@atcute/oauth-types 0.1.0

package/dist/schemas/atproto-oauth-scope.d.ts

@@ -0,0 +1,8 @@
+import * as v from '@badrap/valita';
+export declare const ATPROTO_SCOPE_VALUE = "atproto";
+/** atproto OAuth scope (must include "atproto") */
+export declare const atprotoOAuthScopeSchema: v.Type<string>;
+export type AtprotoOAuthScope = v.Infer<typeof atprotoOAuthScopeSchema>;
+/** default scope is for reading identity (did) only */
+export declare const DEFAULT_ATPROTO_OAUTH_SCOPE: AtprotoOAuthScope;
+//# sourceMappingURL=atproto-oauth-scope.d.ts.map

package/dist/schemas/atproto-oauth-scope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"atproto-oauth-scope.d.ts","sourceRoot":"","sources":["../../lib/schemas/atproto-oauth-scope.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAKpC,eAAO,MAAM,mBAAmB,YAAY,CAAC;AAM7C,mDAAmD;AACnD,eAAO,MAAM,uBAAuB,gBAAwE,CAAC;AAE7G,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAExE,uDAAuD;AACvD,eAAO,MAAM,2BAA2B,EAAE,iBAAuC,CAAC"}

package/dist/schemas/atproto-oauth-scope.js

@@ -0,0 +1,12 @@
+import * as v from '@badrap/valita';
+import { isOAuthScope } from './oauth-scope.js';
+import { isSpaceSeparatedValue } from './utils.js';
+export const ATPROTO_SCOPE_VALUE = 'atproto';
+const isAtprotoOAuthScope = (input) => {
+    return isOAuthScope(input) && isSpaceSeparatedValue(ATPROTO_SCOPE_VALUE, input);
+};
+/** atproto OAuth scope (must include "atproto") */
+export const atprotoOAuthScopeSchema = v.string().assert(isAtprotoOAuthScope, `invalid atproto OAuth scope`);
+/** default scope is for reading identity (did) only */
+export const DEFAULT_ATPROTO_OAUTH_SCOPE = ATPROTO_SCOPE_VALUE;
+//# sourceMappingURL=atproto-oauth-scope.js.map

package/dist/schemas/atproto-oauth-scope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"atproto-oauth-scope.js","sourceRoot":"","sources":["../../lib/schemas/atproto-oauth-scope.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAEnD,MAAM,CAAC,MAAM,mBAAmB,GAAG,SAAS,CAAC;AAE7C,MAAM,mBAAmB,GAAG,CAAC,KAAa,EAAW,EAAE,CAAC;IACvD,OAAO,YAAY,CAAC,KAAK,CAAC,IAAI,qBAAqB,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;AAAA,CAChF,CAAC;AAEF,mDAAmD;AACnD,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,mBAAmB,EAAE,6BAA6B,CAAC,CAAC;AAI7G,uDAAuD;AACvD,MAAM,CAAC,MAAM,2BAA2B,GAAsB,mBAAmB,CAAC"}

package/dist/schemas/atproto-oauth-token-response.d.ts

@@ -0,0 +1,19 @@
+import * as v from '@badrap/valita';
+export declare const atprotoOAuthTokenResponseSchema: v.ObjectType<{
+    access_token: v.Type<string>;
+    token_type: v.Type<"DPoP">;
+    sub: v.Type<`did:plc:${string}` | `did:web:${string}`>;
+    scope: v.Type<string>;
+    refresh_token: v.Optional<string>;
+    expires_in: v.Optional<number>;
+    authorization_details: v.Optional<{
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }[]>;
+}, undefined>;
+export type AtprotoOAuthTokenResponse = v.Infer<typeof atprotoOAuthTokenResponseSchema>;
+//# sourceMappingURL=atproto-oauth-token-response.d.ts.map

package/dist/schemas/atproto-oauth-token-response.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"atproto-oauth-token-response.d.ts","sourceRoot":"","sources":["../../lib/schemas/atproto-oauth-token-response.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAKpC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;aAU1C,CAAC;AAEH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC"}

package/dist/schemas/atproto-oauth-token-response.js

@@ -0,0 +1,16 @@
+import { isAtprotoDid } from '@atcute/identity';
+import * as v from '@badrap/valita';
+import { atprotoOAuthScopeSchema } from './atproto-oauth-scope.js';
+import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.js';
+export const atprotoOAuthTokenResponseSchema = v.object({
+    access_token: v.string(),
+    token_type: v.literal('DPoP'),
+    sub: v.string().assert(isAtprotoDid, `must be a did:plc or did:web`),
+    scope: atprotoOAuthScopeSchema,
+    refresh_token: v.string().optional(),
+    expires_in: v.number().optional(),
+    // https://datatracker.ietf.org/doc/html/rfc9396#name-enriched-authorization-deta
+    authorization_details: oauthAuthorizationDetailsSchema.optional(),
+    // OpenID is not compatible with atproto identities
+});
+//# sourceMappingURL=atproto-oauth-token-response.js.map

package/dist/schemas/atproto-oauth-token-response.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"atproto-oauth-token-response.js","sourceRoot":"","sources":["../../lib/schemas/atproto-oauth-token-response.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEhD,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,+BAA+B,EAAE,MAAM,kCAAkC,CAAC;AAEnF,MAAM,CAAC,MAAM,+BAA+B,GAAG,CAAC,CAAC,MAAM,CAAC;IACvD,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;IACxB,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC7B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,YAAY,EAAE,8BAA8B,CAAC;IACpE,KAAK,EAAE,uBAAuB;IAC9B,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,iFAAiF;IACjF,qBAAqB,EAAE,+BAA+B,CAAC,QAAQ,EAAE;IACjE,mDAAmD;CACnD,CAAC,CAAC"}

package/dist/schemas/atproto-protected-resource-metadata.d.ts

@@ -0,0 +1,21 @@
+import * as v from '@badrap/valita';
+/**
+ * AT Protocol protected resource metadata with required fields.
+ *
+ * @see {@link https://atproto.com/specs/oauth}
+ */
+export declare const atprotoProtectedResourceMetadataValidator: v.Type<{
+    resource: string;
+    authorization_servers?: string[] | undefined;
+    jwks_uri?: string | undefined;
+    scopes_supported?: string[] | undefined;
+    bearer_methods_supported?: ("body" | "header" | "query")[] | undefined;
+    resource_signing_alg_values_supported?: string[] | undefined;
+    resource_documentation?: string | undefined;
+    resource_policy_uri?: string | undefined;
+    resource_tos_uri?: string | undefined;
+} & {
+    authorization_servers: [string];
+}>;
+export type AtprotoProtectedResourceMetadata = v.Infer<typeof atprotoProtectedResourceMetadataValidator>;
+//# sourceMappingURL=atproto-protected-resource-metadata.d.ts.map

package/dist/schemas/atproto-protected-resource-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"atproto-protected-resource-metadata.d.ts","sourceRoot":"","sources":["../../lib/schemas/atproto-protected-resource-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAIpC;;;;GAIG;AACH,eAAO,MAAM,yCAAyC;;;;;;;;;;;;EAYrD,CAAC;AAEF,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yCAAyC,CAAC,CAAC"}

package/dist/schemas/atproto-protected-resource-metadata.js

@@ -0,0 +1,18 @@
+import * as v from '@badrap/valita';
+import { oauthProtectedResourceMetadataValidator } from './oauth-protected-resource-metadata.js';
+/**
+ * AT Protocol protected resource metadata with required fields.
+ *
+ * @see {@link https://atproto.com/specs/oauth}
+ */
+export const atprotoProtectedResourceMetadataValidator = oauthProtectedResourceMetadataValidator.chain((data) => {
+    // atproto requires exactly one authorization server
+    if (data.authorization_servers?.length !== 1) {
+        return v.err({
+            message: `atproto requires exactly one authorization server`,
+            path: ['authorization_servers'],
+        });
+    }
+    return v.ok(data);
+});
+//# sourceMappingURL=atproto-protected-resource-metadata.js.map

package/dist/schemas/atproto-protected-resource-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"atproto-protected-resource-metadata.js","sourceRoot":"","sources":["../../lib/schemas/atproto-protected-resource-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,OAAO,EAAE,uCAAuC,EAAE,MAAM,wCAAwC,CAAC;AAEjG;;;;GAIG;AACH,MAAM,CAAC,MAAM,yCAAyC,GAAG,uCAAuC,CAAC,KAAK,CACrG,CAAC,IAAI,EAAE,EAAE,CAAC;IACT,oDAAoD;IACpD,IAAI,IAAI,CAAC,qBAAqB,EAAE,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9C,OAAO,CAAC,CAAC,GAAG,CAAC;YACZ,OAAO,EAAE,mDAAmD;YAC5D,IAAI,EAAE,CAAC,uBAAuB,CAAC;SAC/B,CAAC,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,CAAC,EAAE,CAAC,IAAyD,CAAC,CAAC;AAAA,CACvE,CACD,CAAC"}

package/dist/schemas/jwk.d.ts

@@ -0,0 +1,241 @@
+import * as v from '@badrap/valita';
+export declare const keyUsageSchema: v.UnionType<[v.Type<"verify">, v.Type<"encrypt">, v.Type<"wrapKey">, v.Type<"sign">, v.Type<"decrypt">, v.Type<"unwrapKey">, v.Type<"deriveKey">, v.Type<"deriveBits">]>;
+export declare const publicKeyUsageSchema: v.UnionType<[v.Type<"verify">, v.Type<"encrypt">, v.Type<"wrapKey">]>;
+/** JWK schema for known key types */
+export declare const jwkSchema: v.Type<{
+    kid?: string | undefined;
+    use?: "enc" | "sig" | undefined;
+    key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+    x5c?: string[] | undefined;
+    x5t?: string | undefined;
+    'x5t#S256'?: string | undefined;
+    x5u?: string | undefined;
+    ext?: boolean | undefined;
+    iat?: number | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    revoked?: {
+        revoked_at: number;
+        reason?: string | undefined;
+    } | undefined;
+    kty: "RSA";
+    alg?: "PS256" | "PS384" | "PS512" | "RS256" | "RS384" | "RS512" | undefined;
+    n: string;
+    e: string;
+    d?: string | undefined;
+    p?: string | undefined;
+    q?: string | undefined;
+    dp?: string | undefined;
+    dq?: string | undefined;
+    qi?: string | undefined;
+    oth?: {
+        r?: string | undefined;
+        d?: string | undefined;
+        t?: string | undefined;
+    }[] | undefined;
+} | {
+    kid?: string | undefined;
+    use?: "enc" | "sig" | undefined;
+    key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+    x5c?: string[] | undefined;
+    x5t?: string | undefined;
+    'x5t#S256'?: string | undefined;
+    x5u?: string | undefined;
+    ext?: boolean | undefined;
+    iat?: number | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    revoked?: {
+        revoked_at: number;
+        reason?: string | undefined;
+    } | undefined;
+    kty: "EC";
+    alg?: "ES256" | "ES384" | "ES512" | undefined;
+    crv: "P-256" | "P-384" | "P-521";
+    x: string;
+    y: string;
+    d?: string | undefined;
+} | {
+    kid?: string | undefined;
+    use?: "enc" | "sig" | undefined;
+    key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+    x5c?: string[] | undefined;
+    x5t?: string | undefined;
+    'x5t#S256'?: string | undefined;
+    x5u?: string | undefined;
+    ext?: boolean | undefined;
+    iat?: number | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    revoked?: {
+        revoked_at: number;
+        reason?: string | undefined;
+    } | undefined;
+    kty: "EC";
+    alg?: "ES256K" | undefined;
+    crv: "secp256k1";
+    x: string;
+    y: string;
+    d?: string | undefined;
+} | {
+    kid?: string | undefined;
+    use?: "enc" | "sig" | undefined;
+    key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+    x5c?: string[] | undefined;
+    x5t?: string | undefined;
+    'x5t#S256'?: string | undefined;
+    x5u?: string | undefined;
+    ext?: boolean | undefined;
+    iat?: number | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    revoked?: {
+        revoked_at: number;
+        reason?: string | undefined;
+    } | undefined;
+    kty: "OKP";
+    alg?: "EdDSA" | undefined;
+    crv: "Ed25519" | "Ed448";
+    x: string;
+    d?: string | undefined;
+} | {
+    kid?: string | undefined;
+    use?: "enc" | "sig" | undefined;
+    key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+    x5c?: string[] | undefined;
+    x5t?: string | undefined;
+    'x5t#S256'?: string | undefined;
+    x5u?: string | undefined;
+    ext?: boolean | undefined;
+    iat?: number | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    revoked?: {
+        revoked_at: number;
+        reason?: string | undefined;
+    } | undefined;
+    kty: "oct";
+    alg?: "HS256" | "HS384" | "HS512" | undefined;
+    k: string;
+}>;
+/** public JWK schema (kid required, no private keys) */
+export declare const jwkPubSchema: v.Type<{
+    kid?: string | undefined;
+    use?: "enc" | "sig" | undefined;
+    key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+    x5c?: string[] | undefined;
+    x5t?: string | undefined;
+    'x5t#S256'?: string | undefined;
+    x5u?: string | undefined;
+    ext?: boolean | undefined;
+    iat?: number | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    revoked?: {
+        revoked_at: number;
+        reason?: string | undefined;
+    } | undefined;
+    kty: "RSA";
+    alg?: "PS256" | "PS384" | "PS512" | "RS256" | "RS384" | "RS512" | undefined;
+    n: string;
+    e: string;
+    d?: string | undefined;
+    p?: string | undefined;
+    q?: string | undefined;
+    dp?: string | undefined;
+    dq?: string | undefined;
+    qi?: string | undefined;
+    oth?: {
+        r?: string | undefined;
+        d?: string | undefined;
+        t?: string | undefined;
+    }[] | undefined;
+} | {
+    kid?: string | undefined;
+    use?: "enc" | "sig" | undefined;
+    key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+    x5c?: string[] | undefined;
+    x5t?: string | undefined;
+    'x5t#S256'?: string | undefined;
+    x5u?: string | undefined;
+    ext?: boolean | undefined;
+    iat?: number | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    revoked?: {
+        revoked_at: number;
+        reason?: string | undefined;
+    } | undefined;
+    kty: "EC";
+    alg?: "ES256" | "ES384" | "ES512" | undefined;
+    crv: "P-256" | "P-384" | "P-521";
+    x: string;
+    y: string;
+    d?: string | undefined;
+} | {
+    kid?: string | undefined;
+    use?: "enc" | "sig" | undefined;
+    key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+    x5c?: string[] | undefined;
+    x5t?: string | undefined;
+    'x5t#S256'?: string | undefined;
+    x5u?: string | undefined;
+    ext?: boolean | undefined;
+    iat?: number | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    revoked?: {
+        revoked_at: number;
+        reason?: string | undefined;
+    } | undefined;
+    kty: "EC";
+    alg?: "ES256K" | undefined;
+    crv: "secp256k1";
+    x: string;
+    y: string;
+    d?: string | undefined;
+} | {
+    kid?: string | undefined;
+    use?: "enc" | "sig" | undefined;
+    key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+    x5c?: string[] | undefined;
+    x5t?: string | undefined;
+    'x5t#S256'?: string | undefined;
+    x5u?: string | undefined;
+    ext?: boolean | undefined;
+    iat?: number | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    revoked?: {
+        revoked_at: number;
+        reason?: string | undefined;
+    } | undefined;
+    kty: "OKP";
+    alg?: "EdDSA" | undefined;
+    crv: "Ed25519" | "Ed448";
+    x: string;
+    d?: string | undefined;
+} | {
+    kid?: string | undefined;
+    use?: "enc" | "sig" | undefined;
+    key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+    x5c?: string[] | undefined;
+    x5t?: string | undefined;
+    'x5t#S256'?: string | undefined;
+    x5u?: string | undefined;
+    ext?: boolean | undefined;
+    iat?: number | undefined;
+    exp?: number | undefined;
+    nbf?: number | undefined;
+    revoked?: {
+        revoked_at: number;
+        reason?: string | undefined;
+    } | undefined;
+    kty: "oct";
+    alg?: "HS256" | "HS384" | "HS512" | undefined;
+    k: string;
+}>;
+export type KeyUsage = v.Infer<typeof keyUsageSchema>;
+export type Jwk = v.Infer<typeof jwkSchema>;
+export type JwkPub = v.Infer<typeof jwkPubSchema>;
+//# sourceMappingURL=jwk.d.ts.map

package/dist/schemas/jwk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwk.d.ts","sourceRoot":"","sources":["../../lib/schemas/jwk.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAsBpC,eAAO,MAAM,cAAc,0KAS1B,CAAC;AAEF,eAAO,MAAM,oBAAoB,uEAA2E,CAAC;AAqG7G,qCAAqC;AACrC,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA6BnB,CAAC;AAEJ,wDAAwD;AACxD,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiBvB,CAAC;AAEH,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AACtD,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAC;AAC5C,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC"}

package/dist/schemas/jwk.js

@@ -0,0 +1,138 @@
+import * as v from '@badrap/valita';
+import { isLastOccurrence } from './utils.js';
+// key usage constants
+const PUBLIC_KEY_USAGE = ['verify', 'encrypt', 'wrapKey'];
+const PRIVATE_KEY_USAGE = ['sign', 'decrypt', 'unwrapKey', 'deriveKey', 'deriveBits'];
+const KEY_USAGE = [...PRIVATE_KEY_USAGE, ...PUBLIC_KEY_USAGE];
+const isPublicKeyUsage = (usage) => {
+    return PUBLIC_KEY_USAGE.includes(usage);
+};
+const isPrivateKeyUsage = (usage) => {
+    return PRIVATE_KEY_USAGE.includes(usage);
+};
+const isSigKeyUsage = (v) => v === 'verify';
+const isEncKeyUsage = (v) => v === 'encrypt' || v === 'wrapKey';
+export const keyUsageSchema = v.union(v.literal('verify'), v.literal('encrypt'), v.literal('wrapKey'), v.literal('sign'), v.literal('decrypt'), v.literal('unwrapKey'), v.literal('deriveKey'), v.literal('deriveBits'));
+export const publicKeyUsageSchema = v.union(v.literal('verify'), v.literal('encrypt'), v.literal('wrapKey'));
+const jwkBaseSchema = v.object({
+    kty: v.string(),
+    alg: v.string().optional(),
+    kid: v.string().optional(),
+    use: v.union(v.literal('sig'), v.literal('enc')).optional(),
+    key_ops: v.array(keyUsageSchema).optional(),
+    // X.509
+    x5c: v.array(v.string()).optional(),
+    x5t: v.string().optional(),
+    'x5t#S256': v.string().optional(),
+    x5u: v.string().optional(),
+    // WebCrypto
+    ext: v.boolean().optional(),
+    // Federation Historical Keys Response
+    iat: v.number().optional(),
+    exp: v.number().optional(),
+    nbf: v.number().optional(),
+    revoked: v
+        .object({
+        revoked_at: v.number(),
+        reason: v.string().optional(),
+    })
+        .optional(),
+});
+const jwkRsaKeySchema = jwkBaseSchema.extend({
+    kty: v.literal('RSA'),
+    alg: v
+        .union(v.literal('RS256'), v.literal('RS384'), v.literal('RS512'), v.literal('PS256'), v.literal('PS384'), v.literal('PS512'))
+        .optional(),
+    n: v.string(),
+    e: v.string(),
+    d: v.string().optional(),
+    p: v.string().optional(),
+    q: v.string().optional(),
+    dp: v.string().optional(),
+    dq: v.string().optional(),
+    qi: v.string().optional(),
+    oth: v
+        .array(v.object({
+        r: v.string().optional(),
+        d: v.string().optional(),
+        t: v.string().optional(),
+    }))
+        .optional(),
+});
+const jwkEcKeySchema = jwkBaseSchema.extend({
+    kty: v.literal('EC'),
+    alg: v.union(v.literal('ES256'), v.literal('ES384'), v.literal('ES512')).optional(),
+    crv: v.union(v.literal('P-256'), v.literal('P-384'), v.literal('P-521')),
+    x: v.string(),
+    y: v.string(),
+    d: v.string().optional(),
+});
+const jwkEcSecp256k1KeySchema = jwkBaseSchema.extend({
+    kty: v.literal('EC'),
+    alg: v.literal('ES256K').optional(),
+    crv: v.literal('secp256k1'),
+    x: v.string(),
+    y: v.string(),
+    d: v.string().optional(),
+});
+const jwkOkpKeySchema = jwkBaseSchema.extend({
+    kty: v.literal('OKP'),
+    alg: v.literal('EdDSA').optional(),
+    crv: v.union(v.literal('Ed25519'), v.literal('Ed448')),
+    x: v.string(),
+    d: v.string().optional(),
+});
+const jwkSymKeySchema = jwkBaseSchema.extend({
+    kty: v.literal('oct'),
+    alg: v.union(v.literal('HS256'), v.literal('HS384'), v.literal('HS512')).optional(),
+    k: v.string(),
+});
+const hasPrivateSecret = (jwk) => {
+    return ('d' in jwk && jwk.d != null) || ('k' in jwk && jwk.k != null);
+};
+const isPublicJwk = (jwk) => {
+    return !hasPrivateSecret(jwk);
+};
+/** JWK schema for known key types */
+export const jwkSchema = v
+    .union(jwkRsaKeySchema, jwkEcKeySchema, jwkEcSecp256k1KeySchema, jwkOkpKeySchema, jwkSymKeySchema)
+    .chain((k) => {
+    // "use" can only be used with public keys
+    if (k.use != null && !isPublicJwk(k)) {
+        return v.err({ message: `"use" can only be used with public keys`, path: ['use'] });
+    }
+    // private key usage not allowed for public keys
+    if (k.key_ops?.some(isPrivateKeyUsage) && isPublicJwk(k)) {
+        return v.err({ message: `private key usage not allowed for public keys`, path: ['key_ops'] });
+    }
+    // key_ops must not contain duplicates
+    if (k.key_ops && !k.key_ops.every(isLastOccurrence)) {
+        return v.err({ message: `key_ops must not contain duplicates`, path: ['key_ops'] });
+    }
+    // "use" and "key_ops" must be consistent
+    if (k.use != null && k.key_ops != null) {
+        const consistent = (k.use === 'sig' && k.key_ops.every(isSigKeyUsage)) ||
+            (k.use === 'enc' && k.key_ops.every(isEncKeyUsage));
+        if (!consistent) {
+            return v.err({ message: `"key_ops" must be consistent with "use"`, path: ['key_ops'] });
+        }
+    }
+    return v.ok(k);
+});
+/** public JWK schema (kid required, no private keys) */
+export const jwkPubSchema = jwkSchema.chain((k) => {
+    if (k.kid == null) {
+        return v.err({ message: `"kid" is required`, path: ['kid'] });
+    }
+    if (!isPublicJwk(k)) {
+        return v.err({ message: `private key not allowed` });
+    }
+    if (k.key_ops && !k.key_ops.every(isPublicKeyUsage)) {
+        return v.err({
+            message: `"key_ops" must not contain private key usage for public keys`,
+            path: ['key_ops'],
+        });
+    }
+    return v.ok(k);
+});
+//# sourceMappingURL=jwk.js.map

package/dist/schemas/jwk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwk.js","sourceRoot":"","sources":["../../lib/schemas/jwk.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C,sBAAsB;AACtB,MAAM,gBAAgB,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAU,CAAC;AACnE,MAAM,iBAAiB,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,CAAU,CAAC;AAC/F,MAAM,SAAS,GAAG,CAAC,GAAG,iBAAiB,EAAE,GAAG,gBAAgB,CAAU,CAAC;AAIvE,MAAM,gBAAgB,GAAG,CAAC,KAAc,EAA8C,EAAE,CAAC;IACxF,OAAQ,gBAAuC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAAA,CAChE,CAAC;AAEF,MAAM,iBAAiB,GAAG,CAAC,KAAc,EAA+C,EAAE,CAAC;IAC1F,OAAQ,iBAAwC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAAA,CACjE,CAAC;AAEF,MAAM,aAAa,GAAG,CAAC,CAAmB,EAAW,EAAE,CAAC,CAAC,KAAK,QAAQ,CAAC;AACvE,MAAM,aAAa,GAAG,CAAC,CAAmB,EAAW,EAAE,CAAC,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,SAAS,CAAC;AAE3F,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CACpC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EACnB,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,EACpB,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,EACpB,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EACjB,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,EACpB,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EACtB,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EACtB,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CACvB,CAAC;AAEF,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;AAE7G,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE;IAC3D,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE;IAE3C,QAAQ;IACR,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACnC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE1B,YAAY;IACZ,GAAG,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAE3B,sCAAsC;IACtC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,OAAO,EAAE,CAAC;SACR,MAAM,CAAC;QACP,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC7B,CAAC;SACD,QAAQ,EAAE;CACZ,CAAC,CAAC;AAEH,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC;IAC5C,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACrB,GAAG,EAAE,CAAC;SACJ,KAAK,CACL,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAClB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAClB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAClB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAClB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAClB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAClB;SACA,QAAQ,EAAE;IACZ,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxB,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACzB,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACzB,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACzB,GAAG,EAAE,CAAC;SACJ,KAAK,CACL,CAAC,CAAC,MAAM,CAAC;QACR,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACxB,CAAC,CACF;SACA,QAAQ,EAAE;CACZ,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,aAAa,CAAC,MAAM,CAAC;IAC3C,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IACpB,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;IACnF,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACxE,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACxB,CAAC,CAAC;AAEH,MAAM,uBAAuB,GAAG,aAAa,CAAC,MAAM,CAAC;IACpD,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IACpB,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,QAAQ,EAAE;IACnC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;IAC3B,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACxB,CAAC,CAAC;AAEH,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC;IAC5C,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACrB,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE;IAClC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACtD,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACxB,CAAC,CAAC;AAEH,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC;IAC5C,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACrB,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;IACnF,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACb,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,CAAmB,GAAM,EAAW,EAAE,CAAC;IAC/D,OAAO,CAAC,GAAG,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;AAAA,CACtE,CAAC;AAEF,MAAM,WAAW,GAAG,CAAmB,GAAM,EAAW,EAAE,CAAC;IAC1D,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;AAAA,CAC9B,CAAC;AAEF,qCAAqC;AACrC,MAAM,CAAC,MAAM,SAAS,GAAG,CAAC;KACxB,KAAK,CAAC,eAAe,EAAE,cAAc,EAAE,uBAAuB,EAAE,eAAe,EAAE,eAAe,CAAC;KACjG,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IACb,0CAA0C;IAC1C,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,yCAAyC,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,gDAAgD;IAChD,IAAI,CAAC,CAAC,OAAO,EAAE,IAAI,CAAC,iBAAiB,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1D,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,+CAA+C,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IAC/F,CAAC;IAED,sCAAsC;IACtC,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACrD,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,qCAAqC,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,yCAAyC;IACzC,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,CAAC,CAAC,OAAO,IAAI,IAAI,EAAE,CAAC;QACxC,MAAM,UAAU,GACf,CAAC,CAAC,CAAC,GAAG,KAAK,KAAK,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YACnD,CAAC,CAAC,CAAC,GAAG,KAAK,KAAK,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC;QACrD,IAAI,CAAC,UAAU,EAAE,CAAC;YACjB,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,yCAAyC,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACzF,CAAC;IACF,CAAC;IAED,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AAAA,CACf,CAAC,CAAC;AAEJ,wDAAwD;AACxD,MAAM,CAAC,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAClD,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;QACnB,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;QACrB,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACrD,OAAO,CAAC,CAAC,GAAG,CAAC;YACZ,OAAO,EAAE,8DAA8D;YACvE,IAAI,EAAE,CAAC,SAAS,CAAC;SACjB,CAAC,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AAAA,CACf,CAAC,CAAC"}