oauth.do 0.1.15 → 0.2.1

package/dist/hono.js

@@ -0,0 +1,599 @@
+import { getCookie, deleteCookie, setCookie } from 'hono/cookie';
+import * as jose from 'jose';
+import { Hono } from 'hono';
+
+// src/hono.ts
+
+// src/session.ts
+var defaultSessionConfig = {
+  cookieName: "session",
+  cookieMaxAge: 60 * 60 * 24 * 7,
+  // 7 days
+  cookieSecure: true,
+  cookieSameSite: "lax",
+  secret: "oauth-do-dev-secret-change-in-production"
+};
+var ALGORITHM = "AES-GCM";
+var IV_LENGTH = 12;
+var TAG_LENGTH = 128;
+async function getEncryptionKey(secret) {
+  const encoder = new TextEncoder();
+  return crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret.padEnd(32, "0").slice(0, 32)),
+    { name: ALGORITHM },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function encodeSession(session, secret) {
+  const key = await getEncryptionKey(secret ?? defaultSessionConfig.secret);
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+  const encoder = new TextEncoder();
+  const data = encoder.encode(JSON.stringify(session));
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: ALGORITHM, iv, tagLength: TAG_LENGTH },
+    key,
+    data
+  );
+  const combined2 = new Uint8Array(iv.length + ciphertext.byteLength);
+  combined2.set(iv, 0);
+  combined2.set(new Uint8Array(ciphertext), iv.length);
+  return btoa(String.fromCharCode(...combined2));
+}
+async function decodeSession(encoded, secret) {
+  try {
+    const key = await getEncryptionKey(secret ?? defaultSessionConfig.secret);
+    const combined2 = Uint8Array.from(atob(encoded), (c) => c.charCodeAt(0));
+    const iv = combined2.slice(0, IV_LENGTH);
+    const ciphertext = combined2.slice(IV_LENGTH);
+    const decrypted = await crypto.subtle.decrypt(
+      { name: ALGORITHM, iv, tagLength: TAG_LENGTH },
+      key,
+      ciphertext
+    );
+    const decoder = new TextDecoder();
+    const parsed = JSON.parse(decoder.decode(decrypted));
+    if (!isValidSessionData(parsed)) {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function isValidSessionData(data) {
+  if (data === null || typeof data !== "object") {
+    return false;
+  }
+  const session = data;
+  if (typeof session.userId !== "string" || session.userId.length === 0) {
+    return false;
+  }
+  if (typeof session.accessToken !== "string" || session.accessToken.length === 0) {
+    return false;
+  }
+  if (session.organizationId !== void 0 && typeof session.organizationId !== "string") {
+    return false;
+  }
+  if (session.email !== void 0 && typeof session.email !== "string") {
+    return false;
+  }
+  if (session.name !== void 0 && typeof session.name !== "string") {
+    return false;
+  }
+  if (session.refreshToken !== void 0 && typeof session.refreshToken !== "string") {
+    return false;
+  }
+  if (session.expiresAt !== void 0 && typeof session.expiresAt !== "number") {
+    return false;
+  }
+  return true;
+}
+function getSessionConfig(env) {
+  const validSameSite = ["strict", "lax", "none"];
+  let cookieSameSite = defaultSessionConfig.cookieSameSite;
+  if (env?.SESSION_COOKIE_SAME_SITE) {
+    const value = env.SESSION_COOKIE_SAME_SITE;
+    if (validSameSite.includes(value)) {
+      cookieSameSite = value;
+    }
+  }
+  let cookieMaxAge = defaultSessionConfig.cookieMaxAge;
+  if (env?.SESSION_COOKIE_MAX_AGE) {
+    const parsed = parseInt(env.SESSION_COOKIE_MAX_AGE, 10);
+    if (!Number.isNaN(parsed) && parsed > 0) {
+      cookieMaxAge = parsed;
+    }
+  }
+  return {
+    secret: env?.SESSION_SECRET ?? defaultSessionConfig.secret,
+    cookieName: env?.SESSION_COOKIE_NAME ?? defaultSessionConfig.cookieName,
+    cookieMaxAge,
+    cookieSecure: env?.SESSION_COOKIE_SECURE !== "false",
+    cookieSameSite
+  };
+}
+
+// src/session-hono.ts
+async function setSessionCookie(c, session, config = defaultSessionConfig) {
+  const encoded = await encodeSession(session, config.secret);
+  setCookie(c, config.cookieName, encoded, {
+    path: "/",
+    httpOnly: true,
+    secure: config.cookieSecure,
+    sameSite: config.cookieSameSite === "none" ? "None" : config.cookieSameSite === "strict" ? "Strict" : "Lax",
+    maxAge: config.cookieMaxAge
+  });
+}
+function clearSessionCookie(c, config = defaultSessionConfig) {
+  deleteCookie(c, config.cookieName, { path: "/" });
+}
+async function getSessionFromCookie(c, config = defaultSessionConfig) {
+  const encoded = getCookie(c, config.cookieName);
+  if (!encoded) return null;
+  return decodeSession(encoded, config.secret);
+}
+function sessionAuth(options = {}) {
+  return async (c, next) => {
+    const env = c.env ?? {};
+    const config = { ...getSessionConfig(env), ...options.config };
+    const session = await getSessionFromCookie(c, config);
+    c.set("session", session);
+    c.set("sessionUser", session ? {
+      id: session.userId,
+      email: session.email,
+      name: session.name,
+      organizationId: session.organizationId
+    } : null);
+    await next();
+  };
+}
+function requireSession(options = {}) {
+  return async (c, next) => {
+    const env = c.env ?? {};
+    const config = { ...getSessionConfig(env), ...options.config };
+    const session = await getSessionFromCookie(c, config);
+    if (!session) {
+      return c.json({ error: "Unauthorized", message: "Authentication required" }, 401);
+    }
+    if (session.expiresAt && Date.now() >= session.expiresAt) {
+      clearSessionCookie(c, config);
+      return c.json({ error: "Unauthorized", message: "Session expired" }, 401);
+    }
+    c.set("session", session);
+    c.set("sessionUser", {
+      id: session.userId,
+      email: session.email,
+      name: session.name,
+      organizationId: session.organizationId
+    });
+    await next();
+  };
+}
+function createWorkOSClient(apiKey2) {
+  const baseUrl = "https://api.workos.com";
+  return {
+    getAuthorizationUrl(options) {
+      const params = new URLSearchParams({
+        client_id: options.clientId,
+        redirect_uri: options.redirectUri,
+        response_type: "code",
+        ...options.state && { state: options.state },
+        ...options.provider && { provider: options.provider }
+      });
+      return `https://api.workos.com/sso/authorize?${params.toString()}`;
+    },
+    async authenticateWithCode(options) {
+      const response = await fetch(`${baseUrl}/user_management/authenticate`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          "Authorization": `Bearer ${apiKey2}`
+        },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          client_id: options.clientId,
+          code: options.code,
+          redirect_uri: options.redirectUri
+        }).toString()
+      });
+      if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`WorkOS authentication failed: ${response.status} - ${error}`);
+      }
+      return response.json();
+    },
+    async refreshToken(options) {
+      const response = await fetch(`${baseUrl}/user_management/authenticate`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          "Authorization": `Bearer ${apiKey2}`
+        },
+        body: new URLSearchParams({
+          grant_type: "refresh_token",
+          client_id: options.clientId,
+          refresh_token: options.refreshToken
+        }).toString()
+      });
+      if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Token refresh failed: ${response.status} - ${error}`);
+      }
+      return response.json();
+    }
+  };
+}
+function createOAuthRoutes(options = {}) {
+  const app = new Hono();
+  app.use("*", async (c, next) => {
+    await next();
+    const contentType = c.res.headers.get("content-type");
+    if (contentType?.includes("application/json") && !contentType.includes("charset")) {
+      c.res.headers.set("content-type", "application/json; charset=utf-8");
+    }
+  });
+  app.get("/login", (c) => {
+    const env = c.env ?? {};
+    const apiKey2 = options.workosApiKey ?? env.WORKOS_API_KEY;
+    const clientId = options.clientId ?? env.WORKOS_CLIENT_ID;
+    if (!apiKey2) {
+      return c.json({ error: "Server configuration error", message: "WORKOS_API_KEY not configured" }, 500);
+    }
+    if (!clientId) {
+      return c.json({ error: "Server configuration error", message: "WORKOS_CLIENT_ID not configured" }, 500);
+    }
+    const workos = createWorkOSClient(apiKey2);
+    const url = new URL(c.req.url);
+    const baseUrl = options.redirectBaseUrl ?? env.AUTH_REDIRECT_BASE_URL ?? `${url.protocol}//${url.host}`;
+    const intendedRedirect = c.req.query("redirect_uri") || "/";
+    const provider = c.req.query("provider");
+    const state = btoa(JSON.stringify({ redirect: intendedRedirect }));
+    const authUrl = workos.getAuthorizationUrl({
+      clientId,
+      redirectUri: `${baseUrl}/auth/callback`,
+      state,
+      provider
+    });
+    return c.redirect(authUrl);
+  });
+  app.get("/callback", async (c) => {
+    const env = c.env ?? {};
+    const apiKey2 = options.workosApiKey ?? env.WORKOS_API_KEY;
+    const clientId = options.clientId ?? env.WORKOS_CLIENT_ID;
+    const sessionConfig = { ...getSessionConfig(env), ...options.session };
+    const debug = options.debug ?? env.DEBUG === "true";
+    if (!apiKey2) {
+      return c.json({ error: "Server configuration error", message: "WORKOS_API_KEY not configured" }, 500);
+    }
+    if (!clientId) {
+      return c.json({ error: "Server configuration error", message: "WORKOS_CLIENT_ID not configured" }, 500);
+    }
+    const code = c.req.query("code");
+    const state = c.req.query("state");
+    const error = c.req.query("error");
+    const errorDescription = c.req.query("error_description");
+    if (error) {
+      if (debug) console.error("[Auth] OAuth error:", error, errorDescription);
+      return c.json({ error: "Authentication failed", message: errorDescription || error }, 400);
+    }
+    if (!code) {
+      return c.json({ error: "Missing authorization code" }, 400);
+    }
+    const workos = createWorkOSClient(apiKey2);
+    const url = new URL(c.req.url);
+    const baseUrl = options.redirectBaseUrl ?? env.AUTH_REDIRECT_BASE_URL ?? `${url.protocol}//${url.host}`;
+    try {
+      const result = await workos.authenticateWithCode({
+        clientId,
+        code,
+        redirectUri: `${baseUrl}/auth/callback`
+      });
+      const session = {
+        userId: result.user.id,
+        organizationId: result.user.organization_id,
+        email: result.user.email,
+        name: [result.user.first_name, result.user.last_name].filter(Boolean).join(" ") || void 0,
+        accessToken: result.access_token,
+        refreshToken: result.refresh_token,
+        expiresAt: result.expires_in ? Date.now() + result.expires_in * 1e3 : void 0
+      };
+      await setSessionCookie(c, session, sessionConfig);
+      await options.onLogin?.(session, c);
+      let redirectTo = "/";
+      if (state) {
+        try {
+          const stateData = JSON.parse(atob(state));
+          redirectTo = stateData.redirect || "/";
+        } catch {
+        }
+      }
+      if (!redirectTo.startsWith("/")) {
+        redirectTo = "/";
+      }
+      return c.redirect(redirectTo);
+    } catch (err) {
+      if (debug) console.error("[Auth] OAuth callback error:", err);
+      return c.json({
+        error: "Authentication failed",
+        message: err instanceof Error ? err.message : "Unknown error"
+      }, 500);
+    }
+  });
+  app.get("/logout", async (c) => {
+    const env = c.env ?? {};
+    const sessionConfig = { ...getSessionConfig(env), ...options.session };
+    clearSessionCookie(c, sessionConfig);
+    await options.onLogout?.(c);
+    const redirectTo = c.req.query("redirect_uri") || "/";
+    if (!redirectTo.startsWith("/")) {
+      return c.redirect("/");
+    }
+    return c.redirect(redirectTo);
+  });
+  app.post("/logout", async (c) => {
+    const env = c.env ?? {};
+    const sessionConfig = { ...getSessionConfig(env), ...options.session };
+    clearSessionCookie(c, sessionConfig);
+    await options.onLogout?.(c);
+    return c.json({ success: true, message: "Logged out successfully" });
+  });
+  app.get("/me", async (c) => {
+    const env = c.env ?? {};
+    const sessionConfig = { ...getSessionConfig(env), ...options.session };
+    const session = await getSessionFromCookie(c, sessionConfig);
+    if (!session) {
+      return c.json({ error: "Unauthorized", message: "Not authenticated" }, 401);
+    }
+    if (session.expiresAt && Date.now() >= session.expiresAt) {
+      clearSessionCookie(c, sessionConfig);
+      return c.json({ error: "Unauthorized", message: "Session expired" }, 401);
+    }
+    return c.json({
+      id: session.userId,
+      email: session.email,
+      name: session.name,
+      organizationId: session.organizationId
+    });
+  });
+  app.post("/refresh", async (c) => {
+    const env = c.env ?? {};
+    const apiKey2 = options.workosApiKey ?? env.WORKOS_API_KEY;
+    const clientId = options.clientId ?? env.WORKOS_CLIENT_ID;
+    const sessionConfig = { ...getSessionConfig(env), ...options.session };
+    const debug = options.debug ?? env.DEBUG === "true";
+    if (!apiKey2) {
+      return c.json({ error: "Server configuration error", message: "WORKOS_API_KEY not configured" }, 500);
+    }
+    if (!clientId) {
+      return c.json({ error: "Server configuration error", message: "WORKOS_CLIENT_ID not configured" }, 500);
+    }
+    const session = await getSessionFromCookie(c, sessionConfig);
+    if (!session) {
+      return c.json({ error: "Unauthorized", message: "Not authenticated" }, 401);
+    }
+    if (!session.refreshToken) {
+      return c.json({ error: "Cannot refresh", message: "No refresh token available" }, 400);
+    }
+    const workos = createWorkOSClient(apiKey2);
+    try {
+      const result = await workos.refreshToken({
+        clientId,
+        refreshToken: session.refreshToken
+      });
+      const updatedSession = {
+        ...session,
+        accessToken: result.access_token,
+        refreshToken: result.refresh_token || session.refreshToken,
+        expiresAt: result.expires_in ? Date.now() + result.expires_in * 1e3 : void 0
+      };
+      await setSessionCookie(c, updatedSession, sessionConfig);
+      return c.json({ success: true, expiresAt: updatedSession.expiresAt });
+    } catch (err) {
+      if (debug) console.error("[Auth] Token refresh error:", err);
+      clearSessionCookie(c, sessionConfig);
+      return c.json({
+        error: "Refresh failed",
+        message: err instanceof Error ? err.message : "Unknown error"
+      }, 401);
+    }
+  });
+  return app;
+}
+
+// src/hono.ts
+var OAUTH_DO_CONFIG = {
+  clientId: "client_01JQYTRXK9ZPD8JPJTKDCRB656",
+  jwksUri: "https://api.workos.com/sso/jwks/client_01JQYTRXK9ZPD8JPJTKDCRB656"
+};
+var TOKEN_CACHE_TTL = 5 * 60;
+var CACHE_URL_PREFIX = "https://oauth.do/_cache/token/";
+async function hashToken(token) {
+  const data = new TextEncoder().encode(token);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function getCachedUser(token) {
+  try {
+    const cache = caches.default;
+    const hash = await hashToken(token);
+    const cacheKey = new Request(`${CACHE_URL_PREFIX}${hash}`);
+    const cached = await cache.match(cacheKey);
+    if (!cached) return null;
+    const data = await cached.json();
+    if (data.expiresAt < Date.now()) return null;
+    return data.user;
+  } catch {
+    return null;
+  }
+}
+async function cacheUser(token, user) {
+  try {
+    const cache = caches.default;
+    const hash = await hashToken(token);
+    const cacheKey = new Request(`${CACHE_URL_PREFIX}${hash}`);
+    const data = { user, expiresAt: Date.now() + TOKEN_CACHE_TTL * 1e3 };
+    const response = new Response(JSON.stringify(data), {
+      headers: { "Cache-Control": `max-age=${TOKEN_CACHE_TTL}` }
+    });
+    await cache.put(cacheKey, response);
+  } catch {
+  }
+}
+function extractToken(c, cookieName, headerName) {
+  const authHeader = c.req.header(headerName);
+  if (authHeader?.startsWith("Bearer ")) {
+    return authHeader.slice(7);
+  }
+  const cookie = getCookie(c, cookieName);
+  if (cookie) return cookie;
+  return null;
+}
+function payloadToUser(payload) {
+  return {
+    id: payload.sub || "",
+    email: payload.email,
+    name: payload.name,
+    organizationId: payload.org_id,
+    roles: payload.roles,
+    permissions: payload.permissions,
+    metadata: payload.metadata
+  };
+}
+var jwksCache = null;
+var jwksCacheExpiry = 0;
+async function getJwks(jwksUri, cacheTtl) {
+  const now = Date.now();
+  if (jwksCache && jwksCacheExpiry > now) {
+    return jwksCache;
+  }
+  jwksCache = jose.createRemoteJWKSet(new URL(jwksUri));
+  jwksCacheExpiry = now + cacheTtl * 1e3;
+  return jwksCache;
+}
+function auth(options = {}) {
+  const {
+    cookieName = "auth",
+    headerName = "Authorization",
+    clientId = OAUTH_DO_CONFIG.clientId,
+    jwksUri = OAUTH_DO_CONFIG.jwksUri,
+    skip,
+    jwksCacheTtl = 3600
+  } = options;
+  return async (c, next) => {
+    c.set("user", null);
+    c.set("userId", null);
+    c.set("isAuth", false);
+    c.set("token", null);
+    if (skip?.(c)) {
+      return next();
+    }
+    const token = extractToken(c, cookieName, headerName);
+    if (!token) {
+      return next();
+    }
+    c.set("token", token);
+    const cached = await getCachedUser(token);
+    if (cached) {
+      c.set("user", cached);
+      c.set("userId", cached.id);
+      c.set("isAuth", true);
+      return next();
+    }
+    try {
+      const jwks = await getJwks(jwksUri, jwksCacheTtl);
+      const { payload } = await jose.jwtVerify(token, jwks, {
+        audience: clientId
+      });
+      const user = payloadToUser(payload);
+      c.set("user", user);
+      c.set("userId", user.id);
+      c.set("isAuth", true);
+      await cacheUser(token, user);
+    } catch {
+    }
+    return next();
+  };
+}
+function requireAuth(options = {}) {
+  const { redirectTo, roles, permissions, ...authOptions } = options;
+  return async (c, next) => {
+    if (c.var.user === void 0) {
+      await auth(authOptions)(c, async () => {
+      });
+    }
+    if (!c.var.isAuth || !c.var.user) {
+      if (redirectTo) {
+        return c.redirect(redirectTo);
+      }
+      return c.json({ error: "Authentication required" }, 401);
+    }
+    if (roles?.length) {
+      const userRoles = c.var.user.roles || [];
+      const hasRole = roles.some((r) => userRoles.includes(r));
+      if (!hasRole) {
+        return c.json({ error: "Insufficient permissions" }, 403);
+      }
+    }
+    if (permissions?.length) {
+      const userPerms = c.var.user.permissions || [];
+      const hasAllPerms = permissions.every((p) => userPerms.includes(p));
+      if (!hasAllPerms) {
+        return c.json({ error: "Insufficient permissions" }, 403);
+      }
+    }
+    return next();
+  };
+}
+function apiKey(options) {
+  const { headerName = "X-API-Key", verify } = options;
+  return async (c, next) => {
+    c.set("user", null);
+    c.set("userId", null);
+    c.set("isAuth", false);
+    c.set("token", null);
+    const key = c.req.header(headerName);
+    if (!key) {
+      return c.json({ error: "API key required" }, 401);
+    }
+    const user = await verify(key, c);
+    if (!user) {
+      return c.json({ error: "Invalid API key" }, 401);
+    }
+    c.set("user", user);
+    c.set("userId", user.id);
+    c.set("isAuth", true);
+    c.set("token", key);
+    return next();
+  };
+}
+function combined(options) {
+  return async (c, next) => {
+    if (options.auth) {
+      await auth(options.auth)(c, async () => {
+      });
+      if (c.var.isAuth) {
+        return next();
+      }
+    }
+    if (options.apiKey) {
+      const key = c.req.header(options.apiKey.headerName || "X-API-Key");
+      if (key) {
+        const user = await options.apiKey.verify(key, c);
+        if (user) {
+          c.set("user", user);
+          c.set("userId", user.id);
+          c.set("isAuth", true);
+          c.set("token", key);
+          return next();
+        }
+      }
+    }
+    return c.json({ error: "Authentication required" }, 401);
+  };
+}
+
+export { apiKey, auth, combined, createOAuthRoutes, decodeSession, encodeSession, getSessionConfig, requireAuth, requireSession, sessionAuth };
+//# sourceMappingURL=hono.js.map
+//# sourceMappingURL=hono.js.map