takos-control 1.0.0

package/src/application/services/oauth/consent.ts

@@ -0,0 +1,244 @@
+import type { D1Database } from '../../../shared/types/bindings.ts';
+import type { SelectOf } from '../../../shared/types/drizzle-helpers';
+import { oauthConsents, oauthClients } from '../../../infra/db';
+import type { OAuthConsent } from '../../../shared/types/oauth';
+import { generateId } from './pkce';
+import { safeJsonParseOrDefault, toIsoString } from '../../../shared/utils';
+import { getDb } from '../../../infra/db';
+import { eq, and, inArray, desc } from 'drizzle-orm';
+import { revokeAllUserClientTokens } from './token';
+
+type OAuthConsentRow = SelectOf<typeof oauthConsents>;
+
+function toApiConsent(row: OAuthConsentRow): OAuthConsent {
+  return {
+    id: row.id,
+    user_id: row.accountId,
+    client_id: row.clientId,
+    scopes: row.scopes,
+    status: row.status as 'active' | 'revoked',
+    granted_at: toIsoString(row.grantedAt),
+    updated_at: toIsoString(row.updatedAt),
+  };
+}
+
+export async function getConsent(
+  dbBinding: D1Database,
+  userId: string,
+  clientId: string
+): Promise<OAuthConsent | null> {
+  const db = getDb(dbBinding);
+
+  const consent = await db.select().from(oauthConsents).where(
+    and(
+      eq(oauthConsents.accountId, userId),
+      eq(oauthConsents.clientId, clientId),
+      eq(oauthConsents.status, 'active'),
+    )
+  ).get();
+
+  if (!consent) {
+    return null;
+  }
+
+  return toApiConsent(consent);
+}
+
+function parseGrantedScopes(consent: OAuthConsent): Set<string> {
+  return new Set(safeJsonParseOrDefault<string[]>(consent.scopes, []));
+}
+
+export async function hasFullConsent(
+  dbBinding: D1Database,
+  userId: string,
+  clientId: string,
+  requestedScopes: string[]
+): Promise<boolean> {
+  const consent = await getConsent(dbBinding, userId, clientId);
+  if (!consent) return false;
+
+  const granted = parseGrantedScopes(consent);
+  return requestedScopes.every((scope) => granted.has(scope));
+}
+
+export async function getNewScopes(
+  dbBinding: D1Database,
+  userId: string,
+  clientId: string,
+  requestedScopes: string[]
+): Promise<string[]> {
+  const consent = await getConsent(dbBinding, userId, clientId);
+  if (!consent) return requestedScopes;
+
+  const granted = parseGrantedScopes(consent);
+  return requestedScopes.filter((scope) => !granted.has(scope));
+}
+
+export async function grantConsent(
+  dbBinding: D1Database,
+  userId: string,
+  clientId: string,
+  scopes: string[]
+): Promise<OAuthConsent> {
+  const db = getDb(dbBinding);
+  const now = new Date().toISOString();
+
+  const existing = await getConsent(dbBinding, userId, clientId);
+
+  if (existing) {
+    const existingScopes = safeJsonParseOrDefault<string[]>(existing.scopes, []);
+    const mergedScopes = Array.from(new Set([...existingScopes, ...scopes]));
+
+    await db.update(oauthConsents).set({
+      scopes: JSON.stringify(mergedScopes),
+      updatedAt: now,
+    }).where(eq(oauthConsents.id, existing.id));
+
+    return {
+      ...existing,
+      scopes: JSON.stringify(mergedScopes),
+      updated_at: now,
+    };
+  }
+
+  const id = generateId();
+
+  await db.insert(oauthConsents).values({
+    id,
+    accountId: userId,
+    clientId,
+    scopes: JSON.stringify(scopes),
+    status: 'active',
+    grantedAt: now,
+    updatedAt: now,
+  });
+
+  return {
+    id,
+    user_id: userId,
+    client_id: clientId,
+    scopes: JSON.stringify(scopes),
+    status: 'active',
+    granted_at: now,
+    updated_at: now,
+  };
+}
+
+export async function revokeConsent(
+  dbBinding: D1Database,
+  userId: string,
+  clientId: string
+): Promise<boolean> {
+  const db = getDb(dbBinding);
+
+  try {
+    const result = await db.update(oauthConsents).set({
+      status: 'revoked',
+      updatedAt: new Date().toISOString(),
+    }).where(
+      and(
+        eq(oauthConsents.accountId, userId),
+        eq(oauthConsents.clientId, clientId),
+      )
+    );
+
+    if ((result.meta.changes ?? 0) > 0) {
+      await revokeAllUserClientTokens(dbBinding, userId, clientId);
+    }
+
+    return (result.meta.changes ?? 0) > 0;
+  } catch {
+    return false;
+  }
+}
+
+export async function removeConsentScopes(
+  dbBinding: D1Database,
+  userId: string,
+  clientId: string,
+  scopesToRemove: string[]
+): Promise<boolean> {
+  const db = getDb(dbBinding);
+
+  const consent = await getConsent(dbBinding, userId, clientId);
+  if (!consent) {
+    return false;
+  }
+
+  const currentScopes = safeJsonParseOrDefault<string[]>(consent.scopes, []);
+  const removeSet = new Set(scopesToRemove);
+  const remainingScopes = currentScopes.filter((s) => !removeSet.has(s));
+
+  if (remainingScopes.length === 0) {
+      return revokeConsent(dbBinding, userId, clientId);
+  }
+
+  await db.update(oauthConsents).set({
+    scopes: JSON.stringify(remainingScopes),
+    updatedAt: new Date().toISOString(),
+  }).where(eq(oauthConsents.id, consent.id));
+
+  return true;
+}
+
+export async function getUserConsents(
+  dbBinding: D1Database,
+  userId: string
+): Promise<OAuthConsent[]> {
+  const db = getDb(dbBinding);
+
+  const consents = await db.select().from(oauthConsents).where(
+    and(
+      eq(oauthConsents.accountId, userId),
+      eq(oauthConsents.status, 'active'),
+    )
+  ).orderBy(desc(oauthConsents.grantedAt)).all();
+
+  return consents.map(toApiConsent);
+}
+
+export interface ConsentWithClient extends OAuthConsent {
+  client_name?: string;
+  client_logo?: string;
+  client_uri?: string;
+}
+
+export async function getUserConsentsWithClients(
+  dbBinding: D1Database,
+  userId: string
+): Promise<ConsentWithClient[]> {
+  const db = getDb(dbBinding);
+
+  const consents = await db.select().from(oauthConsents).where(
+    and(
+      eq(oauthConsents.accountId, userId),
+      eq(oauthConsents.status, 'active'),
+    )
+  ).orderBy(desc(oauthConsents.grantedAt)).all();
+
+  if (consents.length === 0) {
+    return [];
+  }
+
+  const clientIds = Array.from(new Set(consents.map((c) => c.clientId)));
+  const clients = await db.select({
+    clientId: oauthClients.clientId,
+    name: oauthClients.name,
+    logoUri: oauthClients.logoUri,
+    clientUri: oauthClients.clientUri,
+  }).from(oauthClients).where(
+    inArray(oauthClients.clientId, clientIds)
+  ).all();
+
+  const clientMap = new Map(clients.map((c) => [c.clientId, c]));
+
+  return consents.map((consent): ConsentWithClient => {
+    const client = clientMap.get(consent.clientId);
+    return {
+      ...toApiConsent(consent),
+      client_name: client?.name,
+      client_logo: client?.logoUri ?? undefined,
+      client_uri: client?.clientUri ?? undefined,
+    };
+  });
+}

package/src/application/services/oauth/device.ts

@@ -0,0 +1,295 @@
+import type { D1Database } from '../../../shared/types/bindings.ts';
+import type { SelectOf } from '../../../shared/types/drizzle-helpers';
+import { oauthDeviceCodes } from '../../../infra/db';
+import type { OAuthDeviceCode } from '../../../shared/types/oauth';
+import { OAUTH_CONSTANTS } from '../../../shared/types/oauth';
+import { generateId, generateRandomString } from './pkce';
+import { computeSHA256 } from '../../../shared/utils/hash';
+import { getDb } from '../../../infra/db';
+import { eq, and, isNull } from 'drizzle-orm';
+import { toIsoString } from '../../../shared/utils';
+
+type OAuthDeviceCodeRow = SelectOf<typeof oauthDeviceCodes>;
+
+function toOptionalIsoString(value: string | Date | null | undefined): string | null {
+  return toIsoString(value);
+}
+
+function toApiDeviceCode(row: OAuthDeviceCodeRow): OAuthDeviceCode {
+  return {
+    id: row.id,
+    device_code_hash: row.deviceCodeHash,
+    user_code_hash: row.userCodeHash,
+    client_id: row.clientId,
+    scope: row.scope,
+    status: row.status as OAuthDeviceCode['status'],
+    user_id: row.accountId ?? null,
+    interval_seconds: row.intervalSeconds,
+    last_polled_at: toOptionalIsoString(row.lastPolledAt),
+    approved_at: toOptionalIsoString(row.approvedAt),
+    denied_at: toOptionalIsoString(row.deniedAt),
+    used_at: toOptionalIsoString(row.usedAt),
+    expires_at: toIsoString(row.expiresAt),
+    created_at: toIsoString(row.createdAt),
+    updated_at: toIsoString(row.updatedAt),
+  };
+}
+
+const USER_CODE_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
+
+export function normalizeUserCode(raw: string): string {
+  return String(raw || '')
+    .trim()
+    .toUpperCase()
+    .replace(/[^A-Z0-9]/g, '');
+}
+
+function formatUserCode(normalized: string): string {
+  const size = OAUTH_CONSTANTS.DEVICE_USER_CODE_LENGTH;
+  const value = normalized.slice(0, size);
+  const group = 4;
+  const parts: string[] = [];
+  for (let i = 0; i < value.length; i += group) {
+    parts.push(value.slice(i, i + group));
+  }
+  return parts.join('-');
+}
+
+function generateUserCodeNormalized(): string {
+  const size = OAUTH_CONSTANTS.DEVICE_USER_CODE_LENGTH;
+  const out: string[] = [];
+  const bytes = new Uint8Array(size);
+  crypto.getRandomValues(bytes);
+  for (let i = 0; i < size; i++) {
+    const idx = bytes[i] % USER_CODE_ALPHABET.length;
+    out.push(USER_CODE_ALPHABET[idx]!);
+  }
+  return out.join('');
+}
+
+export interface CreatedDeviceAuthorization {
+  id: string;
+  deviceCode: string;
+  userCode: string; // human display (e.g. "ABCD-EFGH")
+  expiresIn: number;
+  interval: number;
+  expiresAt: string;
+}
+
+export async function createDeviceAuthorization(
+  dbBinding: D1Database,
+  params: {
+    clientId: string;
+    scope: string;
+    expiresInSeconds?: number;
+    intervalSeconds?: number;
+  }
+): Promise<CreatedDeviceAuthorization> {
+  const db = getDb(dbBinding);
+  const expiresIn = params.expiresInSeconds ?? OAUTH_CONSTANTS.DEVICE_CODE_EXPIRES_IN;
+  const interval = params.intervalSeconds ?? OAUTH_CONSTANTS.DEVICE_POLL_INTERVAL_SECONDS;
+
+  for (let attempt = 0; attempt < 5; attempt++) {
+    const id = generateId();
+    const deviceCode = generateRandomString(OAUTH_CONSTANTS.DEVICE_CODE_LENGTH);
+    const userCodeNormalized = generateUserCodeNormalized();
+    const userCode = formatUserCode(userCodeNormalized);
+
+    const deviceCodeHash = await computeSHA256(deviceCode);
+    const userCodeHash = await computeSHA256(userCodeNormalized);
+    const now = new Date().toISOString();
+    const expiresAt = new Date(Date.now() + expiresIn * 1000).toISOString();
+
+    try {
+      await db.insert(oauthDeviceCodes).values({
+        id,
+        deviceCodeHash,
+        userCodeHash,
+        clientId: params.clientId,
+        scope: params.scope,
+        status: 'pending',
+        accountId: null,
+        intervalSeconds: interval,
+        lastPolledAt: null,
+        approvedAt: null,
+        deniedAt: null,
+        usedAt: null,
+        expiresAt,
+        createdAt: now,
+        updatedAt: now,
+      });
+
+      return {
+        id,
+        deviceCode,
+        userCode,
+        expiresIn,
+        interval,
+        expiresAt,
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      if (message.includes('UNIQUE') || message.includes('unique')) {
+        continue;
+      }
+      throw err;
+    }
+  }
+
+  throw new Error('Failed to generate unique device authorization codes');
+}
+
+export async function getDeviceAuthorizationByUserCode(
+  dbBinding: D1Database,
+  rawUserCode: string
+): Promise<OAuthDeviceCode | null> {
+  const db = getDb(dbBinding);
+  const normalized = normalizeUserCode(rawUserCode);
+  if (!normalized) return null;
+  const userCodeHash = await computeSHA256(normalized);
+
+  const result = await db.select().from(oauthDeviceCodes)
+    .where(eq(oauthDeviceCodes.userCodeHash, userCodeHash)).get();
+  if (!result) return null;
+  return toApiDeviceCode(result);
+}
+
+export async function getDeviceAuthorizationByDeviceCode(
+  dbBinding: D1Database,
+  deviceCode: string
+): Promise<OAuthDeviceCode | null> {
+  const db = getDb(dbBinding);
+  if (!deviceCode) return null;
+  const deviceCodeHash = await computeSHA256(deviceCode);
+
+  const result = await db.select().from(oauthDeviceCodes)
+    .where(eq(oauthDeviceCodes.deviceCodeHash, deviceCodeHash)).get();
+  if (!result) return null;
+  return toApiDeviceCode(result);
+}
+
+async function resolveDeviceAuthorization(
+  dbBinding: D1Database,
+  params: { id: string; userId: string },
+  decision: 'approved' | 'denied',
+): Promise<boolean> {
+  const db = getDb(dbBinding);
+  const now = new Date().toISOString();
+  const timestampField = decision === 'approved' ? 'approvedAt' : 'deniedAt';
+
+  const result = await db.update(oauthDeviceCodes).set({
+    status: decision,
+    accountId: params.userId,
+    [timestampField]: now,
+    updatedAt: now,
+  }).where(
+    and(
+      eq(oauthDeviceCodes.id, params.id),
+      eq(oauthDeviceCodes.status, 'pending'),
+    )
+  );
+
+  return (result.meta.changes ?? 0) > 0;
+}
+
+export async function approveDeviceAuthorization(
+  dbBinding: D1Database,
+  params: { id: string; userId: string }
+): Promise<boolean> {
+  return resolveDeviceAuthorization(dbBinding, params, 'approved');
+}
+
+export async function denyDeviceAuthorization(
+  dbBinding: D1Database,
+  params: { id: string; userId: string }
+): Promise<boolean> {
+  return resolveDeviceAuthorization(dbBinding, params, 'denied');
+}
+
+export type DeviceCodePollResult =
+  | { kind: 'not_found' }
+  | { kind: 'client_mismatch' }
+  | { kind: 'expired' }
+  | { kind: 'denied' }
+  | { kind: 'used' }
+  | { kind: 'pending'; slowDown: boolean; intervalSeconds: number }
+  | { kind: 'approved'; id: string; userId: string; scope: string };
+
+export async function pollDeviceAuthorization(
+  dbBinding: D1Database,
+  params: { deviceCode: string; clientId: string }
+): Promise<DeviceCodePollResult> {
+  const db = getDb(dbBinding);
+  const deviceCode = params.deviceCode;
+  if (!deviceCode) return { kind: 'not_found' };
+  const deviceCodeHash = await computeSHA256(deviceCode);
+
+  const record = await db.select().from(oauthDeviceCodes)
+    .where(eq(oauthDeviceCodes.deviceCodeHash, deviceCodeHash)).get();
+  if (!record) return { kind: 'not_found' };
+
+  const api = toApiDeviceCode(record);
+
+  if (api.client_id !== params.clientId) {
+    return { kind: 'client_mismatch' };
+  }
+
+  const nowMs = Date.now();
+  if (new Date(api.expires_at).getTime() <= nowMs) {
+    return { kind: 'expired' };
+  }
+
+  const lastMs = api.last_polled_at ? new Date(api.last_polled_at).getTime() : null;
+  const currentInterval = Number.isFinite(api.interval_seconds) ? api.interval_seconds : OAUTH_CONSTANTS.DEVICE_POLL_INTERVAL_SECONDS;
+
+  let slowDown = false;
+  let nextInterval = currentInterval;
+  if (lastMs !== null && nowMs - lastMs < currentInterval * 1000) {
+    slowDown = true;
+    nextInterval = Math.min(currentInterval + 5, 60);
+  }
+
+  const nowIso = new Date(nowMs).toISOString();
+  await db.update(oauthDeviceCodes).set({
+    lastPolledAt: nowIso,
+    intervalSeconds: nextInterval,
+    updatedAt: nowIso,
+  }).where(eq(oauthDeviceCodes.id, api.id));
+
+  switch (api.status) {
+    case 'pending':
+      return { kind: 'pending', slowDown, intervalSeconds: nextInterval };
+    case 'denied':
+      return { kind: 'denied' };
+    case 'used':
+      return { kind: 'used' };
+    case 'approved':
+      // Fail-close if user_id is unexpectedly missing
+      if (!api.user_id) return { kind: 'not_found' };
+      return { kind: 'approved', id: api.id, userId: api.user_id, scope: api.scope };
+    default:
+      return { kind: 'not_found' };
+  }
+}
+
+export async function consumeApprovedDeviceAuthorization(
+  dbBinding: D1Database,
+  id: string
+): Promise<boolean> {
+  const db = getDb(dbBinding);
+  const now = new Date().toISOString();
+
+  const result = await db.update(oauthDeviceCodes).set({
+    status: 'used',
+    usedAt: now,
+    updatedAt: now,
+  }).where(
+    and(
+      eq(oauthDeviceCodes.id, id),
+      eq(oauthDeviceCodes.status, 'approved'),
+      isNull(oauthDeviceCodes.usedAt),
+    )
+  );
+
+  return (result.meta.changes ?? 0) > 0;
+}

package/src/application/services/oauth/pkce.ts

@@ -0,0 +1,60 @@
+import type { CodeChallengeMethod } from '../../../shared/types/oauth';
+import { constantTimeEqual } from '../../../shared/utils/hash';
+import { base64UrlEncode, bytesToHex } from '../../../shared/utils';
+
+export function generateCodeVerifier(): string {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return base64UrlEncode(bytes);
+}
+
+export async function generateCodeChallenge(
+  verifier: string,
+  method: CodeChallengeMethod = 'S256'
+): Promise<string> {
+  if (method !== 'S256') {
+    throw new Error('Unsupported PKCE code challenge method');
+  }
+
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest('SHA-256', data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+
+export async function verifyCodeChallenge(
+  codeVerifier: string,
+  codeChallenge: string,
+  method: CodeChallengeMethod = 'S256'
+): Promise<boolean> {
+  const computedChallenge = await generateCodeChallenge(codeVerifier, method);
+  return constantTimeEqual(computedChallenge, codeChallenge);
+}
+
+export function isValidCodeVerifier(verifier: string): boolean {
+  if (verifier.length < 43 || verifier.length > 128) {
+    return false;
+  }
+  return /^[A-Za-z0-9\-._~]+$/.test(verifier);
+}
+
+export function isValidCodeChallenge(challenge: string): boolean {
+  if (challenge.length !== 43) {
+    return false;
+  }
+  return /^[A-Za-z0-9\-_]+$/.test(challenge);
+}
+
+
+export function generateRandomString(length: number): string {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return base64UrlEncode(bytes);
+}
+
+export function generateId(): string {
+  const bytes = new Uint8Array(16);
+  crypto.getRandomValues(bytes);
+  const hex = bytesToHex(bytes);
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}

package/src/application/services/oauth/scopes.ts

@@ -0,0 +1,61 @@
+import { OAUTH_SCOPES } from '../../../shared/types/oauth';
+
+export function parseScopes(scopeString: string): string[] {
+  if (!scopeString || !scopeString.trim()) {
+    return [];
+  }
+  return scopeString
+    .split(/\s+/)
+    .map((s) => s.trim())
+    .filter((s) => s.length > 0);
+}
+
+export function validateScopes(scopes: string[]): { valid: boolean; unknown: string[] } {
+  const unknown = scopes.filter((s) => !OAUTH_SCOPES[s]);
+  return {
+    valid: unknown.length === 0,
+    unknown,
+  };
+}
+
+export function areScopesAllowed(requested: string[], allowed: string[]): boolean {
+  return requested.every((scope) => allowed.includes(scope));
+}
+
+export function hasAccess(
+  grantedScopes: string[],
+  resource: string,
+  action: 'read' | 'write' | 'execute'
+): boolean {
+  const exactScope = `${resource}:${action}`;
+  if (grantedScopes.includes(exactScope)) {
+    return true;
+  }
+
+  if (action === 'read') {
+    const writeScope = `${resource}:write`;
+    if (grantedScopes.includes(writeScope)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+export function getScopeSummary(scopes: string[]): { identity: string[]; resources: string[] } {
+  const identity: string[] = [];
+  const resources: string[] = [];
+
+  for (const scope of scopes) {
+    const info = OAUTH_SCOPES[scope];
+    if (info) {
+      if (info.category === 'identity') {
+        identity.push(info.description);
+      } else {
+        resources.push(info.description);
+      }
+    }
+  }
+
+  return { identity, resources };
+}