couchloop-eq-mcp 1.0.0

package/dist/server/oauth/dpop.js

@@ -0,0 +1,338 @@
+import { createHash, generateKeyPairSync } from 'crypto';
+import { SignJWT, jwtVerify, importJWK, exportJWK } from 'jose';
+import { logger } from '../../utils/logger.js';
+/**
+ * DPoP Manager for Demonstration of Proof of Possession
+ * Implements sender-constrained tokens to prevent token theft
+ * Based on OAuth 2.0 DPoP draft specification
+ */
+export class DPoPManager {
+    jtiCache = new Map();
+    nonceCache = new Map();
+    JTI_TTL = 3600000; // 1 hour
+    NONCE_TTL = 600000; // 10 minutes
+    MAX_TIME_SKEW = 300; // 5 minutes in seconds
+    /**
+     * Generate a DPoP key pair for client
+     */
+    generateKeyPair(algorithm = 'ES256') {
+        let keyPair;
+        if (algorithm === 'RS256') {
+            keyPair = generateKeyPairSync('rsa', {
+                modulusLength: 2048,
+                publicKeyEncoding: { type: 'spki', format: 'pem' },
+                privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+            });
+        }
+        else {
+            keyPair = generateKeyPairSync('ec', {
+                namedCurve: 'P-256',
+                publicKeyEncoding: { type: 'spki', format: 'pem' },
+                privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+            });
+        }
+        const publicKey = keyPair.publicKey;
+        const privateKey = keyPair.privateKey;
+        logger.info(`Generated DPoP ${algorithm} key pair`);
+        return {
+            publicKey,
+            privateKey,
+            jwk: {} // Would need to convert to JWK format
+        };
+    }
+    /**
+     * Create a DPoP proof JWT
+     */
+    async createDPoPProof(privateKey, httpMethod, httpUri, options) {
+        const algorithm = options?.algorithm || 'ES256';
+        const jti = this.generateJti();
+        const now = Math.floor(Date.now() / 1000);
+        // Create JWK from public key
+        const jwk = await exportJWK(privateKey);
+        const payload = {
+            jti,
+            htm: httpMethod.toUpperCase(),
+            htu: this.normalizeUri(httpUri),
+            iat: now,
+        };
+        // Add access token hash if provided
+        if (options?.accessToken) {
+            payload.ath = await this.hashToken(options.accessToken);
+        }
+        // Add nonce if provided
+        if (options?.nonce) {
+            payload.nonce = options.nonce;
+        }
+        // Create the proof JWT
+        const proof = await new SignJWT(payload)
+            .setProtectedHeader({
+            typ: 'dpop+jwt',
+            alg: algorithm,
+            jwk,
+        })
+            .sign(privateKey);
+        logger.debug(`Created DPoP proof for ${httpMethod} ${httpUri}`);
+        return proof;
+    }
+    /**
+     * Validate a DPoP proof
+     */
+    async validateDPoPProof(dpopProof, httpMethod, httpUri, options) {
+        try {
+            // Parse the JWT header to get the public key
+            const [headerB64] = dpopProof.split('.');
+            const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString());
+            if (header.typ !== 'dpop+jwt') {
+                return { valid: false, error: 'Invalid typ header' };
+            }
+            if (!header.jwk) {
+                return { valid: false, error: 'Missing jwk in header' };
+            }
+            // Import the public key from JWK
+            const publicKey = await importJWK(header.jwk, header.alg);
+            // Verify the signature
+            const { payload } = await jwtVerify(dpopProof, publicKey, {
+                algorithms: [header.alg],
+            });
+            const claims = payload;
+            // Validate HTTP method
+            if (claims.htm !== httpMethod.toUpperCase()) {
+                return { valid: false, error: `HTTP method mismatch: expected ${httpMethod}, got ${claims.htm}` };
+            }
+            // Validate HTTP URI
+            if (claims.htu !== this.normalizeUri(httpUri)) {
+                return { valid: false, error: `HTTP URI mismatch` };
+            }
+            // Check time window (prevent replay)
+            const now = Math.floor(Date.now() / 1000);
+            if (Math.abs(now - claims.iat) > this.MAX_TIME_SKEW) {
+                return { valid: false, error: 'DPoP proof too old or from future' };
+            }
+            // Check JTI uniqueness (prevent replay)
+            if (await this.isJtiUsed(claims.jti)) {
+                return { valid: false, error: 'DPoP proof jti already used (replay attack)' };
+            }
+            // Validate access token binding if provided
+            if (options?.accessToken) {
+                const expectedAth = await this.hashToken(options.accessToken);
+                if (claims.ath !== expectedAth) {
+                    return { valid: false, error: 'Access token hash mismatch' };
+                }
+            }
+            else if (claims.ath) {
+                return { valid: false, error: 'Unexpected access token hash in proof' };
+            }
+            // Validate nonce if required
+            if (options?.requireNonce || options?.expectedNonce) {
+                if (!claims.nonce) {
+                    return { valid: false, error: 'Missing required nonce' };
+                }
+                if (options.expectedNonce && claims.nonce !== options.expectedNonce) {
+                    return { valid: false, error: 'Nonce mismatch' };
+                }
+                if (!await this.validateNonce(claims.nonce)) {
+                    return { valid: false, error: 'Invalid or expired nonce' };
+                }
+            }
+            // Store JTI to prevent replay
+            await this.storeJti(claims.jti);
+            // Calculate JWK thumbprint for token binding
+            const jkt = await this.calculateJwkThumbprint(header.jwk);
+            logger.info(`DPoP proof validated successfully`);
+            return { valid: true, jkt };
+        }
+        catch (error) {
+            logger.error('DPoP validation error:', error);
+            return { valid: false, error: 'DPoP validation failed' };
+        }
+    }
+    /**
+     * Generate a server nonce for enhanced security
+     */
+    generateNonce() {
+        const nonce = Buffer.from(crypto.randomUUID()).toString('base64url');
+        const expires = Date.now() + this.NONCE_TTL;
+        this.nonceCache.set(nonce, expires);
+        this.cleanupExpiredNonces();
+        logger.debug('Generated DPoP nonce');
+        return nonce;
+    }
+    /**
+     * Validate a nonce
+     */
+    async validateNonce(nonce) {
+        const expires = this.nonceCache.get(nonce);
+        if (!expires) {
+            return false;
+        }
+        if (Date.now() > expires) {
+            this.nonceCache.delete(nonce);
+            return false;
+        }
+        // Nonce is valid, remove it (single use)
+        this.nonceCache.delete(nonce);
+        return true;
+    }
+    /**
+     * Bind an access token to a DPoP key
+     */
+    createDPoPBoundToken(token, jkt) {
+        return {
+            ...token,
+            cnf: {
+                jkt, // JWK thumbprint
+            },
+            token_type: 'DPoP', // Instead of 'Bearer'
+        };
+    }
+    /**
+     * Validate that a token is bound to the correct DPoP key
+     */
+    validateTokenBinding(token, dpopJkt) {
+        if (!token.cnf?.jkt) {
+            logger.warn('Token missing DPoP binding');
+            return false;
+        }
+        if (token.cnf.jkt !== dpopJkt) {
+            logger.warn('DPoP key mismatch');
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Hash a token for the 'ath' claim
+     */
+    async hashToken(token) {
+        const hash = createHash('sha256')
+            .update(token, 'ascii')
+            .digest('base64url');
+        return hash;
+    }
+    /**
+     * Calculate JWK thumbprint (RFC 7638)
+     */
+    async calculateJwkThumbprint(jwk) {
+        // Create canonical JSON representation
+        const canonical = {};
+        // Required members in lexicographic order
+        if (jwk.kty === 'RSA') {
+            canonical.e = jwk.e;
+            canonical.kty = jwk.kty;
+            canonical.n = jwk.n;
+        }
+        else if (jwk.kty === 'EC') {
+            canonical.crv = jwk.crv;
+            canonical.kty = jwk.kty;
+            canonical.x = jwk.x;
+            canonical.y = jwk.y;
+        }
+        const json = JSON.stringify(canonical);
+        const hash = createHash('sha256')
+            .update(json, 'utf8')
+            .digest('base64url');
+        return hash;
+    }
+    /**
+     * Normalize URI for comparison
+     */
+    normalizeUri(uri) {
+        const url = new URL(uri);
+        // Remove fragment, normalize path
+        return `${url.protocol}//${url.host}${url.pathname}${url.search}`;
+    }
+    /**
+     * Generate unique JTI
+     */
+    generateJti() {
+        return crypto.randomUUID();
+    }
+    /**
+     * Check if JTI has been used
+     */
+    async isJtiUsed(jti) {
+        return this.jtiCache.has(jti);
+    }
+    /**
+     * Store JTI to prevent replay
+     */
+    async storeJti(jti) {
+        const expires = Date.now() + this.JTI_TTL;
+        this.jtiCache.set(jti, expires);
+        this.cleanupExpiredJtis();
+    }
+    /**
+     * Clean up expired JTIs
+     */
+    cleanupExpiredJtis() {
+        const now = Date.now();
+        for (const [jti, expires] of this.jtiCache.entries()) {
+            if (now > expires) {
+                this.jtiCache.delete(jti);
+            }
+        }
+    }
+    /**
+     * Clean up expired nonces
+     */
+    cleanupExpiredNonces() {
+        const now = Date.now();
+        for (const [nonce, expires] of this.nonceCache.entries()) {
+            if (now > expires) {
+                this.nonceCache.delete(nonce);
+            }
+        }
+    }
+    /**
+     * Middleware for Express to validate DPoP proofs
+     */
+    middleware(options) {
+        return async (req, res, next) => {
+            const dpopHeader = req.headers['dpop'];
+            if (!dpopHeader) {
+                if (options?.requireDPoP) {
+                    return res.status(401).json({ error: 'DPoP proof required' });
+                }
+                return next();
+            }
+            // Get access token from Authorization header
+            const authHeader = req.headers['authorization'];
+            const accessToken = authHeader?.replace(/^DPoP /, '');
+            // Validate DPoP proof
+            const validation = await this.validateDPoPProof(dpopHeader, req.method, `${req.protocol}://${req.get('host')}${req.originalUrl}`, {
+                accessToken,
+                expectedNonce: req.headers['dpop-nonce'],
+                requireNonce: options?.requireNonce,
+            });
+            if (!validation.valid) {
+                logger.warn(`DPoP validation failed: ${validation.error}`);
+                // If nonce is required, send one in response
+                if (validation.error?.includes('nonce')) {
+                    const nonce = this.generateNonce();
+                    res.setHeader('DPoP-Nonce', nonce);
+                }
+                return res.status(401).json({
+                    error: 'Invalid DPoP proof',
+                    detail: validation.error
+                });
+            }
+            // Add JKT to request for token binding validation
+            req.dpopJkt = validation.jkt;
+            next();
+        };
+    }
+    /**
+     * Get statistics about DPoP usage
+     */
+    getStats() {
+        this.cleanupExpiredJtis();
+        this.cleanupExpiredNonces();
+        return {
+            activeJtis: this.jtiCache.size,
+            activeNonces: this.nonceCache.size,
+            totalValidations: 0, // Would need to track this
+        };
+    }
+}
+// Export singleton instance
+export const dpopManager = new DPoPManager();
+//# sourceMappingURL=dpop.js.map

package/dist/server/oauth/dpop.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.js","sourceRoot":"","sources":["../../../src/server/oauth/dpop.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAA2B,MAAM,QAAQ,CAAC;AAClF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAO,SAAS,EAAE,MAAM,MAAM,CAAC;AACrE,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAiC/C;;;;GAIG;AACH,MAAM,OAAO,WAAW;IACL,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;IACrC,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,OAAO,GAAG,OAAO,CAAC,CAAC,SAAS;IAC5B,SAAS,GAAG,MAAM,CAAC,CAAC,aAAa;IACjC,aAAa,GAAG,GAAG,CAAC,CAAC,uBAAuB;IAE7D;;OAEG;IACH,eAAe,CAAC,YAA+B,OAAO;QAKpD,IAAI,OAAO,CAAC;QAEZ,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC1B,OAAO,GAAG,mBAAmB,CAAC,KAAK,EAAE;gBACnC,aAAa,EAAE,IAAI;gBACnB,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;gBAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;aACrD,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,mBAAmB,CAAC,IAAI,EAAE;gBAClC,UAAU,EAAE,OAAO;gBACnB,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;gBAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;aACrD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,SAAiC,CAAC;QAC5D,MAAM,UAAU,GAAG,OAAO,CAAC,UAAkC,CAAC;QAE9D,MAAM,CAAC,IAAI,CAAC,kBAAkB,SAAS,WAAW,CAAC,CAAC;QAEpD,OAAO;YACL,SAAS;YACT,UAAU;YACV,GAAG,EAAE,EAAS,CAAC,sCAAsC;SACtD,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,UAAqB,EACrB,UAAkB,EAClB,OAAe,EACf,OAIC;QAED,MAAM,SAAS,GAAG,OAAO,EAAE,SAAS,IAAI,OAAO,CAAC;QAChD,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1C,6BAA6B;QAC7B,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,UAAU,CAAC,CAAC;QAExC,MAAM,OAAO,GAAgB;YAC3B,GAAG;YACH,GAAG,EAAE,UAAU,CAAC,WAAW,EAAE;YAC7B,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC;YAC/B,GAAG,EAAE,GAAG;SACT,CAAC;QAEF,oCAAoC;QACpC,IAAI,OAAO,EAAE,WAAW,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QAC1D,CAAC;QAED,wBAAwB;QACxB,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAChC,CAAC;QAED,uBAAuB;QACvB,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC;aACrC,kBAAkB,CAAC;YAClB,GAAG,EAAE,UAAU;YACf,GAAG,EAAE,SAAS;YACd,GAAG;SACJ,CAAC;aACD,IAAI,CAAC,UAAU,CAAC,CAAC;QAEpB,MAAM,CAAC,KAAK,CAAC,0BAA0B,UAAU,IAAI,OAAO,EAAE,CAAC,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB,CACrB,SAAiB,EACjB,UAAkB,EAClB,OAAe,EACf,OAIC;QAED,IAAI,CAAC;YACH,6CAA6C;YAC7C,MAAM,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACzC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;YAE1E,IAAI,MAAM,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACvD,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;YAC1D,CAAC;YAED,iCAAiC;YACjC,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;YAE1D,uBAAuB;YACvB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,SAAS,EAAE,SAAS,EAAE;gBACxD,UAAU,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC;aACzB,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,OAAiC,CAAC;YAEjD,uBAAuB;YACvB,IAAI,MAAM,CAAC,GAAG,KAAK,UAAU,CAAC,WAAW,EAAE,EAAE,CAAC;gBAC5C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,kCAAkC,UAAU,SAAS,MAAM,CAAC,GAAG,EAAE,EAAE,CAAC;YACpG,CAAC;YAED,oBAAoB;YACpB,IAAI,MAAM,CAAC,GAAG,KAAK,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;YACtD,CAAC;YAED,qCAAqC;YACrC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;gBACpD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;YACtE,CAAC;YAED,wCAAwC;YACxC,IAAI,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,6CAA6C,EAAE,CAAC;YAChF,CAAC;YAED,4CAA4C;YAC5C,IAAI,OAAO,EAAE,WAAW,EAAE,CAAC;gBACzB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;gBAC9D,IAAI,MAAM,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;oBAC/B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;gBAC/D,CAAC;YACH,CAAC;iBAAM,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;gBACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,uCAAuC,EAAE,CAAC;YAC1E,CAAC;YAED,6BAA6B;YAC7B,IAAI,OAAO,EAAE,YAAY,IAAI,OAAO,EAAE,aAAa,EAAE,CAAC;gBACpD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;oBAClB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC;gBAC3D,CAAC;gBACD,IAAI,OAAO,CAAC,aAAa,IAAI,MAAM,CAAC,KAAK,KAAK,OAAO,CAAC,aAAa,EAAE,CAAC;oBACpE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC;gBACnD,CAAC;gBACD,IAAI,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC5C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC;gBAC7D,CAAC;YACH,CAAC;YAED,8BAA8B;YAC9B,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAEhC,6CAA6C;YAC7C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAE1D,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;YACjD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;QAE9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAC;YAC9C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;OAEG;IACH,aAAa;QACX,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACrE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC;QAE5C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACpC,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAE5B,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACrC,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAE3C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9B,OAAO,KAAK,CAAC;QACf,CAAC;QAED,yCAAyC;QACzC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,oBAAoB,CAClB,KAAU,EACV,GAAW;QAEX,OAAO;YACL,GAAG,KAAK;YACR,GAAG,EAAE;gBACH,GAAG,EAAE,iBAAiB;aACvB;YACD,UAAU,EAAE,MAAM,EAAE,sBAAsB;SAC3C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,oBAAoB,CAClB,KAAU,EACV,OAAe;QAEf,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;YACpB,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;YAC1C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,KAAK,CAAC,GAAG,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;YACjC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,KAAa;QACnC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC;aAC9B,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC;aACtB,MAAM,CAAC,WAAW,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,sBAAsB,CAAC,GAAQ;QAC3C,uCAAuC;QACvC,MAAM,SAAS,GAAQ,EAAE,CAAC;QAE1B,0CAA0C;QAC1C,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;YACtB,SAAS,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;YACpB,SAAS,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;YACxB,SAAS,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QACtB,CAAC;aAAM,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;YAC5B,SAAS,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;YACxB,SAAS,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;YACxB,SAAS,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;YACpB,SAAS,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QACtB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC;aAC9B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC;aACpB,MAAM,CAAC,WAAW,CAAC,CAAC;QAEvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,GAAW;QAC9B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACzB,kCAAkC;QAClC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;IACpE,CAAC;IAED;;OAEG;IACK,WAAW;QACjB,OAAO,MAAM,CAAC,UAAU,EAAE,CAAC;IAC7B,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,GAAW;QACjC,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,QAAQ,CAAC,GAAW;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAC1C,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAChC,IAAI,CAAC,kBAAkB,EAAE,CAAC;IAC5B,CAAC;IAED;;OAEG;IACK,kBAAkB;QACxB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;YACrD,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC;gBAClB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACK,oBAAoB;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;YACzD,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC;gBAClB,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,OAA2D;QACpE,OAAO,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;YAC7C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAEvC,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,IAAI,OAAO,EAAE,WAAW,EAAE,CAAC;oBACzB,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC;gBAChE,CAAC;gBACD,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YAED,6CAA6C;YAC7C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;YAChD,MAAM,WAAW,GAAG,UAAU,EAAE,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YAEtD,sBAAsB;YACtB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAC7C,UAAU,EACV,GAAG,CAAC,MAAM,EACV,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,WAAW,EAAE,EACxD;gBACE,WAAW;gBACX,aAAa,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC;gBACxC,YAAY,EAAE,OAAO,EAAE,YAAY;aACpC,CACF,CAAC;YAEF,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBACtB,MAAM,CAAC,IAAI,CAAC,2BAA2B,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;gBAE3D,6CAA6C;gBAC7C,IAAI,UAAU,CAAC,KAAK,EAAE,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;oBACxC,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnC,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;gBACrC,CAAC;gBAED,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,oBAAoB;oBAC3B,MAAM,EAAE,UAAU,CAAC,KAAK;iBACzB,CAAC,CAAC;YACL,CAAC;YAED,kDAAkD;YAClD,GAAG,CAAC,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC;YAE7B,IAAI,EAAE,CAAC;QACT,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,QAAQ;QAKN,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAE5B,OAAO;YACL,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YAC9B,YAAY,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI;YAClC,gBAAgB,EAAE,CAAC,EAAE,2BAA2B;SACjD,CAAC;IACJ,CAAC;CACF;AAED,4BAA4B;AAC5B,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC"}

package/dist/server/oauth/gdpr/consent.d.ts

@@ -0,0 +1,173 @@
+/**
+ * Consent types as per GDPR Article 6
+ */
+export declare enum ConsentType {
+    NECESSARY = "necessary",// Contract fulfillment
+    LEGITIMATE_INTEREST = "legitimate",// Legitimate business interest
+    CONSENT = "consent",// Explicit user consent
+    LEGAL_OBLIGATION = "legal",// Legal requirement
+    VITAL_INTERESTS = "vital",// Protect vital interests
+    PUBLIC_TASK = "public"
+}
+/**
+ * Processing purposes requiring consent
+ */
+export declare enum ProcessingPurpose {
+    AUTHENTICATION = "authentication",
+    PROFILE_DATA = "profile_data",
+    ANALYTICS = "analytics",
+    MARKETING = "marketing",
+    THIRD_PARTY_SHARING = "third_party",
+    DATA_RETENTION = "data_retention",
+    COOKIES = "cookies",
+    LOCATION = "location",
+    BIOMETRIC = "biometric",
+    HEALTH_DATA = "health_data"
+}
+/**
+ * Consent record structure
+ */
+export interface ConsentRecord {
+    id: string;
+    userId: string;
+    purpose: ProcessingPurpose;
+    lawfulBasis: ConsentType;
+    granted: boolean;
+    grantedAt?: Date;
+    revokedAt?: Date;
+    expiresAt?: Date;
+    version: string;
+    ipAddress?: string;
+    userAgent?: string;
+    parentalConsent?: boolean;
+    metadata?: {
+        consentText: string;
+        privacyPolicyVersion: string;
+        termsVersion: string;
+        language: string;
+        channel: 'web' | 'mobile' | 'api';
+    };
+}
+/**
+ * Consent preferences
+ */
+export interface ConsentPreferences {
+    userId: string;
+    consents: Map<ProcessingPurpose, ConsentRecord>;
+    globalOptOut: boolean;
+    communicationPreferences: {
+        email: boolean;
+        sms: boolean;
+        push: boolean;
+        phone: boolean;
+    };
+    dataRetentionPeriod?: number;
+    lastUpdated: Date;
+}
+/**
+ * GDPR Consent Manager
+ * Manages user consent per GDPR Articles 6, 7, and 8
+ */
+export declare class ConsentManager {
+    private readonly CONSENT_VERSION;
+    private readonly PRIVACY_POLICY_VERSION;
+    private readonly MINIMUM_AGE_EU;
+    private readonly MINIMUM_AGE_US;
+    private readonly CONSENT_EXPIRY_DAYS;
+    private consentCache;
+    private readonly CACHE_TTL;
+    /**
+     * Record user consent
+     */
+    recordConsent(userId: string, purpose: ProcessingPurpose, granted: boolean, options?: {
+        ipAddress?: string;
+        userAgent?: string;
+        parentalConsent?: boolean;
+        expiryDays?: number;
+        metadata?: ConsentRecord['metadata'];
+    }): Promise<ConsentRecord>;
+    /**
+     * Bulk consent update
+     */
+    updateBulkConsent(userId: string, consents: Map<ProcessingPurpose, boolean>, context?: {
+        ipAddress?: string;
+        userAgent?: string;
+    }): Promise<ConsentPreferences>;
+    /**
+     * Check if user has valid consent for purpose
+     */
+    hasValidConsent(userId: string, purpose: ProcessingPurpose): Promise<boolean>;
+    /**
+     * Get all user consents
+     */
+    getUserConsents(userId: string): Promise<ConsentPreferences>;
+    /**
+     * Withdraw consent
+     */
+    withdrawConsent(userId: string, purpose: ProcessingPurpose, reason?: string): Promise<void>;
+    /**
+     * Withdraw all consents (global opt-out)
+     */
+    withdrawAllConsents(userId: string): Promise<void>;
+    /**
+     * Check parental consent requirement
+     */
+    requiresParentalConsent(birthDate: Date, country: string): Promise<boolean>;
+    /**
+     * Verify parental consent
+     */
+    verifyParentalConsent(childUserId: string, parentEmail: string, verificationCode: string): Promise<boolean>;
+    /**
+     * Generate consent request for special category data
+     */
+    requestSpecialCategoryConsent(userId: string, dataTypes: string[], justification: string): Promise<string>;
+    /**
+     * Export consent history for data portability
+     */
+    exportConsentHistory(userId: string): Promise<{
+        consents: ConsentRecord[];
+        preferences: ConsentPreferences;
+        exportDate: Date;
+    }>;
+    /**
+     * Check consent validity
+     */
+    private isConsentValid;
+    /**
+     * Determine lawful basis for processing purpose
+     */
+    private determineLawfulBasis;
+    /**
+     * Get consent text for purpose
+     */
+    private getConsentText;
+    /**
+     * Check if purpose requires confirmation
+     */
+    private requiresConfirmation;
+    /**
+     * Check if withdrawal requires data deletion
+     */
+    private requiresDataDeletion;
+    /**
+     * Generate consent ID
+     */
+    private generateConsentId;
+    /**
+     * Calculate age from birthdate
+     */
+    private calculateAge;
+    /**
+     * Check if country is in EU
+     */
+    private isEUCountry;
+    private storeConsentRecord;
+    private loadUserConsents;
+    private loadAllUserConsentHistory;
+    private storeSpecialConsentRequest;
+    private checkParentalVerification;
+    private triggerDataDeletion;
+    private sendConsentConfirmation;
+}
+export declare const consentManager: ConsentManager;
+//# sourceMappingURL=consent.d.ts.map

package/dist/server/oauth/gdpr/consent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent.d.ts","sourceRoot":"","sources":["../../../../src/server/oauth/gdpr/consent.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,oBAAY,WAAW;IAErB,SAAS,cAAc,CAAY,uBAAuB;IAC1D,mBAAmB,eAAe,CAAE,+BAA+B;IACnE,OAAO,YAAY,CAAgB,wBAAwB;IAC3D,gBAAgB,UAAU,CAAS,oBAAoB;IACvD,eAAe,UAAU,CAAU,0BAA0B;IAC7D,WAAW,WAAW;CACvB;AAED;;GAEG;AACH,oBAAY,iBAAiB;IAC3B,cAAc,mBAAmB;IACjC,YAAY,iBAAiB;IAC7B,SAAS,cAAc;IACvB,SAAS,cAAc;IACvB,mBAAmB,gBAAgB;IACnC,cAAc,mBAAmB;IACjC,OAAO,YAAY;IACnB,QAAQ,aAAa;IACrB,SAAS,cAAc;IACvB,WAAW,gBAAgB;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,iBAAiB,CAAC;IAC3B,WAAW,EAAE,WAAW,CAAC;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,EAAE;QACT,WAAW,EAAE,MAAM,CAAC;QACpB,oBAAoB,EAAE,MAAM,CAAC;QAC7B,YAAY,EAAE,MAAM,CAAC;QACrB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,KAAK,GAAG,QAAQ,GAAG,KAAK,CAAC;KACnC,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,GAAG,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAChD,YAAY,EAAE,OAAO,CAAC;IACtB,wBAAwB,EAAE;QACxB,KAAK,EAAE,OAAO,CAAC;QACf,GAAG,EAAE,OAAO,CAAC;QACb,IAAI,EAAE,OAAO,CAAC;QACd,KAAK,EAAE,OAAO,CAAC;KAChB,CAAC;IACF,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,WAAW,EAAE,IAAI,CAAC;CACnB;AAED;;;GAGG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAW;IAC3C,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAW;IAClD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAM;IACrC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAM;IACrC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAO;IAG3C,OAAO,CAAC,YAAY,CAAyC;IAC7D,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAU;IAEpC;;OAEG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,iBAAiB,EAC1B,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE;QACR,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;KACtC,GACA,OAAO,CAAC,aAAa,CAAC;IA6CzB;;OAEG;IACG,iBAAiB,CACrB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,EACzC,OAAO,CAAC,EAAE;QACR,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACA,OAAO,CAAC,kBAAkB,CAAC;IAW9B;;OAEG;IACG,eAAe,CACnB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,OAAO,CAAC;IA4BnB;;OAEG;IACG,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA6BlE;;OAEG;IACG,eAAe,CACnB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,iBAAiB,EAC1B,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAmBhB;;OAEG;IACG,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAaxD;;OAEG;IACG,uBAAuB,CAC3B,SAAS,EAAE,IAAI,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC;IAiBnB;;OAEG;IACG,qBAAqB,CACzB,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,MAAM,EACnB,gBAAgB,EAAE,MAAM,GACvB,OAAO,CAAC,OAAO,CAAC;IAyBnB;;OAEG;IACG,6BAA6B,CACjC,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EAAE,EACnB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC;IAsBlB;;OAEG;IACG,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QAClD,QAAQ,EAAE,aAAa,EAAE,CAAC;QAC1B,WAAW,EAAE,kBAAkB,CAAC;QAChC,UAAU,EAAE,IAAI,CAAC;KAClB,CAAC;IAWF;;OAEG;IACH,OAAO,CAAC,cAAc;IAgBtB;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAsB5B;;OAEG;IACH,OAAO,CAAC,cAAc;IAiBtB;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAS5B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAS5B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAOzB;;OAEG;IACH,OAAO,CAAC,YAAY;IAYpB;;OAEG;IACH,OAAO,CAAC,WAAW;YAUL,kBAAkB;YAKlB,gBAAgB;YAKhB,yBAAyB;YAKzB,0BAA0B;YAI1B,yBAAyB;YAKzB,mBAAmB;YAKnB,uBAAuB;CAItC;AAGD,eAAO,MAAM,cAAc,gBAAuB,CAAC"}