@stonyx/oauth 0.1.1-beta.9 → 0.1.1-beta.91

package/src/{main.js → main.ts}

@@ -1,22 +1,46 @@
 import config from 'stonyx/config';
 import log from 'stonyx/log';
 import { waitForModule } from 'stonyx';
+import { setup, emit } from '@stonyx/events';
 import RestServer from '@stonyx/rest-server';
 import TokenManager from './token-manager.js';
 import SessionManager from './session-manager.js';
 import AuthRequest from './auth-request.js';
+import type OAuthFlow from './oauth-flow.js';
+
+setup(['authenticate']);
+
+interface ProviderEntry {
+  flow: OAuthFlow;
+  tokenManager: TokenManager;
+}
+
+interface ProviderConfig {
+  module?: string;
+  [key: string]: unknown;
+}
 
 export default class OAuth {
-  providers = new Map();
-  pendingStates = new Map();
+  static instance: OAuth | null;
+
+  providers = new Map<string, ProviderEntry>();
+  pendingStates = new Map<string, number>();
+  sessionManager!: SessionManager;
+  frontendCallbackUrl?: string;
 
   constructor() {
     if (OAuth.instance) return OAuth.instance;
     OAuth.instance = this;
   }
 
-  async init() {
-    const { providers, sessionDuration, frontendCallbackUrl } = config.oauth;
+  async init(): Promise<void> {
+    // Self-register so log.oauth works even when @stonyx/oauth is in the
+    // consumer's `dependencies` (stonyx loader only merges devDependencies).
+    const { logColor = 'magenta', logMethod = 'oauth' } = config.oauth;
+    log.defineType(logMethod, logColor);
+
+    const oauthConfig = config.oauth;
+    const { providers, sessionDuration, frontendCallbackUrl } = oauthConfig;
     this.frontendCallbackUrl = frontendCallbackUrl;
 
     for (const [name, providerConfig] of Object.entries(providers)) {
@@ -24,7 +48,7 @@ export default class OAuth {
         ? `${config.rootPath}/${providerConfig.module}`
         : `./providers/${name}.js`;
       const { default: Provider } = await import(modulePath);
-      const flow = new Provider(providerConfig);
+      const flow: OAuthFlow = new Provider(providerConfig);
       this.providers.set(name, { flow, tokenManager: new TokenManager(flow) });
     }
 
@@ -36,25 +60,26 @@ export default class OAuth {
     log.oauth?.('OAuth module initialized');
   }
 
-  getProvider(name) {
+  getProvider(name: string): ProviderEntry {
     const provider = this.providers.get(name);
     if (!provider) throw new Error(`OAuth provider "${name}" is not configured`);
     return provider;
   }
 
-  getAuthorizationUrl(providerName) {
+  getAuthorizationUrl(providerName: string): string {
     const { flow } = this.getProvider(providerName);
     const stateToken = crypto.randomUUID();
     this.pendingStates.set(stateToken, Date.now());
     return flow.buildAuthorizationUrl(stateToken);
   }
 
-  async handleCallback(providerName, code, stateToken) {
+  async handleCallback(providerName: string, code: string, stateToken: string) {
     if (!stateToken || !this.pendingStates.has(stateToken)) {
       throw new Error('Invalid or missing state token');
     }
 
     const stateCreatedAt = this.pendingStates.get(stateToken);
+    if (stateCreatedAt === undefined) throw new Error('State token not found in pending states');
     this.pendingStates.delete(stateToken);
 
     const TEN_MINUTES = 10 * 60 * 1000;
@@ -66,14 +91,15 @@ export default class OAuth {
     const tokens = await tokenManager.getTokens(code);
     const rawUser = await flow.fetchUserInfo(tokens.accessToken);
     const user = flow.normalizeUser(rawUser);
+    await emit('authenticate', user);
     return this.sessionManager.create(user, tokens);
   }
 
-  getSession(sessionId) {
+  getSession(sessionId: string) {
     return this.sessionManager.validate(sessionId);
   }
 
-  logout(sessionId) {
+  logout(sessionId: string): void {
     this.sessionManager.destroy(sessionId);
   }
 }

package/src/{oauth-flow.js → oauth-flow.ts}

@@ -1,5 +1,29 @@
+export interface OAuthConfig {
+  clientId: string;
+  clientSecret: string;
+  redirectUri: string;
+  scopes?: string[];
+  authorizationUrl: string;
+  tokenUrl: string;
+  userInfoUrl: string;
+}
+
+export interface TokenResult {
+  accessToken: string;
+  refreshToken: string | null;
+  expiresIn: number;
+}
+
 export default class OAuthFlow {
-  constructor({ clientId, clientSecret, redirectUri, scopes, authorizationUrl, tokenUrl, userInfoUrl }) {
+  clientId: string;
+  clientSecret: string;
+  redirectUri: string;
+  scopes: string[];
+  authorizationUrl: string;
+  tokenUrl: string;
+  userInfoUrl: string;
+
+  constructor({ clientId, clientSecret, redirectUri, scopes, authorizationUrl, tokenUrl, userInfoUrl }: OAuthConfig) {
     this.clientId = clientId;
     this.clientSecret = clientSecret;
     this.redirectUri = redirectUri;
@@ -9,7 +33,7 @@ export default class OAuthFlow {
     this.userInfoUrl = userInfoUrl;
   }
 
-  buildAuthorizationUrl(stateToken) {
+  buildAuthorizationUrl(stateToken: string): string {
     const params = new URLSearchParams({
       client_id: this.clientId,
       redirect_uri: this.redirectUri,
@@ -21,7 +45,7 @@ export default class OAuthFlow {
     return `${this.authorizationUrl}?${params.toString()}`;
   }
 
-  async exchangeCode(code) {
+  async exchangeCode(code: string): Promise<TokenResult> {
     const response = await fetch(this.tokenUrl, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
@@ -45,7 +69,7 @@ export default class OAuthFlow {
     };
   }
 
-  async refreshAccessToken(refreshToken) {
+  async refreshAccessToken(refreshToken: string): Promise<TokenResult> {
     const response = await fetch(this.tokenUrl, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
@@ -68,7 +92,7 @@ export default class OAuthFlow {
     };
   }
 
-  async fetchUserInfo(accessToken) {
+  async fetchUserInfo(accessToken: string): Promise<unknown> {
     const response = await fetch(this.userInfoUrl, {
       headers: { Authorization: `Bearer ${accessToken}` },
     });
@@ -78,11 +102,11 @@ export default class OAuthFlow {
     return response.json();
   }
 
-  normalizeUser(rawUser) {
+  normalizeUser(rawUser: unknown): unknown {
     return { raw: rawUser };
   }
 
-  async revokeToken(_accessToken) {
+  async revokeToken(_accessToken: string): Promise<void> {
     // Optional — providers override if supported
   }
 }

package/src/providers/{discord.js → discord.ts}

@@ -1,7 +1,33 @@
 import OAuthFlow from '../oauth-flow.js';
+import type { TokenResult } from '../oauth-flow.js';
+
+interface DiscordProviderConfig {
+  clientId: string;
+  clientSecret: string;
+  redirectUri: string;
+  scopes?: string[];
+  [key: string]: unknown;
+}
+
+interface DiscordUser {
+  id: string;
+  username: string;
+  global_name?: string;
+  avatar: string | null;
+  email?: string | null;
+}
+
+interface NormalizedDiscordUser {
+  id: string;
+  username: string;
+  displayName: string;
+  avatar: string | null;
+  email: string | null;
+  raw: DiscordUser;
+}
 
 export default class DiscordProvider extends OAuthFlow {
-  constructor(config) {
+  constructor(config: DiscordProviderConfig) {
     super({
       ...config,
       authorizationUrl: 'https://discord.com/oauth2/authorize',
@@ -10,7 +36,7 @@ export default class DiscordProvider extends OAuthFlow {
     });
   }
 
-  async exchangeCode(code) {
+  async exchangeCode(code: string): Promise<TokenResult> {
     const response = await fetch(this.tokenUrl, {
       method: 'POST',
       headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
@@ -34,7 +60,7 @@ export default class DiscordProvider extends OAuthFlow {
     };
   }
 
-  normalizeUser(rawUser) {
+  override normalizeUser(rawUser: DiscordUser): NormalizedDiscordUser {
     const { id, username, global_name, avatar, email } = rawUser;
 
     return {

package/src/{session-manager.js → session-manager.ts}

@@ -1,13 +1,26 @@
 import { randomUUID } from 'node:crypto';
 
+interface SessionData {
+  user: unknown;
+  tokens: unknown;
+  expiresAt: number;
+}
+
+export interface SessionResult {
+  sessionId: string;
+  user: unknown;
+  expiresAt: number;
+}
+
 export default class SessionManager {
-  sessions = new Map();
+  sessions = new Map<string, SessionData>();
+  duration: number;
 
-  constructor(duration) {
+  constructor(duration: number) {
     this.duration = duration;
   }
 
-  create(user, tokens) {
+  create(user: unknown, tokens: unknown): SessionResult {
     const sessionId = randomUUID();
     const expiresAt = Date.now() + (this.duration * 1000);
 
@@ -16,15 +29,15 @@ export default class SessionManager {
     return { sessionId, user, expiresAt };
   }
 
-  get(sessionId) {
+  get(sessionId: string): SessionData | null {
     return this.sessions.get(sessionId) || null;
   }
 
-  destroy(sessionId) {
+  destroy(sessionId: string): void {
     this.sessions.delete(sessionId);
   }
 
-  validate(sessionId) {
+  validate(sessionId: string): unknown {
     const session = this.get(sessionId);
     if (!session) return null;
 

package/src/token-manager.ts

@@ -0,0 +1,35 @@
+import type OAuthFlow from './oauth-flow.js';
+import type { TokenResult } from './oauth-flow.js';
+
+export interface TokenData extends TokenResult {
+  expiresAt: number;
+}
+
+export default class TokenManager {
+  flow: OAuthFlow;
+
+  constructor(flow: OAuthFlow) {
+    this.flow = flow;
+  }
+
+  async getTokens(code: string): Promise<TokenData> {
+    const tokens = await this.flow.exchangeCode(code) as TokenData;
+    tokens.expiresAt = Date.now() + (tokens.expiresIn * 1000);
+    return tokens;
+  }
+
+  async refresh(refreshToken: string): Promise<TokenData> {
+    const tokens = await this.flow.refreshAccessToken(refreshToken) as TokenData;
+    tokens.expiresAt = Date.now() + (tokens.expiresIn * 1000);
+    return tokens;
+  }
+
+  async revoke(accessToken: string): Promise<void> {
+    return this.flow.revokeToken(accessToken);
+  }
+
+  isExpired(tokenData: { expiresAt?: number } | null | undefined): boolean {
+    if (!tokenData?.expiresAt) return true;
+    return Date.now() >= tokenData.expiresAt;
+  }
+}

package/src/types/node.d.ts

@@ -0,0 +1,3 @@
+declare module 'node:crypto' {
+  export function randomUUID(): string;
+}

package/src/types/stonyx-events.d.ts

@@ -0,0 +1,4 @@
+declare module '@stonyx/events' {
+  export function setup(events: string[]): void;
+  export function emit(event: string, ...args: unknown[]): Promise<void>;
+}

package/src/types/stonyx-rest-server.d.ts

@@ -0,0 +1,11 @@
+declare module '@stonyx/rest-server' {
+  export class Request {
+    constructor();
+  }
+
+  export default class RestServer {
+    static instance: RestServer;
+    static close(): void;
+    mountRoute(RequestClass: unknown, options: { name: string; options?: unknown }): void;
+  }
+}

package/src/types/stonyx.d.ts

@@ -0,0 +1,37 @@
+declare module 'stonyx/config' {
+  interface OAuthConfig {
+    providers: Record<string, { module?: string; [key: string]: unknown }>;
+    sessionDuration: number;
+    frontendCallbackUrl?: string;
+    logColor?: string;
+    logMethod?: string;
+  }
+  interface Config {
+    oauth: OAuthConfig;
+    rootPath: string;
+    [key: string]: unknown;
+  }
+  const config: Config;
+  export default config;
+}
+
+declare module 'stonyx/log' {
+  interface Log {
+    oauth(message: string): void;
+    defineType(type: string, setting: string, options?: Record<string, unknown> | null): void;
+    [key: string]: unknown;
+  }
+  const log: Log;
+  export default log;
+}
+
+declare module 'stonyx' {
+  export function waitForModule(name: string): Promise<void>;
+}
+
+declare module 'stonyx/test-helpers' {
+  export function setupIntegrationTests(hooks: {
+    before(fn: () => void | Promise<void>): void;
+    after(fn: () => void | Promise<void>): void;
+  }): void;
+}

package/.github/workflows/ci.yml

@@ -1,16 +0,0 @@
-name: CI
-
-on:
-  pull_request:
-    branches: [dev, main]
-
-concurrency:
-  group: ci-${{ github.head_ref || github.ref }}
-  cancel-in-progress: true
-
-permissions:
-  contents: read
-
-jobs:
-  test:
-    uses: abofs/stonyx-workflows/.github/workflows/ci.yml@main

package/.github/workflows/publish.yml

@@ -1,51 +0,0 @@
-name: Publish to NPM
-
-on:
-  repository_dispatch:
-    types: [cascade-publish]
-  workflow_dispatch:
-    inputs:
-      version-type:
-        description: 'Version type'
-        required: true
-        type: choice
-        options:
-          - patch
-          - minor
-          - major
-      custom-version:
-        description: 'Custom version (optional, overrides version-type)'
-        required: false
-        type: string
-  pull_request:
-    types: [opened, synchronize, reopened]
-    branches: [main]
-  push:
-    branches: [main]
-
-concurrency:
-  group: ${{ github.event_name == 'repository_dispatch' && 'cascade-update' || format('publish-{0}', github.ref) }}
-  cancel-in-progress: false
-
-permissions:
-  contents: write
-  id-token: write
-  pull-requests: write
-
-jobs:
-  publish:
-    if: "!contains(github.event.head_commit.message, '[skip ci]')"
-    uses: abofs/stonyx-workflows/.github/workflows/npm-publish.yml@main
-    with:
-      version-type: ${{ github.event.inputs.version-type }}
-      custom-version: ${{ github.event.inputs.custom-version }}
-      cascade-source: ${{ github.event.client_payload.source_package || '' }}
-    secrets: inherit
-
-  cascade:
-    needs: publish
-    uses: abofs/stonyx-workflows/.github/workflows/cascade.yml@main
-    with:
-      package-name: ${{ needs.publish.outputs.package-name }}
-      published-version: ${{ needs.publish.outputs.published-version }}
-    secrets: inherit

package/src/token-manager.js

@@ -1,26 +0,0 @@
-export default class TokenManager {
-  constructor(flow) {
-    this.flow = flow;
-  }
-
-  async getTokens(code) {
-    const tokens = await this.flow.exchangeCode(code);
-    tokens.expiresAt = Date.now() + (tokens.expiresIn * 1000);
-    return tokens;
-  }
-
-  async refresh(refreshToken) {
-    const tokens = await this.flow.refreshAccessToken(refreshToken);
-    tokens.expiresAt = Date.now() + (tokens.expiresIn * 1000);
-    return tokens;
-  }
-
-  async revoke(accessToken) {
-    return this.flow.revokeToken(accessToken);
-  }
-
-  isExpired(tokenData) {
-    if (!tokenData?.expiresAt) return true;
-    return Date.now() >= tokenData.expiresAt;
-  }
-}

package/test/config/environment.js

@@ -1,18 +0,0 @@
-export default {
-  restServer: {
-    dir: './test/sample/requests',
-  },
-  oauth: {
-    providers: {
-      mock: {
-        clientId: 'test-client-id',
-        clientSecret: 'test-client-secret',
-        redirectUri: 'http://localhost:2666/auth/callback/mock',
-        scopes: ['identify'],
-        module: './test/sample/providers/mock.js',
-      }
-    },
-    sessionDuration: 3600,
-    frontendCallbackUrl: 'http://localhost:4200/auth/callback',
-  }
-};

package/test/integration/oauth-test.js

@@ -1,149 +0,0 @@
-import QUnit from 'qunit';
-import RestServer from '@stonyx/rest-server';
-import config from 'stonyx/config';
-import { setupIntegrationTests } from 'stonyx/test-helpers';
-import OAuth from '../../src/main.js';
-
-const { module, test } = QUnit;
-let endpoint;
-
-async function getValidState(endpoint) {
-  const loginResponse = await fetch(`${endpoint}/auth/login/mock`, { redirect: 'manual' });
-  const location = loginResponse.headers.get('location');
-  const url = new URL(location);
-  return url.searchParams.get('state');
-}
-
-module('[Integration] OAuth', function(hooks) {
-  setupIntegrationTests(hooks);
-
-  hooks.before(function() {
-    endpoint = `http://localhost:${config.restServer.port}`;
-  });
-
-  hooks.after(function() {
-    RestServer.close();
-  });
-
-  test('GET /auth/login/mock redirects to provider auth URL', async function(assert) {
-    const response = await fetch(`${endpoint}/auth/login/mock`, { redirect: 'manual' });
-
-    assert.equal(response.status, 302);
-
-    const location = response.headers.get('location');
-    assert.ok(location.startsWith('https://mock.provider/oauth/authorize?'));
-    assert.ok(location.includes('client_id=test-client-id'));
-    assert.ok(location.includes('response_type=code'));
-  });
-
-  test('GET /auth/login/nonexistent returns 404', async function(assert) {
-    const response = await fetch(`${endpoint}/auth/login/nonexistent`, { redirect: 'manual' });
-
-    assert.equal(response.status, 404);
-  });
-
-  test('GET /auth/callback/mock with valid state redirects to frontend with session', async function(assert) {
-    const stateToken = await getValidState(endpoint);
-    const response = await fetch(`${endpoint}/auth/callback/mock?code=test-auth-code&state=${stateToken}`, { redirect: 'manual' });
-
-    assert.equal(response.status, 302);
-
-    const location = response.headers.get('location');
-    const redirectUrl = new URL(location);
-    assert.equal(redirectUrl.origin + redirectUrl.pathname, 'http://localhost:4200/auth/callback');
-    assert.ok(redirectUrl.searchParams.get('sessionId'), 'redirect includes sessionId');
-    assert.ok(redirectUrl.searchParams.get('expiresAt'), 'redirect includes expiresAt');
-  });
-
-  test('GET /auth with valid session returns user', async function(assert) {
-    const stateToken = await getValidState(endpoint);
-    const callbackResponse = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=${stateToken}`, { redirect: 'manual' });
-    const location = callbackResponse.headers.get('location');
-    const sessionId = new URL(location).searchParams.get('sessionId');
-
-    const response = await fetch(`${endpoint}/auth`, {
-      headers: { 'session-id': sessionId },
-    });
-    const data = await response.json();
-
-    assert.equal(response.status, 200);
-    assert.equal(data.id, 'mock-user-123');
-  });
-
-  test('GET /auth without session returns 401', async function(assert) {
-    const response = await fetch(`${endpoint}/auth`);
-
-    assert.equal(response.status, 401);
-  });
-
-  test('GET /auth with invalid session returns 401', async function(assert) {
-    const response = await fetch(`${endpoint}/auth`, {
-      headers: { 'session-id': 'invalid-session' },
-    });
-
-    assert.equal(response.status, 401);
-  });
-
-  test('GET /auth/logout invalidates session', async function(assert) {
-    const stateToken = await getValidState(endpoint);
-    const callbackResponse = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=${stateToken}`, { redirect: 'manual' });
-    const location = callbackResponse.headers.get('location');
-    const sessionId = new URL(location).searchParams.get('sessionId');
-
-    // Logout
-    const logoutResponse = await fetch(`${endpoint}/auth/logout`, {
-      headers: { 'session-id': sessionId },
-    });
-    assert.equal(logoutResponse.status, 200);
-
-    // Verify session is invalid
-    const authResponse = await fetch(`${endpoint}/auth`, {
-      headers: { 'session-id': sessionId },
-    });
-    assert.equal(authResponse.status, 401);
-  });
-
-  test('GET /auth/callback/mock rejects missing state token', async function(assert) {
-    const response = await fetch(`${endpoint}/auth/callback/mock?code=test-auth-code`, { redirect: 'manual' });
-
-    assert.equal(response.status, 302);
-    const location = response.headers.get('location');
-    const redirectUrl = new URL(location);
-    assert.equal(redirectUrl.searchParams.get('error'), 'auth_failed');
-  });
-
-  test('GET /auth/callback/mock rejects invalid state token', async function(assert) {
-    const response = await fetch(`${endpoint}/auth/callback/mock?code=test-auth-code&state=bogus-state`, { redirect: 'manual' });
-
-    assert.equal(response.status, 302);
-    const location = response.headers.get('location');
-    const redirectUrl = new URL(location);
-    assert.equal(redirectUrl.searchParams.get('error'), 'auth_failed');
-  });
-
-  test('GET /auth/callback/mock with error param redirects with error', async function(assert) {
-    const response = await fetch(`${endpoint}/auth/callback/mock?error=access_denied`, { redirect: 'manual' });
-
-    assert.equal(response.status, 302);
-    const location = response.headers.get('location');
-    const redirectUrl = new URL(location);
-    assert.equal(redirectUrl.origin + redirectUrl.pathname, 'http://localhost:4200/auth/callback');
-    assert.equal(redirectUrl.searchParams.get('error'), 'access_denied');
-  });
-
-  test('GET /auth/callback/mock state token cannot be reused', async function(assert) {
-    const stateToken = await getValidState(endpoint);
-
-    // First use succeeds
-    const first = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=${stateToken}`, { redirect: 'manual' });
-    assert.equal(first.status, 302);
-    const firstLocation = new URL(first.headers.get('location'));
-    assert.ok(firstLocation.searchParams.get('sessionId'), 'first use succeeds');
-
-    // Second use fails
-    const second = await fetch(`${endpoint}/auth/callback/mock?code=test-code&state=${stateToken}`, { redirect: 'manual' });
-    assert.equal(second.status, 302);
-    const secondLocation = new URL(second.headers.get('location'));
-    assert.equal(secondLocation.searchParams.get('error'), 'auth_failed', 'reuse is rejected');
-  });
-});