@atproto/oauth-provider 0.1.2-rc.2 → 0.1.3

package/src/lib/http/stream.ts

@@ -7,6 +7,7 @@ import {
   KnownNames,
   KnownParser,
   KnownTypes,
+  parseContentType,
   ParserForType,
   ParserResult,
   parsers,
@@ -64,9 +65,11 @@ export async function parseStream(
     throw createHttpError(400, 'Invalid content-type')
   }
 
+  const type = parseContentType(contentType)
+
   const parser = parsers.find(
     (parser) =>
-      allow?.includes(parser.name) !== false && parser.test(contentType),
+      allow?.includes(parser.name) !== false && parser.test(type.mime),
   )
 
   if (!parser) {
@@ -74,5 +77,5 @@ export async function parseStream(
   }
 
   const buffer = await readStream(req)
-  return parser.parse(buffer)
+  return parser.parse(buffer, type)
 }

package/src/metadata/build-metadata.ts

@@ -127,28 +127,14 @@ export function buildMetadata(
     token_endpoint_auth_signing_alg_values_supported: [...VERIFY_ALGOS],
 
     revocation_endpoint: new URL('/oauth/revoke', issuer).href,
-    revocation_endpoint_auth_methods_supported: [
-      ...Client.AUTH_METHODS_SUPPORTED,
-    ],
-    revocation_endpoint_auth_signing_alg_values_supported: [...VERIFY_ALGOS],
 
     introspection_endpoint: new URL('/oauth/introspect', issuer).href,
-    introspection_endpoint_auth_methods_supported: [
-      ...Client.AUTH_METHODS_SUPPORTED,
-    ],
-    introspection_endpoint_auth_signing_alg_values_supported: [...VERIFY_ALGOS],
 
     userinfo_endpoint: new URL('/oauth/userinfo', issuer).href,
     // end_session_endpoint: new URL('/oauth/logout', issuer).href,
 
     // https://datatracker.ietf.org/doc/html/rfc9126#section-5
     pushed_authorization_request_endpoint: new URL('/oauth/par', issuer).href,
-    pushed_authorization_request_endpoint_auth_methods_supported: [
-      ...Client.AUTH_METHODS_SUPPORTED,
-    ],
-    pushed_authorization_request_endpoint_auth_signing_alg_values_supported: [
-      ...VERIFY_ALGOS,
-    ],
 
     require_pushed_authorization_requests: true,
 

package/src/oauth-provider.ts

@@ -9,7 +9,6 @@ import {
   OAuthAuthorizationServerMetadata,
   OAuthClientIdentification,
   OAuthClientMetadata,
-  OAuthEndpointName,
   OAuthTokenResponse,
   OAuthTokenType,
   atprotoLoopbackClientMetadata,
@@ -339,14 +338,11 @@ export class OAuthProvider extends OAuthVerifier {
 
   protected async authenticateClient(
     client: Client,
-    endpoint: OAuthEndpointName,
     credentials: OAuthClientIdentification,
   ): Promise<ClientAuth> {
-    const { clientAuth, nonce } = await client.verifyCredentials(
-      credentials,
-      endpoint,
-      { audience: this.issuer },
-    )
+    const { clientAuth, nonce } = await client.verifyCredentials(credentials, {
+      audience: this.issuer,
+    })
 
     if (nonce != null) {
       const unique = await this.replayManager.uniqueAuth(nonce, client.id)
@@ -424,11 +420,7 @@ export class OAuthProvider extends OAuthVerifier {
   ) {
     try {
       const client = await this.clientManager.getClient(input.client_id)
-      const clientAuth = await this.authenticateClient(
-        client,
-        'pushed_authorization_request',
-        input,
-      )
+      const clientAuth = await this.authenticateClient(client, input)
 
       const { payload: parameters } =
         'request' in input // Handle JAR
@@ -767,7 +759,7 @@ export class OAuthProvider extends OAuthVerifier {
     dpopJkt: null | string,
   ): Promise<OAuthTokenResponse> {
     const client = await this.clientManager.getClient(input.client_id)
-    const clientAuth = await this.authenticateClient(client, 'token', input)
+    const clientAuth = await this.authenticateClient(client, input)
 
     if (!client.metadata.grant_types.includes(input.grant_type)) {
       throw new InvalidGrantError(
@@ -851,11 +843,7 @@ export class OAuthProvider extends OAuthVerifier {
     input: Introspect,
   ): Promise<IntrospectionResponse> {
     const client = await this.clientManager.getClient(input.client_id)
-    const clientAuth = await this.authenticateClient(
-      client,
-      'introspection',
-      input,
-    )
+    const clientAuth = await this.authenticateClient(client, input)
 
     // RFC7662 states the following:
     //

package/dist/output/send-authorize-page.d.ts

@@ -1,43 +0,0 @@
-/// <reference types="node" />
-import { OAuthAuthenticationRequestParameters, OAuthClientMetadata } from '@atproto/oauth-types';
-import { ServerResponse } from 'node:http';
-import { DeviceAccountInfo } from '../account/account-store.js';
-import { Account } from '../account/account.js';
-import { Client } from '../client/client.js';
-import { RequestUri } from '../request/request-uri.js';
-import { Customization } from './customization.js';
-export type AuthorizationResultAuthorize = {
-    issuer: string;
-    client: Client;
-    parameters: OAuthAuthenticationRequestParameters;
-    authorize: {
-        uri: RequestUri;
-        sessions: readonly {
-            account: Account;
-            info: DeviceAccountInfo;
-            selected: boolean;
-            loginRequired: boolean;
-            consentRequired: boolean;
-        }[];
-    };
-};
-type Session = {
-    account: Account;
-    info?: never;
-    selected: boolean;
-    loginRequired: boolean;
-    consentRequired: boolean;
-};
-export type AuthorizeData = {
-    clientId: string;
-    clientMetadata: OAuthClientMetadata;
-    clientTrusted: boolean;
-    requestUri: string;
-    csrfCookie: string;
-    loginHint?: string;
-    newSessionsRequireConsent: boolean;
-    sessions: Session[];
-};
-export declare function sendAuthorizePage(res: ServerResponse, data: AuthorizationResultAuthorize, customization?: Customization): Promise<void>;
-export {};
-//# sourceMappingURL=send-authorize-page.d.ts.map

package/dist/output/send-authorize-page.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"send-authorize-page.d.ts","sourceRoot":"","sources":["../../src/output/send-authorize-page.ts"],"names":[],"mappings":";AAAA,OAAO,EACL,oCAAoC,EACpC,mBAAmB,EACpB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAE1C,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAA;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAA;AAE/C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAE5C,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,EACL,aAAa,EAGd,MAAM,oBAAoB,CAAA;AAG3B,MAAM,MAAM,4BAA4B,GAAG;IACzC,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,MAAM,CAAA;IACd,UAAU,EAAE,oCAAoC,CAAA;IAChD,SAAS,EAAE;QACT,GAAG,EAAE,UAAU,CAAA;QACf,QAAQ,EAAE,SAAS;YACjB,OAAO,EAAE,OAAO,CAAA;YAChB,IAAI,EAAE,iBAAiB,CAAA;YAEvB,QAAQ,EAAE,OAAO,CAAA;YACjB,aAAa,EAAE,OAAO,CAAA;YACtB,eAAe,EAAE,OAAO,CAAA;SACzB,EAAE,CAAA;KACJ,CAAA;CACF,CAAA;AAKD,KAAK,OAAO,GAAG;IACb,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,CAAC,EAAE,KAAK,CAAA;IAEZ,QAAQ,EAAE,OAAO,CAAA;IACjB,aAAa,EAAE,OAAO,CAAA;IACtB,eAAe,EAAE,OAAO,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,aAAa,GAAG;IAC1B,QAAQ,EAAE,MAAM,CAAA;IAChB,cAAc,EAAE,mBAAmB,CAAA;IACnC,aAAa,EAAE,OAAO,CAAA;IACtB,UAAU,EAAE,MAAM,CAAA;IAClB,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,yBAAyB,EAAE,OAAO,CAAA;IAClC,QAAQ,EAAE,OAAO,EAAE,CAAA;CACpB,CAAA;AAsBD,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,4BAA4B,EAClC,aAAa,CAAC,EAAE,aAAa,GAC5B,OAAO,CAAC,IAAI,CAAC,CA2Bf"}

package/dist/output/send-authorize-page.js

@@ -1,49 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.sendAuthorizePage = void 0;
-const index_js_1 = require("../assets/index.js");
-const index_js_2 = require("../lib/html/index.js");
-const customization_js_1 = require("./customization.js");
-const send_web_page_js_1 = require("./send-web-page.js");
-function buildAuthorizeData(data) {
-    return {
-        clientId: data.client.id,
-        clientMetadata: data.client.metadata,
-        clientTrusted: data.client.info.isTrusted,
-        requestUri: data.authorize.uri,
-        csrfCookie: `csrf-${data.authorize.uri}`,
-        loginHint: data.parameters.login_hint,
-        newSessionsRequireConsent: data.parameters.prompt === 'consent',
-        sessions: data.authorize.sessions.map((session) => ({
-            account: session.account,
-            selected: session.selected,
-            loginRequired: session.loginRequired,
-            consentRequired: session.consentRequired,
-        })),
-    };
-}
-async function sendAuthorizePage(res, data, customization) {
-    res.setHeader('Cache-Control', 'no-store');
-    res.setHeader('Permissions-Policy', 'otp-credentials=*, document-domain=()');
-    const [jsAsset, cssAsset] = await Promise.all([
-        (0, index_js_1.getAsset)('main.js'),
-        (0, index_js_1.getAsset)('main.css'),
-    ]);
-    return (0, send_web_page_js_1.sendWebPage)(res, {
-        scripts: [
-            (0, send_web_page_js_1.declareBackendData)('__customizationData', (0, customization_js_1.buildCustomizationData)(customization)),
-            (0, send_web_page_js_1.declareBackendData)('__authorizeData', buildAuthorizeData(data)),
-            jsAsset, // Last (to be able to read the global variables)
-        ],
-        styles: [
-            cssAsset, // First (to be overridden by customization)
-            (0, index_js_2.cssCode)((0, customization_js_1.buildCustomizationCss)(customization)),
-        ],
-        links: customization?.links,
-        htmlAttrs: { lang: 'en' },
-        title: 'Authorize',
-        body: (0, index_js_2.html) `<div id="root"></div>`,
-    });
-}
-exports.sendAuthorizePage = sendAuthorizePage;
-//# sourceMappingURL=send-authorize-page.js.map

package/dist/output/send-authorize-page.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"send-authorize-page.js","sourceRoot":"","sources":["../../src/output/send-authorize-page.ts"],"names":[],"mappings":";;;AAQA,iDAA6C;AAE7C,mDAAoD;AAEpD,yDAI2B;AAC3B,yDAAoE;AA0CpE,SAAS,kBAAkB,CAAC,IAAkC;IAC5D,OAAO;QACL,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE;QACxB,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;QACpC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS;QACzC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG;QAC9B,UAAU,EAAE,QAAQ,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;QACxC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,UAAU;QACrC,yBAAyB,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,SAAS;QAC/D,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CACnC,CAAC,OAAO,EAAW,EAAE,CAAC,CAAC;YACrB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,eAAe,EAAE,OAAO,CAAC,eAAe;SACzC,CAAC,CACH;KACF,CAAA;AACH,CAAC;AAEM,KAAK,UAAU,iBAAiB,CACrC,GAAmB,EACnB,IAAkC,EAClC,aAA6B;IAE7B,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;IAC1C,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,uCAAuC,CAAC,CAAA;IAE5E,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC5C,IAAA,mBAAQ,EAAC,SAAS,CAAC;QACnB,IAAA,mBAAQ,EAAC,UAAU,CAAC;KACrB,CAAC,CAAA;IAEF,OAAO,IAAA,8BAAW,EAAC,GAAG,EAAE;QACtB,OAAO,EAAE;YACP,IAAA,qCAAkB,EAChB,qBAAqB,EACrB,IAAA,yCAAsB,EAAC,aAAa,CAAC,CACtC;YACD,IAAA,qCAAkB,EAAC,iBAAiB,EAAE,kBAAkB,CAAC,IAAI,CAAC,CAAC;YAC/D,OAAO,EAAE,iDAAiD;SAC3D;QACD,MAAM,EAAE;YACN,QAAQ,EAAE,4CAA4C;YACtD,IAAA,kBAAO,EAAC,IAAA,wCAAqB,EAAC,aAAa,CAAC,CAAC;SAC9C;QACD,KAAK,EAAE,aAAa,EAAE,KAAK;QAC3B,SAAS,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;QACzB,KAAK,EAAE,WAAW;QAClB,IAAI,EAAE,IAAA,eAAI,EAAA,uBAAuB;KAClC,CAAC,CAAA;AACJ,CAAC;AA/BD,8CA+BC"}

package/dist/output/send-error-page.d.ts

@@ -1,5 +0,0 @@
-/// <reference types="node" />
-import { ServerResponse } from 'node:http';
-import { Customization } from './customization.js';
-export declare function sendErrorPage(res: ServerResponse, err: unknown, customization?: Customization): Promise<void>;
-//# sourceMappingURL=send-error-page.d.ts.map

package/dist/output/send-error-page.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"send-error-page.d.ts","sourceRoot":"","sources":["../../src/output/send-error-page.ts"],"names":[],"mappings":";AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAK1C,OAAO,EACL,aAAa,EAGd,MAAM,oBAAoB,CAAA;AAG3B,wBAAsB,aAAa,CACjC,GAAG,EAAE,cAAc,EACnB,GAAG,EAAE,OAAO,EACZ,aAAa,CAAC,EAAE,aAAa,GAC5B,OAAO,CAAC,IAAI,CAAC,CAwBf"}

package/dist/output/send-error-page.js

@@ -1,31 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.sendErrorPage = void 0;
-const index_js_1 = require("../assets/index.js");
-const index_js_2 = require("../lib/html/index.js");
-const build_error_payload_js_1 = require("./build-error-payload.js");
-const customization_js_1 = require("./customization.js");
-const send_web_page_js_1 = require("./send-web-page.js");
-async function sendErrorPage(res, err, customization) {
-    const [jsAsset, cssAsset] = await Promise.all([
-        (0, index_js_1.getAsset)('main.js'),
-        (0, index_js_1.getAsset)('main.css'),
-    ]);
-    return (0, send_web_page_js_1.sendWebPage)(res, {
-        status: (0, build_error_payload_js_1.buildErrorStatus)(err),
-        scripts: [
-            (0, send_web_page_js_1.declareBackendData)('__customizationData', (0, customization_js_1.buildCustomizationData)(customization)),
-            (0, send_web_page_js_1.declareBackendData)('__errorData', (0, build_error_payload_js_1.buildErrorPayload)(err)),
-            jsAsset, // Last (to be able to read the global variables)
-        ],
-        styles: [
-            cssAsset, // First (to be overridden by customization)
-            (0, index_js_2.cssCode)((0, customization_js_1.buildCustomizationCss)(customization)),
-        ],
-        htmlAttrs: { lang: 'en' },
-        title: 'Error',
-        body: (0, index_js_2.html) `<div id="root"></div>`,
-    });
-}
-exports.sendErrorPage = sendErrorPage;
-//# sourceMappingURL=send-error-page.js.map

package/dist/output/send-error-page.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"send-error-page.js","sourceRoot":"","sources":["../../src/output/send-error-page.ts"],"names":[],"mappings":";;;AAEA,iDAA6C;AAC7C,mDAAoD;AACpD,qEAA8E;AAC9E,yDAI2B;AAC3B,yDAAoE;AAE7D,KAAK,UAAU,aAAa,CACjC,GAAmB,EACnB,GAAY,EACZ,aAA6B;IAE7B,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC5C,IAAA,mBAAQ,EAAC,SAAS,CAAC;QACnB,IAAA,mBAAQ,EAAC,UAAU,CAAC;KACrB,CAAC,CAAA;IAEF,OAAO,IAAA,8BAAW,EAAC,GAAG,EAAE;QACtB,MAAM,EAAE,IAAA,yCAAgB,EAAC,GAAG,CAAC;QAC7B,OAAO,EAAE;YACP,IAAA,qCAAkB,EAChB,qBAAqB,EACrB,IAAA,yCAAsB,EAAC,aAAa,CAAC,CACtC;YACD,IAAA,qCAAkB,EAAC,aAAa,EAAE,IAAA,0CAAiB,EAAC,GAAG,CAAC,CAAC;YACzD,OAAO,EAAE,iDAAiD;SAC3D;QACD,MAAM,EAAE;YACN,QAAQ,EAAE,4CAA4C;YACtD,IAAA,kBAAO,EAAC,IAAA,wCAAqB,EAAC,aAAa,CAAC,CAAC;SAC9C;QACD,SAAS,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;QACzB,KAAK,EAAE,OAAO;QACd,IAAI,EAAE,IAAA,eAAI,EAAA,uBAAuB;KAClC,CAAC,CAAA;AACJ,CAAC;AA5BD,sCA4BC"}