Merge pull request #194 from tobiasdcl/extra-args

jasonraimondi · web-flow · commit 6ca9b01b87e9 · 2025-10-30T21:30:30.000-04:00
feat: provide originatingAuthCodeId as an argument to extraTokenFields
diff --git a/src/grants/abstract/abstract.grant.ts b/src/grants/abstract/abstract.grant.ts
@@ -318,8 +318,9 @@ export abstract class AbstractGrant implements GrantInterface {
     req: RequestInterface,
     client: OAuthClient,
     user?: OAuthUser | null,
+    originatingAuthCodeId?: string,
   ): Promise<ExtraAccessTokenFields> {
-    const extraJwtFields = await this.jwt.extraTokenFields?.({ user, client });
+    const extraJwtFields = await this.jwt.extraTokenFields?.({ user, client, originatingAuthCodeId });
     const aud: string[] | string | undefined =
       this.getQueryStringParameter("audience", req) ??
       this.getRequestParameter("audience", req) ??
diff --git a/src/grants/auth_code.grant.ts b/src/grants/auth_code.grant.ts
@@ -138,7 +138,7 @@ export class AuthCodeGrant extends AbstractAuthorizedGrant {
 
     await this.authCodeRepository.revoke(validatedPayload.auth_code_id);
 
-    const extraJwtFields = await this.extraJwtFields(req, client, user);
+    const extraJwtFields = await this.extraJwtFields(req, client, user, accessToken.originatingAuthCodeId);
 
     return await this.makeBearerTokenResponse(client, accessToken, scopes, extraJwtFields);
   }
diff --git a/src/grants/refresh_token.grant.ts b/src/grants/refresh_token.grant.ts
@@ -40,7 +40,7 @@ export class RefreshTokenGrant extends AbstractGrant {
 
     newToken = await this.issueRefreshToken(newToken, client);
 
-    const extraJwtFields = await this.extraJwtFields(req, client, user);
+    const extraJwtFields = await this.extraJwtFields(req, client, user, newToken.originatingAuthCodeId);
 
     return await this.makeBearerTokenResponse(client, newToken, scopes, extraJwtFields);
   }
diff --git a/src/utils/jwt.ts b/src/utils/jwt.ts
@@ -6,6 +6,7 @@ export type ExtraAccessTokenFields = Record<string, string | number | boolean |
 export type ExtraAccessTokenFieldArgs = {
   user?: OAuthUser | null;
   client: OAuthClient;
+  originatingAuthCodeId?: string;
 };
 export interface JwtInterface {
   verify(token: string, options?: VerifyOptions): Promise<Record<string, unknown>>;
diff --git a/test/e2e/grants/auth_code.grant.spec.ts b/test/e2e/grants/auth_code.grant.spec.ts
@@ -471,6 +471,25 @@ describe("authorization_code grant", () => {
       authorizationCode = String(authorizeResponseQuery.get("code"));
     });
 
+    it("provides originatingAuthCodeId as argument to extraJwtFields", async () => {
+      request = new OAuthRequest({
+        body: {
+          grant_type: "authorization_code",
+          code: authorizationCode,
+          redirect_uri: authorizationRequest.redirectUri,
+          client_id: client.id,
+          code_verifier: codeVerifier,
+        },
+      });
+
+      const extraJwtFieldsSpy = vi.spyOn(grant as any, "extraJwtFields");
+
+      const accessTokenResponse = await grant.respondToAccessTokenRequest(request, new DateInterval("1h"));
+
+      expectTokenResponse(accessTokenResponse);
+      expect(extraJwtFieldsSpy).toHaveBeenCalledWith(request, client, user, "my-super-secret-auth-code");
+    });
+
     it("is successful with pkce S256", async () => {
       // act
       request = new OAuthRequest({
diff --git a/test/e2e/grants/refresh_token.grant.spec.ts b/test/e2e/grants/refresh_token.grant.spec.ts
@@ -97,7 +97,30 @@ describe("refresh_token grant", () => {
     expectTokenResponse(tokenResponse);
     expect(tokenResponse.body.scope).toBe("scope-1");
     expect(tokenResponse.body.refresh_token).toMatch(REGEX_ACCESS_TOKEN);
-    expect(extraJwtFieldsSpy).toHaveBeenCalledWith(request, client, user);
+    expect(extraJwtFieldsSpy).toHaveBeenCalledWith(request, client, user, undefined);
+  });
+
+  it("provides originatingAuthCodeId as argument to extraJwtFields", async () => {
+    accessToken.originatingAuthCodeId = "my-super-secret-auth-code";
+
+    // arrange
+    const bearerResponse = await grant.makeBearerTokenResponse(client, accessToken);
+    request = new OAuthRequest({
+      body: {
+        grant_type: "refresh_token",
+        client_id: client.id,
+        client_secret: client.secret,
+        refresh_token: bearerResponse.body.refresh_token,
+        scope: "scope-1",
+      },
+    });
+    const accessTokenTTL = new DateInterval("1h");
+
+    const extraJwtFieldsSpy = vi.spyOn(grant as any, "extraJwtFields");
+
+    await grant.respondToAccessTokenRequest(request, accessTokenTTL);
+
+    expect(extraJwtFieldsSpy).toHaveBeenCalledWith(request, client, user, "my-super-secret-auth-code");
   });
 
   it("populates originatingAuthCodeId property in OAuthToken object", async () => {

Original file line number	Diff line number	Diff line change
`@@ -138,7 +138,7 @@ export class AuthCodeGrant extends AbstractAuthorizedGrant {`
`138`	`138`
`139`	`139`	`await this.authCodeRepository.revoke(validatedPayload.auth_code_id);`
`140`	`140`
`141`		`- const extraJwtFields = await this.extraJwtFields(req, client, user);`
	`141`	`+ const extraJwtFields = await this.extraJwtFields(req, client, user, accessToken.originatingAuthCodeId);`
`142`	`142`
`143`	`143`	`return await this.makeBearerTokenResponse(client, accessToken, scopes, extraJwtFields);`
`144`	`144`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ export class RefreshTokenGrant extends AbstractGrant {`
`40`	`40`
`41`	`41`	`newToken = await this.issueRefreshToken(newToken, client);`
`42`	`42`
`43`		`- const extraJwtFields = await this.extraJwtFields(req, client, user);`
	`43`	`+ const extraJwtFields = await this.extraJwtFields(req, client, user, newToken.originatingAuthCodeId);`
`44`	`44`
`45`	`45`	`return await this.makeBearerTokenResponse(client, newToken, scopes, extraJwtFields);`
`46`	`46`	`}`