@atcute/xrpc-server 0.1.12 → 2.0.0

package/README.md

@@ -135,7 +135,7 @@ router.addQuery(ComExampleGetPost, {
 
 		const post = await db.getPost(params.uri);
 		if (!post) {
-			throw new XRPCError({ status: 400, error: 'InvalidRequest', description: `post not found` });
+			throw new XRPCError({ status: 400, error: 'InvalidRequest', message: `post not found` });
 		}
 
 		return json(post);
@@ -147,6 +147,50 @@ convenience subclasses are also available: `InvalidRequestError`, `AuthRequiredE
 `ForbiddenError`, `RateLimitExceededError`, `InternalServerError`, `UpstreamFailureError`,
 `NotEnoughResourcesError`, `UpstreamTimeoutError`.
 
+`AuthRequiredError` accepts a `wwwAuthenticate` option that auto-formats an RFC 7235
+`WWW-Authenticate` header on the response (and appends `access-control-expose-headers` so browsers
+can read it from CORS responses):
+
+```ts
+import { AuthRequiredError } from '@atcute/xrpc-server';
+
+throw new AuthRequiredError({
+	message: 'invalid token',
+	wwwAuthenticate: { scheme: 'Bearer', params: { error: 'BadJwtSignature' } },
+});
+```
+
+### observing errors
+
+for logs or metrics, use the `onError` / `onSocketError` router options. these are fire-and-forget
+hooks invoked alongside response generation, and they are NOT called for client-induced errors
+(aborted requests, `XRPCError`, `XRPCSubscriptionError`) — only for bugs worth reporting:
+
+```ts
+const router = new XRPCRouter({
+	onError({ error, request }) {
+		reportToSentry(error, { url: request.url });
+	},
+	onSocketError({ error, request }) {
+		reportToSentry(error, { url: request.url, subscription: true });
+	},
+});
+```
+
+### health check
+
+the router can optionally answer `/xrpc/_health` if you pass `handleHealthCheck`. this endpoint is
+non-standard — consumers decide the response shape and status.
+
+```ts
+const router = new XRPCRouter({
+	async handleHealthCheck() {
+		const healthy = await pingDatabase();
+		return Response.json({ status: healthy ? 'ok' : 'degraded' }, { status: healthy ? 200 : 503 });
+	},
+});
+```
+
 ### subscriptions
 
 subscriptions provide real-time streaming over WebSocket. they require a runtime-specific adapter:
@@ -201,7 +245,7 @@ router.addSubscription(ComExampleSubscribe, {
 		if (params.cursor && isCursorTooOld(params.cursor)) {
 			throw new XRPCSubscriptionError({
 				error: 'FutureCursor',
-				description: `cursor is too old`,
+				message: `cursor is too old`,
 			});
 		}
 
@@ -210,6 +254,11 @@ router.addSubscription(ComExampleSubscribe, {
 });
 ```
 
+backpressure is handled per adapter: each adapter's `create*WebSocket()` factory accepts
+`highWaterMark` / `lowWaterMark` options (default 250 KB / 50 KB) that throttle the send loop when
+the outgoing buffer grows. the Cloudflare Workers adapter does not apply backpressure — the runtime
+does not expose the outgoing WebSocket buffer.
+
 ### service authentication
 
 the `@atcute/xrpc-server/auth` subpackage provides utilities for service-to-service authentication
@@ -218,8 +267,7 @@ using JWTs.
 verifying incoming JWTs:
 
 ```ts
-import { AuthRequiredError } from '@atcute/xrpc-server';
-import { ServiceJwtVerifier, type VerifiedJwt } from '@atcute/xrpc-server/auth';
+import { ServiceJwtVerifier } from '@atcute/xrpc-server/auth';
 import {
 	CompositeDidDocumentResolver,
 	PlcDidDocumentResolver,
@@ -227,7 +275,10 @@ import {
 } from '@atcute/identity-resolver';
 
 const jwtVerifier = new ServiceJwtVerifier({
-	serviceDid: 'did:web:my-service.example.com',
+	// list of audience values this service accepts. during the transition to proposal 0014
+	// (atproto service auth audience), configure both the bare DID and the DID-with-service-ref
+	// form so that tokens from older issuers keep working alongside new ones.
+	acceptAudiences: ['did:web:my-service.example.com', 'did:web:my-service.example.com#atproto_pds'],
 	resolver: new CompositeDidDocumentResolver({
 		methods: {
 			plc: new PlcDidDocumentResolver(),
@@ -236,28 +287,38 @@ const jwtVerifier = new ServiceJwtVerifier({
 	}),
 });
 
-const verifyServiceAuth = async (request: Request, lxm: string): Promise<VerifiedJwt> => {
-	const authHeader = request.headers.get('authorization');
-	if (!authHeader?.startsWith('Bearer ')) {
-		throw new AuthRequiredError({ description: `missing or invalid authorization header` });
-	}
-
-	const result = await jwtVerifier.verify(authHeader.slice(7), { lxm });
-	if (!result.ok) {
-		throw new AuthRequiredError({ description: result.error.description });
-	}
-
-	return result.value;
-};
-
 router.addQuery(ComExampleProtectedEndpoint, {
 	async handler({ request }) {
-		const auth = await verifyServiceAuth(request, 'com.example.protectedEndpoint');
+		const auth = await jwtVerifier.verifyRequest(request, { lxm: 'com.example.protectedEndpoint' });
 		return json({ caller: auth.issuer });
 	},
 });
 ```
 
+`verifyRequest` parses the `Authorization: Bearer` header, verifies the token, and throws an
+`AuthRequiredError` with a populated `WWW-Authenticate: Bearer error="…"` challenge on every failure
+path. it forwards `request.signal` into DID resolution so aborted requests don't keep network calls
+alive.
+
+additional options tune verification:
+
+```ts
+const jwtVerifier = new ServiceJwtVerifier({
+	acceptAudiences: [...],
+	resolver: ...,
+	maxAge: 300,       // max token lifetime window in seconds (default 300)
+	clockLeeway: 5,    // leeway applied to nbf/exp comparisons (default 5)
+	replayStore: {     // optional replay protection; requires jti in tokens
+		async check({ iss, jti }, ttlSeconds) {
+			const key = `${iss}:${jti}`;
+			const isNew = await redis.setnx(key, '1');
+			if (isNew === 1) await redis.expire(key, ttlSeconds);
+			return isNew === 1;
+		},
+	},
+});
+```
+
 creating outgoing JWTs:
 
 ```ts

package/dist/auth/jwt-creator.d.ts

@@ -1,10 +1,12 @@
 import type { PrivateKey } from '@atcute/crypto';
 import type { Did, Nsid } from '@atcute/lexicons';
+import type { AtprotoAudience } from '@atcute/lexicons/syntax';
 export interface CreateServiceJwtOptions {
     keypair: PrivateKey;
     issuer: Did;
-    audience: Did;
-    lxm: Nsid | null;
+    /** audience is either a bare DID or a DID with service fragment (e.g. `did:web:x.example#svc`) */
+    audience: Did | AtprotoAudience;
+    lxm: Nsid;
     issuedAt?: number;
     expiresIn?: number;
 }

package/dist/auth/jwt-creator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-creator.d.ts","sourceRoot":"","sources":["../../lib/auth/jwt-creator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAQlD,MAAM,WAAW,uBAAuB;IACvC,OAAO,EAAE,UAAU,CAAC;IACpB,MAAM,EAAE,GAAG,CAAC;IACZ,QAAQ,EAAE,GAAG,CAAC;IACd,GAAG,EAAE,IAAI,GAAG,IAAI,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,eAAO,MAAM,gBAAgB,YAAmB,uBAAuB,KAAG,OAAO,CAAC,MAAM,CA4BvF,CAAC"}
+{"version":3,"file":"jwt-creator.d.ts","sourceRoot":"","sources":["../../lib/auth/jwt-creator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAQ/D,MAAM,WAAW,uBAAuB;IACvC,OAAO,EAAE,UAAU,CAAC;IACpB,MAAM,EAAE,GAAG,CAAC;IACZ,kGAAkG;IAClG,QAAQ,EAAE,GAAG,GAAG,eAAe,CAAC;IAChC,GAAG,EAAE,IAAI,CAAC;IACV,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,eAAO,MAAM,gBAAgB,YAAmB,uBAAuB,KAAG,OAAO,CAAC,MAAM,CA4BvF,CAAC"}

package/dist/auth/jwt-creator.js

@@ -15,7 +15,7 @@ export const createServiceJwt = async (options) => {
         iat: issuedAt,
         iss: options.issuer,
         jti: nanoid(24),
-        lxm: options.lxm ?? undefined,
+        lxm: options.lxm,
     };
     const headerB64 = encodeJwtPortion(header);
     const payloadB64 = encodeJwtPortion(payload);

package/dist/auth/jwt-creator.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-creator.js","sourceRoot":"","sources":["../../lib/auth/jwt-creator.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAahC,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,EAAE,OAAgC,EAAmB,EAAE;IAC3F,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAEhC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;IACpE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;IAEtD,MAAM,MAAM,GAAc;QACzB,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,OAAO,CAAC,MAAM;KACnB,CAAC;IAEF,MAAM,OAAO,GAAe;QAC3B,GAAG,EAAE,OAAO,CAAC,QAAQ;QACrB,GAAG,EAAE,QAAQ,GAAG,SAAS;QACzB,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,OAAO,CAAC,MAAM;QACnB,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC;QACf,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,SAAS;KAC7B,CAAC;IAEF,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAE7C,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1D,MAAM,YAAY,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAE5C,OAAO,GAAG,OAAO,IAAI,YAAY,EAAE,CAAC;AACrC,CAAC,CAAC;AAEF,MAAM,gBAAgB,GAAG,CAAC,IAAa,EAAU,EAAE;IAClD,OAAO,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACtD,CAAC,CAAC"}
+{"version":3,"file":"jwt-creator.js","sourceRoot":"","sources":["../../lib/auth/jwt-creator.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAchC,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,EAAE,OAAgC,EAAmB,EAAE;IAC3F,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAEhC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;IACpE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;IAEtD,MAAM,MAAM,GAAc;QACzB,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,OAAO,CAAC,MAAM;KACnB,CAAC;IAEF,MAAM,OAAO,GAAe;QAC3B,GAAG,EAAE,OAAO,CAAC,QAAQ;QACrB,GAAG,EAAE,QAAQ,GAAG,SAAS;QACzB,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,OAAO,CAAC,MAAM;QACnB,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC;QACf,GAAG,EAAE,OAAO,CAAC,GAAG;KAChB,CAAC;IAEF,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAE7C,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1D,MAAM,YAAY,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAE5C,OAAO,GAAG,OAAO,IAAI,YAAY,EAAE,CAAC;AACrC,CAAC,CAAC;AAEF,MAAM,gBAAgB,GAAG,CAAC,IAAa,EAAU,EAAE;IAClD,OAAO,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACtD,CAAC,CAAC"}

package/dist/auth/jwt-verifier.d.ts

@@ -1,24 +1,85 @@
 import { type DidDocumentResolver } from '@atcute/identity-resolver';
 import type { Did, Nsid } from '@atcute/lexicons';
-import type { Result } from '../types/misc.ts';
-import type { AuthError } from './types.ts';
+import type { AtprotoAudience } from '@atcute/lexicons/syntax';
+/**
+ * replay-protection store for service JWTs. when configured on a verifier,
+ * tokens must carry a `jti` claim and the verifier consults this store to
+ * reject duplicates.
+ */
+export interface ReplayStore {
+    /**
+     * record a `(iss, jti)` pair seen now.
+     *
+     * @param key issuer + token identifier; implementations decide how to
+     *   encode this into a storage key.
+     * @param ttlSeconds how long the entry must be retained. implementations
+     *   are free to retain it for longer.
+     * @returns `true` if the pair was previously unseen (token is unique),
+     *   `false` if the pair has been recorded before (replay).
+     */
+    check(key: {
+        iss: Did;
+        jti: string;
+    }, ttlSeconds: number): Promise<boolean>;
+}
 export interface ServiceJwtVerifierOptions {
-    serviceDid: Did | null;
+    /**
+     * list of `aud` values accepted by this service; each entry is a bare DID or a DID with
+     * service fragment (e.g. `did:web:x.example#svc`), and incoming tokens must exact-match any entry.
+     *
+     * pass `null` to skip audience validation (accept any audience). an empty array rejects every
+     * audience, which is useful when a service wants to fail closed until configured.
+     */
+    acceptAudiences: (Did | AtprotoAudience)[] | null;
     resolver: DidDocumentResolver;
+    /**
+     * maximum token lifetime window in seconds. rejects tokens whose `exp` is
+     * more than this far in the future or whose `iat` is more than this far in
+     * the past. defaults to 300 (5 minutes), matching atproto convention.
+     */
+    maxAge?: number;
+    /**
+     * clock-skew leeway in seconds applied to `exp` and `nbf` comparisons.
+     * defaults to 5 seconds.
+     */
+    clockLeeway?: number;
+    /**
+     * optional replay-protection store. when provided, tokens must carry a
+     * `jti` claim and the verifier rejects any `(iss, jti)` the store reports
+     * as previously seen.
+     */
+    replayStore?: ReplayStore;
 }
 export interface VerifyJwtOptions {
-    lxm: Nsid | Nsid[] | null;
+    lxm: Nsid | Nsid[];
+    /** abort signal forwarded to DID resolution; falls back to `request.signal` in `verifyRequest`. */
+    signal?: AbortSignal;
 }
 export interface VerifiedJwt {
     issuer: Did;
-    audience: Did;
-    lxm: string | undefined;
+    audience: Did | AtprotoAudience;
+    lxm: Nsid;
 }
 export declare class ServiceJwtVerifier {
     #private;
     didDocResolver: DidDocumentResolver;
-    serviceDid: Did | null;
+    acceptAudiences: (Did | AtprotoAudience)[] | null;
+    maxAge: number;
+    clockLeeway: number;
+    replayStore?: ReplayStore;
     constructor(options: ServiceJwtVerifierOptions);
-    verify(jwtString: string, options?: VerifyJwtOptions): Promise<Result<VerifiedJwt, AuthError>>;
+    /**
+     * parse the Authorization header, verify the bearer token, and return the
+     * validated claims. throws {@link AuthRequiredError} with a populated
+     * `WWW-Authenticate: Bearer` challenge on every failure path.
+     *
+     * @param request incoming request; `request.signal` is forwarded to DID
+     *   resolution unless `options.signal` overrides it.
+     * @param options verification options; `lxm` restricts which lexicon
+     *   methods the token is allowed to invoke.
+     * @throws {AuthRequiredError} on missing header, malformed token,
+     *   signature mismatch, audience/lxm rejection, replay, or expiry.
+     */
+    verifyRequest(request: Request, options: VerifyJwtOptions): Promise<VerifiedJwt>;
 }
 //# sourceMappingURL=jwt-verifier.d.ts.map

package/dist/auth/jwt-verifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-verifier.d.ts","sourceRoot":"","sources":["../../lib/auth/jwt-verifier.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAGlD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAG/C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE5C,MAAM,WAAW,yBAAyB;IACzC,UAAU,EAAE,GAAG,GAAG,IAAI,CAAC;IACvB,QAAQ,EAAE,mBAAmB,CAAC;CAC9B;AAED,MAAM,WAAW,gBAAgB;IAChC,GAAG,EAAE,IAAI,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,WAAW;IAC3B,MAAM,EAAE,GAAG,CAAC;IACZ,QAAQ,EAAE,GAAG,CAAC;IACd,GAAG,EAAE,MAAM,GAAG,SAAS,CAAC;CACxB;AAED,qBAAa,kBAAkB;;IAC9B,cAAc,EAAE,mBAAmB,CAAC;IACpC,UAAU,EAAE,GAAG,GAAG,IAAI,CAAC;IAEvB,YAAY,OAAO,EAAE,yBAAyB,EAG7C;IA6DK,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,CAuHnG;CACD"}
+{"version":3,"file":"jwt-verifier.d.ts","sourceRoot":"","sources":["../../lib/auth/jwt-verifier.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAa/D;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC3B;;;;;;;;;OASG;IACH,KAAK,CAAC,GAAG,EAAE;QAAE,GAAG,EAAE,GAAG,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC5E;AAED,MAAM,WAAW,yBAAyB;IACzC;;;;;;OAMG;IACH,eAAe,EAAE,CAAC,GAAG,GAAG,eAAe,CAAC,EAAE,GAAG,IAAI,CAAC;IAClD,QAAQ,EAAE,mBAAmB,CAAC;IAC9B;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAChC,GAAG,EAAE,IAAI,GAAG,IAAI,EAAE,CAAC;IACnB,mGAAmG;IACnG,MAAM,CAAC,EAAE,WAAW,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC3B,MAAM,EAAE,GAAG,CAAC;IACZ,QAAQ,EAAE,GAAG,GAAG,eAAe,CAAC;IAChC,GAAG,EAAE,IAAI,CAAC;CACV;AAID,qBAAa,kBAAkB;;IAC9B,cAAc,EAAE,mBAAmB,CAAC;IACpC,eAAe,EAAE,CAAC,GAAG,GAAG,eAAe,CAAC,EAAE,GAAG,IAAI,CAAC;IAClD,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B,YAAY,OAAO,EAAE,yBAAyB,EAM7C;IAED;;;;;;;;;;;OAWG;IACG,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,WAAW,CAAC,CAsBrF;CAmQD"}

package/dist/auth/jwt-verifier.js

@@ -1,37 +1,78 @@
 import { getPublicKeyFromDidController, verifySig } from '@atcute/crypto';
-import { getAtprotoVerificationMaterial } from '@atcute/identity';
+import { getVerificationMaterial } from '@atcute/identity';
 import {} from '@atcute/identity-resolver';
 import * as uint8arrays from '@atcute/uint8array';
+import { AuthRequiredError } from '../main/xrpc-error.js';
 import { parseJwt } from './jwt.js';
+/** only `#atproto` is accepted as a signing key identifier for now */
+const DEFAULT_KID = '#atproto';
+const BEARER_PREFIX = 'Bearer ';
 export class ServiceJwtVerifier {
     didDocResolver;
-    serviceDid;
+    acceptAudiences;
+    maxAge;
+    clockLeeway;
+    replayStore;
     constructor(options) {
         this.didDocResolver = options.resolver;
-        this.serviceDid = options.serviceDid;
+        this.acceptAudiences = options.acceptAudiences;
+        this.maxAge = options.maxAge ?? 5 * 60;
+        this.clockLeeway = options.clockLeeway ?? 5;
+        this.replayStore = options.replayStore;
     }
-    async #getSigningKey(issuer, noCache) {
+    /**
+     * parse the Authorization header, verify the bearer token, and return the
+     * validated claims. throws {@link AuthRequiredError} with a populated
+     * `WWW-Authenticate: Bearer` challenge on every failure path.
+     *
+     * @param request incoming request; `request.signal` is forwarded to DID
+     *   resolution unless `options.signal` overrides it.
+     * @param options verification options; `lxm` restricts which lexicon
+     *   methods the token is allowed to invoke.
+     * @throws {AuthRequiredError} on missing header, malformed token,
+     *   signature mismatch, audience/lxm rejection, replay, or expiry.
+     */
+    async verifyRequest(request, options) {
+        const authorization = request.headers.get('authorization');
+        if (authorization === null) {
+            throw new AuthRequiredError({
+                message: 'authorization header required',
+                wwwAuthenticate: { scheme: 'Bearer' },
+            });
+        }
+        if (!authorization.startsWith(BEARER_PREFIX)) {
+            throw authError({ error: 'MissingBearer', description: 'expected a bearer token' });
+        }
+        const token = authorization.slice(BEARER_PREFIX.length).trim();
+        const signal = options.signal ?? request.signal;
+        const result = await this.#verifyToken(token, { lxm: options.lxm, signal });
+        if (!result.ok) {
+            throw authError(result.error);
+        }
+        return result.value;
+    }
+    async #getSigningKey(issuer, kid, noCache, signal) {
         let didDocument;
         let key;
         try {
-            didDocument = await this.didDocResolver.resolve(issuer, { noCache });
+            didDocument = await this.didDocResolver.resolve(issuer, { noCache, signal });
         }
         catch {
             return {
                 ok: false,
                 error: {
-                    error: 'UnresolvedDidDocument',
+                    error: 'DidResolutionFailed',
                     description: `failed to retrieve did document for ${issuer}`,
                 },
             };
         }
-        const controller = getAtprotoVerificationMaterial(didDocument);
+        const controller = getVerificationMaterial(didDocument, kid);
         if (!controller) {
             return {
                 ok: false,
                 error: {
                     error: 'BadJwtIssuer',
-                    description: `${issuer} does not have an atproto verification material`,
+                    description: `${issuer} does not have a ${kid} verification material`,
                 },
             };
         }
@@ -43,7 +84,7 @@ export class ServiceJwtVerifier {
                 ok: false,
                 error: {
                     error: 'BadJwtIssuer',
-                    description: `${issuer} has invalid atproto verification material`,
+                    description: `${issuer} has invalid ${kid} verification material`,
                 },
             };
         }
@@ -66,8 +107,8 @@ export class ServiceJwtVerifier {
             };
         }
     }
-    async verify(jwtString, options) {
-        const parsed = parseJwt(jwtString);
+    async #verifyToken(token, options) {
+        const parsed = parseJwt(token);
         if (!parsed.ok) {
             return parsed;
         }
@@ -85,7 +126,30 @@ export class ServiceJwtVerifier {
                 };
             }
         }
-        if (Date.now() / 1_000 > payload.exp) {
+        // resolve the `kid` header (defaulting to `#atproto`) and restrict to the set of
+        // identifiers this verifier knows how to look up in the issuer's DID document.
+        // matches proposal 0014's "safe default" for SDKs.
+        const kid = header.kid ?? DEFAULT_KID;
+        if (kid !== DEFAULT_KID) {
+            return {
+                ok: false,
+                error: {
+                    error: 'BadJwtIssuer',
+                    description: `unsupported signing key identifier (${kid})`,
+                },
+            };
+        }
+        const now = Math.floor(Date.now() / 1_000);
+        if (payload.nbf !== undefined && now < payload.nbf - this.clockLeeway) {
+            return {
+                ok: false,
+                error: {
+                    error: 'JwtNotYetValid',
+                    description: `jwt is not yet valid`,
+                },
+            };
+        }
+        if (now > payload.exp + this.clockLeeway) {
             return {
                 ok: false,
                 error: {
@@ -94,17 +158,30 @@ export class ServiceJwtVerifier {
                 },
             };
         }
-        if (this.serviceDid !== null && this.serviceDid !== payload.aud) {
+        // prevent issuers from minting very long-lived tokens: the configured max-age
+        // window bounds how far `exp` can be in the future and how far `iat` can be in
+        // the past.
+        if (payload.exp - now > this.maxAge || (payload.iat !== undefined && now - payload.iat > this.maxAge)) {
             return {
                 ok: false,
                 error: {
-                    error: 'BadJwtAudience',
-                    description: `jwt audience does not match (expected ${this.serviceDid})`,
+                    error: 'JwtTooOld',
+                    description: `jwt exceeds maximum age (${this.maxAge}s)`,
                 },
             };
         }
-        if (options?.lxm != null &&
-            (typeof options.lxm === 'string' ? options.lxm !== payload.lxm : !options.lxm.includes(payload.lxm))) {
+        if (this.acceptAudiences !== null && !this.acceptAudiences.includes(payload.aud)) {
+            return {
+                ok: false,
+                error: {
+                    error: 'InvalidAudience',
+                    description: this.acceptAudiences.length === 0
+                        ? `jwt audience does not match (no audiences accepted)`
+                        : `jwt audience does not match (expected one of: ${this.acceptAudiences.join(', ')})`,
+                },
+            };
+        }
+        if (typeof options.lxm === 'string' ? options.lxm !== payload.lxm : !options.lxm.includes(payload.lxm)) {
             return {
                 ok: false,
                 error: {
@@ -113,7 +190,20 @@ export class ServiceJwtVerifier {
                 },
             };
         }
-        const key = await this.#getSigningKey(payload.iss, false);
+        let jti;
+        if (this.replayStore !== undefined) {
+            if (payload.jti === undefined) {
+                return {
+                    ok: false,
+                    error: {
+                        error: 'BadJwt',
+                        description: `jwt is missing the jti claim (required for replay protection)`,
+                    },
+                };
+            }
+            jti = payload.jti;
+        }
+        const key = await this.#getSigningKey(payload.iss, kid, false, options.signal);
         if (!key.ok) {
             return key;
         }
@@ -127,7 +217,7 @@ export class ServiceJwtVerifier {
         }
         if (!isValid) {
             // try again, uncached
-            const freshKey = await this.#getSigningKey(payload.iss, true);
+            const freshKey = await this.#getSigningKey(payload.iss, kid, true, options.signal);
             if (!freshKey.ok) {
                 return freshKey;
             }
@@ -160,6 +250,21 @@ export class ServiceJwtVerifier {
                 },
             };
         }
+        // replay-store check runs after signature verification so forged tokens
+        // can't burn entries (memory dos) or evict legitimate `(iss, jti)` pairs
+        // before the real request lands.
+        if (this.replayStore !== undefined && jti !== undefined) {
+            const unique = await this.replayStore.check({ iss: payload.iss, jti }, this.maxAge);
+            if (!unique) {
+                return {
+                    ok: false,
+                    error: {
+                        error: 'NonceNotUnique',
+                        description: `jwt has been used before`,
+                    },
+                };
+            }
+        }
         return {
             ok: true,
             value: {
@@ -170,4 +275,10 @@ export class ServiceJwtVerifier {
         };
     }
 }
+const authError = (err) => {
+    return new AuthRequiredError({
+        message: err.description,
+        wwwAuthenticate: { scheme: 'Bearer', params: { error: err.error } },
+    });
+};
 //# sourceMappingURL=jwt-verifier.js.map

package/dist/auth/jwt-verifier.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-verifier.js","sourceRoot":"","sources":["../../lib/auth/jwt-verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,6BAA6B,EAAE,SAAS,EAAuB,MAAM,gBAAgB,CAAC;AAC/F,OAAO,EAAE,8BAA8B,EAAoB,MAAM,kBAAkB,CAAC;AACpF,OAAO,EAA4B,MAAM,2BAA2B,CAAC;AAErE,OAAO,KAAK,WAAW,MAAM,oBAAoB,CAAC;AAIlD,OAAO,EAAE,QAAQ,EAAkB,MAAM,UAAU,CAAC;AAkBpD,MAAM,OAAO,kBAAkB;IAC9B,cAAc,CAAsB;IACpC,UAAU,CAAa;IAEvB,YAAY,OAAkC;QAC7C,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC;QACvC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,MAAW,EAAE,OAAgB;QACjD,IAAI,WAAwB,CAAC;QAC7B,IAAI,GAAmB,CAAC;QAExB,IAAI,CAAC;YACJ,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QACtE,CAAC;QAAC,MAAM,CAAC;YACR,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,uBAAuB;oBAC9B,WAAW,EAAE,uCAAuC,MAAM,EAAE;iBAC5D;aACD,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,8BAA8B,CAAC,WAAW,CAAC,CAAC;QAC/D,IAAI,CAAC,UAAU,EAAE,CAAC;YACjB,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,cAAc;oBACrB,WAAW,EAAE,GAAG,MAAM,iDAAiD;iBACvE;aACD,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACJ,GAAG,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACR,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,cAAc;oBACrB,WAAW,EAAE,GAAG,MAAM,4CAA4C;iBAClE;aACD,CAAC;QACH,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,GAAmB,EAAE,GAAc;QACzD,IAAI,CAAC;YACJ,OAAO;gBACN,EAAE,EAAE,IAAI;gBACR,KAAK,EAAE,MAAM,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,CAAC;aACpF,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACR,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,iBAAiB;oBACxB,WAAW,EAAE,gCAAgC;iBAC7C;aACD,CAAC;QACH,CAAC;IACF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB,EAAE,OAA0B;QACzD,MAAM,MAAM,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;QACnC,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YAChB,OAAO,MAAM,CAAC;QACf,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC;QAEzC,QAAQ,MAAM,CAAC,GAAG,EAAE,CAAC;YACpB,KAAK,QAAQ,CAAC;YACd,KAAK,aAAa,CAAC;YACnB,KAAK,UAAU,EAAE,CAAC;gBACjB,OAAO;oBACN,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACN,KAAK,EAAE,YAAY;wBACnB,WAAW,EAAE,kBAAkB;qBAC/B;iBACD,CAAC;YACH,CAAC;QACF,CAAC;QAED,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;YACtC,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,YAAY;oBACnB,WAAW,EAAE,gBAAgB;iBAC7B;aACD,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI,IAAI,IAAI,CAAC,UAAU,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;YACjE,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,gBAAgB;oBACvB,WAAW,EAAE,yCAAyC,IAAI,CAAC,UAAU,GAAG;iBACxE;aACD,CAAC;QACH,CAAC;QAED,IACC,OAAO,EAAE,GAAG,IAAI,IAAI;YACpB,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAI,CAAC,CAAC,EACpG,CAAC;YACF,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,qBAAqB;oBAC5B,WAAW,EAAE,+CAA+C,OAAO,CAAC,GAAG,GAAG;iBAC1E;aACD,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC1D,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACb,OAAO,GAAG,CAAC;QACZ,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YACpE,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;gBAChB,OAAO,MAAM,CAAC;YACf,CAAC;YAED,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC;QACxB,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,sBAAsB;YACtB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YAC9D,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAClB,OAAO,QAAQ,CAAC;YACjB,CAAC;YAED,uDAAuD;YACvD,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC;gBAC1C,OAAO;oBACN,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACN,KAAK,EAAE,cAAc;wBACrB,WAAW,EAAE,gDAAgD,MAAM,CAAC,GAAG,GAAG;qBAC1E;iBACD,CAAC;YACH,CAAC;YAED,0CAA0C;YAC1C,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,cAAc,EAAE,GAAG,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;gBAClF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBACzE,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;oBAChB,OAAO,MAAM,CAAC;gBACf,CAAC;gBAED,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC;YACxB,CAAC;QACF,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,UAAU;YACV,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,iBAAiB;oBACxB,WAAW,EAAE,uBAAuB;iBACpC;aACD,CAAC;QACH,CAAC;QAED,OAAO;YACN,EAAE,EAAE,IAAI;YACR,KAAK,EAAE;gBACN,MAAM,EAAE,OAAO,CAAC,GAAG;gBACnB,QAAQ,EAAE,OAAO,CAAC,GAAG;gBACrB,GAAG,EAAE,OAAO,CAAC,GAAG;aAChB;SACD,CAAC;IACH,CAAC;CACD"}
+{"version":3,"file":"jwt-verifier.js","sourceRoot":"","sources":["../../lib/auth/jwt-verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,6BAA6B,EAAE,SAAS,EAAuB,MAAM,gBAAgB,CAAC;AAC/F,OAAO,EAAE,uBAAuB,EAAoB,MAAM,kBAAkB,CAAC;AAC7E,OAAO,EAA4B,MAAM,2BAA2B,CAAC;AAGrE,OAAO,KAAK,WAAW,MAAM,oBAAoB,CAAC;AAElD,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAG1D,OAAO,EAAE,QAAQ,EAAkB,MAAM,UAAU,CAAC;AAIpD,sEAAsE;AACtE,MAAM,WAAW,GAAiB,UAAU,CAAC;AA8D7C,MAAM,aAAa,GAAG,SAAS,CAAC;AAEhC,MAAM,OAAO,kBAAkB;IAC9B,cAAc,CAAsB;IACpC,eAAe,CAAmC;IAClD,MAAM,CAAS;IACf,WAAW,CAAS;IACpB,WAAW,CAAe;IAE1B,YAAY,OAAkC;QAC7C,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC;QACvC,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;QAC/C,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,CAAC;QACvC,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,CAAC,CAAC;QAC5C,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IACxC,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,aAAa,CAAC,OAAgB,EAAE,OAAyB;QAC9D,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC3D,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC5B,MAAM,IAAI,iBAAiB,CAAC;gBAC3B,OAAO,EAAE,+BAA+B;gBACxC,eAAe,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE;aACrC,CAAC,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAC9C,MAAM,SAAS,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,yBAAyB,EAAE,CAAC,CAAC;QACrF,CAAC;QAED,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QAC/D,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;QAEhD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;QAC5E,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YAChB,MAAM,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC;QAED,OAAO,MAAM,CAAC,KAAK,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,cAAc,CACnB,MAAW,EACX,GAAiB,EACjB,OAAgB,EAChB,MAAmB;QAEnB,IAAI,WAAwB,CAAC;QAC7B,IAAI,GAAmB,CAAC;QAExB,IAAI,CAAC;YACJ,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9E,CAAC;QAAC,MAAM,CAAC;YACR,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,qBAAqB;oBAC5B,WAAW,EAAE,uCAAuC,MAAM,EAAE;iBAC5D;aACD,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,uBAAuB,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;QAC7D,IAAI,CAAC,UAAU,EAAE,CAAC;YACjB,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,cAAc;oBACrB,WAAW,EAAE,GAAG,MAAM,oBAAoB,GAAG,wBAAwB;iBACrE;aACD,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACJ,GAAG,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACR,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,cAAc;oBACrB,WAAW,EAAE,GAAG,MAAM,gBAAgB,GAAG,wBAAwB;iBACjE;aACD,CAAC;QACH,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,GAAmB,EAAE,GAAc;QACzD,IAAI,CAAC;YACJ,OAAO;gBACN,EAAE,EAAE,IAAI;gBACR,KAAK,EAAE,MAAM,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,CAAC;aACpF,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACR,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,iBAAiB;oBACxB,WAAW,EAAE,gCAAgC;iBAC7C;aACD,CAAC;QACH,CAAC;IACF,CAAC;IAED,KAAK,CAAC,YAAY,CACjB,KAAa,EACb,OAAoD;QAEpD,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC/B,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YAChB,OAAO,MAAM,CAAC;QACf,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC;QAEzC,QAAQ,MAAM,CAAC,GAAG,EAAE,CAAC;YACpB,KAAK,QAAQ,CAAC;YACd,KAAK,aAAa,CAAC;YACnB,KAAK,UAAU,EAAE,CAAC;gBACjB,OAAO;oBACN,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACN,KAAK,EAAE,YAAY;wBACnB,WAAW,EAAE,kBAAkB;qBAC/B;iBACD,CAAC;YACH,CAAC;QACF,CAAC;QAED,iFAAiF;QACjF,+EAA+E;QAC/E,mDAAmD;QACnD,MAAM,GAAG,GAAW,MAAM,CAAC,GAAG,IAAI,WAAW,CAAC;QAC9C,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;YACzB,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,cAAc;oBACrB,WAAW,EAAE,uCAAuC,GAAG,GAAG;iBAC1D;aACD,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;QAE3C,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACvE,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,gBAAgB;oBACvB,WAAW,EAAE,sBAAsB;iBACnC;aACD,CAAC;QACH,CAAC;QAED,IAAI,GAAG,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAC1C,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,YAAY;oBACnB,WAAW,EAAE,gBAAgB;iBAC7B;aACD,CAAC;QACH,CAAC;QAED,8EAA8E;QAC9E,+EAA+E;QAC/E,YAAY;QACZ,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACvG,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,WAAW;oBAClB,WAAW,EAAE,4BAA4B,IAAI,CAAC,MAAM,IAAI;iBACxD;aACD,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,eAAe,KAAK,IAAI,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAClF,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,iBAAiB;oBACxB,WAAW,EACV,IAAI,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC;wBAChC,CAAC,CAAC,qDAAqD;wBACvD,CAAC,CAAC,iDAAiD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;iBACvF;aACD,CAAC;QACH,CAAC;QAED,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACxG,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,qBAAqB;oBAC5B,WAAW,EAAE,+CAA+C,OAAO,CAAC,GAAG,GAAG;iBAC1E;aACD,CAAC;QACH,CAAC;QAED,IAAI,GAAuB,CAAC;QAC5B,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YACpC,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;gBAC/B,OAAO;oBACN,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACN,KAAK,EAAE,QAAQ;wBACf,WAAW,EAAE,+DAA+D;qBAC5E;iBACD,CAAC;YACH,CAAC;YAED,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;QACnB,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QAC/E,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACb,OAAO,GAAG,CAAC;QACZ,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YACpE,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;gBAChB,OAAO,MAAM,CAAC;YACf,CAAC;YAED,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC;QACxB,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,sBAAsB;YACtB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YACnF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAClB,OAAO,QAAQ,CAAC;YACjB,CAAC;YAED,uDAAuD;YACvD,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC;gBAC1C,OAAO;oBACN,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACN,KAAK,EAAE,cAAc;wBACrB,WAAW,EAAE,gDAAgD,MAAM,CAAC,GAAG,GAAG;qBAC1E;iBACD,CAAC;YACH,CAAC;YAED,0CAA0C;YAC1C,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,cAAc,EAAE,GAAG,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;gBAClF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBACzE,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;oBAChB,OAAO,MAAM,CAAC;gBACf,CAAC;gBAED,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC;YACxB,CAAC;QACF,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,UAAU;YACV,OAAO;gBACN,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACN,KAAK,EAAE,iBAAiB;oBACxB,WAAW,EAAE,uBAAuB;iBACpC;aACD,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,yEAAyE;QACzE,iCAAiC;QACjC,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACzD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YACpF,IAAI,CAAC,MAAM,EAAE,CAAC;gBACb,OAAO;oBACN,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACN,KAAK,EAAE,gBAAgB;wBACvB,WAAW,EAAE,0BAA0B;qBACvC;iBACD,CAAC;YACH,CAAC;QACF,CAAC;QAED,OAAO;YACN,EAAE,EAAE,IAAI;YACR,KAAK,EAAE;gBACN,MAAM,EAAE,OAAO,CAAC,GAAG;gBACnB,QAAQ,EAAE,OAAO,CAAC,GAAG;gBACrB,GAAG,EAAE,OAAO,CAAC,GAAG;aAChB;SACD,CAAC;IACH,CAAC;CACD;AAED,MAAM,SAAS,GAAG,CAAC,GAAc,EAAqB,EAAE;IACvD,OAAO,IAAI,iBAAiB,CAAC;QAC5B,OAAO,EAAE,GAAG,CAAC,WAAW;QACxB,eAAe,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,EAAE;KACnE,CAAC,CAAC;AACJ,CAAC,CAAC"}

package/dist/auth/jwt.d.ts

@@ -1,16 +1,21 @@
 import type { Did, Nsid } from '@atcute/lexicons';
+import { type AtprotoAudience } from '@atcute/lexicons/syntax';
 import type { Result } from '../types/misc.ts';
 import type { AuthError } from './types.ts';
 export interface JwtHeader {
     typ?: string;
     alg: string;
+    /** signing key identifier; a DID fragment, defaults to `#atproto` when absent */
+    kid?: string;
 }
 export interface JwtPayload {
     iss: Did;
-    aud: Did;
+    aud: Did | AtprotoAudience;
     exp: number;
     iat?: number;
-    lxm?: Nsid;
+    /** not-before time; token is invalid before this unix timestamp */
+    nbf?: number;
+    lxm: Nsid;
     jti?: string;
 }
 export interface ParsedJwt {

package/dist/auth/jwt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../lib/auth/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAOlD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAE/C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAO5C,MAAM,WAAW,SAAS;IACzB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;CACZ;AAOD,MAAM,WAAW,UAAU;IAC1B,GAAG,EAAE,GAAG,CAAC;IACT,GAAG,EAAE,GAAG,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,IAAI,CAAC;IACX,GAAG,CAAC,EAAE,MAAM,CAAC;CACb;AAsBD,MAAM,WAAW,SAAS;IACzB,MAAM,EAAE,SAAS,CAAC;IAClB,OAAO,EAAE,UAAU,CAAC;IACpB,OAAO,EAAE,UAAU,CAAC,WAAW,CAAC,CAAC;IACjC,SAAS,EAAE,UAAU,CAAC,WAAW,CAAC,CAAC;CACnC;AAoCD,eAAO,MAAM,QAAQ,cAAe,MAAM,KAAG,MAAM,CAAC,SAAS,EAAE,SAAS,CAsCvE,CAAC"}
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../lib/auth/jwt.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAiB,KAAK,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAM9E,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAE/C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAW5C,MAAM,WAAW,SAAS;IACzB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,iFAAiF;IACjF,GAAG,CAAC,EAAE,MAAM,CAAC;CACb;AAQD,MAAM,WAAW,UAAU;IAC1B,GAAG,EAAE,GAAG,CAAC;IACT,GAAG,EAAE,GAAG,GAAG,eAAe,CAAC;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,mEAAmE;IACnE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,IAAI,CAAC;IACV,GAAG,CAAC,EAAE,MAAM,CAAC;CACb;AAyBD,MAAM,WAAW,SAAS;IACzB,MAAM,EAAE,SAAS,CAAC;IAClB,OAAO,EAAE,UAAU,CAAC;IACpB,OAAO,EAAE,UAAU,CAAC,WAAW,CAAC,CAAC;IACjC,SAAS,EAAE,UAAU,CAAC,WAAW,CAAC,CAAC;CACnC;AAoCD,eAAO,MAAM,QAAQ,cAAe,MAAM,KAAG,MAAM,CAAC,SAAS,EAAE,SAAS,CAsCvE,CAAC"}