@atproto/oauth-provider 0.15.16 → 0.16.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (81) hide show
  1. package/CHANGELOG.md +25 -0
  2. package/dist/account/account-manager.d.ts +2 -1
  3. package/dist/account/account-manager.d.ts.map +1 -1
  4. package/dist/account/account-manager.js +45 -4
  5. package/dist/account/account-manager.js.map +1 -1
  6. package/dist/account/account-store.d.ts +10 -4
  7. package/dist/account/account-store.d.ts.map +1 -1
  8. package/dist/account/account-store.js +2 -1
  9. package/dist/account/account-store.js.map +1 -1
  10. package/dist/customization/branding.d.ts +18 -1
  11. package/dist/customization/branding.d.ts.map +1 -1
  12. package/dist/customization/build-customization-css.d.ts.map +1 -1
  13. package/dist/customization/build-customization-css.js +16 -2
  14. package/dist/customization/build-customization-css.js.map +1 -1
  15. package/dist/customization/build-customization-data.d.ts +2 -2
  16. package/dist/customization/build-customization-data.d.ts.map +1 -1
  17. package/dist/customization/build-customization-data.js.map +1 -1
  18. package/dist/customization/colors.d.ts +11 -2
  19. package/dist/customization/colors.d.ts.map +1 -1
  20. package/dist/customization/colors.js +19 -1
  21. package/dist/customization/colors.js.map +1 -1
  22. package/dist/customization/customization.d.ts +26 -1
  23. package/dist/customization/customization.d.ts.map +1 -1
  24. package/dist/errors/invalid-credentials-error.d.ts +24 -0
  25. package/dist/errors/invalid-credentials-error.d.ts.map +1 -0
  26. package/dist/errors/invalid-credentials-error.js +30 -0
  27. package/dist/errors/invalid-credentials-error.js.map +1 -0
  28. package/dist/lib/http/router.d.ts +2 -1
  29. package/dist/lib/http/router.d.ts.map +1 -1
  30. package/dist/lib/http/router.js +1 -1
  31. package/dist/lib/http/router.js.map +1 -1
  32. package/dist/lib/util/color.d.ts +3 -0
  33. package/dist/lib/util/color.d.ts.map +1 -1
  34. package/dist/lib/util/color.js +33 -1
  35. package/dist/lib/util/color.js.map +1 -1
  36. package/dist/oauth-errors.d.ts +1 -0
  37. package/dist/oauth-errors.d.ts.map +1 -1
  38. package/dist/oauth-errors.js +1 -0
  39. package/dist/oauth-errors.js.map +1 -1
  40. package/dist/oauth-hooks.d.ts +40 -1
  41. package/dist/oauth-hooks.d.ts.map +1 -1
  42. package/dist/oauth-hooks.js +3 -1
  43. package/dist/oauth-hooks.js.map +1 -1
  44. package/dist/oauth-provider.d.ts.map +1 -1
  45. package/dist/oauth-provider.js +6 -11
  46. package/dist/oauth-provider.js.map +1 -1
  47. package/dist/request/request-manager.d.ts +7 -0
  48. package/dist/request/request-manager.d.ts.map +1 -1
  49. package/dist/request/request-manager.js +11 -0
  50. package/dist/request/request-manager.js.map +1 -1
  51. package/dist/result/authorization-result-authorize-page.d.ts +2 -1
  52. package/dist/result/authorization-result-authorize-page.d.ts.map +1 -1
  53. package/dist/result/authorization-result-authorize-page.js.map +1 -1
  54. package/dist/router/assets/assets.d.ts +1 -2
  55. package/dist/router/assets/assets.d.ts.map +1 -1
  56. package/dist/router/assets/assets.js +20 -12
  57. package/dist/router/assets/assets.js.map +1 -1
  58. package/dist/router/assets/send-authorization-page.d.ts.map +1 -1
  59. package/dist/router/assets/send-authorization-page.js +1 -0
  60. package/dist/router/assets/send-authorization-page.js.map +1 -1
  61. package/dist/router/create-api-middleware.d.ts.map +1 -1
  62. package/dist/router/create-api-middleware.js +11 -7
  63. package/dist/router/create-api-middleware.js.map +1 -1
  64. package/package.json +10 -11
  65. package/src/account/account-manager.ts +49 -6
  66. package/src/account/account-store.ts +10 -2
  67. package/src/customization/build-customization-css.ts +25 -3
  68. package/src/customization/build-customization-data.ts +2 -2
  69. package/src/customization/colors.ts +20 -1
  70. package/src/errors/invalid-credentials-error.ts +29 -0
  71. package/src/lib/http/router.ts +7 -3
  72. package/src/lib/util/color.ts +37 -1
  73. package/src/oauth-errors.ts +1 -0
  74. package/src/oauth-hooks.ts +42 -0
  75. package/src/oauth-provider.ts +7 -13
  76. package/src/request/request-manager.ts +12 -0
  77. package/src/result/authorization-result-authorize-page.ts +2 -1
  78. package/src/router/assets/assets.ts +22 -17
  79. package/src/router/assets/send-authorization-page.ts +1 -0
  80. package/src/router/create-api-middleware.ts +17 -6
  81. package/tsconfig.build.tsbuildinfo +1 -1
package/dist/oauth-hooks.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-hooks.js","sourceRoot":"","sources":["../src/oauth-hooks.ts"],"names":[],"mappings":";;;AAoBA,kDAA2C;AAyBzC,uFAzBO,kBAAM,OAyBP;AAtBR,4EAAmE;AAiBjE,kGAjBO,0CAAiB,OAiBP;AAhBnB,4EAAoE;AAmBlE,mGAnBO,2CAAkB,OAmBP;AAlBpB,gFAAuE;AA6BrE,oGA7BO,8CAAmB,OA6BP;AA5BrB,4DAAoD;AAkClD,2FAlCO,2BAAU,OAkCP","sourcesContent":["import { Jwks } from '@atproto/jwk'\nimport type { Account } from '@atproto/oauth-provider-api'\nimport {\n OAuthAccessToken,\n OAuthAuthorizationDetails,\n OAuthAuthorizationRequestParameters,\n OAuthClientMetadata,\n OAuthTokenResponse,\n OAuthTokenType,\n} from '@atproto/oauth-types'\nimport {\n ResetPasswordConfirmInput,\n ResetPasswordRequestInput,\n SignUpData,\n} from './account/account-store.js'\nimport { SignInData } from './account/sign-in-data.js'\nimport { SignUpInput } from './account/sign-up-input.js'\nimport { ClientAuth } from './client/client-auth.js'\nimport { ClientId } from './client/client-id.js'\nimport { ClientInfo } from './client/client-info.js'\nimport { Client } from './client/client.js'\nimport { DeviceId } from './device/device-id.js'\nimport { DpopProof } from './dpop/dpop-proof.js'\nimport { AccessDeniedError } from './errors/access-denied-error.js'\nimport { AuthorizationError } from './errors/authorization-error.js'\nimport { InvalidRequestError } from './errors/invalid-request-error.js'\nimport { OAuthError } from './errors/oauth-error.js'\nimport {\n HcaptchaClientTokens,\n HcaptchaConfig,\n HcaptchaVerifyResult,\n} from './lib/hcaptcha.js'\nimport { RequestMetadata } from './lib/http/request.js'\nimport { Awaitable, OmitKey } from './lib/util/type.js'\nimport { RequestId } from './request/request-id.js'\nimport { AccessTokenPayload } from './signer/access-token-payload.js'\nimport { TokenClaims } from './token/token-claims.js'\n\n// Make sure all types needed to implement the OAuthHooks are exported\nexport {\n AccessDeniedError,\n type AccessTokenPayload,\n type Account,\n AuthorizationError,\n type Awaitable,\n Client,\n type ClientAuth,\n type ClientId,\n type ClientInfo,\n type DeviceId,\n type DpopProof,\n type HcaptchaClientTokens,\n type HcaptchaConfig,\n type HcaptchaVerifyResult,\n InvalidRequestError,\n type Jwks,\n type OAuthAccessToken,\n type OAuthAuthorizationDetails,\n type OAuthAuthorizationRequestParameters,\n type OAuthClientMetadata,\n OAuthError,\n type OAuthTokenResponse,\n type OAuthTokenType,\n type RequestMetadata,\n type ResetPasswordConfirmInput,\n type ResetPasswordRequestInput,\n type SignInData,\n type SignUpData,\n type SignUpInput,\n type TokenClaims,\n}\n\nexport type OAuthHooks = {\n /**\n * Use this to alter, override or validate the client metadata & jwks returned\n * by the client store.\n *\n * @throws {InvalidClientMetadataError} if the metadata is invalid\n * @see {@link InvalidClientMetadataError}\n */\n getClientInfo?: (\n clientId: ClientId,\n data: { metadata: OAuthClientMetadata; jwks?: Jwks },\n ) => Awaitable<undefined | Partial<ClientInfo>>\n\n /**\n * This hook is called when a user attempts to sign up, after every validation\n * has passed (including hcaptcha).\n */\n onSignUpAttempt?: (data: {\n input: SignUpInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user attempts to sign up, after the hcaptcha\n * `/siteverify` request has been made (and before the result is validated).\n */\n onHcaptchaResult?: (data: {\n input: SignUpInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n tokens: HcaptchaClientTokens\n result: HcaptchaVerifyResult\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests a password reset, before the\n * reset password request is triggered on the account store.\n */\n onResetPasswordRequest?: (data: {\n input: ResetPasswordRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests a password reset, before the\n * reset password request is triggered on the account store.\n */\n onResetPasswordRequested?: (data: {\n input: ResetPasswordRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user confirms a password reset, before the\n * password is actually reset on the account store.\n */\n onResetPasswordConfirm?: (data: {\n input: ResetPasswordConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user confirms a password reset, and the\n * password was successfully reset on the account store.\n */\n onResetPasswordConfirmed?: (data: {\n input: ResetPasswordConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user successfully signs up.\n *\n * @throws {AccessDeniedError} to deny the sign-up\n */\n onSignedUp?: (data: {\n data: SignUpData\n account: Account\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n onSignInAttempt?: (data: {\n data: SignInData\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user successfully signs in.\n *\n * @throws {InvalidRequestError} when the sing-in should be denied\n */\n onSignedIn?: (data: {\n data: SignInData\n account: Account\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * Allows validating an authorization request (typically the requested scopes)\n * before it is created. Note that the validity against the client metadata is\n * already enforced by the OAuth provider.\n *\n * @throws {AuthorizationError}\n */\n onAuthorizationRequest?: (data: {\n client: Client\n clientAuth: null | ClientAuth\n parameters: Readonly<OAuthAuthorizationRequestParameters>\n }) => Awaitable<void>\n\n /**\n * This hook is called when a client is authorized.\n *\n * @throws {AuthorizationError} to deny the authorization request and redirect\n * the user to the client with an OAuth error (other errors will result in an\n * internal server error being displayed to the user)\n *\n * @note We use `deviceMetadata` instead of `clientMetadata` to make it clear\n * that this metadata is from the user device, which might be different from\n * the client metadata (because the OAuth client could live in a backend).\n */\n onAuthorized?: (data: {\n client: Client\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n requestId: RequestId\n }) => Awaitable<void>\n\n /**\n * This hook is called whenever a token is about to be created. You can use\n * it to modify the token claims or perform additional validation.\n *\n * This hook should never throw an error.\n */\n onCreateToken?: (data: {\n client: Client\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n claims: TokenClaims\n }) => Awaitable<void | OmitKey<AccessTokenPayload, 'iss'>>\n\n /**\n * This hook is called whenever a token was just decoded, and basic validation\n * was performed (signature, expiration, not-before).\n *\n * It can be used to modify the payload (e.g., to add custom claims), or to\n * perform additional validation.\n *\n * This hook is called when authenticating requests through the\n * `authenticateRequest()` method in `OAuthVerifier` and `OAuthProvider`.\n *\n * Any error thrown here will be propagated.\n */\n onDecodeToken?: (data: {\n tokenType: OAuthTokenType\n token: OAuthAccessToken\n payload: AccessTokenPayload\n dpopProof: null | DpopProof\n }) => Promise<AccessTokenPayload | void>\n\n /**\n * This hook is called when an authorized client exchanges an authorization\n * code for an access token.\n *\n * @throws {OAuthError} to cancel the token creation and revoke the session\n */\n onTokenCreated?: (data: {\n client: Client\n clientAuth: ClientAuth\n clientMetadata: RequestMetadata\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n }) => Awaitable<void>\n\n /**\n * This hook is called when an authorized client refreshes an access token.\n *\n * @throws {OAuthError} to cancel the token refresh and revoke the session\n */\n onTokenRefreshed?: (data: {\n client: Client\n clientAuth: ClientAuth\n clientMetadata: RequestMetadata\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n }) => Awaitable<void>\n}\n"]}
1
+ {"version":3,"file":"oauth-hooks.js","sourceRoot":"","sources":["../src/oauth-hooks.ts"],"names":[],"mappings":";;;AAoBA,kDAA2C;AA2BzC,uFA3BO,kBAAM,OA2BP;AAxBR,4EAAmE;AAmBjE,kGAnBO,0CAAiB,OAmBP;AAlBnB,4EAAoE;AAqBlE,mGArBO,2CAAkB,OAqBP;AApBpB,wFAA+E;AA+B7E,wGA/BO,sDAAuB,OA+BP;AA9BzB,gFAAuE;AA+BrE,oGA/BO,8CAAmB,OA+BP;AA9BrB,4DAAoD;AAoClD,2FApCO,2BAAU,OAoCP","sourcesContent":["import { Jwks } from '@atproto/jwk'\nimport type { Account } from '@atproto/oauth-provider-api'\nimport {\n OAuthAccessToken,\n OAuthAuthorizationDetails,\n OAuthAuthorizationRequestParameters,\n OAuthClientMetadata,\n OAuthTokenResponse,\n OAuthTokenType,\n} from '@atproto/oauth-types'\nimport {\n ResetPasswordConfirmInput,\n ResetPasswordRequestInput,\n SignUpData,\n} from './account/account-store.js'\nimport { SignInData } from './account/sign-in-data.js'\nimport { SignUpInput } from './account/sign-up-input.js'\nimport { ClientAuth } from './client/client-auth.js'\nimport { ClientId } from './client/client-id.js'\nimport { ClientInfo } from './client/client-info.js'\nimport { Client } from './client/client.js'\nimport { DeviceId } from './device/device-id.js'\nimport { DpopProof } from './dpop/dpop-proof.js'\nimport { AccessDeniedError } from './errors/access-denied-error.js'\nimport { AuthorizationError } from './errors/authorization-error.js'\nimport { InvalidCredentialsError } from './errors/invalid-credentials-error.js'\nimport { InvalidRequestError } from './errors/invalid-request-error.js'\nimport { OAuthError } from './errors/oauth-error.js'\nimport {\n HcaptchaClientTokens,\n HcaptchaConfig,\n HcaptchaVerifyResult,\n} from './lib/hcaptcha.js'\nimport { RequestMetadata } from './lib/http/request.js'\nimport { Awaitable, OmitKey } from './lib/util/type.js'\nimport { Sub } from './oidc/sub.js'\nimport { RequestId } from './request/request-id.js'\nimport { AccessTokenPayload } from './signer/access-token-payload.js'\nimport { TokenClaims } from './token/token-claims.js'\n\n// Make sure all types needed to implement the OAuthHooks are exported\nexport {\n AccessDeniedError,\n type AccessTokenPayload,\n type Account,\n AuthorizationError,\n type Awaitable,\n Client,\n type ClientAuth,\n type ClientId,\n type ClientInfo,\n type DeviceId,\n type DpopProof,\n type HcaptchaClientTokens,\n type HcaptchaConfig,\n type HcaptchaVerifyResult,\n InvalidCredentialsError,\n InvalidRequestError,\n type Jwks,\n type OAuthAccessToken,\n type OAuthAuthorizationDetails,\n type OAuthAuthorizationRequestParameters,\n type OAuthClientMetadata,\n OAuthError,\n type OAuthTokenResponse,\n type OAuthTokenType,\n type RequestMetadata,\n type ResetPasswordConfirmInput,\n type ResetPasswordRequestInput,\n type SignInData,\n type SignUpData,\n type SignUpInput,\n type Sub,\n type TokenClaims,\n}\n\nexport type OAuthHooks = {\n /**\n * Use this to alter, override or validate the client metadata & jwks returned\n * by the client store.\n *\n * @throws {InvalidClientMetadataError} if the metadata is invalid\n * @see {@link InvalidClientMetadataError}\n */\n getClientInfo?: (\n clientId: ClientId,\n data: { metadata: OAuthClientMetadata; jwks?: Jwks },\n ) => Awaitable<undefined | Partial<ClientInfo>>\n\n /**\n * This hook is called when a user attempts to sign up, after every validation\n * has passed (including hcaptcha).\n */\n onSignUpAttempt?: (data: {\n input: SignUpInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user attempts to sign up, after the hcaptcha\n * `/siteverify` request has been made (and before the result is validated).\n */\n onHcaptchaResult?: (data: {\n input: SignUpInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n tokens: HcaptchaClientTokens\n result: HcaptchaVerifyResult\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests a password reset, before the\n * reset password request is triggered on the account store.\n */\n onResetPasswordRequest?: (data: {\n input: ResetPasswordRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user requests a password reset, before the\n * reset password request is triggered on the account store.\n */\n onResetPasswordRequested?: (data: {\n input: ResetPasswordRequestInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user confirms a password reset, before the\n * password is actually reset on the account store.\n */\n onResetPasswordConfirm?: (data: {\n input: ResetPasswordConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * This hook is called after a user confirms a password reset, and the\n * password was successfully reset on the account store.\n */\n onResetPasswordConfirmed?: (data: {\n input: ResetPasswordConfirmInput\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n account: Account\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user successfully signs up.\n *\n * @throws {AccessDeniedError} to deny the sign-up\n */\n onSignedUp?: (data: {\n data: SignUpData\n account: Account\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n }) => Awaitable<void>\n\n /**\n * `clientId` is populated when the sign-in is submitted in the context of\n * an OAuth authorization request (i.e. the user is logging in to approve a\n * client); it is omitted for first-party sign-ins that happen outside any\n * authorization flow.\n */\n onSignInAttempt?: (data: {\n data: SignInData\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n clientId?: ClientId\n }) => Awaitable<void>\n\n /**\n * This hook is called when a user successfully signs in.\n *\n * `clientId` is populated when the sign-in is submitted in the context of\n * an OAuth authorization request; see {@link OAuthHooks.onSignInAttempt}.\n *\n * @throws {InvalidRequestError} when the sing-in should be denied\n */\n onSignedIn?: (data: {\n data: SignInData\n account: Account\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n clientId?: ClientId\n }) => Awaitable<void>\n\n /**\n * This hook is called when a sign-in attempt is rejected by the account\n * store due to invalid credentials (e.g. unknown identifier, wrong\n * password). It is *not* called for unexpected server errors, nor for flows\n * that require an additional authentication factor.\n *\n * `sub` is populated when the store throws an\n * {@link InvalidCredentialsError} that carries the matched subject\n * identifier (i.e. identifier known, credentials wrong). It is `null` when\n * the identifier was unknown or when the store threw a plain\n * {@link InvalidRequestError} without distinguishing the two cases.\n *\n * `clientId` is populated when the sign-in is submitted in the context of\n * an OAuth authorization request; see {@link OAuthHooks.onSignInAttempt}.\n *\n * Errors thrown from this hook are caught and ignored so that they do not\n * mask the original authentication failure.\n */\n onSignInFailed?: (data: {\n data: SignInData\n error: InvalidRequestError\n sub: Sub | null\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n clientId?: ClientId\n }) => Awaitable<void>\n\n /**\n * Allows validating an authorization request (typically the requested scopes)\n * before it is created. Note that the validity against the client metadata is\n * already enforced by the OAuth provider.\n *\n * @throws {AuthorizationError}\n */\n onAuthorizationRequest?: (data: {\n client: Client\n clientAuth: null | ClientAuth\n parameters: Readonly<OAuthAuthorizationRequestParameters>\n }) => Awaitable<void>\n\n /**\n * This hook is called when a client is authorized.\n *\n * @throws {AuthorizationError} to deny the authorization request and redirect\n * the user to the client with an OAuth error (other errors will result in an\n * internal server error being displayed to the user)\n *\n * @note We use `deviceMetadata` instead of `clientMetadata` to make it clear\n * that this metadata is from the user device, which might be different from\n * the client metadata (because the OAuth client could live in a backend).\n */\n onAuthorized?: (data: {\n client: Client\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n deviceId: DeviceId\n deviceMetadata: RequestMetadata\n requestId: RequestId\n }) => Awaitable<void>\n\n /**\n * This hook is called whenever a token is about to be created. You can use\n * it to modify the token claims or perform additional validation.\n *\n * This hook should never throw an error.\n */\n onCreateToken?: (data: {\n client: Client\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n claims: TokenClaims\n }) => Awaitable<void | OmitKey<AccessTokenPayload, 'iss'>>\n\n /**\n * This hook is called whenever a token was just decoded, and basic validation\n * was performed (signature, expiration, not-before).\n *\n * It can be used to modify the payload (e.g., to add custom claims), or to\n * perform additional validation.\n *\n * This hook is called when authenticating requests through the\n * `authenticateRequest()` method in `OAuthVerifier` and `OAuthProvider`.\n *\n * Any error thrown here will be propagated.\n */\n onDecodeToken?: (data: {\n tokenType: OAuthTokenType\n token: OAuthAccessToken\n payload: AccessTokenPayload\n dpopProof: null | DpopProof\n }) => Promise<AccessTokenPayload | void>\n\n /**\n * This hook is called when an authorized client exchanges an authorization\n * code for an access token.\n *\n * @throws {OAuthError} to cancel the token creation and revoke the session\n */\n onTokenCreated?: (data: {\n client: Client\n clientAuth: ClientAuth\n clientMetadata: RequestMetadata\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n }) => Awaitable<void>\n\n /**\n * This hook is called when an authorized client refreshes an access token.\n *\n * @throws {OAuthError} to cancel the token refresh and revoke the session\n */\n onTokenRefreshed?: (data: {\n client: Client\n clientAuth: ClientAuth\n clientMetadata: RequestMetadata\n account: Account\n parameters: OAuthAuthorizationRequestParameters\n }) => Awaitable<void>\n}\n"]}
package/dist/oauth-provider.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-provider.d.ts","sourceRoot":"","sources":["../src/oauth-provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AAEnD,OAAO,EAEL,gBAAgB,EAChB,uCAAuC,EACvC,4BAA4B,EAC5B,4BAA4B,EAC5B,mCAAmC,EACnC,8BAA8B,EAC9B,gCAAgC,EAChC,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,kCAAkC,EAClC,wBAAwB,EACxB,iBAAiB,EACjB,kBAAkB,EAClB,cAAc,EAGf,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAExD,OAAO,EAAE,eAAe,EAAE,MAAM,qCAAqC,CAAA;AACrE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,aAAa,EAEd,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AACtE,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAChD,OAAO,EACL,aAAa,EACb,sBAAsB,EACvB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AACrE,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAS3C,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AACrE,OAAO,EACL,aAAa,EACb,kBAAkB,EAEnB,MAAM,kCAAkC,CAAA;AAEzC,OAAO,EACL,UAAU,EACV,aAAa,EACb,oBAAoB,EACrB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AASrE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,YAAY,EAAkB,MAAM,4BAA4B,CAAA;AACzE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAA;AAGvD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA;AACtD,OAAO,EAAE,cAAc,EAAiB,MAAM,8BAA8B,CAAA;AAC5E,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EACL,SAAS,EACT,aAAa,EACb,oBAAoB,EACpB,yBAAyB,EAC1B,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AAErE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,YAAY,EAAkB,MAAM,4BAA4B,CAAA;AAEzE,OAAO,EAAE,+BAA+B,EAAE,MAAM,+CAA+C,CAAA;AAC/F,OAAO,EAAE,gCAAgC,EAAE,MAAM,iDAAiD,CAAA;AAClG,OAAO,EAAE,2BAA2B,EAAE,MAAM,2CAA2C,CAAA;AACvF,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAA;AACxD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAA;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EACL,UAAU,EAGX,MAAM,wBAAwB,CAAA;AAG/B,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;AAC/C,YAAY,EACV,kBAAkB,EAClB,+BAA+B,EAC/B,gCAAgC,IAAI,4BAA4B,EAChE,2BAA2B,EAC3B,QAAQ,EACR,aAAa,EACb,cAAc,EACd,aAAa,EACb,kBAAkB,EAClB,YAAY,EACZ,cAAc,EACd,eAAe,EACf,gCAAgC,EAChC,yBAAyB,GAC1B,CAAA;AAED,KAAK,mBAAmB,GAAG;IACzB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAA;IAE7B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;IAEpB;;;;;;;;;;;;;OAaG;IACH,eAAe,CAAC,EAAE,eAAe,CAAA;IAEjC;;OAEG;IACH,QAAQ,CAAC,EAAE,cAAc,CAAA;IAEzB;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAA;IAEnC;;;OAGG;IACH,KAAK,CAAC,EAAE,KAAK,GAAG,YAAY,GAAG,MAAM,CAAA;IAErC;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,OAAO,CACb,YAAY,GACV,WAAW,GACX,WAAW,GACX,YAAY,GACZ,WAAW,GACX,YAAY,GACZ,UAAU,CACb,CAAA;IAED,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,UAAU,CAAC,EAAE,UAAU,CAAA;IAEvB;;;;;OAKG;IACH,eAAe,CAAC,EAAE,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;IAE3C;;;;;OAKG;IACH,mBAAmB,CAAC,EAAE,WAAW,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAA;IAE9D;;;;;;;OAOG;IACH,gBAAgB,CAAC,EAAE,IAAI,GAAG,KAAK,GAAG,sBAAsB,CAAA;CACzD,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG,mBAAmB,GACpD,oBAAoB,GACpB,UAAU,GACV,oBAAoB,GACpB,kBAAkB,CAAA;AAEpB,qBAAa,aAAc,SAAQ,aAAa;IAC9C,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAA;IACnD,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;IAEpC,SAAgB,QAAQ,EAAE,gCAAgC,CAAA;IAC1D,SAAgB,aAAa,EAAE,aAAa,CAAA;IAE5C,SAAgB,oBAAoB,EAAE,MAAM,CAAA;IAE5C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,aAAa,EAAE,aAAa,CAAA;IAC5C,SAAgB,aAAa,EAAE,aAAa,CAAA;IAC5C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,YAAY,EAAE,YAAY,CAAA;gBAEvB,EAEjB,oBAA6C,EAC7C,WAA2B,EAC3B,eAA2C,EAE3C,QAAQ,EAER,SAA2B,EAC3B,KAAK,EAAE,gCAAgC;IACvC,WAAmD,EAGnD,YAAoC,EACpC,WAAkC,EAClC,YAAoC,EACpC,UAAgC,EAChC,YAAoC,EAGpC,WAAkC,EAClC,WAAkC,EAElC,eAGE,EACF,mBAGE,EAEF,gBAAgD,EAMhD,GAAG,IAAI,EACR,EAAE,oBAAoB;IA4DvB,IAAI,IAAI;;;;;eArTH,CAAC;eACkB,CAAC;eAEhB,CAAC;mBACsB,CAAC;eAKjC,CAAA;eACe,CAAC;sBAA4C,CAAC;eAG3D,CAAC;eACe,CAAC;eACe,CAAC;eACL,CAAC;eAErB,CAAC;mBAGb,CAAA;;sBAC0B,CAAC;;aACR,CAAC;aAAmC,CAAC;aAAmC,CAAC;cACzD,CAAC;cACjC,CAAC;cAAoC,CAAC;eACrC,CAAC;iBAAqB,CAAC;iBAAuC,CAAC;iBACjD,CAAC;;;;;aAEd,CAAC;;;;;;eAEqB,CAAC;eACJ,CAAC;eAAqC,CAAC;mBAC1B,CAAC;eAGnC,CAAC;eAAuC,CAAC;sBACN,CAAC;eAClB,CAAC;eAAqC,CAAC;eACtC,CAAA;eAElB,CAAC;eAEO,CAAC;mBAEX,CAAA;;sBACkC,CAAA;;aACR,CAAC;;;;aAEN,CAAA;;;;;;eAEc,CAAC;eAAuC,CAAC;eAC3D,CAAC;mBAAgD,CAAC;eAExD,CAAC;eAAuC,CAAC;sBACb,CAAC;eACjC,CAAC;eAAqC,CAAC;eACZ,CAAC;eAE5B,CAAC;eAEO,CAAC;mBAEb,CAAC;;sBAEN,CAAC;;aAEC,CAAA;;;;aAE6C,CAAC;;;;;eAM9B,CAAC;eAGjB,CAAA;eACkB,CAAC;mBAIpB,CAAC;eAKA,CAAC;eAGA,CAAC;sBAA4C,CAAC;eAExC,CAAC;eAGO,CAAC;eAAsC,CAAC;eACzC,CAAC;eAAqC,CAAC;mBACrC,CAAC;;sBAChB,CAAD;;aAA+D,CAAA;;;;aAGvD,CAAC;;OAiNR;IAED;;OAEG;IACI,oBAAoB,CACzB,UAAU,EAAE,mCAAmC,EAC/C,UAAU,CAAC,EAAE,oBAAoB;IAiB5B,kBAAkB,CAAC,aAAa,EAAE,aAAa;cAKtC,kBAAkB,CAChC,iBAAiB,EAAE,sBAAsB,EACzC,SAAS,EAAE,IAAI,GAAG,SAAS,EAC3B,OAAO,CAAC,EAAE;QACR,qBAAqB,CAAC,EAAE,OAAO,CAAA;KAChC,GACA,OAAO,CAAC;QACT,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,EAAE,UAAU,CAAA;KACvB,CAAC;IAgDI,SAAS,CACb,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,4BAA4B,GAClC,OAAO,CAAC,mCAAmC,CAAC;IA0B/C;;OAEG;IACU,0BAA0B,CACrC,WAAW,EAAE,sBAAsB,EACnC,oBAAoB,EAAE,4BAA4B,EAClD,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,gBAAgB,CAAC;YAgEd,2BAA2B;IA6CzC;;OAEG;IACU,SAAS,CACpB,KAAK,EAAE,8BAA8B,EACrC,EAAE,QAAQ,EAAE,cAAc,EAAE,EAAE,UAAU,GACvC,OAAO,CAAC,2BAA2B,GAAG,gCAAgC,CAAC;IA0J7D,KAAK,CAChB,iBAAiB,EAAE,sBAAsB,EACzC,cAAc,EAAE,eAAe,EAC/B,OAAO,EAAE,iBAAiB,EAC1B,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,kBAAkB,CAAC;cA2Cd,iBAAiB,CAC/B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,IAAI,GAAG,SAAS,EAC3B,OAAO,EAAE;QACP,UAAU,EAAE,mCAAmC,CAAA;QAC/C,QAAQ,EAAE,QAAQ,CAAA;QAClB,UAAU,EAAE,IAAI,GAAG,UAAU,GAAG,gBAAgB,CAAA;KACjD,GACA,OAAO,CAAC,IAAI,CAAC;cA+DA,sBAAsB,CACpC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,uCAAuC,EAC9C,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,kBAAkB,CAAC;cA+Dd,iBAAiB,CAC/B,UAAU,EAAE,mCAAmC,EAC/C,KAAK,EAAE,uCAAuC,GAC7C,OAAO,CAAC,IAAI,CAAC;cAmDA,iBAAiB,CAC/B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,kCAAkC,EACzC,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,kBAAkB,CAAC;cA4Bd,oBAAoB,CAClC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,IAAI,EAAE,SAAS,GACd,OAAO,CAAC,IAAI,CAAC;IAoBhB;;OAEG;IACU,MAAM,CACjB,iBAAiB,EAAE,sBAAsB,EACzC,EAAE,KAAK,EAAE,EAAE,wBAAwB,EACnC,SAAS,EAAE,IAAI,GAAG,SAAS;cAuBJ,WAAW,CAClC,SAAS,EAAE,cAAc,EACzB,KAAK,EAAE,gBAAgB,EACvB,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,kBAAkB,CAAC;CAmB/B"}
1
+ {"version":3,"file":"oauth-provider.d.ts","sourceRoot":"","sources":["../src/oauth-provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AAEnD,OAAO,EAEL,gBAAgB,EAChB,uCAAuC,EACvC,4BAA4B,EAC5B,4BAA4B,EAC5B,mCAAmC,EACnC,8BAA8B,EAC9B,gCAAgC,EAChC,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,kCAAkC,EAClC,wBAAwB,EACxB,iBAAiB,EACjB,kBAAkB,EAClB,cAAc,EAGf,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAExD,OAAO,EAAE,eAAe,EAAE,MAAM,qCAAqC,CAAA;AACrE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,aAAa,EAEd,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAA;AACtE,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAChD,OAAO,EACL,aAAa,EACb,sBAAsB,EACvB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AACrE,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAS3C,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AACrE,OAAO,EACL,aAAa,EACb,kBAAkB,EAEnB,MAAM,kCAAkC,CAAA;AAEzC,OAAO,EACL,UAAU,EACV,aAAa,EACb,oBAAoB,EACrB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AASrE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,YAAY,EAAkB,MAAM,4BAA4B,CAAA;AACzE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAA;AAGvD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA;AACtD,OAAO,EAAE,cAAc,EAAiB,MAAM,8BAA8B,CAAA;AAC5E,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EACL,SAAS,EACT,aAAa,EACb,oBAAoB,EACpB,yBAAyB,EAC1B,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AAErE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,YAAY,EAAkB,MAAM,4BAA4B,CAAA;AAEzE,OAAO,EAAE,+BAA+B,EAAE,MAAM,+CAA+C,CAAA;AAC/F,OAAO,EAAE,gCAAgC,EAAE,MAAM,iDAAiD,CAAA;AAClG,OAAO,EAAE,2BAA2B,EAAE,MAAM,2CAA2C,CAAA;AACvF,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAA;AACxD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAA;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EACL,UAAU,EAGX,MAAM,wBAAwB,CAAA;AAG/B,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;AAC/C,YAAY,EACV,kBAAkB,EAClB,+BAA+B,EAC/B,gCAAgC,IAAI,4BAA4B,EAChE,2BAA2B,EAC3B,QAAQ,EACR,aAAa,EACb,cAAc,EACd,aAAa,EACb,kBAAkB,EAClB,YAAY,EACZ,cAAc,EACd,eAAe,EACf,gCAAgC,EAChC,yBAAyB,GAC1B,CAAA;AAED,KAAK,mBAAmB,GAAG;IACzB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAA;IAE7B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;IAEpB;;;;;;;;;;;;;OAaG;IACH,eAAe,CAAC,EAAE,eAAe,CAAA;IAEjC;;OAEG;IACH,QAAQ,CAAC,EAAE,cAAc,CAAA;IAEzB;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAA;IAEnC;;;OAGG;IACH,KAAK,CAAC,EAAE,KAAK,GAAG,YAAY,GAAG,MAAM,CAAA;IAErC;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,OAAO,CACb,YAAY,GACV,WAAW,GACX,WAAW,GACX,YAAY,GACZ,WAAW,GACX,YAAY,GACZ,UAAU,CACb,CAAA;IAED,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,UAAU,CAAC,EAAE,UAAU,CAAA;IAEvB;;;;;OAKG;IACH,eAAe,CAAC,EAAE,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;IAE3C;;;;;OAKG;IACH,mBAAmB,CAAC,EAAE,WAAW,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAA;IAE9D;;;;;;;OAOG;IACH,gBAAgB,CAAC,EAAE,IAAI,GAAG,KAAK,GAAG,sBAAsB,CAAA;CACzD,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG,mBAAmB,GACpD,oBAAoB,GACpB,UAAU,GACV,oBAAoB,GACpB,kBAAkB,CAAA;AAEpB,qBAAa,aAAc,SAAQ,aAAa;IAC9C,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAA;IACnD,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;IAEpC,SAAgB,QAAQ,EAAE,gCAAgC,CAAA;IAC1D,SAAgB,aAAa,EAAE,aAAa,CAAA;IAE5C,SAAgB,oBAAoB,EAAE,MAAM,CAAA;IAE5C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,aAAa,EAAE,aAAa,CAAA;IAC5C,SAAgB,aAAa,EAAE,aAAa,CAAA;IAC5C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,YAAY,EAAE,YAAY,CAAA;gBAEvB,EAEjB,oBAA6C,EAC7C,WAA2B,EAC3B,eAA2C,EAE3C,QAAQ,EAER,SAA2B,EAC3B,KAAK,EAAE,gCAAgC;IACvC,WAAmD,EAGnD,YAAoC,EACpC,WAAkC,EAClC,YAAoC,EACpC,UAAgC,EAChC,YAAoC,EAGpC,WAAkC,EAClC,WAAkC,EAElC,eAGE,EACF,mBAGE,EAEF,gBAAgD,EAMhD,GAAG,IAAI,EACR,EAAE,oBAAoB;IA4DvB,IAAI,IAAI;;;;;eArTH,CAAC;eACkB,CAAC;eAEhB,CAAC;mBACsB,CAAC;eAKjC,CAAA;eACe,CAAC;sBAA4C,CAAC;eAG3D,CAAC;eACe,CAAC;eACe,CAAC;eACL,CAAC;eAErB,CAAC;mBAGb,CAAA;;sBAC0B,CAAC;;aACR,CAAC;aAAmC,CAAC;aAAmC,CAAC;cACzD,CAAC;cACjC,CAAC;cAAoC,CAAC;eACrC,CAAC;iBAAqB,CAAC;iBAAuC,CAAC;iBACjD,CAAC;;;;;aAEd,CAAC;;;;;;eAEqB,CAAC;eACJ,CAAC;eAAqC,CAAC;mBAC1B,CAAC;eAGnC,CAAC;eAAuC,CAAC;sBACN,CAAC;eAClB,CAAC;eAAqC,CAAC;eACtC,CAAA;eAElB,CAAC;eAEO,CAAC;mBAEX,CAAA;;sBACkC,CAAA;;aACR,CAAC;;;;aAEN,CAAA;;;;;;eAEc,CAAC;eAAuC,CAAC;eAC3D,CAAC;mBAAgD,CAAC;eAExD,CAAC;eAAuC,CAAC;sBACb,CAAC;eACjC,CAAC;eAAqC,CAAC;eACZ,CAAC;eAE5B,CAAC;eAEO,CAAC;mBAEb,CAAC;;sBAEN,CAAC;;aAEC,CAAA;;;;aAE6C,CAAC;;;;;eAM9B,CAAC;eAGjB,CAAA;eACkB,CAAC;mBAIpB,CAAC;eAKA,CAAC;eAGA,CAAC;sBAA4C,CAAC;eAExC,CAAC;eAGO,CAAC;eAAsC,CAAC;eACzC,CAAC;eAAqC,CAAC;mBACrC,CAAC;;sBAChB,CAAD;;aAA+D,CAAA;;;;aAGvD,CAAC;;OAiNR;IAED;;OAEG;IACI,oBAAoB,CACzB,UAAU,EAAE,mCAAmC,EAC/C,UAAU,CAAC,EAAE,oBAAoB;IAiB5B,kBAAkB,CAAC,aAAa,EAAE,aAAa;cAKtC,kBAAkB,CAChC,iBAAiB,EAAE,sBAAsB,EACzC,SAAS,EAAE,IAAI,GAAG,SAAS,EAC3B,OAAO,CAAC,EAAE;QACR,qBAAqB,CAAC,EAAE,OAAO,CAAA;KAChC,GACA,OAAO,CAAC;QACT,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,EAAE,UAAU,CAAA;KACvB,CAAC;IAgDI,SAAS,CACb,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,4BAA4B,GAClC,OAAO,CAAC,mCAAmC,CAAC;IA0B/C;;OAEG;IACU,0BAA0B,CACrC,WAAW,EAAE,sBAAsB,EACnC,oBAAoB,EAAE,4BAA4B,EAClD,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,gBAAgB,CAAC;YAgEd,2BAA2B;IA6CzC;;OAEG;IACU,SAAS,CACpB,KAAK,EAAE,8BAA8B,EACrC,EAAE,QAAQ,EAAE,cAAc,EAAE,EAAE,UAAU,GACvC,OAAO,CAAC,2BAA2B,GAAG,gCAAgC,CAAC;IAoJ7D,KAAK,CAChB,iBAAiB,EAAE,sBAAsB,EACzC,cAAc,EAAE,eAAe,EAC/B,OAAO,EAAE,iBAAiB,EAC1B,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,kBAAkB,CAAC;cA2Cd,iBAAiB,CAC/B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,IAAI,GAAG,SAAS,EAC3B,OAAO,EAAE;QACP,UAAU,EAAE,mCAAmC,CAAA;QAC/C,QAAQ,EAAE,QAAQ,CAAA;QAClB,UAAU,EAAE,IAAI,GAAG,UAAU,GAAG,gBAAgB,CAAA;KACjD,GACA,OAAO,CAAC,IAAI,CAAC;cA+DA,sBAAsB,CACpC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,uCAAuC,EAC9C,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,kBAAkB,CAAC;cA+Dd,iBAAiB,CAC/B,UAAU,EAAE,mCAAmC,EAC/C,KAAK,EAAE,uCAAuC,GAC7C,OAAO,CAAC,IAAI,CAAC;cAmDA,iBAAiB,CAC/B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,kCAAkC,EACzC,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,kBAAkB,CAAC;cA4Bd,oBAAoB,CAClC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,IAAI,EAAE,SAAS,GACd,OAAO,CAAC,IAAI,CAAC;IAoBhB;;OAEG;IACU,MAAM,CACjB,iBAAiB,EAAE,sBAAsB,EACzC,EAAE,KAAK,EAAE,EAAE,wBAAwB,EACnC,SAAS,EAAE,IAAI,GAAG,SAAS;cAuBJ,WAAW,CAClC,SAAS,EAAE,cAAc,EACzB,KAAK,EAAE,gBAAgB,EACvB,SAAS,EAAE,IAAI,GAAG,SAAS,GAC1B,OAAO,CAAC,kBAAkB,CAAC;CAmB/B"}
package/dist/oauth-provider.js CHANGED
@@ -333,17 +333,12 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
333
333
  client,
334
334
  parameters,
335
335
  requestUri,
336
- sessions: sessions.map((session) => ({
337
- // Map to avoid leaking other data that might be present in the session
338
- account: session.account,
339
- loginRequired: session.loginRequired,
340
- consentRequired: session.consentRequired,
341
- selected: parameters.prompt == null ||
342
- parameters.prompt === 'login' ||
343
- parameters.prompt === 'consent'
344
- ? matchesHint.call(parameters, session)
345
- : false,
346
- })),
336
+ sessions,
337
+ selectedSub: parameters.prompt == null ||
338
+ parameters.prompt === 'login' ||
339
+ parameters.prompt === 'consent'
340
+ ? sessions.find(matchesHint, parameters)?.account.sub
341
+ : undefined,
347
342
  permissionSets: await this.lexiconManager
348
343
  .getPermissionSetsFromScope(parameters.scope)
349
344
  .catch((cause) => {
package/dist/oauth-provider.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-provider.js","sourceRoot":"","sources":["../src/oauth-provider.ts"],"names":[],"mappings":";;;AAAA,6CAAwC;AAExC,sCAA2C;AAyGjB,uFAzGX,YAAM,OAyGW;AAxGhC,wDAAmD;AAwGjB,4FAxGzB,0BAAW,OAwGyB;AAtG7C,sDAmB6B;AAC7B,yDAAwD;AAExD,2EAAqE;AACrE,8EAAqE;AA+E5D,gGA/EA,sCAAe,OA+EA;AA9ExB,qEAA6D;AAC7D,iEAKmC;AAGnC,kEAGmC;AACnC,8DAAqE;AAErE,iDAOuB;AAEvB,uEAIyC;AAEzC,kEAImC;AACnC,8DAAqE;AACrE,sGAA4F;AAC5F,4EAAoE;AACpE,kFAAyE;AACzE,kGAAuF;AACvF,sFAA4E;AAC5E,4EAAmE;AACnE,gFAAuE;AACvE,8EAAqE;AACrE,qEAA6D;AAC7D,iEAAyE;AAGzE,gDAA0D;AAC1D,kDAAiD;AAEjD,oEAA4E;AAE5E,2DAK4B;AAC5B,8DAAqE;AACrE,+CAA8C;AAC9C,qEAA6D;AAC7D,iEAAyE;AACzE,6DAA0D;AAO1D,+DAAuD;AACvD,2DAI+B;AAC/B,yEAAkE;AAmIlE,MAAa,aAAc,SAAQ,iCAAa;IAC3B,eAAe,CAAiB;IAChC,KAAK,CAAY;IAEpB,QAAQ,CAAkC;IAC1C,aAAa,CAAe;IAE5B,oBAAoB,CAAQ;IAE5B,cAAc,CAAgB;IAC9B,aAAa,CAAe;IAC5B,aAAa,CAAe;IAC5B,cAAc,CAAgB;IAC9B,cAAc,CAAgB;IAC9B,YAAY,CAAc;IAE1C,YAAmB;IACjB,sBAAsB;IACtB,oBAAoB,GAAG,qCAAsB,EAC7C,WAAW,GAAG,4BAAa,EAC3B,eAAe,GAAG,sCAAe,CAAC,SAAS,EAE3C,QAAQ,EAER,SAAS,GAAG,IAAA,0BAAa,GAAE,EAC3B,KAAK,EAAE,gCAAgC;IACvC,WAAW,GAAG,IAAI,0BAAW,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IAEnD,kBAAkB;IAClB,YAAY,GAAG,IAAA,iCAAc,EAAC,KAAK,CAAC,EACpC,WAAW,GAAG,IAAA,+BAAa,EAAC,KAAK,CAAC,EAClC,YAAY,GAAG,IAAA,iCAAc,EAAC,KAAK,CAAC,EACpC,UAAU,GAAG,IAAA,6BAAY,EAAC,KAAK,CAAC,EAChC,YAAY,GAAG,IAAA,iCAAc,EAAC,KAAK,CAAC;IAEpC,kBAAkB;IAClB,WAAW,GAAG,IAAA,+BAAa,EAAC,KAAK,CAAC,EAClC,WAAW,GAAG,IAAA,+BAAa,EAAC,KAAK,CAAC,EAElC,eAAe,GAAG,IAAI,uCAAiB,CAAC;QACtC,OAAO,EAAE,UAAU;QACnB,GAAG,EAAE,KAAK;KACX,CAAC,EACF,mBAAmB,GAAG,IAAI,uCAAiB,CAAC;QAC1C,OAAO,EAAE,UAAU;QACnB,GAAG,EAAE,KAAK;KACX,CAAC,EAEF,gBAAgB,GAAG,2CAA6B;IAEhD,eAAe;IACf,yBAAyB;IACzB,yBAAyB;IACzB,gBAAgB;IAChB,GAAG,IAAI,EACc;QACrB,KAAK,CAAC,EAAE,WAAW,EAAE,GAAG,IAAI,EAAE,CAAC,CAAA;QAE/B,wEAAwE;QACxE,2EAA2E;QAC3E,uEAAuE;QACvE,qEAAqE;QACrE,sCAAsC;QACtC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAA;QAEjB,IAAI,CAAC,eAAe,GAAG,eAAe,CAAA;QACtC,IAAI,CAAC,oBAAoB,GAAG,oBAAoB,CAAA;QAChD,IAAI,CAAC,QAAQ,GAAG,IAAA,iCAAa,EAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;QACjE,IAAI,CAAC,aAAa,GAAG,sCAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAEpD,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CAAC,WAAW,EAAE;YAClD,GAAG,IAAI;YACP,MAAM,EAAE;gBACN,GAAG,IAAI,CAAC,MAAM;gBACd,wEAAwE;gBACxE,qEAAqE;gBACrE,qEAAqE;gBACrE,gDAAgD;gBAChD,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC;aACzC;SACF,CAAC,CAAA;QACF,IAAI,CAAC,cAAc,GAAG,IAAI,mCAAc,CACtC,IAAI,CAAC,MAAM,EACX,YAAY,EACZ,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,aAAa,CACnB,CAAA;QACD,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,KAAK,EACV,WAAW,IAAI,IAAI,EACnB,gBAAgB,IAAI,IAAI,EACxB,SAAS,EACT,eAAe,EACf,mBAAmB,CACpB,CAAA;QACD,IAAI,CAAC,cAAc,GAAG,IAAI,mCAAc,CAAC,YAAY,EAAE,WAAW,CAAC,CAAA;QACnE,IAAI,CAAC,cAAc,GAAG,IAAI,mCAAc,CACtC,YAAY,EACZ,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,KAAK,CACX,CAAA;QACD,IAAI,CAAC,YAAY,GAAG,IAAI,+BAAY,CAClC,UAAU,EACV,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,eAAe,EACpB,WAAW,CACZ,CAAA;IACH,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,UAAU,CAAA;IAC/B,CAAC;IAED;;OAEG;IACI,oBAAoB,CACzB,UAA+C,EAC/C,UAAiC;QAEjC,qCAAqC;QACrC,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAA;QAE5B,sCAAsC;QACtC,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,IAAI,CAAA;QAEhD,uEAAuE;QACvE,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QACpD,IAAI,eAAe,IAAI,IAAI;YAAE,OAAO,KAAK,CAAA;QAEzC,0EAA0E;QAC1E,MAAM,EAAE,gBAAgB,EAAE,GAAG,UAAU,CAAA;QACvC,OAAO,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;IAC5E,CAAC;IAEM,kBAAkB,CAAC,aAA4B;QACpD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,CAAC,SAAS,CAAC,OAAO,EAAE,CAAA;QAC9D,OAAO,OAAO,GAAG,IAAI,CAAC,oBAAoB,CAAA;IAC5C,CAAC;IAES,KAAK,CAAC,kBAAkB,CAChC,iBAAyC,EACzC,SAA2B,EAC3B,OAEC;QAKD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAC/C,iBAAiB,CAAC,SAAS,CAC5B,CAAA;QAED,IACE,MAAM,CAAC,QAAQ,CAAC,wBAAwB;YACxC,CAAC,SAAS;YACV,CAAC,OAAO,EAAE,qBAAqB,EAC/B,CAAC;YACD,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,SAAS,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,wBAAwB,EAAE,CAAC;YAC3D,MAAM,IAAI,mDAAqB,CAAC,wCAAwC,CAAC,CAAA;QAC3E,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,iBAAiB,EAAE;YAC9D,6BAA6B,EAAE,IAAI,CAAC,MAAM;SAC3C,CAAC,CAAA;QAEF,IAAI,UAAU,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;YAC5C,sEAAsE;YACtE,IAAI,SAAS,IAAI,UAAU,CAAC,GAAG,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;gBAClD,MAAM,IAAI,8CAAmB,CAC3B,8EAA8E,CAC/E,CAAA;YACH,CAAC;YAED,wDAAwD;YACxD,oEAAoE;YACpE,qEAAqE;YACrE,yEAAyE;YACzE,yCAAyC;YAEzC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,UAAU,CAAC,GAAG,EACd,MAAM,CAAC,EAAE,EACT,UAAU,CAAC,GAAG,CACf,CAAA;YACD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,0CAAiB,CAAC,GAAG,UAAU,CAAC,MAAM,aAAa,CAAC,CAAA;YAChE,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAA;IAC/B,CAAC;IAED,KAAK,CAAC,SAAS,CACb,MAAc,EACd,KAAmC;QAEnC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAClD,KAAK,CAAC,OAAO,EACb,IAAI,CAAC,MAAM,CACZ,CAAA;QAED,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAA;QACvB,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,8CAAmB,CAC3B,mDAAmD,CACpD,CAAA;QACH,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YAC1D,MAAM,IAAI,8CAAmB,CAAC,6BAA6B,CAAC,CAAA;QAC9D,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,uDAAyC;aAC/D,UAAU,CAAC,OAAO,CAAC;aACnB,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,GAAG,GAAG,IAAA,sBAAW,EAAC,GAAG,EAAE,2BAA2B,CAAC,CAAA;YACzD,MAAM,IAAI,8CAAmB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QACzC,CAAC,CAAC,CAAA;QAEJ,OAAO,UAAU,CAAA;IACnB,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,0BAA0B,CACrC,WAAmC,EACnC,oBAAkD,EAClD,SAA2B;QAE3B,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC1D,WAAW,EACX,SAAS;YACT,kEAAkE;YAClE,mEAAmE;YACnE,iBAAiB;YACjB,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAChC,CAAA;YAED,MAAM,UAAU,GACd,SAAS,IAAI,oBAAoB,CAAC,aAAa;gBAC7C,CAAC,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,oBAAoB,CAAC;gBACpD,CAAC,CAAC,oBAAoB,CAAA;YAE1B,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;gBACzB,IAAI,MAAM,CAAC,QAAQ,CAAC,wBAAwB,EAAE,CAAC;oBAC7C,IAAI,SAAS;wBAAE,UAAU,CAAC,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAA;yBAC7C,CAAC;wBACJ,oEAAoE;wBACpE,iEAAiE;wBACjE,sBAAsB;wBACtB,6DAA6D;oBAC/D,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,wBAAwB,EAAE,CAAC;oBAC9C,MAAM,IAAI,8CAAmB,CAC3B,0DAA0D,CAC3D,CAAA;gBACH,CAAC;gBAED,wEAAwE;gBACxE,oCAAoC;gBACpC,IAAI,SAAS,IAAI,SAAS,CAAC,GAAG,KAAK,UAAU,CAAC,QAAQ,EAAE,CAAC;oBACvD,MAAM,IAAI,8DAA0B,EAAE,CAAA;gBACxC,CAAC;YACH,CAAC;YAED,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAC7B,MAAM,IAAI,CAAC,cAAc,CAAC,0BAA0B,CAClD,MAAM,EACN,UAAU,EACV,UAAU,EACV,IAAI,CACL,CAAA;YAEH,OAAO;gBACL,WAAW,EAAE,UAAU;gBACvB,UAAU,EAAE,IAAA,+BAAqB,EAAC,SAAS,CAAC;aAC7C,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,8DAA8D;YAC9D,0EAA0E;YAC1E,oEAAoE;YACpE,8DAA8D;YAC9D,IAAI,GAAG,YAAY,2CAAkB,IAAI,CAAC,IAAA,0CAAkB,EAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxE,MAAM,IAAI,8CAAmB,CAAC,GAAG,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAA;YAC3D,CAAC;YACD,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,2BAA2B,CACvC,MAAc,EACd,QAAkB,EAClB,KAAqC;QAErC,MAAM;QACN,IAAI,aAAa,IAAI,KAAK,EAAE,CAAC;YAC3B,MAAM,UAAU,GAAG,IAAA,gCAAe,EAAC,KAAK,CAAC,WAAW,EAAE;gBACpD,IAAI,EAAE,CAAC,OAAO,EAAE,aAAa,CAAC;aAC/B,CAAC,CAAA;YACF,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC,CAAA;QACjE,CAAC;QAED,MAAM;QACN,IAAI,SAAS,IAAI,KAAK,EAAE,CAAC;YACvB,0EAA0E;YAC1E,mEAAmE;YACnE,gEAAgE;YAChE,+DAA+D;YAC/D,kDAAkD;YAClD,qCAAqC;YACrC,4CAA4C;YAC5C,wEAAwE;YACxE,kEAAkE;YAClE,qEAAqE;YACrE,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YAEtD,OAAO,IAAI,CAAC,cAAc,CAAC,0BAA0B,CACnD,MAAM,EACN,IAAI,EACJ,UAAU,EACV,QAAQ,CACT,CAAA;QACH,CAAC;QAED,4EAA4E;QAC5E,qEAAqE;QACrE,OAAO,IAAI,CAAC,cAAc,CAAC,0BAA0B,CACnD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,QAAQ,CACT,CAAA;IACH,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,SAAS,CACpB,KAAqC,EACrC,EAAE,QAAQ,EAAE,cAAc,EAAc;QAExC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAA;QAEvB,oEAAoE;QACpE,qDAAqD;QACrD,MAAM,uBAAuB,GAC3B,cAAc,IAAI,KAAK;YACrB,CAAC,CAAC,CAAC,GAAY,EAAS,EAAE;gBACtB,iFAAiF;gBACjF,MAAM,2CAAkB,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;YAC3C,CAAC;YACH,CAAC,CAAC,IAAI,CAAA;QAEV,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa;aACpC,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC;aAC1B,KAAK,CAAC,uBAAuB,CAAC,CAAA;QAEjC,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,2BAA2B,CACvE,MAAM,EACN,QAAQ,EACR,KAAK,CACN,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAA;QAEhC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,CACf,MAAM,IAAI,CAAC,cAAc,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CACvD,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;gBACxB,OAAO,EAAE,aAAa,CAAC,OAAO;gBAE9B,mEAAmE;gBACnE,iEAAiE;gBACjE,aAAa,EACX,UAAU,CAAC,MAAM,KAAK,OAAO;oBAC7B,IAAI,CAAC,kBAAkB,CAAC,aAAa,CAAC;gBACxC,eAAe,EAAE,IAAI,CAAC,oBAAoB,CACxC,UAAU,EACV,aAAa,CAAC,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAC/C;aACF,CAAC,CAAC,CAAA;YAEH,oEAAoE;YAEpE,wBAAwB;YACxB,EAAE;YACF,yEAAyE;YACzE,uEAAuE;YACvE,sEAAsE;YACtE,yEAAyE;YACzE,oEAAoE;YACpE,0CAA0C;YAC1C,IAAI,UAAU,CAAC,MAAM,KAAK,gBAAgB,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAC/D,MAAM,IAAI,mEAA6B,CAAC,UAAU,CAAC,CAAA;YACrD,CAAC;YAED,cAAc;YACd,EAAE;YACF,oEAAoE;YACpE,yEAAyE;YACzE,yEAAyE;YACzE,0EAA0E;YAC1E,iEAAiE;YACjE,qEAAqE;YACrE,wEAAwE;YACxE,mCAAmC;YACnC,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBACjC,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC,CAAA;gBAC5D,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAM,IAAI,mEAA6B,CAAC,UAAU,CAAC,CAAA;gBACrD,CAAC;gBACD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAM,IAAI,4CAAkB,CAAC,UAAU,CAAC,CAAA;gBAC1C,CAAC;gBAED,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAE,CAAA;gBAClC,IAAI,UAAU,CAAC,aAAa,EAAE,CAAC;oBAC7B,MAAM,IAAI,4CAAkB,CAAC,UAAU,CAAC,CAAA;gBAC1C,CAAC;gBACD,IAAI,UAAU,CAAC,eAAe,EAAE,CAAC;oBAC/B,MAAM,IAAI,gDAAoB,CAAC,UAAU,CAAC,CAAA;gBAC5C,CAAC;gBAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAClD,UAAU,EACV,MAAM,EACN,UAAU,CAAC,OAAO,EAClB,QAAQ,EACR,cAAc,CACf,CAAA;gBAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,CAAA;YACnD,CAAC;YAED,uEAAuE;YACvE,IAAI,UAAU,CAAC,MAAM,IAAI,IAAI,IAAI,UAAU,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC;gBAC/D,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC,CAAA;gBAC5D,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC7B,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAE,CAAA;oBAClC,IAAI,CAAC,UAAU,CAAC,aAAa,IAAI,CAAC,UAAU,CAAC,eAAe,EAAE,CAAC;wBAC7D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAClD,UAAU,EACV,MAAM,EACN,UAAU,CAAC,OAAO,EAClB,QAAQ,EACR,cAAc,CACf,CAAA;wBAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,CAAA;oBACnD,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO;gBACL,MAAM;gBACN,MAAM;gBACN,UAAU;gBACV,UAAU;gBACV,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;oBACnC,uEAAuE;oBACvE,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,aAAa,EAAE,OAAO,CAAC,aAAa;oBACpC,eAAe,EAAE,OAAO,CAAC,eAAe;oBAExC,QAAQ,EACN,UAAU,CAAC,MAAM,IAAI,IAAI;wBACzB,UAAU,CAAC,MAAM,KAAK,OAAO;wBAC7B,UAAU,CAAC,MAAM,KAAK,SAAS;wBAC7B,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC;wBACvC,CAAC,CAAC,KAAK;iBACZ,CAAC,CAAC;gBACH,cAAc,EAAE,MAAM,IAAI,CAAC,cAAc;qBACtC,0BAA0B,CAAC,UAAU,CAAC,KAAK,CAAC;qBAC5C,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;oBACf,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,oCAAoC,EACpC,eAAe,EACf,KAAK,CACN,CAAA;gBACH,CAAC,CAAC;aACL,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,uDAAuD;gBACvD,EAAE;gBACF,+DAA+D;gBAC/D,+BAA+B;YACjC,CAAC;YAED,MAAM,2CAAkB,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,CAAC,CAAA;QAChD,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,KAAK,CAChB,iBAAyC,EACzC,cAA+B,EAC/B,OAA0B,EAC1B,SAA2B;QAE3B,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC1D,iBAAiB,EACjB,SAAS,CACV,CAAA;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YACvE,MAAM,IAAI,0CAAiB,CACzB,eAAe,OAAO,CAAC,UAAU,kCAAkC,CACpE,CAAA;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,0CAAiB,CACzB,IAAI,OAAO,CAAC,UAAU,6CAA6C,CACpE,CAAA;QACH,CAAC;QAED,IAAI,OAAO,CAAC,UAAU,KAAK,oBAAoB,EAAE,CAAC;YAChD,OAAO,IAAI,CAAC,sBAAsB,CAChC,MAAM,EACN,UAAU,EACV,cAAc,EACd,OAAO,EACP,SAAS,CACV,CAAA;QACH,CAAC;QAED,IAAI,OAAO,CAAC,UAAU,KAAK,eAAe,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAC,iBAAiB,CAC3B,MAAM,EACN,UAAU,EACV,cAAc,EACd,OAAO,EACP,SAAS,CACV,CAAA;QACH,CAAC;QAED,MAAM,IAAI,0CAAiB,CACzB,eAAe,OAAO,CAAC,UAAU,iBAAiB,CACnD,CAAA;IACH,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,MAAc,EACd,UAAsB,EACtB,SAA2B,EAC3B,OAIC;QAED,iFAAiF;QACjF,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,CAAC,QAAQ,CAAC,0BAA0B,EAAE,CAAC;YACrE,MAAM,IAAI,0CAAiB,CACzB,mDAAmD,MAAM,CAAC,QAAQ,CAAC,0BAA0B,SAAS,UAAU,CAAC,MAAM,GAAG,CAC3H,CAAA;QACH,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,IAAI,0CAAiB,CAAC,qCAAqC,CAAC,CAAA;QACpE,CAAC;QAED,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAA;QAC9B,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACxB,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,0CAAiB,CAAC,yCAAyC,CAAC,CAAA;YACxE,CAAC;iBAAM,IAAI,UAAU,CAAC,QAAQ,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;gBACjD,MAAM,IAAI,0CAAiB,CACzB,4CAA4C,CAC7C,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;YACxB,2EAA2E;YAC3E,yEAAyE;YACzE,4EAA4E;YAC5E,8DAA8D;YAC9D,wEAAwE;YACxE,eAAe;YACf,OAAM;QACR,CAAC;QAED,QAAQ,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;YAClC,KAAK,8CAAgC,CAAC,CAAC,SAAS;YAChD,KAAK,iBAAiB;gBACpB,IAAI,UAAU,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;oBAC5C,MAAM,IAAI,0CAAiB,CACzB,mDAAmD,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,CAChF,CAAA;gBACH,CAAC;gBACD,IACE,UAAU,CAAC,GAAG,KAAK,OAAO,CAAC,UAAU,CAAC,GAAG;oBACzC,UAAU,CAAC,GAAG,KAAK,OAAO,CAAC,UAAU,CAAC,GAAG;oBACzC,UAAU,CAAC,GAAG,KAAK,OAAO,CAAC,UAAU,CAAC,GAAG,EACzC,CAAC;oBACD,MAAM,IAAI,0CAAiB,CACzB,yFAAyF,CAC1F,CAAA;gBACH,CAAC;gBACD,MAAK;YACP,KAAK,MAAM;gBACT,qEAAqE;gBACrE,mEAAmE;gBACnE,MAAK;YACP;gBACE,MAAM,IAAI,0CAAiB;gBACzB,2DAA2D;gBAC3D,mBAAmB,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,CAChD,CAAA;QACL,CAAC;IACH,CAAC;IAES,KAAK,CAAC,sBAAsB,CACpC,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,KAA8C,EAC9C,SAA2B;QAE3B,MAAM,IAAI,GAAG,MAAM,oBAAU;aAC1B,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;aAC1C,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,GAAG,GAAG,IAAA,sBAAW,EAAC,GAAG,EAAE,cAAc,CAAC,CAAA;YAC5C,MAAM,IAAI,0CAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QACvC,CAAC,CAAC,CAAA;QAEJ,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc;aACnC,WAAW,CAAC,IAAI,CAAC;aACjB,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YACnB,uDAAuD;YACvD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC,CAAA;YAC1D,IAAI,SAAS,EAAE,CAAC;gBACd,wEAAwE;gBACxE,IAAI,CAAC;oBACH,+CAA+C;oBAC/C,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;gBACnD,CAAC;wBAAS,CAAC;oBACT,kEAAkE;oBAClE,kEAAkE;oBAClE,gCAAgC;oBAChC,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,SAAS,CAAC,IAAI,CAAA;oBACxC,IAAI,QAAQ,EAAE,CAAC;wBACb,MAAM,IAAI,CAAC,cAAc,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;oBAC9D,CAAC;gBACH,CAAC;YACH,CAAC;YAED,MAAM,0CAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAA;QACnD,CAAC,CAAC,CAAA;QAEJ,4EAA4E;QAC5E,uEAAuE;QACvE,2EAA2E;QAC3E,WAAW;QAEX,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,CAAC,CAAA;QAEjE,0EAA0E;QAC1E,UAAU;QACV,MAAM,UAAU,GACd,SAAS;YACT,MAAM,CAAC,QAAQ,CAAC,wBAAwB;YACxC,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ;YACvB,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,CAAC,GAAG,EAAE;YACjD,CAAC,CAAC,IAAI,CAAC,UAAU,CAAA;QAErB,MAAM,IAAI,CAAC,iBAAiB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAA;QAE/C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAElE,OAAO,IAAI,CAAC,YAAY,CAAC,WAAW,CAClC,MAAM,EACN,UAAU,EACV,cAAc,EACd,OAAO,EACP,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CACL,CAAA;IACH,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,UAA+C,EAC/C,KAA8C;QAE9C,IAAI,UAAU,CAAC,YAAY,KAAK,KAAK,CAAC,YAAY,EAAE,CAAC;YACnD,MAAM,IAAI,0CAAiB,CACzB,iFAAiF,CAClF,CAAA;QACH,CAAC;QAED,IAAI,UAAU,CAAC,cAAc,EAAE,CAAC;YAC9B,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;gBACzB,MAAM,IAAI,0CAAiB,CAAC,2BAA2B,CAAC,CAAA;YAC1D,CAAC;YACD,IAAI,KAAK,CAAC,aAAa,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;gBACpC,MAAM,IAAI,0CAAiB,CAAC,yBAAyB,CAAC,CAAA;YACxD,CAAC;YACD,QAAQ,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACzC,KAAK,SAAS,CAAC,CAAC,qBAAqB;gBACrC,KAAK,OAAO;oBACV,IAAI,UAAU,CAAC,cAAc,KAAK,KAAK,CAAC,aAAa,EAAE,CAAC;wBACtD,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;oBACtD,CAAC;oBACD,MAAK;gBAEP,KAAK,MAAM,CAAC,CAAC,CAAC;oBACZ,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAChC,UAAU,CAAC,cAAc,EACzB,QAAQ,CACT,CAAA;oBACD,MAAM,iBAAiB,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC;yBAC3C,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC;yBAC3B,MAAM,EAAE,CAAA;oBACX,IAAI,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;wBACpD,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;oBACtD,CAAC;oBACD,MAAK;gBACP,CAAC;gBAED;oBACE,qEAAqE;oBACrE,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAA;YACxD,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CACzD,UAAU,CAAC,cAAc,CAC1B,CAAA;YACD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,0CAAiB,CAAC,6BAA6B,CAAC,CAAA;YAC5D,CAAC;QACH,CAAC;aAAM,IAAI,KAAK,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YAC7C,MAAM,IAAI,8CAAmB,CAAC,0CAA0C,CAAC,CAAA;QAC3E,CAAC;IACH,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,KAAyC,EACzC,SAA2B;QAE3B,MAAM,YAAY,GAAG,MAAM,mCAAkB;aAC1C,UAAU,CAAC,KAAK,CAAC,aAAa,EAAE,EAAE,IAAI,EAAE,CAAC,eAAe,CAAC,EAAE,CAAC;aAC5D,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,GAAG,GAAG,IAAA,sBAAW,EAAC,GAAG,EAAE,uBAAuB,CAAC,CAAA;YACrD,MAAM,IAAI,0CAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QACvC,CAAC,CAAC,CAAA;QAEJ,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAA;QAE3E,IAAI,CAAC;YACH,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;YAC1B,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,CAAC,CAAA;YACjE,MAAM,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,CAAA;YAEzD,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CACxC,MAAM,EACN,UAAU,EACV,cAAc,EACd,SAAS,CACV,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YAEjD,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAES,KAAK,CAAC,oBAAoB,CAClC,MAAc,EACd,UAAsB,EACtB,IAAe;QAEf,MAAM,CAAC,eAAe,EAAE,eAAe,CAAC,GACtC,UAAU,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY;YACtD,CAAC,CAAC;gBACE,mDAAoC;gBACpC,mDAAoC;aACrC;YACH,CAAC,CAAC,CAAC,6CAA8B,EAAE,6CAA8B,CAAC,CAAA;QAEtE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAA;QACxD,IAAI,UAAU,GAAG,eAAe,EAAE,CAAC;YACjC,MAAM,IAAI,0CAAiB,CAAC,iBAAiB,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAA;QACxD,IAAI,UAAU,GAAG,eAAe,EAAE,CAAC;YACjC,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;IACH,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,MAAM,CACjB,iBAAyC,EACzC,EAAE,KAAK,EAA4B,EACnC,SAA2B;QAE3B,wEAAwE;QACxE,mCAAmC;QACnC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC1D,iBAAiB,EACjB,SAAS,CACV,CAAA;QAED,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAC1D,IAAI,SAAS,EAAE,CAAC;YACd,uEAAuE;YACvE,mCAAmC;YACnC,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;YAC1B,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,CAAC,CAAA;YAEjE,0EAA0E;YAC1E,uEAAuE;YACvE,gCAAgC;YAChC,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC;IAEkB,KAAK,CAAC,WAAW,CAClC,SAAyB,EACzB,KAAuB,EACvB,SAA2B;QAE3B,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,SAAS,EAAE,KAAK,EAAE,SAAS,CAAC,CAAA;QAEzE,IAAI,IAAI,CAAC,eAAe,KAAK,sCAAe,CAAC,SAAS,EAAE,CAAC;YACvD,wEAAwE;YACxE,uEAAuE;YACvE,uEAAuE;YACvE,WAAW;YAEX,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,CACzD,SAAS,EACT,YAAY,CACb,CAAA;YAED,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,CAAA;QAC1C,CAAC;QAED,OAAO,YAAY,CAAA;IACrB,CAAC;CACF;AA71BD,sCA61BC;AAED,SAAS,WAAW,CAElB,EAAE,OAAO,EAAwB;IAEjC,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAA;IAC5B,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAA;IAEvB,OAAO,OAAO,CAAC,GAAG,KAAK,IAAI,IAAI,OAAO,CAAC,kBAAkB,KAAK,IAAI,CAAA;AACpE,CAAC","sourcesContent":["import { createHash } from 'node:crypto'\nimport type { Redis, RedisOptions } from 'ioredis'\nimport { Jwks, Keyset } from '@atproto/jwk'\nimport { LexResolver } from '@atproto/lex-resolver'\nimport type { Account } from '@atproto/oauth-provider-api'\nimport {\n CLIENT_ASSERTION_TYPE_JWT_BEARER,\n OAuthAccessToken,\n OAuthAuthorizationCodeGrantTokenRequest,\n OAuthAuthorizationRequestJar,\n OAuthAuthorizationRequestPar,\n OAuthAuthorizationRequestParameters,\n OAuthAuthorizationRequestQuery,\n OAuthAuthorizationServerMetadata,\n OAuthClientCredentials,\n OAuthClientMetadata,\n OAuthParResponse,\n OAuthRefreshTokenGrantTokenRequest,\n OAuthTokenIdentification,\n OAuthTokenRequest,\n OAuthTokenResponse,\n OAuthTokenType,\n atprotoLoopbackClientMetadata,\n oauthAuthorizationRequestParametersSchema,\n} from '@atproto/oauth-types'\nimport { safeFetchWrap } from '@atproto-labs/fetch-node'\nimport { SimpleStore } from '@atproto-labs/simple-store'\nimport { SimpleStoreMemory } from '@atproto-labs/simple-store-memory'\nimport { AccessTokenMode } from './access-token/access-token-mode.js'\nimport { AccountManager } from './account/account-manager.js'\nimport {\n AccountStore,\n AuthorizedClientData,\n DeviceAccount,\n asAccountStore,\n} from './account/account-store.js'\nimport { ClientAuth, ClientAuthLegacy } from './client/client-auth.js'\nimport { ClientId } from './client/client-id.js'\nimport {\n ClientManager,\n LoopbackMetadataGetter,\n} from './client/client-manager.js'\nimport { ClientStore, ifClientStore } from './client/client-store.js'\nimport { Client } from './client/client.js'\nimport {\n AUTHENTICATION_MAX_AGE,\n CONFIDENTIAL_CLIENT_REFRESH_LIFETIME,\n CONFIDENTIAL_CLIENT_SESSION_LIFETIME,\n PUBLIC_CLIENT_REFRESH_LIFETIME,\n PUBLIC_CLIENT_SESSION_LIFETIME,\n TOKEN_MAX_AGE,\n} from './constants.js'\nimport { Branding, BrandingInput } from './customization/branding.js'\nimport {\n Customization,\n CustomizationInput,\n customizationSchema,\n} from './customization/customization.js'\nimport { DeviceId } from './device/device-id.js'\nimport {\n DeviceInfo,\n DeviceManager,\n DeviceManagerOptions,\n} from './device/device-manager.js'\nimport { DeviceStore, asDeviceStore } from './device/device-store.js'\nimport { AccountSelectionRequiredError } from './errors/account-selection-required-error.js'\nimport { AuthorizationError } from './errors/authorization-error.js'\nimport { ConsentRequiredError } from './errors/consent-required-error.js'\nimport { InvalidDpopKeyBindingError } from './errors/invalid-dpop-key-binding-error.js'\nimport { InvalidDpopProofError } from './errors/invalid-dpop-proof-error.js'\nimport { InvalidGrantError } from './errors/invalid-grant-error.js'\nimport { InvalidRequestError } from './errors/invalid-request-error.js'\nimport { LoginRequiredError } from './errors/login-required-error.js'\nimport { LexiconManager } from './lexicon/lexicon-manager.js'\nimport { LexiconStore, asLexiconStore } from './lexicon/lexicon-store.js'\nimport { HcaptchaConfig } from './lib/hcaptcha.js'\nimport { RequestMetadata } from './lib/http/request.js'\nimport { dateToRelativeSeconds } from './lib/util/date.js'\nimport { formatError } from './lib/util/error.js'\nimport { MultiLangString } from './lib/util/locale.js'\nimport { CustomMetadata, buildMetadata } from './metadata/build-metadata.js'\nimport { OAuthHooks } from './oauth-hooks.js'\nimport {\n DpopProof,\n OAuthVerifier,\n OAuthVerifierOptions,\n VerifyTokenPayloadOptions,\n} from './oauth-verifier.js'\nimport { ReplayStore, ifReplayStore } from './replay/replay-store.js'\nimport { codeSchema } from './request/code.js'\nimport { RequestManager } from './request/request-manager.js'\nimport { RequestStore, asRequestStore } from './request/request-store.js'\nimport { parseRequestUri } from './request/request-uri.js'\nimport { AuthorizationRedirectParameters } from './result/authorization-redirect-parameters.js'\nimport { AuthorizationResultAuthorizePage } from './result/authorization-result-authorize-page.js'\nimport { AuthorizationResultRedirect } from './result/authorization-result-redirect.js'\nimport { ErrorHandler } from './router/error-handler.js'\nimport { AccessTokenPayload } from './signer/access-token-payload.js'\nimport { TokenData } from './token/token-data.js'\nimport { TokenManager } from './token/token-manager.js'\nimport {\n TokenStore,\n asTokenStore,\n refreshTokenSchema,\n} from './token/token-store.js'\nimport { isPARResponseError } from './types/par-response-error.js'\n\nexport { AccessTokenMode, Keyset, LexResolver }\nexport type {\n AccessTokenPayload,\n AuthorizationRedirectParameters,\n AuthorizationResultAuthorizePage as AuthorizationResultAuthorize,\n AuthorizationResultRedirect,\n Branding,\n BrandingInput,\n CustomMetadata,\n Customization,\n CustomizationInput,\n ErrorHandler,\n HcaptchaConfig,\n MultiLangString,\n OAuthAuthorizationServerMetadata,\n VerifyTokenPayloadOptions,\n}\n\ntype OAuthProviderConfig = {\n /**\n * Maximum age a device/account session can be before requiring\n * re-authentication.\n */\n authenticationMaxAge?: number\n\n /**\n * Maximum age access & id tokens can be before requiring a refresh.\n */\n tokenMaxAge?: number\n\n /**\n * If set to {@link AccessTokenMode.stateless}, the generated access tokens\n * will contain all the necessary information to validate the token without\n * needing to query the database. This is useful for cases where the Resource\n * Server is on a different host/server than the Authorization Server.\n *\n * When set to {@link AccessTokenMode.light}, the access tokens will contain\n * only the necessary information to validate the token, but the token id\n * will need to be queried from the database to retrieve the full token\n * information (scope, audience, etc.)\n *\n * @see {@link AccessTokenMode}\n * @default {AccessTokenMode.stateless}\n */\n accessTokenMode?: AccessTokenMode\n\n /**\n * Additional metadata to be included in the discovery document.\n */\n metadata?: CustomMetadata\n\n /**\n * A Lexicon resolver instance to use for fetching lexicon schemas.\n */\n lexResolver?: LexResolver\n\n /**\n * A custom fetch function that can be used to fetch the client metadata from\n * the internet. By default, the fetch function is a safeFetchWrap() function\n * that protects against SSRF attacks, large responses & known bad domains. If\n * you want to disable all protections, you can provide `globalThis.fetch` as\n * fetch function.\n */\n safeFetch?: typeof globalThis.fetch\n\n /**\n * A redis instance to use for replay protection. If not provided, replay\n * protection will use memory storage.\n */\n redis?: Redis | RedisOptions | string\n\n /**\n * This will be used as the default store for all the stores. If a store is\n * not provided, this store will be used instead. If the `store` does not\n * implement a specific store, a runtime error will be thrown. Make sure that\n * this store implements all the interfaces not provided in the other\n * `<name>Store` options.\n */\n store?: Partial<\n AccountStore &\n ClientStore &\n DeviceStore &\n LexiconStore &\n ReplayStore &\n RequestStore &\n TokenStore\n >\n\n accountStore?: AccountStore\n clientStore?: ClientStore\n deviceStore?: DeviceStore\n lexiconStore?: LexiconStore\n replayStore?: ReplayStore\n requestStore?: RequestStore\n tokenStore?: TokenStore\n\n /**\n * In order to speed up the client fetching process, you can provide a cache\n * to store HTTP responses.\n *\n * @note the cached entries should automatically expire after a certain time (typically 10 minutes)\n */\n clientJwksCache?: SimpleStore<string, Jwks>\n\n /**\n * In order to speed up the client fetching process, you can provide a cache\n * to store HTTP responses.\n *\n * @note the cached entries should automatically expire after a certain time (typically 10 minutes)\n */\n clientMetadataCache?: SimpleStore<string, OAuthClientMetadata>\n\n /**\n * In order to enable loopback clients, you can provide a function that\n * returns the client metadata for a given loopback URL. This is useful for\n * development and testing purposes. This function is not called for internet\n * clients.\n *\n * @default is as specified by ATPROTO\n */\n loopbackMetadata?: null | false | LoopbackMetadataGetter\n}\n\nexport type OAuthProviderOptions = OAuthProviderConfig &\n OAuthVerifierOptions &\n OAuthHooks &\n DeviceManagerOptions &\n CustomizationInput\n\nexport class OAuthProvider extends OAuthVerifier {\n protected readonly accessTokenMode: AccessTokenMode\n protected readonly hooks: OAuthHooks\n\n public readonly metadata: OAuthAuthorizationServerMetadata\n public readonly customization: Customization\n\n public readonly authenticationMaxAge: number\n\n public readonly accountManager: AccountManager\n public readonly deviceManager: DeviceManager\n public readonly clientManager: ClientManager\n public readonly lexiconManager: LexiconManager\n public readonly requestManager: RequestManager\n public readonly tokenManager: TokenManager\n\n public constructor({\n // OAuthProviderConfig\n authenticationMaxAge = AUTHENTICATION_MAX_AGE,\n tokenMaxAge = TOKEN_MAX_AGE,\n accessTokenMode = AccessTokenMode.stateless,\n\n metadata,\n\n safeFetch = safeFetchWrap(),\n store, // compound store implementation\n lexResolver = new LexResolver({ fetch: safeFetch }),\n\n // Required stores\n accountStore = asAccountStore(store),\n deviceStore = asDeviceStore(store),\n lexiconStore = asLexiconStore(store),\n tokenStore = asTokenStore(store),\n requestStore = asRequestStore(store),\n\n // Optional stores\n clientStore = ifClientStore(store),\n replayStore = ifReplayStore(store),\n\n clientJwksCache = new SimpleStoreMemory({\n maxSize: 50_000_000,\n ttl: 600e3,\n }),\n clientMetadataCache = new SimpleStoreMemory({\n maxSize: 50_000_000,\n ttl: 600e3,\n }),\n\n loopbackMetadata = atprotoLoopbackClientMetadata,\n\n // OAuthHooks &\n // OAuthVerifierOptions &\n // DeviceManagerOptions &\n // Customization\n ...rest\n }: OAuthProviderOptions) {\n super({ replayStore, ...rest })\n\n // @NOTE: hooks don't really need a type parser, as all zod can actually\n // check at runtime is the fact that the values are functions. The only way\n // we would benefit from zod here would be to wrap the functions with a\n // validator for the provided function's return types, which we don't\n // really need if types are respected.\n this.hooks = rest\n\n this.accessTokenMode = accessTokenMode\n this.authenticationMaxAge = authenticationMaxAge\n this.metadata = buildMetadata(this.issuer, this.keyset, metadata)\n this.customization = customizationSchema.parse(rest)\n\n this.deviceManager = new DeviceManager(deviceStore, {\n ...rest,\n cookie: {\n ...rest.cookie,\n // \"secure\" defaults to \"true\" in DeviceManager. For the oauth routes to\n // work from localhost on Safari, we need to explicitly set secure to\n // false for localhost usage. This is not really an issue with Chrome\n // and Firefox, but Safari enforces it strictly.\n secure: !this.issuer.startsWith('http:'),\n },\n })\n this.accountManager = new AccountManager(\n this.issuer,\n accountStore,\n this.hooks,\n this.customization,\n )\n this.clientManager = new ClientManager(\n this.metadata,\n this.keyset,\n this.hooks,\n clientStore || null,\n loopbackMetadata || null,\n safeFetch,\n clientJwksCache,\n clientMetadataCache,\n )\n this.lexiconManager = new LexiconManager(lexiconStore, lexResolver)\n this.requestManager = new RequestManager(\n requestStore,\n this.lexiconManager,\n this.signer,\n this.metadata,\n this.hooks,\n )\n this.tokenManager = new TokenManager(\n tokenStore,\n this.lexiconManager,\n this.signer,\n this.hooks,\n this.accessTokenMode,\n tokenMaxAge,\n )\n }\n\n get jwks() {\n return this.keyset.publicJwks\n }\n\n /**\n * @returns true if the user's consent is required for the requested scopes\n */\n public checkConsentRequired(\n parameters: OAuthAuthorizationRequestParameters,\n clientData?: AuthorizedClientData,\n ) {\n // Client was never authorized before\n if (!clientData) return true\n\n // Client explicitly asked for consent\n if (parameters.prompt === 'consent') return true\n\n // No scope requested, and client is known by user, no consent required\n const requestedScopes = parameters.scope?.split(' ')\n if (requestedScopes == null) return false\n\n // Ensure that all requested scopes were previously authorized by the user\n const { authorizedScopes } = clientData\n return !requestedScopes.every((scope) => authorizedScopes.includes(scope))\n }\n\n public checkLoginRequired(deviceAccount: DeviceAccount) {\n const authAge = Date.now() - deviceAccount.updatedAt.getTime()\n return authAge > this.authenticationMaxAge\n }\n\n protected async authenticateClient(\n clientCredentials: OAuthClientCredentials,\n dpopProof: null | DpopProof,\n options?: {\n allowMissingDpopProof?: boolean\n },\n ): Promise<{\n client: Client\n clientAuth: ClientAuth\n }> {\n const client = await this.clientManager.getClient(\n clientCredentials.client_id,\n )\n\n if (\n client.metadata.dpop_bound_access_tokens &&\n !dpopProof &&\n !options?.allowMissingDpopProof\n ) {\n throw new InvalidDpopProofError('DPoP proof required')\n }\n\n if (dpopProof && !client.metadata.dpop_bound_access_tokens) {\n throw new InvalidDpopProofError('DPoP proof not allowed for this client')\n }\n\n const clientAuth = await client.authenticate(clientCredentials, {\n authorizationServerIdentifier: this.issuer,\n })\n\n if (clientAuth.method === 'private_key_jwt') {\n // Clients MUST NOT use their client assertion key to sign DPoP proofs\n if (dpopProof && clientAuth.jkt === dpopProof.jkt) {\n throw new InvalidRequestError(\n 'The DPoP proof must be signed with a different key than the client assertion',\n )\n }\n\n // https://www.rfc-editor.org/rfc/rfc7523.html#section-3\n // > 7. [...] The authorization server MAY ensure that JWTs are not\n // > replayed by maintaining the set of used \"jti\" values for the\n // > length of time for which the JWT would be considered valid based\n // > on the applicable \"exp\" instant.\n\n const unique = await this.replayManager.uniqueAuth(\n clientAuth.jti,\n client.id,\n clientAuth.exp,\n )\n if (!unique) {\n throw new InvalidGrantError(`${clientAuth.method} jti reused`)\n }\n }\n\n return { client, clientAuth }\n }\n\n async decodeJAR(\n client: Client,\n input: OAuthAuthorizationRequestJar,\n ): Promise<OAuthAuthorizationRequestParameters> {\n const { payload } = await client.decodeRequestObject(\n input.request,\n this.issuer,\n )\n\n const { jti } = payload\n if (!jti) {\n throw new InvalidRequestError(\n 'Request object payload must contain a \"jti\" claim',\n )\n }\n if (!(await this.replayManager.uniqueJar(jti, client.id))) {\n throw new InvalidRequestError('Request object was replayed')\n }\n\n const parameters = await oauthAuthorizationRequestParametersSchema\n .parseAsync(payload)\n .catch((err) => {\n const msg = formatError(err, 'Invalid parameters in JAR')\n throw new InvalidRequestError(msg, err)\n })\n\n return parameters\n }\n\n /**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc9126}\n */\n public async pushedAuthorizationRequest(\n credentials: OAuthClientCredentials,\n authorizationRequest: OAuthAuthorizationRequestPar,\n dpopProof: null | DpopProof,\n ): Promise<OAuthParResponse> {\n try {\n const { client, clientAuth } = await this.authenticateClient(\n credentials,\n dpopProof,\n // Allow missing DPoP header for PAR requests as rfc9449 allows it\n // (though the dpop_jkt parameter must be present in that case, see\n // check bellow).\n { allowMissingDpopProof: true },\n )\n\n const parameters =\n 'request' in authorizationRequest // Handle JAR\n ? await this.decodeJAR(client, authorizationRequest)\n : authorizationRequest\n\n if (!parameters.dpop_jkt) {\n if (client.metadata.dpop_bound_access_tokens) {\n if (dpopProof) parameters.dpop_jkt = dpopProof.jkt\n else {\n // @NOTE When both PAR and DPoP are used, either the DPoP header, or\n // the dpop_jkt parameter must be present. We do not enforce this\n // for legacy reasons.\n // https://datatracker.ietf.org/doc/html/rfc9449#section-10.1\n }\n }\n } else {\n if (!client.metadata.dpop_bound_access_tokens) {\n throw new InvalidRequestError(\n 'DPoP bound access tokens are not enabled for this client',\n )\n }\n\n // Proof is optional if the dpop_jkt is provided, but if it is provided,\n // it must match the DPoP proof JKT.\n if (dpopProof && dpopProof.jkt !== parameters.dpop_jkt) {\n throw new InvalidDpopKeyBindingError()\n }\n }\n\n const { requestUri, expiresAt } =\n await this.requestManager.createAuthorizationRequest(\n client,\n clientAuth,\n parameters,\n null,\n )\n\n return {\n request_uri: requestUri,\n expires_in: dateToRelativeSeconds(expiresAt),\n }\n } catch (err) {\n // https://datatracker.ietf.org/doc/html/rfc9126#section-2.3-1\n // > Since initial processing of the pushed authorization request does not\n // > involve resource owner interaction, error codes related to user\n // > interaction, such as \"access_denied\", are never returned.\n if (err instanceof AuthorizationError && !isPARResponseError(err.error)) {\n throw new InvalidRequestError(err.error_description, err)\n }\n throw err\n }\n }\n\n private async processAuthorizationRequest(\n client: Client,\n deviceId: DeviceId,\n query: OAuthAuthorizationRequestQuery,\n ) {\n // PAR\n if ('request_uri' in query) {\n const requestUri = parseRequestUri(query.request_uri, {\n path: ['query', 'request_uri'],\n })\n return this.requestManager.get(requestUri, deviceId, client.id)\n }\n\n // JAR\n if ('request' in query) {\n // @NOTE Since JAR are signed with the client's private key, a JAR *could*\n // technically be used to authenticate the client when requests are\n // created without PAR (i.e. created on the fly by the authorize\n // endpoint). This implementation actually used to support this\n // (un-spec'd) behavior. That support was removed:\n // - Because it was not actually used\n // - Because it was not part of any standard\n // - Because it makes extending the client authentication mechanism more\n // complex since any extension would not only need to affect the\n // \"private_key_jwt\" auth method but also the JAR \"request\" object.\n const parameters = await this.decodeJAR(client, query)\n\n return this.requestManager.createAuthorizationRequest(\n client,\n null,\n parameters,\n deviceId,\n )\n }\n\n // \"Regular\" authorization request (created on the fly by directing the user\n // to the authorization endpoint with all the parameters in the url).\n return this.requestManager.createAuthorizationRequest(\n client,\n null,\n query,\n deviceId,\n )\n }\n\n /**\n * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.1}\n */\n public async authorize(\n query: OAuthAuthorizationRequestQuery,\n { deviceId, deviceMetadata }: DeviceInfo,\n ): Promise<AuthorizationResultRedirect | AuthorizationResultAuthorizePage> {\n const { issuer } = this\n\n // If there is a chance to redirect the user to the client, let's do\n // it by wrapping the error in an AuthorizationError.\n const throwAuthorizationError =\n 'redirect_uri' in query\n ? (err: unknown): never => {\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.2.1\n throw AuthorizationError.from(query, err)\n }\n : null\n\n const client = await this.clientManager\n .getClient(query.client_id)\n .catch(throwAuthorizationError)\n\n const { parameters, requestUri } = await this.processAuthorizationRequest(\n client,\n deviceId,\n query,\n ).catch(throwAuthorizationError)\n\n try {\n const sessions = (\n await this.accountManager.listDeviceAccounts(deviceId)\n ).map((deviceAccount) => ({\n account: deviceAccount.account,\n\n // @TODO Return the session expiration date instead of a boolean to\n // avoid having to rely on a leeway when \"accepting\" the request.\n loginRequired:\n parameters.prompt === 'login' ||\n this.checkLoginRequired(deviceAccount),\n consentRequired: this.checkConsentRequired(\n parameters,\n deviceAccount.authorizedClients.get(client.id),\n ),\n }))\n\n // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\n\n // prompt=select_account\n //\n // > The Authorization Server SHOULD prompt the End-User to select a user\n // > account. This enables an End-User who has multiple accounts at the\n // > Authorization Server to select amongst the multiple accounts that\n // > they might have current sessions for. If it cannot obtain an account\n // > selection choice made by the End-User, it MUST return an error,\n // > typically account_selection_required.\n if (parameters.prompt === 'select_account' && !sessions.length) {\n throw new AccountSelectionRequiredError(parameters)\n }\n\n // prompt=none\n //\n // > The Authorization Server MUST NOT display any authentication or\n // > consent user interface pages. An error is returned if an End-User is\n // > not already authenticated or the Client does not have pre-configured\n // > consent for the requested Claims or does not fulfill other conditions\n // > for processing the request. The error code will typically be\n // > login_required, interaction_required, or another code defined in\n // > Section 3.1.2.6. This can be used as a method to check for existing\n // > authentication and/or consent.\n if (parameters.prompt === 'none') {\n const ssoSessions = sessions.filter(matchesHint, parameters)\n if (ssoSessions.length > 1) {\n throw new AccountSelectionRequiredError(parameters)\n }\n if (ssoSessions.length < 1) {\n throw new LoginRequiredError(parameters)\n }\n\n const ssoSession = ssoSessions[0]!\n if (ssoSession.loginRequired) {\n throw new LoginRequiredError(parameters)\n }\n if (ssoSession.consentRequired) {\n throw new ConsentRequiredError(parameters)\n }\n\n const code = await this.requestManager.setAuthorized(\n requestUri,\n client,\n ssoSession.account,\n deviceId,\n deviceMetadata,\n )\n\n return { issuer, parameters, redirect: { code } }\n }\n\n // Automatic SSO when a hint was provided that matches a single session\n if (parameters.prompt == null && parameters.login_hint != null) {\n const ssoSessions = sessions.filter(matchesHint, parameters)\n if (ssoSessions.length === 1) {\n const ssoSession = ssoSessions[0]!\n if (!ssoSession.loginRequired && !ssoSession.consentRequired) {\n const code = await this.requestManager.setAuthorized(\n requestUri,\n client,\n ssoSession.account,\n deviceId,\n deviceMetadata,\n )\n\n return { issuer, parameters, redirect: { code } }\n }\n }\n }\n\n return {\n issuer,\n client,\n parameters,\n requestUri,\n sessions: sessions.map((session) => ({\n // Map to avoid leaking other data that might be present in the session\n account: session.account,\n loginRequired: session.loginRequired,\n consentRequired: session.consentRequired,\n\n selected:\n parameters.prompt == null ||\n parameters.prompt === 'login' ||\n parameters.prompt === 'consent'\n ? matchesHint.call(parameters, session)\n : false,\n })),\n permissionSets: await this.lexiconManager\n .getPermissionSetsFromScope(parameters.scope)\n .catch((cause) => {\n throw new AuthorizationError(\n parameters,\n 'Unable to retrieve permission sets',\n 'invalid_scope',\n cause,\n )\n }),\n }\n } catch (err) {\n try {\n await this.requestManager.delete(requestUri)\n } catch {\n // There are two error here. Better keep the outer one.\n //\n // @TODO Maybe move this entire code to the /authorize endpoint\n // (allowing to log this error)\n }\n\n throw AuthorizationError.from(parameters, err)\n }\n }\n\n public async token(\n clientCredentials: OAuthClientCredentials,\n clientMetadata: RequestMetadata,\n request: OAuthTokenRequest,\n dpopProof: null | DpopProof,\n ): Promise<OAuthTokenResponse> {\n const { client, clientAuth } = await this.authenticateClient(\n clientCredentials,\n dpopProof,\n )\n\n if (!this.metadata.grant_types_supported?.includes(request.grant_type)) {\n throw new InvalidGrantError(\n `Grant type \"${request.grant_type}\" is not supported by the server`,\n )\n }\n\n if (!client.metadata.grant_types.includes(request.grant_type)) {\n throw new InvalidGrantError(\n `\"${request.grant_type}\" grant type is not allowed for this client`,\n )\n }\n\n if (request.grant_type === 'authorization_code') {\n return this.authorizationCodeGrant(\n client,\n clientAuth,\n clientMetadata,\n request,\n dpopProof,\n )\n }\n\n if (request.grant_type === 'refresh_token') {\n return this.refreshTokenGrant(\n client,\n clientAuth,\n clientMetadata,\n request,\n dpopProof,\n )\n }\n\n throw new InvalidGrantError(\n `Grant type \"${request.grant_type}\" not supported`,\n )\n }\n\n protected async compareClientAuth(\n client: Client,\n clientAuth: ClientAuth,\n dpopProof: null | DpopProof,\n initial: {\n parameters: OAuthAuthorizationRequestParameters\n clientId: ClientId\n clientAuth: null | ClientAuth | ClientAuthLegacy\n },\n ): Promise<void> {\n // Fool proofing, ensure that the client is authenticating using the right method\n if (clientAuth.method !== client.metadata.token_endpoint_auth_method) {\n throw new InvalidGrantError(\n `Client authentication method mismatch (expected ${client.metadata.token_endpoint_auth_method}, got ${clientAuth.method})`,\n )\n }\n\n if (initial.clientId !== client.id) {\n throw new InvalidGrantError(`Token was not issued to this client`)\n }\n\n const { parameters } = initial\n if (parameters.dpop_jkt) {\n if (!dpopProof) {\n throw new InvalidGrantError(`DPoP proof is required for this request`)\n } else if (parameters.dpop_jkt !== dpopProof.jkt) {\n throw new InvalidGrantError(\n `DPoP proof does not match the expected JKT`,\n )\n }\n }\n\n if (!initial.clientAuth) {\n // If the client did not use PAR, it was not authenticated when the request\n // was initially created (see authorize() method in OAuthProvider). Since\n // PAR is not mandatory, and since the token exchange currently taking place\n // *is* authenticated (`clientAuth`), we allow \"upgrading\" the\n // authentication method (the token created will be bound to the current\n // clientAuth).\n return\n }\n\n switch (initial.clientAuth.method) {\n case CLIENT_ASSERTION_TYPE_JWT_BEARER: // LEGACY\n case 'private_key_jwt':\n if (clientAuth.method !== 'private_key_jwt') {\n throw new InvalidGrantError(\n `Client authentication method mismatch (expected ${initial.clientAuth.method})`,\n )\n }\n if (\n clientAuth.kid !== initial.clientAuth.kid ||\n clientAuth.alg !== initial.clientAuth.alg ||\n clientAuth.jkt !== initial.clientAuth.jkt\n ) {\n throw new InvalidGrantError(\n `The session was initiated with a different key than the client assertion currently used`,\n )\n }\n break\n case 'none':\n // @NOTE We allow the client to \"upgrade\" to a confidential client if\n // the session was initially created without client authentication.\n break\n default:\n throw new InvalidGrantError(\n // @ts-expect-error (future proof, backwards compatibility)\n `Invalid method \"${initial.clientAuth.method}\"`,\n )\n }\n }\n\n protected async authorizationCodeGrant(\n client: Client,\n clientAuth: ClientAuth,\n clientMetadata: RequestMetadata,\n input: OAuthAuthorizationCodeGrantTokenRequest,\n dpopProof: null | DpopProof,\n ): Promise<OAuthTokenResponse> {\n const code = await codeSchema\n .parseAsync(input.code, { path: ['code'] })\n .catch((err) => {\n const msg = formatError(err, 'Invalid code')\n throw new InvalidGrantError(msg, err)\n })\n\n const data = await this.requestManager\n .consumeCode(code)\n .catch(async (err) => {\n // Code not found in request manager: check for replays\n const tokenInfo = await this.tokenManager.findByCode(code)\n if (tokenInfo) {\n // try/finally to ensure that both code path get executed (sequentially)\n try {\n // \"code\" was replayed, delete existing session\n await this.tokenManager.deleteToken(tokenInfo.id)\n } finally {\n // As an additional security measure, we also sign the device out,\n // so that the device cannot be used to access the account anymore\n // without a new authentication.\n const { deviceId, sub } = tokenInfo.data\n if (deviceId) {\n await this.accountManager.removeDeviceAccount(deviceId, sub)\n }\n }\n }\n\n throw InvalidGrantError.from(err, `Invalid code`)\n })\n\n // @NOTE at this point, the request data was removed from the store and only\n // exists in memory here (in the \"data\" variable). Because of this, any\n // error thrown after this point will permanently cause the request data to\n // be lost.\n\n await this.compareClientAuth(client, clientAuth, dpopProof, data)\n\n // If the DPoP proof was not provided earlier (PAR / authorize), let's add\n // it now.\n const parameters =\n dpopProof &&\n client.metadata.dpop_bound_access_tokens &&\n !data.parameters.dpop_jkt\n ? { ...data.parameters, dpop_jkt: dpopProof.jkt }\n : data.parameters\n\n await this.validateCodeGrant(parameters, input)\n\n const { account } = await this.accountManager.getAccount(data.sub)\n\n return this.tokenManager.createToken(\n client,\n clientAuth,\n clientMetadata,\n account,\n data.deviceId,\n parameters,\n code,\n )\n }\n\n protected async validateCodeGrant(\n parameters: OAuthAuthorizationRequestParameters,\n input: OAuthAuthorizationCodeGrantTokenRequest,\n ): Promise<void> {\n if (parameters.redirect_uri !== input.redirect_uri) {\n throw new InvalidGrantError(\n 'The redirect_uri parameter must match the one used in the authorization request',\n )\n }\n\n if (parameters.code_challenge) {\n if (!input.code_verifier) {\n throw new InvalidGrantError('code_verifier is required')\n }\n if (input.code_verifier.length < 43) {\n throw new InvalidGrantError('code_verifier too short')\n }\n switch (parameters.code_challenge_method) {\n case undefined: // default is \"plain\"\n case 'plain':\n if (parameters.code_challenge !== input.code_verifier) {\n throw new InvalidGrantError('Invalid code_verifier')\n }\n break\n\n case 'S256': {\n const inputChallenge = Buffer.from(\n parameters.code_challenge,\n 'base64',\n )\n const computedChallenge = createHash('sha256')\n .update(input.code_verifier)\n .digest()\n if (inputChallenge.compare(computedChallenge) !== 0) {\n throw new InvalidGrantError('Invalid code_verifier')\n }\n break\n }\n\n default:\n // Should never happen (because request validation should catch this)\n throw new Error(`Unsupported code_challenge_method`)\n }\n const unique = await this.replayManager.uniqueCodeChallenge(\n parameters.code_challenge,\n )\n if (!unique) {\n throw new InvalidGrantError('Code challenge already used')\n }\n } else if (input.code_verifier !== undefined) {\n throw new InvalidRequestError(\"code_challenge parameter wasn't provided\")\n }\n }\n\n protected async refreshTokenGrant(\n client: Client,\n clientAuth: ClientAuth,\n clientMetadata: RequestMetadata,\n input: OAuthRefreshTokenGrantTokenRequest,\n dpopProof: null | DpopProof,\n ): Promise<OAuthTokenResponse> {\n const refreshToken = await refreshTokenSchema\n .parseAsync(input.refresh_token, { path: ['refresh_token'] })\n .catch((err) => {\n const msg = formatError(err, 'Invalid refresh token')\n throw new InvalidGrantError(msg, err)\n })\n\n const tokenInfo = await this.tokenManager.consumeRefreshToken(refreshToken)\n\n try {\n const { data } = tokenInfo\n await this.compareClientAuth(client, clientAuth, dpopProof, data)\n await this.validateRefreshGrant(client, clientAuth, data)\n\n return await this.tokenManager.rotateToken(\n client,\n clientAuth,\n clientMetadata,\n tokenInfo,\n )\n } catch (err) {\n await this.tokenManager.deleteToken(tokenInfo.id)\n\n throw err\n }\n }\n\n protected async validateRefreshGrant(\n client: Client,\n clientAuth: ClientAuth,\n data: TokenData,\n ): Promise<void> {\n const [sessionLifetime, refreshLifetime] =\n clientAuth.method !== 'none' || client.info.isFirstParty\n ? [\n CONFIDENTIAL_CLIENT_SESSION_LIFETIME,\n CONFIDENTIAL_CLIENT_REFRESH_LIFETIME,\n ]\n : [PUBLIC_CLIENT_SESSION_LIFETIME, PUBLIC_CLIENT_REFRESH_LIFETIME]\n\n const sessionAge = Date.now() - data.createdAt.getTime()\n if (sessionAge > sessionLifetime) {\n throw new InvalidGrantError(`Session expired`)\n }\n\n const refreshAge = Date.now() - data.updatedAt.getTime()\n if (refreshAge > refreshLifetime) {\n throw new InvalidGrantError(`Refresh token expired`)\n }\n }\n\n /**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 rfc7009}\n */\n public async revoke(\n clientCredentials: OAuthClientCredentials,\n { token }: OAuthTokenIdentification,\n dpopProof: null | DpopProof,\n ) {\n // > The authorization server first validates the client credentials (in\n // > case of a confidential client)\n const { client, clientAuth } = await this.authenticateClient(\n clientCredentials,\n dpopProof,\n )\n\n const tokenInfo = await this.tokenManager.findToken(token)\n if (tokenInfo) {\n // > [...] and then verifies whether the token was issued to the client\n // > making the revocation request.\n const { data } = tokenInfo\n await this.compareClientAuth(client, clientAuth, dpopProof, data)\n\n // > In the next step, the authorization server invalidates the token. The\n // > invalidation takes place immediately, and the token cannot be used\n // > again after the revocation.\n await this.tokenManager.deleteToken(tokenInfo.id)\n }\n }\n\n protected override async decodeToken(\n tokenType: OAuthTokenType,\n token: OAuthAccessToken,\n dpopProof: null | DpopProof,\n ): Promise<AccessTokenPayload> {\n const tokenPayload = await super.decodeToken(tokenType, token, dpopProof)\n\n if (this.accessTokenMode !== AccessTokenMode.stateless) {\n // @NOTE in non stateless mode, some claims can be omitted (most notably\n // \"scope\"). We load the token claims here (allowing to ensure that the\n // token is still valid, and to retrieve a (potentially updated) set of\n // claims).\n\n const tokenClaims = await this.tokenManager.loadTokenClaims(\n tokenType,\n tokenPayload,\n )\n\n Object.assign(tokenPayload, tokenClaims)\n }\n\n return tokenPayload\n }\n}\n\nfunction matchesHint(\n this: OAuthAuthorizationRequestParameters,\n { account }: { account: Account },\n): boolean {\n const hint = this.login_hint\n if (!hint) return false\n\n return account.sub === hint || account.preferred_username === hint\n}\n"]}
1
+ {"version":3,"file":"oauth-provider.js","sourceRoot":"","sources":["../src/oauth-provider.ts"],"names":[],"mappings":";;;AAAA,6CAAwC;AAExC,sCAA2C;AAyGjB,uFAzGX,YAAM,OAyGW;AAxGhC,wDAAmD;AAwGjB,4FAxGzB,0BAAW,OAwGyB;AAtG7C,sDAmB6B;AAC7B,yDAAwD;AAExD,2EAAqE;AACrE,8EAAqE;AA+E5D,gGA/EA,sCAAe,OA+EA;AA9ExB,qEAA6D;AAC7D,iEAKmC;AAGnC,kEAGmC;AACnC,8DAAqE;AAErE,iDAOuB;AAEvB,uEAIyC;AAEzC,kEAImC;AACnC,8DAAqE;AACrE,sGAA4F;AAC5F,4EAAoE;AACpE,kFAAyE;AACzE,kGAAuF;AACvF,sFAA4E;AAC5E,4EAAmE;AACnE,gFAAuE;AACvE,8EAAqE;AACrE,qEAA6D;AAC7D,iEAAyE;AAGzE,gDAA0D;AAC1D,kDAAiD;AAEjD,oEAA4E;AAE5E,2DAK4B;AAC5B,8DAAqE;AACrE,+CAA8C;AAC9C,qEAA6D;AAC7D,iEAAyE;AACzE,6DAA0D;AAO1D,+DAAuD;AACvD,2DAI+B;AAC/B,yEAAkE;AAmIlE,MAAa,aAAc,SAAQ,iCAAa;IAC3B,eAAe,CAAiB;IAChC,KAAK,CAAY;IAEpB,QAAQ,CAAkC;IAC1C,aAAa,CAAe;IAE5B,oBAAoB,CAAQ;IAE5B,cAAc,CAAgB;IAC9B,aAAa,CAAe;IAC5B,aAAa,CAAe;IAC5B,cAAc,CAAgB;IAC9B,cAAc,CAAgB;IAC9B,YAAY,CAAc;IAE1C,YAAmB;IACjB,sBAAsB;IACtB,oBAAoB,GAAG,qCAAsB,EAC7C,WAAW,GAAG,4BAAa,EAC3B,eAAe,GAAG,sCAAe,CAAC,SAAS,EAE3C,QAAQ,EAER,SAAS,GAAG,IAAA,0BAAa,GAAE,EAC3B,KAAK,EAAE,gCAAgC;IACvC,WAAW,GAAG,IAAI,0BAAW,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IAEnD,kBAAkB;IAClB,YAAY,GAAG,IAAA,iCAAc,EAAC,KAAK,CAAC,EACpC,WAAW,GAAG,IAAA,+BAAa,EAAC,KAAK,CAAC,EAClC,YAAY,GAAG,IAAA,iCAAc,EAAC,KAAK,CAAC,EACpC,UAAU,GAAG,IAAA,6BAAY,EAAC,KAAK,CAAC,EAChC,YAAY,GAAG,IAAA,iCAAc,EAAC,KAAK,CAAC;IAEpC,kBAAkB;IAClB,WAAW,GAAG,IAAA,+BAAa,EAAC,KAAK,CAAC,EAClC,WAAW,GAAG,IAAA,+BAAa,EAAC,KAAK,CAAC,EAElC,eAAe,GAAG,IAAI,uCAAiB,CAAC;QACtC,OAAO,EAAE,UAAU;QACnB,GAAG,EAAE,KAAK;KACX,CAAC,EACF,mBAAmB,GAAG,IAAI,uCAAiB,CAAC;QAC1C,OAAO,EAAE,UAAU;QACnB,GAAG,EAAE,KAAK;KACX,CAAC,EAEF,gBAAgB,GAAG,2CAA6B;IAEhD,eAAe;IACf,yBAAyB;IACzB,yBAAyB;IACzB,gBAAgB;IAChB,GAAG,IAAI,EACc;QACrB,KAAK,CAAC,EAAE,WAAW,EAAE,GAAG,IAAI,EAAE,CAAC,CAAA;QAE/B,wEAAwE;QACxE,2EAA2E;QAC3E,uEAAuE;QACvE,qEAAqE;QACrE,sCAAsC;QACtC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAA;QAEjB,IAAI,CAAC,eAAe,GAAG,eAAe,CAAA;QACtC,IAAI,CAAC,oBAAoB,GAAG,oBAAoB,CAAA;QAChD,IAAI,CAAC,QAAQ,GAAG,IAAA,iCAAa,EAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;QACjE,IAAI,CAAC,aAAa,GAAG,sCAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAEpD,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CAAC,WAAW,EAAE;YAClD,GAAG,IAAI;YACP,MAAM,EAAE;gBACN,GAAG,IAAI,CAAC,MAAM;gBACd,wEAAwE;gBACxE,qEAAqE;gBACrE,qEAAqE;gBACrE,gDAAgD;gBAChD,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC;aACzC;SACF,CAAC,CAAA;QACF,IAAI,CAAC,cAAc,GAAG,IAAI,mCAAc,CACtC,IAAI,CAAC,MAAM,EACX,YAAY,EACZ,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,aAAa,CACnB,CAAA;QACD,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,KAAK,EACV,WAAW,IAAI,IAAI,EACnB,gBAAgB,IAAI,IAAI,EACxB,SAAS,EACT,eAAe,EACf,mBAAmB,CACpB,CAAA;QACD,IAAI,CAAC,cAAc,GAAG,IAAI,mCAAc,CAAC,YAAY,EAAE,WAAW,CAAC,CAAA;QACnE,IAAI,CAAC,cAAc,GAAG,IAAI,mCAAc,CACtC,YAAY,EACZ,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,KAAK,CACX,CAAA;QACD,IAAI,CAAC,YAAY,GAAG,IAAI,+BAAY,CAClC,UAAU,EACV,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,eAAe,EACpB,WAAW,CACZ,CAAA;IACH,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,UAAU,CAAA;IAC/B,CAAC;IAED;;OAEG;IACI,oBAAoB,CACzB,UAA+C,EAC/C,UAAiC;QAEjC,qCAAqC;QACrC,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAA;QAE5B,sCAAsC;QACtC,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,IAAI,CAAA;QAEhD,uEAAuE;QACvE,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QACpD,IAAI,eAAe,IAAI,IAAI;YAAE,OAAO,KAAK,CAAA;QAEzC,0EAA0E;QAC1E,MAAM,EAAE,gBAAgB,EAAE,GAAG,UAAU,CAAA;QACvC,OAAO,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;IAC5E,CAAC;IAEM,kBAAkB,CAAC,aAA4B;QACpD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,CAAC,SAAS,CAAC,OAAO,EAAE,CAAA;QAC9D,OAAO,OAAO,GAAG,IAAI,CAAC,oBAAoB,CAAA;IAC5C,CAAC;IAES,KAAK,CAAC,kBAAkB,CAChC,iBAAyC,EACzC,SAA2B,EAC3B,OAEC;QAKD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAC/C,iBAAiB,CAAC,SAAS,CAC5B,CAAA;QAED,IACE,MAAM,CAAC,QAAQ,CAAC,wBAAwB;YACxC,CAAC,SAAS;YACV,CAAC,OAAO,EAAE,qBAAqB,EAC/B,CAAC;YACD,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,SAAS,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,wBAAwB,EAAE,CAAC;YAC3D,MAAM,IAAI,mDAAqB,CAAC,wCAAwC,CAAC,CAAA;QAC3E,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,iBAAiB,EAAE;YAC9D,6BAA6B,EAAE,IAAI,CAAC,MAAM;SAC3C,CAAC,CAAA;QAEF,IAAI,UAAU,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;YAC5C,sEAAsE;YACtE,IAAI,SAAS,IAAI,UAAU,CAAC,GAAG,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;gBAClD,MAAM,IAAI,8CAAmB,CAC3B,8EAA8E,CAC/E,CAAA;YACH,CAAC;YAED,wDAAwD;YACxD,oEAAoE;YACpE,qEAAqE;YACrE,yEAAyE;YACzE,yCAAyC;YAEzC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,UAAU,CAAC,GAAG,EACd,MAAM,CAAC,EAAE,EACT,UAAU,CAAC,GAAG,CACf,CAAA;YACD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,0CAAiB,CAAC,GAAG,UAAU,CAAC,MAAM,aAAa,CAAC,CAAA;YAChE,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAA;IAC/B,CAAC;IAED,KAAK,CAAC,SAAS,CACb,MAAc,EACd,KAAmC;QAEnC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAClD,KAAK,CAAC,OAAO,EACb,IAAI,CAAC,MAAM,CACZ,CAAA;QAED,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAA;QACvB,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,8CAAmB,CAC3B,mDAAmD,CACpD,CAAA;QACH,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YAC1D,MAAM,IAAI,8CAAmB,CAAC,6BAA6B,CAAC,CAAA;QAC9D,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,uDAAyC;aAC/D,UAAU,CAAC,OAAO,CAAC;aACnB,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,GAAG,GAAG,IAAA,sBAAW,EAAC,GAAG,EAAE,2BAA2B,CAAC,CAAA;YACzD,MAAM,IAAI,8CAAmB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QACzC,CAAC,CAAC,CAAA;QAEJ,OAAO,UAAU,CAAA;IACnB,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,0BAA0B,CACrC,WAAmC,EACnC,oBAAkD,EAClD,SAA2B;QAE3B,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC1D,WAAW,EACX,SAAS;YACT,kEAAkE;YAClE,mEAAmE;YACnE,iBAAiB;YACjB,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAChC,CAAA;YAED,MAAM,UAAU,GACd,SAAS,IAAI,oBAAoB,CAAC,aAAa;gBAC7C,CAAC,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,oBAAoB,CAAC;gBACpD,CAAC,CAAC,oBAAoB,CAAA;YAE1B,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;gBACzB,IAAI,MAAM,CAAC,QAAQ,CAAC,wBAAwB,EAAE,CAAC;oBAC7C,IAAI,SAAS;wBAAE,UAAU,CAAC,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAA;yBAC7C,CAAC;wBACJ,oEAAoE;wBACpE,iEAAiE;wBACjE,sBAAsB;wBACtB,6DAA6D;oBAC/D,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,wBAAwB,EAAE,CAAC;oBAC9C,MAAM,IAAI,8CAAmB,CAC3B,0DAA0D,CAC3D,CAAA;gBACH,CAAC;gBAED,wEAAwE;gBACxE,oCAAoC;gBACpC,IAAI,SAAS,IAAI,SAAS,CAAC,GAAG,KAAK,UAAU,CAAC,QAAQ,EAAE,CAAC;oBACvD,MAAM,IAAI,8DAA0B,EAAE,CAAA;gBACxC,CAAC;YACH,CAAC;YAED,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAC7B,MAAM,IAAI,CAAC,cAAc,CAAC,0BAA0B,CAClD,MAAM,EACN,UAAU,EACV,UAAU,EACV,IAAI,CACL,CAAA;YAEH,OAAO;gBACL,WAAW,EAAE,UAAU;gBACvB,UAAU,EAAE,IAAA,+BAAqB,EAAC,SAAS,CAAC;aAC7C,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,8DAA8D;YAC9D,0EAA0E;YAC1E,oEAAoE;YACpE,8DAA8D;YAC9D,IAAI,GAAG,YAAY,2CAAkB,IAAI,CAAC,IAAA,0CAAkB,EAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxE,MAAM,IAAI,8CAAmB,CAAC,GAAG,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAA;YAC3D,CAAC;YACD,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,2BAA2B,CACvC,MAAc,EACd,QAAkB,EAClB,KAAqC;QAErC,MAAM;QACN,IAAI,aAAa,IAAI,KAAK,EAAE,CAAC;YAC3B,MAAM,UAAU,GAAG,IAAA,gCAAe,EAAC,KAAK,CAAC,WAAW,EAAE;gBACpD,IAAI,EAAE,CAAC,OAAO,EAAE,aAAa,CAAC;aAC/B,CAAC,CAAA;YACF,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC,CAAA;QACjE,CAAC;QAED,MAAM;QACN,IAAI,SAAS,IAAI,KAAK,EAAE,CAAC;YACvB,0EAA0E;YAC1E,mEAAmE;YACnE,gEAAgE;YAChE,+DAA+D;YAC/D,kDAAkD;YAClD,qCAAqC;YACrC,4CAA4C;YAC5C,wEAAwE;YACxE,kEAAkE;YAClE,qEAAqE;YACrE,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YAEtD,OAAO,IAAI,CAAC,cAAc,CAAC,0BAA0B,CACnD,MAAM,EACN,IAAI,EACJ,UAAU,EACV,QAAQ,CACT,CAAA;QACH,CAAC;QAED,4EAA4E;QAC5E,qEAAqE;QACrE,OAAO,IAAI,CAAC,cAAc,CAAC,0BAA0B,CACnD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,QAAQ,CACT,CAAA;IACH,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,SAAS,CACpB,KAAqC,EACrC,EAAE,QAAQ,EAAE,cAAc,EAAc;QAExC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAA;QAEvB,oEAAoE;QACpE,qDAAqD;QACrD,MAAM,uBAAuB,GAC3B,cAAc,IAAI,KAAK;YACrB,CAAC,CAAC,CAAC,GAAY,EAAS,EAAE;gBACtB,iFAAiF;gBACjF,MAAM,2CAAkB,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;YAC3C,CAAC;YACH,CAAC,CAAC,IAAI,CAAA;QAEV,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa;aACpC,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC;aAC1B,KAAK,CAAC,uBAAuB,CAAC,CAAA;QAEjC,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,2BAA2B,CACvE,MAAM,EACN,QAAQ,EACR,KAAK,CACN,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAA;QAEhC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,CACf,MAAM,IAAI,CAAC,cAAc,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CACvD,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;gBACxB,OAAO,EAAE,aAAa,CAAC,OAAO;gBAE9B,mEAAmE;gBACnE,iEAAiE;gBACjE,aAAa,EACX,UAAU,CAAC,MAAM,KAAK,OAAO;oBAC7B,IAAI,CAAC,kBAAkB,CAAC,aAAa,CAAC;gBACxC,eAAe,EAAE,IAAI,CAAC,oBAAoB,CACxC,UAAU,EACV,aAAa,CAAC,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAC/C;aACF,CAAC,CAAC,CAAA;YAEH,oEAAoE;YAEpE,wBAAwB;YACxB,EAAE;YACF,yEAAyE;YACzE,uEAAuE;YACvE,sEAAsE;YACtE,yEAAyE;YACzE,oEAAoE;YACpE,0CAA0C;YAC1C,IAAI,UAAU,CAAC,MAAM,KAAK,gBAAgB,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAC/D,MAAM,IAAI,mEAA6B,CAAC,UAAU,CAAC,CAAA;YACrD,CAAC;YAED,cAAc;YACd,EAAE;YACF,oEAAoE;YACpE,yEAAyE;YACzE,yEAAyE;YACzE,0EAA0E;YAC1E,iEAAiE;YACjE,qEAAqE;YACrE,wEAAwE;YACxE,mCAAmC;YACnC,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBACjC,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC,CAAA;gBAC5D,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAM,IAAI,mEAA6B,CAAC,UAAU,CAAC,CAAA;gBACrD,CAAC;gBACD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAM,IAAI,4CAAkB,CAAC,UAAU,CAAC,CAAA;gBAC1C,CAAC;gBAED,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAE,CAAA;gBAClC,IAAI,UAAU,CAAC,aAAa,EAAE,CAAC;oBAC7B,MAAM,IAAI,4CAAkB,CAAC,UAAU,CAAC,CAAA;gBAC1C,CAAC;gBACD,IAAI,UAAU,CAAC,eAAe,EAAE,CAAC;oBAC/B,MAAM,IAAI,gDAAoB,CAAC,UAAU,CAAC,CAAA;gBAC5C,CAAC;gBAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAClD,UAAU,EACV,MAAM,EACN,UAAU,CAAC,OAAO,EAClB,QAAQ,EACR,cAAc,CACf,CAAA;gBAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,CAAA;YACnD,CAAC;YAED,uEAAuE;YACvE,IAAI,UAAU,CAAC,MAAM,IAAI,IAAI,IAAI,UAAU,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC;gBAC/D,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC,CAAA;gBAC5D,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC7B,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAE,CAAA;oBAClC,IAAI,CAAC,UAAU,CAAC,aAAa,IAAI,CAAC,UAAU,CAAC,eAAe,EAAE,CAAC;wBAC7D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAClD,UAAU,EACV,MAAM,EACN,UAAU,CAAC,OAAO,EAClB,QAAQ,EACR,cAAc,CACf,CAAA;wBAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,CAAA;oBACnD,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO;gBACL,MAAM;gBACN,MAAM;gBACN,UAAU;gBACV,UAAU;gBACV,QAAQ;gBACR,WAAW,EACT,UAAU,CAAC,MAAM,IAAI,IAAI;oBACzB,UAAU,CAAC,MAAM,KAAK,OAAO;oBAC7B,UAAU,CAAC,MAAM,KAAK,SAAS;oBAC7B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,EAAE,OAAO,CAAC,GAAG;oBACrD,CAAC,CAAC,SAAS;gBACf,cAAc,EAAE,MAAM,IAAI,CAAC,cAAc;qBACtC,0BAA0B,CAAC,UAAU,CAAC,KAAK,CAAC;qBAC5C,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;oBACf,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,oCAAoC,EACpC,eAAe,EACf,KAAK,CACN,CAAA;gBACH,CAAC,CAAC;aACL,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,uDAAuD;gBACvD,EAAE;gBACF,+DAA+D;gBAC/D,+BAA+B;YACjC,CAAC;YAED,MAAM,2CAAkB,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,CAAC,CAAA;QAChD,CAAC;IACH,CAAC;IAEM,KAAK,CAAC,KAAK,CAChB,iBAAyC,EACzC,cAA+B,EAC/B,OAA0B,EAC1B,SAA2B;QAE3B,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC1D,iBAAiB,EACjB,SAAS,CACV,CAAA;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YACvE,MAAM,IAAI,0CAAiB,CACzB,eAAe,OAAO,CAAC,UAAU,kCAAkC,CACpE,CAAA;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,0CAAiB,CACzB,IAAI,OAAO,CAAC,UAAU,6CAA6C,CACpE,CAAA;QACH,CAAC;QAED,IAAI,OAAO,CAAC,UAAU,KAAK,oBAAoB,EAAE,CAAC;YAChD,OAAO,IAAI,CAAC,sBAAsB,CAChC,MAAM,EACN,UAAU,EACV,cAAc,EACd,OAAO,EACP,SAAS,CACV,CAAA;QACH,CAAC;QAED,IAAI,OAAO,CAAC,UAAU,KAAK,eAAe,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAC,iBAAiB,CAC3B,MAAM,EACN,UAAU,EACV,cAAc,EACd,OAAO,EACP,SAAS,CACV,CAAA;QACH,CAAC;QAED,MAAM,IAAI,0CAAiB,CACzB,eAAe,OAAO,CAAC,UAAU,iBAAiB,CACnD,CAAA;IACH,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,MAAc,EACd,UAAsB,EACtB,SAA2B,EAC3B,OAIC;QAED,iFAAiF;QACjF,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,CAAC,QAAQ,CAAC,0BAA0B,EAAE,CAAC;YACrE,MAAM,IAAI,0CAAiB,CACzB,mDAAmD,MAAM,CAAC,QAAQ,CAAC,0BAA0B,SAAS,UAAU,CAAC,MAAM,GAAG,CAC3H,CAAA;QACH,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,IAAI,0CAAiB,CAAC,qCAAqC,CAAC,CAAA;QACpE,CAAC;QAED,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAA;QAC9B,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACxB,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,0CAAiB,CAAC,yCAAyC,CAAC,CAAA;YACxE,CAAC;iBAAM,IAAI,UAAU,CAAC,QAAQ,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;gBACjD,MAAM,IAAI,0CAAiB,CACzB,4CAA4C,CAC7C,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;YACxB,2EAA2E;YAC3E,yEAAyE;YACzE,4EAA4E;YAC5E,8DAA8D;YAC9D,wEAAwE;YACxE,eAAe;YACf,OAAM;QACR,CAAC;QAED,QAAQ,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;YAClC,KAAK,8CAAgC,CAAC,CAAC,SAAS;YAChD,KAAK,iBAAiB;gBACpB,IAAI,UAAU,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;oBAC5C,MAAM,IAAI,0CAAiB,CACzB,mDAAmD,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,CAChF,CAAA;gBACH,CAAC;gBACD,IACE,UAAU,CAAC,GAAG,KAAK,OAAO,CAAC,UAAU,CAAC,GAAG;oBACzC,UAAU,CAAC,GAAG,KAAK,OAAO,CAAC,UAAU,CAAC,GAAG;oBACzC,UAAU,CAAC,GAAG,KAAK,OAAO,CAAC,UAAU,CAAC,GAAG,EACzC,CAAC;oBACD,MAAM,IAAI,0CAAiB,CACzB,yFAAyF,CAC1F,CAAA;gBACH,CAAC;gBACD,MAAK;YACP,KAAK,MAAM;gBACT,qEAAqE;gBACrE,mEAAmE;gBACnE,MAAK;YACP;gBACE,MAAM,IAAI,0CAAiB;gBACzB,2DAA2D;gBAC3D,mBAAmB,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,CAChD,CAAA;QACL,CAAC;IACH,CAAC;IAES,KAAK,CAAC,sBAAsB,CACpC,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,KAA8C,EAC9C,SAA2B;QAE3B,MAAM,IAAI,GAAG,MAAM,oBAAU;aAC1B,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;aAC1C,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,GAAG,GAAG,IAAA,sBAAW,EAAC,GAAG,EAAE,cAAc,CAAC,CAAA;YAC5C,MAAM,IAAI,0CAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QACvC,CAAC,CAAC,CAAA;QAEJ,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc;aACnC,WAAW,CAAC,IAAI,CAAC;aACjB,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YACnB,uDAAuD;YACvD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC,CAAA;YAC1D,IAAI,SAAS,EAAE,CAAC;gBACd,wEAAwE;gBACxE,IAAI,CAAC;oBACH,+CAA+C;oBAC/C,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;gBACnD,CAAC;wBAAS,CAAC;oBACT,kEAAkE;oBAClE,kEAAkE;oBAClE,gCAAgC;oBAChC,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,SAAS,CAAC,IAAI,CAAA;oBACxC,IAAI,QAAQ,EAAE,CAAC;wBACb,MAAM,IAAI,CAAC,cAAc,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;oBAC9D,CAAC;gBACH,CAAC;YACH,CAAC;YAED,MAAM,0CAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAA;QACnD,CAAC,CAAC,CAAA;QAEJ,4EAA4E;QAC5E,uEAAuE;QACvE,2EAA2E;QAC3E,WAAW;QAEX,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,CAAC,CAAA;QAEjE,0EAA0E;QAC1E,UAAU;QACV,MAAM,UAAU,GACd,SAAS;YACT,MAAM,CAAC,QAAQ,CAAC,wBAAwB;YACxC,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ;YACvB,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,CAAC,GAAG,EAAE;YACjD,CAAC,CAAC,IAAI,CAAC,UAAU,CAAA;QAErB,MAAM,IAAI,CAAC,iBAAiB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAA;QAE/C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAElE,OAAO,IAAI,CAAC,YAAY,CAAC,WAAW,CAClC,MAAM,EACN,UAAU,EACV,cAAc,EACd,OAAO,EACP,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CACL,CAAA;IACH,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,UAA+C,EAC/C,KAA8C;QAE9C,IAAI,UAAU,CAAC,YAAY,KAAK,KAAK,CAAC,YAAY,EAAE,CAAC;YACnD,MAAM,IAAI,0CAAiB,CACzB,iFAAiF,CAClF,CAAA;QACH,CAAC;QAED,IAAI,UAAU,CAAC,cAAc,EAAE,CAAC;YAC9B,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;gBACzB,MAAM,IAAI,0CAAiB,CAAC,2BAA2B,CAAC,CAAA;YAC1D,CAAC;YACD,IAAI,KAAK,CAAC,aAAa,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;gBACpC,MAAM,IAAI,0CAAiB,CAAC,yBAAyB,CAAC,CAAA;YACxD,CAAC;YACD,QAAQ,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACzC,KAAK,SAAS,CAAC,CAAC,qBAAqB;gBACrC,KAAK,OAAO;oBACV,IAAI,UAAU,CAAC,cAAc,KAAK,KAAK,CAAC,aAAa,EAAE,CAAC;wBACtD,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;oBACtD,CAAC;oBACD,MAAK;gBAEP,KAAK,MAAM,CAAC,CAAC,CAAC;oBACZ,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAChC,UAAU,CAAC,cAAc,EACzB,QAAQ,CACT,CAAA;oBACD,MAAM,iBAAiB,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC;yBAC3C,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC;yBAC3B,MAAM,EAAE,CAAA;oBACX,IAAI,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;wBACpD,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;oBACtD,CAAC;oBACD,MAAK;gBACP,CAAC;gBAED;oBACE,qEAAqE;oBACrE,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAA;YACxD,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CACzD,UAAU,CAAC,cAAc,CAC1B,CAAA;YACD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,0CAAiB,CAAC,6BAA6B,CAAC,CAAA;YAC5D,CAAC;QACH,CAAC;aAAM,IAAI,KAAK,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YAC7C,MAAM,IAAI,8CAAmB,CAAC,0CAA0C,CAAC,CAAA;QAC3E,CAAC;IACH,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,KAAyC,EACzC,SAA2B;QAE3B,MAAM,YAAY,GAAG,MAAM,mCAAkB;aAC1C,UAAU,CAAC,KAAK,CAAC,aAAa,EAAE,EAAE,IAAI,EAAE,CAAC,eAAe,CAAC,EAAE,CAAC;aAC5D,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,GAAG,GAAG,IAAA,sBAAW,EAAC,GAAG,EAAE,uBAAuB,CAAC,CAAA;YACrD,MAAM,IAAI,0CAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QACvC,CAAC,CAAC,CAAA;QAEJ,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAA;QAE3E,IAAI,CAAC;YACH,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;YAC1B,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,CAAC,CAAA;YACjE,MAAM,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,CAAA;YAEzD,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CACxC,MAAM,EACN,UAAU,EACV,cAAc,EACd,SAAS,CACV,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YAEjD,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAES,KAAK,CAAC,oBAAoB,CAClC,MAAc,EACd,UAAsB,EACtB,IAAe;QAEf,MAAM,CAAC,eAAe,EAAE,eAAe,CAAC,GACtC,UAAU,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY;YACtD,CAAC,CAAC;gBACE,mDAAoC;gBACpC,mDAAoC;aACrC;YACH,CAAC,CAAC,CAAC,6CAA8B,EAAE,6CAA8B,CAAC,CAAA;QAEtE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAA;QACxD,IAAI,UAAU,GAAG,eAAe,EAAE,CAAC;YACjC,MAAM,IAAI,0CAAiB,CAAC,iBAAiB,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAA;QACxD,IAAI,UAAU,GAAG,eAAe,EAAE,CAAC;YACjC,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;IACH,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,MAAM,CACjB,iBAAyC,EACzC,EAAE,KAAK,EAA4B,EACnC,SAA2B;QAE3B,wEAAwE;QACxE,mCAAmC;QACnC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC1D,iBAAiB,EACjB,SAAS,CACV,CAAA;QAED,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAC1D,IAAI,SAAS,EAAE,CAAC;YACd,uEAAuE;YACvE,mCAAmC;YACnC,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;YAC1B,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,CAAC,CAAA;YAEjE,0EAA0E;YAC1E,uEAAuE;YACvE,gCAAgC;YAChC,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC;IAEkB,KAAK,CAAC,WAAW,CAClC,SAAyB,EACzB,KAAuB,EACvB,SAA2B;QAE3B,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,SAAS,EAAE,KAAK,EAAE,SAAS,CAAC,CAAA;QAEzE,IAAI,IAAI,CAAC,eAAe,KAAK,sCAAe,CAAC,SAAS,EAAE,CAAC;YACvD,wEAAwE;YACxE,uEAAuE;YACvE,uEAAuE;YACvE,WAAW;YAEX,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,CACzD,SAAS,EACT,YAAY,CACb,CAAA;YAED,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,CAAA;QAC1C,CAAC;QAED,OAAO,YAAY,CAAA;IACrB,CAAC;CACF;AAv1BD,sCAu1BC;AAED,SAAS,WAAW,CAElB,EAAE,OAAO,EAAwB;IAEjC,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAA;IAC5B,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAA;IAEvB,OAAO,OAAO,CAAC,GAAG,KAAK,IAAI,IAAI,OAAO,CAAC,kBAAkB,KAAK,IAAI,CAAA;AACpE,CAAC","sourcesContent":["import { createHash } from 'node:crypto'\nimport type { Redis, RedisOptions } from 'ioredis'\nimport { Jwks, Keyset } from '@atproto/jwk'\nimport { LexResolver } from '@atproto/lex-resolver'\nimport type { Account } from '@atproto/oauth-provider-api'\nimport {\n CLIENT_ASSERTION_TYPE_JWT_BEARER,\n OAuthAccessToken,\n OAuthAuthorizationCodeGrantTokenRequest,\n OAuthAuthorizationRequestJar,\n OAuthAuthorizationRequestPar,\n OAuthAuthorizationRequestParameters,\n OAuthAuthorizationRequestQuery,\n OAuthAuthorizationServerMetadata,\n OAuthClientCredentials,\n OAuthClientMetadata,\n OAuthParResponse,\n OAuthRefreshTokenGrantTokenRequest,\n OAuthTokenIdentification,\n OAuthTokenRequest,\n OAuthTokenResponse,\n OAuthTokenType,\n atprotoLoopbackClientMetadata,\n oauthAuthorizationRequestParametersSchema,\n} from '@atproto/oauth-types'\nimport { safeFetchWrap } from '@atproto-labs/fetch-node'\nimport { SimpleStore } from '@atproto-labs/simple-store'\nimport { SimpleStoreMemory } from '@atproto-labs/simple-store-memory'\nimport { AccessTokenMode } from './access-token/access-token-mode.js'\nimport { AccountManager } from './account/account-manager.js'\nimport {\n AccountStore,\n AuthorizedClientData,\n DeviceAccount,\n asAccountStore,\n} from './account/account-store.js'\nimport { ClientAuth, ClientAuthLegacy } from './client/client-auth.js'\nimport { ClientId } from './client/client-id.js'\nimport {\n ClientManager,\n LoopbackMetadataGetter,\n} from './client/client-manager.js'\nimport { ClientStore, ifClientStore } from './client/client-store.js'\nimport { Client } from './client/client.js'\nimport {\n AUTHENTICATION_MAX_AGE,\n CONFIDENTIAL_CLIENT_REFRESH_LIFETIME,\n CONFIDENTIAL_CLIENT_SESSION_LIFETIME,\n PUBLIC_CLIENT_REFRESH_LIFETIME,\n PUBLIC_CLIENT_SESSION_LIFETIME,\n TOKEN_MAX_AGE,\n} from './constants.js'\nimport { Branding, BrandingInput } from './customization/branding.js'\nimport {\n Customization,\n CustomizationInput,\n customizationSchema,\n} from './customization/customization.js'\nimport { DeviceId } from './device/device-id.js'\nimport {\n DeviceInfo,\n DeviceManager,\n DeviceManagerOptions,\n} from './device/device-manager.js'\nimport { DeviceStore, asDeviceStore } from './device/device-store.js'\nimport { AccountSelectionRequiredError } from './errors/account-selection-required-error.js'\nimport { AuthorizationError } from './errors/authorization-error.js'\nimport { ConsentRequiredError } from './errors/consent-required-error.js'\nimport { InvalidDpopKeyBindingError } from './errors/invalid-dpop-key-binding-error.js'\nimport { InvalidDpopProofError } from './errors/invalid-dpop-proof-error.js'\nimport { InvalidGrantError } from './errors/invalid-grant-error.js'\nimport { InvalidRequestError } from './errors/invalid-request-error.js'\nimport { LoginRequiredError } from './errors/login-required-error.js'\nimport { LexiconManager } from './lexicon/lexicon-manager.js'\nimport { LexiconStore, asLexiconStore } from './lexicon/lexicon-store.js'\nimport { HcaptchaConfig } from './lib/hcaptcha.js'\nimport { RequestMetadata } from './lib/http/request.js'\nimport { dateToRelativeSeconds } from './lib/util/date.js'\nimport { formatError } from './lib/util/error.js'\nimport { MultiLangString } from './lib/util/locale.js'\nimport { CustomMetadata, buildMetadata } from './metadata/build-metadata.js'\nimport { OAuthHooks } from './oauth-hooks.js'\nimport {\n DpopProof,\n OAuthVerifier,\n OAuthVerifierOptions,\n VerifyTokenPayloadOptions,\n} from './oauth-verifier.js'\nimport { ReplayStore, ifReplayStore } from './replay/replay-store.js'\nimport { codeSchema } from './request/code.js'\nimport { RequestManager } from './request/request-manager.js'\nimport { RequestStore, asRequestStore } from './request/request-store.js'\nimport { parseRequestUri } from './request/request-uri.js'\nimport { AuthorizationRedirectParameters } from './result/authorization-redirect-parameters.js'\nimport { AuthorizationResultAuthorizePage } from './result/authorization-result-authorize-page.js'\nimport { AuthorizationResultRedirect } from './result/authorization-result-redirect.js'\nimport { ErrorHandler } from './router/error-handler.js'\nimport { AccessTokenPayload } from './signer/access-token-payload.js'\nimport { TokenData } from './token/token-data.js'\nimport { TokenManager } from './token/token-manager.js'\nimport {\n TokenStore,\n asTokenStore,\n refreshTokenSchema,\n} from './token/token-store.js'\nimport { isPARResponseError } from './types/par-response-error.js'\n\nexport { AccessTokenMode, Keyset, LexResolver }\nexport type {\n AccessTokenPayload,\n AuthorizationRedirectParameters,\n AuthorizationResultAuthorizePage as AuthorizationResultAuthorize,\n AuthorizationResultRedirect,\n Branding,\n BrandingInput,\n CustomMetadata,\n Customization,\n CustomizationInput,\n ErrorHandler,\n HcaptchaConfig,\n MultiLangString,\n OAuthAuthorizationServerMetadata,\n VerifyTokenPayloadOptions,\n}\n\ntype OAuthProviderConfig = {\n /**\n * Maximum age a device/account session can be before requiring\n * re-authentication.\n */\n authenticationMaxAge?: number\n\n /**\n * Maximum age access & id tokens can be before requiring a refresh.\n */\n tokenMaxAge?: number\n\n /**\n * If set to {@link AccessTokenMode.stateless}, the generated access tokens\n * will contain all the necessary information to validate the token without\n * needing to query the database. This is useful for cases where the Resource\n * Server is on a different host/server than the Authorization Server.\n *\n * When set to {@link AccessTokenMode.light}, the access tokens will contain\n * only the necessary information to validate the token, but the token id\n * will need to be queried from the database to retrieve the full token\n * information (scope, audience, etc.)\n *\n * @see {@link AccessTokenMode}\n * @default {AccessTokenMode.stateless}\n */\n accessTokenMode?: AccessTokenMode\n\n /**\n * Additional metadata to be included in the discovery document.\n */\n metadata?: CustomMetadata\n\n /**\n * A Lexicon resolver instance to use for fetching lexicon schemas.\n */\n lexResolver?: LexResolver\n\n /**\n * A custom fetch function that can be used to fetch the client metadata from\n * the internet. By default, the fetch function is a safeFetchWrap() function\n * that protects against SSRF attacks, large responses & known bad domains. If\n * you want to disable all protections, you can provide `globalThis.fetch` as\n * fetch function.\n */\n safeFetch?: typeof globalThis.fetch\n\n /**\n * A redis instance to use for replay protection. If not provided, replay\n * protection will use memory storage.\n */\n redis?: Redis | RedisOptions | string\n\n /**\n * This will be used as the default store for all the stores. If a store is\n * not provided, this store will be used instead. If the `store` does not\n * implement a specific store, a runtime error will be thrown. Make sure that\n * this store implements all the interfaces not provided in the other\n * `<name>Store` options.\n */\n store?: Partial<\n AccountStore &\n ClientStore &\n DeviceStore &\n LexiconStore &\n ReplayStore &\n RequestStore &\n TokenStore\n >\n\n accountStore?: AccountStore\n clientStore?: ClientStore\n deviceStore?: DeviceStore\n lexiconStore?: LexiconStore\n replayStore?: ReplayStore\n requestStore?: RequestStore\n tokenStore?: TokenStore\n\n /**\n * In order to speed up the client fetching process, you can provide a cache\n * to store HTTP responses.\n *\n * @note the cached entries should automatically expire after a certain time (typically 10 minutes)\n */\n clientJwksCache?: SimpleStore<string, Jwks>\n\n /**\n * In order to speed up the client fetching process, you can provide a cache\n * to store HTTP responses.\n *\n * @note the cached entries should automatically expire after a certain time (typically 10 minutes)\n */\n clientMetadataCache?: SimpleStore<string, OAuthClientMetadata>\n\n /**\n * In order to enable loopback clients, you can provide a function that\n * returns the client metadata for a given loopback URL. This is useful for\n * development and testing purposes. This function is not called for internet\n * clients.\n *\n * @default is as specified by ATPROTO\n */\n loopbackMetadata?: null | false | LoopbackMetadataGetter\n}\n\nexport type OAuthProviderOptions = OAuthProviderConfig &\n OAuthVerifierOptions &\n OAuthHooks &\n DeviceManagerOptions &\n CustomizationInput\n\nexport class OAuthProvider extends OAuthVerifier {\n protected readonly accessTokenMode: AccessTokenMode\n protected readonly hooks: OAuthHooks\n\n public readonly metadata: OAuthAuthorizationServerMetadata\n public readonly customization: Customization\n\n public readonly authenticationMaxAge: number\n\n public readonly accountManager: AccountManager\n public readonly deviceManager: DeviceManager\n public readonly clientManager: ClientManager\n public readonly lexiconManager: LexiconManager\n public readonly requestManager: RequestManager\n public readonly tokenManager: TokenManager\n\n public constructor({\n // OAuthProviderConfig\n authenticationMaxAge = AUTHENTICATION_MAX_AGE,\n tokenMaxAge = TOKEN_MAX_AGE,\n accessTokenMode = AccessTokenMode.stateless,\n\n metadata,\n\n safeFetch = safeFetchWrap(),\n store, // compound store implementation\n lexResolver = new LexResolver({ fetch: safeFetch }),\n\n // Required stores\n accountStore = asAccountStore(store),\n deviceStore = asDeviceStore(store),\n lexiconStore = asLexiconStore(store),\n tokenStore = asTokenStore(store),\n requestStore = asRequestStore(store),\n\n // Optional stores\n clientStore = ifClientStore(store),\n replayStore = ifReplayStore(store),\n\n clientJwksCache = new SimpleStoreMemory({\n maxSize: 50_000_000,\n ttl: 600e3,\n }),\n clientMetadataCache = new SimpleStoreMemory({\n maxSize: 50_000_000,\n ttl: 600e3,\n }),\n\n loopbackMetadata = atprotoLoopbackClientMetadata,\n\n // OAuthHooks &\n // OAuthVerifierOptions &\n // DeviceManagerOptions &\n // Customization\n ...rest\n }: OAuthProviderOptions) {\n super({ replayStore, ...rest })\n\n // @NOTE: hooks don't really need a type parser, as all zod can actually\n // check at runtime is the fact that the values are functions. The only way\n // we would benefit from zod here would be to wrap the functions with a\n // validator for the provided function's return types, which we don't\n // really need if types are respected.\n this.hooks = rest\n\n this.accessTokenMode = accessTokenMode\n this.authenticationMaxAge = authenticationMaxAge\n this.metadata = buildMetadata(this.issuer, this.keyset, metadata)\n this.customization = customizationSchema.parse(rest)\n\n this.deviceManager = new DeviceManager(deviceStore, {\n ...rest,\n cookie: {\n ...rest.cookie,\n // \"secure\" defaults to \"true\" in DeviceManager. For the oauth routes to\n // work from localhost on Safari, we need to explicitly set secure to\n // false for localhost usage. This is not really an issue with Chrome\n // and Firefox, but Safari enforces it strictly.\n secure: !this.issuer.startsWith('http:'),\n },\n })\n this.accountManager = new AccountManager(\n this.issuer,\n accountStore,\n this.hooks,\n this.customization,\n )\n this.clientManager = new ClientManager(\n this.metadata,\n this.keyset,\n this.hooks,\n clientStore || null,\n loopbackMetadata || null,\n safeFetch,\n clientJwksCache,\n clientMetadataCache,\n )\n this.lexiconManager = new LexiconManager(lexiconStore, lexResolver)\n this.requestManager = new RequestManager(\n requestStore,\n this.lexiconManager,\n this.signer,\n this.metadata,\n this.hooks,\n )\n this.tokenManager = new TokenManager(\n tokenStore,\n this.lexiconManager,\n this.signer,\n this.hooks,\n this.accessTokenMode,\n tokenMaxAge,\n )\n }\n\n get jwks() {\n return this.keyset.publicJwks\n }\n\n /**\n * @returns true if the user's consent is required for the requested scopes\n */\n public checkConsentRequired(\n parameters: OAuthAuthorizationRequestParameters,\n clientData?: AuthorizedClientData,\n ) {\n // Client was never authorized before\n if (!clientData) return true\n\n // Client explicitly asked for consent\n if (parameters.prompt === 'consent') return true\n\n // No scope requested, and client is known by user, no consent required\n const requestedScopes = parameters.scope?.split(' ')\n if (requestedScopes == null) return false\n\n // Ensure that all requested scopes were previously authorized by the user\n const { authorizedScopes } = clientData\n return !requestedScopes.every((scope) => authorizedScopes.includes(scope))\n }\n\n public checkLoginRequired(deviceAccount: DeviceAccount) {\n const authAge = Date.now() - deviceAccount.updatedAt.getTime()\n return authAge > this.authenticationMaxAge\n }\n\n protected async authenticateClient(\n clientCredentials: OAuthClientCredentials,\n dpopProof: null | DpopProof,\n options?: {\n allowMissingDpopProof?: boolean\n },\n ): Promise<{\n client: Client\n clientAuth: ClientAuth\n }> {\n const client = await this.clientManager.getClient(\n clientCredentials.client_id,\n )\n\n if (\n client.metadata.dpop_bound_access_tokens &&\n !dpopProof &&\n !options?.allowMissingDpopProof\n ) {\n throw new InvalidDpopProofError('DPoP proof required')\n }\n\n if (dpopProof && !client.metadata.dpop_bound_access_tokens) {\n throw new InvalidDpopProofError('DPoP proof not allowed for this client')\n }\n\n const clientAuth = await client.authenticate(clientCredentials, {\n authorizationServerIdentifier: this.issuer,\n })\n\n if (clientAuth.method === 'private_key_jwt') {\n // Clients MUST NOT use their client assertion key to sign DPoP proofs\n if (dpopProof && clientAuth.jkt === dpopProof.jkt) {\n throw new InvalidRequestError(\n 'The DPoP proof must be signed with a different key than the client assertion',\n )\n }\n\n // https://www.rfc-editor.org/rfc/rfc7523.html#section-3\n // > 7. [...] The authorization server MAY ensure that JWTs are not\n // > replayed by maintaining the set of used \"jti\" values for the\n // > length of time for which the JWT would be considered valid based\n // > on the applicable \"exp\" instant.\n\n const unique = await this.replayManager.uniqueAuth(\n clientAuth.jti,\n client.id,\n clientAuth.exp,\n )\n if (!unique) {\n throw new InvalidGrantError(`${clientAuth.method} jti reused`)\n }\n }\n\n return { client, clientAuth }\n }\n\n async decodeJAR(\n client: Client,\n input: OAuthAuthorizationRequestJar,\n ): Promise<OAuthAuthorizationRequestParameters> {\n const { payload } = await client.decodeRequestObject(\n input.request,\n this.issuer,\n )\n\n const { jti } = payload\n if (!jti) {\n throw new InvalidRequestError(\n 'Request object payload must contain a \"jti\" claim',\n )\n }\n if (!(await this.replayManager.uniqueJar(jti, client.id))) {\n throw new InvalidRequestError('Request object was replayed')\n }\n\n const parameters = await oauthAuthorizationRequestParametersSchema\n .parseAsync(payload)\n .catch((err) => {\n const msg = formatError(err, 'Invalid parameters in JAR')\n throw new InvalidRequestError(msg, err)\n })\n\n return parameters\n }\n\n /**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc9126}\n */\n public async pushedAuthorizationRequest(\n credentials: OAuthClientCredentials,\n authorizationRequest: OAuthAuthorizationRequestPar,\n dpopProof: null | DpopProof,\n ): Promise<OAuthParResponse> {\n try {\n const { client, clientAuth } = await this.authenticateClient(\n credentials,\n dpopProof,\n // Allow missing DPoP header for PAR requests as rfc9449 allows it\n // (though the dpop_jkt parameter must be present in that case, see\n // check bellow).\n { allowMissingDpopProof: true },\n )\n\n const parameters =\n 'request' in authorizationRequest // Handle JAR\n ? await this.decodeJAR(client, authorizationRequest)\n : authorizationRequest\n\n if (!parameters.dpop_jkt) {\n if (client.metadata.dpop_bound_access_tokens) {\n if (dpopProof) parameters.dpop_jkt = dpopProof.jkt\n else {\n // @NOTE When both PAR and DPoP are used, either the DPoP header, or\n // the dpop_jkt parameter must be present. We do not enforce this\n // for legacy reasons.\n // https://datatracker.ietf.org/doc/html/rfc9449#section-10.1\n }\n }\n } else {\n if (!client.metadata.dpop_bound_access_tokens) {\n throw new InvalidRequestError(\n 'DPoP bound access tokens are not enabled for this client',\n )\n }\n\n // Proof is optional if the dpop_jkt is provided, but if it is provided,\n // it must match the DPoP proof JKT.\n if (dpopProof && dpopProof.jkt !== parameters.dpop_jkt) {\n throw new InvalidDpopKeyBindingError()\n }\n }\n\n const { requestUri, expiresAt } =\n await this.requestManager.createAuthorizationRequest(\n client,\n clientAuth,\n parameters,\n null,\n )\n\n return {\n request_uri: requestUri,\n expires_in: dateToRelativeSeconds(expiresAt),\n }\n } catch (err) {\n // https://datatracker.ietf.org/doc/html/rfc9126#section-2.3-1\n // > Since initial processing of the pushed authorization request does not\n // > involve resource owner interaction, error codes related to user\n // > interaction, such as \"access_denied\", are never returned.\n if (err instanceof AuthorizationError && !isPARResponseError(err.error)) {\n throw new InvalidRequestError(err.error_description, err)\n }\n throw err\n }\n }\n\n private async processAuthorizationRequest(\n client: Client,\n deviceId: DeviceId,\n query: OAuthAuthorizationRequestQuery,\n ) {\n // PAR\n if ('request_uri' in query) {\n const requestUri = parseRequestUri(query.request_uri, {\n path: ['query', 'request_uri'],\n })\n return this.requestManager.get(requestUri, deviceId, client.id)\n }\n\n // JAR\n if ('request' in query) {\n // @NOTE Since JAR are signed with the client's private key, a JAR *could*\n // technically be used to authenticate the client when requests are\n // created without PAR (i.e. created on the fly by the authorize\n // endpoint). This implementation actually used to support this\n // (un-spec'd) behavior. That support was removed:\n // - Because it was not actually used\n // - Because it was not part of any standard\n // - Because it makes extending the client authentication mechanism more\n // complex since any extension would not only need to affect the\n // \"private_key_jwt\" auth method but also the JAR \"request\" object.\n const parameters = await this.decodeJAR(client, query)\n\n return this.requestManager.createAuthorizationRequest(\n client,\n null,\n parameters,\n deviceId,\n )\n }\n\n // \"Regular\" authorization request (created on the fly by directing the user\n // to the authorization endpoint with all the parameters in the url).\n return this.requestManager.createAuthorizationRequest(\n client,\n null,\n query,\n deviceId,\n )\n }\n\n /**\n * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.1}\n */\n public async authorize(\n query: OAuthAuthorizationRequestQuery,\n { deviceId, deviceMetadata }: DeviceInfo,\n ): Promise<AuthorizationResultRedirect | AuthorizationResultAuthorizePage> {\n const { issuer } = this\n\n // If there is a chance to redirect the user to the client, let's do\n // it by wrapping the error in an AuthorizationError.\n const throwAuthorizationError =\n 'redirect_uri' in query\n ? (err: unknown): never => {\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.2.1\n throw AuthorizationError.from(query, err)\n }\n : null\n\n const client = await this.clientManager\n .getClient(query.client_id)\n .catch(throwAuthorizationError)\n\n const { parameters, requestUri } = await this.processAuthorizationRequest(\n client,\n deviceId,\n query,\n ).catch(throwAuthorizationError)\n\n try {\n const sessions = (\n await this.accountManager.listDeviceAccounts(deviceId)\n ).map((deviceAccount) => ({\n account: deviceAccount.account,\n\n // @TODO Return the session expiration date instead of a boolean to\n // avoid having to rely on a leeway when \"accepting\" the request.\n loginRequired:\n parameters.prompt === 'login' ||\n this.checkLoginRequired(deviceAccount),\n consentRequired: this.checkConsentRequired(\n parameters,\n deviceAccount.authorizedClients.get(client.id),\n ),\n }))\n\n // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest\n\n // prompt=select_account\n //\n // > The Authorization Server SHOULD prompt the End-User to select a user\n // > account. This enables an End-User who has multiple accounts at the\n // > Authorization Server to select amongst the multiple accounts that\n // > they might have current sessions for. If it cannot obtain an account\n // > selection choice made by the End-User, it MUST return an error,\n // > typically account_selection_required.\n if (parameters.prompt === 'select_account' && !sessions.length) {\n throw new AccountSelectionRequiredError(parameters)\n }\n\n // prompt=none\n //\n // > The Authorization Server MUST NOT display any authentication or\n // > consent user interface pages. An error is returned if an End-User is\n // > not already authenticated or the Client does not have pre-configured\n // > consent for the requested Claims or does not fulfill other conditions\n // > for processing the request. The error code will typically be\n // > login_required, interaction_required, or another code defined in\n // > Section 3.1.2.6. This can be used as a method to check for existing\n // > authentication and/or consent.\n if (parameters.prompt === 'none') {\n const ssoSessions = sessions.filter(matchesHint, parameters)\n if (ssoSessions.length > 1) {\n throw new AccountSelectionRequiredError(parameters)\n }\n if (ssoSessions.length < 1) {\n throw new LoginRequiredError(parameters)\n }\n\n const ssoSession = ssoSessions[0]!\n if (ssoSession.loginRequired) {\n throw new LoginRequiredError(parameters)\n }\n if (ssoSession.consentRequired) {\n throw new ConsentRequiredError(parameters)\n }\n\n const code = await this.requestManager.setAuthorized(\n requestUri,\n client,\n ssoSession.account,\n deviceId,\n deviceMetadata,\n )\n\n return { issuer, parameters, redirect: { code } }\n }\n\n // Automatic SSO when a hint was provided that matches a single session\n if (parameters.prompt == null && parameters.login_hint != null) {\n const ssoSessions = sessions.filter(matchesHint, parameters)\n if (ssoSessions.length === 1) {\n const ssoSession = ssoSessions[0]!\n if (!ssoSession.loginRequired && !ssoSession.consentRequired) {\n const code = await this.requestManager.setAuthorized(\n requestUri,\n client,\n ssoSession.account,\n deviceId,\n deviceMetadata,\n )\n\n return { issuer, parameters, redirect: { code } }\n }\n }\n }\n\n return {\n issuer,\n client,\n parameters,\n requestUri,\n sessions,\n selectedSub:\n parameters.prompt == null ||\n parameters.prompt === 'login' ||\n parameters.prompt === 'consent'\n ? sessions.find(matchesHint, parameters)?.account.sub\n : undefined,\n permissionSets: await this.lexiconManager\n .getPermissionSetsFromScope(parameters.scope)\n .catch((cause) => {\n throw new AuthorizationError(\n parameters,\n 'Unable to retrieve permission sets',\n 'invalid_scope',\n cause,\n )\n }),\n }\n } catch (err) {\n try {\n await this.requestManager.delete(requestUri)\n } catch {\n // There are two error here. Better keep the outer one.\n //\n // @TODO Maybe move this entire code to the /authorize endpoint\n // (allowing to log this error)\n }\n\n throw AuthorizationError.from(parameters, err)\n }\n }\n\n public async token(\n clientCredentials: OAuthClientCredentials,\n clientMetadata: RequestMetadata,\n request: OAuthTokenRequest,\n dpopProof: null | DpopProof,\n ): Promise<OAuthTokenResponse> {\n const { client, clientAuth } = await this.authenticateClient(\n clientCredentials,\n dpopProof,\n )\n\n if (!this.metadata.grant_types_supported?.includes(request.grant_type)) {\n throw new InvalidGrantError(\n `Grant type \"${request.grant_type}\" is not supported by the server`,\n )\n }\n\n if (!client.metadata.grant_types.includes(request.grant_type)) {\n throw new InvalidGrantError(\n `\"${request.grant_type}\" grant type is not allowed for this client`,\n )\n }\n\n if (request.grant_type === 'authorization_code') {\n return this.authorizationCodeGrant(\n client,\n clientAuth,\n clientMetadata,\n request,\n dpopProof,\n )\n }\n\n if (request.grant_type === 'refresh_token') {\n return this.refreshTokenGrant(\n client,\n clientAuth,\n clientMetadata,\n request,\n dpopProof,\n )\n }\n\n throw new InvalidGrantError(\n `Grant type \"${request.grant_type}\" not supported`,\n )\n }\n\n protected async compareClientAuth(\n client: Client,\n clientAuth: ClientAuth,\n dpopProof: null | DpopProof,\n initial: {\n parameters: OAuthAuthorizationRequestParameters\n clientId: ClientId\n clientAuth: null | ClientAuth | ClientAuthLegacy\n },\n ): Promise<void> {\n // Fool proofing, ensure that the client is authenticating using the right method\n if (clientAuth.method !== client.metadata.token_endpoint_auth_method) {\n throw new InvalidGrantError(\n `Client authentication method mismatch (expected ${client.metadata.token_endpoint_auth_method}, got ${clientAuth.method})`,\n )\n }\n\n if (initial.clientId !== client.id) {\n throw new InvalidGrantError(`Token was not issued to this client`)\n }\n\n const { parameters } = initial\n if (parameters.dpop_jkt) {\n if (!dpopProof) {\n throw new InvalidGrantError(`DPoP proof is required for this request`)\n } else if (parameters.dpop_jkt !== dpopProof.jkt) {\n throw new InvalidGrantError(\n `DPoP proof does not match the expected JKT`,\n )\n }\n }\n\n if (!initial.clientAuth) {\n // If the client did not use PAR, it was not authenticated when the request\n // was initially created (see authorize() method in OAuthProvider). Since\n // PAR is not mandatory, and since the token exchange currently taking place\n // *is* authenticated (`clientAuth`), we allow \"upgrading\" the\n // authentication method (the token created will be bound to the current\n // clientAuth).\n return\n }\n\n switch (initial.clientAuth.method) {\n case CLIENT_ASSERTION_TYPE_JWT_BEARER: // LEGACY\n case 'private_key_jwt':\n if (clientAuth.method !== 'private_key_jwt') {\n throw new InvalidGrantError(\n `Client authentication method mismatch (expected ${initial.clientAuth.method})`,\n )\n }\n if (\n clientAuth.kid !== initial.clientAuth.kid ||\n clientAuth.alg !== initial.clientAuth.alg ||\n clientAuth.jkt !== initial.clientAuth.jkt\n ) {\n throw new InvalidGrantError(\n `The session was initiated with a different key than the client assertion currently used`,\n )\n }\n break\n case 'none':\n // @NOTE We allow the client to \"upgrade\" to a confidential client if\n // the session was initially created without client authentication.\n break\n default:\n throw new InvalidGrantError(\n // @ts-expect-error (future proof, backwards compatibility)\n `Invalid method \"${initial.clientAuth.method}\"`,\n )\n }\n }\n\n protected async authorizationCodeGrant(\n client: Client,\n clientAuth: ClientAuth,\n clientMetadata: RequestMetadata,\n input: OAuthAuthorizationCodeGrantTokenRequest,\n dpopProof: null | DpopProof,\n ): Promise<OAuthTokenResponse> {\n const code = await codeSchema\n .parseAsync(input.code, { path: ['code'] })\n .catch((err) => {\n const msg = formatError(err, 'Invalid code')\n throw new InvalidGrantError(msg, err)\n })\n\n const data = await this.requestManager\n .consumeCode(code)\n .catch(async (err) => {\n // Code not found in request manager: check for replays\n const tokenInfo = await this.tokenManager.findByCode(code)\n if (tokenInfo) {\n // try/finally to ensure that both code path get executed (sequentially)\n try {\n // \"code\" was replayed, delete existing session\n await this.tokenManager.deleteToken(tokenInfo.id)\n } finally {\n // As an additional security measure, we also sign the device out,\n // so that the device cannot be used to access the account anymore\n // without a new authentication.\n const { deviceId, sub } = tokenInfo.data\n if (deviceId) {\n await this.accountManager.removeDeviceAccount(deviceId, sub)\n }\n }\n }\n\n throw InvalidGrantError.from(err, `Invalid code`)\n })\n\n // @NOTE at this point, the request data was removed from the store and only\n // exists in memory here (in the \"data\" variable). Because of this, any\n // error thrown after this point will permanently cause the request data to\n // be lost.\n\n await this.compareClientAuth(client, clientAuth, dpopProof, data)\n\n // If the DPoP proof was not provided earlier (PAR / authorize), let's add\n // it now.\n const parameters =\n dpopProof &&\n client.metadata.dpop_bound_access_tokens &&\n !data.parameters.dpop_jkt\n ? { ...data.parameters, dpop_jkt: dpopProof.jkt }\n : data.parameters\n\n await this.validateCodeGrant(parameters, input)\n\n const { account } = await this.accountManager.getAccount(data.sub)\n\n return this.tokenManager.createToken(\n client,\n clientAuth,\n clientMetadata,\n account,\n data.deviceId,\n parameters,\n code,\n )\n }\n\n protected async validateCodeGrant(\n parameters: OAuthAuthorizationRequestParameters,\n input: OAuthAuthorizationCodeGrantTokenRequest,\n ): Promise<void> {\n if (parameters.redirect_uri !== input.redirect_uri) {\n throw new InvalidGrantError(\n 'The redirect_uri parameter must match the one used in the authorization request',\n )\n }\n\n if (parameters.code_challenge) {\n if (!input.code_verifier) {\n throw new InvalidGrantError('code_verifier is required')\n }\n if (input.code_verifier.length < 43) {\n throw new InvalidGrantError('code_verifier too short')\n }\n switch (parameters.code_challenge_method) {\n case undefined: // default is \"plain\"\n case 'plain':\n if (parameters.code_challenge !== input.code_verifier) {\n throw new InvalidGrantError('Invalid code_verifier')\n }\n break\n\n case 'S256': {\n const inputChallenge = Buffer.from(\n parameters.code_challenge,\n 'base64',\n )\n const computedChallenge = createHash('sha256')\n .update(input.code_verifier)\n .digest()\n if (inputChallenge.compare(computedChallenge) !== 0) {\n throw new InvalidGrantError('Invalid code_verifier')\n }\n break\n }\n\n default:\n // Should never happen (because request validation should catch this)\n throw new Error(`Unsupported code_challenge_method`)\n }\n const unique = await this.replayManager.uniqueCodeChallenge(\n parameters.code_challenge,\n )\n if (!unique) {\n throw new InvalidGrantError('Code challenge already used')\n }\n } else if (input.code_verifier !== undefined) {\n throw new InvalidRequestError(\"code_challenge parameter wasn't provided\")\n }\n }\n\n protected async refreshTokenGrant(\n client: Client,\n clientAuth: ClientAuth,\n clientMetadata: RequestMetadata,\n input: OAuthRefreshTokenGrantTokenRequest,\n dpopProof: null | DpopProof,\n ): Promise<OAuthTokenResponse> {\n const refreshToken = await refreshTokenSchema\n .parseAsync(input.refresh_token, { path: ['refresh_token'] })\n .catch((err) => {\n const msg = formatError(err, 'Invalid refresh token')\n throw new InvalidGrantError(msg, err)\n })\n\n const tokenInfo = await this.tokenManager.consumeRefreshToken(refreshToken)\n\n try {\n const { data } = tokenInfo\n await this.compareClientAuth(client, clientAuth, dpopProof, data)\n await this.validateRefreshGrant(client, clientAuth, data)\n\n return await this.tokenManager.rotateToken(\n client,\n clientAuth,\n clientMetadata,\n tokenInfo,\n )\n } catch (err) {\n await this.tokenManager.deleteToken(tokenInfo.id)\n\n throw err\n }\n }\n\n protected async validateRefreshGrant(\n client: Client,\n clientAuth: ClientAuth,\n data: TokenData,\n ): Promise<void> {\n const [sessionLifetime, refreshLifetime] =\n clientAuth.method !== 'none' || client.info.isFirstParty\n ? [\n CONFIDENTIAL_CLIENT_SESSION_LIFETIME,\n CONFIDENTIAL_CLIENT_REFRESH_LIFETIME,\n ]\n : [PUBLIC_CLIENT_SESSION_LIFETIME, PUBLIC_CLIENT_REFRESH_LIFETIME]\n\n const sessionAge = Date.now() - data.createdAt.getTime()\n if (sessionAge > sessionLifetime) {\n throw new InvalidGrantError(`Session expired`)\n }\n\n const refreshAge = Date.now() - data.updatedAt.getTime()\n if (refreshAge > refreshLifetime) {\n throw new InvalidGrantError(`Refresh token expired`)\n }\n }\n\n /**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 rfc7009}\n */\n public async revoke(\n clientCredentials: OAuthClientCredentials,\n { token }: OAuthTokenIdentification,\n dpopProof: null | DpopProof,\n ) {\n // > The authorization server first validates the client credentials (in\n // > case of a confidential client)\n const { client, clientAuth } = await this.authenticateClient(\n clientCredentials,\n dpopProof,\n )\n\n const tokenInfo = await this.tokenManager.findToken(token)\n if (tokenInfo) {\n // > [...] and then verifies whether the token was issued to the client\n // > making the revocation request.\n const { data } = tokenInfo\n await this.compareClientAuth(client, clientAuth, dpopProof, data)\n\n // > In the next step, the authorization server invalidates the token. The\n // > invalidation takes place immediately, and the token cannot be used\n // > again after the revocation.\n await this.tokenManager.deleteToken(tokenInfo.id)\n }\n }\n\n protected override async decodeToken(\n tokenType: OAuthTokenType,\n token: OAuthAccessToken,\n dpopProof: null | DpopProof,\n ): Promise<AccessTokenPayload> {\n const tokenPayload = await super.decodeToken(tokenType, token, dpopProof)\n\n if (this.accessTokenMode !== AccessTokenMode.stateless) {\n // @NOTE in non stateless mode, some claims can be omitted (most notably\n // \"scope\"). We load the token claims here (allowing to ensure that the\n // token is still valid, and to retrieve a (potentially updated) set of\n // claims).\n\n const tokenClaims = await this.tokenManager.loadTokenClaims(\n tokenType,\n tokenPayload,\n )\n\n Object.assign(tokenPayload, tokenClaims)\n }\n\n return tokenPayload\n }\n}\n\nfunction matchesHint(\n this: OAuthAuthorizationRequestParameters,\n { account }: { account: Account },\n): boolean {\n const hint = this.login_hint\n if (!hint) return false\n\n return account.sub === hint || account.preferred_username === hint\n}\n"]}
package/dist/request/request-manager.d.ts CHANGED
@@ -57,6 +57,13 @@ export declare class RequestManager {
57
57
  }>;
58
58
  }>;
59
59
  protected validate(client: Client, clientAuth: null | ClientAuth, parameters: Readonly<OAuthAuthorizationRequestParameters>): Promise<Readonly<OAuthAuthorizationRequestParameters>>;
60
+ /**
61
+ * Reads the {@link ClientId} associated with a request URI without any of
62
+ * the validation or side-effects performed by {@link RequestManager.get}
63
+ *
64
+ * Returns `undefined` when no such request exists.
65
+ */
66
+ peekClientId(requestUri: RequestUri): Promise<ClientId | undefined>;
60
67
  get(requestUri: RequestUri, deviceId?: DeviceId, clientId?: ClientId): Promise<{
61
68
  requestUri: `urn:ietf:params:oauth:request_uri:req-${string}`;
62
69
  expiresAt: Date;
package/dist/request/request-manager.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"request-manager.d.ts","sourceRoot":"","sources":["../../src/request/request-manager.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,6BAA6B,CAAA;AAE1D,OAAO,EACL,mCAAmC,EACnC,gCAAgC,EACjC,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAO5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAQjD,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAA;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,IAAI,EAAgB,MAAM,WAAW,CAAA;AAC9C,OAAO,EACL,qBAAqB,EAEtB,MAAM,mBAAmB,CAAA;AAE1B,OAAO,EAAE,YAAY,EAAqB,MAAM,oBAAoB,CAAA;AACpE,OAAO,EACL,UAAU,EAGX,MAAM,kBAAkB,CAAA;AAEzB,qBAAa,cAAc;IAEvB,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,YAAY;IACtC,SAAS,CAAC,QAAQ,CAAC,cAAc,EAAE,cAAc;IACjD,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM;IACjC,SAAS,CAAC,QAAQ,CAAC,QAAQ,EAAE,gCAAgC;IAC7D,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IACpC,SAAS,CAAC,QAAQ,CAAC,WAAW;gBALX,KAAK,EAAE,YAAY,EACnB,cAAc,EAAE,cAAc,EAC9B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,gCAAgC,EAC1C,KAAK,EAAE,UAAU,EACjB,WAAW,SAAgB;IAGhD,SAAS,CAAC,iBAAiB;IAIrB,0BAA0B,CAC9B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,IAAI,GAAG,UAAU,EAC7B,KAAK,EAAE,QAAQ,CAAC,mCAAmC,CAAC,EACpD,QAAQ,EAAE,IAAI,GAAG,QAAQ;;;;;;;;;;yBAqGV,CAAA;uBACqB,CAAC;yBAarC,CAVD;0BAA0C,CAAC;0BAU1C,CATD;;;;;;;;;;qBAY6C,CAAC;sBACvB,CAAC;yBACjB,CAAC;;;;;;;;;cA7FO,QAAQ,CACtB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,IAAI,GAAG,UAAU,EAC7B,UAAU,EAAE,QAAQ,CAAC,mCAAmC,CAAC,GACxD,OAAO,CAAC,QAAQ,CAAC,mCAAmC,CAAC,CAAC;IAkOnD,GAAG,CAAC,UAAU,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,QAAQ,EAAE,QAAQ,CAAC,EAAE,QAAQ;;;;;;;;;;yBA5JzD,CAAA;uBACqB,CAAC;yBAarC,CAVD;0BAA0C,CAAC;0BAU1C,CATD;;;;;;;;;;qBAY6C,CAAC;sBACvB,CAAC;yBACjB,CAAC;;;;;;;;;;IAqMH,aAAa,CACjB,UAAU,EAAE,UAAU,EACtB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,IAAI,CAAC;IAiFhB;;;OAGG;IACU,WAAW,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,qBAAqB,CAAC;IA2B9D,MAAM,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;CAIpD"}
1
+ {"version":3,"file":"request-manager.d.ts","sourceRoot":"","sources":["../../src/request/request-manager.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,6BAA6B,CAAA;AAE1D,OAAO,EACL,mCAAmC,EACnC,gCAAgC,EACjC,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAO5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAQjD,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAA;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,IAAI,EAAgB,MAAM,WAAW,CAAA;AAC9C,OAAO,EACL,qBAAqB,EAEtB,MAAM,mBAAmB,CAAA;AAE1B,OAAO,EAAE,YAAY,EAAqB,MAAM,oBAAoB,CAAA;AACpE,OAAO,EACL,UAAU,EAGX,MAAM,kBAAkB,CAAA;AAEzB,qBAAa,cAAc;IAEvB,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,YAAY;IACtC,SAAS,CAAC,QAAQ,CAAC,cAAc,EAAE,cAAc;IACjD,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM;IACjC,SAAS,CAAC,QAAQ,CAAC,QAAQ,EAAE,gCAAgC;IAC7D,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IACpC,SAAS,CAAC,QAAQ,CAAC,WAAW;gBALX,KAAK,EAAE,YAAY,EACnB,cAAc,EAAE,cAAc,EAC9B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,gCAAgC,EAC1C,KAAK,EAAE,UAAU,EACjB,WAAW,SAAgB;IAGhD,SAAS,CAAC,iBAAiB;IAIrB,0BAA0B,CAC9B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,IAAI,GAAG,UAAU,EAC7B,KAAK,EAAE,QAAQ,CAAC,mCAAmC,CAAC,EACpD,QAAQ,EAAE,IAAI,GAAG,QAAQ;;;;;;;;;;yBAqGV,CAAA;uBACqB,CAAC;yBAarC,CAVD;0BAA0C,CAAC;0BAU1C,CATD;;;;;;;;;;qBAY6C,CAAC;sBACvB,CAAC;yBACjB,CAAC;;;;;;;;;cA7FO,QAAQ,CACtB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,IAAI,GAAG,UAAU,EAC7B,UAAU,EAAE,QAAQ,CAAC,mCAAmC,CAAC,GACxD,OAAO,CAAC,QAAQ,CAAC,mCAAmC,CAAC,CAAC;IAkOzD;;;;;OAKG;IACG,YAAY,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC;IAMnE,GAAG,CAAC,UAAU,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,QAAQ,EAAE,QAAQ,CAAC,EAAE,QAAQ;;;;;;;;;;yBAxKzD,CAAA;uBACqB,CAAC;yBAarC,CAVD;0BAA0C,CAAC;0BAU1C,CATD;;;;;;;;;;qBAY6C,CAAC;sBACvB,CAAC;yBACjB,CAAC;;;;;;;;;;IAiNH,aAAa,CACjB,UAAU,EAAE,UAAU,EACtB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,IAAI,CAAC;IAiFhB;;;OAGG;IACU,WAAW,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,qBAAqB,CAAC;IA2B9D,MAAM,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;CAIpD"}
package/dist/request/request-manager.js CHANGED
@@ -210,6 +210,17 @@ class RequestManager {
210
210
  }
211
211
  return parameters;
212
212
  }
213
+ /**
214
+ * Reads the {@link ClientId} associated with a request URI without any of
215
+ * the validation or side-effects performed by {@link RequestManager.get}
216
+ *
217
+ * Returns `undefined` when no such request exists.
218
+ */
219
+ async peekClientId(requestUri) {
220
+ const requestId = (0, request_uri_js_1.decodeRequestUri)(requestUri);
221
+ const data = await this.store.readRequest(requestId);
222
+ return data?.clientId;
223
+ }
213
224
  async get(requestUri, deviceId, clientId) {
214
225
  const requestId = (0, request_uri_js_1.decodeRequestUri)(requestUri);
215
226
  const data = await this.store.readRequest(requestId);
package/dist/request/request-manager.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"request-manager.js","sourceRoot":"","sources":["../../src/request/request-manager.ts"],"names":[],"mappings":";;;AAAA,sCAA2C;AAC3C,wDAAwD;AAExD,wDAA2D;AAK3D,4CAA+C;AAI/C,kDAKwB;AAExB,6EAAoE;AACpE,6EAAqE;AACrE,mFAA0E;AAC1E,6GAAmG;AACnG,6EAAoE;AACpE,iFAAwE;AACxE,6EAAoE;AAKpE,uCAA8C;AAC9C,uDAG0B;AAC1B,mDAAmD;AAEnD,qDAIyB;AAEzB,MAAa,cAAc;IAEJ;IACA;IACA;IACA;IACA;IACA;IANrB,YACqB,KAAmB,EACnB,cAA8B,EAC9B,MAAc,EACd,QAA0C,EAC1C,KAAiB,EACjB,cAAc,4BAAa;QAL3B,UAAK,GAAL,KAAK,CAAc;QACnB,mBAAc,GAAd,cAAc,CAAgB;QAC9B,WAAM,GAAN,MAAM,CAAQ;QACd,aAAQ,GAAR,QAAQ,CAAkC;QAC1C,UAAK,GAAL,KAAK,CAAY;QACjB,gBAAW,GAAX,WAAW,CAAgB;IAC7C,CAAC;IAEM,iBAAiB;QACzB,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAA;IAChD,CAAC;IAED,KAAK,CAAC,0BAA0B,CAC9B,MAAc,EACd,UAA6B,EAC7B,KAAoD,EACpD,QAAyB;QAEzB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,CAAC,CAAA;QAEjE,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,MAAM;YACN,UAAU;YACV,UAAU;SACX,CAAC,CAAA;QAEF,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,6BAAc,CAAC,CAAA;QACvD,MAAM,SAAS,GAAG,MAAM,IAAA,iCAAiB,GAAE,CAAA;QAE3C,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,EAAE;YACxC,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,UAAU;YACV,UAAU;YACV,SAAS;YACT,QAAQ;YACR,GAAG,EAAE,IAAI;YACT,IAAI,EAAE,IAAI;SACX,CAAC,CAAA;QAEF,MAAM,UAAU,GAAG,IAAA,iCAAgB,EAAC,SAAS,CAAC,CAAA;QAC9C,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,CAAA;IAC9C,CAAC;IAES,KAAK,CAAC,QAAQ,CACtB,MAAc,EACd,UAA6B,EAC7B,UAAyD;QAEzD,kCAAkC;QAClC,kCAAkC;QAClC,kCAAkC;QAElC,KAAK,MAAM,CAAC,IAAI;YACd,oCAAoC;YACpC,QAAQ;YACR,eAAe;YACf,OAAO,EAAE,gDAAgD;SACjD,EAAE,CAAC;YACX,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;gBAChC,MAAM,IAAI,2CAAkB,CAAC,UAAU,EAAE,gBAAgB,CAAC,aAAa,CAAC,CAAA;YAC1E,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,0BAA0B;QAC1B,0BAA0B;QAE1B,IACE,CAAC,IAAI,CAAC,QAAQ,CAAC,wBAAwB,EAAE,QAAQ,CAC/C,UAAU,CAAC,aAAa,CACzB,EACD,CAAC;YACD,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,8BAA8B,UAAU,CAAC,aAAa,GAAG,EACzD,2BAA2B,CAC5B,CAAA;QACH,CAAC;QAED,IACE,UAAU,CAAC,aAAa,KAAK,MAAM;YACnC,CAAC,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,QAAQ,CAAC,oBAAoB,CAAC,EACpE,CAAC;YACD,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,6CAA6C,EAC7C,iBAAiB,CAClB,CAAA;QACH,CAAC;QAED,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;YACrC,KAAK,MAAM,MAAM,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACtD,IACE,CAAC,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,QAAQ,CAC5D,MAAM,CAAC,IAAI,CACZ,EACD,CAAC;oBACD,MAAM,IAAI,yEAAgC,CACxC,UAAU,EACV,6CAA6C,MAAM,CAAC,IAAI,GAAG,CAC5D,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,0BAA0B;QAC1B,0BAA0B;QAE1B,UAAU,GAAG,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAA;QAE/C,sBAAsB;QACtB,sBAAsB;QACtB,sBAAsB;QAEtB,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;YAC7B,yEAAyE;YACzE,0BAA0B;YAC1B,MAAM,IAAI,2CAAkB,CAAC,UAAU,EAAE,wBAAwB,CAAC,CAAA;QACpE,CAAC;QAED,+EAA+E;QAC/E,qEAAqE;QACrE,yEAAyE;QACzE,2EAA2E;QAC3E,sEAAsE;QACtE,2EAA2E;QAC3E,sEAAsE;QAEtE,uEAAuE;QACvE,SAAS;QACT,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAA;QAEpD,0EAA0E;QAC1E,yEAAyE;QACzE,0EAA0E;QAC1E,sDAAsD;QACtD,MAAM,KAAK,GACT,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,kCAAmB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,SAAS,CAAA;QACvE,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,KAAK,EAAE,CAAA;QAErC,IAAI,UAAU,CAAC,cAAc,EAAE,CAAC;YAC9B,QAAQ,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACzC,KAAK,SAAS;oBACZ,4DAA4D;oBAC5D,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,qBAAqB,EAAE,OAAO,EAAE,CAAA;gBAChE,gBAAgB;gBAChB,KAAK,OAAO,CAAC;gBACb,KAAK,MAAM;oBACT,MAAK;gBACP,OAAO,CAAC,CAAC,CAAC;oBACR,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,sCAAsC,UAAU,CAAC,qBAAqB,GAAG,CAC1E,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACrC,8DAA8D;gBAC9D,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,mEAAmE,CACpE,CAAA;YACH,CAAC;YAED,iFAAiF;YACjF,EAAE;YACF,oEAAoE;YACpE,qEAAqE;YACrE,4DAA4D;YAC5D,sEAAsE;YACtE,aAAa;YACb,EAAE;YACF,wEAAwE;YACxE,qEAAqE;YACrE,4DAA4D;YAC5D,EAAE;YACF,uEAAuE;YACvE,2CAA2C;YAE3C,MAAM,IAAI,2CAAkB,CAAC,UAAU,EAAE,yBAAyB,CAAC,CAAA;QACrE,CAAC;QAED,oBAAoB;QACpB,oBAAoB;QACpB,oBAAoB;QAEpB,IAAI,UAAU,CAAC,aAAa,KAAK,MAAM,EAAE,CAAC;YACxC,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,gDAAgD,CACjD,CAAA;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,0CAAiB,CAAC,UAAU,EAAE,iCAAiC,CAAC,CAAA;QAC5E,CAAC;aAAM,IAAI,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,+CAA+C,CAChD,CAAA;QACH,CAAC;QAED,IAAI,UAAU,CAAC,qBAAqB,KAAK,MAAM,EAAE,CAAC;YAChD,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,sDAAsD,CACvD,CAAA;QACH,CAAC;QAED,0EAA0E;QAC1E,wEAAwE;QACxE,sEAAsE;QACtE,SAAS;QACT,IACE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS;YACtB,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY;YACzB,MAAM,CAAC,QAAQ,CAAC,0BAA0B,KAAK,MAAM,EACrD,CAAC;YACD,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBACjC,MAAM,IAAI,gDAAoB,CAC5B,UAAU,EACV,sDAAsD,CACvD,CAAA;YACH,CAAC;YAED,uEAAuE;YACvE,iCAAiC;YACjC,IAAI,UAAU,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;gBACnC,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;YACnD,CAAC;QACH,CAAC;QAED,yEAAyE;QACzE,qEAAqE;QACrE,MAAM,IAAI,GAAG,UAAU,CAAC,UAAU,EAAE,WAAW,EAAE,CAAA;QACjD,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,IAAA,kBAAY,EAAC,IAAI,CAAC,IAAI,CAAC,IAAA,sBAAa,EAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,2CAAkB,CAAC,UAAU,EAAE,uBAAuB,IAAI,GAAG,CAAC,CAAA;YAC1E,CAAC;YAED,0EAA0E;YAC1E,yEAAyE;YAEzE,yDAAyD;YACzD,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,UAAU,EAAE,IAAI,EAAE,CAAA;QAClD,CAAC;QAED,4EAA4E;QAC5E,UAAU;QACV,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,cAAc,CAAC,0BAA0B,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;YACxE,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,wBAAwB;gBACxB,IAAI,GAAG,YAAY,+BAAgB,EAAE,CAAC;oBACpC,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,GAAG,CAAC,OAAO,EACX,eAAe,EACf,GAAG,CACJ,CAAA;gBACH,CAAC;gBAED,mBAAmB;gBACnB,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,UAAsB,EAAE,QAAmB,EAAE,QAAmB;QACxE,MAAM,SAAS,GAAG,IAAA,iCAAgB,EAAC,UAAU,CAAC,CAAA;QAE9C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;QACpD,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,8CAAmB,CAAC,qBAAqB,CAAC,CAAA;QAE/D,MAAM,OAAO,GAAsB,EAAE,CAAA;QAErC,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC1B,wEAAwE;gBACxE,wBAAwB;gBACxB,MAAM,IAAI,0CAAiB,CACzB,IAAI,CAAC,UAAU,EACf,qCAAqC,CACtC,CAAA;YACH,CAAC;YAED,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBAChC,MAAM,IAAI,0CAAiB,CAAC,IAAI,CAAC,UAAU,EAAE,0BAA0B,CAAC,CAAA;YAC1E,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,SAAS,GAAG,IAAI,IAAI,CAC1B,IAAI,CAAC,GAAG,EAAE,GAAG,+CAAgC,CAC9C,CAAA;YACH,CAAC;YAED,IAAI,QAAQ,IAAI,IAAI,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACnD,MAAM,IAAI,0CAAiB,CACzB,IAAI,CAAC,UAAU,EACf,+CAA+C,CAChD,CAAA;YACH,CAAC;YAED,IAAI,QAAQ,IAAI,IAAI,EAAE,CAAC;gBACrB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACnB,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAA;gBAC7B,CAAC;qBAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACtC,MAAM,IAAI,0CAAiB,CACzB,IAAI,CAAC,UAAU,EACf,gDAAgD,CACjD,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;YACzC,MAAM,GAAG,CAAA;QACX,CAAC;QAED,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;QACpD,CAAC;QAED,OAAO;YACL,UAAU;YACV,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS;YAC9C,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAA;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,UAAsB,EACtB,MAAc,EACd,OAAgB,EAChB,QAAkB,EAClB,cAA+B,EAC/B,aAAsB;QAEtB,MAAM,SAAS,GAAG,IAAA,iCAAgB,EAAC,UAAU,CAAC,CAAA;QAE9C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;QACpD,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,8CAAmB,CAAC,qBAAqB,CAAC,CAAA;QAE/D,IAAI,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;QAEzB,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBAChC,MAAM,IAAI,0CAAiB,CAAC,UAAU,EAAE,0BAA0B,CAAC,CAAA;YACrE,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACnB,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,gCAAgC,CACjC,CAAA;YACH,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC/B,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,gDAAgD,CACjD,CAAA;YACH,CAAC;YACD,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC1B,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,qCAAqC,CACtC,CAAA;YACH,CAAC;YAED,sEAAsE;YACtE,qEAAqE;YACrE,0EAA0E;YAC1E,2BAA2B;YAC3B,IAAI,aAAa,IAAI,IAAI,EAAE,CAAC;gBAC1B,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAA;gBACvD,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;gBAEnD,qEAAqE;gBACrE,MAAM,SAAS,GAAG,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;gBAErE,+CAA+C;gBAC/C,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;oBACpC,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,iCAAiC,CAClC,CAAA;gBACH,CAAC;gBAED,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAA;YAC5D,CAAC;YAED,uCAAuC;YACvC,MAAM,IAAI,GAAG,MAAM,IAAA,sBAAY,GAAE,CAAA;YAEjC,wEAAwE;YACxE,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,EAAE;gBACxC,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,IAAI;gBACJ,gFAAgF;gBAChF,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,+CAAgC,CAAC;gBAClE,UAAU;aACX,CAAC,CAAA;YAEF,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE;gBACxC,MAAM;gBACN,OAAO;gBACP,UAAU;gBACV,QAAQ;gBACR,cAAc;gBACd,SAAS;aACV,CAAC,CAAA;YAEF,OAAO,IAAI,CAAA;QACb,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;YACzC,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,WAAW,CAAC,IAAU;QACjC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAA;QACxD,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,0CAAiB,CAAC,cAAc,CAAC,CAAA;QAExD,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,MAAM,CAAA;QAElC,yEAAyE;QACzE,0DAA0D;QAC1D,IAAI,uBAAQ,KAAK,YAAY,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;YACtD,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAA;YACtE,CAAC;QACH,CAAC;QAED,IAAI,CAAC,IAAA,yCAAuB,EAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YACzD,kEAAkE;YAClE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAA;QAC7C,CAAC;QAED,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YAChC,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,OAAO,IAAI,CAAA;IACb,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,UAAsB;QACjC,MAAM,SAAS,GAAG,IAAA,iCAAgB,EAAC,UAAU,CAAC,CAAA;QAC9C,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;IAC3C,CAAC;CACF;AA1cD,wCA0cC","sourcesContent":["import { isAtprotoDid } from '@atproto/did'\nimport { LexResolverError } from '@atproto/lex-resolver'\nimport type { Account } from '@atproto/oauth-provider-api'\nimport { isAtprotoOauthScope } from '@atproto/oauth-scopes'\nimport {\n OAuthAuthorizationRequestParameters,\n OAuthAuthorizationServerMetadata,\n} from '@atproto/oauth-types'\nimport { isValidHandle } from '@atproto/syntax'\nimport { ClientAuth } from '../client/client-auth.js'\nimport { ClientId } from '../client/client-id.js'\nimport { Client } from '../client/client.js'\nimport {\n AUTHORIZATION_INACTIVITY_TIMEOUT,\n NODE_ENV,\n PAR_EXPIRES_IN,\n TOKEN_MAX_AGE,\n} from '../constants.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { AccessDeniedError } from '../errors/access-denied-error.js'\nimport { AuthorizationError } from '../errors/authorization-error.js'\nimport { ConsentRequiredError } from '../errors/consent-required-error.js'\nimport { InvalidAuthorizationDetailsError } from '../errors/invalid-authorization-details-error.js'\nimport { InvalidGrantError } from '../errors/invalid-grant-error.js'\nimport { InvalidRequestError } from '../errors/invalid-request-error.js'\nimport { InvalidScopeError } from '../errors/invalid-scope-error.js'\nimport { LexiconManager } from '../lexicon/lexicon-manager.js'\nimport { RequestMetadata } from '../lib/http/request.js'\nimport { OAuthHooks } from '../oauth-hooks.js'\nimport { Signer } from '../signer/signer.js'\nimport { Code, generateCode } from './code.js'\nimport {\n RequestDataAuthorized,\n isRequestDataAuthorized,\n} from './request-data.js'\nimport { generateRequestId } from './request-id.js'\nimport { RequestStore, UpdateRequestData } from './request-store.js'\nimport {\n RequestUri,\n decodeRequestUri,\n encodeRequestUri,\n} from './request-uri.js'\n\nexport class RequestManager {\n constructor(\n protected readonly store: RequestStore,\n protected readonly lexiconManager: LexiconManager,\n protected readonly signer: Signer,\n protected readonly metadata: OAuthAuthorizationServerMetadata,\n protected readonly hooks: OAuthHooks,\n protected readonly tokenMaxAge = TOKEN_MAX_AGE,\n ) {}\n\n protected createTokenExpiry() {\n return new Date(Date.now() + this.tokenMaxAge)\n }\n\n async createAuthorizationRequest(\n client: Client,\n clientAuth: null | ClientAuth,\n input: Readonly<OAuthAuthorizationRequestParameters>,\n deviceId: null | DeviceId,\n ) {\n const parameters = await this.validate(client, clientAuth, input)\n\n await this.hooks.onAuthorizationRequest?.call(null, {\n client,\n clientAuth,\n parameters,\n })\n\n const expiresAt = new Date(Date.now() + PAR_EXPIRES_IN)\n const requestId = await generateRequestId()\n\n await this.store.createRequest(requestId, {\n clientId: client.id,\n clientAuth,\n parameters,\n expiresAt,\n deviceId,\n sub: null,\n code: null,\n })\n\n const requestUri = encodeRequestUri(requestId)\n return { requestUri, expiresAt, parameters }\n }\n\n protected async validate(\n client: Client,\n clientAuth: null | ClientAuth,\n parameters: Readonly<OAuthAuthorizationRequestParameters>,\n ): Promise<Readonly<OAuthAuthorizationRequestParameters>> {\n // -------------------------------\n // Validate unsupported parameters\n // -------------------------------\n\n for (const k of [\n // Known unsupported OIDC parameters\n 'claims',\n 'id_token_hint',\n 'nonce', // note that OIDC \"nonce\" is redundant with PKCE\n ] as const) {\n if (parameters[k] !== undefined) {\n throw new AuthorizationError(parameters, `Unsupported \"${k}\" parameter`)\n }\n }\n\n // -----------------------\n // Validate against server\n // -----------------------\n\n if (\n !this.metadata.response_types_supported?.includes(\n parameters.response_type,\n )\n ) {\n throw new AuthorizationError(\n parameters,\n `Unsupported response_type \"${parameters.response_type}\"`,\n 'unsupported_response_type',\n )\n }\n\n if (\n parameters.response_type === 'code' &&\n !this.metadata.grant_types_supported?.includes('authorization_code')\n ) {\n throw new AuthorizationError(\n parameters,\n `Unsupported grant_type \"authorization_code\"`,\n 'invalid_request',\n )\n }\n\n if (parameters.authorization_details) {\n for (const detail of parameters.authorization_details) {\n if (\n !this.metadata.authorization_details_types_supported?.includes(\n detail.type,\n )\n ) {\n throw new InvalidAuthorizationDetailsError(\n parameters,\n `Unsupported \"authorization_details\" type \"${detail.type}\"`,\n )\n }\n }\n }\n\n // -----------------------\n // Validate against client\n // -----------------------\n\n parameters = client.validateRequest(parameters)\n\n // -------------------\n // Validate parameters\n // -------------------\n\n if (!parameters.redirect_uri) {\n // Should already be ensured by client.validateRequest(). Adding here for\n // clarity & extra safety.\n throw new AuthorizationError(parameters, 'Missing \"redirect_uri\"')\n }\n\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-1.4.1\n // > The authorization server MAY fully or partially ignore the scope\n // > requested by the client, based on the authorization server policy or\n // > the resource owner's instructions. If the issued access token scope is\n // > different from the one requested by the client, the authorization\n // > server MUST include the scope response parameter in the token response\n // > (Section 3.2.3) to inform the client of the actual scope granted.\n\n // Let's make sure the scopes are unique (to reduce the token & storage\n // size).\n const scopes = new Set(parameters.scope?.split(' '))\n\n // @NOTE An app requesting a not yet supported list of scopes will need to\n // re-authenticate the user once the scopes are supported. This is due to\n // the fact that the AS does not know how to properly display those scopes\n // to the user, so it cannot properly ask for consent.\n const scope =\n Array.from(scopes).filter(isAtprotoOauthScope).join(' ') || undefined\n parameters = { ...parameters, scope }\n\n if (parameters.code_challenge) {\n switch (parameters.code_challenge_method) {\n case undefined:\n // https://datatracker.ietf.org/doc/html/rfc7636#section-4.3\n parameters = { ...parameters, code_challenge_method: 'plain' }\n // falls through\n case 'plain':\n case 'S256':\n break\n default: {\n throw new AuthorizationError(\n parameters,\n `Unsupported code_challenge_method \"${parameters.code_challenge_method}\"`,\n )\n }\n }\n } else {\n if (parameters.code_challenge_method) {\n // https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1\n throw new AuthorizationError(\n parameters,\n 'code_challenge is required when code_challenge_method is provided',\n )\n }\n\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.2.1\n //\n // > An AS MUST reject requests without a code_challenge from public\n // > clients, and MUST reject such requests from other clients unless\n // > there is reasonable assurance that the client mitigates\n // > authorization code injection in other ways. See Section 7.5.1 for\n // > details.\n //\n // > [...] In the specific deployment and the specific request, there is\n // > reasonable assurance by the authorization server that the client\n // > implements the OpenID Connect nonce mechanism properly.\n //\n // atproto does not implement the OpenID Connect nonce mechanism, so we\n // require the use of PKCE for all clients.\n\n throw new AuthorizationError(parameters, 'Use of PKCE is required')\n }\n\n // -----------------\n // atproto extension\n // -----------------\n\n if (parameters.response_type !== 'code') {\n throw new AuthorizationError(\n parameters,\n 'atproto only supports the \"code\" response_type',\n )\n }\n\n if (!scopes.has('atproto')) {\n throw new InvalidScopeError(parameters, 'The \"atproto\" scope is required')\n } else if (scopes.has('openid')) {\n throw new InvalidScopeError(\n parameters,\n 'OpenID Connect is not compatible with atproto',\n )\n }\n\n if (parameters.code_challenge_method !== 'S256') {\n throw new AuthorizationError(\n parameters,\n 'atproto requires use of \"S256\" code_challenge_method',\n )\n }\n\n // atproto extension: if the client is not trusted, and not authenticated,\n // force users to consent to authorization requests. We do this to avoid\n // unauthenticated clients from being able to silently re-authenticate\n // users.\n if (\n !client.info.isTrusted &&\n !client.info.isFirstParty &&\n client.metadata.token_endpoint_auth_method === 'none'\n ) {\n if (parameters.prompt === 'none') {\n throw new ConsentRequiredError(\n parameters,\n 'Public clients are not allowed to use silent-sign-on',\n )\n }\n\n // force \"consent\" for unauthenticated third party clients, unless they\n // are trying to create accounts:\n if (parameters.prompt !== 'create') {\n parameters = { ...parameters, prompt: 'consent' }\n }\n }\n\n // atproto extension: ensure that the login_hint is a valid handle or DID\n // @NOTE we to allow invalid case here, which is not spec'd anywhere.\n const hint = parameters.login_hint?.toLowerCase()\n if (hint) {\n if (!isAtprotoDid(hint) && !isValidHandle(hint)) {\n throw new AuthorizationError(parameters, `Invalid login_hint \"${hint}\"`)\n }\n\n // @TODO: ensure that the account actually exists on this server (there is\n // no point in showing the UI to the user if the account does not exist).\n\n // Update the parameters to ensure the right case is used\n parameters = { ...parameters, login_hint: hint }\n }\n\n // Make sure that every nsid in the scope resolves to a valid permission set\n // lexicon\n if (parameters.scope) {\n try {\n await this.lexiconManager.getPermissionSetsFromScope(parameters.scope)\n } catch (err) {\n // Parse expected errors\n if (err instanceof LexResolverError) {\n throw new AuthorizationError(\n parameters,\n err.message,\n 'invalid_scope',\n err,\n )\n }\n\n // Unexpected error\n throw err\n }\n }\n\n return parameters\n }\n\n async get(requestUri: RequestUri, deviceId?: DeviceId, clientId?: ClientId) {\n const requestId = decodeRequestUri(requestUri)\n\n const data = await this.store.readRequest(requestId)\n if (!data) throw new InvalidRequestError('Unknown request_uri')\n\n const updates: UpdateRequestData = {}\n\n try {\n if (data.sub || data.code) {\n // If an account was linked to the request, the next step is to exchange\n // the code for a token.\n throw new AccessDeniedError(\n data.parameters,\n 'This request was already authorized',\n )\n }\n\n if (data.expiresAt < new Date()) {\n throw new AccessDeniedError(data.parameters, 'This request has expired')\n } else {\n updates.expiresAt = new Date(\n Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT,\n )\n }\n\n if (clientId != null && data.clientId !== clientId) {\n throw new AccessDeniedError(\n data.parameters,\n 'This request was initiated for another client',\n )\n }\n\n if (deviceId != null) {\n if (!data.deviceId) {\n updates.deviceId = deviceId\n } else if (data.deviceId !== deviceId) {\n throw new AccessDeniedError(\n data.parameters,\n 'This request was initiated from another device',\n )\n }\n }\n } catch (err) {\n await this.store.deleteRequest(requestId)\n throw err\n }\n\n if (Object.keys(updates).length > 0) {\n await this.store.updateRequest(requestId, updates)\n }\n\n return {\n requestUri,\n expiresAt: updates.expiresAt || data.expiresAt,\n parameters: data.parameters,\n clientId: data.clientId,\n }\n }\n\n async setAuthorized(\n requestUri: RequestUri,\n client: Client,\n account: Account,\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n scopeOverride?: string,\n ): Promise<Code> {\n const requestId = decodeRequestUri(requestUri)\n\n const data = await this.store.readRequest(requestId)\n if (!data) throw new InvalidRequestError('Unknown request_uri')\n\n let { parameters } = data\n\n try {\n if (data.expiresAt < new Date()) {\n throw new AccessDeniedError(parameters, 'This request has expired')\n }\n if (!data.deviceId) {\n throw new AccessDeniedError(\n parameters,\n 'This request was not initiated',\n )\n }\n if (data.deviceId !== deviceId) {\n throw new AccessDeniedError(\n parameters,\n 'This request was initiated from another device',\n )\n }\n if (data.sub || data.code) {\n throw new AccessDeniedError(\n parameters,\n 'This request was already authorized',\n )\n }\n\n // If a new scope value is provided, update the parameters by ensuring\n // that every existing scope in the parameters is also present in the\n // override value. This allows the user to remove scopes from the request,\n // but not to add new ones.\n if (scopeOverride != null) {\n const allowedScopes = new Set(scopeOverride.split(' '))\n const existingScopes = parameters.scope?.split(' ')\n\n // Compute the intersection of the existing scopes and the overrides.\n const newScopes = existingScopes?.filter((s) => allowedScopes.has(s))\n\n // Validate: make sure the new scopes are valid\n if (!newScopes?.includes('atproto')) {\n throw new AccessDeniedError(\n parameters,\n 'The \"atproto\" scope is required',\n )\n }\n\n parameters = { ...parameters, scope: newScopes.join(' ') }\n }\n\n // Only response_type=code is supported\n const code = await generateCode()\n\n // Bind the request to the account, preventing it from being used again.\n await this.store.updateRequest(requestId, {\n sub: account.sub,\n code,\n // Allow the client to exchange the code for a token within the next 60 seconds.\n expiresAt: new Date(Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT),\n parameters,\n })\n\n await this.hooks.onAuthorized?.call(null, {\n client,\n account,\n parameters,\n deviceId,\n deviceMetadata,\n requestId,\n })\n\n return code\n } catch (err) {\n await this.store.deleteRequest(requestId)\n throw err\n }\n }\n\n /**\n * @note If this method throws an error, any token previously generated from\n * the same `code` **must** me revoked.\n */\n public async consumeCode(code: Code): Promise<RequestDataAuthorized> {\n const result = await this.store.consumeRequestCode(code)\n if (!result) throw new InvalidGrantError('Invalid code')\n\n const { requestId, data } = result\n\n // Fool-proofing the store implementation against code replay attacks (in\n // case consumeRequestCode() does not delete the request).\n if (NODE_ENV !== 'production') {\n const result = await this.store.readRequest(requestId)\n if (result) {\n throw new Error('Invalid store implementation: request not deleted')\n }\n }\n\n if (!isRequestDataAuthorized(data) || data.code !== code) {\n // Should never happen: maybe the store implementation is faulty ?\n throw new Error('Unexpected request state')\n }\n\n if (data.expiresAt < new Date()) {\n throw new InvalidGrantError('This code has expired')\n }\n\n return data\n }\n\n async delete(requestUri: RequestUri): Promise<void> {\n const requestId = decodeRequestUri(requestUri)\n await this.store.deleteRequest(requestId)\n }\n}\n"]}
1
+ {"version":3,"file":"request-manager.js","sourceRoot":"","sources":["../../src/request/request-manager.ts"],"names":[],"mappings":";;;AAAA,sCAA2C;AAC3C,wDAAwD;AAExD,wDAA2D;AAK3D,4CAA+C;AAI/C,kDAKwB;AAExB,6EAAoE;AACpE,6EAAqE;AACrE,mFAA0E;AAC1E,6GAAmG;AACnG,6EAAoE;AACpE,iFAAwE;AACxE,6EAAoE;AAKpE,uCAA8C;AAC9C,uDAG0B;AAC1B,mDAAmD;AAEnD,qDAIyB;AAEzB,MAAa,cAAc;IAEJ;IACA;IACA;IACA;IACA;IACA;IANrB,YACqB,KAAmB,EACnB,cAA8B,EAC9B,MAAc,EACd,QAA0C,EAC1C,KAAiB,EACjB,cAAc,4BAAa;QAL3B,UAAK,GAAL,KAAK,CAAc;QACnB,mBAAc,GAAd,cAAc,CAAgB;QAC9B,WAAM,GAAN,MAAM,CAAQ;QACd,aAAQ,GAAR,QAAQ,CAAkC;QAC1C,UAAK,GAAL,KAAK,CAAY;QACjB,gBAAW,GAAX,WAAW,CAAgB;IAC7C,CAAC;IAEM,iBAAiB;QACzB,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAA;IAChD,CAAC;IAED,KAAK,CAAC,0BAA0B,CAC9B,MAAc,EACd,UAA6B,EAC7B,KAAoD,EACpD,QAAyB;QAEzB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,CAAC,CAAA;QAEjE,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,MAAM;YACN,UAAU;YACV,UAAU;SACX,CAAC,CAAA;QAEF,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,6BAAc,CAAC,CAAA;QACvD,MAAM,SAAS,GAAG,MAAM,IAAA,iCAAiB,GAAE,CAAA;QAE3C,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,EAAE;YACxC,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,UAAU;YACV,UAAU;YACV,SAAS;YACT,QAAQ;YACR,GAAG,EAAE,IAAI;YACT,IAAI,EAAE,IAAI;SACX,CAAC,CAAA;QAEF,MAAM,UAAU,GAAG,IAAA,iCAAgB,EAAC,SAAS,CAAC,CAAA;QAC9C,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,CAAA;IAC9C,CAAC;IAES,KAAK,CAAC,QAAQ,CACtB,MAAc,EACd,UAA6B,EAC7B,UAAyD;QAEzD,kCAAkC;QAClC,kCAAkC;QAClC,kCAAkC;QAElC,KAAK,MAAM,CAAC,IAAI;YACd,oCAAoC;YACpC,QAAQ;YACR,eAAe;YACf,OAAO,EAAE,gDAAgD;SACjD,EAAE,CAAC;YACX,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;gBAChC,MAAM,IAAI,2CAAkB,CAAC,UAAU,EAAE,gBAAgB,CAAC,aAAa,CAAC,CAAA;YAC1E,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,0BAA0B;QAC1B,0BAA0B;QAE1B,IACE,CAAC,IAAI,CAAC,QAAQ,CAAC,wBAAwB,EAAE,QAAQ,CAC/C,UAAU,CAAC,aAAa,CACzB,EACD,CAAC;YACD,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,8BAA8B,UAAU,CAAC,aAAa,GAAG,EACzD,2BAA2B,CAC5B,CAAA;QACH,CAAC;QAED,IACE,UAAU,CAAC,aAAa,KAAK,MAAM;YACnC,CAAC,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,QAAQ,CAAC,oBAAoB,CAAC,EACpE,CAAC;YACD,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,6CAA6C,EAC7C,iBAAiB,CAClB,CAAA;QACH,CAAC;QAED,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;YACrC,KAAK,MAAM,MAAM,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACtD,IACE,CAAC,IAAI,CAAC,QAAQ,CAAC,qCAAqC,EAAE,QAAQ,CAC5D,MAAM,CAAC,IAAI,CACZ,EACD,CAAC;oBACD,MAAM,IAAI,yEAAgC,CACxC,UAAU,EACV,6CAA6C,MAAM,CAAC,IAAI,GAAG,CAC5D,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,0BAA0B;QAC1B,0BAA0B;QAE1B,UAAU,GAAG,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAA;QAE/C,sBAAsB;QACtB,sBAAsB;QACtB,sBAAsB;QAEtB,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;YAC7B,yEAAyE;YACzE,0BAA0B;YAC1B,MAAM,IAAI,2CAAkB,CAAC,UAAU,EAAE,wBAAwB,CAAC,CAAA;QACpE,CAAC;QAED,+EAA+E;QAC/E,qEAAqE;QACrE,yEAAyE;QACzE,2EAA2E;QAC3E,sEAAsE;QACtE,2EAA2E;QAC3E,sEAAsE;QAEtE,uEAAuE;QACvE,SAAS;QACT,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAA;QAEpD,0EAA0E;QAC1E,yEAAyE;QACzE,0EAA0E;QAC1E,sDAAsD;QACtD,MAAM,KAAK,GACT,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,kCAAmB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,SAAS,CAAA;QACvE,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,KAAK,EAAE,CAAA;QAErC,IAAI,UAAU,CAAC,cAAc,EAAE,CAAC;YAC9B,QAAQ,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACzC,KAAK,SAAS;oBACZ,4DAA4D;oBAC5D,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,qBAAqB,EAAE,OAAO,EAAE,CAAA;gBAChE,gBAAgB;gBAChB,KAAK,OAAO,CAAC;gBACb,KAAK,MAAM;oBACT,MAAK;gBACP,OAAO,CAAC,CAAC,CAAC;oBACR,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,sCAAsC,UAAU,CAAC,qBAAqB,GAAG,CAC1E,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACrC,8DAA8D;gBAC9D,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,mEAAmE,CACpE,CAAA;YACH,CAAC;YAED,iFAAiF;YACjF,EAAE;YACF,oEAAoE;YACpE,qEAAqE;YACrE,4DAA4D;YAC5D,sEAAsE;YACtE,aAAa;YACb,EAAE;YACF,wEAAwE;YACxE,qEAAqE;YACrE,4DAA4D;YAC5D,EAAE;YACF,uEAAuE;YACvE,2CAA2C;YAE3C,MAAM,IAAI,2CAAkB,CAAC,UAAU,EAAE,yBAAyB,CAAC,CAAA;QACrE,CAAC;QAED,oBAAoB;QACpB,oBAAoB;QACpB,oBAAoB;QAEpB,IAAI,UAAU,CAAC,aAAa,KAAK,MAAM,EAAE,CAAC;YACxC,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,gDAAgD,CACjD,CAAA;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,0CAAiB,CAAC,UAAU,EAAE,iCAAiC,CAAC,CAAA;QAC5E,CAAC;aAAM,IAAI,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,+CAA+C,CAChD,CAAA;QACH,CAAC;QAED,IAAI,UAAU,CAAC,qBAAqB,KAAK,MAAM,EAAE,CAAC;YAChD,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,sDAAsD,CACvD,CAAA;QACH,CAAC;QAED,0EAA0E;QAC1E,wEAAwE;QACxE,sEAAsE;QACtE,SAAS;QACT,IACE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS;YACtB,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY;YACzB,MAAM,CAAC,QAAQ,CAAC,0BAA0B,KAAK,MAAM,EACrD,CAAC;YACD,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBACjC,MAAM,IAAI,gDAAoB,CAC5B,UAAU,EACV,sDAAsD,CACvD,CAAA;YACH,CAAC;YAED,uEAAuE;YACvE,iCAAiC;YACjC,IAAI,UAAU,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;gBACnC,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;YACnD,CAAC;QACH,CAAC;QAED,yEAAyE;QACzE,qEAAqE;QACrE,MAAM,IAAI,GAAG,UAAU,CAAC,UAAU,EAAE,WAAW,EAAE,CAAA;QACjD,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,IAAA,kBAAY,EAAC,IAAI,CAAC,IAAI,CAAC,IAAA,sBAAa,EAAC,IAAI,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,2CAAkB,CAAC,UAAU,EAAE,uBAAuB,IAAI,GAAG,CAAC,CAAA;YAC1E,CAAC;YAED,0EAA0E;YAC1E,yEAAyE;YAEzE,yDAAyD;YACzD,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,UAAU,EAAE,IAAI,EAAE,CAAA;QAClD,CAAC;QAED,4EAA4E;QAC5E,UAAU;QACV,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,cAAc,CAAC,0BAA0B,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;YACxE,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,wBAAwB;gBACxB,IAAI,GAAG,YAAY,+BAAgB,EAAE,CAAC;oBACpC,MAAM,IAAI,2CAAkB,CAC1B,UAAU,EACV,GAAG,CAAC,OAAO,EACX,eAAe,EACf,GAAG,CACJ,CAAA;gBACH,CAAC;gBAED,mBAAmB;gBACnB,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAA;IACnB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,YAAY,CAAC,UAAsB;QACvC,MAAM,SAAS,GAAG,IAAA,iCAAgB,EAAC,UAAU,CAAC,CAAA;QAC9C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;QACpD,OAAO,IAAI,EAAE,QAAQ,CAAA;IACvB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,UAAsB,EAAE,QAAmB,EAAE,QAAmB;QACxE,MAAM,SAAS,GAAG,IAAA,iCAAgB,EAAC,UAAU,CAAC,CAAA;QAE9C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;QACpD,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,8CAAmB,CAAC,qBAAqB,CAAC,CAAA;QAE/D,MAAM,OAAO,GAAsB,EAAE,CAAA;QAErC,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC1B,wEAAwE;gBACxE,wBAAwB;gBACxB,MAAM,IAAI,0CAAiB,CACzB,IAAI,CAAC,UAAU,EACf,qCAAqC,CACtC,CAAA;YACH,CAAC;YAED,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBAChC,MAAM,IAAI,0CAAiB,CAAC,IAAI,CAAC,UAAU,EAAE,0BAA0B,CAAC,CAAA;YAC1E,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,SAAS,GAAG,IAAI,IAAI,CAC1B,IAAI,CAAC,GAAG,EAAE,GAAG,+CAAgC,CAC9C,CAAA;YACH,CAAC;YAED,IAAI,QAAQ,IAAI,IAAI,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACnD,MAAM,IAAI,0CAAiB,CACzB,IAAI,CAAC,UAAU,EACf,+CAA+C,CAChD,CAAA;YACH,CAAC;YAED,IAAI,QAAQ,IAAI,IAAI,EAAE,CAAC;gBACrB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACnB,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAA;gBAC7B,CAAC;qBAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACtC,MAAM,IAAI,0CAAiB,CACzB,IAAI,CAAC,UAAU,EACf,gDAAgD,CACjD,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;YACzC,MAAM,GAAG,CAAA;QACX,CAAC;QAED,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;QACpD,CAAC;QAED,OAAO;YACL,UAAU;YACV,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS;YAC9C,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAA;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,UAAsB,EACtB,MAAc,EACd,OAAgB,EAChB,QAAkB,EAClB,cAA+B,EAC/B,aAAsB;QAEtB,MAAM,SAAS,GAAG,IAAA,iCAAgB,EAAC,UAAU,CAAC,CAAA;QAE9C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;QACpD,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,8CAAmB,CAAC,qBAAqB,CAAC,CAAA;QAE/D,IAAI,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;QAEzB,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBAChC,MAAM,IAAI,0CAAiB,CAAC,UAAU,EAAE,0BAA0B,CAAC,CAAA;YACrE,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACnB,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,gCAAgC,CACjC,CAAA;YACH,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC/B,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,gDAAgD,CACjD,CAAA;YACH,CAAC;YACD,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC1B,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,qCAAqC,CACtC,CAAA;YACH,CAAC;YAED,sEAAsE;YACtE,qEAAqE;YACrE,0EAA0E;YAC1E,2BAA2B;YAC3B,IAAI,aAAa,IAAI,IAAI,EAAE,CAAC;gBAC1B,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAA;gBACvD,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;gBAEnD,qEAAqE;gBACrE,MAAM,SAAS,GAAG,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;gBAErE,+CAA+C;gBAC/C,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;oBACpC,MAAM,IAAI,0CAAiB,CACzB,UAAU,EACV,iCAAiC,CAClC,CAAA;gBACH,CAAC;gBAED,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAA;YAC5D,CAAC;YAED,uCAAuC;YACvC,MAAM,IAAI,GAAG,MAAM,IAAA,sBAAY,GAAE,CAAA;YAEjC,wEAAwE;YACxE,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,EAAE;gBACxC,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,IAAI;gBACJ,gFAAgF;gBAChF,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,+CAAgC,CAAC;gBAClE,UAAU;aACX,CAAC,CAAA;YAEF,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE;gBACxC,MAAM;gBACN,OAAO;gBACP,UAAU;gBACV,QAAQ;gBACR,cAAc;gBACd,SAAS;aACV,CAAC,CAAA;YAEF,OAAO,IAAI,CAAA;QACb,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;YACzC,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,WAAW,CAAC,IAAU;QACjC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAA;QACxD,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,0CAAiB,CAAC,cAAc,CAAC,CAAA;QAExD,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,MAAM,CAAA;QAElC,yEAAyE;QACzE,0DAA0D;QAC1D,IAAI,uBAAQ,KAAK,YAAY,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;YACtD,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAA;YACtE,CAAC;QACH,CAAC;QAED,IAAI,CAAC,IAAA,yCAAuB,EAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YACzD,kEAAkE;YAClE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAA;QAC7C,CAAC;QAED,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YAChC,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,OAAO,IAAI,CAAA;IACb,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,UAAsB;QACjC,MAAM,SAAS,GAAG,IAAA,iCAAgB,EAAC,UAAU,CAAC,CAAA;QAC9C,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;IAC3C,CAAC;CACF;AAtdD,wCAsdC","sourcesContent":["import { isAtprotoDid } from '@atproto/did'\nimport { LexResolverError } from '@atproto/lex-resolver'\nimport type { Account } from '@atproto/oauth-provider-api'\nimport { isAtprotoOauthScope } from '@atproto/oauth-scopes'\nimport {\n OAuthAuthorizationRequestParameters,\n OAuthAuthorizationServerMetadata,\n} from '@atproto/oauth-types'\nimport { isValidHandle } from '@atproto/syntax'\nimport { ClientAuth } from '../client/client-auth.js'\nimport { ClientId } from '../client/client-id.js'\nimport { Client } from '../client/client.js'\nimport {\n AUTHORIZATION_INACTIVITY_TIMEOUT,\n NODE_ENV,\n PAR_EXPIRES_IN,\n TOKEN_MAX_AGE,\n} from '../constants.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { AccessDeniedError } from '../errors/access-denied-error.js'\nimport { AuthorizationError } from '../errors/authorization-error.js'\nimport { ConsentRequiredError } from '../errors/consent-required-error.js'\nimport { InvalidAuthorizationDetailsError } from '../errors/invalid-authorization-details-error.js'\nimport { InvalidGrantError } from '../errors/invalid-grant-error.js'\nimport { InvalidRequestError } from '../errors/invalid-request-error.js'\nimport { InvalidScopeError } from '../errors/invalid-scope-error.js'\nimport { LexiconManager } from '../lexicon/lexicon-manager.js'\nimport { RequestMetadata } from '../lib/http/request.js'\nimport { OAuthHooks } from '../oauth-hooks.js'\nimport { Signer } from '../signer/signer.js'\nimport { Code, generateCode } from './code.js'\nimport {\n RequestDataAuthorized,\n isRequestDataAuthorized,\n} from './request-data.js'\nimport { generateRequestId } from './request-id.js'\nimport { RequestStore, UpdateRequestData } from './request-store.js'\nimport {\n RequestUri,\n decodeRequestUri,\n encodeRequestUri,\n} from './request-uri.js'\n\nexport class RequestManager {\n constructor(\n protected readonly store: RequestStore,\n protected readonly lexiconManager: LexiconManager,\n protected readonly signer: Signer,\n protected readonly metadata: OAuthAuthorizationServerMetadata,\n protected readonly hooks: OAuthHooks,\n protected readonly tokenMaxAge = TOKEN_MAX_AGE,\n ) {}\n\n protected createTokenExpiry() {\n return new Date(Date.now() + this.tokenMaxAge)\n }\n\n async createAuthorizationRequest(\n client: Client,\n clientAuth: null | ClientAuth,\n input: Readonly<OAuthAuthorizationRequestParameters>,\n deviceId: null | DeviceId,\n ) {\n const parameters = await this.validate(client, clientAuth, input)\n\n await this.hooks.onAuthorizationRequest?.call(null, {\n client,\n clientAuth,\n parameters,\n })\n\n const expiresAt = new Date(Date.now() + PAR_EXPIRES_IN)\n const requestId = await generateRequestId()\n\n await this.store.createRequest(requestId, {\n clientId: client.id,\n clientAuth,\n parameters,\n expiresAt,\n deviceId,\n sub: null,\n code: null,\n })\n\n const requestUri = encodeRequestUri(requestId)\n return { requestUri, expiresAt, parameters }\n }\n\n protected async validate(\n client: Client,\n clientAuth: null | ClientAuth,\n parameters: Readonly<OAuthAuthorizationRequestParameters>,\n ): Promise<Readonly<OAuthAuthorizationRequestParameters>> {\n // -------------------------------\n // Validate unsupported parameters\n // -------------------------------\n\n for (const k of [\n // Known unsupported OIDC parameters\n 'claims',\n 'id_token_hint',\n 'nonce', // note that OIDC \"nonce\" is redundant with PKCE\n ] as const) {\n if (parameters[k] !== undefined) {\n throw new AuthorizationError(parameters, `Unsupported \"${k}\" parameter`)\n }\n }\n\n // -----------------------\n // Validate against server\n // -----------------------\n\n if (\n !this.metadata.response_types_supported?.includes(\n parameters.response_type,\n )\n ) {\n throw new AuthorizationError(\n parameters,\n `Unsupported response_type \"${parameters.response_type}\"`,\n 'unsupported_response_type',\n )\n }\n\n if (\n parameters.response_type === 'code' &&\n !this.metadata.grant_types_supported?.includes('authorization_code')\n ) {\n throw new AuthorizationError(\n parameters,\n `Unsupported grant_type \"authorization_code\"`,\n 'invalid_request',\n )\n }\n\n if (parameters.authorization_details) {\n for (const detail of parameters.authorization_details) {\n if (\n !this.metadata.authorization_details_types_supported?.includes(\n detail.type,\n )\n ) {\n throw new InvalidAuthorizationDetailsError(\n parameters,\n `Unsupported \"authorization_details\" type \"${detail.type}\"`,\n )\n }\n }\n }\n\n // -----------------------\n // Validate against client\n // -----------------------\n\n parameters = client.validateRequest(parameters)\n\n // -------------------\n // Validate parameters\n // -------------------\n\n if (!parameters.redirect_uri) {\n // Should already be ensured by client.validateRequest(). Adding here for\n // clarity & extra safety.\n throw new AuthorizationError(parameters, 'Missing \"redirect_uri\"')\n }\n\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-1.4.1\n // > The authorization server MAY fully or partially ignore the scope\n // > requested by the client, based on the authorization server policy or\n // > the resource owner's instructions. If the issued access token scope is\n // > different from the one requested by the client, the authorization\n // > server MUST include the scope response parameter in the token response\n // > (Section 3.2.3) to inform the client of the actual scope granted.\n\n // Let's make sure the scopes are unique (to reduce the token & storage\n // size).\n const scopes = new Set(parameters.scope?.split(' '))\n\n // @NOTE An app requesting a not yet supported list of scopes will need to\n // re-authenticate the user once the scopes are supported. This is due to\n // the fact that the AS does not know how to properly display those scopes\n // to the user, so it cannot properly ask for consent.\n const scope =\n Array.from(scopes).filter(isAtprotoOauthScope).join(' ') || undefined\n parameters = { ...parameters, scope }\n\n if (parameters.code_challenge) {\n switch (parameters.code_challenge_method) {\n case undefined:\n // https://datatracker.ietf.org/doc/html/rfc7636#section-4.3\n parameters = { ...parameters, code_challenge_method: 'plain' }\n // falls through\n case 'plain':\n case 'S256':\n break\n default: {\n throw new AuthorizationError(\n parameters,\n `Unsupported code_challenge_method \"${parameters.code_challenge_method}\"`,\n )\n }\n }\n } else {\n if (parameters.code_challenge_method) {\n // https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1\n throw new AuthorizationError(\n parameters,\n 'code_challenge is required when code_challenge_method is provided',\n )\n }\n\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.2.1\n //\n // > An AS MUST reject requests without a code_challenge from public\n // > clients, and MUST reject such requests from other clients unless\n // > there is reasonable assurance that the client mitigates\n // > authorization code injection in other ways. See Section 7.5.1 for\n // > details.\n //\n // > [...] In the specific deployment and the specific request, there is\n // > reasonable assurance by the authorization server that the client\n // > implements the OpenID Connect nonce mechanism properly.\n //\n // atproto does not implement the OpenID Connect nonce mechanism, so we\n // require the use of PKCE for all clients.\n\n throw new AuthorizationError(parameters, 'Use of PKCE is required')\n }\n\n // -----------------\n // atproto extension\n // -----------------\n\n if (parameters.response_type !== 'code') {\n throw new AuthorizationError(\n parameters,\n 'atproto only supports the \"code\" response_type',\n )\n }\n\n if (!scopes.has('atproto')) {\n throw new InvalidScopeError(parameters, 'The \"atproto\" scope is required')\n } else if (scopes.has('openid')) {\n throw new InvalidScopeError(\n parameters,\n 'OpenID Connect is not compatible with atproto',\n )\n }\n\n if (parameters.code_challenge_method !== 'S256') {\n throw new AuthorizationError(\n parameters,\n 'atproto requires use of \"S256\" code_challenge_method',\n )\n }\n\n // atproto extension: if the client is not trusted, and not authenticated,\n // force users to consent to authorization requests. We do this to avoid\n // unauthenticated clients from being able to silently re-authenticate\n // users.\n if (\n !client.info.isTrusted &&\n !client.info.isFirstParty &&\n client.metadata.token_endpoint_auth_method === 'none'\n ) {\n if (parameters.prompt === 'none') {\n throw new ConsentRequiredError(\n parameters,\n 'Public clients are not allowed to use silent-sign-on',\n )\n }\n\n // force \"consent\" for unauthenticated third party clients, unless they\n // are trying to create accounts:\n if (parameters.prompt !== 'create') {\n parameters = { ...parameters, prompt: 'consent' }\n }\n }\n\n // atproto extension: ensure that the login_hint is a valid handle or DID\n // @NOTE we to allow invalid case here, which is not spec'd anywhere.\n const hint = parameters.login_hint?.toLowerCase()\n if (hint) {\n if (!isAtprotoDid(hint) && !isValidHandle(hint)) {\n throw new AuthorizationError(parameters, `Invalid login_hint \"${hint}\"`)\n }\n\n // @TODO: ensure that the account actually exists on this server (there is\n // no point in showing the UI to the user if the account does not exist).\n\n // Update the parameters to ensure the right case is used\n parameters = { ...parameters, login_hint: hint }\n }\n\n // Make sure that every nsid in the scope resolves to a valid permission set\n // lexicon\n if (parameters.scope) {\n try {\n await this.lexiconManager.getPermissionSetsFromScope(parameters.scope)\n } catch (err) {\n // Parse expected errors\n if (err instanceof LexResolverError) {\n throw new AuthorizationError(\n parameters,\n err.message,\n 'invalid_scope',\n err,\n )\n }\n\n // Unexpected error\n throw err\n }\n }\n\n return parameters\n }\n\n /**\n * Reads the {@link ClientId} associated with a request URI without any of\n * the validation or side-effects performed by {@link RequestManager.get}\n *\n * Returns `undefined` when no such request exists.\n */\n async peekClientId(requestUri: RequestUri): Promise<ClientId | undefined> {\n const requestId = decodeRequestUri(requestUri)\n const data = await this.store.readRequest(requestId)\n return data?.clientId\n }\n\n async get(requestUri: RequestUri, deviceId?: DeviceId, clientId?: ClientId) {\n const requestId = decodeRequestUri(requestUri)\n\n const data = await this.store.readRequest(requestId)\n if (!data) throw new InvalidRequestError('Unknown request_uri')\n\n const updates: UpdateRequestData = {}\n\n try {\n if (data.sub || data.code) {\n // If an account was linked to the request, the next step is to exchange\n // the code for a token.\n throw new AccessDeniedError(\n data.parameters,\n 'This request was already authorized',\n )\n }\n\n if (data.expiresAt < new Date()) {\n throw new AccessDeniedError(data.parameters, 'This request has expired')\n } else {\n updates.expiresAt = new Date(\n Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT,\n )\n }\n\n if (clientId != null && data.clientId !== clientId) {\n throw new AccessDeniedError(\n data.parameters,\n 'This request was initiated for another client',\n )\n }\n\n if (deviceId != null) {\n if (!data.deviceId) {\n updates.deviceId = deviceId\n } else if (data.deviceId !== deviceId) {\n throw new AccessDeniedError(\n data.parameters,\n 'This request was initiated from another device',\n )\n }\n }\n } catch (err) {\n await this.store.deleteRequest(requestId)\n throw err\n }\n\n if (Object.keys(updates).length > 0) {\n await this.store.updateRequest(requestId, updates)\n }\n\n return {\n requestUri,\n expiresAt: updates.expiresAt || data.expiresAt,\n parameters: data.parameters,\n clientId: data.clientId,\n }\n }\n\n async setAuthorized(\n requestUri: RequestUri,\n client: Client,\n account: Account,\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n scopeOverride?: string,\n ): Promise<Code> {\n const requestId = decodeRequestUri(requestUri)\n\n const data = await this.store.readRequest(requestId)\n if (!data) throw new InvalidRequestError('Unknown request_uri')\n\n let { parameters } = data\n\n try {\n if (data.expiresAt < new Date()) {\n throw new AccessDeniedError(parameters, 'This request has expired')\n }\n if (!data.deviceId) {\n throw new AccessDeniedError(\n parameters,\n 'This request was not initiated',\n )\n }\n if (data.deviceId !== deviceId) {\n throw new AccessDeniedError(\n parameters,\n 'This request was initiated from another device',\n )\n }\n if (data.sub || data.code) {\n throw new AccessDeniedError(\n parameters,\n 'This request was already authorized',\n )\n }\n\n // If a new scope value is provided, update the parameters by ensuring\n // that every existing scope in the parameters is also present in the\n // override value. This allows the user to remove scopes from the request,\n // but not to add new ones.\n if (scopeOverride != null) {\n const allowedScopes = new Set(scopeOverride.split(' '))\n const existingScopes = parameters.scope?.split(' ')\n\n // Compute the intersection of the existing scopes and the overrides.\n const newScopes = existingScopes?.filter((s) => allowedScopes.has(s))\n\n // Validate: make sure the new scopes are valid\n if (!newScopes?.includes('atproto')) {\n throw new AccessDeniedError(\n parameters,\n 'The \"atproto\" scope is required',\n )\n }\n\n parameters = { ...parameters, scope: newScopes.join(' ') }\n }\n\n // Only response_type=code is supported\n const code = await generateCode()\n\n // Bind the request to the account, preventing it from being used again.\n await this.store.updateRequest(requestId, {\n sub: account.sub,\n code,\n // Allow the client to exchange the code for a token within the next 60 seconds.\n expiresAt: new Date(Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT),\n parameters,\n })\n\n await this.hooks.onAuthorized?.call(null, {\n client,\n account,\n parameters,\n deviceId,\n deviceMetadata,\n requestId,\n })\n\n return code\n } catch (err) {\n await this.store.deleteRequest(requestId)\n throw err\n }\n }\n\n /**\n * @note If this method throws an error, any token previously generated from\n * the same `code` **must** me revoked.\n */\n public async consumeCode(code: Code): Promise<RequestDataAuthorized> {\n const result = await this.store.consumeRequestCode(code)\n if (!result) throw new InvalidGrantError('Invalid code')\n\n const { requestId, data } = result\n\n // Fool-proofing the store implementation against code replay attacks (in\n // case consumeRequestCode() does not delete the request).\n if (NODE_ENV !== 'production') {\n const result = await this.store.readRequest(requestId)\n if (result) {\n throw new Error('Invalid store implementation: request not deleted')\n }\n }\n\n if (!isRequestDataAuthorized(data) || data.code !== code) {\n // Should never happen: maybe the store implementation is faulty ?\n throw new Error('Unexpected request state')\n }\n\n if (data.expiresAt < new Date()) {\n throw new InvalidGrantError('This code has expired')\n }\n\n return data\n }\n\n async delete(requestUri: RequestUri): Promise<void> {\n const requestId = decodeRequestUri(requestUri)\n await this.store.deleteRequest(requestId)\n }\n}\n"]}
package/dist/result/authorization-result-authorize-page.d.ts CHANGED
@@ -1,5 +1,5 @@
1
1
  import type { LexiconPermissionSet } from '@atproto/lex-document';
2
- import type { Session } from '@atproto/oauth-provider-api';
2
+ import type { Account, Session } from '@atproto/oauth-provider-api';
3
3
  import type { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types';
4
4
  import type { Client } from '../client/client.js';
5
5
  import type { RequestUri } from '../request/request-uri.js';
@@ -10,5 +10,6 @@ export type AuthorizationResultAuthorizePage = {
10
10
  permissionSets: Map<string, LexiconPermissionSet>;
11
11
  requestUri: RequestUri;
12
12
  sessions: readonly Session[];
13
+ selectedSub?: Account['sub'];
13
14
  };
14
15
  //# sourceMappingURL=authorization-result-authorize-page.d.ts.map