@atproto/oauth-provider 0.1.0

package/dist/client/client-manager.js

@@ -0,0 +1,534 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClientManager = void 0;
+const fetch_1 = require("@atproto-labs/fetch");
+const pipe_1 = require("@atproto-labs/pipe");
+const simple_store_1 = require("@atproto-labs/simple-store");
+const jwk_1 = require("@atproto/jwk");
+const oauth_types_1 = require("@atproto/oauth-types");
+const constants_js_1 = require("../constants.js");
+const invalid_client_metadata_error_js_1 = require("../errors/invalid-client-metadata-error.js");
+const invalid_redirect_uri_error_js_1 = require("../errors/invalid-redirect-uri-error.js");
+const oauth_error_js_1 = require("../errors/oauth-error.js");
+const hostname_js_1 = require("../lib/util/hostname.js");
+const client_utils_js_1 = require("./client-utils.js");
+const client_js_1 = require("./client.js");
+const fetchMetadataHandler = (0, pipe_1.pipe)((0, fetch_1.fetchOkProcessor)(), (0, fetch_1.fetchJsonProcessor)('application/json', false), (0, fetch_1.fetchJsonZodProcessor)(oauth_types_1.oauthClientMetadataSchema));
+const fetchJwksHandler = (0, pipe_1.pipe)((0, fetch_1.fetchOkProcessor)(), (0, fetch_1.fetchJsonProcessor)('application/json', false), (0, fetch_1.fetchJsonZodProcessor)(jwk_1.jwksSchema));
+class ClientManager {
+    keyset;
+    hooks;
+    store;
+    loopbackMetadata;
+    jwks;
+    metadata;
+    constructor(keyset, hooks, store, loopbackMetadata = null, safeFetch, clientJwksCache, clientMetadataCache) {
+        this.keyset = keyset;
+        this.hooks = hooks;
+        this.store = store;
+        this.loopbackMetadata = loopbackMetadata;
+        const fetch = (0, fetch_1.bindFetch)(safeFetch);
+        this.jwks = new simple_store_1.CachedGetter(async (uri, options) => {
+            const jwks = await fetch(buildJsonGetRequest(uri, options)).then(fetchJwksHandler);
+            return jwks;
+        }, clientJwksCache);
+        this.metadata = new simple_store_1.CachedGetter(async (uri, options) => {
+            const metadata = await fetch(buildJsonGetRequest(uri, options)).then(fetchMetadataHandler);
+            // Validate within the getter to avoid caching invalid metadata
+            return this.validateClientMetadata(uri, metadata);
+        }, clientMetadataCache);
+    }
+    /**
+     *
+     * @see {@link https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2 OIDC Client Registration}
+     */
+    async getClient(clientId) {
+        try {
+            const metadata = await this.getClientMetadata(clientId);
+            const jwks = metadata.jwks_uri
+                ? await this.jwks.get(metadata.jwks_uri)
+                : undefined;
+            const partialInfo = await this.hooks.onClientInfo?.(clientId, {
+                metadata,
+                jwks,
+            });
+            const isFirstParty = partialInfo?.isFirstParty ?? false;
+            const isTrusted = partialInfo?.isTrusted ??
+                (isFirstParty ||
+                    // If the client was loaded from the store, we consider it trusted:
+                    (!(0, oauth_types_1.isOAuthClientIdLoopback)(clientId) &&
+                        !(0, oauth_types_1.isOAuthClientIdDiscoverable)(clientId)));
+            return new client_js_1.Client(clientId, metadata, jwks, { isFirstParty, isTrusted });
+        }
+        catch (err) {
+            if (err instanceof oauth_error_js_1.OAuthError)
+                throw err;
+            if (err?.['code'] === 'DEPTH_ZERO_SELF_SIGNED_CERT') {
+                throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Self-signed certificate', err);
+            }
+            throw invalid_client_metadata_error_js_1.InvalidClientMetadataError.from(err);
+        }
+    }
+    async getClientMetadata(clientId) {
+        if ((0, oauth_types_1.isOAuthClientIdLoopback)(clientId)) {
+            return this.getLoopbackClientMetadata(clientId);
+        }
+        else if ((0, oauth_types_1.isOAuthClientIdDiscoverable)(clientId)) {
+            return this.getDiscoverableClientMetadata(clientId);
+        }
+        else if (this.store) {
+            return this.getStoredClientMetadata(clientId);
+        }
+        throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Invalid client ID "${clientId}"`);
+    }
+    async getLoopbackClientMetadata(clientId) {
+        const { loopbackMetadata } = this;
+        if (!loopbackMetadata) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Loopback clients are not allowed');
+        }
+        const result = oauth_types_1.oauthClientMetadataSchema.safeParse(await loopbackMetadata(clientId));
+        if (!result.success) {
+            throw invalid_client_metadata_error_js_1.InvalidClientMetadataError.from(result.error);
+        }
+        return this.validateClientMetadata(clientId, result.data);
+    }
+    async getDiscoverableClientMetadata(clientId) {
+        const metadataUrl = (0, client_utils_js_1.parseDiscoverableClientId)(clientId);
+        const metadata = await this.metadata.get(metadataUrl.href);
+        // Note: we do *not* re-validate the metadata here, as the metadata is
+        // validated within the getter. This is to avoid double validation.
+        //
+        // return this.validateClientMetadata(metadataUrl.href, metadata)
+        return metadata;
+    }
+    async getStoredClientMetadata(clientId) {
+        if (this.store) {
+            const metadata = await this.store.findClient(clientId);
+            return this.validateClientMetadata(clientId, metadata);
+        }
+        throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Invalid client ID "${clientId}"`);
+    }
+    /**
+     * This method will ensure that the client metadata is valid w.r.t. the OAuth
+     * and OIDC specifications. It will also ensure that the metadata is
+     * compatible with the implementation of this library, and ATPROTO's
+     * requirements.
+     */
+    validateClientMetadata(clientId, metadata) {
+        if (metadata.jwks && metadata.jwks_uri) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('jwks_uri and jwks are mutually exclusive');
+        }
+        const clientUriUrl = metadata.client_uri
+            ? new URL(metadata.client_uri)
+            : null;
+        const clientUriParsed = clientUriUrl ? (0, hostname_js_1.parseUrlDomain)(clientUriUrl) : null;
+        if (clientUriUrl && !clientUriParsed) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('client_uri must be a valid URL');
+        }
+        const scopes = metadata.scope?.split(' ');
+        if (metadata.grant_types.includes('refresh_token') !==
+            (scopes?.includes('offline_access') ?? false)) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Grant type "refresh_token" requires scope "offline_access" (and vice versa)');
+        }
+        for (const grantType of metadata.grant_types) {
+            switch (grantType) {
+                case 'authorization_code':
+                case 'refresh_token':
+                case 'implicit': // Required by OIDC (for id_token)
+                    continue;
+                case 'password':
+                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Grant type "${grantType}" is not allowed`);
+                default:
+                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Grant type "${grantType}" is not supported`);
+            }
+        }
+        if (metadata.client_id && metadata.client_id !== clientId) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('client_id does not match');
+        }
+        if (metadata.subject_type && metadata.subject_type !== 'public') {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Only "public" subject_type is supported');
+        }
+        if (metadata.userinfo_signed_response_alg &&
+            !this.keyset.signAlgorithms.includes(metadata.userinfo_signed_response_alg)) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Unsupported "userinfo_signed_response_alg" ${metadata.userinfo_signed_response_alg}`);
+        }
+        if (metadata.id_token_signed_response_alg &&
+            !this.keyset.signAlgorithms.includes(metadata.id_token_signed_response_alg)) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Unsupported "id_token_signed_response_alg" ${metadata.id_token_signed_response_alg}`);
+        }
+        if (metadata.userinfo_encrypted_response_alg) {
+            // We only support signature for now.
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Encrypted userinfo response is not supported');
+        }
+        if (!metadata[`token_endpoint_auth_method`]) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Missing token_endpoint_auth_method client metadata');
+        }
+        for (const endpoint of oauth_types_1.OAUTH_AUTHENTICATED_ENDPOINT_NAMES) {
+            const method = metadata[`${endpoint}_endpoint_auth_method`] ||
+                metadata[`token_endpoint_auth_method`];
+            switch (method) {
+                case 'none':
+                    if (metadata.token_endpoint_auth_signing_alg) {
+                        throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`${endpoint}_endpoint_auth_method "none" must not have ${endpoint}_endpoint_auth_signing_alg`);
+                    }
+                    break;
+                case 'private_key_jwt':
+                    if (!metadata.jwks && !metadata.jwks_uri) {
+                        throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`private_key_jwt auth method requires jwks or jwks_uri`);
+                    }
+                    if (metadata.jwks?.keys.length === 0) {
+                        throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`private_key_jwt auth method requires at least one key in jwks`);
+                    }
+                    if (!metadata.token_endpoint_auth_signing_alg) {
+                        throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Missing token_endpoint_auth_signing_alg client metadata`);
+                    }
+                    break;
+                default:
+                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`${method} is not a supported "${endpoint}_endpoint_auth_method". Use "private_key_jwt" or "none".`);
+            }
+        }
+        if (metadata.authorization_encrypted_response_enc) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Encrypted authorization response is not supported');
+        }
+        if (metadata.tls_client_certificate_bound_access_tokens) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Mutual-TLS bound access tokens are not supported');
+        }
+        if (metadata.authorization_encrypted_response_enc &&
+            !metadata.authorization_encrypted_response_alg) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('authorization_encrypted_response_enc requires authorization_encrypted_response_alg');
+        }
+        // ATPROTO spec requires the use of DPoP (OAuth spec defaults to false)
+        if (metadata.dpop_bound_access_tokens !== true) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('"dpop_bound_access_tokens" must be true');
+        }
+        for (const responseType of metadata.response_types) {
+            const rt = responseType.split(' ');
+            // ATPROTO spec requires the use of PKCE
+            if (rt.includes('token')) {
+                throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('"token" response type is not compatible with PKCE (use "code" instead)');
+            }
+            // Consistency check
+            if (rt.includes('code') &&
+                !metadata.grant_types.includes('authorization_code')) {
+                throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Response type "${responseType}" requires the "authorization_code" grant type`);
+            }
+            // Asking for "code token" or "code id_token" is fine (as long as the
+            // grant_types includes "authorization_code" and the scope includes
+            // "openid"). Asking for "token" or "id_token" (without "code") requires
+            // the "implicit" grant type.
+            if ((rt.includes('token') || rt.includes('id_token')) &&
+                !metadata.grant_types.includes('implicit')) {
+                throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Response type "${responseType}" requires the "implicit" grant type`);
+            }
+        }
+        if (metadata.application_type === 'native') {
+            // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
+            //
+            // > Except when using a mechanism like Dynamic Client Registration
+            // > [RFC7591] to provision per-instance secrets, native apps are
+            // > classified as public clients, as defined by Section 2.1 of OAuth 2.0
+            // > [RFC6749]; they MUST be registered with the authorization server as
+            // > such.  Authorization servers MUST record the client type in the
+            // > client registration details in order to identify and process requests
+            // > accordingly.
+        }
+        if (!metadata.redirect_uris?.length) {
+            // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
+            //
+            // >  OPs can require that request_uri values used be pre-registered with
+            // > the require_request_uri_registration discovery parameter.
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('At least one redirect_uri is required');
+        }
+        if (metadata.application_type === 'web' &&
+            metadata.grant_types.includes('implicit')) {
+            // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
+            //
+            // > Web Clients [as defined by "application_type"] using the OAuth
+            // > Implicit Grant Type MUST only register URLs using the https
+            // > scheme as redirect_uris; they MUST NOT use localhost as the
+            // > hostname.
+            for (const redirectUri of metadata.redirect_uris) {
+                const url = (0, client_utils_js_1.parseRedirectUri)(redirectUri);
+                if (url.protocol !== 'https:') {
+                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Web clients must use HTTPS redirect URIs`);
+                }
+                if (url.hostname === 'localhost') {
+                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Web clients must not use localhost as the hostname`);
+                }
+            }
+        }
+        if (metadata.application_type === 'native') {
+            // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
+            //
+            // > Native Clients [as defined by "application_type"] MUST only
+            // > register redirect_uris using custom URI schemes or loopback URLs
+            // > using the http scheme; loopback URLs use localhost or the IP
+            // > loopback literals 127.0.0.1 or [::1] as the hostname.
+            for (const redirectUri of metadata.redirect_uris) {
+                const url = (0, client_utils_js_1.parseRedirectUri)(redirectUri);
+                if (url.protocol !== 'http:') {
+                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Native clients must use HTTP redirect URIs (got ${url})`);
+                }
+                if (!(0, oauth_types_1.isLoopbackHost)(url.hostname) && !isPrivateUseUriScheme(url)) {
+                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError('Loopback redirect URIs are only allowed for native apps');
+                }
+            }
+        }
+        if (metadata.application_type === 'native') {
+            // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
+            //
+            // > Authorization Servers MAY reject Redirection URI values using
+            // > the http scheme, other than the loopback case for Native
+            // > Clients.
+            for (const redirectUri of metadata.redirect_uris) {
+                const url = (0, client_utils_js_1.parseRedirectUri)(redirectUri);
+                if (url.protocol === 'http:' && !(0, oauth_types_1.isLoopbackUrl)(url)) {
+                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Native clients must not use HTTP redirect URIs (got ${url})`);
+                }
+            }
+        }
+        for (const redirectUri of metadata.redirect_uris) {
+            const url = (0, client_utils_js_1.parseRedirectUri)(redirectUri);
+            if (url.username || url.password) {
+                // Is this a valid concern? Should we allow credentials in the URI?
+                throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Redirect URI ${url} must not contain credentials`);
+            }
+            switch (true) {
+                // FIRST: Loopback redirect URI exception (only for native apps)
+                case url.hostname === 'localhost': {
+                    // https://datatracker.ietf.org/doc/html/rfc8252#section-8.3
+                    //
+                    // > While redirect URIs using localhost (i.e.,
+                    // > "http://localhost:{port}/{path}") function similarly to loopback IP
+                    // > redirects described in Section 7.3, the use of localhost is NOT
+                    // > RECOMMENDED. Specifying a redirect URI with the loopback IP literal
+                    // > rather than localhost avoids inadvertently listening on network
+                    // > interfaces other than the loopback interface. It is also less
+                    // > susceptible to client-side firewalls and misconfigured host name
+                    // > resolution on the user's device.
+                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Loopback redirect URI ${url} is not allowed (use explicit IPs instead)`);
+                }
+                // falls through
+                case url.hostname === '127.0.0.1':
+                case url.hostname === '[::1]': {
+                    // https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
+                    //
+                    // > Loopback redirect URIs use the "http" scheme and are constructed
+                    // > with the loopback IP literal and whatever port the client is
+                    // > listening on. That is, "http://127.0.0.1:{port}/{path}" for IPv4,
+                    // > and "http://[::1]:{port}/{path}" for IPv6.
+                    if (metadata.application_type !== 'native') {
+                        throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Loopback redirect URIs are only allowed for native apps`);
+                    }
+                    if (url.port) {
+                        // https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
+                        //
+                        // > The authorization server MUST allow any port to be specified at
+                        // > the time of the request for loopback IP redirect URIs, to
+                        // > accommodate clients that obtain an available ephemeral port
+                        // > from the operating system at the time of the request.
+                        //
+                        // Note: although validation of the redirect_uri will ignore the
+                        // port we still allow it to be specified, as the spec does not
+                        // forbid it. If a port number is specified, ports will need to
+                        // match when validating authorization requests. See
+                        // "compareRedirectUri()".
+                    }
+                    if (url.protocol !== 'http:') {
+                        throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Loopback redirect URI ${url} must use HTTP`);
+                    }
+                    break;
+                }
+                // SECOND: Protocol-based URI Redirection
+                case url.protocol === 'http:': {
+                    // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
+                    //
+                    // > request_uri [...] URLs MUST use the https scheme unless the
+                    // > target Request Object is signed in a way that is verifiable by
+                    // > the OP.
+                    //
+                    // TODO: Should we allow this (and check for signed request objects)?
+                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Non loopback redirect URI ${url} must use HTTPS`);
+                }
+                case url.protocol === 'https:': {
+                    const redirectUriDomain = (0, hostname_js_1.parseUrlDomain)(url);
+                    if (!redirectUriDomain) {
+                        throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Redirect URI ${url} must be a valid URL`);
+                    }
+                    // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
+                    //
+                    // > In addition to the collision-resistant properties, requiring a
+                    // > URI scheme based on a domain name that is under the control of
+                    // > the app can help to prove ownership in the event of a dispute
+                    // > where two apps claim the same private-use URI scheme (where one
+                    // > app is acting maliciously).
+                    //
+                    // Although this only applies to "native" clients (extract being from
+                    // rfc8252), we apply this rule to "web" clients as well.
+                    if (!clientUriParsed) {
+                        throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('client_uri is required for HTTPS redirect URIs');
+                    }
+                    else {
+                        if (redirectUriDomain.domain !== clientUriParsed.domain) {
+                            throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Redirect URI ${url} must be under the same domain as client_uri ${metadata.client_uri}`);
+                        }
+                    }
+                    break;
+                }
+                case isPrivateUseUriScheme(url): {
+                    // https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
+                    //
+                    // > When choosing a URI scheme to associate with the app, apps MUST
+                    // > use a URI scheme based on a domain name under their control,
+                    // > expressed in reverse order, as recommended by Section 3.8 of
+                    // > [RFC7595] for private-use URI schemes.
+                    if (metadata.application_type !== 'native') {
+                        throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Private-Use URI Scheme redirect URI are only allowed for native apps`);
+                    }
+                    const redirectUriDomain = (0, hostname_js_1.parseDomain)(reverseDomain(url.protocol.slice(0, -1)));
+                    if (!redirectUriDomain) {
+                        throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Private-use URI Scheme redirect URI must be based on a valid domain name`);
+                    }
+                    // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
+                    //
+                    // > In addition to the collision-resistant properties, requiring a
+                    // > URI scheme based on a domain name that is under the control of
+                    // > the app can help to prove ownership in the event of a dispute
+                    // > where two apps claim the same private-use URI scheme (where one
+                    // > app is acting maliciously).
+                    if (!clientUriParsed) {
+                        throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('client_uri is required for native apps using private-use URI Scheme redirect URIs');
+                    }
+                    else {
+                        if (redirectUriDomain.domain !== clientUriParsed.domain) {
+                            throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Private-Use URI Scheme redirect URI ${url} must be under the same domain as client_uri ${metadata.client_uri}`);
+                        }
+                    }
+                    // https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
+                    //
+                    // > Following the requirements of Section 3.2 of [RFC3986], as there
+                    // > is no naming authority for private-use URI scheme redirects, only
+                    // > a single slash ("/") appears after the scheme component.
+                    if (url.href.startsWith(`${url.protocol}//`) ||
+                        url.username ||
+                        url.password ||
+                        url.hostname ||
+                        url.port) {
+                        throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Private-Use URI Scheme must be in the form ${url.protocol}/<path>`);
+                    }
+                    break;
+                }
+                default:
+                    // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
+                    //
+                    // > At a minimum, any private-use URI scheme that doesn't contain a
+                    // > period character (".") SHOULD be rejected.
+                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Invalid redirect URI scheme "${url.protocol}"`);
+            }
+        }
+        if ((0, oauth_types_1.isOAuthClientIdLoopback)(clientId)) {
+            return this.validateLoopbackClientMetadata(clientId, metadata);
+        }
+        else if ((0, oauth_types_1.isOAuthClientIdDiscoverable)(clientId)) {
+            return this.validateDiscoverableClientMetadata(clientId, metadata);
+        }
+        else {
+            return metadata;
+        }
+    }
+    validateLoopbackClientMetadata(clientId, metadata) {
+        if (metadata.client_uri) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('client_uri is not allowed for loopback clients');
+        }
+        if (metadata.application_type !== 'native') {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Loopback clients must have application_type "native"');
+        }
+        if (!constants_js_1.ALLOW_LOOPBACK_CLIENT_REFRESH_TOKEN &&
+            metadata.grant_types.includes('refresh_token')) {
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError('Loopback clients are not allowed to use the "refresh_token" grant type');
+        }
+        for (const endpoint of oauth_types_1.OAUTH_AUTHENTICATED_ENDPOINT_NAMES) {
+            const method = metadata[`${endpoint}_endpoint_auth_method`] ||
+                metadata[`token_endpoint_auth_method`];
+            if (method !== 'none') {
+                throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Loopback clients are not allowed to use "${endpoint}_endpoint_auth_method" ${method}`);
+            }
+        }
+        for (const redirectUri of metadata.redirect_uris) {
+            const url = (0, client_utils_js_1.parseRedirectUri)(redirectUri);
+            if (url.protocol !== 'http:') {
+                throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Loopback clients must use HTTP redirect URIs`);
+            }
+            if (!(0, oauth_types_1.isLoopbackHost)(url.hostname)) {
+                throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Loopback clients must use loopback redirect URIs`);
+            }
+        }
+        return metadata;
+    }
+    validateDiscoverableClientMetadata(clientId, metadata) {
+        if (!metadata.client_id) {
+            // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
+            throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`client_id is required for discoverable clients`);
+        }
+        const clientIdUrl = (0, client_utils_js_1.parseDiscoverableClientId)(clientId);
+        if (metadata.client_uri) {
+            // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
+            //
+            // The client_uri must be a parent of the client_id URL. This might be
+            // relaxed in the future.
+            const clientUriUrl = new URL(metadata.client_uri);
+            if (clientUriUrl.origin !== clientIdUrl.origin) {
+                throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`client_uri must have the same origin as the client_id`);
+            }
+            if (clientIdUrl.pathname !== clientUriUrl.pathname) {
+                if (!clientIdUrl.pathname.startsWith(clientUriUrl.pathname.endsWith('/')
+                    ? clientUriUrl.pathname
+                    : `${clientUriUrl.pathname}/`)) {
+                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`client_uri must be a parent URL of the client_id`);
+                }
+            }
+        }
+        for (const endpoint of oauth_types_1.OAUTH_AUTHENTICATED_ENDPOINT_NAMES) {
+            const method = metadata[`${endpoint}_endpoint_auth_method`];
+            switch (method) {
+                case 'client_secret_post':
+                case 'client_secret_basic':
+                case 'client_secret_jwt':
+                    throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Client authentication method "${method}" is not allowed for discoverable clients`);
+            }
+        }
+        for (const redirectUri of metadata.redirect_uris) {
+            const url = (0, client_utils_js_1.parseRedirectUri)(redirectUri);
+            if (isPrivateUseUriScheme(url)) {
+                // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
+                //
+                // Fully qualified domain name (FQDN) of the client_id, in reverse
+                // order. This could be relaxed to allow same apex domain names, or
+                // parent domains, but for now we require an exact match.
+                const protocol = `${reverseDomain(clientIdUrl.hostname)}:`;
+                if (url.protocol !== protocol) {
+                    throw new invalid_redirect_uri_error_js_1.InvalidRedirectUriError(`Private-Use URI Scheme redirect URI, for discoverable client metadata, must be the fully qualified domain name (FQDN) of the client_id, in reverse order (${protocol})`);
+                }
+            }
+        }
+        return metadata;
+    }
+}
+exports.ClientManager = ClientManager;
+function reverseDomain(domain) {
+    return domain.split('.').reverse().join('.');
+}
+function isPrivateUseUriScheme(uri) {
+    return uri.protocol.includes('.');
+}
+function buildJsonGetRequest(uri, options) {
+    const headers = new Headers([['accept', 'application/json']]);
+    if (options?.noCache)
+        headers.set('cache-control', 'no-cache');
+    return new Request(uri, {
+        headers,
+        signal: options?.signal,
+        redirect: 'error',
+    });
+}
+//# sourceMappingURL=client-manager.js.map

package/dist/client/client-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-manager.js","sourceRoot":"","sources":["../../src/client/client-manager.ts"],"names":[],"mappings":";;;AAAA,+CAM4B;AAC5B,6CAAyC;AACzC,6DAImC;AACnC,sCAAuD;AACvD,sDAW6B;AAE7B,kDAAqE;AACrE,iGAAuF;AACvF,2FAAiF;AACjF,6DAAqD;AACrD,yDAAqE;AAKrE,uDAA+E;AAC/E,2CAAoC;AAEpC,MAAM,oBAAoB,GAAG,IAAA,WAAI,EAC/B,IAAA,wBAAgB,GAAE,EAClB,IAAA,0BAAkB,EAAC,kBAAkB,EAAE,KAAK,CAAC,EAC7C,IAAA,6BAAqB,EAAC,uCAAyB,CAAC,CACjD,CAAA;AAED,MAAM,gBAAgB,GAAG,IAAA,WAAI,EAC3B,IAAA,wBAAgB,GAAE,EAClB,IAAA,0BAAkB,EAAC,kBAAkB,EAAE,KAAK,CAAC,EAC7C,IAAA,6BAAqB,EAAC,gBAAU,CAAC,CAClC,CAAA;AAMD,MAAa,aAAa;IAKH;IACA;IACA;IACA;IAPF,IAAI,CAA4B;IAChC,QAAQ,CAA2C;IAEtE,YACqB,MAAc,EACd,KAAiB,EACjB,KAAyB,EACzB,mBAAkD,IAAI,EACzE,SAAgB,EAChB,eAA0C,EAC1C,mBAA6D;QAN1C,WAAM,GAAN,MAAM,CAAQ;QACd,UAAK,GAAL,KAAK,CAAY;QACjB,UAAK,GAAL,KAAK,CAAoB;QACzB,qBAAgB,GAAhB,gBAAgB,CAAsC;QAKzE,MAAM,KAAK,GAAG,IAAA,iBAAS,EAAC,SAAS,CAAC,CAAA;QAElC,IAAI,CAAC,IAAI,GAAG,IAAI,2BAAY,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE;YAClD,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,mBAAmB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAC9D,gBAAgB,CACjB,CAAA;YAED,OAAO,IAAI,CAAA;QACb,CAAC,EAAE,eAAe,CAAC,CAAA;QAEnB,IAAI,CAAC,QAAQ,GAAG,IAAI,2BAAY,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE;YACtD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,mBAAmB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAClE,oBAAoB,CACrB,CAAA;YAED,+DAA+D;YAC/D,OAAO,IAAI,CAAC,sBAAsB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;QACnD,CAAC,EAAE,mBAAmB,CAAC,CAAA;IACzB,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,SAAS,CAAC,QAAgB;QACrC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAA;YAEvD,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ;gBAC5B,CAAC,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACxC,CAAC,CAAC,SAAS,CAAA;YAEb,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC,QAAQ,EAAE;gBAC5D,QAAQ;gBACR,IAAI;aACL,CAAC,CAAA;YAEF,MAAM,YAAY,GAAG,WAAW,EAAE,YAAY,IAAI,KAAK,CAAA;YACvD,MAAM,SAAS,GACb,WAAW,EAAE,SAAS;gBACtB,CAAC,YAAY;oBACX,mEAAmE;oBACnE,CAAC,CAAC,IAAA,qCAAuB,EAAC,QAAQ,CAAC;wBACjC,CAAC,IAAA,yCAA2B,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAA;YAE9C,OAAO,IAAI,kBAAM,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE,YAAY,EAAE,SAAS,EAAE,CAAC,CAAA;QAC1E,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,2BAAU;gBAAE,MAAM,GAAG,CAAA;YACxC,IAAI,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,6BAA6B,EAAE,CAAC;gBACpD,MAAM,IAAI,6DAA0B,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAA;YACtE,CAAC;YACD,MAAM,6DAA0B,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAC5C,CAAC;IACH,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,QAAkB;QAElB,IAAI,IAAA,qCAAuB,EAAC,QAAQ,CAAC,EAAE,CAAC;YACtC,OAAO,IAAI,CAAC,yBAAyB,CAAC,QAAQ,CAAC,CAAA;QACjD,CAAC;aAAM,IAAI,IAAA,yCAA2B,EAAC,QAAQ,CAAC,EAAE,CAAC;YACjD,OAAO,IAAI,CAAC,6BAA6B,CAAC,QAAQ,CAAC,CAAA;QACrD,CAAC;aAAM,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC,uBAAuB,CAAC,QAAQ,CAAC,CAAA;QAC/C,CAAC;QAED,MAAM,IAAI,6DAA0B,CAAC,sBAAsB,QAAQ,GAAG,CAAC,CAAA;IACzE,CAAC;IAES,KAAK,CAAC,yBAAyB,CACvC,QAA+B;QAE/B,MAAM,EAAE,gBAAgB,EAAE,GAAG,IAAI,CAAA;QACjC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,MAAM,IAAI,6DAA0B,CAAC,kCAAkC,CAAC,CAAA;QAC1E,CAAC;QAED,MAAM,MAAM,GAAG,uCAAyB,CAAC,SAAS,CAChD,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CACjC,CAAA;QAED,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,6DAA0B,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QACrD,CAAC;QAED,OAAO,IAAI,CAAC,sBAAsB,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAA;IAC3D,CAAC;IAES,KAAK,CAAC,6BAA6B,CAC3C,QAAmC;QAEnC,MAAM,WAAW,GAAG,IAAA,2CAAyB,EAAC,QAAQ,CAAC,CAAA;QAEvD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAA;QAE1D,sEAAsE;QACtE,mEAAmE;QACnE,EAAE;QACF,iEAAiE;QACjE,OAAO,QAAQ,CAAA;IACjB,CAAC;IAES,KAAK,CAAC,uBAAuB,CACrC,QAAkB;QAElB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAA;YACtD,OAAO,IAAI,CAAC,sBAAsB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;QACxD,CAAC;QAED,MAAM,IAAI,6DAA0B,CAAC,sBAAsB,QAAQ,GAAG,CAAC,CAAA;IACzE,CAAC;IAED;;;;;OAKG;IACO,sBAAsB,CAC9B,QAAkB,EAClB,QAA6B;QAE7B,IAAI,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACvC,MAAM,IAAI,6DAA0B,CAClC,0CAA0C,CAC3C,CAAA;QACH,CAAC;QAED,MAAM,YAAY,GAAG,QAAQ,CAAC,UAAU;YACtC,CAAC,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC;YAC9B,CAAC,CAAC,IAAI,CAAA;QACR,MAAM,eAAe,GAAG,YAAY,CAAC,CAAC,CAAC,IAAA,4BAAc,EAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;QAE1E,IAAI,YAAY,IAAI,CAAC,eAAe,EAAE,CAAC;YACrC,MAAM,IAAI,6DAA0B,CAAC,gCAAgC,CAAC,CAAA;QACxE,CAAC;QAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QACzC,IACE,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC;YAC9C,CAAC,MAAM,EAAE,QAAQ,CAAC,gBAAgB,CAAC,IAAI,KAAK,CAAC,EAC7C,CAAC;YACD,MAAM,IAAI,6DAA0B,CAClC,6EAA6E,CAC9E,CAAA;QACH,CAAC;QAED,KAAK,MAAM,SAAS,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;YAC7C,QAAQ,SAAS,EAAE,CAAC;gBAClB,KAAK,oBAAoB,CAAC;gBAC1B,KAAK,eAAe,CAAC;gBACrB,KAAK,UAAU,EAAE,kCAAkC;oBACjD,SAAQ;gBACV,KAAK,UAAU;oBACb,MAAM,IAAI,6DAA0B,CAClC,eAAe,SAAS,kBAAkB,CAC3C,CAAA;gBACH;oBACE,MAAM,IAAI,6DAA0B,CAClC,eAAe,SAAS,oBAAoB,CAC7C,CAAA;YACL,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC1D,MAAM,IAAI,6DAA0B,CAAC,0BAA0B,CAAC,CAAA;QAClE,CAAC;QAED,IAAI,QAAQ,CAAC,YAAY,IAAI,QAAQ,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;YAChE,MAAM,IAAI,6DAA0B,CAClC,yCAAyC,CAC1C,CAAA;QACH,CAAC;QAED,IACE,QAAQ,CAAC,4BAA4B;YACrC,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,CAClC,QAAQ,CAAC,4BAA4B,CACtC,EACD,CAAC;YACD,MAAM,IAAI,6DAA0B,CAClC,8CAA8C,QAAQ,CAAC,4BAA4B,EAAE,CACtF,CAAA;QACH,CAAC;QAED,IACE,QAAQ,CAAC,4BAA4B;YACrC,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,CAClC,QAAQ,CAAC,4BAA4B,CACtC,EACD,CAAC;YACD,MAAM,IAAI,6DAA0B,CAClC,8CAA8C,QAAQ,CAAC,4BAA4B,EAAE,CACtF,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,+BAA+B,EAAE,CAAC;YAC7C,qCAAqC;YACrC,MAAM,IAAI,6DAA0B,CAClC,8CAA8C,CAC/C,CAAA;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,4BAA4B,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,6DAA0B,CAClC,oDAAoD,CACrD,CAAA;QACH,CAAC;QAED,KAAK,MAAM,QAAQ,IAAI,gDAAkC,EAAE,CAAC;YAC1D,MAAM,MAAM,GACV,QAAQ,CAAC,GAAG,QAAQ,uBAAuB,CAAC;gBAC5C,QAAQ,CAAC,4BAA4B,CAAC,CAAA;YAExC,QAAQ,MAAM,EAAE,CAAC;gBACf,KAAK,MAAM;oBACT,IAAI,QAAQ,CAAC,+BAA+B,EAAE,CAAC;wBAC7C,MAAM,IAAI,6DAA0B,CAClC,GAAG,QAAQ,8CAA8C,QAAQ,4BAA4B,CAC9F,CAAA;oBACH,CAAC;oBACD,MAAK;gBAEP,KAAK,iBAAiB;oBACpB,IAAI,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;wBACzC,MAAM,IAAI,6DAA0B,CAClC,uDAAuD,CACxD,CAAA;oBACH,CAAC;oBACD,IAAI,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACrC,MAAM,IAAI,6DAA0B,CAClC,+DAA+D,CAChE,CAAA;oBACH,CAAC;oBACD,IAAI,CAAC,QAAQ,CAAC,+BAA+B,EAAE,CAAC;wBAC9C,MAAM,IAAI,6DAA0B,CAClC,yDAAyD,CAC1D,CAAA;oBACH,CAAC;oBACD,MAAK;gBAEP;oBACE,MAAM,IAAI,6DAA0B,CAClC,GAAG,MAAM,wBAAwB,QAAQ,0DAA0D,CACpG,CAAA;YACL,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,oCAAoC,EAAE,CAAC;YAClD,MAAM,IAAI,6DAA0B,CAClC,mDAAmD,CACpD,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,0CAA0C,EAAE,CAAC;YACxD,MAAM,IAAI,6DAA0B,CAClC,kDAAkD,CACnD,CAAA;QACH,CAAC;QAED,IACE,QAAQ,CAAC,oCAAoC;YAC7C,CAAC,QAAQ,CAAC,oCAAoC,EAC9C,CAAC;YACD,MAAM,IAAI,6DAA0B,CAClC,oFAAoF,CACrF,CAAA;QACH,CAAC;QAED,uEAAuE;QACvE,IAAI,QAAQ,CAAC,wBAAwB,KAAK,IAAI,EAAE,CAAC;YAC/C,MAAM,IAAI,6DAA0B,CAClC,yCAAyC,CAC1C,CAAA;QACH,CAAC;QAED,KAAK,MAAM,YAAY,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YACnD,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAElC,wCAAwC;YACxC,IAAI,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzB,MAAM,IAAI,6DAA0B,CAClC,wEAAwE,CACzE,CAAA;YACH,CAAC;YAED,oBAAoB;YACpB,IACE,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACnB,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EACpD,CAAC;gBACD,MAAM,IAAI,6DAA0B,CAClC,kBAAkB,YAAY,gDAAgD,CAC/E,CAAA;YACH,CAAC;YAED,qEAAqE;YACrE,mEAAmE;YACnE,wEAAwE;YACxE,6BAA6B;YAC7B,IACE,CAAC,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;gBACjD,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,EAC1C,CAAC;gBACD,MAAM,IAAI,6DAA0B,CAClC,kBAAkB,YAAY,sCAAsC,CACrE,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,gBAAgB,KAAK,QAAQ,EAAE,CAAC;YAC3C,4DAA4D;YAC5D,EAAE;YACF,mEAAmE;YACnE,iEAAiE;YACjE,yEAAyE;YACzE,wEAAwE;YACxE,oEAAoE;YACpE,0EAA0E;YAC1E,iBAAiB;QACnB,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,MAAM,EAAE,CAAC;YACpC,8EAA8E;YAC9E,EAAE;YACF,yEAAyE;YACzE,8DAA8D;YAE9D,MAAM,IAAI,6DAA0B,CAClC,uCAAuC,CACxC,CAAA;QACH,CAAC;QAED,IACE,QAAQ,CAAC,gBAAgB,KAAK,KAAK;YACnC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,EACzC,CAAC;YACD,8EAA8E;YAC9E,EAAE;YACF,mEAAmE;YACnE,gEAAgE;YAChE,gEAAgE;YAChE,cAAc;YAEd,KAAK,MAAM,WAAW,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;gBACjD,MAAM,GAAG,GAAG,IAAA,kCAAgB,EAAC,WAAW,CAAC,CAAA;gBACzC,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBAC9B,MAAM,IAAI,uDAAuB,CAC/B,0CAA0C,CAC3C,CAAA;gBACH,CAAC;gBAED,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;oBACjC,MAAM,IAAI,uDAAuB,CAC/B,oDAAoD,CACrD,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,gBAAgB,KAAK,QAAQ,EAAE,CAAC;YAC3C,8EAA8E;YAC9E,EAAE;YACF,gEAAgE;YAChE,qEAAqE;YACrE,iEAAiE;YACjE,0DAA0D;YAE1D,KAAK,MAAM,WAAW,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;gBACjD,MAAM,GAAG,GAAG,IAAA,kCAAgB,EAAC,WAAW,CAAC,CAAA;gBACzC,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;oBAC7B,MAAM,IAAI,uDAAuB,CAC/B,mDAAmD,GAAG,GAAG,CAC1D,CAAA;gBACH,CAAC;gBAED,IAAI,CAAC,IAAA,4BAAc,EAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjE,MAAM,IAAI,uDAAuB,CAC/B,yDAAyD,CAC1D,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,gBAAgB,KAAK,QAAQ,EAAE,CAAC;YAC3C,8EAA8E;YAC9E,EAAE;YACF,kEAAkE;YAClE,6DAA6D;YAC7D,aAAa;YAEb,KAAK,MAAM,WAAW,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;gBACjD,MAAM,GAAG,GAAG,IAAA,kCAAgB,EAAC,WAAW,CAAC,CAAA;gBACzC,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,IAAA,2BAAa,EAAC,GAAG,CAAC,EAAE,CAAC;oBACpD,MAAM,IAAI,uDAAuB,CAC/B,uDAAuD,GAAG,GAAG,CAC9D,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,KAAK,MAAM,WAAW,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;YACjD,MAAM,GAAG,GAAG,IAAA,kCAAgB,EAAC,WAAW,CAAC,CAAA;YAEzC,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;gBACjC,mEAAmE;gBACnE,MAAM,IAAI,uDAAuB,CAC/B,gBAAgB,GAAG,+BAA+B,CACnD,CAAA;YACH,CAAC;YAED,QAAQ,IAAI,EAAE,CAAC;gBACb,gEAAgE;gBAEhE,KAAK,GAAG,CAAC,QAAQ,KAAK,WAAW,CAAC,CAAC,CAAC;oBAClC,4DAA4D;oBAC5D,EAAE;oBACF,+CAA+C;oBAC/C,wEAAwE;oBACxE,oEAAoE;oBACpE,wEAAwE;oBACxE,oEAAoE;oBACpE,kEAAkE;oBAClE,qEAAqE;oBACrE,qCAAqC;oBACrC,MAAM,IAAI,uDAAuB,CAC/B,yBAAyB,GAAG,4CAA4C,CACzE,CAAA;gBACH,CAAC;gBACD,gBAAgB;gBAChB,KAAK,GAAG,CAAC,QAAQ,KAAK,WAAW,CAAC;gBAClC,KAAK,GAAG,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC;oBAC9B,4DAA4D;oBAC5D,EAAE;oBACF,qEAAqE;oBACrE,iEAAiE;oBACjE,sEAAsE;oBACtE,+CAA+C;oBAE/C,IAAI,QAAQ,CAAC,gBAAgB,KAAK,QAAQ,EAAE,CAAC;wBAC3C,MAAM,IAAI,uDAAuB,CAC/B,yDAAyD,CAC1D,CAAA;oBACH,CAAC;oBAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;wBACb,4DAA4D;wBAC5D,EAAE;wBACF,oEAAoE;wBACpE,8DAA8D;wBAC9D,gEAAgE;wBAChE,0DAA0D;wBAC1D,EAAE;wBACF,gEAAgE;wBAChE,+DAA+D;wBAC/D,+DAA+D;wBAC/D,oDAAoD;wBACpD,0BAA0B;oBAC5B,CAAC;oBAED,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;wBAC7B,MAAM,IAAI,uDAAuB,CAC/B,yBAAyB,GAAG,gBAAgB,CAC7C,CAAA;oBACH,CAAC;oBAED,MAAK;gBACP,CAAC;gBAED,yCAAyC;gBAEzC,KAAK,GAAG,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC;oBAC9B,8EAA8E;oBAC9E,EAAE;oBACF,gEAAgE;oBAChE,mEAAmE;oBACnE,YAAY;oBACZ,EAAE;oBACF,qEAAqE;oBACrE,MAAM,IAAI,uDAAuB,CAC/B,6BAA6B,GAAG,iBAAiB,CAClD,CAAA;gBACH,CAAC;gBAED,KAAK,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC;oBAC/B,MAAM,iBAAiB,GAAG,IAAA,4BAAc,EAAC,GAAG,CAAC,CAAA;oBAC7C,IAAI,CAAC,iBAAiB,EAAE,CAAC;wBACvB,MAAM,IAAI,uDAAuB,CAC/B,gBAAgB,GAAG,sBAAsB,CAC1C,CAAA;oBACH,CAAC;oBAED,4DAA4D;oBAC5D,EAAE;oBACF,mEAAmE;oBACnE,mEAAmE;oBACnE,kEAAkE;oBAClE,oEAAoE;oBACpE,gCAAgC;oBAChC,EAAE;oBACF,qEAAqE;oBACrE,yDAAyD;oBACzD,IAAI,CAAC,eAAe,EAAE,CAAC;wBACrB,MAAM,IAAI,6DAA0B,CAClC,gDAAgD,CACjD,CAAA;oBACH,CAAC;yBAAM,CAAC;wBACN,IAAI,iBAAiB,CAAC,MAAM,KAAK,eAAe,CAAC,MAAM,EAAE,CAAC;4BACxD,MAAM,IAAI,uDAAuB,CAC/B,gBAAgB,GAAG,gDAAgD,QAAQ,CAAC,UAAU,EAAE,CACzF,CAAA;wBACH,CAAC;oBACH,CAAC;oBAED,MAAK;gBACP,CAAC;gBAED,KAAK,qBAAqB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;oBAChC,4DAA4D;oBAC5D,EAAE;oBACF,oEAAoE;oBACpE,iEAAiE;oBACjE,iEAAiE;oBACjE,2CAA2C;oBAE3C,IAAI,QAAQ,CAAC,gBAAgB,KAAK,QAAQ,EAAE,CAAC;wBAC3C,MAAM,IAAI,uDAAuB,CAC/B,sEAAsE,CACvE,CAAA;oBACH,CAAC;oBAED,MAAM,iBAAiB,GAAG,IAAA,yBAAW,EACnC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CACzC,CAAA;oBAED,IAAI,CAAC,iBAAiB,EAAE,CAAC;wBACvB,MAAM,IAAI,uDAAuB,CAC/B,0EAA0E,CAC3E,CAAA;oBACH,CAAC;oBAED,4DAA4D;oBAC5D,EAAE;oBACF,mEAAmE;oBACnE,mEAAmE;oBACnE,kEAAkE;oBAClE,oEAAoE;oBACpE,gCAAgC;oBAChC,IAAI,CAAC,eAAe,EAAE,CAAC;wBACrB,MAAM,IAAI,6DAA0B,CAClC,mFAAmF,CACpF,CAAA;oBACH,CAAC;yBAAM,CAAC;wBACN,IAAI,iBAAiB,CAAC,MAAM,KAAK,eAAe,CAAC,MAAM,EAAE,CAAC;4BACxD,MAAM,IAAI,uDAAuB,CAC/B,uCAAuC,GAAG,gDAAgD,QAAQ,CAAC,UAAU,EAAE,CAChH,CAAA;wBACH,CAAC;oBACH,CAAC;oBAED,4DAA4D;oBAC5D,EAAE;oBACF,qEAAqE;oBACrE,sEAAsE;oBACtE,6DAA6D;oBAC7D,IACE,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,GAAG,CAAC,QAAQ,IAAI,CAAC;wBACxC,GAAG,CAAC,QAAQ;wBACZ,GAAG,CAAC,QAAQ;wBACZ,GAAG,CAAC,QAAQ;wBACZ,GAAG,CAAC,IAAI,EACR,CAAC;wBACD,MAAM,IAAI,uDAAuB,CAC/B,8CAA8C,GAAG,CAAC,QAAQ,SAAS,CACpE,CAAA;oBACH,CAAC;oBAED,MAAK;gBACP,CAAC;gBAED;oBACE,4DAA4D;oBAC5D,EAAE;oBACF,oEAAoE;oBACpE,+CAA+C;oBAC/C,MAAM,IAAI,uDAAuB,CAC/B,gCAAgC,GAAG,CAAC,QAAQ,GAAG,CAChD,CAAA;YACL,CAAC;QACH,CAAC;QAED,IAAI,IAAA,qCAAuB,EAAC,QAAQ,CAAC,EAAE,CAAC;YACtC,OAAO,IAAI,CAAC,8BAA8B,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;QAChE,CAAC;aAAM,IAAI,IAAA,yCAA2B,EAAC,QAAQ,CAAC,EAAE,CAAC;YACjD,OAAO,IAAI,CAAC,kCAAkC,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;QACpE,CAAC;aAAM,CAAC;YACN,OAAO,QAAQ,CAAA;QACjB,CAAC;IACH,CAAC;IAED,8BAA8B,CAC5B,QAA+B,EAC/B,QAA6B;QAE7B,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACxB,MAAM,IAAI,6DAA0B,CAClC,gDAAgD,CACjD,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,gBAAgB,KAAK,QAAQ,EAAE,CAAC;YAC3C,MAAM,IAAI,6DAA0B,CAClC,sDAAsD,CACvD,CAAA;QACH,CAAC;QAED,IACE,CAAC,kDAAmC;YACpC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC,EAC9C,CAAC;YACD,MAAM,IAAI,6DAA0B,CAClC,wEAAwE,CACzE,CAAA;QACH,CAAC;QAED,KAAK,MAAM,QAAQ,IAAI,gDAAkC,EAAE,CAAC;YAC1D,MAAM,MAAM,GACV,QAAQ,CAAC,GAAG,QAAQ,uBAAuB,CAAC;gBAC5C,QAAQ,CAAC,4BAA4B,CAAC,CAAA;YAExC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,MAAM,IAAI,6DAA0B,CAClC,4CAA4C,QAAQ,0BAA0B,MAAM,EAAE,CACvF,CAAA;YACH,CAAC;QACH,CAAC;QAED,KAAK,MAAM,WAAW,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;YACjD,MAAM,GAAG,GAAG,IAAA,kCAAgB,EAAC,WAAW,CAAC,CAAA;YAEzC,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBAC7B,MAAM,IAAI,uDAAuB,CAC/B,8CAA8C,CAC/C,CAAA;YACH,CAAC;YAED,IAAI,CAAC,IAAA,4BAAc,EAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClC,MAAM,IAAI,uDAAuB,CAC/B,kDAAkD,CACnD,CAAA;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,kCAAkC,CAChC,QAAmC,EACnC,QAA6B;QAE7B,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YACxB,kIAAkI;YAClI,MAAM,IAAI,6DAA0B,CAClC,gDAAgD,CACjD,CAAA;QACH,CAAC;QAED,MAAM,WAAW,GAAG,IAAA,2CAAyB,EAAC,QAAQ,CAAC,CAAA;QAEvD,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACxB,kIAAkI;YAClI,EAAE;YACF,sEAAsE;YACtE,yBAAyB;YAEzB,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;YAEjD,IAAI,YAAY,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM,EAAE,CAAC;gBAC/C,MAAM,IAAI,6DAA0B,CAClC,uDAAuD,CACxD,CAAA;YACH,CAAC;YAED,IAAI,WAAW,CAAC,QAAQ,KAAK,YAAY,CAAC,QAAQ,EAAE,CAAC;gBACnD,IACE,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAC9B,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;oBACjC,CAAC,CAAC,YAAY,CAAC,QAAQ;oBACvB,CAAC,CAAC,GAAG,YAAY,CAAC,QAAQ,GAAG,CAChC,EACD,CAAC;oBACD,MAAM,IAAI,6DAA0B,CAClC,kDAAkD,CACnD,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,KAAK,MAAM,QAAQ,IAAI,gDAAkC,EAAE,CAAC;YAC1D,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,QAAQ,uBAAuB,CAAC,CAAA;YAC3D,QAAQ,MAAM,EAAE,CAAC;gBACf,KAAK,oBAAoB,CAAC;gBAC1B,KAAK,qBAAqB,CAAC;gBAC3B,KAAK,mBAAmB;oBACtB,MAAM,IAAI,6DAA0B,CAClC,iCAAiC,MAAM,2CAA2C,CACnF,CAAA;YACL,CAAC;QACH,CAAC;QAED,KAAK,MAAM,WAAW,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;YACjD,MAAM,GAAG,GAAG,IAAA,kCAAgB,EAAC,WAAW,CAAC,CAAA;YAEzC,IAAI,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC/B,kIAAkI;gBAClI,EAAE;gBACF,kEAAkE;gBAClE,mEAAmE;gBACnE,yDAAyD;gBACzD,MAAM,QAAQ,GAAG,GAAG,aAAa,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAA;gBAC1D,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBAC9B,MAAM,IAAI,uDAAuB,CAC/B,6JAA6J,QAAQ,GAAG,CACzK,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;CACF;AAxuBD,sCAwuBC;AAED,SAAS,aAAa,CAAC,MAAc;IACnC,OAAO,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AAC9C,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAQ;IACrC,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;AACnC,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAW,EAAE,OAA0B;IAClE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAA;IAC7D,IAAI,OAAO,EAAE,OAAO;QAAE,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;IAC9D,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE;QACtB,OAAO;QACP,MAAM,EAAE,OAAO,EAAE,MAAM;QACvB,QAAQ,EAAE,OAAO;KAClB,CAAC,CAAA;AACJ,CAAC"}

package/dist/client/client-store.d.ts

@@ -0,0 +1,13 @@
+import { OAuthClientMetadata } from '@atproto/oauth-types';
+import { Awaitable } from '../lib/util/type.js';
+import { ClientId } from './client-id.js';
+export * from './client-data.js';
+export * from './client-id.js';
+export type { Awaitable };
+export interface ClientStore {
+    findClient(clientId: ClientId): Awaitable<OAuthClientMetadata>;
+}
+export declare function isClientStore(implementation: Record<string, unknown> & Partial<ClientStore>): implementation is Record<string, unknown> & ClientStore;
+export declare function ifClientStore(implementation?: Record<string, unknown> & Partial<ClientStore>): ClientStore | undefined;
+export declare function asClientStore(implementation?: Record<string, unknown> & Partial<ClientStore>): ClientStore;
+//# sourceMappingURL=client-store.d.ts.map

package/dist/client/client-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-store.d.ts","sourceRoot":"","sources":["../../src/client/client-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAA;AAE1D,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAA;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC,cAAc,kBAAkB,CAAA;AAChC,cAAc,gBAAgB,CAAA;AAC9B,YAAY,EAAE,SAAS,EAAE,CAAA;AAEzB,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,QAAQ,EAAE,QAAQ,GAAG,SAAS,CAAC,mBAAmB,CAAC,CAAA;CAC/D;AAED,wBAAgB,aAAa,CAC3B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC,GAC7D,cAAc,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,WAAW,CAEzD;AAED,wBAAgB,aAAa,CAC3B,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC,GAC9D,WAAW,GAAG,SAAS,CAMzB;AAED,wBAAgB,aAAa,CAC3B,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC,GAC9D,WAAW,CAKb"}

package/dist/client/client-store.js

@@ -0,0 +1,39 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.asClientStore = exports.ifClientStore = exports.isClientStore = void 0;
+// Export all types needed to implement the ClientStore interface
+__exportStar(require("./client-data.js"), exports);
+__exportStar(require("./client-id.js"), exports);
+function isClientStore(implementation) {
+    return typeof implementation.findClient === 'function';
+}
+exports.isClientStore = isClientStore;
+function ifClientStore(implementation) {
+    if (implementation && isClientStore(implementation)) {
+        return implementation;
+    }
+    return undefined;
+}
+exports.ifClientStore = ifClientStore;
+function asClientStore(implementation) {
+    const store = ifClientStore(implementation);
+    if (store)
+        return store;
+    throw new Error('Invalid ClientStore implementation');
+}
+exports.asClientStore = asClientStore;
+//# sourceMappingURL=client-store.js.map

package/dist/client/client-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-store.js","sourceRoot":"","sources":["../../src/client/client-store.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAKA,iEAAiE;AACjE,mDAAgC;AAChC,iDAA8B;AAO9B,SAAgB,aAAa,CAC3B,cAA8D;IAE9D,OAAO,OAAO,cAAc,CAAC,UAAU,KAAK,UAAU,CAAA;AACxD,CAAC;AAJD,sCAIC;AAED,SAAgB,aAAa,CAC3B,cAA+D;IAE/D,IAAI,cAAc,IAAI,aAAa,CAAC,cAAc,CAAC,EAAE,CAAC;QACpD,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AARD,sCAQC;AAED,SAAgB,aAAa,CAC3B,cAA+D;IAE/D,MAAM,KAAK,GAAG,aAAa,CAAC,cAAc,CAAC,CAAA;IAC3C,IAAI,KAAK;QAAE,OAAO,KAAK,CAAA;IAEvB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;AACvD,CAAC;AAPD,sCAOC"}

package/dist/client/client-utils.d.ts

@@ -0,0 +1,6 @@
+/// <reference types="node" />
+import { OAuthClientIdDiscoverable, OAuthClientIdLoopback } from '@atproto/oauth-types';
+export declare function parseRedirectUri(redirectUri: string): URL;
+export declare function parseDiscoverableClientId(clientId: OAuthClientIdDiscoverable): URL;
+export declare function parseLoopbackClientId(clientId: OAuthClientIdLoopback): URL;
+//# sourceMappingURL=client-utils.d.ts.map

package/dist/client/client-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-utils.d.ts","sourceRoot":"","sources":["../../src/client/client-utils.ts"],"names":[],"mappings":";AAAA,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EAGtB,MAAM,sBAAsB,CAAA;AAM7B,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,GAAG,CAMzD;AAED,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,yBAAyB,GAClC,GAAG,CAaL;AAED,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,qBAAqB,GAAG,GAAG,CAM1E"}