@atproto/oauth-provider 0.1.2 → 0.2.0

package/src/assets/app/components/accept-form.tsx

@@ -1,22 +1,23 @@
 import { OAuthClientMetadata } from '@atproto/oauth-types'
 import { FormEvent } from 'react'
 
-import { Account } from '../backend-data'
+import { Account, ScopeDetail } from '../backend-data'
 import { Override } from '../lib/util'
 import { AccountIdentifier } from './account-identifier'
 import { Button } from './button'
-import { ClientIdentifier } from './client-identifier'
 import { ClientName } from './client-name'
 import { FormCard, FormCardProps } from './form-card'
-import { Fieldset } from './fieldset'
 
 export type AcceptFormProps = Override<
   FormCardProps,
   {
-    account: Account
     clientId: string
     clientMetadata: OAuthClientMetadata
     clientTrusted: boolean
+
+    account: Account
+    scopeDetails?: ScopeDetail[]
+
     onAccept: () => void
     acceptLabel?: string
 
@@ -29,10 +30,13 @@ export type AcceptFormProps = Override<
 >
 
 export function AcceptForm({
-  account,
   clientId,
   clientMetadata,
   clientTrusted,
+
+  account,
+  scopeDetails,
+
   onAccept,
   acceptLabel = 'Accept',
   onReject,
@@ -62,54 +66,64 @@ export function AcceptForm({
       }
       {...props}
     >
-      <Fieldset
-        title={
-          <ClientName clientId={clientId} clientMetadata={clientMetadata} />
-        }
-      >
-        {clientTrusted && clientMetadata.logo_uri && (
-          <div key="logo" className="flex items-center justify-center">
-            <img
-              crossOrigin="anonymous"
-              src={clientMetadata.logo_uri}
-              alt={clientMetadata.client_name}
-              className="w-16 h-16 rounded-full"
-            />
-          </div>
-        )}
+      {clientTrusted && clientMetadata.logo_uri && (
+        <div key="logo" className="flex items-center justify-center">
+          <img
+            crossOrigin="anonymous"
+            src={clientMetadata.logo_uri}
+            alt={clientMetadata.client_name}
+            className="w-16 h-16 rounded-full"
+          />
+        </div>
+      )}
+      <p>
+        <ClientName clientId={clientId} clientMetadata={clientMetadata} /> is
+        asking for permission to access your account (
+        <AccountIdentifier account={account} />
+        ).
+      </p>
 
-        <p>
-          <ClientIdentifier
-            clientId={clientId}
-            clientMetadata={clientMetadata}
-          />{' '}
-          is asking for permission to access your{' '}
-          <AccountIdentifier account={account} /> account.
-        </p>
+      <p>
+        By clicking <b>{acceptLabel}</b>, you allow this application to perform
+        the following actions in accordance to their{' '}
+        <a
+          href={clientMetadata.tos_uri}
+          rel="nofollow noopener"
+          target="_blank"
+          className="text-brand underline"
+        >
+          terms of service
+        </a>
+        {' and '}
+        <a
+          href={clientMetadata.policy_uri}
+          rel="nofollow noopener"
+          target="_blank"
+          className="text-brand underline"
+        >
+          privacy policy
+        </a>
+        :
+      </p>
 
-        <p>
-          By clicking <b>{acceptLabel}</b>, you allow this application to access
-          your information in accordance to their{' '}
-          <a
-            href={clientMetadata.tos_uri}
-            rel="nofollow noopener"
-            target="_blank"
-            className="text-brand underline"
-          >
-            terms of service
-          </a>
-          {' and '}
-          <a
-            href={clientMetadata.policy_uri}
-            rel="nofollow noopener"
-            target="_blank"
-            className="text-brand underline"
-          >
-            privacy policy
-          </a>
-          .
-        </p>
-      </Fieldset>
+      {scopeDetails?.length ? (
+        <ul className="list-disc list-inside">
+          {scopeDetails.map(
+            ({ scope, description = getScopeDescription(scope) }) => (
+              <li key={scope}>{description}</li>
+            ),
+          )}
+        </ul>
+      ) : null}
     </FormCard>
   )
 }
+
+function getScopeDescription(scope: string): string {
+  switch (scope) {
+    case 'atproto':
+      return 'Uniquely identify you'
+    default:
+      return scope
+  }
+}

package/src/assets/app/components/client-name.tsx

@@ -1,30 +1,38 @@
-import { OAuthClientMetadata } from '@atproto/oauth-types'
+import {
+  isOAuthClientIdDiscoverable,
+  isOAuthClientIdLoopback,
+  OAuthClientMetadata,
+} from '@atproto/oauth-types'
 import { HTMLAttributes } from 'react'
 
-import { ClientIdentifier } from './client-identifier'
+import { UrlViewer } from './url-viewer'
 
 export type ClientNameProps = {
   clientId: string
   clientMetadata: OAuthClientMetadata
-  as?: keyof JSX.IntrinsicElements
-}
+} & HTMLAttributes<Element>
 
 export function ClientName({
   clientId,
   clientMetadata,
-  as: As = 'span',
   ...attrs
-}: ClientNameProps & HTMLAttributes<Element>) {
-  if (clientMetadata.client_name) {
-    return <As {...attrs}>{clientMetadata.client_name}</As>
+}: ClientNameProps) {
+  if (isOAuthClientIdLoopback(clientId)) {
+    return <span {...attrs}>An application on your device</span>
+  }
+
+  if (isOAuthClientIdDiscoverable(clientId)) {
+    if (clientMetadata.client_name) {
+      return (
+        <span {...attrs}>
+          {clientMetadata.client_name} (
+          <UrlViewer url={clientId} path />)
+        </span>
+      )
+    }
+
+    return <UrlViewer {...attrs} url={clientId} path />
   }
 
-  return (
-    <ClientIdentifier
-      clientId={clientId}
-      clientMetadata={clientMetadata}
-      as={As}
-      {...attrs}
-    />
-  )
+  return <span {...attrs}>{clientMetadata.client_name || clientId}</span>
 }

package/src/assets/app/components/url-viewer.tsx

@@ -1,4 +1,4 @@
-import { HTMLAttributes, useMemo } from 'react'
+import { Component, HTMLAttributes, useMemo } from 'react'
 
 export type UrlPartRenderingOptions = {
   faded?: boolean
@@ -28,7 +28,7 @@ export function UrlViewer({
   const urlObj = useMemo(() => new URL(url), [url])
 
   return (
-    <As {...attrs}>
+    <Component as={As} {...attrs}>
       {proto && (
         <UrlPartViewer
           value={`${urlObj.protocol}//`}
@@ -56,7 +56,7 @@ export function UrlViewer({
       {hash && (
         <UrlPartViewer value={urlObj.hash} {...(hash === true ? null : hash)} />
       )}
-    </As>
+    </Component>
   )
 }
 

package/src/assets/app/views/accept-view.tsx

@@ -1,6 +1,6 @@
 import { OAuthClientMetadata } from '@atproto/oauth-types'
 
-import { Session } from '../backend-data'
+import { Account, ScopeDetail } from '../backend-data'
 import { AcceptForm } from '../components/accept-form'
 import { LayoutTitlePage } from '../components/layout-title-page'
 
@@ -8,7 +8,9 @@ export type AcceptViewProps = {
   clientId: string
   clientMetadata: OAuthClientMetadata
   clientTrusted: boolean
-  session: Session
+
+  account: Account
+  scopeDetails?: ScopeDetail[]
 
   onAccept: () => void
   onReject: () => void
@@ -19,12 +21,12 @@ export function AcceptView({
   clientId,
   clientMetadata,
   clientTrusted,
-  session,
+  account,
+  scopeDetails,
   onAccept,
   onReject,
   onBack,
 }: AcceptViewProps) {
-  const { account } = session
   return (
     <LayoutTitlePage
       title="Authorize"
@@ -43,6 +45,7 @@ export function AcceptView({
         clientMetadata={clientMetadata}
         clientTrusted={clientTrusted}
         account={account}
+        scopeDetails={scopeDetails}
         onBack={onBack}
         onAccept={onAccept}
         onReject={onReject}

package/src/assets/app/views/authorize-view.tsx

@@ -79,10 +79,11 @@ export function AuthorizeView({
   if (view === 'accept' && session) {
     return (
       <AcceptView
-        session={session}
         clientId={authorizeData.clientId}
         clientMetadata={authorizeData.clientMetadata}
         clientTrusted={authorizeData.clientTrusted}
+        account={session.account}
+        scopeDetails={authorizeData.scopeDetails}
         onAccept={() => doAccept(session.account)}
         onReject={doReject}
         onBack={

package/src/assets/assets-middleware.ts

@@ -1,8 +1,13 @@
-import { writeStream } from '../lib/http/index.js'
+import {
+  Middleware,
+  validateFetchDest,
+  validateFetchSite,
+  writeStream,
+} from '../lib/http/index.js'
 
 import { ASSETS_URL_PREFIX, getAsset } from './index.js'
 
-export function authorizeAssetsMiddleware() {
+export function authorizeAssetsMiddleware(): Middleware {
   return async function assetsMiddleware(req, res, next): Promise<void> {
     if (req.method !== 'GET' && req.method !== 'HEAD') return next()
     if (!req.url?.startsWith(ASSETS_URL_PREFIX)) return next()
@@ -17,6 +22,13 @@ export function authorizeAssetsMiddleware() {
     const asset = await getAsset(filename).catch(() => null)
     if (!asset) return next()
 
+    try {
+      validateFetchSite(req, res, ['same-origin'])
+      validateFetchDest(req, res, ['style', 'script'])
+    } catch (err) {
+      return next(err)
+    }
+
     if (req.headers['if-none-match'] === asset.sha256) {
       return void res.writeHead(304).end()
     }

package/src/client/client-manager.ts

@@ -17,7 +17,7 @@ import {
   isLoopbackUrl,
   isOAuthClientIdDiscoverable,
   isOAuthClientIdLoopback,
-  OAUTH_AUTHENTICATED_ENDPOINT_NAMES,
+  OAuthAuthorizationServerMetadata,
   OAuthClientIdDiscoverable,
   OAuthClientIdLoopback,
   OAuthClientMetadata,
@@ -56,9 +56,10 @@ export type LoopbackMetadataGetter = (
 
 export class ClientManager {
   protected readonly jwks: CachedGetter<string, Jwks>
-  protected readonly metadata: CachedGetter<string, OAuthClientMetadata>
+  protected readonly metadataGetter: CachedGetter<string, OAuthClientMetadata>
 
   constructor(
+    protected readonly serverMetadata: OAuthAuthorizationServerMetadata,
     protected readonly keyset: Keyset,
     protected readonly hooks: OAuthHooks,
     protected readonly store: ClientStore | null,
@@ -77,7 +78,7 @@ export class ClientManager {
       return jwks
     }, clientJwksCache)
 
-    this.metadata = new CachedGetter(async (uri, options) => {
+    this.metadataGetter = new CachedGetter(async (uri, options) => {
       const metadata = await fetch(buildJsonGetRequest(uri, options)).then(
         fetchMetadataHandler,
       )
@@ -160,7 +161,7 @@ export class ClientManager {
   ): Promise<OAuthClientMetadata> {
     const metadataUrl = parseDiscoverableClientId(clientId)
 
-    const metadata = await this.metadata.get(metadataUrl.href)
+    const metadata = await this.metadataGetter.get(metadataUrl.href)
 
     // Note: we do *not* re-validate the metadata here, as the metadata is
     // validated within the getter. This is to avoid double validation.
@@ -196,6 +197,18 @@ export class ClientManager {
       )
     }
 
+    // Known OIDC specific parameters
+    for (const k of [
+      'default_max_age',
+      'userinfo_signed_response_alg',
+      'id_token_signed_response_alg',
+      'userinfo_encrypted_response_alg',
+    ] as const) {
+      if (metadata[k] != null) {
+        throw new InvalidClientMetadataError(`Unsupported "${k}" parameter`)
+      }
+    }
+
     const clientUriUrl = metadata.client_uri
       ? new URL(metadata.client_uri)
       : null
@@ -205,13 +218,27 @@ export class ClientManager {
       throw new InvalidClientMetadataError('client_uri must be a valid URL')
     }
 
-    const scopes = metadata.scope?.split(' ')
-    if (
-      metadata.grant_types.includes('refresh_token') !==
-      (scopes?.includes('offline_access') ?? false)
-    ) {
+    const scopes = metadata.scope?.split(' ').filter(Boolean)
+
+    const dupScope = scopes?.find(isDuplicate)
+    if (dupScope) {
+      throw new InvalidClientMetadataError(`Duplicate scope "${dupScope}"`)
+    }
+
+    if (scopes) {
+      for (const scope of scopes) {
+        // Note, once we have dynamic scopes, this check will need to be
+        // updated to check against the server's supported scopes.
+        if (!this.serverMetadata.scopes_supported?.includes(scope)) {
+          throw new InvalidClientMetadataError(`Unsupported scope "${scope}"`)
+        }
+      }
+    }
+
+    const dupGrantType = metadata.grant_types.find(isDuplicate)
+    if (dupGrantType) {
       throw new InvalidClientMetadataError(
-        'Grant type "refresh_token" requires scope "offline_access" (and vice versa)',
+        `Duplicate grant type "${dupGrantType}"`,
       )
     }
 
@@ -219,8 +246,8 @@ export class ClientManager {
       switch (grantType) {
         case 'authorization_code':
         case 'refresh_token':
-        case 'implicit': // Required by OIDC (for id_token)
           continue
+        case 'implicit':
         case 'password':
           throw new InvalidClientMetadataError(
             `Grant type "${grantType}" is not allowed`,
@@ -242,78 +269,43 @@ export class ClientManager {
       )
     }
 
-    if (
-      metadata.userinfo_signed_response_alg &&
-      !this.keyset.signAlgorithms.includes(
-        metadata.userinfo_signed_response_alg,
-      )
-    ) {
-      throw new InvalidClientMetadataError(
-        `Unsupported "userinfo_signed_response_alg" ${metadata.userinfo_signed_response_alg}`,
-      )
-    }
-
-    if (
-      metadata.id_token_signed_response_alg &&
-      !this.keyset.signAlgorithms.includes(
-        metadata.id_token_signed_response_alg,
-      )
-    ) {
-      throw new InvalidClientMetadataError(
-        `Unsupported "id_token_signed_response_alg" ${metadata.id_token_signed_response_alg}`,
-      )
-    }
-
-    if (metadata.userinfo_encrypted_response_alg) {
-      // We only support signature for now.
-      throw new InvalidClientMetadataError(
-        'Encrypted userinfo response is not supported',
-      )
-    }
-
-    if (!metadata[`token_endpoint_auth_method`]) {
-      throw new InvalidClientMetadataError(
-        'Missing token_endpoint_auth_method client metadata',
-      )
-    }
-
-    for (const endpoint of OAUTH_AUTHENTICATED_ENDPOINT_NAMES) {
-      const method =
-        metadata[`${endpoint}_endpoint_auth_method`] ||
-        metadata[`token_endpoint_auth_method`]
-
-      switch (method) {
-        case 'none':
-          if (metadata.token_endpoint_auth_signing_alg) {
-            throw new InvalidClientMetadataError(
-              `${endpoint}_endpoint_auth_method "none" must not have ${endpoint}_endpoint_auth_signing_alg`,
-            )
-          }
-          break
+    const method = metadata[`token_endpoint_auth_method`]
+    switch (method) {
+      case undefined:
+        throw new InvalidClientMetadataError(
+          'Missing token_endpoint_auth_method client metadata',
+        )
 
-        case 'private_key_jwt':
-          if (!metadata.jwks && !metadata.jwks_uri) {
-            throw new InvalidClientMetadataError(
-              `private_key_jwt auth method requires jwks or jwks_uri`,
-            )
-          }
-          if (metadata.jwks?.keys.length === 0) {
-            throw new InvalidClientMetadataError(
-              `private_key_jwt auth method requires at least one key in jwks`,
-            )
-          }
-          if (!metadata.token_endpoint_auth_signing_alg) {
-            throw new InvalidClientMetadataError(
-              `Missing token_endpoint_auth_signing_alg client metadata`,
-            )
-          }
-          break
+      case 'none':
+        if (metadata.token_endpoint_auth_signing_alg) {
+          throw new InvalidClientMetadataError(
+            `token_endpoint_auth_method "none" must not have token_endpoint_auth_signing_alg`,
+          )
+        }
+        break
 
-        default:
+      case 'private_key_jwt':
+        if (!metadata.jwks && !metadata.jwks_uri) {
           throw new InvalidClientMetadataError(
-            `${method} is not a supported "${endpoint}_endpoint_auth_method". Use "private_key_jwt" or "none".`,
+            `private_key_jwt auth method requires jwks or jwks_uri`,
           )
-      }
+        }
+        if (metadata.jwks?.keys.length === 0) {
+          throw new InvalidClientMetadataError(
+            `private_key_jwt auth method requires at least one key in jwks`,
+          )
+        }
+        if (!metadata.token_endpoint_auth_signing_alg) {
+          throw new InvalidClientMetadataError(
+            `Missing token_endpoint_auth_signing_alg client metadata`,
+          )
+        }
+        break
+
+      default:
+        throw new InvalidClientMetadataError(
+          `${method} is not a supported "token_endpoint_auth_method". Use "private_key_jwt" or "none".`,
+        )
     }
 
     if (metadata.authorization_encrypted_response_enc) {
@@ -345,37 +337,28 @@ export class ClientManager {
     }
 
     for (const responseType of metadata.response_types) {
-      const rt = responseType.split(' ')
+      if (responseType.includes('id_token')) {
+        throw new InvalidClientMetadataError(
+          `OpenID Connect response type "${responseType}" is not supported`,
+        )
+      }
 
       // ATPROTO spec requires the use of PKCE
-      if (rt.includes('token')) {
+      if (responseType !== 'code') {
         throw new InvalidClientMetadataError(
-          '"token" response type is not compatible with PKCE (use "code" instead)',
+          `Unsupported response type "${responseType}"`,
         )
       }
 
       // Consistency check
       if (
-        rt.includes('code') &&
+        responseType === 'code' &&
         !metadata.grant_types.includes('authorization_code')
       ) {
         throw new InvalidClientMetadataError(
           `Response type "${responseType}" requires the "authorization_code" grant type`,
         )
       }
-
-      // Asking for "code token" or "code id_token" is fine (as long as the
-      // grant_types includes "authorization_code" and the scope includes
-      // "openid"). Asking for "token" or "id_token" (without "code") requires
-      // the "implicit" grant type.
-      if (
-        (rt.includes('token') || rt.includes('id_token')) &&
-        !metadata.grant_types.includes('implicit')
-      ) {
-        throw new InvalidClientMetadataError(
-          `Response type "${responseType}" requires the "implicit" grant type`,
-        )
-      }
     }
 
     if (metadata.application_type === 'native') {
@@ -390,11 +373,33 @@ export class ClientManager {
       // > accordingly.
     }
 
+    if (metadata.authorization_details_types?.length) {
+      const dupAuthDetailsType =
+        metadata.authorization_details_types.find(isDuplicate)
+      if (dupAuthDetailsType) {
+        throw new InvalidClientMetadataError(
+          `Duplicate authorization_details_type "${dupAuthDetailsType}"`,
+        )
+      }
+
+      const authorizationDetailsTypesSupported =
+        this.serverMetadata.authorization_details_types_supported
+      if (!authorizationDetailsTypesSupported) {
+        throw new InvalidClientMetadataError(
+          'authorization_details_types are not supported',
+        )
+      }
+      for (const type of metadata.authorization_details_types) {
+        if (!authorizationDetailsTypesSupported.includes(type)) {
+          throw new InvalidClientMetadataError(
+            `Unsupported authorization_details_type "${type}"`,
+          )
+        }
+      }
+    }
+
     if (!metadata.redirect_uris?.length) {
-      // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
-      //
-      // >  OPs can require that request_uri values used be pre-registered with
-      // > the require_request_uri_registration discovery parameter.
+      // ATPROTO spec requires that at least one redirect URI is provided
 
       throw new InvalidClientMetadataError(
         'At least one redirect_uri is required',
@@ -693,16 +698,11 @@ export class ClientManager {
       )
     }
 
-    for (const endpoint of OAUTH_AUTHENTICATED_ENDPOINT_NAMES) {
-      const method =
-        metadata[`${endpoint}_endpoint_auth_method`] ||
-        metadata[`token_endpoint_auth_method`]
-
-      if (method !== 'none') {
-        throw new InvalidClientMetadataError(
-          `Loopback clients are not allowed to use "${endpoint}_endpoint_auth_method" ${method}`,
-        )
-      }
+    const method = metadata[`token_endpoint_auth_method`]
+    if (method !== 'none') {
+      throw new InvalidClientMetadataError(
+        `Loopback clients are not allowed to use "token_endpoint_auth_method" ${method}`,
+      )
     }
 
     for (const redirectUri of metadata.redirect_uris) {
@@ -766,16 +766,14 @@ export class ClientManager {
       }
     }
 
-    for (const endpoint of OAUTH_AUTHENTICATED_ENDPOINT_NAMES) {
-      const method = metadata[`${endpoint}_endpoint_auth_method`]
-      switch (method) {
-        case 'client_secret_post':
-        case 'client_secret_basic':
-        case 'client_secret_jwt':
-          throw new InvalidClientMetadataError(
-            `Client authentication method "${method}" is not allowed for discoverable clients`,
-          )
-      }
+    const method = metadata[`token_endpoint_auth_method`]
+    switch (method) {
+      case 'client_secret_post':
+      case 'client_secret_basic':
+      case 'client_secret_jwt':
+        throw new InvalidClientMetadataError(
+          `Client authentication method "${method}" is not allowed for discoverable clients`,
+        )
     }
 
     for (const redirectUri of metadata.redirect_uris) {
@@ -800,6 +798,12 @@ export class ClientManager {
   }
 }
 
+function isDuplicate<
+  T extends string | number | boolean | null | undefined | symbol,
+>(value: T, index: number, array: T[]) {
+  return array.includes(value, index + 1)
+}
+
 function reverseDomain(domain: string) {
   return domain.split('.').reverse().join('.')
 }