@atproto/oauth-provider 0.1.0

package/dist/signer/signed-token-payload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signed-token-payload.d.ts","sourceRoot":"","sources":["../../src/signer/signed-token-payload.ts"],"names":[],"mappings":"AACA,OAAO,CAAC,MAAM,KAAK,CAAA;AAGnB,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAA;AAI9C,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsBpC,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,QAAQ,CACvC,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CACzC,CAAA"}

package/dist/signer/signed-token-payload.js

@@ -0,0 +1,32 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signedTokenPayloadSchema = void 0;
+const jwk_1 = require("@atproto/jwk");
+const zod_1 = __importDefault(require("zod"));
+const client_id_js_1 = require("../client/client-id.js");
+const sub_js_1 = require("../oidc/sub.js");
+const token_id_js_1 = require("../token/token-id.js");
+exports.signedTokenPayloadSchema = zod_1.default.intersection(jwk_1.jwtPayloadSchema
+    .pick({
+    exp: true,
+    iat: true,
+    iss: true,
+    aud: true,
+})
+    .required(), jwk_1.jwtPayloadSchema
+    .omit({
+    exp: true,
+    iat: true,
+    iss: true,
+    aud: true,
+})
+    .partial()
+    .extend({
+    jti: token_id_js_1.tokenIdSchema,
+    sub: sub_js_1.subSchema,
+    client_id: client_id_js_1.clientIdSchema,
+}));
+//# sourceMappingURL=signed-token-payload.js.map

package/dist/signer/signed-token-payload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signed-token-payload.js","sourceRoot":"","sources":["../../src/signer/signed-token-payload.ts"],"names":[],"mappings":";;;;;;AAAA,sCAA+C;AAC/C,8CAAmB;AAEnB,yDAAuD;AAEvD,2CAA0C;AAC1C,sDAAoD;AAEvC,QAAA,wBAAwB,GAAG,aAAC,CAAC,YAAY,CACpD,sBAAgB;KACb,IAAI,CAAC;IACJ,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;CACV,CAAC;KACD,QAAQ,EAAE,EACb,sBAAgB;KACb,IAAI,CAAC;IACJ,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;CACV,CAAC;KACD,OAAO,EAAE;KACT,MAAM,CAAC;IACN,GAAG,EAAE,2BAAa;IAClB,GAAG,EAAE,kBAAS;IACd,SAAS,EAAE,6BAAc;CAC1B,CAAC,CACL,CAAA"}

package/dist/signer/signer.d.ts

@@ -0,0 +1,193 @@
+import { JwtPayload, JwtPayloadGetter, JwtSignHeader, Keyset, SignedJwt, VerifyOptions } from '@atproto/jwk';
+import { OAuthAuthenticationRequestParameters, OAuthAuthorizationDetails } from '@atproto/oauth-types';
+import { Account } from '../account/account.js';
+import { Client } from '../client/client.js';
+import { TokenId } from '../token/token-id.js';
+export type SignPayload = Omit<JwtPayload, 'iss'>;
+export declare class Signer {
+    readonly issuer: string;
+    readonly keyset: Keyset;
+    constructor(issuer: string, keyset: Keyset);
+    verify<P extends Record<string, unknown> = JwtPayload>(token: SignedJwt, options?: Omit<VerifyOptions, 'issuer'>): Promise<import("@atproto/jwk").VerifyResult<P, string> & {
+        key: import("@atproto/jwk").Key;
+    }>;
+    sign(signHeader: JwtSignHeader, payload: SignPayload | JwtPayloadGetter<SignPayload>): Promise<SignedJwt>;
+    accessToken(client: Client, parameters: OAuthAuthenticationRequestParameters, account: Account, extra: {
+        jti: TokenId;
+        exp: Date;
+        iat?: Date;
+        alg?: string;
+        cnf?: Record<string, string>;
+        authorization_details?: OAuthAuthorizationDetails;
+    }): Promise<SignedJwt>;
+    verifyAccessToken(token: SignedJwt): Promise<import("@atproto/jwk").VerifyResult<{
+        iat: number;
+        exp: number;
+        iss: string;
+        aud: string | [string, ...string[]];
+        jti: `tok-${string}`;
+        sub: string;
+        client_id: string;
+        nonce?: string | undefined;
+        name?: string | undefined;
+        htm?: string | undefined;
+        htu?: string | undefined;
+        ath?: string | undefined;
+        email?: string | undefined;
+        email_verified?: boolean | undefined;
+        phone_number?: string | undefined;
+        phone_number_verified?: boolean | undefined;
+        address?: {
+            formatted?: string | undefined;
+            street_address?: string | undefined;
+            locality?: string | undefined;
+            region?: string | undefined;
+            postal_code?: string | undefined;
+            country?: string | undefined;
+        } | undefined;
+        profile?: string | undefined;
+        family_name?: string | undefined;
+        given_name?: string | undefined;
+        middle_name?: string | undefined;
+        nickname?: string | undefined;
+        preferred_username?: string | undefined;
+        gender?: string | undefined;
+        picture?: string | undefined;
+        website?: string | undefined;
+        birthdate?: string | undefined;
+        zoneinfo?: string | undefined;
+        locale?: string | undefined;
+        updated_at?: number | undefined;
+        nbf?: number | undefined;
+        acr?: string | undefined;
+        azp?: string | undefined;
+        amr?: string[] | undefined;
+        cnf?: {
+            kid?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            jku?: string | undefined;
+            jwk?: {
+                kty: "RSA";
+                n: string;
+                e: string;
+                alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
+                kid?: string | undefined;
+                ext?: boolean | undefined;
+                use?: "sig" | "enc" | undefined;
+                key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                x5c?: string[] | undefined;
+                x5t?: string | undefined;
+                'x5t#S256'?: string | undefined;
+                x5u?: string | undefined;
+                d?: string | undefined;
+                p?: string | undefined;
+                q?: string | undefined;
+                dp?: string | undefined;
+                dq?: string | undefined;
+                qi?: string | undefined;
+                oth?: [{
+                    d?: string | undefined;
+                    r?: string | undefined;
+                    t?: string | undefined;
+                }, ...{
+                    d?: string | undefined;
+                    r?: string | undefined;
+                    t?: string | undefined;
+                }[]] | undefined;
+            } | {
+                kty: "EC";
+                crv: "P-256" | "P-384" | "P-521";
+                x: string;
+                y: string;
+                alg?: "ES256" | "ES384" | "ES512" | undefined;
+                kid?: string | undefined;
+                ext?: boolean | undefined;
+                use?: "sig" | "enc" | undefined;
+                key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                x5c?: string[] | undefined;
+                x5t?: string | undefined;
+                'x5t#S256'?: string | undefined;
+                x5u?: string | undefined;
+                d?: string | undefined;
+            } | {
+                kty: "EC";
+                crv: "secp256k1";
+                x: string;
+                y: string;
+                alg?: "ES256K" | undefined;
+                kid?: string | undefined;
+                ext?: boolean | undefined;
+                use?: "sig" | "enc" | undefined;
+                key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                x5c?: string[] | undefined;
+                x5t?: string | undefined;
+                'x5t#S256'?: string | undefined;
+                x5u?: string | undefined;
+                d?: string | undefined;
+            } | {
+                kty: "OKP";
+                crv: "Ed25519" | "Ed448";
+                x: string;
+                alg?: "EdDSA" | undefined;
+                kid?: string | undefined;
+                ext?: boolean | undefined;
+                use?: "sig" | "enc" | undefined;
+                key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                x5c?: string[] | undefined;
+                x5t?: string | undefined;
+                'x5t#S256'?: string | undefined;
+                x5u?: string | undefined;
+                d?: string | undefined;
+            } | {
+                kty: "oct";
+                k: string;
+                alg?: "HS256" | "HS384" | "HS512" | undefined;
+                kid?: string | undefined;
+                ext?: boolean | undefined;
+                use?: "sig" | "enc" | undefined;
+                key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                x5c?: string[] | undefined;
+                x5t?: string | undefined;
+                'x5t#S256'?: string | undefined;
+                x5u?: string | undefined;
+            } | {
+                kty: string;
+                alg?: string | undefined;
+                kid?: string | undefined;
+                ext?: boolean | undefined;
+                use?: "sig" | "enc" | undefined;
+                key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                x5c?: string[] | undefined;
+                x5t?: string | undefined;
+                'x5t#S256'?: string | undefined;
+                x5u?: string | undefined;
+            } | undefined;
+            jwe?: string | undefined;
+            jkt?: string | undefined;
+            osc?: string | undefined;
+        } | undefined;
+        scope?: string | undefined;
+        at_hash?: string | undefined;
+        c_hash?: string | undefined;
+        s_hash?: string | undefined;
+        auth_time?: number | undefined;
+        authorization_details?: import("zod").objectOutputType<{
+            type: import("zod").ZodString;
+            locations: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString, "many">>;
+            actions: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString, "many">>;
+            datatypes: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString, "many">>;
+            identifier: import("zod").ZodOptional<import("zod").ZodString>;
+            privileges: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString, "many">>;
+        }, import("zod").ZodTypeAny, "passthrough">[] | undefined;
+    }, string> & {
+        key: import("@atproto/jwk").Key;
+    }>;
+    idToken(client: Client, params: OAuthAuthenticationRequestParameters, account: Account, extra: {
+        exp: Date;
+        iat?: Date;
+        auth_time?: Date;
+        code?: string;
+        access_token?: string;
+    }): Promise<SignedJwt>;
+}
+//# sourceMappingURL=signer.d.ts.map

package/dist/signer/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../src/signer/signer.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,UAAU,EACV,gBAAgB,EAChB,aAAa,EACb,MAAM,EACN,SAAS,EACT,aAAa,EACd,MAAM,cAAc,CAAA;AACrB,OAAO,EACL,oCAAoC,EACpC,yBAAyB,EAC1B,MAAM,sBAAsB,CAAA;AAG7B,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAA;AAC/C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAK5C,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAA;AAM9C,MAAM,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAA;AAEjD,qBAAa,MAAM;aAEC,MAAM,EAAE,MAAM;aACd,MAAM,EAAE,MAAM;gBADd,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM;IAG1B,MAAM,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,UAAU,EACzD,KAAK,EAAE,SAAS,EAChB,OAAO,CAAC,EAAE,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC;;;IAQ5B,IAAI,CACf,UAAU,EAAE,aAAa,EACzB,OAAO,EAAE,WAAW,GAAG,gBAAgB,CAAC,WAAW,CAAC,GACnD,OAAO,CAAC,SAAS,CAAC;IASf,WAAW,CACf,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,oCAAoC,EAChD,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE;QACL,GAAG,EAAE,OAAO,CAAA;QACZ,GAAG,EAAE,IAAI,CAAA;QACT,GAAG,CAAC,EAAE,IAAI,CAAA;QACV,GAAG,CAAC,EAAE,MAAM,CAAA;QACZ,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QAC5B,qBAAqB,CAAC,EAAE,yBAAyB,CAAA;KAClD,GACA,OAAO,CAAC,SAAS,CAAC;IAuBf,iBAAiB,CAAC,KAAK,EAAE,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAelC,OAAO,CACX,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,oCAAoC,EAC5C,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE;QACL,GAAG,EAAE,IAAI,CAAA;QACT,GAAG,CAAC,EAAE,IAAI,CAAA;QACV,SAAS,CAAC,EAAE,IAAI,CAAA;QAChB,IAAI,CAAC,EAAE,MAAM,CAAA;QACb,YAAY,CAAC,EAAE,MAAM,CAAA;KACtB,GACA,OAAO,CAAC,SAAS,CAAC;CA6CtB"}

package/dist/signer/signer.js

@@ -0,0 +1,101 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Signer = void 0;
+const node_crypto_1 = require("node:crypto");
+const oidc_token_hash_1 = require("oidc-token-hash");
+const invalid_client_metadata_error_js_1 = require("../errors/invalid-client-metadata-error.js");
+const date_js_1 = require("../lib/util/date.js");
+const claims_requested_js_1 = require("../parameters/claims-requested.js");
+const oidc_payload_js_1 = require("../parameters/oidc-payload.js");
+const signed_token_payload_js_1 = require("./signed-token-payload.js");
+class Signer {
+    issuer;
+    keyset;
+    constructor(issuer, keyset) {
+        this.issuer = issuer;
+        this.keyset = keyset;
+    }
+    async verify(token, options) {
+        return this.keyset.verifyJwt(token, {
+            ...options,
+            issuer: [this.issuer],
+        });
+    }
+    async sign(signHeader, payload) {
+        return this.keyset.createJwt(signHeader, async (protectedHeader, key) => ({
+            ...(typeof payload === 'function'
+                ? await payload(protectedHeader, key)
+                : payload),
+            iss: this.issuer,
+        }));
+    }
+    async accessToken(client, parameters, account, extra) {
+        const header = {
+            // https://datatracker.ietf.org/doc/html/rfc9068#section-2.1
+            alg: extra.alg,
+            typ: 'at+jwt',
+        };
+        const payload = {
+            aud: account.aud,
+            iat: (0, date_js_1.dateToEpoch)(extra?.iat),
+            exp: (0, date_js_1.dateToEpoch)(extra.exp),
+            sub: account.sub,
+            jti: extra.jti,
+            cnf: extra.cnf,
+            // https://datatracker.ietf.org/doc/html/rfc8693#section-4.3
+            client_id: client.id,
+            scope: parameters.scope || client.metadata.scope,
+            authorization_details: extra.authorization_details,
+        };
+        return this.sign(header, payload);
+    }
+    async verifyAccessToken(token) {
+        const result = await this.verify(token, {
+            typ: 'at+jwt',
+        });
+        // The result is already type casted as an AccessTokenPayload, but we need
+        // to actually verify this. That should already be covered by the fact that
+        // we don't sign 'at+jwt' tokens without a valid token ID. Let's double
+        // check in case another version/implementation was used to generate the
+        // token.
+        signed_token_payload_js_1.signedTokenPayloadSchema.parse(result.payload);
+        return result;
+    }
+    async idToken(client, params, account, extra) {
+        // This can happen when a client is using password_grant. If a client is
+        // using password_grant, it should not set "require_auth_time" to true.
+        if (client.metadata.require_auth_time && extra.auth_time == null) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('"require_auth_time" metadata is not compatible with "password_grant" flow');
+        }
+        return this.sign({
+            alg: client.metadata.id_token_signed_response_alg,
+            typ: 'JWT',
+        }, async ({ alg }, key) => ({
+            ...(0, oidc_payload_js_1.oidcPayload)(params, account),
+            aud: client.id,
+            iat: (0, date_js_1.dateToEpoch)(extra.iat),
+            exp: (0, date_js_1.dateToEpoch)(extra.exp),
+            sub: account.sub,
+            jti: (0, node_crypto_1.randomBytes)(16).toString('hex'),
+            scope: params.scope,
+            nonce: params.nonce,
+            s_hash: params.state //
+                ? await (0, oidc_token_hash_1.generate)(params.state, alg, key.crv)
+                : undefined,
+            c_hash: extra.code //
+                ? await (0, oidc_token_hash_1.generate)(extra.code, alg, key.crv)
+                : undefined,
+            at_hash: extra.access_token //
+                ? await (0, oidc_token_hash_1.generate)(extra.access_token, alg, key.crv)
+                : undefined,
+            // https://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html#rfc.section.5.2
+            auth_time: client.metadata.require_auth_time ||
+                (extra.auth_time != null && params.max_age != null) ||
+                (0, claims_requested_js_1.claimRequested)(params, 'id_token', 'auth_time', extra.auth_time)
+                ? (0, date_js_1.dateToEpoch)(extra.auth_time)
+                : undefined,
+        }));
+    }
+}
+exports.Signer = Signer;
+//# sourceMappingURL=signer.js.map

package/dist/signer/signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.js","sourceRoot":"","sources":["../../src/signer/signer.ts"],"names":[],"mappings":";;;AAAA,6CAAyC;AAczC,qDAAkD;AAIlD,iGAAuF;AACvF,iDAAiD;AACjD,2EAAkE;AAClE,mEAA2D;AAE3D,uEAGkC;AAIlC,MAAa,MAAM;IAEC;IACA;IAFlB,YACkB,MAAc,EACd,MAAc;QADd,WAAM,GAAN,MAAM,CAAQ;QACd,WAAM,GAAN,MAAM,CAAQ;IAC7B,CAAC;IAEJ,KAAK,CAAC,MAAM,CACV,KAAgB,EAChB,OAAuC;QAEvC,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAI,KAAK,EAAE;YACrC,GAAG,OAAO;YACV,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;SACtB,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,IAAI,CACf,UAAyB,EACzB,OAAoD;QAEpD,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,EAAE,eAAe,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YACxE,GAAG,CAAC,OAAO,OAAO,KAAK,UAAU;gBAC/B,CAAC,CAAC,MAAM,OAAO,CAAC,eAAe,EAAE,GAAG,CAAC;gBACrC,CAAC,CAAC,OAAO,CAAC;YACZ,GAAG,EAAE,IAAI,CAAC,MAAM;SACjB,CAAC,CAAC,CAAA;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CACf,MAAc,EACd,UAAgD,EAChD,OAAgB,EAChB,KAOC;QAED,MAAM,MAAM,GAAkB;YAC5B,4DAA4D;YAC5D,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,GAAG,EAAE,QAAQ;SACd,CAAA;QAED,MAAM,OAAO,GAAoC;YAC/C,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,IAAA,qBAAW,EAAC,KAAK,EAAE,GAAG,CAAC;YAC5B,GAAG,EAAE,IAAA,qBAAW,EAAC,KAAK,CAAC,GAAG,CAAC;YAC3B,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,4DAA4D;YAC5D,SAAS,EAAE,MAAM,CAAC,EAAE;YACpB,KAAK,EAAE,UAAU,CAAC,KAAK,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK;YAChD,qBAAqB,EAAE,KAAK,CAAC,qBAAqB;SACnD,CAAA;QAED,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,KAAgB;QACtC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAqB,KAAK,EAAE;YAC1D,GAAG,EAAE,QAAQ;SACd,CAAC,CAAA;QAEF,0EAA0E;QAC1E,2EAA2E;QAC3E,uEAAuE;QACvE,wEAAwE;QACxE,SAAS;QACT,kDAAwB,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAE9C,OAAO,MAAM,CAAA;IACf,CAAC;IAED,KAAK,CAAC,OAAO,CACX,MAAc,EACd,MAA4C,EAC5C,OAAgB,EAChB,KAMC;QAED,wEAAwE;QACxE,uEAAuE;QACvE,IAAI,MAAM,CAAC,QAAQ,CAAC,iBAAiB,IAAI,KAAK,CAAC,SAAS,IAAI,IAAI,EAAE,CAAC;YACjE,MAAM,IAAI,6DAA0B,CAClC,2EAA2E,CAC5E,CAAA;QACH,CAAC;QAED,OAAO,IAAI,CAAC,IAAI,CACd;YACE,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,4BAA4B;YACjD,GAAG,EAAE,KAAK;SACX,EACD,KAAK,EAAE,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YACvB,GAAG,IAAA,6BAAW,EAAC,MAAM,EAAE,OAAO,CAAC;YAE/B,GAAG,EAAE,MAAM,CAAC,EAAE;YACd,GAAG,EAAE,IAAA,qBAAW,EAAC,KAAK,CAAC,GAAG,CAAC;YAC3B,GAAG,EAAE,IAAA,qBAAW,EAAC,KAAK,CAAC,GAAG,CAAC;YAC3B,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACpC,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,KAAK,EAAE,MAAM,CAAC,KAAK;YAEnB,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE;gBACrB,CAAC,CAAC,MAAM,IAAA,0BAAI,EAAC,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,CAAC;gBACxC,CAAC,CAAC,SAAS;YACb,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE;gBACnB,CAAC,CAAC,MAAM,IAAA,0BAAI,EAAC,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,CAAC;gBACtC,CAAC,CAAC,SAAS;YACb,OAAO,EAAE,KAAK,CAAC,YAAY,CAAC,EAAE;gBAC5B,CAAC,CAAC,MAAM,IAAA,0BAAI,EAAC,KAAK,CAAC,YAAY,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,CAAC;gBAC9C,CAAC,CAAC,SAAS;YAEb,oGAAoG;YACpG,SAAS,EACP,MAAM,CAAC,QAAQ,CAAC,iBAAiB;gBACjC,CAAC,KAAK,CAAC,SAAS,IAAI,IAAI,IAAI,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC;gBACnD,IAAA,oCAAc,EAAC,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC;gBAC9D,CAAC,CAAC,IAAA,qBAAW,EAAC,KAAK,CAAC,SAAU,CAAC;gBAC/B,CAAC,CAAC,SAAS;SAChB,CAAC,CACH,CAAA;IACH,CAAC;CACF;AAtID,wBAsIC"}

package/dist/token/refresh-token.d.ts

@@ -0,0 +1,7 @@
+import { z } from 'zod';
+export declare const REFRESH_TOKEN_LENGTH: number;
+export declare const refreshTokenSchema: z.ZodEffects<z.ZodString, `ref-${string}`, string>;
+export declare const isRefreshToken: (data: unknown) => data is `ref-${string}`;
+export type RefreshToken = z.infer<typeof refreshTokenSchema>;
+export declare const generateRefreshToken: () => Promise<RefreshToken>;
+//# sourceMappingURL=refresh-token.d.ts.map

package/dist/token/refresh-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token.d.ts","sourceRoot":"","sources":["../../src/token/refresh-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAQvB,eAAO,MAAM,oBAAoB,QAC6B,CAAA;AAE9D,eAAO,MAAM,kBAAkB,oDAS5B,CAAA;AAEH,eAAO,MAAM,cAAc,SAAU,OAAO,4BACA,CAAA;AAE5C,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAC7D,eAAO,MAAM,oBAAoB,QAAa,QAAQ,YAAY,CAIjE,CAAA"}

package/dist/token/refresh-token.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateRefreshToken = exports.isRefreshToken = exports.refreshTokenSchema = exports.REFRESH_TOKEN_LENGTH = void 0;
+const zod_1 = require("zod");
+const constants_js_1 = require("../constants.js");
+const crypto_js_1 = require("../lib/util/crypto.js");
+exports.REFRESH_TOKEN_LENGTH = constants_js_1.REFRESH_TOKEN_PREFIX.length + constants_js_1.REFRESH_TOKEN_BYTES_LENGTH * 2; // hex encoding
+exports.refreshTokenSchema = zod_1.z
+    .string()
+    .length(exports.REFRESH_TOKEN_LENGTH)
+    .refine((v) => v.startsWith(constants_js_1.REFRESH_TOKEN_PREFIX), {
+    message: `Invalid refresh token format`,
+});
+const isRefreshToken = (data) => exports.refreshTokenSchema.safeParse(data).success;
+exports.isRefreshToken = isRefreshToken;
+const generateRefreshToken = async () => {
+    return `${constants_js_1.REFRESH_TOKEN_PREFIX}${await (0, crypto_js_1.randomHexId)(constants_js_1.REFRESH_TOKEN_BYTES_LENGTH)}`;
+};
+exports.generateRefreshToken = generateRefreshToken;
+//# sourceMappingURL=refresh-token.js.map

package/dist/token/refresh-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token.js","sourceRoot":"","sources":["../../src/token/refresh-token.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,kDAGwB;AACxB,qDAAmD;AAEtC,QAAA,oBAAoB,GAC/B,mCAAoB,CAAC,MAAM,GAAG,yCAA0B,GAAG,CAAC,CAAA,CAAC,eAAe;AAEjE,QAAA,kBAAkB,GAAG,OAAC;KAChC,MAAM,EAAE;KACR,MAAM,CAAC,4BAAoB,CAAC;KAC5B,MAAM,CACL,CAAC,CAAC,EAAkD,EAAE,CACpD,CAAC,CAAC,UAAU,CAAC,mCAAoB,CAAC,EACpC;IACE,OAAO,EAAE,8BAA8B;CACxC,CACF,CAAA;AAEI,MAAM,cAAc,GAAG,CAAC,IAAa,EAAwB,EAAE,CACpE,0BAAkB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;AAD/B,QAAA,cAAc,kBACiB;AAGrC,MAAM,oBAAoB,GAAG,KAAK,IAA2B,EAAE;IACpE,OAAO,GAAG,mCAAoB,GAAG,MAAM,IAAA,uBAAW,EAChD,yCAA0B,CAC3B,EAAE,CAAA;AACL,CAAC,CAAA;AAJY,QAAA,oBAAoB,wBAIhC"}