@atproto/oauth-client 0.2.1 → 0.3.0
Sign up to get free protection for your applications and to get access to all the features.
- package/CHANGELOG.md +42 -0
- package/README.md +12 -6
- package/dist/atproto-token-response.d.ts +110 -0
- package/dist/atproto-token-response.d.ts.map +1 -0
- package/dist/atproto-token-response.js +20 -0
- package/dist/atproto-token-response.js.map +1 -0
- package/dist/fetch-dpop.js +1 -2
- package/dist/fetch-dpop.js.map +1 -1
- package/dist/oauth-authorization-server-metadata-resolver.d.ts +6 -2
- package/dist/oauth-authorization-server-metadata-resolver.d.ts.map +1 -1
- package/dist/oauth-authorization-server-metadata-resolver.js +18 -9
- package/dist/oauth-authorization-server-metadata-resolver.js.map +1 -1
- package/dist/oauth-callback-error.d.ts.map +1 -1
- package/dist/oauth-client.d.ts +30 -15
- package/dist/oauth-client.d.ts.map +1 -1
- package/dist/oauth-client.js +24 -17
- package/dist/oauth-client.js.map +1 -1
- package/dist/oauth-protected-resource-metadata-resolver.d.ts +5 -1
- package/dist/oauth-protected-resource-metadata-resolver.d.ts.map +1 -1
- package/dist/oauth-protected-resource-metadata-resolver.js +18 -11
- package/dist/oauth-protected-resource-metadata-resolver.js.map +1 -1
- package/dist/oauth-resolver.d.ts +2 -2
- package/dist/oauth-server-agent.d.ts +15 -12
- package/dist/oauth-server-agent.d.ts.map +1 -1
- package/dist/oauth-server-agent.js +66 -47
- package/dist/oauth-server-agent.js.map +1 -1
- package/dist/oauth-session.d.ts +13 -8
- package/dist/oauth-session.d.ts.map +1 -1
- package/dist/oauth-session.js +12 -7
- package/dist/oauth-session.js.map +1 -1
- package/dist/runtime.d.ts +1 -1
- package/dist/runtime.js.map +1 -1
- package/dist/session-getter.d.ts +5 -4
- package/dist/session-getter.d.ts.map +1 -1
- package/dist/session-getter.js +52 -32
- package/dist/session-getter.js.map +1 -1
- package/dist/types.d.ts +98 -102
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/dist/util.d.ts +6 -1
- package/dist/util.d.ts.map +1 -1
- package/dist/util.js +56 -2
- package/dist/util.js.map +1 -1
- package/dist/validate-client-metadata.d.ts.map +1 -1
- package/dist/validate-client-metadata.js +17 -7
- package/dist/validate-client-metadata.js.map +1 -1
- package/package.json +9 -9
- package/src/atproto-token-response.ts +22 -0
- package/src/oauth-authorization-server-metadata-resolver.ts +22 -8
- package/src/oauth-client.ts +62 -32
- package/src/oauth-protected-resource-metadata-resolver.ts +22 -12
- package/src/oauth-server-agent.ts +89 -70
- package/src/oauth-session.ts +21 -13
- package/src/runtime.ts +1 -1
- package/src/session-getter.ts +53 -33
- package/src/types.ts +16 -11
- package/src/util.ts +78 -0
- package/src/validate-client-metadata.ts +23 -6
- package/tsconfig.build.tsbuildinfo +1 -0
package/dist/oauth-client.js
CHANGED
|
@@ -41,7 +41,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
41
41
|
signal?.throwIfAborted();
|
|
42
42
|
return oauth_types_1.oauthClientMetadataSchema.parse(json);
|
|
43
43
|
}
|
|
44
|
-
constructor({ fetch = globalThis.fetch, stateStore, sessionStore, didCache = undefined, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), handleCache = undefined, authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
|
|
44
|
+
constructor({ fetch = globalThis.fetch, allowHttp = false, stateStore, sessionStore, didCache = undefined, dpopNonceCache = new simple_store_memory_1.SimpleStoreMemory({ ttl: 60e3, max: 100 }), handleCache = undefined, authorizationServerMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
|
|
45
45
|
ttl: 60e3,
|
|
46
46
|
max: 100,
|
|
47
47
|
}), protectedResourceMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
|
|
@@ -115,7 +115,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
115
115
|
this.responseMode = responseMode;
|
|
116
116
|
this.runtime = new runtime_js_1.Runtime(runtimeImplementation);
|
|
117
117
|
this.fetch = fetch;
|
|
118
|
-
this.oauthResolver = new oauth_resolver_js_1.OAuthResolver(new identity_resolver_1.IdentityResolver(new did_resolver_1.DidResolverCached(new did_resolver_1.DidResolverCommon({ fetch, plcDirectoryUrl }), didCache), new handle_resolver_1.CachedHandleResolver(handle_resolver_1.AppViewHandleResolver.from(handleResolver, { fetch }), handleCache)), new oauth_protected_resource_metadata_resolver_js_1.OAuthProtectedResourceMetadataResolver(protectedResourceMetadataCache, fetch), new oauth_authorization_server_metadata_resolver_js_1.OAuthAuthorizationServerMetadataResolver(authorizationServerMetadataCache, fetch));
|
|
118
|
+
this.oauthResolver = new oauth_resolver_js_1.OAuthResolver(new identity_resolver_1.IdentityResolver(new did_resolver_1.DidResolverCached(new did_resolver_1.DidResolverCommon({ fetch, plcDirectoryUrl, allowHttp }), didCache), new handle_resolver_1.CachedHandleResolver(handle_resolver_1.AppViewHandleResolver.from(handleResolver, { fetch }), handleCache)), new oauth_protected_resource_metadata_resolver_js_1.OAuthProtectedResourceMetadataResolver(protectedResourceMetadataCache, fetch, { allowHttpResource: allowHttp }), new oauth_authorization_server_metadata_resolver_js_1.OAuthAuthorizationServerMetadataResolver(authorizationServerMetadataCache, fetch, { allowHttpIssuer: allowHttp }));
|
|
119
119
|
this.serverFactory = new oauth_server_factory_js_1.OAuthServerFactory(this.clientMetadata, this.runtime, this.oauthResolver, this.fetch, this.keyset, dpopNonceCache);
|
|
120
120
|
this.sessionGetter = new session_getter_js_1.SessionGetter(sessionStore, this.serverFactory, this.runtime);
|
|
121
121
|
this.stateStore = stateStore;
|
|
@@ -143,13 +143,15 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
143
143
|
get jwks() {
|
|
144
144
|
return this.keyset?.publicJwks ?? { keys: [] };
|
|
145
145
|
}
|
|
146
|
-
async authorize(input, options) {
|
|
146
|
+
async authorize(input, { signal, ...options } = {}) {
|
|
147
147
|
const redirectUri = options?.redirect_uri ?? this.clientMetadata.redirect_uris[0];
|
|
148
148
|
if (!this.clientMetadata.redirect_uris.includes(redirectUri)) {
|
|
149
149
|
// The server will enforce this, but let's catch it early
|
|
150
150
|
throw new TypeError('Invalid redirect_uri');
|
|
151
151
|
}
|
|
152
|
-
const { identity, metadata } = await this.oauthResolver.resolve(input,
|
|
152
|
+
const { identity, metadata } = await this.oauthResolver.resolve(input, {
|
|
153
|
+
signal,
|
|
154
|
+
});
|
|
153
155
|
const pkce = await this.runtime.generatePKCE();
|
|
154
156
|
const dpopKey = await this.runtime.generateKey(metadata.dpop_signing_alg_values_supported || [constants_js_1.FALLBACK_ALG]);
|
|
155
157
|
const state = await this.runtime.generateNonce();
|
|
@@ -160,6 +162,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
160
162
|
appState: options?.state,
|
|
161
163
|
});
|
|
162
164
|
const parameters = {
|
|
165
|
+
...options,
|
|
163
166
|
client_id: this.clientMetadata.client_id,
|
|
164
167
|
redirect_uri: redirectUri,
|
|
165
168
|
code_challenge: pkce.challenge,
|
|
@@ -169,13 +172,8 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
169
172
|
? input // If input is a handle or a DID, use it as a login_hint
|
|
170
173
|
: undefined,
|
|
171
174
|
response_mode: this.responseMode,
|
|
172
|
-
response_type:
|
|
173
|
-
|
|
174
|
-
this.clientMetadata.response_types?.find((t) => metadata['response_types_supported']?.includes(t)) ?? 'code',
|
|
175
|
-
display: options?.display,
|
|
176
|
-
prompt: options?.prompt,
|
|
177
|
-
scope: options?.scope || undefined,
|
|
178
|
-
ui_locales: options?.ui_locales,
|
|
175
|
+
response_type: 'code',
|
|
176
|
+
scope: options?.scope ?? this.clientMetadata.scope,
|
|
179
177
|
};
|
|
180
178
|
if (metadata.pushed_authorization_request_endpoint) {
|
|
181
179
|
const server = await this.serverFactory.fromMetadata(metadata, dpopKey);
|
|
@@ -249,10 +247,10 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
249
247
|
}
|
|
250
248
|
const server = await this.serverFactory.fromIssuer(stateData.iss, stateData.dpopKey);
|
|
251
249
|
if (issuerParam != null) {
|
|
252
|
-
if (!server.
|
|
250
|
+
if (!server.issuer) {
|
|
253
251
|
throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer not found in metadata', stateData.appState);
|
|
254
252
|
}
|
|
255
|
-
if (server.
|
|
253
|
+
if (server.issuer !== issuerParam) {
|
|
256
254
|
throw new oauth_callback_error_js_1.OAuthCallbackError(params, 'Issuer mismatch', stateData.appState);
|
|
257
255
|
}
|
|
258
256
|
}
|
|
@@ -269,7 +267,7 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
269
267
|
return { session, state: stateData.appState ?? null };
|
|
270
268
|
}
|
|
271
269
|
catch (err) {
|
|
272
|
-
await server.revoke(tokenSet.access_token);
|
|
270
|
+
await server.revoke(tokenSet.refresh_token || tokenSet.access_token);
|
|
273
271
|
throw err;
|
|
274
272
|
}
|
|
275
273
|
}
|
|
@@ -285,8 +283,13 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
285
283
|
*
|
|
286
284
|
* @param refresh See {@link SessionGetter.getSession}
|
|
287
285
|
*/
|
|
288
|
-
async restore(sub, refresh) {
|
|
289
|
-
|
|
286
|
+
async restore(sub, refresh = 'auto') {
|
|
287
|
+
// sub arg is lightly typed for convenience of library user
|
|
288
|
+
(0, did_resolver_1.assertAtprotoDid)(sub);
|
|
289
|
+
const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
|
|
290
|
+
noCache: refresh === true,
|
|
291
|
+
allowStale: refresh === false,
|
|
292
|
+
});
|
|
290
293
|
const server = await this.serverFactory.fromIssuer(tokenSet.iss, dpopKey, {
|
|
291
294
|
noCache: refresh === true,
|
|
292
295
|
allowStale: refresh === false,
|
|
@@ -294,7 +297,11 @@ class OAuthClient extends util_js_1.CustomEventTarget {
|
|
|
294
297
|
return this.createSession(server, sub);
|
|
295
298
|
}
|
|
296
299
|
async revoke(sub) {
|
|
297
|
-
|
|
300
|
+
// sub arg is lightly typed for convenience of library user
|
|
301
|
+
(0, did_resolver_1.assertAtprotoDid)(sub);
|
|
302
|
+
const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
|
|
303
|
+
allowStale: true,
|
|
304
|
+
});
|
|
298
305
|
// NOT using `;(await this.restore(sub, false)).signOut()` because we want
|
|
299
306
|
// the tokens to be deleted even if it was not possible to fetch the issuer
|
|
300
307
|
// data.
|
package/dist/oauth-client.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":";;;AAAA,
|
|
1
|
+
{"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":";;;AAAA,6DAQmC;AAEnC,mEAKsC;AACtC,uEAAkE;AAClE,2EAAqE;AACrE,sCAA0C;AAC1C,sDAO6B;AAE7B,iDAA6C;AAC7C,4EAAmE;AACnE,uHAG0D;AAC1D,uEAA8D;AAC9D,mHAGwD;AACxD,2DAAmD;AAEnD,uEAA8D;AAC9D,yDAAiD;AAEjD,6CAAsC;AACtC,2DAI4B;AAG5B,uCAA6C;AAC7C,+EAAsE;AAmEtE,MAAa,WAAY,SAAQ,2BAAsC;IACrE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,EACzB,QAAQ,EACR,KAAK,GAAG,UAAU,CAAC,KAAK,EACxB,MAAM,GAC0B;QAChC,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,EAAE;YACpC,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,MAAM;SACf,CAAC,CAAA;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAA;QAErC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,oCAAoC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC5E,CAAC;QAED,8IAA8I;QAC9I,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QACvE,IAAI,IAAI,KAAK,kBAAkB,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAA;YACzB,MAAM,IAAI,SAAS,CAAC,yCAAyC,IAAI,EAAE,CAAC,CAAA;QACtE,CAAC;QAED,MAAM,IAAI,GAAY,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAE3C,MAAM,EAAE,cAAc,EAAE,CAAA;QAExB,OAAO,uCAAyB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC9C,CAAC;IAiBD,YAAY,EACV,KAAK,GAAG,UAAU,CAAC,KAAK,EACxB,SAAS,GAAG,KAAK,EAEjB,UAAU,EACV,YAAY,EAEZ,QAAQ,GAAG,SAAS,EACpB,cAAc,GAAG,IAAI,uCAAiB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EAC/D,WAAW,GAAG,SAAS,EACvB,gCAAgC,GAAG,IAAI,uCAAiB,CAAC;QACvD,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,GAAG;KACT,CAAC,EACF,8BAA8B,GAAG,IAAI,uCAAiB,CAAC;QACrD,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,GAAG;KACT,CAAC,EAEF,YAAY,EACZ,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,MAAM,GACa;QACnB,KAAK,EAAE,CAAA;QAzCT,SAAS;QACA;;;;;WAA8B;QAC9B;;;;;WAA+B;QAC/B;;;;;WAAe;QAExB,WAAW;QACF;;;;;WAAgB;QAChB;;;;;WAAY;QACZ;;;;;WAA4B;QAC5B;;;;;WAAiC;QAE1C,SAAS;QACU;;;;;WAA4B;QAC5B;;;;;WAAsB;QA8BvC,IAAI,CAAC,MAAM,GAAG,MAAM;YAClB,CAAC,CAAC,MAAM,YAAY,YAAM;gBACxB,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,IAAI,YAAM,CAAC,MAAM,CAAC;YACtB,CAAC,CAAC,SAAS,CAAA;QACb,IAAI,CAAC,cAAc,GAAG,IAAA,oDAAsB,EAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;QACzE,IAAI,CAAC,YAAY,GAAG,YAAY,CAAA;QAEhC,IAAI,CAAC,OAAO,GAAG,IAAI,oBAAO,CAAC,qBAAqB,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK,GAAG,KAAK,CAAA;QAClB,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,IAAI,oCAAgB,CAClB,IAAI,gCAAiB,CACnB,IAAI,gCAAiB,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,SAAS,EAAE,CAAC,EAC5D,QAAQ,CACT,EACD,IAAI,sCAAoB,CACtB,uCAAqB,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,CAAC,EACrD,WAAW,CACZ,CACF,EACD,IAAI,sFAAsC,CACxC,8BAA8B,EAC9B,KAAK,EACL,EAAE,iBAAiB,EAAE,SAAS,EAAE,CACjC,EACD,IAAI,0FAAwC,CAC1C,gCAAgC,EAChC,KAAK,EACL,EAAE,eAAe,EAAE,SAAS,EAAE,CAC/B,CACF,CAAA;QACD,IAAI,CAAC,aAAa,GAAG,IAAI,4CAAkB,CACzC,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,MAAM,EACX,cAAc,CACf,CAAA;QAED,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,YAAY,EACZ,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,OAAO,CACb,CAAA;QACD,IAAI,CAAC,UAAU,GAAG,UAAU,CAAA;QAE5B,6BAA6B;QAC7B,KAAK,MAAM,IAAI,IAAI,CAAC,SAAS,EAAE,SAAS,CAAU,EAAE,CAAC;YACnD,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE;gBAClD,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;oBAClD,KAAK,CAAC,cAAc,EAAE,CAAA;gBACxB,CAAC;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAA;IAC5C,CAAC;IAED,wCAAwC;IACxC,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAA;IAC1C,CAAC;IAED,wCAAwC;IACxC,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAA;IAC7C,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,EAAE,UAAU,IAAK,EAAE,IAAI,EAAE,EAAW,EAAY,CAAA;IACpE,CAAC;IAED,KAAK,CAAC,SAAS,CACb,KAAa,EACb,EAAE,MAAM,EAAE,GAAG,OAAO,KAAuB,EAAE;QAE7C,MAAM,WAAW,GACf,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;QAC/D,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC7D,yDAAyD;YACzD,MAAM,IAAI,SAAS,CAAC,sBAAsB,CAAC,CAAA;QAC7C,CAAC;QAED,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE;YACrE,MAAM;SACP,CAAC,CAAA;QAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAA;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,CAC5C,QAAQ,CAAC,iCAAiC,IAAI,CAAC,2BAAY,CAAC,CAC7D,CAAA;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAA;QAEhD,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE;YAC/B,GAAG,EAAE,QAAQ,CAAC,MAAM;YACpB,OAAO;YACP,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,QAAQ,EAAE,OAAO,EAAE,KAAK;SACzB,CAAC,CAAA;QAEF,MAAM,UAAU,GAAwC;YACtD,GAAG,OAAO;YAEV,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;YACxC,YAAY,EAAE,WAAW;YACzB,cAAc,EAAE,IAAI,CAAC,SAAS;YAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;YAClC,KAAK;YACL,UAAU,EAAE,QAAQ;gBAClB,CAAC,CAAC,KAAK,CAAC,wDAAwD;gBAChE,CAAC,CAAC,SAAS;YACb,aAAa,EAAE,IAAI,CAAC,YAAY;YAChC,aAAa,EAAE,MAAe;YAC9B,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK;SACnD,CAAA;QAED,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;YACvE,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,OAAO,CACtC,8BAA8B,EAC9B,UAAU,CACX,CAAA;YAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;YACjE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAC/B,WAAW,EACX,IAAI,CAAC,cAAc,CAAC,SAAS,CAC9B,CAAA;YACD,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,WAAW,CAAC,CAAA;YACzE,OAAO,gBAAgB,CAAA;QACzB,CAAC;aAAM,IAAI,QAAQ,CAAC,qCAAqC,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CACb,sFAAsF,CACvF,CAAA;QACH,CAAC;aAAM,CAAC;YACN,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAA;YACjE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,IAAI,KAAK;oBAAE,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;YAClE,CAAC;YAED,oDAAoD;YACpD,MAAM,SAAS,GACb,gBAAgB,CAAC,QAAQ,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,CAAA;YACnE,IAAI,SAAS,GAAG,IAAI,EAAE,CAAC;gBACrB,OAAO,gBAAgB,CAAA;YACzB,CAAC;iBAAM,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACvC,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAA;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,YAAiB;QAClC,MAAM,UAAU,GAAG,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;QAC/D,IAAI,CAAC,UAAU;YAAE,OAAM;QAEvB,2EAA2E;QAC3E,4EAA4E;QAC5E,uEAAuE;QACvE,8CAA8C;QAE9C,mEAAmE;IACrE,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,MAAuB;QAIpC,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QAC1C,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;YACxB,8CAA8C;YAC9C,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAA;QAC5D,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACrC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAEpC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAA;QACnE,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvD,IAAI,SAAS,EAAE,CAAC;YACd,6BAA6B;YAC7B,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,kCAAkC,UAAU,GAAG,CAChD,CAAA;QACH,CAAC;QAED,IAAI,CAAC;YACH,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,IAAI,4CAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;YACrE,CAAC;YAED,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,4BAA4B,EAC5B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,SAAS,CAAC,GAAG,EACb,SAAS,CAAC,OAAO,CAClB,CAAA;YAED,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;gBACxB,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,8BAA8B,EAC9B,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;gBACD,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;oBAClC,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,iBAAiB,EACjB,SAAS,CAAC,QAAQ,CACnB,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,IACL,MAAM,CAAC,cAAc,CAAC,8CAA8C,EACpE,CAAC;gBACD,MAAM,IAAI,4CAAkB,CAC1B,MAAM,EACN,+BAA+B,EAC/B,SAAS,CAAC,QAAQ,CACnB,CAAA;YACH,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;YACzE,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,EAAE;oBAC/C,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,QAAQ;iBACT,CAAC,CAAA;gBAEF,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAA;gBAExD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,QAAQ,IAAI,IAAI,EAAE,CAAA;YACvD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,IAAI,QAAQ,CAAC,YAAY,CAAC,CAAA;gBAEpE,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iEAAiE;YACjE,gCAAgC;YAChC,MAAM,4CAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAA;QAChE,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CACX,GAAW,EACX,UAA4B,MAAM;QAElC,2DAA2D;QAC3D,IAAA,+BAAgB,EAAC,GAAG,CAAC,CAAA;QAErB,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE;YAC9D,OAAO,EAAE,OAAO,KAAK,IAAI;YACzB,UAAU,EAAE,OAAO,KAAK,KAAK;SAC9B,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE;YACxE,OAAO,EAAE,OAAO,KAAK,IAAI;YACzB,UAAU,EAAE,OAAO,KAAK,KAAK;SAC9B,CAAC,CAAA;QAEF,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IACxC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,2DAA2D;QAC3D,IAAA,+BAAgB,EAAC,GAAG,CAAC,CAAA;QAErB,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE;YAC9D,UAAU,EAAE,IAAI;SACjB,CAAC,CAAA;QAEF,0EAA0E;QAC1E,2EAA2E;QAC3E,QAAQ;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;YACzE,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QAC5C,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,0CAAiB,CAAC,GAAG,CAAC,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IAES,aAAa,CACrB,MAAwB,EACxB,GAAe;QAEf,OAAO,IAAI,+BAAY,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;IACtE,CAAC;CACF;AA9YD,kCA8YC"}
|
|
@@ -3,12 +3,16 @@ import { CachedGetter, GetCachedOptions, SimpleStore } from '@atproto-labs/simpl
|
|
|
3
3
|
import { OAuthProtectedResourceMetadata } from '@atproto/oauth-types';
|
|
4
4
|
export type { GetCachedOptions, OAuthProtectedResourceMetadata };
|
|
5
5
|
export type ProtectedResourceMetadataCache = SimpleStore<string, OAuthProtectedResourceMetadata>;
|
|
6
|
+
export type OAuthProtectedResourceMetadataResolverConfig = {
|
|
7
|
+
allowHttpResource?: boolean;
|
|
8
|
+
};
|
|
6
9
|
/**
|
|
7
10
|
* @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05}
|
|
8
11
|
*/
|
|
9
12
|
export declare class OAuthProtectedResourceMetadataResolver extends CachedGetter<string, OAuthProtectedResourceMetadata> {
|
|
10
13
|
private readonly fetch;
|
|
11
|
-
|
|
14
|
+
private readonly allowHttpResource;
|
|
15
|
+
constructor(cache: ProtectedResourceMetadataCache, fetch?: Fetch, config?: OAuthProtectedResourceMetadataResolverConfig);
|
|
12
16
|
get(resource: string | URL, options?: GetCachedOptions): Promise<OAuthProtectedResourceMetadata>;
|
|
13
17
|
private fetchMetadata;
|
|
14
18
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-protected-resource-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,
|
|
1
|
+
{"version":3,"file":"oauth-protected-resource-metadata-resolver.d.ts","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,EAIN,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACZ,MAAM,4BAA4B,CAAA;AACnC,OAAO,EACL,8BAA8B,EAE/B,MAAM,sBAAsB,CAAA;AAG7B,YAAY,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,CAAA;AAEhE,MAAM,MAAM,8BAA8B,GAAG,WAAW,CACtD,MAAM,EACN,8BAA8B,CAC/B,CAAA;AAED,MAAM,MAAM,4CAA4C,GAAG;IACzD,iBAAiB,CAAC,EAAE,OAAO,CAAA;CAC5B,CAAA;AAED;;GAEG;AACH,qBAAa,sCAAuC,SAAQ,YAAY,CACtE,MAAM,EACN,8BAA8B,CAC/B;IACC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;gBAGzC,KAAK,EAAE,8BAA8B,EACrC,KAAK,GAAE,KAAwB,EAC/B,MAAM,CAAC,EAAE,4CAA4C;IAQjD,GAAG,CACP,QAAQ,EAAE,MAAM,GAAG,GAAG,EACtB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,8BAA8B,CAAC;YAkB5B,aAAa;CA8C5B"}
|
|
@@ -4,12 +4,12 @@ exports.OAuthProtectedResourceMetadataResolver = void 0;
|
|
|
4
4
|
const fetch_1 = require("@atproto-labs/fetch");
|
|
5
5
|
const simple_store_1 = require("@atproto-labs/simple-store");
|
|
6
6
|
const oauth_types_1 = require("@atproto/oauth-types");
|
|
7
|
-
const
|
|
7
|
+
const util_js_1 = require("./util.js");
|
|
8
8
|
/**
|
|
9
9
|
* @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05}
|
|
10
10
|
*/
|
|
11
11
|
class OAuthProtectedResourceMetadataResolver extends simple_store_1.CachedGetter {
|
|
12
|
-
constructor(cache, fetch = globalThis.fetch) {
|
|
12
|
+
constructor(cache, fetch = globalThis.fetch, config) {
|
|
13
13
|
super(async (origin, options) => this.fetchMetadata(origin, options), cache);
|
|
14
14
|
Object.defineProperty(this, "fetch", {
|
|
15
15
|
enumerable: true,
|
|
@@ -17,24 +17,31 @@ class OAuthProtectedResourceMetadataResolver extends simple_store_1.CachedGetter
|
|
|
17
17
|
writable: true,
|
|
18
18
|
value: void 0
|
|
19
19
|
});
|
|
20
|
+
Object.defineProperty(this, "allowHttpResource", {
|
|
21
|
+
enumerable: true,
|
|
22
|
+
configurable: true,
|
|
23
|
+
writable: true,
|
|
24
|
+
value: void 0
|
|
25
|
+
});
|
|
20
26
|
this.fetch = (0, fetch_1.bindFetch)(fetch);
|
|
27
|
+
this.allowHttpResource = config?.allowHttpResource === true;
|
|
21
28
|
}
|
|
22
29
|
async get(resource, options) {
|
|
23
30
|
const { protocol, origin } = new URL(resource);
|
|
24
|
-
if (protocol
|
|
25
|
-
(
|
|
26
|
-
|
|
31
|
+
if (protocol !== 'https:' && protocol !== 'http:') {
|
|
32
|
+
throw new TypeError(`Invalid protected resource metadata URL protocol: ${protocol}`);
|
|
33
|
+
}
|
|
34
|
+
if (protocol === 'http:' && !this.allowHttpResource) {
|
|
35
|
+
throw new TypeError(`Unsecure resource metadata URL (${protocol}) only allowed in development and test environments`);
|
|
27
36
|
}
|
|
28
|
-
|
|
37
|
+
return super.get(origin, options);
|
|
29
38
|
}
|
|
30
39
|
async fetchMetadata(origin, options) {
|
|
31
|
-
const headers = new Headers([['accept', 'application/json']]);
|
|
32
|
-
if (options?.noCache)
|
|
33
|
-
headers.set('cache-control', 'no-cache');
|
|
34
40
|
const url = new URL(`/.well-known/oauth-protected-resource`, origin);
|
|
35
41
|
const request = new Request(url, {
|
|
36
42
|
signal: options?.signal,
|
|
37
|
-
headers,
|
|
43
|
+
headers: { accept: 'application/json' },
|
|
44
|
+
cache: options?.noCache ? 'no-cache' : undefined,
|
|
38
45
|
redirect: 'manual', // response must be 200 OK
|
|
39
46
|
});
|
|
40
47
|
const response = await this.fetch(request);
|
|
@@ -43,7 +50,7 @@ class OAuthProtectedResourceMetadataResolver extends simple_store_1.CachedGetter
|
|
|
43
50
|
await (0, fetch_1.cancelBody)(response, 'log');
|
|
44
51
|
throw await fetch_1.FetchResponseError.from(response, `Unexpected status code ${response.status} for "${url}"`, undefined, { cause: request });
|
|
45
52
|
}
|
|
46
|
-
if ((0,
|
|
53
|
+
if ((0, util_js_1.contentMime)(response.headers) !== 'application/json') {
|
|
47
54
|
await (0, fetch_1.cancelBody)(response, 'log');
|
|
48
55
|
throw await fetch_1.FetchResponseError.from(response, `Unexpected content type for "${url}"`, undefined, { cause: request });
|
|
49
56
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-protected-resource-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,+CAK4B;AAC5B,6DAImC;AACnC,
|
|
1
|
+
{"version":3,"file":"oauth-protected-resource-metadata-resolver.js","sourceRoot":"","sources":["../src/oauth-protected-resource-metadata-resolver.ts"],"names":[],"mappings":";;;AAAA,+CAK4B;AAC5B,6DAImC;AACnC,sDAG6B;AAC7B,uCAAuC;AAavC;;GAEG;AACH,MAAa,sCAAuC,SAAQ,2BAG3D;IAIC,YACE,KAAqC,EACrC,QAAe,UAAU,CAAC,KAAK,EAC/B,MAAqD;QAErD,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA;QAR7D;;;;;WAAqB;QACrB;;;;;WAA0B;QASzC,IAAI,CAAC,KAAK,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAA;QAC7B,IAAI,CAAC,iBAAiB,GAAG,MAAM,EAAE,iBAAiB,KAAK,IAAI,CAAA;IAC7D,CAAC;IAED,KAAK,CAAC,GAAG,CACP,QAAsB,EACtB,OAA0B;QAE1B,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAA;QAE9C,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YAClD,MAAM,IAAI,SAAS,CACjB,qDAAqD,QAAQ,EAAE,CAChE,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACpD,MAAM,IAAI,SAAS,CACjB,mCAAmC,QAAQ,qDAAqD,CACjG,CAAA;QACH,CAAC;QAED,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,OAA0B;QAE1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,uCAAuC,EAAE,MAAM,CAAC,CAAA;QACpE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YAC/B,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAChD,QAAQ,EAAE,QAAQ,EAAE,0BAA0B;SAC/C,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAE1C,0FAA0F;QAC1F,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,0BAA0B,QAAQ,CAAC,MAAM,SAAS,GAAG,GAAG,EACxD,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,IAAI,IAAA,qBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACzD,MAAM,IAAA,kBAAU,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;YACjC,MAAM,MAAM,0BAAkB,CAAC,IAAI,CACjC,QAAQ,EACR,gCAAgC,GAAG,GAAG,EACtC,SAAS,EACT,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,kDAAoC,CAAC,KAAK,CACzD,MAAM,QAAQ,CAAC,IAAI,EAAE,CACtB,CAAA;QAED,0FAA0F;QAC1F,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACjC,MAAM,IAAI,SAAS,CAAC,kBAAkB,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAA;QAC5D,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AArFD,wFAqFC"}
|
package/dist/oauth-resolver.d.ts
CHANGED
|
@@ -30,7 +30,7 @@ export declare class OAuthResolver {
|
|
|
30
30
|
resolveIdentity(input: string, options?: ResolveIdentityOptions): Promise<ResolvedIdentity>;
|
|
31
31
|
getAuthorizationServerMetadata(issuer: string, options?: GetCachedOptions): Promise<OAuthAuthorizationServerMetadata>;
|
|
32
32
|
getResourceServerMetadata(pdsUrl: string | URL, options?: GetCachedOptions): Promise<{
|
|
33
|
-
issuer: string
|
|
33
|
+
issuer: `http://${string}` | `https://${string}`;
|
|
34
34
|
authorization_endpoint: string;
|
|
35
35
|
token_endpoint: string;
|
|
36
36
|
jwks_uri?: string | undefined;
|
|
@@ -45,7 +45,7 @@ export declare class OAuthResolver {
|
|
|
45
45
|
response_types_supported?: string[] | undefined;
|
|
46
46
|
response_modes_supported?: string[] | undefined;
|
|
47
47
|
grant_types_supported?: string[] | undefined;
|
|
48
|
-
code_challenge_methods_supported?:
|
|
48
|
+
code_challenge_methods_supported?: ("S256" | "plain")[] | undefined;
|
|
49
49
|
ui_locales_supported?: string[] | undefined;
|
|
50
50
|
id_token_signing_alg_values_supported?: string[] | undefined;
|
|
51
51
|
display_values_supported?: string[] | undefined;
|
|
@@ -1,18 +1,20 @@
|
|
|
1
1
|
import { Fetch, Json } from '@atproto-labs/fetch';
|
|
2
2
|
import { SimpleStore } from '@atproto-labs/simple-store';
|
|
3
|
+
import { AtprotoDid } from '@atproto/did';
|
|
3
4
|
import { Key, Keyset } from '@atproto/jwk';
|
|
4
|
-
import { OAuthAuthorizationServerMetadata,
|
|
5
|
+
import { OAuthAuthorizationRequestPar, OAuthAuthorizationServerMetadata, OAuthClientCredentials, OAuthEndpointName, OAuthParResponse, OAuthTokenRequest } from '@atproto/oauth-types';
|
|
6
|
+
import { AtprotoScope, AtprotoTokenResponse } from './atproto-token-response.js';
|
|
5
7
|
import { OAuthResolver } from './oauth-resolver.js';
|
|
6
8
|
import { Runtime } from './runtime.js';
|
|
7
9
|
import { ClientMetadata } from './types.js';
|
|
8
10
|
export type TokenSet = {
|
|
9
11
|
iss: string;
|
|
10
|
-
sub:
|
|
12
|
+
sub: AtprotoDid;
|
|
11
13
|
aud: string;
|
|
12
|
-
scope:
|
|
14
|
+
scope: AtprotoScope;
|
|
13
15
|
refresh_token?: string;
|
|
14
16
|
access_token: string;
|
|
15
|
-
token_type:
|
|
17
|
+
token_type: 'DPoP';
|
|
16
18
|
/** ISO Date */
|
|
17
19
|
expires_at?: string;
|
|
18
20
|
};
|
|
@@ -24,11 +26,12 @@ export declare class OAuthServerAgent {
|
|
|
24
26
|
readonly dpopNonces: DpopNonceCache;
|
|
25
27
|
readonly oauthResolver: OAuthResolver;
|
|
26
28
|
readonly runtime: Runtime;
|
|
27
|
-
readonly keyset?: Keyset
|
|
29
|
+
readonly keyset?: Keyset | undefined;
|
|
28
30
|
protected dpopFetch: Fetch<unknown>;
|
|
29
|
-
constructor(dpopKey: Key, serverMetadata: OAuthAuthorizationServerMetadata, clientMetadata: ClientMetadata, dpopNonces: DpopNonceCache, oauthResolver: OAuthResolver, runtime: Runtime, keyset?: Keyset
|
|
31
|
+
constructor(dpopKey: Key, serverMetadata: OAuthAuthorizationServerMetadata, clientMetadata: ClientMetadata, dpopNonces: DpopNonceCache, oauthResolver: OAuthResolver, runtime: Runtime, keyset?: Keyset | undefined, fetch?: Fetch);
|
|
32
|
+
get issuer(): `http://${string}` | `https://${string}`;
|
|
30
33
|
revoke(token: string): Promise<void>;
|
|
31
|
-
exchangeCode(code: string,
|
|
34
|
+
exchangeCode(code: string, codeVerifier?: string): Promise<TokenSet>;
|
|
32
35
|
refresh(tokenSet: TokenSet): Promise<TokenSet>;
|
|
33
36
|
/**
|
|
34
37
|
* VERY IMPORTANT ! Always call this to process token responses.
|
|
@@ -37,14 +40,14 @@ export declare class OAuthServerAgent {
|
|
|
37
40
|
* "sub" is a DID, whose issuer authority is indeed the server we just
|
|
38
41
|
* obtained credentials from. This check is a critical step to actually be
|
|
39
42
|
* able to use the "sub" (DID) as being the actual user's identifier.
|
|
43
|
+
*
|
|
44
|
+
* @returns The user's PDS URL (the resource server for the user)
|
|
40
45
|
*/
|
|
41
|
-
|
|
42
|
-
request(endpoint: 'token'
|
|
43
|
-
request(endpoint: 'pushed_authorization_request', payload: Record<string, unknown>): Promise<OAuthParResponse>;
|
|
44
|
-
request(endpoint: OAuthEndpointName, payload: Record<string, unknown>): Promise<Json>;
|
|
46
|
+
protected verifyIssuer(sub: AtprotoDid): Promise<string>;
|
|
47
|
+
request<Endpoint extends OAuthEndpointName>(endpoint: Endpoint, payload: Endpoint extends 'token' ? OAuthTokenRequest : Endpoint extends 'pushed_authorization_request' ? OAuthAuthorizationRequestPar : Record<string, unknown>): Promise<Endpoint extends 'token' ? AtprotoTokenResponse : Endpoint extends 'pushed_authorization_request' ? OAuthParResponse : Json>;
|
|
45
48
|
buildClientAuth(endpoint: OAuthEndpointName): Promise<{
|
|
46
49
|
headers?: Record<string, string>;
|
|
47
|
-
payload:
|
|
50
|
+
payload: OAuthClientCredentials;
|
|
48
51
|
}>;
|
|
49
52
|
}
|
|
50
53
|
//# sourceMappingURL=oauth-server-agent.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-server-agent.d.ts","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,IAAI,EAAiC,MAAM,qBAAqB,CAAA;AAChF,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,gCAAgC,EAChC,
|
|
1
|
+
{"version":3,"file":"oauth-server-agent.d.ts","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,IAAI,EAAiC,MAAM,qBAAqB,CAAA;AAChF,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AACzC,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC1C,OAAO,EAEL,4BAA4B,EAC5B,gCAAgC,EAChC,sBAAsB,EACtB,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,EAElB,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EACL,YAAY,EACZ,oBAAoB,EAErB,MAAM,6BAA6B,CAAA;AAIpC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAEnD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAG3C,MAAM,MAAM,QAAQ,GAAG;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,UAAU,CAAA;IACf,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,YAAY,CAAA;IAEnB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,YAAY,EAAE,MAAM,CAAA;IACpB,UAAU,EAAE,MAAM,CAAA;IAClB,eAAe;IACf,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,MAAM,MAAM,cAAc,GAAG,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;AAExD,qBAAa,gBAAgB;IAIzB,QAAQ,CAAC,OAAO,EAAE,GAAG;IACrB,QAAQ,CAAC,cAAc,EAAE,gCAAgC;IACzD,QAAQ,CAAC,cAAc,EAAE,cAAc;IACvC,QAAQ,CAAC,UAAU,EAAE,cAAc;IACnC,QAAQ,CAAC,aAAa,EAAE,aAAa;IACrC,QAAQ,CAAC,OAAO,EAAE,OAAO;IACzB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM;IAT1B,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,CAAA;gBAGxB,OAAO,EAAE,GAAG,EACZ,cAAc,EAAE,gCAAgC,EAChD,cAAc,EAAE,cAAc,EAC9B,UAAU,EAAE,cAAc,EAC1B,aAAa,EAAE,aAAa,EAC5B,OAAO,EAAE,OAAO,EAChB,MAAM,CAAC,EAAE,MAAM,YAAA,EACxB,KAAK,CAAC,EAAE,KAAK;IAaf,IAAI,MAAM,6CAET;IAEK,MAAM,CAAC,KAAK,EAAE,MAAM;IAQpB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAuCpE,OAAO,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAuCpD;;;;;;;;;OASG;cACa,YAAY,CAAC,GAAG,EAAE,UAAU;IAmBtC,OAAO,CAAC,QAAQ,SAAS,iBAAiB,EAC9C,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,QAAQ,SAAS,OAAO,GAC7B,iBAAiB,GACjB,QAAQ,SAAS,8BAA8B,GAC7C,4BAA4B,GAC5B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B,OAAO,CACR,QAAQ,SAAS,OAAO,GACpB,oBAAoB,GACpB,QAAQ,SAAS,8BAA8B,GAC7C,gBAAgB,GAChB,IAAI,CACX;IA8BK,eAAe,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAAC;QAC1D,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QAChC,OAAO,EAAE,sBAAsB,CAAA;KAChC,CAAC;CA+DH"}
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
var __addDisposableResource = (this && this.__addDisposableResource) || function (env, value, async) {
|
|
3
3
|
if (value !== null && value !== void 0) {
|
|
4
4
|
if (typeof value !== "object" && typeof value !== "function") throw new TypeError("Object expected.");
|
|
5
|
-
var dispose;
|
|
5
|
+
var dispose, inner;
|
|
6
6
|
if (async) {
|
|
7
7
|
if (!Symbol.asyncDispose) throw new TypeError("Symbol.asyncDispose is not defined.");
|
|
8
8
|
dispose = value[Symbol.asyncDispose];
|
|
@@ -10,8 +10,10 @@ var __addDisposableResource = (this && this.__addDisposableResource) || function
|
|
|
10
10
|
if (dispose === void 0) {
|
|
11
11
|
if (!Symbol.dispose) throw new TypeError("Symbol.dispose is not defined.");
|
|
12
12
|
dispose = value[Symbol.dispose];
|
|
13
|
+
if (async) inner = dispose;
|
|
13
14
|
}
|
|
14
15
|
if (typeof dispose !== "function") throw new TypeError("Object not disposable.");
|
|
16
|
+
if (inner) dispose = function() { try { inner.call(this); } catch (e) { return Promise.reject(e); } };
|
|
15
17
|
env.stack.push({ value: value, dispose: dispose, async: async });
|
|
16
18
|
}
|
|
17
19
|
else if (async) {
|
|
@@ -25,17 +27,22 @@ var __disposeResources = (this && this.__disposeResources) || (function (Suppres
|
|
|
25
27
|
env.error = env.hasError ? new SuppressedError(e, env.error, "An error was suppressed during disposal.") : e;
|
|
26
28
|
env.hasError = true;
|
|
27
29
|
}
|
|
30
|
+
var r, s = 0;
|
|
28
31
|
function next() {
|
|
29
|
-
while (env.stack.
|
|
30
|
-
var rec = env.stack.pop();
|
|
32
|
+
while (r = env.stack.pop()) {
|
|
31
33
|
try {
|
|
32
|
-
|
|
33
|
-
if (
|
|
34
|
+
if (!r.async && s === 1) return s = 0, env.stack.push(r), Promise.resolve().then(next);
|
|
35
|
+
if (r.dispose) {
|
|
36
|
+
var result = r.dispose.call(r.value);
|
|
37
|
+
if (r.async) return s |= 2, Promise.resolve(result).then(next, function(e) { fail(e); return next(); });
|
|
38
|
+
}
|
|
39
|
+
else s |= 1;
|
|
34
40
|
}
|
|
35
41
|
catch (e) {
|
|
36
42
|
fail(e);
|
|
37
43
|
}
|
|
38
44
|
}
|
|
45
|
+
if (s === 1) return env.hasError ? Promise.reject(env.error) : Promise.resolve();
|
|
39
46
|
if (env.hasError) throw env.error;
|
|
40
47
|
}
|
|
41
48
|
return next();
|
|
@@ -48,6 +55,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
48
55
|
exports.OAuthServerAgent = void 0;
|
|
49
56
|
const fetch_1 = require("@atproto-labs/fetch");
|
|
50
57
|
const oauth_types_1 = require("@atproto/oauth-types");
|
|
58
|
+
const atproto_token_response_js_1 = require("./atproto-token-response.js");
|
|
51
59
|
const constants_js_1 = require("./constants.js");
|
|
52
60
|
const token_refresh_error_js_1 = require("./errors/token-refresh-error.js");
|
|
53
61
|
const fetch_dpop_js_1 = require("./fetch-dpop.js");
|
|
@@ -113,6 +121,9 @@ class OAuthServerAgent {
|
|
|
113
121
|
isAuthServer: true,
|
|
114
122
|
});
|
|
115
123
|
}
|
|
124
|
+
get issuer() {
|
|
125
|
+
return this.serverMetadata.issuer;
|
|
126
|
+
}
|
|
116
127
|
async revoke(token) {
|
|
117
128
|
try {
|
|
118
129
|
await this.request('revocation', { token });
|
|
@@ -121,15 +132,32 @@ class OAuthServerAgent {
|
|
|
121
132
|
// Don't care
|
|
122
133
|
}
|
|
123
134
|
}
|
|
124
|
-
async exchangeCode(code,
|
|
135
|
+
async exchangeCode(code, codeVerifier) {
|
|
136
|
+
const now = Date.now();
|
|
125
137
|
const tokenResponse = await this.request('token', {
|
|
126
138
|
grant_type: 'authorization_code',
|
|
127
139
|
redirect_uri: this.clientMetadata.redirect_uris[0],
|
|
128
140
|
code,
|
|
129
|
-
code_verifier:
|
|
141
|
+
code_verifier: codeVerifier,
|
|
130
142
|
});
|
|
131
143
|
try {
|
|
132
|
-
|
|
144
|
+
// /!\ IMPORTANT /!\
|
|
145
|
+
//
|
|
146
|
+
// The tokenResponse MUST always be valid before the "sub" it contains
|
|
147
|
+
// can be trusted (see Atproto's OAuth spec for details).
|
|
148
|
+
const aud = await this.verifyIssuer(tokenResponse.sub);
|
|
149
|
+
return {
|
|
150
|
+
aud,
|
|
151
|
+
sub: tokenResponse.sub,
|
|
152
|
+
iss: this.issuer,
|
|
153
|
+
scope: tokenResponse.scope,
|
|
154
|
+
refresh_token: tokenResponse.refresh_token,
|
|
155
|
+
access_token: tokenResponse.access_token,
|
|
156
|
+
token_type: tokenResponse.token_type,
|
|
157
|
+
expires_at: typeof tokenResponse.expires_in === 'number'
|
|
158
|
+
? new Date(now + tokenResponse.expires_in * 1000).toISOString()
|
|
159
|
+
: undefined,
|
|
160
|
+
};
|
|
133
161
|
}
|
|
134
162
|
catch (err) {
|
|
135
163
|
await this.revoke(tokenResponse.access_token);
|
|
@@ -140,23 +168,32 @@ class OAuthServerAgent {
|
|
|
140
168
|
if (!tokenSet.refresh_token) {
|
|
141
169
|
throw new token_refresh_error_js_1.TokenRefreshError(tokenSet.sub, 'No refresh token available');
|
|
142
170
|
}
|
|
171
|
+
// /!\ IMPORTANT /!\
|
|
172
|
+
//
|
|
173
|
+
// The "sub" MUST be a DID, whose issuer authority is indeed the server we
|
|
174
|
+
// are trying to obtain credentials from. Note that we are doing this
|
|
175
|
+
// *before* we actually try to refresh the token:
|
|
176
|
+
// 1) To avoid unnecessary refresh
|
|
177
|
+
// 2) So that the refresh is the last async operation, ensuring as few
|
|
178
|
+
// async operations happen before the result gets a chance to be stored.
|
|
179
|
+
const aud = await this.verifyIssuer(tokenSet.sub);
|
|
180
|
+
const now = Date.now();
|
|
143
181
|
const tokenResponse = await this.request('token', {
|
|
144
182
|
grant_type: 'refresh_token',
|
|
145
183
|
refresh_token: tokenSet.refresh_token,
|
|
146
184
|
});
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
}
|
|
185
|
+
return {
|
|
186
|
+
aud,
|
|
187
|
+
sub: tokenSet.sub,
|
|
188
|
+
iss: this.issuer,
|
|
189
|
+
scope: tokenResponse.scope,
|
|
190
|
+
refresh_token: tokenResponse.refresh_token,
|
|
191
|
+
access_token: tokenResponse.access_token,
|
|
192
|
+
token_type: tokenResponse.token_type,
|
|
193
|
+
expires_at: typeof tokenResponse.expires_in === 'number'
|
|
194
|
+
? new Date(now + tokenResponse.expires_in * 1000).toISOString()
|
|
195
|
+
: undefined,
|
|
196
|
+
};
|
|
160
197
|
}
|
|
161
198
|
/**
|
|
162
199
|
* VERY IMPORTANT ! Always call this to process token responses.
|
|
@@ -165,43 +202,25 @@ class OAuthServerAgent {
|
|
|
165
202
|
* "sub" is a DID, whose issuer authority is indeed the server we just
|
|
166
203
|
* obtained credentials from. This check is a critical step to actually be
|
|
167
204
|
* able to use the "sub" (DID) as being the actual user's identifier.
|
|
205
|
+
*
|
|
206
|
+
* @returns The user's PDS URL (the resource server for the user)
|
|
168
207
|
*/
|
|
169
|
-
async
|
|
208
|
+
async verifyIssuer(sub) {
|
|
170
209
|
const env_1 = { stack: [], error: void 0, hasError: false };
|
|
171
210
|
try {
|
|
172
|
-
const { sub } = tokenResponse;
|
|
173
|
-
if (!sub || typeof sub !== 'string') {
|
|
174
|
-
throw new TypeError(`Unexpected ${typeof sub} "sub" in token response`);
|
|
175
|
-
}
|
|
176
|
-
// Using an array to check for the presence of the "atproto" scope (we don't
|
|
177
|
-
// want atproto to be a substring of another scope)
|
|
178
|
-
const scopes = tokenResponse.scope?.split(' ');
|
|
179
|
-
if (!scopes?.includes('atproto')) {
|
|
180
|
-
throw new TypeError('Missing "atproto" scope in token response');
|
|
181
|
-
}
|
|
182
|
-
// @TODO (?) make timeout configurable
|
|
183
211
|
const signal = __addDisposableResource(env_1, (0, util_js_1.timeoutSignal)(10e3), false);
|
|
184
212
|
const resolved = await this.oauthResolver.resolveFromIdentity(sub, {
|
|
213
|
+
noCache: true,
|
|
214
|
+
allowStale: false,
|
|
185
215
|
signal,
|
|
186
216
|
});
|
|
187
|
-
if (this.
|
|
217
|
+
if (this.issuer !== resolved.metadata.issuer) {
|
|
188
218
|
// Best case scenario; the user switched PDS. Worst case scenario; a bad
|
|
189
219
|
// actor is trying to impersonate a user. In any case, we must not allow
|
|
190
220
|
// this token to be used.
|
|
191
221
|
throw new TypeError('Issuer mismatch');
|
|
192
222
|
}
|
|
193
|
-
return
|
|
194
|
-
aud: resolved.identity.pds.href,
|
|
195
|
-
iss: resolved.metadata.issuer,
|
|
196
|
-
sub,
|
|
197
|
-
scope: tokenResponse.scope,
|
|
198
|
-
refresh_token: tokenResponse.refresh_token,
|
|
199
|
-
access_token: tokenResponse.access_token,
|
|
200
|
-
token_type: tokenResponse.token_type ?? 'Bearer',
|
|
201
|
-
expires_at: typeof tokenResponse.expires_in === 'number'
|
|
202
|
-
? new Date(Date.now() + tokenResponse.expires_in * 1000).toISOString()
|
|
203
|
-
: undefined,
|
|
204
|
-
};
|
|
223
|
+
return resolved.identity.pds.href;
|
|
205
224
|
}
|
|
206
225
|
catch (e_1) {
|
|
207
226
|
env_1.error = e_1;
|
|
@@ -224,7 +243,7 @@ class OAuthServerAgent {
|
|
|
224
243
|
if (response.ok) {
|
|
225
244
|
switch (endpoint) {
|
|
226
245
|
case 'token':
|
|
227
|
-
return
|
|
246
|
+
return atproto_token_response_js_1.atprotoTokenResponseSchema.parse(json);
|
|
228
247
|
case 'pushed_authorization_request':
|
|
229
248
|
return oauth_types_1.oauthParResponseSchema.parse(json);
|
|
230
249
|
default:
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth-server-agent.js","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"oauth-server-agent.js","sourceRoot":"","sources":["../src/oauth-server-agent.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAgF;AAIhF,sDAS6B;AAE7B,2EAIoC;AACpC,iDAA6C;AAC7C,4EAAmE;AACnE,mDAAkD;AAElD,uEAA8D;AAG9D,uCAAyC;AAiBzC,MAAa,gBAAgB;IAG3B,YACW,OAAY,EACZ,cAAgD,EAChD,cAA8B,EAC9B,UAA0B,EAC1B,aAA4B,EAC5B,OAAgB,EAChB,MAAe,EACxB,KAAa;QAPb;;;;mBAAS,OAAO;WAAK;QACrB;;;;mBAAS,cAAc;WAAkC;QACzD;;;;mBAAS,cAAc;WAAgB;QACvC;;;;mBAAS,UAAU;WAAgB;QACnC;;;;mBAAS,aAAa;WAAe;QACrC;;;;mBAAS,OAAO;WAAS;QACzB;;;;mBAAS,MAAM;WAAS;QAThB;;;;;WAAyB;QAYjC,IAAI,CAAC,SAAS,GAAG,IAAA,gCAAgB,EAAO;YACtC,KAAK,EAAE,IAAA,iBAAS,EAAC,KAAK,CAAC;YACvB,GAAG,EAAE,cAAc,CAAC,SAAS;YAC7B,GAAG,EAAE,OAAO;YACZ,aAAa,EAAE,cAAc,CAAC,iCAAiC;YAC/D,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;YACtC,MAAM,EAAE,UAAU;YAClB,YAAY,EAAE,IAAI;SACnB,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,cAAc,CAAC,MAAM,CAAA;IACnC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,aAAa;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,YAAqB;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEtB,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAChD,UAAU,EAAE,oBAAoB;YAChC,YAAY,EAAE,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAE;YACnD,IAAI;YACJ,aAAa,EAAE,YAAY;SAC5B,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,oBAAoB;YACpB,EAAE;YACF,sEAAsE;YACtE,yDAAyD;YACzD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,GAAG,CAAC,CAAA;YAEtD,OAAO;gBACL,GAAG;gBACH,GAAG,EAAE,aAAa,CAAC,GAAG;gBACtB,GAAG,EAAE,IAAI,CAAC,MAAM;gBAEhB,KAAK,EAAE,aAAa,CAAC,KAAK;gBAC1B,aAAa,EAAE,aAAa,CAAC,aAAa;gBAC1C,YAAY,EAAE,aAAa,CAAC,YAAY;gBACxC,UAAU,EAAE,aAAa,CAAC,UAAU;gBAEpC,UAAU,EACR,OAAO,aAAa,CAAC,UAAU,KAAK,QAAQ;oBAC1C,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,GAAG,aAAa,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;oBAC/D,CAAC,CAAC,SAAS;aAChB,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,YAAY,CAAC,CAAA;YAE7C,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,QAAkB;QAC9B,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;YAC5B,MAAM,IAAI,0CAAiB,CAAC,QAAQ,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAA;QACzE,CAAC;QAED,oBAAoB;QACpB,EAAE;QACF,0EAA0E;QAC1E,qEAAqE;QACrE,iDAAiD;QACjD,kCAAkC;QAClC,sEAAsE;QACtE,2EAA2E;QAC3E,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;QAEjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEtB,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAChD,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,QAAQ,CAAC,aAAa;SACtC,CAAC,CAAA;QAEF,OAAO;YACL,GAAG;YACH,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,GAAG,EAAE,IAAI,CAAC,MAAM;YAEhB,KAAK,EAAE,aAAa,CAAC,KAAK;YAC1B,aAAa,EAAE,aAAa,CAAC,aAAa;YAC1C,YAAY,EAAE,aAAa,CAAC,YAAY;YACxC,UAAU,EAAE,aAAa,CAAC,UAAU;YAEpC,UAAU,EACR,OAAO,aAAa,CAAC,UAAU,KAAK,QAAQ;gBAC1C,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,GAAG,aAAa,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;gBAC/D,CAAC,CAAC,SAAS;SAChB,CAAA;IACH,CAAC;IAED;;;;;;;;;OASG;IACO,KAAK,CAAC,YAAY,CAAC,GAAe;;;YAC1C,MAAM,MAAM,kCAAG,IAAA,uBAAa,EAAC,IAAI,CAAC,QAAA,CAAA;YAElC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAAC,GAAG,EAAE;gBACjE,OAAO,EAAE,IAAI;gBACb,UAAU,EAAE,KAAK;gBACjB,MAAM;aACP,CAAC,CAAA;YAEF,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAC7C,wEAAwE;gBACxE,wEAAwE;gBACxE,yBAAyB;gBACzB,MAAM,IAAI,SAAS,CAAC,iBAAiB,CAAC,CAAA;YACxC,CAAC;YAED,OAAO,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAA;;;;;;;;;KAClC;IAgBD,KAAK,CAAC,OAAO,CACX,QAA2B,EAC3B,OAAgC;QAEhC,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,QAAQ,WAAW,CAAC,CAAA;QACvD,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,MAAM,QAAQ,qBAAqB,CAAC,CAAA;QAE9D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAA;QAEjD,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;YACnD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAChE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;SACtD,CAAC,CAAC,IAAI,CAAC,IAAA,0BAAkB,GAAE,CAAC,CAAA;QAE7B,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YAChB,QAAQ,QAAQ,EAAE,CAAC;gBACjB,KAAK,OAAO;oBACV,OAAO,sDAA0B,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC/C,KAAK,8BAA8B;oBACjC,OAAO,oCAAsB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAC3C;oBACE,OAAO,IAAI,CAAA;YACf,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,4CAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,QAA2B;QAI/C,MAAM,eAAe,GACnB,IAAI,CAAC,cAAc,CAAC,uCAAuC,CAAC,CAAA;QAE9D,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,4BAA4B,CAAC,CAAA;QAEhE,IACE,MAAM,KAAK,iBAAiB;YAC5B,CAAC,IAAI,CAAC,MAAM;gBACV,CAAC,MAAM;gBACP,CAAC,eAAe,EAAE,QAAQ,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,CAAC,EAC1D,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,MAAM;gBAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;YAExD,IAAI,CAAC;gBACH,MAAM,GAAG,GACP,IAAI,CAAC,cAAc,CACjB,kDAAkD,CACnD,IAAI,2BAAY,CAAA;gBAEnB,wEAAwE;gBACxE,wEAAwE;gBACxE,wDAAwD;gBACxD,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI;qBACvC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC;qBACrB,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAA;gBAEpD,OAAO;oBACL,OAAO,EAAE;wBACP,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;wBACxC,qBAAqB,EAAE,8CAAgC;wBACvD,gBAAgB,EAAE,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAC3C,EAAE,GAAG,EAAE,GAAG,EAAE,EACZ;4BACE,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;4BAClC,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;4BAClC,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,MAAM;4BAC/B,GAAG,EAAE,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE;4BACvC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;yBACnC,CACF;qBACF;iBACF,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,MAAM,KAAK,iBAAiB;oBAAE,MAAM,GAAG,CAAA;gBAE3C,uBAAuB;YACzB,CAAC;QACH,CAAC;QAED,IACE,MAAM,KAAK,MAAM;YACjB,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,CAAC,EACxD,CAAC;YACD,OAAO;gBACL,OAAO,EAAE;oBACP,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS;iBACzC;aACF,CAAA;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,eAAe,QAAQ,wBAAwB,CAAC,CAAA;IAClE,CAAC;CACF;AA5PD,4CA4PC"}
|