@stravigor/oauth2 0.4.5

package/src/utils.ts

@@ -0,0 +1,15 @@
+/**
+ * Extract a user ID from any user object.
+ *
+ * Unlike `extractUserId` from `@stravigor/core/helpers` which requires a
+ * BaseModel instance, this helper works with plain objects (e.g. `{ id: 1 }`)
+ * so that `@stravigor/oauth2` stays user-type agnostic.
+ */
+export function getUserId(user: unknown): string {
+  if (typeof user === 'string') return user
+  if (typeof user === 'number') return String(user)
+  if (user && typeof user === 'object' && 'id' in user) {
+    return String((user as Record<string, unknown>).id)
+  }
+  throw new Error('Cannot extract user ID: user must have an "id" property or be a string/number.')
+}

package/stubs/actions/oauth2.ts

@@ -0,0 +1,28 @@
+import { defineActions } from '@stravigor/oauth2'
+// import { User } from '../models/user'
+
+export default defineActions({
+  /**
+   * Find a user by their primary key.
+   * Used to load the resource owner for token-protected routes.
+   */
+  async findById(id) {
+    // return User.find(id)
+    throw new Error('Implement findById in actions/oauth2.ts')
+  },
+
+  /**
+   * Return the user's display identifier.
+   * Shown on the consent screen for third-party clients.
+   */
+  identifierOf(user) {
+    // return user.email
+    throw new Error('Implement identifierOf in actions/oauth2.ts')
+  },
+
+  // ─── Optional: Custom consent screen ─────────────────────────────────
+  //
+  // renderAuthorization(ctx, client, scopes) {
+  //   return ctx.view('oauth/authorize', { client, scopes })
+  // },
+})

package/stubs/config/oauth2.ts

@@ -0,0 +1,35 @@
+import { env } from '@stravigor/core/helpers'
+
+export default {
+  // Token lifetimes (in minutes)
+  accessTokenLifetime: 60, // 1 hour
+  refreshTokenLifetime: 43_200, // 30 days
+  authCodeLifetime: 10, // 10 minutes
+  personalAccessTokenLifetime: 525_600, // 1 year
+
+  // Route prefix for all OAuth2 endpoints
+  prefix: '/oauth',
+
+  // Available scopes — define your app's scopes here
+  scopes: {
+    // 'read': 'Read access to your data',
+    // 'write': 'Write access to your data',
+    // 'repos:read': 'Read your repositories',
+    // 'repos:write': 'Create and update repositories',
+  },
+
+  // Scopes granted when none are explicitly requested
+  defaultScopes: [] as string[],
+
+  // Client ID for personal access tokens (created by `strav oauth2:setup`)
+  personalAccessClient: env('OAUTH2_PERSONAL_CLIENT') ?? null,
+
+  // Rate limiting
+  rateLimit: {
+    authorize: { max: 30, window: 60 }, // 30 requests per 60 seconds
+    token: { max: 20, window: 60 }, // 20 requests per 60 seconds
+  },
+
+  // Cleanup: delete revoked tokens older than this many days
+  pruneRevokedAfterDays: 7,
+}

package/stubs/schemas/oauth_auth_code.ts

@@ -0,0 +1,16 @@
+import { defineSchema, t, Archetype } from '@stravigor/core/schema'
+
+export default defineSchema('oauth_auth_code', {
+  archetype: Archetype.Event,
+  fields: {
+    clientId: t.uuid().required().index(),
+    userId: t.varchar(255).required().index(),
+    code: t.varchar(255).required().unique(),
+    redirectUri: t.varchar(2048).required(),
+    scopes: t.jsonb().required(),
+    codeChallenge: t.varchar(255).nullable(),
+    codeChallengeMethod: t.varchar(10).nullable(),
+    expiresAt: t.timestamptz().required(),
+    usedAt: t.timestamptz().nullable(),
+  },
+})

package/stubs/schemas/oauth_client.ts

@@ -0,0 +1,15 @@
+import { defineSchema, t, Archetype } from '@stravigor/core/schema'
+
+export default defineSchema('oauth_client', {
+  archetype: Archetype.Entity,
+  fields: {
+    name: t.varchar(255).required(),
+    secret: t.varchar(255).nullable(),
+    redirectUris: t.jsonb().required(),
+    scopes: t.jsonb().nullable(),
+    grantTypes: t.jsonb().required(),
+    confidential: t.boolean().required(),
+    firstParty: t.boolean().required(),
+    revoked: t.boolean().required(),
+  },
+})

package/stubs/schemas/oauth_token.ts

@@ -0,0 +1,17 @@
+import { defineSchema, t, Archetype } from '@stravigor/core/schema'
+
+export default defineSchema('oauth_token', {
+  archetype: Archetype.Component,
+  parent: 'user',
+  fields: {
+    clientId: t.uuid().required().index(),
+    name: t.varchar(255).nullable(),
+    scopes: t.jsonb().required(),
+    token: t.varchar(255).required().unique(),
+    refreshToken: t.varchar(255).nullable().unique(),
+    expiresAt: t.timestamptz().required(),
+    refreshExpiresAt: t.timestamptz().nullable(),
+    lastUsedAt: t.timestamptz().nullable(),
+    revokedAt: t.timestamptz().nullable(),
+  },
+})

package/tsconfig.json

@@ -0,0 +1,4 @@
+{
+  "extends": "../../tsconfig.json",
+  "include": ["src/**/*.ts"]
+}