@atproto/oauth-provider 0.11.2 → 0.12.0

package/src/token/token-manager.ts

@@ -4,6 +4,7 @@ import type { Account } from '@atproto/oauth-provider-api'
 import {
   OAuthAccessToken,
   OAuthAuthorizationRequestParameters,
+  OAuthScope,
   OAuthTokenResponse,
   OAuthTokenType,
 } from '@atproto/oauth-types'
@@ -20,26 +21,21 @@ import { RequestMetadata } from '../lib/http/request.js'
 import { dateToEpoch, dateToRelativeSeconds } from '../lib/util/date.js'
 import { callAsync } from '../lib/util/function.js'
 import { OAuthHooks } from '../oauth-hooks.js'
-import { DpopProof } from '../oauth-verifier.js'
 import { Sub } from '../oidc/sub.js'
 import { Code, isCode } from '../request/code.js'
-import { SignedTokenPayload } from '../signer/signed-token-payload.js'
+import { AccessTokenPayload } from '../signer/access-token-payload.js'
 import { Signer } from '../signer/signer.js'
 import {
   RefreshToken,
   generateRefreshToken,
   isRefreshToken,
 } from './refresh-token.js'
+import { TokenClaims } from './token-claims.js'
 import { TokenId, generateTokenId, isTokenId } from './token-id.js'
 import { CreateTokenData, TokenInfo, TokenStore } from './token-store.js'
-import {
-  VerifyTokenClaimsOptions,
-  VerifyTokenClaimsResult,
-  verifyTokenClaims,
-} from './verify-token-claims.js'
 
 export { AccessTokenMode, Signer }
-export type { OAuthHooks, TokenStore, VerifyTokenClaimsResult }
+export type { OAuthHooks, TokenStore }
 
 export class TokenManager {
   constructor(
@@ -55,29 +51,44 @@ export class TokenManager {
     return new Date(now.getTime() + this.tokenMaxAge)
   }
 
-  protected async buildAccessToken(
+  protected async createAccessToken(
     tokenId: TokenId,
-    account: Account,
     client: Client,
+    account: Account,
     parameters: OAuthAuthorizationRequestParameters,
-    createdAt: Date,
+    issuedAt: Date,
     expiresAt: Date,
-    scope: string,
+    scope: OAuthScope,
   ): Promise<OAuthAccessToken> {
-    return this.signer.createAccessToken({
+    const claims: TokenClaims = {
       jti: tokenId,
       sub: account.sub,
+      iat: dateToEpoch(issuedAt),
       exp: dateToEpoch(expiresAt),
-      iat: dateToEpoch(createdAt),
-      cnf: parameters.dpop_jkt ? { jkt: parameters.dpop_jkt } : undefined,
+      aud: account.aud,
 
+      ...(parameters.dpop_jkt && {
+        cnf: { jkt: parameters.dpop_jkt },
+      }),
+
+      // Because tokens can end-up being quite big, we only include the scope in
+      // stateless mode.
       ...(this.accessTokenMode === AccessTokenMode.stateless && {
-        aud: account.aud,
         scope,
-        // https://datatracker.ietf.org/doc/html/rfc8693#section-4.3
-        client_id: client.id,
       }),
+
+      // https://datatracker.ietf.org/doc/html/rfc8693#section-4.3
+      client_id: client.id,
+    }
+
+    const claimsOverride = await callAsync(this.hooks.onCreateToken, {
+      client,
+      account,
+      parameters,
+      claims,
     })
+
+    return this.signer.createAccessToken(claimsOverride ?? claims)
   }
 
   async createToken(
@@ -111,10 +122,10 @@ export class TokenManager {
         throw err
       })
 
-    const accessToken = await this.buildAccessToken(
+    const accessToken = await this.createAccessToken(
       tokenId,
-      account,
       client,
+      account,
       parameters,
       now,
       expiresAt,
@@ -238,10 +249,10 @@ export class TokenManager {
       scope,
     })
 
-    const accessToken = await this.buildAccessToken(
+    const accessToken = await this.createAccessToken(
       nextTokenId,
-      account,
       client,
+      account,
       parameters,
       now,
       expiresAt,
@@ -350,13 +361,16 @@ export class TokenManager {
     return this.store.readToken(tokenId)
   }
 
-  async verifyToken(
-    token: OAuthAccessToken,
+  /**
+   * This method is called to when decoding a token that was encoded in
+   * {@link AccessTokenMode.light} mode, using data from the store to fill the
+   * data that was omitted in the token itself.
+   */
+  async loadTokenClaims(
     tokenType: OAuthTokenType,
-    tokenId: TokenId,
-    dpopProof: null | DpopProof,
-    verifyOptions?: VerifyTokenClaimsOptions,
-  ): Promise<VerifyTokenClaimsResult> {
+    tokenPayload: AccessTokenPayload,
+  ): Promise<TokenClaims> {
+    const tokenId = tokenPayload.jti
     const tokenInfo = await this.getTokenInfo(tokenId).catch((err) => {
       throw InvalidTokenError.from(err, tokenType)
     })
@@ -365,40 +379,31 @@ export class TokenManager {
       throw new InvalidTokenError(tokenType, `Invalid token`)
     }
 
+    const { account, data } = tokenInfo
+
+    // Fool proof, make sure that the database & token payload are consistent.
+    // These should both be either undefined or a string so it's safe to compare
+    // the values directly.
+    if (tokenPayload.cnf?.jkt !== data.parameters.dpop_jkt) {
+      await this.deleteToken(tokenId)
+      throw new InvalidTokenError(tokenType, `Invalid token`)
+    }
+
     if (isCurrentTokenExpired(tokenInfo)) {
       await this.deleteToken(tokenId)
       throw new InvalidTokenError(tokenType, `Token expired`)
     }
 
-    const { account, data } = tokenInfo
-    const { parameters } = data
-
-    // Construct a list of claim, as if the token was a JWT.
-    const tokenClaims: SignedTokenPayload = {
-      iss: this.signer.issuer,
+    return {
       jti: tokenId,
       sub: account.sub,
-      exp: dateToEpoch(data.expiresAt),
       iat: dateToEpoch(data.updatedAt),
-      cnf: parameters.dpop_jkt ? { jkt: parameters.dpop_jkt } : undefined,
-
-      // These are not stored in the JWT access token in "light" access token
-      // mode. See `buildAccessToken`.
+      exp: dateToEpoch(data.expiresAt),
       aud: account.aud,
-      // Note we fallback to parameters.scope for sessions created before
-      // TokenData.scope was introduced.
-      scope: data.scope ?? parameters.scope,
+      scope: data.scope ?? data.parameters.scope,
+      // https://datatracker.ietf.org/doc/html/rfc8693#section-4.3
       client_id: data.clientId,
     }
-
-    return verifyTokenClaims(
-      token,
-      tokenId,
-      tokenType,
-      tokenClaims,
-      dpopProof,
-      verifyOptions,
-    )
   }
 
   async listAccountTokens(sub: Sub): Promise<TokenInfo[]> {

package/tsconfig.build.tsbuildinfo

@@ -1 +1 @@
-{"root":["./src/constants.ts","./src/index.ts","./src/oauth-client.ts","./src/oauth-dpop.ts","./src/oauth-errors.ts","./src/oauth-hooks.ts","./src/oauth-middleware.ts","./src/oauth-provider.ts","./src/oauth-store.ts","./src/oauth-verifier.ts","./src/access-token/access-token-mode.ts","./src/account/account-manager.ts","./src/account/account-store.ts","./src/account/sign-in-data.ts","./src/account/sign-up-input.ts","./src/client/client-auth.ts","./src/client/client-data.ts","./src/client/client-id.ts","./src/client/client-info.ts","./src/client/client-manager.ts","./src/client/client-store.ts","./src/client/client-utils.ts","./src/client/client.ts","./src/customization/branding.ts","./src/customization/build-customization-css.ts","./src/customization/build-customization-data.ts","./src/customization/colors.ts","./src/customization/customization.ts","./src/customization/links.ts","./src/device/device-data.ts","./src/device/device-id.ts","./src/device/device-manager.ts","./src/device/device-store.ts","./src/device/session-id.ts","./src/dpop/dpop-manager.ts","./src/dpop/dpop-nonce.ts","./src/dpop/dpop-proof.ts","./src/errors/access-denied-error.ts","./src/errors/account-selection-required-error.ts","./src/errors/authorization-error.ts","./src/errors/consent-required-error.ts","./src/errors/error-parser.ts","./src/errors/handle-unavailable-error.ts","./src/errors/invalid-authorization-details-error.ts","./src/errors/invalid-client-error.ts","./src/errors/invalid-client-id-error.ts","./src/errors/invalid-client-metadata-error.ts","./src/errors/invalid-dpop-key-binding-error.ts","./src/errors/invalid-dpop-proof-error.ts","./src/errors/invalid-grant-error.ts","./src/errors/invalid-invite-code-error.ts","./src/errors/invalid-redirect-uri-error.ts","./src/errors/invalid-request-error.ts","./src/errors/invalid-scope-error.ts","./src/errors/invalid-token-error.ts","./src/errors/login-required-error.ts","./src/errors/oauth-error.ts","./src/errors/second-authentication-factor-required-error.ts","./src/errors/unauthorized-client-error.ts","./src/errors/use-dpop-nonce-error.ts","./src/errors/www-authenticate-error.ts","./src/lexicon/lexicon-data.ts","./src/lexicon/lexicon-getter.ts","./src/lexicon/lexicon-manager.ts","./src/lexicon/lexicon-store.ts","./src/lib/hcaptcha.ts","./src/lib/nsid.ts","./src/lib/redis.ts","./src/lib/send-web-page.ts","./src/lib/csp/index.ts","./src/lib/html/build-document.ts","./src/lib/html/escapers.ts","./src/lib/html/html.ts","./src/lib/html/hydration-data.ts","./src/lib/html/index.ts","./src/lib/html/tags.ts","./src/lib/html/util.ts","./src/lib/http/accept.ts","./src/lib/http/context.ts","./src/lib/http/headers.ts","./src/lib/http/index.ts","./src/lib/http/method.ts","./src/lib/http/middleware.ts","./src/lib/http/parser.ts","./src/lib/http/path.ts","./src/lib/http/request.ts","./src/lib/http/response.ts","./src/lib/http/route.ts","./src/lib/http/router.ts","./src/lib/http/security-headers.ts","./src/lib/http/stream.ts","./src/lib/http/types.ts","./src/lib/http/url.ts","./src/lib/util/authorization-header.ts","./src/lib/util/cast.ts","./src/lib/util/color.ts","./src/lib/util/crypto.ts","./src/lib/util/date.ts","./src/lib/util/error.ts","./src/lib/util/function.ts","./src/lib/util/locale.ts","./src/lib/util/redirect-uri.ts","./src/lib/util/time.ts","./src/lib/util/type.ts","./src/lib/util/ui8.ts","./src/lib/util/well-known.ts","./src/lib/util/zod-error.ts","./src/metadata/build-metadata.ts","./src/oidc/sub.ts","./src/replay/replay-manager.ts","./src/replay/replay-store-memory.ts","./src/replay/replay-store-redis.ts","./src/replay/replay-store.ts","./src/request/code.ts","./src/request/request-data.ts","./src/request/request-id.ts","./src/request/request-manager.ts","./src/request/request-store.ts","./src/request/request-uri.ts","./src/result/authorization-redirect-parameters.ts","./src/result/authorization-result-authorize-page.ts","./src/result/authorization-result-redirect.ts","./src/router/create-account-page-middleware.ts","./src/router/create-api-middleware.ts","./src/router/create-authorization-page-middleware.ts","./src/router/create-oauth-middleware.ts","./src/router/error-handler.ts","./src/router/middleware-options.ts","./src/router/send-redirect.ts","./src/router/assets/assets-manifest.ts","./src/router/assets/assets.ts","./src/router/assets/csrf.ts","./src/router/assets/send-account-page.ts","./src/router/assets/send-authorization-page.ts","./src/router/assets/send-error-page.ts","./src/signer/api-token-payload.ts","./src/signer/signed-token-payload.ts","./src/signer/signer.ts","./src/token/refresh-token.ts","./src/token/token-data.ts","./src/token/token-id.ts","./src/token/token-manager.ts","./src/token/token-store.ts","./src/token/verify-token-claims.ts","./src/types/authorization-response-error.ts","./src/types/color-hue.ts","./src/types/email-otp.ts","./src/types/email.ts","./src/types/handle.ts","./src/types/invite-code.ts","./src/types/par-response-error.ts","./src/types/password.ts","./src/types/rgb-color.ts"],"version":"5.8.3"}
+{"root":["./src/constants.ts","./src/index.ts","./src/oauth-client.ts","./src/oauth-dpop.ts","./src/oauth-errors.ts","./src/oauth-hooks.ts","./src/oauth-middleware.ts","./src/oauth-provider.ts","./src/oauth-store.ts","./src/oauth-verifier.ts","./src/access-token/access-token-mode.ts","./src/account/account-manager.ts","./src/account/account-store.ts","./src/account/sign-in-data.ts","./src/account/sign-up-input.ts","./src/client/client-auth.ts","./src/client/client-data.ts","./src/client/client-id.ts","./src/client/client-info.ts","./src/client/client-manager.ts","./src/client/client-store.ts","./src/client/client-utils.ts","./src/client/client.ts","./src/customization/branding.ts","./src/customization/build-customization-css.ts","./src/customization/build-customization-data.ts","./src/customization/colors.ts","./src/customization/customization.ts","./src/customization/links.ts","./src/device/device-data.ts","./src/device/device-id.ts","./src/device/device-manager.ts","./src/device/device-store.ts","./src/device/session-id.ts","./src/dpop/dpop-manager.ts","./src/dpop/dpop-nonce.ts","./src/dpop/dpop-proof.ts","./src/errors/access-denied-error.ts","./src/errors/account-selection-required-error.ts","./src/errors/authorization-error.ts","./src/errors/consent-required-error.ts","./src/errors/error-parser.ts","./src/errors/handle-unavailable-error.ts","./src/errors/invalid-authorization-details-error.ts","./src/errors/invalid-client-error.ts","./src/errors/invalid-client-id-error.ts","./src/errors/invalid-client-metadata-error.ts","./src/errors/invalid-dpop-key-binding-error.ts","./src/errors/invalid-dpop-proof-error.ts","./src/errors/invalid-grant-error.ts","./src/errors/invalid-invite-code-error.ts","./src/errors/invalid-redirect-uri-error.ts","./src/errors/invalid-request-error.ts","./src/errors/invalid-scope-error.ts","./src/errors/invalid-token-error.ts","./src/errors/login-required-error.ts","./src/errors/oauth-error.ts","./src/errors/second-authentication-factor-required-error.ts","./src/errors/unauthorized-client-error.ts","./src/errors/use-dpop-nonce-error.ts","./src/errors/www-authenticate-error.ts","./src/lexicon/lexicon-data.ts","./src/lexicon/lexicon-getter.ts","./src/lexicon/lexicon-manager.ts","./src/lexicon/lexicon-store.ts","./src/lib/hcaptcha.ts","./src/lib/nsid.ts","./src/lib/redis.ts","./src/lib/send-web-page.ts","./src/lib/csp/index.ts","./src/lib/html/build-document.ts","./src/lib/html/escapers.ts","./src/lib/html/html.ts","./src/lib/html/hydration-data.ts","./src/lib/html/index.ts","./src/lib/html/tags.ts","./src/lib/html/util.ts","./src/lib/http/accept.ts","./src/lib/http/context.ts","./src/lib/http/headers.ts","./src/lib/http/index.ts","./src/lib/http/method.ts","./src/lib/http/middleware.ts","./src/lib/http/parser.ts","./src/lib/http/path.ts","./src/lib/http/request.ts","./src/lib/http/response.ts","./src/lib/http/route.ts","./src/lib/http/router.ts","./src/lib/http/security-headers.ts","./src/lib/http/stream.ts","./src/lib/http/types.ts","./src/lib/http/url.ts","./src/lib/util/authorization-header.ts","./src/lib/util/cast.ts","./src/lib/util/color.ts","./src/lib/util/crypto.ts","./src/lib/util/date.ts","./src/lib/util/error.ts","./src/lib/util/function.ts","./src/lib/util/locale.ts","./src/lib/util/redirect-uri.ts","./src/lib/util/time.ts","./src/lib/util/type.ts","./src/lib/util/ui8.ts","./src/lib/util/well-known.ts","./src/lib/util/zod-error.ts","./src/metadata/build-metadata.ts","./src/oidc/sub.ts","./src/replay/replay-manager.ts","./src/replay/replay-store-memory.ts","./src/replay/replay-store-redis.ts","./src/replay/replay-store.ts","./src/request/code.ts","./src/request/request-data.ts","./src/request/request-id.ts","./src/request/request-manager.ts","./src/request/request-store.ts","./src/request/request-uri.ts","./src/result/authorization-redirect-parameters.ts","./src/result/authorization-result-authorize-page.ts","./src/result/authorization-result-redirect.ts","./src/router/create-account-page-middleware.ts","./src/router/create-api-middleware.ts","./src/router/create-authorization-page-middleware.ts","./src/router/create-oauth-middleware.ts","./src/router/error-handler.ts","./src/router/middleware-options.ts","./src/router/send-redirect.ts","./src/router/assets/assets-manifest.ts","./src/router/assets/assets.ts","./src/router/assets/csrf.ts","./src/router/assets/send-account-page.ts","./src/router/assets/send-authorization-page.ts","./src/router/assets/send-error-page.ts","./src/signer/access-token-payload.ts","./src/signer/api-token-payload.ts","./src/signer/signer.ts","./src/token/refresh-token.ts","./src/token/token-claims.ts","./src/token/token-data.ts","./src/token/token-id.ts","./src/token/token-manager.ts","./src/token/token-store.ts","./src/types/authorization-response-error.ts","./src/types/color-hue.ts","./src/types/email-otp.ts","./src/types/email.ts","./src/types/handle.ts","./src/types/invite-code.ts","./src/types/par-response-error.ts","./src/types/password.ts","./src/types/rgb-color.ts"],"version":"5.8.3"}

package/dist/token/verify-token-claims.d.ts

@@ -1,20 +0,0 @@
-import { OAuthAccessToken, OAuthTokenType } from '@atproto/oauth-types';
-import { DpopProof } from '../oauth-verifier.js';
-import { SignedTokenPayload } from '../signer/signed-token-payload.js';
-import { TokenId } from './token-id.js';
-export type { DpopProof, OAuthAccessToken, OAuthTokenType, SignedTokenPayload, TokenId, };
-export type VerifyTokenClaimsOptions = {
-    /** One of these audience must be included in the token audience(s) */
-    audience?: [string, ...string[]];
-    /** One of these scope must be included in the token scope(s) */
-    scope?: [string, ...string[]];
-};
-export type VerifyTokenClaimsResult = {
-    token: OAuthAccessToken;
-    tokenId: TokenId;
-    tokenType: OAuthTokenType;
-    tokenClaims: SignedTokenPayload;
-    dpopProof: null | DpopProof;
-};
-export declare function verifyTokenClaims(token: OAuthAccessToken, tokenId: TokenId, tokenType: OAuthTokenType, tokenClaims: SignedTokenPayload, dpopProof: null | DpopProof, options?: VerifyTokenClaimsOptions): VerifyTokenClaimsResult;
-//# sourceMappingURL=verify-token-claims.d.ts.map

package/dist/token/verify-token-claims.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"verify-token-claims.d.ts","sourceRoot":"","sources":["../../src/token/verify-token-claims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAKvE,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAChD,OAAO,EAAE,kBAAkB,EAAE,MAAM,mCAAmC,CAAA;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAA;AAKvC,YAAY,EACV,SAAS,EACT,gBAAgB,EAChB,cAAc,EACd,kBAAkB,EAClB,OAAO,GACR,CAAA;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,sEAAsE;IACtE,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;IAChC,gEAAgE;IAChE,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;CAC9B,CAAA;AAED,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,EAAE,gBAAgB,CAAA;IACvB,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,cAAc,CAAA;IACzB,WAAW,EAAE,kBAAkB,CAAA;IAC/B,SAAS,EAAE,IAAI,GAAG,SAAS,CAAA;CAC5B,CAAA;AAED,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,gBAAgB,EACvB,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,cAAc,EACzB,WAAW,EAAE,kBAAkB,EAC/B,SAAS,EAAE,IAAI,GAAG,SAAS,EAC3B,OAAO,CAAC,EAAE,wBAAwB,GACjC,uBAAuB,CA0DzB"}

package/dist/token/verify-token-claims.js

@@ -1,53 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyTokenClaims = verifyTokenClaims;
-const invalid_dpop_key_binding_error_js_1 = require("../errors/invalid-dpop-key-binding-error.js");
-const invalid_dpop_proof_error_js_1 = require("../errors/invalid-dpop-proof-error.js");
-const cast_js_1 = require("../lib/util/cast.js");
-const oauth_errors_js_1 = require("../oauth-errors.js");
-const BEARER = 'Bearer';
-const DPOP = 'DPoP';
-function verifyTokenClaims(token, tokenId, tokenType, tokenClaims, dpopProof, options) {
-    const dateReference = Date.now();
-    if (tokenClaims.cnf?.jkt) {
-        // An access token with a cnf.jkt claim must be a DPoP token
-        if (tokenType !== DPOP) {
-            throw new oauth_errors_js_1.InvalidTokenError(DPOP, `Access token is bound to a DPoP proof, but token type is ${tokenType}`);
-        }
-        // DPoP token type must be used with a DPoP proof
-        if (!dpopProof) {
-            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError(`DPoP proof required`);
-        }
-        // DPoP proof must be signed with the key that matches the "cnf" claim
-        if (tokenClaims.cnf.jkt !== dpopProof.jkt) {
-            throw new invalid_dpop_key_binding_error_js_1.InvalidDpopKeyBindingError();
-        }
-    }
-    else {
-        // An access token without a cnf.jkt claim must be a Bearer token
-        if (tokenType !== BEARER) {
-            throw new oauth_errors_js_1.InvalidTokenError(BEARER, `Bearer token type must be used without a DPoP proof`);
-        }
-        // Unexpected DPoP proof received for a Bearer token
-        if (dpopProof) {
-            throw new oauth_errors_js_1.InvalidTokenError(BEARER, `DPoP proof not expected for Bearer token type`);
-        }
-    }
-    if (options?.audience) {
-        const aud = (0, cast_js_1.asArray)(tokenClaims.aud);
-        if (!options.audience.some((v) => aud.includes(v))) {
-            throw new oauth_errors_js_1.InvalidTokenError(tokenType, `Invalid audience`);
-        }
-    }
-    if (options?.scope) {
-        const scopes = tokenClaims.scope?.split(' ');
-        if (!scopes || !options.scope.some((v) => scopes.includes(v))) {
-            throw new oauth_errors_js_1.InvalidTokenError(tokenType, `Invalid scope`);
-        }
-    }
-    if (tokenClaims.exp != null && tokenClaims.exp * 1000 <= dateReference) {
-        throw new oauth_errors_js_1.InvalidTokenError(tokenType, `Token expired`);
-    }
-    return { token, tokenId, tokenType, tokenClaims, dpopProof };
-}
-//# sourceMappingURL=verify-token-claims.js.map

package/dist/token/verify-token-claims.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"verify-token-claims.js","sourceRoot":"","sources":["../../src/token/verify-token-claims.ts"],"names":[],"mappings":";;AAmCA,8CAiEC;AAnGD,mGAAwF;AACxF,uFAA6E;AAC7E,iDAA6C;AAC7C,wDAAsD;AAKtD,MAAM,MAAM,GAAG,QAAiC,CAAA;AAChD,MAAM,IAAI,GAAG,MAA+B,CAAA;AAyB5C,SAAgB,iBAAiB,CAC/B,KAAuB,EACvB,OAAgB,EAChB,SAAyB,EACzB,WAA+B,EAC/B,SAA2B,EAC3B,OAAkC;IAElC,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAEhC,IAAI,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;QACzB,4DAA4D;QAC5D,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,mCAAiB,CACzB,IAAI,EACJ,4DAA4D,SAAS,EAAE,CACxE,CAAA;QACH,CAAC;QAED,iDAAiD;QACjD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,sEAAsE;QACtE,IAAI,WAAW,CAAC,GAAG,CAAC,GAAG,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;YAC1C,MAAM,IAAI,8DAA0B,EAAE,CAAA;QACxC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,iEAAiE;QACjE,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YACzB,MAAM,IAAI,mCAAiB,CACzB,MAAM,EACN,qDAAqD,CACtD,CAAA;QACH,CAAC;QAED,oDAAoD;QACpD,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,IAAI,mCAAiB,CACzB,MAAM,EACN,+CAA+C,CAChD,CAAA;QACH,CAAC;IACH,CAAC;IAED,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,IAAA,iBAAO,EAAC,WAAW,CAAC,GAAG,CAAC,CAAA;QACpC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAA;QAC5D,CAAC;IACH,CAAC;IAED,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QAC5C,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,IAAI,WAAW,CAAC,GAAG,IAAI,IAAI,IAAI,WAAW,CAAC,GAAG,GAAG,IAAI,IAAI,aAAa,EAAE,CAAC;QACvE,MAAM,IAAI,mCAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;IACzD,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE,CAAA;AAC9D,CAAC"}

package/src/token/verify-token-claims.ts

@@ -1,101 +0,0 @@
-import { OAuthAccessToken, OAuthTokenType } from '@atproto/oauth-types'
-import { InvalidDpopKeyBindingError } from '../errors/invalid-dpop-key-binding-error.js'
-import { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'
-import { asArray } from '../lib/util/cast.js'
-import { InvalidTokenError } from '../oauth-errors.js'
-import { DpopProof } from '../oauth-verifier.js'
-import { SignedTokenPayload } from '../signer/signed-token-payload.js'
-import { TokenId } from './token-id.js'
-
-const BEARER = 'Bearer' satisfies OAuthTokenType
-const DPOP = 'DPoP' satisfies OAuthTokenType
-
-export type {
-  DpopProof,
-  OAuthAccessToken,
-  OAuthTokenType,
-  SignedTokenPayload,
-  TokenId,
-}
-
-export type VerifyTokenClaimsOptions = {
-  /** One of these audience must be included in the token audience(s) */
-  audience?: [string, ...string[]]
-  /** One of these scope must be included in the token scope(s) */
-  scope?: [string, ...string[]]
-}
-
-export type VerifyTokenClaimsResult = {
-  token: OAuthAccessToken
-  tokenId: TokenId
-  tokenType: OAuthTokenType
-  tokenClaims: SignedTokenPayload
-  dpopProof: null | DpopProof
-}
-
-export function verifyTokenClaims(
-  token: OAuthAccessToken,
-  tokenId: TokenId,
-  tokenType: OAuthTokenType,
-  tokenClaims: SignedTokenPayload,
-  dpopProof: null | DpopProof,
-  options?: VerifyTokenClaimsOptions,
-): VerifyTokenClaimsResult {
-  const dateReference = Date.now()
-
-  if (tokenClaims.cnf?.jkt) {
-    // An access token with a cnf.jkt claim must be a DPoP token
-    if (tokenType !== DPOP) {
-      throw new InvalidTokenError(
-        DPOP,
-        `Access token is bound to a DPoP proof, but token type is ${tokenType}`,
-      )
-    }
-
-    // DPoP token type must be used with a DPoP proof
-    if (!dpopProof) {
-      throw new InvalidDpopProofError(`DPoP proof required`)
-    }
-
-    // DPoP proof must be signed with the key that matches the "cnf" claim
-    if (tokenClaims.cnf.jkt !== dpopProof.jkt) {
-      throw new InvalidDpopKeyBindingError()
-    }
-  } else {
-    // An access token without a cnf.jkt claim must be a Bearer token
-    if (tokenType !== BEARER) {
-      throw new InvalidTokenError(
-        BEARER,
-        `Bearer token type must be used without a DPoP proof`,
-      )
-    }
-
-    // Unexpected DPoP proof received for a Bearer token
-    if (dpopProof) {
-      throw new InvalidTokenError(
-        BEARER,
-        `DPoP proof not expected for Bearer token type`,
-      )
-    }
-  }
-
-  if (options?.audience) {
-    const aud = asArray(tokenClaims.aud)
-    if (!options.audience.some((v) => aud.includes(v))) {
-      throw new InvalidTokenError(tokenType, `Invalid audience`)
-    }
-  }
-
-  if (options?.scope) {
-    const scopes = tokenClaims.scope?.split(' ')
-    if (!scopes || !options.scope.some((v) => scopes.includes(v))) {
-      throw new InvalidTokenError(tokenType, `Invalid scope`)
-    }
-  }
-
-  if (tokenClaims.exp != null && tokenClaims.exp * 1000 <= dateReference) {
-    throw new InvalidTokenError(tokenType, `Token expired`)
-  }
-
-  return { token, tokenId, tokenType, tokenClaims, dpopProof }
-}