@atproto/oauth-provider 0.13.1 → 0.13.3

package/src/account/account-manager.ts

@@ -258,7 +258,18 @@ export class AccountManager {
     })
 
     return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {
-      await this.store.resetPasswordRequest(input)
+      const account = await this.store.resetPasswordRequest(input)
+
+      if (!account) {
+        return // Silently ignore to prevent user enumeration
+      }
+
+      await this.hooks.onResetPasswordRequested?.call(null, {
+        input,
+        deviceId,
+        deviceMetadata,
+        account,
+      })
     })
   }
 
@@ -274,7 +285,18 @@ export class AccountManager {
     })
 
     return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {
-      await this.store.resetPasswordConfirm(input)
+      const account = await this.store.resetPasswordConfirm(input)
+
+      if (!account) {
+        throw new InvalidRequestError('Invalid token')
+      }
+
+      await this.hooks.onResetPasswordConfirmed?.call(null, {
+        input,
+        deviceId,
+        deviceMetadata,
+        account,
+      })
     })
   }
 

package/src/account/account-store.ts

@@ -171,8 +171,13 @@ export interface AccountStore {
     filter: { sub: Sub } | { deviceId: DeviceId },
   ): Awaitable<DeviceAccount[]>
 
-  resetPasswordRequest(data: ResetPasswordRequestInput): Awaitable<void>
-  resetPasswordConfirm(data: ResetPasswordConfirmInput): Awaitable<void>
+  resetPasswordRequest(
+    data: ResetPasswordRequestInput,
+  ): Awaitable<null | Account>
+
+  resetPasswordConfirm(
+    data: ResetPasswordConfirmInput,
+  ): Awaitable<null | Account>
 
   /**
    * @throws {HandleUnavailableError} - To indicate that the handle is already taken

package/src/client/client-manager.ts

@@ -5,7 +5,7 @@ import {
   OAuthClientIdLoopback,
   OAuthClientMetadata,
   OAuthClientMetadataInput,
-  isLoopbackHost,
+  isLocalHostname,
   isOAuthClientIdDiscoverable,
   isOAuthClientIdLoopback,
   oauthClientMetadataSchema,
@@ -17,7 +17,6 @@ import {
   fetchJsonZodProcessor,
   fetchOkProcessor,
 } from '@atproto-labs/fetch'
-import { isLocalHostname } from '@atproto-labs/fetch-node'
 import { pipe } from '@atproto-labs/pipe'
 import {
   CachedGetter,
@@ -36,7 +35,7 @@ import { Client } from './client.js'
 
 const fetchMetadataHandler = pipe(
   fetchOkProcessor(),
-  // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html#section-4.1
+  // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html#section-4.1
   fetchJsonProcessor('application/json', true),
   fetchJsonZodProcessor(oauthClientMetadataSchema),
 )
@@ -176,10 +175,24 @@ export class ClientManager {
       throw new InvalidClientMetadataError('Loopback clients are not allowed')
     }
 
-    const metadata = oauthClientMetadataSchema.parse(
-      await loopbackMetadata(clientId),
+    const metadataRaw = await callAsync(loopbackMetadata, clientId).catch(
+      (err) => {
+        throw InvalidClientMetadataError.from(
+          err,
+          `Invalid loopback client id "${clientId}"`,
+        )
+      },
     )
 
+    const metadata = await oauthClientMetadataSchema
+      .parseAsync(metadataRaw)
+      .catch((err) => {
+        throw InvalidClientMetadataError.from(
+          err,
+          `Invalid loopback client metadata for "${clientId}"`,
+        )
+      })
+
     return this.validateClientMetadata(clientId, metadata)
   }
 
@@ -218,6 +231,10 @@ export class ClientManager {
     clientId: ClientId,
     metadata: OAuthClientMetadata,
   ): OAuthClientMetadata {
+    // @TODO This method should only check for rules that are specific to this
+    // implementation or the ATPROTO specification. All generic validation rules
+    // should be moved to the @atproto/oauth-types package.
+
     if (metadata.jwks && metadata.jwks_uri) {
       throw new InvalidClientMetadataError(
         'jwks_uri and jwks are mutually exclusive',
@@ -590,56 +607,12 @@ export class ClientManager {
         }
 
         case isPrivateUseUriScheme(url): {
-          // https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
-          //
-          // > When choosing a URI scheme to associate with the app, apps MUST
-          // > use a URI scheme based on a domain name under their control,
-          // > expressed in reverse order, as recommended by Section 3.8 of
-          // > [RFC7595] for private-use URI schemes.
-
           if (metadata.application_type !== 'native') {
             throw new InvalidRedirectUriError(
               `Private-Use URI Scheme redirect URI are only allowed for native apps`,
             )
           }
 
-          // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
-          //
-          // > In addition to the collision-resistant properties, requiring a
-          // > URI scheme based on a domain name that is under the control of
-          // > the app can help to prove ownership in the event of a dispute
-          // > where two apps claim the same private-use URI scheme (where one
-          // > app is acting maliciously).
-          //
-          // We can't check for ownership here (as there is no concept of
-          // proven ownership in the generic client validation), but we can
-          // check that the domain is a valid domain name.
-
-          const urlDomain = reverseDomain(url.protocol.slice(0, -1))
-
-          if (isLocalHostname(urlDomain)) {
-            throw new InvalidRedirectUriError(
-              `Private-use URI Scheme redirect URI must not be a local hostname`,
-            )
-          }
-
-          // https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
-          //
-          // > Following the requirements of Section 3.2 of [RFC3986], as there
-          // > is no naming authority for private-use URI scheme redirects, only
-          // > a single slash ("/") appears after the scheme component.
-          if (
-            url.href.startsWith(`${url.protocol}//`) ||
-            url.username ||
-            url.password ||
-            url.hostname ||
-            url.port
-          ) {
-            throw new InvalidRedirectUriError(
-              `Private-Use URI Scheme must be in the form ${url.protocol}/<path>`,
-            )
-          }
-
           break
         }
 
@@ -686,22 +659,6 @@ export class ClientManager {
       )
     }
 
-    for (const redirectUri of metadata.redirect_uris) {
-      const url = parseRedirectUri(redirectUri)
-
-      if (url.protocol !== 'http:') {
-        throw new InvalidRedirectUriError(
-          `Loopback clients must use HTTP redirect URIs`,
-        )
-      }
-
-      if (!isLoopbackHost(url.hostname)) {
-        throw new InvalidRedirectUriError(
-          `Loopback clients must use loopback redirect URIs`,
-        )
-      }
-    }
-
     return metadata
   }
 
@@ -710,7 +667,7 @@ export class ClientManager {
     metadata: OAuthClientMetadata,
   ): OAuthClientMetadata {
     if (!metadata.client_id) {
-      // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
+      // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html
       throw new InvalidClientMetadataError(
         `client_id is required for discoverable clients`,
       )
@@ -719,7 +676,7 @@ export class ClientManager {
     const clientIdUrl = parseDiscoverableClientId(clientId)
 
     if (metadata.client_uri) {
-      // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
+      // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html
       //
       // The client_uri must be a parent of the client_id URL. This might be
       // relaxed in the future.
@@ -748,9 +705,19 @@ export class ClientManager {
     }
 
     for (const redirectUri of metadata.redirect_uris) {
+      // @NOTE at this point, all redirect URIs have already been validated by
+      // oauthRedirectUriSchema
+
       const url = parseRedirectUri(redirectUri)
 
       if (isPrivateUseUriScheme(url)) {
+        // https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
+        //
+        // > When choosing a URI scheme to associate with the app, apps MUST use
+        // > a URI scheme based on a domain name under their control, expressed
+        // > in reverse order, as recommended by Section 3.8 of [RFC7595] for
+        // > private-use URI schemes.
+
         // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
         //
         // > In addition to the collision-resistant properties, requiring a
@@ -759,11 +726,14 @@ export class ClientManager {
         // > where two apps claim the same private-use URI scheme (where one
         // > app is acting maliciously).
 
-        // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
+        // https://atproto.com/specs/oauth
         //
-        // Fully qualified domain name (FQDN) of the client_id, in reverse
-        // order. This could be relaxed to allow same apex domain names, or
-        // parent domains, but for now we require an exact match.
+        // > Any custom scheme must match the client_id hostname in
+        // > reverse-domain order. The URI scheme must be followed by a single
+        // > colon (:) then a single forward slash (/) and then a URI path
+        // > component. For example, an app with client_id
+        // > https://app.example.com/client-metadata.json could have a
+        // > redirect_uri of com.example.app:/callback.
         const protocol = `${reverseDomain(clientIdUrl.hostname)}:`
         if (url.protocol !== protocol) {
           throw new InvalidRedirectUriError(

package/src/client/client-utils.ts

@@ -1,8 +1,8 @@
 import {
   OAuthClientIdDiscoverable,
+  isLocalHostname,
   parseOAuthDiscoverableClientId,
 } from '@atproto/oauth-types'
-import { isLocalHostname } from '@atproto-labs/fetch-node'
 import { InvalidClientIdError } from '../errors/invalid-client-id-error.js'
 import { InvalidRedirectUriError } from '../errors/invalid-redirect-uri-error.js'
 

package/src/metadata/build-metadata.ts

@@ -106,8 +106,8 @@ export function buildMetadata(
 
     revocation_endpoint: new URL('/oauth/revoke', issuer).href,
 
-    introspection_endpoint: new URL('/oauth/introspect', issuer).href,
-
+    // @TODO Should we implement these endpoints?
+    // introspection_endpoint: new URL('/oauth/introspect', issuer).href,
     // end_session_endpoint: new URL('/oauth/logout', issuer).href,
 
     // https://datatracker.ietf.org/doc/html/rfc9126#section-5
@@ -122,10 +122,10 @@ export function buildMetadata(
     authorization_details_types_supported:
       customMetadata?.authorization_details_types_supported,
 
-    // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#section-4
+    // https://www.rfc-editor.org/rfc/rfc9728.html#section-4
     protected_resources: customMetadata?.protected_resources,
 
-    // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
+    // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html
     client_id_metadata_document_supported: true,
   })
 }

package/src/oauth-hooks.ts

@@ -115,6 +115,17 @@ export type OAuthHooks = {
     deviceMetadata: RequestMetadata
   }) => Awaitable<void>
 
+  /**
+   * This hook is called when a user requests a password reset, before the
+   * reset password request is triggered on the account store.
+   */
+  onResetPasswordRequested?: (data: {
+    input: ResetPasswordRequestInput
+    deviceId: DeviceId
+    deviceMetadata: RequestMetadata
+    account: Account
+  }) => Awaitable<void>
+
   /**
    * This hook is called when a user confirms a password reset, before the
    * password is actually reset on the account store.
@@ -125,6 +136,17 @@ export type OAuthHooks = {
     deviceMetadata: RequestMetadata
   }) => Awaitable<void>
 
+  /**
+   * This hook is called after a user confirms a password reset, and the
+   * password was successfully reset on the account store.
+   */
+  onResetPasswordConfirmed?: (data: {
+    input: ResetPasswordConfirmInput
+    deviceId: DeviceId
+    deviceMetadata: RequestMetadata
+    account: Account
+  }) => Awaitable<void>
+
   /**
    * This hook is called when a user successfully signs up.
    *