@atproto/oauth-provider 0.11.2 → 0.12.1

package/dist/token/token-manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../src/token/token-manager.ts"],"names":[],"mappings":";;;AAAA,sCAAqD;AACrD,gEAAkE;AAQlE,+EAAsE;AA+B7D,gGA/BA,sCAAe,OA+BA;AA5BxB,kDAA+C;AAE/C,6EAAoE;AACpE,iFAAwE;AACxE,6EAAoE;AAGpE,iDAAwE;AACxE,yDAAmD;AAInD,gDAAiD;AAEjD,mDAA4C;AAclB,uFAdjB,kBAAM,OAciB;AAbhC,yDAI2B;AAC3B,+CAAmE;AAEnE,qEAIiC;AAKjC,MAAa,YAAY;IAEF;IACA;IACA;IACA;IACA;IACA;IANrB,YACqB,KAAiB,EACjB,cAA8B,EAC9B,MAAc,EACd,KAAiB,EACjB,eAAgC,EAChC,cAAc,4BAAa;QAL3B,UAAK,GAAL,KAAK,CAAY;QACjB,mBAAc,GAAd,cAAc,CAAgB;QAC9B,WAAM,GAAN,MAAM,CAAQ;QACd,UAAK,GAAL,KAAK,CAAY;QACjB,oBAAe,GAAf,eAAe,CAAiB;QAChC,gBAAW,GAAX,WAAW,CAAgB;IAC7C,CAAC;IAEM,iBAAiB,CAAC,GAAG,GAAG,IAAI,IAAI,EAAE;QAC1C,OAAO,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAA;IACnD,CAAC;IAES,KAAK,CAAC,gBAAgB,CAC9B,OAAgB,EAChB,OAAgB,EAChB,MAAc,EACd,UAA+C,EAC/C,SAAe,EACf,SAAe,EACf,KAAa;QAEb,OAAO,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC;YACnC,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,IAAA,qBAAW,EAAC,SAAS,CAAC;YAC3B,GAAG,EAAE,IAAA,qBAAW,EAAC,SAAS,CAAC;YAC3B,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS;YAEnE,GAAG,CAAC,IAAI,CAAC,eAAe,KAAK,sCAAe,CAAC,SAAS,IAAI;gBACxD,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,KAAK;gBACL,4DAA4D;gBAC5D,SAAS,EAAE,MAAM,CAAC,EAAE;aACrB,CAAC;SACH,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,WAAW,CACf,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,OAAgB,EAChB,QAAyB,EACzB,UAA+C,EAC/C,IAAU;QAEV,MAAM,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;QAE9D,MAAM,OAAO,GAAG,MAAM,IAAA,6BAAe,GAAE,CAAA;QACvC,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC;YACxE,CAAC,CAAC,MAAM,IAAA,uCAAoB,GAAE;YAC9B,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QAE7C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc;aACpC,eAAe,CAAC,UAAU,CAAC,KAAM,CAAC;aAClC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,wBAAwB;YACxB,IAAI,GAAG,YAAY,yCAAsB,EAAE,CAAC;gBAC1C,MAAM,IAAI,8CAAmB,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;YACjD,CAAC;YAED,mBAAmB;YACnB,MAAM,GAAG,CAAA;QACX,CAAC,CAAC,CAAA;QAEJ,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAC7C,OAAO,EACP,OAAO,EACP,MAAM,EACN,UAAU,EACV,GAAG,EACH,SAAS,EACT,KAAK,CACN,CAAA;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,kBAAkB,CACtC,cAAc,CAAC,UAAU,CAAC,EAC1B,WAAW,EACX,YAAY,EACZ,SAAS,EACT,OAAO,CAAC,GAAG,EACX,KAAK,CACN,CAAA;QAED,MAAM,SAAS,GAAoB;YACjC,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;YACd,SAAS;YACT,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,UAAU;YACV,QAAQ;YACR,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,UAAU;YACV,OAAO,EAAE,IAAI;YACb,KAAK;YACL,IAAI;SACL,CAAA;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,EAAE,SAAS,EAAE,YAAY,CAAC,CAAA;QAE9D,IAAI,CAAC;YACH,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE;gBACzC,MAAM;gBACN,UAAU;gBACV,cAAc;gBACd,OAAO;gBACP,UAAU;aACX,CAAC,CAAA;YAEF,OAAO,QAAQ,CAAA;QACjB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,qEAAqE;YACrE,sBAAsB;YACtB,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;YAC/B,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAES,KAAK,CAAC,mBAAmB,CACjC,MAAc,EACd,UAAsB,EACtB,UAA+C;QAE/C,IAAI,MAAM,CAAC,QAAQ,CAAC,wBAAwB,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;YACrE,MAAM,IAAI,0CAAiB,CACzB,mDAAmD,CACpD,CAAA;QACH,CAAC;IACH,CAAC;IAES,kBAAkB,CAC1B,SAAyB,EACzB,WAA6B,EAC7B,YAAgC,EAChC,SAAe,EACf,GAAQ,EACR,KAAa;QAEb,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,SAAS;YACrB,aAAa,EAAE,YAAY;YAC3B,KAAK;YAEL,qEAAqE;YACrE,0EAA0E;YAC1E,IAAI,UAAU;gBACZ,OAAO,IAAA,+BAAqB,EAAC,SAAS,CAAC,CAAA;YACzC,CAAC;YAED,sEAAsE;YACtE,qEAAqE;YACrE,aAAa;YACb,GAAG;SACJ,CAAA;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CACf,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,SAAoB;QAEpB,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;QACnC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;QAE3B,MAAM,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;QAE9D,MAAM,WAAW,GAAG,MAAM,IAAA,6BAAe,GAAE,CAAA;QAC3C,MAAM,gBAAgB,GAAG,MAAM,IAAA,uCAAoB,GAAE,CAAA;QAErD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QAE7C,oEAAoE;QACpE,wEAAwE;QACxE,iCAAiC;QACjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,UAAU,CAAC,KAAM,CAAC,CAAA;QAE1E,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,EAAE,WAAW,EAAE,gBAAgB,EAAE;YACxE,SAAS,EAAE,GAAG;YACd,SAAS;YACT,qEAAqE;YACrE,cAAc;YACd,qEAAqE;YACrE,kBAAkB;YAClB,mEAAmE;YACnE,aAAa;YACb,UAAU;YACV,KAAK;SACN,CAAC,CAAA;QAEF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAC7C,WAAW,EACX,OAAO,EACP,MAAM,EACN,UAAU,EACV,GAAG,EACH,SAAS,EACT,KAAK,CACN,CAAA;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,kBAAkB,CACtC,cAAc,CAAC,UAAU,CAAC,EAC1B,WAAW,EACX,gBAAgB,EAChB,SAAS,EACT,OAAO,CAAC,GAAG,EACX,KAAK,CACN,CAAA;QAED,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE;YAC3C,MAAM;YACN,UAAU;YACV,cAAc;YACd,OAAO;YACP,UAAU;SACX,CAAC,CAAA;QAEF,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,SAAS,CAAC,KAAa;QAClC,IAAI,IAAA,uBAAS,EAAC,KAAK,CAAC,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAA;QACjC,CAAC;aAAM,IAAI,IAAA,gBAAM,EAAC,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;QAC/B,CAAC;aAAM,IAAI,IAAA,iCAAc,EAAC,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAA;QACvC,CAAC;aAAM,IAAI,IAAA,iBAAW,EAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAA;QACtC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,8CAAmB,CAAC,eAAe,CAAC,CAAA;QAChD,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,iBAAiB,CAAC,KAAgB;QAC7C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE;YAC7D,cAAc,EAAE,QAAQ;SACzB,CAAC,CAAA;QAEF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QACtD,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAA;QAE3B,6CAA6C;QAC7C,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAC1C,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YACpC,MAAM,IAAI,KAAK,CACb,gBAAgB,SAAS,CAAC,OAAO,CAAC,GAAG,+BAA+B,OAAO,CAAC,GAAG,GAAG,CACnF,CAAA;QACH,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAES,KAAK,CAAC,kBAAkB,CAChC,KAAmB;QAEnB,OAAO,IAAI,CAAC,KAAK,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAA;IAClD,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,KAAmB;QAClD,2EAA2E;QAC3E,0EAA0E;QAC1E,4EAA4E;QAC5E,yEAAyE;QACzE,oEAAoE;QACpE,yEAAyE;QACzE,uEAAuE;QAEvE,4EAA4E;QAC5E,eAAe;QACf,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACnE,MAAM,0CAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,uBAAuB,CAAC,CAAA;QAC5D,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,SAAS,CAAC,mBAAmB,KAAK,KAAK,EAAE,CAAC;YAC5C,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YACpC,MAAM,IAAI,0CAAiB,CAAC,wBAAwB,CAAC,CAAA;QACvD,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,IAAU;QAChC,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAA;IACzC,CAAC;IAEM,KAAK,CAAC,WAAW,CAAC,OAAgB;QACvC,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;IACxC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAgB;QACjC,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACtC,CAAC;IAED,KAAK,CAAC,WAAW,CACf,KAAuB,EACvB,SAAyB,EACzB,OAAgB,EAChB,SAA2B,EAC3B,aAAwC;QAExC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YAC/D,MAAM,0CAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;QAC9C,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,0CAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;QAED,IAAI,qBAAqB,CAAC,SAAS,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;YAC/B,MAAM,IAAI,0CAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;QACnC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;QAE3B,wDAAwD;QACxD,MAAM,WAAW,GAAuB;YACtC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YACvB,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,IAAA,qBAAW,EAAC,IAAI,CAAC,SAAS,CAAC;YAChC,GAAG,EAAE,IAAA,qBAAW,EAAC,IAAI,CAAC,SAAS,CAAC;YAChC,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS;YAEnE,uEAAuE;YACvE,gCAAgC;YAChC,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,mEAAmE;YACnE,kCAAkC;YAClC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK;YACrC,SAAS,EAAE,IAAI,CAAC,QAAQ;SACzB,CAAA;QAED,OAAO,IAAA,0CAAiB,EACtB,KAAK,EACL,OAAO,EACP,SAAS,EACT,WAAW,EACX,SAAS,EACT,aAAa,CACd,CAAA;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAQ;QAC9B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QACvD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,aAAa;aAClE,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC,CAAA;IAC7D,CAAC;CACF;AA9WD,oCA8WC;AAED,SAAS,qBAAqB,CAAC,SAAoB;IACjD,OAAO,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;AACxD,CAAC;AAED,SAAS,cAAc,CACrB,UAA+C;IAE/C,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;QACxB,OAAO,MAAM,CAAA;IACf,CAAC;IACD,OAAO,QAAQ,CAAA;AACjB,CAAC"}
+{"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../src/token/token-manager.ts"],"names":[],"mappings":";;;AAAA,sCAAqD;AACrD,gEAAkE;AASlE,+EAAsE;AA0B7D,gGA1BA,sCAAe,OA0BA;AAvBxB,kDAA+C;AAE/C,6EAAoE;AACpE,iFAAwE;AACxE,6EAAoE;AAGpE,iDAAwE;AACxE,yDAAmD;AAGnD,gDAAiD;AAEjD,mDAA4C;AAUlB,uFAVjB,kBAAM,OAUiB;AAThC,yDAI2B;AAE3B,+CAAmE;AAMnE,MAAa,YAAY;IAEF;IACA;IACA;IACA;IACA;IACA;IANrB,YACqB,KAAiB,EACjB,cAA8B,EAC9B,MAAc,EACd,KAAiB,EACjB,eAAgC,EAChC,cAAc,4BAAa;QAL3B,UAAK,GAAL,KAAK,CAAY;QACjB,mBAAc,GAAd,cAAc,CAAgB;QAC9B,WAAM,GAAN,MAAM,CAAQ;QACd,UAAK,GAAL,KAAK,CAAY;QACjB,oBAAe,GAAf,eAAe,CAAiB;QAChC,gBAAW,GAAX,WAAW,CAAgB;IAC7C,CAAC;IAEM,iBAAiB,CAAC,GAAG,GAAG,IAAI,IAAI,EAAE;QAC1C,OAAO,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAA;IACnD,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,OAAgB,EAChB,MAAc,EACd,OAAgB,EAChB,UAA+C,EAC/C,QAAc,EACd,SAAe,EACf,KAAiB;QAEjB,MAAM,MAAM,GAAgB;YAC1B,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,IAAA,qBAAW,EAAC,QAAQ,CAAC;YAC1B,GAAG,EAAE,IAAA,qBAAW,EAAC,SAAS,CAAC;YAC3B,GAAG,EAAE,OAAO,CAAC,GAAG;YAEhB,GAAG,CAAC,UAAU,CAAC,QAAQ,IAAI;gBACzB,GAAG,EAAE,EAAE,GAAG,EAAE,UAAU,CAAC,QAAQ,EAAE;aAClC,CAAC;YAEF,0EAA0E;YAC1E,kBAAkB;YAClB,GAAG,CAAC,IAAI,CAAC,eAAe,KAAK,sCAAe,CAAC,SAAS,IAAI;gBACxD,KAAK;aACN,CAAC;YAEF,4DAA4D;YAC5D,SAAS,EAAE,MAAM,CAAC,EAAE;SACrB,CAAA;QAED,MAAM,cAAc,GAAG,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE;YAC/D,MAAM;YACN,OAAO;YACP,UAAU;YACV,MAAM;SACP,CAAC,CAAA;QAEF,OAAO,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,cAAc,IAAI,MAAM,CAAC,CAAA;IAChE,CAAC;IAED,KAAK,CAAC,WAAW,CACf,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,OAAgB,EAChB,QAAyB,EACzB,UAA+C,EAC/C,IAAU;QAEV,MAAM,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;QAE9D,MAAM,OAAO,GAAG,MAAM,IAAA,6BAAe,GAAE,CAAA;QACvC,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC;YACxE,CAAC,CAAC,MAAM,IAAA,uCAAoB,GAAE;YAC9B,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QAE7C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc;aACpC,eAAe,CAAC,UAAU,CAAC,KAAM,CAAC;aAClC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,wBAAwB;YACxB,IAAI,GAAG,YAAY,yCAAsB,EAAE,CAAC;gBAC1C,MAAM,IAAI,8CAAmB,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;YACjD,CAAC;YAED,mBAAmB;YACnB,MAAM,GAAG,CAAA;QACX,CAAC,CAAC,CAAA;QAEJ,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAC9C,OAAO,EACP,MAAM,EACN,OAAO,EACP,UAAU,EACV,GAAG,EACH,SAAS,EACT,KAAK,CACN,CAAA;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,kBAAkB,CACtC,cAAc,CAAC,UAAU,CAAC,EAC1B,WAAW,EACX,YAAY,EACZ,SAAS,EACT,OAAO,CAAC,GAAG,EACX,KAAK,CACN,CAAA;QAED,MAAM,SAAS,GAAoB;YACjC,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;YACd,SAAS;YACT,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,UAAU;YACV,QAAQ;YACR,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,UAAU;YACV,OAAO,EAAE,IAAI;YACb,KAAK;YACL,IAAI;SACL,CAAA;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,EAAE,SAAS,EAAE,YAAY,CAAC,CAAA;QAE9D,IAAI,CAAC;YACH,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE;gBACzC,MAAM;gBACN,UAAU;gBACV,cAAc;gBACd,OAAO;gBACP,UAAU;aACX,CAAC,CAAA;YAEF,OAAO,QAAQ,CAAA;QACjB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,qEAAqE;YACrE,sBAAsB;YACtB,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;YAC/B,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAES,KAAK,CAAC,mBAAmB,CACjC,MAAc,EACd,UAAsB,EACtB,UAA+C;QAE/C,IAAI,MAAM,CAAC,QAAQ,CAAC,wBAAwB,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;YACrE,MAAM,IAAI,0CAAiB,CACzB,mDAAmD,CACpD,CAAA;QACH,CAAC;IACH,CAAC;IAES,kBAAkB,CAC1B,SAAyB,EACzB,WAA6B,EAC7B,YAAgC,EAChC,SAAe,EACf,GAAQ,EACR,KAAa;QAEb,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,SAAS;YACrB,aAAa,EAAE,YAAY;YAC3B,KAAK;YAEL,qEAAqE;YACrE,0EAA0E;YAC1E,IAAI,UAAU;gBACZ,OAAO,IAAA,+BAAqB,EAAC,SAAS,CAAC,CAAA;YACzC,CAAC;YAED,sEAAsE;YACtE,qEAAqE;YACrE,aAAa;YACb,GAAG;SACJ,CAAA;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CACf,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,SAAoB;QAEpB,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;QACnC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;QAE3B,MAAM,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;QAE9D,MAAM,WAAW,GAAG,MAAM,IAAA,6BAAe,GAAE,CAAA;QAC3C,MAAM,gBAAgB,GAAG,MAAM,IAAA,uCAAoB,GAAE,CAAA;QAErD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QAE7C,oEAAoE;QACpE,wEAAwE;QACxE,iCAAiC;QACjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,UAAU,CAAC,KAAM,CAAC,CAAA;QAE1E,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,EAAE,WAAW,EAAE,gBAAgB,EAAE;YACxE,SAAS,EAAE,GAAG;YACd,SAAS;YACT,qEAAqE;YACrE,cAAc;YACd,qEAAqE;YACrE,kBAAkB;YAClB,mEAAmE;YACnE,aAAa;YACb,UAAU;YACV,KAAK;SACN,CAAC,CAAA;QAEF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAC9C,WAAW,EACX,MAAM,EACN,OAAO,EACP,UAAU,EACV,GAAG,EACH,SAAS,EACT,KAAK,CACN,CAAA;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,kBAAkB,CACtC,cAAc,CAAC,UAAU,CAAC,EAC1B,WAAW,EACX,gBAAgB,EAChB,SAAS,EACT,OAAO,CAAC,GAAG,EACX,KAAK,CACN,CAAA;QAED,MAAM,IAAA,uBAAS,EAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE;YAC3C,MAAM;YACN,UAAU;YACV,cAAc;YACd,OAAO;YACP,UAAU;SACX,CAAC,CAAA;QAEF,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,SAAS,CAAC,KAAa;QAClC,IAAI,IAAA,uBAAS,EAAC,KAAK,CAAC,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAA;QACjC,CAAC;aAAM,IAAI,IAAA,gBAAM,EAAC,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;QAC/B,CAAC;aAAM,IAAI,IAAA,iCAAc,EAAC,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAA;QACvC,CAAC;aAAM,IAAI,IAAA,iBAAW,EAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAA;QACtC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,8CAAmB,CAAC,eAAe,CAAC,CAAA;QAChD,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,iBAAiB,CAAC,KAAgB;QAC7C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE;YAC7D,cAAc,EAAE,QAAQ;SACzB,CAAC,CAAA;QAEF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QACtD,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAA;QAE3B,6CAA6C;QAC7C,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAC1C,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YACpC,MAAM,IAAI,KAAK,CACb,gBAAgB,SAAS,CAAC,OAAO,CAAC,GAAG,+BAA+B,OAAO,CAAC,GAAG,GAAG,CACnF,CAAA;QACH,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAES,KAAK,CAAC,kBAAkB,CAChC,KAAmB;QAEnB,OAAO,IAAI,CAAC,KAAK,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAA;IAClD,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,KAAmB;QAClD,2EAA2E;QAC3E,0EAA0E;QAC1E,4EAA4E;QAC5E,yEAAyE;QACzE,oEAAoE;QACpE,yEAAyE;QACzE,uEAAuE;QAEvE,4EAA4E;QAC5E,eAAe;QACf,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACnE,MAAM,0CAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,uBAAuB,CAAC,CAAA;QAC5D,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,SAAS,CAAC,mBAAmB,KAAK,KAAK,EAAE,CAAC;YAC5C,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YACpC,MAAM,IAAI,0CAAiB,CAAC,wBAAwB,CAAC,CAAA;QACvD,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,IAAU;QAChC,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAA;IACzC,CAAC;IAEM,KAAK,CAAC,WAAW,CAAC,OAAgB;QACvC,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;IACxC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAgB;QACjC,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACtC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,eAAe,CACnB,SAAyB,EACzB,YAAgC;QAEhC,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAA;QAChC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YAC/D,MAAM,0CAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;QAC9C,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,0CAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;QAEnC,0EAA0E;QAC1E,4EAA4E;QAC5E,uBAAuB;QACvB,IAAI,YAAY,CAAC,GAAG,EAAE,GAAG,KAAK,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;YACvD,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;YAC/B,MAAM,IAAI,0CAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;QAED,IAAI,qBAAqB,CAAC,SAAS,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;YAC/B,MAAM,IAAI,0CAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;QAED,OAAO;YACL,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,IAAA,qBAAW,EAAC,IAAI,CAAC,SAAS,CAAC;YAChC,GAAG,EAAE,IAAA,qBAAW,EAAC,IAAI,CAAC,SAAS,CAAC;YAChC,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK;YAC1C,4DAA4D;YAC5D,SAAS,EAAE,IAAI,CAAC,QAAQ;SACzB,CAAA;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAQ;QAC9B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QACvD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,aAAa;aAClE,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC,CAAA;IAC7D,CAAC;CACF;AAvXD,oCAuXC;AAED,SAAS,qBAAqB,CAAC,SAAoB;IACjD,OAAO,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;AACxD,CAAC;AAED,SAAS,cAAc,CACrB,UAA+C;IAE/C,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;QACxB,OAAO,MAAM,CAAA;IACf,CAAC;IACD,OAAO,QAAQ,CAAA;AACjB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-provider",
-  "version": "0.11.2",
+  "version": "0.12.1",
   "license": "MIT",
   "description": "Generic OAuth2 and OpenID Connect provider for Node.js. Currently only supports features needed for Atproto.",
   "keywords": [
@@ -47,17 +47,17 @@
     "@atproto-labs/pipe": "0.1.1",
     "@atproto-labs/simple-store": "0.3.0",
     "@atproto-labs/simple-store-memory": "0.1.4",
-    "@atproto/common": "^0.4.11",
+    "@atproto/common": "^0.4.12",
     "@atproto/did": "0.2.0",
     "@atproto/jwk": "0.5.0",
     "@atproto/jwk-jose": "0.1.10",
-    "@atproto/lexicon": "0.5.0",
-    "@atproto/lexicon-resolver": "0.2.0",
+    "@atproto/lexicon": "0.5.1",
+    "@atproto/lexicon-resolver": "0.2.1",
     "@atproto/oauth-types": "0.4.1",
     "@atproto/oauth-provider-api": "0.3.0",
-    "@atproto/oauth-provider-frontend": "0.2.0",
-    "@atproto/oauth-provider-ui": "0.3.0",
-    "@atproto/oauth-scopes": "0.1.0",
+    "@atproto/oauth-provider-frontend": "0.2.1",
+    "@atproto/oauth-provider-ui": "0.3.1",
+    "@atproto/oauth-scopes": "0.2.0",
     "@atproto/syntax": "0.4.1"
   },
   "devDependencies": {

package/src/access-token/access-token-mode.ts

@@ -1,4 +1,4 @@
 export enum AccessTokenMode {
   stateless = 'stateless',
-  light = 'light',
+  stateful = 'stateful',
 }

package/src/dpop/dpop-manager.ts

@@ -136,7 +136,9 @@ export class DpopManager {
       throw wrapInvalidDpopProofError(err, 'Failed to calculate jkt')
     })
 
-    return { jti, jkt, htm, htu }
+    // @NOTE We freeze the proof to prevent accidental modification (esp. from
+    // hooks).
+    return Object.freeze({ jti, jkt, htm, htu })
   }
 }
 

package/src/dpop/dpop-proof.ts

@@ -1,6 +1,6 @@
-export type DpopProof = {
+export type DpopProof = Readonly<{
   jti: string
   jkt: string
   htm: string
   htu: string
-}
+}>

package/src/lib/util/function.ts

@@ -33,3 +33,7 @@ export function invokeOnce<T extends (this: any, ...a: any[]) => any>(
     throw new Error('Function called multiple times')
   } as T
 }
+
+export function includedIn<T>(this: readonly T[], value: T): boolean {
+  return this.includes(value)
+}

package/src/oauth-hooks.ts

@@ -1,10 +1,12 @@
 import { Jwks } from '@atproto/jwk'
 import type { Account } from '@atproto/oauth-provider-api'
 import {
+  OAuthAccessToken,
   OAuthAuthorizationDetails,
   OAuthAuthorizationRequestParameters,
   OAuthClientMetadata,
   OAuthTokenResponse,
+  OAuthTokenType,
 } from '@atproto/oauth-types'
 import { SignInData } from './account/sign-in-data.js'
 import { SignUpInput } from './account/sign-up-input.js'
@@ -12,6 +14,7 @@ import { ClientAuth } from './client/client-auth.js'
 import { ClientId } from './client/client-id.js'
 import { ClientInfo } from './client/client-info.js'
 import { Client } from './client/client.js'
+import { DpopProof } from './dpop/dpop-proof.js'
 import { AccessDeniedError } from './errors/access-denied-error.js'
 import { AuthorizationError } from './errors/authorization-error.js'
 import { InvalidRequestError } from './errors/invalid-request-error.js'
@@ -22,13 +25,16 @@ import {
   HcaptchaVerifyResult,
 } from './lib/hcaptcha.js'
 import { RequestMetadata } from './lib/http/request.js'
-import { Awaitable } from './lib/util/type.js'
+import { Awaitable, OmitKey } from './lib/util/type.js'
 import { DeviceId, SignUpData } from './oauth-store.js'
 import { RequestId } from './request/request-id.js'
+import { AccessTokenPayload } from './signer/access-token-payload.js'
+import { TokenClaims } from './token/token-claims.js'
 
 // Make sure all types needed to implement the OAuthHooks are exported
 export {
   AccessDeniedError,
+  type AccessTokenPayload,
   type Account,
   AuthorizationError,
   type Awaitable,
@@ -37,20 +43,24 @@ export {
   type ClientId,
   type ClientInfo,
   type DeviceId,
+  type DpopProof,
   type HcaptchaClientTokens,
   type HcaptchaConfig,
   type HcaptchaVerifyResult,
   InvalidRequestError,
   type Jwks,
+  type OAuthAccessToken,
   type OAuthAuthorizationDetails,
   type OAuthAuthorizationRequestParameters,
   type OAuthClientMetadata,
   OAuthError,
   type OAuthTokenResponse,
+  type OAuthTokenType,
   type RequestMetadata,
   type SignInData,
   type SignUpData,
   type SignUpInput,
+  type TokenClaims,
 }
 
 export type OAuthHooks = {
@@ -151,6 +161,38 @@ export type OAuthHooks = {
     requestId: RequestId
   }) => Awaitable<void>
 
+  /**
+   * This hook is called whenever a token is about to be created. You can use
+   * it to modify the token claims or perform additional validation.
+   *
+   * This hook should never throw an error.
+   */
+  onCreateToken?: (data: {
+    client: Client
+    account: Account
+    parameters: OAuthAuthorizationRequestParameters
+    claims: TokenClaims
+  }) => Awaitable<void | OmitKey<AccessTokenPayload, 'iss'>>
+
+  /**
+   * This hook is called whenever a token was just decoded, and basic validation
+   * was performed (signature, expiration, not-before).
+   *
+   * It can be used to modify the payload (e.g., to add custom claims), or to
+   * perform additional validation.
+   *
+   * This hook is called when authenticating requests through the
+   * `authenticateRequest()` method in `OAuthVerifier` and `OAuthProvider`.
+   *
+   * Any error thrown here will be propagated.
+   */
+  onDecodeToken?: (data: {
+    tokenType: OAuthTokenType
+    token: OAuthAccessToken
+    payload: AccessTokenPayload
+    dpopProof: null | DpopProof
+  }) => Promise<AccessTokenPayload | void>
+
   /**
    * This hook is called when an authorized client exchanges an authorization
    * code for an access token.

package/src/oauth-provider.ts

@@ -85,6 +85,7 @@ import {
   DpopProof,
   OAuthVerifier,
   OAuthVerifierOptions,
+  VerifyTokenPayloadOptions,
 } from './oauth-verifier.js'
 import { ReplayStore, ifReplayStore } from './replay/replay-store.js'
 import { codeSchema } from './request/code.js'
@@ -95,6 +96,7 @@ import { AuthorizationRedirectParameters } from './result/authorization-redirect
 import { AuthorizationResultAuthorizePage } from './result/authorization-result-authorize-page.js'
 import { AuthorizationResultRedirect } from './result/authorization-result-redirect.js'
 import { ErrorHandler } from './router/error-handler.js'
+import { AccessTokenPayload } from './signer/access-token-payload.js'
 import { TokenData } from './token/token-data.js'
 import { TokenManager } from './token/token-manager.js'
 import {
@@ -102,14 +104,11 @@ import {
   asTokenStore,
   refreshTokenSchema,
 } from './token/token-store.js'
-import {
-  VerifyTokenClaimsOptions,
-  VerifyTokenClaimsResult,
-} from './token/verify-token-claims.js'
 import { isPARResponseError } from './types/par-response-error.js'
 
 export { AccessTokenMode, Keyset }
 export type {
+  AccessTokenPayload,
   AuthorizationRedirectParameters,
   AuthorizationResultAuthorizePage as AuthorizationResultAuthorize,
   AuthorizationResultRedirect,
@@ -123,6 +122,7 @@ export type {
   LexiconResolver,
   MultiLangString,
   OAuthAuthorizationServerMetadata,
+  VerifyTokenPayloadOptions,
 }
 
 type OAuthProviderConfig = {
@@ -295,11 +295,7 @@ export class OAuthProvider extends OAuthVerifier {
     const deviceManagerOptions: DeviceManagerOptions =
       deviceManagerOptionsSchema.parse(rest)
 
-    // @NOTE: validation of super params (if we wanted to implement it) should
-    // be the responsibility of the super class.
-    const superOptions: OAuthVerifierOptions = rest
-
-    super({ replayStore, ...superOptions })
+    super({ replayStore, ...rest })
 
     // @NOTE: hooks don't really need a type parser, as all zod can actually
     // check at runtime is the fact that the values are functions. The only way
@@ -1075,41 +1071,27 @@ export class OAuthProvider extends OAuthVerifier {
     }
   }
 
-  protected override async verifyToken(
+  protected override async decodeToken(
     tokenType: OAuthTokenType,
     token: OAuthAccessToken,
     dpopProof: null | DpopProof,
-    verifyOptions?: VerifyTokenClaimsOptions,
-  ): Promise<VerifyTokenClaimsResult> {
-    if (this.accessTokenMode === AccessTokenMode.stateless) {
-      return super.verifyToken(tokenType, token, dpopProof, verifyOptions)
-    }
+  ): Promise<AccessTokenPayload> {
+    const tokenPayload = await super.decodeToken(tokenType, token, dpopProof)
 
-    if (this.accessTokenMode === AccessTokenMode.light) {
-      const { tokenClaims } = await super.verifyToken(
-        tokenType,
-        token,
-        dpopProof,
-        // Do not verify the scope and audience in case of "light" tokens.
-        // these will be checked through the tokenManager hereafter.
-        undefined,
-      )
-
-      const tokenId = tokenClaims.jti
+    if (this.accessTokenMode !== AccessTokenMode.stateless) {
+      // @NOTE in non stateless mode, some claims can be omitted (most notably
+      // "scope"). We load the token claims here (allowing to ensure that the
+      // token is still valid, and to retrieve a (potentially updated) set of
+      // claims).
 
-      // In addition to verifying the signature (through the verifier above), we
-      // also verify the tokenId is still valid using a database to fetch
-      // missing data from "light" token.
-      return this.tokenManager.verifyToken(
-        token,
+      const tokenClaims = await this.tokenManager.loadTokenClaims(
         tokenType,
-        tokenId,
-        dpopProof,
-        verifyOptions,
+        tokenPayload,
       )
+
+      Object.assign(tokenPayload, tokenClaims)
     }
 
-    // Fool-proof
-    throw new Error('Invalid access token mode')
+    return tokenPayload
   }
 }

package/src/oauth-verifier.ts

@@ -9,53 +9,65 @@ import {
 import { DpopManager, DpopManagerOptions } from './dpop/dpop-manager.js'
 import { DpopNonce } from './dpop/dpop-nonce.js'
 import { DpopProof } from './dpop/dpop-proof.js'
+import { InvalidDpopKeyBindingError } from './errors/invalid-dpop-key-binding-error.js'
 import { InvalidDpopProofError } from './errors/invalid-dpop-proof-error.js'
 import { InvalidTokenError } from './errors/invalid-token-error.js'
 import { UseDpopNonceError } from './errors/use-dpop-nonce-error.js'
 import { WWWAuthenticateError } from './errors/www-authenticate-error.js'
 import { parseAuthorizationHeader } from './lib/util/authorization-header.js'
-import { Override } from './lib/util/type.js'
+import { includedIn } from './lib/util/function.js'
+import { OAuthHooks } from './oauth-hooks.js'
 import { ReplayManager } from './replay/replay-manager.js'
 import { ReplayStoreMemory } from './replay/replay-store-memory.js'
 import { ReplayStoreRedis } from './replay/replay-store-redis.js'
 import { ReplayStore } from './replay/replay-store.js'
+import { AccessTokenPayload } from './signer/access-token-payload.js'
 import { Signer } from './signer/signer.js'
-import {
-  VerifyTokenClaimsOptions,
-  VerifyTokenClaimsResult,
-  verifyTokenClaims,
-} from './token/verify-token-claims.js'
-
-export type * from './token/verify-token-claims.js'
-
-export type OAuthVerifierOptions = Override<
-  DpopManagerOptions,
-  {
-    /**
-     * The "issuer" identifier of the OAuth provider, this is the base URL of the
-     * OAuth provider.
-     */
-    issuer: URL | string
-
-    /**
-     * The keyset used to sign access tokens.
-     */
-    keyset: Keyset | Iterable<Key | undefined | null | false>
-
-    /**
-     * A redis instance to use for replay protection. If not provided, replay
-     * protection will use memory storage.
-     */
-    redis?: Redis | RedisOptions | string
-
-    replayStore?: ReplayStore
-  }
->
+
+export type DecodeTokenHook = OAuthHooks['onDecodeToken']
+
+export type OAuthVerifierOptions = DpopManagerOptions & {
+  /**
+   * The "issuer" identifier of the OAuth provider, this is the base URL of the
+   * OAuth provider.
+   */
+  issuer: URL | string
+
+  /**
+   * The keyset used to sign access tokens.
+   */
+  keyset: Keyset | Iterable<Key | undefined | null | false>
+
+  /**
+   * A redis instance to use for replay protection. If not provided, replay
+   * protection will use memory storage.
+   */
+  redis?: Redis | RedisOptions | string
+
+  replayStore?: ReplayStore
+
+  onDecodeToken?: DecodeTokenHook
+}
+
+export type VerifyTokenPayloadOptions = {
+  /** One of these audience must be included in the token audience(s) */
+  audience?: [string, ...string[]]
+  /** One of these scope must be included in the token scope(s) */
+  scope?: [string, ...string[]]
+}
 
 export { DpopNonce, Key, Keyset }
-export type { DpopProof, RedisOptions, ReplayStore }
+export type {
+  AccessTokenPayload,
+  DpopProof,
+  OAuthTokenType,
+  RedisOptions,
+  ReplayStore,
+}
 
 export class OAuthVerifier {
+  private readonly onDecodeToken?: DecodeTokenHook
+
   public readonly issuer: OAuthIssuerIdentifier
   public readonly keyset: Keyset
 
@@ -70,6 +82,7 @@ export class OAuthVerifier {
     replayStore = redis != null
       ? new ReplayStoreRedis({ redis })
       : new ReplayStoreMemory(),
+    onDecodeToken,
 
     ...rest
   }: OAuthVerifierOptions) {
@@ -91,6 +104,8 @@ export class OAuthVerifier {
     this.dpopManager = new DpopManager(dpopMgrOptions)
     this.replayManager = new ReplayManager(replayStore)
     this.signer = new Signer(this.issuer, this.keyset)
+
+    this.onDecodeToken = onDecodeToken
   }
 
   public nextDpopNonce() {
@@ -118,12 +133,11 @@ export class OAuthVerifier {
     return dpopProof
   }
 
-  protected async verifyToken(
+  protected async decodeToken(
     tokenType: OAuthTokenType,
     token: OAuthAccessToken,
     dpopProof: null | DpopProof,
-    verifyOptions?: VerifyTokenClaimsOptions,
-  ): Promise<VerifyTokenClaimsResult> {
+  ): Promise<AccessTokenPayload> {
     if (!isSignedJwt(token)) {
       throw new InvalidTokenError(tokenType, `Malformed token`)
     }
@@ -134,22 +148,56 @@ export class OAuthVerifier {
         throw InvalidTokenError.from(err, tokenType)
       })
 
-    return verifyTokenClaims(
-      token,
-      payload.jti,
+    if (payload.cnf?.jkt) {
+      // An access token with a cnf.jkt claim must be a DPoP token
+      if (tokenType !== 'DPoP') {
+        throw new InvalidTokenError(
+          'DPoP',
+          `Access token is bound to a DPoP proof, but token type is ${tokenType}`,
+        )
+      }
+
+      // DPoP token type must be used with a DPoP proof
+      if (!dpopProof) {
+        throw new InvalidDpopProofError(`DPoP proof required`)
+      }
+
+      // DPoP proof must be signed with the key that matches the "cnf" claim
+      if (payload.cnf.jkt !== dpopProof.jkt) {
+        throw new InvalidDpopKeyBindingError()
+      }
+    } else {
+      // An access token without a cnf.jkt claim must be a Bearer token
+      if (tokenType !== 'Bearer') {
+        throw new InvalidTokenError(
+          'Bearer',
+          `Bearer token type must be used without a DPoP proof`,
+        )
+      }
+
+      // @NOTE We ignore (but allow) DPoP proofs for Bearer tokens
+    }
+
+    const payloadOverride = await this.onDecodeToken?.call(null, {
       tokenType,
+      token,
       payload,
       dpopProof,
-      verifyOptions,
-    )
+    })
+
+    return payloadOverride ?? payload
   }
 
+  /**
+   * @throws {WWWAuthenticateError}
+   * @throws {InvalidTokenError}
+   */
   public async authenticateRequest(
     httpMethod: string,
     httpUrl: Readonly<URL>,
     httpHeaders: Record<string, undefined | string | string[]>,
-    verifyOptions?: VerifyTokenClaimsOptions,
-  ): Promise<VerifyTokenClaimsResult> {
+    verifyOptions?: VerifyTokenPayloadOptions,
+  ): Promise<AccessTokenPayload> {
     const [tokenType, token] = parseAuthorizationHeader(
       httpHeaders['authorization'],
     )
@@ -161,14 +209,11 @@ export class OAuthVerifier {
         token,
       )
 
-      const tokenResult = await this.verifyToken(
-        tokenType,
-        token,
-        dpopProof,
-        verifyOptions,
-      )
+      const tokenPayload = await this.decodeToken(tokenType, token, dpopProof)
 
-      return tokenResult
+      this.verifyTokenPayload(tokenType, tokenPayload, verifyOptions)
+
+      return tokenPayload
     } catch (err) {
       if (err instanceof UseDpopNonceError) throw err.toWwwAuthenticateError()
       if (err instanceof WWWAuthenticateError) throw err
@@ -176,4 +221,40 @@ export class OAuthVerifier {
       throw InvalidTokenError.from(err, tokenType)
     }
   }
+
+  protected verifyTokenPayload(
+    tokenType: OAuthTokenType,
+    tokenPayload: AccessTokenPayload,
+    options?: VerifyTokenPayloadOptions,
+  ): void {
+    if (options?.audience) {
+      const { aud } = tokenPayload
+      const hasMatch =
+        aud != null &&
+        (Array.isArray(aud)
+          ? options.audience.some(includedIn, aud)
+          : options.audience.includes(aud))
+      if (!hasMatch) {
+        const details = `(got: ${aud}, expected one of: ${options.audience})`
+        throw new InvalidTokenError(tokenType, `Invalid audience ${details}`)
+      }
+    }
+
+    if (options?.scope) {
+      const { scope } = tokenPayload
+      const scopes = scope?.split(' ')
+      if (!scopes || !options.scope.some(includedIn, scopes)) {
+        const details = `(got: ${scope}, expected one of: ${options.scope})`
+        throw new InvalidTokenError(tokenType, `Invalid scope ${details}`)
+      }
+    }
+
+    if (tokenPayload.exp != null && tokenPayload.exp * 1000 <= Date.now()) {
+      const expirationDate = new Date(tokenPayload.exp * 1000).toISOString()
+      throw new InvalidTokenError(
+        tokenType,
+        `Token expired at ${expirationDate}`,
+      )
+    }
+  }
 }

package/src/signer/{signed-token-payload.ts → access-token-payload.ts}

@@ -4,7 +4,7 @@ import { clientIdSchema } from '../client/client-id.js'
 import { subSchema } from '../oidc/sub.js'
 import { tokenIdSchema } from '../token/token-id.js'
 
-export const signedTokenPayloadSchema = jwtPayloadSchema
+export const accessTokenPayloadSchema = jwtPayloadSchema
   .partial()
   .extend({
     // Following are required
@@ -22,4 +22,4 @@ export const signedTokenPayloadSchema = jwtPayloadSchema
   })
   .passthrough()
 
-export type SignedTokenPayload = z.infer<typeof signedTokenPayloadSchema>
+export type AccessTokenPayload = z.infer<typeof accessTokenPayloadSchema>

package/src/signer/signer.ts

@@ -9,11 +9,11 @@ import {
 import { EPHEMERAL_SESSION_MAX_AGE } from '../constants.js'
 import { dateToEpoch } from '../lib/util/date.js'
 import { OmitKey, RequiredKey } from '../lib/util/type.js'
-import { ApiTokenPayload, apiTokenPayloadSchema } from './api-token-payload.js'
 import {
-  SignedTokenPayload,
-  signedTokenPayloadSchema,
-} from './signed-token-payload.js'
+  AccessTokenPayload,
+  accessTokenPayloadSchema,
+} from './access-token-payload.js'
+import { ApiTokenPayload, apiTokenPayloadSchema } from './api-token-payload.js'
 
 export type SignPayload = JwtPayload & { iss?: never }
 
@@ -49,7 +49,7 @@ export class Signer {
   }
 
   async createAccessToken(
-    payload: OmitKey<SignedTokenPayload, 'iss'>,
+    payload: OmitKey<AccessTokenPayload, 'iss'>,
   ): Promise<SignedJwt> {
     return this.sign(
       {
@@ -68,8 +68,8 @@ export class Signer {
     const result = await this.verify<C>(token, { ...options, typ: 'at+jwt' })
     return {
       protectedHeader: result.protectedHeader,
-      payload: signedTokenPayloadSchema.parse(result.payload) as RequiredKey<
-        SignedTokenPayload,
+      payload: accessTokenPayloadSchema.parse(result.payload) as RequiredKey<
+        AccessTokenPayload,
         C
       >,
     }

package/src/token/token-claims.ts

@@ -0,0 +1,21 @@
+import { OAuthScope } from '@atproto/oauth-types'
+import { ClientId } from '../client/client-id.js'
+import { TokenId } from './token-id.js'
+
+/**
+ * The access token claims that will be set by the {@link TokenManager} and that
+ * will be passed to the "onCreateToken" hook.
+ *
+ * @note "iss" is missing here because it cannot be altered and will always be
+ * set to the Authorization Server's identifier.
+ */
+export type TokenClaims = {
+  jti: TokenId
+  sub: string
+  iat: number
+  exp: number
+  aud: string | [string, ...string[]]
+  cnf?: { jkt: string }
+  scope?: OAuthScope
+  client_id: ClientId
+}