npm - @atproto/oauth-provider - Versions diffs - 0.1.0 - Mend

@atproto/oauth-provider 0.1.0

Files changed (631) hide show

package/.postcssrc.yml +3 -0
package/CHANGELOG.md +19 -0
package/LICENSE.txt +7 -0
package/dist/access-token/access-token-type.d.ts +6 -0
package/dist/access-token/access-token-type.d.ts.map +1 -0
package/dist/access-token/access-token-type.js +10 -0
package/dist/access-token/access-token-type.js.map +1 -0
package/dist/account/account-manager.d.ts +14 -0
package/dist/account/account-manager.d.ts.map +1 -0
package/dist/account/account-manager.js +39 -0
package/dist/account/account-manager.js.map +1 -0
package/dist/account/account-store.d.ts +39 -0
package/dist/account/account-store.d.ts.map +1 -0
package/dist/account/account-store.js +19 -0
package/dist/account/account-store.js.map +1 -0
package/dist/account/account.d.ts +8 -0
package/dist/account/account.d.ts.map +1 -0
package/dist/account/account.js +3 -0
package/dist/account/account.js.map +1 -0
package/dist/assets/app/bundle-manifest.json +22 -0
package/dist/assets/app/main.css +3 -0
package/dist/assets/app/main.js +20 -0
package/dist/assets/app/main.js.map +1 -0
package/dist/assets/asset.d.ts +9 -0
package/dist/assets/asset.d.ts.map +1 -0
package/dist/assets/asset.js +3 -0
package/dist/assets/asset.js.map +1 -0
package/dist/assets/assets-middleware.d.ts +2 -0
package/dist/assets/assets-middleware.d.ts.map +1 -0
package/dist/assets/assets-middleware.js +30 -0
package/dist/assets/assets-middleware.js.map +1 -0
package/dist/assets/index.d.ts +4 -0
package/dist/assets/index.d.ts.map +1 -0
package/dist/assets/index.js +65 -0
package/dist/assets/index.js.map +1 -0
package/dist/client/client-auth.d.ts +13 -0
package/dist/client/client-auth.d.ts.map +1 -0
package/dist/client/client-auth.js +35 -0
package/dist/client/client-auth.js.map +1 -0
package/dist/client/client-data.d.ts +8 -0
package/dist/client/client-data.d.ts.map +1 -0
package/dist/client/client-data.js +3 -0
package/dist/client/client-data.js.map +1 -0
package/dist/client/client-id.d.ts +4 -0
package/dist/client/client-id.d.ts.map +1 -0
package/dist/client/client-id.js +6 -0
package/dist/client/client-id.js.map +1 -0
package/dist/client/client-info.d.ts +13 -0
package/dist/client/client-info.d.ts.map +1 -0
package/dist/client/client-info.js +3 -0
package/dist/client/client-info.js.map +1 -0
package/dist/client/client-manager.d.ts +38 -0
package/dist/client/client-manager.d.ts.map +1 -0
package/dist/client/client-manager.js +534 -0
package/dist/client/client-manager.js.map +1 -0
package/dist/client/client-store.d.ts +13 -0
package/dist/client/client-store.d.ts.map +1 -0
package/dist/client/client-store.js +39 -0
package/dist/client/client-store.js.map +1 -0
package/dist/client/client-utils.d.ts +6 -0
package/dist/client/client-utils.d.ts.map +1 -0
package/dist/client/client-utils.js +40 -0
package/dist/client/client-utils.js.map +1 -0
package/dist/client/client.d.ts +41 -0
package/dist/client/client.d.ts.map +1 -0
package/dist/client/client.js +163 -0
package/dist/client/client.js.map +1 -0
package/dist/constants.d.ts +42 -0
package/dist/constants.d.ts.map +1 -0
package/dist/constants.js +53 -0
package/dist/constants.js.map +1 -0
package/dist/device/device-data.d.ts +20 -0
package/dist/device/device-data.d.ts.map +1 -0
package/dist/device/device-data.js +11 -0
package/dist/device/device-data.js.map +1 -0
package/dist/device/device-details.d.ts +17 -0
package/dist/device/device-details.d.ts.map +1 -0
package/dist/device/device-details.js +34 -0
package/dist/device/device-details.js.map +1 -0
package/dist/device/device-id.d.ts +6 -0
package/dist/device/device-id.d.ts.map +1 -0
package/dist/device/device-id.js +18 -0
package/dist/device/device-id.js.map +1 -0
package/dist/device/device-manager.d.ts +88 -0
package/dist/device/device-manager.d.ts.map +1 -0
package/dist/device/device-manager.js +206 -0
package/dist/device/device-manager.js.map +1 -0
package/dist/device/device-store.d.ts +15 -0
package/dist/device/device-store.d.ts.map +1 -0
package/dist/device/device-store.js +36 -0
package/dist/device/device-store.js.map +1 -0
package/dist/device/session-id.d.ts +6 -0
package/dist/device/session-id.d.ts.map +1 -0
package/dist/device/session-id.js +18 -0
package/dist/device/session-id.js.map +1 -0
package/dist/dpop/dpop-manager.d.ts +33 -0
package/dist/dpop/dpop-manager.d.ts.map +1 -0
package/dist/dpop/dpop-manager.js +115 -0
package/dist/dpop/dpop-manager.js.map +1 -0
package/dist/dpop/dpop-nonce.d.ts +13 -0
package/dist/dpop/dpop-nonce.d.ts.map +1 -0
package/dist/dpop/dpop-nonce.js +94 -0
package/dist/dpop/dpop-nonce.js.map +1 -0
package/dist/errors/access-denied-error.d.ts +8 -0
package/dist/errors/access-denied-error.d.ts.map +1 -0
package/dist/errors/access-denied-error.js +21 -0
package/dist/errors/access-denied-error.js.map +1 -0
package/dist/errors/account-selection-required-error.d.ts +6 -0
package/dist/errors/account-selection-required-error.d.ts.map +1 -0
package/dist/errors/account-selection-required-error.js +11 -0
package/dist/errors/account-selection-required-error.js.map +1 -0
package/dist/errors/consent-required-error.d.ts +6 -0
package/dist/errors/consent-required-error.d.ts.map +1 -0
package/dist/errors/consent-required-error.js +11 -0
package/dist/errors/consent-required-error.js.map +1 -0
package/dist/errors/invalid-authorization-details-error.d.ts +20 -0
package/dist/errors/invalid-authorization-details-error.d.ts.map +1 -0
package/dist/errors/invalid-authorization-details-error.js +26 -0
package/dist/errors/invalid-authorization-details-error.js.map +1 -0
package/dist/errors/invalid-client-error.d.ts +18 -0
package/dist/errors/invalid-client-error.d.ts.map +1 -0
package/dist/errors/invalid-client-error.js +24 -0
package/dist/errors/invalid-client-error.js.map +1 -0
package/dist/errors/invalid-client-id-error.d.ts +13 -0
package/dist/errors/invalid-client-id-error.d.ts.map +1 -0
package/dist/errors/invalid-client-id-error.js +25 -0
package/dist/errors/invalid-client-id-error.js.map +1 -0
package/dist/errors/invalid-client-metadata-error.d.ts +13 -0
package/dist/errors/invalid-client-metadata-error.d.ts.map +1 -0
package/dist/errors/invalid-client-metadata-error.js +23 -0
package/dist/errors/invalid-client-metadata-error.js.map +1 -0
package/dist/errors/invalid-dpop-key-binding-error.d.ts +12 -0
package/dist/errors/invalid-dpop-key-binding-error.d.ts.map +1 -0
package/dist/errors/invalid-dpop-key-binding-error.js +20 -0
package/dist/errors/invalid-dpop-key-binding-error.js.map +1 -0
package/dist/errors/invalid-dpop-proof-error.d.ts +5 -0
package/dist/errors/invalid-dpop-proof-error.d.ts.map +1 -0
package/dist/errors/invalid-dpop-proof-error.js +12 -0
package/dist/errors/invalid-dpop-proof-error.js.map +1 -0
package/dist/errors/invalid-grant-error.d.ts +14 -0
package/dist/errors/invalid-grant-error.d.ts.map +1 -0
package/dist/errors/invalid-grant-error.js +20 -0
package/dist/errors/invalid-grant-error.js.map +1 -0
package/dist/errors/invalid-parameters-error.d.ts +6 -0
package/dist/errors/invalid-parameters-error.d.ts.map +1 -0
package/dist/errors/invalid-parameters-error.js +11 -0
package/dist/errors/invalid-parameters-error.js.map +1 -0
package/dist/errors/invalid-redirect-uri-error.d.ts +11 -0
package/dist/errors/invalid-redirect-uri-error.d.ts.map +1 -0
package/dist/errors/invalid-redirect-uri-error.js +21 -0
package/dist/errors/invalid-redirect-uri-error.js.map +1 -0
package/dist/errors/invalid-request-error.d.ts +28 -0
package/dist/errors/invalid-request-error.d.ts.map +1 -0
package/dist/errors/invalid-request-error.js +34 -0
package/dist/errors/invalid-request-error.js.map +1 -0
package/dist/errors/invalid-token-error.d.ts +16 -0
package/dist/errors/invalid-token-error.d.ts.map +1 -0
package/dist/errors/invalid-token-error.js +45 -0
package/dist/errors/invalid-token-error.js.map +1 -0
package/dist/errors/login-required-error.d.ts +6 -0
package/dist/errors/login-required-error.d.ts.map +1 -0
package/dist/errors/login-required-error.js +11 -0
package/dist/errors/login-required-error.js.map +1 -0
package/dist/errors/oauth-error.d.ts +13 -0
package/dist/errors/oauth-error.d.ts.map +1 -0
package/dist/errors/oauth-error.js +29 -0
package/dist/errors/oauth-error.js.map +1 -0
package/dist/errors/unauthorized-client-error.d.ts +18 -0
package/dist/errors/unauthorized-client-error.d.ts.map +1 -0
package/dist/errors/unauthorized-client-error.js +24 -0
package/dist/errors/unauthorized-client-error.js.map +1 -0
package/dist/errors/use-dpop-nonce-error.d.ts +18 -0
package/dist/errors/use-dpop-nonce-error.d.ts.map +1 -0
package/dist/errors/use-dpop-nonce-error.js +27 -0
package/dist/errors/use-dpop-nonce-error.js.map +1 -0
package/dist/errors/www-authenticate-error.d.ts +9 -0
package/dist/errors/www-authenticate-error.d.ts.map +1 -0
package/dist/errors/www-authenticate-error.js +46 -0
package/dist/errors/www-authenticate-error.js.map +1 -0
package/dist/index.d.ts +14 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +31 -0
package/dist/index.js.map +1 -0
package/dist/lib/html/build-document.d.ts +32 -0
package/dist/lib/html/build-document.d.ts.map +1 -0
package/dist/lib/html/build-document.js +61 -0
package/dist/lib/html/build-document.js.map +1 -0
package/dist/lib/html/escapers.d.ts +9 -0
package/dist/lib/html/escapers.d.ts.map +1 -0
package/dist/lib/html/escapers.js +66 -0
package/dist/lib/html/escapers.js.map +1 -0
package/dist/lib/html/html.d.ts +13 -0
package/dist/lib/html/html.d.ts.map +1 -0
package/dist/lib/html/html.js +53 -0
package/dist/lib/html/html.js.map +1 -0
package/dist/lib/html/index.d.ts +4 -0
package/dist/lib/html/index.d.ts.map +1 -0
package/dist/lib/html/index.js +21 -0
package/dist/lib/html/index.js.map +1 -0
package/dist/lib/html/tags.d.ts +34 -0
package/dist/lib/html/tags.d.ts.map +1 -0
package/dist/lib/html/tags.js +47 -0
package/dist/lib/html/tags.js.map +1 -0
package/dist/lib/html/util.d.ts +4 -0
package/dist/lib/html/util.d.ts.map +1 -0
package/dist/lib/html/util.js +20 -0
package/dist/lib/html/util.js.map +1 -0
package/dist/lib/http/accept.d.ts +29 -0
package/dist/lib/http/accept.d.ts.map +1 -0
package/dist/lib/http/accept.js +67 -0
package/dist/lib/http/accept.js.map +1 -0
package/dist/lib/http/context.d.ts +5 -0
package/dist/lib/http/context.d.ts.map +1 -0
package/dist/lib/http/context.js +10 -0
package/dist/lib/http/context.js.map +1 -0
package/dist/lib/http/index.d.ts +10 -0
package/dist/lib/http/index.d.ts.map +1 -0
package/dist/lib/http/index.js +26 -0
package/dist/lib/http/index.js.map +1 -0
package/dist/lib/http/method.d.ts +6 -0
package/dist/lib/http/method.d.ts.map +1 -0
package/dist/lib/http/method.js +19 -0
package/dist/lib/http/method.js.map +1 -0
package/dist/lib/http/middleware.d.ts +18 -0
package/dist/lib/http/middleware.d.ts.map +1 -0
package/dist/lib/http/middleware.js +118 -0
package/dist/lib/http/middleware.js.map +1 -0
package/dist/lib/http/parser.d.ts +33 -0
package/dist/lib/http/parser.d.ts.map +1 -0
package/dist/lib/http/parser.js +48 -0
package/dist/lib/http/parser.js.map +1 -0
package/dist/lib/http/path.d.ts +9 -0
package/dist/lib/http/path.d.ts.map +1 -0
package/dist/lib/http/path.js +54 -0
package/dist/lib/http/path.js.map +1 -0
package/dist/lib/http/request.d.ts +33 -0
package/dist/lib/http/request.d.ts.map +1 -0
package/dist/lib/http/request.js +86 -0
package/dist/lib/http/request.js.map +1 -0
package/dist/lib/http/response.d.ts +13 -0
package/dist/lib/http/response.d.ts.map +1 -0
package/dist/lib/http/response.js +98 -0
package/dist/lib/http/response.js.map +1 -0
package/dist/lib/http/route.d.ts +25 -0
package/dist/lib/http/route.d.ts.map +1 -0
package/dist/lib/http/route.js +39 -0
package/dist/lib/http/route.js.map +1 -0
package/dist/lib/http/router.d.ts +32 -0
package/dist/lib/http/router.d.ts.map +1 -0
package/dist/lib/http/router.js +74 -0
package/dist/lib/http/router.js.map +1 -0
package/dist/lib/http/stream.d.ts +13 -0
package/dist/lib/http/stream.d.ts.map +1 -0
package/dist/lib/http/stream.js +46 -0
package/dist/lib/http/stream.js.map +1 -0
package/dist/lib/http/types.d.ts +7 -0
package/dist/lib/http/types.d.ts.map +1 -0
package/dist/lib/http/types.js +3 -0
package/dist/lib/http/types.js.map +1 -0
package/dist/lib/http/url.d.ts +8 -0
package/dist/lib/http/url.d.ts.map +1 -0
package/dist/lib/http/url.js +22 -0
package/dist/lib/http/url.js.map +1 -0
package/dist/lib/redis.d.ts +5 -0
package/dist/lib/redis.d.ts.map +1 -0
package/dist/lib/redis.js +22 -0
package/dist/lib/redis.js.map +1 -0
package/dist/lib/util/authorization-header.d.ts +4 -0
package/dist/lib/util/authorization-header.d.ts.map +1 -0
package/dist/lib/util/authorization-header.js +23 -0
package/dist/lib/util/authorization-header.js.map +1 -0
package/dist/lib/util/cast.d.ts +2 -0
package/dist/lib/util/cast.d.ts.map +1 -0
package/dist/lib/util/cast.js +10 -0
package/dist/lib/util/cast.js.map +1 -0
package/dist/lib/util/crypto.d.ts +3 -0
package/dist/lib/util/crypto.d.ts.map +1 -0
package/dist/lib/util/crypto.js +29 -0
package/dist/lib/util/crypto.js.map +1 -0
package/dist/lib/util/date.d.ts +3 -0
package/dist/lib/util/date.d.ts.map +1 -0
package/dist/lib/util/date.js +12 -0
package/dist/lib/util/date.js.map +1 -0
package/dist/lib/util/hostname.d.ts +6 -0
package/dist/lib/util/hostname.d.ts.map +1 -0
package/dist/lib/util/hostname.js +24 -0
package/dist/lib/util/hostname.js.map +1 -0
package/dist/lib/util/redirect-uri.d.ts +7 -0
package/dist/lib/util/redirect-uri.d.ts.map +1 -0
package/dist/lib/util/redirect-uri.js +44 -0
package/dist/lib/util/redirect-uri.js.map +1 -0
package/dist/lib/util/time.d.ts +6 -0
package/dist/lib/util/time.d.ts.map +1 -0
package/dist/lib/util/time.js +28 -0
package/dist/lib/util/time.js.map +1 -0
package/dist/lib/util/type.d.ts +6 -0
package/dist/lib/util/type.d.ts.map +1 -0
package/dist/lib/util/type.js +3 -0
package/dist/lib/util/type.js.map +1 -0
package/dist/lib/util/well-known.d.ts +3 -0
package/dist/lib/util/well-known.d.ts.map +1 -0
package/dist/lib/util/well-known.js +11 -0
package/dist/lib/util/well-known.js.map +1 -0
package/dist/metadata/build-metadata.d.ts +14 -0
package/dist/metadata/build-metadata.d.ts.map +1 -0
package/dist/metadata/build-metadata.js +132 -0
package/dist/metadata/build-metadata.js.map +1 -0
package/dist/oauth-client.d.ts +4 -0
package/dist/oauth-client.d.ts.map +1 -0
package/dist/oauth-client.js +19 -0
package/dist/oauth-client.js.map +1 -0
package/dist/oauth-dpop.d.ts +3 -0
package/dist/oauth-dpop.d.ts.map +1 -0
package/dist/oauth-dpop.js +19 -0
package/dist/oauth-dpop.js.map +1 -0
package/dist/oauth-errors.d.ts +20 -0
package/dist/oauth-errors.d.ts.map +1 -0
package/dist/oauth-errors.js +43 -0
package/dist/oauth-errors.js.map +1 -0
package/dist/oauth-hooks.d.ts +42 -0
package/dist/oauth-hooks.d.ts.map +1 -0
package/dist/oauth-hooks.js +3 -0
package/dist/oauth-hooks.js.map +1 -0
package/dist/oauth-provider.d.ts +179 -0
package/dist/oauth-provider.d.ts.map +1 -0
package/dist/oauth-provider.js +748 -0
package/dist/oauth-provider.js.map +1 -0
package/dist/oauth-store.d.ts +11 -0
package/dist/oauth-store.d.ts.map +1 -0
package/dist/oauth-store.js +27 -0
package/dist/oauth-store.js.map +1 -0
package/dist/oauth-verifier.d.ts +66 -0
package/dist/oauth-verifier.d.ts.map +1 -0
package/dist/oauth-verifier.js +94 -0
package/dist/oauth-verifier.js.map +1 -0
package/dist/oidc/claims.d.ts +16 -0
package/dist/oidc/claims.d.ts.map +1 -0
package/dist/oidc/claims.js +29 -0
package/dist/oidc/claims.js.map +1 -0
package/dist/oidc/sub.d.ts +4 -0
package/dist/oidc/sub.d.ts.map +1 -0
package/dist/oidc/sub.js +6 -0
package/dist/oidc/sub.js.map +1 -0
package/dist/oidc/userinfo.d.ts +7 -0
package/dist/oidc/userinfo.d.ts.map +1 -0
package/dist/oidc/userinfo.js +3 -0
package/dist/oidc/userinfo.js.map +1 -0
package/dist/output/build-error-payload.d.ts +6 -0
package/dist/output/build-error-payload.d.ts.map +1 -0
package/dist/output/build-error-payload.js +108 -0
package/dist/output/build-error-payload.js.map +1 -0
package/dist/output/customization.d.ts +37 -0
package/dist/output/customization.d.ts.map +1 -0
package/dist/output/customization.js +62 -0
package/dist/output/customization.js.map +1 -0
package/dist/output/send-authorize-page.d.ts +43 -0
package/dist/output/send-authorize-page.d.ts.map +1 -0
package/dist/output/send-authorize-page.js +49 -0
package/dist/output/send-authorize-page.js.map +1 -0
package/dist/output/send-authorize-redirect.d.ts +25 -0
package/dist/output/send-authorize-redirect.d.ts.map +1 -0
package/dist/output/send-authorize-redirect.js +72 -0
package/dist/output/send-authorize-redirect.js.map +1 -0
package/dist/output/send-error-page.d.ts +5 -0
package/dist/output/send-error-page.d.ts.map +1 -0
package/dist/output/send-error-page.js +31 -0
package/dist/output/send-error-page.js.map +1 -0
package/dist/output/send-web-page.d.ts +8 -0
package/dist/output/send-web-page.d.ts.map +1 -0
package/dist/output/send-web-page.js +48 -0
package/dist/output/send-web-page.js.map +1 -0
package/dist/parameters/claims-requested.d.ts +3 -0
package/dist/parameters/claims-requested.d.ts.map +1 -0
package/dist/parameters/claims-requested.js +77 -0
package/dist/parameters/claims-requested.js.map +1 -0
package/dist/parameters/oidc-payload.d.ts +31 -0
package/dist/parameters/oidc-payload.d.ts.map +1 -0
package/dist/parameters/oidc-payload.js +25 -0
package/dist/parameters/oidc-payload.js.map +1 -0
package/dist/replay/replay-manager.d.ts +10 -0
package/dist/replay/replay-manager.d.ts.map +1 -0
package/dist/replay/replay-manager.js +23 -0
package/dist/replay/replay-manager.js.map +1 -0
package/dist/replay/replay-store-memory.d.ts +11 -0
package/dist/replay/replay-store-memory.d.ts.map +1 -0
package/dist/replay/replay-store-memory.js +30 -0
package/dist/replay/replay-store-memory.js.map +1 -0
package/dist/replay/replay-store-redis.d.ts +16 -0
package/dist/replay/replay-store-redis.d.ts.map +1 -0
package/dist/replay/replay-store-redis.js +20 -0
package/dist/replay/replay-store-redis.js.map +1 -0
package/dist/replay/replay-store.d.ts +16 -0
package/dist/replay/replay-store.d.ts.map +1 -0
package/dist/replay/replay-store.js +22 -0
package/dist/replay/replay-store.js.map +1 -0
package/dist/request/code.d.ts +7 -0
package/dist/request/code.d.ts.map +1 -0
package/dist/request/code.js +20 -0
package/dist/request/code.js.map +1 -0
package/dist/request/request-data.d.ts +21 -0
package/dist/request/request-data.d.ts.map +1 -0
package/dist/request/request-data.js +6 -0
package/dist/request/request-data.js.map +1 -0
package/dist/request/request-id.d.ts +6 -0
package/dist/request/request-id.d.ts.map +1 -0
package/dist/request/request-id.js +18 -0
package/dist/request/request-id.js.map +1 -0
package/dist/request/request-info.d.ts +12 -0
package/dist/request/request-info.d.ts.map +1 -0
package/dist/request/request-info.js +3 -0
package/dist/request/request-info.js.map +1 -0
package/dist/request/request-manager.d.ts +40 -0
package/dist/request/request-manager.d.ts.map +1 -0
package/dist/request/request-manager.js +310 -0
package/dist/request/request-manager.js.map +1 -0
package/dist/request/request-store-memory.d.ts +16 -0
package/dist/request/request-store-memory.d.ts.map +1 -0
package/dist/request/request-store-memory.js +31 -0
package/dist/request/request-store-memory.js.map +1 -0
package/dist/request/request-store-redis.d.ts +24 -0
package/dist/request/request-store-redis.d.ts.map +1 -0
package/dist/request/request-store-redis.js +58 -0
package/dist/request/request-store-redis.js.map +1 -0
package/dist/request/request-store.d.ts +27 -0
package/dist/request/request-store.d.ts.map +1 -0
package/dist/request/request-store.js +37 -0
package/dist/request/request-store.js.map +1 -0
package/dist/request/request-uri.d.ts +8 -0
package/dist/request/request-uri.d.ts.map +1 -0
package/dist/request/request-uri.js +24 -0
package/dist/request/request-uri.js.map +1 -0
package/dist/request/types.d.ts +328 -0
package/dist/request/types.d.ts.map +1 -0
package/dist/request/types.js +27 -0
package/dist/request/types.js.map +1 -0
package/dist/signer/signed-token-payload.d.ts +1694 -0
package/dist/signer/signed-token-payload.d.ts.map +1 -0
package/dist/signer/signed-token-payload.js +32 -0
package/dist/signer/signed-token-payload.js.map +1 -0
package/dist/signer/signer.d.ts +193 -0
package/dist/signer/signer.d.ts.map +1 -0
package/dist/signer/signer.js +101 -0
package/dist/signer/signer.js.map +1 -0
package/dist/token/refresh-token.d.ts +7 -0
package/dist/token/refresh-token.d.ts.map +1 -0
package/dist/token/refresh-token.js +20 -0
package/dist/token/refresh-token.js.map +1 -0
package/dist/token/token-claims.d.ts +1687 -0
package/dist/token/token-claims.d.ts.map +1 -0
package/dist/token/token-claims.js +30 -0
package/dist/token/token-claims.js.map +1 -0
package/dist/token/token-data.d.ts +20 -0
package/dist/token/token-data.d.ts.map +1 -0
package/dist/token/token-data.js +3 -0
package/dist/token/token-data.js.map +1 -0
package/dist/token/token-id.d.ts +7 -0
package/dist/token/token-id.d.ts.map +1 -0
package/dist/token/token-id.js +20 -0
package/dist/token/token-id.js.map +1 -0
package/dist/token/token-manager.d.ts +48 -0
package/dist/token/token-manager.d.ts.map +1 -0
package/dist/token/token-manager.js +421 -0
package/dist/token/token-manager.js.map +1 -0
package/dist/token/token-store.d.ts +35 -0
package/dist/token/token-store.d.ts.map +1 -0
package/dist/token/token-store.js +38 -0
package/dist/token/token-store.js.map +1 -0
package/dist/token/types.d.ts +250 -0
package/dist/token/types.d.ts.map +1 -0
package/dist/token/types.js +36 -0
package/dist/token/types.js.map +1 -0
package/dist/token/verify-token-claims.d.ts +17 -0
package/dist/token/verify-token-claims.d.ts.map +1 -0
package/dist/token/verify-token-claims.js +39 -0
package/dist/token/verify-token-claims.js.map +1 -0
package/package.json +83 -0
package/rollup.config.js +55 -0
package/src/access-token/access-token-type.ts +5 -0
package/src/account/account-manager.ts +55 -0
package/src/account/account-store.ts +74 -0
package/src/account/account.ts +10 -0
package/src/assets/app/app.tsx +28 -0
package/src/assets/app/backend-data.ts +65 -0
package/src/assets/app/components/accept-form.tsx +112 -0
package/src/assets/app/components/account-identifier.tsx +18 -0
package/src/assets/app/components/account-picker.tsx +108 -0
package/src/assets/app/components/client-identifier.tsx +32 -0
package/src/assets/app/components/client-name.tsx +30 -0
package/src/assets/app/components/error-card.tsx +41 -0
package/src/assets/app/components/help-card.tsx +42 -0
package/src/assets/app/components/layout-title-page.tsx +43 -0
package/src/assets/app/components/layout-welcome.tsx +58 -0
package/src/assets/app/components/sign-in-form.tsx +290 -0
package/src/assets/app/components/sign-up-account-form.tsx +210 -0
package/src/assets/app/components/sign-up-disclaimer.tsx +44 -0
package/src/assets/app/components/url-viewer.tsx +70 -0
package/src/assets/app/cookies.ts +11 -0
package/src/assets/app/hooks/use-api.ts +104 -0
package/src/assets/app/hooks/use-bound-dispatch.ts +5 -0
package/src/assets/app/hooks/use-csrf-token.ts +5 -0
package/src/assets/app/lib/api.ts +64 -0
package/src/assets/app/lib/clsx.ts +4 -0
package/src/assets/app/lib/util.ts +10 -0
package/src/assets/app/main.css +11 -0
package/src/assets/app/main.tsx +28 -0
package/src/assets/app/views/accept-view.tsx +51 -0
package/src/assets/app/views/authorize-view.tsx +101 -0
package/src/assets/app/views/error-view.tsx +27 -0
package/src/assets/app/views/sign-in-view.tsx +121 -0
package/src/assets/app/views/sign-up-view.tsx +93 -0
package/src/assets/app/views/welcome-view.tsx +61 -0
package/src/assets/asset.ts +8 -0
package/src/assets/assets-middleware.ts +32 -0
package/src/assets/index.ts +74 -0
package/src/client/client-auth.ts +45 -0
package/src/client/client-data.ts +9 -0
package/src/client/client-id.ts +4 -0
package/src/client/client-info.ts +13 -0
package/src/client/client-manager.ts +818 -0
package/src/client/client-store.ts +38 -0
package/src/client/client-utils.ts +43 -0
package/src/client/client.ts +231 -0
package/src/constants.ts +69 -0
package/src/device/device-data.ts +11 -0
package/src/device/device-details.ts +43 -0
package/src/device/device-id.ts +23 -0
package/src/device/device-manager.ts +287 -0
package/src/device/device-store.ts +35 -0
package/src/device/session-id.ts +22 -0
package/src/dpop/dpop-manager.ts +147 -0
package/src/dpop/dpop-nonce.ts +104 -0
package/src/errors/access-denied-error.ts +26 -0
package/src/errors/account-selection-required-error.ts +12 -0
package/src/errors/consent-required-error.ts +12 -0
package/src/errors/invalid-authorization-details-error.ts +22 -0
package/src/errors/invalid-client-error.ts +20 -0
package/src/errors/invalid-client-id-error.ts +20 -0
package/src/errors/invalid-client-metadata-error.ts +19 -0
package/src/errors/invalid-dpop-key-binding-error.ts +21 -0
package/src/errors/invalid-dpop-proof-error.ts +13 -0
package/src/errors/invalid-grant-error.ts +16 -0
package/src/errors/invalid-parameters-error.ts +12 -0
package/src/errors/invalid-redirect-uri-error.ts +17 -0
package/src/errors/invalid-request-error.ts +30 -0
package/src/errors/invalid-token-error.ts +59 -0
package/src/errors/login-required-error.ts +12 -0
package/src/errors/oauth-error.ts +28 -0
package/src/errors/unauthorized-client-error.ts +20 -0
package/src/errors/use-dpop-nonce-error.ts +32 -0
package/src/errors/www-authenticate-error.ts +65 -0
package/src/index.ts +15 -0
package/src/lib/html/README.md +9 -0
package/src/lib/html/build-document.ts +98 -0
package/src/lib/html/escapers.ts +66 -0
package/src/lib/html/html.ts +61 -0
package/src/lib/html/index.ts +5 -0
package/src/lib/html/tags.ts +58 -0
package/src/lib/html/util.ts +21 -0
package/src/lib/http/README.md +11 -0
package/src/lib/http/accept.ts +91 -0
package/src/lib/http/context.ts +11 -0
package/src/lib/http/index.ts +9 -0
package/src/lib/http/method.ts +18 -0
package/src/lib/http/middleware.ts +183 -0
package/src/lib/http/parser.ts +64 -0
package/src/lib/http/path.ts +82 -0
package/src/lib/http/request.ts +141 -0
package/src/lib/http/response.ts +133 -0
package/src/lib/http/route.ts +56 -0
package/src/lib/http/router.ts +118 -0
package/src/lib/http/stream.ts +78 -0
package/src/lib/http/types.ts +22 -0
package/src/lib/http/url.ts +23 -0
package/src/lib/redis.ts +23 -0
package/src/lib/util/authorization-header.ts +26 -0
package/src/lib/util/cast.ts +4 -0
package/src/lib/util/crypto.ts +27 -0
package/src/lib/util/date.ts +7 -0
package/src/lib/util/hostname.ts +19 -0
package/src/lib/util/redirect-uri.ts +46 -0
package/src/lib/util/time.ts +33 -0
package/src/lib/util/type.ts +4 -0
package/src/lib/util/well-known.ts +8 -0
package/src/metadata/build-metadata.ts +165 -0
package/src/oauth-client.ts +3 -0
package/src/oauth-dpop.ts +2 -0
package/src/oauth-errors.ts +21 -0
package/src/oauth-hooks.ts +66 -0
package/src/oauth-provider.ts +1409 -0
package/src/oauth-store.ts +11 -0
package/src/oauth-verifier.ts +219 -0
package/src/oidc/claims.ts +35 -0
package/src/oidc/sub.ts +4 -0
package/src/oidc/userinfo.ts +11 -0
package/src/output/build-error-payload.ts +143 -0
package/src/output/customization.ts +96 -0
package/src/output/send-authorize-page.ts +111 -0
package/src/output/send-authorize-redirect.ts +130 -0
package/src/output/send-error-page.ts +41 -0
package/src/output/send-web-page.ts +66 -0
package/src/parameters/claims-requested.ts +106 -0
package/src/parameters/oidc-payload.ts +28 -0
package/src/replay/replay-manager.ts +38 -0
package/src/replay/replay-store-memory.ts +36 -0
package/src/replay/replay-store-redis.ts +31 -0
package/src/replay/replay-store.ts +44 -0
package/src/request/code.ts +24 -0
package/src/request/request-data.ts +26 -0
package/src/request/request-id.ts +23 -0
package/src/request/request-info.ts +12 -0
package/src/request/request-manager.ts +479 -0
package/src/request/request-store-memory.ts +39 -0
package/src/request/request-store-redis.ts +71 -0
package/src/request/request-store.ts +54 -0
package/src/request/request-uri.ts +29 -0
package/src/request/types.ts +48 -0
package/src/signer/signed-token-payload.ts +35 -0
package/src/signer/signer.ts +165 -0
package/src/token/refresh-token.ts +31 -0
package/src/token/token-claims.ts +31 -0
package/src/token/token-data.ts +33 -0
package/src/token/token-id.ts +26 -0
package/src/token/token-manager.ts +591 -0
package/src/token/token-store.ts +78 -0
package/src/token/types.ts +86 -0
package/src/token/verify-token-claims.ts +65 -0
package/tailwind.config.js +13 -0
package/tsconfig.backend.json +9 -0
package/tsconfig.frontend.json +11 -0
package/tsconfig.json +8 -0
package/tsconfig.tools.json +8 -0

package/src/request/request-manager.ts ADDED Viewed

@@ -0,0 +1,479 @@
+import {
+  CLIENT_ASSERTION_TYPE_JWT_BEARER,
+  OAuthAuthenticationRequestParameters,
+  OAuthAuthorizationServerMetadata,
+} from '@atproto/oauth-types'
+import { DeviceAccountInfo } from '../account/account-store.js'
+import { Account } from '../account/account.js'
+import { ClientAuth } from '../client/client-auth.js'
+import { ClientId } from '../client/client-id.js'
+import { Client } from '../client/client.js'
+import {
+  AUTHORIZATION_INACTIVITY_TIMEOUT,
+  PAR_EXPIRES_IN,
+  TOKEN_MAX_AGE,
+} from '../constants.js'
+import { DeviceId } from '../device/device-id.js'
+import { AccessDeniedError } from '../errors/access-denied-error.js'
+import { ConsentRequiredError } from '../errors/consent-required-error.js'
+import { InvalidGrantError } from '../errors/invalid-grant-error.js'
+import { InvalidParametersError } from '../errors/invalid-parameters-error.js'
+import { InvalidRequestError } from '../errors/invalid-request-error.js'
+import { compareRedirectUri } from '../lib/util/redirect-uri.js'
+import { OAuthHooks } from '../oauth-hooks.js'
+import { OIDC_SCOPE_CLAIMS } from '../oidc/claims.js'
+import { Signer } from '../signer/signer.js'
+import { Code, generateCode } from './code.js'
+import {
+  isRequestDataAuthorized,
+  RequestDataAuthorized,
+} from './request-data.js'
+import { generateRequestId } from './request-id.js'
+import { RequestInfo } from './request-info.js'
+import { RequestStore, UpdateRequestData } from './request-store.js'
+import {
+  decodeRequestUri,
+  encodeRequestUri,
+  RequestUri,
+} from './request-uri.js'
+export class RequestManager {
+  constructor(
+    protected readonly store: RequestStore,
+    protected readonly signer: Signer,
+    protected readonly metadata: OAuthAuthorizationServerMetadata,
+    protected readonly hooks: OAuthHooks,
+    protected readonly pkceRequired = true,
+    protected readonly tokenMaxAge = TOKEN_MAX_AGE,
+  ) {}
+  protected createTokenExpiry() {
+    return new Date(Date.now() + this.tokenMaxAge)
+  }
+  async createAuthorizationRequest(
+    client: Client,
+    clientAuth: ClientAuth,
+    input: Readonly<OAuthAuthenticationRequestParameters>,
+    deviceId: null | DeviceId,
+    dpopJkt: null | string,
+  ): Promise<RequestInfo> {
+    const parameters = await this.validate(client, clientAuth, input, dpopJkt)
+    return this.create(client, clientAuth, parameters, deviceId)
+  }
+  protected async create(
+    client: Client,
+    clientAuth: ClientAuth,
+    parameters: Readonly<OAuthAuthenticationRequestParameters>,
+    deviceId: null | DeviceId = null,
+  ): Promise<RequestInfo> {
+    const expiresAt = new Date(Date.now() + PAR_EXPIRES_IN)
+    const id = await generateRequestId()
+    await this.store.createRequest(id, {
+      clientId: client.id,
+      clientAuth,
+      parameters,
+      expiresAt,
+      deviceId,
+      sub: null,
+      code: null,
+    })
+    const uri = encodeRequestUri(id)
+    return { id, uri, expiresAt, parameters, clientAuth }
+  }
+  async validate(
+    client: Client,
+    clientAuth: ClientAuth,
+    parameters: Readonly<OAuthAuthenticationRequestParameters>,
+    dpopJkt: null | string,
+    pkceRequired = this.pkceRequired,
+  ): Promise<Readonly<OAuthAuthenticationRequestParameters>> {
+    // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-1.4.1
+    // > The authorization server MAY fully or partially ignore the scope
+    // > requested by the client, based on the authorization server policy or
+    // > the resource owner's instructions. If the issued access token scope is
+    // > different from the one requested by the client, the authorization
+    // > server MUST include the scope response parameter in the token response
+    // > (Section 3.2.3) to inform the client of the actual scope granted.
+    const cScopes = client.metadata.scope?.split(' ')
+    const sScopes = this.metadata.scopes_supported
+    const scopes =
+      (parameters.scope || client.metadata.scope)
+        ?.split(' ')
+        .filter((scope) => !!scope && (sScopes?.includes(scope) ?? true)) ?? []
+    for (const scope of scopes) {
+      if (!cScopes?.includes(scope)) {
+        throw new InvalidParametersError(
+          parameters,
+          `Scope "${scope}" is not registered for this client`,
+        )
+      }
+    }
+    for (const [scope, claims] of Object.entries(OIDC_SCOPE_CLAIMS)) {
+      for (const claim of claims) {
+        if (
+          parameters?.claims?.id_token?.[claim]?.essential === true ||
+          parameters?.claims?.userinfo?.[claim]?.essential === true
+        ) {
+          if (!scopes?.includes(scope)) {
+            throw new InvalidParametersError(
+              parameters,
+              `Essential ${claim} claim requires "${scope}" scope`,
+            )
+          }
+        }
+      }
+    }
+    parameters = { ...parameters, scope: scopes.join(' ') }
+    const responseTypes = parameters.response_type.split(' ')
+    if (parameters.authorization_details) {
+      const clientAuthDetailsTypes = client.metadata.authorization_details_types
+      if (!clientAuthDetailsTypes) {
+        throw new InvalidParametersError(
+          parameters,
+          'Client Metadata does not declare any "authorization_details"',
+        )
+      }
+      for (const detail of parameters.authorization_details) {
+        if (!clientAuthDetailsTypes?.includes(detail.type)) {
+          throw new InvalidParametersError(
+            parameters,
+            `Unsupported "authorization_details" type "${detail.type}"`,
+          )
+        }
+      }
+    }
+    const { redirect_uri } = parameters
+    if (
+      redirect_uri &&
+      !client.metadata.redirect_uris.some((uri) =>
+        compareRedirectUri(uri, redirect_uri),
+      )
+    ) {
+      throw new InvalidParametersError(
+        parameters,
+        `Invalid redirect_uri ${redirect_uri} (allowed: ${client.metadata.redirect_uris.join(' ')})`,
+      )
+    }
+    // https://datatracker.ietf.org/doc/html/rfc9449#section-10
+    if (!parameters.dpop_jkt) {
+      if (dpopJkt) parameters = { ...parameters, dpop_jkt: dpopJkt }
+    } else if (parameters.dpop_jkt !== dpopJkt) {
+      throw new InvalidParametersError(
+        parameters,
+        'DPoP header and dpop_jkt do not match',
+      )
+    }
+    if (clientAuth.method === CLIENT_ASSERTION_TYPE_JWT_BEARER) {
+      if (parameters.dpop_jkt && clientAuth.jkt === parameters.dpop_jkt) {
+        throw new InvalidParametersError(
+          parameters,
+          'The DPoP proof must be signed with a different key than the client assertion',
+        )
+      }
+    }
+    if (!client.metadata.response_types.includes(parameters.response_type)) {
+      throw new InvalidParametersError(
+        parameters,
+        `Unsupported response_type "${parameters.response_type}"`,
+        'unsupported_response_type',
+      )
+    }
+    if (pkceRequired && responseTypes.includes('token')) {
+      throw new InvalidParametersError(
+        parameters,
+        `Response type "${parameters.response_type}" is incompatible with PKCE`,
+        'unsupported_response_type',
+      )
+    }
+    // https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1
+    if (pkceRequired && !parameters.code_challenge) {
+      throw new InvalidParametersError(parameters, 'code_challenge is required')
+    }
+    if (
+      parameters.code_challenge &&
+      clientAuth.method === 'none' &&
+      (parameters.code_challenge_method ?? 'plain') === 'plain'
+    ) {
+      throw new InvalidParametersError(
+        parameters,
+        'code_challenge_method=plain requires client authentication',
+      )
+    }
+    // https://datatracker.ietf.org/doc/html/rfc7636#section-4.3
+    if (parameters.code_challenge_method && !parameters.code_challenge) {
+      throw new InvalidParametersError(
+        parameters,
+        'code_challenge_method requires code_challenge',
+      )
+    }
+    // https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
+    //
+    // > nonce: REQUIRED if the Response Type of the request is "code id_token" or
+    // >   "code id_token token" and OPTIONAL when the Response Type of the
+    // >   request is "code token". It is a string value used to associate a
+    // >   Client session with an ID Token, and to mitigate replay attacks. The
+    // >   value is passed through unmodified from the Authentication Request to
+    // >   the ID Token. Sufficient entropy MUST be present in the nonce values
+    // >   used to prevent attackers from guessing values. For implementation
+    // >   notes, see Section 15.5.2.
+    if (responseTypes.includes('id_token') && !parameters.nonce) {
+      throw new InvalidParametersError(
+        parameters,
+        'nonce is required for implicit and hybrid flows',
+      )
+    }
+    // Make "expensive" checks after the "cheaper" checks
+    if (parameters.id_token_hint != null) {
+      const { payload } = await this.signer.verify(parameters.id_token_hint, {
+        // these are meant to be outdated when used as a hint
+        clockTolerance: Infinity,
+      })
+      if (!payload.sub) {
+        throw new InvalidParametersError(
+          parameters,
+          `Unexpected empty id_token_hint "sub"`,
+        )
+      } else if (parameters.login_hint == null) {
+        parameters = { ...parameters, login_hint: payload.sub }
+      } else if (parameters.login_hint !== payload.sub) {
+        throw new InvalidParametersError(
+          parameters,
+          'login_hint does not match "sub" of id_token_hint',
+        )
+      }
+    }
+    // ATPROTO extension: if the client is not trusted, force users to consent
+    // to authorization requests. We do this to avoid unauthenticated clients
+    // from being able to silently re-authenticate users.
+    if (clientAuth.method === 'none' && !client.info.isFirstParty) {
+      if (parameters.prompt === 'none') {
+        throw new ConsentRequiredError(
+          parameters,
+          'Public clients are not allowed to use silent-sign-on',
+        )
+      }
+      // force "consent" for unauthenticated, third party clients
+      parameters = { ...parameters, prompt: 'consent' }
+    }
+    return parameters
+  }
+  async get(
+    uri: RequestUri,
+    clientId: ClientId,
+    deviceId: DeviceId,
+  ): Promise<RequestInfo> {
+    const id = decodeRequestUri(uri)
+    const data = await this.store.readRequest(id)
+    if (!data) throw new InvalidRequestError(`Unknown request_uri "${uri}"`)
+    const updates: UpdateRequestData = {}
+    try {
+      if (data.sub || data.code) {
+        // If an account was linked to the request, the next step is to exchange
+        // the code for a token.
+        throw new AccessDeniedError(
+          data.parameters,
+          'This request was already authorized',
+        )
+      }
+      if (data.expiresAt < new Date()) {
+        throw new AccessDeniedError(data.parameters, 'This request has expired')
+      } else {
+        updates.expiresAt = new Date(
+          Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT,
+        )
+      }
+      if (data.clientId !== clientId) {
+        throw new AccessDeniedError(
+          data.parameters,
+          'This request was initiated for another client',
+        )
+      }
+      if (!data.deviceId) {
+        updates.deviceId = deviceId
+      } else if (data.deviceId !== deviceId) {
+        throw new AccessDeniedError(
+          data.parameters,
+          'This request was initiated from another device',
+        )
+      }
+    } catch (err) {
+      await this.store.deleteRequest(id)
+      throw err
+    }
+    if (Object.keys(updates).length > 0) {
+      await this.store.updateRequest(id, updates)
+    }
+    return {
+      id,
+      uri,
+      expiresAt: updates.expiresAt || data.expiresAt,
+      parameters: data.parameters,
+      clientAuth: data.clientAuth,
+    }
+  }
+  async setAuthorized(
+    client: Client,
+    uri: RequestUri,
+    deviceId: DeviceId,
+    account: Account,
+    info: DeviceAccountInfo,
+  ): Promise<{ code?: Code; token?: string; id_token?: string }> {
+    const id = decodeRequestUri(uri)
+    const data = await this.store.readRequest(id)
+    if (!data) throw new InvalidRequestError(`Unknown request_uri "${uri}"`)
+    try {
+      if (data.expiresAt < new Date()) {
+        throw new AccessDeniedError(data.parameters, 'This request has expired')
+      }
+      if (!data.deviceId) {
+        throw new AccessDeniedError(
+          data.parameters,
+          'This request was not initiated',
+        )
+      }
+      if (data.deviceId !== deviceId) {
+        throw new AccessDeniedError(
+          data.parameters,
+          'This request was initiated from another device',
+        )
+      }
+      if (data.sub || data.code) {
+        throw new AccessDeniedError(
+          data.parameters,
+          'This request was already authorized',
+        )
+      }
+      const responseType = data.parameters.response_type.split(' ')
+      if (responseType.includes('token')) {
+        throw new AccessDeniedError(
+          data.parameters,
+          'Implicit "token" forbidden (use "code" with PKCE instead)',
+        )
+      }
+      const code = responseType.includes('code')
+        ? await generateCode()
+        : undefined
+      // Bind the request to the account, preventing it from being used again.
+      await this.store.updateRequest(id, {
+        sub: account.sub,
+        code,
+        // Allow the client to exchange the code for a token within the next 60 seconds.
+        expiresAt: new Date(Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT),
+      })
+      const id_token = responseType.includes('id_token')
+        ? await this.signer.idToken(client, data.parameters, account, {
+            auth_time: info.authenticatedAt,
+            exp: this.createTokenExpiry(),
+            code,
+          })
+        : undefined
+      return { code, id_token }
+    } catch (err) {
+      await this.store.deleteRequest(id)
+      throw err
+    }
+  }
+  /**
+   * @note If this method throws an error, any token previously generated from
+   * the same `code` **must** me revoked.
+   */
+  public async findCode(
+    client: Client,
+    clientAuth: ClientAuth,
+    code: Code,
+  ): Promise<RequestDataAuthorized> {
+    const result = await this.store.findRequestByCode(code)
+    if (!result) throw new InvalidGrantError('Invalid code')
+    try {
+      const { data } = result
+      if (!isRequestDataAuthorized(data)) {
+        // Should never happen: maybe the store implementation is faulty ?
+        throw new Error('Unexpected request state')
+      }
+      if (data.clientId !== client.id) {
+        throw new InvalidGrantError('This code was issued for another client')
+      }
+      if (data.expiresAt < new Date()) {
+        throw new InvalidGrantError('This code has expired')
+      }
+      if (data.clientAuth.method === 'none') {
+        // If the client did not use PAR, it was not authenticated when the
+        // request was created (see authorize() method above). Since PAR is not
+        // mandatory, and since the token exchange currently taking place *is*
+        // authenticated (`clientAuth`), we allow "upgrading" the authentication
+        // method (the token created will be bound to the current clientAuth).
+      } else {
+        if (clientAuth.method !== data.clientAuth.method) {
+          throw new InvalidGrantError('Invalid client authentication')
+        }
+        if (!(await client.validateClientAuth(data.clientAuth))) {
+          throw new InvalidGrantError('Invalid client authentication')
+        }
+      }
+      return data
+    } finally {
+      // A "code" can only be used once
+      await this.store.deleteRequest(result.id)
+    }
+  }
+  async delete(uri: RequestUri): Promise<void> {
+    const id = decodeRequestUri(uri)
+    await this.store.deleteRequest(id)
+  }
+}

package/src/request/request-store-memory.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import { Code } from './code.js'
+import { RequestId } from './request-id.js'
+import { RequestData } from './request-data.js'
+import { RequestStore } from './request-store.js'
+export class RequestStoreMemory implements RequestStore {
+  #requests = new Map<RequestId, RequestData>()
+  async readRequest(id: RequestId): Promise<RequestData | null> {
+    return this.#requests.get(id) ?? null
+  }
+  async createRequest(id: RequestId, data: RequestData): Promise<void> {
+    this.#requests.set(id, data)
+  }
+  async updateRequest(
+    id: RequestId,
+    data: Partial<RequestData>,
+  ): Promise<void> {
+    const current = this.#requests.get(id)
+    if (!current) throw new Error('Request not found')
+    const newData = { ...current, ...data }
+    this.#requests.set(id, newData)
+  }
+  async deleteRequest(id: RequestId): Promise<void> {
+    this.#requests.delete(id)
+  }
+  async findRequestByCode(
+    code: Code,
+  ): Promise<{ id: RequestId; data: RequestData } | null> {
+    for (const [id, data] of this.#requests) {
+      if (data.code === code) return { id, data }
+    }
+    return null
+  }
+}

package/src/request/request-store-redis.ts ADDED Viewed

@@ -0,0 +1,71 @@
+import { Redis } from 'ioredis'
+import { CreateRedisOptions, createRedis } from '../lib/redis.js'
+import { Code } from './code.js'
+import { RequestData } from './request-data.js'
+import { RequestId, requestIdSchema } from './request-id.js'
+import { RequestStore } from './request-store.js'
+export type { Redis, CreateRedisOptions }
+export type ReplayStoreRedisOptions = {
+  redis: CreateRedisOptions
+}
+export class RequestStoreRedis implements RequestStore {
+  private readonly redis: Redis
+  constructor(options: ReplayStoreRedisOptions) {
+    this.redis = createRedis(options.redis)
+  }
+  async readRequest(id: RequestId): Promise<RequestData | null> {
+    const data = await this.redis.get(id)
+    return data ? JSON.parse(data) : null
+  }
+  async createRequest(id: RequestId, data: RequestData): Promise<void> {
+    const timeFrame = data.expiresAt.getTime() - Date.now()
+    await this.redis.set(id, JSON.stringify(data), 'PX', timeFrame)
+    if (data.code) await this.redis.set(data.code, id, 'PX', timeFrame)
+  }
+  async updateRequest(
+    id: RequestId,
+    data: Partial<RequestData>,
+  ): Promise<void> {
+    const current = await this.readRequest(id)
+    if (!current) throw new Error('Request not found')
+    if (current.code) await this.redis.del(current.code)
+    const newData = { ...current, ...data }
+    await this.createRequest(id, newData)
+  }
+  async deleteRequest(id: RequestId): Promise<void> {
+    const data = await this.readRequest(id)
+    if (!data) return
+    if (data.code) await this.redis.del(data.code)
+    await this.redis.del(id)
+  }
+  private async findRequestIdByCode(code: Code): Promise<RequestId | null> {
+    const value = await this.redis.get(code)
+    if (!value) return null
+    const parsed = requestIdSchema.safeParse(value)
+    if (!parsed.success) return null
+    return parsed.data
+  }
+  async findRequestByCode(
+    code: Code,
+  ): Promise<{ id: RequestId; data: RequestData } | null> {
+    const id = await this.findRequestIdByCode(code)
+    if (!id) return null
+    const data = await this.readRequest(id)
+    if (!data) return null
+    return { id, data }
+  }
+}

package/src/request/request-store.ts ADDED Viewed

@@ -0,0 +1,54 @@
+import { Awaitable } from '../lib/util/type.js'
+import { Code } from './code.js'
+import { RequestData } from './request-data.js'
+import { RequestId } from './request-id.js'
+// Export all types needed to implement the RequestStore interface
+export * from './code.js'
+export * from './request-id.js'
+export * from './request-data.js'
+export type { Awaitable }
+export type UpdateRequestData = Pick<
+  Partial<RequestData>,
+  'sub' | 'code' | 'deviceId' | 'expiresAt'
+>
+export type FoundRequestResult = {
+  id: RequestId
+  data: RequestData
+}
+export interface RequestStore {
+  createRequest(id: RequestId, data: RequestData): Awaitable<void>
+  /**
+   * Note that expired requests **can** be returned to yield a different error
+   * message than if the request was not found.
+   */
+  readRequest(id: RequestId): Awaitable<RequestData | null>
+  updateRequest(id: RequestId, data: UpdateRequestData): Awaitable<void>
+  deleteRequest(id: RequestId): void | Awaitable<void>
+  findRequestByCode(code: Code): Awaitable<FoundRequestResult | null>
+}
+export function isRequestStore(
+  implementation: Record<string, unknown> & Partial<RequestStore>,
+): implementation is Record<string, unknown> & RequestStore {
+  return (
+    typeof implementation.createRequest === 'function' &&
+    typeof implementation.readRequest === 'function' &&
+    typeof implementation.updateRequest === 'function' &&
+    typeof implementation.deleteRequest === 'function' &&
+    typeof implementation.findRequestByCode === 'function'
+  )
+}
+export function ifRequestStore(
+  implementation?: Record<string, unknown> & Partial<RequestStore>,
+): RequestStore | undefined {
+  if (implementation && isRequestStore(implementation)) {
+    return implementation
+  }
+  return undefined
+}

package/src/request/request-uri.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import { z } from 'zod'
+import { RequestId, requestIdSchema } from './request-id.js'
+export const REQUEST_URI_PREFIX = 'urn:ietf:params:oauth:request_uri:'
+export const requestUriSchema = z
+  .string()
+  .url()
+  .refinement(
+    (data): data is `${typeof REQUEST_URI_PREFIX}${RequestId}` =>
+      data.startsWith(REQUEST_URI_PREFIX) &&
+      requestIdSchema.safeParse(decodeRequestUri(data as any)).success,
+    {
+      code: z.ZodIssueCode.custom,
+      message: 'Invalid request_uri format',
+    },
+  )
+export type RequestUri = z.infer<typeof requestUriSchema>
+export function encodeRequestUri(requestId: RequestId): RequestUri {
+  return `${REQUEST_URI_PREFIX}${encodeURIComponent(requestId) as RequestId}`
+}
+export function decodeRequestUri(requestUri: RequestUri): RequestId {
+  const requestIdEnc = requestUri.slice(REQUEST_URI_PREFIX.length)
+  return decodeURIComponent(requestIdEnc) as RequestId
+}