trustline 0.0.1 → 0.1.0

package/dist/index.js

@@ -0,0 +1,537 @@
+import {
+  AuthError
+} from "./chunk-GF3NKEEK.js";
+
+// src/core/token.ts
+import { errors, jwtVerify } from "jose";
+
+// src/core/cache.ts
+import {
+  createLocalJWKSet
+} from "jose";
+var JwksCache = class {
+  ttlMs;
+  entries = /* @__PURE__ */ new Map();
+  inflight = /* @__PURE__ */ new Map();
+  constructor(options = {}) {
+    this.ttlMs = options.ttlMs ?? 10 * 60 * 1e3;
+  }
+  async get(url, forceRefresh = false) {
+    const now = Date.now();
+    const cached = this.entries.get(url);
+    if (!forceRefresh && cached && cached.expiresAt > now) {
+      return cached.jwkSet;
+    }
+    const inflight = this.inflight.get(url);
+    if (inflight) {
+      const entry = await inflight.promise;
+      return entry.jwkSet;
+    }
+    const promise = this.fetchAndCache(url);
+    this.inflight.set(url, { promise });
+    try {
+      const entry = await promise;
+      return entry.jwkSet;
+    } finally {
+      this.inflight.delete(url);
+    }
+  }
+  clear(url) {
+    if (url) {
+      this.entries.delete(url);
+      this.inflight.delete(url);
+      return;
+    }
+    this.entries.clear();
+    this.inflight.clear();
+  }
+  async fetchAndCache(url) {
+    let response;
+    try {
+      response = await fetch(url);
+    } catch (error) {
+      throw new AuthError(
+        "jwks_fetch_failed",
+        `Failed to fetch JWKS from ${url}`,
+        401,
+        error
+      );
+    }
+    if (!response.ok) {
+      throw new AuthError(
+        "jwks_fetch_failed",
+        `Failed to fetch JWKS from ${url}`,
+        401
+      );
+    }
+    const json = await response.json();
+    if (!json || !Array.isArray(json.keys)) {
+      throw new AuthError(
+        "jwks_fetch_failed",
+        `Invalid JWKS payload from ${url}`,
+        401
+      );
+    }
+    const entry = {
+      jwks: json,
+      jwkSet: createLocalJWKSet(json),
+      expiresAt: Date.now() + this.ttlMs
+    };
+    this.entries.set(url, entry);
+    return entry;
+  }
+};
+var defaultJwksCache = new JwksCache();
+
+// src/core/scopes.ts
+function parseScopes(scope) {
+  if (!scope) {
+    return [];
+  }
+  return [
+    ...new Set(
+      scope.split(/\s+/).map((value) => value.trim()).filter(Boolean)
+    )
+  ];
+}
+function hasRequiredScopes(tokenScope, requiredScopes) {
+  const tokenScopes = new Set(parseScopes(tokenScope));
+  return requiredScopes.every((scope) => tokenScopes.has(scope));
+}
+
+// src/core/token.ts
+var DEFAULT_CLOCK_TOLERANCE_SECONDS = 5;
+function deriveJwksUrl(issuer) {
+  const normalized = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+  return `${normalized}/.well-known/jwks.json`;
+}
+async function verifyToken(token, options) {
+  if (!token) {
+    throw new AuthError("missing_token", "Missing bearer token", 401);
+  }
+  const jwksUrl = options.jwksUrl ?? deriveJwksUrl(options.issuer);
+  const jwksCache = options.jwksCache ?? defaultJwksCache;
+  try {
+    return await verifyWithCache(token, options, jwksUrl, jwksCache);
+  } catch (error) {
+    if (!shouldRetryWithFreshJwks(error)) {
+      throw normalizeVerifyError(error);
+    }
+    try {
+      return await verifyWithCache(token, options, jwksUrl, jwksCache, true);
+    } catch (retryError) {
+      throw normalizeVerifyError(retryError);
+    }
+  }
+}
+async function verifyWithCache(token, options, jwksUrl, jwksCache, forceRefresh = false) {
+  const jwkSet = await jwksCache.get(jwksUrl, forceRefresh);
+  const { payload } = await jwtVerify(token, jwkSet, {
+    issuer: options.issuer,
+    audience: options.audience,
+    algorithms: ["RS256", "ES256"],
+    clockTolerance: options.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SECONDS
+  });
+  if (typeof payload.sub !== "string" || payload.sub.length === 0) {
+    throw new AuthError("invalid_token", "Token subject is missing", 401);
+  }
+  if (options.env && payload.env !== options.env) {
+    throw new AuthError("invalid_env", "Token environment does not match", 403);
+  }
+  if (options.scopes?.length && !hasRequiredScopes(getScopeClaim(payload), options.scopes)) {
+    throw new AuthError(
+      "invalid_scope",
+      "Token is missing required scopes",
+      403
+    );
+  }
+  return {
+    clientId: payload.sub,
+    name: typeof payload.name === "string" ? payload.name : null,
+    scopes: parseScopes(getScopeClaim(payload)),
+    env: typeof payload.env === "string" ? payload.env : null,
+    raw: payload
+  };
+}
+function shouldRetryWithFreshJwks(error) {
+  return error instanceof errors.JWKSNoMatchingKey || error instanceof errors.JWSSignatureVerificationFailed;
+}
+function normalizeVerifyError(error) {
+  if (error instanceof AuthError) {
+    return error;
+  }
+  if (error instanceof errors.JWTClaimValidationFailed) {
+    if (error.claim === "iss") {
+      return new AuthError(
+        "invalid_issuer",
+        "Token issuer does not match",
+        401,
+        error
+      );
+    }
+    if (error.claim === "aud") {
+      return new AuthError(
+        "invalid_audience",
+        "Token audience does not match",
+        403,
+        error
+      );
+    }
+  }
+  if (error instanceof errors.JOSEError || error instanceof errors.JWTInvalid || error instanceof errors.JWTExpired) {
+    return new AuthError(
+      "invalid_token",
+      "Token verification failed",
+      401,
+      error
+    );
+  }
+  return new AuthError(
+    "invalid_token",
+    "Token verification failed",
+    401,
+    error
+  );
+}
+function getScopeClaim(payload) {
+  return typeof payload.scope === "string" ? payload.scope : void 0;
+}
+
+// src/guard/index.ts
+function createGuard(options) {
+  return {
+    verify(token) {
+      return verifyToken(token, options);
+    }
+  };
+}
+
+// src/provider/index.ts
+import { createPrivateKey as createPrivateKey2 } from "crypto";
+import { SignJWT } from "jose";
+import { v7 } from "uuid";
+
+// src/core/crypto.ts
+import { randomBytes } from "crypto";
+import { compare, hash } from "bcryptjs";
+async function hashSecret(secret) {
+  return hash(secret, 10);
+}
+async function verifySecret(secret, hashedSecret) {
+  return compare(secret, hashedSecret);
+}
+function generateSecret(length = 32) {
+  return randomBytes(length).toString("base64url");
+}
+
+// src/core/keys.ts
+import { createPrivateKey, createPublicKey, randomUUID } from "crypto";
+import {
+  exportJWK,
+  exportPKCS8,
+  exportSPKI,
+  generateKeyPair
+} from "jose";
+async function createSigningKey(options = {}) {
+  const algorithm = options.algorithm ?? "ES256";
+  const keyId = options.keyId ?? `key_${randomUUID()}`;
+  if (options.privateKey) {
+    const privateKey2 = createPrivateKey(options.privateKey);
+    const publicKey2 = createPublicKey(privateKey2);
+    return {
+      keyId,
+      algorithm,
+      privateKey: privateKey2.export({
+        type: "pkcs8",
+        format: "pem"
+      }),
+      publicKey: publicKey2.export({
+        type: "spki",
+        format: "pem"
+      }),
+      createdAt: /* @__PURE__ */ new Date(),
+      retiredAt: null
+    };
+  }
+  const { privateKey, publicKey } = await generateKeyPair(algorithm, {
+    extractable: true
+  });
+  return {
+    keyId,
+    algorithm,
+    privateKey: await exportPKCS8(privateKey),
+    publicKey: await exportSPKI(publicKey),
+    createdAt: /* @__PURE__ */ new Date(),
+    retiredAt: null
+  };
+}
+async function exportSigningKeyToJwk(signingKey) {
+  const publicKey = createPublicKey(signingKey.publicKey);
+  const jwk = await exportJWK(publicKey);
+  return {
+    ...jwk,
+    use: "sig",
+    kid: signingKey.keyId,
+    alg: signingKey.algorithm
+  };
+}
+function getActiveSigningKeys(keys) {
+  return keys.filter((key) => key.retiredAt === null);
+}
+
+// src/provider/index.ts
+var DEFAULT_TOKEN_TTL_SECONDS = 300;
+function createProvider(options) {
+  const provider = new TrustlineProvider(options);
+  return {
+    handle(request) {
+      return provider.handle(request);
+    },
+    clients: {
+      create(input) {
+        return provider.createClient(input);
+      },
+      list() {
+        return provider.listClients();
+      },
+      revoke(clientId) {
+        return provider.revokeClient(clientId);
+      }
+    }
+  };
+}
+var TrustlineProvider = class {
+  constructor(options) {
+    this.options = options;
+  }
+  async handle(request) {
+    const url = new URL(request.url);
+    if (request.method === "GET" && url.pathname.endsWith("/.well-known/jwks.json")) {
+      return this.handleJwks();
+    }
+    if (request.method === "POST" && url.pathname.endsWith("/token")) {
+      return this.handleToken(request);
+    }
+    return jsonResponse({ error: "not_found", message: "Not found" }, 404);
+  }
+  async createClient(input) {
+    const clientSecret = generateSecret();
+    const client = {
+      id: v7(),
+      clientId: `svc_${v7().replaceAll("-", "")}`,
+      clientSecret: await hashSecret(clientSecret),
+      name: input.name,
+      scopes: parseScopes(input.scopes?.join(" ")),
+      createdAt: /* @__PURE__ */ new Date(),
+      lastSeenAt: null
+    };
+    await this.options.storage.createClient(client);
+    return {
+      clientId: client.clientId,
+      clientSecret
+    };
+  }
+  listClients() {
+    return this.options.storage.listClients();
+  }
+  revokeClient(clientId) {
+    return this.options.storage.deleteClient(clientId);
+  }
+  async handleJwks() {
+    const jwks = await this.getJwks();
+    return jsonResponse(jwks);
+  }
+  async handleToken(request) {
+    const contentType = request.headers.get("content-type") ?? "";
+    if (!contentType.includes("application/x-www-form-urlencoded")) {
+      return jsonResponse(
+        {
+          error: "invalid_request",
+          error_description: "Expected application/x-www-form-urlencoded body"
+        },
+        400
+      );
+    }
+    const body = new URLSearchParams(await request.text());
+    const grantType = body.get("grant_type");
+    if (grantType !== "client_credentials") {
+      return jsonResponse(
+        {
+          error: "unsupported_grant_type",
+          error_description: "Only client_credentials is supported"
+        },
+        400
+      );
+    }
+    const credentials = getBasicCredentials(
+      request.headers.get("authorization")
+    ) ?? {
+      clientId: body.get("client_id"),
+      clientSecret: body.get("client_secret")
+    };
+    if (!credentials.clientId || !credentials.clientSecret) {
+      return jsonResponse(
+        {
+          error: "invalid_client",
+          error_description: "Missing client credentials"
+        },
+        401
+      );
+    }
+    const client = await this.options.storage.findClient(credentials.clientId);
+    if (!client || !await verifySecret(credentials.clientSecret, client.clientSecret)) {
+      return jsonResponse(
+        {
+          error: "invalid_client",
+          error_description: "Client authentication failed"
+        },
+        401
+      );
+    }
+    const token = await this.issueAccessToken({
+      audience: body.get("audience") ?? void 0,
+      client
+    });
+    await this.options.storage.touchClient(client.clientId, /* @__PURE__ */ new Date());
+    return jsonResponse({
+      access_token: token,
+      token_type: "Bearer",
+      expires_in: this.options.token?.ttl ?? DEFAULT_TOKEN_TTL_SECONDS,
+      scope: client.scopes.join(" ")
+    });
+  }
+  async issueAccessToken(input) {
+    const signingKey = await this.ensureActiveSigningKey();
+    const privateKey = createPrivateKey2(signingKey.privateKey);
+    const ttl = this.options.token?.ttl ?? DEFAULT_TOKEN_TTL_SECONDS;
+    const jwt = new SignJWT({
+      name: input.client.name,
+      scope: input.client.scopes.join(" "),
+      ...this.options.env ? { env: this.options.env } : {}
+    }).setProtectedHeader({
+      alg: signingKey.algorithm,
+      kid: signingKey.keyId
+    }).setIssuer(this.options.issuer).setSubject(input.client.clientId).setJti(v7()).setIssuedAt().setExpirationTime(`${ttl}s`);
+    if (input.audience) {
+      jwt.setAudience(input.audience);
+    }
+    return jwt.sign(privateKey);
+  }
+  async getJwks() {
+    const keys = getActiveSigningKeys(
+      await this.options.storage.getSigningKeys()
+    );
+    if (keys.length === 0) {
+      await this.ensureActiveSigningKey();
+      return this.getJwks();
+    }
+    return {
+      keys: await Promise.all(keys.map((key) => exportSigningKeyToJwk(key)))
+    };
+  }
+  async ensureActiveSigningKey() {
+    const existing = getActiveSigningKeys(
+      await this.options.storage.getSigningKeys()
+    );
+    const current = existing[0];
+    if (current) {
+      return current;
+    }
+    const key = await createSigningKey(this.options.signing);
+    await this.options.storage.addSigningKey(key);
+    return key;
+  }
+};
+function jsonResponse(body, status = 200) {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: {
+      "content-type": "application/json"
+    }
+  });
+}
+function getBasicCredentials(header) {
+  if (!header) {
+    return null;
+  }
+  const [scheme, value] = header.split(/\s+/, 2);
+  if (scheme?.toLowerCase() !== "basic" || !value) {
+    return null;
+  }
+  const decoded = Buffer.from(value, "base64").toString("utf8");
+  const separatorIndex = decoded.indexOf(":");
+  if (separatorIndex === -1) {
+    return null;
+  }
+  return {
+    clientId: decoded.slice(0, separatorIndex),
+    clientSecret: decoded.slice(separatorIndex + 1)
+  };
+}
+
+// src/storage/memory.ts
+function memoryStorage() {
+  const clients = /* @__PURE__ */ new Map();
+  const signingKeys = /* @__PURE__ */ new Map();
+  return {
+    async findClient(clientId) {
+      return clients.get(clientId) ?? null;
+    },
+    async createClient(client) {
+      clients.set(client.clientId, cloneClient(client));
+    },
+    async deleteClient(clientId) {
+      clients.delete(clientId);
+    },
+    async listClients() {
+      return [...clients.values()].map(cloneClient);
+    },
+    async touchClient(clientId, lastSeenAt) {
+      const client = clients.get(clientId);
+      if (!client) {
+        return;
+      }
+      clients.set(clientId, {
+        ...client,
+        lastSeenAt
+      });
+    },
+    async getSigningKeys() {
+      return [...signingKeys.values()].map(cloneSigningKey);
+    },
+    async addSigningKey(key) {
+      signingKeys.set(key.keyId, cloneSigningKey(key));
+    },
+    async retireKey(keyId) {
+      const key = signingKeys.get(keyId);
+      if (!key) {
+        return;
+      }
+      signingKeys.set(keyId, {
+        ...key,
+        retiredAt: /* @__PURE__ */ new Date()
+      });
+    }
+  };
+}
+function cloneClient(client) {
+  return {
+    ...client,
+    scopes: [...client.scopes],
+    createdAt: new Date(client.createdAt),
+    lastSeenAt: client.lastSeenAt ? new Date(client.lastSeenAt) : null
+  };
+}
+function cloneSigningKey(key) {
+  return {
+    ...key,
+    createdAt: new Date(key.createdAt),
+    retiredAt: key.retiredAt ? new Date(key.retiredAt) : null
+  };
+}
+export {
+  createGuard,
+  createProvider,
+  memoryStorage
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/core/token.ts","../src/core/cache.ts","../src/core/scopes.ts","../src/guard/index.ts","../src/provider/index.ts","../src/core/crypto.ts","../src/core/keys.ts","../src/storage/memory.ts"],"sourcesContent":["import { errors, type JWTPayload, jwtVerify } from \"jose\";\n\nimport { defaultJwksCache, type JwksCache } from \"./cache\";\nimport { AuthError } from \"./errors\";\nimport { hasRequiredScopes, parseScopes } from \"./scopes\";\n\nconst DEFAULT_CLOCK_TOLERANCE_SECONDS = 5;\n\nexport interface GuardOptions {\n  issuer: string;\n  jwksUrl?: string;\n  audience?: string | string[];\n  scopes?: string[];\n  env?: string;\n  clockTolerance?: number;\n  jwksCache?: JwksCache;\n}\n\nexport interface ServiceIdentity {\n  clientId: string;\n  name: string | null;\n  scopes: string[];\n  env: string | null;\n  raw: JWTPayload & Record<string, unknown>;\n}\n\nexport function deriveJwksUrl(issuer: string): string {\n  const normalized = issuer.endsWith(\"/\") ? issuer.slice(0, -1) : issuer;\n  return `${normalized}/.well-known/jwks.json`;\n}\n\nexport async function verifyToken(\n  token: string,\n  options: GuardOptions,\n): Promise<ServiceIdentity> {\n  if (!token) {\n    throw new AuthError(\"missing_token\", \"Missing bearer token\", 401);\n  }\n\n  const jwksUrl = options.jwksUrl ?? deriveJwksUrl(options.issuer);\n  const jwksCache = options.jwksCache ?? defaultJwksCache;\n\n  try {\n    return await verifyWithCache(token, options, jwksUrl, jwksCache);\n  } catch (error) {\n    if (!shouldRetryWithFreshJwks(error)) {\n      throw normalizeVerifyError(error);\n    }\n\n    try {\n      return await verifyWithCache(token, options, jwksUrl, jwksCache, true);\n    } catch (retryError) {\n      throw normalizeVerifyError(retryError);\n    }\n  }\n}\n\nasync function verifyWithCache(\n  token: string,\n  options: GuardOptions,\n  jwksUrl: string,\n  jwksCache: JwksCache,\n  forceRefresh = false,\n): Promise<ServiceIdentity> {\n  const jwkSet = await jwksCache.get(jwksUrl, forceRefresh);\n  const { payload } = await jwtVerify(token, jwkSet, {\n    issuer: options.issuer,\n    audience: options.audience,\n    algorithms: [\"RS256\", \"ES256\"],\n    clockTolerance: options.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SECONDS,\n  });\n\n  if (typeof payload.sub !== \"string\" || payload.sub.length === 0) {\n    throw new AuthError(\"invalid_token\", \"Token subject is missing\", 401);\n  }\n\n  if (options.env && payload.env !== options.env) {\n    throw new AuthError(\"invalid_env\", \"Token environment does not match\", 403);\n  }\n\n  if (\n    options.scopes?.length &&\n    !hasRequiredScopes(getScopeClaim(payload), options.scopes)\n  ) {\n    throw new AuthError(\n      \"invalid_scope\",\n      \"Token is missing required scopes\",\n      403,\n    );\n  }\n\n  return {\n    clientId: payload.sub,\n    name: typeof payload.name === \"string\" ? payload.name : null,\n    scopes: parseScopes(getScopeClaim(payload)),\n    env: typeof payload.env === \"string\" ? payload.env : null,\n    raw: payload as JWTPayload & Record<string, unknown>,\n  };\n}\n\nfunction shouldRetryWithFreshJwks(error: unknown): boolean {\n  return (\n    error instanceof errors.JWKSNoMatchingKey ||\n    error instanceof errors.JWSSignatureVerificationFailed\n  );\n}\n\nfunction normalizeVerifyError(error: unknown): AuthError {\n  if (error instanceof AuthError) {\n    return error;\n  }\n\n  if (error instanceof errors.JWTClaimValidationFailed) {\n    if (error.claim === \"iss\") {\n      return new AuthError(\n        \"invalid_issuer\",\n        \"Token issuer does not match\",\n        401,\n        error,\n      );\n    }\n\n    if (error.claim === \"aud\") {\n      return new AuthError(\n        \"invalid_audience\",\n        \"Token audience does not match\",\n        403,\n        error,\n      );\n    }\n  }\n\n  if (\n    error instanceof errors.JOSEError ||\n    error instanceof errors.JWTInvalid ||\n    error instanceof errors.JWTExpired\n  ) {\n    return new AuthError(\n      \"invalid_token\",\n      \"Token verification failed\",\n      401,\n      error,\n    );\n  }\n\n  return new AuthError(\n    \"invalid_token\",\n    \"Token verification failed\",\n    401,\n    error,\n  );\n}\n\nfunction getScopeClaim(payload: JWTPayload): string | undefined {\n  return typeof payload.scope === \"string\" ? payload.scope : undefined;\n}\n","import {\n  createLocalJWKSet,\n  type JSONWebKeySet,\n  type JWTVerifyGetKey,\n} from \"jose\";\n\nimport { AuthError } from \"./errors\";\n\ninterface CacheEntry {\n  expiresAt: number;\n  jwks: JSONWebKeySet;\n  jwkSet: JWTVerifyGetKey;\n}\n\ninterface FetchState {\n  promise: Promise<CacheEntry>;\n}\n\nexport interface JwksCacheOptions {\n  ttlMs?: number;\n}\n\nexport class JwksCache {\n  private readonly ttlMs: number;\n  private readonly entries = new Map<string, CacheEntry>();\n  private readonly inflight = new Map<string, FetchState>();\n\n  constructor(options: JwksCacheOptions = {}) {\n    this.ttlMs = options.ttlMs ?? 10 * 60 * 1000;\n  }\n\n  async get(url: string, forceRefresh = false): Promise<JWTVerifyGetKey> {\n    const now = Date.now();\n    const cached = this.entries.get(url);\n\n    if (!forceRefresh && cached && cached.expiresAt > now) {\n      return cached.jwkSet;\n    }\n\n    const inflight = this.inflight.get(url);\n    if (inflight) {\n      const entry = await inflight.promise;\n      return entry.jwkSet;\n    }\n\n    const promise = this.fetchAndCache(url);\n    this.inflight.set(url, { promise });\n\n    try {\n      const entry = await promise;\n      return entry.jwkSet;\n    } finally {\n      this.inflight.delete(url);\n    }\n  }\n\n  clear(url?: string): void {\n    if (url) {\n      this.entries.delete(url);\n      this.inflight.delete(url);\n      return;\n    }\n\n    this.entries.clear();\n    this.inflight.clear();\n  }\n\n  private async fetchAndCache(url: string): Promise<CacheEntry> {\n    let response: Response;\n\n    try {\n      response = await fetch(url);\n    } catch (error) {\n      throw new AuthError(\n        \"jwks_fetch_failed\",\n        `Failed to fetch JWKS from ${url}`,\n        401,\n        error,\n      );\n    }\n\n    if (!response.ok) {\n      throw new AuthError(\n        \"jwks_fetch_failed\",\n        `Failed to fetch JWKS from ${url}`,\n        401,\n      );\n    }\n\n    const json = (await response.json()) as JSONWebKeySet;\n    if (!json || !Array.isArray(json.keys)) {\n      throw new AuthError(\n        \"jwks_fetch_failed\",\n        `Invalid JWKS payload from ${url}`,\n        401,\n      );\n    }\n\n    const entry: CacheEntry = {\n      jwks: json,\n      jwkSet: createLocalJWKSet(json),\n      expiresAt: Date.now() + this.ttlMs,\n    };\n\n    this.entries.set(url, entry);\n\n    return entry;\n  }\n}\n\nexport const defaultJwksCache = new JwksCache();\n","export function parseScopes(scope: string | undefined): string[] {\n  if (!scope) {\n    return [];\n  }\n\n  return [\n    ...new Set(\n      scope\n        .split(/\\s+/)\n        .map((value) => value.trim())\n        .filter(Boolean),\n    ),\n  ];\n}\n\nexport function hasRequiredScopes(\n  tokenScope: string | undefined,\n  requiredScopes: string[],\n): boolean {\n  const tokenScopes = new Set(parseScopes(tokenScope));\n\n  return requiredScopes.every((scope) => tokenScopes.has(scope));\n}\n","import type { GuardOptions, ServiceIdentity } from \"../core/token\";\nimport { verifyToken } from \"../core/token\";\n\nexport type { GuardOptions, ServiceIdentity } from \"../core/token\";\n\nexport interface Guard {\n  verify(token: string): Promise<ServiceIdentity>;\n}\n\nexport function createGuard(options: GuardOptions): Guard {\n  return {\n    verify(token: string) {\n      return verifyToken(token, options);\n    },\n  };\n}\n","import { createPrivateKey } from \"node:crypto\";\n\nimport { type JSONWebKeySet, SignJWT } from \"jose\";\nimport { v7 } from \"uuid\";\n\nimport { generateSecret, hashSecret, verifySecret } from \"../core/crypto\";\nimport {\n  createSigningKey,\n  exportSigningKeyToJwk,\n  getActiveSigningKeys,\n  type SigningAlgorithm,\n} from \"../core/keys\";\nimport { parseScopes } from \"../core/scopes\";\nimport type {\n  ServiceClient,\n  SigningKey,\n  StorageAdapter,\n} from \"../storage/interface\";\n\nexport interface ProviderOptions {\n  issuer: string;\n  storage: StorageAdapter;\n  signing?: {\n    algorithm?: SigningAlgorithm;\n    privateKey?: string;\n    keyId?: string;\n  };\n  token?: {\n    ttl?: number;\n  };\n  env?: string;\n}\n\nexport interface CreateProviderClientInput {\n  name: string;\n  scopes?: string[];\n}\n\nexport interface CreatedProviderClient {\n  clientId: string;\n  clientSecret: string;\n}\n\nexport interface Provider {\n  handle(request: Request): Promise<Response>;\n  clients: {\n    create(input: CreateProviderClientInput): Promise<CreatedProviderClient>;\n    list(): Promise<ServiceClient[]>;\n    revoke(clientId: string): Promise<void>;\n  };\n}\n\nconst DEFAULT_TOKEN_TTL_SECONDS = 300;\n\nexport function createProvider(options: ProviderOptions): Provider {\n  const provider = new TrustlineProvider(options);\n\n  return {\n    handle(request) {\n      return provider.handle(request);\n    },\n    clients: {\n      create(input) {\n        return provider.createClient(input);\n      },\n      list() {\n        return provider.listClients();\n      },\n      revoke(clientId) {\n        return provider.revokeClient(clientId);\n      },\n    },\n  };\n}\n\nclass TrustlineProvider {\n  constructor(private readonly options: ProviderOptions) {}\n\n  async handle(request: Request): Promise<Response> {\n    const url = new URL(request.url);\n\n    if (\n      request.method === \"GET\" &&\n      url.pathname.endsWith(\"/.well-known/jwks.json\")\n    ) {\n      return this.handleJwks();\n    }\n\n    if (request.method === \"POST\" && url.pathname.endsWith(\"/token\")) {\n      return this.handleToken(request);\n    }\n\n    return jsonResponse({ error: \"not_found\", message: \"Not found\" }, 404);\n  }\n\n  async createClient(\n    input: CreateProviderClientInput,\n  ): Promise<CreatedProviderClient> {\n    const clientSecret = generateSecret();\n    const client: ServiceClient = {\n      id: v7(),\n      clientId: `svc_${v7().replaceAll(\"-\", \"\")}`,\n      clientSecret: await hashSecret(clientSecret),\n      name: input.name,\n      scopes: parseScopes(input.scopes?.join(\" \")),\n      createdAt: new Date(),\n      lastSeenAt: null,\n    };\n\n    await this.options.storage.createClient(client);\n\n    return {\n      clientId: client.clientId,\n      clientSecret,\n    };\n  }\n\n  listClients(): Promise<ServiceClient[]> {\n    return this.options.storage.listClients();\n  }\n\n  revokeClient(clientId: string): Promise<void> {\n    return this.options.storage.deleteClient(clientId);\n  }\n\n  private async handleJwks(): Promise<Response> {\n    const jwks = await this.getJwks();\n    return jsonResponse(jwks);\n  }\n\n  private async handleToken(request: Request): Promise<Response> {\n    const contentType = request.headers.get(\"content-type\") ?? \"\";\n    if (!contentType.includes(\"application/x-www-form-urlencoded\")) {\n      return jsonResponse(\n        {\n          error: \"invalid_request\",\n          error_description: \"Expected application/x-www-form-urlencoded body\",\n        },\n        400,\n      );\n    }\n\n    const body = new URLSearchParams(await request.text());\n    const grantType = body.get(\"grant_type\");\n\n    if (grantType !== \"client_credentials\") {\n      return jsonResponse(\n        {\n          error: \"unsupported_grant_type\",\n          error_description: \"Only client_credentials is supported\",\n        },\n        400,\n      );\n    }\n\n    const credentials = getBasicCredentials(\n      request.headers.get(\"authorization\"),\n    ) ?? {\n      clientId: body.get(\"client_id\"),\n      clientSecret: body.get(\"client_secret\"),\n    };\n\n    if (!credentials.clientId || !credentials.clientSecret) {\n      return jsonResponse(\n        {\n          error: \"invalid_client\",\n          error_description: \"Missing client credentials\",\n        },\n        401,\n      );\n    }\n\n    const client = await this.options.storage.findClient(credentials.clientId);\n    if (\n      !client ||\n      !(await verifySecret(credentials.clientSecret, client.clientSecret))\n    ) {\n      return jsonResponse(\n        {\n          error: \"invalid_client\",\n          error_description: \"Client authentication failed\",\n        },\n        401,\n      );\n    }\n\n    const token = await this.issueAccessToken({\n      audience: body.get(\"audience\") ?? undefined,\n      client,\n    });\n\n    await this.options.storage.touchClient(client.clientId, new Date());\n\n    return jsonResponse({\n      access_token: token,\n      token_type: \"Bearer\",\n      expires_in: this.options.token?.ttl ?? DEFAULT_TOKEN_TTL_SECONDS,\n      scope: client.scopes.join(\" \"),\n    });\n  }\n\n  private async issueAccessToken(input: {\n    audience?: string;\n    client: ServiceClient;\n  }): Promise<string> {\n    const signingKey = await this.ensureActiveSigningKey();\n    const privateKey = createPrivateKey(signingKey.privateKey);\n    const ttl = this.options.token?.ttl ?? DEFAULT_TOKEN_TTL_SECONDS;\n\n    const jwt = new SignJWT({\n      name: input.client.name,\n      scope: input.client.scopes.join(\" \"),\n      ...(this.options.env ? { env: this.options.env } : {}),\n    })\n      .setProtectedHeader({\n        alg: signingKey.algorithm,\n        kid: signingKey.keyId,\n      })\n      .setIssuer(this.options.issuer)\n      .setSubject(input.client.clientId)\n      .setJti(v7())\n      .setIssuedAt()\n      .setExpirationTime(`${ttl}s`);\n\n    if (input.audience) {\n      jwt.setAudience(input.audience);\n    }\n\n    return jwt.sign(privateKey);\n  }\n\n  private async getJwks(): Promise<JSONWebKeySet> {\n    const keys = getActiveSigningKeys(\n      await this.options.storage.getSigningKeys(),\n    );\n    if (keys.length === 0) {\n      await this.ensureActiveSigningKey();\n      return this.getJwks();\n    }\n\n    return {\n      keys: await Promise.all(keys.map((key) => exportSigningKeyToJwk(key))),\n    };\n  }\n\n  private async ensureActiveSigningKey(): Promise<SigningKey> {\n    const existing = getActiveSigningKeys(\n      await this.options.storage.getSigningKeys(),\n    );\n    const current = existing[0];\n    if (current) {\n      return current;\n    }\n\n    const key = await createSigningKey(this.options.signing);\n    await this.options.storage.addSigningKey(key);\n    return key;\n  }\n}\n\nfunction jsonResponse(body: unknown, status = 200): Response {\n  return new Response(JSON.stringify(body), {\n    status,\n    headers: {\n      \"content-type\": \"application/json\",\n    },\n  });\n}\n\nfunction getBasicCredentials(header: string | null): {\n  clientId: string | null;\n  clientSecret: string | null;\n} | null {\n  if (!header) {\n    return null;\n  }\n\n  const [scheme, value] = header.split(/\\s+/, 2);\n  if (scheme?.toLowerCase() !== \"basic\" || !value) {\n    return null;\n  }\n\n  const decoded = Buffer.from(value, \"base64\").toString(\"utf8\");\n  const separatorIndex = decoded.indexOf(\":\");\n\n  if (separatorIndex === -1) {\n    return null;\n  }\n\n  return {\n    clientId: decoded.slice(0, separatorIndex),\n    clientSecret: decoded.slice(separatorIndex + 1),\n  };\n}\n","import { randomBytes } from \"node:crypto\";\n\nimport { compare, hash } from \"bcryptjs\";\n\nexport async function hashSecret(secret: string): Promise<string> {\n  return hash(secret, 10);\n}\n\nexport async function verifySecret(\n  secret: string,\n  hashedSecret: string,\n): Promise<boolean> {\n  return compare(secret, hashedSecret);\n}\n\nexport function generateSecret(length = 32): string {\n  return randomBytes(length).toString(\"base64url\");\n}\n","import { createPrivateKey, createPublicKey, randomUUID } from \"node:crypto\";\n\nimport {\n  exportJWK,\n  exportPKCS8,\n  exportSPKI,\n  generateKeyPair,\n  type JWK,\n} from \"jose\";\n\nimport type { SigningKey } from \"../storage/interface\";\n\nexport type SigningAlgorithm = \"ES256\" | \"RS256\";\n\nexport interface CreateSigningKeyOptions {\n  algorithm?: SigningAlgorithm;\n  keyId?: string;\n  privateKey?: string;\n}\n\nexport async function createSigningKey(\n  options: CreateSigningKeyOptions = {},\n): Promise<SigningKey> {\n  const algorithm = options.algorithm ?? \"ES256\";\n  const keyId = options.keyId ?? `key_${randomUUID()}`;\n\n  if (options.privateKey) {\n    const privateKey = createPrivateKey(options.privateKey);\n    const publicKey = createPublicKey(privateKey);\n\n    return {\n      keyId,\n      algorithm,\n      privateKey: privateKey.export({\n        type: \"pkcs8\",\n        format: \"pem\",\n      }) as string,\n      publicKey: publicKey.export({\n        type: \"spki\",\n        format: \"pem\",\n      }) as string,\n      createdAt: new Date(),\n      retiredAt: null,\n    };\n  }\n\n  const { privateKey, publicKey } = await generateKeyPair(algorithm, {\n    extractable: true,\n  });\n\n  return {\n    keyId,\n    algorithm,\n    privateKey: await exportPKCS8(privateKey),\n    publicKey: await exportSPKI(publicKey),\n    createdAt: new Date(),\n    retiredAt: null,\n  };\n}\n\nexport async function exportSigningKeyToJwk(\n  signingKey: SigningKey,\n): Promise<JWK> {\n  const publicKey = createPublicKey(signingKey.publicKey);\n  const jwk = await exportJWK(publicKey);\n\n  return {\n    ...jwk,\n    use: \"sig\",\n    kid: signingKey.keyId,\n    alg: signingKey.algorithm,\n  };\n}\n\nexport function getActiveSigningKeys(keys: SigningKey[]): SigningKey[] {\n  return keys.filter((key) => key.retiredAt === null);\n}\n","import type { ServiceClient, SigningKey, StorageAdapter } from \"./interface\";\n\nexport function memoryStorage(): StorageAdapter {\n  const clients = new Map<string, ServiceClient>();\n  const signingKeys = new Map<string, SigningKey>();\n\n  return {\n    async findClient(clientId) {\n      return clients.get(clientId) ?? null;\n    },\n    async createClient(client) {\n      clients.set(client.clientId, cloneClient(client));\n    },\n    async deleteClient(clientId) {\n      clients.delete(clientId);\n    },\n    async listClients() {\n      return [...clients.values()].map(cloneClient);\n    },\n    async touchClient(clientId, lastSeenAt) {\n      const client = clients.get(clientId);\n      if (!client) {\n        return;\n      }\n\n      clients.set(clientId, {\n        ...client,\n        lastSeenAt,\n      });\n    },\n    async getSigningKeys() {\n      return [...signingKeys.values()].map(cloneSigningKey);\n    },\n    async addSigningKey(key) {\n      signingKeys.set(key.keyId, cloneSigningKey(key));\n    },\n    async retireKey(keyId) {\n      const key = signingKeys.get(keyId);\n      if (!key) {\n        return;\n      }\n\n      signingKeys.set(keyId, {\n        ...key,\n        retiredAt: new Date(),\n      });\n    },\n  };\n}\n\nfunction cloneClient(client: ServiceClient): ServiceClient {\n  return {\n    ...client,\n    scopes: [...client.scopes],\n    createdAt: new Date(client.createdAt),\n    lastSeenAt: client.lastSeenAt ? new Date(client.lastSeenAt) : null,\n  };\n}\n\nfunction cloneSigningKey(key: SigningKey): SigningKey {\n  return {\n    ...key,\n    createdAt: new Date(key.createdAt),\n    retiredAt: key.retiredAt ? new Date(key.retiredAt) : null,\n  };\n}\n"],"mappings":";;;;;AAAA,SAAS,QAAyB,iBAAiB;;;ACAnD;AAAA,EACE;AAAA,OAGK;AAkBA,IAAM,YAAN,MAAgB;AAAA,EACJ;AAAA,EACA,UAAU,oBAAI,IAAwB;AAAA,EACtC,WAAW,oBAAI,IAAwB;AAAA,EAExD,YAAY,UAA4B,CAAC,GAAG;AAC1C,SAAK,QAAQ,QAAQ,SAAS,KAAK,KAAK;AAAA,EAC1C;AAAA,EAEA,MAAM,IAAI,KAAa,eAAe,OAAiC;AACrE,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,SAAS,KAAK,QAAQ,IAAI,GAAG;AAEnC,QAAI,CAAC,gBAAgB,UAAU,OAAO,YAAY,KAAK;AACrD,aAAO,OAAO;AAAA,IAChB;AAEA,UAAM,WAAW,KAAK,SAAS,IAAI,GAAG;AACtC,QAAI,UAAU;AACZ,YAAM,QAAQ,MAAM,SAAS;AAC7B,aAAO,MAAM;AAAA,IACf;AAEA,UAAM,UAAU,KAAK,cAAc,GAAG;AACtC,SAAK,SAAS,IAAI,KAAK,EAAE,QAAQ,CAAC;AAElC,QAAI;AACF,YAAM,QAAQ,MAAM;AACpB,aAAO,MAAM;AAAA,IACf,UAAE;AACA,WAAK,SAAS,OAAO,GAAG;AAAA,IAC1B;AAAA,EACF;AAAA,EAEA,MAAM,KAAoB;AACxB,QAAI,KAAK;AACP,WAAK,QAAQ,OAAO,GAAG;AACvB,WAAK,SAAS,OAAO,GAAG;AACxB;AAAA,IACF;AAEA,SAAK,QAAQ,MAAM;AACnB,SAAK,SAAS,MAAM;AAAA,EACtB;AAAA,EAEA,MAAc,cAAc,KAAkC;AAC5D,QAAI;AAEJ,QAAI;AACF,iBAAW,MAAM,MAAM,GAAG;AAAA,IAC5B,SAAS,OAAO;AACd,YAAM,IAAI;AAAA,QACR;AAAA,QACA,6BAA6B,GAAG;AAAA,QAChC;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI;AAAA,QACR;AAAA,QACA,6BAA6B,GAAG;AAAA,QAChC;AAAA,MACF;AAAA,IACF;AAEA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,QAAI,CAAC,QAAQ,CAAC,MAAM,QAAQ,KAAK,IAAI,GAAG;AACtC,YAAM,IAAI;AAAA,QACR;AAAA,QACA,6BAA6B,GAAG;AAAA,QAChC;AAAA,MACF;AAAA,IACF;AAEA,UAAM,QAAoB;AAAA,MACxB,MAAM;AAAA,MACN,QAAQ,kBAAkB,IAAI;AAAA,MAC9B,WAAW,KAAK,IAAI,IAAI,KAAK;AAAA,IAC/B;AAEA,SAAK,QAAQ,IAAI,KAAK,KAAK;AAE3B,WAAO;AAAA,EACT;AACF;AAEO,IAAM,mBAAmB,IAAI,UAAU;;;AC9GvC,SAAS,YAAY,OAAqC;AAC/D,MAAI,CAAC,OAAO;AACV,WAAO,CAAC;AAAA,EACV;AAEA,SAAO;AAAA,IACL,GAAG,IAAI;AAAA,MACL,MACG,MAAM,KAAK,EACX,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC,EAC3B,OAAO,OAAO;AAAA,IACnB;AAAA,EACF;AACF;AAEO,SAAS,kBACd,YACA,gBACS;AACT,QAAM,cAAc,IAAI,IAAI,YAAY,UAAU,CAAC;AAEnD,SAAO,eAAe,MAAM,CAAC,UAAU,YAAY,IAAI,KAAK,CAAC;AAC/D;;;AFhBA,IAAM,kCAAkC;AAoBjC,SAAS,cAAc,QAAwB;AACpD,QAAM,aAAa,OAAO,SAAS,GAAG,IAAI,OAAO,MAAM,GAAG,EAAE,IAAI;AAChE,SAAO,GAAG,UAAU;AACtB;AAEA,eAAsB,YACpB,OACA,SAC0B;AAC1B,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,UAAU,iBAAiB,wBAAwB,GAAG;AAAA,EAClE;AAEA,QAAM,UAAU,QAAQ,WAAW,cAAc,QAAQ,MAAM;AAC/D,QAAM,YAAY,QAAQ,aAAa;AAEvC,MAAI;AACF,WAAO,MAAM,gBAAgB,OAAO,SAAS,SAAS,SAAS;AAAA,EACjE,SAAS,OAAO;AACd,QAAI,CAAC,yBAAyB,KAAK,GAAG;AACpC,YAAM,qBAAqB,KAAK;AAAA,IAClC;AAEA,QAAI;AACF,aAAO,MAAM,gBAAgB,OAAO,SAAS,SAAS,WAAW,IAAI;AAAA,IACvE,SAAS,YAAY;AACnB,YAAM,qBAAqB,UAAU;AAAA,IACvC;AAAA,EACF;AACF;AAEA,eAAe,gBACb,OACA,SACA,SACA,WACA,eAAe,OACW;AAC1B,QAAM,SAAS,MAAM,UAAU,IAAI,SAAS,YAAY;AACxD,QAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,QAAQ;AAAA,IACjD,QAAQ,QAAQ;AAAA,IAChB,UAAU,QAAQ;AAAA,IAClB,YAAY,CAAC,SAAS,OAAO;AAAA,IAC7B,gBAAgB,QAAQ,kBAAkB;AAAA,EAC5C,CAAC;AAED,MAAI,OAAO,QAAQ,QAAQ,YAAY,QAAQ,IAAI,WAAW,GAAG;AAC/D,UAAM,IAAI,UAAU,iBAAiB,4BAA4B,GAAG;AAAA,EACtE;AAEA,MAAI,QAAQ,OAAO,QAAQ,QAAQ,QAAQ,KAAK;AAC9C,UAAM,IAAI,UAAU,eAAe,oCAAoC,GAAG;AAAA,EAC5E;AAEA,MACE,QAAQ,QAAQ,UAChB,CAAC,kBAAkB,cAAc,OAAO,GAAG,QAAQ,MAAM,GACzD;AACA,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,UAAU,QAAQ;AAAA,IAClB,MAAM,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;AAAA,IACxD,QAAQ,YAAY,cAAc,OAAO,CAAC;AAAA,IAC1C,KAAK,OAAO,QAAQ,QAAQ,WAAW,QAAQ,MAAM;AAAA,IACrD,KAAK;AAAA,EACP;AACF;AAEA,SAAS,yBAAyB,OAAyB;AACzD,SACE,iBAAiB,OAAO,qBACxB,iBAAiB,OAAO;AAE5B;AAEA,SAAS,qBAAqB,OAA2B;AACvD,MAAI,iBAAiB,WAAW;AAC9B,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,OAAO,0BAA0B;AACpD,QAAI,MAAM,UAAU,OAAO;AACzB,aAAO,IAAI;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,QAAI,MAAM,UAAU,OAAO;AACzB,aAAO,IAAI;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,MACE,iBAAiB,OAAO,aACxB,iBAAiB,OAAO,cACxB,iBAAiB,OAAO,YACxB;AACA,WAAO,IAAI;AAAA,MACT;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SAAO,IAAI;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,cAAc,SAAyC;AAC9D,SAAO,OAAO,QAAQ,UAAU,WAAW,QAAQ,QAAQ;AAC7D;;;AGlJO,SAAS,YAAY,SAA8B;AACxD,SAAO;AAAA,IACL,OAAO,OAAe;AACpB,aAAO,YAAY,OAAO,OAAO;AAAA,IACnC;AAAA,EACF;AACF;;;ACfA,SAAS,oBAAAA,yBAAwB;AAEjC,SAA6B,eAAe;AAC5C,SAAS,UAAU;;;ACHnB,SAAS,mBAAmB;AAE5B,SAAS,SAAS,YAAY;AAE9B,eAAsB,WAAW,QAAiC;AAChE,SAAO,KAAK,QAAQ,EAAE;AACxB;AAEA,eAAsB,aACpB,QACA,cACkB;AAClB,SAAO,QAAQ,QAAQ,YAAY;AACrC;AAEO,SAAS,eAAe,SAAS,IAAY;AAClD,SAAO,YAAY,MAAM,EAAE,SAAS,WAAW;AACjD;;;ACjBA,SAAS,kBAAkB,iBAAiB,kBAAkB;AAE9D;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AAYP,eAAsB,iBACpB,UAAmC,CAAC,GACf;AACrB,QAAM,YAAY,QAAQ,aAAa;AACvC,QAAM,QAAQ,QAAQ,SAAS,OAAO,WAAW,CAAC;AAElD,MAAI,QAAQ,YAAY;AACtB,UAAMC,cAAa,iBAAiB,QAAQ,UAAU;AACtD,UAAMC,aAAY,gBAAgBD,WAAU;AAE5C,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA,YAAYA,YAAW,OAAO;AAAA,QAC5B,MAAM;AAAA,QACN,QAAQ;AAAA,MACV,CAAC;AAAA,MACD,WAAWC,WAAU,OAAO;AAAA,QAC1B,MAAM;AAAA,QACN,QAAQ;AAAA,MACV,CAAC;AAAA,MACD,WAAW,oBAAI,KAAK;AAAA,MACpB,WAAW;AAAA,IACb;AAAA,EACF;AAEA,QAAM,EAAE,YAAY,UAAU,IAAI,MAAM,gBAAgB,WAAW;AAAA,IACjE,aAAa;AAAA,EACf,CAAC;AAED,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,YAAY,MAAM,YAAY,UAAU;AAAA,IACxC,WAAW,MAAM,WAAW,SAAS;AAAA,IACrC,WAAW,oBAAI,KAAK;AAAA,IACpB,WAAW;AAAA,EACb;AACF;AAEA,eAAsB,sBACpB,YACc;AACd,QAAM,YAAY,gBAAgB,WAAW,SAAS;AACtD,QAAM,MAAM,MAAM,UAAU,SAAS;AAErC,SAAO;AAAA,IACL,GAAG;AAAA,IACH,KAAK;AAAA,IACL,KAAK,WAAW;AAAA,IAChB,KAAK,WAAW;AAAA,EAClB;AACF;AAEO,SAAS,qBAAqB,MAAkC;AACrE,SAAO,KAAK,OAAO,CAAC,QAAQ,IAAI,cAAc,IAAI;AACpD;;;AFxBA,IAAM,4BAA4B;AAE3B,SAAS,eAAe,SAAoC;AACjE,QAAM,WAAW,IAAI,kBAAkB,OAAO;AAE9C,SAAO;AAAA,IACL,OAAO,SAAS;AACd,aAAO,SAAS,OAAO,OAAO;AAAA,IAChC;AAAA,IACA,SAAS;AAAA,MACP,OAAO,OAAO;AACZ,eAAO,SAAS,aAAa,KAAK;AAAA,MACpC;AAAA,MACA,OAAO;AACL,eAAO,SAAS,YAAY;AAAA,MAC9B;AAAA,MACA,OAAO,UAAU;AACf,eAAO,SAAS,aAAa,QAAQ;AAAA,MACvC;AAAA,IACF;AAAA,EACF;AACF;AAEA,IAAM,oBAAN,MAAwB;AAAA,EACtB,YAA6B,SAA0B;AAA1B;AAAA,EAA2B;AAAA,EAExD,MAAM,OAAO,SAAqC;AAChD,UAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAE/B,QACE,QAAQ,WAAW,SACnB,IAAI,SAAS,SAAS,wBAAwB,GAC9C;AACA,aAAO,KAAK,WAAW;AAAA,IACzB;AAEA,QAAI,QAAQ,WAAW,UAAU,IAAI,SAAS,SAAS,QAAQ,GAAG;AAChE,aAAO,KAAK,YAAY,OAAO;AAAA,IACjC;AAEA,WAAO,aAAa,EAAE,OAAO,aAAa,SAAS,YAAY,GAAG,GAAG;AAAA,EACvE;AAAA,EAEA,MAAM,aACJ,OACgC;AAChC,UAAM,eAAe,eAAe;AACpC,UAAM,SAAwB;AAAA,MAC5B,IAAI,GAAG;AAAA,MACP,UAAU,OAAO,GAAG,EAAE,WAAW,KAAK,EAAE,CAAC;AAAA,MACzC,cAAc,MAAM,WAAW,YAAY;AAAA,MAC3C,MAAM,MAAM;AAAA,MACZ,QAAQ,YAAY,MAAM,QAAQ,KAAK,GAAG,CAAC;AAAA,MAC3C,WAAW,oBAAI,KAAK;AAAA,MACpB,YAAY;AAAA,IACd;AAEA,UAAM,KAAK,QAAQ,QAAQ,aAAa,MAAM;AAE9C,WAAO;AAAA,MACL,UAAU,OAAO;AAAA,MACjB;AAAA,IACF;AAAA,EACF;AAAA,EAEA,cAAwC;AACtC,WAAO,KAAK,QAAQ,QAAQ,YAAY;AAAA,EAC1C;AAAA,EAEA,aAAa,UAAiC;AAC5C,WAAO,KAAK,QAAQ,QAAQ,aAAa,QAAQ;AAAA,EACnD;AAAA,EAEA,MAAc,aAAgC;AAC5C,UAAM,OAAO,MAAM,KAAK,QAAQ;AAChC,WAAO,aAAa,IAAI;AAAA,EAC1B;AAAA,EAEA,MAAc,YAAY,SAAqC;AAC7D,UAAM,cAAc,QAAQ,QAAQ,IAAI,cAAc,KAAK;AAC3D,QAAI,CAAC,YAAY,SAAS,mCAAmC,GAAG;AAC9D,aAAO;AAAA,QACL;AAAA,UACE,OAAO;AAAA,UACP,mBAAmB;AAAA,QACrB;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,OAAO,IAAI,gBAAgB,MAAM,QAAQ,KAAK,CAAC;AACrD,UAAM,YAAY,KAAK,IAAI,YAAY;AAEvC,QAAI,cAAc,sBAAsB;AACtC,aAAO;AAAA,QACL;AAAA,UACE,OAAO;AAAA,UACP,mBAAmB;AAAA,QACrB;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,cAAc;AAAA,MAClB,QAAQ,QAAQ,IAAI,eAAe;AAAA,IACrC,KAAK;AAAA,MACH,UAAU,KAAK,IAAI,WAAW;AAAA,MAC9B,cAAc,KAAK,IAAI,eAAe;AAAA,IACxC;AAEA,QAAI,CAAC,YAAY,YAAY,CAAC,YAAY,cAAc;AACtD,aAAO;AAAA,QACL;AAAA,UACE,OAAO;AAAA,UACP,mBAAmB;AAAA,QACrB;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,SAAS,MAAM,KAAK,QAAQ,QAAQ,WAAW,YAAY,QAAQ;AACzE,QACE,CAAC,UACD,CAAE,MAAM,aAAa,YAAY,cAAc,OAAO,YAAY,GAClE;AACA,aAAO;AAAA,QACL;AAAA,UACE,OAAO;AAAA,UACP,mBAAmB;AAAA,QACrB;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,QAAQ,MAAM,KAAK,iBAAiB;AAAA,MACxC,UAAU,KAAK,IAAI,UAAU,KAAK;AAAA,MAClC;AAAA,IACF,CAAC;AAED,UAAM,KAAK,QAAQ,QAAQ,YAAY,OAAO,UAAU,oBAAI,KAAK,CAAC;AAElE,WAAO,aAAa;AAAA,MAClB,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,YAAY,KAAK,QAAQ,OAAO,OAAO;AAAA,MACvC,OAAO,OAAO,OAAO,KAAK,GAAG;AAAA,IAC/B,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,iBAAiB,OAGX;AAClB,UAAM,aAAa,MAAM,KAAK,uBAAuB;AACrD,UAAM,aAAaC,kBAAiB,WAAW,UAAU;AACzD,UAAM,MAAM,KAAK,QAAQ,OAAO,OAAO;AAEvC,UAAM,MAAM,IAAI,QAAQ;AAAA,MACtB,MAAM,MAAM,OAAO;AAAA,MACnB,OAAO,MAAM,OAAO,OAAO,KAAK,GAAG;AAAA,MACnC,GAAI,KAAK,QAAQ,MAAM,EAAE,KAAK,KAAK,QAAQ,IAAI,IAAI,CAAC;AAAA,IACtD,CAAC,EACE,mBAAmB;AAAA,MAClB,KAAK,WAAW;AAAA,MAChB,KAAK,WAAW;AAAA,IAClB,CAAC,EACA,UAAU,KAAK,QAAQ,MAAM,EAC7B,WAAW,MAAM,OAAO,QAAQ,EAChC,OAAO,GAAG,CAAC,EACX,YAAY,EACZ,kBAAkB,GAAG,GAAG,GAAG;AAE9B,QAAI,MAAM,UAAU;AAClB,UAAI,YAAY,MAAM,QAAQ;AAAA,IAChC;AAEA,WAAO,IAAI,KAAK,UAAU;AAAA,EAC5B;AAAA,EAEA,MAAc,UAAkC;AAC9C,UAAM,OAAO;AAAA,MACX,MAAM,KAAK,QAAQ,QAAQ,eAAe;AAAA,IAC5C;AACA,QAAI,KAAK,WAAW,GAAG;AACrB,YAAM,KAAK,uBAAuB;AAClC,aAAO,KAAK,QAAQ;AAAA,IACtB;AAEA,WAAO;AAAA,MACL,MAAM,MAAM,QAAQ,IAAI,KAAK,IAAI,CAAC,QAAQ,sBAAsB,GAAG,CAAC,CAAC;AAAA,IACvE;AAAA,EACF;AAAA,EAEA,MAAc,yBAA8C;AAC1D,UAAM,WAAW;AAAA,MACf,MAAM,KAAK,QAAQ,QAAQ,eAAe;AAAA,IAC5C;AACA,UAAM,UAAU,SAAS,CAAC;AAC1B,QAAI,SAAS;AACX,aAAO;AAAA,IACT;AAEA,UAAM,MAAM,MAAM,iBAAiB,KAAK,QAAQ,OAAO;AACvD,UAAM,KAAK,QAAQ,QAAQ,cAAc,GAAG;AAC5C,WAAO;AAAA,EACT;AACF;AAEA,SAAS,aAAa,MAAe,SAAS,KAAe;AAC3D,SAAO,IAAI,SAAS,KAAK,UAAU,IAAI,GAAG;AAAA,IACxC;AAAA,IACA,SAAS;AAAA,MACP,gBAAgB;AAAA,IAClB;AAAA,EACF,CAAC;AACH;AAEA,SAAS,oBAAoB,QAGpB;AACP,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,EACT;AAEA,QAAM,CAAC,QAAQ,KAAK,IAAI,OAAO,MAAM,OAAO,CAAC;AAC7C,MAAI,QAAQ,YAAY,MAAM,WAAW,CAAC,OAAO;AAC/C,WAAO;AAAA,EACT;AAEA,QAAM,UAAU,OAAO,KAAK,OAAO,QAAQ,EAAE,SAAS,MAAM;AAC5D,QAAM,iBAAiB,QAAQ,QAAQ,GAAG;AAE1C,MAAI,mBAAmB,IAAI;AACzB,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,UAAU,QAAQ,MAAM,GAAG,cAAc;AAAA,IACzC,cAAc,QAAQ,MAAM,iBAAiB,CAAC;AAAA,EAChD;AACF;;;AGnSO,SAAS,gBAAgC;AAC9C,QAAM,UAAU,oBAAI,IAA2B;AAC/C,QAAM,cAAc,oBAAI,IAAwB;AAEhD,SAAO;AAAA,IACL,MAAM,WAAW,UAAU;AACzB,aAAO,QAAQ,IAAI,QAAQ,KAAK;AAAA,IAClC;AAAA,IACA,MAAM,aAAa,QAAQ;AACzB,cAAQ,IAAI,OAAO,UAAU,YAAY,MAAM,CAAC;AAAA,IAClD;AAAA,IACA,MAAM,aAAa,UAAU;AAC3B,cAAQ,OAAO,QAAQ;AAAA,IACzB;AAAA,IACA,MAAM,cAAc;AAClB,aAAO,CAAC,GAAG,QAAQ,OAAO,CAAC,EAAE,IAAI,WAAW;AAAA,IAC9C;AAAA,IACA,MAAM,YAAY,UAAU,YAAY;AACtC,YAAM,SAAS,QAAQ,IAAI,QAAQ;AACnC,UAAI,CAAC,QAAQ;AACX;AAAA,MACF;AAEA,cAAQ,IAAI,UAAU;AAAA,QACpB,GAAG;AAAA,QACH;AAAA,MACF,CAAC;AAAA,IACH;AAAA,IACA,MAAM,iBAAiB;AACrB,aAAO,CAAC,GAAG,YAAY,OAAO,CAAC,EAAE,IAAI,eAAe;AAAA,IACtD;AAAA,IACA,MAAM,cAAc,KAAK;AACvB,kBAAY,IAAI,IAAI,OAAO,gBAAgB,GAAG,CAAC;AAAA,IACjD;AAAA,IACA,MAAM,UAAU,OAAO;AACrB,YAAM,MAAM,YAAY,IAAI,KAAK;AACjC,UAAI,CAAC,KAAK;AACR;AAAA,MACF;AAEA,kBAAY,IAAI,OAAO;AAAA,QACrB,GAAG;AAAA,QACH,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAEA,SAAS,YAAY,QAAsC;AACzD,SAAO;AAAA,IACL,GAAG;AAAA,IACH,QAAQ,CAAC,GAAG,OAAO,MAAM;AAAA,IACzB,WAAW,IAAI,KAAK,OAAO,SAAS;AAAA,IACpC,YAAY,OAAO,aAAa,IAAI,KAAK,OAAO,UAAU,IAAI;AAAA,EAChE;AACF;AAEA,SAAS,gBAAgB,KAA6B;AACpD,SAAO;AAAA,IACL,GAAG;AAAA,IACH,WAAW,IAAI,KAAK,IAAI,SAAS;AAAA,IACjC,WAAW,IAAI,YAAY,IAAI,KAAK,IAAI,SAAS,IAAI;AAAA,EACvD;AACF;","names":["createPrivateKey","privateKey","publicKey","createPrivateKey"]}

package/dist/interface-BzT_DC3u.d.cts

@@ -0,0 +1,38 @@
+type SigningAlgorithm = "ES256" | "RS256";
+
+interface ServiceClient {
+    id: string;
+    clientId: string;
+    clientSecret: string;
+    name: string;
+    scopes: string[];
+    createdAt: Date;
+    lastSeenAt: Date | null;
+}
+interface SigningKey {
+    keyId: string;
+    algorithm: SigningAlgorithm;
+    privateKey: string;
+    publicKey: string;
+    createdAt: Date;
+    retiredAt: Date | null;
+}
+interface StorageAdapter {
+    findClient(clientId: string): Promise<ServiceClient | null>;
+    createClient(client: ServiceClient): Promise<void>;
+    deleteClient(clientId: string): Promise<void>;
+    listClients(): Promise<ServiceClient[]>;
+    touchClient(clientId: string, lastSeenAt: Date): Promise<void>;
+    getSigningKeys(): Promise<SigningKey[]>;
+    addSigningKey(key: SigningKey): Promise<void>;
+    retireKey(keyId: string): Promise<void>;
+}
+interface SqlStorageOptions {
+    tablePrefix?: string;
+    tables?: {
+        clients?: string;
+        signingKeys?: string;
+    };
+}
+
+export type { SqlStorageOptions as S, StorageAdapter as a, ServiceClient as b, SigningKey as c, SigningAlgorithm as d };

package/dist/interface-BzT_DC3u.d.ts

@@ -0,0 +1,38 @@
+type SigningAlgorithm = "ES256" | "RS256";
+
+interface ServiceClient {
+    id: string;
+    clientId: string;
+    clientSecret: string;
+    name: string;
+    scopes: string[];
+    createdAt: Date;
+    lastSeenAt: Date | null;
+}
+interface SigningKey {
+    keyId: string;
+    algorithm: SigningAlgorithm;
+    privateKey: string;
+    publicKey: string;
+    createdAt: Date;
+    retiredAt: Date | null;
+}
+interface StorageAdapter {
+    findClient(clientId: string): Promise<ServiceClient | null>;
+    createClient(client: ServiceClient): Promise<void>;
+    deleteClient(clientId: string): Promise<void>;
+    listClients(): Promise<ServiceClient[]>;
+    touchClient(clientId: string, lastSeenAt: Date): Promise<void>;
+    getSigningKeys(): Promise<SigningKey[]>;
+    addSigningKey(key: SigningKey): Promise<void>;
+    retireKey(keyId: string): Promise<void>;
+}
+interface SqlStorageOptions {
+    tablePrefix?: string;
+    tables?: {
+        clients?: string;
+        signingKeys?: string;
+    };
+}
+
+export type { SqlStorageOptions as S, StorageAdapter as a, ServiceClient as b, SigningKey as c, SigningAlgorithm as d };