@atproto/oauth-provider 0.1.0

package/dist/device/device-manager.js

@@ -0,0 +1,206 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeviceManager = exports.DEFAULT_OPTIONS = void 0;
+const cookie_1 = require("cookie");
+const zod_1 = require("zod");
+const index_js_1 = require("../lib/http/index.js");
+const constants_js_1 = require("../constants.js");
+const device_details_js_1 = require("./device-details.js");
+const device_id_js_1 = require("./device-id.js");
+const session_id_js_1 = require("./session-id.js");
+exports.DEFAULT_OPTIONS = {
+    /**
+     * Controls whether the IP address is read from the `X-Forwarded-For` header
+     * (if `true`), or from the `req.socket.remoteAddress` property (if `false`).
+     *
+     * @default true // (nowadays, most requests are proxied)
+     */
+    trustProxy: true,
+    /**
+     * Amount of time (in ms) after which session IDs will be rotated
+     *
+     * @default 300e3 // (5 minutes)
+     */
+    rotationRate: 5 * 60e3,
+    /**
+     * Cookie options
+     */
+    cookie: {
+        keys: undefined,
+        /**
+         * Name of the cookie used to identify the device
+         *
+         * @default 'session-id'
+         */
+        device: 'device-id',
+        /**
+         * Name of the cookie used to identify the session
+         *
+         * @default 'session-id'
+         */
+        session: 'session-id',
+        /**
+         * Url path for the cookie
+         *
+         * @default '/oauth/authorize'
+         */
+        path: '/oauth/authorize',
+        /**
+         * Amount of time (in ms) after which the session cookie will expire.
+         * If set to `null`, the cookie will be a session cookie (deleted when the
+         * browser is closed).
+         *
+         * @default 10 * 365.2 * 24 * 60 * 60e3 // 10 years (in ms)
+         */
+        age: (10 * 365.2 * 24 * 60 * 60e3),
+        /**
+         * Controls whether the cookie is only sent over HTTPS (if `true`), or also
+         * over HTTP (if `false`). This should **NOT** be set to `false` in
+         * production.
+         */
+        secure: true,
+        /**
+         * Controls whether the cookie is sent along with cross-site requests.
+         *
+         * @default 'lax'
+         */
+        sameSite: 'lax',
+    },
+};
+const cookieValueSchema = zod_1.z.tuple([device_id_js_1.deviceIdSchema, session_id_js_1.sessionIdSchema]);
+/**
+ * This class provides an abstraction for keeping track of DEVICE sessions. It
+ * relies on a {@link DeviceStore} to persist session data and a cookie to
+ * identify the session.
+ */
+class DeviceManager {
+    store;
+    options;
+    constructor(store, options = exports.DEFAULT_OPTIONS) {
+        this.store = store;
+        this.options = options;
+    }
+    async load(req, res) {
+        const cookie = await this.getCookie(req);
+        if (cookie) {
+            return this.refresh(req, res, cookie.value, cookie.mustRotate);
+        }
+        else {
+            return this.create(req, res);
+        }
+    }
+    async create(req, res) {
+        const { userAgent, ipAddress } = this.getDeviceDetails(req);
+        const [deviceId, sessionId] = await Promise.all([
+            (0, device_id_js_1.generateDeviceId)(),
+            (0, session_id_js_1.generateSessionId)(),
+        ]);
+        await this.store.createDevice(deviceId, {
+            sessionId,
+            lastSeenAt: new Date(),
+            userAgent,
+            ipAddress,
+        });
+        this.setCookie(res, [deviceId, sessionId]);
+        return { deviceId };
+    }
+    async refresh(req, res, [deviceId, sessionId], forceRotate = false) {
+        const data = await this.store.readDevice(deviceId);
+        if (!data)
+            return this.create(req, res);
+        const lastSeenAt = new Date(data.lastSeenAt);
+        const age = Date.now() - lastSeenAt.getTime();
+        if (sessionId !== data.sessionId) {
+            if (age <= constants_js_1.SESSION_FIXATION_MAX_AGE) {
+                // The cookie was probably rotated by a concurrent request. Let's
+                // update the cookie with the new sessionId.
+                forceRotate = true;
+            }
+            else {
+                // Something's wrong. Let's create a new session.
+                await this.store.deleteDevice(deviceId);
+                return this.create(req, res);
+            }
+        }
+        const details = this.getDeviceDetails(req);
+        if (forceRotate ||
+            details.ipAddress !== data.ipAddress ||
+            details.userAgent !== data.userAgent ||
+            age > this.options.rotationRate) {
+            await this.rotate(req, res, deviceId, {
+                ipAddress: details.ipAddress,
+                userAgent: details.userAgent || data.userAgent,
+            });
+        }
+        return { deviceId };
+    }
+    async rotate(req, res, deviceId, data) {
+        const sessionId = await (0, session_id_js_1.generateSessionId)();
+        await this.store.updateDevice(deviceId, {
+            ...data,
+            sessionId,
+            lastSeenAt: new Date(),
+        });
+        this.setCookie(res, [deviceId, sessionId]);
+    }
+    async getCookie(req) {
+        const cookies = (0, index_js_1.parseHttpCookies)(req);
+        if (!cookies)
+            return null;
+        const device = this.parseCookie(cookies, this.options.cookie.device, device_id_js_1.deviceIdSchema);
+        const session = this.parseCookie(cookies, this.options.cookie.session, session_id_js_1.sessionIdSchema);
+        // Silently ignore invalid cookies
+        if (!device || !session) {
+            // If the device cookie is valid, let's cleanup the DB
+            if (device)
+                await this.store.deleteDevice(device.value);
+            return null;
+        }
+        return {
+            value: [device.value, session.value],
+            mustRotate: device.mustRotate || session.mustRotate,
+        };
+    }
+    parseCookie(cookies, name, schema) {
+        const result = schema.safeParse(cookies[name], { path: ['cookie', name] });
+        if (!result.success)
+            return null;
+        const value = result.data;
+        if (this.options.cookie.keys) {
+            const hash = cookies[`${name}:hash`];
+            if (!hash)
+                return null;
+            const idx = this.options.cookie.keys.index(value, hash);
+            if (idx < 0)
+                return null;
+            return { value, mustRotate: idx !== 0 };
+        }
+        return { value, mustRotate: false };
+    }
+    setCookie(res, cookieValue) {
+        this.writeCookie(res, this.options.cookie.device, cookieValue?.[0]);
+        this.writeCookie(res, this.options.cookie.session, cookieValue?.[1]);
+    }
+    writeCookie(res, name, value) {
+        const cookieOptions = {
+            maxAge: value
+                ? this.options.cookie.age == null
+                    ? undefined
+                    : this.options.cookie.age / 1000
+                : 0,
+            httpOnly: true,
+            path: this.options.cookie.path,
+            secure: this.options.cookie.secure !== false,
+            sameSite: this.options.cookie.sameSite === 'lax' ? 'lax' : 'strict',
+        };
+        (0, index_js_1.appendHeader)(res, 'Set-Cookie', (0, cookie_1.serialize)(name, value || '', cookieOptions));
+        if (this.options.cookie.keys) {
+            (0, index_js_1.appendHeader)(res, 'Set-Cookie', (0, cookie_1.serialize)(`${name}:hash`, value ? this.options.cookie.keys.sign(value) : '', cookieOptions));
+        }
+    }
+    getDeviceDetails(req) {
+        return (0, device_details_js_1.extractDeviceDetails)(req, this.options.trustProxy);
+    }
+}
+exports.DeviceManager = DeviceManager;
+//# sourceMappingURL=device-manager.js.map

package/dist/device/device-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-manager.js","sourceRoot":"","sources":["../../src/device/device-manager.ts"],"names":[],"mappings":";;;AAEA,mCAAqD;AAErD,6BAAuB;AAEvB,mDAAqE;AAErE,kDAA0D;AAE1D,2DAA0D;AAC1D,iDAA2E;AAE3E,mDAAoE;AAEvD,QAAA,eAAe,GAAG;IAC7B;;;;;OAKG;IACH,UAAU,EAAE,IAAI;IAEhB;;;;OAIG;IACH,YAAY,EAAE,CAAC,GAAG,IAAI;IAEtB;;OAEG;IACH,MAAM,EAAE;QACN,IAAI,EAAE,SAAgC;QAEtC;;;;WAIG;QACH,MAAM,EAAE,WAAW;QAEnB;;;;WAIG;QACH,OAAO,EAAE,YAAY;QAErB;;;;WAIG;QACH,IAAI,EAAE,kBAAkB;QAExB;;;;;;WAMG;QACH,GAAG,EAAiB,CAAC,EAAE,GAAG,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAEjD;;;;WAIG;QACH,MAAM,EAAE,IAAI;QAEZ;;;;WAIG;QACH,QAAQ,EAAE,KAAyB;KACpC;CACF,CAAA;AAID,MAAM,iBAAiB,GAAG,OAAC,CAAC,KAAK,CAAC,CAAC,6BAAc,EAAE,+BAAe,CAAC,CAAC,CAAA;AAGpE;;;;GAIG;AACH,MAAa,aAAa;IAEL;IACA;IAFnB,YACmB,KAAkB,EAClB,UAAsC,uBAAe;QADrD,UAAK,GAAL,KAAK,CAAa;QAClB,YAAO,GAAP,OAAO,CAA8C;IACrE,CAAC;IAEG,KAAK,CAAC,IAAI,CACf,GAAoB,EACpB,GAAmB;QAEnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;QACxC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,CAAA;QAChE,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB;QAEnB,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAA;QAE3D,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC9C,IAAA,+BAAgB,GAAE;YAClB,IAAA,iCAAiB,GAAE;SACX,CAAC,CAAA;QAEX,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;YACtB,SAAS;YACT,SAAS;SACV,CAAC,CAAA;QAEF,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAA;QAE1C,OAAO,EAAE,QAAQ,EAAE,CAAA;IACrB,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,GAAoB,EACpB,GAAmB,EACnB,CAAC,QAAQ,EAAE,SAAS,CAAc,EAClC,WAAW,GAAG,KAAK;QAEnB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAA;QAClD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAEvC,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,OAAO,EAAE,CAAA;QAE7C,IAAI,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,GAAG,IAAI,uCAAwB,EAAE,CAAC;gBACpC,iEAAiE;gBACjE,4CAA4C;gBAC5C,WAAW,GAAG,IAAI,CAAA;YACpB,CAAC;iBAAM,CAAC;gBACN,iDAAiD;gBACjD,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;gBACvC,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;YAC9B,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAA;QAE1C,IACE,WAAW;YACX,OAAO,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YACpC,OAAO,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YACpC,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,EAC/B,CAAC;YACD,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE;gBACpC,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS;aAC/C,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAA;IACrB,CAAC;IAEM,KAAK,CAAC,MAAM,CACjB,GAAoB,EACpB,GAAmB,EACnB,QAAkB,EAClB,IAA4D;QAE5D,MAAM,SAAS,GAAG,MAAM,IAAA,iCAAiB,GAAE,CAAA;QAE3C,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,GAAG,IAAI;YACP,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;SACvB,CAAC,CAAA;QAEF,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAA;IAC5C,CAAC;IAEO,KAAK,CAAC,SAAS,CACrB,GAAoB;QAEpB,MAAM,OAAO,GAAG,IAAA,2BAAgB,EAAC,GAAG,CAAC,CAAA;QACrC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QAEzB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAC7B,OAAO,EACP,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAC1B,6BAAc,CACf,CAAA;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAC9B,OAAO,EACP,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAC3B,+BAAe,CAChB,CAAA;QAED,kCAAkC;QAClC,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;YACxB,sDAAsD;YACtD,IAAI,MAAM;gBAAE,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;YAEvD,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO;YACL,KAAK,EAAE,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC;YACpC,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU;SACpD,CAAA;IACH,CAAC;IAEO,WAAW,CACjB,OAA2C,EAC3C,IAAY,EACZ,MAA4D;QAE5D,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC,CAAA;QAC1E,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QAEhC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAA;QAEzB,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,CAAA;YACpC,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAI,CAAA;YAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;YACvD,IAAI,GAAG,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAA;YAExB,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,KAAK,CAAC,EAAE,CAAA;QACzC,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,CAAA;IACrC,CAAC;IAEO,SAAS,CAAC,GAAmB,EAAE,WAA+B;QACpE,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;QACnE,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;IACtE,CAAC;IAEO,WAAW,CAAC,GAAmB,EAAE,IAAY,EAAE,KAAc;QACnE,MAAM,aAAa,GAAG;YACpB,MAAM,EAAE,KAAK;gBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,IAAI;oBAC/B,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI;gBAClC,CAAC,CAAC,CAAC;YACL,QAAQ,EAAE,IAAI;YACd,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI;YAC9B,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,KAAK,KAAK;YAC5C,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ;SAC3D,CAAA;QAEV,IAAA,uBAAY,EACV,GAAG,EACH,YAAY,EACZ,IAAA,kBAAe,EAAC,IAAI,EAAE,KAAK,IAAI,EAAE,EAAE,aAAa,CAAC,CAClD,CAAA;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,IAAA,uBAAY,EACV,GAAG,EACH,YAAY,EACZ,IAAA,kBAAe,EACb,GAAG,IAAI,OAAO,EACd,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,EACjD,aAAa,CACd,CACF,CAAA;QACH,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,GAAoB;QAC3C,OAAO,IAAA,wCAAoB,EAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;IAC3D,CAAC;CACF;AAjMD,sCAiMC"}

package/dist/device/device-store.d.ts

@@ -0,0 +1,15 @@
+import { Awaitable } from '../lib/util/type.js';
+import { DeviceData } from './device-data.js';
+import { DeviceId } from './device-id.js';
+export * from './device-id.js';
+export * from './device-data.js';
+export * from './session-id.js';
+export interface DeviceStore {
+    createDevice(deviceId: DeviceId, data: DeviceData): Awaitable<void>;
+    readDevice(deviceId: DeviceId): Awaitable<DeviceData | null>;
+    updateDevice(deviceId: DeviceId, data: Partial<DeviceData>): Awaitable<void>;
+    deleteDevice(deviceId: DeviceId): Awaitable<void>;
+}
+export declare function isDeviceStore(implementation: Record<string, unknown> & Partial<DeviceStore>): implementation is Record<string, unknown> & DeviceStore;
+export declare function asDeviceStore(implementation?: Record<string, unknown> & Partial<DeviceStore>): DeviceStore;
+//# sourceMappingURL=device-store.d.ts.map

package/dist/device/device-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-store.d.ts","sourceRoot":"","sources":["../../src/device/device-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAA;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC,cAAc,gBAAgB,CAAA;AAC9B,cAAc,kBAAkB,CAAA;AAChC,cAAc,iBAAiB,CAAA;AAE/B,MAAM,WAAW,WAAW;IAC1B,YAAY,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IACnE,UAAU,CAAC,QAAQ,EAAE,QAAQ,GAAG,SAAS,CAAC,UAAU,GAAG,IAAI,CAAC,CAAA;IAC5D,YAAY,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAC5E,YAAY,CAAC,QAAQ,EAAE,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;CAClD;AAED,wBAAgB,aAAa,CAC3B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC,GAC7D,cAAc,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,WAAW,CAOzD;AAED,wBAAgB,aAAa,CAC3B,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC,GAC9D,WAAW,CAKb"}

package/dist/device/device-store.js

@@ -0,0 +1,36 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.asDeviceStore = exports.isDeviceStore = void 0;
+// Export all types needed to implement the DeviceStore interface
+__exportStar(require("./device-id.js"), exports);
+__exportStar(require("./device-data.js"), exports);
+__exportStar(require("./session-id.js"), exports);
+function isDeviceStore(implementation) {
+    return (typeof implementation.createDevice === 'function' &&
+        typeof implementation.readDevice === 'function' &&
+        typeof implementation.updateDevice === 'function' &&
+        typeof implementation.deleteDevice === 'function');
+}
+exports.isDeviceStore = isDeviceStore;
+function asDeviceStore(implementation) {
+    if (!implementation || !isDeviceStore(implementation)) {
+        throw new Error('Invalid DeviceStore implementation');
+    }
+    return implementation;
+}
+exports.asDeviceStore = asDeviceStore;
+//# sourceMappingURL=device-store.js.map

package/dist/device/device-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-store.js","sourceRoot":"","sources":["../../src/device/device-store.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAIA,iEAAiE;AACjE,iDAA8B;AAC9B,mDAAgC;AAChC,kDAA+B;AAS/B,SAAgB,aAAa,CAC3B,cAA8D;IAE9D,OAAO,CACL,OAAO,cAAc,CAAC,YAAY,KAAK,UAAU;QACjD,OAAO,cAAc,CAAC,UAAU,KAAK,UAAU;QAC/C,OAAO,cAAc,CAAC,YAAY,KAAK,UAAU;QACjD,OAAO,cAAc,CAAC,YAAY,KAAK,UAAU,CAClD,CAAA;AACH,CAAC;AATD,sCASC;AAED,SAAgB,aAAa,CAC3B,cAA+D;IAE/D,IAAI,CAAC,cAAc,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;IACvD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC;AAPD,sCAOC"}

package/dist/device/session-id.d.ts

@@ -0,0 +1,6 @@
+import { z } from 'zod';
+export declare const SESSION_ID_LENGTH: number;
+export declare const sessionIdSchema: z.ZodEffects<z.ZodString, `ses-${string}`, string>;
+export type SessionId = z.infer<typeof sessionIdSchema>;
+export declare const generateSessionId: () => Promise<SessionId>;
+//# sourceMappingURL=session-id.d.ts.map

package/dist/device/session-id.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-id.d.ts","sourceRoot":"","sources":["../../src/device/session-id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAKvB,eAAO,MAAM,iBAAiB,QAC0B,CAAA;AAExD,eAAO,MAAM,eAAe,oDASzB,CAAA;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAA;AACvD,eAAO,MAAM,iBAAiB,QAAa,QAAQ,SAAS,CAE3D,CAAA"}

package/dist/device/session-id.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateSessionId = exports.sessionIdSchema = exports.SESSION_ID_LENGTH = void 0;
+const zod_1 = require("zod");
+const constants_js_1 = require("../constants.js");
+const crypto_js_1 = require("../lib/util/crypto.js");
+exports.SESSION_ID_LENGTH = constants_js_1.SESSION_ID_PREFIX.length + constants_js_1.SESSION_ID_BYTES_LENGTH * 2; // hex encoding
+exports.sessionIdSchema = zod_1.z
+    .string()
+    .length(exports.SESSION_ID_LENGTH)
+    .refine((v) => v.startsWith(constants_js_1.SESSION_ID_PREFIX), {
+    message: `Invalid session ID format`,
+});
+const generateSessionId = async () => {
+    return `${constants_js_1.SESSION_ID_PREFIX}${await (0, crypto_js_1.randomHexId)(constants_js_1.SESSION_ID_BYTES_LENGTH)}`;
+};
+exports.generateSessionId = generateSessionId;
+//# sourceMappingURL=session-id.js.map

package/dist/device/session-id.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-id.js","sourceRoot":"","sources":["../../src/device/session-id.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,kDAA4E;AAC5E,qDAAmD;AAEtC,QAAA,iBAAiB,GAC5B,gCAAiB,CAAC,MAAM,GAAG,sCAAuB,GAAG,CAAC,CAAA,CAAC,eAAe;AAE3D,QAAA,eAAe,GAAG,OAAC;KAC7B,MAAM,EAAE;KACR,MAAM,CAAC,yBAAiB,CAAC;KACzB,MAAM,CACL,CAAC,CAAC,EAA+C,EAAE,CACjD,CAAC,CAAC,UAAU,CAAC,gCAAiB,CAAC,EACjC;IACE,OAAO,EAAE,2BAA2B;CACrC,CACF,CAAA;AAEI,MAAM,iBAAiB,GAAG,KAAK,IAAwB,EAAE;IAC9D,OAAO,GAAG,gCAAiB,GAAG,MAAM,IAAA,uBAAW,EAAC,sCAAuB,CAAC,EAAE,CAAA;AAC5E,CAAC,CAAA;AAFY,QAAA,iBAAiB,qBAE7B"}

package/dist/dpop/dpop-manager.d.ts

@@ -0,0 +1,33 @@
+/// <reference types="node" />
+import { DpopNonce, DpopNonceInput } from './dpop-nonce.js';
+export { DpopNonce, type DpopNonceInput };
+export type DpopManagerOptions = {
+    /**
+     * Set this to `false` to disable the use of nonces in DPoP proofs. Set this
+     * to a secret Uint8Array or hex encoded string to use a predictable seed for
+     * all nonces (typically useful when multiple instances are running). Leave
+     * undefined to generate a random seed at startup.
+     */
+    dpopSecret?: false | DpopNonceInput;
+    dpopStep?: number;
+};
+export declare class DpopManager {
+    protected readonly dpopNonce?: DpopNonce;
+    constructor({ dpopSecret, dpopStep }?: DpopManagerOptions);
+    nextNonce(): string | undefined;
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}
+     */
+    checkProof(proof: unknown, htm: string, // HTTP Method
+    htu: string | URL, // HTTP URL
+    accessToken?: string): Promise<{
+        protectedHeader: import("jose").JWTHeaderParameters;
+        payload: {
+            iat: number;
+            exp: number;
+            jti: string;
+        } & import("jose").JWTPayload;
+        jkt: string;
+    }>;
+}
+//# sourceMappingURL=dpop-manager.d.ts.map

package/dist/dpop/dpop-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop-manager.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":";AAQA,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAE3D,OAAO,EAAE,SAAS,EAAE,KAAK,cAAc,EAAE,CAAA;AACzC,MAAM,MAAM,kBAAkB,GAAG;IAC/B;;;;;OAKG;IACH,UAAU,CAAC,EAAE,KAAK,GAAG,cAAc,CAAA;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,qBAAa,WAAW;IACtB,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAA;gBAE5B,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAE,kBAAuB;IAK7D,SAAS,IAAI,MAAM,GAAG,SAAS;IAI/B;;OAEG;IACG,UAAU,CACd,KAAK,EAAE,OAAO,EACd,GAAG,EAAE,MAAM,EAAE,cAAc;IAC3B,GAAG,EAAE,MAAM,GAAG,GAAG,EAAE,WAAW;IAC9B,WAAW,CAAC,EAAE,MAAM;;;iBAWb,MAAM;iBACN,MAAM;iBACN,MAAM;;;;CAoEhB"}

package/dist/dpop/dpop-manager.js

@@ -0,0 +1,115 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DpopManager = exports.DpopNonce = void 0;
+const node_crypto_1 = require("node:crypto");
+const jose_1 = require("jose");
+const errors_1 = require("jose/errors");
+const constants_js_1 = require("../constants.js");
+const invalid_dpop_proof_error_js_1 = require("../errors/invalid-dpop-proof-error.js");
+const use_dpop_nonce_error_js_1 = require("../errors/use-dpop-nonce-error.js");
+const dpop_nonce_js_1 = require("./dpop-nonce.js");
+Object.defineProperty(exports, "DpopNonce", { enumerable: true, get: function () { return dpop_nonce_js_1.DpopNonce; } });
+class DpopManager {
+    dpopNonce;
+    constructor({ dpopSecret, dpopStep } = {}) {
+        this.dpopNonce =
+            dpopSecret === false ? undefined : dpop_nonce_js_1.DpopNonce.from(dpopSecret, dpopStep);
+    }
+    nextNonce() {
+        return this.dpopNonce?.next();
+    }
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}
+     */
+    async checkProof(proof, htm, // HTTP Method
+    htu, // HTTP URL
+    accessToken) {
+        if (Array.isArray(proof) && proof.length === 1) {
+            proof = proof[0];
+        }
+        if (!proof || typeof proof !== 'string') {
+            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
+        }
+        const { protectedHeader, payload } = await (0, jose_1.jwtVerify)(proof, jose_1.EmbeddedJWK, {
+            typ: 'dpop+jwt',
+            maxTokenAge: 10,
+            clockTolerance: constants_js_1.DPOP_NONCE_MAX_AGE / 1e3,
+            requiredClaims: ['iat', 'exp', 'jti'],
+        }).catch((err) => {
+            const message = err instanceof errors_1.JOSEError
+                ? `Invalid DPoP proof (${err.message})`
+                : 'Invalid DPoP proof';
+            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError(message, err);
+        });
+        if (!payload.jti || typeof payload.jti !== 'string') {
+            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('Invalid or missing jti property');
+        }
+        if (payload.exp - payload.iat > constants_js_1.DPOP_NONCE_MAX_AGE / 3 / 1e3) {
+            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof validity too long');
+        }
+        // Note rfc9110#section-9.1 states that the method name is case-sensitive
+        if (!htm || htm !== payload['htm']) {
+            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP htm mismatch');
+        }
+        if (payload['nonce'] !== undefined &&
+            typeof payload['nonce'] !== 'string') {
+            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP nonce must be a string');
+        }
+        if (!payload['nonce'] && this.dpopNonce) {
+            throw new use_dpop_nonce_error_js_1.UseDpopNonceError();
+        }
+        if (payload['nonce'] && !this.dpopNonce?.check(payload['nonce'])) {
+            throw new use_dpop_nonce_error_js_1.UseDpopNonceError();
+        }
+        const htuNorm = normalizeHtu(htu);
+        if (!htuNorm || htuNorm !== normalizeHtu(payload['htu'])) {
+            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP htu mismatch');
+        }
+        if (accessToken) {
+            const athBuffer = (0, node_crypto_1.createHash)('sha256').update(accessToken).digest();
+            if (payload['ath'] !== athBuffer.toString('base64url')) {
+                throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP ath mismatch');
+            }
+        }
+        else if (payload['ath']) {
+            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP ath not allowed');
+        }
+        try {
+            return {
+                protectedHeader,
+                payload,
+                jkt: await (0, jose_1.calculateJwkThumbprint)(protectedHeader['jwk'], 'sha256'), // EmbeddedJWK
+            };
+        }
+        catch (err) {
+            const message = err instanceof errors_1.JOSEError ? err.message : 'Failed to calculate jkt';
+            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError(message, err);
+        }
+    }
+}
+exports.DpopManager = DpopManager;
+/**
+ * @note
+ * > The htu claim matches the HTTP URI value for the HTTP request in which the
+ * > JWT was received, ignoring any query and fragment parts.
+ *
+ * > To reduce the likelihood of false negatives, servers SHOULD employ
+ * > syntax-based normalization (Section 6.2.2 of [RFC3986]) and scheme-based
+ * > normalization (Section 6.2.3 of [RFC3986]) before comparing the htu claim.
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3 | RFC9449 section 4.3. Checking DPoP Proofs}
+ */
+function normalizeHtu(htu) {
+    // Optimization
+    if (!htu)
+        return null;
+    try {
+        const url = new URL(String(htu));
+        url.hash = '';
+        url.search = '';
+        return url.href;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=dpop-manager.js.map

package/dist/dpop/dpop-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop-manager.js","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":";;;AAAA,6CAAwC;AAExC,+BAAqE;AACrE,wCAAuC;AAEvC,kDAAoD;AACpD,uFAA6E;AAC7E,+EAAqE;AACrE,mDAA2D;AAElD,0FAFA,yBAAS,OAEA;AAYlB,MAAa,WAAW;IACH,SAAS,CAAY;IAExC,YAAY,EAAE,UAAU,EAAE,QAAQ,KAAyB,EAAE;QAC3D,IAAI,CAAC,SAAS;YACZ,UAAU,KAAK,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,yBAAS,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;IAC3E,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAA;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,KAAc,EACd,GAAW,EAAE,cAAc;IAC3B,GAAiB,EAAE,WAAW;IAC9B,WAAoB;QAEpB,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/C,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxC,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,MAAM,IAAA,gBAAS,EAIjD,KAAK,EAAE,kBAAW,EAAE;YACrB,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,EAAE;YACf,cAAc,EAAE,iCAAkB,GAAG,GAAG;YACxC,cAAc,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC;SACtC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,OAAO,GACX,GAAG,YAAY,kBAAS;gBACtB,CAAC,CAAC,uBAAuB,GAAG,CAAC,OAAO,GAAG;gBACvC,CAAC,CAAC,oBAAoB,CAAA;YAC1B,MAAM,IAAI,mDAAqB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC/C,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpD,MAAM,IAAI,mDAAqB,CAAC,iCAAiC,CAAC,CAAA;QACpE,CAAC;QAED,IAAI,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,GAAG,iCAAkB,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC;YAC7D,MAAM,IAAI,mDAAqB,CAAC,8BAA8B,CAAC,CAAA;QACjE,CAAC;QAED,yEAAyE;QACzE,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,mDAAqB,CAAC,mBAAmB,CAAC,CAAA;QACtD,CAAC;QAED,IACE,OAAO,CAAC,OAAO,CAAC,KAAK,SAAS;YAC9B,OAAO,OAAO,CAAC,OAAO,CAAC,KAAK,QAAQ,EACpC,CAAC;YACD,MAAM,IAAI,mDAAqB,CAAC,6BAA6B,CAAC,CAAA;QAChE,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACxC,MAAM,IAAI,2CAAiB,EAAE,CAAA;QAC/B,CAAC;QAED,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YACjE,MAAM,IAAI,2CAAiB,EAAE,CAAA;QAC/B,CAAC;QAED,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,CAAA;QACjC,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,mDAAqB,CAAC,mBAAmB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,SAAS,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;YACnE,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBACvD,MAAM,IAAI,mDAAqB,CAAC,mBAAmB,CAAC,CAAA;YACtD,CAAC;QACH,CAAC;aAAM,IAAI,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,mDAAqB,CAAC,sBAAsB,CAAC,CAAA;QACzD,CAAC;QAED,IAAI,CAAC;YACH,OAAO;gBACL,eAAe;gBACf,OAAO;gBACP,GAAG,EAAE,MAAM,IAAA,6BAAsB,EAAC,eAAe,CAAC,KAAK,CAAE,EAAE,QAAQ,CAAC,EAAE,cAAc;aACrF,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,kBAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,yBAAyB,CAAA;YACpE,MAAM,IAAI,mDAAqB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC/C,CAAC;IACH,CAAC;CACF;AApGD,kCAoGC;AAED;;;;;;;;;GASG;AACH,SAAS,YAAY,CAAC,GAAY;IAChC,eAAe;IACf,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAA;IAErB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;QAChC,GAAG,CAAC,IAAI,GAAG,EAAE,CAAA;QACb,GAAG,CAAC,MAAM,GAAG,EAAE,CAAA;QACf,OAAO,GAAG,CAAC,IAAI,CAAA;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC"}

package/dist/dpop/dpop-nonce.d.ts

@@ -0,0 +1,13 @@
+export type DpopNonceInput = string | Uint8Array | DpopNonce;
+export declare class DpopNonce {
+    #private;
+    protected readonly secret: Uint8Array;
+    protected readonly step: number;
+    constructor(secret: Uint8Array, step: number);
+    protected rotate(): void;
+    protected compute(counter: number): string;
+    next(): string;
+    check(nonce: string): boolean;
+    static from(input?: DpopNonceInput, step?: number): DpopNonce;
+}
+//# sourceMappingURL=dpop-nonce.d.ts.map

package/dist/dpop/dpop-nonce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop-nonce.d.ts","sourceRoot":"","sources":["../../src/dpop/dpop-nonce.ts"],"names":[],"mappings":"AAiBA,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,UAAU,GAAG,SAAS,CAAA;AAE5D,qBAAa,SAAS;;IASlB,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU;IACrC,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM;gBADZ,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE,MAAM;IAejC,SAAS,CAAC,MAAM;IA4BhB,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM;IAO1B,IAAI;IAKJ,KAAK,CAAC,KAAK,EAAE,MAAM;IAI1B,MAAM,CAAC,IAAI,CACT,KAAK,GAAE,cAAgC,EACvC,IAAI,SAAyB,GAC5B,SAAS;CAYb"}

package/dist/dpop/dpop-nonce.js

@@ -0,0 +1,94 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DpopNonce = void 0;
+const node_crypto_1 = require("node:crypto");
+const constants_js_1 = require("../constants.js");
+function numTo64bits(num) {
+    const arr = new Uint8Array(8);
+    arr[7] = (num = num | 0) & 0xff;
+    arr[6] = (num >>= 8) & 0xff;
+    arr[5] = (num >>= 8) & 0xff;
+    arr[4] = (num >>= 8) & 0xff;
+    arr[3] = (num >>= 8) & 0xff;
+    arr[2] = (num >>= 8) & 0xff;
+    arr[1] = (num >>= 8) & 0xff;
+    arr[0] = (num >>= 8) & 0xff;
+    return arr;
+}
+class DpopNonce {
+    secret;
+    step;
+    #secret;
+    #counter;
+    #prev;
+    #now;
+    #next;
+    constructor(secret, step) {
+        this.secret = secret;
+        this.step = step;
+        if (secret.length !== 32)
+            throw new TypeError('Expected 32 bytes');
+        if (this.step < 0 || this.step > constants_js_1.DPOP_NONCE_MAX_AGE / 3) {
+            throw new TypeError('Invalid step');
+        }
+        this.#secret = Uint8Array.from(secret);
+        this.#counter = (Date.now() / step) | 0;
+        this.#prev = this.compute(this.#counter - 1);
+        this.#now = this.compute(this.#counter);
+        this.#next = this.compute(this.#counter + 1);
+    }
+    rotate() {
+        const counter = (Date.now() / this.step) | 0;
+        switch (counter - this.#counter) {
+            case 0:
+                // counter === this.#counter => nothing to do
+                return;
+            case 1:
+                // Optimization: avoid recomputing #prev & #now
+                this.#prev = this.#now;
+                this.#now = this.#next;
+                this.#next = this.compute(counter + 1);
+                break;
+            case 2:
+                // Optimization: avoid recomputing #prev
+                this.#prev = this.#next;
+                this.#now = this.compute(counter);
+                this.#next = this.compute(counter + 1);
+                break;
+            default:
+                // All nonces are outdated, so we recompute all of them
+                this.#prev = this.compute(counter - 1);
+                this.#now = this.compute(counter);
+                this.#next = this.compute(counter + 1);
+                break;
+        }
+        this.#counter = counter;
+    }
+    compute(counter) {
+        return (0, node_crypto_1.createHmac)('sha256', this.#secret)
+            .update(numTo64bits(counter))
+            .digest()
+            .toString('base64url');
+    }
+    next() {
+        this.rotate();
+        return this.#next;
+    }
+    check(nonce) {
+        return this.#next === nonce || this.#now === nonce || this.#prev === nonce;
+    }
+    static from(input = (0, node_crypto_1.randomBytes)(32), step = constants_js_1.DPOP_NONCE_MAX_AGE / 3) {
+        if (input instanceof DpopNonce) {
+            return input;
+        }
+        if (input instanceof Uint8Array) {
+            return new DpopNonce(input, step);
+        }
+        if (typeof input === 'string') {
+            return new DpopNonce(Buffer.from(input, 'hex'), step);
+        }
+        return new DpopNonce(input, step);
+    }
+}
+exports.DpopNonce = DpopNonce;
+//# sourceMappingURL=dpop-nonce.js.map

package/dist/dpop/dpop-nonce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop-nonce.js","sourceRoot":"","sources":["../../src/dpop/dpop-nonce.ts"],"names":[],"mappings":";;;AAAA,6CAAqD;AAErD,kDAAoD;AAEpD,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAA;IAC7B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,GAAG,GAAG,CAAC,CAAC,GAAG,IAAI,CAAA;IAC/B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAA;IAC3B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAA;IAC3B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAA;IAC3B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAA;IAC3B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAA;IAC3B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAA;IAC3B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAA;IAC3B,OAAO,GAAG,CAAA;AACZ,CAAC;AAID,MAAa,SAAS;IASC;IACA;IATrB,OAAO,CAAY;IACnB,QAAQ,CAAQ;IAEhB,KAAK,CAAQ;IACb,IAAI,CAAQ;IACZ,KAAK,CAAQ;IAEb,YACqB,MAAkB,EAClB,IAAY;QADZ,WAAM,GAAN,MAAM,CAAY;QAClB,SAAI,GAAJ,IAAI,CAAQ;QAE/B,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE;YAAE,MAAM,IAAI,SAAS,CAAC,mBAAmB,CAAC,CAAA;QAClE,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,IAAI,GAAG,iCAAkB,GAAG,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CAAC,cAAc,CAAC,CAAA;QACrC,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QACtC,IAAI,CAAC,QAAQ,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAA;QAEvC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;QAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;IAC9C,CAAC;IAES,MAAM;QACd,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAC5C,QAAQ,OAAO,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAChC,KAAK,CAAC;gBACJ,6CAA6C;gBAC7C,OAAM;YACR,KAAK,CAAC;gBACJ,+CAA+C;gBAC/C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,CAAA;gBACtB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAA;gBACtB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;YACP,KAAK,CAAC;gBACJ,wCAAwC;gBACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAA;gBACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;gBACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;YACP;gBACE,uDAAuD;gBACvD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;gBACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;QACT,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAA;IACzB,CAAC;IAES,OAAO,CAAC,OAAe;QAC/B,OAAO,IAAA,wBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC;aACtC,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;aAC5B,MAAM,EAAE;aACR,QAAQ,CAAC,WAAW,CAAC,CAAA;IAC1B,CAAC;IAEM,IAAI;QACT,IAAI,CAAC,MAAM,EAAE,CAAA;QACb,OAAO,IAAI,CAAC,KAAK,CAAA;IACnB,CAAC;IAEM,KAAK,CAAC,KAAa;QACxB,OAAO,IAAI,CAAC,KAAK,KAAK,KAAK,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,KAAK,KAAK,CAAA;IAC5E,CAAC;IAED,MAAM,CAAC,IAAI,CACT,QAAwB,IAAA,yBAAW,EAAC,EAAE,CAAC,EACvC,IAAI,GAAG,iCAAkB,GAAG,CAAC;QAE7B,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;YAC/B,OAAO,KAAK,CAAA;QACd,CAAC;QACD,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;YAChC,OAAO,IAAI,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QACnC,CAAC;QACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,IAAI,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,IAAI,CAAC,CAAA;QACvD,CAAC;QACD,OAAO,IAAI,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;IACnC,CAAC;CACF;AApFD,8BAoFC"}

package/dist/errors/access-denied-error.d.ts

@@ -0,0 +1,8 @@
+import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types';
+import { OAuthError } from './oauth-error.js';
+export declare class AccessDeniedError extends OAuthError {
+    readonly parameters: OAuthAuthenticationRequestParameters;
+    constructor(parameters: OAuthAuthenticationRequestParameters, error_description: string, error?: string, cause?: unknown);
+    static from(parameters: OAuthAuthenticationRequestParameters, cause?: unknown): AccessDeniedError;
+}
+//# sourceMappingURL=access-denied-error.d.ts.map

package/dist/errors/access-denied-error.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-denied-error.d.ts","sourceRoot":"","sources":["../../src/errors/access-denied-error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oCAAoC,EAAE,MAAM,sBAAsB,CAAA;AAE3E,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,qBAAa,iBAAkB,SAAQ,UAAU;aAE7B,UAAU,EAAE,oCAAoC;gBAAhD,UAAU,EAAE,oCAAoC,EAChE,iBAAiB,EAAE,MAAM,EACzB,KAAK,SAAkB,EACvB,KAAK,CAAC,EAAE,OAAO;IAKjB,MAAM,CAAC,IAAI,CACT,UAAU,EAAE,oCAAoC,EAChD,KAAK,CAAC,EAAE,OAAO;CASlB"}

package/dist/errors/access-denied-error.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessDeniedError = void 0;
+const build_error_payload_js_1 = require("../output/build-error-payload.js");
+const oauth_error_js_1 = require("./oauth-error.js");
+class AccessDeniedError extends oauth_error_js_1.OAuthError {
+    parameters;
+    constructor(parameters, error_description, error = 'access_denied', cause) {
+        super(error, error_description, 400, cause);
+        this.parameters = parameters;
+    }
+    static from(parameters, cause) {
+        if (cause && cause instanceof AccessDeniedError) {
+            return cause;
+        }
+        const { error, error_description } = (0, build_error_payload_js_1.buildErrorPayload)(cause);
+        return new AccessDeniedError(parameters, error_description, error, cause);
+    }
+}
+exports.AccessDeniedError = AccessDeniedError;
+//# sourceMappingURL=access-denied-error.js.map

package/dist/errors/access-denied-error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-denied-error.js","sourceRoot":"","sources":["../../src/errors/access-denied-error.ts"],"names":[],"mappings":";;;AACA,6EAAoE;AACpE,qDAA6C;AAE7C,MAAa,iBAAkB,SAAQ,2BAAU;IAE7B;IADlB,YACkB,UAAgD,EAChE,iBAAyB,EACzB,KAAK,GAAG,eAAe,EACvB,KAAe;QAEf,KAAK,CAAC,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;QAL3B,eAAU,GAAV,UAAU,CAAsC;IAMlE,CAAC;IAED,MAAM,CAAC,IAAI,CACT,UAAgD,EAChD,KAAe;QAEf,IAAI,KAAK,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;YAChD,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,EAAE,KAAK,EAAE,iBAAiB,EAAE,GAAG,IAAA,0CAAiB,EAAC,KAAK,CAAC,CAAA;QAC7D,OAAO,IAAI,iBAAiB,CAAC,UAAU,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,CAAC,CAAA;IAC3E,CAAC;CACF;AArBD,8CAqBC"}

package/dist/errors/account-selection-required-error.d.ts

@@ -0,0 +1,6 @@
+import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types';
+import { AccessDeniedError } from './access-denied-error.js';
+export declare class AccountSelectionRequiredError extends AccessDeniedError {
+    constructor(parameters: OAuthAuthenticationRequestParameters, error_description?: string, cause?: unknown);
+}
+//# sourceMappingURL=account-selection-required-error.d.ts.map