bezzie 0.1.1 → 0.1.4

package/README.md

@@ -2,6 +2,8 @@
 
 **Bezzie** — your BFF's BFF. Handles the Backend for Frontend OAuth pattern so you don't have to.
 
+[![npm downloads](https://img.shields.io/npm/dw/bezzie)](https://www.npmjs.com/package/bezzie)
+
 A BFF (Backend for Frontend) OAuth 2.0 auth library for Cloudflare Workers.
 
 Implements the [OAuth 2.0 for Browser-Based Apps (BCP212)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps) pattern — JWTs never touch the browser. The BFF owns the OAuth flow and issues a session cookie to the frontend instead.
@@ -10,6 +12,48 @@ Implements the [OAuth 2.0 for Browser-Based Apps (BCP212)](https://datatracker.i
 npm install bezzie
 ```
 
+## Get started in 5 minutes
+
+**1. Install:**
+```sh
+npm install bezzie
+```
+
+**2. Add a KV namespace to `wrangler.toml`:**
+```toml
+[[kv_namespaces]]
+binding = "SESSION_KV"
+id = "<your-kv-namespace-id>"
+```
+
+**3. Add your client secret:**
+```sh
+wrangler secret put AUTH0_CLIENT_SECRET
+```
+
+**4. Wire it up:**
+```typescript
+import { createBezzie, providers, cloudflareKV } from 'bezzie'
+
+const auth = createBezzie({
+  ...providers.auth0('your-tenant.auth0.com'),
+  clientId: 'xxx',
+  clientSecret: env.AUTH0_CLIENT_SECRET,
+  adapter: cloudflareKV(env.SESSION_KV),
+  baseUrl: 'https://app.yourproject.com',
+})
+
+app.route('/auth', auth.routes())
+app.use('/api/*', auth.middleware())
+```
+
+**5. Protect a route:**
+```typescript
+app.get('/api/me', (c) => c.json(c.var.user))
+```
+
+Done. Your app now has BCP212-compliant BFF auth.
+
 ---
 
 ## Why
@@ -47,7 +91,7 @@ This gives you:
 |---|---|
 | `GET /auth/login` | Redirects to provider, initiates Authorization Code + PKCE flow. Supports `returnTo` query param for post-login redirect. |
 | `GET /auth/callback` | Exchanges code for tokens, stores session in KV, sets cookie. |
-| `GET /auth/logout` | Clears session, clears cookie, redirects to provider logout. |
+| `POST /auth/logout` | Clears session, clears cookie, redirects to provider logout. |
 
 ---
 

package/dist/src/adapters/cloudflare-kv.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloudflare-kv.d.ts","sourceRoot":"","sources":["../../../src/adapters/cloudflare-kv.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AACpC,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,SAAS,CAAA;AAEnD,qBAAa,mBAAoB,YAAW,cAAc;IAC5C,OAAO,CAAC,EAAE;gBAAF,EAAE,EAAE,WAAW;IAE7B,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,GAAG,IAAI,CAAC;IAK3D,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,SAAS,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASvF,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C"}

package/dist/src/adapters/cloudflare-kv.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloudflare-kv.js","sourceRoot":"","sources":["../../../src/adapters/cloudflare-kv.ts"],"names":[],"mappings":"AAGA,MAAM,OAAO,mBAAmB;IACV;IAApB,YAAoB,EAAe;QAAf,OAAE,GAAF,EAAE,CAAa;IAAG,CAAC;IAEvC,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,GAAG,CAAsB,SAAS,EAAE,MAAM,CAAC,CAAA;QACzE,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,SAAiB,EAAE,OAA4B,EAAE,UAAkB;QAC3E,IAAI,UAAU,GAAG,EAAE,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAA;QAC/D,CAAC;QACD,MAAM,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE;YACpD,aAAa,EAAE,UAAU;SAC1B,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;IACjC,CAAC;CACF"}

package/dist/src/adapters/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/adapters/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAA;AACvB,cAAc,iBAAiB,CAAA;AAC/B,cAAc,SAAS,CAAA;AACvB,cAAc,UAAU,CAAA"}

package/dist/src/adapters/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/adapters/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAA;AACvB,cAAc,iBAAiB,CAAA;AAC/B,cAAc,SAAS,CAAA;AACvB,cAAc,UAAU,CAAA"}

package/dist/src/adapters/memory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memory.d.ts","sourceRoot":"","sources":["../../../src/adapters/memory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AACpC,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,SAAS,CAAA;AAOnD,qBAAa,aAAc,YAAW,cAAc;IAClD,OAAO,CAAC,KAAK,CAAmC;IAE1C,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,GAAG,IAAI,CAAC;IAU3D,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,SAAS,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOvF,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C"}

package/dist/src/adapters/memory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"memory.js","sourceRoot":"","sources":["../../../src/adapters/memory.ts"],"names":[],"mappings":"AAQA,MAAM,OAAO,aAAa;IAChB,KAAK,GAAG,IAAI,GAAG,EAAyB,CAAA;IAEhD,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;YAC5B,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,KAAK,CAAC,OAAO,CAAA;IACtB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,SAAiB,EAAE,OAA4B,EAAE,UAAkB;QAC3E,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE;YACxB,OAAO;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI;SAC1C,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;IAC9B,CAAC;CACF"}

package/dist/src/adapters/redis.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redis.d.ts","sourceRoot":"","sources":["../../../src/adapters/redis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AACpC,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,SAAS,CAAA;AAEnD,MAAM,WAAW,WAAW;IAC1B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;IACxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAC5E,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CACnC;AAED,qBAAa,YAAa,YAAW,cAAc;IACrC,OAAO,CAAC,KAAK;gBAAL,KAAK,EAAE,WAAW;IAEhC,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,GAAG,IAAI,CAAC;IAM3D,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,SAAS,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvF,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C"}

package/dist/src/adapters/redis.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redis.js","sourceRoot":"","sources":["../../../src/adapters/redis.ts"],"names":[],"mappings":"AASA,MAAM,OAAO,YAAY;IACH;IAApB,YAAoB,KAAkB;QAAlB,UAAK,GAAL,KAAK,CAAa;IAAG,CAAC;IAE1C,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QAC/C,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QACzB,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAwB,CAAA;IACnD,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,SAAiB,EAAE,OAA4B,EAAE,UAAkB;QAC3E,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC,CAAA;IAC9E,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IACjC,CAAC;CACF"}

package/dist/src/adapters/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/adapters/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAEpC;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,YAAY,EAAE,MAAM,CAAA;IACpB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B;;;;;OAKG;IACH,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,GAAG,IAAI,CAAC,CAAA;IAE3D;;;;;;OAMG;IACH,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,SAAS,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEvF;;;;OAIG;IACH,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACzC"}

package/dist/{adapters → src/adapters}/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/adapters/types.ts"],"names":[],"mappings":""}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/adapters/types.ts"],"names":[],"mappings":""}

package/dist/src/discovery.d.ts

@@ -0,0 +1,10 @@
+import * as oauth from 'oauth4webapi';
+import type { BezzieConfig } from './index';
+export interface DiscoveryCache {
+    cachedAS: oauth.AuthorizationServer | null;
+    cacheExpiresAt: number;
+    jwksCache: oauth.JWKSCacheInput;
+}
+export declare function createDiscoveryCache(): DiscoveryCache;
+export declare function getAuthorizationServer(config: BezzieConfig, cache: DiscoveryCache): Promise<oauth.AuthorizationServer>;
+//# sourceMappingURL=discovery.d.ts.map

package/dist/src/discovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,cAAc,CAAA;AACrC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAE3C,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAA;IAC1C,cAAc,EAAE,MAAM,CAAA;IACtB,SAAS,EAAE,KAAK,CAAC,cAAc,CAAA;CAChC;AAED,wBAAgB,oBAAoB,IAAI,cAAc,CAErD;AAED,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,YAAY,EACpB,KAAK,EAAE,cAAc,GACpB,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAapC"}

package/dist/src/discovery.js

@@ -0,0 +1,19 @@
+import * as oauth from 'oauth4webapi';
+export function createDiscoveryCache() {
+    return { cachedAS: null, cacheExpiresAt: 0, jwksCache: {} };
+}
+export async function getAuthorizationServer(config, cache) {
+    if (cache.cachedAS && Date.now() < cache.cacheExpiresAt) {
+        return cache.cachedAS;
+    }
+    const issuer = new URL(config.issuer);
+    const response = await oauth.discoveryRequest(issuer);
+    const as = await oauth.processDiscoveryResponse(issuer, response);
+    const cachedAS = config.providerHints?.tokenEndpoint
+        ? { ...as, token_endpoint: config.providerHints.tokenEndpoint }
+        : as;
+    cache.cachedAS = cachedAS;
+    cache.cacheExpiresAt = Date.now() + 60 * 60 * 1000;
+    return cachedAS;
+}
+//# sourceMappingURL=discovery.js.map

package/dist/src/discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,cAAc,CAAA;AASrC,MAAM,UAAU,oBAAoB;IAClC,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,CAAA;AAC7D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,MAAoB,EACpB,KAAqB;IAErB,IAAI,KAAK,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC;QACxD,OAAO,KAAK,CAAC,QAAQ,CAAA;IACvB,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACrC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAA;IACrD,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,wBAAwB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;IACjE,MAAM,QAAQ,GAAG,MAAM,CAAC,aAAa,EAAE,aAAa;QAClD,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,cAAc,EAAE,MAAM,CAAC,aAAa,CAAC,aAAa,EAAE;QAC/D,CAAC,CAAC,EAAE,CAAA;IACN,KAAK,CAAC,QAAQ,GAAG,QAAQ,CAAA;IACzB,KAAK,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;IAClD,OAAO,QAAQ,CAAA;AACjB,CAAC"}

package/dist/{index.d.ts → src/index.d.ts}

@@ -1,5 +1,6 @@
 import { Hono, type MiddlewareHandler } from 'hono';
 import { type Variables } from './middleware';
+import { type DiscoveryCache } from './discovery';
 import { type SessionAdapter } from './session';
 /**
  * Configuration for Bezzie.
@@ -29,6 +30,14 @@ export interface BezzieConfig {
      * Base URL of your application (used for callback and redirects).
      */
     baseUrl: string;
+    /**
+     * Optional path to the login route (defaults to /auth/login).
+     */
+    loginPath?: string;
+    /**
+     * Whether to validate the access token (defaults to true).
+     */
+    validateAccessToken?: boolean;
     /**
      * Optional tweaks for specific providers.
      */
@@ -42,6 +51,31 @@ export interface BezzieConfig {
          */
         tokenEndpoint?: string;
     };
+    /**
+     * Session TTL in seconds.
+     * @default 60 * 60 * 24 * 30 (30 days)
+     */
+    sessionTtlSeconds?: number;
+    /**
+     * PKCE state TTL in seconds.
+     * @default 60 * 10 (10 minutes)
+     */
+    pkceStateTtlSeconds?: number;
+    /**
+     * Session cookie name.
+     * @default '__Host-session'
+     */
+    cookieName?: string;
+    /**
+     * OAuth scopes to request.
+     * @default ['openid', 'profile', 'email', 'offline_access']
+     */
+    scopes?: string[];
+    /**
+     * Buffer in seconds for refreshing the access token before it expires.
+     * @default 60
+     */
+    refreshBufferSeconds?: number;
 }
 /**
  * Common OIDC provider configurations.
@@ -93,6 +127,11 @@ export interface Bezzie {
     middleware: () => MiddlewareHandler<{
         Variables: Variables;
     }>;
+    /**
+     * Internal discovery cache.
+     * @internal
+     */
+    cache: DiscoveryCache;
 }
 /**
  * Creates a new Bezzie instance.

package/dist/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,KAAK,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAEnD,OAAO,EAAc,KAAK,SAAS,EAAE,MAAM,cAAc,CAAA;AACzD,OAAO,EAAwB,KAAK,cAAc,EAAE,MAAM,aAAa,CAAA;AAEvE,OAAO,EAAuB,KAAK,cAAc,EAAE,MAAM,WAAW,CAAA;AAEpE;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B;;OAEG;IACH,MAAM,EAAE,MAAM,CAAA;IAEd;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,YAAY,EAAE,MAAM,CAAA;IAEpB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IAEjB;;OAEG;IACH,OAAO,EAAE,cAAc,CAAA;IAEvB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAA;IAEf;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAA;IAElB;;OAEG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAE7B;;OAEG;IACH,aAAa,CAAC,EAAE;QACd;;WAEG;QACH,SAAS,CAAC,EAAE,MAAM,CAAA;QAElB;;WAEG;QACH,aAAa,CAAC,EAAE,MAAM,CAAA;KACvB,CAAA;IAED;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAE1B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAE5B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IAEjB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAA;CAC9B;AAED;;GAEG;AACH,eAAO,MAAM,SAAS;IACpB;;OAEG;oBACa,MAAM;;;;;;IAOtB;;OAEG;mBACY,MAAM;;;IAIrB;;OAEG;wBACiB,MAAM,SAAS,MAAM;;;IAIzC;;OAEG;;;;CAIJ,CAAA;AAED;;GAEG;AACH,iBAAS,YAAY,CAAC,EAAE,EAAE,WAAW,GAAG,cAAc,CAErD;AAED;;GAEG;AACH,MAAM,WAAW,MAAM;IACrB;;OAEG;IACH,MAAM,EAAE,MAAM,IAAI,CAAA;IAElB;;OAEG;IACH,UAAU,EAAE,MAAM,iBAAiB,CAAC;QAAE,SAAS,EAAE,SAAS,CAAA;KAAE,CAAC,CAAA;IAE7D;;;OAGG;IACH,KAAK,EAAE,cAAc,CAAA;CACtB;AAED;;;;;;GAMG;AACH,iBAAS,YAAY,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,CA0BlD;AAED,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,CAAA;AACrC,YAAY,EAAE,SAAS,EAAE,MAAM,cAAc,CAAA;AAC7C,YAAY,EAAE,cAAc,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACnE,OAAO,EAAE,mBAAmB,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,WAAW,CAAA"}

package/dist/{index.js → src/index.js}

@@ -1,5 +1,6 @@
 import { authRoutes } from './routes';
 import { middleware } from './middleware';
+import { createDiscoveryCache } from './discovery';
 import { CloudflareKVAdapter } from './session';
 /**
  * Common OIDC provider configurations.
@@ -59,13 +60,15 @@ function createBezzie(config) {
     try {
         new URL(config.issuer);
     }
-    catch (e) {
+    catch {
         throw new Error('Bezzie: issuer must be a valid URL');
     }
-    const router = authRoutes(config);
+    const cache = createDiscoveryCache();
+    const router = authRoutes(config, cache);
     return {
         routes: () => router,
-        middleware: () => middleware(config),
+        middleware: () => middleware(config, cache),
+        cache,
     };
 }
 export { createBezzie, cloudflareKV };

package/dist/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAA;AACrC,OAAO,EAAE,UAAU,EAAkB,MAAM,cAAc,CAAA;AACzD,OAAO,EAAE,oBAAoB,EAAuB,MAAM,aAAa,CAAA;AAEvE,OAAO,EAAE,mBAAmB,EAAuB,MAAM,WAAW,CAAA;AA4FpE;;GAEG;AACH,MAAM,CAAC,MAAM,SAAS,GAAG;IACvB;;OAEG;IACH,KAAK,EAAE,CAAC,MAAc,EAAE,EAAE,CAAC,CAAC;QAC1B,MAAM,EAAE,WAAW,MAAM,EAAE;QAC3B,aAAa,EAAE;YACb,SAAS,EAAE,WAAW,MAAM,YAAY;SACzC;KACF,CAAC;IAEF;;OAEG;IACH,IAAI,EAAE,CAAC,MAAc,EAAE,EAAE,CAAC,CAAC;QACzB,MAAM,EAAE,WAAW,MAAM,iBAAiB;KAC3C,CAAC;IAEF;;OAEG;IACH,QAAQ,EAAE,CAAC,OAAe,EAAE,KAAa,EAAE,EAAE,CAAC,CAAC;QAC7C,MAAM,EAAE,GAAG,OAAO,WAAW,KAAK,EAAE;KACrC,CAAC;IAEF;;OAEG;IACH,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACb,MAAM,EAAE,6BAA6B;KACtC,CAAC;CACH,CAAA;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,EAAe;IACnC,OAAO,IAAI,mBAAmB,CAAC,EAAE,CAAC,CAAA;AACpC,CAAC;AAuBD;;;;;;GAMG;AACH,SAAS,YAAY,CAAC,MAAoB;IACxC,MAAM,QAAQ,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,EAAE,SAAS,EAAE,SAAS,CAAC,CAAA;IAC7E,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,CAAC,MAAM,CAAC,GAAyB,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,oCAAoC,GAAG,EAAE,CAAC,CAAA;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAA;IAC5D,CAAC;IAED,IAAI,CAAC;QACH,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;IACvD,CAAC;IAED,MAAM,KAAK,GAAG,oBAAoB,EAAE,CAAA;IACpC,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;IAExC,OAAO;QACL,MAAM,EAAE,GAAG,EAAE,CAAC,MAAM;QACpB,UAAU,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,MAAM,EAAE,KAAK,CAAC;QAC3C,KAAK;KACN,CAAA;AACH,CAAC;AAED,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,CAAA;AAGrC,OAAO,EAAE,mBAAmB,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,WAAW,CAAA"}

package/dist/{middleware.d.ts → src/middleware.d.ts}

@@ -1,4 +1,5 @@
 import type { MiddlewareHandler } from 'hono';
+import { type DiscoveryCache } from './discovery';
 import type { Session } from './session';
 import type { BezzieConfig } from './index';
 /**
@@ -15,8 +16,7 @@ export type Variables = {
      */
     accessToken: string;
 };
-export declare function _resetDiscoveryCache(): void;
-export declare function middleware(config: BezzieConfig): MiddlewareHandler<{
+export declare function middleware(config: BezzieConfig, cache: DiscoveryCache): MiddlewareHandler<{
     Variables: Variables;
 }>;
 //# sourceMappingURL=middleware.d.ts.map

package/dist/src/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAG7C,OAAO,EAA0B,KAAK,cAAc,EAAE,MAAM,aAAa,CAAA;AACzE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACxC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAE3C;;;GAGG;AACH,MAAM,MAAM,SAAS,GAAG;IACtB;;OAEG;IACH,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,CAAA;IACrB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAA;CACpB,CAAA;AAGD,wBAAgB,UAAU,CAAC,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE,cAAc,GAAG,iBAAiB,CAAC;IAAE,SAAS,EAAE,SAAS,CAAA;CAAE,CAAC,CAqGnH"}

package/dist/src/middleware.js

@@ -0,0 +1,95 @@
+import { getCookie } from 'hono/cookie';
+import * as oauth from 'oauth4webapi';
+import { getAuthorizationServer } from './discovery';
+export function middleware(config, cache) {
+    const sessionStore = config.adapter;
+    return async (c, next) => {
+        // 1. Read the sessionId cookie from the request
+        const sessionId = getCookie(c, config.cookieName ?? '__Host-session');
+        // 2. If no cookie → return 401
+        if (!sessionId) {
+            return c.text('Unauthorized', 401);
+        }
+        // 3. Look up the session in KV using SessionStore
+        let session = await sessionStore.get(sessionId);
+        // 4. If no session found or it's a PKCE state → return 401
+        if (!session || 'codeVerifier' in session) {
+            return c.text('Unauthorized', 401);
+        }
+        // 4.5 Check for absolute session expiry (90 days)
+        const MAX_SESSION_AGE = 90 * 24 * 60 * 60; // 90 days
+        if (Math.floor(Date.now() / 1000) - session.createdAt > MAX_SESSION_AGE) {
+            await sessionStore.delete(sessionId);
+            return c.redirect(config.loginPath ?? '/auth/login');
+        }
+        const as = await getAuthorizationServer(config, cache);
+        // 5. Check if the access token is expired (with configurable buffer)
+        if (session.expiresAt < (Date.now() / 1000) + (config.refreshBufferSeconds ?? 60)) {
+            if (session.refreshToken) {
+                try {
+                    // 6. If expired → use oauth4webapi to perform a refresh token grant
+                    const client = { client_id: config.clientId };
+                    const clientAuth = oauth.ClientSecretPost(config.clientSecret);
+                    const response = await oauth.refreshTokenGrantRequest(as, client, clientAuth, session.refreshToken);
+                    try {
+                        const result = await oauth.processRefreshTokenResponse(as, client, response);
+                        // Update the session in KV with new tokens and new expiresAt
+                        session.accessToken = result.access_token;
+                        if (result.refresh_token) {
+                            session.refreshToken = result.refresh_token;
+                        }
+                        session.expiresAt = Math.floor(Date.now() / 1000) + (result.expires_in || 3600);
+                        await sessionStore.set(sessionId, session, config.sessionTtlSeconds ?? 30 * 24 * 60 * 60); // 30 days, matches initial session TTL
+                    }
+                    catch (err) {
+                        if (err instanceof oauth.ResponseBodyError && err.error === 'invalid_grant') {
+                            // Potential race condition: another request might have already refreshed this token
+                            const refreshedSession = await sessionStore.get(sessionId);
+                            if (refreshedSession &&
+                                !('codeVerifier' in refreshedSession) &&
+                                refreshedSession.accessToken !== session.accessToken) {
+                                // Someone else already refreshed it! Use that session.
+                                session = refreshedSession;
+                            }
+                            else {
+                                // Truly failed
+                                await sessionStore.delete(sessionId);
+                                return c.text('Unauthorized', 401);
+                            }
+                        }
+                        else {
+                            await sessionStore.delete(sessionId);
+                            return c.text('Unauthorized', 401);
+                        }
+                    }
+                }
+                catch {
+                    await sessionStore.delete(sessionId);
+                    return c.text('Unauthorized', 401);
+                }
+            }
+        }
+        // 8. Validate the JWT using JWKS (only if audience is set and validation is enabled)
+        if (config.validateAccessToken !== false && config.audience) {
+            try {
+                // We need a Request object that has the Authorization header for validateJwtAccessToken
+                const mockReq = new Request(c.req.raw.url, {
+                    headers: {
+                        Authorization: `Bearer ${session.accessToken}`,
+                    },
+                });
+                await oauth.validateJwtAccessToken(as, mockReq, config.audience, { [oauth.jwksCache]: cache.jwksCache });
+            }
+            catch {
+                // 9. If JWT invalid → return 401
+                return c.text('Unauthorized', 401);
+            }
+        }
+        // 10. Attach the user and accessToken to Hono context
+        c.set('user', session.user);
+        c.set('accessToken', session.accessToken);
+        // 12. Call next()
+        await next();
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/src/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/middleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AACvC,OAAO,KAAK,KAAK,MAAM,cAAc,CAAA;AACrC,OAAO,EAAE,sBAAsB,EAAuB,MAAM,aAAa,CAAA;AAoBzE,MAAM,UAAU,UAAU,CAAC,MAAoB,EAAE,KAAqB;IACpE,MAAM,YAAY,GAAG,MAAM,CAAC,OAAO,CAAA;IAEnC,OAAO,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACvB,gDAAgD;QAChD,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,EAAE,MAAM,CAAC,UAAU,IAAI,gBAAgB,CAAC,CAAA;QAErE,+BAA+B;QAC/B,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,CAAC,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;QACpC,CAAC;QAED,kDAAkD;QAClD,IAAI,OAAO,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QAE/C,2DAA2D;QAC3D,IAAI,CAAC,OAAO,IAAI,cAAc,IAAI,OAAO,EAAE,CAAC;YAC1C,OAAO,CAAC,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;QACpC,CAAC;QAED,kDAAkD;QAClD,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAA,CAAC,UAAU;QACpD,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,OAAO,CAAC,SAAS,GAAG,eAAe,EAAE,CAAC;YACxE,MAAM,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;YACpC,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,IAAI,aAAa,CAAC,CAAA;QACtD,CAAC;QAED,MAAM,EAAE,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QAEtD,qEAAqE;QACrE,IAAI,OAAO,CAAC,SAAS,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,oBAAoB,IAAI,EAAE,CAAC,EAAE,CAAC;YAClF,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;gBACzB,IAAI,CAAC;oBACH,oEAAoE;oBACpE,MAAM,MAAM,GAAiB,EAAE,SAAS,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAA;oBAC3D,MAAM,UAAU,GAAG,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;oBAE9D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,wBAAwB,CAAC,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC,YAAY,CAAC,CAAA;oBAEnG,IAAI,CAAC;wBACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,2BAA2B,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAA;wBAC5E,6DAA6D;wBAC7D,OAAO,CAAC,WAAW,GAAG,MAAM,CAAC,YAAY,CAAA;wBACzC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;4BACzB,OAAO,CAAC,YAAY,GAAG,MAAM,CAAC,aAAa,CAAA;wBAC7C,CAAC;wBACD,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAA;wBAE/E,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,iBAAiB,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAA,CAAC,uCAAuC;oBACnI,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,IAAI,GAAG,YAAY,KAAK,CAAC,iBAAiB,IAAI,GAAG,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;4BAC5E,oFAAoF;4BACpF,MAAM,gBAAgB,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;4BAC1D,IACE,gBAAgB;gCAChB,CAAC,CAAC,cAAc,IAAI,gBAAgB,CAAC;gCACrC,gBAAgB,CAAC,WAAW,KAAK,OAAO,CAAC,WAAW,EACpD,CAAC;gCACD,uDAAuD;gCACvD,OAAO,GAAG,gBAAgB,CAAA;4BAC5B,CAAC;iCAAM,CAAC;gCACN,eAAe;gCACf,MAAM,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;gCACpC,OAAO,CAAC,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;4BACpC,CAAC;wBACH,CAAC;6BAAM,CAAC;4BACN,MAAM,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;4BACpC,OAAO,CAAC,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;wBACpC,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;oBACpC,OAAO,CAAC,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;gBACpC,CAAC;YACH,CAAC;QACH,CAAC;QAED,qFAAqF;QACrF,IAAI,MAAM,CAAC,mBAAmB,KAAK,KAAK,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YAC5D,IAAI,CAAC;gBACH,wFAAwF;gBACxF,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE;oBACzC,OAAO,EAAE;wBACP,aAAa,EAAE,UAAU,OAAO,CAAC,WAAW,EAAE;qBAC/C;iBACF,CAAC,CAAA;gBAEF,MAAM,KAAK,CAAC,sBAAsB,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAA;YAC1G,CAAC;YAAC,MAAM,CAAC;gBACP,iCAAiC;gBACjC,OAAO,CAAC,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;YACpC,CAAC;QACH,CAAC;QAED,sDAAsD;QACtD,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,CAAA;QAC3B,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,WAAW,CAAC,CAAA;QAEzC,kBAAkB;QAClB,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC"}

package/dist/src/routes.d.ts

@@ -0,0 +1,5 @@
+import { Hono } from 'hono';
+import { type DiscoveryCache } from './discovery';
+import type { BezzieConfig } from './index';
+export declare function authRoutes(config: BezzieConfig, cache: DiscoveryCache): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;
+//# sourceMappingURL=routes.d.ts.map

package/dist/src/routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../../src/routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAG3B,OAAO,EAA0B,KAAK,cAAc,EAAE,MAAM,aAAa,CAAA;AAEzE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAE3C,wBAAgB,UAAU,CAAC,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE,cAAc,8EAmKrE"}

package/dist/{routes.js → src/routes.js}

@@ -1,25 +1,8 @@
 import { Hono } from 'hono';
 import { getCookie, setCookie, deleteCookie } from 'hono/cookie';
 import * as oauth from 'oauth4webapi';
-let cachedAS = null;
-let cacheExpiresAt = 0;
-async function getAuthorizationServer(config) {
-    if (cachedAS && Date.now() < cacheExpiresAt)
-        return cachedAS;
-    const issuerUrl = new URL(config.issuer);
-    const response = await oauth.discoveryRequest(issuerUrl);
-    const as = await oauth.processDiscoveryResponse(issuerUrl, response);
-    cachedAS = config.providerHints?.tokenEndpoint
-        ? { ...as, token_endpoint: config.providerHints.tokenEndpoint }
-        : as;
-    cacheExpiresAt = Date.now() + 60 * 60 * 1000; // 1 hour
-    return cachedAS;
-}
-export function _resetDiscoveryCache() {
-    cachedAS = null;
-    cacheExpiresAt = 0;
-}
-export function authRoutes(config) {
+import { getAuthorizationServer } from './discovery';
+export function authRoutes(config, cache) {
     const router = new Hono();
     const sessionStore = config.adapter;
     router.get('/login', async (c) => {
@@ -28,8 +11,8 @@ export function authRoutes(config) {
         const state = oauth.generateRandomState();
         const returnTo = c.req.query('returnTo');
         // Store state and codeVerifier in adapter
-        await config.adapter.set(`pkce:${state}`, { codeVerifier: code_verifier, returnTo }, 600); // 10 minutes
-        const as = await getAuthorizationServer(config);
+        await config.adapter.set(`pkce:${state}`, { codeVerifier: code_verifier, returnTo }, config.pkceStateTtlSeconds ?? 600); // 10 minutes
+        const as = await getAuthorizationServer(config, cache);
         if (!as.authorization_endpoint) {
             return c.text('Missing authorization_endpoint', 500);
         }
@@ -37,7 +20,7 @@ export function authRoutes(config) {
         authorizationUrl.searchParams.set('client_id', config.clientId);
         authorizationUrl.searchParams.set('response_type', 'code');
         authorizationUrl.searchParams.set('redirect_uri', `${config.baseUrl}/auth/callback`);
-        authorizationUrl.searchParams.set('scope', 'openid profile email offline_access');
+        authorizationUrl.searchParams.set('scope', (config.scopes ?? ['openid', 'profile', 'email', 'offline_access']).join(' '));
         authorizationUrl.searchParams.set('state', state);
         authorizationUrl.searchParams.set('code_challenge', code_challenge);
         authorizationUrl.searchParams.set('code_challenge_method', 'S256');
@@ -62,24 +45,35 @@ export function authRoutes(config) {
         }
         const { codeVerifier, returnTo } = stored;
         await config.adapter.delete(`pkce:${state}`);
-        const as = await getAuthorizationServer(config);
-        const client = {
-            client_id: config.clientId,
-            client_secret: config.clientSecret,
-            token_endpoint_auth_method: 'client_secret_post',
-        };
-        const response = await oauth.authorizationCodeGrantRequest(as, client, new URL(c.req.url).searchParams, `${config.baseUrl}/auth/callback`, codeVerifier);
-        const result = await oauth.processAuthorizationCodeOpenIDResponse(as, client, response);
-        if (oauth.isOAuth2Error(result)) {
-            return c.text('OAuth 2.0 error', 400);
+        const as = await getAuthorizationServer(config, cache);
+        const client = { client_id: config.clientId };
+        const clientAuth = oauth.ClientSecretPost(config.clientSecret);
+        const response = await oauth.authorizationCodeGrantRequest(as, client, clientAuth, new URL(c.req.url).searchParams, `${config.baseUrl}/auth/callback`, codeVerifier);
+        let result;
+        try {
+            result = await oauth.processAuthorizationCodeResponse(as, client, response);
         }
-        const { access_token, refresh_token, expires_in } = result;
+        catch (err) {
+            if (err instanceof oauth.ResponseBodyError) {
+                return c.text('OAuth 2.0 error', 400);
+            }
+            throw err;
+        }
+        const { access_token, refresh_token, expires_in, id_token } = result;
         const claims = oauth.getValidatedIdTokenClaims(result);
+        if (!claims) {
+            return c.json({ error: 'id_token missing from token response' }, 500);
+        }
+        if (!refresh_token) {
+            console.warn('Bezzie: refresh_token is missing from the token response. offline_access may not be enabled or supported by the provider.');
+        }
         const sessionId = crypto.randomUUID();
         const session = {
             accessToken: access_token,
-            refreshToken: refresh_token || '',
+            refreshToken: refresh_token,
+            idToken: id_token,
             expiresAt: Math.floor(Date.now() / 1000) + (expires_in || 3600),
+            createdAt: Math.floor(Date.now() / 1000),
             user: {
                 ...claims,
                 sub: claims.sub,
@@ -87,38 +81,50 @@ export function authRoutes(config) {
             },
         };
         // TTL for session in KV. Set to 30 days as per bug fix 3.
-        await sessionStore.set(sessionId, session, 30 * 24 * 60 * 60);
-        setCookie(c, 'sessionId', sessionId, {
+        await sessionStore.set(sessionId, session, config.sessionTtlSeconds ?? 30 * 24 * 60 * 60);
+        setCookie(c, config.cookieName ?? '__Host-session', sessionId, {
             httpOnly: true,
             secure: true,
             sameSite: 'Strict',
             path: '/',
+            maxAge: config.sessionTtlSeconds ?? 30 * 24 * 60 * 60, // 30 days, matches KV session TTL
         });
         if (returnTo && returnTo.startsWith('/') && !returnTo.startsWith('//')) {
             return c.redirect(returnTo);
         }
         return c.redirect('/');
     });
-    router.get('/logout', async (c) => {
-        const sessionId = getCookie(c, 'sessionId');
+    router.post('/logout', async (c) => {
+        const sessionId = getCookie(c, config.cookieName ?? '__Host-session');
+        let idToken;
         if (sessionId) {
+            const session = await sessionStore.get(sessionId);
+            if (session && !('codeVerifier' in session)) {
+                idToken = session.idToken;
+            }
             await sessionStore.delete(sessionId);
         }
-        deleteCookie(c, 'sessionId', {
+        deleteCookie(c, config.cookieName ?? '__Host-session', {
             path: '/',
             secure: true,
         });
-        const as = await getAuthorizationServer(config);
+        const as = await getAuthorizationServer(config, cache);
         let logoutUrl;
         if (config.providerHints?.logoutUrl) {
             logoutUrl = new URL(config.providerHints.logoutUrl);
             logoutUrl.searchParams.set('client_id', config.clientId);
             logoutUrl.searchParams.set('returnTo', config.baseUrl);
+            if (idToken) {
+                logoutUrl.searchParams.set('id_token_hint', idToken);
+            }
         }
         else if (as.end_session_endpoint) {
             logoutUrl = new URL(as.end_session_endpoint);
             logoutUrl.searchParams.set('client_id', config.clientId);
             logoutUrl.searchParams.set('post_logout_redirect_uri', config.baseUrl);
+            if (idToken) {
+                logoutUrl.searchParams.set('id_token_hint', idToken);
+            }
         }
         else {
             // If no endpoint found, we just redirect to base URL

package/dist/src/routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.js","sourceRoot":"","sources":["../../src/routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAC3B,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAChE,OAAO,KAAK,KAAK,MAAM,cAAc,CAAA;AACrC,OAAO,EAAE,sBAAsB,EAAuB,MAAM,aAAa,CAAA;AAIzE,MAAM,UAAU,UAAU,CAAC,MAAoB,EAAE,KAAqB;IACpE,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAA;IACzB,MAAM,YAAY,GAAG,MAAM,CAAC,OAAO,CAAA;IAEnC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC/B,MAAM,aAAa,GAAG,KAAK,CAAC,0BAA0B,EAAE,CAAA;QACxD,MAAM,cAAc,GAAG,MAAM,KAAK,CAAC,0BAA0B,CAAC,aAAa,CAAC,CAAA;QAC5E,MAAM,KAAK,GAAG,KAAK,CAAC,mBAAmB,EAAE,CAAA;QAEzC,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;QAExC,0CAA0C;QAC1C,MAAM,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAe,EAAE,MAAM,CAAC,mBAAmB,IAAI,GAAG,CAAC,CAAA,CAAC,aAAa;QAElJ,MAAM,EAAE,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QACtD,IAAI,CAAC,EAAE,CAAC,sBAAsB,EAAE,CAAC;YAC/B,OAAO,CAAC,CAAC,IAAI,CAAC,gCAAgC,EAAE,GAAG,CAAC,CAAA;QACtD,CAAC;QAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC,sBAAsB,CAAC,CAAA;QAC3D,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAA;QAC/D,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAA;QAC1D,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,GAAG,MAAM,CAAC,OAAO,gBAAgB,CAAC,CAAA;QACpF,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;QACzH,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;QACjD,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAA;QACnE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAA;QAClE,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAA;QAChE,CAAC;QAED,OAAO,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC,QAAQ,EAAE,CAAC,CAAA;IAChD,CAAC,CAAC,CAAA;IAEF,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAClC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAClC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,CAAC,IAAI,CAAC,gBAAgB,KAAK,EAAE,EAAE,GAAG,CAAC,CAAA;QAC7C,CAAC;QACD,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAClC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;QAEhC,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YACpB,OAAO,CAAC,CAAC,IAAI,CAAC,uBAAuB,EAAE,GAAG,CAAC,CAAA;QAC7C,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,EAAE,CAAc,CAAA;QACrE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,CAAC,IAAI,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAA;QAChD,CAAC;QACD,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAA;QAEzC,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,KAAK,EAAE,CAAC,CAAA;QAE5C,MAAM,EAAE,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QAEtD,MAAM,MAAM,GAAiB,EAAE,SAAS,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAA;QAC3D,MAAM,UAAU,GAAG,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;QAE9D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,6BAA6B,CACxD,EAAE,EACF,MAAM,EACN,UAAU,EACV,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,YAAY,EAC/B,GAAG,MAAM,CAAC,OAAO,gBAAgB,EACjC,YAAY,CACb,CAAA;QAED,IAAI,MAAmC,CAAA;QACvC,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,KAAK,CAAC,gCAAgC,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAA;QAC7E,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,KAAK,CAAC,iBAAiB,EAAE,CAAC;gBAC3C,OAAO,CAAC,CAAC,IAAI,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAA;YACvC,CAAC;YACD,MAAM,GAAG,CAAA;QACX,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAA;QACpE,MAAM,MAAM,GAAG,KAAK,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAA;QAEtD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sCAAsC,EAAE,EAAE,GAAG,CAAC,CAAA;QACvE,CAAC;QAED,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,CAAC,IAAI,CAAC,2HAA2H,CAAC,CAAA;QAC3I,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;QACrC,MAAM,OAAO,GAAY;YACvB,WAAW,EAAE,YAAY;YACzB,YAAY,EAAE,aAAa;YAC3B,OAAO,EAAE,QAAQ;YACjB,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,IAAI,CAAC;YAC/D,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;YACxC,IAAI,EAAE;gBACJ,GAAG,MAAM;gBACT,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAA2B;aAC1C;SACF,CAAA;QAED,0DAA0D;QAC1D,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,iBAAiB,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAA;QAEzF,SAAS,CAAC,CAAC,EAAE,MAAM,CAAC,UAAU,IAAI,gBAAgB,EAAE,SAAS,EAAE;YAC7D,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,QAAQ;YAClB,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,MAAM,CAAC,iBAAiB,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,kCAAkC;SAC1F,CAAC,CAAA;QAEF,IAAI,QAAQ,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACvE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;QAC7B,CAAC;QAED,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;IACxB,CAAC,CAAC,CAAA;IAEF,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACjC,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,EAAE,MAAM,CAAC,UAAU,IAAI,gBAAgB,CAAC,CAAA;QACrE,IAAI,OAA2B,CAAA;QAC/B,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;YACjD,IAAI,OAAO,IAAI,CAAC,CAAC,cAAc,IAAI,OAAO,CAAC,EAAE,CAAC;gBAC5C,OAAO,GAAI,OAAmB,CAAC,OAAO,CAAA;YACxC,CAAC;YACD,MAAM,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QACtC,CAAC;QAED,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,UAAU,IAAI,gBAAgB,EAAE;YACrD,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,IAAI;SACb,CAAC,CAAA;QAEF,MAAM,EAAE,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QAEtD,IAAI,SAAc,CAAA;QAClB,IAAI,MAAM,CAAC,aAAa,EAAE,SAAS,EAAE,CAAC;YACpC,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;YACnD,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAA;YACxD,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,CAAA;YACtD,IAAI,OAAO,EAAE,CAAC;gBACZ,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,CAAA;YACtD,CAAC;QACH,CAAC;aAAM,IAAI,EAAE,CAAC,oBAAoB,EAAE,CAAC;YACnC,SAAS,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC,oBAAoB,CAAC,CAAA;YAC5C,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAA;YACxD,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,0BAA0B,EAAE,MAAM,CAAC,OAAO,CAAC,CAAA;YACtE,IAAI,OAAO,EAAE,CAAC;gBACZ,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,CAAA;YACtD,CAAC;QACH,CAAC;aAAM,CAAC;YACN,qDAAqD;YACrD,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;QACxB,CAAC;QAED,OAAO,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAA;IACzC,CAAC,CAAC,CAAA;IAEF,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/{session.d.ts → src/session.d.ts}

@@ -9,11 +9,19 @@ export interface Session {
     /**
      * OAuth refresh token.
      */
-    refreshToken: string;
+    refreshToken?: string;
+    /**
+     * OAuth ID token.
+     */
+    idToken?: string;
     /**
      * Expiration time of the access token as a Unix timestamp (seconds).
      */
     expiresAt: number;
+    /**
+     * Creation time of the session as a Unix timestamp (seconds).
+     */
+    createdAt: number;
     /**
      * User information from the ID token or userinfo endpoint.
      */

package/dist/src/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/session.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAA;IACnB;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAA;IACjB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAA;IACjB;;OAEG;IACH,IAAI,EAAE;QACJ;;WAEG;QACH,GAAG,EAAE,MAAM,CAAA;QACX;;WAEG;QACH,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KACvB,CAAA;CACF;AAED,cAAc,YAAY,CAAA"}

package/dist/src/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/session.ts"],"names":[],"mappings":"AAwCA,cAAc,YAAY,CAAA"}

package/dist/test/index.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=index.test.d.ts.map

package/dist/test/index.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.d.ts","sourceRoot":"","sources":["../../test/index.test.ts"],"names":[],"mappings":""}