@atproto/oauth-provider 0.15.16 → 0.16.1

package/src/customization/build-customization-css.ts

@@ -1,4 +1,9 @@
-import { extractHue, pickContrastColor } from '../lib/util/color.js'
+import {
+  RgbColor,
+  extractHue,
+  hslToRgb,
+  pickContrastColor,
+} from '../lib/util/color.js'
 import { Branding } from './branding.js'
 import { COLOR_NAMES } from './colors.js'
 import { Customization } from './customization.js'
@@ -12,8 +17,25 @@ export function buildCustomizationCss({
 
 function* buildCustomizationVars(branding?: Branding): Generator<string> {
   if (branding?.colors) {
-    const contrastLight = branding.colors.light ?? { r: 255, g: 255, b: 255 }
-    const contrastDark = branding.colors.dark ?? { r: 0, g: 0, b: 0 }
+    const contrastSaturation = branding.colors.contrastSaturation ?? 30
+    yield `--contrast-sat: ${contrastSaturation.toFixed(2)}%;`
+
+    const contrastLight: RgbColor =
+      branding.colors.light ??
+      // Corresponds to color-contrast-975
+      hslToRgb({
+        h: branding.colors.primaryHue ?? 0,
+        s: contrastSaturation / 100,
+        l: 0.07,
+      })
+    const contrastDark: RgbColor =
+      branding.colors.dark ??
+      // Corresponds to color-contrast-25
+      hslToRgb({
+        h: branding.colors.primaryHue ?? 0,
+        s: contrastSaturation / 100,
+        l: 0.953,
+      })
 
     for (const name of COLOR_NAMES) {
       const value = branding.colors[name]

package/src/customization/build-customization-data.ts

@@ -1,5 +1,5 @@
-import { CustomizationData } from '@atproto/oauth-provider-api'
-import { Customization } from './customization.js'
+import type { CustomizationData } from '@atproto/oauth-provider-api'
+import type { Customization } from './customization.js'
 
 export function buildCustomizationData({
   branding,

package/src/customization/colors.ts

@@ -2,13 +2,32 @@ import { z } from 'zod'
 import { colorHueSchema } from '../types/color-hue.js'
 import { rgbColorSchema } from '../types/rgb-color.js'
 
-export const COLOR_NAMES = ['primary', 'error', 'warning', 'success'] as const
+export const COLOR_NAMES = [
+  'primary',
+  'error',
+  'warning',
+  'info',
+  'success',
+] as const
 export type ColorName = (typeof COLOR_NAMES)[number]
 
 export const colorsSchema = z
   .object({
+    // The "light" and "dark" colors are used as default for unspecified
+    // contrast colors. The color that has the highest contrast ratio with the
+    // color base will be used. e.G. If "primary" is specified but
+    // "primaryContrast" is not, then the contrast color will be either "light"
+    // or "dark" depending on which one has the highest contrast ratio with
+    // "primary".
     light: rgbColorSchema.optional(),
     dark: rgbColorSchema.optional(),
+
+    // The "contrastSaturation" is used to compute the saturation of the
+    // "contrast" color. The "contrast" color is a (dynamic) color derived from
+    // the "primaryHue" color with the specified saturation and a variable
+    // lightness. "color-contrast-900" is used for default text, while
+    // "color-contrast-0" is used for the page background.
+    contrastSaturation: z.number().min(0).max(100).optional(),
   })
   .extend(
     Object.fromEntries(

package/src/errors/invalid-credentials-error.ts

@@ -0,0 +1,29 @@
+import { Sub } from '../oidc/sub.js'
+import { InvalidRequestError } from './invalid-request-error.js'
+
+/**
+ * Thrown by {@link AccountStore.authenticateAccount} implementations to signal
+ * that a sign-in attempt was rejected because the provided credentials did not
+ * match a known account.
+ *
+ * Stores should populate {@link InvalidCredentialsError.sub} when the
+ * identifier resolved to an existing account but e.g. the password or OTP was
+ * incorrect. The identifier-unknown case should leave `sub` unset. This
+ * information is surfaced to the `onSignInFailed` hook and never sent back to
+ * the client, so populating it does not affect the client-visible response.
+ *
+ * Only the subject identifier (DID) is carried — not a full `Account` — to
+ * avoid embedding PII (email, name, etc.) in an error that may be serialized
+ * by loggers or monitoring tools walking the `.cause` chain. Hook consumers
+ * that need richer profile info can resolve it from their own account store
+ * using `sub`.
+ */
+export class InvalidCredentialsError extends InvalidRequestError {
+  constructor(
+    message = 'Invalid identifier or password',
+    public readonly sub?: Sub,
+    cause?: unknown,
+  ) {
+    super(message, cause)
+  }
+}

package/src/lib/http/router.ts

@@ -1,4 +1,8 @@
-import type { IncomingMessage, ServerResponse } from 'node:http'
+import type {
+  IncomingHttpHeaders,
+  IncomingMessage,
+  ServerResponse,
+} from 'node:http'
 import { SubCtx, subCtx } from './context.js'
 import { MethodMatcherInput } from './method.js'
 import { combineMiddlewares } from './middleware.js'
@@ -8,7 +12,7 @@ import { Middleware } from './types.js'
 
 export type RouterCtx<T extends object | void = void> = SubCtx<
   T,
-  { url: Readonly<URL> }
+  { url: Readonly<URL>; headers: IncomingHttpHeaders }
 >
 
 export type RouterMiddleware<
@@ -93,7 +97,7 @@ export class Router<
 
       // Any error thrown here will be uncaught/unhandled (a middleware should
       // never throw)
-      const context = subCtx(this, { url })
+      const context = subCtx(this, { url, headers: req.headers })
       middleware.call(context, req, res, next)
     }
   }

package/src/lib/util/color.ts

@@ -5,6 +5,8 @@ export type HslColor = { h: number; s: number; l: number }
 export type RgbaColor = { r: number; g: number; b: number; a: number }
 export type HslaColor = { h: number; s: number; l: number; a: number }
 
+export type Color = RgbColor | HslColor | RgbaColor | HslaColor
+
 export function parseColor(color: string): RgbColor | RgbaColor {
   if (color.startsWith('#')) {
     return parseHexColor(color)
@@ -77,10 +79,44 @@ export function pickContrastColor(ref: RgbColor, a: RgbColor, b: RgbColor) {
   return computeContrastRatio(ref, a) > computeContrastRatio(ref, b) ? a : b
 }
 
+export function hslToRgb({ h, s, l }: HslColor): RgbColor
+export function hslToRgb({ h, s, l, a }: HslaColor): RgbaColor
+export function hslToRgb(input: HslaColor | HslColor): RgbColor | RgbaColor {
+  const { h, s, l } = input
+
+  // Achromatic (gray)
+  if (s === 0) {
+    const gray = Math.round(l * 255)
+    return 'a' in input
+      ? { r: gray, g: gray, b: gray, a: input.a }
+      : { r: gray, g: gray, b: gray }
+  }
+
+  const hueToRgb = (p: number, q: number, t: number): number => {
+    if (t < 0) t += 1
+    if (t > 1) t -= 1
+    if (t < 1 / 6) return p + (q - p) * 6 * t
+    if (t < 1 / 2) return q
+    if (t < 2 / 3) return p + (q - p) * (2 / 3 - t) * 6
+    return p
+  }
+
+  const q = l < 0.5 ? l * (1 + s) : l + s - l * s
+  const p = 2 * l - q
+  const hNorm = h / 360
+
+  const r = Math.round(hueToRgb(p, q, hNorm + 1 / 3) * 255)
+  const g = Math.round(hueToRgb(p, q, hNorm) * 255)
+  const b = Math.round(hueToRgb(p, q, hNorm - 1 / 3) * 255)
+
+  return 'a' in input ? { r, g, b, a: input.a } : { r, g, b }
+}
+
 /**
  * @see {@link https://www.w3.org/TR/2008/REC-WCAG20-20081211/#relativeluminancedef}
  */
-function relativeLuminance({ r, g, b }: RgbColor) {
+function relativeLuminance(color: HslColor | RgbColor) {
+  const { r, g, b } = 'h' in color ? hslToRgb(color) : color
   return rgbLum(r) * 0.2126 + rgbLum(g) * 0.7152 + rgbLum(b) * 0.0722
 }
 

package/src/oauth-errors.ts

@@ -10,6 +10,7 @@ export * from './errors/invalid-authorization-details-error.js'
 export * from './errors/invalid-client-error.js'
 export * from './errors/invalid-client-id-error.js'
 export * from './errors/invalid-client-metadata-error.js'
+export * from './errors/invalid-credentials-error.js'
 export * from './errors/invalid-dpop-key-binding-error.js'
 export * from './errors/invalid-dpop-proof-error.js'
 export * from './errors/invalid-grant-error.js'

package/src/oauth-hooks.ts

@@ -23,6 +23,7 @@ import { DeviceId } from './device/device-id.js'
 import { DpopProof } from './dpop/dpop-proof.js'
 import { AccessDeniedError } from './errors/access-denied-error.js'
 import { AuthorizationError } from './errors/authorization-error.js'
+import { InvalidCredentialsError } from './errors/invalid-credentials-error.js'
 import { InvalidRequestError } from './errors/invalid-request-error.js'
 import { OAuthError } from './errors/oauth-error.js'
 import {
@@ -32,6 +33,7 @@ import {
 } from './lib/hcaptcha.js'
 import { RequestMetadata } from './lib/http/request.js'
 import { Awaitable, OmitKey } from './lib/util/type.js'
+import { Sub } from './oidc/sub.js'
 import { RequestId } from './request/request-id.js'
 import { AccessTokenPayload } from './signer/access-token-payload.js'
 import { TokenClaims } from './token/token-claims.js'
@@ -52,6 +54,7 @@ export {
   type HcaptchaClientTokens,
   type HcaptchaConfig,
   type HcaptchaVerifyResult,
+  InvalidCredentialsError,
   InvalidRequestError,
   type Jwks,
   type OAuthAccessToken,
@@ -67,6 +70,7 @@ export {
   type SignInData,
   type SignUpData,
   type SignUpInput,
+  type Sub,
   type TokenClaims,
 }
 
@@ -159,15 +163,25 @@ export type OAuthHooks = {
     deviceMetadata: RequestMetadata
   }) => Awaitable<void>
 
+  /**
+   * `clientId` is populated when the sign-in is submitted in the context of
+   * an OAuth authorization request (i.e. the user is logging in to approve a
+   * client); it is omitted for first-party sign-ins that happen outside any
+   * authorization flow.
+   */
   onSignInAttempt?: (data: {
     data: SignInData
     deviceId: DeviceId
     deviceMetadata: RequestMetadata
+    clientId?: ClientId
   }) => Awaitable<void>
 
   /**
    * This hook is called when a user successfully signs in.
    *
+   * `clientId` is populated when the sign-in is submitted in the context of
+   * an OAuth authorization request; see {@link OAuthHooks.onSignInAttempt}.
+   *
    * @throws {InvalidRequestError} when the sing-in should be denied
    */
   onSignedIn?: (data: {
@@ -175,6 +189,34 @@ export type OAuthHooks = {
     account: Account
     deviceId: DeviceId
     deviceMetadata: RequestMetadata
+    clientId?: ClientId
+  }) => Awaitable<void>
+
+  /**
+   * This hook is called when a sign-in attempt is rejected by the account
+   * store due to invalid credentials (e.g. unknown identifier, wrong
+   * password). It is *not* called for unexpected server errors, nor for flows
+   * that require an additional authentication factor.
+   *
+   * `sub` is populated when the store throws an
+   * {@link InvalidCredentialsError} that carries the matched subject
+   * identifier (i.e. identifier known, credentials wrong). It is `null` when
+   * the identifier was unknown or when the store threw a plain
+   * {@link InvalidRequestError} without distinguishing the two cases.
+   *
+   * `clientId` is populated when the sign-in is submitted in the context of
+   * an OAuth authorization request; see {@link OAuthHooks.onSignInAttempt}.
+   *
+   * Errors thrown from this hook are caught and ignored so that they do not
+   * mask the original authentication failure.
+   */
+  onSignInFailed?: (data: {
+    data: SignInData
+    error: InvalidRequestError
+    sub: Sub | null
+    deviceId: DeviceId
+    deviceMetadata: RequestMetadata
+    clientId?: ClientId
   }) => Awaitable<void>
 
   /**

package/src/oauth-provider.ts

@@ -704,19 +704,13 @@ export class OAuthProvider extends OAuthVerifier {
         client,
         parameters,
         requestUri,
-        sessions: sessions.map((session) => ({
-          // Map to avoid leaking other data that might be present in the session
-          account: session.account,
-          loginRequired: session.loginRequired,
-          consentRequired: session.consentRequired,
-
-          selected:
-            parameters.prompt == null ||
-            parameters.prompt === 'login' ||
-            parameters.prompt === 'consent'
-              ? matchesHint.call(parameters, session)
-              : false,
-        })),
+        sessions,
+        selectedSub:
+          parameters.prompt == null ||
+          parameters.prompt === 'login' ||
+          parameters.prompt === 'consent'
+            ? sessions.find(matchesHint, parameters)?.account.sub
+            : undefined,
         permissionSets: await this.lexiconManager
           .getPermissionSetsFromScope(parameters.scope)
           .catch((cause) => {

package/src/request/request-manager.ts

@@ -316,6 +316,18 @@ export class RequestManager {
     return parameters
   }
 
+  /**
+   * Reads the {@link ClientId} associated with a request URI without any of
+   * the validation or side-effects performed by {@link RequestManager.get}
+   *
+   * Returns `undefined` when no such request exists.
+   */
+  async peekClientId(requestUri: RequestUri): Promise<ClientId | undefined> {
+    const requestId = decodeRequestUri(requestUri)
+    const data = await this.store.readRequest(requestId)
+    return data?.clientId
+  }
+
   async get(requestUri: RequestUri, deviceId?: DeviceId, clientId?: ClientId) {
     const requestId = decodeRequestUri(requestUri)
 

package/src/result/authorization-result-authorize-page.ts

@@ -1,5 +1,5 @@
 import type { LexiconPermissionSet } from '@atproto/lex-document'
-import type { Session } from '@atproto/oauth-provider-api'
+import type { Account, Session } from '@atproto/oauth-provider-api'
 import type { OAuthAuthorizationRequestParameters } from '@atproto/oauth-types'
 import type { Client } from '../client/client.js'
 import type { RequestUri } from '../request/request-uri.js'
@@ -12,4 +12,5 @@ export type AuthorizationResultAuthorizePage = {
 
   requestUri: RequestUri
   sessions: readonly Session[]
+  selectedSub?: Account['sub']
 }

package/src/router/assets/assets.ts

@@ -1,5 +1,4 @@
 import type { IncomingMessage, ServerResponse } from 'node:http'
-import type { HydrationData as FeHydrationData } from '@atproto/oauth-provider-frontend/hydration-data'
 import type { HydrationData as UiHydrationData } from '@atproto/oauth-provider-ui/hydration-data'
 import { buildCustomizationCss } from '../../customization/build-customization-css.js'
 import { buildCustomizationData } from '../../customization/build-customization-data.js'
@@ -7,7 +6,6 @@ import { Customization } from '../../customization/customization.js'
 import { CspConfig, mergeCsp } from '../../lib/csp/index.js'
 import { declareHydrationData } from '../../lib/html/hydration-data.js'
 import { cssCode, html } from '../../lib/html/index.js'
-import { combineMiddlewares } from '../../lib/http/middleware.js'
 import { WriteResponseOptions } from '../../lib/http/response.js'
 import {
   CrossOriginEmbedderPolicy,
@@ -29,24 +27,18 @@ import { setupCsrfToken } from './csrf.js'
 const ui = parseAssetsManifest(
   require.resolve('@atproto/oauth-provider-ui/bundle-manifest.json'),
 )
-const fe = parseAssetsManifest(
-  require.resolve('@atproto/oauth-provider-frontend/bundle-manifest.json'),
-)
 
-type HydrationData = Simplify<UiHydrationData & FeHydrationData>
+type HydrationData = Simplify<UiHydrationData>
 
 function getAssets(entryName: keyof HydrationData) {
-  const assetRef = ui.getAssets(entryName) || fe.getAssets(entryName)
+  const assetRef = ui.getAssets(entryName)
   if (assetRef) return assetRef
 
   // Fool-proof. Should never happen.
   throw new Error(`Entry "${entryName}" not found in assets`)
 }
 
-export const assetsMiddleware = combineMiddlewares([
-  ui.assetsMiddleware,
-  fe.assetsMiddleware,
-])
+export const assetsMiddleware = ui.assetsMiddleware
 
 const SPA_CSP: CspConfig = {
   // API calls are made to the same origin
@@ -81,9 +73,25 @@ export function sendWebAppFactory<P extends keyof HydrationData>(
 
   const csp = mergeCsp(
     SPA_CSP,
-    customization?.hcaptcha ? HCAPTCHA_CSP : undefined,
+    customization.hcaptcha ? HCAPTCHA_CSP : undefined,
   )
 
+  const coep = customization.hcaptcha
+    ? // hCaptcha's implementation of COEP is currently broken. Let's disable it
+      // to avoid breaking the entire page.
+      //
+      // https://github.com/hCaptcha/react-hcaptcha/issues/259
+      // https://github.com/hCaptcha/react-hcaptcha/issues/380
+      CrossOriginEmbedderPolicy.unsafeNone
+    : // Since we are loading avatars form other origins, which might not have
+      // CORP headers, we need to use the "credentialless" value, which allows
+      // loading cross-origin resources without credentials (cookies, client
+      // certificates, etc.). This is a more secure alternative to
+      // "unsafe-none". Ideally, we would want to set COEP to "require-corp" and
+      // ensure that all cross-origin resources have the appropriate CORP
+      // headers.
+      CrossOriginEmbedderPolicy.credentialless
+
   return async function sendWebApp(
     req: IncomingMessage,
     res: ServerResponse,
@@ -101,12 +109,9 @@ export function sendWebAppFactory<P extends keyof HydrationData>(
     return writeHtml(
       res,
       mergeDefaults<WriteHtmlOptions>(defaults, options, {
-        bodyAttrs: {
-          class:
-            'bg-white text-slate-900 dark:bg-slate-900 dark:text-slate-100',
-        },
+        bodyAttrs: { class: 'text-text-default bg-contrast-0' },
         csp: options?.csp ? mergeCsp(csp, options.csp) : csp,
-        coep: options?.coep ?? CrossOriginEmbedderPolicy.credentialless,
+        coep: options?.coep ?? coep,
         meta: [{ name: 'robots', content: 'noindex' }],
         body: html`<div id="root"></div>`,
         scripts: [script, ...scripts],

package/src/router/assets/send-authorization-page.ts

@@ -33,6 +33,7 @@ export function sendAuthorizePageFactory(
           loginHint: data.parameters.login_hint,
           promptMode: data.parameters.prompt,
           permissionSets: Object.fromEntries(data.permissionSets),
+          selectedSub: data.selectedSub,
         },
         __sessions: data.sessions,
       },

package/src/router/create-api-middleware.ts

@@ -145,10 +145,17 @@ export function createApiMiddleware<
         // Remember when not in the context of a request by default
         const { remember = requestUri == null, ...input } = this.input
 
+        // Look up the client identifier associated with the pending OAuth
+        // request, if any, so it can be surfaced to the sign-in hooks.
+        const clientId = requestUri
+          ? await server.requestManager.peekClientId(requestUri)
+          : undefined
+
         const account = await server.accountManager.authenticateAccount(
           deviceId,
           deviceMetadata,
           input,
+          clientId,
         )
 
         if (remember) {
@@ -576,14 +583,14 @@ export function createApiMiddleware<
   async function authenticate(
     this: ApiContext<void, { sub: Sub }>,
     req: Req,
-    res: Res,
+    _res: Res,
   ) {
-    const authorization = req.headers.authorization?.split(' ')
-    if (authorization?.[0].toLowerCase() === 'bearer') {
+    if (req.headers.authorization?.startsWith('Bearer ')) {
       try {
         // If there is an authorization header, verify that the ephemeral token it
         // contains is a jwt bound to the right [sub, device, request].
-        const ephemeralToken = signedJwtSchema.parse(authorization[1])
+        const bearer = req.headers.authorization.slice(7)
+        const ephemeralToken = signedJwtSchema.parse(bearer)
         const { payload } =
           await server.signer.verifyEphemeralToken(ephemeralToken)
 
@@ -595,8 +602,12 @@ export function createApiMiddleware<
           return await server.accountManager.getAccount(payload.sub)
         }
       } catch (err) {
-        onError?.(req, res, err, 'Failed to authenticate ephemeral token')
-        // Fall back to session based authentication
+        throw new WWWAuthenticateError(
+          'unauthorized',
+          `Invalid or expired bearer token`,
+          { Bearer: {} },
+          err,
+        )
       }
     }
 

package/tsconfig.build.tsbuildinfo

@@ -1 +1 @@
-{"root":["./src/constants.ts","./src/index.ts","./src/oauth-client.ts","./src/oauth-dpop.ts","./src/oauth-errors.ts","./src/oauth-hooks.ts","./src/oauth-middleware.ts","./src/oauth-provider.ts","./src/oauth-store.ts","./src/oauth-verifier.ts","./src/access-token/access-token-mode.ts","./src/account/account-manager.ts","./src/account/account-store.ts","./src/account/sign-in-data.ts","./src/account/sign-up-input.ts","./src/client/client-auth.ts","./src/client/client-data.ts","./src/client/client-id.ts","./src/client/client-info.ts","./src/client/client-manager.ts","./src/client/client-store.ts","./src/client/client-utils.ts","./src/client/client.ts","./src/customization/branding.ts","./src/customization/build-customization-css.ts","./src/customization/build-customization-data.ts","./src/customization/colors.ts","./src/customization/customization.ts","./src/customization/links.ts","./src/device/device-data.ts","./src/device/device-id.ts","./src/device/device-manager.ts","./src/device/device-store.ts","./src/device/session-id.ts","./src/dpop/dpop-manager.ts","./src/dpop/dpop-nonce.ts","./src/dpop/dpop-proof.ts","./src/errors/access-denied-error.ts","./src/errors/account-selection-required-error.ts","./src/errors/authorization-error.ts","./src/errors/consent-required-error.ts","./src/errors/error-parser.ts","./src/errors/handle-unavailable-error.ts","./src/errors/invalid-authorization-details-error.ts","./src/errors/invalid-client-error.ts","./src/errors/invalid-client-id-error.ts","./src/errors/invalid-client-metadata-error.ts","./src/errors/invalid-dpop-key-binding-error.ts","./src/errors/invalid-dpop-proof-error.ts","./src/errors/invalid-grant-error.ts","./src/errors/invalid-invite-code-error.ts","./src/errors/invalid-redirect-uri-error.ts","./src/errors/invalid-request-error.ts","./src/errors/invalid-scope-error.ts","./src/errors/invalid-token-error.ts","./src/errors/login-required-error.ts","./src/errors/oauth-error.ts","./src/errors/second-authentication-factor-required-error.ts","./src/errors/unauthorized-client-error.ts","./src/errors/use-dpop-nonce-error.ts","./src/errors/www-authenticate-error.ts","./src/lexicon/lexicon-data.ts","./src/lexicon/lexicon-getter.ts","./src/lexicon/lexicon-manager.ts","./src/lexicon/lexicon-store.ts","./src/lib/hcaptcha.ts","./src/lib/nsid.ts","./src/lib/redis.ts","./src/lib/write-form-redirect.ts","./src/lib/write-html.ts","./src/lib/csp/index.ts","./src/lib/html/build-document.ts","./src/lib/html/escapers.ts","./src/lib/html/html.ts","./src/lib/html/hydration-data.ts","./src/lib/html/index.ts","./src/lib/html/tags.ts","./src/lib/html/util.ts","./src/lib/http/accept.ts","./src/lib/http/context.ts","./src/lib/http/headers.ts","./src/lib/http/index.ts","./src/lib/http/method.ts","./src/lib/http/middleware.ts","./src/lib/http/parser.ts","./src/lib/http/path.ts","./src/lib/http/request.ts","./src/lib/http/response.ts","./src/lib/http/route.ts","./src/lib/http/router.ts","./src/lib/http/security-headers.ts","./src/lib/http/stream.ts","./src/lib/http/types.ts","./src/lib/http/url.ts","./src/lib/util/authorization-header.ts","./src/lib/util/cast.ts","./src/lib/util/color.ts","./src/lib/util/crypto.ts","./src/lib/util/date.ts","./src/lib/util/error.ts","./src/lib/util/function.ts","./src/lib/util/locale.ts","./src/lib/util/object.ts","./src/lib/util/redirect-uri.ts","./src/lib/util/time.ts","./src/lib/util/type.ts","./src/lib/util/ui8.ts","./src/lib/util/well-known.ts","./src/lib/util/zod-error.ts","./src/metadata/build-metadata.ts","./src/oidc/sub.ts","./src/replay/replay-manager.ts","./src/replay/replay-store-memory.ts","./src/replay/replay-store-redis.ts","./src/replay/replay-store.ts","./src/request/code.ts","./src/request/request-data.ts","./src/request/request-id.ts","./src/request/request-manager.ts","./src/request/request-store.ts","./src/request/request-uri.ts","./src/result/authorization-redirect-parameters.ts","./src/result/authorization-result-authorize-page.ts","./src/result/authorization-result-redirect.ts","./src/router/create-account-page-middleware.ts","./src/router/create-api-middleware.ts","./src/router/create-authorization-page-middleware.ts","./src/router/create-oauth-middleware.ts","./src/router/error-handler.ts","./src/router/middleware-options.ts","./src/router/assets/assets-manifest.ts","./src/router/assets/assets.ts","./src/router/assets/csrf.ts","./src/router/assets/send-account-page.ts","./src/router/assets/send-authorization-page.ts","./src/router/assets/send-cookie-error-page.ts","./src/router/assets/send-error-page.ts","./src/router/assets/send-redirect.ts","./src/signer/access-token-payload.ts","./src/signer/api-token-payload.ts","./src/signer/signer.ts","./src/token/refresh-token.ts","./src/token/token-claims.ts","./src/token/token-data.ts","./src/token/token-id.ts","./src/token/token-manager.ts","./src/token/token-store.ts","./src/types/authorization-response-error.ts","./src/types/color-hue.ts","./src/types/email-otp.ts","./src/types/email.ts","./src/types/handle.ts","./src/types/invite-code.ts","./src/types/par-response-error.ts","./src/types/password.ts","./src/types/rgb-color.ts"],"version":"5.8.3"}
+{"root":["./src/constants.ts","./src/index.ts","./src/oauth-client.ts","./src/oauth-dpop.ts","./src/oauth-errors.ts","./src/oauth-hooks.ts","./src/oauth-middleware.ts","./src/oauth-provider.ts","./src/oauth-store.ts","./src/oauth-verifier.ts","./src/access-token/access-token-mode.ts","./src/account/account-manager.ts","./src/account/account-store.ts","./src/account/sign-in-data.ts","./src/account/sign-up-input.ts","./src/client/client-auth.ts","./src/client/client-data.ts","./src/client/client-id.ts","./src/client/client-info.ts","./src/client/client-manager.ts","./src/client/client-store.ts","./src/client/client-utils.ts","./src/client/client.ts","./src/customization/branding.ts","./src/customization/build-customization-css.ts","./src/customization/build-customization-data.ts","./src/customization/colors.ts","./src/customization/customization.ts","./src/customization/links.ts","./src/device/device-data.ts","./src/device/device-id.ts","./src/device/device-manager.ts","./src/device/device-store.ts","./src/device/session-id.ts","./src/dpop/dpop-manager.ts","./src/dpop/dpop-nonce.ts","./src/dpop/dpop-proof.ts","./src/errors/access-denied-error.ts","./src/errors/account-selection-required-error.ts","./src/errors/authorization-error.ts","./src/errors/consent-required-error.ts","./src/errors/error-parser.ts","./src/errors/handle-unavailable-error.ts","./src/errors/invalid-authorization-details-error.ts","./src/errors/invalid-client-error.ts","./src/errors/invalid-client-id-error.ts","./src/errors/invalid-client-metadata-error.ts","./src/errors/invalid-credentials-error.ts","./src/errors/invalid-dpop-key-binding-error.ts","./src/errors/invalid-dpop-proof-error.ts","./src/errors/invalid-grant-error.ts","./src/errors/invalid-invite-code-error.ts","./src/errors/invalid-redirect-uri-error.ts","./src/errors/invalid-request-error.ts","./src/errors/invalid-scope-error.ts","./src/errors/invalid-token-error.ts","./src/errors/login-required-error.ts","./src/errors/oauth-error.ts","./src/errors/second-authentication-factor-required-error.ts","./src/errors/unauthorized-client-error.ts","./src/errors/use-dpop-nonce-error.ts","./src/errors/www-authenticate-error.ts","./src/lexicon/lexicon-data.ts","./src/lexicon/lexicon-getter.ts","./src/lexicon/lexicon-manager.ts","./src/lexicon/lexicon-store.ts","./src/lib/hcaptcha.ts","./src/lib/nsid.ts","./src/lib/redis.ts","./src/lib/write-form-redirect.ts","./src/lib/write-html.ts","./src/lib/csp/index.ts","./src/lib/html/build-document.ts","./src/lib/html/escapers.ts","./src/lib/html/html.ts","./src/lib/html/hydration-data.ts","./src/lib/html/index.ts","./src/lib/html/tags.ts","./src/lib/html/util.ts","./src/lib/http/accept.ts","./src/lib/http/context.ts","./src/lib/http/headers.ts","./src/lib/http/index.ts","./src/lib/http/method.ts","./src/lib/http/middleware.ts","./src/lib/http/parser.ts","./src/lib/http/path.ts","./src/lib/http/request.ts","./src/lib/http/response.ts","./src/lib/http/route.ts","./src/lib/http/router.ts","./src/lib/http/security-headers.ts","./src/lib/http/stream.ts","./src/lib/http/types.ts","./src/lib/http/url.ts","./src/lib/util/authorization-header.ts","./src/lib/util/cast.ts","./src/lib/util/color.ts","./src/lib/util/crypto.ts","./src/lib/util/date.ts","./src/lib/util/error.ts","./src/lib/util/function.ts","./src/lib/util/locale.ts","./src/lib/util/object.ts","./src/lib/util/redirect-uri.ts","./src/lib/util/time.ts","./src/lib/util/type.ts","./src/lib/util/ui8.ts","./src/lib/util/well-known.ts","./src/lib/util/zod-error.ts","./src/metadata/build-metadata.ts","./src/oidc/sub.ts","./src/replay/replay-manager.ts","./src/replay/replay-store-memory.ts","./src/replay/replay-store-redis.ts","./src/replay/replay-store.ts","./src/request/code.ts","./src/request/request-data.ts","./src/request/request-id.ts","./src/request/request-manager.ts","./src/request/request-store.ts","./src/request/request-uri.ts","./src/result/authorization-redirect-parameters.ts","./src/result/authorization-result-authorize-page.ts","./src/result/authorization-result-redirect.ts","./src/router/create-account-page-middleware.ts","./src/router/create-api-middleware.ts","./src/router/create-authorization-page-middleware.ts","./src/router/create-oauth-middleware.ts","./src/router/error-handler.ts","./src/router/middleware-options.ts","./src/router/assets/assets-manifest.ts","./src/router/assets/assets.ts","./src/router/assets/csrf.ts","./src/router/assets/send-account-page.ts","./src/router/assets/send-authorization-page.ts","./src/router/assets/send-cookie-error-page.ts","./src/router/assets/send-error-page.ts","./src/router/assets/send-redirect.ts","./src/signer/access-token-payload.ts","./src/signer/api-token-payload.ts","./src/signer/signer.ts","./src/token/refresh-token.ts","./src/token/token-claims.ts","./src/token/token-data.ts","./src/token/token-id.ts","./src/token/token-manager.ts","./src/token/token-store.ts","./src/types/authorization-response-error.ts","./src/types/color-hue.ts","./src/types/email-otp.ts","./src/types/email.ts","./src/types/handle.ts","./src/types/invite-code.ts","./src/types/par-response-error.ts","./src/types/password.ts","./src/types/rgb-color.ts"],"version":"5.8.3"}