@usync/oauth2 0.1.4 → 0.1.5

package/README.md

@@ -1,8 +1,7 @@
 # @usync/oauth2
 
-[![NPM](https://img.shields.io/npm/v/@usync/oauth2.svg)](https://npm.im/@usync/oauth2)
+[![NPM](https://img.shields.io/npm/v/@usync/oauth2.svg)](https://npmx.dev/package/@usync/oauth2)
 ![License](https://img.shields.io/npm/l/@usync/oauth2.svg)
-[![jsDocs.io](https://img.shields.io/badge/jsDocs.io-reference-blue)](https://www.jsdocs.io/package/@usync/oauth2)
 
 OAuth2 support for provider-based authorization flows and token management.
 

package/dist/index.js

@@ -18,7 +18,18 @@ function o() {
 function s() {
 	return e(64);
 }
-async function c(e) {
+function c() {
+	return e(32);
+}
+function l(e) {
+	let t = e.split(".");
+	if (t.length !== 3) throw Error("Invalid JWT");
+	let n = atob(t[1].replace(/-/g, "+").replace(/_/g, "/")), r = new Uint8Array(n.length);
+	for (let e = 0; e < n.length; e++) r[e] = n.charCodeAt(e);
+	let i = new TextDecoder("utf-8").decode(r);
+	return JSON.parse(i);
+}
+async function u(e) {
 	let t = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(e));
 	return {
 		codeChallenge: a(new Uint8Array(t)),
@@ -27,9 +38,9 @@ async function c(e) {
 }
 //#endregion
 //#region src/providers/base.ts
-var l = class {
+var d = class {
 	constructor(e, t) {
-		this.options = e, this._accessToken = null, this._refreshToken = null, t && (this.setRefreshToken(t.refreshToken), this.setAccessToken(t.accessToken), this.session = t.session);
+		this.options = e, this._accessToken = null, this._refreshToken = null, this._idToken = null, t && (this.setRefreshToken(t.refreshToken), this.setAccessToken(t.accessToken), this.session = t.session);
 	}
 	_getValidToken(e) {
 		return e && (!e.expiresAt || Date.now() < e.expiresAt) ? e.token : void 0;
@@ -57,7 +68,13 @@ var l = class {
 	setRefreshToken(e) {
 		this._refreshToken = e ?? null;
 	}
-}, u = "https://www.dropbox.com/oauth2/authorize", d = "https://api.dropbox.com/oauth2/token", f = class extends l {
+	getClaims() {
+		if (!this._idToken) throw new i(2, "OIDC not enabled or claims not available");
+		let e = l(this._idToken);
+		if (this.session?.nonce && e.nonce !== this.session.nonce) throw new i(2, "nonce mismatch");
+		return e;
+	}
+}, f = "https://www.dropbox.com/oauth2/authorize", p = "https://api.dropbox.com/oauth2/token", m = class extends d {
 	static {
 		this.Scopes = { account: "account_info.read" };
 	}
@@ -66,7 +83,7 @@ var l = class {
 			state: o(),
 			codeVerifier: s()
 		};
-		let { codeChallenge: e, codeChallengeMethod: t } = await c(this.session.codeVerifier), n = new URL(u);
+		let { codeChallenge: e, codeChallengeMethod: t } = await u(this.session.codeVerifier), n = new URL(f);
 		return Object.entries({
 			client_id: this.options.clientId,
 			code_challenge: e,
@@ -95,7 +112,7 @@ var l = class {
 		}).forEach(([e, t]) => {
 			t != null && n.append(e, t);
 		});
-		let r = await fetch(d, {
+		let r = await fetch(p, {
 			method: "POST",
 			body: n
 		}), a = await r.json();
@@ -122,7 +139,7 @@ var l = class {
 		}).forEach(([t, n]) => {
 			n != null && e.append(t, n);
 		});
-		let n = await fetch(d, {
+		let n = await fetch(p, {
 			method: "POST",
 			body: e
 		}), r = await n.json();
@@ -135,7 +152,10 @@ var l = class {
 			expiresAt: Date.now() + r.expires_in * 1e3
 		}), r.access_token;
 	}
-}, p = "https://accounts.google.com/o/oauth2/v2/auth", m = "https://oauth2.googleapis.com/token", h = class extends l {
+	getClaims() {
+		throw new i(2, "OIDC not supported by Dropbox");
+	}
+}, h = "https://accounts.google.com/o/oauth2/v2/auth", g = "https://oauth2.googleapis.com/token", _ = class extends d {
 	static {
 		this.Scopes = {
 			account: "https://www.googleapis.com/auth/userinfo.profile",
@@ -143,19 +163,24 @@ var l = class {
 			imap: "https://mail.google.com/"
 		};
 	}
+	get isOidc() {
+		return this.options.scope?.split(/\s+/).includes("openid") ?? !1;
+	}
 	async buildAuthUrl() {
 		this.session = {
 			state: o(),
-			codeVerifier: s()
+			codeVerifier: s(),
+			...this.isOidc ? { nonce: c() } : {}
 		};
-		let { codeChallenge: e, codeChallengeMethod: t } = await c(this.session.codeVerifier), n = new URL(p);
+		let { codeChallenge: e, codeChallengeMethod: t } = await u(this.session.codeVerifier), n = new URL(h);
 		return Object.entries({
-			access_type: "offline",
+			access_type: this.options.provider?.google?.accessType,
 			client_id: this.options.clientId,
 			code_challenge: e,
 			code_challenge_method: t,
 			include_granted_scopes: "true",
-			prompt: "consent",
+			nonce: this.session.nonce,
+			prompt: this.options.provider?.google?.prompt,
 			redirect_uri: this.options.redirectUrl,
 			response_type: "code",
 			scope: this.options.scope,
@@ -179,7 +204,7 @@ var l = class {
 		}).forEach(([e, t]) => {
 			t != null && n.append(e, t);
 		});
-		let r = await fetch(m, {
+		let r = await fetch(g, {
 			method: "POST",
 			body: n
 		}), a = await r.json();
@@ -188,13 +213,17 @@ var l = class {
 			data: a
 		};
 		if (!a.refresh_token) throw new i(2, "Failed to get refresh_token");
-		return this._updateRefreshToken({
+		if (this._updateRefreshToken({
 			token: a.refresh_token,
 			scope: a.scope
 		}), this._updateAccessToken({
 			token: a.access_token,
 			expiresAt: Date.now() + a.expires_in * 1e3
-		}), a.access_token;
+		}), this.isOidc) {
+			if (!a.id_token) throw new i(2, "OIDC enabled but no id_token returned");
+			this._idToken = a.id_token;
+		}
+		return a.access_token;
 	}
 	async refreshToken() {
 		let e = new URLSearchParams(), t = this.getRefreshToken();
@@ -207,7 +236,7 @@ var l = class {
 		}).forEach(([t, n]) => {
 			n != null && e.append(t, n);
 		});
-		let n = await fetch(m, {
+		let n = await fetch(g, {
 			method: "POST",
 			body: e
 		}), r = await n.json();
@@ -220,26 +249,31 @@ var l = class {
 			expiresAt: Date.now() + r.expires_in * 1e3
 		}), r.access_token;
 	}
-}, g = class extends l {
+}, v = class extends d {
 	static {
 		this.Scopes = {
 			imap: "offline_access https://outlook.office.com/IMAP.AccessAsUser.All",
 			onedrive: "openid profile Files.ReadWrite.AppFolder offline_access"
 		};
 	}
+	get isOidc() {
+		return this.options.scope?.split(/\s+/).includes("openid") ?? !1;
+	}
 	oauth2Url(e) {
 		return `https://login.microsoftonline.com/${this.options.provider?.microsoft?.accountType ?? "common"}/oauth2/v2.0/${e}`;
 	}
 	async buildAuthUrl() {
 		this.session = {
 			state: o(),
-			codeVerifier: s()
+			codeVerifier: s(),
+			...this.isOidc ? { nonce: c() } : {}
 		};
-		let { codeChallenge: e, codeChallengeMethod: t } = await c(this.session.codeVerifier), n = new URL(this.oauth2Url("authorize"));
+		let { codeChallenge: e, codeChallengeMethod: t } = await u(this.session.codeVerifier), n = new URL(this.oauth2Url("authorize"));
 		return Object.entries({
 			client_id: this.options.clientId,
 			code_challenge: e,
 			code_challenge_method: t,
+			nonce: this.session.nonce,
 			redirect_uri: this.options.redirectUrl,
 			response_mode: "query",
 			response_type: "code",
@@ -274,13 +308,17 @@ var l = class {
 			data: a
 		};
 		if (!a.refresh_token) throw new i(2, "Failed to get refresh_token");
-		return this._updateRefreshToken({
+		if (this._updateRefreshToken({
 			token: a.refresh_token,
 			scope: a.scope
 		}), this._updateAccessToken({
 			token: a.access_token,
 			expiresAt: Date.now() + a.expires_in * 1e3
-		}), a.access_token;
+		}), this.isOidc) {
+			if (!a.id_token) throw new i(2, "OIDC enabled but no id_token returned");
+			this._idToken = a.id_token;
+		}
+		return a.access_token;
 	}
 	async refreshToken() {
 		let e = new URLSearchParams(), t = this.getRefreshToken();
@@ -306,17 +344,17 @@ var l = class {
 			expiresAt: Date.now() + r.expires_in * 1e3
 		}), r.access_token;
 	}
-}, _ = {
-	dropbox: f,
-	google: h,
-	microsoft: g
+}, y = {
+	dropbox: m,
+	google: _,
+	microsoft: v
 };
 //#endregion
 //#region src/index.ts
-function v(e, t) {
-	return new _[t.provider](e);
+function b(e, t) {
+	return new y[t.provider](e);
 }
-async function y(e, t) {
+async function x(e, t) {
 	let n;
 	try {
 		n = e.getAccessToken();
@@ -338,4 +376,4 @@ async function y(e, t) {
 	return n;
 }
 //#endregion
-export { f as DropboxAuthorizer, h as GoogleAuthorizer, g as MicrosoftAuthorizer, n as OAUTH2_AUTH_ERROR, t as OAUTH2_NEED_REFRESH, r as OAUTH2_UNAUTHORIZED, l as OAuth2Authorizer, _ as OAuth2Authorizers, i as OAuth2Error, y as ensureAccessToken, v as getAuthorizer };
+export { m as DropboxAuthorizer, _ as GoogleAuthorizer, v as MicrosoftAuthorizer, n as OAUTH2_AUTH_ERROR, t as OAUTH2_NEED_REFRESH, r as OAUTH2_UNAUTHORIZED, d as OAuth2Authorizer, y as OAuth2Authorizers, i as OAuth2Error, x as ensureAccessToken, b as getAuthorizer };

package/dist/providers/base.d.ts

@@ -1,4 +1,4 @@
-import type { OAuth2AuthorizerOptions, TokenData } from "../types";
+import type { IdTokenClaims, OAuth2AuthorizerOptions, TokenData } from "../types";
 export declare abstract class OAuth2Authorizer {
     protected options: OAuth2AuthorizerOptions;
     abstract buildAuthUrl(): Promise<string>;
@@ -6,9 +6,11 @@ export declare abstract class OAuth2Authorizer {
     abstract refreshToken(): Promise<string>;
     protected _accessToken: TokenData | null;
     protected _refreshToken: TokenData | null;
+    protected _idToken: string | null;
     session: {
         state: string;
         codeVerifier: string;
+        nonce?: string;
     } | undefined;
     constructor(options: OAuth2AuthorizerOptions, initialData?: {
         accessToken?: TokenData;
@@ -16,6 +18,7 @@ export declare abstract class OAuth2Authorizer {
         session?: {
             state: string;
             codeVerifier: string;
+            nonce?: string;
         };
     });
     protected _getValidToken(value?: TokenData | null): string | undefined;
@@ -25,4 +28,5 @@ export declare abstract class OAuth2Authorizer {
     getRefreshToken(): string;
     setAccessToken(value?: TokenData | null): void;
     setRefreshToken(value?: TokenData | null): void;
+    getClaims(): IdTokenClaims;
 }

package/dist/providers/dropbox.d.ts

@@ -1,4 +1,5 @@
 import { OAuth2Authorizer } from "./base.ts";
+import type { IdTokenClaims } from "../types.ts";
 export declare class DropboxAuthorizer extends OAuth2Authorizer {
     /**
      * Ref: https://www.dropbox.com/developers/documentation/http/documentation
@@ -9,4 +10,5 @@ export declare class DropboxAuthorizer extends OAuth2Authorizer {
     buildAuthUrl(): Promise<string>;
     finishAuth(url: URL): Promise<string>;
     refreshToken(): Promise<string>;
+    getClaims(): IdTokenClaims;
 }

package/dist/providers/google.d.ts

@@ -11,6 +11,7 @@ export declare class GoogleAuthorizer extends OAuth2Authorizer {
         "drive.appdata": string;
         imap: string;
     };
+    protected get isOidc(): boolean;
     buildAuthUrl(): Promise<string>;
     finishAuth(url: URL): Promise<string>;
     refreshToken(): Promise<string>;

package/dist/providers/microsoft.d.ts

@@ -8,6 +8,7 @@ export declare class MicrosoftAuthorizer extends OAuth2Authorizer {
         imap: string;
         onedrive: string;
     };
+    protected get isOidc(): boolean;
     private oauth2Url;
     buildAuthUrl(): Promise<string>;
     finishAuth(url: URL): Promise<string>;

package/dist/types.d.ts

@@ -4,6 +4,20 @@ export interface TokenData {
     expiresAt?: number;
     scope?: string;
 }
+export interface IdTokenClaims {
+    iss?: string;
+    sub?: string;
+    aud?: string;
+    exp?: number;
+    iat?: number;
+    nonce?: string;
+    email?: string;
+    name?: string;
+    picture?: string;
+    given_name?: string;
+    family_name?: string;
+    email_verified?: boolean;
+}
 export interface OAuth2Config {
     clientId: string;
     /** clientSecret may be absent for client-side apps. */
@@ -11,6 +25,10 @@ export interface OAuth2Config {
     redirectUrl: string;
     scope?: string;
     provider?: {
+        google?: {
+            accessType?: string;
+            prompt?: string;
+        };
         microsoft?: {
             /**
              * Must match the account type of the application registered in https://portal.azure.com/.

package/dist/util.d.ts

@@ -7,6 +7,8 @@ export declare function getState(): string;
  * and a maximum length of 128 characters.
  */
 export declare function getCodeVerifier(): string;
+export declare function getNonce(): string;
+export declare function decodeJwtPayload(token: string): Record<string, unknown>;
 export declare function getCodeChallenge(codeVerifier: string): Promise<{
     codeChallenge: string;
     codeChallengeMethod: string;

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "@usync/oauth2",
-  "version": "0.1.4",
+  "version": "0.1.5",
+  "description": "OAuth2 support for provider-based authorization flows and token management.",
   "license": "ISC",
   "repository": {
     "type": "git",