@atproto/oauth-provider-api 0.0.1 → 0.1.0

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @atproto/oauth-provider-api
 
+## 0.1.0
+
+### Minor Changes
+
+- [#3659](https://github.com/bluesky-social/atproto/pull/3659) [`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Various adaptations
+
+### Patch Changes
+
+- Updated dependencies [[`371e04aad`](https://github.com/bluesky-social/atproto/commit/371e04aad2a3e8ae3fe185ce15fc8eb051cab78e), [`26a077716`](https://github.com/bluesky-social/atproto/commit/26a07771673bf1090a61efb7c970235f0b2509fc)]:
+  - @atproto/oauth-types@0.2.5
+  - @atproto/jwk@0.1.5
+
 ## 0.0.1
 
 ### Patch Changes

package/dist/api-endpoints.d.ts

@@ -0,0 +1,203 @@
+import type { SignedJwt } from '@atproto/jwk';
+import type { OAuthClientMetadata } from '@atproto/oauth-types';
+import type { Account, DeviceMetadata, ISODateString } from './types.js';
+export type ApiEndpoints = {
+    '/verify-handle-availability': {
+        method: 'POST';
+        input: VerifyHandleAvailabilityInput;
+        output: {
+            available: true;
+        };
+    };
+    '/sign-up': {
+        method: 'POST';
+        input: SignUpInput;
+        output: SignUpOutput;
+    };
+    '/sign-in': {
+        method: 'POST';
+        input: SignInInput;
+        output: SignInOutput;
+    };
+    '/reset-password-request': {
+        method: 'POST';
+        input: InitiatePasswordResetInput;
+        output: {
+            success: true;
+        };
+    };
+    '/reset-password-confirm': {
+        method: 'POST';
+        input: ConfirmResetPasswordInput;
+        output: {
+            success: true;
+        };
+    };
+    '/sign-out': {
+        method: 'POST';
+        input: SignOutInput;
+        output: {
+            success: true;
+        };
+    };
+    /**
+     * Lists all the accounts that are currently active, on the current device.
+     */
+    '/device-sessions': {
+        method: 'GET';
+        output: ActiveDeviceSession[];
+    };
+    /**
+     * Lists all the active OAuth sessions (access/refresh tokens) that where
+     * issued to OAuth clients (apps).
+     *
+     * @NOTE can be revoked using the oauth revocation endpoint (json or form
+     * encoded)
+     *
+     * ```http
+     * POST /oauth/revoke
+     * Content-Type: application/x-www-form-urlencoded
+     *
+     * token=<tokenId>
+     * ```
+     */
+    '/oauth-sessions': {
+        method: 'GET';
+        params: {
+            sub: string;
+        };
+        output: ActiveOAuthSession[];
+    };
+    '/revoke-oauth-session': {
+        method: 'POST';
+        input: RevokeOAuthSessionInput;
+        output: {
+            success: true;
+        };
+    };
+    /**
+     * Lists all the sessions that are currently active for a particular user, on
+     * other devices.
+     */
+    '/account-sessions': {
+        method: 'GET';
+        params: {
+            sub: string;
+        };
+        output: ActiveAccountSession[];
+    };
+    '/revoke-account-session': {
+        method: 'POST';
+        input: RevokeAccountSessionInput;
+        output: {
+            success: true;
+        };
+    };
+    '/accept': {
+        method: 'POST';
+        input: AcceptInput;
+        output: {
+            url: string;
+        };
+    };
+    '/reject': {
+        method: 'POST';
+        input: RejectInput;
+        output: {
+            url: string;
+        };
+    };
+};
+/**
+ * When a user signs in without the "remember me" option, the server returns an
+ * ephemeral token. When used as `Bearer` authorization header, the token will
+ * be used in order to authenticate the users in place of using the user's
+ * cookie based session (which are only created when "remember me" is checked).
+ *
+ * Only include this token in the `Authorization` header when making requests to
+ * the OAuth provider API, **FOR THE ACCOUNT IT WAS GENERATED FOR**.
+ */
+export type EphemeralToken = SignedJwt;
+export type SignInInput = {
+    locale: string;
+    username: string;
+    password: string;
+    emailOtp?: string;
+    remember?: boolean;
+};
+export type SignInOutput = {
+    account: Account;
+    ephemeralToken?: EphemeralToken;
+    consentRequired?: boolean;
+};
+export type SignUpInput = {
+    locale: string;
+    handle: string;
+    email: string;
+    password: string;
+    inviteCode?: string;
+    hcaptchaToken?: string;
+};
+export type SignUpOutput = {
+    account: Account;
+    ephemeralToken?: EphemeralToken;
+};
+export type SignOutInput = {
+    sub: string | string[];
+};
+export type InitiatePasswordResetInput = {
+    locale: string;
+    email: string;
+};
+export type ConfirmResetPasswordInput = {
+    token: string;
+    password: string;
+};
+export type VerifyHandleAvailabilityInput = {
+    handle: string;
+};
+export type RevokeAccountSessionInput = {
+    sub: string;
+    deviceId: string;
+};
+export type RevokeOAuthSessionInput = {
+    sub: string;
+    tokenId: string;
+};
+export type AcceptInput = {
+    sub: string;
+};
+export type RejectInput = Record<string, never>;
+/**
+ * Represents an account that is currently signed-in to the Authorization
+ * Server. If the session was created too long ago, the user may be required to
+ * re-authenticate ({@link ActiveDeviceSession.loginRequired}).
+ */
+export type ActiveDeviceSession = {
+    account: Account;
+    /**
+     * The session is too old and the user must re-authenticate.
+     */
+    loginRequired: boolean;
+};
+/**
+ * Represents another device on which an account is currently signed-in.
+ */
+export type ActiveAccountSession = {
+    deviceId: string;
+    deviceMetadata: DeviceMetadata;
+    isCurrentDevice: boolean;
+};
+/**
+ * Represents an active OAuth session (access token).
+ */
+export type ActiveOAuthSession = {
+    tokenId: string;
+    createdAt: ISODateString;
+    updatedAt: ISODateString;
+    clientId: string;
+    /** An "undefined" value means that the client metadata could not be fetched */
+    clientMetadata?: OAuthClientMetadata;
+    scope?: string;
+};
+//# sourceMappingURL=api-endpoints.d.ts.map

package/dist/api-endpoints.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-endpoints.d.ts","sourceRoot":"","sources":["../src/api-endpoints.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAA;AAC7C,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAA;AAC/D,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AAKxE,MAAM,MAAM,YAAY,GAAG;IACzB,6BAA6B,EAAE;QAC7B,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,6BAA6B,CAAA;QACpC,MAAM,EAAE;YAAE,SAAS,EAAE,IAAI,CAAA;SAAE,CAAA;KAC5B,CAAA;IACD,UAAU,EAAE;QACV,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,WAAW,CAAA;QAClB,MAAM,EAAE,YAAY,CAAA;KACrB,CAAA;IACD,UAAU,EAAE;QACV,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,WAAW,CAAA;QAClB,MAAM,EAAE,YAAY,CAAA;KACrB,CAAA;IACD,yBAAyB,EAAE;QACzB,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,0BAA0B,CAAA;QACjC,MAAM,EAAE;YAAE,OAAO,EAAE,IAAI,CAAA;SAAE,CAAA;KAC1B,CAAA;IACD,yBAAyB,EAAE;QACzB,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,yBAAyB,CAAA;QAChC,MAAM,EAAE;YAAE,OAAO,EAAE,IAAI,CAAA;SAAE,CAAA;KAC1B,CAAA;IACD,WAAW,EAAE;QACX,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,YAAY,CAAA;QACnB,MAAM,EAAE;YAAE,OAAO,EAAE,IAAI,CAAA;SAAE,CAAA;KAC1B,CAAA;IACD;;OAEG;IACH,kBAAkB,EAAE;QAClB,MAAM,EAAE,KAAK,CAAA;QACb,MAAM,EAAE,mBAAmB,EAAE,CAAA;KAC9B,CAAA;IACD;;;;;;;;;;;;;OAaG;IACH,iBAAiB,EAAE;QACjB,MAAM,EAAE,KAAK,CAAA;QACb,MAAM,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAA;QACvB,MAAM,EAAE,kBAAkB,EAAE,CAAA;KAC7B,CAAA;IACD,uBAAuB,EAAE;QACvB,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,uBAAuB,CAAA;QAC9B,MAAM,EAAE;YAAE,OAAO,EAAE,IAAI,CAAA;SAAE,CAAA;KAC1B,CAAA;IACD;;;OAGG;IACH,mBAAmB,EAAE;QACnB,MAAM,EAAE,KAAK,CAAA;QACb,MAAM,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAA;QACvB,MAAM,EAAE,oBAAoB,EAAE,CAAA;KAC/B,CAAA;IACD,yBAAyB,EAAE;QACzB,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,yBAAyB,CAAA;QAChC,MAAM,EAAE;YAAE,OAAO,EAAE,IAAI,CAAA;SAAE,CAAA;KAC1B,CAAA;IACD,SAAS,EAAE;QACT,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,WAAW,CAAA;QAClB,MAAM,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAA;KACxB,CAAA;IACD,SAAS,EAAE;QACT,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,WAAW,CAAA;QAClB,MAAM,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAA;KACxB,CAAA;CACF,CAAA;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,cAAc,GAAG,SAAS,CAAA;AAEtC,MAAM,MAAM,WAAW,GAAG;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAA;CACnB,CAAA;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,cAAc,CAAA;IAC/B,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B,CAAA;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB,CAAA;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,CAAC,EAAE,cAAc,CAAA;CAChC,CAAA;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAA;CACvB,CAAA;AAED,MAAM,MAAM,0BAA0B,GAAG;IACvC,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;CACd,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,6BAA6B,GAAG;IAC1C,MAAM,EAAE,MAAM,CAAA;CACf,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,GAAG,EAAE,MAAM,CAAA;IACX,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,uBAAuB,GAAG;IACpC,GAAG,EAAE,MAAM,CAAA;IACX,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,GAAG,EAAE,MAAM,CAAA;CACZ,CAAA;AAED,MAAM,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;AAE/C;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,OAAO,CAAA;IAEhB;;OAEG;IACH,aAAa,EAAE,OAAO,CAAA;CACvB,CAAA;AAED;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAA;IAChB,cAAc,EAAE,cAAc,CAAA;IAE9B,eAAe,EAAE,OAAO,CAAA;CACzB,CAAA;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,OAAO,EAAE,MAAM,CAAA;IAEf,SAAS,EAAE,aAAa,CAAA;IACxB,SAAS,EAAE,aAAa,CAAA;IAExB,QAAQ,EAAE,MAAM,CAAA;IAChB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,mBAAmB,CAAA;IAEpC,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,CAAA"}

package/dist/{api.js → api-endpoints.js}

@@ -1,3 +1,3 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=api.js.map
+//# sourceMappingURL=api-endpoints.js.map

package/dist/api-endpoints.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-endpoints.js","sourceRoot":"","sources":["../src/api-endpoints.ts"],"names":[],"mappings":""}

package/dist/backend-types.d.ts

@@ -1,6 +1,4 @@
-import type { OAuthClientMetadata } from '@atproto/oauth-types';
-import type { LinkDefinition, ScopeDetail, Session } from './types.js';
-export type AvailableLocales = readonly string[];
+import type { LinkDefinition } from './types.js';
 export type CustomizationData = {
     hcaptchaSiteKey?: string;
     inviteCodeRequired?: boolean;
@@ -9,18 +7,4 @@ export type CustomizationData = {
     logo?: string;
     links?: LinkDefinition[];
 };
-export type ErrorData = {
-    error: string;
-    error_description: string;
-};
-export type AuthorizeData = {
-    clientId: string;
-    clientMetadata: OAuthClientMetadata;
-    clientTrusted: boolean;
-    requestUri: string;
-    loginHint?: string;
-    scopeDetails?: ScopeDetail[];
-    newSessionsRequireConsent: boolean;
-    sessions: Session[];
-};
 //# sourceMappingURL=backend-types.d.ts.map

package/dist/backend-types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"backend-types.d.ts","sourceRoot":"","sources":["../src/backend-types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAA;AAC/D,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAKtE,MAAM,MAAM,gBAAgB,GAAG,SAAS,MAAM,EAAE,CAAA;AAEhD,MAAM,MAAM,iBAAiB,GAAG;IAE9B,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAC5B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAA;IAG/B,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,KAAK,CAAC,EAAE,cAAc,EAAE,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,SAAS,GAAG;IACtB,KAAK,EAAE,MAAM,CAAA;IACb,iBAAiB,EAAE,MAAM,CAAA;CAC1B,CAAA;AAED,MAAM,MAAM,aAAa,GAAG;IAC1B,QAAQ,EAAE,MAAM,CAAA;IAChB,cAAc,EAAE,mBAAmB,CAAA;IACnC,aAAa,EAAE,OAAO,CAAA;IACtB,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,YAAY,CAAC,EAAE,WAAW,EAAE,CAAA;IAC5B,yBAAyB,EAAE,OAAO,CAAA;IAClC,QAAQ,EAAE,OAAO,EAAE,CAAA;CACpB,CAAA"}
+{"version":3,"file":"backend-types.d.ts","sourceRoot":"","sources":["../src/backend-types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAKhD,MAAM,MAAM,iBAAiB,GAAG;IAE9B,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAC5B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAA;IAG/B,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,KAAK,CAAC,EAAE,cAAc,EAAE,CAAA;CACzB,CAAA"}

package/dist/contants.d.ts

@@ -0,0 +1,4 @@
+export declare const CSRF_COOKIE_NAME = "csrf-token";
+export declare const CSRF_HEADER_NAME = "x-csrf-token";
+export declare const API_ENDPOINT_PREFIX = "/@atproto/oauth-provider/~api";
+//# sourceMappingURL=contants.d.ts.map

package/dist/contants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"contants.d.ts","sourceRoot":"","sources":["../src/contants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,gBAAgB,eAAe,CAAA;AAC5C,eAAO,MAAM,gBAAgB,iBAAiB,CAAA;AAE9C,eAAO,MAAM,mBAAmB,kCAAkC,CAAA"}

package/dist/contants.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.API_ENDPOINT_PREFIX = exports.CSRF_HEADER_NAME = exports.CSRF_COOKIE_NAME = void 0;
+exports.CSRF_COOKIE_NAME = 'csrf-token';
+exports.CSRF_HEADER_NAME = 'x-csrf-token';
+exports.API_ENDPOINT_PREFIX = '/@atproto/oauth-provider/~api';
+//# sourceMappingURL=contants.js.map

package/dist/contants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"contants.js","sourceRoot":"","sources":["../src/contants.ts"],"names":[],"mappings":";;;AAAa,QAAA,gBAAgB,GAAG,YAAY,CAAA;AAC/B,QAAA,gBAAgB,GAAG,cAAc,CAAA;AAEjC,QAAA,mBAAmB,GAAG,+BAA+B,CAAA"}

package/dist/index.d.ts

@@ -1,4 +1,5 @@
-export type * from './api.js';
+export type * from './api-endpoints.js';
 export type * from './backend-types.js';
 export type * from './types.js';
+export * from './contants.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,mBAAmB,UAAU,CAAA;AAC7B,mBAAmB,oBAAoB,CAAA;AACvC,mBAAmB,YAAY,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,mBAAmB,oBAAoB,CAAA;AACvC,mBAAmB,oBAAoB,CAAA;AACvC,mBAAmB,YAAY,CAAA;AAE/B,cAAc,eAAe,CAAA"}

package/dist/index.js

@@ -1,3 +1,18 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
 Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./contants.js"), exports);
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAIA,gDAA6B"}

package/dist/types.d.ts

@@ -14,9 +14,10 @@ export type Session = {
     loginRequired: boolean;
     consentRequired: boolean;
 };
-export type LocalizedString = string | ({
+export type MultiLangString = {
     en: string;
-} & Record<string, string | undefined>);
+} & Record<string, string | undefined>;
+export type LocalizedString = string | MultiLangString;
 export type LinkDefinition = {
     title: LocalizedString;
     href: string;
@@ -24,6 +25,12 @@ export type LinkDefinition = {
 };
 export type ScopeDetail = {
     scope: string;
-    description?: string;
+    description?: LocalizedString;
 };
+export type DeviceMetadata = {
+    userAgent: string | null;
+    ipAddress: string;
+    lastSeenAt: ISODateString;
+};
+export type ISODateString = `${string}T${string}Z`;
 //# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,OAAO,GAAG;IACpB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;IAEnC,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,OAAO,GAAG;IACpB,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,CAAC,EAAE,KAAK,CAAA;IAEZ,QAAQ,EAAE,OAAO,CAAA;IACjB,aAAa,EAAE,OAAO,CAAA;IACtB,eAAe,EAAE,OAAO,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,eAAe,GACvB,MAAM,GACN,CAAC;IAAE,EAAE,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAA;AAEzD,MAAM,MAAM,cAAc,GAAG;IAC3B,KAAK,EAAE,eAAe,CAAA;IACtB,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;CACb,CAAA;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,KAAK,EAAE,MAAM,CAAA;IACb,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB,CAAA"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,OAAO,GAAG;IACpB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;IAEnC,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,OAAO,GAAG;IACpB,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,CAAC,EAAE,KAAK,CAAA;IAEZ,QAAQ,EAAE,OAAO,CAAA;IACjB,aAAa,EAAE,OAAO,CAAA;IACtB,eAAe,EAAE,OAAO,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,eAAe,GAAG;IAAE,EAAE,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CACnD,MAAM,EACN,MAAM,GAAG,SAAS,CACnB,CAAA;AAED,MAAM,MAAM,eAAe,GAAG,MAAM,GAAG,eAAe,CAAA;AAEtD,MAAM,MAAM,cAAc,GAAG;IAC3B,KAAK,EAAE,eAAe,CAAA;IACtB,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;CACb,CAAA;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,KAAK,EAAE,MAAM,CAAA;IACb,WAAW,CAAC,EAAE,eAAe,CAAA;CAC9B,CAAA;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;IACxB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,aAAa,CAAA;CAC1B,CAAA;AAED,MAAM,MAAM,aAAa,GAAG,GAAG,MAAM,IAAI,MAAM,GAAG,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-provider-api",
-  "version": "0.0.1",
+  "version": "0.1.0",
   "license": "MIT",
   "description": "Shared data types for the @atproto/oauth-provider and @atproto/oauth-provider-ui packages",
   "keywords": [
@@ -25,7 +25,8 @@
     }
   },
   "dependencies": {
-    "@atproto/oauth-types": "0.2.4"
+    "@atproto/jwk": "0.1.5",
+    "@atproto/oauth-types": "0.2.5"
   },
   "devDependencies": {
     "typescript": "^5.6.3"

package/src/api-endpoints.ts

@@ -0,0 +1,207 @@
+import type { SignedJwt } from '@atproto/jwk'
+import type { OAuthClientMetadata } from '@atproto/oauth-types'
+import type { Account, DeviceMetadata, ISODateString } from './types.js'
+
+// These are the endpoints implemented by the OAuth provider, for its UI to
+// call.
+
+export type ApiEndpoints = {
+  '/verify-handle-availability': {
+    method: 'POST'
+    input: VerifyHandleAvailabilityInput
+    output: { available: true }
+  }
+  '/sign-up': {
+    method: 'POST'
+    input: SignUpInput
+    output: SignUpOutput
+  }
+  '/sign-in': {
+    method: 'POST'
+    input: SignInInput
+    output: SignInOutput
+  }
+  '/reset-password-request': {
+    method: 'POST'
+    input: InitiatePasswordResetInput
+    output: { success: true }
+  }
+  '/reset-password-confirm': {
+    method: 'POST'
+    input: ConfirmResetPasswordInput
+    output: { success: true }
+  }
+  '/sign-out': {
+    method: 'POST'
+    input: SignOutInput
+    output: { success: true }
+  }
+  /**
+   * Lists all the accounts that are currently active, on the current device.
+   */
+  '/device-sessions': {
+    method: 'GET'
+    output: ActiveDeviceSession[]
+  }
+  /**
+   * Lists all the active OAuth sessions (access/refresh tokens) that where
+   * issued to OAuth clients (apps).
+   *
+   * @NOTE can be revoked using the oauth revocation endpoint (json or form
+   * encoded)
+   *
+   * ```http
+   * POST /oauth/revoke
+   * Content-Type: application/x-www-form-urlencoded
+   *
+   * token=<tokenId>
+   * ```
+   */
+  '/oauth-sessions': {
+    method: 'GET'
+    params: { sub: string }
+    output: ActiveOAuthSession[]
+  }
+  '/revoke-oauth-session': {
+    method: 'POST'
+    input: RevokeOAuthSessionInput
+    output: { success: true }
+  }
+  /**
+   * Lists all the sessions that are currently active for a particular user, on
+   * other devices.
+   */
+  '/account-sessions': {
+    method: 'GET'
+    params: { sub: string }
+    output: ActiveAccountSession[]
+  }
+  '/revoke-account-session': {
+    method: 'POST'
+    input: RevokeAccountSessionInput
+    output: { success: true }
+  }
+  '/accept': {
+    method: 'POST'
+    input: AcceptInput
+    output: { url: string }
+  }
+  '/reject': {
+    method: 'POST'
+    input: RejectInput
+    output: { url: string }
+  }
+}
+
+/**
+ * When a user signs in without the "remember me" option, the server returns an
+ * ephemeral token. When used as `Bearer` authorization header, the token will
+ * be used in order to authenticate the users in place of using the user's
+ * cookie based session (which are only created when "remember me" is checked).
+ *
+ * Only include this token in the `Authorization` header when making requests to
+ * the OAuth provider API, **FOR THE ACCOUNT IT WAS GENERATED FOR**.
+ */
+export type EphemeralToken = SignedJwt
+
+export type SignInInput = {
+  locale: string
+  username: string
+  password: string
+  emailOtp?: string
+  remember?: boolean
+}
+
+export type SignInOutput = {
+  account: Account
+  ephemeralToken?: EphemeralToken
+  consentRequired?: boolean
+}
+
+export type SignUpInput = {
+  locale: string
+  handle: string
+  email: string
+  password: string
+  inviteCode?: string
+  hcaptchaToken?: string
+}
+
+export type SignUpOutput = {
+  account: Account
+  ephemeralToken?: EphemeralToken
+}
+
+export type SignOutInput = {
+  sub: string | string[]
+}
+
+export type InitiatePasswordResetInput = {
+  locale: string
+  email: string
+}
+
+export type ConfirmResetPasswordInput = {
+  token: string
+  password: string
+}
+
+export type VerifyHandleAvailabilityInput = {
+  handle: string
+}
+
+export type RevokeAccountSessionInput = {
+  sub: string
+  deviceId: string
+}
+
+export type RevokeOAuthSessionInput = {
+  sub: string
+  tokenId: string
+}
+
+export type AcceptInput = {
+  sub: string
+}
+
+export type RejectInput = Record<string, never>
+
+/**
+ * Represents an account that is currently signed-in to the Authorization
+ * Server. If the session was created too long ago, the user may be required to
+ * re-authenticate ({@link ActiveDeviceSession.loginRequired}).
+ */
+export type ActiveDeviceSession = {
+  account: Account
+
+  /**
+   * The session is too old and the user must re-authenticate.
+   */
+  loginRequired: boolean
+}
+
+/**
+ * Represents another device on which an account is currently signed-in.
+ */
+export type ActiveAccountSession = {
+  deviceId: string
+  deviceMetadata: DeviceMetadata
+
+  isCurrentDevice: boolean
+}
+
+/**
+ * Represents an active OAuth session (access token).
+ */
+export type ActiveOAuthSession = {
+  tokenId: string
+
+  createdAt: ISODateString
+  updatedAt: ISODateString
+
+  clientId: string
+  /** An "undefined" value means that the client metadata could not be fetched */
+  clientMetadata?: OAuthClientMetadata
+
+  scope?: string
+}

package/src/backend-types.ts

@@ -1,11 +1,8 @@
-import type { OAuthClientMetadata } from '@atproto/oauth-types'
-import type { LinkDefinition, ScopeDetail, Session } from './types.js'
+import type { LinkDefinition } from './types.js'
 
 // These are the types of the variables that are injected into the HTML by the
 // backend. They are used to configure the frontend.
 
-export type AvailableLocales = readonly string[]
-
 export type CustomizationData = {
   // Functional customization
   hcaptchaSiteKey?: string
@@ -17,19 +14,3 @@ export type CustomizationData = {
   logo?: string
   links?: LinkDefinition[]
 }
-
-export type ErrorData = {
-  error: string
-  error_description: string
-}
-
-export type AuthorizeData = {
-  clientId: string
-  clientMetadata: OAuthClientMetadata
-  clientTrusted: boolean
-  requestUri: string
-  loginHint?: string
-  scopeDetails?: ScopeDetail[]
-  newSessionsRequireConsent: boolean
-  sessions: Session[]
-}

package/src/contants.ts

@@ -0,0 +1,4 @@
+export const CSRF_COOKIE_NAME = 'csrf-token'
+export const CSRF_HEADER_NAME = 'x-csrf-token'
+
+export const API_ENDPOINT_PREFIX = '/@atproto/oauth-provider/~api'

package/src/index.ts

@@ -1,3 +1,5 @@
-export type * from './api.js'
+export type * from './api-endpoints.js'
 export type * from './backend-types.js'
 export type * from './types.js'
+
+export * from './contants.js'

package/src/types.ts

@@ -18,9 +18,12 @@ export type Session = {
   consentRequired: boolean
 }
 
-export type LocalizedString =
-  | string
-  | ({ en: string } & Record<string, string | undefined>)
+export type MultiLangString = { en: string } & Record<
+  string,
+  string | undefined
+>
+
+export type LocalizedString = string | MultiLangString
 
 export type LinkDefinition = {
   title: LocalizedString
@@ -30,5 +33,13 @@ export type LinkDefinition = {
 
 export type ScopeDetail = {
   scope: string
-  description?: string
+  description?: LocalizedString
+}
+
+export type DeviceMetadata = {
+  userAgent: string | null
+  ipAddress: string
+  lastSeenAt: ISODateString
 }
+
+export type ISODateString = `${string}T${string}Z`

package/tsconfig.build.tsbuildinfo

@@ -1 +1 @@
-{"root":["./src/api.ts","./src/backend-types.ts","./src/index.ts","./src/types.ts"],"version":"5.6.3"}
+{"root":["./src/api-endpoints.ts","./src/backend-types.ts","./src/contants.ts","./src/index.ts","./src/types.ts"],"version":"5.8.2"}

package/dist/api.d.ts

@@ -1,62 +0,0 @@
-import type { Account } from './types.js';
-export type ApiEndpoints = {
-    '/verify-handle-availability': {
-        input: VerifyHandleAvailabilityData;
-        output: {
-            available: true;
-        };
-    };
-    '/sign-up': {
-        input: SignUpData;
-        output: {
-            account: Account;
-            consentRequired: boolean;
-        };
-    };
-    '/sign-in': {
-        input: SignInData;
-        output: {
-            account: Account;
-            consentRequired: boolean;
-        };
-    };
-    '/reset-password-request': {
-        input: InitiatePasswordResetData;
-        output: {
-            success: true;
-        };
-    };
-    '/reset-password-confirm': {
-        input: ConfirmResetPasswordData;
-        output: {
-            success: true;
-        };
-    };
-};
-export type SignInData = {
-    locale: string;
-    username: string;
-    password: string;
-    emailOtp?: string;
-    remember?: boolean;
-};
-export type SignUpData = {
-    locale: string;
-    handle: string;
-    email: string;
-    password: string;
-    inviteCode?: string;
-    hcaptchaToken?: string;
-};
-export type InitiatePasswordResetData = {
-    locale: string;
-    email: string;
-};
-export type ConfirmResetPasswordData = {
-    token: string;
-    password: string;
-};
-export type VerifyHandleAvailabilityData = {
-    handle: string;
-};
-//# sourceMappingURL=api.d.ts.map

package/dist/api.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAKzC,MAAM,MAAM,YAAY,GAAG;IACzB,6BAA6B,EAAE;QAC7B,KAAK,EAAE,4BAA4B,CAAA;QACnC,MAAM,EAAE;YAAE,SAAS,EAAE,IAAI,CAAA;SAAE,CAAA;KAC5B,CAAA;IACD,UAAU,EAAE;QACV,KAAK,EAAE,UAAU,CAAA;QACjB,MAAM,EAAE;YACN,OAAO,EAAE,OAAO,CAAA;YAChB,eAAe,EAAE,OAAO,CAAA;SACzB,CAAA;KACF,CAAA;IACD,UAAU,EAAE;QACV,KAAK,EAAE,UAAU,CAAA;QACjB,MAAM,EAAE;YACN,OAAO,EAAE,OAAO,CAAA;YAChB,eAAe,EAAE,OAAO,CAAA;SACzB,CAAA;KACF,CAAA;IACD,yBAAyB,EAAE;QACzB,KAAK,EAAE,yBAAyB,CAAA;QAChC,MAAM,EAAE;YAAE,OAAO,EAAE,IAAI,CAAA;SAAE,CAAA;KAC1B,CAAA;IACD,yBAAyB,EAAE;QACzB,KAAK,EAAE,wBAAwB,CAAA;QAC/B,MAAM,EAAE;YAAE,OAAO,EAAE,IAAI,CAAA;SAAE,CAAA;KAC1B,CAAA;CACF,CAAA;AAED,MAAM,MAAM,UAAU,GAAG;IACvB,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAA;CACnB,CAAA;AAED,MAAM,MAAM,UAAU,GAAG;IACvB,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;CACd,CAAA;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,4BAA4B,GAAG;IACzC,MAAM,EAAE,MAAM,CAAA;CACf,CAAA"}

package/dist/api.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"api.js","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":""}

package/src/api.ts

@@ -1,64 +0,0 @@
-import type { Account } from './types.js'
-
-// These are the endpoints implemented by the OAuth provider, for it's UI to
-// call.
-
-export type ApiEndpoints = {
-  '/verify-handle-availability': {
-    input: VerifyHandleAvailabilityData
-    output: { available: true }
-  }
-  '/sign-up': {
-    input: SignUpData
-    output: {
-      account: Account
-      consentRequired: boolean
-    }
-  }
-  '/sign-in': {
-    input: SignInData
-    output: {
-      account: Account
-      consentRequired: boolean
-    }
-  }
-  '/reset-password-request': {
-    input: InitiatePasswordResetData
-    output: { success: true }
-  }
-  '/reset-password-confirm': {
-    input: ConfirmResetPasswordData
-    output: { success: true }
-  }
-}
-
-export type SignInData = {
-  locale: string
-  username: string
-  password: string
-  emailOtp?: string
-  remember?: boolean
-}
-
-export type SignUpData = {
-  locale: string
-  handle: string
-  email: string
-  password: string
-  inviteCode?: string
-  hcaptchaToken?: string
-}
-
-export type InitiatePasswordResetData = {
-  locale: string
-  email: string
-}
-
-export type ConfirmResetPasswordData = {
-  token: string
-  password: string
-}
-
-export type VerifyHandleAvailabilityData = {
-  handle: string
-}