@atproto/oauth-provider 0.1.0 → 0.1.2-rc.0

package/src/client/client.ts

@@ -9,6 +9,7 @@ import {
   UnsecuredJWT,
   createLocalJWKSet,
   createRemoteJWKSet,
+  errors,
   jwtVerify,
   type JWTPayload,
   type JWTVerifyGetKey,
@@ -18,7 +19,6 @@ import {
   type ResolvedKey,
   type UnsecuredResult,
 } from 'jose'
-import { JOSEError } from 'jose/errors'
 
 import { CLIENT_ASSERTION_MAX_AGE, JAR_MAX_AGE } from '../constants.js'
 import { InvalidClientError } from '../errors/invalid-client-error.js'
@@ -28,6 +28,8 @@ import { ClientAuth, authJwkThumbprint } from './client-auth.js'
 import { ClientId } from './client-id.js'
 import { ClientInfo } from './client-info.js'
 
+const { JOSEError } = errors
+
 export class Client {
   /**
    * @see {@link https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method}

package/src/dpop/dpop-manager.ts

@@ -1,13 +1,14 @@
 import { createHash } from 'node:crypto'
 
-import { EmbeddedJWK, calculateJwkThumbprint, jwtVerify } from 'jose'
-import { JOSEError } from 'jose/errors'
+import { EmbeddedJWK, calculateJwkThumbprint, errors, jwtVerify } from 'jose'
 
 import { DPOP_NONCE_MAX_AGE } from '../constants.js'
 import { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'
 import { UseDpopNonceError } from '../errors/use-dpop-nonce-error.js'
 import { DpopNonce, DpopNonceInput } from './dpop-nonce.js'
 
+const { JOSEError } = errors
+
 export { DpopNonce, type DpopNonceInput }
 export type DpopManagerOptions = {
   /**

package/src/errors/invalid-token-error.ts

@@ -1,10 +1,12 @@
 import { JwtVerifyError } from '@atproto/jwk'
-import { JOSEError } from 'jose/errors'
+import { errors } from 'jose'
 import { ZodError } from 'zod'
 
 import { OAuthError } from './oauth-error.js'
 import { WWWAuthenticateError } from './www-authenticate-error.js'
 
+const { JOSEError } = errors
+
 /**
  * @see
  * {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3.1 | RFC6750 - The WWW-Authenticate Response Header Field }

package/src/errors/second-authentication-factor-required-error.ts

@@ -0,0 +1,25 @@
+import { OAuthError } from './oauth-error.js'
+
+export class SecondAuthenticationFactorRequiredError extends OAuthError {
+  constructor(
+    public type: 'emailOtp',
+    public hint: string,
+    cause?: unknown,
+  ) {
+    const error = 'second_authentication_factor_required'
+    super(
+      error,
+      `${type} authentication factor required (hint: ${hint})`,
+      401,
+      cause,
+    )
+  }
+
+  toJSON() {
+    return {
+      ...super.toJSON(),
+      type: this.type,
+      hint: this.hint,
+    } as const
+  }
+}

package/src/lib/util/authorization-header.ts

@@ -18,7 +18,7 @@ export const parseAuthorizationHeader = (header?: string) => {
     )
   }
 
-  const parsed = authorizationHeaderSchema.safeParse(header.split(' ', 2))
+  const parsed = authorizationHeaderSchema.safeParse(header.split(' '))
   if (!parsed.success) {
     throw new InvalidRequestError('Invalid authorization header')
   }

package/src/metadata/build-metadata.ts

@@ -161,5 +161,8 @@ export function buildMetadata(
 
     // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#section-4
     protected_resources: customMetadata?.protected_resources,
+
+    // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
+    client_id_metadata_document_supported: true,
   }
 }

package/src/oauth-errors.ts

@@ -16,6 +16,7 @@ export { InvalidRedirectUriError } from './errors/invalid-redirect-uri-error.js'
 export { InvalidRequestError } from './errors/invalid-request-error.js'
 export { InvalidTokenError } from './errors/invalid-token-error.js'
 export { LoginRequiredError } from './errors/login-required-error.js'
+export { SecondAuthenticationFactorRequiredError } from './errors/second-authentication-factor-required-error.js'
 export { UnauthorizedClientError } from './errors/unauthorized-client-error.js'
 export { UseDpopNonceError } from './errors/use-dpop-nonce-error.js'
 export { WWWAuthenticateError } from './errors/www-authenticate-error.js'

package/src/oauth-provider.ts

@@ -24,8 +24,9 @@ import {
   AccountInfo,
   AccountStore,
   DeviceAccountInfo,
-  LoginCredentials,
+  SignInCredentials,
   asAccountStore,
+  signInCredentialsSchema,
 } from './account/account-store.js'
 import { Account } from './account/account.js'
 import { authorizeAssetsMiddleware } from './assets/assets-middleware.js'
@@ -75,20 +76,17 @@ import { CustomMetadata, buildMetadata } from './metadata/build-metadata.js'
 import { OAuthHooks } from './oauth-hooks.js'
 import { OAuthVerifier, OAuthVerifierOptions } from './oauth-verifier.js'
 import { Userinfo } from './oidc/userinfo.js'
+import { AuthorizationResultAuthorize } from './output/build-authorize-data.js'
 import {
   buildErrorPayload,
   buildErrorStatus,
 } from './output/build-error-payload.js'
 import { Customization } from './output/customization.js'
-import {
-  AuthorizationResultAuthorize,
-  sendAuthorizePage,
-} from './output/send-authorize-page.js'
+import { OutputManager } from './output/output-manager.js'
 import {
   AuthorizationResultRedirect,
   sendAuthorizeRedirect,
 } from './output/send-authorize-redirect.js'
-import { sendErrorPage } from './output/send-error-page.js'
 import { oidcPayload } from './parameters/oidc-payload.js'
 import { ReplayStore, ifReplayStore } from './replay/replay-store.js'
 import { RequestInfo } from './request/request-info.js'
@@ -312,7 +310,7 @@ export class OAuthProvider extends OAuthVerifier {
     )
   }
 
-  get jwks(): Jwks {
+  get jwks() {
     return this.keyset.publicJwks
   }
 
@@ -637,13 +635,26 @@ export class OAuthProvider extends OAuthVerifier {
   > {
     const accounts = await this.accountManager.list(deviceId)
 
+    const hint = parameters.login_hint
+    const matchesHint = (account: Account): boolean =>
+      (!!account.sub && account.sub === hint) ||
+      (!!account.preferred_username && account.preferred_username === hint)
+
     return accounts.map(({ account, info }) => ({
       account,
       info,
 
       selected:
         parameters.prompt !== 'select_account' &&
-        parameters.login_hint === account.sub,
+        matchesHint(account) &&
+        // If an account uses the sub of another account as preferred_username,
+        // there might be multiple accounts matching the hint. In that case,
+        // selecting the account automatically may have unexpected results (i.e.
+        // not able to login using desired account).
+        accounts.reduce(
+          (acc, a) => acc + (matchesHint(a.account) ? 1 : 0),
+          0,
+        ) === 1,
       loginRequired:
         parameters.prompt === 'login' ||
         this.loginRequired(client, parameters, info),
@@ -651,14 +662,13 @@ export class OAuthProvider extends OAuthVerifier {
         parameters.prompt === 'consent' ||
         !info.authorizedClients.includes(client.id),
 
-      matchesHint:
-        parameters.login_hint === account.sub || parameters.login_hint == null,
+      matchesHint: hint == null || matchesHint(account),
     }))
   }
 
   protected async signIn(
     deviceId: DeviceId,
-    credentials: LoginCredentials,
+    credentials: SignInCredentials,
   ): Promise<AccountInfo> {
     return this.accountManager.signIn(credentials, deviceId)
   }
@@ -962,6 +972,7 @@ export class OAuthProvider extends OAuthVerifier {
       : undefined,
   }: RouterOptions<Req, Res> = {}) {
     const deviceManager = new DeviceManager(this.deviceStore)
+    const outputManager = new OutputManager(this.customization)
 
     // eslint-disable-next-line @typescript-eslint/no-this-alias
     const server = this
@@ -990,7 +1001,7 @@ export class OAuthProvider extends OAuthVerifier {
      * Wrap an OAuth endpoint in a middleware that will set the appropriate
      * response headers and format the response as JSON.
      */
-    const dynamicJson = <T, TReq extends Req, TRes extends Res, Json>(
+    const jsonHandler = <T, TReq extends Req, TRes extends Res, Json>(
       buildJson: (this: T, req: TReq, res: TRes) => Json | Promise<Json>,
       status?: number,
     ): Handler<T, TReq, TRes> =>
@@ -1034,6 +1045,37 @@ export class OAuthProvider extends OAuthVerifier {
         }
       }
 
+    const navigationHandler = <T, TReq extends Req, TRes extends Res>(
+      handler: (this: T, req: TReq, res: TRes) => void | Promise<void>,
+    ): Handler<T, TReq, TRes> =>
+      async function (req, res) {
+        res.setHeader('Cache-Control', 'no-store')
+        res.setHeader('Pragma', 'no-cache')
+
+        try {
+          validateFetchMode(req, res, ['navigate'])
+          validateSameOrigin(req, res, issuerOrigin)
+
+          await handler.call(this, req, res)
+
+          // Should never happen (fool proofing)
+          if (!res.headersSent) {
+            throw new Error('Navigation handler did not send a response')
+          }
+        } catch (err) {
+          await onError?.(
+            req,
+            res,
+            err,
+            `Failed to handle navigation request to "${req.url}"`,
+          )
+
+          if (!res.headersSent) {
+            await outputManager.sendErrorPage(res, err)
+          }
+        }
+      }
+
     //- Public OAuth endpoints
 
     /*
@@ -1077,7 +1119,7 @@ export class OAuthProvider extends OAuthVerifier {
 
     router.post(
       '/oauth/par',
-      dynamicJson(async function (req, _res) {
+      jsonHandler(async function (req, _res) {
         const input = await validateRequestPayload(
           req,
           pushedAuthorizationRequestSchema,
@@ -1100,7 +1142,7 @@ export class OAuthProvider extends OAuthVerifier {
 
     router.post(
       '/oauth/token',
-      dynamicJson(async function (req, _res) {
+      jsonHandler(async function (req, _res) {
         const input = await validateRequestPayload(req, tokenRequestSchema)
 
         const dpopJkt = await server.checkDpopProof(
@@ -1115,7 +1157,7 @@ export class OAuthProvider extends OAuthVerifier {
 
     router.post(
       '/oauth/revoke',
-      dynamicJson(async function (req, res) {
+      jsonHandler(async function (req, res) {
         const input = await validateRequestPayload(req, revokeSchema)
 
         try {
@@ -1128,10 +1170,7 @@ export class OAuthProvider extends OAuthVerifier {
 
     router.get(
       '/oauth/revoke',
-      dynamicJson(async function (req, res) {
-        validateFetchMode(req, res, ['navigate'])
-        validateSameOrigin(req, res, issuerOrigin)
-
+      navigationHandler(async function (req, res) {
         const query = Object.fromEntries(this.url.searchParams)
         const input = revokeSchema.parse(query, { path: ['query'] })
 
@@ -1152,7 +1191,7 @@ export class OAuthProvider extends OAuthVerifier {
 
     router.post(
       '/oauth/introspect',
-      dynamicJson(async function (req, _res) {
+      jsonHandler(async function (req, _res) {
         const input = await validateRequestPayload(req, introspectSchema)
         return server.introspect(input)
       }),
@@ -1204,10 +1243,10 @@ export class OAuthProvider extends OAuthVerifier {
         },
         {
           '': 'application/json',
-          'application/json': dynamicJson(async function (_req, _res) {
+          'application/json': jsonHandler(async function (_req, _res) {
             return this.data
           }),
-          'application/jwt': dynamicJson(async function (_req, res) {
+          'application/jwt': jsonHandler(async function (_req, res) {
             const jwt = await server.signUserinfo(this.data)
             res.writeHead(200, { 'Content-Type': 'application/jwt' }).end(jwt)
             return undefined
@@ -1220,13 +1259,9 @@ export class OAuthProvider extends OAuthVerifier {
 
     router.use(authorizeAssetsMiddleware())
 
-    router.get('/oauth/authorize', async function (req, res) {
-      try {
-        res.setHeader('Cache-Control', 'no-store')
-
-        validateFetchMode(req, res, ['navigate'])
-        validateSameOrigin(req, res, issuerOrigin)
-
+    router.get(
+      '/oauth/authorize',
+      navigationHandler(async function (req, res) {
         const query = Object.fromEntries(this.url.searchParams)
         const input = await authorizationRequestQuerySchema.parseAsync(query, {
           path: ['query'],
@@ -1237,66 +1272,62 @@ export class OAuthProvider extends OAuthVerifier {
 
         switch (true) {
           case 'redirect' in data: {
-            return await sendAuthorizeRedirect(res, data)
+            return sendAuthorizeRedirect(res, data)
           }
           case 'authorize' in data: {
             await setupCsrfToken(req, res, csrfCookie(data.authorize.uri))
-            return await sendAuthorizePage(res, data, server.customization)
+            return outputManager.sendAuthorizePage(res, data)
           }
           default: {
             // Should never happen
             throw new Error('Unexpected authorization result')
           }
         }
-      } catch (err) {
-        await onError?.(req, res, err, 'Failed to setup authorize')
-
-        if (!res.headersSent) {
-          await sendErrorPage(res, err, server.customization)
-        }
-      }
-    })
+      }),
+    )
 
     const signInPayloadSchema = z.object({
       csrf_token: z.string(),
       request_uri: requestUriSchema,
       client_id: clientIdSchema,
-      credentials: z.object({
-        username: z.string(),
-        password: z.string(),
-        remember: z.boolean().optional().default(false),
-      }),
+      credentials: signInCredentialsSchema,
     })
 
-    router.post('/oauth/authorize/sign-in', async function (req, res) {
-      validateFetchMode(req, res, ['same-origin'])
-      validateSameOrigin(req, res, issuerOrigin)
-
-      const input = await validateRequestPayload(req, signInPayloadSchema)
-
-      validateReferer(req, res, {
-        origin: issuerOrigin,
-        pathname: '/oauth/authorize',
-      })
-      validateCsrfToken(
-        req,
-        res,
-        input.csrf_token,
-        csrfCookie(input.request_uri),
-      )
+    router.post(
+      '/oauth/authorize/sign-in',
+      jsonHandler(async function (req, res) {
+        validateFetchMode(req, res, ['same-origin'])
+        validateSameOrigin(req, res, issuerOrigin)
 
-      const { deviceId } = await deviceManager.load(req, res)
+        const input = await validateRequestPayload(req, signInPayloadSchema)
 
-      const { account, info } = await server.signIn(deviceId, input.credentials)
+        validateReferer(req, res, {
+          origin: issuerOrigin,
+          pathname: '/oauth/authorize',
+        })
+        validateCsrfToken(
+          req,
+          res,
+          input.csrf_token,
+          csrfCookie(input.request_uri),
+        )
 
-      // Prevent fixation attacks
-      await deviceManager.rotate(req, res, deviceId)
+        const { deviceId } = await deviceManager.load(req, res)
 
-      return writeJson(res, {
-        account,
-        consentRequired: !info.authorizedClients.includes(input.client_id),
-      })
-    })
+        const { account, info } = await server.signIn(
+          deviceId,
+          input.credentials,
+        )
+
+        // Prevent fixation attacks
+        await deviceManager.rotate(req, res, deviceId)
+
+        return {
+          account,
+          consentRequired: !info.authorizedClients.includes(input.client_id),
+        }
+      }),
+    )
 
     const acceptQuerySchema = z.object({
       csrf_token: z.string(),
@@ -1305,13 +1336,9 @@ export class OAuthProvider extends OAuthVerifier {
       account_sub: z.string(),
     })
 
-    router.get('/oauth/authorize/accept', async function (req, res) {
-      try {
-        res.setHeader('Cache-Control', 'no-store')
-
-        validateFetchMode(req, res, ['navigate'])
-        validateSameOrigin(req, res, issuerOrigin)
-
+    router.get(
+      '/oauth/authorize/accept',
+      navigationHandler(async function (req, res) {
         const query = Object.fromEntries(this.url.searchParams)
         const input = await acceptQuerySchema.parseAsync(query, {
           path: ['query'],
@@ -1343,14 +1370,8 @@ export class OAuthProvider extends OAuthVerifier {
         )
 
         return await sendAuthorizeRedirect(res, data)
-      } catch (err) {
-        await onError?.(req, res, err, 'Failed to accept authorization request')
-
-        if (!res.headersSent) {
-          await sendErrorPage(res, err, server.customization)
-        }
-      }
-    })
+      }),
+    )
 
     const rejectQuerySchema = z.object({
       csrf_token: z.string(),
@@ -1358,13 +1379,9 @@ export class OAuthProvider extends OAuthVerifier {
       client_id: clientIdSchema,
     })
 
-    router.get('/oauth/authorize/reject', async function (req, res) {
-      try {
-        res.setHeader('Cache-Control', 'no-store')
-
-        validateFetchMode(req, res, ['navigate'])
-        validateSameOrigin(req, res, issuerOrigin)
-
+    router.get(
+      '/oauth/authorize/reject',
+      navigationHandler(async function (req, res) {
         const query = Object.fromEntries(this.url.searchParams)
         const input = await rejectQuerySchema.parseAsync(query, {
           path: ['query'],
@@ -1395,14 +1412,8 @@ export class OAuthProvider extends OAuthVerifier {
         )
 
         return await sendAuthorizeRedirect(res, data)
-      } catch (err) {
-        await onError?.(req, res, err, 'Failed to reject authorization request')
-
-        if (!res.headersSent) {
-          await sendErrorPage(res, err, server.customization)
-        }
-      }
-    })
+      }),
+    )
 
     return router
   }

package/src/output/{send-authorize-page.ts → build-authorize-data.ts}

@@ -2,20 +2,11 @@ import {
   OAuthAuthenticationRequestParameters,
   OAuthClientMetadata,
 } from '@atproto/oauth-types'
-import { ServerResponse } from 'node:http'
 
 import { DeviceAccountInfo } from '../account/account-store.js'
 import { Account } from '../account/account.js'
-import { getAsset } from '../assets/index.js'
 import { Client } from '../client/client.js'
-import { cssCode, html } from '../lib/html/index.js'
 import { RequestUri } from '../request/request-uri.js'
-import {
-  Customization,
-  buildCustomizationCss,
-  buildCustomizationData,
-} from './customization.js'
-import { declareBackendData, sendWebPage } from './send-web-page.js'
 
 export type AuthorizationResultAuthorize = {
   issuer: string
@@ -57,7 +48,9 @@ export type AuthorizeData = {
   sessions: Session[]
 }
 
-function buildAuthorizeData(data: AuthorizationResultAuthorize): AuthorizeData {
+export function buildAuthorizeData(
+  data: AuthorizationResultAuthorize,
+): AuthorizeData {
   return {
     clientId: data.client.id,
     clientMetadata: data.client.metadata,
@@ -76,36 +69,3 @@ function buildAuthorizeData(data: AuthorizationResultAuthorize): AuthorizeData {
     ),
   }
 }
-
-export async function sendAuthorizePage(
-  res: ServerResponse,
-  data: AuthorizationResultAuthorize,
-  customization?: Customization,
-): Promise<void> {
-  res.setHeader('Cache-Control', 'no-store')
-  res.setHeader('Permissions-Policy', 'otp-credentials=*, document-domain=()')
-
-  const [jsAsset, cssAsset] = await Promise.all([
-    getAsset('main.js'),
-    getAsset('main.css'),
-  ])
-
-  return sendWebPage(res, {
-    scripts: [
-      declareBackendData(
-        '__customizationData',
-        buildCustomizationData(customization),
-      ),
-      declareBackendData('__authorizeData', buildAuthorizeData(data)),
-      jsAsset, // Last (to be able to read the global variables)
-    ],
-    styles: [
-      cssAsset, // First (to be overridden by customization)
-      cssCode(buildCustomizationCss(customization)),
-    ],
-    links: customization?.links,
-    htmlAttrs: { lang: 'en' },
-    title: 'Authorize',
-    body: html`<div id="root"></div>`,
-  })
-}

package/src/output/build-error-payload.ts

@@ -1,9 +1,11 @@
 import { JwtVerifyError } from '@atproto/jwk'
-import { JOSEError } from 'jose/errors'
+import { errors } from 'jose'
 import { ZodError } from 'zod'
 
 import { OAuthError } from '../errors/oauth-error.js'
 
+const { JOSEError } = errors
+
 const INVALID_REQUEST = 'invalid_request'
 const SERVER_ERROR = 'server_error'