@atproto/oauth-provider 0.1.2 → 0.2.0

package/dist/parameters/claims-requested.js

@@ -1,77 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.claimRequested = void 0;
-const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
-function claimRequested(parameters, entityType, claimName, value) {
-    if (claimAvailable(parameters, entityType, claimName, value)) {
-        return true;
-    }
-    const entityClaims = parameters.claims?.[entityType];
-    if (entityClaims?.[claimName]?.essential === true) {
-        // https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.5.1
-        //
-        // > By requesting Claims as Essential Claims, the RP indicates to the
-        // > End-User that releasing these Claims will ensure a smooth
-        // > authorization for the specific task requested by the End-User. Note
-        // > that even if the Claims are not available because the End-User did
-        // > not authorize their release or they are not present, the
-        // > Authorization Server MUST NOT generate an error when Claims are not
-        // > returned, whether they are Essential or Voluntary, unless otherwise
-        // > specified in the description of the specific claim.
-        switch (claimName) {
-            case 'acr':
-                // https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.5.1.1
-                //
-                // > If this is an Essential Claim and the requirement cannot be met,
-                // > then the Authorization Server MUST treat that outcome as a failed
-                // > authentication attempt.
-                throw new invalid_request_error_js_1.InvalidRequestError(`Unable to provide essential claim: ${claimName}`);
-        }
-    }
-    return false;
-}
-exports.claimRequested = claimRequested;
-function claimAvailable(parameters, entityType, claimName, value) {
-    if (value === undefined)
-        return false;
-    if (parameters.claims) {
-        const entityClaims = parameters.claims[entityType];
-        if (entityClaims === undefined)
-            return false;
-        const claimConfig = entityClaims[claimName];
-        if (claimConfig === undefined)
-            return false;
-        if (claimConfig === null)
-            return true;
-        if (claimConfig.value !== undefined &&
-            !compareClaimValue(claimConfig.value, value)) {
-            return false;
-        }
-        if (claimConfig?.values !== undefined &&
-            !claimConfig.values.some((v) => compareClaimValue(v, value))) {
-            return false;
-        }
-    }
-    return true;
-}
-function compareClaimValue(expectedValue, value) {
-    const expectedType = typeof expectedValue;
-    const valueType = typeof value;
-    if (expectedType !== valueType)
-        return false;
-    switch (typeof expectedValue) {
-        case 'undefined':
-        case 'string':
-        case 'number':
-        case 'boolean':
-            return expectedValue === value;
-        case 'object':
-            if (expectedValue === null)
-                return value === null;
-        // @TODO (?): allow object comparison
-        // falls through
-        default:
-            throw new invalid_request_error_js_1.InvalidRequestError(`Unable to compare claim value of type ${expectedType}`);
-    }
-}
-//# sourceMappingURL=claims-requested.js.map

package/dist/parameters/claims-requested.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"claims-requested.js","sourceRoot":"","sources":["../../src/parameters/claims-requested.ts"],"names":[],"mappings":";;;AAKA,iFAAwE;AAExE,SAAgB,cAAc,CAC5B,UAAgD,EAChD,UAA0B,EAC1B,SAA8B,EAC9B,KAAc;IAEd,IAAI,cAAc,CAAC,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC;QAC7D,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,CAAA;IACpD,IAAI,YAAY,EAAE,CAAC,SAAS,CAAC,EAAE,SAAS,KAAK,IAAI,EAAE,CAAC;QAClD,0EAA0E;QAC1E,EAAE;QACF,sEAAsE;QACtE,8DAA8D;QAC9D,wEAAwE;QACxE,uEAAuE;QACvE,6DAA6D;QAC7D,wEAAwE;QACxE,wEAAwE;QACxE,wDAAwD;QACxD,QAAQ,SAAS,EAAE,CAAC;YAClB,KAAK,KAAK;gBACR,4EAA4E;gBAC5E,EAAE;gBACF,qEAAqE;gBACrE,sEAAsE;gBACtE,4BAA4B;gBAC5B,MAAM,IAAI,8CAAmB,CAC3B,sCAAsC,SAAS,EAAE,CAClD,CAAA;QACL,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AApCD,wCAoCC;AAED,SAAS,cAAc,CACrB,UAAgD,EAChD,UAA0B,EAC1B,SAA8B,EAC9B,KAAc;IAEd,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAA;IAErC,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;QAClD,IAAI,YAAY,KAAK,SAAS;YAAE,OAAO,KAAK,CAAA;QAE5C,MAAM,WAAW,GAAG,YAAY,CAAC,SAAS,CAAC,CAAA;QAC3C,IAAI,WAAW,KAAK,SAAS;YAAE,OAAO,KAAK,CAAA;QAC3C,IAAI,WAAW,KAAK,IAAI;YAAE,OAAO,IAAI,CAAA;QAErC,IACE,WAAW,CAAC,KAAK,KAAK,SAAS;YAC/B,CAAC,iBAAiB,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,EAC5C,CAAC;YACD,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IACE,WAAW,EAAE,MAAM,KAAK,SAAS;YACjC,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,EAC5D,CAAC;YACD,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAID,SAAS,iBAAiB,CACxB,aAA2B,EAC3B,KAAmB;IAEnB,MAAM,YAAY,GAAG,OAAO,aAAa,CAAA;IACzC,MAAM,SAAS,GAAG,OAAO,KAAK,CAAA;IAE9B,IAAI,YAAY,KAAK,SAAS;QAAE,OAAO,KAAK,CAAA;IAE5C,QAAQ,OAAO,aAAa,EAAE,CAAC;QAC7B,KAAK,WAAW,CAAC;QACjB,KAAK,QAAQ,CAAC;QACd,KAAK,QAAQ,CAAC;QACd,KAAK,SAAS;YACZ,OAAO,aAAa,KAAK,KAAK,CAAA;QAChC,KAAK,QAAQ;YACX,IAAI,aAAa,KAAK,IAAI;gBAAE,OAAO,KAAK,KAAK,IAAI,CAAA;QACnD,qCAAqC;QACrC,gBAAgB;QAChB;YACE,MAAM,IAAI,8CAAmB,CAC3B,yCAAyC,YAAY,EAAE,CACxD,CAAA;IACL,CAAC;AACH,CAAC"}

package/dist/parameters/oidc-payload.d.ts

@@ -1,31 +0,0 @@
-import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types';
-import { Account } from '../account/account.js';
-export declare function oidcPayload(params: OAuthAuthenticationRequestParameters, account: Account): Partial<{
-    name?: string | undefined;
-    email?: string | undefined;
-    email_verified?: boolean | undefined;
-    phone_number?: string | undefined;
-    phone_number_verified?: boolean | undefined;
-    address?: {
-        formatted?: string | undefined;
-        street_address?: string | undefined;
-        locality?: string | undefined;
-        region?: string | undefined;
-        postal_code?: string | undefined;
-        country?: string | undefined;
-    } | undefined;
-    profile?: string | undefined;
-    family_name?: string | undefined;
-    given_name?: string | undefined;
-    middle_name?: string | undefined;
-    nickname?: string | undefined;
-    preferred_username?: string | undefined;
-    gender?: string | undefined;
-    picture?: string | undefined;
-    website?: string | undefined;
-    birthdate?: string | undefined;
-    zoneinfo?: string | undefined;
-    locale?: string | undefined;
-    updated_at?: number | undefined;
-}>;
-//# sourceMappingURL=oidc-payload.d.ts.map

package/dist/parameters/oidc-payload.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oidc-payload.d.ts","sourceRoot":"","sources":["../../src/parameters/oidc-payload.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oCAAoC,EAAE,MAAM,sBAAsB,CAAA;AAC3E,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAA;AAI/C,wBAAgB,WAAW,CACzB,MAAM,EAAE,oCAAoC,EAC5C,OAAO,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoBjB"}

package/dist/parameters/oidc-payload.js

@@ -1,25 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.oidcPayload = void 0;
-const claims_js_1 = require("../oidc/claims.js");
-const claims_requested_js_1 = require("./claims-requested.js");
-function oidcPayload(params, account) {
-    const payload = {};
-    const scopes = params.scope ? params.scope?.split(' ') : undefined;
-    if (scopes) {
-        for (const [scope, claims] of Object.entries(claims_js_1.OIDC_SCOPE_CLAIMS)) {
-            const allowed = scopes.includes(scope);
-            for (const claim of claims) {
-                const value = allowed ? account[claim] : undefined;
-                // Should not throw as RequestManager should have already checked
-                // that all the essential claims are available.
-                if ((0, claims_requested_js_1.claimRequested)(params, 'id_token', claim, value)) {
-                    payload[claim] = value; // All good as long as the account props match the claims
-                }
-            }
-        }
-    }
-    return payload;
-}
-exports.oidcPayload = oidcPayload;
-//# sourceMappingURL=oidc-payload.js.map

package/dist/parameters/oidc-payload.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"oidc-payload.js","sourceRoot":"","sources":["../../src/parameters/oidc-payload.ts"],"names":[],"mappings":";;;AAEA,iDAA0E;AAC1E,+DAAsD;AAEtD,SAAgB,WAAW,CACzB,MAA4C,EAC5C,OAAgB;IAEhB,MAAM,OAAO,GAAwB,EAAE,CAAA;IAEvC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IAClE,IAAI,MAAM,EAAE,CAAC;QACX,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,6BAAiB,CAAC,EAAE,CAAC;YAChE,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;YACtC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;gBAClD,iEAAiE;gBACjE,+CAA+C;gBAC/C,IAAI,IAAA,oCAAc,EAAC,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,CAAC,EAAE,CAAC;oBACrD,OAAO,CAAC,KAAK,CAAC,GAAG,KAAY,CAAA,CAAC,yDAAyD;gBACzF,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAtBD,kCAsBC"}

package/src/assets/app/components/client-identifier.tsx

@@ -1,31 +0,0 @@
-import {
-  isOAuthClientIdDiscoverable,
-  isOAuthClientIdLoopback,
-  OAuthClientMetadata,
-} from '@atproto/oauth-types'
-import { HTMLAttributes } from 'react'
-
-import { UrlViewer } from './url-viewer'
-
-export type ClientIdentifierProps = {
-  clientId: string
-  clientMetadata: OAuthClientMetadata
-  as?: keyof JSX.IntrinsicElements
-}
-
-export function ClientIdentifier({
-  clientId,
-  clientMetadata,
-  as: As = 'span',
-  ...attrs
-}: ClientIdentifierProps & HTMLAttributes<Element>) {
-  if (isOAuthClientIdLoopback(clientId)) {
-    return <As {...attrs}>An application on your device</As>
-  }
-
-  if (isOAuthClientIdDiscoverable(clientId)) {
-    return <UrlViewer as={As} {...attrs} url={clientId} proto path />
-  }
-
-  return <As {...attrs}>{clientMetadata.client_name || clientId}</As>
-}

package/src/oidc/claims.ts

@@ -1,35 +0,0 @@
-import { JwtPayload } from '@atproto/jwk'
-
-/**
- * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims | OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values}
- */
-export const OIDC_SCOPE_CLAIMS = Object.freeze({
-  email: Object.freeze(['email', 'email_verified'] as const),
-  phone: Object.freeze(['phone_number', 'phone_number_verified'] as const),
-  address: Object.freeze(['address'] as const),
-  profile: Object.freeze([
-    'name',
-    'family_name',
-    'given_name',
-    'middle_name',
-    'nickname',
-    'preferred_username',
-    'gender',
-    'picture',
-    'profile',
-    'website',
-    'birthdate',
-    'zoneinfo',
-    'locale',
-    'updated_at',
-  ] as const),
-})
-
-export const OIDC_STANDARD_CLAIMS = Object.freeze(
-  Object.values(OIDC_SCOPE_CLAIMS).flat(),
-)
-
-export type OIDCStandardClaim = (typeof OIDC_STANDARD_CLAIMS)[number]
-export type OIDCStandardPayload = Partial<{
-  [K in OIDCStandardClaim]?: JwtPayload[K]
-}>

package/src/oidc/userinfo.ts

@@ -1,11 +0,0 @@
-import { OIDCStandardPayload } from './claims.js'
-
-export type Userinfo = OIDCStandardPayload & {
-  // "The sub (subject) Claim MUST always be returned in the UserInfo Response."
-  sub: string
-
-  // client_id is not mandatory per spec, but we require it here for convenience
-  client_id: string
-
-  username?: string
-}

package/src/parameters/claims-requested.ts

@@ -1,106 +0,0 @@
-import {
-  OAuthAuthenticationRequestParameters,
-  OidcClaimsParameter,
-  OidcEntityType,
-} from '@atproto/oauth-types'
-import { InvalidRequestError } from '../errors/invalid-request-error.js'
-
-export function claimRequested(
-  parameters: OAuthAuthenticationRequestParameters,
-  entityType: OidcEntityType,
-  claimName: OidcClaimsParameter,
-  value: unknown,
-): boolean {
-  if (claimAvailable(parameters, entityType, claimName, value)) {
-    return true
-  }
-
-  const entityClaims = parameters.claims?.[entityType]
-  if (entityClaims?.[claimName]?.essential === true) {
-    // https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.5.1
-    //
-    // > By requesting Claims as Essential Claims, the RP indicates to the
-    // > End-User that releasing these Claims will ensure a smooth
-    // > authorization for the specific task requested by the End-User. Note
-    // > that even if the Claims are not available because the End-User did
-    // > not authorize their release or they are not present, the
-    // > Authorization Server MUST NOT generate an error when Claims are not
-    // > returned, whether they are Essential or Voluntary, unless otherwise
-    // > specified in the description of the specific claim.
-    switch (claimName) {
-      case 'acr':
-        // https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.5.1.1
-        //
-        // > If this is an Essential Claim and the requirement cannot be met,
-        // > then the Authorization Server MUST treat that outcome as a failed
-        // > authentication attempt.
-        throw new InvalidRequestError(
-          `Unable to provide essential claim: ${claimName}`,
-        )
-    }
-  }
-
-  return false
-}
-
-function claimAvailable(
-  parameters: OAuthAuthenticationRequestParameters,
-  entityType: OidcEntityType,
-  claimName: OidcClaimsParameter,
-  value: unknown,
-): boolean {
-  if (value === undefined) return false
-
-  if (parameters.claims) {
-    const entityClaims = parameters.claims[entityType]
-    if (entityClaims === undefined) return false
-
-    const claimConfig = entityClaims[claimName]
-    if (claimConfig === undefined) return false
-    if (claimConfig === null) return true
-
-    if (
-      claimConfig.value !== undefined &&
-      !compareClaimValue(claimConfig.value, value)
-    ) {
-      return false
-    }
-
-    if (
-      claimConfig?.values !== undefined &&
-      !claimConfig.values.some((v) => compareClaimValue(v, value))
-    ) {
-      return false
-    }
-  }
-
-  return true
-}
-
-type DefinedValue = NonNullable<unknown> | null
-
-function compareClaimValue(
-  expectedValue: DefinedValue,
-  value: DefinedValue,
-): boolean {
-  const expectedType = typeof expectedValue
-  const valueType = typeof value
-
-  if (expectedType !== valueType) return false
-
-  switch (typeof expectedValue) {
-    case 'undefined':
-    case 'string':
-    case 'number':
-    case 'boolean':
-      return expectedValue === value
-    case 'object':
-      if (expectedValue === null) return value === null
-    // @TODO (?): allow object comparison
-    // falls through
-    default:
-      throw new InvalidRequestError(
-        `Unable to compare claim value of type ${expectedType}`,
-      )
-  }
-}

package/src/parameters/oidc-payload.ts

@@ -1,28 +0,0 @@
-import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types'
-import { Account } from '../account/account.js'
-import { OIDCStandardPayload, OIDC_SCOPE_CLAIMS } from '../oidc/claims.js'
-import { claimRequested } from './claims-requested.js'
-
-export function oidcPayload(
-  params: OAuthAuthenticationRequestParameters,
-  account: Account,
-) {
-  const payload: OIDCStandardPayload = {}
-
-  const scopes = params.scope ? params.scope?.split(' ') : undefined
-  if (scopes) {
-    for (const [scope, claims] of Object.entries(OIDC_SCOPE_CLAIMS)) {
-      const allowed = scopes.includes(scope)
-      for (const claim of claims) {
-        const value = allowed ? account[claim] : undefined
-        // Should not throw as RequestManager should have already checked
-        // that all the essential claims are available.
-        if (claimRequested(params, 'id_token', claim, value)) {
-          payload[claim] = value as any // All good as long as the account props match the claims
-        }
-      }
-    }
-  }
-
-  return payload
-}