@atproto/oauth-provider 0.1.0

package/dist/request/request-store-redis.d.ts

@@ -0,0 +1,24 @@
+import { Redis } from 'ioredis';
+import { CreateRedisOptions } from '../lib/redis.js';
+import { Code } from './code.js';
+import { RequestData } from './request-data.js';
+import { RequestId } from './request-id.js';
+import { RequestStore } from './request-store.js';
+export type { Redis, CreateRedisOptions };
+export type ReplayStoreRedisOptions = {
+    redis: CreateRedisOptions;
+};
+export declare class RequestStoreRedis implements RequestStore {
+    private readonly redis;
+    constructor(options: ReplayStoreRedisOptions);
+    readRequest(id: RequestId): Promise<RequestData | null>;
+    createRequest(id: RequestId, data: RequestData): Promise<void>;
+    updateRequest(id: RequestId, data: Partial<RequestData>): Promise<void>;
+    deleteRequest(id: RequestId): Promise<void>;
+    private findRequestIdByCode;
+    findRequestByCode(code: Code): Promise<{
+        id: RequestId;
+        data: RequestData;
+    } | null>;
+}
+//# sourceMappingURL=request-store-redis.d.ts.map

package/dist/request/request-store-redis.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-store-redis.d.ts","sourceRoot":"","sources":["../../src/request/request-store-redis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAA;AAC/B,OAAO,EAAE,kBAAkB,EAAe,MAAM,iBAAiB,CAAA;AACjE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAChC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,SAAS,EAAmB,MAAM,iBAAiB,CAAA;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAEjD,YAAY,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAA;AAEzC,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,EAAE,kBAAkB,CAAA;CAC1B,CAAA;AAED,qBAAa,iBAAkB,YAAW,YAAY;IACpD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAO;gBAEjB,OAAO,EAAE,uBAAuB;IAItC,WAAW,CAAC,EAAE,EAAE,SAAS,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAKvD,aAAa,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAM9D,aAAa,CACjB,EAAE,EAAE,SAAS,EACb,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,GACzB,OAAO,CAAC,IAAI,CAAC;IAQV,aAAa,CAAC,EAAE,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;YAOnC,mBAAmB;IAU3B,iBAAiB,CACrB,IAAI,EAAE,IAAI,GACT,OAAO,CAAC;QAAE,EAAE,EAAE,SAAS,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,GAAG,IAAI,CAAC;CASxD"}

package/dist/request/request-store-redis.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RequestStoreRedis = void 0;
+const redis_js_1 = require("../lib/redis.js");
+const request_id_js_1 = require("./request-id.js");
+class RequestStoreRedis {
+    redis;
+    constructor(options) {
+        this.redis = (0, redis_js_1.createRedis)(options.redis);
+    }
+    async readRequest(id) {
+        const data = await this.redis.get(id);
+        return data ? JSON.parse(data) : null;
+    }
+    async createRequest(id, data) {
+        const timeFrame = data.expiresAt.getTime() - Date.now();
+        await this.redis.set(id, JSON.stringify(data), 'PX', timeFrame);
+        if (data.code)
+            await this.redis.set(data.code, id, 'PX', timeFrame);
+    }
+    async updateRequest(id, data) {
+        const current = await this.readRequest(id);
+        if (!current)
+            throw new Error('Request not found');
+        if (current.code)
+            await this.redis.del(current.code);
+        const newData = { ...current, ...data };
+        await this.createRequest(id, newData);
+    }
+    async deleteRequest(id) {
+        const data = await this.readRequest(id);
+        if (!data)
+            return;
+        if (data.code)
+            await this.redis.del(data.code);
+        await this.redis.del(id);
+    }
+    async findRequestIdByCode(code) {
+        const value = await this.redis.get(code);
+        if (!value)
+            return null;
+        const parsed = request_id_js_1.requestIdSchema.safeParse(value);
+        if (!parsed.success)
+            return null;
+        return parsed.data;
+    }
+    async findRequestByCode(code) {
+        const id = await this.findRequestIdByCode(code);
+        if (!id)
+            return null;
+        const data = await this.readRequest(id);
+        if (!data)
+            return null;
+        return { id, data };
+    }
+}
+exports.RequestStoreRedis = RequestStoreRedis;
+//# sourceMappingURL=request-store-redis.js.map

package/dist/request/request-store-redis.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-store-redis.js","sourceRoot":"","sources":["../../src/request/request-store-redis.ts"],"names":[],"mappings":";;;AACA,8CAAiE;AAGjE,mDAA4D;AAS5D,MAAa,iBAAiB;IACX,KAAK,CAAO;IAE7B,YAAY,OAAgC;QAC1C,IAAI,CAAC,KAAK,GAAG,IAAA,sBAAW,EAAC,OAAO,CAAC,KAAK,CAAC,CAAA;IACzC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,EAAa;QAC7B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QACrC,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACvC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,EAAa,EAAE,IAAiB;QAClD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACvD,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,CAAC,CAAA;QAC/D,IAAI,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,CAAC,CAAA;IACrE,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,EAAa,EACb,IAA0B;QAE1B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;QAC1C,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAClD,IAAI,OAAO,CAAC,IAAI;YAAE,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;QACpD,MAAM,OAAO,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,IAAI,EAAE,CAAA;QACvC,MAAM,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,OAAO,CAAC,CAAA;IACvC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,EAAa;QAC/B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;QACvC,IAAI,CAAC,IAAI;YAAE,OAAM;QACjB,IAAI,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC9C,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAC1B,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAAC,IAAU;QAC1C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QACxC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QAEvB,MAAM,MAAM,GAAG,+BAAe,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAC/C,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QAEhC,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,IAAU;QAEV,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAA;QAC/C,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAA;QAEpB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;QACvC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAA;QAEtB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;IACrB,CAAC;CACF;AAzDD,8CAyDC"}

package/dist/request/request-store.d.ts

@@ -0,0 +1,27 @@
+import { Awaitable } from '../lib/util/type.js';
+import { Code } from './code.js';
+import { RequestData } from './request-data.js';
+import { RequestId } from './request-id.js';
+export * from './code.js';
+export * from './request-id.js';
+export * from './request-data.js';
+export type { Awaitable };
+export type UpdateRequestData = Pick<Partial<RequestData>, 'sub' | 'code' | 'deviceId' | 'expiresAt'>;
+export type FoundRequestResult = {
+    id: RequestId;
+    data: RequestData;
+};
+export interface RequestStore {
+    createRequest(id: RequestId, data: RequestData): Awaitable<void>;
+    /**
+     * Note that expired requests **can** be returned to yield a different error
+     * message than if the request was not found.
+     */
+    readRequest(id: RequestId): Awaitable<RequestData | null>;
+    updateRequest(id: RequestId, data: UpdateRequestData): Awaitable<void>;
+    deleteRequest(id: RequestId): void | Awaitable<void>;
+    findRequestByCode(code: Code): Awaitable<FoundRequestResult | null>;
+}
+export declare function isRequestStore(implementation: Record<string, unknown> & Partial<RequestStore>): implementation is Record<string, unknown> & RequestStore;
+export declare function ifRequestStore(implementation?: Record<string, unknown> & Partial<RequestStore>): RequestStore | undefined;
+//# sourceMappingURL=request-store.d.ts.map

package/dist/request/request-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-store.d.ts","sourceRoot":"","sources":["../../src/request/request-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAA;AAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAChC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAG3C,cAAc,WAAW,CAAA;AACzB,cAAc,iBAAiB,CAAA;AAC/B,cAAc,mBAAmB,CAAA;AACjC,YAAY,EAAE,SAAS,EAAE,CAAA;AAEzB,MAAM,MAAM,iBAAiB,GAAG,IAAI,CAClC,OAAO,CAAC,WAAW,CAAC,EACpB,KAAK,GAAG,MAAM,GAAG,UAAU,GAAG,WAAW,CAC1C,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAC/B,EAAE,EAAE,SAAS,CAAA;IACb,IAAI,EAAE,WAAW,CAAA;CAClB,CAAA;AAED,MAAM,WAAW,YAAY;IAC3B,aAAa,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAChE;;;OAGG;IACH,WAAW,CAAC,EAAE,EAAE,SAAS,GAAG,SAAS,CAAC,WAAW,GAAG,IAAI,CAAC,CAAA;IACzD,aAAa,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,iBAAiB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IACtE,aAAa,CAAC,EAAE,EAAE,SAAS,GAAG,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IACpD,iBAAiB,CAAC,IAAI,EAAE,IAAI,GAAG,SAAS,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAA;CACpE;AAED,wBAAgB,cAAc,CAC5B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,GAC9D,cAAc,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,YAAY,CAQ1D;AAED,wBAAgB,cAAc,CAC5B,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,GAC/D,YAAY,GAAG,SAAS,CAM1B"}

package/dist/request/request-store.js

@@ -0,0 +1,37 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ifRequestStore = exports.isRequestStore = void 0;
+// Export all types needed to implement the RequestStore interface
+__exportStar(require("./code.js"), exports);
+__exportStar(require("./request-id.js"), exports);
+__exportStar(require("./request-data.js"), exports);
+function isRequestStore(implementation) {
+    return (typeof implementation.createRequest === 'function' &&
+        typeof implementation.readRequest === 'function' &&
+        typeof implementation.updateRequest === 'function' &&
+        typeof implementation.deleteRequest === 'function' &&
+        typeof implementation.findRequestByCode === 'function');
+}
+exports.isRequestStore = isRequestStore;
+function ifRequestStore(implementation) {
+    if (implementation && isRequestStore(implementation)) {
+        return implementation;
+    }
+    return undefined;
+}
+exports.ifRequestStore = ifRequestStore;
+//# sourceMappingURL=request-store.js.map

package/dist/request/request-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-store.js","sourceRoot":"","sources":["../../src/request/request-store.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAKA,kEAAkE;AAClE,4CAAyB;AACzB,kDAA+B;AAC/B,oDAAiC;AAyBjC,SAAgB,cAAc,CAC5B,cAA+D;IAE/D,OAAO,CACL,OAAO,cAAc,CAAC,aAAa,KAAK,UAAU;QAClD,OAAO,cAAc,CAAC,WAAW,KAAK,UAAU;QAChD,OAAO,cAAc,CAAC,aAAa,KAAK,UAAU;QAClD,OAAO,cAAc,CAAC,aAAa,KAAK,UAAU;QAClD,OAAO,cAAc,CAAC,iBAAiB,KAAK,UAAU,CACvD,CAAA;AACH,CAAC;AAVD,wCAUC;AAED,SAAgB,cAAc,CAC5B,cAAgE;IAEhE,IAAI,cAAc,IAAI,cAAc,CAAC,cAAc,CAAC,EAAE,CAAC;QACrD,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AARD,wCAQC"}

package/dist/request/request-uri.d.ts

@@ -0,0 +1,8 @@
+import { z } from 'zod';
+import { RequestId } from './request-id.js';
+export declare const REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:";
+export declare const requestUriSchema: z.ZodEffects<z.ZodString, `urn:ietf:params:oauth:request_uri:req-${string}`, string>;
+export type RequestUri = z.infer<typeof requestUriSchema>;
+export declare function encodeRequestUri(requestId: RequestId): RequestUri;
+export declare function decodeRequestUri(requestUri: RequestUri): RequestId;
+//# sourceMappingURL=request-uri.d.ts.map

package/dist/request/request-uri.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-uri.d.ts","sourceRoot":"","sources":["../../src/request/request-uri.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,EAAE,SAAS,EAAmB,MAAM,iBAAiB,CAAA;AAE5D,eAAO,MAAM,kBAAkB,uCAAuC,CAAA;AAEtE,eAAO,MAAM,gBAAgB,sFAW1B,CAAA;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,SAAS,GAAG,UAAU,CAEjE;AAED,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,UAAU,GAAG,SAAS,CAGlE"}

package/dist/request/request-uri.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.decodeRequestUri = exports.encodeRequestUri = exports.requestUriSchema = exports.REQUEST_URI_PREFIX = void 0;
+const zod_1 = require("zod");
+const request_id_js_1 = require("./request-id.js");
+exports.REQUEST_URI_PREFIX = 'urn:ietf:params:oauth:request_uri:';
+exports.requestUriSchema = zod_1.z
+    .string()
+    .url()
+    .refinement((data) => data.startsWith(exports.REQUEST_URI_PREFIX) &&
+    request_id_js_1.requestIdSchema.safeParse(decodeRequestUri(data)).success, {
+    code: zod_1.z.ZodIssueCode.custom,
+    message: 'Invalid request_uri format',
+});
+function encodeRequestUri(requestId) {
+    return `${exports.REQUEST_URI_PREFIX}${encodeURIComponent(requestId)}`;
+}
+exports.encodeRequestUri = encodeRequestUri;
+function decodeRequestUri(requestUri) {
+    const requestIdEnc = requestUri.slice(exports.REQUEST_URI_PREFIX.length);
+    return decodeURIComponent(requestIdEnc);
+}
+exports.decodeRequestUri = decodeRequestUri;
+//# sourceMappingURL=request-uri.js.map

package/dist/request/request-uri.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-uri.js","sourceRoot":"","sources":["../../src/request/request-uri.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,mDAA4D;AAE/C,QAAA,kBAAkB,GAAG,oCAAoC,CAAA;AAEzD,QAAA,gBAAgB,GAAG,OAAC;KAC9B,MAAM,EAAE;KACR,GAAG,EAAE;KACL,UAAU,CACT,CAAC,IAAI,EAAsD,EAAE,CAC3D,IAAI,CAAC,UAAU,CAAC,0BAAkB,CAAC;IACnC,+BAAe,CAAC,SAAS,CAAC,gBAAgB,CAAC,IAAW,CAAC,CAAC,CAAC,OAAO,EAClE;IACE,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;IAC3B,OAAO,EAAE,4BAA4B;CACtC,CACF,CAAA;AAIH,SAAgB,gBAAgB,CAAC,SAAoB;IACnD,OAAO,GAAG,0BAAkB,GAAG,kBAAkB,CAAC,SAAS,CAAc,EAAE,CAAA;AAC7E,CAAC;AAFD,4CAEC;AAED,SAAgB,gBAAgB,CAAC,UAAsB;IACrD,MAAM,YAAY,GAAG,UAAU,CAAC,KAAK,CAAC,0BAAkB,CAAC,MAAM,CAAC,CAAA;IAChE,OAAO,kBAAkB,CAAC,YAAY,CAAc,CAAA;AACtD,CAAC;AAHD,4CAGC"}

package/dist/request/types.d.ts

@@ -0,0 +1,328 @@
+import { z } from 'zod';
+export declare const authorizationRequestJarSchema: z.ZodObject<{
+    /**
+     * AuthorizationRequest inside a JWT:
+     * - "iat" is required and **MUST** be less than one minute
+     *
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc9101}
+     */
+    request: z.ZodUnion<[z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>, z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}`, string>]>;
+}, "strip", z.ZodTypeAny, {
+    request: `${string}.${string}.${string}` | `${string}.${string}`;
+}, {
+    request: string;
+}>;
+export type AuthorizationRequestJar = z.infer<typeof authorizationRequestJarSchema>;
+export declare const pushedAuthorizationRequestSchema: z.ZodIntersection<z.ZodUnion<[z.ZodUnion<[z.ZodObject<{
+    client_id: z.ZodString;
+    client_assertion_type: z.ZodLiteral<"urn:ietf:params:oauth:client-assertion-type:jwt-bearer">;
+    client_assertion: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: `${string}.${string}.${string}`;
+}, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: string;
+}>, z.ZodObject<{
+    client_id: z.ZodString;
+    client_secret: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_secret: string;
+}, {
+    client_id: string;
+    client_secret: string;
+}>]>, z.ZodObject<{
+    client_id: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+}, {
+    client_id: string;
+}>]>, z.ZodUnion<[z.ZodObject<{
+    client_id: z.ZodString;
+    state: z.ZodOptional<z.ZodString>;
+    nonce: z.ZodOptional<z.ZodString>;
+    dpop_jkt: z.ZodOptional<z.ZodString>;
+    response_type: z.ZodEnum<["code", "token", "id_token", "none", "code token", "code id_token", "id_token token", "code id_token token"]>;
+    response_mode: z.ZodOptional<z.ZodEnum<["query", "fragment", "form_post"]>>;
+    code_challenge: z.ZodOptional<z.ZodString>;
+    code_challenge_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<["S256", "plain"]>>>;
+    redirect_uri: z.ZodOptional<z.ZodString>;
+    scope: z.ZodOptional<z.ZodString>;
+    max_age: z.ZodOptional<z.ZodNumber>;
+    claims: z.ZodOptional<z.ZodRecord<z.ZodEnum<["userinfo", "id_token"]>, z.ZodRecord<z.ZodEnum<["auth_time", "nonce", "acr", "name", "family_name", "given_name", "middle_name", "nickname", "preferred_username", "gender", "picture", "profile", "website", "birthdate", "zoneinfo", "locale", "updated_at", "email", "email_verified", "phone_number", "phone_number_verified", "address"]>, z.ZodUnion<[z.ZodLiteral<null>, z.ZodObject<{
+        essential: z.ZodOptional<z.ZodBoolean>;
+        value: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodNumber, z.ZodBoolean]>>;
+        values: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodNumber, z.ZodBoolean]>, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        values?: (string | number | boolean)[] | undefined;
+        value?: string | number | boolean | undefined;
+        essential?: boolean | undefined;
+    }, {
+        values?: (string | number | boolean)[] | undefined;
+        value?: string | number | boolean | undefined;
+        essential?: boolean | undefined;
+    }>]>>>>;
+    login_hint: z.ZodOptional<z.ZodString>;
+    ui_locales: z.ZodOptional<z.ZodString>;
+    id_token_hint: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
+    display: z.ZodOptional<z.ZodEnum<["page", "popup", "touch"]>>;
+    prompt: z.ZodOptional<z.ZodEnum<["none", "login", "consent", "select_account"]>>;
+    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }>, "many">>;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    response_type: "none" | "token" | "code" | "id_token" | "code id_token token" | "code id_token" | "code token" | "id_token token";
+    scope?: string | undefined;
+    redirect_uri?: string | undefined;
+    nonce?: string | undefined;
+    state?: string | undefined;
+    dpop_jkt?: string | undefined;
+    response_mode?: "query" | "fragment" | "form_post" | undefined;
+    code_challenge?: string | undefined;
+    code_challenge_method?: "S256" | "plain" | undefined;
+    max_age?: number | undefined;
+    claims?: Partial<Record<"id_token" | "userinfo", Partial<Record<"nonce" | "name" | "email" | "email_verified" | "phone_number" | "phone_number_verified" | "address" | "profile" | "family_name" | "given_name" | "middle_name" | "nickname" | "preferred_username" | "gender" | "picture" | "website" | "birthdate" | "zoneinfo" | "locale" | "updated_at" | "acr" | "auth_time", {
+        values?: (string | number | boolean)[] | undefined;
+        value?: string | number | boolean | undefined;
+        essential?: boolean | undefined;
+    } | null>>>> | undefined;
+    login_hint?: string | undefined;
+    ui_locales?: string | undefined;
+    id_token_hint?: `${string}.${string}.${string}` | undefined;
+    display?: "page" | "popup" | "touch" | undefined;
+    prompt?: "none" | "login" | "consent" | "select_account" | undefined;
+    authorization_details?: {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }[] | undefined;
+}, {
+    client_id: string;
+    response_type: "none" | "token" | "code" | "id_token" | "code id_token token" | "code id_token" | "code token" | "id_token token";
+    scope?: string | undefined;
+    redirect_uri?: string | undefined;
+    nonce?: string | undefined;
+    state?: string | undefined;
+    dpop_jkt?: string | undefined;
+    response_mode?: "query" | "fragment" | "form_post" | undefined;
+    code_challenge?: string | undefined;
+    code_challenge_method?: "S256" | "plain" | undefined;
+    max_age?: number | undefined;
+    claims?: Partial<Record<"id_token" | "userinfo", Partial<Record<"nonce" | "name" | "email" | "email_verified" | "phone_number" | "phone_number_verified" | "address" | "profile" | "family_name" | "given_name" | "middle_name" | "nickname" | "preferred_username" | "gender" | "picture" | "website" | "birthdate" | "zoneinfo" | "locale" | "updated_at" | "acr" | "auth_time", {
+        values?: (string | number | boolean)[] | undefined;
+        value?: string | number | boolean | undefined;
+        essential?: boolean | undefined;
+    } | null>>>> | undefined;
+    login_hint?: string | undefined;
+    ui_locales?: string | undefined;
+    id_token_hint?: string | undefined;
+    display?: "page" | "popup" | "touch" | undefined;
+    prompt?: "none" | "login" | "consent" | "select_account" | undefined;
+    authorization_details?: {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }[] | undefined;
+}>, z.ZodObject<{
+    /**
+     * AuthorizationRequest inside a JWT:
+     * - "iat" is required and **MUST** be less than one minute
+     *
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc9101}
+     */
+    request: z.ZodUnion<[z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>, z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}`, string>]>;
+}, "strip", z.ZodTypeAny, {
+    request: `${string}.${string}.${string}` | `${string}.${string}`;
+}, {
+    request: string;
+}>]>>;
+export type PushedAuthorizationRequest = z.infer<typeof pushedAuthorizationRequestSchema>;
+export declare const authorizationRequestQuerySchema: z.ZodIntersection<z.ZodUnion<[z.ZodUnion<[z.ZodObject<{
+    client_id: z.ZodString;
+    client_assertion_type: z.ZodLiteral<"urn:ietf:params:oauth:client-assertion-type:jwt-bearer">;
+    client_assertion: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: `${string}.${string}.${string}`;
+}, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: string;
+}>, z.ZodObject<{
+    client_id: z.ZodString;
+    client_secret: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_secret: string;
+}, {
+    client_id: string;
+    client_secret: string;
+}>]>, z.ZodObject<{
+    client_id: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+}, {
+    client_id: string;
+}>]>, z.ZodUnion<[z.ZodObject<{
+    client_id: z.ZodString;
+    state: z.ZodOptional<z.ZodString>;
+    nonce: z.ZodOptional<z.ZodString>;
+    dpop_jkt: z.ZodOptional<z.ZodString>;
+    response_type: z.ZodEnum<["code", "token", "id_token", "none", "code token", "code id_token", "id_token token", "code id_token token"]>;
+    response_mode: z.ZodOptional<z.ZodEnum<["query", "fragment", "form_post"]>>;
+    code_challenge: z.ZodOptional<z.ZodString>;
+    code_challenge_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<["S256", "plain"]>>>;
+    redirect_uri: z.ZodOptional<z.ZodString>;
+    scope: z.ZodOptional<z.ZodString>;
+    max_age: z.ZodOptional<z.ZodNumber>;
+    claims: z.ZodOptional<z.ZodRecord<z.ZodEnum<["userinfo", "id_token"]>, z.ZodRecord<z.ZodEnum<["auth_time", "nonce", "acr", "name", "family_name", "given_name", "middle_name", "nickname", "preferred_username", "gender", "picture", "profile", "website", "birthdate", "zoneinfo", "locale", "updated_at", "email", "email_verified", "phone_number", "phone_number_verified", "address"]>, z.ZodUnion<[z.ZodLiteral<null>, z.ZodObject<{
+        essential: z.ZodOptional<z.ZodBoolean>;
+        value: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodNumber, z.ZodBoolean]>>;
+        values: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodNumber, z.ZodBoolean]>, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        values?: (string | number | boolean)[] | undefined;
+        value?: string | number | boolean | undefined;
+        essential?: boolean | undefined;
+    }, {
+        values?: (string | number | boolean)[] | undefined;
+        value?: string | number | boolean | undefined;
+        essential?: boolean | undefined;
+    }>]>>>>;
+    login_hint: z.ZodOptional<z.ZodString>;
+    ui_locales: z.ZodOptional<z.ZodString>;
+    id_token_hint: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
+    display: z.ZodOptional<z.ZodEnum<["page", "popup", "touch"]>>;
+    prompt: z.ZodOptional<z.ZodEnum<["none", "login", "consent", "select_account"]>>;
+    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        locations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        identifier: z.ZodOptional<z.ZodString>;
+        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }, {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }>, "many">>;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    response_type: "none" | "token" | "code" | "id_token" | "code id_token token" | "code id_token" | "code token" | "id_token token";
+    scope?: string | undefined;
+    redirect_uri?: string | undefined;
+    nonce?: string | undefined;
+    state?: string | undefined;
+    dpop_jkt?: string | undefined;
+    response_mode?: "query" | "fragment" | "form_post" | undefined;
+    code_challenge?: string | undefined;
+    code_challenge_method?: "S256" | "plain" | undefined;
+    max_age?: number | undefined;
+    claims?: Partial<Record<"id_token" | "userinfo", Partial<Record<"nonce" | "name" | "email" | "email_verified" | "phone_number" | "phone_number_verified" | "address" | "profile" | "family_name" | "given_name" | "middle_name" | "nickname" | "preferred_username" | "gender" | "picture" | "website" | "birthdate" | "zoneinfo" | "locale" | "updated_at" | "acr" | "auth_time", {
+        values?: (string | number | boolean)[] | undefined;
+        value?: string | number | boolean | undefined;
+        essential?: boolean | undefined;
+    } | null>>>> | undefined;
+    login_hint?: string | undefined;
+    ui_locales?: string | undefined;
+    id_token_hint?: `${string}.${string}.${string}` | undefined;
+    display?: "page" | "popup" | "touch" | undefined;
+    prompt?: "none" | "login" | "consent" | "select_account" | undefined;
+    authorization_details?: {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }[] | undefined;
+}, {
+    client_id: string;
+    response_type: "none" | "token" | "code" | "id_token" | "code id_token token" | "code id_token" | "code token" | "id_token token";
+    scope?: string | undefined;
+    redirect_uri?: string | undefined;
+    nonce?: string | undefined;
+    state?: string | undefined;
+    dpop_jkt?: string | undefined;
+    response_mode?: "query" | "fragment" | "form_post" | undefined;
+    code_challenge?: string | undefined;
+    code_challenge_method?: "S256" | "plain" | undefined;
+    max_age?: number | undefined;
+    claims?: Partial<Record<"id_token" | "userinfo", Partial<Record<"nonce" | "name" | "email" | "email_verified" | "phone_number" | "phone_number_verified" | "address" | "profile" | "family_name" | "given_name" | "middle_name" | "nickname" | "preferred_username" | "gender" | "picture" | "website" | "birthdate" | "zoneinfo" | "locale" | "updated_at" | "acr" | "auth_time", {
+        values?: (string | number | boolean)[] | undefined;
+        value?: string | number | boolean | undefined;
+        essential?: boolean | undefined;
+    } | null>>>> | undefined;
+    login_hint?: string | undefined;
+    ui_locales?: string | undefined;
+    id_token_hint?: string | undefined;
+    display?: "page" | "popup" | "touch" | undefined;
+    prompt?: "none" | "login" | "consent" | "select_account" | undefined;
+    authorization_details?: {
+        type: string;
+        locations?: string[] | undefined;
+        actions?: string[] | undefined;
+        datatypes?: string[] | undefined;
+        identifier?: string | undefined;
+        privileges?: string[] | undefined;
+    }[] | undefined;
+}>, z.ZodObject<{
+    /**
+     * AuthorizationRequest inside a JWT:
+     * - "iat" is required and **MUST** be less than one minute
+     *
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc9101}
+     */
+    request: z.ZodUnion<[z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>, z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}`, string>]>;
+}, "strip", z.ZodTypeAny, {
+    request: `${string}.${string}.${string}` | `${string}.${string}`;
+}, {
+    request: string;
+}>, z.ZodObject<{
+    request_uri: z.ZodEffects<z.ZodString, `urn:ietf:params:oauth:request_uri:req-${string}`, string>;
+}, "strip", z.ZodTypeAny, {
+    request_uri: `urn:ietf:params:oauth:request_uri:req-${string}`;
+}, {
+    request_uri: string;
+}>]>>;
+export type AuthorizationRequestQuery = z.infer<typeof authorizationRequestQuerySchema>;
+//# sourceMappingURL=types.d.ts.map

package/dist/request/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/request/types.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB,eAAO,MAAM,6BAA6B;IACxC;;;;;OAKG;;;;;;EAEH,CAAA;AAEF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAC3C,OAAO,6BAA6B,CACrC,CAAA;AAED,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAb3C;;;;;OAKG;;;;;;KAeJ,CAAA;AAED,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAC9C,OAAO,gCAAgC,CACxC,CAAA;AAED,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA1B1C;;;;;OAKG;;;;;;;;;;;;KA4BJ,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAC7C,OAAO,+BAA+B,CACvC,CAAA"}

package/dist/request/types.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authorizationRequestQuerySchema = exports.pushedAuthorizationRequestSchema = exports.authorizationRequestJarSchema = void 0;
+const jwk_1 = require("@atproto/jwk");
+const oauth_types_1 = require("@atproto/oauth-types");
+const zod_1 = require("zod");
+const request_uri_js_1 = require("./request-uri.js");
+exports.authorizationRequestJarSchema = zod_1.z.object({
+    /**
+     * AuthorizationRequest inside a JWT:
+     * - "iat" is required and **MUST** be less than one minute
+     *
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc9101}
+     */
+    request: zod_1.z.union([jwk_1.signedJwtSchema, jwk_1.unsignedJwtSchema]),
+});
+exports.pushedAuthorizationRequestSchema = zod_1.z.intersection(oauth_types_1.oauthClientIdentificationSchema, zod_1.z.union([
+    oauth_types_1.oauthAuthenticationRequestParametersSchema,
+    exports.authorizationRequestJarSchema,
+    //
+]));
+exports.authorizationRequestQuerySchema = zod_1.z.intersection(oauth_types_1.oauthClientIdentificationSchema, zod_1.z.union([
+    oauth_types_1.oauthAuthenticationRequestParametersSchema,
+    exports.authorizationRequestJarSchema,
+    zod_1.z.object({ request_uri: request_uri_js_1.requestUriSchema }),
+]));
+//# sourceMappingURL=types.js.map

package/dist/request/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/request/types.ts"],"names":[],"mappings":";;;AAAA,sCAAiE;AACjE,sDAG6B;AAC7B,6BAAuB;AAEvB,qDAAmD;AAEtC,QAAA,6BAA6B,GAAG,OAAC,CAAC,MAAM,CAAC;IACpD;;;;;OAKG;IACH,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,qBAAe,EAAE,uBAAiB,CAAC,CAAC;CACvD,CAAC,CAAA;AAMW,QAAA,gCAAgC,GAAG,OAAC,CAAC,YAAY,CAC5D,6CAA+B,EAC/B,OAAC,CAAC,KAAK,CAAC;IACN,wDAA0C;IAC1C,qCAA6B;IAC7B,EAAE;CACH,CAAC,CACH,CAAA;AAMY,QAAA,+BAA+B,GAAG,OAAC,CAAC,YAAY,CAC3D,6CAA+B,EAC/B,OAAC,CAAC,KAAK,CAAC;IACN,wDAA0C;IAC1C,qCAA6B;IAC7B,OAAC,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,iCAAgB,EAAE,CAAC;CAC5C,CAAC,CACH,CAAA"}