@atproto/oauth-provider 0.1.0

package/dist/token/token-store.d.ts

@@ -0,0 +1,35 @@
+import { DeviceAccountInfo } from '../account/account-store.js';
+import { Account } from '../account/account.js';
+import { Awaitable } from '../lib/util/type.js';
+import { Code } from '../request/code.js';
+import { RefreshToken } from './refresh-token.js';
+import { TokenData } from './token-data.js';
+import { TokenId } from './token-id.js';
+export * from './token-id.js';
+export * from './token-data.js';
+export * from './refresh-token.js';
+export type { Awaitable };
+export type TokenInfo = {
+    id: TokenId;
+    data: TokenData;
+    account: Account;
+    info?: DeviceAccountInfo;
+    currentRefreshToken: null | RefreshToken;
+};
+export type NewTokenData = Pick<TokenData, 'clientAuth' | 'expiresAt' | 'updatedAt'>;
+export interface TokenStore {
+    createToken(tokenId: TokenId, data: TokenData, refreshToken?: RefreshToken): Awaitable<void>;
+    readToken(tokenId: TokenId): Awaitable<null | TokenInfo>;
+    deleteToken(tokenId: TokenId): Awaitable<void>;
+    rotateToken(tokenId: TokenId, newTokenId: TokenId, newRefreshToken: RefreshToken, newData: NewTokenData): Awaitable<void>;
+    /**
+     * Find a token by its refresh token. Note that previous refresh tokens
+     * should also return the token. The data model is reponsible for storing
+     * old refresh tokens when a new one is issued.
+     */
+    findTokenByRefreshToken(refreshToken: RefreshToken): Awaitable<null | TokenInfo>;
+    findTokenByCode(code: Code): Awaitable<null | TokenInfo>;
+}
+export declare function isTokenStore(implementation: Record<string, unknown> & Partial<TokenStore>): implementation is Record<string, unknown> & TokenStore;
+export declare function asTokenStore(implementation?: Record<string, unknown> & Partial<TokenStore>): TokenStore;
+//# sourceMappingURL=token-store.d.ts.map

package/dist/token/token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../../src/token/token-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAA;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAA;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAA;AAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAA;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAA;AAGvC,cAAc,eAAe,CAAA;AAC7B,cAAc,iBAAiB,CAAA;AAC/B,cAAc,oBAAoB,CAAA;AAClC,YAAY,EAAE,SAAS,EAAE,CAAA;AAEzB,MAAM,MAAM,SAAS,GAAG;IACtB,EAAE,EAAE,OAAO,CAAA;IACX,IAAI,EAAE,SAAS,CAAA;IACf,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,CAAC,EAAE,iBAAiB,CAAA;IACxB,mBAAmB,EAAE,IAAI,GAAG,YAAY,CAAA;CACzC,CAAA;AAED,MAAM,MAAM,YAAY,GAAG,IAAI,CAC7B,SAAS,EACT,YAAY,GAAG,WAAW,GAAG,WAAW,CACzC,CAAA;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,CACT,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,SAAS,EACf,YAAY,CAAC,EAAE,YAAY,GAC1B,SAAS,CAAC,IAAI,CAAC,CAAA;IAElB,SAAS,CAAC,OAAO,EAAE,OAAO,GAAG,SAAS,CAAC,IAAI,GAAG,SAAS,CAAC,CAAA;IAExD,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAE9C,WAAW,CACT,OAAO,EAAE,OAAO,EAChB,UAAU,EAAE,OAAO,EACnB,eAAe,EAAE,YAAY,EAC7B,OAAO,EAAE,YAAY,GACpB,SAAS,CAAC,IAAI,CAAC,CAAA;IAElB;;;;OAIG;IACH,uBAAuB,CACrB,YAAY,EAAE,YAAY,GACzB,SAAS,CAAC,IAAI,GAAG,SAAS,CAAC,CAAA;IAE9B,eAAe,CAAC,IAAI,EAAE,IAAI,GAAG,SAAS,CAAC,IAAI,GAAG,SAAS,CAAC,CAAA;CACzD;AAED,wBAAgB,YAAY,CAC1B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC,GAC5D,cAAc,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,UAAU,CASxD;AAED,wBAAgB,YAAY,CAC1B,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC,GAC7D,UAAU,CAKZ"}

package/dist/token/token-store.js

@@ -0,0 +1,38 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.asTokenStore = exports.isTokenStore = void 0;
+// Export all types needed to implement the TokenStore interface
+__exportStar(require("./token-id.js"), exports);
+__exportStar(require("./token-data.js"), exports);
+__exportStar(require("./refresh-token.js"), exports);
+function isTokenStore(implementation) {
+    return (typeof implementation.createToken === 'function' &&
+        typeof implementation.readToken === 'function' &&
+        typeof implementation.rotateToken === 'function' &&
+        typeof implementation.deleteToken === 'function' &&
+        typeof implementation.findTokenByCode === 'function' &&
+        typeof implementation.findTokenByRefreshToken === 'function');
+}
+exports.isTokenStore = isTokenStore;
+function asTokenStore(implementation) {
+    if (!implementation || !isTokenStore(implementation)) {
+        throw new Error('Invalid TokenStore implementation');
+    }
+    return implementation;
+}
+exports.asTokenStore = asTokenStore;
+//# sourceMappingURL=token-store.js.map

package/dist/token/token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.js","sourceRoot":"","sources":["../../src/token/token-store.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAQA,gEAAgE;AAChE,gDAA6B;AAC7B,kDAA+B;AAC/B,qDAAkC;AA8ClC,SAAgB,YAAY,CAC1B,cAA6D;IAE7D,OAAO,CACL,OAAO,cAAc,CAAC,WAAW,KAAK,UAAU;QAChD,OAAO,cAAc,CAAC,SAAS,KAAK,UAAU;QAC9C,OAAO,cAAc,CAAC,WAAW,KAAK,UAAU;QAChD,OAAO,cAAc,CAAC,WAAW,KAAK,UAAU;QAChD,OAAO,cAAc,CAAC,eAAe,KAAK,UAAU;QACpD,OAAO,cAAc,CAAC,uBAAuB,KAAK,UAAU,CAC7D,CAAA;AACH,CAAC;AAXD,oCAWC;AAED,SAAgB,YAAY,CAC1B,cAA8D;IAE9D,IAAI,CAAC,cAAc,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAA;IACtD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC;AAPD,oCAOC"}

package/dist/token/types.d.ts

@@ -0,0 +1,250 @@
+import { OAuthAuthorizationDetails, OAuthTokenType } from '@atproto/oauth-types';
+import { z } from 'zod';
+export declare const codeGrantRequestSchema: z.ZodIntersection<z.ZodUnion<[z.ZodUnion<[z.ZodObject<{
+    client_id: z.ZodString;
+    client_assertion_type: z.ZodLiteral<"urn:ietf:params:oauth:client-assertion-type:jwt-bearer">;
+    client_assertion: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: `${string}.${string}.${string}`;
+}, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: string;
+}>, z.ZodObject<{
+    client_id: z.ZodString;
+    client_secret: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_secret: string;
+}, {
+    client_id: string;
+    client_secret: string;
+}>]>, z.ZodObject<{
+    client_id: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+}, {
+    client_id: string;
+}>]>, z.ZodObject<{
+    grant_type: z.ZodLiteral<"authorization_code">;
+    code: z.ZodEffects<z.ZodString, `cod-${string}`, string>;
+    /** @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.1} */
+    code_verifier: z.ZodString;
+    redirect_uri: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    code: `cod-${string}`;
+    redirect_uri: string;
+    grant_type: "authorization_code";
+    code_verifier: string;
+}, {
+    code: string;
+    redirect_uri: string;
+    grant_type: "authorization_code";
+    code_verifier: string;
+}>>;
+export type CodeGrantRequest = z.infer<typeof codeGrantRequestSchema>;
+export declare const refreshGrantRequestSchema: z.ZodIntersection<z.ZodUnion<[z.ZodUnion<[z.ZodObject<{
+    client_id: z.ZodString;
+    client_assertion_type: z.ZodLiteral<"urn:ietf:params:oauth:client-assertion-type:jwt-bearer">;
+    client_assertion: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: `${string}.${string}.${string}`;
+}, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: string;
+}>, z.ZodObject<{
+    client_id: z.ZodString;
+    client_secret: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_secret: string;
+}, {
+    client_id: string;
+    client_secret: string;
+}>]>, z.ZodObject<{
+    client_id: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+}, {
+    client_id: string;
+}>]>, z.ZodObject<{
+    grant_type: z.ZodLiteral<"refresh_token">;
+    refresh_token: z.ZodEffects<z.ZodString, `ref-${string}`, string>;
+    client_id: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    refresh_token: `ref-${string}`;
+    grant_type: "refresh_token";
+}, {
+    client_id: string;
+    refresh_token: string;
+    grant_type: "refresh_token";
+}>>;
+export type RefreshGrantRequest = z.infer<typeof refreshGrantRequestSchema>;
+export declare const tokenRequestSchema: z.ZodUnion<[z.ZodIntersection<z.ZodUnion<[z.ZodUnion<[z.ZodObject<{
+    client_id: z.ZodString;
+    client_assertion_type: z.ZodLiteral<"urn:ietf:params:oauth:client-assertion-type:jwt-bearer">;
+    client_assertion: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: `${string}.${string}.${string}`;
+}, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: string;
+}>, z.ZodObject<{
+    client_id: z.ZodString;
+    client_secret: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_secret: string;
+}, {
+    client_id: string;
+    client_secret: string;
+}>]>, z.ZodObject<{
+    client_id: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+}, {
+    client_id: string;
+}>]>, z.ZodObject<{
+    grant_type: z.ZodLiteral<"authorization_code">;
+    code: z.ZodEffects<z.ZodString, `cod-${string}`, string>;
+    /** @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.1} */
+    code_verifier: z.ZodString;
+    redirect_uri: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    code: `cod-${string}`;
+    redirect_uri: string;
+    grant_type: "authorization_code";
+    code_verifier: string;
+}, {
+    code: string;
+    redirect_uri: string;
+    grant_type: "authorization_code";
+    code_verifier: string;
+}>>, z.ZodIntersection<z.ZodUnion<[z.ZodUnion<[z.ZodObject<{
+    client_id: z.ZodString;
+    client_assertion_type: z.ZodLiteral<"urn:ietf:params:oauth:client-assertion-type:jwt-bearer">;
+    client_assertion: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: `${string}.${string}.${string}`;
+}, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: string;
+}>, z.ZodObject<{
+    client_id: z.ZodString;
+    client_secret: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_secret: string;
+}, {
+    client_id: string;
+    client_secret: string;
+}>]>, z.ZodObject<{
+    client_id: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+}, {
+    client_id: string;
+}>]>, z.ZodObject<{
+    grant_type: z.ZodLiteral<"refresh_token">;
+    refresh_token: z.ZodEffects<z.ZodString, `ref-${string}`, string>;
+    client_id: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    refresh_token: `ref-${string}`;
+    grant_type: "refresh_token";
+}, {
+    client_id: string;
+    refresh_token: string;
+    grant_type: "refresh_token";
+}>>]>;
+export type TokenRequest = z.infer<typeof tokenRequestSchema>;
+export declare const tokenIdentification: z.ZodObject<{
+    token: z.ZodUnion<[z.ZodString, z.ZodEffects<z.ZodString, `ref-${string}`, string>]>;
+    token_type_hint: z.ZodOptional<z.ZodEnum<["access_token", "refresh_token"]>>;
+}, "strip", z.ZodTypeAny, {
+    token: string;
+    token_type_hint?: "access_token" | "refresh_token" | undefined;
+}, {
+    token: string;
+    token_type_hint?: "access_token" | "refresh_token" | undefined;
+}>;
+export type TokenIdentification = z.infer<typeof tokenIdentification>;
+export declare const revokeSchema: z.ZodObject<{
+    token: z.ZodUnion<[z.ZodString, z.ZodEffects<z.ZodString, `ref-${string}`, string>]>;
+    token_type_hint: z.ZodOptional<z.ZodEnum<["access_token", "refresh_token"]>>;
+}, "strip", z.ZodTypeAny, {
+    token: string;
+    token_type_hint?: "access_token" | "refresh_token" | undefined;
+}, {
+    token: string;
+    token_type_hint?: "access_token" | "refresh_token" | undefined;
+}>;
+export type Revoke = z.infer<typeof revokeSchema>;
+export declare const introspectSchema: z.ZodIntersection<z.ZodUnion<[z.ZodUnion<[z.ZodObject<{
+    client_id: z.ZodString;
+    client_assertion_type: z.ZodLiteral<"urn:ietf:params:oauth:client-assertion-type:jwt-bearer">;
+    client_assertion: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: `${string}.${string}.${string}`;
+}, {
+    client_id: string;
+    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    client_assertion: string;
+}>, z.ZodObject<{
+    client_id: z.ZodString;
+    client_secret: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    client_secret: string;
+}, {
+    client_id: string;
+    client_secret: string;
+}>]>, z.ZodObject<{
+    client_id: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+}, {
+    client_id: string;
+}>]>, z.ZodObject<{
+    token: z.ZodUnion<[z.ZodString, z.ZodEffects<z.ZodString, `ref-${string}`, string>]>;
+    token_type_hint: z.ZodOptional<z.ZodEnum<["access_token", "refresh_token"]>>;
+}, "strip", z.ZodTypeAny, {
+    token: string;
+    token_type_hint?: "access_token" | "refresh_token" | undefined;
+}, {
+    token: string;
+    token_type_hint?: "access_token" | "refresh_token" | undefined;
+}>>;
+export type Introspect = z.infer<typeof introspectSchema>;
+export type IntrospectionResponse = {
+    active: false;
+} | {
+    active: true;
+    scope?: string;
+    client_id?: string;
+    username?: string;
+    token_type?: OAuthTokenType;
+    authorization_details?: OAuthAuthorizationDetails;
+    aud?: string | [string, ...string[]];
+    exp?: number;
+    iat?: number;
+    iss?: string;
+    jti?: string;
+    nbf?: number;
+    sub?: string;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/token/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/token/types.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,cAAc,EAGf,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAK/B,6EAA6E;;;;;;;;;;;;;GAShF,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA;AAErE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAOrC,CAAA;AAED,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAA;AAE3E,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAxB3B,6EAA6E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KA2B/E,CAAA;AAEF,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAE7D,eAAO,MAAM,mBAAmB;;;;;;;;;EAG9B,CAAA;AAEF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAErE,eAAO,MAAM,YAAY;;;;;;;;;EAAsB,CAAA;AAE/C,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA;AAEjD,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAG5B,CAAA;AAED,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAGzD,MAAM,MAAM,qBAAqB,GAC7B;IAAE,MAAM,EAAE,KAAK,CAAA;CAAE,GACjB;IACE,MAAM,EAAE,IAAI,CAAA;IAEZ,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,UAAU,CAAC,EAAE,cAAc,CAAA;IAC3B,qBAAqB,CAAC,EAAE,yBAAyB,CAAA;IAEjD,GAAG,CAAC,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;IACpC,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;CACb,CAAA"}

package/dist/token/types.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.introspectSchema = exports.revokeSchema = exports.tokenIdentification = exports.tokenRequestSchema = exports.refreshGrantRequestSchema = exports.codeGrantRequestSchema = void 0;
+const oauth_types_1 = require("@atproto/oauth-types");
+const zod_1 = require("zod");
+const client_id_js_1 = require("../client/client-id.js");
+const code_js_1 = require("../request/code.js");
+const refresh_token_js_1 = require("./refresh-token.js");
+exports.codeGrantRequestSchema = zod_1.z.intersection(oauth_types_1.oauthClientIdentificationSchema, zod_1.z.object({
+    grant_type: zod_1.z.literal('authorization_code'),
+    code: code_js_1.codeSchema,
+    /** @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.1} */
+    code_verifier: zod_1.z
+        .string()
+        .min(43)
+        .max(128)
+        .regex(/^[a-zA-Z0-9-._~]+$/),
+    redirect_uri: zod_1.z.string().url(),
+    // request_uri ???
+}));
+exports.refreshGrantRequestSchema = zod_1.z.intersection(oauth_types_1.oauthClientIdentificationSchema, zod_1.z.object({
+    grant_type: zod_1.z.literal('refresh_token'),
+    refresh_token: refresh_token_js_1.refreshTokenSchema,
+    client_id: client_id_js_1.clientIdSchema,
+}));
+exports.tokenRequestSchema = zod_1.z.union([
+    exports.codeGrantRequestSchema,
+    exports.refreshGrantRequestSchema,
+]);
+exports.tokenIdentification = zod_1.z.object({
+    token: zod_1.z.union([oauth_types_1.accessTokenSchema, refresh_token_js_1.refreshTokenSchema]),
+    token_type_hint: zod_1.z.enum(['access_token', 'refresh_token']).optional(),
+});
+exports.revokeSchema = exports.tokenIdentification;
+exports.introspectSchema = zod_1.z.intersection(oauth_types_1.oauthClientIdentificationSchema, exports.tokenIdentification);
+//# sourceMappingURL=types.js.map

package/dist/token/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/token/types.ts"],"names":[],"mappings":";;;AAAA,sDAK6B;AAC7B,6BAAuB;AAEvB,yDAAuD;AACvD,gDAA+C;AAC/C,yDAAuD;AAE1C,QAAA,sBAAsB,GAAG,OAAC,CAAC,YAAY,CAClD,6CAA+B,EAC/B,OAAC,CAAC,MAAM,CAAC;IACP,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC;IAC3C,IAAI,EAAE,oBAAU;IAChB,6EAA6E;IAC7E,aAAa,EAAE,OAAC;SACb,MAAM,EAAE;SACR,GAAG,CAAC,EAAE,CAAC;SACP,GAAG,CAAC,GAAG,CAAC;SACR,KAAK,CAAC,oBAAoB,CAAC;IAC9B,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC9B,kBAAkB;CACnB,CAAC,CACH,CAAA;AAIY,QAAA,yBAAyB,GAAG,OAAC,CAAC,YAAY,CACrD,6CAA+B,EAC/B,OAAC,CAAC,MAAM,CAAC;IACP,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IACtC,aAAa,EAAE,qCAAkB;IACjC,SAAS,EAAE,6BAAc;CAC1B,CAAC,CACH,CAAA;AAIY,QAAA,kBAAkB,GAAG,OAAC,CAAC,KAAK,CAAC;IACxC,8BAAsB;IACtB,iCAAyB;CAC1B,CAAC,CAAA;AAIW,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,KAAK,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,+BAAiB,EAAE,qCAAkB,CAAC,CAAC;IACvD,eAAe,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAA;AAIW,QAAA,YAAY,GAAG,2BAAmB,CAAA;AAIlC,QAAA,gBAAgB,GAAG,OAAC,CAAC,YAAY,CAC5C,6CAA+B,EAC/B,2BAAmB,CACpB,CAAA"}

package/dist/token/verify-token-claims.d.ts

@@ -0,0 +1,17 @@
+import { AccessToken, OAuthTokenType } from '@atproto/oauth-types';
+import { TokenClaims } from './token-claims.js';
+import { TokenId } from './token-id.js';
+export type VerifyTokenClaimsOptions = {
+    /** One of these audience must be included in the token audience(s) */
+    audience?: [string, ...string[]];
+    /** One of these scope must be included in the token scope(s) */
+    scope?: [string, ...string[]];
+};
+export type VerifyTokenClaimsResult = {
+    token: AccessToken;
+    tokenId: TokenId;
+    tokenType: OAuthTokenType;
+    claims: TokenClaims;
+};
+export declare function verifyTokenClaims(token: AccessToken, tokenId: TokenId, tokenType: OAuthTokenType, dpopJkt: string | null, claims: TokenClaims, options?: VerifyTokenClaimsOptions): VerifyTokenClaimsResult;
+//# sourceMappingURL=verify-token-claims.d.ts.map

package/dist/token/verify-token-claims.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-token-claims.d.ts","sourceRoot":"","sources":["../../src/token/verify-token-claims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAMlE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAA;AAEvC,MAAM,MAAM,wBAAwB,GAAG;IACrC,sEAAsE;IACtE,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;IAChC,gEAAgE;IAChE,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;CAC9B,CAAA;AAED,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,EAAE,WAAW,CAAA;IAClB,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,cAAc,CAAA;IACzB,MAAM,EAAE,WAAW,CAAA;CACpB,CAAA;AAED,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,WAAW,EAClB,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,cAAc,EACzB,OAAO,EAAE,MAAM,GAAG,IAAI,EACtB,MAAM,EAAE,WAAW,EACnB,OAAO,CAAC,EAAE,wBAAwB,GACjC,uBAAuB,CAkCzB"}

package/dist/token/verify-token-claims.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyTokenClaims = void 0;
+const invalid_dpop_key_binding_error_js_1 = require("../errors/invalid-dpop-key-binding-error.js");
+const invalid_dpop_proof_error_js_1 = require("../errors/invalid-dpop-proof-error.js");
+const cast_js_1 = require("../lib/util/cast.js");
+const oauth_errors_js_1 = require("../oauth-errors.js");
+function verifyTokenClaims(token, tokenId, tokenType, dpopJkt, claims, options) {
+    const dateReference = Date.now();
+    const claimsJkt = claims.cnf?.jkt ?? null;
+    const expectedTokenType = claimsJkt ? 'DPoP' : 'Bearer';
+    if (expectedTokenType !== tokenType) {
+        throw new oauth_errors_js_1.InvalidTokenError(expectedTokenType, `Invalid token type`);
+    }
+    if (tokenType === 'DPoP' && !dpopJkt) {
+        throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError(`jkt is required for DPoP tokens`);
+    }
+    if (claimsJkt !== dpopJkt) {
+        throw new invalid_dpop_key_binding_error_js_1.InvalidDpopKeyBindingError();
+    }
+    if (options?.audience) {
+        const aud = (0, cast_js_1.asArray)(claims.aud);
+        if (!options.audience.some((v) => aud.includes(v))) {
+            throw new oauth_errors_js_1.InvalidTokenError(tokenType, `Invalid audience`);
+        }
+    }
+    if (options?.scope) {
+        const scopes = claims.scope?.split(' ');
+        if (!scopes || !options.scope.some((v) => scopes.includes(v))) {
+            throw new oauth_errors_js_1.InvalidTokenError(tokenType, `Invalid scope`);
+        }
+    }
+    if (claims.exp && claims.exp * 1000 <= dateReference) {
+        throw new oauth_errors_js_1.InvalidTokenError(tokenType, `Token expired`);
+    }
+    return { token, tokenId, tokenType, claims };
+}
+exports.verifyTokenClaims = verifyTokenClaims;
+//# sourceMappingURL=verify-token-claims.js.map

package/dist/token/verify-token-claims.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-token-claims.js","sourceRoot":"","sources":["../../src/token/verify-token-claims.ts"],"names":[],"mappings":";;;AAEA,mGAAwF;AACxF,uFAA6E;AAC7E,iDAA6C;AAC7C,wDAAsD;AAkBtD,SAAgB,iBAAiB,CAC/B,KAAkB,EAClB,OAAgB,EAChB,SAAyB,EACzB,OAAsB,EACtB,MAAmB,EACnB,OAAkC;IAElC,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAChC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAA;IAEzC,MAAM,iBAAiB,GAAmB,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;IACvE,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,IAAI,mCAAiB,CAAC,iBAAiB,EAAE,oBAAoB,CAAC,CAAA;IACtE,CAAC;IACD,IAAI,SAAS,KAAK,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,MAAM,IAAI,mDAAqB,CAAC,iCAAiC,CAAC,CAAA;IACpE,CAAC;IACD,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;QAC1B,MAAM,IAAI,8DAA0B,EAAE,CAAA;IACxC,CAAC;IAED,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,IAAA,iBAAO,EAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAC/B,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAA;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QACvC,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,IAAI,IAAI,aAAa,EAAE,CAAC;QACrD,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;IACzD,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,CAAA;AAC9C,CAAC;AAzCD,8CAyCC"}

package/package.json

@@ -0,0 +1,83 @@
+{
+  "name": "@atproto/oauth-provider",
+  "version": "0.1.0",
+  "license": "MIT",
+  "description": "Generic OAuth2 and OpenID Connect provider for Node.js. Currently only supports features needed for Atproto.",
+  "keywords": [
+    "atproto",
+    "oauth",
+    "oauth2",
+    "open id connect",
+    "oidc",
+    "provider",
+    "oidc provider"
+  ],
+  "homepage": "https://atproto.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/bluesky-social/atproto",
+    "directory": "packages/oauth/oauth-provider"
+  },
+  "type": "commonjs",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "dependencies": {
+    "@hapi/accept": "^6.0.3",
+    "@hapi/bourne": "^3.0.0",
+    "cookie": "^0.6.0",
+    "http-errors": "^2.0.0",
+    "ioredis": "^5.3.2",
+    "jose": "^5.2.0",
+    "keygrip": "^1.1.0",
+    "oidc-token-hash": "^5.0.3",
+    "psl": "^1.9.0",
+    "zod": "^3.23.8",
+    "@atproto-labs/fetch": "0.1.0",
+    "@atproto-labs/fetch-node": "0.1.0",
+    "@atproto-labs/pipe": "0.1.0",
+    "@atproto-labs/simple-store": "0.1.0",
+    "@atproto-labs/simple-store-memory": "0.1.0",
+    "@atproto/jwk": "0.1.0",
+    "@atproto/jwk-jose": "0.1.0",
+    "@atproto/oauth-types": "0.1.0"
+  },
+  "devDependencies": {
+    "@rollup/plugin-commonjs": "^25.0.7",
+    "@rollup/plugin-node-resolve": "^15.2.3",
+    "@rollup/plugin-replace": "^5.0.5",
+    "@rollup/plugin-terser": "^0.4.4",
+    "@rollup/plugin-typescript": "^11.1.6",
+    "@types/cookie": "^0.6.0",
+    "@types/keygrip": "^1.0.6",
+    "@types/psl": "1.1.3",
+    "@types/react": "^18.2.50",
+    "@types/react-dom": "^18.2.18",
+    "@types/send": "^0.17.4",
+    "@web/rollup-plugin-import-meta-assets": "^2.2.1",
+    "autoprefixer": "^10.4.17",
+    "postcss": "^8.4.33",
+    "react": "^18.2.0",
+    "react-dom": "^18.2.0",
+    "rollup": "^4.13.0",
+    "rollup-plugin-postcss": "^4.0.2",
+    "tailwindcss": "^3.4.1",
+    "typescript": "^5.3.3",
+    "@atproto-labs/rollup-plugin-bundle-manifest": "0.1.0"
+  },
+  "optionalDependencies": {
+    "ioredis": "^5.3.2",
+    "keygrip": "^1.1.0"
+  },
+  "scripts": {
+    "build:frontend": "rollup --config rollup.config.js",
+    "build:backend": "tsc --build --force tsconfig.backend.json",
+    "build": "pnpm --parallel --stream '/^build:.+$/'",
+    "dev": "rollup --config rollup.config.js --watch"
+  }
+}

package/rollup.config.js

@@ -0,0 +1,55 @@
+/* eslint-env node */
+
+const { defineConfig } = require('rollup')
+
+const {
+  default: manifest,
+} = require('@atproto-labs/rollup-plugin-bundle-manifest')
+const { default: commonjs } = require('@rollup/plugin-commonjs')
+const { default: nodeResolve } = require('@rollup/plugin-node-resolve')
+const { default: replace } = require('@rollup/plugin-replace')
+const { default: terser } = require('@rollup/plugin-terser')
+const { default: typescript } = require('@rollup/plugin-typescript')
+const postcss = ((m) => m.default || m)(require('rollup-plugin-postcss'))
+
+module.exports = defineConfig((commandLineArguments) => {
+  const NODE_ENV =
+    process.env['NODE_ENV'] ??
+    (commandLineArguments.watch ? 'development' : 'production')
+
+  const minify = NODE_ENV !== 'development'
+
+  return {
+    input: 'src/assets/app/main.tsx',
+    output: {
+      manualChunks: undefined,
+      sourcemap: true,
+      file: 'dist/assets/app/main.js',
+      format: 'iife',
+    },
+    plugins: [
+      nodeResolve({ preferBuiltins: false, browser: true }),
+      commonjs(),
+      postcss({ config: true, extract: true, minimize: minify }),
+      typescript({
+        tsconfig: './tsconfig.frontend.json',
+        outputToFilesystem: true,
+      }),
+      replace({
+        preventAssignment: true,
+        values: { 'process.env.NODE_ENV': JSON.stringify(NODE_ENV) },
+      }),
+      // Change `data` to `true` to include assets data in the manifest,
+      // allowing for easier bundling of the backend code (eg. using esbuild) as
+      // bundlers know how to bundle JSON files but not how to bundle assets
+      // referenced at runtime.
+      manifest({ data: false }),
+      minify && terser({}),
+    ],
+    onwarn(warning, warn) {
+      // 'use client' directives are fine
+      if (warning.code === 'MODULE_LEVEL_DIRECTIVE') return
+      warn(warning)
+    },
+  }
+})

package/src/access-token/access-token-type.ts

@@ -0,0 +1,5 @@
+export enum AccessTokenType {
+  auto = 'auto',
+  jwt = 'jwt',
+  id = 'id',
+}

package/src/account/account-manager.ts

@@ -0,0 +1,55 @@
+import { isOAuthClientIdLoopback } from '@atproto/oauth-types'
+import { Client } from '../client/client.js'
+import { DeviceId } from '../device/device-id.js'
+import { constantTime } from '../lib/util/time.js'
+import { InvalidRequestError } from '../oauth-errors.js'
+import { Sub } from '../oidc/sub.js'
+import { ClientAuth } from '../token/token-store.js'
+import {
+  Account,
+  AccountInfo,
+  AccountStore,
+  LoginCredentials,
+} from './account-store.js'
+
+const TIMING_ATTACK_MITIGATION_DELAY = 400
+
+export class AccountManager {
+  constructor(protected readonly store: AccountStore) {}
+
+  public async signIn(
+    credentials: LoginCredentials,
+    deviceId: DeviceId,
+  ): Promise<AccountInfo> {
+    return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {
+      const result = await this.store.authenticateAccount(credentials, deviceId)
+      if (result) return result
+
+      throw new InvalidRequestError('Invalid credentials')
+    })
+  }
+
+  public async get(deviceId: DeviceId, sub: Sub): Promise<AccountInfo> {
+    const result = await this.store.getDeviceAccount(deviceId, sub)
+    if (result) return result
+
+    throw new InvalidRequestError(`Account not found`)
+  }
+
+  public async addAuthorizedClient(
+    deviceId: DeviceId,
+    account: Account,
+    client: Client,
+    _clientAuth: ClientAuth,
+  ): Promise<void> {
+    // "Loopback" clients are not distinguishable from one another.
+    if (isOAuthClientIdLoopback(client.id)) return
+
+    await this.store.addAuthorizedClient(deviceId, account.sub, client.id)
+  }
+
+  public async list(deviceId: DeviceId): Promise<AccountInfo[]> {
+    const results = await this.store.listDeviceAccounts(deviceId)
+    return results.filter((result) => result.info.remembered)
+  }
+}