Scoped OAuth 2 tokens

2026-03-31 14:33:18 +02:00 · 2025-07-23 22:03:03 -07:00
parent a258a80fbd
commit 20681e5be3
14 changed files with 232 additions and 86 deletions
--- a/plugins/auth-oauth2/src/grants/authorizationCode.ts
+++ b/plugins/auth-oauth2/src/grants/authorizationCode.ts
@@ -2,7 +2,7 @@ import type { Context } from '@yaakapp/api';
 import { createHash, randomBytes } from 'node:crypto';
 import { fetchAccessToken } from '../fetchAccessToken';
 import { getOrRefreshAccessToken } from '../getOrRefreshAccessToken';
-import type { AccessToken } from '../store';
+import type { AccessToken, TokenStoreArgs } from '../store';
 import { getDataDirKey, storeToken } from '../store';

 export const PKCE_SHA256 = 'S256';
@@ -41,7 +41,14 @@ export async function getAuthorizationCode(
    tokenName: 'access_token' | 'id_token';
  },
 ): Promise<AccessToken> {
-  const token = await getOrRefreshAccessToken(ctx, contextId, {
+  const tokenArgs: TokenStoreArgs = {
+    contextId,
+    clientId,
+    accessTokenUrl,
+    authorizationUrl: authorizationUrlRaw,
+  };
+
+  const token = await getOrRefreshAccessToken(ctx, tokenArgs, {
    accessTokenUrl,
    scope,
    clientId,
@@ -128,7 +135,7 @@ export async function getAuthorizationCode(
    ],
  });

-  return storeToken(ctx, contextId, response, tokenName);
+  return storeToken(ctx, tokenArgs, response, tokenName);
 }

 export function genPkceCodeVerifier() {
--- a/plugins/auth-oauth2/src/grants/clientCredentials.ts
+++ b/plugins/auth-oauth2/src/grants/clientCredentials.ts
@@ -1,7 +1,8 @@
 import type { Context } from '@yaakapp/api';
 import { fetchAccessToken } from '../fetchAccessToken';
-import { isTokenExpired } from '../getAccessTokenIfNotExpired';
+import type { TokenStoreArgs } from '../store';
 import { getToken, storeToken } from '../store';
+import { isTokenExpired } from '../util';

 export async function getClientCredentials(
  ctx: Context,
@@ -22,7 +23,13 @@ export async function getClientCredentials(
    credentialsInBody: boolean;
  },
 ) {
-  const token = await getToken(ctx, contextId);
+  const tokenArgs: TokenStoreArgs = {
+    contextId,
+    clientId,
+    accessTokenUrl,
+    authorizationUrl: null,
+  };
+  const token = await getToken(ctx, tokenArgs);
  if (token && !isTokenExpired(token)) {
    return token;
  }
@@ -38,5 +45,5 @@ export async function getClientCredentials(
    params: [],
  });

-  return storeToken(ctx, contextId, response);
+  return storeToken(ctx, tokenArgs, response);
 }
--- a/plugins/auth-oauth2/src/grants/implicit.ts
+++ b/plugins/auth-oauth2/src/grants/implicit.ts
@@ -1,7 +1,7 @@
 import type { Context } from '@yaakapp/api';
-import { isTokenExpired } from '../getAccessTokenIfNotExpired';
-import type { AccessToken, AccessTokenRawResponse} from '../store';
+import type { AccessToken, AccessTokenRawResponse } from '../store';
 import { getToken, storeToken } from '../store';
+import { isTokenExpired } from '../util';

 export async function getImplicit(
  ctx: Context,
@@ -26,7 +26,13 @@ export async function getImplicit(
    tokenName: 'access_token' | 'id_token';
  },
 ): Promise<AccessToken> {
-  const token = await getToken(ctx, contextId);
+  const tokenArgs = {
+    contextId,
+    clientId,
+    accessTokenUrl: null,
+    authorizationUrl: authorizationUrlRaw,
+  };
+  const token = await getToken(ctx, tokenArgs);
  if (token != null && !isTokenExpired(token)) {
    return token;
  }
@@ -82,7 +88,7 @@ export async function getImplicit(

        const response = Object.fromEntries(params) as unknown as AccessTokenRawResponse;
        try {
-          resolve(storeToken(ctx, contextId, response));
+          resolve(storeToken(ctx, tokenArgs, response));
        } catch (err) {
          reject(err);
        }
--- a/plugins/auth-oauth2/src/grants/password.ts
+++ b/plugins/auth-oauth2/src/grants/password.ts
@@ -1,7 +1,7 @@
 import type { Context } from '@yaakapp/api';
 import { fetchAccessToken } from '../fetchAccessToken';
 import { getOrRefreshAccessToken } from '../getOrRefreshAccessToken';
-import type { AccessToken} from '../store';
+import type { AccessToken, TokenStoreArgs } from '../store';
 import { storeToken } from '../store';

 export async function getPassword(
@@ -27,7 +27,13 @@ export async function getPassword(
    credentialsInBody: boolean;
  },
 ): Promise<AccessToken> {
-  const token = await getOrRefreshAccessToken(ctx, contextId, {
+  const tokenArgs: TokenStoreArgs = {
+    contextId,
+    clientId,
+    accessTokenUrl,
+    authorizationUrl: null,
+  };
+  const token = await getOrRefreshAccessToken(ctx, tokenArgs, {
    accessTokenUrl,
    scope,
    clientId,
@@ -52,5 +58,5 @@ export async function getPassword(
    ],
  });

-  return storeToken(ctx, contextId, response);
+  return storeToken(ctx, tokenArgs, response);
 }