@atproto/oauth-provider 0.1.2 → 0.1.3
Sign up to get free protection for your applications and to get access to all the features.
- package/CHANGELOG.md +17 -0
- package/dist/assets/app/bundle-manifest.json +2 -2
- package/dist/assets/app/main.js +3 -3
- package/dist/assets/app/main.js.map +1 -1
- package/dist/client/client-manager.d.ts.map +1 -1
- package/dist/client/client-manager.js +31 -40
- package/dist/client/client-manager.js.map +1 -1
- package/dist/client/client.d.ts +2 -3
- package/dist/client/client.d.ts.map +1 -1
- package/dist/client/client.js +5 -9
- package/dist/client/client.js.map +1 -1
- package/dist/dpop/dpop-manager.d.ts +0 -1
- package/dist/dpop/dpop-manager.d.ts.map +1 -1
- package/dist/dpop/dpop-manager.js +1 -4
- package/dist/dpop/dpop-manager.js.map +1 -1
- package/dist/lib/http/parser.d.ts +13 -7
- package/dist/lib/http/parser.d.ts.map +1 -1
- package/dist/lib/http/parser.js +29 -9
- package/dist/lib/http/parser.js.map +1 -1
- package/dist/lib/http/request.d.ts +5 -5
- package/dist/lib/http/stream.d.ts.map +1 -1
- package/dist/lib/http/stream.js +3 -2
- package/dist/lib/http/stream.js.map +1 -1
- package/dist/metadata/build-metadata.d.ts.map +1 -1
- package/dist/metadata/build-metadata.js +0 -14
- package/dist/metadata/build-metadata.js.map +1 -1
- package/dist/oauth-provider.d.ts +2 -2
- package/dist/oauth-provider.d.ts.map +1 -1
- package/dist/oauth-provider.js +7 -5
- package/dist/oauth-provider.js.map +1 -1
- package/dist/request/types.d.ts +4 -4
- package/dist/signer/signed-token-payload.d.ts +3 -3
- package/dist/signer/signer.d.ts +1 -1
- package/dist/token/token-claims.d.ts +3 -3
- package/package.json +3 -2
- package/src/client/client-manager.ts +46 -60
- package/src/client/client.ts +4 -13
- package/src/dpop/dpop-manager.ts +1 -6
- package/src/lib/http/parser.ts +37 -13
- package/src/lib/http/stream.ts +5 -2
- package/src/metadata/build-metadata.ts +0 -14
- package/src/oauth-provider.ts +6 -18
package/src/lib/http/stream.ts
CHANGED
|
@@ -7,6 +7,7 @@ import {
|
|
|
7
7
|
KnownNames,
|
|
8
8
|
KnownParser,
|
|
9
9
|
KnownTypes,
|
|
10
|
+
parseContentType,
|
|
10
11
|
ParserForType,
|
|
11
12
|
ParserResult,
|
|
12
13
|
parsers,
|
|
@@ -64,9 +65,11 @@ export async function parseStream(
|
|
|
64
65
|
throw createHttpError(400, 'Invalid content-type')
|
|
65
66
|
}
|
|
66
67
|
|
|
68
|
+
const type = parseContentType(contentType)
|
|
69
|
+
|
|
67
70
|
const parser = parsers.find(
|
|
68
71
|
(parser) =>
|
|
69
|
-
allow?.includes(parser.name) !== false && parser.test(
|
|
72
|
+
allow?.includes(parser.name) !== false && parser.test(type.mime),
|
|
70
73
|
)
|
|
71
74
|
|
|
72
75
|
if (!parser) {
|
|
@@ -74,5 +77,5 @@ export async function parseStream(
|
|
|
74
77
|
}
|
|
75
78
|
|
|
76
79
|
const buffer = await readStream(req)
|
|
77
|
-
return parser.parse(buffer)
|
|
80
|
+
return parser.parse(buffer, type)
|
|
78
81
|
}
|
|
@@ -127,28 +127,14 @@ export function buildMetadata(
|
|
|
127
127
|
token_endpoint_auth_signing_alg_values_supported: [...VERIFY_ALGOS],
|
|
128
128
|
|
|
129
129
|
revocation_endpoint: new URL('/oauth/revoke', issuer).href,
|
|
130
|
-
revocation_endpoint_auth_methods_supported: [
|
|
131
|
-
...Client.AUTH_METHODS_SUPPORTED,
|
|
132
|
-
],
|
|
133
|
-
revocation_endpoint_auth_signing_alg_values_supported: [...VERIFY_ALGOS],
|
|
134
130
|
|
|
135
131
|
introspection_endpoint: new URL('/oauth/introspect', issuer).href,
|
|
136
|
-
introspection_endpoint_auth_methods_supported: [
|
|
137
|
-
...Client.AUTH_METHODS_SUPPORTED,
|
|
138
|
-
],
|
|
139
|
-
introspection_endpoint_auth_signing_alg_values_supported: [...VERIFY_ALGOS],
|
|
140
132
|
|
|
141
133
|
userinfo_endpoint: new URL('/oauth/userinfo', issuer).href,
|
|
142
134
|
// end_session_endpoint: new URL('/oauth/logout', issuer).href,
|
|
143
135
|
|
|
144
136
|
// https://datatracker.ietf.org/doc/html/rfc9126#section-5
|
|
145
137
|
pushed_authorization_request_endpoint: new URL('/oauth/par', issuer).href,
|
|
146
|
-
pushed_authorization_request_endpoint_auth_methods_supported: [
|
|
147
|
-
...Client.AUTH_METHODS_SUPPORTED,
|
|
148
|
-
],
|
|
149
|
-
pushed_authorization_request_endpoint_auth_signing_alg_values_supported: [
|
|
150
|
-
...VERIFY_ALGOS,
|
|
151
|
-
],
|
|
152
138
|
|
|
153
139
|
require_pushed_authorization_requests: true,
|
|
154
140
|
|
package/src/oauth-provider.ts
CHANGED
|
@@ -9,7 +9,6 @@ import {
|
|
|
9
9
|
OAuthAuthorizationServerMetadata,
|
|
10
10
|
OAuthClientIdentification,
|
|
11
11
|
OAuthClientMetadata,
|
|
12
|
-
OAuthEndpointName,
|
|
13
12
|
OAuthTokenResponse,
|
|
14
13
|
OAuthTokenType,
|
|
15
14
|
atprotoLoopbackClientMetadata,
|
|
@@ -339,14 +338,11 @@ export class OAuthProvider extends OAuthVerifier {
|
|
|
339
338
|
|
|
340
339
|
protected async authenticateClient(
|
|
341
340
|
client: Client,
|
|
342
|
-
endpoint: OAuthEndpointName,
|
|
343
341
|
credentials: OAuthClientIdentification,
|
|
344
342
|
): Promise<ClientAuth> {
|
|
345
|
-
const { clientAuth, nonce } = await client.verifyCredentials(
|
|
346
|
-
|
|
347
|
-
|
|
348
|
-
{ audience: this.issuer },
|
|
349
|
-
)
|
|
343
|
+
const { clientAuth, nonce } = await client.verifyCredentials(credentials, {
|
|
344
|
+
audience: this.issuer,
|
|
345
|
+
})
|
|
350
346
|
|
|
351
347
|
if (nonce != null) {
|
|
352
348
|
const unique = await this.replayManager.uniqueAuth(nonce, client.id)
|
|
@@ -424,11 +420,7 @@ export class OAuthProvider extends OAuthVerifier {
|
|
|
424
420
|
) {
|
|
425
421
|
try {
|
|
426
422
|
const client = await this.clientManager.getClient(input.client_id)
|
|
427
|
-
const clientAuth = await this.authenticateClient(
|
|
428
|
-
client,
|
|
429
|
-
'pushed_authorization_request',
|
|
430
|
-
input,
|
|
431
|
-
)
|
|
423
|
+
const clientAuth = await this.authenticateClient(client, input)
|
|
432
424
|
|
|
433
425
|
const { payload: parameters } =
|
|
434
426
|
'request' in input // Handle JAR
|
|
@@ -767,7 +759,7 @@ export class OAuthProvider extends OAuthVerifier {
|
|
|
767
759
|
dpopJkt: null | string,
|
|
768
760
|
): Promise<OAuthTokenResponse> {
|
|
769
761
|
const client = await this.clientManager.getClient(input.client_id)
|
|
770
|
-
const clientAuth = await this.authenticateClient(client,
|
|
762
|
+
const clientAuth = await this.authenticateClient(client, input)
|
|
771
763
|
|
|
772
764
|
if (!client.metadata.grant_types.includes(input.grant_type)) {
|
|
773
765
|
throw new InvalidGrantError(
|
|
@@ -851,11 +843,7 @@ export class OAuthProvider extends OAuthVerifier {
|
|
|
851
843
|
input: Introspect,
|
|
852
844
|
): Promise<IntrospectionResponse> {
|
|
853
845
|
const client = await this.clientManager.getClient(input.client_id)
|
|
854
|
-
const clientAuth = await this.authenticateClient(
|
|
855
|
-
client,
|
|
856
|
-
'introspection',
|
|
857
|
-
input,
|
|
858
|
-
)
|
|
846
|
+
const clientAuth = await this.authenticateClient(client, input)
|
|
859
847
|
|
|
860
848
|
// RFC7662 states the following:
|
|
861
849
|
//
|