npm - @atcute/oauth-types - Versions diffs - 0.1.1 → 1.0.0 - Mend

@atcute/oauth-types 0.1.1 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (153) hide show

package/README.md +6 -5
package/dist/build-client-metadata.d.ts +5 -320
package/dist/build-client-metadata.d.ts.map +1 -1
package/dist/build-client-metadata.js +3 -2
package/dist/build-client-metadata.js.map +1 -1
package/dist/index.d.ts +31 -31
package/dist/schemas/atcute-client-shared.d.ts +8 -0
package/dist/schemas/atcute-client-shared.d.ts.map +1 -0
package/dist/schemas/atcute-client-shared.js +15 -0
package/dist/schemas/atcute-client-shared.js.map +1 -0
package/dist/schemas/atcute-confidential-client-metadata.d.ts +228 -4
package/dist/schemas/atcute-confidential-client-metadata.d.ts.map +1 -1
package/dist/schemas/atcute-confidential-client-metadata.js +48 -88
package/dist/schemas/atcute-confidential-client-metadata.js.map +1 -1
package/dist/schemas/atcute-public-client-metadata.d.ts +75 -35
package/dist/schemas/atcute-public-client-metadata.d.ts.map +1 -1
package/dist/schemas/atcute-public-client-metadata.js +25 -110
package/dist/schemas/atcute-public-client-metadata.js.map +1 -1
package/dist/schemas/atproto-authorization-server-metadata.d.ts +786 -4
package/dist/schemas/atproto-authorization-server-metadata.d.ts.map +1 -1
package/dist/schemas/atproto-authorization-server-metadata.js +2 -18
package/dist/schemas/atproto-authorization-server-metadata.js.map +1 -1
package/dist/schemas/atproto-oauth-scope.d.ts +3 -3
package/dist/schemas/atproto-oauth-scope.d.ts.map +1 -1
package/dist/schemas/atproto-oauth-scope.js +2 -2
package/dist/schemas/atproto-oauth-scope.js.map +1 -1
package/dist/schemas/atproto-oauth-token-response.d.ts +17 -17
package/dist/schemas/atproto-oauth-token-response.d.ts.map +1 -1
package/dist/schemas/atproto-oauth-token-response.js +6 -6
package/dist/schemas/atproto-oauth-token-response.js.map +1 -1
package/dist/schemas/atproto-protected-resource-metadata.d.ts +100 -4
package/dist/schemas/atproto-protected-resource-metadata.d.ts.map +1 -1
package/dist/schemas/atproto-protected-resource-metadata.js +2 -11
package/dist/schemas/atproto-protected-resource-metadata.js.map +1 -1
package/dist/schemas/jwk.d.ts +4289 -42
package/dist/schemas/jwk.d.ts.map +1 -1
package/dist/schemas/jwk.js +58 -91
package/dist/schemas/jwk.js.map +1 -1
package/dist/schemas/jwks.d.ts +87 -42
package/dist/schemas/jwks.d.ts.map +1 -1
package/dist/schemas/jwks.js +13 -29
package/dist/schemas/jwks.js.map +1 -1
package/dist/schemas/oauth-authorization-details.d.ts +18 -18
package/dist/schemas/oauth-authorization-details.d.ts.map +1 -1
package/dist/schemas/oauth-authorization-details.js +7 -7
package/dist/schemas/oauth-authorization-details.js.map +1 -1
package/dist/schemas/oauth-authorization-server-metadata.d.ts +462 -48
package/dist/schemas/oauth-authorization-server-metadata.d.ts.map +1 -1
package/dist/schemas/oauth-authorization-server-metadata.js +46 -65
package/dist/schemas/oauth-authorization-server-metadata.js.map +1 -1
package/dist/schemas/oauth-client-id-discoverable.d.ts +2 -2
package/dist/schemas/oauth-client-id-discoverable.d.ts.map +1 -1
package/dist/schemas/oauth-client-id-discoverable.js +20 -22
package/dist/schemas/oauth-client-id-discoverable.js.map +1 -1
package/dist/schemas/oauth-client-id.d.ts +3 -3
package/dist/schemas/oauth-client-id.d.ts.map +1 -1
package/dist/schemas/oauth-client-id.js +2 -2
package/dist/schemas/oauth-client-id.js.map +1 -1
package/dist/schemas/oauth-client-metadata.d.ts +73 -51
package/dist/schemas/oauth-client-metadata.d.ts.map +1 -1
package/dist/schemas/oauth-client-metadata.js +33 -40
package/dist/schemas/oauth-client-metadata.js.map +1 -1
package/dist/schemas/oauth-code-challenge-method.d.ts +3 -3
package/dist/schemas/oauth-code-challenge-method.d.ts.map +1 -1
package/dist/schemas/oauth-code-challenge-method.js +2 -2
package/dist/schemas/oauth-code-challenge-method.js.map +1 -1
package/dist/schemas/oauth-endpoint-auth-method.d.ts +3 -3
package/dist/schemas/oauth-endpoint-auth-method.d.ts.map +1 -1
package/dist/schemas/oauth-endpoint-auth-method.js +10 -2
package/dist/schemas/oauth-endpoint-auth-method.js.map +1 -1
package/dist/schemas/oauth-grant-type.d.ts +3 -3
package/dist/schemas/oauth-grant-type.d.ts.map +1 -1
package/dist/schemas/oauth-grant-type.js +10 -3
package/dist/schemas/oauth-grant-type.js.map +1 -1
package/dist/schemas/oauth-issuer-identifier.d.ts +3 -3
package/dist/schemas/oauth-issuer-identifier.d.ts.map +1 -1
package/dist/schemas/oauth-issuer-identifier.js +16 -9
package/dist/schemas/oauth-issuer-identifier.js.map +1 -1
package/dist/schemas/oauth-par-response.d.ts +5 -5
package/dist/schemas/oauth-par-response.d.ts.map +1 -1
package/dist/schemas/oauth-par-response.js +3 -3
package/dist/schemas/oauth-par-response.js.map +1 -1
package/dist/schemas/oauth-prompt.d.ts +3 -3
package/dist/schemas/oauth-prompt.d.ts.map +1 -1
package/dist/schemas/oauth-prompt.js +2 -2
package/dist/schemas/oauth-prompt.js.map +1 -1
package/dist/schemas/oauth-protected-resource-metadata.d.ts +88 -16
package/dist/schemas/oauth-protected-resource-metadata.d.ts.map +1 -1
package/dist/schemas/oauth-protected-resource-metadata.js +14 -26
package/dist/schemas/oauth-protected-resource-metadata.js.map +1 -1
package/dist/schemas/oauth-redirect-uri.d.ts +5 -5
package/dist/schemas/oauth-redirect-uri.d.ts.map +1 -1
package/dist/schemas/oauth-redirect-uri.js +3 -16
package/dist/schemas/oauth-redirect-uri.js.map +1 -1
package/dist/schemas/oauth-response-mode.d.ts +3 -3
package/dist/schemas/oauth-response-mode.d.ts.map +1 -1
package/dist/schemas/oauth-response-mode.js +2 -2
package/dist/schemas/oauth-response-mode.js.map +1 -1
package/dist/schemas/oauth-response-type.d.ts +3 -3
package/dist/schemas/oauth-response-type.d.ts.map +1 -1
package/dist/schemas/oauth-response-type.js +13 -7
package/dist/schemas/oauth-response-type.js.map +1 -1
package/dist/schemas/oauth-scope.d.ts +3 -3
package/dist/schemas/oauth-scope.d.ts.map +1 -1
package/dist/schemas/oauth-scope.js +2 -2
package/dist/schemas/oauth-scope.js.map +1 -1
package/dist/schemas/oauth-token-response.d.ts +17 -17
package/dist/schemas/oauth-token-response.d.ts.map +1 -1
package/dist/schemas/oauth-token-response.js +7 -7
package/dist/schemas/oauth-token-response.js.map +1 -1
package/dist/schemas/oauth-token-type.d.ts +3 -3
package/dist/schemas/oauth-token-type.d.ts.map +1 -1
package/dist/schemas/oauth-token-type.js +8 -7
package/dist/schemas/oauth-token-type.js.map +1 -1
package/dist/schemas/uri.d.ts +7 -7
package/dist/schemas/uri.d.ts.map +1 -1
package/dist/schemas/uri.js +44 -44
package/dist/schemas/uri.js.map +1 -1
package/dist/schemas/utils.d.ts.map +1 -1
package/dist/schemas/utils.js.map +1 -1
package/dist/scope.d.ts.map +1 -1
package/dist/scope.js.map +1 -1
package/lib/build-client-metadata.ts +9 -7
package/lib/index.ts +31 -31
package/lib/schemas/atcute-client-shared.ts +25 -0
package/lib/schemas/atcute-confidential-client-metadata.ts +81 -111
package/lib/schemas/atcute-public-client-metadata.ts +70 -166
package/lib/schemas/atproto-authorization-server-metadata.ts +22 -23
package/lib/schemas/atproto-oauth-scope.ts +8 -5
package/lib/schemas/atproto-oauth-token-response.ts +10 -9
package/lib/schemas/atproto-protected-resource-metadata.ts +15 -15
package/lib/schemas/jwk.ts +104 -120
package/lib/schemas/jwks.ts +28 -40
package/lib/schemas/oauth-authorization-details.ts +10 -10
package/lib/schemas/oauth-authorization-server-metadata.ts +72 -74
package/lib/schemas/oauth-client-id-discoverable.ts +43 -48
package/lib/schemas/oauth-client-id.ts +3 -3
package/lib/schemas/oauth-client-metadata.ts +45 -49
package/lib/schemas/oauth-code-challenge-method.ts +3 -3
package/lib/schemas/oauth-endpoint-auth-method.ts +11 -11
package/lib/schemas/oauth-grant-type.ts +11 -11
package/lib/schemas/oauth-issuer-identifier.ts +35 -27
package/lib/schemas/oauth-par-response.ts +4 -4
package/lib/schemas/oauth-prompt.ts +3 -9
package/lib/schemas/oauth-protected-resource-metadata.ts +26 -35
package/lib/schemas/oauth-redirect-uri.ts +15 -23
package/lib/schemas/oauth-response-mode.ts +3 -7
package/lib/schemas/oauth-response-type.ts +12 -12
package/lib/schemas/oauth-scope.ts +3 -3
package/lib/schemas/oauth-token-response.ts +10 -10
package/lib/schemas/oauth-token-type.ts +16 -12
package/lib/schemas/uri.ts +89 -76
package/package.json +9 -8

package/lib/schemas/atcute-public-client-metadata.ts CHANGED Viewed

@@ -1,66 +1,30 @@
-import * as v from '@badrap/valita';
-import { atprotoOAuthScopeSchema } from './atproto-oauth-scope.js';
-import { oauthClientIdDiscoverableSchema } from './oauth-client-id-discoverable.js';
-import { loopbackRedirectUriSchema, oauthRedirectUriSchema } from './oauth-redirect-uri.js';
-import { nonLocalWebUriSchema, privateUseUriSchema, webUriSchema } from './uri.js';
-import { isLoopbackHost } from './utils.js';
-const SINGLE_SCOPE_RE = /^[\x21\x23-\x5B\x5D-\x7E]+$/;
-const singleScopeSchema = v.string().assert((input) => SINGLE_SCOPE_RE.test(input), `invalid OAuth scope`);
-const scopeSchema = v.union(
-	atprotoOAuthScopeSchema.chain((input) => {
-		const scopes = input.split(/\s+/);
-		for (let i = 0, len = scopes.length; i < len; i++) {
-			const aka = scopes[i];
-			for (let j = 0; j < i; j++) {
-				if (aka === scopes[j]) {
-					return v.err(`duplicate "${aka}" scope`);
-				}
-			}
-		}
-		return v.ok(input);
-	}),
-	v.array(singleScopeSchema).chain((input) => {
-		if (!input.includes('atproto')) {
-			input = ['atproto', ...input];
+import * as v from 'valibot';
+import { scopeSchema } from './atcute-client-shared.ts';
+import { oauthClientIdDiscoverableSchema } from './oauth-client-id-discoverable.ts';
+import { loopbackRedirectUriSchema, oauthRedirectUriSchema } from './oauth-redirect-uri.ts';
+import { nonLocalWebUriSchema, webUriSchema } from './uri.ts';
+const redirectUrisSchema = v.pipe(
+	v.array(oauthRedirectUriSchema),
+	v.minLength(1, `must have at least one redirect URI`),
+	v.checkItems((uri) => {
+		// private-use URIs don't have URL-style credentials
+		if (!uri.includes('://')) {
+			return true;
 		}
-		for (let i = 0, len = input.length; i < len; i++) {
-			const aka = input[i];
-			for (let j = 0; j < i; j++) {
-				if (aka === input[j]) {
-					return v.err(`duplicate "${aka}" scope`);
-				}
-			}
-		}
-		return v.ok(input);
-	}),
+		const url = new URL(uri);
+		return !url.username && !url.password;
+	}, `redirect URI must not contain credentials`),
 );
-const redirectUrisSchema = v
-	.array(oauthRedirectUriSchema)
-	.assert((arr) => arr.length > 0, `must have at least one redirect URI`)
-	.assert((arr) => {
-		for (const uri of arr) {
-			// private-use URIs don't have URL-style credentials
-			if (!uri.includes('://')) {
-				continue;
-			}
-			const url = new URL(uri);
-			if (url.username || url.password) {
-				return false;
-			}
-		}
-		return true;
-	}, `redirect URIs must not contain credentials`);
+const loopbackRedirectUrisSchema = v.pipe(
+	redirectUrisSchema,
+	v.checkItems(
+		(uri) => v.is(loopbackRedirectUriSchema, uri),
+		`loopback clients require loopback redirect URIs (127.0.0.1 or [::1])`,
+	),
+);
 /**
  * user-facing client metadata for configuring a loopback public OAuth client.
@@ -69,48 +33,24 @@ const redirectUrisSchema = v
  * `http://localhost` as the client_id origin, which is built automatically
  * from the redirect_uris and scope.
  */
-export const loopbackClientMetadataSchema = v
-	.object({
-		/** must not be provided for loopback clients */
-		client_id: v.undefined().optional(),
+export const loopbackClientMetadataSchema = v.looseObject({
+	/** must not be provided for loopback clients */
+	client_id: v.optional(v.undefined()),
-		/**
-		 * redirect URIs for authorization responses.
-		 *
-		 * must be loopback IP addresses (127.0.0.1 or [::1]).
-		 * per RFC 8252, port numbers are ignored during redirect URI matching,
-		 * allowing ephemeral ports.
-		 */
-		redirect_uris: redirectUrisSchema,
+	/**
+	 * redirect URIs for authorization responses.
+	 *
+	 * must be loopback IP addresses (127.0.0.1 or [::1]).
+	 * per RFC 8252, port numbers are ignored during redirect URI matching,
+	 * allowing ephemeral ports.
+	 */
+	redirect_uris: loopbackRedirectUrisSchema,
-		/** OAuth scope (must include "atproto") */
-		scope: scopeSchema,
-	})
-	.chain((input) => {
-		// validate all redirect URIs are loopback
-		for (let i = 0; i < input.redirect_uris.length; i++) {
-			const uri = input.redirect_uris[i];
-			const result = loopbackRedirectUriSchema.try(uri, { mode: 'strict' });
-			if (!result.ok) {
-				return v.err({
-					message: `loopback clients require loopback redirect URIs (127.0.0.1 or [::1]): ${result.message}`,
-					path: ['redirect_uris', i],
-				});
-			}
+	/** OAuth scope (must include "atproto") */
+	scope: scopeSchema,
+});
-			const url = new URL(uri);
-			if (!isLoopbackHost(url.hostname) || url.hostname === 'localhost') {
-				return v.err({
-					message: `loopback redirect URIs must use 127.0.0.1 or [::1], not ${url.hostname}`,
-					path: ['redirect_uris', i],
-				});
-			}
-		}
-		return v.ok(input);
-	});
-export type LoopbackClientMetadata = v.Infer<typeof loopbackClientMetadataSchema>;
+export type LoopbackClientMetadata = v.InferOutput<typeof loopbackClientMetadataSchema>;
 /**
  * user-facing client metadata for configuring a discoverable public OAuth client.
@@ -118,70 +58,34 @@ export type LoopbackClientMetadata = v.Infer<typeof loopbackClientMetadataSchema
  * discoverable public clients have an HTTPS client_id URL where metadata is hosted,
  * but don't use a keyset (token_endpoint_auth_method: 'none').
  */
-export const discoverablePublicClientMetadataSchema = v
-	.object({
-		/** discoverable HTTPS client_id URL */
-		client_id: oauthClientIdDiscoverableSchema,
-		/** redirect URIs for authorization responses */
-		redirect_uris: redirectUrisSchema,
-		/** OAuth scope (must include "atproto") */
-		scope: scopeSchema,
-		/**
-		 * application type - defaults to 'web'.
-		 */
-		application_type: v.union(v.literal('web'), v.literal('native')).optional(),
-		/** optional client homepage */
-		client_uri: webUriSchema.optional(),
-		/** optional display name */
-		client_name: v.string().optional(),
-		/** optional policy url */
-		policy_uri: nonLocalWebUriSchema.optional(),
-		/** optional terms of service url */
-		tos_uri: nonLocalWebUriSchema.optional(),
-		/** optional logo url */
-		logo_uri: nonLocalWebUriSchema.optional(),
-	})
-	.chain((input) => {
-		// validate redirect URIs are HTTPS, loopback, or private-use
-		for (let i = 0; i < input.redirect_uris.length; i++) {
-			const uri = input.redirect_uris[i];
-			// private-use URIs are allowed
-			if (!uri.includes('://')) {
-				const result = privateUseUriSchema.try(uri, { mode: 'strict' });
-				if (!result.ok) {
-					return v.err({
-						message: `invalid redirect URI: ${result.message}`,
-						path: ['redirect_uris', i],
-					});
-				}
-				continue;
-			}
-			const url = new URL(uri);
-			// loopback http URIs are allowed for native apps
-			if (url.protocol === 'http:' && isLoopbackHost(url.hostname)) {
-				continue;
-			}
-			// otherwise must be https
-			if (url.protocol !== 'https:') {
-				return v.err({
-					message: `redirect URI must use https:, http: loopback, or private-use scheme`,
-					path: ['redirect_uris', i],
-				});
-			}
-		}
-		return v.ok(input);
-	});
-export type DiscoverablePublicClientMetadata = v.Infer<typeof discoverablePublicClientMetadataSchema>;
+export const discoverablePublicClientMetadataSchema = v.looseObject({
+	/** discoverable HTTPS client_id URL */
+	client_id: oauthClientIdDiscoverableSchema,
+	/** redirect URIs for authorization responses */
+	redirect_uris: redirectUrisSchema,
+	/** OAuth scope (must include "atproto") */
+	scope: scopeSchema,
+	/**
+	 * application type - defaults to 'web'.
+	 */
+	application_type: v.optional(v.picklist(['web', 'native'])),
+	/** optional client homepage */
+	client_uri: v.optional(webUriSchema),
+	/** optional display name */
+	client_name: v.optional(v.string()),
+	/** optional policy url */
+	policy_uri: v.optional(nonLocalWebUriSchema),
+	/** optional terms of service url */
+	tos_uri: v.optional(nonLocalWebUriSchema),
+	/** optional logo url */
+	logo_uri: v.optional(nonLocalWebUriSchema),
+});
+export type DiscoverablePublicClientMetadata = v.InferOutput<typeof discoverablePublicClientMetadataSchema>;
 /**
  * user-facing client metadata for configuring a public OAuth client.
@@ -189,9 +93,9 @@ export type DiscoverablePublicClientMetadata = v.Infer<typeof discoverablePublic
  * - if `client_id` is omitted: loopback client (for localhost dev / CLI tools)
  * - if `client_id` is provided: discoverable public client (HTTPS URL)
  */
-export const publicClientMetadataSchema = v.union(
+export const publicClientMetadataSchema = v.union([
 	loopbackClientMetadataSchema,
 	discoverablePublicClientMetadataSchema,
-);
+]);
-export type PublicClientMetadata = v.Infer<typeof publicClientMetadataSchema>;
+export type PublicClientMetadata = v.InferOutput<typeof publicClientMetadataSchema>;

package/lib/schemas/atproto-authorization-server-metadata.ts CHANGED Viewed

@@ -1,32 +1,31 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
-import { oauthAuthorizationServerMetadataValidator } from './oauth-authorization-server-metadata.js';
+import { oauthAuthorizationServerMetadataValidator } from './oauth-authorization-server-metadata.ts';
 /**
  * AT Protocol authorization server metadata with required fields and assertions.
  *
  * @see {@link https://atproto.com/specs/oauth}
  */
-export const atprotoAuthorizationServerMetadataValidator = oauthAuthorizationServerMetadataValidator.chain(
-	(data) => {
-		// atproto requires client_id_metadata_document support
-		if (data.client_id_metadata_document_supported !== true) {
-			return v.err({
-				message: `atproto requires client_id_metadata_document_supported to be true`,
-				path: ['client_id_metadata_document_supported'],
-			});
-		}
-		// atproto requires PAR
-		if (!data.pushed_authorization_request_endpoint) {
-			return v.err({
-				message: `atproto requires pushed_authorization_request_endpoint to be true`,
-				path: ['pushed_authorization_request_endpoint'],
-			});
-		}
-		return v.ok(data as typeof data & { pushed_authorization_request_endpoint: string });
-	},
+export const atprotoAuthorizationServerMetadataValidator = v.pipe(
+	oauthAuthorizationServerMetadataValidator,
+	v.forward(
+		v.check(
+			(data) => data.client_id_metadata_document_supported === true,
+			`atproto requires client_id_metadata_document_supported to be true`,
+		),
+		['client_id_metadata_document_supported'],
+	),
+	v.forward(
+		v.check(
+			(data) => !!data.pushed_authorization_request_endpoint,
+			`atproto requires pushed_authorization_request_endpoint to be true`,
+		),
+		['pushed_authorization_request_endpoint'],
+	),
+	v.transform((data) => data as typeof data & { pushed_authorization_request_endpoint: string }),
 );
-export type AtprotoAuthorizationServerMetadata = v.Infer<typeof atprotoAuthorizationServerMetadataValidator>;
+export type AtprotoAuthorizationServerMetadata = v.InferOutput<
+	typeof atprotoAuthorizationServerMetadataValidator
+>;

package/lib/schemas/atproto-oauth-scope.ts CHANGED Viewed

@@ -1,7 +1,7 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
-import { isOAuthScope } from './oauth-scope.js';
-import { isSpaceSeparatedValue } from './utils.js';
+import { isOAuthScope } from './oauth-scope.ts';
+import { isSpaceSeparatedValue } from './utils.ts';
 export const ATPROTO_SCOPE_VALUE = 'atproto';
@@ -10,9 +10,12 @@ const isAtprotoOAuthScope = (input: string): boolean => {
 };
 /** atproto OAuth scope (must include "atproto") */
-export const atprotoOAuthScopeSchema = v.string().assert(isAtprotoOAuthScope, `invalid atproto OAuth scope`);
+export const atprotoOAuthScopeSchema = v.pipe(
+	v.string(),
+	v.check(isAtprotoOAuthScope, `invalid atproto OAuth scope`),
+);
-export type AtprotoOAuthScope = v.Infer<typeof atprotoOAuthScopeSchema>;
+export type AtprotoOAuthScope = v.InferOutput<typeof atprotoOAuthScopeSchema>;
 /** default scope is for reading identity (did) only */
 export const DEFAULT_ATPROTO_OAUTH_SCOPE: AtprotoOAuthScope = ATPROTO_SCOPE_VALUE;

package/lib/schemas/atproto-oauth-token-response.ts CHANGED Viewed

@@ -1,20 +1,21 @@
 import { isAtprotoDid } from '@atcute/identity';
+import type { Did } from '@atcute/lexicons/syntax';
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
-import { atprotoOAuthScopeSchema } from './atproto-oauth-scope.js';
-import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.js';
+import { atprotoOAuthScopeSchema } from './atproto-oauth-scope.ts';
+import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.ts';
-export const atprotoOAuthTokenResponseSchema = v.object({
+export const atprotoOAuthTokenResponseSchema = v.looseObject({
 	access_token: v.string(),
 	token_type: v.literal('DPoP'),
-	sub: v.string().assert(isAtprotoDid, `must be a did:plc or did:web`),
+	sub: v.custom<Did>(isAtprotoDid, `must be a did:plc or did:web`),
 	scope: atprotoOAuthScopeSchema,
-	refresh_token: v.string().optional(),
-	expires_in: v.number().optional(),
+	refresh_token: v.optional(v.string()),
+	expires_in: v.optional(v.number()),
 	// https://datatracker.ietf.org/doc/html/rfc9396#name-enriched-authorization-deta
-	authorization_details: oauthAuthorizationDetailsSchema.optional(),
+	authorization_details: v.optional(oauthAuthorizationDetailsSchema),
 	// OpenID is not compatible with atproto identities
 });
-export type AtprotoOAuthTokenResponse = v.Infer<typeof atprotoOAuthTokenResponseSchema>;
+export type AtprotoOAuthTokenResponse = v.InferOutput<typeof atprotoOAuthTokenResponseSchema>;

package/lib/schemas/atproto-protected-resource-metadata.ts CHANGED Viewed

@@ -1,24 +1,24 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
-import { oauthProtectedResourceMetadataValidator } from './oauth-protected-resource-metadata.js';
+import { oauthProtectedResourceMetadataValidator } from './oauth-protected-resource-metadata.ts';
 /**
  * AT Protocol protected resource metadata with required fields.
  *
  * @see {@link https://atproto.com/specs/oauth}
  */
-export const atprotoProtectedResourceMetadataValidator = oauthProtectedResourceMetadataValidator.chain(
-	(data) => {
-		// atproto requires exactly one authorization server
-		if (data.authorization_servers?.length !== 1) {
-			return v.err({
-				message: `atproto requires exactly one authorization server`,
-				path: ['authorization_servers'],
-			});
-		}
-		return v.ok(data as typeof data & { authorization_servers: [string] });
-	},
+export const atprotoProtectedResourceMetadataValidator = v.pipe(
+	oauthProtectedResourceMetadataValidator,
+	v.forward(
+		v.check(
+			(data) => data.authorization_servers?.length === 1,
+			`atproto requires exactly one authorization server`,
+		),
+		['authorization_servers'],
+	),
+	v.transform((data) => data as typeof data & { authorization_servers: [string] }),
 );
-export type AtprotoProtectedResourceMetadata = v.Infer<typeof atprotoProtectedResourceMetadataValidator>;
+export type AtprotoProtectedResourceMetadata = v.InferOutput<
+	typeof atprotoProtectedResourceMetadataValidator
+>;