@atproto/oauth-provider 0.1.0

package/dist/client/client-utils.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseLoopbackClientId = exports.parseDiscoverableClientId = exports.parseRedirectUri = void 0;
+const oauth_types_1 = require("@atproto/oauth-types");
+const invalid_client_id_error_js_1 = require("../errors/invalid-client-id-error.js");
+const invalid_redirect_uri_error_js_1 = require("../errors/invalid-redirect-uri-error.js");
+const hostname_js_1 = require("../lib/util/hostname.js");
+function parseRedirectUri(redirectUri) {
+    try {
+        return new URL(redirectUri);
+    }
+    catch (err) {
+        throw invalid_redirect_uri_error_js_1.InvalidRedirectUriError.from(err);
+    }
+}
+exports.parseRedirectUri = parseRedirectUri;
+function parseDiscoverableClientId(clientId) {
+    try {
+        const url = (0, oauth_types_1.parseOAuthDiscoverableClientId)(clientId);
+        // Extra validation, prevent usage of invalid internet domain names.
+        if (!(0, hostname_js_1.isInternetHost)(url.hostname)) {
+            throw new invalid_client_id_error_js_1.InvalidClientIdError('ClientID is not a valid internet address');
+        }
+        return url;
+    }
+    catch (err) {
+        throw invalid_client_id_error_js_1.InvalidClientIdError.from(err);
+    }
+}
+exports.parseDiscoverableClientId = parseDiscoverableClientId;
+function parseLoopbackClientId(clientId) {
+    try {
+        return (0, oauth_types_1.parseOAuthLoopbackClientId)(clientId);
+    }
+    catch (err) {
+        throw invalid_client_id_error_js_1.InvalidClientIdError.from(err);
+    }
+}
+exports.parseLoopbackClientId = parseLoopbackClientId;
+//# sourceMappingURL=client-utils.js.map

package/dist/client/client-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-utils.js","sourceRoot":"","sources":["../../src/client/client-utils.ts"],"names":[],"mappings":";;;AAAA,sDAK6B;AAE7B,qFAA2E;AAC3E,2FAAiF;AACjF,yDAAwD;AAExD,SAAgB,gBAAgB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,WAAW,CAAC,CAAA;IAC7B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,uDAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzC,CAAC;AACH,CAAC;AAND,4CAMC;AAED,SAAgB,yBAAyB,CACvC,QAAmC;IAEnC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4CAA8B,EAAC,QAAQ,CAAC,CAAA;QAEpD,oEAAoE;QACpE,IAAI,CAAC,IAAA,4BAAc,EAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,iDAAoB,CAAC,0CAA0C,CAAC,CAAA;QAC5E,CAAC;QAED,OAAO,GAAG,CAAA;IACZ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,iDAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACtC,CAAC;AACH,CAAC;AAfD,8DAeC;AAED,SAAgB,qBAAqB,CAAC,QAA+B;IACnE,IAAI,CAAC;QACH,OAAO,IAAA,wCAA0B,EAAC,QAAQ,CAAC,CAAA;IAC7C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,iDAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACtC,CAAC;AACH,CAAC;AAND,sDAMC"}

package/dist/client/client.d.ts

@@ -0,0 +1,41 @@
+import { Jwks } from '@atproto/jwk';
+import { OAuthClientIdentification, OAuthClientMetadata, OAuthEndpointName } from '@atproto/oauth-types';
+import { type JWTPayload, type JWTVerifyOptions, type JWTVerifyResult, type KeyLike, type ResolvedKey, type UnsecuredResult } from 'jose';
+import { ClientAuth } from './client-auth.js';
+import { ClientId } from './client-id.js';
+import { ClientInfo } from './client-info.js';
+export declare class Client {
+    readonly id: ClientId;
+    readonly metadata: OAuthClientMetadata;
+    readonly jwks: undefined | Jwks;
+    readonly info: ClientInfo;
+    /**
+     * @see {@link https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method}
+     */
+    static readonly AUTH_METHODS_SUPPORTED: readonly ["none", "private_key_jwt"];
+    private readonly keyGetter;
+    constructor(id: ClientId, metadata: OAuthClientMetadata, jwks: undefined | Jwks, info: ClientInfo);
+    decodeRequestObject(jar: string): Promise<UnsecuredResult<JWTPayload> | (JWTVerifyResult<JWTPayload> & ResolvedKey<KeyLike>)>;
+    protected jwtVerifyUnsecured<PayloadType = JWTPayload>(token: string, options?: Omit<JWTVerifyOptions, 'issuer'>): Promise<UnsecuredResult<PayloadType>>;
+    protected jwtVerify<PayloadType = JWTPayload>(token: string, options?: Omit<JWTVerifyOptions, 'issuer'>): Promise<JWTVerifyResult<PayloadType> & ResolvedKey<KeyLike>>;
+    protected getAuthMethod(endpoint: OAuthEndpointName): "none" | "private_key_jwt" | "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "self_signed_tls_client_auth" | "tls_client_auth" | undefined;
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1}
+     * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-11#section-3}
+     * @see {@link https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method}
+     */
+    verifyCredentials(input: OAuthClientIdentification, endpoint: OAuthEndpointName, checks: {
+        audience: string;
+    }): Promise<{
+        clientAuth: ClientAuth;
+        nonce?: string;
+    }>;
+    /**
+     * Ensures that a {@link ClientAuth} generated in the past is still valid wrt
+     * the current client metadata & jwks. This is used to invalidate tokens when
+     * the client stops advertising the key that it used to authenticate itself
+     * during the initial token request.
+     */
+    validateClientAuth(clientAuth: ClientAuth): Promise<boolean>;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/client/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/client/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,cAAc,CAAA;AACnC,OAAO,EAEL,yBAAyB,EACzB,mBAAmB,EACnB,iBAAiB,EAClB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAKL,KAAK,UAAU,EAEf,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,OAAO,EACZ,KAAK,WAAW,EAChB,KAAK,eAAe,EACrB,MAAM,MAAM,CAAA;AAOb,OAAO,EAAE,UAAU,EAAqB,MAAM,kBAAkB,CAAA;AAChE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AACzC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,qBAAa,MAAM;aASC,EAAE,EAAE,QAAQ;aACZ,QAAQ,EAAE,mBAAmB;aAC7B,IAAI,EAAE,SAAS,GAAG,IAAI;aACtB,IAAI,EAAE,UAAU;IAXlC;;OAEG;IACH,MAAM,CAAC,QAAQ,CAAC,sBAAsB,uCAAuC;IAE7E,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAiB;gBAGzB,EAAE,EAAE,QAAQ,EACZ,QAAQ,EAAE,mBAAmB,EAC7B,IAAI,EAAE,SAAS,GAAG,IAAoB,EACtC,IAAI,EAAE,UAAU;IASrB,mBAAmB,CAAC,GAAG,EAAE,MAAM;cA8B5B,kBAAkB,CAAC,WAAW,GAAG,UAAU,EACzD,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,IAAI,CAAC,gBAAgB,EAAE,QAAQ,CAAC,GACzC,OAAO,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;cAOxB,SAAS,CAAC,WAAW,GAAG,UAAU,EAChD,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,IAAI,CAAC,gBAAgB,EAAE,QAAQ,CAAC,GACzC,OAAO,CAAC,eAAe,CAAC,WAAW,CAAC,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAO/D,SAAS,CAAC,aAAa,CAAC,QAAQ,EAAE,iBAAiB;IAOnD;;;;OAIG;IACU,iBAAiB,CAC5B,KAAK,EAAE,yBAAyB,EAChC,QAAQ,EAAE,iBAAiB,EAC3B,MAAM,EAAE;QACN,QAAQ,EAAE,MAAM,CAAA;KACjB,GACA,OAAO,CAAC;QACT,UAAU,EAAE,UAAU,CAAA;QAEtB,KAAK,CAAC,EAAE,MAAM,CAAA;KACf,CAAC;IAyEF;;;;;OAKG;IACU,kBAAkB,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC;CA4B1E"}

package/dist/client/client.js

@@ -0,0 +1,163 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Client = void 0;
+const oauth_types_1 = require("@atproto/oauth-types");
+const jose_1 = require("jose");
+const errors_1 = require("jose/errors");
+const constants_js_1 = require("../constants.js");
+const invalid_client_error_js_1 = require("../errors/invalid-client-error.js");
+const invalid_client_metadata_error_js_1 = require("../errors/invalid-client-metadata-error.js");
+const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
+const client_auth_js_1 = require("./client-auth.js");
+class Client {
+    id;
+    metadata;
+    jwks;
+    info;
+    /**
+     * @see {@link https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method}
+     */
+    static AUTH_METHODS_SUPPORTED = ['none', 'private_key_jwt'];
+    keyGetter;
+    constructor(id, metadata, jwks = metadata.jwks, info) {
+        this.id = id;
+        this.metadata = metadata;
+        this.jwks = jwks;
+        this.info = info;
+        // If the remote JWKS content is provided, we don't need to fetch it again.
+        this.keyGetter =
+            jwks || !metadata.jwks_uri
+                ? (0, jose_1.createLocalJWKSet)(jwks || { keys: [] })
+                : (0, jose_1.createRemoteJWKSet)(new URL(metadata.jwks_uri), {});
+    }
+    async decodeRequestObject(jar) {
+        try {
+            switch (this.metadata.request_object_signing_alg) {
+                case 'none':
+                    return await this.jwtVerifyUnsecured(jar, {
+                        maxTokenAge: constants_js_1.JAR_MAX_AGE / 1000,
+                    });
+                case undefined:
+                    // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
+                    // > The default, if omitted, is that any algorithm supported by the OP
+                    // > and the RP MAY be used.
+                    return await this.jwtVerify(jar, {
+                        maxTokenAge: constants_js_1.JAR_MAX_AGE / 1000,
+                    });
+                default:
+                    return await this.jwtVerify(jar, {
+                        maxTokenAge: constants_js_1.JAR_MAX_AGE / 1000,
+                        algorithms: [this.metadata.request_object_signing_alg],
+                    });
+            }
+        }
+        catch (err) {
+            const message = err instanceof errors_1.JOSEError
+                ? `Invalid "request" object: ${err.message}`
+                : `Invalid "request" object`;
+            throw new invalid_request_error_js_1.InvalidRequestError(message, err);
+        }
+    }
+    async jwtVerifyUnsecured(token, options) {
+        return jose_1.UnsecuredJWT.decode(token, {
+            ...options,
+            issuer: this.id,
+        });
+    }
+    async jwtVerify(token, options) {
+        return (0, jose_1.jwtVerify)(token, this.keyGetter, {
+            ...options,
+            issuer: this.id,
+        });
+    }
+    getAuthMethod(endpoint) {
+        return (this.metadata[`${endpoint}_endpoint_auth_method`] ||
+            this.metadata[`token_endpoint_auth_method`]);
+    }
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1}
+     * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-11#section-3}
+     * @see {@link https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method}
+     */
+    async verifyCredentials(input, endpoint, checks) {
+        const method = this.getAuthMethod(endpoint);
+        if (method === 'none') {
+            const clientAuth = { method: 'none' };
+            return { clientAuth };
+        }
+        if (method === 'private_key_jwt') {
+            if (!('client_assertion_type' in input) || !input.client_assertion_type) {
+                throw new invalid_request_error_js_1.InvalidRequestError(`client_assertion_type required for "${method}"`);
+            }
+            else if (!input.client_assertion) {
+                throw new invalid_request_error_js_1.InvalidRequestError(`client_assertion required for "${method}"`);
+            }
+            if (input.client_assertion_type === oauth_types_1.CLIENT_ASSERTION_TYPE_JWT_BEARER) {
+                const result = await this.jwtVerify(input.client_assertion, {
+                    audience: checks.audience,
+                    subject: this.id,
+                    maxTokenAge: constants_js_1.CLIENT_ASSERTION_MAX_AGE / 1000,
+                }).catch((err) => {
+                    if (err instanceof errors_1.JOSEError) {
+                        const msg = `Validation of "client_assertion" failed: ${err.message}`;
+                        throw new invalid_client_error_js_1.InvalidClientError(msg, err);
+                    }
+                    throw err;
+                });
+                if (!result.protectedHeader.kid) {
+                    throw new invalid_client_error_js_1.InvalidClientError(`"kid" required in client_assertion`);
+                }
+                if (!result.payload.jti) {
+                    throw new invalid_client_error_js_1.InvalidClientError(`"jti" required in client_assertion`);
+                }
+                const clientAuth = {
+                    method: oauth_types_1.CLIENT_ASSERTION_TYPE_JWT_BEARER,
+                    jkt: await (0, client_auth_js_1.authJwkThumbprint)(result.key),
+                    alg: result.protectedHeader.alg,
+                    kid: result.protectedHeader.kid,
+                };
+                return { clientAuth, nonce: result.payload.jti };
+            }
+            throw new invalid_client_error_js_1.InvalidClientError(`Unsupported client_assertion_type "${input.client_assertion_type}"`);
+        }
+        // @ts-expect-error Ensure to keep Client.AUTH_METHODS_SUPPORTED in sync
+        // with the implementation of this function.
+        if (Client.AUTH_METHODS_SUPPORTED.includes(method)) {
+            throw new Error(`verifyCredentials() should implement all of ${[
+                Client.AUTH_METHODS_SUPPORTED,
+            ]}`);
+        }
+        throw new invalid_client_metadata_error_js_1.InvalidClientMetadataError(`Unsupported ${endpoint}_endpoint_auth_method "${method}"`);
+    }
+    /**
+     * Ensures that a {@link ClientAuth} generated in the past is still valid wrt
+     * the current client metadata & jwks. This is used to invalidate tokens when
+     * the client stops advertising the key that it used to authenticate itself
+     * during the initial token request.
+     */
+    async validateClientAuth(clientAuth) {
+        if (clientAuth.method === 'none') {
+            return this.getAuthMethod('token') === 'none';
+        }
+        if (clientAuth.method === oauth_types_1.CLIENT_ASSERTION_TYPE_JWT_BEARER) {
+            if (this.getAuthMethod('token') !== 'private_key_jwt') {
+                return false;
+            }
+            try {
+                const key = await this.keyGetter({
+                    kid: clientAuth.kid,
+                    alg: clientAuth.alg,
+                }, { payload: '', signature: '' });
+                const jtk = await (0, client_auth_js_1.authJwkThumbprint)(key);
+                return jtk === clientAuth.jkt;
+            }
+            catch (e) {
+                return false;
+            }
+        }
+        // @ts-expect-error
+        throw new Error(`Invalid method "${clientAuth.method}"`);
+    }
+}
+exports.Client = Client;
+//# sourceMappingURL=client.js.map

package/dist/client/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/client/client.ts"],"names":[],"mappings":";;;AACA,sDAK6B;AAC7B,+BAYa;AACb,wCAAuC;AAEvC,kDAAuE;AACvE,+EAAsE;AACtE,iGAAuF;AACvF,iFAAwE;AACxE,qDAAgE;AAIhE,MAAa,MAAM;IASC;IACA;IACA;IACA;IAXlB;;OAEG;IACH,MAAM,CAAU,sBAAsB,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAU,CAAA;IAE5D,SAAS,CAAiB;IAE3C,YACkB,EAAY,EACZ,QAA6B,EAC7B,OAAyB,QAAQ,CAAC,IAAI,EACtC,IAAgB;QAHhB,OAAE,GAAF,EAAE,CAAU;QACZ,aAAQ,GAAR,QAAQ,CAAqB;QAC7B,SAAI,GAAJ,IAAI,CAAkC;QACtC,SAAI,GAAJ,IAAI,CAAY;QAEhC,2EAA2E;QAC3E,IAAI,CAAC,SAAS;YACZ,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ;gBACxB,CAAC,CAAC,IAAA,wBAAiB,EAAC,IAAI,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;gBACzC,CAAC,CAAC,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAA;IAC1D,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,GAAW;QAC1C,IAAI,CAAC;YACH,QAAQ,IAAI,CAAC,QAAQ,CAAC,0BAA0B,EAAE,CAAC;gBACjD,KAAK,MAAM;oBACT,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;wBACxC,WAAW,EAAE,0BAAW,GAAG,IAAI;qBAChC,CAAC,CAAA;gBACJ,KAAK,SAAS;oBACZ,8EAA8E;oBAC9E,uEAAuE;oBACvE,4BAA4B;oBAC5B,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;wBAC/B,WAAW,EAAE,0BAAW,GAAG,IAAI;qBAChC,CAAC,CAAA;gBACJ;oBACE,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;wBAC/B,WAAW,EAAE,0BAAW,GAAG,IAAI;wBAC/B,UAAU,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,0BAA0B,CAAC;qBACvD,CAAC,CAAA;YACN,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,kBAAS;gBACtB,CAAC,CAAC,6BAA6B,GAAG,CAAC,OAAO,EAAE;gBAC5C,CAAC,CAAC,0BAA0B,CAAA;YAEhC,MAAM,IAAI,8CAAmB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC7C,CAAC;IACH,CAAC;IAES,KAAK,CAAC,kBAAkB,CAChC,KAAa,EACb,OAA0C;QAE1C,OAAO,mBAAY,CAAC,MAAM,CAAC,KAAK,EAAE;YAChC,GAAG,OAAO;YACV,MAAM,EAAE,IAAI,CAAC,EAAE;SAChB,CAAC,CAAA;IACJ,CAAC;IAES,KAAK,CAAC,SAAS,CACvB,KAAa,EACb,OAA0C;QAE1C,OAAO,IAAA,gBAAS,EAAc,KAAK,EAAE,IAAI,CAAC,SAAS,EAAE;YACnD,GAAG,OAAO;YACV,MAAM,EAAE,IAAI,CAAC,EAAE;SAChB,CAAC,CAAA;IACJ,CAAC;IAES,aAAa,CAAC,QAA2B;QACjD,OAAO,CACL,IAAI,CAAC,QAAQ,CAAC,GAAG,QAAQ,uBAAuB,CAAC;YACjD,IAAI,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAC5C,CAAA;IACH,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,iBAAiB,CAC5B,KAAgC,EAChC,QAA2B,EAC3B,MAEC;QAMD,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAA;QAE3C,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,MAAM,UAAU,GAAe,EAAE,MAAM,EAAE,MAAM,EAAE,CAAA;YACjD,OAAO,EAAE,UAAU,EAAE,CAAA;QACvB,CAAC;QAED,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;YACjC,IAAI,CAAC,CAAC,uBAAuB,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,qBAAqB,EAAE,CAAC;gBACxE,MAAM,IAAI,8CAAmB,CAC3B,uCAAuC,MAAM,GAAG,CACjD,CAAA;YACH,CAAC;iBAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;gBACnC,MAAM,IAAI,8CAAmB,CAC3B,kCAAkC,MAAM,GAAG,CAC5C,CAAA;YACH,CAAC;YAED,IAAI,KAAK,CAAC,qBAAqB,KAAK,8CAAgC,EAAE,CAAC;gBACrE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAEhC,KAAK,CAAC,gBAAgB,EAAE;oBACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,OAAO,EAAE,IAAI,CAAC,EAAE;oBAChB,WAAW,EAAE,uCAAwB,GAAG,IAAI;iBAC7C,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBACf,IAAI,GAAG,YAAY,kBAAS,EAAE,CAAC;wBAC7B,MAAM,GAAG,GAAG,4CAA4C,GAAG,CAAC,OAAO,EAAE,CAAA;wBACrE,MAAM,IAAI,4CAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;oBACxC,CAAC;oBAED,MAAM,GAAG,CAAA;gBACX,CAAC,CAAC,CAAA;gBAEF,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC;oBAChC,MAAM,IAAI,4CAAkB,CAAC,oCAAoC,CAAC,CAAA;gBACpE,CAAC;gBAED,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;oBACxB,MAAM,IAAI,4CAAkB,CAAC,oCAAoC,CAAC,CAAA;gBACpE,CAAC;gBAED,MAAM,UAAU,GAAe;oBAC7B,MAAM,EAAE,8CAAgC;oBACxC,GAAG,EAAE,MAAM,IAAA,kCAAiB,EAAC,MAAM,CAAC,GAAG,CAAC;oBACxC,GAAG,EAAE,MAAM,CAAC,eAAe,CAAC,GAAG;oBAC/B,GAAG,EAAE,MAAM,CAAC,eAAe,CAAC,GAAG;iBAChC,CAAA;gBAED,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,CAAA;YAClD,CAAC;YAED,MAAM,IAAI,4CAAkB,CAC1B,sCAAsC,KAAK,CAAC,qBAAqB,GAAG,CACrE,CAAA;QACH,CAAC;QAED,wEAAwE;QACxE,4CAA4C;QAC5C,IAAI,MAAM,CAAC,sBAAsB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CACb,+CAA+C;gBAC7C,MAAM,CAAC,sBAAsB;aAC9B,EAAE,CACJ,CAAA;QACH,CAAC;QAED,MAAM,IAAI,6DAA0B,CAClC,eAAe,QAAQ,0BAA0B,MAAM,GAAG,CAC3D,CAAA;IACH,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,kBAAkB,CAAC,UAAsB;QACpD,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,MAAM,CAAA;QAC/C,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,8CAAgC,EAAE,CAAC;YAC3D,IAAI,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,iBAAiB,EAAE,CAAC;gBACtD,OAAO,KAAK,CAAA;YACd,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAC9B;oBACE,GAAG,EAAE,UAAU,CAAC,GAAG;oBACnB,GAAG,EAAE,UAAU,CAAC,GAAG;iBACpB,EACD,EAAE,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAC/B,CAAA;gBACD,MAAM,GAAG,GAAG,MAAM,IAAA,kCAAiB,EAAC,GAAG,CAAC,CAAA;gBAExC,OAAO,GAAG,KAAK,UAAU,CAAC,GAAG,CAAA;YAC/B,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,MAAM,IAAI,KAAK,CAAC,mBAAmB,UAAU,CAAC,MAAM,GAAG,CAAC,CAAA;IAC1D,CAAC;;AAvMH,wBAwMC"}

package/dist/constants.d.ts

@@ -0,0 +1,42 @@
+export declare const DEVICE_ID_PREFIX = "dev-";
+export declare const DEVICE_ID_BYTES_LENGTH = 16;
+export declare const SESSION_ID_PREFIX = "ses-";
+export declare const SESSION_ID_BYTES_LENGTH = 16;
+export declare const REFRESH_TOKEN_PREFIX = "ref-";
+export declare const REFRESH_TOKEN_BYTES_LENGTH = 32;
+export declare const TOKEN_ID_PREFIX = "tok-";
+export declare const TOKEN_ID_BYTES_LENGTH = 16;
+export declare const REQUEST_ID_PREFIX = "req-";
+export declare const REQUEST_ID_BYTES_LENGTH = 16;
+export declare const CODE_PREFIX = "cod-";
+export declare const CODE_BYTES_LENGTH = 32;
+export declare const ALLOW_LOOPBACK_CLIENT_REFRESH_TOKEN = true;
+/** 7 days */
+export declare const AUTHENTICATION_MAX_AGE: number;
+/** 60 minutes */
+export declare const TOKEN_MAX_AGE: number;
+/** 5 minutes */
+export declare const AUTHORIZATION_INACTIVITY_TIMEOUT: number;
+/** 1 months */
+export declare const AUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT: number;
+/** 2 days */
+export declare const UNAUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT: number;
+/** 1 week */
+export declare const UNAUTHENTICATED_REFRESH_LIFETIME: number;
+/** 1 year */
+export declare const AUTHENTICATED_REFRESH_LIFETIME: number;
+/** 5 minutes */
+export declare const PAR_EXPIRES_IN: number;
+/**
+ * 59 seconds (should be less than a minute)
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9101#section-10.2}
+ */
+export declare const JAR_MAX_AGE: number;
+/** 1 minute */
+export declare const CLIENT_ASSERTION_MAX_AGE: number;
+/** 3 minutes */
+export declare const DPOP_NONCE_MAX_AGE: number;
+/** 5 seconds */
+export declare const SESSION_FIXATION_MAX_AGE: number;
+//# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,gBAAgB,SAAS,CAAA;AACtC,eAAO,MAAM,sBAAsB,KAAK,CAAA;AAExC,eAAO,MAAM,iBAAiB,SAAS,CAAA;AACvC,eAAO,MAAM,uBAAuB,KAAK,CAAA;AAEzC,eAAO,MAAM,oBAAoB,SAAS,CAAA;AAC1C,eAAO,MAAM,0BAA0B,KAAK,CAAA;AAE5C,eAAO,MAAM,eAAe,SAAS,CAAA;AACrC,eAAO,MAAM,qBAAqB,KAAK,CAAA;AAEvC,eAAO,MAAM,iBAAiB,SAAS,CAAA;AACvC,eAAO,MAAM,uBAAuB,KAAK,CAAA;AAEzC,eAAO,MAAM,WAAW,SAAS,CAAA;AACjC,eAAO,MAAM,iBAAiB,KAAK,CAAA;AAEnC,eAAO,MAAM,mCAAmC,OAAO,CAAA;AAUvD,aAAa;AACb,eAAO,MAAM,sBAAsB,QAAU,CAAA;AAE7C,iBAAiB;AACjB,eAAO,MAAM,aAAa,QAAc,CAAA;AAExC,gBAAgB;AAChB,eAAO,MAAM,gCAAgC,QAAa,CAAA;AAE1D,eAAe;AACf,eAAO,MAAM,wCAAwC,QAAY,CAAA;AAEjE,aAAa;AACb,eAAO,MAAM,0CAA0C,QAAU,CAAA;AAEjE,aAAa;AACb,eAAO,MAAM,gCAAgC,QAAW,CAAA;AAExD,aAAa;AACb,eAAO,MAAM,8BAA8B,QAAW,CAAA;AAEtD,gBAAgB;AAChB,eAAO,MAAM,cAAc,QAAa,CAAA;AAExC;;;;GAIG;AACH,eAAO,MAAM,WAAW,QAAc,CAAA;AAEtC,eAAe;AACf,eAAO,MAAM,wBAAwB,QAAa,CAAA;AAElD,gBAAgB;AAChB,eAAO,MAAM,kBAAkB,QAAa,CAAA;AAE5C,gBAAgB;AAChB,eAAO,MAAM,wBAAwB,QAAa,CAAA"}

package/dist/constants.js

@@ -0,0 +1,53 @@
+"use strict";
+// The purpose of the prefix is to provide type safety
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SESSION_FIXATION_MAX_AGE = exports.DPOP_NONCE_MAX_AGE = exports.CLIENT_ASSERTION_MAX_AGE = exports.JAR_MAX_AGE = exports.PAR_EXPIRES_IN = exports.AUTHENTICATED_REFRESH_LIFETIME = exports.UNAUTHENTICATED_REFRESH_LIFETIME = exports.UNAUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT = exports.AUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT = exports.AUTHORIZATION_INACTIVITY_TIMEOUT = exports.TOKEN_MAX_AGE = exports.AUTHENTICATION_MAX_AGE = exports.ALLOW_LOOPBACK_CLIENT_REFRESH_TOKEN = exports.CODE_BYTES_LENGTH = exports.CODE_PREFIX = exports.REQUEST_ID_BYTES_LENGTH = exports.REQUEST_ID_PREFIX = exports.TOKEN_ID_BYTES_LENGTH = exports.TOKEN_ID_PREFIX = exports.REFRESH_TOKEN_BYTES_LENGTH = exports.REFRESH_TOKEN_PREFIX = exports.SESSION_ID_BYTES_LENGTH = exports.SESSION_ID_PREFIX = exports.DEVICE_ID_BYTES_LENGTH = exports.DEVICE_ID_PREFIX = void 0;
+exports.DEVICE_ID_PREFIX = 'dev-';
+exports.DEVICE_ID_BYTES_LENGTH = 16; // 128 bits
+exports.SESSION_ID_PREFIX = 'ses-';
+exports.SESSION_ID_BYTES_LENGTH = 16; // 128 bits - only valid if device id is valid
+exports.REFRESH_TOKEN_PREFIX = 'ref-';
+exports.REFRESH_TOKEN_BYTES_LENGTH = 32; // 256 bits
+exports.TOKEN_ID_PREFIX = 'tok-';
+exports.TOKEN_ID_BYTES_LENGTH = 16; // 128 bits - used as `jti` in JWTs (cannot be forged)
+exports.REQUEST_ID_PREFIX = 'req-';
+exports.REQUEST_ID_BYTES_LENGTH = 16; // 128 bits
+exports.CODE_PREFIX = 'cod-';
+exports.CODE_BYTES_LENGTH = 32;
+exports.ALLOW_LOOPBACK_CLIENT_REFRESH_TOKEN = true;
+const SECOND = 1e3;
+const MINUTE = 60 * SECOND;
+const HOUR = 60 * MINUTE;
+const DAY = 24 * HOUR;
+const WEEK = 7 * DAY;
+const YEAR = 365.25 * DAY;
+const MONTH = YEAR / 12;
+/** 7 days */
+exports.AUTHENTICATION_MAX_AGE = 7 * DAY;
+/** 60 minutes */
+exports.TOKEN_MAX_AGE = 60 * MINUTE;
+/** 5 minutes */
+exports.AUTHORIZATION_INACTIVITY_TIMEOUT = 5 * MINUTE;
+/** 1 months */
+exports.AUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT = 1 * MONTH;
+/** 2 days */
+exports.UNAUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT = 2 * DAY;
+/** 1 week */
+exports.UNAUTHENTICATED_REFRESH_LIFETIME = 1 * WEEK;
+/** 1 year */
+exports.AUTHENTICATED_REFRESH_LIFETIME = 1 * YEAR;
+/** 5 minutes */
+exports.PAR_EXPIRES_IN = 5 * MINUTE;
+/**
+ * 59 seconds (should be less than a minute)
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9101#section-10.2}
+ */
+exports.JAR_MAX_AGE = 59 * SECOND;
+/** 1 minute */
+exports.CLIENT_ASSERTION_MAX_AGE = 1 * MINUTE;
+/** 3 minutes */
+exports.DPOP_NONCE_MAX_AGE = 3 * MINUTE;
+/** 5 seconds */
+exports.SESSION_FIXATION_MAX_AGE = 5 * SECOND;
+//# sourceMappingURL=constants.js.map

package/dist/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";AAAA,sDAAsD;;;AAEzC,QAAA,gBAAgB,GAAG,MAAM,CAAA;AACzB,QAAA,sBAAsB,GAAG,EAAE,CAAA,CAAC,WAAW;AAEvC,QAAA,iBAAiB,GAAG,MAAM,CAAA;AAC1B,QAAA,uBAAuB,GAAG,EAAE,CAAA,CAAC,8CAA8C;AAE3E,QAAA,oBAAoB,GAAG,MAAM,CAAA;AAC7B,QAAA,0BAA0B,GAAG,EAAE,CAAA,CAAC,WAAW;AAE3C,QAAA,eAAe,GAAG,MAAM,CAAA;AACxB,QAAA,qBAAqB,GAAG,EAAE,CAAA,CAAC,sDAAsD;AAEjF,QAAA,iBAAiB,GAAG,MAAM,CAAA;AAC1B,QAAA,uBAAuB,GAAG,EAAE,CAAA,CAAC,WAAW;AAExC,QAAA,WAAW,GAAG,MAAM,CAAA;AACpB,QAAA,iBAAiB,GAAG,EAAE,CAAA;AAEtB,QAAA,mCAAmC,GAAG,IAAI,CAAA;AAEvD,MAAM,MAAM,GAAG,GAAG,CAAA;AAClB,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,CAAA;AAC1B,MAAM,IAAI,GAAG,EAAE,GAAG,MAAM,CAAA;AACxB,MAAM,GAAG,GAAG,EAAE,GAAG,IAAI,CAAA;AACrB,MAAM,IAAI,GAAG,CAAC,GAAG,GAAG,CAAA;AACpB,MAAM,IAAI,GAAG,MAAM,GAAG,GAAG,CAAA;AACzB,MAAM,KAAK,GAAG,IAAI,GAAG,EAAE,CAAA;AAEvB,aAAa;AACA,QAAA,sBAAsB,GAAG,CAAC,GAAG,GAAG,CAAA;AAE7C,iBAAiB;AACJ,QAAA,aAAa,GAAG,EAAE,GAAG,MAAM,CAAA;AAExC,gBAAgB;AACH,QAAA,gCAAgC,GAAG,CAAC,GAAG,MAAM,CAAA;AAE1D,eAAe;AACF,QAAA,wCAAwC,GAAG,CAAC,GAAG,KAAK,CAAA;AAEjE,aAAa;AACA,QAAA,0CAA0C,GAAG,CAAC,GAAG,GAAG,CAAA;AAEjE,aAAa;AACA,QAAA,gCAAgC,GAAG,CAAC,GAAG,IAAI,CAAA;AAExD,aAAa;AACA,QAAA,8BAA8B,GAAG,CAAC,GAAG,IAAI,CAAA;AAEtD,gBAAgB;AACH,QAAA,cAAc,GAAG,CAAC,GAAG,MAAM,CAAA;AAExC;;;;GAIG;AACU,QAAA,WAAW,GAAG,EAAE,GAAG,MAAM,CAAA;AAEtC,eAAe;AACF,QAAA,wBAAwB,GAAG,CAAC,GAAG,MAAM,CAAA;AAElD,gBAAgB;AACH,QAAA,kBAAkB,GAAG,CAAC,GAAG,MAAM,CAAA;AAE5C,gBAAgB;AACH,QAAA,wBAAwB,GAAG,CAAC,GAAG,MAAM,CAAA"}

package/dist/device/device-data.d.ts

@@ -0,0 +1,20 @@
+import { z } from 'zod';
+export declare const deviceDataSchema: z.ZodObject<z.objectUtil.extendShape<{
+    userAgent: z.ZodNullable<z.ZodString>;
+    ipAddress: z.ZodString;
+}, {
+    sessionId: z.ZodEffects<z.ZodString, `ses-${string}`, string>;
+    lastSeenAt: z.ZodDate;
+}>, "strip", z.ZodTypeAny, {
+    userAgent: string | null;
+    ipAddress: string;
+    sessionId: `ses-${string}`;
+    lastSeenAt: Date;
+}, {
+    userAgent: string | null;
+    ipAddress: string;
+    sessionId: string;
+    lastSeenAt: Date;
+}>;
+export type DeviceData = z.infer<typeof deviceDataSchema>;
+//# sourceMappingURL=device-data.d.ts.map

package/dist/device/device-data.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-data.d.ts","sourceRoot":"","sources":["../../src/device/device-data.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAKvB,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;EAG3B,CAAA;AAEF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA"}

package/dist/device/device-data.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deviceDataSchema = void 0;
+const zod_1 = require("zod");
+const device_details_js_1 = require("./device-details.js");
+const session_id_js_1 = require("./session-id.js");
+exports.deviceDataSchema = device_details_js_1.deviceDetailsSchema.extend({
+    sessionId: session_id_js_1.sessionIdSchema,
+    lastSeenAt: zod_1.z.date(),
+});
+//# sourceMappingURL=device-data.js.map

package/dist/device/device-data.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-data.js","sourceRoot":"","sources":["../../src/device/device-data.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,2DAAyD;AACzD,mDAAiD;AAEpC,QAAA,gBAAgB,GAAG,uCAAmB,CAAC,MAAM,CAAC;IACzD,SAAS,EAAE,+BAAe;IAC1B,UAAU,EAAE,OAAC,CAAC,IAAI,EAAE;CACrB,CAAC,CAAA"}

package/dist/device/device-details.d.ts

@@ -0,0 +1,17 @@
+/// <reference types="node" />
+import { IncomingMessage } from 'node:http';
+import { z } from 'zod';
+export declare const deviceDetailsSchema: z.ZodObject<{
+    userAgent: z.ZodNullable<z.ZodString>;
+    ipAddress: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    userAgent: string | null;
+    ipAddress: string;
+}, {
+    userAgent: string | null;
+    ipAddress: string;
+}>;
+export type DeviceDetails = z.infer<typeof deviceDetailsSchema>;
+export declare function extractDeviceDetails(req: IncomingMessage, trustProxy: boolean): DeviceDetails;
+export declare function extractIpAddress(req: IncomingMessage, trustProxy: boolean): string | undefined;
+//# sourceMappingURL=device-details.d.ts.map

package/dist/device/device-details.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-details.d.ts","sourceRoot":"","sources":["../../src/device/device-details.ts"],"names":[],"mappings":";AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAA;AAE3C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,mBAAmB;;;;;;;;;EAG9B,CAAA;AACF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAE/D,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,eAAe,EACpB,UAAU,EAAE,OAAO,GAClB,aAAa,CASf;AAED,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,eAAe,EACpB,UAAU,EAAE,OAAO,GAClB,MAAM,GAAG,SAAS,CAepB"}

package/dist/device/device-details.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractIpAddress = exports.extractDeviceDetails = exports.deviceDetailsSchema = void 0;
+const zod_1 = require("zod");
+exports.deviceDetailsSchema = zod_1.z.object({
+    userAgent: zod_1.z.string().nullable(),
+    ipAddress: zod_1.z.string(),
+});
+function extractDeviceDetails(req, trustProxy) {
+    const userAgent = req.headers['user-agent'] || null;
+    const ipAddress = extractIpAddress(req, trustProxy) || null;
+    if (!ipAddress) {
+        throw new Error('Could not determine IP address');
+    }
+    return { userAgent, ipAddress };
+}
+exports.extractDeviceDetails = extractDeviceDetails;
+function extractIpAddress(req, trustProxy) {
+    // Express app compatibility
+    if ('ip' in req && typeof req.ip === 'string') {
+        return req.ip;
+    }
+    if (trustProxy) {
+        const forwardedFor = req.headers['x-forwarded-for'];
+        if (typeof forwardedFor === 'string') {
+            const firstForward = forwardedFor.split(',')[0].trim();
+            if (firstForward)
+                return firstForward;
+        }
+    }
+    return req.socket.remoteAddress;
+}
+exports.extractIpAddress = extractIpAddress;
+//# sourceMappingURL=device-details.js.map

package/dist/device/device-details.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-details.js","sourceRoot":"","sources":["../../src/device/device-details.ts"],"names":[],"mappings":";;;AAEA,6BAAuB;AAEV,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;CACtB,CAAC,CAAA;AAGF,SAAgB,oBAAoB,CAClC,GAAoB,EACpB,UAAmB;IAEnB,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,IAAI,CAAA;IACnD,MAAM,SAAS,GAAG,gBAAgB,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,IAAI,CAAA;IAE3D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,CAAA;AACjC,CAAC;AAZD,oDAYC;AAED,SAAgB,gBAAgB,CAC9B,GAAoB,EACpB,UAAmB;IAEnB,4BAA4B;IAC5B,IAAI,IAAI,IAAI,GAAG,IAAI,OAAO,GAAG,CAAC,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC9C,OAAO,GAAG,CAAC,EAAE,CAAA;IACf,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAA;QACnD,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAA;YACvD,IAAI,YAAY;gBAAE,OAAO,YAAY,CAAA;QACvC,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAC,MAAM,CAAC,aAAa,CAAA;AACjC,CAAC;AAlBD,4CAkBC"}

package/dist/device/device-id.d.ts

@@ -0,0 +1,6 @@
+import { z } from 'zod';
+export declare const DEVICE_ID_LENGTH: number;
+export declare const deviceIdSchema: z.ZodEffects<z.ZodString, `dev-${string}`, string>;
+export type DeviceId = z.infer<typeof deviceIdSchema>;
+export declare const generateDeviceId: () => Promise<DeviceId>;
+//# sourceMappingURL=device-id.d.ts.map

package/dist/device/device-id.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-id.d.ts","sourceRoot":"","sources":["../../src/device/device-id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAKvB,eAAO,MAAM,gBAAgB,QACyB,CAAA;AAEtD,eAAO,MAAM,cAAc,oDASxB,CAAA;AAEH,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAA;AACrD,eAAO,MAAM,gBAAgB,QAAa,QAAQ,QAAQ,CAEzD,CAAA"}

package/dist/device/device-id.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateDeviceId = exports.deviceIdSchema = exports.DEVICE_ID_LENGTH = void 0;
+const zod_1 = require("zod");
+const constants_js_1 = require("../constants.js");
+const crypto_js_1 = require("../lib/util/crypto.js");
+exports.DEVICE_ID_LENGTH = constants_js_1.DEVICE_ID_PREFIX.length + constants_js_1.DEVICE_ID_BYTES_LENGTH * 2; // hex encoding
+exports.deviceIdSchema = zod_1.z
+    .string()
+    .length(exports.DEVICE_ID_LENGTH)
+    .refine((v) => v.startsWith(constants_js_1.DEVICE_ID_PREFIX), {
+    message: `Invalid device ID format`,
+});
+const generateDeviceId = async () => {
+    return `${constants_js_1.DEVICE_ID_PREFIX}${await (0, crypto_js_1.randomHexId)(constants_js_1.DEVICE_ID_BYTES_LENGTH)}`;
+};
+exports.generateDeviceId = generateDeviceId;
+//# sourceMappingURL=device-id.js.map

package/dist/device/device-id.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-id.js","sourceRoot":"","sources":["../../src/device/device-id.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,kDAA0E;AAC1E,qDAAmD;AAEtC,QAAA,gBAAgB,GAC3B,+BAAgB,CAAC,MAAM,GAAG,qCAAsB,GAAG,CAAC,CAAA,CAAC,eAAe;AAEzD,QAAA,cAAc,GAAG,OAAC;KAC5B,MAAM,EAAE;KACR,MAAM,CAAC,wBAAgB,CAAC;KACxB,MAAM,CACL,CAAC,CAAC,EAA8C,EAAE,CAChD,CAAC,CAAC,UAAU,CAAC,+BAAgB,CAAC,EAChC;IACE,OAAO,EAAE,0BAA0B;CACpC,CACF,CAAA;AAGI,MAAM,gBAAgB,GAAG,KAAK,IAAuB,EAAE;IAC5D,OAAO,GAAG,+BAAgB,GAAG,MAAM,IAAA,uBAAW,EAAC,qCAAsB,CAAC,EAAE,CAAA;AAC1E,CAAC,CAAA;AAFY,QAAA,gBAAgB,oBAE5B"}

package/dist/device/device-manager.d.ts

@@ -0,0 +1,88 @@
+/// <reference types="node" />
+import { IncomingMessage, ServerResponse } from 'node:http';
+import type Keygrip from 'keygrip';
+import { DeviceData } from './device-data.js';
+import { DeviceId } from './device-id.js';
+import { DeviceStore } from './device-store.js';
+export declare const DEFAULT_OPTIONS: {
+    /**
+     * Controls whether the IP address is read from the `X-Forwarded-For` header
+     * (if `true`), or from the `req.socket.remoteAddress` property (if `false`).
+     *
+     * @default true // (nowadays, most requests are proxied)
+     */
+    trustProxy: boolean;
+    /**
+     * Amount of time (in ms) after which session IDs will be rotated
+     *
+     * @default 300e3 // (5 minutes)
+     */
+    rotationRate: number;
+    /**
+     * Cookie options
+     */
+    cookie: {
+        keys: Keygrip | undefined;
+        /**
+         * Name of the cookie used to identify the device
+         *
+         * @default 'session-id'
+         */
+        device: string;
+        /**
+         * Name of the cookie used to identify the session
+         *
+         * @default 'session-id'
+         */
+        session: string;
+        /**
+         * Url path for the cookie
+         *
+         * @default '/oauth/authorize'
+         */
+        path: string;
+        /**
+         * Amount of time (in ms) after which the session cookie will expire.
+         * If set to `null`, the cookie will be a session cookie (deleted when the
+         * browser is closed).
+         *
+         * @default 10 * 365.2 * 24 * 60 * 60e3 // 10 years (in ms)
+         */
+        age: number | null;
+        /**
+         * Controls whether the cookie is only sent over HTTPS (if `true`), or also
+         * over HTTP (if `false`). This should **NOT** be set to `false` in
+         * production.
+         */
+        secure: boolean;
+        /**
+         * Controls whether the cookie is sent along with cross-site requests.
+         *
+         * @default 'lax'
+         */
+        sameSite: "lax" | "strict";
+    };
+};
+export type DeviceDeviceManagerOptions = typeof DEFAULT_OPTIONS;
+/**
+ * This class provides an abstraction for keeping track of DEVICE sessions. It
+ * relies on a {@link DeviceStore} to persist session data and a cookie to
+ * identify the session.
+ */
+export declare class DeviceManager {
+    private readonly store;
+    private readonly options;
+    constructor(store: DeviceStore, options?: DeviceDeviceManagerOptions);
+    load(req: IncomingMessage, res: ServerResponse): Promise<{
+        deviceId: DeviceId;
+    }>;
+    private create;
+    private refresh;
+    rotate(req: IncomingMessage, res: ServerResponse, deviceId: DeviceId, data?: Partial<Omit<DeviceData, 'sessionId' | 'lastSeenAt'>>): Promise<void>;
+    private getCookie;
+    private parseCookie;
+    private setCookie;
+    private writeCookie;
+    private getDeviceDetails;
+}
+//# sourceMappingURL=device-manager.d.ts.map

package/dist/device/device-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-manager.d.ts","sourceRoot":"","sources":["../../src/device/device-manager.ts"],"names":[],"mappings":";AAAA,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAG3D,OAAO,KAAK,OAAO,MAAM,SAAS,CAAA;AAMlC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,OAAO,EAAE,QAAQ,EAAoC,MAAM,gBAAgB,CAAA;AAC3E,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAG/C,eAAO,MAAM,eAAe;IAC1B;;;;;OAKG;;IAGH;;;;OAIG;;IAGH;;OAEG;;;QAID;;;;WAIG;;QAGH;;;;WAIG;;QAGH;;;;WAIG;;QAGH;;;;;;WAMG;;QAGH;;;;WAIG;;QAGH;;;;WAIG;;;CAGN,CAAA;AAED,MAAM,MAAM,0BAA0B,GAAG,OAAO,eAAe,CAAA;AAK/D;;;;GAIG;AACH,qBAAa,aAAa;IAEtB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO;gBADP,KAAK,EAAE,WAAW,EAClB,OAAO,GAAE,0BAA4C;IAG3D,IAAI,CACf,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,GAClB,OAAO,CAAC;QAAE,QAAQ,EAAE,QAAQ,CAAA;KAAE,CAAC;YASpB,MAAM;YAuBN,OAAO;IAyCR,MAAM,CACjB,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,QAAQ,EAAE,QAAQ,EAClB,IAAI,CAAC,EAAE,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,GAAG,YAAY,CAAC,CAAC,GAC3D,OAAO,CAAC,IAAI,CAAC;YAYF,SAAS;IA+BvB,OAAO,CAAC,WAAW;IAuBnB,OAAO,CAAC,SAAS;IAKjB,OAAO,CAAC,WAAW;IAgCnB,OAAO,CAAC,gBAAgB;CAGzB"}