binoauth 0.0.11 → 0.0.12

package/dist/core/src/oauth/flows/device-code.d.ts

@@ -0,0 +1,108 @@
+import type { AuthConfig, DeviceCodeResponse } from "../types";
+import { TokenStorage } from "../storage";
+import { BaseFlow } from "./base-flow";
+import type { OAuth2Api } from "@binoauth/tenant-sdk";
+/**
+ * OAuth 2.0 Device Authorization Grant (Device Code Flow)
+ *
+ * This flow is designed for devices that either lack a browser or have
+ * limited input capabilities (smart TVs, IoT devices, CLI tools).
+ *
+ * @example
+ * ```typescript
+ * const flow = new DeviceCodeFlow(config, storage, oauthApi);
+ *
+ * // Step 1: Request device code
+ * const deviceAuth = await flow.requestDeviceCode();
+ * console.log(`Go to: ${deviceAuth.verification_uri}`);
+ * console.log(`Enter code: ${deviceAuth.user_code}`);
+ *
+ * // Step 2: Poll for token (user enters code on another device)
+ * const pollInterval = deviceAuth.interval * 1000; // Convert to milliseconds
+ * const maxAttempts = Math.floor(deviceAuth.expires_in / deviceAuth.interval);
+ *
+ * for (let i = 0; i < maxAttempts; i++) {
+ *   try {
+ *     await flow.pollForToken(deviceAuth.device_code);
+ *     console.log('Device authenticated successfully!');
+ *     break;
+ *   } catch (error) {
+ *     if (error.code === 'authorization_pending') {
+ *       await new Promise(resolve => setTimeout(resolve, pollInterval));
+ *       continue;
+ *     }
+ *     throw error; // Other errors should not be retried
+ *   }
+ * }
+ * ```
+ */
+export declare class DeviceCodeFlow extends BaseFlow {
+    constructor(config: AuthConfig, storage: TokenStorage, oauthApi?: OAuth2Api);
+    /**
+     * Initiates the device authorization flow
+     *
+     * Requests a device code and user code from the authorization server.
+     * The user will need to visit the verification URI and enter the user code.
+     *
+     * @returns Promise resolving to device authorization response
+     *
+     * @example
+     * ```typescript
+     * const deviceAuth = await flow.requestDeviceCode();
+     *
+     * console.log(`Please visit: ${deviceAuth.verification_uri}`);
+     * console.log(`And enter this code: ${deviceAuth.user_code}`);
+     * console.log(`This code expires in ${deviceAuth.expires_in} seconds`);
+     *
+     * // Example response:
+     * // {
+     * //   device_code: "GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS",
+     * //   user_code: "WDJB-MJHT",
+     * //   verification_uri: "https://auth.binoauth.com/auth/device",
+     * //   expires_in: 1800,
+     * //   interval: 5
+     * // }
+     * ```
+     *
+     * @throws {AuthError} When device code request fails
+     */
+    requestDeviceCode(): Promise<DeviceCodeResponse>;
+    /**
+     * Polls for token using the device code
+     *
+     * Continuously checks if the user has authorized the device by entering
+     * the user code. Should be called in a loop with appropriate intervals.
+     *
+     * @param deviceCode - The device code received from requestDeviceCode()
+     *
+     * @example
+     * ```typescript
+     * const deviceAuth = await flow.requestDeviceCode();
+     * const pollInterval = deviceAuth.interval * 1000; // Convert to milliseconds
+     *
+     * // Poll until authorized or expired
+     * while (true) {
+     *   try {
+     *     await flow.pollForToken(deviceAuth.device_code);
+     *     console.log('Authorization successful!');
+     *     break;
+     *   } catch (error) {
+     *     if (error.code === 'authorization_pending') {
+     *       console.log('Waiting for user authorization...');
+     *       await new Promise(resolve => setTimeout(resolve, pollInterval));
+     *       continue;
+     *     } else if (error.code === 'slow_down') {
+     *       console.log('Polling too fast, slowing down...');
+     *       await new Promise(resolve => setTimeout(resolve, pollInterval * 2));
+     *       continue;
+     *     }
+     *     throw error; // Other errors are terminal
+     *   }
+     * }
+     * ```
+     *
+     * @throws {AuthError} When token polling fails or device code expires
+     */
+    pollForToken(deviceCode: string): Promise<void>;
+}
+//# sourceMappingURL=device-code.d.ts.map

package/dist/core/src/oauth/flows/device-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-code.d.ts","sourceRoot":"","sources":["../../../../../src/oauth/flows/device-code.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE1C,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEtD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,qBAAa,cAAe,SAAQ,QAAQ;gBAC9B,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,CAAC,EAAE,SAAS;IAI3E;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACG,iBAAiB,IAAI,OAAO,CAAC,kBAAkB,CAAC;IAkFtD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAmCG;IACG,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAiCtD"}

package/dist/core/src/oauth/flows/device-code.js

@@ -0,0 +1,193 @@
+import { TokenStorage } from "../storage";
+import { AuthError, ErrorCode } from "../error";
+import { BaseFlow } from "./base-flow";
+/**
+ * OAuth 2.0 Device Authorization Grant (Device Code Flow)
+ *
+ * This flow is designed for devices that either lack a browser or have
+ * limited input capabilities (smart TVs, IoT devices, CLI tools).
+ *
+ * @example
+ * ```typescript
+ * const flow = new DeviceCodeFlow(config, storage, oauthApi);
+ *
+ * // Step 1: Request device code
+ * const deviceAuth = await flow.requestDeviceCode();
+ * console.log(`Go to: ${deviceAuth.verification_uri}`);
+ * console.log(`Enter code: ${deviceAuth.user_code}`);
+ *
+ * // Step 2: Poll for token (user enters code on another device)
+ * const pollInterval = deviceAuth.interval * 1000; // Convert to milliseconds
+ * const maxAttempts = Math.floor(deviceAuth.expires_in / deviceAuth.interval);
+ *
+ * for (let i = 0; i < maxAttempts; i++) {
+ *   try {
+ *     await flow.pollForToken(deviceAuth.device_code);
+ *     console.log('Device authenticated successfully!');
+ *     break;
+ *   } catch (error) {
+ *     if (error.code === 'authorization_pending') {
+ *       await new Promise(resolve => setTimeout(resolve, pollInterval));
+ *       continue;
+ *     }
+ *     throw error; // Other errors should not be retried
+ *   }
+ * }
+ * ```
+ */
+export class DeviceCodeFlow extends BaseFlow {
+    constructor(config, storage, oauthApi) {
+        super(config, storage, oauthApi);
+    }
+    /**
+     * Initiates the device authorization flow
+     *
+     * Requests a device code and user code from the authorization server.
+     * The user will need to visit the verification URI and enter the user code.
+     *
+     * @returns Promise resolving to device authorization response
+     *
+     * @example
+     * ```typescript
+     * const deviceAuth = await flow.requestDeviceCode();
+     *
+     * console.log(`Please visit: ${deviceAuth.verification_uri}`);
+     * console.log(`And enter this code: ${deviceAuth.user_code}`);
+     * console.log(`This code expires in ${deviceAuth.expires_in} seconds`);
+     *
+     * // Example response:
+     * // {
+     * //   device_code: "GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS",
+     * //   user_code: "WDJB-MJHT",
+     * //   verification_uri: "https://auth.binoauth.com/auth/device",
+     * //   expires_in: 1800,
+     * //   interval: 5
+     * // }
+     * ```
+     *
+     * @throws {AuthError} When device code request fails
+     */
+    async requestDeviceCode() {
+        if (this.oauthApi) {
+            try {
+                const response = await this.oauthApi.deviceAuthorizationApiV1OauthDeviceCodePost({
+                    deviceAuthorizationRequest: {
+                        clientId: this.config.clientId,
+                    }
+                });
+                return {
+                    device_code: response.deviceCode,
+                    user_code: response.userCode,
+                    verification_uri: `${this.getIssuerFromEndpoint()}/auth/device`,
+                    verification_uri_complete: `${this.getIssuerFromEndpoint()}/auth/device?user_code=${response.userCode}`,
+                    expires_in: response.expiresIn,
+                    interval: response.interval || 5,
+                };
+            }
+            catch (error) {
+                throw new AuthError("Device code request failed", ErrorCode.TokenExchangeFailed, error.message || "Tenant SDK request failed");
+            }
+        }
+        // Fallback to manual implementation
+        if (!this.config.authorizeEndpoint) {
+            throw new AuthError("Missing authorizeEndpoint in config", ErrorCode.InvalidConfig);
+        }
+        const deviceEndpoint = this.config.authorizeEndpoint.replace('/oauth/authorize', '/oauth/device/code');
+        const response = await fetch(deviceEndpoint, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+            },
+            body: new URLSearchParams({
+                client_id: this.config.clientId,
+                scope: this.config.scope,
+            }).toString(),
+        });
+        if (!response.ok) {
+            let errorDetail = "Device code request failed";
+            try {
+                const error = await response.json();
+                errorDetail = error.detail || error.error_description || error.error || errorDetail;
+            }
+            catch (e) {
+                errorDetail = await response.text();
+            }
+            throw new AuthError("Device code request failed", ErrorCode.TokenExchangeFailed, errorDetail);
+        }
+        const deviceCode = await response.json();
+        if (!deviceCode.device_code || !deviceCode.user_code || !deviceCode.verification_uri) {
+            throw new AuthError("Invalid device code response", ErrorCode.TokenExchangeFailed);
+        }
+        return {
+            device_code: deviceCode.device_code,
+            user_code: deviceCode.user_code,
+            verification_uri: deviceCode.verification_uri,
+            verification_uri_complete: deviceCode.verification_uri_complete,
+            expires_in: deviceCode.expires_in || 600,
+            interval: deviceCode.interval || 5,
+        };
+    }
+    /**
+     * Polls for token using the device code
+     *
+     * Continuously checks if the user has authorized the device by entering
+     * the user code. Should be called in a loop with appropriate intervals.
+     *
+     * @param deviceCode - The device code received from requestDeviceCode()
+     *
+     * @example
+     * ```typescript
+     * const deviceAuth = await flow.requestDeviceCode();
+     * const pollInterval = deviceAuth.interval * 1000; // Convert to milliseconds
+     *
+     * // Poll until authorized or expired
+     * while (true) {
+     *   try {
+     *     await flow.pollForToken(deviceAuth.device_code);
+     *     console.log('Authorization successful!');
+     *     break;
+     *   } catch (error) {
+     *     if (error.code === 'authorization_pending') {
+     *       console.log('Waiting for user authorization...');
+     *       await new Promise(resolve => setTimeout(resolve, pollInterval));
+     *       continue;
+     *     } else if (error.code === 'slow_down') {
+     *       console.log('Polling too fast, slowing down...');
+     *       await new Promise(resolve => setTimeout(resolve, pollInterval * 2));
+     *       continue;
+     *     }
+     *     throw error; // Other errors are terminal
+     *   }
+     * }
+     * ```
+     *
+     * @throws {AuthError} When token polling fails or device code expires
+     */
+    async pollForToken(deviceCode) {
+        if (this.oauthApi) {
+            try {
+                const response = await this.oauthApi.getTokensApiV1OauthTokenPost({
+                    tokenRequest: {
+                        grantType: "urn:ietf:params:oauth:grant-type:device_code",
+                        deviceCode: deviceCode,
+                        clientId: this.config.clientId,
+                    }
+                });
+                const tokenSet = this.convertTenantTokenResponse(response);
+                await this.storage.setTokens(tokenSet);
+                return;
+            }
+            catch (error) {
+                throw new AuthError("Device token polling failed", ErrorCode.TokenExchangeFailed, error.message || "Tenant SDK request failed");
+            }
+        }
+        // Fallback to base implementation
+        const tokenSet = await this.makeTokenRequest({
+            grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+            device_code: deviceCode,
+            client_id: this.config.clientId,
+        });
+        await this.storage.setTokens(tokenSet);
+    }
+}
+//# sourceMappingURL=device-code.js.map

package/dist/core/src/oauth/flows/device-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-code.js","sourceRoot":"","sources":["../../../../../src/oauth/flows/device-code.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,MAAM,OAAO,cAAe,SAAQ,QAAQ;IAC1C,YAAY,MAAkB,EAAE,OAAqB,EAAE,QAAoB;QACzE,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACnC,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,KAAK,CAAC,iBAAiB;QACrB,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,2CAA2C,CAAC;oBAC/E,0BAA0B,EAAE;wBAC1B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;qBAC/B;iBACF,CAAC,CAAC;gBAEH,OAAO;oBACL,WAAW,EAAE,QAAQ,CAAC,UAAU;oBAChC,SAAS,EAAE,QAAQ,CAAC,QAAQ;oBAC5B,gBAAgB,EAAE,GAAG,IAAI,CAAC,qBAAqB,EAAE,cAAc;oBAC/D,yBAAyB,EAAE,GAAG,IAAI,CAAC,qBAAqB,EAAE,0BAA0B,QAAQ,CAAC,QAAQ,EAAE;oBACvG,UAAU,EAAE,QAAQ,CAAC,SAAS;oBAC9B,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,CAAC;iBACjC,CAAC;YACJ,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBACpB,MAAM,IAAI,SAAS,CACjB,4BAA4B,EAC5B,SAAS,CAAC,mBAAmB,EAC7B,KAAK,CAAC,OAAO,IAAI,2BAA2B,CAC7C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,oCAAoC;QACpC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;YACnC,MAAM,IAAI,SAAS,CACjB,qCAAqC,EACrC,SAAS,CAAC,aAAa,CACxB,CAAC;QACJ,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,kBAAkB,EAAE,oBAAoB,CAAC,CAAC;QAEvG,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,cAAc,EAAE;YAC3C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;aACpD;YACD,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC/B,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;aACzB,CAAC,CAAC,QAAQ,EAAE;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,WAAW,GAAG,4BAA4B,CAAC;YAC/C,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACpC,WAAW,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,iBAAiB,IAAI,KAAK,CAAC,KAAK,IAAI,WAAW,CAAC;YACtF,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,WAAW,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACtC,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,4BAA4B,EAC5B,SAAS,CAAC,mBAAmB,EAC7B,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEzC,IAAI,CAAC,UAAU,CAAC,WAAW,IAAI,CAAC,UAAU,CAAC,SAAS,IAAI,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;YACrF,MAAM,IAAI,SAAS,CACjB,8BAA8B,EAC9B,SAAS,CAAC,mBAAmB,CAC9B,CAAC;QACJ,CAAC;QAED,OAAO;YACL,WAAW,EAAE,UAAU,CAAC,WAAW;YACnC,SAAS,EAAE,UAAU,CAAC,SAAS;YAC/B,gBAAgB,EAAE,UAAU,CAAC,gBAAgB;YAC7C,yBAAyB,EAAE,UAAU,CAAC,yBAAyB;YAC/D,UAAU,EAAE,UAAU,CAAC,UAAU,IAAI,GAAG;YACxC,QAAQ,EAAE,UAAU,CAAC,QAAQ,IAAI,CAAC;SACnC,CAAC;IACJ,CAAC;IAGD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAmCG;IACH,KAAK,CAAC,YAAY,CAAC,UAAkB;QACnC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,4BAA4B,CAAC;oBAChE,YAAY,EAAE;wBACZ,SAAS,EAAE,8CAA8C;wBACzD,UAAU,EAAE,UAAU;wBACtB,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;qBAC/B;iBACF,CAAC,CAAC;gBAEH,MAAM,QAAQ,GAAG,IAAI,CAAC,0BAA0B,CAAC,QAAQ,CAAC,CAAC;gBAC3D,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;gBACvC,OAAO;YACT,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBACpB,MAAM,IAAI,SAAS,CACjB,6BAA6B,EAC7B,SAAS,CAAC,mBAAmB,EAC7B,KAAK,CAAC,OAAO,IAAI,2BAA2B,CAC7C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC;YAC3C,UAAU,EAAE,8CAA8C;YAC1D,WAAW,EAAE,UAAU;YACvB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;SAChC,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;CAEF"}

package/dist/core/src/oauth/flows/refresh-token.d.ts

@@ -0,0 +1,59 @@
+import type { AuthConfig } from "../types";
+import { TokenStorage } from "../storage";
+import { BaseFlow } from "./base-flow";
+import type { OAuth2Api } from "@binoauth/tenant-sdk";
+/**
+ * OAuth 2.0 Refresh Token Flow
+ *
+ * Handles refreshing expired access tokens using refresh tokens.
+ * Implements automatic retry logic and prevents concurrent refresh operations.
+ *
+ * @example
+ * ```typescript
+ * const flow = new RefreshTokenFlow(config, storage, oauthApi);
+ *
+ * // Manual refresh
+ * await flow.refreshTokens();
+ *
+ * // Refresh with specific token
+ * await flow.refreshTokens('existing_refresh_token');
+ *
+ * // The flow automatically handles:
+ * // - Rate limiting
+ * // - Concurrent request prevention
+ * // - Token storage updates
+ * ```
+ */
+export declare class RefreshTokenFlow extends BaseFlow {
+    private refreshPromise;
+    constructor(config: AuthConfig, storage: TokenStorage, oauthApi?: OAuth2Api);
+    /**
+     * Refreshes access tokens using a refresh token
+     *
+     * If no refresh token is provided, it will attempt to use the stored refresh token.
+     * Prevents concurrent refresh operations by reusing in-flight requests.
+     *
+     * @param refreshToken - Optional refresh token to use (uses stored token if not provided)
+     *
+     * @example
+     * ```typescript
+     * // Use stored refresh token
+     * await flow.refreshTokens();
+     *
+     * // Use specific refresh token
+     * await flow.refreshTokens('refresh_token_value');
+     *
+     * // Check if token was refreshed successfully
+     * const accessToken = await storage.getAccessToken();
+     * if (accessToken && !storage.isTokenExpired(accessToken)) {
+     *   console.log('Token refreshed successfully');
+     * }
+     * ```
+     *
+     * @throws {AuthError} When no refresh token is available
+     * @throws {AuthError} When token refresh fails
+     */
+    refreshTokens(refreshToken?: string): Promise<void>;
+    private performTokenRefresh;
+}
+//# sourceMappingURL=refresh-token.d.ts.map

package/dist/core/src/oauth/flows/refresh-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token.d.ts","sourceRoot":"","sources":["../../../../../src/oauth/flows/refresh-token.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE1C,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEtD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,gBAAiB,SAAQ,QAAQ;IAC5C,OAAO,CAAC,cAAc,CAA8B;gBAExC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,CAAC,EAAE,SAAS;IAI3E;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACG,aAAa,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;YAuB3C,mBAAmB;CAyClC"}

package/dist/core/src/oauth/flows/refresh-token.js

@@ -0,0 +1,105 @@
+import { TokenStorage } from "../storage";
+import { AuthError, ErrorCode } from "../error";
+import { BaseFlow } from "./base-flow";
+/**
+ * OAuth 2.0 Refresh Token Flow
+ *
+ * Handles refreshing expired access tokens using refresh tokens.
+ * Implements automatic retry logic and prevents concurrent refresh operations.
+ *
+ * @example
+ * ```typescript
+ * const flow = new RefreshTokenFlow(config, storage, oauthApi);
+ *
+ * // Manual refresh
+ * await flow.refreshTokens();
+ *
+ * // Refresh with specific token
+ * await flow.refreshTokens('existing_refresh_token');
+ *
+ * // The flow automatically handles:
+ * // - Rate limiting
+ * // - Concurrent request prevention
+ * // - Token storage updates
+ * ```
+ */
+export class RefreshTokenFlow extends BaseFlow {
+    refreshPromise = null;
+    constructor(config, storage, oauthApi) {
+        super(config, storage, oauthApi);
+    }
+    /**
+     * Refreshes access tokens using a refresh token
+     *
+     * If no refresh token is provided, it will attempt to use the stored refresh token.
+     * Prevents concurrent refresh operations by reusing in-flight requests.
+     *
+     * @param refreshToken - Optional refresh token to use (uses stored token if not provided)
+     *
+     * @example
+     * ```typescript
+     * // Use stored refresh token
+     * await flow.refreshTokens();
+     *
+     * // Use specific refresh token
+     * await flow.refreshTokens('refresh_token_value');
+     *
+     * // Check if token was refreshed successfully
+     * const accessToken = await storage.getAccessToken();
+     * if (accessToken && !storage.isTokenExpired(accessToken)) {
+     *   console.log('Token refreshed successfully');
+     * }
+     * ```
+     *
+     * @throws {AuthError} When no refresh token is available
+     * @throws {AuthError} When token refresh fails
+     */
+    async refreshTokens(refreshToken) {
+        if (this.refreshPromise) {
+            await this.refreshPromise;
+            return;
+        }
+        const tokenToUse = refreshToken || (await this.storage.getRefreshToken())?.value;
+        if (!tokenToUse) {
+            throw new AuthError("No refresh token available", ErrorCode.MissingRefreshToken);
+        }
+        this.refreshPromise = this.performTokenRefresh(tokenToUse);
+        try {
+            await this.refreshPromise;
+        }
+        finally {
+            this.refreshPromise = null;
+        }
+    }
+    async performTokenRefresh(refreshToken) {
+        if (!refreshToken) {
+            throw new AuthError("No refresh token provided", ErrorCode.MissingRefreshToken);
+        }
+        this.checkRateLimit("refresh", 5, 10 * 60 * 1000);
+        if (this.oauthApi) {
+            try {
+                const response = await this.oauthApi.getTokensApiV1OauthTokenPost({
+                    tokenRequest: {
+                        grantType: "refresh_token",
+                        refreshToken: refreshToken,
+                        clientId: this.config.clientId,
+                    }
+                });
+                const tokenSet = this.convertTenantTokenResponse(response);
+                await this.storage.setTokens(tokenSet);
+                return;
+            }
+            catch (error) {
+                throw new AuthError("Token refresh failed", ErrorCode.TokenRefreshFailed, error.message || "Tenant SDK request failed");
+            }
+        }
+        // Fallback to manual implementation
+        const tokenSet = await this.makeTokenRequest({
+            grant_type: "refresh_token",
+            refresh_token: refreshToken,
+            client_id: this.config.clientId,
+        });
+        await this.storage.setTokens(tokenSet);
+    }
+}
+//# sourceMappingURL=refresh-token.js.map

package/dist/core/src/oauth/flows/refresh-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token.js","sourceRoot":"","sources":["../../../../../src/oauth/flows/refresh-token.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,OAAO,gBAAiB,SAAQ,QAAQ;IACpC,cAAc,GAAyB,IAAI,CAAC;IAEpD,YAAY,MAAkB,EAAE,OAAqB,EAAE,QAAoB;QACzE,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACnC,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACH,KAAK,CAAC,aAAa,CAAC,YAAqB;QACvC,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,cAAc,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,MAAM,UAAU,GAAG,YAAY,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC,EAAE,KAAK,CAAC;QACjF,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CACjB,4BAA4B,EAC5B,SAAS,CAAC,mBAAmB,CAC9B,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;QAE3D,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,cAAc,CAAC;QAC5B,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAAC,YAAoB;QACpD,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,SAAS,CACjB,2BAA2B,EAC3B,SAAS,CAAC,mBAAmB,CAC9B,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAElD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,4BAA4B,CAAC;oBAChE,YAAY,EAAE;wBACZ,SAAS,EAAE,eAAe;wBAC1B,YAAY,EAAE,YAAY;wBAC1B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;qBAC/B;iBACF,CAAC,CAAC;gBAEH,MAAM,QAAQ,GAAG,IAAI,CAAC,0BAA0B,CAAC,QAAQ,CAAC,CAAC;gBAC3D,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;gBACvC,OAAO;YACT,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBACpB,MAAM,IAAI,SAAS,CACjB,sBAAsB,EACtB,SAAS,CAAC,kBAAkB,EAC5B,KAAK,CAAC,OAAO,IAAI,2BAA2B,CAC7C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,oCAAoC;QACpC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC;YAC3C,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,YAAY;YAC3B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;SAChC,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;CACF"}

package/dist/core/src/oauth/index.d.ts

@@ -0,0 +1,12 @@
+export * from "./types";
+export * from "./error";
+export * from "./utils";
+export { TokenStorage } from "./storage";
+export { BinoAuthOAuth } from "./client";
+export { AuthorizationCodeFlow } from "./flows/authorization-code";
+export { RefreshTokenFlow } from "./flows/refresh-token";
+export { DeviceCodeFlow } from "./flows/device-code";
+export { ClientCredentialsFlow } from "./flows/client-credentials";
+export type { BinoAuthConfig } from "./types";
+export { createAuthConfigFromIssuer } from "./types";
+//# sourceMappingURL=index.d.ts.map

package/dist/core/src/oauth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/oauth/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,cAAc,SAAS,CAAC;AACxB,cAAc,SAAS,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAE,0BAA0B,EAAE,MAAM,SAAS,CAAC"}

package/dist/core/src/oauth/index.js

@@ -0,0 +1,11 @@
+export * from "./types";
+export * from "./error";
+export * from "./utils";
+export { TokenStorage } from "./storage";
+export { BinoAuthOAuth } from "./client";
+export { AuthorizationCodeFlow } from "./flows/authorization-code";
+export { RefreshTokenFlow } from "./flows/refresh-token";
+export { DeviceCodeFlow } from "./flows/device-code";
+export { ClientCredentialsFlow } from "./flows/client-credentials";
+export { createAuthConfigFromIssuer } from "./types";
+//# sourceMappingURL=index.js.map

package/dist/core/src/oauth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/oauth/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,cAAc,SAAS,CAAC;AACxB,cAAc,SAAS,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EAAE,0BAA0B,EAAE,MAAM,SAAS,CAAC"}

package/dist/core/src/oauth/storage/encryption.d.ts

@@ -0,0 +1,12 @@
+export declare class Encryptor {
+    private key;
+    private crypto;
+    initialize(key: string): Promise<void>;
+    private hashKey;
+    private importKey;
+    encrypt(data: string): Promise<string>;
+    decrypt(encryptedData: string): Promise<string>;
+    private base64Encode;
+    private base64Decode;
+}
+//# sourceMappingURL=encryption.d.ts.map

package/dist/core/src/oauth/storage/encryption.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption.d.ts","sourceRoot":"","sources":["../../../../../src/oauth/storage/encryption.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAS;IACpB,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,MAAM,CAAkD;IAEnD,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;YAqCrC,OAAO;YAMP,SAAS;IAWjB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IActC,OAAO,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAgBrD,OAAO,CAAC,YAAY;IAOpB,OAAO,CAAC,YAAY;CAUrB"}

package/dist/core/src/oauth/storage/encryption.js

@@ -0,0 +1,76 @@
+export class Encryptor {
+    key = null;
+    crypto = null;
+    async initialize(key) {
+        if (typeof globalThis !== "undefined" && globalThis.crypto) {
+            this.crypto = globalThis.crypto;
+        }
+        else if (typeof window !== "undefined" && window.crypto) {
+            this.crypto = window.crypto;
+        }
+        else {
+            try {
+                const nodeCrypto = await import("crypto");
+                this.crypto = nodeCrypto.webcrypto;
+            }
+            catch (error) {
+                throw new Error("Crypto API is not available in this environment. Cannot initialize encryption.");
+            }
+        }
+        if (!this.crypto) {
+            throw new Error("Crypto API initialization failed.");
+        }
+        if (!this.crypto.subtle) {
+            throw new Error("crypto.subtle is not available. Cannot perform encryption operations.");
+        }
+        if (!this.crypto.getRandomValues) {
+            throw new Error("crypto.getRandomValues is not available. Cannot generate secure random values for encryption.");
+        }
+        const encoder = new TextEncoder();
+        const hash = await this.hashKey(encoder.encode(key));
+        this.key = await this.importKey(hash);
+    }
+    async hashKey(keyData) {
+        if (!this.crypto)
+            throw new Error("Encryptor not initialized");
+        const hashBuffer = await this.crypto.subtle.digest("SHA-256", keyData);
+        return new Uint8Array(hashBuffer);
+    }
+    async importKey(keyData) {
+        if (!this.crypto)
+            throw new Error("Encryptor not initialized");
+        return this.crypto.subtle.importKey("raw", keyData, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
+    }
+    async encrypt(data) {
+        if (!this.key || !this.crypto)
+            throw new Error("Encryptor not initialized");
+        const iv = this.crypto.getRandomValues(new Uint8Array(12));
+        const encryptedData = await this.crypto.subtle.encrypt({ name: "AES-GCM", iv }, this.key, new TextEncoder().encode(data));
+        const combined = new Uint8Array([...iv, ...new Uint8Array(encryptedData)]);
+        return this.base64Encode(combined);
+    }
+    async decrypt(encryptedData) {
+        if (!this.key || !this.crypto)
+            throw new Error("Encryptor not initialized");
+        const combined = this.base64Decode(encryptedData);
+        const iv = combined.slice(0, 12);
+        const data = combined.slice(12);
+        const decrypted = await this.crypto.subtle.decrypt({ name: "AES-GCM", iv }, this.key, data);
+        return new TextDecoder().decode(decrypted);
+    }
+    base64Encode(buffer) {
+        if (typeof Buffer !== "undefined") {
+            return Buffer.from(buffer).toString("base64");
+        }
+        return btoa(String.fromCharCode(...buffer));
+    }
+    base64Decode(base64) {
+        if (typeof Buffer !== "undefined") {
+            return Buffer.from(base64, "base64");
+        }
+        return new Uint8Array(atob(base64)
+            .split("")
+            .map((c) => c.charCodeAt(0)));
+    }
+}
+//# sourceMappingURL=encryption.js.map

package/dist/core/src/oauth/storage/encryption.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../../../../src/oauth/storage/encryption.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,SAAS;IACZ,GAAG,GAAqB,IAAI,CAAC;IAC7B,MAAM,GAA6C,IAAI,CAAC;IAEzD,KAAK,CAAC,UAAU,CAAC,GAAW;QACjC,IAAI,OAAO,UAAU,KAAK,WAAW,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;YAC3D,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;QAClC,CAAC;aAAM,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAC1D,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;gBAC1C,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,SAA8B,CAAC;YAC1D,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CACb,gFAAgF,CACjF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CACb,uEAAuE,CACxE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CACb,+FAA+F,CAChG,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACrD,IAAI,CAAC,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IAEO,KAAK,CAAC,OAAO,CAAC,OAAmB;QACvC,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/D,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACvE,OAAO,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IACpC,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,OAAqB;QAC3C,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CACjC,KAAK,EACL,OAAO,EACP,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,IAAY;QACxB,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAE5E,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CACpD,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EACvB,IAAI,CAAC,GAAG,EACR,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAC/B,CAAC;QAEF,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QAC3E,OAAO,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,aAAqB;QACjC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAE5E,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;QAClD,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAEhC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAChD,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EACvB,IAAI,CAAC,GAAG,EACR,IAAI,CACL,CAAC;QAEF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC7C,CAAC;IAEO,YAAY,CAAC,MAAkB;QACrC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC;IAC9C,CAAC;IAEO,YAAY,CAAC,MAAc;QACjC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,IAAI,UAAU,CACnB,IAAI,CAAC,MAAM,CAAC;aACT,KAAK,CAAC,EAAE,CAAC;aACT,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAC/B,CAAC;IACJ,CAAC;CACF"}