@atcute/oauth-types 0.1.1 → 1.0.0

package/lib/schemas/oauth-client-id-discoverable.ts

@@ -1,53 +1,48 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { oauthClientIdSchema } from './oauth-client-id.js';
-import { httpsUriSchema } from './uri.js';
-import { extractUrlPath, isHostnameIP } from './utils.js';
+import { oauthClientIdSchema } from './oauth-client-id.ts';
+import { httpsUriSchema } from './uri.ts';
+import { extractUrlPath, isHostnameIP } from './utils.ts';
 
 /**
  * @see {@link https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html}
  */
-export const oauthClientIdDiscoverableSchema = v.string().chain((input, options) => {
-	// first validate as base client ID
-	const clientIdResult = oauthClientIdSchema.try(input, options);
-	if (!clientIdResult.ok) {
-		return clientIdResult;
-	}
-
-	// then validate as https URI
-	const httpsResult = httpsUriSchema.try(input, options);
-	if (!httpsResult.ok) {
-		return httpsResult;
-	}
-
-	const url = new URL(input);
-
-	if (url.username || url.password) {
-		return v.err(`client ID must not contain credentials`);
-	}
-
-	if (url.hash) {
-		return v.err(`client ID must not contain a fragment`);
-	}
-
-	if (url.pathname === '/') {
-		return v.err(`client ID must contain a path component (e.g. "/client-metadata.json")`);
-	}
-
-	if (url.pathname.endsWith('/')) {
-		return v.err(`client ID path must not end with a trailing slash`);
-	}
-
-	if (isHostnameIP(url.hostname)) {
-		return v.err(`client ID hostname must not be an IP address`);
-	}
-
-	// URL constructor normalizes the URL, so we extract the path manually to
-	// avoid normalization, then compare it to the normalized path to ensure
-	// that the URL does not contain path traversal or other unexpected characters
-	if (extractUrlPath(input) !== url.pathname) {
-		return v.err(`client ID must be in canonical form ("${url.href}", got "${input}")`);
-	}
-
-	return v.ok(input);
-});
+export const oauthClientIdDiscoverableSchema = v.pipe(
+	oauthClientIdSchema,
+	httpsUriSchema,
+	v.rawCheck(({ dataset, addIssue }) => {
+		if (!dataset.typed) {
+			return;
+		}
+		const input = dataset.value;
+		const url = new URL(input);
+
+		if (url.username || url.password) {
+			addIssue({ message: `client ID must not contain credentials` });
+			return;
+		}
+		if (url.hash) {
+			addIssue({ message: `client ID must not contain a fragment` });
+			return;
+		}
+		if (url.pathname === '/') {
+			addIssue({ message: `client ID must contain a path component (e.g. "/client-metadata.json")` });
+			return;
+		}
+		if (url.pathname.endsWith('/')) {
+			addIssue({ message: `client ID path must not end with a trailing slash` });
+			return;
+		}
+		if (isHostnameIP(url.hostname)) {
+			addIssue({ message: `client ID hostname must not be an IP address` });
+			return;
+		}
+
+		// URL constructor normalizes the URL, so we extract the path manually to avoid
+		// normalization, then compare it to the normalized path to ensure that the URL does not
+		// contain path traversal or other unexpected characters
+		if (extractUrlPath(input) !== url.pathname) {
+			addIssue({ message: `client ID must be in canonical form ("${url.href}", got "${input}")` });
+		}
+	}),
+);

package/lib/schemas/oauth-client-id.ts

@@ -1,6 +1,6 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
 /** base OAuth client ID (any non-empty string) */
-export const oauthClientIdSchema = v.string().assert((input) => input.length > 0, `must not be empty`);
+export const oauthClientIdSchema = v.pipe(v.string(), v.nonEmpty(`must not be empty`));
 
-export type OAuthClientId = v.Infer<typeof oauthClientIdSchema>;
+export type OAuthClientId = v.InferOutput<typeof oauthClientIdSchema>;

package/lib/schemas/oauth-client-metadata.ts

@@ -1,17 +1,17 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { jwksPubSchema } from './jwks.js';
-import { oauthClientIdSchema } from './oauth-client-id.js';
-import { oauthEndpointAuthMethodSchema } from './oauth-endpoint-auth-method.js';
-import { oauthGrantTypeSchema } from './oauth-grant-type.js';
-import { oauthRedirectUriSchema } from './oauth-redirect-uri.js';
-import { oauthResponseTypeSchema } from './oauth-response-type.js';
-import { oauthScopeSchema } from './oauth-scope.js';
-import { webUriSchema } from './uri.js';
+import { jwksPubSchema } from './jwks.ts';
+import { oauthClientIdSchema } from './oauth-client-id.ts';
+import { oauthEndpointAuthMethodSchema } from './oauth-endpoint-auth-method.ts';
+import { oauthGrantTypeSchema } from './oauth-grant-type.ts';
+import { oauthRedirectUriSchema } from './oauth-redirect-uri.ts';
+import { oauthResponseTypeSchema } from './oauth-response-type.ts';
+import { oauthScopeSchema } from './oauth-scope.ts';
+import { webUriSchema } from './uri.ts';
 
-const oauthApplicationTypeSchema = v.union(v.literal('web'), v.literal('native'));
+const oauthApplicationTypeSchema = v.picklist(['web', 'native']);
 
-const oauthSubjectTypeSchema = v.union(v.literal('public'), v.literal('pairwise'));
+const oauthSubjectTypeSchema = v.picklist(['public', 'pairwise']);
 
 // simple email validation
 const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
@@ -22,44 +22,40 @@ const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  * @see {@link https://openid.net/specs/openid-connect-registration-1_0.html}
  * @see {@link https://datatracker.ietf.org/doc/html/rfc7591}
  */
-export const oauthClientMetadataSchema = v.object({
+export const oauthClientMetadataSchema = v.looseObject({
 	// https://www.rfc-editor.org/rfc/rfc7591.html#section-2
-	redirect_uris: v
-		.array(oauthRedirectUriSchema)
-		.assert((arr) => arr.length > 0, `must have at least one redirect URI`),
-	response_types: v.array(oauthResponseTypeSchema).optional(),
+	redirect_uris: v.pipe(
+		v.array(oauthRedirectUriSchema),
+		v.minLength(1, `must have at least one redirect URI`),
+	),
+	response_types: v.optional(v.array(oauthResponseTypeSchema)),
 	// > If omitted, the default is that the client will use only the "code"
 	// > response type.
-	// .optional((): OAuthResponseType[] => ['code'])
-	grant_types: v.array(oauthGrantTypeSchema).optional(),
+	grant_types: v.optional(v.array(oauthGrantTypeSchema)),
 	// > If omitted, the default behavior is that the client will use only the
 	// > "authorization_code" Grant Type.
-	// .optional((): OAuthGrantType[] => ['authorization_code']),
-	scope: oauthScopeSchema.optional(),
+	scope: v.optional(oauthScopeSchema),
 	// https://www.rfc-editor.org/rfc/rfc7591.html#section-2
-	token_endpoint_auth_method: oauthEndpointAuthMethodSchema.optional(),
+	token_endpoint_auth_method: v.optional(oauthEndpointAuthMethodSchema),
 	// > If unspecified or omitted, the default is "client_secret_basic" [...].
-	// .optional((): OAuthEndpointAuthMethod => 'client_secret_basic'),
-	token_endpoint_auth_signing_alg: v.string().optional(),
-	userinfo_signed_response_alg: v.string().optional(),
-	userinfo_encrypted_response_alg: v.string().optional(),
-	jwks_uri: webUriSchema.optional(),
-	jwks: jwksPubSchema.optional(),
-	application_type: oauthApplicationTypeSchema.optional(),
-	// .optional((): OAuthApplicationType => 'web'),
-	subject_type: oauthSubjectTypeSchema.optional(),
-	// .optional((): OAuthSubjectType => 'public'),
-	request_object_signing_alg: v.string().optional(),
-	id_token_signed_response_alg: v.string().optional(),
-	authorization_signed_response_alg: v.string().optional(),
-	authorization_encrypted_response_enc: v.literal('A128CBC-HS256').optional(),
-	authorization_encrypted_response_alg: v.string().optional(),
-	client_id: oauthClientIdSchema.optional(),
-	client_name: v.string().optional(),
-	client_uri: webUriSchema.optional(),
-	policy_uri: webUriSchema.optional(),
-	tos_uri: webUriSchema.optional(),
-	logo_uri: webUriSchema.optional(),
+	token_endpoint_auth_signing_alg: v.optional(v.string()),
+	userinfo_signed_response_alg: v.optional(v.string()),
+	userinfo_encrypted_response_alg: v.optional(v.string()),
+	jwks_uri: v.optional(webUriSchema),
+	jwks: v.optional(jwksPubSchema),
+	application_type: v.optional(oauthApplicationTypeSchema),
+	subject_type: v.optional(oauthSubjectTypeSchema),
+	request_object_signing_alg: v.optional(v.string()),
+	id_token_signed_response_alg: v.optional(v.string()),
+	authorization_signed_response_alg: v.optional(v.string()),
+	authorization_encrypted_response_enc: v.optional(v.literal('A128CBC-HS256')),
+	authorization_encrypted_response_alg: v.optional(v.string()),
+	client_id: v.optional(oauthClientIdSchema),
+	client_name: v.optional(v.string()),
+	client_uri: v.optional(webUriSchema),
+	policy_uri: v.optional(webUriSchema),
+	tos_uri: v.optional(webUriSchema),
+	logo_uri: v.optional(webUriSchema),
 
 	/**
 	 * default Maximum Authentication Age. specifies that the End-User MUST be
@@ -68,16 +64,16 @@ export const oauthClientMetadataSchema = v.object({
 	 * this default value. if omitted, no default Maximum Authentication Age is
 	 * specified.
 	 */
-	default_max_age: v.number().optional(),
-	require_auth_time: v.boolean().optional(),
-	contacts: v.array(v.string().assert((s) => EMAIL_RE.test(s), `must be a valid email`)).optional(),
-	tls_client_certificate_bound_access_tokens: v.boolean().optional(),
+	default_max_age: v.optional(v.number()),
+	require_auth_time: v.optional(v.boolean()),
+	contacts: v.optional(v.array(v.pipe(v.string(), v.regex(EMAIL_RE, `must be a valid email`)))),
+	tls_client_certificate_bound_access_tokens: v.optional(v.boolean()),
 
 	// https://datatracker.ietf.org/doc/html/rfc9449#section-5.2
-	dpop_bound_access_tokens: v.boolean().optional(),
+	dpop_bound_access_tokens: v.optional(v.boolean()),
 
 	// https://datatracker.ietf.org/doc/html/rfc9396#section-14.5
-	authorization_details_types: v.array(v.string()).optional(),
+	authorization_details_types: v.optional(v.array(v.string())),
 });
 
-export type OAuthClientMetadata = v.Infer<typeof oauthClientMetadataSchema>;
+export type OAuthClientMetadata = v.InferOutput<typeof oauthClientMetadataSchema>;

package/lib/schemas/oauth-code-challenge-method.ts

@@ -1,5 +1,5 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-export const oauthCodeChallengeMethodSchema = v.union(v.literal('S256'), v.literal('plain'));
+export const oauthCodeChallengeMethodSchema = v.picklist(['S256', 'plain']);
 
-export type OAuthCodeChallengeMethod = v.Infer<typeof oauthCodeChallengeMethodSchema>;
+export type OAuthCodeChallengeMethod = v.InferOutput<typeof oauthCodeChallengeMethodSchema>;

package/lib/schemas/oauth-endpoint-auth-method.ts

@@ -1,13 +1,13 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-export const oauthEndpointAuthMethodSchema = v.union(
-	v.literal('client_secret_basic'),
-	v.literal('client_secret_jwt'),
-	v.literal('client_secret_post'),
-	v.literal('none'),
-	v.literal('private_key_jwt'),
-	v.literal('self_signed_tls_client_auth'),
-	v.literal('tls_client_auth'),
-);
+export const oauthEndpointAuthMethodSchema = v.picklist([
+	'client_secret_basic',
+	'client_secret_jwt',
+	'client_secret_post',
+	'none',
+	'private_key_jwt',
+	'self_signed_tls_client_auth',
+	'tls_client_auth',
+]);
 
-export type OAuthEndpointAuthMethod = v.Infer<typeof oauthEndpointAuthMethodSchema>;
+export type OAuthEndpointAuthMethod = v.InferOutput<typeof oauthEndpointAuthMethodSchema>;

package/lib/schemas/oauth-grant-type.ts

@@ -1,13 +1,13 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-export const oauthGrantTypeSchema = v.union(
-	v.literal('authorization_code'),
-	v.literal('implicit'),
-	v.literal('refresh_token'),
-	v.literal('password'), // not part of OAuth 2.1
-	v.literal('client_credentials'),
-	v.literal('urn:ietf:params:oauth:grant-type:jwt-bearer'),
-	v.literal('urn:ietf:params:oauth:grant-type:saml2-bearer'),
-);
+export const oauthGrantTypeSchema = v.picklist([
+	'authorization_code',
+	'implicit',
+	'refresh_token',
+	'password', // not part of OAuth 2.1
+	'client_credentials',
+	'urn:ietf:params:oauth:grant-type:jwt-bearer',
+	'urn:ietf:params:oauth:grant-type:saml2-bearer',
+]);
 
-export type OAuthGrantType = v.Infer<typeof oauthGrantTypeSchema>;
+export type OAuthGrantType = v.InferOutput<typeof oauthGrantTypeSchema>;

package/lib/schemas/oauth-issuer-identifier.ts

@@ -1,30 +1,38 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { webUriSchema } from './uri.js';
+import { webUriSchema } from './uri.ts';
 
-export const oauthIssuerIdentifierSchema = webUriSchema.chain((input) => {
+export const oauthIssuerIdentifierSchema = v.pipe(
+	webUriSchema,
 	// validate the issuer (MIX-UP attacks)
-
-	if (input.endsWith('/')) {
-		return v.err(`issuer URL must not end with a slash`);
-	}
-
-	const url = new URL(input);
-
-	if (url.username || url.password) {
-		return v.err(`issuer URL must not contain a username or password`);
-	}
-
-	if (url.hash || url.search) {
-		return v.err(`issuer URL must not contain a query or fragment`);
-	}
-
-	const canonicalValue = url.pathname === '/' ? url.origin : url.href;
-	if (input !== canonicalValue) {
-		return v.err(`issuer URL must be in the canonical form`);
-	}
-
-	return v.ok(input);
-});
-
-export type OAuthIssuerIdentifier = v.Infer<typeof oauthIssuerIdentifierSchema>;
+	v.rawCheck(({ dataset, addIssue }) => {
+		if (!dataset.typed) {
+			return;
+		}
+		const input = dataset.value;
+
+		if (input.endsWith('/')) {
+			addIssue({ message: `issuer URL must not end with a slash` });
+			return;
+		}
+
+		const url = new URL(input);
+
+		if (url.username || url.password) {
+			addIssue({ message: `issuer URL must not contain a username or password` });
+			return;
+		}
+
+		if (url.hash || url.search) {
+			addIssue({ message: `issuer URL must not contain a query or fragment` });
+			return;
+		}
+
+		const canonicalValue = url.pathname === '/' ? url.origin : url.href;
+		if (input !== canonicalValue) {
+			addIssue({ message: `issuer URL must be in the canonical form` });
+		}
+	}),
+);
+
+export type OAuthIssuerIdentifier = v.InferOutput<typeof oauthIssuerIdentifierSchema>;

package/lib/schemas/oauth-par-response.ts

@@ -1,10 +1,10 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
 const isPositiveInteger = (n: number): boolean => Number.isInteger(n) && n > 0;
 
-export const oauthParResponseSchema = v.object({
+export const oauthParResponseSchema = v.looseObject({
 	request_uri: v.string(),
-	expires_in: v.number().assert(isPositiveInteger, `must be a positive integer`),
+	expires_in: v.pipe(v.number(), v.check(isPositiveInteger, `must be a positive integer`)),
 });
 
-export type OAuthParResponse = v.Infer<typeof oauthParResponseSchema>;
+export type OAuthParResponse = v.InferOutput<typeof oauthParResponseSchema>;

package/lib/schemas/oauth-prompt.ts

@@ -1,4 +1,4 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
 /**
  * OAuth prompt mode values.
@@ -9,12 +9,6 @@ import * as v from '@badrap/valita';
  * - `select_account`: force account selection
  * - `create`: force user registration screen
  */
-export const oauthPromptSchema = v.union(
-	v.literal('none'),
-	v.literal('login'),
-	v.literal('consent'),
-	v.literal('select_account'),
-	v.literal('create'),
-);
+export const oauthPromptSchema = v.picklist(['none', 'login', 'consent', 'select_account', 'create']);
 
-export type OAuthPrompt = v.Infer<typeof oauthPromptSchema>;
+export type OAuthPrompt = v.InferOutput<typeof oauthPromptSchema>;

package/lib/schemas/oauth-protected-resource-metadata.ts

@@ -1,16 +1,16 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { oauthIssuerIdentifierSchema } from './oauth-issuer-identifier.js';
-import { webUriSchema } from './uri.js';
+import { oauthIssuerIdentifierSchema } from './oauth-issuer-identifier.ts';
+import { webUriSchema } from './uri.ts';
 
-export const oauthBearerMethodSchema = v.union(v.literal('header'), v.literal('body'), v.literal('query'));
+export const oauthBearerMethodSchema = v.picklist(['header', 'body', 'query']);
 
-export type OAuthBearerMethod = v.Infer<typeof oauthBearerMethodSchema>;
+export type OAuthBearerMethod = v.InferOutput<typeof oauthBearerMethodSchema>;
 
 /**
  * @see {@link https://www.rfc-editor.org/rfc/rfc9728.html#section-3.2}
  */
-export const oauthProtectedResourceMetadataSchema = v.object({
+export const oauthProtectedResourceMetadataSchema = v.looseObject({
 	/**
 	 * REQUIRED. the protected resource's resource identifier, which is a URL that
 	 * uses the https scheme and has no query or fragment components.
@@ -22,68 +22,59 @@ export const oauthProtectedResourceMetadataSchema = v.object({
 	 * identifiers, as defined in RFC8414, for authorization servers that can be
 	 * used with this protected resource.
 	 */
-	authorization_servers: v.array(oauthIssuerIdentifierSchema).optional(),
+	authorization_servers: v.optional(v.array(oauthIssuerIdentifierSchema)),
 
 	/**
 	 * OPTIONAL. URL of the protected resource's JWK Set document.
 	 */
-	jwks_uri: webUriSchema.optional(),
+	jwks_uri: v.optional(webUriSchema),
 
 	/**
 	 * RECOMMENDED. JSON array containing a list of the OAuth 2.0 scope values that
 	 * are used in authorization requests to request access to this protected resource.
 	 */
-	scopes_supported: v.array(v.string()).optional(),
+	scopes_supported: v.optional(v.array(v.string())),
 
 	/**
 	 * OPTIONAL. JSON array containing a list of the supported methods of sending
 	 * an OAuth 2.0 Bearer Token to the protected resource.
 	 */
-	bearer_methods_supported: v.array(oauthBearerMethodSchema).optional(),
+	bearer_methods_supported: v.optional(v.array(oauthBearerMethodSchema)),
 
 	/**
 	 * OPTIONAL. JSON array containing a list of the JWS signing algorithms
 	 * supported by the protected resource for signing resource responses.
 	 */
-	resource_signing_alg_values_supported: v.array(v.string()).optional(),
+	resource_signing_alg_values_supported: v.optional(v.array(v.string())),
 
 	/**
 	 * OPTIONAL. URL of a page containing human-readable information that
 	 * developers might want or need to know when using the protected resource.
 	 */
-	resource_documentation: webUriSchema.optional(),
+	resource_documentation: v.optional(webUriSchema),
 
 	/**
 	 * OPTIONAL. URL that the protected resource provides to read about the
 	 * protected resource's requirements on how the client can use the data.
 	 */
-	resource_policy_uri: webUriSchema.optional(),
+	resource_policy_uri: v.optional(webUriSchema),
 
 	/**
 	 * OPTIONAL. URL that the protected resource provides to read about the
 	 * protected resource's terms of service.
 	 */
-	resource_tos_uri: webUriSchema.optional(),
+	resource_tos_uri: v.optional(webUriSchema),
 });
 
-export const oauthProtectedResourceMetadataValidator = oauthProtectedResourceMetadataSchema.chain((data) => {
-	const url = new URL(data.resource);
-
-	if (url.search) {
-		return v.err({
-			message: `resource URL must not contain query parameters`,
-			path: ['resource'],
-		});
-	}
-
-	if (url.hash) {
-		return v.err({
-			message: `resource URL must not contain a fragment`,
-			path: ['resource'],
-		});
-	}
-
-	return v.ok(data);
-});
-
-export type OAuthProtectedResourceMetadata = v.Infer<typeof oauthProtectedResourceMetadataSchema>;
+export const oauthProtectedResourceMetadataValidator = v.pipe(
+	oauthProtectedResourceMetadataSchema,
+	v.forward(
+		v.check((data) => {
+			const url = new URL(data.resource);
+			return !url.search && !url.hash;
+		}, `resource URL must not contain query parameters or a fragment`),
+		['resource'],
+	),
+);
+
+export type OAuthProtectedResourceMetadata = v.InferOutput<typeof oauthProtectedResourceMetadataSchema>;

package/lib/schemas/oauth-redirect-uri.ts

@@ -1,6 +1,6 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { httpsUriSchema, loopbackUriSchema, privateUseUriSchema } from './uri.js';
+import { httpsUriSchema, loopbackUriSchema, privateUseUriSchema } from './uri.ts';
 
 /**
  * this is a loopback URI with the additional restriction that the hostname
@@ -16,27 +16,19 @@ import { httpsUriSchema, loopbackUriSchema, privateUseUriSchema } from './uri.js
  * > than the loopback interface. It is also less susceptible to client-side
  * > firewalls and misconfigured host name resolution on the user's device.
  */
-export const loopbackRedirectUriSchema = loopbackUriSchema.chain((input) => {
-	if (input.startsWith('http://localhost')) {
-		return v.err(
-			`use of "localhost" hostname is not allowed (RFC 8252), use a loopback IP such as "127.0.0.1" instead`,
-		);
-	}
-	return v.ok(input);
-});
+export const loopbackRedirectUriSchema = v.pipe(
+	loopbackUriSchema,
+	v.check(
+		(input) => !input.startsWith('http://localhost'),
+		`use of "localhost" hostname is not allowed (RFC 8252), use a loopback IP such as "127.0.0.1" instead`,
+	),
+);
 
-export type LoopbackRedirectUri = v.Infer<typeof loopbackRedirectUriSchema>;
+export type LoopbackRedirectUri = v.InferOutput<typeof loopbackRedirectUriSchema>;
 
-export const oauthRedirectUriSchema = v.string().chain((input, options) => {
-	if (input.startsWith('http://')) {
-		return loopbackRedirectUriSchema.try(input, options);
-	}
+export const oauthRedirectUriSchema = v.union(
+	[loopbackRedirectUriSchema, httpsUriSchema, privateUseUriSchema],
+	`url must use http: loopback, https:, or a private-use scheme`,
+);
 
-	if (input.startsWith('https://')) {
-		return httpsUriSchema.try(input, options);
-	}
-
-	return privateUseUriSchema.try(input, options);
-});
-
-export type OAuthRedirectUri = v.Infer<typeof oauthRedirectUriSchema>;
+export type OAuthRedirectUri = v.InferOutput<typeof oauthRedirectUriSchema>;

package/lib/schemas/oauth-response-mode.ts

@@ -1,9 +1,5 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-export const oauthResponseModeSchema = v.union(
-	v.literal('query'),
-	v.literal('fragment'),
-	v.literal('form_post'),
-);
+export const oauthResponseModeSchema = v.picklist(['query', 'fragment', 'form_post']);
 
-export type OAuthResponseMode = v.Infer<typeof oauthResponseModeSchema>;
+export type OAuthResponseMode = v.InferOutput<typeof oauthResponseModeSchema>;

package/lib/schemas/oauth-response-type.ts

@@ -1,17 +1,17 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-export const oauthResponseTypeSchema = v.union(
+export const oauthResponseTypeSchema = v.picklist([
 	// OAuth2 (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-4.1.1)
-	v.literal('code'), // Authorization Code Grant
-	v.literal('token'), // Implicit Grant
+	'code', // Authorization Code Grant
+	'token', // Implicit Grant
 
 	// OIDC (https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)
-	v.literal('none'),
-	v.literal('code id_token token'),
-	v.literal('code id_token'),
-	v.literal('code token'),
-	v.literal('id_token token'),
-	v.literal('id_token'),
-);
+	'none',
+	'code id_token token',
+	'code id_token',
+	'code token',
+	'id_token token',
+	'id_token',
+]);
 
-export type OAuthResponseType = v.Infer<typeof oauthResponseTypeSchema>;
+export type OAuthResponseType = v.InferOutput<typeof oauthResponseTypeSchema>;

package/lib/schemas/oauth-scope.ts

@@ -1,4 +1,4 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
 // scope       = scope-token *( SP scope-token )
 // scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
@@ -13,6 +13,6 @@ export const isOAuthScope = (input: string): boolean => OAUTH_SCOPE_REGEXP.test(
  *
  * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-1.4.1}
  */
-export const oauthScopeSchema = v.string().assert(isOAuthScope, `invalid OAuth scope`);
+export const oauthScopeSchema = v.pipe(v.string(), v.check(isOAuthScope, `invalid OAuth scope`));
 
-export type OAuthScope = v.Infer<typeof oauthScopeSchema>;
+export type OAuthScope = v.InferOutput<typeof oauthScopeSchema>;