couchloop-eq-mcp 1.0.4 → 1.1.0

package/dist/server/oauth/dpop.js

@@ -1,338 +0,0 @@
-import { createHash, generateKeyPairSync } from 'crypto';
-import { SignJWT, jwtVerify, importJWK, exportJWK } from 'jose';
-import { logger } from '../../utils/logger.js';
-/**
- * DPoP Manager for Demonstration of Proof of Possession
- * Implements sender-constrained tokens to prevent token theft
- * Based on OAuth 2.0 DPoP draft specification
- */
-export class DPoPManager {
-    jtiCache = new Map();
-    nonceCache = new Map();
-    JTI_TTL = 3600000; // 1 hour
-    NONCE_TTL = 600000; // 10 minutes
-    MAX_TIME_SKEW = 300; // 5 minutes in seconds
-    /**
-     * Generate a DPoP key pair for client
-     */
-    generateKeyPair(algorithm = 'ES256') {
-        let keyPair;
-        if (algorithm === 'RS256') {
-            keyPair = generateKeyPairSync('rsa', {
-                modulusLength: 2048,
-                publicKeyEncoding: { type: 'spki', format: 'pem' },
-                privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
-            });
-        }
-        else {
-            keyPair = generateKeyPairSync('ec', {
-                namedCurve: 'P-256',
-                publicKeyEncoding: { type: 'spki', format: 'pem' },
-                privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
-            });
-        }
-        const publicKey = keyPair.publicKey;
-        const privateKey = keyPair.privateKey;
-        logger.info(`Generated DPoP ${algorithm} key pair`);
-        return {
-            publicKey,
-            privateKey,
-            jwk: {} // Would need to convert to JWK format
-        };
-    }
-    /**
-     * Create a DPoP proof JWT
-     */
-    async createDPoPProof(privateKey, httpMethod, httpUri, options) {
-        const algorithm = options?.algorithm || 'ES256';
-        const jti = this.generateJti();
-        const now = Math.floor(Date.now() / 1000);
-        // Create JWK from public key
-        const jwk = await exportJWK(privateKey);
-        const payload = {
-            jti,
-            htm: httpMethod.toUpperCase(),
-            htu: this.normalizeUri(httpUri),
-            iat: now,
-        };
-        // Add access token hash if provided
-        if (options?.accessToken) {
-            payload.ath = await this.hashToken(options.accessToken);
-        }
-        // Add nonce if provided
-        if (options?.nonce) {
-            payload.nonce = options.nonce;
-        }
-        // Create the proof JWT
-        const proof = await new SignJWT(payload)
-            .setProtectedHeader({
-            typ: 'dpop+jwt',
-            alg: algorithm,
-            jwk,
-        })
-            .sign(privateKey);
-        logger.debug(`Created DPoP proof for ${httpMethod} ${httpUri}`);
-        return proof;
-    }
-    /**
-     * Validate a DPoP proof
-     */
-    async validateDPoPProof(dpopProof, httpMethod, httpUri, options) {
-        try {
-            // Parse the JWT header to get the public key
-            const [headerB64] = dpopProof.split('.');
-            const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString());
-            if (header.typ !== 'dpop+jwt') {
-                return { valid: false, error: 'Invalid typ header' };
-            }
-            if (!header.jwk) {
-                return { valid: false, error: 'Missing jwk in header' };
-            }
-            // Import the public key from JWK
-            const publicKey = await importJWK(header.jwk, header.alg);
-            // Verify the signature
-            const { payload } = await jwtVerify(dpopProof, publicKey, {
-                algorithms: [header.alg],
-            });
-            const claims = payload;
-            // Validate HTTP method
-            if (claims.htm !== httpMethod.toUpperCase()) {
-                return { valid: false, error: `HTTP method mismatch: expected ${httpMethod}, got ${claims.htm}` };
-            }
-            // Validate HTTP URI
-            if (claims.htu !== this.normalizeUri(httpUri)) {
-                return { valid: false, error: `HTTP URI mismatch` };
-            }
-            // Check time window (prevent replay)
-            const now = Math.floor(Date.now() / 1000);
-            if (Math.abs(now - claims.iat) > this.MAX_TIME_SKEW) {
-                return { valid: false, error: 'DPoP proof too old or from future' };
-            }
-            // Check JTI uniqueness (prevent replay)
-            if (await this.isJtiUsed(claims.jti)) {
-                return { valid: false, error: 'DPoP proof jti already used (replay attack)' };
-            }
-            // Validate access token binding if provided
-            if (options?.accessToken) {
-                const expectedAth = await this.hashToken(options.accessToken);
-                if (claims.ath !== expectedAth) {
-                    return { valid: false, error: 'Access token hash mismatch' };
-                }
-            }
-            else if (claims.ath) {
-                return { valid: false, error: 'Unexpected access token hash in proof' };
-            }
-            // Validate nonce if required
-            if (options?.requireNonce || options?.expectedNonce) {
-                if (!claims.nonce) {
-                    return { valid: false, error: 'Missing required nonce' };
-                }
-                if (options.expectedNonce && claims.nonce !== options.expectedNonce) {
-                    return { valid: false, error: 'Nonce mismatch' };
-                }
-                if (!await this.validateNonce(claims.nonce)) {
-                    return { valid: false, error: 'Invalid or expired nonce' };
-                }
-            }
-            // Store JTI to prevent replay
-            await this.storeJti(claims.jti);
-            // Calculate JWK thumbprint for token binding
-            const jkt = await this.calculateJwkThumbprint(header.jwk);
-            logger.info(`DPoP proof validated successfully`);
-            return { valid: true, jkt };
-        }
-        catch (error) {
-            logger.error('DPoP validation error:', error);
-            return { valid: false, error: 'DPoP validation failed' };
-        }
-    }
-    /**
-     * Generate a server nonce for enhanced security
-     */
-    generateNonce() {
-        const nonce = Buffer.from(crypto.randomUUID()).toString('base64url');
-        const expires = Date.now() + this.NONCE_TTL;
-        this.nonceCache.set(nonce, expires);
-        this.cleanupExpiredNonces();
-        logger.debug('Generated DPoP nonce');
-        return nonce;
-    }
-    /**
-     * Validate a nonce
-     */
-    async validateNonce(nonce) {
-        const expires = this.nonceCache.get(nonce);
-        if (!expires) {
-            return false;
-        }
-        if (Date.now() > expires) {
-            this.nonceCache.delete(nonce);
-            return false;
-        }
-        // Nonce is valid, remove it (single use)
-        this.nonceCache.delete(nonce);
-        return true;
-    }
-    /**
-     * Bind an access token to a DPoP key
-     */
-    createDPoPBoundToken(token, jkt) {
-        return {
-            ...token,
-            cnf: {
-                jkt, // JWK thumbprint
-            },
-            token_type: 'DPoP', // Instead of 'Bearer'
-        };
-    }
-    /**
-     * Validate that a token is bound to the correct DPoP key
-     */
-    validateTokenBinding(token, dpopJkt) {
-        if (!token.cnf?.jkt) {
-            logger.warn('Token missing DPoP binding');
-            return false;
-        }
-        if (token.cnf.jkt !== dpopJkt) {
-            logger.warn('DPoP key mismatch');
-            return false;
-        }
-        return true;
-    }
-    /**
-     * Hash a token for the 'ath' claim
-     */
-    async hashToken(token) {
-        const hash = createHash('sha256')
-            .update(token, 'ascii')
-            .digest('base64url');
-        return hash;
-    }
-    /**
-     * Calculate JWK thumbprint (RFC 7638)
-     */
-    async calculateJwkThumbprint(jwk) {
-        // Create canonical JSON representation
-        const canonical = {};
-        // Required members in lexicographic order
-        if (jwk.kty === 'RSA') {
-            canonical.e = jwk.e;
-            canonical.kty = jwk.kty;
-            canonical.n = jwk.n;
-        }
-        else if (jwk.kty === 'EC') {
-            canonical.crv = jwk.crv;
-            canonical.kty = jwk.kty;
-            canonical.x = jwk.x;
-            canonical.y = jwk.y;
-        }
-        const json = JSON.stringify(canonical);
-        const hash = createHash('sha256')
-            .update(json, 'utf8')
-            .digest('base64url');
-        return hash;
-    }
-    /**
-     * Normalize URI for comparison
-     */
-    normalizeUri(uri) {
-        const url = new URL(uri);
-        // Remove fragment, normalize path
-        return `${url.protocol}//${url.host}${url.pathname}${url.search}`;
-    }
-    /**
-     * Generate unique JTI
-     */
-    generateJti() {
-        return crypto.randomUUID();
-    }
-    /**
-     * Check if JTI has been used
-     */
-    async isJtiUsed(jti) {
-        return this.jtiCache.has(jti);
-    }
-    /**
-     * Store JTI to prevent replay
-     */
-    async storeJti(jti) {
-        const expires = Date.now() + this.JTI_TTL;
-        this.jtiCache.set(jti, expires);
-        this.cleanupExpiredJtis();
-    }
-    /**
-     * Clean up expired JTIs
-     */
-    cleanupExpiredJtis() {
-        const now = Date.now();
-        for (const [jti, expires] of this.jtiCache.entries()) {
-            if (now > expires) {
-                this.jtiCache.delete(jti);
-            }
-        }
-    }
-    /**
-     * Clean up expired nonces
-     */
-    cleanupExpiredNonces() {
-        const now = Date.now();
-        for (const [nonce, expires] of this.nonceCache.entries()) {
-            if (now > expires) {
-                this.nonceCache.delete(nonce);
-            }
-        }
-    }
-    /**
-     * Middleware for Express to validate DPoP proofs
-     */
-    middleware(options) {
-        return async (req, res, next) => {
-            const dpopHeader = req.headers['dpop'];
-            if (!dpopHeader) {
-                if (options?.requireDPoP) {
-                    return res.status(401).json({ error: 'DPoP proof required' });
-                }
-                return next();
-            }
-            // Get access token from Authorization header
-            const authHeader = req.headers['authorization'];
-            const accessToken = authHeader?.replace(/^DPoP /, '');
-            // Validate DPoP proof
-            const validation = await this.validateDPoPProof(dpopHeader, req.method, `${req.protocol}://${req.get('host')}${req.originalUrl}`, {
-                accessToken,
-                expectedNonce: req.headers['dpop-nonce'],
-                requireNonce: options?.requireNonce,
-            });
-            if (!validation.valid) {
-                logger.warn(`DPoP validation failed: ${validation.error}`);
-                // If nonce is required, send one in response
-                if (validation.error?.includes('nonce')) {
-                    const nonce = this.generateNonce();
-                    res.setHeader('DPoP-Nonce', nonce);
-                }
-                return res.status(401).json({
-                    error: 'Invalid DPoP proof',
-                    detail: validation.error
-                });
-            }
-            // Add JKT to request for token binding validation
-            req.dpopJkt = validation.jkt;
-            next();
-        };
-    }
-    /**
-     * Get statistics about DPoP usage
-     */
-    getStats() {
-        this.cleanupExpiredJtis();
-        this.cleanupExpiredNonces();
-        return {
-            activeJtis: this.jtiCache.size,
-            activeNonces: this.nonceCache.size,
-            totalValidations: 0, // Would need to track this
-        };
-    }
-}
-// Export singleton instance
-export const dpopManager = new DPoPManager();
-//# sourceMappingURL=dpop.js.map

package/dist/server/oauth/dpop.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"dpop.js","sourceRoot":"","sources":["../../../src/server/oauth/dpop.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAA2B,MAAM,QAAQ,CAAC;AAClF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAO,SAAS,EAAE,MAAM,MAAM,CAAC;AACrE,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAiC/C;;;;GAIG;AACH,MAAM,OAAO,WAAW;IACL,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;IACrC,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,OAAO,GAAG,OAAO,CAAC,CAAC,SAAS;IAC5B,SAAS,GAAG,MAAM,CAAC,CAAC,aAAa;IACjC,aAAa,GAAG,GAAG,CAAC,CAAC,uBAAuB;IAE7D;;OAEG;IACH,eAAe,CAAC,YAA+B,OAAO;QAKpD,IAAI,OAAO,CAAC;QAEZ,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC1B,OAAO,GAAG,mBAAmB,CAAC,KAAK,EAAE;gBACnC,aAAa,EAAE,IAAI;gBACnB,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;gBAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;aACrD,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,mBAAmB,CAAC,IAAI,EAAE;gBAClC,UAAU,EAAE,OAAO;gBACnB,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;gBAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;aACrD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,SAAiC,CAAC;QAC5D,MAAM,UAAU,GAAG,OAAO,CAAC,UAAkC,CAAC;QAE9D,MAAM,CAAC,IAAI,CAAC,kBAAkB,SAAS,WAAW,CAAC,CAAC;QAEpD,OAAO;YACL,SAAS;YACT,UAAU;YACV,GAAG,EAAE,EAAS,CAAC,sCAAsC;SACtD,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,UAAqB,EACrB,UAAkB,EAClB,OAAe,EACf,OAIC;QAED,MAAM,SAAS,GAAG,OAAO,EAAE,SAAS,IAAI,OAAO,CAAC;QAChD,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1C,6BAA6B;QAC7B,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,UAAU,CAAC,CAAC;QAExC,MAAM,OAAO,GAAgB;YAC3B,GAAG;YACH,GAAG,EAAE,UAAU,CAAC,WAAW,EAAE;YAC7B,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC;YAC/B,GAAG,EAAE,GAAG;SACT,CAAC;QAEF,oCAAoC;QACpC,IAAI,OAAO,EAAE,WAAW,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QAC1D,CAAC;QAED,wBAAwB;QACxB,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAChC,CAAC;QAED,uBAAuB;QACvB,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC;aACrC,kBAAkB,CAAC;YAClB,GAAG,EAAE,UAAU;YACf,GAAG,EAAE,SAAS;YACd,GAAG;SACJ,CAAC;aACD,IAAI,CAAC,UAAU,CAAC,CAAC;QAEpB,MAAM,CAAC,KAAK,CAAC,0BAA0B,UAAU,IAAI,OAAO,EAAE,CAAC,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB,CACrB,SAAiB,EACjB,UAAkB,EAClB,OAAe,EACf,OAIC;QAED,IAAI,CAAC;YACH,6CAA6C;YAC7C,MAAM,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACzC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;YAE1E,IAAI,MAAM,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACvD,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;YAC1D,CAAC;YAED,iCAAiC;YACjC,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;YAE1D,uBAAuB;YACvB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,SAAS,EAAE,SAAS,EAAE;gBACxD,UAAU,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC;aACzB,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,OAAiC,CAAC;YAEjD,uBAAuB;YACvB,IAAI,MAAM,CAAC,GAAG,KAAK,UAAU,CAAC,WAAW,EAAE,EAAE,CAAC;gBAC5C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,kCAAkC,UAAU,SAAS,MAAM,CAAC,GAAG,EAAE,EAAE,CAAC;YACpG,CAAC;YAED,oBAAoB;YACpB,IAAI,MAAM,CAAC,GAAG,KAAK,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;YACtD,CAAC;YAED,qCAAqC;YACrC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;gBACpD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;YACtE,CAAC;YAED,wCAAwC;YACxC,IAAI,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,6CAA6C,EAAE,CAAC;YAChF,CAAC;YAED,4CAA4C;YAC5C,IAAI,OAAO,EAAE,WAAW,EAAE,CAAC;gBACzB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;gBAC9D,IAAI,MAAM,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;oBAC/B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;gBAC/D,CAAC;YACH,CAAC;iBAAM,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;gBACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,uCAAuC,EAAE,CAAC;YAC1E,CAAC;YAED,6BAA6B;YAC7B,IAAI,OAAO,EAAE,YAAY,IAAI,OAAO,EAAE,aAAa,EAAE,CAAC;gBACpD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;oBAClB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC;gBAC3D,CAAC;gBACD,IAAI,OAAO,CAAC,aAAa,IAAI,MAAM,CAAC,KAAK,KAAK,OAAO,CAAC,aAAa,EAAE,CAAC;oBACpE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC;gBACnD,CAAC;gBACD,IAAI,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC5C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC;gBAC7D,CAAC;YACH,CAAC;YAED,8BAA8B;YAC9B,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAEhC,6CAA6C;YAC7C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAE1D,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;YACjD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;QAE9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAC;YAC9C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;OAEG;IACH,aAAa;QACX,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACrE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC;QAE5C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACpC,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAE5B,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACrC,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAE3C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9B,OAAO,KAAK,CAAC;QACf,CAAC;QAED,yCAAyC;QACzC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,oBAAoB,CAClB,KAAU,EACV,GAAW;QAEX,OAAO;YACL,GAAG,KAAK;YACR,GAAG,EAAE;gBACH,GAAG,EAAE,iBAAiB;aACvB;YACD,UAAU,EAAE,MAAM,EAAE,sBAAsB;SAC3C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,oBAAoB,CAClB,KAAU,EACV,OAAe;QAEf,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;YACpB,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;YAC1C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,KAAK,CAAC,GAAG,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;YACjC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,KAAa;QACnC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC;aAC9B,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC;aACtB,MAAM,CAAC,WAAW,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,sBAAsB,CAAC,GAAQ;QAC3C,uCAAuC;QACvC,MAAM,SAAS,GAAQ,EAAE,CAAC;QAE1B,0CAA0C;QAC1C,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;YACtB,SAAS,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;YACpB,SAAS,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;YACxB,SAAS,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QACtB,CAAC;aAAM,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;YAC5B,SAAS,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;YACxB,SAAS,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;YACxB,SAAS,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;YACpB,SAAS,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QACtB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC;aAC9B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC;aACpB,MAAM,CAAC,WAAW,CAAC,CAAC;QAEvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,GAAW;QAC9B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACzB,kCAAkC;QAClC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;IACpE,CAAC;IAED;;OAEG;IACK,WAAW;QACjB,OAAO,MAAM,CAAC,UAAU,EAAE,CAAC;IAC7B,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,GAAW;QACjC,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,QAAQ,CAAC,GAAW;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAC1C,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAChC,IAAI,CAAC,kBAAkB,EAAE,CAAC;IAC5B,CAAC;IAED;;OAEG;IACK,kBAAkB;QACxB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;YACrD,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC;gBAClB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACK,oBAAoB;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;YACzD,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC;gBAClB,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,OAA2D;QACpE,OAAO,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;YAC7C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAEvC,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,IAAI,OAAO,EAAE,WAAW,EAAE,CAAC;oBACzB,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC;gBAChE,CAAC;gBACD,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YAED,6CAA6C;YAC7C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;YAChD,MAAM,WAAW,GAAG,UAAU,EAAE,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YAEtD,sBAAsB;YACtB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAC7C,UAAU,EACV,GAAG,CAAC,MAAM,EACV,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,WAAW,EAAE,EACxD;gBACE,WAAW;gBACX,aAAa,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC;gBACxC,YAAY,EAAE,OAAO,EAAE,YAAY;aACpC,CACF,CAAC;YAEF,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBACtB,MAAM,CAAC,IAAI,CAAC,2BAA2B,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;gBAE3D,6CAA6C;gBAC7C,IAAI,UAAU,CAAC,KAAK,EAAE,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;oBACxC,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnC,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;gBACrC,CAAC;gBAED,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,oBAAoB;oBAC3B,MAAM,EAAE,UAAU,CAAC,KAAK;iBACzB,CAAC,CAAC;YACL,CAAC;YAED,kDAAkD;YAClD,GAAG,CAAC,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC;YAE7B,IAAI,EAAE,CAAC;QACT,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,QAAQ;QAKN,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAE5B,OAAO;YACL,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YAC9B,YAAY,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI;YAClC,gBAAgB,EAAE,CAAC,EAAE,2BAA2B;SACjD,CAAC;IACJ,CAAC;CACF;AAED,4BAA4B;AAC5B,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC"}

package/dist/server/oauth/gdpr/consent.d.ts

@@ -1,173 +0,0 @@
-/**
- * Consent types as per GDPR Article 6
- */
-export declare enum ConsentType {
-    NECESSARY = "necessary",// Contract fulfillment
-    LEGITIMATE_INTEREST = "legitimate",// Legitimate business interest
-    CONSENT = "consent",// Explicit user consent
-    LEGAL_OBLIGATION = "legal",// Legal requirement
-    VITAL_INTERESTS = "vital",// Protect vital interests
-    PUBLIC_TASK = "public"
-}
-/**
- * Processing purposes requiring consent
- */
-export declare enum ProcessingPurpose {
-    AUTHENTICATION = "authentication",
-    PROFILE_DATA = "profile_data",
-    ANALYTICS = "analytics",
-    MARKETING = "marketing",
-    THIRD_PARTY_SHARING = "third_party",
-    DATA_RETENTION = "data_retention",
-    COOKIES = "cookies",
-    LOCATION = "location",
-    BIOMETRIC = "biometric",
-    HEALTH_DATA = "health_data"
-}
-/**
- * Consent record structure
- */
-export interface ConsentRecord {
-    id: string;
-    userId: string;
-    purpose: ProcessingPurpose;
-    lawfulBasis: ConsentType;
-    granted: boolean;
-    grantedAt?: Date;
-    revokedAt?: Date;
-    expiresAt?: Date;
-    version: string;
-    ipAddress?: string;
-    userAgent?: string;
-    parentalConsent?: boolean;
-    metadata?: {
-        consentText: string;
-        privacyPolicyVersion: string;
-        termsVersion: string;
-        language: string;
-        channel: 'web' | 'mobile' | 'api';
-    };
-}
-/**
- * Consent preferences
- */
-export interface ConsentPreferences {
-    userId: string;
-    consents: Map<ProcessingPurpose, ConsentRecord>;
-    globalOptOut: boolean;
-    communicationPreferences: {
-        email: boolean;
-        sms: boolean;
-        push: boolean;
-        phone: boolean;
-    };
-    dataRetentionPeriod?: number;
-    lastUpdated: Date;
-}
-/**
- * GDPR Consent Manager
- * Manages user consent per GDPR Articles 6, 7, and 8
- */
-export declare class ConsentManager {
-    private readonly CONSENT_VERSION;
-    private readonly PRIVACY_POLICY_VERSION;
-    private readonly MINIMUM_AGE_EU;
-    private readonly MINIMUM_AGE_US;
-    private readonly CONSENT_EXPIRY_DAYS;
-    private consentCache;
-    private readonly CACHE_TTL;
-    /**
-     * Record user consent
-     */
-    recordConsent(userId: string, purpose: ProcessingPurpose, granted: boolean, options?: {
-        ipAddress?: string;
-        userAgent?: string;
-        parentalConsent?: boolean;
-        expiryDays?: number;
-        metadata?: ConsentRecord['metadata'];
-    }): Promise<ConsentRecord>;
-    /**
-     * Bulk consent update
-     */
-    updateBulkConsent(userId: string, consents: Map<ProcessingPurpose, boolean>, context?: {
-        ipAddress?: string;
-        userAgent?: string;
-    }): Promise<ConsentPreferences>;
-    /**
-     * Check if user has valid consent for purpose
-     */
-    hasValidConsent(userId: string, purpose: ProcessingPurpose): Promise<boolean>;
-    /**
-     * Get all user consents
-     */
-    getUserConsents(userId: string): Promise<ConsentPreferences>;
-    /**
-     * Withdraw consent
-     */
-    withdrawConsent(userId: string, purpose: ProcessingPurpose, reason?: string): Promise<void>;
-    /**
-     * Withdraw all consents (global opt-out)
-     */
-    withdrawAllConsents(userId: string): Promise<void>;
-    /**
-     * Check parental consent requirement
-     */
-    requiresParentalConsent(birthDate: Date, country: string): Promise<boolean>;
-    /**
-     * Verify parental consent
-     */
-    verifyParentalConsent(childUserId: string, parentEmail: string, verificationCode: string): Promise<boolean>;
-    /**
-     * Generate consent request for special category data
-     */
-    requestSpecialCategoryConsent(userId: string, dataTypes: string[], justification: string): Promise<string>;
-    /**
-     * Export consent history for data portability
-     */
-    exportConsentHistory(userId: string): Promise<{
-        consents: ConsentRecord[];
-        preferences: ConsentPreferences;
-        exportDate: Date;
-    }>;
-    /**
-     * Check consent validity
-     */
-    private isConsentValid;
-    /**
-     * Determine lawful basis for processing purpose
-     */
-    private determineLawfulBasis;
-    /**
-     * Get consent text for purpose
-     */
-    private getConsentText;
-    /**
-     * Check if purpose requires confirmation
-     */
-    private requiresConfirmation;
-    /**
-     * Check if withdrawal requires data deletion
-     */
-    private requiresDataDeletion;
-    /**
-     * Generate consent ID
-     */
-    private generateConsentId;
-    /**
-     * Calculate age from birthdate
-     */
-    private calculateAge;
-    /**
-     * Check if country is in EU
-     */
-    private isEUCountry;
-    private storeConsentRecord;
-    private loadUserConsents;
-    private loadAllUserConsentHistory;
-    private storeSpecialConsentRequest;
-    private checkParentalVerification;
-    private triggerDataDeletion;
-    private sendConsentConfirmation;
-}
-export declare const consentManager: ConsentManager;
-//# sourceMappingURL=consent.d.ts.map

package/dist/server/oauth/gdpr/consent.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"consent.d.ts","sourceRoot":"","sources":["../../../../src/server/oauth/gdpr/consent.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,oBAAY,WAAW;IAErB,SAAS,cAAc,CAAY,uBAAuB;IAC1D,mBAAmB,eAAe,CAAE,+BAA+B;IACnE,OAAO,YAAY,CAAgB,wBAAwB;IAC3D,gBAAgB,UAAU,CAAS,oBAAoB;IACvD,eAAe,UAAU,CAAU,0BAA0B;IAC7D,WAAW,WAAW;CACvB;AAED;;GAEG;AACH,oBAAY,iBAAiB;IAC3B,cAAc,mBAAmB;IACjC,YAAY,iBAAiB;IAC7B,SAAS,cAAc;IACvB,SAAS,cAAc;IACvB,mBAAmB,gBAAgB;IACnC,cAAc,mBAAmB;IACjC,OAAO,YAAY;IACnB,QAAQ,aAAa;IACrB,SAAS,cAAc;IACvB,WAAW,gBAAgB;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,iBAAiB,CAAC;IAC3B,WAAW,EAAE,WAAW,CAAC;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,EAAE;QACT,WAAW,EAAE,MAAM,CAAC;QACpB,oBAAoB,EAAE,MAAM,CAAC;QAC7B,YAAY,EAAE,MAAM,CAAC;QACrB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,KAAK,GAAG,QAAQ,GAAG,KAAK,CAAC;KACnC,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,GAAG,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAChD,YAAY,EAAE,OAAO,CAAC;IACtB,wBAAwB,EAAE;QACxB,KAAK,EAAE,OAAO,CAAC;QACf,GAAG,EAAE,OAAO,CAAC;QACb,IAAI,EAAE,OAAO,CAAC;QACd,KAAK,EAAE,OAAO,CAAC;KAChB,CAAC;IACF,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,WAAW,EAAE,IAAI,CAAC;CACnB;AAED;;;GAGG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAW;IAC3C,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAW;IAClD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAM;IACrC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAM;IACrC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAO;IAG3C,OAAO,CAAC,YAAY,CAAyC;IAC7D,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAU;IAEpC;;OAEG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,iBAAiB,EAC1B,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE;QACR,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;KACtC,GACA,OAAO,CAAC,aAAa,CAAC;IA6CzB;;OAEG;IACG,iBAAiB,CACrB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,EACzC,OAAO,CAAC,EAAE;QACR,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACA,OAAO,CAAC,kBAAkB,CAAC;IAW9B;;OAEG;IACG,eAAe,CACnB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,OAAO,CAAC;IA4BnB;;OAEG;IACG,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA6BlE;;OAEG;IACG,eAAe,CACnB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,iBAAiB,EAC1B,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAmBhB;;OAEG;IACG,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAaxD;;OAEG;IACG,uBAAuB,CAC3B,SAAS,EAAE,IAAI,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC;IAiBnB;;OAEG;IACG,qBAAqB,CACzB,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,MAAM,EACnB,gBAAgB,EAAE,MAAM,GACvB,OAAO,CAAC,OAAO,CAAC;IAyBnB;;OAEG;IACG,6BAA6B,CACjC,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EAAE,EACnB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC;IAsBlB;;OAEG;IACG,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QAClD,QAAQ,EAAE,aAAa,EAAE,CAAC;QAC1B,WAAW,EAAE,kBAAkB,CAAC;QAChC,UAAU,EAAE,IAAI,CAAC;KAClB,CAAC;IAWF;;OAEG;IACH,OAAO,CAAC,cAAc;IAgBtB;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAsB5B;;OAEG;IACH,OAAO,CAAC,cAAc;IAiBtB;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAS5B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAS5B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAOzB;;OAEG;IACH,OAAO,CAAC,YAAY;IAYpB;;OAEG;IACH,OAAO,CAAC,WAAW;YAUL,kBAAkB;YAKlB,gBAAgB;YAKhB,yBAAyB;YAKzB,0BAA0B;YAI1B,yBAAyB;YAKzB,mBAAmB;YAKnB,uBAAuB;CAItC;AAGD,eAAO,MAAM,cAAc,gBAAuB,CAAC"}