import { Client, OAuth2Request } from './types.js';
/**
* Generates a cryptographically strong random string.
* Compliant with RFC 7636 for PKCE code verifiers.
*
* @param length - Number of characters in the returned string.
* @returns The random string.
*
* NOTE(review): the output alphabet and the randomness source are not visible
* from this declaration. For a PKCE code verifier the characters must come from
* the RFC 7636 §4.1 unreserved set and the source must be a CSPRNG — confirm
* against the implementation.
*/
declare function generateSecureRandomString(length: number): string;
/**
* Creates a SHA256 hash and encodes it in Base64 URL-safe format.
* Used for PKCE S256 code challenge verification.
*
* @param verifier - The PKCE code verifier (ASCII string per RFC 7636 §4.2).
* @returns BASE64URL(SHA256(ASCII(verifier))). RFC 7636 Appendix A requires the
*   `=` padding to be omitted; whether this implementation strips it is not
*   visible here — confirm, since a padded value would never match a client's
*   challenge.
*/
declare function createS256Challenge(verifier: string): string;
/**
* Hashes a client secret using SHA-256 with a salt.
* Provides protection against rainbow table attacks.
*
* @param secret - The plaintext client secret to hash.
* @param salt - Optional salt; when omitted one is presumably generated — confirm.
* @returns The hashed secret together with the salt that was used. The salt is
*   needed again at verification time, so persist it alongside `hashedSecret`.
*
* NOTE(review): a single salted SHA-256 is a fast hash, not a password KDF. That
* is acceptable only if client secrets are always high-entropy values issued by
* the server (not user-chosen); if operators can set their own secrets, a slow
* KDF (e.g. scrypt/PBKDF2 from Node's `crypto`) would be the safer choice.
*/
declare function hashClientSecret(secret: string, salt?: string): {
hashedSecret: string;
salt: string;
};
/**
* Verifies a client secret against a hashed secret using timing-safe comparison.
* Prevents timing attacks while maintaining backward compatibility.
*
* @param plainSecret - The secret presented by the client.
* @param hashedSecret - The stored value produced by hashClientSecret.
* @returns true when the secret matches, false otherwise.
*
* NOTE(review): no salt parameter is declared, so the salt is presumably encoded
* inside `hashedSecret` — confirm the storage format. "Backward compatibility"
* suggests stored plaintext (unhashed) secrets may also be accepted; if so, that
* path should be treated as a migration aid and removed once all secrets are
* hashed, as it keeps plaintext storage viable.
*/
declare function verifyClientSecret(plainSecret: string, hashedSecret: string): boolean;
/**
* Validates PKCE code verifier length and character set according to RFC 7636.
* Ensures the code verifier meets security requirements.
*
* @param codeVerifier - The `code_verifier` value sent by the client.
* @param minLength - Lower bound on length; RFC 7636 §4.1 specifies 43 —
*   presumably the default, confirm.
* @param maxLength - Upper bound on length; RFC 7636 §4.1 specifies 128 —
*   presumably the default, confirm.
* @returns true when the verifier is within bounds and uses only the unreserved
*   characters `[A-Za-z0-9-._~]`, false otherwise.
*/
declare function validateCodeVerifier(codeVerifier: string, minLength?: number, maxLength?: number): boolean;
/**
* Validates a PKCE code challenge against a code verifier.
* Supports both 'plain' and 'S256' challenge methods.
*
* @param codeVerifier - The `code_verifier` presented at the token endpoint.
* @param codeChallenge - The `code_challenge` stored from the authorization request.
* @param codeChallengeMethod - 'plain' compares the verifier directly; 'S256'
*   compares BASE64URL(SHA256(verifier)) against the challenge (RFC 7636 §4.6).
* @returns true when the verifier satisfies the challenge, false otherwise.
*
* NOTE(review): RFC 7636 §7.2 recommends S256 and permits 'plain' only for
* clients that cannot support it; servers may want to reject 'plain' by policy.
* Whether the final comparison is timing-safe is not visible from this
* declaration — confirm.
*/
declare function validatePkceChallenge(codeVerifier: string, codeChallenge: string, codeChallengeMethod: 'plain' | 'S256'): boolean;
/**
* Parses a space-delimited scope string into an array of individual scopes.
* Filters out empty strings and normalizes the input.
*
* @param scopeString - The raw `scope` parameter, or undefined when absent.
* @returns The individual scope tokens; presumably an empty array when the input
*   is undefined or blank — confirm. What "normalizes" covers (trimming,
*   de-duplication) is not visible from this declaration.
*/
declare function parseScopes(scopeString: string | undefined): string[];
/**
* Validates that all requested scopes are supported by the server.
* Throws an error if any scope is not in the predefined list.
*
* @param requestedScopes - Scope tokens requested by the client.
* @param predefinedScopes - The full set of scopes this server supports.
* @throws When any requested scope is absent from `predefinedScopes`. The error
*   type is not visible here; RFC 6749 §5.2 names this condition `invalid_scope`
*   — confirm the thrown error maps to it.
*/
declare function validateScopeSupport(requestedScopes: string[], predefinedScopes: string[]): void;
/**
* Validates that the client is allowed to request the specified scopes.
* Throws an error if the client doesn't have permission for any scope.
*
* @param requestedScopes - Scope tokens requested by the client.
* @param client - The registered client whose allowed scopes are checked
*   (the relevant field on `Client` is not visible from this declaration).
* @throws When any requested scope is outside the client's allowed set; error
*   type not visible here.
*/
declare function validateClientScopePermission(requestedScopes: string[], client: Client): void;
/**
* Validates the requested scopes against predefined and client-specific allowed scopes.
* Returns the validated, space-delimited scope string.
*
* @param requestedScope - The raw `scope` parameter, or undefined when absent.
* @param predefinedScopes - The full set of scopes this server supports.
* @param client - The registered client making the request.
* @returns The validated scopes joined with single spaces.
* @throws When a scope is unsupported or not permitted for the client.
*
* NOTE(review): behaviour when `requestedScope` is undefined (use the client's
* default scopes, or return an empty string) is not visible here — confirm, as
* RFC 6749 §3.3 leaves that choice to the server.
*/
declare function validateScope(requestedScope: string | undefined, predefinedScopes: string[], client: Client): string;
/**
* Validates a redirect URI against a client's registered URIs.
* Handles the case where no redirect URI is provided but the client has exactly one registered.
*
* @param client - Object carrying the client's registered redirect URIs.
* @param redirectUri - The `redirect_uri` from the request, if present.
* @returns The redirect URI to use: the validated request value, or the single
*   registered URI when the request omitted it.
* @throws Presumably when the URI is not registered, or when it is absent and
*   the client has zero or several registered URIs — error type not visible.
*
* NOTE(review): registered URIs must be matched by exact string comparison
* (RFC 6749 §3.1.2.3, OAuth 2.0 Security BCP); prefix or pattern matching
* enables open-redirect and code-theft issues. The comparison strategy is not
* visible from this declaration — confirm.
*/
declare function validateRedirectUri(client: {
redirectUris: string[];
}, redirectUri?: string): string;
/**
* Takes an OAuth2Request and returns the parsed body as a record.
* Handles both JSON and form-urlencoded content types.
*
* @param request - The incoming request; its body and content type are read.
* @returns The parsed body keyed by parameter name.
*
* NOTE(review): the `any` value type means callers get no compile-time check
* on body fields. Treat every value as untrusted input and validate its type
* before use; `Record<string, unknown>` would force that at the call site.
* Behaviour on a missing body, an unsupported content type, or malformed JSON
* is not visible from this declaration — confirm.
*
* @see RFC 6749, Section 4.1.3 Access Token Request
* @see RFC 6749, Appendix B Use of application/x-www-form-urlencoded Media Type
*/
declare function parseRequestBody(request: OAuth2Request): Record<string, any>;
/**
* Generates a cryptographically strong random string.
* Uses Node.js crypto module for secure random generation.
*
* @param length - Number of characters in the returned string.
* @returns The random string.
*
* NOTE(review): this module also declares generateSecureRandomString with the
* same signature; how the two differ (alphabet, length semantics) is not
* visible here — confirm, and consider documenting which one callers should use
* for which purpose.
*/
declare function generateRandomString(length: number): string;
/**
* Extracts client credentials from Basic authentication header.
* Returns null if no Basic auth header is present.
*
* @param authHeader - The raw `Authorization` header value, if any.
* @returns The decoded client id and secret, or null when the header is absent
*   or does not use the Basic scheme.
*
* NOTE(review): RFC 6749 §2.3.1 requires `client_id` and `client_secret` to be
* form-urlencoded before Basic encoding; whether this decodes them is not
* visible here. Handling of a malformed header (invalid base64, no `:`
* separator) is also not visible — callers should not assume a non-null result
* is well-formed without checking the fields.
*/
declare function extractBasicAuthCredentials(authHeader?: string): {
clientId: string;
clientSecret: string;
} | null;
// Public surface of the utils module; every declaration above is exported.
export { createS256Challenge, extractBasicAuthCredentials, generateRandomString, generateSecureRandomString, hashClientSecret, parseRequestBody, parseScopes, validateClientScopePermission, validateCodeVerifier, validatePkceChallenge, validateRedirectUri, validateScope, validateScopeSupport, verifyClientSecret };
//# sourceMappingURL=utils.d.ts.map