arc-1 0.9.18 → 0.9.19

package/dist/adt/btp.js

@@ -1,427 +0,0 @@
-/**
- * BTP Destination Service integration for ARC-1.
- *
- * When running on SAP BTP Cloud Foundry, this module:
- * 1. Parses VCAP_SERVICES to extract service binding credentials
- * 2. Fetches SAP connection details from the BTP Destination Service
- * 3. Configures an HTTP proxy through the Cloud Connector (Connectivity Service)
- *
- * Startup path (lookupDestination, resolveBTPDestination) uses direct fetch
- * to the Destination Service API. Per-user principal propagation path
- * (lookupDestinationWithUserToken) uses SAP Cloud SDK's getDestination()
- * for automatic token management and per-user caching.
- *
- * Token caching: Connectivity proxy tokens are cached and refreshed 60 seconds
- * before expiry. Per-user destination tokens are cached by the SDK.
- */
-import { getDestination, } from '@sap-cloud-sdk/connectivity';
-import { logger } from '../server/logger.js';
-import { destinationPpHint } from './errors.js';
-/**
- * Parse VCAP_SERVICES environment variable to extract BTP service credentials.
- * Returns null if not running on BTP (VCAP_SERVICES not set).
- */
-export function parseVCAPServices() {
-    const vcapJson = process.env.VCAP_SERVICES;
-    if (!vcapJson)
-        return null;
-    const vcap = JSON.parse(vcapJson);
-    const config = {
-        xsuaaUrl: '',
-        xsuaaClientId: '',
-        xsuaaSecret: '',
-        destinationUrl: '',
-        destinationClientId: '',
-        destinationSecret: '',
-        destinationTokenUrl: '',
-        connectivityProxyHost: '',
-        connectivityProxyPort: '',
-        connectivityClientId: '',
-        connectivitySecret: '',
-        connectivityTokenUrl: '',
-    };
-    // XSUAA binding
-    if (vcap.xsuaa?.[0]?.credentials) {
-        const c = vcap.xsuaa[0].credentials;
-        config.xsuaaUrl = c.url || '';
-        config.xsuaaClientId = c.clientid || '';
-        config.xsuaaSecret = c.clientsecret || '';
-    }
-    // Destination binding
-    if (vcap.destination?.[0]?.credentials) {
-        const c = vcap.destination[0].credentials;
-        config.destinationUrl = c.uri || c.url || '';
-        config.destinationClientId = c.clientid || '';
-        config.destinationSecret = c.clientsecret || '';
-        config.destinationTokenUrl = c.token_service_url || '';
-        // Fallback: construct from URL
-        if (!config.destinationTokenUrl && c.url) {
-            config.destinationTokenUrl = `${c.url.replace(/\/$/, '')}/oauth/token`;
-        }
-    }
-    // Connectivity binding
-    if (vcap.connectivity?.[0]?.credentials) {
-        const c = vcap.connectivity[0].credentials;
-        config.connectivityProxyHost = c.onpremise_proxy_host || '';
-        config.connectivityProxyPort = c.onpremise_proxy_http_port || '';
-        config.connectivityClientId = c.clientid || '';
-        config.connectivitySecret = c.clientsecret || '';
-        config.connectivityTokenUrl = c.token_service_url || '';
-        // Fallback + ensure /oauth/token suffix
-        if (!config.connectivityTokenUrl && c.url) {
-            config.connectivityTokenUrl = `${c.url.replace(/\/$/, '')}/oauth/token`;
-        }
-        else if (config.connectivityTokenUrl && !config.connectivityTokenUrl.endsWith('/oauth/token')) {
-            config.connectivityTokenUrl = `${config.connectivityTokenUrl.replace(/\/$/, '')}/oauth/token`;
-        }
-    }
-    logger.info('BTP VCAP_SERVICES parsed', {
-        hasXsuaa: !!config.xsuaaUrl,
-        hasDestination: !!config.destinationUrl,
-        hasConnectivity: !!config.connectivityProxyHost,
-    });
-    return config;
-}
-// ─── Destination Service ─────────────────────────────────────────────
-/**
- * Fetch an OAuth2 client_credentials token.
- * Used for both Destination Service and Connectivity Service tokens.
- */
-async function fetchClientCredentialsToken(tokenUrl, clientId, clientSecret) {
-    const body = new URLSearchParams({
-        grant_type: 'client_credentials',
-        client_id: clientId,
-        client_secret: clientSecret,
-    });
-    const resp = await fetch(tokenUrl, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-        body: body.toString(),
-    });
-    if (!resp.ok) {
-        const text = await resp.text();
-        throw new Error(`Token endpoint returned HTTP ${resp.status}: ${text.slice(0, 200)}`);
-    }
-    const data = (await resp.json());
-    return { accessToken: data.access_token, expiresIn: data.expires_in };
-}
-/**
- * Look up a destination from the BTP Destination Service.
- * Returns SAP URL, credentials, and proxy type.
- */
-export async function lookupDestination(btpConfig, destinationName) {
-    // Get token for Destination Service API
-    const tokenUrl = btpConfig.destinationTokenUrl || `${btpConfig.xsuaaUrl}/oauth/token`;
-    const { accessToken } = await fetchClientCredentialsToken(tokenUrl, btpConfig.destinationClientId, btpConfig.destinationSecret);
-    // Call Destination Service
-    const destUrl = `${btpConfig.destinationUrl.replace(/\/$/, '')}/destination-configuration/v1/destinations/${encodeURIComponent(destinationName)}`;
-    const resp = await fetch(destUrl, {
-        headers: { Authorization: `Bearer ${accessToken}` },
-    });
-    if (!resp.ok) {
-        const text = await resp.text();
-        throw new Error(`Destination Service returned HTTP ${resp.status}: ${text.slice(0, 200)}`);
-    }
-    const data = (await resp.json());
-    logger.info('BTP destination resolved', {
-        name: data.destinationConfiguration.Name,
-        url: data.destinationConfiguration.URL,
-        auth: data.destinationConfiguration.Authentication,
-        proxyType: data.destinationConfiguration.ProxyType,
-        locationId: data.destinationConfiguration.CloudConnectorLocationId,
-    });
-    return data.destinationConfiguration;
-}
-// ─── Connectivity Proxy ──────────────────────────────────────────────
-/**
- * Create a proxy configuration for routing through the Cloud Connector.
- *
- * Returns a BTPProxyConfig with a token getter that caches the connectivity
- * JWT and auto-refreshes it 60 seconds before expiry.
- */
-export function createConnectivityProxy(btpConfig, locationId) {
-    if (!btpConfig.connectivityProxyHost)
-        return null;
-    let cachedToken = '';
-    let expiresAt = 0;
-    return {
-        host: btpConfig.connectivityProxyHost,
-        port: Number.parseInt(btpConfig.connectivityProxyPort || '20003', 10),
-        protocol: 'http',
-        locationId,
-        getProxyToken: async () => {
-            // Return cached token if still valid (60s buffer)
-            if (cachedToken && Date.now() < expiresAt) {
-                return cachedToken;
-            }
-            const { accessToken, expiresIn } = await fetchClientCredentialsToken(btpConfig.connectivityTokenUrl, btpConfig.connectivityClientId, btpConfig.connectivitySecret);
-            cachedToken = accessToken;
-            expiresAt = Date.now() + (expiresIn - 60) * 1000;
-            return cachedToken;
-        },
-    };
-}
-/**
- * Look up a destination with the user's JWT token for principal propagation.
- *
- * Uses SAP Cloud SDK's `getDestination()` to resolve the destination with per-user
- * JWT. The SDK handles service token acquisition, X-User-Token header injection,
- * and per-user destination caching.
- *
- * This is the key API for per-user SAP authentication:
- * 1. Caller passes the user's JWT (from XSUAA/OIDC)
- * 2. SDK calls the Destination Service with X-User-Token header
- * 3. For PrincipalPropagation destinations: returns SAP-Connectivity-Authentication header
- * 4. For OAuth2SAMLBearerAssertion destinations: returns a Bearer token
- *
- * Includes a jwt-bearer fallback (Option 2) when the Destination Service returns
- * no auth tokens — uses direct fetch to the Connectivity Service token URL.
- *
- * @param btpConfig - BTP service credentials (needed for jwt-bearer fallback only)
- */
-export async function lookupDestinationWithUserToken(btpConfig, destinationName, userJwt) {
-    // Log JWT claims for PP debugging (decode payload without verification)
-    try {
-        const parts = userJwt.split('.');
-        if (parts.length === 3) {
-            const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
-            logger.debug('PP user JWT claims', {
-                destination: destinationName,
-                grantType: payload.grant_type,
-                sub: payload.sub,
-                email: payload.email,
-                userUuid: payload.user_uuid,
-                zid: payload.zid,
-                iss: payload.iss,
-                aud: Array.isArray(payload.aud) ? payload.aud.join(',') : payload.aud,
-                azp: payload.azp,
-                scope: payload.scope?.join?.(' ') ?? payload.scope,
-                origin: payload.origin,
-                exp: payload.exp,
-            });
-        }
-    }
-    catch {
-        logger.debug('PP user JWT: failed to decode claims');
-    }
-    // Use SAP Cloud SDK to resolve the destination with per-user JWT.
-    // The SDK handles: service token acquisition, X-User-Token header,
-    // and per-user destination caching (keyed by destinationName + jwt).
-    const sdkDest = await getDestination({
-        destinationName,
-        jwt: userJwt,
-        useCache: true,
-    });
-    if (!sdkDest) {
-        throw new Error(`Destination Service (per-user) returned no destination for '${destinationName}'`);
-    }
-    // Map SDK Destination → ARC-1 Destination type
-    const dest = {
-        Name: sdkDest.name ?? destinationName,
-        URL: sdkDest.url ?? '',
-        Authentication: sdkDest.authentication ?? '',
-        ProxyType: sdkDest.proxyType ?? '',
-        User: sdkDest.username ?? '',
-        Password: sdkDest.password ?? '',
-        'sap-client': sdkDest.sapClient ?? undefined,
-        CloudConnectorLocationId: sdkDest.cloudConnectorLocationId ?? undefined,
-    };
-    const tokens = {};
-    const sdkAuthTokens = sdkDest.authTokens;
-    // Log raw auth response for PP debugging.
-    // Field names avoid "token" substring to prevent logger redaction.
-    const rawEntries = sdkAuthTokens?.map((t) => ({
-        entryType: t.type,
-        httpHeaderKey: t.http_header?.key,
-        hasValue: !!t.value,
-        hasHttpHeaderValue: !!t.http_header?.value,
-        entryError: t.error,
-    }));
-    logger.debug('Destination Service PP response', {
-        destination: destinationName,
-        authentication: dest.Authentication,
-        proxyType: dest.ProxyType,
-        url: dest.URL,
-        ppEntryCount: sdkAuthTokens?.length ?? 0,
-        ppEntries: rawEntries ?? 'NONE',
-    });
-    // Extract auth tokens from the SDK response
-    if (sdkAuthTokens) {
-        for (const token of sdkAuthTokens) {
-            if (token.error) {
-                logger.error('Destination Service auth token error', {
-                    destination: destinationName,
-                    tokenType: token.type,
-                    error: token.error,
-                });
-                const hint = destinationPpHint(token.error);
-                const hintSuffix = hint ? ` — ${hint}` : '';
-                throw new Error(`Destination Service auth token error for '${destinationName}': ${token.error}${hintSuffix}`);
-            }
-            // SAP-Connectivity-Authentication header (used by Cloud Connector for PP)
-            if (token.http_header?.key === 'SAP-Connectivity-Authentication') {
-                tokens.sapConnectivityAuth = token.http_header.value;
-                logger.debug('PP: SAP-Connectivity-Authentication header extracted', {
-                    destination: destinationName,
-                    headerValueLength: token.http_header.value.length,
-                });
-            }
-            // Bearer token (OAuth2UserTokenExchange / OAuth2SAMLBearerAssertion). The SAP Cloud SDK
-            // lowercases the type ("bearer") for OAuth2UserTokenExchange and exposes the token via
-            // `value` and/or an `Authorization` http_header. Match case-insensitively and fall back to
-            // the header value (stripping the "Bearer " prefix). Verified live against a BTP ABAP
-            // Environment (#301): a capital-B-only check silently dropped the token (hasBearer:false).
-            if (token.type?.toLowerCase() === 'bearer') {
-                tokens.bearerToken = token.value || token.http_header?.value?.replace(/^Bearer\s+/i, '');
-            }
-        }
-    }
-    else {
-        logger.warn('Destination Service returned no authTokens — trying jwt-bearer exchange fallback', {
-            destination: destinationName,
-            authentication: dest.Authentication,
-        });
-    }
-    // ─── PP jwt-bearer fallback (Option 2) ─────────────────────────────
-    //
-    // Background: The BTP Destination Service SHOULD return authTokens containing
-    // the SAP-Connectivity-Authentication header for PrincipalPropagation destinations.
-    // In practice, it often returns NO authTokens (empty response). This is a known
-    // issue — the Destination Service simply omits the field.
-    //
-    // Workaround: We perform a jwt-bearer token exchange with the Connectivity
-    // Service's XSUAA to verify the user JWT is valid. If the exchange succeeds,
-    // we send the ORIGINAL user JWT as SAP-Connectivity-Authentication (Option 2
-    // per SAP docs page 211). The Cloud Connector extracts the user identity from
-    // this header and generates the X.509 certificate.
-    //
-    // Why Option 2 and not Option 1?
-    // - Option 1 sends the EXCHANGED token as Proxy-Authorization
-    // - The CC couldn't extract the principal from the exchanged token
-    //   (CC trace: "no principal available, injecting empty certificate")
-    // - Option 2 sends the ORIGINAL user JWT as SAP-Connectivity-Authentication
-    //   + regular connectivity proxy token as Proxy-Authorization
-    // - The CC successfully extracts the user email from the original JWT
-    //
-    // Reference: SAP BTP Connectivity docs page 209-213
-    // https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/configure-principal-propagation-via-user-exchange-token
-    if (!tokens.sapConnectivityAuth && dest.Authentication === 'PrincipalPropagation' && btpConfig.connectivityClientId) {
-        logger.info('PP jwt-bearer exchange: attempting direct exchange with Connectivity Service', {
-            destination: destinationName,
-            connectivityUrl: btpConfig.connectivityTokenUrl,
-        });
-        try {
-            // Exchange user JWT via jwt-bearer grant type with Connectivity Service credentials.
-            // This validates the user JWT and proves we have a legitimate user token.
-            // The exchange itself isn't used for auth — we use the original JWT instead.
-            const exchangeResp = await fetch(btpConfig.connectivityTokenUrl, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-                body: new URLSearchParams({
-                    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-                    client_id: btpConfig.connectivityClientId,
-                    client_secret: btpConfig.connectivitySecret,
-                    assertion: userJwt,
-                    token_format: 'jwt',
-                    response_type: 'token',
-                }).toString(),
-            });
-            if (exchangeResp.ok) {
-                await exchangeResp.json(); // consume response body
-                // Option 2: Send the ORIGINAL user JWT as SAP-Connectivity-Authentication.
-                // The CC reads this header, extracts the user identity (email), and generates
-                // a short-lived X.509 certificate with CN=${email}. The regular connectivity
-                // proxy token (from btpProxy.getProxyToken()) is sent as Proxy-Authorization.
-                tokens.sapConnectivityAuth = `Bearer ${userJwt}`;
-                logger.info('PP: using Option 2 (SAP-Connectivity-Authentication with original JWT)', {
-                    destination: destinationName,
-                });
-            }
-            else {
-                const errText = await exchangeResp.text();
-                logger.error('PP jwt-bearer exchange: failed', {
-                    destination: destinationName,
-                    status: exchangeResp.status,
-                    error: errText.slice(0, 300),
-                });
-            }
-        }
-        catch (err) {
-            logger.error('PP jwt-bearer exchange: error', {
-                destination: destinationName,
-                error: err instanceof Error ? err.message : String(err),
-            });
-        }
-    }
-    logger.info('BTP destination resolved (per-user)', {
-        name: dest.Name,
-        url: dest.URL,
-        auth: dest.Authentication,
-        hasConnectivityAuth: !!tokens.sapConnectivityAuth,
-        hasBearer: !!tokens.bearerToken,
-    });
-    return { destination: dest, authTokens: tokens };
-}
-// ─── Top-Level Resolver ──────────────────────────────────────────────
-/**
- * Resolve BTP destination and connectivity proxy.
- * Called on startup when SAP_BTP_DESTINATION env var is set.
- *
- * Returns the resolved SAP connection config to override defaults.
- */
-export async function resolveBTPDestination(destinationName) {
-    const btpConfig = parseVCAPServices();
-    if (!btpConfig) {
-        throw new Error('SAP_BTP_DESTINATION is set but VCAP_SERVICES is not available. Are you running on BTP CF?');
-    }
-    // Use direct fetch for startup — works with BasicAuth destinations without JWT.
-    // The SDK's getDestination() fails for PrincipalPropagation destinations at startup
-    // because there's no user JWT available yet.
-    const dest = await lookupDestination(btpConfig, destinationName);
-    const proxy = dest.ProxyType === 'OnPremise' ? createConnectivityProxy(btpConfig, dest.CloudConnectorLocationId) : null;
-    return {
-        url: dest.URL,
-        username: dest.User,
-        password: dest.Password,
-        client: dest['sap-client'] || '100',
-        proxy,
-    };
-}
-/**
- * Get the app's public URL.
- *
- * Priority:
- *   1. ARC1_PUBLIC_URL env var — set this when the app is reached through a
- *      reverse proxy on a different hostname (e.g. SAP Integration Suite API
- *      Management). The value flows into every absolute URL the OAuth metadata
- *      endpoints emit (issuer, authorize, token, register, revoke, resource).
- *      May include a base-path component (e.g. https://api.example.com/arc1) —
- *      the path is preserved verbatim.
- *   2. VCAP_APPLICATION.application_uris[0] — set automatically by CF, points
- *      to the app's CF route.
- *   3. undefined — caller falls back to bind-host:port.
- *
- * The trailing slash, if present, is stripped so callers can do `${url}/path`
- * consistently.
- */
-export function getAppUrl() {
-    const override = process.env.ARC1_PUBLIC_URL?.trim();
-    if (override) {
-        return override.replace(/\/$/, '');
-    }
-    const vcapApp = process.env.VCAP_APPLICATION;
-    if (!vcapApp)
-        return undefined;
-    try {
-        const app = JSON.parse(vcapApp);
-        const uris = app.application_uris ?? app.uris;
-        if (Array.isArray(uris) && uris.length > 0) {
-            return `https://${uris[0]}`;
-        }
-    }
-    catch {
-        // Not valid JSON
-    }
-    return undefined;
-}
-//# sourceMappingURL=btp.js.map

package/dist/adt/btp.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"btp.js","sourceRoot":"","sources":["../../src/adt/btp.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAEL,cAAc,GAEf,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AA8DhD;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IAC3C,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,MAAM,IAAI,GAAiB,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,MAAM,GAAc;QACxB,QAAQ,EAAE,EAAE;QACZ,aAAa,EAAE,EAAE;QACjB,WAAW,EAAE,EAAE;QACf,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;QACvB,iBAAiB,EAAE,EAAE;QACrB,mBAAmB,EAAE,EAAE;QACvB,qBAAqB,EAAE,EAAE;QACzB,qBAAqB,EAAE,EAAE;QACzB,oBAAoB,EAAE,EAAE;QACxB,kBAAkB,EAAE,EAAE;QACtB,oBAAoB,EAAE,EAAE;KACzB,CAAC;IAEF,gBAAgB;IAChB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;QACpC,MAAM,CAAC,QAAQ,GAAI,CAAC,CAAC,GAAc,IAAI,EAAE,CAAC;QAC1C,MAAM,CAAC,aAAa,GAAI,CAAC,CAAC,QAAmB,IAAI,EAAE,CAAC;QACpD,MAAM,CAAC,WAAW,GAAI,CAAC,CAAC,YAAuB,IAAI,EAAE,CAAC;IACxD,CAAC;IAED,sBAAsB;IACtB,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;QAC1C,MAAM,CAAC,cAAc,GAAI,CAAC,CAAC,GAAc,IAAK,CAAC,CAAC,GAAc,IAAI,EAAE,CAAC;QACrE,MAAM,CAAC,mBAAmB,GAAI,CAAC,CAAC,QAAmB,IAAI,EAAE,CAAC;QAC1D,MAAM,CAAC,iBAAiB,GAAI,CAAC,CAAC,YAAuB,IAAI,EAAE,CAAC;QAC5D,MAAM,CAAC,mBAAmB,GAAI,CAAC,CAAC,iBAA4B,IAAI,EAAE,CAAC;QACnE,+BAA+B;QAC/B,IAAI,CAAC,MAAM,CAAC,mBAAmB,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC;YACzC,MAAM,CAAC,mBAAmB,GAAG,GAAI,CAAC,CAAC,GAAc,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC;QACrF,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC;QACxC,MAAM,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;QAC3C,MAAM,CAAC,qBAAqB,GAAI,CAAC,CAAC,oBAA+B,IAAI,EAAE,CAAC;QACxE,MAAM,CAAC,qBAAqB,GAAI,CAAC,CAAC,yBAAoC,IAAI,EAAE,CAAC;QAC7E,MAAM,CAAC,oBAAoB,GAAI,CAAC,CAAC,QAAmB,IAAI,EAAE,CAAC;QAC3D,MAAM,CAAC,kBAAkB,GAAI,CAAC,CAAC,YAAuB,IAAI,EAAE,CAAC;QAC7D,MAAM,CAAC,oBAAoB,GAAI,CAAC,CAAC,iBAA4B,IAAI,EAAE,CAAC;QACpE,wCAAwC;QACxC,IAAI,CAAC,MAAM,CAAC,oBAAoB,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC;YAC1C,MAAM,CAAC,oBAAoB,GAAG,GAAI,CAAC,CAAC,GAAc,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC;QACtF,CAAC;aAAM,IAAI,MAAM,CAAC,oBAAoB,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YAChG,MAAM,CAAC,oBAAoB,GAAG,GAAG,MAAM,CAAC,oBAAoB,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC;QAChG,CAAC;IACH,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE;QACtC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;QAC3B,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,cAAc;QACvC,eAAe,EAAE,CAAC,CAAC,MAAM,CAAC,qBAAqB;KAChD,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,wEAAwE;AAExE;;;GAGG;AACH,KAAK,UAAU,2BAA2B,CACxC,QAAgB,EAChB,QAAgB,EAChB,YAAoB;IAEpB,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,YAAY;KAC5B,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAiD,CAAC;IACjF,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC;AACxE,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,SAAoB,EAAE,eAAuB;IACnF,wCAAwC;IACxC,MAAM,QAAQ,GAAG,SAAS,CAAC,mBAAmB,IAAI,GAAG,SAAS,CAAC,QAAQ,cAAc,CAAC;IACtF,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,2BAA2B,CACvD,QAAQ,EACR,SAAS,CAAC,mBAAmB,EAC7B,SAAS,CAAC,iBAAiB,CAC5B,CAAC;IAEF,2BAA2B;IAC3B,MAAM,OAAO,GAAG,GAAG,SAAS,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,8CAA8C,kBAAkB,CAAC,eAAe,CAAC,EAAE,CAAC;IAClJ,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;QAChC,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;KACpD,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,qCAAqC,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IAC7F,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA8C,CAAC;IAE9E,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE;QACtC,IAAI,EAAE,IAAI,CAAC,wBAAwB,CAAC,IAAI;QACxC,GAAG,EAAE,IAAI,CAAC,wBAAwB,CAAC,GAAG;QACtC,IAAI,EAAE,IAAI,CAAC,wBAAwB,CAAC,cAAc;QAClD,SAAS,EAAE,IAAI,CAAC,wBAAwB,CAAC,SAAS;QAClD,UAAU,EAAE,IAAI,CAAC,wBAAwB,CAAC,wBAAwB;KACnE,CAAC,CAAC;IAEH,OAAO,IAAI,CAAC,wBAAwB,CAAC;AACvC,CAAC;AAED,wEAAwE;AAExE;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB,CAAC,SAAoB,EAAE,UAAmB;IAC/E,IAAI,CAAC,SAAS,CAAC,qBAAqB;QAAE,OAAO,IAAI,CAAC;IAElD,IAAI,WAAW,GAAG,EAAE,CAAC;IACrB,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,OAAO;QACL,IAAI,EAAE,SAAS,CAAC,qBAAqB;QACrC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,qBAAqB,IAAI,OAAO,EAAE,EAAE,CAAC;QACrE,QAAQ,EAAE,MAAM;QAChB,UAAU;QACV,aAAa,EAAE,KAAK,IAAI,EAAE;YACxB,kDAAkD;YAClD,IAAI,WAAW,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,EAAE,CAAC;gBAC1C,OAAO,WAAW,CAAC;YACrB,CAAC;YAED,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,MAAM,2BAA2B,CAClE,SAAS,CAAC,oBAAoB,EAC9B,SAAS,CAAC,oBAAoB,EAC9B,SAAS,CAAC,kBAAkB,CAC7B,CAAC;YAEF,WAAW,GAAG,WAAW,CAAC;YAC1B,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;YACjD,OAAO,WAAW,CAAC;QACrB,CAAC;KACF,CAAC;AACJ,CAAC;AAqBD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,SAAoB,EACpB,eAAuB,EACvB,OAAe;IAEf,wEAAwE;IACxE,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;YACvE,MAAM,CAAC,KAAK,CAAC,oBAAoB,EAAE;gBACjC,WAAW,EAAE,eAAe;gBAC5B,SAAS,EAAE,OAAO,CAAC,UAAU;gBAC7B,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,QAAQ,EAAE,OAAO,CAAC,SAAS;gBAC3B,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG;gBACrE,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,KAAK;gBAClD,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;IACvD,CAAC;IAED,kEAAkE;IAClE,mEAAmE;IACnE,qEAAqE;IACrE,MAAM,OAAO,GAA0B,MAAM,cAAc,CAAC;QAC1D,eAAe;QACf,GAAG,EAAE,OAAO;QACZ,QAAQ,EAAE,IAAI;KACf,CAAC,CAAC;IAEH,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,+DAA+D,eAAe,GAAG,CAAC,CAAC;IACrG,CAAC;IAED,+CAA+C;IAC/C,MAAM,IAAI,GAAgB;QACxB,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,eAAe;QACrC,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,EAAE;QACtB,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,EAAE;QAC5C,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,EAAE;QAClC,IAAI,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE;QAC5B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE;QAChC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,SAAS;QAC5C,wBAAwB,EAAE,OAAO,CAAC,wBAAwB,IAAI,SAAS;KACxE,CAAC;IAEF,MAAM,MAAM,GAAsB,EAAE,CAAC;IACrC,MAAM,aAAa,GAA8C,OAAO,CAAC,UAAU,CAAC;IAEpF,0CAA0C;IAC1C,mEAAmE;IACnE,MAAM,UAAU,GAAG,aAAa,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC5C,SAAS,EAAE,CAAC,CAAC,IAAI;QACjB,aAAa,EAAE,CAAC,CAAC,WAAW,EAAE,GAAG;QACjC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK;QACnB,kBAAkB,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK;QAC1C,UAAU,EAAE,CAAC,CAAC,KAAK;KACpB,CAAC,CAAC,CAAC;IACJ,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE;QAC9C,WAAW,EAAE,eAAe;QAC5B,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,YAAY,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;QACxC,SAAS,EAAE,UAAU,IAAI,MAAM;KAChC,CAAC,CAAC;IAEH,4CAA4C;IAC5C,IAAI,aAAa,EAAE,CAAC;QAClB,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAClC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;gBAChB,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE;oBACnD,WAAW,EAAE,eAAe;oBAC5B,SAAS,EAAE,KAAK,CAAC,IAAI;oBACrB,KAAK,EAAE,KAAK,CAAC,KAAK;iBACnB,CAAC,CAAC;gBACH,MAAM,IAAI,GAAG,iBAAiB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC5C,MAAM,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5C,MAAM,IAAI,KAAK,CAAC,6CAA6C,eAAe,MAAM,KAAK,CAAC,KAAK,GAAG,UAAU,EAAE,CAAC,CAAC;YAChH,CAAC;YAED,0EAA0E;YAC1E,IAAI,KAAK,CAAC,WAAW,EAAE,GAAG,KAAK,iCAAiC,EAAE,CAAC;gBACjE,MAAM,CAAC,mBAAmB,GAAG,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC;gBACrD,MAAM,CAAC,KAAK,CAAC,sDAAsD,EAAE;oBACnE,WAAW,EAAE,eAAe;oBAC5B,iBAAiB,EAAE,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM;iBAClD,CAAC,CAAC;YACL,CAAC;YAED,wFAAwF;YACxF,uFAAuF;YACvF,2FAA2F;YAC3F,sFAAsF;YACtF,2FAA2F;YAC3F,IAAI,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;gBAC3C,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,WAAW,EAAE,KAAK,EAAE,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;YAC3F,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,kFAAkF,EAAE;YAC9F,WAAW,EAAE,eAAe;YAC5B,cAAc,EAAE,IAAI,CAAC,cAAc;SACpC,CAAC,CAAC;IACL,CAAC;IAED,sEAAsE;IACtE,EAAE;IACF,8EAA8E;IAC9E,oFAAoF;IACpF,gFAAgF;IAChF,0DAA0D;IAC1D,EAAE;IACF,2EAA2E;IAC3E,6EAA6E;IAC7E,6EAA6E;IAC7E,8EAA8E;IAC9E,mDAAmD;IACnD,EAAE;IACF,iCAAiC;IACjC,8DAA8D;IAC9D,mEAAmE;IACnE,sEAAsE;IACtE,4EAA4E;IAC5E,8DAA8D;IAC9D,sEAAsE;IACtE,EAAE;IACF,oDAAoD;IACpD,yHAAyH;IACzH,IAAI,CAAC,MAAM,CAAC,mBAAmB,IAAI,IAAI,CAAC,cAAc,KAAK,sBAAsB,IAAI,SAAS,CAAC,oBAAoB,EAAE,CAAC;QACpH,MAAM,CAAC,IAAI,CAAC,8EAA8E,EAAE;YAC1F,WAAW,EAAE,eAAe;YAC5B,eAAe,EAAE,SAAS,CAAC,oBAAoB;SAChD,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,qFAAqF;YACrF,0EAA0E;YAC1E,6EAA6E;YAC7E,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,oBAAoB,EAAE;gBAC/D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,6CAA6C;oBACzD,SAAS,EAAE,SAAS,CAAC,oBAAoB;oBACzC,aAAa,EAAE,SAAS,CAAC,kBAAkB;oBAC3C,SAAS,EAAE,OAAO;oBAClB,YAAY,EAAE,KAAK;oBACnB,aAAa,EAAE,OAAO;iBACvB,CAAC,CAAC,QAAQ,EAAE;aACd,CAAC,CAAC;YAEH,IAAI,YAAY,CAAC,EAAE,EAAE,CAAC;gBACpB,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC,wBAAwB;gBAEnD,2EAA2E;gBAC3E,8EAA8E;gBAC9E,6EAA6E;gBAC7E,8EAA8E;gBAC9E,MAAM,CAAC,mBAAmB,GAAG,UAAU,OAAO,EAAE,CAAC;gBAEjD,MAAM,CAAC,IAAI,CAAC,wEAAwE,EAAE;oBACpF,WAAW,EAAE,eAAe;iBAC7B,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC;gBAC1C,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE;oBAC7C,WAAW,EAAE,eAAe;oBAC5B,MAAM,EAAE,YAAY,CAAC,MAAM;oBAC3B,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBAC7B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;gBAC5C,WAAW,EAAE,eAAe;gBAC5B,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,qCAAqC,EAAE;QACjD,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,IAAI,EAAE,IAAI,CAAC,cAAc;QACzB,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,mBAAmB;QACjD,SAAS,EAAE,CAAC,CAAC,MAAM,CAAC,WAAW;KAChC,CAAC,CAAC;IAEH,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;AACnD,CAAC;AAED,wEAAwE;AAExE;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,eAAuB;IAOjE,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;IACtC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,2FAA2F,CAAC,CAAC;IAC/G,CAAC;IAED,gFAAgF;IAChF,oFAAoF;IACpF,6CAA6C;IAC7C,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IACjE,MAAM,KAAK,GACT,IAAI,CAAC,SAAS,KAAK,WAAW,CAAC,CAAC,CAAC,uBAAuB,CAAC,SAAS,EAAE,IAAI,CAAC,wBAAwB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAE5G,OAAO;QACL,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,QAAQ,EAAE,IAAI,CAAC,IAAI;QACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,MAAM,EAAE,IAAI,CAAC,YAAY,CAAC,IAAI,KAAK;QACnC,KAAK;KACN,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,SAAS;IACvB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,CAAC;IACrD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACrC,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAC7C,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAE/B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAChC,MAAM,IAAI,GAAG,GAAG,CAAC,gBAAgB,IAAI,GAAG,CAAC,IAAI,CAAC;QAC9C,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3C,OAAO,WAAW,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,iBAAiB;IACnB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/server/oauth-state.d.ts

@@ -1,92 +0,0 @@
-/**
- * Stateless, signed OAuth `state` codec for the XSUAA callback proxy.
- *
- * ── Why this exists (issue #214) ──────────────────────────────────────
- * XSUAA echoes a literal `+` (not `%2B`) for any `state` value that
- * contains `+` when it redirects back to the OAuth client. Standard base64
- * `state` values (e.g. VS Code generates `randomBytes(16).toString('base64')`)
- * contain `+` ~50% of the time. The receiving client parses the callback
- * query string with `application/x-www-form-urlencoded` semantics, where
- * `+` decodes to a space, so the round-tripped `state` no longer matches the
- * value the client generated → "State does not match" → login fails.
- *
- * ARC-1 cannot influence what XSUAA emits, and XSUAA redirects DIRECTLY to
- * the client today (ARC-1 is not in the return path). The only fix is to
- * insert ARC-1 into the return path: send XSUAA a `state` that ARC-1
- * controls and that is immune to the `+` bug, then re-emit the client's
- * ORIGINAL `state` correctly when redirecting back to the client.
- *
- * ── How this codec is immune to the `+` bug ───────────────────────────
- * The token is `base64url(payload) + "." + base64url(sig)`. base64url uses
- * the alphabet `A-Za-z0-9-_` — no `+`, no `/`. The `.` separator is an
- * RFC 3986 unreserved character. So the entire token is URL-safe: XSUAA has
- * no `+` to mangle, and Express's `+`→space query decoding is a no-op on it.
- * The client's real `state` (which may contain `+`) rides INSIDE the opaque
- * base64url payload, so it survives the XSUAA round-trip untouched.
- *
- * ── Why stateless (vs an in-memory map) ───────────────────────────────
- * Mirrors the StatelessDcrClientStore design (PR #212): the token carries
- * its own payload + HMAC signature, so any instance with the same signing
- * key can validate it. No in-memory map → survives `cf restart`, cell
- * moves, and horizontal scale-out. The signing key is derived (HKDF-style)
- * from the same secret the DCR store uses, with a distinct domain-separation
- * label so the two key spaces never overlap.
- *
- * ── Upstream tracking / when this whole module can be deleted ──────────
- * This is a WORKAROUND for an XSUAA bug. It can be removed ONLY when XSUAA
- * stops emitting a literal `+` (emits `%2B`) for `state` on the authorize
- * redirect. Tracking:
- *   - arc-1 issue:      https://github.com/marianfoo/arc-1/issues/214
- *   - XSUAA root cause: no public SAP Note as of 2026-06; the `+`→literal
- *                       echo is the actual defect and the only thing whose
- *                       fix makes this module removable.
- *   - VS Code (client): https://github.com/microsoft/vscode/issues/314715
- *                       asks VS Code to use base64url `state`. If accepted it
- *                       fixes the VS Code SYMPTOM only — other MCP clients
- *                       (Cursor, claude.ai, Copilot Studio, …) still send
- *                       base64 `state` containing `+`, so the callback proxy
- *                       stays until the XSUAA-side fix lands. Do NOT delete
- *                       this module just because vscode#314715 closes.
- * To verify whether the XSUAA bug is gone, re-run the issue #214 spectrum
- * reproducer (see the issue thread) against the target XSUAA tenant.
- */
-export type DecodeResult = {
-    kind: 'ok';
-    clientState?: string;
-    clientRedirectUri: string;
-    clientId: string;
-} | {
-    kind: 'error';
-    reason: 'malformed' | 'bad_signature' | 'invalid_payload' | 'expired';
-};
-/**
- * Signs and verifies OAuth `state` tokens for the XSUAA callback proxy.
- */
-export declare class OAuthStateCodec {
-    private readonly hmacKey;
-    private readonly ttlSeconds;
-    constructor(signingSecret: string, opts?: {
-        ttlSeconds?: number;
-    });
-    /**
-     * Encode a URL-safe, signed state token. The returned value is safe to put
-     * in a query string and round-trip through XSUAA (no `+`, no `/`).
-     *
-     * @param input.now Injectable clock (epoch ms) for deterministic tests.
-     */
-    encode(input: {
-        clientState?: string;
-        clientRedirectUri: string;
-        clientId: string;
-        now?: number;
-    }): string;
-    /**
-     * Decode and verify a state token. Never throws — returns a typed result.
-     *
-     * @param now Injectable clock (epoch ms) for deterministic tests.
-     */
-    decode(token: string, now?: number): DecodeResult;
-    private sign;
-    private verifySignature;
-}
-//# sourceMappingURL=oauth-state.d.ts.map

package/dist/server/oauth-state.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-state.d.ts","sourceRoot":"","sources":["../../src/server/oauth-state.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;AAsCH,MAAM,MAAM,YAAY,GACpB;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,iBAAiB,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACjF;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,WAAW,GAAG,eAAe,GAAG,iBAAiB,GAAG,SAAS,CAAA;CAAE,CAAC;AAE7F;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,aAAa,EAAE,MAAM,EAAE,IAAI,GAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAA;KAAO;IAUrE;;;;;OAKG;IACH,MAAM,CAAC,KAAK,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,MAAM;IAe1G;;;;OAIG;IACH,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,GAAE,MAAmB,GAAG,YAAY;IA2B7D,OAAO,CAAC,IAAI;IAKZ,OAAO,CAAC,eAAe;CAQxB"}