npm - @unireq/oauth - Versions diffs - 0.0.1 - Mend

@unireq/oauth 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2025 Olivier Orabona
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,268 @@
+import { Policy } from '@unireq/core';
+/**
+ * OAuth 2.0 Bearer token authentication (RFC 6750)
+ * @see https://datatracker.ietf.org/doc/html/rfc6750
+ */
+/** Token supplier function (lazy evaluation) */
+type TokenSupplier = () => string | Promise<string>;
+/**
+ * JWKS (JSON Web Key Set) for JWT verification
+ * Can be a URL to fetch JWKS or a static key
+ */
+type JWKSSource = {
+    type: 'url';
+    url: string;
+} | {
+    type: 'key';
+    key: string;
+};
+/**
+ * OAuth Bearer options
+ */
+interface OAuthBearerOptions {
+    /** Token supplier function (lazy evaluation) */
+    readonly tokenSupplier: TokenSupplier;
+    /** JWKS source for secure JWT verification (highly recommended for production) */
+    readonly jwks?: JWKSSource;
+    /** Clock skew tolerance in seconds (default: 60) */
+    readonly skew?: number;
+    /** Auto-refresh on 401 (default: true) */
+    readonly autoRefresh?: boolean;
+    /** Callback before token refresh */
+    readonly onRefresh?: () => void | Promise<void>;
+    /**
+     * Allow unsafe mode without JWKS verification (NOT RECOMMENDED FOR PRODUCTION)
+     * When false (default), throws error if jwks is not provided
+     * When true, only logs warning and checks expiration without signature verification
+     * @security OWASP A02:2021 - Enabling this bypasses cryptographic verification
+     * @default false
+     */
+    readonly allowUnsafeMode?: boolean;
+}
+/**
+ * Creates an OAuth 2.0 Bearer token authentication policy
+ * - Lazy token evaluation via supplier
+ * - JWT exp + skew validation
+ * - Optional secure JWT verification with jose (RECOMMENDED)
+ * - Single-flight refresh on 401
+ * - Single replay after refresh
+ *
+ * @param options - OAuth Bearer options
+ * @returns Policy that handles Bearer authentication
+ *
+ * @example
+ * ```ts
+ * // Secure verification with JWKS URL
+ * const authPolicy = oauthBearer({
+ *   tokenSupplier: async () => 'eyJhbGci...',
+ *   jwks: { type: 'url', url: 'https://example.com/.well-known/jwks.json' },
+ *   skew: 60,
+ *   onRefresh: () => console.log('Refreshing token...')
+ * });
+ *
+ * // Secure verification with static public key
+ * const authPolicy = oauthBearer({
+ *   tokenSupplier: async () => 'eyJhbGci...',
+ *   jwks: { type: 'key', key: publicKeyPEM },
+ *   skew: 60
+ * });
+ * ```
+ *
+ * @security IMPORTANT: Provide `jwks` option for secure JWT signature verification.
+ * Without it, only expiration is checked (no signature validation).
+ */
+declare function oauthBearer(options: OAuthBearerOptions): Policy;
+/**
+ * OAuth 2.0 DX helpers - transparent utility functions
+ * These helpers make common OAuth configurations easier without hiding complexity.
+ * You can always use the raw oauthBearer() options directly for full control.
+ */
+/**
+ * Creates a JWKS source from a URL
+ * This is the most common approach for production - fetch keys from identity provider
+ *
+ * @example
+ * ```ts
+ * const auth = oauthBearer({
+ *   tokenSupplier: myTokenSupplier,
+ *   jwks: jwksFromUrl('https://login.example.com/.well-known/jwks.json'),
+ * });
+ * ```
+ */
+declare function jwksFromUrl(url: string): JWKSSource;
+/**
+ * Creates a JWKS source from a static PEM public key
+ * Use this when you have the signing key directly (e.g., from config/secrets)
+ *
+ * @example
+ * ```ts
+ * const publicKeyPEM = `-----BEGIN PUBLIC KEY-----
+ * MIIBIjANBgkqh...
+ * -----END PUBLIC KEY-----`;
+ *
+ * const auth = oauthBearer({
+ *   tokenSupplier: myTokenSupplier,
+ *   jwks: jwksFromKey(publicKeyPEM),
+ * });
+ * ```
+ */
+declare function jwksFromKey(pemKey: string): JWKSSource;
+/**
+ * Derives JWKS URL from OpenID Connect issuer
+ * Follows the standard .well-known/openid-configuration path
+ *
+ * @example
+ * ```ts
+ * // For Auth0: https://your-tenant.auth0.com/.well-known/jwks.json
+ * // For Okta: https://your-domain.okta.com/oauth2/default/v1/keys
+ * const auth = oauthBearer({
+ *   tokenSupplier: myTokenSupplier,
+ *   jwks: jwksFromIssuer('https://your-tenant.auth0.com/'),
+ * });
+ * ```
+ */
+declare function jwksFromIssuer(issuerUrl: string): JWKSSource;
+/**
+ * Creates a token supplier from an environment variable
+ * Useful for static tokens (API keys) or tokens set at process startup
+ *
+ * @example
+ * ```ts
+ * // Reads process.env.MY_API_TOKEN on each request
+ * const auth = oauthBearer({
+ *   tokenSupplier: tokenFromEnv('MY_API_TOKEN'),
+ *   allowUnsafeMode: true, // Static tokens often don't have JWKS
+ * });
+ * ```
+ */
+declare function tokenFromEnv(varName: string): TokenSupplier;
+/**
+ * Token refresh endpoint response (standard OAuth2)
+ */
+interface TokenResponse {
+    access_token: string;
+    token_type?: string;
+    expires_in?: number;
+    refresh_token?: string;
+}
+/**
+ * Options for creating a refresh-based token supplier
+ */
+interface RefreshTokenOptions {
+    /** Token endpoint URL (e.g., https://auth.example.com/oauth/token) */
+    readonly tokenEndpoint: string;
+    /** OAuth client ID */
+    readonly clientId: string;
+    /** OAuth client secret (optional for public clients) */
+    readonly clientSecret?: string;
+    /** Refresh token - can be a string or a function that returns one */
+    readonly refreshToken: string | (() => string | Promise<string>);
+    /** Additional parameters to send (e.g., scope, audience) */
+    readonly additionalParams?: Record<string, string>;
+    /** Callback when new tokens are received (for storing refresh token) */
+    readonly onTokens?: (tokens: TokenResponse) => void | Promise<void>;
+}
+/**
+ * Creates a token supplier that fetches tokens using a refresh token
+ * Handles the OAuth2 refresh_token grant type automatically
+ *
+ * This is NOT a black box - you control:
+ * - The token endpoint URL
+ * - Credentials (client ID/secret)
+ * - How refresh tokens are obtained and stored
+ * - Additional parameters (scope, audience)
+ *
+ * @example
+ * ```ts
+ * // Basic refresh token flow
+ * const auth = oauthBearer({
+ *   tokenSupplier: tokenFromRefresh({
+ *     tokenEndpoint: 'https://auth.example.com/oauth/token',
+ *     clientId: 'my-app',
+ *     clientSecret: process.env.CLIENT_SECRET,
+ *     refreshToken: () => getStoredRefreshToken(),
+ *     onTokens: async (tokens) => {
+ *       // Store the new refresh token if rotated
+ *       if (tokens.refresh_token) {
+ *         await storeRefreshToken(tokens.refresh_token);
+ *       }
+ *     },
+ *   }),
+ *   jwks: jwksFromIssuer('https://auth.example.com/'),
+ * });
+ * ```
+ */
+declare function tokenFromRefresh(options: RefreshTokenOptions): TokenSupplier;
+/**
+ * Options for client credentials grant
+ */
+interface ClientCredentialsOptions {
+    /** Token endpoint URL */
+    readonly tokenEndpoint: string;
+    /** OAuth client ID */
+    readonly clientId: string;
+    /** OAuth client secret */
+    readonly clientSecret: string;
+    /** Requested scopes (optional) */
+    readonly scope?: string;
+    /** Additional parameters */
+    readonly additionalParams?: Record<string, string>;
+}
+/**
+ * Creates a token supplier using client credentials grant
+ * Ideal for server-to-server authentication (machine-to-machine)
+ *
+ * @example
+ * ```ts
+ * const auth = oauthBearer({
+ *   tokenSupplier: tokenFromClientCredentials({
+ *     tokenEndpoint: 'https://auth.example.com/oauth/token',
+ *     clientId: process.env.CLIENT_ID,
+ *     clientSecret: process.env.CLIENT_SECRET,
+ *     scope: 'read:api write:api',
+ *   }),
+ *   jwks: jwksFromIssuer('https://auth.example.com/'),
+ * });
+ * ```
+ */
+declare function tokenFromClientCredentials(options: ClientCredentialsOptions): TokenSupplier;
+/**
+ * Creates a simple token supplier from a static string
+ * Useful for testing or when token is known at startup
+ *
+ * @example
+ * ```ts
+ * // For testing
+ * const auth = oauthBearer({
+ *   tokenSupplier: tokenFromStatic('test-token'),
+ *   allowUnsafeMode: true,
+ * });
+ * ```
+ */
+declare function tokenFromStatic(token: string): TokenSupplier;
+/**
+ * Creates a token supplier that caches the result of another supplier
+ * Reduces calls to expensive token operations
+ *
+ * @param supplier - The underlying token supplier
+ * @param ttlMs - Cache TTL in milliseconds (default: 5 minutes)
+ *
+ * @example
+ * ```ts
+ * const auth = oauthBearer({
+ *   // Cache client credentials token for 5 minutes
+ *   tokenSupplier: tokenWithCache(
+ *     tokenFromClientCredentials({ ... }),
+ *     5 * 60 * 1000
+ *   ),
+ *   jwks: jwksFromIssuer('https://auth.example.com/'),
+ * });
+ * ```
+ */
+declare function tokenWithCache(supplier: TokenSupplier, ttlMs?: number): TokenSupplier;
+export { type ClientCredentialsOptions, type JWKSSource, type OAuthBearerOptions, type RefreshTokenOptions, type TokenSupplier, jwksFromIssuer, jwksFromKey, jwksFromUrl, oauthBearer, tokenFromClientCredentials, tokenFromEnv, tokenFromRefresh, tokenFromStatic, tokenWithCache };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,3 @@
+import {OAUTH_CONFIG}from'@unireq/config';import {policy,getHeader}from'@unireq/core';import {createRemoteJWKSet,jwtVerify,importSPKI}from'jose';function R(e){try{let r=e.split(".");if(r.length!==3)return null;let t=r[1];if(!t)return null;let n=atob(t.replace(/-/g,"+").replace(/_/g,"/"));return JSON.parse(n)}catch{return null}}async function P(e,r){if(r.type==="url"){let o=createRemoteJWKSet(new URL(r.url)),{payload:s}=await jwtVerify(e,o);return s}let t=await importSPKI(r.key,"RS256"),{payload:n}=await jwtVerify(e,t);return n}async function O(e,r,t){let n;if(t?n=await P(e,t):(console.warn("[SECURITY WARNING] JWT signature not verified. Provide JWKS for secure verification."),n=R(e)),!n?.exp)return  false;let o=Math.floor(Date.now()/1e3);return n.exp<=o+r}var d=new Map,f=new Map,W=3e4;async function k(e){let r=d.get(e);if(r)return r;let t=setTimeout(()=>{d.delete(e),f.delete(e);},W);f.set(e,t);let n=Promise.resolve(e()).finally(()=>{d.delete(e);let o=f.get(e);o&&(clearTimeout(o),f.delete(e));});return d.set(e,n),n}function x(e){let{tokenSupplier:r,jwks:t,skew:n=OAUTH_CONFIG.JWT_CLOCK_SKEW,autoRefresh:o=OAUTH_CONFIG.AUTO_REFRESH,onRefresh:s,allowUnsafeMode:c=false}=e;if(!t&&!c)throw new Error('[SECURITY ERROR] JWT signature verification disabled without explicit acknowledgment. Either provide "jwks" option for secure verification OR set "allowUnsafeMode: true" (NOT RECOMMENDED FOR PRODUCTION). See OWASP A02:2021 - Cryptographic Failures: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/');!t&&c&&console.error('[SECURITY WARNING] Running in UNSAFE MODE. JWT signatures NOT verified. Tokens can be forged by attackers. DO NOT use in production! Provide "jwks" option for secure JWT verification.');let i=null;return policy(async(p,l)=>{let a=i;a||(a=await k(r),i=a),await O(a,n,t)&&(s&&await Promise.resolve(s()),a=await k(r),i=a);let u=await l({...p,headers:{...p.headers,authorization:`Bearer ${a}`}});if(u.status===401&&o&&getHeader(u.headers,"www-authenticate")?.toLowerCase().includes("bearer")){s&&await Promise.resolve(s());let y=await k(r);return i=y,l({...p,headers:{...p.headers,authorization:`Bearer ${y}`}})}return u},{name:"oauthBearer",kind:"auth",options:{jwks:t?`[${t.type}]`:void 0,skew:n,autoRefresh:o,allowUnsafeMode:c}})}function E(e){return {type:"url",url:e}}function C(e){return {type:"key",key:e}}function J(e){return {type:"url",url:`${e.replace(/\/$/,"")}/.well-known/jwks.json`}}function _(e){return ()=>{let r=process.env[e];if(!r)throw new Error(`Environment variable ${e} is not set`);return r}}function b(e){let{tokenEndpoint:r,clientId:t,clientSecret:n,refreshToken:o,additionalParams:s={},onTokens:c}=e;return async()=>{let i=typeof o=="function"?await o():o,p=new URLSearchParams({grant_type:"refresh_token",client_id:t,refresh_token:i,...s});n&&p.append("client_secret",n);let l=await fetch(r,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:p.toString()});if(!l.ok){let u=await l.text().catch(()=>"Unknown error");throw new Error(`Token refresh failed: ${l.status} - ${u}`)}let a=await l.json();return c&&await c(a),a.access_token}}function v(e){let{tokenEndpoint:r,clientId:t,clientSecret:n,scope:o,additionalParams:s={}}=e;return async()=>{let c=new URLSearchParams({grant_type:"client_credentials",client_id:t,client_secret:n,...s});o&&c.append("scope",o);let i=await fetch(r,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:c.toString()});if(!i.ok){let l=await i.text().catch(()=>"Unknown error");throw new Error(`Client credentials grant failed: ${i.status} - ${l}`)}return (await i.json()).access_token}}function F(e){return ()=>e}function U(e,r=300*1e3){let t=null,n=0;return async()=>{if(t&&Date.now()<n)return t;let o=await e();return t=o,n=Date.now()+r,o}}
+export{J as jwksFromIssuer,C as jwksFromKey,E as jwksFromUrl,x as oauthBearer,v as tokenFromClientCredentials,_ as tokenFromEnv,b as tokenFromRefresh,F as tokenFromStatic,U as tokenWithCache};//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/bearer.ts","../src/helpers.ts"],"names":["decodeJWTUnsafe","token","parts","payload","decoded","verifyJWT","jwks","getKey","createRemoteJWKSet","jwtVerify","key","importSPKI","isJWTExpired","skewSeconds","now","refreshLocks","refreshTimeouts","REFRESH_LOCK_TIMEOUT","getTokenWithRefresh","supplier","existingRefresh","timeoutId","refreshPromise","timeout","oauthBearer","options","tokenSupplier","skew","OAUTH_CONFIG","autoRefresh","onRefresh","allowUnsafeMode","cachedToken","policy","ctx","next","response","getHeader","newToken","jwksFromUrl","url","jwksFromKey","pemKey","jwksFromIssuer","issuerUrl","tokenFromEnv","varName","tokenFromRefresh","tokenEndpoint","clientId","clientSecret","refreshToken","additionalParams","onTokens","currentRefreshToken","body","errorText","tokens","tokenFromClientCredentials","scope","tokenFromStatic","tokenWithCache","ttlMs","expiresAt"],"mappings":"iJAgCA,SAASA,EAAgBC,CAAAA,CAAkC,CACzD,GAAI,CACF,IAAMC,EAAQD,CAAAA,CAAM,KAAA,CAAM,GAAG,CAAA,CAC7B,GAAIC,EAAM,MAAA,GAAW,CAAA,CAAG,OAAO,IAAA,CAE/B,IAAMC,EAAUD,CAAAA,CAAM,CAAC,EACvB,GAAI,CAACC,EAAS,OAAO,IAAA,CAErB,IAAMC,CAAAA,CAAU,KAAKD,CAAAA,CAAQ,OAAA,CAAQ,KAAM,GAAG,CAAA,CAAE,QAAQ,IAAA,CAAM,GAAG,CAAC,CAAA,CAClE,OAAO,KAAK,KAAA,CAAMC,CAAO,CAC3B,CAAA,KAAQ,CACN,OAAO,IACT,CACF,CASA,eAAeC,CAAAA,CAAUJ,EAAeK,CAAAA,CAA8C,CACpF,GAAIA,CAAAA,CAAK,IAAA,GAAS,MAAO,CAEvB,IAAMC,EAASC,kBAAAA,CAAmB,IAAI,IAAIF,CAAAA,CAAK,GAAG,CAAC,CAAA,CAC7C,CAAE,QAAAH,CAAQ,CAAA,CAAI,MAAMM,SAAAA,CAAUR,EAAOM,CAAM,CAAA,CACjD,OAAOJ,CACT,CAGA,IAAMO,CAAAA,CAAM,MAAMC,WAAWL,CAAAA,CAAK,GAAA,CAAK,OAAO,CAAA,CACxC,CAAE,QAAAH,CAAQ,CAAA,CAAI,MAAMM,SAAAA,CAAUR,CAAAA,CAAOS,CAAG,CAAA,CAC9C,OAAOP,CACT,CASA,eAAeS,EAAaX,CAAAA,CAAeY,CAAAA,CAAqBP,EAAqC,CACnG,IAAIH,EAWJ,GATIG,CAAAA,CAEFH,EAAU,MAAME,CAAAA,CAAUJ,EAAOK,CAAI,CAAA,EAGrC,QAAQ,IAAA,CAAK,sFAAsF,CAAA,CACnGH,CAAAA,CAAUH,EAAgBC,CAAK,CAAA,CAAA,CAG7B,CAACE,CAAAA,EAAS,GAAA,CAAK,OAAO,MAAA,CAE1B,IAAMW,EAAM,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,CAAI,GAAI,CAAA,CACxC,OAAOX,EAAQ,GAAA,EAAOW,CAAAA,CAAMD,CAC9B,CA2BA,IAAME,EAAe,IAAI,GAAA,CACnBC,EAAkB,IAAI,GAAA,CAGtBC,EAAuB,GAAA,CAO7B,eAAeC,EAAoBC,CAAAA,CAA0C,CAE3E,IAAMC,CAAAA,CAAkBL,CAAAA,CAAa,IAAII,CAAQ,CAAA,CACjD,GAAIC,CAAAA,CACF,OAAOA,CAAAA,CAKT,IAAMC,EAAY,UAAA,CAAW,IAAM,CACjCN,CAAAA,CAAa,MAAA,CAAOI,CAAQ,CAAA,CAC5BH,CAAAA,CAAgB,OAAOG,CAAQ,EACjC,EAAGF,CAAoB,CAAA,CAGvBD,EAAgB,GAAA,CAAIG,CAAAA,CAAUE,CAAS,CAAA,CAGvC,IAAMC,EAAiB,OAAA,CAAQ,OAAA,CAAQH,GAAU,CAAA,CAAE,QAAQ,IAAM,CAG/DJ,EAAa,MAAA,CAAOI,CAAQ,EAC5B,IAAMI,CAAAA,CAAUP,EAAgB,GAAA,CAAIG,CAAQ,EACxCI,CAAAA,GACF,YAAA,CAAaA,CAAO,CAAA,CACpBP,CAAAA,CAAgB,MAAA,CAAOG,CAAQ,GAEnC,CAAC,CAAA,CAED,OAAAJ,CAAAA,CAAa,GAAA,CAAII,EAAUG,CAAc,CAAA,CAClCA,CACT,CAkCO,SAASE,EAAYC,CAAAA,CAAqC,CAC/D,GAAM,CACJ,aAAA,CAAAC,EACA,IAAA,CAAApB,CAAAA,CACA,KAAAqB,CAAAA,CAAOC,YAAAA,CAAa,eACpB,WAAA,CAAAC,CAAAA,CAAcD,aAAa,YAAA,CAC3B,SAAA,CAAAE,EACA,eAAA,CAAAC,CAAAA,CAAkB,KACpB,CAAA,CAAIN,CAAAA,CAGJ,GAAI,CAACnB,CAAAA,EAAQ,CAACyB,CAAAA,CACZ,MAAM,IAAI,KAAA,CACR,mTAIF,CAAA,CAIE,CAACzB,GAAQyB,CAAAA,EACX,OAAA,CAAQ,MACN,yLAGF,CAAA,CAIF,IAAIC,CAAAA,CAA6B,IAAA,CAEjC,OAAOC,MAAAA,CACL,MAAOC,EAAKC,CAAAA,GAAS,CAEnB,IAAIlC,CAAAA,CAAQ+B,CAAAA,CACP/B,IAEHA,CAAAA,CAAQ,MAAMiB,EAAoBQ,CAAa,CAAA,CAC/CM,EAAc/B,CAAAA,CAAAA,CAIZ,MAAMW,EAAaX,CAAAA,CAAO0B,CAAAA,CAAMrB,CAAI,CAAA,GAClCwB,CAAAA,EACF,MAAM,OAAA,CAAQ,OAAA,CAAQA,GAAW,CAAA,CAEnC7B,EAAQ,MAAMiB,CAAAA,CAAoBQ,CAAa,CAAA,CAC/CM,CAAAA,CAAc/B,CAAAA,CAAAA,CAIhB,IAAMmC,EAAW,MAAMD,CAAAA,CAAK,CAC1B,GAAGD,CAAAA,CACH,QAAS,CACP,GAAGA,EAAI,OAAA,CACP,aAAA,CAAe,UAAUjC,CAAK,CAAA,CAChC,CACF,CAAC,CAAA,CAGD,GAAImC,CAAAA,CAAS,MAAA,GAAW,KAAOP,CAAAA,EAEbQ,SAAAA,CAAUD,EAAS,OAAA,CAAS,kBAAkB,GAEjD,WAAA,EAAY,CAAE,SAAS,QAAQ,CAAA,CAAG,CACzCN,CAAAA,EACF,MAAM,QAAQ,OAAA,CAAQA,CAAAA,EAAW,CAAA,CAInC,IAAMQ,EAAW,MAAMpB,CAAAA,CAAoBQ,CAAa,CAAA,CACxD,OAAAM,CAAAA,CAAcM,CAAAA,CAGPH,EAAK,CACV,GAAGD,EACH,OAAA,CAAS,CACP,GAAGA,CAAAA,CAAI,OAAA,CACP,cAAe,CAAA,OAAA,EAAUI,CAAQ,EACnC,CACF,CAAC,CACH,CAGF,OAAOF,CACT,CAAA,CACA,CACE,KAAM,aAAA,CACN,IAAA,CAAM,OACN,OAAA,CAAS,CACP,KAAM9B,CAAAA,CAAO,CAAA,CAAA,EAAIA,EAAK,IAAI,CAAA,CAAA,CAAA,CAAM,OAChC,IAAA,CAAAqB,CAAAA,CACA,YAAAE,CAAAA,CACA,eAAA,CAAAE,CACF,CACF,CACF,CACF,CChRO,SAASQ,CAAAA,CAAYC,CAAAA,CAAyB,CACnD,OAAO,CAAE,KAAM,KAAA,CAAO,GAAA,CAAAA,CAAI,CAC5B,CAkBO,SAASC,CAAAA,CAAYC,CAAAA,CAA4B,CACtD,OAAO,CAAE,KAAM,KAAA,CAAO,GAAA,CAAKA,CAAO,CACpC,CAgBO,SAASC,CAAAA,CAAeC,CAAAA,CAA+B,CAG5D,OAAO,CAAE,KAAM,KAAA,CAAO,GAAA,CAAK,GADXA,CAAAA,CAAU,OAAA,CAAQ,MAAO,EAAE,CACN,wBAAyB,CAChE,CAeO,SAASC,CAAAA,CAAaC,CAAAA,CAAgC,CAC3D,OAAO,IAAM,CACX,IAAM7C,EAAQ,OAAA,CAAQ,GAAA,CAAI6C,CAAO,CAAA,CACjC,GAAI,CAAC7C,CAAAA,CACH,MAAM,IAAI,KAAA,CAAM,CAAA,qBAAA,EAAwB6C,CAAO,CAAA,WAAA,CAAa,CAAA,CAE9D,OAAO7C,CACT,CACF,CA4DO,SAAS8C,CAAAA,CAAiBtB,EAA6C,CAC5E,GAAM,CAAE,aAAA,CAAAuB,CAAAA,CAAe,SAAAC,CAAAA,CAAU,YAAA,CAAAC,EAAc,YAAA,CAAAC,CAAAA,CAAc,iBAAAC,CAAAA,CAAmB,GAAI,QAAA,CAAAC,CAAS,EAAI5B,CAAAA,CAEjG,OAAO,SAA6B,CAElC,IAAM6B,CAAAA,CAAsB,OAAOH,GAAiB,UAAA,CAAa,MAAMA,GAAa,CAAIA,CAAAA,CAGlFI,EAAO,IAAI,eAAA,CAAgB,CAC/B,UAAA,CAAY,eAAA,CACZ,UAAWN,CAAAA,CACX,aAAA,CAAeK,EACf,GAAGF,CACL,CAAC,CAAA,CAEGF,CAAAA,EACFK,EAAK,MAAA,CAAO,eAAA,CAAiBL,CAAY,CAAA,CAI3C,IAAMd,EAAW,MAAM,KAAA,CAAMY,EAAe,CAC1C,MAAA,CAAQ,OACR,OAAA,CAAS,CACP,eAAgB,mCAClB,CAAA,CACA,KAAMO,CAAAA,CAAK,QAAA,EACb,CAAC,EAED,GAAI,CAACnB,EAAS,EAAA,CAAI,CAChB,IAAMoB,CAAAA,CAAY,MAAMpB,EAAS,IAAA,EAAK,CAAE,MAAM,IAAM,eAAe,EACnE,MAAM,IAAI,MAAM,CAAA,sBAAA,EAAyBA,CAAAA,CAAS,MAAM,CAAA,GAAA,EAAMoB,CAAS,EAAE,CAC3E,CAEA,IAAMC,CAAAA,CAAU,MAAMrB,EAAS,IAAA,EAAK,CAGpC,OAAIiB,CAAAA,EACF,MAAMA,EAASI,CAAM,CAAA,CAGhBA,EAAO,YAChB,CACF,CAmCO,SAASC,CAAAA,CAA2BjC,CAAAA,CAAkD,CAC3F,GAAM,CAAE,aAAA,CAAAuB,EAAe,QAAA,CAAAC,CAAAA,CAAU,aAAAC,CAAAA,CAAc,KAAA,CAAAS,EAAO,gBAAA,CAAAP,CAAAA,CAAmB,EAAG,CAAA,CAAI3B,EAEhF,OAAO,SAA6B,CAClC,IAAM8B,CAAAA,CAAO,IAAI,eAAA,CAAgB,CAC/B,WAAY,oBAAA,CACZ,SAAA,CAAWN,EACX,aAAA,CAAeC,CAAAA,CACf,GAAGE,CACL,CAAC,EAEGO,CAAAA,EACFJ,CAAAA,CAAK,OAAO,OAAA,CAASI,CAAK,EAG5B,IAAMvB,CAAAA,CAAW,MAAM,KAAA,CAAMY,CAAAA,CAAe,CAC1C,MAAA,CAAQ,OACR,OAAA,CAAS,CACP,eAAgB,mCAClB,CAAA,CACA,KAAMO,CAAAA,CAAK,QAAA,EACb,CAAC,CAAA,CAED,GAAI,CAACnB,CAAAA,CAAS,GAAI,CAChB,IAAMoB,EAAY,MAAMpB,CAAAA,CAAS,MAAK,CAAE,KAAA,CAAM,IAAM,eAAe,CAAA,CACnE,MAAM,IAAI,KAAA,CAAM,oCAAoCA,CAAAA,CAAS,MAAM,MAAMoB,CAAS,CAAA,CAAE,CACtF,CAGA,OAAA,CADgB,MAAMpB,CAAAA,CAAS,IAAA,IACjB,YAChB,CACF,CAeO,SAASwB,CAAAA,CAAgB3D,EAA8B,CAC5D,OAAO,IAAMA,CACf,CAqBO,SAAS4D,CAAAA,CAAe1C,CAAAA,CAAyB2C,EAAQ,GAAA,CAAS,GAAA,CAAqB,CAC5F,IAAI9B,CAAAA,CAA6B,KAC7B+B,CAAAA,CAAY,CAAA,CAEhB,OAAO,SAA6B,CAClC,GAAI/B,CAAAA,EAAe,IAAA,CAAK,KAAI,CAAI+B,CAAAA,CAC9B,OAAO/B,CAAAA,CAGT,IAAM/B,EAAQ,MAAMkB,CAAAA,GACpB,OAAAa,CAAAA,CAAc/B,EACd8D,CAAAA,CAAY,IAAA,CAAK,KAAI,CAAID,CAAAA,CAClB7D,CACT,CACF","file":"index.js","sourcesContent":["/**\n * OAuth 2.0 Bearer token authentication (RFC 6750)\n * @see https://datatracker.ietf.org/doc/html/rfc6750\n */\n\nimport { OAUTH_CONFIG } from '@unireq/config';\nimport type { Policy } from '@unireq/core';\nimport { getHeader, policy } from '@unireq/core';\nimport { createRemoteJWKSet, importSPKI, jwtVerify } from 'jose';\n\n/** Token supplier function (lazy evaluation) */\nexport type TokenSupplier = () => string | Promise<string>;\n\n/** JWT payload structure (minimal) */\ninterface JWTPayload {\n exp?: number;\n iat?: number;\n [key: string]: unknown;\n}\n\n/**\n * JWKS (JSON Web Key Set) for JWT verification\n * Can be a URL to fetch JWKS or a static key\n */\nexport type JWKSSource = { type: 'url'; url: string } | { type: 'key'; key: string };\n\n/**\n * Decodes JWT payload without verification (INSECURE - for exp check only)\n * @param token - JWT token\n * @returns Decoded payload\n * @deprecated Use verifyJWT with JWKS for secure verification\n */\nfunction decodeJWTUnsafe(token: string): JWTPayload | null {\n try {\n const parts = token.split('.');\n if (parts.length !== 3) return null;\n\n const payload = parts[1];\n if (!payload) return null;\n\n const decoded = atob(payload.replace(/-/g, '+').replace(/_/g, '/'));\n return JSON.parse(decoded) as JWTPayload;\n } catch {\n return null;\n }\n}\n\n/**\n * Verifies JWT with jose library (SECURE)\n * @param token - JWT token\n * @param jwks - JWKS source for verification\n * @returns Decoded and verified payload\n * @throws Error if jose library is not installed\n */\nasync function verifyJWT(token: string, jwks: JWKSSource): Promise<JWTPayload | null> {\n if (jwks.type === 'url') {\n // JWKS URL - jose will fetch and cache\n const getKey = createRemoteJWKSet(new URL(jwks.url));\n const { payload } = await jwtVerify(token, getKey);\n return payload as JWTPayload;\n }\n\n // Static PEM key (RS256)\n const key = await importSPKI(jwks.key, 'RS256');\n const { payload } = await jwtVerify(token, key);\n return payload as JWTPayload;\n}\n\n/**\n * Checks if JWT is expired with clock skew tolerance\n * @param token - JWT token\n * @param skewSeconds - Clock skew tolerance in seconds\n * @param jwks - Optional JWKS for secure verification\n * @returns True if token is expired or about to expire\n */\nasync function isJWTExpired(token: string, skewSeconds: number, jwks?: JWKSSource): Promise<boolean> {\n let payload: JWTPayload | null;\n\n if (jwks) {\n // Secure verification with jose\n payload = await verifyJWT(token, jwks);\n } else {\n // Fallback: unsafe decode (no signature verification)\n console.warn('[SECURITY WARNING] JWT signature not verified. Provide JWKS for secure verification.');\n payload = decodeJWTUnsafe(token);\n }\n\n if (!payload?.exp) return false;\n\n const now = Math.floor(Date.now() / 1000);\n return payload.exp <= now + skewSeconds;\n}\n\n/**\n * OAuth Bearer options\n */\nexport interface OAuthBearerOptions {\n /** Token supplier function (lazy evaluation) */\n readonly tokenSupplier: TokenSupplier;\n /** JWKS source for secure JWT verification (highly recommended for production) */\n readonly jwks?: JWKSSource;\n /** Clock skew tolerance in seconds (default: 60) */\n readonly skew?: number;\n /** Auto-refresh on 401 (default: true) */\n readonly autoRefresh?: boolean;\n /** Callback before token refresh */\n readonly onRefresh?: () => void | Promise<void>;\n /**\n * Allow unsafe mode without JWKS verification (NOT RECOMMENDED FOR PRODUCTION)\n * When false (default), throws error if jwks is not provided\n * When true, only logs warning and checks expiration without signature verification\n * @security OWASP A02:2021 - Enabling this bypasses cryptographic verification\n * @default false\n */\n readonly allowUnsafeMode?: boolean;\n}\n\n// Single-flight refresh lock with timeout cleanup\nconst refreshLocks = new Map<TokenSupplier, Promise<string>>();\nconst refreshTimeouts = new Map<TokenSupplier, ReturnType<typeof setTimeout>>();\n\n// Lock timeout duration (30 seconds - if refresh takes longer, something is wrong)\nconst REFRESH_LOCK_TIMEOUT = 30000;\n\n/**\n * Gets token with single-flight refresh guarantee\n * Ensures only one refresh happens at a time per supplier\n * Includes timeout cleanup to prevent memory leaks\n */\nasync function getTokenWithRefresh(supplier: TokenSupplier): Promise<string> {\n // Check if refresh is already in progress\n const existingRefresh = refreshLocks.get(supplier);\n if (existingRefresh) {\n return existingRefresh;\n }\n\n // Set timeout to cleanup lock in case of long-running or crashed refresh\n /* v8 ignore start - timeout cleanup path, difficult to test reliably */\n const timeoutId = setTimeout(() => {\n refreshLocks.delete(supplier);\n refreshTimeouts.delete(supplier);\n }, REFRESH_LOCK_TIMEOUT);\n /* v8 ignore stop */\n\n refreshTimeouts.set(supplier, timeoutId);\n\n // Start new refresh\n const refreshPromise = Promise.resolve(supplier()).finally(() => {\n // Clean up lock and timeout on success or failure\n // .finally() runs for both resolved and rejected promises\n refreshLocks.delete(supplier);\n const timeout = refreshTimeouts.get(supplier);\n if (timeout) {\n clearTimeout(timeout);\n refreshTimeouts.delete(supplier);\n }\n });\n\n refreshLocks.set(supplier, refreshPromise);\n return refreshPromise;\n}\n\n/**\n * Creates an OAuth 2.0 Bearer token authentication policy\n * - Lazy token evaluation via supplier\n * - JWT exp + skew validation\n * - Optional secure JWT verification with jose (RECOMMENDED)\n * - Single-flight refresh on 401\n * - Single replay after refresh\n *\n * @param options - OAuth Bearer options\n * @returns Policy that handles Bearer authentication\n *\n * @example\n * ```ts\n * // Secure verification with JWKS URL\n * const authPolicy = oauthBearer({\n * tokenSupplier: async () => 'eyJhbGci...',\n * jwks: { type: 'url', url: 'https://example.com/.well-known/jwks.json' },\n * skew: 60,\n * onRefresh: () => console.log('Refreshing token...')\n * });\n *\n * // Secure verification with static public key\n * const authPolicy = oauthBearer({\n * tokenSupplier: async () => 'eyJhbGci...',\n * jwks: { type: 'key', key: publicKeyPEM },\n * skew: 60\n * });\n * ```\n *\n * @security IMPORTANT: Provide `jwks` option for secure JWT signature verification.\n * Without it, only expiration is checked (no signature validation).\n */\nexport function oauthBearer(options: OAuthBearerOptions): Policy {\n const {\n tokenSupplier,\n jwks,\n skew = OAUTH_CONFIG.JWT_CLOCK_SKEW,\n autoRefresh = OAUTH_CONFIG.AUTO_REFRESH,\n onRefresh,\n allowUnsafeMode = false,\n } = options;\n\n // Security validation: Require JWKS or explicit unsafe mode acknowledgment\n if (!jwks && !allowUnsafeMode) {\n throw new Error(\n '[SECURITY ERROR] JWT signature verification disabled without explicit acknowledgment. ' +\n 'Either provide \"jwks\" option for secure verification OR set \"allowUnsafeMode: true\" ' +\n '(NOT RECOMMENDED FOR PRODUCTION). ' +\n 'See OWASP A02:2021 - Cryptographic Failures: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/',\n );\n }\n\n // Log security warning if unsafe mode is explicitly enabled\n if (!jwks && allowUnsafeMode) {\n console.error(\n '[SECURITY WARNING] Running in UNSAFE MODE. JWT signatures NOT verified. ' +\n 'Tokens can be forged by attackers. DO NOT use in production! ' +\n 'Provide \"jwks\" option for secure JWT verification.',\n );\n }\n\n // Cache token in closure to avoid re-fetching on every request\n let cachedToken: string | null = null;\n\n return policy(\n async (ctx, next) => {\n // Get initial token (use cached if available)\n let token = cachedToken;\n if (!token) {\n // Use single-flight mechanism for initial fetch to handle concurrent requests\n token = await getTokenWithRefresh(tokenSupplier);\n cachedToken = token;\n }\n\n // Check if token is expired\n if (await isJWTExpired(token, skew, jwks)) {\n if (onRefresh) {\n await Promise.resolve(onRefresh());\n }\n token = await getTokenWithRefresh(tokenSupplier);\n cachedToken = token;\n }\n\n // Add Authorization header\n const response = await next({\n ...ctx,\n headers: {\n ...ctx.headers,\n authorization: `Bearer ${token}`,\n },\n });\n\n // Handle 401 Unauthorized - single refresh and replay\n if (response.status === 401 && autoRefresh) {\n // Check WWW-Authenticate header for Bearer realm\n const wwwAuth = getHeader(response.headers, 'www-authenticate');\n\n if (wwwAuth?.toLowerCase().includes('bearer')) {\n if (onRefresh) {\n await Promise.resolve(onRefresh());\n }\n\n // Refresh token (single-flight)\n const newToken = await getTokenWithRefresh(tokenSupplier);\n cachedToken = newToken;\n\n // Single replay\n return next({\n ...ctx,\n headers: {\n ...ctx.headers,\n authorization: `Bearer ${newToken}`,\n },\n });\n }\n }\n\n return response;\n },\n {\n name: 'oauthBearer',\n kind: 'auth',\n options: {\n jwks: jwks ? `[${jwks.type}]` : undefined,\n skew,\n autoRefresh,\n allowUnsafeMode,\n },\n },\n );\n}\n","/**\n * OAuth 2.0 DX helpers - transparent utility functions\n * These helpers make common OAuth configurations easier without hiding complexity.\n * You can always use the raw oauthBearer() options directly for full control.\n */\n\nimport type { JWKSSource, TokenSupplier } from './bearer.js';\n\n/**\n * Creates a JWKS source from a URL\n * This is the most common approach for production - fetch keys from identity provider\n *\n * @example\n * ```ts\n * const auth = oauthBearer({\n * tokenSupplier: myTokenSupplier,\n * jwks: jwksFromUrl('https://login.example.com/.well-known/jwks.json'),\n * });\n * ```\n */\nexport function jwksFromUrl(url: string): JWKSSource {\n return { type: 'url', url };\n}\n\n/**\n * Creates a JWKS source from a static PEM public key\n * Use this when you have the signing key directly (e.g., from config/secrets)\n *\n * @example\n * ```ts\n * const publicKeyPEM = `-----BEGIN PUBLIC KEY-----\n * MIIBIjANBgkqh...\n * -----END PUBLIC KEY-----`;\n *\n * const auth = oauthBearer({\n * tokenSupplier: myTokenSupplier,\n * jwks: jwksFromKey(publicKeyPEM),\n * });\n * ```\n */\nexport function jwksFromKey(pemKey: string): JWKSSource {\n return { type: 'key', key: pemKey };\n}\n\n/**\n * Derives JWKS URL from OpenID Connect issuer\n * Follows the standard .well-known/openid-configuration path\n *\n * @example\n * ```ts\n * // For Auth0: https://your-tenant.auth0.com/.well-known/jwks.json\n * // For Okta: https://your-domain.okta.com/oauth2/default/v1/keys\n * const auth = oauthBearer({\n * tokenSupplier: myTokenSupplier,\n * jwks: jwksFromIssuer('https://your-tenant.auth0.com/'),\n * });\n * ```\n */\nexport function jwksFromIssuer(issuerUrl: string): JWKSSource {\n // Normalize issuer URL (remove trailing slash)\n const baseUrl = issuerUrl.replace(/\\/$/, '');\n return { type: 'url', url: `${baseUrl}/.well-known/jwks.json` };\n}\n\n/**\n * Creates a token supplier from an environment variable\n * Useful for static tokens (API keys) or tokens set at process startup\n *\n * @example\n * ```ts\n * // Reads process.env.MY_API_TOKEN on each request\n * const auth = oauthBearer({\n * tokenSupplier: tokenFromEnv('MY_API_TOKEN'),\n * allowUnsafeMode: true, // Static tokens often don't have JWKS\n * });\n * ```\n */\nexport function tokenFromEnv(varName: string): TokenSupplier {\n return () => {\n const token = process.env[varName];\n if (!token) {\n throw new Error(`Environment variable ${varName} is not set`);\n }\n return token;\n };\n}\n\n/**\n * Token refresh endpoint response (standard OAuth2)\n */\ninterface TokenResponse {\n access_token: string;\n token_type?: string;\n expires_in?: number;\n refresh_token?: string;\n}\n\n/**\n * Options for creating a refresh-based token supplier\n */\nexport interface RefreshTokenOptions {\n /** Token endpoint URL (e.g., https://auth.example.com/oauth/token) */\n readonly tokenEndpoint: string;\n /** OAuth client ID */\n readonly clientId: string;\n /** OAuth client secret (optional for public clients) */\n readonly clientSecret?: string;\n /** Refresh token - can be a string or a function that returns one */\n readonly refreshToken: string | (() => string | Promise<string>);\n /** Additional parameters to send (e.g., scope, audience) */\n readonly additionalParams?: Record<string, string>;\n /** Callback when new tokens are received (for storing refresh token) */\n readonly onTokens?: (tokens: TokenResponse) => void | Promise<void>;\n}\n\n/**\n * Creates a token supplier that fetches tokens using a refresh token\n * Handles the OAuth2 refresh_token grant type automatically\n *\n * This is NOT a black box - you control:\n * - The token endpoint URL\n * - Credentials (client ID/secret)\n * - How refresh tokens are obtained and stored\n * - Additional parameters (scope, audience)\n *\n * @example\n * ```ts\n * // Basic refresh token flow\n * const auth = oauthBearer({\n * tokenSupplier: tokenFromRefresh({\n * tokenEndpoint: 'https://auth.example.com/oauth/token',\n * clientId: 'my-app',\n * clientSecret: process.env.CLIENT_SECRET,\n * refreshToken: () => getStoredRefreshToken(),\n * onTokens: async (tokens) => {\n * // Store the new refresh token if rotated\n * if (tokens.refresh_token) {\n * await storeRefreshToken(tokens.refresh_token);\n * }\n * },\n * }),\n * jwks: jwksFromIssuer('https://auth.example.com/'),\n * });\n * ```\n */\nexport function tokenFromRefresh(options: RefreshTokenOptions): TokenSupplier {\n const { tokenEndpoint, clientId, clientSecret, refreshToken, additionalParams = {}, onTokens } = options;\n\n return async (): Promise<string> => {\n // Get refresh token (can be dynamic)\n const currentRefreshToken = typeof refreshToken === 'function' ? await refreshToken() : refreshToken;\n\n // Build form body\n const body = new URLSearchParams({\n grant_type: 'refresh_token',\n client_id: clientId,\n refresh_token: currentRefreshToken,\n ...additionalParams,\n });\n\n if (clientSecret) {\n body.append('client_secret', clientSecret);\n }\n\n // Make token request\n const response = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n },\n body: body.toString(),\n });\n\n if (!response.ok) {\n const errorText = await response.text().catch(() => 'Unknown error');\n throw new Error(`Token refresh failed: ${response.status} - ${errorText}`);\n }\n\n const tokens = (await response.json()) as TokenResponse;\n\n // Notify caller of new tokens (for refresh token rotation)\n if (onTokens) {\n await onTokens(tokens);\n }\n\n return tokens.access_token;\n };\n}\n\n/**\n * Options for client credentials grant\n */\nexport interface ClientCredentialsOptions {\n /** Token endpoint URL */\n readonly tokenEndpoint: string;\n /** OAuth client ID */\n readonly clientId: string;\n /** OAuth client secret */\n readonly clientSecret: string;\n /** Requested scopes (optional) */\n readonly scope?: string;\n /** Additional parameters */\n readonly additionalParams?: Record<string, string>;\n}\n\n/**\n * Creates a token supplier using client credentials grant\n * Ideal for server-to-server authentication (machine-to-machine)\n *\n * @example\n * ```ts\n * const auth = oauthBearer({\n * tokenSupplier: tokenFromClientCredentials({\n * tokenEndpoint: 'https://auth.example.com/oauth/token',\n * clientId: process.env.CLIENT_ID,\n * clientSecret: process.env.CLIENT_SECRET,\n * scope: 'read:api write:api',\n * }),\n * jwks: jwksFromIssuer('https://auth.example.com/'),\n * });\n * ```\n */\nexport function tokenFromClientCredentials(options: ClientCredentialsOptions): TokenSupplier {\n const { tokenEndpoint, clientId, clientSecret, scope, additionalParams = {} } = options;\n\n return async (): Promise<string> => {\n const body = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: clientId,\n client_secret: clientSecret,\n ...additionalParams,\n });\n\n if (scope) {\n body.append('scope', scope);\n }\n\n const response = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n },\n body: body.toString(),\n });\n\n if (!response.ok) {\n const errorText = await response.text().catch(() => 'Unknown error');\n throw new Error(`Client credentials grant failed: ${response.status} - ${errorText}`);\n }\n\n const tokens = (await response.json()) as TokenResponse;\n return tokens.access_token;\n };\n}\n\n/**\n * Creates a simple token supplier from a static string\n * Useful for testing or when token is known at startup\n *\n * @example\n * ```ts\n * // For testing\n * const auth = oauthBearer({\n * tokenSupplier: tokenFromStatic('test-token'),\n * allowUnsafeMode: true,\n * });\n * ```\n */\nexport function tokenFromStatic(token: string): TokenSupplier {\n return () => token;\n}\n\n/**\n * Creates a token supplier that caches the result of another supplier\n * Reduces calls to expensive token operations\n *\n * @param supplier - The underlying token supplier\n * @param ttlMs - Cache TTL in milliseconds (default: 5 minutes)\n *\n * @example\n * ```ts\n * const auth = oauthBearer({\n * // Cache client credentials token for 5 minutes\n * tokenSupplier: tokenWithCache(\n * tokenFromClientCredentials({ ... }),\n * 5 * 60 * 1000\n * ),\n * jwks: jwksFromIssuer('https://auth.example.com/'),\n * });\n * ```\n */\nexport function tokenWithCache(supplier: TokenSupplier, ttlMs = 5 * 60 * 1000): TokenSupplier {\n let cachedToken: string | null = null;\n let expiresAt = 0;\n\n return async (): Promise<string> => {\n if (cachedToken && Date.now() < expiresAt) {\n return cachedToken;\n }\n\n const token = await supplier();\n cachedToken = token;\n expiresAt = Date.now() + ttlMs;\n return token;\n };\n}\n"]}

package/package.json ADDED Viewed

@@ -0,0 +1,67 @@
+{
+  "name": "@unireq/oauth",
+  "version": "0.0.1",
+  "description": "OAuth Bearer authentication with JWT validation and auto-refresh for unireq",
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "keywords": [
+    "oauth",
+    "bearer",
+    "jwt",
+    "authentication"
+  ],
+  "author": "Olivier Orabona",
+  "license": "MIT",
+  "dependencies": {
+    "@unireq/core": "0.0.1",
+    "@unireq/config": "0.0.1"
+  },
+  "peerDependencies": {
+    "openid-client": "^6.1.3",
+    "jose": "^5.9.6"
+  },
+  "peerDependenciesMeta": {
+    "openid-client": {
+      "optional": true
+    },
+    "jose": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "typescript": "^5.9.3",
+    "tsup": "^8.5.1",
+    "vitest": "^4.0.16",
+    "jose": "^5.9.6"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/oorabona/unireq",
+    "directory": "packages/oauth"
+  },
+  "bugs": {
+    "url": "https://github.com/oorabona/unireq/issues"
+  },
+  "homepage": "https://github.com/oorabona/unireq/tree/main/packages/oauth",
+  "scripts": {
+    "build": "tsup",
+    "type-check": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "clean": "rm -rf dist *.tsbuildinfo"
+  }
+}