npm - @atproto/oauth-provider - Versions diffs - 0.1.2 → 0.2.0 - Mend

@atproto/oauth-provider 0.1.2 → 0.2.0

Files changed (136) hide show

package/CHANGELOG.md +46 -0
package/dist/account/account.d.ts +6 -2
package/dist/account/account.d.ts.map +1 -1
package/dist/assets/app/bundle-manifest.json +3 -3
package/dist/assets/app/main.css +1 -1
package/dist/assets/app/main.js +3 -3
package/dist/assets/app/main.js.map +1 -1
package/dist/assets/assets-middleware.d.ts +2 -1
package/dist/assets/assets-middleware.d.ts.map +1 -1
package/dist/assets/assets-middleware.js +7 -0
package/dist/assets/assets-middleware.js.map +1 -1
package/dist/client/client-manager.d.ts +4 -3
package/dist/client/client-manager.d.ts.map +1 -1
package/dist/client/client-manager.js +91 -77
package/dist/client/client-manager.js.map +1 -1
package/dist/client/client.d.ts +2 -3
package/dist/client/client.d.ts.map +1 -1
package/dist/client/client.js +6 -12
package/dist/client/client.js.map +1 -1
package/dist/constants.d.ts +2 -0
package/dist/constants.d.ts.map +1 -1
package/dist/constants.js +3 -1
package/dist/constants.js.map +1 -1
package/dist/device/device-manager.d.ts +1 -1
package/dist/device/device-manager.d.ts.map +1 -1
package/dist/device/device-manager.js +2 -2
package/dist/device/device-manager.js.map +1 -1
package/dist/dpop/dpop-manager.d.ts +0 -1
package/dist/dpop/dpop-manager.d.ts.map +1 -1
package/dist/dpop/dpop-manager.js +1 -4
package/dist/dpop/dpop-manager.js.map +1 -1
package/dist/errors/invalid-authorization-details-error.d.ts +4 -3
package/dist/errors/invalid-authorization-details-error.d.ts.map +1 -1
package/dist/errors/invalid-authorization-details-error.js +4 -4
package/dist/errors/invalid-authorization-details-error.js.map +1 -1
package/dist/lib/http/parser.d.ts +13 -7
package/dist/lib/http/parser.d.ts.map +1 -1
package/dist/lib/http/parser.js +29 -9
package/dist/lib/http/parser.js.map +1 -1
package/dist/lib/http/request.d.ts +8 -5
package/dist/lib/http/request.d.ts.map +1 -1
package/dist/lib/http/request.js +24 -12
package/dist/lib/http/request.js.map +1 -1
package/dist/lib/http/stream.d.ts.map +1 -1
package/dist/lib/http/stream.js +3 -2
package/dist/lib/http/stream.js.map +1 -1
package/dist/metadata/build-metadata.d.ts +0 -1
package/dist/metadata/build-metadata.d.ts.map +1 -1
package/dist/metadata/build-metadata.js +9 -49
package/dist/metadata/build-metadata.js.map +1 -1
package/dist/oauth-hooks.d.ts +3 -10
package/dist/oauth-hooks.d.ts.map +1 -1
package/dist/oauth-provider.d.ts +10 -15
package/dist/oauth-provider.d.ts.map +1 -1
package/dist/oauth-provider.js +176 -114
package/dist/oauth-provider.js.map +1 -1
package/dist/oauth-verifier.d.ts +1 -2
package/dist/oauth-verifier.d.ts.map +1 -1
package/dist/oauth-verifier.js.map +1 -1
package/dist/output/build-authorize-data.d.ts +6 -0
package/dist/output/build-authorize-data.d.ts.map +1 -1
package/dist/output/build-authorize-data.js +1 -0
package/dist/output/build-authorize-data.js.map +1 -1
package/dist/replay/replay-manager.d.ts +1 -0
package/dist/replay/replay-manager.d.ts.map +1 -1
package/dist/replay/replay-manager.js +3 -0
package/dist/replay/replay-manager.js.map +1 -1
package/dist/replay/replay-store.d.ts +1 -1
package/dist/request/request-info.d.ts +2 -0
package/dist/request/request-info.d.ts.map +1 -1
package/dist/request/request-manager.d.ts +3 -9
package/dist/request/request-manager.d.ts.map +1 -1
package/dist/request/request-manager.js +52 -77
package/dist/request/request-manager.js.map +1 -1
package/dist/request/types.d.ts +10 -10
package/dist/signer/signed-token-payload.d.ts +88 -88
package/dist/signer/signer.d.ts +24 -31
package/dist/signer/signer.d.ts.map +1 -1
package/dist/signer/signer.js +0 -40
package/dist/signer/signer.js.map +1 -1
package/dist/token/token-claims.d.ts +84 -84
package/dist/token/token-manager.d.ts +1 -2
package/dist/token/token-manager.d.ts.map +1 -1
package/dist/token/token-manager.js +10 -37
package/dist/token/token-manager.js.map +1 -1
package/dist/token/types.d.ts +10 -10
package/package.json +3 -3
package/src/account/account.ts +11 -7
package/src/assets/app/backend-data.ts +9 -2
package/src/assets/app/components/accept-form.tsx +65 -51
package/src/assets/app/components/client-name.tsx +24 -16
package/src/assets/app/components/url-viewer.tsx +3 -3
package/src/assets/app/views/accept-view.tsx +7 -4
package/src/assets/app/views/authorize-view.tsx +2 -1
package/src/assets/assets-middleware.ts +14 -2
package/src/client/client-manager.ts +124 -120
package/src/client/client.ts +5 -17
package/src/constants.ts +3 -0
package/src/device/device-manager.ts +7 -1
package/src/dpop/dpop-manager.ts +1 -6
package/src/errors/invalid-authorization-details-error.ts +9 -4
package/src/lib/http/parser.ts +37 -13
package/src/lib/http/request.ts +61 -15
package/src/lib/http/stream.ts +5 -2
package/src/metadata/build-metadata.ts +9 -56
package/src/oauth-hooks.ts +3 -13
package/src/oauth-provider.ts +187 -177
package/src/oauth-verifier.ts +1 -2
package/src/output/build-authorize-data.ts +8 -0
package/src/replay/replay-manager.ts +9 -0
package/src/replay/replay-store.ts +1 -1
package/src/request/request-info.ts +2 -0
package/src/request/request-manager.ts +81 -107
package/src/signer/signer.ts +0 -63
package/src/token/token-manager.ts +8 -41
package/dist/oidc/claims.d.ts +0 -16
package/dist/oidc/claims.d.ts.map +0 -1
package/dist/oidc/claims.js +0 -29
package/dist/oidc/claims.js.map +0 -1
package/dist/oidc/userinfo.d.ts +0 -7
package/dist/oidc/userinfo.d.ts.map +0 -1
package/dist/oidc/userinfo.js +0 -3
package/dist/oidc/userinfo.js.map +0 -1
package/dist/parameters/claims-requested.d.ts +0 -3
package/dist/parameters/claims-requested.d.ts.map +0 -1
package/dist/parameters/claims-requested.js +0 -77
package/dist/parameters/claims-requested.js.map +0 -1
package/dist/parameters/oidc-payload.d.ts +0 -31
package/dist/parameters/oidc-payload.d.ts.map +0 -1
package/dist/parameters/oidc-payload.js +0 -25
package/dist/parameters/oidc-payload.js.map +0 -1
package/src/assets/app/components/client-identifier.tsx +0 -31
package/src/oidc/claims.ts +0 -35
package/src/oidc/userinfo.ts +0 -11
package/src/parameters/claims-requested.ts +0 -106
package/src/parameters/oidc-payload.ts +0 -28

package/src/client/client.ts CHANGED Viewed

@@ -3,7 +3,6 @@ import {
   CLIENT_ASSERTION_TYPE_JWT_BEARER,
   OAuthClientIdentification,
   OAuthClientMetadata,
-  OAuthEndpointName,
 } from '@atproto/oauth-types'
 import {
   UnsecuredJWT,
@@ -101,13 +100,6 @@ export class Client {
     })
   }
-  protected getAuthMethod(endpoint: OAuthEndpointName) {
-    return (
-      this.metadata[`${endpoint}_endpoint_auth_method`] ||
-      this.metadata[`token_endpoint_auth_method`]
-    )
-  }
   /**
    * @see {@link https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1}
    * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-11#section-3}
@@ -115,7 +107,6 @@ export class Client {
    */
   public async verifyCredentials(
     input: OAuthClientIdentification,
-    endpoint: OAuthEndpointName,
     checks: {
       audience: string
     },
@@ -124,7 +115,7 @@ export class Client {
     // for replay protection
     nonce?: string
   }> {
-    const method = this.getAuthMethod(endpoint)
+    const method = this.metadata[`token_endpoint_auth_method`]
     if (method === 'none') {
       const clientAuth: ClientAuth = { method: 'none' }
@@ -149,6 +140,7 @@ export class Client {
           audience: checks.audience,
           subject: this.id,
           maxTokenAge: CLIENT_ASSERTION_MAX_AGE / 1000,
+          requiredClaims: ['jti'],
         }).catch((err) => {
           if (err instanceof JOSEError) {
             const msg = `Validation of "client_assertion" failed: ${err.message}`
@@ -162,10 +154,6 @@ export class Client {
           throw new InvalidClientError(`"kid" required in client_assertion`)
         }
-        if (!result.payload.jti) {
-          throw new InvalidClientError(`"jti" required in client_assertion`)
-        }
         const clientAuth: ClientAuth = {
           method: CLIENT_ASSERTION_TYPE_JWT_BEARER,
           jkt: await authJwkThumbprint(result.key),
@@ -192,7 +180,7 @@ export class Client {
     }
     throw new InvalidClientMetadataError(
-      `Unsupported ${endpoint}_endpoint_auth_method "${method}"`,
+      `Unsupported token_endpoint_auth_method "${method}"`,
     )
   }
@@ -204,11 +192,11 @@ export class Client {
    */
   public async validateClientAuth(clientAuth: ClientAuth): Promise<boolean> {
     if (clientAuth.method === 'none') {
-      return this.getAuthMethod('token') === 'none'
+      return this.metadata[`token_endpoint_auth_method`] === 'none'
     }
     if (clientAuth.method === CLIENT_ASSERTION_TYPE_JWT_BEARER) {
-      if (this.getAuthMethod('token') !== 'private_key_jwt') {
+      if (this.metadata[`token_endpoint_auth_method`] !== 'private_key_jwt') {
         return false
       }
       try {

package/src/constants.ts CHANGED Viewed

@@ -67,3 +67,6 @@ export const DPOP_NONCE_MAX_AGE = 3 * MINUTE
 /** 5 seconds */
 export const SESSION_FIXATION_MAX_AGE = 5 * SECOND
+/** 1 day */
+export const CODE_CHALLENGE_REPLAY_TIMEFRAME = 1 * DAY

package/src/device/device-manager.ts CHANGED Viewed

@@ -100,10 +100,16 @@ export class DeviceManager {
   public async load(
     req: IncomingMessage,
     res: ServerResponse,
+    forceRotate = false,
   ): Promise<{ deviceId: DeviceId }> {
     const cookie = await this.getCookie(req)
     if (cookie) {
-      return this.refresh(req, res, cookie.value, cookie.mustRotate)
+      return this.refresh(
+        req,
+        res,
+        cookie.value,
+        forceRotate || cookie.mustRotate,
+      )
     } else {
       return this.create(req, res)
     }

package/src/dpop/dpop-manager.ts CHANGED Viewed

@@ -52,13 +52,12 @@ export class DpopManager {
     const { protectedHeader, payload } = await jwtVerify<{
       iat: number
-      exp: number
       jti: string
     }>(proof, EmbeddedJWK, {
       typ: 'dpop+jwt',
       maxTokenAge: 10,
       clockTolerance: DPOP_NONCE_MAX_AGE / 1e3,
-      requiredClaims: ['iat', 'exp', 'jti'],
+      requiredClaims: ['iat', 'jti'],
     }).catch((err) => {
       const message =
         err instanceof JOSEError
@@ -71,10 +70,6 @@ export class DpopManager {
       throw new InvalidDpopProofError('Invalid or missing jti property')
     }
-    if (payload.exp - payload.iat > DPOP_NONCE_MAX_AGE / 3 / 1e3) {
-      throw new InvalidDpopProofError('DPoP proof validity too long')
-    }
     // Note rfc9110#section-9.1 states that the method name is case-sensitive
     if (!htm || htm !== payload['htm']) {
       throw new InvalidDpopProofError('DPoP htm mismatch')

package/src/errors/invalid-authorization-details-error.ts CHANGED Viewed

@@ -1,4 +1,5 @@
-import { OAuthError } from './oauth-error.js'
+import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types'
+import { AccessDeniedError } from './access-denied-error.js'
 /**
  * @see
@@ -15,8 +16,12 @@ import { OAuthError } from './oauth-error.js'
  *  - contains fields with invalid values for the authorization details type, or
  *  - is missing required fields for the authorization details type.
  */
-export class InvalidAuthorizationDetailsError extends OAuthError {
-  constructor(error_description: string, cause?: unknown) {
-    super('invalid_authorization_details', error_description, 400, cause)
+export class InvalidAuthorizationDetailsError extends AccessDeniedError {
+  constructor(
+    parameters: OAuthAuthenticationRequestParameters,
+    error_description: string,
+    cause?: unknown,
+  ) {
+    super(parameters, error_description, 'invalid_authorization_details', cause)
   }
 }

package/src/lib/http/parser.ts CHANGED Viewed

@@ -1,13 +1,33 @@
 import { parse as parseJson } from '@hapi/bourne'
+import { type as hapiContentType } from '@hapi/content'
 import createHttpError from 'http-errors'
 export type JsonScalar = string | number | boolean | null
 export type Json = JsonScalar | Json[] | { [_ in string]?: Json }
+export const parseContentType = (type: string): ContentType => {
+  try {
+    return hapiContentType(type)
+  } catch (err) {
+    // De-boomify the error
+    if (err?.['isBoom']) {
+      throw createHttpError(err['output']['statusCode'], err['message'])
+    }
+    throw err
+  }
+}
+export type ContentType = {
+  mime: string
+  charset?: string
+  boundary?: string
+}
 export type Parser<T extends string = string, R = unknown> = {
   readonly name: string
-  readonly test: (type: string) => type is T
-  readonly parse: (buffer: Buffer) => R
+  readonly test: (mime: string) => mime is T
+  readonly parse: (buffer: Buffer, type: ContentType) => R
 }
 export type ParserName<P extends Parser> = P extends { readonly name: infer N }
@@ -22,12 +42,13 @@ export type ParserForType<P extends Parser, T> =
 export const parsers = [
   {
     name: 'json',
-    test: (
-      type: string,
-    ): type is `application/json` | `application/${string}+json` => {
-      return /^application\/(?:.+\+)?json$/.test(type)
+    test: (mime): mime is `application/json` | `application/${string}+json` => {
+      return /^application\/(?:.+\+)?json$/.test(mime)
     },
-    parse: (buffer: Buffer): Json => {
+    parse: (buffer, { charset }): Json => {
+      if (charset != null && !/^utf-?8$/i.test(charset)) {
+        throw createHttpError(415, 'Unsupported charset')
+      }
       try {
         return parseJson(buffer.toString())
       } catch (err) {
@@ -37,10 +58,13 @@ export const parsers = [
   },
   {
     name: 'urlencoded',
-    test: (type: string): type is 'application/x-www-form-urlencoded' => {
-      return type === 'application/x-www-form-urlencoded'
+    test: (mime): mime is 'application/x-www-form-urlencoded' => {
+      return mime === 'application/x-www-form-urlencoded'
     },
-    parse: (buffer: Buffer): Partial<Record<string, string>> => {
+    parse: (buffer, { charset }): Partial<Record<string, string>> => {
+      if (charset != null && !/^utf-?8$/i.test(charset)) {
+        throw createHttpError(415, 'Unsupported charset')
+      }
       try {
         if (!buffer.length) return {}
         return Object.fromEntries(new URLSearchParams(buffer.toString()))
@@ -51,10 +75,10 @@ export const parsers = [
   },
   {
     name: 'bytes',
-    test: (type: string): type is 'application/octet-stream' => {
-      return type === 'application/octet-stream'
+    test: (mime): mime is 'application/octet-stream' => {
+      return mime === 'application/octet-stream'
     },
-    parse: (buffer: Buffer): Buffer => buffer,
+    parse: (buffer): Buffer => buffer,
   },
 ] as const satisfies Parser[]

package/src/lib/http/request.ts CHANGED Viewed

@@ -28,6 +28,27 @@ export async function validateRequestPayload<S extends z.ZodTypeAny>(
   return schema.parseAsync(payload, { path: ['body'] })
 }
+export function validateHeaderValue(
+  req: IncomingMessage,
+  name: keyof IncomingMessage['headers'],
+  allowedValues: readonly (string | null)[],
+) {
+  const value = req.headers[name] ?? null
+  if (Array.isArray(value)) {
+    throw createHttpError(400, `Invalid ${name} header`)
+  }
+  if (!allowedValues.includes(value)) {
+    throw createHttpError(
+      400,
+      value
+        ? `Forbidden ${name} header "${value}" (expected ${allowedValues})`
+        : `Missing ${name} header`,
+    )
+  }
+}
 export function validateFetchMode(
   req: IncomingMessage,
   res: ServerResponse,
@@ -39,20 +60,45 @@ export function validateFetchMode(
     | 'cors'
   )[],
 ) {
-  const reqMode = req.headers['sec-fetch-mode'] ?? null
+  validateHeaderValue(req, 'sec-fetch-mode', expectedMode)
+}
-  if (Array.isArray(reqMode)) {
-    throw createHttpError(400, `Invalid sec-fetch-mode header`)
-  }
+export function validateFetchDest(
+  req: IncomingMessage,
+  res: ServerResponse,
+  expectedDest: readonly (
+    | null
+    | 'document'
+    | 'embed'
+    | 'font'
+    | 'image'
+    | 'manifest'
+    | 'media'
+    | 'object'
+    | 'report'
+    | 'script'
+    | 'serviceworker'
+    | 'sharedworker'
+    | 'style'
+    | 'worker'
+    | 'xslt'
+  )[],
+) {
+  validateHeaderValue(req, 'sec-fetch-dest', expectedDest)
+}
-  if (!(expectedMode as (string | null)[]).includes(reqMode)) {
-    throw createHttpError(
-      403,
-      reqMode
-        ? `Forbidden sec-fetch-mode "${reqMode}" (expected ${expectedMode})`
-        : `Missing sec-fetch-mode (expected ${expectedMode})`,
-    )
-  }
+export function validateFetchSite(
+  req: IncomingMessage,
+  res: ServerResponse,
+  expectedSite: readonly (
+    | null
+    | 'same-origin'
+    | 'same-site'
+    | 'cross-site'
+    | 'none'
+  )[],
+) {
+  validateHeaderValue(req, 'sec-fetch-site', expectedSite)
 }
 export function validateReferer(
@@ -64,7 +110,7 @@ export function validateReferer(
   const referer = req.headers['referer']
   const refererUrl = referer ? new URL(referer) : null
   if (refererUrl ? !urlMatch(refererUrl, reference) : !allowNull) {
-    throw createHttpError(403, `Invalid referer ${referer}`)
+    throw createHttpError(400, `Invalid referer ${referer}`)
   }
 }
@@ -95,7 +141,7 @@ export function validateSameOrigin(
 ) {
   const reqOrigin = req.headers['origin']
   if (reqOrigin ? reqOrigin !== origin : !allowNull) {
-    throw createHttpError(403, `Invalid origin ${reqOrigin}`)
+    throw createHttpError(400, `Invalid origin ${reqOrigin}`)
   }
 }
@@ -113,7 +159,7 @@ export function validateCsrfToken(
     !cookieName ||
     cookies[cookieName] !== csrfToken
   ) {
-    throw createHttpError(403, `Invalid CSRF token`)
+    throw createHttpError(400, `Invalid CSRF token`)
   }
   if (clearCookie) {

package/src/lib/http/stream.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import {
   KnownNames,
   KnownParser,
   KnownTypes,
+  parseContentType,
   ParserForType,
   ParserResult,
   parsers,
@@ -64,9 +65,11 @@ export async function parseStream(
     throw createHttpError(400, 'Invalid content-type')
   }
+  const type = parseContentType(contentType)
   const parser = parsers.find(
     (parser) =>
-      allow?.includes(parser.name) !== false && parser.test(contentType),
+      allow?.includes(parser.name) !== false && parser.test(type.mime),
   )
   if (!parser) {
@@ -74,5 +77,5 @@ export async function parseStream(
   }
   const buffer = await readStream(req)
-  return parser.parse(buffer)
+  return parser.parse(buffer, type)
 }

package/src/metadata/build-metadata.ts CHANGED Viewed

@@ -2,11 +2,9 @@ import { Keyset } from '@atproto/jwk'
 import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types'
 import { Client } from '../client/client.js'
-import { OIDC_STANDARD_CLAIMS } from '../oidc/claims.js'
 import { VERIFY_ALGOS } from '../lib/util/crypto.js'
 export type CustomMetadata = {
-  claims_supported?: string[]
   scopes_supported?: string[]
   authorization_details_types_supported?: string[]
   protected_resources?: string[]
@@ -25,35 +23,10 @@ export function buildMetadata(
     issuer,
     scopes_supported: [
-      'offline_access',
-      'openid',
-      'email',
-      'phone',
-      'profile',
+      'atproto',
+      //
       ...(customMetadata?.scopes_supported ?? []),
     ],
-    claims_supported: [
-      /* IESG (Always provided) */
-      'sub', // did
-      'iss', // Authorization Server Origin
-      'aud',
-      'exp',
-      'iat',
-      'jti',
-      'client_id',
-      /* OpenID */
-      // 'acr', // "0"
-      // 'amr',
-      // 'azp',
-      'auth_time', // number - seconds since epoch
-      'nonce', // always required in "id_token", why would it not be supported?
-      ...(customMetadata?.claims_supported ?? OIDC_STANDARD_CLAIMS),
-    ],
     subject_types_supported: [
       //
       'public', // The same "sub" is returned for all clients
@@ -62,15 +35,15 @@ export function buildMetadata(
     response_types_supported: [
       // OAuth
       'code',
-      'token',
+      // 'token',
       // OpenID
-      'none',
-      'code id_token token',
-      'code id_token',
-      'code token',
-      'id_token token',
-      'id_token',
+      // 'none',
+      // 'code id_token token',
+      // 'code id_token',
+      // 'code token',
+      // 'id_token token',
+      // 'id_token',
     ],
     response_modes_supported: [
       // https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes
@@ -93,7 +66,6 @@ export function buildMetadata(
       //
       'en-US',
     ],
-    id_token_signing_alg_values_supported: [...keyset.signAlgorithms],
     display_values_supported: [
       //
       'page',
@@ -110,10 +82,6 @@ export function buildMetadata(
     request_object_encryption_alg_values_supported: [], // None
     request_object_encryption_enc_values_supported: [], // None
-    // No claim makes sense to be translated
-    claims_locales_supported: [],
-    claims_parameter_supported: true,
     request_parameter_supported: true,
     request_uri_parameter_supported: true,
     require_request_uri_registration: true,
@@ -127,28 +95,13 @@ export function buildMetadata(
     token_endpoint_auth_signing_alg_values_supported: [...VERIFY_ALGOS],
     revocation_endpoint: new URL('/oauth/revoke', issuer).href,
-    revocation_endpoint_auth_methods_supported: [
-      ...Client.AUTH_METHODS_SUPPORTED,
-    ],
-    revocation_endpoint_auth_signing_alg_values_supported: [...VERIFY_ALGOS],
     introspection_endpoint: new URL('/oauth/introspect', issuer).href,
-    introspection_endpoint_auth_methods_supported: [
-      ...Client.AUTH_METHODS_SUPPORTED,
-    ],
-    introspection_endpoint_auth_signing_alg_values_supported: [...VERIFY_ALGOS],
-    userinfo_endpoint: new URL('/oauth/userinfo', issuer).href,
     // end_session_endpoint: new URL('/oauth/logout', issuer).href,
     // https://datatracker.ietf.org/doc/html/rfc9126#section-5
     pushed_authorization_request_endpoint: new URL('/oauth/par', issuer).href,
-    pushed_authorization_request_endpoint_auth_methods_supported: [
-      ...Client.AUTH_METHODS_SUPPORTED,
-    ],
-    pushed_authorization_request_endpoint_auth_signing_alg_values_supported: [
-      ...VERIFY_ALGOS,
-    ],
     require_pushed_authorization_requests: true,

package/src/oauth-hooks.ts CHANGED Viewed

@@ -11,6 +11,7 @@ import { ClientAuth } from './client/client-auth.js'
 import { ClientId } from './client/client-id.js'
 import { ClientInfo } from './client/client-info.js'
 import { Client } from './client/client.js'
+import { InvalidAuthorizationDetailsError } from './errors/invalid-authorization-details-error.js'
 import { Awaitable } from './lib/util/type.js'
 // Make sure all types needed to implement the OAuthHooks are exported
@@ -20,6 +21,7 @@ export type {
   ClientAuth,
   ClientId,
   ClientInfo,
+  InvalidAuthorizationDetailsError,
   Jwks,
   OAuthAuthenticationRequestParameters,
   OAuthAuthorizationDetails,
@@ -42,7 +44,7 @@ export type OAuthHooks = {
   /**
    * Allows enriching the authorization details with additional information
-   * before the tokens are issued.
+   * when the tokens are issued.
    *
    * @see {@link https://datatracker.ietf.org/doc/html/rfc9396 | RFC 9396}
    */
@@ -51,16 +53,4 @@ export type OAuthHooks = {
     parameters: OAuthAuthenticationRequestParameters
     account: Account
   }) => Awaitable<undefined | OAuthAuthorizationDetails>
-  /**
-   * Allows altering the token response before it is sent to the client.
-   */
-  onTokenResponse?: (
-    tokenResponse: OAuthTokenResponse,
-    data: {
-      client: Client
-      parameters: OAuthAuthenticationRequestParameters
-      account: Account
-    },
-  ) => Awaitable<void>
 }