npm - @abtnode/blocklet-services - Versions diffs - 1.16.42-beta-20250412-084444-20b0cf19 → 1.16.42-beta-20250415-222652-04c5d2fe - Mend

@abtnode/blocklet-services 1.16.42-beta-20250412-084444-20b0cf19 → 1.16.42-beta-20250415-222652-04c5d2fe

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (340) hide show

package/api/index.js CHANGED Viewed

@@ -12,7 +12,6 @@ const httpProxy = require('@arcblock/http-proxy');
 const { minimatch } = require('minimatch');
 const helmet = require('helmet');
 const isUrl = require('is-url');
 const { WELLKNOWN_SERVICE_PATH_PREFIX, EVENTS } = require('@abtnode/constant');
 const {
   BlockletEvents,
@@ -62,7 +61,8 @@ const StudioService = require('./services/studio');
 const AnalyticService = require('./services/analytics');
 const DidSpaceService = require('./services/did-space');
 const createEnvRoutes = require('./routes/env');
-const createOAuthRoutes = require('./routes/oauth');
+const createOauthClientRoutes = require('./routes/oauth/client');
+const createOAuthServerRoutes = require('./routes/oauth/server');
 const createFederatedRoutes = require('./routes/federated');
 const createUserRoutes = require('./routes/user');
 const createOcapRoutes = require('./routes/ocap');
@@ -234,6 +234,36 @@ module.exports = function createServer(node, serverOptions = {}) {
       }
     });
   });
+  [BlockletEvents.removed].forEach((name) => {
+    eventHub.on(name, (data) => {
+      const did = get(data, 'appDid') || get(data, 'meta.did');
+      if (did) {
+        node
+          .destroyTeamStates(did)
+          .then(() => {
+            logger.info('destroy team states on blocklet removed', { name, did });
+          })
+          .catch((error) => {
+            logger.error('Failed to destroy team states on blocklet removed', { name, did, error });
+          });
+      }
+    });
+  });
+  [BlockletEvents.installed, BlockletInternalEvents.componentInstalled].forEach((name) => {
+    eventHub.on(name, (data) => {
+      const did = get(data, 'appDid') || get(data, 'meta.did');
+      if (did) {
+        node
+          .createTeamStates(did)
+          .then(() => {
+            logger.info('create team states on blocklet installed', { name, did });
+          })
+          .catch((error) => {
+            logger.error('Failed to create team states on blocklet installed', { name, did, error });
+          });
+      }
+    });
+  });
   eventHub.on(BlockletEvents.securityConfigUpdated, ({ did }) => {
     // 检测到安全配置更新后，需要批量删除指定前缀的 cache（会包含整个 blocklet 所有的 security cache）
     logger.info('blocklet securityConfig update', { did, pid: process.pid });
@@ -362,8 +392,7 @@ module.exports = function createServer(node, serverOptions = {}) {
             ...whitelist.official,
             ...iconifyDomains,
           ].filter(Boolean),
-          // 支持 google 字体
-          fontSrc: ["'self'", 'https://fonts.gstatic.com'],
+          fontSrc: ["'self'", 'data:', 'https://fonts.gstatic.com'],
           connectSrc: uniq(
             [
               "'self'",
@@ -599,6 +628,7 @@ self.blocklet = {
   // Auth: login token and user info
   server.use(authMiddlewares.sessionBearerToken);
+  // FIXME: @zhanghan 这里的逻辑会导致对当前会话的校验是否强制注销失败，暂时先只在 req.ensureUser 进行增强处理。后续需要考虑完整的 auth 鉴权层
   server.use(authMiddlewares.userInfo);
   // API: gql
@@ -692,7 +722,8 @@ self.blocklet = {
   createMCPRoutes.init(server, node);
   // API: auth
-  createOAuthRoutes.init(server, node, options);
+  createOauthClientRoutes.init(server, node, options);
+  createOAuthServerRoutes.init(server, node, options);
   createFederatedRoutes.init(server, node, options);
   createUserRoutes.init(server, node, options);
   createOcapRoutes.init(server);

package/api/libs/auth/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 const { default: axios } = require('axios');
 const logger = require('../logger')('blocklet-services:oauth');
-const { verifyIdToken } = require('../../services/oauth');
+const { verifyIdToken } = require('../../services/oauth/client');
 /**
  * @typedef {Object} Provider
@@ -53,7 +53,7 @@ function getUrl(urlLike, params) {
   return url.toString();
 }
-class OAuthClient {
+class OauthClient {
   /**
    * Constructor for initializing providers.
    * @param {Object} options
@@ -120,7 +120,7 @@ class OAuthClient {
   async getUserInfo(tokens) {
     try {
       if (tokens.id_token) {
-        const cliams = await verifyIdToken({
+        const claims = await verifyIdToken({
           clientId:
             this.provider?.getClientList?.() || this.provider?.getClientId?.() || this.provider.options.clientId,
           idToken: tokens.id_token,
@@ -128,7 +128,7 @@ class OAuthClient {
           jwksUri: this.provider.jwks_uri,
           nonce: tokens.nonce,
         });
-        return cliams;
+        return claims;
       }
       if (this.provider.userinfo?.request) {
         return this.provider.userinfo.request({ tokens });
@@ -169,5 +169,5 @@ class OAuthClient {
 }
 module.exports = {
-  OAuthClient,
+  OauthClient,
 };

package/api/libs/connect/session.js CHANGED Viewed

@@ -48,11 +48,12 @@ const { getDidSpacesInfoByClaims, silentAuthorizationInConnect } = require('@abt
 const getRequestIP = require('@abtnode/util/lib/get-request-ip');
 const { PASSPORT_LOG_ACTION, PASSPORT_SOURCE, PASSPORT_STATUS } = require('@abtnode/constant');
 const { getDeviceData } = require('@abtnode/util/lib/device');
+const { getVerifyAccessClaims } = require('@abtnode/auth/lib/server');
 const logger = require('../logger')('connect');
 const { createTokenFn, getDidConnectVersion } = require('../../util');
 const { transferPassport, PASSPORT_VC_TYPES } = require('../auth/utils');
-const { migrateAccount, declareAccount } = require('../../services/oauth');
+const { migrateAccount, declareAccount } = require('../../services/oauth/client');
 const { getKycClaims, verifyKycClaims, getPassportVc, getProfileItems } = require('../kyc');
 const { getTrustedIssuers, getFederatedTrustedIssuers } = require('../../util/blocklet-utils');
 const {
@@ -64,6 +65,7 @@ const {
   syncFederatedUser,
 } = require('../../util/federated');
 const { Profile } = require('../../state/profile');
+const { getDefaultPassport } = require('../../util/user-util');
 // do some check if the passport issued by the blocklet itself
 const validateLocalPassport = async ({ vc, node, locale, blocklet, teamDid, userDid }) => {
@@ -184,6 +186,29 @@ const checkAppOwner = async ({ node, role, blocklet, userDid, locale = 'en' }) =
   throw new Error(messages.notAppOwner[locale]);
 };
+const checkUserRole = async ({ node, userDid, locale, request, roles }) => {
+  const blocklet = await request.getBlocklet();
+  const user = await node.getUser({ teamDid: blocklet.appPid, user: { did: userDid } });
+  if (!user) {
+    throw new Error(messages.notAllowed[locale]);
+  }
+  if (!user.approved) {
+    throw new Error(messages.notAuthorized[locale]);
+  }
+  const sourceAppPid = getSourceAppPid(request);
+  return {
+    verifiableCredential: getVerifyAccessClaims({
+      node,
+      passports: user.passports,
+      roles,
+      types: PASSPORT_VC_TYPES,
+      source: 'blocklet',
+      trustedIssuers: await getTrustedIssuers(blocklet, { sourceAppPid }),
+    }),
+  };
+};
 /**
  * @description
  * @param {import('@abtnode/client').BlockletState} blocklet
@@ -519,7 +544,7 @@ module.exports = {
       let fullName = currentUser?.fullName;
       // Update profile
-      const passportForLog = passport || { name: 'Guest', role: 'guest' };
+      const passportForLog = passport || getDefaultPassport();
       const connectAccount = { provider, did: userDid, pk: userPk };
@@ -1039,7 +1064,7 @@ module.exports = {
       });
       // Audit log
-      const passportForLog = passport || { name: 'Guest', role: 'guest' };
+      const passportForLog = passport || getDefaultPassport();
       await node.createAuditLog(
         {
           action: 'switchPassport',
@@ -1390,5 +1415,6 @@ module.exports = {
   utils: {
     checkAppOwner,
+    checkUserRole,
   },
 };

package/api/libs/jwt.js CHANGED Viewed

@@ -17,6 +17,24 @@ const initJwt = (node, options) => {
   // 保持默认有效期为 1 天
   const ttl = options.sessionTtl || '1d';
+  /**
+   * Creates a JWT session token for a user
+   * @param {string} did - The DID of the user
+   * @param {Object} options - Token creation options
+   * @param {string} options.role - User's role
+   * @param {string} options.secret - Secret key used to sign the token
+   * @param {Object} [options.passport] - User's passport information
+   * @param {string} [options.expiresIn] - Token expiration time, defaults to configured ttl
+   * @param {string} [options.tokenType] - Type of token being created
+   * @param {string} [options.fullName] - User's full name
+   * @param {string} [options.provider=LOGIN_PROVIDER.WALLET] - Authentication provider
+   * @param {string} [options.walletOS] - User's wallet operating system
+   * @param {boolean} [options.emailVerified=false] - Whether user's email is verified
+   * @param {boolean} [options.phoneVerified=false] - Whether user's phone is verified
+   * @param {boolean} [options.elevated=false] - Whether the session has elevated privileges
+   * @param {Object} [options.oauth=null] - OAuth related information
+   * @returns {Object} The created token object
+   */
   const createSessionToken = (
     did,
     {
@@ -31,6 +49,7 @@ const initJwt = (node, options) => {
       emailVerified = false,
       phoneVerified = false,
       elevated = false,
+      oauth = null,
     }
   ) =>
     createAuthToken({
@@ -45,8 +64,20 @@ const initJwt = (node, options) => {
       walletOS,
       kyc: encodeKycStatus(emailVerified, phoneVerified),
       elevated,
+      oauth,
     });
+  /**
+   * Verifies a JWT session token
+   * @param {string} token - The JWT token to verify
+   * @param {string} secret - Secret key used to verify the token
+   * @param {Object} [options={}] - Verification options
+   * @param {boolean|Function} options.checkFromDb - Whether to check user from database or a function that returns boolean
+   * @param {string} options.teamDid - The DID of the team/application
+   * @param {Function} options.checkToken - Optional function to perform additional token validation
+   * @param {string} [options.locale='en'] - Locale for error messages, defaults to 'en'
+   * @returns {Promise<Object>} - Resolves with decoded token data if valid
+   */
   const verifySessionToken = (token, secret, { checkFromDb, teamDid, checkToken, locale = 'en' } = {}) =>
     // eslint-disable-next-line implicit-arrow-linebreak
     new Promise((resolve, reject) => {
@@ -72,6 +103,8 @@ const initJwt = (node, options) => {
           walletOS,
           kyc = 0,
           elevated = false,
+          oauth = null,
+          exp,
         } = decoded;
         let user;
         if (!did) {
@@ -107,9 +140,11 @@ const initJwt = (node, options) => {
           user.walletOS = walletOS;
           user.kyc = encodeKycStatus(user.emailVerified, user.phoneVerified);
           user.elevated = elevated;
+          user.oauth = oauth;
+          user.exp = exp;
         } else {
           user = Object.assign(
-            { did, role, passport, fullName, provider, walletOS, kyc, elevated },
+            { did, role, passport, fullName, provider, walletOS, kyc, elevated, oauth, exp },
             decodeKycStatus(kyc)
           );
         }

package/api/libs/push-kit/index.js CHANGED Viewed

@@ -3,7 +3,7 @@ const { getSignData } = require('@blocklet/sdk/lib/util/verify-sign');
 const getBlockletInfo = require('@blocklet/meta/lib/info');
 const { joinURL } = require('ufo');
 const pRetry = require('p-retry');
+const pMap = require('p-map');
 const { api } = require('../api');
 const logger = require('../logger')('blocklet-services:notification');
@@ -42,18 +42,23 @@ async function sendPush(receiver, notification, { node, teamDid }) {
     throw new Error(`Invalid push kit endpoint: ${config.endpoint}`);
   }
-  const { users = [] } = await node.getUsers({
-    teamDid,
-    dids: receiver,
-    query: {
-      approved: true,
-      includeUserSessions: true,
+  const userSessionList = await pMap(
+    receiver,
+    async (x) => {
+      const result = await node.getUserSessions({
+        teamDid,
+        query: {
+          userDid: x,
+        },
+      });
+      return result.list;
     },
-  });
+    { concurrency: 10 }
+  );
-  const targets = users.reduce((acc, user) => {
-    if (user.userSessions?.length > 0) {
-      user.userSessions.forEach((x) => {
+  const targets = userSessionList.reduce((acc, userSessions) => {
+    if (userSessions?.length > 0) {
+      userSessions.forEach((x) => {
         // NOTICE: 这里需要转为小写来判断
         const platform = x?.extra?.walletOS?.toLowerCase();
         // 兼容处理，支持读取 walletDeviceMessageToken

package/api/routes/federated.js CHANGED Viewed

@@ -27,7 +27,7 @@ const {
   getUserWithinFederated,
   getTrustedDomains,
 } = require('../util/federated');
-const { declareAccount, migrateAccount } = require('../services/oauth');
+const { declareAccount, migrateAccount } = require('../services/oauth/client');
 const { checkFederatedCall } = require('../middlewares/check-federated');
 const PREFIX = WELLKNOWN_SERVICE_PATH_PREFIX;

package/api/routes/mcp.js CHANGED Viewed

@@ -1,18 +1,20 @@
-/* eslint-disable no-console */
 const { WELLKNOWN_SERVICE_PATH_PREFIX, SECURITY_RULE_DEFAULT_ID } = require('@abtnode/constant');
 const { joinURL } = require('ufo');
 const get = require('lodash/get');
 const getBlockletInfo = require('@blocklet/meta/lib/info');
 const { checkPublicAccess } = require('@blocklet/meta/lib/util');
 // eslint-disable-next-line import/no-unresolved
-const { SSEServerTransport } = require('@modelcontextprotocol/sdk/server/sse.js');
+const { SSEServerTransport } = require('@blocklet/mcp/server/sse.js');
-const { mcpServer } = require('../services/mcp/server');
+const { initMcpServer } = require('../services/mcp/server');
+const logger = require('../libs/logger')('mcp:server:routes');
 const isMCPSupported = (b) => get(b.meta, 'capabilities.mcp', false);
 module.exports = {
   init(server, node) {
+    const mcpServer = initMcpServer(node);
     // Return all MCP servers
     server.get(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/mcp/servers'), async (req, res) => {
       const blocklet = await req.getBlocklet();
@@ -50,7 +52,7 @@ module.exports = {
         }
       });
-      // TODO: should we include official services? such as chain, did-spaces, name-service, etc.
+      // TODO: @wangshijun should we include official services? such as chain, did-spaces, name-service, etc.
       res.json({
         version: info.version,
         servers: mcpServers,
@@ -61,27 +63,38 @@ module.exports = {
     // to support multiple simultaneous connections we have a lookup object from sessionId to transport
     const transports = {};
-    server.get(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/mcp/sse'), async (_, res) => {
+    server.get(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/mcp/sse'), async (req, res) => {
+      if (!req.user) {
+        res.status(401).json({ error: 'Unauthorized' });
+        return;
+      }
       // Set required headers for SSE
       res.header('X-Accel-Buffering', 'no');
       const transport = new SSEServerTransport(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/mcp/messages'), res);
-      transports[transport.sessionId] = transport;
+      transport.authContext = Object.assign({ user: req.user || {} }, { blockletDid: req.getBlockletDid() });
+      const { sessionId } = transport;
+      transports[sessionId] = transport;
+      logger.debug('Client connected', sessionId);
       res.on('close', () => {
-        delete transports[transport.sessionId];
+        logger.debug('Client Disconnected', sessionId);
+        delete transports[sessionId];
       });
       await mcpServer.connect(transport);
     });
     server.post(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/mcp/messages'), async (req, res) => {
       const { sessionId } = req.query;
-      const transport = transports[sessionId];
-      if (transport) {
-        // Send the body to the transport since we have already parsed it
-        await transport.handlePostMessage(req, res, req.body);
-      } else {
-        res.status(400).send('No transport found for sessionId');
+      logger.debug('Client Message', { sessionId, body: req.body });
+      let transport = transports[sessionId];
+      if (!transport) {
+        transport = new SSEServerTransport(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/mcp/messages'), res);
       }
+      // Send the body to the transport since we have already parsed it
+      transport.authContext = Object.assign({ user: req.user || {} }, { blockletDid: req.getBlockletDid() });
+      await transport.handlePostMessage(req, res, req.body);
     });
   },
 };

package/api/routes/{oauth.js → oauth/client.js} RENAMED Viewed

@@ -13,22 +13,23 @@ const createTranslator = require('@abtnode/util/lib/translate');
 const CustomError = require('@abtnode/util/lib/custom-error');
 const { LOGIN_PROVIDER } = require('@blocklet/constant');
 const { withHttps, withTrailingSlash } = require('ufo');
-const logger = require('../libs/logger')('oauth');
-const { OAuthClient } = require('../libs/auth');
-const OAuthAuth0 = require('../libs/auth/adapters/auth0');
-const OAuthAuth0Legacy = require('../libs/auth/adapters/auth0-legacy');
-const OAuthGithub = require('../libs/auth/adapters/github');
-const OAuthGoogle = require('../libs/auth/adapters/google');
-const OAuthApple = require('../libs/auth/adapters/apple');
-const { getAvatarByEmail, transferPassport, getAvatarByUrl } = require('../libs/auth/utils');
-const initJwt = require('../libs/jwt');
-const { sendToUser } = require('../libs/notification');
-const { createTokenFn, getDidConnectVersion, redirectWithoutCache } = require('../util');
-const federatedUtil = require('../util/federated');
-const userUtil = require('../util/user-util');
-const { isOAuthEmailVerified, isEmailUniqueRequired, isEmailKycRequired, isSameEmail } = require('../libs/kyc');
-const checkUser = require('../middlewares/check-user');
+const { getLastUsedPassport } = require('@abtnode/auth/lib/passport');
+const logger = require('../../libs/logger')('oauth:client');
+const { OauthClient } = require('../../libs/auth');
+const OAuthAuth0 = require('../../libs/auth/adapters/auth0');
+const OAuthAuth0Legacy = require('../../libs/auth/adapters/auth0-legacy');
+const OAuthGithub = require('../../libs/auth/adapters/github');
+const OAuthGoogle = require('../../libs/auth/adapters/google');
+const OAuthApple = require('../../libs/auth/adapters/apple');
+const { getAvatarByEmail, transferPassport, getAvatarByUrl } = require('../../libs/auth/utils');
+const initJwt = require('../../libs/jwt');
+const { sendToUser } = require('../../libs/notification');
+const { createTokenFn, getDidConnectVersion, redirectWithoutCache } = require('../../util');
+const federatedUtil = require('../../util/federated');
+const userUtil = require('../../util/user-util');
+const { isOAuthEmailVerified, isEmailUniqueRequired, isEmailKycRequired, isSameEmail } = require('../../libs/kyc');
+const checkUser = require('../../middlewares/check-user');
 const PREFIX = WELLKNOWN_SERVICE_PATH_PREFIX;
@@ -143,7 +144,7 @@ function getAuthClient(blocklet, provider, { legacy = false, appPid } = {}) {
     if (!providerConfig.clientSecret) {
       throw new Error('missing client secret');
     }
-    return new OAuthClient({
+    return new OauthClient({
       provider: OAuthAuth0({
         // HACK: auth0 比较奇葩，它的 issuer 有斜杠后缀
         issuer: withTrailingSlash(withHttps(providerConfig.domain)),
@@ -155,13 +156,13 @@ function getAuthClient(blocklet, provider, { legacy = false, appPid } = {}) {
   }
   if (provider === 'github') {
-    return new OAuthClient({ provider: OAuthGithub(providerConfig) });
+    return new OauthClient({ provider: OAuthGithub(providerConfig) });
   }
   if (provider === 'google') {
-    return new OAuthClient({ provider: OAuthGoogle(providerConfig) });
+    return new OauthClient({ provider: OAuthGoogle(providerConfig) });
   }
   if (provider === 'apple') {
-    return new OAuthClient({ provider: OAuthApple(providerConfig) });
+    return new OauthClient({ provider: OAuthApple(providerConfig) });
   }
   return null;
 }
@@ -193,7 +194,7 @@ async function login(req, node, options) {
     userInfo: oauthInfo,
   };
   let profile;
-  const lastUsedPassport = userUtil.getLastUsedPassport({ passports: currentUser?.passports });
+  const lastUsedPassport = getLastUsedPassport(currentUser?.passports, '', { useFallback: false });
   if (!currentUser) {
     currentUser = {
       did: userDid,

package/api/routes/oauth/server.js ADDED Viewed

@@ -0,0 +1,95 @@
+/* eslint-disable import/no-unresolved */
+const { joinURL } = require('ufo');
+const { OAUTH_ENDPOINTS, OAUTH_CLIENT_SECRET_TTL, WELLKNOWN_SERVICE_PATH_PREFIX } = require('@abtnode/constant');
+const { authorizationHandler } = require('@blocklet/mcp/server/auth/handlers/authorize.js');
+const { tokenHandler } = require('@blocklet/mcp/server/auth/handlers/token.js');
+const { revocationHandler } = require('@blocklet/mcp/server/auth/handlers/revoke.js');
+const { clientRegistrationHandler } = require('@blocklet/mcp/server/auth/handlers/register.js');
+const { createBlockletOAuthServerProvider } = require('../../services/oauth/server');
+const { redirectWithoutCache, getRedirectUrl } = require('../../util');
+const logger = require('../../libs/logger')('oauth:server:routes');
+module.exports = {
+  init(router, node, options) {
+    const prefix = `${WELLKNOWN_SERVICE_PATH_PREFIX}/oauth`;
+    const ensureOAuthProvider = async (req, res, next) => {
+      const [blocklet, info] = await Promise.all([req.getBlocklet(), req.getBlockletInfo()]);
+      if (!blocklet) {
+        return res.status(404).json({ error: 'Blocklet not found' });
+      }
+      // TODO: @wangshijun check if oauth server service is enabled, make it configurable
+      req.provider = createBlockletOAuthServerProvider(node, options, blocklet, info);
+      return next();
+    };
+    router.use(joinURL(prefix, OAUTH_ENDPOINTS.AUTHORIZATION), ensureOAuthProvider, (req, res, next) => {
+      if (req.method === 'GET') {
+        if (req.user) {
+          logger.debug('User already logged in, send to consent page');
+          // Send to oauth consent page
+          next();
+        } else {
+          logger.debug('User not logged in, send to login page');
+          // redirect to login page and redirect back once login success
+          redirectWithoutCache(
+            res,
+            getRedirectUrl({
+              req,
+              pagePath: '/login',
+              params: {
+                redirect: req.originalUrl,
+              },
+            })
+          );
+        }
+      } else if (req.method === 'POST') {
+        logger.debug('Handle oauth authorization request', req.body);
+        if (req.body.action === 'deny') {
+          logger.debug('User denied oauth authorization, redirect to redirect_uri');
+          const errorUrl = new URL(req.body.redirect_uri);
+          errorUrl.searchParams.set('error', 'access_denied');
+          errorUrl.searchParams.set('error_description', 'The user denied the request');
+          if (req.body.state) errorUrl.searchParams.set('state', req.body.state);
+          res.redirect(errorUrl.toString());
+          return;
+        }
+        authorizationHandler({ provider: req.provider, rateLimit: false })(req, res, next);
+      } else {
+        res.status(405).json({ error: 'Method not allowed' });
+      }
+    });
+    router.use(joinURL(prefix, OAUTH_ENDPOINTS.TOKEN), ensureOAuthProvider, (req, res, next) => {
+      tokenHandler({ provider: req.provider, rateLimit: false })(req, res, next);
+    });
+    router.use(joinURL(prefix, OAUTH_ENDPOINTS.REGISTRATION), ensureOAuthProvider, (req, res, next) => {
+      clientRegistrationHandler({
+        clientsStore: req.provider.clientsStore,
+        clientSecretExpirySeconds: OAUTH_CLIENT_SECRET_TTL,
+        rateLimit: false,
+      })(req, res, next);
+    });
+    router.use(joinURL(prefix, OAUTH_ENDPOINTS.REVOCATION), ensureOAuthProvider, (req, res, next) => {
+      revocationHandler({ provider: req.provider, rateLimit: false })(req, res, next);
+    });
+    router.get(joinURL(WELLKNOWN_SERVICE_PATH_PREFIX, '/api/oauth/client'), ensureOAuthProvider, async (req, res) => {
+      const { clientId } = req.query;
+      if (!clientId) {
+        res.status(400).json({ error: 'clientId is required' });
+        return;
+      }
+      const client = await req.provider.clientsStore.getClient(clientId);
+      res.json(client);
+    });
+  },
+};