@atproto/oauth-client 0.1.7 → 0.2.1
- package/CHANGELOG.md +43 -0
- package/README.md +128 -7
- package/dist/index.d.ts +1 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -2
- package/dist/index.js.map +1 -1
- package/dist/oauth-client.d.ts +8 -8
- package/dist/oauth-client.d.ts.map +1 -1
- package/dist/oauth-client.js +13 -27
- package/dist/oauth-client.js.map +1 -1
- package/dist/oauth-server-agent.d.ts +2 -3
- package/dist/oauth-server-agent.d.ts.map +1 -1
- package/dist/oauth-server-agent.js +11 -6
- package/dist/oauth-server-agent.js.map +1 -1
- package/dist/{oauth-agent.d.ts → oauth-session.d.ts} +14 -14
- package/dist/oauth-session.d.ts.map +1 -0
- package/dist/{oauth-agent.js → oauth-session.js} +19 -18
- package/dist/oauth-session.js.map +1 -0
- package/dist/runtime.d.ts +1 -10
- package/dist/runtime.d.ts.map +1 -1
- package/dist/runtime.js +0 -70
- package/dist/runtime.js.map +1 -1
- package/dist/state-store.d.ts +0 -1
- package/dist/state-store.d.ts.map +1 -1
- package/dist/types.d.ts +14 -16
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/package.json +7 -8
- package/src/index.ts +1 -2
- package/src/oauth-client.ts +15 -43
- package/src/oauth-server-agent.ts +17 -9
- package/src/{oauth-agent.ts → oauth-session.ts} +27 -24
- package/src/runtime.ts +2 -94
- package/src/state-store.ts +0 -1
- package/src/types.ts +1 -3
- package/dist/oauth-agent.d.ts.map +0 -1
- package/dist/oauth-agent.js.map +0 -1
- package/dist/oauth-atp-agent.d.ts +0 -11
- package/dist/oauth-atp-agent.d.ts.map +0 -1
- package/dist/oauth-atp-agent.js +0 -51
- package/dist/oauth-atp-agent.js.map +0 -1
- package/src/oauth-atp-agent.ts +0 -48
package/CHANGELOG.md
CHANGED
@@ -1,5 +1,48 @@
|
|
1
1
|
# @atproto/oauth-client
|
2
2
|
|
3
|
+
## 0.2.1
|
4
|
+
|
5
|
+
### Patch Changes
|
6
|
+
|
7
|
+
- Updated dependencies [[`cb4abbb67`](https://github.com/bluesky-social/atproto/commit/cb4abbb673c69a8a89b49dca5c038f3da2153c6c), [`cb4abbb67`](https://github.com/bluesky-social/atproto/commit/cb4abbb673c69a8a89b49dca5c038f3da2153c6c), [`cb4abbb67`](https://github.com/bluesky-social/atproto/commit/cb4abbb673c69a8a89b49dca5c038f3da2153c6c), [`98711a147`](https://github.com/bluesky-social/atproto/commit/98711a147a8674337f605c6368f39fc10c2fae93)]:
|
8
|
+
- @atproto/did@0.1.2
|
9
|
+
- @atproto/xrpc@0.6.2
|
10
|
+
- @atproto-labs/did-resolver@0.1.3
|
11
|
+
- @atproto-labs/handle-resolver@0.1.3
|
12
|
+
- @atproto-labs/identity-resolver@0.1.3
|
13
|
+
|
14
|
+
## 0.2.0
|
15
|
+
|
16
|
+
### Minor Changes
|
17
|
+
|
18
|
+
- [#2714](https://github.com/bluesky-social/atproto/pull/2714) [`d9ffa3c46`](https://github.com/bluesky-social/atproto/commit/d9ffa3c460924010d7002b616cb7a0c66111cc6c) Thanks [@matthieusieben](https://github.com/matthieusieben)! - The `OAuthClient` (and runtime specific sub-classes) no longer return @atproto/api `Agent` instances. Instead, they return `OAuthSession` instances that can be used to instantiate the `Agent` class.
|
19
|
+
|
20
|
+
- [#2734](https://github.com/bluesky-social/atproto/pull/2734) [`dee817b6e`](https://github.com/bluesky-social/atproto/commit/dee817b6e0fc02351d51ce310b5e65239b7c5ed7) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove "nonce" from authorization request
|
21
|
+
|
22
|
+
- [#2734](https://github.com/bluesky-social/atproto/pull/2734) [`dee817b6e`](https://github.com/bluesky-social/atproto/commit/dee817b6e0fc02351d51ce310b5e65239b7c5ed7) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Mandate the use of "atproto" scope
|
23
|
+
|
24
|
+
- [#2734](https://github.com/bluesky-social/atproto/pull/2734) [`dee817b6e`](https://github.com/bluesky-social/atproto/commit/dee817b6e0fc02351d51ce310b5e65239b7c5ed7) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove "openid" compatibility. The reason is that although we were technically "openid" compatible, ATProto identifiers are distributed identifiers. When a client relies on OpenID to authenticate users, it will use the auth provider in combination with the identifier to uniquely identify the user. Since ATProto identifiers are meant to be able to move from one provider to the other, OpenID compatibility could break authentication after a user was migrated to a different provider.
|
25
|
+
|
26
|
+
The way OpenID compliant clients would adapt to this particularity would typically be to remove the provider + identifier combination and use the identifier alone. While this is indeed the right way to handle ATProto identifiers, it requires more work to avoid impersonation. In particular, when obtaining a user identifier, the client **must** verify that the issuer of the identity token is indeed the server responsible for that user. This mechanism being not enforced by the OpenID standard, OpenID compatibility could lead to security issues. For this reason, we decided to remove OpenID compatibility from the OAuth provider.
|
27
|
+
|
28
|
+
Note that a trusted central authority could still offer OpenID compatibility by relying on ATProto's regular OAuth flow under the hood. This capability is out of the scope of this library.
|
29
|
+
|
30
|
+
- [#2714](https://github.com/bluesky-social/atproto/pull/2714) [`d9ffa3c46`](https://github.com/bluesky-social/atproto/commit/d9ffa3c460924010d7002b616cb7a0c66111cc6c) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Rename OAuthAgent into OAuthSession
|
31
|
+
|
32
|
+
- [#2714](https://github.com/bluesky-social/atproto/pull/2714) [`d9ffa3c46`](https://github.com/bluesky-social/atproto/commit/d9ffa3c460924010d7002b616cb7a0c66111cc6c) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Rename `OAuthSession`'s `request` method to `fetchHandler`. The goal of this change is to allow `OAuthSession` to be used in order to instantiate `XrpcClient` by implementing the `FetchHandlerObject` interface.
|
33
|
+
|
34
|
+
### Patch Changes
|
35
|
+
|
36
|
+
- [#2714](https://github.com/bluesky-social/atproto/pull/2714) [`d9ffa3c46`](https://github.com/bluesky-social/atproto/commit/d9ffa3c460924010d7002b616cb7a0c66111cc6c) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add `getTokenInfo()` method to `OAuthSession`.
|
37
|
+
|
38
|
+
- [#2734](https://github.com/bluesky-social/atproto/pull/2734) [`dee817b6e`](https://github.com/bluesky-social/atproto/commit/dee817b6e0fc02351d51ce310b5e65239b7c5ed7) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Do not remove scopes not advertised in the AS's "scopes_supported" when building the authorization request.
|
39
|
+
|
40
|
+
- [#2714](https://github.com/bluesky-social/atproto/pull/2714) [`d9ffa3c46`](https://github.com/bluesky-social/atproto/commit/d9ffa3c460924010d7002b616cb7a0c66111cc6c) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Make `getTokenSet()` method public in `OAuthSession`.
|
41
|
+
|
42
|
+
- Updated dependencies [[`d9ffa3c46`](https://github.com/bluesky-social/atproto/commit/d9ffa3c460924010d7002b616cb7a0c66111cc6c), [`dee817b6e`](https://github.com/bluesky-social/atproto/commit/dee817b6e0fc02351d51ce310b5e65239b7c5ed7), [`dee817b6e`](https://github.com/bluesky-social/atproto/commit/dee817b6e0fc02351d51ce310b5e65239b7c5ed7), [`dee817b6e`](https://github.com/bluesky-social/atproto/commit/dee817b6e0fc02351d51ce310b5e65239b7c5ed7), [`d9ffa3c46`](https://github.com/bluesky-social/atproto/commit/d9ffa3c460924010d7002b616cb7a0c66111cc6c), [`d9ffa3c46`](https://github.com/bluesky-social/atproto/commit/d9ffa3c460924010d7002b616cb7a0c66111cc6c)]:
|
43
|
+
- @atproto/xrpc@0.6.1
|
44
|
+
- @atproto/oauth-types@0.1.4
|
45
|
+
|
3
46
|
## 0.1.7
|
4
47
|
|
5
48
|
### Patch Changes
|
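Review bot: The 0.2.0 entries `Remove "nonce" from authorization request` and `Mandate the use of "atproto" scope` are one-liners that do not say what a caller will observe, while the "openid" entry next to them gets three paragraphs. Suggest stating for the scope entry whether a request without `atproto` is rejected or has the scope added for it, and noting for the nonce entry that it follows from the OpenID removal. Both are behaviour changes that upgrading integrators need to see spelled out.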
package/README.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
# @atproto/oauth-client: atproto flavoured OAuth client
|
2
2
|
|
3
|
-
Core library for implementing [ATPROTO] OAuth clients.
|
3
|
+
Core library for implementing [atproto][ATPROTO] OAuth clients.
|
4
4
|
|
5
5
|
For a browser specific implementation, see [@atproto/oauth-client-browser](https://www.npmjs.com/package/@atproto/oauth-client-browser).
|
6
6
|
For a node specific implementation, see
|
@@ -147,7 +147,35 @@ const result = await client.callback(params)
|
|
147
147
|
// Verify the state (e.g. to link to an internal user)
|
148
148
|
result.state === '434321' // true
|
149
149
|
|
150
|
-
const
|
150
|
+
const oauthSession = result.session
|
151
|
+
```
|
152
|
+
|
153
|
+
The sign-in process results in an `OAuthSession` instance that can be used to make
|
154
|
+
authenticated requests to the resource server. This instance will automatically
|
155
|
+
refresh the credentials when needed.
|
156
|
+
|
157
|
+
### Making authenticated requests
|
158
|
+
|
159
|
+
The `OAuthSession` instance obtained after signing in can be used to make
|
160
|
+
authenticated requests to the user's PDS. There are two main use-cases:
|
161
|
+
|
162
|
+
1. Making authenticated request to Bluesky's AppView in order to fetch and
|
163
|
+
manipulate data from the `app.bsky` lexicon.
|
164
|
+
|
165
|
+
2. Making authenticated request to your own AppView, in order to fetch and
|
166
|
+
manipulate data from your own lexicon.
|
167
|
+
|
168
|
+
#### Making authenticated requests to Bluesky's AppView
|
169
|
+
|
170
|
+
The `@atproto/oauth-client` package provides a `OAuthSession` class that can be
|
171
|
+
used to make authenticated requests to Bluesky's AppView. This can be achieved
|
172
|
+
by constructing an `Agent` (from `@atproto/api`) instance using the
|
173
|
+
`OAuthSession` instance.
|
174
|
+
|
175
|
+
```ts
|
176
|
+
import { Agent } from '@atproto/api'
|
177
|
+
|
178
|
+
const agent = new Agent(oauthSession)
|
151
179
|
|
152
180
|
// Make an authenticated request to the server. New credentials will be
|
153
181
|
// automatically fetched if needed (causing sessionStore.set() to be called).
|
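Review bot: The new "Making authenticated requests" paragraph says the `OAuthSession` is used to make requests "to the user's PDS", but the two use-cases listed directly under it both describe requests to an AppView, and nothing in this hunk connects the two. Suggest one sentence here saying that calls are sent to the PDS, which forwards them to the AppView, so the reader does not have to reach the `atproto-proxy` section to reconcile them. Minor: "Making authenticated request to" should be "requests" in both list items.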
@@ -155,12 +183,106 @@ await agent.post({
|
|
155
183
|
text: 'Hello, world!',
|
156
184
|
})
|
157
185
|
|
158
|
-
|
159
|
-
|
160
|
-
await agent.logout()
|
161
|
-
}
|
186
|
+
// revoke credentials on the server (causing sessionStore.del() to be called)
|
187
|
+
await agent.signOut()
|
162
188
|
```
|
163
189
|
|
190
|
+
#### Making authenticated requests to your own AppView
|
191
|
+
|
192
|
+
The `OAuthSession` instance obtained after signing in can be used to instantiate
|
193
|
+
the `XrpcClient` class from the `@atproto/xrpc` package.
|
194
|
+
|
195
|
+
```ts
|
196
|
+
import { Lexicons } from '@atproto/lexicon'
|
197
|
+
import { OAuthClient } from '@atproto/oauth-client' // or "@atproto/oauth-client-browser" or "@atproto/oauth-client-node"
|
198
|
+
import { XrpcClient } from '@atproto/xrpc'
|
199
|
+
|
200
|
+
// Define your lexicons
|
201
|
+
const myLexicon = new Lexicons([
|
202
|
+
{
|
203
|
+
lexicon: 1,
|
204
|
+
id: 'com.example.query',
|
205
|
+
defs: {
|
206
|
+
main: {
|
207
|
+
// ...
|
208
|
+
},
|
209
|
+
},
|
210
|
+
},
|
211
|
+
])
|
212
|
+
|
213
|
+
// Describe your app's oauth client
|
214
|
+
const oauthClient = new OAuthClient({
|
215
|
+
// ...
|
216
|
+
})
|
217
|
+
|
218
|
+
// Authenticate the user
|
219
|
+
const oauthSession = await oauthClient.restore('did:plc:123')
|
220
|
+
|
221
|
+
// Instantiate a client using the `oauthSession` as fetch handler object
|
222
|
+
const client = new XrpcClient(oauthSession, myLexicon)
|
223
|
+
|
224
|
+
// Make authenticated calls
|
225
|
+
const response = await client.call('com.example.query')
|
226
|
+
```
|
227
|
+
|
228
|
+
Note that the user's PDS might not know about your lexicon, or what to do with
|
229
|
+
those calls (PDS' are only mandated to implement the `com.atproto` lexicon). In
|
230
|
+
order to process your calls, you need to have a backend that will process those
|
231
|
+
calls. You can then instruct your PDS to forward those calls to your backend.
|
232
|
+
|
233
|
+
```ts
|
234
|
+
const response = await client.call(
|
235
|
+
'com.example.query',
|
236
|
+
{
|
237
|
+
// Params
|
238
|
+
},
|
239
|
+
{
|
240
|
+
headers: {
|
241
|
+
// The PDS will proxy calls to the specified service in did:plc:xyz's did document.
|
242
|
+
// These calls will be authenticated using "service auth", a single use JWT Bearer token, signed with the logged-in user's private key.
|
243
|
+
'atproto-proxy': 'did:plc:xyz#serviceId',
|
244
|
+
},
|
245
|
+
},
|
246
|
+
)
|
247
|
+
```
|
248
|
+
|
249
|
+
You can also instantiate the `XrpcClient` class with a custom `fetch` function
|
250
|
+
that will provide the `atproto-proxy` header on all calls:
|
251
|
+
|
252
|
+
```ts
|
253
|
+
const boundClient = new XrpcClient((url, init) => {
|
254
|
+
const headers = new Headers(init?.headers)
|
255
|
+
|
256
|
+
// Add the atproto-proxy header if it is not already present
|
257
|
+
if (!headers.has('atproto-proxy')) {
|
258
|
+
headers.set('atproto-proxy', 'did:plc:xyz#serviceId')
|
259
|
+
}
|
260
|
+
|
261
|
+
return oauthSession.fetchHandler(url, { ...init, headers })
|
262
|
+
}, myLexicon)
|
263
|
+
|
264
|
+
// No need to specify the atproto-proxy header anymore
|
265
|
+
const response = await boundClient.call('com.example.query')
|
266
|
+
```
|
267
|
+
|
268
|
+
> [!NOTE]
|
269
|
+
>
|
270
|
+
> Proxying every call through the PDS is not recommended for performance
|
271
|
+
> reasons, as it will increase the latency of readonly calls to your lexicon.
|
272
|
+
> Doing so will also prevent your backend from being able to anticipate writes
|
273
|
+
> on the network. Indeed, write calls will be sent to the PDS, which will then
|
274
|
+
> propagate them on the network through a relay (a.k.a. "firehose"). This will
|
275
|
+
> introduce a delay between the time the write is made and the time it is
|
276
|
+
> processed by your backend.
|
277
|
+
>
|
278
|
+
> In order to avoid those issues, it is recommended that you implement your
|
279
|
+
> backend using a backend-for-frontend pattern. This backend will be responsible
|
280
|
+
> for processing the calls made by the client, and will be able to anticipate
|
281
|
+
> writes on the network.
|
282
|
+
>
|
283
|
+
> Read more about the backend-for-frontend pattern in the [atproto][ATPROTO]
|
284
|
+
> documentation website.
|
285
|
+
|
164
286
|
## Advances use-cases
|
165
287
|
|
166
288
|
### Listening for session updates and deletion
|
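Review bot: In the `boundClient` example, `if (!headers.has('atproto-proxy'))` means any caller that passes its own `atproto-proxy` header overrides the bound service, so the client is defaulted rather than bound. Since the comment above says proxied calls carry a service-auth token signed for the logged-in user, the README should say explicitly that per-call headers win, or the example should set the header unconditionally if pinning the destination is the intent. Separately, the unchanged heading `## Advances use-cases` at the end of this hunk looks like a typo for "Advanced" and could be fixed while this section is being edited.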
@@ -219,7 +341,6 @@ or
|
|
219
341
|
```ts
|
220
342
|
const url = await client.authorize(handle, {
|
221
343
|
state,
|
222
|
-
max_age: 600, // Require re-authentication after 10 minutes
|
223
344
|
})
|
224
345
|
```
|
225
346
|
|
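Review bot: Dropping `max_age: 600, // Require re-authentication after 10 minutes` from the `client.authorize()` example leaves no indication that the option is gone. The oauth-client.js change in this same diff stops forwarding `max_age` and `id_token_hint`, so callers who still pass them get no effect and no error. Suggest a short note in this README section that these options are no longer supported as part of the OpenID removal.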
package/dist/index.d.ts
CHANGED
@@ -3,8 +3,6 @@ export { FetchError, FetchRequestError, FetchResponseError, } from '@atproto-lab
|
|
3
3
|
export * from '@atproto-labs/handle-resolver';
|
4
4
|
export * from '@atproto/did';
|
5
5
|
export * from '@atproto/oauth-types';
|
6
|
-
export * from './oauth-agent.js';
|
7
|
-
export * from './oauth-atp-agent.js';
|
8
6
|
export * from './oauth-authorization-server-metadata-resolver.js';
|
9
7
|
export * from './oauth-callback-error.js';
|
10
8
|
export * from './oauth-client.js';
|
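Review bot: Removing `export * from './oauth-agent.js'` and `export * from './oauth-atp-agent.js'` drops public exports with no deprecated alias, so existing imports of those names fail at build time. The CHANGELOG mentions the `OAuthAgent` to `OAuthSession` rename but does not mention that the `oauth-atp-agent` module's exports are removed outright. Suggest either a temporary re-export under the old name or an explicit CHANGELOG line listing the removed symbols.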
@@ -13,6 +11,7 @@ export * from './oauth-resolver-error.js';
|
|
13
11
|
export * from './oauth-response-error.js';
|
14
12
|
export * from './oauth-server-agent.js';
|
15
13
|
export * from './oauth-server-factory.js';
|
14
|
+
export * from './oauth-session.js';
|
16
15
|
export * from './runtime-implementation.js';
|
17
16
|
export * from './session-getter.js';
|
18
17
|
export * from './state-store.js';
|
package/dist/index.d.ts.map
CHANGED
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,4BAA4B,CAAA;AAC1C,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,qBAAqB,CAAA;AAC5B,cAAc,+BAA+B,CAAA;AAE7C,cAAc,cAAc,CAAA;AAC5B,cAAc,sBAAsB,CAAA;AAEpC,cAAc,
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,4BAA4B,CAAA;AAC1C,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,qBAAqB,CAAA;AAC5B,cAAc,+BAA+B,CAAA;AAE7C,cAAc,cAAc,CAAA;AAC5B,cAAc,sBAAsB,CAAA;AAEpC,cAAc,mDAAmD,CAAA;AACjE,cAAc,2BAA2B,CAAA;AACzC,cAAc,mBAAmB,CAAA;AACjC,cAAc,iDAAiD,CAAA;AAC/D,cAAc,2BAA2B,CAAA;AACzC,cAAc,2BAA2B,CAAA;AACzC,cAAc,yBAAyB,CAAA;AACvC,cAAc,2BAA2B,CAAA;AACzC,cAAc,oBAAoB,CAAA;AAClC,cAAc,6BAA6B,CAAA;AAC3C,cAAc,qBAAqB,CAAA;AACnC,cAAc,kBAAkB,CAAA;AAChC,cAAc,YAAY,CAAA;AAE1B,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iCAAiC,CAAA"}
|
package/dist/index.js
CHANGED
@@ -23,8 +23,6 @@ Object.defineProperty(exports, "FetchResponseError", { enumerable: true, get: fu
|
|
23
23
|
__exportStar(require("@atproto-labs/handle-resolver"), exports);
|
24
24
|
__exportStar(require("@atproto/did"), exports);
|
25
25
|
__exportStar(require("@atproto/oauth-types"), exports);
|
26
|
-
__exportStar(require("./oauth-agent.js"), exports);
|
27
|
-
__exportStar(require("./oauth-atp-agent.js"), exports);
|
28
26
|
__exportStar(require("./oauth-authorization-server-metadata-resolver.js"), exports);
|
29
27
|
__exportStar(require("./oauth-callback-error.js"), exports);
|
30
28
|
__exportStar(require("./oauth-client.js"), exports);
|
@@ -33,6 +31,7 @@ __exportStar(require("./oauth-resolver-error.js"), exports);
|
|
33
31
|
__exportStar(require("./oauth-response-error.js"), exports);
|
34
32
|
__exportStar(require("./oauth-server-agent.js"), exports);
|
35
33
|
__exportStar(require("./oauth-server-factory.js"), exports);
|
34
|
+
__exportStar(require("./oauth-session.js"), exports);
|
36
35
|
__exportStar(require("./runtime-implementation.js"), exports);
|
37
36
|
__exportStar(require("./session-getter.js"), exports);
|
38
37
|
__exportStar(require("./state-store.js"), exports);
|
package/dist/index.js.map
CHANGED
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,6DAA0C;AAC1C,6CAI4B;AAH1B,mGAAA,UAAU,OAAA;AACV,0GAAA,iBAAiB,OAAA;AACjB,2GAAA,kBAAkB,OAAA;AAEpB,gEAA6C;AAE7C,+CAA4B;AAC5B,uDAAoC;AAEpC,
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,6DAA0C;AAC1C,6CAI4B;AAH1B,mGAAA,UAAU,OAAA;AACV,0GAAA,iBAAiB,OAAA;AACjB,2GAAA,kBAAkB,OAAA;AAEpB,gEAA6C;AAE7C,+CAA4B;AAC5B,uDAAoC;AAEpC,oFAAiE;AACjE,4DAAyC;AACzC,oDAAiC;AACjC,kFAA+D;AAC/D,4DAAyC;AACzC,4DAAyC;AACzC,0DAAuC;AACvC,4DAAyC;AACzC,qDAAkC;AAClC,8DAA2C;AAC3C,sDAAmC;AACnC,mDAAgC;AAChC,6CAA0B;AAE1B,kEAA+C;AAC/C,kEAA+C;AAC/C,kEAA+C"}
|
package/dist/oauth-client.d.ts
CHANGED
@@ -4,12 +4,12 @@ import { HandleCache, HandleResolver } from '@atproto-labs/handle-resolver';
|
|
4
4
|
import { IdentityResolver } from '@atproto-labs/identity-resolver';
|
5
5
|
import { Key, Keyset } from '@atproto/jwk';
|
6
6
|
import { OAuthClientIdDiscoverable, OAuthClientMetadata, OAuthClientMetadataInput, OAuthResponseMode } from '@atproto/oauth-types';
|
7
|
-
import { OAuthAtpAgent } from './oauth-atp-agent.js';
|
8
7
|
import { AuthorizationServerMetadataCache } from './oauth-authorization-server-metadata-resolver.js';
|
9
8
|
import { ProtectedResourceMetadataCache } from './oauth-protected-resource-metadata-resolver.js';
|
10
9
|
import { OAuthResolver } from './oauth-resolver.js';
|
11
10
|
import { DpopNonceCache, OAuthServerAgent } from './oauth-server-agent.js';
|
12
11
|
import { OAuthServerFactory } from './oauth-server-factory.js';
|
12
|
+
import { OAuthSession } from './oauth-session.js';
|
13
13
|
import { RuntimeImplementation } from './runtime-implementation.js';
|
14
14
|
import { Runtime } from './runtime.js';
|
15
15
|
import { SessionEventMap, SessionGetter, SessionStore } from './session-getter.js';
|
@@ -55,7 +55,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
|
|
55
55
|
kty: "RSA";
|
56
56
|
n: string;
|
57
57
|
e: string;
|
58
|
-
alg?: "RS256" | "
|
58
|
+
alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
59
59
|
kid?: string | undefined;
|
60
60
|
ext?: boolean | undefined;
|
61
61
|
use?: "sig" | "enc" | undefined;
|
@@ -186,7 +186,7 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
|
|
186
186
|
readonly kty: "RSA";
|
187
187
|
readonly n: string;
|
188
188
|
readonly e: string;
|
189
|
-
readonly alg?: "RS256" | "
|
189
|
+
readonly alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
|
190
190
|
readonly kid?: string | undefined;
|
191
191
|
readonly ext?: boolean | undefined;
|
192
192
|
readonly use?: "sig" | "enc" | undefined;
|
@@ -286,17 +286,17 @@ export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap>
|
|
286
286
|
*/
|
287
287
|
abortRequest(authorizeUrl: URL): Promise<void>;
|
288
288
|
callback(params: URLSearchParams): Promise<{
|
289
|
-
|
289
|
+
session: OAuthSession;
|
290
290
|
state: string | null;
|
291
291
|
}>;
|
292
292
|
/**
|
293
|
-
*
|
294
|
-
*
|
293
|
+
* Load a stored session. This will refresh the token only if needed (about to
|
294
|
+
* expire) by default.
|
295
295
|
*
|
296
296
|
* @param refresh See {@link SessionGetter.getSession}
|
297
297
|
*/
|
298
|
-
restore(sub: string, refresh?: boolean): Promise<
|
298
|
+
restore(sub: string, refresh?: boolean): Promise<OAuthSession>;
|
299
299
|
revoke(sub: string): Promise<void>;
|
300
|
-
|
300
|
+
protected createSession(server: OAuthServerAgent, sub: string): OAuthSession;
|
301
301
|
}
|
302
302
|
//# sourceMappingURL=oauth-client.d.ts.map
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,QAAQ,EAGT,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAGL,WAAW,EACX,cAAc,EACf,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAA;AAElE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EACL,yBAAyB,EACzB,mBAAmB,EACnB,wBAAwB,EAExB,iBAAiB,EAClB,MAAM,sBAAsB,CAAA;
|
1
|
+
{"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,QAAQ,EAGT,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAC3C,OAAO,EAGL,WAAW,EACX,cAAc,EACf,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAA;AAElE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EACL,yBAAyB,EACzB,mBAAmB,EACnB,wBAAwB,EAExB,iBAAiB,EAClB,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EACL,gCAAgC,EAEjC,MAAM,mDAAmD,CAAA;AAE1D,OAAO,EAEL,8BAA8B,EAC/B,MAAM,iDAAiD,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAA;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,eAAe,EACf,aAAa,EACb,YAAY,EACb,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAChE,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAA;AAI7C,YAAY,EACV,gCAAgC,EAChC,QAAQ,EACR,cAAc,EACd,KAAK,EACL,WAAW,EACX,cAAc,EACd,iBAAiB,EACjB,GAAG,EACH,MAAM,EACN,mBAAmB,EACnB,wBAAwB,EACxB,iBAAiB,EACjB,8BAA8B,EAC9B,qBAAqB,EACrB,YAAY,EACZ,UAAU,GACX,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAE/B,YAAY,EAAE,iBAAiB,CAAA;IAC/B,cAAc,EAAE,QAAQ,CAAC,wBAAwB,CAAC,CAAA;IAClD,MAAM,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC,GAAG,GAAG,SAAS,GAAG,IAAI,GAAG,KAAK,CAAC,CAAA;IAG1D,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,YAAY,CAAA;IAC1B,QAAQ,CAAC,EAAE,QAAQ,CAAA;IACnB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,gCAAgC,CAAC,EAAE,gCAAgC,CAAA;IACnE,8BAA8B,CAAC,EAAE,8BAA8B,CAAA;IAC/D,cAAc,CAAC,EAAE,cAAc,CAAA;IAG/B,cAAc,EAAE,cAAc,GAAG,GAAG,GAAG,MAAM,CAAA;IAC7C,eAAe,CAAC,EAAE,GAAG,GAAG,MAAM,CAAA;IAC9B,qBAAqB,EAAE,qBAAqB,CAAA;IAC5C,KAAK,CAAC,EAAE,KAAK,CAAA;CACd,CAAA;AAED,MAAM,MAAM,mBAAmB,GAAG,eAAe,CAAA;AAEjD,MAAM,MAAM,+BAA+B,GAAG;IAC5C,QAAQ,EAAE,yBAAyB,CAAA;IACnC,KAAK,CAAC,EAAE,KAAK,CAAA;IACb,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB,CAAA;AAED,qBAAa,WAAY,SAAQ,iBAAiB,CAAC,mBAAmB,CAAC;WACxD,aAAa,CAAC,EA
CzB,QAAQ,EACR,KAAwB,EACxB,MAAM,GACP,EAAE,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA6BlC,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,YAAY,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IAGxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;IACrB,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,aAAa,EAAE,kBAAkB,CAAA;IAG1C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAA;gBAEnB,EACV,KAAwB,EAExB,UAAU,EACV,YAAY,EAEZ,QAAoB,EACpB,cAA+D,EAC/D,WAAuB,EACvB,gCAGE,EACF,8BAGE,EAEF,YAAY,EACZ,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,MAAM,GACP,EAAE,kBAAkB;IA4DrB,IAAI,gBAAgB,qBAEnB;IAGD,IAAI,WAAW,qHAEd;IAGD,IAAI,cAAc,mBAEjB;IAED,IAAI,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAEP;IAEK,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC;IAwFxE;;;OAGG;IACG,YAAY,CAAC,YAAY,EAAE,GAAG;IAY9B,QAAQ,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC;QAC/C,OAAO,EAAE,YAAY,CAAA;QACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KACrB,CAAC;IA2FF;;;;;OAKG;IACG,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,YAAY,CAAC;IAc9D,MAAM,CAAC,GAAG,EAAE,MAAM;IAiBxB,SAAS,CAAC,aAAa,CAAC,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,MAAM,GAAG,YAAY;CAG7E"}
|
package/dist/oauth-client.js
CHANGED
@@ -9,13 +9,12 @@ const jwk_1 = require("@atproto/jwk");
|
|
9
9
|
const oauth_types_1 = require("@atproto/oauth-types");
|
10
10
|
const constants_js_1 = require("./constants.js");
|
11
11
|
const token_revoked_error_js_1 = require("./errors/token-revoked-error.js");
|
12
|
-
const oauth_agent_js_1 = require("./oauth-agent.js");
|
13
|
-
const oauth_atp_agent_js_1 = require("./oauth-atp-agent.js");
|
14
12
|
const oauth_authorization_server_metadata_resolver_js_1 = require("./oauth-authorization-server-metadata-resolver.js");
|
15
13
|
const oauth_callback_error_js_1 = require("./oauth-callback-error.js");
|
16
14
|
const oauth_protected_resource_metadata_resolver_js_1 = require("./oauth-protected-resource-metadata-resolver.js");
|
17
15
|
const oauth_resolver_js_1 = require("./oauth-resolver.js");
|
18
16
|
const oauth_server_factory_js_1 = require("./oauth-server-factory.js");
|
17
|
+
const oauth_session_js_1 = require("./oauth-session.js");
|
19
18
|
const runtime_js_1 = require("./runtime.js");
|
20
19
|
const session_getter_js_1 = require("./session-getter.js");
|
21
20
|
const util_js_1 = require("./util.js");
|
@@ -151,23 +150,20 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
151
150
|
throw new TypeError('Invalid redirect_uri');
|
152
151
|
}
|
153
152
|
const { identity, metadata } = await this.oauthResolver.resolve(input, options);
|
154
|
-
const nonce = await this.runtime.generateNonce();
|
155
153
|
const pkce = await this.runtime.generatePKCE();
|
156
154
|
const dpopKey = await this.runtime.generateKey(metadata.dpop_signing_alg_values_supported || [constants_js_1.FALLBACK_ALG]);
|
157
155
|
const state = await this.runtime.generateNonce();
|
158
156
|
await this.stateStore.set(state, {
|
159
157
|
iss: metadata.issuer,
|
160
158
|
dpopKey,
|
161
|
-
|
162
|
-
verifier: pkce?.verifier,
|
159
|
+
verifier: pkce.verifier,
|
163
160
|
appState: options?.state,
|
164
161
|
});
|
165
162
|
const parameters = {
|
166
163
|
client_id: this.clientMetadata.client_id,
|
167
164
|
redirect_uri: redirectUri,
|
168
|
-
code_challenge: pkce
|
169
|
-
code_challenge_method: pkce
|
170
|
-
nonce,
|
165
|
+
code_challenge: pkce.challenge,
|
166
|
+
code_challenge_method: pkce.method,
|
171
167
|
state,
|
172
168
|
login_hint: identity
|
173
169
|
? input // If input is a handle or a DID, use it as a login_hint
|
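Review bot: `verifier: pkce.verifier`, `code_challenge: pkce.challenge` and `code_challenge_method: pkce.method` now dereference `pkce` without the optional chaining the old `pkce?.verifier` had, so PKCE is treated as mandatory. That is the right direction, but it only holds if `this.runtime.generatePKCE()` can no longer resolve to `undefined`. Please confirm its return type was tightened in runtime.ts in the same change, otherwise this throws a bare `TypeError` partway through `authorize()` instead of a clear error.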
@@ -177,13 +173,8 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
177
173
|
// Negotiate by using the order in the client metadata
|
178
174
|
this.clientMetadata.response_types?.find((t) => metadata['response_types_supported']?.includes(t)) ?? 'code',
|
179
175
|
display: options?.display,
|
180
|
-
id_token_hint: options?.id_token_hint,
|
181
|
-
max_age: options?.max_age, // this.clientMetadata.default_max_age
|
182
176
|
prompt: options?.prompt,
|
183
|
-
scope: options?.scope
|
184
|
-
?.split(' ')
|
185
|
-
.filter((s) => metadata.scopes_supported?.includes(s))
|
186
|
-
.join(' '),
|
177
|
+
scope: options?.scope || undefined,
|
187
178
|
ui_locales: options?.ui_locales,
|
188
179
|
};
|
189
180
|
if (metadata.pushed_authorization_request_endpoint) {
|
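Review bot: `scope: options?.scope || undefined` now forwards whatever the caller passes, and nothing in this hunk checks that the value contains `atproto`, although the CHANGELOG for this release says that scope is mandated. If the check lives in the request schema or on the server side, a one-line comment here pointing to it would help. If it does not exist on the client, the request will only fail at the authorization server, which is a late and less readable failure. Also worth noting in the comment that `id_token_hint` and `max_age` are dropped deliberately as part of the OpenID removal.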
@@ -270,16 +261,12 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
270
261
|
}
|
271
262
|
const tokenSet = await server.exchangeCode(codeParam, stateData.verifier);
|
272
263
|
try {
|
273
|
-
|
274
|
-
await this.runtime.validateIdTokenClaims(tokenSet.id_token, stateParam, stateData.nonce, codeParam, tokenSet.access_token);
|
275
|
-
}
|
276
|
-
const { sub } = tokenSet;
|
277
|
-
await this.sessionGetter.setStored(sub, {
|
264
|
+
await this.sessionGetter.setStored(tokenSet.sub, {
|
278
265
|
dpopKey: stateData.dpopKey,
|
279
266
|
tokenSet,
|
280
267
|
});
|
281
|
-
const
|
282
|
-
return {
|
268
|
+
const session = this.createSession(server, tokenSet.sub);
|
269
|
+
return { session, state: stateData.appState ?? null };
|
283
270
|
}
|
284
271
|
catch (err) {
|
285
272
|
await server.revoke(tokenSet.access_token);
|
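Review bot: With the `validateIdTokenClaims` branch removed, `tokenSet.sub` is used directly as the key for `this.sessionGetter.setStored(tokenSet.sub, ...)` and for `createSession`, and no check is visible in this hunk that the issuer recorded in `stateData` is the server responsible for that `sub`. The CHANGELOG for this release says the client must perform exactly that verification to avoid impersonation. If `server.exchangeCode()` does it, please add a comment above the call saying so. If it does not, the check needs to happen before the session is stored.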
@@ -293,8 +280,8 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
293
280
|
}
|
294
281
|
}
|
295
282
|
/**
|
296
|
-
*
|
297
|
-
*
|
283
|
+
* Load a stored session. This will refresh the token only if needed (about to
|
284
|
+
* expire) by default.
|
298
285
|
*
|
299
286
|
* @param refresh See {@link SessionGetter.getSession}
|
300
287
|
*/
|
@@ -304,7 +291,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
304
291
|
noCache: refresh === true,
|
305
292
|
allowStale: refresh === false,
|
306
293
|
});
|
307
|
-
return this.
|
294
|
+
return this.createSession(server, sub);
|
308
295
|
}
|
309
296
|
async revoke(sub) {
|
310
297
|
const { dpopKey, tokenSet } = await this.sessionGetter.getSession(sub, false);
|
@@ -319,9 +306,8 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
319
306
|
await this.sessionGetter.delStored(sub, new token_revoked_error_js_1.TokenRevokedError(sub));
|
320
307
|
}
|
321
308
|
}
|
322
|
-
|
323
|
-
|
324
|
-
return new oauth_atp_agent_js_1.OAuthAtpAgent(oauthAgent);
|
309
|
+
createSession(server, sub) {
|
310
|
+
return new oauth_session_js_1.OAuthSession(server, sub, this.sessionGetter, this.fetch);
|
325
311
|
}
|
326
312
|
}
|
327
313
|
exports.OAuthClient = OAuthClient;
|
package/dist/oauth-client.js.map
CHANGED
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":";;;AAAA,6DAImC;AAEnC,mEAKsC;AACtC,uEAAkE;AAClE,2EAAqE;AACrE,sCAA0C;AAC1C,sDAM6B;AAE7B,iDAA6C;AAC7C,4EAAmE;AACnE,
|
1
|
+
{"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":";;;AAAA,6DAImC;AAEnC,mEAKsC;AACtC,uEAAkE;AAClE,2EAAqE;AACrE,sCAA0C;AAC1C,sDAM6B;AAE7B,iDAA6C;AAC7C,4EAAmE;AACnE,uHAG0D;AAC1D,uEAA8D;AAC9D,mHAGwD;AACxD,2DAAmD;AAEnD,uEAA8D;AAC9D,yDAAiD;AAEjD,6CAAsC;AACtC,2DAI4B;AAG5B,uCAA6C;AAC7C,+EAAsE;AAoDtE,MAAa,WAAY,SAAQ,2BAAsC;IACrE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,EACzB,QAAQ,EACR,KAAK,GAAG,UAAU,CAAC,KAAK,EACxB,MAAM,GAC0B;QAChC,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,EAAE;YACpC,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,MAAM;SACf,CAAC,CAAA;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAA;QAErC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,oCAAoC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC5E,CAAC;QAED,8IAA8I;QAC9I,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QACvE,IAAI,IAAI,KAAK,kBAAkB,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,yCAAyC,IAAI,EAAE,CAAC,CAAA;QACtE,CAAC;QAED,MAAM,IAAI,GAAY,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAE3C,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,OAAO,uCAAyB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC9C,CAAC;IAiBD,YAAY,EACV,KAAK,GAAG,UAAU,CAAC,KAAK,EAExB,UAAU,EACV,YAAY,EAEZ,QAAQ,GAAG,SAAS,EACpB,cAAc,GAAG,IAAI,uCAAiB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EAC/D,WAAW,GAAG,SAAS,EACvB,gCAAgC,GAAG,IAAI,uCAAiB,CAAC;QACvD,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,GAAG;KACT,CAAC,EACF,8BAA8B,GAAG,IAAI,uCAAiB,CAAC;QACrD,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,GAAG;KACT,CAAC,EAEF,YAAY,EACZ,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,MAAM,GACa;QACnB,KAAK,EAAE,CAAA;QAxCT,SAAS;QACA;;;;;WAA8B;QAC9B;;;;;WAA+B;QAC/B;;;;;WAAe;QAExB,WAAW;QACF;;;;;WAAgB;QAChB;;;;;WAAY;QACZ;;;;;WAA4B;QAC5B;;;;;WAAiC;QAE1C,SAAS;QACA;;;;;WAA4B;QAC5B;;;;;WAAsB;QA6B7B,IAAI,CAAC,MAAM,GAAG,MAAM;YAClB,CAAC,CAAC,MAAM,YAAY,YAAM;gBACxB,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,IAAI,YAAM,CAAC,MAAM,CAAC;YACtB,CAAC,CA
AC,SAAS,CAAA;QACb,IAAI,CAAC,cAAc,GAAG,IAAA,oDAAsB,EAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;QACzE,IAAI,CAAC,YAAY,GAAG,YAAY,CAAA;QAEhC,IAAI,CAAC,OAAO,GAAG,IAAI,oBAAO,CAAC,qBAAqB,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK,GAAG,KAAK,CAAA;QAClB,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,IAAI,oCAAgB,CAClB,IAAI,gCAAiB,CACnB,IAAI,gCAAiB,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,EACjD,QAAQ,CACT,EACD,IAAI,sCAAoB,CACtB,uCAAqB,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,CAAC,EACrD,WAAW,CACZ,CACF,EACD,IAAI,sFAAsC,CACxC,8BAA8B,EAC9B,KAAK,CACN,EACD,IAAI,0FAAwC,CAC1C,gCAAgC,EAChC,KAAK,CACN,CACF,CAAA;QACD,IAAI,CAAC,aAAa,GAAG,IAAI,4CAAkB,CACzC,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,MAAM,EACX,cAAc,CACf,CAAA;QAED,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,YAAY,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,OAAO,CACb,CAAA;QACD,IAAI,CAAC,UAAU,GAAG,UAAU,CAAA;QAE5B,6BAA6B;QAC7B,KAAK,MAAM,IAAI,IAAI,CAAC,SAAS,EAAE,SAAS,CAAU,EAAE,CAAC;YACnD,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE;gBAClD,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;oBAClD,KAAK,CAAC,cAAc,EAAE,CAAA;gBACxB,CAAC;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAA;IAC5C,CAAC;IAED,wCAAwC;IACxC,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAA;IAC1C,CAAC;IAED,wCAAwC;IACxC,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAA;IAC7C,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,EAAE,UAAU,IAAK,EAAE,IAAI,EAAE,EAAW,EAAY,CAAA;IACpE,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAa,EAAE,OAA0B;QACvD,MAAM,WAAW,GACf,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC7D,yDAAyD;YACzD,MAAM,IAAI,SAAS,CAAC,sBAAsB,CAAC,CAAA;QAC7C,CAAC;QAED,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAC7D,KAAK,EACL,OAAO,CACR,CAAA;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAA;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,CAC5C,QAAQ,CAAC,
iCAAiC,IAAI,CAAC,2BAAY,CAAC,CAC7D,CAAA;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAA;QAEhD,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE;YAC/B,GAAG,EAAE,QAAQ,CAAC,MAAM;YACpB,OAAO;YACP,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,QAAQ,EAAE,OAAO,EAAE,KAAK;SACzB,CAAC,CAAA;QAEF,MAAM,UAAU,GAAG;YACjB,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;YACxC,YAAY,EAAE,WAAW;YACzB,cAAc,EAAE,IAAI,CAAC,SAAS;YAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;YAClC,KAAK;YACL,UAAU,EAAE,QAAQ;gBAClB,CAAC,CAAC,KAAK,CAAC,wDAAwD;gBAChE,CAAC,CAAC,SAAS;YACb,aAAa,EAAE,IAAI,CAAC,YAAY;YAChC,aAAa;YACX,sDAAsD;YACtD,IAAI,CAAC,cAAc,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAC7C,QAAQ,CAAC,0BAA0B,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC,CAClD,IAAI,MAAM;YAEb,OAAO,EAAE,OAAO,EAAE,OAAO;YACzB,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,SAAS;YAClC,UAAU,EAAE,OAAO,EAAE,UAAU;SAChC,CAAA;QAED,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;YACvE,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,OAAO,CACtC,8BAA8B,EAC9B,UAAU,CACX,CAAA;YAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;YACjE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAC/B,WAAW,EACX,IAAI,CAAC,cAAc,CAAC,SAAS,CAC9B,CAAA;YACD,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,WAAW,CAAC,CAAA;YACzE,OAAO,gBAAgB,CAAA;QACzB,CAAC;aAAM,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CACb,sFAAsF,CACvF,CAAA;QACH,CAAC;aAAM,CAAC;YACN,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;YACjE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,IAAI,KAAK;oBAAE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;YAClE,CAAC;YAED,oDAAoD;YACpD,MAAM,SAAS,GACb,gBAAgB,CAAC,QAAQ,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAA;YACnE,IAAI,SAAS,GAAG,IAAI,EAAE,CAAC;gBACrB,OAAO,gBAAgB,CAAA;YACzB,CAAC;iBAAM,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACvC,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAA;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,
CAAC,YAAiB;QAClC,MAAM,UAAU,GAAG,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;QAC/D,IAAI,CAAC,UAAU;YAAE,OAAM;QAEvB,2EAA2E;QAC3E,4EAA4E;QAC5E,uEAAuE;QACvE,8CAA8C;QAE9C,mEAAmE;IACrE,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,MAAuB;QAIpC,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QAC1C,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;YACxB,8CAA8C;YAC9C,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;QAC5D,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACrC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAEpC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAA;QACnE,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvD,IAAI,SAAS,EAAE,CAAC;YACd,6BAA6B;YAC7B,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,kCAAkC,UAAU,GAAG,CAChD,CAAA;QACH,CAAC;QAED,IAAI,CAAC;YACH,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;YACrE,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,4BAA4B,EAC5B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,SAAS,CAAC,GAAG,EACb,SAAS,CAAC,OAAO,CAClB,CAAA;YAED,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;gBACxB,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC;oBAClC,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,8BAA8B,EAC9B,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;gBACD,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;oBACjD,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,iBAAiB,EACjB,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,IACL,MAAM,CAAC,cAAc,CAAC,8CAA8C,EACpE,CAAC;gBACD,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,+BAA+B,EAC/B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;YACzE,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,EAAE;oBAC/C,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,QAAQ;iBACT,C
AAC,CAAA;gBAEF,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAA;gBAExD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,QAAQ,IAAI,IAAI,EAAE,CAAA;YACvD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;gBAE1C,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iEAAiE;YACjE,gCAAgC;YAChC,MAAM,4CAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;QAChE,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,OAAiB;QAC1C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAC/D,GAAG,EACH,OAAO,CACR,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE;YACxE,OAAO,EAAE,OAAO,KAAK,IAAI;YACzB,UAAU,EAAE,OAAO,KAAK,KAAK;SAC9B,CAAC,CAAA;QAEF,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IACxC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAC/D,GAAG,EACH,KAAK,CACN,CAAA;QAED,0EAA0E;QAC1E,2EAA2E;QAC3E,QAAQ;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;YACzE,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QAC5C,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,0CAAiB,CAAC,GAAG,CAAC,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IAES,aAAa,CAAC,MAAwB,EAAE,GAAW;QAC3D,OAAO,IAAI,+BAAY,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;IACtE,CAAC;CACF;AApYD,kCAoYC"}
|
@@ -1,6 +1,6 @@
|
|
1
1
|
import { Fetch, Json } from '@atproto-labs/fetch';
|
2
2
|
import { SimpleStore } from '@atproto-labs/simple-store';
|
3
|
-
import { Key, Keyset
|
3
|
+
import { Key, Keyset } from '@atproto/jwk';
|
4
4
|
import { OAuthAuthorizationServerMetadata, OAuthClientIdentification, OAuthEndpointName, OAuthParResponse, OAuthTokenResponse, OAuthTokenType } from '@atproto/oauth-types';
|
5
5
|
import { OAuthResolver } from './oauth-resolver.js';
|
6
6
|
import { Runtime } from './runtime.js';
|
@@ -9,8 +9,7 @@ export type TokenSet = {
|
|
9
9
|
iss: string;
|
10
10
|
sub: string;
|
11
11
|
aud: string;
|
12
|
-
scope
|
13
|
-
id_token?: SignedJwt;
|
12
|
+
scope: string;
|
14
13
|
refresh_token?: string;
|
15
14
|
access_token: string;
|
16
15
|
token_type: OAuthTokenType;
|
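Review bot: `id_token?: SignedJwt` is dropped from the public `TokenSet` type and `scope` is declared as a required `scope: string`, with no doc comment on either field. Suggest documenting on `scope` what it is guaranteed to contain (the `oauth-server-agent.js` hunk for this change rejects token responses without the `atproto` scope), and calling out the `id_token` removal in the changelog, since JavaScript callers that still read `id_token` from a token set will get `undefined` without any error.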
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"oauth-server-agent.d.ts","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,IAAI,EAAiC,MAAM,qBAAqB,CAAA;AAChF,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,
|
1
|
+
{"version":3,"file":"oauth-server-agent.d.ts","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,IAAI,EAAiC,MAAM,qBAAqB,CAAA;AAChF,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,gCAAgC,EAChC,yBAAyB,EACzB,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,cAAc,EAGf,MAAM,sBAAsB,CAAA;AAK7B,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAEnD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAG3C,MAAM,MAAM,QAAQ,GAAG;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;IAEb,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,YAAY,EAAE,MAAM,CAAA;IACpB,UAAU,EAAE,cAAc,CAAA;IAC1B,eAAe;IACf,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,MAAM,MAAM,cAAc,GAAG,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;AAExD,qBAAa,gBAAgB;IAIzB,QAAQ,CAAC,OAAO,EAAE,GAAG;IACrB,QAAQ,CAAC,cAAc,EAAE,gCAAgC;IACzD,QAAQ,CAAC,cAAc,EAAE,cAAc;IACvC,QAAQ,CAAC,UAAU,EAAE,cAAc;IACnC,QAAQ,CAAC,aAAa,EAAE,aAAa;IACrC,QAAQ,CAAC,OAAO,EAAE,OAAO;IACzB,QAAQ,CAAC,MAAM,CAAC;IATlB,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,CAAA;gBAGxB,OAAO,EAAE,GAAG,EACZ,cAAc,EAAE,gCAAgC,EAChD,cAAc,EAAE,cAAc,EAC9B,UAAU,EAAE,cAAc,EAC1B,aAAa,EAAE,aAAa,EAC5B,OAAO,EAAE,OAAO,EAChB,MAAM,CAAC,yBAAQ,EACxB,KAAK,CAAC,EAAE,KAAK;IAaT,MAAM,CAAC,KAAK,EAAE,MAAM;IAQpB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAiBhE,OAAO,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IA6BpD;;;;;;;OAOG;YACW,oBAAoB;IA+C5B,OAAO,CACX,QAAQ,EAAE,OAAO,EACjB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,kBAAkB,CAAC;IACxB,OAAO,CACX,QAAQ,EAAE,8BAA8B,EACxC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,gBAAgB,CAAC;IACtB,OAAO,CACX,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,IAAI,CAAC;IA4BV,eAAe,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAAC;QAC1D,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QAChC,OAAO,EAAE,yBAAyB,CAAA;KACnC,CAAC;CA+DH"}
|
@@ -170,26 +170,31 @@ class OAuthServerAgent {
|
|
170
170
|
const env_1 = { stack: [], error: void 0, hasError: false };
|
171
171
|
try {
|
172
172
|
const { sub } = tokenResponse;
|
173
|
-
|
174
|
-
|
175
|
-
|
173
|
+
if (!sub || typeof sub !== 'string') {
|
174
|
+
throw new TypeError(`Unexpected ${typeof sub} "sub" in token response`);
|
175
|
+
}
|
176
|
+
// Using an array to check for the presence of the "atproto" scope (we don't
|
177
|
+
// want atproto to be a substring of another scope)
|
178
|
+
const scopes = tokenResponse.scope?.split(' ');
|
179
|
+
if (!scopes?.includes('atproto')) {
|
180
|
+
throw new TypeError('Missing "atproto" scope in token response');
|
181
|
+
}
|
176
182
|
// @TODO (?) make timeout configurable
|
177
183
|
const signal = __addDisposableResource(env_1, (0, util_js_1.timeoutSignal)(10e3), false);
|
178
184
|
const resolved = await this.oauthResolver.resolveFromIdentity(sub, {
|
179
185
|
signal,
|
180
186
|
});
|
181
|
-
if (
|
187
|
+
if (this.serverMetadata.issuer !== resolved.metadata.issuer) {
|
182
188
|
// Best case scenario; the user switched PDS. Worst case scenario; a bad
|
183
189
|
// actor is trying to impersonate a user. In any case, we must not allow
|
184
190
|
// this token to be used.
|
185
191
|
throw new TypeError('Issuer mismatch');
|
186
192
|
}
|
187
193
|
return {
|
188
|
-
sub,
|
189
194
|
aud: resolved.identity.pds.href,
|
190
195
|
iss: resolved.metadata.issuer,
|
196
|
+
sub,
|
191
197
|
scope: tokenResponse.scope,
|
192
|
-
id_token: tokenResponse.id_token,
|
193
198
|
refresh_token: tokenResponse.refresh_token,
|
194
199
|
access_token: tokenResponse.access_token,
|
195
200
|
token_type: tokenResponse.token_type ?? 'Bearer',
|
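Review bot: The new `sub` guard, `if (!sub || typeof sub !== 'string')`, also fires for an empty string, and in that case the message reads `Unexpected string "sub" in token response`, which hides the real problem; report a missing or empty `sub` separately from a wrong type. Both new guards, like the existing `Issuer mismatch` check, throw a plain `TypeError`, so a caller cannot tell a rejected authorization-server response from a programming error; a dedicated error class would let callers and tests handle the rejection explicitly. The returned `scope: tokenResponse.scope` is only known to be defined because of the `scopes?.includes('atproto')` guard above it, which deserves a one-line comment so the guard is not reordered or removed later.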
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"oauth-server-agent.js","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAgF;AAGhF,sDAU6B;AAE7B,iDAA6C;AAC7C,4EAAmE;AACnE,mDAAkD;AAElD,uEAA8D;AAG9D,uCAAyC;
|
1
|
+
{"version":3,"file":"oauth-server-agent.js","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAgF;AAGhF,sDAU6B;AAE7B,iDAA6C;AAC7C,4EAAmE;AACnE,mDAAkD;AAElD,uEAA8D;AAG9D,uCAAyC;AAiBzC,MAAa,gBAAgB;IAG3B,YACW,OAAY,EACZ,cAAgD,EAChD,cAA8B,EAC9B,UAA0B,EAC1B,aAA4B,EAC5B,OAAgB,EAChB,MAAe,EACxB,KAAa;QAPb;;;;mBAAS,OAAO;WAAK;QACrB;;;;mBAAS,cAAc;WAAkC;QACzD;;;;mBAAS,cAAc;WAAgB;QACvC;;;;mBAAS,UAAU;WAAgB;QACnC;;;;mBAAS,aAAa;WAAe;QACrC;;;;mBAAS,OAAO;WAAS;QACzB;;;;mBAAS,MAAM;WAAS;QAThB;;;;;WAAyB;QAYjC,IAAI,CAAC,SAAS,GAAG,IAAA,gCAAgB,EAAO;YACtC,KAAK,EAAE,IAAA,iBAAS,EAAC,KAAK,CAAC;YACvB,GAAG,EAAE,cAAc,CAAC,SAAS;YAC7B,GAAG,EAAE,OAAO;YACZ,aAAa,EAAE,cAAc,CAAC,iCAAiC;YAC/D,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;YACtC,MAAM,EAAE,UAAU;YAClB,YAAY,EAAE,IAAI;SACnB,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,aAAa;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,QAAiB;QAChD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAChD,UAAU,EAAE,oBAAoB;YAChC,YAAY,EAAE,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAE;YACnD,IAAI;YACJ,aAAa,EAAE,QAAQ;SACxB,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,oBAAoB,CAAC,aAAa,CAAC,CAAA;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,YAAY,CAAC,CAAA;YAE7C,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,QAAkB;QAC9B,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;YAC5B,MAAM,IAAI,0CAAiB,CAAC,QAAQ,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAA;QACzE,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAChD,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,QAAQ,CAAC,aAAa;SACtC,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,IAAI,QAAQ,CAAC,GAAG,KAAK,aAAa,CAAC,GAAG,EAAE,CAAC;gBACvC,MAAM,IAAI,0CAAiB,CACzB,QAAQ,CAAC,GAAG,EACZ,uCAAuC,aAAa,CAAC,GAAG,GAAG,CAC5D,CAAA;YACH,CAAC;YACD,IAAI,QAAQ,CAAC,GAAG,KAAK,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC;gBAChD,MAAM,IAAI,0CAAiB,CA
AC,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC,CAAA;YAC9D,CAAC;YAED,OAAO,IAAI,CAAC,oBAAoB,CAAC,aAAa,CAAC,CAAA;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,YAAY,CAAC,CAAA;YAE7C,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,KAAK,CAAC,oBAAoB,CAChC,aAAiC;;;YAEjC,MAAM,EAAE,GAAG,EAAE,GAAG,aAAa,CAAA;YAE7B,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACpC,MAAM,IAAI,SAAS,CAAC,cAAc,OAAO,GAAG,0BAA0B,CAAC,CAAA;YACzE,CAAC;YAED,4EAA4E;YAC5E,mDAAmD;YACnD,MAAM,MAAM,GAAG,aAAa,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;YAC9C,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,MAAM,IAAI,SAAS,CAAC,2CAA2C,CAAC,CAAA;YAClE,CAAC;YAED,sCAAsC;YACtC,MAAM,MAAM,kCAAG,IAAA,uBAAa,EAAC,IAAI,CAAC,QAAA,CAAA;YAElC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAAC,GAAG,EAAE;gBACjE,MAAM;aACP,CAAC,CAAA;YAEF,IAAI,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAC5D,wEAAwE;gBACxE,wEAAwE;gBACxE,yBAAyB;gBACzB,MAAM,IAAI,SAAS,CAAC,iBAAiB,CAAC,CAAA;YACxC,CAAC;YAED,OAAO;gBACL,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI;gBAC/B,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,MAAM;gBAE7B,GAAG;gBAEH,KAAK,EAAE,aAAa,CAAC,KAAM;gBAC3B,aAAa,EAAE,aAAa,CAAC,aAAa;gBAC1C,YAAY,EAAE,aAAa,CAAC,YAAY;gBACxC,UAAU,EAAE,aAAa,CAAC,UAAU,IAAI,QAAQ;gBAChD,UAAU,EACR,OAAO,aAAa,CAAC,UAAU,KAAK,QAAQ;oBAC1C,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;oBACtE,CAAC,CAAC,SAAS;aAChB,CAAA;;;;;;;;;KACF;IAeD,KAAK,CAAC,OAAO,CAAC,QAA2B,EAAE,OAAgC;QACzE,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,QAAQ,WAAW,CAAC,CAAA;QACvD,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,MAAM,QAAQ,qBAAqB,CAAC,CAAA;QAE9D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAA;QAEjD,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;YACnD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAChE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;SACtD,CAAC,CAAC,IAAI,CAAC,IAAA,0BAAkB,GAAE,CAAC,CAAA;QAE7B,IAAI,QAAQ,CAAC
,EAAE,EAAE,CAAC;YAChB,QAAQ,QAAQ,EAAE,CAAC;gBACjB,KAAK,OAAO;oBACV,OAAO,sCAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC7C,KAAK,8BAA8B;oBACjC,OAAO,oCAAsB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC3C;oBACE,OAAO,IAAI,CAAA;YACf,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,4CAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,QAA2B;QAI/C,MAAM,eAAe,GACnB,IAAI,CAAC,cAAc,CAAC,uCAAuC,CAAC,CAAA;QAE9D,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,4BAA4B,CAAC,CAAA;QAEhE,IACE,MAAM,KAAK,iBAAiB;YAC5B,CAAC,IAAI,CAAC,MAAM;gBACV,CAAC,MAAM;gBACP,CAAC,eAAe,EAAE,QAAQ,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,CAAC,EAC1D,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,MAAM;gBAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;YAExD,IAAI,CAAC;gBACH,MAAM,GAAG,GACP,IAAI,CAAC,cAAc,CACjB,kDAAkD,CACnD,IAAI,2BAAY,CAAA;gBAEnB,wEAAwE;gBACxE,wEAAwE;gBACxE,wDAAwD;gBACxD,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI;qBACvC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC;qBACrB,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAA;gBAEpD,OAAO;oBACL,OAAO,EAAE;wBACP,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;wBACxC,qBAAqB,EAAE,8CAAgC;wBACvD,gBAAgB,EAAE,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAC3C,EAAE,GAAG,EAAE,GAAG,EAAE,EACZ;4BACE,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;4BAClC,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;4BAClC,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,MAAM;4BAC/B,GAAG,EAAE,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE;4BACvC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;yBACnC,CACF;qBACF;iBACF,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,MAAM,KAAK,iBAAiB;oBAAE,MAAM,GAAG,CAAA;gBAE3C,uBAAuB;YACzB,CAAC;QACH,CAAC;QAED,IACE,MAAM,KAAK,MAAM;YACjB,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,CAAC,EACxD,CAAC;YACD,OAAO;gBACL,OAAO,EAAE;oBACP,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;iBACzC;aACF,CAAA;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,eAAe,QAAQ,wBAAwB,CAAC,CAAA;IAClE,CAAC;CACF;AA9OD,4CA8OC"}
|