@atcute/oauth-types 0.1.0

package/dist/schemas/oauth-client-id.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client-id.d.ts","sourceRoot":"","sources":["../../lib/schemas/oauth-client-id.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,kDAAkD;AAClD,eAAO,MAAM,mBAAmB,gBAAsE,CAAC;AAEvG,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC"}

package/dist/schemas/oauth-client-id.js

@@ -0,0 +1,4 @@
+import * as v from '@badrap/valita';
+/** base OAuth client ID (any non-empty string) */
+export const oauthClientIdSchema = v.string().assert((input) => input.length > 0, `must not be empty`);
+//# sourceMappingURL=oauth-client-id.js.map

package/dist/schemas/oauth-client-id.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client-id.js","sourceRoot":"","sources":["../../lib/schemas/oauth-client-id.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,kDAAkD;AAClD,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,mBAAmB,CAAC,CAAC"}

package/dist/schemas/oauth-client-metadata.d.ts

@@ -0,0 +1,164 @@
+import * as v from '@badrap/valita';
+/**
+ * base OAuth client metadata schema.
+ *
+ * @see {@link https://openid.net/specs/openid-connect-registration-1_0.html}
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7591}
+ */
+export declare const oauthClientMetadataSchema: v.ObjectType<{
+    redirect_uris: v.Type<string[]>;
+    response_types: v.Optional<("code" | "code id_token" | "code id_token token" | "code token" | "id_token" | "id_token token" | "none" | "token")[]>;
+    grant_types: v.Optional<("authorization_code" | "client_credentials" | "implicit" | "password" | "refresh_token" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer")[]>;
+    scope: v.Optional<string>;
+    token_endpoint_auth_method: v.Optional<"client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "none" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth">;
+    token_endpoint_auth_signing_alg: v.Optional<string>;
+    userinfo_signed_response_alg: v.Optional<string>;
+    userinfo_encrypted_response_alg: v.Optional<string>;
+    jwks_uri: v.Optional<string>;
+    jwks: v.Optional<{
+        keys: ({
+            kid?: string | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+            x5c?: string[] | undefined;
+            x5t?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            x5u?: string | undefined;
+            ext?: boolean | undefined;
+            iat?: number | undefined;
+            exp?: number | undefined;
+            nbf?: number | undefined;
+            revoked?: {
+                revoked_at: number;
+                reason?: string | undefined;
+            } | undefined;
+            kty: "RSA";
+            alg?: "PS256" | "PS384" | "PS512" | "RS256" | "RS384" | "RS512" | undefined;
+            n: string;
+            e: string;
+            d?: string | undefined;
+            p?: string | undefined;
+            q?: string | undefined;
+            dp?: string | undefined;
+            dq?: string | undefined;
+            qi?: string | undefined;
+            oth?: {
+                r?: string | undefined;
+                d?: string | undefined;
+                t?: string | undefined;
+            }[] | undefined;
+        } | {
+            kid?: string | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+            x5c?: string[] | undefined;
+            x5t?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            x5u?: string | undefined;
+            ext?: boolean | undefined;
+            iat?: number | undefined;
+            exp?: number | undefined;
+            nbf?: number | undefined;
+            revoked?: {
+                revoked_at: number;
+                reason?: string | undefined;
+            } | undefined;
+            kty: "EC";
+            alg?: "ES256" | "ES384" | "ES512" | undefined;
+            crv: "P-256" | "P-384" | "P-521";
+            x: string;
+            y: string;
+            d?: string | undefined;
+        } | {
+            kid?: string | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+            x5c?: string[] | undefined;
+            x5t?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            x5u?: string | undefined;
+            ext?: boolean | undefined;
+            iat?: number | undefined;
+            exp?: number | undefined;
+            nbf?: number | undefined;
+            revoked?: {
+                revoked_at: number;
+                reason?: string | undefined;
+            } | undefined;
+            kty: "EC";
+            alg?: "ES256K" | undefined;
+            crv: "secp256k1";
+            x: string;
+            y: string;
+            d?: string | undefined;
+        } | {
+            kid?: string | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+            x5c?: string[] | undefined;
+            x5t?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            x5u?: string | undefined;
+            ext?: boolean | undefined;
+            iat?: number | undefined;
+            exp?: number | undefined;
+            nbf?: number | undefined;
+            revoked?: {
+                revoked_at: number;
+                reason?: string | undefined;
+            } | undefined;
+            kty: "OKP";
+            alg?: "EdDSA" | undefined;
+            crv: "Ed25519" | "Ed448";
+            x: string;
+            d?: string | undefined;
+        } | {
+            kid?: string | undefined;
+            use?: "enc" | "sig" | undefined;
+            key_ops?: ("decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey")[] | undefined;
+            x5c?: string[] | undefined;
+            x5t?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            x5u?: string | undefined;
+            ext?: boolean | undefined;
+            iat?: number | undefined;
+            exp?: number | undefined;
+            nbf?: number | undefined;
+            revoked?: {
+                revoked_at: number;
+                reason?: string | undefined;
+            } | undefined;
+            kty: "oct";
+            alg?: "HS256" | "HS384" | "HS512" | undefined;
+            k: string;
+        })[];
+    }>;
+    application_type: v.Optional<"native" | "web">;
+    subject_type: v.Optional<"pairwise" | "public">;
+    request_object_signing_alg: v.Optional<string>;
+    id_token_signed_response_alg: v.Optional<string>;
+    authorization_signed_response_alg: v.Optional<string>;
+    authorization_encrypted_response_enc: v.Optional<"A128CBC-HS256">;
+    authorization_encrypted_response_alg: v.Optional<string>;
+    client_id: v.Optional<string>;
+    client_name: v.Optional<string>;
+    client_uri: v.Optional<string>;
+    policy_uri: v.Optional<string>;
+    tos_uri: v.Optional<string>;
+    logo_uri: v.Optional<string>;
+    /**
+     * default Maximum Authentication Age. specifies that the End-User MUST be
+     * actively authenticated if the End-User was authenticated longer ago than
+     * the specified number of seconds. the max_age request parameter overrides
+     * this default value. if omitted, no default Maximum Authentication Age is
+     * specified.
+     */
+    default_max_age: v.Optional<number>;
+    require_auth_time: v.Optional<boolean>;
+    contacts: v.Optional<string[]>;
+    tls_client_certificate_bound_access_tokens: v.Optional<boolean>;
+    dpop_bound_access_tokens: v.Optional<boolean>;
+    authorization_details_types: v.Optional<string[]>;
+}, undefined>;
+export type OAuthClientMetadata = v.Infer<typeof oauthClientMetadataSchema>;
+//# sourceMappingURL=oauth-client-metadata.d.ts.map

package/dist/schemas/oauth-client-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client-metadata.d.ts","sourceRoot":"","sources":["../../lib/schemas/oauth-client-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAkBpC;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAuCrC;;;;;;OAMG;;;;;;;aAWF,CAAC;AAEH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC"}

package/dist/schemas/oauth-client-metadata.js

@@ -0,0 +1,74 @@
+import * as v from '@badrap/valita';
+import { jwksPubSchema } from './jwks.js';
+import { oauthClientIdSchema } from './oauth-client-id.js';
+import { oauthEndpointAuthMethodSchema } from './oauth-endpoint-auth-method.js';
+import { oauthGrantTypeSchema } from './oauth-grant-type.js';
+import { oauthRedirectUriSchema } from './oauth-redirect-uri.js';
+import { oauthResponseTypeSchema } from './oauth-response-type.js';
+import { oauthScopeSchema } from './oauth-scope.js';
+import { webUriSchema } from './uri.js';
+const oauthApplicationTypeSchema = v.union(v.literal('web'), v.literal('native'));
+const oauthSubjectTypeSchema = v.union(v.literal('public'), v.literal('pairwise'));
+// simple email validation
+const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+/**
+ * base OAuth client metadata schema.
+ *
+ * @see {@link https://openid.net/specs/openid-connect-registration-1_0.html}
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7591}
+ */
+export const oauthClientMetadataSchema = v.object({
+    // https://www.rfc-editor.org/rfc/rfc7591.html#section-2
+    redirect_uris: v
+        .array(oauthRedirectUriSchema)
+        .assert((arr) => arr.length > 0, `must have at least one redirect URI`),
+    response_types: v.array(oauthResponseTypeSchema).optional(),
+    // > If omitted, the default is that the client will use only the "code"
+    // > response type.
+    // .optional((): OAuthResponseType[] => ['code'])
+    grant_types: v.array(oauthGrantTypeSchema).optional(),
+    // > If omitted, the default behavior is that the client will use only the
+    // > "authorization_code" Grant Type.
+    // .optional((): OAuthGrantType[] => ['authorization_code']),
+    scope: oauthScopeSchema.optional(),
+    // https://www.rfc-editor.org/rfc/rfc7591.html#section-2
+    token_endpoint_auth_method: oauthEndpointAuthMethodSchema.optional(),
+    // > If unspecified or omitted, the default is "client_secret_basic" [...].
+    // .optional((): OAuthEndpointAuthMethod => 'client_secret_basic'),
+    token_endpoint_auth_signing_alg: v.string().optional(),
+    userinfo_signed_response_alg: v.string().optional(),
+    userinfo_encrypted_response_alg: v.string().optional(),
+    jwks_uri: webUriSchema.optional(),
+    jwks: jwksPubSchema.optional(),
+    application_type: oauthApplicationTypeSchema.optional(),
+    // .optional((): OAuthApplicationType => 'web'),
+    subject_type: oauthSubjectTypeSchema.optional(),
+    // .optional((): OAuthSubjectType => 'public'),
+    request_object_signing_alg: v.string().optional(),
+    id_token_signed_response_alg: v.string().optional(),
+    authorization_signed_response_alg: v.string().optional(),
+    authorization_encrypted_response_enc: v.literal('A128CBC-HS256').optional(),
+    authorization_encrypted_response_alg: v.string().optional(),
+    client_id: oauthClientIdSchema.optional(),
+    client_name: v.string().optional(),
+    client_uri: webUriSchema.optional(),
+    policy_uri: webUriSchema.optional(),
+    tos_uri: webUriSchema.optional(),
+    logo_uri: webUriSchema.optional(),
+    /**
+     * default Maximum Authentication Age. specifies that the End-User MUST be
+     * actively authenticated if the End-User was authenticated longer ago than
+     * the specified number of seconds. the max_age request parameter overrides
+     * this default value. if omitted, no default Maximum Authentication Age is
+     * specified.
+     */
+    default_max_age: v.number().optional(),
+    require_auth_time: v.boolean().optional(),
+    contacts: v.array(v.string().assert((s) => EMAIL_RE.test(s), `must be a valid email`)).optional(),
+    tls_client_certificate_bound_access_tokens: v.boolean().optional(),
+    // https://datatracker.ietf.org/doc/html/rfc9449#section-5.2
+    dpop_bound_access_tokens: v.boolean().optional(),
+    // https://datatracker.ietf.org/doc/html/rfc9396#section-14.5
+    authorization_details_types: v.array(v.string()).optional(),
+});
+//# sourceMappingURL=oauth-client-metadata.js.map

package/dist/schemas/oauth-client-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client-metadata.js","sourceRoot":"","sources":["../../lib/schemas/oauth-client-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,6BAA6B,EAAE,MAAM,iCAAiC,CAAC;AAChF,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAExC,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;AAElF,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AAEnF,0BAA0B;AAC1B,MAAM,QAAQ,GAAG,4BAA4B,CAAC;AAE9C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,wDAAwD;IACxD,aAAa,EAAE,CAAC;SACd,KAAK,CAAC,sBAAsB,CAAC;SAC7B,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,qCAAqC,CAAC;IACxE,cAAc,EAAE,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,QAAQ,EAAE;IAC3D,wEAAwE;IACxE,mBAAmB;IACnB,iDAAiD;IACjD,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,QAAQ,EAAE;IACrD,0EAA0E;IAC1E,qCAAqC;IACrC,6DAA6D;IAC7D,KAAK,EAAE,gBAAgB,CAAC,QAAQ,EAAE;IAClC,wDAAwD;IACxD,0BAA0B,EAAE,6BAA6B,CAAC,QAAQ,EAAE;IACpE,2EAA2E;IAC3E,mEAAmE;IACnE,+BAA+B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtD,4BAA4B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnD,+BAA+B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtD,QAAQ,EAAE,YAAY,CAAC,QAAQ,EAAE;IACjC,IAAI,EAAE,aAAa,CAAC,QAAQ,EAAE;IAC9B,gBAAgB,EAAE,0BAA0B,CAAC,QAAQ,EAAE;IACvD,gDAAgD;IAChD,YAAY,EAAE,sBAAsB,CAAC,QAAQ,EAAE;IAC/C,+CAA+C;IAC/C,0BAA0B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjD,4BAA4B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnD,iCAAiC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxD,oCAAoC,EAAE,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,QAAQ,EAAE;IAC3E,oCAAoC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3D,SAAS,EAAE,mBAAmB,CAAC,QAAQ,EAAE;IACzC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,UAAU,EAAE,YAAY,CAAC,QAAQ,EAAE;IACnC,UAAU,EAAE,YAAY,CAAC,QAAQ,EAAE;IACnC,OAAO,EAAE,YAAY,CAAC,QAAQ,EAAE;IAChC,QAAQ,EAAE,YAAY,CAAC,QAAQ,EAAE;IAEjC;;;;;;OAMG;IACH,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtC,iBAAiB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACzC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,uBAAuB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjG,0CAA0C,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAElE,4DAA4D;IAC5D,wBAAwB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAEhD,6DAA6D;IAC7D,2BAA2B,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC3D,CAAC,CAAC"}

package/dist/schemas/oauth-code-challenge-method.d.ts

@@ -0,0 +1,4 @@
+import * as v from '@badrap/valita';
+export declare const oauthCodeChallengeMethodSchema: v.UnionType<[v.Type<"S256">, v.Type<"plain">]>;
+export type OAuthCodeChallengeMethod = v.Infer<typeof oauthCodeChallengeMethodSchema>;
+//# sourceMappingURL=oauth-code-challenge-method.d.ts.map

package/dist/schemas/oauth-code-challenge-method.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-code-challenge-method.d.ts","sourceRoot":"","sources":["../../lib/schemas/oauth-code-challenge-method.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,eAAO,MAAM,8BAA8B,gDAAiD,CAAC;AAE7F,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC"}

package/dist/schemas/oauth-code-challenge-method.js

@@ -0,0 +1,3 @@
+import * as v from '@badrap/valita';
+export const oauthCodeChallengeMethodSchema = v.union(v.literal('S256'), v.literal('plain'));
+//# sourceMappingURL=oauth-code-challenge-method.js.map

package/dist/schemas/oauth-code-challenge-method.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-code-challenge-method.js","sourceRoot":"","sources":["../../lib/schemas/oauth-code-challenge-method.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC"}

package/dist/schemas/oauth-endpoint-auth-method.d.ts

@@ -0,0 +1,4 @@
+import * as v from '@badrap/valita';
+export declare const oauthEndpointAuthMethodSchema: v.UnionType<[v.Type<"client_secret_basic">, v.Type<"client_secret_jwt">, v.Type<"client_secret_post">, v.Type<"none">, v.Type<"private_key_jwt">, v.Type<"self_signed_tls_client_auth">, v.Type<"tls_client_auth">]>;
+export type OAuthEndpointAuthMethod = v.Infer<typeof oauthEndpointAuthMethodSchema>;
+//# sourceMappingURL=oauth-endpoint-auth-method.d.ts.map

package/dist/schemas/oauth-endpoint-auth-method.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-endpoint-auth-method.d.ts","sourceRoot":"","sources":["../../lib/schemas/oauth-endpoint-auth-method.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,eAAO,MAAM,6BAA6B,sNAQzC,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC"}

package/dist/schemas/oauth-endpoint-auth-method.js

@@ -0,0 +1,3 @@
+import * as v from '@badrap/valita';
+export const oauthEndpointAuthMethodSchema = v.union(v.literal('client_secret_basic'), v.literal('client_secret_jwt'), v.literal('client_secret_post'), v.literal('none'), v.literal('private_key_jwt'), v.literal('self_signed_tls_client_auth'), v.literal('tls_client_auth'));
+//# sourceMappingURL=oauth-endpoint-auth-method.js.map

package/dist/schemas/oauth-endpoint-auth-method.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-endpoint-auth-method.js","sourceRoot":"","sources":["../../lib/schemas/oauth-endpoint-auth-method.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,KAAK,CACnD,CAAC,CAAC,OAAO,CAAC,qBAAqB,CAAC,EAChC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,EAC9B,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAC/B,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EACjB,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAC5B,CAAC,CAAC,OAAO,CAAC,6BAA6B,CAAC,EACxC,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAC5B,CAAC"}

package/dist/schemas/oauth-grant-type.d.ts

@@ -0,0 +1,4 @@
+import * as v from '@badrap/valita';
+export declare const oauthGrantTypeSchema: v.UnionType<[v.Type<"authorization_code">, v.Type<"implicit">, v.Type<"refresh_token">, v.Type<"password">, v.Type<"client_credentials">, v.Type<"urn:ietf:params:oauth:grant-type:jwt-bearer">, v.Type<"urn:ietf:params:oauth:grant-type:saml2-bearer">]>;
+export type OAuthGrantType = v.Infer<typeof oauthGrantTypeSchema>;
+//# sourceMappingURL=oauth-grant-type.d.ts.map

package/dist/schemas/oauth-grant-type.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-grant-type.d.ts","sourceRoot":"","sources":["../../lib/schemas/oauth-grant-type.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,eAAO,MAAM,oBAAoB,4PAQhC,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC"}

package/dist/schemas/oauth-grant-type.js

@@ -0,0 +1,4 @@
+import * as v from '@badrap/valita';
+export const oauthGrantTypeSchema = v.union(v.literal('authorization_code'), v.literal('implicit'), v.literal('refresh_token'), v.literal('password'), // not part of OAuth 2.1
+v.literal('client_credentials'), v.literal('urn:ietf:params:oauth:grant-type:jwt-bearer'), v.literal('urn:ietf:params:oauth:grant-type:saml2-bearer'));
+//# sourceMappingURL=oauth-grant-type.js.map

package/dist/schemas/oauth-grant-type.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-grant-type.js","sourceRoot":"","sources":["../../lib/schemas/oauth-grant-type.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAC1C,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAC/B,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,EACrB,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,EAC1B,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,wBAAwB;AAC/C,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAC/B,CAAC,CAAC,OAAO,CAAC,6CAA6C,CAAC,EACxD,CAAC,CAAC,OAAO,CAAC,+CAA+C,CAAC,CAC1D,CAAC"}

package/dist/schemas/oauth-issuer-identifier.d.ts

@@ -0,0 +1,4 @@
+import * as v from '@badrap/valita';
+export declare const oauthIssuerIdentifierSchema: v.Type<string>;
+export type OAuthIssuerIdentifier = v.Infer<typeof oauthIssuerIdentifierSchema>;
+//# sourceMappingURL=oauth-issuer-identifier.d.ts.map

package/dist/schemas/oauth-issuer-identifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-issuer-identifier.d.ts","sourceRoot":"","sources":["../../lib/schemas/oauth-issuer-identifier.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAIpC,eAAO,MAAM,2BAA2B,gBAuBtC,CAAC;AAEH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC"}

package/dist/schemas/oauth-issuer-identifier.js

@@ -0,0 +1,21 @@
+import * as v from '@badrap/valita';
+import { webUriSchema } from './uri.js';
+export const oauthIssuerIdentifierSchema = webUriSchema.chain((input) => {
+    // validate the issuer (MIX-UP attacks)
+    if (input.endsWith('/')) {
+        return v.err(`issuer URL must not end with a slash`);
+    }
+    const url = new URL(input);
+    if (url.username || url.password) {
+        return v.err(`issuer URL must not contain a username or password`);
+    }
+    if (url.hash || url.search) {
+        return v.err(`issuer URL must not contain a query or fragment`);
+    }
+    const canonicalValue = url.pathname === '/' ? url.origin : url.href;
+    if (input !== canonicalValue) {
+        return v.err(`issuer URL must be in the canonical form`);
+    }
+    return v.ok(input);
+});
+//# sourceMappingURL=oauth-issuer-identifier.js.map

package/dist/schemas/oauth-issuer-identifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-issuer-identifier.js","sourceRoot":"","sources":["../../lib/schemas/oauth-issuer-identifier.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAExC,MAAM,CAAC,MAAM,2BAA2B,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;IACxE,uCAAuC;IAEvC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IAE3B,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QAClC,OAAO,CAAC,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;IACpE,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QAC5B,OAAO,CAAC,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,cAAc,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IACpE,IAAI,KAAK,KAAK,cAAc,EAAE,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;AAAA,CACnB,CAAC,CAAC"}

package/dist/schemas/oauth-par-response.d.ts

@@ -0,0 +1,7 @@
+import * as v from '@badrap/valita';
+export declare const oauthParResponseSchema: v.ObjectType<{
+    request_uri: v.Type<string>;
+    expires_in: v.Type<number>;
+}, undefined>;
+export type OAuthParResponse = v.Infer<typeof oauthParResponseSchema>;
+//# sourceMappingURL=oauth-par-response.d.ts.map

package/dist/schemas/oauth-par-response.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-par-response.d.ts","sourceRoot":"","sources":["../../lib/schemas/oauth-par-response.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAIpC,eAAO,MAAM,sBAAsB;;;aAGjC,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC"}

package/dist/schemas/oauth-par-response.js

@@ -0,0 +1,7 @@
+import * as v from '@badrap/valita';
+const isPositiveInteger = (n) => Number.isInteger(n) && n > 0;
+export const oauthParResponseSchema = v.object({
+    request_uri: v.string(),
+    expires_in: v.number().assert(isPositiveInteger, `must be a positive integer`),
+});
+//# sourceMappingURL=oauth-par-response.js.map

package/dist/schemas/oauth-par-response.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-par-response.js","sourceRoot":"","sources":["../../lib/schemas/oauth-par-response.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,MAAM,iBAAiB,GAAG,CAAC,CAAS,EAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAE/E,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;IACvB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,iBAAiB,EAAE,4BAA4B,CAAC;CAC9E,CAAC,CAAC"}

package/dist/schemas/oauth-prompt.d.ts

@@ -0,0 +1,13 @@
+import * as v from '@badrap/valita';
+/**
+ * OAuth prompt mode values.
+ *
+ * - `none`: only succeed if user already authorized this client on this device
+ * - `login`: force re-authentication
+ * - `consent`: force re-consent
+ * - `select_account`: force account selection
+ * - `create`: force user registration screen
+ */
+export declare const oauthPromptSchema: v.UnionType<[v.Type<"none">, v.Type<"login">, v.Type<"consent">, v.Type<"select_account">, v.Type<"create">]>;
+export type OAuthPrompt = v.Infer<typeof oauthPromptSchema>;
+//# sourceMappingURL=oauth-prompt.d.ts.map

package/dist/schemas/oauth-prompt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-prompt.d.ts","sourceRoot":"","sources":["../../lib/schemas/oauth-prompt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC;;;;;;;;GAQG;AACH,eAAO,MAAM,iBAAiB,+GAM7B,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC"}

package/dist/schemas/oauth-prompt.js

@@ -0,0 +1,12 @@
+import * as v from '@badrap/valita';
+/**
+ * OAuth prompt mode values.
+ *
+ * - `none`: only succeed if user already authorized this client on this device
+ * - `login`: force re-authentication
+ * - `consent`: force re-consent
+ * - `select_account`: force account selection
+ * - `create`: force user registration screen
+ */
+export const oauthPromptSchema = v.union(v.literal('none'), v.literal('login'), v.literal('consent'), v.literal('select_account'), v.literal('create'));
+//# sourceMappingURL=oauth-prompt.js.map

package/dist/schemas/oauth-prompt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-prompt.js","sourceRoot":"","sources":["../../lib/schemas/oauth-prompt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CACvC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EACjB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAClB,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,EACpB,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAC3B,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CACnB,CAAC"}

package/dist/schemas/oauth-protected-resource-metadata.d.ts

@@ -0,0 +1,66 @@
+import * as v from '@badrap/valita';
+export declare const oauthBearerMethodSchema: v.UnionType<[v.Type<"header">, v.Type<"body">, v.Type<"query">]>;
+export type OAuthBearerMethod = v.Infer<typeof oauthBearerMethodSchema>;
+/**
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2}
+ */
+export declare const oauthProtectedResourceMetadataSchema: v.ObjectType<{
+    /**
+     * REQUIRED. the protected resource's resource identifier, which is a URL that
+     * uses the https scheme and has no query or fragment components.
+     */
+    resource: v.Type<string>;
+    /**
+     * OPTIONAL. JSON array containing a list of OAuth authorization server issuer
+     * identifiers, as defined in RFC8414, for authorization servers that can be
+     * used with this protected resource.
+     */
+    authorization_servers: v.Optional<string[]>;
+    /**
+     * OPTIONAL. URL of the protected resource's JWK Set document.
+     */
+    jwks_uri: v.Optional<string>;
+    /**
+     * RECOMMENDED. JSON array containing a list of the OAuth 2.0 scope values that
+     * are used in authorization requests to request access to this protected resource.
+     */
+    scopes_supported: v.Optional<string[]>;
+    /**
+     * OPTIONAL. JSON array containing a list of the supported methods of sending
+     * an OAuth 2.0 Bearer Token to the protected resource.
+     */
+    bearer_methods_supported: v.Optional<("body" | "header" | "query")[]>;
+    /**
+     * OPTIONAL. JSON array containing a list of the JWS signing algorithms
+     * supported by the protected resource for signing resource responses.
+     */
+    resource_signing_alg_values_supported: v.Optional<string[]>;
+    /**
+     * OPTIONAL. URL of a page containing human-readable information that
+     * developers might want or need to know when using the protected resource.
+     */
+    resource_documentation: v.Optional<string>;
+    /**
+     * OPTIONAL. URL that the protected resource provides to read about the
+     * protected resource's requirements on how the client can use the data.
+     */
+    resource_policy_uri: v.Optional<string>;
+    /**
+     * OPTIONAL. URL that the protected resource provides to read about the
+     * protected resource's terms of service.
+     */
+    resource_tos_uri: v.Optional<string>;
+}, undefined>;
+export declare const oauthProtectedResourceMetadataValidator: v.Type<{
+    resource: string;
+    authorization_servers?: string[] | undefined;
+    jwks_uri?: string | undefined;
+    scopes_supported?: string[] | undefined;
+    bearer_methods_supported?: ("body" | "header" | "query")[] | undefined;
+    resource_signing_alg_values_supported?: string[] | undefined;
+    resource_documentation?: string | undefined;
+    resource_policy_uri?: string | undefined;
+    resource_tos_uri?: string | undefined;
+}>;
+export type OAuthProtectedResourceMetadata = v.Infer<typeof oauthProtectedResourceMetadataSchema>;
+//# sourceMappingURL=oauth-protected-resource-metadata.d.ts.map

package/dist/schemas/oauth-protected-resource-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-protected-resource-metadata.d.ts","sourceRoot":"","sources":["../../lib/schemas/oauth-protected-resource-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAKpC,eAAO,MAAM,uBAAuB,kEAAsE,CAAC;AAE3G,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAExE;;GAEG;AACH,eAAO,MAAM,oCAAoC;IAChD;;;OAGG;;IAGH;;;;OAIG;;IAGH;;OAEG;;IAGH;;;OAGG;;IAGH;;;OAGG;;IAGH;;;OAGG;;IAGH;;;OAGG;;IAGH;;;OAGG;;IAGH;;;OAGG;;aAEF,CAAC;AAEH,eAAO,MAAM,uCAAuC;;;;;;;;;;EAkBlD,CAAC;AAEH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oCAAoC,CAAC,CAAC"}

package/dist/schemas/oauth-protected-resource-metadata.js

@@ -0,0 +1,71 @@
+import * as v from '@badrap/valita';
+import { oauthIssuerIdentifierSchema } from './oauth-issuer-identifier.js';
+import { webUriSchema } from './uri.js';
+export const oauthBearerMethodSchema = v.union(v.literal('header'), v.literal('body'), v.literal('query'));
+/**
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2}
+ */
+export const oauthProtectedResourceMetadataSchema = v.object({
+    /**
+     * REQUIRED. the protected resource's resource identifier, which is a URL that
+     * uses the https scheme and has no query or fragment components.
+     */
+    resource: webUriSchema,
+    /**
+     * OPTIONAL. JSON array containing a list of OAuth authorization server issuer
+     * identifiers, as defined in RFC8414, for authorization servers that can be
+     * used with this protected resource.
+     */
+    authorization_servers: v.array(oauthIssuerIdentifierSchema).optional(),
+    /**
+     * OPTIONAL. URL of the protected resource's JWK Set document.
+     */
+    jwks_uri: webUriSchema.optional(),
+    /**
+     * RECOMMENDED. JSON array containing a list of the OAuth 2.0 scope values that
+     * are used in authorization requests to request access to this protected resource.
+     */
+    scopes_supported: v.array(v.string()).optional(),
+    /**
+     * OPTIONAL. JSON array containing a list of the supported methods of sending
+     * an OAuth 2.0 Bearer Token to the protected resource.
+     */
+    bearer_methods_supported: v.array(oauthBearerMethodSchema).optional(),
+    /**
+     * OPTIONAL. JSON array containing a list of the JWS signing algorithms
+     * supported by the protected resource for signing resource responses.
+     */
+    resource_signing_alg_values_supported: v.array(v.string()).optional(),
+    /**
+     * OPTIONAL. URL of a page containing human-readable information that
+     * developers might want or need to know when using the protected resource.
+     */
+    resource_documentation: webUriSchema.optional(),
+    /**
+     * OPTIONAL. URL that the protected resource provides to read about the
+     * protected resource's requirements on how the client can use the data.
+     */
+    resource_policy_uri: webUriSchema.optional(),
+    /**
+     * OPTIONAL. URL that the protected resource provides to read about the
+     * protected resource's terms of service.
+     */
+    resource_tos_uri: webUriSchema.optional(),
+});
+export const oauthProtectedResourceMetadataValidator = oauthProtectedResourceMetadataSchema.chain((data) => {
+    const url = new URL(data.resource);
+    if (url.search) {
+        return v.err({
+            message: `resource URL must not contain query parameters`,
+            path: ['resource'],
+        });
+    }
+    if (url.hash) {
+        return v.err({
+            message: `resource URL must not contain a fragment`,
+            path: ['resource'],
+        });
+    }
+    return v.ok(data);
+});
+//# sourceMappingURL=oauth-protected-resource-metadata.js.map

package/dist/schemas/oauth-protected-resource-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-protected-resource-metadata.js","sourceRoot":"","sources":["../../lib/schemas/oauth-protected-resource-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,OAAO,EAAE,2BAA2B,EAAE,MAAM,8BAA8B,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAExC,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;AAI3G;;GAEG;AACH,MAAM,CAAC,MAAM,oCAAoC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5D;;;OAGG;IACH,QAAQ,EAAE,YAAY;IAEtB;;;;OAIG;IACH,qBAAqB,EAAE,CAAC,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC,QAAQ,EAAE;IAEtE;;OAEG;IACH,QAAQ,EAAE,YAAY,CAAC,QAAQ,EAAE;IAEjC;;;OAGG;IACH,gBAAgB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAEhD;;;OAGG;IACH,wBAAwB,EAAE,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,QAAQ,EAAE;IAErE;;;OAGG;IACH,qCAAqC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAErE;;;OAGG;IACH,sBAAsB,EAAE,YAAY,CAAC,QAAQ,EAAE;IAE/C;;;OAGG;IACH,mBAAmB,EAAE,YAAY,CAAC,QAAQ,EAAE;IAE5C;;;OAGG;IACH,gBAAgB,EAAE,YAAY,CAAC,QAAQ,EAAE;CACzC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,uCAAuC,GAAG,oCAAoC,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;IAC3G,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAEnC,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QAChB,OAAO,CAAC,CAAC,GAAG,CAAC;YACZ,OAAO,EAAE,gDAAgD;YACzD,IAAI,EAAE,CAAC,UAAU,CAAC;SAClB,CAAC,CAAC;IACJ,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACd,OAAO,CAAC,CAAC,GAAG,CAAC;YACZ,OAAO,EAAE,0CAA0C;YACnD,IAAI,EAAE,CAAC,UAAU,CAAC;SAClB,CAAC,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;AAAA,CAClB,CAAC,CAAC"}

package/dist/schemas/oauth-redirect-uri.d.ts

@@ -0,0 +1,20 @@
+import * as v from '@badrap/valita';
+/**
+ * this is a loopback URI with the additional restriction that the hostname
+ * `localhost` is not allowed.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8252#section-8.3 Loopback Redirect Considerations} RFC8252
+ *
+ * > While redirect URIs using localhost (i.e.,
+ * > "http://localhost:{port}/{path}") function similarly to loopback IP
+ * > redirects described in Section 7.3, the use of localhost is NOT
+ * > RECOMMENDED. Specifying a redirect URI with the loopback IP literal rather
+ * > than localhost avoids inadvertently listening on network interfaces other
+ * > than the loopback interface. It is also less susceptible to client-side
+ * > firewalls and misconfigured host name resolution on the user's device.
+ */
+export declare const loopbackRedirectUriSchema: v.Type<string>;
+export type LoopbackRedirectUri = v.Infer<typeof loopbackRedirectUriSchema>;
+export declare const oauthRedirectUriSchema: v.Type<string>;
+export type OAuthRedirectUri = v.Infer<typeof oauthRedirectUriSchema>;
+//# sourceMappingURL=oauth-redirect-uri.d.ts.map

package/dist/schemas/oauth-redirect-uri.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-redirect-uri.d.ts","sourceRoot":"","sources":["../../lib/schemas/oauth-redirect-uri.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAIpC;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,gBAOpC,CAAC;AAEH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE5E,eAAO,MAAM,sBAAsB,gBAUjC,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC"}

package/dist/schemas/oauth-redirect-uri.js

@@ -0,0 +1,32 @@
+import * as v from '@badrap/valita';
+import { httpsUriSchema, loopbackUriSchema, privateUseUriSchema } from './uri.js';
+/**
+ * this is a loopback URI with the additional restriction that the hostname
+ * `localhost` is not allowed.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8252#section-8.3 Loopback Redirect Considerations} RFC8252
+ *
+ * > While redirect URIs using localhost (i.e.,
+ * > "http://localhost:{port}/{path}") function similarly to loopback IP
+ * > redirects described in Section 7.3, the use of localhost is NOT
+ * > RECOMMENDED. Specifying a redirect URI with the loopback IP literal rather
+ * > than localhost avoids inadvertently listening on network interfaces other
+ * > than the loopback interface. It is also less susceptible to client-side
+ * > firewalls and misconfigured host name resolution on the user's device.
+ */
+export const loopbackRedirectUriSchema = loopbackUriSchema.chain((input) => {
+    if (input.startsWith('http://localhost')) {
+        return v.err(`use of "localhost" hostname is not allowed (RFC 8252), use a loopback IP such as "127.0.0.1" instead`);
+    }
+    return v.ok(input);
+});
+export const oauthRedirectUriSchema = v.string().chain((input, options) => {
+    if (input.startsWith('http://')) {
+        return loopbackRedirectUriSchema.try(input, options);
+    }
+    if (input.startsWith('https://')) {
+        return httpsUriSchema.try(input, options);
+    }
+    return privateUseUriSchema.try(input, options);
+});
+//# sourceMappingURL=oauth-redirect-uri.js.map