OAuth phishing-resistance: consent screen, HMAC nonce, redirect policy, client cap

[jpr5]

Summary

Adds a server-rendered consent screen between GET /authorize and code issuance, replacing auto-approval. This makes the OAuth flow phishing-resistant — the consent screen, not DCR authentication, is the security boundary.

Commits (5, logical)

1. OAuth observability, config plumbing, trusted-IP resolver — [oauth] log vocabulary, oauthConsentHmacKeys config (fail-loud in prod, dev ephemeral key, multi-key rotation), trusted-IP setter-injection seam with bootstrap assertion.

2. HMAC consent-nonce + redirect_uri policy — SHA-256 over canonical length-prefixed encoding of {client_id, redirect_uri, state, code_challenge, code_challenge_method, response_type, scope, resource, exp}; multi-key verify; MAC-then-exp ordering. Policy rejects 0.0.0.0/8, RFC1918, link-local (fe80::/10 numeric prefix), ULA, IPv4-mapped private; treats 127.0.0.0/8 + localhost + [::1] as loopback (http permitted only here).

3. Client cap with TTL eviction — 10,000 total / 100 per-IP; lazy sweep on register() (>30d unused / >7d never-used-after-registration); touch() bumps lastUsedAt on consent-approve and token-grant success.

4. Consent screen template + POST /authorize/consent handler — server-rendered HTML with CSP default-src 'none'; frame-ancestors 'none', X-Frame-Options: DENY, Referrer-Policy: no-referrer; every interpolation HTML-escaped (5 chars). POST handler runs an 8-step pipeline (rate-limit, nonce HMAC verify, field-by-field equality, client lookup, policy + exact-match re-check, scope/response_type/PKCE re-check, decision branch). Final redirect URL is built from the nonce-bound payload, never the form body — that's the phishing-resistance invariant, positive- and negative-proven in tests.

5. Handlers + server wiring — registerHandler enforces policy + cap (429 per-IP / 503 total + Retry-After); authorizeHandler mints HMAC nonce and renders consent (no longer touches the client on GET); tokenHandler touches the client on both grant branches; originOf() gates X-Forwarded-Proto on the trust-proxy boundary; server.ts mounts the consent route, wires setTrustingProxy, and asserts the OAuth IP resolver was injected at boot.

Tests

• 222/222 oauth tests pass across 11 files
• tsc --noEmit clean
• Build clean

Out of scope — follow-up PRs

Real load-bearing issues with subjects distinct from this PR's:

• Refresh-token aud rejects RFC 8707 resource-bound tokens (issueTokenPair mints aud = resource || origin; refresh verifies {aud: origin} strict — incompatible)
• Bearer middleware observability + RFC 9728 resource_metadata discovery hint (dead unauthorizedWithDiscovery helper exists, never wired)
• OAuth rate-limiter buckets Map has no eviction (memory growth under IP rotation)
• /revoke is a no-op stub (no revocation list; leaked refresh tokens survive ~30 days)
• Bearer middleware aud accept-set + client_secret enforcement against advertised token_endpoint_auth_method
• Server bootstrap / config-loader pre-existing debt (PORT loose parseInt, formatErrorForConfigLog duplication, etc.)

Test plan

• CI green (tsc, tests, build)
• Reviewer can trace the phishing-resistance boundary commit-by-commit
• Verify CSP/X-Frame headers on the live /authorize 200 response