auth.provider API
    • Declarative manifest for the session grant.

      Per A2-γ §3.2.3: the v0.4.x oauthSessionModule({ clientRepository }) factory whose init(ctx) conditionally called ctx.grantRegistry.register("session", ...) is replaced by a defineModule(...) factory whose contributes.grants.session entry the boot planner registers automatically.

      Caller surface: oauthSessionModule({ clientRepository }) → oauthSessionModule({ config }). clientRepository and keyStore now flow through requires from the DI graph.

      Per the secure-default opt-in discipline (matches oauthAuthorizationModule): the session grant registers only when config.oauth.grants.session.enabled is explicitly set to boolean true or the string "true". Only those two values enable the grant, so this is not general JavaScript truthiness: absent keys and all other values (such as 1 or "yes") are treated as not-enabled, and the factory then returns a no-op module. A2-α §7.5 permits a module with no contributes map.

      Parameters

      • params: {
            config: {
                cors: { allowedOrigins: string[] };
                endpoints: { login: { url: string } };
                federations: z.ZodRecord<
                    z.ZodString,
                    z.ZodObject<
                        {
                            enabled: z.ZodPreprocess<z.ZodBoolean>;
                            type: z.ZodOptional<z.ZodString>;
                        },
                        z.core.$loose,
                    >,
                >;
                http: { port: number; trustProxy: boolean };
                memoryRateLimiter?: {
                    defaultLimit?: { limit: number; windowSeconds: number };
                    limits?: Record<string, { limit: number; windowSeconds: number }>;
                    maxBuckets?: number;
                };
                oauth: {
                    accessToken: { expiresIn: number };
                    code?: { adapter?: "redis" | "memory" };
                    grants: { [key: string]: unknown };
                    jwt: {
                        issuer?: string;
                        legacyTypAccept?: boolean;
                        signingKey: {
                            local?:
                                | {
                                    algorithm: "HS256";
                                    kid: string;
                                    previousSecrets?: { expiresAt: string; kid: string; secret: string }[];
                                    secret?: string;
                                }
                                | {
                                    algorithm: "RS256" | "ES256" | "EdDSA";
                                    kid: string;
                                    previousKeys?: {
                                        expiresAt: string;
                                        kid: string;
                                        publicKey?: (...) | (...);
                                        publicKeyPath?: (...) | (...);
                                    }[];
                                    privateKey?: string;
                                    privateKeyPath?: string;
                                    publicKey?: string;
                                    publicKeyPath?: string;
                                    [key: string]: unknown;
                                };
                            provider: string;
                            [key: string]: unknown;
                        };
                    };
                    nonce?: { maxLength: number };
                    oidcMode: "oidc-required" | "dual";
                    refreshToken: {
                        expiresIn: number;
                        legacyRtPolicy: "reject";
                        unknownFamilyPolicy: "accept" | "reject";
                    };
                    resourceIndicator?: { enabled: boolean };
                    tokenExchange?: { maxActorChainDepth: number };
                };
                rateLimit: {
                    failMode: "open" | "closed";
                    login: { limit: number; windowMs: number };
                };
                rateLimiter?: { adapter?: "redis" | "memory" };
                redisCodeRepository?: { defaultExpiresIn?: number; keyPrefix?: string };
                redisRefreshTokenFamilyStore?: {
                    casRetryLimit?: number;
                    keyPrefix?: string;
                };
                redisSessionStores?: { keyPrefix?: string };
                refreshTokenFamilyStore?: { redis?: { password?: string; url: string } };
                repositories: {
                    client: { type: string; [key: string]: unknown };
                    code: { type: string; [key: string]: unknown };
                    user: { type: string; [key: string]: unknown };
                };
                session: {
                    domain: string | null;
                    maxAge: number;
                    name: string;
                    sameSite: "none" | "lax" | "strict";
                    secret: string;
                    secure: boolean;
                    storage: {
                        redis?: { password?: string; url: string };
                        type: string;
                        [key: string]: unknown;
                    };
                };
                userSessionStores?: { adapter?: "redis" | "memory" };
            };
        }

      Returns Module