npm - @atproto/oauth-provider - Versions diffs - 0.1.0 - Mend

@atproto/oauth-provider 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (631) hide show

package/.postcssrc.yml +3 -0
package/CHANGELOG.md +19 -0
package/LICENSE.txt +7 -0
package/dist/access-token/access-token-type.d.ts +6 -0
package/dist/access-token/access-token-type.d.ts.map +1 -0
package/dist/access-token/access-token-type.js +10 -0
package/dist/access-token/access-token-type.js.map +1 -0
package/dist/account/account-manager.d.ts +14 -0
package/dist/account/account-manager.d.ts.map +1 -0
package/dist/account/account-manager.js +39 -0
package/dist/account/account-manager.js.map +1 -0
package/dist/account/account-store.d.ts +39 -0
package/dist/account/account-store.d.ts.map +1 -0
package/dist/account/account-store.js +19 -0
package/dist/account/account-store.js.map +1 -0
package/dist/account/account.d.ts +8 -0
package/dist/account/account.d.ts.map +1 -0
package/dist/account/account.js +3 -0
package/dist/account/account.js.map +1 -0
package/dist/assets/app/bundle-manifest.json +22 -0
package/dist/assets/app/main.css +3 -0
package/dist/assets/app/main.js +20 -0
package/dist/assets/app/main.js.map +1 -0
package/dist/assets/asset.d.ts +9 -0
package/dist/assets/asset.d.ts.map +1 -0
package/dist/assets/asset.js +3 -0
package/dist/assets/asset.js.map +1 -0
package/dist/assets/assets-middleware.d.ts +2 -0
package/dist/assets/assets-middleware.d.ts.map +1 -0
package/dist/assets/assets-middleware.js +30 -0
package/dist/assets/assets-middleware.js.map +1 -0
package/dist/assets/index.d.ts +4 -0
package/dist/assets/index.d.ts.map +1 -0
package/dist/assets/index.js +65 -0
package/dist/assets/index.js.map +1 -0
package/dist/client/client-auth.d.ts +13 -0
package/dist/client/client-auth.d.ts.map +1 -0
package/dist/client/client-auth.js +35 -0
package/dist/client/client-auth.js.map +1 -0
package/dist/client/client-data.d.ts +8 -0
package/dist/client/client-data.d.ts.map +1 -0
package/dist/client/client-data.js +3 -0
package/dist/client/client-data.js.map +1 -0
package/dist/client/client-id.d.ts +4 -0
package/dist/client/client-id.d.ts.map +1 -0
package/dist/client/client-id.js +6 -0
package/dist/client/client-id.js.map +1 -0
package/dist/client/client-info.d.ts +13 -0
package/dist/client/client-info.d.ts.map +1 -0
package/dist/client/client-info.js +3 -0
package/dist/client/client-info.js.map +1 -0
package/dist/client/client-manager.d.ts +38 -0
package/dist/client/client-manager.d.ts.map +1 -0
package/dist/client/client-manager.js +534 -0
package/dist/client/client-manager.js.map +1 -0
package/dist/client/client-store.d.ts +13 -0
package/dist/client/client-store.d.ts.map +1 -0
package/dist/client/client-store.js +39 -0
package/dist/client/client-store.js.map +1 -0
package/dist/client/client-utils.d.ts +6 -0
package/dist/client/client-utils.d.ts.map +1 -0
package/dist/client/client-utils.js +40 -0
package/dist/client/client-utils.js.map +1 -0
package/dist/client/client.d.ts +41 -0
package/dist/client/client.d.ts.map +1 -0
package/dist/client/client.js +163 -0
package/dist/client/client.js.map +1 -0
package/dist/constants.d.ts +42 -0
package/dist/constants.d.ts.map +1 -0
package/dist/constants.js +53 -0
package/dist/constants.js.map +1 -0
package/dist/device/device-data.d.ts +20 -0
package/dist/device/device-data.d.ts.map +1 -0
package/dist/device/device-data.js +11 -0
package/dist/device/device-data.js.map +1 -0
package/dist/device/device-details.d.ts +17 -0
package/dist/device/device-details.d.ts.map +1 -0
package/dist/device/device-details.js +34 -0
package/dist/device/device-details.js.map +1 -0
package/dist/device/device-id.d.ts +6 -0
package/dist/device/device-id.d.ts.map +1 -0
package/dist/device/device-id.js +18 -0
package/dist/device/device-id.js.map +1 -0
package/dist/device/device-manager.d.ts +88 -0
package/dist/device/device-manager.d.ts.map +1 -0
package/dist/device/device-manager.js +206 -0
package/dist/device/device-manager.js.map +1 -0
package/dist/device/device-store.d.ts +15 -0
package/dist/device/device-store.d.ts.map +1 -0
package/dist/device/device-store.js +36 -0
package/dist/device/device-store.js.map +1 -0
package/dist/device/session-id.d.ts +6 -0
package/dist/device/session-id.d.ts.map +1 -0
package/dist/device/session-id.js +18 -0
package/dist/device/session-id.js.map +1 -0
package/dist/dpop/dpop-manager.d.ts +33 -0
package/dist/dpop/dpop-manager.d.ts.map +1 -0
package/dist/dpop/dpop-manager.js +115 -0
package/dist/dpop/dpop-manager.js.map +1 -0
package/dist/dpop/dpop-nonce.d.ts +13 -0
package/dist/dpop/dpop-nonce.d.ts.map +1 -0
package/dist/dpop/dpop-nonce.js +94 -0
package/dist/dpop/dpop-nonce.js.map +1 -0
package/dist/errors/access-denied-error.d.ts +8 -0
package/dist/errors/access-denied-error.d.ts.map +1 -0
package/dist/errors/access-denied-error.js +21 -0
package/dist/errors/access-denied-error.js.map +1 -0
package/dist/errors/account-selection-required-error.d.ts +6 -0
package/dist/errors/account-selection-required-error.d.ts.map +1 -0
package/dist/errors/account-selection-required-error.js +11 -0
package/dist/errors/account-selection-required-error.js.map +1 -0
package/dist/errors/consent-required-error.d.ts +6 -0
package/dist/errors/consent-required-error.d.ts.map +1 -0
package/dist/errors/consent-required-error.js +11 -0
package/dist/errors/consent-required-error.js.map +1 -0
package/dist/errors/invalid-authorization-details-error.d.ts +20 -0
package/dist/errors/invalid-authorization-details-error.d.ts.map +1 -0
package/dist/errors/invalid-authorization-details-error.js +26 -0
package/dist/errors/invalid-authorization-details-error.js.map +1 -0
package/dist/errors/invalid-client-error.d.ts +18 -0
package/dist/errors/invalid-client-error.d.ts.map +1 -0
package/dist/errors/invalid-client-error.js +24 -0
package/dist/errors/invalid-client-error.js.map +1 -0
package/dist/errors/invalid-client-id-error.d.ts +13 -0
package/dist/errors/invalid-client-id-error.d.ts.map +1 -0
package/dist/errors/invalid-client-id-error.js +25 -0
package/dist/errors/invalid-client-id-error.js.map +1 -0
package/dist/errors/invalid-client-metadata-error.d.ts +13 -0
package/dist/errors/invalid-client-metadata-error.d.ts.map +1 -0
package/dist/errors/invalid-client-metadata-error.js +23 -0
package/dist/errors/invalid-client-metadata-error.js.map +1 -0
package/dist/errors/invalid-dpop-key-binding-error.d.ts +12 -0
package/dist/errors/invalid-dpop-key-binding-error.d.ts.map +1 -0
package/dist/errors/invalid-dpop-key-binding-error.js +20 -0
package/dist/errors/invalid-dpop-key-binding-error.js.map +1 -0
package/dist/errors/invalid-dpop-proof-error.d.ts +5 -0
package/dist/errors/invalid-dpop-proof-error.d.ts.map +1 -0
package/dist/errors/invalid-dpop-proof-error.js +12 -0
package/dist/errors/invalid-dpop-proof-error.js.map +1 -0
package/dist/errors/invalid-grant-error.d.ts +14 -0
package/dist/errors/invalid-grant-error.d.ts.map +1 -0
package/dist/errors/invalid-grant-error.js +20 -0
package/dist/errors/invalid-grant-error.js.map +1 -0
package/dist/errors/invalid-parameters-error.d.ts +6 -0
package/dist/errors/invalid-parameters-error.d.ts.map +1 -0
package/dist/errors/invalid-parameters-error.js +11 -0
package/dist/errors/invalid-parameters-error.js.map +1 -0
package/dist/errors/invalid-redirect-uri-error.d.ts +11 -0
package/dist/errors/invalid-redirect-uri-error.d.ts.map +1 -0
package/dist/errors/invalid-redirect-uri-error.js +21 -0
package/dist/errors/invalid-redirect-uri-error.js.map +1 -0
package/dist/errors/invalid-request-error.d.ts +28 -0
package/dist/errors/invalid-request-error.d.ts.map +1 -0
package/dist/errors/invalid-request-error.js +34 -0
package/dist/errors/invalid-request-error.js.map +1 -0
package/dist/errors/invalid-token-error.d.ts +16 -0
package/dist/errors/invalid-token-error.d.ts.map +1 -0
package/dist/errors/invalid-token-error.js +45 -0
package/dist/errors/invalid-token-error.js.map +1 -0
package/dist/errors/login-required-error.d.ts +6 -0
package/dist/errors/login-required-error.d.ts.map +1 -0
package/dist/errors/login-required-error.js +11 -0
package/dist/errors/login-required-error.js.map +1 -0
package/dist/errors/oauth-error.d.ts +13 -0
package/dist/errors/oauth-error.d.ts.map +1 -0
package/dist/errors/oauth-error.js +29 -0
package/dist/errors/oauth-error.js.map +1 -0
package/dist/errors/unauthorized-client-error.d.ts +18 -0
package/dist/errors/unauthorized-client-error.d.ts.map +1 -0
package/dist/errors/unauthorized-client-error.js +24 -0
package/dist/errors/unauthorized-client-error.js.map +1 -0
package/dist/errors/use-dpop-nonce-error.d.ts +18 -0
package/dist/errors/use-dpop-nonce-error.d.ts.map +1 -0
package/dist/errors/use-dpop-nonce-error.js +27 -0
package/dist/errors/use-dpop-nonce-error.js.map +1 -0
package/dist/errors/www-authenticate-error.d.ts +9 -0
package/dist/errors/www-authenticate-error.d.ts.map +1 -0
package/dist/errors/www-authenticate-error.js +46 -0
package/dist/errors/www-authenticate-error.js.map +1 -0
package/dist/index.d.ts +14 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +31 -0
package/dist/index.js.map +1 -0
package/dist/lib/html/build-document.d.ts +32 -0
package/dist/lib/html/build-document.d.ts.map +1 -0
package/dist/lib/html/build-document.js +61 -0
package/dist/lib/html/build-document.js.map +1 -0
package/dist/lib/html/escapers.d.ts +9 -0
package/dist/lib/html/escapers.d.ts.map +1 -0
package/dist/lib/html/escapers.js +66 -0
package/dist/lib/html/escapers.js.map +1 -0
package/dist/lib/html/html.d.ts +13 -0
package/dist/lib/html/html.d.ts.map +1 -0
package/dist/lib/html/html.js +53 -0
package/dist/lib/html/html.js.map +1 -0
package/dist/lib/html/index.d.ts +4 -0
package/dist/lib/html/index.d.ts.map +1 -0
package/dist/lib/html/index.js +21 -0
package/dist/lib/html/index.js.map +1 -0
package/dist/lib/html/tags.d.ts +34 -0
package/dist/lib/html/tags.d.ts.map +1 -0
package/dist/lib/html/tags.js +47 -0
package/dist/lib/html/tags.js.map +1 -0
package/dist/lib/html/util.d.ts +4 -0
package/dist/lib/html/util.d.ts.map +1 -0
package/dist/lib/html/util.js +20 -0
package/dist/lib/html/util.js.map +1 -0
package/dist/lib/http/accept.d.ts +29 -0
package/dist/lib/http/accept.d.ts.map +1 -0
package/dist/lib/http/accept.js +67 -0
package/dist/lib/http/accept.js.map +1 -0
package/dist/lib/http/context.d.ts +5 -0
package/dist/lib/http/context.d.ts.map +1 -0
package/dist/lib/http/context.js +10 -0
package/dist/lib/http/context.js.map +1 -0
package/dist/lib/http/index.d.ts +10 -0
package/dist/lib/http/index.d.ts.map +1 -0
package/dist/lib/http/index.js +26 -0
package/dist/lib/http/index.js.map +1 -0
package/dist/lib/http/method.d.ts +6 -0
package/dist/lib/http/method.d.ts.map +1 -0
package/dist/lib/http/method.js +19 -0
package/dist/lib/http/method.js.map +1 -0
package/dist/lib/http/middleware.d.ts +18 -0
package/dist/lib/http/middleware.d.ts.map +1 -0
package/dist/lib/http/middleware.js +118 -0
package/dist/lib/http/middleware.js.map +1 -0
package/dist/lib/http/parser.d.ts +33 -0
package/dist/lib/http/parser.d.ts.map +1 -0
package/dist/lib/http/parser.js +48 -0
package/dist/lib/http/parser.js.map +1 -0
package/dist/lib/http/path.d.ts +9 -0
package/dist/lib/http/path.d.ts.map +1 -0
package/dist/lib/http/path.js +54 -0
package/dist/lib/http/path.js.map +1 -0
package/dist/lib/http/request.d.ts +33 -0
package/dist/lib/http/request.d.ts.map +1 -0
package/dist/lib/http/request.js +86 -0
package/dist/lib/http/request.js.map +1 -0
package/dist/lib/http/response.d.ts +13 -0
package/dist/lib/http/response.d.ts.map +1 -0
package/dist/lib/http/response.js +98 -0
package/dist/lib/http/response.js.map +1 -0
package/dist/lib/http/route.d.ts +25 -0
package/dist/lib/http/route.d.ts.map +1 -0
package/dist/lib/http/route.js +39 -0
package/dist/lib/http/route.js.map +1 -0
package/dist/lib/http/router.d.ts +32 -0
package/dist/lib/http/router.d.ts.map +1 -0
package/dist/lib/http/router.js +74 -0
package/dist/lib/http/router.js.map +1 -0
package/dist/lib/http/stream.d.ts +13 -0
package/dist/lib/http/stream.d.ts.map +1 -0
package/dist/lib/http/stream.js +46 -0
package/dist/lib/http/stream.js.map +1 -0
package/dist/lib/http/types.d.ts +7 -0
package/dist/lib/http/types.d.ts.map +1 -0
package/dist/lib/http/types.js +3 -0
package/dist/lib/http/types.js.map +1 -0
package/dist/lib/http/url.d.ts +8 -0
package/dist/lib/http/url.d.ts.map +1 -0
package/dist/lib/http/url.js +22 -0
package/dist/lib/http/url.js.map +1 -0
package/dist/lib/redis.d.ts +5 -0
package/dist/lib/redis.d.ts.map +1 -0
package/dist/lib/redis.js +22 -0
package/dist/lib/redis.js.map +1 -0
package/dist/lib/util/authorization-header.d.ts +4 -0
package/dist/lib/util/authorization-header.d.ts.map +1 -0
package/dist/lib/util/authorization-header.js +23 -0
package/dist/lib/util/authorization-header.js.map +1 -0
package/dist/lib/util/cast.d.ts +2 -0
package/dist/lib/util/cast.d.ts.map +1 -0
package/dist/lib/util/cast.js +10 -0
package/dist/lib/util/cast.js.map +1 -0
package/dist/lib/util/crypto.d.ts +3 -0
package/dist/lib/util/crypto.d.ts.map +1 -0
package/dist/lib/util/crypto.js +29 -0
package/dist/lib/util/crypto.js.map +1 -0
package/dist/lib/util/date.d.ts +3 -0
package/dist/lib/util/date.d.ts.map +1 -0
package/dist/lib/util/date.js +12 -0
package/dist/lib/util/date.js.map +1 -0
package/dist/lib/util/hostname.d.ts +6 -0
package/dist/lib/util/hostname.d.ts.map +1 -0
package/dist/lib/util/hostname.js +24 -0
package/dist/lib/util/hostname.js.map +1 -0
package/dist/lib/util/redirect-uri.d.ts +7 -0
package/dist/lib/util/redirect-uri.d.ts.map +1 -0
package/dist/lib/util/redirect-uri.js +44 -0
package/dist/lib/util/redirect-uri.js.map +1 -0
package/dist/lib/util/time.d.ts +6 -0
package/dist/lib/util/time.d.ts.map +1 -0
package/dist/lib/util/time.js +28 -0
package/dist/lib/util/time.js.map +1 -0
package/dist/lib/util/type.d.ts +6 -0
package/dist/lib/util/type.d.ts.map +1 -0
package/dist/lib/util/type.js +3 -0
package/dist/lib/util/type.js.map +1 -0
package/dist/lib/util/well-known.d.ts +3 -0
package/dist/lib/util/well-known.d.ts.map +1 -0
package/dist/lib/util/well-known.js +11 -0
package/dist/lib/util/well-known.js.map +1 -0
package/dist/metadata/build-metadata.d.ts +14 -0
package/dist/metadata/build-metadata.d.ts.map +1 -0
package/dist/metadata/build-metadata.js +132 -0
package/dist/metadata/build-metadata.js.map +1 -0
package/dist/oauth-client.d.ts +4 -0
package/dist/oauth-client.d.ts.map +1 -0
package/dist/oauth-client.js +19 -0
package/dist/oauth-client.js.map +1 -0
package/dist/oauth-dpop.d.ts +3 -0
package/dist/oauth-dpop.d.ts.map +1 -0
package/dist/oauth-dpop.js +19 -0
package/dist/oauth-dpop.js.map +1 -0
package/dist/oauth-errors.d.ts +20 -0
package/dist/oauth-errors.d.ts.map +1 -0
package/dist/oauth-errors.js +43 -0
package/dist/oauth-errors.js.map +1 -0
package/dist/oauth-hooks.d.ts +42 -0
package/dist/oauth-hooks.d.ts.map +1 -0
package/dist/oauth-hooks.js +3 -0
package/dist/oauth-hooks.js.map +1 -0
package/dist/oauth-provider.d.ts +179 -0
package/dist/oauth-provider.d.ts.map +1 -0
package/dist/oauth-provider.js +748 -0
package/dist/oauth-provider.js.map +1 -0
package/dist/oauth-store.d.ts +11 -0
package/dist/oauth-store.d.ts.map +1 -0
package/dist/oauth-store.js +27 -0
package/dist/oauth-store.js.map +1 -0
package/dist/oauth-verifier.d.ts +66 -0
package/dist/oauth-verifier.d.ts.map +1 -0
package/dist/oauth-verifier.js +94 -0
package/dist/oauth-verifier.js.map +1 -0
package/dist/oidc/claims.d.ts +16 -0
package/dist/oidc/claims.d.ts.map +1 -0
package/dist/oidc/claims.js +29 -0
package/dist/oidc/claims.js.map +1 -0
package/dist/oidc/sub.d.ts +4 -0
package/dist/oidc/sub.d.ts.map +1 -0
package/dist/oidc/sub.js +6 -0
package/dist/oidc/sub.js.map +1 -0
package/dist/oidc/userinfo.d.ts +7 -0
package/dist/oidc/userinfo.d.ts.map +1 -0
package/dist/oidc/userinfo.js +3 -0
package/dist/oidc/userinfo.js.map +1 -0
package/dist/output/build-error-payload.d.ts +6 -0
package/dist/output/build-error-payload.d.ts.map +1 -0
package/dist/output/build-error-payload.js +108 -0
package/dist/output/build-error-payload.js.map +1 -0
package/dist/output/customization.d.ts +37 -0
package/dist/output/customization.d.ts.map +1 -0
package/dist/output/customization.js +62 -0
package/dist/output/customization.js.map +1 -0
package/dist/output/send-authorize-page.d.ts +43 -0
package/dist/output/send-authorize-page.d.ts.map +1 -0
package/dist/output/send-authorize-page.js +49 -0
package/dist/output/send-authorize-page.js.map +1 -0
package/dist/output/send-authorize-redirect.d.ts +25 -0
package/dist/output/send-authorize-redirect.d.ts.map +1 -0
package/dist/output/send-authorize-redirect.js +72 -0
package/dist/output/send-authorize-redirect.js.map +1 -0
package/dist/output/send-error-page.d.ts +5 -0
package/dist/output/send-error-page.d.ts.map +1 -0
package/dist/output/send-error-page.js +31 -0
package/dist/output/send-error-page.js.map +1 -0
package/dist/output/send-web-page.d.ts +8 -0
package/dist/output/send-web-page.d.ts.map +1 -0
package/dist/output/send-web-page.js +48 -0
package/dist/output/send-web-page.js.map +1 -0
package/dist/parameters/claims-requested.d.ts +3 -0
package/dist/parameters/claims-requested.d.ts.map +1 -0
package/dist/parameters/claims-requested.js +77 -0
package/dist/parameters/claims-requested.js.map +1 -0
package/dist/parameters/oidc-payload.d.ts +31 -0
package/dist/parameters/oidc-payload.d.ts.map +1 -0
package/dist/parameters/oidc-payload.js +25 -0
package/dist/parameters/oidc-payload.js.map +1 -0
package/dist/replay/replay-manager.d.ts +10 -0
package/dist/replay/replay-manager.d.ts.map +1 -0
package/dist/replay/replay-manager.js +23 -0
package/dist/replay/replay-manager.js.map +1 -0
package/dist/replay/replay-store-memory.d.ts +11 -0
package/dist/replay/replay-store-memory.d.ts.map +1 -0
package/dist/replay/replay-store-memory.js +30 -0
package/dist/replay/replay-store-memory.js.map +1 -0
package/dist/replay/replay-store-redis.d.ts +16 -0
package/dist/replay/replay-store-redis.d.ts.map +1 -0
package/dist/replay/replay-store-redis.js +20 -0
package/dist/replay/replay-store-redis.js.map +1 -0
package/dist/replay/replay-store.d.ts +16 -0
package/dist/replay/replay-store.d.ts.map +1 -0
package/dist/replay/replay-store.js +22 -0
package/dist/replay/replay-store.js.map +1 -0
package/dist/request/code.d.ts +7 -0
package/dist/request/code.d.ts.map +1 -0
package/dist/request/code.js +20 -0
package/dist/request/code.js.map +1 -0
package/dist/request/request-data.d.ts +21 -0
package/dist/request/request-data.d.ts.map +1 -0
package/dist/request/request-data.js +6 -0
package/dist/request/request-data.js.map +1 -0
package/dist/request/request-id.d.ts +6 -0
package/dist/request/request-id.d.ts.map +1 -0
package/dist/request/request-id.js +18 -0
package/dist/request/request-id.js.map +1 -0
package/dist/request/request-info.d.ts +12 -0
package/dist/request/request-info.d.ts.map +1 -0
package/dist/request/request-info.js +3 -0
package/dist/request/request-info.js.map +1 -0
package/dist/request/request-manager.d.ts +40 -0
package/dist/request/request-manager.d.ts.map +1 -0
package/dist/request/request-manager.js +310 -0
package/dist/request/request-manager.js.map +1 -0
package/dist/request/request-store-memory.d.ts +16 -0
package/dist/request/request-store-memory.d.ts.map +1 -0
package/dist/request/request-store-memory.js +31 -0
package/dist/request/request-store-memory.js.map +1 -0
package/dist/request/request-store-redis.d.ts +24 -0
package/dist/request/request-store-redis.d.ts.map +1 -0
package/dist/request/request-store-redis.js +58 -0
package/dist/request/request-store-redis.js.map +1 -0
package/dist/request/request-store.d.ts +27 -0
package/dist/request/request-store.d.ts.map +1 -0
package/dist/request/request-store.js +37 -0
package/dist/request/request-store.js.map +1 -0
package/dist/request/request-uri.d.ts +8 -0
package/dist/request/request-uri.d.ts.map +1 -0
package/dist/request/request-uri.js +24 -0
package/dist/request/request-uri.js.map +1 -0
package/dist/request/types.d.ts +328 -0
package/dist/request/types.d.ts.map +1 -0
package/dist/request/types.js +27 -0
package/dist/request/types.js.map +1 -0
package/dist/signer/signed-token-payload.d.ts +1694 -0
package/dist/signer/signed-token-payload.d.ts.map +1 -0
package/dist/signer/signed-token-payload.js +32 -0
package/dist/signer/signed-token-payload.js.map +1 -0
package/dist/signer/signer.d.ts +193 -0
package/dist/signer/signer.d.ts.map +1 -0
package/dist/signer/signer.js +101 -0
package/dist/signer/signer.js.map +1 -0
package/dist/token/refresh-token.d.ts +7 -0
package/dist/token/refresh-token.d.ts.map +1 -0
package/dist/token/refresh-token.js +20 -0
package/dist/token/refresh-token.js.map +1 -0
package/dist/token/token-claims.d.ts +1687 -0
package/dist/token/token-claims.d.ts.map +1 -0
package/dist/token/token-claims.js +30 -0
package/dist/token/token-claims.js.map +1 -0
package/dist/token/token-data.d.ts +20 -0
package/dist/token/token-data.d.ts.map +1 -0
package/dist/token/token-data.js +3 -0
package/dist/token/token-data.js.map +1 -0
package/dist/token/token-id.d.ts +7 -0
package/dist/token/token-id.d.ts.map +1 -0
package/dist/token/token-id.js +20 -0
package/dist/token/token-id.js.map +1 -0
package/dist/token/token-manager.d.ts +48 -0
package/dist/token/token-manager.d.ts.map +1 -0
package/dist/token/token-manager.js +421 -0
package/dist/token/token-manager.js.map +1 -0
package/dist/token/token-store.d.ts +35 -0
package/dist/token/token-store.d.ts.map +1 -0
package/dist/token/token-store.js +38 -0
package/dist/token/token-store.js.map +1 -0
package/dist/token/types.d.ts +250 -0
package/dist/token/types.d.ts.map +1 -0
package/dist/token/types.js +36 -0
package/dist/token/types.js.map +1 -0
package/dist/token/verify-token-claims.d.ts +17 -0
package/dist/token/verify-token-claims.d.ts.map +1 -0
package/dist/token/verify-token-claims.js +39 -0
package/dist/token/verify-token-claims.js.map +1 -0
package/package.json +83 -0
package/rollup.config.js +55 -0
package/src/access-token/access-token-type.ts +5 -0
package/src/account/account-manager.ts +55 -0
package/src/account/account-store.ts +74 -0
package/src/account/account.ts +10 -0
package/src/assets/app/app.tsx +28 -0
package/src/assets/app/backend-data.ts +65 -0
package/src/assets/app/components/accept-form.tsx +112 -0
package/src/assets/app/components/account-identifier.tsx +18 -0
package/src/assets/app/components/account-picker.tsx +108 -0
package/src/assets/app/components/client-identifier.tsx +32 -0
package/src/assets/app/components/client-name.tsx +30 -0
package/src/assets/app/components/error-card.tsx +41 -0
package/src/assets/app/components/help-card.tsx +42 -0
package/src/assets/app/components/layout-title-page.tsx +43 -0
package/src/assets/app/components/layout-welcome.tsx +58 -0
package/src/assets/app/components/sign-in-form.tsx +290 -0
package/src/assets/app/components/sign-up-account-form.tsx +210 -0
package/src/assets/app/components/sign-up-disclaimer.tsx +44 -0
package/src/assets/app/components/url-viewer.tsx +70 -0
package/src/assets/app/cookies.ts +11 -0
package/src/assets/app/hooks/use-api.ts +104 -0
package/src/assets/app/hooks/use-bound-dispatch.ts +5 -0
package/src/assets/app/hooks/use-csrf-token.ts +5 -0
package/src/assets/app/lib/api.ts +64 -0
package/src/assets/app/lib/clsx.ts +4 -0
package/src/assets/app/lib/util.ts +10 -0
package/src/assets/app/main.css +11 -0
package/src/assets/app/main.tsx +28 -0
package/src/assets/app/views/accept-view.tsx +51 -0
package/src/assets/app/views/authorize-view.tsx +101 -0
package/src/assets/app/views/error-view.tsx +27 -0
package/src/assets/app/views/sign-in-view.tsx +121 -0
package/src/assets/app/views/sign-up-view.tsx +93 -0
package/src/assets/app/views/welcome-view.tsx +61 -0
package/src/assets/asset.ts +8 -0
package/src/assets/assets-middleware.ts +32 -0
package/src/assets/index.ts +74 -0
package/src/client/client-auth.ts +45 -0
package/src/client/client-data.ts +9 -0
package/src/client/client-id.ts +4 -0
package/src/client/client-info.ts +13 -0
package/src/client/client-manager.ts +818 -0
package/src/client/client-store.ts +38 -0
package/src/client/client-utils.ts +43 -0
package/src/client/client.ts +231 -0
package/src/constants.ts +69 -0
package/src/device/device-data.ts +11 -0
package/src/device/device-details.ts +43 -0
package/src/device/device-id.ts +23 -0
package/src/device/device-manager.ts +287 -0
package/src/device/device-store.ts +35 -0
package/src/device/session-id.ts +22 -0
package/src/dpop/dpop-manager.ts +147 -0
package/src/dpop/dpop-nonce.ts +104 -0
package/src/errors/access-denied-error.ts +26 -0
package/src/errors/account-selection-required-error.ts +12 -0
package/src/errors/consent-required-error.ts +12 -0
package/src/errors/invalid-authorization-details-error.ts +22 -0
package/src/errors/invalid-client-error.ts +20 -0
package/src/errors/invalid-client-id-error.ts +20 -0
package/src/errors/invalid-client-metadata-error.ts +19 -0
package/src/errors/invalid-dpop-key-binding-error.ts +21 -0
package/src/errors/invalid-dpop-proof-error.ts +13 -0
package/src/errors/invalid-grant-error.ts +16 -0
package/src/errors/invalid-parameters-error.ts +12 -0
package/src/errors/invalid-redirect-uri-error.ts +17 -0
package/src/errors/invalid-request-error.ts +30 -0
package/src/errors/invalid-token-error.ts +59 -0
package/src/errors/login-required-error.ts +12 -0
package/src/errors/oauth-error.ts +28 -0
package/src/errors/unauthorized-client-error.ts +20 -0
package/src/errors/use-dpop-nonce-error.ts +32 -0
package/src/errors/www-authenticate-error.ts +65 -0
package/src/index.ts +15 -0
package/src/lib/html/README.md +9 -0
package/src/lib/html/build-document.ts +98 -0
package/src/lib/html/escapers.ts +66 -0
package/src/lib/html/html.ts +61 -0
package/src/lib/html/index.ts +5 -0
package/src/lib/html/tags.ts +58 -0
package/src/lib/html/util.ts +21 -0
package/src/lib/http/README.md +11 -0
package/src/lib/http/accept.ts +91 -0
package/src/lib/http/context.ts +11 -0
package/src/lib/http/index.ts +9 -0
package/src/lib/http/method.ts +18 -0
package/src/lib/http/middleware.ts +183 -0
package/src/lib/http/parser.ts +64 -0
package/src/lib/http/path.ts +82 -0
package/src/lib/http/request.ts +141 -0
package/src/lib/http/response.ts +133 -0
package/src/lib/http/route.ts +56 -0
package/src/lib/http/router.ts +118 -0
package/src/lib/http/stream.ts +78 -0
package/src/lib/http/types.ts +22 -0
package/src/lib/http/url.ts +23 -0
package/src/lib/redis.ts +23 -0
package/src/lib/util/authorization-header.ts +26 -0
package/src/lib/util/cast.ts +4 -0
package/src/lib/util/crypto.ts +27 -0
package/src/lib/util/date.ts +7 -0
package/src/lib/util/hostname.ts +19 -0
package/src/lib/util/redirect-uri.ts +46 -0
package/src/lib/util/time.ts +33 -0
package/src/lib/util/type.ts +4 -0
package/src/lib/util/well-known.ts +8 -0
package/src/metadata/build-metadata.ts +165 -0
package/src/oauth-client.ts +3 -0
package/src/oauth-dpop.ts +2 -0
package/src/oauth-errors.ts +21 -0
package/src/oauth-hooks.ts +66 -0
package/src/oauth-provider.ts +1409 -0
package/src/oauth-store.ts +11 -0
package/src/oauth-verifier.ts +219 -0
package/src/oidc/claims.ts +35 -0
package/src/oidc/sub.ts +4 -0
package/src/oidc/userinfo.ts +11 -0
package/src/output/build-error-payload.ts +143 -0
package/src/output/customization.ts +96 -0
package/src/output/send-authorize-page.ts +111 -0
package/src/output/send-authorize-redirect.ts +130 -0
package/src/output/send-error-page.ts +41 -0
package/src/output/send-web-page.ts +66 -0
package/src/parameters/claims-requested.ts +106 -0
package/src/parameters/oidc-payload.ts +28 -0
package/src/replay/replay-manager.ts +38 -0
package/src/replay/replay-store-memory.ts +36 -0
package/src/replay/replay-store-redis.ts +31 -0
package/src/replay/replay-store.ts +44 -0
package/src/request/code.ts +24 -0
package/src/request/request-data.ts +26 -0
package/src/request/request-id.ts +23 -0
package/src/request/request-info.ts +12 -0
package/src/request/request-manager.ts +479 -0
package/src/request/request-store-memory.ts +39 -0
package/src/request/request-store-redis.ts +71 -0
package/src/request/request-store.ts +54 -0
package/src/request/request-uri.ts +29 -0
package/src/request/types.ts +48 -0
package/src/signer/signed-token-payload.ts +35 -0
package/src/signer/signer.ts +165 -0
package/src/token/refresh-token.ts +31 -0
package/src/token/token-claims.ts +31 -0
package/src/token/token-data.ts +33 -0
package/src/token/token-id.ts +26 -0
package/src/token/token-manager.ts +591 -0
package/src/token/token-store.ts +78 -0
package/src/token/types.ts +86 -0
package/src/token/verify-token-claims.ts +65 -0
package/tailwind.config.js +13 -0
package/tsconfig.backend.json +9 -0
package/tsconfig.frontend.json +11 -0
package/tsconfig.json +8 -0
package/tsconfig.tools.json +8 -0

package/dist/oauth-provider.js ADDED Viewed

@@ -0,0 +1,748 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthProvider = exports.Keyset = void 0;
+const fetch_node_1 = require("@atproto-labs/fetch-node");
+const simple_store_memory_1 = require("@atproto-labs/simple-store-memory");
+const jwk_1 = require("@atproto/jwk");
+Object.defineProperty(exports, "Keyset", { enumerable: true, get: function () { return jwk_1.Keyset; } });
+const oauth_types_1 = require("@atproto/oauth-types");
+const zod_1 = require("zod");
+const access_token_type_js_1 = require("./access-token/access-token-type.js");
+const account_manager_js_1 = require("./account/account-manager.js");
+const account_store_js_1 = require("./account/account-store.js");
+const assets_middleware_js_1 = require("./assets/assets-middleware.js");
+const client_auth_js_1 = require("./client/client-auth.js");
+const client_id_js_1 = require("./client/client-id.js");
+const client_manager_js_1 = require("./client/client-manager.js");
+const client_store_js_1 = require("./client/client-store.js");
+const constants_js_1 = require("./constants.js");
+const device_manager_js_1 = require("./device/device-manager.js");
+const device_store_js_1 = require("./device/device-store.js");
+const access_denied_error_js_1 = require("./errors/access-denied-error.js");
+const account_selection_required_error_js_1 = require("./errors/account-selection-required-error.js");
+const consent_required_error_js_1 = require("./errors/consent-required-error.js");
+const invalid_client_error_js_1 = require("./errors/invalid-client-error.js");
+const invalid_grant_error_js_1 = require("./errors/invalid-grant-error.js");
+const invalid_parameters_error_js_1 = require("./errors/invalid-parameters-error.js");
+const invalid_request_error_js_1 = require("./errors/invalid-request-error.js");
+const login_required_error_js_1 = require("./errors/login-required-error.js");
+const oauth_error_js_1 = require("./errors/oauth-error.js");
+const unauthorized_client_error_js_1 = require("./errors/unauthorized-client-error.js");
+const www_authenticate_error_js_1 = require("./errors/www-authenticate-error.js");
+const index_js_1 = require("./lib/http/index.js");
+const date_js_1 = require("./lib/util/date.js");
+const build_metadata_js_1 = require("./metadata/build-metadata.js");
+const oauth_verifier_js_1 = require("./oauth-verifier.js");
+const build_error_payload_js_1 = require("./output/build-error-payload.js");
+const send_authorize_page_js_1 = require("./output/send-authorize-page.js");
+const send_authorize_redirect_js_1 = require("./output/send-authorize-redirect.js");
+const send_error_page_js_1 = require("./output/send-error-page.js");
+const oidc_payload_js_1 = require("./parameters/oidc-payload.js");
+const replay_store_js_1 = require("./replay/replay-store.js");
+const request_manager_js_1 = require("./request/request-manager.js");
+const request_store_memory_js_1 = require("./request/request-store-memory.js");
+const request_store_redis_js_1 = require("./request/request-store-redis.js");
+const request_store_js_1 = require("./request/request-store.js");
+const request_uri_js_1 = require("./request/request-uri.js");
+const types_js_1 = require("./request/types.js");
+const token_id_js_1 = require("./token/token-id.js");
+const token_manager_js_1 = require("./token/token-manager.js");
+const token_store_js_1 = require("./token/token-store.js");
+const types_js_2 = require("./token/types.js");
+class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
+    metadata;
+    customization;
+    authenticationMaxAge;
+    accountManager;
+    deviceStore;
+    clientManager;
+    requestManager;
+    tokenManager;
+    constructor({ metadata, customization = undefined, authenticationMaxAge = constants_js_1.AUTHENTICATION_MAX_AGE, tokenMaxAge = constants_js_1.TOKEN_MAX_AGE, safeFetch = (0, fetch_node_1.safeFetchWrap)(), redis, store, // compound store implementation
+    // Requires stores
+    accountStore = (0, account_store_js_1.asAccountStore)(store), deviceStore = (0, device_store_js_1.asDeviceStore)(store), tokenStore = (0, token_store_js_1.asTokenStore)(store),
+    // These are optional
+    clientStore = (0, client_store_js_1.ifClientStore)(store), replayStore = (0, replay_store_js_1.ifReplayStore)(store), requestStore = (0, request_store_js_1.ifRequestStore)(store), clientJwksCache = new simple_store_memory_1.SimpleStoreMemory({
+        maxSize: 50_000_000,
+        ttl: 600e3,
+    }), clientMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
+        maxSize: 50_000_000,
+        ttl: 600e3,
+    }), loopbackMetadata = oauth_types_1.atprotoLoopbackClientMetadata,
+    // OAuthHooks & OAuthVerifierOptions
+    ...rest }) {
+        super({ replayStore, redis, ...rest });
+        requestStore ??= redis
+            ? new request_store_redis_js_1.RequestStoreRedis({ redis })
+            : new request_store_memory_js_1.RequestStoreMemory();
+        this.authenticationMaxAge = authenticationMaxAge;
+        this.metadata = (0, build_metadata_js_1.buildMetadata)(this.issuer, this.keyset, metadata);
+        this.customization = customization;
+        this.deviceStore = deviceStore;
+        this.accountManager = new account_manager_js_1.AccountManager(accountStore);
+        this.clientManager = new client_manager_js_1.ClientManager(this.keyset, rest, clientStore || null, loopbackMetadata || null, safeFetch, clientJwksCache, clientMetadataCache);
+        this.requestManager = new request_manager_js_1.RequestManager(requestStore, this.signer, this.metadata, rest);
+        this.tokenManager = new token_manager_js_1.TokenManager(tokenStore, this.signer, rest, this.accessTokenType, tokenMaxAge);
+    }
+    get jwks() {
+        return this.keyset.publicJwks;
+    }
+    loginRequired(client, parameters, info) {
+        /** in seconds */
+        const authAge = (Date.now() - info.authenticatedAt.getTime()) / 1e3;
+        // Fool-proof (invalid date, or suspiciously in the future)
+        if (!Number.isFinite(authAge) || authAge < 0) {
+            return true;
+        }
+        /** in seconds */
+        const maxAge = parameters.max_age ?? client.metadata.default_max_age;
+        if (maxAge != null && maxAge < this.authenticationMaxAge) {
+            return authAge >= maxAge;
+        }
+        else {
+            return authAge >= this.authenticationMaxAge;
+        }
+    }
+    async authenticateClient(client, endpoint, credentials) {
+        const { clientAuth, nonce } = await client.verifyCredentials(credentials, endpoint, { audience: this.issuer });
+        if (nonce != null) {
+            const unique = await this.replayManager.uniqueAuth(nonce, client.id);
+            if (!unique) {
+                throw new invalid_client_error_js_1.InvalidClientError(`${clientAuth.method} jti reused`);
+            }
+        }
+        return clientAuth;
+    }
+    async decodeJAR(client, input) {
+        const result = await client.decodeRequestObject(input.request);
+        const payload = oauth_types_1.oauthAuthenticationRequestParametersSchema.parse(result.payload);
+        if (!result.payload.jti) {
+            throw new invalid_parameters_error_js_1.InvalidParametersError(payload, 'Request object must contain a jti claim');
+        }
+        if (!(await this.replayManager.uniqueJar(result.payload.jti, client.id))) {
+            throw new invalid_parameters_error_js_1.InvalidParametersError(payload, 'Request object jti is not unique');
+        }
+        if ('protectedHeader' in result) {
+            if (!result.protectedHeader.kid) {
+                throw new invalid_parameters_error_js_1.InvalidParametersError(payload, 'Missing "kid" in header');
+            }
+            return {
+                jkt: await (0, client_auth_js_1.authJwkThumbprint)(result.key),
+                payload,
+                protectedHeader: result.protectedHeader,
+            };
+        }
+        if ('header' in result) {
+            return {
+                payload,
+            };
+        }
+        // Should never happen
+        throw new Error('Invalid request object');
+    }
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc9126}
+     */
+    async pushedAuthorizationRequest(input, dpopJkt) {
+        try {
+            const client = await this.clientManager.getClient(input.client_id);
+            const clientAuth = await this.authenticateClient(client, 'pushed_authorization_request', input);
+            const { payload: parameters } = 'request' in input // Handle JAR
+                ? await this.decodeJAR(client, input)
+                : { payload: input };
+            const { uri, expiresAt } = await this.requestManager.createAuthorizationRequest(client, clientAuth, parameters, null, dpopJkt);
+            return {
+                request_uri: uri,
+                expires_in: (0, date_js_1.dateToRelativeSeconds)(expiresAt),
+            };
+        }
+        catch (err) {
+            // https://datatracker.ietf.org/doc/html/rfc9126#section-2.3-1
+            // > Since initial processing of the pushed authorization request does not
+            // > involve resource owner interaction, error codes related to user
+            // > interaction, such as consent_required defined by [OIDC], are never
+            // > returned.
+            if (err instanceof access_denied_error_js_1.AccessDeniedError) {
+                throw new invalid_request_error_js_1.InvalidRequestError(err.error_description, err);
+            }
+            throw err;
+        }
+    }
+    async loadAuthorizationRequest(client, deviceId, input) {
+        // Load PAR
+        if ('request_uri' in input) {
+            return this.requestManager.get(input.request_uri, client.id, deviceId);
+        }
+        // Handle JAR
+        if ('request' in input) {
+            const requestObject = await this.decodeJAR(client, input);
+            if ('protectedHeader' in requestObject && requestObject.protectedHeader) {
+                // Allow using signed JAR during "/authorize" as client authentication.
+                // This allows clients to skip PAR to initiate trusted sessions.
+                const clientAuth = {
+                    method: oauth_types_1.CLIENT_ASSERTION_TYPE_JWT_BEARER,
+                    kid: requestObject.protectedHeader.kid,
+                    alg: requestObject.protectedHeader.alg,
+                    jkt: requestObject.jkt,
+                };
+                return this.requestManager.createAuthorizationRequest(client, clientAuth, requestObject.payload, deviceId, null);
+            }
+            return this.requestManager.createAuthorizationRequest(client, { method: 'none' }, requestObject.payload, deviceId, null);
+        }
+        return this.requestManager.createAuthorizationRequest(client, { method: 'none' }, input, deviceId, null);
+    }
+    async deleteRequest(uri, parameters) {
+        try {
+            await this.requestManager.delete(uri);
+        }
+        catch (err) {
+            throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
+        }
+    }
+    async authorize(deviceId, input) {
+        const { issuer } = this;
+        const client = await this.clientManager.getClient(input.client_id);
+        try {
+            const { uri, parameters, clientAuth } = await this.loadAuthorizationRequest(client, deviceId, input);
+            try {
+                const sessions = await this.getSessions(client, clientAuth, deviceId, parameters);
+                if (parameters.prompt === 'none') {
+                    const ssoSessions = sessions.filter((s) => s.matchesHint);
+                    if (ssoSessions.length > 1) {
+                        throw new account_selection_required_error_js_1.AccountSelectionRequiredError(parameters);
+                    }
+                    if (ssoSessions.length < 1) {
+                        throw new login_required_error_js_1.LoginRequiredError(parameters);
+                    }
+                    const ssoSession = ssoSessions[0];
+                    if (ssoSession.loginRequired) {
+                        throw new login_required_error_js_1.LoginRequiredError(parameters);
+                    }
+                    if (ssoSession.consentRequired) {
+                        throw new consent_required_error_js_1.ConsentRequiredError(parameters);
+                    }
+                    const redirect = await this.requestManager.setAuthorized(client, uri, deviceId, ssoSession.account, ssoSession.info);
+                    return { issuer, client, parameters, redirect };
+                }
+                // Automatic SSO when a did was provided
+                if (parameters.prompt == null && parameters.login_hint != null) {
+                    const ssoSessions = sessions.filter((s) => s.matchesHint);
+                    if (ssoSessions.length === 1) {
+                        const ssoSession = ssoSessions[0];
+                        if (!ssoSession.loginRequired && !ssoSession.consentRequired) {
+                            const redirect = await this.requestManager.setAuthorized(client, uri, deviceId, ssoSession.account, ssoSession.info);
+                            return { issuer, client, parameters, redirect };
+                        }
+                    }
+                }
+                return {
+                    issuer,
+                    client,
+                    parameters,
+                    authorize: { uri, sessions },
+                };
+            }
+            catch (err) {
+                await this.deleteRequest(uri, parameters);
+                // Transform into an AccessDeniedError to allow redirecting the user
+                // to the client with the error details.
+                throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
+            }
+        }
+        catch (err) {
+            if (err instanceof access_denied_error_js_1.AccessDeniedError) {
+                return {
+                    issuer,
+                    client,
+                    parameters: err.parameters,
+                    redirect: err.toJSON(),
+                };
+            }
+            throw err;
+        }
+    }
+    async getSessions(client, clientAuth, deviceId, parameters) {
+        const accounts = await this.accountManager.list(deviceId);
+        return accounts.map(({ account, info }) => ({
+            account,
+            info,
+            selected: parameters.prompt !== 'select_account' &&
+                parameters.login_hint === account.sub,
+            loginRequired: parameters.prompt === 'login' ||
+                this.loginRequired(client, parameters, info),
+            consentRequired: parameters.prompt === 'consent' ||
+                !info.authorizedClients.includes(client.id),
+            matchesHint: parameters.login_hint === account.sub || parameters.login_hint == null,
+        }));
+    }
+    async signIn(deviceId, credentials) {
+        return this.accountManager.signIn(credentials, deviceId);
+    }
+    async acceptRequest(deviceId, uri, clientId, sub) {
+        const { issuer } = this;
+        const client = await this.clientManager.getClient(clientId);
+        try {
+            const { parameters, clientAuth } = await this.requestManager.get(uri, clientId, deviceId);
+            try {
+                const { account, info } = await this.accountManager.get(deviceId, sub);
+                // The user is trying to authorize without a fresh login
+                if (this.loginRequired(client, parameters, info)) {
+                    throw new login_required_error_js_1.LoginRequiredError(parameters, 'Account authentication required.');
+                }
+                const redirect = await this.requestManager.setAuthorized(client, uri, deviceId, account, info);
+                await this.accountManager.addAuthorizedClient(deviceId, account, client, clientAuth);
+                return { issuer, client, parameters, redirect };
+            }
+            catch (err) {
+                await this.deleteRequest(uri, parameters);
+                // throw AccessDeniedError.from(parameters, err)
+                throw err;
+            }
+        }
+        catch (err) {
+            if (err instanceof access_denied_error_js_1.AccessDeniedError) {
+                const { parameters } = err;
+                return { issuer, client, parameters, redirect: err.toJSON() };
+            }
+            throw err;
+        }
+    }
+    async rejectRequest(deviceId, uri, clientId) {
+        try {
+            const { parameters } = await this.requestManager.get(uri, clientId, deviceId);
+            await this.deleteRequest(uri, parameters);
+            // Trigger redirect (see catch block)
+            throw new access_denied_error_js_1.AccessDeniedError(parameters, 'Access denied');
+        }
+        catch (err) {
+            if (err instanceof access_denied_error_js_1.AccessDeniedError) {
+                return {
+                    issuer: this.issuer,
+                    client: await this.clientManager.getClient(clientId),
+                    parameters: err.parameters,
+                    redirect: err.toJSON(),
+                };
+            }
+            throw err;
+        }
+    }
+    async token(input, dpopJkt) {
+        const client = await this.clientManager.getClient(input.client_id);
+        const clientAuth = await this.authenticateClient(client, 'token', input);
+        if (!client.metadata.grant_types.includes(input.grant_type)) {
+            throw new invalid_grant_error_js_1.InvalidGrantError(`"${input.grant_type}" grant type is not allowed for this client`);
+        }
+        if (input.grant_type === 'authorization_code') {
+            return this.codeGrant(client, clientAuth, input, dpopJkt);
+        }
+        if (input.grant_type === 'refresh_token') {
+            return this.refreshTokenGrant(client, clientAuth, input, dpopJkt);
+        }
+        throw new invalid_grant_error_js_1.InvalidGrantError(
+        // @ts-expect-error: fool proof
+        `Grant type "${input.grant_type}" not supported`);
+    }
+    async codeGrant(client, clientAuth, input, dpopJkt) {
+        try {
+            const { sub, deviceId, parameters } = await this.requestManager.findCode(client, clientAuth, input.code);
+            const { account, info } = await this.accountManager.get(deviceId, sub);
+            return await this.tokenManager.create(client, clientAuth, account, { id: deviceId, info }, parameters, input, dpopJkt);
+        }
+        catch (err) {
+            // If a token is replayed, requestManager.findCode will throw. In that
+            // case, we need to revoke any token that was issued for this code.
+            await this.tokenManager.revoke(input.code);
+            // @TODO (?) in order to protect the user, we should maybe also mark the
+            // account-device association as expired ?
+            throw err;
+        }
+    }
+    async refreshTokenGrant(client, clientAuth, input, dpopJkt) {
+        return this.tokenManager.refresh(client, clientAuth, input, dpopJkt);
+    }
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 rfc7009}
+     */
+    async revoke(input) {
+        // @TODO this should also remove the account-device association (or, at
+        // least, mark it as expired)
+        await this.tokenManager.revoke(input.token);
+    }
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7662#section-2.1 rfc7662}
+     */
+    async introspect(input) {
+        const client = await this.clientManager.getClient(input.client_id);
+        const clientAuth = await this.authenticateClient(client, 'introspection', input);
+        // RFC7662 states the following:
+        //
+        // > To prevent token scanning attacks, the endpoint MUST also require some
+        // > form of authorization to access this endpoint, such as client
+        // > authentication as described in OAuth 2.0 [RFC6749] or a separate OAuth
+        // > 2.0 access token such as the bearer token described in OAuth 2.0 Bearer
+        // > Token Usage [RFC6750]. The methods of managing and validating these
+        // > authentication credentials are out of scope of this specification.
+        if (clientAuth.method === 'none') {
+            throw new unauthorized_client_error_js_1.UnauthorizedClientError('Client authentication required');
+        }
+        const start = Date.now();
+        try {
+            const tokenInfo = await this.tokenManager.clientTokenInfo(client, clientAuth, input.token);
+            return {
+                active: true,
+                scope: tokenInfo.data.parameters.scope,
+                client_id: tokenInfo.data.clientId,
+                username: tokenInfo.account.preferred_username,
+                token_type: tokenInfo.data.parameters.dpop_jkt ? 'DPoP' : 'Bearer',
+                authorization_details: tokenInfo.data.details ?? undefined,
+                aud: tokenInfo.account.aud,
+                exp: (0, date_js_1.dateToEpoch)(tokenInfo.data.expiresAt),
+                iat: (0, date_js_1.dateToEpoch)(tokenInfo.data.updatedAt),
+                iss: this.signer.issuer,
+                jti: tokenInfo.id,
+                sub: tokenInfo.account.sub,
+            };
+        }
+        catch (err) {
+            // Prevent brute force & timing attack (only for inactive tokens)
+            await new Promise((r) => setTimeout(r, 750 - (Date.now() - start)));
+            return {
+                active: false,
+            };
+        }
+    }
+    /**
+     * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.3.2 Successful UserInfo Response}
+     */
+    async userinfo({ data, account }) {
+        return {
+            ...(0, oidc_payload_js_1.oidcPayload)(data.parameters, account),
+            sub: account.sub,
+            client_id: data.clientId,
+            username: account.preferred_username,
+        };
+    }
+    async signUserinfo(userinfo) {
+        const client = await this.clientManager.getClient(userinfo.client_id);
+        return this.signer.sign({
+            alg: client.metadata.userinfo_signed_response_alg,
+            typ: 'JWT',
+        }, userinfo);
+    }
+    async authenticateToken(tokenType, token, dpopJkt, verifyOptions) {
+        if ((0, token_id_js_1.isTokenId)(token)) {
+            this.assertTokenTypeAllowed(tokenType, access_token_type_js_1.AccessTokenType.id);
+            return this.tokenManager.authenticateTokenId(tokenType, token, dpopJkt, verifyOptions);
+        }
+        return super.authenticateToken(tokenType, token, dpopJkt, verifyOptions);
+    }
+    /**
+     * @returns An http request handler that can be used with node's http server
+     * or as a middleware with express / connect.
+     */
+    httpHandler(options) {
+        const router = this.buildRouter(options);
+        return router.buildHandler();
+    }
+    buildRouter({ onError = process.env['NODE_ENV'] === 'development'
+        ? (req, res, err, msg) => console.error(`OAuthProvider error (${msg}):`, err)
+        : undefined, } = {}) {
+        const deviceManager = new device_manager_js_1.DeviceManager(this.deviceStore);
+        // eslint-disable-next-line @typescript-eslint/no-this-alias
+        const server = this;
+        const issuerUrl = new URL(server.issuer);
+        const issuerOrigin = issuerUrl.origin;
+        const router = new index_js_1.Router(issuerUrl);
+        // Utils
+        const csrfCookie = (uri) => `csrf-${uri}`;
+        /**
+         * Creates a middleware that will serve static JSON content.
+         */
+        const staticJson = (json) => (0, index_js_1.combineMiddlewares)([
+            function (req, res, next) {
+                res.setHeader('Access-Control-Allow-Origin', '*');
+                res.setHeader('Cache-Control', 'max-age=300');
+                next();
+            },
+            (0, index_js_1.staticJsonHandler)(json),
+        ]);
+        /**
+         * Wrap an OAuth endpoint in a middleware that will set the appropriate
+         * response headers and format the response as JSON.
+         */
+        const dynamicJson = (buildJson, status) => async function (req, res) {
+            res.setHeader('Access-Control-Allow-Origin', '*');
+            // https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1
+            res.setHeader('Cache-Control', 'no-store');
+            res.setHeader('Pragma', 'no-cache');
+            // https://datatracker.ietf.org/doc/html/rfc9449#section-8.2
+            const dpopNonce = server.nextDpopNonce();
+            if (dpopNonce) {
+                const name = 'DPoP-Nonce';
+                res.setHeader(name, dpopNonce);
+                res.appendHeader('Access-Control-Expose-Headers', name);
+            }
+            try {
+                const result = await buildJson.call(this, req, res);
+                if (result !== undefined)
+                    (0, index_js_1.writeJson)(res, result, status);
+                else if (!res.headersSent)
+                    res.writeHead(status ?? 204).end();
+            }
+            catch (err) {
+                if (!res.headersSent) {
+                    if (err instanceof www_authenticate_error_js_1.WWWAuthenticateError) {
+                        const name = 'WWW-Authenticate';
+                        res.setHeader(name, err.wwwAuthenticateHeader);
+                        res.appendHeader('Access-Control-Expose-Headers', name);
+                    }
+                    (0, index_js_1.writeJson)(res, (0, build_error_payload_js_1.buildErrorPayload)(err), (0, build_error_payload_js_1.buildErrorStatus)(err));
+                }
+                else {
+                    res.destroy();
+                }
+                // OAuthError are used to build expected responses, so we don't log
+                // them as errors.
+                if (!(err instanceof oauth_error_js_1.OAuthError) || err.statusCode >= 500) {
+                    await onError?.(req, res, err, 'Unexpected error');
+                }
+            }
+        };
+        //- Public OAuth endpoints
+        /*
+         * Although OpenID compatibility is not required to implement the Atproto
+         * OAuth2 specification, we do support OIDC discovery in this
+         * implementation as we believe this may:
+         * 1) Make the implementation of Atproto clients easier (since lots of
+         *    libraries support OIDC discovery)
+         * 2) Allow self hosted PDS' to not implement authentication themselves
+         *    but rely on a trusted Atproto actor to act as their OIDC providers.
+         *    By supporting OIDC in the current implementation, Bluesky's
+         *    Authorization Server server can be used as an OIDC provider for
+         *    these users.
+         */
+        router.get('/.well-known/openid-configuration', staticJson(server.metadata));
+        router.get('/.well-known/oauth-authorization-server', staticJson(server.metadata));
+        // CORS preflight
+        router.options(/^\/oauth\/(?<endpoint>jwks|par|token|revoke|introspect|userinfo)$/, function (req, res, _next) {
+            res
+                .writeHead(204, {
+                'Access-Control-Allow-Origin': req.headers['origin'] || '*',
+                'Access-Control-Allow-Methods': this.params.endpoint === 'jwks' ? 'GET' : 'POST',
+                'Access-Control-Allow-Headers': 'Content-Type,Authorization,DPoP',
+                'Access-Control-Max-Age': '86400', // 1 day
+            })
+                .end();
+        });
+        router.get('/oauth/jwks', staticJson(server.jwks));
+        router.post('/oauth/par', dynamicJson(async function (req, _res) {
+            const input = await (0, index_js_1.validateRequestPayload)(req, types_js_1.pushedAuthorizationRequestSchema);
+            const dpopJkt = await server.checkDpopProof(req.headers['dpop'], req.method, this.url);
+            return server.pushedAuthorizationRequest(input, dpopJkt);
+        }, 201));
+        // https://datatracker.ietf.org/doc/html/rfc9126#section-2.3
+        router.addRoute('*', '/oauth/par', (req, res) => {
+            res.writeHead(405).end();
+        });
+        router.post('/oauth/token', dynamicJson(async function (req, _res) {
+            const input = await (0, index_js_1.validateRequestPayload)(req, types_js_2.tokenRequestSchema);
+            const dpopJkt = await server.checkDpopProof(req.headers['dpop'], req.method, this.url);
+            return server.token(input, dpopJkt);
+        }));
+        router.post('/oauth/revoke', dynamicJson(async function (req, res) {
+            const input = await (0, index_js_1.validateRequestPayload)(req, types_js_2.revokeSchema);
+            try {
+                await server.revoke(input);
+            }
+            catch (err) {
+                onError?.(req, res, err, 'Failed to revoke token');
+            }
+        }));
+        router.get('/oauth/revoke', dynamicJson(async function (req, res) {
+            (0, index_js_1.validateFetchMode)(req, res, ['navigate']);
+            (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
+            const query = Object.fromEntries(this.url.searchParams);
+            const input = types_js_2.revokeSchema.parse(query, { path: ['query'] });
+            try {
+                await server.revoke(input);
+            }
+            catch (err) {
+                onError?.(req, res, err, 'Failed to revoke token');
+            }
+            // Same as POST + redirect to callback URL
+            // todo: generate JSONP response (if "callback" is provided)
+            throw new Error('You are successfully logged out. Redirect not implemented');
+        }));
+        router.post('/oauth/introspect', dynamicJson(async function (req, _res) {
+            const input = await (0, index_js_1.validateRequestPayload)(req, types_js_2.introspectSchema);
+            return server.introspect(input);
+        }));
+        const userinfoBodySchema = zod_1.z.object({
+            access_token: jwk_1.signedJwtSchema.optional(),
+        });
+        router.addRoute(['GET', 'POST'], '/oauth/userinfo', (0, index_js_1.acceptMiddleware)(async function (req, _res) {
+            const body = req.method === 'POST'
+                ? await (0, index_js_1.validateRequestPayload)(req, userinfoBodySchema)
+                : null;
+            if (body?.access_token && req.headers['authorization']) {
+                throw new invalid_request_error_js_1.InvalidRequestError('access token must be provided in either the authorization header or the request body');
+            }
+            const auth = await server.authenticateRequest(req.method, this.url, body?.access_token // Allow credentials to be parsed from body.
+                ? {
+                    authorization: `Bearer ${body.access_token}`,
+                    dpop: undefined, // DPoP can only be used with headers
+                }
+                : req.headers, {
+                scope: ['profile'],
+            });
+            const tokenInfo = 'tokenInfo' in auth
+                ? auth.tokenInfo
+                : await server.tokenManager.getTokenInfo(auth.tokenType, auth.tokenId);
+            return server.userinfo(tokenInfo);
+        }, {
+            '': 'application/json',
+            'application/json': dynamicJson(async function (_req, _res) {
+                return this.data;
+            }),
+            'application/jwt': dynamicJson(async function (_req, res) {
+                const jwt = await server.signUserinfo(this.data);
+                res.writeHead(200, { 'Content-Type': 'application/jwt' }).end(jwt);
+                return undefined;
+            }),
+        }));
+        //- Private authorization endpoints
+        router.use((0, assets_middleware_js_1.authorizeAssetsMiddleware)());
+        router.get('/oauth/authorize', async function (req, res) {
+            try {
+                res.setHeader('Cache-Control', 'no-store');
+                (0, index_js_1.validateFetchMode)(req, res, ['navigate']);
+                (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
+                const query = Object.fromEntries(this.url.searchParams);
+                const input = await types_js_1.authorizationRequestQuerySchema.parseAsync(query, {
+                    path: ['query'],
+                });
+                const { deviceId } = await deviceManager.load(req, res);
+                const data = await server.authorize(deviceId, input);
+                switch (true) {
+                    case 'redirect' in data: {
+                        return await (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, data);
+                    }
+                    case 'authorize' in data: {
+                        await (0, index_js_1.setupCsrfToken)(req, res, csrfCookie(data.authorize.uri));
+                        return await (0, send_authorize_page_js_1.sendAuthorizePage)(res, data, server.customization);
+                    }
+                    default: {
+                        // Should never happen
+                        throw new Error('Unexpected authorization result');
+                    }
+                }
+            }
+            catch (err) {
+                await onError?.(req, res, err, 'Failed to setup authorize');
+                if (!res.headersSent) {
+                    await (0, send_error_page_js_1.sendErrorPage)(res, err, server.customization);
+                }
+            }
+        });
+        const signInPayloadSchema = zod_1.z.object({
+            csrf_token: zod_1.z.string(),
+            request_uri: request_uri_js_1.requestUriSchema,
+            client_id: client_id_js_1.clientIdSchema,
+            credentials: zod_1.z.object({
+                username: zod_1.z.string(),
+                password: zod_1.z.string(),
+                remember: zod_1.z.boolean().optional().default(false),
+            }),
+        });
+        router.post('/oauth/authorize/sign-in', async function (req, res) {
+            (0, index_js_1.validateFetchMode)(req, res, ['same-origin']);
+            (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
+            const input = await (0, index_js_1.validateRequestPayload)(req, signInPayloadSchema);
+            (0, index_js_1.validateReferer)(req, res, {
+                origin: issuerOrigin,
+                pathname: '/oauth/authorize',
+            });
+            (0, index_js_1.validateCsrfToken)(req, res, input.csrf_token, csrfCookie(input.request_uri));
+            const { deviceId } = await deviceManager.load(req, res);
+            const { account, info } = await server.signIn(deviceId, input.credentials);
+            // Prevent fixation attacks
+            await deviceManager.rotate(req, res, deviceId);
+            return (0, index_js_1.writeJson)(res, {
+                account,
+                consentRequired: !info.authorizedClients.includes(input.client_id),
+            });
+        });
+        const acceptQuerySchema = zod_1.z.object({
+            csrf_token: zod_1.z.string(),
+            request_uri: request_uri_js_1.requestUriSchema,
+            client_id: client_id_js_1.clientIdSchema,
+            account_sub: zod_1.z.string(),
+        });
+        router.get('/oauth/authorize/accept', async function (req, res) {
+            try {
+                res.setHeader('Cache-Control', 'no-store');
+                (0, index_js_1.validateFetchMode)(req, res, ['navigate']);
+                (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
+                const query = Object.fromEntries(this.url.searchParams);
+                const input = await acceptQuerySchema.parseAsync(query, {
+                    path: ['query'],
+                });
+                (0, index_js_1.validateReferer)(req, res, {
+                    origin: issuerOrigin,
+                    pathname: '/oauth/authorize',
+                    searchParams: [
+                        ['request_uri', input.request_uri],
+                        ['client_id', input.client_id],
+                    ],
+                });
+                (0, index_js_1.validateCsrfToken)(req, res, input.csrf_token, csrfCookie(input.request_uri), true);
+                const { deviceId } = await deviceManager.load(req, res);
+                const data = await server.acceptRequest(deviceId, input.request_uri, input.client_id, input.account_sub);
+                return await (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, data);
+            }
+            catch (err) {
+                await onError?.(req, res, err, 'Failed to accept authorization request');
+                if (!res.headersSent) {
+                    await (0, send_error_page_js_1.sendErrorPage)(res, err, server.customization);
+                }
+            }
+        });
+        const rejectQuerySchema = zod_1.z.object({
+            csrf_token: zod_1.z.string(),
+            request_uri: request_uri_js_1.requestUriSchema,
+            client_id: client_id_js_1.clientIdSchema,
+        });
+        router.get('/oauth/authorize/reject', async function (req, res) {
+            try {
+                res.setHeader('Cache-Control', 'no-store');
+                (0, index_js_1.validateFetchMode)(req, res, ['navigate']);
+                (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
+                const query = Object.fromEntries(this.url.searchParams);
+                const input = await rejectQuerySchema.parseAsync(query, {
+                    path: ['query'],
+                });
+                (0, index_js_1.validateReferer)(req, res, {
+                    origin: issuerOrigin,
+                    pathname: '/oauth/authorize',
+                    searchParams: [
+                        ['request_uri', input.request_uri],
+                        ['client_id', input.client_id],
+                    ],
+                });
+                (0, index_js_1.validateCsrfToken)(req, res, input.csrf_token, csrfCookie(input.request_uri), true);
+                const { deviceId } = await deviceManager.load(req, res);
+                const data = await server.rejectRequest(deviceId, input.request_uri, input.client_id);
+                return await (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, data);
+            }
+            catch (err) {
+                await onError?.(req, res, err, 'Failed to reject authorization request');
+                if (!res.headersSent) {
+                    await (0, send_error_page_js_1.sendErrorPage)(res, err, server.customization);
+                }
+            }
+        });
+        return router;
+    }
+}
+exports.OAuthProvider = OAuthProvider;
+//# sourceMappingURL=oauth-provider.js.map