@atcute/oauth-types 0.1.0 → 1.0.0

package/lib/schemas/oauth-protected-resource-metadata.ts

@@ -1,16 +1,16 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { oauthIssuerIdentifierSchema } from './oauth-issuer-identifier.js';
-import { webUriSchema } from './uri.js';
+import { oauthIssuerIdentifierSchema } from './oauth-issuer-identifier.ts';
+import { webUriSchema } from './uri.ts';
 
-export const oauthBearerMethodSchema = v.union(v.literal('header'), v.literal('body'), v.literal('query'));
+export const oauthBearerMethodSchema = v.picklist(['header', 'body', 'query']);
 
-export type OAuthBearerMethod = v.Infer<typeof oauthBearerMethodSchema>;
+export type OAuthBearerMethod = v.InferOutput<typeof oauthBearerMethodSchema>;
 
 /**
  * @see {@link https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2}
  */
-export const oauthProtectedResourceMetadataSchema = v.object({
+export const oauthProtectedResourceMetadataSchema = v.looseObject({
 	/**
 	 * REQUIRED. the protected resource's resource identifier, which is a URL that
 	 * uses the https scheme and has no query or fragment components.
@@ -22,68 +22,59 @@ export const oauthProtectedResourceMetadataSchema = v.object({
 	 * identifiers, as defined in RFC8414, for authorization servers that can be
 	 * used with this protected resource.
 	 */
-	authorization_servers: v.array(oauthIssuerIdentifierSchema).optional(),
+	authorization_servers: v.optional(v.array(oauthIssuerIdentifierSchema)),
 
 	/**
 	 * OPTIONAL. URL of the protected resource's JWK Set document.
 	 */
-	jwks_uri: webUriSchema.optional(),
+	jwks_uri: v.optional(webUriSchema),
 
 	/**
 	 * RECOMMENDED. JSON array containing a list of the OAuth 2.0 scope values that
 	 * are used in authorization requests to request access to this protected resource.
 	 */
-	scopes_supported: v.array(v.string()).optional(),
+	scopes_supported: v.optional(v.array(v.string())),
 
 	/**
 	 * OPTIONAL. JSON array containing a list of the supported methods of sending
 	 * an OAuth 2.0 Bearer Token to the protected resource.
 	 */
-	bearer_methods_supported: v.array(oauthBearerMethodSchema).optional(),
+	bearer_methods_supported: v.optional(v.array(oauthBearerMethodSchema)),
 
 	/**
 	 * OPTIONAL. JSON array containing a list of the JWS signing algorithms
 	 * supported by the protected resource for signing resource responses.
 	 */
-	resource_signing_alg_values_supported: v.array(v.string()).optional(),
+	resource_signing_alg_values_supported: v.optional(v.array(v.string())),
 
 	/**
 	 * OPTIONAL. URL of a page containing human-readable information that
 	 * developers might want or need to know when using the protected resource.
 	 */
-	resource_documentation: webUriSchema.optional(),
+	resource_documentation: v.optional(webUriSchema),
 
 	/**
 	 * OPTIONAL. URL that the protected resource provides to read about the
 	 * protected resource's requirements on how the client can use the data.
 	 */
-	resource_policy_uri: webUriSchema.optional(),
+	resource_policy_uri: v.optional(webUriSchema),
 
 	/**
 	 * OPTIONAL. URL that the protected resource provides to read about the
 	 * protected resource's terms of service.
 	 */
-	resource_tos_uri: webUriSchema.optional(),
+	resource_tos_uri: v.optional(webUriSchema),
 });
 
-export const oauthProtectedResourceMetadataValidator = oauthProtectedResourceMetadataSchema.chain((data) => {
-	const url = new URL(data.resource);
-
-	if (url.search) {
-		return v.err({
-			message: `resource URL must not contain query parameters`,
-			path: ['resource'],
-		});
-	}
-
-	if (url.hash) {
-		return v.err({
-			message: `resource URL must not contain a fragment`,
-			path: ['resource'],
-		});
-	}
-
-	return v.ok(data);
-});
-
-export type OAuthProtectedResourceMetadata = v.Infer<typeof oauthProtectedResourceMetadataSchema>;
+export const oauthProtectedResourceMetadataValidator = v.pipe(
+	oauthProtectedResourceMetadataSchema,
+	v.forward(
+		v.check((data) => {
+			const url = new URL(data.resource);
+			return !url.search && !url.hash;
+		}, `resource URL must not contain query parameters or a fragment`),
+		['resource'],
+	),
+);
+
+export type OAuthProtectedResourceMetadata = v.InferOutput<typeof oauthProtectedResourceMetadataSchema>;

package/lib/schemas/oauth-redirect-uri.ts

@@ -1,6 +1,6 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { httpsUriSchema, loopbackUriSchema, privateUseUriSchema } from './uri.js';
+import { httpsUriSchema, loopbackUriSchema, privateUseUriSchema } from './uri.ts';
 
 /**
  * this is a loopback URI with the additional restriction that the hostname
@@ -16,27 +16,19 @@ import { httpsUriSchema, loopbackUriSchema, privateUseUriSchema } from './uri.js
  * > than the loopback interface. It is also less susceptible to client-side
  * > firewalls and misconfigured host name resolution on the user's device.
  */
-export const loopbackRedirectUriSchema = loopbackUriSchema.chain((input) => {
-	if (input.startsWith('http://localhost')) {
-		return v.err(
-			`use of "localhost" hostname is not allowed (RFC 8252), use a loopback IP such as "127.0.0.1" instead`,
-		);
-	}
-	return v.ok(input);
-});
+export const loopbackRedirectUriSchema = v.pipe(
+	loopbackUriSchema,
+	v.check(
+		(input) => !input.startsWith('http://localhost'),
+		`use of "localhost" hostname is not allowed (RFC 8252), use a loopback IP such as "127.0.0.1" instead`,
+	),
+);
 
-export type LoopbackRedirectUri = v.Infer<typeof loopbackRedirectUriSchema>;
+export type LoopbackRedirectUri = v.InferOutput<typeof loopbackRedirectUriSchema>;
 
-export const oauthRedirectUriSchema = v.string().chain((input, options) => {
-	if (input.startsWith('http://')) {
-		return loopbackRedirectUriSchema.try(input, options);
-	}
+export const oauthRedirectUriSchema = v.union(
+	[loopbackRedirectUriSchema, httpsUriSchema, privateUseUriSchema],
+	`url must use http: loopback, https:, or a private-use scheme`,
+);
 
-	if (input.startsWith('https://')) {
-		return httpsUriSchema.try(input, options);
-	}
-
-	return privateUseUriSchema.try(input, options);
-});
-
-export type OAuthRedirectUri = v.Infer<typeof oauthRedirectUriSchema>;
+export type OAuthRedirectUri = v.InferOutput<typeof oauthRedirectUriSchema>;

package/lib/schemas/oauth-response-mode.ts

@@ -1,9 +1,5 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-export const oauthResponseModeSchema = v.union(
-	v.literal('query'),
-	v.literal('fragment'),
-	v.literal('form_post'),
-);
+export const oauthResponseModeSchema = v.picklist(['query', 'fragment', 'form_post']);
 
-export type OAuthResponseMode = v.Infer<typeof oauthResponseModeSchema>;
+export type OAuthResponseMode = v.InferOutput<typeof oauthResponseModeSchema>;

package/lib/schemas/oauth-response-type.ts

@@ -1,17 +1,17 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-export const oauthResponseTypeSchema = v.union(
+export const oauthResponseTypeSchema = v.picklist([
 	// OAuth2 (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-4.1.1)
-	v.literal('code'), // Authorization Code Grant
-	v.literal('token'), // Implicit Grant
+	'code', // Authorization Code Grant
+	'token', // Implicit Grant
 
 	// OIDC (https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)
-	v.literal('none'),
-	v.literal('code id_token token'),
-	v.literal('code id_token'),
-	v.literal('code token'),
-	v.literal('id_token token'),
-	v.literal('id_token'),
-);
+	'none',
+	'code id_token token',
+	'code id_token',
+	'code token',
+	'id_token token',
+	'id_token',
+]);
 
-export type OAuthResponseType = v.Infer<typeof oauthResponseTypeSchema>;
+export type OAuthResponseType = v.InferOutput<typeof oauthResponseTypeSchema>;

package/lib/schemas/oauth-scope.ts

@@ -1,4 +1,4 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
 // scope       = scope-token *( SP scope-token )
 // scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
@@ -13,6 +13,6 @@ export const isOAuthScope = (input: string): boolean => OAUTH_SCOPE_REGEXP.test(
  *
  * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-1.4.1}
  */
-export const oauthScopeSchema = v.string().assert(isOAuthScope, `invalid OAuth scope`);
+export const oauthScopeSchema = v.pipe(v.string(), v.check(isOAuthScope, `invalid OAuth scope`));
 
-export type OAuthScope = v.Infer<typeof oauthScopeSchema>;
+export type OAuthScope = v.InferOutput<typeof oauthScopeSchema>;

package/lib/schemas/oauth-token-response.ts

@@ -1,22 +1,22 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.js';
-import { oauthTokenTypeSchema } from './oauth-token-type.js';
+import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.ts';
+import { oauthTokenTypeSchema } from './oauth-token-type.ts';
 
 /**
  * @see {@link https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1 | RFC 6749 (OAuth2), Section 5.1}
  */
-export const oauthTokenResponseSchema = v.object({
+export const oauthTokenResponseSchema = v.looseObject({
 	// https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1
 	access_token: v.string(),
 	token_type: oauthTokenTypeSchema,
-	scope: v.string().optional(),
-	refresh_token: v.string().optional(),
-	expires_in: v.number().optional(),
+	scope: v.optional(v.string()),
+	refresh_token: v.optional(v.string()),
+	expires_in: v.optional(v.number()),
 	// https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
-	id_token: v.string().optional(),
+	id_token: v.optional(v.string()),
 	// https://datatracker.ietf.org/doc/html/rfc9396#name-enriched-authorization-deta
-	authorization_details: oauthAuthorizationDetailsSchema.optional(),
+	authorization_details: v.optional(oauthAuthorizationDetailsSchema),
 });
 
-export type OAuthTokenResponse = v.Infer<typeof oauthTokenResponseSchema>;
+export type OAuthTokenResponse = v.InferOutput<typeof oauthTokenResponseSchema>;

package/lib/schemas/oauth-token-type.ts

@@ -1,15 +1,19 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
 /** token type (case-insensitive input, normalized output) */
-export const oauthTokenTypeSchema = v.string().chain((input) => {
-	const lower = input.toLowerCase();
-	if (lower === 'dpop') {
-		return v.ok('DPoP');
-	}
-	if (lower === 'bearer') {
-		return v.ok('Bearer');
-	}
-	return v.err(`must be "DPoP" or "Bearer"`);
-});
+export const oauthTokenTypeSchema = v.pipe(
+	v.string(),
+	v.rawTransform<string, 'DPoP' | 'Bearer'>(({ dataset, addIssue, NEVER }) => {
+		const lower = dataset.value.toLowerCase();
+		if (lower === 'dpop') {
+			return 'DPoP';
+		}
+		if (lower === 'bearer') {
+			return 'Bearer';
+		}
+		addIssue({ message: `must be "DPoP" or "Bearer"` });
+		return NEVER;
+	}),
+);
 
-export type OAuthTokenType = v.Infer<typeof oauthTokenTypeSchema>;
+export type OAuthTokenType = v.InferOutput<typeof oauthTokenTypeSchema>;

package/lib/schemas/uri.ts

@@ -1,100 +1,113 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { isHostnameIP, isLocalHostname, isLoopbackHost } from './utils.js';
+import { isHostnameIP, isLocalHostname, isLoopbackHost } from './utils.ts';
 
 /**
  * valid, but potentially dangerous URL (`data:`, `file:`, `javascript:`, etc.).
  *
  * any value that matches this schema is safe to parse using `new URL()`.
  */
-export const urlSchema = v.string().chain((input) => {
-	if (input.includes(':') && URL.canParse(input)) {
-		return v.ok(input);
-	}
-	return v.err(`must be a valid url`);
-});
+export const urlSchema = v.pipe(
+	v.string(),
+	v.check((input) => input.includes(':') && URL.canParse(input), `must be a valid url`),
+);
 
 /** loopback URL (http://localhost, http://127.0.0.1, http://[::1]) */
-export const loopbackUriSchema = urlSchema.chain((input) => {
-	if (!input.startsWith('http://')) {
-		return v.err(`loopback url must use http: protocol`);
-	}
-
-	const url = new URL(input);
-	if (!isLoopbackHost(url.hostname)) {
-		return v.err(`loopback url must use localhost, 127.0.0.1, or [::1] as hostname`);
-	}
-
-	return v.ok(input);
-});
+export const loopbackUriSchema = v.pipe(
+	urlSchema,
+	v.rawCheck(({ dataset, addIssue }) => {
+		if (!dataset.typed) {
+			return;
+		}
+		const input = dataset.value;
+		if (!input.startsWith('http://')) {
+			addIssue({ message: `loopback url must use http: protocol` });
+			return;
+		}
+		if (!isLoopbackHost(new URL(input).hostname)) {
+			addIssue({ message: `loopback url must use localhost, 127.0.0.1, or [::1] as hostname` });
+		}
+	}),
+);
 
 /** HTTPS URL with additional restrictions */
-export const httpsUriSchema = urlSchema.chain((input) => {
-	if (!input.startsWith('https://')) {
-		return v.err(`url must use https: protocol`);
-	}
-
-	const url = new URL(input);
-
-	if (isLoopbackHost(url.hostname)) {
-		return v.err(`https url must not use a loopback host`);
-	}
-
-	if (!isHostnameIP(url.hostname)) {
-		if (!url.hostname.includes('.')) {
-			return v.err(`domain name must contain at least two segments`);
+export const httpsUriSchema = v.pipe(
+	urlSchema,
+	v.rawCheck(({ dataset, addIssue }) => {
+		if (!dataset.typed) {
+			return;
 		}
-		if (url.hostname.endsWith('.local')) {
-			return v.err(`domain name must not end with .local`);
+		const input = dataset.value;
+		if (!input.startsWith('https://')) {
+			addIssue({ message: `url must use https: protocol` });
+			return;
 		}
-	}
 
-	return v.ok(input);
-});
+		const url = new URL(input);
 
-/** web URL (either loopback http or https) */
-export const webUriSchema = urlSchema.chain((input, options) => {
-	if (input.startsWith('http://')) {
-		return loopbackUriSchema.try(input, options);
-	}
+		if (isLoopbackHost(url.hostname)) {
+			addIssue({ message: `https url must not use a loopback host` });
+			return;
+		}
 
-	if (input.startsWith('https://')) {
-		return httpsUriSchema.try(input, options);
-	}
+		if (!isHostnameIP(url.hostname)) {
+			if (!url.hostname.includes('.')) {
+				addIssue({ message: `domain name must contain at least two segments` });
+				return;
+			}
+			if (url.hostname.endsWith('.local')) {
+				addIssue({ message: `domain name must not end with .local` });
+			}
+		}
+	}),
+);
 
-	return v.err(`url must use http: or https: protocol`);
-});
+/** web URL (either loopback http or https) */
+export const webUriSchema = v.union(
+	[loopbackUriSchema, httpsUriSchema],
+	`url must use http: or https: protocol`,
+);
 
 /** web URL with a non-local hostname */
-export const nonLocalWebUriSchema = webUriSchema.chain((input) => {
-	const url = new URL(input);
-	if (isLocalHostname(url.hostname)) {
-		return v.err(`hostname is invalid`);
-	}
-	return v.ok(input);
-});
+export const nonLocalWebUriSchema = v.pipe(
+	webUriSchema,
+	v.check((input) => !isLocalHostname(new URL(input).hostname), `hostname is invalid`),
+);
 
 /** private-use URI scheme (e.g., com.example.app:/callback) */
-export const privateUseUriSchema = urlSchema.chain((input) => {
-	const dotIdx = input.indexOf('.');
-	const colonIdx = input.indexOf(':');
-
-	if (dotIdx === -1 || colonIdx === -1 || dotIdx > colonIdx) {
-		return v.err(`private-use uri scheme must contain a dot in the protocol`);
-	}
-
-	const url = new URL(input);
-	const scheme = url.protocol.slice(0, -1);
-	const domain = scheme.split('.').reverse().join('.');
+export const privateUseUriSchema = v.pipe(
+	urlSchema,
+	v.rawCheck(({ dataset, addIssue }) => {
+		if (!dataset.typed) {
+			return;
+		}
+		const input = dataset.value;
 
-	if (isLocalHostname(domain)) {
-		return v.err(`private-use uri scheme must not be a local hostname`);
-	}
+		const dotIdx = input.indexOf('.');
+		const colonIdx = input.indexOf(':');
+		if (dotIdx === -1 || colonIdx === -1 || dotIdx > colonIdx) {
+			addIssue({ message: `private-use uri scheme must contain a dot in the protocol` });
+			return;
+		}
 
-	// RFC 8252: private-use URIs must use single slash after scheme
-	if (url.href.startsWith(`${url.protocol}//`) || url.username || url.password || url.hostname || url.port) {
-		return v.err(`private-use uri must be in the form scheme:/<path>`);
-	}
+		const url = new URL(input);
+		const scheme = url.protocol.slice(0, -1);
+		// oxlint-disable-next-line unicorn/no-array-reverse -- split already clones
+		const domain = scheme.split('.').reverse().join('.');
+		if (isLocalHostname(domain)) {
+			addIssue({ message: `private-use uri scheme must not be a local hostname` });
+			return;
+		}
 
-	return v.ok(input);
-});
+		// RFC 8252: private-use URIs must use single slash after scheme
+		if (
+			url.href.startsWith(`${url.protocol}//`) ||
+			url.username ||
+			url.password ||
+			url.hostname ||
+			url.port
+		) {
+			addIssue({ message: `private-use uri must be in the form scheme:/<path>` });
+		}
+	}),
+);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atcute/oauth-types",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "OAuth types and schemas for AT Protocol",
   "license": "0BSD",
   "repository": {
@@ -11,7 +11,8 @@
     "dist/",
     "lib/",
     "!lib/**/*.bench.ts",
-    "!lib/**/*.test.ts"
+    "!lib/**/*.test.ts",
+    "!dist/**/*.{test,bench}.*"
   ],
   "type": "module",
   "sideEffects": false,
@@ -22,16 +23,16 @@
     "access": "public"
   },
   "dependencies": {
-    "@badrap/valita": "^0.4.6",
-    "@atcute/identity": "^1.1.3",
-    "@atcute/oauth-keyset": "^0.1.0",
-    "@atcute/lexicons": "^1.2.7"
+    "valibot": "^1.4.0",
+    "@atcute/lexicons": "^2.0.0",
+    "@atcute/identity": "^2.0.0",
+    "@atcute/oauth-keyset": "^0.1.1"
   },
   "devDependencies": {
-    "vitest": "^4.0.16"
+    "vitest": "^4.1.5"
   },
   "scripts": {
-    "build": "tsgo --project tsconfig.build.json",
+    "build": "tsgo",
     "test": "vitest",
     "prepublish": "rm -rf dist; pnpm run build"
   }