@atproto/oauth-provider 0.13.1 → 0.13.3

package/dist/client/client-utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"client-utils.js","sourceRoot":"","sources":["../../src/client/client-utils.ts"],"names":[],"mappings":";;AAQA,4CAMC;AAED,8DAoBC;AApCD,sDAG6B;AAC7B,yDAA0D;AAC1D,qFAA2E;AAC3E,2FAAiF;AAEjF,SAAgB,gBAAgB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,WAAW,CAAC,CAAA;IAC7B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,uDAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzC,CAAC;AACH,CAAC;AAED,SAAgB,yBAAyB,CACvC,QAAmC;IAEnC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4CAA8B,EAAC,QAAQ,CAAC,CAAA;QAEpD,oEAAoE;QACpE,IAAI,IAAA,4BAAe,EAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,iDAAoB,CAC5B,kDAAkD,CACnD,CAAA;QACH,CAAC;QAED,OAAO,GAAG,CAAA;IACZ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,iDAAoB,CAAC,IAAI,CAC7B,GAAG,EACH,wCAAwC,CACzC,CAAA;IACH,CAAC;AACH,CAAC"}
+{"version":3,"file":"client-utils.js","sourceRoot":"","sources":["../../src/client/client-utils.ts"],"names":[],"mappings":";;AAQA,4CAMC;AAED,8DAoBC;AApCD,sDAI6B;AAC7B,qFAA2E;AAC3E,2FAAiF;AAEjF,SAAgB,gBAAgB,CAAC,WAAmB;IAClD,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,WAAW,CAAC,CAAA;IAC7B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,uDAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzC,CAAC;AACH,CAAC;AAED,SAAgB,yBAAyB,CACvC,QAAmC;IAEnC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4CAA8B,EAAC,QAAQ,CAAC,CAAA;QAEpD,oEAAoE;QACpE,IAAI,IAAA,6BAAe,EAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,iDAAoB,CAC5B,kDAAkD,CACnD,CAAA;QACH,CAAC;QAED,OAAO,GAAG,CAAA;IACZ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,iDAAoB,CAAC,IAAI,CAC7B,GAAG,EACH,wCAAwC,CACzC,CAAA;IACH,CAAC;AACH,CAAC","sourcesContent":["import {\n  OAuthClientIdDiscoverable,\n  isLocalHostname,\n  parseOAuthDiscoverableClientId,\n} from '@atproto/oauth-types'\nimport { InvalidClientIdError } from '../errors/invalid-client-id-error.js'\nimport { InvalidRedirectUriError } from '../errors/invalid-redirect-uri-error.js'\n\nexport function parseRedirectUri(redirectUri: string): URL {\n  try {\n    return new URL(redirectUri)\n  } catch (err) {\n    throw InvalidRedirectUriError.from(err)\n  }\n}\n\nexport function parseDiscoverableClientId(\n  clientId: OAuthClientIdDiscoverable,\n): URL {\n  try {\n    const url = parseOAuthDiscoverableClientId(clientId)\n\n    // Extra validation, prevent usage of invalid internet domain names.\n    if (isLocalHostname(url.hostname)) {\n      throw new InvalidClientIdError(\n        \"The client_id's TLD must not be a local hostname\",\n      )\n    }\n\n    return url\n  } catch (err) {\n    throw InvalidClientIdError.from(\n      err,\n      'Invalid discoverable client identifier',\n    )\n  }\n}\n"]}

package/dist/client/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/client/client.ts"],"names":[],"mappings":";;;AAiYA,8CAQC;AAzYD,+BAgBa;AAEb,sDAM6B;AAC7B,kDAAuE;AACvE,6EAAqE;AACrE,6GAAmG;AACnG,+EAAsE;AACtE,iGAAuF;AACvF,iFAAwE;AACxE,6EAAoE;AACpE,iDAA6C;AAC7C,iEAAgE;AAMhE,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAE5B,MAAa,MAAM;IAWC;IACA;IACA;IACA;IAblB;;OAEG;IACH,MAAM,CAAU,sBAAsB,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAU,CAAA;IAE5D,SAAS,CAEU;IAEpC,YACkB,EAAY,EACZ,QAA6B,EAC7B,OAAyB,QAAQ,CAAC,IAAI,EACtC,IAAgB;QAHhB,OAAE,GAAF,EAAE,CAAU;QACZ,aAAQ,GAAR,QAAQ,CAAqB;QAC7B,SAAI,GAAJ,IAAI,CAAkC;QACtC,SAAI,GAAJ,IAAI,CAAY;QAEhC,2EAA2E;QAC3E,IAAI,CAAC,SAAS;YACZ,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ;gBACxB,CAAC,CAAC,IAAA,wBAAiB,EAAC,IAAI,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;gBACzC,CAAC,CAAC,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAA;IAC1D,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,mBAAmB,CAC9B,GAA4B,EAC5B,QAAgB;QAEhB,oEAAoE;QACpE,0EAA0E;QAC1E,0EAA0E;QAC1E,yEAAyE;QACzE,wEAAwE;QACxE,mCAAmC;QACnC,IAAI,CAAC;YACH,yEAAyE;YACzE,6CAA6C;YAC7C,IAAI,IAAI,CAAC,QAAQ,CAAC,0BAA0B,KAAK,MAAM,EAAE,CAAC;gBACxD,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;oBACxC,QAAQ;oBACR,WAAW,EAAE,0BAAW,GAAG,GAAG;oBAC9B,oBAAoB,EAAE,IAAI;oBAC1B,kBAAkB,EAAE,IAAI;iBACzB,CAAC,CAAA;YACJ,CAAC;YAED,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;gBAC/B,QAAQ;gBACR,WAAW,EAAE,0BAAW,GAAG,GAAG;gBAC9B,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,0BAA0B;oBAClD,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,0BAA0B,CAAC;oBAC5C,CAAC,CAAC,8EAA8E;wBAC9E,EAAE;wBACF,uEAAuE;wBACvE,4BAA4B;wBAC5B,SAAS;aACd,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,SAAS;gBACtB,CAAC,CAAC,6BAA6B,GAAG,CAAC,OAAO,EAAE;gBAC5C,CAAC,CAAC,0BAA0B,CAAA;YAEhC,MAAM,IAAI,8CAAmB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC7C,CAAC;IACH,CAAC;IAES,KAAK,CAAC,kBAAkB,CAChC,KAAa,EACb,EACE,QAAQ,EACR,oBAAoB,GAAG,KAAK,EAC5B,kBAAkB,GAAG,KAAK,EAC1B,GAAG,OAAO,KAIR,EAAE;QAEN,wEAAwE;QACxE,yEAAyE;QACzE,WAAW;QAEX,MAAM,MAAM,GAAG,mBAAY,CAAC,MAAM,CAAc,KAAK,EAAE,OAAO,CAAC,CAAA;QAE/D,IAAI,CAAC,kBAAkB,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;YACtD,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;gBACnC,MAAM,IAAI,SAAS,CAAC,wBAAwB,MAAM,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC,CAAA;YACpE,CAAC;QACH,CAAC;QAED,IAAI,CAAC,oBAAoB,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;YACxD,IAAI,QAAQ,IAAI,IAAI,EAAE,CAAC;gBACrB,MAAM,UAAU,GAAG,IAAA,iBAAO,EAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;gBAC9C,IAAI,CAAC,IAAA,iBAAO,EAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;oBAC/D,MAAM,IAAI,SAAS,CAAC,wBAAwB,MAAM,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC,CAAA;gBACpE,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAES,KAAK,CAAC,SAAS,CACvB,KAAa,EACb,OAA0C;QAE1C,OAAO,IAAA,gBAAS,EAAc,KAAK,EAAE,IAAI,CAAC,SAAS,EAAE;YACnD,GAAG,OAAO;YACV,MAAM,EAAE,IAAI,CAAC,EAAE;SAChB,CAAC,CAAA;IACJ,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,YAAY,CACvB,KAA6B,EAC7B,MAEC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,0BAA0B,CAAA;QAEvD,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAA;QAC3B,CAAC;QAED,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;YACjC,IAAI,CAAC,CAAC,kBAAkB,IAAI,KAAK,CAAC,EAAE,CAAC;gBACnC,MAAM,IAAI,8CAAmB,CAC3B,iCAAiC,MAAM,iCAAiC,CACzE,CAAA;YACH,CAAC;YAED,IAAI,KAAK,CAAC,qBAAqB,KAAK,8CAAgC,EAAE,CAAC;gBACrE,wDAAwD;gBAExD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAGhC,KAAK,CAAC,gBAAgB,EAAE;oBACzB,oEAAoE;oBACpE,6DAA6D;oBAC7D,EAAE;oBACF,iDAAiD;oBAEjD,oEAAoE;oBACpE,sEAAsE;oBACtE,oEAAoE;oBACpE,oDAAoD;oBACpD,OAAO,EAAE,IAAI,CAAC,EAAE;oBAEhB,mEAAmE;oBACnE,qEAAqE;oBACrE,oEAAoE;oBACpE,mEAAmE;oBACnE,gEAAgE;oBAChE,QAAQ,EAAE,MAAM,CAAC,6BAA6B;oBAE9C,cAAc,EAAE;wBACd,kEAAkE;wBAClE,gEAAgE;wBAChE,EAAE;wBACF,gEAAgE;wBAChE,mEAAmE;wBACnE,wDAAwD;wBACxD,mEAAmE;wBACnE,+CAA+C;wBAE/C,SAAS;wBAET,kEAAkE;wBAClE,iEAAiE;wBACjE,oEAAoE;wBACpE,iEAAiE;wBACjE,mEAAmE;wBACnE,gBAAgB;wBAChB,KAAK;qBACN;oBAED,4DAA4D;oBAC5D,8DAA8D;oBAC9D,gCAAgC;oBAChC,EAAE;oBACF,mCAAmC;oBAEnC,sEAAsE;oBACtE,4DAA4D;oBAC5D,sEAAsE;oBACtE,6CAA6C;oBAC7C,WAAW,EAAE,uCAAwB,GAAG,IAAI;iBAC7C,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBACf,MAAM,GAAG,GACP,GAAG,YAAY,SAAS;wBACtB,CAAC,CAAC,4CAA4C,GAAG,CAAC,OAAO,EAAE;wBAC3D,CAAC,CAAC,yCAAyC,CAAA;oBAE/C,MAAM,IAAI,4CAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;gBACxC,CAAC,CAAC,CAAA;gBAEF,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC;oBAChC,MAAM,IAAI,4CAAkB,CAAC,oCAAoC,CAAC,CAAA;gBACpE,CAAC;gBAED,OAAO;oBACL,MAAM,EAAE,iBAAiB;oBACzB,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG;oBACvB,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG;oBACvB,GAAG,EAAE,MAAM,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC;oBACxC,GAAG,EAAE,MAAM,CAAC,eAAe,CAAC,GAAG;oBAC/B,GAAG,EAAE,MAAM,CAAC,eAAe,CAAC,GAAG;iBAChC,CAAA;YACH,CAAC;YAED,MAAM,IAAI,4CAAkB,CAC1B,sCAAsC,KAAK,CAAC,qBAAqB,GAAG,CACrE,CAAA;QACH,CAAC;QAED,wEAAwE;QACxE,4CAA4C;QAC5C,IAAI,MAAM,CAAC,sBAAsB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CACb,+CAA+C;gBAC7C,MAAM,CAAC,sBAAsB;aAC9B,EAAE,CACJ,CAAA;QACH,CAAC;QAED,MAAM,IAAI,6DAA0B,CAClC,2CAA2C,MAAM,GAAG,CACrD,CAAA;IACH,CAAC;IAED;;OAEG;IACI,eAAe,CACpB,UAAyD;QAEzD,IAAI,UAAU,CAAC,SAAS,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;YACrC,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,0FAA0F,CAC3F,CAAA;QACH,CAAC;QAED,IAAI,UAAU,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YACnC,qEAAqE;YACrE,YAAY;YACZ,MAAM,cAAc,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;YAEtD,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,+CAA+C,CAChD,CAAA;YACH,CAAC;YAED,KAAK,MAAM,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;gBAChD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;oBACpC,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,UAAU,KAAK,0CAA0C,CAC1D,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,0BAA0B,UAAU,CAAC,aAAa,2BAA2B,CAC9E,CAAA;QACH,CAAC;QAED,IAAI,UAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9C,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;gBAC9D,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,uEAAuE,CACxE,CAAA;YACH,CAAC;QACH,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,GAAG,UAAU,CAAA;QACnC,IAAI,YAAY,EAAE,CAAC;YACjB,IACE,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CACxC,IAAA,oCAAkB,EAAC,GAAG,EAAE,YAAY,CAAC,CACtC,EACD,CAAC;gBACD,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,wBAAwB,YAAY,EAAE,CACvC,CAAA;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,kBAAkB,EAAE,GAAG,IAAI,CAAA;YACnC,IAAI,kBAAkB,EAAE,CAAC;gBACvB,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,YAAY,EAAE,kBAAkB,EAAE,CAAA;YAClE,CAAC;iBAAM,CAAC;gBACN,uFAAuF;gBACvF,EAAE;gBACF,wEAAwE;gBACxE,4EAA4E;gBAC5E,YAAY;gBACZ,MAAM,IAAI,2CAAkB,CAAC,UAAU,EAAE,0BAA0B,CAAC,CAAA;YACtE,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;YACrC,MAAM,EAAE,2BAA2B,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAA;YACrD,IAAI,CAAC,2BAA2B,EAAE,CAAC;gBACjC,MAAM,IAAI,yEAAgC,CACxC,UAAU,EACV,8DAA8D,CAC/D,CAAA;YACH,CAAC;YAED,KAAK,MAAM,MAAM,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACtD,IAAI,CAAC,2BAA2B,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxD,MAAM,IAAI,yEAAgC,CACxC,UAAU,EACV,yEAAyE,MAAM,CAAC,IAAI,GAAG,CACxF,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,IAAI,kBAAkB;QACpB,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAA;QACvC,OAAO,aAAa,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IAClE,CAAC;;AArVH,wBAsVC;AAEM,KAAK,UAAU,iBAAiB,CACrC,GAAyB;IAEzB,IAAI,CAAC;QACH,OAAO,MAAM,IAAA,6BAAsB,EAAC,MAAM,IAAA,gBAAS,EAAC,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAA;IACrE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,4CAAkB,CAAC,kCAAkC,EAAE,GAAG,CAAC,CAAA;IACvE,CAAC;AACH,CAAC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/client/client.ts"],"names":[],"mappings":";;;AAiYA,8CAQC;AAzYD,+BAgBa;AAEb,sDAM6B;AAC7B,kDAAuE;AACvE,6EAAqE;AACrE,6GAAmG;AACnG,+EAAsE;AACtE,iGAAuF;AACvF,iFAAwE;AACxE,6EAAoE;AACpE,iDAA6C;AAC7C,iEAAgE;AAMhE,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAE5B,MAAa,MAAM;IAWC;IACA;IACA;IACA;IAblB;;OAEG;IACH,MAAM,CAAU,sBAAsB,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAU,CAAA;IAE5D,SAAS,CAEU;IAEpC,YACkB,EAAY,EACZ,QAA6B,EAC7B,OAAyB,QAAQ,CAAC,IAAI,EACtC,IAAgB;QAHhB,OAAE,GAAF,EAAE,CAAU;QACZ,aAAQ,GAAR,QAAQ,CAAqB;QAC7B,SAAI,GAAJ,IAAI,CAAkC;QACtC,SAAI,GAAJ,IAAI,CAAY;QAEhC,2EAA2E;QAC3E,IAAI,CAAC,SAAS;YACZ,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ;gBACxB,CAAC,CAAC,IAAA,wBAAiB,EAAC,IAAI,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;gBACzC,CAAC,CAAC,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAA;IAC1D,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,mBAAmB,CAC9B,GAA4B,EAC5B,QAAgB;QAEhB,oEAAoE;QACpE,0EAA0E;QAC1E,0EAA0E;QAC1E,yEAAyE;QACzE,wEAAwE;QACxE,mCAAmC;QACnC,IAAI,CAAC;YACH,yEAAyE;YACzE,6CAA6C;YAC7C,IAAI,IAAI,CAAC,QAAQ,CAAC,0BAA0B,KAAK,MAAM,EAAE,CAAC;gBACxD,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE;oBACxC,QAAQ;oBACR,WAAW,EAAE,0BAAW,GAAG,GAAG;oBAC9B,oBAAoB,EAAE,IAAI;oBAC1B,kBAAkB,EAAE,IAAI;iBACzB,CAAC,CAAA;YACJ,CAAC;YAED,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;gBAC/B,QAAQ;gBACR,WAAW,EAAE,0BAAW,GAAG,GAAG;gBAC9B,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,0BAA0B;oBAClD,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,0BAA0B,CAAC;oBAC5C,CAAC,CAAC,8EAA8E;wBAC9E,EAAE;wBACF,uEAAuE;wBACvE,4BAA4B;wBAC5B,SAAS;aACd,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,SAAS;gBACtB,CAAC,CAAC,6BAA6B,GAAG,CAAC,OAAO,EAAE;gBAC5C,CAAC,CAAC,0BAA0B,CAAA;YAEhC,MAAM,IAAI,8CAAmB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC7C,CAAC;IACH,CAAC;IAES,KAAK,CAAC,kBAAkB,CAChC,KAAa,EACb,EACE,QAAQ,EACR,oBAAoB,GAAG,KAAK,EAC5B,kBAAkB,GAAG,KAAK,EAC1B,GAAG,OAAO,KAIR,EAAE;QAEN,wEAAwE;QACxE,yEAAyE;QACzE,WAAW;QAEX,MAAM,MAAM,GAAG,mBAAY,CAAC,MAAM,CAAc,KAAK,EAAE,OAAO,CAAC,CAAA;QAE/D,IAAI,CAAC,kBAAkB,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;YACtD,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;gBACnC,MAAM,IAAI,SAAS,CAAC,wBAAwB,MAAM,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC,CAAA;YACpE,CAAC;QACH,CAAC;QAED,IAAI,CAAC,oBAAoB,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;YACxD,IAAI,QAAQ,IAAI,IAAI,EAAE,CAAC;gBACrB,MAAM,UAAU,GAAG,IAAA,iBAAO,EAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;gBAC9C,IAAI,CAAC,IAAA,iBAAO,EAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;oBAC/D,MAAM,IAAI,SAAS,CAAC,wBAAwB,MAAM,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC,CAAA;gBACpE,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAES,KAAK,CAAC,SAAS,CACvB,KAAa,EACb,OAA0C;QAE1C,OAAO,IAAA,gBAAS,EAAc,KAAK,EAAE,IAAI,CAAC,SAAS,EAAE;YACnD,GAAG,OAAO;YACV,MAAM,EAAE,IAAI,CAAC,EAAE;SAChB,CAAC,CAAA;IACJ,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,YAAY,CACvB,KAA6B,EAC7B,MAEC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,0BAA0B,CAAA;QAEvD,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAA;QAC3B,CAAC;QAED,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;YACjC,IAAI,CAAC,CAAC,kBAAkB,IAAI,KAAK,CAAC,EAAE,CAAC;gBACnC,MAAM,IAAI,8CAAmB,CAC3B,iCAAiC,MAAM,iCAAiC,CACzE,CAAA;YACH,CAAC;YAED,IAAI,KAAK,CAAC,qBAAqB,KAAK,8CAAgC,EAAE,CAAC;gBACrE,wDAAwD;gBAExD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAGhC,KAAK,CAAC,gBAAgB,EAAE;oBACzB,oEAAoE;oBACpE,6DAA6D;oBAC7D,EAAE;oBACF,iDAAiD;oBAEjD,oEAAoE;oBACpE,sEAAsE;oBACtE,oEAAoE;oBACpE,oDAAoD;oBACpD,OAAO,EAAE,IAAI,CAAC,EAAE;oBAEhB,mEAAmE;oBACnE,qEAAqE;oBACrE,oEAAoE;oBACpE,mEAAmE;oBACnE,gEAAgE;oBAChE,QAAQ,EAAE,MAAM,CAAC,6BAA6B;oBAE9C,cAAc,EAAE;wBACd,kEAAkE;wBAClE,gEAAgE;wBAChE,EAAE;wBACF,gEAAgE;wBAChE,mEAAmE;wBACnE,wDAAwD;wBACxD,mEAAmE;wBACnE,+CAA+C;wBAE/C,SAAS;wBAET,kEAAkE;wBAClE,iEAAiE;wBACjE,oEAAoE;wBACpE,iEAAiE;wBACjE,mEAAmE;wBACnE,gBAAgB;wBAChB,KAAK;qBACN;oBAED,4DAA4D;oBAC5D,8DAA8D;oBAC9D,gCAAgC;oBAChC,EAAE;oBACF,mCAAmC;oBAEnC,sEAAsE;oBACtE,4DAA4D;oBAC5D,sEAAsE;oBACtE,6CAA6C;oBAC7C,WAAW,EAAE,uCAAwB,GAAG,IAAI;iBAC7C,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBACf,MAAM,GAAG,GACP,GAAG,YAAY,SAAS;wBACtB,CAAC,CAAC,4CAA4C,GAAG,CAAC,OAAO,EAAE;wBAC3D,CAAC,CAAC,yCAAyC,CAAA;oBAE/C,MAAM,IAAI,4CAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;gBACxC,CAAC,CAAC,CAAA;gBAEF,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC;oBAChC,MAAM,IAAI,4CAAkB,CAAC,oCAAoC,CAAC,CAAA;gBACpE,CAAC;gBAED,OAAO;oBACL,MAAM,EAAE,iBAAiB;oBACzB,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG;oBACvB,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG;oBACvB,GAAG,EAAE,MAAM,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC;oBACxC,GAAG,EAAE,MAAM,CAAC,eAAe,CAAC,GAAG;oBAC/B,GAAG,EAAE,MAAM,CAAC,eAAe,CAAC,GAAG;iBAChC,CAAA;YACH,CAAC;YAED,MAAM,IAAI,4CAAkB,CAC1B,sCAAsC,KAAK,CAAC,qBAAqB,GAAG,CACrE,CAAA;QACH,CAAC;QAED,wEAAwE;QACxE,4CAA4C;QAC5C,IAAI,MAAM,CAAC,sBAAsB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CACb,+CAA+C;gBAC7C,MAAM,CAAC,sBAAsB;aAC9B,EAAE,CACJ,CAAA;QACH,CAAC;QAED,MAAM,IAAI,6DAA0B,CAClC,2CAA2C,MAAM,GAAG,CACrD,CAAA;IACH,CAAC;IAED;;OAEG;IACI,eAAe,CACpB,UAAyD;QAEzD,IAAI,UAAU,CAAC,SAAS,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;YACrC,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,0FAA0F,CAC3F,CAAA;QACH,CAAC;QAED,IAAI,UAAU,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YACnC,qEAAqE;YACrE,YAAY;YACZ,MAAM,cAAc,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;YAEtD,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,+CAA+C,CAChD,CAAA;YACH,CAAC;YAED,KAAK,MAAM,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;gBAChD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;oBACpC,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,UAAU,KAAK,0CAA0C,CAC1D,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,0BAA0B,UAAU,CAAC,aAAa,2BAA2B,CAC9E,CAAA;QACH,CAAC;QAED,IAAI,UAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9C,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;gBAC9D,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,uEAAuE,CACxE,CAAA;YACH,CAAC;QACH,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,GAAG,UAAU,CAAA;QACnC,IAAI,YAAY,EAAE,CAAC;YACjB,IACE,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CACxC,IAAA,oCAAkB,EAAC,GAAG,EAAE,YAAY,CAAC,CACtC,EACD,CAAC;gBACD,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,wBAAwB,YAAY,EAAE,CACvC,CAAA;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,kBAAkB,EAAE,GAAG,IAAI,CAAA;YACnC,IAAI,kBAAkB,EAAE,CAAC;gBACvB,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,YAAY,EAAE,kBAAkB,EAAE,CAAA;YAClE,CAAC;iBAAM,CAAC;gBACN,uFAAuF;gBACvF,EAAE;gBACF,wEAAwE;gBACxE,4EAA4E;gBAC5E,YAAY;gBACZ,MAAM,IAAI,2CAAkB,CAAC,UAAU,EAAE,0BAA0B,CAAC,CAAA;YACtE,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;YACrC,MAAM,EAAE,2BAA2B,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAA;YACrD,IAAI,CAAC,2BAA2B,EAAE,CAAC;gBACjC,MAAM,IAAI,yEAAgC,CACxC,UAAU,EACV,8DAA8D,CAC/D,CAAA;YACH,CAAC;YAED,KAAK,MAAM,MAAM,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACtD,IAAI,CAAC,2BAA2B,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxD,MAAM,IAAI,yEAAgC,CACxC,UAAU,EACV,yEAAyE,MAAM,CAAC,IAAI,GAAG,CACxF,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,IAAI,kBAAkB;QACpB,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAA;QACvC,OAAO,aAAa,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IAClE,CAAC;;AArVH,wBAsVC;AAEM,KAAK,UAAU,iBAAiB,CACrC,GAAyB;IAEzB,IAAI,CAAC;QACH,OAAO,MAAM,IAAA,6BAAsB,EAAC,MAAM,IAAA,gBAAS,EAAC,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAA;IACrE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,4CAAkB,CAAC,kCAAkC,EAAE,GAAG,CAAC,CAAA;IACvE,CAAC;AACH,CAAC","sourcesContent":["import {\n  JWTClaimVerificationOptions,\n  type JWTHeaderParameters,\n  type JWTPayload,\n  type JWTVerifyOptions,\n  type JWTVerifyResult,\n  type KeyLike,\n  type ResolvedKey,\n  UnsecuredJWT,\n  type UnsecuredResult,\n  calculateJwkThumbprint,\n  createLocalJWKSet,\n  createRemoteJWKSet,\n  errors,\n  exportJWK,\n  jwtVerify,\n} from 'jose'\nimport { Jwks, SignedJwt, UnsignedJwt } from '@atproto/jwk'\nimport {\n  CLIENT_ASSERTION_TYPE_JWT_BEARER,\n  OAuthAuthorizationRequestParameters,\n  OAuthClientCredentials,\n  OAuthClientMetadata,\n  OAuthRedirectUri,\n} from '@atproto/oauth-types'\nimport { CLIENT_ASSERTION_MAX_AGE, JAR_MAX_AGE } from '../constants.js'\nimport { AuthorizationError } from '../errors/authorization-error.js'\nimport { InvalidAuthorizationDetailsError } from '../errors/invalid-authorization-details-error.js'\nimport { InvalidClientError } from '../errors/invalid-client-error.js'\nimport { InvalidClientMetadataError } from '../errors/invalid-client-metadata-error.js'\nimport { InvalidRequestError } from '../errors/invalid-request-error.js'\nimport { InvalidScopeError } from '../errors/invalid-scope-error.js'\nimport { asArray } from '../lib/util/cast.js'\nimport { compareRedirectUri } from '../lib/util/redirect-uri.js'\nimport { Awaitable } from '../lib/util/type.js'\nimport { ClientAuth } from './client-auth.js'\nimport { ClientId } from './client-id.js'\nimport { ClientInfo } from './client-info.js'\n\nconst { JOSEError } = errors\n\nexport class Client {\n  /**\n   * @see {@link https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method}\n   */\n  static readonly AUTH_METHODS_SUPPORTED = ['none', 'private_key_jwt'] as const\n\n  private readonly keyGetter: (\n    protectedHeader: JWTHeaderParameters,\n  ) => Awaitable<KeyLike | Uint8Array>\n\n  constructor(\n    public readonly id: ClientId,\n    public readonly metadata: OAuthClientMetadata,\n    public readonly jwks: undefined | Jwks = metadata.jwks,\n    public readonly info: ClientInfo,\n  ) {\n    // If the remote JWKS content is provided, we don't need to fetch it again.\n    this.keyGetter =\n      jwks || !metadata.jwks_uri\n        ? createLocalJWKSet(jwks || { keys: [] })\n        : createRemoteJWKSet(new URL(metadata.jwks_uri), {})\n  }\n\n  /**\n   * @see {@link https://www.rfc-editor.org/rfc/rfc9101.html#name-request-object-2}\n   */\n  public async decodeRequestObject(\n    jar: SignedJwt | UnsignedJwt,\n    audience: string,\n  ) {\n    // https://www.rfc-editor.org/rfc/rfc9101.html#name-request-object-2\n    // > If signed, the Authorization Request Object SHOULD contain the Claims\n    // > iss (issuer) and aud (audience) as members with their semantics being\n    // > the same as defined in the JWT [RFC7519] specification. The value of\n    // > aud should be the value of the authorization server (AS) issuer, as\n    // > defined in RFC 8414 [RFC8414].\n    try {\n      // We need to special case the \"none\" algorithm, as the validation method\n      // is different for signed and unsigned JWTs.\n      if (this.metadata.request_object_signing_alg === 'none') {\n        return await this.jwtVerifyUnsecured(jar, {\n          audience,\n          maxTokenAge: JAR_MAX_AGE / 1e3,\n          allowMissingAudience: true,\n          allowMissingIssuer: true,\n        })\n      }\n\n      return await this.jwtVerify(jar, {\n        audience,\n        maxTokenAge: JAR_MAX_AGE / 1e3,\n        algorithms: this.metadata.request_object_signing_alg\n          ? [this.metadata.request_object_signing_alg]\n          : // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2\n            //\n            // > The default, if omitted, is that any algorithm supported by the OP\n            // > and the RP MAY be used.\n            undefined,\n      })\n    } catch (err) {\n      const message =\n        err instanceof JOSEError\n          ? `Invalid \"request\" object: ${err.message}`\n          : `Invalid \"request\" object`\n\n      throw new InvalidRequestError(message, err)\n    }\n  }\n\n  protected async jwtVerifyUnsecured<PayloadType = JWTPayload>(\n    token: string,\n    {\n      audience,\n      allowMissingAudience = false,\n      allowMissingIssuer = false,\n      ...options\n    }: Omit<JWTClaimVerificationOptions, 'issuer'> & {\n      allowMissingIssuer?: boolean\n      allowMissingAudience?: boolean\n    } = {},\n  ): Promise<UnsecuredResult<PayloadType>> {\n    // jose does not support `allowMissingAudience` and `allowMissingIssuer`\n    // options, so we need to handle audience and issuer checks manually (see\n    // bellow).\n\n    const result = UnsecuredJWT.decode<PayloadType>(token, options)\n\n    if (!allowMissingIssuer || result.payload.iss != null) {\n      if (result.payload.iss !== this.id) {\n        throw new JOSEError(`Invalid \"iss\" claim \"${result.payload.iss}\"`)\n      }\n    }\n\n    if (!allowMissingAudience || result.payload.aud != null) {\n      if (audience != null) {\n        const payloadAud = asArray(result.payload.aud)\n        if (!asArray(audience).some((aud) => payloadAud.includes(aud))) {\n          throw new JOSEError(`Invalid \"aud\" claim \"${result.payload.aud}\"`)\n        }\n      }\n    }\n\n    return result\n  }\n\n  protected async jwtVerify<PayloadType = JWTPayload>(\n    token: string,\n    options?: Omit<JWTVerifyOptions, 'issuer'>,\n  ): Promise<JWTVerifyResult<PayloadType> & ResolvedKey<KeyLike>> {\n    return jwtVerify<PayloadType>(token, this.keyGetter, {\n      ...options,\n      issuer: this.id,\n    })\n  }\n\n  /**\n   * @see {@link https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1}\n   * @see {@link https://datatracker.ietf.org/doc/html/rfc7523#section-3}\n   * @see {@link https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method}\n   */\n  public async authenticate(\n    input: OAuthClientCredentials,\n    checks: {\n      authorizationServerIdentifier: string\n    },\n  ): Promise<ClientAuth> {\n    const method = this.metadata.token_endpoint_auth_method\n\n    if (method === 'none') {\n      return { method: 'none' }\n    }\n\n    if (method === 'private_key_jwt') {\n      if (!('client_assertion' in input)) {\n        throw new InvalidRequestError(\n          `client authentication method \"${method}\" required a \"client_assertion\"`,\n        )\n      }\n\n      if (input.client_assertion_type === CLIENT_ASSERTION_TYPE_JWT_BEARER) {\n        // https://www.rfc-editor.org/rfc/rfc7523.html#section-3\n\n        const result = await this.jwtVerify<{\n          jti: string\n          exp?: number\n        }>(input.client_assertion, {\n          // > 1. The JWT MUST contain an \"iss\" (issuer) claim that contains a\n          // >    unique identifier for the entity that issued the JWT.\n          //\n          // The \"issuer\" is already checked by jwtVerify()\n\n          // > 2. The JWT MUST contain a \"sub\" (subject) claim identifying the\n          // >    principal that is the subject of the JWT. Two cases need to be\n          // >    differentiated: [...] For client authentication, the subject\n          // >    MUST be the \"client_id\" of the OAuth client.\n          subject: this.id,\n\n          // > 3. The JWT MUST contain an \"aud\" (audience) claim containing a\n          // >    value that identifies the authorization server as an intended\n          // >    audience. The token endpoint URL of the authorization server\n          // >    MAY be used as a value for an \"aud\" element to identify the\n          // >    authorization server as an intended audience of the JWT.\n          audience: checks.authorizationServerIdentifier,\n\n          requiredClaims: [\n            // > 4. The JWT MUST contain an \"exp\" (expiration time) claim that\n            // >    limits the time window during which the JWT can be used.\n            //\n            // @TODO The presence of \"exp\" didn't use to be enforced by this\n            // implementation (or provided by the oauth-client). This is mostly\n            // fine because \"iat\" *is* required, but this makes this\n            // implementation non compliant with RFC7523. We can't just make it\n            // required as it might break existing clients.\n\n            // 'exp',\n\n            // > 7. The JWT MAY contain a \"jti\" (JWT ID) claim that provides a\n            // >    unique identifier for the token. The authorization server\n            // >    MAY ensure that JWTs are not replayed by maintaining the set\n            // >    of used \"jti\" values for the length of time for which the\n            // >    JWT would be considered valid based on the applicable \"exp\"\n            // >    instant.\n            'jti',\n          ],\n\n          // > 5. The JWT MAY contain an \"nbf\" (not before) claim that\n          // >    identifies the time before which the token MUST NOT be\n          // >    accepted for processing.\n          //\n          // This is already enforced by jose\n\n          // > 6. The JWT MAY contain an \"iat\" (issued at) claim that identifies\n          // >    the time at which the JWT was issued.  Note that the\n          // >    authorization server may reject JWTs with an \"iat\" claim value\n          // >    that is unreasonably far in the past.\n          maxTokenAge: CLIENT_ASSERTION_MAX_AGE / 1000,\n        }).catch((err) => {\n          const msg =\n            err instanceof JOSEError\n              ? `Validation of \"client_assertion\" failed: ${err.message}`\n              : `Unable to verify \"client_assertion\" JWT`\n\n          throw new InvalidClientError(msg, err)\n        })\n\n        if (!result.protectedHeader.kid) {\n          throw new InvalidClientError(`\"kid\" required in client_assertion`)\n        }\n\n        return {\n          method: 'private_key_jwt',\n          jti: result.payload.jti,\n          exp: result.payload.exp,\n          jkt: await authJwkThumbprint(result.key),\n          alg: result.protectedHeader.alg,\n          kid: result.protectedHeader.kid,\n        }\n      }\n\n      throw new InvalidClientError(\n        `Unsupported client_assertion_type \"${input.client_assertion_type}\"`,\n      )\n    }\n\n    // @ts-expect-error Ensure to keep Client.AUTH_METHODS_SUPPORTED in sync\n    // with the implementation of this function.\n    if (Client.AUTH_METHODS_SUPPORTED.includes(method)) {\n      throw new Error(\n        `verifyCredentials() should implement all of ${[\n          Client.AUTH_METHODS_SUPPORTED,\n        ]}`,\n      )\n    }\n\n    throw new InvalidClientMetadataError(\n      `Unsupported token_endpoint_auth_method \"${method}\"`,\n    )\n  }\n\n  /**\n   * Validates the request parameters against the client metadata.\n   */\n  public validateRequest(\n    parameters: Readonly<OAuthAuthorizationRequestParameters>,\n  ): Readonly<OAuthAuthorizationRequestParameters> {\n    if (parameters.client_id !== this.id) {\n      throw new AuthorizationError(\n        parameters,\n        'The \"client_id\" parameter field does not match the value used to authenticate the client',\n      )\n    }\n\n    if (parameters.scope !== undefined) {\n      // Any scope requested by the client must be registered in the client\n      // metadata.\n      const declaredScopes = this.metadata.scope?.split(' ')\n\n      if (!declaredScopes) {\n        throw new InvalidScopeError(\n          parameters,\n          'Client has no declared scopes in its metadata',\n        )\n      }\n\n      for (const scope of parameters.scope.split(' ')) {\n        if (!declaredScopes.includes(scope)) {\n          throw new InvalidScopeError(\n            parameters,\n            `Scope \"${scope}\" is not declared in the client metadata`,\n          )\n        }\n      }\n    }\n\n    if (!this.metadata.response_types.includes(parameters.response_type)) {\n      throw new AuthorizationError(\n        parameters,\n        `Invalid response_type \"${parameters.response_type}\" requested by the client`,\n      )\n    }\n\n    if (parameters.response_type.includes('code')) {\n      if (!this.metadata.grant_types.includes('authorization_code')) {\n        throw new AuthorizationError(\n          parameters,\n          `This client is not allowed to use the \"authorization_code\" grant type`,\n        )\n      }\n    }\n\n    const { redirect_uri } = parameters\n    if (redirect_uri) {\n      if (\n        !this.metadata.redirect_uris.some((uri) =>\n          compareRedirectUri(uri, redirect_uri),\n        )\n      ) {\n        throw new AuthorizationError(\n          parameters,\n          `Invalid redirect_uri ${redirect_uri}`,\n        )\n      }\n    } else {\n      const { defaultRedirectUri } = this\n      if (defaultRedirectUri) {\n        parameters = { ...parameters, redirect_uri: defaultRedirectUri }\n      } else {\n        // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#authorization-request\n        //\n        // > \"redirect_uri\": OPTIONAL if only one redirect URI is registered for\n        // > this client. REQUIRED if multiple redirect URIs are registered for this\n        // > client.\n        throw new AuthorizationError(parameters, 'redirect_uri is required')\n      }\n    }\n\n    if (parameters.authorization_details) {\n      const { authorization_details_types } = this.metadata\n      if (!authorization_details_types) {\n        throw new InvalidAuthorizationDetailsError(\n          parameters,\n          'Client Metadata does not declare any \"authorization_details\"',\n        )\n      }\n\n      for (const detail of parameters.authorization_details) {\n        if (!authorization_details_types?.includes(detail.type)) {\n          throw new InvalidAuthorizationDetailsError(\n            parameters,\n            `Client Metadata does not declare any \"authorization_details\" of type \"${detail.type}\"`,\n          )\n        }\n      }\n    }\n\n    return parameters\n  }\n\n  get defaultRedirectUri(): OAuthRedirectUri | undefined {\n    const { redirect_uris } = this.metadata\n    return redirect_uris.length === 1 ? redirect_uris[0] : undefined\n  }\n}\n\nexport async function authJwkThumbprint(\n  key: Uint8Array | KeyLike,\n): Promise<string> {\n  try {\n    return await calculateJwkThumbprint(await exportJWK(key), 'sha512')\n  } catch (err) {\n    throw new InvalidClientError('Unable to compute JWK thumbprint', err)\n  }\n}\n"]}

package/dist/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";AAAA,sDAAsD;;;AAEzC,QAAA,gBAAgB,GAAG,MAAM,CAAA;AACzB,QAAA,sBAAsB,GAAG,EAAE,CAAA,CAAC,WAAW;AAEvC,QAAA,iBAAiB,GAAG,MAAM,CAAA;AAC1B,QAAA,uBAAuB,GAAG,EAAE,CAAA,CAAC,8CAA8C;AAE3E,QAAA,oBAAoB,GAAG,MAAM,CAAA;AAC7B,QAAA,0BAA0B,GAAG,EAAE,CAAA,CAAC,WAAW;AAE3C,QAAA,eAAe,GAAG,MAAM,CAAA;AACxB,QAAA,qBAAqB,GAAG,EAAE,CAAA,CAAC,sDAAsD;AAEjF,QAAA,iBAAiB,GAAG,MAAM,CAAA;AAC1B,QAAA,uBAAuB,GAAG,EAAE,CAAA,CAAC,WAAW;AAExC,QAAA,WAAW,GAAG,MAAM,CAAA;AACpB,QAAA,iBAAiB,GAAG,EAAE,CAAA;AAEnC,MAAM,MAAM,GAAG,GAAG,CAAA;AAClB,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,CAAA;AAC1B,MAAM,IAAI,GAAG,EAAE,GAAG,MAAM,CAAA;AACxB,MAAM,GAAG,GAAG,EAAE,GAAG,IAAI,CAAA;AACrB,MAAM,IAAI,GAAG,CAAC,GAAG,GAAG,CAAA;AACpB,MAAM,IAAI,GAAG,MAAM,GAAG,GAAG,CAAA;AACzB,MAAM,KAAK,GAAG,IAAI,GAAG,EAAE,CAAA;AAEvB,aAAa;AACA,QAAA,sBAAsB,GAAG,CAAC,GAAG,GAAG,CAAA;AAE7C,iBAAiB;AACJ,QAAA,yBAAyB,GAAG,EAAE,GAAG,MAAM,CAAA;AAEpD,iBAAiB;AACJ,QAAA,aAAa,GAAG,EAAE,GAAG,MAAM,CAAA;AAExC,gBAAgB;AACH,QAAA,gCAAgC,GAAG,CAAC,GAAG,MAAM,CAAA;AAE1D,aAAa;AACA,QAAA,8BAA8B,GAAG,CAAC,GAAG,IAAI,CAAA;AAEtD,kDAAkD;AACrC,QAAA,8BAA8B,GAAG,sCAA8B,CAAA;AAE5E,cAAc;AACD,QAAA,oCAAoC,GAAG,CAAC,GAAG,IAAI,CAAA;AAE5D,eAAe;AACF,QAAA,oCAAoC,GAAG,CAAC,GAAG,KAAK,CAAA;AAE7D,gBAAgB;AACH,QAAA,cAAc,GAAG,CAAC,GAAG,MAAM,CAAA;AAExC;;;;;;GAMG;AACU,QAAA,WAAW,GAAG,EAAE,GAAG,MAAM,CAAA;AAEtC,eAAe;AACF,QAAA,wBAAwB,GAAG,CAAC,GAAG,MAAM,CAAA;AAElD,gBAAgB;AACH,QAAA,kBAAkB,GAAG,CAAC,GAAG,MAAM,CAAA;AAE5C,gBAAgB;AACH,QAAA,wBAAwB,GAAG,CAAC,GAAG,MAAM,CAAA;AAElD,YAAY;AACC,QAAA,+BAA+B,GAAG,CAAC,GAAG,GAAG,CAAA;AAEtD,gBAAgB;AACH,QAAA,yBAAyB,GAAG,CAAC,GAAG,MAAM,CAAA;AAEtC,QAAA,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,YAAY,CAAA"}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";AAAA,sDAAsD;;;AAEzC,QAAA,gBAAgB,GAAG,MAAM,CAAA;AACzB,QAAA,sBAAsB,GAAG,EAAE,CAAA,CAAC,WAAW;AAEvC,QAAA,iBAAiB,GAAG,MAAM,CAAA;AAC1B,QAAA,uBAAuB,GAAG,EAAE,CAAA,CAAC,8CAA8C;AAE3E,QAAA,oBAAoB,GAAG,MAAM,CAAA;AAC7B,QAAA,0BAA0B,GAAG,EAAE,CAAA,CAAC,WAAW;AAE3C,QAAA,eAAe,GAAG,MAAM,CAAA;AACxB,QAAA,qBAAqB,GAAG,EAAE,CAAA,CAAC,sDAAsD;AAEjF,QAAA,iBAAiB,GAAG,MAAM,CAAA;AAC1B,QAAA,uBAAuB,GAAG,EAAE,CAAA,CAAC,WAAW;AAExC,QAAA,WAAW,GAAG,MAAM,CAAA;AACpB,QAAA,iBAAiB,GAAG,EAAE,CAAA;AAEnC,MAAM,MAAM,GAAG,GAAG,CAAA;AAClB,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,CAAA;AAC1B,MAAM,IAAI,GAAG,EAAE,GAAG,MAAM,CAAA;AACxB,MAAM,GAAG,GAAG,EAAE,GAAG,IAAI,CAAA;AACrB,MAAM,IAAI,GAAG,CAAC,GAAG,GAAG,CAAA;AACpB,MAAM,IAAI,GAAG,MAAM,GAAG,GAAG,CAAA;AACzB,MAAM,KAAK,GAAG,IAAI,GAAG,EAAE,CAAA;AAEvB,aAAa;AACA,QAAA,sBAAsB,GAAG,CAAC,GAAG,GAAG,CAAA;AAE7C,iBAAiB;AACJ,QAAA,yBAAyB,GAAG,EAAE,GAAG,MAAM,CAAA;AAEpD,iBAAiB;AACJ,QAAA,aAAa,GAAG,EAAE,GAAG,MAAM,CAAA;AAExC,gBAAgB;AACH,QAAA,gCAAgC,GAAG,CAAC,GAAG,MAAM,CAAA;AAE1D,aAAa;AACA,QAAA,8BAA8B,GAAG,CAAC,GAAG,IAAI,CAAA;AAEtD,kDAAkD;AACrC,QAAA,8BAA8B,GAAG,sCAA8B,CAAA;AAE5E,cAAc;AACD,QAAA,oCAAoC,GAAG,CAAC,GAAG,IAAI,CAAA;AAE5D,eAAe;AACF,QAAA,oCAAoC,GAAG,CAAC,GAAG,KAAK,CAAA;AAE7D,gBAAgB;AACH,QAAA,cAAc,GAAG,CAAC,GAAG,MAAM,CAAA;AAExC;;;;;;GAMG;AACU,QAAA,WAAW,GAAG,EAAE,GAAG,MAAM,CAAA;AAEtC,eAAe;AACF,QAAA,wBAAwB,GAAG,CAAC,GAAG,MAAM,CAAA;AAElD,gBAAgB;AACH,QAAA,kBAAkB,GAAG,CAAC,GAAG,MAAM,CAAA;AAE5C,gBAAgB;AACH,QAAA,wBAAwB,GAAG,CAAC,GAAG,MAAM,CAAA;AAElD,YAAY;AACC,QAAA,+BAA+B,GAAG,CAAC,GAAG,GAAG,CAAA;AAEtD,gBAAgB;AACH,QAAA,yBAAyB,GAAG,CAAC,GAAG,MAAM,CAAA;AAEtC,QAAA,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,YAAY,CAAA","sourcesContent":["// The purpose of the prefix is to provide type safety\n\nexport const DEVICE_ID_PREFIX = 'dev-'\nexport const DEVICE_ID_BYTES_LENGTH = 16 // 128 bits\n\nexport const SESSION_ID_PREFIX = 'ses-'\nexport const SESSION_ID_BYTES_LENGTH = 16 // 128 bits - only valid if device id is valid\n\nexport const REFRESH_TOKEN_PREFIX = 'ref-'\nexport const REFRESH_TOKEN_BYTES_LENGTH = 32 // 256 bits\n\nexport const TOKEN_ID_PREFIX = 'tok-'\nexport const TOKEN_ID_BYTES_LENGTH = 16 // 128 bits - used as `jti` in JWTs (cannot be forged)\n\nexport const REQUEST_ID_PREFIX = 'req-'\nexport const REQUEST_ID_BYTES_LENGTH = 16 // 128 bits\n\nexport const CODE_PREFIX = 'cod-'\nexport const CODE_BYTES_LENGTH = 32\n\nconst SECOND = 1e3\nconst MINUTE = 60 * SECOND\nconst HOUR = 60 * MINUTE\nconst DAY = 24 * HOUR\nconst WEEK = 7 * DAY\nconst YEAR = 365.25 * DAY\nconst MONTH = YEAR / 12\n\n/** 7 days */\nexport const AUTHENTICATION_MAX_AGE = 7 * DAY\n\n/** 15 minutes */\nexport const EPHEMERAL_SESSION_MAX_AGE = 15 * MINUTE\n\n/** 60 minutes */\nexport const TOKEN_MAX_AGE = 60 * MINUTE\n\n/** 5 minutes */\nexport const AUTHORIZATION_INACTIVITY_TIMEOUT = 5 * MINUTE\n\n/** 2 week */\nexport const PUBLIC_CLIENT_SESSION_LIFETIME = 2 * WEEK\n\n/** @see {@link PUBLIC_CLIENT_SESSION_LIFETIME} */\nexport const PUBLIC_CLIENT_REFRESH_LIFETIME = PUBLIC_CLIENT_SESSION_LIFETIME\n\n/** 2 years */\nexport const CONFIDENTIAL_CLIENT_SESSION_LIFETIME = 2 * YEAR\n\n/** 3 months */\nexport const CONFIDENTIAL_CLIENT_REFRESH_LIFETIME = 3 * MONTH\n\n/** 5 minutes */\nexport const PAR_EXPIRES_IN = 5 * MINUTE\n\n/**\n * 59 seconds (should be less than a minute)\n *\n * > \"A general guidance for the validity time would be less than a minute.\"\n *\n * @see {@link https://datatracker.ietf.org/doc/html/rfc9101#section-10.2 | JWT-Secured Authorization Request (JAR) - Section 10.2 (d)}\n */\nexport const JAR_MAX_AGE = 59 * SECOND\n\n/** 1 minute */\nexport const CLIENT_ASSERTION_MAX_AGE = 1 * MINUTE\n\n/** 3 minutes */\nexport const DPOP_NONCE_MAX_AGE = 3 * MINUTE\n\n/** 5 seconds */\nexport const SESSION_FIXATION_MAX_AGE = 5 * SECOND\n\n/** 1 day */\nexport const CODE_CHALLENGE_REPLAY_TIMEFRAME = 1 * DAY\n\n/** 5 minutes */\nexport const LEXICON_REFRESH_FREQUENCY = 5 * MINUTE\n\nexport const NODE_ENV = process.env.NODE_ENV || 'production'\n"]}

package/dist/customization/branding.js.map

@@ -1 +1 @@
-{"version":3,"file":"branding.js","sourceRoot":"","sources":["../../src/customization/branding.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,2CAA0C;AAC1C,yCAAwC;AAE3B,QAAA,cAAc,GAAG,OAAC,CAAC,MAAM,CAAC;IACrC,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACjC,MAAM,EAAE,wBAAY,CAAC,QAAQ,EAAE;IAC/B,KAAK,EAAE,OAAC,CAAC,KAAK,CAAC,sBAAW,CAAC,CAAC,QAAQ,EAAE;CACvC,CAAC,CAAA"}
+{"version":3,"file":"branding.js","sourceRoot":"","sources":["../../src/customization/branding.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,2CAA0C;AAC1C,yCAAwC;AAE3B,QAAA,cAAc,GAAG,OAAC,CAAC,MAAM,CAAC;IACrC,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACjC,MAAM,EAAE,wBAAY,CAAC,QAAQ,EAAE;IAC/B,KAAK,EAAE,OAAC,CAAC,KAAK,CAAC,sBAAW,CAAC,CAAC,QAAQ,EAAE;CACvC,CAAC,CAAA","sourcesContent":["import { z } from 'zod'\nimport { colorsSchema } from './colors.js'\nimport { linksSchema } from './links.js'\n\nexport const brandingSchema = z.object({\n  name: z.string().optional(),\n  logo: z.string().url().optional(),\n  colors: colorsSchema.optional(),\n  links: z.array(linksSchema).optional(),\n})\nexport type BrandingInput = z.input<typeof brandingSchema>\nexport type Branding = z.infer<typeof brandingSchema>\n"]}

package/dist/customization/build-customization-css.js.map

@@ -1 +1 @@
-{"version":3,"file":"build-customization-css.js","sourceRoot":"","sources":["../../src/customization/build-customization-css.ts"],"names":[],"mappings":";;AAKA,sDAKC;AAVD,mDAAoE;AAEpE,2CAAyC;AAGzC,SAAgB,qBAAqB,CAAC,EACpC,QAAQ,GACM;IACd,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,QAAQ,CAAC,CAAC,CAAA;IACzD,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,WAAW,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAA;AACvD,CAAC;AAED,QAAQ,CAAC,CAAC,sBAAsB,CAAC,QAAmB;IAClD,IAAI,QAAQ,EAAE,MAAM,EAAE,CAAC;QACrB,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAA;QACzE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAA;QAEjE,KAAK,MAAM,IAAI,IAAI,uBAAW,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;YACnC,IAAI,CAAC,KAAK;gBAAE,SAAQ,CAAC,sBAAsB;YAE3C,MAAM,QAAQ,GACZ,QAAQ,CAAC,MAAM,CAAC,GAAG,IAAI,UAAU,CAAC;gBAClC,IAAA,4BAAiB,EAAC,KAAK,EAAE,aAAa,EAAE,YAAY,CAAC,CAAA;YAEvD,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,IAAI,KAAK,CAAC,IAAI,IAAA,qBAAU,EAAC,KAAK,CAAC,CAAA;YAE9D,MAAM,oBAAoB,IAAI,KAAK,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,GAAG,CAAA;YACnE,MAAM,oBAAoB,IAAI,cAAc,QAAQ,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,GAAG,CAAA;YACrF,MAAM,oBAAoB,IAAI,SAAS,GAAG,GAAG,CAAA;QAC/C,CAAC;IACH,CAAC;AACH,CAAC"}
+{"version":3,"file":"build-customization-css.js","sourceRoot":"","sources":["../../src/customization/build-customization-css.ts"],"names":[],"mappings":";;AAKA,sDAKC;AAVD,mDAAoE;AAEpE,2CAAyC;AAGzC,SAAgB,qBAAqB,CAAC,EACpC,QAAQ,GACM;IACd,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,QAAQ,CAAC,CAAC,CAAA;IACzD,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,WAAW,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAA;AACvD,CAAC;AAED,QAAQ,CAAC,CAAC,sBAAsB,CAAC,QAAmB;IAClD,IAAI,QAAQ,EAAE,MAAM,EAAE,CAAC;QACrB,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAA;QACzE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAA;QAEjE,KAAK,MAAM,IAAI,IAAI,uBAAW,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;YACnC,IAAI,CAAC,KAAK;gBAAE,SAAQ,CAAC,sBAAsB;YAE3C,MAAM,QAAQ,GACZ,QAAQ,CAAC,MAAM,CAAC,GAAG,IAAI,UAAU,CAAC;gBAClC,IAAA,4BAAiB,EAAC,KAAK,EAAE,aAAa,EAAE,YAAY,CAAC,CAAA;YAEvD,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,IAAI,KAAK,CAAC,IAAI,IAAA,qBAAU,EAAC,KAAK,CAAC,CAAA;YAE9D,MAAM,oBAAoB,IAAI,KAAK,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,GAAG,CAAA;YACnE,MAAM,oBAAoB,IAAI,cAAc,QAAQ,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,GAAG,CAAA;YACrF,MAAM,oBAAoB,IAAI,SAAS,GAAG,GAAG,CAAA;QAC/C,CAAC;IACH,CAAC;AACH,CAAC","sourcesContent":["import { extractHue, pickContrastColor } from '../lib/util/color.js'\nimport { Branding } from './branding.js'\nimport { COLOR_NAMES } from './colors.js'\nimport { Customization } from './customization.js'\n\nexport function buildCustomizationCss({\n  branding,\n}: Customization): undefined | string {\n  const vars = Array.from(buildCustomizationVars(branding))\n  if (vars.length) return `:root { ${vars.join(' ')} }`\n}\n\nfunction* buildCustomizationVars(branding?: Branding): Generator<string> {\n  if (branding?.colors) {\n    const contrastLight = branding.colors.light ?? { r: 255, g: 255, b: 255 }\n    const contrastDark = branding.colors.dark ?? { r: 0, g: 0, b: 0 }\n\n    for (const name of COLOR_NAMES) {\n      const value = branding.colors[name]\n      if (!value) continue // Skip missing colors\n\n      const contrast =\n        branding.colors[`${name}Contrast`] ??\n        pickContrastColor(value, contrastLight, contrastDark)\n\n      const hue = branding.colors[`${name}Hue`] ?? extractHue(value)\n\n      yield `--branding-color-${name}: ${value.r} ${value.g} ${value.b};`\n      yield `--branding-color-${name}-contrast: ${contrast.r} ${contrast.g} ${contrast.b};`\n      yield `--branding-color-${name}-hue: ${hue};`\n    }\n  }\n}\n"]}

package/dist/customization/build-customization-data.js.map

@@ -1 +1 @@
-{"version":3,"file":"build-customization-data.js","sourceRoot":"","sources":["../../src/customization/build-customization-data.ts"],"names":[],"mappings":";;AAGA,wDAkBC;AAlBD,SAAgB,sBAAsB,CAAC,EACrC,QAAQ,EACR,oBAAoB,EACpB,kBAAkB,EAClB,QAAQ,GACM;IACd,4EAA4E;IAC5E,iBAAiB;IACjB,6EAA6E;IAC7E,6DAA6D;IAC7D,OAAO;QACL,oBAAoB;QACpB,kBAAkB;QAClB,eAAe,EAAE,QAAQ,EAAE,OAAO;QAClC,IAAI,EAAE,QAAQ,EAAE,IAAI;QACpB,IAAI,EAAE,QAAQ,EAAE,IAAI;QACpB,KAAK,EAAE,QAAQ,EAAE,KAAK;KACvB,CAAA;AACH,CAAC"}
+{"version":3,"file":"build-customization-data.js","sourceRoot":"","sources":["../../src/customization/build-customization-data.ts"],"names":[],"mappings":";;AAGA,wDAkBC;AAlBD,SAAgB,sBAAsB,CAAC,EACrC,QAAQ,EACR,oBAAoB,EACpB,kBAAkB,EAClB,QAAQ,GACM;IACd,4EAA4E;IAC5E,iBAAiB;IACjB,6EAA6E;IAC7E,6DAA6D;IAC7D,OAAO;QACL,oBAAoB;QACpB,kBAAkB;QAClB,eAAe,EAAE,QAAQ,EAAE,OAAO;QAClC,IAAI,EAAE,QAAQ,EAAE,IAAI;QACpB,IAAI,EAAE,QAAQ,EAAE,IAAI;QACpB,KAAK,EAAE,QAAQ,EAAE,KAAK;KACvB,CAAA;AACH,CAAC","sourcesContent":["import { CustomizationData } from '@atproto/oauth-provider-api'\nimport { Customization } from './customization.js'\n\nexport function buildCustomizationData({\n  branding,\n  availableUserDomains,\n  inviteCodeRequired,\n  hcaptcha,\n}: Customization): CustomizationData {\n  // @NOTE the front end does not need colors here as they will be injected as\n  // CSS variables.\n  // @NOTE We only copy the values explicitly needed to avoid leaking sensitive\n  // data (in case the caller passed more than what we expect).\n  return {\n    availableUserDomains,\n    inviteCodeRequired,\n    hcaptchaSiteKey: hcaptcha?.siteKey,\n    name: branding?.name,\n    logo: branding?.logo,\n    links: branding?.links,\n  }\n}\n"]}

package/dist/customization/colors.js.map

@@ -1 +1 @@
-{"version":3,"file":"colors.js","sourceRoot":"","sources":["../../src/customization/colors.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,wDAAsD;AACtD,wDAAsD;AAEzC,QAAA,WAAW,GAAG,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,CAAU,CAAA;AAGjE,QAAA,YAAY,GAAG,OAAC;KAC1B,MAAM,CAAC;IACN,KAAK,EAAE,6BAAc,CAAC,QAAQ,EAAE;IAChC,IAAI,EAAE,6BAAc,CAAC,QAAQ,EAAE;CAChC,CAAC;KACD,MAAM,CACL,MAAM,CAAC,WAAW,CAChB,mBAAW,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,6BAAc,CAAC,QAAQ,EAAE,CAAC,CAAC,CACF,CAC7D;KACA,MAAM,CACL,MAAM,CAAC,WAAW,CAChB,mBAAW,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,GAAG,IAAI,UAAU,EAAE,6BAAc,CAAC,QAAQ,EAAE,CAAC,CAAC,CACF,CAC1E;KACA,MAAM,CACL,MAAM,CAAC,WAAW,CAChB,mBAAW,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,GAAG,IAAI,KAAK,EAAE,6BAAc,CAAC,QAAQ,EAAE,CAAC,CAAC,CACF,CACrE,CAAA"}
+{"version":3,"file":"colors.js","sourceRoot":"","sources":["../../src/customization/colors.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,wDAAsD;AACtD,wDAAsD;AAEzC,QAAA,WAAW,GAAG,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,CAAU,CAAA;AAGjE,QAAA,YAAY,GAAG,OAAC;KAC1B,MAAM,CAAC;IACN,KAAK,EAAE,6BAAc,CAAC,QAAQ,EAAE;IAChC,IAAI,EAAE,6BAAc,CAAC,QAAQ,EAAE;CAChC,CAAC;KACD,MAAM,CACL,MAAM,CAAC,WAAW,CAChB,mBAAW,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,6BAAc,CAAC,QAAQ,EAAE,CAAC,CAAC,CACF,CAC7D;KACA,MAAM,CACL,MAAM,CAAC,WAAW,CAChB,mBAAW,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,GAAG,IAAI,UAAU,EAAE,6BAAc,CAAC,QAAQ,EAAE,CAAC,CAAC,CACF,CAC1E;KACA,MAAM,CACL,MAAM,CAAC,WAAW,CAChB,mBAAW,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,GAAG,IAAI,KAAK,EAAE,6BAAc,CAAC,QAAQ,EAAE,CAAC,CAAC,CACF,CACrE,CAAA","sourcesContent":["import { z } from 'zod'\nimport { colorHueSchema } from '../types/color-hue.js'\nimport { rgbColorSchema } from '../types/rgb-color.js'\n\nexport const COLOR_NAMES = ['primary', 'error', 'warning', 'success'] as const\nexport type ColorName = (typeof COLOR_NAMES)[number]\n\nexport const colorsSchema = z\n  .object({\n    light: rgbColorSchema.optional(),\n    dark: rgbColorSchema.optional(),\n  })\n  .extend(\n    Object.fromEntries(\n      COLOR_NAMES.map((name) => [name, rgbColorSchema.optional()]),\n    ) as Record<ColorName, z.ZodOptional<typeof rgbColorSchema>>,\n  )\n  .extend(\n    Object.fromEntries(\n      COLOR_NAMES.map((name) => [`${name}Contrast`, rgbColorSchema.optional()]),\n    ) as Record<`${ColorName}Contrast`, z.ZodOptional<typeof rgbColorSchema>>,\n  )\n  .extend(\n    Object.fromEntries(\n      COLOR_NAMES.map((name) => [`${name}Hue`, colorHueSchema.optional()]),\n    ) as Record<`${ColorName}Hue`, z.ZodOptional<typeof colorHueSchema>>,\n  )\n\nexport type Colors = z.infer<typeof colorsSchema>\n"]}

package/dist/customization/customization.js.map

@@ -1 +1 @@
-{"version":3,"file":"customization.js","sourceRoot":"","sources":["../../src/customization/customization.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,oDAAyD;AACzD,+CAA8C;AAEjC,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C;;;OAGG;IACH,oBAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACpD;;OAEG;IACH,QAAQ,EAAE,4BAAc,CAAC,QAAQ,EAAE;IACnC;;OAEG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC1C;;OAEG;IACH,QAAQ,EAAE,kCAAoB,CAAC,QAAQ,EAAE;CAC1C,CAAC,CAAA"}
+{"version":3,"file":"customization.js","sourceRoot":"","sources":["../../src/customization/customization.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,oDAAyD;AACzD,+CAA8C;AAEjC,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C;;;OAGG;IACH,oBAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACpD;;OAEG;IACH,QAAQ,EAAE,4BAAc,CAAC,QAAQ,EAAE;IACnC;;OAEG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC1C;;OAEG;IACH,QAAQ,EAAE,kCAAoB,CAAC,QAAQ,EAAE;CAC1C,CAAC,CAAA","sourcesContent":["import { z } from 'zod'\nimport { hcaptchaConfigSchema } from '../lib/hcaptcha.js'\nimport { brandingSchema } from './branding.js'\n\nexport const customizationSchema = z.object({\n  /**\n   * Available user domains that can be used to sign up. A non-empty array\n   * is required to enable the sign-up feature.\n   */\n  availableUserDomains: z.array(z.string()).optional(),\n  /**\n   * UI customizations\n   */\n  branding: brandingSchema.optional(),\n  /**\n   * Is an invite code required to sign up?\n   */\n  inviteCodeRequired: z.boolean().optional(),\n  /**\n   * Enables hCaptcha during sign-up.\n   */\n  hcaptcha: hcaptchaConfigSchema.optional(),\n})\nexport type CustomizationInput = z.input<typeof customizationSchema>\nexport type Customization = z.infer<typeof customizationSchema>\n"]}

package/dist/customization/links.js.map

@@ -1 +1 @@
-{"version":3,"file":"links.js","sourceRoot":"","sources":["../../src/customization/links.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,qEAAyD;AACzD,qDAA6D;AAEhD,QAAA,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,iCAAqB,CAAC,CAAC;IACnD,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACtB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,6BAAS,EAAE,kBAAkB,CAAC,CAAC,QAAQ,EAAE;CACjE,CAAC,CAAA"}
+{"version":3,"file":"links.js","sourceRoot":"","sources":["../../src/customization/links.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,qEAAyD;AACzD,qDAA6D;AAEhD,QAAA,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,iCAAqB,CAAC,CAAC;IACnD,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACtB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,6BAAS,EAAE,kBAAkB,CAAC,CAAC,QAAQ,EAAE;CACjE,CAAC,CAAA","sourcesContent":["import { z } from 'zod'\nimport { isLinkRel } from '../lib/html/build-document.js'\nimport { multiLangStringSchema } from '../lib/util/locale.js'\n\nexport const linksSchema = z.object({\n  title: z.union([z.string(), multiLangStringSchema]),\n  href: z.string().url(),\n  rel: z.string().refine(isLinkRel, 'Invalid link rel').optional(),\n})\nexport type Links = z.infer<typeof linksSchema>\n"]}

package/dist/device/device-data.js.map

@@ -1 +1 @@
-{"version":3,"file":"device-data.js","sourceRoot":"","sources":["../../src/device/device-data.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,mDAAiD;AAEpC,QAAA,gBAAgB,GAAG,OAAC,CAAC,MAAM,CAAC;IACvC,SAAS,EAAE,+BAAe;IAC1B,UAAU,EAAE,OAAC,CAAC,IAAI,EAAE;IACpB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;CACtB,CAAC,CAAA"}
+{"version":3,"file":"device-data.js","sourceRoot":"","sources":["../../src/device/device-data.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,mDAAiD;AAEpC,QAAA,gBAAgB,GAAG,OAAC,CAAC,MAAM,CAAC;IACvC,SAAS,EAAE,+BAAe;IAC1B,UAAU,EAAE,OAAC,CAAC,IAAI,EAAE;IACpB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;CACtB,CAAC,CAAA","sourcesContent":["import { z } from 'zod'\nimport { sessionIdSchema } from './session-id.js'\n\nexport const deviceDataSchema = z.object({\n  sessionId: sessionIdSchema,\n  lastSeenAt: z.date(),\n  userAgent: z.string().nullable(),\n  ipAddress: z.string(),\n})\n\nexport type DeviceData = z.infer<typeof deviceDataSchema>\n"]}

package/dist/device/device-id.js.map

@@ -1 +1 @@
-{"version":3,"file":"device-id.js","sourceRoot":"","sources":["../../src/device/device-id.ts"],"names":[],"mappings":";;;AAoBA,gCAEC;AAtBD,6BAAuB;AACvB,kDAA0E;AAC1E,qDAAmD;AAEtC,QAAA,gBAAgB,GAC3B,+BAAgB,CAAC,MAAM,GAAG,qCAAsB,GAAG,CAAC,CAAA,CAAC,eAAe;AAEzD,QAAA,cAAc,GAAG,OAAC;KAC5B,MAAM,EAAE;KACR,MAAM,CAAC,wBAAgB,CAAC;KACxB,MAAM,CACL,CAAC,CAAC,EAA8C,EAAE,CAChD,CAAC,CAAC,UAAU,CAAC,+BAAgB,CAAC,EAChC;IACE,OAAO,EAAE,0BAA0B;CACpC,CACF,CAAA;AAIH,SAAgB,UAAU,CAAC,KAAc;IACvC,OAAO,sBAAc,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,OAAO,CAAA;AAChD,CAAC;AAEM,MAAM,gBAAgB,GAAG,KAAK,IAAuB,EAAE;IAC5D,OAAO,GAAG,+BAAgB,GAAG,MAAM,IAAA,uBAAW,EAAC,qCAAsB,CAAC,EAAE,CAAA;AAC1E,CAAC,CAAA;AAFY,QAAA,gBAAgB,oBAE5B"}
+{"version":3,"file":"device-id.js","sourceRoot":"","sources":["../../src/device/device-id.ts"],"names":[],"mappings":";;;AAoBA,gCAEC;AAtBD,6BAAuB;AACvB,kDAA0E;AAC1E,qDAAmD;AAEtC,QAAA,gBAAgB,GAC3B,+BAAgB,CAAC,MAAM,GAAG,qCAAsB,GAAG,CAAC,CAAA,CAAC,eAAe;AAEzD,QAAA,cAAc,GAAG,OAAC;KAC5B,MAAM,EAAE;KACR,MAAM,CAAC,wBAAgB,CAAC;KACxB,MAAM,CACL,CAAC,CAAC,EAA8C,EAAE,CAChD,CAAC,CAAC,UAAU,CAAC,+BAAgB,CAAC,EAChC;IACE,OAAO,EAAE,0BAA0B;CACpC,CACF,CAAA;AAIH,SAAgB,UAAU,CAAC,KAAc;IACvC,OAAO,sBAAc,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,OAAO,CAAA;AAChD,CAAC;AAEM,MAAM,gBAAgB,GAAG,KAAK,IAAuB,EAAE;IAC5D,OAAO,GAAG,+BAAgB,GAAG,MAAM,IAAA,uBAAW,EAAC,qCAAsB,CAAC,EAAE,CAAA;AAC1E,CAAC,CAAA;AAFY,QAAA,gBAAgB,oBAE5B","sourcesContent":["import { z } from 'zod'\nimport { DEVICE_ID_BYTES_LENGTH, DEVICE_ID_PREFIX } from '../constants.js'\nimport { randomHexId } from '../lib/util/crypto.js'\n\nexport const DEVICE_ID_LENGTH =\n  DEVICE_ID_PREFIX.length + DEVICE_ID_BYTES_LENGTH * 2 // hex encoding\n\nexport const deviceIdSchema = z\n  .string()\n  .length(DEVICE_ID_LENGTH)\n  .refine(\n    (v): v is `${typeof DEVICE_ID_PREFIX}${string}` =>\n      v.startsWith(DEVICE_ID_PREFIX),\n    {\n      message: `Invalid device ID format`,\n    },\n  )\n\nexport type DeviceId = z.infer<typeof deviceIdSchema>\n\nexport function isDeviceId(value: unknown): value is DeviceId {\n  return deviceIdSchema.safeParse(value).success\n}\n\nexport const generateDeviceId = async (): Promise<DeviceId> => {\n  return `${DEVICE_ID_PREFIX}${await randomHexId(DEVICE_ID_BYTES_LENGTH)}`\n}\n"]}

package/dist/device/device-manager.d.ts

@@ -11,12 +11,12 @@ export declare const keygripSchema: z.ZodObject<{
     verify: z.ZodFunction<z.ZodTuple<[z.ZodAny, z.ZodString], z.ZodUnknown>, z.ZodBoolean>;
     index: z.ZodFunction<z.ZodTuple<[z.ZodAny, z.ZodString], z.ZodUnknown>, z.ZodNumber>;
 }, "strip", z.ZodTypeAny, {
-    sign: (args_0: any, ...args: unknown[]) => string;
     verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
+    sign: (args_0: any, ...args: unknown[]) => string;
     index: (args_0: any, args_1: string, ...args: unknown[]) => number;
 }, {
-    sign: (args_0: any, ...args: unknown[]) => string;
     verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
+    sign: (args_0: any, ...args: unknown[]) => string;
     index: (args_0: any, args_1: string, ...args: unknown[]) => number;
 }>;
 export declare const deviceManagerOptionsSchema: z.ZodObject<{
@@ -40,12 +40,12 @@ export declare const deviceManagerOptionsSchema: z.ZodObject<{
             verify: z.ZodFunction<z.ZodTuple<[z.ZodAny, z.ZodString], z.ZodUnknown>, z.ZodBoolean>;
             index: z.ZodFunction<z.ZodTuple<[z.ZodAny, z.ZodString], z.ZodUnknown>, z.ZodNumber>;
         }, "strip", z.ZodTypeAny, {
-            sign: (args_0: any, ...args: unknown[]) => string;
             verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
+            sign: (args_0: any, ...args: unknown[]) => string;
             index: (args_0: any, args_1: string, ...args: unknown[]) => number;
         }, {
-            sign: (args_0: any, ...args: unknown[]) => string;
             verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
+            sign: (args_0: any, ...args: unknown[]) => string;
             index: (args_0: any, args_1: string, ...args: unknown[]) => number;
         }>>;
         /**
@@ -73,14 +73,14 @@ export declare const deviceManagerOptionsSchema: z.ZodObject<{
         sameSite: "strict" | "lax";
         secure: boolean;
         keys?: {
-            sign: (args_0: any, ...args: unknown[]) => string;
             verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
+            sign: (args_0: any, ...args: unknown[]) => string;
             index: (args_0: any, args_1: string, ...args: unknown[]) => number;
         } | undefined;
     }, {
         keys?: {
-            sign: (args_0: any, ...args: unknown[]) => string;
             verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
+            sign: (args_0: any, ...args: unknown[]) => string;
             index: (args_0: any, args_1: string, ...args: unknown[]) => number;
         } | undefined;
         age?: number | null | undefined;
@@ -93,8 +93,8 @@ export declare const deviceManagerOptionsSchema: z.ZodObject<{
         sameSite: "strict" | "lax";
         secure: boolean;
         keys?: {
-            sign: (args_0: any, ...args: unknown[]) => string;
             verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
+            sign: (args_0: any, ...args: unknown[]) => string;
             index: (args_0: any, args_1: string, ...args: unknown[]) => number;
         } | undefined;
     };
@@ -103,8 +103,8 @@ export declare const deviceManagerOptionsSchema: z.ZodObject<{
 }, {
     cookie?: {
         keys?: {
-            sign: (args_0: any, ...args: unknown[]) => string;
             verify: (args_0: any, args_1: string, ...args: unknown[]) => boolean;
+            sign: (args_0: any, ...args: unknown[]) => string;
             index: (args_0: any, args_1: string, ...args: unknown[]) => number;
         } | undefined;
         age?: number | null | undefined;

package/dist/device/device-manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"device-manager.js","sourceRoot":"","sources":["../../src/device/device-manager.ts"],"names":[],"mappings":";;;AACA,6BAAuB;AACvB,kDAA0D;AAC1D,mDAAuD;AACvD,uDAI+B;AAE/B,iDAKuB;AAEvB,mDAAoE;AAEpE;;GAEG;AACU,QAAA,aAAa,GAAG,OAAC,CAAC,MAAM,CAAC;IACpC,IAAI,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,OAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACpD,MAAM,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,OAAC,CAAC,GAAG,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC;IACnE,KAAK,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,OAAC,CAAC,GAAG,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;CAClE,CAAC,CAAA;AAEW,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD;;;OAGG;IACH,UAAU,EAAE,OAAC;SACV,QAAQ,EAAE;SACV,IAAI,CAAsC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC;SACjE,OAAO,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC;SACpB,QAAQ,EAAE;IAEb;;;;OAIG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACvC;;OAEG;IACH,MAAM,EAAE,OAAC;SACN,MAAM,CAAC;QACN,IAAI,EAAE,qBAAa,CAAC,QAAQ,EAAE;QAC9B;;;;;;WAMG;QACH,GAAG,EAAE,OAAC;aACH,MAAM,EAAE;aACR,QAAQ,EAAE;aACV,OAAO,CAAC,EAAE,GAAG,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACvC;;;;WAIG;QACH,MAAM,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QACjC;;;;WAIG;QACH,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;KACnD,CAAC;SACD,OAAO,CAAC,EAAE,CAAC;CACf,CAAC,CAAA;AAcF;;;;GAIG;AACH,MAAa,aAAa;IAIL;IAHF,OAAO,CAA4C;IAEpE,YACmB,KAAkB,EACnC,UAAgC,EAAE;QADjB,UAAK,GAAL,KAAK,CAAa;QAGnC,IAAI,CAAC,OAAO,GAAG,kCAA0B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;IAC1D,CAAC;IAEM,KAAK,CAAC,IAAI,CACf,GAAoB,EACpB,GAAmB,EACnB,WAAW,GAAG,KAAK;QAEnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC9C,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,OAAO,CACjB,GAAG,EACH,GAAG,EACH,MAAM,CAAC,KAAK,EACZ,WAAW,IAAI,MAAM,CAAC,UAAU,CACjC,CAAA;QACH,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB;QAEnB,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC9C,IAAA,+BAAgB,GAAE;YAClB,IAAA,iCAAiB,GAAE;SACX,CAAC,CAAA;QAEX,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;YACtB,SAAS,EAAE,cAAc,CAAC,SAAS,IAAI,IAAI;YAC3C,SAAS,EAAE,cAAc,CAAC,SAAS;SACpC,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;QAExD,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,GAAoB,EACpB,GAAmB,EACnB,EAAE,QAAQ,EAAE,SAAS,EAAe,EACpC,WAAW,GAAG,KAAK;QAEnB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAA;QAClD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAEvC,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,OAAO,EAAE,CAAA;QAE7C,IAAI,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,GAAG,IAAI,uCAAwB,EAAE,CAAC;gBACpC,iEAAiE;gBACjE,4CAA4C;gBAC5C,WAAW,GAAG,IAAI,CAAA;YACpB,CAAC;iBAAM,CAAC;gBACN,iDAAiD;gBACjD,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;gBACvC,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;YAC9B,CAAC;QACH,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,IACE,WAAW;YACX,cAAc,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAC3C,cAAc,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAC3C,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,EAC/B,CAAC;YACD,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE;gBACpC,SAAS,EAAE,cAAc,CAAC,SAAS;gBACnC,SAAS,EAAE,cAAc,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS;aACtD,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB,EACnB,QAAkB,EAClB,IAA4D;QAE5D,MAAM,SAAS,GAAG,MAAM,IAAA,iCAAiB,GAAE,CAAA;QAE3C,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,GAAG,IAAI;YACP,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;SACvB,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;IAC1D,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,GAAoB,EACpB,GAAmB;QAEnB,MAAM,OAAO,GAAG,IAAA,2BAAgB,EAAC,GAAG,CAAC,CAAA;QAErC,yEAAyE;QACzE,oEAAoE;QACpE,2EAA2E;QAC3E,4DAA4D;QAC5D,0EAA0E;QAC1E,sEAAsE;QACtE,2EAA2E;QAC3E,yEAAyE;QACzE,0EAA0E;QAC1E,iDAAiD;QAEjD,MAAM,MAAM,GACV,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,6BAAc,CAAC;YACnD,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,WAAW,EAAE,6BAAc,CAAC,CAAA;QACxD,MAAM,OAAO,GACX,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,+BAAe,CAAC;YACpD,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,YAAY,EAAE,+BAAe,CAAC,CAAA;QAE1D,MAAM,QAAQ,GAAG,MAAM,EAAE,KAAK,CAAA;QAC9B,MAAM,SAAS,GAAG,OAAO,EAAE,KAAK,CAAA;QAEhC,6CAA6C;QAC7C,IAAI,IAAA,yBAAU,EAAC,OAAO,CAAC,WAAW,CAAC,CAAC,IAAI,OAAO,CAAC,WAAW,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1E,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAA;QACrD,CAAC;QACD,IAAI,OAAO,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YAClD,MAAM,OAAO,GAAG,EAAE,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,CAAC,EAAW,CAAA;YAChE,IAAA,sBAAS,EAAC,GAAG,EAAE,WAAW,EAAE,EAAE,EAAE,OAAO,CAAC,CAAA;YACxC,IAAA,sBAAS,EAAC,GAAG,EAAE,YAAY,EAAE,EAAE,EAAE,OAAO,CAAC,CAAA;QAC3C,CAAC;QAED,kCAAkC;QAClC,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;YAC5B,sDAAsD;YACtD,IAAI,QAAQ;gBAAE,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;YAErD,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO;YACL,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE;YAC9B,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU;SACpD,CAAA;IACH,CAAC;IAEO,WAAW,CACjB,OAA2C,EAC3C,IAAY,EACZ,MAA4D;QAE5D,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;QACpE,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAA;QAE1B,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;QACzC,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QAEhC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAA;QAEzB,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,QAAQ,GAAG,GAAG,IAAI,OAAO,CAAA;YAE/B,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;YACxE,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAI,CAAA;YAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;YAC1D,IAAI,GAAG,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAA;YAExB,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,KAAK,CAAC,EAAE,CAAA;QACzC,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,GAAoB,EACpB,GAAmB,EACnB,EAAE,QAAQ,EAAE,SAAS,EAAe;QAEpC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAA;QACzC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAA;IAC5C,CAAC;IAEO,WAAW,CAAC,GAAmB,EAAE,IAAY,EAAE,KAAc;QACnE,MAAM,aAAa,GAAG;YACpB,MAAM,EAAE,KAAK;gBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,IAAI;oBAC/B,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI;gBAClC,CAAC,CAAC,CAAC;YACL,QAAQ,EAAE,IAAI;YACd,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,KAAK,KAAK;YAC5C,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ;SAC9B,CAAA;QAEV,IAAA,sBAAS,EAAC,GAAG,EAAE,IAAI,EAAE,KAAK,IAAI,EAAE,EAAE,aAAa,CAAC,CAAA;QAEhD,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YAC9D,IAAA,sBAAS,EAAC,GAAG,EAAE,GAAG,IAAI,OAAO,EAAE,IAAI,EAAE,aAAa,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAEM,kBAAkB,CAAC,GAAoB;QAC5C,OAAO,IAAA,mCAAsB,EAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;IAClD,CAAC;CACF;AA7ND,sCA6NC"}
+{"version":3,"file":"device-manager.js","sourceRoot":"","sources":["../../src/device/device-manager.ts"],"names":[],"mappings":";;;AACA,6BAAuB;AACvB,kDAA0D;AAC1D,mDAAuD;AACvD,uDAI+B;AAE/B,iDAKuB;AAEvB,mDAAoE;AAEpE;;GAEG;AACU,QAAA,aAAa,GAAG,OAAC,CAAC,MAAM,CAAC;IACpC,IAAI,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,OAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACpD,MAAM,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,OAAC,CAAC,GAAG,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC;IACnE,KAAK,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,OAAC,CAAC,GAAG,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;CAClE,CAAC,CAAA;AAEW,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD;;;OAGG;IACH,UAAU,EAAE,OAAC;SACV,QAAQ,EAAE;SACV,IAAI,CAAsC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC;SACjE,OAAO,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC;SACpB,QAAQ,EAAE;IAEb;;;;OAIG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACvC;;OAEG;IACH,MAAM,EAAE,OAAC;SACN,MAAM,CAAC;QACN,IAAI,EAAE,qBAAa,CAAC,QAAQ,EAAE;QAC9B;;;;;;WAMG;QACH,GAAG,EAAE,OAAC;aACH,MAAM,EAAE;aACR,QAAQ,EAAE;aACV,OAAO,CAAC,EAAE,GAAG,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACvC;;;;WAIG;QACH,MAAM,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QACjC;;;;WAIG;QACH,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;KACnD,CAAC;SACD,OAAO,CAAC,EAAE,CAAC;CACf,CAAC,CAAA;AAcF;;;;GAIG;AACH,MAAa,aAAa;IAIL;IAHF,OAAO,CAA4C;IAEpE,YACmB,KAAkB,EACnC,UAAgC,EAAE;QADjB,UAAK,GAAL,KAAK,CAAa;QAGnC,IAAI,CAAC,OAAO,GAAG,kCAA0B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;IAC1D,CAAC;IAEM,KAAK,CAAC,IAAI,CACf,GAAoB,EACpB,GAAmB,EACnB,WAAW,GAAG,KAAK;QAEnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC9C,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,OAAO,CACjB,GAAG,EACH,GAAG,EACH,MAAM,CAAC,KAAK,EACZ,WAAW,IAAI,MAAM,CAAC,UAAU,CACjC,CAAA;QACH,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB;QAEnB,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC9C,IAAA,+BAAgB,GAAE;YAClB,IAAA,iCAAiB,GAAE;SACX,CAAC,CAAA;QAEX,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;YACtB,SAAS,EAAE,cAAc,CAAC,SAAS,IAAI,IAAI;YAC3C,SAAS,EAAE,cAAc,CAAC,SAAS;SACpC,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;QAExD,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,GAAoB,EACpB,GAAmB,EACnB,EAAE,QAAQ,EAAE,SAAS,EAAe,EACpC,WAAW,GAAG,KAAK;QAEnB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAA;QAClD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAEvC,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,OAAO,EAAE,CAAA;QAE7C,IAAI,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,GAAG,IAAI,uCAAwB,EAAE,CAAC;gBACpC,iEAAiE;gBACjE,4CAA4C;gBAC5C,WAAW,GAAG,IAAI,CAAA;YACpB,CAAC;iBAAM,CAAC;gBACN,iDAAiD;gBACjD,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;gBACvC,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;YAC9B,CAAC;QACH,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,IACE,WAAW;YACX,cAAc,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAC3C,cAAc,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAC3C,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,EAC/B,CAAC;YACD,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE;gBACpC,SAAS,EAAE,cAAc,CAAC,SAAS;gBACnC,SAAS,EAAE,cAAc,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS;aACtD,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,GAAoB,EACpB,GAAmB,EACnB,QAAkB,EAClB,IAA4D;QAE5D,MAAM,SAAS,GAAG,MAAM,IAAA,iCAAiB,GAAE,CAAA;QAE3C,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE;YACtC,GAAG,IAAI;YACP,SAAS;YACT,UAAU,EAAE,IAAI,IAAI,EAAE;SACvB,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;IAC1D,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,GAAoB,EACpB,GAAmB;QAEnB,MAAM,OAAO,GAAG,IAAA,2BAAgB,EAAC,GAAG,CAAC,CAAA;QAErC,yEAAyE;QACzE,oEAAoE;QACpE,2EAA2E;QAC3E,4DAA4D;QAC5D,0EAA0E;QAC1E,sEAAsE;QACtE,2EAA2E;QAC3E,yEAAyE;QACzE,0EAA0E;QAC1E,iDAAiD;QAEjD,MAAM,MAAM,GACV,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,6BAAc,CAAC;YACnD,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,WAAW,EAAE,6BAAc,CAAC,CAAA;QACxD,MAAM,OAAO,GACX,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,+BAAe,CAAC;YACpD,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,YAAY,EAAE,+BAAe,CAAC,CAAA;QAE1D,MAAM,QAAQ,GAAG,MAAM,EAAE,KAAK,CAAA;QAC9B,MAAM,SAAS,GAAG,OAAO,EAAE,KAAK,CAAA;QAEhC,6CAA6C;QAC7C,IAAI,IAAA,yBAAU,EAAC,OAAO,CAAC,WAAW,CAAC,CAAC,IAAI,OAAO,CAAC,WAAW,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1E,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAA;QACrD,CAAC;QACD,IAAI,OAAO,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YAClD,MAAM,OAAO,GAAG,EAAE,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,CAAC,EAAW,CAAA;YAChE,IAAA,sBAAS,EAAC,GAAG,EAAE,WAAW,EAAE,EAAE,EAAE,OAAO,CAAC,CAAA;YACxC,IAAA,sBAAS,EAAC,GAAG,EAAE,YAAY,EAAE,EAAE,EAAE,OAAO,CAAC,CAAA;QAC3C,CAAC;QAED,kCAAkC;QAClC,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;YAC5B,sDAAsD;YACtD,IAAI,QAAQ;gBAAE,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;YAErD,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO;YACL,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE;YAC9B,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU;SACpD,CAAA;IACH,CAAC;IAEO,WAAW,CACjB,OAA2C,EAC3C,IAAY,EACZ,MAA4D;QAE5D,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;QACpE,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAA;QAE1B,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;QACzC,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO,IAAI,CAAA;QAEhC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAA;QAEzB,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,QAAQ,GAAG,GAAG,IAAI,OAAO,CAAA;YAE/B,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;YACxE,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAI,CAAA;YAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;YAC1D,IAAI,GAAG,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAA;YAExB,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,KAAK,CAAC,EAAE,CAAA;QACzC,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,CAAA;IACrC,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,GAAoB,EACpB,GAAmB,EACnB,EAAE,QAAQ,EAAE,SAAS,EAAe;QAEpC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAA;QACzC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAA;IAC5C,CAAC;IAEO,WAAW,CAAC,GAAmB,EAAE,IAAY,EAAE,KAAc;QACnE,MAAM,aAAa,GAAG;YACpB,MAAM,EAAE,KAAK;gBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,IAAI;oBAC/B,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI;gBAClC,CAAC,CAAC,CAAC;YACL,QAAQ,EAAE,IAAI;YACd,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,KAAK,KAAK;YAC5C,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ;SAC9B,CAAA;QAEV,IAAA,sBAAS,EAAC,GAAG,EAAE,IAAI,EAAE,KAAK,IAAI,EAAE,EAAE,aAAa,CAAC,CAAA;QAEhD,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YAC9D,IAAA,sBAAS,EAAC,GAAG,EAAE,GAAG,IAAI,OAAO,EAAE,IAAI,EAAE,aAAa,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAEM,kBAAkB,CAAC,GAAoB;QAC5C,OAAO,IAAA,mCAAsB,EAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;IAClD,CAAC;CACF;AA7ND,sCA6NC","sourcesContent":["import type { IncomingMessage, ServerResponse } from 'node:http'\nimport { z } from 'zod'\nimport { SESSION_FIXATION_MAX_AGE } from '../constants.js'\nimport { parseHttpCookies } from '../lib/http/index.js'\nimport {\n  RequestMetadata,\n  extractRequestMetadata,\n  setCookie,\n} from '../lib/http/request.js'\nimport { DeviceData } from './device-data.js'\nimport {\n  DeviceId,\n  deviceIdSchema,\n  generateDeviceId,\n  isDeviceId,\n} from './device-id.js'\nimport { DeviceStore } from './device-store.js'\nimport { generateSessionId, sessionIdSchema } from './session-id.js'\n\n/**\n * @see {@link https://www.npmjs.com/package/keygrip | Keygrip}\n */\nexport const keygripSchema = z.object({\n  sign: z.function().args(z.any()).returns(z.string()),\n  verify: z.function().args(z.any(), z.string()).returns(z.boolean()),\n  index: z.function().args(z.any(), z.string()).returns(z.number()),\n})\n\nexport const deviceManagerOptionsSchema = z.object({\n  /**\n   * Controls whether the IP address is read from the `X-Forwarded-For` header\n   * (if `true`), or from the `req.socket.remoteAddress` property (if `false`).\n   */\n  trustProxy: z\n    .function()\n    .args<[addr: z.ZodString, i: z.ZodNumber]>(z.string(), z.number())\n    .returns(z.boolean())\n    .optional(),\n\n  /**\n   * Amount of time (in ms) after which session IDs will be rotated\n   *\n   * @default 300e3 // (5 minutes)\n   */\n  rotationRate: z.number().default(300e3),\n  /**\n   * Cookie options\n   */\n  cookie: z\n    .object({\n      keys: keygripSchema.optional(),\n      /**\n       * Amount of time (in ms) after which the session cookie will expire.\n       * If set to `null`, the cookie will be a session cookie (deleted when the\n       * browser is closed).\n       *\n       * @default 10 years\n       */\n      age: z\n        .number()\n        .nullable()\n        .default(10 * 365.2 * 24 * 60 * 60e3),\n      /**\n       * Controls whether the cookie is only sent over HTTPS (if `true`), or also\n       * over HTTP (if `false`). This should **NOT** be set to `false` in\n       * production.\n       */\n      secure: z.boolean().default(true),\n      /**\n       * Controls whether the cookie is sent along with cross-site requests.\n       *\n       * @default 'lax'\n       */\n      sameSite: z.enum(['lax', 'strict']).default('lax'),\n    })\n    .default({}),\n})\n\nexport type DeviceManagerOptions = z.input<typeof deviceManagerOptionsSchema>\n\ntype CookieValue = {\n  deviceId: DeviceId\n  sessionId: string\n}\n\nexport type DeviceInfo = {\n  deviceId: DeviceId\n  deviceMetadata: RequestMetadata\n}\n\n/**\n * This class provides an abstraction for keeping track of DEVICE sessions. It\n * relies on a {@link DeviceStore} to persist session data and a cookie to\n * identify the session.\n */\nexport class DeviceManager {\n  private readonly options: z.infer<typeof deviceManagerOptionsSchema>\n\n  constructor(\n    private readonly store: DeviceStore,\n    options: DeviceManagerOptions = {},\n  ) {\n    this.options = deviceManagerOptionsSchema.parse(options)\n  }\n\n  public async load(\n    req: IncomingMessage,\n    res: ServerResponse,\n    forceRotate = false,\n  ): Promise<DeviceInfo> {\n    const cookie = await this.getCookies(req, res)\n    if (cookie) {\n      return this.refresh(\n        req,\n        res,\n        cookie.value,\n        forceRotate || cookie.mustRotate,\n      )\n    } else {\n      return this.create(req, res)\n    }\n  }\n\n  private async create(\n    req: IncomingMessage,\n    res: ServerResponse,\n  ): Promise<DeviceInfo> {\n    const deviceMetadata = this.getRequestMetadata(req)\n\n    const [deviceId, sessionId] = await Promise.all([\n      generateDeviceId(),\n      generateSessionId(),\n    ] as const)\n\n    await this.store.createDevice(deviceId, {\n      sessionId,\n      lastSeenAt: new Date(),\n      userAgent: deviceMetadata.userAgent ?? null,\n      ipAddress: deviceMetadata.ipAddress,\n    })\n\n    await this.setCookies(req, res, { deviceId, sessionId })\n\n    return { deviceId, deviceMetadata }\n  }\n\n  private async refresh(\n    req: IncomingMessage,\n    res: ServerResponse,\n    { deviceId, sessionId }: CookieValue,\n    forceRotate = false,\n  ): Promise<DeviceInfo> {\n    const data = await this.store.readDevice(deviceId)\n    if (!data) return this.create(req, res)\n\n    const lastSeenAt = new Date(data.lastSeenAt)\n    const age = Date.now() - lastSeenAt.getTime()\n\n    if (sessionId !== data.sessionId) {\n      if (age <= SESSION_FIXATION_MAX_AGE) {\n        // The cookie was probably rotated by a concurrent request. Let's\n        // update the cookie with the new sessionId.\n        forceRotate = true\n      } else {\n        // Something's wrong. Let's create a new session.\n        await this.store.deleteDevice(deviceId)\n        return this.create(req, res)\n      }\n    }\n\n    const deviceMetadata = this.getRequestMetadata(req)\n\n    if (\n      forceRotate ||\n      deviceMetadata.ipAddress !== data.ipAddress ||\n      deviceMetadata.userAgent !== data.userAgent ||\n      age > this.options.rotationRate\n    ) {\n      await this.rotate(req, res, deviceId, {\n        ipAddress: deviceMetadata.ipAddress,\n        userAgent: deviceMetadata.userAgent || data.userAgent,\n      })\n    }\n\n    return { deviceId, deviceMetadata }\n  }\n\n  private async rotate(\n    req: IncomingMessage,\n    res: ServerResponse,\n    deviceId: DeviceId,\n    data?: Partial<Omit<DeviceData, 'sessionId' | 'lastSeenAt'>>,\n  ): Promise<void> {\n    const sessionId = await generateSessionId()\n\n    await this.store.updateDevice(deviceId, {\n      ...data,\n      sessionId,\n      lastSeenAt: new Date(),\n    })\n\n    await this.setCookies(req, res, { deviceId, sessionId })\n  }\n\n  private async getCookies(\n    req: IncomingMessage,\n    res: ServerResponse,\n  ): Promise<{ value: CookieValue; mustRotate: boolean } | null> {\n    const cookies = parseHttpCookies(req)\n\n    // Old cookies were set for the \"/oauth/authorize\" path while new cookies\n    // need to be set for the \"/\" path (in order to be valid on the api,\n    // authorization page and account page). This means that if a user has both\n    // cookies set, the browser would use the old cookie for the\n    // \"/oauth/authorize\" path and the new cookie for all other paths. Because\n    // of this, different \"phantom\" sessions would be created for the same\n    // device. To avoid this, we needed to change the cookie name. We can still\n    // attempt to read the old cookie in order to carry over the session from\n    // the \"/oauth/authorize\" path to the \"/\" path. This will only work if the\n    // user visits the \"/oauth/authorize\" path first.\n\n    const device =\n      this.parseCookie(cookies, `dev-id`, deviceIdSchema) ||\n      this.parseCookie(cookies, 'device-id', deviceIdSchema)\n    const session =\n      this.parseCookie(cookies, `ses-id`, sessionIdSchema) ||\n      this.parseCookie(cookies, 'session-id', sessionIdSchema)\n\n    const deviceId = device?.value\n    const sessionId = session?.value\n\n    // Clear the legacy cookies, if they are set.\n    if (isDeviceId(cookies['device-id']) && cookies['device-id'] !== deviceId) {\n      await this.store.deleteDevice(cookies['device-id'])\n    }\n    if (cookies['device-id'] || cookies['session-id']) {\n      const options = { path: '/oauth/authorize', maxAge: 0 } as const\n      setCookie(res, 'device-id', '', options)\n      setCookie(res, 'session-id', '', options)\n    }\n\n    // Silently ignore invalid cookies\n    if (!deviceId || !sessionId) {\n      // If the device cookie is valid, let's cleanup the DB\n      if (deviceId) await this.store.deleteDevice(deviceId)\n\n      return null\n    }\n\n    return {\n      value: { deviceId, sessionId },\n      mustRotate: device.mustRotate || session.mustRotate,\n    }\n  }\n\n  private parseCookie<T>(\n    cookies: Record<string, string | undefined>,\n    name: string,\n    schema: z.ZodType<T> | z.ZodEffects<z.ZodTypeAny, T, string>,\n  ): null | { value: T; mustRotate: boolean } {\n    const rawValue = Object.hasOwn(cookies, name) ? cookies[name] : null\n    if (!rawValue) return null\n\n    const result = schema.safeParse(rawValue)\n    if (!result.success) return null\n\n    const value = result.data\n\n    if (this.options.cookie.keys) {\n      const hashName = `${name}:hash`\n\n      const hash = Object.hasOwn(cookies, hashName) ? cookies[hashName] : null\n      if (!hash) return null\n\n      const idx = this.options.cookie.keys.index(rawValue, hash)\n      if (idx < 0) return null\n\n      return { value, mustRotate: idx !== 0 }\n    }\n\n    return { value, mustRotate: false }\n  }\n\n  private async setCookies(\n    req: IncomingMessage,\n    res: ServerResponse,\n    { deviceId, sessionId }: CookieValue,\n  ) {\n    this.writeCookie(res, `dev-id`, deviceId)\n    this.writeCookie(res, `ses-id`, sessionId)\n  }\n\n  private writeCookie(res: ServerResponse, name: string, value?: string) {\n    const cookieOptions = {\n      maxAge: value\n        ? this.options.cookie.age == null\n          ? undefined\n          : this.options.cookie.age / 1000\n        : 0,\n      httpOnly: true,\n      path: '/',\n      secure: this.options.cookie.secure !== false,\n      sameSite: this.options.cookie.sameSite,\n    } as const\n\n    setCookie(res, name, value || '', cookieOptions)\n\n    if (this.options.cookie.keys) {\n      const hash = value ? this.options.cookie.keys.sign(value) : ''\n      setCookie(res, `${name}:hash`, hash, cookieOptions)\n    }\n  }\n\n  public getRequestMetadata(req: IncomingMessage) {\n    return extractRequestMetadata(req, this.options)\n  }\n}\n"]}

package/dist/device/device-store.js.map

@@ -1 +1 @@
-{"version":3,"file":"device-store.js","sourceRoot":"","sources":["../../src/device/device-store.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAyBA,sCAKC;AA9BD,iDAAsE;AAItE,iEAAiE;AACjE,mDAAgC;AAChC,iDAA8B;AAC9B,kDAA+B;AAWlB,QAAA,aAAa,GAAG,IAAA,+BAAqB,EAAc;IAC9D,cAAc;IACd,YAAY;IACZ,cAAc;IACd,cAAc;CACf,CAAC,CAAA;AAEF,SAAgB,aAAa,CAAI,cAAiB;IAChD,IAAI,CAAC,cAAc,IAAI,CAAC,IAAA,qBAAa,EAAC,cAAc,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;IACvD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC"}
+{"version":3,"file":"device-store.js","sourceRoot":"","sources":["../../src/device/device-store.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAyBA,sCAKC;AA9BD,iDAAsE;AAItE,iEAAiE;AACjE,mDAAgC;AAChC,iDAA8B;AAC9B,kDAA+B;AAWlB,QAAA,aAAa,GAAG,IAAA,+BAAqB,EAAc;IAC9D,cAAc;IACd,YAAY;IACZ,cAAc;IACd,cAAc;CACf,CAAC,CAAA;AAEF,SAAgB,aAAa,CAAI,cAAiB;IAChD,IAAI,CAAC,cAAc,IAAI,CAAC,IAAA,qBAAa,EAAC,cAAc,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;IACvD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC","sourcesContent":["import { Awaitable, buildInterfaceChecker } from '../lib/util/type.js'\nimport { DeviceData } from './device-data.js'\nimport { DeviceId } from './device-id.js'\n\n// Export all types needed to implement the DeviceStore interface\nexport * from './device-data.js'\nexport * from './device-id.js'\nexport * from './session-id.js'\n\nexport type { Awaitable }\n\nexport interface DeviceStore {\n  createDevice(deviceId: DeviceId, data: DeviceData): Awaitable<void>\n  readDevice(deviceId: DeviceId): Awaitable<DeviceData | null>\n  updateDevice(deviceId: DeviceId, data: Partial<DeviceData>): Awaitable<void>\n  deleteDevice(deviceId: DeviceId): Awaitable<void>\n}\n\nexport const isDeviceStore = buildInterfaceChecker<DeviceStore>([\n  'createDevice',\n  'readDevice',\n  'updateDevice',\n  'deleteDevice',\n])\n\nexport function asDeviceStore<V>(implementation: V): V & DeviceStore {\n  if (!implementation || !isDeviceStore(implementation)) {\n    throw new Error('Invalid DeviceStore implementation')\n  }\n  return implementation\n}\n"]}

package/dist/device/session-id.js.map

@@ -1 +1 @@
-{"version":3,"file":"session-id.js","sourceRoot":"","sources":["../../src/device/session-id.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,kDAA4E;AAC5E,qDAAmD;AAEtC,QAAA,iBAAiB,GAC5B,gCAAiB,CAAC,MAAM,GAAG,sCAAuB,GAAG,CAAC,CAAA,CAAC,eAAe;AAE3D,QAAA,eAAe,GAAG,OAAC;KAC7B,MAAM,EAAE;KACR,MAAM,CAAC,yBAAiB,CAAC;KACzB,MAAM,CACL,CAAC,CAAC,EAA+C,EAAE,CACjD,CAAC,CAAC,UAAU,CAAC,gCAAiB,CAAC,EACjC;IACE,OAAO,EAAE,2BAA2B;CACrC,CACF,CAAA;AAEI,MAAM,iBAAiB,GAAG,KAAK,IAAwB,EAAE;IAC9D,OAAO,GAAG,gCAAiB,GAAG,MAAM,IAAA,uBAAW,EAAC,sCAAuB,CAAC,EAAE,CAAA;AAC5E,CAAC,CAAA;AAFY,QAAA,iBAAiB,qBAE7B"}
+{"version":3,"file":"session-id.js","sourceRoot":"","sources":["../../src/device/session-id.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,kDAA4E;AAC5E,qDAAmD;AAEtC,QAAA,iBAAiB,GAC5B,gCAAiB,CAAC,MAAM,GAAG,sCAAuB,GAAG,CAAC,CAAA,CAAC,eAAe;AAE3D,QAAA,eAAe,GAAG,OAAC;KAC7B,MAAM,EAAE;KACR,MAAM,CAAC,yBAAiB,CAAC;KACzB,MAAM,CACL,CAAC,CAAC,EAA+C,EAAE,CACjD,CAAC,CAAC,UAAU,CAAC,gCAAiB,CAAC,EACjC;IACE,OAAO,EAAE,2BAA2B;CACrC,CACF,CAAA;AAEI,MAAM,iBAAiB,GAAG,KAAK,IAAwB,EAAE;IAC9D,OAAO,GAAG,gCAAiB,GAAG,MAAM,IAAA,uBAAW,EAAC,sCAAuB,CAAC,EAAE,CAAA;AAC5E,CAAC,CAAA;AAFY,QAAA,iBAAiB,qBAE7B","sourcesContent":["import { z } from 'zod'\nimport { SESSION_ID_BYTES_LENGTH, SESSION_ID_PREFIX } from '../constants.js'\nimport { randomHexId } from '../lib/util/crypto.js'\n\nexport const SESSION_ID_LENGTH =\n  SESSION_ID_PREFIX.length + SESSION_ID_BYTES_LENGTH * 2 // hex encoding\n\nexport const sessionIdSchema = z\n  .string()\n  .length(SESSION_ID_LENGTH)\n  .refine(\n    (v): v is `${typeof SESSION_ID_PREFIX}${string}` =>\n      v.startsWith(SESSION_ID_PREFIX),\n    {\n      message: `Invalid session ID format`,\n    },\n  )\nexport type SessionId = z.infer<typeof sessionIdSchema>\nexport const generateSessionId = async (): Promise<SessionId> => {\n  return `${SESSION_ID_PREFIX}${await randomHexId(SESSION_ID_BYTES_LENGTH)}`\n}\n"]}

package/dist/dpop/dpop-manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"dpop-manager.js","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":";;;AAAA,6CAAwC;AACxC,+BAA6E;AAC7E,6BAAuB;AACvB,sCAA8C;AAC9C,kDAAoD;AACpD,uFAA6E;AAC7E,+EAAqE;AACrE,iDAA2C;AAC3C,mDAKwB;AAKf,0FATP,yBAAS,OASO;AAFlB,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAIf,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;;;OAKG;IACH,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,gCAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpE,oBAAoB,EAAE,sCAAsB,CAAC,QAAQ,EAAE;CACxD,CAAC,CAAA;AAGF,MAAa,WAAW;IACH,SAAS,CAAY;IAExC,YAAY,UAA8B,EAAE;QAC1C,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GACxC,gCAAwB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACzC,IAAI,CAAC,SAAS;YACZ,UAAU,KAAK,KAAK;gBAClB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,yBAAS,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAA;IACvD,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAA;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,UAAkB,EAClB,OAAsB,EACtB,WAA0D,EAC1D,WAAoB;QAEpB,4CAA4C;QAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,KAAK,GAAG,YAAY,CAAC,WAAW,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QAEvB,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,kBAAW,EAAE;YACvE,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,EAAE,EAAE,iDAAiD;YAClE,cAAc,EAAE,iCAAkB,GAAG,GAAG;SACzC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,yBAAyB,CAAC,GAAG,EAAE,6BAA6B,CAAC,CAAA;QACrE,CAAC,CAAC,CAAA;QAEF,mEAAmE;QACnE,2EAA2E;QAC3E,4CAA4C;QAE5C,+DAA+D;QAC/D,yBAAyB;QACzB,sBAAsB;QACtB,kEAAkE;QAClE,OAAO;QAEP,2EAA2E;QAC3E,oCAAoC;QACpC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,OAAO,CAAA;QAE7C,IAAI,KAAK,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,IAAI,mDAAqB,CAAC,2BAA2B,CAAC,CAAA;QAC9D,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,mDAAqB,CAAC,oBAAoB,CAAC,CAAA;QACvD,CAAC;QAED,yEAAyE;QACzE,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YAC/B,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,mDAAqB,CAAC,yBAAyB,CAAC,CAAA;QAC5D,CAAC;QAED,uEAAuE;QACvE,gEAAgE;QAChE,mEAAmE;QACnE,6BAA6B;QAC7B,EAAE;QACF,wGAAwG;QACxG,IAAI,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;YACvD,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,2CAAiB,EAAE,CAAA;QAC/B,CAAC;QAED,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,2CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,eAAe,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;YACzE,IAAI,GAAG,KAAK,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClD,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;YACxD,CAAC;QACH,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,mDAAqB,CAAC,8BAA8B,CAAC,CAAA;QACjE,CAAC;QAED,oEAAoE;QACpE,oCAAoC;QACpC,MAAM,GAAG,GAAG,eAAe,CAAC,GAAI,CAAA;QAChC,MAAM,GAAG,GAAG,MAAM,IAAA,6BAAsB,EAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpE,MAAM,yBAAyB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;QACjE,CAAC,CAAC,CAAA;QAEF,0EAA0E;QAC1E,UAAU;QACV,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAA;IAC9C,CAAC;CACF;AA9GD,kCA8GC;AAED,SAAS,YAAY,CACnB,WAA0D;IAE1D,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACtC,QAAQ,OAAO,UAAU,EAAE,CAAC;QAC1B,KAAK,QAAQ;YACX,IAAI,UAAU;gBAAE,OAAO,UAAU,CAAA;YACjC,MAAM,IAAI,mDAAqB,CAAC,6BAA6B,CAAC,CAAA;QAChE,KAAK,QAAQ;YACX,yEAAyE;YACzE,uDAAuD;YACvD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC;gBAAE,OAAO,UAAU,CAAC,CAAC,CAAE,CAAA;YACnE,MAAM,IAAI,mDAAqB,CAAC,yCAAyC,CAAC,CAAA;QAC5E;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,eAAe,CAAC,GAAkB;IACzC,mEAAmE;IACnE,OAAO,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;AAClC,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,GAAG,GAAG,IAAA,eAAK,EAAC,GAAG,CAAC,CAAA;IACtB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,mDAAqB,CAAC,+BAA+B,CAAC,CAAA;IAClE,CAAC;IAED,4EAA4E;IAC5E,yEAAyE;IACzE,0BAA0B;IAE1B,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,mDAAqB,CAAC,yCAAyC,CAAC,CAAA;IAC5E,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,MAAM,IAAI,mDAAqB,CAAC,kCAAkC,CAAC,CAAA;IACrE,CAAC;IAED,0EAA0E;IAC1E,2EAA2E;IAC3E,oDAAoD;IAEpD,0CAA0C;IAC1C,OAAO,eAAe,CAAC,GAAG,CAAC,CAAA;AAC7B,CAAC;AAED,SAAS,yBAAyB,CAChC,GAAY,EACZ,KAAa;IAEb,MAAM,GAAG,GACP,GAAG,YAAY,SAAS,IAAI,GAAG,YAAY,qBAAe;QACxD,CAAC,CAAC,GAAG,KAAK,KAAK,GAAG,CAAC,OAAO,EAAE;QAC5B,CAAC,CAAC,KAAK,CAAA;IACX,OAAO,IAAI,mDAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AAC5C,CAAC"}
+{"version":3,"file":"dpop-manager.js","sourceRoot":"","sources":["../../src/dpop/dpop-manager.ts"],"names":[],"mappings":";;;AAAA,6CAAwC;AACxC,+BAA6E;AAC7E,6BAAuB;AACvB,sCAA8C;AAC9C,kDAAoD;AACpD,uFAA6E;AAC7E,+EAAqE;AACrE,iDAA2C;AAC3C,mDAKwB;AAKf,0FATP,yBAAS,OASO;AAFlB,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAIf,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;;;OAKG;IACH,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,gCAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpE,oBAAoB,EAAE,sCAAsB,CAAC,QAAQ,EAAE;CACxD,CAAC,CAAA;AAGF,MAAa,WAAW;IACH,SAAS,CAAY;IAExC,YAAY,UAA8B,EAAE;QAC1C,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GACxC,gCAAwB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACzC,IAAI,CAAC,SAAS;YACZ,UAAU,KAAK,KAAK;gBAClB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,yBAAS,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAA;IACvD,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAA;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,UAAkB,EAClB,OAAsB,EACtB,WAA0D,EAC1D,WAAoB;QAEpB,4CAA4C;QAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,KAAK,GAAG,YAAY,CAAC,WAAW,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QAEvB,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,kBAAW,EAAE;YACvE,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,EAAE,EAAE,iDAAiD;YAClE,cAAc,EAAE,iCAAkB,GAAG,GAAG;SACzC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,yBAAyB,CAAC,GAAG,EAAE,6BAA6B,CAAC,CAAA;QACrE,CAAC,CAAC,CAAA;QAEF,mEAAmE;QACnE,2EAA2E;QAC3E,4CAA4C;QAE5C,+DAA+D;QAC/D,yBAAyB;QACzB,sBAAsB;QACtB,kEAAkE;QAClE,OAAO;QAEP,2EAA2E;QAC3E,oCAAoC;QACpC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,OAAO,CAAA;QAE7C,IAAI,KAAK,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,IAAI,mDAAqB,CAAC,2BAA2B,CAAC,CAAA;QAC9D,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,mDAAqB,CAAC,oBAAoB,CAAC,CAAA;QACvD,CAAC;QAED,yEAAyE;QACzE,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YAC/B,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,mDAAqB,CAAC,yBAAyB,CAAC,CAAA;QAC5D,CAAC;QAED,uEAAuE;QACvE,gEAAgE;QAChE,mEAAmE;QACnE,6BAA6B;QAC7B,EAAE;QACF,wGAAwG;QACxG,IAAI,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;YACvD,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,2CAAiB,EAAE,CAAA;QAC/B,CAAC;QAED,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,2CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,eAAe,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;YACzE,IAAI,GAAG,KAAK,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClD,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;YACxD,CAAC;QACH,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,mDAAqB,CAAC,8BAA8B,CAAC,CAAA;QACjE,CAAC;QAED,oEAAoE;QACpE,oCAAoC;QACpC,MAAM,GAAG,GAAG,eAAe,CAAC,GAAI,CAAA;QAChC,MAAM,GAAG,GAAG,MAAM,IAAA,6BAAsB,EAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACpE,MAAM,yBAAyB,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;QACjE,CAAC,CAAC,CAAA;QAEF,0EAA0E;QAC1E,UAAU;QACV,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAA;IAC9C,CAAC;CACF;AA9GD,kCA8GC;AAED,SAAS,YAAY,CACnB,WAA0D;IAE1D,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACtC,QAAQ,OAAO,UAAU,EAAE,CAAC;QAC1B,KAAK,QAAQ;YACX,IAAI,UAAU;gBAAE,OAAO,UAAU,CAAA;YACjC,MAAM,IAAI,mDAAqB,CAAC,6BAA6B,CAAC,CAAA;QAChE,KAAK,QAAQ;YACX,yEAAyE;YACzE,uDAAuD;YACvD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC;gBAAE,OAAO,UAAU,CAAC,CAAC,CAAE,CAAA;YACnE,MAAM,IAAI,mDAAqB,CAAC,yCAAyC,CAAC,CAAA;QAC5E;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,eAAe,CAAC,GAAkB;IACzC,mEAAmE;IACnE,OAAO,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;AAClC,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,GAAG,GAAG,IAAA,eAAK,EAAC,GAAG,CAAC,CAAA;IACtB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,mDAAqB,CAAC,+BAA+B,CAAC,CAAA;IAClE,CAAC;IAED,4EAA4E;IAC5E,yEAAyE;IACzE,0BAA0B;IAE1B,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,mDAAqB,CAAC,yCAAyC,CAAC,CAAA;IAC5E,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,MAAM,IAAI,mDAAqB,CAAC,kCAAkC,CAAC,CAAA;IACrE,CAAC;IAED,0EAA0E;IAC1E,2EAA2E;IAC3E,oDAAoD;IAEpD,0CAA0C;IAC1C,OAAO,eAAe,CAAC,GAAG,CAAC,CAAA;AAC7B,CAAC;AAED,SAAS,yBAAyB,CAChC,GAAY,EACZ,KAAa;IAEb,MAAM,GAAG,GACP,GAAG,YAAY,SAAS,IAAI,GAAG,YAAY,qBAAe;QACxD,CAAC,CAAC,GAAG,KAAK,KAAK,GAAG,CAAC,OAAO,EAAE;QAC5B,CAAC,CAAC,KAAK,CAAA;IACX,OAAO,IAAI,mDAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AAC5C,CAAC","sourcesContent":["import { createHash } from 'node:crypto'\nimport { EmbeddedJWK, calculateJwkThumbprint, errors, jwtVerify } from 'jose'\nimport { z } from 'zod'\nimport { ValidationError } from '@atproto/jwk'\nimport { DPOP_NONCE_MAX_AGE } from '../constants.js'\nimport { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'\nimport { UseDpopNonceError } from '../errors/use-dpop-nonce-error.js'\nimport { ifURL } from '../lib/util/cast.js'\nimport {\n  DpopNonce,\n  DpopSecret,\n  dpopSecretSchema,\n  rotationIntervalSchema,\n} from './dpop-nonce.js'\nimport { DpopProof } from './dpop-proof.js'\n\nconst { JOSEError } = errors\n\nexport { DpopNonce, type DpopSecret }\n\nexport const dpopManagerOptionsSchema = z.object({\n  /**\n   * Set this to `false` to disable the use of nonces in DPoP proofs. Set this\n   * to a secret Uint8Array or hex encoded string to use a predictable seed for\n   * all nonces (typically useful when multiple instances are running). Leave\n   * undefined to generate a random seed at startup.\n   */\n  dpopSecret: z.union([z.literal(false), dpopSecretSchema]).optional(),\n  dpopRotationInterval: rotationIntervalSchema.optional(),\n})\nexport type DpopManagerOptions = z.input<typeof dpopManagerOptionsSchema>\n\nexport class DpopManager {\n  protected readonly dpopNonce?: DpopNonce\n\n  constructor(options: DpopManagerOptions = {}) {\n    const { dpopSecret, dpopRotationInterval } =\n      dpopManagerOptionsSchema.parse(options)\n    this.dpopNonce =\n      dpopSecret === false\n        ? undefined\n        : new DpopNonce(dpopSecret, dpopRotationInterval)\n  }\n\n  nextNonce(): string | undefined {\n    return this.dpopNonce?.next()\n  }\n\n  /**\n   * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}\n   */\n  async checkProof(\n    httpMethod: string,\n    httpUrl: Readonly<URL>,\n    httpHeaders: Record<string, undefined | string | string[]>,\n    accessToken?: string,\n  ): Promise<null | DpopProof> {\n    // Fool proofing against use of empty string\n    if (!httpMethod) {\n      throw new TypeError('HTTP method is required')\n    }\n\n    const proof = extractProof(httpHeaders)\n    if (!proof) return null\n\n    const { protectedHeader, payload } = await jwtVerify(proof, EmbeddedJWK, {\n      typ: 'dpop+jwt',\n      maxTokenAge: 10, // Will ensure presence & validity of \"iat\" claim\n      clockTolerance: DPOP_NONCE_MAX_AGE / 1e3,\n    }).catch((err) => {\n      throw wrapInvalidDpopProofError(err, 'Failed to verify DPoP proof')\n    })\n\n    // @NOTE For legacy & backwards compatibility reason, we cannot use\n    // `jwtPayloadSchema` here as it will reject DPoP proofs containing a query\n    // or fragment component in the \"htu\" claim.\n\n    // const { ath, htm, htu, jti, nonce } = await jwtPayloadSchema\n    //   .parseAsync(payload)\n    //   .catch((err) => {\n    //     throw buildInvalidDpopProofError('Invalid DPoP proof', err)\n    //   })\n\n    // @TODO Uncomment previous lines (and remove redundant checks bellow) once\n    // we decide to drop legacy support.\n    const { ath, htm, htu, jti, nonce } = payload\n\n    if (nonce !== undefined && typeof nonce !== 'string') {\n      throw new InvalidDpopProofError('Invalid DPoP \"nonce\" type')\n    }\n\n    if (!jti || typeof jti !== 'string') {\n      throw new InvalidDpopProofError('DPoP \"jti\" missing')\n    }\n\n    // Note rfc9110#section-9.1 states that the method name is case-sensitive\n    if (!htm || htm !== httpMethod) {\n      throw new InvalidDpopProofError('DPoP \"htm\" mismatch')\n    }\n\n    if (!htu || typeof htu !== 'string') {\n      throw new InvalidDpopProofError('Invalid DPoP \"htu\" type')\n    }\n\n    // > To reduce the likelihood of false negatives, servers SHOULD employ\n    // > syntax-based normalization (Section 6.2.2 of [RFC3986]) and\n    // > scheme-based normalization (Section 6.2.3 of [RFC3986]) before\n    // > comparing the htu claim.\n    //\n    // RFC9449 section 4.3. Checking DPoP Proofs - https://datatracker.ietf.org/doc/html/rfc9449#section-4.3\n    if (!htu || parseHtu(htu) !== normalizeHtuUrl(httpUrl)) {\n      throw new InvalidDpopProofError('DPoP \"htu\" mismatch')\n    }\n\n    if (!nonce && this.dpopNonce) {\n      throw new UseDpopNonceError()\n    }\n\n    if (nonce && !this.dpopNonce?.check(nonce)) {\n      throw new UseDpopNonceError('DPoP \"nonce\" mismatch')\n    }\n\n    if (accessToken) {\n      const accessTokenHash = createHash('sha256').update(accessToken).digest()\n      if (ath !== accessTokenHash.toString('base64url')) {\n        throw new InvalidDpopProofError('DPoP \"ath\" mismatch')\n      }\n    } else if (ath !== undefined) {\n      throw new InvalidDpopProofError('DPoP \"ath\" claim not allowed')\n    }\n\n    // @NOTE we can assert there is a jwk because the jwtVerify used the\n    // EmbeddedJWK key getter mechanism.\n    const jwk = protectedHeader.jwk!\n    const jkt = await calculateJwkThumbprint(jwk, 'sha256').catch((err) => {\n      throw wrapInvalidDpopProofError(err, 'Failed to calculate jkt')\n    })\n\n    // @NOTE We freeze the proof to prevent accidental modification (esp. from\n    // hooks).\n    return Object.freeze({ jti, jkt, htm, htu })\n  }\n}\n\nfunction extractProof(\n  httpHeaders: Record<string, undefined | string | string[]>,\n): string | null {\n  const dpopHeader = httpHeaders['dpop']\n  switch (typeof dpopHeader) {\n    case 'string':\n      if (dpopHeader) return dpopHeader\n      throw new InvalidDpopProofError('DPoP header cannot be empty')\n    case 'object':\n      // @NOTE the \"0\" case should never happen a node.js HTTP server will only\n      // return an array if the header is set multiple times.\n      if (dpopHeader.length === 1 && dpopHeader[0]) return dpopHeader[0]!\n      throw new InvalidDpopProofError('DPoP header must contain a single proof')\n    default:\n      return null\n  }\n}\n\n/**\n * Constructs the HTTP URI (htu) claim as defined in RFC9449.\n *\n * The htu claim is the normalized URL of the HTTP request, excluding the query\n * string and fragment. This function ensures that the URL is normalized by\n * removing the search and hash components, as well as by using an URL object to\n * simplify the pathname (e.g. removing dot segments).\n *\n * @returns The normalized URL as a string.\n * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}\n */\nfunction normalizeHtuUrl(url: Readonly<URL>): string {\n  // NodeJS's `URL` normalizes the pathname, so we can just use that.\n  return url.origin + url.pathname\n}\n\nfunction parseHtu(htu: string): string {\n  const url = ifURL(htu)\n  if (!url) {\n    throw new InvalidDpopProofError('DPoP \"htu\" is not a valid URL')\n  }\n\n  // @NOTE the checks bellow can be removed once once jwtPayloadSchema is used\n  // to validate the DPoP proof payload as it already performs these checks\n  // (though the htuSchema).\n\n  if (url.password || url.username) {\n    throw new InvalidDpopProofError('DPoP \"htu\" must not contain credentials')\n  }\n\n  if (url.protocol !== 'http:' && url.protocol !== 'https:') {\n    throw new InvalidDpopProofError('DPoP \"htu\" must be http or https')\n  }\n\n  // @NOTE For legacy & backwards compatibility reason, we allow a query and\n  // fragment in the DPoP proof's htu. This is not a standard behavior as the\n  // htu is not supposed to contain query or fragment.\n\n  // NodeJS's `URL` normalizes the pathname.\n  return normalizeHtuUrl(url)\n}\n\nfunction wrapInvalidDpopProofError(\n  err: unknown,\n  title: string,\n): InvalidDpopProofError {\n  const msg =\n    err instanceof JOSEError || err instanceof ValidationError\n      ? `${title}: ${err.message}`\n      : title\n  return new InvalidDpopProofError(msg, err)\n}\n"]}

package/dist/dpop/dpop-nonce.js.map

@@ -1 +1 @@
-{"version":3,"file":"dpop-nonce.js","sourceRoot":"","sources":["../../src/dpop/dpop-nonce.ts"],"names":[],"mappings":";;;AAAA,6CAAqD;AACrD,6BAAuB;AACvB,kDAAoD;AAEpD,MAAM,qBAAqB,GAAG,iCAAkB,GAAG,CAAC,CAAA;AACpD,MAAM,qBAAqB,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,qBAAqB,CAAC,CAAA;AAEtD,QAAA,sBAAsB,GAAG,OAAC;KACpC,MAAM,EAAE;KACR,GAAG,EAAE;KACL,GAAG,CAAC,qBAAqB,CAAC;KAC1B,GAAG,CAAC,qBAAqB,CAAC,CAAA;AAE7B,MAAM,kBAAkB,GAAG,EAAE,CAAA;AAEhB,QAAA,iBAAiB,GAAG,OAAC;KAC/B,UAAU,CAAC,UAAU,CAAC;KACtB,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,kBAAkB,EAAE;IACxD,OAAO,EAAE,0BAA0B,kBAAkB,aAAa;CACnE,CAAC,CAAA;AAES,QAAA,eAAe,GAAG,OAAC;KAC7B,MAAM,EAAE;KACR,KAAK,CACJ,cAAc,EACd,oBAAoB,kBAAkB,GAAG,CAAC,mBAAmB,CAC9D;KACA,MAAM,CAAC,kBAAkB,GAAG,CAAC,CAAC;KAC9B,SAAS,CAAC,CAAC,GAAG,EAAc,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;AAE7C,QAAA,gBAAgB,GAAG,OAAC,CAAC,KAAK,CAAC,CAAC,yBAAiB,EAAE,uBAAe,CAAC,CAAC,CAAA;AAG7E,MAAa,SAAS;IACX,iBAAiB,CAAQ;IACzB,OAAO,CAAY;IAE5B,cAAc;IACd,QAAQ,CAAQ;IAChB,KAAK,CAAQ;IACb,IAAI,CAAQ;IACZ,KAAK,CAAQ;IAEb,YACE,SAAqB,IAAA,yBAAW,EAAC,kBAAkB,CAAC,EACpD,gBAAgB,GAAG,qBAAqB;QAExC,IAAI,CAAC,iBAAiB,GAAG,8BAAsB,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;QACvE,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,wBAAgB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAA;QAE9D,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAA;QACnC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;QAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;IAC9C,CAAC;IAED;;OAEG;IACH,IAAc,cAAc;QAC1B,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;IAClD,CAAC;IAES,MAAM;QACd,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAA;QACnC,QAAQ,OAAO,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAChC,KAAK,CAAC;gBACJ,6CAA6C;gBAC7C,OAAM;YACR,KAAK,CAAC;gBACJ,+CAA+C;gBAC/C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,CAAA;gBACtB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAA;gBACtB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;YACP,KAAK,CAAC;gBACJ,wCAAwC;gBACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAA;gBACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;gBACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;YACP;gBACE,uDAAuD;gBACvD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;gBACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;QACT,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAA;IACzB,CAAC;IAES,OAAO,CAAC,OAAe;QAC/B,OAAO,IAAA,wBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC;aACtC,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;aAC5B,MAAM,EAAE;aACR,QAAQ,CAAC,WAAW,CAAC,CAAA;IAC1B,CAAC;IAEM,IAAI;QACT,IAAI,CAAC,MAAM,EAAE,CAAA;QACb,OAAO,IAAI,CAAC,KAAK,CAAA;IACnB,CAAC;IAEM,KAAK,CAAC,KAAa;QACxB,OAAO,IAAI,CAAC,KAAK,KAAK,KAAK,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,KAAK,KAAK,CAAA;IAC5E,CAAC;CACF;AAzED,8BAyEC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAA;IAC7B,iEAAiE;IACjE,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,CAAA;IACjB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,OAAO,GAAG,CAAA;AACZ,CAAC"}
+{"version":3,"file":"dpop-nonce.js","sourceRoot":"","sources":["../../src/dpop/dpop-nonce.ts"],"names":[],"mappings":";;;AAAA,6CAAqD;AACrD,6BAAuB;AACvB,kDAAoD;AAEpD,MAAM,qBAAqB,GAAG,iCAAkB,GAAG,CAAC,CAAA;AACpD,MAAM,qBAAqB,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,qBAAqB,CAAC,CAAA;AAEtD,QAAA,sBAAsB,GAAG,OAAC;KACpC,MAAM,EAAE;KACR,GAAG,EAAE;KACL,GAAG,CAAC,qBAAqB,CAAC;KAC1B,GAAG,CAAC,qBAAqB,CAAC,CAAA;AAE7B,MAAM,kBAAkB,GAAG,EAAE,CAAA;AAEhB,QAAA,iBAAiB,GAAG,OAAC;KAC/B,UAAU,CAAC,UAAU,CAAC;KACtB,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,kBAAkB,EAAE;IACxD,OAAO,EAAE,0BAA0B,kBAAkB,aAAa;CACnE,CAAC,CAAA;AAES,QAAA,eAAe,GAAG,OAAC;KAC7B,MAAM,EAAE;KACR,KAAK,CACJ,cAAc,EACd,oBAAoB,kBAAkB,GAAG,CAAC,mBAAmB,CAC9D;KACA,MAAM,CAAC,kBAAkB,GAAG,CAAC,CAAC;KAC9B,SAAS,CAAC,CAAC,GAAG,EAAc,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;AAE7C,QAAA,gBAAgB,GAAG,OAAC,CAAC,KAAK,CAAC,CAAC,yBAAiB,EAAE,uBAAe,CAAC,CAAC,CAAA;AAG7E,MAAa,SAAS;IACX,iBAAiB,CAAQ;IACzB,OAAO,CAAY;IAE5B,cAAc;IACd,QAAQ,CAAQ;IAChB,KAAK,CAAQ;IACb,IAAI,CAAQ;IACZ,KAAK,CAAQ;IAEb,YACE,SAAqB,IAAA,yBAAW,EAAC,kBAAkB,CAAC,EACpD,gBAAgB,GAAG,qBAAqB;QAExC,IAAI,CAAC,iBAAiB,GAAG,8BAAsB,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;QACvE,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,wBAAgB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAA;QAE9D,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAA;QACnC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;QAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;IAC9C,CAAC;IAED;;OAEG;IACH,IAAc,cAAc;QAC1B,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;IAClD,CAAC;IAES,MAAM;QACd,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAA;QACnC,QAAQ,OAAO,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAChC,KAAK,CAAC;gBACJ,6CAA6C;gBAC7C,OAAM;YACR,KAAK,CAAC;gBACJ,+CAA+C;gBAC/C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,CAAA;gBACtB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAA;gBACtB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;YACP,KAAK,CAAC;gBACJ,wCAAwC;gBACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAA;gBACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;gBACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;YACP;gBACE,uDAAuD;gBACvD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;gBACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACtC,MAAK;QACT,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAA;IACzB,CAAC;IAES,OAAO,CAAC,OAAe;QAC/B,OAAO,IAAA,wBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC;aACtC,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;aAC5B,MAAM,EAAE;aACR,QAAQ,CAAC,WAAW,CAAC,CAAA;IAC1B,CAAC;IAEM,IAAI;QACT,IAAI,CAAC,MAAM,EAAE,CAAA;QACb,OAAO,IAAI,CAAC,KAAK,CAAA;IACnB,CAAC;IAEM,KAAK,CAAC,KAAa;QACxB,OAAO,IAAI,CAAC,KAAK,KAAK,KAAK,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,KAAK,KAAK,CAAA;IAC5E,CAAC;CACF;AAzED,8BAyEC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAA;IAC7B,iEAAiE;IACjE,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,CAAA;IACjB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAA;IAClB,OAAO,GAAG,CAAA;AACZ,CAAC","sourcesContent":["import { createHmac, randomBytes } from 'node:crypto'\nimport { z } from 'zod'\nimport { DPOP_NONCE_MAX_AGE } from '../constants.js'\n\nconst MAX_ROTATION_INTERVAL = DPOP_NONCE_MAX_AGE / 3\nconst MIN_ROTATION_INTERVAL = Math.min(1000, MAX_ROTATION_INTERVAL)\n\nexport const rotationIntervalSchema = z\n  .number()\n  .int()\n  .min(MIN_ROTATION_INTERVAL)\n  .max(MAX_ROTATION_INTERVAL)\n\nconst SECRET_BYTE_LENGTH = 32\n\nexport const secretBytesSchema = z\n  .instanceof(Uint8Array)\n  .refine((secret) => secret.length === SECRET_BYTE_LENGTH, {\n    message: `Secret must be exactly ${SECRET_BYTE_LENGTH} bytes long`,\n  })\n\nexport const secretHexSchema = z\n  .string()\n  .regex(\n    /^[0-9a-f]+$/i,\n    `Secret must be a ${SECRET_BYTE_LENGTH * 2} chars hex string`,\n  )\n  .length(SECRET_BYTE_LENGTH * 2)\n  .transform((hex): Uint8Array => Buffer.from(hex, 'hex'))\n\nexport const dpopSecretSchema = z.union([secretBytesSchema, secretHexSchema])\nexport type DpopSecret = z.input<typeof dpopSecretSchema>\n\nexport class DpopNonce {\n  readonly #rotationInterval: number\n  readonly #secret: Uint8Array\n\n  // Nonce state\n  #counter: number\n  #prev: string\n  #now: string\n  #next: string\n\n  constructor(\n    secret: DpopSecret = randomBytes(SECRET_BYTE_LENGTH),\n    rotationInterval = MAX_ROTATION_INTERVAL,\n  ) {\n    this.#rotationInterval = rotationIntervalSchema.parse(rotationInterval)\n    this.#secret = Uint8Array.from(dpopSecretSchema.parse(secret))\n\n    this.#counter = this.currentCounter\n    this.#prev = this.compute(this.#counter - 1)\n    this.#now = this.compute(this.#counter)\n    this.#next = this.compute(this.#counter + 1)\n  }\n\n  /**\n   * Returns the number of full rotations since the epoch\n   */\n  protected get currentCounter() {\n    return (Date.now() / this.#rotationInterval) | 0\n  }\n\n  protected rotate() {\n    const counter = this.currentCounter\n    switch (counter - this.#counter) {\n      case 0:\n        // counter === this.#counter => nothing to do\n        return\n      case 1:\n        // Optimization: avoid recomputing #prev & #now\n        this.#prev = this.#now\n        this.#now = this.#next\n        this.#next = this.compute(counter + 1)\n        break\n      case 2:\n        // Optimization: avoid recomputing #prev\n        this.#prev = this.#next\n        this.#now = this.compute(counter)\n        this.#next = this.compute(counter + 1)\n        break\n      default:\n        // All nonces are outdated, so we recompute all of them\n        this.#prev = this.compute(counter - 1)\n        this.#now = this.compute(counter)\n        this.#next = this.compute(counter + 1)\n        break\n    }\n    this.#counter = counter\n  }\n\n  protected compute(counter: number) {\n    return createHmac('sha256', this.#secret)\n      .update(numTo64bits(counter))\n      .digest()\n      .toString('base64url')\n  }\n\n  public next() {\n    this.rotate()\n    return this.#next\n  }\n\n  public check(nonce: string) {\n    return this.#next === nonce || this.#now === nonce || this.#prev === nonce\n  }\n}\n\nfunction numTo64bits(num: number) {\n  const arr = new Uint8Array(8)\n  // @NOTE Assigning to an uint8 will only keep the last 8 int bits\n  arr[7] = num |= 0\n  arr[6] = num >>= 8\n  arr[5] = num >>= 8\n  arr[4] = num >>= 8\n  arr[3] = num >>= 8\n  arr[2] = num >>= 8\n  arr[1] = num >>= 8\n  arr[0] = num >>= 8\n  return arr\n}\n"]}

package/dist/dpop/dpop-proof.js.map

@@ -1 +1 @@
-{"version":3,"file":"dpop-proof.js","sourceRoot":"","sources":["../../src/dpop/dpop-proof.ts"],"names":[],"mappings":""}
+{"version":3,"file":"dpop-proof.js","sourceRoot":"","sources":["../../src/dpop/dpop-proof.ts"],"names":[],"mappings":"","sourcesContent":["export type DpopProof = Readonly<{\n  jti: string\n  jkt: string\n  htm: string\n  htu: string\n}>\n"]}

package/dist/errors/access-denied-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"access-denied-error.js","sourceRoot":"","sources":["../../src/errors/access-denied-error.ts"],"names":[],"mappings":";;;AACA,qEAA6D;AAE7D,MAAa,iBAAkB,SAAQ,2CAAkB;IACvD,YACE,UAA+C,EAC/C,iBAAiB,GAAG,eAAe,EACnC,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,eAAe,EAAE,KAAK,CAAC,CAAA;IAC9D,CAAC;CACF;AARD,8CAQC"}
+{"version":3,"file":"access-denied-error.js","sourceRoot":"","sources":["../../src/errors/access-denied-error.ts"],"names":[],"mappings":";;;AACA,qEAA6D;AAE7D,MAAa,iBAAkB,SAAQ,2CAAkB;IACvD,YACE,UAA+C,EAC/C,iBAAiB,GAAG,eAAe,EACnC,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,eAAe,EAAE,KAAK,CAAC,CAAA;IAC9D,CAAC;CACF;AARD,8CAQC","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport { AuthorizationError } from './authorization-error.js'\n\nexport class AccessDeniedError extends AuthorizationError {\n  constructor(\n    parameters: OAuthAuthorizationRequestParameters,\n    error_description = 'Access denied',\n    cause?: unknown,\n  ) {\n    super(parameters, error_description, 'access_denied', cause)\n  }\n}\n"]}

package/dist/errors/account-selection-required-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"account-selection-required-error.js","sourceRoot":"","sources":["../../src/errors/account-selection-required-error.ts"],"names":[],"mappings":";;;AACA,qEAA6D;AAE7D,MAAa,6BAA8B,SAAQ,2CAAkB;IACnE,YACE,UAA+C,EAC/C,iBAAiB,GAAG,4BAA4B,EAChD,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,4BAA4B,EAAE,KAAK,CAAC,CAAA;IAC3E,CAAC;CACF;AARD,sEAQC"}
+{"version":3,"file":"account-selection-required-error.js","sourceRoot":"","sources":["../../src/errors/account-selection-required-error.ts"],"names":[],"mappings":";;;AACA,qEAA6D;AAE7D,MAAa,6BAA8B,SAAQ,2CAAkB;IACnE,YACE,UAA+C,EAC/C,iBAAiB,GAAG,4BAA4B,EAChD,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,4BAA4B,EAAE,KAAK,CAAC,CAAA;IAC3E,CAAC;CACF;AARD,sEAQC","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport { AuthorizationError } from './authorization-error.js'\n\nexport class AccountSelectionRequiredError extends AuthorizationError {\n  constructor(\n    parameters: OAuthAuthorizationRequestParameters,\n    error_description = 'Account selection required',\n    cause?: unknown,\n  ) {\n    super(parameters, error_description, 'account_selection_required', cause)\n  }\n}\n"]}

package/dist/errors/authorization-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-error.js","sourceRoot":"","sources":["../../src/errors/authorization-error.ts"],"names":[],"mappings":";;;AACA,8FAGiD;AACjD,uDAAqD;AACrD,qDAA6C;AAI7C,MAAa,kBAAmB,SAAQ,2BAAU;IAE9B;IADlB,YACkB,UAA+C,EAC/D,iBAAyB,EACzB,QAAoC,iBAAiB,EACrD,KAAe;QAEf,KAAK,CAAC,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;QAL3B,eAAU,GAAV,UAAU,CAAqC;IAMjE,CAAC;IAED,MAAM,CAAC,IAAI,CACT,UAA+C,EAC/C,KAAc;QAEd,IAAI,KAAK,YAAY,kBAAkB;YAAE,OAAO,KAAK,CAAA;QACrD,MAAM,OAAO,GAAG,IAAA,mCAAiB,EAAC,KAAK,CAAC,CAAA;QACxC,OAAO,IAAI,kBAAkB,CAC3B,UAAU,EACV,OAAO,CAAC,iBAAiB,EACzB,IAAA,8DAA4B,EAAC,OAAO,CAAC,KAAK,CAAC;YACzC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,2CAA2C;YAC3D,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,YAAY,2BAAU;gBACtC,CAAC,CAAC,iBAAiB;gBACnB,CAAC,CAAC,cAAc,EACpB,KAAK,CACN,CAAA;IACH,CAAC;CACF;AA3BD,gDA2BC;AAED,SAAS,SAAS,CAAC,GAAY;IAC7B,OAAO,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;QACjD,GAAG,GAAG,GAAG,CAAC,KAAK,CAAA;IACjB,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC"}
+{"version":3,"file":"authorization-error.js","sourceRoot":"","sources":["../../src/errors/authorization-error.ts"],"names":[],"mappings":";;;AACA,8FAGiD;AACjD,uDAAqD;AACrD,qDAA6C;AAI7C,MAAa,kBAAmB,SAAQ,2BAAU;IAE9B;IADlB,YACkB,UAA+C,EAC/D,iBAAyB,EACzB,QAAoC,iBAAiB,EACrD,KAAe;QAEf,KAAK,CAAC,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;QAL3B,eAAU,GAAV,UAAU,CAAqC;IAMjE,CAAC;IAED,MAAM,CAAC,IAAI,CACT,UAA+C,EAC/C,KAAc;QAEd,IAAI,KAAK,YAAY,kBAAkB;YAAE,OAAO,KAAK,CAAA;QACrD,MAAM,OAAO,GAAG,IAAA,mCAAiB,EAAC,KAAK,CAAC,CAAA;QACxC,OAAO,IAAI,kBAAkB,CAC3B,UAAU,EACV,OAAO,CAAC,iBAAiB,EACzB,IAAA,8DAA4B,EAAC,OAAO,CAAC,KAAK,CAAC;YACzC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,2CAA2C;YAC3D,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,YAAY,2BAAU;gBACtC,CAAC,CAAC,iBAAiB;gBACnB,CAAC,CAAC,cAAc,EACpB,KAAK,CACN,CAAA;IACH,CAAC;CACF;AA3BD,gDA2BC;AAED,SAAS,SAAS,CAAC,GAAY;IAC7B,OAAO,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;QACjD,GAAG,GAAG,GAAG,CAAC,KAAK,CAAA;IACjB,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport {\n  AuthorizationResponseError,\n  isAuthorizationResponseError,\n} from '../types/authorization-response-error.js'\nimport { buildErrorPayload } from './error-parser.js'\nimport { OAuthError } from './oauth-error.js'\n\nexport type { AuthorizationResponseError, OAuthAuthorizationRequestParameters }\n\nexport class AuthorizationError extends OAuthError {\n  constructor(\n    public readonly parameters: OAuthAuthorizationRequestParameters,\n    error_description: string,\n    error: AuthorizationResponseError = 'invalid_request',\n    cause?: unknown,\n  ) {\n    super(error, error_description, 400, cause)\n  }\n\n  static from(\n    parameters: OAuthAuthorizationRequestParameters,\n    cause: unknown,\n  ): AuthorizationError {\n    if (cause instanceof AuthorizationError) return cause\n    const payload = buildErrorPayload(cause)\n    return new AuthorizationError(\n      parameters,\n      payload.error_description,\n      isAuthorizationResponseError(payload.error)\n        ? payload.error // Propagate \"error\" derived from the cause\n        : rootCause(cause) instanceof OAuthError\n          ? 'invalid_request'\n          : 'server_error',\n      cause,\n    )\n  }\n}\n\nfunction rootCause(err: unknown): unknown {\n  while (err instanceof Error && err.cause != null) {\n    err = err.cause\n  }\n  return err\n}\n"]}

package/dist/errors/consent-required-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"consent-required-error.js","sourceRoot":"","sources":["../../src/errors/consent-required-error.ts"],"names":[],"mappings":";;;AACA,qEAA6D;AAE7D,MAAa,oBAAqB,SAAQ,2CAAkB;IAC1D,YACE,UAA+C,EAC/C,iBAAiB,GAAG,uBAAuB,EAC3C,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,KAAK,CAAC,CAAA;IACjE,CAAC;CACF;AARD,oDAQC"}
+{"version":3,"file":"consent-required-error.js","sourceRoot":"","sources":["../../src/errors/consent-required-error.ts"],"names":[],"mappings":";;;AACA,qEAA6D;AAE7D,MAAa,oBAAqB,SAAQ,2CAAkB;IAC1D,YACE,UAA+C,EAC/C,iBAAiB,GAAG,uBAAuB,EAC3C,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,KAAK,CAAC,CAAA;IACjE,CAAC;CACF;AARD,oDAQC","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport { AuthorizationError } from './authorization-error.js'\n\nexport class ConsentRequiredError extends AuthorizationError {\n  constructor(\n    parameters: OAuthAuthorizationRequestParameters,\n    error_description = 'User consent required',\n    cause?: unknown,\n  ) {\n    super(parameters, error_description, 'consent_required', cause)\n  }\n}\n"]}

package/dist/errors/error-parser.js.map

@@ -1 +1 @@
-{"version":3,"file":"error-parser.js","sourceRoot":"","sources":["../../src/errors/error-parser.ts"],"names":[],"mappings":";;AAWA,4CAwCC;AAOD,8CAqDC;AA/GD,+BAA6B;AAC7B,6BAA8B;AAC9B,sCAA6C;AAC7C,2DAAyD;AACzD,qDAA6C;AAE7C,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAE5B,MAAM,eAAe,GAAG,iBAAiB,CAAA;AACzC,MAAM,YAAY,GAAG,cAAc,CAAA;AAEnC,SAAgB,gBAAgB,CAAC,KAAc;IAC7C,IAAI,KAAK,YAAY,2BAAU,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,UAAU,CAAA;IACzB,CAAC;IAED,IAAI,KAAK,YAAY,oBAAc,EAAE,CAAC;QACpC,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,cAAQ,EAAE,CAAC;QAC9B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAClB,OAAO,KAAK,CAAC,MAAM,CAAC,UAAU,CAAA;IAChC,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC,IAAI,CAAA;IACnB,CAAC;IAED,MAAM,MAAM,GAAI,KAAa,EAAE,MAAM,CAAA;IACrC,IACE,OAAO,MAAM,KAAK,QAAQ;QAC1B,MAAM,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;QACvB,MAAM,IAAI,GAAG;QACb,MAAM,GAAG,GAAG,EACZ,CAAC;QACD,OAAO,MAAM,CAAA;IACf,CAAC;IAED,OAAO,GAAG,CAAA;AACZ,CAAC;AAOD,SAAgB,iBAAiB,CAAC,KAAc;IAC9C,IAAI,KAAK,YAAY,2BAAU,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,MAAM,EAAE,CAAA;IACvB,CAAC;IAED,IAAI,KAAK,YAAY,cAAQ,EAAE,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,IAAA,6BAAc,EAAC,KAAK,EAAE,kBAAkB,CAAC;SAC7D,CAAA;IACH,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,CAAC,OAAO;SACjC,CAAA;IACH,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,CAAC,OAAO;SACjC,CAAA;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAClB,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;YACtE,iBAAiB,EACf,KAAK,CAAC,MAAM,CAAC,UAAU,IAAI,GAAG;gBAC5B,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC;oBACpC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO;oBAC9B,CAAC,CAAC,KAAK,CAAC,OAAO;gBACjB,CAAC,CAAC,cAAc;SACrB,CAAA;IACH,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;YACzD,iBAAiB,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO;SACzC,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAA;IACtC,OAAO;QACL,KAAK,EAAE,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;QACpD,iBAAiB,EACf,KAAK,YAAY,KAAK,IAAK,KAAa,EAAE,MAAM,KAAK,IAAI;YACvD,CAAC,CAAC,KAAK,CAAC,OAAO;YACf,CAAC,CAAC,cAAc;KACrB,CAAA;AACH,CAAC;AAED,SAAS,MAAM,CAAC,CAAU;IAIxB,OAAO,CACL,CAAC,YAAY,KAAK;QACjB,CAAS,CAAC,MAAM,KAAK,IAAI;QAC1B,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,CAC7C,CAAA;AACH,CAAC;AAED,SAAS,WAAW,CAAC,CAAU;IAI7B,OAAO,CACL,CAAC,YAAY,KAAK;QAClB,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAC1B,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAC5B,CAAA;AACH,CAAC;AAED,SAAS,eAAe,CAAC,CAAU;IACjC,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;AACtE,CAAC;AAED,SAAS,aAAa,CAAC,CAAU;IAC/B,OAAO,CACL,CAAC,IAAI,IAAI;QACT,OAAO,CAAC,KAAK,QAAQ;QACrB,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ;QAC9B,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ,CACjC,CAAA;AACH,CAAC"}
+{"version":3,"file":"error-parser.js","sourceRoot":"","sources":["../../src/errors/error-parser.ts"],"names":[],"mappings":";;AAWA,4CAwCC;AAOD,8CAqDC;AA/GD,+BAA6B;AAC7B,6BAA8B;AAC9B,sCAA6C;AAC7C,2DAAyD;AACzD,qDAA6C;AAE7C,MAAM,EAAE,SAAS,EAAE,GAAG,aAAM,CAAA;AAE5B,MAAM,eAAe,GAAG,iBAAiB,CAAA;AACzC,MAAM,YAAY,GAAG,cAAc,CAAA;AAEnC,SAAgB,gBAAgB,CAAC,KAAc;IAC7C,IAAI,KAAK,YAAY,2BAAU,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,UAAU,CAAA;IACzB,CAAC;IAED,IAAI,KAAK,YAAY,oBAAc,EAAE,CAAC;QACpC,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,cAAQ,EAAE,CAAC;QAC9B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAClB,OAAO,KAAK,CAAC,MAAM,CAAC,UAAU,CAAA;IAChC,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC,IAAI,CAAA;IACnB,CAAC;IAED,MAAM,MAAM,GAAI,KAAa,EAAE,MAAM,CAAA;IACrC,IACE,OAAO,MAAM,KAAK,QAAQ;QAC1B,MAAM,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;QACvB,MAAM,IAAI,GAAG;QACb,MAAM,GAAG,GAAG,EACZ,CAAC;QACD,OAAO,MAAM,CAAA;IACf,CAAC;IAED,OAAO,GAAG,CAAA;AACZ,CAAC;AAOD,SAAgB,iBAAiB,CAAC,KAAc;IAC9C,IAAI,KAAK,YAAY,2BAAU,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,MAAM,EAAE,CAAA;IACvB,CAAC;IAED,IAAI,KAAK,YAAY,cAAQ,EAAE,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,IAAA,6BAAc,EAAC,KAAK,EAAE,kBAAkB,CAAC;SAC7D,CAAA;IACH,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,CAAC,OAAO;SACjC,CAAA;IACH,CAAC;IAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,CAAC,OAAO;SACjC,CAAA;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAClB,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;YACtE,iBAAiB,EACf,KAAK,CAAC,MAAM,CAAC,UAAU,IAAI,GAAG;gBAC5B,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC;oBACpC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO;oBAC9B,CAAC,CAAC,KAAK,CAAC,OAAO;gBACjB,CAAC,CAAC,cAAc;SACrB,CAAA;IACH,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;YACzD,iBAAiB,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO;SACzC,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAA;IACtC,OAAO;QACL,KAAK,EAAE,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,YAAY;QACpD,iBAAiB,EACf,KAAK,YAAY,KAAK,IAAK,KAAa,EAAE,MAAM,KAAK,IAAI;YACvD,CAAC,CAAC,KAAK,CAAC,OAAO;YACf,CAAC,CAAC,cAAc;KACrB,CAAA;AACH,CAAC;AAED,SAAS,MAAM,CAAC,CAAU;IAIxB,OAAO,CACL,CAAC,YAAY,KAAK;QACjB,CAAS,CAAC,MAAM,KAAK,IAAI;QAC1B,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,CAC7C,CAAA;AACH,CAAC;AAED,SAAS,WAAW,CAAC,CAAU;IAI7B,OAAO,CACL,CAAC,YAAY,KAAK;QAClB,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAC1B,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAC5B,CAAA;AACH,CAAC;AAED,SAAS,eAAe,CAAC,CAAU;IACjC,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;AACtE,CAAC;AAED,SAAS,aAAa,CAAC,CAAU;IAC/B,OAAO,CACL,CAAC,IAAI,IAAI;QACT,OAAO,CAAC,KAAK,QAAQ;QACrB,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ;QAC9B,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ,CACjC,CAAA;AACH,CAAC","sourcesContent":["import { errors } from 'jose'\nimport { ZodError } from 'zod'\nimport { JwtVerifyError } from '@atproto/jwk'\nimport { formatZodError } from '../lib/util/zod-error.js'\nimport { OAuthError } from './oauth-error.js'\n\nconst { JOSEError } = errors\n\nconst INVALID_REQUEST = 'invalid_request'\nconst SERVER_ERROR = 'server_error'\n\nexport function buildErrorStatus(error: unknown): number {\n  if (error instanceof OAuthError) {\n    return error.statusCode\n  }\n\n  if (error instanceof JwtVerifyError) {\n    return 400\n  }\n\n  if (error instanceof ZodError) {\n    return 400\n  }\n\n  if (error instanceof JOSEError) {\n    return 400\n  }\n\n  if (error instanceof TypeError) {\n    return 400\n  }\n\n  if (isBoom(error)) {\n    return error.output.statusCode\n  }\n\n  if (isXrpcError(error)) {\n    return error.type\n  }\n\n  const status = (error as any)?.status\n  if (\n    typeof status === 'number' &&\n    status === (status | 0) &&\n    status >= 400 &&\n    status < 600\n  ) {\n    return status\n  }\n\n  return 500\n}\n\nexport type ErrorPayload = {\n  error: string\n  error_description: string\n}\n\nexport function buildErrorPayload(error: unknown): ErrorPayload {\n  if (error instanceof OAuthError) {\n    return error.toJSON()\n  }\n\n  if (error instanceof ZodError) {\n    return {\n      error: INVALID_REQUEST,\n      error_description: formatZodError(error, 'Validation error'),\n    }\n  }\n\n  if (error instanceof JOSEError) {\n    return {\n      error: INVALID_REQUEST,\n      error_description: error.message,\n    }\n  }\n\n  if (error instanceof TypeError) {\n    return {\n      error: INVALID_REQUEST,\n      error_description: error.message,\n    }\n  }\n\n  if (isBoom(error)) {\n    return {\n      error: error.output.statusCode <= 500 ? INVALID_REQUEST : SERVER_ERROR,\n      error_description:\n        error.output.statusCode <= 500\n          ? isPayloadLike(error.output?.payload)\n            ? error.output.payload.message\n            : error.message\n          : 'Server error',\n    }\n  }\n\n  if (isXrpcError(error)) {\n    return {\n      error: error.type <= 500 ? INVALID_REQUEST : SERVER_ERROR,\n      error_description: error.payload.message,\n    }\n  }\n\n  const status = buildErrorStatus(error)\n  return {\n    error: status < 500 ? INVALID_REQUEST : SERVER_ERROR,\n    error_description:\n      error instanceof Error && (error as any)?.expose === true\n        ? error.message\n        : 'Server error',\n  }\n}\n\nfunction isBoom(v: unknown): v is Error & {\n  isBoom: true\n  output: { statusCode: number; payload: unknown }\n} {\n  return (\n    v instanceof Error &&\n    (v as any).isBoom === true &&\n    isHttpErrorCode(v['output']?.['statusCode'])\n  )\n}\n\nfunction isXrpcError(v: unknown): v is Error & {\n  type: number\n  payload: { error: string; message: string }\n} {\n  return (\n    v instanceof Error &&\n    isHttpErrorCode(v['type']) &&\n    isPayloadLike(v['payload'])\n  )\n}\n\nfunction isHttpErrorCode(v: unknown): v is number {\n  return typeof v === 'number' && v >= 400 && v < 600 && v === (v | 0)\n}\n\nfunction isPayloadLike(v: unknown): v is { error: string; message: string } {\n  return (\n    v != null &&\n    typeof v === 'object' &&\n    typeof v['error'] === 'string' &&\n    typeof v['message'] === 'string'\n  )\n}\n"]}

package/dist/errors/handle-unavailable-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"handle-unavailable-error.js","sourceRoot":"","sources":["../../src/errors/handle-unavailable-error.ts"],"names":[],"mappings":";;;AAAA,qDAA6C;AAE7C,MAAa,sBAAuB,SAAQ,2BAAU;IAEzC;IADX,YACW,MAA8C,EACvD,UAAkB,8BAA8B,EAChD,KAAe;QAEf,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;QAJvC,WAAM,GAAN,MAAM,CAAwC;IAKzD,CAAC;IAED,MAAM;QACJ,OAAO;YACL,GAAG,KAAK,CAAC,MAAM,EAAE;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;SACX,CAAA;IACZ,CAAC;CACF;AAfD,wDAeC"}
+{"version":3,"file":"handle-unavailable-error.js","sourceRoot":"","sources":["../../src/errors/handle-unavailable-error.ts"],"names":[],"mappings":";;;AAAA,qDAA6C;AAE7C,MAAa,sBAAuB,SAAQ,2BAAU;IAEzC;IADX,YACW,MAA8C,EACvD,UAAkB,8BAA8B,EAChD,KAAe;QAEf,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;QAJvC,WAAM,GAAN,MAAM,CAAwC;IAKzD,CAAC;IAED,MAAM;QACJ,OAAO;YACL,GAAG,KAAK,CAAC,MAAM,EAAE;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;SACX,CAAA;IACZ,CAAC;CACF;AAfD,wDAeC","sourcesContent":["import { OAuthError } from './oauth-error.js'\n\nexport class HandleUnavailableError extends OAuthError {\n  constructor(\n    readonly reason: 'syntax' | 'domain' | 'slur' | 'taken',\n    details: string = 'That handle is not available',\n    cause?: unknown,\n  ) {\n    super('handle_unavailable', details, 400, cause)\n  }\n\n  toJSON() {\n    return {\n      ...super.toJSON(),\n      reason: this.reason,\n    } as const\n  }\n}\n"]}

package/dist/errors/invalid-authorization-details-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalid-authorization-details-error.js","sourceRoot":"","sources":["../../src/errors/invalid-authorization-details-error.ts"],"names":[],"mappings":";;;AACA,qEAA6D;AAE7D;;;;;;;;;;;;;;GAcG;AACH,MAAa,gCAAiC,SAAQ,2CAAkB;IACtE,YACE,UAA+C,EAC/C,iBAAyB,EACzB,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,+BAA+B,EAAE,KAAK,CAAC,CAAA;IAC9E,CAAC;CACF;AARD,4EAQC"}
+{"version":3,"file":"invalid-authorization-details-error.js","sourceRoot":"","sources":["../../src/errors/invalid-authorization-details-error.ts"],"names":[],"mappings":";;;AACA,qEAA6D;AAE7D;;;;;;;;;;;;;;GAcG;AACH,MAAa,gCAAiC,SAAQ,2CAAkB;IACtE,YACE,UAA+C,EAC/C,iBAAyB,EACzB,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,+BAA+B,EAAE,KAAK,CAAC,CAAA;IAC9E,CAAC;CACF;AARD,4EAQC","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport { AuthorizationError } from './authorization-error.js'\n\n/**\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc9396#section-14.6 | RFC 9396 - OAuth Dynamic Client Registration Metadata Registration Error}\n *\n * The AS MUST refuse to process any unknown authorization details type or\n * authorization details not conforming to the respective type definition. The\n * AS MUST abort processing and respond with an error\n * invalid_authorization_details to the client if any of the following are true\n * of the objects in the authorization_details structure:\n *  - contains an unknown authorization details type value,\n *  - is an object of known type but containing unknown fields,\n *  - contains fields of the wrong type for the authorization details type,\n *  - contains fields with invalid values for the authorization details type, or\n *  - is missing required fields for the authorization details type.\n */\nexport class InvalidAuthorizationDetailsError extends AuthorizationError {\n  constructor(\n    parameters: OAuthAuthorizationRequestParameters,\n    error_description: string,\n    cause?: unknown,\n  ) {\n    super(parameters, error_description, 'invalid_authorization_details', cause)\n  }\n}\n"]}

package/dist/errors/invalid-client-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalid-client-error.js","sourceRoot":"","sources":["../../src/errors/invalid-client-error.ts"],"names":[],"mappings":";;;AAAA,qDAA6C;AAE7C;;;;;;;;;;;;GAYG;AACH,MAAa,kBAAmB,SAAQ,2BAAU;IAChD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IACxD,CAAC;CACF;AAJD,gDAIC"}
+{"version":3,"file":"invalid-client-error.js","sourceRoot":"","sources":["../../src/errors/invalid-client-error.ts"],"names":[],"mappings":";;;AAAA,qDAA6C;AAE7C;;;;;;;;;;;;GAYG;AACH,MAAa,kBAAmB,SAAQ,2BAAU;IAChD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IACxD,CAAC;CACF;AAJD,gDAIC","sourcesContent":["import { OAuthError } from './oauth-error.js'\n\n/**\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | RFC6749 - Issuing an Access Token }\n *\n * Client authentication failed (e.g., unknown client, no client authentication\n * included, or unsupported authentication method). The authorization server MAY\n * return an HTTP 401 (Unauthorized) status code to indicate which HTTP\n * authentication schemes are supported.  If the client attempted to\n * authenticate via the \"Authorization\" request header field, the authorization\n * server MUST respond with an HTTP 401 (Unauthorized) status code and include\n * the \"WWW-Authenticate\" response header field matching the authentication\n * scheme used by the client.\n */\nexport class InvalidClientError extends OAuthError {\n  constructor(error_description: string, cause?: unknown) {\n    super('invalid_client', error_description, 400, cause)\n  }\n}\n"]}

package/dist/errors/invalid-client-id-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalid-client-id-error.js","sourceRoot":"","sources":["../../src/errors/invalid-client-id-error.ts"],"names":[],"mappings":";;;AAAA,qDAA6C;AAE7C;;;;;;GAMG;AACH,MAAa,oBAAqB,SAAQ,2BAAU;IAClD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,mBAAmB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IAC3D,CAAC;IAED,MAAM,CAAC,IAAI,CACT,KAAc,EACd,eAAe,GAAG,2BAA2B;QAE7C,IAAI,KAAK,YAAY,oBAAoB,EAAE,CAAC;YAC1C,OAAO,KAAK,CAAA;QACd,CAAC;QACD,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;YAC/B,yEAAyE;YACzE,oEAAoE;YACpE,yEAAyE;YACzE,oCAAoC;YACpC,OAAO,IAAI,oBAAoB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;QACvD,CAAC;QACD,OAAO,IAAI,oBAAoB,CAAC,eAAe,EAAE,KAAK,CAAC,CAAA;IACzD,CAAC;CACF;AArBD,oDAqBC"}
+{"version":3,"file":"invalid-client-id-error.js","sourceRoot":"","sources":["../../src/errors/invalid-client-id-error.ts"],"names":[],"mappings":";;;AAAA,qDAA6C;AAE7C;;;;;;GAMG;AACH,MAAa,oBAAqB,SAAQ,2BAAU;IAClD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,mBAAmB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IAC3D,CAAC;IAED,MAAM,CAAC,IAAI,CACT,KAAc,EACd,eAAe,GAAG,2BAA2B;QAE7C,IAAI,KAAK,YAAY,oBAAoB,EAAE,CAAC;YAC1C,OAAO,KAAK,CAAA;QACd,CAAC;QACD,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;YAC/B,yEAAyE;YACzE,oEAAoE;YACpE,yEAAyE;YACzE,oCAAoC;YACpC,OAAO,IAAI,oBAAoB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;QACvD,CAAC;QACD,OAAO,IAAI,oBAAoB,CAAC,eAAe,EAAE,KAAK,CAAC,CAAA;IACzD,CAAC;CACF;AArBD,oDAqBC","sourcesContent":["import { OAuthError } from './oauth-error.js'\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2 | RFC7591 - Client Registration Error Response}\n *\n * The value of one of the client metadata fields is invalid and the server has\n * rejected this request.  Note that an authorization server MAY choose to\n * substitute a valid value for any requested parameter of a client's metadata.\n */\nexport class InvalidClientIdError extends OAuthError {\n  constructor(error_description: string, cause?: unknown) {\n    super('invalid_client_id', error_description, 400, cause)\n  }\n\n  static from(\n    cause: unknown,\n    fallbackMessage = 'Invalid client identifier',\n  ): InvalidClientIdError {\n    if (cause instanceof InvalidClientIdError) {\n      return cause\n    }\n    if (cause instanceof TypeError) {\n      // This method is meant to be used in the context of parsing & validating\n      // a client client metadata. In that context, a TypeError would more\n      // likely represent a problem with the data (e.g. invalid URL constructor\n      // arg) and not a programming error.\n      return new InvalidClientIdError(cause.message, cause)\n    }\n    return new InvalidClientIdError(fallbackMessage, cause)\n  }\n}\n"]}

package/dist/errors/invalid-client-metadata-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalid-client-metadata-error.js","sourceRoot":"","sources":["../../src/errors/invalid-client-metadata-error.ts"],"names":[],"mappings":";;;AAAA,6BAA8B;AAC9B,+CAAgD;AAChD,qDAA6C;AAE7C;;;;;;GAMG;AACH,MAAa,0BAA2B,SAAQ,2BAAU;IACxD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,yBAAyB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IACjE,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,KAAc,EAAE,OAAO,GAAG,yBAAyB;QAC7D,IAAI,KAAK,YAAY,2BAAU,EAAE,CAAC;YAChC,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,KAAK,YAAY,kBAAU,EAAE,CAAC;YAChC,MAAM,IAAI,0BAA0B,CAClC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,EACvD,KAAK,CACN,CAAA;QACH,CAAC;QAED,IAAI,KAAK,YAAY,cAAQ,EAAE,CAAC;YAC9B,MAAM,YAAY,GAChB,KAAK,CAAC,MAAM;iBACT,GAAG,CACF,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CACpB,aAAa,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAuB,OAAO,EAAE,CAC5F;iBACA,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,OAAO,CAAA;YAE/B,MAAM,IAAI,0BAA0B,CAClC,YAAY,CAAC,CAAC,CAAC,GAAG,OAAO,KAAK,YAAY,EAAE,CAAC,CAAC,CAAC,OAAO,EACtD,KAAK,CACN,CAAA;QACH,CAAC;QAED,IACE,KAAK,YAAY,KAAK;YACtB,MAAM,IAAI,KAAK;YACf,KAAK,CAAC,IAAI,KAAK,6BAA6B,EAC5C,CAAC;YACD,MAAM,IAAI,0BAA0B,CAClC,GAAG,OAAO,2BAA2B,EACrC,KAAK,CACN,CAAA;QACH,CAAC;QAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;YAC/B,yEAAyE;YACzE,oEAAoE;YACpE,yEAAyE;YACzE,oCAAoC;YACpC,OAAO,IAAI,0BAA0B,CACnC,GAAG,OAAO,KAAK,KAAK,CAAC,OAAO,EAAE,EAC9B,KAAK,CACN,CAAA;QACH,CAAC;QAED,OAAO,IAAI,0BAA0B,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IACvD,CAAC;CACF;AAxDD,gEAwDC"}
+{"version":3,"file":"invalid-client-metadata-error.js","sourceRoot":"","sources":["../../src/errors/invalid-client-metadata-error.ts"],"names":[],"mappings":";;;AAAA,6BAA8B;AAC9B,+CAAgD;AAChD,qDAA6C;AAE7C;;;;;;GAMG;AACH,MAAa,0BAA2B,SAAQ,2BAAU;IACxD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,yBAAyB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IACjE,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,KAAc,EAAE,OAAO,GAAG,yBAAyB;QAC7D,IAAI,KAAK,YAAY,2BAAU,EAAE,CAAC;YAChC,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,KAAK,YAAY,kBAAU,EAAE,CAAC;YAChC,MAAM,IAAI,0BAA0B,CAClC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,EACvD,KAAK,CACN,CAAA;QACH,CAAC;QAED,IAAI,KAAK,YAAY,cAAQ,EAAE,CAAC;YAC9B,MAAM,YAAY,GAChB,KAAK,CAAC,MAAM;iBACT,GAAG,CACF,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CACpB,aAAa,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAuB,OAAO,EAAE,CAC5F;iBACA,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,OAAO,CAAA;YAE/B,MAAM,IAAI,0BAA0B,CAClC,YAAY,CAAC,CAAC,CAAC,GAAG,OAAO,KAAK,YAAY,EAAE,CAAC,CAAC,CAAC,OAAO,EACtD,KAAK,CACN,CAAA;QACH,CAAC;QAED,IACE,KAAK,YAAY,KAAK;YACtB,MAAM,IAAI,KAAK;YACf,KAAK,CAAC,IAAI,KAAK,6BAA6B,EAC5C,CAAC;YACD,MAAM,IAAI,0BAA0B,CAClC,GAAG,OAAO,2BAA2B,EACrC,KAAK,CACN,CAAA;QACH,CAAC;QAED,IAAI,KAAK,YAAY,SAAS,EAAE,CAAC;YAC/B,yEAAyE;YACzE,oEAAoE;YACpE,yEAAyE;YACzE,oCAAoC;YACpC,OAAO,IAAI,0BAA0B,CACnC,GAAG,OAAO,KAAK,KAAK,CAAC,OAAO,EAAE,EAC9B,KAAK,CACN,CAAA;QACH,CAAC;QAED,OAAO,IAAI,0BAA0B,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IACvD,CAAC;CACF;AAxDD,gEAwDC","sourcesContent":["import { ZodError } from 'zod'\nimport { FetchError } from '@atproto-labs/fetch'\nimport { OAuthError } from './oauth-error.js'\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2 | RFC7591 - Client Registration Error Response}\n *\n * The value of one of the client metadata fields is invalid and the server has\n * rejected this request.  Note that an authorization server MAY choose to\n * substitute a valid value for any requested parameter of a client's metadata.\n */\nexport class InvalidClientMetadataError extends OAuthError {\n  constructor(error_description: string, cause?: unknown) {\n    super('invalid_client_metadata', error_description, 400, cause)\n  }\n\n  static from(cause: unknown, message = 'Invalid client metadata'): OAuthError {\n    if (cause instanceof OAuthError) {\n      return cause\n    }\n\n    if (cause instanceof FetchError) {\n      throw new InvalidClientMetadataError(\n        cause.expose ? `${message}: ${cause.message}` : message,\n        cause,\n      )\n    }\n\n    if (cause instanceof ZodError) {\n      const causeMessage =\n        cause.issues\n          .map(\n            ({ path, message }) =>\n              `Validation${path.length ? ` of \"${path.join('.')}\"` : ''} failed with error: ${message}`,\n          )\n          .join(' ') || cause.message\n\n      throw new InvalidClientMetadataError(\n        causeMessage ? `${message}: ${causeMessage}` : message,\n        cause,\n      )\n    }\n\n    if (\n      cause instanceof Error &&\n      'code' in cause &&\n      cause.code === 'DEPTH_ZERO_SELF_SIGNED_CERT'\n    ) {\n      throw new InvalidClientMetadataError(\n        `${message}: Self-signed certificate`,\n        cause,\n      )\n    }\n\n    if (cause instanceof TypeError) {\n      // This method is meant to be used in the context of parsing & validating\n      // a client client metadata. In that context, a TypeError would more\n      // likely represent a problem with the data (e.g. invalid URL constructor\n      // arg) and not a programming error.\n      return new InvalidClientMetadataError(\n        `${message}: ${cause.message}`,\n        cause,\n      )\n    }\n\n    return new InvalidClientMetadataError(message, cause)\n  }\n}\n"]}

package/dist/errors/invalid-dpop-key-binding-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalid-dpop-key-binding-error.js","sourceRoot":"","sources":["../../src/errors/invalid-dpop-key-binding-error.ts"],"names":[],"mappings":";;;AAAA,2EAAkE;AAElE;;;;;;GAMG;AACH,MAAa,0BAA2B,SAAQ,gDAAoB;IAClE,YAAY,KAAe;QACzB,MAAM,KAAK,GAAG,eAAe,CAAA;QAC7B,MAAM,iBAAiB,GAAG,0BAA0B,CAAA;QACpD,KAAK,CACH,KAAK,EACL,iBAAiB,EACjB,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,EAAE,EACtC,KAAK,CACN,CAAA;IACH,CAAC;CACF;AAXD,gEAWC"}
+{"version":3,"file":"invalid-dpop-key-binding-error.js","sourceRoot":"","sources":["../../src/errors/invalid-dpop-key-binding-error.ts"],"names":[],"mappings":";;;AAAA,2EAAkE;AAElE;;;;;;GAMG;AACH,MAAa,0BAA2B,SAAQ,gDAAoB;IAClE,YAAY,KAAe;QACzB,MAAM,KAAK,GAAG,eAAe,CAAA;QAC7B,MAAM,iBAAiB,GAAG,0BAA0B,CAAA;QACpD,KAAK,CACH,KAAK,EACL,iBAAiB,EACjB,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,EAAE,EACtC,KAAK,CACN,CAAA;IACH,CAAC;CACF;AAXD,gEAWC","sourcesContent":["import { WWWAuthenticateError } from './www-authenticate-error.js'\n\n/**\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3.1 | RFC6750 - The WWW-Authenticate Response Header Field}\n *\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc9449#name-the-dpop-authentication-sch | RFC9449 - The DPoP Authentication Scheme}\n */\nexport class InvalidDpopKeyBindingError extends WWWAuthenticateError {\n  constructor(cause?: unknown) {\n    const error = 'invalid_token'\n    const error_description = 'Invalid DPoP key binding'\n    super(\n      error,\n      error_description,\n      { DPoP: { error, error_description } },\n      cause,\n    )\n  }\n}\n"]}

package/dist/errors/invalid-dpop-proof-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalid-dpop-proof-error.js","sourceRoot":"","sources":["../../src/errors/invalid-dpop-proof-error.ts"],"names":[],"mappings":";;;AAAA,2EAAkE;AAElE,MAAa,qBAAsB,SAAQ,gDAAoB;IAC7D,YAAY,iBAAyB,EAAE,KAAe;QACpD,MAAM,KAAK,GAAG,oBAAoB,CAAA;QAClC,KAAK,CACH,KAAK,EACL,iBAAiB,EACjB,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,EAAE,EACtC,KAAK,CACN,CAAA;IACH,CAAC;CACF;AAVD,sDAUC"}
+{"version":3,"file":"invalid-dpop-proof-error.js","sourceRoot":"","sources":["../../src/errors/invalid-dpop-proof-error.ts"],"names":[],"mappings":";;;AAAA,2EAAkE;AAElE,MAAa,qBAAsB,SAAQ,gDAAoB;IAC7D,YAAY,iBAAyB,EAAE,KAAe;QACpD,MAAM,KAAK,GAAG,oBAAoB,CAAA;QAClC,KAAK,CACH,KAAK,EACL,iBAAiB,EACjB,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,EAAE,EACtC,KAAK,CACN,CAAA;IACH,CAAC;CACF;AAVD,sDAUC","sourcesContent":["import { WWWAuthenticateError } from './www-authenticate-error.js'\n\nexport class InvalidDpopProofError extends WWWAuthenticateError {\n  constructor(error_description: string, cause?: unknown) {\n    const error = 'invalid_dpop_proof'\n    super(\n      error,\n      error_description,\n      { DPoP: { error, error_description } },\n      cause,\n    )\n  }\n}\n"]}

package/dist/errors/invalid-grant-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalid-grant-error.js","sourceRoot":"","sources":["../../src/errors/invalid-grant-error.ts"],"names":[],"mappings":";;;AAAA,qDAA6C;AAE7C;;;;;;;;GAQG;AACH,MAAa,iBAAkB,SAAQ,2BAAU;IAC/C,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,eAAe,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IACvD,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,GAAY,EAAE,iBAAyB;QACjD,IAAI,GAAG,YAAY,iBAAiB;YAAE,OAAO,GAAG,CAAA;QAChD,OAAO,IAAI,iBAAiB,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAA;IACtD,CAAC;CACF;AATD,8CASC"}
+{"version":3,"file":"invalid-grant-error.js","sourceRoot":"","sources":["../../src/errors/invalid-grant-error.ts"],"names":[],"mappings":";;;AAAA,qDAA6C;AAE7C;;;;;;;;GAQG;AACH,MAAa,iBAAkB,SAAQ,2BAAU;IAC/C,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,eAAe,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IACvD,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,GAAY,EAAE,iBAAyB;QACjD,IAAI,GAAG,YAAY,iBAAiB;YAAE,OAAO,GAAG,CAAA;QAChD,OAAO,IAAI,iBAAiB,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAA;IACtD,CAAC;CACF;AATD,8CASC","sourcesContent":["import { OAuthError } from './oauth-error.js'\n\n/**\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | RFC6749 - Issuing an Access Token }\n *\n * The provided authorization grant (e.g., authorization code, resource owner\n * credentials) or refresh token is invalid, expired, revoked, does not match\n * the redirection URI used in the authorization request, or was issued to\n * another client.\n */\nexport class InvalidGrantError extends OAuthError {\n  constructor(error_description: string, cause?: unknown) {\n    super('invalid_grant', error_description, 400, cause)\n  }\n\n  static from(err: unknown, error_description: string): InvalidGrantError {\n    if (err instanceof InvalidGrantError) return err\n    return new InvalidGrantError(error_description, err)\n  }\n}\n"]}

package/dist/errors/invalid-invite-code-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalid-invite-code-error.js","sourceRoot":"","sources":["../../src/errors/invalid-invite-code-error.ts"],"names":[],"mappings":";;;AAAA,mEAA6D;AAE7D,MAAa,sBAAuB,SAAQ,2CAAmB;IAC7D,YAAY,OAAgB,EAAE,KAAe;QAC3C,KAAK,CACH,8BAA8B,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAC/D,KAAK,CACN,CAAA;IACH,CAAC;CACF;AAPD,wDAOC"}
+{"version":3,"file":"invalid-invite-code-error.js","sourceRoot":"","sources":["../../src/errors/invalid-invite-code-error.ts"],"names":[],"mappings":";;;AAAA,mEAA6D;AAE7D,MAAa,sBAAuB,SAAQ,2CAAmB;IAC7D,YAAY,OAAgB,EAAE,KAAe;QAC3C,KAAK,CACH,8BAA8B,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAC/D,KAAK,CACN,CAAA;IACH,CAAC;CACF;AAPD,wDAOC","sourcesContent":["import { InvalidRequestError } from './invalid-request-error'\n\nexport class InvalidInviteCodeError extends InvalidRequestError {\n  constructor(details?: string, cause?: unknown) {\n    super(\n      'This invite code is invalid.' + (details ? ` ${details}` : ''),\n      cause,\n    )\n  }\n}\n"]}

package/dist/errors/invalid-redirect-uri-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalid-redirect-uri-error.js","sourceRoot":"","sources":["../../src/errors/invalid-redirect-uri-error.ts"],"names":[],"mappings":";;;AAAA,qDAA6C;AAE7C;;;;GAIG;AACH,MAAa,uBAAwB,SAAQ,2BAAU;IACrD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,sBAAsB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IAC9D,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,KAAe;QACzB,IAAI,KAAK,YAAY,uBAAuB;YAAE,OAAO,KAAK,CAAA;QAC1D,OAAO,IAAI,uBAAuB,CAAC,sBAAsB,EAAE,KAAK,CAAC,CAAA;IACnE,CAAC;CACF;AATD,0DASC"}
+{"version":3,"file":"invalid-redirect-uri-error.js","sourceRoot":"","sources":["../../src/errors/invalid-redirect-uri-error.ts"],"names":[],"mappings":";;;AAAA,qDAA6C;AAE7C;;;;GAIG;AACH,MAAa,uBAAwB,SAAQ,2BAAU;IACrD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,sBAAsB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IAC9D,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,KAAe;QACzB,IAAI,KAAK,YAAY,uBAAuB;YAAE,OAAO,KAAK,CAAA;QAC1D,OAAO,IAAI,uBAAuB,CAAC,sBAAsB,EAAE,KAAK,CAAC,CAAA;IACnE,CAAC;CACF;AATD,0DASC","sourcesContent":["import { OAuthError } from './oauth-error.js'\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2 | RFC7591}\n *\n * The value of one or more redirection URIs is invalid.\n */\nexport class InvalidRedirectUriError extends OAuthError {\n  constructor(error_description: string, cause?: unknown) {\n    super('invalid_redirect_uri', error_description, 400, cause)\n  }\n\n  static from(cause?: unknown): InvalidRedirectUriError {\n    if (cause instanceof InvalidRedirectUriError) return cause\n    return new InvalidRedirectUriError('Invalid redirect URI', cause)\n  }\n}\n"]}

package/dist/errors/invalid-request-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalid-request-error.js","sourceRoot":"","sources":["../../src/errors/invalid-request-error.ts"],"names":[],"mappings":";;;AAAA,qDAA6C;AAE7C;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAa,mBAAoB,SAAQ,2BAAU;IACjD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,iBAAiB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IACzD,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,GAAY,EAAE,OAAO,GAAG,sBAAsB;QACxD,IAAI,GAAG,YAAY,2BAAU;YAAE,OAAO,GAAG,CAAA;QACzC,OAAO,IAAI,mBAAmB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;IAC9C,CAAC;CACF;AATD,kDASC"}
+{"version":3,"file":"invalid-request-error.js","sourceRoot":"","sources":["../../src/errors/invalid-request-error.ts"],"names":[],"mappings":";;;AAAA,qDAA6C;AAE7C;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAa,mBAAoB,SAAQ,2BAAU;IACjD,YAAY,iBAAyB,EAAE,KAAe;QACpD,KAAK,CAAC,iBAAiB,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;IACzD,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,GAAY,EAAE,OAAO,GAAG,sBAAsB;QACxD,IAAI,GAAG,YAAY,2BAAU;YAAE,OAAO,GAAG,CAAA;QACzC,OAAO,IAAI,mBAAmB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;IAC9C,CAAC;CACF;AATD,kDASC","sourcesContent":["import { OAuthError } from './oauth-error.js'\n\n/**\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 | RFC6749 - Issuing an Access Token}\n * : The request is missing a required parameter, includes an unsupported\n * parameter value (other than grant type), repeats a parameter, includes\n * multiple credentials, utilizes more than one mechanism for authenticating the\n * client, or is otherwise malformed.\n *\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1 | RFC6749 - Authorization Code Grant, Authorization Request}\n * : The request is missing a required parameter, includes an invalid parameter\n * value, includes a parameter more than once, or is otherwise malformed.\n *\n * @see\n * {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3.1 | RFC6750 - The WWW-Authenticate Response Header Field}\n * : The request is missing a required parameter, includes an unsupported\n * parameter or parameter value, repeats the same parameter, uses more than one\n * method for including an access token, or is otherwise malformed. The resource\n * server SHOULD respond with the HTTP 400 (Bad Request) status code.\n */\nexport class InvalidRequestError extends OAuthError {\n  constructor(error_description: string, cause?: unknown) {\n    super('invalid_request', error_description, 400, cause)\n  }\n\n  static from(err: unknown, message = 'Invalid request data'): OAuthError {\n    if (err instanceof OAuthError) return err\n    return new InvalidRequestError(message, err)\n  }\n}\n"]}

package/dist/errors/invalid-scope-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalid-scope-error.js","sourceRoot":"","sources":["../../src/errors/invalid-scope-error.ts"],"names":[],"mappings":";;;AACA,qEAA6D;AAE7D;;GAEG;AACH,MAAa,iBAAkB,SAAQ,2CAAkB;IACvD,YACE,UAA+C,EAC/C,iBAAyB,EACzB,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,eAAe,EAAE,KAAK,CAAC,CAAA;IAC9D,CAAC;CACF;AARD,8CAQC"}
+{"version":3,"file":"invalid-scope-error.js","sourceRoot":"","sources":["../../src/errors/invalid-scope-error.ts"],"names":[],"mappings":";;;AACA,qEAA6D;AAE7D;;GAEG;AACH,MAAa,iBAAkB,SAAQ,2CAAkB;IACvD,YACE,UAA+C,EAC/C,iBAAyB,EACzB,KAAe;QAEf,KAAK,CAAC,UAAU,EAAE,iBAAiB,EAAE,eAAe,EAAE,KAAK,CAAC,CAAA;IAC9D,CAAC;CACF;AARD,8CAQC","sourcesContent":["import { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'\nimport { AuthorizationError } from './authorization-error.js'\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.2.1}\n */\nexport class InvalidScopeError extends AuthorizationError {\n  constructor(\n    parameters: OAuthAuthorizationRequestParameters,\n    error_description: string,\n    cause?: unknown,\n  ) {\n    super(parameters, error_description, 'invalid_scope', cause)\n  }\n}\n"]}