wirejs-resources 0.1.166 → 0.1.168

package/dist/adapters/cookie-jar.d.ts

@@ -4,6 +4,7 @@ export type Cookie = {
     httpOnly?: boolean;
     secure?: boolean;
     maxAge?: number;
+    path?: string;
 };
 export declare class CookieJar {
     #private;
@@ -18,6 +19,7 @@ export declare class CookieJar {
         httpOnly?: boolean;
         secure?: boolean;
         maxAge?: number;
+        path?: string;
     } | undefined;
     delete(name: string): void;
     /**

package/dist/adapters/signed-cookie.js

@@ -56,7 +56,8 @@ export class SignedCookie {
                 value: jwt,
                 httpOnly,
                 secure,
-                maxAge: duration
+                maxAge: duration,
+                path: '/',
             });
         }
     }

package/dist/hosting/client.d.ts

@@ -0,0 +1 @@
+export declare function apiTree(INTERNAL_API_URL: string, path?: string[]): () => void;

package/dist/hosting/client.js

@@ -0,0 +1,68 @@
+async function callApi(INTERNAL_API_URL, method, ...args) {
+    function isNode() {
+        return typeof args[0]?.cookies?.getAll === 'function';
+    }
+    function apiUrl() {
+        if (isNode()) {
+            return INTERNAL_API_URL;
+        }
+        else {
+            return "/api";
+        }
+    }
+    let cookieHeader = {};
+    if (isNode()) {
+        const context = args[0];
+        const cookies = context.cookies.getAll();
+        cookieHeader = typeof cookies === 'object'
+            ? {
+                Cookie: Object.entries(cookies).map(kv => kv.join('=')).join('; ')
+            }
+            : {};
+    }
+    const response = await fetch(apiUrl(), {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            ...cookieHeader
+        },
+        body: JSON.stringify([{ method, args: [...args] }]),
+    });
+    const body = await response.json();
+    if (isNode()) {
+        const context = args[0];
+        for (const c of response.headers.getSetCookie()) {
+            const parts = c.split(';').map(p => p.trim());
+            const flags = parts.slice(1);
+            const [name, value] = parts[0].split('=').map(decodeURIComponent);
+            const httpOnly = flags.includes('HttpOnly');
+            const secure = flags.includes('Secure');
+            const maxAgePart = flags.find(f => f.startsWith('Max-Age='))?.split('=')[1];
+            context.cookies.set({
+                name,
+                value,
+                httpOnly,
+                secure,
+                maxAge: maxAgePart ? parseInt(maxAgePart) : undefined
+            });
+        }
+    }
+    const error = body[0].error;
+    if (error) {
+        throw new Error(error);
+    }
+    const value = body[0].data;
+    return value;
+}
+;
+export function apiTree(INTERNAL_API_URL, path = []) {
+    return new Proxy(function () { }, {
+        apply(_target, _thisArg, args) {
+            return callApi(INTERNAL_API_URL, path, ...args);
+        },
+        get(_target, prop) {
+            return apiTree(INTERNAL_API_URL, [...path, prop]);
+        }
+    });
+}
+;

package/dist/index.d.ts

@@ -1,5 +1,6 @@
 export { FileService } from './services/file.js';
 export { AuthenticationService } from './services/authentication.js';
+export * from './services/oidc-providers.js';
 export { CookieJar } from './adapters/cookie-jar.js';
 export { SignedCookie } from './adapters/signed-cookie.js';
 export { withContext, requiresContext, Context, ContextWrapped } from './adapters/context.js';

package/dist/index.js

@@ -1,5 +1,6 @@
 export { FileService } from './services/file.js';
 export { AuthenticationService } from './services/authentication.js';
+export * from './services/oidc-providers.js';
 export { CookieJar } from './adapters/cookie-jar.js';
 export { SignedCookie } from './adapters/signed-cookie.js';
 export { withContext, requiresContext, Context } from './adapters/context.js';

package/dist/internal/client.d.ts

@@ -0,0 +1 @@
+export declare function apiTree(INTERNAL_API_URL: string, path?: string[]): () => void;

package/dist/internal/client.js

@@ -0,0 +1,68 @@
+async function callApi(INTERNAL_API_URL, method, ...args) {
+    function isNode() {
+        return typeof args[0]?.cookies?.getAll === 'function';
+    }
+    function apiUrl() {
+        if (isNode()) {
+            return INTERNAL_API_URL;
+        }
+        else {
+            return "/api";
+        }
+    }
+    let cookieHeader = {};
+    if (isNode()) {
+        const context = args[0];
+        const cookies = context.cookies.getAll();
+        cookieHeader = typeof cookies === 'object'
+            ? {
+                Cookie: Object.entries(cookies).map(kv => kv.join('=')).join('; ')
+            }
+            : {};
+    }
+    const response = await fetch(apiUrl(), {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            ...cookieHeader
+        },
+        body: JSON.stringify([{ method, args: [...args] }]),
+    });
+    const body = await response.json();
+    if (isNode()) {
+        const context = args[0];
+        for (const c of response.headers.getSetCookie()) {
+            const parts = c.split(';').map(p => p.trim());
+            const flags = parts.slice(1);
+            const [name, value] = parts[0].split('=').map(decodeURIComponent);
+            const httpOnly = flags.includes('HttpOnly');
+            const secure = flags.includes('Secure');
+            const maxAgePart = flags.find(f => f.startsWith('Max-Age='))?.split('=')[1];
+            context.cookies.set({
+                name,
+                value,
+                httpOnly,
+                secure,
+                maxAge: maxAgePart ? parseInt(maxAgePart) : undefined
+            });
+        }
+    }
+    const error = body[0].error;
+    if (error) {
+        throw new Error(error);
+    }
+    const value = body[0].data;
+    return value;
+}
+;
+export function apiTree(INTERNAL_API_URL, path = []) {
+    return new Proxy(function () { }, {
+        apply(_target, _thisArg, args) {
+            return callApi(INTERNAL_API_URL, path, ...args);
+        },
+        get(_target, prop) {
+            return apiTree(INTERNAL_API_URL, [...path, prop]);
+        }
+    });
+}
+;

package/dist/resources/secret.d.ts

@@ -1,7 +1,13 @@
 import { Resource } from '../resource.js';
 export declare class Secret extends Resource {
-    #private;
     constructor(scope: Resource | string, id: string);
-    read(): Promise<any>;
-    write(data: any): Promise<void>;
+    read(): Promise<string>;
+    write(value: string, options?: {
+        onlyIfNotExists?: boolean;
+    }): Promise<void | undefined>;
+    scan(): AsyncGenerator<never, AsyncGenerator<{
+        key: string;
+        value: string;
+    }, any, any> | undefined, unknown>;
+    isAlreadyExistsError(error: any): boolean | undefined;
 }

package/dist/resources/secret.js

@@ -1,28 +1,38 @@
-import crypto from 'crypto';
+import * as crypto from 'crypto';
 import { Resource } from '../resource.js';
-import { FileService } from '../services/file.js';
+import { KeyValueStore } from './key-value-store.js';
 import { overrides } from '../overrides.js';
-const FILENAME = 'secret';
+let secrets;
 export class Secret extends Resource {
-    #fileService;
-    #initPromise;
     constructor(scope, id) {
         super(scope, id);
-        this.#fileService = new (overrides.FileService || FileService)(this, 'files');
-    }
-    #initialize() {
-        this.#initPromise = this.#initPromise || this.#fileService.write(FILENAME, JSON.stringify(crypto.randomBytes(64).toString('base64url')), { onlyIfNotExists: true }).catch(error => {
-            if (!this.#fileService.isAlreadyExistsError(error))
-                throw error;
-        });
-        return this.#initPromise;
+        secrets = new (overrides.KeyValueStore || KeyValueStore)('wirejs', 'secrets');
     }
     async read() {
-        await this.#initialize();
-        return JSON.parse(await this.#fileService.read(FILENAME));
+        const existingValue = await secrets?.get(this.absoluteId);
+        if (!existingValue) {
+            try {
+                const initValue = crypto.randomBytes(64).toString('base64url');
+                await this.write(initValue, { onlyIfNotExists: true });
+                return initValue;
+            }
+            catch (error) {
+                if (!this.isAlreadyExistsError(error))
+                    throw error;
+                return this.read();
+            }
+        }
+        else {
+            return existingValue;
+        }
+    }
+    async write(value, options) {
+        return secrets?.set(this.absoluteId, value, { onlyIfNotExists: options?.onlyIfNotExists });
+    }
+    async *scan() {
+        return secrets?.scan();
     }
-    async write(data) {
-        await this.#initialize();
-        await this.#fileService.write(FILENAME, JSON.stringify(data));
+    isAlreadyExistsError(error) {
+        return secrets?.isAlreadyExistsError(error);
     }
 }

package/dist/services/authentication.d.ts

@@ -1,11 +1,16 @@
 import { Resource } from '../resource.js';
 import { ContextWrapped } from '../adapters/context.js';
 import type { CookieJar } from '../adapters/cookie-jar.js';
-import type { User, AuthenticationError, AuthenticationMachineInput, AuthenticationMachineState, AuthenticationServiceOptions } from '../types/index.js';
+import type { User, AuthenticationError, AuthenticationMachineAction, AuthenticationMachineInput, AuthenticationMachineState, AuthenticationServiceOptions } from '../types/index.js';
 export declare class AuthenticationService extends Resource {
     #private;
-    constructor(scope: Resource | string, id: string, { duration, keepalive, cookie }?: AuthenticationServiceOptions);
+    constructor(scope: Resource | string, id: string, { duration, keepalive, cookie, oidcProviders }?: AuthenticationServiceOptions);
     private getState;
+    /**
+     * Returns machine actions for every configured and enabled OIDC provider.
+     * Subclasses should merge this into their own `getMachineState` result.
+     */
+    protected getOidcMachineActions(): Promise<Record<string, AuthenticationMachineAction>>;
     getMachineState(cookies: CookieJar): Promise<AuthenticationMachineState>;
     private setState;
     missingFieldErrors(input: Record<string, string | number | boolean>, fields: string[]): AuthenticationError[] | undefined;

package/dist/services/authentication.js

@@ -2,9 +2,12 @@ import { scrypt, randomBytes, randomUUID } from 'crypto';
 import { Resource } from '../resource.js';
 import { FileService } from './file.js';
 import { Setting } from '../resources/setting.js';
+import { Endpoint } from '../resources/endpoint.js';
+import { DistributedTable } from '../resources/distributed-table.js';
 import { SignedCookie } from '../adapters/signed-cookie.js';
 import { withContext } from '../adapters/context.js';
 import { overrides } from '../overrides.js';
+import { OIDCManager } from './oidc.js';
 function newId() {
     return randomUUID();
 }
@@ -184,7 +187,8 @@ export class AuthenticationService extends Resource {
     #keepalive;
     #users;
     #cookie;
-    constructor(scope, id, { duration, keepalive, cookie } = {}) {
+    #oidcManager;
+    constructor(scope, id, { duration, keepalive, cookie, oidcProviders } = {}) {
         super(scope, id);
         this.#keepalive = !!keepalive;
         const SettingCtor = overrides.Setting || Setting;
@@ -200,6 +204,13 @@ export class AuthenticationService extends Resource {
         // exclusively for development purposes.
         { maxAge: ONE_WEEK, secure: false });
         this.#users = new UserStore(fileService);
+        if (oidcProviders && oidcProviders.length > 0) {
+            this.#oidcManager = new OIDCManager(this, oidcProviders, this.#cookie, {
+                Setting: SettingCtor,
+                Endpoint: overrides.Endpoint || Endpoint,
+                DistributedTable: overrides.DistributedTable || DistributedTable,
+            });
+        }
     }
     async getState(cookies) {
         const cookieState = await this.#cookie.read(cookies);
@@ -208,25 +219,33 @@ export class AuthenticationService extends Resource {
             user: undefined
         };
     }
+    /**
+     * Returns machine actions for every configured and enabled OIDC provider.
+     * Subclasses should merge this into their own `getMachineState` result.
+     */
+    async getOidcMachineActions() {
+        return this.#oidcManager?.getMachineActions() ?? {};
+    }
     async getMachineState(cookies) {
         const state = await this.getState(cookies);
         if (state.state === 'authenticated') {
             if (this.#keepalive)
                 this.setState(cookies, state.user);
-            return {
-                ...state,
-                actions: {
-                    changepassword: machineAction('changepassword'),
-                    signout: machineAction('signout'),
-                }
-            };
+            const actions = {};
+            if (!state.user.oidcProvider) {
+                actions.changepassword = machineAction('changepassword');
+            }
+            actions.signout = machineAction('signout');
+            return { ...state, actions };
         }
         else {
+            const oidcActions = await this.getOidcMachineActions();
             return {
                 ...state,
                 actions: {
                     signin: machineAction('signin'),
                     signup: machineAction('signup'),
+                    ...oidcActions,
                 }
             };
         }

package/dist/services/llm.d.ts

@@ -30,12 +30,11 @@ export type AssistantMessage = {
 export type ToolMessage = {
     /** Always 'tool' for tool execution results */
     role: 'tool';
-    /** Result content from the tool execution */
-    content: string;
-    /** Name of the tool that was executed */
-    tool_name: string;
-    /** ID linking this result to the original tool call */
-    tool_call_id: string;
+    content: {
+        id: string;
+        content: string;
+        isError?: boolean;
+    }[];
 };
 /** Union of all possible message types in conversation history */
 export type LLMMessage = UserMessage | AssistantMessage | ToolMessage;

package/dist/services/llm.js

@@ -141,7 +141,10 @@ export class LLM extends Resource {
                                     content: finalSystemPrompt
                                 }
                             ] : []),
-                            ...history
+                            ...history.map(m => m.role === 'tool' ? {
+                                role: 'tool',
+                                content: JSON.stringify(m.content, null, 2)
+                            } : m)
                         ],
                         stream,
                         ...(ollamaTools.length > 0 ? { tools: ollamaTools } : {}),
@@ -166,11 +169,7 @@ export class LLM extends Resource {
                             return message;
                         }
                         else {
-                            // Fallback: create assistant message
-                            return {
-                                role: 'assistant',
-                                content: message.content
-                            };
+                            throw new Error(`Unexpected message format: ${message}`);
                         }
                     }
                 }

package/dist/services/oidc-providers.d.ts

@@ -0,0 +1,15 @@
+import type { OIDCProviderConfig } from '../types/index.js';
+export type { OIDCProviderConfig };
+/** Google OIDC provider configuration. */
+export declare const GoogleOIDCProvider: OIDCProviderConfig;
+/** Facebook OIDC provider configuration. */
+export declare const FacebookOIDCProvider: OIDCProviderConfig;
+/**
+ * GitHub OAuth provider configuration.
+ *
+ * Note: GitHub does not fully implement OIDC (no id_token is returned).
+ * User info is fetched from the GitHub API using the access token.
+ */
+export declare const GitHubOIDCProvider: OIDCProviderConfig;
+/** Apple Sign In OIDC provider configuration. */
+export declare const AppleOIDCProvider: OIDCProviderConfig;

package/dist/services/oidc-providers.js

@@ -0,0 +1,63 @@
+/** Google OIDC provider configuration. */
+export const GoogleOIDCProvider = {
+    id: 'google',
+    name: 'Google',
+    authorizationEndpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
+    tokenEndpoint: 'https://oauth2.googleapis.com/token',
+    jwksUri: 'https://www.googleapis.com/oauth2/v3/certs',
+    issuer: 'https://accounts.google.com',
+    scopes: ['openid', 'email', 'profile'],
+    buttonStyle: 'background: #fff; color: #3c4043; border: 1px solid #dadce0;',
+    icon: `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18">
+		<path fill="#4285F4" d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z"/>
+		<path fill="#34A853" d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"/>
+		<path fill="#FBBC05" d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l3.66-2.84z"/>
+		<path fill="#EA4335" d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"/>
+	</svg>`,
+};
+/** Facebook OIDC provider configuration. */
+export const FacebookOIDCProvider = {
+    id: 'facebook',
+    name: 'Facebook',
+    authorizationEndpoint: 'https://www.facebook.com/v18.0/dialog/oauth',
+    tokenEndpoint: 'https://graph.facebook.com/v18.0/oauth/access_token',
+    jwksUri: 'https://www.facebook.com/.well-known/oauth/openid/jwks/',
+    issuer: 'https://www.facebook.com',
+    scopes: ['openid', 'email', 'public_profile'],
+    buttonStyle: 'background: #1877F2; color: #fff; border: none;',
+    icon: `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18" fill="#fff">
+		<path d="M24 12.073C24 5.405 18.627 0 12 0S0 5.405 0 12.073c0 6.027 4.388 11.02 10.125 11.927v-8.437H7.078v-3.49h3.047V9.43c0-3.007 1.792-4.669 4.533-4.669 1.312 0 2.686.235 2.686.235v2.953H15.83c-1.491 0-1.956.925-1.956 1.874v2.25h3.328l-.532 3.49h-2.796v8.437C19.612 23.093 24 18.1 24 12.073z"/>
+	</svg>`,
+};
+/**
+ * GitHub OAuth provider configuration.
+ *
+ * Note: GitHub does not fully implement OIDC (no id_token is returned).
+ * User info is fetched from the GitHub API using the access token.
+ */
+export const GitHubOIDCProvider = {
+    id: 'github',
+    name: 'GitHub',
+    authorizationEndpoint: 'https://github.com/login/oauth/authorize',
+    tokenEndpoint: 'https://github.com/login/oauth/access_token',
+    userInfoEndpoint: 'https://api.github.com/user',
+    scopes: ['read:user', 'user:email'],
+    buttonStyle: 'background: #24292e; color: #fff; border: none;',
+    icon: `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18" fill="#fff">
+		<path d="M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12"/>
+	</svg>`,
+};
+/** Apple Sign In OIDC provider configuration. */
+export const AppleOIDCProvider = {
+    id: 'apple',
+    name: 'Apple',
+    authorizationEndpoint: 'https://appleid.apple.com/auth/authorize',
+    tokenEndpoint: 'https://appleid.apple.com/auth/token',
+    jwksUri: 'https://appleid.apple.com/auth/keys',
+    issuer: 'https://appleid.apple.com',
+    scopes: ['openid', 'email', 'name'],
+    buttonStyle: 'background: #000; color: #fff; border: none;',
+    icon: `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="18" height="18" fill="#fff">
+		<path d="M12.152 6.896c-.948 0-2.415-1.078-3.96-1.04-2.04.027-3.91 1.183-4.961 3.014-2.117 3.675-.546 9.103 1.519 12.09 1.013 1.454 2.208 3.09 3.792 3.039 1.52-.065 2.09-.987 3.935-.987 1.831 0 2.35.987 3.96.948 1.637-.026 2.676-1.48 3.676-2.948 1.156-1.688 1.636-3.325 1.662-3.415-.039-.013-3.182-1.221-3.22-4.857-.026-3.04 2.48-4.494 2.597-4.559-1.429-2.09-3.623-2.324-4.39-2.376-2-.156-3.675 1.09-4.61 1.09zM15.53 3.83c.843-1.012 1.4-2.427 1.245-3.83-1.207.052-2.662.805-3.532 1.818-.78.896-1.454 2.338-1.273 3.714 1.338.104 2.715-.688 3.559-1.701"/>
+	</svg>`,
+};

package/dist/services/oidc.d.ts

@@ -0,0 +1,16 @@
+import { Endpoint } from '../resources/endpoint.js';
+import { DistributedTable } from '../resources/distributed-table.js';
+import { Setting } from '../resources/setting.js';
+import type { Resource } from '../resource.js';
+import type { SignedCookie } from '../adapters/signed-cookie.js';
+import type { AuthenticationMachineAction, AuthenticationState, OIDCProviderConfig } from '../types/index.js';
+export type OIDCCtors = {
+    Setting: typeof Setting;
+    Endpoint: typeof Endpoint;
+    DistributedTable: typeof DistributedTable;
+};
+export declare class OIDCManager {
+    #private;
+    constructor(scope: Resource | string, providers: OIDCProviderConfig[], cookie: SignedCookie<AuthenticationState>, ctors: OIDCCtors);
+    getMachineActions(): Promise<Record<string, AuthenticationMachineAction>>;
+}

package/dist/services/oidc.js

@@ -0,0 +1,212 @@
+import { randomBytes, createHash } from 'crypto';
+import * as jose from 'jose';
+import { PassThruParser } from '../resources/distributed-table.js';
+const PKCE_TTL_SECONDS = 10 * 60; // 10 minutes
+function fallbackDisplayName(email) {
+    const emailUser = email.split('@')[0] || 'user';
+    return `${emailUser}-${randomBytes(3).toString('hex')}`;
+}
+async function extractIdentityFromIdToken(idToken, clientId, provider) {
+    let payload;
+    if (provider.jwksUri) {
+        const JWKS = jose.createRemoteJWKSet(new URL(provider.jwksUri));
+        const result = await jose.jwtVerify(idToken, JWKS, {
+            issuer: provider.issuer,
+            audience: clientId,
+        });
+        payload = result.payload;
+    }
+    else {
+        payload = jose.decodeJwt(idToken);
+    }
+    return {
+        sub: String(payload.sub ?? ''),
+        email: String(payload.email ?? ''),
+        displayName: String(payload.name ?? payload.preferred_username ?? ''),
+    };
+}
+async function extractIdentityFromUserInfo(accessToken, userInfoEndpoint) {
+    const resp = await fetch(userInfoEndpoint, {
+        headers: {
+            'Authorization': `Bearer ${accessToken}`,
+            'Accept': 'application/json',
+            'User-Agent': 'wirejs-resources',
+        },
+    });
+    if (!resp.ok) {
+        throw new Error(`UserInfo request failed: ${resp.status} ${resp.statusText}`);
+    }
+    const info = await resp.json();
+    return {
+        sub: String(info.id ?? info.sub ?? ''),
+        email: String(info.email ?? ''),
+        displayName: String(info.name ?? info.login ?? info.preferred_username ?? ''),
+    };
+}
+async function exchangeCode(provider, params) {
+    const resp = await fetch(provider.tokenEndpoint, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Accept': 'application/json',
+        },
+        body: new URLSearchParams({
+            grant_type: 'authorization_code',
+            code: params.code,
+            redirect_uri: params.redirectUri,
+            client_id: params.clientId,
+            client_secret: params.clientSecret,
+            code_verifier: params.codeVerifier,
+        }).toString(),
+    });
+    if (!resp.ok) {
+        throw new Error(`Token exchange failed: ${resp.status} ${resp.statusText}`);
+    }
+    return resp.json();
+}
+async function extractIdentity(tokens, clientId, provider) {
+    if (tokens.id_token) {
+        return extractIdentityFromIdToken(tokens.id_token, clientId, provider);
+    }
+    else if (tokens.access_token && provider.userInfoEndpoint) {
+        return extractIdentityFromUserInfo(tokens.access_token, provider.userInfoEndpoint);
+    }
+    return null;
+}
+export class OIDCManager {
+    #pkceTable;
+    #oidcUsersTable;
+    #providers = new Map();
+    #cookie;
+    constructor(scope, providers, cookie, ctors) {
+        this.#cookie = cookie;
+        this.#pkceTable = new ctors.DistributedTable(scope, 'oidc-pkce', {
+            parse: (PassThruParser),
+            key: { partition: { field: 'state', type: 'string' } },
+            ttlAttribute: 'ttl',
+        });
+        this.#oidcUsersTable = new ctors.DistributedTable(scope, 'oidc-users', {
+            parse: (PassThruParser),
+            key: {
+                partition: { field: 'providerId', type: 'string' },
+                sort: { field: 'sub', type: 'string' },
+            },
+        });
+        for (const provider of providers) {
+            this.#registerProvider(scope, provider, ctors);
+        }
+    }
+    #registerProvider(scope, provider, ctors) {
+        const clientIdSetting = new ctors.Setting(scope, `oidc-${provider.id}-client-id`, {
+            private: true, init: () => '',
+            description: `Client ID for the ${provider.name} OIDC provider.`,
+        });
+        const clientSecretSetting = new ctors.Setting(scope, `oidc-${provider.id}-client-secret`, {
+            private: true, init: () => '',
+            description: `Client secret for the ${provider.name} OIDC provider.`,
+        });
+        const callbackEndpoint = new ctors.Endpoint(scope, `oidc-${provider.id}-callback`, {
+            description: `OIDC callback endpoint for ${provider.name}.`,
+            handle: (ctx) => this.#handleCallback(ctx, provider, clientIdSetting, clientSecretSetting),
+        });
+        const startEndpoint = new ctors.Endpoint(scope, `oidc-${provider.id}-start`, {
+            description: `Initiates OIDC sign-in with ${provider.name}.`,
+            handle: (ctx) => this.#handleStart(ctx, provider, clientIdSetting, callbackEndpoint),
+        });
+        this.#providers.set(provider.id, { provider, clientIdSetting, startEndpoint });
+    }
+    async #handleStart(context, provider, clientIdSetting, callbackEndpoint) {
+        const clientId = await clientIdSetting.read() || '';
+        if (!clientId) {
+            context.responseCode = 302;
+            context.responseHeaders['Location'] = '/';
+            return '';
+        }
+        const codeVerifier = randomBytes(32).toString('base64url');
+        const codeChallenge = createHash('sha256').update(codeVerifier).digest('base64url');
+        const state = randomBytes(16).toString('hex');
+        const now = Date.now();
+        const redirectUri = await callbackEndpoint.determineUrl();
+        const referer = context.requestHeaders['referer'] ?? context.requestHeaders['Referer'];
+        const returnTo = (Array.isArray(referer) ? referer[0] : referer) || '/';
+        await this.#pkceTable.save({
+            state, codeVerifier, redirectUri, returnTo, providerId: provider.id,
+            createdAt: now, ttl: Math.floor(now / 1000) + PKCE_TTL_SECONDS,
+        });
+        const scopes = provider.scopes ?? ['openid', 'email', 'profile'];
+        const params = new URLSearchParams({
+            response_type: 'code', client_id: clientId, redirect_uri: redirectUri,
+            scope: scopes.join(' '), state, code_challenge: codeChallenge,
+            code_challenge_method: 'S256',
+        });
+        context.responseCode = 302;
+        context.responseHeaders['Location'] = `${provider.authorizationEndpoint}?${params}`;
+        return '';
+    }
+    async #handleCallback(context, provider, clientIdSetting, clientSecretSetting) {
+        const code = context.location.searchParams.get('code');
+        const state = context.location.searchParams.get('state');
+        const fail = () => {
+            context.responseCode = 302;
+            context.responseHeaders['Location'] = '/';
+            return '';
+        };
+        if (!code || !state)
+            return fail();
+        const pkceRecord = await this.#pkceTable.get({ state });
+        if (!pkceRecord || pkceRecord.providerId !== provider.id)
+            return fail();
+        if (pkceRecord.createdAt < Date.now() - PKCE_TTL_SECONDS * 1000)
+            return fail();
+        await this.#pkceTable.delete({ state });
+        const clientId = await clientIdSetting.read() || '';
+        const clientSecret = await clientSecretSetting.read() || '';
+        const tokens = await exchangeCode(provider, {
+            code, codeVerifier: pkceRecord.codeVerifier, clientId, clientSecret,
+            redirectUri: pkceRecord.redirectUri,
+        });
+        const identity = await extractIdentity(tokens, clientId, provider);
+        if (!identity?.sub)
+            return fail();
+        if (!identity.displayName)
+            identity.displayName = fallbackDisplayName(identity.email);
+        const user = await this.#upsertUser(provider.id, identity);
+        await this.#cookie.write(context.cookies, {
+            state: 'authenticated',
+            user: { id: `${provider.id}:${user.sub}`, username: user.email || user.sub, displayName: user.displayName, oidcProvider: provider.id },
+        });
+        context.responseCode = 302;
+        context.responseHeaders['Location'] = pkceRecord.returnTo || '/';
+        return '';
+    }
+    async #upsertUser(providerId, identity) {
+        const now = Date.now();
+        const existing = await this.#oidcUsersTable.get({ providerId, sub: identity.sub });
+        const record = {
+            providerId, sub: identity.sub, email: identity.email,
+            displayName: existing?.displayName || identity.displayName,
+            createdAt: existing?.createdAt ?? now,
+            updatedAt: now,
+        };
+        await this.#oidcUsersTable.save(record);
+        return record;
+    }
+    async getMachineActions() {
+        const actions = {};
+        for (const [, { provider, clientIdSetting, startEndpoint }] of this.#providers) {
+            const clientId = await clientIdSetting.read();
+            if (!clientId)
+                continue;
+            const href = await startEndpoint.determineUrl();
+            const key = `signin-with-${provider.id}`;
+            actions[key] = {
+                key,
+                name: `Sign in with ${provider.name}`,
+                href,
+                icon: provider.icon,
+                buttonStyle: provider.buttonStyle,
+            };
+        }
+        return actions;
+    }
+}

package/dist/setup/index.d.ts

@@ -0,0 +1 @@
+export declare function prebuildApi(): Promise<void>;

package/dist/setup/index.js

@@ -0,0 +1,27 @@
+import process from 'process';
+import fs from 'fs';
+import path from 'path';
+export async function prebuildApi() {
+    const CWD = process.cwd();
+    let API_URL = '/api';
+    const indexModule = await import(path.join(CWD, 'index.js'));
+    try {
+        const backendConfigModule = await import(path.join(CWD, 'config.js'));
+        const backendConfig = backendConfigModule.default;
+        console.log("backend config found", backendConfig);
+        if (backendConfig.apiUrl) {
+            API_URL = backendConfig.apiUrl;
+        }
+    }
+    catch {
+        console.log("No backend API config found.");
+    }
+    const apiCode = Object.keys(indexModule)
+        .map(k => `export const ${k} = apiTree(INTERNAL_API_URL, ${JSON.stringify([k])});`)
+        .join('\n');
+    const baseClient = [
+        `import { apiTree } from "wirejs-resources/hosting/client.js";`,
+        `const INTERNAL_API_URL = ${JSON.stringify(API_URL)};`,
+    ].join('\n');
+    await fs.promises.writeFile(path.join(CWD, 'index.client.js'), [baseClient, apiCode].join('\n\n'));
+}

package/dist/types/index.d.ts

@@ -13,6 +13,48 @@ export type User = {
      * The name this user will be known by to other users.
      */
     displayName: string;
+    /**
+     * When set, indicates that this user authenticated via an OIDC/OAuth2
+     * provider. The value is the provider id (e.g. `'google'`).
+     */
+    oidcProvider?: string;
+};
+/**
+ * Configuration for an OIDC (OpenID Connect) or OAuth2 provider.
+ */
+export type OIDCProviderConfig = {
+    /** Unique identifier for the provider (e.g., 'google', 'facebook'). */
+    id: string;
+    /** Display name shown to users (e.g., 'Google'). */
+    name: string;
+    /** The provider's authorization endpoint URL. */
+    authorizationEndpoint: string;
+    /** The provider's token endpoint URL. */
+    tokenEndpoint: string;
+    /**
+     * The provider's JWKS URI for ID token verification.
+     * Required for OIDC-compliant providers that return an id_token.
+     */
+    jwksUri?: string;
+    /** Expected issuer claim in ID tokens. */
+    issuer?: string;
+    /** OAuth scopes to request. Defaults to ['openid', 'email', 'profile']. */
+    scopes?: string[];
+    /**
+     * URL for fetching user info via Bearer token.
+     * Used for non-OIDC OAuth providers (e.g., GitHub) that do not return an id_token.
+     */
+    userInfoEndpoint?: string;
+    /**
+     * Inline SVG markup for the provider's brand icon.
+     * Displayed inside the sign-in button when provided.
+     */
+    icon?: string;
+    /**
+     * Inline CSS applied to the sign-in button for this provider.
+     * Allows brand-colour backgrounds, text colours, etc.
+     */
+    buttonStyle?: string;
 };
 export type AuthenticationField = {
     label: string;
@@ -36,6 +78,19 @@ export type AuthenticationState = {
 };
 export type AuthenticationMachineAction = Readonly<AuthenticationAction & {
     key: string;
+    /**
+     * If present, the action should be rendered as a direct navigation link
+     * rather than triggering the state machine (e.g., OIDC sign-in buttons).
+     */
+    href?: string;
+    /**
+     * Inline SVG markup for an icon to display inside the action button/link.
+     */
+    icon?: string;
+    /**
+     * Inline CSS applied to the action button/link element.
+     */
+    buttonStyle?: string;
 }>;
 export type AuthenticationMachineState = AuthenticationState & {
     message?: string;
@@ -71,4 +126,10 @@ export type AuthenticationServiceOptions = {
      * The name of the cookie to use to store the authentication state JWT.
      */
     cookie?: string;
+    /**
+     * OIDC / OAuth2 providers to enable for sign-in.
+     * For each provider, a pair of Settings (client-id and client-secret) will be created,
+     * along with start and callback Endpoints.
+     */
+    oidcProviders?: OIDCProviderConfig[];
 };

package/dist/types/resources/distributed-table.d.ts

@@ -117,4 +117,10 @@ export type TableDefinition = {
     partitionKey: KeyFieldDefinition;
     sortKey?: KeyFieldDefinition;
     indexes?: Index<any>[];
+    /**
+     * The name of the attribute to use as the TTL (time-to-live) field.
+     * When set, the underlying provider (e.g., DynamoDB) will automatically
+     * expire records whose TTL value (epoch seconds) is in the past.
+     */
+    ttlAttribute?: string;
 };

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "wirejs-resources",
-	"version": "0.1.166",
+	"version": "0.1.168",
 	"description": "Basic services and server-side resources for wirejs apps",
 	"type": "module",
 	"main": "./dist/index.js",