@atcute/oauth-types 0.1.0

package/LICENSE

@@ -0,0 +1,14 @@
+BSD Zero Clause License
+
+Copyright (c) 2025 Mary
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.

package/README.md

@@ -0,0 +1,48 @@
+# @atcute/oauth-types
+
+OAuth types and schemas for AT Protocol.
+
+```sh
+npm install @atcute/oauth-types
+```
+
+## usage
+
+### building client metadata
+
+```ts
+import { buildClientMetadata } from '@atcute/oauth-types';
+import { Keyset } from '@atcute/oauth-keyset';
+
+const metadata = buildClientMetadata(
+	{
+		client_id: 'https://example.com/client-metadata.json',
+		redirect_uris: ['https://example.com/callback'],
+		scope: 'atproto transition:generic',
+		client_name: 'my app',
+	},
+	keyset,
+);
+```
+
+### validating data
+
+```ts
+import {
+	confidentialClientMetadataSchema,
+	oauthTokenResponseSchema,
+	atprotoAuthorizationServerMetadataSchema,
+} from '@atcute/oauth-types';
+
+// validate client metadata
+const result = confidentialClientMetadataSchema.try(input);
+if (result.ok) {
+	console.log(result.value);
+}
+
+// validate token response
+const tokenResult = oauthTokenResponseSchema.try(response);
+
+// validate authorization server metadata
+const asResult = atprotoAuthorizationServerMetadataSchema.try(metadata);
+```

package/dist/build-client-metadata.d.ts

@@ -0,0 +1,168 @@
+import type { Keyset } from '@atcute/oauth-keyset';
+/**
+ * builds an atproto client metadata
+ *
+ *
+ * @param input client metadata
+ * @param keyset available keys
+ * @returns built client metadata
+ */
+export declare const buildClientMetadata: (input: {
+    client_id: string;
+    redirect_uris: string[];
+    scope: string | string[];
+    client_uri?: string | undefined;
+    client_name?: string | undefined;
+    policy_uri?: string | undefined;
+    tos_uri?: string | undefined;
+    logo_uri?: string | undefined;
+    jwks_uri?: string | undefined;
+}, keyset: Keyset) => {
+    redirect_uris: string[];
+    response_types?: ("code" | "code id_token" | "code id_token token" | "code token" | "id_token" | "id_token token" | "none" | "token")[] | undefined;
+    grant_types?: ("authorization_code" | "client_credentials" | "implicit" | "password" | "refresh_token" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer")[] | undefined;
+    scope?: string | undefined;
+    token_endpoint_auth_method?: "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "none" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth" | undefined;
+    token_endpoint_auth_signing_alg?: string | undefined;
+    userinfo_signed_response_alg?: string | undefined;
+    userinfo_encrypted_response_alg?: string | undefined;
+    jwks_uri?: string | undefined;
+    jwks?: {
+        keys: ({
+            kid?: string | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+            x5c?: string[] | undefined;
+            x5t?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            x5u?: string | undefined;
+            ext?: boolean | undefined;
+            iat?: number | undefined;
+            exp?: number | undefined;
+            nbf?: number | undefined;
+            revoked?: {
+                revoked_at: number;
+                reason?: string | undefined;
+            } | undefined;
+            kty: "RSA";
+            alg?: "PS256" | "PS384" | "PS512" | "RS256" | "RS384" | "RS512" | undefined;
+            n: string;
+            e: string;
+            d?: string | undefined;
+            p?: string | undefined;
+            q?: string | undefined;
+            dp?: string | undefined;
+            dq?: string | undefined;
+            qi?: string | undefined;
+            oth?: {
+                r?: string | undefined;
+                d?: string | undefined;
+                t?: string | undefined;
+            }[] | undefined;
+        } | {
+            kid?: string | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+            x5c?: string[] | undefined;
+            x5t?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            x5u?: string | undefined;
+            ext?: boolean | undefined;
+            iat?: number | undefined;
+            exp?: number | undefined;
+            nbf?: number | undefined;
+            revoked?: {
+                revoked_at: number;
+                reason?: string | undefined;
+            } | undefined;
+            kty: "EC";
+            alg?: "ES256" | "ES384" | "ES512" | undefined;
+            crv: "P-256" | "P-384" | "P-521";
+            x: string;
+            y: string;
+            d?: string | undefined;
+        } | {
+            kid?: string | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+            x5c?: string[] | undefined;
+            x5t?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            x5u?: string | undefined;
+            ext?: boolean | undefined;
+            iat?: number | undefined;
+            exp?: number | undefined;
+            nbf?: number | undefined;
+            revoked?: {
+                revoked_at: number;
+                reason?: string | undefined;
+            } | undefined;
+            kty: "EC";
+            alg?: "ES256K" | undefined;
+            crv: "secp256k1";
+            x: string;
+            y: string;
+            d?: string | undefined;
+        } | {
+            kid?: string | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+            x5c?: string[] | undefined;
+            x5t?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            x5u?: string | undefined;
+            ext?: boolean | undefined;
+            iat?: number | undefined;
+            exp?: number | undefined;
+            nbf?: number | undefined;
+            revoked?: {
+                revoked_at: number;
+                reason?: string | undefined;
+            } | undefined;
+            kty: "OKP";
+            alg?: "EdDSA" | undefined;
+            crv: "Ed25519" | "Ed448";
+            x: string;
+            d?: string | undefined;
+        } | {
+            kid?: string | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+            x5c?: string[] | undefined;
+            x5t?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            x5u?: string | undefined;
+            ext?: boolean | undefined;
+            iat?: number | undefined;
+            exp?: number | undefined;
+            nbf?: number | undefined;
+            revoked?: {
+                revoked_at: number;
+                reason?: string | undefined;
+            } | undefined;
+            kty: "oct";
+            alg?: "HS256" | "HS384" | "HS512" | undefined;
+            k: string;
+        })[];
+    } | undefined;
+    application_type?: "native" | "web" | undefined;
+    subject_type?: "pairwise" | "public" | undefined;
+    request_object_signing_alg?: string | undefined;
+    id_token_signed_response_alg?: string | undefined;
+    authorization_signed_response_alg?: string | undefined;
+    authorization_encrypted_response_enc?: "A128CBC-HS256" | undefined;
+    authorization_encrypted_response_alg?: string | undefined;
+    client_id?: string | undefined;
+    client_name?: string | undefined;
+    client_uri?: string | undefined;
+    policy_uri?: string | undefined;
+    tos_uri?: string | undefined;
+    logo_uri?: string | undefined;
+    default_max_age?: number | undefined;
+    require_auth_time?: boolean | undefined;
+    contacts?: string[] | undefined;
+    tls_client_certificate_bound_access_tokens?: boolean | undefined;
+    dpop_bound_access_tokens?: boolean | undefined;
+    authorization_details_types?: string[] | undefined;
+};
+//# sourceMappingURL=build-client-metadata.d.ts.map

package/dist/build-client-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"build-client-metadata.d.ts","sourceRoot":"","sources":["../lib/build-client-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AASnD;;;;;;;GAOG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsD/B,CAAC"}

package/dist/build-client-metadata.js

@@ -0,0 +1,53 @@
+import { FALLBACK_ALG } from './constants.js';
+import { confidentialClientMetadataSchema, } from './schemas/atcute-confidential-client-metadata.js';
+/**
+ * builds an atproto client metadata
+ *
+ *
+ * @param input client metadata
+ * @param keyset available keys
+ * @returns built client metadata
+ */
+export const buildClientMetadata = (input, keyset) => {
+    // validate user-facing schema is correct
+    const conf = confidentialClientMetadataSchema.parse(input, { mode: 'passthrough' });
+    // build full OAuth client metadata (atproto defaults and requirements)
+    const metadata = {
+        client_id: conf.client_id,
+        client_name: conf.client_name,
+        client_uri: conf.client_uri,
+        policy_uri: conf.policy_uri,
+        tos_uri: conf.tos_uri,
+        logo_uri: conf.logo_uri,
+        redirect_uris: conf.redirect_uris,
+        scope: Array.isArray(conf.scope) ? conf.scope.join(' ') : conf.scope,
+        application_type: 'web',
+        subject_type: 'public',
+        response_types: ['code'],
+        grant_types: ['authorization_code', 'refresh_token'],
+        token_endpoint_auth_method: 'private_key_jwt',
+        token_endpoint_auth_signing_alg: FALLBACK_ALG,
+        dpop_bound_access_tokens: true,
+        jwks_uri: conf.jwks_uri,
+        jwks: conf.jwks_uri ? undefined : keyset.publicJwks,
+    };
+    // ensure at least one key supports the fallback algorithm
+    const signingKeys = Array.from(keyset);
+    if (!signingKeys.some((key) => key.alg === FALLBACK_ALG)) {
+        throw new TypeError(`"private_key_jwt" requires at least one "${FALLBACK_ALG}" signing key`);
+    }
+    // if jwks provided inline, ensure ALL signing keys are present
+    if (metadata.jwks) {
+        const jwksKids = new Set(metadata.jwks.keys
+            .filter((k) => !k.revoked)
+            .map((k) => k.kid)
+            .filter(Boolean));
+        for (const key of signingKeys) {
+            if (!jwksKids.has(key.kid)) {
+                throw new TypeError(`signing key "${key.kid}" not found in jwks`);
+            }
+        }
+    }
+    return metadata;
+};
+//# sourceMappingURL=build-client-metadata.js.map

package/dist/build-client-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"build-client-metadata.js","sourceRoot":"","sources":["../lib/build-client-metadata.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EACN,gCAAgC,GAEhC,MAAM,kDAAkD,CAAC;AAG1D;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAClC,KAAiC,EACjC,MAAc,EACQ,EAAE,CAAC;IACzB,yCAAyC;IACzC,MAAM,IAAI,GAAG,gCAAgC,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IAEpF,uEAAuE;IACvE,MAAM,QAAQ,GAAwB;QACrC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK;QAEpE,gBAAgB,EAAE,KAAK;QACvB,YAAY,EAAE,QAAQ;QACtB,cAAc,EAAE,CAAC,MAAM,CAAC;QACxB,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;QAEpD,0BAA0B,EAAE,iBAAiB;QAC7C,+BAA+B,EAAE,YAAY;QAC7C,wBAAwB,EAAE,IAAI;QAE9B,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAE,MAAM,CAAC,UAA0C;KACpF,CAAC;IAEF,0DAA0D;IAC1D,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,YAAY,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,SAAS,CAAC,4CAA4C,YAAY,eAAe,CAAC,CAAC;IAC9F,CAAC;IAED,+DAA+D;IAC/D,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnB,MAAM,QAAQ,GAAG,IAAI,GAAG,CACvB,QAAQ,CAAC,IAAI,CAAC,IAAI;aAChB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;aACzB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;aACjB,MAAM,CAAC,OAAO,CAAC,CACjB,CAAC;QAEF,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;YAC/B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5B,MAAM,IAAI,SAAS,CAAC,gBAAgB,GAAG,CAAC,GAAG,qBAAqB,CAAC,CAAC;YACnE,CAAC;QACF,CAAC;IACF,CAAC;IAED,OAAO,QAAQ,CAAC;AAAA,CAChB,CAAC"}

package/dist/constants.d.ts

@@ -0,0 +1,5 @@
+/** default algorithm per atproto spec */
+export declare const FALLBACK_ALG = "ES256";
+/** JWT bearer assertion type for `private_key_jwt` authentication */
+export declare const CLIENT_ASSERTION_TYPE_JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+//# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../lib/constants.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,eAAO,MAAM,YAAY,UAAU,CAAC;AAEpC,qEAAqE;AACrE,eAAO,MAAM,gCAAgC,2DAA2D,CAAC"}

package/dist/constants.js

@@ -0,0 +1,5 @@
+/** default algorithm per atproto spec */
+export const FALLBACK_ALG = 'ES256';
+/** JWT bearer assertion type for `private_key_jwt` authentication */
+export const CLIENT_ASSERTION_TYPE_JWT_BEARER = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
+//# sourceMappingURL=constants.js.map

package/dist/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../lib/constants.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,MAAM,CAAC,MAAM,YAAY,GAAG,OAAO,CAAC;AAEpC,qEAAqE;AACrE,MAAM,CAAC,MAAM,gCAAgC,GAAG,wDAAwD,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,31 @@
+export { buildClientMetadata } from './build-client-metadata.js';
+export { CLIENT_ASSERTION_TYPE_JWT_BEARER, FALLBACK_ALG } from './constants.js';
+export * as scope from './scope.js';
+export { confidentialClientMetadataSchema, type ConfidentialClientMetadata, } from './schemas/atcute-confidential-client-metadata.js';
+export { atprotoOAuthScopeSchema, ATPROTO_SCOPE_VALUE, DEFAULT_ATPROTO_OAUTH_SCOPE, type AtprotoOAuthScope, } from './schemas/atproto-oauth-scope.js';
+export { jwkPubSchema, jwkSchema, keyUsageSchema, publicKeyUsageSchema, type Jwk, type JwkPub, type KeyUsage, } from './schemas/jwk.js';
+export { jwksPubSchema, jwksSchema, type Jwks, type JwksPub } from './schemas/jwks.js';
+export { oauthClientIdDiscoverableSchema } from './schemas/oauth-client-id-discoverable.js';
+export { oauthClientIdSchema, type OAuthClientId } from './schemas/oauth-client-id.js';
+export { oauthClientMetadataSchema, type OAuthClientMetadata } from './schemas/oauth-client-metadata.js';
+export { oauthEndpointAuthMethodSchema, type OAuthEndpointAuthMethod, } from './schemas/oauth-endpoint-auth-method.js';
+export { oauthGrantTypeSchema, type OAuthGrantType } from './schemas/oauth-grant-type.js';
+export { loopbackRedirectUriSchema, oauthRedirectUriSchema, type LoopbackRedirectUri, type OAuthRedirectUri, } from './schemas/oauth-redirect-uri.js';
+export { oauthResponseTypeSchema, type OAuthResponseType } from './schemas/oauth-response-type.js';
+export { isOAuthScope, OAUTH_SCOPE_REGEXP, oauthScopeSchema, type OAuthScope, } from './schemas/oauth-scope.js';
+export { httpsUriSchema, loopbackUriSchema, nonLocalWebUriSchema, privateUseUriSchema, urlSchema, webUriSchema, } from './schemas/uri.js';
+export { extractUrlPath, isHostnameIP, isLastOccurrence, isLocalHostname, isLoopbackHost, isSpaceSeparatedValue, } from './schemas/utils.js';
+export { oauthTokenTypeSchema, type OAuthTokenType } from './schemas/oauth-token-type.js';
+export { oauthTokenResponseSchema, type OAuthTokenResponse } from './schemas/oauth-token-response.js';
+export { atprotoOAuthTokenResponseSchema, type AtprotoOAuthTokenResponse, } from './schemas/atproto-oauth-token-response.js';
+export { oauthParResponseSchema, type OAuthParResponse } from './schemas/oauth-par-response.js';
+export { oauthCodeChallengeMethodSchema, type OAuthCodeChallengeMethod, } from './schemas/oauth-code-challenge-method.js';
+export { oauthResponseModeSchema, type OAuthResponseMode } from './schemas/oauth-response-mode.js';
+export { oauthPromptSchema, type OAuthPrompt } from './schemas/oauth-prompt.js';
+export { oauthAuthorizationDetailSchema, oauthAuthorizationDetailsSchema, type OAuthAuthorizationDetail, type OAuthAuthorizationDetails, } from './schemas/oauth-authorization-details.js';
+export { oauthIssuerIdentifierSchema, type OAuthIssuerIdentifier, } from './schemas/oauth-issuer-identifier.js';
+export { oauthAuthorizationServerMetadataSchema, oauthAuthorizationServerMetadataValidator, type OAuthAuthorizationServerMetadata, } from './schemas/oauth-authorization-server-metadata.js';
+export { atprotoAuthorizationServerMetadataValidator, type AtprotoAuthorizationServerMetadata, } from './schemas/atproto-authorization-server-metadata.js';
+export { oauthBearerMethodSchema, oauthProtectedResourceMetadataSchema, oauthProtectedResourceMetadataValidator, type OAuthBearerMethod, type OAuthProtectedResourceMetadata, } from './schemas/oauth-protected-resource-metadata.js';
+export { atprotoProtectedResourceMetadataValidator, type AtprotoProtectedResourceMetadata, } from './schemas/atproto-protected-resource-metadata.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,gCAAgC,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAEhF,OAAO,KAAK,KAAK,MAAM,YAAY,CAAC;AAGpC,OAAO,EACN,gCAAgC,EAChC,KAAK,0BAA0B,GAC/B,MAAM,kDAAkD,CAAC;AAC1D,OAAO,EACN,uBAAuB,EACvB,mBAAmB,EACnB,2BAA2B,EAC3B,KAAK,iBAAiB,GACtB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EACN,YAAY,EACZ,SAAS,EACT,cAAc,EACd,oBAAoB,EACpB,KAAK,GAAG,EACR,KAAK,MAAM,EACX,KAAK,QAAQ,GACb,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,KAAK,OAAO,EAAE,MAAM,mBAAmB,CAAC;AACvF,OAAO,EAAE,+BAA+B,EAAE,MAAM,2CAA2C,CAAC;AAC5F,OAAO,EAAE,mBAAmB,EAAE,KAAK,aAAa,EAAE,MAAM,8BAA8B,CAAC;AACvF,OAAO,EAAE,yBAAyB,EAAE,KAAK,mBAAmB,EAAE,MAAM,oCAAoC,CAAC;AACzG,OAAO,EACN,6BAA6B,EAC7B,KAAK,uBAAuB,GAC5B,MAAM,yCAAyC,CAAC;AACjD,OAAO,EAAE,oBAAoB,EAAE,KAAK,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC1F,OAAO,EACN,yBAAyB,EACzB,sBAAsB,EACtB,KAAK,mBAAmB,EACxB,KAAK,gBAAgB,GACrB,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAAE,KAAK,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACnG,OAAO,EACN,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,UAAU,GACf,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACN,cAAc,EACd,iBAAiB,EACjB,oBAAoB,EACpB,mBAAmB,EACnB,SAAS,EACT,YAAY,GACZ,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACN,cAAc,EACd,YAAY,EACZ,gBAAgB,EAChB,eAAe,EACf,cAAc,EACd,qBAAqB,GACrB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,oBAAoB,EAAE,KAAK,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC1F,OAAO,EAAE,wBAAwB,EAAE,KAAK,kBAAkB,EAAE,MAAM,mCAAmC,CAAC;AACtG,OAAO,EACN,+BAA+B,EAC/B,KAAK,yBAAyB,GAC9B,MAAM,2CAA2C,CAAC;AAGnD,OAAO,EAAE,sBAAsB,EAAE,KAAK,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AAChG,OAAO,EACN,8BAA8B,EAC9B,KAAK,wBAAwB,GAC7B,MAAM,0CAA0C,CAAC;AAClD,OAAO,EAAE,uBAAuB,EAAE,KAAK,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACnG,OAAO,EAAE,iBAAiB,EAAE,KAAK,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAGhF,OAAO,EACN,8BAA8B,EAC9B,+BAA+B,EAC/B,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,GAC9B,MAAM,0CAA0C,CAAC;AAGlD,OAAO,EACN,2BAA2B,EAC3B,KAAK,qBAAqB,GAC1B,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EACN,sCAAsC,EACtC,yCAAyC,EACzC,KAAK,gCAAgC,GACrC,MAAM,kDAAkD,CAAC;AAC1D,OAAO,EACN,2CAA2C,EAC3C,KAAK,kCAAkC,GACvC,MAAM,oDAAoD,CAAC;AAG5D,OAAO,EACN,uBAAuB,EACvB,oCAAoC,EACpC,uCAAuC,EACvC,KAAK,iBAAiB,EACtB,KAAK,8BAA8B,GACnC,MAAM,gDAAgD,CAAC;AACxD,OAAO,EACN,yCAAyC,EACzC,KAAK,gCAAgC,GACrC,MAAM,kDAAkD,CAAC"}

package/dist/index.js

@@ -0,0 +1,37 @@
+export { buildClientMetadata } from './build-client-metadata.js';
+export { CLIENT_ASSERTION_TYPE_JWT_BEARER, FALLBACK_ALG } from './constants.js';
+export * as scope from './scope.js';
+// schemas
+export { confidentialClientMetadataSchema, } from './schemas/atcute-confidential-client-metadata.js';
+export { atprotoOAuthScopeSchema, ATPROTO_SCOPE_VALUE, DEFAULT_ATPROTO_OAUTH_SCOPE, } from './schemas/atproto-oauth-scope.js';
+export { jwkPubSchema, jwkSchema, keyUsageSchema, publicKeyUsageSchema, } from './schemas/jwk.js';
+export { jwksPubSchema, jwksSchema } from './schemas/jwks.js';
+export { oauthClientIdDiscoverableSchema } from './schemas/oauth-client-id-discoverable.js';
+export { oauthClientIdSchema } from './schemas/oauth-client-id.js';
+export { oauthClientMetadataSchema } from './schemas/oauth-client-metadata.js';
+export { oauthEndpointAuthMethodSchema, } from './schemas/oauth-endpoint-auth-method.js';
+export { oauthGrantTypeSchema } from './schemas/oauth-grant-type.js';
+export { loopbackRedirectUriSchema, oauthRedirectUriSchema, } from './schemas/oauth-redirect-uri.js';
+export { oauthResponseTypeSchema } from './schemas/oauth-response-type.js';
+export { isOAuthScope, OAUTH_SCOPE_REGEXP, oauthScopeSchema, } from './schemas/oauth-scope.js';
+export { httpsUriSchema, loopbackUriSchema, nonLocalWebUriSchema, privateUseUriSchema, urlSchema, webUriSchema, } from './schemas/uri.js';
+export { extractUrlPath, isHostnameIP, isLastOccurrence, isLocalHostname, isLoopbackHost, isSpaceSeparatedValue, } from './schemas/utils.js';
+// token schemas
+export { oauthTokenTypeSchema } from './schemas/oauth-token-type.js';
+export { oauthTokenResponseSchema } from './schemas/oauth-token-response.js';
+export { atprotoOAuthTokenResponseSchema, } from './schemas/atproto-oauth-token-response.js';
+// PAR schemas
+export { oauthParResponseSchema } from './schemas/oauth-par-response.js';
+export { oauthCodeChallengeMethodSchema, } from './schemas/oauth-code-challenge-method.js';
+export { oauthResponseModeSchema } from './schemas/oauth-response-mode.js';
+export { oauthPromptSchema } from './schemas/oauth-prompt.js';
+// authorization details
+export { oauthAuthorizationDetailSchema, oauthAuthorizationDetailsSchema, } from './schemas/oauth-authorization-details.js';
+// server metadata
+export { oauthIssuerIdentifierSchema, } from './schemas/oauth-issuer-identifier.js';
+export { oauthAuthorizationServerMetadataSchema, oauthAuthorizationServerMetadataValidator, } from './schemas/oauth-authorization-server-metadata.js';
+export { atprotoAuthorizationServerMetadataValidator, } from './schemas/atproto-authorization-server-metadata.js';
+// protected resource metadata
+export { oauthBearerMethodSchema, oauthProtectedResourceMetadataSchema, oauthProtectedResourceMetadataValidator, } from './schemas/oauth-protected-resource-metadata.js';
+export { atprotoProtectedResourceMetadataValidator, } from './schemas/atproto-protected-resource-metadata.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,gCAAgC,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAEhF,OAAO,KAAK,KAAK,MAAM,YAAY,CAAC;AAEpC,UAAU;AACV,OAAO,EACN,gCAAgC,GAEhC,MAAM,kDAAkD,CAAC;AAC1D,OAAO,EACN,uBAAuB,EACvB,mBAAmB,EACnB,2BAA2B,GAE3B,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EACN,YAAY,EACZ,SAAS,EACT,cAAc,EACd,oBAAoB,GAIpB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,aAAa,EAAE,UAAU,EAA2B,MAAM,mBAAmB,CAAC;AACvF,OAAO,EAAE,+BAA+B,EAAE,MAAM,2CAA2C,CAAC;AAC5F,OAAO,EAAE,mBAAmB,EAAsB,MAAM,8BAA8B,CAAC;AACvF,OAAO,EAAE,yBAAyB,EAA4B,MAAM,oCAAoC,CAAC;AACzG,OAAO,EACN,6BAA6B,GAE7B,MAAM,yCAAyC,CAAC;AACjD,OAAO,EAAE,oBAAoB,EAAuB,MAAM,+BAA+B,CAAC;AAC1F,OAAO,EACN,yBAAyB,EACzB,sBAAsB,GAGtB,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAA0B,MAAM,kCAAkC,CAAC;AACnG,OAAO,EACN,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,GAEhB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACN,cAAc,EACd,iBAAiB,EACjB,oBAAoB,EACpB,mBAAmB,EACnB,SAAS,EACT,YAAY,GACZ,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACN,cAAc,EACd,YAAY,EACZ,gBAAgB,EAChB,eAAe,EACf,cAAc,EACd,qBAAqB,GACrB,MAAM,oBAAoB,CAAC;AAE5B,gBAAgB;AAChB,OAAO,EAAE,oBAAoB,EAAuB,MAAM,+BAA+B,CAAC;AAC1F,OAAO,EAAE,wBAAwB,EAA2B,MAAM,mCAAmC,CAAC;AACtG,OAAO,EACN,+BAA+B,GAE/B,MAAM,2CAA2C,CAAC;AAEnD,cAAc;AACd,OAAO,EAAE,sBAAsB,EAAyB,MAAM,iCAAiC,CAAC;AAChG,OAAO,EACN,8BAA8B,GAE9B,MAAM,0CAA0C,CAAC;AAClD,OAAO,EAAE,uBAAuB,EAA0B,MAAM,kCAAkC,CAAC;AACnG,OAAO,EAAE,iBAAiB,EAAoB,MAAM,2BAA2B,CAAC;AAEhF,wBAAwB;AACxB,OAAO,EACN,8BAA8B,EAC9B,+BAA+B,GAG/B,MAAM,0CAA0C,CAAC;AAElD,kBAAkB;AAClB,OAAO,EACN,2BAA2B,GAE3B,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EACN,sCAAsC,EACtC,yCAAyC,GAEzC,MAAM,kDAAkD,CAAC;AAC1D,OAAO,EACN,2CAA2C,GAE3C,MAAM,oDAAoD,CAAC;AAE5D,8BAA8B;AAC9B,OAAO,EACN,uBAAuB,EACvB,oCAAoC,EACpC,uCAAuC,GAGvC,MAAM,gDAAgD,CAAC;AACxD,OAAO,EACN,yCAAyC,GAEzC,MAAM,kDAAkD,CAAC"}

package/dist/schemas/atcute-confidential-client-metadata.d.ts

@@ -0,0 +1,21 @@
+import * as v from '@badrap/valita';
+/**
+ * user-facing client metadata for configuring a confidential OAuth client.
+ *
+ * this is a lean subset of OAuth client metadata, focused on what you actually provide.
+ * the library will fill in atproto-required values like `dpop_bound_access_tokens`,
+ * `token_endpoint_auth_method`, and default `grant_types` / `response_types`.
+ */
+export declare const confidentialClientMetadataSchema: v.Type<{
+    client_id: string;
+    redirect_uris: string[];
+    scope: string | string[];
+    client_uri?: string | undefined;
+    client_name?: string | undefined;
+    policy_uri?: string | undefined;
+    tos_uri?: string | undefined;
+    logo_uri?: string | undefined;
+    jwks_uri?: string | undefined;
+}>;
+export type ConfidentialClientMetadata = v.Infer<typeof confidentialClientMetadataSchema>;
+//# sourceMappingURL=atcute-confidential-client-metadata.d.ts.map

package/dist/schemas/atcute-confidential-client-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"atcute-confidential-client-metadata.d.ts","sourceRoot":"","sources":["../../lib/schemas/atcute-confidential-client-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAWpC;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;EAsH1C,CAAC;AAEJ,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gCAAgC,CAAC,CAAC"}

package/dist/schemas/atcute-confidential-client-metadata.js

@@ -0,0 +1,112 @@
+import * as v from '@badrap/valita';
+import { atprotoOAuthScopeSchema } from './atproto-oauth-scope.js';
+import { oauthClientIdDiscoverableSchema } from './oauth-client-id-discoverable.js';
+import { httpsUriSchema, nonLocalWebUriSchema, webUriSchema } from './uri.js';
+import { isLocalHostname } from './utils.js';
+const SINGLE_SCOPE_RE = /^[\x21\x23-\x5B\x5D-\x7E]+$/;
+const singleScopeSchema = v.string().assert((input) => SINGLE_SCOPE_RE.test(input), `invalid OAuth scope`);
+/**
+ * user-facing client metadata for configuring a confidential OAuth client.
+ *
+ * this is a lean subset of OAuth client metadata, focused on what you actually provide.
+ * the library will fill in atproto-required values like `dpop_bound_access_tokens`,
+ * `token_endpoint_auth_method`, and default `grant_types` / `response_types`.
+ */
+export const confidentialClientMetadataSchema = v
+    .object({
+    /** discoverable https client_id URL (where metadata is hosted) */
+    client_id: oauthClientIdDiscoverableSchema,
+    /** redirect URIs for authorization responses (must be https) */
+    redirect_uris: v
+        .array(httpsUriSchema)
+        .assert((arr) => arr.length > 0, `must have at least one redirect URI`)
+        .assert((arr) => {
+        for (const uri of arr) {
+            const url = new URL(uri);
+            if (url.username || url.password) {
+                return false;
+            }
+        }
+        return true;
+    }, `redirect URIs must not contain credentials`),
+    /**
+     * OAuth scope - either:
+     * - a space-separated string (must include "atproto")
+     * - an array of scope strings ('atproto' is added automatically)
+     */
+    scope: v.union(atprotoOAuthScopeSchema.chain((input) => {
+        const scopes = input.split(/\s+/);
+        for (let i = 0, len = scopes.length; i < len; i++) {
+            const aka = scopes[i];
+            for (let j = 0; j < i; j++) {
+                if (aka === scopes[j]) {
+                    return v.err(`duplicate "${aka}" scope`);
+                }
+            }
+        }
+        return v.ok(input);
+    }), v.array(singleScopeSchema).chain((input) => {
+        if (!input.includes('atproto')) {
+            input = ['atproto', ...input];
+        }
+        for (let i = 0, len = input.length; i < len; i++) {
+            const aka = input[i];
+            for (let j = 0; j < i; j++) {
+                if (aka === input[j]) {
+                    return v.err(`duplicate "${aka}" scope`);
+                }
+            }
+        }
+        return v.ok(input);
+    })),
+    /** optional client homepage */
+    client_uri: webUriSchema.optional(),
+    /** optional display name */
+    client_name: v.string().optional(),
+    /** optional policy url */
+    policy_uri: nonLocalWebUriSchema.optional(),
+    /** optional terms of service url */
+    tos_uri: nonLocalWebUriSchema.optional(),
+    /** optional logo url */
+    logo_uri: nonLocalWebUriSchema.optional(),
+    /** optional JWKS URL; if omitted, the library will inline jwks from the keyset */
+    jwks_uri: httpsUriSchema.optional(),
+})
+    .chain((input) => {
+    const clientIdUrl = new URL(input.client_id);
+    if (isLocalHostname(clientIdUrl.hostname)) {
+        return v.err({ message: `client_id hostname is invalid`, path: ['client_id'] });
+    }
+    if (input.jwks_uri) {
+        const jwksUrl = new URL(input.jwks_uri);
+        if (jwksUrl.username || jwksUrl.password) {
+            return v.err({ message: `jwks_uri must not contain credentials`, path: ['jwks_uri'] });
+        }
+        if (isLocalHostname(jwksUrl.hostname)) {
+            return v.err({ message: `jwks_uri hostname is invalid`, path: ['jwks_uri'] });
+        }
+    }
+    // for discoverable clients, client_uri (if provided) must be same-origin parent of client_id
+    if (input.client_uri) {
+        const clientUriUrl = new URL(input.client_uri);
+        if (isLocalHostname(clientUriUrl.hostname)) {
+            return v.err({ message: `client_uri hostname is invalid`, path: ['client_uri'] });
+        }
+        if (clientUriUrl.origin !== clientIdUrl.origin) {
+            return v.err({
+                message: `client_uri must have the same origin as the client_id`,
+                path: ['client_uri'],
+            });
+        }
+        if (clientIdUrl.pathname !== clientUriUrl.pathname) {
+            const prefix = clientUriUrl.pathname.endsWith('/')
+                ? clientUriUrl.pathname
+                : `${clientUriUrl.pathname}/`;
+            if (!clientIdUrl.pathname.startsWith(prefix)) {
+                return v.err({ message: `client_uri must be a parent URL of the client_id`, path: ['client_uri'] });
+            }
+        }
+    }
+    return v.ok(input);
+});
+//# sourceMappingURL=atcute-confidential-client-metadata.js.map

package/dist/schemas/atcute-confidential-client-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"atcute-confidential-client-metadata.js","sourceRoot":"","sources":["../../lib/schemas/atcute-confidential-client-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,+BAA+B,EAAE,MAAM,mCAAmC,CAAC;AACpF,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,eAAe,GAAG,6BAA6B,CAAC;AAEtD,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,qBAAqB,CAAC,CAAC;AAE3G;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAAG,CAAC;KAC/C,MAAM,CAAC;IACP,kEAAkE;IAClE,SAAS,EAAE,+BAA+B;IAE1C,gEAAgE;IAChE,aAAa,EAAE,CAAC;SACd,KAAK,CAAC,cAAc,CAAC;SACrB,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,qCAAqC,CAAC;SACtE,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC;QAChB,KAAK,MAAM,GAAG,IAAI,GAAG,EAAE,CAAC;YACvB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YACzB,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;gBAClC,OAAO,KAAK,CAAC;YACd,CAAC;QACF,CAAC;QACD,OAAO,IAAI,CAAC;IAAA,CACZ,EAAE,4CAA4C,CAAC;IAEjD;;;;OAIG;IACH,KAAK,EAAE,CAAC,CAAC,KAAK,CACb,uBAAuB,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;QACxC,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YAEtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC5B,IAAI,GAAG,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvB,OAAO,CAAC,CAAC,GAAG,CAAC,cAAc,GAAG,SAAS,CAAC,CAAC;gBAC1C,CAAC;YACF,CAAC;QACF,CAAC;QAED,OAAO,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;IAAA,CACnB,CAAC,EACF,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;QAC3C,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAChC,KAAK,GAAG,CAAC,SAAS,EAAE,GAAG,KAAK,CAAC,CAAC;QAC/B,CAAC;QAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;YAClD,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAErB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC5B,IAAI,GAAG,KAAK,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;oBACtB,OAAO,CAAC,CAAC,GAAG,CAAC,cAAc,GAAG,SAAS,CAAC,CAAC;gBAC1C,CAAC;YACF,CAAC;QACF,CAAC;QAED,OAAO,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;IAAA,CACnB,CAAC,CACF;IAED,+BAA+B;IAC/B,UAAU,EAAE,YAAY,CAAC,QAAQ,EAAE;IACnC,4BAA4B;IAC5B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,0BAA0B;IAC1B,UAAU,EAAE,oBAAoB,CAAC,QAAQ,EAAE;IAC3C,oCAAoC;IACpC,OAAO,EAAE,oBAAoB,CAAC,QAAQ,EAAE;IACxC,wBAAwB;IACxB,QAAQ,EAAE,oBAAoB,CAAC,QAAQ,EAAE;IAEzC,kFAAkF;IAClF,QAAQ,EAAE,cAAc,CAAC,QAAQ,EAAE;CACnC,CAAC;KACD,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;IACjB,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAC7C,IAAI,eAAe,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3C,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,IAAI,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACjF,CAAC;IAED,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAExC,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YAC1C,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,uCAAuC,EAAE,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,IAAI,eAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvC,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,8BAA8B,EAAE,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;QAC/E,CAAC;IACF,CAAC;IAED,6FAA6F;IAC7F,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACtB,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAE/C,IAAI,eAAe,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5C,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,gCAAgC,EAAE,IAAI,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QACnF,CAAC;QAED,IAAI,YAAY,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM,EAAE,CAAC;YAChD,OAAO,CAAC,CAAC,GAAG,CAAC;gBACZ,OAAO,EAAE,uDAAuD;gBAChE,IAAI,EAAE,CAAC,YAAY,CAAC;aACpB,CAAC,CAAC;QACJ,CAAC;QAED,IAAI,WAAW,CAAC,QAAQ,KAAK,YAAY,CAAC,QAAQ,EAAE,CAAC;YACpD,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;gBACjD,CAAC,CAAC,YAAY,CAAC,QAAQ;gBACvB,CAAC,CAAC,GAAG,YAAY,CAAC,QAAQ,GAAG,CAAC;YAE/B,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC9C,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,kDAAkD,EAAE,IAAI,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;YACrG,CAAC;QACF,CAAC;IACF,CAAC;IAED,OAAO,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;AAAA,CACnB,CAAC,CAAC"}

package/dist/schemas/atproto-authorization-server-metadata.d.ts

@@ -0,0 +1,55 @@
+import * as v from '@badrap/valita';
+/**
+ * AT Protocol authorization server metadata with required fields and assertions.
+ *
+ * @see {@link https://atproto.com/specs/oauth}
+ */
+export declare const atprotoAuthorizationServerMetadataValidator: v.Type<{
+    issuer: string;
+    claims_supported?: string[] | undefined;
+    claims_locales_supported?: string[] | undefined;
+    claims_parameter_supported?: boolean | undefined;
+    request_parameter_supported?: boolean | undefined;
+    request_uri_parameter_supported?: boolean | undefined;
+    require_request_uri_registration?: boolean | undefined;
+    scopes_supported?: string[] | undefined;
+    subject_types_supported?: string[] | undefined;
+    response_types_supported?: string[] | undefined;
+    response_modes_supported?: string[] | undefined;
+    grant_types_supported?: string[] | undefined;
+    code_challenge_methods_supported?: ("S256" | "plain")[] | undefined;
+    ui_locales_supported?: string[] | undefined;
+    id_token_signing_alg_values_supported?: string[] | undefined;
+    display_values_supported?: string[] | undefined;
+    prompt_values_supported?: ("consent" | "create" | "login" | "none" | "select_account")[] | undefined;
+    request_object_signing_alg_values_supported?: string[] | undefined;
+    authorization_response_iss_parameter_supported?: boolean | undefined;
+    authorization_details_types_supported?: string[] | undefined;
+    request_object_encryption_alg_values_supported?: string[] | undefined;
+    request_object_encryption_enc_values_supported?: string[] | undefined;
+    jwks_uri?: string | undefined;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    token_endpoint_auth_methods_supported?: string[] | undefined;
+    token_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
+    revocation_endpoint?: string | undefined;
+    revocation_endpoint_auth_methods_supported?: string[] | undefined;
+    revocation_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
+    introspection_endpoint?: string | undefined;
+    introspection_endpoint_auth_methods_supported?: string[] | undefined;
+    introspection_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
+    pushed_authorization_request_endpoint?: string | undefined;
+    pushed_authorization_request_endpoint_auth_methods_supported?: string[] | undefined;
+    pushed_authorization_request_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
+    require_pushed_authorization_requests?: boolean | undefined;
+    userinfo_endpoint?: string | undefined;
+    end_session_endpoint?: string | undefined;
+    registration_endpoint?: string | undefined;
+    dpop_signing_alg_values_supported?: string[] | undefined;
+    protected_resources?: string[] | undefined;
+    client_id_metadata_document_supported?: boolean | undefined;
+} & {
+    pushed_authorization_request_endpoint: string;
+}>;
+export type AtprotoAuthorizationServerMetadata = v.Infer<typeof atprotoAuthorizationServerMetadataValidator>;
+//# sourceMappingURL=atproto-authorization-server-metadata.d.ts.map

package/dist/schemas/atproto-authorization-server-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"atproto-authorization-server-metadata.d.ts","sourceRoot":"","sources":["../../lib/schemas/atproto-authorization-server-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAIpC;;;;GAIG;AACH,eAAO,MAAM,2CAA2C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAoBvD,CAAC;AAEF,MAAM,MAAM,kCAAkC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2CAA2C,CAAC,CAAC"}

package/dist/schemas/atproto-authorization-server-metadata.js

@@ -0,0 +1,25 @@
+import * as v from '@badrap/valita';
+import { oauthAuthorizationServerMetadataValidator } from './oauth-authorization-server-metadata.js';
+/**
+ * AT Protocol authorization server metadata with required fields and assertions.
+ *
+ * @see {@link https://atproto.com/specs/oauth}
+ */
+export const atprotoAuthorizationServerMetadataValidator = oauthAuthorizationServerMetadataValidator.chain((data) => {
+    // atproto requires client_id_metadata_document support
+    if (data.client_id_metadata_document_supported !== true) {
+        return v.err({
+            message: `atproto requires client_id_metadata_document_supported to be true`,
+            path: ['client_id_metadata_document_supported'],
+        });
+    }
+    // atproto requires PAR
+    if (!data.pushed_authorization_request_endpoint) {
+        return v.err({
+            message: `atproto requires pushed_authorization_request_endpoint to be true`,
+            path: ['pushed_authorization_request_endpoint'],
+        });
+    }
+    return v.ok(data);
+});
+//# sourceMappingURL=atproto-authorization-server-metadata.js.map

package/dist/schemas/atproto-authorization-server-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"atproto-authorization-server-metadata.js","sourceRoot":"","sources":["../../lib/schemas/atproto-authorization-server-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,OAAO,EAAE,yCAAyC,EAAE,MAAM,0CAA0C,CAAC;AAErG;;;;GAIG;AACH,MAAM,CAAC,MAAM,2CAA2C,GAAG,yCAAyC,CAAC,KAAK,CACzG,CAAC,IAAI,EAAE,EAAE,CAAC;IACT,uDAAuD;IACvD,IAAI,IAAI,CAAC,qCAAqC,KAAK,IAAI,EAAE,CAAC;QACzD,OAAO,CAAC,CAAC,GAAG,CAAC;YACZ,OAAO,EAAE,mEAAmE;YAC5E,IAAI,EAAE,CAAC,uCAAuC,CAAC;SAC/C,CAAC,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,IAAI,CAAC,IAAI,CAAC,qCAAqC,EAAE,CAAC;QACjD,OAAO,CAAC,CAAC,GAAG,CAAC;YACZ,OAAO,EAAE,mEAAmE;YAC5E,IAAI,EAAE,CAAC,uCAAuC,CAAC;SAC/C,CAAC,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,CAAC,EAAE,CAAC,IAAuE,CAAC,CAAC;AAAA,CACrF,CACD,CAAC"}