unotoken 0.1.0

package/dist/oauth/provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.js","sourceRoot":"","sources":["../../src/oauth/provider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG"}

package/dist/oauth/providers/github.d.ts

@@ -0,0 +1,75 @@
+/**
+ * GitHub OAuth provider for unotoken.
+ *
+ * Implements the OAuthProvider interface using GitHub's OAuth 2.0 protocol.
+ * Unlike Google, GitHub does NOT support OIDC — there is no id_token.
+ * Instead, after token exchange, we call the GitHub user API to get identity.
+ *
+ * GitHub OAuth also requires a client_secret for token exchange, even with PKCE.
+ * This is standard for GitHub OAuth apps (same pattern as VS Code, GitHub CLI).
+ *
+ * @see https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps
+ * @see https://docs.github.com/en/rest/users/users#get-the-authenticated-user
+ */
+import type { OAuthProvider } from '../provider.js';
+/** GitHub OAuth authorize URL */
+declare const AUTHORIZE_URL = "https://github.com/login/oauth/authorize";
+/** GitHub OAuth token endpoint */
+declare const TOKEN_ENDPOINT = "https://github.com/login/oauth/access_token";
+/** GitHub API base URL for user info */
+declare const USER_API_URL = "https://api.github.com/user";
+/**
+ * Built-in Indigo-hosted GitHub OAuth app client ID.
+ *
+ * Registered at github.com/settings/developers under the Indigo organization.
+ * App type: OAuth App (not GitHub App).
+ * Authorization callback URL: http://localhost/callback
+ *
+ * GitHub OAuth requires a client_secret for token exchange, even for
+ * native/CLI apps using PKCE. This is the same pattern used by VS Code,
+ * GitHub CLI, and other desktop OAuth apps — the secret is shipped in
+ * the package and is NOT a security boundary (it's a public client).
+ */
+declare const DEFAULT_CLIENT_ID = "unotoken-github-client-id";
+/**
+ * Built-in client secret for the Indigo-hosted GitHub OAuth app.
+ *
+ * This ships in the package intentionally — GitHub requires a client_secret
+ * for ALL OAuth token exchanges, even public/native clients. This is
+ * industry-standard (GitHub CLI, VS Code, etc. all ship their secrets).
+ * The actual security boundary is the PKCE verifier + redirect to localhost.
+ */
+declare const DEFAULT_CLIENT_SECRET = "unotoken-github-client-secret";
+/** Default scopes — minimal read:user for identity */
+declare const DEFAULT_SCOPES: string[];
+/** GitHub user API response (subset of fields we need) */
+export interface GitHubUser {
+    /** Unique numeric user ID */
+    id: number;
+    /** GitHub username (login handle) */
+    login: string;
+    /** Display name (may be null) */
+    name: string | null;
+    /** Email address (may be null if private) */
+    email: string | null;
+    /** Avatar URL */
+    avatar_url: string;
+}
+export interface GitHubProviderOptions {
+    /** Override the default GitHub OAuth client ID */
+    clientId?: string;
+    /** Override the default GitHub OAuth client secret */
+    clientSecret?: string;
+    /** Custom fetch function (for testing) */
+    fetch?: typeof globalThis.fetch;
+}
+/**
+ * Create a GitHub OAuth provider instance.
+ *
+ * After token exchange, calls the GitHub user API (GET /user) to
+ * retrieve the authenticated user's identity. This is necessary
+ * because GitHub does not issue OIDC id_tokens.
+ */
+export declare function createGitHubProvider(options?: GitHubProviderOptions): OAuthProvider;
+export { AUTHORIZE_URL, TOKEN_ENDPOINT, USER_API_URL, DEFAULT_CLIENT_ID, DEFAULT_CLIENT_SECRET, DEFAULT_SCOPES, };
+//# sourceMappingURL=github.d.ts.map

package/dist/oauth/providers/github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../../src/oauth/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAgC,MAAM,gBAAgB,CAAC;AAKlF,iCAAiC;AACjC,QAAA,MAAM,aAAa,6CAA6C,CAAC;AAEjE,kCAAkC;AAClC,QAAA,MAAM,cAAc,gDAAgD,CAAC;AAErE,wCAAwC;AACxC,QAAA,MAAM,YAAY,gCAAgC,CAAC;AAEnD;;;;;;;;;;;GAWG;AACH,QAAA,MAAM,iBAAiB,8BAA8B,CAAC;AAEtD;;;;;;;GAOG;AACH,QAAA,MAAM,qBAAqB,kCAAkC,CAAC;AAE9D,sDAAsD;AACtD,QAAA,MAAM,cAAc,UAAgB,CAAC;AAIrC,0DAA0D;AAC1D,MAAM,WAAW,UAAU;IACzB,6BAA6B;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,qCAAqC;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,iCAAiC;IACjC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,6CAA6C;IAC7C,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,iBAAiB;IACjB,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,WAAW,qBAAqB;IACpC,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,sDAAsD;IACtD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0CAA0C;IAC1C,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,CAAC,EAAE,qBAAqB,GAAG,aAAa,CA8EnF;AAID,OAAO,EACL,aAAa,EACb,cAAc,EACd,YAAY,EACZ,iBAAiB,EACjB,qBAAqB,EACrB,cAAc,GACf,CAAC"}

package/dist/oauth/providers/github.js

@@ -0,0 +1,119 @@
+/**
+ * GitHub OAuth provider for unotoken.
+ *
+ * Implements the OAuthProvider interface using GitHub's OAuth 2.0 protocol.
+ * Unlike Google, GitHub does NOT support OIDC — there is no id_token.
+ * Instead, after token exchange, we call the GitHub user API to get identity.
+ *
+ * GitHub OAuth also requires a client_secret for token exchange, even with PKCE.
+ * This is standard for GitHub OAuth apps (same pattern as VS Code, GitHub CLI).
+ *
+ * @see https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps
+ * @see https://docs.github.com/en/rest/users/users#get-the-authenticated-user
+ */
+// ─── Constants ────────────────────────────────────────────────────────
+/** GitHub OAuth authorize URL */
+const AUTHORIZE_URL = 'https://github.com/login/oauth/authorize';
+/** GitHub OAuth token endpoint */
+const TOKEN_ENDPOINT = 'https://github.com/login/oauth/access_token';
+/** GitHub API base URL for user info */
+const USER_API_URL = 'https://api.github.com/user';
+/**
+ * Built-in Indigo-hosted GitHub OAuth app client ID.
+ *
+ * Registered at github.com/settings/developers under the Indigo organization.
+ * App type: OAuth App (not GitHub App).
+ * Authorization callback URL: http://localhost/callback
+ *
+ * GitHub OAuth requires a client_secret for token exchange, even for
+ * native/CLI apps using PKCE. This is the same pattern used by VS Code,
+ * GitHub CLI, and other desktop OAuth apps — the secret is shipped in
+ * the package and is NOT a security boundary (it's a public client).
+ */
+const DEFAULT_CLIENT_ID = 'unotoken-github-client-id';
+/**
+ * Built-in client secret for the Indigo-hosted GitHub OAuth app.
+ *
+ * This ships in the package intentionally — GitHub requires a client_secret
+ * for ALL OAuth token exchanges, even public/native clients. This is
+ * industry-standard (GitHub CLI, VS Code, etc. all ship their secrets).
+ * The actual security boundary is the PKCE verifier + redirect to localhost.
+ */
+const DEFAULT_CLIENT_SECRET = 'unotoken-github-client-secret';
+/** Default scopes — minimal read:user for identity */
+const DEFAULT_SCOPES = ['read:user'];
+/**
+ * Create a GitHub OAuth provider instance.
+ *
+ * After token exchange, calls the GitHub user API (GET /user) to
+ * retrieve the authenticated user's identity. This is necessary
+ * because GitHub does not issue OIDC id_tokens.
+ */
+export function createGitHubProvider(options) {
+    const clientId = options?.clientId ?? DEFAULT_CLIENT_ID;
+    const clientSecret = options?.clientSecret ?? DEFAULT_CLIENT_SECRET;
+    const fetchFn = options?.fetch ?? globalThis.fetch;
+    const provider = {
+        name: 'github',
+        clientId,
+        scopes: DEFAULT_SCOPES,
+        get tokenEndpoint() {
+            return TOKEN_ENDPOINT;
+        },
+        authorizeUrl(redirectUri, state, pkce) {
+            const params = new URLSearchParams({
+                client_id: clientId,
+                redirect_uri: redirectUri,
+                scope: DEFAULT_SCOPES.join(' '),
+                state,
+                // GitHub supports PKCE but still requires client_secret in token exchange
+                code_challenge: pkce.challenge,
+                code_challenge_method: pkce.method,
+            });
+            return `${AUTHORIZE_URL}?${params}`;
+        },
+        tokenRequestBody(code, redirectUri, pkce) {
+            return new URLSearchParams({
+                grant_type: 'authorization_code',
+                code,
+                redirect_uri: redirectUri,
+                client_id: clientId,
+                client_secret: clientSecret,
+                code_verifier: pkce.verifier,
+            });
+        },
+        async verifyIdentity(tokenResponse) {
+            const accessToken = tokenResponse.access_token;
+            if (!accessToken) {
+                throw new Error('GitHub token response missing access_token.');
+            }
+            // GitHub does NOT return an id_token — call the user API instead
+            const response = await fetchFn(USER_API_URL, {
+                headers: {
+                    'Authorization': `Bearer ${accessToken}`,
+                    'Accept': 'application/vnd.github+json',
+                    'X-GitHub-Api-Version': '2022-11-28',
+                    'User-Agent': 'unotoken-oauth',
+                },
+            });
+            if (!response.ok) {
+                const text = await response.text();
+                throw new Error(`GitHub user API request failed (${response.status}): ${text}`);
+            }
+            const user = await response.json();
+            if (!user.id) {
+                throw new Error('GitHub user API response missing user ID.');
+            }
+            return {
+                provider: 'github',
+                subjectId: String(user.id),
+                email: user.email ?? undefined,
+                name: user.login,
+            };
+        },
+    };
+    return provider;
+}
+// ─── Exports for testing ──────────────────────────────────────────────
+export { AUTHORIZE_URL, TOKEN_ENDPOINT, USER_API_URL, DEFAULT_CLIENT_ID, DEFAULT_CLIENT_SECRET, DEFAULT_SCOPES, };
+//# sourceMappingURL=github.js.map

package/dist/oauth/providers/github.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.js","sourceRoot":"","sources":["../../../src/oauth/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,yEAAyE;AAEzE,iCAAiC;AACjC,MAAM,aAAa,GAAG,0CAA0C,CAAC;AAEjE,kCAAkC;AAClC,MAAM,cAAc,GAAG,6CAA6C,CAAC;AAErE,wCAAwC;AACxC,MAAM,YAAY,GAAG,6BAA6B,CAAC;AAEnD;;;;;;;;;;;GAWG;AACH,MAAM,iBAAiB,GAAG,2BAA2B,CAAC;AAEtD;;;;;;;GAOG;AACH,MAAM,qBAAqB,GAAG,+BAA+B,CAAC;AAE9D,sDAAsD;AACtD,MAAM,cAAc,GAAG,CAAC,WAAW,CAAC,CAAC;AA6BrC;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA+B;IAClE,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,iBAAiB,CAAC;IACxD,MAAM,YAAY,GAAG,OAAO,EAAE,YAAY,IAAI,qBAAqB,CAAC;IACpE,MAAM,OAAO,GAAG,OAAO,EAAE,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC;IAEnD,MAAM,QAAQ,GAAkB;QAC9B,IAAI,EAAE,QAAQ;QACd,QAAQ;QACR,MAAM,EAAE,cAAc;QAEtB,IAAI,aAAa;YACf,OAAO,cAAc,CAAC;QACxB,CAAC;QAED,YAAY,CAAC,WAAmB,EAAE,KAAa,EAAE,IAAc;YAC7D,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,SAAS,EAAE,QAAQ;gBACnB,YAAY,EAAE,WAAW;gBACzB,KAAK,EAAE,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC;gBAC/B,KAAK;gBACL,0EAA0E;gBAC1E,cAAc,EAAE,IAAI,CAAC,SAAS;gBAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;aACnC,CAAC,CAAC;YAEH,OAAO,GAAG,aAAa,IAAI,MAAM,EAAE,CAAC;QACtC,CAAC;QAED,gBAAgB,CAAC,IAAY,EAAE,WAAmB,EAAE,IAAc;YAChE,OAAO,IAAI,eAAe,CAAC;gBACzB,UAAU,EAAE,oBAAoB;gBAChC,IAAI;gBACJ,YAAY,EAAE,WAAW;gBACzB,SAAS,EAAE,QAAQ;gBACnB,aAAa,EAAE,YAAY;gBAC3B,aAAa,EAAE,IAAI,CAAC,QAAQ;aAC7B,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,cAAc,CAAC,aAA4B;YAC/C,MAAM,WAAW,GAAG,aAAa,CAAC,YAAY,CAAC;YAC/C,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;YACjE,CAAC;YAED,iEAAiE;YACjE,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,EAAE;gBAC3C,OAAO,EAAE;oBACP,eAAe,EAAE,UAAU,WAAW,EAAE;oBACxC,QAAQ,EAAE,6BAA6B;oBACvC,sBAAsB,EAAE,YAAY;oBACpC,YAAY,EAAE,gBAAgB;iBAC/B;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACnC,MAAM,IAAI,KAAK,CACb,mCAAmC,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAC/D,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAgB,CAAC;YAEjD,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;YAC/D,CAAC;YAED,OAAO;gBACL,QAAQ,EAAE,QAAQ;gBAClB,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1B,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,SAAS;gBAC9B,IAAI,EAAE,IAAI,CAAC,KAAK;aACjB,CAAC;QACJ,CAAC;KACF,CAAC;IAEF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,yEAAyE;AAEzE,OAAO,EACL,aAAa,EACb,cAAc,EACd,YAAY,EACZ,iBAAiB,EACjB,qBAAqB,EACrB,cAAc,GACf,CAAC"}

package/dist/oauth/providers/google.d.ts

@@ -0,0 +1,115 @@
+/**
+ * Google OIDC provider for unotoken OAuth.
+ *
+ * Implements the OAuthProvider interface using Google's OpenID Connect protocol.
+ * Uses the OIDC discovery document to resolve endpoints dynamically, and
+ * verifies ID tokens using Google's JWKS (RS256 signatures).
+ *
+ * @see https://accounts.google.com/.well-known/openid-configuration
+ * @see https://developers.google.com/identity/protocols/oauth2/native-app
+ */
+import type { OAuthProvider } from '../provider.js';
+/** Google OIDC discovery endpoint */
+declare const DISCOVERY_URL = "https://accounts.google.com/.well-known/openid-configuration";
+/** Expected issuers for Google ID tokens */
+declare const VALID_ISSUERS: string[];
+/**
+ * Built-in Indigo-hosted Google OAuth client ID.
+ *
+ * Registered at console.cloud.google.com under the Indigo GCP project.
+ * App type: Web application.
+ * Authorized redirect URIs: http://localhost (Google allows any port on localhost for native apps).
+ *
+ * Public clients (native/CLI apps) do NOT need a client secret for PKCE flows.
+ */
+declare const DEFAULT_CLIENT_ID = "unotoken-google-client.apps.googleusercontent.com";
+/** Default scopes for Google OIDC */
+declare const DEFAULT_SCOPES: string[];
+/** Google OIDC discovery document (subset of fields we need) */
+export interface GoogleDiscoveryDocument {
+    authorization_endpoint: string;
+    token_endpoint: string;
+    jwks_uri: string;
+    issuer: string;
+}
+/** JSON Web Key from Google's JWKS endpoint */
+export interface JWK {
+    kty: string;
+    alg: string;
+    use: string;
+    kid: string;
+    n: string;
+    e: string;
+}
+/** JWKS response from Google */
+export interface JWKSResponse {
+    keys: JWK[];
+}
+/** Decoded JWT header */
+interface JWTHeader {
+    alg: string;
+    kid: string;
+    typ?: string;
+}
+/** Google ID token claims */
+export interface GoogleIdTokenClaims {
+    iss: string;
+    sub: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    picture?: string;
+    at_hash?: string;
+    nonce?: string;
+}
+/**
+ * Base64url decode (RFC 4648 section 5).
+ * Handles both with and without padding.
+ */
+declare function base64urlDecode(input: string): Buffer;
+/**
+ * Decode a JWT without verifying its signature.
+ * Used to extract the header (for kid lookup) and payload (for claims).
+ */
+declare function decodeJwt(token: string): {
+    header: JWTHeader;
+    payload: GoogleIdTokenClaims;
+    signature: string;
+};
+/**
+ * Convert a JWK RSA public key to PEM format for Node's crypto module.
+ *
+ * Builds a DER-encoded PKCS#1 RSAPublicKey structure, then wraps it in PEM.
+ */
+declare function jwkToPem(jwk: JWK): string;
+/**
+ * Verify an RS256 JWT signature against a JWK.
+ *
+ * @param token - The raw JWT string
+ * @param jwk - The matching JWK from Google's JWKS
+ * @returns true if the signature is valid
+ */
+declare function verifyRS256Signature(token: string, jwk: JWK): boolean;
+/**
+ * Clear cached discovery and JWKS data.
+ * Primarily used in tests to ensure clean state.
+ */
+export declare function clearGoogleCaches(): void;
+export interface GoogleProviderOptions {
+    /** Override the default Google OAuth client ID */
+    clientId?: string;
+    /** Custom fetch function (for testing) */
+    fetch?: typeof globalThis.fetch;
+}
+/**
+ * Create a Google OIDC provider instance.
+ *
+ * Lazily fetches the OIDC discovery document and JWKS on first use,
+ * with in-memory caching for subsequent calls.
+ */
+export declare function createGoogleProvider(options?: GoogleProviderOptions): OAuthProvider;
+export { decodeJwt, jwkToPem, verifyRS256Signature, base64urlDecode, DISCOVERY_URL, VALID_ISSUERS, DEFAULT_CLIENT_ID, DEFAULT_SCOPES, };
+//# sourceMappingURL=google.d.ts.map

package/dist/oauth/providers/google.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../../src/oauth/providers/google.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAgC,MAAM,gBAAgB,CAAC;AAKlF,qCAAqC;AACrC,QAAA,MAAM,aAAa,iEAAiE,CAAC;AAErF,4CAA4C;AAC5C,QAAA,MAAM,aAAa,UAAyD,CAAC;AAE7E;;;;;;;;GAQG;AACH,QAAA,MAAM,iBAAiB,sDAAsD,CAAC;AAE9E,qCAAqC;AACrC,QAAA,MAAM,cAAc,UAAiC,CAAC;AAItD,gEAAgE;AAChE,MAAM,WAAW,uBAAuB;IACtC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,+CAA+C;AAC/C,MAAM,WAAW,GAAG;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;CACX;AAED,gCAAgC;AAChC,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,GAAG,EAAE,CAAC;CACb;AAED,yBAAyB;AACzB,UAAU,SAAS;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,6BAA6B;AAC7B,MAAM,WAAW,mBAAmB;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAID;;;GAGG;AACH,iBAAS,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQ9C;AAED;;;GAGG;AACH,iBAAS,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,mBAAmB,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAUxG;AAED;;;;GAIG;AACH,iBAAS,QAAQ,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM,CAkClC;AAkCD;;;;;;GAMG;AACH,iBAAS,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,OAAO,CAS9D;AAcD;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CAKxC;AAID,MAAM,WAAW,qBAAqB;IACpC,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0CAA0C;IAC1C,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,CAAC,EAAE,qBAAqB,GAAG,aAAa,CAmJnF;AAID,OAAO,EACL,SAAS,EACT,QAAQ,EACR,oBAAoB,EACpB,eAAe,EACf,aAAa,EACb,aAAa,EACb,iBAAiB,EACjB,cAAc,GACf,CAAC"}

package/dist/oauth/providers/google.js

@@ -0,0 +1,285 @@
+/**
+ * Google OIDC provider for unotoken OAuth.
+ *
+ * Implements the OAuthProvider interface using Google's OpenID Connect protocol.
+ * Uses the OIDC discovery document to resolve endpoints dynamically, and
+ * verifies ID tokens using Google's JWKS (RS256 signatures).
+ *
+ * @see https://accounts.google.com/.well-known/openid-configuration
+ * @see https://developers.google.com/identity/protocols/oauth2/native-app
+ */
+import { createVerify } from 'node:crypto';
+// ─── Constants ────────────────────────────────────────────────────────
+/** Google OIDC discovery endpoint */
+const DISCOVERY_URL = 'https://accounts.google.com/.well-known/openid-configuration';
+/** Expected issuers for Google ID tokens */
+const VALID_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'];
+/**
+ * Built-in Indigo-hosted Google OAuth client ID.
+ *
+ * Registered at console.cloud.google.com under the Indigo GCP project.
+ * App type: Web application.
+ * Authorized redirect URIs: http://localhost (Google allows any port on localhost for native apps).
+ *
+ * Public clients (native/CLI apps) do NOT need a client secret for PKCE flows.
+ */
+const DEFAULT_CLIENT_ID = 'unotoken-google-client.apps.googleusercontent.com';
+/** Default scopes for Google OIDC */
+const DEFAULT_SCOPES = ['openid', 'email', 'profile'];
+// ─── JWT Verification Helpers ─────────────────────────────────────────
+/**
+ * Base64url decode (RFC 4648 section 5).
+ * Handles both with and without padding.
+ */
+function base64urlDecode(input) {
+    // Replace base64url chars with standard base64
+    let base64 = input.replace(/-/g, '+').replace(/_/g, '/');
+    // Add padding if needed
+    const padding = base64.length % 4;
+    if (padding === 2)
+        base64 += '==';
+    else if (padding === 3)
+        base64 += '=';
+    return Buffer.from(base64, 'base64');
+}
+/**
+ * Decode a JWT without verifying its signature.
+ * Used to extract the header (for kid lookup) and payload (for claims).
+ */
+function decodeJwt(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+        throw new Error('Invalid JWT: expected 3 parts separated by dots');
+    }
+    const header = JSON.parse(base64urlDecode(parts[0]).toString('utf8'));
+    const payload = JSON.parse(base64urlDecode(parts[1]).toString('utf8'));
+    return { header, payload, signature: parts[2] };
+}
+/**
+ * Convert a JWK RSA public key to PEM format for Node's crypto module.
+ *
+ * Builds a DER-encoded PKCS#1 RSAPublicKey structure, then wraps it in PEM.
+ */
+function jwkToPem(jwk) {
+    const n = base64urlDecode(jwk.n);
+    const e = base64urlDecode(jwk.e);
+    // Build PKCS#1 RSAPublicKey ASN.1 structure
+    const nEncoded = encodeASN1Integer(n);
+    const eEncoded = encodeASN1Integer(e);
+    const rsaPublicKey = encodeASN1Sequence(Buffer.concat([nEncoded, eEncoded]));
+    // Wrap in PKCS#8 SubjectPublicKeyInfo
+    // AlgorithmIdentifier for RSA: OID 1.2.840.113549.1.1.1 + NULL
+    const rsaOid = Buffer.from([
+        0x30, 0x0d, // SEQUENCE
+        0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, // OID
+        0x05, 0x00, // NULL
+    ]);
+    // BIT STRING wrapping the RSAPublicKey
+    const bitString = Buffer.concat([
+        Buffer.from([0x03]),
+        encodeASN1Length(rsaPublicKey.length + 1),
+        Buffer.from([0x00]), // padding bits = 0
+        rsaPublicKey,
+    ]);
+    const spki = encodeASN1Sequence(Buffer.concat([rsaOid, bitString]));
+    const b64 = spki.toString('base64');
+    const lines = [];
+    for (let i = 0; i < b64.length; i += 64) {
+        lines.push(b64.substring(i, i + 64));
+    }
+    return `-----BEGIN PUBLIC KEY-----\n${lines.join('\n')}\n-----END PUBLIC KEY-----`;
+}
+/** Encode a buffer as an ASN.1 INTEGER */
+function encodeASN1Integer(buf) {
+    // If high bit is set, prepend a 0x00 byte
+    const needsPadding = buf[0] & 0x80;
+    const content = needsPadding ? Buffer.concat([Buffer.from([0x00]), buf]) : buf;
+    return Buffer.concat([
+        Buffer.from([0x02]), // INTEGER tag
+        encodeASN1Length(content.length),
+        content,
+    ]);
+}
+/** Encode a buffer as an ASN.1 SEQUENCE */
+function encodeASN1Sequence(content) {
+    return Buffer.concat([
+        Buffer.from([0x30]), // SEQUENCE tag
+        encodeASN1Length(content.length),
+        content,
+    ]);
+}
+/** Encode an ASN.1 length (DER encoding) */
+function encodeASN1Length(length) {
+    if (length < 0x80) {
+        return Buffer.from([length]);
+    }
+    if (length < 0x100) {
+        return Buffer.from([0x81, length]);
+    }
+    return Buffer.from([0x82, (length >> 8) & 0xff, length & 0xff]);
+}
+/**
+ * Verify an RS256 JWT signature against a JWK.
+ *
+ * @param token - The raw JWT string
+ * @param jwk - The matching JWK from Google's JWKS
+ * @returns true if the signature is valid
+ */
+function verifyRS256Signature(token, jwk) {
+    const parts = token.split('.');
+    const signedContent = `${parts[0]}.${parts[1]}`;
+    const signature = base64urlDecode(parts[2]);
+    const pem = jwkToPem(jwk);
+    const verifier = createVerify('RSA-SHA256');
+    verifier.update(signedContent);
+    return verifier.verify(pem, signature);
+}
+// ─── Discovery Cache ──────────────────────────────────────────────────
+/** Cached discovery document (refreshed per-session, not persisted) */
+let cachedDiscovery = null;
+let discoveryFetchTime = 0;
+const DISCOVERY_CACHE_MS = 5 * 60 * 1000; // 5 minutes
+/** Cached JWKS (refreshed per-session) */
+let cachedJWKS = null;
+let jwksFetchTime = 0;
+const JWKS_CACHE_MS = 5 * 60 * 1000; // 5 minutes
+/**
+ * Clear cached discovery and JWKS data.
+ * Primarily used in tests to ensure clean state.
+ */
+export function clearGoogleCaches() {
+    cachedDiscovery = null;
+    discoveryFetchTime = 0;
+    cachedJWKS = null;
+    jwksFetchTime = 0;
+}
+/**
+ * Create a Google OIDC provider instance.
+ *
+ * Lazily fetches the OIDC discovery document and JWKS on first use,
+ * with in-memory caching for subsequent calls.
+ */
+export function createGoogleProvider(options) {
+    const clientId = options?.clientId ?? DEFAULT_CLIENT_ID;
+    const fetchFn = options?.fetch ?? globalThis.fetch;
+    // Token endpoint resolved lazily from discovery document
+    let resolvedTokenEndpoint = null;
+    /**
+     * Fetch (or return cached) Google OIDC discovery document.
+     */
+    async function getDiscovery() {
+        const now = Date.now();
+        if (cachedDiscovery && (now - discoveryFetchTime) < DISCOVERY_CACHE_MS) {
+            return cachedDiscovery;
+        }
+        const response = await fetchFn(DISCOVERY_URL);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch Google OIDC discovery: ${response.status} ${response.statusText}`);
+        }
+        cachedDiscovery = await response.json();
+        discoveryFetchTime = now;
+        return cachedDiscovery;
+    }
+    /**
+     * Fetch (or return cached) Google JWKS.
+     */
+    async function getJWKS(jwksUri) {
+        const now = Date.now();
+        if (cachedJWKS && (now - jwksFetchTime) < JWKS_CACHE_MS) {
+            return cachedJWKS;
+        }
+        const response = await fetchFn(jwksUri);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch Google JWKS: ${response.status} ${response.statusText}`);
+        }
+        cachedJWKS = await response.json();
+        jwksFetchTime = now;
+        return cachedJWKS;
+    }
+    const provider = {
+        name: 'google',
+        clientId,
+        scopes: DEFAULT_SCOPES,
+        // Token endpoint getter — resolves lazily from discovery
+        // We use a getter so it can be resolved after discovery fetch
+        get tokenEndpoint() {
+            // Return cached endpoint, or the standard fallback
+            return resolvedTokenEndpoint ?? 'https://oauth2.googleapis.com/token';
+        },
+        authorizeUrl(redirectUri, state, pkce) {
+            // Use a synchronous fallback for the authorize endpoint
+            // The discovery doc normally returns https://accounts.google.com/o/oauth2/v2/auth
+            const params = new URLSearchParams({
+                client_id: clientId,
+                redirect_uri: redirectUri,
+                response_type: 'code',
+                scope: DEFAULT_SCOPES.join(' '),
+                state,
+                code_challenge: pkce.challenge,
+                code_challenge_method: pkce.method,
+                access_type: 'offline',
+                prompt: 'consent',
+            });
+            return `https://accounts.google.com/o/oauth2/v2/auth?${params}`;
+        },
+        tokenRequestBody(code, redirectUri, pkce) {
+            return new URLSearchParams({
+                grant_type: 'authorization_code',
+                code,
+                redirect_uri: redirectUri,
+                client_id: clientId,
+                code_verifier: pkce.verifier,
+            });
+        },
+        async verifyIdentity(tokenResponse) {
+            const idToken = tokenResponse.id_token;
+            if (!idToken) {
+                throw new Error('Google token response missing id_token. Ensure "openid" scope is requested.');
+            }
+            // Decode JWT to get header (kid) and claims
+            const { header, payload } = decodeJwt(idToken);
+            if (header.alg !== 'RS256') {
+                throw new Error(`Unsupported JWT algorithm: ${header.alg}. Expected RS256.`);
+            }
+            // Fetch discovery document to get JWKS URI
+            const discovery = await getDiscovery();
+            resolvedTokenEndpoint = discovery.token_endpoint;
+            // Fetch JWKS and find the matching key
+            const jwks = await getJWKS(discovery.jwks_uri);
+            const key = jwks.keys.find(k => k.kid === header.kid);
+            if (!key) {
+                throw new Error(`No matching JWK found for kid "${header.kid}". ` +
+                    `Available kids: ${jwks.keys.map(k => k.kid).join(', ')}`);
+            }
+            // Verify RS256 signature
+            const signatureValid = verifyRS256Signature(idToken, key);
+            if (!signatureValid) {
+                throw new Error('Google ID token signature verification failed');
+            }
+            // Verify issuer
+            if (!VALID_ISSUERS.includes(payload.iss)) {
+                throw new Error(`Invalid issuer: "${payload.iss}". Expected one of: ${VALID_ISSUERS.join(', ')}`);
+            }
+            // Verify audience (must match our client ID)
+            if (payload.aud !== clientId) {
+                throw new Error(`Invalid audience: "${payload.aud}". Expected: "${clientId}"`);
+            }
+            // Verify expiry
+            const now = Math.floor(Date.now() / 1000);
+            if (payload.exp < now) {
+                throw new Error(`ID token expired at ${new Date(payload.exp * 1000).toISOString()}. ` +
+                    `Current time: ${new Date(now * 1000).toISOString()}.`);
+            }
+            return {
+                provider: 'google',
+                subjectId: payload.sub,
+                email: payload.email,
+                name: payload.name,
+            };
+        },
+    };
+    return provider;
+}
+// ─── Exports for testing ──────────────────────────────────────────────
+export { decodeJwt, jwkToPem, verifyRS256Signature, base64urlDecode, DISCOVERY_URL, VALID_ISSUERS, DEFAULT_CLIENT_ID, DEFAULT_SCOPES, };
+//# sourceMappingURL=google.js.map

package/dist/oauth/providers/google.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.js","sourceRoot":"","sources":["../../../src/oauth/providers/google.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAI3C,yEAAyE;AAEzE,qCAAqC;AACrC,MAAM,aAAa,GAAG,8DAA8D,CAAC;AAErF,4CAA4C;AAC5C,MAAM,aAAa,GAAG,CAAC,6BAA6B,EAAE,qBAAqB,CAAC,CAAC;AAE7E;;;;;;;;GAQG;AACH,MAAM,iBAAiB,GAAG,mDAAmD,CAAC;AAE9E,qCAAqC;AACrC,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;AAiDtD,yEAAyE;AAEzE;;;GAGG;AACH,SAAS,eAAe,CAAC,KAAa;IACpC,+CAA+C;IAC/C,IAAI,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,wBAAwB;IACxB,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;IAClC,IAAI,OAAO,KAAK,CAAC;QAAE,MAAM,IAAI,IAAI,CAAC;SAC7B,IAAI,OAAO,KAAK,CAAC;QAAE,MAAM,IAAI,GAAG,CAAC;IACtC,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS,CAAC,KAAa;IAC9B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAc,CAAC;IACnF,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAwB,CAAC;IAE9F,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;AAClD,CAAC;AAED;;;;GAIG;AACH,SAAS,QAAQ,CAAC,GAAQ;IACxB,MAAM,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACjC,MAAM,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAEjC,4CAA4C;IAC5C,MAAM,QAAQ,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;IACtC,MAAM,YAAY,GAAG,kBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC;IAE7E,sCAAsC;IACtC,+DAA+D;IAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC;QACzB,IAAI,EAAE,IAAI,EAA8C,WAAW;QACnE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM;QACxE,IAAI,EAAE,IAAI,EAA8C,OAAO;KAChE,CAAC,CAAC;IAEH,uCAAuC;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;QACnB,gBAAgB,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,mBAAmB;QACxC,YAAY;KACb,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,kBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IAEpE,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC;QACxC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IACvC,CAAC;IAED,OAAO,+BAA+B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC;AACrF,CAAC;AAED,0CAA0C;AAC1C,SAAS,iBAAiB,CAAC,GAAW;IACpC,0CAA0C;IAC1C,MAAM,YAAY,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IACnC,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC/E,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,cAAc;QACnC,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC;QAChC,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,2CAA2C;AAC3C,SAAS,kBAAkB,CAAC,OAAe;IACzC,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,eAAe;QACpC,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC;QAChC,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,4CAA4C;AAC5C,SAAS,gBAAgB,CAAC,MAAc;IACtC,IAAI,MAAM,GAAG,IAAI,EAAE,CAAC;QAClB,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/B,CAAC;IACD,IAAI,MAAM,GAAG,KAAK,EAAE,CAAC;QACnB,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC;AAClE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,oBAAoB,CAAC,KAAa,EAAE,GAAQ;IACnD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,MAAM,aAAa,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IAChD,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAE1B,MAAM,QAAQ,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IAC5C,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAC/B,OAAO,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;AACzC,CAAC;AAED,yEAAyE;AAEzE,uEAAuE;AACvE,IAAI,eAAe,GAAmC,IAAI,CAAC;AAC3D,IAAI,kBAAkB,GAAG,CAAC,CAAC;AAC3B,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAEtD,0CAA0C;AAC1C,IAAI,UAAU,GAAwB,IAAI,CAAC;AAC3C,IAAI,aAAa,GAAG,CAAC,CAAC;AACtB,MAAM,aAAa,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAEjD;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,eAAe,GAAG,IAAI,CAAC;IACvB,kBAAkB,GAAG,CAAC,CAAC;IACvB,UAAU,GAAG,IAAI,CAAC;IAClB,aAAa,GAAG,CAAC,CAAC;AACpB,CAAC;AAWD;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA+B;IAClE,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,iBAAiB,CAAC;IACxD,MAAM,OAAO,GAAG,OAAO,EAAE,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC;IAEnD,yDAAyD;IACzD,IAAI,qBAAqB,GAAkB,IAAI,CAAC;IAEhD;;OAEG;IACH,KAAK,UAAU,YAAY;QACzB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,eAAe,IAAI,CAAC,GAAG,GAAG,kBAAkB,CAAC,GAAG,kBAAkB,EAAE,CAAC;YACvE,OAAO,eAAe,CAAC;QACzB,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,CAAC;QAC9C,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,0CAA0C,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACtG,CAAC;QAED,eAAe,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QACnE,kBAAkB,GAAG,GAAG,CAAC;QACzB,OAAO,eAAe,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,KAAK,UAAU,OAAO,CAAC,OAAe;QACpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,UAAU,IAAI,CAAC,GAAG,GAAG,aAAa,CAAC,GAAG,aAAa,EAAE,CAAC;YACxD,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QAC5F,CAAC;QAED,UAAU,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAkB,CAAC;QACnD,aAAa,GAAG,GAAG,CAAC;QACpB,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,IAAI,EAAE,QAAQ;QACd,QAAQ;QACR,MAAM,EAAE,cAAc;QAEtB,yDAAyD;QACzD,8DAA8D;QAC9D,IAAI,aAAa;YACf,mDAAmD;YACnD,OAAO,qBAAqB,IAAI,qCAAqC,CAAC;QACxE,CAAC;QAED,YAAY,CAAC,WAAmB,EAAE,KAAa,EAAE,IAAc;YAC7D,wDAAwD;YACxD,kFAAkF;YAClF,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,SAAS,EAAE,QAAQ;gBACnB,YAAY,EAAE,WAAW;gBACzB,aAAa,EAAE,MAAM;gBACrB,KAAK,EAAE,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC;gBAC/B,KAAK;gBACL,cAAc,EAAE,IAAI,CAAC,SAAS;gBAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;gBAClC,WAAW,EAAE,SAAS;gBACtB,MAAM,EAAE,SAAS;aAClB,CAAC,CAAC;YAEH,OAAO,gDAAgD,MAAM,EAAE,CAAC;QAClE,CAAC;QAED,gBAAgB,CAAC,IAAY,EAAE,WAAmB,EAAE,IAAc;YAChE,OAAO,IAAI,eAAe,CAAC;gBACzB,UAAU,EAAE,oBAAoB;gBAChC,IAAI;gBACJ,YAAY,EAAE,WAAW;gBACzB,SAAS,EAAE,QAAQ;gBACnB,aAAa,EAAE,IAAI,CAAC,QAAQ;aAC7B,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,cAAc,CAAC,aAA4B;YAC/C,MAAM,OAAO,GAAG,aAAa,CAAC,QAAQ,CAAC;YACvC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,6EAA6E,CAAC,CAAC;YACjG,CAAC;YAED,4CAA4C;YAC5C,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;YAE/C,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,8BAA8B,MAAM,CAAC,GAAG,mBAAmB,CAAC,CAAC;YAC/E,CAAC;YAED,2CAA2C;YAC3C,MAAM,SAAS,GAAG,MAAM,YAAY,EAAE,CAAC;YACvC,qBAAqB,GAAG,SAAS,CAAC,cAAc,CAAC;YAEjD,uCAAuC;YACvC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,CAAC,CAAC;YACtD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CACb,kCAAkC,MAAM,CAAC,GAAG,KAAK;oBACjD,mBAAmB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC1D,CAAC;YACJ,CAAC;YAED,yBAAyB;YACzB,MAAM,cAAc,GAAG,oBAAoB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAC1D,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;YACnE,CAAC;YAED,gBAAgB;YAChB,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;gBACzC,MAAM,IAAI,KAAK,CAAC,oBAAoB,OAAO,CAAC,GAAG,uBAAuB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACpG,CAAC;YAED,6CAA6C;YAC7C,IAAI,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,sBAAsB,OAAO,CAAC,GAAG,iBAAiB,QAAQ,GAAG,CAAC,CAAC;YACjF,CAAC;YAED,gBAAgB;YAChB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CACb,uBAAuB,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,IAAI;oBACrE,iBAAiB,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,GAAG,CACvD,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,QAAQ,EAAE,QAAQ;gBAClB,SAAS,EAAE,OAAO,CAAC,GAAG;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB,CAAC;QACJ,CAAC;KACF,CAAC;IAEF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,yEAAyE;AAEzE,OAAO,EACL,SAAS,EACT,QAAQ,EACR,oBAAoB,EACpB,eAAe,EACf,aAAa,EACb,aAAa,EACb,iBAAiB,EACjB,cAAc,GACf,CAAC"}

package/dist/sdk.d.ts

@@ -0,0 +1,8 @@
+/**
+ * unotoken/sdk — re-exports yokotoken/sdk.
+ *
+ * Drop-in replacement: `import { getSecret } from 'unotoken/sdk'`
+ * works identically to `import { getSecret } from 'yokotoken/sdk'`.
+ */
+export { getSecret, storeSecret, listSecrets, VaultSdkError, type SecretEntry, type SecretMetadata, type VaultSdkConfig, } from 'yokotoken/sdk';
+//# sourceMappingURL=sdk.d.ts.map

package/dist/sdk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sdk.d.ts","sourceRoot":"","sources":["../src/sdk.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,SAAS,EACT,WAAW,EACX,WAAW,EACX,aAAa,EACb,KAAK,WAAW,EAChB,KAAK,cAAc,EACnB,KAAK,cAAc,GACpB,MAAM,eAAe,CAAC"}

package/dist/sdk.js

@@ -0,0 +1,8 @@
+/**
+ * unotoken/sdk — re-exports yokotoken/sdk.
+ *
+ * Drop-in replacement: `import { getSecret } from 'unotoken/sdk'`
+ * works identically to `import { getSecret } from 'yokotoken/sdk'`.
+ */
+export { getSecret, storeSecret, listSecrets, VaultSdkError, } from 'yokotoken/sdk';
+//# sourceMappingURL=sdk.js.map

package/dist/sdk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sdk.js","sourceRoot":"","sources":["../src/sdk.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,SAAS,EACT,WAAW,EACX,WAAW,EACX,aAAa,GAId,MAAM,eAAe,CAAC"}