npm - @atproto/oauth-provider - Versions diffs - 0.1.0 - Mend

@atproto/oauth-provider 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (631) hide show

package/.postcssrc.yml +3 -0
package/CHANGELOG.md +19 -0
package/LICENSE.txt +7 -0
package/dist/access-token/access-token-type.d.ts +6 -0
package/dist/access-token/access-token-type.d.ts.map +1 -0
package/dist/access-token/access-token-type.js +10 -0
package/dist/access-token/access-token-type.js.map +1 -0
package/dist/account/account-manager.d.ts +14 -0
package/dist/account/account-manager.d.ts.map +1 -0
package/dist/account/account-manager.js +39 -0
package/dist/account/account-manager.js.map +1 -0
package/dist/account/account-store.d.ts +39 -0
package/dist/account/account-store.d.ts.map +1 -0
package/dist/account/account-store.js +19 -0
package/dist/account/account-store.js.map +1 -0
package/dist/account/account.d.ts +8 -0
package/dist/account/account.d.ts.map +1 -0
package/dist/account/account.js +3 -0
package/dist/account/account.js.map +1 -0
package/dist/assets/app/bundle-manifest.json +22 -0
package/dist/assets/app/main.css +3 -0
package/dist/assets/app/main.js +20 -0
package/dist/assets/app/main.js.map +1 -0
package/dist/assets/asset.d.ts +9 -0
package/dist/assets/asset.d.ts.map +1 -0
package/dist/assets/asset.js +3 -0
package/dist/assets/asset.js.map +1 -0
package/dist/assets/assets-middleware.d.ts +2 -0
package/dist/assets/assets-middleware.d.ts.map +1 -0
package/dist/assets/assets-middleware.js +30 -0
package/dist/assets/assets-middleware.js.map +1 -0
package/dist/assets/index.d.ts +4 -0
package/dist/assets/index.d.ts.map +1 -0
package/dist/assets/index.js +65 -0
package/dist/assets/index.js.map +1 -0
package/dist/client/client-auth.d.ts +13 -0
package/dist/client/client-auth.d.ts.map +1 -0
package/dist/client/client-auth.js +35 -0
package/dist/client/client-auth.js.map +1 -0
package/dist/client/client-data.d.ts +8 -0
package/dist/client/client-data.d.ts.map +1 -0
package/dist/client/client-data.js +3 -0
package/dist/client/client-data.js.map +1 -0
package/dist/client/client-id.d.ts +4 -0
package/dist/client/client-id.d.ts.map +1 -0
package/dist/client/client-id.js +6 -0
package/dist/client/client-id.js.map +1 -0
package/dist/client/client-info.d.ts +13 -0
package/dist/client/client-info.d.ts.map +1 -0
package/dist/client/client-info.js +3 -0
package/dist/client/client-info.js.map +1 -0
package/dist/client/client-manager.d.ts +38 -0
package/dist/client/client-manager.d.ts.map +1 -0
package/dist/client/client-manager.js +534 -0
package/dist/client/client-manager.js.map +1 -0
package/dist/client/client-store.d.ts +13 -0
package/dist/client/client-store.d.ts.map +1 -0
package/dist/client/client-store.js +39 -0
package/dist/client/client-store.js.map +1 -0
package/dist/client/client-utils.d.ts +6 -0
package/dist/client/client-utils.d.ts.map +1 -0
package/dist/client/client-utils.js +40 -0
package/dist/client/client-utils.js.map +1 -0
package/dist/client/client.d.ts +41 -0
package/dist/client/client.d.ts.map +1 -0
package/dist/client/client.js +163 -0
package/dist/client/client.js.map +1 -0
package/dist/constants.d.ts +42 -0
package/dist/constants.d.ts.map +1 -0
package/dist/constants.js +53 -0
package/dist/constants.js.map +1 -0
package/dist/device/device-data.d.ts +20 -0
package/dist/device/device-data.d.ts.map +1 -0
package/dist/device/device-data.js +11 -0
package/dist/device/device-data.js.map +1 -0
package/dist/device/device-details.d.ts +17 -0
package/dist/device/device-details.d.ts.map +1 -0
package/dist/device/device-details.js +34 -0
package/dist/device/device-details.js.map +1 -0
package/dist/device/device-id.d.ts +6 -0
package/dist/device/device-id.d.ts.map +1 -0
package/dist/device/device-id.js +18 -0
package/dist/device/device-id.js.map +1 -0
package/dist/device/device-manager.d.ts +88 -0
package/dist/device/device-manager.d.ts.map +1 -0
package/dist/device/device-manager.js +206 -0
package/dist/device/device-manager.js.map +1 -0
package/dist/device/device-store.d.ts +15 -0
package/dist/device/device-store.d.ts.map +1 -0
package/dist/device/device-store.js +36 -0
package/dist/device/device-store.js.map +1 -0
package/dist/device/session-id.d.ts +6 -0
package/dist/device/session-id.d.ts.map +1 -0
package/dist/device/session-id.js +18 -0
package/dist/device/session-id.js.map +1 -0
package/dist/dpop/dpop-manager.d.ts +33 -0
package/dist/dpop/dpop-manager.d.ts.map +1 -0
package/dist/dpop/dpop-manager.js +115 -0
package/dist/dpop/dpop-manager.js.map +1 -0
package/dist/dpop/dpop-nonce.d.ts +13 -0
package/dist/dpop/dpop-nonce.d.ts.map +1 -0
package/dist/dpop/dpop-nonce.js +94 -0
package/dist/dpop/dpop-nonce.js.map +1 -0
package/dist/errors/access-denied-error.d.ts +8 -0
package/dist/errors/access-denied-error.d.ts.map +1 -0
package/dist/errors/access-denied-error.js +21 -0
package/dist/errors/access-denied-error.js.map +1 -0
package/dist/errors/account-selection-required-error.d.ts +6 -0
package/dist/errors/account-selection-required-error.d.ts.map +1 -0
package/dist/errors/account-selection-required-error.js +11 -0
package/dist/errors/account-selection-required-error.js.map +1 -0
package/dist/errors/consent-required-error.d.ts +6 -0
package/dist/errors/consent-required-error.d.ts.map +1 -0
package/dist/errors/consent-required-error.js +11 -0
package/dist/errors/consent-required-error.js.map +1 -0
package/dist/errors/invalid-authorization-details-error.d.ts +20 -0
package/dist/errors/invalid-authorization-details-error.d.ts.map +1 -0
package/dist/errors/invalid-authorization-details-error.js +26 -0
package/dist/errors/invalid-authorization-details-error.js.map +1 -0
package/dist/errors/invalid-client-error.d.ts +18 -0
package/dist/errors/invalid-client-error.d.ts.map +1 -0
package/dist/errors/invalid-client-error.js +24 -0
package/dist/errors/invalid-client-error.js.map +1 -0
package/dist/errors/invalid-client-id-error.d.ts +13 -0
package/dist/errors/invalid-client-id-error.d.ts.map +1 -0
package/dist/errors/invalid-client-id-error.js +25 -0
package/dist/errors/invalid-client-id-error.js.map +1 -0
package/dist/errors/invalid-client-metadata-error.d.ts +13 -0
package/dist/errors/invalid-client-metadata-error.d.ts.map +1 -0
package/dist/errors/invalid-client-metadata-error.js +23 -0
package/dist/errors/invalid-client-metadata-error.js.map +1 -0
package/dist/errors/invalid-dpop-key-binding-error.d.ts +12 -0
package/dist/errors/invalid-dpop-key-binding-error.d.ts.map +1 -0
package/dist/errors/invalid-dpop-key-binding-error.js +20 -0
package/dist/errors/invalid-dpop-key-binding-error.js.map +1 -0
package/dist/errors/invalid-dpop-proof-error.d.ts +5 -0
package/dist/errors/invalid-dpop-proof-error.d.ts.map +1 -0
package/dist/errors/invalid-dpop-proof-error.js +12 -0
package/dist/errors/invalid-dpop-proof-error.js.map +1 -0
package/dist/errors/invalid-grant-error.d.ts +14 -0
package/dist/errors/invalid-grant-error.d.ts.map +1 -0
package/dist/errors/invalid-grant-error.js +20 -0
package/dist/errors/invalid-grant-error.js.map +1 -0
package/dist/errors/invalid-parameters-error.d.ts +6 -0
package/dist/errors/invalid-parameters-error.d.ts.map +1 -0
package/dist/errors/invalid-parameters-error.js +11 -0
package/dist/errors/invalid-parameters-error.js.map +1 -0
package/dist/errors/invalid-redirect-uri-error.d.ts +11 -0
package/dist/errors/invalid-redirect-uri-error.d.ts.map +1 -0
package/dist/errors/invalid-redirect-uri-error.js +21 -0
package/dist/errors/invalid-redirect-uri-error.js.map +1 -0
package/dist/errors/invalid-request-error.d.ts +28 -0
package/dist/errors/invalid-request-error.d.ts.map +1 -0
package/dist/errors/invalid-request-error.js +34 -0
package/dist/errors/invalid-request-error.js.map +1 -0
package/dist/errors/invalid-token-error.d.ts +16 -0
package/dist/errors/invalid-token-error.d.ts.map +1 -0
package/dist/errors/invalid-token-error.js +45 -0
package/dist/errors/invalid-token-error.js.map +1 -0
package/dist/errors/login-required-error.d.ts +6 -0
package/dist/errors/login-required-error.d.ts.map +1 -0
package/dist/errors/login-required-error.js +11 -0
package/dist/errors/login-required-error.js.map +1 -0
package/dist/errors/oauth-error.d.ts +13 -0
package/dist/errors/oauth-error.d.ts.map +1 -0
package/dist/errors/oauth-error.js +29 -0
package/dist/errors/oauth-error.js.map +1 -0
package/dist/errors/unauthorized-client-error.d.ts +18 -0
package/dist/errors/unauthorized-client-error.d.ts.map +1 -0
package/dist/errors/unauthorized-client-error.js +24 -0
package/dist/errors/unauthorized-client-error.js.map +1 -0
package/dist/errors/use-dpop-nonce-error.d.ts +18 -0
package/dist/errors/use-dpop-nonce-error.d.ts.map +1 -0
package/dist/errors/use-dpop-nonce-error.js +27 -0
package/dist/errors/use-dpop-nonce-error.js.map +1 -0
package/dist/errors/www-authenticate-error.d.ts +9 -0
package/dist/errors/www-authenticate-error.d.ts.map +1 -0
package/dist/errors/www-authenticate-error.js +46 -0
package/dist/errors/www-authenticate-error.js.map +1 -0
package/dist/index.d.ts +14 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +31 -0
package/dist/index.js.map +1 -0
package/dist/lib/html/build-document.d.ts +32 -0
package/dist/lib/html/build-document.d.ts.map +1 -0
package/dist/lib/html/build-document.js +61 -0
package/dist/lib/html/build-document.js.map +1 -0
package/dist/lib/html/escapers.d.ts +9 -0
package/dist/lib/html/escapers.d.ts.map +1 -0
package/dist/lib/html/escapers.js +66 -0
package/dist/lib/html/escapers.js.map +1 -0
package/dist/lib/html/html.d.ts +13 -0
package/dist/lib/html/html.d.ts.map +1 -0
package/dist/lib/html/html.js +53 -0
package/dist/lib/html/html.js.map +1 -0
package/dist/lib/html/index.d.ts +4 -0
package/dist/lib/html/index.d.ts.map +1 -0
package/dist/lib/html/index.js +21 -0
package/dist/lib/html/index.js.map +1 -0
package/dist/lib/html/tags.d.ts +34 -0
package/dist/lib/html/tags.d.ts.map +1 -0
package/dist/lib/html/tags.js +47 -0
package/dist/lib/html/tags.js.map +1 -0
package/dist/lib/html/util.d.ts +4 -0
package/dist/lib/html/util.d.ts.map +1 -0
package/dist/lib/html/util.js +20 -0
package/dist/lib/html/util.js.map +1 -0
package/dist/lib/http/accept.d.ts +29 -0
package/dist/lib/http/accept.d.ts.map +1 -0
package/dist/lib/http/accept.js +67 -0
package/dist/lib/http/accept.js.map +1 -0
package/dist/lib/http/context.d.ts +5 -0
package/dist/lib/http/context.d.ts.map +1 -0
package/dist/lib/http/context.js +10 -0
package/dist/lib/http/context.js.map +1 -0
package/dist/lib/http/index.d.ts +10 -0
package/dist/lib/http/index.d.ts.map +1 -0
package/dist/lib/http/index.js +26 -0
package/dist/lib/http/index.js.map +1 -0
package/dist/lib/http/method.d.ts +6 -0
package/dist/lib/http/method.d.ts.map +1 -0
package/dist/lib/http/method.js +19 -0
package/dist/lib/http/method.js.map +1 -0
package/dist/lib/http/middleware.d.ts +18 -0
package/dist/lib/http/middleware.d.ts.map +1 -0
package/dist/lib/http/middleware.js +118 -0
package/dist/lib/http/middleware.js.map +1 -0
package/dist/lib/http/parser.d.ts +33 -0
package/dist/lib/http/parser.d.ts.map +1 -0
package/dist/lib/http/parser.js +48 -0
package/dist/lib/http/parser.js.map +1 -0
package/dist/lib/http/path.d.ts +9 -0
package/dist/lib/http/path.d.ts.map +1 -0
package/dist/lib/http/path.js +54 -0
package/dist/lib/http/path.js.map +1 -0
package/dist/lib/http/request.d.ts +33 -0
package/dist/lib/http/request.d.ts.map +1 -0
package/dist/lib/http/request.js +86 -0
package/dist/lib/http/request.js.map +1 -0
package/dist/lib/http/response.d.ts +13 -0
package/dist/lib/http/response.d.ts.map +1 -0
package/dist/lib/http/response.js +98 -0
package/dist/lib/http/response.js.map +1 -0
package/dist/lib/http/route.d.ts +25 -0
package/dist/lib/http/route.d.ts.map +1 -0
package/dist/lib/http/route.js +39 -0
package/dist/lib/http/route.js.map +1 -0
package/dist/lib/http/router.d.ts +32 -0
package/dist/lib/http/router.d.ts.map +1 -0
package/dist/lib/http/router.js +74 -0
package/dist/lib/http/router.js.map +1 -0
package/dist/lib/http/stream.d.ts +13 -0
package/dist/lib/http/stream.d.ts.map +1 -0
package/dist/lib/http/stream.js +46 -0
package/dist/lib/http/stream.js.map +1 -0
package/dist/lib/http/types.d.ts +7 -0
package/dist/lib/http/types.d.ts.map +1 -0
package/dist/lib/http/types.js +3 -0
package/dist/lib/http/types.js.map +1 -0
package/dist/lib/http/url.d.ts +8 -0
package/dist/lib/http/url.d.ts.map +1 -0
package/dist/lib/http/url.js +22 -0
package/dist/lib/http/url.js.map +1 -0
package/dist/lib/redis.d.ts +5 -0
package/dist/lib/redis.d.ts.map +1 -0
package/dist/lib/redis.js +22 -0
package/dist/lib/redis.js.map +1 -0
package/dist/lib/util/authorization-header.d.ts +4 -0
package/dist/lib/util/authorization-header.d.ts.map +1 -0
package/dist/lib/util/authorization-header.js +23 -0
package/dist/lib/util/authorization-header.js.map +1 -0
package/dist/lib/util/cast.d.ts +2 -0
package/dist/lib/util/cast.d.ts.map +1 -0
package/dist/lib/util/cast.js +10 -0
package/dist/lib/util/cast.js.map +1 -0
package/dist/lib/util/crypto.d.ts +3 -0
package/dist/lib/util/crypto.d.ts.map +1 -0
package/dist/lib/util/crypto.js +29 -0
package/dist/lib/util/crypto.js.map +1 -0
package/dist/lib/util/date.d.ts +3 -0
package/dist/lib/util/date.d.ts.map +1 -0
package/dist/lib/util/date.js +12 -0
package/dist/lib/util/date.js.map +1 -0
package/dist/lib/util/hostname.d.ts +6 -0
package/dist/lib/util/hostname.d.ts.map +1 -0
package/dist/lib/util/hostname.js +24 -0
package/dist/lib/util/hostname.js.map +1 -0
package/dist/lib/util/redirect-uri.d.ts +7 -0
package/dist/lib/util/redirect-uri.d.ts.map +1 -0
package/dist/lib/util/redirect-uri.js +44 -0
package/dist/lib/util/redirect-uri.js.map +1 -0
package/dist/lib/util/time.d.ts +6 -0
package/dist/lib/util/time.d.ts.map +1 -0
package/dist/lib/util/time.js +28 -0
package/dist/lib/util/time.js.map +1 -0
package/dist/lib/util/type.d.ts +6 -0
package/dist/lib/util/type.d.ts.map +1 -0
package/dist/lib/util/type.js +3 -0
package/dist/lib/util/type.js.map +1 -0
package/dist/lib/util/well-known.d.ts +3 -0
package/dist/lib/util/well-known.d.ts.map +1 -0
package/dist/lib/util/well-known.js +11 -0
package/dist/lib/util/well-known.js.map +1 -0
package/dist/metadata/build-metadata.d.ts +14 -0
package/dist/metadata/build-metadata.d.ts.map +1 -0
package/dist/metadata/build-metadata.js +132 -0
package/dist/metadata/build-metadata.js.map +1 -0
package/dist/oauth-client.d.ts +4 -0
package/dist/oauth-client.d.ts.map +1 -0
package/dist/oauth-client.js +19 -0
package/dist/oauth-client.js.map +1 -0
package/dist/oauth-dpop.d.ts +3 -0
package/dist/oauth-dpop.d.ts.map +1 -0
package/dist/oauth-dpop.js +19 -0
package/dist/oauth-dpop.js.map +1 -0
package/dist/oauth-errors.d.ts +20 -0
package/dist/oauth-errors.d.ts.map +1 -0
package/dist/oauth-errors.js +43 -0
package/dist/oauth-errors.js.map +1 -0
package/dist/oauth-hooks.d.ts +42 -0
package/dist/oauth-hooks.d.ts.map +1 -0
package/dist/oauth-hooks.js +3 -0
package/dist/oauth-hooks.js.map +1 -0
package/dist/oauth-provider.d.ts +179 -0
package/dist/oauth-provider.d.ts.map +1 -0
package/dist/oauth-provider.js +748 -0
package/dist/oauth-provider.js.map +1 -0
package/dist/oauth-store.d.ts +11 -0
package/dist/oauth-store.d.ts.map +1 -0
package/dist/oauth-store.js +27 -0
package/dist/oauth-store.js.map +1 -0
package/dist/oauth-verifier.d.ts +66 -0
package/dist/oauth-verifier.d.ts.map +1 -0
package/dist/oauth-verifier.js +94 -0
package/dist/oauth-verifier.js.map +1 -0
package/dist/oidc/claims.d.ts +16 -0
package/dist/oidc/claims.d.ts.map +1 -0
package/dist/oidc/claims.js +29 -0
package/dist/oidc/claims.js.map +1 -0
package/dist/oidc/sub.d.ts +4 -0
package/dist/oidc/sub.d.ts.map +1 -0
package/dist/oidc/sub.js +6 -0
package/dist/oidc/sub.js.map +1 -0
package/dist/oidc/userinfo.d.ts +7 -0
package/dist/oidc/userinfo.d.ts.map +1 -0
package/dist/oidc/userinfo.js +3 -0
package/dist/oidc/userinfo.js.map +1 -0
package/dist/output/build-error-payload.d.ts +6 -0
package/dist/output/build-error-payload.d.ts.map +1 -0
package/dist/output/build-error-payload.js +108 -0
package/dist/output/build-error-payload.js.map +1 -0
package/dist/output/customization.d.ts +37 -0
package/dist/output/customization.d.ts.map +1 -0
package/dist/output/customization.js +62 -0
package/dist/output/customization.js.map +1 -0
package/dist/output/send-authorize-page.d.ts +43 -0
package/dist/output/send-authorize-page.d.ts.map +1 -0
package/dist/output/send-authorize-page.js +49 -0
package/dist/output/send-authorize-page.js.map +1 -0
package/dist/output/send-authorize-redirect.d.ts +25 -0
package/dist/output/send-authorize-redirect.d.ts.map +1 -0
package/dist/output/send-authorize-redirect.js +72 -0
package/dist/output/send-authorize-redirect.js.map +1 -0
package/dist/output/send-error-page.d.ts +5 -0
package/dist/output/send-error-page.d.ts.map +1 -0
package/dist/output/send-error-page.js +31 -0
package/dist/output/send-error-page.js.map +1 -0
package/dist/output/send-web-page.d.ts +8 -0
package/dist/output/send-web-page.d.ts.map +1 -0
package/dist/output/send-web-page.js +48 -0
package/dist/output/send-web-page.js.map +1 -0
package/dist/parameters/claims-requested.d.ts +3 -0
package/dist/parameters/claims-requested.d.ts.map +1 -0
package/dist/parameters/claims-requested.js +77 -0
package/dist/parameters/claims-requested.js.map +1 -0
package/dist/parameters/oidc-payload.d.ts +31 -0
package/dist/parameters/oidc-payload.d.ts.map +1 -0
package/dist/parameters/oidc-payload.js +25 -0
package/dist/parameters/oidc-payload.js.map +1 -0
package/dist/replay/replay-manager.d.ts +10 -0
package/dist/replay/replay-manager.d.ts.map +1 -0
package/dist/replay/replay-manager.js +23 -0
package/dist/replay/replay-manager.js.map +1 -0
package/dist/replay/replay-store-memory.d.ts +11 -0
package/dist/replay/replay-store-memory.d.ts.map +1 -0
package/dist/replay/replay-store-memory.js +30 -0
package/dist/replay/replay-store-memory.js.map +1 -0
package/dist/replay/replay-store-redis.d.ts +16 -0
package/dist/replay/replay-store-redis.d.ts.map +1 -0
package/dist/replay/replay-store-redis.js +20 -0
package/dist/replay/replay-store-redis.js.map +1 -0
package/dist/replay/replay-store.d.ts +16 -0
package/dist/replay/replay-store.d.ts.map +1 -0
package/dist/replay/replay-store.js +22 -0
package/dist/replay/replay-store.js.map +1 -0
package/dist/request/code.d.ts +7 -0
package/dist/request/code.d.ts.map +1 -0
package/dist/request/code.js +20 -0
package/dist/request/code.js.map +1 -0
package/dist/request/request-data.d.ts +21 -0
package/dist/request/request-data.d.ts.map +1 -0
package/dist/request/request-data.js +6 -0
package/dist/request/request-data.js.map +1 -0
package/dist/request/request-id.d.ts +6 -0
package/dist/request/request-id.d.ts.map +1 -0
package/dist/request/request-id.js +18 -0
package/dist/request/request-id.js.map +1 -0
package/dist/request/request-info.d.ts +12 -0
package/dist/request/request-info.d.ts.map +1 -0
package/dist/request/request-info.js +3 -0
package/dist/request/request-info.js.map +1 -0
package/dist/request/request-manager.d.ts +40 -0
package/dist/request/request-manager.d.ts.map +1 -0
package/dist/request/request-manager.js +310 -0
package/dist/request/request-manager.js.map +1 -0
package/dist/request/request-store-memory.d.ts +16 -0
package/dist/request/request-store-memory.d.ts.map +1 -0
package/dist/request/request-store-memory.js +31 -0
package/dist/request/request-store-memory.js.map +1 -0
package/dist/request/request-store-redis.d.ts +24 -0
package/dist/request/request-store-redis.d.ts.map +1 -0
package/dist/request/request-store-redis.js +58 -0
package/dist/request/request-store-redis.js.map +1 -0
package/dist/request/request-store.d.ts +27 -0
package/dist/request/request-store.d.ts.map +1 -0
package/dist/request/request-store.js +37 -0
package/dist/request/request-store.js.map +1 -0
package/dist/request/request-uri.d.ts +8 -0
package/dist/request/request-uri.d.ts.map +1 -0
package/dist/request/request-uri.js +24 -0
package/dist/request/request-uri.js.map +1 -0
package/dist/request/types.d.ts +328 -0
package/dist/request/types.d.ts.map +1 -0
package/dist/request/types.js +27 -0
package/dist/request/types.js.map +1 -0
package/dist/signer/signed-token-payload.d.ts +1694 -0
package/dist/signer/signed-token-payload.d.ts.map +1 -0
package/dist/signer/signed-token-payload.js +32 -0
package/dist/signer/signed-token-payload.js.map +1 -0
package/dist/signer/signer.d.ts +193 -0
package/dist/signer/signer.d.ts.map +1 -0
package/dist/signer/signer.js +101 -0
package/dist/signer/signer.js.map +1 -0
package/dist/token/refresh-token.d.ts +7 -0
package/dist/token/refresh-token.d.ts.map +1 -0
package/dist/token/refresh-token.js +20 -0
package/dist/token/refresh-token.js.map +1 -0
package/dist/token/token-claims.d.ts +1687 -0
package/dist/token/token-claims.d.ts.map +1 -0
package/dist/token/token-claims.js +30 -0
package/dist/token/token-claims.js.map +1 -0
package/dist/token/token-data.d.ts +20 -0
package/dist/token/token-data.d.ts.map +1 -0
package/dist/token/token-data.js +3 -0
package/dist/token/token-data.js.map +1 -0
package/dist/token/token-id.d.ts +7 -0
package/dist/token/token-id.d.ts.map +1 -0
package/dist/token/token-id.js +20 -0
package/dist/token/token-id.js.map +1 -0
package/dist/token/token-manager.d.ts +48 -0
package/dist/token/token-manager.d.ts.map +1 -0
package/dist/token/token-manager.js +421 -0
package/dist/token/token-manager.js.map +1 -0
package/dist/token/token-store.d.ts +35 -0
package/dist/token/token-store.d.ts.map +1 -0
package/dist/token/token-store.js +38 -0
package/dist/token/token-store.js.map +1 -0
package/dist/token/types.d.ts +250 -0
package/dist/token/types.d.ts.map +1 -0
package/dist/token/types.js +36 -0
package/dist/token/types.js.map +1 -0
package/dist/token/verify-token-claims.d.ts +17 -0
package/dist/token/verify-token-claims.d.ts.map +1 -0
package/dist/token/verify-token-claims.js +39 -0
package/dist/token/verify-token-claims.js.map +1 -0
package/package.json +83 -0
package/rollup.config.js +55 -0
package/src/access-token/access-token-type.ts +5 -0
package/src/account/account-manager.ts +55 -0
package/src/account/account-store.ts +74 -0
package/src/account/account.ts +10 -0
package/src/assets/app/app.tsx +28 -0
package/src/assets/app/backend-data.ts +65 -0
package/src/assets/app/components/accept-form.tsx +112 -0
package/src/assets/app/components/account-identifier.tsx +18 -0
package/src/assets/app/components/account-picker.tsx +108 -0
package/src/assets/app/components/client-identifier.tsx +32 -0
package/src/assets/app/components/client-name.tsx +30 -0
package/src/assets/app/components/error-card.tsx +41 -0
package/src/assets/app/components/help-card.tsx +42 -0
package/src/assets/app/components/layout-title-page.tsx +43 -0
package/src/assets/app/components/layout-welcome.tsx +58 -0
package/src/assets/app/components/sign-in-form.tsx +290 -0
package/src/assets/app/components/sign-up-account-form.tsx +210 -0
package/src/assets/app/components/sign-up-disclaimer.tsx +44 -0
package/src/assets/app/components/url-viewer.tsx +70 -0
package/src/assets/app/cookies.ts +11 -0
package/src/assets/app/hooks/use-api.ts +104 -0
package/src/assets/app/hooks/use-bound-dispatch.ts +5 -0
package/src/assets/app/hooks/use-csrf-token.ts +5 -0
package/src/assets/app/lib/api.ts +64 -0
package/src/assets/app/lib/clsx.ts +4 -0
package/src/assets/app/lib/util.ts +10 -0
package/src/assets/app/main.css +11 -0
package/src/assets/app/main.tsx +28 -0
package/src/assets/app/views/accept-view.tsx +51 -0
package/src/assets/app/views/authorize-view.tsx +101 -0
package/src/assets/app/views/error-view.tsx +27 -0
package/src/assets/app/views/sign-in-view.tsx +121 -0
package/src/assets/app/views/sign-up-view.tsx +93 -0
package/src/assets/app/views/welcome-view.tsx +61 -0
package/src/assets/asset.ts +8 -0
package/src/assets/assets-middleware.ts +32 -0
package/src/assets/index.ts +74 -0
package/src/client/client-auth.ts +45 -0
package/src/client/client-data.ts +9 -0
package/src/client/client-id.ts +4 -0
package/src/client/client-info.ts +13 -0
package/src/client/client-manager.ts +818 -0
package/src/client/client-store.ts +38 -0
package/src/client/client-utils.ts +43 -0
package/src/client/client.ts +231 -0
package/src/constants.ts +69 -0
package/src/device/device-data.ts +11 -0
package/src/device/device-details.ts +43 -0
package/src/device/device-id.ts +23 -0
package/src/device/device-manager.ts +287 -0
package/src/device/device-store.ts +35 -0
package/src/device/session-id.ts +22 -0
package/src/dpop/dpop-manager.ts +147 -0
package/src/dpop/dpop-nonce.ts +104 -0
package/src/errors/access-denied-error.ts +26 -0
package/src/errors/account-selection-required-error.ts +12 -0
package/src/errors/consent-required-error.ts +12 -0
package/src/errors/invalid-authorization-details-error.ts +22 -0
package/src/errors/invalid-client-error.ts +20 -0
package/src/errors/invalid-client-id-error.ts +20 -0
package/src/errors/invalid-client-metadata-error.ts +19 -0
package/src/errors/invalid-dpop-key-binding-error.ts +21 -0
package/src/errors/invalid-dpop-proof-error.ts +13 -0
package/src/errors/invalid-grant-error.ts +16 -0
package/src/errors/invalid-parameters-error.ts +12 -0
package/src/errors/invalid-redirect-uri-error.ts +17 -0
package/src/errors/invalid-request-error.ts +30 -0
package/src/errors/invalid-token-error.ts +59 -0
package/src/errors/login-required-error.ts +12 -0
package/src/errors/oauth-error.ts +28 -0
package/src/errors/unauthorized-client-error.ts +20 -0
package/src/errors/use-dpop-nonce-error.ts +32 -0
package/src/errors/www-authenticate-error.ts +65 -0
package/src/index.ts +15 -0
package/src/lib/html/README.md +9 -0
package/src/lib/html/build-document.ts +98 -0
package/src/lib/html/escapers.ts +66 -0
package/src/lib/html/html.ts +61 -0
package/src/lib/html/index.ts +5 -0
package/src/lib/html/tags.ts +58 -0
package/src/lib/html/util.ts +21 -0
package/src/lib/http/README.md +11 -0
package/src/lib/http/accept.ts +91 -0
package/src/lib/http/context.ts +11 -0
package/src/lib/http/index.ts +9 -0
package/src/lib/http/method.ts +18 -0
package/src/lib/http/middleware.ts +183 -0
package/src/lib/http/parser.ts +64 -0
package/src/lib/http/path.ts +82 -0
package/src/lib/http/request.ts +141 -0
package/src/lib/http/response.ts +133 -0
package/src/lib/http/route.ts +56 -0
package/src/lib/http/router.ts +118 -0
package/src/lib/http/stream.ts +78 -0
package/src/lib/http/types.ts +22 -0
package/src/lib/http/url.ts +23 -0
package/src/lib/redis.ts +23 -0
package/src/lib/util/authorization-header.ts +26 -0
package/src/lib/util/cast.ts +4 -0
package/src/lib/util/crypto.ts +27 -0
package/src/lib/util/date.ts +7 -0
package/src/lib/util/hostname.ts +19 -0
package/src/lib/util/redirect-uri.ts +46 -0
package/src/lib/util/time.ts +33 -0
package/src/lib/util/type.ts +4 -0
package/src/lib/util/well-known.ts +8 -0
package/src/metadata/build-metadata.ts +165 -0
package/src/oauth-client.ts +3 -0
package/src/oauth-dpop.ts +2 -0
package/src/oauth-errors.ts +21 -0
package/src/oauth-hooks.ts +66 -0
package/src/oauth-provider.ts +1409 -0
package/src/oauth-store.ts +11 -0
package/src/oauth-verifier.ts +219 -0
package/src/oidc/claims.ts +35 -0
package/src/oidc/sub.ts +4 -0
package/src/oidc/userinfo.ts +11 -0
package/src/output/build-error-payload.ts +143 -0
package/src/output/customization.ts +96 -0
package/src/output/send-authorize-page.ts +111 -0
package/src/output/send-authorize-redirect.ts +130 -0
package/src/output/send-error-page.ts +41 -0
package/src/output/send-web-page.ts +66 -0
package/src/parameters/claims-requested.ts +106 -0
package/src/parameters/oidc-payload.ts +28 -0
package/src/replay/replay-manager.ts +38 -0
package/src/replay/replay-store-memory.ts +36 -0
package/src/replay/replay-store-redis.ts +31 -0
package/src/replay/replay-store.ts +44 -0
package/src/request/code.ts +24 -0
package/src/request/request-data.ts +26 -0
package/src/request/request-id.ts +23 -0
package/src/request/request-info.ts +12 -0
package/src/request/request-manager.ts +479 -0
package/src/request/request-store-memory.ts +39 -0
package/src/request/request-store-redis.ts +71 -0
package/src/request/request-store.ts +54 -0
package/src/request/request-uri.ts +29 -0
package/src/request/types.ts +48 -0
package/src/signer/signed-token-payload.ts +35 -0
package/src/signer/signer.ts +165 -0
package/src/token/refresh-token.ts +31 -0
package/src/token/token-claims.ts +31 -0
package/src/token/token-data.ts +33 -0
package/src/token/token-id.ts +26 -0
package/src/token/token-manager.ts +591 -0
package/src/token/token-store.ts +78 -0
package/src/token/types.ts +86 -0
package/src/token/verify-token-claims.ts +65 -0
package/tailwind.config.js +13 -0
package/tsconfig.backend.json +9 -0
package/tsconfig.frontend.json +11 -0
package/tsconfig.json +8 -0
package/tsconfig.tools.json +8 -0

package/src/request/request-manager.ts ADDED Viewed

@@ -0,0 +1,479 @@
+import {
+  CLIENT_ASSERTION_TYPE_JWT_BEARER,
+  OAuthAuthenticationRequestParameters,
+  OAuthAuthorizationServerMetadata,
+} from '@atproto/oauth-types'
+import { DeviceAccountInfo } from '../account/account-store.js'
+import { Account } from '../account/account.js'
+import { ClientAuth } from '../client/client-auth.js'
+import { ClientId } from '../client/client-id.js'
+import { Client } from '../client/client.js'
+import {
+  AUTHORIZATION_INACTIVITY_TIMEOUT,
+  PAR_EXPIRES_IN,
+  TOKEN_MAX_AGE,
+} from '../constants.js'
+import { DeviceId } from '../device/device-id.js'
+import { AccessDeniedError } from '../errors/access-denied-error.js'
+import { ConsentRequiredError } from '../errors/consent-required-error.js'
+import { InvalidGrantError } from '../errors/invalid-grant-error.js'
+import { InvalidParametersError } from '../errors/invalid-parameters-error.js'
+import { InvalidRequestError } from '../errors/invalid-request-error.js'
+import { compareRedirectUri } from '../lib/util/redirect-uri.js'
+import { OAuthHooks } from '../oauth-hooks.js'
+import { OIDC_SCOPE_CLAIMS } from '../oidc/claims.js'
+import { Signer } from '../signer/signer.js'
+import { Code, generateCode } from './code.js'
+import {
+  isRequestDataAuthorized,
+  RequestDataAuthorized,
+} from './request-data.js'
+import { generateRequestId } from './request-id.js'
+import { RequestInfo } from './request-info.js'
+import { RequestStore, UpdateRequestData } from './request-store.js'
+import {
+  decodeRequestUri,
+  encodeRequestUri,
+  RequestUri,
+} from './request-uri.js'
+export class RequestManager {
+  constructor(
+    protected readonly store: RequestStore,
+    protected readonly signer: Signer,
+    protected readonly metadata: OAuthAuthorizationServerMetadata,
+    protected readonly hooks: OAuthHooks,
+    protected readonly pkceRequired = true,
+    protected readonly tokenMaxAge = TOKEN_MAX_AGE,
+  ) {}
+  protected createTokenExpiry() {
+    return new Date(Date.now() + this.tokenMaxAge)
+  }
+  async createAuthorizationRequest(
+    client: Client,
+    clientAuth: ClientAuth,
+    input: Readonly<OAuthAuthenticationRequestParameters>,
+    deviceId: null | DeviceId,
+    dpopJkt: null | string,
+  ): Promise<RequestInfo> {
+    const parameters = await this.validate(client, clientAuth, input, dpopJkt)
+    return this.create(client, clientAuth, parameters, deviceId)
+  }
+  protected async create(
+    client: Client,
+    clientAuth: ClientAuth,
+    parameters: Readonly<OAuthAuthenticationRequestParameters>,
+    deviceId: null | DeviceId = null,
+  ): Promise<RequestInfo> {
+    const expiresAt = new Date(Date.now() + PAR_EXPIRES_IN)
+    const id = await generateRequestId()
+    await this.store.createRequest(id, {
+      clientId: client.id,
+      clientAuth,
+      parameters,
+      expiresAt,
+      deviceId,
+      sub: null,
+      code: null,
+    })
+    const uri = encodeRequestUri(id)
+    return { id, uri, expiresAt, parameters, clientAuth }
+  }
+  async validate(
+    client: Client,
+    clientAuth: ClientAuth,
+    parameters: Readonly<OAuthAuthenticationRequestParameters>,
+    dpopJkt: null | string,
+    pkceRequired = this.pkceRequired,
+  ): Promise<Readonly<OAuthAuthenticationRequestParameters>> {
+    // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-1.4.1
+    // > The authorization server MAY fully or partially ignore the scope
+    // > requested by the client, based on the authorization server policy or
+    // > the resource owner's instructions. If the issued access token scope is
+    // > different from the one requested by the client, the authorization
+    // > server MUST include the scope response parameter in the token response
+    // > (Section 3.2.3) to inform the client of the actual scope granted.
+    const cScopes = client.metadata.scope?.split(' ')
+    const sScopes = this.metadata.scopes_supported
+    const scopes =
+      (parameters.scope || client.metadata.scope)
+        ?.split(' ')
+        .filter((scope) => !!scope && (sScopes?.includes(scope) ?? true)) ?? []
+    for (const scope of scopes) {
+      if (!cScopes?.includes(scope)) {
+        throw new InvalidParametersError(
+          parameters,
+          `Scope "${scope}" is not registered for this client`,
+        )
+      }
+    }
+    for (const [scope, claims] of Object.entries(OIDC_SCOPE_CLAIMS)) {
+      for (const claim of claims) {
+        if (
+          parameters?.claims?.id_token?.[claim]?.essential === true ||
+          parameters?.claims?.userinfo?.[claim]?.essential === true
+        ) {
+          if (!scopes?.includes(scope)) {
+            throw new InvalidParametersError(
+              parameters,
+              `Essential ${claim} claim requires "${scope}" scope`,
+            )
+          }
+        }
+      }
+    }
+    parameters = { ...parameters, scope: scopes.join(' ') }
+    const responseTypes = parameters.response_type.split(' ')
+    if (parameters.authorization_details) {
+      const clientAuthDetailsTypes = client.metadata.authorization_details_types
+      if (!clientAuthDetailsTypes) {
+        throw new InvalidParametersError(
+          parameters,
+          'Client Metadata does not declare any "authorization_details"',
+        )
+      }
+      for (const detail of parameters.authorization_details) {
+        if (!clientAuthDetailsTypes?.includes(detail.type)) {
+          throw new InvalidParametersError(
+            parameters,
+            `Unsupported "authorization_details" type "${detail.type}"`,
+          )
+        }
+      }
+    }
+    const { redirect_uri } = parameters
+    if (
+      redirect_uri &&
+      !client.metadata.redirect_uris.some((uri) =>
+        compareRedirectUri(uri, redirect_uri),
+      )
+    ) {
+      throw new InvalidParametersError(
+        parameters,
+        `Invalid redirect_uri ${redirect_uri} (allowed: ${client.metadata.redirect_uris.join(' ')})`,
+      )
+    }
+    // https://datatracker.ietf.org/doc/html/rfc9449#section-10
+    if (!parameters.dpop_jkt) {
+      if (dpopJkt) parameters = { ...parameters, dpop_jkt: dpopJkt }
+    } else if (parameters.dpop_jkt !== dpopJkt) {
+      throw new InvalidParametersError(
+        parameters,
+        'DPoP header and dpop_jkt do not match',
+      )
+    }
+    if (clientAuth.method === CLIENT_ASSERTION_TYPE_JWT_BEARER) {
+      if (parameters.dpop_jkt && clientAuth.jkt === parameters.dpop_jkt) {
+        throw new InvalidParametersError(
+          parameters,
+          'The DPoP proof must be signed with a different key than the client assertion',
+        )
+      }
+    }
+    if (!client.metadata.response_types.includes(parameters.response_type)) {
+      throw new InvalidParametersError(
+        parameters,
+        `Unsupported response_type "${parameters.response_type}"`,
+        'unsupported_response_type',
+      )
+    }
+    if (pkceRequired && responseTypes.includes('token')) {
+      throw new InvalidParametersError(
+        parameters,
+        `Response type "${parameters.response_type}" is incompatible with PKCE`,
+        'unsupported_response_type',
+      )
+    }
+    // https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1
+    if (pkceRequired && !parameters.code_challenge) {
+      throw new InvalidParametersError(parameters, 'code_challenge is required')
+    }
+    if (
+      parameters.code_challenge &&
+      clientAuth.method === 'none' &&
+      (parameters.code_challenge_method ?? 'plain') === 'plain'
+    ) {
+      throw new InvalidParametersError(
+        parameters,
+        'code_challenge_method=plain requires client authentication',
+      )
+    }
+    // https://datatracker.ietf.org/doc/html/rfc7636#section-4.3
+    if (parameters.code_challenge_method && !parameters.code_challenge) {
+      throw new InvalidParametersError(
+        parameters,
+        'code_challenge_method requires code_challenge',
+      )
+    }
+    // https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
+    //
+    // > nonce: REQUIRED if the Response Type of the request is "code id_token" or
+    // >   "code id_token token" and OPTIONAL when the Response Type of the
+    // >   request is "code token". It is a string value used to associate a
+    // >   Client session with an ID Token, and to mitigate replay attacks. The
+    // >   value is passed through unmodified from the Authentication Request to
+    // >   the ID Token. Sufficient entropy MUST be present in the nonce values
+    // >   used to prevent attackers from guessing values. For implementation
+    // >   notes, see Section 15.5.2.
+    if (responseTypes.includes('id_token') && !parameters.nonce) {
+      throw new InvalidParametersError(
+        parameters,
+        'nonce is required for implicit and hybrid flows',
+      )
+    }
+    // Make "expensive" checks after the "cheaper" checks
+    if (parameters.id_token_hint != null) {
+      const { payload } = await this.signer.verify(parameters.id_token_hint, {
+        // these are meant to be outdated when used as a hint
+        clockTolerance: Infinity,
+      })
+      if (!payload.sub) {
+        throw new InvalidParametersError(
+          parameters,
+          `Unexpected empty id_token_hint "sub"`,
+        )
+      } else if (parameters.login_hint == null) {
+        parameters = { ...parameters, login_hint: payload.sub }
+      } else if (parameters.login_hint !== payload.sub) {
+        throw new InvalidParametersError(
+          parameters,
+          'login_hint does not match "sub" of id_token_hint',
+        )
+      }
+    }
+    // ATPROTO extension: if the client is not trusted, force users to consent
+    // to authorization requests. We do this to avoid unauthenticated clients
+    // from being able to silently re-authenticate users.
+    if (clientAuth.method === 'none' && !client.info.isFirstParty) {
+      if (parameters.prompt === 'none') {
+        throw new ConsentRequiredError(
+          parameters,
+          'Public clients are not allowed to use silent-sign-on',
+        )
+      }
+      // force "consent" for unauthenticated, third party clients
+      parameters = { ...parameters, prompt: 'consent' }
+    }
+    return parameters
+  }
+  async get(
+    uri: RequestUri,
+    clientId: ClientId,
+    deviceId: DeviceId,
+  ): Promise<RequestInfo> {
+    const id = decodeRequestUri(uri)
+    const data = await this.store.readRequest(id)
+    if (!data) throw new InvalidRequestError(`Unknown request_uri "${uri}"`)
+    const updates: UpdateRequestData = {}
+    try {
+      if (data.sub || data.code) {
+        // If an account was linked to the request, the next step is to exchange
+        // the code for a token.
+        throw new AccessDeniedError(
+          data.parameters,
+          'This request was already authorized',
+        )
+      }
+      if (data.expiresAt < new Date()) {
+        throw new AccessDeniedError(data.parameters, 'This request has expired')
+      } else {
+        updates.expiresAt = new Date(
+          Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT,
+        )
+      }
+      if (data.clientId !== clientId) {
+        throw new AccessDeniedError(
+          data.parameters,
+          'This request was initiated for another client',
+        )
+      }
+      if (!data.deviceId) {
+        updates.deviceId = deviceId
+      } else if (data.deviceId !== deviceId) {
+        throw new AccessDeniedError(
+          data.parameters,
+          'This request was initiated from another device',
+        )
+      }
+    } catch (err) {
+      await this.store.deleteRequest(id)
+      throw err
+    }
+    if (Object.keys(updates).length > 0) {
+      await this.store.updateRequest(id, updates)
+    }
+    return {
+      id,
+      uri,
+      expiresAt: updates.expiresAt || data.expiresAt,
+      parameters: data.parameters,
+      clientAuth: data.clientAuth,
+    }
+  }
+  async setAuthorized(
+    client: Client,
+    uri: RequestUri,
+    deviceId: DeviceId,
+    account: Account,
+    info: DeviceAccountInfo,
+  ): Promise<{ code?: Code; token?: string; id_token?: string }> {
+    const id = decodeRequestUri(uri)
+    const data = await this.store.readRequest(id)
+    if (!data) throw new InvalidRequestError(`Unknown request_uri "${uri}"`)
+    try {
+      if (data.expiresAt < new Date()) {
+        throw new AccessDeniedError(data.parameters, 'This request has expired')
+      }
+      if (!data.deviceId) {
+        throw new AccessDeniedError(
+          data.parameters,
+          'This request was not initiated',
+        )
+      }
+      if (data.deviceId !== deviceId) {
+        throw new AccessDeniedError(
+          data.parameters,
+          'This request was initiated from another device',
+        )
+      }
+      if (data.sub || data.code) {
+        throw new AccessDeniedError(
+          data.parameters,
+          'This request was already authorized',
+        )
+      }
+      const responseType = data.parameters.response_type.split(' ')
+      if (responseType.includes('token')) {
+        throw new AccessDeniedError(
+          data.parameters,
+          'Implicit "token" forbidden (use "code" with PKCE instead)',
+        )
+      }
+      const code = responseType.includes('code')
+        ? await generateCode()
+        : undefined
+      // Bind the request to the account, preventing it from being used again.
+      await this.store.updateRequest(id, {
+        sub: account.sub,
+        code,
+        // Allow the client to exchange the code for a token within the next 60 seconds.
+        expiresAt: new Date(Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT),
+      })
+      const id_token = responseType.includes('id_token')
+        ? await this.signer.idToken(client, data.parameters, account, {
+            auth_time: info.authenticatedAt,
+            exp: this.createTokenExpiry(),
+            code,
+          })
+        : undefined
+      return { code, id_token }
+    } catch (err) {
+      await this.store.deleteRequest(id)
+      throw err
+    }
+  }
+  /**
+   * @note If this method throws an error, any token previously generated from
+   * the same `code` **must** me revoked.
+   */
+  public async findCode(
+    client: Client,
+    clientAuth: ClientAuth,
+    code: Code,
+  ): Promise<RequestDataAuthorized> {
+    const result = await this.store.findRequestByCode(code)
+    if (!result) throw new InvalidGrantError('Invalid code')
+    try {
+      const { data } = result
+      if (!isRequestDataAuthorized(data)) {
+        // Should never happen: maybe the store implementation is faulty ?
+        throw new Error('Unexpected request state')
+      }
+      if (data.clientId !== client.id) {
+        throw new InvalidGrantError('This code was issued for another client')
+      }
+      if (data.expiresAt < new Date()) {
+        throw new InvalidGrantError('This code has expired')
+      }
+      if (data.clientAuth.method === 'none') {
+        // If the client did not use PAR, it was not authenticated when the
+        // request was created (see authorize() method above). Since PAR is not
+        // mandatory, and since the token exchange currently taking place *is*
+        // authenticated (`clientAuth`), we allow "upgrading" the authentication
+        // method (the token created will be bound to the current clientAuth).
+      } else {
+        if (clientAuth.method !== data.clientAuth.method) {
+          throw new InvalidGrantError('Invalid client authentication')
+        }
+        if (!(await client.validateClientAuth(data.clientAuth))) {
+          throw new InvalidGrantError('Invalid client authentication')
+        }
+      }
+      return data
+    } finally {
+      // A "code" can only be used once
+      await this.store.deleteRequest(result.id)
+    }
+  }
+  async delete(uri: RequestUri): Promise<void> {
+    const id = decodeRequestUri(uri)
+    await this.store.deleteRequest(id)
+  }
+}

package/src/request/request-store-memory.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import { Code } from './code.js'
+import { RequestId } from './request-id.js'
+import { RequestData } from './request-data.js'
+import { RequestStore } from './request-store.js'
+export class RequestStoreMemory implements RequestStore {
+  #requests = new Map<RequestId, RequestData>()
+  async readRequest(id: RequestId): Promise<RequestData | null> {
+    return this.#requests.get(id) ?? null
+  }
+  async createRequest(id: RequestId, data: RequestData): Promise<void> {
+    this.#requests.set(id, data)
+  }
+  async updateRequest(
+    id: RequestId,
+    data: Partial<RequestData>,
+  ): Promise<void> {
+    const current = this.#requests.get(id)
+    if (!current) throw new Error('Request not found')
+    const newData = { ...current, ...data }
+    this.#requests.set(id, newData)
+  }
+  async deleteRequest(id: RequestId): Promise<void> {
+    this.#requests.delete(id)
+  }
+  async findRequestByCode(
+    code: Code,
+  ): Promise<{ id: RequestId; data: RequestData } | null> {
+    for (const [id, data] of this.#requests) {
+      if (data.code === code) return { id, data }
+    }
+    return null
+  }
+}

package/src/request/request-store-redis.ts ADDED Viewed

@@ -0,0 +1,71 @@
+import { Redis } from 'ioredis'
+import { CreateRedisOptions, createRedis } from '../lib/redis.js'
+import { Code } from './code.js'
+import { RequestData } from './request-data.js'
+import { RequestId, requestIdSchema } from './request-id.js'
+import { RequestStore } from './request-store.js'
+export type { Redis, CreateRedisOptions }
+export type ReplayStoreRedisOptions = {
+  redis: CreateRedisOptions
+}
+export class RequestStoreRedis implements RequestStore {
+  private readonly redis: Redis
+  constructor(options: ReplayStoreRedisOptions) {
+    this.redis = createRedis(options.redis)
+  }
+  async readRequest(id: RequestId): Promise<RequestData | null> {
+    const data = await this.redis.get(id)
+    return data ? JSON.parse(data) : null
+  }
+  async createRequest(id: RequestId, data: RequestData): Promise<void> {
+    const timeFrame = data.expiresAt.getTime() - Date.now()
+    await this.redis.set(id, JSON.stringify(data), 'PX', timeFrame)
+    if (data.code) await this.redis.set(data.code, id, 'PX', timeFrame)
+  }
+  async updateRequest(
+    id: RequestId,
+    data: Partial<RequestData>,
+  ): Promise<void> {
+    const current = await this.readRequest(id)
+    if (!current) throw new Error('Request not found')
+    if (current.code) await this.redis.del(current.code)
+    const newData = { ...current, ...data }
+    await this.createRequest(id, newData)
+  }
+  async deleteRequest(id: RequestId): Promise<void> {
+    const data = await this.readRequest(id)
+    if (!data) return
+    if (data.code) await this.redis.del(data.code)
+    await this.redis.del(id)
+  }
+  private async findRequestIdByCode(code: Code): Promise<RequestId | null> {
+    const value = await this.redis.get(code)
+    if (!value) return null
+    const parsed = requestIdSchema.safeParse(value)
+    if (!parsed.success) return null
+    return parsed.data
+  }
+  async findRequestByCode(
+    code: Code,
+  ): Promise<{ id: RequestId; data: RequestData } | null> {
+    const id = await this.findRequestIdByCode(code)
+    if (!id) return null
+    const data = await this.readRequest(id)
+    if (!data) return null
+    return { id, data }
+  }
+}

package/src/request/request-store.ts ADDED Viewed

@@ -0,0 +1,54 @@
+import { Awaitable } from '../lib/util/type.js'
+import { Code } from './code.js'
+import { RequestData } from './request-data.js'
+import { RequestId } from './request-id.js'
+// Export all types needed to implement the RequestStore interface
+export * from './code.js'
+export * from './request-id.js'
+export * from './request-data.js'
+export type { Awaitable }
+export type UpdateRequestData = Pick<
+  Partial<RequestData>,
+  'sub' | 'code' | 'deviceId' | 'expiresAt'
+>
+export type FoundRequestResult = {
+  id: RequestId
+  data: RequestData
+}
+export interface RequestStore {
+  createRequest(id: RequestId, data: RequestData): Awaitable<void>
+  /**
+   * Note that expired requests **can** be returned to yield a different error
+   * message than if the request was not found.
+   */
+  readRequest(id: RequestId): Awaitable<RequestData | null>
+  updateRequest(id: RequestId, data: UpdateRequestData): Awaitable<void>
+  deleteRequest(id: RequestId): void | Awaitable<void>
+  findRequestByCode(code: Code): Awaitable<FoundRequestResult | null>
+}
+export function isRequestStore(
+  implementation: Record<string, unknown> & Partial<RequestStore>,
+): implementation is Record<string, unknown> & RequestStore {
+  return (
+    typeof implementation.createRequest === 'function' &&
+    typeof implementation.readRequest === 'function' &&
+    typeof implementation.updateRequest === 'function' &&
+    typeof implementation.deleteRequest === 'function' &&
+    typeof implementation.findRequestByCode === 'function'
+  )
+}
+export function ifRequestStore(
+  implementation?: Record<string, unknown> & Partial<RequestStore>,
+): RequestStore | undefined {
+  if (implementation && isRequestStore(implementation)) {
+    return implementation
+  }
+  return undefined
+}

package/src/request/request-uri.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import { z } from 'zod'
+import { RequestId, requestIdSchema } from './request-id.js'
+export const REQUEST_URI_PREFIX = 'urn:ietf:params:oauth:request_uri:'
+export const requestUriSchema = z
+  .string()
+  .url()
+  .refinement(
+    (data): data is `${typeof REQUEST_URI_PREFIX}${RequestId}` =>
+      data.startsWith(REQUEST_URI_PREFIX) &&
+      requestIdSchema.safeParse(decodeRequestUri(data as any)).success,
+    {
+      code: z.ZodIssueCode.custom,
+      message: 'Invalid request_uri format',
+    },
+  )
+export type RequestUri = z.infer<typeof requestUriSchema>
+export function encodeRequestUri(requestId: RequestId): RequestUri {
+  return `${REQUEST_URI_PREFIX}${encodeURIComponent(requestId) as RequestId}`
+}
+export function decodeRequestUri(requestUri: RequestUri): RequestId {
+  const requestIdEnc = requestUri.slice(REQUEST_URI_PREFIX.length)
+  return decodeURIComponent(requestIdEnc) as RequestId
+}