@stravigor/oauth2 0.4.5

package/src/oauth2_manager.ts

@@ -0,0 +1,217 @@
+import { inject } from '@stravigor/core/core'
+import Configuration from '@stravigor/core/config/configuration'
+import Database from '@stravigor/core/database/database'
+import Router from '@stravigor/core/http/router'
+import { compose } from '@stravigor/core/http/middleware'
+import type { Handler, Middleware } from '@stravigor/core/http/middleware'
+import { rateLimit } from '@stravigor/core/http/rate_limit'
+import { auth } from '@stravigor/core/auth/middleware/authenticate'
+import { csrf } from '@stravigor/core/auth/middleware/csrf'
+import { ConfigurationError } from '@stravigor/core/exceptions/errors'
+import ScopeRegistry from './scopes.ts'
+import type { OAuth2Actions, OAuth2Config } from './types.ts'
+import { authorizeHandler, approveHandler } from './handlers/authorize.ts'
+import { tokenHandler } from './handlers/token.ts'
+import { revokeHandler } from './handlers/revoke.ts'
+import { introspectHandler } from './handlers/introspect.ts'
+import { listClientsHandler, createClientHandler, deleteClientHandler } from './handlers/clients.ts'
+import {
+  createPersonalTokenHandler,
+  listPersonalTokensHandler,
+  revokePersonalTokenHandler,
+} from './handlers/personal_tokens.ts'
+
+// ---------------------------------------------------------------------------
+// Default config
+// ---------------------------------------------------------------------------
+
+const DEFAULTS: OAuth2Config = {
+  accessTokenLifetime: 60,
+  refreshTokenLifetime: 43_200,
+  authCodeLifetime: 10,
+  personalAccessTokenLifetime: 525_600,
+  prefix: '/oauth',
+  scopes: {},
+  defaultScopes: [],
+  personalAccessClient: null,
+  rateLimit: {
+    authorize: { max: 30, window: 60 },
+    token: { max: 20, window: 60 },
+  },
+  pruneRevokedAfterDays: 7,
+}
+
+// ---------------------------------------------------------------------------
+// Manager
+// ---------------------------------------------------------------------------
+
+function withMiddleware(mw: Middleware[], handler: Handler): Handler {
+  return mw.length > 0 ? compose(mw, handler) : handler
+}
+
+@inject
+export default class OAuth2Manager {
+  private static _config: OAuth2Config
+  private static _db: Database
+  private static _actions: OAuth2Actions
+
+  constructor(db: Database, config: Configuration) {
+    const raw = config.get('oauth2', {}) as Partial<OAuth2Config>
+    OAuth2Manager._db = db
+    OAuth2Manager._config = { ...DEFAULTS, ...raw } as OAuth2Config
+
+    // Register scopes from config
+    if (OAuth2Manager._config.scopes) {
+      ScopeRegistry.define(OAuth2Manager._config.scopes)
+    }
+  }
+
+  // ── Accessors ────────────────────────────────────────────────────────
+
+  static get config(): OAuth2Config {
+    if (!OAuth2Manager._config) {
+      throw new ConfigurationError(
+        'OAuth2Manager not configured. Resolve it through the container first.'
+      )
+    }
+    return OAuth2Manager._config
+  }
+
+  static get db(): Database {
+    if (!OAuth2Manager._db) {
+      throw new ConfigurationError(
+        'OAuth2Manager not configured. Resolve it through the container first.'
+      )
+    }
+    return OAuth2Manager._db
+  }
+
+  static get actions(): OAuth2Actions {
+    if (!OAuth2Manager._actions) {
+      throw new ConfigurationError('OAuth2 actions not set. Pass actions to OAuth2Provider.')
+    }
+    return OAuth2Manager._actions
+  }
+
+  /** Set the user-defined actions contract. */
+  static useActions(actions: OAuth2Actions): void {
+    OAuth2Manager._actions = actions
+  }
+
+  // ── Table management ─────────────────────────────────────────────────
+
+  /** Create the required database tables if they don't exist. */
+  static async ensureTables(): Promise<void> {
+    const db = OAuth2Manager.db
+
+    await db.sql`
+      CREATE TABLE IF NOT EXISTS "_strav_oauth_clients" (
+        "id" UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+        "name" VARCHAR(255) NOT NULL,
+        "secret" VARCHAR(255),
+        "redirect_uris" JSONB NOT NULL DEFAULT '[]',
+        "scopes" JSONB,
+        "grant_types" JSONB NOT NULL DEFAULT '[]',
+        "confidential" BOOLEAN NOT NULL DEFAULT true,
+        "first_party" BOOLEAN NOT NULL DEFAULT false,
+        "revoked" BOOLEAN NOT NULL DEFAULT false,
+        "created_at" TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+        "updated_at" TIMESTAMPTZ NOT NULL DEFAULT NOW()
+      )
+    `
+
+    await db.sql`
+      CREATE TABLE IF NOT EXISTS "_strav_oauth_tokens" (
+        "id" UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+        "user_id" VARCHAR(255),
+        "client_id" UUID NOT NULL REFERENCES "_strav_oauth_clients"("id") ON DELETE CASCADE,
+        "name" VARCHAR(255),
+        "scopes" JSONB NOT NULL DEFAULT '[]',
+        "token" VARCHAR(255) NOT NULL UNIQUE,
+        "refresh_token" VARCHAR(255) UNIQUE,
+        "expires_at" TIMESTAMPTZ NOT NULL,
+        "refresh_expires_at" TIMESTAMPTZ,
+        "last_used_at" TIMESTAMPTZ,
+        "revoked_at" TIMESTAMPTZ,
+        "created_at" TIMESTAMPTZ NOT NULL DEFAULT NOW()
+      )
+    `
+
+    await db.sql`
+      CREATE TABLE IF NOT EXISTS "_strav_oauth_auth_codes" (
+        "id" UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+        "client_id" UUID NOT NULL REFERENCES "_strav_oauth_clients"("id") ON DELETE CASCADE,
+        "user_id" VARCHAR(255) NOT NULL,
+        "code" VARCHAR(255) NOT NULL UNIQUE,
+        "redirect_uri" VARCHAR(2048) NOT NULL,
+        "scopes" JSONB NOT NULL DEFAULT '[]',
+        "code_challenge" VARCHAR(255),
+        "code_challenge_method" VARCHAR(10),
+        "expires_at" TIMESTAMPTZ NOT NULL,
+        "used_at" TIMESTAMPTZ,
+        "created_at" TIMESTAMPTZ NOT NULL DEFAULT NOW()
+      )
+    `
+
+    // Indexes for common queries
+    await db.sql`
+      CREATE INDEX IF NOT EXISTS "idx_oauth_tokens_user_id"
+      ON "_strav_oauth_tokens" ("user_id")
+    `
+    await db.sql`
+      CREATE INDEX IF NOT EXISTS "idx_oauth_tokens_client_id"
+      ON "_strav_oauth_tokens" ("client_id")
+    `
+    await db.sql`
+      CREATE INDEX IF NOT EXISTS "idx_oauth_auth_codes_client_id"
+      ON "_strav_oauth_auth_codes" ("client_id")
+    `
+  }
+
+  // ── Route registration ───────────────────────────────────────────────
+
+  private static rl(key: keyof OAuth2Config['rateLimit']): Middleware {
+    const cfg = OAuth2Manager._config.rateLimit[key]
+    return rateLimit({ max: cfg.max, window: cfg.window * 1000 })
+  }
+
+  /**
+   * Register all OAuth2 routes on the given router.
+   */
+  static routes(router: Router): void {
+    const prefix = OAuth2Manager._config.prefix
+
+    router.group({ prefix }, r => {
+      // Authorization code flow
+      r.get('/authorize', withMiddleware([auth(), OAuth2Manager.rl('authorize')], authorizeHandler))
+      r.post('/authorize', withMiddleware([auth(), csrf()], approveHandler))
+
+      // Token endpoint (all grant types)
+      r.post('/token', withMiddleware([OAuth2Manager.rl('token')], tokenHandler))
+
+      // Revocation (RFC 7009)
+      r.post('/revoke', revokeHandler)
+
+      // Introspection (RFC 7662)
+      r.post('/introspect', introspectHandler)
+
+      // Client management
+      r.get('/clients', withMiddleware([auth()], listClientsHandler))
+      r.post('/clients', withMiddleware([auth()], createClientHandler))
+      r.delete('/clients/:id', withMiddleware([auth()], deleteClientHandler))
+
+      // Personal access tokens
+      r.post('/personal-tokens', withMiddleware([auth()], createPersonalTokenHandler))
+      r.get('/personal-tokens', withMiddleware([auth()], listPersonalTokensHandler))
+      r.delete('/personal-tokens/:id', withMiddleware([auth()], revokePersonalTokenHandler))
+    })
+  }
+
+  /** Clear all state. For testing. */
+  static reset(): void {
+    OAuth2Manager._config = undefined as any
+    OAuth2Manager._db = undefined as any
+    OAuth2Manager._actions = undefined as any
+    ScopeRegistry.reset()
+  }
+}

package/src/oauth2_provider.ts

@@ -0,0 +1,29 @@
+import { ServiceProvider } from '@stravigor/core/core'
+import type { Application } from '@stravigor/core/core'
+import Router from '@stravigor/core/http/router'
+import OAuth2Manager from './oauth2_manager.ts'
+import type { OAuth2Actions } from './types.ts'
+
+export default class OAuth2Provider extends ServiceProvider {
+  readonly name = 'oauth2'
+  override readonly dependencies = ['auth', 'session', 'encryption', 'database']
+
+  constructor(private actions: OAuth2Actions) {
+    super()
+  }
+
+  override register(app: Application): void {
+    app.singleton(OAuth2Manager)
+  }
+
+  override async boot(app: Application): Promise<void> {
+    app.resolve(OAuth2Manager)
+    OAuth2Manager.useActions(this.actions)
+    await OAuth2Manager.ensureTables()
+    OAuth2Manager.routes(app.resolve(Router))
+  }
+
+  override shutdown(): void {
+    OAuth2Manager.reset()
+  }
+}

package/src/scopes.ts

@@ -0,0 +1,77 @@
+import { InvalidScopeError } from './errors.ts'
+import type { ScopeDescription } from './types.ts'
+
+/**
+ * Scope registry — manages available OAuth2 scopes and their descriptions.
+ *
+ * Scopes are loaded from config on boot and can be extended at runtime.
+ */
+export default class ScopeRegistry {
+  private static _scopes = new Map<string, string>()
+
+  /** Register scopes from a name→description record. */
+  static define(scopes: Record<string, string>): void {
+    for (const [name, description] of Object.entries(scopes)) {
+      ScopeRegistry._scopes.set(name, description)
+    }
+  }
+
+  /** Check if a scope is registered. */
+  static has(name: string): boolean {
+    return ScopeRegistry._scopes.has(name)
+  }
+
+  /** Get all registered scopes. */
+  static all(): ScopeDescription[] {
+    return Array.from(ScopeRegistry._scopes.entries()).map(([name, description]) => ({
+      name,
+      description,
+    }))
+  }
+
+  /** Get descriptions for a list of scope names. */
+  static describe(names: string[]): ScopeDescription[] {
+    return names.map(name => ({
+      name,
+      description: ScopeRegistry._scopes.get(name) ?? name,
+    }))
+  }
+
+  /**
+   * Validate requested scopes against registered scopes and client-allowed scopes.
+   *
+   * - If no scopes are requested, returns defaultScopes.
+   * - Throws InvalidScopeError if a scope is not registered.
+   * - Throws InvalidScopeError if a scope is not allowed for the client.
+   */
+  static validate(
+    requested: string[],
+    clientAllowed: string[] | null,
+    defaultScopes: string[]
+  ): string[] {
+    const scopes = requested.length > 0 ? requested : defaultScopes
+    if (scopes.length === 0) return []
+
+    for (const scope of scopes) {
+      if (!ScopeRegistry._scopes.has(scope)) {
+        throw new InvalidScopeError(`Unknown scope: "${scope}".`)
+      }
+    }
+
+    // If client has restricted scopes, ensure all requested are allowed
+    if (clientAllowed !== null) {
+      for (const scope of scopes) {
+        if (!clientAllowed.includes(scope)) {
+          throw new InvalidScopeError(`Scope "${scope}" is not allowed for this client.`)
+        }
+      }
+    }
+
+    return scopes
+  }
+
+  /** Clear all registered scopes. For testing. */
+  static reset(): void {
+    ScopeRegistry._scopes.clear()
+  }
+}

package/src/token.ts

@@ -0,0 +1,231 @@
+import OAuth2Manager from './oauth2_manager.ts'
+import { randomHex } from '@stravigor/core/helpers'
+import type { OAuthTokenData } from './types.ts'
+
+function hashToken(plain: string): string {
+  return new Bun.CryptoHasher('sha256').update(plain).digest('hex')
+}
+
+/**
+ * Static helper for managing OAuth2 tokens.
+ *
+ * Access tokens and refresh tokens are SHA-256 hashed before storage.
+ * The plain-text tokens are returned exactly once at creation time.
+ *
+ * @example
+ * const { accessToken, refreshToken, tokenData } = await OAuthToken.create({ ... })
+ * const record = await OAuthToken.validate(plainAccessToken)
+ * await OAuthToken.revoke(tokenId)
+ */
+export default class OAuthToken {
+  /**
+   * Issue a new access token (and optionally a refresh token).
+   * Returns plain-text tokens (shown once) and the database record.
+   */
+  static async create(params: {
+    userId: string | null
+    clientId: string
+    scopes: string[]
+    name?: string | null
+    includeRefreshToken?: boolean
+    accessTokenLifetime?: number // minutes
+    refreshTokenLifetime?: number // minutes
+  }): Promise<{
+    accessToken: string
+    refreshToken: string | null
+    tokenData: OAuthTokenData
+  }> {
+    const config = OAuth2Manager.config
+
+    const plainAccess = randomHex(40)
+    const hashedAccess = hashToken(plainAccess)
+
+    const accessLifetime = params.accessTokenLifetime ?? config.accessTokenLifetime
+    const expiresAt = new Date(Date.now() + accessLifetime * 60_000)
+
+    let plainRefresh: string | null = null
+    let hashedRefresh: string | null = null
+    let refreshExpiresAt: Date | null = null
+
+    if (params.includeRefreshToken !== false && params.userId !== null) {
+      const refreshLifetime = params.refreshTokenLifetime ?? config.refreshTokenLifetime
+      plainRefresh = randomHex(40)
+      hashedRefresh = hashToken(plainRefresh)
+      refreshExpiresAt = new Date(Date.now() + refreshLifetime * 60_000)
+    }
+
+    const rows = await OAuth2Manager.db.sql`
+      INSERT INTO "_strav_oauth_tokens" (
+        "user_id", "client_id", "name", "scopes", "token",
+        "refresh_token", "expires_at", "refresh_expires_at"
+      )
+      VALUES (
+        ${params.userId},
+        ${params.clientId},
+        ${params.name ?? null},
+        ${JSON.stringify(params.scopes)},
+        ${hashedAccess},
+        ${hashedRefresh},
+        ${expiresAt},
+        ${refreshExpiresAt}
+      )
+      RETURNING *
+    `
+
+    return {
+      accessToken: plainAccess,
+      refreshToken: plainRefresh,
+      tokenData: OAuthToken.hydrate(rows[0] as Record<string, unknown>),
+    }
+  }
+
+  /**
+   * Validate a plain-text access token.
+   * Returns the token record if valid, null if invalid/expired/revoked.
+   * Updates `last_used_at` (fire-and-forget).
+   */
+  static async validate(plainToken: string): Promise<OAuthTokenData | null> {
+    const hash = hashToken(plainToken)
+
+    const rows = await OAuth2Manager.db.sql`
+      SELECT * FROM "_strav_oauth_tokens"
+      WHERE "token" = ${hash} LIMIT 1
+    `
+    if (rows.length === 0) return null
+
+    const record = OAuthToken.hydrate(rows[0] as Record<string, unknown>)
+
+    // Reject revoked tokens
+    if (record.revokedAt) return null
+
+    // Reject expired tokens
+    if (record.expiresAt.getTime() < Date.now()) return null
+
+    // Update last_used_at (fire-and-forget)
+    OAuth2Manager.db.sql`
+      UPDATE "_strav_oauth_tokens"
+      SET "last_used_at" = NOW()
+      WHERE "id" = ${record.id}
+    `.then(
+      () => {},
+      () => {}
+    )
+
+    return record
+  }
+
+  /**
+   * Validate a plain-text refresh token.
+   * Returns the token record if valid, null if invalid/expired/revoked.
+   */
+  static async validateRefreshToken(plainRefresh: string): Promise<OAuthTokenData | null> {
+    const hash = hashToken(plainRefresh)
+
+    const rows = await OAuth2Manager.db.sql`
+      SELECT * FROM "_strav_oauth_tokens"
+      WHERE "refresh_token" = ${hash} LIMIT 1
+    `
+    if (rows.length === 0) return null
+
+    const record = OAuthToken.hydrate(rows[0] as Record<string, unknown>)
+
+    // Reject revoked tokens
+    if (record.revokedAt) return null
+
+    // Reject expired refresh tokens
+    if (record.refreshExpiresAt && record.refreshExpiresAt.getTime() < Date.now()) return null
+
+    return record
+  }
+
+  /** Revoke a token by ID (soft-revoke with timestamp). */
+  static async revoke(id: string): Promise<void> {
+    await OAuth2Manager.db.sql`
+      UPDATE "_strav_oauth_tokens"
+      SET "revoked_at" = NOW()
+      WHERE "id" = ${id}
+    `
+  }
+
+  /** Revoke all tokens for a user. */
+  static async revokeAllFor(userId: string): Promise<void> {
+    await OAuth2Manager.db.sql`
+      UPDATE "_strav_oauth_tokens"
+      SET "revoked_at" = NOW()
+      WHERE "user_id" = ${userId} AND "revoked_at" IS NULL
+    `
+  }
+
+  /** Revoke all tokens for a user on a specific client. */
+  static async revokeAllForClient(userId: string, clientId: string): Promise<void> {
+    await OAuth2Manager.db.sql`
+      UPDATE "_strav_oauth_tokens"
+      SET "revoked_at" = NOW()
+      WHERE "user_id" = ${userId} AND "client_id" = ${clientId} AND "revoked_at" IS NULL
+    `
+  }
+
+  /** List all active tokens for a user. */
+  static async allForUser(userId: string): Promise<OAuthTokenData[]> {
+    const rows = await OAuth2Manager.db.sql`
+      SELECT * FROM "_strav_oauth_tokens"
+      WHERE "user_id" = ${userId} AND "revoked_at" IS NULL AND "expires_at" > NOW()
+      ORDER BY "created_at" DESC
+    `
+    return (rows as Record<string, unknown>[]).map(OAuthToken.hydrate)
+  }
+
+  /** List personal access tokens for a user. */
+  static async personalTokensFor(userId: string): Promise<OAuthTokenData[]> {
+    const patClientId = OAuth2Manager.config.personalAccessClient
+    if (!patClientId) return []
+
+    const rows = await OAuth2Manager.db.sql`
+      SELECT * FROM "_strav_oauth_tokens"
+      WHERE "user_id" = ${userId}
+        AND "client_id" = ${patClientId}
+        AND "revoked_at" IS NULL
+        AND "expires_at" > NOW()
+      ORDER BY "created_at" DESC
+    `
+    return (rows as Record<string, unknown>[]).map(OAuthToken.hydrate)
+  }
+
+  /** Prune expired and old revoked tokens. Returns the number of deleted rows. */
+  static async prune(revokedOlderThanDays: number): Promise<number> {
+    const cutoff = new Date(Date.now() - revokedOlderThanDays * 86_400_000)
+
+    const result = await OAuth2Manager.db.sql`
+      DELETE FROM "_strav_oauth_tokens"
+      WHERE ("expires_at" < NOW() AND "refresh_expires_at" IS NULL)
+        OR ("refresh_expires_at" IS NOT NULL AND "refresh_expires_at" < NOW())
+        OR ("revoked_at" IS NOT NULL AND "revoked_at" < ${cutoff})
+    `
+    return result.count ?? 0
+  }
+
+  // ---------------------------------------------------------------------------
+  // Internal
+  // ---------------------------------------------------------------------------
+
+  static hydrate(row: Record<string, unknown>): OAuthTokenData {
+    return {
+      id: String(row.id),
+      userId: row.user_id as string | null,
+      clientId: String(row.client_id),
+      name: (row.name as string) ?? null,
+      scopes: parseJsonb(row.scopes) as string[],
+      expiresAt: row.expires_at as Date,
+      refreshExpiresAt: (row.refresh_expires_at as Date) ?? null,
+      lastUsedAt: (row.last_used_at as Date) ?? null,
+      revokedAt: (row.revoked_at as Date) ?? null,
+      createdAt: row.created_at as Date,
+    }
+  }
+}
+
+function parseJsonb(value: unknown): unknown {
+  if (value === null || value === undefined) return []
+  if (typeof value === 'string') return JSON.parse(value)
+  return value
+}

package/src/types.ts

@@ -0,0 +1,137 @@
+import type Context from '@stravigor/core/http/context'
+
+// ---------------------------------------------------------------------------
+// Grant types
+// ---------------------------------------------------------------------------
+
+export type GrantType = 'authorization_code' | 'client_credentials' | 'refresh_token'
+
+// ---------------------------------------------------------------------------
+// Actions — the user-provided contract
+// ---------------------------------------------------------------------------
+
+export interface OAuth2Actions<TUser = unknown> {
+  /** Find a user by primary key. Used to load the resource owner. */
+  findById(id: string | number): Promise<TUser | null>
+
+  /** Extract the user's display identifier (shown on consent screen). */
+  identifierOf(user: TUser): string
+
+  /**
+   * Render the consent/authorization screen for third-party clients.
+   * Return a Response (HTML page, view render, or redirect to your SPA).
+   *
+   * When not provided, the handler returns a JSON payload with the
+   * authorization details so an SPA can render its own UI.
+   */
+  renderAuthorization?(
+    ctx: Context,
+    client: OAuthClientData,
+    scopes: ScopeDescription[]
+  ): Promise<Response>
+}
+
+// ---------------------------------------------------------------------------
+// Data types
+// ---------------------------------------------------------------------------
+
+export interface OAuthClientData {
+  id: string
+  name: string
+  redirectUris: string[]
+  scopes: string[] | null
+  grantTypes: GrantType[]
+  confidential: boolean
+  firstParty: boolean
+  revoked: boolean
+  createdAt: Date
+  updatedAt: Date
+}
+
+export interface OAuthTokenData {
+  id: string
+  userId: string | null
+  clientId: string
+  name: string | null
+  scopes: string[]
+  expiresAt: Date
+  refreshExpiresAt: Date | null
+  lastUsedAt: Date | null
+  revokedAt: Date | null
+  createdAt: Date
+}
+
+export interface OAuthAuthCodeData {
+  id: string
+  clientId: string
+  userId: string
+  redirectUri: string
+  scopes: string[]
+  codeChallenge: string | null
+  codeChallengeMethod: string | null
+  expiresAt: Date
+  usedAt: Date | null
+  createdAt: Date
+}
+
+export interface ScopeDescription {
+  name: string
+  description: string
+}
+
+// ---------------------------------------------------------------------------
+// Input types
+// ---------------------------------------------------------------------------
+
+export interface CreateClientInput {
+  name: string
+  redirectUris: string[]
+  confidential?: boolean
+  firstParty?: boolean
+  scopes?: string[] | null
+  grantTypes?: GrantType[]
+}
+
+// ---------------------------------------------------------------------------
+// Configuration
+// ---------------------------------------------------------------------------
+
+export interface RateLimitConfig {
+  max: number
+  window: number // seconds
+}
+
+export interface OAuth2Config {
+  accessTokenLifetime: number // minutes
+  refreshTokenLifetime: number // minutes
+  authCodeLifetime: number // minutes
+  personalAccessTokenLifetime: number // minutes
+  prefix: string
+  scopes: Record<string, string>
+  defaultScopes: string[]
+  personalAccessClient: string | null
+  rateLimit: {
+    authorize: RateLimitConfig
+    token: RateLimitConfig
+  }
+  pruneRevokedAfterDays: number
+}
+
+// ---------------------------------------------------------------------------
+// Events
+// ---------------------------------------------------------------------------
+
+export interface OAuth2Event {
+  ctx?: Context
+  [key: string]: unknown
+}
+
+export const OAuth2Events = {
+  TOKEN_ISSUED: 'oauth2:token-issued',
+  TOKEN_REVOKED: 'oauth2:token-revoked',
+  TOKEN_REFRESHED: 'oauth2:token-refreshed',
+  CODE_ISSUED: 'oauth2:code-issued',
+  CLIENT_CREATED: 'oauth2:client-created',
+  CLIENT_REVOKED: 'oauth2:client-revoked',
+  ACCESS_DENIED: 'oauth2:access-denied',
+} as const