npm - @atcute/oauth-types - Versions diffs - 0.1.0 → 1.0.0 - Mend

@atcute/oauth-types 0.1.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/README.md +6 -5
package/dist/build-client-metadata.d.ts +18 -160
package/dist/build-client-metadata.d.ts.map +1 -1
package/dist/build-client-metadata.js +73 -3
package/dist/build-client-metadata.js.map +1 -1
package/dist/index.d.ts +31 -30
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -1
package/dist/index.js.map +1 -1
package/dist/schemas/atcute-client-shared.d.ts +8 -0
package/dist/schemas/atcute-client-shared.d.ts.map +1 -0
package/dist/schemas/atcute-client-shared.js +15 -0
package/dist/schemas/atcute-client-shared.js.map +1 -0
package/dist/schemas/atcute-confidential-client-metadata.d.ts +228 -4
package/dist/schemas/atcute-confidential-client-metadata.d.ts.map +1 -1
package/dist/schemas/atcute-confidential-client-metadata.js +48 -88
package/dist/schemas/atcute-confidential-client-metadata.js.map +1 -1
package/dist/schemas/atcute-public-client-metadata.d.ts +95 -0
package/dist/schemas/atcute-public-client-metadata.d.ts.map +1 -0
package/dist/schemas/atcute-public-client-metadata.js +74 -0
package/dist/schemas/atcute-public-client-metadata.js.map +1 -0
package/dist/schemas/atproto-authorization-server-metadata.d.ts +786 -4
package/dist/schemas/atproto-authorization-server-metadata.d.ts.map +1 -1
package/dist/schemas/atproto-authorization-server-metadata.js +2 -18
package/dist/schemas/atproto-authorization-server-metadata.js.map +1 -1
package/dist/schemas/atproto-oauth-scope.d.ts +3 -3
package/dist/schemas/atproto-oauth-scope.d.ts.map +1 -1
package/dist/schemas/atproto-oauth-scope.js +2 -2
package/dist/schemas/atproto-oauth-scope.js.map +1 -1
package/dist/schemas/atproto-oauth-token-response.d.ts +17 -17
package/dist/schemas/atproto-oauth-token-response.d.ts.map +1 -1
package/dist/schemas/atproto-oauth-token-response.js +6 -6
package/dist/schemas/atproto-oauth-token-response.js.map +1 -1
package/dist/schemas/atproto-protected-resource-metadata.d.ts +100 -4
package/dist/schemas/atproto-protected-resource-metadata.d.ts.map +1 -1
package/dist/schemas/atproto-protected-resource-metadata.js +2 -11
package/dist/schemas/atproto-protected-resource-metadata.js.map +1 -1
package/dist/schemas/jwk.d.ts +4289 -42
package/dist/schemas/jwk.d.ts.map +1 -1
package/dist/schemas/jwk.js +58 -91
package/dist/schemas/jwk.js.map +1 -1
package/dist/schemas/jwks.d.ts +87 -42
package/dist/schemas/jwks.d.ts.map +1 -1
package/dist/schemas/jwks.js +13 -29
package/dist/schemas/jwks.js.map +1 -1
package/dist/schemas/oauth-authorization-details.d.ts +18 -18
package/dist/schemas/oauth-authorization-details.d.ts.map +1 -1
package/dist/schemas/oauth-authorization-details.js +7 -7
package/dist/schemas/oauth-authorization-details.js.map +1 -1
package/dist/schemas/oauth-authorization-server-metadata.d.ts +462 -48
package/dist/schemas/oauth-authorization-server-metadata.d.ts.map +1 -1
package/dist/schemas/oauth-authorization-server-metadata.js +46 -65
package/dist/schemas/oauth-authorization-server-metadata.js.map +1 -1
package/dist/schemas/oauth-client-id-discoverable.d.ts +2 -2
package/dist/schemas/oauth-client-id-discoverable.d.ts.map +1 -1
package/dist/schemas/oauth-client-id-discoverable.js +20 -22
package/dist/schemas/oauth-client-id-discoverable.js.map +1 -1
package/dist/schemas/oauth-client-id.d.ts +3 -3
package/dist/schemas/oauth-client-id.d.ts.map +1 -1
package/dist/schemas/oauth-client-id.js +2 -2
package/dist/schemas/oauth-client-id.js.map +1 -1
package/dist/schemas/oauth-client-metadata.d.ts +73 -51
package/dist/schemas/oauth-client-metadata.d.ts.map +1 -1
package/dist/schemas/oauth-client-metadata.js +33 -40
package/dist/schemas/oauth-client-metadata.js.map +1 -1
package/dist/schemas/oauth-code-challenge-method.d.ts +3 -3
package/dist/schemas/oauth-code-challenge-method.d.ts.map +1 -1
package/dist/schemas/oauth-code-challenge-method.js +2 -2
package/dist/schemas/oauth-code-challenge-method.js.map +1 -1
package/dist/schemas/oauth-endpoint-auth-method.d.ts +3 -3
package/dist/schemas/oauth-endpoint-auth-method.d.ts.map +1 -1
package/dist/schemas/oauth-endpoint-auth-method.js +10 -2
package/dist/schemas/oauth-endpoint-auth-method.js.map +1 -1
package/dist/schemas/oauth-grant-type.d.ts +3 -3
package/dist/schemas/oauth-grant-type.d.ts.map +1 -1
package/dist/schemas/oauth-grant-type.js +10 -3
package/dist/schemas/oauth-grant-type.js.map +1 -1
package/dist/schemas/oauth-issuer-identifier.d.ts +3 -3
package/dist/schemas/oauth-issuer-identifier.d.ts.map +1 -1
package/dist/schemas/oauth-issuer-identifier.js +16 -9
package/dist/schemas/oauth-issuer-identifier.js.map +1 -1
package/dist/schemas/oauth-par-response.d.ts +5 -5
package/dist/schemas/oauth-par-response.d.ts.map +1 -1
package/dist/schemas/oauth-par-response.js +3 -3
package/dist/schemas/oauth-par-response.js.map +1 -1
package/dist/schemas/oauth-prompt.d.ts +3 -3
package/dist/schemas/oauth-prompt.d.ts.map +1 -1
package/dist/schemas/oauth-prompt.js +2 -2
package/dist/schemas/oauth-prompt.js.map +1 -1
package/dist/schemas/oauth-protected-resource-metadata.d.ts +88 -16
package/dist/schemas/oauth-protected-resource-metadata.d.ts.map +1 -1
package/dist/schemas/oauth-protected-resource-metadata.js +14 -26
package/dist/schemas/oauth-protected-resource-metadata.js.map +1 -1
package/dist/schemas/oauth-redirect-uri.d.ts +5 -5
package/dist/schemas/oauth-redirect-uri.d.ts.map +1 -1
package/dist/schemas/oauth-redirect-uri.js +3 -16
package/dist/schemas/oauth-redirect-uri.js.map +1 -1
package/dist/schemas/oauth-response-mode.d.ts +3 -3
package/dist/schemas/oauth-response-mode.d.ts.map +1 -1
package/dist/schemas/oauth-response-mode.js +2 -2
package/dist/schemas/oauth-response-mode.js.map +1 -1
package/dist/schemas/oauth-response-type.d.ts +3 -3
package/dist/schemas/oauth-response-type.d.ts.map +1 -1
package/dist/schemas/oauth-response-type.js +13 -7
package/dist/schemas/oauth-response-type.js.map +1 -1
package/dist/schemas/oauth-scope.d.ts +3 -3
package/dist/schemas/oauth-scope.d.ts.map +1 -1
package/dist/schemas/oauth-scope.js +2 -2
package/dist/schemas/oauth-scope.js.map +1 -1
package/dist/schemas/oauth-token-response.d.ts +17 -17
package/dist/schemas/oauth-token-response.d.ts.map +1 -1
package/dist/schemas/oauth-token-response.js +7 -7
package/dist/schemas/oauth-token-response.js.map +1 -1
package/dist/schemas/oauth-token-type.d.ts +3 -3
package/dist/schemas/oauth-token-type.d.ts.map +1 -1
package/dist/schemas/oauth-token-type.js +8 -7
package/dist/schemas/oauth-token-type.js.map +1 -1
package/dist/schemas/uri.d.ts +7 -7
package/dist/schemas/uri.d.ts.map +1 -1
package/dist/schemas/uri.js +44 -44
package/dist/schemas/uri.js.map +1 -1
package/dist/schemas/utils.d.ts.map +1 -1
package/dist/schemas/utils.js.map +1 -1
package/dist/scope.d.ts.map +1 -1
package/dist/scope.js.map +1 -1
package/lib/build-client-metadata.ts +92 -6
package/lib/index.ts +38 -30
package/lib/schemas/atcute-client-shared.ts +25 -0
package/lib/schemas/atcute-confidential-client-metadata.ts +81 -111
package/lib/schemas/atcute-public-client-metadata.ts +101 -0
package/lib/schemas/atproto-authorization-server-metadata.ts +22 -23
package/lib/schemas/atproto-oauth-scope.ts +8 -5
package/lib/schemas/atproto-oauth-token-response.ts +10 -9
package/lib/schemas/atproto-protected-resource-metadata.ts +15 -15
package/lib/schemas/jwk.ts +104 -120
package/lib/schemas/jwks.ts +28 -40
package/lib/schemas/oauth-authorization-details.ts +10 -10
package/lib/schemas/oauth-authorization-server-metadata.ts +72 -74
package/lib/schemas/oauth-client-id-discoverable.ts +43 -48
package/lib/schemas/oauth-client-id.ts +3 -3
package/lib/schemas/oauth-client-metadata.ts +45 -49
package/lib/schemas/oauth-code-challenge-method.ts +3 -3
package/lib/schemas/oauth-endpoint-auth-method.ts +11 -11
package/lib/schemas/oauth-grant-type.ts +11 -11
package/lib/schemas/oauth-issuer-identifier.ts +35 -27
package/lib/schemas/oauth-par-response.ts +4 -4
package/lib/schemas/oauth-prompt.ts +3 -9
package/lib/schemas/oauth-protected-resource-metadata.ts +26 -35
package/lib/schemas/oauth-redirect-uri.ts +15 -23
package/lib/schemas/oauth-response-mode.ts +3 -7
package/lib/schemas/oauth-response-type.ts +12 -12
package/lib/schemas/oauth-scope.ts +3 -3
package/lib/schemas/oauth-token-response.ts +10 -10
package/lib/schemas/oauth-token-type.ts +16 -12
package/lib/schemas/uri.ts +89 -76
package/package.json +9 -8

package/lib/schemas/oauth-authorization-server-metadata.ts CHANGED Viewed

@@ -1,101 +1,99 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
-import { oauthCodeChallengeMethodSchema } from './oauth-code-challenge-method.js';
-import { oauthIssuerIdentifierSchema } from './oauth-issuer-identifier.js';
-import { oauthPromptSchema } from './oauth-prompt.js';
-import { webUriSchema } from './uri.js';
+import { oauthCodeChallengeMethodSchema } from './oauth-code-challenge-method.ts';
+import { oauthIssuerIdentifierSchema } from './oauth-issuer-identifier.ts';
+import { oauthPromptSchema } from './oauth-prompt.ts';
+import { webUriSchema } from './uri.ts';
 /**
  * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
  */
-export const oauthAuthorizationServerMetadataSchema = v.object({
+export const oauthAuthorizationServerMetadataSchema = v.looseObject({
 	issuer: oauthIssuerIdentifierSchema,
-	claims_supported: v.array(v.string()).optional(),
-	claims_locales_supported: v.array(v.string()).optional(),
-	claims_parameter_supported: v.boolean().optional(),
-	request_parameter_supported: v.boolean().optional(),
-	request_uri_parameter_supported: v.boolean().optional(),
-	require_request_uri_registration: v.boolean().optional(),
-	scopes_supported: v.array(v.string()).optional(),
-	subject_types_supported: v.array(v.string()).optional(),
-	response_types_supported: v.array(v.string()).optional(),
-	response_modes_supported: v.array(v.string()).optional(),
-	grant_types_supported: v.array(v.string()).optional(),
-	code_challenge_methods_supported: v.array(oauthCodeChallengeMethodSchema).optional(),
-	ui_locales_supported: v.array(v.string()).optional(),
-	id_token_signing_alg_values_supported: v.array(v.string()).optional(),
-	display_values_supported: v.array(v.string()).optional(),
-	prompt_values_supported: v.array(oauthPromptSchema).optional(),
-	request_object_signing_alg_values_supported: v.array(v.string()).optional(),
-	authorization_response_iss_parameter_supported: v.boolean().optional(),
-	authorization_details_types_supported: v.array(v.string()).optional(),
-	request_object_encryption_alg_values_supported: v.array(v.string()).optional(),
-	request_object_encryption_enc_values_supported: v.array(v.string()).optional(),
-	jwks_uri: webUriSchema.optional(),
+	claims_supported: v.optional(v.array(v.string())),
+	claims_locales_supported: v.optional(v.array(v.string())),
+	claims_parameter_supported: v.optional(v.boolean()),
+	request_parameter_supported: v.optional(v.boolean()),
+	request_uri_parameter_supported: v.optional(v.boolean()),
+	require_request_uri_registration: v.optional(v.boolean()),
+	scopes_supported: v.optional(v.array(v.string())),
+	subject_types_supported: v.optional(v.array(v.string())),
+	response_types_supported: v.optional(v.array(v.string())),
+	response_modes_supported: v.optional(v.array(v.string())),
+	grant_types_supported: v.optional(v.array(v.string())),
+	code_challenge_methods_supported: v.optional(v.array(oauthCodeChallengeMethodSchema)),
+	ui_locales_supported: v.optional(v.array(v.string())),
+	id_token_signing_alg_values_supported: v.optional(v.array(v.string())),
+	display_values_supported: v.optional(v.array(v.string())),
+	prompt_values_supported: v.optional(v.array(oauthPromptSchema)),
+	request_object_signing_alg_values_supported: v.optional(v.array(v.string())),
+	authorization_response_iss_parameter_supported: v.optional(v.boolean()),
+	authorization_details_types_supported: v.optional(v.array(v.string())),
+	request_object_encryption_alg_values_supported: v.optional(v.array(v.string())),
+	request_object_encryption_enc_values_supported: v.optional(v.array(v.string())),
+	jwks_uri: v.optional(webUriSchema),
 	authorization_endpoint: webUriSchema,
 	token_endpoint: webUriSchema,
 	// https://www.rfc-editor.org/rfc/rfc8414.html#section-2
-	token_endpoint_auth_methods_supported: v.array(v.string()).optional(),
-	token_endpoint_auth_signing_alg_values_supported: v.array(v.string()).optional(),
+	token_endpoint_auth_methods_supported: v.optional(v.array(v.string())),
+	token_endpoint_auth_signing_alg_values_supported: v.optional(v.array(v.string())),
-	revocation_endpoint: webUriSchema.optional(),
-	revocation_endpoint_auth_methods_supported: v.array(v.string()).optional(),
-	revocation_endpoint_auth_signing_alg_values_supported: v.array(v.string()).optional(),
+	revocation_endpoint: v.optional(webUriSchema),
+	revocation_endpoint_auth_methods_supported: v.optional(v.array(v.string())),
+	revocation_endpoint_auth_signing_alg_values_supported: v.optional(v.array(v.string())),
-	introspection_endpoint: webUriSchema.optional(),
-	introspection_endpoint_auth_methods_supported: v.array(v.string()).optional(),
-	introspection_endpoint_auth_signing_alg_values_supported: v.array(v.string()).optional(),
+	introspection_endpoint: v.optional(webUriSchema),
+	introspection_endpoint_auth_methods_supported: v.optional(v.array(v.string())),
+	introspection_endpoint_auth_signing_alg_values_supported: v.optional(v.array(v.string())),
-	pushed_authorization_request_endpoint: webUriSchema.optional(),
-	pushed_authorization_request_endpoint_auth_methods_supported: v.array(v.string()).optional(),
-	pushed_authorization_request_endpoint_auth_signing_alg_values_supported: v.array(v.string()).optional(),
-	require_pushed_authorization_requests: v.boolean().optional(),
+	pushed_authorization_request_endpoint: v.optional(webUriSchema),
+	pushed_authorization_request_endpoint_auth_methods_supported: v.optional(v.array(v.string())),
+	pushed_authorization_request_endpoint_auth_signing_alg_values_supported: v.optional(v.array(v.string())),
+	require_pushed_authorization_requests: v.optional(v.boolean()),
-	userinfo_endpoint: webUriSchema.optional(),
-	end_session_endpoint: webUriSchema.optional(),
-	registration_endpoint: webUriSchema.optional(),
+	userinfo_endpoint: v.optional(webUriSchema),
+	end_session_endpoint: v.optional(webUriSchema),
+	registration_endpoint: v.optional(webUriSchema),
 	// https://datatracker.ietf.org/doc/html/rfc9449#section-5.1
-	dpop_signing_alg_values_supported: v.array(v.string()).optional(),
+	dpop_signing_alg_values_supported: v.optional(v.array(v.string())),
 	// https://www.rfc-editor.org/rfc/rfc9728.html#section-4
-	protected_resources: v.array(webUriSchema).optional(),
+	protected_resources: v.optional(v.array(webUriSchema)),
 	// https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html
-	client_id_metadata_document_supported: v.boolean().optional(),
+	client_id_metadata_document_supported: v.optional(v.boolean()),
 });
-export type OAuthAuthorizationServerMetadata = v.Infer<typeof oauthAuthorizationServerMetadataSchema>;
-export const oauthAuthorizationServerMetadataValidator = oauthAuthorizationServerMetadataSchema.chain(
-	(data) => {
-		if (data.require_pushed_authorization_requests && !data.pushed_authorization_request_endpoint) {
-			return v.err({
-				message: `"pushed_authorization_request_endpoint" required when "require_pushed_authorization_requests" is true`,
-				path: ['pushed_authorization_request_endpoint'],
-			});
-		}
-		if (data.response_types_supported && !data.response_types_supported.includes('code')) {
-			return v.err({
-				message: `response type "code" is required`,
-				path: ['response_types_supported'],
-			});
-		}
-		if (data.token_endpoint_auth_signing_alg_values_supported?.includes('none')) {
+export type OAuthAuthorizationServerMetadata = v.InferOutput<typeof oauthAuthorizationServerMetadataSchema>;
+export const oauthAuthorizationServerMetadataValidator = v.pipe(
+	oauthAuthorizationServerMetadataSchema,
+	v.forward(
+		v.check(
+			(data) => !data.require_pushed_authorization_requests || !!data.pushed_authorization_request_endpoint,
+			`"pushed_authorization_request_endpoint" required when "require_pushed_authorization_requests" is true`,
+		),
+		['pushed_authorization_request_endpoint'],
+	),
+	v.forward(
+		v.check(
+			(data) => !data.response_types_supported || data.response_types_supported.includes('code'),
+			`response type "code" is required`,
+		),
+		['response_types_supported'],
+	),
+	v.forward(
+		v.check(
+			(data) => !data.token_endpoint_auth_signing_alg_values_supported?.includes('none'),
 			// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3
 			// > The value `none` MUST NOT be used.
-			return v.err({
-				message: `client authentication method "none" is not allowed`,
-				path: ['token_endpoint_auth_signing_alg_values_supported'],
-			});
-		}
-		return v.ok(data);
-	},
+			`client authentication method "none" is not allowed`,
+		),
+		['token_endpoint_auth_signing_alg_values_supported'],
+	),
 );

package/lib/schemas/oauth-client-id-discoverable.ts CHANGED Viewed

@@ -1,53 +1,48 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
-import { oauthClientIdSchema } from './oauth-client-id.js';
-import { httpsUriSchema } from './uri.js';
-import { extractUrlPath, isHostnameIP } from './utils.js';
+import { oauthClientIdSchema } from './oauth-client-id.ts';
+import { httpsUriSchema } from './uri.ts';
+import { extractUrlPath, isHostnameIP } from './utils.ts';
 /**
  * @see {@link https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html}
  */
-export const oauthClientIdDiscoverableSchema = v.string().chain((input, options) => {
-	// first validate as base client ID
-	const clientIdResult = oauthClientIdSchema.try(input, options);
-	if (!clientIdResult.ok) {
-		return clientIdResult;
-	}
-	// then validate as https URI
-	const httpsResult = httpsUriSchema.try(input, options);
-	if (!httpsResult.ok) {
-		return httpsResult;
-	}
-	const url = new URL(input);
-	if (url.username || url.password) {
-		return v.err(`client ID must not contain credentials`);
-	}
-	if (url.hash) {
-		return v.err(`client ID must not contain a fragment`);
-	}
-	if (url.pathname === '/') {
-		return v.err(`client ID must contain a path component (e.g. "/client-metadata.json")`);
-	}
-	if (url.pathname.endsWith('/')) {
-		return v.err(`client ID path must not end with a trailing slash`);
-	}
-	if (isHostnameIP(url.hostname)) {
-		return v.err(`client ID hostname must not be an IP address`);
-	}
-	// URL constructor normalizes the URL, so we extract the path manually to
-	// avoid normalization, then compare it to the normalized path to ensure
-	// that the URL does not contain path traversal or other unexpected characters
-	if (extractUrlPath(input) !== url.pathname) {
-		return v.err(`client ID must be in canonical form ("${url.href}", got "${input}")`);
-	}
-	return v.ok(input);
-});
+export const oauthClientIdDiscoverableSchema = v.pipe(
+	oauthClientIdSchema,
+	httpsUriSchema,
+	v.rawCheck(({ dataset, addIssue }) => {
+		if (!dataset.typed) {
+			return;
+		}
+		const input = dataset.value;
+		const url = new URL(input);
+		if (url.username || url.password) {
+			addIssue({ message: `client ID must not contain credentials` });
+			return;
+		}
+		if (url.hash) {
+			addIssue({ message: `client ID must not contain a fragment` });
+			return;
+		}
+		if (url.pathname === '/') {
+			addIssue({ message: `client ID must contain a path component (e.g. "/client-metadata.json")` });
+			return;
+		}
+		if (url.pathname.endsWith('/')) {
+			addIssue({ message: `client ID path must not end with a trailing slash` });
+			return;
+		}
+		if (isHostnameIP(url.hostname)) {
+			addIssue({ message: `client ID hostname must not be an IP address` });
+			return;
+		}
+		// URL constructor normalizes the URL, so we extract the path manually to avoid
+		// normalization, then compare it to the normalized path to ensure that the URL does not
+		// contain path traversal or other unexpected characters
+		if (extractUrlPath(input) !== url.pathname) {
+			addIssue({ message: `client ID must be in canonical form ("${url.href}", got "${input}")` });
+		}
+	}),
+);

package/lib/schemas/oauth-client-id.ts CHANGED Viewed

@@ -1,6 +1,6 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 /** base OAuth client ID (any non-empty string) */
-export const oauthClientIdSchema = v.string().assert((input) => input.length > 0, `must not be empty`);
+export const oauthClientIdSchema = v.pipe(v.string(), v.nonEmpty(`must not be empty`));
-export type OAuthClientId = v.Infer<typeof oauthClientIdSchema>;
+export type OAuthClientId = v.InferOutput<typeof oauthClientIdSchema>;

package/lib/schemas/oauth-client-metadata.ts CHANGED Viewed

@@ -1,17 +1,17 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
-import { jwksPubSchema } from './jwks.js';
-import { oauthClientIdSchema } from './oauth-client-id.js';
-import { oauthEndpointAuthMethodSchema } from './oauth-endpoint-auth-method.js';
-import { oauthGrantTypeSchema } from './oauth-grant-type.js';
-import { oauthRedirectUriSchema } from './oauth-redirect-uri.js';
-import { oauthResponseTypeSchema } from './oauth-response-type.js';
-import { oauthScopeSchema } from './oauth-scope.js';
-import { webUriSchema } from './uri.js';
+import { jwksPubSchema } from './jwks.ts';
+import { oauthClientIdSchema } from './oauth-client-id.ts';
+import { oauthEndpointAuthMethodSchema } from './oauth-endpoint-auth-method.ts';
+import { oauthGrantTypeSchema } from './oauth-grant-type.ts';
+import { oauthRedirectUriSchema } from './oauth-redirect-uri.ts';
+import { oauthResponseTypeSchema } from './oauth-response-type.ts';
+import { oauthScopeSchema } from './oauth-scope.ts';
+import { webUriSchema } from './uri.ts';
-const oauthApplicationTypeSchema = v.union(v.literal('web'), v.literal('native'));
+const oauthApplicationTypeSchema = v.picklist(['web', 'native']);
-const oauthSubjectTypeSchema = v.union(v.literal('public'), v.literal('pairwise'));
+const oauthSubjectTypeSchema = v.picklist(['public', 'pairwise']);
 // simple email validation
 const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
@@ -22,44 +22,40 @@ const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  * @see {@link https://openid.net/specs/openid-connect-registration-1_0.html}
  * @see {@link https://datatracker.ietf.org/doc/html/rfc7591}
  */
-export const oauthClientMetadataSchema = v.object({
+export const oauthClientMetadataSchema = v.looseObject({
 	// https://www.rfc-editor.org/rfc/rfc7591.html#section-2
-	redirect_uris: v
-		.array(oauthRedirectUriSchema)
-		.assert((arr) => arr.length > 0, `must have at least one redirect URI`),
-	response_types: v.array(oauthResponseTypeSchema).optional(),
+	redirect_uris: v.pipe(
+		v.array(oauthRedirectUriSchema),
+		v.minLength(1, `must have at least one redirect URI`),
+	),
+	response_types: v.optional(v.array(oauthResponseTypeSchema)),
 	// > If omitted, the default is that the client will use only the "code"
 	// > response type.
-	// .optional((): OAuthResponseType[] => ['code'])
-	grant_types: v.array(oauthGrantTypeSchema).optional(),
+	grant_types: v.optional(v.array(oauthGrantTypeSchema)),
 	// > If omitted, the default behavior is that the client will use only the
 	// > "authorization_code" Grant Type.
-	// .optional((): OAuthGrantType[] => ['authorization_code']),
-	scope: oauthScopeSchema.optional(),
+	scope: v.optional(oauthScopeSchema),
 	// https://www.rfc-editor.org/rfc/rfc7591.html#section-2
-	token_endpoint_auth_method: oauthEndpointAuthMethodSchema.optional(),
+	token_endpoint_auth_method: v.optional(oauthEndpointAuthMethodSchema),
 	// > If unspecified or omitted, the default is "client_secret_basic" [...].
-	// .optional((): OAuthEndpointAuthMethod => 'client_secret_basic'),
-	token_endpoint_auth_signing_alg: v.string().optional(),
-	userinfo_signed_response_alg: v.string().optional(),
-	userinfo_encrypted_response_alg: v.string().optional(),
-	jwks_uri: webUriSchema.optional(),
-	jwks: jwksPubSchema.optional(),
-	application_type: oauthApplicationTypeSchema.optional(),
-	// .optional((): OAuthApplicationType => 'web'),
-	subject_type: oauthSubjectTypeSchema.optional(),
-	// .optional((): OAuthSubjectType => 'public'),
-	request_object_signing_alg: v.string().optional(),
-	id_token_signed_response_alg: v.string().optional(),
-	authorization_signed_response_alg: v.string().optional(),
-	authorization_encrypted_response_enc: v.literal('A128CBC-HS256').optional(),
-	authorization_encrypted_response_alg: v.string().optional(),
-	client_id: oauthClientIdSchema.optional(),
-	client_name: v.string().optional(),
-	client_uri: webUriSchema.optional(),
-	policy_uri: webUriSchema.optional(),
-	tos_uri: webUriSchema.optional(),
-	logo_uri: webUriSchema.optional(),
+	token_endpoint_auth_signing_alg: v.optional(v.string()),
+	userinfo_signed_response_alg: v.optional(v.string()),
+	userinfo_encrypted_response_alg: v.optional(v.string()),
+	jwks_uri: v.optional(webUriSchema),
+	jwks: v.optional(jwksPubSchema),
+	application_type: v.optional(oauthApplicationTypeSchema),
+	subject_type: v.optional(oauthSubjectTypeSchema),
+	request_object_signing_alg: v.optional(v.string()),
+	id_token_signed_response_alg: v.optional(v.string()),
+	authorization_signed_response_alg: v.optional(v.string()),
+	authorization_encrypted_response_enc: v.optional(v.literal('A128CBC-HS256')),
+	authorization_encrypted_response_alg: v.optional(v.string()),
+	client_id: v.optional(oauthClientIdSchema),
+	client_name: v.optional(v.string()),
+	client_uri: v.optional(webUriSchema),
+	policy_uri: v.optional(webUriSchema),
+	tos_uri: v.optional(webUriSchema),
+	logo_uri: v.optional(webUriSchema),
 	/**
 	 * default Maximum Authentication Age. specifies that the End-User MUST be
@@ -68,16 +64,16 @@ export const oauthClientMetadataSchema = v.object({
 	 * this default value. if omitted, no default Maximum Authentication Age is
 	 * specified.
 	 */
-	default_max_age: v.number().optional(),
-	require_auth_time: v.boolean().optional(),
-	contacts: v.array(v.string().assert((s) => EMAIL_RE.test(s), `must be a valid email`)).optional(),
-	tls_client_certificate_bound_access_tokens: v.boolean().optional(),
+	default_max_age: v.optional(v.number()),
+	require_auth_time: v.optional(v.boolean()),
+	contacts: v.optional(v.array(v.pipe(v.string(), v.regex(EMAIL_RE, `must be a valid email`)))),
+	tls_client_certificate_bound_access_tokens: v.optional(v.boolean()),
 	// https://datatracker.ietf.org/doc/html/rfc9449#section-5.2
-	dpop_bound_access_tokens: v.boolean().optional(),
+	dpop_bound_access_tokens: v.optional(v.boolean()),
 	// https://datatracker.ietf.org/doc/html/rfc9396#section-14.5
-	authorization_details_types: v.array(v.string()).optional(),
+	authorization_details_types: v.optional(v.array(v.string())),
 });
-export type OAuthClientMetadata = v.Infer<typeof oauthClientMetadataSchema>;
+export type OAuthClientMetadata = v.InferOutput<typeof oauthClientMetadataSchema>;

package/lib/schemas/oauth-code-challenge-method.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
-export const oauthCodeChallengeMethodSchema = v.union(v.literal('S256'), v.literal('plain'));
+export const oauthCodeChallengeMethodSchema = v.picklist(['S256', 'plain']);
-export type OAuthCodeChallengeMethod = v.Infer<typeof oauthCodeChallengeMethodSchema>;
+export type OAuthCodeChallengeMethod = v.InferOutput<typeof oauthCodeChallengeMethodSchema>;

package/lib/schemas/oauth-endpoint-auth-method.ts CHANGED Viewed

@@ -1,13 +1,13 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
-export const oauthEndpointAuthMethodSchema = v.union(
-	v.literal('client_secret_basic'),
-	v.literal('client_secret_jwt'),
-	v.literal('client_secret_post'),
-	v.literal('none'),
-	v.literal('private_key_jwt'),
-	v.literal('self_signed_tls_client_auth'),
-	v.literal('tls_client_auth'),
-);
+export const oauthEndpointAuthMethodSchema = v.picklist([
+	'client_secret_basic',
+	'client_secret_jwt',
+	'client_secret_post',
+	'none',
+	'private_key_jwt',
+	'self_signed_tls_client_auth',
+	'tls_client_auth',
+]);
-export type OAuthEndpointAuthMethod = v.Infer<typeof oauthEndpointAuthMethodSchema>;
+export type OAuthEndpointAuthMethod = v.InferOutput<typeof oauthEndpointAuthMethodSchema>;

package/lib/schemas/oauth-grant-type.ts CHANGED Viewed

@@ -1,13 +1,13 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
-export const oauthGrantTypeSchema = v.union(
-	v.literal('authorization_code'),
-	v.literal('implicit'),
-	v.literal('refresh_token'),
-	v.literal('password'), // not part of OAuth 2.1
-	v.literal('client_credentials'),
-	v.literal('urn:ietf:params:oauth:grant-type:jwt-bearer'),
-	v.literal('urn:ietf:params:oauth:grant-type:saml2-bearer'),
-);
+export const oauthGrantTypeSchema = v.picklist([
+	'authorization_code',
+	'implicit',
+	'refresh_token',
+	'password', // not part of OAuth 2.1
+	'client_credentials',
+	'urn:ietf:params:oauth:grant-type:jwt-bearer',
+	'urn:ietf:params:oauth:grant-type:saml2-bearer',
+]);
-export type OAuthGrantType = v.Infer<typeof oauthGrantTypeSchema>;
+export type OAuthGrantType = v.InferOutput<typeof oauthGrantTypeSchema>;

package/lib/schemas/oauth-issuer-identifier.ts CHANGED Viewed

@@ -1,30 +1,38 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
-import { webUriSchema } from './uri.js';
+import { webUriSchema } from './uri.ts';
-export const oauthIssuerIdentifierSchema = webUriSchema.chain((input) => {
+export const oauthIssuerIdentifierSchema = v.pipe(
+	webUriSchema,
 	// validate the issuer (MIX-UP attacks)
-	if (input.endsWith('/')) {
-		return v.err(`issuer URL must not end with a slash`);
-	}
-	const url = new URL(input);
-	if (url.username || url.password) {
-		return v.err(`issuer URL must not contain a username or password`);
-	}
-	if (url.hash || url.search) {
-		return v.err(`issuer URL must not contain a query or fragment`);
-	}
-	const canonicalValue = url.pathname === '/' ? url.origin : url.href;
-	if (input !== canonicalValue) {
-		return v.err(`issuer URL must be in the canonical form`);
-	}
-	return v.ok(input);
-});
-export type OAuthIssuerIdentifier = v.Infer<typeof oauthIssuerIdentifierSchema>;
+	v.rawCheck(({ dataset, addIssue }) => {
+		if (!dataset.typed) {
+			return;
+		}
+		const input = dataset.value;
+		if (input.endsWith('/')) {
+			addIssue({ message: `issuer URL must not end with a slash` });
+			return;
+		}
+		const url = new URL(input);
+		if (url.username || url.password) {
+			addIssue({ message: `issuer URL must not contain a username or password` });
+			return;
+		}
+		if (url.hash || url.search) {
+			addIssue({ message: `issuer URL must not contain a query or fragment` });
+			return;
+		}
+		const canonicalValue = url.pathname === '/' ? url.origin : url.href;
+		if (input !== canonicalValue) {
+			addIssue({ message: `issuer URL must be in the canonical form` });
+		}
+	}),
+);
+export type OAuthIssuerIdentifier = v.InferOutput<typeof oauthIssuerIdentifierSchema>;

package/lib/schemas/oauth-par-response.ts CHANGED Viewed

@@ -1,10 +1,10 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 const isPositiveInteger = (n: number): boolean => Number.isInteger(n) && n > 0;
-export const oauthParResponseSchema = v.object({
+export const oauthParResponseSchema = v.looseObject({
 	request_uri: v.string(),
-	expires_in: v.number().assert(isPositiveInteger, `must be a positive integer`),
+	expires_in: v.pipe(v.number(), v.check(isPositiveInteger, `must be a positive integer`)),
 });
-export type OAuthParResponse = v.Infer<typeof oauthParResponseSchema>;
+export type OAuthParResponse = v.InferOutput<typeof oauthParResponseSchema>;

package/lib/schemas/oauth-prompt.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 /**
  * OAuth prompt mode values.
@@ -9,12 +9,6 @@ import * as v from '@badrap/valita';
  * - `select_account`: force account selection
  * - `create`: force user registration screen
  */
-export const oauthPromptSchema = v.union(
-	v.literal('none'),
-	v.literal('login'),
-	v.literal('consent'),
-	v.literal('select_account'),
-	v.literal('create'),
-);
+export const oauthPromptSchema = v.picklist(['none', 'login', 'consent', 'select_account', 'create']);
-export type OAuthPrompt = v.Infer<typeof oauthPromptSchema>;
+export type OAuthPrompt = v.InferOutput<typeof oauthPromptSchema>;