npm - @atproto/oauth-provider - Versions diffs - 0.1.0 - Mend

@atproto/oauth-provider 0.1.0

Files changed (631) hide show

package/.postcssrc.yml +3 -0
package/CHANGELOG.md +19 -0
package/LICENSE.txt +7 -0
package/dist/access-token/access-token-type.d.ts +6 -0
package/dist/access-token/access-token-type.d.ts.map +1 -0
package/dist/access-token/access-token-type.js +10 -0
package/dist/access-token/access-token-type.js.map +1 -0
package/dist/account/account-manager.d.ts +14 -0
package/dist/account/account-manager.d.ts.map +1 -0
package/dist/account/account-manager.js +39 -0
package/dist/account/account-manager.js.map +1 -0
package/dist/account/account-store.d.ts +39 -0
package/dist/account/account-store.d.ts.map +1 -0
package/dist/account/account-store.js +19 -0
package/dist/account/account-store.js.map +1 -0
package/dist/account/account.d.ts +8 -0
package/dist/account/account.d.ts.map +1 -0
package/dist/account/account.js +3 -0
package/dist/account/account.js.map +1 -0
package/dist/assets/app/bundle-manifest.json +22 -0
package/dist/assets/app/main.css +3 -0
package/dist/assets/app/main.js +20 -0
package/dist/assets/app/main.js.map +1 -0
package/dist/assets/asset.d.ts +9 -0
package/dist/assets/asset.d.ts.map +1 -0
package/dist/assets/asset.js +3 -0
package/dist/assets/asset.js.map +1 -0
package/dist/assets/assets-middleware.d.ts +2 -0
package/dist/assets/assets-middleware.d.ts.map +1 -0
package/dist/assets/assets-middleware.js +30 -0
package/dist/assets/assets-middleware.js.map +1 -0
package/dist/assets/index.d.ts +4 -0
package/dist/assets/index.d.ts.map +1 -0
package/dist/assets/index.js +65 -0
package/dist/assets/index.js.map +1 -0
package/dist/client/client-auth.d.ts +13 -0
package/dist/client/client-auth.d.ts.map +1 -0
package/dist/client/client-auth.js +35 -0
package/dist/client/client-auth.js.map +1 -0
package/dist/client/client-data.d.ts +8 -0
package/dist/client/client-data.d.ts.map +1 -0
package/dist/client/client-data.js +3 -0
package/dist/client/client-data.js.map +1 -0
package/dist/client/client-id.d.ts +4 -0
package/dist/client/client-id.d.ts.map +1 -0
package/dist/client/client-id.js +6 -0
package/dist/client/client-id.js.map +1 -0
package/dist/client/client-info.d.ts +13 -0
package/dist/client/client-info.d.ts.map +1 -0
package/dist/client/client-info.js +3 -0
package/dist/client/client-info.js.map +1 -0
package/dist/client/client-manager.d.ts +38 -0
package/dist/client/client-manager.d.ts.map +1 -0
package/dist/client/client-manager.js +534 -0
package/dist/client/client-manager.js.map +1 -0
package/dist/client/client-store.d.ts +13 -0
package/dist/client/client-store.d.ts.map +1 -0
package/dist/client/client-store.js +39 -0
package/dist/client/client-store.js.map +1 -0
package/dist/client/client-utils.d.ts +6 -0
package/dist/client/client-utils.d.ts.map +1 -0
package/dist/client/client-utils.js +40 -0
package/dist/client/client-utils.js.map +1 -0
package/dist/client/client.d.ts +41 -0
package/dist/client/client.d.ts.map +1 -0
package/dist/client/client.js +163 -0
package/dist/client/client.js.map +1 -0
package/dist/constants.d.ts +42 -0
package/dist/constants.d.ts.map +1 -0
package/dist/constants.js +53 -0
package/dist/constants.js.map +1 -0
package/dist/device/device-data.d.ts +20 -0
package/dist/device/device-data.d.ts.map +1 -0
package/dist/device/device-data.js +11 -0
package/dist/device/device-data.js.map +1 -0
package/dist/device/device-details.d.ts +17 -0
package/dist/device/device-details.d.ts.map +1 -0
package/dist/device/device-details.js +34 -0
package/dist/device/device-details.js.map +1 -0
package/dist/device/device-id.d.ts +6 -0
package/dist/device/device-id.d.ts.map +1 -0
package/dist/device/device-id.js +18 -0
package/dist/device/device-id.js.map +1 -0
package/dist/device/device-manager.d.ts +88 -0
package/dist/device/device-manager.d.ts.map +1 -0
package/dist/device/device-manager.js +206 -0
package/dist/device/device-manager.js.map +1 -0
package/dist/device/device-store.d.ts +15 -0
package/dist/device/device-store.d.ts.map +1 -0
package/dist/device/device-store.js +36 -0
package/dist/device/device-store.js.map +1 -0
package/dist/device/session-id.d.ts +6 -0
package/dist/device/session-id.d.ts.map +1 -0
package/dist/device/session-id.js +18 -0
package/dist/device/session-id.js.map +1 -0
package/dist/dpop/dpop-manager.d.ts +33 -0
package/dist/dpop/dpop-manager.d.ts.map +1 -0
package/dist/dpop/dpop-manager.js +115 -0
package/dist/dpop/dpop-manager.js.map +1 -0
package/dist/dpop/dpop-nonce.d.ts +13 -0
package/dist/dpop/dpop-nonce.d.ts.map +1 -0
package/dist/dpop/dpop-nonce.js +94 -0
package/dist/dpop/dpop-nonce.js.map +1 -0
package/dist/errors/access-denied-error.d.ts +8 -0
package/dist/errors/access-denied-error.d.ts.map +1 -0
package/dist/errors/access-denied-error.js +21 -0
package/dist/errors/access-denied-error.js.map +1 -0
package/dist/errors/account-selection-required-error.d.ts +6 -0
package/dist/errors/account-selection-required-error.d.ts.map +1 -0
package/dist/errors/account-selection-required-error.js +11 -0
package/dist/errors/account-selection-required-error.js.map +1 -0
package/dist/errors/consent-required-error.d.ts +6 -0
package/dist/errors/consent-required-error.d.ts.map +1 -0
package/dist/errors/consent-required-error.js +11 -0
package/dist/errors/consent-required-error.js.map +1 -0
package/dist/errors/invalid-authorization-details-error.d.ts +20 -0
package/dist/errors/invalid-authorization-details-error.d.ts.map +1 -0
package/dist/errors/invalid-authorization-details-error.js +26 -0
package/dist/errors/invalid-authorization-details-error.js.map +1 -0
package/dist/errors/invalid-client-error.d.ts +18 -0
package/dist/errors/invalid-client-error.d.ts.map +1 -0
package/dist/errors/invalid-client-error.js +24 -0
package/dist/errors/invalid-client-error.js.map +1 -0
package/dist/errors/invalid-client-id-error.d.ts +13 -0
package/dist/errors/invalid-client-id-error.d.ts.map +1 -0
package/dist/errors/invalid-client-id-error.js +25 -0
package/dist/errors/invalid-client-id-error.js.map +1 -0
package/dist/errors/invalid-client-metadata-error.d.ts +13 -0
package/dist/errors/invalid-client-metadata-error.d.ts.map +1 -0
package/dist/errors/invalid-client-metadata-error.js +23 -0
package/dist/errors/invalid-client-metadata-error.js.map +1 -0
package/dist/errors/invalid-dpop-key-binding-error.d.ts +12 -0
package/dist/errors/invalid-dpop-key-binding-error.d.ts.map +1 -0
package/dist/errors/invalid-dpop-key-binding-error.js +20 -0
package/dist/errors/invalid-dpop-key-binding-error.js.map +1 -0
package/dist/errors/invalid-dpop-proof-error.d.ts +5 -0
package/dist/errors/invalid-dpop-proof-error.d.ts.map +1 -0
package/dist/errors/invalid-dpop-proof-error.js +12 -0
package/dist/errors/invalid-dpop-proof-error.js.map +1 -0
package/dist/errors/invalid-grant-error.d.ts +14 -0
package/dist/errors/invalid-grant-error.d.ts.map +1 -0
package/dist/errors/invalid-grant-error.js +20 -0
package/dist/errors/invalid-grant-error.js.map +1 -0
package/dist/errors/invalid-parameters-error.d.ts +6 -0
package/dist/errors/invalid-parameters-error.d.ts.map +1 -0
package/dist/errors/invalid-parameters-error.js +11 -0
package/dist/errors/invalid-parameters-error.js.map +1 -0
package/dist/errors/invalid-redirect-uri-error.d.ts +11 -0
package/dist/errors/invalid-redirect-uri-error.d.ts.map +1 -0
package/dist/errors/invalid-redirect-uri-error.js +21 -0
package/dist/errors/invalid-redirect-uri-error.js.map +1 -0
package/dist/errors/invalid-request-error.d.ts +28 -0
package/dist/errors/invalid-request-error.d.ts.map +1 -0
package/dist/errors/invalid-request-error.js +34 -0
package/dist/errors/invalid-request-error.js.map +1 -0
package/dist/errors/invalid-token-error.d.ts +16 -0
package/dist/errors/invalid-token-error.d.ts.map +1 -0
package/dist/errors/invalid-token-error.js +45 -0
package/dist/errors/invalid-token-error.js.map +1 -0
package/dist/errors/login-required-error.d.ts +6 -0
package/dist/errors/login-required-error.d.ts.map +1 -0
package/dist/errors/login-required-error.js +11 -0
package/dist/errors/login-required-error.js.map +1 -0
package/dist/errors/oauth-error.d.ts +13 -0
package/dist/errors/oauth-error.d.ts.map +1 -0
package/dist/errors/oauth-error.js +29 -0
package/dist/errors/oauth-error.js.map +1 -0
package/dist/errors/unauthorized-client-error.d.ts +18 -0
package/dist/errors/unauthorized-client-error.d.ts.map +1 -0
package/dist/errors/unauthorized-client-error.js +24 -0
package/dist/errors/unauthorized-client-error.js.map +1 -0
package/dist/errors/use-dpop-nonce-error.d.ts +18 -0
package/dist/errors/use-dpop-nonce-error.d.ts.map +1 -0
package/dist/errors/use-dpop-nonce-error.js +27 -0
package/dist/errors/use-dpop-nonce-error.js.map +1 -0
package/dist/errors/www-authenticate-error.d.ts +9 -0
package/dist/errors/www-authenticate-error.d.ts.map +1 -0
package/dist/errors/www-authenticate-error.js +46 -0
package/dist/errors/www-authenticate-error.js.map +1 -0
package/dist/index.d.ts +14 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +31 -0
package/dist/index.js.map +1 -0
package/dist/lib/html/build-document.d.ts +32 -0
package/dist/lib/html/build-document.d.ts.map +1 -0
package/dist/lib/html/build-document.js +61 -0
package/dist/lib/html/build-document.js.map +1 -0
package/dist/lib/html/escapers.d.ts +9 -0
package/dist/lib/html/escapers.d.ts.map +1 -0
package/dist/lib/html/escapers.js +66 -0
package/dist/lib/html/escapers.js.map +1 -0
package/dist/lib/html/html.d.ts +13 -0
package/dist/lib/html/html.d.ts.map +1 -0
package/dist/lib/html/html.js +53 -0
package/dist/lib/html/html.js.map +1 -0
package/dist/lib/html/index.d.ts +4 -0
package/dist/lib/html/index.d.ts.map +1 -0
package/dist/lib/html/index.js +21 -0
package/dist/lib/html/index.js.map +1 -0
package/dist/lib/html/tags.d.ts +34 -0
package/dist/lib/html/tags.d.ts.map +1 -0
package/dist/lib/html/tags.js +47 -0
package/dist/lib/html/tags.js.map +1 -0
package/dist/lib/html/util.d.ts +4 -0
package/dist/lib/html/util.d.ts.map +1 -0
package/dist/lib/html/util.js +20 -0
package/dist/lib/html/util.js.map +1 -0
package/dist/lib/http/accept.d.ts +29 -0
package/dist/lib/http/accept.d.ts.map +1 -0
package/dist/lib/http/accept.js +67 -0
package/dist/lib/http/accept.js.map +1 -0
package/dist/lib/http/context.d.ts +5 -0
package/dist/lib/http/context.d.ts.map +1 -0
package/dist/lib/http/context.js +10 -0
package/dist/lib/http/context.js.map +1 -0
package/dist/lib/http/index.d.ts +10 -0
package/dist/lib/http/index.d.ts.map +1 -0
package/dist/lib/http/index.js +26 -0
package/dist/lib/http/index.js.map +1 -0
package/dist/lib/http/method.d.ts +6 -0
package/dist/lib/http/method.d.ts.map +1 -0
package/dist/lib/http/method.js +19 -0
package/dist/lib/http/method.js.map +1 -0
package/dist/lib/http/middleware.d.ts +18 -0
package/dist/lib/http/middleware.d.ts.map +1 -0
package/dist/lib/http/middleware.js +118 -0
package/dist/lib/http/middleware.js.map +1 -0
package/dist/lib/http/parser.d.ts +33 -0
package/dist/lib/http/parser.d.ts.map +1 -0
package/dist/lib/http/parser.js +48 -0
package/dist/lib/http/parser.js.map +1 -0
package/dist/lib/http/path.d.ts +9 -0
package/dist/lib/http/path.d.ts.map +1 -0
package/dist/lib/http/path.js +54 -0
package/dist/lib/http/path.js.map +1 -0
package/dist/lib/http/request.d.ts +33 -0
package/dist/lib/http/request.d.ts.map +1 -0
package/dist/lib/http/request.js +86 -0
package/dist/lib/http/request.js.map +1 -0
package/dist/lib/http/response.d.ts +13 -0
package/dist/lib/http/response.d.ts.map +1 -0
package/dist/lib/http/response.js +98 -0
package/dist/lib/http/response.js.map +1 -0
package/dist/lib/http/route.d.ts +25 -0
package/dist/lib/http/route.d.ts.map +1 -0
package/dist/lib/http/route.js +39 -0
package/dist/lib/http/route.js.map +1 -0
package/dist/lib/http/router.d.ts +32 -0
package/dist/lib/http/router.d.ts.map +1 -0
package/dist/lib/http/router.js +74 -0
package/dist/lib/http/router.js.map +1 -0
package/dist/lib/http/stream.d.ts +13 -0
package/dist/lib/http/stream.d.ts.map +1 -0
package/dist/lib/http/stream.js +46 -0
package/dist/lib/http/stream.js.map +1 -0
package/dist/lib/http/types.d.ts +7 -0
package/dist/lib/http/types.d.ts.map +1 -0
package/dist/lib/http/types.js +3 -0
package/dist/lib/http/types.js.map +1 -0
package/dist/lib/http/url.d.ts +8 -0
package/dist/lib/http/url.d.ts.map +1 -0
package/dist/lib/http/url.js +22 -0
package/dist/lib/http/url.js.map +1 -0
package/dist/lib/redis.d.ts +5 -0
package/dist/lib/redis.d.ts.map +1 -0
package/dist/lib/redis.js +22 -0
package/dist/lib/redis.js.map +1 -0
package/dist/lib/util/authorization-header.d.ts +4 -0
package/dist/lib/util/authorization-header.d.ts.map +1 -0
package/dist/lib/util/authorization-header.js +23 -0
package/dist/lib/util/authorization-header.js.map +1 -0
package/dist/lib/util/cast.d.ts +2 -0
package/dist/lib/util/cast.d.ts.map +1 -0
package/dist/lib/util/cast.js +10 -0
package/dist/lib/util/cast.js.map +1 -0
package/dist/lib/util/crypto.d.ts +3 -0
package/dist/lib/util/crypto.d.ts.map +1 -0
package/dist/lib/util/crypto.js +29 -0
package/dist/lib/util/crypto.js.map +1 -0
package/dist/lib/util/date.d.ts +3 -0
package/dist/lib/util/date.d.ts.map +1 -0
package/dist/lib/util/date.js +12 -0
package/dist/lib/util/date.js.map +1 -0
package/dist/lib/util/hostname.d.ts +6 -0
package/dist/lib/util/hostname.d.ts.map +1 -0
package/dist/lib/util/hostname.js +24 -0
package/dist/lib/util/hostname.js.map +1 -0
package/dist/lib/util/redirect-uri.d.ts +7 -0
package/dist/lib/util/redirect-uri.d.ts.map +1 -0
package/dist/lib/util/redirect-uri.js +44 -0
package/dist/lib/util/redirect-uri.js.map +1 -0
package/dist/lib/util/time.d.ts +6 -0
package/dist/lib/util/time.d.ts.map +1 -0
package/dist/lib/util/time.js +28 -0
package/dist/lib/util/time.js.map +1 -0
package/dist/lib/util/type.d.ts +6 -0
package/dist/lib/util/type.d.ts.map +1 -0
package/dist/lib/util/type.js +3 -0
package/dist/lib/util/type.js.map +1 -0
package/dist/lib/util/well-known.d.ts +3 -0
package/dist/lib/util/well-known.d.ts.map +1 -0
package/dist/lib/util/well-known.js +11 -0
package/dist/lib/util/well-known.js.map +1 -0
package/dist/metadata/build-metadata.d.ts +14 -0
package/dist/metadata/build-metadata.d.ts.map +1 -0
package/dist/metadata/build-metadata.js +132 -0
package/dist/metadata/build-metadata.js.map +1 -0
package/dist/oauth-client.d.ts +4 -0
package/dist/oauth-client.d.ts.map +1 -0
package/dist/oauth-client.js +19 -0
package/dist/oauth-client.js.map +1 -0
package/dist/oauth-dpop.d.ts +3 -0
package/dist/oauth-dpop.d.ts.map +1 -0
package/dist/oauth-dpop.js +19 -0
package/dist/oauth-dpop.js.map +1 -0
package/dist/oauth-errors.d.ts +20 -0
package/dist/oauth-errors.d.ts.map +1 -0
package/dist/oauth-errors.js +43 -0
package/dist/oauth-errors.js.map +1 -0
package/dist/oauth-hooks.d.ts +42 -0
package/dist/oauth-hooks.d.ts.map +1 -0
package/dist/oauth-hooks.js +3 -0
package/dist/oauth-hooks.js.map +1 -0
package/dist/oauth-provider.d.ts +179 -0
package/dist/oauth-provider.d.ts.map +1 -0
package/dist/oauth-provider.js +748 -0
package/dist/oauth-provider.js.map +1 -0
package/dist/oauth-store.d.ts +11 -0
package/dist/oauth-store.d.ts.map +1 -0
package/dist/oauth-store.js +27 -0
package/dist/oauth-store.js.map +1 -0
package/dist/oauth-verifier.d.ts +66 -0
package/dist/oauth-verifier.d.ts.map +1 -0
package/dist/oauth-verifier.js +94 -0
package/dist/oauth-verifier.js.map +1 -0
package/dist/oidc/claims.d.ts +16 -0
package/dist/oidc/claims.d.ts.map +1 -0
package/dist/oidc/claims.js +29 -0
package/dist/oidc/claims.js.map +1 -0
package/dist/oidc/sub.d.ts +4 -0
package/dist/oidc/sub.d.ts.map +1 -0
package/dist/oidc/sub.js +6 -0
package/dist/oidc/sub.js.map +1 -0
package/dist/oidc/userinfo.d.ts +7 -0
package/dist/oidc/userinfo.d.ts.map +1 -0
package/dist/oidc/userinfo.js +3 -0
package/dist/oidc/userinfo.js.map +1 -0
package/dist/output/build-error-payload.d.ts +6 -0
package/dist/output/build-error-payload.d.ts.map +1 -0
package/dist/output/build-error-payload.js +108 -0
package/dist/output/build-error-payload.js.map +1 -0
package/dist/output/customization.d.ts +37 -0
package/dist/output/customization.d.ts.map +1 -0
package/dist/output/customization.js +62 -0
package/dist/output/customization.js.map +1 -0
package/dist/output/send-authorize-page.d.ts +43 -0
package/dist/output/send-authorize-page.d.ts.map +1 -0
package/dist/output/send-authorize-page.js +49 -0
package/dist/output/send-authorize-page.js.map +1 -0
package/dist/output/send-authorize-redirect.d.ts +25 -0
package/dist/output/send-authorize-redirect.d.ts.map +1 -0
package/dist/output/send-authorize-redirect.js +72 -0
package/dist/output/send-authorize-redirect.js.map +1 -0
package/dist/output/send-error-page.d.ts +5 -0
package/dist/output/send-error-page.d.ts.map +1 -0
package/dist/output/send-error-page.js +31 -0
package/dist/output/send-error-page.js.map +1 -0
package/dist/output/send-web-page.d.ts +8 -0
package/dist/output/send-web-page.d.ts.map +1 -0
package/dist/output/send-web-page.js +48 -0
package/dist/output/send-web-page.js.map +1 -0
package/dist/parameters/claims-requested.d.ts +3 -0
package/dist/parameters/claims-requested.d.ts.map +1 -0
package/dist/parameters/claims-requested.js +77 -0
package/dist/parameters/claims-requested.js.map +1 -0
package/dist/parameters/oidc-payload.d.ts +31 -0
package/dist/parameters/oidc-payload.d.ts.map +1 -0
package/dist/parameters/oidc-payload.js +25 -0
package/dist/parameters/oidc-payload.js.map +1 -0
package/dist/replay/replay-manager.d.ts +10 -0
package/dist/replay/replay-manager.d.ts.map +1 -0
package/dist/replay/replay-manager.js +23 -0
package/dist/replay/replay-manager.js.map +1 -0
package/dist/replay/replay-store-memory.d.ts +11 -0
package/dist/replay/replay-store-memory.d.ts.map +1 -0
package/dist/replay/replay-store-memory.js +30 -0
package/dist/replay/replay-store-memory.js.map +1 -0
package/dist/replay/replay-store-redis.d.ts +16 -0
package/dist/replay/replay-store-redis.d.ts.map +1 -0
package/dist/replay/replay-store-redis.js +20 -0
package/dist/replay/replay-store-redis.js.map +1 -0
package/dist/replay/replay-store.d.ts +16 -0
package/dist/replay/replay-store.d.ts.map +1 -0
package/dist/replay/replay-store.js +22 -0
package/dist/replay/replay-store.js.map +1 -0
package/dist/request/code.d.ts +7 -0
package/dist/request/code.d.ts.map +1 -0
package/dist/request/code.js +20 -0
package/dist/request/code.js.map +1 -0
package/dist/request/request-data.d.ts +21 -0
package/dist/request/request-data.d.ts.map +1 -0
package/dist/request/request-data.js +6 -0
package/dist/request/request-data.js.map +1 -0
package/dist/request/request-id.d.ts +6 -0
package/dist/request/request-id.d.ts.map +1 -0
package/dist/request/request-id.js +18 -0
package/dist/request/request-id.js.map +1 -0
package/dist/request/request-info.d.ts +12 -0
package/dist/request/request-info.d.ts.map +1 -0
package/dist/request/request-info.js +3 -0
package/dist/request/request-info.js.map +1 -0
package/dist/request/request-manager.d.ts +40 -0
package/dist/request/request-manager.d.ts.map +1 -0
package/dist/request/request-manager.js +310 -0
package/dist/request/request-manager.js.map +1 -0
package/dist/request/request-store-memory.d.ts +16 -0
package/dist/request/request-store-memory.d.ts.map +1 -0
package/dist/request/request-store-memory.js +31 -0
package/dist/request/request-store-memory.js.map +1 -0
package/dist/request/request-store-redis.d.ts +24 -0
package/dist/request/request-store-redis.d.ts.map +1 -0
package/dist/request/request-store-redis.js +58 -0
package/dist/request/request-store-redis.js.map +1 -0
package/dist/request/request-store.d.ts +27 -0
package/dist/request/request-store.d.ts.map +1 -0
package/dist/request/request-store.js +37 -0
package/dist/request/request-store.js.map +1 -0
package/dist/request/request-uri.d.ts +8 -0
package/dist/request/request-uri.d.ts.map +1 -0
package/dist/request/request-uri.js +24 -0
package/dist/request/request-uri.js.map +1 -0
package/dist/request/types.d.ts +328 -0
package/dist/request/types.d.ts.map +1 -0
package/dist/request/types.js +27 -0
package/dist/request/types.js.map +1 -0
package/dist/signer/signed-token-payload.d.ts +1694 -0
package/dist/signer/signed-token-payload.d.ts.map +1 -0
package/dist/signer/signed-token-payload.js +32 -0
package/dist/signer/signed-token-payload.js.map +1 -0
package/dist/signer/signer.d.ts +193 -0
package/dist/signer/signer.d.ts.map +1 -0
package/dist/signer/signer.js +101 -0
package/dist/signer/signer.js.map +1 -0
package/dist/token/refresh-token.d.ts +7 -0
package/dist/token/refresh-token.d.ts.map +1 -0
package/dist/token/refresh-token.js +20 -0
package/dist/token/refresh-token.js.map +1 -0
package/dist/token/token-claims.d.ts +1687 -0
package/dist/token/token-claims.d.ts.map +1 -0
package/dist/token/token-claims.js +30 -0
package/dist/token/token-claims.js.map +1 -0
package/dist/token/token-data.d.ts +20 -0
package/dist/token/token-data.d.ts.map +1 -0
package/dist/token/token-data.js +3 -0
package/dist/token/token-data.js.map +1 -0
package/dist/token/token-id.d.ts +7 -0
package/dist/token/token-id.d.ts.map +1 -0
package/dist/token/token-id.js +20 -0
package/dist/token/token-id.js.map +1 -0
package/dist/token/token-manager.d.ts +48 -0
package/dist/token/token-manager.d.ts.map +1 -0
package/dist/token/token-manager.js +421 -0
package/dist/token/token-manager.js.map +1 -0
package/dist/token/token-store.d.ts +35 -0
package/dist/token/token-store.d.ts.map +1 -0
package/dist/token/token-store.js +38 -0
package/dist/token/token-store.js.map +1 -0
package/dist/token/types.d.ts +250 -0
package/dist/token/types.d.ts.map +1 -0
package/dist/token/types.js +36 -0
package/dist/token/types.js.map +1 -0
package/dist/token/verify-token-claims.d.ts +17 -0
package/dist/token/verify-token-claims.d.ts.map +1 -0
package/dist/token/verify-token-claims.js +39 -0
package/dist/token/verify-token-claims.js.map +1 -0
package/package.json +83 -0
package/rollup.config.js +55 -0
package/src/access-token/access-token-type.ts +5 -0
package/src/account/account-manager.ts +55 -0
package/src/account/account-store.ts +74 -0
package/src/account/account.ts +10 -0
package/src/assets/app/app.tsx +28 -0
package/src/assets/app/backend-data.ts +65 -0
package/src/assets/app/components/accept-form.tsx +112 -0
package/src/assets/app/components/account-identifier.tsx +18 -0
package/src/assets/app/components/account-picker.tsx +108 -0
package/src/assets/app/components/client-identifier.tsx +32 -0
package/src/assets/app/components/client-name.tsx +30 -0
package/src/assets/app/components/error-card.tsx +41 -0
package/src/assets/app/components/help-card.tsx +42 -0
package/src/assets/app/components/layout-title-page.tsx +43 -0
package/src/assets/app/components/layout-welcome.tsx +58 -0
package/src/assets/app/components/sign-in-form.tsx +290 -0
package/src/assets/app/components/sign-up-account-form.tsx +210 -0
package/src/assets/app/components/sign-up-disclaimer.tsx +44 -0
package/src/assets/app/components/url-viewer.tsx +70 -0
package/src/assets/app/cookies.ts +11 -0
package/src/assets/app/hooks/use-api.ts +104 -0
package/src/assets/app/hooks/use-bound-dispatch.ts +5 -0
package/src/assets/app/hooks/use-csrf-token.ts +5 -0
package/src/assets/app/lib/api.ts +64 -0
package/src/assets/app/lib/clsx.ts +4 -0
package/src/assets/app/lib/util.ts +10 -0
package/src/assets/app/main.css +11 -0
package/src/assets/app/main.tsx +28 -0
package/src/assets/app/views/accept-view.tsx +51 -0
package/src/assets/app/views/authorize-view.tsx +101 -0
package/src/assets/app/views/error-view.tsx +27 -0
package/src/assets/app/views/sign-in-view.tsx +121 -0
package/src/assets/app/views/sign-up-view.tsx +93 -0
package/src/assets/app/views/welcome-view.tsx +61 -0
package/src/assets/asset.ts +8 -0
package/src/assets/assets-middleware.ts +32 -0
package/src/assets/index.ts +74 -0
package/src/client/client-auth.ts +45 -0
package/src/client/client-data.ts +9 -0
package/src/client/client-id.ts +4 -0
package/src/client/client-info.ts +13 -0
package/src/client/client-manager.ts +818 -0
package/src/client/client-store.ts +38 -0
package/src/client/client-utils.ts +43 -0
package/src/client/client.ts +231 -0
package/src/constants.ts +69 -0
package/src/device/device-data.ts +11 -0
package/src/device/device-details.ts +43 -0
package/src/device/device-id.ts +23 -0
package/src/device/device-manager.ts +287 -0
package/src/device/device-store.ts +35 -0
package/src/device/session-id.ts +22 -0
package/src/dpop/dpop-manager.ts +147 -0
package/src/dpop/dpop-nonce.ts +104 -0
package/src/errors/access-denied-error.ts +26 -0
package/src/errors/account-selection-required-error.ts +12 -0
package/src/errors/consent-required-error.ts +12 -0
package/src/errors/invalid-authorization-details-error.ts +22 -0
package/src/errors/invalid-client-error.ts +20 -0
package/src/errors/invalid-client-id-error.ts +20 -0
package/src/errors/invalid-client-metadata-error.ts +19 -0
package/src/errors/invalid-dpop-key-binding-error.ts +21 -0
package/src/errors/invalid-dpop-proof-error.ts +13 -0
package/src/errors/invalid-grant-error.ts +16 -0
package/src/errors/invalid-parameters-error.ts +12 -0
package/src/errors/invalid-redirect-uri-error.ts +17 -0
package/src/errors/invalid-request-error.ts +30 -0
package/src/errors/invalid-token-error.ts +59 -0
package/src/errors/login-required-error.ts +12 -0
package/src/errors/oauth-error.ts +28 -0
package/src/errors/unauthorized-client-error.ts +20 -0
package/src/errors/use-dpop-nonce-error.ts +32 -0
package/src/errors/www-authenticate-error.ts +65 -0
package/src/index.ts +15 -0
package/src/lib/html/README.md +9 -0
package/src/lib/html/build-document.ts +98 -0
package/src/lib/html/escapers.ts +66 -0
package/src/lib/html/html.ts +61 -0
package/src/lib/html/index.ts +5 -0
package/src/lib/html/tags.ts +58 -0
package/src/lib/html/util.ts +21 -0
package/src/lib/http/README.md +11 -0
package/src/lib/http/accept.ts +91 -0
package/src/lib/http/context.ts +11 -0
package/src/lib/http/index.ts +9 -0
package/src/lib/http/method.ts +18 -0
package/src/lib/http/middleware.ts +183 -0
package/src/lib/http/parser.ts +64 -0
package/src/lib/http/path.ts +82 -0
package/src/lib/http/request.ts +141 -0
package/src/lib/http/response.ts +133 -0
package/src/lib/http/route.ts +56 -0
package/src/lib/http/router.ts +118 -0
package/src/lib/http/stream.ts +78 -0
package/src/lib/http/types.ts +22 -0
package/src/lib/http/url.ts +23 -0
package/src/lib/redis.ts +23 -0
package/src/lib/util/authorization-header.ts +26 -0
package/src/lib/util/cast.ts +4 -0
package/src/lib/util/crypto.ts +27 -0
package/src/lib/util/date.ts +7 -0
package/src/lib/util/hostname.ts +19 -0
package/src/lib/util/redirect-uri.ts +46 -0
package/src/lib/util/time.ts +33 -0
package/src/lib/util/type.ts +4 -0
package/src/lib/util/well-known.ts +8 -0
package/src/metadata/build-metadata.ts +165 -0
package/src/oauth-client.ts +3 -0
package/src/oauth-dpop.ts +2 -0
package/src/oauth-errors.ts +21 -0
package/src/oauth-hooks.ts +66 -0
package/src/oauth-provider.ts +1409 -0
package/src/oauth-store.ts +11 -0
package/src/oauth-verifier.ts +219 -0
package/src/oidc/claims.ts +35 -0
package/src/oidc/sub.ts +4 -0
package/src/oidc/userinfo.ts +11 -0
package/src/output/build-error-payload.ts +143 -0
package/src/output/customization.ts +96 -0
package/src/output/send-authorize-page.ts +111 -0
package/src/output/send-authorize-redirect.ts +130 -0
package/src/output/send-error-page.ts +41 -0
package/src/output/send-web-page.ts +66 -0
package/src/parameters/claims-requested.ts +106 -0
package/src/parameters/oidc-payload.ts +28 -0
package/src/replay/replay-manager.ts +38 -0
package/src/replay/replay-store-memory.ts +36 -0
package/src/replay/replay-store-redis.ts +31 -0
package/src/replay/replay-store.ts +44 -0
package/src/request/code.ts +24 -0
package/src/request/request-data.ts +26 -0
package/src/request/request-id.ts +23 -0
package/src/request/request-info.ts +12 -0
package/src/request/request-manager.ts +479 -0
package/src/request/request-store-memory.ts +39 -0
package/src/request/request-store-redis.ts +71 -0
package/src/request/request-store.ts +54 -0
package/src/request/request-uri.ts +29 -0
package/src/request/types.ts +48 -0
package/src/signer/signed-token-payload.ts +35 -0
package/src/signer/signer.ts +165 -0
package/src/token/refresh-token.ts +31 -0
package/src/token/token-claims.ts +31 -0
package/src/token/token-data.ts +33 -0
package/src/token/token-id.ts +26 -0
package/src/token/token-manager.ts +591 -0
package/src/token/token-store.ts +78 -0
package/src/token/types.ts +86 -0
package/src/token/verify-token-claims.ts +65 -0
package/tailwind.config.js +13 -0
package/tsconfig.backend.json +9 -0
package/tsconfig.frontend.json +11 -0
package/tsconfig.json +8 -0
package/tsconfig.tools.json +8 -0

package/dist/oauth-provider.js ADDED Viewed

@@ -0,0 +1,748 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthProvider = exports.Keyset = void 0;
+const fetch_node_1 = require("@atproto-labs/fetch-node");
+const simple_store_memory_1 = require("@atproto-labs/simple-store-memory");
+const jwk_1 = require("@atproto/jwk");
+Object.defineProperty(exports, "Keyset", { enumerable: true, get: function () { return jwk_1.Keyset; } });
+const oauth_types_1 = require("@atproto/oauth-types");
+const zod_1 = require("zod");
+const access_token_type_js_1 = require("./access-token/access-token-type.js");
+const account_manager_js_1 = require("./account/account-manager.js");
+const account_store_js_1 = require("./account/account-store.js");
+const assets_middleware_js_1 = require("./assets/assets-middleware.js");
+const client_auth_js_1 = require("./client/client-auth.js");
+const client_id_js_1 = require("./client/client-id.js");
+const client_manager_js_1 = require("./client/client-manager.js");
+const client_store_js_1 = require("./client/client-store.js");
+const constants_js_1 = require("./constants.js");
+const device_manager_js_1 = require("./device/device-manager.js");
+const device_store_js_1 = require("./device/device-store.js");
+const access_denied_error_js_1 = require("./errors/access-denied-error.js");
+const account_selection_required_error_js_1 = require("./errors/account-selection-required-error.js");
+const consent_required_error_js_1 = require("./errors/consent-required-error.js");
+const invalid_client_error_js_1 = require("./errors/invalid-client-error.js");
+const invalid_grant_error_js_1 = require("./errors/invalid-grant-error.js");
+const invalid_parameters_error_js_1 = require("./errors/invalid-parameters-error.js");
+const invalid_request_error_js_1 = require("./errors/invalid-request-error.js");
+const login_required_error_js_1 = require("./errors/login-required-error.js");
+const oauth_error_js_1 = require("./errors/oauth-error.js");
+const unauthorized_client_error_js_1 = require("./errors/unauthorized-client-error.js");
+const www_authenticate_error_js_1 = require("./errors/www-authenticate-error.js");
+const index_js_1 = require("./lib/http/index.js");
+const date_js_1 = require("./lib/util/date.js");
+const build_metadata_js_1 = require("./metadata/build-metadata.js");
+const oauth_verifier_js_1 = require("./oauth-verifier.js");
+const build_error_payload_js_1 = require("./output/build-error-payload.js");
+const send_authorize_page_js_1 = require("./output/send-authorize-page.js");
+const send_authorize_redirect_js_1 = require("./output/send-authorize-redirect.js");
+const send_error_page_js_1 = require("./output/send-error-page.js");
+const oidc_payload_js_1 = require("./parameters/oidc-payload.js");
+const replay_store_js_1 = require("./replay/replay-store.js");
+const request_manager_js_1 = require("./request/request-manager.js");
+const request_store_memory_js_1 = require("./request/request-store-memory.js");
+const request_store_redis_js_1 = require("./request/request-store-redis.js");
+const request_store_js_1 = require("./request/request-store.js");
+const request_uri_js_1 = require("./request/request-uri.js");
+const types_js_1 = require("./request/types.js");
+const token_id_js_1 = require("./token/token-id.js");
+const token_manager_js_1 = require("./token/token-manager.js");
+const token_store_js_1 = require("./token/token-store.js");
+const types_js_2 = require("./token/types.js");
+class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
+    metadata;
+    customization;
+    authenticationMaxAge;
+    accountManager;
+    deviceStore;
+    clientManager;
+    requestManager;
+    tokenManager;
+    constructor({ metadata, customization = undefined, authenticationMaxAge = constants_js_1.AUTHENTICATION_MAX_AGE, tokenMaxAge = constants_js_1.TOKEN_MAX_AGE, safeFetch = (0, fetch_node_1.safeFetchWrap)(), redis, store, // compound store implementation
+    // Requires stores
+    accountStore = (0, account_store_js_1.asAccountStore)(store), deviceStore = (0, device_store_js_1.asDeviceStore)(store), tokenStore = (0, token_store_js_1.asTokenStore)(store),
+    // These are optional
+    clientStore = (0, client_store_js_1.ifClientStore)(store), replayStore = (0, replay_store_js_1.ifReplayStore)(store), requestStore = (0, request_store_js_1.ifRequestStore)(store), clientJwksCache = new simple_store_memory_1.SimpleStoreMemory({
+        maxSize: 50_000_000,
+        ttl: 600e3,
+    }), clientMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
+        maxSize: 50_000_000,
+        ttl: 600e3,
+    }), loopbackMetadata = oauth_types_1.atprotoLoopbackClientMetadata,
+    // OAuthHooks & OAuthVerifierOptions
+    ...rest }) {
+        super({ replayStore, redis, ...rest });
+        requestStore ??= redis
+            ? new request_store_redis_js_1.RequestStoreRedis({ redis })
+            : new request_store_memory_js_1.RequestStoreMemory();
+        this.authenticationMaxAge = authenticationMaxAge;
+        this.metadata = (0, build_metadata_js_1.buildMetadata)(this.issuer, this.keyset, metadata);
+        this.customization = customization;
+        this.deviceStore = deviceStore;
+        this.accountManager = new account_manager_js_1.AccountManager(accountStore);
+        this.clientManager = new client_manager_js_1.ClientManager(this.keyset, rest, clientStore || null, loopbackMetadata || null, safeFetch, clientJwksCache, clientMetadataCache);
+        this.requestManager = new request_manager_js_1.RequestManager(requestStore, this.signer, this.metadata, rest);
+        this.tokenManager = new token_manager_js_1.TokenManager(tokenStore, this.signer, rest, this.accessTokenType, tokenMaxAge);
+    }
+    get jwks() {
+        return this.keyset.publicJwks;
+    }
+    loginRequired(client, parameters, info) {
+        /** in seconds */
+        const authAge = (Date.now() - info.authenticatedAt.getTime()) / 1e3;
+        // Fool-proof (invalid date, or suspiciously in the future)
+        if (!Number.isFinite(authAge) || authAge < 0) {
+            return true;
+        }
+        /** in seconds */
+        const maxAge = parameters.max_age ?? client.metadata.default_max_age;
+        if (maxAge != null && maxAge < this.authenticationMaxAge) {
+            return authAge >= maxAge;
+        }
+        else {
+            return authAge >= this.authenticationMaxAge;
+        }
+    }
+    async authenticateClient(client, endpoint, credentials) {
+        const { clientAuth, nonce } = await client.verifyCredentials(credentials, endpoint, { audience: this.issuer });
+        if (nonce != null) {
+            const unique = await this.replayManager.uniqueAuth(nonce, client.id);
+            if (!unique) {
+                throw new invalid_client_error_js_1.InvalidClientError(`${clientAuth.method} jti reused`);
+            }
+        }
+        return clientAuth;
+    }
+    async decodeJAR(client, input) {
+        const result = await client.decodeRequestObject(input.request);
+        const payload = oauth_types_1.oauthAuthenticationRequestParametersSchema.parse(result.payload);
+        if (!result.payload.jti) {
+            throw new invalid_parameters_error_js_1.InvalidParametersError(payload, 'Request object must contain a jti claim');
+        }
+        if (!(await this.replayManager.uniqueJar(result.payload.jti, client.id))) {
+            throw new invalid_parameters_error_js_1.InvalidParametersError(payload, 'Request object jti is not unique');
+        }
+        if ('protectedHeader' in result) {
+            if (!result.protectedHeader.kid) {
+                throw new invalid_parameters_error_js_1.InvalidParametersError(payload, 'Missing "kid" in header');
+            }
+            return {
+                jkt: await (0, client_auth_js_1.authJwkThumbprint)(result.key),
+                payload,
+                protectedHeader: result.protectedHeader,
+            };
+        }
+        if ('header' in result) {
+            return {
+                payload,
+            };
+        }
+        // Should never happen
+        throw new Error('Invalid request object');
+    }
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc9126}
+     */
+    async pushedAuthorizationRequest(input, dpopJkt) {
+        try {
+            const client = await this.clientManager.getClient(input.client_id);
+            const clientAuth = await this.authenticateClient(client, 'pushed_authorization_request', input);
+            const { payload: parameters } = 'request' in input // Handle JAR
+                ? await this.decodeJAR(client, input)
+                : { payload: input };
+            const { uri, expiresAt } = await this.requestManager.createAuthorizationRequest(client, clientAuth, parameters, null, dpopJkt);
+            return {
+                request_uri: uri,
+                expires_in: (0, date_js_1.dateToRelativeSeconds)(expiresAt),
+            };
+        }
+        catch (err) {
+            // https://datatracker.ietf.org/doc/html/rfc9126#section-2.3-1
+            // > Since initial processing of the pushed authorization request does not
+            // > involve resource owner interaction, error codes related to user
+            // > interaction, such as consent_required defined by [OIDC], are never
+            // > returned.
+            if (err instanceof access_denied_error_js_1.AccessDeniedError) {
+                throw new invalid_request_error_js_1.InvalidRequestError(err.error_description, err);
+            }
+            throw err;
+        }
+    }
+    async loadAuthorizationRequest(client, deviceId, input) {
+        // Load PAR
+        if ('request_uri' in input) {
+            return this.requestManager.get(input.request_uri, client.id, deviceId);
+        }
+        // Handle JAR
+        if ('request' in input) {
+            const requestObject = await this.decodeJAR(client, input);
+            if ('protectedHeader' in requestObject && requestObject.protectedHeader) {
+                // Allow using signed JAR during "/authorize" as client authentication.
+                // This allows clients to skip PAR to initiate trusted sessions.
+                const clientAuth = {
+                    method: oauth_types_1.CLIENT_ASSERTION_TYPE_JWT_BEARER,
+                    kid: requestObject.protectedHeader.kid,
+                    alg: requestObject.protectedHeader.alg,
+                    jkt: requestObject.jkt,
+                };
+                return this.requestManager.createAuthorizationRequest(client, clientAuth, requestObject.payload, deviceId, null);
+            }
+            return this.requestManager.createAuthorizationRequest(client, { method: 'none' }, requestObject.payload, deviceId, null);
+        }
+        return this.requestManager.createAuthorizationRequest(client, { method: 'none' }, input, deviceId, null);
+    }
+    async deleteRequest(uri, parameters) {
+        try {
+            await this.requestManager.delete(uri);
+        }
+        catch (err) {
+            throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
+        }
+    }
+    async authorize(deviceId, input) {
+        const { issuer } = this;
+        const client = await this.clientManager.getClient(input.client_id);
+        try {
+            const { uri, parameters, clientAuth } = await this.loadAuthorizationRequest(client, deviceId, input);
+            try {
+                const sessions = await this.getSessions(client, clientAuth, deviceId, parameters);
+                if (parameters.prompt === 'none') {
+                    const ssoSessions = sessions.filter((s) => s.matchesHint);
+                    if (ssoSessions.length > 1) {
+                        throw new account_selection_required_error_js_1.AccountSelectionRequiredError(parameters);
+                    }
+                    if (ssoSessions.length < 1) {
+                        throw new login_required_error_js_1.LoginRequiredError(parameters);
+                    }
+                    const ssoSession = ssoSessions[0];
+                    if (ssoSession.loginRequired) {
+                        throw new login_required_error_js_1.LoginRequiredError(parameters);
+                    }
+                    if (ssoSession.consentRequired) {
+                        throw new consent_required_error_js_1.ConsentRequiredError(parameters);
+                    }
+                    const redirect = await this.requestManager.setAuthorized(client, uri, deviceId, ssoSession.account, ssoSession.info);
+                    return { issuer, client, parameters, redirect };
+                }
+                // Automatic SSO when a did was provided
+                if (parameters.prompt == null && parameters.login_hint != null) {
+                    const ssoSessions = sessions.filter((s) => s.matchesHint);
+                    if (ssoSessions.length === 1) {
+                        const ssoSession = ssoSessions[0];
+                        if (!ssoSession.loginRequired && !ssoSession.consentRequired) {
+                            const redirect = await this.requestManager.setAuthorized(client, uri, deviceId, ssoSession.account, ssoSession.info);
+                            return { issuer, client, parameters, redirect };
+                        }
+                    }
+                }
+                return {
+                    issuer,
+                    client,
+                    parameters,
+                    authorize: { uri, sessions },
+                };
+            }
+            catch (err) {
+                await this.deleteRequest(uri, parameters);
+                // Transform into an AccessDeniedError to allow redirecting the user
+                // to the client with the error details.
+                throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
+            }
+        }
+        catch (err) {
+            if (err instanceof access_denied_error_js_1.AccessDeniedError) {
+                return {
+                    issuer,
+                    client,
+                    parameters: err.parameters,
+                    redirect: err.toJSON(),
+                };
+            }
+            throw err;
+        }
+    }
+    async getSessions(client, clientAuth, deviceId, parameters) {
+        const accounts = await this.accountManager.list(deviceId);
+        return accounts.map(({ account, info }) => ({
+            account,
+            info,
+            selected: parameters.prompt !== 'select_account' &&
+                parameters.login_hint === account.sub,
+            loginRequired: parameters.prompt === 'login' ||
+                this.loginRequired(client, parameters, info),
+            consentRequired: parameters.prompt === 'consent' ||
+                !info.authorizedClients.includes(client.id),
+            matchesHint: parameters.login_hint === account.sub || parameters.login_hint == null,
+        }));
+    }
+    async signIn(deviceId, credentials) {
+        return this.accountManager.signIn(credentials, deviceId);
+    }
+    async acceptRequest(deviceId, uri, clientId, sub) {
+        const { issuer } = this;
+        const client = await this.clientManager.getClient(clientId);
+        try {
+            const { parameters, clientAuth } = await this.requestManager.get(uri, clientId, deviceId);
+            try {
+                const { account, info } = await this.accountManager.get(deviceId, sub);
+                // The user is trying to authorize without a fresh login
+                if (this.loginRequired(client, parameters, info)) {
+                    throw new login_required_error_js_1.LoginRequiredError(parameters, 'Account authentication required.');
+                }
+                const redirect = await this.requestManager.setAuthorized(client, uri, deviceId, account, info);
+                await this.accountManager.addAuthorizedClient(deviceId, account, client, clientAuth);
+                return { issuer, client, parameters, redirect };
+            }
+            catch (err) {
+                await this.deleteRequest(uri, parameters);
+                // throw AccessDeniedError.from(parameters, err)
+                throw err;
+            }
+        }
+        catch (err) {
+            if (err instanceof access_denied_error_js_1.AccessDeniedError) {
+                const { parameters } = err;
+                return { issuer, client, parameters, redirect: err.toJSON() };
+            }
+            throw err;
+        }
+    }
+    async rejectRequest(deviceId, uri, clientId) {
+        try {
+            const { parameters } = await this.requestManager.get(uri, clientId, deviceId);
+            await this.deleteRequest(uri, parameters);
+            // Trigger redirect (see catch block)
+            throw new access_denied_error_js_1.AccessDeniedError(parameters, 'Access denied');
+        }
+        catch (err) {
+            if (err instanceof access_denied_error_js_1.AccessDeniedError) {
+                return {
+                    issuer: this.issuer,
+                    client: await this.clientManager.getClient(clientId),
+                    parameters: err.parameters,
+                    redirect: err.toJSON(),
+                };
+            }
+            throw err;
+        }
+    }
+    async token(input, dpopJkt) {
+        const client = await this.clientManager.getClient(input.client_id);
+        const clientAuth = await this.authenticateClient(client, 'token', input);
+        if (!client.metadata.grant_types.includes(input.grant_type)) {
+            throw new invalid_grant_error_js_1.InvalidGrantError(`"${input.grant_type}" grant type is not allowed for this client`);
+        }
+        if (input.grant_type === 'authorization_code') {
+            return this.codeGrant(client, clientAuth, input, dpopJkt);
+        }
+        if (input.grant_type === 'refresh_token') {
+            return this.refreshTokenGrant(client, clientAuth, input, dpopJkt);
+        }
+        throw new invalid_grant_error_js_1.InvalidGrantError(
+        // @ts-expect-error: fool proof
+        `Grant type "${input.grant_type}" not supported`);
+    }
+    async codeGrant(client, clientAuth, input, dpopJkt) {
+        try {
+            const { sub, deviceId, parameters } = await this.requestManager.findCode(client, clientAuth, input.code);
+            const { account, info } = await this.accountManager.get(deviceId, sub);
+            return await this.tokenManager.create(client, clientAuth, account, { id: deviceId, info }, parameters, input, dpopJkt);
+        }
+        catch (err) {
+            // If a token is replayed, requestManager.findCode will throw. In that
+            // case, we need to revoke any token that was issued for this code.
+            await this.tokenManager.revoke(input.code);
+            // @TODO (?) in order to protect the user, we should maybe also mark the
+            // account-device association as expired ?
+            throw err;
+        }
+    }
+    async refreshTokenGrant(client, clientAuth, input, dpopJkt) {
+        return this.tokenManager.refresh(client, clientAuth, input, dpopJkt);
+    }
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 rfc7009}
+     */
+    async revoke(input) {
+        // @TODO this should also remove the account-device association (or, at
+        // least, mark it as expired)
+        await this.tokenManager.revoke(input.token);
+    }
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7662#section-2.1 rfc7662}
+     */
+    async introspect(input) {
+        const client = await this.clientManager.getClient(input.client_id);
+        const clientAuth = await this.authenticateClient(client, 'introspection', input);
+        // RFC7662 states the following:
+        //
+        // > To prevent token scanning attacks, the endpoint MUST also require some
+        // > form of authorization to access this endpoint, such as client
+        // > authentication as described in OAuth 2.0 [RFC6749] or a separate OAuth
+        // > 2.0 access token such as the bearer token described in OAuth 2.0 Bearer
+        // > Token Usage [RFC6750]. The methods of managing and validating these
+        // > authentication credentials are out of scope of this specification.
+        if (clientAuth.method === 'none') {
+            throw new unauthorized_client_error_js_1.UnauthorizedClientError('Client authentication required');
+        }
+        const start = Date.now();
+        try {
+            const tokenInfo = await this.tokenManager.clientTokenInfo(client, clientAuth, input.token);
+            return {
+                active: true,
+                scope: tokenInfo.data.parameters.scope,
+                client_id: tokenInfo.data.clientId,
+                username: tokenInfo.account.preferred_username,
+                token_type: tokenInfo.data.parameters.dpop_jkt ? 'DPoP' : 'Bearer',
+                authorization_details: tokenInfo.data.details ?? undefined,
+                aud: tokenInfo.account.aud,
+                exp: (0, date_js_1.dateToEpoch)(tokenInfo.data.expiresAt),
+                iat: (0, date_js_1.dateToEpoch)(tokenInfo.data.updatedAt),
+                iss: this.signer.issuer,
+                jti: tokenInfo.id,
+                sub: tokenInfo.account.sub,
+            };
+        }
+        catch (err) {
+            // Prevent brute force & timing attack (only for inactive tokens)
+            await new Promise((r) => setTimeout(r, 750 - (Date.now() - start)));
+            return {
+                active: false,
+            };
+        }
+    }
+    /**
+     * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.3.2 Successful UserInfo Response}
+     */
+    async userinfo({ data, account }) {
+        return {
+            ...(0, oidc_payload_js_1.oidcPayload)(data.parameters, account),
+            sub: account.sub,
+            client_id: data.clientId,
+            username: account.preferred_username,
+        };
+    }
+    async signUserinfo(userinfo) {
+        const client = await this.clientManager.getClient(userinfo.client_id);
+        return this.signer.sign({
+            alg: client.metadata.userinfo_signed_response_alg,
+            typ: 'JWT',
+        }, userinfo);
+    }
+    async authenticateToken(tokenType, token, dpopJkt, verifyOptions) {
+        if ((0, token_id_js_1.isTokenId)(token)) {
+            this.assertTokenTypeAllowed(tokenType, access_token_type_js_1.AccessTokenType.id);
+            return this.tokenManager.authenticateTokenId(tokenType, token, dpopJkt, verifyOptions);
+        }
+        return super.authenticateToken(tokenType, token, dpopJkt, verifyOptions);
+    }
+    /**
+     * @returns An http request handler that can be used with node's http server
+     * or as a middleware with express / connect.
+     */
+    httpHandler(options) {
+        const router = this.buildRouter(options);
+        return router.buildHandler();
+    }
+    buildRouter({ onError = process.env['NODE_ENV'] === 'development'
+        ? (req, res, err, msg) => console.error(`OAuthProvider error (${msg}):`, err)
+        : undefined, } = {}) {
+        const deviceManager = new device_manager_js_1.DeviceManager(this.deviceStore);
+        // eslint-disable-next-line @typescript-eslint/no-this-alias
+        const server = this;
+        const issuerUrl = new URL(server.issuer);
+        const issuerOrigin = issuerUrl.origin;
+        const router = new index_js_1.Router(issuerUrl);
+        // Utils
+        const csrfCookie = (uri) => `csrf-${uri}`;
+        /**
+         * Creates a middleware that will serve static JSON content.
+         */
+        const staticJson = (json) => (0, index_js_1.combineMiddlewares)([
+            function (req, res, next) {
+                res.setHeader('Access-Control-Allow-Origin', '*');
+                res.setHeader('Cache-Control', 'max-age=300');
+                next();
+            },
+            (0, index_js_1.staticJsonHandler)(json),
+        ]);
+        /**
+         * Wrap an OAuth endpoint in a middleware that will set the appropriate
+         * response headers and format the response as JSON.
+         */
+        const dynamicJson = (buildJson, status) => async function (req, res) {
+            res.setHeader('Access-Control-Allow-Origin', '*');
+            // https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1
+            res.setHeader('Cache-Control', 'no-store');
+            res.setHeader('Pragma', 'no-cache');
+            // https://datatracker.ietf.org/doc/html/rfc9449#section-8.2
+            const dpopNonce = server.nextDpopNonce();
+            if (dpopNonce) {
+                const name = 'DPoP-Nonce';
+                res.setHeader(name, dpopNonce);
+                res.appendHeader('Access-Control-Expose-Headers', name);
+            }
+            try {
+                const result = await buildJson.call(this, req, res);
+                if (result !== undefined)
+                    (0, index_js_1.writeJson)(res, result, status);
+                else if (!res.headersSent)
+                    res.writeHead(status ?? 204).end();
+            }
+            catch (err) {
+                if (!res.headersSent) {
+                    if (err instanceof www_authenticate_error_js_1.WWWAuthenticateError) {
+                        const name = 'WWW-Authenticate';
+                        res.setHeader(name, err.wwwAuthenticateHeader);
+                        res.appendHeader('Access-Control-Expose-Headers', name);
+                    }
+                    (0, index_js_1.writeJson)(res, (0, build_error_payload_js_1.buildErrorPayload)(err), (0, build_error_payload_js_1.buildErrorStatus)(err));
+                }
+                else {
+                    res.destroy();
+                }
+                // OAuthError are used to build expected responses, so we don't log
+                // them as errors.
+                if (!(err instanceof oauth_error_js_1.OAuthError) || err.statusCode >= 500) {
+                    await onError?.(req, res, err, 'Unexpected error');
+                }
+            }
+        };
+        //- Public OAuth endpoints
+        /*
+         * Although OpenID compatibility is not required to implement the Atproto
+         * OAuth2 specification, we do support OIDC discovery in this
+         * implementation as we believe this may:
+         * 1) Make the implementation of Atproto clients easier (since lots of
+         *    libraries support OIDC discovery)
+         * 2) Allow self hosted PDS' to not implement authentication themselves
+         *    but rely on a trusted Atproto actor to act as their OIDC providers.
+         *    By supporting OIDC in the current implementation, Bluesky's
+         *    Authorization Server server can be used as an OIDC provider for
+         *    these users.
+         */
+        router.get('/.well-known/openid-configuration', staticJson(server.metadata));
+        router.get('/.well-known/oauth-authorization-server', staticJson(server.metadata));
+        // CORS preflight
+        router.options(/^\/oauth\/(?<endpoint>jwks|par|token|revoke|introspect|userinfo)$/, function (req, res, _next) {
+            res
+                .writeHead(204, {
+                'Access-Control-Allow-Origin': req.headers['origin'] || '*',
+                'Access-Control-Allow-Methods': this.params.endpoint === 'jwks' ? 'GET' : 'POST',
+                'Access-Control-Allow-Headers': 'Content-Type,Authorization,DPoP',
+                'Access-Control-Max-Age': '86400', // 1 day
+            })
+                .end();
+        });
+        router.get('/oauth/jwks', staticJson(server.jwks));
+        router.post('/oauth/par', dynamicJson(async function (req, _res) {
+            const input = await (0, index_js_1.validateRequestPayload)(req, types_js_1.pushedAuthorizationRequestSchema);
+            const dpopJkt = await server.checkDpopProof(req.headers['dpop'], req.method, this.url);
+            return server.pushedAuthorizationRequest(input, dpopJkt);
+        }, 201));
+        // https://datatracker.ietf.org/doc/html/rfc9126#section-2.3
+        router.addRoute('*', '/oauth/par', (req, res) => {
+            res.writeHead(405).end();
+        });
+        router.post('/oauth/token', dynamicJson(async function (req, _res) {
+            const input = await (0, index_js_1.validateRequestPayload)(req, types_js_2.tokenRequestSchema);
+            const dpopJkt = await server.checkDpopProof(req.headers['dpop'], req.method, this.url);
+            return server.token(input, dpopJkt);
+        }));
+        router.post('/oauth/revoke', dynamicJson(async function (req, res) {
+            const input = await (0, index_js_1.validateRequestPayload)(req, types_js_2.revokeSchema);
+            try {
+                await server.revoke(input);
+            }
+            catch (err) {
+                onError?.(req, res, err, 'Failed to revoke token');
+            }
+        }));
+        router.get('/oauth/revoke', dynamicJson(async function (req, res) {
+            (0, index_js_1.validateFetchMode)(req, res, ['navigate']);
+            (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
+            const query = Object.fromEntries(this.url.searchParams);
+            const input = types_js_2.revokeSchema.parse(query, { path: ['query'] });
+            try {
+                await server.revoke(input);
+            }
+            catch (err) {
+                onError?.(req, res, err, 'Failed to revoke token');
+            }
+            // Same as POST + redirect to callback URL
+            // todo: generate JSONP response (if "callback" is provided)
+            throw new Error('You are successfully logged out. Redirect not implemented');
+        }));
+        router.post('/oauth/introspect', dynamicJson(async function (req, _res) {
+            const input = await (0, index_js_1.validateRequestPayload)(req, types_js_2.introspectSchema);
+            return server.introspect(input);
+        }));
+        const userinfoBodySchema = zod_1.z.object({
+            access_token: jwk_1.signedJwtSchema.optional(),
+        });
+        router.addRoute(['GET', 'POST'], '/oauth/userinfo', (0, index_js_1.acceptMiddleware)(async function (req, _res) {
+            const body = req.method === 'POST'
+                ? await (0, index_js_1.validateRequestPayload)(req, userinfoBodySchema)
+                : null;
+            if (body?.access_token && req.headers['authorization']) {
+                throw new invalid_request_error_js_1.InvalidRequestError('access token must be provided in either the authorization header or the request body');
+            }
+            const auth = await server.authenticateRequest(req.method, this.url, body?.access_token // Allow credentials to be parsed from body.
+                ? {
+                    authorization: `Bearer ${body.access_token}`,
+                    dpop: undefined, // DPoP can only be used with headers
+                }
+                : req.headers, {
+                scope: ['profile'],
+            });
+            const tokenInfo = 'tokenInfo' in auth
+                ? auth.tokenInfo
+                : await server.tokenManager.getTokenInfo(auth.tokenType, auth.tokenId);
+            return server.userinfo(tokenInfo);
+        }, {
+            '': 'application/json',
+            'application/json': dynamicJson(async function (_req, _res) {
+                return this.data;
+            }),
+            'application/jwt': dynamicJson(async function (_req, res) {
+                const jwt = await server.signUserinfo(this.data);
+                res.writeHead(200, { 'Content-Type': 'application/jwt' }).end(jwt);
+                return undefined;
+            }),
+        }));
+        //- Private authorization endpoints
+        router.use((0, assets_middleware_js_1.authorizeAssetsMiddleware)());
+        router.get('/oauth/authorize', async function (req, res) {
+            try {
+                res.setHeader('Cache-Control', 'no-store');
+                (0, index_js_1.validateFetchMode)(req, res, ['navigate']);
+                (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
+                const query = Object.fromEntries(this.url.searchParams);
+                const input = await types_js_1.authorizationRequestQuerySchema.parseAsync(query, {
+                    path: ['query'],
+                });
+                const { deviceId } = await deviceManager.load(req, res);
+                const data = await server.authorize(deviceId, input);
+                switch (true) {
+                    case 'redirect' in data: {
+                        return await (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, data);
+                    }
+                    case 'authorize' in data: {
+                        await (0, index_js_1.setupCsrfToken)(req, res, csrfCookie(data.authorize.uri));
+                        return await (0, send_authorize_page_js_1.sendAuthorizePage)(res, data, server.customization);
+                    }
+                    default: {
+                        // Should never happen
+                        throw new Error('Unexpected authorization result');
+                    }
+                }
+            }
+            catch (err) {
+                await onError?.(req, res, err, 'Failed to setup authorize');
+                if (!res.headersSent) {
+                    await (0, send_error_page_js_1.sendErrorPage)(res, err, server.customization);
+                }
+            }
+        });
+        const signInPayloadSchema = zod_1.z.object({
+            csrf_token: zod_1.z.string(),
+            request_uri: request_uri_js_1.requestUriSchema,
+            client_id: client_id_js_1.clientIdSchema,
+            credentials: zod_1.z.object({
+                username: zod_1.z.string(),
+                password: zod_1.z.string(),
+                remember: zod_1.z.boolean().optional().default(false),
+            }),
+        });
+        router.post('/oauth/authorize/sign-in', async function (req, res) {
+            (0, index_js_1.validateFetchMode)(req, res, ['same-origin']);
+            (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
+            const input = await (0, index_js_1.validateRequestPayload)(req, signInPayloadSchema);
+            (0, index_js_1.validateReferer)(req, res, {
+                origin: issuerOrigin,
+                pathname: '/oauth/authorize',
+            });
+            (0, index_js_1.validateCsrfToken)(req, res, input.csrf_token, csrfCookie(input.request_uri));
+            const { deviceId } = await deviceManager.load(req, res);
+            const { account, info } = await server.signIn(deviceId, input.credentials);
+            // Prevent fixation attacks
+            await deviceManager.rotate(req, res, deviceId);
+            return (0, index_js_1.writeJson)(res, {
+                account,
+                consentRequired: !info.authorizedClients.includes(input.client_id),
+            });
+        });
+        const acceptQuerySchema = zod_1.z.object({
+            csrf_token: zod_1.z.string(),
+            request_uri: request_uri_js_1.requestUriSchema,
+            client_id: client_id_js_1.clientIdSchema,
+            account_sub: zod_1.z.string(),
+        });
+        router.get('/oauth/authorize/accept', async function (req, res) {
+            try {
+                res.setHeader('Cache-Control', 'no-store');
+                (0, index_js_1.validateFetchMode)(req, res, ['navigate']);
+                (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
+                const query = Object.fromEntries(this.url.searchParams);
+                const input = await acceptQuerySchema.parseAsync(query, {
+                    path: ['query'],
+                });
+                (0, index_js_1.validateReferer)(req, res, {
+                    origin: issuerOrigin,
+                    pathname: '/oauth/authorize',
+                    searchParams: [
+                        ['request_uri', input.request_uri],
+                        ['client_id', input.client_id],
+                    ],
+                });
+                (0, index_js_1.validateCsrfToken)(req, res, input.csrf_token, csrfCookie(input.request_uri), true);
+                const { deviceId } = await deviceManager.load(req, res);
+                const data = await server.acceptRequest(deviceId, input.request_uri, input.client_id, input.account_sub);
+                return await (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, data);
+            }
+            catch (err) {
+                await onError?.(req, res, err, 'Failed to accept authorization request');
+                if (!res.headersSent) {
+                    await (0, send_error_page_js_1.sendErrorPage)(res, err, server.customization);
+                }
+            }
+        });
+        const rejectQuerySchema = zod_1.z.object({
+            csrf_token: zod_1.z.string(),
+            request_uri: request_uri_js_1.requestUriSchema,
+            client_id: client_id_js_1.clientIdSchema,
+        });
+        router.get('/oauth/authorize/reject', async function (req, res) {
+            try {
+                res.setHeader('Cache-Control', 'no-store');
+                (0, index_js_1.validateFetchMode)(req, res, ['navigate']);
+                (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
+                const query = Object.fromEntries(this.url.searchParams);
+                const input = await rejectQuerySchema.parseAsync(query, {
+                    path: ['query'],
+                });
+                (0, index_js_1.validateReferer)(req, res, {
+                    origin: issuerOrigin,
+                    pathname: '/oauth/authorize',
+                    searchParams: [
+                        ['request_uri', input.request_uri],
+                        ['client_id', input.client_id],
+                    ],
+                });
+                (0, index_js_1.validateCsrfToken)(req, res, input.csrf_token, csrfCookie(input.request_uri), true);
+                const { deviceId } = await deviceManager.load(req, res);
+                const data = await server.rejectRequest(deviceId, input.request_uri, input.client_id);
+                return await (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, data);
+            }
+            catch (err) {
+                await onError?.(req, res, err, 'Failed to reject authorization request');
+                if (!res.headersSent) {
+                    await (0, send_error_page_js_1.sendErrorPage)(res, err, server.customization);
+                }
+            }
+        });
+        return router;
+    }
+}
+exports.OAuthProvider = OAuthProvider;
+//# sourceMappingURL=oauth-provider.js.map