binoauth 0.0.11 → 0.0.12

package/dist/core/src/oauth/client.js

@@ -0,0 +1,491 @@
+import { createAuthConfigFromIssuer } from "./types";
+import { TokenStorage } from "./storage";
+import { AuthorizationCodeFlow } from "./flows/authorization-code";
+import { RefreshTokenFlow } from "./flows/refresh-token";
+import { DeviceCodeFlow } from "./flows/device-code";
+import { ClientCredentialsFlow } from "./flows/client-credentials";
+import { isJWT } from "./utils";
+import { AuthError, ErrorCode } from "./error";
+import { Configuration } from "@binoauth/tenant-sdk";
+/**
+ * BinoAuth OAuth 2.0 Client
+ *
+ * A comprehensive OAuth 2.0 client that supports multiple grant types
+ * including Authorization Code, Device Code, Client Credentials, and Refresh Token flows.
+ *
+ * Features:
+ * - Automatic token refresh and management
+ * - PKCE support for secure authentication
+ * - Device authorization for IoT and limited-input devices
+ * - Server-to-server authentication with client credentials
+ * - Secure token storage with encryption
+ * - Rate limiting and CSRF protection
+ *
+ * @example
+ * ```typescript
+ * import { BinoAuthOAuth, InMemoryTokenStorage } from 'binoauth';
+ *
+ * // Simple configuration using issuer
+ * const client = new BinoAuthOAuth({
+ *   issuer: 'https://auth.binoauth.com',
+ *   clientId: 'your_client_id',
+ *   redirectUri: 'https://yourapp.com/callback',
+ *   scope: 'openid profile email'
+ * }, {
+ *   storage: new InMemoryTokenStorage(),
+ *   clientId: 'your_client_id'
+ * });
+ *
+ * // Authorization Code Flow (for web/mobile apps)
+ * const loginUrl = await client.getLoginUrl();
+ * window.location.href = loginUrl;
+ *
+ * // Handle callback after user returns
+ * const urlParams = new URLSearchParams(window.location.search);
+ * await client.handleCallback(
+ *   urlParams.get('code')!,
+ *   urlParams.get('state')!
+ * );
+ *
+ * // Check authentication status
+ * const isLoggedIn = await client.isAuthenticated();
+ * if (isLoggedIn) {
+ *   const userInfo = await client.getUserInfo();
+ *   console.log('Logged in as:', userInfo.email);
+ * }
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // Device Code Flow (for TVs, IoT devices, CLI tools)
+ * const deviceAuth = await client.requestDeviceCode();
+ * console.log(`Visit: ${deviceAuth.verification_uri}`);
+ * console.log(`Enter code: ${deviceAuth.user_code}`);
+ *
+ * // Poll for authorization
+ * const pollInterval = deviceAuth.interval * 1000;
+ * while (true) {
+ *   try {
+ *     await client.pollForToken(deviceAuth.device_code);
+ *     console.log('Device authorized successfully!');
+ *     break;
+ *   } catch (error) {
+ *     if (error.code === 'authorization_pending') {
+ *       await new Promise(resolve => setTimeout(resolve, pollInterval));
+ *       continue;
+ *     }
+ *     throw error;
+ *   }
+ * }
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // Client Credentials Flow (for server-to-server)
+ * client.initializeClientCredentials('your_client_secret');
+ * await client.getClientCredentialsTokens();
+ *
+ * // Use token for API calls
+ * const accessToken = await client.getAccessToken();
+ * const response = await fetch('/api/protected', {
+ *   headers: { 'Authorization': `Bearer ${accessToken}` }
+ * });
+ * ```
+ */
+export class BinoAuthOAuth {
+    config;
+    storage;
+    oauthApi;
+    authCodeFlow;
+    refreshFlow;
+    deviceFlow;
+    clientCredentialsFlow;
+    /**
+     * Creates a new BinoAuth OAuth client
+     *
+     * @param config - OAuth configuration (can use simplified BinoAuthConfig with issuer)
+     * @param storageConfig - Token storage configuration
+     *
+     * @example
+     * ```typescript
+     * // Simple configuration with issuer
+     * const client = new BinoAuthOAuth({
+     *   issuer: 'https://auth.binoauth.com',
+     *   clientId: 'your_client_id',
+     *   redirectUri: 'https://yourapp.com/callback'
+     * }, {
+     *   storage: new InMemoryTokenStorage(),
+     *   clientId: 'your_client_id'
+     * });
+     *
+     * // Full configuration
+     * const client = new BinoAuthOAuth({
+     *   clientId: 'your_client_id',
+     *   redirectUri: 'https://yourapp.com/callback',
+     *   authorizeEndpoint: 'https://auth.binoauth.com/api/v1/oauth/authorize',
+     *   tokenEndpoint: 'https://auth.binoauth.com/api/v1/oauth/token',
+     *   userInfoEndpoint: 'https://auth.binoauth.com/api/v1/oauth/userinfo'
+     * }, storageConfig);
+     * ```
+     */
+    constructor(config, storageConfig) {
+        // Convert BinoAuthConfig to AuthConfig if needed
+        this.config = 'issuer' in config ? createAuthConfigFromIssuer(config) : config;
+        this.storage = new TokenStorage({
+            ...storageConfig,
+            clientId: storageConfig.clientId || this.config.clientId,
+        });
+        // Create tenant-SDK OAuth API if we have issuer-based config
+        if ('issuer' in config) {
+            try {
+                const { OAuth2Api } = require("@binoauth/tenant-sdk");
+                const tenantConfig = new Configuration({
+                    basePath: config.issuer,
+                });
+                this.oauthApi = new OAuth2Api(tenantConfig);
+            }
+            catch (error) {
+                console.warn("Failed to initialize tenant-SDK OAuth API:", error);
+            }
+        }
+        this.authCodeFlow = new AuthorizationCodeFlow(this.config, this.storage, this.oauthApi);
+        this.refreshFlow = new RefreshTokenFlow(this.config, this.storage, this.oauthApi);
+        this.deviceFlow = new DeviceCodeFlow(this.config, this.storage, this.oauthApi);
+    }
+    /**
+     * Initializes client credentials flow for server-to-server authentication
+     *
+     * @param clientSecret - The client secret for authentication
+     *
+     * @example
+     * ```typescript
+     * client.initializeClientCredentials('your_client_secret');
+     * await client.getClientCredentialsTokens();
+     * ```
+     */
+    initializeClientCredentials(clientSecret) {
+        this.clientCredentialsFlow = new ClientCredentialsFlow({ ...this.config, clientSecret }, this.storage, this.oauthApi);
+    }
+    /**
+     * Updates the token storage instance
+     *
+     * @param tokenStorage - New token storage instance
+     */
+    setTokenStorage(tokenStorage) {
+        this.storage = tokenStorage;
+    }
+    /**
+     * Gets the current token storage instance
+     *
+     * @returns The current token storage
+     */
+    getTokenStorage() {
+        return this.storage;
+    }
+    // Authorization Code Flow methods
+    /**
+     * Generates the authorization URL for the OAuth flow
+     *
+     * @returns Promise resolving to the authorization URL
+     *
+     * @example
+     * ```typescript
+     * const loginUrl = await client.getLoginUrl();
+     * window.location.href = loginUrl; // Redirect user to BinoAuth
+     * ```
+     */
+    async getLoginUrl() {
+        return this.authCodeFlow.getLoginUrl();
+    }
+    /**
+     * Handles the OAuth callback and exchanges code for tokens
+     *
+     * @param code - Authorization code from callback
+     * @param state - State parameter from callback
+     *
+     * @example
+     * ```typescript
+     * const urlParams = new URLSearchParams(window.location.search);
+     * await client.handleCallback(
+     *   urlParams.get('code')!,
+     *   urlParams.get('state')!
+     * );
+     * ```
+     */
+    async handleCallback(code, state) {
+        return this.authCodeFlow.handleCallback(code, state);
+    }
+    /**
+     * Generates the logout URL
+     *
+     * @returns Promise resolving to the logout URL
+     */
+    async getLogoutUrl() {
+        return this.authCodeFlow.getLogoutUrl();
+    }
+    /**
+     * Generates the logout page URL with optional return URL
+     *
+     * @param returnTo - Optional URL to redirect to after logout
+     * @returns Promise resolving to the logout page URL
+     */
+    async getLogoutPageUrl(returnTo) {
+        return this.authCodeFlow.getLogoutPageUrl(returnTo);
+    }
+    // Device Code Flow methods
+    /**
+     * Initiates device authorization flow
+     *
+     * @returns Promise resolving to device authorization response
+     *
+     * @example
+     * ```typescript
+     * const deviceAuth = await client.requestDeviceCode();
+     * console.log(`Visit: ${deviceAuth.verification_uri}`);
+     * console.log(`Enter code: ${deviceAuth.user_code}`);
+     * ```
+     */
+    async requestDeviceCode() {
+        return this.deviceFlow.requestDeviceCode();
+    }
+    /**
+     * Polls for token using device code
+     *
+     * @param deviceCode - Device code from requestDeviceCode()
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   await client.pollForToken(deviceAuth.device_code);
+     *   console.log('Device authorized!');
+     * } catch (error) {
+     *   if (error.code === 'authorization_pending') {
+     *     // User hasn't entered code yet, continue polling
+     *   }
+     * }
+     * ```
+     */
+    async pollForToken(deviceCode) {
+        return this.deviceFlow.pollForToken(deviceCode);
+    }
+    // Client Credentials Flow methods
+    /**
+     * Requests tokens using client credentials flow
+     *
+     * @example
+     * ```typescript
+     * client.initializeClientCredentials('your_client_secret');
+     * await client.getClientCredentialsTokens();
+     *
+     * const accessToken = await client.getAccessToken();
+     * // Use token for server-to-server API calls
+     * ```
+     *
+     * @throws {AuthError} When client credentials flow is not initialized
+     */
+    async getClientCredentialsTokens() {
+        if (!this.clientCredentialsFlow) {
+            throw new AuthError("Client credentials flow not initialized. Call initializeClientCredentials() first.", ErrorCode.InvalidConfig);
+        }
+        return this.clientCredentialsFlow.getTokens();
+    }
+    // Token management
+    /**
+     * Gets a valid access token, automatically refreshing if needed
+     *
+     * @returns Promise resolving to access token or null if not authenticated
+     *
+     * @example
+     * ```typescript
+     * const accessToken = await client.getAccessToken();
+     * if (accessToken) {
+     *   const response = await fetch('/api/protected', {
+     *     headers: { 'Authorization': `Bearer ${accessToken}` }
+     *   });
+     * }
+     * ```
+     */
+    async getAccessToken() {
+        const token = await this.storage.getAccessToken();
+        if (!token || this.storage.isTokenExpired(token)) {
+            const refreshToken = await this.storage.getRefreshToken();
+            if (refreshToken && !this.storage.isTokenExpired(refreshToken)) {
+                try {
+                    await this.refreshFlow.refreshTokens();
+                    const newToken = await this.storage.getAccessToken();
+                    return newToken?.value || null;
+                }
+                catch {
+                    return null;
+                }
+            }
+            return null;
+        }
+        return token.value;
+    }
+    /**
+     * Manually refreshes access tokens using refresh token
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   await client.refreshTokens();
+     *   console.log('Tokens refreshed successfully');
+     * } catch (error) {
+     *   console.log('Token refresh failed:', error.message);
+     * }
+     * ```
+     */
+    async refreshTokens() {
+        return this.refreshFlow.refreshTokens();
+    }
+    // User information
+    /**
+     * Fetches authenticated user information
+     *
+     * @returns Promise resolving to user info or null if not authenticated
+     *
+     * @example
+     * ```typescript
+     * const userInfo = await client.getUserInfo();
+     * if (userInfo) {
+     *   console.log(`Welcome, ${userInfo.name}!`);
+     *   console.log(`Email: ${userInfo.email}`);
+     * }
+     * ```
+     *
+     * @throws {AuthError} When userInfoEndpoint is missing from config
+     */
+    async getUserInfo() {
+        if (!this.config.userInfoEndpoint) {
+            throw new AuthError("Missing userInfoEndpoint in config", ErrorCode.InvalidConfig);
+        }
+        let token = await this.storage.getAccessToken();
+        if (!token || this.storage.isTokenExpired(token)) {
+            const refreshToken = await this.storage.getRefreshToken();
+            if (refreshToken && !this.storage.isTokenExpired(refreshToken)) {
+                try {
+                    await this.refreshFlow.refreshTokens();
+                    const newToken = await this.storage.getAccessToken();
+                    if (!newToken || this.storage.isTokenExpired(newToken)) {
+                        return null;
+                    }
+                    token = newToken;
+                }
+                catch (e) {
+                    return null;
+                }
+            }
+            else {
+                return null;
+            }
+        }
+        if (!isJWT(token.value)) {
+            return null;
+        }
+        const response = await fetch(this.config.userInfoEndpoint, {
+            headers: {
+                Authorization: `Bearer ${token.value}`,
+            },
+            credentials: "include",
+        });
+        if (response.ok)
+            return response.json();
+        return null;
+    }
+    // Authentication status
+    /**
+     * Checks if the user is currently authenticated
+     *
+     * Automatically attempts token refresh if access token is expired
+     * but refresh token is still valid.
+     *
+     * @returns Promise resolving to true if authenticated, false otherwise
+     *
+     * @example
+     * ```typescript
+     * if (await client.isAuthenticated()) {
+     *   // User is logged in, show authenticated content
+     *   const userInfo = await client.getUserInfo();
+     * } else {
+     *   // User needs to log in
+     *   const loginUrl = await client.getLoginUrl();
+     *   window.location.href = loginUrl;
+     * }
+     * ```
+     */
+    async isAuthenticated() {
+        const token = await this.storage.getAccessToken();
+        if (!token || this.storage.isTokenExpired(token) || !isJWT(token.value)) {
+            const refreshToken = await this.storage.getRefreshToken();
+            if (refreshToken && !this.storage.isTokenExpired(refreshToken)) {
+                if (!isJWT(refreshToken.value)) {
+                    return false;
+                }
+                try {
+                    await this.refreshFlow.refreshTokens();
+                    return true;
+                }
+                catch {
+                    return false;
+                }
+            }
+            return false;
+        }
+        return true;
+    }
+    // Logout
+    /**
+     * Logs out the user and revokes tokens
+     *
+     * Attempts to revoke tokens on the server if revoke endpoint is configured,
+     * then clears local token storage.
+     *
+     * @example
+     * ```typescript
+     * await client.logout();
+     * console.log('User logged out successfully');
+     *
+     * // Redirect to login page
+     * const loginUrl = await client.getLoginUrl();
+     * window.location.href = loginUrl;
+     * ```
+     */
+    async logout() {
+        if (!this.config.revokeEndpoint) {
+            this.storage.clearTokens();
+            return;
+        }
+        const accessToken = await this.storage.getAccessToken();
+        const refreshToken = await this.storage.getRefreshToken();
+        const accessTokenValue = accessToken?.value;
+        const refreshTokenValue = refreshToken?.value;
+        try {
+            if (accessTokenValue && isJWT(accessTokenValue)) {
+                const body = JSON.stringify({
+                    client_id: this.config.clientId,
+                    access_token: accessTokenValue,
+                    refresh_token: refreshTokenValue,
+                });
+                const response = await fetch(this.config.revokeEndpoint, {
+                    method: "POST",
+                    headers: {
+                        "Content-Type": "application/json",
+                        Authorization: `Bearer ${accessTokenValue}`,
+                    },
+                    body,
+                });
+                if (!response.ok) {
+                    console.debug("Token revocation returned non-OK response:", await response.text());
+                }
+            }
+        }
+        catch (e) {
+            console.debug("Failed to revoke tokens:", e);
+        }
+        finally {
+            this.storage.clearTokens();
+        }
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/core/src/oauth/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../../src/oauth/client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,0BAA0B,EAAE,MAAM,SAAS,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAChC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,EAAiB,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAEpE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoFG;AACH,MAAM,OAAO,aAAa;IAChB,MAAM,CAAa;IACnB,OAAO,CAAe;IACtB,QAAQ,CAAa;IACrB,YAAY,CAAwB;IACpC,WAAW,CAAmB;IAC9B,UAAU,CAAiB;IAC3B,qBAAqB,CAAyB;IAEtD;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,YAAY,MAAmC,EAAE,aAA4B;QAC3E,iDAAiD;QACjD,IAAI,CAAC,MAAM,GAAG,QAAQ,IAAI,MAAM,CAAC,CAAC,CAAC,0BAA0B,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;QAE/E,IAAI,CAAC,OAAO,GAAG,IAAI,YAAY,CAAC;YAC9B,GAAG,aAAa;YAChB,QAAQ,EAAE,aAAa,CAAC,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ;SACzD,CAAC,CAAC;QAEH,6DAA6D;QAC7D,IAAI,QAAQ,IAAI,MAAM,EAAE,CAAC;YACvB,IAAI,CAAC;gBACH,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC,CAAC;gBACtD,MAAM,YAAY,GAAG,IAAI,aAAa,CAAC;oBACrC,QAAQ,EAAE,MAAM,CAAC,MAAM;iBACxB,CAAC,CAAC;gBACH,IAAI,CAAC,QAAQ,GAAG,IAAI,SAAS,CAAC,YAAY,CAAC,CAAC;YAC9C,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,4CAA4C,EAAE,KAAK,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;QAED,IAAI,CAAC,YAAY,GAAG,IAAI,qBAAqB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACxF,IAAI,CAAC,WAAW,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QAClF,IAAI,CAAC,UAAU,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjF,CAAC;IAED;;;;;;;;;;OAUG;IACH,2BAA2B,CAAC,YAAoB;QAC9C,IAAI,CAAC,qBAAqB,GAAG,IAAI,qBAAqB,CACpD,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,YAAY,EAAE,EAChC,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,QAAQ,CACd,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,eAAe,CAAC,YAA0B;QACxC,IAAI,CAAC,OAAO,GAAG,YAAY,CAAC;IAC9B,CAAC;IAED;;;;OAIG;IACH,eAAe;QACb,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,kCAAkC;IAElC;;;;;;;;;;OAUG;IACH,KAAK,CAAC,WAAW;QACf,OAAO,IAAI,CAAC,YAAY,CAAC,WAAW,EAAE,CAAC;IACzC,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,cAAc,CAAC,IAAY,EAAE,KAAa;QAC9C,OAAO,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACvD,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY;QAChB,OAAO,IAAI,CAAC,YAAY,CAAC,YAAY,EAAE,CAAC;IAC1C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,gBAAgB,CAAC,QAAiB;QACtC,OAAO,IAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IACtD,CAAC;IAED,2BAA2B;IAE3B;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,iBAAiB;QACrB,OAAO,IAAI,CAAC,UAAU,CAAC,iBAAiB,EAAE,CAAC;IAC7C,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,YAAY,CAAC,UAAkB;QACnC,OAAO,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;IAClD,CAAC;IAED,kCAAkC;IAElC;;;;;;;;;;;;;OAaG;IACH,KAAK,CAAC,0BAA0B;QAC9B,IAAI,CAAC,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAChC,MAAM,IAAI,SAAS,CACjB,oFAAoF,EACpF,SAAS,CAAC,aAAa,CACxB,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,qBAAqB,CAAC,SAAS,EAAE,CAAC;IAChD,CAAC;IAED,mBAAmB;IAEnB;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,cAAc;QAClB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAClD,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YACjD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;YAC1D,IAAI,YAAY,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC/D,IAAI,CAAC;oBACH,MAAM,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;oBACvC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;oBACrD,OAAO,QAAQ,EAAE,KAAK,IAAI,IAAI,CAAC;gBACjC,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC,KAAK,CAAC;IACrB,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,aAAa;QACjB,OAAO,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;IAC1C,CAAC;IAED,mBAAmB;IAEnB;;;;;;;;;;;;;;;OAeG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;YAClC,MAAM,IAAI,SAAS,CACjB,oCAAoC,EACpC,SAAS,CAAC,aAAa,CACxB,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAChD,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YACjD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;YAC1D,IAAI,YAAY,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC/D,IAAI,CAAC;oBACH,MAAM,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;oBACvC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;oBACrD,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;wBACvD,OAAO,IAAI,CAAC;oBACd,CAAC;oBACD,KAAK,GAAG,QAAQ,CAAC;gBACnB,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE;YACzD,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,CAAC,KAAK,EAAE;aACvC;YACD,WAAW,EAAE,SAAS;SACvB,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,EAAE;YAAE,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,wBAAwB;IAExB;;;;;;;;;;;;;;;;;;;OAmBG;IACH,KAAK,CAAC,eAAe;QACnB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAClD,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACxE,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;YAE1D,IAAI,YAAY,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC/D,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC/B,OAAO,KAAK,CAAC;gBACf,CAAC;gBACD,IAAI,CAAC;oBACH,MAAM,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;oBACvC,OAAO,IAAI,CAAC;gBACd,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS;IAET;;;;;;;;;;;;;;;OAeG;IACH,KAAK,CAAC,MAAM;QACV,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAChC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QACxD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;QAE1D,MAAM,gBAAgB,GAAG,WAAW,EAAE,KAAK,CAAC;QAC5C,MAAM,iBAAiB,GAAG,YAAY,EAAE,KAAK,CAAC;QAE9C,IAAI,CAAC;YACH,IAAI,gBAAgB,IAAI,KAAK,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;oBAC1B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;oBAC/B,YAAY,EAAE,gBAAgB;oBAC9B,aAAa,EAAE,iBAAiB;iBACjC,CAAC,CAAC;gBAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE;oBACvD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,cAAc,EAAE,kBAAkB;wBAClC,aAAa,EAAE,UAAU,gBAAgB,EAAE;qBAC5C;oBACD,IAAI;iBACL,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,OAAO,CAAC,KAAK,CACX,4CAA4C,EAC5C,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,CAAC,CAAC,CAAC;QAC/C,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QAC7B,CAAC;IACH,CAAC;CACF"}

package/dist/core/src/oauth/error.d.ts

@@ -0,0 +1,18 @@
+export declare enum ErrorCode {
+    InvalidConfig = "invalid_config",
+    InvalidState = "invalid_state",
+    MissingVerifier = "missing_verifier",
+    TokenExchangeFailed = "token_exchange_failed",
+    TokenRefreshFailed = "token_refresh_failed",
+    MissingRefreshToken = "missing_refresh_token",
+    RateLimitExceeded = "rate_limit_exceeded",
+    InvalidToken = "invalid_token",
+    NetworkError = "network_error",
+    UnknownError = "unknown_error"
+}
+export declare class AuthError extends Error {
+    code: ErrorCode;
+    description?: string;
+    constructor(message: string, code: ErrorCode, description?: string);
+}
+//# sourceMappingURL=error.d.ts.map

package/dist/core/src/oauth/error.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"error.d.ts","sourceRoot":"","sources":["../../../../src/oauth/error.ts"],"names":[],"mappings":"AAAA,oBAAY,SAAS;IACnB,aAAa,mBAAmB;IAChC,YAAY,kBAAkB;IAC9B,eAAe,qBAAqB;IACpC,mBAAmB,0BAA0B;IAC7C,kBAAkB,yBAAyB;IAC3C,mBAAmB,0BAA0B;IAC7C,iBAAiB,wBAAwB;IACzC,YAAY,kBAAkB;IAC9B,YAAY,kBAAkB;IAC9B,YAAY,kBAAkB;CAC/B;AAED,qBAAa,SAAU,SAAQ,KAAK;IAClC,IAAI,EAAE,SAAS,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;gBAET,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,CAAC,EAAE,MAAM;CAMnE"}

package/dist/core/src/oauth/error.js

@@ -0,0 +1,24 @@
+export var ErrorCode;
+(function (ErrorCode) {
+    ErrorCode["InvalidConfig"] = "invalid_config";
+    ErrorCode["InvalidState"] = "invalid_state";
+    ErrorCode["MissingVerifier"] = "missing_verifier";
+    ErrorCode["TokenExchangeFailed"] = "token_exchange_failed";
+    ErrorCode["TokenRefreshFailed"] = "token_refresh_failed";
+    ErrorCode["MissingRefreshToken"] = "missing_refresh_token";
+    ErrorCode["RateLimitExceeded"] = "rate_limit_exceeded";
+    ErrorCode["InvalidToken"] = "invalid_token";
+    ErrorCode["NetworkError"] = "network_error";
+    ErrorCode["UnknownError"] = "unknown_error";
+})(ErrorCode || (ErrorCode = {}));
+export class AuthError extends Error {
+    code;
+    description;
+    constructor(message, code, description) {
+        super(message);
+        this.name = "AuthError";
+        this.code = code;
+        this.description = description;
+    }
+}
+//# sourceMappingURL=error.js.map

package/dist/core/src/oauth/error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error.js","sourceRoot":"","sources":["../../../../src/oauth/error.ts"],"names":[],"mappings":"AAAA,MAAM,CAAN,IAAY,SAWX;AAXD,WAAY,SAAS;IACnB,6CAAgC,CAAA;IAChC,2CAA8B,CAAA;IAC9B,iDAAoC,CAAA;IACpC,0DAA6C,CAAA;IAC7C,wDAA2C,CAAA;IAC3C,0DAA6C,CAAA;IAC7C,sDAAyC,CAAA;IACzC,2CAA8B,CAAA;IAC9B,2CAA8B,CAAA;IAC9B,2CAA8B,CAAA;AAChC,CAAC,EAXW,SAAS,KAAT,SAAS,QAWpB;AAED,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClC,IAAI,CAAY;IAChB,WAAW,CAAU;IAErB,YAAY,OAAe,EAAE,IAAe,EAAE,WAAoB;QAChE,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;IACjC,CAAC;CACF"}

package/dist/core/src/oauth/flows/authorization-code.d.ts

@@ -0,0 +1,122 @@
+import type { AuthConfig } from "../types";
+import { TokenStorage } from "../storage";
+import { BaseFlow } from "./base-flow";
+import type { OAuth2Api } from "@binoauth/tenant-sdk";
+/**
+ * OAuth 2.0 Authorization Code Flow with PKCE support
+ *
+ * This flow is designed for browser-based applications (SPAs) and mobile apps
+ * where the client cannot securely store a client secret. It uses PKCE
+ * (Proof Key for Code Exchange) for enhanced security.
+ *
+ * @example
+ * ```typescript
+ * const flow = new AuthorizationCodeFlow(config, storage, oauthApi);
+ *
+ * // Step 1: Get authorization URL
+ * const loginUrl = await flow.getLoginUrl();
+ * window.location.href = loginUrl; // Redirect user to BinoAuth
+ *
+ * // Step 2: Handle callback (after user returns from BinoAuth)
+ * const urlParams = new URLSearchParams(window.location.search);
+ * const code = urlParams.get('code');
+ * const state = urlParams.get('state');
+ *
+ * if (code && state) {
+ *   await flow.handleCallback(code, state);
+ *   // User is now authenticated, tokens are stored
+ * }
+ * ```
+ */
+export declare class AuthorizationCodeFlow extends BaseFlow {
+    private loginUrlGenerationInProgress;
+    constructor(config: AuthConfig, storage: TokenStorage, oauthApi?: OAuth2Api);
+    /**
+     * Generates the authorization URL for initiating the OAuth flow
+     *
+     * This method creates a secure authorization URL with PKCE parameters
+     * and stores the necessary state and verifier tokens for later validation.
+     *
+     * @returns Promise resolving to the authorization URL
+     *
+     * @example
+     * ```typescript
+     * const loginUrl = await flow.getLoginUrl();
+     * // Returns: "https://auth.binoauth.com/api/v1/oauth/authorize?response_type=code&client_id=..."
+     *
+     * // Redirect user to the authorization server
+     * window.location.href = loginUrl;
+     * ```
+     *
+     * @throws {AuthError} When authorization endpoint is missing from config
+     */
+    getLoginUrl(): Promise<string>;
+    /**
+     * Handles the OAuth callback and exchanges the authorization code for tokens
+     *
+     * This method validates the state parameter for CSRF protection, then exchanges
+     * the authorization code for access and refresh tokens using PKCE verification.
+     *
+     * @param code - The authorization code returned from the authorization server
+     * @param state - The state parameter returned from the authorization server
+     *
+     * @example
+     * ```typescript
+     * // Extract parameters from callback URL
+     * const urlParams = new URLSearchParams(window.location.search);
+     * const code = urlParams.get('code')!;
+     * const state = urlParams.get('state')!;
+     *
+     * // Exchange code for tokens
+     * await flow.handleCallback(code, state);
+     *
+     * // Tokens are now stored and user is authenticated
+     * const accessToken = await storage.getAccessToken();
+     * ```
+     *
+     * @throws {AuthError} When state validation fails (CSRF protection)
+     * @throws {AuthError} When state or verifier tokens are missing/expired
+     * @throws {AuthError} When token exchange fails
+     */
+    handleCallback(code: string, state: string): Promise<void>;
+    /**
+     * Generates the logout URL for ending the OAuth session
+     *
+     * @returns Promise resolving to the logout URL
+     *
+     * @example
+     * ```typescript
+     * const logoutUrl = await flow.getLogoutUrl();
+     * // Returns: "https://auth.binoauth.com/api/v1/oauth/logout?client_id=..."
+     *
+     * window.location.href = logoutUrl; // Redirect to logout
+     * ```
+     *
+     * @throws {AuthError} When logout endpoint is missing from config
+     */
+    getLogoutUrl(): Promise<string>;
+    /**
+     * Generates the logout page URL with optional return URL
+     *
+     * This URL points to the BinoAuth logout page where the user can
+     * terminate their session and optionally be redirected back.
+     *
+     * @param returnTo - Optional URL to redirect to after logout
+     * @returns Promise resolving to the logout page URL
+     *
+     * @example
+     * ```typescript
+     * // Simple logout
+     * const logoutPageUrl = await flow.getLogoutPageUrl();
+     * // Returns: "https://auth.binoauth.com/auth/logout?client_id=..."
+     *
+     * // Logout with return URL
+     * const logoutPageUrl = await flow.getLogoutPageUrl('https://myapp.com/goodbye');
+     * // Returns: "https://auth.binoauth.com/auth/logout?client_id=...&return_to=..."
+     *
+     * window.location.href = logoutPageUrl;
+     * ```
+     */
+    getLogoutPageUrl(returnTo?: string): Promise<string>;
+}
+//# sourceMappingURL=authorization-code.d.ts.map

package/dist/core/src/oauth/flows/authorization-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization-code.d.ts","sourceRoot":"","sources":["../../../../../src/oauth/flows/authorization-code.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAY,MAAM,UAAU,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG1C,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEtD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,qBAAsB,SAAQ,QAAQ;IACjD,OAAO,CAAC,4BAA4B,CAAS;gBAEjC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,CAAC,EAAE,SAAS;IAkB3E;;;;;;;;;;;;;;;;;;OAkBG;IACG,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;IA6DpC;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACG,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAgHhE;;;;;;;;;;;;;;OAcG;IACG,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC;IAgBrC;;;;;;;;;;;;;;;;;;;;;OAqBG;IACG,gBAAgB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAQ3D"}