19 @@
+import * as Soap from "@soapjs/soap";
+import { SessionHandler } from "../../../session/session-handler";
+import { JwtStrategy } from "../../jwt/jwt.strategy";
+import { HybridOAuth2Strategy } from "../hybrid.oauth2.strategy";
+import { ConfigurableOAuth2StrategyConfig } from "./provider.types";
+export declare class ConfigurableHybridOAuth2Strategy<TUser extends Soap.AuthUser = Soap.AuthUser> extends HybridOAuth2Strategy<Soap.HttpContext, TUser> {
+    protected config: ConfigurableOAuth2StrategyConfig<TUser>;
+    readonly name: string;
+    constructor(config: ConfigurableOAuth2StrategyConfig<TUser>, session?: SessionHandler, jwt?: JwtStrategy<Soap.HttpContext, TUser>, logger?: Soap.Logger);
+    protected extractAccessToken(ctx: Soap.HttpContext): Promise<string | undefined>;
+    protected extractRefreshToken(ctx: Soap.HttpContext): Promise<string | undefined>;
+    protected storeAccessToken(_token: string, _ctx: Soap.HttpContext): Promise<void>;
+    protected storeRefreshToken(_token: string, _ctx: Soap.HttpContext): Promise<void>;
+    protected embedAccessToken(token: string, ctx: Soap.HttpContext): void;
+    protected embedRefreshToken(token: string, ctx: Soap.HttpContext): void;
+    protected extractAuthorizationCode(ctx: Soap.HttpContext): string | null;
+    protected redirectUser(ctx: Soap.HttpContext, authUrl: string): void;
+    protected fetchUser(accessToken: string): Promise<TUser | null>;
+}

package/build/strategies/oauth2/providers/configurable-hybrid-oauth2.strategy.js

@@ -0,0 +1,85 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConfigurableHybridOAuth2Strategy = void 0;
+const errors_1 = require("../../../errors");
+const hybrid_oauth2_strategy_1 = require("../hybrid.oauth2.strategy");
+class ConfigurableHybridOAuth2Strategy extends hybrid_oauth2_strategy_1.HybridOAuth2Strategy {
+    config;
+    name;
+    constructor(config, session, jwt, logger) {
+        super(config, session, jwt, logger);
+        this.config = config;
+        this.name = config.name;
+    }
+    extractAccessToken(ctx) {
+        const auth = ctx.req.headers?.authorization;
+        if (typeof auth === "string" && auth.startsWith("Bearer ")) {
+            return Promise.resolve(auth.slice(7));
+        }
+        return Promise.resolve(ctx.req.cookies?.access_token);
+    }
+    extractRefreshToken(ctx) {
+        return Promise.resolve(ctx.req.cookies?.refresh_token);
+    }
+    storeAccessToken(_token, _ctx) {
+        return Promise.resolve();
+    }
+    storeRefreshToken(_token, _ctx) {
+        return Promise.resolve();
+    }
+    embedAccessToken(token, ctx) {
+        ctx.res.setHeader("Authorization", `Bearer ${token}`);
+    }
+    embedRefreshToken(token, ctx) {
+        ctx.res.cookie("refresh_token", token, {
+            httpOnly: true,
+            secure: true,
+            sameSite: "lax",
+            maxAge: 30 * 24 * 60 * 60 * 1000,
+        });
+    }
+    extractAuthorizationCode(ctx) {
+        return ctx.req.query?.code ?? null;
+    }
+    redirectUser(ctx, authUrl) {
+        if (typeof ctx.res.redirect === "function") {
+            ctx.res.redirect(authUrl);
+        }
+        else {
+            ctx.res.setHeader("Location", authUrl);
+            ctx.res.status(302).json({ message: "Redirecting", location: authUrl });
+        }
+    }
+    async fetchUser(accessToken) {
+        try {
+            if (!this.config.endpoints.userInfoUrl) {
+                if (this.config.user?.fetchUser) {
+                    return this.config.user.fetchUser(accessToken);
+                }
+                throw new errors_1.MissingConfigError("userInfoUrl");
+            }
+            const response = await fetch(this.config.endpoints.userInfoUrl, {
+                headers: { Authorization: `Bearer ${accessToken}` },
+            });
+            if (!response.ok) {
+                return null;
+            }
+            const profile = await response.json();
+            if (this.config.user?.validateUser) {
+                return this.config.user.validateUser(profile);
+            }
+            return {
+                id: profile.sub ?? profile.id,
+                email: profile.email,
+                username: profile.preferred_username ?? profile.username ?? profile.name,
+                name: profile.name,
+                picture: profile.picture ?? profile.avatar_url,
+            };
+        }
+        catch (error) {
+            this.logger?.error("ConfigurableHybridOAuth2Strategy.fetchUser failed:", error);
+            return null;
+        }
+    }
+}
+exports.ConfigurableHybridOAuth2Strategy = ConfigurableHybridOAuth2Strategy;

package/build/strategies/oauth2/providers/configurable-oauth2.strategy.d.ts

@@ -0,0 +1,11 @@
+import * as Soap from "@soapjs/soap";
+import { SessionHandler } from "../../../session/session-handler";
+import { JwtStrategy } from "../../jwt/jwt.strategy";
+import { HttpOAuth2Strategy } from "./http-oauth2.strategy";
+import { ConfigurableOAuth2StrategyConfig } from "./provider.types";
+export declare class ConfigurableOAuth2Strategy<TUser extends Soap.AuthUser = Soap.AuthUser> extends HttpOAuth2Strategy<TUser> {
+    protected config: ConfigurableOAuth2StrategyConfig<TUser>;
+    readonly name: string;
+    constructor(config: ConfigurableOAuth2StrategyConfig<TUser>, session?: SessionHandler, jwt?: JwtStrategy<Soap.HttpContext, TUser>, logger?: Soap.Logger);
+    protected fetchUser(accessToken: string): Promise<TUser | null>;
+}

package/build/strategies/oauth2/providers/configurable-oauth2.strategy.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConfigurableOAuth2Strategy = void 0;
+const http_oauth2_strategy_1 = require("./http-oauth2.strategy");
+const errors_1 = require("../../../errors");
+class ConfigurableOAuth2Strategy extends http_oauth2_strategy_1.HttpOAuth2Strategy {
+    config;
+    name;
+    constructor(config, session, jwt, logger) {
+        super(config, session, jwt, logger);
+        this.config = config;
+        this.name = config.name;
+    }
+    async fetchUser(accessToken) {
+        try {
+            if (!this.config.endpoints.userInfoUrl) {
+                if (this.config.user?.fetchUser) {
+                    return this.config.user.fetchUser(accessToken);
+                }
+                throw new errors_1.MissingConfigError("userInfoUrl");
+            }
+            const response = await fetch(this.config.endpoints.userInfoUrl, {
+                headers: { Authorization: `Bearer ${accessToken}` },
+            });
+            if (!response.ok) {
+                return null;
+            }
+            const profile = await response.json();
+            if (this.config.user?.validateUser) {
+                return this.config.user.validateUser(profile);
+            }
+            return {
+                id: profile.sub ?? profile.id,
+                email: profile.email,
+                username: profile.preferred_username ?? profile.username ?? profile.name,
+                name: profile.name,
+                picture: profile.picture ?? profile.avatar_url,
+            };
+        }
+        catch (error) {
+            this.logger?.error("ConfigurableOAuth2Strategy.fetchUser failed:", error);
+            return null;
+        }
+    }
+}
+exports.ConfigurableOAuth2Strategy = ConfigurableOAuth2Strategy;