Auth Server
Classes
FilesystemStorageAdapter
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| initialize | jest.Mock<any, any, any> | Yes | |
| createUser | jest.Mock<any, any, any> | Yes | |
| getUser | jest.Mock<any, any, any> | Yes | |
| getUserByEmail | jest.Mock<any, any, any> | Yes | |
| updateUser | jest.Mock<any, any, any> | Yes | |
| deleteUser | jest.Mock<any, any, any> | Yes | |
| createSession | jest.Mock<any, any, any> | Yes | |
| getSession | jest.Mock<any, any, any> | Yes | |
| updateSession | jest.Mock<any, any, any> | Yes | |
| deleteSession | jest.Mock<any, any, any> | Yes | |
| createVerificationToken | jest.Mock<any, any, any> | Yes | |
| useVerificationToken | jest.Mock<any, any, any> | Yes | |
| createApiToken | jest.Mock<any, any, any> | Yes | |
| getApiToken | jest.Mock<any, any, any> | Yes | |
| updateApiToken | jest.Mock<any, any, any> | Yes | |
| getApiTokensByServiceAccount | jest.Mock<any, any, any> | Yes | |
| getApiTokensByPrefix | jest.Mock<any, any, any> | Yes | |
| getServiceAccount | jest.Mock<any, any, any> | Yes | |
MailService
Mock for
Constructor
constructor(_config: any)
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| _config | any | Yes | |
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| send | jest.Mock<any, any, any> | Yes | |
| sendTemplate | jest.Mock<any, any, any> | Yes | |
| renderTemplate | jest.Mock<any, any, any> | Yes | |
ConsoleAdapter
Constructor
constructor(_config: any)
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| _config | any | Yes | |
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| send | jest.Mock<any, any, any> | Yes | |
SendGridAdapter
Constructor
constructor(_config: any)
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| _config | any | Yes | |
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| send | jest.Mock<any, any, any> | Yes | |
OAuthService
OAuth service implementing PKCE (Proof Key for Code Exchange) validation. Provides core OAuth 2.0 Authorization Code Flow functionality.
Constructor
constructor(storage: OAuthStorage)
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| storage | OAuthStorage | Yes | Storage implementation for OAuth codes |
Methods
validatePKCE
Validate PKCE code verifier against the stored code challenge.
For S256 method:
- Hash the code verifier with SHA-256
- Base64url encode the hash
- Compare with the stored code challenge
For plain method (testing only):
- Direct string comparison
validatePKCE(codeVerifier: string, codeChallenge: string, method: CodeChallengeMethod): boolean
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| codeVerifier | string | Yes | The code verifier from the token request |
| codeChallenge | string | Yes | The code challenge from the authorization request |
| method | CodeChallengeMethod | Yes | The challenge method ('S256' or 'plain') |
Returns:
boolean - True if verification passes, false otherwise
generateCodeChallenge
Generate a code challenge from a code verifier.
generateCodeChallenge(codeVerifier: string, method: CodeChallengeMethod): string | null
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| codeVerifier | string | Yes | The code verifier to hash |
| method | CodeChallengeMethod | Yes | The challenge method ('S256' or 'plain') |
Returns:
string | null - The computed code challenge, or null for unknown methods
validateClient
Validate an OAuth client ID.
validateClient(clientId: string): ClientValidationResult
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| clientId | string | Yes | The client ID to validate |
Returns:
ClientValidationResult - Validation result with client details if valid
validateRedirectUri
Validate a redirect URI against a client's allowed patterns.
Security: Uses proper URL parsing to prevent bypass attacks. Validates scheme, host, and port components separately rather than regex matching the full string (which can be bypassed with userinfo tricks).
validateRedirectUri(clientId: string, redirectUri: string): boolean
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| clientId | string | Yes | The OAuth client ID |
| redirectUri | string | Yes | The redirect URI to validate |
Returns:
boolean - True if the URI matches an allowed pattern
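The difference between matching the full string and comparing parsed components, as an added example (not the Auth Server source). The allow-list shape, the `'*'` loopback port convention, the fragment rejection and all hostnames are assumptions constructed for illustration, and the list stands in for one client's allowed patterns.

```javascript
// Added example: component-wise redirect URI checks versus string matching.
// Hostnames and the allow-list shape are constructed for illustration.
const ALLOWED = [
  { protocol: 'https:', hostname: 'app.example.com', port: '', pathname: '/callback' },
  // Loopback redirect for a CLI client: any port (RFC 8252 section 7.3).
  { protocol: 'http:', hostname: '127.0.0.1', port: '*', pathname: '/callback' },
];

// Weak: matches on the raw string, so text before "@" or a longer
// hostname that merely starts with the allowed one satisfies the pattern.
function naiveCheck(redirectUri) {
  return /^https:\/\/app\.example\.com/.test(redirectUri);
}

// Hardened: parse once, then compare each component exactly.
function strictCheck(redirectUri, allowed = ALLOWED) {
  let url;
  try {
    url = new URL(redirectUri);
  } catch {
    return false; // not an absolute URL
  }
  if (url.username !== '' || url.password !== '') return false; // no userinfo
  if (url.hash !== '') return false; // no fragment on a redirect URI
  return allowed.some((a) =>
    url.protocol === a.protocol &&
    url.hostname === a.hostname &&
    (a.port === '*' || url.port === a.port) &&
    url.pathname === a.pathname);
}

// Constructed inputs: [uri, expected strictCheck result]
const SAMPLES = [
  ['https://app.example.com/callback', true],
  ['http://127.0.0.1:49152/callback', true],
  ['https://app.example.com@other.example/callback', false],
  ['https://app.example.com.other.example/callback', false],
  ['http://app.example.com/callback', false],
  ['https://app.example.com:8443/callback', false],
];

function evaluate() {
  return SAMPLES.map(([uri]) => ({ uri, naive: naiveCheck(uri), strict: strictCheck(uri) }));
}

console.table(evaluate());
```

The third, fourth and sixth samples pass `naiveCheck` and fail `strictCheck`, which is the gap the component-wise comparison closes.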
createAuthorizationCode
Create a new authorization code.
The code is stored with a 10-minute expiration and all the data needed for validation during token exchange.
createAuthorizationCode(params: CreateCodeParams): Promise<OAuthCodeData>
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| params | CreateCodeParams | Yes | Authorization code parameters |
Returns:
Promise<OAuthCodeData> - The created code data including the generated code value
exchangeCode
Exchange an authorization code for token data.
Validates:
- Code exists and is not expired
- Client ID matches
- Redirect URI matches
- PKCE code verifier is correct
The code is deleted after use (single-use).
exchangeCode(code: string, codeVerifier: string, clientId: string, redirectUri: string): Promise<ExchangeCodeResult>
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
| code | string | Yes | The authorization code |
| codeVerifier | string | Yes | The PKCE code verifier |
| clientId | string | Yes | The OAuth client ID |
| redirectUri | string | Yes | The redirect URI (must match original) |
Returns:
Promise<ExchangeCodeResult> - Exchange result with user data or error details
Examples:
```typescript
const storage = new MemoryOAuthStorage()
const oauth = new OAuthService(storage)

// Validate PKCE during token exchange
const isValid = oauth.validatePKCE(codeVerifier, codeChallenge, 'S256')

// Create authorization code
const { code } = await oauth.createAuthorizationCode({
  clientId: 'claude-code',
  userId: 'user_123',
  // ... other params
})
```
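The checks listed under exchangeCode (existence and expiry, client ID, redirect URI, PKCE, single use), as an added example that is not the Auth Server source. The in-memory `Map`, the function names, the result shape, the `invalid_grant` error value and the choice to delete the code before validating are assumptions of this sketch.

```javascript
// Added example: single-use authorization code exchange, in-memory store.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const CODE_TTL_MS = 10 * 60 * 1000; // 10-minute expiration, as documented above
const codes = new Map();            // hypothetical stand-in for OAuthStorage
const DENY = Object.freeze({ success: false, error: 'invalid_grant' });

const s256 = (v) => createHash('sha256').update(v, 'ascii').digest('base64url');
const same = (a, b) => {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
};

function issueCode(params, now = Date.now()) {
  const code = randomBytes(32).toString('base64url');
  codes.set(code, { ...params, expiresAt: now + CODE_TTL_MS });
  return code;
}

function redeemCode(code, codeVerifier, clientId, redirectUri, now = Date.now()) {
  const data = codes.get(code);
  if (!data) return DENY;                            // unknown or already used
  // Design choice in this sketch: delete before validating, so a code is
  // spent on its first presentation even when a later check fails.
  codes.delete(code);
  if (now >= data.expiresAt) return DENY;            // expired
  if (clientId !== data.clientId) return DENY;       // issued to another client
  if (redirectUri !== data.redirectUri) return DENY; // must match the original
  if (!same(s256(String(codeVerifier)), data.codeChallenge)) return DENY;
  return { success: true, userId: data.userId };
}

// Constructed walk-through: a good exchange, then replay, expiry, wrong verifier.
function demo() {
  const verifier = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'; // RFC 7636 App. B
  const p = { clientId: 'claude-code', userId: 'user_123',
    redirectUri: 'http://127.0.0.1:49152/callback', codeChallenge: s256(verifier) };
  const t0 = 1700000000000; // fixed clock so the result is deterministic
  const args = [verifier, p.clientId, p.redirectUri];
  const c1 = issueCode(p, t0);
  const first = redeemCode(c1, ...args, t0 + 1000);
  const replay = redeemCode(c1, ...args, t0 + 2000);
  const expired = redeemCode(issueCode(p, t0), ...args, t0 + CODE_TTL_MS);
  const badVerifier = redeemCode(issueCode(p, t0), 'x'.repeat(43), p.clientId, p.redirectUri, t0);
  return { first, replay, expired, badVerifier };
}

console.log(demo());
```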