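/**
 * @dotdo/oauth - PKCE (Proof Key for Code Exchange) utilities
 *
 * OAuth 2.1 requires PKCE for all authorization code flows.
 * Only S256 is supported (plain is deprecated in OAuth 2.1).
 *
 * This is a declaration file: it describes signatures only. Input
 * validation and error behaviour live in the implementation and cannot be
 * confirmed from here.
 */

/**
 * Generate a cryptographically random code verifier
 *
 * Per RFC 7636, the verifier must be:
 * - Between 43 and 128 characters long
 * - Using only unreserved URI characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
 *
 * NOTE(review): the signature does not show whether a `length` outside
 * 43..128 is rejected or clamped; callers should stay inside that range.
 *
 * @param length - Length of the verifier (default: 64)
 * @returns Random code verifier string
 */
export declare function generateCodeVerifier(length?: number): string;

/**
 * Generate a code challenge from a code verifier using S256 method
 *
 * S256: BASE64URL(SHA256(code_verifier))
 *
 * @param verifier - The code verifier
 * @returns Promise resolving to the Base64URL-encoded SHA-256 hash of the verifier
 */
export declare function generateCodeChallenge(verifier: string): Promise<string>;

/**
 * Verify a code verifier against a code challenge
 *
 * NOTE(review): `method` is typed as a plain optional string. Presumably
 * any value other than 'S256' (including 'plain') fails verification, in
 * line with the module header; confirm against the implementation, since
 * accepting 'plain' would weaken PKCE.
 *
 * @param verifier - The code verifier from the token request
 * @param challenge - The code challenge from the authorization request
 * @param method - The challenge method (must be 'S256' for OAuth 2.1)
 * @returns Promise resolving to true if the verifier matches the challenge
 */
export declare function verifyCodeChallenge(verifier: string, challenge: string, method?: string): Promise<boolean>;

/**
 * Generate a PKCE pair (verifier and challenge)
 *
 * The verifier must stay with the client until the token request; only the
 * challenge belongs in the authorization request.
 *
 * @param length - Length of the verifier (default: 64)
 * @returns Object with verifier and challenge
 */
export declare function generatePkce(length?: number): Promise<{
    verifier: string;
    challenge: string;
}>;

/**
 * Base64URL encode an ArrayBuffer
 *
 * @param buffer - The buffer to encode
 * @returns Base64URL-encoded string (no padding)
 */
export declare function base64UrlEncode(buffer: ArrayBuffer): string;

/**
 * Base64URL decode a string to ArrayBuffer
 *
 * NOTE(review): behaviour on malformed input (throw vs. partial decode) is
 * not visible in this declaration; treat the input as untrusted and confirm.
 *
 * @param str - Base64URL-encoded string
 * @returns Decoded ArrayBuffer
 */
export declare function base64UrlDecode(str: string): ArrayBuffer;

/**
 * Constant-time string comparison to prevent timing attacks
 *
 * NOTE(review): whether inputs of different lengths are also compared
 * without an early exit cannot be told from the signature; confirm before
 * relying on this for values whose length is itself sensitive.
 *
 * @param a - First string
 * @param b - Second string
 * @returns True if strings are equal
 */
export declare function constantTimeEqual(a: string, b: string): boolean;

/**
 * Generate a random state parameter for CSRF protection
 *
 * The protection comes from binding the returned value to the user's
 * session and comparing it on the callback; generating it is not enough.
 *
 * @param length - Length of the state (default: 32)
 * @returns Random state string
 */
export declare function generateState(length?: number): string;

/**
 * Generate a random token (for access tokens, refresh tokens, etc.)
 *
 * @param length - Length of the token (default: 32)
 * @returns Random token string
 */
export declare function generateToken(length?: number): string;

/**
 * Generate a unique authorization code
 *
 * Single-use enforcement and expiry are the caller's responsibility; this
 * function only produces the value.
 *
 * @returns Random authorization code
 */
export declare function generateAuthorizationCode(): string;

/**
 * Hash a client secret for storage
 *
 * NOTE(review): a single SHA-256 pass is adequate only for high-entropy,
 * randomly generated secrets. If operators can choose their own client
 * secrets, a salted password-hashing function is the usual choice; confirm
 * how secrets are issued.
 *
 * @param secret - The client secret to hash
 * @returns Promise resolving to the SHA-256 hash of the secret
 */
export declare function hashClientSecret(secret: string): Promise<string>;

/**
 * Verify a client secret against a hash
 *
 * NOTE(review): presumably the hash comparison uses constantTimeEqual;
 * confirm against the implementation.
 *
 * @param secret - The client secret to verify
 * @param hash - The stored hash
 * @returns Promise resolving to true if the secret matches the hash
 */
export declare function verifyClientSecret(secret: string, hash: string): Promise<boolean>;
//# sourceMappingURL=pkce.d.ts.map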