@tinyrack/tinyauth-server 0.0.7

package/dist/services/oauth-authorize.service.d.ts

@@ -0,0 +1,91 @@
+import type z from 'zod';
+import type { TinyAuthRuntimeConfig } from '../lib/config/index.ts';
+import type { f } from '../schemas/field.ts';
+import type { MikroService } from './mikro.service.ts';
+import type { OAuthClientService } from './oauth-client.service.ts';
+import type { SecurityService } from './security.service.ts';
+import type { UserConsentService } from './user-consent.service.ts';
+/**
+ * OAuth authorization request parameters (RFC 6749 §4.1.1)
+ * Also includes OpenID Connect parameters (OIDC Core 1.0 §3.1.2.1)
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
+ * @see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+ */
+export interface AuthorizeParams {
+    /** OAuth response type (e.g., "code" for authorization code flow) */
+    response_type: string;
+    /** Redirect URI where the authorization response will be sent */
+    redirect_uri: string;
+    /** Opaque value used to maintain state between request and callback (CSRF protection) */
+    state?: string | undefined;
+    /** OAuth client identifier */
+    client_id: string;
+    /** PKCE code challenge derived from code verifier (RFC 7636) */
+    code_challenge?: string | undefined;
+    /** PKCE code challenge method (S256 or plain) */
+    code_challenge_method?: 'S256' | 'plain' | undefined;
+    /** Space-separated list of requested scopes */
+    scope?: string | undefined;
+    /** OIDC nonce for replay attack prevention */
+    nonce?: string | undefined;
+    /** OIDC prompt parameter to control authentication/consent UI */
+    prompt?: z.infer<typeof f.prompt> | undefined;
+    /** OIDC max authentication age in seconds */
+    max_age?: number | undefined;
+    /** OIDC display mode for authentication UI */
+    display?: z.infer<typeof f.display> | undefined;
+}
+/**
+ * OAuth authorization result
+ * Currently only supports redirect type
+ */
+export interface AuthorizeResult {
+    /** Result type discriminator */
+    type: 'redirect';
+    /** URL to redirect the user agent to */
+    url: string;
+}
+export declare class OAuthAuthorizeService {
+    private readonly config;
+    private readonly mikro;
+    private readonly oauthClientService;
+    private readonly userConsentService;
+    private readonly securityService;
+    constructor(config: TinyAuthRuntimeConfig, mikro: MikroService, oauthClientService: OAuthClientService, userConsentService: UserConsentService, securityService: SecurityService);
+    /**
+     * Handle OAuth authorization request
+     */
+    authorize(params: {
+        query: AuthorizeParams;
+        userSession?: {
+            sub: string;
+            /** OIDC: Time when End-User authentication occurred (Unix timestamp) */
+            authenticated_at: number;
+        };
+    }): Promise<AuthorizeResult>;
+    /**
+     * Validate PKCE parameters
+     */
+    private validatePKCE;
+    /**
+     * Build login redirect URL
+     */
+    private buildLoginRedirectUrl;
+    /**
+     * Build consent redirect URL
+     */
+    private buildConsentRedirectUrl;
+    /**
+     * Build error redirect URL (for OAuth errors that should redirect back)
+     */
+    private buildErrorRedirectUrl;
+    /**
+     * Build callback URL with authorization code
+     */
+    private buildCallbackUrl;
+    /**
+     * Generate authorization code
+     */
+    private generateAuthorizationCode;
+}
+//# sourceMappingURL=oauth-authorize.service.d.ts.map

package/dist/services/oauth-authorize.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-authorize.service.d.ts","sourceRoot":"","sources":["../../src/services/oauth-authorize.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC;AAEzB,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAEpE,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAEpE;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,qEAAqE;IACrE,aAAa,EAAE,MAAM,CAAC;IACtB,iEAAiE;IACjE,YAAY,EAAE,MAAM,CAAC;IACrB,yFAAyF;IACzF,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,cAAc,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACpC,iDAAiD;IACjD,qBAAqB,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;IACrD,+CAA+C;IAC/C,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,8CAA8C;IAC9C,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,iEAAiE;IACjE,MAAM,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC;IAC9C,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,8CAA8C;IAC9C,OAAO,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,SAAS,CAAC;CACjD;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,gCAAgC;IAChC,IAAI,EAAE,UAAU,CAAC;IACjB,wCAAwC;IACxC,GAAG,EAAE,MAAM,CAAC;CACb;AAED,qBAAa,qBAAqB;IAChC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwB;IAC/C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAqB;IACxD,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAqB;IACxD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkB;gBAEhD,MAAM,EAAE,qBAAqB,EAC7B,KAAK,EAAE,YAAY,EACnB,kBAAkB,EAAE,kBAAkB,EACtC,kBAAkB,EAAE,kBAAkB,EACtC,eAAe,EAAE,eAAe;IASlC;;OAEG;IACU,SAAS,CAAC,MAAM,EAAE;QAC7B,KAAK,EAAE,eAAe,CAAC;QACvB,WAAW,CAAC,EAAE;YACZ,GAAG,EAAE,MAAM,CAAC;YACZ,wEAAwE;YACxE,gBAAgB,EAAE,MAAM,CAAC;SAC1B,CAAC;KACH,GAAG,OAAO,CAAC,eAAe,CAAC;IAkI5B;;OAEG;IACH,OAAO,CAAC,YAAY;IAMpB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAqC7B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAqC/B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAiB7B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAexB;;OAEG;YACW,yBAAyB;CAqDxC"}

package/dist/services/oauth-authorize.service.js

@@ -0,0 +1,237 @@
+import { getRandomBytes, toBase64Url } from "../lib/base64url.js";
+import { e } from "../schemas/error.js";
+export class OAuthAuthorizeService {
+    config;
+    mikro;
+    oauthClientService;
+    userConsentService;
+    securityService;
+    constructor(config, mikro, oauthClientService, userConsentService, securityService) {
+        this.config = config;
+        this.mikro = mikro;
+        this.oauthClientService = oauthClientService;
+        this.userConsentService = userConsentService;
+        this.securityService = securityService;
+    }
+    /**
+     * Handle OAuth authorization request
+     */
+    async authorize(params) {
+        const { query, userSession } = params;
+        // 1. Validate and fetch OAuth client DTO for validation methods
+        const client = await this.oauthClientService.findByClientId(query.client_id);
+        // 2. Validate client is enabled
+        this.oauthClientService.validateEnabled(client);
+        // 3. Validate redirect_uri
+        this.oauthClientService.validateRedirectUri(client, query.redirect_uri);
+        // 4. Validate response_type
+        this.oauthClientService.validateResponseType(client, query.response_type);
+        // 5. Validate and parse scope
+        const requestedScopes = query.scope ? query.scope.split(' ') : [];
+        this.oauthClientService.validateScopes(client, requestedScopes);
+        // 6. Validate PKCE
+        if (query.code_challenge) {
+            this.validatePKCE(query.code_challenge_method || 'S256');
+        }
+        // 7. Check user session
+        if (!userSession?.sub) {
+            // Handle prompt=none - must return error if not logged in
+            if (query.prompt === 'none') {
+                return {
+                    type: 'redirect',
+                    url: this.buildErrorRedirectUrl(query.redirect_uri, 'login_required', 'The Authorization Server requires End-User authentication.', query.state),
+                };
+            }
+            // User not logged in - redirect to login page
+            const loginUrl = this.buildLoginRedirectUrl(query);
+            return {
+                type: 'redirect',
+                url: loginUrl,
+            };
+        }
+        // 8. User is logged in - Verify user exists
+        const userCount = await this.mikro.user.count({ sub: userSession.sub });
+        if (userCount === 0) {
+            throw new e.UserNotFound.Error();
+        }
+        // 9. Check if consent is required (using IDs, not entities)
+        const requiresConsent = await this.userConsentService.requiresConsent({
+            userSub: userSession.sub,
+            clientId: client.id,
+            requestedScopes,
+            prompt: query.prompt,
+        });
+        if (requiresConsent) {
+            // Handle prompt=none - must return error if consent is required
+            if (query.prompt === 'none') {
+                return {
+                    type: 'redirect',
+                    url: this.buildErrorRedirectUrl(query.redirect_uri, 'consent_required', 'The Authorization Server requires End-User consent.', query.state),
+                };
+            }
+            // Redirect to consent page
+            const consentUrl = this.buildConsentRedirectUrl(query);
+            return {
+                type: 'redirect',
+                url: consentUrl,
+            };
+        }
+        const codeParams = {
+            clientId: client.id,
+            userSub: userSession.sub,
+            redirectUri: query.redirect_uri,
+            scope: requestedScopes,
+        };
+        if (query.nonce) {
+            codeParams.nonce = query.nonce;
+        }
+        if (query.code_challenge) {
+            codeParams.codeChallenge = query.code_challenge;
+        }
+        if (query.code_challenge_method) {
+            codeParams.codeChallengeMethod = query.code_challenge_method;
+        }
+        // Include OIDC authentication metadata from session
+        if (userSession) {
+            codeParams.authTime = userSession.authenticated_at;
+        }
+        const code = await this.generateAuthorizationCode(codeParams);
+        // 10. Redirect back to client with authorization code
+        const callbackUrl = this.buildCallbackUrl(code, query.state, query.redirect_uri);
+        return {
+            type: 'redirect',
+            url: callbackUrl,
+        };
+    }
+    /**
+     * Validate PKCE parameters
+     */
+    validatePKCE(codeChallengeMethod) {
+        if (codeChallengeMethod !== 'S256' && codeChallengeMethod !== 'plain') {
+            throw new e.InvalidCodeChallengeMethod.Error();
+        }
+    }
+    /**
+     * Build login redirect URL
+     */
+    buildLoginRedirectUrl(query) {
+        const loginUrl = new URL('/login', this.config.server.public_origin);
+        loginUrl.searchParams.set('client_id', query.client_id);
+        loginUrl.searchParams.set('redirect_uri', query.redirect_uri);
+        loginUrl.searchParams.set('response_type', query.response_type);
+        if (query.scope) {
+            loginUrl.searchParams.set('scope', query.scope);
+        }
+        if (query.state) {
+            loginUrl.searchParams.set('state', query.state);
+        }
+        if (query.nonce) {
+            loginUrl.searchParams.set('nonce', query.nonce);
+        }
+        if (query.code_challenge) {
+            loginUrl.searchParams.set('code_challenge', query.code_challenge);
+        }
+        if (query.code_challenge_method) {
+            loginUrl.searchParams.set('code_challenge_method', query.code_challenge_method);
+        }
+        if (query.prompt) {
+            loginUrl.searchParams.set('prompt', query.prompt);
+        }
+        if (query.max_age !== undefined) {
+            loginUrl.searchParams.set('max_age', query.max_age.toString());
+        }
+        if (query.display) {
+            loginUrl.searchParams.set('display', query.display);
+        }
+        return loginUrl.toString();
+    }
+    /**
+     * Build consent redirect URL
+     */
+    buildConsentRedirectUrl(query) {
+        const consentUrl = new URL('/consent', this.config.server.public_origin);
+        consentUrl.searchParams.set('client_id', query.client_id);
+        consentUrl.searchParams.set('redirect_uri', query.redirect_uri);
+        consentUrl.searchParams.set('response_type', query.response_type);
+        if (query.scope) {
+            consentUrl.searchParams.set('scope', query.scope);
+        }
+        if (query.state) {
+            consentUrl.searchParams.set('state', query.state);
+        }
+        if (query.nonce) {
+            consentUrl.searchParams.set('nonce', query.nonce);
+        }
+        if (query.code_challenge) {
+            consentUrl.searchParams.set('code_challenge', query.code_challenge);
+        }
+        if (query.code_challenge_method) {
+            consentUrl.searchParams.set('code_challenge_method', query.code_challenge_method);
+        }
+        if (query.prompt) {
+            consentUrl.searchParams.set('prompt', query.prompt);
+        }
+        if (query.max_age !== undefined) {
+            consentUrl.searchParams.set('max_age', query.max_age.toString());
+        }
+        if (query.display) {
+            consentUrl.searchParams.set('display', query.display);
+        }
+        return consentUrl.toString();
+    }
+    /**
+     * Build error redirect URL (for OAuth errors that should redirect back)
+     */
+    buildErrorRedirectUrl(redirectUri, error, errorDescription, state) {
+        const errorUrl = new URL(redirectUri);
+        errorUrl.searchParams.set('error', error);
+        errorUrl.searchParams.set('error_description', errorDescription);
+        if (state) {
+            errorUrl.searchParams.set('state', state);
+        }
+        return errorUrl.toString();
+    }
+    /**
+     * Build callback URL with authorization code
+     */
+    buildCallbackUrl(code, state, redirectUri) {
+        const callbackUrl = new URL(redirectUri);
+        callbackUrl.searchParams.set('code', code);
+        if (state) {
+            callbackUrl.searchParams.set('state', state);
+        }
+        return callbackUrl.toString();
+    }
+    /**
+     * Generate authorization code
+     */
+    async generateAuthorizationCode(params) {
+        const codeParams = {
+            clientId: params.clientId,
+            userSub: params.userSub,
+            redirectUri: params.redirectUri,
+            scope: params.scope,
+        };
+        if (params.nonce) {
+            codeParams.nonce = params.nonce;
+        }
+        if (params.codeChallenge) {
+            codeParams.codeChallenge = params.codeChallenge;
+        }
+        if (params.codeChallengeMethod) {
+            codeParams.codeChallengeMethod = params.codeChallengeMethod;
+        }
+        // Include OIDC authentication metadata
+        if (params.authTime !== undefined) {
+            codeParams.authTime = params.authTime;
+        }
+        const code = toBase64Url(getRandomBytes(32));
+        const codeHash = await this.securityService.hashOpaqueToken('oauth-code', code);
+        await this.mikro.oauthCode.createAuthorizationCode({
+            ...codeParams,
+            codeHash,
+        });
+        return code;
+    }
+}
+//# sourceMappingURL=oauth-authorize.service.js.map

package/dist/services/oauth-authorize.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-authorize.service.js","sourceRoot":"","sources":["../../src/services/oauth-authorize.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAElE,OAAO,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAiDxC,MAAM,OAAO,qBAAqB;IACf,MAAM,CAAwB;IAC9B,KAAK,CAAe;IACpB,kBAAkB,CAAqB;IACvC,kBAAkB,CAAqB;IACvC,eAAe,CAAkB;IAClD,YACE,MAA6B,EAC7B,KAAmB,EACnB,kBAAsC,EACtC,kBAAsC,EACtC,eAAgC;QAEhC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,kBAAkB,GAAG,kBAAkB,CAAC;QAC7C,IAAI,CAAC,kBAAkB,GAAG,kBAAkB,CAAC;QAC7C,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;IACzC,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,SAAS,CAAC,MAOtB;QACC,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;QAEtC,gEAAgE;QAChE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,cAAc,CACzD,KAAK,CAAC,SAAS,CAChB,CAAC;QAEF,gCAAgC;QAChC,IAAI,CAAC,kBAAkB,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAEhD,2BAA2B;QAC3B,IAAI,CAAC,kBAAkB,CAAC,mBAAmB,CAAC,MAAM,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;QAExE,4BAA4B;QAC5B,IAAI,CAAC,kBAAkB,CAAC,oBAAoB,CAAC,MAAM,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;QAE1E,8BAA8B;QAC9B,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAClE,IAAI,CAAC,kBAAkB,CAAC,cAAc,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;QAEhE,mBAAmB;QACnB,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;YACzB,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,qBAAqB,IAAI,MAAM,CAAC,CAAC;QAC3D,CAAC;QAED,wBAAwB;QACxB,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC;YACtB,0DAA0D;YAC1D,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC5B,OAAO;oBACL,IAAI,EAAE,UAAU;oBAChB,GAAG,EAAE,IAAI,CAAC,qBAAqB,CAC7B,KAAK,CAAC,YAAY,EAClB,gBAAgB,EAChB,4DAA4D,EAC5D,KAAK,CAAC,KAAK,CACZ;iBACF,CAAC;YACJ,CAAC;YAED,8CAA8C;YAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAC;YACnD,OAAO;gBACL,IAAI,EAAE,UAAU;gBAChB,GAAG,EAAE,QAAQ;aACd,CAAC;QACJ,CAAC;QAED,4CAA4C;QAC5C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,WAAW,CAAC,GAAG,EAAE,CAAC,CAAC;QACxE,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;YACpB,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QACnC,CAAC;QAED,4DAA4D;QAC5D,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,eAAe,CAAC;YACpE,OAAO,EAAE,WAAW,CAAC,GAAG;YACxB,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,eAAe;YACf,MAAM,EAAE,KAAK,CAAC,MAAM;SACrB,CAAC,CAAC;QAEH,IAAI,eAAe,EAAE,CAAC;YACpB,gEAAgE;YAChE,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC5B,OAAO;oBACL,IAAI,EAAE,UAAU;oBAChB,GAAG,EAAE,IAAI,CAAC,qBAAqB,CAC7B,KAAK,CAAC,YAAY,EAClB,kBAAkB,EAClB,qDAAqD,EACrD,KAAK,CAAC,KAAK,CACZ;iBACF,CAAC;YACJ,CAAC;YAED,2BAA2B;YAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAC;YACvD,OAAO;gBACL,IAAI,EAAE,UAAU;gBAChB,GAAG,EAAE,UAAU;aAChB,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GASZ;YACF,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,OAAO,EAAE,WAAW,CAAC,GAAG;YACxB,WAAW,EAAE,KAAK,CAAC,YAAY;YAC/B,KAAK,EAAE,eAAe;SACvB,CAAC;QAEF,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,UAAU,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;QACjC,CAAC;QACD,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;YACzB,UAAU,CAAC,aAAa,GAAG,KAAK,CAAC,cAAc,CAAC;QAClD,CAAC;QACD,IAAI,KAAK,CAAC,qBAAqB,EAAE,CAAC;YAChC,UAAU,CAAC,mBAAmB,GAAG,KAAK,CAAC,qBAAqB,CAAC;QAC/D,CAAC;QACD,oDAAoD;QACpD,IAAI,WAAW,EAAE,CAAC;YAChB,UAAU,CAAC,QAAQ,GAAG,WAAW,CAAC,gBAAgB,CAAC;QACrD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,UAAU,CAAC,CAAC;QAE9D,sDAAsD;QACtD,MAAM,WAAW,GAAG,IAAI,CAAC,gBAAgB,CACvC,IAAI,EACJ,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,YAAY,CACnB,CAAC;QAEF,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,GAAG,EAAE,WAAW;SACjB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,mBAA2B;QAC9C,IAAI,mBAAmB,KAAK,MAAM,IAAI,mBAAmB,KAAK,OAAO,EAAE,CAAC;YACtE,MAAM,IAAI,CAAC,CAAC,0BAA0B,CAAC,KAAK,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IAED;;OAEG;IACK,qBAAqB,CAAC,KAAsB;QAClD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QACrE,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QACxD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;QAC9D,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;QAEhE,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAClD,CAAC;QACD,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAClD,CAAC;QACD,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAClD,CAAC;QACD,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;YACzB,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,KAAK,CAAC,qBAAqB,EAAE,CAAC;YAChC,QAAQ,CAAC,YAAY,CAAC,GAAG,CACvB,uBAAuB,EACvB,KAAK,CAAC,qBAAqB,CAC5B,CAAC;QACJ,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAChC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YAClB,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACtD,CAAC;QAED,OAAO,QAAQ,CAAC,QAAQ,EAAE,CAAC;IAC7B,CAAC;IAED;;OAEG;IACK,uBAAuB,CAAC,KAAsB;QACpD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QACzE,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC1D,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;QAChE,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;QAElE,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;YACzB,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;QACtE,CAAC;QACD,IAAI,KAAK,CAAC,qBAAqB,EAAE,CAAC;YAChC,UAAU,CAAC,YAAY,CAAC,GAAG,CACzB,uBAAuB,EACvB,KAAK,CAAC,qBAAqB,CAC5B,CAAC;QACJ,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAChC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YAClB,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACxD,CAAC;QAED,OAAO,UAAU,CAAC,QAAQ,EAAE,CAAC;IAC/B,CAAC;IAED;;OAEG;IACK,qBAAqB,CAC3B,WAAmB,EACnB,KAAa,EACb,gBAAwB,EACxB,KAAc;QAEd,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;QACtC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAC1C,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,gBAAgB,CAAC,CAAC;QAEjE,IAAI,KAAK,EAAE,CAAC;YACV,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,QAAQ,CAAC,QAAQ,EAAE,CAAC;IAC7B,CAAC;IAED;;OAEG;IACK,gBAAgB,CACtB,IAAY,EACZ,KAAyB,EACzB,WAAmB;QAEnB,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;QACzC,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAE3C,IAAI,KAAK,EAAE,CAAC;YACV,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAC/C,CAAC;QAED,OAAO,WAAW,CAAC,QAAQ,EAAE,CAAC;IAChC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,yBAAyB,CAAC,MASvC;QACC,MAAM,UAAU,GASZ;YACF,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC;QAEF,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,UAAU,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;QAClC,CAAC;QACD,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YACzB,UAAU,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;QAClD,CAAC;QACD,IAAI,MAAM,CAAC,mBAAmB,EAAE,CAAC;YAC/B,UAAU,CAAC,mBAAmB,GAAG,MAAM,CAAC,mBAAmB,CAAC;QAC9D,CAAC;QACD,uCAAuC;QACvC,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YAClC,UAAU,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QACxC,CAAC;QAED,MAAM,IAAI,GAAG,WAAW,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,CAAC;QAC7C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,eAAe,CACzD,YAAY,EACZ,IAAI,CACL,CAAC;QAEF,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,uBAAuB,CAAC;YACjD,GAAG,UAAU;YACb,QAAQ;SACT,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}

package/dist/services/oauth-client.service.d.ts

@@ -0,0 +1,38 @@
+import type z from 'zod';
+import type { r } from '../schemas/response.ts';
+import type { MikroService } from './mikro.service.ts';
+import type { SecurityService } from './security.service.ts';
+export declare class OAuthClientService {
+    private readonly mikro;
+    private readonly securityService;
+    constructor(mikro: MikroService, securityService: SecurityService);
+    /**
+     * Find OAuth client by client_id from database.
+     * Config clients are now synced to DB via ConfigSeeder.
+     */
+    findByClientId(clientId: string): Promise<z.infer<typeof r.OAuthClient>>;
+    /**
+     * Validate redirect URI
+     */
+    validateRedirectUri(client: z.infer<typeof r.OAuthClient>, redirectUri: string): void;
+    /**
+     * Validate response type
+     */
+    validateResponseType(client: z.infer<typeof r.OAuthClient>, responseType: string): void;
+    /**
+     * Validate scopes
+     */
+    validateScopes(client: z.infer<typeof r.OAuthClient>, requestedScopes: string[]): void;
+    /**
+     * Check if client is enabled
+     */
+    validateEnabled(client: z.infer<typeof r.OAuthClient>): void;
+    /**
+     * Verify client secret using the current PBKDF2 hash format.
+     * All clients (including config clients) now have hashed secrets in DB.
+     * Public clients (PKCE-only) have null clientSecretHash.
+     * @returns true if valid, false otherwise
+     */
+    verifyClientSecret(clientId: string, clientSecret: string): Promise<boolean>;
+}
+//# sourceMappingURL=oauth-client.service.d.ts.map

package/dist/services/oauth-client.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client.service.d.ts","sourceRoot":"","sources":["../../src/services/oauth-client.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC;AAEzB,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAE7D,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkB;gBAC/B,KAAK,EAAE,YAAY,EAAE,eAAe,EAAE,eAAe;IAKxE;;;OAGG;IACU,cAAc,CACzB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAqBzC;;OAEG;IACI,mBAAmB,CACxB,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,EACrC,WAAW,EAAE,MAAM,GAClB,IAAI;IAMP;;OAEG;IACI,oBAAoB,CACzB,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,EACrC,YAAY,EAAE,MAAM,GACnB,IAAI;IAMP;;OAEG;IACI,cAAc,CACnB,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,EACrC,eAAe,EAAE,MAAM,EAAE,GACxB,IAAI;IAUP;;OAEG;IACI,eAAe,CAAC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,GAAG,IAAI;IAMnE;;;;;OAKG;IACU,kBAAkB,CAC7B,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC;CAoBpB"}

package/dist/services/oauth-client.service.js

@@ -0,0 +1,80 @@
+import { e } from "../schemas/error.js";
+export class OAuthClientService {
+    mikro;
+    securityService;
+    constructor(mikro, securityService) {
+        this.mikro = mikro;
+        this.securityService = securityService;
+    }
+    /**
+     * Find OAuth client by client_id from database.
+     * Config clients are now synced to DB via ConfigSeeder.
+     */
+    async findByClientId(clientId) {
+        const client = await this.mikro.oauthClient.findOneOrFail({ clientId }, {
+            failHandler: () => new e.OAuthClientNotFound.Error(),
+        });
+        return {
+            id: client.id,
+            clientId: client.clientId,
+            name: client.name,
+            managed_by: client.managed_by,
+            enabled: client.enabled,
+            redirectUris: client.redirectUris,
+            responseTypes: client.responseTypes,
+            scopes: client.scopes,
+            grantTypes: client.grantTypes,
+        };
+    }
+    /**
+     * Validate redirect URI
+     */
+    validateRedirectUri(client, redirectUri) {
+        if (!client.redirectUris.includes(redirectUri)) {
+            throw new e.InvalidRedirectUri.Error();
+        }
+    }
+    /**
+     * Validate response type
+     */
+    validateResponseType(client, responseType) {
+        if (!client.responseTypes.includes(responseType)) {
+            throw new e.UnsupportedResponseType.Error();
+        }
+    }
+    /**
+     * Validate scopes
+     */
+    validateScopes(client, requestedScopes) {
+        const invalidScopes = requestedScopes.filter((scope) => !client.scopes.includes(scope));
+        if (invalidScopes.length > 0) {
+            throw new e.InvalidScope.Error({ invalidScopes });
+        }
+    }
+    /**
+     * Check if client is enabled
+     */
+    validateEnabled(client) {
+        if (!client.enabled) {
+            throw new e.OAuthClientDisabled.Error();
+        }
+    }
+    /**
+     * Verify client secret using the current PBKDF2 hash format.
+     * All clients (including config clients) now have hashed secrets in DB.
+     * Public clients (PKCE-only) have null clientSecretHash.
+     * @returns true if valid, false otherwise
+     */
+    async verifyClientSecret(clientId, clientSecret) {
+        const client = await this.mikro.oauthClient.findOne({ clientId }, { populate: ['clientSecretHash'] });
+        if (!client) {
+            return false;
+        }
+        // Public clients don't have a secret - cannot verify
+        if (!client.clientSecretHash) {
+            return false;
+        }
+        return this.securityService.verifyClientSecret(client.clientSecretHash, clientSecret);
+    }
+}
+//# sourceMappingURL=oauth-client.service.js.map

package/dist/services/oauth-client.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client.service.js","sourceRoot":"","sources":["../../src/services/oauth-client.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAKxC,MAAM,OAAO,kBAAkB;IACZ,KAAK,CAAe;IACpB,eAAe,CAAkB;IAClD,YAAmB,KAAmB,EAAE,eAAgC;QACtE,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;IACzC,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,cAAc,CACzB,QAAgB;QAEhB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,aAAa,CACvD,EAAE,QAAQ,EAAE,EACZ;YACE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,mBAAmB,CAAC,KAAK,EAAE;SACrD,CACF,CAAC;QAEF,OAAO;YACL,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC;IACJ,CAAC;IAED;;OAEG;IACI,mBAAmB,CACxB,MAAqC,EACrC,WAAmB;QAEnB,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC;QACzC,CAAC;IACH,CAAC;IAED;;OAEG;IACI,oBAAoB,CACzB,MAAqC,EACrC,YAAoB;QAEpB,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACjD,MAAM,IAAI,CAAC,CAAC,uBAAuB,CAAC,KAAK,EAAE,CAAC;QAC9C,CAAC;IACH,CAAC;IAED;;OAEG;IACI,cAAc,CACnB,MAAqC,EACrC,eAAyB;QAEzB,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAC1C,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAC1C,CAAC;QAEF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED;;OAEG;IACI,eAAe,CAAC,MAAqC;QAC1D,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,CAAC,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;QAC1C,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,kBAAkB,CAC7B,QAAgB,EAChB,YAAoB;QAEpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CACjD,EAAE,QAAQ,EAAE,EACZ,EAAE,QAAQ,EAAE,CAAC,kBAAkB,CAAC,EAAE,CACnC,CAAC;QAEF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,KAAK,CAAC;QACf,CAAC;QAED,qDAAqD;QACrD,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;YAC7B,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC,eAAe,CAAC,kBAAkB,CAC5C,MAAM,CAAC,gBAAgB,EACvB,YAAY,CACb,CAAC;IACJ,CAAC;CACF"}

package/dist/services/oauth-connect.service.d.ts

@@ -0,0 +1,182 @@
+import z from 'zod';
+import type { IdentityProviderConfig, TinyAuthRuntimeConfig } from '../lib/config/index.ts';
+import type { f } from '../schemas/field.ts';
+import type { r } from '../schemas/response.ts';
+import type { MikroService } from './mikro.service.ts';
+import type { TermsService } from './terms.service.ts';
+import type { UserService } from './user.service.ts';
+/**
+ * OAuth user info returned from provider
+ * Normalized user information from external OAuth providers
+ */
+export interface OAuthUserInfo {
+    /** Provider's user ID */
+    id: string;
+    /** User's email address */
+    email: string;
+    /** Whether the email is verified by the provider */
+    email_verified: boolean;
+    /** User's display name */
+    name?: string | undefined;
+    /** User's profile picture URL */
+    picture?: string | undefined;
+}
+/**
+ * Token response from OAuth provider
+ * Standard OAuth 2.0 token response structure
+ */
+declare const OAuthTokensSchema: z.ZodObject<{
+    access_token: z.ZodString;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    token_type: z.ZodString;
+    id_token: z.ZodOptional<z.ZodString>;
+}, z.z.core.$strip>;
+export type OAuthTokens = z.infer<typeof OAuthTokensSchema>;
+/**
+ * OAuth session data stored in secure session
+ * Used to maintain state during OAuth flow
+ */
+export interface OAuthSessionData {
+    /** State parameter for CSRF protection */
+    state: string;
+    /** PKCE code verifier */
+    codeVerifier: string;
+    /** OAuth provider ID */
+    providerId: string;
+    /** Authentication mode */
+    mode: z.infer<typeof f.oauthConnectMode>;
+    /** URL to return to after authentication */
+    returnUrl?: string | undefined;
+}
+/**
+ * Result of OAuth authentication
+ * Returned after successful OAuth login/registration
+ */
+export interface OAuthAuthResult {
+    /** Whether this is a newly created user */
+    isNewUser: boolean;
+    /** Authenticated user session data */
+    user: z.infer<typeof r.UserSession>;
+}
+/**
+ * Result of processing an OAuth callback.
+ * Each variant tells the handler what session changes and redirect to perform.
+ */
+export type OAuthCallbackResult = {
+    action: 'error_redirect';
+    url: string;
+} | {
+    action: 'link_complete';
+    returnUrl: string;
+} | {
+    action: 'terms_redirect';
+    url: string;
+} | {
+    action: 'login_complete';
+    userSub: string;
+    returnUrl: string | undefined;
+} | {
+    action: 'login_terms_redirect';
+    userSub: string;
+    termsUrl: string;
+};
+export declare class OAuthConnectService {
+    private readonly config;
+    private readonly userService;
+    private readonly mikro;
+    private readonly termsService;
+    constructor(config: TinyAuthRuntimeConfig, userService: UserService, mikro: MikroService, termsService: TermsService);
+    /**
+     * Process an OAuth callback: validate session, exchange tokens, and
+     * determine the appropriate next action (redirect, login, link, terms).
+     * Pure business logic — no session writes or HTTP responses.
+     */
+    processOAuthCallback(params: {
+        provider: string;
+        code: string;
+        state: string;
+        oauthSession: OAuthSessionData;
+        userSub?: string | undefined;
+        requestUrl: string;
+    }): Promise<OAuthCallbackResult>;
+    /**
+     * Get all enabled OAuth providers
+     */
+    getEnabledProviders(): Array<{
+        id: string;
+        display_name: string;
+        icon_url?: string | undefined;
+    }>;
+    /**
+     * Get OAuth provider config by id
+     */
+    getProvider(id: string): IdentityProviderConfig;
+    /**
+     * Generate authorization URL with state and PKCE
+     */
+    generateAuthorizationUrl(providerId: string, mode: z.infer<typeof f.oauthConnectMode>, returnUrl?: string): Promise<{
+        url: string;
+        sessionData: OAuthSessionData;
+    }>;
+    /**
+     * Exchange authorization code for tokens
+     */
+    exchangeCodeForTokens(providerId: string, code: string, codeVerifier: string): Promise<OAuthTokens>;
+    /**
+     * Fetch user info from OAuth provider.
+     * For providers without a userinfo endpoint (e.g. Apple), decodes the ID token.
+     */
+    fetchUserInfo(providerId: string, accessToken: string, idToken?: string): Promise<OAuthUserInfo>;
+    /**
+     * Extract user info from an ID token JWT (used by Apple).
+     * Decodes without verification since the token was received directly
+     * from the provider's token endpoint over TLS.
+     */
+    private extractUserInfoFromIdToken;
+    /**
+     * Map provider-specific field names to normalized OAuthUserInfo
+     * using the provider's userinfo_mapping configuration.
+     */
+    private mapUserInfo;
+    /**
+     * Authenticate with OAuth - login or register user
+     */
+    authenticateWithOAuth(providerId: string, tokens: OAuthTokens, userInfo: OAuthUserInfo): Promise<OAuthAuthResult>;
+    /**
+     * Check if a user would be new (not existing) for OAuth authentication
+     * Used to determine if we should defer registration until terms consent
+     */
+    isNewOAuthUser(providerId: string, userInfo: OAuthUserInfo): Promise<boolean>;
+    /**
+     * Complete OAuth registration with terms consent
+     * Called after user agrees to terms on /terms page
+     * This creates the user in DB only after consent is given (GDPR compliant)
+     */
+    completeOAuthRegistration(params: {
+        providerId: string;
+        tokens: OAuthTokens;
+        userInfo: OAuthUserInfo;
+        consents: Array<{
+            termsId: string;
+            agreed: boolean;
+        }>;
+    }): Promise<OAuthAuthResult>;
+    /**
+     * Link OAuth account to existing user
+     */
+    linkOAuthAccount(userSub: string, providerId: string, tokens: OAuthTokens, userInfo: OAuthUserInfo): Promise<void>;
+    /**
+     * Unlink OAuth account from user
+     */
+    unlinkOAuthAccount(userSub: string, providerId: string): Promise<void>;
+    /**
+     * Get all OAuth accounts linked to a user
+     */
+    getLinkedAccounts(userSub: string): Promise<Array<{
+        provider_name: string;
+        linked_at: Date;
+    }>>;
+}
+export {};
+//# sourceMappingURL=oauth-connect.service.d.ts.map

package/dist/services/oauth-connect.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-connect.service.d.ts","sourceRoot":"","sources":["../../src/services/oauth-connect.service.ts"],"names":[],"mappings":"AACA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,KAAK,EACV,sBAAsB,EACtB,qBAAqB,EACtB,MAAM,wBAAwB,CAAC;AAIhC,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,yBAAyB;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,2BAA2B;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,oDAAoD;IACpD,cAAc,EAAE,OAAO,CAAC;IACxB,0BAA0B;IAC1B,IAAI,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1B,iCAAiC;IACjC,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC9B;AAED;;;GAGG;AACH,QAAA,MAAM,iBAAiB;;;;;;mBAMrB,CAAC;AAEH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAE5D;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,0CAA0C;IAC1C,KAAK,EAAE,MAAM,CAAC;IACd,yBAAyB;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,wBAAwB;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,0BAA0B;IAC1B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,gBAAgB,CAAC,CAAC;IACzC,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAChC;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,2CAA2C;IAC3C,SAAS,EAAE,OAAO,CAAC;IACnB,sCAAsC;IACtC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;CACrC;AAED;;;GAGG;AACH,MAAM,MAAM,mBAAmB,GAC3B;IAAE,MAAM,EAAE,gBAAgB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GACzC;IAAE,MAAM,EAAE,eAAe,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GAC9C;IACE,MAAM,EAAE,gBAAgB,CAAC;IACzB,GAAG,EAAE,MAAM,CAAC;CACb,GACD;IACE,MAAM,EAAE,gBAAgB,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;CAC/B,GACD;IACE,MAAM,EAAE,sBAAsB,CAAC;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAKN,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwB;IAC/C,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAc;IAC1C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;gBAE1C,MAAM,EAAE,qBAAqB,EAC7B,WAAW,EAAE,WAAW,EACxB,KAAK,EAAE,YAAY,EACnB,YAAY,EAAE,YAAY;IAQ5B;;;;OAIG;IACU,oBAAoB,CAAC,MAAM,EAAE;QACxC,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;QACd,YAAY,EAAE,gBAAgB,CAAC;QAC/B,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;QAC7B,UAAU,EAAE,MAAM,CAAC;KACpB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAuJhC;;OAEG;IACI,mBAAmB,IAAI,KAAK,CAAC;QAClC,EAAE,EAAE,MAAM,CAAC;QACX,YAAY,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;KAC/B,CAAC;IAoBF;;OAEG;IACI,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,sBAAsB;IAYtD;;OAEG;IACU,wBAAwB,CACnC,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,gBAAgB,CAAC,EACxC,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC;QACT,GAAG,EAAE,MAAM,CAAC;QACZ,WAAW,EAAE,gBAAgB,CAAC;KAC/B,CAAC;IAiCF;;OAEG;IACU,qBAAqB,CAChC,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,MAAM,EACZ,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,WAAW,CAAC;IA8BvB;;;OAGG;IACU,aAAa,CACxB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,CAAC;IAuBzB;;;;OAIG;IACH,OAAO,CAAC,0BAA0B;IAalC;;;OAGG;IACH,OAAO,CAAC,WAAW;IAoCnB;;OAEG;IACU,qBAAqB,CAChC,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,WAAW,EACnB,QAAQ,EAAE,aAAa,GACtB,OAAO,CAAC,eAAe,CAAC;IA8H3B;;;OAGG;IACU,cAAc,CACzB,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,aAAa,GACtB,OAAO,CAAC,OAAO,CAAC;IAmBnB;;;;OAIG;IACU,yBAAyB,CAAC,MAAM,EAAE;QAC7C,UAAU,EAAE,MAAM,CAAC;QACnB,MAAM,EAAE,WAAW,CAAC;QACpB,QAAQ,EAAE,aAAa,CAAC;QACxB,QAAQ,EAAE,KAAK,CAAC;YAAE,OAAO,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,OAAO,CAAA;SAAE,CAAC,CAAC;KACvD,GAAG,OAAO,CAAC,eAAe,CAAC;IAoI5B;;OAEG;IACU,gBAAgB,CAC3B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,WAAW,EACnB,QAAQ,EAAE,aAAa,GACtB,OAAO,CAAC,IAAI,CAAC;IAgDhB;;OAEG;IACU,kBAAkB,CAC7B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,IAAI,CAAC;IAgChB;;OAEG;IACU,iBAAiB,CAC5B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,KAAK,CAAC;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAA;KAAE,CAAC,CAAC;CAc9D"}